From 107aa796b1c42d80ef801c69e437770004ab3d63 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sat, 31 Jan 2026 17:12:24 -0500 Subject: [PATCH] Fixes for all trees 
Signed-off-by: Sasha Levin --- ...rt-fix-null-ptr-deref-in-hci_uart_wr.patch | 73 ++++ ...nting-udp-csum-mismatch-as-rx_errors.patch | 62 ++++ .../net-bridge-fix-static-key-check.patch | 40 +++ ...-definitions-of-vport-debug-counters.patch | 93 ++++++ ...ory-leak-in-esw_acl_ingress_lgcy_set.patch | 46 +++ ...t-for-netdev-stats-in-ndo_get_stats6.patch | 75 +++++ ...pose-rx_oversize_pkts_buffer-counter.patch | 142 ++++++++ ...eport-rx_discards_phy-via-rx_dropped.patch | 50 +++ ...x-memory-leak-in-mvpp2_ethtool_cls_r.patch | 48 +++ ...ix-memleak-in-nfc_llcp_send_ui_frame.patch | 167 ++++++++++ ...-between-rfkill-and-nci_unregister_d.patch | 197 +++++++++++ ...y-leak-in-rocker_world_port_post_fin.patch | 56 ++++ queue-5.10/series | 12 + ...rt-fix-null-ptr-deref-in-hci_uart_wr.patch | 73 ++++ ...nting-udp-csum-mismatch-as-rx_errors.patch | 62 ++++ ...ht-ifindex-when-replying-to-icmpv6-f.patch | 52 +++ .../net-bridge-fix-static-key-check.patch | 40 +++ ...-definitions-of-vport-debug-counters.patch | 93 ++++++ ...ory-leak-in-esw_acl_ingress_lgcy_set.patch | 46 +++ ...t-for-netdev-stats-in-ndo_get_stats6.patch | 75 +++++ ...pose-rx_oversize_pkts_buffer-counter.patch | 142 ++++++++ ...eport-rx_discards_phy-via-rx_dropped.patch | 50 +++ ...x-memory-leak-in-mvpp2_ethtool_cls_r.patch | 48 +++ ...ix-memleak-in-nfc_llcp_send_ui_frame.patch | 167 ++++++++++ ...-between-rfkill-and-nci_unregister_d.patch | 197 +++++++++++ ...y-leak-in-rocker_world_port_post_fin.patch | 56 ++++ queue-5.15/series | 13 + ...rt-fix-null-ptr-deref-in-hci_uart_wr.patch | 73 ++++ ...tate-data-races-around-slave-last_rx.patch | 178 ++++++++++ ...b_receive_bulk_callback-fix-error-me.patch | 52 +++ ...nting-udp-csum-mismatch-as-rx_errors.patch | 62 ++++ ...ht-ifindex-when-replying-to-icmpv6-f.patch | 52 +++ .../net-bridge-fix-static-key-check.patch | 40 +++ ...ory-leak-in-esw_acl_ingress_lgcy_set.patch | 46 +++ ...t-for-netdev-stats-in-ndo_get_stats6.patch | 75 +++++ 
...eport-rx_discards_phy-via-rx_dropped.patch | 50 +++ ...x-memory-leak-in-mvpp2_ethtool_cls_r.patch | 48 +++ ...x-potential-skb-frags-overflow-in-rx.patch | 83 +++++ ...ix-memleak-in-nfc_llcp_send_ui_frame.patch | 167 ++++++++++ ...-between-rfkill-and-nci_unregister_d.patch | 197 +++++++++++ ...y-leak-in-rocker_world_port_post_fin.patch | 56 ++++ queue-6.1/series | 14 + ...rt-fix-null-ptr-deref-in-hci_uart_wr.patch | 73 ++++ ...-fix-memory-leak-in-set_ssp_complete.patch | 63 ++++ ...tate-data-races-around-slave-last_rx.patch | 178 ++++++++++ ...an-fix-memory-leak-in-at91_can_probe.patch | 45 +++ ...b_receive_bulk_callback-fix-error-me.patch | 52 +++ ...nter-dereference-in-ice_vsi_set_napi.patch | 96 ++++++ ...nting-udp-csum-mismatch-as-rx_errors.patch | 62 ++++ ...ht-ifindex-when-replying-to-icmpv6-f.patch | 52 +++ ...p-fix-early-exit-leak-with-fixed-phy.patch | 48 +++ .../net-bridge-fix-static-key-check.patch | 40 +++ ...ory-leak-in-esw_acl_ingress_lgcy_set.patch | 46 +++ ...a_id-access-call-trace-use-before-al.patch | 158 +++++++++ ...inverted-cap-check-in-tx-flow-table-.patch | 44 +++ ...itialize-events-outside-devlink-lock.patch | 115 +++++++ ...sn-replay-window-setup-for-ipsec-cry.patch | 50 +++ ...delete-flows-only-for-existing-peers.patch | 132 ++++++++ ...x-memory-leak-in-mvpp2_ethtool_cls_r.patch | 48 +++ ...ix-clk-warning-when-removing-the-dri.patch | 130 ++++++++ ...x-potential-skb-frags-overflow-in-rx.patch | 83 +++++ ...ix-memleak-in-nfc_llcp_send_ui_frame.patch | 167 ++++++++++ ...-between-rfkill-and-nci_unregister_d.patch | 197 +++++++++++ ...ix-memory-leak-in-octep_device_setup.patch | 46 +++ ...y-leak-in-rocker_world_port_post_fin.patch | 56 ++++ queue-6.12/series | 23 ++ ...rt-fix-null-ptr-deref-in-hci_uart_wr.patch | 73 ++++ ...-fix-memory-leak-in-set_ssp_complete.patch | 63 ++++ ...tate-data-races-around-slave-last_rx.patch | 178 ++++++++++ ...after-free-due-to-enslave-fail-after.patch | 105 ++++++ ...he-folio-leak-on-s390-hardware-accel.patch 
| 55 +++ ...an-fix-memory-leak-in-at91_can_probe.patch | 45 +++ ...b_receive_bulk_callback-fix-error-me.patch | 52 +++ ...nter-dereference-in-ice_vsi_set_napi.patch | 96 ++++++ ...nting-udp-csum-mismatch-as-rx_errors.patch | 62 ++++ ...ht-ifindex-when-replying-to-icmpv6-f.patch | 52 +++ ...ialize-aci-lock-in-ixgbe_recovery_pr.patch | 54 +++ ...-leaks-in-the-ixgbe_recovery_probe-p.patch | 87 +++++ ...race-in-mptcp_pm_nl_flush_addrs_doit.patch | 72 ++++ ...p-fix-early-exit-leak-with-fixed-phy.patch | 48 +++ .../net-bridge-fix-static-key-check.patch | 40 +++ ...ory-leak-in-esw_acl_ingress_lgcy_set.patch | 46 +++ ...urn-type-mismatch-in-mlx5_esw_vport_.patch | 44 +++ ...a_id-access-call-trace-use-before-al.patch | 158 +++++++++ ...inverted-cap-check-in-tx-flow-table-.patch | 44 +++ ...itialize-events-outside-devlink-lock.patch | 115 +++++++ ...t-for-netdev-stats-in-ndo_get_stats6.patch | 75 +++++ ...assume-psp-tx-skbs-are-ipv6-csum-han.patch | 63 ++++ ...sn-replay-window-setup-for-ipsec-cry.patch | 50 +++ ...delete-flows-only-for-existing-peers.patch | 132 ++++++++ ...x-memory-leak-in-mvpp2_ethtool_cls_r.patch | 48 +++ ...ix-clk-warning-when-removing-the-dri.patch | 130 ++++++++ ...ck-for-netif_carrier_ok-in-emac_stat.patch | 101 ++++++ ...x-potential-skb-frags-overflow-in-rx.patch | 83 +++++ ...ix-memleak-in-nfc_llcp_send_ui_frame.patch | 167 ++++++++++ ...-between-rfkill-and-nci_unregister_d.patch | 197 +++++++++++ ...ix-memory-leak-in-octep_device_setup.patch | 46 +++ ...ddir-require-opt-in-for-d_type-flags.patch | 92 +++++ ...y-leak-in-rocker_world_port_post_fin.patch | 56 ++++ queue-6.18/series | 37 ++ .../sfc-fix-deadlock-in-rss-config-read.patch | 46 +++ ...ply-advertised-ttlm-from-association.patch | 315 ++++++++++++++++++ ...rrectly-decode-ttlm-with-default-lin.patch | 59 ++++ ...wifi-mac80211-parse-all-ttlm-entries.patch | 80 +++++ ...rt-fix-null-ptr-deref-in-hci_uart_wr.patch | 73 ++++ ...tate-data-races-around-slave-last_rx.patch | 178 ++++++++++ 
...b_receive_bulk_callback-fix-error-me.patch | 52 +++ ...nting-udp-csum-mismatch-as-rx_errors.patch | 62 ++++ ...ht-ifindex-when-replying-to-icmpv6-f.patch | 52 +++ ...p-fix-early-exit-leak-with-fixed-phy.patch | 48 +++ .../net-bridge-fix-static-key-check.patch | 40 +++ ...ory-leak-in-esw_acl_ingress_lgcy_set.patch | 46 +++ ...t-for-netdev-stats-in-ndo_get_stats6.patch | 75 +++++ ...eport-rx_discards_phy-via-rx_dropped.patch | 50 +++ ...sn-replay-window-setup-for-ipsec-cry.patch | 50 +++ ...delete-flows-only-for-existing-peers.patch | 132 ++++++++ ...x-memory-leak-in-mvpp2_ethtool_cls_r.patch | 48 +++ ...x-potential-skb-frags-overflow-in-rx.patch | 83 +++++ ...ix-memleak-in-nfc_llcp_send_ui_frame.patch | 167 ++++++++++ ...-between-rfkill-and-nci_unregister_d.patch | 197 +++++++++++ ...ix-memory-leak-in-octep_device_setup.patch | 46 +++ ...y-leak-in-rocker_world_port_post_fin.patch | 56 ++++ queue-6.6/series | 18 + 123 files changed, 10111 insertions(+) create mode 100644 queue-5.10/bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch create mode 100644 queue-5.10/ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch create mode 100644 queue-5.10/net-bridge-fix-static-key-check.patch create mode 100644 queue-5.10/net-mlx5-add-hw-definitions-of-vport-debug-counters.patch create mode 100644 queue-5.10/net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch create mode 100644 queue-5.10/net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch create mode 100644 queue-5.10/net-mlx5e-expose-rx_oversize_pkts_buffer-counter.patch create mode 100644 queue-5.10/net-mlx5e-report-rx_discards_phy-via-rx_dropped.patch create mode 100644 queue-5.10/net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch create mode 100644 queue-5.10/nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch create mode 100644 queue-5.10/nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch create mode 100644 queue-5.10/rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch 
create mode 100644 queue-5.15/bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch create mode 100644 queue-5.15/ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch create mode 100644 queue-5.15/ipv6-use-the-right-ifindex-when-replying-to-icmpv6-f.patch create mode 100644 queue-5.15/net-bridge-fix-static-key-check.patch create mode 100644 queue-5.15/net-mlx5-add-hw-definitions-of-vport-debug-counters.patch create mode 100644 queue-5.15/net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch create mode 100644 queue-5.15/net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch create mode 100644 queue-5.15/net-mlx5e-expose-rx_oversize_pkts_buffer-counter.patch create mode 100644 queue-5.15/net-mlx5e-report-rx_discards_phy-via-rx_dropped.patch create mode 100644 queue-5.15/net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch create mode 100644 queue-5.15/nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch create mode 100644 queue-5.15/nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch create mode 100644 queue-5.15/rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch create mode 100644 queue-6.1/bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch create mode 100644 queue-6.1/bonding-annotate-data-races-around-slave-last_rx.patch create mode 100644 queue-6.1/can-gs_usb-gs_usb_receive_bulk_callback-fix-error-me.patch create mode 100644 queue-6.1/ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch create mode 100644 queue-6.1/ipv6-use-the-right-ifindex-when-replying-to-icmpv6-f.patch create mode 100644 queue-6.1/net-bridge-fix-static-key-check.patch create mode 100644 queue-6.1/net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch create mode 100644 queue-6.1/net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch create mode 100644 queue-6.1/net-mlx5e-report-rx_discards_phy-via-rx_dropped.patch create mode 100644 queue-6.1/net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch create mode 100644 
queue-6.1/net-wwan-t7xx-fix-potential-skb-frags-overflow-in-rx.patch create mode 100644 queue-6.1/nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch create mode 100644 queue-6.1/nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch create mode 100644 queue-6.1/rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch create mode 100644 queue-6.12/bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch create mode 100644 queue-6.12/bluetooth-mgmt-fix-memory-leak-in-set_ssp_complete.patch create mode 100644 queue-6.12/bonding-annotate-data-races-around-slave-last_rx.patch create mode 100644 queue-6.12/can-at91_can-fix-memory-leak-in-at91_can_probe.patch create mode 100644 queue-6.12/can-gs_usb-gs_usb_receive_bulk_callback-fix-error-me.patch create mode 100644 queue-6.12/ice-fix-null-pointer-dereference-in-ice_vsi_set_napi.patch create mode 100644 queue-6.12/ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch create mode 100644 queue-6.12/ipv6-use-the-right-ifindex-when-replying-to-icmpv6-f.patch create mode 100644 queue-6.12/net-bcmasp-fix-early-exit-leak-with-fixed-phy.patch create mode 100644 queue-6.12/net-bridge-fix-static-key-check.patch create mode 100644 queue-6.12/net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch create mode 100644 queue-6.12/net-mlx5-fix-vhca_id-access-call-trace-use-before-al.patch create mode 100644 queue-6.12/net-mlx5-fs-fix-inverted-cap-check-in-tx-flow-table-.patch create mode 100644 queue-6.12/net-mlx5-initialize-events-outside-devlink-lock.patch create mode 100644 queue-6.12/net-mlx5e-skip-esn-replay-window-setup-for-ipsec-cry.patch create mode 100644 queue-6.12/net-mlx5e-tc-delete-flows-only-for-existing-peers.patch create mode 100644 queue-6.12/net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch create mode 100644 queue-6.12/net-phy-micrel-fix-clk-warning-when-removing-the-dri.patch create mode 100644 queue-6.12/net-wwan-t7xx-fix-potential-skb-frags-overflow-in-rx.patch create mode 100644 
queue-6.12/nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch create mode 100644 queue-6.12/nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch create mode 100644 queue-6.12/octeon_ep-fix-memory-leak-in-octep_device_setup.patch create mode 100644 queue-6.12/rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch create mode 100644 queue-6.12/series create mode 100644 queue-6.18/bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch create mode 100644 queue-6.18/bluetooth-mgmt-fix-memory-leak-in-set_ssp_complete.patch create mode 100644 queue-6.18/bonding-annotate-data-races-around-slave-last_rx.patch create mode 100644 queue-6.18/bonding-fix-use-after-free-due-to-enslave-fail-after.patch create mode 100644 queue-6.18/btrfs-zlib-fix-the-folio-leak-on-s390-hardware-accel.patch create mode 100644 queue-6.18/can-at91_can-fix-memory-leak-in-at91_can_probe.patch create mode 100644 queue-6.18/can-gs_usb-gs_usb_receive_bulk_callback-fix-error-me.patch create mode 100644 queue-6.18/ice-fix-null-pointer-dereference-in-ice_vsi_set_napi.patch create mode 100644 queue-6.18/ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch create mode 100644 queue-6.18/ipv6-use-the-right-ifindex-when-replying-to-icmpv6-f.patch create mode 100644 queue-6.18/ixgbe-don-t-initialize-aci-lock-in-ixgbe_recovery_pr.patch create mode 100644 queue-6.18/ixgbe-fix-memory-leaks-in-the-ixgbe_recovery_probe-p.patch create mode 100644 queue-6.18/mptcp-fix-race-in-mptcp_pm_nl_flush_addrs_doit.patch create mode 100644 queue-6.18/net-bcmasp-fix-early-exit-leak-with-fixed-phy.patch create mode 100644 queue-6.18/net-bridge-fix-static-key-check.patch create mode 100644 queue-6.18/net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch create mode 100644 queue-6.18/net-mlx5-fix-return-type-mismatch-in-mlx5_esw_vport_.patch create mode 100644 queue-6.18/net-mlx5-fix-vhca_id-access-call-trace-use-before-al.patch create mode 100644 
queue-6.18/net-mlx5-fs-fix-inverted-cap-check-in-tx-flow-table-.patch create mode 100644 queue-6.18/net-mlx5-initialize-events-outside-devlink-lock.patch create mode 100644 queue-6.18/net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch create mode 100644 queue-6.18/net-mlx5e-don-t-assume-psp-tx-skbs-are-ipv6-csum-han.patch create mode 100644 queue-6.18/net-mlx5e-skip-esn-replay-window-setup-for-ipsec-cry.patch create mode 100644 queue-6.18/net-mlx5e-tc-delete-flows-only-for-existing-peers.patch create mode 100644 queue-6.18/net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch create mode 100644 queue-6.18/net-phy-micrel-fix-clk-warning-when-removing-the-dri.patch create mode 100644 queue-6.18/net-spacemit-check-for-netif_carrier_ok-in-emac_stat.patch create mode 100644 queue-6.18/net-wwan-t7xx-fix-potential-skb-frags-overflow-in-rx.patch create mode 100644 queue-6.18/nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch create mode 100644 queue-6.18/nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch create mode 100644 queue-6.18/octeon_ep-fix-memory-leak-in-octep_device_setup.patch create mode 100644 queue-6.18/readdir-require-opt-in-for-d_type-flags.patch create mode 100644 queue-6.18/rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch create mode 100644 queue-6.18/series create mode 100644 queue-6.18/sfc-fix-deadlock-in-rss-config-read.patch create mode 100644 queue-6.18/wifi-mac80211-apply-advertised-ttlm-from-association.patch create mode 100644 queue-6.18/wifi-mac80211-correctly-decode-ttlm-with-default-lin.patch create mode 100644 queue-6.18/wifi-mac80211-parse-all-ttlm-entries.patch create mode 100644 queue-6.6/bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch create mode 100644 queue-6.6/bonding-annotate-data-races-around-slave-last_rx.patch create mode 100644 queue-6.6/can-gs_usb-gs_usb_receive_bulk_callback-fix-error-me.patch create mode 100644 queue-6.6/ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch create mode 
100644 queue-6.6/ipv6-use-the-right-ifindex-when-replying-to-icmpv6-f.patch create mode 100644 queue-6.6/net-bcmasp-fix-early-exit-leak-with-fixed-phy.patch create mode 100644 queue-6.6/net-bridge-fix-static-key-check.patch create mode 100644 queue-6.6/net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch create mode 100644 queue-6.6/net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch create mode 100644 queue-6.6/net-mlx5e-report-rx_discards_phy-via-rx_dropped.patch create mode 100644 queue-6.6/net-mlx5e-skip-esn-replay-window-setup-for-ipsec-cry.patch create mode 100644 queue-6.6/net-mlx5e-tc-delete-flows-only-for-existing-peers.patch create mode 100644 queue-6.6/net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch create mode 100644 queue-6.6/net-wwan-t7xx-fix-potential-skb-frags-overflow-in-rx.patch create mode 100644 queue-6.6/nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch create mode 100644 queue-6.6/nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch create mode 100644 queue-6.6/octeon_ep-fix-memory-leak-in-octep_device_setup.patch create mode 100644 queue-6.6/rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch create mode 100644 queue-6.6/series diff --git a/queue-5.10/bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch b/queue-5.10/bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch new file mode 100644 index 0000000000..a4ad2e6207 --- /dev/null +++ b/queue-5.10/bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch 
@@ -0,0 +1,73 @@
+From 529bb1727646a10de2a6a67ba7350a5b6bb698d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 18 Jan 2026 20:08:59 +0800
+Subject: Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work
+
+From: Jia-Hong Su
+
+[ Upstream commit 0c3cd7a0b862c37acbee6d9502107146cc944398 ]
+
+hci_uart_set_proto() sets HCI_UART_PROTO_INIT before calling
+hci_uart_register_dev(), which calls proto->open() to initialize
+hu->priv. However, if a TTY write wakeup occurs during this window,
+hci_uart_tx_wakeup() may schedule write_work before hu->priv is
+initialized, leading to a NULL pointer dereference in
+hci_uart_write_work() when proto->dequeue() accesses hu->priv.
+
+The race condition is:
+
+ CPU0 CPU1
+ ---- ----
+ hci_uart_set_proto()
+ set_bit(HCI_UART_PROTO_INIT)
+ hci_uart_register_dev()
+ tty write wakeup
+ hci_uart_tty_wakeup()
+ hci_uart_tx_wakeup()
+ schedule_work(&hu->write_work)
+ proto->open(hu)
+ // initializes hu->priv
+ hci_uart_write_work()
+ hci_uart_dequeue()
+ proto->dequeue(hu)
+ // accesses hu->priv (NULL!)
+
+Fix this by moving set_bit(HCI_UART_PROTO_INIT) after proto->open()
+succeeds, ensuring hu->priv is initialized before any work can be
+scheduled.
+
+Fixes: 5df5dafc171b ("Bluetooth: hci_uart: Fix another race during initialization")
+Link: https://lore.kernel.org/linux-bluetooth/6969764f.170a0220.2b9fc4.35a7@mx.google.com/
+
+Signed-off-by: Jia-Hong Su
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ drivers/bluetooth/hci_ldisc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
+index 93bb58971dbe6..436d82a7f5871 100644
+--- a/drivers/bluetooth/hci_ldisc.c
++++ b/drivers/bluetooth/hci_ldisc.c
+@@ -684,6 +684,8 @@ static int hci_uart_register_dev(struct hci_uart *hu)
+ return err;
+ }
+
++ set_bit(HCI_UART_PROTO_INIT, &hu->flags);
++
+ if (test_bit(HCI_UART_INIT_PENDING, &hu->hdev_flags))
+ return 0;
+
+@@ -711,8 +713,6 @@ static int hci_uart_set_proto(struct hci_uart *hu, int id)
+
+ hu->proto = p;
+
+- set_bit(HCI_UART_PROTO_INIT, &hu->flags);
+-
+ err = hci_uart_register_dev(hu);
+ if (err) {
+ return err;
+--
+2.51.0
+
diff --git a/queue-5.10/ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch b/queue-5.10/ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch
new file mode 100644
index 0000000000..d55b7d3689
--- /dev/null
+++ b/queue-5.10/ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch
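Review bot: The relocated `set_bit(HCI_UART_PROTO_INIT, &hu->flags);` in hci_uart_register_dev() has no comment saying why it must follow proto->open(), although that ordering is the whole fix. I would add `/* Set PROTO_INIT only after proto->open() has initialised hu->priv; write_work can be scheduled as soon as the bit is visible. */` above it so a later cleanup does not move it back into hci_uart_set_proto(). The bit is now set before the `HCI_UART_INIT_PENDING` early return and before the remainder of hci_uart_register_dev(), which continues outside the hunk. Any failure path after this point in the 5.10 tree therefore has to clear the bit again, and that should be confirmed against the backport target rather than assumed from upstream.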
@@ -0,0 +1,62 @@
+From c55a51f3a18dc8ff03d8f9111014cd403d59c02f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 1 Dec 2025 15:38:52 -0800
+Subject: ice: stop counting UDP csum mismatch as rx_errors
+
+From: Jesse Brandeburg
+
+[ Upstream commit 05faf2c0a76581d0a7fdbb8ec46477ba183df95b ]
+
+Since the beginning, the Intel ice driver has counted receive checksum
+offload mismatches into the rx_errors member of the rtnl_link_stats64
+struct. In ethtool -S these show up as rx_csum_bad.nic.
+
+I believe counting these in rx_errors is fundamentally wrong, as it's
+pretty clear from the comments in if_link.h and from every other statistic
+the driver is summing into rx_errors, that all of them would cause a
+"hardware drop" except for the UDP checksum mismatch, as well as the fact
+that all the other causes for rx_errors are L2 reasons, and this L4 UDP
+"mismatch" is an outlier.
+
+A last nail in the coffin is that rx_errors is monitored in production and
+can indicate a bad NIC/cable/Switch port, but instead some random series of
+UDP packets with bad checksums will now trigger this alert. This false
+positive makes the alert useless and affects us as well as other companies.
+
+This packet with presumably a bad UDP checksum is *already* passed to the
+stack, just not marked as offloaded by the hardware/driver. If it is
+dropped by the stack it will show up as UDP_MIB_CSUMERRORS.
+
+And one more thing, none of the other Intel drivers, and at least bnxt_en
+and mlx5 both don't appear to count UDP offload mismatches as rx_errors.
+
+Here is a related customer complaint:
+https://community.intel.com/t5/Ethernet-Products/ice-rx-errros-is-too-sensitive-to-IP-TCP-attack-packets-Intel/td-p/1662125
+
+Fixes: 4f1fe43c920b ("ice: Add more Rx errors to netdev's rx_error counter")
+Cc: Tony Nguyen
+Cc: Jake Keller
+Cc: IWL
+Signed-off-by: Jesse Brandeburg
+Acked-by: Jacob Keller
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/ice/ice_main.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c
+index a337a6826a845..b3ae457b4db6b 100644
+--- a/drivers/net/ethernet/intel/ice/ice_main.c
++++ b/drivers/net/ethernet/intel/ice/ice_main.c
+@@ -5441,7 +5441,6 @@ void ice_update_vsi_stats(struct ice_vsi *vsi)
+ pf->stats.illegal_bytes +
+ pf->stats.rx_len_errors +
+ pf->stats.rx_undersize +
+- pf->hw_csum_rx_error +
+ pf->stats.rx_jabber +
+ pf->stats.rx_fragments +
+ pf->stats.rx_oversize;
+--
+2.51.0
+
diff --git a/queue-5.10/net-bridge-fix-static-key-check.patch b/queue-5.10/net-bridge-fix-static-key-check.patch
new file mode 100644
index 0000000000..f669c463d9
--- /dev/null
+++ b/queue-5.10/net-bridge-fix-static-key-check.patch
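Review bot: The term dropped from the sum is `pf->hw_csum_rx_error`, whose name is not UDP-specific, while the subject and description speak only of UDP checksum mismatches. If that counter also accumulates IP or TCP checksum failures, which this hunk does not show, the description understates what leaves rx_errors. Monitoring that relied on rx_errors to surface checksum failures has to move to `rx_csum_bad.nic` in `ethtool -S` and to UDP_MIB_CSUMERRORS, both named in the description. A comment above the sum in ice_update_vsi_stats() would record the decision, for example `/* hw_csum_rx_error is deliberately not summed: those packets are still passed to the stack */`. The summed statement begins outside the hunk.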
@@ -0,0 +1,40 @@
+From 62b7dec27b692abf005ae97f9d0bc98da59e36af Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 27 Jan 2026 11:19:23 +0100
+Subject: net: bridge: fix static key check
+
+From: Martin Kaiser
+
+[ Upstream commit cc0cf10fdaeadf5542d64a55b5b4120d3df90b7d ]
+
+Fix the check if netfilter's static keys are available. netfilter defines
+and exports static keys if CONFIG_JUMP_LABEL is enabled. (HAVE_JUMP_LABEL
+is never defined.)
+
+Fixes: 971502d77faa ("bridge: netfilter: unroll NF_HOOK helper in bridge input path")
+Signed-off-by: Martin Kaiser
+Reviewed-by: Florian Westphal
+Reviewed-by: Nikolay Aleksandrov
+Link: https://patch.msgid.link/20260127101925.1754425-1-martin@kaiser.cx
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/bridge/br_input.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
+index 52dd0708fd143..f9d4b86e3186d 100644
+--- a/net/bridge/br_input.c
++++ b/net/bridge/br_input.c
+@@ -218,7 +218,7 @@ static int nf_hook_bridge_pre(struct sk_buff *skb, struct sk_buff **pskb)
+ int ret;
+
+ net = dev_net(skb->dev);
+-#ifdef HAVE_JUMP_LABEL
++#ifdef CONFIG_JUMP_LABEL
+ if (!static_key_false(&nf_hooks_needed[NFPROTO_BRIDGE][NF_BR_PRE_ROUTING]))
+ goto frame_finish;
+ #endif
+--
+2.51.0
+
diff --git a/queue-5.10/net-mlx5-add-hw-definitions-of-vport-debug-counters.patch b/queue-5.10/net-mlx5-add-hw-definitions-of-vport-debug-counters.patch
new file mode 100644
index 0000000000..4e8a0e4858
--- /dev/null
+++ b/queue-5.10/net-mlx5-add-hw-definitions-of-vport-debug-counters.patch
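Review bot: With `#ifdef CONFIG_JUMP_LABEL` the `static_key_false(...)` test and its `goto frame_finish` in nf_hook_bridge_pre() are compiled for the first time, because the description states that HAVE_JUMP_LABEL is never defined. For a stable tree this is a behaviour change on every CONFIG_JUMP_LABEL build rather than a spelling fix, so the 5.10 backport should be exercised both with and without a bridge pre-routing hook registered. The shortcut also has no comment; `/* No NFPROTO_BRIDGE pre-routing hook is registered: skip the hook traversal */` above the test would say what the branch is for. The function continues outside the hunk, so what `frame_finish` does is not visible here.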
@@ -0,0 +1,93 @@
+From 0f72403452a108e2fd573d233f8320172afb51bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 8 Jun 2022 13:04:48 -0700
+Subject: net/mlx5: Add HW definitions of vport debug counters
+
+From: Saeed Mahameed
+
+[ Upstream commit 3e94e61bd44d90070dcda53b647fdc826097ef26 ]
+
+total_q_under_processor_handle - number of queues in error state due to an
+async error or errored command.
+
+send_queue_priority_update_flow - number of QP/SQ priority/SL update
+events.
+
+cq_overrun - number of times CQ entered an error state due to an
+overflow.
+
+async_eq_overrun -number of time an EQ mapped to async events was
+overrun.
+
+comp_eq_overrun - number of time an EQ mapped to completion events was
+overrun.
+
+quota_exceeded_command - number of commands issued and failed due to quota
+exceeded.
+
+invalid_command - number of commands issued and failed dues to any reason
+other than quota exceeded.
+
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Michael Guralnik
+Signed-off-by: Saeed Mahameed
+Stable-dep-of: 476681f10cc1 ("net/mlx5e: Account for netdev stats in ndo_get_stats64")
+Signed-off-by: Sasha Levin
+---
+ include/linux/mlx5/mlx5_ifc.h | 23 +++++++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/include/linux/mlx5/mlx5_ifc.h b/include/linux/mlx5/mlx5_ifc.h
+index 88dbb20090805..303cbf0355a2e 100644
+--- a/include/linux/mlx5/mlx5_ifc.h
++++ b/include/linux/mlx5/mlx5_ifc.h
+@@ -1282,7 +1282,8 @@ struct mlx5_ifc_cmd_hca_cap_bits {
+
+ u8 reserved_at_120[0xa];
+ u8 log_max_ra_req_dc[0x6];
+- u8 reserved_at_130[0xa];
++ u8 reserved_at_130[0x9];
++ u8 vnic_env_cq_overrun[0x1];
+ u8 log_max_ra_res_dc[0x6];
+
+ u8 reserved_at_140[0x6];
+@@ -1472,7 +1473,11 @@ struct mlx5_ifc_cmd_hca_cap_bits {
+ u8 nic_receive_steering_discard[0x1];
+ u8 receive_discard_vport_down[0x1];
+ u8 transmit_discard_vport_down[0x1];
+- u8 reserved_at_343[0x5];
++ u8 eq_overrun_count[0x1];
++ u8 reserved_at_344[0x1];
++ u8 invalid_command_count[0x1];
++ u8 quota_exceeded_count[0x1];
++ u8 reserved_at_347[0x1];
+ u8 log_max_flow_counter_bulk[0x8];
+ u8 max_flow_counter_15_0[0x10];
+
+@@ -3128,11 +3133,21 @@ struct mlx5_ifc_vnic_diagnostic_statistics_bits {
+
+ u8 transmit_discard_vport_down[0x40];
+
+- u8 reserved_at_140[0xa0];
++ u8 async_eq_overrun[0x20];
++
++ u8 comp_eq_overrun[0x20];
++
++ u8 reserved_at_180[0x20];
++
++ u8 invalid_command[0x20];
++
++ u8 quota_exceeded_command[0x20];
+
+ u8 internal_rq_out_of_buffer[0x20];
+
+- u8 reserved_at_200[0xe00];
++ u8 cq_overrun[0x20];
++
++ u8 reserved_at_220[0xde0];
+ };
+
+ struct mlx5_ifc_traffic_counter_bits {
+--
+2.51.0
+
diff --git a/queue-5.10/net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch b/queue-5.10/net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch
new file mode 100644
index 0000000000..8790581cf1
--- /dev/null
+++ b/queue-5.10/net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch
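Review bot: The description documents `total_q_under_processor_handle` and `send_queue_priority_update_flow`, but none of the three mlx5_ifc.h hunks adds a field with either name, and the 19 insertions in the diffstat are all accounted for by the lines shown. The bit widths themselves are consistent: `reserved_at_130[0x9]` plus `vnic_env_cq_overrun[0x1]` replaces 0xa bits, the five one-bit entries replace `reserved_at_343[0x5]`, and the new 0x20-bit counters with `reserved_at_180` and `reserved_at_220` replace 0xa0 and 0xe00 bits, so the offsets of the surrounding fields do not move. Because this patch is queued only as a Stable-dep-of prerequisite, a bracketed backport note saying that those two counters are not defined by this change would save a reader from searching the 5.10 tree for them.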
@@ -0,0 +1,46 @@
+From 9db8193d3f9a756b7f38a2e357528f8a1bf27b36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 20 Jan 2026 13:46:40 +0000
+Subject: net/mlx5: Fix memory leak in esw_acl_ingress_lgcy_setup()
+
+From: Zilin Guan
+
+[ Upstream commit 108948f723b13874b7ebf6b3f1cc598a7de38622 ]
+
+In esw_acl_ingress_lgcy_setup(), if esw_acl_table_create() fails,
+the function returns directly without releasing the previously
+created counter, leading to a memory leak.
+
+Fix this by jumping to the out label instead of returning directly,
+which aligns with the error handling logic of other paths in this
+function.
+
+Compile tested only. Issue found using a prototype static analysis tool
+and code review.
+
+Fixes: 07bab9502641 ("net/mlx5: E-Switch, Refactor eswitch ingress acl codes")
+Signed-off-by: Zilin Guan
+Reviewed-by: Tariq Toukan
+Link: https://patch.msgid.link/20260120134640.2717808-1-zilin@seu.edu.cn
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c
+index 45570d0a58d2f..02b2ab7958543 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c
+@@ -185,7 +185,7 @@ int esw_acl_ingress_lgcy_setup(struct mlx5_eswitch *esw,
+ if (IS_ERR(vport->ingress.acl)) {
+ err = PTR_ERR(vport->ingress.acl);
+ vport->ingress.acl = NULL;
+- return err;
++ goto out;
+ }
+
+ err = esw_acl_ingress_lgcy_groups_create(esw, vport);
+--
+2.51.0
+
diff --git a/queue-5.10/net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch b/queue-5.10/net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch
new file mode 100644
index 0000000000..5c008ceec1
--- /dev/null
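Review bot: The new `goto out;` enters the function's shared error path with `vport->ingress.acl` already set to NULL on the line before, and both the `out` label and the cleanup it runs lie outside this hunk. The description says the change was compile tested only, so the backport should confirm that the 5.10 version of that cleanup tolerates a NULL acl and releases the counter exactly once. If it does not, the leak fix would turn into a NULL dereference or a double release on the same error path. A short comment at the jump, such as `/* the out path releases the drop counter created above */`, would make that dependency visible to the next reader.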
+++ b/queue-5.10/net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch 
@@ -0,0 +1,75 @@
+From 4d08288e9cd4d8782fb7d5685d1960f758a2deb8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 26 Jan 2026 09:14:55 +0200
+Subject: net/mlx5e: Account for netdev stats in ndo_get_stats64
+
+From: Gal Pressman
+
+[ Upstream commit 476681f10cc1e0e56e26856684e75d4678b072b2 ]
+
+The driver's ndo_get_stats64 callback is only reporting mlx5 counters,
+without accounting for the netdev stats, causing errors from the network
+stack to be invisible in statistics.
+
+Add netdev_stats_to_stats64() call to first populate the counters, then
+add mlx5 counters on top, ensuring both are accounted for (where
+appropriate).
+
+Fixes: f62b8bb8f2d3 ("net/mlx5: Extend mlx5_core to support ConnectX-4 Ethernet functionality")
+Signed-off-by: Gal Pressman
+Signed-off-by: Tariq Toukan
+Reviewed-by: Simon Horman
+Link: https://patch.msgid.link/1769411695-18820-4-git-send-email-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ .../net/ethernet/mellanox/mlx5/core/en_main.c | 20 ++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index 36f5d5e449209..9c5ccbaa160b1 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -3679,6 +3679,8 @@ mlx5e_get_stats(struct net_device *dev, struct rtnl_link_stats64 *stats)
+ mlx5e_queue_update_stats(priv);
+ }
+
++ netdev_stats_to_stats64(stats, &dev->stats);
++
+ if (mlx5e_is_uplink_rep(priv)) {
+ struct mlx5e_vport_stats *vstats = &priv->stats.vport;
+
+@@ -3695,21 +3697,21 @@ mlx5e_get_stats(struct net_device *dev, struct rtnl_link_stats64 *stats)
+ mlx5e_fold_sw_stats64(priv, stats);
+ }
+
+- stats->rx_missed_errors = priv->stats.qcnt.rx_out_of_buffer;
+- stats->rx_dropped = PPORT_2863_GET(pstats, if_in_discards);
++ stats->rx_missed_errors += priv->stats.qcnt.rx_out_of_buffer;
++ stats->rx_dropped += PPORT_2863_GET(pstats, if_in_discards);
+
+- stats->rx_length_errors =
++ stats->rx_length_errors +=
+ PPORT_802_3_GET(pstats, a_in_range_length_errors) +
+ PPORT_802_3_GET(pstats, a_out_of_range_length_field) +
+ PPORT_802_3_GET(pstats, a_frame_too_long_errors) +
+ VNIC_ENV_GET(&priv->stats.vnic, eth_wqe_too_small);
+- stats->rx_crc_errors =
++ stats->rx_crc_errors +=
+ PPORT_802_3_GET(pstats, a_frame_check_sequence_errors);
+- stats->rx_frame_errors = PPORT_802_3_GET(pstats, a_alignment_errors);
+- stats->tx_aborted_errors = PPORT_2863_GET(pstats, if_out_discards);
+- stats->rx_errors = stats->rx_length_errors + stats->rx_crc_errors +
+- stats->rx_frame_errors;
+- stats->tx_errors = stats->tx_aborted_errors + stats->tx_carrier_errors;
++ stats->rx_frame_errors += PPORT_802_3_GET(pstats, a_alignment_errors);
++ stats->tx_aborted_errors += PPORT_2863_GET(pstats, if_out_discards);
++ stats->rx_errors += stats->rx_length_errors + stats->rx_crc_errors +
++ stats->rx_frame_errors;
++ stats->tx_errors += stats->tx_aborted_errors + stats->tx_carrier_errors;
+ }
+
+ static void mlx5e_set_rx_mode(struct net_device *dev)
+--
+2.51.0
+
diff --git a/queue-5.10/net-mlx5e-expose-rx_oversize_pkts_buffer-counter.patch b/queue-5.10/net-mlx5e-expose-rx_oversize_pkts_buffer-counter.patch
new file mode 100644
index 0000000000..00b1cfc071
--- /dev/null
+++ b/queue-5.10/net-mlx5e-expose-rx_oversize_pkts_buffer-counter.patch
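Review bot: The new `stats->rx_errors += stats->rx_length_errors + stats->rx_crc_errors + stats->rx_frame_errors;` may count stack-reported errors twice. Each of those components now already holds the value copied in by `netdev_stats_to_stats64(stats, &dev->stats)`, and rx_errors itself also starts from dev->stats. If the stack ever increments dev->stats.rx_errors together with one of those components for the same packet, that event lands in rx_errors twice, and `stats->tx_errors += ...` has the same shape; whether this happens for this driver is not visible in the hunk. A comment above the `netdev_stats_to_stats64()` call naming which netdev counters are expected to be non-zero would pin down the description's "(where appropriate)". The uplink-representor branch and `mlx5e_fold_sw_stats64()` are only partly inside the hunks, so it cannot be checked here whether they assign with `=` and discard the copied values.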
@@ -0,0 +1,142 @@ +From 51e11b92cbf62b5b03c103f0fe915c6a1e5d1e12 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Oct 2022 21:56:27 -0700 +Subject: net/mlx5e: Expose rx_oversize_pkts_buffer counter + +From: Gal Pressman + +[ Upstream commit 16ab85e78439bab1201ff26ba430231d1574b4ae ] + +Add the rx_oversize_pkts_buffer counter to ethtool statistics. +This counter exposes the number of dropped received packets due to +length which arrived to RQ and exceed software buffer size allocated by +the device for incoming traffic. It might imply that the device MTU is +larger than the software buffers size. + +Signed-off-by: Gal Pressman +Reviewed-by: Tariq Toukan +Signed-off-by: Saeed Mahameed +Signed-off-by: Jakub Kicinski +Stable-dep-of: 476681f10cc1 ("net/mlx5e: Account for netdev stats in ndo_get_stats64") +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/en_main.c | 3 ++- + .../ethernet/mellanox/mlx5/core/en_stats.c | 21 ++++++++++++++++++- + .../ethernet/mellanox/mlx5/core/en_stats.h | 4 ++++ + include/linux/mlx5/mlx5_ifc.h | 8 +++++-- + 4 files changed, 32 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index c3ff1fc577a7c..af98d9e59626d 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -3700,7 +3700,8 @@ mlx5e_get_stats(struct net_device *dev, struct rtnl_link_stats64 *stats) + stats->rx_length_errors = + PPORT_802_3_GET(pstats, a_in_range_length_errors) + + PPORT_802_3_GET(pstats, a_out_of_range_length_field) + +- PPORT_802_3_GET(pstats, a_frame_too_long_errors); ++ PPORT_802_3_GET(pstats, a_frame_too_long_errors) + ++ VNIC_ENV_GET(&priv->stats.vnic, eth_wqe_too_small); + stats->rx_crc_errors = + PPORT_802_3_GET(pstats, a_frame_check_sequence_errors); + stats->rx_frame_errors = PPORT_802_3_GET(pstats, a_alignment_errors); +diff --git 
a/drivers/net/ethernet/mellanox/mlx5/core/en_stats.c b/drivers/net/ethernet/mellanox/mlx5/core/en_stats.c +index ff4f10d0f090b..96d537bc0b8fc 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_stats.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_stats.c +@@ -489,17 +489,26 @@ static const struct counter_desc vnic_env_stats_dev_oob_desc[] = { + VNIC_ENV_OFF(vport_env.internal_rq_out_of_buffer) }, + }; + ++static const struct counter_desc vnic_env_stats_drop_desc[] = { ++ { "rx_oversize_pkts_buffer", ++ VNIC_ENV_OFF(vport_env.eth_wqe_too_small) }, ++}; ++ + #define NUM_VNIC_ENV_STEER_COUNTERS(dev) \ + (MLX5_CAP_GEN(dev, nic_receive_steering_discard) ? \ + ARRAY_SIZE(vnic_env_stats_steer_desc) : 0) + #define NUM_VNIC_ENV_DEV_OOB_COUNTERS(dev) \ + (MLX5_CAP_GEN(dev, vnic_env_int_rq_oob) ? \ + ARRAY_SIZE(vnic_env_stats_dev_oob_desc) : 0) ++#define NUM_VNIC_ENV_DROP_COUNTERS(dev) \ ++ (MLX5_CAP_GEN(dev, eth_wqe_too_small) ? \ ++ ARRAY_SIZE(vnic_env_stats_drop_desc) : 0) + + static MLX5E_DECLARE_STATS_GRP_OP_NUM_STATS(vnic_env) + { + return NUM_VNIC_ENV_STEER_COUNTERS(priv->mdev) + +- NUM_VNIC_ENV_DEV_OOB_COUNTERS(priv->mdev); ++ NUM_VNIC_ENV_DEV_OOB_COUNTERS(priv->mdev) + ++ NUM_VNIC_ENV_DROP_COUNTERS(priv->mdev); + } + + static MLX5E_DECLARE_STATS_GRP_OP_FILL_STRS(vnic_env) +@@ -513,6 +522,11 @@ static MLX5E_DECLARE_STATS_GRP_OP_FILL_STRS(vnic_env) + for (i = 0; i < NUM_VNIC_ENV_DEV_OOB_COUNTERS(priv->mdev); i++) + strcpy(data + (idx++) * ETH_GSTRING_LEN, + vnic_env_stats_dev_oob_desc[i].format); ++ ++ for (i = 0; i < NUM_VNIC_ENV_DROP_COUNTERS(priv->mdev); i++) ++ strcpy(data + (idx++) * ETH_GSTRING_LEN, ++ vnic_env_stats_drop_desc[i].format); ++ + return idx; + } + +@@ -527,6 +541,11 @@ static MLX5E_DECLARE_STATS_GRP_OP_FILL_STATS(vnic_env) + for (i = 0; i < NUM_VNIC_ENV_DEV_OOB_COUNTERS(priv->mdev); i++) + data[idx++] = MLX5E_READ_CTR32_BE(priv->stats.vnic.query_vnic_env_out, + vnic_env_stats_dev_oob_desc, i); ++ ++ for (i = 0; i < 
NUM_VNIC_ENV_DROP_COUNTERS(priv->mdev); i++) ++ data[idx++] = MLX5E_READ_CTR32_BE(priv->stats.vnic.query_vnic_env_out, ++ vnic_env_stats_drop_desc, i); ++ + return idx; + } + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_stats.h b/drivers/net/ethernet/mellanox/mlx5/core/en_stats.h +index 162daaadb0d8a..8813989f3f109 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_stats.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_stats.h +@@ -239,6 +239,10 @@ struct mlx5e_qcounter_stats { + u32 rx_if_down_packets; + }; + ++#define VNIC_ENV_GET(vnic_env_stats, c) \ ++ MLX5_GET(query_vnic_env_out, (vnic_env_stats)->query_vnic_env_out, \ ++ vport_env.c) ++ + struct mlx5e_vnic_env_stats { + __be64 query_vnic_env_out[MLX5_ST_SZ_QW(query_vnic_env_out)]; + }; +diff --git a/include/linux/mlx5/mlx5_ifc.h b/include/linux/mlx5/mlx5_ifc.h +index 303cbf0355a2e..705d8798bed5f 100644 +--- a/include/linux/mlx5/mlx5_ifc.h ++++ b/include/linux/mlx5/mlx5_ifc.h +@@ -1282,7 +1282,9 @@ struct mlx5_ifc_cmd_hca_cap_bits { + + u8 reserved_at_120[0xa]; + u8 log_max_ra_req_dc[0x6]; +- u8 reserved_at_130[0x9]; ++ u8 reserved_at_130[0x2]; ++ u8 eth_wqe_too_small[0x1]; ++ u8 reserved_at_133[0x6]; + u8 vnic_env_cq_overrun[0x1]; + u8 log_max_ra_res_dc[0x6]; + +@@ -3147,7 +3149,9 @@ struct mlx5_ifc_vnic_diagnostic_statistics_bits { + + u8 cq_overrun[0x20]; + +- u8 reserved_at_220[0xde0]; ++ u8 eth_wqe_too_small[0x20]; ++ ++ u8 reserved_at_220[0xdc0]; + }; + + struct mlx5_ifc_traffic_counter_bits { +-- +2.51.0 + diff --git a/queue-5.10/net-mlx5e-report-rx_discards_phy-via-rx_dropped.patch b/queue-5.10/net-mlx5e-report-rx_discards_phy-via-rx_dropped.patch new file mode 100644 index 0000000000..5096a66798 --- /dev/null +++ b/queue-5.10/net-mlx5e-report-rx_discards_phy-via-rx_dropped.patch 
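Review bot: The en_main.c hunk adds `VNIC_ENV_GET(&priv->stats.vnic, eth_wqe_too_small)` to `rx_length_errors` unconditionally, while the ethtool path in en_stats.c exposes the same field only when `MLX5_CAP_GEN(dev, eth_wqe_too_small)` is set (`NUM_VNIC_ENV_DROP_COUNTERS`). On devices without the capability this reads bits that the old layout treated as reserved; they are presumably zero, but nothing in the hunk shows it, so either gate the addend on the capability or say why it is safe, e.g. `/* reads as 0 when eth_wqe_too_small is not supported */`. In mlx5_ifc.h the trailing block keeps the name `reserved_at_220` although a 0x20-bit field was inserted in front of it, unlike the `reserved_at_130`/`reserved_at_133` split in the first mlx5_ifc.h hunk, so the name and the offset disagree either before or after this change.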
@@ -0,0 +1,50 @@ +From b55a17e169396a16eba016b9b19eb01c9be08029 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Dec 2024 10:27:06 +0800 +Subject: net/mlx5e: Report rx_discards_phy via rx_dropped +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Yafang Shao + +[ Upstream commit c9cfced17365b1df8c6ae6cd5db56aebd7ed9b57 ] + +We noticed a high number of rx_discards_phy events on certain servers while +running `ethtool -S`. However, this critical counter is not currently +included in the standard /proc/net/dev statistics file, making it difficult +to monitor effectively—especially given the diversity of vendors across a +large fleet of servers. + +Let's report it via the standard rx_dropped metric. + +Suggested-by: Jakub Kicinski +Signed-off-by: Yafang Shao +Cc: Saeed Mahameed +Cc: Leon Romanovsky +Cc: Gal Pressman +Reviewed-by: Simon Horman +Reviewed-by: Tariq Toukan +Link: https://patch.msgid.link/20241210022706.6665-1-laoar.shao@gmail.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: 476681f10cc1 ("net/mlx5e: Account for netdev stats in ndo_get_stats64") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index af98d9e59626d..36f5d5e449209 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -3696,6 +3696,7 @@ mlx5e_get_stats(struct net_device *dev, struct rtnl_link_stats64 *stats) + } + + stats->rx_missed_errors = priv->stats.qcnt.rx_out_of_buffer; ++ stats->rx_dropped = PPORT_2863_GET(pstats, if_in_discards); + + stats->rx_length_errors = + PPORT_802_3_GET(pstats, a_in_range_length_errors) + +-- +2.51.0 + 
diff --git a/queue-5.10/net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch b/queue-5.10/net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch
new file mode 100644
index 0000000000..6f0cbf0142
--- /dev/null
+++ b/queue-5.10/net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch
@@ -0,0 +1,48 @@ +From 411d82cc33bb0842428fdb280057d7638e73fdb1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Jan 2026 06:57:16 +0000 +Subject: net: mvpp2: cls: Fix memory leak in mvpp2_ethtool_cls_rule_ins() + +From: Zilin Guan + +[ Upstream commit 09f979d1f312627b31d2ee1e46f9692e442610cd ] + +In mvpp2_ethtool_cls_rule_ins(), the ethtool_rule is allocated by +ethtool_rx_flow_rule_create(). If the subsequent conversion to flow +type fails, the function jumps to the clean_rule label. + +However, the clean_rule label only frees efs, skipping the cleanup +of ethtool_rule, which leads to a memory leak. + +Fix this by jumping to the clean_eth_rule label, which properly calls +ethtool_rx_flow_rule_destroy() before freeing efs. + +Compile tested only. Issue found using a prototype static analysis tool +and code review. + +Fixes: f4f1ba18195d ("net: mvpp2: cls: Report an error for unsupported flow types") +Signed-off-by: Zilin Guan +Reviewed-by: Maxime Chevallier +Link: https://patch.msgid.link/20260123065716.2248324-1-zilin@seu.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c +index 3ad1327395877..821cc5aa4a7b4 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c +@@ -1383,7 +1383,7 @@ int mvpp2_ethtool_cls_rule_ins(struct mvpp2_port *port, + efs->rule.flow_type = mvpp2_cls_ethtool_flow_to_type(info->fs.flow_type); + if (efs->rule.flow_type < 0) { + ret = efs->rule.flow_type; +- goto clean_rule; ++ goto clean_eth_rule; + } + + ret = mvpp2_cls_rfs_parse_rule(&efs->rule); +-- +2.51.0 + 
diff --git a/queue-5.10/nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch b/queue-5.10/nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch
new file mode 100644
index 0000000000..d739bc5548
--- /dev/null
+++ b/queue-5.10/nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch
@@ -0,0 +1,167 @@ +From 9ced466bb99ca5196d7b6b83fcbf3a0f8c5b139d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 25 Jan 2026 00:59:28 +0000 +Subject: nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame(). + +From: Kuniyuki Iwashima + +[ Upstream commit 165c34fb6068ff153e3fc99a932a80a9d5755709 ] + +syzbot reported various memory leaks related to NFC, struct +nfc_llcp_sock, sk_buff, nfc_dev, etc. [0] + +The leading log hinted that nfc_llcp_send_ui_frame() failed +to allocate skb due to sock_error(sk) being -ENXIO. + +ENXIO is set by nfc_llcp_socket_release() when struct +nfc_llcp_local is destroyed by local_cleanup(). + +The problem is that there is no synchronisation between +nfc_llcp_send_ui_frame() and local_cleanup(), and skb +could be put into local->tx_queue after it was purged in +local_cleanup(): + + CPU1 CPU2 + ---- ---- + nfc_llcp_send_ui_frame() local_cleanup() + |- do { ' + |- pdu = nfc_alloc_send_skb(..., &err) + | . + | |- nfc_llcp_socket_release(local, false, ENXIO); + | |- skb_queue_purge(&local->tx_queue); | + | ' | + |- skb_queue_tail(&local->tx_queue, pdu); | + ... | + |- pdu = nfc_alloc_send_skb(..., &err) | + ^._________________________________.' + +local_cleanup() is called for struct nfc_llcp_local only +after nfc_llcp_remove_local() unlinks it from llcp_devices. + +If we hold local->tx_queue.lock then, we can synchronise +the thread and nfc_llcp_send_ui_frame(). + +Let's do that and check list_empty(&local->list) before +queuing skb to local->tx_queue in nfc_llcp_send_ui_frame(). + +[0]: +[ 56.074943][ T6096] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6) +[ 64.318868][ T5813] kmemleak: 6 new suspected memory leaks (see /sys/kernel/debug/kmemleak) +BUG: memory leak +unreferenced object 0xffff8881272f6800 (size 1024): + comm "syz.0.17", pid 6096, jiffies 4294942766 + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
+ 27 00 03 40 00 00 00 00 00 00 00 00 00 00 00 00 '..@............ + backtrace (crc da58d84d): + kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] + slab_post_alloc_hook mm/slub.c:4979 [inline] + slab_alloc_node mm/slub.c:5284 [inline] + __do_kmalloc_node mm/slub.c:5645 [inline] + __kmalloc_noprof+0x3e3/0x6b0 mm/slub.c:5658 + kmalloc_noprof include/linux/slab.h:961 [inline] + sk_prot_alloc+0x11a/0x1b0 net/core/sock.c:2239 + sk_alloc+0x36/0x360 net/core/sock.c:2295 + nfc_llcp_sock_alloc+0x37/0x130 net/nfc/llcp_sock.c:979 + llcp_sock_create+0x71/0xd0 net/nfc/llcp_sock.c:1044 + nfc_sock_create+0xc9/0xf0 net/nfc/af_nfc.c:31 + __sock_create+0x1a9/0x340 net/socket.c:1605 + sock_create net/socket.c:1663 [inline] + __sys_socket_create net/socket.c:1700 [inline] + __sys_socket+0xb9/0x1a0 net/socket.c:1747 + __do_sys_socket net/socket.c:1761 [inline] + __se_sys_socket net/socket.c:1759 [inline] + __x64_sys_socket+0x1b/0x30 net/socket.c:1759 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +BUG: memory leak +unreferenced object 0xffff88810fbd9800 (size 240): + comm "syz.0.17", pid 6096, jiffies 4294942850 + hex dump (first 32 bytes): + 68 f0 ff 08 81 88 ff ff 68 f0 ff 08 81 88 ff ff h.......h....... + 00 00 00 00 00 00 00 00 00 68 2f 27 81 88 ff ff .........h/'.... 
+ backtrace (crc 6cc652b1): + kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] + slab_post_alloc_hook mm/slub.c:4979 [inline] + slab_alloc_node mm/slub.c:5284 [inline] + kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5336 + __alloc_skb+0x203/0x240 net/core/skbuff.c:660 + alloc_skb include/linux/skbuff.h:1383 [inline] + alloc_skb_with_frags+0x69/0x3f0 net/core/skbuff.c:6671 + sock_alloc_send_pskb+0x379/0x3e0 net/core/sock.c:2965 + sock_alloc_send_skb include/net/sock.h:1859 [inline] + nfc_alloc_send_skb+0x45/0x80 net/nfc/core.c:724 + nfc_llcp_send_ui_frame+0x162/0x360 net/nfc/llcp_commands.c:766 + llcp_sock_sendmsg+0x14c/0x1d0 net/nfc/llcp_sock.c:814 + sock_sendmsg_nosec net/socket.c:727 [inline] + __sock_sendmsg net/socket.c:742 [inline] + __sys_sendto+0x2d8/0x2f0 net/socket.c:2244 + __do_sys_sendto net/socket.c:2251 [inline] + __se_sys_sendto net/socket.c:2247 [inline] + __x64_sys_sendto+0x28/0x30 net/socket.c:2247 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: 94f418a20664 ("NFC: UI frame sending routine implementation") +Reported-by: syzbot+f2d245f1d76bbfa50e4c@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/697569c7.a00a0220.33ccc7.0014.GAE@google.com/T/#u +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20260125010214.1572439-1-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/nfc/llcp_commands.c | 17 ++++++++++++++++- + net/nfc/llcp_core.c | 4 +++- + 2 files changed, 19 insertions(+), 2 deletions(-) + +diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c +index 5b8754ae7d3af..706da71c5f298 100644 +--- a/net/nfc/llcp_commands.c ++++ b/net/nfc/llcp_commands.c +@@ -786,8 +786,23 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap, + if (likely(frag_len > 0)) + skb_put_data(pdu, msg_ptr, 
frag_len); + ++ spin_lock(&local->tx_queue.lock); ++ ++ if (list_empty(&local->list)) { ++ spin_unlock(&local->tx_queue.lock); ++ ++ kfree_skb(pdu); ++ ++ len -= remaining_len; ++ if (len == 0) ++ len = -ENXIO; ++ break; ++ } ++ + /* No need to check for the peer RW for UI frames */ +- skb_queue_tail(&local->tx_queue, pdu); ++ __skb_queue_tail(&local->tx_queue, pdu); ++ ++ spin_unlock(&local->tx_queue.lock); + + remaining_len -= frag_len; + msg_ptr += frag_len; +diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c +index da3cb0d29b972..504245aeb4e2a 100644 +--- a/net/nfc/llcp_core.c ++++ b/net/nfc/llcp_core.c +@@ -316,7 +316,9 @@ static struct nfc_llcp_local *nfc_llcp_remove_local(struct nfc_dev *dev) + spin_lock(&llcp_devices_lock); + list_for_each_entry_safe(local, tmp, &llcp_devices, list) + if (local->dev == dev) { +- list_del(&local->list); ++ spin_lock(&local->tx_queue.lock); ++ list_del_init(&local->list); ++ spin_unlock(&local->tx_queue.lock); + spin_unlock(&llcp_devices_lock); + return local; + } +-- +2.51.0 + diff --git a/queue-5.10/nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch b/queue-5.10/nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch new file mode 100644 index 0000000000..9cdbff2151 --- /dev/null +++ b/queue-5.10/nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch 
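Review bot: The llcp_commands.c hunk replaces `skb_queue_tail()` with an open-coded `spin_lock(&local->tx_queue.lock)` / `__skb_queue_tail()`, which drops the interrupt-disabling that the `skb_queue_*()` helpers perform on the same lock. That is only safe if `tx_queue.lock` is never taken from interrupt or softirq context, which the hunk does not show and should be checked against the 5.10 tree this is queued for. The llcp_core.c hunk also introduces a nesting of `tx_queue.lock` inside `llcp_devices_lock`; a comment at the `list_del_init()` such as `/* tx_queue.lock orders the unlink against the list_empty() check in nfc_llcp_send_ui_frame() */` would keep the pairing from being lost in later edits. Both functions extend beyond their hunks.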
@@ -0,0 +1,197 @@ +From 67d20a761920405c09dbc88d742cd58741170c4b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Jan 2026 04:03:59 +0000 +Subject: nfc: nci: Fix race between rfkill and nci_unregister_device(). + +From: Kuniyuki Iwashima + +[ Upstream commit d2492688bb9fed6ab6e313682c387ae71a66ebae ] + +syzbot reported the splat below [0] without a repro. + +It indicates that struct nci_dev.cmd_wq had been destroyed before +nci_close_device() was called via rfkill. + +nci_dev.cmd_wq is only destroyed in nci_unregister_device(), which +(I think) was called from virtual_ncidev_close() when syzbot close()d +an fd of virtual_ncidev. + +The problem is that nci_unregister_device() destroys nci_dev.cmd_wq +first and then calls nfc_unregister_device(), which removes the +device from rfkill by rfkill_unregister(). + +So, the device is still visible via rfkill even after nci_dev.cmd_wq +is destroyed. + +Let's unregister the device from rfkill first in nci_unregister_device(). + +Note that we cannot call nfc_unregister_device() before +nci_close_device() because + + 1) nfc_unregister_device() calls device_del() which frees + all memory allocated by devm_kzalloc() and linked to + ndev->conn_info_list + + 2) nci_rx_work() could try to queue nci_conn_info to + ndev->conn_info_list which could be leaked + +Thus, nfc_unregister_device() is split into two functions so we +can remove rfkill interfaces only before nci_close_device(). 
+ +[0]: +DEBUG_LOCKS_WARN_ON(1) +WARNING: kernel/locking/lockdep.c:238 at hlock_class kernel/locking/lockdep.c:238 [inline], CPU#0: syz.0.8675/6349 +WARNING: kernel/locking/lockdep.c:238 at check_wait_context kernel/locking/lockdep.c:4854 [inline], CPU#0: syz.0.8675/6349 +WARNING: kernel/locking/lockdep.c:238 at __lock_acquire+0x39d/0x2cf0 kernel/locking/lockdep.c:5187, CPU#0: syz.0.8675/6349 +Modules linked in: +CPU: 0 UID: 0 PID: 6349 Comm: syz.0.8675 Not tainted syzkaller #0 PREEMPT(full) +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026 +RIP: 0010:hlock_class kernel/locking/lockdep.c:238 [inline] +RIP: 0010:check_wait_context kernel/locking/lockdep.c:4854 [inline] +RIP: 0010:__lock_acquire+0x3a4/0x2cf0 kernel/locking/lockdep.c:5187 +Code: 18 00 4c 8b 74 24 08 75 27 90 e8 17 f2 fc 02 85 c0 74 1c 83 3d 50 e0 4e 0e 00 75 13 48 8d 3d 43 f7 51 0e 48 c7 c6 8b 3a de 8d <67> 48 0f b9 3a 90 31 c0 0f b6 98 c4 00 00 00 41 8b 45 20 25 ff 1f +RSP: 0018:ffffc9000c767680 EFLAGS: 00010046 +RAX: 0000000000000001 RBX: 0000000000040000 RCX: 0000000000080000 +RDX: ffffc90013080000 RSI: ffffffff8dde3a8b RDI: ffffffff8ff24ca0 +RBP: 0000000000000003 R08: ffffffff8fef35a3 R09: 1ffffffff1fde6b4 +R10: dffffc0000000000 R11: fffffbfff1fde6b5 R12: 00000000000012a2 +R13: ffff888030338ba8 R14: ffff888030338000 R15: ffff888030338b30 +FS: 00007fa5995f66c0(0000) GS:ffff8881256f8000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f7e72f842d0 CR3: 00000000485a0000 CR4: 00000000003526f0 +Call Trace: + + lock_acquire+0x106/0x330 kernel/locking/lockdep.c:5868 + touch_wq_lockdep_map+0xcb/0x180 kernel/workqueue.c:3940 + __flush_workqueue+0x14b/0x14f0 kernel/workqueue.c:3982 + nci_close_device+0x302/0x630 net/nfc/nci/core.c:567 + nci_dev_down+0x3b/0x50 net/nfc/nci/core.c:639 + nfc_dev_down+0x152/0x290 net/nfc/core.c:161 + nfc_rfkill_set_block+0x2d/0x100 net/nfc/core.c:179 + rfkill_set_block+0x1d2/0x440 
net/rfkill/core.c:346 + rfkill_fop_write+0x461/0x5a0 net/rfkill/core.c:1301 + vfs_write+0x29a/0xb90 fs/read_write.c:684 + ksys_write+0x150/0x270 fs/read_write.c:738 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7fa59b39acb9 +Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007fa5995f6028 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +RAX: ffffffffffffffda RBX: 00007fa59b615fa0 RCX: 00007fa59b39acb9 +RDX: 0000000000000008 RSI: 0000200000000080 RDI: 0000000000000007 +RBP: 00007fa59b408bf7 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007fa59b616038 R14: 00007fa59b615fa0 R15: 00007ffc82218788 + + +Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation") +Reported-by: syzbot+f9c5fd1a0874f9069dce@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/695e7f56.050a0220.1c677c.036c.GAE@google.com/ +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20260127040411.494931-1-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/nfc/nfc.h | 2 ++ + net/nfc/core.c | 27 ++++++++++++++++++++++++--- + net/nfc/nci/core.c | 4 +++- + 3 files changed, 29 insertions(+), 4 deletions(-) + +diff --git a/include/net/nfc/nfc.h b/include/net/nfc/nfc.h +index 32890e43f06cc..91f153d0bbb08 100644 +--- a/include/net/nfc/nfc.h ++++ b/include/net/nfc/nfc.h +@@ -215,6 +215,8 @@ static inline void nfc_free_device(struct nfc_dev *dev) + + int nfc_register_device(struct nfc_dev *dev); + ++void nfc_unregister_rfkill(struct nfc_dev *dev); ++void nfc_remove_device(struct nfc_dev *dev); + void nfc_unregister_device(struct nfc_dev *dev); + + /** +diff --git 
a/net/nfc/core.c b/net/nfc/core.c +index 00cb55e2528d1..2e32af33df7db 100644 +--- a/net/nfc/core.c ++++ b/net/nfc/core.c +@@ -1139,14 +1139,14 @@ int nfc_register_device(struct nfc_dev *dev) + EXPORT_SYMBOL(nfc_register_device); + + /** +- * nfc_unregister_device - unregister a nfc device in the nfc subsystem ++ * nfc_unregister_rfkill - unregister a nfc device in the rfkill subsystem + * + * @dev: The nfc device to unregister + */ +-void nfc_unregister_device(struct nfc_dev *dev) ++void nfc_unregister_rfkill(struct nfc_dev *dev) + { +- int rc; + struct rfkill *rfk = NULL; ++ int rc; + + pr_debug("dev_name=%s\n", dev_name(&dev->dev)); + +@@ -1167,7 +1167,16 @@ void nfc_unregister_device(struct nfc_dev *dev) + rfkill_unregister(rfk); + rfkill_destroy(rfk); + } ++} ++EXPORT_SYMBOL(nfc_unregister_rfkill); + ++/** ++ * nfc_remove_device - remove a nfc device in the nfc subsystem ++ * ++ * @dev: The nfc device to remove ++ */ ++void nfc_remove_device(struct nfc_dev *dev) ++{ + if (dev->ops->check_presence) { + del_timer_sync(&dev->check_pres_timer); + cancel_work_sync(&dev->check_pres_work); +@@ -1180,6 +1189,18 @@ void nfc_unregister_device(struct nfc_dev *dev) + device_del(&dev->dev); + mutex_unlock(&nfc_devlist_mutex); + } ++EXPORT_SYMBOL(nfc_remove_device); ++ ++/** ++ * nfc_unregister_device - unregister a nfc device in the nfc subsystem ++ * ++ * @dev: The nfc device to unregister ++ */ ++void nfc_unregister_device(struct nfc_dev *dev) ++{ ++ nfc_unregister_rfkill(dev); ++ nfc_remove_device(dev); ++} + EXPORT_SYMBOL(nfc_unregister_device); + + static int __init nfc_init(void) +diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c +index 3182b4228cfa4..3514686eb53f9 100644 +--- a/net/nfc/nci/core.c ++++ b/net/nfc/nci/core.c +@@ -1281,6 +1281,8 @@ void nci_unregister_device(struct nci_dev *ndev) + { + struct nci_conn_info *conn_info, *n; + ++ nfc_unregister_rfkill(ndev->nfc_dev); ++ + /* This set_bit is not protected with specialized barrier, + * However, it is fine 
because the mutex_lock(&ndev->req_lock); + * in nci_close_device() will help to emit one. +@@ -1298,7 +1300,7 @@ void nci_unregister_device(struct nci_dev *ndev) + /* conn_info is allocated with devm_kzalloc */ + } + +- nfc_unregister_device(ndev->nfc_dev); ++ nfc_remove_device(ndev->nfc_dev); + } + EXPORT_SYMBOL(nci_unregister_device); + +-- +2.51.0 + diff --git a/queue-5.10/rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch b/queue-5.10/rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch new file mode 100644 index 0000000000..58670ba9af --- /dev/null +++ b/queue-5.10/rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch 
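Review bot: The kernel-doc added for `nfc_unregister_rfkill()` and `nfc_remove_device()` in net/nfc/core.c does not state the ordering contract that is the reason for the split. Both are exported, so a driver can now call them individually; the comments should say that `nfc_unregister_rfkill()` must run before the device's resources are torn down and before `nfc_remove_device()`, and that `nfc_unregister_device()` already does both. It is also not visible in the hunk whether `nfc_unregister_rfkill()` tolerates being called twice (for example when followed by `nfc_unregister_device()`), which deserves a line in the same comment.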
@@ -0,0 +1,56 @@ +From aafc87719839b2385e05a4dd793a2b7599ab0e0c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 24 Jan 2026 05:10:31 +0800 +Subject: rocker: fix memory leak in rocker_world_port_post_fini() + +From: Kery Qi + +[ Upstream commit 8d7ba71e46216b8657a82ca2ec118bc93812a4d0 ] + +In rocker_world_port_pre_init(), rocker_port->wpriv is allocated with +kzalloc(wops->port_priv_size, GFP_KERNEL). However, in +rocker_world_port_post_fini(), the memory is only freed when +wops->port_post_fini callback is set: + + if (!wops->port_post_fini) + return; + wops->port_post_fini(rocker_port); + kfree(rocker_port->wpriv); + +Since rocker_ofdpa_ops does not implement port_post_fini callback +(it is NULL), the wpriv memory allocated for each port is never freed +when ports are removed. This leads to a memory leak of +sizeof(struct ofdpa_port) bytes per port on every device removal. + +Fix this by always calling kfree(rocker_port->wpriv) regardless of +whether the port_post_fini callback exists. + +Fixes: e420114eef4a ("rocker: introduce worlds infrastructure") +Signed-off-by: Kery Qi +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20260123211030.2109-2-qikeyu2017@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/rocker/rocker_main.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/rocker/rocker_main.c b/drivers/net/ethernet/rocker/rocker_main.c +index ec90f75289dbe..4073e3852adb5 100644 +--- a/drivers/net/ethernet/rocker/rocker_main.c ++++ b/drivers/net/ethernet/rocker/rocker_main.c +@@ -1525,9 +1525,8 @@ static void rocker_world_port_post_fini(struct rocker_port *rocker_port) + { + struct rocker_world_ops *wops = rocker_port->rocker->wops; + +- if (!wops->port_post_fini) +- return; +- wops->port_post_fini(rocker_port); ++ if (wops->port_post_fini) ++ wops->port_post_fini(rocker_port); + kfree(rocker_port->wpriv); + } + +-- +2.51.0 + 
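Review bot: `kfree(rocker_port->wpriv);` now runs on every teardown, but the freed pointer is left in `rocker_port`. Whether `rocker_port` is touched again after `rocker_world_port_post_fini()` is not visible here; adding `rocker_port->wpriv = NULL;` after the `kfree()` would turn any later use or repeated fini into a NULL dereference or a no-op free instead of a use-after-free or double free.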
diff --git a/queue-5.10/series b/queue-5.10/series
index b0635d0755..ede948d733 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -118,3 +118,15 @@ bpf-reject-narrower-access-to-pointer-ctx-fields.patch
 fbdev-fbcon-properly-revert-changes-when-vc_resize-failed.patch
 fbdev-fbcon-release-buffer-when-fbcon_do_set_font-failed.patch
 fbcon-always-restore-the-old-font-data-in-fbcon_do_set_font.patch
+bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch
+net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch
+net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch
+rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch
+nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch
+ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch
+net-mlx5-add-hw-definitions-of-vport-debug-counters.patch
+net-mlx5e-expose-rx_oversize_pkts_buffer-counter.patch
+net-mlx5e-report-rx_discards_phy-via-rx_dropped.patch
+net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch
+nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch
+net-bridge-fix-static-key-check.patch
diff --git a/queue-5.15/bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch b/queue-5.15/bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch
new file mode 100644
index 0000000000..ef25201b54
--- /dev/null
+++ b/queue-5.15/bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch
@@ -0,0 +1,73 @@ +From 0e2d51550cd29bd22bd8394af3c0632a4b50723f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jan 2026 20:08:59 +0800 +Subject: Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work + +From: Jia-Hong Su + +[ Upstream commit 0c3cd7a0b862c37acbee6d9502107146cc944398 ] + +hci_uart_set_proto() sets HCI_UART_PROTO_INIT before calling +hci_uart_register_dev(), which calls proto->open() to initialize +hu->priv. However, if a TTY write wakeup occurs during this window, +hci_uart_tx_wakeup() may schedule write_work before hu->priv is +initialized, leading to a NULL pointer dereference in +hci_uart_write_work() when proto->dequeue() accesses hu->priv. + +The race condition is: + + CPU0 CPU1 + ---- ---- + hci_uart_set_proto() + set_bit(HCI_UART_PROTO_INIT) + hci_uart_register_dev() + tty write wakeup + hci_uart_tty_wakeup() + hci_uart_tx_wakeup() + schedule_work(&hu->write_work) + proto->open(hu) + // initializes hu->priv + hci_uart_write_work() + hci_uart_dequeue() + proto->dequeue(hu) + // accesses hu->priv (NULL!) + +Fix this by moving set_bit(HCI_UART_PROTO_INIT) after proto->open() +succeeds, ensuring hu->priv is initialized before any work can be +scheduled. 
+ +Fixes: 5df5dafc171b ("Bluetooth: hci_uart: Fix another race during initialization") +Link: https://lore.kernel.org/linux-bluetooth/6969764f.170a0220.2b9fc4.35a7@mx.google.com/ + +Signed-off-by: Jia-Hong Su +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/hci_ldisc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c +index 4692b9bec4692..46b37d825d185 100644 +--- a/drivers/bluetooth/hci_ldisc.c ++++ b/drivers/bluetooth/hci_ldisc.c +@@ -684,6 +684,8 @@ static int hci_uart_register_dev(struct hci_uart *hu) + return err; + } + ++ set_bit(HCI_UART_PROTO_INIT, &hu->flags); ++ + if (test_bit(HCI_UART_INIT_PENDING, &hu->hdev_flags)) + return 0; + +@@ -711,8 +713,6 @@ static int hci_uart_set_proto(struct hci_uart *hu, int id) + + hu->proto = p; + +- set_bit(HCI_UART_PROTO_INIT, &hu->flags); +- + err = hci_uart_register_dev(hu); + if (err) { + return err; +-- +2.51.0 + diff --git a/queue-5.15/ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch b/queue-5.15/ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch new file mode 100644 index 0000000000..de94a8ea67 --- /dev/null +++ b/queue-5.15/ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch 
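Review bot: With `set_bit(HCI_UART_PROTO_INIT, &hu->flags);` moved into `hci_uart_register_dev()` after the `proto->open()` error check, the failure paths later in that function become the ones that matter, and they lie outside the hunk. If any of them closes the protocol again (releasing what `hu->priv` points to) without a matching `clear_bit(HCI_UART_PROTO_INIT, &hu->flags);`, write work can still be scheduled against torn-down state, which is the same class of bug this patch fixes. A short comment at the new `set_bit()` stating that it must stay after `proto->open()` because the worker dereferences `hu->priv` would keep it from being moved back.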
@@ -0,0 +1,62 @@
+From 63bdbd01e03ac70196b853ddfa0162b20a7e3efa Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 1 Dec 2025 15:38:52 -0800
+Subject: ice: stop counting UDP csum mismatch as rx_errors
+
+From: Jesse Brandeburg
+
+[ Upstream commit 05faf2c0a76581d0a7fdbb8ec46477ba183df95b ]
+
+Since the beginning, the Intel ice driver has counted receive checksum
+offload mismatches into the rx_errors member of the rtnl_link_stats64
+struct. In ethtool -S these show up as rx_csum_bad.nic.
+
+I believe counting these in rx_errors is fundamentally wrong, as it's
+pretty clear from the comments in if_link.h and from every other statistic
+the driver is summing into rx_errors, that all of them would cause a
+"hardware drop" except for the UDP checksum mismatch, as well as the fact
+that all the other causes for rx_errors are L2 reasons, and this L4 UDP
+"mismatch" is an outlier.
+
+A last nail in the coffin is that rx_errors is monitored in production and
+can indicate a bad NIC/cable/Switch port, but instead some random series of
+UDP packets with bad checksums will now trigger this alert. This false
+positive makes the alert useless and affects us as well as other companies.
+
+This packet with presumably a bad UDP checksum is *already* passed to the
+stack, just not marked as offloaded by the hardware/driver. If it is
+dropped by the stack it will show up as UDP_MIB_CSUMERRORS.
+
+And one more thing, none of the other Intel drivers, and at least bnxt_en
+and mlx5 both don't appear to count UDP offload mismatches as rx_errors.
+
+Here is a related customer complaint:
+https://community.intel.com/t5/Ethernet-Products/ice-rx-errros-is-too-sensitive-to-IP-TCP-attack-packets-Intel/td-p/1662125
+
+Fixes: 4f1fe43c920b ("ice: Add more Rx errors to netdev's rx_error counter")
+Cc: Tony Nguyen
+Cc: Jake Keller
+Cc: IWL
+Signed-off-by: Jesse Brandeburg
+Acked-by: Jacob Keller
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/ice/ice_main.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c
+index 04e3f6c424c0c..db5319a8eb241 100644
+--- a/drivers/net/ethernet/intel/ice/ice_main.c
++++ b/drivers/net/ethernet/intel/ice/ice_main.c
+@@ -5841,7 +5841,6 @@ void ice_update_vsi_stats(struct ice_vsi *vsi)
+ pf->stats.illegal_bytes +
+ pf->stats.rx_len_errors +
+ pf->stats.rx_undersize +
+- pf->hw_csum_rx_error +
+ pf->stats.rx_jabber +
+ pf->stats.rx_fragments +
+ pf->stats.rx_oversize;
+--
+2.51.0
+
diff --git a/queue-5.15/ipv6-use-the-right-ifindex-when-replying-to-icmpv6-f.patch b/queue-5.15/ipv6-use-the-right-ifindex-when-replying-to-icmpv6-f.patch
new file mode 100644
index 0000000000..4b8c4f7a00
--- /dev/null
+++ b/queue-5.15/ipv6-use-the-right-ifindex-when-replying-to-icmpv6-f.patch
@@ -0,0 +1,52 @@
+From 2b6d383cd9cd60888679cdc029562141b3e0d0b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 21 Jan 2026 20:44:08 +0100
+Subject: ipv6: use the right ifindex when replying to icmpv6 from localhost
+
+From: Fernando Fernandez Mancera
+
+[ Upstream commit 03cbcdf93866e61beb0063392e6dbb701f03aea2 ]
+
+When replying to a ICMPv6 echo request that comes from localhost address
+the right output ifindex is 1 (lo) and not rt6i_idev dev index. Use the
+skb device ifindex instead. This fixes pinging to a local address from
+localhost source address.
+
+$ ping6 -I ::1 2001:1:1::2 -c 3
+PING 2001:1:1::2 (2001:1:1::2) from ::1 : 56 data bytes
+64 bytes from 2001:1:1::2: icmp_seq=1 ttl=64 time=0.037 ms
+64 bytes from 2001:1:1::2: icmp_seq=2 ttl=64 time=0.069 ms
+64 bytes from 2001:1:1::2: icmp_seq=3 ttl=64 time=0.122 ms
+
+2001:1:1::2 ping statistics
+3 packets transmitted, 3 received, 0% packet loss, time 2032ms
+rtt min/avg/max/mdev = 0.037/0.076/0.122/0.035 ms
+
+Fixes: 1b70d792cf67 ("ipv6: Use rt6i_idev index for echo replies to a local address")
+Signed-off-by: Fernando Fernandez Mancera
+Reviewed-by: David Ahern
+Link: https://patch.msgid.link/20260121194409.6749-1-fmancera@suse.de
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv6/icmp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
+index 71a69166a6bd2..8601c76f3cc93 100644
+--- a/net/ipv6/icmp.c
++++ b/net/ipv6/icmp.c
+@@ -761,7 +761,9 @@ static void icmpv6_echo_reply(struct sk_buff *skb)
+ fl6.daddr = ipv6_hdr(skb)->saddr;
+ if (saddr)
+ fl6.saddr = *saddr;
+- fl6.flowi6_oif = icmp6_iif(skb);
++ fl6.flowi6_oif = ipv6_addr_loopback(&fl6.daddr) ?
++ skb->dev->ifindex :
++ icmp6_iif(skb);
+ fl6.fl6_icmp_type = type;
+ fl6.flowi6_mark = mark;
+ fl6.flowi6_uid = sock_net_uid(net, NULL);
+--
+2.51.0
+
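Review bot: The new ternary that assigns `fl6.flowi6_oif` has no comment, so the reason a loopback peer needs `skb->dev->ifindex` rather than `icmp6_iif(skb)` lives only in the commit message. I would add above it `/* A loopback peer is only reachable via the device the request arrived on (lo); icmp6_iif() may return the rt6i_idev index instead. */`. The branch keys on `fl6.daddr`, which the first context line copies from the request's source address, so it depends on packets with a loopback source being rejected on non-loopback devices before they get here; that filtering is not visible in this hunk and is worth stating in the comment if it holds. icmpv6_echo_reply() starts and ends outside the hunk.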
diff --git a/queue-5.15/net-bridge-fix-static-key-check.patch b/queue-5.15/net-bridge-fix-static-key-check.patch
new file mode 100644
index 0000000000..bdcbe8ad33
--- /dev/null
+++ b/queue-5.15/net-bridge-fix-static-key-check.patch
@@ -0,0 +1,40 @@
+From bce9c601c203f1a4ebb6b4a9d307cf2fae2aed78 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 27 Jan 2026 11:19:23 +0100
+Subject: net: bridge: fix static key check
+
+From: Martin Kaiser
+
+[ Upstream commit cc0cf10fdaeadf5542d64a55b5b4120d3df90b7d ]
+
+Fix the check if netfilter's static keys are available. netfilter defines
+and exports static keys if CONFIG_JUMP_LABEL is enabled. (HAVE_JUMP_LABEL
+is never defined.)
+
+Fixes: 971502d77faa ("bridge: netfilter: unroll NF_HOOK helper in bridge input path")
+Signed-off-by: Martin Kaiser
+Reviewed-by: Florian Westphal
+Reviewed-by: Nikolay Aleksandrov
+Link: https://patch.msgid.link/20260127101925.1754425-1-martin@kaiser.cx
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/bridge/br_input.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
+index f3d49343f7dbe..14423132a3df5 100644
+--- a/net/bridge/br_input.c
++++ b/net/bridge/br_input.c
+@@ -225,7 +225,7 @@ static int nf_hook_bridge_pre(struct sk_buff *skb, struct sk_buff **pskb)
+ int ret;
+
+ net = dev_net(skb->dev);
+-#ifdef HAVE_JUMP_LABEL
++#ifdef CONFIG_JUMP_LABEL
+ if (!static_key_false(&nf_hooks_needed[NFPROTO_BRIDGE][NF_BR_PRE_ROUTING]))
+ goto frame_finish;
+ #endif
+--
+2.51.0
+
diff --git a/queue-5.15/net-mlx5-add-hw-definitions-of-vport-debug-counters.patch b/queue-5.15/net-mlx5-add-hw-definitions-of-vport-debug-counters.patch
new file mode 100644
index 0000000000..ad3180f242
--- /dev/null
+++ b/queue-5.15/net-mlx5-add-hw-definitions-of-vport-debug-counters.patch
@@ -0,0 +1,93 @@ +From a27e723165b201183853b660d43b09474636b849 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jun 2022 13:04:48 -0700 +Subject: net/mlx5: Add HW definitions of vport debug counters + +From: Saeed Mahameed + +[ Upstream commit 3e94e61bd44d90070dcda53b647fdc826097ef26 ] + +total_q_under_processor_handle - number of queues in error state due to an +async error or errored command. + +send_queue_priority_update_flow - number of QP/SQ priority/SL update +events. + +cq_overrun - number of times CQ entered an error state due to an +overflow. + +async_eq_overrun -number of time an EQ mapped to async events was +overrun. + +comp_eq_overrun - number of time an EQ mapped to completion events was +overrun. + +quota_exceeded_command - number of commands issued and failed due to quota +exceeded. + +invalid_command - number of commands issued and failed dues to any reason +other than quota exceeded. + +Signed-off-by: Saeed Mahameed +Signed-off-by: Michael Guralnik +Signed-off-by: Saeed Mahameed +Stable-dep-of: 476681f10cc1 ("net/mlx5e: Account for netdev stats in ndo_get_stats64") +Signed-off-by: Sasha Levin +--- + include/linux/mlx5/mlx5_ifc.h | 23 +++++++++++++++++++---- + 1 file changed, 19 insertions(+), 4 deletions(-) + +diff --git a/include/linux/mlx5/mlx5_ifc.h b/include/linux/mlx5/mlx5_ifc.h +index d974c235ad8ee..c8489aeb74f7e 100644 +--- a/include/linux/mlx5/mlx5_ifc.h ++++ b/include/linux/mlx5/mlx5_ifc.h +@@ -1384,7 +1384,8 @@ struct mlx5_ifc_cmd_hca_cap_bits { + + u8 reserved_at_120[0xa]; + u8 log_max_ra_req_dc[0x6]; +- u8 reserved_at_130[0xa]; ++ u8 reserved_at_130[0x9]; ++ u8 vnic_env_cq_overrun[0x1]; + u8 log_max_ra_res_dc[0x6]; + + u8 reserved_at_140[0x6]; +@@ -1579,7 +1580,11 @@ struct mlx5_ifc_cmd_hca_cap_bits { + u8 nic_receive_steering_discard[0x1]; + u8 receive_discard_vport_down[0x1]; + u8 transmit_discard_vport_down[0x1]; +- u8 reserved_at_343[0x5]; ++ u8 eq_overrun_count[0x1]; ++ u8 reserved_at_344[0x1]; ++ u8 
invalid_command_count[0x1]; ++ u8 quota_exceeded_count[0x1]; ++ u8 reserved_at_347[0x1]; + u8 log_max_flow_counter_bulk[0x8]; + u8 max_flow_counter_15_0[0x10]; + +@@ -3318,11 +3323,21 @@ struct mlx5_ifc_vnic_diagnostic_statistics_bits { + + u8 transmit_discard_vport_down[0x40]; + +- u8 reserved_at_140[0xa0]; ++ u8 async_eq_overrun[0x20]; ++ ++ u8 comp_eq_overrun[0x20]; ++ ++ u8 reserved_at_180[0x20]; ++ ++ u8 invalid_command[0x20]; ++ ++ u8 quota_exceeded_command[0x20]; + + u8 internal_rq_out_of_buffer[0x20]; + +- u8 reserved_at_200[0xe00]; ++ u8 cq_overrun[0x20]; ++ ++ u8 reserved_at_220[0xde0]; + }; + + struct mlx5_ifc_traffic_counter_bits { +-- +2.51.0 + diff --git a/queue-5.15/net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch b/queue-5.15/net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch new file mode 100644 index 0000000000..9ed7e3a198 --- /dev/null +++ b/queue-5.15/net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch 
@@ -0,0 +1,46 @@
+From 959997f8106618f7f23ffe45f50ed309325059f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 20 Jan 2026 13:46:40 +0000
+Subject: net/mlx5: Fix memory leak in esw_acl_ingress_lgcy_setup()
+
+From: Zilin Guan
+
+[ Upstream commit 108948f723b13874b7ebf6b3f1cc598a7de38622 ]
+
+In esw_acl_ingress_lgcy_setup(), if esw_acl_table_create() fails,
+the function returns directly without releasing the previously
+created counter, leading to a memory leak.
+
+Fix this by jumping to the out label instead of returning directly,
+which aligns with the error handling logic of other paths in this
+function.
+
+Compile tested only. Issue found using a prototype static analysis tool
+and code review.
+
+Fixes: 07bab9502641 ("net/mlx5: E-Switch, Refactor eswitch ingress acl codes")
+Signed-off-by: Zilin Guan
+Reviewed-by: Tariq Toukan
+Link: https://patch.msgid.link/20260120134640.2717808-1-zilin@seu.edu.cn
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c
+index 093ed86a0acd8..db51c500ed359 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c
+@@ -188,7 +188,7 @@ int esw_acl_ingress_lgcy_setup(struct mlx5_eswitch *esw,
+ if (IS_ERR(vport->ingress.acl)) {
+ err = PTR_ERR(vport->ingress.acl);
+ vport->ingress.acl = NULL;
+- return err;
++ goto out;
+ }
+
+ err = esw_acl_ingress_lgcy_groups_create(esw, vport);
+--
+2.51.0
+
diff --git a/queue-5.15/net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch b/queue-5.15/net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch
new file mode 100644
index 0000000000..77ef05b415
--- /dev/null
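Review bot: The new `goto out;` is taken with `vport->ingress.acl` just set to NULL, so whatever cleanup runs at the `out` label, which is outside the hunk, has to cope with a NULL ACL table while still releasing the counter. The commit message states the change was compile tested only, so this path has not been exercised at runtime. Before queuing, I would check that the 5.15 cleanup tests the table pointer before destroying groups and rules, and record the assumption at the jump, e.g. `goto out; /* acl is NULL here; cleanup must skip table teardown and free only the counter */`.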
+++ b/queue-5.15/net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch 
@@ -0,0 +1,75 @@ +From 77d2e538c02729c196571d6629cf7dd20befa0ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jan 2026 09:14:55 +0200 +Subject: net/mlx5e: Account for netdev stats in ndo_get_stats64 + +From: Gal Pressman + +[ Upstream commit 476681f10cc1e0e56e26856684e75d4678b072b2 ] + +The driver's ndo_get_stats64 callback is only reporting mlx5 counters, +without accounting for the netdev stats, causing errors from the network +stack to be invisible in statistics. + +Add netdev_stats_to_stats64() call to first populate the counters, then +add mlx5 counters on top, ensuring both are accounted for (where +appropriate). + +Fixes: f62b8bb8f2d3 ("net/mlx5: Extend mlx5_core to support ConnectX-4 Ethernet functionality") +Signed-off-by: Gal Pressman +Signed-off-by: Tariq Toukan +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/1769411695-18820-4-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/en_main.c | 20 ++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index 5504b7b3b3f90..130e54562a6bc 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -3169,6 +3169,8 @@ mlx5e_get_stats(struct net_device *dev, struct rtnl_link_stats64 *stats) + mlx5e_queue_update_stats(priv); + } + ++ netdev_stats_to_stats64(stats, &dev->stats); ++ + if (mlx5e_is_uplink_rep(priv)) { + struct mlx5e_vport_stats *vstats = &priv->stats.vport; + +@@ -3185,21 +3187,21 @@ mlx5e_get_stats(struct net_device *dev, struct rtnl_link_stats64 *stats) + mlx5e_fold_sw_stats64(priv, stats); + } + +- stats->rx_missed_errors = priv->stats.qcnt.rx_out_of_buffer; +- stats->rx_dropped = PPORT_2863_GET(pstats, if_in_discards); ++ stats->rx_missed_errors += priv->stats.qcnt.rx_out_of_buffer; ++ 
stats->rx_dropped += PPORT_2863_GET(pstats, if_in_discards); + +- stats->rx_length_errors = ++ stats->rx_length_errors += + PPORT_802_3_GET(pstats, a_in_range_length_errors) + + PPORT_802_3_GET(pstats, a_out_of_range_length_field) + + PPORT_802_3_GET(pstats, a_frame_too_long_errors) + + VNIC_ENV_GET(&priv->stats.vnic, eth_wqe_too_small); +- stats->rx_crc_errors = ++ stats->rx_crc_errors += + PPORT_802_3_GET(pstats, a_frame_check_sequence_errors); +- stats->rx_frame_errors = PPORT_802_3_GET(pstats, a_alignment_errors); +- stats->tx_aborted_errors = PPORT_2863_GET(pstats, if_out_discards); +- stats->rx_errors = stats->rx_length_errors + stats->rx_crc_errors + +- stats->rx_frame_errors; +- stats->tx_errors = stats->tx_aborted_errors + stats->tx_carrier_errors; ++ stats->rx_frame_errors += PPORT_802_3_GET(pstats, a_alignment_errors); ++ stats->tx_aborted_errors += PPORT_2863_GET(pstats, if_out_discards); ++ stats->rx_errors += stats->rx_length_errors + stats->rx_crc_errors + ++ stats->rx_frame_errors; ++ stats->tx_errors += stats->tx_aborted_errors + stats->tx_carrier_errors; + } + + static void mlx5e_nic_set_rx_mode(struct mlx5e_priv *priv) +-- +2.51.0 + diff --git a/queue-5.15/net-mlx5e-expose-rx_oversize_pkts_buffer-counter.patch b/queue-5.15/net-mlx5e-expose-rx_oversize_pkts_buffer-counter.patch new file mode 100644 index 0000000000..ca926f5b3c --- /dev/null +++ b/queue-5.15/net-mlx5e-expose-rx_oversize_pkts_buffer-counter.patch 
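Review bot: The aggregate lines `stats->rx_errors += stats->rx_length_errors + stats->rx_crc_errors + stats->rx_frame_errors;` and `stats->tx_errors += stats->tx_aborted_errors + stats->tx_carrier_errors;` can double count. After `netdev_stats_to_stats64(stats, &dev->stats)` the per-type fields already hold the netdev values and `rx_errors`/`tx_errors` already hold the netdev aggregates. Any error the stack recorded both in the aggregate and in one of the specific fields is therefore added twice. Keeping the device-only contributions in locals and adding only those to the aggregates would avoid it; at minimum a comment should state that the netdev per-type fields are assumed to be zero. An inflated rx_errors is exactly the kind of counter operators alert on. mlx5e_get_stats() begins outside the hunk.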
@@ -0,0 +1,142 @@ +From 13d844748c1dce28cfbe9850a1668c61766e8c50 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Oct 2022 21:56:27 -0700 +Subject: net/mlx5e: Expose rx_oversize_pkts_buffer counter + +From: Gal Pressman + +[ Upstream commit 16ab85e78439bab1201ff26ba430231d1574b4ae ] + +Add the rx_oversize_pkts_buffer counter to ethtool statistics. +This counter exposes the number of dropped received packets due to +length which arrived to RQ and exceed software buffer size allocated by +the device for incoming traffic. It might imply that the device MTU is +larger than the software buffers size. + +Signed-off-by: Gal Pressman +Reviewed-by: Tariq Toukan +Signed-off-by: Saeed Mahameed +Signed-off-by: Jakub Kicinski +Stable-dep-of: 476681f10cc1 ("net/mlx5e: Account for netdev stats in ndo_get_stats64") +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/en_main.c | 3 ++- + .../ethernet/mellanox/mlx5/core/en_stats.c | 21 ++++++++++++++++++- + .../ethernet/mellanox/mlx5/core/en_stats.h | 4 ++++ + include/linux/mlx5/mlx5_ifc.h | 8 +++++-- + 4 files changed, 32 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index ba36e500c1ff1..b4e6a467409be 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -3190,7 +3190,8 @@ mlx5e_get_stats(struct net_device *dev, struct rtnl_link_stats64 *stats) + stats->rx_length_errors = + PPORT_802_3_GET(pstats, a_in_range_length_errors) + + PPORT_802_3_GET(pstats, a_out_of_range_length_field) + +- PPORT_802_3_GET(pstats, a_frame_too_long_errors); ++ PPORT_802_3_GET(pstats, a_frame_too_long_errors) + ++ VNIC_ENV_GET(&priv->stats.vnic, eth_wqe_too_small); + stats->rx_crc_errors = + PPORT_802_3_GET(pstats, a_frame_check_sequence_errors); + stats->rx_frame_errors = PPORT_802_3_GET(pstats, a_alignment_errors); +diff --git 
a/drivers/net/ethernet/mellanox/mlx5/core/en_stats.c b/drivers/net/ethernet/mellanox/mlx5/core/en_stats.c +index 5a5c6eda29d28..75c3b2ac7e24e 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_stats.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_stats.c +@@ -567,17 +567,26 @@ static const struct counter_desc vnic_env_stats_dev_oob_desc[] = { + VNIC_ENV_OFF(vport_env.internal_rq_out_of_buffer) }, + }; + ++static const struct counter_desc vnic_env_stats_drop_desc[] = { ++ { "rx_oversize_pkts_buffer", ++ VNIC_ENV_OFF(vport_env.eth_wqe_too_small) }, ++}; ++ + #define NUM_VNIC_ENV_STEER_COUNTERS(dev) \ + (MLX5_CAP_GEN(dev, nic_receive_steering_discard) ? \ + ARRAY_SIZE(vnic_env_stats_steer_desc) : 0) + #define NUM_VNIC_ENV_DEV_OOB_COUNTERS(dev) \ + (MLX5_CAP_GEN(dev, vnic_env_int_rq_oob) ? \ + ARRAY_SIZE(vnic_env_stats_dev_oob_desc) : 0) ++#define NUM_VNIC_ENV_DROP_COUNTERS(dev) \ ++ (MLX5_CAP_GEN(dev, eth_wqe_too_small) ? \ ++ ARRAY_SIZE(vnic_env_stats_drop_desc) : 0) + + static MLX5E_DECLARE_STATS_GRP_OP_NUM_STATS(vnic_env) + { + return NUM_VNIC_ENV_STEER_COUNTERS(priv->mdev) + +- NUM_VNIC_ENV_DEV_OOB_COUNTERS(priv->mdev); ++ NUM_VNIC_ENV_DEV_OOB_COUNTERS(priv->mdev) + ++ NUM_VNIC_ENV_DROP_COUNTERS(priv->mdev); + } + + static MLX5E_DECLARE_STATS_GRP_OP_FILL_STRS(vnic_env) +@@ -591,6 +600,11 @@ static MLX5E_DECLARE_STATS_GRP_OP_FILL_STRS(vnic_env) + for (i = 0; i < NUM_VNIC_ENV_DEV_OOB_COUNTERS(priv->mdev); i++) + strcpy(data + (idx++) * ETH_GSTRING_LEN, + vnic_env_stats_dev_oob_desc[i].format); ++ ++ for (i = 0; i < NUM_VNIC_ENV_DROP_COUNTERS(priv->mdev); i++) ++ strcpy(data + (idx++) * ETH_GSTRING_LEN, ++ vnic_env_stats_drop_desc[i].format); ++ + return idx; + } + +@@ -605,6 +619,11 @@ static MLX5E_DECLARE_STATS_GRP_OP_FILL_STATS(vnic_env) + for (i = 0; i < NUM_VNIC_ENV_DEV_OOB_COUNTERS(priv->mdev); i++) + data[idx++] = MLX5E_READ_CTR32_BE(priv->stats.vnic.query_vnic_env_out, + vnic_env_stats_dev_oob_desc, i); ++ ++ for (i = 0; i < 
NUM_VNIC_ENV_DROP_COUNTERS(priv->mdev); i++) ++ data[idx++] = MLX5E_READ_CTR32_BE(priv->stats.vnic.query_vnic_env_out, ++ vnic_env_stats_drop_desc, i); ++ + return idx; + } + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_stats.h b/drivers/net/ethernet/mellanox/mlx5/core/en_stats.h +index 139e59f30db00..f31da3699c7b5 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_stats.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_stats.h +@@ -256,6 +256,10 @@ struct mlx5e_qcounter_stats { + u32 rx_if_down_packets; + }; + ++#define VNIC_ENV_GET(vnic_env_stats, c) \ ++ MLX5_GET(query_vnic_env_out, (vnic_env_stats)->query_vnic_env_out, \ ++ vport_env.c) ++ + struct mlx5e_vnic_env_stats { + __be64 query_vnic_env_out[MLX5_ST_SZ_QW(query_vnic_env_out)]; + }; +diff --git a/include/linux/mlx5/mlx5_ifc.h b/include/linux/mlx5/mlx5_ifc.h +index c8489aeb74f7e..30251dfbe040c 100644 +--- a/include/linux/mlx5/mlx5_ifc.h ++++ b/include/linux/mlx5/mlx5_ifc.h +@@ -1384,7 +1384,9 @@ struct mlx5_ifc_cmd_hca_cap_bits { + + u8 reserved_at_120[0xa]; + u8 log_max_ra_req_dc[0x6]; +- u8 reserved_at_130[0x9]; ++ u8 reserved_at_130[0x2]; ++ u8 eth_wqe_too_small[0x1]; ++ u8 reserved_at_133[0x6]; + u8 vnic_env_cq_overrun[0x1]; + u8 log_max_ra_res_dc[0x6]; + +@@ -3337,7 +3339,9 @@ struct mlx5_ifc_vnic_diagnostic_statistics_bits { + + u8 cq_overrun[0x20]; + +- u8 reserved_at_220[0xde0]; ++ u8 eth_wqe_too_small[0x20]; ++ ++ u8 reserved_at_220[0xdc0]; + }; + + struct mlx5_ifc_traffic_counter_bits { +-- +2.51.0 + diff --git a/queue-5.15/net-mlx5e-report-rx_discards_phy-via-rx_dropped.patch b/queue-5.15/net-mlx5e-report-rx_discards_phy-via-rx_dropped.patch new file mode 100644 index 0000000000..c1e1d83558 --- /dev/null +++ b/queue-5.15/net-mlx5e-report-rx_discards_phy-via-rx_dropped.patch 
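Review bot: In the last mlx5_ifc.h hunk, in `struct mlx5_ifc_vnic_diagnostic_statistics_bits`, the trailing field is still named `reserved_at_220` although the new `eth_wqe_too_small[0x20]` now occupies offset 0x220 and the reserved block starts at 0x240. The size is correct (0x20 + 0xdc0 equals the old 0xde0), only the name is stale; it should read `u8 reserved_at_240[0xdc0];`. These names are the only offset documentation in the layout, so a wrong one makes a misplaced field in a later edit more likely. Separately, the en_main.c hunk reads `VNIC_ENV_GET(&priv->stats.vnic, eth_wqe_too_small)` unconditionally while the ethtool exposure is gated on `MLX5_CAP_GEN(dev, eth_wqe_too_small)`; a one-line comment saying the field reads as zero without the capability would help, if that is the case.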
@@ -0,0 +1,50 @@
+From cf2aee6fe4a9f0f3863b38b670e5da73c88c6620 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 10 Dec 2024 10:27:06 +0800
+Subject: net/mlx5e: Report rx_discards_phy via rx_dropped
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yafang Shao
+
+[ Upstream commit c9cfced17365b1df8c6ae6cd5db56aebd7ed9b57 ]
+
+We noticed a high number of rx_discards_phy events on certain servers while
+running `ethtool -S`. However, this critical counter is not currently
+included in the standard /proc/net/dev statistics file, making it difficult
+to monitor effectively—especially given the diversity of vendors across a
+large fleet of servers.
+
+Let's report it via the standard rx_dropped metric.
+
+Suggested-by: Jakub Kicinski
+Signed-off-by: Yafang Shao
+Cc: Saeed Mahameed
+Cc: Leon Romanovsky
+Cc: Gal Pressman
+Reviewed-by: Simon Horman
+Reviewed-by: Tariq Toukan
+Link: https://patch.msgid.link/20241210022706.6665-1-laoar.shao@gmail.com
+Signed-off-by: Jakub Kicinski
+Stable-dep-of: 476681f10cc1 ("net/mlx5e: Account for netdev stats in ndo_get_stats64")
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index b4e6a467409be..5504b7b3b3f90 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -3186,6 +3186,7 @@ mlx5e_get_stats(struct net_device *dev, struct rtnl_link_stats64 *stats)
+ }
+
+ stats->rx_missed_errors = priv->stats.qcnt.rx_out_of_buffer;
++ stats->rx_dropped = PPORT_2863_GET(pstats, if_in_discards);
+
+ stats->rx_length_errors =
+ PPORT_802_3_GET(pstats, a_in_range_length_errors) +
+--
+2.51.0
+
diff --git a/queue-5.15/net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch b/queue-5.15/net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch
new file mode 100644
index 0000000000..f2b47a29e9
--- /dev/null
+++ b/queue-5.15/net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch
@@ -0,0 +1,48 @@
+From c01817881edf5cd4ec103593720eb146cc8bad14 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 23 Jan 2026 06:57:16 +0000
+Subject: net: mvpp2: cls: Fix memory leak in mvpp2_ethtool_cls_rule_ins()
+
+From: Zilin Guan
+
+[ Upstream commit 09f979d1f312627b31d2ee1e46f9692e442610cd ]
+
+In mvpp2_ethtool_cls_rule_ins(), the ethtool_rule is allocated by
+ethtool_rx_flow_rule_create(). If the subsequent conversion to flow
+type fails, the function jumps to the clean_rule label.
+
+However, the clean_rule label only frees efs, skipping the cleanup
+of ethtool_rule, which leads to a memory leak.
+
+Fix this by jumping to the clean_eth_rule label, which properly calls
+ethtool_rx_flow_rule_destroy() before freeing efs.
+
+Compile tested only. Issue found using a prototype static analysis tool
+and code review.
+
+Fixes: f4f1ba18195d ("net: mvpp2: cls: Report an error for unsupported flow types")
+Signed-off-by: Zilin Guan
+Reviewed-by: Maxime Chevallier
+Link: https://patch.msgid.link/20260123065716.2248324-1-zilin@seu.edu.cn
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c
+index d2757cc116139..038382a0b8e9f 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c
+@@ -1389,7 +1389,7 @@ int mvpp2_ethtool_cls_rule_ins(struct mvpp2_port *port,
+ efs->rule.flow_type = mvpp2_cls_ethtool_flow_to_type(info->fs.flow_type);
+ if (efs->rule.flow_type < 0) {
+ ret = efs->rule.flow_type;
+- goto clean_rule;
++ goto clean_eth_rule;
+ }
+
+ ret = mvpp2_cls_rfs_parse_rule(&efs->rule);
+--
+2.51.0
+
diff --git a/queue-5.15/nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch b/queue-5.15/nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch
new file mode 100644
index 0000000000..3354342b64
--- /dev/null
+++ b/queue-5.15/nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch
@@ -0,0 +1,167 @@ +From f134c0d0f22330dbbbd2d79443e58b0bf53f4fce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 25 Jan 2026 00:59:28 +0000 +Subject: nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame(). + +From: Kuniyuki Iwashima + +[ Upstream commit 165c34fb6068ff153e3fc99a932a80a9d5755709 ] + +syzbot reported various memory leaks related to NFC, struct +nfc_llcp_sock, sk_buff, nfc_dev, etc. [0] + +The leading log hinted that nfc_llcp_send_ui_frame() failed +to allocate skb due to sock_error(sk) being -ENXIO. + +ENXIO is set by nfc_llcp_socket_release() when struct +nfc_llcp_local is destroyed by local_cleanup(). + +The problem is that there is no synchronisation between +nfc_llcp_send_ui_frame() and local_cleanup(), and skb +could be put into local->tx_queue after it was purged in +local_cleanup(): + + CPU1 CPU2 + ---- ---- + nfc_llcp_send_ui_frame() local_cleanup() + |- do { ' + |- pdu = nfc_alloc_send_skb(..., &err) + | . + | |- nfc_llcp_socket_release(local, false, ENXIO); + | |- skb_queue_purge(&local->tx_queue); | + | ' | + |- skb_queue_tail(&local->tx_queue, pdu); | + ... | + |- pdu = nfc_alloc_send_skb(..., &err) | + ^._________________________________.' + +local_cleanup() is called for struct nfc_llcp_local only +after nfc_llcp_remove_local() unlinks it from llcp_devices. + +If we hold local->tx_queue.lock then, we can synchronise +the thread and nfc_llcp_send_ui_frame(). + +Let's do that and check list_empty(&local->list) before +queuing skb to local->tx_queue in nfc_llcp_send_ui_frame(). + +[0]: +[ 56.074943][ T6096] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6) +[ 64.318868][ T5813] kmemleak: 6 new suspected memory leaks (see /sys/kernel/debug/kmemleak) +BUG: memory leak +unreferenced object 0xffff8881272f6800 (size 1024): + comm "syz.0.17", pid 6096, jiffies 4294942766 + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
+ 27 00 03 40 00 00 00 00 00 00 00 00 00 00 00 00 '..@............ + backtrace (crc da58d84d): + kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] + slab_post_alloc_hook mm/slub.c:4979 [inline] + slab_alloc_node mm/slub.c:5284 [inline] + __do_kmalloc_node mm/slub.c:5645 [inline] + __kmalloc_noprof+0x3e3/0x6b0 mm/slub.c:5658 + kmalloc_noprof include/linux/slab.h:961 [inline] + sk_prot_alloc+0x11a/0x1b0 net/core/sock.c:2239 + sk_alloc+0x36/0x360 net/core/sock.c:2295 + nfc_llcp_sock_alloc+0x37/0x130 net/nfc/llcp_sock.c:979 + llcp_sock_create+0x71/0xd0 net/nfc/llcp_sock.c:1044 + nfc_sock_create+0xc9/0xf0 net/nfc/af_nfc.c:31 + __sock_create+0x1a9/0x340 net/socket.c:1605 + sock_create net/socket.c:1663 [inline] + __sys_socket_create net/socket.c:1700 [inline] + __sys_socket+0xb9/0x1a0 net/socket.c:1747 + __do_sys_socket net/socket.c:1761 [inline] + __se_sys_socket net/socket.c:1759 [inline] + __x64_sys_socket+0x1b/0x30 net/socket.c:1759 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +BUG: memory leak +unreferenced object 0xffff88810fbd9800 (size 240): + comm "syz.0.17", pid 6096, jiffies 4294942850 + hex dump (first 32 bytes): + 68 f0 ff 08 81 88 ff ff 68 f0 ff 08 81 88 ff ff h.......h....... + 00 00 00 00 00 00 00 00 00 68 2f 27 81 88 ff ff .........h/'.... 
+ backtrace (crc 6cc652b1): + kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] + slab_post_alloc_hook mm/slub.c:4979 [inline] + slab_alloc_node mm/slub.c:5284 [inline] + kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5336 + __alloc_skb+0x203/0x240 net/core/skbuff.c:660 + alloc_skb include/linux/skbuff.h:1383 [inline] + alloc_skb_with_frags+0x69/0x3f0 net/core/skbuff.c:6671 + sock_alloc_send_pskb+0x379/0x3e0 net/core/sock.c:2965 + sock_alloc_send_skb include/net/sock.h:1859 [inline] + nfc_alloc_send_skb+0x45/0x80 net/nfc/core.c:724 + nfc_llcp_send_ui_frame+0x162/0x360 net/nfc/llcp_commands.c:766 + llcp_sock_sendmsg+0x14c/0x1d0 net/nfc/llcp_sock.c:814 + sock_sendmsg_nosec net/socket.c:727 [inline] + __sock_sendmsg net/socket.c:742 [inline] + __sys_sendto+0x2d8/0x2f0 net/socket.c:2244 + __do_sys_sendto net/socket.c:2251 [inline] + __se_sys_sendto net/socket.c:2247 [inline] + __x64_sys_sendto+0x28/0x30 net/socket.c:2247 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: 94f418a20664 ("NFC: UI frame sending routine implementation") +Reported-by: syzbot+f2d245f1d76bbfa50e4c@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/697569c7.a00a0220.33ccc7.0014.GAE@google.com/T/#u +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20260125010214.1572439-1-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/nfc/llcp_commands.c | 17 ++++++++++++++++- + net/nfc/llcp_core.c | 4 +++- + 2 files changed, 19 insertions(+), 2 deletions(-) + +diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c +index 5b8754ae7d3af..706da71c5f298 100644 +--- a/net/nfc/llcp_commands.c ++++ b/net/nfc/llcp_commands.c +@@ -786,8 +786,23 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap, + if (likely(frag_len > 0)) + skb_put_data(pdu, msg_ptr, 
frag_len); + ++ spin_lock(&local->tx_queue.lock); ++ ++ if (list_empty(&local->list)) { ++ spin_unlock(&local->tx_queue.lock); ++ ++ kfree_skb(pdu); ++ ++ len -= remaining_len; ++ if (len == 0) ++ len = -ENXIO; ++ break; ++ } ++ + /* No need to check for the peer RW for UI frames */ +- skb_queue_tail(&local->tx_queue, pdu); ++ __skb_queue_tail(&local->tx_queue, pdu); ++ ++ spin_unlock(&local->tx_queue.lock); + + remaining_len -= frag_len; + msg_ptr += frag_len; +diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c +index da3cb0d29b972..504245aeb4e2a 100644 +--- a/net/nfc/llcp_core.c ++++ b/net/nfc/llcp_core.c +@@ -316,7 +316,9 @@ static struct nfc_llcp_local *nfc_llcp_remove_local(struct nfc_dev *dev) + spin_lock(&llcp_devices_lock); + list_for_each_entry_safe(local, tmp, &llcp_devices, list) + if (local->dev == dev) { +- list_del(&local->list); ++ spin_lock(&local->tx_queue.lock); ++ list_del_init(&local->list); ++ spin_unlock(&local->tx_queue.lock); + spin_unlock(&llcp_devices_lock); + return local; + } +-- +2.51.0 + diff --git a/queue-5.15/nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch b/queue-5.15/nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch new file mode 100644 index 0000000000..bcb19f50c2 --- /dev/null +++ b/queue-5.15/nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch 
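Review bot: The added `spin_lock(&local->tx_queue.lock)` in nfc_llcp_send_ui_frame(), and the matching one in nfc_llcp_remove_local(), take the queue lock without disabling interrupts, whereas the `skb_queue_tail()` being replaced takes that same lock with the irqsave variant. That is safe only if nothing touches `tx_queue` from softirq or hard-irq context, which cannot be verified from these hunks and should be checked per stable tree. If there is any doubt, `spin_lock_irqsave(&local->tx_queue.lock, flags);` with the matching `spin_unlock_irqrestore()` keeps the previous locking discipline in both places. Both functions extend beyond the visible lines.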
@@ -0,0 +1,197 @@
+From c73490fa6d6400c22bdf0192355c1a2eef449112 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 27 Jan 2026 04:03:59 +0000
+Subject: nfc: nci: Fix race between rfkill and nci_unregister_device().
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit d2492688bb9fed6ab6e313682c387ae71a66ebae ]
+
+syzbot reported the splat below [0] without a repro.
+
+It indicates that struct nci_dev.cmd_wq had been destroyed before
+nci_close_device() was called via rfkill.
+
+nci_dev.cmd_wq is only destroyed in nci_unregister_device(), which
+(I think) was called from virtual_ncidev_close() when syzbot close()d
+an fd of virtual_ncidev.
+
+The problem is that nci_unregister_device() destroys nci_dev.cmd_wq
+first and then calls nfc_unregister_device(), which removes the
+device from rfkill by rfkill_unregister().
+
+So, the device is still visible via rfkill even after nci_dev.cmd_wq
+is destroyed.
+
+Let's unregister the device from rfkill first in nci_unregister_device().
+
+Note that we cannot call nfc_unregister_device() before
+nci_close_device() because
+
+ 1) nfc_unregister_device() calls device_del() which frees
+ all memory allocated by devm_kzalloc() and linked to
+ ndev->conn_info_list
+
+ 2) nci_rx_work() could try to queue nci_conn_info to
+ ndev->conn_info_list which could be leaked
+
+Thus, nfc_unregister_device() is split into two functions so we
+can remove rfkill interfaces only before nci_close_device().
+ +[0]: +DEBUG_LOCKS_WARN_ON(1) +WARNING: kernel/locking/lockdep.c:238 at hlock_class kernel/locking/lockdep.c:238 [inline], CPU#0: syz.0.8675/6349 +WARNING: kernel/locking/lockdep.c:238 at check_wait_context kernel/locking/lockdep.c:4854 [inline], CPU#0: syz.0.8675/6349 +WARNING: kernel/locking/lockdep.c:238 at __lock_acquire+0x39d/0x2cf0 kernel/locking/lockdep.c:5187, CPU#0: syz.0.8675/6349 +Modules linked in: +CPU: 0 UID: 0 PID: 6349 Comm: syz.0.8675 Not tainted syzkaller #0 PREEMPT(full) +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026 +RIP: 0010:hlock_class kernel/locking/lockdep.c:238 [inline] +RIP: 0010:check_wait_context kernel/locking/lockdep.c:4854 [inline] +RIP: 0010:__lock_acquire+0x3a4/0x2cf0 kernel/locking/lockdep.c:5187 +Code: 18 00 4c 8b 74 24 08 75 27 90 e8 17 f2 fc 02 85 c0 74 1c 83 3d 50 e0 4e 0e 00 75 13 48 8d 3d 43 f7 51 0e 48 c7 c6 8b 3a de 8d <67> 48 0f b9 3a 90 31 c0 0f b6 98 c4 00 00 00 41 8b 45 20 25 ff 1f +RSP: 0018:ffffc9000c767680 EFLAGS: 00010046 +RAX: 0000000000000001 RBX: 0000000000040000 RCX: 0000000000080000 +RDX: ffffc90013080000 RSI: ffffffff8dde3a8b RDI: ffffffff8ff24ca0 +RBP: 0000000000000003 R08: ffffffff8fef35a3 R09: 1ffffffff1fde6b4 +R10: dffffc0000000000 R11: fffffbfff1fde6b5 R12: 00000000000012a2 +R13: ffff888030338ba8 R14: ffff888030338000 R15: ffff888030338b30 +FS: 00007fa5995f66c0(0000) GS:ffff8881256f8000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f7e72f842d0 CR3: 00000000485a0000 CR4: 00000000003526f0 +Call Trace: + + lock_acquire+0x106/0x330 kernel/locking/lockdep.c:5868 + touch_wq_lockdep_map+0xcb/0x180 kernel/workqueue.c:3940 + __flush_workqueue+0x14b/0x14f0 kernel/workqueue.c:3982 + nci_close_device+0x302/0x630 net/nfc/nci/core.c:567 + nci_dev_down+0x3b/0x50 net/nfc/nci/core.c:639 + nfc_dev_down+0x152/0x290 net/nfc/core.c:161 + nfc_rfkill_set_block+0x2d/0x100 net/nfc/core.c:179 + rfkill_set_block+0x1d2/0x440 
net/rfkill/core.c:346 + rfkill_fop_write+0x461/0x5a0 net/rfkill/core.c:1301 + vfs_write+0x29a/0xb90 fs/read_write.c:684 + ksys_write+0x150/0x270 fs/read_write.c:738 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7fa59b39acb9 +Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007fa5995f6028 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +RAX: ffffffffffffffda RBX: 00007fa59b615fa0 RCX: 00007fa59b39acb9 +RDX: 0000000000000008 RSI: 0000200000000080 RDI: 0000000000000007 +RBP: 00007fa59b408bf7 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007fa59b616038 R14: 00007fa59b615fa0 R15: 00007ffc82218788 + + +Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation") +Reported-by: syzbot+f9c5fd1a0874f9069dce@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/695e7f56.050a0220.1c677c.036c.GAE@google.com/ +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20260127040411.494931-1-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/nfc/nfc.h | 2 ++ + net/nfc/core.c | 27 ++++++++++++++++++++++++--- + net/nfc/nci/core.c | 4 +++- + 3 files changed, 29 insertions(+), 4 deletions(-) + +diff --git a/include/net/nfc/nfc.h b/include/net/nfc/nfc.h +index 5dee575fbe86a..b82f4f2a27fb8 100644 +--- a/include/net/nfc/nfc.h ++++ b/include/net/nfc/nfc.h +@@ -215,6 +215,8 @@ static inline void nfc_free_device(struct nfc_dev *dev) + + int nfc_register_device(struct nfc_dev *dev); + ++void nfc_unregister_rfkill(struct nfc_dev *dev); ++void nfc_remove_device(struct nfc_dev *dev); + void nfc_unregister_device(struct nfc_dev *dev); + + /** +diff --git 
a/net/nfc/core.c b/net/nfc/core.c +index c2dab6e2c283e..99f7300497c80 100644 +--- a/net/nfc/core.c ++++ b/net/nfc/core.c +@@ -1147,14 +1147,14 @@ int nfc_register_device(struct nfc_dev *dev) + EXPORT_SYMBOL(nfc_register_device); + + /** +- * nfc_unregister_device - unregister a nfc device in the nfc subsystem ++ * nfc_unregister_rfkill - unregister a nfc device in the rfkill subsystem + * + * @dev: The nfc device to unregister + */ +-void nfc_unregister_device(struct nfc_dev *dev) ++void nfc_unregister_rfkill(struct nfc_dev *dev) + { +- int rc; + struct rfkill *rfk = NULL; ++ int rc; + + pr_debug("dev_name=%s\n", dev_name(&dev->dev)); + +@@ -1175,7 +1175,16 @@ void nfc_unregister_device(struct nfc_dev *dev) + rfkill_unregister(rfk); + rfkill_destroy(rfk); + } ++} ++EXPORT_SYMBOL(nfc_unregister_rfkill); + ++/** ++ * nfc_remove_device - remove a nfc device in the nfc subsystem ++ * ++ * @dev: The nfc device to remove ++ */ ++void nfc_remove_device(struct nfc_dev *dev) ++{ + if (dev->ops->check_presence) { + del_timer_sync(&dev->check_pres_timer); + cancel_work_sync(&dev->check_pres_work); +@@ -1188,6 +1197,18 @@ void nfc_unregister_device(struct nfc_dev *dev) + device_del(&dev->dev); + mutex_unlock(&nfc_devlist_mutex); + } ++EXPORT_SYMBOL(nfc_remove_device); ++ ++/** ++ * nfc_unregister_device - unregister a nfc device in the nfc subsystem ++ * ++ * @dev: The nfc device to unregister ++ */ ++void nfc_unregister_device(struct nfc_dev *dev) ++{ ++ nfc_unregister_rfkill(dev); ++ nfc_remove_device(dev); ++} + EXPORT_SYMBOL(nfc_unregister_device); + + static int __init nfc_init(void) +diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c +index 905452006d2d1..c26914ca40aff 100644 +--- a/net/nfc/nci/core.c ++++ b/net/nfc/nci/core.c +@@ -1295,6 +1295,8 @@ void nci_unregister_device(struct nci_dev *ndev) + { + struct nci_conn_info *conn_info, *n; + ++ nfc_unregister_rfkill(ndev->nfc_dev); ++ + /* This set_bit is not protected with specialized barrier, + * However, it is fine 
because the mutex_lock(&ndev->req_lock); + * in nci_close_device() will help to emit one. +@@ -1312,7 +1314,7 @@ void nci_unregister_device(struct nci_dev *ndev) + /* conn_info is allocated with devm_kzalloc */ + } + +- nfc_unregister_device(ndev->nfc_dev); ++ nfc_remove_device(ndev->nfc_dev); + } + EXPORT_SYMBOL(nci_unregister_device); + +-- +2.51.0 + diff --git a/queue-5.15/rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch b/queue-5.15/rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch new file mode 100644 index 0000000000..570ab2c2d4 --- /dev/null +++ b/queue-5.15/rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch 
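Review bot: The kernel-doc added for nfc_unregister_rfkill() and nfc_remove_device() in net/nfc/core.c does not state the ordering the fix depends on, and both halves are exported, so a driver can call nfc_remove_device() alone and skip the rfkill_unregister() that the commit message says must come before the device is torn down. I would add to the first comment a line such as `* Must be followed by nfc_remove_device(); drivers without an intermediate step should call nfc_unregister_device().` and to the second `* The caller must already have called nfc_unregister_rfkill().` The prototypes added in include/net/nfc/nfc.h would benefit from the same remark. Both function bodies run partly outside the hunks shown, so anything nfc_unregister_rfkill() does beyond the rfkill teardown is not visible here.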
@@ -0,0 +1,56 @@
+From ba27d1024e6602a2b4cf629f35d6b887e91dd6e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 24 Jan 2026 05:10:31 +0800
+Subject: rocker: fix memory leak in rocker_world_port_post_fini()
+
+From: Kery Qi
+
+[ Upstream commit 8d7ba71e46216b8657a82ca2ec118bc93812a4d0 ]
+
+In rocker_world_port_pre_init(), rocker_port->wpriv is allocated with
+kzalloc(wops->port_priv_size, GFP_KERNEL). However, in
+rocker_world_port_post_fini(), the memory is only freed when
+wops->port_post_fini callback is set:
+
+ if (!wops->port_post_fini)
+ return;
+ wops->port_post_fini(rocker_port);
+ kfree(rocker_port->wpriv);
+
+Since rocker_ofdpa_ops does not implement port_post_fini callback
+(it is NULL), the wpriv memory allocated for each port is never freed
+when ports are removed. This leads to a memory leak of
+sizeof(struct ofdpa_port) bytes per port on every device removal.
+
+Fix this by always calling kfree(rocker_port->wpriv) regardless of
+whether the port_post_fini callback exists.
+
+Fixes: e420114eef4a ("rocker: introduce worlds infrastructure")
+Signed-off-by: Kery Qi
+Reviewed-by: Simon Horman
+Link: https://patch.msgid.link/20260123211030.2109-2-qikeyu2017@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/rocker/rocker_main.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/rocker/rocker_main.c b/drivers/net/ethernet/rocker/rocker_main.c
+index e1509becb7536..a7495a46d0943 100644
+--- a/drivers/net/ethernet/rocker/rocker_main.c
++++ b/drivers/net/ethernet/rocker/rocker_main.c
+@@ -1525,9 +1525,8 @@ static void rocker_world_port_post_fini(struct rocker_port *rocker_port)
+ {
+ struct rocker_world_ops *wops = rocker_port->rocker->wops;
+
+- if (!wops->port_post_fini)
+- return;
+- wops->port_post_fini(rocker_port);
++ if (wops->port_post_fini)
++ wops->port_post_fini(rocker_port);
+ kfree(rocker_port->wpriv);
+ }
+
+--
+2.51.0
+
diff --git a/queue-5.15/series b/queue-5.15/series
index c21e59c9d2..4d5974b92b 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -132,3 +132,16 @@ can-usb_8dev-usb_8dev_read_bulk_callback-fix-urb-memory-leak.patch
 migrate-correct-lock-ordering-for-hugetlb-file-folios.patch
 bpf-do-not-let-bpf-test-infra-emit-invalid-gso-types-to-stack.patch
 bpf-reject-narrower-access-to-pointer-ctx-fields.patch
+bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch
+net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch
+net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch
+ipv6-use-the-right-ifindex-when-replying-to-icmpv6-f.patch
+rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch
+nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch
+ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch
+net-mlx5-add-hw-definitions-of-vport-debug-counters.patch
+net-mlx5e-expose-rx_oversize_pkts_buffer-counter.patch
+net-mlx5e-report-rx_discards_phy-via-rx_dropped.patch
+net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch
+nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch
+net-bridge-fix-static-key-check.patch
diff --git a/queue-6.1/bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch b/queue-6.1/bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch
new file mode 100644
index 0000000000..682355c573
--- /dev/null
+++ b/queue-6.1/bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch
@@ -0,0 +1,73 @@
+From 006b9d69e6c47aad5cd36d1d59315688bf280451 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 18 Jan 2026 20:08:59 +0800
+Subject: Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work
+
+From: Jia-Hong Su
+
+[ Upstream commit 0c3cd7a0b862c37acbee6d9502107146cc944398 ]
+
+hci_uart_set_proto() sets HCI_UART_PROTO_INIT before calling
+hci_uart_register_dev(), which calls proto->open() to initialize
+hu->priv. However, if a TTY write wakeup occurs during this window,
+hci_uart_tx_wakeup() may schedule write_work before hu->priv is
+initialized, leading to a NULL pointer dereference in
+hci_uart_write_work() when proto->dequeue() accesses hu->priv.
+
+The race condition is:
+
+ CPU0 CPU1
+ ---- ----
+ hci_uart_set_proto()
+ set_bit(HCI_UART_PROTO_INIT)
+ hci_uart_register_dev()
+ tty write wakeup
+ hci_uart_tty_wakeup()
+ hci_uart_tx_wakeup()
+ schedule_work(&hu->write_work)
+ proto->open(hu)
+ // initializes hu->priv
+ hci_uart_write_work()
+ hci_uart_dequeue()
+ proto->dequeue(hu)
+ // accesses hu->priv (NULL!)
+
+Fix this by moving set_bit(HCI_UART_PROTO_INIT) after proto->open()
+succeeds, ensuring hu->priv is initialized before any work can be
+scheduled.
+
+Fixes: 5df5dafc171b ("Bluetooth: hci_uart: Fix another race during initialization")
+Link: https://lore.kernel.org/linux-bluetooth/6969764f.170a0220.2b9fc4.35a7@mx.google.com/
+
+Signed-off-by: Jia-Hong Su
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ drivers/bluetooth/hci_ldisc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
+index 6a90fc69ef444..2752857dbccf3 100644
+--- a/drivers/bluetooth/hci_ldisc.c
++++ b/drivers/bluetooth/hci_ldisc.c
+@@ -687,6 +687,8 @@ static int hci_uart_register_dev(struct hci_uart *hu)
+ return err;
+ }
+
++ set_bit(HCI_UART_PROTO_INIT, &hu->flags);
++
+ if (test_bit(HCI_UART_INIT_PENDING, &hu->hdev_flags))
+ return 0;
+
+@@ -714,8 +716,6 @@ static int hci_uart_set_proto(struct hci_uart *hu, int id)
+
+ hu->proto = p;
+
+- set_bit(HCI_UART_PROTO_INIT, &hu->flags);
+-
+ err = hci_uart_register_dev(hu);
+ if (err) {
+ return err;
+--
+2.51.0
+
diff --git a/queue-6.1/bonding-annotate-data-races-around-slave-last_rx.patch b/queue-6.1/bonding-annotate-data-races-around-slave-last_rx.patch
new file mode 100644
index 0000000000..ea4517d1f0
--- /dev/null
+++ b/queue-6.1/bonding-annotate-data-races-around-slave-last_rx.patch
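Review bot: With set_bit(HCI_UART_PROTO_INIT) now placed inside hci_uart_register_dev(), a failure later in that function leaves the bit set, because the visible error path in hci_uart_set_proto() is just `return err;` with no matching clear. If the steps after the HCI_UART_INIT_PENDING check can fail and release the protocol state (they are outside the hunk, so this is inferred), a tty write wakeup arriving afterwards could again schedule write_work against an hu->priv that is no longer valid, which is the class of bug this patch addresses. Consider `clear_bit(HCI_UART_PROTO_INIT, &hu->flags);` before that `return err;`, or clearing it on the failing path inside hci_uart_register_dev(). Both function bodies start and end outside the hunks.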
@@ -0,0 +1,178 @@
+From 2c8853c0ecadfa15e44d6806b87b74ab2896798c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 22 Jan 2026 16:29:14 +0000
+Subject: bonding: annotate data-races around slave->last_rx
+
+From: Eric Dumazet
+
+[ Upstream commit f6c3665b6dc53c3ab7d31b585446a953a74340ef ]
+
+slave->last_rx and slave->target_last_arp_rx[...] can be read and written
+locklessly. Add READ_ONCE() and WRITE_ONCE() annotations.
+
+syzbot reported:
+
+BUG: KCSAN: data-race in bond_rcv_validate / bond_rcv_validate
+
+write to 0xffff888149f0d428 of 8 bytes by interrupt on cpu 1:
+ bond_rcv_validate+0x202/0x7a0 drivers/net/bonding/bond_main.c:3335
+ bond_handle_frame+0xde/0x5e0 drivers/net/bonding/bond_main.c:1533
+ __netif_receive_skb_core+0x5b1/0x1950 net/core/dev.c:6039
+ __netif_receive_skb_one_core net/core/dev.c:6150 [inline]
+ __netif_receive_skb+0x59/0x270 net/core/dev.c:6265
+ netif_receive_skb_internal net/core/dev.c:6351 [inline]
+ netif_receive_skb+0x4b/0x2d0 net/core/dev.c:6410
+...
+
+write to 0xffff888149f0d428 of 8 bytes by interrupt on cpu 0:
+ bond_rcv_validate+0x202/0x7a0 drivers/net/bonding/bond_main.c:3335
+ bond_handle_frame+0xde/0x5e0 drivers/net/bonding/bond_main.c:1533
+ __netif_receive_skb_core+0x5b1/0x1950 net/core/dev.c:6039
+ __netif_receive_skb_one_core net/core/dev.c:6150 [inline]
+ __netif_receive_skb+0x59/0x270 net/core/dev.c:6265
+ netif_receive_skb_internal net/core/dev.c:6351 [inline]
+ netif_receive_skb+0x4b/0x2d0 net/core/dev.c:6410
+ br_netif_receive_skb net/bridge/br_input.c:30 [inline]
+ NF_HOOK include/linux/netfilter.h:318 [inline]
+...
+ +value changed: 0x0000000100005365 -> 0x0000000100005366 + +Fixes: f5b2b966f032 ("[PATCH] bonding: Validate probe replies in ARP monitor") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Link: https://patch.msgid.link/20260122162914.2299312-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 18 ++++++++++-------- + drivers/net/bonding/bond_options.c | 8 ++++---- + include/net/bonding.h | 13 +++++++------ + 3 files changed, 21 insertions(+), 18 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index b0bc811aaab91..71912ddfa7149 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -3082,8 +3082,8 @@ static void bond_validate_arp(struct bonding *bond, struct slave *slave, __be32 + __func__, &sip); + return; + } +- slave->last_rx = jiffies; +- slave->target_last_arp_rx[i] = jiffies; ++ WRITE_ONCE(slave->last_rx, jiffies); ++ WRITE_ONCE(slave->target_last_arp_rx[i], jiffies); + } + + static int bond_arp_rcv(const struct sk_buff *skb, struct bonding *bond, +@@ -3302,8 +3302,8 @@ static void bond_validate_na(struct bonding *bond, struct slave *slave, + __func__, saddr); + return; + } +- slave->last_rx = jiffies; +- slave->target_last_arp_rx[i] = jiffies; ++ WRITE_ONCE(slave->last_rx, jiffies); ++ WRITE_ONCE(slave->target_last_arp_rx[i], jiffies); + } + + static int bond_na_rcv(const struct sk_buff *skb, struct bonding *bond, +@@ -3373,7 +3373,7 @@ int bond_rcv_validate(const struct sk_buff *skb, struct bonding *bond, + (slave_do_arp_validate_only(bond) && is_ipv6) || + #endif + !slave_do_arp_validate_only(bond)) +- slave->last_rx = jiffies; ++ WRITE_ONCE(slave->last_rx, jiffies); + return RX_HANDLER_ANOTHER; + } else if (is_arp) { + return bond_arp_rcv(skb, bond, slave); +@@ -3441,7 +3441,7 @@ static void bond_loadbalance_arp_mon(struct bonding *bond) + + if (slave->link != BOND_LINK_UP) { + if 
(bond_time_in_interval(bond, last_tx, 1) && +- bond_time_in_interval(bond, slave->last_rx, 1)) { ++ bond_time_in_interval(bond, READ_ONCE(slave->last_rx), 1)) { + + bond_propose_link_state(slave, BOND_LINK_UP); + slave_state_changed = 1; +@@ -3465,8 +3465,10 @@ static void bond_loadbalance_arp_mon(struct bonding *bond) + * when the source ip is 0, so don't take the link down + * if we don't know our ip yet + */ +- if (!bond_time_in_interval(bond, last_tx, bond->params.missed_max) || +- !bond_time_in_interval(bond, slave->last_rx, bond->params.missed_max)) { ++ if (!bond_time_in_interval(bond, last_tx, ++ bond->params.missed_max) || ++ !bond_time_in_interval(bond, READ_ONCE(slave->last_rx), ++ bond->params.missed_max)) { + + bond_propose_link_state(slave, BOND_LINK_DOWN); + slave_state_changed = 1; +diff --git a/drivers/net/bonding/bond_options.c b/drivers/net/bonding/bond_options.c +index 1235878d87159..9473e76c6dc9d 100644 +--- a/drivers/net/bonding/bond_options.c ++++ b/drivers/net/bonding/bond_options.c +@@ -1133,7 +1133,7 @@ static void _bond_options_arp_ip_target_set(struct bonding *bond, int slot, + + if (slot >= 0 && slot < BOND_MAX_ARP_TARGETS) { + bond_for_each_slave(bond, slave, iter) +- slave->target_last_arp_rx[slot] = last_rx; ++ WRITE_ONCE(slave->target_last_arp_rx[slot], last_rx); + targets[slot] = target; + } + } +@@ -1202,8 +1202,8 @@ static int bond_option_arp_ip_target_rem(struct bonding *bond, __be32 target) + bond_for_each_slave(bond, slave, iter) { + targets_rx = slave->target_last_arp_rx; + for (i = ind; (i < BOND_MAX_ARP_TARGETS-1) && targets[i+1]; i++) +- targets_rx[i] = targets_rx[i+1]; +- targets_rx[i] = 0; ++ WRITE_ONCE(targets_rx[i], READ_ONCE(targets_rx[i+1])); ++ WRITE_ONCE(targets_rx[i], 0); + } + for (i = ind; (i < BOND_MAX_ARP_TARGETS-1) && targets[i+1]; i++) + targets[i] = targets[i+1]; +@@ -1358,7 +1358,7 @@ static void _bond_options_ns_ip6_target_set(struct bonding *bond, int slot, + + if (slot >= 0 && slot < 
BOND_MAX_NS_TARGETS) { + bond_for_each_slave(bond, slave, iter) { +- slave->target_last_arp_rx[slot] = last_rx; ++ WRITE_ONCE(slave->target_last_arp_rx[slot], last_rx); + slave_set_ns_maddr(bond, slave, target, &targets[slot]); + } + targets[slot] = *target; +diff --git a/include/net/bonding.h b/include/net/bonding.h +index bfd3e4e58f861..bdfbe77c18420 100644 +--- a/include/net/bonding.h ++++ b/include/net/bonding.h +@@ -525,13 +525,14 @@ static inline int bond_is_ip6_target_ok(struct in6_addr *addr) + static inline unsigned long slave_oldest_target_arp_rx(struct bonding *bond, + struct slave *slave) + { ++ unsigned long tmp, ret = READ_ONCE(slave->target_last_arp_rx[0]); + int i = 1; +- unsigned long ret = slave->target_last_arp_rx[0]; +- +- for (; (i < BOND_MAX_ARP_TARGETS) && bond->params.arp_targets[i]; i++) +- if (time_before(slave->target_last_arp_rx[i], ret)) +- ret = slave->target_last_arp_rx[i]; + ++ for (; (i < BOND_MAX_ARP_TARGETS) && bond->params.arp_targets[i]; i++) { ++ tmp = READ_ONCE(slave->target_last_arp_rx[i]); ++ if (time_before(tmp, ret)) ++ ret = tmp; ++ } + return ret; + } + +@@ -541,7 +542,7 @@ static inline unsigned long slave_last_rx(struct bonding *bond, + if (bond->params.arp_all_targets == BOND_ARP_TARGETS_ALL) + return slave_oldest_target_arp_rx(bond, slave); + +- return slave->last_rx; ++ return READ_ONCE(slave->last_rx); + } + + static inline void slave_update_last_tx(struct slave *slave) +-- +2.51.0 + diff --git a/queue-6.1/can-gs_usb-gs_usb_receive_bulk_callback-fix-error-me.patch b/queue-6.1/can-gs_usb-gs_usb_receive_bulk_callback-fix-error-me.patch new file mode 100644 index 0000000000..d8cdc78846 --- /dev/null +++ b/queue-6.1/can-gs_usb-gs_usb_receive_bulk_callback-fix-error-me.patch 
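Review bot: In bond_option_arp_ip_target_rem() the per-slave target_last_arp_rx[] shift is now annotated, but the matching shift of the target array just below it, `targets[i] = targets[i+1];`, is still a plain store, and slave_oldest_target_arp_rx() in include/net/bonding.h still reads `bond->params.arp_targets[i]` in its loop condition without READ_ONCE(). If targets refers to bond->params.arp_targets (its definition is outside the hunk) and that reader runs without the lock the writer holds, this pair is the same kind of data race the patch annotates elsewhere. Either annotate both sides, for example `WRITE_ONCE(targets[i], targets[i+1]);` and `READ_ONCE(bond->params.arp_targets[i])`, or add a comment naming the lock that makes the plain accesses safe.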
@@ -0,0 +1,52 @@
+From 2ecab70218a048a4aebaf8ff2d1f503b6ca64369 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 20 Jan 2026 10:40:22 +0100
+Subject: can: gs_usb: gs_usb_receive_bulk_callback(): fix error message
+
+From: Marc Kleine-Budde
+
+[ Upstream commit 494fc029f662c331e06b7c2031deff3c64200eed ]
+
+Sinc commit 79a6d1bfe114 ("can: gs_usb: gs_usb_receive_bulk_callback():
+unanchor URL on usb_submit_urb() error") a failing resubmit URB will print
+an info message.
+
+In the case of a short read where netdev has not yet been assigned,
+initialize as NULL to avoid dereferencing an undefined value. Also report
+the error value of the failed resubmit.
+
+Fixes: 79a6d1bfe114 ("can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on usb_submit_urb() error")
+Reported-by: Jakub Kicinski
+Closes: https://lore.kernel.org/all/20260119181904.1209979-1-kuba@kernel.org/
+Link: https://patch.msgid.link/20260120-gs_usb-fix-error-message-v1-1-6be04de572bc@pengutronix.de
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Sasha Levin
+---
+ drivers/net/can/usb/gs_usb.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c
+index f782c3aa179e0..8859e65d4470b 100644
+--- a/drivers/net/can/usb/gs_usb.c
++++ b/drivers/net/can/usb/gs_usb.c
+@@ -526,7 +526,7 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
+ {
+ struct gs_usb *parent = urb->context;
+ struct gs_can *dev;
+- struct net_device *netdev;
++ struct net_device *netdev = NULL;
+ int rc;
+ struct net_device_stats *stats;
+ struct gs_host_frame *hf = urb->transfer_buffer;
+@@ -674,7 +674,7 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
+ }
+ } else if (rc != -ESHUTDOWN && net_ratelimit()) {
+ netdev_info(netdev, "failed to re-submit IN URB: %pe\n",
+- ERR_PTR(urb->status));
++ ERR_PTR(rc));
+ }
+ }
+
+--
+2.51.0
+
diff --git a/queue-6.1/ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch b/queue-6.1/ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch
new file mode 100644
index 0000000000..d80992f579
--- /dev/null
+++ b/queue-6.1/ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch
@@ -0,0 +1,62 @@
+From 5d80f523e702d13056f7cf65839a05c9d62a501f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 1 Dec 2025 15:38:52 -0800
+Subject: ice: stop counting UDP csum mismatch as rx_errors
+
+From: Jesse Brandeburg
+
+[ Upstream commit 05faf2c0a76581d0a7fdbb8ec46477ba183df95b ]
+
+Since the beginning, the Intel ice driver has counted receive checksum
+offload mismatches into the rx_errors member of the rtnl_link_stats64
+struct. In ethtool -S these show up as rx_csum_bad.nic.
+
+I believe counting these in rx_errors is fundamentally wrong, as it's
+pretty clear from the comments in if_link.h and from every other statistic
+the driver is summing into rx_errors, that all of them would cause a
+"hardware drop" except for the UDP checksum mismatch, as well as the fact
+that all the other causes for rx_errors are L2 reasons, and this L4 UDP
+"mismatch" is an outlier.
+
+A last nail in the coffin is that rx_errors is monitored in production and
+can indicate a bad NIC/cable/Switch port, but instead some random series of
+UDP packets with bad checksums will now trigger this alert. This false
+positive makes the alert useless and affects us as well as other companies.
+
+This packet with presumably a bad UDP checksum is *already* passed to the
+stack, just not marked as offloaded by the hardware/driver. If it is
+dropped by the stack it will show up as UDP_MIB_CSUMERRORS.
+
+And one more thing, none of the other Intel drivers, and at least bnxt_en
+and mlx5 both don't appear to count UDP offload mismatches as rx_errors.
+ +Here is a related customer complaint: +https://community.intel.com/t5/Ethernet-Products/ice-rx-errros-is-too-sensitive-to-IP-TCP-attack-packets-Intel/td-p/1662125 + +Fixes: 4f1fe43c920b ("ice: Add more Rx errors to netdev's rx_error counter") +Cc: Tony Nguyen +Cc: Jake Keller +Cc: IWL +Signed-off-by: Jesse Brandeburg +Acked-by: Jacob Keller +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_main.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c +index 9a540b85756f4..2737050aae218 100644 +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -6546,7 +6546,6 @@ void ice_update_vsi_stats(struct ice_vsi *vsi) + pf->stats.illegal_bytes + + pf->stats.rx_len_errors + + pf->stats.rx_undersize + +- pf->hw_csum_rx_error + + pf->stats.rx_jabber + + pf->stats.rx_fragments + + pf->stats.rx_oversize; +-- +2.51.0 + diff --git a/queue-6.1/ipv6-use-the-right-ifindex-when-replying-to-icmpv6-f.patch b/queue-6.1/ipv6-use-the-right-ifindex-when-replying-to-icmpv6-f.patch new file mode 100644 index 0000000000..2705d7b332 --- /dev/null +++ b/queue-6.1/ipv6-use-the-right-ifindex-when-replying-to-icmpv6-f.patch 
@@ -0,0 +1,52 @@
+From 8de5e2c1dcc5085f0b47a154fb5387b1674f8bd4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 21 Jan 2026 20:44:08 +0100
+Subject: ipv6: use the right ifindex when replying to icmpv6 from localhost
+
+From: Fernando Fernandez Mancera
+
+[ Upstream commit 03cbcdf93866e61beb0063392e6dbb701f03aea2 ]
+
+When replying to a ICMPv6 echo request that comes from localhost address
+the right output ifindex is 1 (lo) and not rt6i_idev dev index. Use the
+skb device ifindex instead. This fixes pinging to a local address from
+localhost source address.
+
+$ ping6 -I ::1 2001:1:1::2 -c 3
+PING 2001:1:1::2 (2001:1:1::2) from ::1 : 56 data bytes
+64 bytes from 2001:1:1::2: icmp_seq=1 ttl=64 time=0.037 ms
+64 bytes from 2001:1:1::2: icmp_seq=2 ttl=64 time=0.069 ms
+64 bytes from 2001:1:1::2: icmp_seq=3 ttl=64 time=0.122 ms
+
+2001:1:1::2 ping statistics
+3 packets transmitted, 3 received, 0% packet loss, time 2032ms
+rtt min/avg/max/mdev = 0.037/0.076/0.122/0.035 ms
+
+Fixes: 1b70d792cf67 ("ipv6: Use rt6i_idev index for echo replies to a local address")
+Signed-off-by: Fernando Fernandez Mancera
+Reviewed-by: David Ahern
+Link: https://patch.msgid.link/20260121194409.6749-1-fmancera@suse.de
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv6/icmp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
+index 7d88fd314c390..7ba3c642ab3c3 100644
+--- a/net/ipv6/icmp.c
++++ b/net/ipv6/icmp.c
+@@ -765,7 +765,9 @@ static void icmpv6_echo_reply(struct sk_buff *skb)
+ fl6.daddr = ipv6_hdr(skb)->saddr;
+ if (saddr)
+ fl6.saddr = *saddr;
+- fl6.flowi6_oif = icmp6_iif(skb);
++ fl6.flowi6_oif = ipv6_addr_loopback(&fl6.daddr) ?
++ skb->dev->ifindex :
++ icmp6_iif(skb);
+ fl6.fl6_icmp_type = type;
+ fl6.flowi6_mark = mark;
+ fl6.flowi6_uid = sock_net_uid(net, NULL);
+--
+2.51.0
+
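Review bot: The new ternary that sets fl6.flowi6_oif in icmpv6_echo_reply() carries no comment saying why a loopback destination needs a different output interface, so the reason lives only in the commit message. I would add above it `/* a reply to ::1 must leave via the receiving device (lo), not the index icmp6_iif() selects */`. The function body starts and ends outside the hunk.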
diff --git a/queue-6.1/net-bridge-fix-static-key-check.patch b/queue-6.1/net-bridge-fix-static-key-check.patch
new file mode 100644
index 0000000000..28bc010def
--- /dev/null
+++ b/queue-6.1/net-bridge-fix-static-key-check.patch
@@ -0,0 +1,40 @@
+From 4c86977dc78555c0ff9bf83763092edf6b398ba3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 27 Jan 2026 11:19:23 +0100
+Subject: net: bridge: fix static key check
+
+From: Martin Kaiser
+
+[ Upstream commit cc0cf10fdaeadf5542d64a55b5b4120d3df90b7d ]
+
+Fix the check if netfilter's static keys are available. netfilter defines
+and exports static keys if CONFIG_JUMP_LABEL is enabled. (HAVE_JUMP_LABEL
+is never defined.)
+
+Fixes: 971502d77faa ("bridge: netfilter: unroll NF_HOOK helper in bridge input path")
+Signed-off-by: Martin Kaiser
+Reviewed-by: Florian Westphal
+Reviewed-by: Nikolay Aleksandrov
+Link: https://patch.msgid.link/20260127101925.1754425-1-martin@kaiser.cx
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/bridge/br_input.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
+index f11345720c275..e33500771b30f 100644
+--- a/net/bridge/br_input.c
++++ b/net/bridge/br_input.c
+@@ -243,7 +243,7 @@ static int nf_hook_bridge_pre(struct sk_buff *skb, struct sk_buff **pskb)
+ int ret;
+
+ net = dev_net(skb->dev);
+-#ifdef HAVE_JUMP_LABEL
++#ifdef CONFIG_JUMP_LABEL
+ if (!static_key_false(&nf_hooks_needed[NFPROTO_BRIDGE][NF_BR_PRE_ROUTING]))
+ goto frame_finish;
+ #endif
+--
+2.51.0
+
diff --git a/queue-6.1/net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch b/queue-6.1/net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch
new file mode 100644
index 0000000000..280cbe5f06
--- /dev/null
+++ b/queue-6.1/net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch
@@ -0,0 +1,46 @@ +From c2b4483c00aeee0f3dfb68af3aca180dd16b2330 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jan 2026 13:46:40 +0000 +Subject: net/mlx5: Fix memory leak in esw_acl_ingress_lgcy_setup() + +From: Zilin Guan + +[ Upstream commit 108948f723b13874b7ebf6b3f1cc598a7de38622 ] + +In esw_acl_ingress_lgcy_setup(), if esw_acl_table_create() fails, +the function returns directly without releasing the previously +created counter, leading to a memory leak. + +Fix this by jumping to the out label instead of returning directly, +which aligns with the error handling logic of other paths in this +function. + +Compile tested only. Issue found using a prototype static analysis tool +and code review. + +Fixes: 07bab9502641 ("net/mlx5: E-Switch, Refactor eswitch ingress acl codes") +Signed-off-by: Zilin Guan +Reviewed-by: Tariq Toukan +Link: https://patch.msgid.link/20260120134640.2717808-1-zilin@seu.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c +index 093ed86a0acd8..db51c500ed359 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c +@@ -188,7 +188,7 @@ int esw_acl_ingress_lgcy_setup(struct mlx5_eswitch *esw, + if (IS_ERR(vport->ingress.acl)) { + err = PTR_ERR(vport->ingress.acl); + vport->ingress.acl = NULL; +- return err; ++ goto out; + } + + err = esw_acl_ingress_lgcy_groups_create(esw, vport); +-- +2.51.0 + diff --git a/queue-6.1/net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch b/queue-6.1/net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch new file mode 100644 index 0000000000..d7db9546c3 --- /dev/null 
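Review bot: The `goto out` added in esw_acl_ingress_lgcy_setup() reaches the shared cleanup with `vport->ingress.acl` already reset to NULL by the line above it. The `out:` label is outside the hunk, so it cannot be confirmed here that every teardown step under it tolerates a missing table. The commit message says the change was compile tested only, so this path is unexercised. I would record the assumption at the branch with `/* table creation failed: out: must release the counter without touching ingress.acl */` and confirm it with a fault-injection run on esw_acl_table_create().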
+++ b/queue-6.1/net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch 
@@ -0,0 +1,75 @@ +From 528efe665d38a4fe5e430773a40548db2eb98041 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jan 2026 09:14:55 +0200 +Subject: net/mlx5e: Account for netdev stats in ndo_get_stats64 + +From: Gal Pressman + +[ Upstream commit 476681f10cc1e0e56e26856684e75d4678b072b2 ] + +The driver's ndo_get_stats64 callback is only reporting mlx5 counters, +without accounting for the netdev stats, causing errors from the network +stack to be invisible in statistics. + +Add netdev_stats_to_stats64() call to first populate the counters, then +add mlx5 counters on top, ensuring both are accounted for (where +appropriate). + +Fixes: f62b8bb8f2d3 ("net/mlx5: Extend mlx5_core to support ConnectX-4 Ethernet functionality") +Signed-off-by: Gal Pressman +Signed-off-by: Tariq Toukan +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/1769411695-18820-4-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/en_main.c | 20 ++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index 1d7fe4ffdd734..2d0b57583ea35 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -3650,6 +3650,8 @@ mlx5e_get_stats(struct net_device *dev, struct rtnl_link_stats64 *stats) + mlx5e_queue_update_stats(priv); + } + ++ netdev_stats_to_stats64(stats, &dev->stats); ++ + if (mlx5e_is_uplink_rep(priv)) { + struct mlx5e_vport_stats *vstats = &priv->stats.vport; + +@@ -3666,21 +3668,21 @@ mlx5e_get_stats(struct net_device *dev, struct rtnl_link_stats64 *stats) + mlx5e_fold_sw_stats64(priv, stats); + } + +- stats->rx_missed_errors = priv->stats.qcnt.rx_out_of_buffer; +- stats->rx_dropped = PPORT_2863_GET(pstats, if_in_discards); ++ stats->rx_missed_errors += priv->stats.qcnt.rx_out_of_buffer; ++ 
stats->rx_dropped += PPORT_2863_GET(pstats, if_in_discards); + +- stats->rx_length_errors = ++ stats->rx_length_errors += + PPORT_802_3_GET(pstats, a_in_range_length_errors) + + PPORT_802_3_GET(pstats, a_out_of_range_length_field) + + PPORT_802_3_GET(pstats, a_frame_too_long_errors) + + VNIC_ENV_GET(&priv->stats.vnic, eth_wqe_too_small); +- stats->rx_crc_errors = ++ stats->rx_crc_errors += + PPORT_802_3_GET(pstats, a_frame_check_sequence_errors); +- stats->rx_frame_errors = PPORT_802_3_GET(pstats, a_alignment_errors); +- stats->tx_aborted_errors = PPORT_2863_GET(pstats, if_out_discards); +- stats->rx_errors = stats->rx_length_errors + stats->rx_crc_errors + +- stats->rx_frame_errors; +- stats->tx_errors = stats->tx_aborted_errors + stats->tx_carrier_errors; ++ stats->rx_frame_errors += PPORT_802_3_GET(pstats, a_alignment_errors); ++ stats->tx_aborted_errors += PPORT_2863_GET(pstats, if_out_discards); ++ stats->rx_errors += stats->rx_length_errors + stats->rx_crc_errors + ++ stats->rx_frame_errors; ++ stats->tx_errors += stats->tx_aborted_errors + stats->tx_carrier_errors; + } + + static void mlx5e_nic_set_rx_mode(struct mlx5e_priv *priv) +-- +2.51.0 + diff --git a/queue-6.1/net-mlx5e-report-rx_discards_phy-via-rx_dropped.patch b/queue-6.1/net-mlx5e-report-rx_discards_phy-via-rx_dropped.patch new file mode 100644 index 0000000000..6c2df666a4 --- /dev/null +++ b/queue-6.1/net-mlx5e-report-rx_discards_phy-via-rx_dropped.patch 
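Review bot: `stats->rx_errors += stats->rx_length_errors + stats->rx_crc_errors + stats->rx_frame_errors;` sums fields that, after the new `netdev_stats_to_stats64()` call, already contain the netdev share, and adds them to an `rx_errors` that was itself seeded from `dev->stats`. If the stack's `rx_errors` already includes its own length, CRC or frame errors (not visible from this hunk), that share is counted twice; the same applies to `tx_errors` and the seeded `tx_carrier_errors`. Keeping the hardware counters in locals and adding only those to the totals avoids this, e.g. `stats->rx_errors += hw_len + hw_crc + hw_frame;` with illustrative local names. The function starts above the hunk, so what `mlx5e_fold_sw_stats64()` does to the seeded values cannot be checked here.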
@@ -0,0 +1,50 @@
+From c1a15d07e011dab1aa14356f125cf6a756957969 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 10 Dec 2024 10:27:06 +0800
+Subject: net/mlx5e: Report rx_discards_phy via rx_dropped
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yafang Shao
+
+[ Upstream commit c9cfced17365b1df8c6ae6cd5db56aebd7ed9b57 ]
+
+We noticed a high number of rx_discards_phy events on certain servers while
+running `ethtool -S`. However, this critical counter is not currently
+included in the standard /proc/net/dev statistics file, making it difficult
+to monitor effectively—especially given the diversity of vendors across a
+large fleet of servers.
+
+Let's report it via the standard rx_dropped metric.
+
+Suggested-by: Jakub Kicinski
+Signed-off-by: Yafang Shao
+Cc: Saeed Mahameed
+Cc: Leon Romanovsky
+Cc: Gal Pressman
+Reviewed-by: Simon Horman
+Reviewed-by: Tariq Toukan
+Link: https://patch.msgid.link/20241210022706.6665-1-laoar.shao@gmail.com
+Signed-off-by: Jakub Kicinski
+Stable-dep-of: 476681f10cc1 ("net/mlx5e: Account for netdev stats in ndo_get_stats64")
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index 73011870e5ff6..1d7fe4ffdd734 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -3667,6 +3667,7 @@ mlx5e_get_stats(struct net_device *dev, struct rtnl_link_stats64 *stats)
+ }
+
+ stats->rx_missed_errors = priv->stats.qcnt.rx_out_of_buffer;
++ stats->rx_dropped = PPORT_2863_GET(pstats, if_in_discards);
+
+ stats->rx_length_errors =
+ PPORT_802_3_GET(pstats, a_in_range_length_errors) +
+--
+2.51.0
+
diff --git a/queue-6.1/net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch b/queue-6.1/net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch
new file mode 100644
index 0000000000..a2d6946082
--- /dev/null
+++ b/queue-6.1/net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch
@@ -0,0 +1,48 @@
+From 41dbbba9bb0d4f14af83b3a9354ed45d8eb4bbd8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 23 Jan 2026 06:57:16 +0000
+Subject: net: mvpp2: cls: Fix memory leak in mvpp2_ethtool_cls_rule_ins()
+
+From: Zilin Guan
+
+[ Upstream commit 09f979d1f312627b31d2ee1e46f9692e442610cd ]
+
+In mvpp2_ethtool_cls_rule_ins(), the ethtool_rule is allocated by
+ethtool_rx_flow_rule_create(). If the subsequent conversion to flow
+type fails, the function jumps to the clean_rule label.
+
+However, the clean_rule label only frees efs, skipping the cleanup
+of ethtool_rule, which leads to a memory leak.
+
+Fix this by jumping to the clean_eth_rule label, which properly calls
+ethtool_rx_flow_rule_destroy() before freeing efs.
+
+Compile tested only. Issue found using a prototype static analysis tool
+and code review.
+
+Fixes: f4f1ba18195d ("net: mvpp2: cls: Report an error for unsupported flow types")
+Signed-off-by: Zilin Guan
+Reviewed-by: Maxime Chevallier
+Link: https://patch.msgid.link/20260123065716.2248324-1-zilin@seu.edu.cn
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c
+index d2757cc116139..038382a0b8e9f 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c
+@@ -1389,7 +1389,7 @@ int mvpp2_ethtool_cls_rule_ins(struct mvpp2_port *port,
+ efs->rule.flow_type = mvpp2_cls_ethtool_flow_to_type(info->fs.flow_type);
+ if (efs->rule.flow_type < 0) {
+ ret = efs->rule.flow_type;
+- goto clean_rule;
++ goto clean_eth_rule;
+ }
+
+ ret = mvpp2_cls_rfs_parse_rule(&efs->rule);
+--
+2.51.0
+
diff --git a/queue-6.1/net-wwan-t7xx-fix-potential-skb-frags-overflow-in-rx.patch b/queue-6.1/net-wwan-t7xx-fix-potential-skb-frags-overflow-in-rx.patch
new file mode 100644
index 0000000000..9e161e94c6
--- /dev/null
+++ b/queue-6.1/net-wwan-t7xx-fix-potential-skb-frags-overflow-in-rx.patch
@@ -0,0 +1,83 @@ +From b18a77d10d1d2014860cbd37177e3dc908e5fbd8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Jan 2026 01:04:01 +0800 +Subject: net: wwan: t7xx: fix potential skb->frags overflow in RX path + +From: Kery Qi + +[ Upstream commit f0813bcd2d9d97fdbdf2efb9532ab03ae92e99e6 ] + +When receiving data in the DPMAIF RX path, +the t7xx_dpmaif_set_frag_to_skb() function adds +page fragments to an skb without checking if the number of +fragments has exceeded MAX_SKB_FRAGS. This could lead to a buffer overflow +in skb_shinfo(skb)->frags[] array, corrupting adjacent memory and +potentially causing kernel crashes or other undefined behavior. + +This issue was identified through static code analysis by comparing with a +similar vulnerability fixed in the mt76 driver commit b102f0c522cf ("mt76: +fix array overflow on receiving too many fragments for a packet"). + +The vulnerability could be triggered if the modem firmware sends packets +with excessive fragments. While under normal protocol conditions (MTU 3080 +bytes, BAT buffer 3584 bytes), +a single packet should not require additional +fragments, the kernel should not blindly trust firmware behavior. +Malicious, buggy, or compromised firmware could potentially craft packets +with more fragments than the kernel expects. + +Fix this by adding a bounds check before calling skb_add_rx_frag() to +ensure nr_frags does not exceed MAX_SKB_FRAGS. + +The check must be performed before unmapping to avoid a page leak +and double DMA unmap during device teardown. 
+ +Fixes: d642b012df70a ("net: wwan: t7xx: Add data path interface") +Signed-off-by: Kery Qi +Link: https://patch.msgid.link/20260122170401.1986-2-qikeyu2017@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c b/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c +index f4f924d75103a..bdf1451fbc87d 100644 +--- a/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c ++++ b/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c +@@ -430,6 +430,7 @@ static int t7xx_dpmaif_set_frag_to_skb(const struct dpmaif_rx_queue *rxq, + struct sk_buff *skb) + { + unsigned long long data_bus_addr, data_base_addr; ++ struct skb_shared_info *shinfo = skb_shinfo(skb); + struct device *dev = rxq->dpmaif_ctrl->dev; + struct dpmaif_bat_page *page_info; + unsigned int data_len; +@@ -437,18 +438,22 @@ static int t7xx_dpmaif_set_frag_to_skb(const struct dpmaif_rx_queue *rxq, + + page_info = rxq->bat_frag->bat_skb; + page_info += t7xx_normal_pit_bid(pkt_info); +- dma_unmap_page(dev, page_info->data_bus_addr, page_info->data_len, DMA_FROM_DEVICE); + + if (!page_info->page) + return -EINVAL; + ++ if (shinfo->nr_frags >= MAX_SKB_FRAGS) ++ return -EINVAL; ++ ++ dma_unmap_page(dev, page_info->data_bus_addr, page_info->data_len, DMA_FROM_DEVICE); ++ + data_bus_addr = le32_to_cpu(pkt_info->pd.data_addr_h); + data_bus_addr = (data_bus_addr << 32) + le32_to_cpu(pkt_info->pd.data_addr_l); + data_base_addr = page_info->data_bus_addr; + data_offset = data_bus_addr - data_base_addr; + data_offset += page_info->offset; + data_len = FIELD_GET(PD_PIT_DATA_LEN, le32_to_cpu(pkt_info->header)); +- skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags, page_info->page, ++ skb_add_rx_frag(skb, shinfo->nr_frags, page_info->page, + data_offset, data_len, page_info->data_len); + + page_info->page = NULL; +-- +2.51.0 + 
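Review bot: The added `nr_frags` guard bounds the frags[] index, but the offset and length handed to `skb_add_rx_frag()` are still computed from the device-written descriptor (`pkt_info->pd.data_addr_h/l`, `pkt_info->header`) without being checked against the mapped buffer. The commit message's own premise is that firmware must not be trusted, so I would compute `data_bus_addr` and `data_len` before `dma_unmap_page()` and reject out-of-range values next to the new check: `if (data_bus_addr < data_base_addr || data_bus_addr - data_base_addr + data_len > page_info->data_len) return -EINVAL;`. Both early `return -EINVAL` paths are silent; a `dev_err_ratelimited()` there would make a misbehaving modem visible in logs. The function body continues past the end of the hunk.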
diff --git a/queue-6.1/nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch b/queue-6.1/nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch new file mode 100644 index 0000000000..61b9352ade --- /dev/null +++ b/queue-6.1/nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch 
@@ -0,0 +1,167 @@ +From 0d1fb8662bd9935d54fc2140929e2a669a3cb226 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 25 Jan 2026 00:59:28 +0000 +Subject: nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame(). + +From: Kuniyuki Iwashima + +[ Upstream commit 165c34fb6068ff153e3fc99a932a80a9d5755709 ] + +syzbot reported various memory leaks related to NFC, struct +nfc_llcp_sock, sk_buff, nfc_dev, etc. [0] + +The leading log hinted that nfc_llcp_send_ui_frame() failed +to allocate skb due to sock_error(sk) being -ENXIO. + +ENXIO is set by nfc_llcp_socket_release() when struct +nfc_llcp_local is destroyed by local_cleanup(). + +The problem is that there is no synchronisation between +nfc_llcp_send_ui_frame() and local_cleanup(), and skb +could be put into local->tx_queue after it was purged in +local_cleanup(): + + CPU1 CPU2 + ---- ---- + nfc_llcp_send_ui_frame() local_cleanup() + |- do { ' + |- pdu = nfc_alloc_send_skb(..., &err) + | . + | |- nfc_llcp_socket_release(local, false, ENXIO); + | |- skb_queue_purge(&local->tx_queue); | + | ' | + |- skb_queue_tail(&local->tx_queue, pdu); | + ... | + |- pdu = nfc_alloc_send_skb(..., &err) | + ^._________________________________.' + +local_cleanup() is called for struct nfc_llcp_local only +after nfc_llcp_remove_local() unlinks it from llcp_devices. + +If we hold local->tx_queue.lock then, we can synchronise +the thread and nfc_llcp_send_ui_frame(). + +Let's do that and check list_empty(&local->list) before +queuing skb to local->tx_queue in nfc_llcp_send_ui_frame(). + +[0]: +[ 56.074943][ T6096] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6) +[ 64.318868][ T5813] kmemleak: 6 new suspected memory leaks (see /sys/kernel/debug/kmemleak) +BUG: memory leak +unreferenced object 0xffff8881272f6800 (size 1024): + comm "syz.0.17", pid 6096, jiffies 4294942766 + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
+ 27 00 03 40 00 00 00 00 00 00 00 00 00 00 00 00 '..@............ + backtrace (crc da58d84d): + kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] + slab_post_alloc_hook mm/slub.c:4979 [inline] + slab_alloc_node mm/slub.c:5284 [inline] + __do_kmalloc_node mm/slub.c:5645 [inline] + __kmalloc_noprof+0x3e3/0x6b0 mm/slub.c:5658 + kmalloc_noprof include/linux/slab.h:961 [inline] + sk_prot_alloc+0x11a/0x1b0 net/core/sock.c:2239 + sk_alloc+0x36/0x360 net/core/sock.c:2295 + nfc_llcp_sock_alloc+0x37/0x130 net/nfc/llcp_sock.c:979 + llcp_sock_create+0x71/0xd0 net/nfc/llcp_sock.c:1044 + nfc_sock_create+0xc9/0xf0 net/nfc/af_nfc.c:31 + __sock_create+0x1a9/0x340 net/socket.c:1605 + sock_create net/socket.c:1663 [inline] + __sys_socket_create net/socket.c:1700 [inline] + __sys_socket+0xb9/0x1a0 net/socket.c:1747 + __do_sys_socket net/socket.c:1761 [inline] + __se_sys_socket net/socket.c:1759 [inline] + __x64_sys_socket+0x1b/0x30 net/socket.c:1759 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +BUG: memory leak +unreferenced object 0xffff88810fbd9800 (size 240): + comm "syz.0.17", pid 6096, jiffies 4294942850 + hex dump (first 32 bytes): + 68 f0 ff 08 81 88 ff ff 68 f0 ff 08 81 88 ff ff h.......h....... + 00 00 00 00 00 00 00 00 00 68 2f 27 81 88 ff ff .........h/'.... 
+ backtrace (crc 6cc652b1): + kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] + slab_post_alloc_hook mm/slub.c:4979 [inline] + slab_alloc_node mm/slub.c:5284 [inline] + kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5336 + __alloc_skb+0x203/0x240 net/core/skbuff.c:660 + alloc_skb include/linux/skbuff.h:1383 [inline] + alloc_skb_with_frags+0x69/0x3f0 net/core/skbuff.c:6671 + sock_alloc_send_pskb+0x379/0x3e0 net/core/sock.c:2965 + sock_alloc_send_skb include/net/sock.h:1859 [inline] + nfc_alloc_send_skb+0x45/0x80 net/nfc/core.c:724 + nfc_llcp_send_ui_frame+0x162/0x360 net/nfc/llcp_commands.c:766 + llcp_sock_sendmsg+0x14c/0x1d0 net/nfc/llcp_sock.c:814 + sock_sendmsg_nosec net/socket.c:727 [inline] + __sock_sendmsg net/socket.c:742 [inline] + __sys_sendto+0x2d8/0x2f0 net/socket.c:2244 + __do_sys_sendto net/socket.c:2251 [inline] + __se_sys_sendto net/socket.c:2247 [inline] + __x64_sys_sendto+0x28/0x30 net/socket.c:2247 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: 94f418a20664 ("NFC: UI frame sending routine implementation") +Reported-by: syzbot+f2d245f1d76bbfa50e4c@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/697569c7.a00a0220.33ccc7.0014.GAE@google.com/T/#u +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20260125010214.1572439-1-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/nfc/llcp_commands.c | 17 ++++++++++++++++- + net/nfc/llcp_core.c | 4 +++- + 2 files changed, 19 insertions(+), 2 deletions(-) + +diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c +index e2680a3bef799..b652323bc2c12 100644 +--- a/net/nfc/llcp_commands.c ++++ b/net/nfc/llcp_commands.c +@@ -778,8 +778,23 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap, + if (likely(frag_len > 0)) + skb_put_data(pdu, msg_ptr, 
frag_len); + ++ spin_lock(&local->tx_queue.lock); ++ ++ if (list_empty(&local->list)) { ++ spin_unlock(&local->tx_queue.lock); ++ ++ kfree_skb(pdu); ++ ++ len -= remaining_len; ++ if (len == 0) ++ len = -ENXIO; ++ break; ++ } ++ + /* No need to check for the peer RW for UI frames */ +- skb_queue_tail(&local->tx_queue, pdu); ++ __skb_queue_tail(&local->tx_queue, pdu); ++ ++ spin_unlock(&local->tx_queue.lock); + + remaining_len -= frag_len; + msg_ptr += frag_len; +diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c +index 18be13fb9b75a..ced99d2a90cc1 100644 +--- a/net/nfc/llcp_core.c ++++ b/net/nfc/llcp_core.c +@@ -314,7 +314,9 @@ static struct nfc_llcp_local *nfc_llcp_remove_local(struct nfc_dev *dev) + spin_lock(&llcp_devices_lock); + list_for_each_entry_safe(local, tmp, &llcp_devices, list) + if (local->dev == dev) { +- list_del(&local->list); ++ spin_lock(&local->tx_queue.lock); ++ list_del_init(&local->list); ++ spin_unlock(&local->tx_queue.lock); + spin_unlock(&llcp_devices_lock); + return local; + } +-- +2.51.0 + diff --git a/queue-6.1/nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch b/queue-6.1/nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch new file mode 100644 index 0000000000..9da678ea56 --- /dev/null +++ b/queue-6.1/nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch 
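Review bot: Replacing `skb_queue_tail()` with `__skb_queue_tail()` under a plain `spin_lock(&local->tx_queue.lock)` drops the interrupt-saving lock the helper used to take. The new section in nfc_llcp_send_ui_frame() is therefore only safe if `tx_queue.lock` is never taken from softirq or hardirq context, which cannot be confirmed from the hunk. The second hunk, in nfc_llcp_remove_local(), also introduces a nesting order, `llcp_devices_lock` then `tx_queue.lock`, that is not written down anywhere. I would add `/* tx_queue.lock orders this list_empty() check against list_del_init() in nfc_llcp_remove_local() */` above the new `spin_lock()` and note the nesting order at the remove site. Both functions start outside their hunks.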
@@ -0,0 +1,197 @@ +From 41808a335347e255d0e262ebc6b19be015b7390d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Jan 2026 04:03:59 +0000 +Subject: nfc: nci: Fix race between rfkill and nci_unregister_device(). + +From: Kuniyuki Iwashima + +[ Upstream commit d2492688bb9fed6ab6e313682c387ae71a66ebae ] + +syzbot reported the splat below [0] without a repro. + +It indicates that struct nci_dev.cmd_wq had been destroyed before +nci_close_device() was called via rfkill. + +nci_dev.cmd_wq is only destroyed in nci_unregister_device(), which +(I think) was called from virtual_ncidev_close() when syzbot close()d +an fd of virtual_ncidev. + +The problem is that nci_unregister_device() destroys nci_dev.cmd_wq +first and then calls nfc_unregister_device(), which removes the +device from rfkill by rfkill_unregister(). + +So, the device is still visible via rfkill even after nci_dev.cmd_wq +is destroyed. + +Let's unregister the device from rfkill first in nci_unregister_device(). + +Note that we cannot call nfc_unregister_device() before +nci_close_device() because + + 1) nfc_unregister_device() calls device_del() which frees + all memory allocated by devm_kzalloc() and linked to + ndev->conn_info_list + + 2) nci_rx_work() could try to queue nci_conn_info to + ndev->conn_info_list which could be leaked + +Thus, nfc_unregister_device() is split into two functions so we +can remove rfkill interfaces only before nci_close_device(). 
+ +[0]: +DEBUG_LOCKS_WARN_ON(1) +WARNING: kernel/locking/lockdep.c:238 at hlock_class kernel/locking/lockdep.c:238 [inline], CPU#0: syz.0.8675/6349 +WARNING: kernel/locking/lockdep.c:238 at check_wait_context kernel/locking/lockdep.c:4854 [inline], CPU#0: syz.0.8675/6349 +WARNING: kernel/locking/lockdep.c:238 at __lock_acquire+0x39d/0x2cf0 kernel/locking/lockdep.c:5187, CPU#0: syz.0.8675/6349 +Modules linked in: +CPU: 0 UID: 0 PID: 6349 Comm: syz.0.8675 Not tainted syzkaller #0 PREEMPT(full) +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026 +RIP: 0010:hlock_class kernel/locking/lockdep.c:238 [inline] +RIP: 0010:check_wait_context kernel/locking/lockdep.c:4854 [inline] +RIP: 0010:__lock_acquire+0x3a4/0x2cf0 kernel/locking/lockdep.c:5187 +Code: 18 00 4c 8b 74 24 08 75 27 90 e8 17 f2 fc 02 85 c0 74 1c 83 3d 50 e0 4e 0e 00 75 13 48 8d 3d 43 f7 51 0e 48 c7 c6 8b 3a de 8d <67> 48 0f b9 3a 90 31 c0 0f b6 98 c4 00 00 00 41 8b 45 20 25 ff 1f +RSP: 0018:ffffc9000c767680 EFLAGS: 00010046 +RAX: 0000000000000001 RBX: 0000000000040000 RCX: 0000000000080000 +RDX: ffffc90013080000 RSI: ffffffff8dde3a8b RDI: ffffffff8ff24ca0 +RBP: 0000000000000003 R08: ffffffff8fef35a3 R09: 1ffffffff1fde6b4 +R10: dffffc0000000000 R11: fffffbfff1fde6b5 R12: 00000000000012a2 +R13: ffff888030338ba8 R14: ffff888030338000 R15: ffff888030338b30 +FS: 00007fa5995f66c0(0000) GS:ffff8881256f8000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f7e72f842d0 CR3: 00000000485a0000 CR4: 00000000003526f0 +Call Trace: + + lock_acquire+0x106/0x330 kernel/locking/lockdep.c:5868 + touch_wq_lockdep_map+0xcb/0x180 kernel/workqueue.c:3940 + __flush_workqueue+0x14b/0x14f0 kernel/workqueue.c:3982 + nci_close_device+0x302/0x630 net/nfc/nci/core.c:567 + nci_dev_down+0x3b/0x50 net/nfc/nci/core.c:639 + nfc_dev_down+0x152/0x290 net/nfc/core.c:161 + nfc_rfkill_set_block+0x2d/0x100 net/nfc/core.c:179 + rfkill_set_block+0x1d2/0x440 
net/rfkill/core.c:346 + rfkill_fop_write+0x461/0x5a0 net/rfkill/core.c:1301 + vfs_write+0x29a/0xb90 fs/read_write.c:684 + ksys_write+0x150/0x270 fs/read_write.c:738 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7fa59b39acb9 +Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007fa5995f6028 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +RAX: ffffffffffffffda RBX: 00007fa59b615fa0 RCX: 00007fa59b39acb9 +RDX: 0000000000000008 RSI: 0000200000000080 RDI: 0000000000000007 +RBP: 00007fa59b408bf7 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007fa59b616038 R14: 00007fa59b615fa0 R15: 00007ffc82218788 + + +Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation") +Reported-by: syzbot+f9c5fd1a0874f9069dce@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/695e7f56.050a0220.1c677c.036c.GAE@google.com/ +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20260127040411.494931-1-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/nfc/nfc.h | 2 ++ + net/nfc/core.c | 27 ++++++++++++++++++++++++--- + net/nfc/nci/core.c | 4 +++- + 3 files changed, 29 insertions(+), 4 deletions(-) + +diff --git a/include/net/nfc/nfc.h b/include/net/nfc/nfc.h +index 5dee575fbe86a..b82f4f2a27fb8 100644 +--- a/include/net/nfc/nfc.h ++++ b/include/net/nfc/nfc.h +@@ -215,6 +215,8 @@ static inline void nfc_free_device(struct nfc_dev *dev) + + int nfc_register_device(struct nfc_dev *dev); + ++void nfc_unregister_rfkill(struct nfc_dev *dev); ++void nfc_remove_device(struct nfc_dev *dev); + void nfc_unregister_device(struct nfc_dev *dev); + + /** +diff --git 
a/net/nfc/core.c b/net/nfc/core.c +index 5352571b62148..a02ede8b067bd 100644 +--- a/net/nfc/core.c ++++ b/net/nfc/core.c +@@ -1147,14 +1147,14 @@ int nfc_register_device(struct nfc_dev *dev) + EXPORT_SYMBOL(nfc_register_device); + + /** +- * nfc_unregister_device - unregister a nfc device in the nfc subsystem ++ * nfc_unregister_rfkill - unregister a nfc device in the rfkill subsystem + * + * @dev: The nfc device to unregister + */ +-void nfc_unregister_device(struct nfc_dev *dev) ++void nfc_unregister_rfkill(struct nfc_dev *dev) + { +- int rc; + struct rfkill *rfk = NULL; ++ int rc; + + pr_debug("dev_name=%s\n", dev_name(&dev->dev)); + +@@ -1175,7 +1175,16 @@ void nfc_unregister_device(struct nfc_dev *dev) + rfkill_unregister(rfk); + rfkill_destroy(rfk); + } ++} ++EXPORT_SYMBOL(nfc_unregister_rfkill); + ++/** ++ * nfc_remove_device - remove a nfc device in the nfc subsystem ++ * ++ * @dev: The nfc device to remove ++ */ ++void nfc_remove_device(struct nfc_dev *dev) ++{ + if (dev->ops->check_presence) { + del_timer_sync(&dev->check_pres_timer); + cancel_work_sync(&dev->check_pres_work); +@@ -1188,6 +1197,18 @@ void nfc_unregister_device(struct nfc_dev *dev) + device_del(&dev->dev); + mutex_unlock(&nfc_devlist_mutex); + } ++EXPORT_SYMBOL(nfc_remove_device); ++ ++/** ++ * nfc_unregister_device - unregister a nfc device in the nfc subsystem ++ * ++ * @dev: The nfc device to unregister ++ */ ++void nfc_unregister_device(struct nfc_dev *dev) ++{ ++ nfc_unregister_rfkill(dev); ++ nfc_remove_device(dev); ++} + EXPORT_SYMBOL(nfc_unregister_device); + + static int __init nfc_init(void) +diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c +index 6196bb512dfc1..2ffdbbf90eb70 100644 +--- a/net/nfc/nci/core.c ++++ b/net/nfc/nci/core.c +@@ -1291,6 +1291,8 @@ void nci_unregister_device(struct nci_dev *ndev) + { + struct nci_conn_info *conn_info, *n; + ++ nfc_unregister_rfkill(ndev->nfc_dev); ++ + /* This set_bit is not protected with specialized barrier, + * However, it is fine 
because the mutex_lock(&ndev->req_lock); + * in nci_close_device() will help to emit one. +@@ -1308,7 +1310,7 @@ void nci_unregister_device(struct nci_dev *ndev) + /* conn_info is allocated with devm_kzalloc */ + } + +- nfc_unregister_device(ndev->nfc_dev); ++ nfc_remove_device(ndev->nfc_dev); + } + EXPORT_SYMBOL(nci_unregister_device); + +-- +2.51.0 + diff --git a/queue-6.1/rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch b/queue-6.1/rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch new file mode 100644 index 0000000000..576bdd42c7 --- /dev/null +++ b/queue-6.1/rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch 
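Review bot: The kernel-doc added for `nfc_remove_device()` does not say that `nfc_unregister_rfkill()` must have been called first. Both helpers are now exported, and a caller that uses only `nfc_remove_device()` would leave the rfkill entry registered for a device that has been deleted, which is the same kind of stale-reference window this patch closes for NCI. I would extend the comment with `* Context: caller must already have called nfc_unregister_rfkill(); most drivers should use nfc_unregister_device() instead.` The `nfc_unregister_rfkill()` doc could likewise state whether a second call is harmless, since part of its body is outside the hunk and that cannot be read off here.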
@@ -0,0 +1,56 @@
+From 17592778d5c2b445d488476051be037e2fef913f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 24 Jan 2026 05:10:31 +0800
+Subject: rocker: fix memory leak in rocker_world_port_post_fini()
+
+From: Kery Qi
+
+[ Upstream commit 8d7ba71e46216b8657a82ca2ec118bc93812a4d0 ]
+
+In rocker_world_port_pre_init(), rocker_port->wpriv is allocated with
+kzalloc(wops->port_priv_size, GFP_KERNEL). However, in
+rocker_world_port_post_fini(), the memory is only freed when
+wops->port_post_fini callback is set:
+
+ if (!wops->port_post_fini)
+ return;
+ wops->port_post_fini(rocker_port);
+ kfree(rocker_port->wpriv);
+
+Since rocker_ofdpa_ops does not implement port_post_fini callback
+(it is NULL), the wpriv memory allocated for each port is never freed
+when ports are removed. This leads to a memory leak of
+sizeof(struct ofdpa_port) bytes per port on every device removal.
+
+Fix this by always calling kfree(rocker_port->wpriv) regardless of
+whether the port_post_fini callback exists.
+
+Fixes: e420114eef4a ("rocker: introduce worlds infrastructure")
+Signed-off-by: Kery Qi
+Reviewed-by: Simon Horman
+Link: https://patch.msgid.link/20260123211030.2109-2-qikeyu2017@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/rocker/rocker_main.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/rocker/rocker_main.c b/drivers/net/ethernet/rocker/rocker_main.c
+index 2e2826c901fcc..b741d335b1dc4 100644
+--- a/drivers/net/ethernet/rocker/rocker_main.c
++++ b/drivers/net/ethernet/rocker/rocker_main.c
+@@ -1525,9 +1525,8 @@ static void rocker_world_port_post_fini(struct rocker_port *rocker_port)
+ {
+ struct rocker_world_ops *wops = rocker_port->rocker->wops;
+
+- if (!wops->port_post_fini)
+- return;
+- wops->port_post_fini(rocker_port);
++ if (wops->port_post_fini)
++ wops->port_post_fini(rocker_port);
+ kfree(rocker_port->wpriv);
+ }
+
+--
+2.51.0
+
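Review bot: `kfree(rocker_port->wpriv);` now runs on every call of rocker_world_port_post_fini(), but the pointer is left dangling afterwards. Whether the function can run twice for one port, or whether `wpriv` is read later in teardown, is not visible from the hunk. Clearing the pointer guards against a double free or use-after-free on those paths: add `rocker_port->wpriv = NULL;` directly after the `kfree()`.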
diff --git a/queue-6.1/series b/queue-6.1/series index 11c0a12a4c..8b7b518602 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -185,3 +185,17 @@ bpf-do-not-let-bpf-test-infra-emit-invalid-gso-types-to-stack.patch bpf-reject-narrower-access-to-pointer-ctx-fields.patch mm-damon-sysfs-scheme-cleanup-quotas-subdirs-on-scheme-dir-setup-failure.patch mm-damon-sysfs-scheme-cleanup-access_pattern-subdirs-on-scheme-dir-setup-failure.patch +bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch +net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch +can-gs_usb-gs_usb_receive_bulk_callback-fix-error-me.patch +bonding-annotate-data-races-around-slave-last_rx.patch +net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch +ipv6-use-the-right-ifindex-when-replying-to-icmpv6-f.patch +net-wwan-t7xx-fix-potential-skb-frags-overflow-in-rx.patch +rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch +nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch +ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch +net-mlx5e-report-rx_discards_phy-via-rx_dropped.patch +net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch +nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch +net-bridge-fix-static-key-check.patch diff --git a/queue-6.12/bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch b/queue-6.12/bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch new file mode 100644 index 0000000000..b37c0805c8 --- /dev/null +++ b/queue-6.12/bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch 
@@ -0,0 +1,73 @@ +From 433ae9a94bbb8b432f17f76a93f2e8a41d073c02 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jan 2026 20:08:59 +0800 +Subject: Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work + +From: Jia-Hong Su + +[ Upstream commit 0c3cd7a0b862c37acbee6d9502107146cc944398 ] + +hci_uart_set_proto() sets HCI_UART_PROTO_INIT before calling +hci_uart_register_dev(), which calls proto->open() to initialize +hu->priv. However, if a TTY write wakeup occurs during this window, +hci_uart_tx_wakeup() may schedule write_work before hu->priv is +initialized, leading to a NULL pointer dereference in +hci_uart_write_work() when proto->dequeue() accesses hu->priv. + +The race condition is: + + CPU0 CPU1 + ---- ---- + hci_uart_set_proto() + set_bit(HCI_UART_PROTO_INIT) + hci_uart_register_dev() + tty write wakeup + hci_uart_tty_wakeup() + hci_uart_tx_wakeup() + schedule_work(&hu->write_work) + proto->open(hu) + // initializes hu->priv + hci_uart_write_work() + hci_uart_dequeue() + proto->dequeue(hu) + // accesses hu->priv (NULL!) + +Fix this by moving set_bit(HCI_UART_PROTO_INIT) after proto->open() +succeeds, ensuring hu->priv is initialized before any work can be +scheduled. 
+ +Fixes: 5df5dafc171b ("Bluetooth: hci_uart: Fix another race during initialization") +Link: https://lore.kernel.org/linux-bluetooth/6969764f.170a0220.2b9fc4.35a7@mx.google.com/ + +Signed-off-by: Jia-Hong Su +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/hci_ldisc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c +index 2f322f890b81f..436ee77d4bf2f 100644 +--- a/drivers/bluetooth/hci_ldisc.c ++++ b/drivers/bluetooth/hci_ldisc.c +@@ -685,6 +685,8 @@ static int hci_uart_register_dev(struct hci_uart *hu) + return err; + } + ++ set_bit(HCI_UART_PROTO_INIT, &hu->flags); ++ + if (test_bit(HCI_UART_INIT_PENDING, &hu->hdev_flags)) + return 0; + +@@ -712,8 +714,6 @@ static int hci_uart_set_proto(struct hci_uart *hu, int id) + + hu->proto = p; + +- set_bit(HCI_UART_PROTO_INIT, &hu->flags); +- + err = hci_uart_register_dev(hu); + if (err) { + return err; +-- +2.51.0 + diff --git a/queue-6.12/bluetooth-mgmt-fix-memory-leak-in-set_ssp_complete.patch b/queue-6.12/bluetooth-mgmt-fix-memory-leak-in-set_ssp_complete.patch new file mode 100644 index 0000000000..5f0082589b --- /dev/null +++ b/queue-6.12/bluetooth-mgmt-fix-memory-leak-in-set_ssp_complete.patch 
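Review bot: The relocated `set_bit(HCI_UART_PROTO_INIT, &hu->flags)` in hci_uart_register_dev() is what publishes hu->priv to the write-work path, but set_bit() on its own implies no memory ordering and the new call site has no comment saying why the flag must come after proto->open(). I would document it there, e.g. `/* hu->priv is valid only after proto->open(); set PROTO_INIT last so write_work cannot run before that */`. If the readers of the flag, which are outside this hunk, do not already provide ordering, an `smp_mb__before_atomic();` in front of the set_bit() would make the intent enforceable rather than implied. Both hci_uart_register_dev() and hci_uart_set_proto() continue outside the hunks shown.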
@@ -0,0 +1,63 @@ +From 1b2b6a0c5d1fe3991d2e6488f05d51ba57779744 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 13:29:26 +0800 +Subject: Bluetooth: MGMT: Fix memory leak in set_ssp_complete + +From: Jianpeng Chang + +[ Upstream commit 1b9c17fd0a7fdcbe69ec5d6fe8e50bc5ed7f01f2 ] + +Fix memory leak in set_ssp_complete() where mgmt_pending_cmd structures +are not freed after being removed from the pending list. + +Commit 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs") replaced +mgmt_pending_foreach() calls with individual command handling but missed +adding mgmt_pending_free() calls in both error and success paths of +set_ssp_complete(). Other completion functions like set_le_complete() +were fixed correctly in the same commit. + +This causes a memory leak of the mgmt_pending_cmd structure and its +associated parameter data for each SSP command that completes. + +Add the missing mgmt_pending_free(cmd) calls in both code paths to fix +the memory leak. Also fix the same issue in set_advertising_complete(). 
+ +Fixes: 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs") +Signed-off-by: Jianpeng Chang +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/mgmt.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c +index 6d21b641b0d14..4894e6444900a 100644 +--- a/net/bluetooth/mgmt.c ++++ b/net/bluetooth/mgmt.c +@@ -1943,6 +1943,7 @@ static void set_ssp_complete(struct hci_dev *hdev, void *data, int err) + } + + mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode, mgmt_err); ++ mgmt_pending_free(cmd); + return; + } + +@@ -1961,6 +1962,7 @@ static void set_ssp_complete(struct hci_dev *hdev, void *data, int err) + sock_put(match.sk); + + hci_update_eir_sync(hdev); ++ mgmt_pending_free(cmd); + } + + static int set_ssp_sync(struct hci_dev *hdev, void *data) +@@ -6455,6 +6457,7 @@ static void set_advertising_complete(struct hci_dev *hdev, void *data, int err) + hci_dev_clear_flag(hdev, HCI_ADVERTISING); + + settings_rsp(cmd, &match); ++ mgmt_pending_free(cmd); + + new_settings(hdev, match.sk); + +-- +2.51.0 + diff --git a/queue-6.12/bonding-annotate-data-races-around-slave-last_rx.patch b/queue-6.12/bonding-annotate-data-races-around-slave-last_rx.patch new file mode 100644 index 0000000000..4cb4a6a2f4 --- /dev/null +++ b/queue-6.12/bonding-annotate-data-races-around-slave-last_rx.patch 
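Review bot: The three added `mgmt_pending_free(cmd)` calls are safe only if nothing else in this tree still frees cmd and cmd is already off the pending list, and neither condition is visible in these hunks. In set_advertising_complete() the free follows `settings_rsp(cmd, &match)`; if the 6.12 version of that helper still unlinks and frees the command itself, this backport would turn a leak into a double free, so the helper as it exists in this tree should be checked before queuing. The same ownership question applies to the error and success paths of set_ssp_complete(). A short comment at each site naming where cmd was unlinked, e.g. `/* cmd is no longer on the pending list; free it here */`, would make the rule reviewable. All three function bodies start outside the hunks.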
@@ -0,0 +1,178 @@ +From 1832825bd8923117561fb06520ce093899d30692 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jan 2026 16:29:14 +0000 +Subject: bonding: annotate data-races around slave->last_rx + +From: Eric Dumazet + +[ Upstream commit f6c3665b6dc53c3ab7d31b585446a953a74340ef ] + +slave->last_rx and slave->target_last_arp_rx[...] can be read and written +locklessly. Add READ_ONCE() and WRITE_ONCE() annotations. + +syzbot reported: + +BUG: KCSAN: data-race in bond_rcv_validate / bond_rcv_validate + +write to 0xffff888149f0d428 of 8 bytes by interrupt on cpu 1: + bond_rcv_validate+0x202/0x7a0 drivers/net/bonding/bond_main.c:3335 + bond_handle_frame+0xde/0x5e0 drivers/net/bonding/bond_main.c:1533 + __netif_receive_skb_core+0x5b1/0x1950 net/core/dev.c:6039 + __netif_receive_skb_one_core net/core/dev.c:6150 [inline] + __netif_receive_skb+0x59/0x270 net/core/dev.c:6265 + netif_receive_skb_internal net/core/dev.c:6351 [inline] + netif_receive_skb+0x4b/0x2d0 net/core/dev.c:6410 +... + +write to 0xffff888149f0d428 of 8 bytes by interrupt on cpu 0: + bond_rcv_validate+0x202/0x7a0 drivers/net/bonding/bond_main.c:3335 + bond_handle_frame+0xde/0x5e0 drivers/net/bonding/bond_main.c:1533 + __netif_receive_skb_core+0x5b1/0x1950 net/core/dev.c:6039 + __netif_receive_skb_one_core net/core/dev.c:6150 [inline] + __netif_receive_skb+0x59/0x270 net/core/dev.c:6265 + netif_receive_skb_internal net/core/dev.c:6351 [inline] + netif_receive_skb+0x4b/0x2d0 net/core/dev.c:6410 + br_netif_receive_skb net/bridge/br_input.c:30 [inline] + NF_HOOK include/linux/netfilter.h:318 [inline] +... 
+ +value changed: 0x0000000100005365 -> 0x0000000100005366 + +Fixes: f5b2b966f032 ("[PATCH] bonding: Validate probe replies in ARP monitor") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Link: https://patch.msgid.link/20260122162914.2299312-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 18 ++++++++++-------- + drivers/net/bonding/bond_options.c | 8 ++++---- + include/net/bonding.h | 13 +++++++------ + 3 files changed, 21 insertions(+), 18 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index b52f5f64e3abb..209cab75ac0a5 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -3214,8 +3214,8 @@ static void bond_validate_arp(struct bonding *bond, struct slave *slave, __be32 + __func__, &sip); + return; + } +- slave->last_rx = jiffies; +- slave->target_last_arp_rx[i] = jiffies; ++ WRITE_ONCE(slave->last_rx, jiffies); ++ WRITE_ONCE(slave->target_last_arp_rx[i], jiffies); + } + + static int bond_arp_rcv(const struct sk_buff *skb, struct bonding *bond, +@@ -3434,8 +3434,8 @@ static void bond_validate_na(struct bonding *bond, struct slave *slave, + __func__, saddr); + return; + } +- slave->last_rx = jiffies; +- slave->target_last_arp_rx[i] = jiffies; ++ WRITE_ONCE(slave->last_rx, jiffies); ++ WRITE_ONCE(slave->target_last_arp_rx[i], jiffies); + } + + static int bond_na_rcv(const struct sk_buff *skb, struct bonding *bond, +@@ -3505,7 +3505,7 @@ int bond_rcv_validate(const struct sk_buff *skb, struct bonding *bond, + (slave_do_arp_validate_only(bond) && is_ipv6) || + #endif + !slave_do_arp_validate_only(bond)) +- slave->last_rx = jiffies; ++ WRITE_ONCE(slave->last_rx, jiffies); + return RX_HANDLER_ANOTHER; + } else if (is_arp) { + return bond_arp_rcv(skb, bond, slave); +@@ -3573,7 +3573,7 @@ static void bond_loadbalance_arp_mon(struct bonding *bond) + + if (slave->link != BOND_LINK_UP) { + if 
(bond_time_in_interval(bond, last_tx, 1) && +- bond_time_in_interval(bond, slave->last_rx, 1)) { ++ bond_time_in_interval(bond, READ_ONCE(slave->last_rx), 1)) { + + bond_propose_link_state(slave, BOND_LINK_UP); + slave_state_changed = 1; +@@ -3597,8 +3597,10 @@ static void bond_loadbalance_arp_mon(struct bonding *bond) + * when the source ip is 0, so don't take the link down + * if we don't know our ip yet + */ +- if (!bond_time_in_interval(bond, last_tx, bond->params.missed_max) || +- !bond_time_in_interval(bond, slave->last_rx, bond->params.missed_max)) { ++ if (!bond_time_in_interval(bond, last_tx, ++ bond->params.missed_max) || ++ !bond_time_in_interval(bond, READ_ONCE(slave->last_rx), ++ bond->params.missed_max)) { + + bond_propose_link_state(slave, BOND_LINK_DOWN); + slave_state_changed = 1; +diff --git a/drivers/net/bonding/bond_options.c b/drivers/net/bonding/bond_options.c +index 28c53f1b13826..a37b47b8ea8ed 100644 +--- a/drivers/net/bonding/bond_options.c ++++ b/drivers/net/bonding/bond_options.c +@@ -1124,7 +1124,7 @@ static void _bond_options_arp_ip_target_set(struct bonding *bond, int slot, + + if (slot >= 0 && slot < BOND_MAX_ARP_TARGETS) { + bond_for_each_slave(bond, slave, iter) +- slave->target_last_arp_rx[slot] = last_rx; ++ WRITE_ONCE(slave->target_last_arp_rx[slot], last_rx); + targets[slot] = target; + } + } +@@ -1193,8 +1193,8 @@ static int bond_option_arp_ip_target_rem(struct bonding *bond, __be32 target) + bond_for_each_slave(bond, slave, iter) { + targets_rx = slave->target_last_arp_rx; + for (i = ind; (i < BOND_MAX_ARP_TARGETS-1) && targets[i+1]; i++) +- targets_rx[i] = targets_rx[i+1]; +- targets_rx[i] = 0; ++ WRITE_ONCE(targets_rx[i], READ_ONCE(targets_rx[i+1])); ++ WRITE_ONCE(targets_rx[i], 0); + } + for (i = ind; (i < BOND_MAX_ARP_TARGETS-1) && targets[i+1]; i++) + targets[i] = targets[i+1]; +@@ -1349,7 +1349,7 @@ static void _bond_options_ns_ip6_target_set(struct bonding *bond, int slot, + + if (slot >= 0 && slot < 
BOND_MAX_NS_TARGETS) { + bond_for_each_slave(bond, slave, iter) { +- slave->target_last_arp_rx[slot] = last_rx; ++ WRITE_ONCE(slave->target_last_arp_rx[slot], last_rx); + slave_set_ns_maddr(bond, slave, target, &targets[slot]); + } + targets[slot] = *target; +diff --git a/include/net/bonding.h b/include/net/bonding.h +index 95f67b308c19a..9fb40a5920209 100644 +--- a/include/net/bonding.h ++++ b/include/net/bonding.h +@@ -519,13 +519,14 @@ static inline int bond_is_ip6_target_ok(struct in6_addr *addr) + static inline unsigned long slave_oldest_target_arp_rx(struct bonding *bond, + struct slave *slave) + { ++ unsigned long tmp, ret = READ_ONCE(slave->target_last_arp_rx[0]); + int i = 1; +- unsigned long ret = slave->target_last_arp_rx[0]; +- +- for (; (i < BOND_MAX_ARP_TARGETS) && bond->params.arp_targets[i]; i++) +- if (time_before(slave->target_last_arp_rx[i], ret)) +- ret = slave->target_last_arp_rx[i]; + ++ for (; (i < BOND_MAX_ARP_TARGETS) && bond->params.arp_targets[i]; i++) { ++ tmp = READ_ONCE(slave->target_last_arp_rx[i]); ++ if (time_before(tmp, ret)) ++ ret = tmp; ++ } + return ret; + } + +@@ -535,7 +536,7 @@ static inline unsigned long slave_last_rx(struct bonding *bond, + if (bond->params.arp_all_targets == BOND_ARP_TARGETS_ALL) + return slave_oldest_target_arp_rx(bond, slave); + +- return slave->last_rx; ++ return READ_ONCE(slave->last_rx); + } + + static inline void slave_update_last_tx(struct slave *slave) +-- +2.51.0 + diff --git a/queue-6.12/can-at91_can-fix-memory-leak-in-at91_can_probe.patch b/queue-6.12/can-at91_can-fix-memory-leak-in-at91_can_probe.patch new file mode 100644 index 0000000000..0a6a700286 --- /dev/null +++ b/queue-6.12/can-at91_can-fix-memory-leak-in-at91_can_probe.patch 
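Review bot: In bond_option_arp_ip_target_rem() the new `WRITE_ONCE(targets_rx[i], READ_ONCE(targets_rx[i+1]))` and `WRITE_ONCE(targets_rx[i], 0)` keep each store from tearing, but the shift as a whole is still not atomic with respect to the lockless loop in slave_oldest_target_arp_rx(), which may observe a duplicated or zeroed slot mid-shift. Whether such a transient value can influence a link-state decision depends on locking outside these hunks, so I would at least state the limitation next to the loop, e.g. `/* lockless readers may see a half-shifted array; the annotations only prevent tearing */`. As a point of style, the unbraced `for` with the terminating `WRITE_ONCE(targets_rx[i], 0);` directly after it is easy to misread as a two-statement loop body; braces around the loop body would remove the ambiguity. Most of the touched functions start and end outside their hunks.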
@@ -0,0 +1,45 @@
+From 45bc603a8c1124fa5be71535995ec89ef44ad9a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 22 Jan 2026 11:41:28 +0000
+Subject: can: at91_can: Fix memory leak in at91_can_probe()
+
+From: Zilin Guan
+
+[ Upstream commit 0baa4d3170d72a2a8dc93bf729d6d04ad113dc72 ]
+
+In at91_can_probe(), the dev structure is allocated via alloc_candev().
+However, if the subsequent call to devm_phy_optional_get() fails, the
+code jumps directly to exit_iounmap, missing the call to free_candev().
+This results in a memory leak of the allocated net_device structure.
+
+Fix this by jumping to the exit_free label instead, which ensures that
+free_candev() is called to properly release the memory.
+
+Compile tested only. Issue found using a prototype static analysis tool
+and code review.
+
+Fixes: 3ecc09856afb ("can: at91_can: add CAN transceiver support")
+Signed-off-by: Zilin Guan
+Link: https://patch.msgid.link/20260122114128.643752-1-zilin@seu.edu.cn
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Sasha Levin
+---
+ drivers/net/can/at91_can.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/at91_can.c b/drivers/net/can/at91_can.c
+index 191707d7e3dac..d6dcb2be56342 100644
+--- a/drivers/net/can/at91_can.c
++++ b/drivers/net/can/at91_can.c
+@@ -1100,7 +1100,7 @@ static int at91_can_probe(struct platform_device *pdev)
+ if (IS_ERR(transceiver)) {
+ err = PTR_ERR(transceiver);
+ dev_err_probe(&pdev->dev, err, "failed to get phy\n");
+- goto exit_iounmap;
++ goto exit_free;
+ }
+
+ dev->netdev_ops = &at91_netdev_ops;
+--
+2.51.0
+
diff --git a/queue-6.12/can-gs_usb-gs_usb_receive_bulk_callback-fix-error-me.patch b/queue-6.12/can-gs_usb-gs_usb_receive_bulk_callback-fix-error-me.patch
new file mode 100644
index 0000000000..b9cb3c8f30
--- /dev/null
+++ b/queue-6.12/can-gs_usb-gs_usb_receive_bulk_callback-fix-error-me.patch
@@ -0,0 +1,52 @@
+From 79e6794e51f0755738752480b7c2189be7b55703 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 20 Jan 2026 10:40:22 +0100
+Subject: can: gs_usb: gs_usb_receive_bulk_callback(): fix error message
+
+From: Marc Kleine-Budde
+
+[ Upstream commit 494fc029f662c331e06b7c2031deff3c64200eed ]
+
+Sinc commit 79a6d1bfe114 ("can: gs_usb: gs_usb_receive_bulk_callback():
+unanchor URL on usb_submit_urb() error") a failing resubmit URB will print
+an info message.
+
+In the case of a short read where netdev has not yet been assigned,
+initialize as NULL to avoid dereferencing an undefined value. Also report
+the error value of the failed resubmit.
+
+Fixes: 79a6d1bfe114 ("can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on usb_submit_urb() error")
+Reported-by: Jakub Kicinski
+Closes: https://lore.kernel.org/all/20260119181904.1209979-1-kuba@kernel.org/
+Link: https://patch.msgid.link/20260120-gs_usb-fix-error-message-v1-1-6be04de572bc@pengutronix.de
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Sasha Levin
+---
+ drivers/net/can/usb/gs_usb.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c
+index e63e77f21801c..d1d1412c65659 100644
+--- a/drivers/net/can/usb/gs_usb.c
++++ b/drivers/net/can/usb/gs_usb.c
+@@ -607,7 +607,7 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
+ {
+ struct gs_usb *parent = urb->context;
+ struct gs_can *dev;
+- struct net_device *netdev;
++ struct net_device *netdev = NULL;
+ int rc;
+ struct net_device_stats *stats;
+ struct gs_host_frame *hf = urb->transfer_buffer;
+@@ -765,7 +765,7 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
+ }
+ } else if (rc != -ESHUTDOWN && net_ratelimit()) {
+ netdev_info(netdev, "failed to re-submit IN URB: %pe\n",
+ ERR_PTR(urb->status));
++ ERR_PTR(rc));
+ }
+ }
+
+--
+2.51.0
+
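Review bot: With `struct net_device *netdev = NULL;` the short-read path now reaches `netdev_info(netdev, ...)` with a NULL device, so the re-submit failure is logged without any interface name. That is safe only because netdev_info() tolerates a NULL net_device, which deserves a comment at the declaration, e.g. `/* NULL until the channel is known; netdev_info() copes with that */`. If the message has to be attributable on hosts with several adapters, logging against the parent USB device when netdev is NULL would be the better choice. The body of gs_usb_receive_bulk_callback() between the two inner hunks is not shown.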
diff --git a/queue-6.12/ice-fix-null-pointer-dereference-in-ice_vsi_set_napi.patch b/queue-6.12/ice-fix-null-pointer-dereference-in-ice_vsi_set_napi.patch new file mode 100644 index 0000000000..5617820daf --- /dev/null +++ b/queue-6.12/ice-fix-null-pointer-dereference-in-ice_vsi_set_napi.patch 
@@ -0,0 +1,96 @@ +From b2cdbcb792e6648c640f1af631ad57f7d1c62101 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Dec 2025 14:21:21 +0800 +Subject: ice: Fix NULL pointer dereference in ice_vsi_set_napi_queues + +From: Aaron Ma + +[ Upstream commit 9bb30be4d89ff9a8d7ab1aa0eb2edaca83431f85 ] + +Add NULL pointer checks in ice_vsi_set_napi_queues() to prevent crashes +during resume from suspend when rings[q_idx]->q_vector is NULL. + +Tested adaptor: +60:00.0 Ethernet controller [0200]: Intel Corporation Ethernet Controller E810-XXV for SFP [8086:159b] (rev 02) + Subsystem: Intel Corporation Ethernet Network Adapter E810-XXV-2 [8086:4003] + +SR-IOV state: both disabled and enabled can reproduce this issue. + +kernel version: v6.18 + +Reproduce steps: +Boot up and execute suspend like systemctl suspend or rtcwake. + +Log: +<1>[ 231.443607] BUG: kernel NULL pointer dereference, address: 0000000000000040 +<1>[ 231.444052] #PF: supervisor read access in kernel mode +<1>[ 231.444484] #PF: error_code(0x0000) - not-present page +<6>[ 231.444913] PGD 0 P4D 0 +<4>[ 231.445342] Oops: Oops: 0000 [#1] SMP NOPTI +<4>[ 231.446635] RIP: 0010:netif_queue_set_napi+0xa/0x170 +<4>[ 231.447067] Code: 31 f6 31 ff c3 cc cc cc cc 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 48 85 c9 74 0b <48> 83 79 30 00 0f 84 39 01 00 00 55 41 89 d1 49 89 f8 89 f2 48 89 +<4>[ 231.447513] RSP: 0018:ffffcc780fc078c0 EFLAGS: 00010202 +<4>[ 231.447961] RAX: ffff8b848ca30400 RBX: ffff8b848caf2028 RCX: 0000000000000010 +<4>[ 231.448443] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8b848dbd4000 +<4>[ 231.448896] RBP: ffffcc780fc078e8 R08: 0000000000000000 R09: 0000000000000000 +<4>[ 231.449345] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001 +<4>[ 231.449817] R13: ffff8b848dbd4000 R14: ffff8b84833390c8 R15: 0000000000000000 +<4>[ 231.450265] FS: 00007c7b29e9d740(0000) GS:ffff8b8c068e2000(0000) knlGS:0000000000000000 +<4>[ 231.450715] CS: 
0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +<4>[ 231.451179] CR2: 0000000000000040 CR3: 000000030626f004 CR4: 0000000000f72ef0 +<4>[ 231.451629] PKRU: 55555554 +<4>[ 231.452076] Call Trace: +<4>[ 231.452549] +<4>[ 231.452996] ? ice_vsi_set_napi_queues+0x4d/0x110 [ice] +<4>[ 231.453482] ice_resume+0xfd/0x220 [ice] +<4>[ 231.453977] ? __pfx_pci_pm_resume+0x10/0x10 +<4>[ 231.454425] pci_pm_resume+0x8c/0x140 +<4>[ 231.454872] ? __pfx_pci_pm_resume+0x10/0x10 +<4>[ 231.455347] dpm_run_callback+0x5f/0x160 +<4>[ 231.455796] ? dpm_wait_for_superior+0x107/0x170 +<4>[ 231.456244] device_resume+0x177/0x270 +<4>[ 231.456708] dpm_resume+0x209/0x2f0 +<4>[ 231.457151] dpm_resume_end+0x15/0x30 +<4>[ 231.457596] suspend_devices_and_enter+0x1da/0x2b0 +<4>[ 231.458054] enter_state+0x10e/0x570 + +Add defensive checks for both the ring pointer and its q_vector +before dereferencing, allowing the system to resume successfully even when +q_vectors are unmapped. + +Fixes: 2a5dc090b92cf ("ice: move netif_queue_set_napi to rtnl-protected sections") +Reviewed-by: Aleksandr Loktionov +Signed-off-by: Aaron Ma +Reviewed-by: Paul Menzel +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_lib.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_lib.c b/drivers/net/ethernet/intel/ice/ice_lib.c +index 4e022de9e4bbd..4ad21c21c5c57 100644 +--- a/drivers/net/ethernet/intel/ice/ice_lib.c ++++ b/drivers/net/ethernet/intel/ice/ice_lib.c +@@ -2731,12 +2731,14 @@ void ice_vsi_set_napi_queues(struct ice_vsi *vsi) + return; + + ice_for_each_rxq(vsi, q_idx) +- netif_queue_set_napi(netdev, q_idx, NETDEV_QUEUE_TYPE_RX, +- &vsi->rx_rings[q_idx]->q_vector->napi); ++ if (vsi->rx_rings[q_idx] && vsi->rx_rings[q_idx]->q_vector) ++ netif_queue_set_napi(netdev, q_idx, NETDEV_QUEUE_TYPE_RX, ++ &vsi->rx_rings[q_idx]->q_vector->napi); + + ice_for_each_txq(vsi, q_idx) +- netif_queue_set_napi(netdev, q_idx, 
NETDEV_QUEUE_TYPE_TX, +- &vsi->tx_rings[q_idx]->q_vector->napi); ++ if (vsi->tx_rings[q_idx] && vsi->tx_rings[q_idx]->q_vector) ++ netif_queue_set_napi(netdev, q_idx, NETDEV_QUEUE_TYPE_TX, ++ &vsi->tx_rings[q_idx]->q_vector->napi); + /* Also set the interrupt number for the NAPI */ + ice_for_each_q_vector(vsi, v_idx) { + struct ice_q_vector *q_vector = vsi->q_vectors[v_idx]; +-- +2.51.0 + diff --git a/queue-6.12/ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch b/queue-6.12/ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch new file mode 100644 index 0000000000..00a49eeeb5 --- /dev/null +++ b/queue-6.12/ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch 
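Review bot: The NULL checks added to the Rx and Tx loops of ice_vsi_set_napi_queues() are not matched in the `ice_for_each_q_vector` loop that follows, where `vsi->q_vectors[v_idx]` is loaded into q_vector. Its use lies outside the hunk, but if q_vectors can be unmapped on resume as the description says, that pointer probably needs the same guard. The new code also skips affected queues silently, so a ring left without a NAPI association is reported nowhere; a once-only debug message would make that state diagnosable. As a point of style, each `if` now wraps a two-line call under a loop macro without braces, and `ice_for_each_rxq(vsi, q_idx) { if (...) { ... } }` would be less fragile.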
@@ -0,0 +1,62 @@ +From b42256ca44dfc9f1cbb600cdc875462f5bbfe382 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Dec 2025 15:38:52 -0800 +Subject: ice: stop counting UDP csum mismatch as rx_errors + +From: Jesse Brandeburg + +[ Upstream commit 05faf2c0a76581d0a7fdbb8ec46477ba183df95b ] + +Since the beginning, the Intel ice driver has counted receive checksum +offload mismatches into the rx_errors member of the rtnl_link_stats64 +struct. In ethtool -S these show up as rx_csum_bad.nic. + +I believe counting these in rx_errors is fundamentally wrong, as it's +pretty clear from the comments in if_link.h and from every other statistic +the driver is summing into rx_errors, that all of them would cause a +"hardware drop" except for the UDP checksum mismatch, as well as the fact +that all the other causes for rx_errors are L2 reasons, and this L4 UDP +"mismatch" is an outlier. + +A last nail in the coffin is that rx_errors is monitored in production and +can indicate a bad NIC/cable/Switch port, but instead some random series of +UDP packets with bad checksums will now trigger this alert. This false +positive makes the alert useless and affects us as well as other companies. + +This packet with presumably a bad UDP checksum is *already* passed to the +stack, just not marked as offloaded by the hardware/driver. If it is +dropped by the stack it will show up as UDP_MIB_CSUMERRORS. + +And one more thing, none of the other Intel drivers, and at least bnxt_en +and mlx5 both don't appear to count UDP offload mismatches as rx_errors. 
+ +Here is a related customer complaint: +https://community.intel.com/t5/Ethernet-Products/ice-rx-errros-is-too-sensitive-to-IP-TCP-attack-packets-Intel/td-p/1662125 + +Fixes: 4f1fe43c920b ("ice: Add more Rx errors to netdev's rx_error counter") +Cc: Tony Nguyen +Cc: Jake Keller +Cc: IWL +Signed-off-by: Jesse Brandeburg +Acked-by: Jacob Keller +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_main.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c +index d024e71722de3..8e0f180ec38e1 100644 +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -6974,7 +6974,6 @@ void ice_update_vsi_stats(struct ice_vsi *vsi) + cur_ns->rx_errors = pf->stats.crc_errors + + pf->stats.illegal_bytes + + pf->stats.rx_undersize + +- pf->hw_csum_rx_error + + pf->stats.rx_jabber + + pf->stats.rx_fragments + + pf->stats.rx_oversize; +-- +2.51.0 + diff --git a/queue-6.12/ipv6-use-the-right-ifindex-when-replying-to-icmpv6-f.patch b/queue-6.12/ipv6-use-the-right-ifindex-when-replying-to-icmpv6-f.patch new file mode 100644 index 0000000000..2bb62e98c3 --- /dev/null +++ b/queue-6.12/ipv6-use-the-right-ifindex-when-replying-to-icmpv6-f.patch 
@@ -0,0 +1,52 @@ +From 80a487164202758f2f4874f9af3a3fb93e0654f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 20:44:08 +0100 +Subject: ipv6: use the right ifindex when replying to icmpv6 from localhost + +From: Fernando Fernandez Mancera + +[ Upstream commit 03cbcdf93866e61beb0063392e6dbb701f03aea2 ] + +When replying to a ICMPv6 echo request that comes from localhost address +the right output ifindex is 1 (lo) and not rt6i_idev dev index. Use the +skb device ifindex instead. This fixes pinging to a local address from +localhost source address. + +$ ping6 -I ::1 2001:1:1::2 -c 3 +PING 2001:1:1::2 (2001:1:1::2) from ::1 : 56 data bytes +64 bytes from 2001:1:1::2: icmp_seq=1 ttl=64 time=0.037 ms +64 bytes from 2001:1:1::2: icmp_seq=2 ttl=64 time=0.069 ms +64 bytes from 2001:1:1::2: icmp_seq=3 ttl=64 time=0.122 ms + +2001:1:1::2 ping statistics +3 packets transmitted, 3 received, 0% packet loss, time 2032ms +rtt min/avg/max/mdev = 0.037/0.076/0.122/0.035 ms + +Fixes: 1b70d792cf67 ("ipv6: Use rt6i_idev index for echo replies to a local address") +Signed-off-by: Fernando Fernandez Mancera +Reviewed-by: David Ahern +Link: https://patch.msgid.link/20260121194409.6749-1-fmancera@suse.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/icmp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c +index 8117c17845967..13a796bfc2f93 100644 +--- a/net/ipv6/icmp.c ++++ b/net/ipv6/icmp.c +@@ -770,7 +770,9 @@ static enum skb_drop_reason icmpv6_echo_reply(struct sk_buff *skb) + fl6.daddr = ipv6_hdr(skb)->saddr; + if (saddr) + fl6.saddr = *saddr; +- fl6.flowi6_oif = icmp6_iif(skb); ++ fl6.flowi6_oif = ipv6_addr_loopback(&fl6.daddr) ? ++ skb->dev->ifindex : ++ icmp6_iif(skb); + fl6.fl6_icmp_type = type; + fl6.flowi6_mark = mark; + fl6.flowi6_uid = sock_net_uid(net, NULL); +-- +2.51.0 + 
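Review bot: The new `ipv6_addr_loopback(&fl6.daddr)` test in icmpv6_echo_reply() chooses the output interface from an address copied out of the received header (`fl6.daddr = ipv6_hdr(skb)->saddr`) and then dereferences `skb->dev` without a check. This is correct only if a ::1 source can never reach this function from a non-loopback device and skb->dev is always set here; both are presumably guaranteed by input validation outside the hunk, but nothing at the call site says so. I would add a comment above the assignment, e.g. `/* a ::1 source implies the request arrived on lo; reply via the receiving device */`. The function body starts and ends outside the hunk.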
diff --git a/queue-6.12/net-bcmasp-fix-early-exit-leak-with-fixed-phy.patch b/queue-6.12/net-bcmasp-fix-early-exit-leak-with-fixed-phy.patch new file mode 100644 index 0000000000..68093594dc --- /dev/null +++ b/queue-6.12/net-bcmasp-fix-early-exit-leak-with-fixed-phy.patch @@ -0,0 +1,48 @@ +From a56387803fd71db84e1ca4f1408552a70648c733 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jan 2026 11:40:01 -0800 +Subject: net: bcmasp: fix early exit leak with fixed phy + +From: Justin Chen + +[ Upstream commit 6de4436bf369e1444606445e4cd5df5bcfc74b48 ] + +We are not deregistering the fixed phy link when hitting the early +exit condition. Add the correct early exit sequence. + +Fixes: 490cb412007d ("net: bcmasp: Add support for ASP2.0 Ethernet controller") +Signed-off-by: Justin Chen +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20260122194001.1098859-1-justin.chen@broadcom.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c b/drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c +index 9ea16ef4139d3..79185bafaf4b3 100644 +--- a/drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c ++++ b/drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c +@@ -1253,7 +1253,7 @@ struct bcmasp_intf *bcmasp_interface_create(struct bcmasp_priv *priv, + netdev_err(intf->ndev, "invalid PHY mode: %s for port %d\n", + phy_modes(intf->phy_interface), intf->port); + ret = -EINVAL; +- goto err_free_netdev; ++ goto err_deregister_fixed_link; + } + + ret = of_get_ethdev_address(ndev_dn, ndev); +@@ -1276,6 +1276,9 @@ struct bcmasp_intf *bcmasp_interface_create(struct bcmasp_priv *priv, + + return intf; + ++err_deregister_fixed_link: ++ if (of_phy_is_fixed_link(ndev_dn)) ++ of_phy_deregister_fixed_link(ndev_dn); + err_free_netdev: + free_netdev(ndev); + err: +-- +2.51.0 + 
diff --git a/queue-6.12/net-bridge-fix-static-key-check.patch b/queue-6.12/net-bridge-fix-static-key-check.patch new file mode 100644 index 0000000000..ec8ea90e54 --- /dev/null +++ b/queue-6.12/net-bridge-fix-static-key-check.patch @@ -0,0 +1,40 @@ +From d95e9ba9c734521051a18e2557cff8486155f2b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Jan 2026 11:19:23 +0100 +Subject: net: bridge: fix static key check + +From: Martin Kaiser + +[ Upstream commit cc0cf10fdaeadf5542d64a55b5b4120d3df90b7d ] + +Fix the check if netfilter's static keys are available. netfilter defines +and exports static keys if CONFIG_JUMP_LABEL is enabled. (HAVE_JUMP_LABEL +is never defined.) + +Fixes: 971502d77faa ("bridge: netfilter: unroll NF_HOOK helper in bridge input path") +Signed-off-by: Martin Kaiser +Reviewed-by: Florian Westphal +Reviewed-by: Nikolay Aleksandrov +Link: https://patch.msgid.link/20260127101925.1754425-1-martin@kaiser.cx +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/bridge/br_input.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c +index 8c26605c4cc1e..44459c9d2ce77 100644 +--- a/net/bridge/br_input.c ++++ b/net/bridge/br_input.c +@@ -260,7 +260,7 @@ static int nf_hook_bridge_pre(struct sk_buff *skb, struct sk_buff **pskb) + int ret; + + net = dev_net(skb->dev); +-#ifdef HAVE_JUMP_LABEL ++#ifdef CONFIG_JUMP_LABEL + if (!static_key_false(&nf_hooks_needed[NFPROTO_BRIDGE][NF_BR_PRE_ROUTING])) + goto frame_finish; + #endif +-- +2.51.0 + diff --git a/queue-6.12/net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch b/queue-6.12/net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch new file mode 100644 index 0000000000..f1a7aea954 --- /dev/null +++ b/queue-6.12/net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch 
@@ -0,0 +1,46 @@ +From 9cbb3ad47cb0d608fee2eebc00f9de94f7617993 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jan 2026 13:46:40 +0000 +Subject: net/mlx5: Fix memory leak in esw_acl_ingress_lgcy_setup() + +From: Zilin Guan + +[ Upstream commit 108948f723b13874b7ebf6b3f1cc598a7de38622 ] + +In esw_acl_ingress_lgcy_setup(), if esw_acl_table_create() fails, +the function returns directly without releasing the previously +created counter, leading to a memory leak. + +Fix this by jumping to the out label instead of returning directly, +which aligns with the error handling logic of other paths in this +function. + +Compile tested only. Issue found using a prototype static analysis tool +and code review. + +Fixes: 07bab9502641 ("net/mlx5: E-Switch, Refactor eswitch ingress acl codes") +Signed-off-by: Zilin Guan +Reviewed-by: Tariq Toukan +Link: https://patch.msgid.link/20260120134640.2717808-1-zilin@seu.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c +index 093ed86a0acd8..db51c500ed359 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c +@@ -188,7 +188,7 @@ int esw_acl_ingress_lgcy_setup(struct mlx5_eswitch *esw, + if (IS_ERR(vport->ingress.acl)) { + err = PTR_ERR(vport->ingress.acl); + vport->ingress.acl = NULL; +- return err; ++ goto out; + } + + err = esw_acl_ingress_lgcy_groups_create(esw, vport); +-- +2.51.0 + diff --git a/queue-6.12/net-mlx5-fix-vhca_id-access-call-trace-use-before-al.patch b/queue-6.12/net-mlx5-fix-vhca_id-access-call-trace-use-before-al.patch new file mode 100644 index 0000000000..023e5ad19d --- /dev/null 
+++ b/queue-6.12/net-mlx5-fix-vhca_id-access-call-trace-use-before-al.patch 
@@ -0,0 +1,158 @@ +From cc1712e9c5f04624992ec0ff0799b256405831f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Jan 2026 10:52:40 +0200 +Subject: net/mlx5: Fix vhca_id access call trace use before alloc + +From: Parav Pandit + +[ Upstream commit a8f930b7be7be3f18f14446df461e17137400407 ] + +HCA CAP structure is allocated in mlx5_hca_caps_alloc(). +mlx5_mdev_init() + mlx5_hca_caps_alloc() + +And HCA CAP is read from the device in mlx5_init_one(). + +The vhca_id's debugfs file is published even before above two +operations are done. +Due to this when user reads the vhca id before the initialization, +following call trace is observed. + +Fix this by deferring debugfs publication until the HCA CAP is +allocated and read from the device. + +BUG: kernel NULL pointer dereference, address: 0000000000000004 +PGD 0 P4D 0 +Oops: Oops: 0000 [#1] SMP PTI +CPU: 23 UID: 0 PID: 6605 Comm: cat Kdump: loaded Not tainted 6.18.0-rc7-sf+ #110 PREEMPT(full) +Hardware name: Supermicro SYS-6028U-TR4+/X10DRU-i+, BIOS 2.0b 08/09/2016 +RIP: 0010:vhca_id_show+0x17/0x30 [mlx5_core] +Code: cb 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 48 8b 47 70 48 c7 c6 45 f0 12 c1 48 8b 80 70 03 00 00 <8b> 50 04 0f ca 0f b7 d2 e8 8c 82 47 cb 31 c0 c3 cc cc cc cc 0f 1f +RSP: 0018:ffffd37f4f337d40 EFLAGS: 00010203 +RAX: 0000000000000000 RBX: ffff8f18445c9b40 RCX: 0000000000000001 +RDX: ffff8f1109825180 RSI: ffffffffc112f045 RDI: ffff8f18445c9b40 +RBP: 0000000000000000 R08: 0000645eac0d2928 R09: 0000000000000006 +R10: ffffd37f4f337d48 R11: 0000000000000000 R12: ffffd37f4f337dd8 +R13: ffffd37f4f337db0 R14: ffff8f18445c9b68 R15: 0000000000000001 +FS: 00007f3eea099580(0000) GS:ffff8f2090f1f000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000004 CR3: 00000008b64e4006 CR4: 00000000003726f0 +Call Trace: + + seq_read_iter+0x11f/0x4f0 + ? _raw_spin_unlock+0x15/0x30 + ? do_anonymous_page+0x104/0x810 + seq_read+0xf6/0x120 + ? 
srso_alias_untrain_ret+0x1/0x10 + full_proxy_read+0x5c/0x90 + vfs_read+0xad/0x320 + ? handle_mm_fault+0x1ab/0x290 + ksys_read+0x52/0xd0 + do_syscall_64+0x61/0x11e0 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + +Fixes: dd3dd7263cde ("net/mlx5: Expose vhca_id to debugfs") +Signed-off-by: Parav Pandit +Reviewed-by: Shay Drori +Reviewed-by: Simon Horman +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/1769503961-124173-4-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/debugfs.c | 16 ++++++++++++++++ + drivers/net/ethernet/mellanox/mlx5/core/main.c | 14 +++----------- + .../net/ethernet/mellanox/mlx5/core/mlx5_core.h | 1 + + .../ethernet/mellanox/mlx5/core/sf/dev/driver.c | 1 + + 4 files changed, 21 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/debugfs.c b/drivers/net/ethernet/mellanox/mlx5/core/debugfs.c +index 36806e813c33c..1301c56e20d65 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/debugfs.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/debugfs.c +@@ -613,3 +613,19 @@ void mlx5_debug_cq_remove(struct mlx5_core_dev *dev, struct mlx5_core_cq *cq) + cq->dbg = NULL; + } + } ++ ++static int vhca_id_show(struct seq_file *file, void *priv) ++{ ++ struct mlx5_core_dev *dev = file->private; ++ ++ seq_printf(file, "0x%x\n", MLX5_CAP_GEN(dev, vhca_id)); ++ return 0; ++} ++ ++DEFINE_SHOW_ATTRIBUTE(vhca_id); ++ ++void mlx5_vhca_debugfs_init(struct mlx5_core_dev *dev) ++{ ++ debugfs_create_file("vhca_id", 0400, dev->priv.dbg.dbg_root, dev, ++ &vhca_id_fops); ++} +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c +index 4ed23d19c0eca..8bfa95cda0063 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c +@@ -1810,16 +1810,6 @@ static int mlx5_hca_caps_alloc(struct mlx5_core_dev *dev) + return -ENOMEM; + } + +-static int 
vhca_id_show(struct seq_file *file, void *priv) +-{ +- struct mlx5_core_dev *dev = file->private; +- +- seq_printf(file, "0x%x\n", MLX5_CAP_GEN(dev, vhca_id)); +- return 0; +-} +- +-DEFINE_SHOW_ATTRIBUTE(vhca_id); +- + static int mlx5_notifiers_init(struct mlx5_core_dev *dev) + { + int err; +@@ -1862,7 +1852,7 @@ int mlx5_mdev_init(struct mlx5_core_dev *dev, int profile_idx) + priv->numa_node = dev_to_node(mlx5_core_dma_dev(dev)); + priv->dbg.dbg_root = debugfs_create_dir(dev_name(dev->device), + mlx5_debugfs_root); +- debugfs_create_file("vhca_id", 0400, priv->dbg.dbg_root, dev, &vhca_id_fops); ++ + INIT_LIST_HEAD(&priv->traps); + + err = mlx5_cmd_init(dev); +@@ -2000,6 +1990,8 @@ static int probe_one(struct pci_dev *pdev, const struct pci_device_id *id) + goto err_init_one; + } + ++ mlx5_vhca_debugfs_init(dev); ++ + pci_save_state(pdev); + return 0; + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.h b/drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.h +index dc6965f6746ec..6b82a494bd323 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.h +@@ -251,6 +251,7 @@ int mlx5_wait_for_pages(struct mlx5_core_dev *dev, int *pages); + void mlx5_cmd_flush(struct mlx5_core_dev *dev); + void mlx5_cq_debugfs_init(struct mlx5_core_dev *dev); + void mlx5_cq_debugfs_cleanup(struct mlx5_core_dev *dev); ++void mlx5_vhca_debugfs_init(struct mlx5_core_dev *dev); + + int mlx5_query_pcam_reg(struct mlx5_core_dev *dev, u32 *pcam, u8 feature_group, + u8 access_reg_group); +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c b/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c +index b706f1486504a..c45540fe7d9d9 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c +@@ -76,6 +76,7 @@ static int mlx5_sf_dev_probe(struct auxiliary_device *adev, const struct auxilia + goto init_one_err; + } + ++ 
mlx5_vhca_debugfs_init(mdev); + return 0; + + init_one_err: +-- +2.51.0 + diff --git a/queue-6.12/net-mlx5-fs-fix-inverted-cap-check-in-tx-flow-table-.patch b/queue-6.12/net-mlx5-fs-fix-inverted-cap-check-in-tx-flow-table-.patch new file mode 100644 index 0000000000..c71b04c9b4 --- /dev/null +++ b/queue-6.12/net-mlx5-fs-fix-inverted-cap-check-in-tx-flow-table-.patch 
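Review bot: `mlx5_vhca_debugfs_init()` in debugfs.c publishes a file whose handler, `vhca_id_show()`, still reads `MLX5_CAP_GEN(dev, vhca_id)` with no guard, and the patch adds no matching removal, so the fix covers the probe ordering only. The teardown order is not visible in these hunks; if the HCA caps are freed before the debugfs root directory is removed, a read during unbind could hit the same dereference that the oops in the commit message shows. I would document the contract on the new helper, e.g. `/* Call only after mlx5_init_one() succeeded; vhca_id_show() reads the HCA caps unguarded. */`, and confirm that the remove paths drop the file before the caps are released.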
@@ -0,0 +1,44 @@
+From d719b31c6525821e88c886c1326b2dfe20097eae Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 27 Jan 2026 10:52:38 +0200
+Subject: net/mlx5: fs, Fix inverted cap check in tx flow table root disconnect
+
+From: Shay Drory
+
+[ Upstream commit 2610a3d65691a1301ab10c92ff6ebab0bedf9199 ]
+
+The capability check for reset_root_to_default was inverted, causing
+the function to return -EOPNOTSUPP when the capability IS supported,
+rather than when it is NOT supported.
+
+Fix the capability check condition.
+
+Fixes: 3c9c34c32bc6 ("net/mlx5: fs, Command to control TX flow table root")
+Signed-off-by: Shay Drory
+Reviewed-by: Mark Bloch
+Reviewed-by: Simon Horman
+Signed-off-by: Tariq Toukan
+Link: https://patch.msgid.link/1769503961-124173-2-git-send-email-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/mellanox/mlx5/core/fs_cmd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_cmd.c
+index 676005854dad4..c115270936774 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_cmd.c
+@@ -1166,7 +1166,8 @@ int mlx5_fs_cmd_set_tx_flow_table_root(struct mlx5_core_dev *dev, u32 ft_id, boo
+ u32 out[MLX5_ST_SZ_DW(set_flow_table_root_out)] = {};
+ u32 in[MLX5_ST_SZ_DW(set_flow_table_root_in)] = {};
+
+- if (disconnect && MLX5_CAP_FLOWTABLE_NIC_TX(dev, reset_root_to_default))
++ if (disconnect &&
++ !MLX5_CAP_FLOWTABLE_NIC_TX(dev, reset_root_to_default))
+ return -EOPNOTSUPP;
+
+ MLX5_SET(set_flow_table_root_in, in, opcode,
+--
+2.51.0
+
diff --git a/queue-6.12/net-mlx5-initialize-events-outside-devlink-lock.patch b/queue-6.12/net-mlx5-initialize-events-outside-devlink-lock.patch
new file mode 100644
index 0000000000..99b3112cbb
--- /dev/null
+++ b/queue-6.12/net-mlx5-initialize-events-outside-devlink-lock.patch
@@ -0,0 +1,115 @@ +From be6973a07f0ffd333d37f8a827bd3d2dc121a254 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 16 Nov 2025 22:45:35 +0200 +Subject: net/mlx5: Initialize events outside devlink lock + +From: Cosmin Ratiu + +[ Upstream commit b6b03097f9826db72aeb3f751774c5e9edd9a5b3 ] + +Move event init/cleanup outside of mlx5_init_one() / mlx5_uninit_one() +and into the mlx5_mdev_init() / mlx5_mdev_uninit() functions. + +By doing this, we avoid the events being reinitialized on devlink reload +and, more importantly, the events->sw_nh notifier chain becomes +available earlier in the init procedure, which will be used in +subsequent patches. This makes sense because the events struct is pure +software, independent of any HW details. + +Signed-off-by: Cosmin Ratiu +Reviewed-by: Carolina Jubran +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/1763325940-1231508-2-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: a8f930b7be7b ("net/mlx5: Fix vhca_id access call trace use before alloc") +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/main.c | 34 +++++++++++++------ + 1 file changed, 24 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c +index e97b3494b9161..4ed23d19c0eca 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c +@@ -1016,16 +1016,10 @@ static int mlx5_init_once(struct mlx5_core_dev *dev) + goto err_irq_cleanup; + } + +- err = mlx5_events_init(dev); +- if (err) { +- mlx5_core_err(dev, "failed to initialize events\n"); +- goto err_eq_cleanup; +- } +- + err = mlx5_fw_reset_init(dev); + if (err) { + mlx5_core_err(dev, "failed to initialize fw reset events\n"); +- goto err_events_cleanup; ++ goto err_eq_cleanup; + } + + mlx5_cq_debugfs_init(dev); +@@ -1121,8 +1115,6 @@ static int mlx5_init_once(struct mlx5_core_dev *dev) + 
mlx5_cleanup_reserved_gids(dev); + mlx5_cq_debugfs_cleanup(dev); + mlx5_fw_reset_cleanup(dev); +-err_events_cleanup: +- mlx5_events_cleanup(dev); + err_eq_cleanup: + mlx5_eq_table_cleanup(dev); + err_irq_cleanup: +@@ -1155,7 +1147,6 @@ static void mlx5_cleanup_once(struct mlx5_core_dev *dev) + mlx5_cleanup_reserved_gids(dev); + mlx5_cq_debugfs_cleanup(dev); + mlx5_fw_reset_cleanup(dev); +- mlx5_events_cleanup(dev); + mlx5_eq_table_cleanup(dev); + mlx5_irq_table_cleanup(dev); + mlx5_unregister_hca_devcom_comp(dev); +@@ -1829,6 +1820,24 @@ static int vhca_id_show(struct seq_file *file, void *priv) + + DEFINE_SHOW_ATTRIBUTE(vhca_id); + ++static int mlx5_notifiers_init(struct mlx5_core_dev *dev) ++{ ++ int err; ++ ++ err = mlx5_events_init(dev); ++ if (err) { ++ mlx5_core_err(dev, "failed to initialize events\n"); ++ return err; ++ } ++ ++ return 0; ++} ++ ++static void mlx5_notifiers_cleanup(struct mlx5_core_dev *dev) ++{ ++ mlx5_events_cleanup(dev); ++} ++ + int mlx5_mdev_init(struct mlx5_core_dev *dev, int profile_idx) + { + struct mlx5_priv *priv = &dev->priv; +@@ -1884,6 +1893,10 @@ int mlx5_mdev_init(struct mlx5_core_dev *dev, int profile_idx) + if (err) + goto err_hca_caps; + ++ err = mlx5_notifiers_init(dev); ++ if (err) ++ goto err_hca_caps; ++ + /* The conjunction of sw_vhca_id with sw_owner_id will be a global + * unique id per function which uses mlx5_core. + * Those values are supplied to FW as part of the init HCA command to +@@ -1926,6 +1939,7 @@ void mlx5_mdev_uninit(struct mlx5_core_dev *dev) + if (priv->sw_vhca_id > 0) + ida_free(&sw_vhca_ida, dev->priv.sw_vhca_id); + ++ mlx5_notifiers_cleanup(dev); + mlx5_hca_caps_free(dev); + mlx5_adev_cleanup(dev); + mlx5_pagealloc_cleanup(dev); +-- +2.51.0 + diff --git a/queue-6.12/net-mlx5e-skip-esn-replay-window-setup-for-ipsec-cry.patch b/queue-6.12/net-mlx5e-skip-esn-replay-window-setup-for-ipsec-cry.patch new file mode 100644 index 0000000000..075a8d297a --- /dev/null 
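Review bot: In the `mlx5_mdev_init()` hunk, a failure of the new `mlx5_notifiers_init()` jumps to `err_hca_caps`, the same label the preceding step uses for its own failure. The label body is outside the hunk, but a label reached when the caps step itself failed is unlikely to release what that step allocated, so this path may leak the HCA caps that `mlx5_mdev_uninit()` releases with `mlx5_hca_caps_free()`. If that holds, a dedicated label would fix it: `err_notifiers_init:` followed by `mlx5_hca_caps_free(dev);`, placed ahead of `err_hca_caps:`, with the new check changed to `goto err_notifiers_init;`.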
+++ b/queue-6.12/net-mlx5e-skip-esn-replay-window-setup-for-ipsec-cry.patch 
@@ -0,0 +1,50 @@ +From de3b4becccf598c84d9d30e82e6bb4bda1da0365 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Jan 2026 10:52:41 +0200 +Subject: net/mlx5e: Skip ESN replay window setup for IPsec crypto offload + +From: Jianbo Liu + +[ Upstream commit 011be342dd24b5168a5dcf408b14c3babe503341 ] + +Commit a5e400a985df ("net/mlx5e: Honor user choice of IPsec replay +window size") introduced logic to setup the ESN replay window size. +This logic is only valid for packet offload. + +However, the check to skip this block only covered outbound offloads. +It was not skipped for crypto offload, causing it to fall through to +the new switch statement and trigger its WARN_ON default case (for +instance, if a window larger than 256 bits was configured). + +Fix this by amending the condition to also skip the replay window +setup if the offload type is not XFRM_DEV_OFFLOAD_PACKET. + +Fixes: a5e400a985df ("net/mlx5e: Honor user choice of IPsec replay window size") +Signed-off-by: Jianbo Liu +Reviewed-by: Leon Romanovsky +Reviewed-by: Simon Horman +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/1769503961-124173-5-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c +index 39dcbf863421a..7e24f3f0b4dd3 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c +@@ -347,7 +347,8 @@ void mlx5e_ipsec_build_accel_xfrm_attrs(struct mlx5e_ipsec_sa_entry *sa_entry, + attrs->replay_esn.esn = sa_entry->esn_state.esn; + attrs->replay_esn.esn_msb = sa_entry->esn_state.esn_msb; + attrs->replay_esn.overlap = sa_entry->esn_state.overlap; +- if (attrs->dir == XFRM_DEV_OFFLOAD_OUT) ++ if (attrs->dir == 
XFRM_DEV_OFFLOAD_OUT || ++ x->xso.type != XFRM_DEV_OFFLOAD_PACKET) + goto skip_replay_window; + + switch (x->replay_esn->replay_window) { +-- +2.51.0 + diff --git a/queue-6.12/net-mlx5e-tc-delete-flows-only-for-existing-peers.patch b/queue-6.12/net-mlx5e-tc-delete-flows-only-for-existing-peers.patch new file mode 100644 index 0000000000..aff88cef3e --- /dev/null +++ b/queue-6.12/net-mlx5e-tc-delete-flows-only-for-existing-peers.patch 
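Review bot: The `WARN_ON` default case that the commit message describes stays reachable for packet offload, since the amended condition at `goto skip_replay_window` only keeps crypto offload and outbound states out of the switch. The commit message says a configured window larger than 256 bits reaches that default, and on systems running with panic_on_warn a configuration value should not be able to do that. Whether an earlier validation step rejects such windows for packet offload is not visible here; if none does, the size should be checked where the state is validated and rejected with an error instead. At minimum I would add a comment above the switch: `/* Packet offload only; unsupported window sizes must be rejected before this point. */`. The function body starts and continues outside the hunk.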
@@ -0,0 +1,132 @@ +From 9343aaadff6cd32d4305a4a338f44f70645e7c43 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jan 2026 09:14:54 +0200 +Subject: net/mlx5e: TC, delete flows only for existing peers + +From: Mark Bloch + +[ Upstream commit f67666938ae626cbda63fbf5176b3583c07e7124 ] + +When deleting TC steering flows, iterate only over actual devcom +peers instead of assuming all possible ports exist. This avoids +touching non-existent peers and ensures cleanup is limited to +devices the driver is currently connected to. + + BUG: kernel NULL pointer dereference, address: 0000000000000008 + #PF: supervisor write access in kernel mode + #PF: error_code(0x0002) - not-present page + PGD 133c8a067 P4D 0 + Oops: Oops: 0002 [#1] SMP + CPU: 19 UID: 0 PID: 2169 Comm: tc Not tainted 6.18.0+ #156 NONE + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 + RIP: 0010:mlx5e_tc_del_fdb_peers_flow+0xbe/0x200 [mlx5_core] + Code: 00 00 a8 08 74 a8 49 8b 46 18 f6 c4 02 74 9f 4c 8d bf a0 12 00 00 4c 89 ff e8 0e e7 96 e1 49 8b 44 24 08 49 8b 0c 24 4c 89 ff <48> 89 41 08 48 89 08 49 89 2c 24 49 89 5c 24 08 e8 7d ce 96 e1 49 + RSP: 0018:ff11000143867528 EFLAGS: 00010246 + RAX: 0000000000000000 RBX: dead000000000122 RCX: 0000000000000000 + RDX: ff11000143691580 RSI: ff110001026e5000 RDI: ff11000106f3d2a0 + RBP: dead000000000100 R08: 00000000000003fd R09: 0000000000000002 + R10: ff11000101c75690 R11: ff1100085faea178 R12: ff11000115f0ae78 + R13: 0000000000000000 R14: ff11000115f0a800 R15: ff11000106f3d2a0 + FS: 00007f35236bf740(0000) GS:ff110008dc809000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000008 CR3: 0000000157a01001 CR4: 0000000000373eb0 + Call Trace: + + mlx5e_tc_del_flow+0x46/0x270 [mlx5_core] + mlx5e_flow_put+0x25/0x50 [mlx5_core] + mlx5e_delete_flower+0x2a6/0x3e0 [mlx5_core] + tc_setup_cb_reoffload+0x20/0x80 + fl_reoffload+0x26f/0x2f0 [cls_flower] + ? 
mlx5e_tc_reoffload_flows_work+0xc0/0xc0 [mlx5_core] + ? mlx5e_tc_reoffload_flows_work+0xc0/0xc0 [mlx5_core] + tcf_block_playback_offloads+0x9e/0x1c0 + tcf_block_unbind+0x7b/0xd0 + tcf_block_setup+0x186/0x1d0 + tcf_block_offload_cmd.isra.0+0xef/0x130 + tcf_block_offload_unbind+0x43/0x70 + __tcf_block_put+0x85/0x160 + ingress_destroy+0x32/0x110 [sch_ingress] + __qdisc_destroy+0x44/0x100 + qdisc_graft+0x22b/0x610 + tc_get_qdisc+0x183/0x4d0 + rtnetlink_rcv_msg+0x2d7/0x3d0 + ? rtnl_calcit.isra.0+0x100/0x100 + netlink_rcv_skb+0x53/0x100 + netlink_unicast+0x249/0x320 + ? __alloc_skb+0x102/0x1f0 + netlink_sendmsg+0x1e3/0x420 + __sock_sendmsg+0x38/0x60 + ____sys_sendmsg+0x1ef/0x230 + ? copy_msghdr_from_user+0x6c/0xa0 + ___sys_sendmsg+0x7f/0xc0 + ? ___sys_recvmsg+0x8a/0xc0 + ? __sys_sendto+0x119/0x180 + __sys_sendmsg+0x61/0xb0 + do_syscall_64+0x55/0x640 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + RIP: 0033:0x7f35238bb764 + Code: 15 b9 86 0c 00 f7 d8 64 89 02 b8 ff ff ff ff eb bf 0f 1f 44 00 00 f3 0f 1e fa 80 3d e5 08 0d 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 4c c3 0f 1f 00 55 48 89 e5 48 83 ec 20 89 55 + RSP: 002b:00007ffed4c35638 EFLAGS: 00000202 ORIG_RAX: 000000000000002e + RAX: ffffffffffffffda RBX: 000055a2efcc75e0 RCX: 00007f35238bb764 + RDX: 0000000000000000 RSI: 00007ffed4c356a0 RDI: 0000000000000003 + RBP: 00007ffed4c35710 R08: 0000000000000010 R09: 00007f3523984b20 + R10: 0000000000000004 R11: 0000000000000202 R12: 00007ffed4c35790 + R13: 000000006947df8f R14: 000055a2efcc75e0 R15: 00007ffed4c35780 + +Fixes: 9be6c21fdcf8 ("net/mlx5e: Handle offloads flows per peer") +Signed-off-by: Mark Bloch +Reviewed-by: Shay Drori +Signed-off-by: Tariq Toukan +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/1769411695-18820-3-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/en_tc.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff 
--git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +index 4d766eea32a37..8878990254f46 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +@@ -2143,11 +2143,14 @@ static void mlx5e_tc_del_fdb_peer_flow(struct mlx5e_tc_flow *flow, + + static void mlx5e_tc_del_fdb_peers_flow(struct mlx5e_tc_flow *flow) + { ++ struct mlx5_devcom_comp_dev *devcom; ++ struct mlx5_devcom_comp_dev *pos; ++ struct mlx5_eswitch *peer_esw; + int i; + +- for (i = 0; i < MLX5_MAX_PORTS; i++) { +- if (i == mlx5_get_dev_index(flow->priv->mdev)) +- continue; ++ devcom = flow->priv->mdev->priv.eswitch->devcom; ++ mlx5_devcom_for_each_peer_entry(devcom, peer_esw, pos) { ++ i = mlx5_get_dev_index(peer_esw->dev); + mlx5e_tc_del_fdb_peer_flow(flow, i); + } + } +@@ -5504,12 +5507,16 @@ int mlx5e_tc_num_filters(struct mlx5e_priv *priv, unsigned long flags) + + void mlx5e_tc_clean_fdb_peer_flows(struct mlx5_eswitch *esw) + { ++ struct mlx5_devcom_comp_dev *devcom; ++ struct mlx5_devcom_comp_dev *pos; + struct mlx5e_tc_flow *flow, *tmp; ++ struct mlx5_eswitch *peer_esw; + int i; + +- for (i = 0; i < MLX5_MAX_PORTS; i++) { +- if (i == mlx5_get_dev_index(esw->dev)) +- continue; ++ devcom = esw->devcom; ++ ++ mlx5_devcom_for_each_peer_entry(devcom, peer_esw, pos) { ++ i = mlx5_get_dev_index(peer_esw->dev); + list_for_each_entry_safe(flow, tmp, &esw->offloads.peer_flows[i], peer[i]) + mlx5e_tc_del_fdb_peers_flow(flow); + } +-- +2.51.0 + diff --git a/queue-6.12/net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch b/queue-6.12/net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch new file mode 100644 index 0000000000..8db908fdb9 --- /dev/null +++ b/queue-6.12/net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch 
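Review bot: Both rewritten loops dereference the devcom handle without any check: `mlx5e_tc_del_fdb_peers_flow()` walks `flow->priv->mdev->priv.eswitch->devcom` and `mlx5e_tc_clean_fdb_peer_flows()` uses `esw->devcom`. The old loops only compared port indexes, so this is a new precondition, and neither the handling of an unset devcom nor the locking that `mlx5_devcom_for_each_peer_entry()` expects is visible in the hunks. Since the commit fixes a NULL dereference in this same path, I would state the contract at both sites, e.g. `/* Caller guarantees esw->devcom is registered and the peer list is stable for the walk. */`, or add an early return when the handle is not set.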
@@ -0,0 +1,48 @@
+From 3eb9d176e8914bb50296065c6ad35f7afa519106 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 23 Jan 2026 06:57:16 +0000
+Subject: net: mvpp2: cls: Fix memory leak in mvpp2_ethtool_cls_rule_ins()
+
+From: Zilin Guan
+
+[ Upstream commit 09f979d1f312627b31d2ee1e46f9692e442610cd ]
+
+In mvpp2_ethtool_cls_rule_ins(), the ethtool_rule is allocated by
+ethtool_rx_flow_rule_create(). If the subsequent conversion to flow
+type fails, the function jumps to the clean_rule label.
+
+However, the clean_rule label only frees efs, skipping the cleanup
+of ethtool_rule, which leads to a memory leak.
+
+Fix this by jumping to the clean_eth_rule label, which properly calls
+ethtool_rx_flow_rule_destroy() before freeing efs.
+
+Compile tested only. Issue found using a prototype static analysis tool
+and code review.
+
+Fixes: f4f1ba18195d ("net: mvpp2: cls: Report an error for unsupported flow types")
+Signed-off-by: Zilin Guan
+Reviewed-by: Maxime Chevallier
+Link: https://patch.msgid.link/20260123065716.2248324-1-zilin@seu.edu.cn
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c
+index 8ed83fb988624..155bc41ffce65 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c
+@@ -1389,7 +1389,7 @@ int mvpp2_ethtool_cls_rule_ins(struct mvpp2_port *port,
+ efs->rule.flow_type = mvpp2_cls_ethtool_flow_to_type(info->fs.flow_type);
+ if (efs->rule.flow_type < 0) {
+ ret = efs->rule.flow_type;
+- goto clean_rule;
++ goto clean_eth_rule;
+ }
+
+ ret = mvpp2_cls_rfs_parse_rule(&efs->rule);
+--
+2.51.0
+
diff --git a/queue-6.12/net-phy-micrel-fix-clk-warning-when-removing-the-dri.patch b/queue-6.12/net-phy-micrel-fix-clk-warning-when-removing-the-dri.patch new file mode 100644 index 0000000000..455741b78d --- /dev/null +++ b/queue-6.12/net-phy-micrel-fix-clk-warning-when-removing-the-dri.patch 
@@ -0,0 +1,130 @@ +From 3440953da668736b9afdcdea94abe95be7bb7288 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jan 2026 16:15:44 +0800 +Subject: net: phy: micrel: fix clk warning when removing the driver + +From: Wei Fang + +[ Upstream commit 2aa1545ba8d4801fba5be83a404e28014b80196a ] + +Since the commit 25c6a5ab151f ("net: phy: micrel: Dynamically control +external clock of KSZ PHY"), the clock of Micrel PHY has been enabled +by phy_driver::resume() and disabled by phy_driver::suspend(). However, +devm_clk_get_optional_enabled() is used in kszphy_probe(), so the clock +will automatically be disabled when the device is unbound from the bus. +Therefore, this could cause the clock to be disabled twice, resulting +in clk driver warnings. + +For example, this issue can be reproduced on i.MX6ULL platform, and we +can see the following logs when removing the FEC MAC drivers. + +$ echo 2188000.ethernet > /sys/bus/platform/drivers/fec/unbind +$ echo 20b4000.ethernet > /sys/bus/platform/drivers/fec/unbind +[ 109.758207] ------------[ cut here ]------------ +[ 109.758240] WARNING: drivers/clk/clk.c:1188 at clk_core_disable+0xb4/0xd0, CPU#0: sh/639 +[ 109.771011] enet2_ref already disabled +[ 109.793359] Call trace: +[ 109.822006] clk_core_disable from clk_disable+0x28/0x34 +[ 109.827340] clk_disable from clk_disable_unprepare+0xc/0x18 +[ 109.833029] clk_disable_unprepare from devm_clk_release+0x1c/0x28 +[ 109.839241] devm_clk_release from devres_release_all+0x98/0x100 +[ 109.845278] devres_release_all from device_unbind_cleanup+0xc/0x70 +[ 109.851571] device_unbind_cleanup from device_release_driver_internal+0x1a4/0x1f4 +[ 109.859170] device_release_driver_internal from bus_remove_device+0xbc/0xe4 +[ 109.866243] bus_remove_device from device_del+0x140/0x458 +[ 109.871757] device_del from phy_mdio_device_remove+0xc/0x24 +[ 109.877452] phy_mdio_device_remove from mdiobus_unregister+0x40/0xac +[ 109.883918] mdiobus_unregister from fec_enet_mii_remove+0x40/0x78 +[ 
109.890125] fec_enet_mii_remove from fec_drv_remove+0x4c/0x158 +[ 109.896076] fec_drv_remove from device_release_driver_internal+0x17c/0x1f4 +[ 109.962748] WARNING: drivers/clk/clk.c:1047 at clk_core_unprepare+0xfc/0x13c, CPU#0: sh/639 +[ 109.975805] enet2_ref already unprepared +[ 110.002866] Call trace: +[ 110.031758] clk_core_unprepare from clk_unprepare+0x24/0x2c +[ 110.037440] clk_unprepare from devm_clk_release+0x1c/0x28 +[ 110.042957] devm_clk_release from devres_release_all+0x98/0x100 +[ 110.048989] devres_release_all from device_unbind_cleanup+0xc/0x70 +[ 110.055280] device_unbind_cleanup from device_release_driver_internal+0x1a4/0x1f4 +[ 110.062877] device_release_driver_internal from bus_remove_device+0xbc/0xe4 +[ 110.069950] bus_remove_device from device_del+0x140/0x458 +[ 110.075469] device_del from phy_mdio_device_remove+0xc/0x24 +[ 110.081165] phy_mdio_device_remove from mdiobus_unregister+0x40/0xac +[ 110.087632] mdiobus_unregister from fec_enet_mii_remove+0x40/0x78 +[ 110.093836] fec_enet_mii_remove from fec_drv_remove+0x4c/0x158 +[ 110.099782] fec_drv_remove from device_release_driver_internal+0x17c/0x1f4 + +After analyzing the process of removing the FEC driver, as shown below, +it can be seen that the clock was disabled twice by the PHY driver. + +fec_drv_remove() + --> fec_enet_close() + --> phy_stop() + --> phy_suspend() + --> kszphy_suspend() #1 The clock is disabled + --> fec_enet_mii_remove() + --> mdiobus_unregister() + --> phy_mdio_device_remove() + --> device_del() + --> devm_clk_release() #2 The clock is disabled again + +Therefore, devm_clk_get_optional() is used to fix the above issue. And +to avoid the issue mentioned by the commit 985329462723 ("net: phy: +micrel: use devm_clk_get_optional_enabled for the rmii-ref clock"), the +clock is enabled by clk_prepare_enable() to get the correct clock rate. 
+ +Fixes: 25c6a5ab151f ("net: phy: micrel: Dynamically control external clock of KSZ PHY") +Signed-off-by: Wei Fang +Reviewed-by: Maxime Chevallier +Link: https://patch.msgid.link/20260126081544.983517-1-wei.fang@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/micrel.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/phy/micrel.c b/drivers/net/phy/micrel.c +index 5e5a5010932c1..f0c068075322f 100644 +--- a/drivers/net/phy/micrel.c ++++ b/drivers/net/phy/micrel.c +@@ -2268,11 +2268,21 @@ static int kszphy_probe(struct phy_device *phydev) + + kszphy_parse_led_mode(phydev); + +- clk = devm_clk_get_optional_enabled(&phydev->mdio.dev, "rmii-ref"); ++ clk = devm_clk_get_optional(&phydev->mdio.dev, "rmii-ref"); + /* NOTE: clk may be NULL if building without CONFIG_HAVE_CLK */ + if (!IS_ERR_OR_NULL(clk)) { +- unsigned long rate = clk_get_rate(clk); + bool rmii_ref_clk_sel_25_mhz; ++ unsigned long rate; ++ int err; ++ ++ err = clk_prepare_enable(clk); ++ if (err) { ++ phydev_err(phydev, "Failed to enable rmii-ref clock\n"); ++ return err; ++ } ++ ++ rate = clk_get_rate(clk); ++ clk_disable_unprepare(clk); + + if (type) + priv->rmii_ref_clk_sel = type->has_rmii_ref_clk_sel; +@@ -2290,13 +2300,12 @@ static int kszphy_probe(struct phy_device *phydev) + } + } else if (!clk) { + /* unnamed clock from the generic ethernet-phy binding */ +- clk = devm_clk_get_optional_enabled(&phydev->mdio.dev, NULL); ++ clk = devm_clk_get_optional(&phydev->mdio.dev, NULL); + } + + if (IS_ERR(clk)) + return PTR_ERR(clk); + +- clk_disable_unprepare(clk); + priv->clk = clk; + + if (ksz8041_fiber_mode(phydev)) +-- +2.51.0 + diff --git a/queue-6.12/net-wwan-t7xx-fix-potential-skb-frags-overflow-in-rx.patch b/queue-6.12/net-wwan-t7xx-fix-potential-skb-frags-overflow-in-rx.patch new file mode 100644 index 0000000000..4d1d2fc520 --- /dev/null 
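Review bot: After this change `kszphy_probe()` enables the rmii-ref clock only long enough to call `clk_get_rate()` and then stores it disabled in `priv->clk`, but nothing in the code says so; the reasoning lives only in the commit message. The double disable being fixed came from two owners of the enable count, so the ownership rule deserves a comment at the `clk_prepare_enable()` call, e.g. `/* Enabled only to read a valid rate; suspend()/resume() own the enable count from here on. */`. The unnamed-clock branch now uses `devm_clk_get_optional()` as well and would benefit from the same remark. The function starts and continues outside the hunks.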
+++ b/queue-6.12/net-wwan-t7xx-fix-potential-skb-frags-overflow-in-rx.patch 
@@ -0,0 +1,83 @@
+From aa1be734c05f9a94a73c424dfa9fb74231d8d1c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 23 Jan 2026 01:04:01 +0800
+Subject: net: wwan: t7xx: fix potential skb->frags overflow in RX path
+
+From: Kery Qi
+
+[ Upstream commit f0813bcd2d9d97fdbdf2efb9532ab03ae92e99e6 ]
+
+When receiving data in the DPMAIF RX path,
+the t7xx_dpmaif_set_frag_to_skb() function adds
+page fragments to an skb without checking if the number of
+fragments has exceeded MAX_SKB_FRAGS. This could lead to a buffer overflow
+in skb_shinfo(skb)->frags[] array, corrupting adjacent memory and
+potentially causing kernel crashes or other undefined behavior.
+
+This issue was identified through static code analysis by comparing with a
+similar vulnerability fixed in the mt76 driver commit b102f0c522cf ("mt76:
+fix array overflow on receiving too many fragments for a packet").
+
+The vulnerability could be triggered if the modem firmware sends packets
+with excessive fragments. While under normal protocol conditions (MTU 3080
+bytes, BAT buffer 3584 bytes),
+a single packet should not require additional
+fragments, the kernel should not blindly trust firmware behavior.
+Malicious, buggy, or compromised firmware could potentially craft packets
+with more fragments than the kernel expects.
+
+Fix this by adding a bounds check before calling skb_add_rx_frag() to
+ensure nr_frags does not exceed MAX_SKB_FRAGS.
+
+The check must be performed before unmapping to avoid a page leak
+and double DMA unmap during device teardown.
+
+Fixes: d642b012df70a ("net: wwan: t7xx: Add data path interface")
+Signed-off-by: Kery Qi
+Link: https://patch.msgid.link/20260122170401.1986-2-qikeyu2017@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c b/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
+index 7a9c09cd4fdcf..6b0df637afeb8 100644
+--- a/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
++++ b/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
+@@ -394,6 +394,7 @@ static int t7xx_dpmaif_set_frag_to_skb(const struct dpmaif_rx_queue *rxq,
+ struct sk_buff *skb)
+ {
+ unsigned long long data_bus_addr, data_base_addr;
++ struct skb_shared_info *shinfo = skb_shinfo(skb);
+ struct device *dev = rxq->dpmaif_ctrl->dev;
+ struct dpmaif_bat_page *page_info;
+ unsigned int data_len;
+@@ -401,18 +402,22 @@ static int t7xx_dpmaif_set_frag_to_skb(const struct dpmaif_rx_queue *rxq,
+
+ page_info = rxq->bat_frag->bat_skb;
+ page_info += t7xx_normal_pit_bid(pkt_info);
+- dma_unmap_page(dev, page_info->data_bus_addr, page_info->data_len, DMA_FROM_DEVICE);
+
+ if (!page_info->page)
+ return -EINVAL;
+
++ if (shinfo->nr_frags >= MAX_SKB_FRAGS)
++ return -EINVAL;
++
++ dma_unmap_page(dev, page_info->data_bus_addr, page_info->data_len, DMA_FROM_DEVICE);
++
+ data_bus_addr = le32_to_cpu(pkt_info->pd.data_addr_h);
+ data_bus_addr = (data_bus_addr << 32) + le32_to_cpu(pkt_info->pd.data_addr_l);
+ data_base_addr = page_info->data_bus_addr;
+ data_offset = data_bus_addr - data_base_addr;
+ data_offset += page_info->offset;
+ data_len = FIELD_GET(PD_PIT_DATA_LEN, le32_to_cpu(pkt_info->header));
+- skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags, page_info->page,
++ skb_add_rx_frag(skb, shinfo->nr_frags, page_info->page,
+ data_offset, data_len, page_info->data_len);
+
+ page_info->page = NULL;
+--
+2.51.0
+
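Review bot: The offset and length handed to `skb_add_rx_frag()` are still taken from the device-written descriptor without a range check: `data_bus_addr` comes from `pkt_info->pd.data_addr_h/l` and `data_len` from `pkt_info->header`, and neither is compared with the mapped buffer (`page_info->data_bus_addr`, `page_info->data_len`). The commit message's own argument, that the kernel should not trust firmware behaviour, applies to these fields as much as to the fragment count. I would validate them next to the new `nr_frags` check and, for the reason the commit gives, before `dma_unmap_page()`, so a rejected descriptor leaves the page mapped and owned as before. Whether a caller already bounds these fields is not visible here, and the function continues past the end of the hunk.

```c
	/* … unchanged: page_info lookup, NULL-page and nr_frags checks … */

	data_bus_addr = le32_to_cpu(pkt_info->pd.data_addr_h);
	data_bus_addr = (data_bus_addr << 32) + le32_to_cpu(pkt_info->pd.data_addr_l);
	data_base_addr = page_info->data_bus_addr;
	data_len = FIELD_GET(PD_PIT_DATA_LEN, le32_to_cpu(pkt_info->header));

	/* Descriptor fields are device-written: keep the fragment inside the mapped buffer. */
	if (data_bus_addr < data_base_addr ||
	    data_bus_addr - data_base_addr > page_info->data_len ||
	    data_len > page_info->data_len - (data_bus_addr - data_base_addr))
		return -EINVAL;

	dma_unmap_page(dev, page_info->data_bus_addr, page_info->data_len, DMA_FROM_DEVICE);

	data_offset = data_bus_addr - data_base_addr;
	data_offset += page_info->offset;
	/* … unchanged: skb_add_rx_frag() call and page_info reset … */
```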
diff --git a/queue-6.12/nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch b/queue-6.12/nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch new file mode 100644 index 0000000000..7a00ed1b60 --- /dev/null +++ b/queue-6.12/nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch 
@@ -0,0 +1,167 @@ +From 83bd7526794c50bf111c999bd5fb9d9937877d85 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 25 Jan 2026 00:59:28 +0000 +Subject: nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame(). + +From: Kuniyuki Iwashima + +[ Upstream commit 165c34fb6068ff153e3fc99a932a80a9d5755709 ] + +syzbot reported various memory leaks related to NFC, struct +nfc_llcp_sock, sk_buff, nfc_dev, etc. [0] + +The leading log hinted that nfc_llcp_send_ui_frame() failed +to allocate skb due to sock_error(sk) being -ENXIO. + +ENXIO is set by nfc_llcp_socket_release() when struct +nfc_llcp_local is destroyed by local_cleanup(). + +The problem is that there is no synchronisation between +nfc_llcp_send_ui_frame() and local_cleanup(), and skb +could be put into local->tx_queue after it was purged in +local_cleanup(): + + CPU1 CPU2 + ---- ---- + nfc_llcp_send_ui_frame() local_cleanup() + |- do { ' + |- pdu = nfc_alloc_send_skb(..., &err) + | . + | |- nfc_llcp_socket_release(local, false, ENXIO); + | |- skb_queue_purge(&local->tx_queue); | + | ' | + |- skb_queue_tail(&local->tx_queue, pdu); | + ... | + |- pdu = nfc_alloc_send_skb(..., &err) | + ^._________________________________.' + +local_cleanup() is called for struct nfc_llcp_local only +after nfc_llcp_remove_local() unlinks it from llcp_devices. + +If we hold local->tx_queue.lock then, we can synchronise +the thread and nfc_llcp_send_ui_frame(). + +Let's do that and check list_empty(&local->list) before +queuing skb to local->tx_queue in nfc_llcp_send_ui_frame(). + +[0]: +[ 56.074943][ T6096] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6) +[ 64.318868][ T5813] kmemleak: 6 new suspected memory leaks (see /sys/kernel/debug/kmemleak) +BUG: memory leak +unreferenced object 0xffff8881272f6800 (size 1024): + comm "syz.0.17", pid 6096, jiffies 4294942766 + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
+ 27 00 03 40 00 00 00 00 00 00 00 00 00 00 00 00 '..@............ + backtrace (crc da58d84d): + kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] + slab_post_alloc_hook mm/slub.c:4979 [inline] + slab_alloc_node mm/slub.c:5284 [inline] + __do_kmalloc_node mm/slub.c:5645 [inline] + __kmalloc_noprof+0x3e3/0x6b0 mm/slub.c:5658 + kmalloc_noprof include/linux/slab.h:961 [inline] + sk_prot_alloc+0x11a/0x1b0 net/core/sock.c:2239 + sk_alloc+0x36/0x360 net/core/sock.c:2295 + nfc_llcp_sock_alloc+0x37/0x130 net/nfc/llcp_sock.c:979 + llcp_sock_create+0x71/0xd0 net/nfc/llcp_sock.c:1044 + nfc_sock_create+0xc9/0xf0 net/nfc/af_nfc.c:31 + __sock_create+0x1a9/0x340 net/socket.c:1605 + sock_create net/socket.c:1663 [inline] + __sys_socket_create net/socket.c:1700 [inline] + __sys_socket+0xb9/0x1a0 net/socket.c:1747 + __do_sys_socket net/socket.c:1761 [inline] + __se_sys_socket net/socket.c:1759 [inline] + __x64_sys_socket+0x1b/0x30 net/socket.c:1759 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +BUG: memory leak +unreferenced object 0xffff88810fbd9800 (size 240): + comm "syz.0.17", pid 6096, jiffies 4294942850 + hex dump (first 32 bytes): + 68 f0 ff 08 81 88 ff ff 68 f0 ff 08 81 88 ff ff h.......h....... + 00 00 00 00 00 00 00 00 00 68 2f 27 81 88 ff ff .........h/'.... 
+ backtrace (crc 6cc652b1): + kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] + slab_post_alloc_hook mm/slub.c:4979 [inline] + slab_alloc_node mm/slub.c:5284 [inline] + kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5336 + __alloc_skb+0x203/0x240 net/core/skbuff.c:660 + alloc_skb include/linux/skbuff.h:1383 [inline] + alloc_skb_with_frags+0x69/0x3f0 net/core/skbuff.c:6671 + sock_alloc_send_pskb+0x379/0x3e0 net/core/sock.c:2965 + sock_alloc_send_skb include/net/sock.h:1859 [inline] + nfc_alloc_send_skb+0x45/0x80 net/nfc/core.c:724 + nfc_llcp_send_ui_frame+0x162/0x360 net/nfc/llcp_commands.c:766 + llcp_sock_sendmsg+0x14c/0x1d0 net/nfc/llcp_sock.c:814 + sock_sendmsg_nosec net/socket.c:727 [inline] + __sock_sendmsg net/socket.c:742 [inline] + __sys_sendto+0x2d8/0x2f0 net/socket.c:2244 + __do_sys_sendto net/socket.c:2251 [inline] + __se_sys_sendto net/socket.c:2247 [inline] + __x64_sys_sendto+0x28/0x30 net/socket.c:2247 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: 94f418a20664 ("NFC: UI frame sending routine implementation") +Reported-by: syzbot+f2d245f1d76bbfa50e4c@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/697569c7.a00a0220.33ccc7.0014.GAE@google.com/T/#u +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20260125010214.1572439-1-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/nfc/llcp_commands.c | 17 ++++++++++++++++- + net/nfc/llcp_core.c | 4 +++- + 2 files changed, 19 insertions(+), 2 deletions(-) + +diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c +index e2680a3bef799..b652323bc2c12 100644 +--- a/net/nfc/llcp_commands.c ++++ b/net/nfc/llcp_commands.c +@@ -778,8 +778,23 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap, + if (likely(frag_len > 0)) + skb_put_data(pdu, msg_ptr, 
frag_len); + ++ spin_lock(&local->tx_queue.lock); ++ ++ if (list_empty(&local->list)) { ++ spin_unlock(&local->tx_queue.lock); ++ ++ kfree_skb(pdu); ++ ++ len -= remaining_len; ++ if (len == 0) ++ len = -ENXIO; ++ break; ++ } ++ + /* No need to check for the peer RW for UI frames */ +- skb_queue_tail(&local->tx_queue, pdu); ++ __skb_queue_tail(&local->tx_queue, pdu); ++ ++ spin_unlock(&local->tx_queue.lock); + + remaining_len -= frag_len; + msg_ptr += frag_len; +diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c +index 18be13fb9b75a..ced99d2a90cc1 100644 +--- a/net/nfc/llcp_core.c ++++ b/net/nfc/llcp_core.c +@@ -314,7 +314,9 @@ static struct nfc_llcp_local *nfc_llcp_remove_local(struct nfc_dev *dev) + spin_lock(&llcp_devices_lock); + list_for_each_entry_safe(local, tmp, &llcp_devices, list) + if (local->dev == dev) { +- list_del(&local->list); ++ spin_lock(&local->tx_queue.lock); ++ list_del_init(&local->list); ++ spin_unlock(&local->tx_queue.lock); + spin_unlock(&llcp_devices_lock); + return local; + } +-- +2.51.0 + diff --git a/queue-6.12/nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch b/queue-6.12/nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch new file mode 100644 index 0000000000..c035f8c1a7 --- /dev/null +++ b/queue-6.12/nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch 
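Review bot: In nfc_llcp_send_ui_frame() the queueing now takes `local->tx_queue.lock` with plain `spin_lock()`, whereas the replaced `skb_queue_tail()` took the same lock with interrupts saved and disabled. That is only safe if the lock is never taken from softirq or hard-IRQ context, which these hunks do not show. The same lock now also guards `local->list` membership in nfc_llcp_remove_local(), nested inside `llcp_devices_lock`, and neither site says so. I would add above the check `/* local->list is emptied under tx_queue.lock by nfc_llcp_remove_local(); once empty, local_cleanup() may already have purged tx_queue */` and note the lock order next to `list_del_init()`. Both functions continue outside the hunks.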
@@ -0,0 +1,197 @@ +From 6f1b98539bc62f244404ac253cdc6eb7e24e64f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Jan 2026 04:03:59 +0000 +Subject: nfc: nci: Fix race between rfkill and nci_unregister_device(). + +From: Kuniyuki Iwashima + +[ Upstream commit d2492688bb9fed6ab6e313682c387ae71a66ebae ] + +syzbot reported the splat below [0] without a repro. + +It indicates that struct nci_dev.cmd_wq had been destroyed before +nci_close_device() was called via rfkill. + +nci_dev.cmd_wq is only destroyed in nci_unregister_device(), which +(I think) was called from virtual_ncidev_close() when syzbot close()d +an fd of virtual_ncidev. + +The problem is that nci_unregister_device() destroys nci_dev.cmd_wq +first and then calls nfc_unregister_device(), which removes the +device from rfkill by rfkill_unregister(). + +So, the device is still visible via rfkill even after nci_dev.cmd_wq +is destroyed. + +Let's unregister the device from rfkill first in nci_unregister_device(). + +Note that we cannot call nfc_unregister_device() before +nci_close_device() because + + 1) nfc_unregister_device() calls device_del() which frees + all memory allocated by devm_kzalloc() and linked to + ndev->conn_info_list + + 2) nci_rx_work() could try to queue nci_conn_info to + ndev->conn_info_list which could be leaked + +Thus, nfc_unregister_device() is split into two functions so we +can remove rfkill interfaces only before nci_close_device(). 
+ +[0]: +DEBUG_LOCKS_WARN_ON(1) +WARNING: kernel/locking/lockdep.c:238 at hlock_class kernel/locking/lockdep.c:238 [inline], CPU#0: syz.0.8675/6349 +WARNING: kernel/locking/lockdep.c:238 at check_wait_context kernel/locking/lockdep.c:4854 [inline], CPU#0: syz.0.8675/6349 +WARNING: kernel/locking/lockdep.c:238 at __lock_acquire+0x39d/0x2cf0 kernel/locking/lockdep.c:5187, CPU#0: syz.0.8675/6349 +Modules linked in: +CPU: 0 UID: 0 PID: 6349 Comm: syz.0.8675 Not tainted syzkaller #0 PREEMPT(full) +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026 +RIP: 0010:hlock_class kernel/locking/lockdep.c:238 [inline] +RIP: 0010:check_wait_context kernel/locking/lockdep.c:4854 [inline] +RIP: 0010:__lock_acquire+0x3a4/0x2cf0 kernel/locking/lockdep.c:5187 +Code: 18 00 4c 8b 74 24 08 75 27 90 e8 17 f2 fc 02 85 c0 74 1c 83 3d 50 e0 4e 0e 00 75 13 48 8d 3d 43 f7 51 0e 48 c7 c6 8b 3a de 8d <67> 48 0f b9 3a 90 31 c0 0f b6 98 c4 00 00 00 41 8b 45 20 25 ff 1f +RSP: 0018:ffffc9000c767680 EFLAGS: 00010046 +RAX: 0000000000000001 RBX: 0000000000040000 RCX: 0000000000080000 +RDX: ffffc90013080000 RSI: ffffffff8dde3a8b RDI: ffffffff8ff24ca0 +RBP: 0000000000000003 R08: ffffffff8fef35a3 R09: 1ffffffff1fde6b4 +R10: dffffc0000000000 R11: fffffbfff1fde6b5 R12: 00000000000012a2 +R13: ffff888030338ba8 R14: ffff888030338000 R15: ffff888030338b30 +FS: 00007fa5995f66c0(0000) GS:ffff8881256f8000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f7e72f842d0 CR3: 00000000485a0000 CR4: 00000000003526f0 +Call Trace: + + lock_acquire+0x106/0x330 kernel/locking/lockdep.c:5868 + touch_wq_lockdep_map+0xcb/0x180 kernel/workqueue.c:3940 + __flush_workqueue+0x14b/0x14f0 kernel/workqueue.c:3982 + nci_close_device+0x302/0x630 net/nfc/nci/core.c:567 + nci_dev_down+0x3b/0x50 net/nfc/nci/core.c:639 + nfc_dev_down+0x152/0x290 net/nfc/core.c:161 + nfc_rfkill_set_block+0x2d/0x100 net/nfc/core.c:179 + rfkill_set_block+0x1d2/0x440 
net/rfkill/core.c:346 + rfkill_fop_write+0x461/0x5a0 net/rfkill/core.c:1301 + vfs_write+0x29a/0xb90 fs/read_write.c:684 + ksys_write+0x150/0x270 fs/read_write.c:738 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7fa59b39acb9 +Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007fa5995f6028 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +RAX: ffffffffffffffda RBX: 00007fa59b615fa0 RCX: 00007fa59b39acb9 +RDX: 0000000000000008 RSI: 0000200000000080 RDI: 0000000000000007 +RBP: 00007fa59b408bf7 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007fa59b616038 R14: 00007fa59b615fa0 R15: 00007ffc82218788 + + +Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation") +Reported-by: syzbot+f9c5fd1a0874f9069dce@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/695e7f56.050a0220.1c677c.036c.GAE@google.com/ +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20260127040411.494931-1-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/nfc/nfc.h | 2 ++ + net/nfc/core.c | 27 ++++++++++++++++++++++++--- + net/nfc/nci/core.c | 4 +++- + 3 files changed, 29 insertions(+), 4 deletions(-) + +diff --git a/include/net/nfc/nfc.h b/include/net/nfc/nfc.h +index 3a3781838c672..473f58e646cc5 100644 +--- a/include/net/nfc/nfc.h ++++ b/include/net/nfc/nfc.h +@@ -215,6 +215,8 @@ static inline void nfc_free_device(struct nfc_dev *dev) + + int nfc_register_device(struct nfc_dev *dev); + ++void nfc_unregister_rfkill(struct nfc_dev *dev); ++void nfc_remove_device(struct nfc_dev *dev); + void nfc_unregister_device(struct nfc_dev *dev); + + /** +diff --git 
a/net/nfc/core.c b/net/nfc/core.c +index eebe9b511e0ed..96dc0e6786013 100644 +--- a/net/nfc/core.c ++++ b/net/nfc/core.c +@@ -1147,14 +1147,14 @@ int nfc_register_device(struct nfc_dev *dev) + EXPORT_SYMBOL(nfc_register_device); + + /** +- * nfc_unregister_device - unregister a nfc device in the nfc subsystem ++ * nfc_unregister_rfkill - unregister a nfc device in the rfkill subsystem + * + * @dev: The nfc device to unregister + */ +-void nfc_unregister_device(struct nfc_dev *dev) ++void nfc_unregister_rfkill(struct nfc_dev *dev) + { +- int rc; + struct rfkill *rfk = NULL; ++ int rc; + + pr_debug("dev_name=%s\n", dev_name(&dev->dev)); + +@@ -1175,7 +1175,16 @@ void nfc_unregister_device(struct nfc_dev *dev) + rfkill_unregister(rfk); + rfkill_destroy(rfk); + } ++} ++EXPORT_SYMBOL(nfc_unregister_rfkill); + ++/** ++ * nfc_remove_device - remove a nfc device in the nfc subsystem ++ * ++ * @dev: The nfc device to remove ++ */ ++void nfc_remove_device(struct nfc_dev *dev) ++{ + if (dev->ops->check_presence) { + del_timer_sync(&dev->check_pres_timer); + cancel_work_sync(&dev->check_pres_work); +@@ -1188,6 +1197,18 @@ void nfc_unregister_device(struct nfc_dev *dev) + device_del(&dev->dev); + mutex_unlock(&nfc_devlist_mutex); + } ++EXPORT_SYMBOL(nfc_remove_device); ++ ++/** ++ * nfc_unregister_device - unregister a nfc device in the nfc subsystem ++ * ++ * @dev: The nfc device to unregister ++ */ ++void nfc_unregister_device(struct nfc_dev *dev) ++{ ++ nfc_unregister_rfkill(dev); ++ nfc_remove_device(dev); ++} + EXPORT_SYMBOL(nfc_unregister_device); + + static int __init nfc_init(void) +diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c +index f456a5911e7d1..1bdaf680b488c 100644 +--- a/net/nfc/nci/core.c ++++ b/net/nfc/nci/core.c +@@ -1292,6 +1292,8 @@ void nci_unregister_device(struct nci_dev *ndev) + { + struct nci_conn_info *conn_info, *n; + ++ nfc_unregister_rfkill(ndev->nfc_dev); ++ + /* This set_bit is not protected with specialized barrier, + * However, it is fine 
because the mutex_lock(&ndev->req_lock); + * in nci_close_device() will help to emit one. +@@ -1309,7 +1311,7 @@ void nci_unregister_device(struct nci_dev *ndev) + /* conn_info is allocated with devm_kzalloc */ + } + +- nfc_unregister_device(ndev->nfc_dev); ++ nfc_remove_device(ndev->nfc_dev); + } + EXPORT_SYMBOL(nci_unregister_device); + +-- +2.51.0 + diff --git a/queue-6.12/octeon_ep-fix-memory-leak-in-octep_device_setup.patch b/queue-6.12/octeon_ep-fix-memory-leak-in-octep_device_setup.patch new file mode 100644 index 0000000000..61e7ca994a --- /dev/null +++ b/queue-6.12/octeon_ep-fix-memory-leak-in-octep_device_setup.patch 
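Review bot: The two new exported helpers in net/nfc/core.c carry an ordering contract that their kernel-doc does not state: nfc_remove_device() is only correct after nfc_unregister_rfkill() has run, which is the order both nci_unregister_device() and the nfc_unregister_device() wrapper use. A driver calling nfc_remove_device() alone would, as far as the hunks show, delete the device while its rfkill interface is still registered, which is the window this commit sets out to close. I would add to the nfc_remove_device() comment ` * Call nfc_unregister_rfkill() first; callers that need no step in between should use nfc_unregister_device().` The middle of nfc_unregister_rfkill() lies outside the hunks.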
@@ -0,0 +1,46 @@ +From aca0974b8184986ff649ee2ff2c0814f61d76626 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 13:05:51 +0000 +Subject: octeon_ep: Fix memory leak in octep_device_setup() + +From: Zilin Guan + +[ Upstream commit 8016dc5ee19a77678c264f8ba368b1e873fa705b ] + +In octep_device_setup(), if octep_ctrl_net_init() fails, the function +returns directly without unmapping the mapped resources and freeing the +allocated configuration memory. + +Fix this by jumping to the unsupported_dev label, which performs the +necessary cleanup. This aligns with the error handling logic of other +paths in this function. + +Compile tested only. Issue found using a prototype static analysis tool +and code review. + +Fixes: 577f0d1b1c5f ("octeon_ep: add separate mailbox command and response queues") +Signed-off-by: Zilin Guan +Reviewed-by: Vadim Fedorenko +Link: https://patch.msgid.link/20260121130551.3717090-1-zilin@seu.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeon_ep/octep_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/octeon_ep/octep_main.c b/drivers/net/ethernet/marvell/octeon_ep/octep_main.c +index 1b2f5cae06449..449c55c09b4a5 100644 +--- a/drivers/net/ethernet/marvell/octeon_ep/octep_main.c ++++ b/drivers/net/ethernet/marvell/octeon_ep/octep_main.c +@@ -1283,7 +1283,7 @@ int octep_device_setup(struct octep_device *oct) + + ret = octep_ctrl_net_init(oct); + if (ret) +- return ret; ++ goto unsupported_dev; + + INIT_WORK(&oct->tx_timeout_task, octep_tx_timeout_task); + INIT_WORK(&oct->ctrl_mbox_task, octep_ctrl_mbox_task); +-- +2.51.0 + diff --git a/queue-6.12/rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch b/queue-6.12/rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch new file mode 100644 index 0000000000..5aa01847ff --- /dev/null +++ b/queue-6.12/rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch 
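Review bot: The failing `octep_ctrl_net_init()` path in octep_device_setup() now leaves through `unsupported_dev`, and that label's body is outside the hunk. It is therefore not visible whether the original `ret` still reaches the caller; if the label returns a fixed code, the error is dropped. The label name also describes a different failure from the one routed to it here, so a comment at the jump such as `/* shared unwind: unmaps resources and frees the configuration */` would help the next reader. The commit message says the change was compile tested only, so the unwind deserves a check against state that octep_ctrl_net_init() may have partly set up.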
@@ -0,0 +1,56 @@ +From 9cc1411c6823f1f70738ad20763b076b5743ae01 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 24 Jan 2026 05:10:31 +0800 +Subject: rocker: fix memory leak in rocker_world_port_post_fini() + +From: Kery Qi + +[ Upstream commit 8d7ba71e46216b8657a82ca2ec118bc93812a4d0 ] + +In rocker_world_port_pre_init(), rocker_port->wpriv is allocated with +kzalloc(wops->port_priv_size, GFP_KERNEL). However, in +rocker_world_port_post_fini(), the memory is only freed when +wops->port_post_fini callback is set: + + if (!wops->port_post_fini) + return; + wops->port_post_fini(rocker_port); + kfree(rocker_port->wpriv); + +Since rocker_ofdpa_ops does not implement port_post_fini callback +(it is NULL), the wpriv memory allocated for each port is never freed +when ports are removed. This leads to a memory leak of +sizeof(struct ofdpa_port) bytes per port on every device removal. + +Fix this by always calling kfree(rocker_port->wpriv) regardless of +whether the port_post_fini callback exists. + +Fixes: e420114eef4a ("rocker: introduce worlds infrastructure") +Signed-off-by: Kery Qi +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20260123211030.2109-2-qikeyu2017@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/rocker/rocker_main.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/rocker/rocker_main.c b/drivers/net/ethernet/rocker/rocker_main.c +index fe0bf1d3217af..23b20d5fd0168 100644 +--- a/drivers/net/ethernet/rocker/rocker_main.c ++++ b/drivers/net/ethernet/rocker/rocker_main.c +@@ -1524,9 +1524,8 @@ static void rocker_world_port_post_fini(struct rocker_port *rocker_port) + { + struct rocker_world_ops *wops = rocker_port->rocker->wops; + +- if (!wops->port_post_fini) +- return; +- wops->port_post_fini(rocker_port); ++ if (wops->port_post_fini) ++ wops->port_post_fini(rocker_port); + kfree(rocker_port->wpriv); + } + +-- +2.51.0 + 
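Review bot: rocker_world_port_post_fini() now frees `rocker_port->wpriv` unconditionally, but nothing in the function records why the free must not depend on the callback, which is the mistake this commit fixes. A one-line comment above the `kfree()` would keep it from coming back: `/* wpriv is allocated in rocker_world_port_pre_init() for every world; free it even when port_post_fini is NULL */`. The pointer is also left dangling in `rocker_port` after the free. If the port structure can be reached again after this call, which the hunk does not show, `rocker_port->wpriv = NULL;` would be a cheap safeguard.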
diff --git a/queue-6.12/series b/queue-6.12/series new file mode 100644 index 0000000000..3e110dbae8 --- /dev/null +++ b/queue-6.12/series @@ -0,0 +1,23 @@ +can-at91_can-fix-memory-leak-in-at91_can_probe.patch +bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch +bluetooth-mgmt-fix-memory-leak-in-set_ssp_complete.patch +net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch +can-gs_usb-gs_usb_receive_bulk_callback-fix-error-me.patch +net-bcmasp-fix-early-exit-leak-with-fixed-phy.patch +octeon_ep-fix-memory-leak-in-octep_device_setup.patch +bonding-annotate-data-races-around-slave-last_rx.patch +net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch +ipv6-use-the-right-ifindex-when-replying-to-icmpv6-f.patch +net-wwan-t7xx-fix-potential-skb-frags-overflow-in-rx.patch +rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch +nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch +ice-fix-null-pointer-dereference-in-ice_vsi_set_napi.patch +ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch +net-mlx5e-tc-delete-flows-only-for-existing-peers.patch +nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch +net-bridge-fix-static-key-check.patch +net-phy-micrel-fix-clk-warning-when-removing-the-dri.patch +net-mlx5-fs-fix-inverted-cap-check-in-tx-flow-table-.patch +net-mlx5-initialize-events-outside-devlink-lock.patch +net-mlx5-fix-vhca_id-access-call-trace-use-before-al.patch +net-mlx5e-skip-esn-replay-window-setup-for-ipsec-cry.patch diff --git a/queue-6.18/bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch b/queue-6.18/bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch new file mode 100644 index 0000000000..c915832788 --- /dev/null +++ b/queue-6.18/bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch 
@@ -0,0 +1,73 @@ +From 6d895a67bd58f26c8ee18139db78a0312c7d41a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jan 2026 20:08:59 +0800 +Subject: Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work + +From: Jia-Hong Su + +[ Upstream commit 0c3cd7a0b862c37acbee6d9502107146cc944398 ] + +hci_uart_set_proto() sets HCI_UART_PROTO_INIT before calling +hci_uart_register_dev(), which calls proto->open() to initialize +hu->priv. However, if a TTY write wakeup occurs during this window, +hci_uart_tx_wakeup() may schedule write_work before hu->priv is +initialized, leading to a NULL pointer dereference in +hci_uart_write_work() when proto->dequeue() accesses hu->priv. + +The race condition is: + + CPU0 CPU1 + ---- ---- + hci_uart_set_proto() + set_bit(HCI_UART_PROTO_INIT) + hci_uart_register_dev() + tty write wakeup + hci_uart_tty_wakeup() + hci_uart_tx_wakeup() + schedule_work(&hu->write_work) + proto->open(hu) + // initializes hu->priv + hci_uart_write_work() + hci_uart_dequeue() + proto->dequeue(hu) + // accesses hu->priv (NULL!) + +Fix this by moving set_bit(HCI_UART_PROTO_INIT) after proto->open() +succeeds, ensuring hu->priv is initialized before any work can be +scheduled. 
+ +Fixes: 5df5dafc171b ("Bluetooth: hci_uart: Fix another race during initialization") +Link: https://lore.kernel.org/linux-bluetooth/6969764f.170a0220.2b9fc4.35a7@mx.google.com/ + +Signed-off-by: Jia-Hong Su +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/hci_ldisc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c +index d0adae3267b41..2b28515de92c4 100644 +--- a/drivers/bluetooth/hci_ldisc.c ++++ b/drivers/bluetooth/hci_ldisc.c +@@ -685,6 +685,8 @@ static int hci_uart_register_dev(struct hci_uart *hu) + return err; + } + ++ set_bit(HCI_UART_PROTO_INIT, &hu->flags); ++ + if (test_bit(HCI_UART_INIT_PENDING, &hu->hdev_flags)) + return 0; + +@@ -712,8 +714,6 @@ static int hci_uart_set_proto(struct hci_uart *hu, int id) + + hu->proto = p; + +- set_bit(HCI_UART_PROTO_INIT, &hu->flags); +- + err = hci_uart_register_dev(hu); + if (err) { + return err; +-- +2.51.0 + diff --git a/queue-6.18/bluetooth-mgmt-fix-memory-leak-in-set_ssp_complete.patch b/queue-6.18/bluetooth-mgmt-fix-memory-leak-in-set_ssp_complete.patch new file mode 100644 index 0000000000..81e78b9d5f --- /dev/null +++ b/queue-6.18/bluetooth-mgmt-fix-memory-leak-in-set_ssp_complete.patch 
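Review bot: The relocated `set_bit(HCI_UART_PROTO_INIT, &hu->flags);` in hci_uart_register_dev() publishes the state that `proto->open()` set up, but `set_bit()` by itself implies no memory barrier. The stores to `hu->priv` are therefore not ordered before the flag unless something outside the hunk does it. The reader side in hci_uart_tx_wakeup() is not shown; if it only tests the bit, I would place `smp_mb__before_atomic();` before the `set_bit()`, or add a comment naming the lock that provides the ordering. The later failure paths in hci_uart_register_dev() are also outside the hunk and should clear the bit before `proto->close()` runs, since the hci_uart_set_proto() error return shown here does not.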
@@ -0,0 +1,63 @@ +From da26a089bfe76cdf345a60b4582800cada6deb3b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 13:29:26 +0800 +Subject: Bluetooth: MGMT: Fix memory leak in set_ssp_complete + +From: Jianpeng Chang + +[ Upstream commit 1b9c17fd0a7fdcbe69ec5d6fe8e50bc5ed7f01f2 ] + +Fix memory leak in set_ssp_complete() where mgmt_pending_cmd structures +are not freed after being removed from the pending list. + +Commit 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs") replaced +mgmt_pending_foreach() calls with individual command handling but missed +adding mgmt_pending_free() calls in both error and success paths of +set_ssp_complete(). Other completion functions like set_le_complete() +were fixed correctly in the same commit. + +This causes a memory leak of the mgmt_pending_cmd structure and its +associated parameter data for each SSP command that completes. + +Add the missing mgmt_pending_free(cmd) calls in both code paths to fix +the memory leak. Also fix the same issue in set_advertising_complete(). 
+ +Fixes: 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs") +Signed-off-by: Jianpeng Chang +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/mgmt.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c +index 211951eb832af..ee2dd26b1b82b 100644 +--- a/net/bluetooth/mgmt.c ++++ b/net/bluetooth/mgmt.c +@@ -1954,6 +1954,7 @@ static void set_ssp_complete(struct hci_dev *hdev, void *data, int err) + } + + mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode, mgmt_err); ++ mgmt_pending_free(cmd); + return; + } + +@@ -1972,6 +1973,7 @@ static void set_ssp_complete(struct hci_dev *hdev, void *data, int err) + sock_put(match.sk); + + hci_update_eir_sync(hdev); ++ mgmt_pending_free(cmd); + } + + static int set_ssp_sync(struct hci_dev *hdev, void *data) +@@ -6356,6 +6358,7 @@ static void set_advertising_complete(struct hci_dev *hdev, void *data, int err) + hci_dev_clear_flag(hdev, HCI_ADVERTISING); + + settings_rsp(cmd, &match); ++ mgmt_pending_free(cmd); + + new_settings(hdev, match.sk); + +-- +2.51.0 + diff --git a/queue-6.18/bonding-annotate-data-races-around-slave-last_rx.patch b/queue-6.18/bonding-annotate-data-races-around-slave-last_rx.patch new file mode 100644 index 0000000000..0a76991c17 --- /dev/null +++ b/queue-6.18/bonding-annotate-data-races-around-slave-last_rx.patch 
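Review bot: In set_advertising_complete() only the success path gains `mgmt_pending_free(cmd);`, while set_ssp_complete() gets it on both the error return and the normal exit. The early-return branch of set_advertising_complete() is outside the hunk, so it is not visible whether it already frees `cmd`; if it does not, the leak described in the commit message remains there. With three separate free sites, a single exit label per function (`goto free;` and `free: mgmt_pending_free(cmd);`) would make a missing free harder to reintroduce.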
@@ -0,0 +1,178 @@ +From ab1cd047893bd06cae3c864673ce615ad01bc176 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jan 2026 16:29:14 +0000 +Subject: bonding: annotate data-races around slave->last_rx + +From: Eric Dumazet + +[ Upstream commit f6c3665b6dc53c3ab7d31b585446a953a74340ef ] + +slave->last_rx and slave->target_last_arp_rx[...] can be read and written +locklessly. Add READ_ONCE() and WRITE_ONCE() annotations. + +syzbot reported: + +BUG: KCSAN: data-race in bond_rcv_validate / bond_rcv_validate + +write to 0xffff888149f0d428 of 8 bytes by interrupt on cpu 1: + bond_rcv_validate+0x202/0x7a0 drivers/net/bonding/bond_main.c:3335 + bond_handle_frame+0xde/0x5e0 drivers/net/bonding/bond_main.c:1533 + __netif_receive_skb_core+0x5b1/0x1950 net/core/dev.c:6039 + __netif_receive_skb_one_core net/core/dev.c:6150 [inline] + __netif_receive_skb+0x59/0x270 net/core/dev.c:6265 + netif_receive_skb_internal net/core/dev.c:6351 [inline] + netif_receive_skb+0x4b/0x2d0 net/core/dev.c:6410 +... + +write to 0xffff888149f0d428 of 8 bytes by interrupt on cpu 0: + bond_rcv_validate+0x202/0x7a0 drivers/net/bonding/bond_main.c:3335 + bond_handle_frame+0xde/0x5e0 drivers/net/bonding/bond_main.c:1533 + __netif_receive_skb_core+0x5b1/0x1950 net/core/dev.c:6039 + __netif_receive_skb_one_core net/core/dev.c:6150 [inline] + __netif_receive_skb+0x59/0x270 net/core/dev.c:6265 + netif_receive_skb_internal net/core/dev.c:6351 [inline] + netif_receive_skb+0x4b/0x2d0 net/core/dev.c:6410 + br_netif_receive_skb net/bridge/br_input.c:30 [inline] + NF_HOOK include/linux/netfilter.h:318 [inline] +... 
+ +value changed: 0x0000000100005365 -> 0x0000000100005366 + +Fixes: f5b2b966f032 ("[PATCH] bonding: Validate probe replies in ARP monitor") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Link: https://patch.msgid.link/20260122162914.2299312-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 18 ++++++++++-------- + drivers/net/bonding/bond_options.c | 8 ++++---- + include/net/bonding.h | 13 +++++++------ + 3 files changed, 21 insertions(+), 18 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 595fda2444b1f..99adfffcca044 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -3138,8 +3138,8 @@ static void bond_validate_arp(struct bonding *bond, struct slave *slave, __be32 + __func__, &sip); + return; + } +- slave->last_rx = jiffies; +- slave->target_last_arp_rx[i] = jiffies; ++ WRITE_ONCE(slave->last_rx, jiffies); ++ WRITE_ONCE(slave->target_last_arp_rx[i], jiffies); + } + + static int bond_arp_rcv(const struct sk_buff *skb, struct bonding *bond, +@@ -3358,8 +3358,8 @@ static void bond_validate_na(struct bonding *bond, struct slave *slave, + __func__, saddr); + return; + } +- slave->last_rx = jiffies; +- slave->target_last_arp_rx[i] = jiffies; ++ WRITE_ONCE(slave->last_rx, jiffies); ++ WRITE_ONCE(slave->target_last_arp_rx[i], jiffies); + } + + static int bond_na_rcv(const struct sk_buff *skb, struct bonding *bond, +@@ -3429,7 +3429,7 @@ int bond_rcv_validate(const struct sk_buff *skb, struct bonding *bond, + (slave_do_arp_validate_only(bond) && is_ipv6) || + #endif + !slave_do_arp_validate_only(bond)) +- slave->last_rx = jiffies; ++ WRITE_ONCE(slave->last_rx, jiffies); + return RX_HANDLER_ANOTHER; + } else if (is_arp) { + return bond_arp_rcv(skb, bond, slave); +@@ -3497,7 +3497,7 @@ static void bond_loadbalance_arp_mon(struct bonding *bond) + + if (slave->link != BOND_LINK_UP) { + if 
(bond_time_in_interval(bond, last_tx, 1) && +- bond_time_in_interval(bond, slave->last_rx, 1)) { ++ bond_time_in_interval(bond, READ_ONCE(slave->last_rx), 1)) { + + bond_propose_link_state(slave, BOND_LINK_UP); + slave_state_changed = 1; +@@ -3521,8 +3521,10 @@ static void bond_loadbalance_arp_mon(struct bonding *bond) + * when the source ip is 0, so don't take the link down + * if we don't know our ip yet + */ +- if (!bond_time_in_interval(bond, last_tx, bond->params.missed_max) || +- !bond_time_in_interval(bond, slave->last_rx, bond->params.missed_max)) { ++ if (!bond_time_in_interval(bond, last_tx, ++ bond->params.missed_max) || ++ !bond_time_in_interval(bond, READ_ONCE(slave->last_rx), ++ bond->params.missed_max)) { + + bond_propose_link_state(slave, BOND_LINK_DOWN); + slave_state_changed = 1; +diff --git a/drivers/net/bonding/bond_options.c b/drivers/net/bonding/bond_options.c +index 384499c869b8d..f1c6e9d8f6167 100644 +--- a/drivers/net/bonding/bond_options.c ++++ b/drivers/net/bonding/bond_options.c +@@ -1152,7 +1152,7 @@ static void _bond_options_arp_ip_target_set(struct bonding *bond, int slot, + + if (slot >= 0 && slot < BOND_MAX_ARP_TARGETS) { + bond_for_each_slave(bond, slave, iter) +- slave->target_last_arp_rx[slot] = last_rx; ++ WRITE_ONCE(slave->target_last_arp_rx[slot], last_rx); + targets[slot] = target; + } + } +@@ -1221,8 +1221,8 @@ static int bond_option_arp_ip_target_rem(struct bonding *bond, __be32 target) + bond_for_each_slave(bond, slave, iter) { + targets_rx = slave->target_last_arp_rx; + for (i = ind; (i < BOND_MAX_ARP_TARGETS-1) && targets[i+1]; i++) +- targets_rx[i] = targets_rx[i+1]; +- targets_rx[i] = 0; ++ WRITE_ONCE(targets_rx[i], READ_ONCE(targets_rx[i+1])); ++ WRITE_ONCE(targets_rx[i], 0); + } + for (i = ind; (i < BOND_MAX_ARP_TARGETS-1) && targets[i+1]; i++) + targets[i] = targets[i+1]; +@@ -1377,7 +1377,7 @@ static void _bond_options_ns_ip6_target_set(struct bonding *bond, int slot, + + if (slot >= 0 && slot < 
BOND_MAX_NS_TARGETS) { + bond_for_each_slave(bond, slave, iter) { +- slave->target_last_arp_rx[slot] = last_rx; ++ WRITE_ONCE(slave->target_last_arp_rx[slot], last_rx); + slave_set_ns_maddr(bond, slave, target, &targets[slot]); + } + targets[slot] = *target; +diff --git a/include/net/bonding.h b/include/net/bonding.h +index 49edc7da05867..4620784035570 100644 +--- a/include/net/bonding.h ++++ b/include/net/bonding.h +@@ -521,13 +521,14 @@ static inline int bond_is_ip6_target_ok(struct in6_addr *addr) + static inline unsigned long slave_oldest_target_arp_rx(struct bonding *bond, + struct slave *slave) + { ++ unsigned long tmp, ret = READ_ONCE(slave->target_last_arp_rx[0]); + int i = 1; +- unsigned long ret = slave->target_last_arp_rx[0]; +- +- for (; (i < BOND_MAX_ARP_TARGETS) && bond->params.arp_targets[i]; i++) +- if (time_before(slave->target_last_arp_rx[i], ret)) +- ret = slave->target_last_arp_rx[i]; + ++ for (; (i < BOND_MAX_ARP_TARGETS) && bond->params.arp_targets[i]; i++) { ++ tmp = READ_ONCE(slave->target_last_arp_rx[i]); ++ if (time_before(tmp, ret)) ++ ret = tmp; ++ } + return ret; + } + +@@ -537,7 +538,7 @@ static inline unsigned long slave_last_rx(struct bonding *bond, + if (bond->params.arp_all_targets == BOND_ARP_TARGETS_ALL) + return slave_oldest_target_arp_rx(bond, slave); + +- return slave->last_rx; ++ return READ_ONCE(slave->last_rx); + } + + static inline void slave_update_last_tx(struct slave *slave) +-- +2.51.0 + diff --git a/queue-6.18/bonding-fix-use-after-free-due-to-enslave-fail-after.patch b/queue-6.18/bonding-fix-use-after-free-due-to-enslave-fail-after.patch new file mode 100644 index 0000000000..b5c024c8ce --- /dev/null +++ b/queue-6.18/bonding-fix-use-after-free-due-to-enslave-fail-after.patch 
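Review bot: The annotations in bond_option_arp_ip_target_rem() stop load and store tearing on `targets_rx[]`, but the shift is still done element by element. The `targets[i] = targets[i+1];` loop right below it and the `bond->params.arp_targets[i]` test in slave_oldest_target_arp_rx() also remain plain accesses. If those readers run without the writer's lock, as the commit message says they do for the timestamps, they can briefly pair a target with a neighbour's timestamp, and the target array may have the same race this commit annotates. A comment at the shift would record that this is accepted, for example `/* lockless readers may see a partly shifted array; entries are jiffies only */`, or the target array accesses should get the same READ_ONCE()/WRITE_ONCE() treatment. Several of the touched functions continue outside the hunks.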
@@ -0,0 +1,105 @@
+From 59abd1d5be0e5776ba142116c9e53107296af41a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 23 Jan 2026 14:06:59 +0200
+Subject: bonding: fix use-after-free due to enslave fail after slave array
+ update
+
+From: Nikolay Aleksandrov
+
+[ Upstream commit e9acda52fd2ee0cdca332f996da7a95c5fd25294 ]
+
+Fix a use-after-free which happens due to enslave failure after the new
+slave has been added to the array. Since the new slave can be used for Tx
+immediately, we can use it after it has been freed by the enslave error
+cleanup path which frees the allocated slave memory. Slave update array is
+supposed to be called last when further enslave failures are not expected.
+Move it after xdp setup to avoid any problems.
+
+It is very easy to reproduce the problem with a simple xdp_pass prog:
+ ip l add bond1 type bond mode balance-xor
+ ip l set bond1 up
+ ip l set dev bond1 xdp object xdp_pass.o sec xdp_pass
+ ip l add dumdum type dummy
+
+Then run in parallel:
+ while :; do ip l set dumdum master bond1 1>/dev/null 2>&1; done;
+ mausezahn bond1 -a own -b rand -A rand -B 1.1.1.1 -c 0 -t tcp "dp=1-1023, flags=syn"
+
+The crash happens almost immediately:
+ [ 605.602850] Oops: general protection fault, probably for non-canonical address 0xe0e6fc2460000137: 0000 [#1] SMP KASAN NOPTI
+ [ 605.602916] KASAN: maybe wild-memory-access in range [0x07380123000009b8-0x07380123000009bf]
+ [ 605.602946] CPU: 0 UID: 0 PID: 2445 Comm: mausezahn Kdump: loaded Tainted: G B 6.19.0-rc6+ #21 PREEMPT(voluntary)
+ [ 605.602979] Tainted: [B]=BAD_PAGE
+ [ 605.602998] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+ [ 605.603032] RIP: 0010:netdev_core_pick_tx+0xcd/0x210
+ [ 605.603063] Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 3e 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 6b 08 49 8d 7d 30 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 25 01 00 00 49 8b 45 30 4c 89 e2 48 89 ee 48 89
+ [ 605.603111] RSP: 0018:ffff88817b9af348 EFLAGS: 00010213
+ [ 605.603145] RAX: dffffc0000000000 RBX: ffff88817d28b420 RCX: 0000000000000000
+ [ 605.603172] RDX: 00e7002460000137 RSI: 0000000000000008 RDI: 07380123000009be
+ [ 605.603199] RBP: ffff88817b541a00 R08: 0000000000000001 R09: fffffbfff3ed8c0c
+ [ 605.603226] R10: ffffffff9f6c6067 R11: 0000000000000001 R12: 0000000000000000
+ [ 605.603253] R13: 073801230000098e R14: ffff88817d28b448 R15: ffff88817b541a84
+ [ 605.603286] FS: 00007f6570ef67c0(0000) GS:ffff888221dfa000(0000) knlGS:0000000000000000
+ [ 605.603319] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [ 605.603343] CR2: 00007f65712fae40 CR3: 000000011371b000 CR4: 0000000000350ef0
+ [ 605.603373] Call Trace:
+ [ 605.603392]
+ [ 605.603410] __dev_queue_xmit+0x448/0x32a0
+ [ 605.603434] ? __pfx_vprintk_emit+0x10/0x10
+ [ 605.603461] ? __pfx_vprintk_emit+0x10/0x10
+ [ 605.603484] ? __pfx___dev_queue_xmit+0x10/0x10
+ [ 605.603507] ? bond_start_xmit+0xbfb/0xc20 [bonding]
+ [ 605.603546] ? _printk+0xcb/0x100
+ [ 605.603566] ? __pfx__printk+0x10/0x10
+ [ 605.603589] ? bond_start_xmit+0xbfb/0xc20 [bonding]
+ [ 605.603627] ? add_taint+0x5e/0x70
+ [ 605.603648] ? add_taint+0x2a/0x70
+ [ 605.603670] ? end_report.cold+0x51/0x75
+ [ 605.603693] ? bond_start_xmit+0xbfb/0xc20 [bonding]
+ [ 605.603731] bond_start_xmit+0x623/0xc20 [bonding]
+
+Fixes: 9e2ee5c7e7c3 ("net, bonding: Add XDP support to the bonding driver")
+Signed-off-by: Nikolay Aleksandrov
+Reported-by: Chen Zhen
+Closes: https://lore.kernel.org/netdev/fae17c21-4940-5605-85b2-1d5e17342358@huawei.com/
+CC: Jussi Maki
+CC: Daniel Borkmann
+Acked-by: Daniel Borkmann
+Link: https://patch.msgid.link/20260123120659.571187-1-razor@blackwall.org
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ drivers/net/bonding/bond_main.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 99adfffcca044..51733fb29bd77 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -2293,11 +2293,6 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev,
+ unblock_netpoll_tx();
+ }
+
+- /* broadcast mode uses the all_slaves to loop through slaves. */
+- if (bond_mode_can_use_xmit_hash(bond) ||
+- BOND_MODE(bond) == BOND_MODE_BROADCAST)
+- bond_update_slave_arr(bond, NULL);
+-
+ if (!slave_dev->netdev_ops->ndo_bpf ||
+ !slave_dev->netdev_ops->ndo_xdp_xmit) {
+ if (bond->xdp_prog) {
+@@ -2331,6 +2326,11 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev,
+ bpf_prog_inc(bond->xdp_prog);
+ }
+
++ /* broadcast mode uses the all_slaves to loop through slaves. */
++ if (bond_mode_can_use_xmit_hash(bond) ||
++ BOND_MODE(bond) == BOND_MODE_BROADCAST)
++ bond_update_slave_arr(bond, NULL);
++
+ bond_xdp_set_features(bond_dev);
+
+ slave_info(bond_dev, slave_dev, "Enslaving as %s interface with %s link\n",
+--
+2.51.0
+
diff --git a/queue-6.18/btrfs-zlib-fix-the-folio-leak-on-s390-hardware-accel.patch b/queue-6.18/btrfs-zlib-fix-the-folio-leak-on-s390-hardware-accel.patch
new file mode 100644
index 0000000000..b81f73d2df
--- /dev/null
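Review bot: The comment that moves with `bond_update_slave_arr(bond, NULL)` in bond_enslave() still only says that broadcast mode walks all_slaves, so the ordering rule this use-after-free fix depends on is not recorded in the code. The commit message states that the array update must come last, once no further enslave failure is expected, because the new slave can be picked for Tx as soon as the array is updated while the error cleanup path frees it. I would extend the comment to something like `/* Publish the slave for Tx only after the last step that can fail; the enslave error path frees it. */` so that a later failure point is not added below this call. bond_enslave() begins and ends outside both hunks.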
+++ b/queue-6.18/btrfs-zlib-fix-the-folio-leak-on-s390-hardware-accel.patch
@@ -0,0 +1,55 @@
+From 7e113818fd2955204a517331255e0957a5912b73 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 19 Jan 2026 16:24:04 +1030
+Subject: btrfs: zlib: fix the folio leak on S390 hardware acceleration
+
+From: Qu Wenruo
+
+[ Upstream commit 0d0f1314e8f86f5205f71f9e31e272a1d008e40b ]
+
+[BUG]
+After commit aa60fe12b4f4 ("btrfs: zlib: refactor S390x HW acceleration
+buffer preparation"), we no longer release the folio of the page cache
+of folio returned by btrfs_compress_filemap_get_folio() for S390
+hardware acceleration path.
+
+[CAUSE]
+Before that commit, we call kumap_local() and folio_put() after handling
+each folio.
+
+Although the timing is not ideal (it release previous folio at the
+beginning of the loop, and rely on some extra cleanup out of the loop),
+it at least handles the folio release correctly.
+
+Meanwhile the refactored code is easier to read, it lacks the call to
+release the filemap folio.
+
+[FIX]
+Add the missing folio_put() for copy_data_into_buffer().
+
+CC: linux-s390@vger.kernel.org # 6.18+
+Fixes: aa60fe12b4f4 ("btrfs: zlib: refactor S390x HW acceleration buffer preparation")
+Reviewed-by: Boris Burkov
+Signed-off-by: Qu Wenruo
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Sasha Levin
+---
+ fs/btrfs/zlib.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/btrfs/zlib.c b/fs/btrfs/zlib.c
+index 6caba8be7c845..10ed48d4a8466 100644
+--- a/fs/btrfs/zlib.c
++++ b/fs/btrfs/zlib.c
+@@ -139,6 +139,7 @@ static int copy_data_into_buffer(struct address_space *mapping,
+ data_in = kmap_local_folio(folio, offset);
+ memcpy(workspace->buf + cur - filepos, data_in, copy_length);
+ kunmap_local(data_in);
++ folio_put(folio);
+ cur += copy_length;
+ }
+ return 0;
+--
+2.51.0
+
diff --git a/queue-6.18/can-at91_can-fix-memory-leak-in-at91_can_probe.patch b/queue-6.18/can-at91_can-fix-memory-leak-in-at91_can_probe.patch
new file mode 100644
index 0000000000..ccbf35f539
--- /dev/null
+++ b/queue-6.18/can-at91_can-fix-memory-leak-in-at91_can_probe.patch
@@ -0,0 +1,45 @@
+From 804ea02ee94cf12bbc5fcf6d792a7b1e2a09739b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 22 Jan 2026 11:41:28 +0000
+Subject: can: at91_can: Fix memory leak in at91_can_probe()
+
+From: Zilin Guan
+
+[ Upstream commit 0baa4d3170d72a2a8dc93bf729d6d04ad113dc72 ]
+
+In at91_can_probe(), the dev structure is allocated via alloc_candev().
+However, if the subsequent call to devm_phy_optional_get() fails, the
+code jumps directly to exit_iounmap, missing the call to free_candev().
+This results in a memory leak of the allocated net_device structure.
+
+Fix this by jumping to the exit_free label instead, which ensures that
+free_candev() is called to properly release the memory.
+
+Compile tested only. Issue found using a prototype static analysis tool
+and code review.
+
+Fixes: 3ecc09856afb ("can: at91_can: add CAN transceiver support")
+Signed-off-by: Zilin Guan
+Link: https://patch.msgid.link/20260122114128.643752-1-zilin@seu.edu.cn
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Sasha Levin
+---
+ drivers/net/can/at91_can.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/at91_can.c b/drivers/net/can/at91_can.c
+index 191707d7e3dac..d6dcb2be56342 100644
+--- a/drivers/net/can/at91_can.c
++++ b/drivers/net/can/at91_can.c
+@@ -1100,7 +1100,7 @@ static int at91_can_probe(struct platform_device *pdev)
+ if (IS_ERR(transceiver)) {
+ err = PTR_ERR(transceiver);
+ dev_err_probe(&pdev->dev, err, "failed to get phy\n");
+- goto exit_iounmap;
++ goto exit_free;
+ }
+
+ dev->netdev_ops = &at91_netdev_ops;
+--
+2.51.0
+
diff --git a/queue-6.18/can-gs_usb-gs_usb_receive_bulk_callback-fix-error-me.patch b/queue-6.18/can-gs_usb-gs_usb_receive_bulk_callback-fix-error-me.patch
new file mode 100644
index 0000000000..2b080b6393
--- /dev/null
+++ b/queue-6.18/can-gs_usb-gs_usb_receive_bulk_callback-fix-error-me.patch
@@ -0,0 +1,52 @@
+From ab6b05879531f990a48f65d560fa5936dc0ab73d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 20 Jan 2026 10:40:22 +0100
+Subject: can: gs_usb: gs_usb_receive_bulk_callback(): fix error message
+
+From: Marc Kleine-Budde
+
+[ Upstream commit 494fc029f662c331e06b7c2031deff3c64200eed ]
+
+Sinc commit 79a6d1bfe114 ("can: gs_usb: gs_usb_receive_bulk_callback():
+unanchor URL on usb_submit_urb() error") a failing resubmit URB will print
+an info message.
+
+In the case of a short read where netdev has not yet been assigned,
+initialize as NULL to avoid dereferencing an undefined value. Also report
+the error value of the failed resubmit.
+
+Fixes: 79a6d1bfe114 ("can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on usb_submit_urb() error")
+Reported-by: Jakub Kicinski
+Closes: https://lore.kernel.org/all/20260119181904.1209979-1-kuba@kernel.org/
+Link: https://patch.msgid.link/20260120-gs_usb-fix-error-message-v1-1-6be04de572bc@pengutronix.de
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Sasha Levin
+---
+ drivers/net/can/usb/gs_usb.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c
+index fd7fb21b10989..861b583935225 100644
+--- a/drivers/net/can/usb/gs_usb.c
++++ b/drivers/net/can/usb/gs_usb.c
+@@ -610,7 +610,7 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
+ {
+ struct gs_usb *parent = urb->context;
+ struct gs_can *dev;
+- struct net_device *netdev;
++ struct net_device *netdev = NULL;
+ int rc;
+ struct net_device_stats *stats;
+ struct gs_host_frame *hf = urb->transfer_buffer;
+@@ -768,7 +768,7 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
+ }
+ } else if (rc != -ESHUTDOWN && net_ratelimit()) {
+ netdev_info(netdev, "failed to re-submit IN URB: %pe\n",
+ERR_PTR(urb->status));
++ ERR_PTR(rc));
+ }
+ }
+
+--
+2.51.0
+
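Review bot: With `netdev` now initialised to NULL, the `netdev_info(netdev, ...)` call in the resubmit-failure branch can be reached with a NULL device on the short-read path the commit message describes, and nothing at the call site says that this is intended. The message then cannot name the interface that failed, which makes the log line harder to use when several adapters are attached. I would add a comment at the declaration such as `/* stays NULL if we bail out before the channel lookup; netdev_info() below must cope with that */`, or log through the parent USB device when `netdev` is NULL. Both hunks show only part of gs_usb_receive_bulk_callback().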
diff --git a/queue-6.18/ice-fix-null-pointer-dereference-in-ice_vsi_set_napi.patch b/queue-6.18/ice-fix-null-pointer-dereference-in-ice_vsi_set_napi.patch
new file mode 100644
index 0000000000..08822aff95
--- /dev/null
+++ b/queue-6.18/ice-fix-null-pointer-dereference-in-ice_vsi_set_napi.patch
@@ -0,0 +1,96 @@
+From 32355b2d35f195b355cf4821db437c1ad1f3d835 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 25 Dec 2025 14:21:21 +0800
+Subject: ice: Fix NULL pointer dereference in ice_vsi_set_napi_queues
+
+From: Aaron Ma
+
+[ Upstream commit 9bb30be4d89ff9a8d7ab1aa0eb2edaca83431f85 ]
+
+Add NULL pointer checks in ice_vsi_set_napi_queues() to prevent crashes
+during resume from suspend when rings[q_idx]->q_vector is NULL.
+
+Tested adaptor:
+60:00.0 Ethernet controller [0200]: Intel Corporation Ethernet Controller E810-XXV for SFP [8086:159b] (rev 02)
+ Subsystem: Intel Corporation Ethernet Network Adapter E810-XXV-2 [8086:4003]
+
+SR-IOV state: both disabled and enabled can reproduce this issue.
+
+kernel version: v6.18
+
+Reproduce steps:
+Boot up and execute suspend like systemctl suspend or rtcwake.
+
+Log:
+<1>[ 231.443607] BUG: kernel NULL pointer dereference, address: 0000000000000040
+<1>[ 231.444052] #PF: supervisor read access in kernel mode
+<1>[ 231.444484] #PF: error_code(0x0000) - not-present page
+<6>[ 231.444913] PGD 0 P4D 0
+<4>[ 231.445342] Oops: Oops: 0000 [#1] SMP NOPTI
+<4>[ 231.446635] RIP: 0010:netif_queue_set_napi+0xa/0x170
+<4>[ 231.447067] Code: 31 f6 31 ff c3 cc cc cc cc 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 48 85 c9 74 0b <48> 83 79 30 00 0f 84 39 01 00 00 55 41 89 d1 49 89 f8 89 f2 48 89
+<4>[ 231.447513] RSP: 0018:ffffcc780fc078c0 EFLAGS: 00010202
+<4>[ 231.447961] RAX: ffff8b848ca30400 RBX: ffff8b848caf2028 RCX: 0000000000000010
+<4>[ 231.448443] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8b848dbd4000
+<4>[ 231.448896] RBP: ffffcc780fc078e8 R08: 0000000000000000 R09: 0000000000000000
+<4>[ 231.449345] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
+<4>[ 231.449817] R13: ffff8b848dbd4000 R14: ffff8b84833390c8 R15: 0000000000000000
+<4>[ 231.450265] FS: 00007c7b29e9d740(0000) GS:ffff8b8c068e2000(0000) knlGS:0000000000000000
+<4>[ 231.450715] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+<4>[ 231.451179] CR2: 0000000000000040 CR3: 000000030626f004 CR4: 0000000000f72ef0
+<4>[ 231.451629] PKRU: 55555554
+<4>[ 231.452076] Call Trace:
+<4>[ 231.452549]
+<4>[ 231.452996] ? ice_vsi_set_napi_queues+0x4d/0x110 [ice]
+<4>[ 231.453482] ice_resume+0xfd/0x220 [ice]
+<4>[ 231.453977] ? __pfx_pci_pm_resume+0x10/0x10
+<4>[ 231.454425] pci_pm_resume+0x8c/0x140
+<4>[ 231.454872] ? __pfx_pci_pm_resume+0x10/0x10
+<4>[ 231.455347] dpm_run_callback+0x5f/0x160
+<4>[ 231.455796] ? dpm_wait_for_superior+0x107/0x170
+<4>[ 231.456244] device_resume+0x177/0x270
+<4>[ 231.456708] dpm_resume+0x209/0x2f0
+<4>[ 231.457151] dpm_resume_end+0x15/0x30
+<4>[ 231.457596] suspend_devices_and_enter+0x1da/0x2b0
+<4>[ 231.458054] enter_state+0x10e/0x570
+
+Add defensive checks for both the ring pointer and its q_vector
+before dereferencing, allowing the system to resume successfully even when
+q_vectors are unmapped.
+
+Fixes: 2a5dc090b92cf ("ice: move netif_queue_set_napi to rtnl-protected sections")
+Reviewed-by: Aleksandr Loktionov
+Signed-off-by: Aaron Ma
+Reviewed-by: Paul Menzel
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/ice/ice_lib.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_lib.c b/drivers/net/ethernet/intel/ice/ice_lib.c
+index 5a3e7d6697325..3d14932871c58 100644
+--- a/drivers/net/ethernet/intel/ice/ice_lib.c
++++ b/drivers/net/ethernet/intel/ice/ice_lib.c
+@@ -2784,12 +2784,14 @@ void ice_vsi_set_napi_queues(struct ice_vsi *vsi)
+ return;
+
+ ice_for_each_rxq(vsi, q_idx)
+- netif_queue_set_napi(netdev, q_idx, NETDEV_QUEUE_TYPE_RX,
+- &vsi->rx_rings[q_idx]->q_vector->napi);
++ if (vsi->rx_rings[q_idx] && vsi->rx_rings[q_idx]->q_vector)
++ netif_queue_set_napi(netdev, q_idx, NETDEV_QUEUE_TYPE_RX,
++ &vsi->rx_rings[q_idx]->q_vector->napi);
+
+ ice_for_each_txq(vsi, q_idx)
+- netif_queue_set_napi(netdev, q_idx, NETDEV_QUEUE_TYPE_TX,
+- &vsi->tx_rings[q_idx]->q_vector->napi);
++ if (vsi->tx_rings[q_idx] && vsi->tx_rings[q_idx]->q_vector)
++ netif_queue_set_napi(netdev, q_idx, NETDEV_QUEUE_TYPE_TX,
++ &vsi->tx_rings[q_idx]->q_vector->napi);
+ /* Also set the interrupt number for the NAPI */
+ ice_for_each_q_vector(vsi, v_idx) {
+ struct ice_q_vector *q_vector = vsi->q_vectors[v_idx];
+--
+2.51.0
+
diff --git a/queue-6.18/ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch b/queue-6.18/ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch
new file mode 100644
index 0000000000..99345f0e71
--- /dev/null
+++ b/queue-6.18/ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch
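Review bot: The new `if` statements under `ice_for_each_rxq(vsi, q_idx)` and `ice_for_each_txq(vsi, q_idx)` each span three lines, yet the loop bodies have no braces, which is easy to misread next to the braced `ice_for_each_q_vector` loop that follows; wrapping each loop body in `{ ... }` would make its extent explicit. The guards also skip a queue silently, so a ring that is left without a `q_vector` after resume gets no NAPI association and nothing records it. A short comment above the first loop, for example `/* q_vector can be NULL here while vectors are unmapped during resume */`, would carry the reasoning that is now only in the commit message. ice_vsi_set_napi_queues() starts before the hunk and continues after it.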
@@ -0,0 +1,62 @@
+From f8b0c509efd78a3079b308d8a1519e00d6ee3e4f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 1 Dec 2025 15:38:52 -0800
+Subject: ice: stop counting UDP csum mismatch as rx_errors
+
+From: Jesse Brandeburg
+
+[ Upstream commit 05faf2c0a76581d0a7fdbb8ec46477ba183df95b ]
+
+Since the beginning, the Intel ice driver has counted receive checksum
+offload mismatches into the rx_errors member of the rtnl_link_stats64
+struct. In ethtool -S these show up as rx_csum_bad.nic.
+
+I believe counting these in rx_errors is fundamentally wrong, as it's
+pretty clear from the comments in if_link.h and from every other statistic
+the driver is summing into rx_errors, that all of them would cause a
+"hardware drop" except for the UDP checksum mismatch, as well as the fact
+that all the other causes for rx_errors are L2 reasons, and this L4 UDP
+"mismatch" is an outlier.
+
+A last nail in the coffin is that rx_errors is monitored in production and
+can indicate a bad NIC/cable/Switch port, but instead some random series of
+UDP packets with bad checksums will now trigger this alert. This false
+positive makes the alert useless and affects us as well as other companies.
+
+This packet with presumably a bad UDP checksum is *already* passed to the
+stack, just not marked as offloaded by the hardware/driver. If it is
+dropped by the stack it will show up as UDP_MIB_CSUMERRORS.
+
+And one more thing, none of the other Intel drivers, and at least bnxt_en
+and mlx5 both don't appear to count UDP offload mismatches as rx_errors.
+
+Here is a related customer complaint:
+https://community.intel.com/t5/Ethernet-Products/ice-rx-errros-is-too-sensitive-to-IP-TCP-attack-packets-Intel/td-p/1662125
+
+Fixes: 4f1fe43c920b ("ice: Add more Rx errors to netdev's rx_error counter")
+Cc: Tony Nguyen
+Cc: Jake Keller
+Cc: IWL
+Signed-off-by: Jesse Brandeburg
+Acked-by: Jacob Keller
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/ice/ice_main.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c
+index fc284802e2bcd..b5ebfcdc9d434 100644
+--- a/drivers/net/ethernet/intel/ice/ice_main.c
++++ b/drivers/net/ethernet/intel/ice/ice_main.c
+@@ -6993,7 +6993,6 @@ void ice_update_vsi_stats(struct ice_vsi *vsi)
+ cur_ns->rx_errors = pf->stats.crc_errors +
+ pf->stats.illegal_bytes +
+ pf->stats.rx_undersize +
+- pf->hw_csum_rx_error +
+ pf->stats.rx_jabber +
+ pf->stats.rx_fragments +
+ pf->stats.rx_oversize;
+--
+2.51.0
+
diff --git a/queue-6.18/ipv6-use-the-right-ifindex-when-replying-to-icmpv6-f.patch b/queue-6.18/ipv6-use-the-right-ifindex-when-replying-to-icmpv6-f.patch
new file mode 100644
index 0000000000..0488d6597b
--- /dev/null
+++ b/queue-6.18/ipv6-use-the-right-ifindex-when-replying-to-icmpv6-f.patch
@@ -0,0 +1,52 @@
+From 4d486e66a41f15b07a01e0b6f87889891e7343d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 21 Jan 2026 20:44:08 +0100
+Subject: ipv6: use the right ifindex when replying to icmpv6 from localhost
+
+From: Fernando Fernandez Mancera
+
+[ Upstream commit 03cbcdf93866e61beb0063392e6dbb701f03aea2 ]
+
+When replying to a ICMPv6 echo request that comes from localhost address
+the right output ifindex is 1 (lo) and not rt6i_idev dev index. Use the
+skb device ifindex instead. This fixes pinging to a local address from
+localhost source address.
+
+$ ping6 -I ::1 2001:1:1::2 -c 3
+PING 2001:1:1::2 (2001:1:1::2) from ::1 : 56 data bytes
+64 bytes from 2001:1:1::2: icmp_seq=1 ttl=64 time=0.037 ms
+64 bytes from 2001:1:1::2: icmp_seq=2 ttl=64 time=0.069 ms
+64 bytes from 2001:1:1::2: icmp_seq=3 ttl=64 time=0.122 ms
+
+2001:1:1::2 ping statistics
+3 packets transmitted, 3 received, 0% packet loss, time 2032ms
+rtt min/avg/max/mdev = 0.037/0.076/0.122/0.035 ms
+
+Fixes: 1b70d792cf67 ("ipv6: Use rt6i_idev index for echo replies to a local address")
+Signed-off-by: Fernando Fernandez Mancera
+Reviewed-by: David Ahern
+Link: https://patch.msgid.link/20260121194409.6749-1-fmancera@suse.de
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv6/icmp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
+index 56c974cf75d15..cf6455cbe2cc9 100644
+--- a/net/ipv6/icmp.c
++++ b/net/ipv6/icmp.c
+@@ -769,7 +769,9 @@ static enum skb_drop_reason icmpv6_echo_reply(struct sk_buff *skb)
+ fl6.daddr = ipv6_hdr(skb)->saddr;
+ if (saddr)
+ fl6.saddr = *saddr;
+- fl6.flowi6_oif = icmp6_iif(skb);
++ fl6.flowi6_oif = ipv6_addr_loopback(&fl6.daddr) ?
++ skb->dev->ifindex :
++ icmp6_iif(skb);
+ fl6.fl6_icmp_type = type;
+ fl6.flowi6_mark = mark;
+ fl6.flowi6_uid = sock_net_uid(net, NULL);
+--
+2.51.0
+
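Review bot: The new conditional that sets `fl6.flowi6_oif` in icmpv6_echo_reply() carries no comment, so the reason a loopback destination is special-cased is only recoverable from the commit message. A line above the assignment such as `/* A reply to a loopback source must go out via the skb's own device (lo), not the icmp6_iif() index. */` would keep that visible to whoever next touches the output-interface selection. The function body extends beyond the hunk in both directions.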
diff --git a/queue-6.18/ixgbe-don-t-initialize-aci-lock-in-ixgbe_recovery_pr.patch b/queue-6.18/ixgbe-don-t-initialize-aci-lock-in-ixgbe_recovery_pr.patch
new file mode 100644
index 0000000000..fa9c3bbdf7
--- /dev/null
+++ b/queue-6.18/ixgbe-don-t-initialize-aci-lock-in-ixgbe_recovery_pr.patch
@@ -0,0 +1,54 @@
+From fbe5570ca175c2869d3d7aa2131d74e110f1ae9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 11 Dec 2025 18:15:32 +0900
+Subject: ixgbe: don't initialize aci lock in ixgbe_recovery_probe()
+
+From: Kohei Enju
+
+[ Upstream commit 100cf7b4ca6ed770ec4287f3789b1da2e340a05a ]
+
+hw->aci.lock is already initialized in ixgbe_sw_init(), so
+ixgbe_recovery_probe() doesn't need to initialize the lock. This
+function is also not responsible for destroying the lock on failures.
+
+Additionally, change the name of label in accordance with this change.
+
+Fixes: 29cb3b8d95c7 ("ixgbe: add E610 implementation of FW recovery mode")
+Reported-by: Simon Horman
+Closes: https://lore.kernel.org/intel-wired-lan/aTcFhoH-z2btEKT-@horms.kernel.org/
+Signed-off-by: Kohei Enju
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+index ee1007e9b6355..3edebca958307 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+@@ -11476,10 +11476,9 @@ static int ixgbe_recovery_probe(struct ixgbe_adapter *adapter)
+ return err;
+
+ ixgbe_get_hw_control(adapter);
+- mutex_init(&hw->aci.lock);
+ err = ixgbe_get_flash_data(&adapter->hw);
+ if (err)
+- goto shutdown_aci;
++ goto err_release_hw_control;
+
+ timer_setup(&adapter->service_timer, ixgbe_service_timer, 0);
+ INIT_WORK(&adapter->service_task, ixgbe_recovery_service_task);
+@@ -11502,8 +11501,7 @@ static int ixgbe_recovery_probe(struct ixgbe_adapter *adapter)
+ devl_unlock(adapter->devlink);
+
+ return 0;
+-shutdown_aci:
+- mutex_destroy(&adapter->hw.aci.lock);
++err_release_hw_control:
+ ixgbe_release_hw_control(adapter);
+ return err;
+ }
+--
+2.51.0
+
diff --git a/queue-6.18/ixgbe-fix-memory-leaks-in-the-ixgbe_recovery_probe-p.patch b/queue-6.18/ixgbe-fix-memory-leaks-in-the-ixgbe_recovery_probe-p.patch
new file mode 100644
index 0000000000..687ce76079
--- /dev/null
+++ b/queue-6.18/ixgbe-fix-memory-leaks-in-the-ixgbe_recovery_probe-p.patch
@@ -0,0 +1,87 @@
+From 9be5e2deabb98fface0252ea29ab5cdfec487dba Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 11 Dec 2025 18:15:31 +0900
+Subject: ixgbe: fix memory leaks in the ixgbe_recovery_probe() path
+
+From: Kohei Enju
+
+[ Upstream commit 638344712aefeba97b6e0d90f560815fd88abd0f ]
+
+When ixgbe_recovery_probe() is invoked and this function fails,
+allocated resources in advance are not completely freed, because
+ixgbe_probe() returns ixgbe_recovery_probe() directly and
+ixgbe_recovery_probe() only frees partial resources, resulting in memory
+leaks including:
+- adapter->io_addr
+- adapter->jump_tables[0]
+- adapter->mac_table
+- adapter->rss_key
+- adapter->af_xdp_zc_qps
+
+The leaked MMIO region can be observed in /proc/vmallocinfo, and the
+remaining leaks are reported by kmemleak.
+
+Don't return ixgbe_recovery_probe() directly, and instead let
+ixgbe_probe() to clean up resources on failures.
+
+Fixes: 29cb3b8d95c7 ("ixgbe: add E610 implementation of FW recovery mode")
+Signed-off-by: Kohei Enju
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 20 ++++++++-----------
+ 1 file changed, 8 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+index 3190ce7e44c74..ee1007e9b6355 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+@@ -11468,14 +11468,12 @@ static void ixgbe_set_fw_version(struct ixgbe_adapter *adapter)
+ */
+ static int ixgbe_recovery_probe(struct ixgbe_adapter *adapter)
+ {
+- struct net_device *netdev = adapter->netdev;
+ struct pci_dev *pdev = adapter->pdev;
+ struct ixgbe_hw *hw = &adapter->hw;
+- bool disable_dev;
+ int err = -EIO;
+
+ if (hw->mac.type != ixgbe_mac_e610)
+- goto clean_up_probe;
++ return err;
+
+ ixgbe_get_hw_control(adapter);
+ mutex_init(&hw->aci.lock);
+@@ -11507,13 +11505,6 @@ static int ixgbe_recovery_probe(struct ixgbe_adapter *adapter)
+ shutdown_aci:
+ mutex_destroy(&adapter->hw.aci.lock);
+ ixgbe_release_hw_control(adapter);
+-clean_up_probe:
+- disable_dev = !test_and_set_bit(__IXGBE_DISABLED, &adapter->state);
+- free_netdev(netdev);
+- devlink_free(adapter->devlink);
+- pci_release_mem_regions(pdev);
+- if (disable_dev)
+- pci_disable_device(pdev);
+ return err;
+ }
+
+@@ -11655,8 +11646,13 @@ static int ixgbe_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ if (err)
+ goto err_sw_init;
+
+- if (ixgbe_check_fw_error(adapter))
+- return ixgbe_recovery_probe(adapter);
++ if (ixgbe_check_fw_error(adapter)) {
++ err = ixgbe_recovery_probe(adapter);
++ if (err)
++ goto err_sw_init;
++
++ return 0;
++ }
+
+ if (adapter->hw.mac.type == ixgbe_mac_e610) {
+ err = ixgbe_get_caps(&adapter->hw);
+--
+2.51.0
+
diff --git a/queue-6.18/mptcp-fix-race-in-mptcp_pm_nl_flush_addrs_doit.patch b/queue-6.18/mptcp-fix-race-in-mptcp_pm_nl_flush_addrs_doit.patch
new file mode 100644
index 0000000000..a578726b8f
--- /dev/null
+++ b/queue-6.18/mptcp-fix-race-in-mptcp_pm_nl_flush_addrs_doit.patch
@@ -0,0 +1,72 @@
+From a4261966354cf91abd8d526d681772bfe41a1de7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 24 Jan 2026 11:59:18 +0100
+Subject: mptcp: fix race in mptcp_pm_nl_flush_addrs_doit()
+
+From: Eric Dumazet
+
+[ Upstream commit e2a9eeb69f7d4ca4cf4c70463af77664fdb6ab1d ]
+
+syzbot and Eulgyu Kim reported crashes in mptcp_pm_nl_get_local_id()
+and/or mptcp_pm_nl_is_backup()
+
+Root cause is list_splice_init() in mptcp_pm_nl_flush_addrs_doit()
+which is not RCU ready.
+
+list_splice_init_rcu() can not be called here while holding pernet->lock
+spinlock.
+
+Many thanks to Eulgyu Kim for providing a repro and testing our patches.
+
+Fixes: 141694df6573 ("mptcp: remove address when netlink flushes addrs")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot+5498a510ff9de39d37da@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/6970a46d.a00a0220.3ad28e.5cf0.GAE@google.com/T/
+Reported-by: Eulgyu Kim
+Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/611
+Reviewed-by: Mat Martineau
+Signed-off-by: Matthieu Baerts (NGI0)
+Link: https://patch.msgid.link/20260124-net-mptcp-race_nl_flush_addrs-v3-1-b2dc1b613e9d@kernel.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/mptcp/pm_kernel.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/net/mptcp/pm_kernel.c b/net/mptcp/pm_kernel.c
+index 0a50fd5edc06d..1b517a81e0299 100644
+--- a/net/mptcp/pm_kernel.c
++++ b/net/mptcp/pm_kernel.c
+@@ -1276,16 +1276,26 @@ static void __reset_counters(struct pm_nl_pernet *pernet)
+ int mptcp_pm_nl_flush_addrs_doit(struct sk_buff *skb, struct genl_info *info)
+ {
+ struct pm_nl_pernet *pernet = genl_info_pm_nl(info);
+- LIST_HEAD(free_list);
++ struct list_head free_list;
+
+ spin_lock_bh(&pernet->lock);
+- list_splice_init(&pernet->endp_list, &free_list);
++ free_list = pernet->endp_list;
++ INIT_LIST_HEAD_RCU(&pernet->endp_list);
+ __reset_counters(pernet);
+ pernet->next_id = 1;
+ bitmap_zero(pernet->id_bitmap, MPTCP_PM_MAX_ADDR_ID + 1);
+ spin_unlock_bh(&pernet->lock);
+- mptcp_nl_flush_addrs_list(sock_net(skb->sk), &free_list);
++
++ if (free_list.next == &pernet->endp_list)
++ return 0;
++
+ synchronize_rcu();
++
++ /* Adjust the pointers to free_list instead of pernet->endp_list */
++ free_list.prev->next = &free_list;
++ free_list.next->prev = &free_list;
++
++ mptcp_nl_flush_addrs_list(sock_net(skb->sk), &free_list);
+ __flush_addrs(&free_list);
+ return 0;
+ }
+--
+2.51.0
+
diff --git a/queue-6.18/net-bcmasp-fix-early-exit-leak-with-fixed-phy.patch b/queue-6.18/net-bcmasp-fix-early-exit-leak-with-fixed-phy.patch
new file mode 100644
index 0000000000..2941a4a56f
--- /dev/null
+++ b/queue-6.18/net-bcmasp-fix-early-exit-leak-with-fixed-phy.patch
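Review bot: The one-line comment before the `free_list.prev->next` / `free_list.next->prev` fix-up in mptcp_pm_nl_flush_addrs_doit() says what is adjusted but not why it has to wait until after `synchronize_rcu()`. After the struct copy `free_list = pernet->endp_list`, the first and last entries still point back at `&pernet->endp_list`, which is presumably what lets readers that are already walking the old entries terminate; repointing them earlier would send such a reader to the on-stack head. I would expand the comment to something like `/* Readers may still walk the detached entries until the grace period ends; only then repoint both ends at the on-stack head. */`. The new early `return 0` for an empty list also skips `mptcp_nl_flush_addrs_list()`, which the old code always called, so it is worth confirming that the call does nothing for an empty list.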
@@ -0,0 +1,48 @@
+From 251a190efea59a816d136cb8c8e8992a69248d83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 22 Jan 2026 11:40:01 -0800
+Subject: net: bcmasp: fix early exit leak with fixed phy
+
+From: Justin Chen
+
+[ Upstream commit 6de4436bf369e1444606445e4cd5df5bcfc74b48 ]
+
+We are not deregistering the fixed phy link when hitting the early
+exit condition. Add the correct early exit sequence.
+
+Fixes: 490cb412007d ("net: bcmasp: Add support for ASP2.0 Ethernet controller")
+Signed-off-by: Justin Chen
+Reviewed-by: Florian Fainelli
+Link: https://patch.msgid.link/20260122194001.1098859-1-justin.chen@broadcom.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c b/drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c
+index b9973956c4809..ceb6c11431dd9 100644
+--- a/drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c
++++ b/drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c
+@@ -1261,7 +1261,7 @@ struct bcmasp_intf *bcmasp_interface_create(struct bcmasp_priv *priv,
+ netdev_err(intf->ndev, "invalid PHY mode: %s for port %d\n",
+ phy_modes(intf->phy_interface), intf->port);
+ ret = -EINVAL;
+- goto err_free_netdev;
++ goto err_deregister_fixed_link;
+ }
+
+ ret = of_get_ethdev_address(ndev_dn, ndev);
+@@ -1286,6 +1286,9 @@ struct bcmasp_intf *bcmasp_interface_create(struct bcmasp_priv *priv,
+
+ return intf;
+
++err_deregister_fixed_link:
++ if (of_phy_is_fixed_link(ndev_dn))
++ of_phy_deregister_fixed_link(ndev_dn);
+ err_free_netdev:
+ free_netdev(ndev);
+ err:
+--
+2.51.0
+
diff --git a/queue-6.18/net-bridge-fix-static-key-check.patch b/queue-6.18/net-bridge-fix-static-key-check.patch
new file mode 100644
index 0000000000..f73baca9e3
--- /dev/null
+++ b/queue-6.18/net-bridge-fix-static-key-check.patch
@@ -0,0 +1,40 @@
+From ab41fbe11b52999622e98c403a8e7463207b65db Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 27 Jan 2026 11:19:23 +0100
+Subject: net: bridge: fix static key check
+
+From: Martin Kaiser
+
+[ Upstream commit cc0cf10fdaeadf5542d64a55b5b4120d3df90b7d ]
+
+Fix the check if netfilter's static keys are available. netfilter defines
+and exports static keys if CONFIG_JUMP_LABEL is enabled. (HAVE_JUMP_LABEL
+is never defined.)
+
+Fixes: 971502d77faa ("bridge: netfilter: unroll NF_HOOK helper in bridge input path")
+Signed-off-by: Martin Kaiser
+Reviewed-by: Florian Westphal
+Reviewed-by: Nikolay Aleksandrov
+Link: https://patch.msgid.link/20260127101925.1754425-1-martin@kaiser.cx
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/bridge/br_input.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
+index e355a15bf5ab1..1405f1061a549 100644
+--- a/net/bridge/br_input.c
++++ b/net/bridge/br_input.c
+@@ -274,7 +274,7 @@ static int nf_hook_bridge_pre(struct sk_buff *skb, struct sk_buff **pskb)
+ int ret;
+
+ net = dev_net(skb->dev);
+-#ifdef HAVE_JUMP_LABEL
++#ifdef CONFIG_JUMP_LABEL
+ if (!static_key_false(&nf_hooks_needed[NFPROTO_BRIDGE][NF_BR_PRE_ROUTING]))
+ goto frame_finish;
+ #endif
+--
+2.51.0
+
diff --git a/queue-6.18/net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch b/queue-6.18/net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch
new file mode 100644
index 0000000000..de98a1aeaf
--- /dev/null
+++ b/queue-6.18/net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch
@@ -0,0 +1,46 @@
+From 7fe6886209eb51d8c1e394443dab596a4a984b0e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 20 Jan 2026 13:46:40 +0000
+Subject: net/mlx5: Fix memory leak in esw_acl_ingress_lgcy_setup()
+
+From: Zilin Guan
+
+[ Upstream commit 108948f723b13874b7ebf6b3f1cc598a7de38622 ]
+
+In esw_acl_ingress_lgcy_setup(), if esw_acl_table_create() fails,
+the function returns directly without releasing the previously
+created counter, leading to a memory leak.
+
+Fix this by jumping to the out label instead of returning directly,
+which aligns with the error handling logic of other paths in this
+function.
+
+Compile tested only. Issue found using a prototype static analysis tool
+and code review.
+
+Fixes: 07bab9502641 ("net/mlx5: E-Switch, Refactor eswitch ingress acl codes")
+Signed-off-by: Zilin Guan
+Reviewed-by: Tariq Toukan
+Link: https://patch.msgid.link/20260120134640.2717808-1-zilin@seu.edu.cn
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c
+index 1c37098e09ea5..49a637829c594 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c
+@@ -188,7 +188,7 @@ int esw_acl_ingress_lgcy_setup(struct mlx5_eswitch *esw,
+ if (IS_ERR(vport->ingress.acl)) {
+ err = PTR_ERR(vport->ingress.acl);
+ vport->ingress.acl = NULL;
+- return err;
++ goto out;
+ }
+
+ err = esw_acl_ingress_lgcy_groups_create(esw, vport);
+--
+2.51.0
+
diff --git a/queue-6.18/net-mlx5-fix-return-type-mismatch-in-mlx5_esw_vport_.patch b/queue-6.18/net-mlx5-fix-return-type-mismatch-in-mlx5_esw_vport_.patch
new file mode 100644
index 0000000000..06706ee4f3
--- /dev/null
+++ b/queue-6.18/net-mlx5-fix-return-type-mismatch-in-mlx5_esw_vport_.patch
@@ -0,0 +1,44 @@
+From 75d3e88b686dd59ee3e9df72aba5a02ff166eb32 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 23 Jan 2026 16:57:49 +0800
+Subject: net/mlx5: Fix return type mismatch in mlx5_esw_vport_vhca_id()
+
+From: Zeng Chi
+
+[ Upstream commit ca12c4a155ebf84e9ef29b05ce979bc89364290f ]
+
+The function mlx5_esw_vport_vhca_id() is declared to return bool,
+but returns -EOPNOTSUPP (-45), which is an int error code. This
+causes a signedness bug as reported by smatch.
+
+This patch fixes this smatch report:
+drivers/net/ethernet/mellanox/mlx5/core/eswitch.h:981 mlx5_esw_vport_vhca_id()
+warn: signedness bug returning '(-45)'
+
+Fixes: 1baf30426553 ("net/mlx5: E-Switch, Set/Query hca cap via vhca id")
+Reviewed-by: Parav Pandit
+Signed-off-by: Zeng Chi
+Reviewed-by: Tariq Toukan
+Link: https://patch.msgid.link/20260123085749.1401969-1-zeng_chi911@163.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/mellanox/mlx5/core/eswitch.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
+index 16eb99aba2a7e..2d91f77b01601 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
+@@ -1002,7 +1002,7 @@ mlx5_esw_host_functions_enabled(const struct mlx5_core_dev *dev)
+ static inline bool
+ mlx5_esw_vport_vhca_id(struct mlx5_eswitch *esw, u16 vportn, u16 *vhca_id)
+ {
+- return -EOPNOTSUPP;
++ return false;
+ }
+
+ #endif /* CONFIG_MLX5_ESWITCH */
+--
+2.51.0
+
diff --git a/queue-6.18/net-mlx5-fix-vhca_id-access-call-trace-use-before-al.patch b/queue-6.18/net-mlx5-fix-vhca_id-access-call-trace-use-before-al.patch
new file mode 100644
index 0000000000..68a304e83d
--- /dev/null
+++ b/queue-6.18/net-mlx5-fix-vhca_id-access-call-trace-use-before-al.patch
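Review bot: The `!CONFIG_MLX5_ESWITCH` stub of `mlx5_esw_vport_vhca_id()` returns `false` but never writes `*vhca_id`, and nothing in the header says so. A caller that does not test the return value would go on to use an uninitialised `u16`; the callers are outside this hunk, so that is worth confirming. I would add a one-line contract above the stub, `/* E-Switch disabled: always fails and leaves *vhca_id untouched; callers must check the return value. */`.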
@@ -0,0 +1,158 @@ +From 7e6b669e5049bed6936a052d5e37dc874e3c37cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Jan 2026 10:52:40 +0200 +Subject: net/mlx5: Fix vhca_id access call trace use before alloc + +From: Parav Pandit + +[ Upstream commit a8f930b7be7be3f18f14446df461e17137400407 ] + +HCA CAP structure is allocated in mlx5_hca_caps_alloc(). +mlx5_mdev_init() + mlx5_hca_caps_alloc() + +And HCA CAP is read from the device in mlx5_init_one(). + +The vhca_id's debugfs file is published even before above two +operations are done. +Due to this when user reads the vhca id before the initialization, +following call trace is observed. + +Fix this by deferring debugfs publication until the HCA CAP is +allocated and read from the device. + +BUG: kernel NULL pointer dereference, address: 0000000000000004 +PGD 0 P4D 0 +Oops: Oops: 0000 [#1] SMP PTI +CPU: 23 UID: 0 PID: 6605 Comm: cat Kdump: loaded Not tainted 6.18.0-rc7-sf+ #110 PREEMPT(full) +Hardware name: Supermicro SYS-6028U-TR4+/X10DRU-i+, BIOS 2.0b 08/09/2016 +RIP: 0010:vhca_id_show+0x17/0x30 [mlx5_core] +Code: cb 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 48 8b 47 70 48 c7 c6 45 f0 12 c1 48 8b 80 70 03 00 00 <8b> 50 04 0f ca 0f b7 d2 e8 8c 82 47 cb 31 c0 c3 cc cc cc cc 0f 1f +RSP: 0018:ffffd37f4f337d40 EFLAGS: 00010203 +RAX: 0000000000000000 RBX: ffff8f18445c9b40 RCX: 0000000000000001 +RDX: ffff8f1109825180 RSI: ffffffffc112f045 RDI: ffff8f18445c9b40 +RBP: 0000000000000000 R08: 0000645eac0d2928 R09: 0000000000000006 +R10: ffffd37f4f337d48 R11: 0000000000000000 R12: ffffd37f4f337dd8 +R13: ffffd37f4f337db0 R14: ffff8f18445c9b68 R15: 0000000000000001 +FS: 00007f3eea099580(0000) GS:ffff8f2090f1f000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000004 CR3: 00000008b64e4006 CR4: 00000000003726f0 +Call Trace: + + seq_read_iter+0x11f/0x4f0 + ? _raw_spin_unlock+0x15/0x30 + ? do_anonymous_page+0x104/0x810 + seq_read+0xf6/0x120 + ? 
srso_alias_untrain_ret+0x1/0x10 + full_proxy_read+0x5c/0x90 + vfs_read+0xad/0x320 + ? handle_mm_fault+0x1ab/0x290 + ksys_read+0x52/0xd0 + do_syscall_64+0x61/0x11e0 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + +Fixes: dd3dd7263cde ("net/mlx5: Expose vhca_id to debugfs") +Signed-off-by: Parav Pandit +Reviewed-by: Shay Drori +Reviewed-by: Simon Horman +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/1769503961-124173-4-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/debugfs.c | 16 ++++++++++++++++ + drivers/net/ethernet/mellanox/mlx5/core/main.c | 14 +++----------- + .../net/ethernet/mellanox/mlx5/core/mlx5_core.h | 1 + + .../ethernet/mellanox/mlx5/core/sf/dev/driver.c | 1 + + 4 files changed, 21 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/debugfs.c b/drivers/net/ethernet/mellanox/mlx5/core/debugfs.c +index 36806e813c33c..1301c56e20d65 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/debugfs.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/debugfs.c +@@ -613,3 +613,19 @@ void mlx5_debug_cq_remove(struct mlx5_core_dev *dev, struct mlx5_core_cq *cq) + cq->dbg = NULL; + } + } ++ ++static int vhca_id_show(struct seq_file *file, void *priv) ++{ ++ struct mlx5_core_dev *dev = file->private; ++ ++ seq_printf(file, "0x%x\n", MLX5_CAP_GEN(dev, vhca_id)); ++ return 0; ++} ++ ++DEFINE_SHOW_ATTRIBUTE(vhca_id); ++ ++void mlx5_vhca_debugfs_init(struct mlx5_core_dev *dev) ++{ ++ debugfs_create_file("vhca_id", 0400, dev->priv.dbg.dbg_root, dev, ++ &vhca_id_fops); ++} +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c +index 236cb1eb98c82..14c57d4372802 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c +@@ -1803,16 +1803,6 @@ static int mlx5_hca_caps_alloc(struct mlx5_core_dev *dev) + return -ENOMEM; + } + +-static int 
vhca_id_show(struct seq_file *file, void *priv) +-{ +- struct mlx5_core_dev *dev = file->private; +- +- seq_printf(file, "0x%x\n", MLX5_CAP_GEN(dev, vhca_id)); +- return 0; +-} +- +-DEFINE_SHOW_ATTRIBUTE(vhca_id); +- + static int mlx5_notifiers_init(struct mlx5_core_dev *dev) + { + int err; +@@ -1855,7 +1845,7 @@ int mlx5_mdev_init(struct mlx5_core_dev *dev, int profile_idx) + priv->numa_node = dev_to_node(mlx5_core_dma_dev(dev)); + priv->dbg.dbg_root = debugfs_create_dir(dev_name(dev->device), + mlx5_debugfs_root); +- debugfs_create_file("vhca_id", 0400, priv->dbg.dbg_root, dev, &vhca_id_fops); ++ + INIT_LIST_HEAD(&priv->traps); + + err = mlx5_cmd_init(dev); +@@ -1993,6 +1983,8 @@ static int probe_one(struct pci_dev *pdev, const struct pci_device_id *id) + goto err_init_one; + } + ++ mlx5_vhca_debugfs_init(dev); ++ + pci_save_state(pdev); + return 0; + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.h b/drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.h +index 082259b56816c..da5345e19082d 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.h +@@ -258,6 +258,7 @@ int mlx5_wait_for_pages(struct mlx5_core_dev *dev, int *pages); + void mlx5_cmd_flush(struct mlx5_core_dev *dev); + void mlx5_cq_debugfs_init(struct mlx5_core_dev *dev); + void mlx5_cq_debugfs_cleanup(struct mlx5_core_dev *dev); ++void mlx5_vhca_debugfs_init(struct mlx5_core_dev *dev); + + int mlx5_query_pcam_reg(struct mlx5_core_dev *dev, u32 *pcam, u8 feature_group, + u8 access_reg_group); +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c b/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c +index b706f1486504a..c45540fe7d9d9 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c +@@ -76,6 +76,7 @@ static int mlx5_sf_dev_probe(struct auxiliary_device *adev, const struct auxilia + goto init_one_err; + } + ++ 
mlx5_vhca_debugfs_init(mdev); + return 0; + + init_one_err: +-- +2.51.0 + diff --git a/queue-6.18/net-mlx5-fs-fix-inverted-cap-check-in-tx-flow-table-.patch b/queue-6.18/net-mlx5-fs-fix-inverted-cap-check-in-tx-flow-table-.patch new file mode 100644 index 0000000000..868e1edac2 --- /dev/null +++ b/queue-6.18/net-mlx5-fs-fix-inverted-cap-check-in-tx-flow-table-.patch 
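Review bot: The new `mlx5_vhca_debugfs_init()` in debugfs.c carries no comment about its ordering requirement, although the whole fix depends on it. `vhca_id_show()` reads the caps through `MLX5_CAP_GEN(dev, vhca_id)` with no check of its own, which is how the NULL dereference in the commit message came about. I would document the contract on the function, `/* Call only after the HCA caps have been allocated and read from the device; vhca_id_show() reads them unchecked. */`. Only `probe_one()` and `mlx5_sf_dev_probe()` call it in this patch, so any other path that brings up a device would no longer get the file; whether one exists is not visible here.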
@@ -0,0 +1,44 @@
+From a09b3a74d2b5508938d090d5c4b2c052c1268c6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 27 Jan 2026 10:52:38 +0200
+Subject: net/mlx5: fs, Fix inverted cap check in tx flow table root disconnect
+
+From: Shay Drory
+
+[ Upstream commit 2610a3d65691a1301ab10c92ff6ebab0bedf9199 ]
+
+The capability check for reset_root_to_default was inverted, causing
+the function to return -EOPNOTSUPP when the capability IS supported,
+rather than when it is NOT supported.
+
+Fix the capability check condition.
+
+Fixes: 3c9c34c32bc6 ("net/mlx5: fs, Command to control TX flow table root")
+Signed-off-by: Shay Drory
+Reviewed-by: Mark Bloch
+Reviewed-by: Simon Horman
+Signed-off-by: Tariq Toukan
+Link: https://patch.msgid.link/1769503961-124173-2-git-send-email-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/mellanox/mlx5/core/fs_cmd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_cmd.c
+index 1af76da8b1320..b79544134e2a2 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_cmd.c
+@@ -1167,7 +1167,8 @@ int mlx5_fs_cmd_set_tx_flow_table_root(struct mlx5_core_dev *dev, u32 ft_id, boo
+ u32 out[MLX5_ST_SZ_DW(set_flow_table_root_out)] = {};
+ u32 in[MLX5_ST_SZ_DW(set_flow_table_root_in)] = {};
+
+- if (disconnect && MLX5_CAP_FLOWTABLE_NIC_TX(dev, reset_root_to_default))
++ if (disconnect &&
++ !MLX5_CAP_FLOWTABLE_NIC_TX(dev, reset_root_to_default))
+ return -EOPNOTSUPP;
+
+ MLX5_SET(set_flow_table_root_in, in, opcode,
+--
+2.51.0
+
diff --git a/queue-6.18/net-mlx5-initialize-events-outside-devlink-lock.patch b/queue-6.18/net-mlx5-initialize-events-outside-devlink-lock.patch
new file mode 100644
index 0000000000..eaae8b8348
--- /dev/null
+++ b/queue-6.18/net-mlx5-initialize-events-outside-devlink-lock.patch
@@ -0,0 +1,115 @@ +From d39df8f4185b39bbdf9f05255c9f027bb7f4c6f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 16 Nov 2025 22:45:35 +0200 +Subject: net/mlx5: Initialize events outside devlink lock + +From: Cosmin Ratiu + +[ Upstream commit b6b03097f9826db72aeb3f751774c5e9edd9a5b3 ] + +Move event init/cleanup outside of mlx5_init_one() / mlx5_uninit_one() +and into the mlx5_mdev_init() / mlx5_mdev_uninit() functions. + +By doing this, we avoid the events being reinitialized on devlink reload +and, more importantly, the events->sw_nh notifier chain becomes +available earlier in the init procedure, which will be used in +subsequent patches. This makes sense because the events struct is pure +software, independent of any HW details. + +Signed-off-by: Cosmin Ratiu +Reviewed-by: Carolina Jubran +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/1763325940-1231508-2-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: a8f930b7be7b ("net/mlx5: Fix vhca_id access call trace use before alloc") +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/main.c | 34 +++++++++++++------ + 1 file changed, 24 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c +index 9e0c9e6266a47..236cb1eb98c82 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c +@@ -999,16 +999,10 @@ static int mlx5_init_once(struct mlx5_core_dev *dev) + goto err_irq_cleanup; + } + +- err = mlx5_events_init(dev); +- if (err) { +- mlx5_core_err(dev, "failed to initialize events\n"); +- goto err_eq_cleanup; +- } +- + err = mlx5_fw_reset_init(dev); + if (err) { + mlx5_core_err(dev, "failed to initialize fw reset events\n"); +- goto err_events_cleanup; ++ goto err_eq_cleanup; + } + + mlx5_cq_debugfs_init(dev); +@@ -1110,8 +1104,6 @@ static int mlx5_init_once(struct mlx5_core_dev *dev) + 
mlx5_cleanup_reserved_gids(dev); + mlx5_cq_debugfs_cleanup(dev); + mlx5_fw_reset_cleanup(dev); +-err_events_cleanup: +- mlx5_events_cleanup(dev); + err_eq_cleanup: + mlx5_eq_table_cleanup(dev); + err_irq_cleanup: +@@ -1144,7 +1136,6 @@ static void mlx5_cleanup_once(struct mlx5_core_dev *dev) + mlx5_cleanup_reserved_gids(dev); + mlx5_cq_debugfs_cleanup(dev); + mlx5_fw_reset_cleanup(dev); +- mlx5_events_cleanup(dev); + mlx5_eq_table_cleanup(dev); + mlx5_irq_table_cleanup(dev); + mlx5_devcom_unregister_device(dev->priv.devc); +@@ -1822,6 +1813,24 @@ static int vhca_id_show(struct seq_file *file, void *priv) + + DEFINE_SHOW_ATTRIBUTE(vhca_id); + ++static int mlx5_notifiers_init(struct mlx5_core_dev *dev) ++{ ++ int err; ++ ++ err = mlx5_events_init(dev); ++ if (err) { ++ mlx5_core_err(dev, "failed to initialize events\n"); ++ return err; ++ } ++ ++ return 0; ++} ++ ++static void mlx5_notifiers_cleanup(struct mlx5_core_dev *dev) ++{ ++ mlx5_events_cleanup(dev); ++} ++ + int mlx5_mdev_init(struct mlx5_core_dev *dev, int profile_idx) + { + struct mlx5_priv *priv = &dev->priv; +@@ -1877,6 +1886,10 @@ int mlx5_mdev_init(struct mlx5_core_dev *dev, int profile_idx) + if (err) + goto err_hca_caps; + ++ err = mlx5_notifiers_init(dev); ++ if (err) ++ goto err_hca_caps; ++ + /* The conjunction of sw_vhca_id with sw_owner_id will be a global + * unique id per function which uses mlx5_core. + * Those values are supplied to FW as part of the init HCA command to +@@ -1919,6 +1932,7 @@ void mlx5_mdev_uninit(struct mlx5_core_dev *dev) + if (priv->sw_vhca_id > 0) + ida_free(&sw_vhca_ida, dev->priv.sw_vhca_id); + ++ mlx5_notifiers_cleanup(dev); + mlx5_hca_caps_free(dev); + mlx5_adev_cleanup(dev); + mlx5_pagealloc_cleanup(dev); +-- +2.51.0 + diff --git a/queue-6.18/net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch b/queue-6.18/net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch new file mode 100644 index 0000000000..e56bd246bf --- /dev/null 
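Review bot: In `mlx5_mdev_init()` the new `mlx5_notifiers_init()` failure path jumps to `err_hca_caps`, the same label the preceding step uses for its own failure. If that preceding step is the HCA caps allocation, the caps are already allocated on this path and the label would have to free them; the label name and the `mlx5_notifiers_cleanup()` / `mlx5_hca_caps_free()` order in `mlx5_mdev_uninit()` suggest that it is. A dedicated label above `err_hca_caps:` that calls `mlx5_hca_caps_free(dev);` would make the unwind mirror the teardown. The label body is outside the hunk, so please confirm what it releases.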
+++ b/queue-6.18/net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch 
@@ -0,0 +1,75 @@ +From ad057131d7e5baae1536ed2c0b80ac8e8a2c782f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jan 2026 09:14:55 +0200 +Subject: net/mlx5e: Account for netdev stats in ndo_get_stats64 + +From: Gal Pressman + +[ Upstream commit 476681f10cc1e0e56e26856684e75d4678b072b2 ] + +The driver's ndo_get_stats64 callback is only reporting mlx5 counters, +without accounting for the netdev stats, causing errors from the network +stack to be invisible in statistics. + +Add netdev_stats_to_stats64() call to first populate the counters, then +add mlx5 counters on top, ensuring both are accounted for (where +appropriate). + +Fixes: f62b8bb8f2d3 ("net/mlx5: Extend mlx5_core to support ConnectX-4 Ethernet functionality") +Signed-off-by: Gal Pressman +Signed-off-by: Tariq Toukan +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/1769411695-18820-4-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/en_main.c | 20 ++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index f8d9968542d9c..59e17b41c3a67 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -4033,6 +4033,8 @@ mlx5e_get_stats(struct net_device *dev, struct rtnl_link_stats64 *stats) + mlx5e_queue_update_stats(priv); + } + ++ netdev_stats_to_stats64(stats, &dev->stats); ++ + if (mlx5e_is_uplink_rep(priv)) { + struct mlx5e_vport_stats *vstats = &priv->stats.vport; + +@@ -4049,21 +4051,21 @@ mlx5e_get_stats(struct net_device *dev, struct rtnl_link_stats64 *stats) + mlx5e_fold_sw_stats64(priv, stats); + } + +- stats->rx_missed_errors = priv->stats.qcnt.rx_out_of_buffer; +- stats->rx_dropped = PPORT_2863_GET(pstats, if_in_discards); ++ stats->rx_missed_errors += priv->stats.qcnt.rx_out_of_buffer; ++ 
stats->rx_dropped += PPORT_2863_GET(pstats, if_in_discards); + +- stats->rx_length_errors = ++ stats->rx_length_errors += + PPORT_802_3_GET(pstats, a_in_range_length_errors) + + PPORT_802_3_GET(pstats, a_out_of_range_length_field) + + PPORT_802_3_GET(pstats, a_frame_too_long_errors) + + VNIC_ENV_GET(&priv->stats.vnic, eth_wqe_too_small); +- stats->rx_crc_errors = ++ stats->rx_crc_errors += + PPORT_802_3_GET(pstats, a_frame_check_sequence_errors); +- stats->rx_frame_errors = PPORT_802_3_GET(pstats, a_alignment_errors); +- stats->tx_aborted_errors = PPORT_2863_GET(pstats, if_out_discards); +- stats->rx_errors = stats->rx_length_errors + stats->rx_crc_errors + +- stats->rx_frame_errors; +- stats->tx_errors = stats->tx_aborted_errors + stats->tx_carrier_errors; ++ stats->rx_frame_errors += PPORT_802_3_GET(pstats, a_alignment_errors); ++ stats->tx_aborted_errors += PPORT_2863_GET(pstats, if_out_discards); ++ stats->rx_errors += stats->rx_length_errors + stats->rx_crc_errors + ++ stats->rx_frame_errors; ++ stats->tx_errors += stats->tx_aborted_errors + stats->tx_carrier_errors; + } + + static void mlx5e_nic_set_rx_mode(struct mlx5e_priv *priv) +-- +2.51.0 + diff --git a/queue-6.18/net-mlx5e-don-t-assume-psp-tx-skbs-are-ipv6-csum-han.patch b/queue-6.18/net-mlx5e-don-t-assume-psp-tx-skbs-are-ipv6-csum-han.patch new file mode 100644 index 0000000000..32119d2eda --- /dev/null +++ b/queue-6.18/net-mlx5e-don-t-assume-psp-tx-skbs-are-ipv6-csum-han.patch 
@@ -0,0 +1,63 @@ +From e479d52b2f06971f0b705c6ebeff8a85e727a5a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jan 2026 11:38:17 -0800 +Subject: net/mlx5e: don't assume psp tx skbs are ipv6 csum handling + +From: Daniel Zahka + +[ Upstream commit a62f7d62d2b115e67c7224e36ace4ef12a9650b4 ] + +mlx5e_psp_handle_tx_skb() assumes skbs are ipv6 when doing a partial +TCP checksum with tso. Make correctly mlx5e_psp_handle_tx_skb() handle +ipv4 packets. + +Fixes: e5a1861a298e ("net/mlx5e: Implement PSP Tx data path") +Signed-off-by: Daniel Zahka +Reviewed-by: Eric Dumazet +Reviewed-by: Cosmin Ratiu +Link: https://patch.msgid.link/20260126-dzahka-fix-tx-csum-partial-v2-1-0a905590ea5f@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../mellanox/mlx5/core/en_accel/psp_rxtx.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/psp_rxtx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/psp_rxtx.c +index 828bff1137aff..fa98d0074531b 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/psp_rxtx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/psp_rxtx.c +@@ -177,8 +177,6 @@ bool mlx5e_psp_handle_tx_skb(struct net_device *netdev, + { + struct mlx5e_priv *priv = netdev_priv(netdev); + struct net *net = sock_net(skb->sk); +- const struct ipv6hdr *ip6; +- struct tcphdr *th; + + if (!mlx5e_psp_set_state(priv, skb, psp_st)) + return true; +@@ -189,11 +187,18 @@ bool mlx5e_psp_handle_tx_skb(struct net_device *netdev, + return false; + } + if (skb_is_gso(skb)) { +- ip6 = ipv6_hdr(skb); +- th = inner_tcp_hdr(skb); ++ int len = skb_shinfo(skb)->gso_size + inner_tcp_hdrlen(skb); ++ struct tcphdr *th = inner_tcp_hdr(skb); + +- th->check = ~tcp_v6_check(skb_shinfo(skb)->gso_size + inner_tcp_hdrlen(skb), &ip6->saddr, +- &ip6->daddr, 0); ++ if (skb->protocol == htons(ETH_P_IP)) { ++ const struct iphdr *ip = ip_hdr(skb); ++ ++ th->check = 
~tcp_v4_check(len, ip->saddr, ip->daddr, 0); ++ } else { ++ const struct ipv6hdr *ip6 = ipv6_hdr(skb); ++ ++ th->check = ~tcp_v6_check(len, &ip6->saddr, &ip6->daddr, 0); ++ } + } + + return true; +-- +2.51.0 + diff --git a/queue-6.18/net-mlx5e-skip-esn-replay-window-setup-for-ipsec-cry.patch b/queue-6.18/net-mlx5e-skip-esn-replay-window-setup-for-ipsec-cry.patch new file mode 100644 index 0000000000..9d1cd3f778 --- /dev/null +++ b/queue-6.18/net-mlx5e-skip-esn-replay-window-setup-for-ipsec-cry.patch 
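Review bot: In the `skb_is_gso()` block of `mlx5e_psp_handle_tx_skb()` the new `else` branch treats every skb whose `skb->protocol` is not `ETH_P_IP` as IPv6. Any other ethertype that reached this point would have its TCP pseudo-header checksum seeded from bytes that are not an IPv6 header; whether one can is not visible from the hunk. I would make the second branch explicit, `} else if (skb->protocol == htons(ETH_P_IPV6)) {`, and reject everything else with `return false;` as the earlier failure path in this function does. The function's opening lines and the code between the two hunks are not shown.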
@@ -0,0 +1,50 @@ +From 5b5bfc6b6e73f6a58a7ea491e2032ff72697b04c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Jan 2026 10:52:41 +0200 +Subject: net/mlx5e: Skip ESN replay window setup for IPsec crypto offload + +From: Jianbo Liu + +[ Upstream commit 011be342dd24b5168a5dcf408b14c3babe503341 ] + +Commit a5e400a985df ("net/mlx5e: Honor user choice of IPsec replay +window size") introduced logic to setup the ESN replay window size. +This logic is only valid for packet offload. + +However, the check to skip this block only covered outbound offloads. +It was not skipped for crypto offload, causing it to fall through to +the new switch statement and trigger its WARN_ON default case (for +instance, if a window larger than 256 bits was configured). + +Fix this by amending the condition to also skip the replay window +setup if the offload type is not XFRM_DEV_OFFLOAD_PACKET. + +Fixes: a5e400a985df ("net/mlx5e: Honor user choice of IPsec replay window size") +Signed-off-by: Jianbo Liu +Reviewed-by: Leon Romanovsky +Reviewed-by: Simon Horman +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/1769503961-124173-5-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c +index a8fb4bec369cf..9c7064187ed0f 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c +@@ -430,7 +430,8 @@ void mlx5e_ipsec_build_accel_xfrm_attrs(struct mlx5e_ipsec_sa_entry *sa_entry, + attrs->replay_esn.esn = sa_entry->esn_state.esn; + attrs->replay_esn.esn_msb = sa_entry->esn_state.esn_msb; + attrs->replay_esn.overlap = sa_entry->esn_state.overlap; +- if (attrs->dir == XFRM_DEV_OFFLOAD_OUT) ++ if (attrs->dir == 
XFRM_DEV_OFFLOAD_OUT || ++ x->xso.type != XFRM_DEV_OFFLOAD_PACKET) + goto skip_replay_window; + + switch (x->replay_esn->replay_window) { +-- +2.51.0 + diff --git a/queue-6.18/net-mlx5e-tc-delete-flows-only-for-existing-peers.patch b/queue-6.18/net-mlx5e-tc-delete-flows-only-for-existing-peers.patch new file mode 100644 index 0000000000..e29c11bc45 --- /dev/null +++ b/queue-6.18/net-mlx5e-tc-delete-flows-only-for-existing-peers.patch 
@@ -0,0 +1,132 @@ +From 3ac403689e90bb4f828ab9a54b5d1830b6b9be12 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jan 2026 09:14:54 +0200 +Subject: net/mlx5e: TC, delete flows only for existing peers + +From: Mark Bloch + +[ Upstream commit f67666938ae626cbda63fbf5176b3583c07e7124 ] + +When deleting TC steering flows, iterate only over actual devcom +peers instead of assuming all possible ports exist. This avoids +touching non-existent peers and ensures cleanup is limited to +devices the driver is currently connected to. + + BUG: kernel NULL pointer dereference, address: 0000000000000008 + #PF: supervisor write access in kernel mode + #PF: error_code(0x0002) - not-present page + PGD 133c8a067 P4D 0 + Oops: Oops: 0002 [#1] SMP + CPU: 19 UID: 0 PID: 2169 Comm: tc Not tainted 6.18.0+ #156 NONE + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 + RIP: 0010:mlx5e_tc_del_fdb_peers_flow+0xbe/0x200 [mlx5_core] + Code: 00 00 a8 08 74 a8 49 8b 46 18 f6 c4 02 74 9f 4c 8d bf a0 12 00 00 4c 89 ff e8 0e e7 96 e1 49 8b 44 24 08 49 8b 0c 24 4c 89 ff <48> 89 41 08 48 89 08 49 89 2c 24 49 89 5c 24 08 e8 7d ce 96 e1 49 + RSP: 0018:ff11000143867528 EFLAGS: 00010246 + RAX: 0000000000000000 RBX: dead000000000122 RCX: 0000000000000000 + RDX: ff11000143691580 RSI: ff110001026e5000 RDI: ff11000106f3d2a0 + RBP: dead000000000100 R08: 00000000000003fd R09: 0000000000000002 + R10: ff11000101c75690 R11: ff1100085faea178 R12: ff11000115f0ae78 + R13: 0000000000000000 R14: ff11000115f0a800 R15: ff11000106f3d2a0 + FS: 00007f35236bf740(0000) GS:ff110008dc809000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000008 CR3: 0000000157a01001 CR4: 0000000000373eb0 + Call Trace: + + mlx5e_tc_del_flow+0x46/0x270 [mlx5_core] + mlx5e_flow_put+0x25/0x50 [mlx5_core] + mlx5e_delete_flower+0x2a6/0x3e0 [mlx5_core] + tc_setup_cb_reoffload+0x20/0x80 + fl_reoffload+0x26f/0x2f0 [cls_flower] + ? 
mlx5e_tc_reoffload_flows_work+0xc0/0xc0 [mlx5_core] + ? mlx5e_tc_reoffload_flows_work+0xc0/0xc0 [mlx5_core] + tcf_block_playback_offloads+0x9e/0x1c0 + tcf_block_unbind+0x7b/0xd0 + tcf_block_setup+0x186/0x1d0 + tcf_block_offload_cmd.isra.0+0xef/0x130 + tcf_block_offload_unbind+0x43/0x70 + __tcf_block_put+0x85/0x160 + ingress_destroy+0x32/0x110 [sch_ingress] + __qdisc_destroy+0x44/0x100 + qdisc_graft+0x22b/0x610 + tc_get_qdisc+0x183/0x4d0 + rtnetlink_rcv_msg+0x2d7/0x3d0 + ? rtnl_calcit.isra.0+0x100/0x100 + netlink_rcv_skb+0x53/0x100 + netlink_unicast+0x249/0x320 + ? __alloc_skb+0x102/0x1f0 + netlink_sendmsg+0x1e3/0x420 + __sock_sendmsg+0x38/0x60 + ____sys_sendmsg+0x1ef/0x230 + ? copy_msghdr_from_user+0x6c/0xa0 + ___sys_sendmsg+0x7f/0xc0 + ? ___sys_recvmsg+0x8a/0xc0 + ? __sys_sendto+0x119/0x180 + __sys_sendmsg+0x61/0xb0 + do_syscall_64+0x55/0x640 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + RIP: 0033:0x7f35238bb764 + Code: 15 b9 86 0c 00 f7 d8 64 89 02 b8 ff ff ff ff eb bf 0f 1f 44 00 00 f3 0f 1e fa 80 3d e5 08 0d 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 4c c3 0f 1f 00 55 48 89 e5 48 83 ec 20 89 55 + RSP: 002b:00007ffed4c35638 EFLAGS: 00000202 ORIG_RAX: 000000000000002e + RAX: ffffffffffffffda RBX: 000055a2efcc75e0 RCX: 00007f35238bb764 + RDX: 0000000000000000 RSI: 00007ffed4c356a0 RDI: 0000000000000003 + RBP: 00007ffed4c35710 R08: 0000000000000010 R09: 00007f3523984b20 + R10: 0000000000000004 R11: 0000000000000202 R12: 00007ffed4c35790 + R13: 000000006947df8f R14: 000055a2efcc75e0 R15: 00007ffed4c35780 + +Fixes: 9be6c21fdcf8 ("net/mlx5e: Handle offloads flows per peer") +Signed-off-by: Mark Bloch +Reviewed-by: Shay Drori +Signed-off-by: Tariq Toukan +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/1769411695-18820-3-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/en_tc.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff 
--git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +index 00c2763e57ca1..ebea43c235cc3 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +@@ -2147,11 +2147,14 @@ static void mlx5e_tc_del_fdb_peer_flow(struct mlx5e_tc_flow *flow, + + static void mlx5e_tc_del_fdb_peers_flow(struct mlx5e_tc_flow *flow) + { ++ struct mlx5_devcom_comp_dev *devcom; ++ struct mlx5_devcom_comp_dev *pos; ++ struct mlx5_eswitch *peer_esw; + int i; + +- for (i = 0; i < MLX5_MAX_PORTS; i++) { +- if (i == mlx5_get_dev_index(flow->priv->mdev)) +- continue; ++ devcom = flow->priv->mdev->priv.eswitch->devcom; ++ mlx5_devcom_for_each_peer_entry(devcom, peer_esw, pos) { ++ i = mlx5_get_dev_index(peer_esw->dev); + mlx5e_tc_del_fdb_peer_flow(flow, i); + } + } +@@ -5511,12 +5514,16 @@ int mlx5e_tc_num_filters(struct mlx5e_priv *priv, unsigned long flags) + + void mlx5e_tc_clean_fdb_peer_flows(struct mlx5_eswitch *esw) + { ++ struct mlx5_devcom_comp_dev *devcom; ++ struct mlx5_devcom_comp_dev *pos; + struct mlx5e_tc_flow *flow, *tmp; ++ struct mlx5_eswitch *peer_esw; + int i; + +- for (i = 0; i < MLX5_MAX_PORTS; i++) { +- if (i == mlx5_get_dev_index(esw->dev)) +- continue; ++ devcom = esw->devcom; ++ ++ mlx5_devcom_for_each_peer_entry(devcom, peer_esw, pos) { ++ i = mlx5_get_dev_index(peer_esw->dev); + list_for_each_entry_safe(flow, tmp, &esw->offloads.peer_flows[i], peer[i]) + mlx5e_tc_del_fdb_peers_flow(flow); + } +-- +2.51.0 + diff --git a/queue-6.18/net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch b/queue-6.18/net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch new file mode 100644 index 0000000000..7a0824beb2 --- /dev/null +++ b/queue-6.18/net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch 
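Review bot: Both rewritten loops, in `mlx5e_tc_del_fdb_peers_flow()` and `mlx5e_tc_clean_fdb_peer_flows()`, now walk the devcom peer list with `mlx5_devcom_for_each_peer_entry()`, but neither function takes the devcom lock or says that the caller must. The callers are outside the hunk, so please confirm that each one holds that lock and has already checked that `devcom` is usable, since `flow->priv->mdev->priv.eswitch->devcom` is dereferenced unconditionally here. A short comment on both functions would record the requirement, for example `/* Caller must hold the devcom peer lock; the peer list may change underneath us otherwise. */`.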
@@ -0,0 +1,48 @@
+From 08a670f1ca25e58840dee561b4e928d24388700e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 23 Jan 2026 06:57:16 +0000
+Subject: net: mvpp2: cls: Fix memory leak in mvpp2_ethtool_cls_rule_ins()
+
+From: Zilin Guan
+
+[ Upstream commit 09f979d1f312627b31d2ee1e46f9692e442610cd ]
+
+In mvpp2_ethtool_cls_rule_ins(), the ethtool_rule is allocated by
+ethtool_rx_flow_rule_create(). If the subsequent conversion to flow
+type fails, the function jumps to the clean_rule label.
+
+However, the clean_rule label only frees efs, skipping the cleanup
+of ethtool_rule, which leads to a memory leak.
+
+Fix this by jumping to the clean_eth_rule label, which properly calls
+ethtool_rx_flow_rule_destroy() before freeing efs.
+
+Compile tested only. Issue found using a prototype static analysis tool
+and code review.
+
+Fixes: f4f1ba18195d ("net: mvpp2: cls: Report an error for unsupported flow types")
+Signed-off-by: Zilin Guan
+Reviewed-by: Maxime Chevallier
+Link: https://patch.msgid.link/20260123065716.2248324-1-zilin@seu.edu.cn
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c
+index 44b201817d94c..c116da7d7f18c 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c
+@@ -1389,7 +1389,7 @@ int mvpp2_ethtool_cls_rule_ins(struct mvpp2_port *port,
+ efs->rule.flow_type = mvpp2_cls_ethtool_flow_to_type(info->fs.flow_type);
+ if (efs->rule.flow_type < 0) {
+ ret = efs->rule.flow_type;
+- goto clean_rule;
++ goto clean_eth_rule;
+ }
+
+ ret = mvpp2_cls_rfs_parse_rule(&efs->rule);
+--
+2.51.0
+
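Review bot: The corrected `goto clean_eth_rule` in the `flow_type < 0` branch of mvpp2_ethtool_cls_rule_ins() depends on an ordering rule that nothing at this site states: once ethtool_rx_flow_rule_create() has succeeded, every failure has to leave through clean_eth_rule. A one-line comment above the branch, `/* ethtool_rule is live from here on: fail via clean_eth_rule, not clean_rule */`, would keep the next added error path from repeating the leak. The labels and the rest of the function are outside the hunk, and the commit message says the change was only compile tested, so any other `goto clean_rule` after the allocation is worth checking as well.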
diff --git a/queue-6.18/net-phy-micrel-fix-clk-warning-when-removing-the-dri.patch b/queue-6.18/net-phy-micrel-fix-clk-warning-when-removing-the-dri.patch
new file mode 100644
index 0000000000..df0465df69
--- /dev/null
+++ b/queue-6.18/net-phy-micrel-fix-clk-warning-when-removing-the-dri.patch
@@ -0,0 +1,130 @@ +From e24fb0d0e87b1bc74e86b3151f1c00cd9bb62186 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jan 2026 16:15:44 +0800 +Subject: net: phy: micrel: fix clk warning when removing the driver + +From: Wei Fang + +[ Upstream commit 2aa1545ba8d4801fba5be83a404e28014b80196a ] + +Since the commit 25c6a5ab151f ("net: phy: micrel: Dynamically control +external clock of KSZ PHY"), the clock of Micrel PHY has been enabled +by phy_driver::resume() and disabled by phy_driver::suspend(). However, +devm_clk_get_optional_enabled() is used in kszphy_probe(), so the clock +will automatically be disabled when the device is unbound from the bus. +Therefore, this could cause the clock to be disabled twice, resulting +in clk driver warnings. + +For example, this issue can be reproduced on i.MX6ULL platform, and we +can see the following logs when removing the FEC MAC drivers. + +$ echo 2188000.ethernet > /sys/bus/platform/drivers/fec/unbind +$ echo 20b4000.ethernet > /sys/bus/platform/drivers/fec/unbind +[ 109.758207] ------------[ cut here ]------------ +[ 109.758240] WARNING: drivers/clk/clk.c:1188 at clk_core_disable+0xb4/0xd0, CPU#0: sh/639 +[ 109.771011] enet2_ref already disabled +[ 109.793359] Call trace: +[ 109.822006] clk_core_disable from clk_disable+0x28/0x34 +[ 109.827340] clk_disable from clk_disable_unprepare+0xc/0x18 +[ 109.833029] clk_disable_unprepare from devm_clk_release+0x1c/0x28 +[ 109.839241] devm_clk_release from devres_release_all+0x98/0x100 +[ 109.845278] devres_release_all from device_unbind_cleanup+0xc/0x70 +[ 109.851571] device_unbind_cleanup from device_release_driver_internal+0x1a4/0x1f4 +[ 109.859170] device_release_driver_internal from bus_remove_device+0xbc/0xe4 +[ 109.866243] bus_remove_device from device_del+0x140/0x458 +[ 109.871757] device_del from phy_mdio_device_remove+0xc/0x24 +[ 109.877452] phy_mdio_device_remove from mdiobus_unregister+0x40/0xac +[ 109.883918] mdiobus_unregister from fec_enet_mii_remove+0x40/0x78 +[ 
109.890125] fec_enet_mii_remove from fec_drv_remove+0x4c/0x158 +[ 109.896076] fec_drv_remove from device_release_driver_internal+0x17c/0x1f4 +[ 109.962748] WARNING: drivers/clk/clk.c:1047 at clk_core_unprepare+0xfc/0x13c, CPU#0: sh/639 +[ 109.975805] enet2_ref already unprepared +[ 110.002866] Call trace: +[ 110.031758] clk_core_unprepare from clk_unprepare+0x24/0x2c +[ 110.037440] clk_unprepare from devm_clk_release+0x1c/0x28 +[ 110.042957] devm_clk_release from devres_release_all+0x98/0x100 +[ 110.048989] devres_release_all from device_unbind_cleanup+0xc/0x70 +[ 110.055280] device_unbind_cleanup from device_release_driver_internal+0x1a4/0x1f4 +[ 110.062877] device_release_driver_internal from bus_remove_device+0xbc/0xe4 +[ 110.069950] bus_remove_device from device_del+0x140/0x458 +[ 110.075469] device_del from phy_mdio_device_remove+0xc/0x24 +[ 110.081165] phy_mdio_device_remove from mdiobus_unregister+0x40/0xac +[ 110.087632] mdiobus_unregister from fec_enet_mii_remove+0x40/0x78 +[ 110.093836] fec_enet_mii_remove from fec_drv_remove+0x4c/0x158 +[ 110.099782] fec_drv_remove from device_release_driver_internal+0x17c/0x1f4 + +After analyzing the process of removing the FEC driver, as shown below, +it can be seen that the clock was disabled twice by the PHY driver. + +fec_drv_remove() + --> fec_enet_close() + --> phy_stop() + --> phy_suspend() + --> kszphy_suspend() #1 The clock is disabled + --> fec_enet_mii_remove() + --> mdiobus_unregister() + --> phy_mdio_device_remove() + --> device_del() + --> devm_clk_release() #2 The clock is disabled again + +Therefore, devm_clk_get_optional() is used to fix the above issue. And +to avoid the issue mentioned by the commit 985329462723 ("net: phy: +micrel: use devm_clk_get_optional_enabled for the rmii-ref clock"), the +clock is enabled by clk_prepare_enable() to get the correct clock rate. 
+ +Fixes: 25c6a5ab151f ("net: phy: micrel: Dynamically control external clock of KSZ PHY") +Signed-off-by: Wei Fang +Reviewed-by: Maxime Chevallier +Link: https://patch.msgid.link/20260126081544.983517-1-wei.fang@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/micrel.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/phy/micrel.c b/drivers/net/phy/micrel.c +index 01c87c9b77020..bc19880107ae4 100644 +--- a/drivers/net/phy/micrel.c ++++ b/drivers/net/phy/micrel.c +@@ -2541,11 +2541,21 @@ static int kszphy_probe(struct phy_device *phydev) + + kszphy_parse_led_mode(phydev); + +- clk = devm_clk_get_optional_enabled(&phydev->mdio.dev, "rmii-ref"); ++ clk = devm_clk_get_optional(&phydev->mdio.dev, "rmii-ref"); + /* NOTE: clk may be NULL if building without CONFIG_HAVE_CLK */ + if (!IS_ERR_OR_NULL(clk)) { +- unsigned long rate = clk_get_rate(clk); + bool rmii_ref_clk_sel_25_mhz; ++ unsigned long rate; ++ int err; ++ ++ err = clk_prepare_enable(clk); ++ if (err) { ++ phydev_err(phydev, "Failed to enable rmii-ref clock\n"); ++ return err; ++ } ++ ++ rate = clk_get_rate(clk); ++ clk_disable_unprepare(clk); + + if (type) + priv->rmii_ref_clk_sel = type->has_rmii_ref_clk_sel; +@@ -2563,13 +2573,12 @@ static int kszphy_probe(struct phy_device *phydev) + } + } else if (!clk) { + /* unnamed clock from the generic ethernet-phy binding */ +- clk = devm_clk_get_optional_enabled(&phydev->mdio.dev, NULL); ++ clk = devm_clk_get_optional(&phydev->mdio.dev, NULL); + } + + if (IS_ERR(clk)) + return PTR_ERR(clk); + +- clk_disable_unprepare(clk); + priv->clk = clk; + + if (ksz8041_fiber_mode(phydev)) +-- +2.51.0 + diff --git a/queue-6.18/net-spacemit-check-for-netif_carrier_ok-in-emac_stat.patch b/queue-6.18/net-spacemit-check-for-netif_carrier_ok-in-emac_stat.patch new file mode 100644 index 0000000000..524c82eded --- /dev/null 
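Review bot: The new clk_prepare_enable() failure path in kszphy_probe() logs `"Failed to enable rmii-ref clock\n"` without the error code, so the log does not say why the clock could not be enabled; `phydev_err(phydev, "Failed to enable rmii-ref clock: %d\n", err);` would. The enable/disable pair around clk_get_rate() also deserves a comment such as `/* enabled only to read the rate; suspend/resume own the enable count after probe */`, because the double disable this patch fixes came from two owners of that count. kszphy_probe() starts and ends outside both hunks.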
+++ b/queue-6.18/net-spacemit-check-for-netif_carrier_ok-in-emac_stat.patch 
@@ -0,0 +1,101 @@ +From db998d0ddd2bea0c62ed638b953c89acc1953010 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Jan 2026 11:52:23 +0800 +Subject: net: spacemit: Check for netif_carrier_ok() in emac_stats_update() + +From: Vivian Wang + +[ Upstream commit 2c84959167d6493dbdac88965c7389b8ab88bf4e ] + +Some PHYs stop the refclk for power saving, usually while link down. +This causes reading stats to time out. + +Therefore, in emac_stats_update(), also don't update and reschedule if +!netif_carrier_ok(). But that means we could be missing later updates if +the link comes back up, so also reschedule when link up is detected in +emac_adjust_link(). + +While we're at it, improve the comments and error message prints around +this to reflect the better understanding of how this could happen. +Hopefully if this happens again on new hardware, these comments will +direct towards a solution. + +Closes: https://lore.kernel.org/r/20260119141620.1318102-1-amadeus@jmu.edu.cn/ +Fixes: bfec6d7f2001 ("net: spacemit: Add K1 Ethernet MAC") +Co-developed-by: Chukun Pan +Signed-off-by: Chukun Pan +Signed-off-by: Vivian Wang +Link: https://patch.msgid.link/20260123-k1-ethernet-clarify-stat-timeout-v3-1-93b9df627e87@iscas.ac.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/spacemit/k1_emac.c | 34 ++++++++++++++++++++----- + 1 file changed, 27 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/spacemit/k1_emac.c b/drivers/net/ethernet/spacemit/k1_emac.c +index 220eb5ce75833..88e9424d2d51a 100644 +--- a/drivers/net/ethernet/spacemit/k1_emac.c ++++ b/drivers/net/ethernet/spacemit/k1_emac.c +@@ -1099,7 +1099,13 @@ static int emac_read_stat_cnt(struct emac_priv *priv, u8 cnt, u32 *res, + 100, 10000); + + if (ret) { +- netdev_err(priv->ndev, "Read stat timeout\n"); ++ /* ++ * This could be caused by the PHY stopping its refclk even when ++ * the link is up, for power saving. See also comments in ++ * emac_stats_update(). 
++ */ ++ dev_err_ratelimited(&priv->ndev->dev, ++ "Read stat timeout. PHY clock stopped?\n"); + return ret; + } + +@@ -1147,17 +1153,25 @@ static void emac_stats_update(struct emac_priv *priv) + + assert_spin_locked(&priv->stats_lock); + +- if (!netif_running(priv->ndev) || !netif_device_present(priv->ndev)) { +- /* Not up, don't try to update */ ++ /* ++ * We can't read statistics if the interface is not up. Also, some PHYs ++ * stop their reference clocks for link down power saving, which also ++ * causes reading statistics to time out. Don't update and don't ++ * reschedule in these cases. ++ */ ++ if (!netif_running(priv->ndev) || ++ !netif_carrier_ok(priv->ndev) || ++ !netif_device_present(priv->ndev)) { + return; + } + + for (i = 0; i < sizeof(priv->tx_stats) / sizeof(*tx_stats); i++) { + /* +- * If reading stats times out, everything is broken and there's +- * nothing we can do. Reading statistics also can't return an +- * error, so just return without updating and without +- * rescheduling. ++ * If reading stats times out anyway, the stat registers will be ++ * stuck, and we can't really recover from that. ++ * ++ * Reading statistics also can't return an error, so just return ++ * without updating and without rescheduling. + */ + if (emac_tx_read_stat_cnt(priv, i, &res)) + return; +@@ -1636,6 +1650,12 @@ static void emac_adjust_link(struct net_device *dev) + emac_wr(priv, MAC_GLOBAL_CONTROL, ctrl); + + emac_set_fc_autoneg(priv); ++ ++ /* ++ * Reschedule stats updates now that link is up. See comments in ++ * emac_stats_update(). ++ */ ++ mod_timer(&priv->stats_timer, jiffies); + } + + phy_print_status(phydev); +-- +2.51.0 + diff --git a/queue-6.18/net-wwan-t7xx-fix-potential-skb-frags-overflow-in-rx.patch b/queue-6.18/net-wwan-t7xx-fix-potential-skb-frags-overflow-in-rx.patch new file mode 100644 index 0000000000..089dd23be0 --- /dev/null +++ b/queue-6.18/net-wwan-t7xx-fix-potential-skb-frags-overflow-in-rx.patch 
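Review bot: The `mod_timer(&priv->stats_timer, jiffies)` added to emac_adjust_link() gives the stats timer a second arming site, and the hunk does not show what keeps it from re-arming the timer after the close or remove path has deleted it. emac_stats_update() returns early when `!netif_running()`, but the timer callback would still run once; if teardown deletes the timer before the PHY state machine is stopped, that run could touch state that is being freed. That ordering is outside the visible lines, so please confirm it and record it next to the call, e.g. `/* safe: the PHY is stopped before stats_timer is deleted on close */`. Separately, the new comment in emac_read_stat_cnt() says the timeout can still occur with the link up; in that case statistics stay stopped until the next link-up event, which the comment in emac_stats_update() could say outright.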
@@ -0,0 +1,83 @@ +From e49f772fcae292d939718fc5100d4b75ae42478e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Jan 2026 01:04:01 +0800 +Subject: net: wwan: t7xx: fix potential skb->frags overflow in RX path + +From: Kery Qi + +[ Upstream commit f0813bcd2d9d97fdbdf2efb9532ab03ae92e99e6 ] + +When receiving data in the DPMAIF RX path, +the t7xx_dpmaif_set_frag_to_skb() function adds +page fragments to an skb without checking if the number of +fragments has exceeded MAX_SKB_FRAGS. This could lead to a buffer overflow +in skb_shinfo(skb)->frags[] array, corrupting adjacent memory and +potentially causing kernel crashes or other undefined behavior. + +This issue was identified through static code analysis by comparing with a +similar vulnerability fixed in the mt76 driver commit b102f0c522cf ("mt76: +fix array overflow on receiving too many fragments for a packet"). + +The vulnerability could be triggered if the modem firmware sends packets +with excessive fragments. While under normal protocol conditions (MTU 3080 +bytes, BAT buffer 3584 bytes), +a single packet should not require additional +fragments, the kernel should not blindly trust firmware behavior. +Malicious, buggy, or compromised firmware could potentially craft packets +with more fragments than the kernel expects. + +Fix this by adding a bounds check before calling skb_add_rx_frag() to +ensure nr_frags does not exceed MAX_SKB_FRAGS. + +The check must be performed before unmapping to avoid a page leak +and double DMA unmap during device teardown. 
+ +Fixes: d642b012df70a ("net: wwan: t7xx: Add data path interface") +Signed-off-by: Kery Qi +Link: https://patch.msgid.link/20260122170401.1986-2-qikeyu2017@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c b/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c +index 2310493203d3c..d9f10df03a5db 100644 +--- a/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c ++++ b/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c +@@ -395,6 +395,7 @@ static int t7xx_dpmaif_set_frag_to_skb(const struct dpmaif_rx_queue *rxq, + struct sk_buff *skb) + { + unsigned long long data_bus_addr, data_base_addr; ++ struct skb_shared_info *shinfo = skb_shinfo(skb); + struct device *dev = rxq->dpmaif_ctrl->dev; + struct dpmaif_bat_page *page_info; + unsigned int data_len; +@@ -402,18 +403,22 @@ static int t7xx_dpmaif_set_frag_to_skb(const struct dpmaif_rx_queue *rxq, + + page_info = rxq->bat_frag->bat_skb; + page_info += t7xx_normal_pit_bid(pkt_info); +- dma_unmap_page(dev, page_info->data_bus_addr, page_info->data_len, DMA_FROM_DEVICE); + + if (!page_info->page) + return -EINVAL; + ++ if (shinfo->nr_frags >= MAX_SKB_FRAGS) ++ return -EINVAL; ++ ++ dma_unmap_page(dev, page_info->data_bus_addr, page_info->data_len, DMA_FROM_DEVICE); ++ + data_bus_addr = le32_to_cpu(pkt_info->pd.data_addr_h); + data_bus_addr = (data_bus_addr << 32) + le32_to_cpu(pkt_info->pd.data_addr_l); + data_base_addr = page_info->data_bus_addr; + data_offset = data_bus_addr - data_base_addr; + data_offset += page_info->offset; + data_len = FIELD_GET(PD_PIT_DATA_LEN, le32_to_cpu(pkt_info->header)); +- skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags, page_info->page, ++ skb_add_rx_frag(skb, shinfo->nr_frags, page_info->page, + data_offset, data_len, page_info->data_len); + + page_info->page = NULL; +-- +2.51.0 + 
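Review bot: The added `nr_frags` check in t7xx_dpmaif_set_frag_to_skb() bounds the fragment count, but the fragment's offset and length still come straight from the device: `data_offset` is derived from `pkt_info->pd.data_addr_h`/`data_addr_l` and `data_len` from `pkt_info->header`, and neither is compared with `page_info->data_len` before skb_add_rx_frag(). A descriptor whose address or length falls outside the mapped buffer would leave the skb referencing memory beyond it, which is the same untrusted-firmware case the commit message describes. The range check belongs before dma_unmap_page(), for the reason the commit gives for placing the nr_frags check there. This assumes `page_info->data_len` is the mapped size, as its use in dma_unmap_page() suggests; the index from t7xx_normal_pit_bid() into `bat_skb` is likewise not validated in the visible lines and may be checked by the caller.

```c
	if (shinfo->nr_frags >= MAX_SKB_FRAGS)
		return -EINVAL;

	/* Validate the device-supplied address and length before unmapping. */
	data_bus_addr = le32_to_cpu(pkt_info->pd.data_addr_h);
	data_bus_addr = (data_bus_addr << 32) + le32_to_cpu(pkt_info->pd.data_addr_l);
	data_base_addr = page_info->data_bus_addr;
	data_len = FIELD_GET(PD_PIT_DATA_LEN, le32_to_cpu(pkt_info->header));
	if (data_bus_addr < data_base_addr ||
	    data_bus_addr - data_base_addr > page_info->data_len ||
	    data_len > page_info->data_len - (data_bus_addr - data_base_addr))
		return -EINVAL;

	dma_unmap_page(dev, page_info->data_bus_addr, page_info->data_len, DMA_FROM_DEVICE);
	/* … unchanged: data_offset computation and skb_add_rx_frag() call … */
```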
diff --git a/queue-6.18/nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch b/queue-6.18/nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch
new file mode 100644
index 0000000000..d9a64344a9
--- /dev/null
+++ b/queue-6.18/nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch
@@ -0,0 +1,167 @@ +From a66d7c4b5d81961bdbc91a02e66eed00d22179b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 25 Jan 2026 00:59:28 +0000 +Subject: nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame(). + +From: Kuniyuki Iwashima + +[ Upstream commit 165c34fb6068ff153e3fc99a932a80a9d5755709 ] + +syzbot reported various memory leaks related to NFC, struct +nfc_llcp_sock, sk_buff, nfc_dev, etc. [0] + +The leading log hinted that nfc_llcp_send_ui_frame() failed +to allocate skb due to sock_error(sk) being -ENXIO. + +ENXIO is set by nfc_llcp_socket_release() when struct +nfc_llcp_local is destroyed by local_cleanup(). + +The problem is that there is no synchronisation between +nfc_llcp_send_ui_frame() and local_cleanup(), and skb +could be put into local->tx_queue after it was purged in +local_cleanup(): + + CPU1 CPU2 + ---- ---- + nfc_llcp_send_ui_frame() local_cleanup() + |- do { ' + |- pdu = nfc_alloc_send_skb(..., &err) + | . + | |- nfc_llcp_socket_release(local, false, ENXIO); + | |- skb_queue_purge(&local->tx_queue); | + | ' | + |- skb_queue_tail(&local->tx_queue, pdu); | + ... | + |- pdu = nfc_alloc_send_skb(..., &err) | + ^._________________________________.' + +local_cleanup() is called for struct nfc_llcp_local only +after nfc_llcp_remove_local() unlinks it from llcp_devices. + +If we hold local->tx_queue.lock then, we can synchronise +the thread and nfc_llcp_send_ui_frame(). + +Let's do that and check list_empty(&local->list) before +queuing skb to local->tx_queue in nfc_llcp_send_ui_frame(). + +[0]: +[ 56.074943][ T6096] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6) +[ 64.318868][ T5813] kmemleak: 6 new suspected memory leaks (see /sys/kernel/debug/kmemleak) +BUG: memory leak +unreferenced object 0xffff8881272f6800 (size 1024): + comm "syz.0.17", pid 6096, jiffies 4294942766 + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
+ 27 00 03 40 00 00 00 00 00 00 00 00 00 00 00 00 '..@............ + backtrace (crc da58d84d): + kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] + slab_post_alloc_hook mm/slub.c:4979 [inline] + slab_alloc_node mm/slub.c:5284 [inline] + __do_kmalloc_node mm/slub.c:5645 [inline] + __kmalloc_noprof+0x3e3/0x6b0 mm/slub.c:5658 + kmalloc_noprof include/linux/slab.h:961 [inline] + sk_prot_alloc+0x11a/0x1b0 net/core/sock.c:2239 + sk_alloc+0x36/0x360 net/core/sock.c:2295 + nfc_llcp_sock_alloc+0x37/0x130 net/nfc/llcp_sock.c:979 + llcp_sock_create+0x71/0xd0 net/nfc/llcp_sock.c:1044 + nfc_sock_create+0xc9/0xf0 net/nfc/af_nfc.c:31 + __sock_create+0x1a9/0x340 net/socket.c:1605 + sock_create net/socket.c:1663 [inline] + __sys_socket_create net/socket.c:1700 [inline] + __sys_socket+0xb9/0x1a0 net/socket.c:1747 + __do_sys_socket net/socket.c:1761 [inline] + __se_sys_socket net/socket.c:1759 [inline] + __x64_sys_socket+0x1b/0x30 net/socket.c:1759 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +BUG: memory leak +unreferenced object 0xffff88810fbd9800 (size 240): + comm "syz.0.17", pid 6096, jiffies 4294942850 + hex dump (first 32 bytes): + 68 f0 ff 08 81 88 ff ff 68 f0 ff 08 81 88 ff ff h.......h....... + 00 00 00 00 00 00 00 00 00 68 2f 27 81 88 ff ff .........h/'.... 
+ backtrace (crc 6cc652b1): + kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] + slab_post_alloc_hook mm/slub.c:4979 [inline] + slab_alloc_node mm/slub.c:5284 [inline] + kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5336 + __alloc_skb+0x203/0x240 net/core/skbuff.c:660 + alloc_skb include/linux/skbuff.h:1383 [inline] + alloc_skb_with_frags+0x69/0x3f0 net/core/skbuff.c:6671 + sock_alloc_send_pskb+0x379/0x3e0 net/core/sock.c:2965 + sock_alloc_send_skb include/net/sock.h:1859 [inline] + nfc_alloc_send_skb+0x45/0x80 net/nfc/core.c:724 + nfc_llcp_send_ui_frame+0x162/0x360 net/nfc/llcp_commands.c:766 + llcp_sock_sendmsg+0x14c/0x1d0 net/nfc/llcp_sock.c:814 + sock_sendmsg_nosec net/socket.c:727 [inline] + __sock_sendmsg net/socket.c:742 [inline] + __sys_sendto+0x2d8/0x2f0 net/socket.c:2244 + __do_sys_sendto net/socket.c:2251 [inline] + __se_sys_sendto net/socket.c:2247 [inline] + __x64_sys_sendto+0x28/0x30 net/socket.c:2247 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: 94f418a20664 ("NFC: UI frame sending routine implementation") +Reported-by: syzbot+f2d245f1d76bbfa50e4c@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/697569c7.a00a0220.33ccc7.0014.GAE@google.com/T/#u +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20260125010214.1572439-1-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/nfc/llcp_commands.c | 17 ++++++++++++++++- + net/nfc/llcp_core.c | 4 +++- + 2 files changed, 19 insertions(+), 2 deletions(-) + +diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c +index e2680a3bef799..b652323bc2c12 100644 +--- a/net/nfc/llcp_commands.c ++++ b/net/nfc/llcp_commands.c +@@ -778,8 +778,23 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap, + if (likely(frag_len > 0)) + skb_put_data(pdu, msg_ptr, 
frag_len); + ++ spin_lock(&local->tx_queue.lock); ++ ++ if (list_empty(&local->list)) { ++ spin_unlock(&local->tx_queue.lock); ++ ++ kfree_skb(pdu); ++ ++ len -= remaining_len; ++ if (len == 0) ++ len = -ENXIO; ++ break; ++ } ++ + /* No need to check for the peer RW for UI frames */ +- skb_queue_tail(&local->tx_queue, pdu); ++ __skb_queue_tail(&local->tx_queue, pdu); ++ ++ spin_unlock(&local->tx_queue.lock); + + remaining_len -= frag_len; + msg_ptr += frag_len; +diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c +index beeb3b4d28cab..444a3774c8e80 100644 +--- a/net/nfc/llcp_core.c ++++ b/net/nfc/llcp_core.c +@@ -316,7 +316,9 @@ static struct nfc_llcp_local *nfc_llcp_remove_local(struct nfc_dev *dev) + spin_lock(&llcp_devices_lock); + list_for_each_entry_safe(local, tmp, &llcp_devices, list) + if (local->dev == dev) { +- list_del(&local->list); ++ spin_lock(&local->tx_queue.lock); ++ list_del_init(&local->list); ++ spin_unlock(&local->tx_queue.lock); + spin_unlock(&llcp_devices_lock); + return local; + } +-- +2.51.0 + diff --git a/queue-6.18/nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch b/queue-6.18/nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch new file mode 100644 index 0000000000..fd563f5476 --- /dev/null +++ b/queue-6.18/nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch 
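Review bot: The new locking in nfc_llcp_send_ui_frame() takes `local->tx_queue.lock` with plain `spin_lock()`, whereas the `skb_queue_tail()` it replaces took the same lock with interrupts disabled; nfc_llcp_remove_local() does the same. If any user of `tx_queue` runs in softirq or interrupt context this can deadlock, so either use an interrupt-safe variant such as `spin_lock_irqsave()` or add a comment stating that every taker of this lock runs in process context; the other users are outside the hunks. The patch also establishes the nesting `llcp_devices_lock` then `tx_queue.lock` and makes `list_empty(&local->list)` the test for a local that is being torn down. Both are worth a comment at the `list_del_init()` call, e.g. `/* tx_queue.lock orders this against queuing in nfc_llcp_send_ui_frame() */`.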
@@ -0,0 +1,197 @@ +From 90a9a5e2096da7ec1fa3319d9d7bf09b5e80d324 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Jan 2026 04:03:59 +0000 +Subject: nfc: nci: Fix race between rfkill and nci_unregister_device(). + +From: Kuniyuki Iwashima + +[ Upstream commit d2492688bb9fed6ab6e313682c387ae71a66ebae ] + +syzbot reported the splat below [0] without a repro. + +It indicates that struct nci_dev.cmd_wq had been destroyed before +nci_close_device() was called via rfkill. + +nci_dev.cmd_wq is only destroyed in nci_unregister_device(), which +(I think) was called from virtual_ncidev_close() when syzbot close()d +an fd of virtual_ncidev. + +The problem is that nci_unregister_device() destroys nci_dev.cmd_wq +first and then calls nfc_unregister_device(), which removes the +device from rfkill by rfkill_unregister(). + +So, the device is still visible via rfkill even after nci_dev.cmd_wq +is destroyed. + +Let's unregister the device from rfkill first in nci_unregister_device(). + +Note that we cannot call nfc_unregister_device() before +nci_close_device() because + + 1) nfc_unregister_device() calls device_del() which frees + all memory allocated by devm_kzalloc() and linked to + ndev->conn_info_list + + 2) nci_rx_work() could try to queue nci_conn_info to + ndev->conn_info_list which could be leaked + +Thus, nfc_unregister_device() is split into two functions so we +can remove rfkill interfaces only before nci_close_device(). 
+ +[0]: +DEBUG_LOCKS_WARN_ON(1) +WARNING: kernel/locking/lockdep.c:238 at hlock_class kernel/locking/lockdep.c:238 [inline], CPU#0: syz.0.8675/6349 +WARNING: kernel/locking/lockdep.c:238 at check_wait_context kernel/locking/lockdep.c:4854 [inline], CPU#0: syz.0.8675/6349 +WARNING: kernel/locking/lockdep.c:238 at __lock_acquire+0x39d/0x2cf0 kernel/locking/lockdep.c:5187, CPU#0: syz.0.8675/6349 +Modules linked in: +CPU: 0 UID: 0 PID: 6349 Comm: syz.0.8675 Not tainted syzkaller #0 PREEMPT(full) +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026 +RIP: 0010:hlock_class kernel/locking/lockdep.c:238 [inline] +RIP: 0010:check_wait_context kernel/locking/lockdep.c:4854 [inline] +RIP: 0010:__lock_acquire+0x3a4/0x2cf0 kernel/locking/lockdep.c:5187 +Code: 18 00 4c 8b 74 24 08 75 27 90 e8 17 f2 fc 02 85 c0 74 1c 83 3d 50 e0 4e 0e 00 75 13 48 8d 3d 43 f7 51 0e 48 c7 c6 8b 3a de 8d <67> 48 0f b9 3a 90 31 c0 0f b6 98 c4 00 00 00 41 8b 45 20 25 ff 1f +RSP: 0018:ffffc9000c767680 EFLAGS: 00010046 +RAX: 0000000000000001 RBX: 0000000000040000 RCX: 0000000000080000 +RDX: ffffc90013080000 RSI: ffffffff8dde3a8b RDI: ffffffff8ff24ca0 +RBP: 0000000000000003 R08: ffffffff8fef35a3 R09: 1ffffffff1fde6b4 +R10: dffffc0000000000 R11: fffffbfff1fde6b5 R12: 00000000000012a2 +R13: ffff888030338ba8 R14: ffff888030338000 R15: ffff888030338b30 +FS: 00007fa5995f66c0(0000) GS:ffff8881256f8000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f7e72f842d0 CR3: 00000000485a0000 CR4: 00000000003526f0 +Call Trace: + + lock_acquire+0x106/0x330 kernel/locking/lockdep.c:5868 + touch_wq_lockdep_map+0xcb/0x180 kernel/workqueue.c:3940 + __flush_workqueue+0x14b/0x14f0 kernel/workqueue.c:3982 + nci_close_device+0x302/0x630 net/nfc/nci/core.c:567 + nci_dev_down+0x3b/0x50 net/nfc/nci/core.c:639 + nfc_dev_down+0x152/0x290 net/nfc/core.c:161 + nfc_rfkill_set_block+0x2d/0x100 net/nfc/core.c:179 + rfkill_set_block+0x1d2/0x440 
net/rfkill/core.c:346 + rfkill_fop_write+0x461/0x5a0 net/rfkill/core.c:1301 + vfs_write+0x29a/0xb90 fs/read_write.c:684 + ksys_write+0x150/0x270 fs/read_write.c:738 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7fa59b39acb9 +Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007fa5995f6028 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +RAX: ffffffffffffffda RBX: 00007fa59b615fa0 RCX: 00007fa59b39acb9 +RDX: 0000000000000008 RSI: 0000200000000080 RDI: 0000000000000007 +RBP: 00007fa59b408bf7 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007fa59b616038 R14: 00007fa59b615fa0 R15: 00007ffc82218788 + + +Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation") +Reported-by: syzbot+f9c5fd1a0874f9069dce@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/695e7f56.050a0220.1c677c.036c.GAE@google.com/ +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20260127040411.494931-1-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/nfc/nfc.h | 2 ++ + net/nfc/core.c | 27 ++++++++++++++++++++++++--- + net/nfc/nci/core.c | 4 +++- + 3 files changed, 29 insertions(+), 4 deletions(-) + +diff --git a/include/net/nfc/nfc.h b/include/net/nfc/nfc.h +index 127e6c7d910dc..c54df042db6be 100644 +--- a/include/net/nfc/nfc.h ++++ b/include/net/nfc/nfc.h +@@ -219,6 +219,8 @@ static inline void nfc_free_device(struct nfc_dev *dev) + + int nfc_register_device(struct nfc_dev *dev); + ++void nfc_unregister_rfkill(struct nfc_dev *dev); ++void nfc_remove_device(struct nfc_dev *dev); + void nfc_unregister_device(struct nfc_dev *dev); + + /** +diff --git 
a/net/nfc/core.c b/net/nfc/core.c +index 82f023f377541..f50e5bab35d8e 100644 +--- a/net/nfc/core.c ++++ b/net/nfc/core.c +@@ -1147,14 +1147,14 @@ int nfc_register_device(struct nfc_dev *dev) + EXPORT_SYMBOL(nfc_register_device); + + /** +- * nfc_unregister_device - unregister a nfc device in the nfc subsystem ++ * nfc_unregister_rfkill - unregister a nfc device in the rfkill subsystem + * + * @dev: The nfc device to unregister + */ +-void nfc_unregister_device(struct nfc_dev *dev) ++void nfc_unregister_rfkill(struct nfc_dev *dev) + { +- int rc; + struct rfkill *rfk = NULL; ++ int rc; + + pr_debug("dev_name=%s\n", dev_name(&dev->dev)); + +@@ -1175,7 +1175,16 @@ void nfc_unregister_device(struct nfc_dev *dev) + rfkill_unregister(rfk); + rfkill_destroy(rfk); + } ++} ++EXPORT_SYMBOL(nfc_unregister_rfkill); + ++/** ++ * nfc_remove_device - remove a nfc device in the nfc subsystem ++ * ++ * @dev: The nfc device to remove ++ */ ++void nfc_remove_device(struct nfc_dev *dev) ++{ + if (dev->ops->check_presence) { + timer_delete_sync(&dev->check_pres_timer); + cancel_work_sync(&dev->check_pres_work); +@@ -1188,6 +1197,18 @@ void nfc_unregister_device(struct nfc_dev *dev) + device_del(&dev->dev); + mutex_unlock(&nfc_devlist_mutex); + } ++EXPORT_SYMBOL(nfc_remove_device); ++ ++/** ++ * nfc_unregister_device - unregister a nfc device in the nfc subsystem ++ * ++ * @dev: The nfc device to unregister ++ */ ++void nfc_unregister_device(struct nfc_dev *dev) ++{ ++ nfc_unregister_rfkill(dev); ++ nfc_remove_device(dev); ++} + EXPORT_SYMBOL(nfc_unregister_device); + + static int __init nfc_init(void) +diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c +index fc921cd2cdffa..e419e020a70a3 100644 +--- a/net/nfc/nci/core.c ++++ b/net/nfc/nci/core.c +@@ -1303,6 +1303,8 @@ void nci_unregister_device(struct nci_dev *ndev) + { + struct nci_conn_info *conn_info, *n; + ++ nfc_unregister_rfkill(ndev->nfc_dev); ++ + /* This set_bit is not protected with specialized barrier, + * However, it is 
fine because the mutex_lock(&ndev->req_lock); + * in nci_close_device() will help to emit one. +@@ -1320,7 +1322,7 @@ void nci_unregister_device(struct nci_dev *ndev) + /* conn_info is allocated with devm_kzalloc */ + } + +- nfc_unregister_device(ndev->nfc_dev); ++ nfc_remove_device(ndev->nfc_dev); + } + EXPORT_SYMBOL(nci_unregister_device); + +-- +2.51.0 + diff --git a/queue-6.18/octeon_ep-fix-memory-leak-in-octep_device_setup.patch b/queue-6.18/octeon_ep-fix-memory-leak-in-octep_device_setup.patch new file mode 100644 index 0000000000..a85ff04a0c --- /dev/null +++ b/queue-6.18/octeon_ep-fix-memory-leak-in-octep_device_setup.patch 
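Review bot: The kernel-doc for the two new exports, nfc_unregister_rfkill() and nfc_remove_device() in net/nfc/core.c, does not state the ordering contract the split exists for. nfc_unregister_rfkill() has to come first and nfc_remove_device() last, with the driver's own close in between, as nci_unregister_device() now does; a caller that uses nfc_remove_device() alone would skip the rfkill teardown. I would add a line to the nfc_remove_device() comment such as ` * Must be called after nfc_unregister_rfkill(); most drivers should use nfc_unregister_device().` The middle of nfc_unregister_rfkill() is outside the hunks, so whether a second call is harmless cannot be seen here.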
@@ -0,0 +1,46 @@
+From 8a45f3310e08a03b44e60cb1a1f751722dfed44c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 21 Jan 2026 13:05:51 +0000
+Subject: octeon_ep: Fix memory leak in octep_device_setup()
+
+From: Zilin Guan
+
+[ Upstream commit 8016dc5ee19a77678c264f8ba368b1e873fa705b ]
+
+In octep_device_setup(), if octep_ctrl_net_init() fails, the function
+returns directly without unmapping the mapped resources and freeing the
+allocated configuration memory.
+
+Fix this by jumping to the unsupported_dev label, which performs the
+necessary cleanup. This aligns with the error handling logic of other
+paths in this function.
+
+Compile tested only. Issue found using a prototype static analysis tool
+and code review.
+
+Fixes: 577f0d1b1c5f ("octeon_ep: add separate mailbox command and response queues")
+Signed-off-by: Zilin Guan
+Reviewed-by: Vadim Fedorenko
+Link: https://patch.msgid.link/20260121130551.3717090-1-zilin@seu.edu.cn
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/marvell/octeon_ep/octep_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeon_ep/octep_main.c b/drivers/net/ethernet/marvell/octeon_ep/octep_main.c
+index bcea3fc26a8c7..57db7ea2f5be9 100644
+--- a/drivers/net/ethernet/marvell/octeon_ep/octep_main.c
++++ b/drivers/net/ethernet/marvell/octeon_ep/octep_main.c
+@@ -1338,7 +1338,7 @@ int octep_device_setup(struct octep_device *oct)
+
+ ret = octep_ctrl_net_init(oct);
+ if (ret)
+- return ret;
++ goto unsupported_dev;
+
+ INIT_WORK(&oct->tx_timeout_task, octep_tx_timeout_task);
+ INIT_WORK(&oct->ctrl_mbox_task, octep_ctrl_mbox_task);
+--
+2.51.0
+
diff --git a/queue-6.18/readdir-require-opt-in-for-d_type-flags.patch b/queue-6.18/readdir-require-opt-in-for-d_type-flags.patch
new file mode 100644
index 0000000000..a3c0c08ca8
--- /dev/null
+++ b/queue-6.18/readdir-require-opt-in-for-d_type-flags.patch
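Review bot: The new `goto unsupported_dev` in octep_device_setup() sends an octep_ctrl_net_init() failure through a label named for a different condition, and the label's body is outside the hunk. If that path returns a fixed error code or logs an unsupported-device message, the value in `ret` is lost and the log will mislead, so it is worth confirming that the label ends in `return ret;`. A short comment at the jump, `/* shared cleanup: unmaps the regions and frees the config */`, would explain why the label is reused.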
@@ -0,0 +1,92 @@
+From 0172410f66d957efd1248ac7a994c7b865e08ec2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 8 Jan 2026 08:45:22 +0100
+Subject: readdir: require opt-in for d_type flags
+
+From: Amir Goldstein
+
+[ Upstream commit c644bce62b9c6b441143a03c910f986109c47001 ]
+
+Commit c31f91c6af96 ("fuse: don't allow signals to interrupt getdents
+copying") introduced the use of high bits in d_type as flags. However,
+overlayfs was not adapted to handle this change.
+
+In ovl_cache_entry_new(), the code checks if d_type == DT_CHR to
+determine if an entry might be a whiteout. When fuse is used as the
+lower layer and sets high bits in d_type, this comparison fails,
+causing whiteout files to not be recognized properly and resulting in
+incorrect overlayfs behavior.
+
+Fix this by requiring callers of iterate_dir() to opt-in for getting
+flag bits in d_type outside of S_DT_MASK.
+
+Fixes: c31f91c6af96 ("fuse: don't allow signals to interrupt getdents copying")
+Link: https://lore.kernel.org/all/20260107034551.439-1-luochunsheng@ustc.edu/
+Link: https://github.com/containerd/stargz-snapshotter/issues/2214
+Reported-by: Chunsheng Luo
+Reviewed-by: Chunsheng Luo
+Tested-by: Chunsheng Luo
+Signed-off-by: Amir Goldstein
+Link: https://patch.msgid.link/20260108074522.3400998-1-amir73il@gmail.com
+Signed-off-by: Christian Brauner
+Signed-off-by: Sasha Levin
+---
+ fs/readdir.c | 3 +++
+ include/linux/fs.h | 6 +++++-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/fs/readdir.c b/fs/readdir.c
+index 7764b86389788..73707b6816e9a 100644
+--- a/fs/readdir.c
++++ b/fs/readdir.c
+@@ -316,6 +316,7 @@ SYSCALL_DEFINE3(getdents, unsigned int, fd,
+ struct getdents_callback buf = {
+ .ctx.actor = filldir,
+ .ctx.count = count,
++ .ctx.dt_flags_mask = FILLDIR_FLAG_NOINTR,
+ .current_dir = dirent
+ };
+ int error;
+@@ -400,6 +401,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int, fd,
+ struct getdents_callback64 buf = {
+ .ctx.actor = filldir64,
+ .ctx.count = count,
++ .ctx.dt_flags_mask = FILLDIR_FLAG_NOINTR,
+ .current_dir = dirent
+ };
+ int error;
+@@ -569,6 +571,7 @@ COMPAT_SYSCALL_DEFINE3(getdents, unsigned int, fd,
+ struct compat_getdents_callback buf = {
+ .ctx.actor = compat_filldir,
+ .ctx.count = count,
++ .ctx.dt_flags_mask = FILLDIR_FLAG_NOINTR,
+ .current_dir = dirent,
+ };
+ int error;
+diff --git a/include/linux/fs.h b/include/linux/fs.h
+index 9b2230fb2332f..3e965c77fa1b1 100644
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -2207,6 +2207,8 @@ struct dir_context {
+ * INT_MAX unlimited
+ */
+ int count;
++ /* @actor supports these flags in d_type high bits */
++ unsigned int dt_flags_mask;
+ };
+
+ /* If OR-ed with d_type, pending signals are not checked */
+@@ -3985,7 +3987,9 @@ static inline bool dir_emit(struct dir_context *ctx,
+ const char *name, int namelen,
+ u64 ino, unsigned type)
+ {
+- return ctx->actor(ctx, name, namelen, ctx->pos, ino, type);
++ unsigned int dt_mask = S_DT_MASK | ctx->dt_flags_mask;
++
++ return ctx->actor(ctx, name, namelen, ctx->pos, ino, type & dt_mask);
+ }
+ static inline bool dir_emit_dot(struct file *file, struct dir_context *ctx)
+ {
+--
+2.51.0
+
diff --git a/queue-6.18/rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch b/queue-6.18/rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch
new file mode 100644
index 0000000000..9b938f1fca
--- /dev/null
+++ b/queue-6.18/rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch
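Review bot: The new `dt_flags_mask` field in struct dir_context relies on every context being zero-initialised, because dir_emit() now computes `S_DT_MASK | ctx->dt_flags_mask` on each call. The three getdents initialisers shown use designated initialisers, so the default there is a mask of 0, but a dir_context built without an initialiser (none is visible here) would let stale bits through to its actor. The field comment could state the default, for example `/* flag bits above S_DT_MASK that @actor accepts; 0 means they are stripped */`. The masking also covers only entries emitted through dir_emit(); any caller that invokes `ctx->actor` directly, if one exists outside these hunks, is not covered.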
@@ -0,0 +1,56 @@
+From c918f6e830dc4374c573f3d2eefac9e55fb9670c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 24 Jan 2026 05:10:31 +0800
+Subject: rocker: fix memory leak in rocker_world_port_post_fini()
+
+From: Kery Qi
+
+[ Upstream commit 8d7ba71e46216b8657a82ca2ec118bc93812a4d0 ]
+
+In rocker_world_port_pre_init(), rocker_port->wpriv is allocated with
+kzalloc(wops->port_priv_size, GFP_KERNEL). However, in
+rocker_world_port_post_fini(), the memory is only freed when
+wops->port_post_fini callback is set:
+
+ if (!wops->port_post_fini)
+ return;
+ wops->port_post_fini(rocker_port);
+ kfree(rocker_port->wpriv);
+
+Since rocker_ofdpa_ops does not implement port_post_fini callback
+(it is NULL), the wpriv memory allocated for each port is never freed
+when ports are removed. This leads to a memory leak of
+sizeof(struct ofdpa_port) bytes per port on every device removal.
+
+Fix this by always calling kfree(rocker_port->wpriv) regardless of
+whether the port_post_fini callback exists.
+
+Fixes: e420114eef4a ("rocker: introduce worlds infrastructure")
+Signed-off-by: Kery Qi
+Reviewed-by: Simon Horman
+Link: https://patch.msgid.link/20260123211030.2109-2-qikeyu2017@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/rocker/rocker_main.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/rocker/rocker_main.c b/drivers/net/ethernet/rocker/rocker_main.c
+index 36af94a2e062a..2794f75df8fcb 100644
+--- a/drivers/net/ethernet/rocker/rocker_main.c
++++ b/drivers/net/ethernet/rocker/rocker_main.c
+@@ -1524,9 +1524,8 @@ static void rocker_world_port_post_fini(struct rocker_port *rocker_port)
+ {
+ struct rocker_world_ops *wops = rocker_port->rocker->wops;
+
+- if (!wops->port_post_fini)
+- return;
+- wops->port_post_fini(rocker_port);
++ if (wops->port_post_fini)
++ wops->port_post_fini(rocker_port);
+ kfree(rocker_port->wpriv);
+ }
+
+--
+2.51.0
+
diff --git a/queue-6.18/series b/queue-6.18/series
new file mode 100644
index 0000000000..f7c3bc0cf3
--- /dev/null
+++ b/queue-6.18/series
@@ -0,0 +1,37 @@
+readdir-require-opt-in-for-d_type-flags.patch
+btrfs-zlib-fix-the-folio-leak-on-s390-hardware-accel.patch
+can-at91_can-fix-memory-leak-in-at91_can_probe.patch
+bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch
+bluetooth-mgmt-fix-memory-leak-in-set_ssp_complete.patch
+net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch
+can-gs_usb-gs_usb_receive_bulk_callback-fix-error-me.patch
+net-bcmasp-fix-early-exit-leak-with-fixed-phy.patch
+octeon_ep-fix-memory-leak-in-octep_device_setup.patch
+bonding-annotate-data-races-around-slave-last_rx.patch
+sfc-fix-deadlock-in-rss-config-read.patch
+net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch
+ipv6-use-the-right-ifindex-when-replying-to-icmpv6-f.patch
+net-wwan-t7xx-fix-potential-skb-frags-overflow-in-rx.patch
+net-mlx5-fix-return-type-mismatch-in-mlx5_esw_vport_.patch
+rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch
+mptcp-fix-race-in-mptcp_pm_nl_flush_addrs_doit.patch
+net-spacemit-check-for-netif_carrier_ok-in-emac_stat.patch
+nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch
+bonding-fix-use-after-free-due-to-enslave-fail-after.patch
+ixgbe-fix-memory-leaks-in-the-ixgbe_recovery_probe-p.patch
+ixgbe-don-t-initialize-aci-lock-in-ixgbe_recovery_pr.patch
+ice-fix-null-pointer-dereference-in-ice_vsi_set_napi.patch
+ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch
+net-mlx5e-tc-delete-flows-only-for-existing-peers.patch
+net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch
+nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch
+net-bridge-fix-static-key-check.patch
+net-mlx5e-don-t-assume-psp-tx-skbs-are-ipv6-csum-han.patch
+net-phy-micrel-fix-clk-warning-when-removing-the-dri.patch
+net-mlx5-fs-fix-inverted-cap-check-in-tx-flow-table-.patch
+net-mlx5-initialize-events-outside-devlink-lock.patch
+net-mlx5-fix-vhca_id-access-call-trace-use-before-al.patch
+net-mlx5e-skip-esn-replay-window-setup-for-ipsec-cry.patch
+wifi-mac80211-parse-all-ttlm-entries.patch
+wifi-mac80211-apply-advertised-ttlm-from-association.patch
+wifi-mac80211-correctly-decode-ttlm-with-default-lin.patch
diff --git a/queue-6.18/sfc-fix-deadlock-in-rss-config-read.patch b/queue-6.18/sfc-fix-deadlock-in-rss-config-read.patch
new file mode 100644
index 0000000000..0768cc1a8b
--- /dev/null
+++ b/queue-6.18/sfc-fix-deadlock-in-rss-config-read.patch
@@ -0,0 +1,46 @@
+From 0a97f9fa820a0f2db755bcef81db707a978d87b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 23 Jan 2026 16:16:34 +0000
+Subject: sfc: fix deadlock in RSS config read
+
+From: Edward Cree
+
+[ Upstream commit 944c614b0a7afa5b87612c3fb557b95a50ad654c ]
+
+Since cited commit, core locks the net_device's rss_lock when handling
+ ethtool -x command, so driver's implementation should not lock it
+ again. Remove the latter.
+
+Fixes: 040cef30b5e6 ("net: ethtool: move get_rxfh callback under the rss_lock")
+Reported-by: Damir Mansurov
+Closes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126015
+Suggested-by: Ben Hutchings
+Signed-off-by: Edward Cree
+Link: https://patch.msgid.link/20260123161634.1215006-1-edward.cree@amd.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/sfc/mcdi_filters.c | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/sfc/mcdi_filters.c b/drivers/net/ethernet/sfc/mcdi_filters.c
+index 6ef96292909a2..3db589b90b68a 100644
+--- a/drivers/net/ethernet/sfc/mcdi_filters.c
++++ b/drivers/net/ethernet/sfc/mcdi_filters.c
+@@ -2182,12 +2182,7 @@ int efx_mcdi_rx_pull_rss_context_config(struct efx_nic *efx,
+
+ int efx_mcdi_rx_pull_rss_config(struct efx_nic *efx)
+ {
+- int rc;
+-
+- mutex_lock(&efx->net_dev->ethtool->rss_lock);
+- rc = efx_mcdi_rx_pull_rss_context_config(efx, &efx->rss_context);
+- mutex_unlock(&efx->net_dev->ethtool->rss_lock);
+- return rc;
++ return efx_mcdi_rx_pull_rss_context_config(efx, &efx->rss_context);
+ }
+
+ void efx_mcdi_rx_restore_rss_contexts(struct efx_nic *efx)
+--
+2.51.0
+
diff --git a/queue-6.18/wifi-mac80211-apply-advertised-ttlm-from-association.patch b/queue-6.18/wifi-mac80211-apply-advertised-ttlm-from-association.patch
new file mode 100644
index 0000000000..51b4e55fd0
--- /dev/null
+++ b/queue-6.18/wifi-mac80211-apply-advertised-ttlm-from-association.patch
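Review bot: efx_mcdi_rx_pull_rss_config() now reads into `efx->rss_context` with no locking of its own and relies on the caller already holding `rss_lock`, but nothing in the function states or checks that. If every caller is expected to hold the lock, `lockdep_assert_held(&efx->net_dev->ethtool->rss_lock);` at the top would document the contract and flag a caller that does not. The other callers are outside this hunk, so that expectation needs confirming before the assertion is added.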
@@ -0,0 +1,315 @@ +From 6d4e008d166b218e87d5c9adc9a207a61ae975c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jan 2026 09:51:14 +0200 +Subject: wifi: mac80211: apply advertised TTLM from association response + +From: Benjamin Berg + +[ Upstream commit aebc29dec67aa998a9ea6d34aacba7b5c6a74d33 ] + +When the AP has a disabled link that the station can include in the +association, the fact that the link is dormant needs to be advertised +in the TID to Link Mapping (TTLM). Section 35.3.7.2.3 ("Negotiation of +TTLM") of Draft P802.11REVmf_D1.0 also states that the mapping needs to +be included in the association response frame. + +As such, we can simply rely on the TTLM from the association response. +Before this change mac80211 would not properly track that an advertised +TTLM was effectively active, resulting in it not enabling the link once +it became available again. + +For the link reconfiguration case, the data was not used at all. This +behaviour is actually correct because Draft P802.11REVmf_D1.0 states in +section 35.3.6.4 that we "shall operate with all the TIDs mapped to the +newly added links ..." 
+ +Fixes: 6d543b34dbcf ("wifi: mac80211: Support disabled links during association") +Signed-off-by: Benjamin Berg +Signed-off-by: Miri Korenblit +Link: https://patch.msgid.link/20260118093904.43c861424543.I067f702ac46b84ac3f8b4ea16fb0db9cbbfae7e2@changeid +Signed-off-by: Johannes Berg +Stable-dep-of: 1eab33aa63c9 ("wifi: mac80211: correctly decode TTLM with default link map") +Signed-off-by: Sasha Levin +--- + net/mac80211/ieee80211_i.h | 2 - + net/mac80211/mlme.c | 216 ++++++++++++++++++++----------------- + 2 files changed, 119 insertions(+), 99 deletions(-) + +diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h +index 878c3b14aeb80..5c0c833fcf7a9 100644 +--- a/net/mac80211/ieee80211_i.h ++++ b/net/mac80211/ieee80211_i.h +@@ -451,8 +451,6 @@ struct ieee80211_mgd_assoc_data { + struct ieee80211_conn_settings conn; + + u16 status; +- +- bool disabled; + } link[IEEE80211_MLD_MAX_NUM_LINKS]; + + u8 ap_addr[ETH_ALEN] __aligned(2); +diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c +index d70163c0b9e32..21c73a65f73f9 100644 +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -6161,6 +6161,98 @@ static bool ieee80211_get_dtim(const struct cfg80211_bss_ies *ies, + return true; + } + ++static u16 ieee80211_get_ttlm(u8 bm_size, u8 *data) ++{ ++ if (bm_size == 1) ++ return *data; ++ ++ return get_unaligned_le16(data); ++} ++ ++static int ++ieee80211_parse_adv_t2l(struct ieee80211_sub_if_data *sdata, ++ const struct ieee80211_ttlm_elem *ttlm, ++ struct ieee80211_adv_ttlm_info *ttlm_info) ++{ ++ /* The element size was already validated in ++ * ieee80211_tid_to_link_map_size_ok() ++ */ ++ u8 control, link_map_presence, map_size, tid; ++ u8 *pos; ++ ++ memset(ttlm_info, 0, sizeof(*ttlm_info)); ++ pos = (void *)ttlm->optional; ++ control = ttlm->control; ++ ++ if ((control & IEEE80211_TTLM_CONTROL_DIRECTION) != ++ IEEE80211_TTLM_DIRECTION_BOTH) { ++ sdata_info(sdata, "Invalid advertised T2L map direction\n"); ++ return -EINVAL; ++ } ++ ++ 
link_map_presence = *pos; ++ pos++; ++ ++ if (control & IEEE80211_TTLM_CONTROL_SWITCH_TIME_PRESENT) { ++ ttlm_info->switch_time = get_unaligned_le16(pos); ++ ++ /* Since ttlm_info->switch_time == 0 means no switch time, bump ++ * it by 1. ++ */ ++ if (!ttlm_info->switch_time) ++ ttlm_info->switch_time = 1; ++ ++ pos += 2; ++ } ++ ++ if (control & IEEE80211_TTLM_CONTROL_EXPECTED_DUR_PRESENT) { ++ ttlm_info->duration = pos[0] | pos[1] << 8 | pos[2] << 16; ++ pos += 3; ++ } ++ ++ if (control & IEEE80211_TTLM_CONTROL_DEF_LINK_MAP) { ++ ttlm_info->map = 0xffff; ++ return 0; ++ } ++ ++ if (control & IEEE80211_TTLM_CONTROL_LINK_MAP_SIZE) ++ map_size = 1; ++ else ++ map_size = 2; ++ ++ /* According to Draft P802.11be_D3.0 clause 35.3.7.1.7, an AP MLD shall ++ * not advertise a TID-to-link mapping that does not map all TIDs to the ++ * same link set, reject frame if not all links have mapping ++ */ ++ if (link_map_presence != 0xff) { ++ sdata_info(sdata, ++ "Invalid advertised T2L mapping presence indicator\n"); ++ return -EINVAL; ++ } ++ ++ ttlm_info->map = ieee80211_get_ttlm(map_size, pos); ++ if (!ttlm_info->map) { ++ sdata_info(sdata, ++ "Invalid advertised T2L map for TID 0\n"); ++ return -EINVAL; ++ } ++ ++ pos += map_size; ++ ++ for (tid = 1; tid < 8; tid++) { ++ u16 map = ieee80211_get_ttlm(map_size, pos); ++ ++ if (map != ttlm_info->map) { ++ sdata_info(sdata, "Invalid advertised T2L map for tid %d\n", ++ tid); ++ return -EINVAL; ++ } ++ ++ pos += map_size; ++ } ++ return 0; ++} ++ + static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata, + struct ieee80211_mgmt *mgmt, + struct ieee802_11_elems *elems, +@@ -6192,8 +6284,6 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata, + continue; + + valid_links |= BIT(link_id); +- if (assoc_data->link[link_id].disabled) +- dormant_links |= BIT(link_id); + + if (link_id != assoc_data->assoc_link_id) { + err = ieee80211_sta_allocate_link(sta, link_id); +@@ -6202,6 +6292,33 @@ static bool 
ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata, + } + } + ++ /* ++ * We do not support setting a negotiated TTLM during ++ * association. As such, we can assume that if there is a TTLM, ++ * then it is the currently active advertised TTLM. ++ * In that case, there must be exactly one TTLM that does not ++ * have a switch time set. This mapping should also leave us ++ * with at least one usable link. ++ */ ++ if (elems->ttlm_num > 1) { ++ sdata_info(sdata, ++ "More than one advertised TTLM in association response\n"); ++ goto out_err; ++ } else if (elems->ttlm_num == 1) { ++ if (ieee80211_parse_adv_t2l(sdata, elems->ttlm[0], ++ &sdata->u.mgd.ttlm_info) || ++ sdata->u.mgd.ttlm_info.switch_time != 0 || ++ !(valid_links & sdata->u.mgd.ttlm_info.map)) { ++ sdata_info(sdata, ++ "Invalid advertised TTLM in association response\n"); ++ goto out_err; ++ } ++ ++ sdata->u.mgd.ttlm_info.active = true; ++ dormant_links = ++ valid_links & ~sdata->u.mgd.ttlm_info.map; ++ } ++ + ieee80211_vif_set_links(sdata, valid_links, dormant_links); + } + +@@ -6991,98 +7108,6 @@ static void ieee80211_tid_to_link_map_work(struct wiphy *wiphy, + sdata->u.mgd.ttlm_info.switch_time = 0; + } + +-static u16 ieee80211_get_ttlm(u8 bm_size, u8 *data) +-{ +- if (bm_size == 1) +- return *data; +- else +- return get_unaligned_le16(data); +-} +- +-static int +-ieee80211_parse_adv_t2l(struct ieee80211_sub_if_data *sdata, +- const struct ieee80211_ttlm_elem *ttlm, +- struct ieee80211_adv_ttlm_info *ttlm_info) +-{ +- /* The element size was already validated in +- * ieee80211_tid_to_link_map_size_ok() +- */ +- u8 control, link_map_presence, map_size, tid; +- u8 *pos; +- +- memset(ttlm_info, 0, sizeof(*ttlm_info)); +- pos = (void *)ttlm->optional; +- control = ttlm->control; +- +- if ((control & IEEE80211_TTLM_CONTROL_DIRECTION) != +- IEEE80211_TTLM_DIRECTION_BOTH) { +- sdata_info(sdata, "Invalid advertised T2L map direction\n"); +- return -EINVAL; +- } +- +- link_map_presence = *pos; +- pos++; 
+- +- if (control & IEEE80211_TTLM_CONTROL_SWITCH_TIME_PRESENT) { +- ttlm_info->switch_time = get_unaligned_le16(pos); +- +- /* Since ttlm_info->switch_time == 0 means no switch time, bump +- * it by 1. +- */ +- if (!ttlm_info->switch_time) +- ttlm_info->switch_time = 1; +- +- pos += 2; +- } +- +- if (control & IEEE80211_TTLM_CONTROL_EXPECTED_DUR_PRESENT) { +- ttlm_info->duration = pos[0] | pos[1] << 8 | pos[2] << 16; +- pos += 3; +- } +- +- if (control & IEEE80211_TTLM_CONTROL_DEF_LINK_MAP) { +- ttlm_info->map = 0xffff; +- return 0; +- } +- +- if (control & IEEE80211_TTLM_CONTROL_LINK_MAP_SIZE) +- map_size = 1; +- else +- map_size = 2; +- +- /* According to Draft P802.11be_D3.0 clause 35.3.7.1.7, an AP MLD shall +- * not advertise a TID-to-link mapping that does not map all TIDs to the +- * same link set, reject frame if not all links have mapping +- */ +- if (link_map_presence != 0xff) { +- sdata_info(sdata, +- "Invalid advertised T2L mapping presence indicator\n"); +- return -EINVAL; +- } +- +- ttlm_info->map = ieee80211_get_ttlm(map_size, pos); +- if (!ttlm_info->map) { +- sdata_info(sdata, +- "Invalid advertised T2L map for TID 0\n"); +- return -EINVAL; +- } +- +- pos += map_size; +- +- for (tid = 1; tid < 8; tid++) { +- u16 map = ieee80211_get_ttlm(map_size, pos); +- +- if (map != ttlm_info->map) { +- sdata_info(sdata, "Invalid advertised T2L map for tid %d\n", +- tid); +- return -EINVAL; +- } +- +- pos += map_size; +- } +- return 0; +-} +- + static void ieee80211_process_adv_ttlm(struct ieee80211_sub_if_data *sdata, + struct ieee802_11_elems *elems, + u64 beacon_ts) +@@ -9729,7 +9754,6 @@ int ieee80211_mgd_assoc(struct ieee80211_sub_if_data *sdata, + req, true, i, + &assoc_data->link[i].conn); + assoc_data->link[i].bss = link_cbss; +- assoc_data->link[i].disabled = req->links[i].disabled; + + if (!bss->uapsd_supported) + uapsd_supported = false; +@@ -10711,8 +10735,6 @@ int ieee80211_mgd_assoc_ml_reconf(struct ieee80211_sub_if_data *sdata, + 
&data->link[link_id].conn); + + data->link[link_id].bss = link_cbss; +- data->link[link_id].disabled = +- req->add_links[link_id].disabled; + data->link[link_id].elems = + (u8 *)req->add_links[link_id].elems; + data->link[link_id].elems_len = +-- +2.51.0 + diff --git a/queue-6.18/wifi-mac80211-correctly-decode-ttlm-with-default-lin.patch b/queue-6.18/wifi-mac80211-correctly-decode-ttlm-with-default-lin.patch new file mode 100644 index 0000000000..ea77bb674a --- /dev/null +++ b/queue-6.18/wifi-mac80211-correctly-decode-ttlm-with-default-lin.patch 
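Review bot: In ieee80211_assoc_success(), ieee80211_parse_adv_t2l() is handed `&sdata->u.mgd.ttlm_info` directly, so an association response that fails any of the three checks leaves the live state cleared and partly refilled (for example `switch_time` or `map` already written) when the code jumps to `out_err`. Whether `out_err` resets that state is not visible in this hunk. Parsing into a local struct and publishing it only after the checks pass would keep data from a rejected frame out of the interface state, as sketched below.

```c
	} else if (elems->ttlm_num == 1) {
		struct ieee80211_adv_ttlm_info ttlm_info;

		if (ieee80211_parse_adv_t2l(sdata, elems->ttlm[0],
					    &ttlm_info) ||
		    ttlm_info.switch_time != 0 ||
		    !(valid_links & ttlm_info.map)) {
			/* … unchanged: sdata_info() and goto out_err … */
		}

		/* publish only a fully validated mapping */
		ttlm_info.active = true;
		sdata->u.mgd.ttlm_info = ttlm_info;
		dormant_links = valid_links & ~ttlm_info.map;
	}
```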
@@ -0,0 +1,59 @@
+From 8335fc8987008789cefb2606df0a68bac56d5d15 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 29 Jan 2026 11:33:50 +0100
+Subject: wifi: mac80211: correctly decode TTLM with default link map
+
+From: Benjamin Berg
+
+[ Upstream commit 1eab33aa63c993685dd341e03bd5b267dd7403fa ]
+
+TID-To-Link Mapping (TTLM) elements do not contain any link mapping
+presence indicator if a default mapping is used and parsing needs to be
+skipped.
+
+Note that access points should not explicitly report an advertised TTLM
+with a default mapping as that is the implied mapping if the element is
+not included, this is even the case when switching back to the default
+mapping. However, mac80211 would incorrectly parse the frame and would
+also read one byte beyond the end of the element.
+
+Reported-by: Ruikai Peng
+Closes: https://lore.kernel.org/linux-wireless/CAFD3drMqc9YWvTCSHLyP89AOpBZsHdZ+pak6zVftYoZcUyF7gw@mail.gmail.com
+Fixes: 702e80470a33 ("wifi: mac80211: support handling of advertised TID-to-link mapping")
+Signed-off-by: Benjamin Berg
+Link: https://patch.msgid.link/20260129113349.d6b96f12c732.I69212a50f0f70db185edd3abefb6f04d3cb3e5ff@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/mac80211/mlme.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
+index 21c73a65f73f9..dca47a533392a 100644
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -8,7 +8,7 @@
+ * Copyright 2007, Michael Wu
+ * Copyright 2013-2014 Intel Mobile Communications GmbH
+ * Copyright (C) 2015 - 2017 Intel Deutschland GmbH
+- * Copyright (C) 2018 - 2025 Intel Corporation
++ * Copyright (C) 2018 - 2026 Intel Corporation
+ */
+
+ #include
+@@ -6190,8 +6190,10 @@ ieee80211_parse_adv_t2l(struct ieee80211_sub_if_data *sdata,
+ return -EINVAL;
+ }
+
+- link_map_presence = *pos;
+- pos++;
++ if (!(control & IEEE80211_TTLM_CONTROL_DEF_LINK_MAP)) {
++ link_map_presence = *pos;
++ pos++;
++ }
+
+ if (control & IEEE80211_TTLM_CONTROL_SWITCH_TIME_PRESENT) {
+ ttlm_info->switch_time = get_unaligned_le16(pos);
+--
+2.51.0
+
diff --git a/queue-6.18/wifi-mac80211-parse-all-ttlm-entries.patch b/queue-6.18/wifi-mac80211-parse-all-ttlm-entries.patch
new file mode 100644
index 0000000000..8fee8b07d8
--- /dev/null
+++ b/queue-6.18/wifi-mac80211-parse-all-ttlm-entries.patch
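Review bot: With the read of `link_map_presence` now conditional in ieee80211_parse_adv_t2l(), the parser is only safe for default-map elements if ieee80211_tid_to_link_map_size_ok() computes the same layout, that is, counts no presence byte when `IEEE80211_TTLM_CONTROL_DEF_LINK_MAP` is set. That validator is outside this hunk and should be checked against the new layout, because the switch-time and duration fields are still read from `pos` with no length check in this function. `link_map_presence` is also left unassigned on the default-map path; the hunk does not show where it is read, so initialising it at the declaration would keep a later reordering from reading an indeterminate value. The function body starts and ends outside the hunk.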
@@ -0,0 +1,80 @@
+From 65dd3bc58486988ea765b59526244423da57db73 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 18 Jan 2026 09:51:13 +0200
+Subject: wifi: mac80211: parse all TTLM entries
+
+From: Benjamin Berg
+
+[ Upstream commit 3fa2886d11d4545dc0dcfd0759ffbd03f88b5410 ]
+
+For the follow up patch, we need to properly parse TTLM entries that do
+not have a switch time. Change the logic so that ieee80211_parse_adv_t2l
+returns usable values in all non-error cases. Before the values filled
+in were technically incorrect but enough for ieee80211_process_adv_ttlm.
+
+Signed-off-by: Benjamin Berg
+Reviewed-by: Johannes Berg
+Reviewed-by: Ilan Peer
+Signed-off-by: Miri Korenblit
+Link: https://patch.msgid.link/20260118093904.ccd324e2dd59.I69f0bee0a22e9b11bb95beef313e305dab17c051@changeid
+Signed-off-by: Johannes Berg
+Stable-dep-of: 1eab33aa63c9 ("wifi: mac80211: correctly decode TTLM with default link map")
+Signed-off-by: Sasha Levin
+---
+ net/mac80211/mlme.c | 25 ++++++++++++++-----------
+ 1 file changed, 14 insertions(+), 11 deletions(-)
+
+diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
+index f3138d1585353..d70163c0b9e32 100644
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -7014,10 +7014,6 @@ ieee80211_parse_adv_t2l(struct ieee80211_sub_if_data *sdata,
+ pos = (void *)ttlm->optional;
+ control = ttlm->control;
+
+- if ((control & IEEE80211_TTLM_CONTROL_DEF_LINK_MAP) ||
+- !(control & IEEE80211_TTLM_CONTROL_SWITCH_TIME_PRESENT))
+- return 0;
+-
+ if ((control & IEEE80211_TTLM_CONTROL_DIRECTION) !=
+ IEEE80211_TTLM_DIRECTION_BOTH) {
+ sdata_info(sdata, "Invalid advertised T2L map direction\n");
+@@ -7027,21 +7023,28 @@ ieee80211_parse_adv_t2l(struct ieee80211_sub_if_data *sdata,
+ link_map_presence = *pos;
+ pos++;
+
+- ttlm_info->switch_time = get_unaligned_le16(pos);
++ if (control & IEEE80211_TTLM_CONTROL_SWITCH_TIME_PRESENT) {
++ ttlm_info->switch_time = get_unaligned_le16(pos);
+
+- /* Since ttlm_info->switch_time == 0 means no switch time, bump it
+- * by 1.
+- */
+- if (!ttlm_info->switch_time)
+- ttlm_info->switch_time = 1;
++ /* Since ttlm_info->switch_time == 0 means no switch time, bump
++ * it by 1.
++ */
++ if (!ttlm_info->switch_time)
++ ttlm_info->switch_time = 1;
+
+- pos += 2;
++ pos += 2;
++ }
+
+ if (control & IEEE80211_TTLM_CONTROL_EXPECTED_DUR_PRESENT) {
+ ttlm_info->duration = pos[0] | pos[1] << 8 | pos[2] << 16;
+ pos += 3;
+ }
+
++ if (control & IEEE80211_TTLM_CONTROL_DEF_LINK_MAP) {
++ ttlm_info->map = 0xffff;
++ return 0;
++ }
++
+ if (control & IEEE80211_TTLM_CONTROL_LINK_MAP_SIZE)
+ map_size = 1;
+ else
+--
+2.51.0
+
diff --git a/queue-6.6/bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch b/queue-6.6/bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch
new file mode 100644
index 0000000000..adce3117d6
--- /dev/null
+++ b/queue-6.6/bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch
@@ -0,0 +1,73 @@
+From b6abc6134056dc4d5f78238a6d4da83c0c76a0b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 18 Jan 2026 20:08:59 +0800
+Subject: Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work
+
+From: Jia-Hong Su
+
+[ Upstream commit 0c3cd7a0b862c37acbee6d9502107146cc944398 ]
+
+hci_uart_set_proto() sets HCI_UART_PROTO_INIT before calling
+hci_uart_register_dev(), which calls proto->open() to initialize
+hu->priv. However, if a TTY write wakeup occurs during this window,
+hci_uart_tx_wakeup() may schedule write_work before hu->priv is
+initialized, leading to a NULL pointer dereference in
+hci_uart_write_work() when proto->dequeue() accesses hu->priv.
+
+The race condition is:
+
+ CPU0 CPU1
+ ---- ----
+ hci_uart_set_proto()
+ set_bit(HCI_UART_PROTO_INIT)
+ hci_uart_register_dev()
+ tty write wakeup
+ hci_uart_tty_wakeup()
+ hci_uart_tx_wakeup()
+ schedule_work(&hu->write_work)
+ proto->open(hu)
+ // initializes hu->priv
+ hci_uart_write_work()
+ hci_uart_dequeue()
+ proto->dequeue(hu)
+ // accesses hu->priv (NULL!)
+
+Fix this by moving set_bit(HCI_UART_PROTO_INIT) after proto->open()
+succeeds, ensuring hu->priv is initialized before any work can be
+scheduled.
+
+Fixes: 5df5dafc171b ("Bluetooth: hci_uart: Fix another race during initialization")
+Link: https://lore.kernel.org/linux-bluetooth/6969764f.170a0220.2b9fc4.35a7@mx.google.com/
+
+Signed-off-by: Jia-Hong Su
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ drivers/bluetooth/hci_ldisc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
+index 70320b8f1aa1c..e38f3c4458c90 100644
+--- a/drivers/bluetooth/hci_ldisc.c
++++ b/drivers/bluetooth/hci_ldisc.c
+@@ -682,6 +682,8 @@ static int hci_uart_register_dev(struct hci_uart *hu)
+ return err;
+ }
+
++ set_bit(HCI_UART_PROTO_INIT, &hu->flags);
++
+ if (test_bit(HCI_UART_INIT_PENDING, &hu->hdev_flags))
+ return 0;
+
+@@ -709,8 +711,6 @@ static int hci_uart_set_proto(struct hci_uart *hu, int id)
+
+ hu->proto = p;
+
+- set_bit(HCI_UART_PROTO_INIT, &hu->flags);
+-
+ err = hci_uart_register_dev(hu);
+ if (err) {
+ return err;
+--
+2.51.0
+
diff --git a/queue-6.6/bonding-annotate-data-races-around-slave-last_rx.patch b/queue-6.6/bonding-annotate-data-races-around-slave-last_rx.patch
new file mode 100644
index 0000000000..7fb5cfc8bf
--- /dev/null
+++ b/queue-6.6/bonding-annotate-data-races-around-slave-last_rx.patch
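Review bot: In hci_uart_register_dev(), `set_bit(HCI_UART_PROTO_INIT, &hu->flags)` now sits ahead of the rest of the registration, and the line removed from hci_uart_set_proto() leaves that function's error branch as a bare `return err;`. The remainder of hci_uart_register_dev() is outside this hunk; if a later step there can fail and close the protocol, the flag would stay set while `hu->priv` is being torn down, which would reopen the window this patch closes. It is worth checking that every failure path after the new set_bit() clears `HCI_UART_PROTO_INIT` before the protocol is closed.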
@@ -0,0 +1,178 @@ +From 61360d9a379070cd9d2835e4f96c9bfb0d8798e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jan 2026 16:29:14 +0000 +Subject: bonding: annotate data-races around slave->last_rx + +From: Eric Dumazet + +[ Upstream commit f6c3665b6dc53c3ab7d31b585446a953a74340ef ] + +slave->last_rx and slave->target_last_arp_rx[...] can be read and written +locklessly. Add READ_ONCE() and WRITE_ONCE() annotations. + +syzbot reported: + +BUG: KCSAN: data-race in bond_rcv_validate / bond_rcv_validate + +write to 0xffff888149f0d428 of 8 bytes by interrupt on cpu 1: + bond_rcv_validate+0x202/0x7a0 drivers/net/bonding/bond_main.c:3335 + bond_handle_frame+0xde/0x5e0 drivers/net/bonding/bond_main.c:1533 + __netif_receive_skb_core+0x5b1/0x1950 net/core/dev.c:6039 + __netif_receive_skb_one_core net/core/dev.c:6150 [inline] + __netif_receive_skb+0x59/0x270 net/core/dev.c:6265 + netif_receive_skb_internal net/core/dev.c:6351 [inline] + netif_receive_skb+0x4b/0x2d0 net/core/dev.c:6410 +... + +write to 0xffff888149f0d428 of 8 bytes by interrupt on cpu 0: + bond_rcv_validate+0x202/0x7a0 drivers/net/bonding/bond_main.c:3335 + bond_handle_frame+0xde/0x5e0 drivers/net/bonding/bond_main.c:1533 + __netif_receive_skb_core+0x5b1/0x1950 net/core/dev.c:6039 + __netif_receive_skb_one_core net/core/dev.c:6150 [inline] + __netif_receive_skb+0x59/0x270 net/core/dev.c:6265 + netif_receive_skb_internal net/core/dev.c:6351 [inline] + netif_receive_skb+0x4b/0x2d0 net/core/dev.c:6410 + br_netif_receive_skb net/bridge/br_input.c:30 [inline] + NF_HOOK include/linux/netfilter.h:318 [inline] +... 
+ +value changed: 0x0000000100005365 -> 0x0000000100005366 + +Fixes: f5b2b966f032 ("[PATCH] bonding: Validate probe replies in ARP monitor") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Link: https://patch.msgid.link/20260122162914.2299312-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 18 ++++++++++-------- + drivers/net/bonding/bond_options.c | 8 ++++---- + include/net/bonding.h | 13 +++++++------ + 3 files changed, 21 insertions(+), 18 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 9385c3ac0c83c..4373e300879d9 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -3137,8 +3137,8 @@ static void bond_validate_arp(struct bonding *bond, struct slave *slave, __be32 + __func__, &sip); + return; + } +- slave->last_rx = jiffies; +- slave->target_last_arp_rx[i] = jiffies; ++ WRITE_ONCE(slave->last_rx, jiffies); ++ WRITE_ONCE(slave->target_last_arp_rx[i], jiffies); + } + + static int bond_arp_rcv(const struct sk_buff *skb, struct bonding *bond, +@@ -3357,8 +3357,8 @@ static void bond_validate_na(struct bonding *bond, struct slave *slave, + __func__, saddr); + return; + } +- slave->last_rx = jiffies; +- slave->target_last_arp_rx[i] = jiffies; ++ WRITE_ONCE(slave->last_rx, jiffies); ++ WRITE_ONCE(slave->target_last_arp_rx[i], jiffies); + } + + static int bond_na_rcv(const struct sk_buff *skb, struct bonding *bond, +@@ -3428,7 +3428,7 @@ int bond_rcv_validate(const struct sk_buff *skb, struct bonding *bond, + (slave_do_arp_validate_only(bond) && is_ipv6) || + #endif + !slave_do_arp_validate_only(bond)) +- slave->last_rx = jiffies; ++ WRITE_ONCE(slave->last_rx, jiffies); + return RX_HANDLER_ANOTHER; + } else if (is_arp) { + return bond_arp_rcv(skb, bond, slave); +@@ -3496,7 +3496,7 @@ static void bond_loadbalance_arp_mon(struct bonding *bond) + + if (slave->link != BOND_LINK_UP) { + if 
(bond_time_in_interval(bond, last_tx, 1) && +- bond_time_in_interval(bond, slave->last_rx, 1)) { ++ bond_time_in_interval(bond, READ_ONCE(slave->last_rx), 1)) { + + bond_propose_link_state(slave, BOND_LINK_UP); + slave_state_changed = 1; +@@ -3520,8 +3520,10 @@ static void bond_loadbalance_arp_mon(struct bonding *bond) + * when the source ip is 0, so don't take the link down + * if we don't know our ip yet + */ +- if (!bond_time_in_interval(bond, last_tx, bond->params.missed_max) || +- !bond_time_in_interval(bond, slave->last_rx, bond->params.missed_max)) { ++ if (!bond_time_in_interval(bond, last_tx, ++ bond->params.missed_max) || ++ !bond_time_in_interval(bond, READ_ONCE(slave->last_rx), ++ bond->params.missed_max)) { + + bond_propose_link_state(slave, BOND_LINK_DOWN); + slave_state_changed = 1; +diff --git a/drivers/net/bonding/bond_options.c b/drivers/net/bonding/bond_options.c +index a2fa068193e3b..5a2a935945c4c 100644 +--- a/drivers/net/bonding/bond_options.c ++++ b/drivers/net/bonding/bond_options.c +@@ -1124,7 +1124,7 @@ static void _bond_options_arp_ip_target_set(struct bonding *bond, int slot, + + if (slot >= 0 && slot < BOND_MAX_ARP_TARGETS) { + bond_for_each_slave(bond, slave, iter) +- slave->target_last_arp_rx[slot] = last_rx; ++ WRITE_ONCE(slave->target_last_arp_rx[slot], last_rx); + targets[slot] = target; + } + } +@@ -1193,8 +1193,8 @@ static int bond_option_arp_ip_target_rem(struct bonding *bond, __be32 target) + bond_for_each_slave(bond, slave, iter) { + targets_rx = slave->target_last_arp_rx; + for (i = ind; (i < BOND_MAX_ARP_TARGETS-1) && targets[i+1]; i++) +- targets_rx[i] = targets_rx[i+1]; +- targets_rx[i] = 0; ++ WRITE_ONCE(targets_rx[i], READ_ONCE(targets_rx[i+1])); ++ WRITE_ONCE(targets_rx[i], 0); + } + for (i = ind; (i < BOND_MAX_ARP_TARGETS-1) && targets[i+1]; i++) + targets[i] = targets[i+1]; +@@ -1349,7 +1349,7 @@ static void _bond_options_ns_ip6_target_set(struct bonding *bond, int slot, + + if (slot >= 0 && slot < 
BOND_MAX_NS_TARGETS) { + bond_for_each_slave(bond, slave, iter) { +- slave->target_last_arp_rx[slot] = last_rx; ++ WRITE_ONCE(slave->target_last_arp_rx[slot], last_rx); + slave_set_ns_maddr(bond, slave, target, &targets[slot]); + } + targets[slot] = *target; +diff --git a/include/net/bonding.h b/include/net/bonding.h +index 95f67b308c19a..9fb40a5920209 100644 +--- a/include/net/bonding.h ++++ b/include/net/bonding.h +@@ -519,13 +519,14 @@ static inline int bond_is_ip6_target_ok(struct in6_addr *addr) + static inline unsigned long slave_oldest_target_arp_rx(struct bonding *bond, + struct slave *slave) + { ++ unsigned long tmp, ret = READ_ONCE(slave->target_last_arp_rx[0]); + int i = 1; +- unsigned long ret = slave->target_last_arp_rx[0]; +- +- for (; (i < BOND_MAX_ARP_TARGETS) && bond->params.arp_targets[i]; i++) +- if (time_before(slave->target_last_arp_rx[i], ret)) +- ret = slave->target_last_arp_rx[i]; + ++ for (; (i < BOND_MAX_ARP_TARGETS) && bond->params.arp_targets[i]; i++) { ++ tmp = READ_ONCE(slave->target_last_arp_rx[i]); ++ if (time_before(tmp, ret)) ++ ret = tmp; ++ } + return ret; + } + +@@ -535,7 +536,7 @@ static inline unsigned long slave_last_rx(struct bonding *bond, + if (bond->params.arp_all_targets == BOND_ARP_TARGETS_ALL) + return slave_oldest_target_arp_rx(bond, slave); + +- return slave->last_rx; ++ return READ_ONCE(slave->last_rx); + } + + static inline void slave_update_last_tx(struct slave *slave) +-- +2.51.0 + diff --git a/queue-6.6/can-gs_usb-gs_usb_receive_bulk_callback-fix-error-me.patch b/queue-6.6/can-gs_usb-gs_usb_receive_bulk_callback-fix-error-me.patch new file mode 100644 index 0000000000..1c371f806d --- /dev/null +++ b/queue-6.6/can-gs_usb-gs_usb_receive_bulk_callback-fix-error-me.patch 
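Review bot: In bond_option_arp_ip_target_rem(), the shift loop over `targets_rx` is now annotated as `WRITE_ONCE(targets_rx[i], READ_ONCE(targets_rx[i+1]))`, which makes each access tear-free but does not make the shift atomic as a whole. A lockless reader such as slave_oldest_target_arp_rx() can still see a slot mid-shift, paired with an `arp_targets[]` entry that has not moved yet, because `targets[]` is shifted in a separate loop afterwards. If that transient mismatch is acceptable for the ARP monitor, a one-line comment at the loop saying so would keep it from being read as a missed race.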
@@ -0,0 +1,52 @@
+From e77c5939ab7a30a2db9bf31bd850649c6cee571a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 20 Jan 2026 10:40:22 +0100
+Subject: can: gs_usb: gs_usb_receive_bulk_callback(): fix error message
+
+From: Marc Kleine-Budde
+
+[ Upstream commit 494fc029f662c331e06b7c2031deff3c64200eed ]
+
+Sinc commit 79a6d1bfe114 ("can: gs_usb: gs_usb_receive_bulk_callback():
+unanchor URL on usb_submit_urb() error") a failing resubmit URB will print
+an info message.
+
+In the case of a short read where netdev has not yet been assigned,
+initialize as NULL to avoid dereferencing an undefined value. Also report
+the error value of the failed resubmit.
+
+Fixes: 79a6d1bfe114 ("can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on usb_submit_urb() error")
+Reported-by: Jakub Kicinski
+Closes: https://lore.kernel.org/all/20260119181904.1209979-1-kuba@kernel.org/
+Link: https://patch.msgid.link/20260120-gs_usb-fix-error-message-v1-1-6be04de572bc@pengutronix.de
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Sasha Levin
+---
+ drivers/net/can/usb/gs_usb.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c
+index 63439affd59d5..7a3c6493a3536 100644
+--- a/drivers/net/can/usb/gs_usb.c
++++ b/drivers/net/can/usb/gs_usb.c
+@@ -607,7 +607,7 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
+ {
+ struct gs_usb *parent = urb->context;
+ struct gs_can *dev;
+- struct net_device *netdev;
++ struct net_device *netdev = NULL;
+ int rc;
+ struct net_device_stats *stats;
+ struct gs_host_frame *hf = urb->transfer_buffer;
+@@ -765,7 +765,7 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
+ }
+ } else if (rc != -ESHUTDOWN && net_ratelimit()) {
+ netdev_info(netdev, "failed to re-submit IN URB: %pe\n",
+- ERR_PTR(urb->status));
++ ERR_PTR(rc));
+ }
+ }
+
+-- 
+2.51.0
+
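Review bot: The `= NULL` initialiser added to `netdev` in gs_usb_receive_bulk_callback() is there only so that the resubmit-failure `netdev_info()` in the second hunk never reads an indeterminate pointer, and the code does not say so. I would add a comment on the declaration, `/* still NULL if we bail out before the channel is known; only logged below */`, so a later cleanup does not drop the initialiser. On that path the message is printed without a device name, so it cannot be tied to a specific adapter from the log alone; logging against the USB device instead would fix that, if the parent structure exposes it (not visible here). Most of the function body lies outside both hunks.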
diff --git a/queue-6.6/ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch b/queue-6.6/ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch
new file mode 100644
index 0000000000..b4d3a6ace4
--- /dev/null
+++ b/queue-6.6/ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch
@@ -0,0 +1,62 @@ +From 27627eaa1d58bba4f9e106cca66acafb52e864ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Dec 2025 15:38:52 -0800 +Subject: ice: stop counting UDP csum mismatch as rx_errors + +From: Jesse Brandeburg + +[ Upstream commit 05faf2c0a76581d0a7fdbb8ec46477ba183df95b ] + +Since the beginning, the Intel ice driver has counted receive checksum +offload mismatches into the rx_errors member of the rtnl_link_stats64 +struct. In ethtool -S these show up as rx_csum_bad.nic. + +I believe counting these in rx_errors is fundamentally wrong, as it's +pretty clear from the comments in if_link.h and from every other statistic +the driver is summing into rx_errors, that all of them would cause a +"hardware drop" except for the UDP checksum mismatch, as well as the fact +that all the other causes for rx_errors are L2 reasons, and this L4 UDP +"mismatch" is an outlier. + +A last nail in the coffin is that rx_errors is monitored in production and +can indicate a bad NIC/cable/Switch port, but instead some random series of +UDP packets with bad checksums will now trigger this alert. This false +positive makes the alert useless and affects us as well as other companies. + +This packet with presumably a bad UDP checksum is *already* passed to the +stack, just not marked as offloaded by the hardware/driver. If it is +dropped by the stack it will show up as UDP_MIB_CSUMERRORS. + +And one more thing, none of the other Intel drivers, and at least bnxt_en +and mlx5 both don't appear to count UDP offload mismatches as rx_errors. 
+ +Here is a related customer complaint: +https://community.intel.com/t5/Ethernet-Products/ice-rx-errros-is-too-sensitive-to-IP-TCP-attack-packets-Intel/td-p/1662125 + +Fixes: 4f1fe43c920b ("ice: Add more Rx errors to netdev's rx_error counter") +Cc: Tony Nguyen +Cc: Jake Keller +Cc: IWL +Signed-off-by: Jesse Brandeburg +Acked-by: Jacob Keller +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_main.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c +index e846246261b94..72e394dc68f4e 100644 +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -6711,7 +6711,6 @@ void ice_update_vsi_stats(struct ice_vsi *vsi) + pf->stats.illegal_bytes + + pf->stats.rx_len_errors + + pf->stats.rx_undersize + +- pf->hw_csum_rx_error + + pf->stats.rx_jabber + + pf->stats.rx_fragments + + pf->stats.rx_oversize; +-- +2.51.0 + diff --git a/queue-6.6/ipv6-use-the-right-ifindex-when-replying-to-icmpv6-f.patch b/queue-6.6/ipv6-use-the-right-ifindex-when-replying-to-icmpv6-f.patch new file mode 100644 index 0000000000..5801f7d7c5 --- /dev/null +++ b/queue-6.6/ipv6-use-the-right-ifindex-when-replying-to-icmpv6-f.patch 
@@ -0,0 +1,52 @@
+From 3fae1e4e9630a57bf7812007ce8464afce1b04a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 21 Jan 2026 20:44:08 +0100
+Subject: ipv6: use the right ifindex when replying to icmpv6 from localhost
+
+From: Fernando Fernandez Mancera
+
+[ Upstream commit 03cbcdf93866e61beb0063392e6dbb701f03aea2 ]
+
+When replying to a ICMPv6 echo request that comes from localhost address
+the right output ifindex is 1 (lo) and not rt6i_idev dev index. Use the
+skb device ifindex instead. This fixes pinging to a local address from
+localhost source address.
+
+$ ping6 -I ::1 2001:1:1::2 -c 3
+PING 2001:1:1::2 (2001:1:1::2) from ::1 : 56 data bytes
+64 bytes from 2001:1:1::2: icmp_seq=1 ttl=64 time=0.037 ms
+64 bytes from 2001:1:1::2: icmp_seq=2 ttl=64 time=0.069 ms
+64 bytes from 2001:1:1::2: icmp_seq=3 ttl=64 time=0.122 ms
+
+2001:1:1::2 ping statistics
+3 packets transmitted, 3 received, 0% packet loss, time 2032ms
+rtt min/avg/max/mdev = 0.037/0.076/0.122/0.035 ms
+
+Fixes: 1b70d792cf67 ("ipv6: Use rt6i_idev index for echo replies to a local address")
+Signed-off-by: Fernando Fernandez Mancera
+Reviewed-by: David Ahern
+Link: https://patch.msgid.link/20260121194409.6749-1-fmancera@suse.de
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv6/icmp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
+index fd91fd139d76c..c7e815b7ca087 100644
+--- a/net/ipv6/icmp.c
++++ b/net/ipv6/icmp.c
+@@ -768,7 +768,9 @@ static enum skb_drop_reason icmpv6_echo_reply(struct sk_buff *skb)
+ fl6.daddr = ipv6_hdr(skb)->saddr;
+ if (saddr)
+ fl6.saddr = *saddr;
+- fl6.flowi6_oif = icmp6_iif(skb);
++ fl6.flowi6_oif = ipv6_addr_loopback(&fl6.daddr) ?
++ skb->dev->ifindex :
++ icmp6_iif(skb);
+ fl6.fl6_icmp_type = type;
+ fl6.flowi6_mark = mark;
+ fl6.flowi6_uid = sock_net_uid(net, NULL);
+-- 
+2.51.0
+
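Review bot: The new ternary on `fl6.flowi6_oif` in icmpv6_echo_reply() keys on `fl6.daddr`, which is copied from the request's source address two lines earlier, and nothing explains why a loopback value there is safe to special-case. A comment such as `/* source ::1 means the request was looped back locally: reply on the receiving device */` would record the intent. It relies on the input path discarding loopback-sourced packets that arrive on a non-loopback device; I believe it does, but that code is not part of this hunk and is worth confirming for each backport target. The function continues outside the hunk.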
diff --git a/queue-6.6/net-bcmasp-fix-early-exit-leak-with-fixed-phy.patch b/queue-6.6/net-bcmasp-fix-early-exit-leak-with-fixed-phy.patch
new file mode 100644
index 0000000000..2b645b40c7
--- /dev/null
+++ b/queue-6.6/net-bcmasp-fix-early-exit-leak-with-fixed-phy.patch
@@ -0,0 +1,48 @@
+From 8350c8c24a48f5559213878ea07514270d2215cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 22 Jan 2026 11:40:01 -0800
+Subject: net: bcmasp: fix early exit leak with fixed phy
+
+From: Justin Chen
+
+[ Upstream commit 6de4436bf369e1444606445e4cd5df5bcfc74b48 ]
+
+We are not deregistering the fixed phy link when hitting the early
+exit condition. Add the correct early exit sequence.
+
+Fixes: 490cb412007d ("net: bcmasp: Add support for ASP2.0 Ethernet controller")
+Signed-off-by: Justin Chen
+Reviewed-by: Florian Fainelli
+Link: https://patch.msgid.link/20260122194001.1098859-1-justin.chen@broadcom.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c b/drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c
+index f0647286c68b2..3127f335e0b7b 100644
+--- a/drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c
++++ b/drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c
+@@ -1272,7 +1272,7 @@ struct bcmasp_intf *bcmasp_interface_create(struct bcmasp_priv *priv,
+ netdev_err(intf->ndev, "invalid PHY mode: %s for port %d\n",
+ phy_modes(intf->phy_interface), intf->port);
+ ret = -EINVAL;
+- goto err_free_netdev;
++ goto err_deregister_fixed_link;
+ }
+
+ ret = of_get_ethdev_address(ndev_dn, ndev);
+@@ -1295,6 +1295,9 @@ struct bcmasp_intf *bcmasp_interface_create(struct bcmasp_priv *priv,
+
+ return intf;
+
++err_deregister_fixed_link:
++ if (of_phy_is_fixed_link(ndev_dn))
++ of_phy_deregister_fixed_link(ndev_dn);
+ err_free_netdev:
+ free_netdev(ndev);
+ err:
+-- 
+2.51.0
+
diff --git a/queue-6.6/net-bridge-fix-static-key-check.patch b/queue-6.6/net-bridge-fix-static-key-check.patch new file mode 100644 index 0000000000..bfb9f6a5fb --- /dev/null +++ b/queue-6.6/net-bridge-fix-static-key-check.patch @@ -0,0 +1,40 @@ +From 180de8c0830af5d2c88f24c8fefed34bd28fbdf4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Jan 2026 11:19:23 +0100 +Subject: net: bridge: fix static key check + +From: Martin Kaiser + +[ Upstream commit cc0cf10fdaeadf5542d64a55b5b4120d3df90b7d ] + +Fix the check if netfilter's static keys are available. netfilter defines +and exports static keys if CONFIG_JUMP_LABEL is enabled. (HAVE_JUMP_LABEL +is never defined.) + +Fixes: 971502d77faa ("bridge: netfilter: unroll NF_HOOK helper in bridge input path") +Signed-off-by: Martin Kaiser +Reviewed-by: Florian Westphal +Reviewed-by: Nikolay Aleksandrov +Link: https://patch.msgid.link/20260127101925.1754425-1-martin@kaiser.cx +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/bridge/br_input.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c +index 2d5b81ebbaa6d..847fe03a08ee8 100644 +--- a/net/bridge/br_input.c ++++ b/net/bridge/br_input.c +@@ -260,7 +260,7 @@ static int nf_hook_bridge_pre(struct sk_buff *skb, struct sk_buff **pskb) + int ret; + + net = dev_net(skb->dev); +-#ifdef HAVE_JUMP_LABEL ++#ifdef CONFIG_JUMP_LABEL + if (!static_key_false(&nf_hooks_needed[NFPROTO_BRIDGE][NF_BR_PRE_ROUTING])) + goto frame_finish; + #endif +-- +2.51.0 + diff --git a/queue-6.6/net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch b/queue-6.6/net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch new file mode 100644 index 0000000000..b96460e8ca --- /dev/null +++ b/queue-6.6/net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch 
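Review bot: The `#ifdef CONFIG_JUMP_LABEL` line in nf_hook_bridge_pre() turns the guarded `goto frame_finish` from dead code into a live fast path, because the description says the old macro was never defined. For a stable backport that is a behaviour change rather than a spelling fix: frames now bypass hook traversal whenever the static key reports no bridge pre-routing hook. I would add `/* nf_hooks_needed[] only exists with CONFIG_JUMP_LABEL; skip traversal when no bridge PRE_ROUTING hook is registered */` above the block and ask for a test that registers bridge-family filtering after the bridge is already forwarding. The function body extends beyond the hunk.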
@@ -0,0 +1,46 @@ +From b0f14d333655d8fdd327c501c42d4e24f1ab5120 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jan 2026 13:46:40 +0000 +Subject: net/mlx5: Fix memory leak in esw_acl_ingress_lgcy_setup() + +From: Zilin Guan + +[ Upstream commit 108948f723b13874b7ebf6b3f1cc598a7de38622 ] + +In esw_acl_ingress_lgcy_setup(), if esw_acl_table_create() fails, +the function returns directly without releasing the previously +created counter, leading to a memory leak. + +Fix this by jumping to the out label instead of returning directly, +which aligns with the error handling logic of other paths in this +function. + +Compile tested only. Issue found using a prototype static analysis tool +and code review. + +Fixes: 07bab9502641 ("net/mlx5: E-Switch, Refactor eswitch ingress acl codes") +Signed-off-by: Zilin Guan +Reviewed-by: Tariq Toukan +Link: https://patch.msgid.link/20260120134640.2717808-1-zilin@seu.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c +index 093ed86a0acd8..db51c500ed359 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c +@@ -188,7 +188,7 @@ int esw_acl_ingress_lgcy_setup(struct mlx5_eswitch *esw, + if (IS_ERR(vport->ingress.acl)) { + err = PTR_ERR(vport->ingress.acl); + vport->ingress.acl = NULL; +- return err; ++ goto out; + } + + err = esw_acl_ingress_lgcy_groups_create(esw, vport); +-- +2.51.0 + diff --git a/queue-6.6/net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch b/queue-6.6/net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch new file mode 100644 index 0000000000..b434b26ec9 --- /dev/null 
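Review bot: The new `goto out` in esw_acl_ingress_lgcy_setup() depends on cleanup code at `out:` that is outside this hunk, and it gets there with `vport->ingress.acl` just reset to NULL. The description says the change was compile tested only, so it is worth confirming that the cleanup tolerates a NULL table and releases only the counter. A one-line comment on the jump, `/* acl is NULL here; cleanup at out: must only release the counter */`, would keep that assumption visible.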
+++ b/queue-6.6/net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch 
@@ -0,0 +1,75 @@ +From 67601aa35dfe5ea3fd9ddd21be6e7ff8b565638a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jan 2026 09:14:55 +0200 +Subject: net/mlx5e: Account for netdev stats in ndo_get_stats64 + +From: Gal Pressman + +[ Upstream commit 476681f10cc1e0e56e26856684e75d4678b072b2 ] + +The driver's ndo_get_stats64 callback is only reporting mlx5 counters, +without accounting for the netdev stats, causing errors from the network +stack to be invisible in statistics. + +Add netdev_stats_to_stats64() call to first populate the counters, then +add mlx5 counters on top, ensuring both are accounted for (where +appropriate). + +Fixes: f62b8bb8f2d3 ("net/mlx5: Extend mlx5_core to support ConnectX-4 Ethernet functionality") +Signed-off-by: Gal Pressman +Signed-off-by: Tariq Toukan +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/1769411695-18820-4-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/en_main.c | 20 ++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index c72c085be603c..71749497ec27a 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -3743,6 +3743,8 @@ mlx5e_get_stats(struct net_device *dev, struct rtnl_link_stats64 *stats) + mlx5e_queue_update_stats(priv); + } + ++ netdev_stats_to_stats64(stats, &dev->stats); ++ + if (mlx5e_is_uplink_rep(priv)) { + struct mlx5e_vport_stats *vstats = &priv->stats.vport; + +@@ -3759,21 +3761,21 @@ mlx5e_get_stats(struct net_device *dev, struct rtnl_link_stats64 *stats) + mlx5e_fold_sw_stats64(priv, stats); + } + +- stats->rx_missed_errors = priv->stats.qcnt.rx_out_of_buffer; +- stats->rx_dropped = PPORT_2863_GET(pstats, if_in_discards); ++ stats->rx_missed_errors += priv->stats.qcnt.rx_out_of_buffer; ++ 
stats->rx_dropped += PPORT_2863_GET(pstats, if_in_discards); + +- stats->rx_length_errors = ++ stats->rx_length_errors += + PPORT_802_3_GET(pstats, a_in_range_length_errors) + + PPORT_802_3_GET(pstats, a_out_of_range_length_field) + + PPORT_802_3_GET(pstats, a_frame_too_long_errors) + + VNIC_ENV_GET(&priv->stats.vnic, eth_wqe_too_small); +- stats->rx_crc_errors = ++ stats->rx_crc_errors += + PPORT_802_3_GET(pstats, a_frame_check_sequence_errors); +- stats->rx_frame_errors = PPORT_802_3_GET(pstats, a_alignment_errors); +- stats->tx_aborted_errors = PPORT_2863_GET(pstats, if_out_discards); +- stats->rx_errors = stats->rx_length_errors + stats->rx_crc_errors + +- stats->rx_frame_errors; +- stats->tx_errors = stats->tx_aborted_errors + stats->tx_carrier_errors; ++ stats->rx_frame_errors += PPORT_802_3_GET(pstats, a_alignment_errors); ++ stats->tx_aborted_errors += PPORT_2863_GET(pstats, if_out_discards); ++ stats->rx_errors += stats->rx_length_errors + stats->rx_crc_errors + ++ stats->rx_frame_errors; ++ stats->tx_errors += stats->tx_aborted_errors + stats->tx_carrier_errors; + } + + static void mlx5e_nic_set_rx_mode(struct mlx5e_priv *priv) +-- +2.51.0 + diff --git a/queue-6.6/net-mlx5e-report-rx_discards_phy-via-rx_dropped.patch b/queue-6.6/net-mlx5e-report-rx_discards_phy-via-rx_dropped.patch new file mode 100644 index 0000000000..8b2da60179 --- /dev/null +++ b/queue-6.6/net-mlx5e-report-rx_discards_phy-via-rx_dropped.patch 
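Review bot: The closing `stats->rx_errors +=` and `stats->tx_errors +=` lines in mlx5e_get_stats() add component fields that, after the new `netdev_stats_to_stats64()` call, already hold the dev->stats values, on top of totals that also started from dev->stats. If anything increments both a component (say rx_length_errors or tx_carrier_errors) and the matching rx_errors/tx_errors total in dev->stats, that event is now reported twice; whether any code does so for this device is not visible in the hunk. Since rx_errors is commonly used for alerting, I would either sum only the hardware contributions into the totals or state the assumption: `/* assumes dev->stats never counts an event in both a component and the rx_errors/tx_errors total */`. The function starts outside the hunk.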
@@ -0,0 +1,50 @@ +From e2b4036b7c05593ee1170f8cacd90db23efb0708 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Dec 2024 10:27:06 +0800 +Subject: net/mlx5e: Report rx_discards_phy via rx_dropped +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Yafang Shao + +[ Upstream commit c9cfced17365b1df8c6ae6cd5db56aebd7ed9b57 ] + +We noticed a high number of rx_discards_phy events on certain servers while +running `ethtool -S`. However, this critical counter is not currently +included in the standard /proc/net/dev statistics file, making it difficult +to monitor effectively—especially given the diversity of vendors across a +large fleet of servers. + +Let's report it via the standard rx_dropped metric. + +Suggested-by: Jakub Kicinski +Signed-off-by: Yafang Shao +Cc: Saeed Mahameed +Cc: Leon Romanovsky +Cc: Gal Pressman +Reviewed-by: Simon Horman +Reviewed-by: Tariq Toukan +Link: https://patch.msgid.link/20241210022706.6665-1-laoar.shao@gmail.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: 476681f10cc1 ("net/mlx5e: Account for netdev stats in ndo_get_stats64") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index 03201bcda1a68..c72c085be603c 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -3760,6 +3760,7 @@ mlx5e_get_stats(struct net_device *dev, struct rtnl_link_stats64 *stats) + } + + stats->rx_missed_errors = priv->stats.qcnt.rx_out_of_buffer; ++ stats->rx_dropped = PPORT_2863_GET(pstats, if_in_discards); + + stats->rx_length_errors = + PPORT_802_3_GET(pstats, a_in_range_length_errors) + +-- +2.51.0 + 
diff --git a/queue-6.6/net-mlx5e-skip-esn-replay-window-setup-for-ipsec-cry.patch b/queue-6.6/net-mlx5e-skip-esn-replay-window-setup-for-ipsec-cry.patch
new file mode 100644
index 0000000000..9a64cb43e6
--- /dev/null
+++ b/queue-6.6/net-mlx5e-skip-esn-replay-window-setup-for-ipsec-cry.patch
@@ -0,0 +1,50 @@ +From 9c620158eb3f0f1bbef0b4d8f25d19cbe22d5bed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Jan 2026 10:52:41 +0200 +Subject: net/mlx5e: Skip ESN replay window setup for IPsec crypto offload + +From: Jianbo Liu + +[ Upstream commit 011be342dd24b5168a5dcf408b14c3babe503341 ] + +Commit a5e400a985df ("net/mlx5e: Honor user choice of IPsec replay +window size") introduced logic to setup the ESN replay window size. +This logic is only valid for packet offload. + +However, the check to skip this block only covered outbound offloads. +It was not skipped for crypto offload, causing it to fall through to +the new switch statement and trigger its WARN_ON default case (for +instance, if a window larger than 256 bits was configured). + +Fix this by amending the condition to also skip the replay window +setup if the offload type is not XFRM_DEV_OFFLOAD_PACKET. + +Fixes: a5e400a985df ("net/mlx5e: Honor user choice of IPsec replay window size") +Signed-off-by: Jianbo Liu +Reviewed-by: Leon Romanovsky +Reviewed-by: Simon Horman +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/1769503961-124173-5-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c +index 5161bf51fa110..fdf664e9c46e9 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c +@@ -350,7 +350,8 @@ void mlx5e_ipsec_build_accel_xfrm_attrs(struct mlx5e_ipsec_sa_entry *sa_entry, + attrs->replay_esn.esn = sa_entry->esn_state.esn; + attrs->replay_esn.esn_msb = sa_entry->esn_state.esn_msb; + attrs->replay_esn.overlap = sa_entry->esn_state.overlap; +- if (attrs->dir == XFRM_DEV_OFFLOAD_OUT) ++ if (attrs->dir == 
XFRM_DEV_OFFLOAD_OUT || ++ x->xso.type != XFRM_DEV_OFFLOAD_PACKET) + goto skip_replay_window; + + switch (x->replay_esn->replay_window) { +-- +2.51.0 + diff --git a/queue-6.6/net-mlx5e-tc-delete-flows-only-for-existing-peers.patch b/queue-6.6/net-mlx5e-tc-delete-flows-only-for-existing-peers.patch new file mode 100644 index 0000000000..ec92ab3078 --- /dev/null +++ b/queue-6.6/net-mlx5e-tc-delete-flows-only-for-existing-peers.patch 
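Review bot: The widened condition before `goto skip_replay_window` in mlx5e_ipsec_build_accel_xfrm_attrs() has no comment saying which case still programs the anti-replay window, and a reader has to work it out from two negated tests. I would add `/* replay window is programmed only for inbound packet offload */` above the `if`. The description says the switch that follows ends in a WARN_ON default for unsupported sizes; that default stays reachable for inbound packet offload, so it is worth confirming that state validation rejects such a user-supplied window before this point (the switch body and any validation are outside the hunk).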
@@ -0,0 +1,132 @@ +From 42a4122d0b825f801a850d5581528ae973152c04 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jan 2026 09:14:54 +0200 +Subject: net/mlx5e: TC, delete flows only for existing peers + +From: Mark Bloch + +[ Upstream commit f67666938ae626cbda63fbf5176b3583c07e7124 ] + +When deleting TC steering flows, iterate only over actual devcom +peers instead of assuming all possible ports exist. This avoids +touching non-existent peers and ensures cleanup is limited to +devices the driver is currently connected to. + + BUG: kernel NULL pointer dereference, address: 0000000000000008 + #PF: supervisor write access in kernel mode + #PF: error_code(0x0002) - not-present page + PGD 133c8a067 P4D 0 + Oops: Oops: 0002 [#1] SMP + CPU: 19 UID: 0 PID: 2169 Comm: tc Not tainted 6.18.0+ #156 NONE + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 + RIP: 0010:mlx5e_tc_del_fdb_peers_flow+0xbe/0x200 [mlx5_core] + Code: 00 00 a8 08 74 a8 49 8b 46 18 f6 c4 02 74 9f 4c 8d bf a0 12 00 00 4c 89 ff e8 0e e7 96 e1 49 8b 44 24 08 49 8b 0c 24 4c 89 ff <48> 89 41 08 48 89 08 49 89 2c 24 49 89 5c 24 08 e8 7d ce 96 e1 49 + RSP: 0018:ff11000143867528 EFLAGS: 00010246 + RAX: 0000000000000000 RBX: dead000000000122 RCX: 0000000000000000 + RDX: ff11000143691580 RSI: ff110001026e5000 RDI: ff11000106f3d2a0 + RBP: dead000000000100 R08: 00000000000003fd R09: 0000000000000002 + R10: ff11000101c75690 R11: ff1100085faea178 R12: ff11000115f0ae78 + R13: 0000000000000000 R14: ff11000115f0a800 R15: ff11000106f3d2a0 + FS: 00007f35236bf740(0000) GS:ff110008dc809000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000008 CR3: 0000000157a01001 CR4: 0000000000373eb0 + Call Trace: + + mlx5e_tc_del_flow+0x46/0x270 [mlx5_core] + mlx5e_flow_put+0x25/0x50 [mlx5_core] + mlx5e_delete_flower+0x2a6/0x3e0 [mlx5_core] + tc_setup_cb_reoffload+0x20/0x80 + fl_reoffload+0x26f/0x2f0 [cls_flower] + ? 
mlx5e_tc_reoffload_flows_work+0xc0/0xc0 [mlx5_core] + ? mlx5e_tc_reoffload_flows_work+0xc0/0xc0 [mlx5_core] + tcf_block_playback_offloads+0x9e/0x1c0 + tcf_block_unbind+0x7b/0xd0 + tcf_block_setup+0x186/0x1d0 + tcf_block_offload_cmd.isra.0+0xef/0x130 + tcf_block_offload_unbind+0x43/0x70 + __tcf_block_put+0x85/0x160 + ingress_destroy+0x32/0x110 [sch_ingress] + __qdisc_destroy+0x44/0x100 + qdisc_graft+0x22b/0x610 + tc_get_qdisc+0x183/0x4d0 + rtnetlink_rcv_msg+0x2d7/0x3d0 + ? rtnl_calcit.isra.0+0x100/0x100 + netlink_rcv_skb+0x53/0x100 + netlink_unicast+0x249/0x320 + ? __alloc_skb+0x102/0x1f0 + netlink_sendmsg+0x1e3/0x420 + __sock_sendmsg+0x38/0x60 + ____sys_sendmsg+0x1ef/0x230 + ? copy_msghdr_from_user+0x6c/0xa0 + ___sys_sendmsg+0x7f/0xc0 + ? ___sys_recvmsg+0x8a/0xc0 + ? __sys_sendto+0x119/0x180 + __sys_sendmsg+0x61/0xb0 + do_syscall_64+0x55/0x640 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + RIP: 0033:0x7f35238bb764 + Code: 15 b9 86 0c 00 f7 d8 64 89 02 b8 ff ff ff ff eb bf 0f 1f 44 00 00 f3 0f 1e fa 80 3d e5 08 0d 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 4c c3 0f 1f 00 55 48 89 e5 48 83 ec 20 89 55 + RSP: 002b:00007ffed4c35638 EFLAGS: 00000202 ORIG_RAX: 000000000000002e + RAX: ffffffffffffffda RBX: 000055a2efcc75e0 RCX: 00007f35238bb764 + RDX: 0000000000000000 RSI: 00007ffed4c356a0 RDI: 0000000000000003 + RBP: 00007ffed4c35710 R08: 0000000000000010 R09: 00007f3523984b20 + R10: 0000000000000004 R11: 0000000000000202 R12: 00007ffed4c35790 + R13: 000000006947df8f R14: 000055a2efcc75e0 R15: 00007ffed4c35780 + +Fixes: 9be6c21fdcf8 ("net/mlx5e: Handle offloads flows per peer") +Signed-off-by: Mark Bloch +Reviewed-by: Shay Drori +Signed-off-by: Tariq Toukan +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/1769411695-18820-3-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/en_tc.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff 
--git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +index 2be9c69daad5f..f1f4225057311 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +@@ -2025,11 +2025,14 @@ static void mlx5e_tc_del_fdb_peer_flow(struct mlx5e_tc_flow *flow, + + static void mlx5e_tc_del_fdb_peers_flow(struct mlx5e_tc_flow *flow) + { ++ struct mlx5_devcom_comp_dev *devcom; ++ struct mlx5_devcom_comp_dev *pos; ++ struct mlx5_eswitch *peer_esw; + int i; + +- for (i = 0; i < MLX5_MAX_PORTS; i++) { +- if (i == mlx5_get_dev_index(flow->priv->mdev)) +- continue; ++ devcom = flow->priv->mdev->priv.eswitch->devcom; ++ mlx5_devcom_for_each_peer_entry(devcom, peer_esw, pos) { ++ i = mlx5_get_dev_index(peer_esw->dev); + mlx5e_tc_del_fdb_peer_flow(flow, i); + } + } +@@ -5404,12 +5407,16 @@ int mlx5e_tc_num_filters(struct mlx5e_priv *priv, unsigned long flags) + + void mlx5e_tc_clean_fdb_peer_flows(struct mlx5_eswitch *esw) + { ++ struct mlx5_devcom_comp_dev *devcom; ++ struct mlx5_devcom_comp_dev *pos; + struct mlx5e_tc_flow *flow, *tmp; ++ struct mlx5_eswitch *peer_esw; + int i; + +- for (i = 0; i < MLX5_MAX_PORTS; i++) { +- if (i == mlx5_get_dev_index(esw->dev)) +- continue; ++ devcom = esw->devcom; ++ ++ mlx5_devcom_for_each_peer_entry(devcom, peer_esw, pos) { ++ i = mlx5_get_dev_index(peer_esw->dev); + list_for_each_entry_safe(flow, tmp, &esw->offloads.peer_flows[i], peer[i]) + mlx5e_tc_del_fdb_peers_flow(flow); + } +-- +2.51.0 + diff --git a/queue-6.6/net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch b/queue-6.6/net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch new file mode 100644 index 0000000000..498027aee6 --- /dev/null +++ b/queue-6.6/net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch 
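Review bot: Both new loops walk the peer list with `mlx5_devcom_for_each_peer_entry()`, yet neither hunk shows a lock or a begin/end bracket around the walk, and `flow->priv->mdev->priv.eswitch->devcom` in mlx5e_tc_del_fdb_peers_flow() is dereferenced without a NULL check. If the iterator expects the caller to hold the devcom component lock, every caller of these two functions needs to be confirmed, since a peer unpaired mid-walk is the same class of fault as the oops quoted in the description. The index `i` also no longer comes from a loop bounded by `MLX5_MAX_PORTS` but from `mlx5_get_dev_index(peer_esw->dev)`, and it is used unchecked to index `peer_flows[i]` and `peer[i]`. I would at least document the contract at the top of each function, for example `/* caller holds the devcom lock; peer dev index is < MLX5_MAX_PORTS */`, once that has been verified.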
@@ -0,0 +1,48 @@
+From bf9057d6cd66d215dff830f38507268cfa12276a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 23 Jan 2026 06:57:16 +0000
+Subject: net: mvpp2: cls: Fix memory leak in mvpp2_ethtool_cls_rule_ins()
+
+From: Zilin Guan
+
+[ Upstream commit 09f979d1f312627b31d2ee1e46f9692e442610cd ]
+
+In mvpp2_ethtool_cls_rule_ins(), the ethtool_rule is allocated by
+ethtool_rx_flow_rule_create(). If the subsequent conversion to flow
+type fails, the function jumps to the clean_rule label.
+
+However, the clean_rule label only frees efs, skipping the cleanup
+of ethtool_rule, which leads to a memory leak.
+
+Fix this by jumping to the clean_eth_rule label, which properly calls
+ethtool_rx_flow_rule_destroy() before freeing efs.
+
+Compile tested only. Issue found using a prototype static analysis tool
+and code review.
+
+Fixes: f4f1ba18195d ("net: mvpp2: cls: Report an error for unsupported flow types")
+Signed-off-by: Zilin Guan
+Reviewed-by: Maxime Chevallier
+Link: https://patch.msgid.link/20260123065716.2248324-1-zilin@seu.edu.cn
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c
+index d2757cc116139..038382a0b8e9f 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c
+@@ -1389,7 +1389,7 @@ int mvpp2_ethtool_cls_rule_ins(struct mvpp2_port *port,
+ efs->rule.flow_type = mvpp2_cls_ethtool_flow_to_type(info->fs.flow_type);
+ if (efs->rule.flow_type < 0) {
+ ret = efs->rule.flow_type;
+- goto clean_rule;
++ goto clean_eth_rule;
+ }
+
+ ret = mvpp2_cls_rfs_parse_rule(&efs->rule);
+-- 
+2.51.0
+
diff --git a/queue-6.6/net-wwan-t7xx-fix-potential-skb-frags-overflow-in-rx.patch b/queue-6.6/net-wwan-t7xx-fix-potential-skb-frags-overflow-in-rx.patch
new file mode 100644
index 0000000000..15bea49e3f
--- /dev/null
+++ b/queue-6.6/net-wwan-t7xx-fix-potential-skb-frags-overflow-in-rx.patch
@@ -0,0 +1,83 @@ +From 508a22a8a532028c214e871cac650dc33632ddfb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Jan 2026 01:04:01 +0800 +Subject: net: wwan: t7xx: fix potential skb->frags overflow in RX path + +From: Kery Qi + +[ Upstream commit f0813bcd2d9d97fdbdf2efb9532ab03ae92e99e6 ] + +When receiving data in the DPMAIF RX path, +the t7xx_dpmaif_set_frag_to_skb() function adds +page fragments to an skb without checking if the number of +fragments has exceeded MAX_SKB_FRAGS. This could lead to a buffer overflow +in skb_shinfo(skb)->frags[] array, corrupting adjacent memory and +potentially causing kernel crashes or other undefined behavior. + +This issue was identified through static code analysis by comparing with a +similar vulnerability fixed in the mt76 driver commit b102f0c522cf ("mt76: +fix array overflow on receiving too many fragments for a packet"). + +The vulnerability could be triggered if the modem firmware sends packets +with excessive fragments. While under normal protocol conditions (MTU 3080 +bytes, BAT buffer 3584 bytes), +a single packet should not require additional +fragments, the kernel should not blindly trust firmware behavior. +Malicious, buggy, or compromised firmware could potentially craft packets +with more fragments than the kernel expects. + +Fix this by adding a bounds check before calling skb_add_rx_frag() to +ensure nr_frags does not exceed MAX_SKB_FRAGS. + +The check must be performed before unmapping to avoid a page leak +and double DMA unmap during device teardown. 
+ +Fixes: d642b012df70a ("net: wwan: t7xx: Add data path interface") +Signed-off-by: Kery Qi +Link: https://patch.msgid.link/20260122170401.1986-2-qikeyu2017@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c b/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c +index 7c4a11f60f911..52b036fe6cfea 100644 +--- a/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c ++++ b/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c +@@ -394,6 +394,7 @@ static int t7xx_dpmaif_set_frag_to_skb(const struct dpmaif_rx_queue *rxq, + struct sk_buff *skb) + { + unsigned long long data_bus_addr, data_base_addr; ++ struct skb_shared_info *shinfo = skb_shinfo(skb); + struct device *dev = rxq->dpmaif_ctrl->dev; + struct dpmaif_bat_page *page_info; + unsigned int data_len; +@@ -401,18 +402,22 @@ static int t7xx_dpmaif_set_frag_to_skb(const struct dpmaif_rx_queue *rxq, + + page_info = rxq->bat_frag->bat_skb; + page_info += t7xx_normal_pit_bid(pkt_info); +- dma_unmap_page(dev, page_info->data_bus_addr, page_info->data_len, DMA_FROM_DEVICE); + + if (!page_info->page) + return -EINVAL; + ++ if (shinfo->nr_frags >= MAX_SKB_FRAGS) ++ return -EINVAL; ++ ++ dma_unmap_page(dev, page_info->data_bus_addr, page_info->data_len, DMA_FROM_DEVICE); ++ + data_bus_addr = le32_to_cpu(pkt_info->pd.data_addr_h); + data_bus_addr = (data_bus_addr << 32) + le32_to_cpu(pkt_info->pd.data_addr_l); + data_base_addr = page_info->data_bus_addr; + data_offset = data_bus_addr - data_base_addr; + data_offset += page_info->offset; + data_len = FIELD_GET(PD_PIT_DATA_LEN, le32_to_cpu(pkt_info->header)); +- skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags, page_info->page, ++ skb_add_rx_frag(skb, shinfo->nr_frags, page_info->page, + data_offset, data_len, page_info->data_len); + + page_info->page = NULL; +-- +2.51.0 + 
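Review bot: `data_offset` and `data_len` in t7xx_dpmaif_set_frag_to_skb() are still taken from the descriptor (`pkt_info->pd.data_addr_h`/`data_addr_l` and `pkt_info->header`) and handed to `skb_add_rx_frag()` without being compared with the mapped buffer, so the firmware-distrust argument in the description applies to them as much as to `nr_frags`. A descriptor address below `page_info->data_bus_addr`, or an offset plus length beyond `page_info->data_len`, would make the fragment describe memory outside the buffer. The check belongs before `dma_unmap_page()`, for the reason the description gives for the nr_frags test, which means computing the address and length first, as sketched below. The new early return is also silent; a rate-limited error message there would make misbehaving firmware visible in the log. The declaration of `data_offset` falls between the two hunks, so its type should be confirmed before adopting this.

```c
	if (shinfo->nr_frags >= MAX_SKB_FRAGS)
		return -EINVAL;

	/* Validate the descriptor's address and length while the page is still mapped. */
	data_bus_addr = le32_to_cpu(pkt_info->pd.data_addr_h);
	data_bus_addr = (data_bus_addr << 32) + le32_to_cpu(pkt_info->pd.data_addr_l);
	data_base_addr = page_info->data_bus_addr;
	data_len = FIELD_GET(PD_PIT_DATA_LEN, le32_to_cpu(pkt_info->header));
	if (data_bus_addr < data_base_addr ||
	    data_bus_addr - data_base_addr > page_info->data_len ||
	    data_len > page_info->data_len - (data_bus_addr - data_base_addr))
		return -EINVAL;

	dma_unmap_page(dev, page_info->data_bus_addr, page_info->data_len, DMA_FROM_DEVICE);

	data_offset = data_bus_addr - data_base_addr;
	data_offset += page_info->offset;
	/* … unchanged: skb_add_rx_frag() call and page_info reset … */
```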
diff --git a/queue-6.6/nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch b/queue-6.6/nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch
new file mode 100644
index 0000000000..67dc90d391
--- /dev/null
+++ b/queue-6.6/nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch
@@ -0,0 +1,167 @@ +From c3747cdc707c2f41670a9e43f46d498077aa839d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 25 Jan 2026 00:59:28 +0000 +Subject: nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame(). + +From: Kuniyuki Iwashima + +[ Upstream commit 165c34fb6068ff153e3fc99a932a80a9d5755709 ] + +syzbot reported various memory leaks related to NFC, struct +nfc_llcp_sock, sk_buff, nfc_dev, etc. [0] + +The leading log hinted that nfc_llcp_send_ui_frame() failed +to allocate skb due to sock_error(sk) being -ENXIO. + +ENXIO is set by nfc_llcp_socket_release() when struct +nfc_llcp_local is destroyed by local_cleanup(). + +The problem is that there is no synchronisation between +nfc_llcp_send_ui_frame() and local_cleanup(), and skb +could be put into local->tx_queue after it was purged in +local_cleanup(): + + CPU1 CPU2 + ---- ---- + nfc_llcp_send_ui_frame() local_cleanup() + |- do { ' + |- pdu = nfc_alloc_send_skb(..., &err) + | . + | |- nfc_llcp_socket_release(local, false, ENXIO); + | |- skb_queue_purge(&local->tx_queue); | + | ' | + |- skb_queue_tail(&local->tx_queue, pdu); | + ... | + |- pdu = nfc_alloc_send_skb(..., &err) | + ^._________________________________.' + +local_cleanup() is called for struct nfc_llcp_local only +after nfc_llcp_remove_local() unlinks it from llcp_devices. + +If we hold local->tx_queue.lock then, we can synchronise +the thread and nfc_llcp_send_ui_frame(). + +Let's do that and check list_empty(&local->list) before +queuing skb to local->tx_queue in nfc_llcp_send_ui_frame(). + +[0]: +[ 56.074943][ T6096] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6) +[ 64.318868][ T5813] kmemleak: 6 new suspected memory leaks (see /sys/kernel/debug/kmemleak) +BUG: memory leak +unreferenced object 0xffff8881272f6800 (size 1024): + comm "syz.0.17", pid 6096, jiffies 4294942766 + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
+ 27 00 03 40 00 00 00 00 00 00 00 00 00 00 00 00 '..@............ + backtrace (crc da58d84d): + kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] + slab_post_alloc_hook mm/slub.c:4979 [inline] + slab_alloc_node mm/slub.c:5284 [inline] + __do_kmalloc_node mm/slub.c:5645 [inline] + __kmalloc_noprof+0x3e3/0x6b0 mm/slub.c:5658 + kmalloc_noprof include/linux/slab.h:961 [inline] + sk_prot_alloc+0x11a/0x1b0 net/core/sock.c:2239 + sk_alloc+0x36/0x360 net/core/sock.c:2295 + nfc_llcp_sock_alloc+0x37/0x130 net/nfc/llcp_sock.c:979 + llcp_sock_create+0x71/0xd0 net/nfc/llcp_sock.c:1044 + nfc_sock_create+0xc9/0xf0 net/nfc/af_nfc.c:31 + __sock_create+0x1a9/0x340 net/socket.c:1605 + sock_create net/socket.c:1663 [inline] + __sys_socket_create net/socket.c:1700 [inline] + __sys_socket+0xb9/0x1a0 net/socket.c:1747 + __do_sys_socket net/socket.c:1761 [inline] + __se_sys_socket net/socket.c:1759 [inline] + __x64_sys_socket+0x1b/0x30 net/socket.c:1759 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +BUG: memory leak +unreferenced object 0xffff88810fbd9800 (size 240): + comm "syz.0.17", pid 6096, jiffies 4294942850 + hex dump (first 32 bytes): + 68 f0 ff 08 81 88 ff ff 68 f0 ff 08 81 88 ff ff h.......h....... + 00 00 00 00 00 00 00 00 00 68 2f 27 81 88 ff ff .........h/'.... 
+ backtrace (crc 6cc652b1): + kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] + slab_post_alloc_hook mm/slub.c:4979 [inline] + slab_alloc_node mm/slub.c:5284 [inline] + kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5336 + __alloc_skb+0x203/0x240 net/core/skbuff.c:660 + alloc_skb include/linux/skbuff.h:1383 [inline] + alloc_skb_with_frags+0x69/0x3f0 net/core/skbuff.c:6671 + sock_alloc_send_pskb+0x379/0x3e0 net/core/sock.c:2965 + sock_alloc_send_skb include/net/sock.h:1859 [inline] + nfc_alloc_send_skb+0x45/0x80 net/nfc/core.c:724 + nfc_llcp_send_ui_frame+0x162/0x360 net/nfc/llcp_commands.c:766 + llcp_sock_sendmsg+0x14c/0x1d0 net/nfc/llcp_sock.c:814 + sock_sendmsg_nosec net/socket.c:727 [inline] + __sock_sendmsg net/socket.c:742 [inline] + __sys_sendto+0x2d8/0x2f0 net/socket.c:2244 + __do_sys_sendto net/socket.c:2251 [inline] + __se_sys_sendto net/socket.c:2247 [inline] + __x64_sys_sendto+0x28/0x30 net/socket.c:2247 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: 94f418a20664 ("NFC: UI frame sending routine implementation") +Reported-by: syzbot+f2d245f1d76bbfa50e4c@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/697569c7.a00a0220.33ccc7.0014.GAE@google.com/T/#u +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20260125010214.1572439-1-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/nfc/llcp_commands.c | 17 ++++++++++++++++- + net/nfc/llcp_core.c | 4 +++- + 2 files changed, 19 insertions(+), 2 deletions(-) + +diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c +index e2680a3bef799..b652323bc2c12 100644 +--- a/net/nfc/llcp_commands.c ++++ b/net/nfc/llcp_commands.c +@@ -778,8 +778,23 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap, + if (likely(frag_len > 0)) + skb_put_data(pdu, msg_ptr, 
frag_len); + ++ spin_lock(&local->tx_queue.lock); ++ ++ if (list_empty(&local->list)) { ++ spin_unlock(&local->tx_queue.lock); ++ ++ kfree_skb(pdu); ++ ++ len -= remaining_len; ++ if (len == 0) ++ len = -ENXIO; ++ break; ++ } ++ + /* No need to check for the peer RW for UI frames */ +- skb_queue_tail(&local->tx_queue, pdu); ++ __skb_queue_tail(&local->tx_queue, pdu); ++ ++ spin_unlock(&local->tx_queue.lock); + + remaining_len -= frag_len; + msg_ptr += frag_len; +diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c +index 18be13fb9b75a..ced99d2a90cc1 100644 +--- a/net/nfc/llcp_core.c ++++ b/net/nfc/llcp_core.c +@@ -314,7 +314,9 @@ static struct nfc_llcp_local *nfc_llcp_remove_local(struct nfc_dev *dev) + spin_lock(&llcp_devices_lock); + list_for_each_entry_safe(local, tmp, &llcp_devices, list) + if (local->dev == dev) { +- list_del(&local->list); ++ spin_lock(&local->tx_queue.lock); ++ list_del_init(&local->list); ++ spin_unlock(&local->tx_queue.lock); + spin_unlock(&llcp_devices_lock); + return local; + } +-- +2.51.0 + diff --git a/queue-6.6/nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch b/queue-6.6/nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch new file mode 100644 index 0000000000..7bd966d33c --- /dev/null +++ b/queue-6.6/nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch 
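Review bot: The new `list_empty(&local->list)` test in nfc_llcp_send_ui_frame() is only meaningful because nfc_llcp_remove_local() in llcp_core.c now uses `list_del_init()` while holding `local->tx_queue.lock`, and nothing at the check records that dependency. I would add a comment above it, `/* local was unlinked by nfc_llcp_remove_local() under tx_queue.lock; local_cleanup() purges tx_queue, so drop the PDU instead of queuing it */`, so that a later return to `list_del()` or `skb_queue_tail()` is not made by accident. Separately, `skb_queue_tail()` takes the queue lock with interrupts disabled while the replacement uses plain `spin_lock()`; the two are equivalent only if `tx_queue.lock` is never taken from softirq or hardirq context, which cannot be confirmed from these hunks. Both functions continue outside the hunks.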
@@ -0,0 +1,197 @@ +From 1b52d0e89619be2c61cfe27251b243c7c849de15 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Jan 2026 04:03:59 +0000 +Subject: nfc: nci: Fix race between rfkill and nci_unregister_device(). + +From: Kuniyuki Iwashima + +[ Upstream commit d2492688bb9fed6ab6e313682c387ae71a66ebae ] + +syzbot reported the splat below [0] without a repro. + +It indicates that struct nci_dev.cmd_wq had been destroyed before +nci_close_device() was called via rfkill. + +nci_dev.cmd_wq is only destroyed in nci_unregister_device(), which +(I think) was called from virtual_ncidev_close() when syzbot close()d +an fd of virtual_ncidev. + +The problem is that nci_unregister_device() destroys nci_dev.cmd_wq +first and then calls nfc_unregister_device(), which removes the +device from rfkill by rfkill_unregister(). + +So, the device is still visible via rfkill even after nci_dev.cmd_wq +is destroyed. + +Let's unregister the device from rfkill first in nci_unregister_device(). + +Note that we cannot call nfc_unregister_device() before +nci_close_device() because + + 1) nfc_unregister_device() calls device_del() which frees + all memory allocated by devm_kzalloc() and linked to + ndev->conn_info_list + + 2) nci_rx_work() could try to queue nci_conn_info to + ndev->conn_info_list which could be leaked + +Thus, nfc_unregister_device() is split into two functions so we +can remove rfkill interfaces only before nci_close_device(). 
+ +[0]: +DEBUG_LOCKS_WARN_ON(1) +WARNING: kernel/locking/lockdep.c:238 at hlock_class kernel/locking/lockdep.c:238 [inline], CPU#0: syz.0.8675/6349 +WARNING: kernel/locking/lockdep.c:238 at check_wait_context kernel/locking/lockdep.c:4854 [inline], CPU#0: syz.0.8675/6349 +WARNING: kernel/locking/lockdep.c:238 at __lock_acquire+0x39d/0x2cf0 kernel/locking/lockdep.c:5187, CPU#0: syz.0.8675/6349 +Modules linked in: +CPU: 0 UID: 0 PID: 6349 Comm: syz.0.8675 Not tainted syzkaller #0 PREEMPT(full) +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026 +RIP: 0010:hlock_class kernel/locking/lockdep.c:238 [inline] +RIP: 0010:check_wait_context kernel/locking/lockdep.c:4854 [inline] +RIP: 0010:__lock_acquire+0x3a4/0x2cf0 kernel/locking/lockdep.c:5187 +Code: 18 00 4c 8b 74 24 08 75 27 90 e8 17 f2 fc 02 85 c0 74 1c 83 3d 50 e0 4e 0e 00 75 13 48 8d 3d 43 f7 51 0e 48 c7 c6 8b 3a de 8d <67> 48 0f b9 3a 90 31 c0 0f b6 98 c4 00 00 00 41 8b 45 20 25 ff 1f +RSP: 0018:ffffc9000c767680 EFLAGS: 00010046 +RAX: 0000000000000001 RBX: 0000000000040000 RCX: 0000000000080000 +RDX: ffffc90013080000 RSI: ffffffff8dde3a8b RDI: ffffffff8ff24ca0 +RBP: 0000000000000003 R08: ffffffff8fef35a3 R09: 1ffffffff1fde6b4 +R10: dffffc0000000000 R11: fffffbfff1fde6b5 R12: 00000000000012a2 +R13: ffff888030338ba8 R14: ffff888030338000 R15: ffff888030338b30 +FS: 00007fa5995f66c0(0000) GS:ffff8881256f8000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f7e72f842d0 CR3: 00000000485a0000 CR4: 00000000003526f0 +Call Trace: + + lock_acquire+0x106/0x330 kernel/locking/lockdep.c:5868 + touch_wq_lockdep_map+0xcb/0x180 kernel/workqueue.c:3940 + __flush_workqueue+0x14b/0x14f0 kernel/workqueue.c:3982 + nci_close_device+0x302/0x630 net/nfc/nci/core.c:567 + nci_dev_down+0x3b/0x50 net/nfc/nci/core.c:639 + nfc_dev_down+0x152/0x290 net/nfc/core.c:161 + nfc_rfkill_set_block+0x2d/0x100 net/nfc/core.c:179 + rfkill_set_block+0x1d2/0x440 
net/rfkill/core.c:346 + rfkill_fop_write+0x461/0x5a0 net/rfkill/core.c:1301 + vfs_write+0x29a/0xb90 fs/read_write.c:684 + ksys_write+0x150/0x270 fs/read_write.c:738 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7fa59b39acb9 +Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007fa5995f6028 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +RAX: ffffffffffffffda RBX: 00007fa59b615fa0 RCX: 00007fa59b39acb9 +RDX: 0000000000000008 RSI: 0000200000000080 RDI: 0000000000000007 +RBP: 00007fa59b408bf7 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007fa59b616038 R14: 00007fa59b615fa0 R15: 00007ffc82218788 + + +Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation") +Reported-by: syzbot+f9c5fd1a0874f9069dce@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/695e7f56.050a0220.1c677c.036c.GAE@google.com/ +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20260127040411.494931-1-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/nfc/nfc.h | 2 ++ + net/nfc/core.c | 27 ++++++++++++++++++++++++--- + net/nfc/nci/core.c | 4 +++- + 3 files changed, 29 insertions(+), 4 deletions(-) + +diff --git a/include/net/nfc/nfc.h b/include/net/nfc/nfc.h +index 5dee575fbe86a..b82f4f2a27fb8 100644 +--- a/include/net/nfc/nfc.h ++++ b/include/net/nfc/nfc.h +@@ -215,6 +215,8 @@ static inline void nfc_free_device(struct nfc_dev *dev) + + int nfc_register_device(struct nfc_dev *dev); + ++void nfc_unregister_rfkill(struct nfc_dev *dev); ++void nfc_remove_device(struct nfc_dev *dev); + void nfc_unregister_device(struct nfc_dev *dev); + + /** +diff --git 
a/net/nfc/core.c b/net/nfc/core.c +index 5352571b62148..a02ede8b067bd 100644 +--- a/net/nfc/core.c ++++ b/net/nfc/core.c +@@ -1147,14 +1147,14 @@ int nfc_register_device(struct nfc_dev *dev) + EXPORT_SYMBOL(nfc_register_device); + + /** +- * nfc_unregister_device - unregister a nfc device in the nfc subsystem ++ * nfc_unregister_rfkill - unregister a nfc device in the rfkill subsystem + * + * @dev: The nfc device to unregister + */ +-void nfc_unregister_device(struct nfc_dev *dev) ++void nfc_unregister_rfkill(struct nfc_dev *dev) + { +- int rc; + struct rfkill *rfk = NULL; ++ int rc; + + pr_debug("dev_name=%s\n", dev_name(&dev->dev)); + +@@ -1175,7 +1175,16 @@ void nfc_unregister_device(struct nfc_dev *dev) + rfkill_unregister(rfk); + rfkill_destroy(rfk); + } ++} ++EXPORT_SYMBOL(nfc_unregister_rfkill); + ++/** ++ * nfc_remove_device - remove a nfc device in the nfc subsystem ++ * ++ * @dev: The nfc device to remove ++ */ ++void nfc_remove_device(struct nfc_dev *dev) ++{ + if (dev->ops->check_presence) { + del_timer_sync(&dev->check_pres_timer); + cancel_work_sync(&dev->check_pres_work); +@@ -1188,6 +1197,18 @@ void nfc_unregister_device(struct nfc_dev *dev) + device_del(&dev->dev); + mutex_unlock(&nfc_devlist_mutex); + } ++EXPORT_SYMBOL(nfc_remove_device); ++ ++/** ++ * nfc_unregister_device - unregister a nfc device in the nfc subsystem ++ * ++ * @dev: The nfc device to unregister ++ */ ++void nfc_unregister_device(struct nfc_dev *dev) ++{ ++ nfc_unregister_rfkill(dev); ++ nfc_remove_device(dev); ++} + EXPORT_SYMBOL(nfc_unregister_device); + + static int __init nfc_init(void) +diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c +index c4d2932c59032..b7d4952a7dcf8 100644 +--- a/net/nfc/nci/core.c ++++ b/net/nfc/nci/core.c +@@ -1292,6 +1292,8 @@ void nci_unregister_device(struct nci_dev *ndev) + { + struct nci_conn_info *conn_info, *n; + ++ nfc_unregister_rfkill(ndev->nfc_dev); ++ + /* This set_bit is not protected with specialized barrier, + * However, it is fine 
because the mutex_lock(&ndev->req_lock); + * in nci_close_device() will help to emit one. +@@ -1309,7 +1311,7 @@ void nci_unregister_device(struct nci_dev *ndev) + /* conn_info is allocated with devm_kzalloc */ + } + +- nfc_unregister_device(ndev->nfc_dev); ++ nfc_remove_device(ndev->nfc_dev); + } + EXPORT_SYMBOL(nci_unregister_device); + +-- +2.51.0 + diff --git a/queue-6.6/octeon_ep-fix-memory-leak-in-octep_device_setup.patch b/queue-6.6/octeon_ep-fix-memory-leak-in-octep_device_setup.patch new file mode 100644 index 0000000000..fac619ff35 --- /dev/null +++ b/queue-6.6/octeon_ep-fix-memory-leak-in-octep_device_setup.patch 
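Review bot: The kernel-doc added for nfc_unregister_rfkill() and nfc_remove_device() in net/nfc/core.c does not state the call order that the split exists to enforce. Per the commit description the rfkill interface has to be removed before nci_unregister_device() destroys cmd_wq, while device_del() has to stay after nci_close_device(), so I would add ` * Must be called after nfc_unregister_rfkill().` to the nfc_remove_device() comment and put `/* Remove rfkill first so it cannot reach nci_close_device() once cmd_wq is destroyed */` above the new call in nci_unregister_device(). Callers that tear down in one step keep using nfc_unregister_device(), which the patch preserves as a wrapper. The bodies of nfc_unregister_rfkill() and nci_unregister_device() are only partly visible in the hunks.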
@@ -0,0 +1,46 @@
+From 38af85d07be02342216e39e4d6e962f5b19b7109 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 21 Jan 2026 13:05:51 +0000
+Subject: octeon_ep: Fix memory leak in octep_device_setup()
+
+From: Zilin Guan
+
+[ Upstream commit 8016dc5ee19a77678c264f8ba368b1e873fa705b ]
+
+In octep_device_setup(), if octep_ctrl_net_init() fails, the function
+returns directly without unmapping the mapped resources and freeing the
+allocated configuration memory.
+
+Fix this by jumping to the unsupported_dev label, which performs the
+necessary cleanup. This aligns with the error handling logic of other
+paths in this function.
+
+Compile tested only. Issue found using a prototype static analysis tool
+and code review.
+
+Fixes: 577f0d1b1c5f ("octeon_ep: add separate mailbox command and response queues")
+Signed-off-by: Zilin Guan
+Reviewed-by: Vadim Fedorenko
+Link: https://patch.msgid.link/20260121130551.3717090-1-zilin@seu.edu.cn
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/marvell/octeon_ep/octep_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeon_ep/octep_main.c b/drivers/net/ethernet/marvell/octeon_ep/octep_main.c
+index 7a30095b3486f..c385084546639 100644
+--- a/drivers/net/ethernet/marvell/octeon_ep/octep_main.c
++++ b/drivers/net/ethernet/marvell/octeon_ep/octep_main.c
+@@ -998,7 +998,7 @@ int octep_device_setup(struct octep_device *oct)
+
+ ret = octep_ctrl_net_init(oct);
+ if (ret)
+- return ret;
++ goto unsupported_dev;
+
+ atomic_set(&oct->hb_miss_cnt, 0);
+ INIT_DELAYED_WORK(&oct->hb_task, octep_hb_timeout_task);
+--
+2.51.0
+
diff --git a/queue-6.6/rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch b/queue-6.6/rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch
new file mode 100644
index 0000000000..699e6b8547
--- /dev/null
+++ b/queue-6.6/rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch
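Review bot: The new `goto unsupported_dev;` in octep_device_setup() jumps to a label whose name describes a different failure and whose body is outside the hunk, so it is not visible whether the function still returns `ret` from octep_ctrl_net_init() or a fixed error value. If the label returns a constant, the specific error code is lost to the caller; that is worth confirming, and a comment at the jump such as `/* release MMIO mappings and conf via the common error path */` would make the reuse of the label explicit. The commit description states the change was compile tested only, so the cleanup path for this failure has not been exercised at run time.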
@@ -0,0 +1,56 @@
+From 689e661addd6c9857bd3d0b117cd70dd8cd3d9cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 24 Jan 2026 05:10:31 +0800
+Subject: rocker: fix memory leak in rocker_world_port_post_fini()
+
+From: Kery Qi
+
+[ Upstream commit 8d7ba71e46216b8657a82ca2ec118bc93812a4d0 ]
+
+In rocker_world_port_pre_init(), rocker_port->wpriv is allocated with
+kzalloc(wops->port_priv_size, GFP_KERNEL). However, in
+rocker_world_port_post_fini(), the memory is only freed when
+wops->port_post_fini callback is set:
+
+ if (!wops->port_post_fini)
+ return;
+ wops->port_post_fini(rocker_port);
+ kfree(rocker_port->wpriv);
+
+Since rocker_ofdpa_ops does not implement port_post_fini callback
+(it is NULL), the wpriv memory allocated for each port is never freed
+when ports are removed. This leads to a memory leak of
+sizeof(struct ofdpa_port) bytes per port on every device removal.
+
+Fix this by always calling kfree(rocker_port->wpriv) regardless of
+whether the port_post_fini callback exists.
+
+Fixes: e420114eef4a ("rocker: introduce worlds infrastructure")
+Signed-off-by: Kery Qi
+Reviewed-by: Simon Horman
+Link: https://patch.msgid.link/20260123211030.2109-2-qikeyu2017@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/rocker/rocker_main.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/rocker/rocker_main.c b/drivers/net/ethernet/rocker/rocker_main.c
+index 2e2826c901fcc..b741d335b1dc4 100644
+--- a/drivers/net/ethernet/rocker/rocker_main.c
++++ b/drivers/net/ethernet/rocker/rocker_main.c
+@@ -1525,9 +1525,8 @@ static void rocker_world_port_post_fini(struct rocker_port *rocker_port)
+ {
+ struct rocker_world_ops *wops = rocker_port->rocker->wops;
+
+- if (!wops->port_post_fini)
+- return;
+- wops->port_post_fini(rocker_port);
++ if (wops->port_post_fini)
++ wops->port_post_fini(rocker_port);
+ kfree(rocker_port->wpriv);
+ }
+
+--
+2.51.0
+
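Review bot: After the now-unconditional `kfree(rocker_port->wpriv);` in rocker_world_port_post_fini() the freed pointer stays stored in rocker_port. Adding `rocker_port->wpriv = NULL;` directly after the kfree() would turn any later access into a NULL dereference and a repeated teardown into a harmless kfree(NULL), instead of a use-after-free or double free. Whether a second path to this function or a later reader of wpriv exists cannot be seen from this hunk, so this is hardening rather than a confirmed bug.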
diff --git a/queue-6.6/series b/queue-6.6/series
new file mode 100644
index 0000000000..b2f6f6ea3f
--- /dev/null
+++ b/queue-6.6/series
@@ -0,0 +1,18 @@
+bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch
+net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch
+can-gs_usb-gs_usb_receive_bulk_callback-fix-error-me.patch
+net-bcmasp-fix-early-exit-leak-with-fixed-phy.patch
+octeon_ep-fix-memory-leak-in-octep_device_setup.patch
+bonding-annotate-data-races-around-slave-last_rx.patch
+net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch
+ipv6-use-the-right-ifindex-when-replying-to-icmpv6-f.patch
+net-wwan-t7xx-fix-potential-skb-frags-overflow-in-rx.patch
+rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch
+nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch
+ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch
+net-mlx5e-tc-delete-flows-only-for-existing-peers.patch
+net-mlx5e-report-rx_discards_phy-via-rx_dropped.patch
+net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch
+nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch
+net-bridge-fix-static-key-check.patch
+net-mlx5e-skip-esn-replay-window-setup-for-ipsec-cry.patch
--
2.47.3