From 3127b7a45c595affcf4edbf41a7fed6c37a84a8a Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Tue, 13 Jan 2026 11:41:05 -0500 Subject: [PATCH] Fixes for all trees 
Signed-off-by: Sasha Levin --- ...s-imx6q-ba16-fix-rtc-interrupt-level.patch | 40 ++ ...e-dev_hard_header-does-not-change-sk.patch | 58 +++ ...ntial-data-corruption-with-hw-gro-lr.patch | 88 ++++ ...n-preservation-in-802.1ad-vlan_tunne.patch | 75 ++++ ...h-bnxt-move-and-rename-reset-helpers.patch | 145 +++++++ ...around-vid-pid-conflict-for-appledis.patch | 47 ++ .../inet-ping-fix-icmp-out-counting.patch | 55 +++ ...print-error-message-due-to-invalid-m.patch | 50 +++ ...q-fix-null-deref-when-deactivating-i.patch | 162 +++++++ ...dened-usercopy-panic-in-sock_recv_er.patch | 114 +++++ ...fix-memory-leak-in-update_eth_regs_a.patch | 37 ++ ...netif_f_all_for_all-across-tso-updat.patch | 43 ++ ...ncount-update-last_gc-only-when-gc-h.patch | 48 +++ ...nproxy-avoid-possible-data-race-on-u.patch | 55 +++ queue-5.10/series | 14 + ...s-imx6q-ba16-fix-rtc-interrupt-level.patch | 40 ++ ...off-on-delay-us-for-usdhc2-regulator.patch | 41 ++ ...e-dev_hard_header-does-not-change-sk.patch | 58 +++ ...ntial-data-corruption-with-hw-gro-lr.patch | 88 ++++ ...n-preservation-in-802.1ad-vlan_tunne.patch | 75 ++++ ...h-bnxt-move-and-rename-reset-helpers.patch | 145 +++++++ ...around-vid-pid-conflict-for-appledis.patch | 47 ++ .../inet-ping-fix-icmp-out-counting.patch | 55 +++ ...ild-warning-when-page_size-is-greate.patch | 49 +++ ...tera-fix-null-dereference-on-devlink.patch | 44 ++ ...print-error-message-due-to-invalid-m.patch | 50 +++ ...fix-crash-when-adding-interface-unde.patch | 56 +++ ...q-fix-null-deref-when-deactivating-i.patch | 162 +++++++ ...dened-usercopy-panic-in-sock_recv_er.patch | 114 +++++ ...fix-memory-leak-in-update_eth_regs_a.patch | 37 ++ ...netif_f_all_for_all-across-tso-updat.patch | 43 ++ ...ncount-update-last_gc-only-when-gc-h.patch | 48 +++ ...les-fix-memory-leak-in-nf_tables_new.patch | 49 +++ ...nproxy-avoid-possible-data-race-on-u.patch | 55 +++ queue-5.15/series | 19 + ...s-imx6q-ba16-fix-rtc-interrupt-level.patch | 40 ++ 
...off-on-delay-us-for-usdhc2-regulator.patch | 41 ++ ...-fix-lan8740ai-phy-reference-clock-o.patch | 42 ++ ...e-dev_hard_header-does-not-change-sk.patch | 58 +++ ...ntial-data-corruption-with-hw-gro-lr.patch | 88 ++++ ...n-preservation-in-802.1ad-vlan_tunne.patch | 75 ++++ ...h-bnxt-move-and-rename-reset-helpers.patch | 145 +++++++ ...around-vid-pid-conflict-for-appledis.patch | 47 ++ .../inet-ping-fix-icmp-out-counting.patch | 55 +++ ...ild-warning-when-page_size-is-greate.patch | 49 +++ ...eak-in-skb_segment_list-for-gro-pack.patch | 108 +++++ ...tera-fix-null-dereference-on-devlink.patch | 44 ++ ...print-error-message-due-to-invalid-m.patch | 50 +++ ...fix-crash-when-adding-interface-unde.patch | 56 +++ ...q-fix-null-deref-when-deactivating-i.patch | 162 +++++++ ...dened-usercopy-panic-in-sock_recv_er.patch | 114 +++++ ...fix-memory-leak-in-update_eth_regs_a.patch | 37 ++ ...sm-fix-memory-leak-in-ipc_mux_deinit.patch | 54 +++ ...netif_f_all_for_all-across-tso-updat.patch | 43 ++ ...ncount-update-last_gc-only-when-gc-h.patch | 48 +++ ...les-fix-memory-leak-in-nf_tables_new.patch | 49 +++ ...nproxy-avoid-possible-data-race-on-u.patch | 55 +++ queue-6.1/series | 22 + ...s-imx6q-ba16-fix-rtc-interrupt-level.patch | 40 ++ ...off-on-delay-us-for-usdhc2-regulator.patch | 41 ++ ...-fix-lan8740ai-phy-reference-clock-o.patch | 42 ++ ...-ss-dma-correct-the-dma-channels-of-.patch | 66 +++ ...-mba8mx-fix-ethernet-phy-irq-support.patch | 37 ++ ...am62-lp-sk-nand-rename-pinctrls-to-f.patch | 38 ++ ...e-dev_hard_header-does-not-change-sk.patch | 58 +++ ...ntial-data-corruption-with-hw-gro-lr.patch | 88 ++++ ...n-preservation-in-802.1ad-vlan_tunne.patch | 75 ++++ ...ce-free-space-tree-if-v1-cache-is-re.patch | 87 ++++ ...uplicate-restarting-msg-during-aer-e.patch | 47 ++ ...md-display-apply-e4479aecf658-to-dml.patch | 62 +++ ...respect-user-s-config_frame_warn-mor.patch | 94 ++++ ...er-with-s_stack_depth-increasing-for.patch | 100 +++++ 
...acked-mounts-no-longer-working-on-er.patch | 67 +++ ...-support-for-level-triggered-interru.patch | 116 +++++ ...dle-short-interrupt-pulses-on-pcal-d.patch | 148 +++++++ ...around-vid-pid-conflict-for-appledis.patch | 47 ++ .../idpf-cap-maximum-rx-buffer-size.patch | 75 ++++ ...pf-fix-memory-leak-in-idpf_vport_rel.patch | 54 +++ ...f-keep-the-netdev-when-a-reset-fails.patch | 107 +++++ .../inet-ping-fix-icmp-out-counting.patch | 55 +++ ...ild-warning-when-page_size-is-greate.patch | 49 +++ ...eak-in-skb_segment_list-for-gro-pack.patch | 108 +++++ ...tera-fix-null-dereference-on-devlink.patch | 44 ++ ...print-error-message-due-to-invalid-m.patch | 50 +++ ...fix-crash-when-adding-interface-unde.patch | 56 +++ ...x-inconsistent-carrier-state-after-l.patch | 79 ++++ ...q-fix-null-deref-when-deactivating-i.patch | 162 +++++++ ...dened-usercopy-panic-in-sock_recv_er.patch | 114 +++++ ...fix-memory-leak-in-update_eth_regs_a.patch | 37 ++ ...sm-fix-memory-leak-in-ipc_mux_deinit.patch | 54 +++ ...netif_f_all_for_all-across-tso-updat.patch | 43 ++ ...ncount-update-last_gc-only-when-gc-h.patch | 48 +++ ...les-fix-memory-leak-in-nf_tables_new.patch | 49 +++ ...t_pipapo-fix-range-overlap-detection.patch | 62 +++ ...nproxy-avoid-possible-data-race-on-u.patch | 55 +++ ...eanup-useless-va_user_xxx-definition.patch | 41 ++ queue-6.12/series | 39 ++ ...ept-ed-sockets-use-custom-setsockopt.patch | 39 ++ ...s-imx6q-ba16-fix-rtc-interrupt-level.patch | 40 ++ ...off-on-delay-us-for-usdhc2-regulator.patch | 41 ++ ...cale-moduline-display-fix-compatible.patch | 43 ++ ...scale-tx8p-ml81-fix-eqos-nvmem-cells.patch | 58 +++ ...-fix-lan8740ai-phy-reference-clock-o.patch | 42 ++ ...-mek-correct-the-light-sensor-interr.patch | 43 ++ ...-ss-dma-correct-the-dma-channels-of-.patch | 66 +++ ...-mba8mx-fix-ethernet-phy-irq-support.patch | 37 ++ ...am62-lp-sk-nand-rename-pinctrls-to-f.patch | 38 ++ ...am642-phyboard-electra-peb-c-010-fix.patch | 47 ++ ...am642-phyboard-electra-x27-gpio1-spi.patch 
| 64 +++ ...e-dev_hard_header-does-not-change-sk.patch | 58 +++ ...t-merge-bios-with-different-app_tags.patch | 80 ++++ ...ntial-data-corruption-with-hw-gro-lr.patch | 88 ++++ ...n-preservation-in-802.1ad-vlan_tunne.patch | 75 ++++ ...ointer-dereference-in-do_abort_log_r.patch | 43 ++ ...ce-free-space-tree-if-v1-cache-is-re.patch | 87 ++++ ...th-before-initializing-extent-tree-i.patch | 222 ++++++++++ ...uplicate-restarting-msg-during-aer-e.patch | 47 ++ ...m-fix-wrong-pcie-parameter-on-navi1x.patch | 43 ++ ...m-force-send-pcie-parmater-on-navi1x.patch | 74 ++++ ...er-with-s_stack_depth-increasing-for.patch | 100 +++++ ...acked-mounts-no-longer-working-on-er.patch | 67 +++ ...e-superio-enter-exit-calls-in-error-.patch | 64 +++ ...dle-short-interrupt-pulses-on-pcal-d.patch | 148 +++++++ ...lib-fix-race-condition-for-gdev-srcu.patch | 157 +++++++ ...e-unnecessary-out-of-memory-messages.patch | 51 +++ ...iolib-rename-gpio-chip-printk-macros.patch | 306 +++++++++++++ ...e-select-rust_fw_loader_abstractions.patch | 45 ++ ...d-intel-thc-fix-dma_unmap_sg-nents-v.patch | 77 ++++ ...d-intel-thc-fix-wrong-register-readi.patch | 46 ++ ...around-vid-pid-conflict-for-appledis.patch | 47 ++ .../idpf-cap-maximum-rx-buffer-size.patch | 75 ++++ .../idpf-convert-vport-state-to-bitmap.patch | 302 +++++++++++++ ...close-netdevs-while-handling-a-reset.patch | 280 ++++++++++++ ...ice-unplugging-when-rdma-is-not-supp.patch | 44 ++ ...ix-error-handling-in-idpf_vport_open.patch | 50 +++ ...or-handling-in-the-init_task-on-load.patch | 100 +++++ ...issue-with-ethtool-n-command-display.patch | 217 ++++++++++ ...x-memory-leak-in-idpf_vc_core_deinit.patch | 62 +++ ...pf-fix-memory-leak-in-idpf_vport_rel.patch | 54 +++ ...ory-leak-of-flow-steer-list-on-rmmod.patch | 195 +++++++++ ...lut-configuration-on-down-interfaces.patch | 100 +++++ ...-null-pointer-crash-on-early-ethtool.patch | 407 ++++++++++++++++++ ...-lut-null-ptr-issue-after-soft-reset.patch | 154 +++++++ 
...f-keep-the-netdev-when-a-reset-fails.patch | 107 +++++ ...s-drop-fraglist-conntrack-references.patch | 93 ++++ .../inet-ping-fix-icmp-out-counting.patch | 55 +++ ...ix-gicv5_its_map_event-itte-read-end.patch | 42 ++ ...et-airoha-fix-npu-rx-dma-definitions.patch | 44 ++ ...chedule-while-atomic-in-airoha_ppe_d.patch | 51 +++ ...sing-lock-when-update-devlink-params.patch | 87 ++++ ...ild-warning-when-page_size-is-greate.patch | 49 +++ ...eak-in-skb_segment_list-for-gro-pack.patch | 108 +++++ ...tera-fix-null-dereference-on-devlink.patch | 44 ++ ...tipath-give-priority-for-routes-with.patch | 57 +++ ...alloc-forgotten-psp-rx-modify-header.patch | 92 ++++ ...gate-fec-histograms-on-ppcnt_statist.patch | 60 +++ ...print-error-message-due-to-invalid-m.patch | 50 +++ ...fix-crash-when-adding-interface-unde.patch | 56 +++ ...x-inconsistent-carrier-state-after-l.patch | 79 ++++ ...0-add-power-management-and-soft-rese.patch | 47 ++ ...i-avoid-dereferencing-err_ptr-in-tcf.patch | 45 ++ ...q-fix-null-deref-when-deactivating-i.patch | 162 +++++++ ...he-number-of-written-bytes-for-smbus.patch | 42 ++ ...dened-usercopy-panic-in-sock_recv_er.patch | 114 +++++ ...fix-memory-leak-in-update_eth_regs_a.patch | 37 ++ ...sm-fix-memory-leak-in-ipc_mux_deinit.patch | 54 +++ ...netif_f_all_for_all-across-tso-updat.patch | 43 ++ ...ncount-update-last_gc-only-when-gc-h.patch | 48 +++ ...les-fix-memory-leak-in-nf_tables_new.patch | 49 +++ ...t_pipapo-fix-range-overlap-detection.patch | 62 +++ ...nproxy-avoid-possible-data-race-on-u.patch | 55 +++ ...read-unlock-of-page-with-eof-in-midd.patch | 106 +++++ ...sume-the-only-vga-device-on-a-system.patch | 55 +++ ...wevent-hrtimer-is-properly-destroyed.patch | 53 +++ ...-mt8189-restore-previous-register-ba.patch | 54 +++ ...6xxx-make-serdes-sgmii-fiber-tx-ampl.patch | 209 +++++++++ ...-fix-zk-bundled-extension-missing-zk.patch | 78 ++++ ...eanup-useless-va_user_xxx-definition.patch | 41 ++ ...t-bring-back-tool-to-driver-__init__.patch | 73 ++++ 
queue-6.18/series | 88 ++++ ...t-64-bit-non-pref-pref-bar-resources.patch | 108 +++++ ...p_on_oops-is-not-exported-make-it-st.patch | 39 ++ ...ter-free-in-ublk_partition_scan_work.patch | 102 +++++ ...orphan-before-skb_attempt_defer_free.patch | 46 ++ ...evice-mismatch-in-devm_kzalloc-devm_.patch | 126 ++++++ ...ept-ed-sockets-use-custom-setsockopt.patch | 39 ++ ...sim-fix-typo-in-frequency-notificati.patch | 40 ++ ...s-imx6q-ba16-fix-rtc-interrupt-level.patch | 40 ++ ...off-on-delay-us-for-usdhc2-regulator.patch | 41 ++ ...-fix-lan8740ai-phy-reference-clock-o.patch | 42 ++ ...e-dev_hard_header-does-not-change-sk.patch | 58 +++ ...ntial-data-corruption-with-hw-gro-lr.patch | 88 ++++ ...n-preservation-in-802.1ad-vlan_tunne.patch | 75 ++++ ...-support-for-level-triggered-interru.patch | 116 +++++ ...dle-short-interrupt-pulses-on-pcal-d.patch | 148 +++++++ ...lise-dev_err_probe-where-it-makes-se.patch | 48 +++ ...lise-temporary-variable-for-struct-d.patch | 118 +++++ ...around-vid-pid-conflict-for-appledis.patch | 47 ++ .../inet-ping-fix-icmp-out-counting.patch | 55 +++ ...ild-warning-when-page_size-is-greate.patch | 49 +++ ...eak-in-skb_segment_list-for-gro-pack.patch | 108 +++++ ...tera-fix-null-dereference-on-devlink.patch | 44 ++ ...print-error-message-due-to-invalid-m.patch | 50 +++ ...fix-crash-when-adding-interface-unde.patch | 56 +++ ...q-fix-null-deref-when-deactivating-i.patch | 162 +++++++ ...dened-usercopy-panic-in-sock_recv_er.patch | 114 +++++ ...fix-memory-leak-in-update_eth_regs_a.patch | 37 ++ ...sm-fix-memory-leak-in-ipc_mux_deinit.patch | 54 +++ ...netif_f_all_for_all-across-tso-updat.patch | 43 ++ ...ncount-update-last_gc-only-when-gc-h.patch | 48 +++ ...les-fix-memory-leak-in-nf_tables_new.patch | 49 +++ ...nproxy-avoid-possible-data-race-on-u.patch | 55 +++ queue-6.6/series | 25 ++ 213 files changed, 15804 insertions(+) create mode 100644 queue-5.10/arm-dts-imx6q-ba16-fix-rtc-interrupt-level.patch create mode 100644 
queue-5.10/arp-do-not-assume-dev_hard_header-does-not-change-sk.patch create mode 100644 queue-5.10/bnxt_en-fix-potential-data-corruption-with-hw-gro-lr.patch create mode 100644 queue-5.10/bridge-fix-c-vlan-preservation-in-802.1ad-vlan_tunne.patch create mode 100644 queue-5.10/eth-bnxt-move-and-rename-reset-helpers.patch create mode 100644 queue-5.10/hid-quirks-work-around-vid-pid-conflict-for-appledis.patch create mode 100644 queue-5.10/inet-ping-fix-icmp-out-counting.patch create mode 100644 queue-5.10/net-mlx5e-don-t-print-error-message-due-to-invalid-m.patch create mode 100644 queue-5.10/net-sched-sch_qfq-fix-null-deref-when-deactivating-i.patch create mode 100644 queue-5.10/net-sock-fix-hardened-usercopy-panic-in-sock_recv_er.patch create mode 100644 queue-5.10/net-usb-pegasus-fix-memory-leak-in-update_eth_regs_a.patch create mode 100644 queue-5.10/netdev-preserve-netif_f_all_for_all-across-tso-updat.patch create mode 100644 queue-5.10/netfilter-nf_conncount-update-last_gc-only-when-gc-h.patch create mode 100644 queue-5.10/netfilter-nft_synproxy-avoid-possible-data-race-on-u.patch create mode 100644 queue-5.15/arm-dts-imx6q-ba16-fix-rtc-interrupt-level.patch create mode 100644 queue-5.15/arm64-dts-add-off-on-delay-us-for-usdhc2-regulator.patch create mode 100644 queue-5.15/arp-do-not-assume-dev_hard_header-does-not-change-sk.patch create mode 100644 queue-5.15/bnxt_en-fix-potential-data-corruption-with-hw-gro-lr.patch create mode 100644 queue-5.15/bridge-fix-c-vlan-preservation-in-802.1ad-vlan_tunne.patch create mode 100644 queue-5.15/eth-bnxt-move-and-rename-reset-helpers.patch create mode 100644 queue-5.15/hid-quirks-work-around-vid-pid-conflict-for-appledis.patch create mode 100644 queue-5.15/inet-ping-fix-icmp-out-counting.patch create mode 100644 queue-5.15/net-enetc-fix-build-warning-when-page_size-is-greate.patch create mode 100644 queue-5.15/net-marvell-prestera-fix-null-dereference-on-devlink.patch create mode 100644 
queue-5.15/net-mlx5e-don-t-print-error-message-due-to-invalid-m.patch create mode 100644 queue-5.15/net-mscc-ocelot-fix-crash-when-adding-interface-unde.patch create mode 100644 queue-5.15/net-sched-sch_qfq-fix-null-deref-when-deactivating-i.patch create mode 100644 queue-5.15/net-sock-fix-hardened-usercopy-panic-in-sock_recv_er.patch create mode 100644 queue-5.15/net-usb-pegasus-fix-memory-leak-in-update_eth_regs_a.patch create mode 100644 queue-5.15/netdev-preserve-netif_f_all_for_all-across-tso-updat.patch create mode 100644 queue-5.15/netfilter-nf_conncount-update-last_gc-only-when-gc-h.patch create mode 100644 queue-5.15/netfilter-nf_tables-fix-memory-leak-in-nf_tables_new.patch create mode 100644 queue-5.15/netfilter-nft_synproxy-avoid-possible-data-race-on-u.patch create mode 100644 queue-6.1/arm-dts-imx6q-ba16-fix-rtc-interrupt-level.patch create mode 100644 queue-6.1/arm64-dts-add-off-on-delay-us-for-usdhc2-regulator.patch create mode 100644 queue-6.1/arm64-dts-imx8mp-fix-lan8740ai-phy-reference-clock-o.patch create mode 100644 queue-6.1/arp-do-not-assume-dev_hard_header-does-not-change-sk.patch create mode 100644 queue-6.1/bnxt_en-fix-potential-data-corruption-with-hw-gro-lr.patch create mode 100644 queue-6.1/bridge-fix-c-vlan-preservation-in-802.1ad-vlan_tunne.patch create mode 100644 queue-6.1/eth-bnxt-move-and-rename-reset-helpers.patch create mode 100644 queue-6.1/hid-quirks-work-around-vid-pid-conflict-for-appledis.patch create mode 100644 queue-6.1/inet-ping-fix-icmp-out-counting.patch create mode 100644 queue-6.1/net-enetc-fix-build-warning-when-page_size-is-greate.patch create mode 100644 queue-6.1/net-fix-memory-leak-in-skb_segment_list-for-gro-pack.patch create mode 100644 queue-6.1/net-marvell-prestera-fix-null-dereference-on-devlink.patch create mode 100644 queue-6.1/net-mlx5e-don-t-print-error-message-due-to-invalid-m.patch create mode 100644 queue-6.1/net-mscc-ocelot-fix-crash-when-adding-interface-unde.patch create mode 100644 
queue-6.1/net-sched-sch_qfq-fix-null-deref-when-deactivating-i.patch create mode 100644 queue-6.1/net-sock-fix-hardened-usercopy-panic-in-sock_recv_er.patch create mode 100644 queue-6.1/net-usb-pegasus-fix-memory-leak-in-update_eth_regs_a.patch create mode 100644 queue-6.1/net-wwan-iosm-fix-memory-leak-in-ipc_mux_deinit.patch create mode 100644 queue-6.1/netdev-preserve-netif_f_all_for_all-across-tso-updat.patch create mode 100644 queue-6.1/netfilter-nf_conncount-update-last_gc-only-when-gc-h.patch create mode 100644 queue-6.1/netfilter-nf_tables-fix-memory-leak-in-nf_tables_new.patch create mode 100644 queue-6.1/netfilter-nft_synproxy-avoid-possible-data-race-on-u.patch create mode 100644 queue-6.12/arm-dts-imx6q-ba16-fix-rtc-interrupt-level.patch create mode 100644 queue-6.12/arm64-dts-add-off-on-delay-us-for-usdhc2-regulator.patch create mode 100644 queue-6.12/arm64-dts-imx8mp-fix-lan8740ai-phy-reference-clock-o.patch create mode 100644 queue-6.12/arm64-dts-imx8qm-ss-dma-correct-the-dma-channels-of-.patch create mode 100644 queue-6.12/arm64-dts-mba8mx-fix-ethernet-phy-irq-support.patch create mode 100644 queue-6.12/arm64-dts-ti-k3-am62-lp-sk-nand-rename-pinctrls-to-f.patch create mode 100644 queue-6.12/arp-do-not-assume-dev_hard_header-does-not-change-sk.patch create mode 100644 queue-6.12/bnxt_en-fix-potential-data-corruption-with-hw-gro-lr.patch create mode 100644 queue-6.12/bridge-fix-c-vlan-preservation-in-802.1ad-vlan_tunne.patch create mode 100644 queue-6.12/btrfs-only-enforce-free-space-tree-if-v1-cache-is-re.patch create mode 100644 queue-6.12/crypto-qat-fix-duplicate-restarting-msg-during-aer-e.patch create mode 100644 queue-6.12/drm-amd-display-apply-e4479aecf658-to-dml.patch create mode 100644 queue-6.12/drm-amd-display-respect-user-s-config_frame_warn-mor.patch create mode 100644 queue-6.12/erofs-don-t-bother-with-s_stack_depth-increasing-for.patch create mode 100644 queue-6.12/erofs-fix-file-backed-mounts-no-longer-working-on-er.patch create mode 
100644 queue-6.12/gpio-pca953x-add-support-for-level-triggered-interru.patch create mode 100644 queue-6.12/gpio-pca953x-handle-short-interrupt-pulses-on-pcal-d.patch create mode 100644 queue-6.12/hid-quirks-work-around-vid-pid-conflict-for-appledis.patch create mode 100644 queue-6.12/idpf-cap-maximum-rx-buffer-size.patch create mode 100644 queue-6.12/idpf-fix-memory-leak-in-idpf_vport_rel.patch create mode 100644 queue-6.12/idpf-keep-the-netdev-when-a-reset-fails.patch create mode 100644 queue-6.12/inet-ping-fix-icmp-out-counting.patch create mode 100644 queue-6.12/net-enetc-fix-build-warning-when-page_size-is-greate.patch create mode 100644 queue-6.12/net-fix-memory-leak-in-skb_segment_list-for-gro-pack.patch create mode 100644 queue-6.12/net-marvell-prestera-fix-null-dereference-on-devlink.patch create mode 100644 queue-6.12/net-mlx5e-don-t-print-error-message-due-to-invalid-m.patch create mode 100644 queue-6.12/net-mscc-ocelot-fix-crash-when-adding-interface-unde.patch create mode 100644 queue-6.12/net-netdevsim-fix-inconsistent-carrier-state-after-l.patch create mode 100644 queue-6.12/net-sched-sch_qfq-fix-null-deref-when-deactivating-i.patch create mode 100644 queue-6.12/net-sock-fix-hardened-usercopy-panic-in-sock_recv_er.patch create mode 100644 queue-6.12/net-usb-pegasus-fix-memory-leak-in-update_eth_regs_a.patch create mode 100644 queue-6.12/net-wwan-iosm-fix-memory-leak-in-ipc_mux_deinit.patch create mode 100644 queue-6.12/netdev-preserve-netif_f_all_for_all-across-tso-updat.patch create mode 100644 queue-6.12/netfilter-nf_conncount-update-last_gc-only-when-gc-h.patch create mode 100644 queue-6.12/netfilter-nf_tables-fix-memory-leak-in-nf_tables_new.patch create mode 100644 queue-6.12/netfilter-nft_set_pipapo-fix-range-overlap-detection.patch create mode 100644 queue-6.12/netfilter-nft_synproxy-avoid-possible-data-race-on-u.patch create mode 100644 queue-6.12/riscv-pgtable-cleanup-useless-va_user_xxx-definition.patch create mode 100644 
queue-6.12/vsock-make-accept-ed-sockets-use-custom-setsockopt.patch create mode 100644 queue-6.18/arm-dts-imx6q-ba16-fix-rtc-interrupt-level.patch create mode 100644 queue-6.18/arm64-dts-add-off-on-delay-us-for-usdhc2-regulator.patch create mode 100644 queue-6.18/arm64-dts-freescale-moduline-display-fix-compatible.patch create mode 100644 queue-6.18/arm64-dts-freescale-tx8p-ml81-fix-eqos-nvmem-cells.patch create mode 100644 queue-6.18/arm64-dts-imx8mp-fix-lan8740ai-phy-reference-clock-o.patch create mode 100644 queue-6.18/arm64-dts-imx8qm-mek-correct-the-light-sensor-interr.patch create mode 100644 queue-6.18/arm64-dts-imx8qm-ss-dma-correct-the-dma-channels-of-.patch create mode 100644 queue-6.18/arm64-dts-mba8mx-fix-ethernet-phy-irq-support.patch create mode 100644 queue-6.18/arm64-dts-ti-k3-am62-lp-sk-nand-rename-pinctrls-to-f.patch create mode 100644 queue-6.18/arm64-dts-ti-k3-am642-phyboard-electra-peb-c-010-fix.patch create mode 100644 queue-6.18/arm64-dts-ti-k3-am642-phyboard-electra-x27-gpio1-spi.patch create mode 100644 queue-6.18/arp-do-not-assume-dev_hard_header-does-not-change-sk.patch create mode 100644 queue-6.18/block-don-t-merge-bios-with-different-app_tags.patch create mode 100644 queue-6.18/bnxt_en-fix-potential-data-corruption-with-hw-gro-lr.patch create mode 100644 queue-6.18/bridge-fix-c-vlan-preservation-in-802.1ad-vlan_tunne.patch create mode 100644 queue-6.18/btrfs-fix-null-pointer-dereference-in-do_abort_log_r.patch create mode 100644 queue-6.18/btrfs-only-enforce-free-space-tree-if-v1-cache-is-re.patch create mode 100644 queue-6.18/btrfs-release-path-before-initializing-extent-tree-i.patch create mode 100644 queue-6.18/crypto-qat-fix-duplicate-restarting-msg-during-aer-e.patch create mode 100644 queue-6.18/drm-amd-pm-fix-wrong-pcie-parameter-on-navi1x.patch create mode 100644 queue-6.18/drm-amd-pm-force-send-pcie-parmater-on-navi1x.patch create mode 100644 queue-6.18/erofs-don-t-bother-with-s_stack_depth-increasing-for.patch create mode 
100644 queue-6.18/erofs-fix-file-backed-mounts-no-longer-working-on-er.patch create mode 100644 queue-6.18/gpio-it87-balance-superio-enter-exit-calls-in-error-.patch create mode 100644 queue-6.18/gpio-pca953x-handle-short-interrupt-pulses-on-pcal-d.patch create mode 100644 queue-6.18/gpiolib-fix-race-condition-for-gdev-srcu.patch create mode 100644 queue-6.18/gpiolib-remove-unnecessary-out-of-memory-messages.patch create mode 100644 queue-6.18/gpiolib-rename-gpio-chip-printk-macros.patch create mode 100644 queue-6.18/gpu-nova-core-select-rust_fw_loader_abstractions.patch create mode 100644 queue-6.18/hid-intel-thc-hid-intel-thc-fix-dma_unmap_sg-nents-v.patch create mode 100644 queue-6.18/hid-intel-thc-hid-intel-thc-fix-wrong-register-readi.patch create mode 100644 queue-6.18/hid-quirks-work-around-vid-pid-conflict-for-appledis.patch create mode 100644 queue-6.18/idpf-cap-maximum-rx-buffer-size.patch create mode 100644 queue-6.18/idpf-convert-vport-state-to-bitmap.patch create mode 100644 queue-6.18/idpf-detach-and-close-netdevs-while-handling-a-reset.patch create mode 100644 queue-6.18/idpf-fix-aux-device-unplugging-when-rdma-is-not-supp.patch create mode 100644 queue-6.18/idpf-fix-error-handling-in-idpf_vport_open.patch create mode 100644 queue-6.18/idpf-fix-error-handling-in-the-init_task-on-load.patch create mode 100644 queue-6.18/idpf-fix-issue-with-ethtool-n-command-display.patch create mode 100644 queue-6.18/idpf-fix-memory-leak-in-idpf_vc_core_deinit.patch create mode 100644 queue-6.18/idpf-fix-memory-leak-in-idpf_vport_rel.patch create mode 100644 queue-6.18/idpf-fix-memory-leak-of-flow-steer-list-on-rmmod.patch create mode 100644 queue-6.18/idpf-fix-rss-lut-configuration-on-down-interfaces.patch create mode 100644 queue-6.18/idpf-fix-rss-lut-null-pointer-crash-on-early-ethtool.patch create mode 100644 queue-6.18/idpf-fix-rss-lut-null-ptr-issue-after-soft-reset.patch create mode 100644 queue-6.18/idpf-keep-the-netdev-when-a-reset-fails.patch create mode 
100644 queue-6.18/inet-frags-drop-fraglist-conntrack-references.patch create mode 100644 queue-6.18/inet-ping-fix-icmp-out-counting.patch create mode 100644 queue-6.18/irqchip-gic-v5-fix-gicv5_its_map_event-itte-read-end.patch create mode 100644 queue-6.18/net-airoha-fix-npu-rx-dma-definitions.patch create mode 100644 queue-6.18/net-airoha-fix-schedule-while-atomic-in-airoha_ppe_d.patch create mode 100644 queue-6.18/net-ena-fix-missing-lock-when-update-devlink-params.patch create mode 100644 queue-6.18/net-enetc-fix-build-warning-when-page_size-is-greate.patch create mode 100644 queue-6.18/net-fix-memory-leak-in-skb_segment_list-for-gro-pack.patch create mode 100644 queue-6.18/net-marvell-prestera-fix-null-dereference-on-devlink.patch create mode 100644 queue-6.18/net-mlx5-lag-multipath-give-priority-for-routes-with.patch create mode 100644 queue-6.18/net-mlx5e-dealloc-forgotten-psp-rx-modify-header.patch create mode 100644 queue-6.18/net-mlx5e-don-t-gate-fec-histograms-on-ppcnt_statist.patch create mode 100644 queue-6.18/net-mlx5e-don-t-print-error-message-due-to-invalid-m.patch create mode 100644 queue-6.18/net-mscc-ocelot-fix-crash-when-adding-interface-unde.patch create mode 100644 queue-6.18/net-netdevsim-fix-inconsistent-carrier-state-after-l.patch create mode 100644 queue-6.18/net-phy-mxl-86110-add-power-management-and-soft-rese.patch create mode 100644 queue-6.18/net-sched-act_api-avoid-dereferencing-err_ptr-in-tcf.patch create mode 100644 queue-6.18/net-sched-sch_qfq-fix-null-deref-when-deactivating-i.patch create mode 100644 queue-6.18/net-sfp-return-the-number-of-written-bytes-for-smbus.patch create mode 100644 queue-6.18/net-sock-fix-hardened-usercopy-panic-in-sock_recv_er.patch create mode 100644 queue-6.18/net-usb-pegasus-fix-memory-leak-in-update_eth_regs_a.patch create mode 100644 queue-6.18/net-wwan-iosm-fix-memory-leak-in-ipc_mux_deinit.patch create mode 100644 queue-6.18/netdev-preserve-netif_f_all_for_all-across-tso-updat.patch create mode 
100644 queue-6.18/netfilter-nf_conncount-update-last_gc-only-when-gc-h.patch create mode 100644 queue-6.18/netfilter-nf_tables-fix-memory-leak-in-nf_tables_new.patch create mode 100644 queue-6.18/netfilter-nft_set_pipapo-fix-range-overlap-detection.patch create mode 100644 queue-6.18/netfilter-nft_synproxy-avoid-possible-data-race-on-u.patch create mode 100644 queue-6.18/netfs-fix-early-read-unlock-of-page-with-eof-in-midd.patch create mode 100644 queue-6.18/pci-vga-don-t-assume-the-only-vga-device-on-a-system.patch create mode 100644 queue-6.18/perf-ensure-swevent-hrtimer-is-properly-destroyed.patch create mode 100644 queue-6.18/pinctrl-mediatek-mt8189-restore-previous-register-ba.patch create mode 100644 queue-6.18/revert-dsa-mv88e6xxx-make-serdes-sgmii-fiber-tx-ampl.patch create mode 100644 queue-6.18/riscv-cpufeature-fix-zk-bundled-extension-missing-zk.patch create mode 100644 queue-6.18/riscv-pgtable-cleanup-useless-va_user_xxx-definition.patch create mode 100644 queue-6.18/selftests-drv-net-bring-back-tool-to-driver-__init__.patch create mode 100644 queue-6.18/sparc-pci-correct-64-bit-non-pref-pref-bar-resources.patch create mode 100644 queue-6.18/trace-ftrace_dump_on_oops-is-not-exported-make-it-st.patch create mode 100644 queue-6.18/ublk-fix-use-after-free-in-ublk_partition_scan_work.patch create mode 100644 queue-6.18/udp-call-skb_orphan-before-skb_attempt_defer_free.patch create mode 100644 queue-6.18/virtio_net-fix-device-mismatch-in-devm_kzalloc-devm_.patch create mode 100644 queue-6.18/vsock-make-accept-ed-sockets-use-custom-setsockopt.patch create mode 100644 queue-6.18/wifi-mac80211_hwsim-fix-typo-in-frequency-notificati.patch create mode 100644 queue-6.6/arm-dts-imx6q-ba16-fix-rtc-interrupt-level.patch create mode 100644 queue-6.6/arm64-dts-add-off-on-delay-us-for-usdhc2-regulator.patch create mode 100644 queue-6.6/arm64-dts-imx8mp-fix-lan8740ai-phy-reference-clock-o.patch create mode 100644 
queue-6.6/arp-do-not-assume-dev_hard_header-does-not-change-sk.patch create mode 100644 queue-6.6/bnxt_en-fix-potential-data-corruption-with-hw-gro-lr.patch create mode 100644 queue-6.6/bridge-fix-c-vlan-preservation-in-802.1ad-vlan_tunne.patch create mode 100644 queue-6.6/gpio-pca953x-add-support-for-level-triggered-interru.patch create mode 100644 queue-6.6/gpio-pca953x-handle-short-interrupt-pulses-on-pcal-d.patch create mode 100644 queue-6.6/gpio-pca953x-utilise-dev_err_probe-where-it-makes-se.patch create mode 100644 queue-6.6/gpio-pca953x-utilise-temporary-variable-for-struct-d.patch create mode 100644 queue-6.6/hid-quirks-work-around-vid-pid-conflict-for-appledis.patch create mode 100644 queue-6.6/inet-ping-fix-icmp-out-counting.patch create mode 100644 queue-6.6/net-enetc-fix-build-warning-when-page_size-is-greate.patch create mode 100644 queue-6.6/net-fix-memory-leak-in-skb_segment_list-for-gro-pack.patch create mode 100644 queue-6.6/net-marvell-prestera-fix-null-dereference-on-devlink.patch create mode 100644 queue-6.6/net-mlx5e-don-t-print-error-message-due-to-invalid-m.patch create mode 100644 queue-6.6/net-mscc-ocelot-fix-crash-when-adding-interface-unde.patch create mode 100644 queue-6.6/net-sched-sch_qfq-fix-null-deref-when-deactivating-i.patch create mode 100644 queue-6.6/net-sock-fix-hardened-usercopy-panic-in-sock_recv_er.patch create mode 100644 queue-6.6/net-usb-pegasus-fix-memory-leak-in-update_eth_regs_a.patch create mode 100644 queue-6.6/net-wwan-iosm-fix-memory-leak-in-ipc_mux_deinit.patch create mode 100644 queue-6.6/netdev-preserve-netif_f_all_for_all-across-tso-updat.patch create mode 100644 queue-6.6/netfilter-nf_conncount-update-last_gc-only-when-gc-h.patch create mode 100644 queue-6.6/netfilter-nf_tables-fix-memory-leak-in-nf_tables_new.patch create mode 100644 queue-6.6/netfilter-nft_synproxy-avoid-possible-data-race-on-u.patch 
diff --git a/queue-5.10/arm-dts-imx6q-ba16-fix-rtc-interrupt-level.patch b/queue-5.10/arm-dts-imx6q-ba16-fix-rtc-interrupt-level.patch
new file mode 100644
index 0000000000..7696971564
--- /dev/null
+++ b/queue-5.10/arm-dts-imx6q-ba16-fix-rtc-interrupt-level.patch
@@ -0,0 +1,40 @@
+From 3ece5815f17f093b27b062f8a3a983761f5560f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 1 Dec 2025 11:56:05 +0200
+Subject: ARM: dts: imx6q-ba16: fix RTC interrupt level
+
+From: Ian Ray
+
+[ Upstream commit e6a4eedd49ce27c16a80506c66a04707e0ee0116 ]
+
+RTC interrupt level should be set to "LOW". This was revealed by the
+introduction of commit:
+
+ f181987ef477 ("rtc: m41t80: use IRQ flags obtained from fwnode")
+
+which changed the way IRQ type is obtained.
+
+Fixes: 56c27310c1b4 ("ARM: dts: imx: Add Advantech BA-16 Qseven module")
+Signed-off-by: Ian Ray
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/imx6q-ba16.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/imx6q-ba16.dtsi b/arch/arm/boot/dts/imx6q-ba16.dtsi
+index 133991ca8c633..6147d1ff4515e 100644
+--- a/arch/arm/boot/dts/imx6q-ba16.dtsi
++++ b/arch/arm/boot/dts/imx6q-ba16.dtsi
+@@ -320,7 +320,7 @@ rtc@32 {
+ pinctrl-0 = <&pinctrl_rtc>;
+ reg = <0x32>;
+ interrupt-parent = <&gpio4>;
+- interrupts = <10 IRQ_TYPE_LEVEL_HIGH>;
++ interrupts = <10 IRQ_TYPE_LEVEL_LOW>;
+ };
+ };
+
+--
+2.51.0
+
diff --git a/queue-5.10/arp-do-not-assume-dev_hard_header-does-not-change-sk.patch b/queue-5.10/arp-do-not-assume-dev_hard_header-does-not-change-sk.patch
new file mode 100644
index 0000000000..4dba65d30b
--- /dev/null
+++ b/queue-5.10/arp-do-not-assume-dev_hard_header-does-not-change-sk.patch
@@ -0,0 +1,58 @@ +From e2ac71fa372da78a59f3f6d2b7ff354df2ae08ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jan 2026 21:22:50 +0000 +Subject: arp: do not assume dev_hard_header() does not change skb->head + +From: Eric Dumazet + +[ Upstream commit c92510f5e3f82ba11c95991824a41e59a9c5ed81 ] + +arp_create() is the only dev_hard_header() caller +making assumption about skb->head being unchanged. + +A recent commit broke this assumption. + +Initialize @arp pointer after dev_hard_header() call. + +Fixes: db5b4e39c4e6 ("ip6_gre: make ip6gre_header() robust") +Reported-by: syzbot+58b44a770a1585795351@syzkaller.appspotmail.com +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20260107212250.384552-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/arp.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c +index 6879e0b70c769..5f2788b87dfd5 100644 +--- a/net/ipv4/arp.c ++++ b/net/ipv4/arp.c +@@ -542,7 +542,7 @@ struct sk_buff *arp_create(int type, int ptype, __be32 dest_ip, + + skb_reserve(skb, hlen); + skb_reset_network_header(skb); +- arp = skb_put(skb, arp_hdr_len(dev)); ++ skb_put(skb, arp_hdr_len(dev)); + skb->dev = dev; + skb->protocol = htons(ETH_P_ARP); + if (!src_hw) +@@ -550,12 +550,13 @@ struct sk_buff *arp_create(int type, int ptype, __be32 dest_ip, + if (!dest_hw) + dest_hw = dev->broadcast; + +- /* +- * Fill the device header for the ARP frame ++ /* Fill the device header for the ARP frame. ++ * Note: skb->head can be changed. + */ + if (dev_hard_header(skb, dev, ptype, dest_hw, src_hw, skb->len) < 0) + goto out; + ++ arp = arp_hdr(skb); + /* + * Fill out the arp protocol part. + * +-- +2.51.0 + diff --git a/queue-5.10/bnxt_en-fix-potential-data-corruption-with-hw-gro-lr.patch b/queue-5.10/bnxt_en-fix-potential-data-corruption-with-hw-gro-lr.patch new file mode 100644 index 0000000000..2253a8e16b --- /dev/null 
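Review bot: The replacement comment in arp_create() says only `Note: skb->head can be changed.`, which does not tell a later reader why `arp` is now assigned after dev_hard_header() instead of from the return value of skb_put(). A pointer taken before the call would be stale if the header callback reallocates the buffer, so I would state the rule directly: `/* dev_hard_header() may reallocate skb->head: take header pointers such as arp only after it returns. */`. The rest of arp_create() lies outside the hunk, so it is worth confirming that no other pointer into the skb data is held across the call.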
+++ b/queue-5.10/bnxt_en-fix-potential-data-corruption-with-hw-gro-lr.patch 
@@ -0,0 +1,88 @@ +From 34775c6d96774467f74d1dc0e0173d26ad75752d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Dec 2025 00:36:25 -0800 +Subject: bnxt_en: Fix potential data corruption with HW GRO/LRO + +From: Srijit Bose + +[ Upstream commit ffeafa65b2b26df2f5b5a6118d3174f17bd12ec5 ] + +Fix the max number of bits passed to find_first_zero_bit() in +bnxt_alloc_agg_idx(). We were incorrectly passing the number of +long words. find_first_zero_bit() may fail to find a zero bit and +cause a wrong ID to be used. If the wrong ID is already in use, this +can cause data corruption. Sometimes an error like this can also be +seen: + +bnxt_en 0000:83:00.0 enp131s0np0: TPA end agg_buf 2 != expected agg_bufs 1 + +Fix it by passing the correct number of bits MAX_TPA_P5. Use +DECLARE_BITMAP() to more cleanly define the bitmap. Add a sanity +check to warn if a bit cannot be found and reset the ring [MChan]. + +Fixes: ec4d8e7cf024 ("bnxt_en: Add TPA ID mapping logic for 57500 chips.") +Reviewed-by: Ray Jui +Signed-off-by: Srijit Bose +Signed-off-by: Michael Chan +Reviewed-by: Vadim Fedorenko +Link: https://patch.msgid.link/20251231083625.3911652-1-michael.chan@broadcom.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 15 ++++++++++++--- + drivers/net/ethernet/broadcom/bnxt/bnxt.h | 4 +--- + 2 files changed, 13 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index 7fa215b320603..fd54a194a5e5f 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -1218,9 +1218,11 @@ static u16 bnxt_alloc_agg_idx(struct bnxt_rx_ring_info *rxr, u16 agg_id) + struct bnxt_tpa_idx_map *map = rxr->rx_tpa_idx_map; + u16 idx = agg_id & MAX_TPA_P5_MASK; + +- if (test_bit(idx, map->agg_idx_bmap)) +- idx = find_first_zero_bit(map->agg_idx_bmap, +- BNXT_AGG_IDX_BMAP_SIZE); ++ if (test_bit(idx, 
map->agg_idx_bmap)) { ++ idx = find_first_zero_bit(map->agg_idx_bmap, MAX_TPA_P5); ++ if (idx >= MAX_TPA_P5) ++ return INVALID_HW_RING_ID; ++ } + __set_bit(idx, map->agg_idx_bmap); + map->agg_id_tbl[agg_id] = idx; + return idx; +@@ -1253,6 +1255,13 @@ static void bnxt_tpa_start(struct bnxt *bp, struct bnxt_rx_ring_info *rxr, + if (bp->flags & BNXT_FLAG_CHIP_P5) { + agg_id = TPA_START_AGG_ID_P5(tpa_start); + agg_id = bnxt_alloc_agg_idx(rxr, agg_id); ++ if (unlikely(agg_id == INVALID_HW_RING_ID)) { ++ netdev_warn(bp->dev, "Unable to allocate agg ID for ring %d, agg 0x%x\n", ++ rxr->bnapi->index, ++ TPA_START_AGG_ID_P5(tpa_start)); ++ bnxt_sched_reset_rxr(bp, rxr); ++ return; ++ } + } else { + agg_id = TPA_START_AGG_ID(tpa_start); + } +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.h b/drivers/net/ethernet/broadcom/bnxt/bnxt.h +index b7b07beb17ffb..c2122d5cda622 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h +@@ -870,11 +870,9 @@ struct bnxt_tpa_info { + struct rx_agg_cmp *agg_arr; + }; + +-#define BNXT_AGG_IDX_BMAP_SIZE (MAX_TPA_P5 / BITS_PER_LONG) +- + struct bnxt_tpa_idx_map { + u16 agg_id_tbl[1024]; +- unsigned long agg_idx_bmap[BNXT_AGG_IDX_BMAP_SIZE]; ++ DECLARE_BITMAP(agg_idx_bmap, MAX_TPA_P5); + }; + + struct bnxt_rx_ring_info { +-- +2.51.0 + diff --git a/queue-5.10/bridge-fix-c-vlan-preservation-in-802.1ad-vlan_tunne.patch b/queue-5.10/bridge-fix-c-vlan-preservation-in-802.1ad-vlan_tunne.patch new file mode 100644 index 0000000000..685a20ecb6 --- /dev/null +++ b/queue-5.10/bridge-fix-c-vlan-preservation-in-802.1ad-vlan_tunne.patch 
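Review bot: The new failure branch in bnxt_tpa_start() logs with plain `netdev_warn()` on the receive path, so if the bitmap stays full until the scheduled reset actually runs, each further TPA start can add another log line. The same driver file already uses `netdev_warn_once(bp->dev, "RX buffer error %x\n", rx_err)` for a comparable condition; a once-only or rate-limited message here would keep the diagnostic without letting traffic drive log volume. bnxt_alloc_agg_idx() now also returns `INVALID_HW_RING_ID` as a failure value, which deserves a line above the function such as `/* Returns INVALID_HW_RING_ID when no free TPA index exists; the caller must reset the ring. */`. Both function bodies continue outside the hunks shown.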
@@ -0,0 +1,75 @@ +From 8eb4bae0d3edd30d8035162870c3f59d9b615f97 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Dec 2025 03:00:57 +0100 +Subject: bridge: fix C-VLAN preservation in 802.1ad vlan_tunnel egress + +From: Alexandre Knecht + +[ Upstream commit 3128df6be147768fe536986fbb85db1d37806a9f ] + +When using an 802.1ad bridge with vlan_tunnel, the C-VLAN tag is +incorrectly stripped from frames during egress processing. + +br_handle_egress_vlan_tunnel() uses skb_vlan_pop() to remove the S-VLAN +from hwaccel before VXLAN encapsulation. However, skb_vlan_pop() also +moves any "next" VLAN from the payload into hwaccel: + + /* move next vlan tag to hw accel tag */ + __skb_vlan_pop(skb, &vlan_tci); + __vlan_hwaccel_put_tag(skb, vlan_proto, vlan_tci); + +For QinQ frames where the C-VLAN sits in the payload, this moves it to +hwaccel where it gets lost during VXLAN encapsulation. + +Fix by calling __vlan_hwaccel_clear_tag() directly, which clears only +the hwaccel S-VLAN and leaves the payload untouched. + +This path is only taken when vlan_tunnel is enabled and tunnel_info +is configured, so 802.1Q bridges are unaffected. + +Tested with 802.1ad bridge + VXLAN vlan_tunnel, verified C-VLAN +preserved in VXLAN payload via tcpdump. 
+ +Fixes: 11538d039ac6 ("bridge: vlan dst_metadata hooks in ingress and egress paths") +Signed-off-by: Alexandre Knecht +Reviewed-by: Ido Schimmel +Acked-by: Nikolay Aleksandrov +Link: https://patch.msgid.link/20251228020057.2788865-1-knecht.alexandre@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/bridge/br_vlan_tunnel.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/net/bridge/br_vlan_tunnel.c b/net/bridge/br_vlan_tunnel.c +index debe167202782..9e960e2ab3fa9 100644 +--- a/net/bridge/br_vlan_tunnel.c ++++ b/net/bridge/br_vlan_tunnel.c +@@ -189,7 +189,6 @@ int br_handle_egress_vlan_tunnel(struct sk_buff *skb, + { + struct metadata_dst *tunnel_dst; + __be64 tunnel_id; +- int err; + + if (!vlan) + return 0; +@@ -199,9 +198,13 @@ int br_handle_egress_vlan_tunnel(struct sk_buff *skb, + return 0; + + skb_dst_drop(skb); +- err = skb_vlan_pop(skb); +- if (err) +- return err; ++ /* For 802.1ad (QinQ), skb_vlan_pop() incorrectly moves the C-VLAN ++ * from payload to hwaccel after clearing S-VLAN. We only need to ++ * clear the hwaccel S-VLAN; the C-VLAN must stay in payload for ++ * correct VXLAN encapsulation. This is also correct for 802.1Q ++ * where no C-VLAN exists in payload. ++ */ ++ __vlan_hwaccel_clear_tag(skb); + + tunnel_dst = rcu_dereference(vlan->tinfo.tunnel_dst); + if (tunnel_dst && dst_hold_safe(&tunnel_dst->dst)) +-- +2.51.0 + diff --git a/queue-5.10/eth-bnxt-move-and-rename-reset-helpers.patch b/queue-5.10/eth-bnxt-move-and-rename-reset-helpers.patch new file mode 100644 index 0000000000..f6b3ca15cb --- /dev/null +++ b/queue-5.10/eth-bnxt-move-and-rename-reset-helpers.patch 
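Review bot: Replacing `skb_vlan_pop()` with `__vlan_hwaccel_clear_tag(skb)` in br_handle_egress_vlan_tunnel() removes only a tag held in the hwaccel field, and the new comment does not state that this is being relied on. If a frame could reach this point with the S-VLAN still in the payload (nothing in the hunk shows whether it can), the outer tag would now be carried into the tunnel rather than stripped. I would extend the comment with `The S-VLAN is expected to be in hwaccel here; a tag left in the payload is not removed.` so the assumption is checked when the ingress side changes. The function body continues outside the hunk.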
@@ -0,0 +1,145 @@ +From 6844fe03d6160903224de0d78460079dc858e042 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 18:04:38 -0700 +Subject: eth: bnxt: move and rename reset helpers + +From: Jakub Kicinski + +[ Upstream commit fea2993aecd74d5d11ede1ebbd60e478ebfed996 ] + +Move the reset helpers, subsequent patches will need some +of them on the Tx path. + +While at it rename bnxt_sched_reset(), on more recent chips +it schedules a queue reset, instead of a fuller reset. + +Link: https://lore.kernel.org/r/20230720010440.1967136-2-kuba@kernel.org +Reviewed-by: Michael Chan +Signed-off-by: Jakub Kicinski +Stable-dep-of: ffeafa65b2b2 ("bnxt_en: Fix potential data corruption with HW GRO/LRO") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 72 +++++++++++------------ + 1 file changed, 36 insertions(+), 36 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index 40c53404bccbb..7fa215b320603 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -330,6 +330,38 @@ static void bnxt_db_cq(struct bnxt *bp, struct bnxt_db_info *db, u32 idx) + BNXT_DB_CQ(db, idx); + } + ++static void bnxt_queue_fw_reset_work(struct bnxt *bp, unsigned long delay) ++{ ++ if (!(test_bit(BNXT_STATE_IN_FW_RESET, &bp->state))) ++ return; ++ ++ if (BNXT_PF(bp)) ++ queue_delayed_work(bnxt_pf_wq, &bp->fw_reset_task, delay); ++ else ++ schedule_delayed_work(&bp->fw_reset_task, delay); ++} ++ ++static void bnxt_queue_sp_work(struct bnxt *bp) ++{ ++ if (BNXT_PF(bp)) ++ queue_work(bnxt_pf_wq, &bp->sp_task); ++ else ++ schedule_work(&bp->sp_task); ++} ++ ++static void bnxt_sched_reset_rxr(struct bnxt *bp, struct bnxt_rx_ring_info *rxr) ++{ ++ if (!rxr->bnapi->in_reset) { ++ rxr->bnapi->in_reset = true; ++ if (bp->flags & BNXT_FLAG_CHIP_P5) ++ set_bit(BNXT_RESET_TASK_SP_EVENT, &bp->sp_event); ++ else ++ set_bit(BNXT_RST_RING_SP_EVENT, 
&bp->sp_event); ++ bnxt_queue_sp_work(bp); ++ } ++ rxr->rx_next_cons = 0xffff; ++} ++ + const u16 bnxt_lhint_arr[] = { + TX_BD_FLAGS_LHINT_512_AND_SMALLER, + TX_BD_FLAGS_LHINT_512_TO_1023, +@@ -1181,38 +1213,6 @@ static int bnxt_discard_rx(struct bnxt *bp, struct bnxt_cp_ring_info *cpr, + return 0; + } + +-static void bnxt_queue_fw_reset_work(struct bnxt *bp, unsigned long delay) +-{ +- if (!(test_bit(BNXT_STATE_IN_FW_RESET, &bp->state))) +- return; +- +- if (BNXT_PF(bp)) +- queue_delayed_work(bnxt_pf_wq, &bp->fw_reset_task, delay); +- else +- schedule_delayed_work(&bp->fw_reset_task, delay); +-} +- +-static void bnxt_queue_sp_work(struct bnxt *bp) +-{ +- if (BNXT_PF(bp)) +- queue_work(bnxt_pf_wq, &bp->sp_task); +- else +- schedule_work(&bp->sp_task); +-} +- +-static void bnxt_sched_reset(struct bnxt *bp, struct bnxt_rx_ring_info *rxr) +-{ +- if (!rxr->bnapi->in_reset) { +- rxr->bnapi->in_reset = true; +- if (bp->flags & BNXT_FLAG_CHIP_P5) +- set_bit(BNXT_RESET_TASK_SP_EVENT, &bp->sp_event); +- else +- set_bit(BNXT_RST_RING_SP_EVENT, &bp->sp_event); +- bnxt_queue_sp_work(bp); +- } +- rxr->rx_next_cons = 0xffff; +-} +- + static u16 bnxt_alloc_agg_idx(struct bnxt_rx_ring_info *rxr, u16 agg_id) + { + struct bnxt_tpa_idx_map *map = rxr->rx_tpa_idx_map; +@@ -1267,7 +1267,7 @@ static void bnxt_tpa_start(struct bnxt *bp, struct bnxt_rx_ring_info *rxr, + netdev_warn(bp->dev, "TPA cons %x, expected cons %x, error code %x\n", + cons, rxr->rx_next_cons, + TPA_START_ERROR_CODE(tpa_start1)); +- bnxt_sched_reset(bp, rxr); ++ bnxt_sched_reset_rxr(bp, rxr); + return; + } + /* Store cfa_code in tpa_info to use in tpa_end +@@ -1785,7 +1785,7 @@ static int bnxt_rx_pkt(struct bnxt *bp, struct bnxt_cp_ring_info *cpr, + if (rxr->rx_next_cons != 0xffff) + netdev_warn(bp->dev, "RX cons %x != expected cons %x\n", + cons, rxr->rx_next_cons); +- bnxt_sched_reset(bp, rxr); ++ bnxt_sched_reset_rxr(bp, rxr); + if (rc1) + return rc1; + goto next_rx_no_prod_no_len; +@@ -1823,7 +1823,7 @@ static 
int bnxt_rx_pkt(struct bnxt *bp, struct bnxt_cp_ring_info *cpr, + !(bp->fw_cap & BNXT_FW_CAP_RING_MONITOR)) { + netdev_warn_once(bp->dev, "RX buffer error %x\n", + rx_err); +- bnxt_sched_reset(bp, rxr); ++ bnxt_sched_reset_rxr(bp, rxr); + } + } + goto next_rx_no_len; +@@ -2165,7 +2165,7 @@ static int bnxt_async_event_process(struct bnxt *bp, + goto async_event_process_exit; + } + rxr = bp->bnapi[grp_idx]->rx_ring; +- bnxt_sched_reset(bp, rxr); ++ bnxt_sched_reset_rxr(bp, rxr); + goto async_event_process_exit; + } + default: +-- +2.51.0 + diff --git a/queue-5.10/hid-quirks-work-around-vid-pid-conflict-for-appledis.patch b/queue-5.10/hid-quirks-work-around-vid-pid-conflict-for-appledis.patch new file mode 100644 index 0000000000..ec929eb3c7 --- /dev/null +++ b/queue-5.10/hid-quirks-work-around-vid-pid-conflict-for-appledis.patch 
@@ -0,0 +1,47 @@ +From 62c4f6b80e47670ab41660ec7d07a76849199f8c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Nov 2025 13:46:41 +0100 +Subject: HID: quirks: work around VID/PID conflict for appledisplay +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: René Rebe + +[ Upstream commit c7fabe4ad9219866c203164a214c474c95b36bf2 ] + +For years I wondered why the Apple Cinema Display driver would not +just work for me. Turns out the hidraw driver instantly takes it +over. Fix by adding appledisplay VID/PIDs to hid_have_special_driver. + +Fixes: 069e8a65cd79 ("Driver for Apple Cinema Display") +Signed-off-by: René Rebe +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-quirks.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c +index ee99f5b3342da..0d15148d52533 100644 +--- a/drivers/hid/hid-quirks.c ++++ b/drivers/hid/hid-quirks.c +@@ -220,6 +220,15 @@ static const struct hid_device_id hid_quirks[] = { + * used as a driver. See hid_scan_report(). + */ + static const struct hid_device_id hid_have_special_driver[] = { ++#if IS_ENABLED(CONFIG_APPLEDISPLAY) ++ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x9218) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x9219) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x921c) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x921d) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x9222) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x9226) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x9236) }, ++#endif + #if IS_ENABLED(CONFIG_HID_A4TECH) + { HID_USB_DEVICE(USB_VENDOR_ID_A4TECH, USB_DEVICE_ID_A4TECH_WCP32PU) }, + { HID_USB_DEVICE(USB_VENDOR_ID_A4TECH, USB_DEVICE_ID_A4TECH_X5_005D) }, +-- +2.51.0 + diff --git a/queue-5.10/inet-ping-fix-icmp-out-counting.patch b/queue-5.10/inet-ping-fix-icmp-out-counting.patch new file mode 100644 index 0000000000..afcbd8a6d2 --- /dev/null 
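Review bot: The seven entries added to hid_have_special_driver[] use bare product IDs (`0x9218` through `0x9236`) while the neighbouring entries use named `USB_DEVICE_ID_*` constants, so nothing in this file ties the list to the driver that is meant to claim these devices. A comment above the block, for example `/* Apple Cinema Display: keep in sync with the appledisplay driver's device ID table */`, would make the coupling visible and explain why generic HID binding is suppressed for them when CONFIG_APPLEDISPLAY is enabled. Named constants would be the more thorough fix, but that is probably out of scope for a stable backport. The array continues outside the hunk.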
+++ b/queue-5.10/inet-ping-fix-icmp-out-counting.patch @@ -0,0 +1,55 @@ +From a4166883a8d0eb393bad0fd89d35fd73d0fd0707 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Dec 2025 14:31:45 +0800 +Subject: inet: ping: Fix icmp out counting + +From: yuan.gao + +[ Upstream commit 4c0856c225b39b1def6c9a6bc56faca79550da13 ] + +When the ping program uses an IPPROTO_ICMP socket to send ICMP_ECHO +messages, ICMP_MIB_OUTMSGS is counted twice. + + ping_v4_sendmsg + ping_v4_push_pending_frames + ip_push_pending_frames + ip_finish_skb + __ip_make_skb + icmp_out_count(net, icmp_type); // first count + icmp_out_count(sock_net(sk), user_icmph.type); // second count + +However, when the ping program uses an IPPROTO_RAW socket, +ICMP_MIB_OUTMSGS is counted correctly only once. + +Therefore, the first count should be removed. + +Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind") +Signed-off-by: yuan.gao +Reviewed-by: Ido Schimmel +Tested-by: Ido Schimmel +Link: https://patch.msgid.link/20251224063145.3615282-1-yuan.gao@ucloud.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/ping.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c +index 1bad851b3fc35..69612770006e2 100644 +--- a/net/ipv4/ping.c ++++ b/net/ipv4/ping.c +@@ -842,10 +842,8 @@ static int ping_v4_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) + out_free: + if (free) + kfree(ipc.opt); +- if (!err) { +- icmp_out_count(sock_net(sk), user_icmph.type); ++ if (!err) + return len; +- } + return err; + + do_confirm: +-- +2.51.0 + diff --git a/queue-5.10/net-mlx5e-don-t-print-error-message-due-to-invalid-m.patch b/queue-5.10/net-mlx5e-don-t-print-error-message-due-to-invalid-m.patch new file mode 100644 index 0000000000..1ae3efcc61 --- /dev/null +++ b/queue-5.10/net-mlx5e-don-t-print-error-message-due-to-invalid-m.patch 
@@ -0,0 +1,50 @@
+From 4a80d214030ae0ea9b91e26b522bee93e25df321 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 25 Dec 2025 15:27:16 +0200
+Subject: net/mlx5e: Don't print error message due to invalid module
+
+From: Gal Pressman
+
+[ Upstream commit 144297e2a24e3e54aee1180ec21120ea38822b97 ]
+
+Dumping module EEPROM on newer modules is supported through the netlink
+interface only.
+
+Querying with old userspace ethtool (or other tools, such as 'lshw')
+which still uses the ioctl interface results in an error message that
+could flood dmesg (in addition to the expected error return value).
+The original message was added under the assumption that the driver
+should be able to handle all module types, but now that such flows are
+easily triggered from userspace, it doesn't serve its purpose.
+
+Change the log level of the print in mlx5_query_module_eeprom() to
+debug.
+
+Fixes: bb64143eee8c ("net/mlx5e: Add ethtool support for dump module EEPROM")
+Signed-off-by: Gal Pressman
+Reviewed-by: Tariq Toukan
+Signed-off-by: Mark Bloch
+Link: https://patch.msgid.link/20251225132717.358820-5-mbloch@nvidia.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/mellanox/mlx5/core/port.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/port.c b/drivers/net/ethernet/mellanox/mlx5/core/port.c
+index 4bb219565c58e..b62c3514ddf14 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/port.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/port.c
+@@ -381,7 +381,8 @@ int mlx5_query_module_eeprom(struct mlx5_core_dev *dev,
+ mlx5_qsfp_eeprom_params_set(&i2c_addr, &page_num, &offset);
+ break;
+ default:
+- mlx5_core_err(dev, "Module ID not recognized: 0x%x\n", module_id);
++ mlx5_core_dbg(dev, "Module ID not recognized: 0x%x\n",
++ module_id);
+ return -EINVAL;
+ }
+
+--
+2.51.0
+
diff --git a/queue-5.10/net-sched-sch_qfq-fix-null-deref-when-deactivating-i.patch b/queue-5.10/net-sched-sch_qfq-fix-null-deref-when-deactivating-i.patch new file mode 100644 index 0000000000..bd1dfd9de5 --- /dev/null +++ b/queue-5.10/net-sched-sch_qfq-fix-null-deref-when-deactivating-i.patch 
@@ -0,0 +1,162 @@ +From f4aededb0e3888475188bf6fd4fa2d0719014557 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jan 2026 20:41:00 -0700 +Subject: net/sched: sch_qfq: Fix NULL deref when deactivating inactive + aggregate in qfq_reset + +From: Xiang Mei + +[ Upstream commit c1d73b1480235731e35c81df70b08f4714a7d095 ] + +`qfq_class->leaf_qdisc->q.qlen > 0` does not imply that the class +itself is active. + +Two qfq_class objects may point to the same leaf_qdisc. This happens +when: + +1. one QFQ qdisc is attached to the dev as the root qdisc, and + +2. another QFQ qdisc is temporarily referenced (e.g., via qdisc_get() +/ qdisc_put()) and is pending to be destroyed, as in function +tc_new_tfilter. + +When packets are enqueued through the root QFQ qdisc, the shared +leaf_qdisc->q.qlen increases. At the same time, the second QFQ +qdisc triggers qdisc_put and qdisc_destroy: the qdisc enters +qfq_reset() with its own q->q.qlen == 0, but its class's leaf +qdisc->q.qlen > 0. Therefore, the qfq_reset would wrongly deactivate +an inactive aggregate and trigger a null-deref in qfq_deactivate_agg: + +[ 0.903172] BUG: kernel NULL pointer dereference, address: 0000000000000000 +[ 0.903571] #PF: supervisor write access in kernel mode +[ 0.903860] #PF: error_code(0x0002) - not-present page +[ 0.904177] PGD 10299b067 P4D 10299b067 PUD 10299c067 PMD 0 +[ 0.904502] Oops: Oops: 0002 [#1] SMP NOPTI +[ 0.904737] CPU: 0 UID: 0 PID: 135 Comm: exploit Not tainted 6.19.0-rc3+ #2 NONE +[ 0.905157] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014 +[ 0.905754] RIP: 0010:qfq_deactivate_agg (include/linux/list.h:992 (discriminator 2) include/linux/list.h:1006 (discriminator 2) net/sched/sch_qfq.c:1367 (discriminator 2) net/sched/sch_qfq.c:1393 (discriminator 2)) +[ 0.906046] Code: 0f 84 4d 01 00 00 48 89 70 18 8b 4b 10 48 c7 c2 ff ff ff ff 48 8b 78 08 48 d3 e2 48 21 f2 48 2b 13 48 8b 30 48 d3 ea 8b 4b 18 0 + +Code 
starting with the faulting instruction +=========================================== + 0: 0f 84 4d 01 00 00 je 0x153 + 6: 48 89 70 18 mov %rsi,0x18(%rax) + a: 8b 4b 10 mov 0x10(%rbx),%ecx + d: 48 c7 c2 ff ff ff ff mov $0xffffffffffffffff,%rdx + 14: 48 8b 78 08 mov 0x8(%rax),%rdi + 18: 48 d3 e2 shl %cl,%rdx + 1b: 48 21 f2 and %rsi,%rdx + 1e: 48 2b 13 sub (%rbx),%rdx + 21: 48 8b 30 mov (%rax),%rsi + 24: 48 d3 ea shr %cl,%rdx + 27: 8b 4b 18 mov 0x18(%rbx),%ecx + ... +[ 0.907095] RSP: 0018:ffffc900004a39a0 EFLAGS: 00010246 +[ 0.907368] RAX: ffff8881043a0880 RBX: ffff888102953340 RCX: 0000000000000000 +[ 0.907723] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 +[ 0.908100] RBP: ffff888102952180 R08: 0000000000000000 R09: 0000000000000000 +[ 0.908451] R10: ffff8881043a0000 R11: 0000000000000000 R12: ffff888102952000 +[ 0.908804] R13: ffff888102952180 R14: ffff8881043a0ad8 R15: ffff8881043a0880 +[ 0.909179] FS: 000000002a1a0380(0000) GS:ffff888196d8d000(0000) knlGS:0000000000000000 +[ 0.909572] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 0.909857] CR2: 0000000000000000 CR3: 0000000102993002 CR4: 0000000000772ef0 +[ 0.910247] PKRU: 55555554 +[ 0.910391] Call Trace: +[ 0.910527] +[ 0.910638] qfq_reset_qdisc (net/sched/sch_qfq.c:357 net/sched/sch_qfq.c:1485) +[ 0.910826] qdisc_reset (include/linux/skbuff.h:2195 include/linux/skbuff.h:2501 include/linux/skbuff.h:3424 include/linux/skbuff.h:3430 net/sched/sch_generic.c:1036) +[ 0.911040] __qdisc_destroy (net/sched/sch_generic.c:1076) +[ 0.911236] tc_new_tfilter (net/sched/cls_api.c:2447) +[ 0.911447] rtnetlink_rcv_msg (net/core/rtnetlink.c:6958) +[ 0.911663] ? __pfx_rtnetlink_rcv_msg (net/core/rtnetlink.c:6861) +[ 0.911894] netlink_rcv_skb (net/netlink/af_netlink.c:2550) +[ 0.912100] netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344) +[ 0.912296] ? 
__alloc_skb (net/core/skbuff.c:706) +[ 0.912484] netlink_sendmsg (net/netlink/af_netlink.c:1894) +[ 0.912682] sock_write_iter (net/socket.c:727 (discriminator 1) net/socket.c:742 (discriminator 1) net/socket.c:1195 (discriminator 1)) +[ 0.912880] vfs_write (fs/read_write.c:593 fs/read_write.c:686) +[ 0.913077] ksys_write (fs/read_write.c:738) +[ 0.913252] do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) +[ 0.913438] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131) +[ 0.913687] RIP: 0033:0x424c34 +[ 0.913844] Code: 89 02 48 c7 c0 ff ff ff ff eb bd 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 80 3d 2d 44 09 00 00 74 13 b8 01 00 00 00 0f 05 9 + +Code starting with the faulting instruction +=========================================== + 0: 89 02 mov %eax,(%rdx) + 2: 48 c7 c0 ff ff ff ff mov $0xffffffffffffffff,%rax + 9: eb bd jmp 0xffffffffffffffc8 + b: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1) + 12: 00 00 00 + 15: 90 nop + 16: f3 0f 1e fa endbr64 + 1a: 80 3d 2d 44 09 00 00 cmpb $0x0,0x9442d(%rip) # 0x9444e + 21: 74 13 je 0x36 + 23: b8 01 00 00 00 mov $0x1,%eax + 28: 0f 05 syscall + 2a: 09 .byte 0x9 +[ 0.914807] RSP: 002b:00007ffea1938b78 EFLAGS: 00000202 ORIG_RAX: 0000000000000001 +[ 0.915197] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000424c34 +[ 0.915556] RDX: 000000000000003c RSI: 000000002af378c0 RDI: 0000000000000003 +[ 0.915912] RBP: 00007ffea1938bc0 R08: 00000000004b8820 R09: 0000000000000000 +[ 0.916297] R10: 0000000000000001 R11: 0000000000000202 R12: 00007ffea1938d28 +[ 0.916652] R13: 00007ffea1938d38 R14: 00000000004b3828 R15: 0000000000000001 +[ 0.917039] +[ 0.917158] Modules linked in: +[ 0.917316] CR2: 0000000000000000 +[ 0.917484] ---[ end trace 0000000000000000 ]--- +[ 0.917717] RIP: 0010:qfq_deactivate_agg (include/linux/list.h:992 (discriminator 2) include/linux/list.h:1006 (discriminator 2) net/sched/sch_qfq.c:1367 (discriminator 2) 
net/sched/sch_qfq.c:1393 (discriminator 2)) +[ 0.917978] Code: 0f 84 4d 01 00 00 48 89 70 18 8b 4b 10 48 c7 c2 ff ff ff ff 48 8b 78 08 48 d3 e2 48 21 f2 48 2b 13 48 8b 30 48 d3 ea 8b 4b 18 0 + +Code starting with the faulting instruction +=========================================== + 0: 0f 84 4d 01 00 00 je 0x153 + 6: 48 89 70 18 mov %rsi,0x18(%rax) + a: 8b 4b 10 mov 0x10(%rbx),%ecx + d: 48 c7 c2 ff ff ff ff mov $0xffffffffffffffff,%rdx + 14: 48 8b 78 08 mov 0x8(%rax),%rdi + 18: 48 d3 e2 shl %cl,%rdx + 1b: 48 21 f2 and %rsi,%rdx + 1e: 48 2b 13 sub (%rbx),%rdx + 21: 48 8b 30 mov (%rax),%rsi + 24: 48 d3 ea shr %cl,%rdx + 27: 8b 4b 18 mov 0x18(%rbx),%ecx + ... +[ 0.918902] RSP: 0018:ffffc900004a39a0 EFLAGS: 00010246 +[ 0.919198] RAX: ffff8881043a0880 RBX: ffff888102953340 RCX: 0000000000000000 +[ 0.919559] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 +[ 0.919908] RBP: ffff888102952180 R08: 0000000000000000 R09: 0000000000000000 +[ 0.920289] R10: ffff8881043a0000 R11: 0000000000000000 R12: ffff888102952000 +[ 0.920648] R13: ffff888102952180 R14: ffff8881043a0ad8 R15: ffff8881043a0880 +[ 0.921014] FS: 000000002a1a0380(0000) GS:ffff888196d8d000(0000) knlGS:0000000000000000 +[ 0.921424] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 0.921710] CR2: 0000000000000000 CR3: 0000000102993002 CR4: 0000000000772ef0 +[ 0.922097] PKRU: 55555554 +[ 0.922240] Kernel panic - not syncing: Fatal exception +[ 0.922590] Kernel Offset: disabled + +Fixes: 0545a3037773 ("pkt_sched: QFQ - quick fair queue scheduler") +Signed-off-by: Xiang Mei +Link: https://patch.msgid.link/20260106034100.1780779-1-xmei5@asu.edu +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_qfq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c +index 3d793ace2b5bf..34a6c4ec9a157 100644 +--- a/net/sched/sch_qfq.c ++++ b/net/sched/sch_qfq.c +@@ -1490,7 +1490,7 @@ static void qfq_reset_qdisc(struct Qdisc 
*sch) + + for (i = 0; i < q->clhash.hashsize; i++) { + hlist_for_each_entry(cl, &q->clhash.hash[i], common.hnode) { +- if (cl->qdisc->q.qlen > 0) ++ if (cl_is_active(cl)) + qfq_deactivate_class(q, cl); + + qdisc_reset(cl->qdisc); +-- +2.51.0 + diff --git a/queue-5.10/net-sock-fix-hardened-usercopy-panic-in-sock_recv_er.patch b/queue-5.10/net-sock-fix-hardened-usercopy-panic-in-sock_recv_er.patch new file mode 100644 index 0000000000..4423bfb8ca --- /dev/null +++ b/queue-5.10/net-sock-fix-hardened-usercopy-panic-in-sock_recv_er.patch 
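Review bot: The one-line fix in qfq_reset_qdisc() calls `cl_is_active(cl)`, but neither this patch nor any other patch listed for queue-5.10 in this commit defines that helper. If the 5.10 tree does not already carry it, the backport will not build and the NULL dereference described in the commit message stays unfixed on that branch; a prerequisite marked `Stable-dep-of:`, as done here for the bnxt reset-helper patch, would then be needed. Please confirm the helper is present in 5.10 before this is queued. The loop body continues outside the hunk.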
@@ -0,0 +1,114 @@ +From 46c458c2af8b79d14a42a5978652132a5c3f13ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Dec 2025 04:35:35 +0800 +Subject: net: sock: fix hardened usercopy panic in sock_recv_errqueue + +From: Weiming Shi + +[ Upstream commit 2a71a1a8d0ed718b1c7a9ac61f07e5755c47ae20 ] + +skbuff_fclone_cache was created without defining a usercopy region, +[1] unlike skbuff_head_cache which properly whitelists the cb[] field. +[2] This causes a usercopy BUG() when CONFIG_HARDENED_USERCOPY is +enabled and the kernel attempts to copy sk_buff.cb data to userspace +via sock_recv_errqueue() -> put_cmsg(). + +The crash occurs when: 1. TCP allocates an skb using alloc_skb_fclone() + (from skbuff_fclone_cache) [1] +2. The skb is cloned via skb_clone() using the pre-allocated fclone +[3] 3. The cloned skb is queued to sk_error_queue for timestamp +reporting 4. Userspace reads the error queue via recvmsg(MSG_ERRQUEUE) +5. sock_recv_errqueue() calls put_cmsg() to copy serr->ee from skb->cb +[4] 6. __check_heap_object() fails because skbuff_fclone_cache has no + usercopy whitelist [5] + +When cloned skbs allocated from skbuff_fclone_cache are used in the +socket error queue, accessing the sock_exterr_skb structure in skb->cb +via put_cmsg() triggers a usercopy hardening violation: + +[ 5.379589] usercopy: Kernel memory exposure attempt detected from SLUB object 'skbuff_fclone_cache' (offset 296, size 16)! +[ 5.382796] kernel BUG at mm/usercopy.c:102! 
+[ 5.383923] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI +[ 5.384903] CPU: 1 UID: 0 PID: 138 Comm: poc_put_cmsg Not tainted 6.12.57 #7 +[ 5.384903] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 +[ 5.384903] RIP: 0010:usercopy_abort+0x6c/0x80 +[ 5.384903] Code: 1a 86 51 48 c7 c2 40 15 1a 86 41 52 48 c7 c7 c0 15 1a 86 48 0f 45 d6 48 c7 c6 80 15 1a 86 48 89 c1 49 0f 45 f3 e8 84 27 88 ff <0f> 0b 490 +[ 5.384903] RSP: 0018:ffffc900006f77a8 EFLAGS: 00010246 +[ 5.384903] RAX: 000000000000006f RBX: ffff88800f0ad2a8 RCX: 1ffffffff0f72e74 +[ 5.384903] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff87b973a0 +[ 5.384903] RBP: 0000000000000010 R08: 0000000000000000 R09: fffffbfff0f72e74 +[ 5.384903] R10: 0000000000000003 R11: 79706f6372657375 R12: 0000000000000001 +[ 5.384903] R13: ffff88800f0ad2b8 R14: ffffea00003c2b40 R15: ffffea00003c2b00 +[ 5.384903] FS: 0000000011bc4380(0000) GS:ffff8880bf100000(0000) knlGS:0000000000000000 +[ 5.384903] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 5.384903] CR2: 000056aa3b8e5fe4 CR3: 000000000ea26004 CR4: 0000000000770ef0 +[ 5.384903] PKRU: 55555554 +[ 5.384903] Call Trace: +[ 5.384903] +[ 5.384903] __check_heap_object+0x9a/0xd0 +[ 5.384903] __check_object_size+0x46c/0x690 +[ 5.384903] put_cmsg+0x129/0x5e0 +[ 5.384903] sock_recv_errqueue+0x22f/0x380 +[ 5.384903] tls_sw_recvmsg+0x7ed/0x1960 +[ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5 +[ 5.384903] ? schedule+0x6d/0x270 +[ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5 +[ 5.384903] ? mutex_unlock+0x81/0xd0 +[ 5.384903] ? __pfx_mutex_unlock+0x10/0x10 +[ 5.384903] ? __pfx_tls_sw_recvmsg+0x10/0x10 +[ 5.384903] ? _raw_spin_lock_irqsave+0x8f/0xf0 +[ 5.384903] ? _raw_read_unlock_irqrestore+0x20/0x40 +[ 5.384903] ? 
srso_alias_return_thunk+0x5/0xfbef5 + +The crash offset 296 corresponds to skb2->cb within skbuff_fclones: + - sizeof(struct sk_buff) = 232 - offsetof(struct sk_buff, cb) = 40 - + offset of skb2.cb in fclones = 232 + 40 = 272 - crash offset 296 = + 272 + 24 (inside sock_exterr_skb.ee) + +This patch uses a local stack variable as a bounce buffer to avoid the hardened usercopy check failure. + +[1] https://elixir.bootlin.com/linux/v6.12.62/source/net/ipv4/tcp.c#L885 +[2] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5104 +[3] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5566 +[4] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5491 +[5] https://elixir.bootlin.com/linux/v6.12.62/source/mm/slub.c#L5719 + +Fixes: 6d07d1cd300f ("usercopy: Restrict non-usercopy caches to size 0") +Reported-by: Xiang Mei +Signed-off-by: Weiming Shi +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20251223203534.1392218-2-bestswngs@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/sock.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/core/sock.c b/net/core/sock.c +index 6c93381cf0bdf..963ea323362ad 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -3226,7 +3226,7 @@ void sock_enable_timestamp(struct sock *sk, enum sock_flags flag) + int sock_recv_errqueue(struct sock *sk, struct msghdr *msg, int len, + int level, int type) + { +- struct sock_exterr_skb *serr; ++ struct sock_extended_err ee; + struct sk_buff *skb; + int copied, err; + +@@ -3246,8 +3246,9 @@ int sock_recv_errqueue(struct sock *sk, struct msghdr *msg, int len, + + sock_recv_timestamp(msg, sk, skb); + +- serr = SKB_EXT_ERR(skb); +- put_cmsg(msg, level, type, sizeof(serr->ee), &serr->ee); ++ /* We must use a bounce buffer for CONFIG_HARDENED_USERCOPY=y */ ++ ee = SKB_EXT_ERR(skb)->ee; ++ put_cmsg(msg, level, type, sizeof(ee), &ee); + + msg->msg_flags |= MSG_ERRQUEUE; + err = 
copied; +-- +2.51.0 + diff --git a/queue-5.10/net-usb-pegasus-fix-memory-leak-in-update_eth_regs_a.patch b/queue-5.10/net-usb-pegasus-fix-memory-leak-in-update_eth_regs_a.patch new file mode 100644 index 0000000000..57462897e9 --- /dev/null +++ b/queue-5.10/net-usb-pegasus-fix-memory-leak-in-update_eth_regs_a.patch @@ -0,0 +1,37 @@ +From e3d41f35738fab35a7cfc6ab3ace5ac87126c4a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Jan 2026 10:48:21 +0200 +Subject: net: usb: pegasus: fix memory leak in update_eth_regs_async() + +From: Petko Manolov + +[ Upstream commit afa27621a28af317523e0836dad430bec551eb54 ] + +When asynchronously writing to the device registers and if usb_submit_urb() +fail, the code fail to release allocated to this point resources. + +Fixes: 323b34963d11 ("drivers: net: usb: pegasus: fix control urb submission") +Signed-off-by: Petko Manolov +Link: https://patch.msgid.link/20260106084821.3746677-1-petko.manolov@konsulko.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/pegasus.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/usb/pegasus.c b/drivers/net/usb/pegasus.c +index 138279bbb544b..e3ddb990dc543 100644 +--- a/drivers/net/usb/pegasus.c ++++ b/drivers/net/usb/pegasus.c +@@ -193,6 +193,8 @@ static int update_eth_regs_async(pegasus_t *pegasus) + netif_device_detach(pegasus->net); + netif_err(pegasus, drv, pegasus->net, + "%s returned %d\n", __func__, ret); ++ usb_free_urb(async_urb); ++ kfree(req); + } + return ret; + } +-- +2.51.0 + diff --git a/queue-5.10/netdev-preserve-netif_f_all_for_all-across-tso-updat.patch b/queue-5.10/netdev-preserve-netif_f_all_for_all-across-tso-updat.patch new file mode 100644 index 0000000000..f4e356bbfd --- /dev/null +++ b/queue-5.10/netdev-preserve-netif_f_all_for_all-across-tso-updat.patch 
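Review bot: The new comment in sock_recv_errqueue(), `We must use a bounce buffer for CONFIG_HARDENED_USERCOPY=y`, does not say what is being bounced or why, which makes the stack copy look like something a later cleanup could remove. Going by the commit message, the skb may come from skbuff_fclone_cache, which has no usercopy region, so I would write `/* skb->cb may live in skbuff_fclone_cache, which has no usercopy whitelist: copy ee to the stack before put_cmsg(). */`. Because `ee` is filled by struct assignment and then copied out in full, it also matters that the struct has no padding; the 16-byte copy size in the quoted log suggests that holds today, but that is an inference and not something the hunk shows. The function body continues outside the hunk.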
@@ -0,0 +1,43 @@ +From 8a21fbac7d2a39b023eb4cf3a544f2ba5d99387a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Dec 2025 09:22:24 +0800 +Subject: netdev: preserve NETIF_F_ALL_FOR_ALL across TSO updates + +From: Di Zhu + +[ Upstream commit 02d1e1a3f9239cdb3ecf2c6d365fb959d1bf39df ] + +Directly increment the TSO features incurs a side effect: it will also +directly clear the flags in NETIF_F_ALL_FOR_ALL on the master device, +which can cause issues such as the inability to enable the nocache copy +feature on the bonding driver. + +The fix is to include NETIF_F_ALL_FOR_ALL in the update mask, thereby +preventing it from being cleared. + +Fixes: b0ce3508b25e ("bonding: allow TSO being set on bonding master") +Signed-off-by: Di Zhu +Link: https://patch.msgid.link/20251224012224.56185-1-zhud@hygon.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/linux/netdevice.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h +index c9f2a88a6c83e..934ecac171ccb 100644 +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -4894,7 +4894,8 @@ netdev_features_t netdev_increment_features(netdev_features_t all, + static inline netdev_features_t netdev_add_tso_features(netdev_features_t features, + netdev_features_t mask) + { +- return netdev_increment_features(features, NETIF_F_ALL_TSO, mask); ++ return netdev_increment_features(features, NETIF_F_ALL_TSO | ++ NETIF_F_ALL_FOR_ALL, mask); + } + + int __netdev_update_features(struct net_device *dev); +-- +2.51.0 + diff --git a/queue-5.10/netfilter-nf_conncount-update-last_gc-only-when-gc-h.patch b/queue-5.10/netfilter-nf_conncount-update-last_gc-only-when-gc-h.patch new file mode 100644 index 0000000000..0a9c4e0336 --- /dev/null +++ b/queue-5.10/netfilter-nf_conncount-update-last_gc-only-when-gc-h.patch 
@@ -0,0 +1,48 @@ +From 12cb49a5aa40d8fde99f00b5fb95bf50da42a90c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Dec 2025 15:46:40 +0100 +Subject: netfilter: nf_conncount: update last_gc only when GC has been + performed + +From: Fernando Fernandez Mancera + +[ Upstream commit 7811ba452402d58628e68faedf38745b3d485e3c ] + +Currently last_gc is being updated everytime a new connection is +tracked, that means that it is updated even if a GC wasn't performed. +With a sufficiently high packet rate, it is possible to always bypass +the GC, causing the list to grow infinitely. + +Update the last_gc value only when a GC has been actually performed. + +Fixes: d265929930e2 ("netfilter: nf_conncount: reduce unnecessary GC") +Signed-off-by: Fernando Fernandez Mancera +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conncount.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c +index c00b8e522c5a7..a2c5a7ba0c6fc 100644 +--- a/net/netfilter/nf_conncount.c ++++ b/net/netfilter/nf_conncount.c +@@ -229,6 +229,7 @@ static int __nf_conncount_add(struct net *net, + + nf_ct_put(found_ct); + } ++ list->last_gc = (u32)jiffies; + + add_new_node: + if (WARN_ON_ONCE(list->count > INT_MAX)) { +@@ -248,7 +249,6 @@ static int __nf_conncount_add(struct net *net, + conn->jiffies32 = (u32)jiffies; + list_add_tail(&conn->node, &list->head); + list->count++; +- list->last_gc = (u32)jiffies; + + out_put: + if (refcounted) +-- +2.51.0 + diff --git a/queue-5.10/netfilter-nft_synproxy-avoid-possible-data-race-on-u.patch b/queue-5.10/netfilter-nft_synproxy-avoid-possible-data-race-on-u.patch new file mode 100644 index 0000000000..a4ba7a6236 --- /dev/null +++ b/queue-5.10/netfilter-nft_synproxy-avoid-possible-data-race-on-u.patch 
@@ -0,0 +1,55 @@ +From be5f9053e8de84b294bf60adbbb9298ff8809459 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Dec 2025 21:21:59 +0100 +Subject: netfilter: nft_synproxy: avoid possible data-race on update operation + +From: Fernando Fernandez Mancera + +[ Upstream commit 36a3200575642846a96436d503d46544533bb943 ] + +During nft_synproxy eval we are reading nf_synproxy_info struct which +can be modified on update operation concurrently. As nf_synproxy_info +struct fits in 32 bits, use READ_ONCE/WRITE_ONCE annotations. + +Fixes: ee394f96ad75 ("netfilter: nft_synproxy: add synproxy stateful object support") +Signed-off-by: Fernando Fernandez Mancera +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_synproxy.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/netfilter/nft_synproxy.c b/net/netfilter/nft_synproxy.c +index 0806813d3a767..46d2eefb0b218 100644 +--- a/net/netfilter/nft_synproxy.c ++++ b/net/netfilter/nft_synproxy.c +@@ -48,7 +48,7 @@ static void nft_synproxy_eval_v4(const struct nft_synproxy *priv, + struct tcphdr *_tcph, + struct synproxy_options *opts) + { +- struct nf_synproxy_info info = priv->info; ++ struct nf_synproxy_info info = READ_ONCE(priv->info); + struct net *net = nft_net(pkt); + struct synproxy_net *snet = synproxy_pernet(net); + struct sk_buff *skb = pkt->skb; +@@ -79,7 +79,7 @@ static void nft_synproxy_eval_v6(const struct nft_synproxy *priv, + struct tcphdr *_tcph, + struct synproxy_options *opts) + { +- struct nf_synproxy_info info = priv->info; ++ struct nf_synproxy_info info = READ_ONCE(priv->info); + struct net *net = nft_net(pkt); + struct synproxy_net *snet = synproxy_pernet(net); + struct sk_buff *skb = pkt->skb; +@@ -339,7 +339,7 @@ static void nft_synproxy_obj_update(struct nft_object *obj, + struct nft_synproxy *newpriv = nft_obj_data(newobj); + struct nft_synproxy *priv = nft_obj_data(obj); + +- priv->info = newpriv->info; ++ WRITE_ONCE(priv->info, 
newpriv->info); + } + + static struct nft_object_type nft_synproxy_obj_type; +-- +2.51.0 + diff --git a/queue-5.10/series b/queue-5.10/series index 7e6ac9adca..7f77bb5df4 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -431,3 +431,17 @@ nfsv4-ensure-the-open-stateid-seqid-doesn-t-go-backw.patch nfs-fix-up-the-automount-fs_context-to-use-the-corre.patch scsi-ipr-enable-disable-irqd_no_balancing-during-res.patch scsi-revert-scsi-libsas-fix-exp-attached-device-scan.patch +arm-dts-imx6q-ba16-fix-rtc-interrupt-level.patch +netfilter-nft_synproxy-avoid-possible-data-race-on-u.patch +netfilter-nf_conncount-update-last_gc-only-when-gc-h.patch +bridge-fix-c-vlan-preservation-in-802.1ad-vlan_tunne.patch +inet-ping-fix-icmp-out-counting.patch +net-sock-fix-hardened-usercopy-panic-in-sock_recv_er.patch +netdev-preserve-netif_f_all_for_all-across-tso-updat.patch +net-mlx5e-don-t-print-error-message-due-to-invalid-m.patch +eth-bnxt-move-and-rename-reset-helpers.patch +bnxt_en-fix-potential-data-corruption-with-hw-gro-lr.patch +hid-quirks-work-around-vid-pid-conflict-for-appledis.patch +net-sched-sch_qfq-fix-null-deref-when-deactivating-i.patch +net-usb-pegasus-fix-memory-leak-in-update_eth_regs_a.patch +arp-do-not-assume-dev_hard_header-does-not-change-sk.patch diff --git a/queue-5.15/arm-dts-imx6q-ba16-fix-rtc-interrupt-level.patch b/queue-5.15/arm-dts-imx6q-ba16-fix-rtc-interrupt-level.patch new file mode 100644 index 0000000000..40ea144f19 --- /dev/null +++ b/queue-5.15/arm-dts-imx6q-ba16-fix-rtc-interrupt-level.patch 
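Review bot: The three changed sites (`READ_ONCE(priv->info)` in nft_synproxy_eval_v4 and nft_synproxy_eval_v6, `WRITE_ONCE(priv->info, newpriv->info)` in nft_synproxy_obj_update) are only tear-free while struct nf_synproxy_info stays word-sized, and that assumption is stated in the commit message but not in the code. I would record it next to the writer, e.g. `/* info is 32 bits wide: one store here pairs with READ_ONCE() in the eval paths */`, so a later field added to the struct is questioned in review rather than quietly reintroducing the race. All three functions begin and end outside their hunks, so whether the eval paths read priv->info again further down cannot be checked from here.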
@@ -0,0 +1,40 @@
+From 6831a40624109e2ca70ae09f874707a466e607bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 1 Dec 2025 11:56:05 +0200
+Subject: ARM: dts: imx6q-ba16: fix RTC interrupt level
+
+From: Ian Ray
+
+[ Upstream commit e6a4eedd49ce27c16a80506c66a04707e0ee0116 ]
+
+RTC interrupt level should be set to "LOW". This was revealed by the
+introduction of commit:
+
+ f181987ef477 ("rtc: m41t80: use IRQ flags obtained from fwnode")
+
+which changed the way IRQ type is obtained.
+
+Fixes: 56c27310c1b4 ("ARM: dts: imx: Add Advantech BA-16 Qseven module")
+Signed-off-by: Ian Ray
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/imx6q-ba16.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/imx6q-ba16.dtsi b/arch/arm/boot/dts/imx6q-ba16.dtsi
+index f266f1b7e0cfc..0c033e69ecc04 100644
+--- a/arch/arm/boot/dts/imx6q-ba16.dtsi
++++ b/arch/arm/boot/dts/imx6q-ba16.dtsi
+@@ -335,7 +335,7 @@ rtc@32 {
+ pinctrl-0 = <&pinctrl_rtc>;
+ reg = <0x32>;
+ interrupt-parent = <&gpio4>;
+- interrupts = <10 IRQ_TYPE_LEVEL_HIGH>;
++ interrupts = <10 IRQ_TYPE_LEVEL_LOW>;
+ };
+ };
+
+--
+2.51.0
+
diff --git a/queue-5.15/arm64-dts-add-off-on-delay-us-for-usdhc2-regulator.patch b/queue-5.15/arm64-dts-add-off-on-delay-us-for-usdhc2-regulator.patch
new file mode 100644
index 0000000000..ee6a042a2a
--- /dev/null
+++ b/queue-5.15/arm64-dts-add-off-on-delay-us-for-usdhc2-regulator.patch
@@ -0,0 +1,41 @@
+From bd8027fac0a636ee75d358332811215037452d85 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Nov 2025 11:22:40 +0800
+Subject: arm64: dts: add off-on-delay-us for usdhc2 regulator
+
+From: Haibo Chen
+
+[ Upstream commit ca643894a37a25713029b36cfe7d1bae515cac08 ]
+
+For SD card, according to the spec requirement, for sd card power reset
+operation, it need sd card supply voltage to be lower than 0.5v and keep
+over 1ms, otherwise, next time power back the sd card supply voltage to
+3.3v, sd card can't support SD3.0 mode again.
+
+To match such requirement on imx8qm-mek board, add 4.8ms delay between
+sd power off and power on.
+
+Fixes: 307fd14d4b14 ("arm64: dts: imx: add imx8qm mek support")
+Reviewed-by: Frank Li
+Signed-off-by: Haibo Chen
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/freescale/imx8qm-mek.dts | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8qm-mek.dts b/arch/arm64/boot/dts/freescale/imx8qm-mek.dts
+index 470e4e4aa8c78..059f8c0ab93d9 100644
+--- a/arch/arm64/boot/dts/freescale/imx8qm-mek.dts
++++ b/arch/arm64/boot/dts/freescale/imx8qm-mek.dts
+@@ -34,6 +34,7 @@ reg_usdhc2_vmmc: usdhc2-vmmc {
+ regulator-max-microvolt = <3000000>;
+ gpio = <&lsio_gpio4 7 GPIO_ACTIVE_HIGH>;
+ enable-active-high;
++ off-on-delay-us = <4800>;
+ };
+ };
+
+--
+2.51.0
+
diff --git a/queue-5.15/arp-do-not-assume-dev_hard_header-does-not-change-sk.patch b/queue-5.15/arp-do-not-assume-dev_hard_header-does-not-change-sk.patch
new file mode 100644
index 0000000000..905b212cc4
--- /dev/null
+++ b/queue-5.15/arp-do-not-assume-dev_hard_header-does-not-change-sk.patch
@@ -0,0 +1,58 @@ +From bc0b3b19633cfd208732fc1d7106c00da7c7a5bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jan 2026 21:22:50 +0000 +Subject: arp: do not assume dev_hard_header() does not change skb->head + +From: Eric Dumazet + +[ Upstream commit c92510f5e3f82ba11c95991824a41e59a9c5ed81 ] + +arp_create() is the only dev_hard_header() caller +making assumption about skb->head being unchanged. + +A recent commit broke this assumption. + +Initialize @arp pointer after dev_hard_header() call. + +Fixes: db5b4e39c4e6 ("ip6_gre: make ip6gre_header() robust") +Reported-by: syzbot+58b44a770a1585795351@syzkaller.appspotmail.com +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20260107212250.384552-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/arp.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c +index ef69321886798..5a76164980344 100644 +--- a/net/ipv4/arp.c ++++ b/net/ipv4/arp.c +@@ -542,7 +542,7 @@ struct sk_buff *arp_create(int type, int ptype, __be32 dest_ip, + + skb_reserve(skb, hlen); + skb_reset_network_header(skb); +- arp = skb_put(skb, arp_hdr_len(dev)); ++ skb_put(skb, arp_hdr_len(dev)); + skb->dev = dev; + skb->protocol = htons(ETH_P_ARP); + if (!src_hw) +@@ -550,12 +550,13 @@ struct sk_buff *arp_create(int type, int ptype, __be32 dest_ip, + if (!dest_hw) + dest_hw = dev->broadcast; + +- /* +- * Fill the device header for the ARP frame ++ /* Fill the device header for the ARP frame. ++ * Note: skb->head can be changed. + */ + if (dev_hard_header(skb, dev, ptype, dest_hw, src_hw, skb->len) < 0) + goto out; + ++ arp = arp_hdr(skb); + /* + * Fill out the arp protocol part. + * +-- +2.51.0 + diff --git a/queue-5.15/bnxt_en-fix-potential-data-corruption-with-hw-gro-lr.patch b/queue-5.15/bnxt_en-fix-potential-data-corruption-with-hw-gro-lr.patch new file mode 100644 index 0000000000..fa4f7d7d1e --- /dev/null 
+++ b/queue-5.15/bnxt_en-fix-potential-data-corruption-with-hw-gro-lr.patch 
@@ -0,0 +1,88 @@ +From 920a281106a803876690e6adc5222ca484ab6f1b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Dec 2025 00:36:25 -0800 +Subject: bnxt_en: Fix potential data corruption with HW GRO/LRO + +From: Srijit Bose + +[ Upstream commit ffeafa65b2b26df2f5b5a6118d3174f17bd12ec5 ] + +Fix the max number of bits passed to find_first_zero_bit() in +bnxt_alloc_agg_idx(). We were incorrectly passing the number of +long words. find_first_zero_bit() may fail to find a zero bit and +cause a wrong ID to be used. If the wrong ID is already in use, this +can cause data corruption. Sometimes an error like this can also be +seen: + +bnxt_en 0000:83:00.0 enp131s0np0: TPA end agg_buf 2 != expected agg_bufs 1 + +Fix it by passing the correct number of bits MAX_TPA_P5. Use +DECLARE_BITMAP() to more cleanly define the bitmap. Add a sanity +check to warn if a bit cannot be found and reset the ring [MChan]. + +Fixes: ec4d8e7cf024 ("bnxt_en: Add TPA ID mapping logic for 57500 chips.") +Reviewed-by: Ray Jui +Signed-off-by: Srijit Bose +Signed-off-by: Michael Chan +Reviewed-by: Vadim Fedorenko +Link: https://patch.msgid.link/20251231083625.3911652-1-michael.chan@broadcom.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 15 ++++++++++++--- + drivers/net/ethernet/broadcom/bnxt/bnxt.h | 4 +--- + 2 files changed, 13 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index 90719916184db..74344722d63d1 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -1264,9 +1264,11 @@ static u16 bnxt_alloc_agg_idx(struct bnxt_rx_ring_info *rxr, u16 agg_id) + struct bnxt_tpa_idx_map *map = rxr->rx_tpa_idx_map; + u16 idx = agg_id & MAX_TPA_P5_MASK; + +- if (test_bit(idx, map->agg_idx_bmap)) +- idx = find_first_zero_bit(map->agg_idx_bmap, +- BNXT_AGG_IDX_BMAP_SIZE); ++ if (test_bit(idx, 
map->agg_idx_bmap)) { ++ idx = find_first_zero_bit(map->agg_idx_bmap, MAX_TPA_P5); ++ if (idx >= MAX_TPA_P5) ++ return INVALID_HW_RING_ID; ++ } + __set_bit(idx, map->agg_idx_bmap); + map->agg_id_tbl[agg_id] = idx; + return idx; +@@ -1299,6 +1301,13 @@ static void bnxt_tpa_start(struct bnxt *bp, struct bnxt_rx_ring_info *rxr, + if (bp->flags & BNXT_FLAG_CHIP_P5) { + agg_id = TPA_START_AGG_ID_P5(tpa_start); + agg_id = bnxt_alloc_agg_idx(rxr, agg_id); ++ if (unlikely(agg_id == INVALID_HW_RING_ID)) { ++ netdev_warn(bp->dev, "Unable to allocate agg ID for ring %d, agg 0x%x\n", ++ rxr->bnapi->index, ++ TPA_START_AGG_ID_P5(tpa_start)); ++ bnxt_sched_reset_rxr(bp, rxr); ++ return; ++ } + } else { + agg_id = TPA_START_AGG_ID(tpa_start); + } +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.h b/drivers/net/ethernet/broadcom/bnxt/bnxt.h +index ae4695fc067d5..56aae0d654e8a 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h +@@ -872,11 +872,9 @@ struct bnxt_tpa_info { + struct rx_agg_cmp *agg_arr; + }; + +-#define BNXT_AGG_IDX_BMAP_SIZE (MAX_TPA_P5 / BITS_PER_LONG) +- + struct bnxt_tpa_idx_map { + u16 agg_id_tbl[1024]; +- unsigned long agg_idx_bmap[BNXT_AGG_IDX_BMAP_SIZE]; ++ DECLARE_BITMAP(agg_idx_bmap, MAX_TPA_P5); + }; + + struct bnxt_rx_ring_info { +-- +2.51.0 + diff --git a/queue-5.15/bridge-fix-c-vlan-preservation-in-802.1ad-vlan_tunne.patch b/queue-5.15/bridge-fix-c-vlan-preservation-in-802.1ad-vlan_tunne.patch new file mode 100644 index 0000000000..04b1a834d7 --- /dev/null +++ b/queue-5.15/bridge-fix-c-vlan-preservation-in-802.1ad-vlan_tunne.patch 
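Review bot: bnxt_alloc_agg_idx() now has a failure return, but nothing at the function says so: `INVALID_HW_RING_ID` comes back through the same u16 that otherwise carries a valid bitmap index, so a caller that skips the check would presumably use it to index per-ring TPA state. A short comment above the function would make the contract explicit, e.g. `/* Returns the allocated TPA index, or INVALID_HW_RING_ID when agg_idx_bmap is full; callers must check. */`. The caller visible here, bnxt_tpa_start(), does check and schedules a ring reset; any other caller outside these hunks needs the same test. Both function bodies extend beyond the hunks shown.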
@@ -0,0 +1,75 @@ +From 9f311baaf054db58126358aa11c0440ea59c0f37 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Dec 2025 03:00:57 +0100 +Subject: bridge: fix C-VLAN preservation in 802.1ad vlan_tunnel egress + +From: Alexandre Knecht + +[ Upstream commit 3128df6be147768fe536986fbb85db1d37806a9f ] + +When using an 802.1ad bridge with vlan_tunnel, the C-VLAN tag is +incorrectly stripped from frames during egress processing. + +br_handle_egress_vlan_tunnel() uses skb_vlan_pop() to remove the S-VLAN +from hwaccel before VXLAN encapsulation. However, skb_vlan_pop() also +moves any "next" VLAN from the payload into hwaccel: + + /* move next vlan tag to hw accel tag */ + __skb_vlan_pop(skb, &vlan_tci); + __vlan_hwaccel_put_tag(skb, vlan_proto, vlan_tci); + +For QinQ frames where the C-VLAN sits in the payload, this moves it to +hwaccel where it gets lost during VXLAN encapsulation. + +Fix by calling __vlan_hwaccel_clear_tag() directly, which clears only +the hwaccel S-VLAN and leaves the payload untouched. + +This path is only taken when vlan_tunnel is enabled and tunnel_info +is configured, so 802.1Q bridges are unaffected. + +Tested with 802.1ad bridge + VXLAN vlan_tunnel, verified C-VLAN +preserved in VXLAN payload via tcpdump. 
+ +Fixes: 11538d039ac6 ("bridge: vlan dst_metadata hooks in ingress and egress paths") +Signed-off-by: Alexandre Knecht +Reviewed-by: Ido Schimmel +Acked-by: Nikolay Aleksandrov +Link: https://patch.msgid.link/20251228020057.2788865-1-knecht.alexandre@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/bridge/br_vlan_tunnel.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/net/bridge/br_vlan_tunnel.c b/net/bridge/br_vlan_tunnel.c +index 6399a8a69d076..0f03572d89d09 100644 +--- a/net/bridge/br_vlan_tunnel.c ++++ b/net/bridge/br_vlan_tunnel.c +@@ -187,7 +187,6 @@ int br_handle_egress_vlan_tunnel(struct sk_buff *skb, + { + struct metadata_dst *tunnel_dst; + __be64 tunnel_id; +- int err; + + if (!vlan) + return 0; +@@ -197,9 +196,13 @@ int br_handle_egress_vlan_tunnel(struct sk_buff *skb, + return 0; + + skb_dst_drop(skb); +- err = skb_vlan_pop(skb); +- if (err) +- return err; ++ /* For 802.1ad (QinQ), skb_vlan_pop() incorrectly moves the C-VLAN ++ * from payload to hwaccel after clearing S-VLAN. We only need to ++ * clear the hwaccel S-VLAN; the C-VLAN must stay in payload for ++ * correct VXLAN encapsulation. This is also correct for 802.1Q ++ * where no C-VLAN exists in payload. ++ */ ++ __vlan_hwaccel_clear_tag(skb); + + tunnel_dst = rcu_dereference(vlan->tinfo.tunnel_dst); + if (tunnel_dst && dst_hold_safe(&tunnel_dst->dst)) +-- +2.51.0 + diff --git a/queue-5.15/eth-bnxt-move-and-rename-reset-helpers.patch b/queue-5.15/eth-bnxt-move-and-rename-reset-helpers.patch new file mode 100644 index 0000000000..4ef975fdc3 --- /dev/null +++ b/queue-5.15/eth-bnxt-move-and-rename-reset-helpers.patch 
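Review bot: `__vlan_hwaccel_clear_tag(skb)` only drops a tag held in the hwaccel slot, and the new comment explains the QinQ case but not why the outer tag is guaranteed to be there when br_handle_egress_vlan_tunnel() runs. As far as I know the removed skb_vlan_pop() also handled an outer tag carried in the payload and could return an error, so the change silently narrows what this path accepts. If the invariant holds on every path into this function, which cannot be confirmed from this hunk, one more comment line would record it, e.g. `* The S-VLAN is always in hwaccel here (set on bridge ingress).`; otherwise a frame with the S-VLAN in its payload would now be encapsulated with that tag still present. The function starts and ends outside the hunk.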
@@ -0,0 +1,145 @@ +From 219494c191eae84237e4ff72a7fa91efd3f19250 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 18:04:38 -0700 +Subject: eth: bnxt: move and rename reset helpers + +From: Jakub Kicinski + +[ Upstream commit fea2993aecd74d5d11ede1ebbd60e478ebfed996 ] + +Move the reset helpers, subsequent patches will need some +of them on the Tx path. + +While at it rename bnxt_sched_reset(), on more recent chips +it schedules a queue reset, instead of a fuller reset. + +Link: https://lore.kernel.org/r/20230720010440.1967136-2-kuba@kernel.org +Reviewed-by: Michael Chan +Signed-off-by: Jakub Kicinski +Stable-dep-of: ffeafa65b2b2 ("bnxt_en: Fix potential data corruption with HW GRO/LRO") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 72 +++++++++++------------ + 1 file changed, 36 insertions(+), 36 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index 127f7d238a041..90719916184db 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -340,6 +340,38 @@ static void bnxt_db_cq(struct bnxt *bp, struct bnxt_db_info *db, u32 idx) + BNXT_DB_CQ(db, idx); + } + ++static void bnxt_queue_fw_reset_work(struct bnxt *bp, unsigned long delay) ++{ ++ if (!(test_bit(BNXT_STATE_IN_FW_RESET, &bp->state))) ++ return; ++ ++ if (BNXT_PF(bp)) ++ queue_delayed_work(bnxt_pf_wq, &bp->fw_reset_task, delay); ++ else ++ schedule_delayed_work(&bp->fw_reset_task, delay); ++} ++ ++static void bnxt_queue_sp_work(struct bnxt *bp) ++{ ++ if (BNXT_PF(bp)) ++ queue_work(bnxt_pf_wq, &bp->sp_task); ++ else ++ schedule_work(&bp->sp_task); ++} ++ ++static void bnxt_sched_reset_rxr(struct bnxt *bp, struct bnxt_rx_ring_info *rxr) ++{ ++ if (!rxr->bnapi->in_reset) { ++ rxr->bnapi->in_reset = true; ++ if (bp->flags & BNXT_FLAG_CHIP_P5) ++ set_bit(BNXT_RESET_TASK_SP_EVENT, &bp->sp_event); ++ else ++ set_bit(BNXT_RST_RING_SP_EVENT, 
&bp->sp_event); ++ bnxt_queue_sp_work(bp); ++ } ++ rxr->rx_next_cons = 0xffff; ++} ++ + const u16 bnxt_lhint_arr[] = { + TX_BD_FLAGS_LHINT_512_AND_SMALLER, + TX_BD_FLAGS_LHINT_512_TO_1023, +@@ -1227,38 +1259,6 @@ static int bnxt_discard_rx(struct bnxt *bp, struct bnxt_cp_ring_info *cpr, + return 0; + } + +-static void bnxt_queue_fw_reset_work(struct bnxt *bp, unsigned long delay) +-{ +- if (!(test_bit(BNXT_STATE_IN_FW_RESET, &bp->state))) +- return; +- +- if (BNXT_PF(bp)) +- queue_delayed_work(bnxt_pf_wq, &bp->fw_reset_task, delay); +- else +- schedule_delayed_work(&bp->fw_reset_task, delay); +-} +- +-static void bnxt_queue_sp_work(struct bnxt *bp) +-{ +- if (BNXT_PF(bp)) +- queue_work(bnxt_pf_wq, &bp->sp_task); +- else +- schedule_work(&bp->sp_task); +-} +- +-static void bnxt_sched_reset(struct bnxt *bp, struct bnxt_rx_ring_info *rxr) +-{ +- if (!rxr->bnapi->in_reset) { +- rxr->bnapi->in_reset = true; +- if (bp->flags & BNXT_FLAG_CHIP_P5) +- set_bit(BNXT_RESET_TASK_SP_EVENT, &bp->sp_event); +- else +- set_bit(BNXT_RST_RING_SP_EVENT, &bp->sp_event); +- bnxt_queue_sp_work(bp); +- } +- rxr->rx_next_cons = 0xffff; +-} +- + static u16 bnxt_alloc_agg_idx(struct bnxt_rx_ring_info *rxr, u16 agg_id) + { + struct bnxt_tpa_idx_map *map = rxr->rx_tpa_idx_map; +@@ -1313,7 +1313,7 @@ static void bnxt_tpa_start(struct bnxt *bp, struct bnxt_rx_ring_info *rxr, + netdev_warn(bp->dev, "TPA cons %x, expected cons %x, error code %x\n", + cons, rxr->rx_next_cons, + TPA_START_ERROR_CODE(tpa_start1)); +- bnxt_sched_reset(bp, rxr); ++ bnxt_sched_reset_rxr(bp, rxr); + return; + } + /* Store cfa_code in tpa_info to use in tpa_end +@@ -1835,7 +1835,7 @@ static int bnxt_rx_pkt(struct bnxt *bp, struct bnxt_cp_ring_info *cpr, + if (rxr->rx_next_cons != 0xffff) + netdev_warn(bp->dev, "RX cons %x != expected cons %x\n", + cons, rxr->rx_next_cons); +- bnxt_sched_reset(bp, rxr); ++ bnxt_sched_reset_rxr(bp, rxr); + if (rc1) + return rc1; + goto next_rx_no_prod_no_len; +@@ -1873,7 +1873,7 @@ static 
int bnxt_rx_pkt(struct bnxt *bp, struct bnxt_cp_ring_info *cpr, + !(bp->fw_cap & BNXT_FW_CAP_RING_MONITOR)) { + netdev_warn_once(bp->dev, "RX buffer error %x\n", + rx_err); +- bnxt_sched_reset(bp, rxr); ++ bnxt_sched_reset_rxr(bp, rxr); + } + } + goto next_rx_no_len; +@@ -2254,7 +2254,7 @@ static int bnxt_async_event_process(struct bnxt *bp, + goto async_event_process_exit; + } + rxr = bp->bnapi[grp_idx]->rx_ring; +- bnxt_sched_reset(bp, rxr); ++ bnxt_sched_reset_rxr(bp, rxr); + goto async_event_process_exit; + } + case ASYNC_EVENT_CMPL_EVENT_ID_ECHO_REQUEST: { +-- +2.51.0 + diff --git a/queue-5.15/hid-quirks-work-around-vid-pid-conflict-for-appledis.patch b/queue-5.15/hid-quirks-work-around-vid-pid-conflict-for-appledis.patch new file mode 100644 index 0000000000..2820ebb168 --- /dev/null +++ b/queue-5.15/hid-quirks-work-around-vid-pid-conflict-for-appledis.patch 
@@ -0,0 +1,47 @@ +From bd612be26b1be7c0fec61e2f53966d45aa3f4d28 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Nov 2025 13:46:41 +0100 +Subject: HID: quirks: work around VID/PID conflict for appledisplay +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: René Rebe + +[ Upstream commit c7fabe4ad9219866c203164a214c474c95b36bf2 ] + +For years I wondered why the Apple Cinema Display driver would not +just work for me. Turns out the hidraw driver instantly takes it +over. Fix by adding appledisplay VID/PIDs to hid_have_special_driver. + +Fixes: 069e8a65cd79 ("Driver for Apple Cinema Display") +Signed-off-by: René Rebe +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-quirks.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c +index 4b645db5cd4bc..cc2f462fced27 100644 +--- a/drivers/hid/hid-quirks.c ++++ b/drivers/hid/hid-quirks.c +@@ -220,6 +220,15 @@ static const struct hid_device_id hid_quirks[] = { + * used as a driver. See hid_scan_report(). + */ + static const struct hid_device_id hid_have_special_driver[] = { ++#if IS_ENABLED(CONFIG_APPLEDISPLAY) ++ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x9218) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x9219) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x921c) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x921d) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x9222) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x9226) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x9236) }, ++#endif + #if IS_ENABLED(CONFIG_HID_A4TECH) + { HID_USB_DEVICE(USB_VENDOR_ID_A4TECH, USB_DEVICE_ID_A4TECH_WCP32PU) }, + { HID_USB_DEVICE(USB_VENDOR_ID_A4TECH, USB_DEVICE_ID_A4TECH_X5_005D) }, +-- +2.51.0 + diff --git a/queue-5.15/inet-ping-fix-icmp-out-counting.patch b/queue-5.15/inet-ping-fix-icmp-out-counting.patch new file mode 100644 index 0000000000..80f432d587 --- /dev/null 
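Review bot: The seven new entries pass bare product IDs (`0x9218` through `0x9236`) to HID_USB_DEVICE, while the neighbouring A4TECH entries in the same table use named `USB_DEVICE_ID_*` constants. Since this list decides which driver is allowed to bind a device by VID/PID, it has to stay in step with the appledisplay driver's own device table, and bare numbers make a mismatch hard to spot. Named constants shared by both files would be the cleaner form; failing that, a comment above the block such as `/* Apple Cinema Display IDs; keep in sync with the appledisplay device table */` would do. The hid_have_special_driver[] table continues outside the hunk.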
+++ b/queue-5.15/inet-ping-fix-icmp-out-counting.patch @@ -0,0 +1,55 @@ +From bd74c49fa451bffb4afe1e6d8dae1a708fa8b004 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Dec 2025 14:31:45 +0800 +Subject: inet: ping: Fix icmp out counting + +From: yuan.gao + +[ Upstream commit 4c0856c225b39b1def6c9a6bc56faca79550da13 ] + +When the ping program uses an IPPROTO_ICMP socket to send ICMP_ECHO +messages, ICMP_MIB_OUTMSGS is counted twice. + + ping_v4_sendmsg + ping_v4_push_pending_frames + ip_push_pending_frames + ip_finish_skb + __ip_make_skb + icmp_out_count(net, icmp_type); // first count + icmp_out_count(sock_net(sk), user_icmph.type); // second count + +However, when the ping program uses an IPPROTO_RAW socket, +ICMP_MIB_OUTMSGS is counted correctly only once. + +Therefore, the first count should be removed. + +Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind") +Signed-off-by: yuan.gao +Reviewed-by: Ido Schimmel +Tested-by: Ido Schimmel +Link: https://patch.msgid.link/20251224063145.3615282-1-yuan.gao@ucloud.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/ping.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c +index c4a2565da2806..069ac54ef7565 100644 +--- a/net/ipv4/ping.c ++++ b/net/ipv4/ping.c +@@ -844,10 +844,8 @@ static int ping_v4_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) + out_free: + if (free) + kfree(ipc.opt); +- if (!err) { +- icmp_out_count(sock_net(sk), user_icmph.type); ++ if (!err) + return len; +- } + return err; + + do_confirm: +-- +2.51.0 + diff --git a/queue-5.15/net-enetc-fix-build-warning-when-page_size-is-greate.patch b/queue-5.15/net-enetc-fix-build-warning-when-page_size-is-greate.patch new file mode 100644 index 0000000000..804f0d303f --- /dev/null +++ b/queue-5.15/net-enetc-fix-build-warning-when-page_size-is-greate.patch 
@@ -0,0 +1,49 @@ +From b8ed79ae8a9d8bb8cbd55ea5558d3d88b7b13ac7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jan 2026 17:12:04 +0800 +Subject: net: enetc: fix build warning when PAGE_SIZE is greater than 128K + +From: Wei Fang + +[ Upstream commit 4b5bdabb5449b652122e43f507f73789041d4abe ] + +The max buffer size of ENETC RX BD is 0xFFFF bytes, so if the PAGE_SIZE +is greater than 128K, ENETC_RXB_DMA_SIZE and ENETC_RXB_DMA_SIZE_XDP will +be greater than 0xFFFF, thus causing a build warning. + +This will not cause any practical issues because ENETC is currently only +used on the ARM64 platform, and the max PAGE_SIZE is 64K. So this patch +is only for fixing the build warning that occurs when compiling ENETC +drivers for other platforms. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202601050637.kHEKKOG7-lkp@intel.com/ +Fixes: e59bc32df2e9 ("net: enetc: correct the value of ENETC_RXB_TRUESIZE") +Signed-off-by: Wei Fang +Reviewed-by: Frank Li +Link: https://patch.msgid.link/20260107091204.1980222-1-wei.fang@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/enetc/enetc.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/enetc/enetc.h b/drivers/net/ethernet/freescale/enetc/enetc.h +index 40c8f0f026a5b..adcb53167d3f9 100644 +--- a/drivers/net/ethernet/freescale/enetc/enetc.h ++++ b/drivers/net/ethernet/freescale/enetc/enetc.h +@@ -40,9 +40,9 @@ struct enetc_tx_swbd { + #define ENETC_RXB_TRUESIZE (PAGE_SIZE >> 1) + #define ENETC_RXB_PAD NET_SKB_PAD /* add extra space if needed */ + #define ENETC_RXB_DMA_SIZE \ +- (SKB_WITH_OVERHEAD(ENETC_RXB_TRUESIZE) - ENETC_RXB_PAD) ++ min(SKB_WITH_OVERHEAD(ENETC_RXB_TRUESIZE) - ENETC_RXB_PAD, 0xffff) + #define ENETC_RXB_DMA_SIZE_XDP \ +- (SKB_WITH_OVERHEAD(ENETC_RXB_TRUESIZE) - XDP_PACKET_HEADROOM) ++ min(SKB_WITH_OVERHEAD(ENETC_RXB_TRUESIZE) - XDP_PACKET_HEADROOM, 0xffff) + + 
struct enetc_rx_swbd { + dma_addr_t dma; +-- +2.51.0 + diff --git a/queue-5.15/net-marvell-prestera-fix-null-dereference-on-devlink.patch b/queue-5.15/net-marvell-prestera-fix-null-dereference-on-devlink.patch new file mode 100644 index 0000000000..6d174c6ab3 --- /dev/null +++ b/queue-5.15/net-marvell-prestera-fix-null-dereference-on-devlink.patch @@ -0,0 +1,44 @@ +From 909018b53bfb408a9c65141adedb114d41ebe4ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Dec 2025 21:21:18 -0800 +Subject: net: marvell: prestera: fix NULL dereference on devlink_alloc() + failure + +From: Alok Tiwari + +[ Upstream commit a428e0da1248c353557970848994f35fd3f005e2 ] + +devlink_alloc() may return NULL on allocation failure, but +prestera_devlink_alloc() unconditionally calls devlink_priv() on +the returned pointer. + +This leads to a NULL pointer dereference if devlink allocation fails. +Add a check for a NULL devlink pointer and return NULL early to avoid +the crash. + +Fixes: 34dd1710f5a3 ("net: marvell: prestera: Add basic devlink support") +Signed-off-by: Alok Tiwari +Acked-by: Elad Nachman +Link: https://patch.msgid.link/20251230052124.897012-1-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/prestera/prestera_devlink.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/marvell/prestera/prestera_devlink.c b/drivers/net/ethernet/marvell/prestera/prestera_devlink.c +index 68b442eb6d694..59e865df6cee0 100644 +--- a/drivers/net/ethernet/marvell/prestera/prestera_devlink.c ++++ b/drivers/net/ethernet/marvell/prestera/prestera_devlink.c +@@ -396,6 +396,8 @@ struct prestera_switch *prestera_devlink_alloc(struct prestera_device *dev) + + dl = devlink_alloc(&prestera_dl_ops, sizeof(struct prestera_switch), + dev->dev); ++ if (!dl) ++ return NULL; + + return devlink_priv(dl); + } +-- +2.51.0 + 
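Review bot: The literal `0xffff` in the two new `min(...)` calls is an int, while the first operand is derived from PAGE_SIZE and is presumably an unsigned long expression, so on a tree whose min() still insists on matching operand types this backport could trade one build warning for another. That is worth a compile check on the 5.15 queue specifically, because the patch was presumably written against a newer minmax.h. If it does warn, an explicit type resolves it, e.g. `min_t(unsigned long, SKB_WITH_OVERHEAD(ENETC_RXB_TRUESIZE) - ENETC_RXB_PAD, 0xffff)`, and the same for ENETC_RXB_DMA_SIZE_XDP. A named constant for the RX BD limit in place of the bare `0xffff` would also tie the clamp to the hardware limit the commit message describes.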
diff --git a/queue-5.15/net-mlx5e-don-t-print-error-message-due-to-invalid-m.patch b/queue-5.15/net-mlx5e-don-t-print-error-message-due-to-invalid-m.patch
new file mode 100644
index 0000000000..82c4443a9f
--- /dev/null
+++ b/queue-5.15/net-mlx5e-don-t-print-error-message-due-to-invalid-m.patch
@@ -0,0 +1,50 @@
+From cd162fd20d1ab3a7291fa922314bb4017e815d08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 25 Dec 2025 15:27:16 +0200
+Subject: net/mlx5e: Don't print error message due to invalid module
+
+From: Gal Pressman
+
+[ Upstream commit 144297e2a24e3e54aee1180ec21120ea38822b97 ]
+
+Dumping module EEPROM on newer modules is supported through the netlink
+interface only.
+
+Querying with old userspace ethtool (or other tools, such as 'lshw')
+which still uses the ioctl interface results in an error message that
+could flood dmesg (in addition to the expected error return value).
+The original message was added under the assumption that the driver
+should be able to handle all module types, but now that such flows are
+easily triggered from userspace, it doesn't serve its purpose.
+
+Change the log level of the print in mlx5_query_module_eeprom() to
+debug.
+
+Fixes: bb64143eee8c ("net/mlx5e: Add ethtool support for dump module EEPROM")
+Signed-off-by: Gal Pressman
+Reviewed-by: Tariq Toukan
+Signed-off-by: Mark Bloch
+Link: https://patch.msgid.link/20251225132717.358820-5-mbloch@nvidia.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/mellanox/mlx5/core/port.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/port.c b/drivers/net/ethernet/mellanox/mlx5/core/port.c
+index fd79860de723b..fdf708d642887 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/port.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/port.c
+@@ -414,7 +414,8 @@ int mlx5_query_module_eeprom(struct mlx5_core_dev *dev,
+ mlx5_qsfp_eeprom_params_set(&query.i2c_address, &query.page, &offset);
+ break;
+ default:
+- mlx5_core_err(dev, "Module ID not recognized: 0x%x\n", module_id);
++ mlx5_core_dbg(dev, "Module ID not recognized: 0x%x\n",
++ module_id);
+ return -EINVAL;
+ }
+
+--
+2.51.0
+
diff --git a/queue-5.15/net-mscc-ocelot-fix-crash-when-adding-interface-unde.patch b/queue-5.15/net-mscc-ocelot-fix-crash-when-adding-interface-unde.patch
new file mode 100644
index 0000000000..913114a173
--- /dev/null
+++ b/queue-5.15/net-mscc-ocelot-fix-crash-when-adding-interface-unde.patch
@@ -0,0 +1,56 @@ +From 48a02c2b3dd668a4db240f9dab4f6ff01cf3e7ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Dec 2025 20:36:17 +0000 +Subject: net: mscc: ocelot: Fix crash when adding interface under a lag + +From: Jerry Wu + +[ Upstream commit 34f3ff52cb9fa7dbf04f5c734fcc4cb6ed5d1a95 ] + +Commit 15faa1f67ab4 ("lan966x: Fix crash when adding interface under a lag") +fixed a similar issue in the lan966x driver caused by a NULL pointer dereference. +The ocelot_set_aggr_pgids() function in the ocelot driver has similar logic +and is susceptible to the same crash. + +This issue specifically affects the ocelot_vsc7514.c frontend, which leaves +unused ports as NULL pointers. The felix_vsc9959.c frontend is unaffected as +it uses the DSA framework which registers all ports. + +Fix this by checking if the port pointer is valid before accessing it. + +Fixes: 528d3f190c98 ("net: mscc: ocelot: drop the use of the "lags" array") +Signed-off-by: Jerry Wu +Reviewed-by: Vladimir Oltean +Link: https://patch.msgid.link/tencent_75EF812B305E26B0869C673DD1160866C90A@qq.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mscc/ocelot.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mscc/ocelot.c b/drivers/net/ethernet/mscc/ocelot.c +index 96b1e394a397f..f3bf7757302c0 100644 +--- a/drivers/net/ethernet/mscc/ocelot.c ++++ b/drivers/net/ethernet/mscc/ocelot.c +@@ -1718,14 +1718,16 @@ static void ocelot_set_aggr_pgids(struct ocelot *ocelot) + + /* Now, set PGIDs for each active LAG */ + for (lag = 0; lag < ocelot->num_phys_ports; lag++) { +- struct net_device *bond = ocelot->ports[lag]->bond; ++ struct ocelot_port *ocelot_port = ocelot->ports[lag]; + int num_active_ports = 0; ++ struct net_device *bond; + unsigned long bond_mask; + u8 aggr_idx[16]; + +- if (!bond || (visited & BIT(lag))) ++ if (!ocelot_port || !ocelot_port->bond || (visited & BIT(lag))) + continue; + ++ bond = 
ocelot_port->bond; + bond_mask = ocelot_get_bond_mask(ocelot, bond); + + for_each_set_bit(port, &bond_mask, ocelot->num_phys_ports) { +-- +2.51.0 + diff --git a/queue-5.15/net-sched-sch_qfq-fix-null-deref-when-deactivating-i.patch b/queue-5.15/net-sched-sch_qfq-fix-null-deref-when-deactivating-i.patch new file mode 100644 index 0000000000..443d0c62c0 --- /dev/null +++ b/queue-5.15/net-sched-sch_qfq-fix-null-deref-when-deactivating-i.patch 
@@ -0,0 +1,162 @@ +From c2764c525e3ec1bcd33c8a17f6650d886d9ba828 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jan 2026 20:41:00 -0700 +Subject: net/sched: sch_qfq: Fix NULL deref when deactivating inactive + aggregate in qfq_reset + +From: Xiang Mei + +[ Upstream commit c1d73b1480235731e35c81df70b08f4714a7d095 ] + +`qfq_class->leaf_qdisc->q.qlen > 0` does not imply that the class +itself is active. + +Two qfq_class objects may point to the same leaf_qdisc. This happens +when: + +1. one QFQ qdisc is attached to the dev as the root qdisc, and + +2. another QFQ qdisc is temporarily referenced (e.g., via qdisc_get() +/ qdisc_put()) and is pending to be destroyed, as in function +tc_new_tfilter. + +When packets are enqueued through the root QFQ qdisc, the shared +leaf_qdisc->q.qlen increases. At the same time, the second QFQ +qdisc triggers qdisc_put and qdisc_destroy: the qdisc enters +qfq_reset() with its own q->q.qlen == 0, but its class's leaf +qdisc->q.qlen > 0. Therefore, the qfq_reset would wrongly deactivate +an inactive aggregate and trigger a null-deref in qfq_deactivate_agg: + +[ 0.903172] BUG: kernel NULL pointer dereference, address: 0000000000000000 +[ 0.903571] #PF: supervisor write access in kernel mode +[ 0.903860] #PF: error_code(0x0002) - not-present page +[ 0.904177] PGD 10299b067 P4D 10299b067 PUD 10299c067 PMD 0 +[ 0.904502] Oops: Oops: 0002 [#1] SMP NOPTI +[ 0.904737] CPU: 0 UID: 0 PID: 135 Comm: exploit Not tainted 6.19.0-rc3+ #2 NONE +[ 0.905157] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014 +[ 0.905754] RIP: 0010:qfq_deactivate_agg (include/linux/list.h:992 (discriminator 2) include/linux/list.h:1006 (discriminator 2) net/sched/sch_qfq.c:1367 (discriminator 2) net/sched/sch_qfq.c:1393 (discriminator 2)) +[ 0.906046] Code: 0f 84 4d 01 00 00 48 89 70 18 8b 4b 10 48 c7 c2 ff ff ff ff 48 8b 78 08 48 d3 e2 48 21 f2 48 2b 13 48 8b 30 48 d3 ea 8b 4b 18 0 + +Code 
starting with the faulting instruction +=========================================== + 0: 0f 84 4d 01 00 00 je 0x153 + 6: 48 89 70 18 mov %rsi,0x18(%rax) + a: 8b 4b 10 mov 0x10(%rbx),%ecx + d: 48 c7 c2 ff ff ff ff mov $0xffffffffffffffff,%rdx + 14: 48 8b 78 08 mov 0x8(%rax),%rdi + 18: 48 d3 e2 shl %cl,%rdx + 1b: 48 21 f2 and %rsi,%rdx + 1e: 48 2b 13 sub (%rbx),%rdx + 21: 48 8b 30 mov (%rax),%rsi + 24: 48 d3 ea shr %cl,%rdx + 27: 8b 4b 18 mov 0x18(%rbx),%ecx + ... +[ 0.907095] RSP: 0018:ffffc900004a39a0 EFLAGS: 00010246 +[ 0.907368] RAX: ffff8881043a0880 RBX: ffff888102953340 RCX: 0000000000000000 +[ 0.907723] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 +[ 0.908100] RBP: ffff888102952180 R08: 0000000000000000 R09: 0000000000000000 +[ 0.908451] R10: ffff8881043a0000 R11: 0000000000000000 R12: ffff888102952000 +[ 0.908804] R13: ffff888102952180 R14: ffff8881043a0ad8 R15: ffff8881043a0880 +[ 0.909179] FS: 000000002a1a0380(0000) GS:ffff888196d8d000(0000) knlGS:0000000000000000 +[ 0.909572] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 0.909857] CR2: 0000000000000000 CR3: 0000000102993002 CR4: 0000000000772ef0 +[ 0.910247] PKRU: 55555554 +[ 0.910391] Call Trace: +[ 0.910527] +[ 0.910638] qfq_reset_qdisc (net/sched/sch_qfq.c:357 net/sched/sch_qfq.c:1485) +[ 0.910826] qdisc_reset (include/linux/skbuff.h:2195 include/linux/skbuff.h:2501 include/linux/skbuff.h:3424 include/linux/skbuff.h:3430 net/sched/sch_generic.c:1036) +[ 0.911040] __qdisc_destroy (net/sched/sch_generic.c:1076) +[ 0.911236] tc_new_tfilter (net/sched/cls_api.c:2447) +[ 0.911447] rtnetlink_rcv_msg (net/core/rtnetlink.c:6958) +[ 0.911663] ? __pfx_rtnetlink_rcv_msg (net/core/rtnetlink.c:6861) +[ 0.911894] netlink_rcv_skb (net/netlink/af_netlink.c:2550) +[ 0.912100] netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344) +[ 0.912296] ? 
__alloc_skb (net/core/skbuff.c:706) +[ 0.912484] netlink_sendmsg (net/netlink/af_netlink.c:1894) +[ 0.912682] sock_write_iter (net/socket.c:727 (discriminator 1) net/socket.c:742 (discriminator 1) net/socket.c:1195 (discriminator 1)) +[ 0.912880] vfs_write (fs/read_write.c:593 fs/read_write.c:686) +[ 0.913077] ksys_write (fs/read_write.c:738) +[ 0.913252] do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) +[ 0.913438] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131) +[ 0.913687] RIP: 0033:0x424c34 +[ 0.913844] Code: 89 02 48 c7 c0 ff ff ff ff eb bd 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 80 3d 2d 44 09 00 00 74 13 b8 01 00 00 00 0f 05 9 + +Code starting with the faulting instruction +=========================================== + 0: 89 02 mov %eax,(%rdx) + 2: 48 c7 c0 ff ff ff ff mov $0xffffffffffffffff,%rax + 9: eb bd jmp 0xffffffffffffffc8 + b: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1) + 12: 00 00 00 + 15: 90 nop + 16: f3 0f 1e fa endbr64 + 1a: 80 3d 2d 44 09 00 00 cmpb $0x0,0x9442d(%rip) # 0x9444e + 21: 74 13 je 0x36 + 23: b8 01 00 00 00 mov $0x1,%eax + 28: 0f 05 syscall + 2a: 09 .byte 0x9 +[ 0.914807] RSP: 002b:00007ffea1938b78 EFLAGS: 00000202 ORIG_RAX: 0000000000000001 +[ 0.915197] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000424c34 +[ 0.915556] RDX: 000000000000003c RSI: 000000002af378c0 RDI: 0000000000000003 +[ 0.915912] RBP: 00007ffea1938bc0 R08: 00000000004b8820 R09: 0000000000000000 +[ 0.916297] R10: 0000000000000001 R11: 0000000000000202 R12: 00007ffea1938d28 +[ 0.916652] R13: 00007ffea1938d38 R14: 00000000004b3828 R15: 0000000000000001 +[ 0.917039] +[ 0.917158] Modules linked in: +[ 0.917316] CR2: 0000000000000000 +[ 0.917484] ---[ end trace 0000000000000000 ]--- +[ 0.917717] RIP: 0010:qfq_deactivate_agg (include/linux/list.h:992 (discriminator 2) include/linux/list.h:1006 (discriminator 2) net/sched/sch_qfq.c:1367 (discriminator 2) 
net/sched/sch_qfq.c:1393 (discriminator 2)) +[ 0.917978] Code: 0f 84 4d 01 00 00 48 89 70 18 8b 4b 10 48 c7 c2 ff ff ff ff 48 8b 78 08 48 d3 e2 48 21 f2 48 2b 13 48 8b 30 48 d3 ea 8b 4b 18 0 + +Code starting with the faulting instruction +=========================================== + 0: 0f 84 4d 01 00 00 je 0x153 + 6: 48 89 70 18 mov %rsi,0x18(%rax) + a: 8b 4b 10 mov 0x10(%rbx),%ecx + d: 48 c7 c2 ff ff ff ff mov $0xffffffffffffffff,%rdx + 14: 48 8b 78 08 mov 0x8(%rax),%rdi + 18: 48 d3 e2 shl %cl,%rdx + 1b: 48 21 f2 and %rsi,%rdx + 1e: 48 2b 13 sub (%rbx),%rdx + 21: 48 8b 30 mov (%rax),%rsi + 24: 48 d3 ea shr %cl,%rdx + 27: 8b 4b 18 mov 0x18(%rbx),%ecx + ... +[ 0.918902] RSP: 0018:ffffc900004a39a0 EFLAGS: 00010246 +[ 0.919198] RAX: ffff8881043a0880 RBX: ffff888102953340 RCX: 0000000000000000 +[ 0.919559] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 +[ 0.919908] RBP: ffff888102952180 R08: 0000000000000000 R09: 0000000000000000 +[ 0.920289] R10: ffff8881043a0000 R11: 0000000000000000 R12: ffff888102952000 +[ 0.920648] R13: ffff888102952180 R14: ffff8881043a0ad8 R15: ffff8881043a0880 +[ 0.921014] FS: 000000002a1a0380(0000) GS:ffff888196d8d000(0000) knlGS:0000000000000000 +[ 0.921424] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 0.921710] CR2: 0000000000000000 CR3: 0000000102993002 CR4: 0000000000772ef0 +[ 0.922097] PKRU: 55555554 +[ 0.922240] Kernel panic - not syncing: Fatal exception +[ 0.922590] Kernel Offset: disabled + +Fixes: 0545a3037773 ("pkt_sched: QFQ - quick fair queue scheduler") +Signed-off-by: Xiang Mei +Link: https://patch.msgid.link/20260106034100.1780779-1-xmei5@asu.edu +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_qfq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c +index 649cf7a7dce46..aa049dd33a74e 100644 +--- a/net/sched/sch_qfq.c ++++ b/net/sched/sch_qfq.c +@@ -1491,7 +1491,7 @@ static void qfq_reset_qdisc(struct Qdisc 
*sch) + + for (i = 0; i < q->clhash.hashsize; i++) { + hlist_for_each_entry(cl, &q->clhash.hash[i], common.hnode) { +- if (cl->qdisc->q.qlen > 0) ++ if (cl_is_active(cl)) + qfq_deactivate_class(q, cl); + + qdisc_reset(cl->qdisc); +-- +2.51.0 + diff --git a/queue-5.15/net-sock-fix-hardened-usercopy-panic-in-sock_recv_er.patch b/queue-5.15/net-sock-fix-hardened-usercopy-panic-in-sock_recv_er.patch new file mode 100644 index 0000000000..733a46b2ef --- /dev/null +++ b/queue-5.15/net-sock-fix-hardened-usercopy-panic-in-sock_recv_er.patch 
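Review bot: The one-line change in qfq_reset_qdisc() calls `cl_is_active(cl)`, a helper that this queued patch neither defines nor shows, so the 5.15 queue depends on an earlier backport having added it to net/sched/sch_qfq.c. If that prerequisite is missing the tree will not build, and if its definition differs from upstream the NULL dereference in qfq_deactivate_agg() shown in the description may still be reachable from the netlink path in the trace. I would confirm the helper is present in 5.15.y and add a short comment at the call, e.g. `/* leaf qlen may be non-zero for a class that is not active (leaf qdisc can be shared) */`. The loop body continues outside the hunk.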
@@ -0,0 +1,114 @@ +From 225311978f40818fef2e4ca3889628b0659be309 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Dec 2025 04:35:35 +0800 +Subject: net: sock: fix hardened usercopy panic in sock_recv_errqueue + +From: Weiming Shi + +[ Upstream commit 2a71a1a8d0ed718b1c7a9ac61f07e5755c47ae20 ] + +skbuff_fclone_cache was created without defining a usercopy region, +[1] unlike skbuff_head_cache which properly whitelists the cb[] field. +[2] This causes a usercopy BUG() when CONFIG_HARDENED_USERCOPY is +enabled and the kernel attempts to copy sk_buff.cb data to userspace +via sock_recv_errqueue() -> put_cmsg(). + +The crash occurs when: 1. TCP allocates an skb using alloc_skb_fclone() + (from skbuff_fclone_cache) [1] +2. The skb is cloned via skb_clone() using the pre-allocated fclone +[3] 3. The cloned skb is queued to sk_error_queue for timestamp +reporting 4. Userspace reads the error queue via recvmsg(MSG_ERRQUEUE) +5. sock_recv_errqueue() calls put_cmsg() to copy serr->ee from skb->cb +[4] 6. __check_heap_object() fails because skbuff_fclone_cache has no + usercopy whitelist [5] + +When cloned skbs allocated from skbuff_fclone_cache are used in the +socket error queue, accessing the sock_exterr_skb structure in skb->cb +via put_cmsg() triggers a usercopy hardening violation: + +[ 5.379589] usercopy: Kernel memory exposure attempt detected from SLUB object 'skbuff_fclone_cache' (offset 296, size 16)! +[ 5.382796] kernel BUG at mm/usercopy.c:102! 
+[ 5.383923] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI +[ 5.384903] CPU: 1 UID: 0 PID: 138 Comm: poc_put_cmsg Not tainted 6.12.57 #7 +[ 5.384903] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 +[ 5.384903] RIP: 0010:usercopy_abort+0x6c/0x80 +[ 5.384903] Code: 1a 86 51 48 c7 c2 40 15 1a 86 41 52 48 c7 c7 c0 15 1a 86 48 0f 45 d6 48 c7 c6 80 15 1a 86 48 89 c1 49 0f 45 f3 e8 84 27 88 ff <0f> 0b 490 +[ 5.384903] RSP: 0018:ffffc900006f77a8 EFLAGS: 00010246 +[ 5.384903] RAX: 000000000000006f RBX: ffff88800f0ad2a8 RCX: 1ffffffff0f72e74 +[ 5.384903] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff87b973a0 +[ 5.384903] RBP: 0000000000000010 R08: 0000000000000000 R09: fffffbfff0f72e74 +[ 5.384903] R10: 0000000000000003 R11: 79706f6372657375 R12: 0000000000000001 +[ 5.384903] R13: ffff88800f0ad2b8 R14: ffffea00003c2b40 R15: ffffea00003c2b00 +[ 5.384903] FS: 0000000011bc4380(0000) GS:ffff8880bf100000(0000) knlGS:0000000000000000 +[ 5.384903] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 5.384903] CR2: 000056aa3b8e5fe4 CR3: 000000000ea26004 CR4: 0000000000770ef0 +[ 5.384903] PKRU: 55555554 +[ 5.384903] Call Trace: +[ 5.384903] +[ 5.384903] __check_heap_object+0x9a/0xd0 +[ 5.384903] __check_object_size+0x46c/0x690 +[ 5.384903] put_cmsg+0x129/0x5e0 +[ 5.384903] sock_recv_errqueue+0x22f/0x380 +[ 5.384903] tls_sw_recvmsg+0x7ed/0x1960 +[ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5 +[ 5.384903] ? schedule+0x6d/0x270 +[ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5 +[ 5.384903] ? mutex_unlock+0x81/0xd0 +[ 5.384903] ? __pfx_mutex_unlock+0x10/0x10 +[ 5.384903] ? __pfx_tls_sw_recvmsg+0x10/0x10 +[ 5.384903] ? _raw_spin_lock_irqsave+0x8f/0xf0 +[ 5.384903] ? _raw_read_unlock_irqrestore+0x20/0x40 +[ 5.384903] ? 
srso_alias_return_thunk+0x5/0xfbef5 + +The crash offset 296 corresponds to skb2->cb within skbuff_fclones: + - sizeof(struct sk_buff) = 232 - offsetof(struct sk_buff, cb) = 40 - + offset of skb2.cb in fclones = 232 + 40 = 272 - crash offset 296 = + 272 + 24 (inside sock_exterr_skb.ee) + +This patch uses a local stack variable as a bounce buffer to avoid the hardened usercopy check failure. + +[1] https://elixir.bootlin.com/linux/v6.12.62/source/net/ipv4/tcp.c#L885 +[2] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5104 +[3] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5566 +[4] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5491 +[5] https://elixir.bootlin.com/linux/v6.12.62/source/mm/slub.c#L5719 + +Fixes: 6d07d1cd300f ("usercopy: Restrict non-usercopy caches to size 0") +Reported-by: Xiang Mei +Signed-off-by: Weiming Shi +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20251223203534.1392218-2-bestswngs@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/sock.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/core/sock.c b/net/core/sock.c +index b4e605ac79c9f..bf2bec10d5d6a 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -3377,7 +3377,7 @@ void sock_enable_timestamp(struct sock *sk, enum sock_flags flag) + int sock_recv_errqueue(struct sock *sk, struct msghdr *msg, int len, + int level, int type) + { +- struct sock_exterr_skb *serr; ++ struct sock_extended_err ee; + struct sk_buff *skb; + int copied, err; + +@@ -3397,8 +3397,9 @@ int sock_recv_errqueue(struct sock *sk, struct msghdr *msg, int len, + + sock_recv_timestamp(msg, sk, skb); + +- serr = SKB_EXT_ERR(skb); +- put_cmsg(msg, level, type, sizeof(serr->ee), &serr->ee); ++ /* We must use a bounce buffer for CONFIG_HARDENED_USERCOPY=y */ ++ ee = SKB_EXT_ERR(skb)->ee; ++ put_cmsg(msg, level, type, sizeof(ee), &ee); + + msg->msg_flags |= MSG_ERRQUEUE; + err = 
copied; +-- +2.51.0 + diff --git a/queue-5.15/net-usb-pegasus-fix-memory-leak-in-update_eth_regs_a.patch b/queue-5.15/net-usb-pegasus-fix-memory-leak-in-update_eth_regs_a.patch new file mode 100644 index 0000000000..8bcd360d33 --- /dev/null +++ b/queue-5.15/net-usb-pegasus-fix-memory-leak-in-update_eth_regs_a.patch @@ -0,0 +1,37 @@ +From f31f5dfcbd75ac2fb7654c86e8e928496800a8e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Jan 2026 10:48:21 +0200 +Subject: net: usb: pegasus: fix memory leak in update_eth_regs_async() + +From: Petko Manolov + +[ Upstream commit afa27621a28af317523e0836dad430bec551eb54 ] + +When asynchronously writing to the device registers and if usb_submit_urb() +fail, the code fail to release allocated to this point resources. + +Fixes: 323b34963d11 ("drivers: net: usb: pegasus: fix control urb submission") +Signed-off-by: Petko Manolov +Link: https://patch.msgid.link/20260106084821.3746677-1-petko.manolov@konsulko.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/pegasus.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/usb/pegasus.c b/drivers/net/usb/pegasus.c +index cd063f45785b7..fd7b9776b4824 100644 +--- a/drivers/net/usb/pegasus.c ++++ b/drivers/net/usb/pegasus.c +@@ -168,6 +168,8 @@ static int update_eth_regs_async(pegasus_t *pegasus) + netif_device_detach(pegasus->net); + netif_err(pegasus, drv, pegasus->net, + "%s returned %d\n", __func__, ret); ++ usb_free_urb(async_urb); ++ kfree(req); + } + return ret; + } +-- +2.51.0 + diff --git a/queue-5.15/netdev-preserve-netif_f_all_for_all-across-tso-updat.patch b/queue-5.15/netdev-preserve-netif_f_all_for_all-across-tso-updat.patch new file mode 100644 index 0000000000..f94b15db6c --- /dev/null +++ b/queue-5.15/netdev-preserve-netif_f_all_for_all-across-tso-updat.patch 
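Review bot: The new comment in sock_recv_errqueue() says a bounce buffer is needed for CONFIG_HARDENED_USERCOPY but not why, so a later cleanup could easily go back to passing `&serr->ee` straight to put_cmsg(). I would state the reason at the site, e.g. `/* skb may come from skbuff_fclone_cache, which has no usercopy region; copy ee to the stack first */`. Because `ee` is now a stack object handed to put_cmsg(), it is also worth confirming that `struct sock_extended_err` has no implicit padding that a struct assignment could leave uninitialised; its definition is not in this hunk. The function body starts and ends outside the two hunks.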
@@ -0,0 +1,43 @@
+From 2f17e797bd179a85edbb045cff28393bf45b16e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 24 Dec 2025 09:22:24 +0800
+Subject: netdev: preserve NETIF_F_ALL_FOR_ALL across TSO updates
+
+From: Di Zhu
+
+[ Upstream commit 02d1e1a3f9239cdb3ecf2c6d365fb959d1bf39df ]
+
+Directly increment the TSO features incurs a side effect: it will also
+directly clear the flags in NETIF_F_ALL_FOR_ALL on the master device,
+which can cause issues such as the inability to enable the nocache copy
+feature on the bonding driver.
+
+The fix is to include NETIF_F_ALL_FOR_ALL in the update mask, thereby
+preventing it from being cleared.
+
+Fixes: b0ce3508b25e ("bonding: allow TSO being set on bonding master")
+Signed-off-by: Di Zhu
+Link: https://patch.msgid.link/20251224012224.56185-1-zhud@hygon.cn
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ include/linux/netdevice.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
+index 83bb0f21b1b02..dddb866d88075 100644
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -5093,7 +5093,8 @@ netdev_features_t netdev_increment_features(netdev_features_t all,
+ static inline netdev_features_t netdev_add_tso_features(netdev_features_t features,
+ netdev_features_t mask)
+ {
+- return netdev_increment_features(features, NETIF_F_ALL_TSO, mask);
++ return netdev_increment_features(features, NETIF_F_ALL_TSO |
++ NETIF_F_ALL_FOR_ALL, mask);
+ }
+
+ int __netdev_update_features(struct net_device *dev);
+--
+2.51.0
+
diff --git a/queue-5.15/netfilter-nf_conncount-update-last_gc-only-when-gc-h.patch b/queue-5.15/netfilter-nf_conncount-update-last_gc-only-when-gc-h.patch
new file mode 100644
index 0000000000..fddaee4f14
--- /dev/null
+++ b/queue-5.15/netfilter-nf_conncount-update-last_gc-only-when-gc-h.patch
@@ -0,0 +1,48 @@
+From fa984ee0dc407a0d9c026ccb546c9c0425a95221 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 17 Dec 2025 15:46:40 +0100
+Subject: netfilter: nf_conncount: update last_gc only when GC has been
+ performed
+
+From: Fernando Fernandez Mancera
+
+[ Upstream commit 7811ba452402d58628e68faedf38745b3d485e3c ]
+
+Currently last_gc is being updated everytime a new connection is
+tracked, that means that it is updated even if a GC wasn't performed.
+With a sufficiently high packet rate, it is possible to always bypass
+the GC, causing the list to grow infinitely.
+
+Update the last_gc value only when a GC has been actually performed.
+
+Fixes: d265929930e2 ("netfilter: nf_conncount: reduce unnecessary GC")
+Signed-off-by: Fernando Fernandez Mancera
+Signed-off-by: Florian Westphal
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_conncount.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c
+index c00b8e522c5a7..a2c5a7ba0c6fc 100644
+--- a/net/netfilter/nf_conncount.c
++++ b/net/netfilter/nf_conncount.c
+@@ -229,6 +229,7 @@ static int __nf_conncount_add(struct net *net,
+
+ nf_ct_put(found_ct);
+ }
++ list->last_gc = (u32)jiffies;
+
+ add_new_node:
+ if (WARN_ON_ONCE(list->count > INT_MAX)) {
+@@ -248,7 +249,6 @@ static int __nf_conncount_add(struct net *net,
+ conn->jiffies32 = (u32)jiffies;
+ list_add_tail(&conn->node, &list->head);
+ list->count++;
+- list->last_gc = (u32)jiffies;
+
+ out_put:
+ if (refcounted)
+--
+2.51.0
+
diff --git a/queue-5.15/netfilter-nf_tables-fix-memory-leak-in-nf_tables_new.patch b/queue-5.15/netfilter-nf_tables-fix-memory-leak-in-nf_tables_new.patch
new file mode 100644
index 0000000000..fa4342b2e6
--- /dev/null
+++ b/queue-5.15/netfilter-nf_tables-fix-memory-leak-in-nf_tables_new.patch
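Review bot: The relocated `list->last_gc = (u32)jiffies;` in __nf_conncount_add() now sits between the end of the collection loop and the `add_new_node:` label with nothing explaining why its position matters, and the position is the whole fix for the unbounded list growth described in the commit message. I would add a comment at the assignment, e.g. `/* stamp only after a real GC pass; the add_new_node shortcut must not refresh it */`. Any path that leaves the loop without falling through to this line will also skip the stamp; the loop body is outside the hunk, so it is worth checking that this is intended.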
@@ -0,0 +1,49 @@
+From 31879d04bba81b3b61c3b2ac8e3c1ca805b9cff7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 24 Dec 2025 12:48:26 +0000
+Subject: netfilter: nf_tables: fix memory leak in nf_tables_newrule()
+
+From: Zilin Guan
+
+[ Upstream commit d077e8119ddbb4fca67540f1a52453631a47f221 ]
+
+In nf_tables_newrule(), if nft_use_inc() fails, the function jumps to
+the err_release_rule label without freeing the allocated flow, leading
+to a memory leak.
+
+Fix this by adding a new label err_destroy_flow and jumping to it when
+nft_use_inc() fails. This ensures that the flow is properly released
+in this error case.
+
+Fixes: 1689f25924ada ("netfilter: nf_tables: report use refcount overflow")
+Signed-off-by: Zilin Guan
+Signed-off-by: Florian Westphal
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_tables_api.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 91b012e476be6..e37d2ef9538e5 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -3741,7 +3741,7 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
+
+ if (!nft_use_inc(&chain->use)) {
+ err = -EMFILE;
+- goto err_release_rule;
++ goto err_destroy_flow;
+ }
+
+ if (info->nlh->nlmsg_flags & NLM_F_REPLACE) {
+@@ -3791,6 +3791,7 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
+
+ err_destroy_flow_rule:
+ nft_use_dec_restore(&chain->use);
++err_destroy_flow:
+ if (flow)
+ nft_flow_rule_destroy(flow);
+ err_release_rule:
+--
+2.51.0
+
diff --git a/queue-5.15/netfilter-nft_synproxy-avoid-possible-data-race-on-u.patch b/queue-5.15/netfilter-nft_synproxy-avoid-possible-data-race-on-u.patch
new file mode 100644
index 0000000000..c3adc9aaea
--- /dev/null
+++ b/queue-5.15/netfilter-nft_synproxy-avoid-possible-data-race-on-u.patch
@@ -0,0 +1,55 @@ +From b6c3426ec07173474e65ec62c2f554e43d5925de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Dec 2025 21:21:59 +0100 +Subject: netfilter: nft_synproxy: avoid possible data-race on update operation + +From: Fernando Fernandez Mancera + +[ Upstream commit 36a3200575642846a96436d503d46544533bb943 ] + +During nft_synproxy eval we are reading nf_synproxy_info struct which +can be modified on update operation concurrently. As nf_synproxy_info +struct fits in 32 bits, use READ_ONCE/WRITE_ONCE annotations. + +Fixes: ee394f96ad75 ("netfilter: nft_synproxy: add synproxy stateful object support") +Signed-off-by: Fernando Fernandez Mancera +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_synproxy.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/netfilter/nft_synproxy.c b/net/netfilter/nft_synproxy.c +index 0806813d3a767..46d2eefb0b218 100644 +--- a/net/netfilter/nft_synproxy.c ++++ b/net/netfilter/nft_synproxy.c +@@ -48,7 +48,7 @@ static void nft_synproxy_eval_v4(const struct nft_synproxy *priv, + struct tcphdr *_tcph, + struct synproxy_options *opts) + { +- struct nf_synproxy_info info = priv->info; ++ struct nf_synproxy_info info = READ_ONCE(priv->info); + struct net *net = nft_net(pkt); + struct synproxy_net *snet = synproxy_pernet(net); + struct sk_buff *skb = pkt->skb; +@@ -79,7 +79,7 @@ static void nft_synproxy_eval_v6(const struct nft_synproxy *priv, + struct tcphdr *_tcph, + struct synproxy_options *opts) + { +- struct nf_synproxy_info info = priv->info; ++ struct nf_synproxy_info info = READ_ONCE(priv->info); + struct net *net = nft_net(pkt); + struct synproxy_net *snet = synproxy_pernet(net); + struct sk_buff *skb = pkt->skb; +@@ -339,7 +339,7 @@ static void nft_synproxy_obj_update(struct nft_object *obj, + struct nft_synproxy *newpriv = nft_obj_data(newobj); + struct nft_synproxy *priv = nft_obj_data(obj); + +- priv->info = newpriv->info; ++ WRITE_ONCE(priv->info, 
newpriv->info); + } + + static struct nft_object_type nft_synproxy_obj_type; +-- +2.51.0 + diff --git a/queue-5.15/series b/queue-5.15/series index 2429291ef9..bb966a6406 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -525,3 +525,22 @@ nfsv4-ensure-the-open-stateid-seqid-doesn-t-go-backw.patch nfs-fix-up-the-automount-fs_context-to-use-the-corre.patch scsi-ipr-enable-disable-irqd_no_balancing-during-res.patch scsi-revert-scsi-libsas-fix-exp-attached-device-scan.patch +arm64-dts-add-off-on-delay-us-for-usdhc2-regulator.patch +arm-dts-imx6q-ba16-fix-rtc-interrupt-level.patch +netfilter-nft_synproxy-avoid-possible-data-race-on-u.patch +netfilter-nf_tables-fix-memory-leak-in-nf_tables_new.patch +netfilter-nf_conncount-update-last_gc-only-when-gc-h.patch +net-marvell-prestera-fix-null-dereference-on-devlink.patch +bridge-fix-c-vlan-preservation-in-802.1ad-vlan_tunne.patch +net-mscc-ocelot-fix-crash-when-adding-interface-unde.patch +inet-ping-fix-icmp-out-counting.patch +net-sock-fix-hardened-usercopy-panic-in-sock_recv_er.patch +netdev-preserve-netif_f_all_for_all-across-tso-updat.patch +net-mlx5e-don-t-print-error-message-due-to-invalid-m.patch +eth-bnxt-move-and-rename-reset-helpers.patch +bnxt_en-fix-potential-data-corruption-with-hw-gro-lr.patch +hid-quirks-work-around-vid-pid-conflict-for-appledis.patch +net-sched-sch_qfq-fix-null-deref-when-deactivating-i.patch +net-usb-pegasus-fix-memory-leak-in-update_eth_regs_a.patch +net-enetc-fix-build-warning-when-page_size-is-greate.patch +arp-do-not-assume-dev_hard_header-does-not-change-sk.patch diff --git a/queue-6.1/arm-dts-imx6q-ba16-fix-rtc-interrupt-level.patch b/queue-6.1/arm-dts-imx6q-ba16-fix-rtc-interrupt-level.patch new file mode 100644 index 0000000000..6a8ad8733d --- /dev/null +++ b/queue-6.1/arm-dts-imx6q-ba16-fix-rtc-interrupt-level.patch 
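Review bot: The three annotated sites (nft_synproxy_eval_v4, nft_synproxy_eval_v6 and nft_synproxy_obj_update) apply READ_ONCE()/WRITE_ONCE() to a whole `struct nf_synproxy_info`, which only gives a tear-free snapshot while the struct stays the size of a native word; the commit message says it fits in 32 bits, but nothing in the code records that. I would add a comment beside the update, e.g. `/* info is 32 bits wide; readers snapshot it with READ_ONCE() */`, so that a later field addition is noticed at review. All three functions extend beyond their hunks.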
@@ -0,0 +1,40 @@
+From 6e648fa1a777456a1ede39683686e8c850563cb3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 1 Dec 2025 11:56:05 +0200
+Subject: ARM: dts: imx6q-ba16: fix RTC interrupt level
+
+From: Ian Ray
+
+[ Upstream commit e6a4eedd49ce27c16a80506c66a04707e0ee0116 ]
+
+RTC interrupt level should be set to "LOW". This was revealed by the
+introduction of commit:
+
+ f181987ef477 ("rtc: m41t80: use IRQ flags obtained from fwnode")
+
+which changed the way IRQ type is obtained.
+
+Fixes: 56c27310c1b4 ("ARM: dts: imx: Add Advantech BA-16 Qseven module")
+Signed-off-by: Ian Ray
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/imx6q-ba16.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/imx6q-ba16.dtsi b/arch/arm/boot/dts/imx6q-ba16.dtsi
+index f266f1b7e0cfc..0c033e69ecc04 100644
+--- a/arch/arm/boot/dts/imx6q-ba16.dtsi
++++ b/arch/arm/boot/dts/imx6q-ba16.dtsi
+@@ -335,7 +335,7 @@ rtc@32 {
+ pinctrl-0 = <&pinctrl_rtc>;
+ reg = <0x32>;
+ interrupt-parent = <&gpio4>;
+- interrupts = <10 IRQ_TYPE_LEVEL_HIGH>;
++ interrupts = <10 IRQ_TYPE_LEVEL_LOW>;
+ };
+ };
+
+--
+2.51.0
+
diff --git a/queue-6.1/arm64-dts-add-off-on-delay-us-for-usdhc2-regulator.patch b/queue-6.1/arm64-dts-add-off-on-delay-us-for-usdhc2-regulator.patch
new file mode 100644
index 0000000000..35d8361bb0
--- /dev/null
+++ b/queue-6.1/arm64-dts-add-off-on-delay-us-for-usdhc2-regulator.patch
@@ -0,0 +1,41 @@
+From 48cfa7beeeade128ed1e865141c3c5d297d7a17f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Nov 2025 11:22:40 +0800
+Subject: arm64: dts: add off-on-delay-us for usdhc2 regulator
+
+From: Haibo Chen
+
+[ Upstream commit ca643894a37a25713029b36cfe7d1bae515cac08 ]
+
+For SD card, according to the spec requirement, for sd card power reset
+operation, it need sd card supply voltage to be lower than 0.5v and keep
+over 1ms, otherwise, next time power back the sd card supply voltage to
+3.3v, sd card can't support SD3.0 mode again.
+
+To match such requirement on imx8qm-mek board, add 4.8ms delay between
+sd power off and power on.
+
+Fixes: 307fd14d4b14 ("arm64: dts: imx: add imx8qm mek support")
+Reviewed-by: Frank Li
+Signed-off-by: Haibo Chen
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/freescale/imx8qm-mek.dts | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8qm-mek.dts b/arch/arm64/boot/dts/freescale/imx8qm-mek.dts
+index 470e4e4aa8c78..059f8c0ab93d9 100644
+--- a/arch/arm64/boot/dts/freescale/imx8qm-mek.dts
++++ b/arch/arm64/boot/dts/freescale/imx8qm-mek.dts
+@@ -34,6 +34,7 @@ reg_usdhc2_vmmc: usdhc2-vmmc {
+ regulator-max-microvolt = <3000000>;
+ gpio = <&lsio_gpio4 7 GPIO_ACTIVE_HIGH>;
+ enable-active-high;
++ off-on-delay-us = <4800>;
+ };
+ };
+
+--
+2.51.0
+
diff --git a/queue-6.1/arm64-dts-imx8mp-fix-lan8740ai-phy-reference-clock-o.patch b/queue-6.1/arm64-dts-imx8mp-fix-lan8740ai-phy-reference-clock-o.patch
new file mode 100644
index 0000000000..382bf27f63
--- /dev/null
+++ b/queue-6.1/arm64-dts-imx8mp-fix-lan8740ai-phy-reference-clock-o.patch
@@ -0,0 +1,42 @@
+From 3b50f9a43e026492144f5cc4a697259ee731bcc1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 2 Dec 2025 14:41:51 +0100
+Subject: arm64: dts: imx8mp: Fix LAN8740Ai PHY reference clock on DH
+ electronics i.MX8M Plus DHCOM
+
+From: Marek Vasut
+
+[ Upstream commit c63749a7ddc59ac6ec0b05abfa0a21af9f2c1d38 ]
+
+Add missing 'clocks' property to LAN8740Ai PHY node, to allow the PHY driver
+to manage LAN8740Ai CLKIN reference clock supply. This fixes sporadic link
+bouncing caused by interruptions on the PHY reference clock, by letting the
+PHY driver manage the reference clock and assure there are no interruptions.
+
+This follows the matching PHY driver recommendation described in commit
+bedd8d78aba3 ("net: phy: smsc: LAN8710/20: add phy refclk in support")
+
+Fixes: 8d6712695bc8 ("arm64: dts: imx8mp: Add support for DH electronics i.MX8M Plus DHCOM and PDK2")
+Signed-off-by: Marek Vasut
+Tested-by: Christoph Niedermaier
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi
+index 2fd50b5890afa..0b81b85887f40 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi
+@@ -97,6 +97,7 @@ mdio {
+ ethphy0f: ethernet-phy@1 { /* SMSC LAN8740Ai */
+ compatible = "ethernet-phy-id0007.c110",
+ "ethernet-phy-ieee802.3-c22";
++ clocks = <&clk IMX8MP_CLK_ENET_QOS>;
+ interrupt-parent = <&gpio3>;
+ interrupts = <19 IRQ_TYPE_LEVEL_LOW>;
+ pinctrl-0 = <&pinctrl_ethphy0>;
+--
+2.51.0
+
diff --git a/queue-6.1/arp-do-not-assume-dev_hard_header-does-not-change-sk.patch b/queue-6.1/arp-do-not-assume-dev_hard_header-does-not-change-sk.patch
new file mode 100644
index 0000000000..3ef5472fc7
--- /dev/null
+++ b/queue-6.1/arp-do-not-assume-dev_hard_header-does-not-change-sk.patch
@@ -0,0 +1,58 @@
+From a66f255e41b19617e828dce7343710adc3498c1c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 7 Jan 2026 21:22:50 +0000
+Subject: arp: do not assume dev_hard_header() does not change skb->head
+
+From: Eric Dumazet
+
+[ Upstream commit c92510f5e3f82ba11c95991824a41e59a9c5ed81 ]
+
+arp_create() is the only dev_hard_header() caller
+making assumption about skb->head being unchanged.
+
+A recent commit broke this assumption.
+
+Initialize @arp pointer after dev_hard_header() call.
+
+Fixes: db5b4e39c4e6 ("ip6_gre: make ip6gre_header() robust")
+Reported-by: syzbot+58b44a770a1585795351@syzkaller.appspotmail.com
+Signed-off-by: Eric Dumazet
+Link: https://patch.msgid.link/20260107212250.384552-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/arp.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
+index 50e2b4939d8e9..fc8c7a34b53e6 100644
+--- a/net/ipv4/arp.c
++++ b/net/ipv4/arp.c
+@@ -563,7 +563,7 @@ struct sk_buff *arp_create(int type, int ptype, __be32 dest_ip,
+
+ skb_reserve(skb, hlen);
+ skb_reset_network_header(skb);
+- arp = skb_put(skb, arp_hdr_len(dev));
++ skb_put(skb, arp_hdr_len(dev));
+ skb->dev = dev;
+ skb->protocol = htons(ETH_P_ARP);
+ if (!src_hw)
+@@ -571,12 +571,13 @@ struct sk_buff *arp_create(int type, int ptype, __be32 dest_ip,
+ if (!dest_hw)
+ dest_hw = dev->broadcast;
+
+- /*
+- * Fill the device header for the ARP frame
++ /* Fill the device header for the ARP frame.
++ * Note: skb->head can be changed.
+ */
+ if (dev_hard_header(skb, dev, ptype, dest_hw, src_hw, skb->len) < 0)
+ goto out;
+
++ arp = arp_hdr(skb);
+ /*
+ * Fill out the arp protocol part.
+ *
+--
+2.51.0
+
diff --git a/queue-6.1/bnxt_en-fix-potential-data-corruption-with-hw-gro-lr.patch b/queue-6.1/bnxt_en-fix-potential-data-corruption-with-hw-gro-lr.patch
new file mode 100644
index 0000000000..2fa6a77016
--- /dev/null
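Review bot: In arp_create() (net/ipv4/arp.c), the new comment `Note: skb->head can be changed.` does not say what follows from it, and that consequence is what the next editor needs: a pointer into the skb data taken before dev_hard_header() may be stale after the call. I would spell it out next to the new assignment, e.g. `/* dev_hard_header() may change skb->head; take pointers into the skb only after it. */` above `arp = arp_hdr(skb);`. The rest of arp_create() is outside the hunks, so it is worth confirming that no other pointer derived from the skb before this call is still used after it.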
+++ b/queue-6.1/bnxt_en-fix-potential-data-corruption-with-hw-gro-lr.patch 
@@ -0,0 +1,88 @@
+From bcc4b86c8e8d8379c06f4120fdbeb12c8d426a86 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 31 Dec 2025 00:36:25 -0800
+Subject: bnxt_en: Fix potential data corruption with HW GRO/LRO
+
+From: Srijit Bose
+
+[ Upstream commit ffeafa65b2b26df2f5b5a6118d3174f17bd12ec5 ]
+
+Fix the max number of bits passed to find_first_zero_bit() in
+bnxt_alloc_agg_idx(). We were incorrectly passing the number of
+long words. find_first_zero_bit() may fail to find a zero bit and
+cause a wrong ID to be used. If the wrong ID is already in use, this
+can cause data corruption. Sometimes an error like this can also be
+seen:
+
+bnxt_en 0000:83:00.0 enp131s0np0: TPA end agg_buf 2 != expected agg_bufs 1
+
+Fix it by passing the correct number of bits MAX_TPA_P5. Use
+DECLARE_BITMAP() to more cleanly define the bitmap. Add a sanity
+check to warn if a bit cannot be found and reset the ring [MChan].
+
+Fixes: ec4d8e7cf024 ("bnxt_en: Add TPA ID mapping logic for 57500 chips.")
+Reviewed-by: Ray Jui
+Signed-off-by: Srijit Bose
+Signed-off-by: Michael Chan
+Reviewed-by: Vadim Fedorenko
+Link: https://patch.msgid.link/20251231083625.3911652-1-michael.chan@broadcom.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 15 ++++++++++++---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.h | 4 +---
+ 2 files changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index 2540402030bf1..a70870393b65c 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -1306,9 +1306,11 @@ static u16 bnxt_alloc_agg_idx(struct bnxt_rx_ring_info *rxr, u16 agg_id)
+ struct bnxt_tpa_idx_map *map = rxr->rx_tpa_idx_map;
+ u16 idx = agg_id & MAX_TPA_P5_MASK;
+
+- if (test_bit(idx, map->agg_idx_bmap))
+- idx = find_first_zero_bit(map->agg_idx_bmap,
+- BNXT_AGG_IDX_BMAP_SIZE);
++ if (test_bit(idx, map->agg_idx_bmap)) {
++ idx = find_first_zero_bit(map->agg_idx_bmap, MAX_TPA_P5);
++ if (idx >= MAX_TPA_P5)
++ return INVALID_HW_RING_ID;
++ }
+ __set_bit(idx, map->agg_idx_bmap);
+ map->agg_id_tbl[agg_id] = idx;
+ return idx;
+@@ -1341,6 +1343,13 @@ static void bnxt_tpa_start(struct bnxt *bp, struct bnxt_rx_ring_info *rxr,
+ if (bp->flags & BNXT_FLAG_CHIP_P5) {
+ agg_id = TPA_START_AGG_ID_P5(tpa_start);
+ agg_id = bnxt_alloc_agg_idx(rxr, agg_id);
++ if (unlikely(agg_id == INVALID_HW_RING_ID)) {
++ netdev_warn(bp->dev, "Unable to allocate agg ID for ring %d, agg 0x%x\n",
++ rxr->bnapi->index,
++ TPA_START_AGG_ID_P5(tpa_start));
++ bnxt_sched_reset_rxr(bp, rxr);
++ return;
++ }
+ } else {
+ agg_id = TPA_START_AGG_ID(tpa_start);
+ }
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.h b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
+index 111098b4b6062..4d27636aa200d 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
+@@ -897,11 +897,9 @@ struct bnxt_tpa_info {
+ struct rx_agg_cmp *agg_arr;
+ };
+
+-#define BNXT_AGG_IDX_BMAP_SIZE (MAX_TPA_P5 / BITS_PER_LONG)
+-
+ struct bnxt_tpa_idx_map {
+ u16 agg_id_tbl[1024];
+- unsigned long agg_idx_bmap[BNXT_AGG_IDX_BMAP_SIZE];
++ DECLARE_BITMAP(agg_idx_bmap, MAX_TPA_P5);
+ };
+
+ struct bnxt_rx_ring_info {
+--
+2.51.0
+
diff --git a/queue-6.1/bridge-fix-c-vlan-preservation-in-802.1ad-vlan_tunne.patch b/queue-6.1/bridge-fix-c-vlan-preservation-in-802.1ad-vlan_tunne.patch
new file mode 100644
index 0000000000..9ac6ad436d
--- /dev/null
+++ b/queue-6.1/bridge-fix-c-vlan-preservation-in-802.1ad-vlan_tunne.patch
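Review bot: In bnxt_tpa_start() (drivers/net/ethernet/broadcom/bnxt/bnxt.c), the new failure path calls `netdev_warn()` for every TPA start that cannot get an aggregation index, and nothing in the hunk limits the rate. bnxt_sched_reset_rxr() guards only the scheduling of the reset with `in_reset`, so further events that arrive before the reset runs would each print again; `netdev_warn_once(bp->dev, ...)`, which the RX buffer error path of this driver already uses, or a rate-limited print would bound that. Separately, a short comment on bnxt_alloc_agg_idx() saying that it returns INVALID_HW_RING_ID when the bitmap is full, and leaves `agg_id_tbl[agg_id]` untouched in that case, would make the new contract visible to any other caller. Both functions continue outside the hunks.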
@@ -0,0 +1,75 @@
+From 418c739efe236f56f8fcba18adb1d6fc69ea9d93 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 28 Dec 2025 03:00:57 +0100
+Subject: bridge: fix C-VLAN preservation in 802.1ad vlan_tunnel egress
+
+From: Alexandre Knecht
+
+[ Upstream commit 3128df6be147768fe536986fbb85db1d37806a9f ]
+
+When using an 802.1ad bridge with vlan_tunnel, the C-VLAN tag is
+incorrectly stripped from frames during egress processing.
+
+br_handle_egress_vlan_tunnel() uses skb_vlan_pop() to remove the S-VLAN
+from hwaccel before VXLAN encapsulation. However, skb_vlan_pop() also
+moves any "next" VLAN from the payload into hwaccel:
+
+ /* move next vlan tag to hw accel tag */
+ __skb_vlan_pop(skb, &vlan_tci);
+ __vlan_hwaccel_put_tag(skb, vlan_proto, vlan_tci);
+
+For QinQ frames where the C-VLAN sits in the payload, this moves it to
+hwaccel where it gets lost during VXLAN encapsulation.
+
+Fix by calling __vlan_hwaccel_clear_tag() directly, which clears only
+the hwaccel S-VLAN and leaves the payload untouched.
+
+This path is only taken when vlan_tunnel is enabled and tunnel_info
+is configured, so 802.1Q bridges are unaffected.
+
+Tested with 802.1ad bridge + VXLAN vlan_tunnel, verified C-VLAN
+preserved in VXLAN payload via tcpdump.
+
+Fixes: 11538d039ac6 ("bridge: vlan dst_metadata hooks in ingress and egress paths")
+Signed-off-by: Alexandre Knecht
+Reviewed-by: Ido Schimmel
+Acked-by: Nikolay Aleksandrov
+Link: https://patch.msgid.link/20251228020057.2788865-1-knecht.alexandre@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/bridge/br_vlan_tunnel.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/net/bridge/br_vlan_tunnel.c b/net/bridge/br_vlan_tunnel.c
+index 6399a8a69d076..0f03572d89d09 100644
+--- a/net/bridge/br_vlan_tunnel.c
++++ b/net/bridge/br_vlan_tunnel.c
+@@ -187,7 +187,6 @@ int br_handle_egress_vlan_tunnel(struct sk_buff *skb,
+ {
+ struct metadata_dst *tunnel_dst;
+ __be64 tunnel_id;
+- int err;
+
+ if (!vlan)
+ return 0;
+@@ -197,9 +196,13 @@ int br_handle_egress_vlan_tunnel(struct sk_buff *skb,
+ return 0;
+
+ skb_dst_drop(skb);
+- err = skb_vlan_pop(skb);
+- if (err)
+- return err;
++ /* For 802.1ad (QinQ), skb_vlan_pop() incorrectly moves the C-VLAN
++ * from payload to hwaccel after clearing S-VLAN. We only need to
++ * clear the hwaccel S-VLAN; the C-VLAN must stay in payload for
++ * correct VXLAN encapsulation. This is also correct for 802.1Q
++ * where no C-VLAN exists in payload.
++ */
++ __vlan_hwaccel_clear_tag(skb);
+
+ tunnel_dst = rcu_dereference(vlan->tinfo.tunnel_dst);
+ if (tunnel_dst && dst_hold_safe(&tunnel_dst->dst))
+--
+2.51.0
+
diff --git a/queue-6.1/eth-bnxt-move-and-rename-reset-helpers.patch b/queue-6.1/eth-bnxt-move-and-rename-reset-helpers.patch
new file mode 100644
index 0000000000..9c26b8f71a
--- /dev/null
+++ b/queue-6.1/eth-bnxt-move-and-rename-reset-helpers.patch
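Review bot: In br_handle_egress_vlan_tunnel() (net/bridge/br_vlan_tunnel.c), `__vlan_hwaccel_clear_tag(skb)` clears only the hardware-accelerated tag, so the new code relies on the S-VLAN always being carried in hwaccel when this path runs. The replaced skb_vlan_pop() call could fail and its error was returned to the caller; the new call cannot report anything, which is fine only under that assumption. The hunks do not show where the tag is placed, so I would state the assumption in the new comment, e.g. add the line `* The S-VLAN is expected in hwaccel at this point.`, or confirm it against the callers.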
@@ -0,0 +1,145 @@
+From 574e5cd67d0fbe235ef3d775ff322e6bf9f6c929 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Jul 2023 18:04:38 -0700
+Subject: eth: bnxt: move and rename reset helpers
+
+From: Jakub Kicinski
+
+[ Upstream commit fea2993aecd74d5d11ede1ebbd60e478ebfed996 ]
+
+Move the reset helpers, subsequent patches will need some
+of them on the Tx path.
+
+While at it rename bnxt_sched_reset(), on more recent chips
+it schedules a queue reset, instead of a fuller reset.
+
+Link: https://lore.kernel.org/r/20230720010440.1967136-2-kuba@kernel.org
+Reviewed-by: Michael Chan
+Signed-off-by: Jakub Kicinski
+Stable-dep-of: ffeafa65b2b2 ("bnxt_en: Fix potential data corruption with HW GRO/LRO")
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 72 +++++++++++------------
+ 1 file changed, 36 insertions(+), 36 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index 6b1245a3ab4b1..2540402030bf1 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -293,6 +293,38 @@ static void bnxt_db_cq(struct bnxt *bp, struct bnxt_db_info *db, u32 idx)
+ BNXT_DB_CQ(db, idx);
+ }
+
++static void bnxt_queue_fw_reset_work(struct bnxt *bp, unsigned long delay)
++{
++ if (!(test_bit(BNXT_STATE_IN_FW_RESET, &bp->state)))
++ return;
++
++ if (BNXT_PF(bp))
++ queue_delayed_work(bnxt_pf_wq, &bp->fw_reset_task, delay);
++ else
++ schedule_delayed_work(&bp->fw_reset_task, delay);
++}
++
++static void bnxt_queue_sp_work(struct bnxt *bp)
++{
++ if (BNXT_PF(bp))
++ queue_work(bnxt_pf_wq, &bp->sp_task);
++ else
++ schedule_work(&bp->sp_task);
++}
++
++static void bnxt_sched_reset_rxr(struct bnxt *bp, struct bnxt_rx_ring_info *rxr)
++{
++ if (!rxr->bnapi->in_reset) {
++ rxr->bnapi->in_reset = true;
++ if (bp->flags & BNXT_FLAG_CHIP_P5)
++ set_bit(BNXT_RESET_TASK_SP_EVENT, &bp->sp_event);
++ else
++ set_bit(BNXT_RST_RING_SP_EVENT, &bp->sp_event);
++ bnxt_queue_sp_work(bp);
++ }
++ rxr->rx_next_cons = 0xffff;
++}
++
+ const u16 bnxt_lhint_arr[] = {
+ TX_BD_FLAGS_LHINT_512_AND_SMALLER,
+ TX_BD_FLAGS_LHINT_512_TO_1023,
+@@ -1269,38 +1301,6 @@ static int bnxt_discard_rx(struct bnxt *bp, struct bnxt_cp_ring_info *cpr,
+ return 0;
+ }
+
+-static void bnxt_queue_fw_reset_work(struct bnxt *bp, unsigned long delay)
+-{
+- if (!(test_bit(BNXT_STATE_IN_FW_RESET, &bp->state)))
+- return;
+-
+- if (BNXT_PF(bp))
+- queue_delayed_work(bnxt_pf_wq, &bp->fw_reset_task, delay);
+- else
+- schedule_delayed_work(&bp->fw_reset_task, delay);
+-}
+-
+-static void bnxt_queue_sp_work(struct bnxt *bp)
+-{
+- if (BNXT_PF(bp))
+- queue_work(bnxt_pf_wq, &bp->sp_task);
+- else
+- schedule_work(&bp->sp_task);
+-}
+-
+-static void bnxt_sched_reset(struct bnxt *bp, struct bnxt_rx_ring_info *rxr)
+-{
+- if (!rxr->bnapi->in_reset) {
+- rxr->bnapi->in_reset = true;
+- if (bp->flags & BNXT_FLAG_CHIP_P5)
+- set_bit(BNXT_RESET_TASK_SP_EVENT, &bp->sp_event);
+- else
+- set_bit(BNXT_RST_RING_SP_EVENT, &bp->sp_event);
+- bnxt_queue_sp_work(bp);
+- }
+- rxr->rx_next_cons = 0xffff;
+-}
+-
+ static u16 bnxt_alloc_agg_idx(struct bnxt_rx_ring_info *rxr, u16 agg_id)
+ {
+ struct bnxt_tpa_idx_map *map = rxr->rx_tpa_idx_map;
+@@ -1355,7 +1355,7 @@ static void bnxt_tpa_start(struct bnxt *bp, struct bnxt_rx_ring_info *rxr,
+ netdev_warn(bp->dev, "TPA cons %x, expected cons %x, error code %x\n",
+ cons, rxr->rx_next_cons,
+ TPA_START_ERROR_CODE(tpa_start1));
+- bnxt_sched_reset(bp, rxr);
++ bnxt_sched_reset_rxr(bp, rxr);
+ return;
+ }
+ /* Store cfa_code in tpa_info to use in tpa_end
+@@ -1895,7 +1895,7 @@ static int bnxt_rx_pkt(struct bnxt *bp, struct bnxt_cp_ring_info *cpr,
+ if (rxr->rx_next_cons != 0xffff)
+ netdev_warn(bp->dev, "RX cons %x != expected cons %x\n",
+ cons, rxr->rx_next_cons);
+- bnxt_sched_reset(bp, rxr);
++ bnxt_sched_reset_rxr(bp, rxr);
+ if (rc1)
+ return rc1;
+ goto next_rx_no_prod_no_len;
+@@ -1933,7 +1933,7 @@ static int bnxt_rx_pkt(struct bnxt *bp, struct bnxt_cp_ring_info *cpr,
+ !(bp->fw_cap & BNXT_FW_CAP_RING_MONITOR)) {
+ netdev_warn_once(bp->dev, "RX buffer error %x\n",
+ rx_err);
+- bnxt_sched_reset(bp, rxr);
++ bnxt_sched_reset_rxr(bp, rxr);
+ }
+ }
+ goto next_rx_no_len;
+@@ -2371,7 +2371,7 @@ static int bnxt_async_event_process(struct bnxt *bp,
+ goto async_event_process_exit;
+ }
+ rxr = bp->bnapi[grp_idx]->rx_ring;
+- bnxt_sched_reset(bp, rxr);
++ bnxt_sched_reset_rxr(bp, rxr);
+ goto async_event_process_exit;
+ }
+ case ASYNC_EVENT_CMPL_EVENT_ID_ECHO_REQUEST: {
+--
+2.51.0
+
diff --git a/queue-6.1/hid-quirks-work-around-vid-pid-conflict-for-appledis.patch b/queue-6.1/hid-quirks-work-around-vid-pid-conflict-for-appledis.patch
new file mode 100644
index 0000000000..c64fdc8199
--- /dev/null
+++ b/queue-6.1/hid-quirks-work-around-vid-pid-conflict-for-appledis.patch
@@ -0,0 +1,47 @@
+From a9921b8ea072bc7a32b3470c2052388e39188a01 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 28 Nov 2025 13:46:41 +0100
+Subject: HID: quirks: work around VID/PID conflict for appledisplay
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: RenÃ© Rebe
+
+[ Upstream commit c7fabe4ad9219866c203164a214c474c95b36bf2 ]
+
+For years I wondered why the Apple Cinema Display driver would not
+just work for me. Turns out the hidraw driver instantly takes it
+over. Fix by adding appledisplay VID/PIDs to hid_have_special_driver.
+
+Fixes: 069e8a65cd79 ("Driver for Apple Cinema Display")
+Signed-off-by: RenÃ© Rebe
+Signed-off-by: Jiri Kosina
+Signed-off-by: Sasha Levin
+---
+ drivers/hid/hid-quirks.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c
+index 249e626d1c6a3..b6bec3614cfea 100644
+--- a/drivers/hid/hid-quirks.c
++++ b/drivers/hid/hid-quirks.c
+@@ -220,6 +220,15 @@ static const struct hid_device_id hid_quirks[] = {
+ * used as a driver. See hid_scan_report().
+ */
+ static const struct hid_device_id hid_have_special_driver[] = {
++#if IS_ENABLED(CONFIG_APPLEDISPLAY)
++ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x9218) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x9219) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x921c) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x921d) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x9222) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x9226) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x9236) },
++#endif
+ #if IS_ENABLED(CONFIG_HID_A4TECH)
+ { HID_USB_DEVICE(USB_VENDOR_ID_A4TECH, USB_DEVICE_ID_A4TECH_WCP32PU) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_A4TECH, USB_DEVICE_ID_A4TECH_X5_005D) },
+--
+2.51.0
+
diff --git a/queue-6.1/inet-ping-fix-icmp-out-counting.patch b/queue-6.1/inet-ping-fix-icmp-out-counting.patch
new file mode 100644
index 0000000000..76f09c0e2c
--- /dev/null
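Review bot: The seven new entries in hid_have_special_driver[] (drivers/hid/hid-quirks.c) use bare product IDs, `0x9218` through `0x9236`, while the neighbouring entries use named constants such as `USB_DEVICE_ID_A4TECH_WCP32PU`. Named constants, or at least a comment above the `#if IS_ENABLED(CONFIG_APPLEDISPLAY)` block such as `/* Must match the device table of the appledisplay driver */`, would show where the list comes from and that it has to be kept in sync with that driver, whose table is not visible here. The array continues outside the hunk.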
+++ b/queue-6.1/inet-ping-fix-icmp-out-counting.patch
@@ -0,0 +1,55 @@
+From f25b11857bbbf306e8f6db9df772409aa29ecfb3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 24 Dec 2025 14:31:45 +0800
+Subject: inet: ping: Fix icmp out counting
+
+From: yuan.gao
+
+[ Upstream commit 4c0856c225b39b1def6c9a6bc56faca79550da13 ]
+
+When the ping program uses an IPPROTO_ICMP socket to send ICMP_ECHO
+messages, ICMP_MIB_OUTMSGS is counted twice.
+
+ ping_v4_sendmsg
+ ping_v4_push_pending_frames
+ ip_push_pending_frames
+ ip_finish_skb
+ __ip_make_skb
+ icmp_out_count(net, icmp_type); // first count
+ icmp_out_count(sock_net(sk), user_icmph.type); // second count
+
+However, when the ping program uses an IPPROTO_RAW socket,
+ICMP_MIB_OUTMSGS is counted correctly only once.
+
+Therefore, the first count should be removed.
+
+Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
+Signed-off-by: yuan.gao
+Reviewed-by: Ido Schimmel
+Tested-by: Ido Schimmel
+Link: https://patch.msgid.link/20251224063145.3615282-1-yuan.gao@ucloud.cn
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/ping.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
+index 5178a3f3cb537..cadf743ab4f52 100644
+--- a/net/ipv4/ping.c
++++ b/net/ipv4/ping.c
+@@ -848,10 +848,8 @@ static int ping_v4_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
+ out_free:
+ if (free)
+ kfree(ipc.opt);
+- if (!err) {
+- icmp_out_count(sock_net(sk), user_icmph.type);
++ if (!err)
+ return len;
+- }
+ return err;
+
+ do_confirm:
+--
+2.51.0
+
diff --git a/queue-6.1/net-enetc-fix-build-warning-when-page_size-is-greate.patch b/queue-6.1/net-enetc-fix-build-warning-when-page_size-is-greate.patch
new file mode 100644
index 0000000000..0d2308e7d1
--- /dev/null
+++ b/queue-6.1/net-enetc-fix-build-warning-when-page_size-is-greate.patch
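Review bot: The description of this patch says the first count should be removed, but the hunk in ping_v4_sendmsg() (net/ipv4/ping.c) deletes `icmp_out_count(sock_net(sk), user_icmph.type)`, which the call trace in the same description labels as the second count. The code and the trace agree with each other, so this looks like a wording slip in the message only. Nothing at the `out_free:` label now explains why a successful send does not bump the counter there, so a one-line comment before `if (!err)`, such as `/* ICMP_MIB_OUTMSGS is already counted in __ip_make_skb() */` (the location is taken from the trace in the description), would keep the call from being added back. The function body starts outside the hunk.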
@@ -0,0 +1,49 @@ +From 5624243f72b0eb7b7fdf810afeb1ff0b476cf50a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jan 2026 17:12:04 +0800 +Subject: net: enetc: fix build warning when PAGE_SIZE is greater than 128K + +From: Wei Fang + +[ Upstream commit 4b5bdabb5449b652122e43f507f73789041d4abe ] + +The max buffer size of ENETC RX BD is 0xFFFF bytes, so if the PAGE_SIZE +is greater than 128K, ENETC_RXB_DMA_SIZE and ENETC_RXB_DMA_SIZE_XDP will +be greater than 0xFFFF, thus causing a build warning. + +This will not cause any practical issues because ENETC is currently only +used on the ARM64 platform, and the max PAGE_SIZE is 64K. So this patch +is only for fixing the build warning that occurs when compiling ENETC +drivers for other platforms. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202601050637.kHEKKOG7-lkp@intel.com/ +Fixes: e59bc32df2e9 ("net: enetc: correct the value of ENETC_RXB_TRUESIZE") +Signed-off-by: Wei Fang +Reviewed-by: Frank Li +Link: https://patch.msgid.link/20260107091204.1980222-1-wei.fang@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/enetc/enetc.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/enetc/enetc.h b/drivers/net/ethernet/freescale/enetc/enetc.h +index aacdfe98b65ab..d2ad5be02a0d8 100644 +--- a/drivers/net/ethernet/freescale/enetc/enetc.h ++++ b/drivers/net/ethernet/freescale/enetc/enetc.h +@@ -43,9 +43,9 @@ struct enetc_tx_swbd { + #define ENETC_RXB_TRUESIZE (PAGE_SIZE >> 1) + #define ENETC_RXB_PAD NET_SKB_PAD /* add extra space if needed */ + #define ENETC_RXB_DMA_SIZE \ +- (SKB_WITH_OVERHEAD(ENETC_RXB_TRUESIZE) - ENETC_RXB_PAD) ++ min(SKB_WITH_OVERHEAD(ENETC_RXB_TRUESIZE) - ENETC_RXB_PAD, 0xffff) + #define ENETC_RXB_DMA_SIZE_XDP \ +- (SKB_WITH_OVERHEAD(ENETC_RXB_TRUESIZE) - XDP_PACKET_HEADROOM) ++ min(SKB_WITH_OVERHEAD(ENETC_RXB_TRUESIZE) - XDP_PACKET_HEADROOM, 0xffff) + + 
struct enetc_rx_swbd { + dma_addr_t dma; +-- +2.51.0 + diff --git a/queue-6.1/net-fix-memory-leak-in-skb_segment_list-for-gro-pack.patch b/queue-6.1/net-fix-memory-leak-in-skb_segment_list-for-gro-pack.patch new file mode 100644 index 0000000000..5b2491233d --- /dev/null +++ b/queue-6.1/net-fix-memory-leak-in-skb_segment_list-for-gro-pack.patch 
@@ -0,0 +1,108 @@
+From 6a249a4aa5ce6e197d900ac66f5b0e3f7460389b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 4 Jan 2026 23:31:01 +0200
+Subject: net: fix memory leak in skb_segment_list for GRO packets
+
+From: Mohammad Heib
+
+[ Upstream commit 238e03d0466239410b72294b79494e43d4fabe77 ]
+
+When skb_segment_list() is called during packet forwarding, it handles
+packets that were aggregated by the GRO engine.
+
+Historically, the segmentation logic in skb_segment_list assumes that
+individual segments are split from a parent SKB and may need to carry
+their own socket memory accounting. Accordingly, the code transfers
+truesize from the parent to the newly created segments.
+
+Prior to commit ed4cccef64c1 ("gro: fix ownership transfer"), this
+truesize subtraction in skb_segment_list() was valid because fragments
+still carry a reference to the original socket.
+
+However, commit ed4cccef64c1 ("gro: fix ownership transfer") changed
+this behavior by ensuring that fraglist entries are explicitly
+orphaned (skb->sk = NULL) to prevent illegal orphaning later in the
+stack. This change meant that the entire socket memory charge remained
+with the head SKB, but the corresponding accounting logic in
+skb_segment_list() was never updated.
+
+As a result, the current code unconditionally adds each fragment's
+truesize to delta_truesize and subtracts it from the parent SKB. Since
+the fragments are no longer charged to the socket, this subtraction
+results in an effective under-count of memory when the head is freed.
+This causes sk_wmem_alloc to remain non-zero, preventing socket
+destruction and leading to a persistent memory leak.
+
+The leak can be observed via KMEMLEAK when tearing down the networking
+environment:
+
+unreferenced object 0xffff8881e6eb9100 (size 2048):
+ comm "ping", pid 6720, jiffies 4295492526
+ backtrace:
+ kmem_cache_alloc_noprof+0x5c6/0x800
+ sk_prot_alloc+0x5b/0x220
+ sk_alloc+0x35/0xa00
+ inet6_create.part.0+0x303/0x10d0
+ __sock_create+0x248/0x640
+ __sys_socket+0x11b/0x1d0
+
+Since skb_segment_list() is exclusively used for SKB_GSO_FRAGLIST
+packets constructed by GRO, the truesize adjustment is removed.
+
+The call to skb_release_head_state() must be preserved. As documented in
+commit cf673ed0e057 ("net: fix fraglist segmentation reference count
+leak"), it is still required to correctly drop references to SKB
+extensions that may be overwritten during __copy_skb_header().
+
+Fixes: ed4cccef64c1 ("gro: fix ownership transfer")
+Signed-off-by: Mohammad Heib
+Reviewed-by: Willem de Bruijn
+Link: https://patch.msgid.link/20260104213101.352887-1-mheib@redhat.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/core/skbuff.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/net/core/skbuff.c b/net/core/skbuff.c
+index d8a3ada886ffb..ef24911af05a8 100644
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -4045,12 +4045,14 @@ struct sk_buff *skb_segment_list(struct sk_buff *skb,
+ {
+ struct sk_buff *list_skb = skb_shinfo(skb)->frag_list;
+ unsigned int tnl_hlen = skb_tnl_header_len(skb);
+- unsigned int delta_truesize = 0;
+ unsigned int delta_len = 0;
+ struct sk_buff *tail = NULL;
+ struct sk_buff *nskb, *tmp;
+ int len_diff, err;
+
++ /* Only skb_gro_receive_list generated skbs arrive here */
++ DEBUG_NET_WARN_ON_ONCE(!(skb_shinfo(skb)->gso_type & SKB_GSO_FRAGLIST));
++
+ skb_push(skb, -skb_network_offset(skb) + offset);
+
+ /* Ensure the head is writeable before touching the shared info */
+@@ -4064,8 +4066,9 @@ struct sk_buff *skb_segment_list(struct sk_buff *skb,
+ nskb = list_skb;
+ list_skb = list_skb->next;
+
++ DEBUG_NET_WARN_ON_ONCE(nskb->sk);
++
+ err = 0;
+- delta_truesize += nskb->truesize;
+ if (skb_shared(nskb)) {
+ tmp = skb_clone(nskb, GFP_ATOMIC);
+ if (tmp) {
+@@ -4108,7 +4111,6 @@ struct sk_buff *skb_segment_list(struct sk_buff *skb,
+ goto err_linearize;
+ }
+
+- skb->truesize = skb->truesize - delta_truesize;
+ skb->data_len = skb->data_len - delta_len;
+ skb->len = skb->len - delta_len;
+
+--
+2.51.0
+
diff --git a/queue-6.1/net-marvell-prestera-fix-null-dereference-on-devlink.patch b/queue-6.1/net-marvell-prestera-fix-null-dereference-on-devlink.patch
new file mode 100644
index 0000000000..121adfd9eb
--- /dev/null
+++ b/queue-6.1/net-marvell-prestera-fix-null-dereference-on-devlink.patch
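Review bot: Both new checks in skb_segment_list() (net/core/skbuff.c) use `DEBUG_NET_WARN_ON_ONCE()`, which to my knowledge is active only when the kernel is built with CONFIG_DEBUG_NET, so a production build gets no signal if a frag_list skb still owns a socket or the head is not SKB_GSO_FRAGLIST. With the truesize transfer removed, the socket memory accounting depends entirely on that invariant. I would record it where the subtraction used to be, e.g. `/* frag_list skbs were orphaned by GRO; all truesize stays charged to the head skb */` above `skb->data_len = skb->data_len - delta_len;`. The function starts and ends outside the hunks.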
@@ -0,0 +1,44 @@
+From bb4879700aef5556d51b55df198f9fcea483927c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 29 Dec 2025 21:21:18 -0800
+Subject: net: marvell: prestera: fix NULL dereference on devlink_alloc()
+ failure
+
+From: Alok Tiwari
+
+[ Upstream commit a428e0da1248c353557970848994f35fd3f005e2 ]
+
+devlink_alloc() may return NULL on allocation failure, but
+prestera_devlink_alloc() unconditionally calls devlink_priv() on
+the returned pointer.
+
+This leads to a NULL pointer dereference if devlink allocation fails.
+Add a check for a NULL devlink pointer and return NULL early to avoid
+the crash.
+
+Fixes: 34dd1710f5a3 ("net: marvell: prestera: Add basic devlink support")
+Signed-off-by: Alok Tiwari
+Acked-by: Elad Nachman
+Link: https://patch.msgid.link/20251230052124.897012-1-alok.a.tiwari@oracle.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/marvell/prestera/prestera_devlink.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/marvell/prestera/prestera_devlink.c b/drivers/net/ethernet/marvell/prestera/prestera_devlink.c
+index 06279cd6da674..8f0ae62d4a893 100644
+--- a/drivers/net/ethernet/marvell/prestera/prestera_devlink.c
++++ b/drivers/net/ethernet/marvell/prestera/prestera_devlink.c
+@@ -392,6 +392,8 @@ struct prestera_switch *prestera_devlink_alloc(struct prestera_device *dev)
+
+ dl = devlink_alloc(&prestera_dl_ops, sizeof(struct prestera_switch),
+ dev->dev);
++ if (!dl)
++ return NULL;
+
+ return devlink_priv(dl);
+ }
+--
+2.51.0
+
diff --git a/queue-6.1/net-mlx5e-don-t-print-error-message-due-to-invalid-m.patch b/queue-6.1/net-mlx5e-don-t-print-error-message-due-to-invalid-m.patch
new file mode 100644
index 0000000000..95dae224be
--- /dev/null
+++ b/queue-6.1/net-mlx5e-don-t-print-error-message-due-to-invalid-m.patch
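Review bot: prestera_devlink_alloc() (drivers/net/ethernet/marvell/prestera/prestera_devlink.c) now returns NULL when devlink_alloc() fails, which hands the failure to its callers, and none of them is visible in this hunk. It is worth confirming that every caller checks the result before using the returned `struct prestera_switch` pointer; otherwise the NULL dereference only moves one frame up. A short comment on the function, e.g. `/* Returns NULL if devlink_alloc() fails; callers must check. */`, would document the contract.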
@@ -0,0 +1,50 @@
+From ad0628601bcd2dd7b7d4367e5f9ffc402e4b5811 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 25 Dec 2025 15:27:16 +0200
+Subject: net/mlx5e: Don't print error message due to invalid module
+
+From: Gal Pressman
+
+[ Upstream commit 144297e2a24e3e54aee1180ec21120ea38822b97 ]
+
+Dumping module EEPROM on newer modules is supported through the netlink
+interface only.
+
+Querying with old userspace ethtool (or other tools, such as 'lshw')
+which still uses the ioctl interface results in an error message that
+could flood dmesg (in addition to the expected error return value).
+The original message was added under the assumption that the driver
+should be able to handle all module types, but now that such flows are
+easily triggered from userspace, it doesn't serve its purpose.
+
+Change the log level of the print in mlx5_query_module_eeprom() to
+debug.
+
+Fixes: bb64143eee8c ("net/mlx5e: Add ethtool support for dump module EEPROM")
+Signed-off-by: Gal Pressman
+Reviewed-by: Tariq Toukan
+Signed-off-by: Mark Bloch
+Link: https://patch.msgid.link/20251225132717.358820-5-mbloch@nvidia.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/mellanox/mlx5/core/port.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/port.c b/drivers/net/ethernet/mellanox/mlx5/core/port.c
+index a1548e6bfb35d..28ec31722ec2f 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/port.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/port.c
+@@ -432,7 +432,8 @@ int mlx5_query_module_eeprom(struct mlx5_core_dev *dev,
+ mlx5_qsfp_eeprom_params_set(&query.i2c_address, &query.page, &offset);
+ break;
+ default:
+- mlx5_core_err(dev, "Module ID not recognized: 0x%x\n", module_id);
++ mlx5_core_dbg(dev, "Module ID not recognized: 0x%x\n",
++ module_id);
+ return -EINVAL;
+ }
+
+--
+2.51.0
+
diff --git a/queue-6.1/net-mscc-ocelot-fix-crash-when-adding-interface-unde.patch b/queue-6.1/net-mscc-ocelot-fix-crash-when-adding-interface-unde.patch
new file mode 100644
index 0000000000..66c3e41606
--- /dev/null
+++ b/queue-6.1/net-mscc-ocelot-fix-crash-when-adding-interface-unde.patch
@@ -0,0 +1,56 @@ +From fe9cf2c48c0ae4dd14edcd3f80adbac54fcff449 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Dec 2025 20:36:17 +0000 +Subject: net: mscc: ocelot: Fix crash when adding interface under a lag + +From: Jerry Wu + +[ Upstream commit 34f3ff52cb9fa7dbf04f5c734fcc4cb6ed5d1a95 ] + +Commit 15faa1f67ab4 ("lan966x: Fix crash when adding interface under a lag") +fixed a similar issue in the lan966x driver caused by a NULL pointer dereference. +The ocelot_set_aggr_pgids() function in the ocelot driver has similar logic +and is susceptible to the same crash. + +This issue specifically affects the ocelot_vsc7514.c frontend, which leaves +unused ports as NULL pointers. The felix_vsc9959.c frontend is unaffected as +it uses the DSA framework which registers all ports. + +Fix this by checking if the port pointer is valid before accessing it. + +Fixes: 528d3f190c98 ("net: mscc: ocelot: drop the use of the "lags" array") +Signed-off-by: Jerry Wu +Reviewed-by: Vladimir Oltean +Link: https://patch.msgid.link/tencent_75EF812B305E26B0869C673DD1160866C90A@qq.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mscc/ocelot.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mscc/ocelot.c b/drivers/net/ethernet/mscc/ocelot.c +index 203cb4978544a..01417c2a61e23 100644 +--- a/drivers/net/ethernet/mscc/ocelot.c ++++ b/drivers/net/ethernet/mscc/ocelot.c +@@ -2202,14 +2202,16 @@ static void ocelot_set_aggr_pgids(struct ocelot *ocelot) + + /* Now, set PGIDs for each active LAG */ + for (lag = 0; lag < ocelot->num_phys_ports; lag++) { +- struct net_device *bond = ocelot->ports[lag]->bond; ++ struct ocelot_port *ocelot_port = ocelot->ports[lag]; + int num_active_ports = 0; ++ struct net_device *bond; + unsigned long bond_mask; + u8 aggr_idx[16]; + +- if (!bond || (visited & BIT(lag))) ++ if (!ocelot_port || !ocelot_port->bond || (visited & BIT(lag))) + continue; + ++ bond = 
ocelot_port->bond; + bond_mask = ocelot_get_bond_mask(ocelot, bond); + + for_each_set_bit(port, &bond_mask, ocelot->num_phys_ports) { +-- +2.51.0 + diff --git a/queue-6.1/net-sched-sch_qfq-fix-null-deref-when-deactivating-i.patch b/queue-6.1/net-sched-sch_qfq-fix-null-deref-when-deactivating-i.patch new file mode 100644 index 0000000000..f7a7aaa061 --- /dev/null +++ b/queue-6.1/net-sched-sch_qfq-fix-null-deref-when-deactivating-i.patch 
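Review bot: The new NULL test in the `for (lag = 0; ...)` loop of ocelot_set_aggr_pgids() carries no comment saying why a port slot can be empty, so the guard looks redundant to anyone who only knows the DSA frontend. The commit message gives the reason (the ocelot_vsc7514.c frontend leaves unused ports as NULL pointers); I would keep that with the code, e.g. `/* Unused ports are NULL on the ocelot_vsc7514 frontend */` above the `if`. The inner `for_each_set_bit(port, &bond_mask, ...)` loop continues outside the hunk, so whether it indexes `ocelot->ports[port]` under the same assumption cannot be judged from here and is worth confirming.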
@@ -0,0 +1,162 @@ +From 2ca383e2b950899e122a2d4176402948ef6818d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jan 2026 20:41:00 -0700 +Subject: net/sched: sch_qfq: Fix NULL deref when deactivating inactive + aggregate in qfq_reset + +From: Xiang Mei + +[ Upstream commit c1d73b1480235731e35c81df70b08f4714a7d095 ] + +`qfq_class->leaf_qdisc->q.qlen > 0` does not imply that the class +itself is active. + +Two qfq_class objects may point to the same leaf_qdisc. This happens +when: + +1. one QFQ qdisc is attached to the dev as the root qdisc, and + +2. another QFQ qdisc is temporarily referenced (e.g., via qdisc_get() +/ qdisc_put()) and is pending to be destroyed, as in function +tc_new_tfilter. + +When packets are enqueued through the root QFQ qdisc, the shared +leaf_qdisc->q.qlen increases. At the same time, the second QFQ +qdisc triggers qdisc_put and qdisc_destroy: the qdisc enters +qfq_reset() with its own q->q.qlen == 0, but its class's leaf +qdisc->q.qlen > 0. Therefore, the qfq_reset would wrongly deactivate +an inactive aggregate and trigger a null-deref in qfq_deactivate_agg: + +[ 0.903172] BUG: kernel NULL pointer dereference, address: 0000000000000000 +[ 0.903571] #PF: supervisor write access in kernel mode +[ 0.903860] #PF: error_code(0x0002) - not-present page +[ 0.904177] PGD 10299b067 P4D 10299b067 PUD 10299c067 PMD 0 +[ 0.904502] Oops: Oops: 0002 [#1] SMP NOPTI +[ 0.904737] CPU: 0 UID: 0 PID: 135 Comm: exploit Not tainted 6.19.0-rc3+ #2 NONE +[ 0.905157] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014 +[ 0.905754] RIP: 0010:qfq_deactivate_agg (include/linux/list.h:992 (discriminator 2) include/linux/list.h:1006 (discriminator 2) net/sched/sch_qfq.c:1367 (discriminator 2) net/sched/sch_qfq.c:1393 (discriminator 2)) +[ 0.906046] Code: 0f 84 4d 01 00 00 48 89 70 18 8b 4b 10 48 c7 c2 ff ff ff ff 48 8b 78 08 48 d3 e2 48 21 f2 48 2b 13 48 8b 30 48 d3 ea 8b 4b 18 0 + +Code 
starting with the faulting instruction +=========================================== + 0: 0f 84 4d 01 00 00 je 0x153 + 6: 48 89 70 18 mov %rsi,0x18(%rax) + a: 8b 4b 10 mov 0x10(%rbx),%ecx + d: 48 c7 c2 ff ff ff ff mov $0xffffffffffffffff,%rdx + 14: 48 8b 78 08 mov 0x8(%rax),%rdi + 18: 48 d3 e2 shl %cl,%rdx + 1b: 48 21 f2 and %rsi,%rdx + 1e: 48 2b 13 sub (%rbx),%rdx + 21: 48 8b 30 mov (%rax),%rsi + 24: 48 d3 ea shr %cl,%rdx + 27: 8b 4b 18 mov 0x18(%rbx),%ecx + ... +[ 0.907095] RSP: 0018:ffffc900004a39a0 EFLAGS: 00010246 +[ 0.907368] RAX: ffff8881043a0880 RBX: ffff888102953340 RCX: 0000000000000000 +[ 0.907723] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 +[ 0.908100] RBP: ffff888102952180 R08: 0000000000000000 R09: 0000000000000000 +[ 0.908451] R10: ffff8881043a0000 R11: 0000000000000000 R12: ffff888102952000 +[ 0.908804] R13: ffff888102952180 R14: ffff8881043a0ad8 R15: ffff8881043a0880 +[ 0.909179] FS: 000000002a1a0380(0000) GS:ffff888196d8d000(0000) knlGS:0000000000000000 +[ 0.909572] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 0.909857] CR2: 0000000000000000 CR3: 0000000102993002 CR4: 0000000000772ef0 +[ 0.910247] PKRU: 55555554 +[ 0.910391] Call Trace: +[ 0.910527] +[ 0.910638] qfq_reset_qdisc (net/sched/sch_qfq.c:357 net/sched/sch_qfq.c:1485) +[ 0.910826] qdisc_reset (include/linux/skbuff.h:2195 include/linux/skbuff.h:2501 include/linux/skbuff.h:3424 include/linux/skbuff.h:3430 net/sched/sch_generic.c:1036) +[ 0.911040] __qdisc_destroy (net/sched/sch_generic.c:1076) +[ 0.911236] tc_new_tfilter (net/sched/cls_api.c:2447) +[ 0.911447] rtnetlink_rcv_msg (net/core/rtnetlink.c:6958) +[ 0.911663] ? __pfx_rtnetlink_rcv_msg (net/core/rtnetlink.c:6861) +[ 0.911894] netlink_rcv_skb (net/netlink/af_netlink.c:2550) +[ 0.912100] netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344) +[ 0.912296] ? 
__alloc_skb (net/core/skbuff.c:706) +[ 0.912484] netlink_sendmsg (net/netlink/af_netlink.c:1894) +[ 0.912682] sock_write_iter (net/socket.c:727 (discriminator 1) net/socket.c:742 (discriminator 1) net/socket.c:1195 (discriminator 1)) +[ 0.912880] vfs_write (fs/read_write.c:593 fs/read_write.c:686) +[ 0.913077] ksys_write (fs/read_write.c:738) +[ 0.913252] do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) +[ 0.913438] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131) +[ 0.913687] RIP: 0033:0x424c34 +[ 0.913844] Code: 89 02 48 c7 c0 ff ff ff ff eb bd 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 80 3d 2d 44 09 00 00 74 13 b8 01 00 00 00 0f 05 9 + +Code starting with the faulting instruction +=========================================== + 0: 89 02 mov %eax,(%rdx) + 2: 48 c7 c0 ff ff ff ff mov $0xffffffffffffffff,%rax + 9: eb bd jmp 0xffffffffffffffc8 + b: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1) + 12: 00 00 00 + 15: 90 nop + 16: f3 0f 1e fa endbr64 + 1a: 80 3d 2d 44 09 00 00 cmpb $0x0,0x9442d(%rip) # 0x9444e + 21: 74 13 je 0x36 + 23: b8 01 00 00 00 mov $0x1,%eax + 28: 0f 05 syscall + 2a: 09 .byte 0x9 +[ 0.914807] RSP: 002b:00007ffea1938b78 EFLAGS: 00000202 ORIG_RAX: 0000000000000001 +[ 0.915197] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000424c34 +[ 0.915556] RDX: 000000000000003c RSI: 000000002af378c0 RDI: 0000000000000003 +[ 0.915912] RBP: 00007ffea1938bc0 R08: 00000000004b8820 R09: 0000000000000000 +[ 0.916297] R10: 0000000000000001 R11: 0000000000000202 R12: 00007ffea1938d28 +[ 0.916652] R13: 00007ffea1938d38 R14: 00000000004b3828 R15: 0000000000000001 +[ 0.917039] +[ 0.917158] Modules linked in: +[ 0.917316] CR2: 0000000000000000 +[ 0.917484] ---[ end trace 0000000000000000 ]--- +[ 0.917717] RIP: 0010:qfq_deactivate_agg (include/linux/list.h:992 (discriminator 2) include/linux/list.h:1006 (discriminator 2) net/sched/sch_qfq.c:1367 (discriminator 2) 
net/sched/sch_qfq.c:1393 (discriminator 2)) +[ 0.917978] Code: 0f 84 4d 01 00 00 48 89 70 18 8b 4b 10 48 c7 c2 ff ff ff ff 48 8b 78 08 48 d3 e2 48 21 f2 48 2b 13 48 8b 30 48 d3 ea 8b 4b 18 0 + +Code starting with the faulting instruction +=========================================== + 0: 0f 84 4d 01 00 00 je 0x153 + 6: 48 89 70 18 mov %rsi,0x18(%rax) + a: 8b 4b 10 mov 0x10(%rbx),%ecx + d: 48 c7 c2 ff ff ff ff mov $0xffffffffffffffff,%rdx + 14: 48 8b 78 08 mov 0x8(%rax),%rdi + 18: 48 d3 e2 shl %cl,%rdx + 1b: 48 21 f2 and %rsi,%rdx + 1e: 48 2b 13 sub (%rbx),%rdx + 21: 48 8b 30 mov (%rax),%rsi + 24: 48 d3 ea shr %cl,%rdx + 27: 8b 4b 18 mov 0x18(%rbx),%ecx + ... +[ 0.918902] RSP: 0018:ffffc900004a39a0 EFLAGS: 00010246 +[ 0.919198] RAX: ffff8881043a0880 RBX: ffff888102953340 RCX: 0000000000000000 +[ 0.919559] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 +[ 0.919908] RBP: ffff888102952180 R08: 0000000000000000 R09: 0000000000000000 +[ 0.920289] R10: ffff8881043a0000 R11: 0000000000000000 R12: ffff888102952000 +[ 0.920648] R13: ffff888102952180 R14: ffff8881043a0ad8 R15: ffff8881043a0880 +[ 0.921014] FS: 000000002a1a0380(0000) GS:ffff888196d8d000(0000) knlGS:0000000000000000 +[ 0.921424] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 0.921710] CR2: 0000000000000000 CR3: 0000000102993002 CR4: 0000000000772ef0 +[ 0.922097] PKRU: 55555554 +[ 0.922240] Kernel panic - not syncing: Fatal exception +[ 0.922590] Kernel Offset: disabled + +Fixes: 0545a3037773 ("pkt_sched: QFQ - quick fair queue scheduler") +Signed-off-by: Xiang Mei +Link: https://patch.msgid.link/20260106034100.1780779-1-xmei5@asu.edu +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_qfq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c +index 896ff7c741110..80a7173843b90 100644 +--- a/net/sched/sch_qfq.c ++++ b/net/sched/sch_qfq.c +@@ -1483,7 +1483,7 @@ static void qfq_reset_qdisc(struct Qdisc 
*sch) + + for (i = 0; i < q->clhash.hashsize; i++) { + hlist_for_each_entry(cl, &q->clhash.hash[i], common.hnode) { +- if (cl->qdisc->q.qlen > 0) ++ if (cl_is_active(cl)) + qfq_deactivate_class(q, cl); + + qdisc_reset(cl->qdisc); +-- +2.51.0 + diff --git a/queue-6.1/net-sock-fix-hardened-usercopy-panic-in-sock_recv_er.patch b/queue-6.1/net-sock-fix-hardened-usercopy-panic-in-sock_recv_er.patch new file mode 100644 index 0000000000..58845435b0 --- /dev/null +++ b/queue-6.1/net-sock-fix-hardened-usercopy-panic-in-sock_recv_er.patch 
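Review bot: The replacement condition in qfq_reset_qdisc() calls `cl_is_active(cl)`, a helper this patch neither adds nor shows, so the 6.1 backport builds only if that helper already exists in the 6.1 tree's net/sched/sch_qfq.c. None of the entries this commit adds to queue-6.1/series appears to introduce it, so that should be confirmed before release (it may have arrived with an earlier stable backport). A one-line comment above the test would also keep the commit message's reasoning with the code, e.g. `/* leaf qlen may be non-zero while this class is inactive (shared leaf qdisc) */`. The loop body continues past the end of the hunk.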
@@ -0,0 +1,114 @@ +From 97ff4703c10a8fa9fca74a198eecc7de71379ce7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Dec 2025 04:35:35 +0800 +Subject: net: sock: fix hardened usercopy panic in sock_recv_errqueue + +From: Weiming Shi + +[ Upstream commit 2a71a1a8d0ed718b1c7a9ac61f07e5755c47ae20 ] + +skbuff_fclone_cache was created without defining a usercopy region, +[1] unlike skbuff_head_cache which properly whitelists the cb[] field. +[2] This causes a usercopy BUG() when CONFIG_HARDENED_USERCOPY is +enabled and the kernel attempts to copy sk_buff.cb data to userspace +via sock_recv_errqueue() -> put_cmsg(). + +The crash occurs when: 1. TCP allocates an skb using alloc_skb_fclone() + (from skbuff_fclone_cache) [1] +2. The skb is cloned via skb_clone() using the pre-allocated fclone +[3] 3. The cloned skb is queued to sk_error_queue for timestamp +reporting 4. Userspace reads the error queue via recvmsg(MSG_ERRQUEUE) +5. sock_recv_errqueue() calls put_cmsg() to copy serr->ee from skb->cb +[4] 6. __check_heap_object() fails because skbuff_fclone_cache has no + usercopy whitelist [5] + +When cloned skbs allocated from skbuff_fclone_cache are used in the +socket error queue, accessing the sock_exterr_skb structure in skb->cb +via put_cmsg() triggers a usercopy hardening violation: + +[ 5.379589] usercopy: Kernel memory exposure attempt detected from SLUB object 'skbuff_fclone_cache' (offset 296, size 16)! +[ 5.382796] kernel BUG at mm/usercopy.c:102! 
+[ 5.383923] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI +[ 5.384903] CPU: 1 UID: 0 PID: 138 Comm: poc_put_cmsg Not tainted 6.12.57 #7 +[ 5.384903] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 +[ 5.384903] RIP: 0010:usercopy_abort+0x6c/0x80 +[ 5.384903] Code: 1a 86 51 48 c7 c2 40 15 1a 86 41 52 48 c7 c7 c0 15 1a 86 48 0f 45 d6 48 c7 c6 80 15 1a 86 48 89 c1 49 0f 45 f3 e8 84 27 88 ff <0f> 0b 490 +[ 5.384903] RSP: 0018:ffffc900006f77a8 EFLAGS: 00010246 +[ 5.384903] RAX: 000000000000006f RBX: ffff88800f0ad2a8 RCX: 1ffffffff0f72e74 +[ 5.384903] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff87b973a0 +[ 5.384903] RBP: 0000000000000010 R08: 0000000000000000 R09: fffffbfff0f72e74 +[ 5.384903] R10: 0000000000000003 R11: 79706f6372657375 R12: 0000000000000001 +[ 5.384903] R13: ffff88800f0ad2b8 R14: ffffea00003c2b40 R15: ffffea00003c2b00 +[ 5.384903] FS: 0000000011bc4380(0000) GS:ffff8880bf100000(0000) knlGS:0000000000000000 +[ 5.384903] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 5.384903] CR2: 000056aa3b8e5fe4 CR3: 000000000ea26004 CR4: 0000000000770ef0 +[ 5.384903] PKRU: 55555554 +[ 5.384903] Call Trace: +[ 5.384903] +[ 5.384903] __check_heap_object+0x9a/0xd0 +[ 5.384903] __check_object_size+0x46c/0x690 +[ 5.384903] put_cmsg+0x129/0x5e0 +[ 5.384903] sock_recv_errqueue+0x22f/0x380 +[ 5.384903] tls_sw_recvmsg+0x7ed/0x1960 +[ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5 +[ 5.384903] ? schedule+0x6d/0x270 +[ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5 +[ 5.384903] ? mutex_unlock+0x81/0xd0 +[ 5.384903] ? __pfx_mutex_unlock+0x10/0x10 +[ 5.384903] ? __pfx_tls_sw_recvmsg+0x10/0x10 +[ 5.384903] ? _raw_spin_lock_irqsave+0x8f/0xf0 +[ 5.384903] ? _raw_read_unlock_irqrestore+0x20/0x40 +[ 5.384903] ? 
srso_alias_return_thunk+0x5/0xfbef5 + +The crash offset 296 corresponds to skb2->cb within skbuff_fclones: + - sizeof(struct sk_buff) = 232 - offsetof(struct sk_buff, cb) = 40 - + offset of skb2.cb in fclones = 232 + 40 = 272 - crash offset 296 = + 272 + 24 (inside sock_exterr_skb.ee) + +This patch uses a local stack variable as a bounce buffer to avoid the hardened usercopy check failure. + +[1] https://elixir.bootlin.com/linux/v6.12.62/source/net/ipv4/tcp.c#L885 +[2] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5104 +[3] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5566 +[4] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5491 +[5] https://elixir.bootlin.com/linux/v6.12.62/source/mm/slub.c#L5719 + +Fixes: 6d07d1cd300f ("usercopy: Restrict non-usercopy caches to size 0") +Reported-by: Xiang Mei +Signed-off-by: Weiming Shi +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20251223203534.1392218-2-bestswngs@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/sock.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/core/sock.c b/net/core/sock.c +index 7702033680e7b..6c178b4742666 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -3614,7 +3614,7 @@ void sock_enable_timestamp(struct sock *sk, enum sock_flags flag) + int sock_recv_errqueue(struct sock *sk, struct msghdr *msg, int len, + int level, int type) + { +- struct sock_exterr_skb *serr; ++ struct sock_extended_err ee; + struct sk_buff *skb; + int copied, err; + +@@ -3634,8 +3634,9 @@ int sock_recv_errqueue(struct sock *sk, struct msghdr *msg, int len, + + sock_recv_timestamp(msg, sk, skb); + +- serr = SKB_EXT_ERR(skb); +- put_cmsg(msg, level, type, sizeof(serr->ee), &serr->ee); ++ /* We must use a bounce buffer for CONFIG_HARDENED_USERCOPY=y */ ++ ee = SKB_EXT_ERR(skb)->ee; ++ put_cmsg(msg, level, type, sizeof(ee), &ee); + + msg->msg_flags |= MSG_ERRQUEUE; + err = 
copied; +-- +2.51.0 + diff --git a/queue-6.1/net-usb-pegasus-fix-memory-leak-in-update_eth_regs_a.patch b/queue-6.1/net-usb-pegasus-fix-memory-leak-in-update_eth_regs_a.patch new file mode 100644 index 0000000000..0f7617c7fa --- /dev/null +++ b/queue-6.1/net-usb-pegasus-fix-memory-leak-in-update_eth_regs_a.patch @@ -0,0 +1,37 @@ +From 32b948eba20db349a345d3fe51587683a328ba32 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Jan 2026 10:48:21 +0200 +Subject: net: usb: pegasus: fix memory leak in update_eth_regs_async() + +From: Petko Manolov + +[ Upstream commit afa27621a28af317523e0836dad430bec551eb54 ] + +When asynchronously writing to the device registers and if usb_submit_urb() +fail, the code fail to release allocated to this point resources. + +Fixes: 323b34963d11 ("drivers: net: usb: pegasus: fix control urb submission") +Signed-off-by: Petko Manolov +Link: https://patch.msgid.link/20260106084821.3746677-1-petko.manolov@konsulko.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/pegasus.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/usb/pegasus.c b/drivers/net/usb/pegasus.c +index 81ca64debc5b9..c514483134f05 100644 +--- a/drivers/net/usb/pegasus.c ++++ b/drivers/net/usb/pegasus.c +@@ -168,6 +168,8 @@ static int update_eth_regs_async(pegasus_t *pegasus) + netif_device_detach(pegasus->net); + netif_err(pegasus, drv, pegasus->net, + "%s returned %d\n", __func__, ret); ++ usb_free_urb(async_urb); ++ kfree(req); + } + return ret; + } +-- +2.51.0 + diff --git a/queue-6.1/net-wwan-iosm-fix-memory-leak-in-ipc_mux_deinit.patch b/queue-6.1/net-wwan-iosm-fix-memory-leak-in-ipc_mux_deinit.patch new file mode 100644 index 0000000000..cc25b11b44 --- /dev/null +++ b/queue-6.1/net-wwan-iosm-fix-memory-leak-in-ipc_mux_deinit.patch 
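Review bot: The added comment in sock_recv_errqueue(), `/* We must use a bounce buffer for CONFIG_HARDENED_USERCOPY=y */`, states the requirement but not its cause, which makes the extra copy look removable later. I would name the cause given in the commit message: `/* skb may come from skbuff_fclone_cache, which has no usercopy region for cb[]; copy ee to the stack before put_cmsg() */`. Because `ee` is then handed to userspace in full (`sizeof(ee)`), the struct assignment stays free of stale stack bytes only while `struct sock_extended_err` has no implicit padding; the 16-byte copy size in the quoted report is consistent with that, but it deserves a check whenever the struct changes. The function body starts before and ends after the second hunk.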
@@ -0,0 +1,54 @@
+From 219d846710d0b0e27f78cb96bdaa444960671288 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 30 Dec 2025 07:18:53 +0000
+Subject: net: wwan: iosm: Fix memory leak in ipc_mux_deinit()
+
+From: Zilin Guan
+
+[ Upstream commit 92e6e0a87f6860a4710f9494f8c704d498ae60f8 ]
+
+Commit 1f52d7b62285 ("net: wwan: iosm: Enable M.2 7360 WWAN card support")
+allocated memory for pp_qlt in ipc_mux_init() but did not free it in
+ipc_mux_deinit(). This results in a memory leak when the driver is
+unloaded.
+
+Free the allocated memory in ipc_mux_deinit() to fix the leak.
+
+Fixes: 1f52d7b62285 ("net: wwan: iosm: Enable M.2 7360 WWAN card support")
+Co-developed-by: Jianhao Xu
+Signed-off-by: Jianhao Xu
+Signed-off-by: Zilin Guan
+Reviewed-by: Loic Poulain
+Link: https://patch.msgid.link/20251230071853.1062223-1-zilin@seu.edu.cn
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wwan/iosm/iosm_ipc_mux.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/wwan/iosm/iosm_ipc_mux.c b/drivers/net/wwan/iosm/iosm_ipc_mux.c
+index fc928b298a984..b846889fcb099 100644
+--- a/drivers/net/wwan/iosm/iosm_ipc_mux.c
++++ b/drivers/net/wwan/iosm/iosm_ipc_mux.c
+@@ -456,6 +456,7 @@ void ipc_mux_deinit(struct iosm_mux *ipc_mux)
+ struct sk_buff_head *free_list;
+ union mux_msg mux_msg;
+ struct sk_buff *skb;
++ int i;
+
+ if (!ipc_mux->initialized)
+ return;
+@@ -479,5 +480,10 @@ void ipc_mux_deinit(struct iosm_mux *ipc_mux)
+ ipc_mux->channel->dl_pipe.is_open = false;
+ }
+
++ if (ipc_mux->protocol != MUX_LITE) {
++ for (i = 0; i < IPC_MEM_MUX_IP_SESSION_ENTRIES; i++)
++ kfree(ipc_mux->ul_adb.pp_qlt[i]);
++ }
++
+ kfree(ipc_mux);
+ }
+--
+2.51.0
+
diff --git a/queue-6.1/netdev-preserve-netif_f_all_for_all-across-tso-updat.patch b/queue-6.1/netdev-preserve-netif_f_all_for_all-across-tso-updat.patch
new file mode 100644
index 0000000000..a49e7261d6
--- /dev/null
+++ b/queue-6.1/netdev-preserve-netif_f_all_for_all-across-tso-updat.patch
@@ -0,0 +1,43 @@
+From d6148642186b4e84419bf8fe80da61bcb925319f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 24 Dec 2025 09:22:24 +0800
+Subject: netdev: preserve NETIF_F_ALL_FOR_ALL across TSO updates
+
+From: Di Zhu
+
+[ Upstream commit 02d1e1a3f9239cdb3ecf2c6d365fb959d1bf39df ]
+
+Directly increment the TSO features incurs a side effect: it will also
+directly clear the flags in NETIF_F_ALL_FOR_ALL on the master device,
+which can cause issues such as the inability to enable the nocache copy
+feature on the bonding driver.
+
+The fix is to include NETIF_F_ALL_FOR_ALL in the update mask, thereby
+preventing it from being cleared.
+
+Fixes: b0ce3508b25e ("bonding: allow TSO being set on bonding master")
+Signed-off-by: Di Zhu
+Link: https://patch.msgid.link/20251224012224.56185-1-zhud@hygon.cn
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ include/linux/netdevice.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
+index f44701b82ea80..1c47ab59a2c7f 100644
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -4951,7 +4951,8 @@ netdev_features_t netdev_increment_features(netdev_features_t all,
+ static inline netdev_features_t netdev_add_tso_features(netdev_features_t features,
+ netdev_features_t mask)
+ {
+- return netdev_increment_features(features, NETIF_F_ALL_TSO, mask);
++ return netdev_increment_features(features, NETIF_F_ALL_TSO |
++ NETIF_F_ALL_FOR_ALL, mask);
+ }
+
+ int __netdev_update_features(struct net_device *dev);
+--
+2.51.0
+
diff --git a/queue-6.1/netfilter-nf_conncount-update-last_gc-only-when-gc-h.patch b/queue-6.1/netfilter-nf_conncount-update-last_gc-only-when-gc-h.patch
new file mode 100644
index 0000000000..eadbe865ed
--- /dev/null
+++ b/queue-6.1/netfilter-nf_conncount-update-last_gc-only-when-gc-h.patch
@@ -0,0 +1,48 @@
+From 21ff6824681476425aacd973d1fd115653e873cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 17 Dec 2025 15:46:40 +0100
+Subject: netfilter: nf_conncount: update last_gc only when GC has been
+ performed
+
+From: Fernando Fernandez Mancera
+
+[ Upstream commit 7811ba452402d58628e68faedf38745b3d485e3c ]
+
+Currently last_gc is being updated everytime a new connection is
+tracked, that means that it is updated even if a GC wasn't performed.
+With a sufficiently high packet rate, it is possible to always bypass
+the GC, causing the list to grow infinitely.
+
+Update the last_gc value only when a GC has been actually performed.
+
+Fixes: d265929930e2 ("netfilter: nf_conncount: reduce unnecessary GC")
+Signed-off-by: Fernando Fernandez Mancera
+Signed-off-by: Florian Westphal
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_conncount.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c
+index c00b8e522c5a7..a2c5a7ba0c6fc 100644
+--- a/net/netfilter/nf_conncount.c
++++ b/net/netfilter/nf_conncount.c
+@@ -229,6 +229,7 @@ static int __nf_conncount_add(struct net *net,
+
+ nf_ct_put(found_ct);
+ }
++ list->last_gc = (u32)jiffies;
+
+ add_new_node:
+ if (WARN_ON_ONCE(list->count > INT_MAX)) {
+@@ -248,7 +249,6 @@ static int __nf_conncount_add(struct net *net,
+ conn->jiffies32 = (u32)jiffies;
+ list_add_tail(&conn->node, &list->head);
+ list->count++;
+- list->last_gc = (u32)jiffies;
+
+ out_put:
+ if (refcounted)
+--
+2.51.0
+
diff --git a/queue-6.1/netfilter-nf_tables-fix-memory-leak-in-nf_tables_new.patch b/queue-6.1/netfilter-nf_tables-fix-memory-leak-in-nf_tables_new.patch
new file mode 100644
index 0000000000..7244304b7c
--- /dev/null
+++ b/queue-6.1/netfilter-nf_tables-fix-memory-leak-in-nf_tables_new.patch
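Review bot: The relocated `list->last_gc = (u32)jiffies;` in __nf_conncount_add() sits directly above the `add_new_node:` label with no comment, and the fix depends entirely on that position: any path that jumps to the label skips the update. A short comment would keep it from drifting back below the label, e.g. `/* GC walk ran: only now advance last_gc, else a high packet rate can keep bypassing GC */`. The walk that precedes the statement is outside the hunk, so whether an early exit from it should still count as a performed GC cannot be checked from here.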
@@ -0,0 +1,49 @@
+From c2a2de39a808c4079b5e5e2bea26e4c5893b6df1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 24 Dec 2025 12:48:26 +0000
+Subject: netfilter: nf_tables: fix memory leak in nf_tables_newrule()
+
+From: Zilin Guan
+
+[ Upstream commit d077e8119ddbb4fca67540f1a52453631a47f221 ]
+
+In nf_tables_newrule(), if nft_use_inc() fails, the function jumps to
+the err_release_rule label without freeing the allocated flow, leading
+to a memory leak.
+
+Fix this by adding a new label err_destroy_flow and jumping to it when
+nft_use_inc() fails. This ensures that the flow is properly released
+in this error case.
+
+Fixes: 1689f25924ada ("netfilter: nf_tables: report use refcount overflow")
+Signed-off-by: Zilin Guan
+Signed-off-by: Florian Westphal
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_tables_api.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index b278f493cc93c..d154e3e0c9803 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -3811,7 +3811,7 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
+
+ if (!nft_use_inc(&chain->use)) {
+ err = -EMFILE;
+- goto err_release_rule;
++ goto err_destroy_flow;
+ }
+
+ if (info->nlh->nlmsg_flags & NLM_F_REPLACE) {
+@@ -3861,6 +3861,7 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
+
+ err_destroy_flow_rule:
+ nft_use_dec_restore(&chain->use);
++err_destroy_flow:
+ if (flow)
+ nft_flow_rule_destroy(flow);
+ err_release_rule:
+--
+2.51.0
+
diff --git a/queue-6.1/netfilter-nft_synproxy-avoid-possible-data-race-on-u.patch b/queue-6.1/netfilter-nft_synproxy-avoid-possible-data-race-on-u.patch
new file mode 100644
index 0000000000..95ed1e9140
--- /dev/null
+++ b/queue-6.1/netfilter-nft_synproxy-avoid-possible-data-race-on-u.patch
@@ -0,0 +1,55 @@ +From 75f05cc2b5fe98882df346d699367b5c90b98f38 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Dec 2025 21:21:59 +0100 +Subject: netfilter: nft_synproxy: avoid possible data-race on update operation + +From: Fernando Fernandez Mancera + +[ Upstream commit 36a3200575642846a96436d503d46544533bb943 ] + +During nft_synproxy eval we are reading nf_synproxy_info struct which +can be modified on update operation concurrently. As nf_synproxy_info +struct fits in 32 bits, use READ_ONCE/WRITE_ONCE annotations. + +Fixes: ee394f96ad75 ("netfilter: nft_synproxy: add synproxy stateful object support") +Signed-off-by: Fernando Fernandez Mancera +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_synproxy.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/netfilter/nft_synproxy.c b/net/netfilter/nft_synproxy.c +index a450f28a5ef60..0cc638553aef2 100644 +--- a/net/netfilter/nft_synproxy.c ++++ b/net/netfilter/nft_synproxy.c +@@ -48,7 +48,7 @@ static void nft_synproxy_eval_v4(const struct nft_synproxy *priv, + struct tcphdr *_tcph, + struct synproxy_options *opts) + { +- struct nf_synproxy_info info = priv->info; ++ struct nf_synproxy_info info = READ_ONCE(priv->info); + struct net *net = nft_net(pkt); + struct synproxy_net *snet = synproxy_pernet(net); + struct sk_buff *skb = pkt->skb; +@@ -79,7 +79,7 @@ static void nft_synproxy_eval_v6(const struct nft_synproxy *priv, + struct tcphdr *_tcph, + struct synproxy_options *opts) + { +- struct nf_synproxy_info info = priv->info; ++ struct nf_synproxy_info info = READ_ONCE(priv->info); + struct net *net = nft_net(pkt); + struct synproxy_net *snet = synproxy_pernet(net); + struct sk_buff *skb = pkt->skb; +@@ -340,7 +340,7 @@ static void nft_synproxy_obj_update(struct nft_object *obj, + struct nft_synproxy *newpriv = nft_obj_data(newobj); + struct nft_synproxy *priv = nft_obj_data(obj); + +- priv->info = newpriv->info; ++ WRITE_ONCE(priv->info, 
newpriv->info); + } + + static struct nft_object_type nft_synproxy_obj_type; +-- +2.51.0 + diff --git a/queue-6.1/series b/queue-6.1/series index 99842b03fd..9e50c13d04 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -28,3 +28,25 @@ smb-client-fix-nt_status_no_data_detected-value.patch scsi-ipr-enable-disable-irqd_no_balancing-during-res.patch scsi-ufs-core-fix-eh-failure-after-w-lun-resume-erro.patch scsi-revert-scsi-libsas-fix-exp-attached-device-scan.patch +arm64-dts-add-off-on-delay-us-for-usdhc2-regulator.patch +arm-dts-imx6q-ba16-fix-rtc-interrupt-level.patch +arm64-dts-imx8mp-fix-lan8740ai-phy-reference-clock-o.patch +netfilter-nft_synproxy-avoid-possible-data-race-on-u.patch +netfilter-nf_tables-fix-memory-leak-in-nf_tables_new.patch +netfilter-nf_conncount-update-last_gc-only-when-gc-h.patch +net-marvell-prestera-fix-null-dereference-on-devlink.patch +bridge-fix-c-vlan-preservation-in-802.1ad-vlan_tunne.patch +net-mscc-ocelot-fix-crash-when-adding-interface-unde.patch +inet-ping-fix-icmp-out-counting.patch +net-sock-fix-hardened-usercopy-panic-in-sock_recv_er.patch +netdev-preserve-netif_f_all_for_all-across-tso-updat.patch +net-mlx5e-don-t-print-error-message-due-to-invalid-m.patch +net-wwan-iosm-fix-memory-leak-in-ipc_mux_deinit.patch +eth-bnxt-move-and-rename-reset-helpers.patch +bnxt_en-fix-potential-data-corruption-with-hw-gro-lr.patch +net-fix-memory-leak-in-skb_segment_list-for-gro-pack.patch +hid-quirks-work-around-vid-pid-conflict-for-appledis.patch +net-sched-sch_qfq-fix-null-deref-when-deactivating-i.patch +net-usb-pegasus-fix-memory-leak-in-update_eth_regs_a.patch +net-enetc-fix-build-warning-when-page_size-is-greate.patch +arp-do-not-assume-dev_hard_header-does-not-change-sk.patch diff --git a/queue-6.12/arm-dts-imx6q-ba16-fix-rtc-interrupt-level.patch b/queue-6.12/arm-dts-imx6q-ba16-fix-rtc-interrupt-level.patch new file mode 100644 index 0000000000..162531bb10 --- /dev/null 
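Review bot: READ_ONCE()/WRITE_ONCE() on `priv->info` in nft_synproxy_eval_v4(), nft_synproxy_eval_v6() and nft_synproxy_obj_update() give a tear-free snapshot only while `struct nf_synproxy_info` stays the size of one native word. The commit message relies on the struct fitting in 32 bits, but nothing in the code states it. I would pin the assumption where the write happens, e.g. `BUILD_BUG_ON(sizeof(struct nf_synproxy_info) != sizeof(u32));` in nft_synproxy_obj_update(), or at least add the comment `/* nf_synproxy_info is 32 bits wide, so one READ_ONCE/WRITE_ONCE covers it */`. All three function bodies extend beyond their hunks.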
+++ b/queue-6.12/arm-dts-imx6q-ba16-fix-rtc-interrupt-level.patch
@@ -0,0 +1,40 @@
+From b7bcf21c2fe12200529a85d113ebe5bafb75acd9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 1 Dec 2025 11:56:05 +0200
+Subject: ARM: dts: imx6q-ba16: fix RTC interrupt level
+
+From: Ian Ray
+
+[ Upstream commit e6a4eedd49ce27c16a80506c66a04707e0ee0116 ]
+
+RTC interrupt level should be set to "LOW". This was revealed by the
+introduction of commit:
+
+ f181987ef477 ("rtc: m41t80: use IRQ flags obtained from fwnode")
+
+which changed the way IRQ type is obtained.
+
+Fixes: 56c27310c1b4 ("ARM: dts: imx: Add Advantech BA-16 Qseven module")
+Signed-off-by: Ian Ray
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/nxp/imx/imx6q-ba16.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/nxp/imx/imx6q-ba16.dtsi b/arch/arm/boot/dts/nxp/imx/imx6q-ba16.dtsi
+index 09d9ca0cb3324..0f28b140ec811 100644
+--- a/arch/arm/boot/dts/nxp/imx/imx6q-ba16.dtsi
++++ b/arch/arm/boot/dts/nxp/imx/imx6q-ba16.dtsi
+@@ -335,7 +335,7 @@ rtc@32 {
+ pinctrl-0 = <&pinctrl_rtc>;
+ reg = <0x32>;
+ interrupt-parent = <&gpio4>;
+- interrupts = <10 IRQ_TYPE_LEVEL_HIGH>;
++ interrupts = <10 IRQ_TYPE_LEVEL_LOW>;
+ };
+ };
+
+--
+2.51.0
+
diff --git a/queue-6.12/arm64-dts-add-off-on-delay-us-for-usdhc2-regulator.patch b/queue-6.12/arm64-dts-add-off-on-delay-us-for-usdhc2-regulator.patch
new file mode 100644
index 0000000000..c436de7659
--- /dev/null
+++ b/queue-6.12/arm64-dts-add-off-on-delay-us-for-usdhc2-regulator.patch
@@ -0,0 +1,41 @@
+From 572c930dd4d4433f809060583c94ba928011345d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Nov 2025 11:22:40 +0800
+Subject: arm64: dts: add off-on-delay-us for usdhc2 regulator
+
+From: Haibo Chen
+
+[ Upstream commit ca643894a37a25713029b36cfe7d1bae515cac08 ]
+
+For SD card, according to the spec requirement, for sd card power reset
+operation, it need sd card supply voltage to be lower than 0.5v and keep
+over 1ms, otherwise, next time power back the sd card supply voltage to
+3.3v, sd card can't support SD3.0 mode again.
+
+To match such requirement on imx8qm-mek board, add 4.8ms delay between
+sd power off and power on.
+
+Fixes: 307fd14d4b14 ("arm64: dts: imx: add imx8qm mek support")
+Reviewed-by: Frank Li
+Signed-off-by: Haibo Chen
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/freescale/imx8qm-mek.dts | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8qm-mek.dts b/arch/arm64/boot/dts/freescale/imx8qm-mek.dts
+index 9d031f6334965..19c8d7ce1d409 100644
+--- a/arch/arm64/boot/dts/freescale/imx8qm-mek.dts
++++ b/arch/arm64/boot/dts/freescale/imx8qm-mek.dts
+@@ -132,6 +132,7 @@ reg_usdhc2_vmmc: usdhc2-vmmc {
+ regulator-max-microvolt = <3000000>;
+ gpio = <&lsio_gpio4 7 GPIO_ACTIVE_HIGH>;
+ enable-active-high;
++ off-on-delay-us = <4800>;
+ };
+
+ reg_fec2_supply: regulator-fec2-nvcc {
+--
+2.51.0
+
diff --git a/queue-6.12/arm64-dts-imx8mp-fix-lan8740ai-phy-reference-clock-o.patch b/queue-6.12/arm64-dts-imx8mp-fix-lan8740ai-phy-reference-clock-o.patch
new file mode 100644
index 0000000000..676712d3bb
--- /dev/null
+++ b/queue-6.12/arm64-dts-imx8mp-fix-lan8740ai-phy-reference-clock-o.patch
@@ -0,0 +1,42 @@
+From 3549b7f0488d04079ea312dc4af46567a0469845 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 2 Dec 2025 14:41:51 +0100
+Subject: arm64: dts: imx8mp: Fix LAN8740Ai PHY reference clock on DH
+ electronics i.MX8M Plus DHCOM
+
+From: Marek Vasut
+
+[ Upstream commit c63749a7ddc59ac6ec0b05abfa0a21af9f2c1d38 ]
+
+Add missing 'clocks' property to LAN8740Ai PHY node, to allow the PHY driver
+to manage LAN8740Ai CLKIN reference clock supply. This fixes sporadic link
+bouncing caused by interruptions on the PHY reference clock, by letting the
+PHY driver manage the reference clock and assure there are no interruptions.
+
+This follows the matching PHY driver recommendation described in commit
+bedd8d78aba3 ("net: phy: smsc: LAN8710/20: add phy refclk in support")
+
+Fixes: 8d6712695bc8 ("arm64: dts: imx8mp: Add support for DH electronics i.MX8M Plus DHCOM and PDK2")
+Signed-off-by: Marek Vasut
+Tested-by: Christoph Niedermaier
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi
+index 6835f28c1e3c5..1141b26d6b6f9 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi
+@@ -113,6 +113,7 @@ mdio {
+ ethphy0f: ethernet-phy@1 { /* SMSC LAN8740Ai */
+ compatible = "ethernet-phy-id0007.c110",
+ "ethernet-phy-ieee802.3-c22";
++ clocks = <&clk IMX8MP_CLK_ENET_QOS>;
+ interrupt-parent = <&gpio3>;
+ interrupts = <19 IRQ_TYPE_LEVEL_LOW>;
+ pinctrl-0 = <&pinctrl_ethphy0>;
+--
+2.51.0
+
diff --git a/queue-6.12/arm64-dts-imx8qm-ss-dma-correct-the-dma-channels-of-.patch b/queue-6.12/arm64-dts-imx8qm-ss-dma-correct-the-dma-channels-of-.patch
new file mode 100644
index 0000000000..bc916e56c9
--- /dev/null
+++ b/queue-6.12/arm64-dts-imx8qm-ss-dma-correct-the-dma-channels-of-.patch
@@ -0,0 +1,66 @@
+From f033bb5c547ffe89000eadd3a462e4266be0b04c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 3 Dec 2025 09:59:56 +0800
+Subject: arm64: dts: imx8qm-ss-dma: correct the dma channels of lpuart
+
+From: Sherry Sun
+
+[ Upstream commit a988caeed9d918452aa0a68de2c6e94d86aa43ba ]
+
+The commit 616effc0272b5 ("arm64: dts: imx8: Fix lpuart DMA channel
+order") swap uart rx and tx channel at common imx8-ss-dma.dtsi. But miss
+update imx8qm-ss-dma.dtsi.
+
+The commit 5a8e9b022e569 ("arm64: dts: imx8qm-ss-dma: Pass lpuart
+dma-names") just simple add dma-names as binding doc requirement.
+
+Correct lpuart0 - lpuart3 dma rx and tx channels, and use defines for
+the FSL_EDMA_RX flag.
+
+Fixes: 5a8e9b022e56 ("arm64: dts: imx8qm-ss-dma: Pass lpuart dma-names")
+Signed-off-by: Sherry Sun
+Reviewed-by: Frank Li
+Reviewed-by: Alexander Stein
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/freescale/imx8qm-ss-dma.dtsi | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8qm-ss-dma.dtsi b/arch/arm64/boot/dts/freescale/imx8qm-ss-dma.dtsi
+index aa9f28c4431d0..f381e2636c3ad 100644
+--- a/arch/arm64/boot/dts/freescale/imx8qm-ss-dma.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8qm-ss-dma.dtsi
+@@ -168,25 +168,25 @@ &flexcan3 {
+
+ &lpuart0 {
+ compatible = "fsl,imx8qm-lpuart", "fsl,imx8qxp-lpuart";
+- dmas = <&edma2 13 0 0>, <&edma2 12 0 1>;
++ dmas = <&edma2 12 0 FSL_EDMA_RX>, <&edma2 13 0 0>;
+ dma-names = "rx","tx";
+ };
+
+ &lpuart1 {
+ compatible = "fsl,imx8qm-lpuart", "fsl,imx8qxp-lpuart";
+- dmas = <&edma2 15 0 0>, <&edma2 14 0 1>;
++ dmas = <&edma2 14 0 FSL_EDMA_RX>, <&edma2 15 0 0>;
+ dma-names = "rx","tx";
+ };
+
+ &lpuart2 {
+ compatible = "fsl,imx8qm-lpuart", "fsl,imx8qxp-lpuart";
+- dmas = <&edma2 17 0 0>, <&edma2 16 0 1>;
++ dmas = <&edma2 16 0 FSL_EDMA_RX>, <&edma2 17 0 0>;
+ dma-names = "rx","tx";
+ };
+
+ &lpuart3 {
+ compatible = "fsl,imx8qm-lpuart", "fsl,imx8qxp-lpuart";
+- dmas = <&edma2 19 0 0>, <&edma2 18 0 1>;
++ dmas = <&edma2 18 0 FSL_EDMA_RX>, <&edma2 19 0 0>;
+ dma-names = "rx","tx";
+ };
+
+--
+2.51.0
+
diff --git a/queue-6.12/arm64-dts-mba8mx-fix-ethernet-phy-irq-support.patch b/queue-6.12/arm64-dts-mba8mx-fix-ethernet-phy-irq-support.patch
new file mode 100644
index 0000000000..e97670346d
--- /dev/null
+++ b/queue-6.12/arm64-dts-mba8mx-fix-ethernet-phy-irq-support.patch
@@ -0,0 +1,37 @@
+From 34c8d60e871b4422ee1f863628c29a3c242cfb53 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 16 Dec 2025 14:15:28 +0100
+Subject: arm64: dts: mba8mx: Fix Ethernet PHY IRQ support
+
+From: Alexander Stein
+
+[ Upstream commit 89e87d0dc87eb3654c9ae01afc4a18c1c6d1e523 ]
+
+Ethernet PHY interrupt mode is level triggered. Adjust the mode
+accordingly.
+
+Signed-off-by: Alexander Stein
+Reviewed-by: Andrew Lunn
+Fixes: 70cf622bb16e ("arm64: dts: mba8mx: Add Ethernet PHY IRQ support")
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/freescale/mba8mx.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/freescale/mba8mx.dtsi b/arch/arm64/boot/dts/freescale/mba8mx.dtsi
+index c60c7a9e54aff..66f927198fe94 100644
+--- a/arch/arm64/boot/dts/freescale/mba8mx.dtsi
++++ b/arch/arm64/boot/dts/freescale/mba8mx.dtsi
+@@ -186,7 +186,7 @@ ethphy0: ethernet-phy@e {
+ reset-assert-us = <500000>;
+ reset-deassert-us = <500>;
+ interrupt-parent = <&expander2>;
+- interrupts = <6 IRQ_TYPE_EDGE_FALLING>;
++ interrupts = <6 IRQ_TYPE_LEVEL_LOW>;
+ };
+ };
+ };
+--
+2.51.0
+
diff --git a/queue-6.12/arm64-dts-ti-k3-am62-lp-sk-nand-rename-pinctrls-to-f.patch b/queue-6.12/arm64-dts-ti-k3-am62-lp-sk-nand-rename-pinctrls-to-f.patch
new file mode 100644
index 0000000000..64aee04866
--- /dev/null
+++ b/queue-6.12/arm64-dts-ti-k3-am62-lp-sk-nand-rename-pinctrls-to-f.patch
@@ -0,0 +1,38 @@
+From ec71a3cdebe391ec733b6f1ead4ebe9b4a34d547 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 27 Nov 2025 13:27:33 +0100
+Subject: arm64: dts: ti: k3-am62-lp-sk-nand: Rename pinctrls to fix schema
+ warnings
+
+From: Wadim Egorov
+
+[ Upstream commit cf5e8adebe77917a4cc95e43e461cdbd857591ce ]
+
+Rename pinctrl nodes to comply with naming conventions required by
+pinctrl-single schema.
+
+Fixes: e569152274fec ("arm64: dts: ti: am62-lp-sk: Add overlay for NAND expansion card")
+Signed-off-by: Wadim Egorov
+Link: https://patch.msgid.link/20251127122733.2523367-3-w.egorov@phytec.de
+Signed-off-by: Nishanth Menon
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/ti/k3-am62-lp-sk-nand.dtso | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/ti/k3-am62-lp-sk-nand.dtso b/arch/arm64/boot/dts/ti/k3-am62-lp-sk-nand.dtso
+index 173ac60723b64..b4daa674eaa1e 100644
+--- a/arch/arm64/boot/dts/ti/k3-am62-lp-sk-nand.dtso
++++ b/arch/arm64/boot/dts/ti/k3-am62-lp-sk-nand.dtso
+@@ -14,7 +14,7 @@
+ };
+
+ &main_pmx0 {
+- gpmc0_pins_default: gpmc0-pins-default {
++ gpmc0_pins_default: gpmc0-default-pins {
+ pinctrl-single,pins = <
+ AM62X_IOPAD(0x003c, PIN_INPUT, 0) /* (K19) GPMC0_AD0 */
+ AM62X_IOPAD(0x0040, PIN_INPUT, 0) /* (L19) GPMC0_AD1 */
+--
+2.51.0
+
diff --git a/queue-6.12/arp-do-not-assume-dev_hard_header-does-not-change-sk.patch b/queue-6.12/arp-do-not-assume-dev_hard_header-does-not-change-sk.patch
new file mode 100644
index 0000000000..7358d0bbbc
--- /dev/null
+++ b/queue-6.12/arp-do-not-assume-dev_hard_header-does-not-change-sk.patch
@@ -0,0 +1,58 @@
+From 97f2ec3249c44d5a15c9180f87780c1ff4237c83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 7 Jan 2026 21:22:50 +0000
+Subject: arp: do not assume dev_hard_header() does not change skb->head
+
+From: Eric Dumazet
+
+[ Upstream commit c92510f5e3f82ba11c95991824a41e59a9c5ed81 ]
+
+arp_create() is the only dev_hard_header() caller
+making assumption about skb->head being unchanged.
+
+A recent commit broke this assumption.
+
+Initialize @arp pointer after dev_hard_header() call.
+
+Fixes: db5b4e39c4e6 ("ip6_gre: make ip6gre_header() robust")
+Reported-by: syzbot+58b44a770a1585795351@syzkaller.appspotmail.com
+Signed-off-by: Eric Dumazet
+Link: https://patch.msgid.link/20260107212250.384552-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/arp.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
+index 8fb48f42581ce..7822b21445148 100644
+--- a/net/ipv4/arp.c
++++ b/net/ipv4/arp.c
+@@ -564,7 +564,7 @@ struct sk_buff *arp_create(int type, int ptype, __be32 dest_ip,
+
+ skb_reserve(skb, hlen);
+ skb_reset_network_header(skb);
+- arp = skb_put(skb, arp_hdr_len(dev));
++ skb_put(skb, arp_hdr_len(dev));
+ skb->dev = dev;
+ skb->protocol = htons(ETH_P_ARP);
+ if (!src_hw)
+@@ -572,12 +572,13 @@ struct sk_buff *arp_create(int type, int ptype, __be32 dest_ip,
+ if (!dest_hw)
+ dest_hw = dev->broadcast;
+
+- /*
+- * Fill the device header for the ARP frame
++ /* Fill the device header for the ARP frame.
++ * Note: skb->head can be changed.
+ */
+ if (dev_hard_header(skb, dev, ptype, dest_hw, src_hw, skb->len) < 0)
+ goto out;
+
++ arp = arp_hdr(skb);
+ /*
+ * Fill out the arp protocol part.
+ *
+--
+2.51.0
+
diff --git a/queue-6.12/bnxt_en-fix-potential-data-corruption-with-hw-gro-lr.patch b/queue-6.12/bnxt_en-fix-potential-data-corruption-with-hw-gro-lr.patch
new file mode 100644
index 0000000000..64340baba5
--- /dev/null
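Review bot: The new comment `Note: skb->head can be changed.` in arp_create() records the fact but not the rule that follows from it, which is that no pointer into the skb's data taken before dev_hard_header() may be dereferenced afterwards. I would spell that out, e.g. `/* dev_hard_header() may reallocate skb->head; derive arp (and any other data pointer) only after it returns. */`, so a later edit does not reintroduce the stale-pointer pattern this patch removes. The re-derivation `arp = arp_hdr(skb);` depends on the network header offset set by `skb_reset_network_header(skb)` earlier in the hunk staying valid across the call, which is presumably the case but is worth a word in the same comment. arp_create() starts and ends outside both hunks, so other uses of pre-call pointers cannot be ruled out from here.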
+++ b/queue-6.12/bnxt_en-fix-potential-data-corruption-with-hw-gro-lr.patch 
@@ -0,0 +1,88 @@
+From ee9802d1f30ffb7f2f8aa66e80a9f3ea07d75d4b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 31 Dec 2025 00:36:25 -0800
+Subject: bnxt_en: Fix potential data corruption with HW GRO/LRO
+
+From: Srijit Bose
+
+[ Upstream commit ffeafa65b2b26df2f5b5a6118d3174f17bd12ec5 ]
+
+Fix the max number of bits passed to find_first_zero_bit() in
+bnxt_alloc_agg_idx(). We were incorrectly passing the number of
+long words. find_first_zero_bit() may fail to find a zero bit and
+cause a wrong ID to be used. If the wrong ID is already in use, this
+can cause data corruption. Sometimes an error like this can also be
+seen:
+
+bnxt_en 0000:83:00.0 enp131s0np0: TPA end agg_buf 2 != expected agg_bufs 1
+
+Fix it by passing the correct number of bits MAX_TPA_P5. Use
+DECLARE_BITMAP() to more cleanly define the bitmap. Add a sanity
+check to warn if a bit cannot be found and reset the ring [MChan].
+
+Fixes: ec4d8e7cf024 ("bnxt_en: Add TPA ID mapping logic for 57500 chips.")
+Reviewed-by: Ray Jui
+Signed-off-by: Srijit Bose
+Signed-off-by: Michael Chan
+Reviewed-by: Vadim Fedorenko
+Link: https://patch.msgid.link/20251231083625.3911652-1-michael.chan@broadcom.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 15 ++++++++++++---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.h | 4 +---
+ 2 files changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index a3491b8383f5a..1f5149d45b089 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -1412,9 +1412,11 @@ static u16 bnxt_alloc_agg_idx(struct bnxt_rx_ring_info *rxr, u16 agg_id)
+ struct bnxt_tpa_idx_map *map = rxr->rx_tpa_idx_map;
+ u16 idx = agg_id & MAX_TPA_P5_MASK;
+
+- if (test_bit(idx, map->agg_idx_bmap))
+- idx = find_first_zero_bit(map->agg_idx_bmap,
+- BNXT_AGG_IDX_BMAP_SIZE);
++ if (test_bit(idx, map->agg_idx_bmap)) {
++ idx = find_first_zero_bit(map->agg_idx_bmap, MAX_TPA_P5);
++ if (idx >= MAX_TPA_P5)
++ return INVALID_HW_RING_ID;
++ }
+ __set_bit(idx, map->agg_idx_bmap);
+ map->agg_id_tbl[agg_id] = idx;
+ return idx;
+@@ -1478,6 +1480,13 @@ static void bnxt_tpa_start(struct bnxt *bp, struct bnxt_rx_ring_info *rxr,
+ if (bp->flags & BNXT_FLAG_CHIP_P5_PLUS) {
+ agg_id = TPA_START_AGG_ID_P5(tpa_start);
+ agg_id = bnxt_alloc_agg_idx(rxr, agg_id);
++ if (unlikely(agg_id == INVALID_HW_RING_ID)) {
++ netdev_warn(bp->dev, "Unable to allocate agg ID for ring %d, agg 0x%x\n",
++ rxr->bnapi->index,
++ TPA_START_AGG_ID_P5(tpa_start));
++ bnxt_sched_reset_rxr(bp, rxr);
++ return;
++ }
+ } else {
+ agg_id = TPA_START_AGG_ID(tpa_start);
+ }
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.h b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
+index 37bb9091bf771..38690fdc3c46c 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
+@@ -1070,11 +1070,9 @@ struct bnxt_tpa_info {
+ struct rx_agg_cmp *agg_arr;
+ };
+
+-#define BNXT_AGG_IDX_BMAP_SIZE (MAX_TPA_P5 / BITS_PER_LONG)
+-
+ struct bnxt_tpa_idx_map {
+ u16 agg_id_tbl[1024];
+- unsigned long agg_idx_bmap[BNXT_AGG_IDX_BMAP_SIZE];
++ DECLARE_BITMAP(agg_idx_bmap, MAX_TPA_P5);
+ };
+
+ struct bnxt_rx_ring_info {
+--
+2.51.0
+
diff --git a/queue-6.12/bridge-fix-c-vlan-preservation-in-802.1ad-vlan_tunne.patch b/queue-6.12/bridge-fix-c-vlan-preservation-in-802.1ad-vlan_tunne.patch
new file mode 100644
index 0000000000..616a637f89
--- /dev/null
+++ b/queue-6.12/bridge-fix-c-vlan-preservation-in-802.1ad-vlan_tunne.patch
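Review bot: In bnxt_alloc_agg_idx() the context line `map->agg_id_tbl[agg_id] = idx;` still indexes the 1024-entry `agg_id_tbl` (size shown in the bnxt.h hunk) with the agg_id taken from the hardware completion, and nothing visible in these hunks bounds it; if TPA_START_AGG_ID_P5() can yield 1024 or more, that is an out-of-bounds write driven by device data. The macro's mask is defined outside this patch, so its range needs confirming first, but the new failure path is a natural place for the check: `if (agg_id >= ARRAY_SIZE(map->agg_id_tbl)) return INVALID_HW_RING_ID;` at the top of the function. Separately, the result of find_first_zero_bit() is narrowed into the u16 `idx` before the `idx >= MAX_TPA_P5` test, which is only sound while MAX_TPA_P5 fits in 16 bits; a one-line comment saying so would help. Both functions continue outside the hunks.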
@@ -0,0 +1,75 @@ +From c1d35a52cc2bc23f2080b7dff017473b3578ba7a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Dec 2025 03:00:57 +0100 +Subject: bridge: fix C-VLAN preservation in 802.1ad vlan_tunnel egress + +From: Alexandre Knecht + +[ Upstream commit 3128df6be147768fe536986fbb85db1d37806a9f ] + +When using an 802.1ad bridge with vlan_tunnel, the C-VLAN tag is +incorrectly stripped from frames during egress processing. + +br_handle_egress_vlan_tunnel() uses skb_vlan_pop() to remove the S-VLAN +from hwaccel before VXLAN encapsulation. However, skb_vlan_pop() also +moves any "next" VLAN from the payload into hwaccel: + + /* move next vlan tag to hw accel tag */ + __skb_vlan_pop(skb, &vlan_tci); + __vlan_hwaccel_put_tag(skb, vlan_proto, vlan_tci); + +For QinQ frames where the C-VLAN sits in the payload, this moves it to +hwaccel where it gets lost during VXLAN encapsulation. + +Fix by calling __vlan_hwaccel_clear_tag() directly, which clears only +the hwaccel S-VLAN and leaves the payload untouched. + +This path is only taken when vlan_tunnel is enabled and tunnel_info +is configured, so 802.1Q bridges are unaffected. + +Tested with 802.1ad bridge + VXLAN vlan_tunnel, verified C-VLAN +preserved in VXLAN payload via tcpdump. 
+ +Fixes: 11538d039ac6 ("bridge: vlan dst_metadata hooks in ingress and egress paths") +Signed-off-by: Alexandre Knecht +Reviewed-by: Ido Schimmel +Acked-by: Nikolay Aleksandrov +Link: https://patch.msgid.link/20251228020057.2788865-1-knecht.alexandre@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/bridge/br_vlan_tunnel.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/net/bridge/br_vlan_tunnel.c b/net/bridge/br_vlan_tunnel.c +index a966a6ec82634..257cae9f15698 100644 +--- a/net/bridge/br_vlan_tunnel.c ++++ b/net/bridge/br_vlan_tunnel.c +@@ -189,7 +189,6 @@ int br_handle_egress_vlan_tunnel(struct sk_buff *skb, + IP_TUNNEL_DECLARE_FLAGS(flags) = { }; + struct metadata_dst *tunnel_dst; + __be64 tunnel_id; +- int err; + + if (!vlan) + return 0; +@@ -199,9 +198,13 @@ int br_handle_egress_vlan_tunnel(struct sk_buff *skb, + return 0; + + skb_dst_drop(skb); +- err = skb_vlan_pop(skb); +- if (err) +- return err; ++ /* For 802.1ad (QinQ), skb_vlan_pop() incorrectly moves the C-VLAN ++ * from payload to hwaccel after clearing S-VLAN. We only need to ++ * clear the hwaccel S-VLAN; the C-VLAN must stay in payload for ++ * correct VXLAN encapsulation. This is also correct for 802.1Q ++ * where no C-VLAN exists in payload. ++ */ ++ __vlan_hwaccel_clear_tag(skb); + + if (BR_INPUT_SKB_CB(skb)->backup_nhid) { + __set_bit(IP_TUNNEL_KEY_BIT, flags); +-- +2.51.0 + diff --git a/queue-6.12/btrfs-only-enforce-free-space-tree-if-v1-cache-is-re.patch b/queue-6.12/btrfs-only-enforce-free-space-tree-if-v1-cache-is-re.patch new file mode 100644 index 0000000000..4713ad8913 --- /dev/null +++ b/queue-6.12/btrfs-only-enforce-free-space-tree-if-v1-cache-is-re.patch 
@@ -0,0 +1,87 @@ +From 19a1512a8281578ddf02448735cc854fdaffe60d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Dec 2025 15:15:28 +1030 +Subject: btrfs: only enforce free space tree if v1 cache is required for bs < + ps cases + +From: Qu Wenruo + +[ Upstream commit 30bcf4e824aa37d305502f52e1527c7b1eabef3d ] + +[BUG] +Since the introduction of btrfs bs < ps support, v1 cache was never on +the plan due to its hard coded PAGE_SIZE usage, and the future plan to +properly deprecate it. + +However for bs < ps cases, even if 'nospace_cache,clear_cache' mount +option is specified, it's never respected and free space tree is always +enabled: + + mkfs.btrfs -f -O ^bgt,fst $dev + mount $dev $mnt -o clear_cache,nospace_cache + umount $mnt + btrfs ins dump-super $dev + ... + compat_ro_flags 0x3 + ( FREE_SPACE_TREE | + FREE_SPACE_TREE_VALID ) + ... + +This means a different behavior compared to bs >= ps cases. + +[CAUSE] +The forcing usage of v2 space cache is done inside +btrfs_set_free_space_cache_settings(), however it never checks if we're +even using space cache but always enabling v2 cache. + +[FIX] +Instead unconditionally enable v2 cache, only forcing v2 cache if the +old v1 cache is required. + +Now v2 space cache can be properly disabled on bs < ps cases: + + mkfs.btrfs -f -O ^bgt,fst $dev + mount $dev $mnt -o clear_cache,nospace_cache + umount $mnt + btrfs ins dump-super $dev + ... + compat_ro_flags 0x0 + ... 
+ +Fixes: 9f73f1aef98b ("btrfs: force v2 space cache usage for subpage mount") +Reviewed-by: Filipe Manana +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/super.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c +index b0d4ad7fbe489..833602511f62d 100644 +--- a/fs/btrfs/super.c ++++ b/fs/btrfs/super.c +@@ -722,14 +722,12 @@ bool btrfs_check_options(const struct btrfs_fs_info *info, + */ + void btrfs_set_free_space_cache_settings(struct btrfs_fs_info *fs_info) + { +- if (fs_info->sectorsize < PAGE_SIZE) { ++ if (fs_info->sectorsize < PAGE_SIZE && btrfs_test_opt(fs_info, SPACE_CACHE)) { ++ btrfs_info(fs_info, ++ "forcing free space tree for sector size %u with page size %lu", ++ fs_info->sectorsize, PAGE_SIZE); + btrfs_clear_opt(fs_info->mount_opt, SPACE_CACHE); +- if (!btrfs_test_opt(fs_info, FREE_SPACE_TREE)) { +- btrfs_info(fs_info, +- "forcing free space tree for sector size %u with page size %lu", +- fs_info->sectorsize, PAGE_SIZE); +- btrfs_set_opt(fs_info->mount_opt, FREE_SPACE_TREE); +- } ++ btrfs_set_opt(fs_info->mount_opt, FREE_SPACE_TREE); + } + + /* +-- +2.51.0 + diff --git a/queue-6.12/crypto-qat-fix-duplicate-restarting-msg-during-aer-e.patch b/queue-6.12/crypto-qat-fix-duplicate-restarting-msg-during-aer-e.patch new file mode 100644 index 0000000000..2af1e234fd --- /dev/null +++ b/queue-6.12/crypto-qat-fix-duplicate-restarting-msg-during-aer-e.patch 
@@ -0,0 +1,47 @@
+From a843de87709ad255854694b504ac1d021aa71162 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 17 Dec 2025 11:16:06 +0530
+Subject: crypto: qat - fix duplicate restarting msg during AER error
+
+From: Harshita Bhilwaria
+
+[ Upstream commit 961ac9d97be72267255f1ed841aabf6694b17454 ]
+
+The restarting message from PF to VF is sent twice during AER error
+handling: once from adf_error_detected() and again from
+adf_disable_sriov().
+This causes userspace subservices to shutdown unexpectedly when they
+receive a duplicate restarting message after already being restarted.
+
+Avoid calling adf_pf2vf_notify_restarting() and
+adf_pf2vf_wait_for_restarting_complete() from adf_error_detected() so
+that the restarting msg is sent only once from PF to VF.
+
+Fixes: 9567d3dc760931 ("crypto: qat - improve aer error reset handling")
+Signed-off-by: Harshita Bhilwaria
+Reviewed-by: Giovanni Cabiddu
+Reviewed-by: Ahsan Atta
+Reviewed-by: Ravikumar PM
+Reviewed-by: Srikanth Thokala
+Signed-off-by: Herbert Xu
+Signed-off-by: Sasha Levin
+---
+ drivers/crypto/intel/qat/qat_common/adf_aer.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/crypto/intel/qat/qat_common/adf_aer.c b/drivers/crypto/intel/qat/qat_common/adf_aer.c
+index 4cb8bd83f5707..bd19d3a14422a 100644
+--- a/drivers/crypto/intel/qat/qat_common/adf_aer.c
++++ b/drivers/crypto/intel/qat/qat_common/adf_aer.c
+@@ -41,8 +41,6 @@ static pci_ers_result_t adf_error_detected(struct pci_dev *pdev,
+ adf_error_notifier(accel_dev);
+ adf_pf2vf_notify_fatal_error(accel_dev);
+ adf_dev_restarting_notify(accel_dev);
+- adf_pf2vf_notify_restarting(accel_dev);
+- adf_pf2vf_wait_for_restarting_complete(accel_dev);
+ pci_clear_master(pdev);
+ adf_dev_down(accel_dev);
+
+--
+2.51.0
+
diff --git a/queue-6.12/drm-amd-display-apply-e4479aecf658-to-dml.patch b/queue-6.12/drm-amd-display-apply-e4479aecf658-to-dml.patch
new file mode 100644
index 0000000000..f9ac1fe227
--- /dev/null
+++ b/queue-6.12/drm-amd-display-apply-e4479aecf658-to-dml.patch 
@@ -0,0 +1,62 @@ +From 4a3ccf8d35bd75083d63e0b9fc04447851a71995 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Dec 2025 15:16:43 +0900 +Subject: drm/amd/display: Apply e4479aecf658 to dml + +From: Nathan Chancellor + +[ Upstream commit 70740454377f1ba3ff32f5df4acd965db99d055b ] + +After an innocuous optimization change in clang-22, allmodconfig (which +enables CONFIG_KASAN and CONFIG_WERROR) breaks with: + + drivers/gpu/drm/amd/amdgpu/../display/dc/dml/dcn32/display_mode_vba_32.c:1724:6: error: stack frame size (3144) exceeds limit (3072) in 'dml32_ModeSupportAndSystemConfigurationFull' [-Werror,-Wframe-larger-than] + 1724 | void dml32_ModeSupportAndSystemConfigurationFull(struct display_mode_lib *mode_lib) + | ^ + +With clang-21, this function was already pretty close to the existing +limit of 3072 bytes. + + drivers/gpu/drm/amd/amdgpu/../display/dc/dml/dcn32/display_mode_vba_32.c:1724:6: error: stack frame size (2904) exceeds limit (2048) in 'dml32_ModeSupportAndSystemConfigurationFull' [-Werror,-Wframe-larger-than] + 1724 | void dml32_ModeSupportAndSystemConfigurationFull(struct display_mode_lib *mode_lib) + | ^ + +A similar situation occurred in dml2, which was resolved by +commit e4479aecf658 ("drm/amd/display: Increase sanitizer frame larger +than limit when compile testing with clang") by increasing the limit for +clang when compile testing with certain sanitizer enabled, so that +allmodconfig (an easy testing target) continues to work. + +Apply that same change to the dml folder to clear up the warning for +allmodconfig, unbreaking the build. 
+ +Closes: https://github.com/ClangBuiltLinux/linux/issues/2135 +Signed-off-by: Nathan Chancellor +Signed-off-by: Alex Deucher +(cherry picked from commit 25314b453cf812150e9951a32007a32bba85707e) +Cc: stable@vger.kernel.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dml/Makefile | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dml/Makefile b/drivers/gpu/drm/amd/display/dc/dml/Makefile +index e1d500633dfad..54a2af210b4c0 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml/Makefile ++++ b/drivers/gpu/drm/amd/display/dc/dml/Makefile +@@ -30,7 +30,11 @@ dml_rcflags := $(CC_FLAGS_NO_FPU) + + ifneq ($(CONFIG_FRAME_WARN),0) + ifeq ($(filter y,$(CONFIG_KASAN)$(CONFIG_KCSAN)),y) +- frame_warn_limit := 3072 ++ ifeq ($(CONFIG_CC_IS_CLANG)$(CONFIG_COMPILE_TEST),yy) ++ frame_warn_limit := 4096 ++ else ++ frame_warn_limit := 3072 ++ endif + else + frame_warn_limit := 2048 + endif +-- +2.51.0 + diff --git a/queue-6.12/drm-amd-display-respect-user-s-config_frame_warn-mor.patch b/queue-6.12/drm-amd-display-respect-user-s-config_frame_warn-mor.patch new file mode 100644 index 0000000000..a9844d3b05 --- /dev/null +++ b/queue-6.12/drm-amd-display-respect-user-s-config_frame_warn-mor.patch 
@@ -0,0 +1,94 @@ +From bcd7bdd0c494187cd12567bb893712cd0fee4f27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Jan 2025 15:31:19 -0700 +Subject: drm/amd/display: Respect user's CONFIG_FRAME_WARN more for dml files + +From: Nathan Chancellor + +[ Upstream commit 820ccf8cb2b145ab9fc12651f7f80339614fa46c ] + +Currently, there are several files in drm/amd/display that aim to have a +higher -Wframe-larger-than value to avoid instances of that warning with +a lower value from the user's configuration. However, with the way that +it is currently implemented, it does not respect the user's request via +CONFIG_FRAME_WARN for a higher stack frame limit, which can cause pain +when new instances of the warning appear and break the build due to +CONFIG_WERROR. + +Adjust the logic to switch from a hard coded -Wframe-larger-than value +to only using the value as a minimum clamp and deferring to the +requested value from CONFIG_FRAME_WARN if it is higher. + +Suggested-by: Harry Wentland +Reported-by: Greg Kroah-Hartman +Closes: https://lore.kernel.org/2025013003-audience-opposing-7f95@gregkh/ +Signed-off-by: Nathan Chancellor +Signed-off-by: Alex Deucher +Stable-dep-of: 70740454377f ("drm/amd/display: Apply e4479aecf658 to dml") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dml/Makefile | 14 ++++++++----- + drivers/gpu/drm/amd/display/dc/dml2/Makefile | 22 ++++++++++++-------- + 2 files changed, 22 insertions(+), 14 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dml/Makefile b/drivers/gpu/drm/amd/display/dc/dml/Makefile +index 46f9c05de16e8..e1d500633dfad 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml/Makefile ++++ b/drivers/gpu/drm/amd/display/dc/dml/Makefile +@@ -29,11 +29,15 @@ dml_ccflags := $(CC_FLAGS_FPU) + dml_rcflags := $(CC_FLAGS_NO_FPU) + + ifneq ($(CONFIG_FRAME_WARN),0) +-ifeq ($(filter y,$(CONFIG_KASAN)$(CONFIG_KCSAN)),y) +-frame_warn_flag := -Wframe-larger-than=3072 +-else +-frame_warn_flag := -Wframe-larger-than=2048 
+-endif ++ ifeq ($(filter y,$(CONFIG_KASAN)$(CONFIG_KCSAN)),y) ++ frame_warn_limit := 3072 ++ else ++ frame_warn_limit := 2048 ++ endif ++ ++ ifeq ($(call test-lt, $(CONFIG_FRAME_WARN), $(frame_warn_limit)),y) ++ frame_warn_flag := -Wframe-larger-than=$(frame_warn_limit) ++ endif + endif + + CFLAGS_$(AMDDALPATH)/dc/dml/display_mode_lib.o := $(dml_ccflags) +diff --git a/drivers/gpu/drm/amd/display/dc/dml2/Makefile b/drivers/gpu/drm/amd/display/dc/dml2/Makefile +index 986a69c5bd4bc..2a7669a1071e4 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml2/Makefile ++++ b/drivers/gpu/drm/amd/display/dc/dml2/Makefile +@@ -28,15 +28,19 @@ dml2_ccflags := $(CC_FLAGS_FPU) + dml2_rcflags := $(CC_FLAGS_NO_FPU) + + ifneq ($(CONFIG_FRAME_WARN),0) +-ifeq ($(filter y,$(CONFIG_KASAN)$(CONFIG_KCSAN)),y) +-ifeq ($(CONFIG_CC_IS_CLANG)$(CONFIG_COMPILE_TEST),yy) +-frame_warn_flag := -Wframe-larger-than=4096 +-else +-frame_warn_flag := -Wframe-larger-than=3072 +-endif +-else +-frame_warn_flag := -Wframe-larger-than=2048 +-endif ++ ifeq ($(filter y,$(CONFIG_KASAN)$(CONFIG_KCSAN)),y) ++ ifeq ($(CONFIG_CC_IS_CLANG)$(CONFIG_COMPILE_TEST),yy) ++ frame_warn_limit := 4096 ++ else ++ frame_warn_limit := 3072 ++ endif ++ else ++ frame_warn_limit := 2048 ++ endif ++ ++ ifeq ($(call test-lt, $(CONFIG_FRAME_WARN), $(frame_warn_limit)),y) ++ frame_warn_flag := -Wframe-larger-than=$(frame_warn_limit) ++ endif + endif + + subdir-ccflags-y += -I$(FULL_AMD_DISPLAY_PATH)/dc/dml2 +-- +2.51.0 + diff --git a/queue-6.12/erofs-don-t-bother-with-s_stack_depth-increasing-for.patch b/queue-6.12/erofs-don-t-bother-with-s_stack_depth-increasing-for.patch new file mode 100644 index 0000000000..5c46ccbd14 --- /dev/null +++ b/queue-6.12/erofs-don-t-bother-with-s_stack_depth-increasing-for.patch 
@@ -0,0 +1,100 @@ +From d5e2c299b9ab6a726028f3cbd61ed8003ad4578a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jan 2026 10:38:31 +0800 +Subject: erofs: don't bother with s_stack_depth increasing for now +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Gao Xiang + +[ Upstream commit 072a7c7cdbea4f91df854ee2bb216256cd619f2a ] + +Previously, commit d53cd891f0e4 ("erofs: limit the level of fs stacking +for file-backed mounts") bumped `s_stack_depth` by one to avoid kernel +stack overflow when stacking an unlimited number of EROFS on top of +each other. + +This fix breaks composefs mounts, which need EROFS+ovl^2 sometimes +(and such setups are already used in production for quite a long time). + +One way to fix this regression is to bump FILESYSTEM_MAX_STACK_DEPTH +from 2 to 3, but proving that this is safe in general is a high bar. + +After a long discussion on GitHub issues [1] about possible solutions, +one conclusion is that there is no need to support nesting file-backed +EROFS mounts on stacked filesystems, because there is always the option +to use loopback devices as a fallback. + +As a quick fix for the composefs regression for this cycle, instead of +bumping `s_stack_depth` for file backed EROFS mounts, we disallow +nesting file-backed EROFS over EROFS and over filesystems with +`s_stack_depth` > 0. + +This works for all known file-backed mount use cases (composefs, +containerd, and Android APEX for some Android vendors), and the fix is +self-contained. + +Essentially, we are allowing one extra unaccounted fs stacking level of +EROFS below stacking filesystems, but EROFS can only be used in the read +path (i.e. overlayfs lower layers), which typically has much lower stack +usage than the write path. 
+ +We can consider increasing FILESYSTEM_MAX_STACK_DEPTH later, after more +stack usage analysis or using alternative approaches, such as splitting +the `s_stack_depth` limitation according to different combinations of +stacking. + +Fixes: d53cd891f0e4 ("erofs: limit the level of fs stacking for file-backed mounts") +Reported-and-tested-by: Dusty Mabe +Reported-by: Timothée Ravier +Closes: https://github.com/coreos/fedora-coreos-tracker/issues/2087 [1] +Reported-by: "Alekséi Naidénov" +Closes: https://lore.kernel.org/r/CAFHtUiYv4+=+JP_-JjARWjo6OwcvBj1wtYN=z0QXwCpec9sXtg@mail.gmail.com +Acked-by: Amir Goldstein +Acked-by: Alexander Larsson +Reviewed-and-tested-by: Sheng Yong +Reviewed-by: Zhiguo Niu +Reviewed-by: Chao Yu +Cc: Christian Brauner +Cc: Miklos Szeredi +Signed-off-by: Gao Xiang +Signed-off-by: Sasha Levin +--- + fs/erofs/super.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/fs/erofs/super.c b/fs/erofs/super.c +index 027fd567a4d9f..f0b83beec6b24 100644 +--- a/fs/erofs/super.c ++++ b/fs/erofs/super.c +@@ -641,14 +641,20 @@ static int erofs_fc_fill_super(struct super_block *sb, struct fs_context *fc) + * fs contexts (including its own) due to self-controlled RO + * accesses/contexts and no side-effect changes that need to + * context save & restore so it can reuse the current thread +- * context. However, it still needs to bump `s_stack_depth` to +- * avoid kernel stack overflow from nested filesystems. ++ * context. ++ * However, we still need to prevent kernel stack overflow due ++ * to filesystem nesting: just ensure that s_stack_depth is 0 ++ * to disallow mounting EROFS on stacked filesystems. ++ * Note: s_stack_depth is not incremented here for now, since ++ * EROFS is the only fs supporting file-backed mounts for now. ++ * It MUST change if another fs plans to support them, which ++ * may also require adjusting FILESYSTEM_MAX_STACK_DEPTH. 
+ */ + if (erofs_is_fileio_mode(sbi)) { +- sb->s_stack_depth = +- file_inode(sbi->dif0.file)->i_sb->s_stack_depth + 1; +- if (sb->s_stack_depth > FILESYSTEM_MAX_STACK_DEPTH) { +- erofs_err(sb, "maximum fs stacking depth exceeded"); ++ inode = file_inode(sbi->dif0.file); ++ if ((inode->i_sb->s_op == &erofs_sops && !sb->s_bdev) || ++ inode->i_sb->s_stack_depth) { ++ erofs_err(sb, "file-backed mounts cannot be applied to stacked fses"); + return -ENOTBLK; + } + } +-- +2.51.0 + diff --git a/queue-6.12/erofs-fix-file-backed-mounts-no-longer-working-on-er.patch b/queue-6.12/erofs-fix-file-backed-mounts-no-longer-working-on-er.patch new file mode 100644 index 0000000000..7b763db95a --- /dev/null +++ b/queue-6.12/erofs-fix-file-backed-mounts-no-longer-working-on-er.patch 
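Review bot: The `!sb->s_bdev` term in the new erofs_fc_fill_super() check inspects the superblock being mounted rather than the one holding the backing file, so taken on its own this patch refuses every file-backed EROFS image stored on EROFS, including one that sits on a block device. This queue also carries erofs-fix-file-backed-mounts-no-longer-working-on-er.patch, which changes the term to `!inode->i_sb->s_bdev`; the two should sit next to each other in queue-6.12/series (not visible here), and neither should be dropped or reordered without the other. Because `s_stack_depth` is no longer incremented for file-backed mounts, this check is the only thing bounding their nesting, so the pairing matters for the kernel-stack-overflow guard as well as for the regression. The function continues outside the hunk.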
@@ -0,0 +1,67 @@ +From 6a9fdc860a6337ebb413c3c43f70f6b4d3a68aa4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 Jan 2026 19:47:03 +0800 +Subject: erofs: fix file-backed mounts no longer working on EROFS partitions + +From: Gao Xiang + +[ Upstream commit 7893cc12251f6f19e7689a4cf3ba803bddbd8437 ] + +Sheng Yong reported [1] that Android APEX images didn't work with commit +072a7c7cdbea ("erofs: don't bother with s_stack_depth increasing for +now") because "EROFS-formatted APEX file images can be stored within an +EROFS-formatted Android system partition." + +In response, I sent a quick fat-fingered [PATCH v3] to address the +report. Unfortunately, the updated condition was incorrect: + + if (erofs_is_fileio_mode(sbi)) { +- sb->s_stack_depth = +- file_inode(sbi->dif0.file)->i_sb->s_stack_depth + 1; +- if (sb->s_stack_depth > FILESYSTEM_MAX_STACK_DEPTH) { +- erofs_err(sb, "maximum fs stacking depth exceeded"); ++ inode = file_inode(sbi->dif0.file); ++ if ((inode->i_sb->s_op == &erofs_sops && !sb->s_bdev) || ++ inode->i_sb->s_stack_depth) { + +The condition `!sb->s_bdev` is always true for all file-backed EROFS +mounts, making the check effectively a no-op. + +The real fix tested and confirmed by Sheng Yong [2] at that time was +[PATCH v3 RESEND], which correctly ensures the following EROFS^2 setup +works: + EROFS (on a block device) + EROFS (file-backed mount) + +But sadly I screwed it up again by upstreaming the outdated [PATCH v3]. + +This patch applies the same logic as the delta between the upstream +[PATCH v3] and the real fix [PATCH v3 RESEND]. 
+ +Reported-by: Sheng Yong +Closes: https://lore.kernel.org/r/3acec686-4020-4609-aee4-5dae7b9b0093@gmail.com [1] +Fixes: 072a7c7cdbea ("erofs: don't bother with s_stack_depth increasing for now") +Link: https://lore.kernel.org/r/243f57b8-246f-47e7-9fb1-27a771e8e9e8@gmail.com [2] +Signed-off-by: Gao Xiang +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/erofs/super.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/erofs/super.c b/fs/erofs/super.c +index f0b83beec6b24..bc968cf812bac 100644 +--- a/fs/erofs/super.c ++++ b/fs/erofs/super.c +@@ -652,7 +652,8 @@ static int erofs_fc_fill_super(struct super_block *sb, struct fs_context *fc) + */ + if (erofs_is_fileio_mode(sbi)) { + inode = file_inode(sbi->dif0.file); +- if ((inode->i_sb->s_op == &erofs_sops && !sb->s_bdev) || ++ if ((inode->i_sb->s_op == &erofs_sops && ++ !inode->i_sb->s_bdev) || + inode->i_sb->s_stack_depth) { + erofs_err(sb, "file-backed mounts cannot be applied to stacked fses"); + return -ENOTBLK; +-- +2.51.0 + diff --git a/queue-6.12/gpio-pca953x-add-support-for-level-triggered-interru.patch b/queue-6.12/gpio-pca953x-add-support-for-level-triggered-interru.patch new file mode 100644 index 0000000000..3d221b5ff8 --- /dev/null +++ b/queue-6.12/gpio-pca953x-add-support-for-level-triggered-interru.patch 
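Review bot: The corrected condition in `erofs_fc_fill_super()` has no comment saying which nestings it rejects, and the error string only says "stacked fses", so the next reader has to rediscover the distinction that the earlier `!sb->s_bdev` test got wrong. A comment directly above the `if` would help, for example `/* backing file lives on an EROFS without s_bdev, or on any fs with s_stack_depth != 0: refuse, to bound kernel stack use */`. The block comment that precedes this code starts outside the hunk, so it may already cover part of this. Since this check is what limits nesting depth, a mount test for each case would guard against another regression: a backing file on block-device EROFS accepted, and one on an EROFS without a block device rejected.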
@@ -0,0 +1,116 @@ +From dbe80d7eee72d2c41d9e9581f7099ef7dbf618be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Apr 2025 23:37:30 +0800 +Subject: gpio: pca953x: Add support for level-triggered interrupts + +From: Potin Lai + +[ Upstream commit 417b0f8d08f878615de9481c6e8827fbc8b57ed2 ] + +Adds support for level-triggered interrupts in the PCA953x GPIO +expander driver. Previously, the driver only supported edge-triggered +interrupts, which could lead to missed events in scenarios where an +interrupt condition persists until it is explicitly cleared. + +By enabling level-triggered interrupts, the driver can now detect and +respond to sustained interrupt conditions more reliably. + +Signed-off-by: Potin Lai +Link: https://lore.kernel.org/r/20250409-gpio-pca953x-level-triggered-irq-v3-1-7f184d814934@gmail.com +Signed-off-by: Bartosz Golaszewski +Stable-dep-of: 014a17deb412 ("gpio: pca953x: handle short interrupt pulses on PCAL devices") +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-pca953x.c | 32 +++++++++++++++++++++++++++----- + 1 file changed, 27 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpio/gpio-pca953x.c b/drivers/gpio/gpio-pca953x.c +index bb7c1bf5f856e..76879dc6461c4 100644 +--- a/drivers/gpio/gpio-pca953x.c ++++ b/drivers/gpio/gpio-pca953x.c +@@ -215,6 +215,8 @@ struct pca953x_chip { + DECLARE_BITMAP(irq_stat, MAX_LINE); + DECLARE_BITMAP(irq_trig_raise, MAX_LINE); + DECLARE_BITMAP(irq_trig_fall, MAX_LINE); ++ DECLARE_BITMAP(irq_trig_level_high, MAX_LINE); ++ DECLARE_BITMAP(irq_trig_level_low, MAX_LINE); + #endif + atomic_t wakeup_path; + +@@ -773,6 +775,8 @@ static void pca953x_irq_bus_sync_unlock(struct irq_data *d) + pca953x_read_regs(chip, chip->regs->direction, reg_direction); + + bitmap_or(irq_mask, chip->irq_trig_fall, chip->irq_trig_raise, gc->ngpio); ++ bitmap_or(irq_mask, irq_mask, chip->irq_trig_level_high, gc->ngpio); ++ bitmap_or(irq_mask, irq_mask, chip->irq_trig_level_low, gc->ngpio); + 
bitmap_complement(reg_direction, reg_direction, gc->ngpio); + bitmap_and(irq_mask, irq_mask, reg_direction, gc->ngpio); + +@@ -790,13 +794,15 @@ static int pca953x_irq_set_type(struct irq_data *d, unsigned int type) + struct device *dev = &chip->client->dev; + irq_hw_number_t hwirq = irqd_to_hwirq(d); + +- if (!(type & IRQ_TYPE_EDGE_BOTH)) { ++ if (!(type & IRQ_TYPE_SENSE_MASK)) { + dev_err(dev, "irq %d: unsupported type %d\n", d->irq, type); + return -EINVAL; + } + + assign_bit(hwirq, chip->irq_trig_fall, type & IRQ_TYPE_EDGE_FALLING); + assign_bit(hwirq, chip->irq_trig_raise, type & IRQ_TYPE_EDGE_RISING); ++ assign_bit(hwirq, chip->irq_trig_level_low, type & IRQ_TYPE_LEVEL_LOW); ++ assign_bit(hwirq, chip->irq_trig_level_high, type & IRQ_TYPE_LEVEL_HIGH); + + return 0; + } +@@ -809,6 +815,8 @@ static void pca953x_irq_shutdown(struct irq_data *d) + + clear_bit(hwirq, chip->irq_trig_raise); + clear_bit(hwirq, chip->irq_trig_fall); ++ clear_bit(hwirq, chip->irq_trig_level_low); ++ clear_bit(hwirq, chip->irq_trig_level_high); + } + + static void pca953x_irq_print_chip(struct irq_data *data, struct seq_file *p) +@@ -839,6 +847,7 @@ static bool pca953x_irq_pending(struct pca953x_chip *chip, unsigned long *pendin + DECLARE_BITMAP(cur_stat, MAX_LINE); + DECLARE_BITMAP(new_stat, MAX_LINE); + DECLARE_BITMAP(trigger, MAX_LINE); ++ DECLARE_BITMAP(edges, MAX_LINE); + int ret; + + ret = pca953x_read_regs(chip, chip->regs->input, cur_stat); +@@ -856,13 +865,26 @@ static bool pca953x_irq_pending(struct pca953x_chip *chip, unsigned long *pendin + + bitmap_copy(chip->irq_stat, new_stat, gc->ngpio); + +- if (bitmap_empty(trigger, gc->ngpio)) +- return false; ++ if (bitmap_empty(chip->irq_trig_level_high, gc->ngpio) && ++ bitmap_empty(chip->irq_trig_level_low, gc->ngpio)) { ++ if (bitmap_empty(trigger, gc->ngpio)) ++ return false; ++ } + + bitmap_and(cur_stat, chip->irq_trig_fall, old_stat, gc->ngpio); + bitmap_and(old_stat, chip->irq_trig_raise, new_stat, gc->ngpio); +- 
bitmap_or(new_stat, old_stat, cur_stat, gc->ngpio); +- bitmap_and(pending, new_stat, trigger, gc->ngpio); ++ bitmap_or(edges, old_stat, cur_stat, gc->ngpio); ++ bitmap_and(pending, edges, trigger, gc->ngpio); ++ ++ bitmap_and(cur_stat, new_stat, chip->irq_trig_level_high, gc->ngpio); ++ bitmap_and(cur_stat, cur_stat, chip->irq_mask, gc->ngpio); ++ bitmap_or(pending, pending, cur_stat, gc->ngpio); ++ ++ bitmap_complement(cur_stat, new_stat, gc->ngpio); ++ bitmap_and(cur_stat, cur_stat, reg_direction, gc->ngpio); ++ bitmap_and(old_stat, cur_stat, chip->irq_trig_level_low, gc->ngpio); ++ bitmap_and(old_stat, old_stat, chip->irq_mask, gc->ngpio); ++ bitmap_or(pending, pending, old_stat, gc->ngpio); + + return !bitmap_empty(pending, gc->ngpio); + } +-- +2.51.0 + diff --git a/queue-6.12/gpio-pca953x-handle-short-interrupt-pulses-on-pcal-d.patch b/queue-6.12/gpio-pca953x-handle-short-interrupt-pulses-on-pcal-d.patch new file mode 100644 index 0000000000..9180723829 --- /dev/null +++ b/queue-6.12/gpio-pca953x-handle-short-interrupt-pulses-on-pcal-d.patch 
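Review bot: The two level-triggered paths at the end of `pca953x_irq_pending()` reuse `cur_stat` and `old_stat` as scratch and mask differently, with nothing explaining why. The level-high path ANDs `new_stat` with `irq_trig_level_high` and `irq_mask`, while the level-low path also ANDs with `reg_direction` after `bitmap_complement()`. The extra mask is presumably needed because complementing sets the bits of output pins again; the line that computes `new_stat` is outside the hunk, so this is inferred. I would add `/* level-high: input pins that currently read 1 */` and `/* level-low: complement also sets output pins, so re-apply reg_direction */` above the two groups. The nested early-return test could also be flattened into a single `if` that checks `trigger`, `irq_trig_level_high` and `irq_trig_level_low` together.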
@@ -0,0 +1,148 @@ +From 91fd61b4f648dcc38498cd20928766b99d682481 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Dec 2025 16:30:25 +0100 +Subject: gpio: pca953x: handle short interrupt pulses on PCAL devices +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ernest Van Hoecke + +[ Upstream commit 014a17deb41201449f76df2b20c857a9c3294a7c ] + +GPIO drivers with latch input support may miss short pulses on input +pins even when input latching is enabled. The generic interrupt logic in +the pca953x driver reports interrupts by comparing the current input +value against the previously sampled one and only signals an event when +a level change is observed between two reads. + +For short pulses, the first edge is captured when the input register is +read, but if the signal returns to its previous level before the read, +the second edge is not observed. As a result, successive pulses can +produce identical input values at read time and no level change is +detected, causing interrupts to be missed. Below timing diagram shows +this situation where the top signal is the input pin level and the +bottom signal indicates the latched value. + +─────┐ ┌──*───────────────┐ ┌──*─────────────────┐ ┌──*─── + │ │ . │ │ . │ │ . + │ │ │ │ │ │ │ │ │ + └──*──┘ │ └──*──┘ │ └──*──┘ │ +Input │ │ │ │ │ │ + ▼ │ ▼ │ ▼ │ + IRQ │ IRQ │ IRQ │ + . . . +─────┐ .┌──────────────┐ .┌────────────────┐ .┌── + │ │ │ │ │ │ + │ │ │ │ │ │ + └────────*┘ └────────*┘ └────────*┘ +Latched │ │ │ + ▼ ▼ ▼ + READ 0 READ 0 READ 0 + NO CHANGE NO CHANGE + +PCAL variants provide an interrupt status register that records which +pins triggered an interrupt, but the status and input registers cannot +be read atomically. The interrupt status is only cleared when the input +port is read, and the input value must also be read to determine the +triggering edge. 
If another interrupt occurs on a different line after +the status register has been read but before the input register is +sampled, that event will not be reflected in the earlier status +snapshot, so relying solely on the interrupt status register is also +insufficient. + +Support for input latching and interrupt status handling was previously +added by [1], but the interrupt status-based logic was reverted by [2] +due to these issues. This patch addresses the original problem by +combining both sources of information. Events indicated by the interrupt +status register are merged with events detected through the existing +level-change logic. As a result: + +* short pulses, whose second edges are invisible, are detected via the + interrupt status register, and +* interrupts that occur between the status and input reads are still + caught by the generic level-change logic. + +This significantly improves robustness on devices that signal interrupts +as short pulses, while avoiding the issues that led to the earlier +reversion. In practice, even if only the first edge of a pulse is +observable, the interrupt is reliably detected. + +This fixes missed interrupts from an Ilitek touch controller with its +interrupt line connected to a PCAL6416A, where active-low pulses are +approximately 200 us long. 
+ +[1] commit 44896beae605 ("gpio: pca953x: add PCAL9535 interrupt support for Galileo Gen2") +[2] commit d6179f6c6204 ("gpio: pca953x: Improve interrupt support") + +Fixes: d6179f6c6204 ("gpio: pca953x: Improve interrupt support") +Signed-off-by: Ernest Van Hoecke +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20251217153050.142057-1-ernestvanhoecke@gmail.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-pca953x.c | 25 ++++++++++++++++++++++++- + 1 file changed, 24 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpio-pca953x.c b/drivers/gpio/gpio-pca953x.c +index 76879dc6461c4..34000f699ba7f 100644 +--- a/drivers/gpio/gpio-pca953x.c ++++ b/drivers/gpio/gpio-pca953x.c +@@ -846,14 +846,35 @@ static bool pca953x_irq_pending(struct pca953x_chip *chip, unsigned long *pendin + DECLARE_BITMAP(old_stat, MAX_LINE); + DECLARE_BITMAP(cur_stat, MAX_LINE); + DECLARE_BITMAP(new_stat, MAX_LINE); ++ DECLARE_BITMAP(int_stat, MAX_LINE); + DECLARE_BITMAP(trigger, MAX_LINE); + DECLARE_BITMAP(edges, MAX_LINE); + int ret; + ++ if (chip->driver_data & PCA_PCAL) { ++ /* Read INT_STAT before it is cleared by the input-port read. */ ++ ret = pca953x_read_regs(chip, PCAL953X_INT_STAT, int_stat); ++ if (ret) ++ return false; ++ } ++ + ret = pca953x_read_regs(chip, chip->regs->input, cur_stat); + if (ret) + return false; + ++ if (chip->driver_data & PCA_PCAL) { ++ /* Detect short pulses via INT_STAT. */ ++ bitmap_and(trigger, int_stat, chip->irq_mask, gc->ngpio); ++ ++ /* Apply filter for rising/falling edge selection. 
*/ ++ bitmap_replace(new_stat, chip->irq_trig_fall, chip->irq_trig_raise, ++ cur_stat, gc->ngpio); ++ ++ bitmap_and(int_stat, new_stat, trigger, gc->ngpio); ++ } else { ++ bitmap_zero(int_stat, gc->ngpio); ++ } ++ + /* Remove output pins from the equation */ + pca953x_read_regs(chip, chip->regs->direction, reg_direction); + +@@ -867,7 +888,8 @@ static bool pca953x_irq_pending(struct pca953x_chip *chip, unsigned long *pendin + + if (bitmap_empty(chip->irq_trig_level_high, gc->ngpio) && + bitmap_empty(chip->irq_trig_level_low, gc->ngpio)) { +- if (bitmap_empty(trigger, gc->ngpio)) ++ if (bitmap_empty(trigger, gc->ngpio) && ++ bitmap_empty(int_stat, gc->ngpio)) + return false; + } + +@@ -875,6 +897,7 @@ static bool pca953x_irq_pending(struct pca953x_chip *chip, unsigned long *pendin + bitmap_and(old_stat, chip->irq_trig_raise, new_stat, gc->ngpio); + bitmap_or(edges, old_stat, cur_stat, gc->ngpio); + bitmap_and(pending, edges, trigger, gc->ngpio); ++ bitmap_or(pending, pending, int_stat, gc->ngpio); + + bitmap_and(cur_stat, new_stat, chip->irq_trig_level_high, gc->ngpio); + bitmap_and(cur_stat, cur_stat, chip->irq_mask, gc->ngpio); +-- +2.51.0 + diff --git a/queue-6.12/hid-quirks-work-around-vid-pid-conflict-for-appledis.patch b/queue-6.12/hid-quirks-work-around-vid-pid-conflict-for-appledis.patch new file mode 100644 index 0000000000..72b7098ed0 --- /dev/null +++ b/queue-6.12/hid-quirks-work-around-vid-pid-conflict-for-appledis.patch 
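Review bot: The edge filter in the PCAL branch of `pca953x_irq_pending()` only works if `cur_stat` holds the latched level rather than the live pin level, and the code does not say so. `bitmap_replace(new_stat, chip->irq_trig_fall, chip->irq_trig_raise, cur_stat, gc->ngpio)` selects the falling-edge enable where the input reads 0 and the rising-edge enable where it reads 1. A falling-only line whose pulse has already ended therefore passes the filter only when the read returns the latched 0, as the diagram in the commit message shows. Where input latching is configured is not visible in this hunk; a comment such as `/* cur_stat is the latched value here, so it identifies the edge that raised INT_STAT */` would record the dependency. `trigger` and `new_stat` are also used as temporaries here before code outside the hunk appears to assign their real values, which deserves a short `/* scratch */` remark.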
@@ -0,0 +1,47 @@ +From a9a327af3244a579ae41793144086f5c4888f017 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Nov 2025 13:46:41 +0100 +Subject: HID: quirks: work around VID/PID conflict for appledisplay +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: René Rebe + +[ Upstream commit c7fabe4ad9219866c203164a214c474c95b36bf2 ] + +For years I wondered why the Apple Cinema Display driver would not +just work for me. Turns out the hidraw driver instantly takes it +over. Fix by adding appledisplay VID/PIDs to hid_have_special_driver. + +Fixes: 069e8a65cd79 ("Driver for Apple Cinema Display") +Signed-off-by: René Rebe +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-quirks.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c +index 2da21415e676c..192b8f63baaab 100644 +--- a/drivers/hid/hid-quirks.c ++++ b/drivers/hid/hid-quirks.c +@@ -232,6 +232,15 @@ static const struct hid_device_id hid_quirks[] = { + * used as a driver. See hid_scan_report(). + */ + static const struct hid_device_id hid_have_special_driver[] = { ++#if IS_ENABLED(CONFIG_APPLEDISPLAY) ++ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x9218) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x9219) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x921c) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x921d) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x9222) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x9226) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x9236) }, ++#endif + #if IS_ENABLED(CONFIG_HID_A4TECH) + { HID_USB_DEVICE(USB_VENDOR_ID_A4TECH, USB_DEVICE_ID_A4TECH_WCP32PU) }, + { HID_USB_DEVICE(USB_VENDOR_ID_A4TECH, USB_DEVICE_ID_A4TECH_X5_005D) }, +-- +2.51.0 + diff --git a/queue-6.12/idpf-cap-maximum-rx-buffer-size.patch b/queue-6.12/idpf-cap-maximum-rx-buffer-size.patch new file mode 100644 index 0000000000..2430181ad8 --- /dev/null 
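Review bot: The seven product IDs added to `hid_have_special_driver[]` are bare hex literals (`0x9218` through `0x9236`), while the neighbouring entries use named `USB_DEVICE_ID_*` constants. Nothing in the hunk ties these values to the appledisplay driver's own device table, so the two lists can drift apart silently and a newly supported display would again be claimed by the generic HID path. I would either give the IDs names shared by both files or add a comment above the block, e.g. `/* keep in sync with the device table of the appledisplay driver */`. The `#if IS_ENABLED(CONFIG_APPLEDISPLAY)` block is also placed ahead of `CONFIG_HID_A4TECH`; if the table is meant to stay sorted by option name, it should move.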
+++ b/queue-6.12/idpf-cap-maximum-rx-buffer-size.patch 
@@ -0,0 +1,75 @@ +From bd5c311f450ad8cb5fbcd7ac7704b8ab60911de4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Nov 2025 13:20:36 -0800 +Subject: idpf: cap maximum Rx buffer size + +From: Joshua Hay + +[ Upstream commit 086efe0a1ecc36cffe46640ce12649a4cd3ff171 ] + +The HW only supports a maximum Rx buffer size of 16K-128. On systems +using large pages, the libeth logic can configure the buffer size to be +larger than this. The upper bound is PAGE_SIZE while the lower bound is +MTU rounded up to the nearest power of 2. For example, ARM systems with +a 64K page size and an mtu of 9000 will set the Rx buffer size to 16K, +which will cause the config Rx queues message to fail. + +Initialize the bufq/fill queue buf_len field to the maximum supported +size. This will trigger the libeth logic to cap the maximum Rx buffer +size by reducing the upper bound. + +Fixes: 74d1412ac8f37 ("idpf: use libeth Rx buffer management for payload buffer") +Signed-off-by: Joshua Hay +Acked-by: Alexander Lobakin +Reviewed-by: Madhu Chittim +Reviewed-by: Jacob Keller +Reviewed-by: Aleksandr Loktionov +Reviewed-by: David Decotigny +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/idpf/idpf_txrx.c | 8 +++++--- + drivers/net/ethernet/intel/idpf/idpf_txrx.h | 1 + + 2 files changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/idpf/idpf_txrx.c b/drivers/net/ethernet/intel/idpf/idpf_txrx.c +index d03fb063a1efa..3ddf7b1e85ef4 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.c ++++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.c +@@ -655,9 +655,10 @@ static int idpf_rx_buf_alloc_singleq(struct idpf_rx_queue *rxq) + static int idpf_rx_bufs_init_singleq(struct idpf_rx_queue *rxq) + { + struct libeth_fq fq = { +- .count = rxq->desc_count, +- .type = LIBETH_FQE_MTU, +- .nid = idpf_q_vector_to_mem(rxq->q_vector), ++ .count = rxq->desc_count, ++ .type = LIBETH_FQE_MTU, ++ .buf_len = IDPF_RX_MAX_BUF_SZ, ++ .nid = 
idpf_q_vector_to_mem(rxq->q_vector), + }; + int ret; + +@@ -714,6 +715,7 @@ static int idpf_rx_bufs_init(struct idpf_buf_queue *bufq, + .truesize = bufq->truesize, + .count = bufq->desc_count, + .type = type, ++ .buf_len = IDPF_RX_MAX_BUF_SZ, + .hsplit = idpf_queue_has(HSPLIT_EN, bufq), + .nid = idpf_q_vector_to_mem(bufq->q_vector), + }; +diff --git a/drivers/net/ethernet/intel/idpf/idpf_txrx.h b/drivers/net/ethernet/intel/idpf/idpf_txrx.h +index 48d55b373425b..5f8a9b9f5d5d7 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.h ++++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.h +@@ -96,6 +96,7 @@ do { \ + idx = 0; \ + } while (0) + ++#define IDPF_RX_MAX_BUF_SZ (16384 - 128) + #define IDPF_RX_BUF_STRIDE 32 + #define IDPF_RX_BUF_POST_STRIDE 16 + #define IDPF_LOW_WATERMARK 64 +-- +2.51.0 + diff --git a/queue-6.12/idpf-fix-memory-leak-in-idpf_vport_rel.patch b/queue-6.12/idpf-fix-memory-leak-in-idpf_vport_rel.patch new file mode 100644 index 0000000000..818ff9f239 --- /dev/null +++ b/queue-6.12/idpf-fix-memory-leak-in-idpf_vport_rel.patch 
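Review bot: `IDPF_RX_MAX_BUF_SZ` is defined as `(16384 - 128)` with no comment, so the reason for the value lives only in the commit message. I would write `#define IDPF_RX_MAX_BUF_SZ (16384 - 128) /* largest Rx buffer the HW accepts: 16K - 128 */` in idpf_txrx.h. Both initialisers (`idpf_rx_bufs_init_singleq()` and `idpf_rx_bufs_init()`) rely on libeth treating a preset `.buf_len` as an upper bound. That logic is not part of this diff, so for a stable backport it is worth confirming that the libeth code in this tree reads the field before overwriting it. If it does not, the cap is silently ignored and the queue-config failure described in the commit message remains.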
@@ -0,0 +1,54 @@ +From a856addb4724dcb070ceb8e5df3fb2db2a79965b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Nov 2025 16:12:16 -0800 +Subject: idpf: fix memory leak in idpf_vport_rel() + +From: Emil Tantilov + +[ Upstream commit f6242b354605faff263ca45882b148200915a3f6 ] + +Free vport->rx_ptype_lkup in idpf_vport_rel() to avoid leaking memory +during a reset. Reported by kmemleak: + +unreferenced object 0xff450acac838a000 (size 4096): + comm "kworker/u258:5", pid 7732, jiffies 4296830044 + hex dump (first 32 bytes): + 00 00 00 00 00 10 00 00 00 10 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 ................ + backtrace (crc 3da81902): + __kmalloc_cache_noprof+0x469/0x7a0 + idpf_send_get_rx_ptype_msg+0x90/0x570 [idpf] + idpf_init_task+0x1ec/0x8d0 [idpf] + process_one_work+0x226/0x6d0 + worker_thread+0x19e/0x340 + kthread+0x10f/0x250 + ret_from_fork+0x251/0x2b0 + ret_from_fork_asm+0x1a/0x30 + +Fixes: 0fe45467a104 ("idpf: add create vport and netdev configuration") +Signed-off-by: Emil Tantilov +Reviewed-by: Aleksandr Loktionov +Reviewed-by: Madhu Chittim +Tested-by: Samuel Salin +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/idpf/idpf_lib.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/intel/idpf/idpf_lib.c b/drivers/net/ethernet/intel/idpf/idpf_lib.c +index 568b57cb2298e..a0677b3277839 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_lib.c ++++ b/drivers/net/ethernet/intel/idpf/idpf_lib.c +@@ -968,6 +968,8 @@ static void idpf_vport_rel(struct idpf_vport *vport) + kfree(adapter->vport_config[idx]->req_qs_chunks); + adapter->vport_config[idx]->req_qs_chunks = NULL; + } ++ kfree(vport->rx_ptype_lkup); ++ vport->rx_ptype_lkup = NULL; + kfree(vport); + adapter->num_alloc_vports--; + } +-- +2.51.0 + 
diff --git a/queue-6.12/idpf-keep-the-netdev-when-a-reset-fails.patch b/queue-6.12/idpf-keep-the-netdev-when-a-reset-fails.patch new file mode 100644 index 0000000000..8836be341b --- /dev/null +++ b/queue-6.12/idpf-keep-the-netdev-when-a-reset-fails.patch 
@@ -0,0 +1,107 @@ +From 907e7665d61da1b19aae6972dd40a59e9b71fb66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Nov 2025 16:12:14 -0800 +Subject: idpf: keep the netdev when a reset fails + +From: Emil Tantilov + +[ Upstream commit 083029bd8b445595222a3cd14076b880781c1765 ] + +During a successful reset the driver would re-allocate vport resources +while keeping the netdevs intact. However, in case of an error in the +init task, the netdev of the failing vport will be unregistered, +effectively removing the network interface: + +[ 121.211076] idpf 0000:83:00.0: enabling device (0100 -> 0102) +[ 121.221976] idpf 0000:83:00.0: Device HW Reset initiated +[ 124.161229] idpf 0000:83:00.0 ens801f0: renamed from eth0 +[ 124.163364] idpf 0000:83:00.0 ens801f0d1: renamed from eth1 +[ 125.934656] idpf 0000:83:00.0 ens801f0d2: renamed from eth2 +[ 128.218429] idpf 0000:83:00.0 ens801f0d3: renamed from eth3 + +ip -br a +ens801f0 UP +ens801f0d1 UP +ens801f0d2 UP +ens801f0d3 UP +echo 1 > /sys/class/net/ens801f0/device/reset + +[ 145.885537] idpf 0000:83:00.0: resetting +[ 145.990280] idpf 0000:83:00.0: reset done +[ 146.284766] idpf 0000:83:00.0: HW reset detected +[ 146.296610] idpf 0000:83:00.0: Device HW Reset initiated +[ 211.556719] idpf 0000:83:00.0: Transaction timed-out (op:526 cookie:7700 vc_op:526 salt:77 timeout:60000ms) +[ 272.996705] idpf 0000:83:00.0: Transaction timed-out (op:502 cookie:7800 vc_op:502 salt:78 timeout:60000ms) + +ip -br a +ens801f0d1 DOWN +ens801f0d2 DOWN +ens801f0d3 DOWN + +Re-shuffle the logic in the error path of the init task to make sure the +netdevs remain intact. This will allow the driver to attempt recovery via +subsequent resets, provided the FW is still functional. + +The main change is to make sure that idpf_decfg_netdev() is not called +should the init task fail during a reset. The error handling is +consolidated under unwind_vports, as the removed labels had the same +cleanup logic split depending on the point of failure. 
+ +Fixes: ce1b75d0635c ("idpf: add ptypes and MAC filter support") +Signed-off-by: Emil Tantilov +Reviewed-by: Aleksandr Loktionov +Tested-by: Samuel Salin +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/idpf/idpf_lib.c | 17 ++++++----------- + 1 file changed, 6 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/ethernet/intel/idpf/idpf_lib.c b/drivers/net/ethernet/intel/idpf/idpf_lib.c +index 173ddc2488678..568b57cb2298e 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_lib.c ++++ b/drivers/net/ethernet/intel/idpf/idpf_lib.c +@@ -1500,6 +1500,10 @@ void idpf_init_task(struct work_struct *work) + goto unwind_vports; + } + ++ err = idpf_send_get_rx_ptype_msg(vport); ++ if (err) ++ goto unwind_vports; ++ + index = vport->idx; + vport_config = adapter->vport_config[index]; + +@@ -1512,15 +1516,11 @@ void idpf_init_task(struct work_struct *work) + err = idpf_check_supported_desc_ids(vport); + if (err) { + dev_err(&pdev->dev, "failed to get required descriptor ids\n"); +- goto cfg_netdev_err; ++ goto unwind_vports; + } + + if (idpf_cfg_netdev(vport)) +- goto cfg_netdev_err; +- +- err = idpf_send_get_rx_ptype_msg(vport); +- if (err) +- goto handle_err; ++ goto unwind_vports; + + /* Once state is put into DOWN, driver is ready for dev_open */ + np = netdev_priv(vport->netdev); +@@ -1558,11 +1558,6 @@ void idpf_init_task(struct work_struct *work) + + return; + +-handle_err: +- idpf_decfg_netdev(vport); +-cfg_netdev_err: +- idpf_vport_rel(vport); +- adapter->vports[index] = NULL; + unwind_vports: + if (default_vport) { + for (index = 0; index < adapter->max_vports; index++) { +-- +2.51.0 + diff --git a/queue-6.12/inet-ping-fix-icmp-out-counting.patch b/queue-6.12/inet-ping-fix-icmp-out-counting.patch new file mode 100644 index 0000000000..808c2bfcfe --- /dev/null +++ b/queue-6.12/inet-ping-fix-icmp-out-counting.patch 
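Review bot: The failure paths after `idpf_check_supported_desc_ids()` and `idpf_cfg_netdev()` used to run `idpf_vport_rel(vport)` and `adapter->vports[index] = NULL`; they now jump straight to `unwind_vports`, whose visible part is a loop guarded by `if (default_vport)`. The rest of that label is outside the hunk, so it cannot be confirmed from here whether a failing non-default vport is still released or stays referenced in `adapter->vports[]`. If the vport is deliberately kept so a later reset can retry, a comment at the label should say who frees it, e.g. `/* vport stays allocated; released on remove or by the next reset */`. The same question applies to the `idpf_send_get_rx_ptype_msg()` failure, which now happens before `index` is assigned.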
@@ -0,0 +1,55 @@ +From 5d40c6e8edfba15ec6b6e85ee00104350466cba1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Dec 2025 14:31:45 +0800 +Subject: inet: ping: Fix icmp out counting + +From: yuan.gao + +[ Upstream commit 4c0856c225b39b1def6c9a6bc56faca79550da13 ] + +When the ping program uses an IPPROTO_ICMP socket to send ICMP_ECHO +messages, ICMP_MIB_OUTMSGS is counted twice. + + ping_v4_sendmsg + ping_v4_push_pending_frames + ip_push_pending_frames + ip_finish_skb + __ip_make_skb + icmp_out_count(net, icmp_type); // first count + icmp_out_count(sock_net(sk), user_icmph.type); // second count + +However, when the ping program uses an IPPROTO_RAW socket, +ICMP_MIB_OUTMSGS is counted correctly only once. + +Therefore, the first count should be removed. + +Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind") +Signed-off-by: yuan.gao +Reviewed-by: Ido Schimmel +Tested-by: Ido Schimmel +Link: https://patch.msgid.link/20251224063145.3615282-1-yuan.gao@ucloud.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/ping.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c +index 37a3fa98d904f..f62b17f59bb4a 100644 +--- a/net/ipv4/ping.c ++++ b/net/ipv4/ping.c +@@ -839,10 +839,8 @@ static int ping_v4_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) + out_free: + if (free) + kfree(ipc.opt); +- if (!err) { +- icmp_out_count(sock_net(sk), user_icmph.type); ++ if (!err) + return len; +- } + return err; + + do_confirm: +-- +2.51.0 + diff --git a/queue-6.12/net-enetc-fix-build-warning-when-page_size-is-greate.patch b/queue-6.12/net-enetc-fix-build-warning-when-page_size-is-greate.patch new file mode 100644 index 0000000000..e02f5a2167 --- /dev/null +++ b/queue-6.12/net-enetc-fix-build-warning-when-page_size-is-greate.patch 
@@ -0,0 +1,49 @@ +From 286b69b5c713e4ddbb74e926cd35bdf0db6d37ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jan 2026 17:12:04 +0800 +Subject: net: enetc: fix build warning when PAGE_SIZE is greater than 128K + +From: Wei Fang + +[ Upstream commit 4b5bdabb5449b652122e43f507f73789041d4abe ] + +The max buffer size of ENETC RX BD is 0xFFFF bytes, so if the PAGE_SIZE +is greater than 128K, ENETC_RXB_DMA_SIZE and ENETC_RXB_DMA_SIZE_XDP will +be greater than 0xFFFF, thus causing a build warning. + +This will not cause any practical issues because ENETC is currently only +used on the ARM64 platform, and the max PAGE_SIZE is 64K. So this patch +is only for fixing the build warning that occurs when compiling ENETC +drivers for other platforms. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202601050637.kHEKKOG7-lkp@intel.com/ +Fixes: e59bc32df2e9 ("net: enetc: correct the value of ENETC_RXB_TRUESIZE") +Signed-off-by: Wei Fang +Reviewed-by: Frank Li +Link: https://patch.msgid.link/20260107091204.1980222-1-wei.fang@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/enetc/enetc.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/enetc/enetc.h b/drivers/net/ethernet/freescale/enetc/enetc.h +index bf72b2825fa68..2b052bea78bc1 100644 +--- a/drivers/net/ethernet/freescale/enetc/enetc.h ++++ b/drivers/net/ethernet/freescale/enetc/enetc.h +@@ -44,9 +44,9 @@ struct enetc_tx_swbd { + #define ENETC_RXB_TRUESIZE (PAGE_SIZE >> 1) + #define ENETC_RXB_PAD NET_SKB_PAD /* add extra space if needed */ + #define ENETC_RXB_DMA_SIZE \ +- (SKB_WITH_OVERHEAD(ENETC_RXB_TRUESIZE) - ENETC_RXB_PAD) ++ min(SKB_WITH_OVERHEAD(ENETC_RXB_TRUESIZE) - ENETC_RXB_PAD, 0xffff) + #define ENETC_RXB_DMA_SIZE_XDP \ +- (SKB_WITH_OVERHEAD(ENETC_RXB_TRUESIZE) - XDP_PACKET_HEADROOM) ++ min(SKB_WITH_OVERHEAD(ENETC_RXB_TRUESIZE) - XDP_PACKET_HEADROOM, 0xffff) + + 
struct enetc_rx_swbd { + dma_addr_t dma; +-- +2.51.0 + diff --git a/queue-6.12/net-fix-memory-leak-in-skb_segment_list-for-gro-pack.patch b/queue-6.12/net-fix-memory-leak-in-skb_segment_list-for-gro-pack.patch new file mode 100644 index 0000000000..3082655a18 --- /dev/null +++ b/queue-6.12/net-fix-memory-leak-in-skb_segment_list-for-gro-pack.patch 
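Review bot: The clamp value `0xffff` appears as a bare literal in both `ENETC_RXB_DMA_SIZE` and `ENETC_RXB_DMA_SIZE_XDP`. The commit message gives its meaning (the maximum buffer size of an RX BD), and a named constant would carry that into the header, for instance `#define ENETC_RXB_DMA_SIZE_MAX 0xffff /* RX BD buffer size limit */` (the name is a suggestion) used in both `min()` calls. Because these macros now expand to `min()`, it is also worth checking that every use site accepts that expansion, for example where a compile-time constant is required. The use sites are not in this hunk.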
@@ -0,0 +1,108 @@ +From 854c810b6be4ffdab67e7558a4e4ebdb1c4f4ef8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Jan 2026 23:31:01 +0200 +Subject: net: fix memory leak in skb_segment_list for GRO packets + +From: Mohammad Heib + +[ Upstream commit 238e03d0466239410b72294b79494e43d4fabe77 ] + +When skb_segment_list() is called during packet forwarding, it handles +packets that were aggregated by the GRO engine. + +Historically, the segmentation logic in skb_segment_list assumes that +individual segments are split from a parent SKB and may need to carry +their own socket memory accounting. Accordingly, the code transfers +truesize from the parent to the newly created segments. + +Prior to commit ed4cccef64c1 ("gro: fix ownership transfer"), this +truesize subtraction in skb_segment_list() was valid because fragments +still carry a reference to the original socket. + +However, commit ed4cccef64c1 ("gro: fix ownership transfer") changed +this behavior by ensuring that fraglist entries are explicitly +orphaned (skb->sk = NULL) to prevent illegal orphaning later in the +stack. This change meant that the entire socket memory charge remained +with the head SKB, but the corresponding accounting logic in +skb_segment_list() was never updated. + +As a result, the current code unconditionally adds each fragment's +truesize to delta_truesize and subtracts it from the parent SKB. Since +the fragments are no longer charged to the socket, this subtraction +results in an effective under-count of memory when the head is freed. +This causes sk_wmem_alloc to remain non-zero, preventing socket +destruction and leading to a persistent memory leak. 
+ +The leak can be observed via KMEMLEAK when tearing down the networking +environment: + +unreferenced object 0xffff8881e6eb9100 (size 2048): + comm "ping", pid 6720, jiffies 4295492526 + backtrace: + kmem_cache_alloc_noprof+0x5c6/0x800 + sk_prot_alloc+0x5b/0x220 + sk_alloc+0x35/0xa00 + inet6_create.part.0+0x303/0x10d0 + __sock_create+0x248/0x640 + __sys_socket+0x11b/0x1d0 + +Since skb_segment_list() is exclusively used for SKB_GSO_FRAGLIST +packets constructed by GRO, the truesize adjustment is removed. + +The call to skb_release_head_state() must be preserved. As documented in +commit cf673ed0e057 ("net: fix fraglist segmentation reference count +leak"), it is still required to correctly drop references to SKB +extensions that may be overwritten during __copy_skb_header(). + +Fixes: ed4cccef64c1 ("gro: fix ownership transfer") +Signed-off-by: Mohammad Heib +Reviewed-by: Willem de Bruijn +Link: https://patch.msgid.link/20260104213101.352887-1-mheib@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/skbuff.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index 6a92c03ee6f42..c3e1395d8ac5c 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -4585,12 +4585,14 @@ struct sk_buff *skb_segment_list(struct sk_buff *skb, + { + struct sk_buff *list_skb = skb_shinfo(skb)->frag_list; + unsigned int tnl_hlen = skb_tnl_header_len(skb); +- unsigned int delta_truesize = 0; + unsigned int delta_len = 0; + struct sk_buff *tail = NULL; + struct sk_buff *nskb, *tmp; + int len_diff, err; + ++ /* Only skb_gro_receive_list generated skbs arrive here */ ++ DEBUG_NET_WARN_ON_ONCE(!(skb_shinfo(skb)->gso_type & SKB_GSO_FRAGLIST)); ++ + skb_push(skb, -skb_network_offset(skb) + offset); + + /* Ensure the head is writeable before touching the shared info */ +@@ -4604,8 +4606,9 @@ struct sk_buff *skb_segment_list(struct sk_buff *skb, + nskb = list_skb; + list_skb = list_skb->next; 
+ ++ DEBUG_NET_WARN_ON_ONCE(nskb->sk); ++ + err = 0; +- delta_truesize += nskb->truesize; + if (skb_shared(nskb)) { + tmp = skb_clone(nskb, GFP_ATOMIC); + if (tmp) { +@@ -4648,7 +4651,6 @@ struct sk_buff *skb_segment_list(struct sk_buff *skb, + goto err_linearize; + } + +- skb->truesize = skb->truesize - delta_truesize; + skb->data_len = skb->data_len - delta_len; + skb->len = skb->len - delta_len; + +-- +2.51.0 + diff --git a/queue-6.12/net-marvell-prestera-fix-null-dereference-on-devlink.patch b/queue-6.12/net-marvell-prestera-fix-null-dereference-on-devlink.patch new file mode 100644 index 0000000000..ab2298b6a5 --- /dev/null +++ b/queue-6.12/net-marvell-prestera-fix-null-dereference-on-devlink.patch 
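Review bot: Dropping the truesize adjustment in `skb_segment_list()` rests on two assumptions that are checked only by `DEBUG_NET_WARN_ON_ONCE()`: the head carries `SKB_GSO_FRAGLIST` and every `nskb->sk` is NULL. As far as I know that macro is compiled out unless CONFIG_DEBUG_NET is set. If a fragment ever arrives with a socket attached, a production kernel gives no signal and the memory accounting may be off again. The code should at least state the invariant where the subtraction used to be, e.g. `/* frag_list skbs were orphaned by GRO; the head keeps the whole truesize charge */` above the `skb->data_len` update. The function starts and ends outside the hunks shown.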
@@ -0,0 +1,44 @@ +From 3ed3d9389a3f11a563ca3299fdd917a0383cb77a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Dec 2025 21:21:18 -0800 +Subject: net: marvell: prestera: fix NULL dereference on devlink_alloc() + failure + +From: Alok Tiwari + +[ Upstream commit a428e0da1248c353557970848994f35fd3f005e2 ] + +devlink_alloc() may return NULL on allocation failure, but +prestera_devlink_alloc() unconditionally calls devlink_priv() on +the returned pointer. + +This leads to a NULL pointer dereference if devlink allocation fails. +Add a check for a NULL devlink pointer and return NULL early to avoid +the crash. + +Fixes: 34dd1710f5a3 ("net: marvell: prestera: Add basic devlink support") +Signed-off-by: Alok Tiwari +Acked-by: Elad Nachman +Link: https://patch.msgid.link/20251230052124.897012-1-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/prestera/prestera_devlink.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/marvell/prestera/prestera_devlink.c b/drivers/net/ethernet/marvell/prestera/prestera_devlink.c +index 2a4c9df4eb797..e63d95c1842f3 100644 +--- a/drivers/net/ethernet/marvell/prestera/prestera_devlink.c ++++ b/drivers/net/ethernet/marvell/prestera/prestera_devlink.c +@@ -387,6 +387,8 @@ struct prestera_switch *prestera_devlink_alloc(struct prestera_device *dev) + + dl = devlink_alloc(&prestera_dl_ops, sizeof(struct prestera_switch), + dev->dev); ++ if (!dl) ++ return NULL; + + return devlink_priv(dl); + } +-- +2.51.0 + diff --git a/queue-6.12/net-mlx5e-don-t-print-error-message-due-to-invalid-m.patch b/queue-6.12/net-mlx5e-don-t-print-error-message-due-to-invalid-m.patch new file mode 100644 index 0000000000..9d653047d4 --- /dev/null +++ b/queue-6.12/net-mlx5e-don-t-print-error-message-due-to-invalid-m.patch 
@@ -0,0 +1,50 @@ +From fa4ce901855f54fc9619600ddcc8ce911acad5a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Dec 2025 15:27:16 +0200 +Subject: net/mlx5e: Don't print error message due to invalid module + +From: Gal Pressman + +[ Upstream commit 144297e2a24e3e54aee1180ec21120ea38822b97 ] + +Dumping module EEPROM on newer modules is supported through the netlink +interface only. + +Querying with old userspace ethtool (or other tools, such as 'lshw') +which still uses the ioctl interface results in an error message that +could flood dmesg (in addition to the expected error return value). +The original message was added under the assumption that the driver +should be able to handle all module types, but now that such flows are +easily triggered from userspace, it doesn't serve its purpose. + +Change the log level of the print in mlx5_query_module_eeprom() to +debug. + +Fixes: bb64143eee8c ("net/mlx5e: Add ethtool support for dump module EEPROM") +Signed-off-by: Gal Pressman +Reviewed-by: Tariq Toukan +Signed-off-by: Mark Bloch +Link: https://patch.msgid.link/20251225132717.358820-5-mbloch@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/port.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/port.c b/drivers/net/ethernet/mellanox/mlx5/core/port.c +index 389b34d56b751..79c477e05e46c 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/port.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/port.c +@@ -430,7 +430,8 @@ int mlx5_query_module_eeprom(struct mlx5_core_dev *dev, + mlx5_qsfp_eeprom_params_set(&query.i2c_address, &query.page, &offset); + break; + default: +- mlx5_core_err(dev, "Module ID not recognized: 0x%x\n", module_id); ++ mlx5_core_dbg(dev, "Module ID not recognized: 0x%x\n", ++ module_id); + return -EINVAL; + } + +-- +2.51.0 + 
diff --git a/queue-6.12/net-mscc-ocelot-fix-crash-when-adding-interface-unde.patch b/queue-6.12/net-mscc-ocelot-fix-crash-when-adding-interface-unde.patch new file mode 100644 index 0000000000..5a35e70456 --- /dev/null +++ b/queue-6.12/net-mscc-ocelot-fix-crash-when-adding-interface-unde.patch 
@@ -0,0 +1,56 @@ +From 6f6d219b22586a10ddd1ed17ebe4af215c383632 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Dec 2025 20:36:17 +0000 +Subject: net: mscc: ocelot: Fix crash when adding interface under a lag + +From: Jerry Wu + +[ Upstream commit 34f3ff52cb9fa7dbf04f5c734fcc4cb6ed5d1a95 ] + +Commit 15faa1f67ab4 ("lan966x: Fix crash when adding interface under a lag") +fixed a similar issue in the lan966x driver caused by a NULL pointer dereference. +The ocelot_set_aggr_pgids() function in the ocelot driver has similar logic +and is susceptible to the same crash. + +This issue specifically affects the ocelot_vsc7514.c frontend, which leaves +unused ports as NULL pointers. The felix_vsc9959.c frontend is unaffected as +it uses the DSA framework which registers all ports. + +Fix this by checking if the port pointer is valid before accessing it. + +Fixes: 528d3f190c98 ("net: mscc: ocelot: drop the use of the "lags" array") +Signed-off-by: Jerry Wu +Reviewed-by: Vladimir Oltean +Link: https://patch.msgid.link/tencent_75EF812B305E26B0869C673DD1160866C90A@qq.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mscc/ocelot.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mscc/ocelot.c b/drivers/net/ethernet/mscc/ocelot.c +index 08bee56aea35f..c345d9b17c892 100644 +--- a/drivers/net/ethernet/mscc/ocelot.c ++++ b/drivers/net/ethernet/mscc/ocelot.c +@@ -2307,14 +2307,16 @@ static void ocelot_set_aggr_pgids(struct ocelot *ocelot) + + /* Now, set PGIDs for each active LAG */ + for (lag = 0; lag < ocelot->num_phys_ports; lag++) { +- struct net_device *bond = ocelot->ports[lag]->bond; ++ struct ocelot_port *ocelot_port = ocelot->ports[lag]; + int num_active_ports = 0; ++ struct net_device *bond; + unsigned long bond_mask; + u8 aggr_idx[16]; + +- if (!bond || (visited & BIT(lag))) ++ if (!ocelot_port || !ocelot_port->bond || (visited & BIT(lag))) + continue; + ++ bond = 
ocelot_port->bond; + bond_mask = ocelot_get_bond_mask(ocelot, bond); + + for_each_set_bit(port, &bond_mask, ocelot->num_phys_ports) { +-- +2.51.0 + diff --git a/queue-6.12/net-netdevsim-fix-inconsistent-carrier-state-after-l.patch b/queue-6.12/net-netdevsim-fix-inconsistent-carrier-state-after-l.patch new file mode 100644 index 0000000000..9f83c2d821 --- /dev/null +++ b/queue-6.12/net-netdevsim-fix-inconsistent-carrier-state-after-l.patch 
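Review bot: The new `!ocelot_port` test in the LAG loop of ocelot_set_aggr_pgids() has no comment saying why an entry of `ocelot->ports[]` can be NULL, so a later cleanup could fold the check away again. The commit message gives the reason (the ocelot_vsc7514 frontend leaves unused ports as NULL pointers), and I would record it above the test: `/* unused ports are NULL on the ocelot_vsc7514 frontend */`. The body of the `for_each_set_bit()` loop and the rest of the function are outside the hunk, so any other `ocelot->ports[i]->` dereference there should be checked against the same condition.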
@@ -0,0 +1,79 @@ +From 6fdaf470fc8829864475f5ed2697209aab582eab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Jan 2026 00:17:32 +0900 +Subject: net: netdevsim: fix inconsistent carrier state after link/unlink + +From: Yohei Kojima + +[ Upstream commit d83dddffe1904e4a576d11a541878850a8e64cd2 ] + +This patch fixes the edge case behavior on ifup/ifdown and +linking/unlinking two netdevsim interfaces: + +1. unlink two interfaces netdevsim1 and netdevsim2 +2. ifdown netdevsim1 +3. ifup netdevsim1 +4. link two interfaces netdevsim1 and netdevsim2 +5. (Now two interfaces are linked in terms of netdevsim peer, but + carrier state of the two interfaces remains DOWN.) + +This inconsistent behavior is caused by the current implementation, +which only cares about the "link, then ifup" order, not "ifup, then +link" order. This patch fixes the inconsistency by calling +netif_carrier_on() when two netdevsim interfaces are linked. + +This patch fixes buggy behavior on NetworkManager-based systems which +causes the netdevsim test to fail with the following error: + + # timeout set to 600 + # selftests: drivers/net/netdevsim: peer.sh + # 2025/12/25 00:54:03 socat[9115] W address is opened in read-write mode but only supports read-only + # 2025/12/25 00:56:17 socat[9115] W connect(7, AF=2 192.168.1.1:1234, 16): Connection timed out + # 2025/12/25 00:56:17 socat[9115] E TCP:192.168.1.1:1234: Connection timed out + # expected 3 bytes, got 0 + # 2025/12/25 00:56:17 socat[9109] W exiting on signal 15 + not ok 13 selftests: drivers/net/netdevsim: peer.sh # exit=1 + +This patch also solves timeout on TCP Fast Open (TFO) test in +NetworkManager-based systems because it also depends on netdevsim's +carrier consistency. 
+ +Fixes: 1a8fed52f7be ("netdevsim: set the carrier when the device goes up") +Signed-off-by: Yohei Kojima +Reviewed-by: Breno Leitao +Link: https://patch.msgid.link/602c9e1ba5bb2ee1997bb38b1d866c9c3b807ae9.1767624906.git.yk@y-koj.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/netdevsim/bus.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/net/netdevsim/bus.c b/drivers/net/netdevsim/bus.c +index 64c0cdd31bf85..067cbf788da48 100644 +--- a/drivers/net/netdevsim/bus.c ++++ b/drivers/net/netdevsim/bus.c +@@ -314,6 +314,11 @@ static ssize_t link_device_store(const struct bus_type *bus, const char *buf, si + rcu_assign_pointer(nsim_a->peer, nsim_b); + rcu_assign_pointer(nsim_b->peer, nsim_a); + ++ if (netif_running(dev_a) && netif_running(dev_b)) { ++ netif_carrier_on(dev_a); ++ netif_carrier_on(dev_b); ++ } ++ + out_err: + put_net(ns_b); + put_net(ns_a); +@@ -363,6 +368,9 @@ static ssize_t unlink_device_store(const struct bus_type *bus, const char *buf, + if (!peer) + goto out_put_netns; + ++ netif_carrier_off(dev); ++ netif_carrier_off(peer->netdev); ++ + err = 0; + RCU_INIT_POINTER(nsim->peer, NULL); + RCU_INIT_POINTER(peer->peer, NULL); +-- +2.51.0 + diff --git a/queue-6.12/net-sched-sch_qfq-fix-null-deref-when-deactivating-i.patch b/queue-6.12/net-sched-sch_qfq-fix-null-deref-when-deactivating-i.patch new file mode 100644 index 0000000000..9490e1fcf4 --- /dev/null +++ b/queue-6.12/net-sched-sch_qfq-fix-null-deref-when-deactivating-i.patch 
@@ -0,0 +1,162 @@ +From b5fcf92cbc125f9fb834f9cf7103fc4da7de89e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jan 2026 20:41:00 -0700 +Subject: net/sched: sch_qfq: Fix NULL deref when deactivating inactive + aggregate in qfq_reset + +From: Xiang Mei + +[ Upstream commit c1d73b1480235731e35c81df70b08f4714a7d095 ] + +`qfq_class->leaf_qdisc->q.qlen > 0` does not imply that the class +itself is active. + +Two qfq_class objects may point to the same leaf_qdisc. This happens +when: + +1. one QFQ qdisc is attached to the dev as the root qdisc, and + +2. another QFQ qdisc is temporarily referenced (e.g., via qdisc_get() +/ qdisc_put()) and is pending to be destroyed, as in function +tc_new_tfilter. + +When packets are enqueued through the root QFQ qdisc, the shared +leaf_qdisc->q.qlen increases. At the same time, the second QFQ +qdisc triggers qdisc_put and qdisc_destroy: the qdisc enters +qfq_reset() with its own q->q.qlen == 0, but its class's leaf +qdisc->q.qlen > 0. Therefore, the qfq_reset would wrongly deactivate +an inactive aggregate and trigger a null-deref in qfq_deactivate_agg: + +[ 0.903172] BUG: kernel NULL pointer dereference, address: 0000000000000000 +[ 0.903571] #PF: supervisor write access in kernel mode +[ 0.903860] #PF: error_code(0x0002) - not-present page +[ 0.904177] PGD 10299b067 P4D 10299b067 PUD 10299c067 PMD 0 +[ 0.904502] Oops: Oops: 0002 [#1] SMP NOPTI +[ 0.904737] CPU: 0 UID: 0 PID: 135 Comm: exploit Not tainted 6.19.0-rc3+ #2 NONE +[ 0.905157] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014 +[ 0.905754] RIP: 0010:qfq_deactivate_agg (include/linux/list.h:992 (discriminator 2) include/linux/list.h:1006 (discriminator 2) net/sched/sch_qfq.c:1367 (discriminator 2) net/sched/sch_qfq.c:1393 (discriminator 2)) +[ 0.906046] Code: 0f 84 4d 01 00 00 48 89 70 18 8b 4b 10 48 c7 c2 ff ff ff ff 48 8b 78 08 48 d3 e2 48 21 f2 48 2b 13 48 8b 30 48 d3 ea 8b 4b 18 0 + +Code 
starting with the faulting instruction +=========================================== + 0: 0f 84 4d 01 00 00 je 0x153 + 6: 48 89 70 18 mov %rsi,0x18(%rax) + a: 8b 4b 10 mov 0x10(%rbx),%ecx + d: 48 c7 c2 ff ff ff ff mov $0xffffffffffffffff,%rdx + 14: 48 8b 78 08 mov 0x8(%rax),%rdi + 18: 48 d3 e2 shl %cl,%rdx + 1b: 48 21 f2 and %rsi,%rdx + 1e: 48 2b 13 sub (%rbx),%rdx + 21: 48 8b 30 mov (%rax),%rsi + 24: 48 d3 ea shr %cl,%rdx + 27: 8b 4b 18 mov 0x18(%rbx),%ecx + ... +[ 0.907095] RSP: 0018:ffffc900004a39a0 EFLAGS: 00010246 +[ 0.907368] RAX: ffff8881043a0880 RBX: ffff888102953340 RCX: 0000000000000000 +[ 0.907723] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 +[ 0.908100] RBP: ffff888102952180 R08: 0000000000000000 R09: 0000000000000000 +[ 0.908451] R10: ffff8881043a0000 R11: 0000000000000000 R12: ffff888102952000 +[ 0.908804] R13: ffff888102952180 R14: ffff8881043a0ad8 R15: ffff8881043a0880 +[ 0.909179] FS: 000000002a1a0380(0000) GS:ffff888196d8d000(0000) knlGS:0000000000000000 +[ 0.909572] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 0.909857] CR2: 0000000000000000 CR3: 0000000102993002 CR4: 0000000000772ef0 +[ 0.910247] PKRU: 55555554 +[ 0.910391] Call Trace: +[ 0.910527] +[ 0.910638] qfq_reset_qdisc (net/sched/sch_qfq.c:357 net/sched/sch_qfq.c:1485) +[ 0.910826] qdisc_reset (include/linux/skbuff.h:2195 include/linux/skbuff.h:2501 include/linux/skbuff.h:3424 include/linux/skbuff.h:3430 net/sched/sch_generic.c:1036) +[ 0.911040] __qdisc_destroy (net/sched/sch_generic.c:1076) +[ 0.911236] tc_new_tfilter (net/sched/cls_api.c:2447) +[ 0.911447] rtnetlink_rcv_msg (net/core/rtnetlink.c:6958) +[ 0.911663] ? __pfx_rtnetlink_rcv_msg (net/core/rtnetlink.c:6861) +[ 0.911894] netlink_rcv_skb (net/netlink/af_netlink.c:2550) +[ 0.912100] netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344) +[ 0.912296] ? 
__alloc_skb (net/core/skbuff.c:706) +[ 0.912484] netlink_sendmsg (net/netlink/af_netlink.c:1894) +[ 0.912682] sock_write_iter (net/socket.c:727 (discriminator 1) net/socket.c:742 (discriminator 1) net/socket.c:1195 (discriminator 1)) +[ 0.912880] vfs_write (fs/read_write.c:593 fs/read_write.c:686) +[ 0.913077] ksys_write (fs/read_write.c:738) +[ 0.913252] do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) +[ 0.913438] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131) +[ 0.913687] RIP: 0033:0x424c34 +[ 0.913844] Code: 89 02 48 c7 c0 ff ff ff ff eb bd 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 80 3d 2d 44 09 00 00 74 13 b8 01 00 00 00 0f 05 9 + +Code starting with the faulting instruction +=========================================== + 0: 89 02 mov %eax,(%rdx) + 2: 48 c7 c0 ff ff ff ff mov $0xffffffffffffffff,%rax + 9: eb bd jmp 0xffffffffffffffc8 + b: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1) + 12: 00 00 00 + 15: 90 nop + 16: f3 0f 1e fa endbr64 + 1a: 80 3d 2d 44 09 00 00 cmpb $0x0,0x9442d(%rip) # 0x9444e + 21: 74 13 je 0x36 + 23: b8 01 00 00 00 mov $0x1,%eax + 28: 0f 05 syscall + 2a: 09 .byte 0x9 +[ 0.914807] RSP: 002b:00007ffea1938b78 EFLAGS: 00000202 ORIG_RAX: 0000000000000001 +[ 0.915197] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000424c34 +[ 0.915556] RDX: 000000000000003c RSI: 000000002af378c0 RDI: 0000000000000003 +[ 0.915912] RBP: 00007ffea1938bc0 R08: 00000000004b8820 R09: 0000000000000000 +[ 0.916297] R10: 0000000000000001 R11: 0000000000000202 R12: 00007ffea1938d28 +[ 0.916652] R13: 00007ffea1938d38 R14: 00000000004b3828 R15: 0000000000000001 +[ 0.917039] +[ 0.917158] Modules linked in: +[ 0.917316] CR2: 0000000000000000 +[ 0.917484] ---[ end trace 0000000000000000 ]--- +[ 0.917717] RIP: 0010:qfq_deactivate_agg (include/linux/list.h:992 (discriminator 2) include/linux/list.h:1006 (discriminator 2) net/sched/sch_qfq.c:1367 (discriminator 2) 
net/sched/sch_qfq.c:1393 (discriminator 2)) +[ 0.917978] Code: 0f 84 4d 01 00 00 48 89 70 18 8b 4b 10 48 c7 c2 ff ff ff ff 48 8b 78 08 48 d3 e2 48 21 f2 48 2b 13 48 8b 30 48 d3 ea 8b 4b 18 0 + +Code starting with the faulting instruction +=========================================== + 0: 0f 84 4d 01 00 00 je 0x153 + 6: 48 89 70 18 mov %rsi,0x18(%rax) + a: 8b 4b 10 mov 0x10(%rbx),%ecx + d: 48 c7 c2 ff ff ff ff mov $0xffffffffffffffff,%rdx + 14: 48 8b 78 08 mov 0x8(%rax),%rdi + 18: 48 d3 e2 shl %cl,%rdx + 1b: 48 21 f2 and %rsi,%rdx + 1e: 48 2b 13 sub (%rbx),%rdx + 21: 48 8b 30 mov (%rax),%rsi + 24: 48 d3 ea shr %cl,%rdx + 27: 8b 4b 18 mov 0x18(%rbx),%ecx + ... +[ 0.918902] RSP: 0018:ffffc900004a39a0 EFLAGS: 00010246 +[ 0.919198] RAX: ffff8881043a0880 RBX: ffff888102953340 RCX: 0000000000000000 +[ 0.919559] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 +[ 0.919908] RBP: ffff888102952180 R08: 0000000000000000 R09: 0000000000000000 +[ 0.920289] R10: ffff8881043a0000 R11: 0000000000000000 R12: ffff888102952000 +[ 0.920648] R13: ffff888102952180 R14: ffff8881043a0ad8 R15: ffff8881043a0880 +[ 0.921014] FS: 000000002a1a0380(0000) GS:ffff888196d8d000(0000) knlGS:0000000000000000 +[ 0.921424] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 0.921710] CR2: 0000000000000000 CR3: 0000000102993002 CR4: 0000000000772ef0 +[ 0.922097] PKRU: 55555554 +[ 0.922240] Kernel panic - not syncing: Fatal exception +[ 0.922590] Kernel Offset: disabled + +Fixes: 0545a3037773 ("pkt_sched: QFQ - quick fair queue scheduler") +Signed-off-by: Xiang Mei +Link: https://patch.msgid.link/20260106034100.1780779-1-xmei5@asu.edu +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_qfq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c +index 5b43578493ef1..998030d6ce2dd 100644 +--- a/net/sched/sch_qfq.c ++++ b/net/sched/sch_qfq.c +@@ -1484,7 +1484,7 @@ static void qfq_reset_qdisc(struct Qdisc 
*sch) + + for (i = 0; i < q->clhash.hashsize; i++) { + hlist_for_each_entry(cl, &q->clhash.hash[i], common.hnode) { +- if (cl->qdisc->q.qlen > 0) ++ if (cl_is_active(cl)) + qfq_deactivate_class(q, cl); + + qdisc_reset(cl->qdisc); +-- +2.51.0 + diff --git a/queue-6.12/net-sock-fix-hardened-usercopy-panic-in-sock_recv_er.patch b/queue-6.12/net-sock-fix-hardened-usercopy-panic-in-sock_recv_er.patch new file mode 100644 index 0000000000..9a66c247f8 --- /dev/null +++ b/queue-6.12/net-sock-fix-hardened-usercopy-panic-in-sock_recv_er.patch 
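Review bot: The switch to `cl_is_active(cl)` in qfq_reset_qdisc() carries no comment, and the code alone does not show why it replaces `cl->qdisc->q.qlen > 0`. Per the commit message the leaf qdisc can be shared with a second QFQ instance that is pending destruction, so a non-zero qlen does not show that this class is linked into an aggregate. I would add `/* a shared leaf qdisc can have qlen > 0 while this class is inactive */` above the test. cl_is_active() is defined outside the hunk, so its condition should be confirmed to match what qfq_deactivate_class() requires.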
@@ -0,0 +1,114 @@ +From 045631b9754dbd71408283ad40dd87bc8df74dd5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Dec 2025 04:35:35 +0800 +Subject: net: sock: fix hardened usercopy panic in sock_recv_errqueue + +From: Weiming Shi + +[ Upstream commit 2a71a1a8d0ed718b1c7a9ac61f07e5755c47ae20 ] + +skbuff_fclone_cache was created without defining a usercopy region, +[1] unlike skbuff_head_cache which properly whitelists the cb[] field. +[2] This causes a usercopy BUG() when CONFIG_HARDENED_USERCOPY is +enabled and the kernel attempts to copy sk_buff.cb data to userspace +via sock_recv_errqueue() -> put_cmsg(). + +The crash occurs when: 1. TCP allocates an skb using alloc_skb_fclone() + (from skbuff_fclone_cache) [1] +2. The skb is cloned via skb_clone() using the pre-allocated fclone +[3] 3. The cloned skb is queued to sk_error_queue for timestamp +reporting 4. Userspace reads the error queue via recvmsg(MSG_ERRQUEUE) +5. sock_recv_errqueue() calls put_cmsg() to copy serr->ee from skb->cb +[4] 6. __check_heap_object() fails because skbuff_fclone_cache has no + usercopy whitelist [5] + +When cloned skbs allocated from skbuff_fclone_cache are used in the +socket error queue, accessing the sock_exterr_skb structure in skb->cb +via put_cmsg() triggers a usercopy hardening violation: + +[ 5.379589] usercopy: Kernel memory exposure attempt detected from SLUB object 'skbuff_fclone_cache' (offset 296, size 16)! +[ 5.382796] kernel BUG at mm/usercopy.c:102! 
+[ 5.383923] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI +[ 5.384903] CPU: 1 UID: 0 PID: 138 Comm: poc_put_cmsg Not tainted 6.12.57 #7 +[ 5.384903] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 +[ 5.384903] RIP: 0010:usercopy_abort+0x6c/0x80 +[ 5.384903] Code: 1a 86 51 48 c7 c2 40 15 1a 86 41 52 48 c7 c7 c0 15 1a 86 48 0f 45 d6 48 c7 c6 80 15 1a 86 48 89 c1 49 0f 45 f3 e8 84 27 88 ff <0f> 0b 490 +[ 5.384903] RSP: 0018:ffffc900006f77a8 EFLAGS: 00010246 +[ 5.384903] RAX: 000000000000006f RBX: ffff88800f0ad2a8 RCX: 1ffffffff0f72e74 +[ 5.384903] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff87b973a0 +[ 5.384903] RBP: 0000000000000010 R08: 0000000000000000 R09: fffffbfff0f72e74 +[ 5.384903] R10: 0000000000000003 R11: 79706f6372657375 R12: 0000000000000001 +[ 5.384903] R13: ffff88800f0ad2b8 R14: ffffea00003c2b40 R15: ffffea00003c2b00 +[ 5.384903] FS: 0000000011bc4380(0000) GS:ffff8880bf100000(0000) knlGS:0000000000000000 +[ 5.384903] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 5.384903] CR2: 000056aa3b8e5fe4 CR3: 000000000ea26004 CR4: 0000000000770ef0 +[ 5.384903] PKRU: 55555554 +[ 5.384903] Call Trace: +[ 5.384903] +[ 5.384903] __check_heap_object+0x9a/0xd0 +[ 5.384903] __check_object_size+0x46c/0x690 +[ 5.384903] put_cmsg+0x129/0x5e0 +[ 5.384903] sock_recv_errqueue+0x22f/0x380 +[ 5.384903] tls_sw_recvmsg+0x7ed/0x1960 +[ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5 +[ 5.384903] ? schedule+0x6d/0x270 +[ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5 +[ 5.384903] ? mutex_unlock+0x81/0xd0 +[ 5.384903] ? __pfx_mutex_unlock+0x10/0x10 +[ 5.384903] ? __pfx_tls_sw_recvmsg+0x10/0x10 +[ 5.384903] ? _raw_spin_lock_irqsave+0x8f/0xf0 +[ 5.384903] ? _raw_read_unlock_irqrestore+0x20/0x40 +[ 5.384903] ? 
srso_alias_return_thunk+0x5/0xfbef5 + +The crash offset 296 corresponds to skb2->cb within skbuff_fclones: + - sizeof(struct sk_buff) = 232 - offsetof(struct sk_buff, cb) = 40 - + offset of skb2.cb in fclones = 232 + 40 = 272 - crash offset 296 = + 272 + 24 (inside sock_exterr_skb.ee) + +This patch uses a local stack variable as a bounce buffer to avoid the hardened usercopy check failure. + +[1] https://elixir.bootlin.com/linux/v6.12.62/source/net/ipv4/tcp.c#L885 +[2] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5104 +[3] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5566 +[4] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5491 +[5] https://elixir.bootlin.com/linux/v6.12.62/source/mm/slub.c#L5719 + +Fixes: 6d07d1cd300f ("usercopy: Restrict non-usercopy caches to size 0") +Reported-by: Xiang Mei +Signed-off-by: Weiming Shi +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20251223203534.1392218-2-bestswngs@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/sock.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/core/sock.c b/net/core/sock.c +index 97cc796a1d334..58f3f0d979540 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -3769,7 +3769,7 @@ void sock_enable_timestamp(struct sock *sk, enum sock_flags flag) + int sock_recv_errqueue(struct sock *sk, struct msghdr *msg, int len, + int level, int type) + { +- struct sock_exterr_skb *serr; ++ struct sock_extended_err ee; + struct sk_buff *skb; + int copied, err; + +@@ -3789,8 +3789,9 @@ int sock_recv_errqueue(struct sock *sk, struct msghdr *msg, int len, + + sock_recv_timestamp(msg, sk, skb); + +- serr = SKB_EXT_ERR(skb); +- put_cmsg(msg, level, type, sizeof(serr->ee), &serr->ee); ++ /* We must use a bounce buffer for CONFIG_HARDENED_USERCOPY=y */ ++ ee = SKB_EXT_ERR(skb)->ee; ++ put_cmsg(msg, level, type, sizeof(ee), &ee); + + msg->msg_flags |= MSG_ERRQUEUE; + err = 
copied; +-- +2.51.0 + diff --git a/queue-6.12/net-usb-pegasus-fix-memory-leak-in-update_eth_regs_a.patch b/queue-6.12/net-usb-pegasus-fix-memory-leak-in-update_eth_regs_a.patch new file mode 100644 index 0000000000..4e52372bc6 --- /dev/null +++ b/queue-6.12/net-usb-pegasus-fix-memory-leak-in-update_eth_regs_a.patch @@ -0,0 +1,37 @@ +From 6cff300e013c5eafab2a659ffb5232e24d463022 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Jan 2026 10:48:21 +0200 +Subject: net: usb: pegasus: fix memory leak in update_eth_regs_async() + +From: Petko Manolov + +[ Upstream commit afa27621a28af317523e0836dad430bec551eb54 ] + +When asynchronously writing to the device registers and if usb_submit_urb() +fail, the code fail to release allocated to this point resources. + +Fixes: 323b34963d11 ("drivers: net: usb: pegasus: fix control urb submission") +Signed-off-by: Petko Manolov +Link: https://patch.msgid.link/20260106084821.3746677-1-petko.manolov@konsulko.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/pegasus.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/usb/pegasus.c b/drivers/net/usb/pegasus.c +index 81ca64debc5b9..c514483134f05 100644 +--- a/drivers/net/usb/pegasus.c ++++ b/drivers/net/usb/pegasus.c +@@ -168,6 +168,8 @@ static int update_eth_regs_async(pegasus_t *pegasus) + netif_device_detach(pegasus->net); + netif_err(pegasus, drv, pegasus->net, + "%s returned %d\n", __func__, ret); ++ usb_free_urb(async_urb); ++ kfree(req); + } + return ret; + } +-- +2.51.0 + diff --git a/queue-6.12/net-wwan-iosm-fix-memory-leak-in-ipc_mux_deinit.patch b/queue-6.12/net-wwan-iosm-fix-memory-leak-in-ipc_mux_deinit.patch new file mode 100644 index 0000000000..b524c8b622 --- /dev/null +++ b/queue-6.12/net-wwan-iosm-fix-memory-leak-in-ipc_mux_deinit.patch 
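Review bot: The new comment in sock_recv_errqueue() says a bounce buffer is needed but not why. The reason is specific: the skb may be a clone from skbuff_fclone_cache, which has no usercopy region, so put_cmsg() must not read from `skb->cb` directly. I would spell that out, e.g. `/* skb may come from skbuff_fclone_cache (no usercopy region): copy ee to the stack first */`. Separately, `ee = SKB_EXT_ERR(skb)->ee;` is a struct assignment into an uninitialised stack variable that is then copied out with `sizeof(ee)`. The definition of struct sock_extended_err is not in the hunk, so confirm it has no implicit padding, or use `memcpy(&ee, &SKB_EXT_ERR(skb)->ee, sizeof(ee));` so that every byte sent to userspace comes from the skb.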
@@ -0,0 +1,54 @@ +From 8481990e25d3df489f014ca19434272543d7599e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Dec 2025 07:18:53 +0000 +Subject: net: wwan: iosm: Fix memory leak in ipc_mux_deinit() + +From: Zilin Guan + +[ Upstream commit 92e6e0a87f6860a4710f9494f8c704d498ae60f8 ] + +Commit 1f52d7b62285 ("net: wwan: iosm: Enable M.2 7360 WWAN card support") +allocated memory for pp_qlt in ipc_mux_init() but did not free it in +ipc_mux_deinit(). This results in a memory leak when the driver is +unloaded. + +Free the allocated memory in ipc_mux_deinit() to fix the leak. + +Fixes: 1f52d7b62285 ("net: wwan: iosm: Enable M.2 7360 WWAN card support") +Co-developed-by: Jianhao Xu +Signed-off-by: Jianhao Xu +Signed-off-by: Zilin Guan +Reviewed-by: Loic Poulain +Link: https://patch.msgid.link/20251230071853.1062223-1-zilin@seu.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/wwan/iosm/iosm_ipc_mux.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/wwan/iosm/iosm_ipc_mux.c b/drivers/net/wwan/iosm/iosm_ipc_mux.c +index fc928b298a984..b846889fcb099 100644 +--- a/drivers/net/wwan/iosm/iosm_ipc_mux.c ++++ b/drivers/net/wwan/iosm/iosm_ipc_mux.c +@@ -456,6 +456,7 @@ void ipc_mux_deinit(struct iosm_mux *ipc_mux) + struct sk_buff_head *free_list; + union mux_msg mux_msg; + struct sk_buff *skb; ++ int i; + + if (!ipc_mux->initialized) + return; +@@ -479,5 +480,10 @@ void ipc_mux_deinit(struct iosm_mux *ipc_mux) + ipc_mux->channel->dl_pipe.is_open = false; + } + ++ if (ipc_mux->protocol != MUX_LITE) { ++ for (i = 0; i < IPC_MEM_MUX_IP_SESSION_ENTRIES; i++) ++ kfree(ipc_mux->ul_adb.pp_qlt[i]); ++ } ++ + kfree(ipc_mux); + } +-- +2.51.0 + diff --git a/queue-6.12/netdev-preserve-netif_f_all_for_all-across-tso-updat.patch b/queue-6.12/netdev-preserve-netif_f_all_for_all-across-tso-updat.patch new file mode 100644 index 0000000000..09ad451dd4 --- /dev/null 
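Review bot: The added `pp_qlt[]` free loop in ipc_mux_deinit() sits after the `if (!ipc_mux->initialized) return;` early exit shown in the first hunk, so that path still frees neither the `pp_qlt` entries nor `ipc_mux` itself. Whether ipc_mux_init() can leave those allocations in place with `initialized` false is not visible here, so the path may be unreachable. It should be checked before the leak is considered closed. The lines between the two hunks are outside the patch context.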
+++ b/queue-6.12/netdev-preserve-netif_f_all_for_all-across-tso-updat.patch @@ -0,0 +1,43 @@ +From 4dc1c32b435f9cef4cae53534cea876e792324f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Dec 2025 09:22:24 +0800 +Subject: netdev: preserve NETIF_F_ALL_FOR_ALL across TSO updates + +From: Di Zhu + +[ Upstream commit 02d1e1a3f9239cdb3ecf2c6d365fb959d1bf39df ] + +Directly increment the TSO features incurs a side effect: it will also +directly clear the flags in NETIF_F_ALL_FOR_ALL on the master device, +which can cause issues such as the inability to enable the nocache copy +feature on the bonding driver. + +The fix is to include NETIF_F_ALL_FOR_ALL in the update mask, thereby +preventing it from being cleared. + +Fixes: b0ce3508b25e ("bonding: allow TSO being set on bonding master") +Signed-off-by: Di Zhu +Link: https://patch.msgid.link/20251224012224.56185-1-zhud@hygon.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/linux/netdevice.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h +index 35b886385f329..77a99c8ab01c7 100644 +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -4986,7 +4986,8 @@ netdev_features_t netdev_increment_features(netdev_features_t all, + static inline netdev_features_t netdev_add_tso_features(netdev_features_t features, + netdev_features_t mask) + { +- return netdev_increment_features(features, NETIF_F_ALL_TSO, mask); ++ return netdev_increment_features(features, NETIF_F_ALL_TSO | ++ NETIF_F_ALL_FOR_ALL, mask); + } + + int __netdev_update_features(struct net_device *dev); +-- +2.51.0 + diff --git a/queue-6.12/netfilter-nf_conncount-update-last_gc-only-when-gc-h.patch b/queue-6.12/netfilter-nf_conncount-update-last_gc-only-when-gc-h.patch new file mode 100644 index 0000000000..bbaaa085ff --- /dev/null +++ b/queue-6.12/netfilter-nf_conncount-update-last_gc-only-when-gc-h.patch 
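Review bot: netdev_add_tso_features() now passes `NETIF_F_ALL_TSO | NETIF_F_ALL_FOR_ALL`, which the function name no longer explains. A comment above the return would keep the second flag from being dropped as apparently unrelated to TSO: `/* keep NETIF_F_ALL_FOR_ALL in the set so netdev_increment_features() does not clear it on the master */`. The behaviour of netdev_increment_features() is taken from the commit message, since its body is outside the hunk.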
@@ -0,0 +1,48 @@ +From 34beff7a4e1a9bf95c961107940b423228af1b21 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Dec 2025 15:46:40 +0100 +Subject: netfilter: nf_conncount: update last_gc only when GC has been + performed + +From: Fernando Fernandez Mancera + +[ Upstream commit 7811ba452402d58628e68faedf38745b3d485e3c ] + +Currently last_gc is being updated everytime a new connection is +tracked, that means that it is updated even if a GC wasn't performed. +With a sufficiently high packet rate, it is possible to always bypass +the GC, causing the list to grow infinitely. + +Update the last_gc value only when a GC has been actually performed. + +Fixes: d265929930e2 ("netfilter: nf_conncount: reduce unnecessary GC") +Signed-off-by: Fernando Fernandez Mancera +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conncount.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c +index 3c1b155f7a0ea..828d5c64c68a3 100644 +--- a/net/netfilter/nf_conncount.c ++++ b/net/netfilter/nf_conncount.c +@@ -229,6 +229,7 @@ static int __nf_conncount_add(struct net *net, + + nf_ct_put(found_ct); + } ++ list->last_gc = (u32)jiffies; + + add_new_node: + if (WARN_ON_ONCE(list->count > INT_MAX)) { +@@ -248,7 +249,6 @@ static int __nf_conncount_add(struct net *net, + conn->jiffies32 = (u32)jiffies; + list_add_tail(&conn->node, &list->head); + list->count++; +- list->last_gc = (u32)jiffies; + + out_put: + if (refcounted) +-- +2.51.0 + diff --git a/queue-6.12/netfilter-nf_tables-fix-memory-leak-in-nf_tables_new.patch b/queue-6.12/netfilter-nf_tables-fix-memory-leak-in-nf_tables_new.patch new file mode 100644 index 0000000000..daf7b61c80 --- /dev/null +++ b/queue-6.12/netfilter-nf_tables-fix-memory-leak-in-nf_tables_new.patch 
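Review bot: `list->last_gc = (u32)jiffies;` now sits immediately before the `add_new_node:` label in __nf_conncount_add(), and nothing marks that placement as deliberate. The commit message ties the old placement to a list that can grow without bound under a high packet rate. A comment would guard against the line drifting back below the label: `/* GC pass completed; paths that jump to add_new_node must not refresh last_gc */`. The GC loop and the jumps to the label are outside the hunk.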
@@ -0,0 +1,49 @@ +From c87bf8ab17562619af5b98f0b0620853330c1545 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Dec 2025 12:48:26 +0000 +Subject: netfilter: nf_tables: fix memory leak in nf_tables_newrule() + +From: Zilin Guan + +[ Upstream commit d077e8119ddbb4fca67540f1a52453631a47f221 ] + +In nf_tables_newrule(), if nft_use_inc() fails, the function jumps to +the err_release_rule label without freeing the allocated flow, leading +to a memory leak. + +Fix this by adding a new label err_destroy_flow and jumping to it when +nft_use_inc() fails. This ensures that the flow is properly released +in this error case. + +Fixes: 1689f25924ada ("netfilter: nf_tables: report use refcount overflow") +Signed-off-by: Zilin Guan +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index b4741fb337988..6a2b7ce67e7f3 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -4196,7 +4196,7 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info, + + if (!nft_use_inc(&chain->use)) { + err = -EMFILE; +- goto err_release_rule; ++ goto err_destroy_flow; + } + + if (info->nlh->nlmsg_flags & NLM_F_REPLACE) { +@@ -4246,6 +4246,7 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info, + + err_destroy_flow_rule: + nft_use_dec_restore(&chain->use); ++err_destroy_flow: + if (flow) + nft_flow_rule_destroy(flow); + err_release_rule: +-- +2.51.0 + diff --git a/queue-6.12/netfilter-nft_set_pipapo-fix-range-overlap-detection.patch b/queue-6.12/netfilter-nft_set_pipapo-fix-range-overlap-detection.patch new file mode 100644 index 0000000000..76e4614cdb --- /dev/null +++ b/queue-6.12/netfilter-nft_set_pipapo-fix-range-overlap-detection.patch 
@@ -0,0 +1,62 @@ +From 699d0caa518f7bdd3e65a4478e82b942a9a61b09 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Dec 2025 12:20:35 +0100 +Subject: netfilter: nft_set_pipapo: fix range overlap detection + +From: Florian Westphal + +[ Upstream commit 7711f4bb4b360d9c0ff84db1c0ec91e385625047 ] + +set->klen has to be used, not sizeof(). The latter only compares a +single register but a full check of the entire key is needed. + +Example: +table ip t { + map s { + typeof iifname . ip saddr : verdict + flags interval + } +} + +nft add element t s '{ "lo" . 10.0.0.0/24 : drop }' # no error, expected +nft add element t s '{ "lo" . 10.0.0.0/24 : drop }' # no error, expected +nft add element t s '{ "lo" . 10.0.0.0/8 : drop }' # bug: no error + +The 3rd 'add element' should be rejected via -ENOTEMPTY, not -EEXIST, +so userspace / nft can report an error to the user. + +The latter is only correct for the 2nd case (re-add of existing element). + +As-is, userspace is told that the command was successful, but no elements were +added. + +After this patch, 3rd command gives: +Error: Could not process rule: File exists +add element t s { "lo" . 127.0.0.0/8 . 
"lo" : drop } + ^^^^^^^^^^^^^^^^^^^^^^^^^ + +Fixes: 0eb4b5ee33f2 ("netfilter: nft_set_pipapo: Separate partial and complete overlap cases on insertion") +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_set_pipapo.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c +index 793790d79d138..642152e9c3227 100644 +--- a/net/netfilter/nft_set_pipapo.c ++++ b/net/netfilter/nft_set_pipapo.c +@@ -1303,8 +1303,8 @@ static int nft_pipapo_insert(const struct net *net, const struct nft_set *set, + else + dup_end = dup_key; + +- if (!memcmp(start, dup_key->data, sizeof(*dup_key->data)) && +- !memcmp(end, dup_end->data, sizeof(*dup_end->data))) { ++ if (!memcmp(start, dup_key->data, set->klen) && ++ !memcmp(end, dup_end->data, set->klen)) { + *elem_priv = &dup->priv; + return -EEXIST; + } +-- +2.51.0 + diff --git a/queue-6.12/netfilter-nft_synproxy-avoid-possible-data-race-on-u.patch b/queue-6.12/netfilter-nft_synproxy-avoid-possible-data-race-on-u.patch new file mode 100644 index 0000000000..4902e89160 --- /dev/null +++ b/queue-6.12/netfilter-nft_synproxy-avoid-possible-data-race-on-u.patch 
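Review bot: Both `memcmp()` calls in nft_pipapo_insert() now take their length from `set->klen`, and nothing in the hunk shows that `start`, `end`, `dup_key->data` and `dup_end->data` each hold at least `set->klen` bytes. That is presumably guaranteed where the set and its elements are validated, but it is worth stating at the comparison, e.g. `/* compare the full key (set->klen bytes), not a single register */`, so the size assumption is visible where the read happens. The enclosing function starts and ends outside the hunk.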
@@ -0,0 +1,55 @@ +From 4bc9236733d4bc99e8dd859a3d2f2d4aa4ca3c6e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Dec 2025 21:21:59 +0100 +Subject: netfilter: nft_synproxy: avoid possible data-race on update operation + +From: Fernando Fernandez Mancera + +[ Upstream commit 36a3200575642846a96436d503d46544533bb943 ] + +During nft_synproxy eval we are reading nf_synproxy_info struct which +can be modified on update operation concurrently. As nf_synproxy_info +struct fits in 32 bits, use READ_ONCE/WRITE_ONCE annotations. + +Fixes: ee394f96ad75 ("netfilter: nft_synproxy: add synproxy stateful object support") +Signed-off-by: Fernando Fernandez Mancera +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_synproxy.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/netfilter/nft_synproxy.c b/net/netfilter/nft_synproxy.c +index 5d3e518259859..4d3e5a31b4125 100644 +--- a/net/netfilter/nft_synproxy.c ++++ b/net/netfilter/nft_synproxy.c +@@ -48,7 +48,7 @@ static void nft_synproxy_eval_v4(const struct nft_synproxy *priv, + struct tcphdr *_tcph, + struct synproxy_options *opts) + { +- struct nf_synproxy_info info = priv->info; ++ struct nf_synproxy_info info = READ_ONCE(priv->info); + struct net *net = nft_net(pkt); + struct synproxy_net *snet = synproxy_pernet(net); + struct sk_buff *skb = pkt->skb; +@@ -79,7 +79,7 @@ static void nft_synproxy_eval_v6(const struct nft_synproxy *priv, + struct tcphdr *_tcph, + struct synproxy_options *opts) + { +- struct nf_synproxy_info info = priv->info; ++ struct nf_synproxy_info info = READ_ONCE(priv->info); + struct net *net = nft_net(pkt); + struct synproxy_net *snet = synproxy_pernet(net); + struct sk_buff *skb = pkt->skb; +@@ -340,7 +340,7 @@ static void nft_synproxy_obj_update(struct nft_object *obj, + struct nft_synproxy *newpriv = nft_obj_data(newobj); + struct nft_synproxy *priv = nft_obj_data(obj); + +- priv->info = newpriv->info; ++ WRITE_ONCE(priv->info, 
newpriv->info); + } + + static struct nft_object_type nft_synproxy_obj_type; +-- +2.51.0 + diff --git a/queue-6.12/riscv-pgtable-cleanup-useless-va_user_xxx-definition.patch b/queue-6.12/riscv-pgtable-cleanup-useless-va_user_xxx-definition.patch new file mode 100644 index 0000000000..d5989aaf8c --- /dev/null +++ b/queue-6.12/riscv-pgtable-cleanup-useless-va_user_xxx-definition.patch @@ -0,0 +1,41 @@ +From 9a24d9f689bb762bc4173bf46b85641264da2191 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 30 Nov 2025 19:58:50 -0500 +Subject: riscv: pgtable: Cleanup useless VA_USER_XXX definitions + +From: Guo Ren (Alibaba DAMO Academy) + +[ Upstream commit 5e5be092ffadcab0093464ccd9e30f0c5cce16b9 ] + +These marcos are not used after commit b5b4287accd7 ("riscv: mm: Use +hint address in mmap if available"). Cleanup VA_USER_XXX definitions +in asm/pgtable.h. + +Fixes: b5b4287accd7 ("riscv: mm: Use hint address in mmap if available") +Signed-off-by: Guo Ren (Alibaba DAMO Academy) +Reviewed-by: Jinjie Ruan +Link: https://patch.msgid.link/20251201005850.702569-1-guoren@kernel.org +Signed-off-by: Paul Walmsley +Signed-off-by: Sasha Levin +--- + arch/riscv/include/asm/pgtable.h | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/arch/riscv/include/asm/pgtable.h b/arch/riscv/include/asm/pgtable.h +index 87c7d94c71f13..aeba8028e9aa8 100644 +--- a/arch/riscv/include/asm/pgtable.h ++++ b/arch/riscv/include/asm/pgtable.h +@@ -119,10 +119,6 @@ + #ifdef CONFIG_64BIT + #include + +-#define VA_USER_SV39 (UL(1) << (VA_BITS_SV39 - 1)) +-#define VA_USER_SV48 (UL(1) << (VA_BITS_SV48 - 1)) +-#define VA_USER_SV57 (UL(1) << (VA_BITS_SV57 - 1)) +- + #define MMAP_VA_BITS_64 ((VA_BITS >= VA_BITS_SV48) ? VA_BITS_SV48 : VA_BITS) + #define MMAP_MIN_VA_BITS_64 (VA_BITS_SV39) + #define MMAP_VA_BITS (is_compat_task() ? VA_BITS_SV32 : MMAP_VA_BITS_64) +-- +2.51.0 + diff --git a/queue-6.12/series b/queue-6.12/series index 7e2ad6dd41..5b665cd7e0 100644 --- a/queue-6.12/series 
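Review bot: The `WRITE_ONCE(priv->info, newpriv->info);` in nft_synproxy_obj_update() and the two `READ_ONCE(priv->info)` reads in nft_synproxy_eval_v4() and nft_synproxy_eval_v6() form lockless pairs, but none of the three sites says so. I would add `/* pairs with READ_ONCE() in nft_synproxy_eval_v4/v6 */` at the write and `/* pairs with WRITE_ONCE() in nft_synproxy_obj_update() */` at each read. The single-copy guarantee also rests on struct nf_synproxy_info staying word-sized, as the commit message states; a comment at the struct definition (outside this diff) would keep a later field addition from reintroducing a torn read. All three functions start or end outside their hunks.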
+++ b/queue-6.12/series 
@@ -47,3 +47,42 @@ btrfs-fix-qgroup_snapshot_quick_inherit-squota-bug.patch btrfs-qgroup-update-all-parent-qgroups-when-doing-qu.patch btrfs-tracepoints-use-btrfs_root_id-to-get-the-id-of.patch btrfs-fix-null-dereference-on-root-when-tracing-inod.patch +drm-amd-display-respect-user-s-config_frame_warn-mor.patch +drm-amd-display-apply-e4479aecf658-to-dml.patch +arm64-dts-ti-k3-am62-lp-sk-nand-rename-pinctrls-to-f.patch +crypto-qat-fix-duplicate-restarting-msg-during-aer-e.patch +arm64-dts-add-off-on-delay-us-for-usdhc2-regulator.patch +arm-dts-imx6q-ba16-fix-rtc-interrupt-level.patch +arm64-dts-imx8mp-fix-lan8740ai-phy-reference-clock-o.patch +arm64-dts-imx8qm-ss-dma-correct-the-dma-channels-of-.patch +arm64-dts-mba8mx-fix-ethernet-phy-irq-support.patch +netfilter-nft_set_pipapo-fix-range-overlap-detection.patch +netfilter-nft_synproxy-avoid-possible-data-race-on-u.patch +gpio-pca953x-add-support-for-level-triggered-interru.patch +gpio-pca953x-handle-short-interrupt-pulses-on-pcal-d.patch +netfilter-nf_tables-fix-memory-leak-in-nf_tables_new.patch +netfilter-nf_conncount-update-last_gc-only-when-gc-h.patch +net-marvell-prestera-fix-null-dereference-on-devlink.patch +bridge-fix-c-vlan-preservation-in-802.1ad-vlan_tunne.patch +net-mscc-ocelot-fix-crash-when-adding-interface-unde.patch +inet-ping-fix-icmp-out-counting.patch +net-sock-fix-hardened-usercopy-panic-in-sock_recv_er.patch +netdev-preserve-netif_f_all_for_all-across-tso-updat.patch +net-mlx5e-don-t-print-error-message-due-to-invalid-m.patch +net-wwan-iosm-fix-memory-leak-in-ipc_mux_deinit.patch +bnxt_en-fix-potential-data-corruption-with-hw-gro-lr.patch +vsock-make-accept-ed-sockets-use-custom-setsockopt.patch +btrfs-only-enforce-free-space-tree-if-v1-cache-is-re.patch +riscv-pgtable-cleanup-useless-va_user_xxx-definition.patch +net-fix-memory-leak-in-skb_segment_list-for-gro-pack.patch +idpf-keep-the-netdev-when-a-reset-fails.patch +idpf-fix-memory-leak-in-idpf_vport_rel.patch 
+idpf-cap-maximum-rx-buffer-size.patch +net-netdevsim-fix-inconsistent-carrier-state-after-l.patch +hid-quirks-work-around-vid-pid-conflict-for-appledis.patch +net-sched-sch_qfq-fix-null-deref-when-deactivating-i.patch +net-usb-pegasus-fix-memory-leak-in-update_eth_regs_a.patch +net-enetc-fix-build-warning-when-page_size-is-greate.patch +arp-do-not-assume-dev_hard_header-does-not-change-sk.patch +erofs-don-t-bother-with-s_stack_depth-increasing-for.patch +erofs-fix-file-backed-mounts-no-longer-working-on-er.patch diff --git a/queue-6.12/vsock-make-accept-ed-sockets-use-custom-setsockopt.patch b/queue-6.12/vsock-make-accept-ed-sockets-use-custom-setsockopt.patch new file mode 100644 index 0000000000..9f34b38c88 --- /dev/null +++ b/queue-6.12/vsock-make-accept-ed-sockets-use-custom-setsockopt.patch 
@@ -0,0 +1,39 @@
+From 907f5445653d145fc723717256e4a11f72d7c1f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 29 Dec 2025 20:43:10 +0100
+Subject: vsock: Make accept()ed sockets use custom setsockopt()
+
+From: Michal Luczaj
+
+[ Upstream commit ce5e612dd411de096aa041b9e9325ba1bec5f9f4 ]
+
+SO_ZEROCOPY handling in vsock_connectible_setsockopt() does not get called
+on accept()ed sockets due to a missing flag. Flip it.
+
+Fixes: e0718bd82e27 ("vsock: enable setting SO_ZEROCOPY")
+Signed-off-by: Michal Luczaj
+Link: https://patch.msgid.link/20251229-vsock-child-sock-custom-sockopt-v2-1-64778d6c4f88@rbox.co
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/vmw_vsock/af_vsock.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
+index 621be9be64f67..282d973233245 100644
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -1742,6 +1742,10 @@ static int vsock_accept(struct socket *sock, struct socket *newsock,
+ } else {
+ newsock->state = SS_CONNECTED;
+ sock_graft(connected, newsock);
++
++ set_bit(SOCK_CUSTOM_SOCKOPT,
++ &connected->sk_socket->flags);
++
+ if (vsock_msgzerocopy_allow(vconnected->transport))
+ set_bit(SOCK_SUPPORT_ZC,
+ &connected->sk_socket->flags);
+--
+2.51.0
+
diff --git a/queue-6.18/arm-dts-imx6q-ba16-fix-rtc-interrupt-level.patch b/queue-6.18/arm-dts-imx6q-ba16-fix-rtc-interrupt-level.patch
new file mode 100644
index 0000000000..a24b44536a
--- /dev/null
+++ b/queue-6.18/arm-dts-imx6q-ba16-fix-rtc-interrupt-level.patch
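Review bot: The added `set_bit(SOCK_CUSTOM_SOCKOPT, &connected->sk_socket->flags);` in vsock_accept() has no comment saying why an accepted socket needs the flag set by hand. Something like `/* accepted sockets must also route setsockopt() to the vsock handler */` would record the intent; per the commit message, vsock_connectible_setsockopt() is otherwise never reached for these sockets. Because `sock_graft(connected, newsock)` on the line before should make `connected->sk_socket` refer to `newsock`, `&newsock->flags` would name the same field more directly, though the SOCK_SUPPORT_ZC call below uses the longer form too. The function continues outside the hunk.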
@@ -0,0 +1,40 @@ +From e0a82f70a545645eb69f2d9d45e008a495340192 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Dec 2025 11:56:05 +0200 +Subject: ARM: dts: imx6q-ba16: fix RTC interrupt level + +From: Ian Ray + +[ Upstream commit e6a4eedd49ce27c16a80506c66a04707e0ee0116 ] + +RTC interrupt level should be set to "LOW". This was revealed by the +introduction of commit: + + f181987ef477 ("rtc: m41t80: use IRQ flags obtained from fwnode") + +which changed the way IRQ type is obtained. + +Fixes: 56c27310c1b4 ("ARM: dts: imx: Add Advantech BA-16 Qseven module") +Signed-off-by: Ian Ray +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/nxp/imx/imx6q-ba16.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/nxp/imx/imx6q-ba16.dtsi b/arch/arm/boot/dts/nxp/imx/imx6q-ba16.dtsi +index 53013b12c2ecb..02d66523668d2 100644 +--- a/arch/arm/boot/dts/nxp/imx/imx6q-ba16.dtsi ++++ b/arch/arm/boot/dts/nxp/imx/imx6q-ba16.dtsi +@@ -337,7 +337,7 @@ rtc@32 { + pinctrl-0 = <&pinctrl_rtc>; + reg = <0x32>; + interrupt-parent = <&gpio4>; +- interrupts = <10 IRQ_TYPE_LEVEL_HIGH>; ++ interrupts = <10 IRQ_TYPE_LEVEL_LOW>; + }; + }; + +-- +2.51.0 + diff --git a/queue-6.18/arm64-dts-add-off-on-delay-us-for-usdhc2-regulator.patch b/queue-6.18/arm64-dts-add-off-on-delay-us-for-usdhc2-regulator.patch new file mode 100644 index 0000000000..1941960afd --- /dev/null +++ b/queue-6.18/arm64-dts-add-off-on-delay-us-for-usdhc2-regulator.patch 
@@ -0,0 +1,41 @@ +From 8ed5e90f4dd566ce0b27b9291349cc2636989fa3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Nov 2025 11:22:40 +0800 +Subject: arm64: dts: add off-on-delay-us for usdhc2 regulator + +From: Haibo Chen + +[ Upstream commit ca643894a37a25713029b36cfe7d1bae515cac08 ] + +For SD card, according to the spec requirement, for sd card power reset +operation, it need sd card supply voltage to be lower than 0.5v and keep +over 1ms, otherwise, next time power back the sd card supply voltage to +3.3v, sd card can't support SD3.0 mode again. + +To match such requirement on imx8qm-mek board, add 4.8ms delay between +sd power off and power on. + +Fixes: 307fd14d4b14 ("arm64: dts: imx: add imx8qm mek support") +Reviewed-by: Frank Li +Signed-off-by: Haibo Chen +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx8qm-mek.dts | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/boot/dts/freescale/imx8qm-mek.dts b/arch/arm64/boot/dts/freescale/imx8qm-mek.dts +index d4b13cfd87a92..df99fe88cf4ac 100644 +--- a/arch/arm64/boot/dts/freescale/imx8qm-mek.dts ++++ b/arch/arm64/boot/dts/freescale/imx8qm-mek.dts +@@ -256,6 +256,7 @@ reg_usdhc2_vmmc: usdhc2-vmmc { + regulator-max-microvolt = <3000000>; + gpio = <&lsio_gpio4 7 GPIO_ACTIVE_HIGH>; + enable-active-high; ++ off-on-delay-us = <4800>; + }; + + reg_audio: regulator-audio { +-- +2.51.0 + diff --git a/queue-6.18/arm64-dts-freescale-moduline-display-fix-compatible.patch b/queue-6.18/arm64-dts-freescale-moduline-display-fix-compatible.patch new file mode 100644 index 0000000000..6503d4e717 --- /dev/null +++ b/queue-6.18/arm64-dts-freescale-moduline-display-fix-compatible.patch 
@@ -0,0 +1,43 @@ +From bb3bfd4d5b41404e34a29df83d2e02c8e1507bf4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Dec 2025 12:56:51 +0100 +Subject: arm64: dts: freescale: moduline-display: fix compatible + +From: Maud Spierings + +[ Upstream commit 056c68875122dd342782e5956ed145fe9e059614 ] + +The compatibles should include the SoM compatible, this board is based +on the Ka-Ro TX8P-ML81 SoM, so add it to allow using shared code in the +bootloader which uses upstream Linux devicetrees as a base. + +Also add the hardware revision to the board compatible to handle +revision specific quirks in the bootloader/userspace. + +This is a breaking change, but it is early enough that it can be +corrected without causing any issues. + +Fixes: 03f07be54cdc ("arm64: dts: freescale: Add the GOcontroll Moduline Display baseboard") +Signed-off-by: Maud Spierings +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + .../dts/freescale/imx8mp-tx8p-ml81-moduline-display-106.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/freescale/imx8mp-tx8p-ml81-moduline-display-106.dts b/arch/arm64/boot/dts/freescale/imx8mp-tx8p-ml81-moduline-display-106.dts +index 88ad422c27603..399230144ce39 100644 +--- a/arch/arm64/boot/dts/freescale/imx8mp-tx8p-ml81-moduline-display-106.dts ++++ b/arch/arm64/boot/dts/freescale/imx8mp-tx8p-ml81-moduline-display-106.dts +@@ -9,7 +9,7 @@ + #include "imx8mp-tx8p-ml81.dtsi" + + / { +- compatible = "gocontroll,moduline-display", "fsl,imx8mp"; ++ compatible = "gocontroll,moduline-display-106", "karo,tx8p-ml81", "fsl,imx8mp"; + chassis-type = "embedded"; + hardware = "Moduline Display V1.06"; + model = "GOcontroll Moduline Display baseboard"; +-- +2.51.0 + diff --git a/queue-6.18/arm64-dts-freescale-tx8p-ml81-fix-eqos-nvmem-cells.patch b/queue-6.18/arm64-dts-freescale-tx8p-ml81-fix-eqos-nvmem-cells.patch new file mode 100644 index 0000000000..38451f82aa --- /dev/null 
+++ b/queue-6.18/arm64-dts-freescale-tx8p-ml81-fix-eqos-nvmem-cells.patch 
@@ -0,0 +1,58 @@ +From 293e4d496dde5865930ec04b706d4b691a0a676a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Dec 2025 12:56:52 +0100 +Subject: arm64: dts: freescale: tx8p-ml81: fix eqos nvmem-cells + +From: Maud Spierings + +[ Upstream commit cdf4e631eec5ddd49bb625df9fb144d6ecdd6f15 ] + +On this SoM eqos is the primary ethernet interface, Ka-Ro fuses the +address for it in eth_mac1, eth_mac2 seems to be left unfused. In their +downstream u-boot they fetch it from eth_mac1 [1][2], by setting alias +of eqos to ethernet0, the driver then fetches the mac address based on +the alias number. + +Set eqos to read from eth_mac1 instead of eth_mac2. Also set fec to +point at eth_mac2 as it may be fused later even though it is disabled +by default. + +With this changed barebox is now capable of loading the correct address. + +Link: https://github.com/karo-electronics/karo-tx-uboot/blob/380543278410bbf04264d80a3bfbe340b8e62439/drivers/net/dwc_eth_qos.c#L1167 [1] +Link: https://github.com/karo-electronics/karo-tx-uboot/blob/380543278410bbf04264d80a3bfbe340b8e62439/arch/arm/dts/imx8mp-karo.dtsi#L12 [2] + +Fixes: bac63d7c5f46 ("arm64: dts: freescale: add Ka-Ro Electronics tx8p-ml81 COM") +Signed-off-by: Maud Spierings +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx8mp-tx8p-ml81.dtsi | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/arch/arm64/boot/dts/freescale/imx8mp-tx8p-ml81.dtsi b/arch/arm64/boot/dts/freescale/imx8mp-tx8p-ml81.dtsi +index fe8ba16eb40e7..761ee046eb72e 100644 +--- a/arch/arm64/boot/dts/freescale/imx8mp-tx8p-ml81.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mp-tx8p-ml81.dtsi +@@ -47,6 +47,7 @@ &eqos { + <&clk IMX8MP_SYS_PLL2_100M>, + <&clk IMX8MP_SYS_PLL2_50M>; + assigned-clock-rates = <266000000>, <100000000>, <50000000>; ++ nvmem-cells = <ð_mac1>; + phy-handle = <ðphy0>; + phy-mode = "rmii"; + pinctrl-0 = <&pinctrl_eqos>; +@@ -75,6 +76,10 @@ ethphy0: ethernet-phy@0 { + }; + }; + ++&fec { ++ 
nvmem-cells = <ð_mac2>; ++}; ++ + &gpio1 { + gpio-line-names = "SODIMM_152", + "SODIMM_42", +-- +2.51.0 + diff --git a/queue-6.18/arm64-dts-imx8mp-fix-lan8740ai-phy-reference-clock-o.patch b/queue-6.18/arm64-dts-imx8mp-fix-lan8740ai-phy-reference-clock-o.patch new file mode 100644 index 0000000000..9bc287fe08 --- /dev/null +++ b/queue-6.18/arm64-dts-imx8mp-fix-lan8740ai-phy-reference-clock-o.patch 
@@ -0,0 +1,42 @@ +From 9bad753fdb277fbb6c571dc18e97d931b5209d19 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Dec 2025 14:41:51 +0100 +Subject: arm64: dts: imx8mp: Fix LAN8740Ai PHY reference clock on DH + electronics i.MX8M Plus DHCOM + +From: Marek Vasut + +[ Upstream commit c63749a7ddc59ac6ec0b05abfa0a21af9f2c1d38 ] + +Add missing 'clocks' property to LAN8740Ai PHY node, to allow the PHY driver +to manage LAN8740Ai CLKIN reference clock supply. This fixes sporadic link +bouncing caused by interruptions on the PHY reference clock, by letting the +PHY driver manage the reference clock and assure there are no interruptions. + +This follows the matching PHY driver recommendation described in commit +bedd8d78aba3 ("net: phy: smsc: LAN8710/20: add phy refclk in support") + +Fixes: 8d6712695bc8 ("arm64: dts: imx8mp: Add support for DH electronics i.MX8M Plus DHCOM and PDK2") +Signed-off-by: Marek Vasut +Tested-by: Christoph Niedermaier +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi +index 68c2e0156a5c8..f8303b7e2bd22 100644 +--- a/arch/arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi +@@ -113,6 +113,7 @@ mdio { + ethphy0f: ethernet-phy@1 { /* SMSC LAN8740Ai */ + compatible = "ethernet-phy-id0007.c110", + "ethernet-phy-ieee802.3-c22"; ++ clocks = <&clk IMX8MP_CLK_ENET_QOS>; + interrupt-parent = <&gpio3>; + interrupts = <19 IRQ_TYPE_LEVEL_LOW>; + pinctrl-0 = <&pinctrl_ethphy0>; +-- +2.51.0 + diff --git a/queue-6.18/arm64-dts-imx8qm-mek-correct-the-light-sensor-interr.patch b/queue-6.18/arm64-dts-imx8qm-mek-correct-the-light-sensor-interr.patch new file mode 100644 index 0000000000..e2f73237ca --- /dev/null +++ b/queue-6.18/arm64-dts-imx8qm-mek-correct-the-light-sensor-interr.patch 
@@ -0,0 +1,43 @@ +From 361013f29c0884ffe6f9da894a93c1b4e7e5bc3b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Nov 2025 11:22:39 +0800 +Subject: arm64: dts: imx8qm-mek: correct the light sensor interrupt type to + low level + +From: Haibo Chen + +[ Upstream commit e0d8678c2f09dca22e6197321f223fa9a0ca2839 ] + +light sensor isl29023 share the interrupt with lsm303arg, but these +two devices use different interrupt type. According to the datasheet +of these two devides, both support low level trigger type, so correct +the interrupt type here to avoid the following error log: + + irq: type mismatch, failed to map hwirq-11 for gpio@5d0c0000! + +Fixes: 9918092cbb0e ("arm64: dts: imx8qm-mek: add i2c0 and children devices") +Fixes: 1d8a9f043a77 ("arm64: dts: imx8: use defines for interrupts") +Signed-off-by: Haibo Chen +Reviewed-by: Frank Li +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx8qm-mek.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/freescale/imx8qm-mek.dts b/arch/arm64/boot/dts/freescale/imx8qm-mek.dts +index 9c0b6b8d6459d..d4b13cfd87a92 100644 +--- a/arch/arm64/boot/dts/freescale/imx8qm-mek.dts ++++ b/arch/arm64/boot/dts/freescale/imx8qm-mek.dts +@@ -560,7 +560,7 @@ light-sensor@44 { + compatible = "isil,isl29023"; + reg = <0x44>; + interrupt-parent = <&lsio_gpio4>; +- interrupts = <11 IRQ_TYPE_EDGE_FALLING>; ++ interrupts = <11 IRQ_TYPE_LEVEL_LOW>; + }; + + pressure-sensor@60 { +-- +2.51.0 + diff --git a/queue-6.18/arm64-dts-imx8qm-ss-dma-correct-the-dma-channels-of-.patch b/queue-6.18/arm64-dts-imx8qm-ss-dma-correct-the-dma-channels-of-.patch new file mode 100644 index 0000000000..dc6093a07d --- /dev/null +++ b/queue-6.18/arm64-dts-imx8qm-ss-dma-correct-the-dma-channels-of-.patch 
@@ -0,0 +1,66 @@ +From 34f2150012504d2802c06dfc565001680f6006ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Dec 2025 09:59:56 +0800 +Subject: arm64: dts: imx8qm-ss-dma: correct the dma channels of lpuart + +From: Sherry Sun + +[ Upstream commit a988caeed9d918452aa0a68de2c6e94d86aa43ba ] + +The commit 616effc0272b5 ("arm64: dts: imx8: Fix lpuart DMA channel +order") swap uart rx and tx channel at common imx8-ss-dma.dtsi. But miss +update imx8qm-ss-dma.dtsi. + +The commit 5a8e9b022e569 ("arm64: dts: imx8qm-ss-dma: Pass lpuart +dma-names") just simple add dma-names as binding doc requirement. + +Correct lpuart0 - lpuart3 dma rx and tx channels, and use defines for +the FSL_EDMA_RX flag. + +Fixes: 5a8e9b022e56 ("arm64: dts: imx8qm-ss-dma: Pass lpuart dma-names") +Signed-off-by: Sherry Sun +Reviewed-by: Frank Li +Reviewed-by: Alexander Stein +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx8qm-ss-dma.dtsi | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/arm64/boot/dts/freescale/imx8qm-ss-dma.dtsi b/arch/arm64/boot/dts/freescale/imx8qm-ss-dma.dtsi +index d4856b8590e0c..e186c31bfd482 100644 +--- a/arch/arm64/boot/dts/freescale/imx8qm-ss-dma.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8qm-ss-dma.dtsi +@@ -171,25 +171,25 @@ &flexcan3 { + + &lpuart0 { + compatible = "fsl,imx8qm-lpuart", "fsl,imx8qxp-lpuart"; +- dmas = <&edma2 13 0 0>, <&edma2 12 0 1>; ++ dmas = <&edma2 12 0 FSL_EDMA_RX>, <&edma2 13 0 0>; + dma-names = "rx","tx"; + }; + + &lpuart1 { + compatible = "fsl,imx8qm-lpuart", "fsl,imx8qxp-lpuart"; +- dmas = <&edma2 15 0 0>, <&edma2 14 0 1>; ++ dmas = <&edma2 14 0 FSL_EDMA_RX>, <&edma2 15 0 0>; + dma-names = "rx","tx"; + }; + + &lpuart2 { + compatible = "fsl,imx8qm-lpuart", "fsl,imx8qxp-lpuart"; +- dmas = <&edma2 17 0 0>, <&edma2 16 0 1>; ++ dmas = <&edma2 16 0 FSL_EDMA_RX>, <&edma2 17 0 0>; + dma-names = "rx","tx"; + }; + + &lpuart3 { + compatible = "fsl,imx8qm-lpuart", 
"fsl,imx8qxp-lpuart"; +- dmas = <&edma2 19 0 0>, <&edma2 18 0 1>; ++ dmas = <&edma2 18 0 FSL_EDMA_RX>, <&edma2 19 0 0>; + dma-names = "rx","tx"; + }; + +-- +2.51.0 + diff --git a/queue-6.18/arm64-dts-mba8mx-fix-ethernet-phy-irq-support.patch b/queue-6.18/arm64-dts-mba8mx-fix-ethernet-phy-irq-support.patch new file mode 100644 index 0000000000..02f669dd6b --- /dev/null +++ b/queue-6.18/arm64-dts-mba8mx-fix-ethernet-phy-irq-support.patch @@ -0,0 +1,37 @@ +From bb20f0b84cba55969b449baafd7295865910fc7b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Dec 2025 14:15:28 +0100 +Subject: arm64: dts: mba8mx: Fix Ethernet PHY IRQ support + +From: Alexander Stein + +[ Upstream commit 89e87d0dc87eb3654c9ae01afc4a18c1c6d1e523 ] + +Ethernet PHY interrupt mode is level triggered. Adjust the mode +accordingly. + +Signed-off-by: Alexander Stein +Reviewed-by: Andrew Lunn +Fixes: 70cf622bb16e ("arm64: dts: mba8mx: Add Ethernet PHY IRQ support") +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/mba8mx.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/freescale/mba8mx.dtsi b/arch/arm64/boot/dts/freescale/mba8mx.dtsi +index 79daba930ad64..3e41da4d6122b 100644 +--- a/arch/arm64/boot/dts/freescale/mba8mx.dtsi ++++ b/arch/arm64/boot/dts/freescale/mba8mx.dtsi +@@ -185,7 +185,7 @@ ethphy0: ethernet-phy@e { + reset-assert-us = <500000>; + reset-deassert-us = <500>; + interrupt-parent = <&expander2>; +- interrupts = <6 IRQ_TYPE_EDGE_FALLING>; ++ interrupts = <6 IRQ_TYPE_LEVEL_LOW>; + }; + }; + }; +-- +2.51.0 + diff --git a/queue-6.18/arm64-dts-ti-k3-am62-lp-sk-nand-rename-pinctrls-to-f.patch b/queue-6.18/arm64-dts-ti-k3-am62-lp-sk-nand-rename-pinctrls-to-f.patch new file mode 100644 index 0000000000..248ce7a256 --- /dev/null +++ b/queue-6.18/arm64-dts-ti-k3-am62-lp-sk-nand-rename-pinctrls-to-f.patch 
@@ -0,0 +1,38 @@ +From 914363657beba745a9f2ce7faf58c90abb617f9c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Nov 2025 13:27:33 +0100 +Subject: arm64: dts: ti: k3-am62-lp-sk-nand: Rename pinctrls to fix schema + warnings + +From: Wadim Egorov + +[ Upstream commit cf5e8adebe77917a4cc95e43e461cdbd857591ce ] + +Rename pinctrl nodes to comply with naming conventions required by +pinctrl-single schema. + +Fixes: e569152274fec ("arm64: dts: ti: am62-lp-sk: Add overlay for NAND expansion card") +Signed-off-by: Wadim Egorov +Link: https://patch.msgid.link/20251127122733.2523367-3-w.egorov@phytec.de +Signed-off-by: Nishanth Menon +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/ti/k3-am62-lp-sk-nand.dtso | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/ti/k3-am62-lp-sk-nand.dtso b/arch/arm64/boot/dts/ti/k3-am62-lp-sk-nand.dtso +index 173ac60723b64..b4daa674eaa1e 100644 +--- a/arch/arm64/boot/dts/ti/k3-am62-lp-sk-nand.dtso ++++ b/arch/arm64/boot/dts/ti/k3-am62-lp-sk-nand.dtso +@@ -14,7 +14,7 @@ + }; + + &main_pmx0 { +- gpmc0_pins_default: gpmc0-pins-default { ++ gpmc0_pins_default: gpmc0-default-pins { + pinctrl-single,pins = < + AM62X_IOPAD(0x003c, PIN_INPUT, 0) /* (K19) GPMC0_AD0 */ + AM62X_IOPAD(0x0040, PIN_INPUT, 0) /* (L19) GPMC0_AD1 */ +-- +2.51.0 + diff --git a/queue-6.18/arm64-dts-ti-k3-am642-phyboard-electra-peb-c-010-fix.patch b/queue-6.18/arm64-dts-ti-k3-am642-phyboard-electra-peb-c-010-fix.patch new file mode 100644 index 0000000000..3299f574d9 --- /dev/null +++ b/queue-6.18/arm64-dts-ti-k3-am642-phyboard-electra-peb-c-010-fix.patch 
@@ -0,0 +1,47 @@ +From 2675d6f43092333993c4bf981ea54408409a002c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Nov 2025 13:27:31 +0100 +Subject: arm64: dts: ti: k3-am642-phyboard-electra-peb-c-010: Fix icssg-prueth + schema warning + +From: Wadim Egorov + +[ Upstream commit 05bbe52d0be5637dcd3c880348e3688f7ec64eb7 ] + +Reduce length of dma-names and dmas properties for icssg1-ethernet +node to comply with ti,icssg-prueth schema constraints. The previous +entries exceeded the allowed count and triggered dtschema warnings +during validation. + +Fixes: e53fbf955ea7 ("arm64: dts: ti: k3-am642-phyboard-electra: Add PEB-C-010 Overlay") +Signed-off-by: Wadim Egorov +Link: https://patch.msgid.link/20251127122733.2523367-1-w.egorov@phytec.de +Signed-off-by: Nishanth Menon +Signed-off-by: Sasha Levin +--- + .../boot/dts/ti/k3-am642-phyboard-electra-peb-c-010.dtso | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/arch/arm64/boot/dts/ti/k3-am642-phyboard-electra-peb-c-010.dtso b/arch/arm64/boot/dts/ti/k3-am642-phyboard-electra-peb-c-010.dtso +index 7fc73cfacadb8..1176a52d560b7 100644 +--- a/arch/arm64/boot/dts/ti/k3-am642-phyboard-electra-peb-c-010.dtso ++++ b/arch/arm64/boot/dts/ti/k3-am642-phyboard-electra-peb-c-010.dtso +@@ -30,13 +30,10 @@ + <&main_pktdma 0xc206 15>, /* egress slice 1 */ + <&main_pktdma 0xc207 15>, /* egress slice 1 */ + <&main_pktdma 0x4200 15>, /* ingress slice 0 */ +- <&main_pktdma 0x4201 15>, /* ingress slice 1 */ +- <&main_pktdma 0x4202 0>, /* mgmnt rsp slice 0 */ +- <&main_pktdma 0x4203 0>; /* mgmnt rsp slice 1 */ ++ <&main_pktdma 0x4201 15>; /* ingress slice 1 */ + dma-names = "tx0-0", "tx0-1", "tx0-2", "tx0-3", + "tx1-0", "tx1-1", "tx1-2", "tx1-3", +- "rx0", "rx1", +- "rxmgm0", "rxmgm1"; ++ "rx0", "rx1"; + + firmware-name = "ti-pruss/am65x-sr2-pru0-prueth-fw.elf", + "ti-pruss/am65x-sr2-rtu0-prueth-fw.elf", +-- +2.51.0 + 
diff --git a/queue-6.18/arm64-dts-ti-k3-am642-phyboard-electra-x27-gpio1-spi.patch b/queue-6.18/arm64-dts-ti-k3-am642-phyboard-electra-x27-gpio1-spi.patch new file mode 100644 index 0000000000..8032fd143b --- /dev/null +++ b/queue-6.18/arm64-dts-ti-k3-am642-phyboard-electra-x27-gpio1-spi.patch 
@@ -0,0 +1,64 @@ +From 8fd3b28a9266c2f6bf4ec9019046f0be9e482d96 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Nov 2025 13:27:32 +0100 +Subject: arm64: dts: ti: k3-am642-phyboard-electra-x27-gpio1-spi1-uart3: Fix + schema warnings + +From: Wadim Egorov + +[ Upstream commit d876bb9353d87dee0ae620300106e8def189c785 ] + +Rename pinctrl nodes to comply with naming conventions required by +pinctrl-single schema. Also, replace invalid integer assignment in +SPI node with a boolean to align with omap-spi schema. + +Fixes: 638ab30ce4c6 ("arm64: dts: ti: am64-phyboard-electra: Add DT overlay for X27 connector") +Signed-off-by: Wadim Egorov +Link: https://patch.msgid.link/20251127122733.2523367-2-w.egorov@phytec.de +Signed-off-by: Nishanth Menon +Signed-off-by: Sasha Levin +--- + .../k3-am642-phyboard-electra-x27-gpio1-spi1-uart3.dtso | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/arm64/boot/dts/ti/k3-am642-phyboard-electra-x27-gpio1-spi1-uart3.dtso b/arch/arm64/boot/dts/ti/k3-am642-phyboard-electra-x27-gpio1-spi1-uart3.dtso +index 996c42ec4253e..bea8efa3e9094 100644 +--- a/arch/arm64/boot/dts/ti/k3-am642-phyboard-electra-x27-gpio1-spi1-uart3.dtso ++++ b/arch/arm64/boot/dts/ti/k3-am642-phyboard-electra-x27-gpio1-spi1-uart3.dtso +@@ -20,13 +20,13 @@ + }; + + &main_pmx0 { +- main_gpio1_exp_header_gpio_pins_default: main-gpio1-exp-header-gpio-pins-default { ++ main_gpio1_exp_header_gpio_pins_default: main-gpio1-exp-header-gpio-default-pins { + pinctrl-single,pins = < + AM64X_IOPAD(0x0220, PIN_INPUT, 7) /* (D14) SPI1_CS1.GPIO1_48 */ + >; + }; + +- main_spi1_pins_default: main-spi1-pins-default { ++ main_spi1_pins_default: main-spi1-default-pins { + pinctrl-single,pins = < + AM64X_IOPAD(0x0224, PIN_INPUT, 0) /* (C14) SPI1_CLK */ + AM64X_IOPAD(0x021C, PIN_OUTPUT, 0) /* (B14) SPI1_CS0 */ +@@ -35,7 +35,7 @@ + >; + }; + +- main_uart3_pins_default: main-uart3-pins-default { ++ main_uart3_pins_default: main-uart3-default-pins { + 
pinctrl-single,pins = < + AM64X_IOPAD(0x0048, PIN_INPUT, 2) /* (U20) GPMC0_AD3.UART3_RXD */ + AM64X_IOPAD(0x004c, PIN_OUTPUT, 2) /* (U18) GPMC0_AD4.UART3_TXD */ +@@ -52,7 +52,7 @@ + &main_spi1 { + pinctrl-names = "default"; + pinctrl-0 = <&main_spi1_pins_default>; +- ti,pindir-d0-out-d1-in = <1>; ++ ti,pindir-d0-out-d1-in; + status = "okay"; + }; + +-- +2.51.0 + diff --git a/queue-6.18/arp-do-not-assume-dev_hard_header-does-not-change-sk.patch b/queue-6.18/arp-do-not-assume-dev_hard_header-does-not-change-sk.patch new file mode 100644 index 0000000000..b25018fb74 --- /dev/null +++ b/queue-6.18/arp-do-not-assume-dev_hard_header-does-not-change-sk.patch 
@@ -0,0 +1,58 @@ +From 2e13ceb4bda22764963326cb69e37035ff72040e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jan 2026 21:22:50 +0000 +Subject: arp: do not assume dev_hard_header() does not change skb->head + +From: Eric Dumazet + +[ Upstream commit c92510f5e3f82ba11c95991824a41e59a9c5ed81 ] + +arp_create() is the only dev_hard_header() caller +making assumption about skb->head being unchanged. + +A recent commit broke this assumption. + +Initialize @arp pointer after dev_hard_header() call. + +Fixes: db5b4e39c4e6 ("ip6_gre: make ip6gre_header() robust") +Reported-by: syzbot+58b44a770a1585795351@syzkaller.appspotmail.com +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20260107212250.384552-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/arp.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c +index 833f2cf97178e..3ce1664e8632a 100644 +--- a/net/ipv4/arp.c ++++ b/net/ipv4/arp.c +@@ -564,7 +564,7 @@ struct sk_buff *arp_create(int type, int ptype, __be32 dest_ip, + + skb_reserve(skb, hlen); + skb_reset_network_header(skb); +- arp = skb_put(skb, arp_hdr_len(dev)); ++ skb_put(skb, arp_hdr_len(dev)); + skb->dev = dev; + skb->protocol = htons(ETH_P_ARP); + if (!src_hw) +@@ -572,12 +572,13 @@ struct sk_buff *arp_create(int type, int ptype, __be32 dest_ip, + if (!dest_hw) + dest_hw = dev->broadcast; + +- /* +- * Fill the device header for the ARP frame ++ /* Fill the device header for the ARP frame. ++ * Note: skb->head can be changed. + */ + if (dev_hard_header(skb, dev, ptype, dest_hw, src_hw, skb->len) < 0) + goto out; + ++ arp = arp_hdr(skb); + /* + * Fill out the arp protocol part. + * +-- +2.51.0 + diff --git a/queue-6.18/block-don-t-merge-bios-with-different-app_tags.patch b/queue-6.18/block-don-t-merge-bios-with-different-app_tags.patch new file mode 100644 index 0000000000..cea5f3fc6a --- /dev/null 
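Review bot: The new comment before `dev_hard_header()` in arp_create() says only that skb->head can be changed, without stating what that forbids, so nothing stops a later edit from caching the `skb_put()` result again and writing through it after the buffer has moved. I would spell the rule out, e.g. `/* dev_hard_header() may reallocate skb->head: take no pointer into the skb before this call. */`, and keep `arp = arp_hdr(skb);` directly after the error check as it is now. This relies on the network header being tracked as an offset so that `arp_hdr()` resolves against the new head, which `skb_reset_network_header()` suggests but the visible lines do not prove. arp_create() starts and ends outside the hunk, so any other pointer derived from the skb earlier in the function should be checked the same way.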
+++ b/queue-6.18/block-don-t-merge-bios-with-different-app_tags.patch 
@@ -0,0 +1,80 @@ +From 079c5b5c1830febc654710a71f282d0607357cf3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Jan 2026 13:08:37 -0700 +Subject: block: don't merge bios with different app_tags + +From: Caleb Sander Mateos + +[ Upstream commit 6acd4ac5f8f0ec9b946875553e52907700bcfc77 ] + +nvme_set_app_tag() uses the app_tag value from the bio_integrity_payload +of the struct request's first bio. This assumes all the request's bios +have the same app_tag. However, it is possible for bios with different +app_tag values to be merged into a single request. +Add a check in blk_integrity_merge_{bio,rq}() to prevent the merging of +bios/requests with different app_tag values if BIP_CHECK_APPTAG is set. + +Signed-off-by: Caleb Sander Mateos +Fixes: 3d8b5a22d404 ("block: add support to pass user meta buffer") +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-integrity.c | 23 ++++++++++++++++++----- + 1 file changed, 18 insertions(+), 5 deletions(-) + +diff --git a/block/blk-integrity.c b/block/blk-integrity.c +index 9b27963680dc3..964eebbee14d0 100644 +--- a/block/blk-integrity.c ++++ b/block/blk-integrity.c +@@ -140,14 +140,21 @@ EXPORT_SYMBOL_GPL(blk_rq_integrity_map_user); + bool blk_integrity_merge_rq(struct request_queue *q, struct request *req, + struct request *next) + { ++ struct bio_integrity_payload *bip, *bip_next; ++ + if (blk_integrity_rq(req) == 0 && blk_integrity_rq(next) == 0) + return true; + + if (blk_integrity_rq(req) == 0 || blk_integrity_rq(next) == 0) + return false; + +- if (bio_integrity(req->bio)->bip_flags != +- bio_integrity(next->bio)->bip_flags) ++ bip = bio_integrity(req->bio); ++ bip_next = bio_integrity(next->bio); ++ if (bip->bip_flags != bip_next->bip_flags) ++ return false; ++ ++ if (bip->bip_flags & BIP_CHECK_APPTAG && ++ bip->app_tag != bip_next->app_tag) + return false; + + if (req->nr_integrity_segments + next->nr_integrity_segments > +@@ -163,15 +170,21 @@ bool blk_integrity_merge_rq(struct 
request_queue *q, struct request *req, + bool blk_integrity_merge_bio(struct request_queue *q, struct request *req, + struct bio *bio) + { ++ struct bio_integrity_payload *bip, *bip_bio = bio_integrity(bio); + int nr_integrity_segs; + +- if (blk_integrity_rq(req) == 0 && bio_integrity(bio) == NULL) ++ if (blk_integrity_rq(req) == 0 && bip_bio == NULL) + return true; + +- if (blk_integrity_rq(req) == 0 || bio_integrity(bio) == NULL) ++ if (blk_integrity_rq(req) == 0 || bip_bio == NULL) ++ return false; ++ ++ bip = bio_integrity(req->bio); ++ if (bip->bip_flags != bip_bio->bip_flags) + return false; + +- if (bio_integrity(req->bio)->bip_flags != bio_integrity(bio)->bip_flags) ++ if (bip->bip_flags & BIP_CHECK_APPTAG && ++ bip->app_tag != bip_bio->app_tag) + return false; + + nr_integrity_segs = blk_rq_count_integrity_sg(q, bio); +-- +2.51.0 + diff --git a/queue-6.18/bnxt_en-fix-potential-data-corruption-with-hw-gro-lr.patch b/queue-6.18/bnxt_en-fix-potential-data-corruption-with-hw-gro-lr.patch new file mode 100644 index 0000000000..5359e12573 --- /dev/null +++ b/queue-6.18/bnxt_en-fix-potential-data-corruption-with-hw-gro-lr.patch 
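Review bot: The app_tag comparison is written twice, once in blk_integrity_merge_rq() and once in blk_integrity_merge_bio(), and both copies lean on operator precedence in `bip->bip_flags & BIP_CHECK_APPTAG && bip->app_tag != ...`. Parenthesising the mask test, `if ((bip->bip_flags & BIP_CHECK_APPTAG) &&`, makes the intent obvious at a glance. A small static helper taking the two payloads would also keep the two merge paths from drifting apart, since per the commit message they guard the same assumption that nvme_set_app_tag() makes about a request's bios. Both functions continue past the lines shown.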
@@ -0,0 +1,88 @@ +From 5d1b0ceb5aeab8a08eaead6bc8e352d902c1f700 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Dec 2025 00:36:25 -0800 +Subject: bnxt_en: Fix potential data corruption with HW GRO/LRO + +From: Srijit Bose + +[ Upstream commit ffeafa65b2b26df2f5b5a6118d3174f17bd12ec5 ] + +Fix the max number of bits passed to find_first_zero_bit() in +bnxt_alloc_agg_idx(). We were incorrectly passing the number of +long words. find_first_zero_bit() may fail to find a zero bit and +cause a wrong ID to be used. If the wrong ID is already in use, this +can cause data corruption. Sometimes an error like this can also be +seen: + +bnxt_en 0000:83:00.0 enp131s0np0: TPA end agg_buf 2 != expected agg_bufs 1 + +Fix it by passing the correct number of bits MAX_TPA_P5. Use +DECLARE_BITMAP() to more cleanly define the bitmap. Add a sanity +check to warn if a bit cannot be found and reset the ring [MChan]. + +Fixes: ec4d8e7cf024 ("bnxt_en: Add TPA ID mapping logic for 57500 chips.") +Reviewed-by: Ray Jui +Signed-off-by: Srijit Bose +Signed-off-by: Michael Chan +Reviewed-by: Vadim Fedorenko +Link: https://patch.msgid.link/20251231083625.3911652-1-michael.chan@broadcom.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 15 ++++++++++++--- + drivers/net/ethernet/broadcom/bnxt/bnxt.h | 4 +--- + 2 files changed, 13 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index 0366323ab0676..95c774d98da66 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -1482,9 +1482,11 @@ static u16 bnxt_alloc_agg_idx(struct bnxt_rx_ring_info *rxr, u16 agg_id) + struct bnxt_tpa_idx_map *map = rxr->rx_tpa_idx_map; + u16 idx = agg_id & MAX_TPA_P5_MASK; + +- if (test_bit(idx, map->agg_idx_bmap)) +- idx = find_first_zero_bit(map->agg_idx_bmap, +- BNXT_AGG_IDX_BMAP_SIZE); ++ if (test_bit(idx, 
map->agg_idx_bmap)) { ++ idx = find_first_zero_bit(map->agg_idx_bmap, MAX_TPA_P5); ++ if (idx >= MAX_TPA_P5) ++ return INVALID_HW_RING_ID; ++ } + __set_bit(idx, map->agg_idx_bmap); + map->agg_id_tbl[agg_id] = idx; + return idx; +@@ -1548,6 +1550,13 @@ static void bnxt_tpa_start(struct bnxt *bp, struct bnxt_rx_ring_info *rxr, + if (bp->flags & BNXT_FLAG_CHIP_P5_PLUS) { + agg_id = TPA_START_AGG_ID_P5(tpa_start); + agg_id = bnxt_alloc_agg_idx(rxr, agg_id); ++ if (unlikely(agg_id == INVALID_HW_RING_ID)) { ++ netdev_warn(bp->dev, "Unable to allocate agg ID for ring %d, agg 0x%x\n", ++ rxr->bnapi->index, ++ TPA_START_AGG_ID_P5(tpa_start)); ++ bnxt_sched_reset_rxr(bp, rxr); ++ return; ++ } + } else { + agg_id = TPA_START_AGG_ID(tpa_start); + } +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.h b/drivers/net/ethernet/broadcom/bnxt/bnxt.h +index 3613a172483a1..45bbaec75ded4 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h +@@ -1079,11 +1079,9 @@ struct bnxt_tpa_info { + struct rx_agg_cmp *agg_arr; + }; + +-#define BNXT_AGG_IDX_BMAP_SIZE (MAX_TPA_P5 / BITS_PER_LONG) +- + struct bnxt_tpa_idx_map { + u16 agg_id_tbl[1024]; +- unsigned long agg_idx_bmap[BNXT_AGG_IDX_BMAP_SIZE]; ++ DECLARE_BITMAP(agg_idx_bmap, MAX_TPA_P5); + }; + + struct bnxt_rx_ring_info { +-- +2.51.0 + diff --git a/queue-6.18/bridge-fix-c-vlan-preservation-in-802.1ad-vlan_tunne.patch b/queue-6.18/bridge-fix-c-vlan-preservation-in-802.1ad-vlan_tunne.patch new file mode 100644 index 0000000000..386be81872 --- /dev/null +++ b/queue-6.18/bridge-fix-c-vlan-preservation-in-802.1ad-vlan_tunne.patch 
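Review bot: bnxt_alloc_agg_idx() gains a failure return, but it reuses the ring-ID sentinel `INVALID_HW_RING_ID` for an aggregation index and nothing at the function says the result may be unusable. A one-line comment above the function, e.g. `/* Returns INVALID_HW_RING_ID when all MAX_TPA_P5 indices are in use; the caller must not index with it. */`, would keep a future caller from passing the value on as an index. The `netdev_warn()` added in bnxt_tpa_start() sits on the receive path; if the reset scheduled by `bnxt_sched_reset_rxr()` does not stop further TPA starts immediately (not visible here), a rate-limited or once-only warning would avoid flooding the log. Both functions extend beyond the hunk.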
@@ -0,0 +1,75 @@ +From 1ef04a8baeed4c5a11ec4444f24f92a30bb2b919 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Dec 2025 03:00:57 +0100 +Subject: bridge: fix C-VLAN preservation in 802.1ad vlan_tunnel egress + +From: Alexandre Knecht + +[ Upstream commit 3128df6be147768fe536986fbb85db1d37806a9f ] + +When using an 802.1ad bridge with vlan_tunnel, the C-VLAN tag is +incorrectly stripped from frames during egress processing. + +br_handle_egress_vlan_tunnel() uses skb_vlan_pop() to remove the S-VLAN +from hwaccel before VXLAN encapsulation. However, skb_vlan_pop() also +moves any "next" VLAN from the payload into hwaccel: + + /* move next vlan tag to hw accel tag */ + __skb_vlan_pop(skb, &vlan_tci); + __vlan_hwaccel_put_tag(skb, vlan_proto, vlan_tci); + +For QinQ frames where the C-VLAN sits in the payload, this moves it to +hwaccel where it gets lost during VXLAN encapsulation. + +Fix by calling __vlan_hwaccel_clear_tag() directly, which clears only +the hwaccel S-VLAN and leaves the payload untouched. + +This path is only taken when vlan_tunnel is enabled and tunnel_info +is configured, so 802.1Q bridges are unaffected. + +Tested with 802.1ad bridge + VXLAN vlan_tunnel, verified C-VLAN +preserved in VXLAN payload via tcpdump. 
+ +Fixes: 11538d039ac6 ("bridge: vlan dst_metadata hooks in ingress and egress paths") +Signed-off-by: Alexandre Knecht +Reviewed-by: Ido Schimmel +Acked-by: Nikolay Aleksandrov +Link: https://patch.msgid.link/20251228020057.2788865-1-knecht.alexandre@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/bridge/br_vlan_tunnel.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/net/bridge/br_vlan_tunnel.c b/net/bridge/br_vlan_tunnel.c +index a966a6ec82634..257cae9f15698 100644 +--- a/net/bridge/br_vlan_tunnel.c ++++ b/net/bridge/br_vlan_tunnel.c +@@ -189,7 +189,6 @@ int br_handle_egress_vlan_tunnel(struct sk_buff *skb, + IP_TUNNEL_DECLARE_FLAGS(flags) = { }; + struct metadata_dst *tunnel_dst; + __be64 tunnel_id; +- int err; + + if (!vlan) + return 0; +@@ -199,9 +198,13 @@ int br_handle_egress_vlan_tunnel(struct sk_buff *skb, + return 0; + + skb_dst_drop(skb); +- err = skb_vlan_pop(skb); +- if (err) +- return err; ++ /* For 802.1ad (QinQ), skb_vlan_pop() incorrectly moves the C-VLAN ++ * from payload to hwaccel after clearing S-VLAN. We only need to ++ * clear the hwaccel S-VLAN; the C-VLAN must stay in payload for ++ * correct VXLAN encapsulation. This is also correct for 802.1Q ++ * where no C-VLAN exists in payload. ++ */ ++ __vlan_hwaccel_clear_tag(skb); + + if (BR_INPUT_SKB_CB(skb)->backup_nhid) { + __set_bit(IP_TUNNEL_KEY_BIT, flags); +-- +2.51.0 + diff --git a/queue-6.18/btrfs-fix-null-pointer-dereference-in-do_abort_log_r.patch b/queue-6.18/btrfs-fix-null-pointer-dereference-in-do_abort_log_r.patch new file mode 100644 index 0000000000..f2e978fb3c --- /dev/null +++ b/queue-6.18/btrfs-fix-null-pointer-dereference-in-do_abort_log_r.patch 
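Review bot: With `skb_vlan_pop()` replaced by `__vlan_hwaccel_clear_tag(skb)` in br_handle_egress_vlan_tunnel(), the code now assumes the S-VLAN is always carried in hwaccel at this point; a frame that reached here with the outer tag still in the payload would be encapsulated with that tag intact, and the old error return is gone as well. The commit message describes the tag as being in hwaccel, so this is probably an invariant of the egress path, but the new comment does not state it. I would add a line to that comment, e.g. `* Assumes the S-VLAN is carried in hwaccel at this point.`, or guard the call with `skb_vlan_tag_present(skb)` if that is not guaranteed. The function starts and ends outside the hunk.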
@@ -0,0 +1,43 @@ +From bbecd464186f18d94019382623024ea328d82c82 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Dec 2025 22:44:34 +0530 +Subject: btrfs: fix NULL pointer dereference in do_abort_log_replay() + +From: Suchit Karunakaran + +[ Upstream commit 530e3d4af566ca44807d79359b90794dea24c4f3 ] + +Coverity reported a NULL pointer dereference issue (CID 1666756) in +do_abort_log_replay(). When btrfs_alloc_path() fails in +replay_one_buffer(), wc->subvol_path is NULL, but btrfs_abort_log_replay() +calls do_abort_log_replay() which unconditionally dereferences +wc->subvol_path when attempting to print debug information. Fix this by +adding a NULL check before dereferencing wc->subvol_path in +do_abort_log_replay(). + +Fixes: 2753e4917624 ("btrfs: dump detailed info and specific messages on log replay failures") +Reviewed-by: Filipe Manana +Signed-off-by: Suchit Karunakaran +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/tree-log.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c +index de9ea9d52482f..1444857de9fe8 100644 +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -189,7 +189,7 @@ static void do_abort_log_replay(struct walk_control *wc, const char *function, + + btrfs_abort_transaction(wc->trans, error); + +- if (wc->subvol_path->nodes[0]) { ++ if (wc->subvol_path && wc->subvol_path->nodes[0]) { + btrfs_crit(fs_info, + "subvolume (root %llu) leaf currently being processed:", + btrfs_root_id(wc->root)); +-- +2.51.0 + diff --git a/queue-6.18/btrfs-only-enforce-free-space-tree-if-v1-cache-is-re.patch b/queue-6.18/btrfs-only-enforce-free-space-tree-if-v1-cache-is-re.patch new file mode 100644 index 0000000000..bd75f56034 --- /dev/null +++ b/queue-6.18/btrfs-only-enforce-free-space-tree-if-v1-cache-is-re.patch 
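Review bot: The added `wc->subvol_path &&` test in do_abort_log_replay() carries no comment saying when the path can be NULL; the reason lives only in the commit message. A short comment above the condition, e.g. `/* subvol_path is NULL if btrfs_alloc_path() failed in replay_one_buffer(). */`, would keep the check from being removed as redundant later. The rest of the function is outside the hunk, so any later use of `wc->subvol_path` there should be confirmed to sit inside this guarded block.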
@@ -0,0 +1,87 @@ +From 7569496c394815fe803b146011a6aa9b9b6c4d14 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Dec 2025 15:15:28 +1030 +Subject: btrfs: only enforce free space tree if v1 cache is required for bs < + ps cases + +From: Qu Wenruo + +[ Upstream commit 30bcf4e824aa37d305502f52e1527c7b1eabef3d ] + +[BUG] +Since the introduction of btrfs bs < ps support, v1 cache was never on +the plan due to its hard coded PAGE_SIZE usage, and the future plan to +properly deprecate it. + +However for bs < ps cases, even if 'nospace_cache,clear_cache' mount +option is specified, it's never respected and free space tree is always +enabled: + + mkfs.btrfs -f -O ^bgt,fst $dev + mount $dev $mnt -o clear_cache,nospace_cache + umount $mnt + btrfs ins dump-super $dev + ... + compat_ro_flags 0x3 + ( FREE_SPACE_TREE | + FREE_SPACE_TREE_VALID ) + ... + +This means a different behavior compared to bs >= ps cases. + +[CAUSE] +The forcing usage of v2 space cache is done inside +btrfs_set_free_space_cache_settings(), however it never checks if we're +even using space cache but always enabling v2 cache. + +[FIX] +Instead unconditionally enable v2 cache, only forcing v2 cache if the +old v1 cache is required. + +Now v2 space cache can be properly disabled on bs < ps cases: + + mkfs.btrfs -f -O ^bgt,fst $dev + mount $dev $mnt -o clear_cache,nospace_cache + umount $mnt + btrfs ins dump-super $dev + ... + compat_ro_flags 0x0 + ... 
+ +Fixes: 9f73f1aef98b ("btrfs: force v2 space cache usage for subpage mount") +Reviewed-by: Filipe Manana +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/super.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c +index 430e7419349c9..c40944ca7b948 100644 +--- a/fs/btrfs/super.c ++++ b/fs/btrfs/super.c +@@ -736,14 +736,12 @@ bool btrfs_check_options(const struct btrfs_fs_info *info, + */ + void btrfs_set_free_space_cache_settings(struct btrfs_fs_info *fs_info) + { +- if (fs_info->sectorsize < PAGE_SIZE) { ++ if (fs_info->sectorsize < PAGE_SIZE && btrfs_test_opt(fs_info, SPACE_CACHE)) { ++ btrfs_info(fs_info, ++ "forcing free space tree for sector size %u with page size %lu", ++ fs_info->sectorsize, PAGE_SIZE); + btrfs_clear_opt(fs_info->mount_opt, SPACE_CACHE); +- if (!btrfs_test_opt(fs_info, FREE_SPACE_TREE)) { +- btrfs_info(fs_info, +- "forcing free space tree for sector size %u with page size %lu", +- fs_info->sectorsize, PAGE_SIZE); +- btrfs_set_opt(fs_info->mount_opt, FREE_SPACE_TREE); +- } ++ btrfs_set_opt(fs_info->mount_opt, FREE_SPACE_TREE); + } + + /* +-- +2.51.0 + diff --git a/queue-6.18/btrfs-release-path-before-initializing-extent-tree-i.patch b/queue-6.18/btrfs-release-path-before-initializing-extent-tree-i.patch new file mode 100644 index 0000000000..260fb9215a --- /dev/null +++ b/queue-6.18/btrfs-release-path-before-initializing-extent-tree-i.patch 
@@ -0,0 +1,222 @@ +From cfd21e6dc6c9b32a21a7b80f16eeea7ff8378a5b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Dec 2025 14:51:52 +0000 +Subject: btrfs: release path before initializing extent tree in + btrfs_read_locked_inode() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Filipe Manana + +[ Upstream commit 8731f2c50b0b1d2b58ed5b9671ef2c4bdc2f8347 ] + +In btrfs_read_locked_inode() we are calling btrfs_init_file_extent_tree() +while holding a path with a read locked leaf from a subvolume tree, and +btrfs_init_file_extent_tree() may do a GFP_KERNEL allocation, which can +trigger reclaim. + +This can create a circular lock dependency which lockdep warns about with +the following splat: + + [6.1433] ====================================================== + [6.1574] WARNING: possible circular locking dependency detected + [6.1583] 6.18.0+ #4 Tainted: G U + [6.1591] ------------------------------------------------------ + [6.1599] kswapd0/117 is trying to acquire lock: + [6.1606] ffff8d9b6333c5b8 (&delayed_node->mutex){+.+.}-{3:3}, at: __btrfs_release_delayed_node.part.0+0x39/0x2f0 + [6.1625] + but task is already holding lock: + [6.1633] ffffffffa4ab8ce0 (fs_reclaim){+.+.}-{0:0}, at: balance_pgdat+0x195/0xc60 + [6.1646] + which lock already depends on the new lock. 
+ + [6.1657] + the existing dependency chain (in reverse order) is: + [6.1667] + -> #2 (fs_reclaim){+.+.}-{0:0}: + [6.1677] fs_reclaim_acquire+0x9d/0xd0 + [6.1685] __kmalloc_cache_noprof+0x59/0x750 + [6.1694] btrfs_init_file_extent_tree+0x90/0x100 + [6.1702] btrfs_read_locked_inode+0xc3/0x6b0 + [6.1710] btrfs_iget+0xbb/0xf0 + [6.1716] btrfs_lookup_dentry+0x3c5/0x8e0 + [6.1724] btrfs_lookup+0x12/0x30 + [6.1731] lookup_open.isra.0+0x1aa/0x6a0 + [6.1739] path_openat+0x5f7/0xc60 + [6.1746] do_filp_open+0xd6/0x180 + [6.1753] do_sys_openat2+0x8b/0xe0 + [6.1760] __x64_sys_openat+0x54/0xa0 + [6.1768] do_syscall_64+0x97/0x3e0 + [6.1776] entry_SYSCALL_64_after_hwframe+0x76/0x7e + [6.1784] + -> #1 (btrfs-tree-00){++++}-{3:3}: + [6.1794] lock_release+0x127/0x2a0 + [6.1801] up_read+0x1b/0x30 + [6.1808] btrfs_search_slot+0x8e0/0xff0 + [6.1817] btrfs_lookup_inode+0x52/0xd0 + [6.1825] __btrfs_update_delayed_inode+0x73/0x520 + [6.1833] btrfs_commit_inode_delayed_inode+0x11a/0x120 + [6.1842] btrfs_log_inode+0x608/0x1aa0 + [6.1849] btrfs_log_inode_parent+0x249/0xf80 + [6.1857] btrfs_log_dentry_safe+0x3e/0x60 + [6.1865] btrfs_sync_file+0x431/0x690 + [6.1872] do_fsync+0x39/0x80 + [6.1879] __x64_sys_fsync+0x13/0x20 + [6.1887] do_syscall_64+0x97/0x3e0 + [6.1894] entry_SYSCALL_64_after_hwframe+0x76/0x7e + [6.1903] + -> #0 (&delayed_node->mutex){+.+.}-{3:3}: + [6.1913] __lock_acquire+0x15e9/0x2820 + [6.1920] lock_acquire+0xc9/0x2d0 + [6.1927] __mutex_lock+0xcc/0x10a0 + [6.1934] __btrfs_release_delayed_node.part.0+0x39/0x2f0 + [6.1944] btrfs_evict_inode+0x20b/0x4b0 + [6.1952] evict+0x15a/0x2f0 + [6.1958] prune_icache_sb+0x91/0xd0 + [6.1966] super_cache_scan+0x150/0x1d0 + [6.1974] do_shrink_slab+0x155/0x6f0 + [6.1981] shrink_slab+0x48e/0x890 + [6.1988] shrink_one+0x11a/0x1f0 + [6.1995] shrink_node+0xbfd/0x1320 + [6.1002] balance_pgdat+0x67f/0xc60 + [6.1321] kswapd+0x1dc/0x3e0 + [6.1643] kthread+0xff/0x240 + [6.1965] ret_from_fork+0x223/0x280 + [6.1287] ret_from_fork_asm+0x1a/0x30 + [6.1616] 
+ other info that might help us debug this: + + [6.1561] Chain exists of: + &delayed_node->mutex --> btrfs-tree-00 --> fs_reclaim + + [6.1503] Possible unsafe locking scenario: + + [6.1110] CPU0 CPU1 + [6.1411] ---- ---- + [6.1707] lock(fs_reclaim); + [6.1998] lock(btrfs-tree-00); + [6.1291] lock(fs_reclaim); + [6.1581] lock(&delayed_node->mutex); + [6.1874] + *** DEADLOCK *** + + [6.1716] 2 locks held by kswapd0/117: + [6.1999] #0: ffffffffa4ab8ce0 (fs_reclaim){+.+.}-{0:0}, at: balance_pgdat+0x195/0xc60 + [6.1294] #1: ffff8d998344b0e0 (&type->s_umount_key#40){++++}- {3:3}, at: super_cache_scan+0x37/0x1d0 + [6.1596] + stack backtrace: + [6.1183] CPU: 11 UID: 0 PID: 117 Comm: kswapd0 Tainted: G U 6.18.0+ #4 PREEMPT(lazy) + [6.1185] Tainted: [U]=USER + [6.1186] Hardware name: ASUS System Product Name/PRIME B560M-A AC, BIOS 2001 02/01/2023 + [6.1187] Call Trace: + [6.1187] + [6.1189] dump_stack_lvl+0x6e/0xa0 + [6.1192] print_circular_bug.cold+0x17a/0x1c0 + [6.1194] check_noncircular+0x175/0x190 + [6.1197] __lock_acquire+0x15e9/0x2820 + [6.1200] lock_acquire+0xc9/0x2d0 + [6.1201] ? __btrfs_release_delayed_node.part.0+0x39/0x2f0 + [6.1204] __mutex_lock+0xcc/0x10a0 + [6.1206] ? __btrfs_release_delayed_node.part.0+0x39/0x2f0 + [6.1208] ? __btrfs_release_delayed_node.part.0+0x39/0x2f0 + [6.1211] ? __btrfs_release_delayed_node.part.0+0x39/0x2f0 + [6.1213] __btrfs_release_delayed_node.part.0+0x39/0x2f0 + [6.1215] btrfs_evict_inode+0x20b/0x4b0 + [6.1217] ? lock_acquire+0xc9/0x2d0 + [6.1220] evict+0x15a/0x2f0 + [6.1222] prune_icache_sb+0x91/0xd0 + [6.1224] super_cache_scan+0x150/0x1d0 + [6.1226] do_shrink_slab+0x155/0x6f0 + [6.1228] shrink_slab+0x48e/0x890 + [6.1229] ? shrink_slab+0x2d2/0x890 + [6.1231] shrink_one+0x11a/0x1f0 + [6.1234] shrink_node+0xbfd/0x1320 + [6.1236] ? shrink_node+0xa2d/0x1320 + [6.1236] ? shrink_node+0xbd3/0x1320 + [6.1239] ? balance_pgdat+0x67f/0xc60 + [6.1239] balance_pgdat+0x67f/0xc60 + [6.1241] ? 
finish_task_switch.isra.0+0xc4/0x2a0 + [6.1246] kswapd+0x1dc/0x3e0 + [6.1247] ? __pfx_autoremove_wake_function+0x10/0x10 + [6.1249] ? __pfx_kswapd+0x10/0x10 + [6.1250] kthread+0xff/0x240 + [6.1251] ? __pfx_kthread+0x10/0x10 + [6.1253] ret_from_fork+0x223/0x280 + [6.1255] ? __pfx_kthread+0x10/0x10 + [6.1257] ret_from_fork_asm+0x1a/0x30 + [6.1260] + +This is because: + +1) The fsync task is holding an inode's delayed node mutex (for a + directory) while calling __btrfs_update_delayed_inode() and that needs + to do a search on the subvolume's btree (therefore read lock some + extent buffers); + +2) The lookup task, at btrfs_lookup(), triggered reclaim with the + GFP_KERNEL allocation done by btrfs_init_file_extent_tree() while + holding a read lock on a subvolume leaf; + +3) The reclaim triggered kswapd which is doing inode eviction for the + directory inode the fsync task is using as an argument to + btrfs_commit_inode_delayed_inode() - but in that call chain we are + trying to read lock the same leaf that the lookup task is holding + while calling btrfs_init_file_extent_tree() and doing the GFP_KERNEL + allocation. + +Fix this by calling btrfs_init_file_extent_tree() after we don't need the +path anymore and release it in btrfs_read_locked_inode(). 
+ +Reported-by: Thomas Hellström +Link: https://lore.kernel.org/linux-btrfs/6e55113a22347c3925458a5d840a18401a38b276.camel@linux.intel.com/ +Fixes: 8679d2687c35 ("btrfs: initialize inode::file_extent_tree after i_mode has been set") +Reviewed-by: Qu Wenruo +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/inode.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c +index 51401d586a7b6..27a562bad6e87 100644 +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -3976,11 +3976,6 @@ static int btrfs_read_locked_inode(struct btrfs_inode *inode, struct btrfs_path + btrfs_set_inode_mapping_order(inode); + + cache_index: +- ret = btrfs_init_file_extent_tree(inode); +- if (ret) +- goto out; +- btrfs_inode_set_file_extent_range(inode, 0, +- round_up(i_size_read(vfs_inode), fs_info->sectorsize)); + /* + * If we were modified in the current generation and evicted from memory + * and then re-read we need to do a full sync since we don't have any +@@ -4067,6 +4062,20 @@ static int btrfs_read_locked_inode(struct btrfs_inode *inode, struct btrfs_path + btrfs_ino(inode), btrfs_root_id(root), ret); + } + ++ /* ++ * We don't need the path anymore, so release it to avoid holding a read ++ * lock on a leaf while calling btrfs_init_file_extent_tree(), which can ++ * allocate memory that triggers reclaim (GFP_KERNEL) and cause a locking ++ * dependency. ++ */ ++ btrfs_release_path(path); ++ ++ ret = btrfs_init_file_extent_tree(inode); ++ if (ret) ++ goto out; ++ btrfs_inode_set_file_extent_range(inode, 0, ++ round_up(i_size_read(vfs_inode), fs_info->sectorsize)); ++ + if (!maybe_acls) + cache_no_acl(vfs_inode); + +-- +2.51.0 + diff --git a/queue-6.18/crypto-qat-fix-duplicate-restarting-msg-during-aer-e.patch b/queue-6.18/crypto-qat-fix-duplicate-restarting-msg-during-aer-e.patch new file mode 100644 index 0000000000..d168098c3b 
--- /dev/null +++ b/queue-6.18/crypto-qat-fix-duplicate-restarting-msg-during-aer-e.patch @@ -0,0 +1,47 @@ +From b121d6de3662b43b087788bd6ebc0a1ea9deca44 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Dec 2025 11:16:06 +0530 +Subject: crypto: qat - fix duplicate restarting msg during AER error + +From: Harshita Bhilwaria + +[ Upstream commit 961ac9d97be72267255f1ed841aabf6694b17454 ] + +The restarting message from PF to VF is sent twice during AER error +handling: once from adf_error_detected() and again from +adf_disable_sriov(). +This causes userspace subservices to shutdown unexpectedly when they +receive a duplicate restarting message after already being restarted. + +Avoid calling adf_pf2vf_notify_restarting() and +adf_pf2vf_wait_for_restarting_complete() from adf_error_detected() so +that the restarting msg is sent only once from PF to VF. + +Fixes: 9567d3dc760931 ("crypto: qat - improve aer error reset handling") +Signed-off-by: Harshita Bhilwaria +Reviewed-by: Giovanni Cabiddu +Reviewed-by: Ahsan Atta +Reviewed-by: Ravikumar PM +Reviewed-by: Srikanth Thokala +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/intel/qat/qat_common/adf_aer.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/crypto/intel/qat/qat_common/adf_aer.c b/drivers/crypto/intel/qat/qat_common/adf_aer.c +index 35679b21ff63b..a098689ab5b75 100644 +--- a/drivers/crypto/intel/qat/qat_common/adf_aer.c ++++ b/drivers/crypto/intel/qat/qat_common/adf_aer.c +@@ -41,8 +41,6 @@ static pci_ers_result_t adf_error_detected(struct pci_dev *pdev, + adf_error_notifier(accel_dev); + adf_pf2vf_notify_fatal_error(accel_dev); + adf_dev_restarting_notify(accel_dev); +- adf_pf2vf_notify_restarting(accel_dev); +- adf_pf2vf_wait_for_restarting_complete(accel_dev); + pci_clear_master(pdev); + adf_dev_down(accel_dev); + +-- +2.51.0 + 
diff --git a/queue-6.18/drm-amd-pm-fix-wrong-pcie-parameter-on-navi1x.patch b/queue-6.18/drm-amd-pm-fix-wrong-pcie-parameter-on-navi1x.patch new file mode 100644 index 0000000000..31df607395 --- /dev/null +++ b/queue-6.18/drm-amd-pm-fix-wrong-pcie-parameter-on-navi1x.patch @@ -0,0 +1,43 @@ +From d0b6d7857774d3e4fabab5d02841a978af24b4ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Dec 2025 10:47:18 +0800 +Subject: drm/amd/pm: fix wrong pcie parameter on navi1x + +From: Yang Wang + +[ Upstream commit 4f74c2dd970611d3ec3bb0d58215e73af5cd7214 ] + +fix wrong pcie dpm parameter on navi1x + +Fixes: 1a18607c07bb ("drm/amd/pm: override pcie dpm parameters only if it is necessary") +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4671 +Signed-off-by: Yang Wang +Co-developed-by: Kenneth Feng +Signed-off-by: Kenneth Feng +Acked-by: Alex Deucher +Reviewed-by: Lijo Lazar +Signed-off-by: Alex Deucher +(cherry picked from commit 5c5189cf4b0cc0a22bac74a40743ee711cff07f8) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c +index 0028f10ead423..d0fd9537e6236 100644 +--- a/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c +@@ -2463,8 +2463,8 @@ static int navi10_update_pcie_parameters(struct smu_context *smu, + pptable->PcieLaneCount[i] > pcie_width_cap ? + pcie_width_cap : pptable->PcieLaneCount[i]; + smu_pcie_arg = i << 16; +- smu_pcie_arg |= pcie_gen_cap << 8; +- smu_pcie_arg |= pcie_width_cap; ++ smu_pcie_arg |= dpm_context->dpm_tables.pcie_table.pcie_gen[i] << 8; ++ smu_pcie_arg |= dpm_context->dpm_tables.pcie_table.pcie_lane[i]; + ret = smu_cmn_send_smc_msg_with_param(smu, + SMU_MSG_OverridePcieParameters, + smu_pcie_arg, +-- +2.51.0 + 
diff --git a/queue-6.18/drm-amd-pm-force-send-pcie-parmater-on-navi1x.patch b/queue-6.18/drm-amd-pm-force-send-pcie-parmater-on-navi1x.patch new file mode 100644 index 0000000000..860e350d79 --- /dev/null +++ b/queue-6.18/drm-amd-pm-force-send-pcie-parmater-on-navi1x.patch 
@@ -0,0 +1,74 @@ +From 55fac2a2986b5b85c6083f15991ee98ebfccbfe5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Dec 2025 17:51:11 +0800 +Subject: drm/amd/pm: force send pcie parmater on navi1x + +From: Yang Wang + +[ Upstream commit dc8a887de1a7d397ab4131f45676e89565417aa8 ] + +v1: +the PMFW didn't initialize the PCIe DPM parameters +and requires the KMD to actively provide these parameters. + +v2: +clean & remove unused code logic (lijo) + +Fixes: 1a18607c07bb ("drm/amd/pm: override pcie dpm parameters only if it is necessary") +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4671 +Signed-off-by: Yang Wang +Reviewed-by: Lijo Lazar +Signed-off-by: Alex Deucher +(cherry picked from commit b0dbd5db7cf1f81e4aaedd25cb5e72ce369387b2) +Signed-off-by: Sasha Levin +--- + .../gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c | 33 +++++++++---------- + 1 file changed, 15 insertions(+), 18 deletions(-) + +diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c +index d0fd9537e6236..a2fcf678182b4 100644 +--- a/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c +@@ -2454,24 +2454,21 @@ static int navi10_update_pcie_parameters(struct smu_context *smu, + } + + for (i = 0; i < NUM_LINK_LEVELS; i++) { +- if (pptable->PcieGenSpeed[i] > pcie_gen_cap || +- pptable->PcieLaneCount[i] > pcie_width_cap) { +- dpm_context->dpm_tables.pcie_table.pcie_gen[i] = +- pptable->PcieGenSpeed[i] > pcie_gen_cap ? +- pcie_gen_cap : pptable->PcieGenSpeed[i]; +- dpm_context->dpm_tables.pcie_table.pcie_lane[i] = +- pptable->PcieLaneCount[i] > pcie_width_cap ? 
+- pcie_width_cap : pptable->PcieLaneCount[i]; +- smu_pcie_arg = i << 16; +- smu_pcie_arg |= dpm_context->dpm_tables.pcie_table.pcie_gen[i] << 8; +- smu_pcie_arg |= dpm_context->dpm_tables.pcie_table.pcie_lane[i]; +- ret = smu_cmn_send_smc_msg_with_param(smu, +- SMU_MSG_OverridePcieParameters, +- smu_pcie_arg, +- NULL); +- if (ret) +- break; +- } ++ dpm_context->dpm_tables.pcie_table.pcie_gen[i] = ++ pptable->PcieGenSpeed[i] > pcie_gen_cap ? ++ pcie_gen_cap : pptable->PcieGenSpeed[i]; ++ dpm_context->dpm_tables.pcie_table.pcie_lane[i] = ++ pptable->PcieLaneCount[i] > pcie_width_cap ? ++ pcie_width_cap : pptable->PcieLaneCount[i]; ++ smu_pcie_arg = i << 16; ++ smu_pcie_arg |= dpm_context->dpm_tables.pcie_table.pcie_gen[i] << 8; ++ smu_pcie_arg |= dpm_context->dpm_tables.pcie_table.pcie_lane[i]; ++ ret = smu_cmn_send_smc_msg_with_param(smu, ++ SMU_MSG_OverridePcieParameters, ++ smu_pcie_arg, ++ NULL); ++ if (ret) ++ return ret; + } + + return ret; +-- +2.51.0 + diff --git a/queue-6.18/erofs-don-t-bother-with-s_stack_depth-increasing-for.patch b/queue-6.18/erofs-don-t-bother-with-s_stack_depth-increasing-for.patch new file mode 100644 index 0000000000..e1c7d9753e --- /dev/null +++ b/queue-6.18/erofs-don-t-bother-with-s_stack_depth-increasing-for.patch 
@@ -0,0 +1,100 @@
+From 26c09d7668577eb6712a940b07f8c057434d0b03 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 8 Jan 2026 10:38:31 +0800
+Subject: erofs: don't bother with s_stack_depth increasing for now
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Gao Xiang
+
+[ Upstream commit 072a7c7cdbea4f91df854ee2bb216256cd619f2a ]
+
+Previously, commit d53cd891f0e4 ("erofs: limit the level of fs stacking
+for file-backed mounts") bumped `s_stack_depth` by one to avoid kernel
+stack overflow when stacking an unlimited number of EROFS on top of
+each other.
+
+This fix breaks composefs mounts, which need EROFS+ovl^2 sometimes
+(and such setups are already used in production for quite a long time).
+
+One way to fix this regression is to bump FILESYSTEM_MAX_STACK_DEPTH
+from 2 to 3, but proving that this is safe in general is a high bar.
+
+After a long discussion on GitHub issues [1] about possible solutions,
+one conclusion is that there is no need to support nesting file-backed
+EROFS mounts on stacked filesystems, because there is always the option
+to use loopback devices as a fallback.
+
+As a quick fix for the composefs regression for this cycle, instead of
+bumping `s_stack_depth` for file backed EROFS mounts, we disallow
+nesting file-backed EROFS over EROFS and over filesystems with
+`s_stack_depth` > 0.
+
+This works for all known file-backed mount use cases (composefs,
+containerd, and Android APEX for some Android vendors), and the fix is
+self-contained.
+
+Essentially, we are allowing one extra unaccounted fs stacking level of
+EROFS below stacking filesystems, but EROFS can only be used in the read
+path (i.e. overlayfs lower layers), which typically has much lower stack
+usage than the write path.
+
+We can consider increasing FILESYSTEM_MAX_STACK_DEPTH later, after more
+stack usage analysis or using alternative approaches, such as splitting
+the `s_stack_depth` limitation according to different combinations of
+stacking.
+
+Fixes: d53cd891f0e4 ("erofs: limit the level of fs stacking for file-backed mounts")
+Reported-and-tested-by: Dusty Mabe
+Reported-by: Timothée Ravier
+Closes: https://github.com/coreos/fedora-coreos-tracker/issues/2087 [1]
+Reported-by: "Alekséi Naidénov"
+Closes: https://lore.kernel.org/r/CAFHtUiYv4+=+JP_-JjARWjo6OwcvBj1wtYN=z0QXwCpec9sXtg@mail.gmail.com
+Acked-by: Amir Goldstein
+Acked-by: Alexander Larsson
+Reviewed-and-tested-by: Sheng Yong
+Reviewed-by: Zhiguo Niu
+Reviewed-by: Chao Yu
+Cc: Christian Brauner
+Cc: Miklos Szeredi
+Signed-off-by: Gao Xiang
+Signed-off-by: Sasha Levin
+---
+ fs/erofs/super.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/fs/erofs/super.c b/fs/erofs/super.c
+index 937a215f626c1..e93264034b5db 100644
+--- a/fs/erofs/super.c
++++ b/fs/erofs/super.c
+@@ -644,14 +644,20 @@ static int erofs_fc_fill_super(struct super_block *sb, struct fs_context *fc)
+ * fs contexts (including its own) due to self-controlled RO
+ * accesses/contexts and no side-effect changes that need to
+ * context save & restore so it can reuse the current thread
+- * context. However, it still needs to bump `s_stack_depth` to
+- * avoid kernel stack overflow from nested filesystems.
++ * context.
++ * However, we still need to prevent kernel stack overflow due
++ * to filesystem nesting: just ensure that s_stack_depth is 0
++ * to disallow mounting EROFS on stacked filesystems.
++ * Note: s_stack_depth is not incremented here for now, since
++ * EROFS is the only fs supporting file-backed mounts for now.
++ * It MUST change if another fs plans to support them, which
++ * may also require adjusting FILESYSTEM_MAX_STACK_DEPTH.
+ */
+ if (erofs_is_fileio_mode(sbi)) {
+- sb->s_stack_depth =
+- file_inode(sbi->dif0.file)->i_sb->s_stack_depth + 1;
+- if (sb->s_stack_depth > FILESYSTEM_MAX_STACK_DEPTH) {
+- erofs_err(sb, "maximum fs stacking depth exceeded");
++ inode = file_inode(sbi->dif0.file);
++ if ((inode->i_sb->s_op == &erofs_sops && !sb->s_bdev) ||
++ inode->i_sb->s_stack_depth) {
++ erofs_err(sb, "file-backed mounts cannot be applied to stacked fses");
+ return -ENOTBLK;
+ }
+ }
+--
+2.51.0
+
diff --git a/queue-6.18/erofs-fix-file-backed-mounts-no-longer-working-on-er.patch b/queue-6.18/erofs-fix-file-backed-mounts-no-longer-working-on-er.patch
new file mode 100644
index 0000000000..b8aa7c00fc
--- /dev/null
+++ b/queue-6.18/erofs-fix-file-backed-mounts-no-longer-working-on-er.patch
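Review bot: The new comment in erofs_fc_fill_super() explains only the `s_stack_depth` half of the check; the `inode->i_sb->s_op == &erofs_sops` test that refuses an EROFS backing superblock is not described. Now that `s_stack_depth` is no longer bumped, this comment is the only place that documents the kernel-stack-overflow guard, so it should name both refusals, e.g. `* Refuse a backing file that lives on EROFS or on any fs with a non-zero s_stack_depth.`. The follow-up patch in this queue (erofs-fix-file-backed-mounts-no-longer-working-on-er.patch) narrows the first case by testing `!inode->i_sb->s_bdev` and also leaves the comment untouched, so the wording should be adjusted there to say "file-backed EROFS". The function body starts and ends outside the hunk.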
@@ -0,0 +1,67 @@
+From 18b080aea14c46511e8413c271f7f527332af43a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 10 Jan 2026 19:47:03 +0800
+Subject: erofs: fix file-backed mounts no longer working on EROFS partitions
+
+From: Gao Xiang
+
+[ Upstream commit 7893cc12251f6f19e7689a4cf3ba803bddbd8437 ]
+
+Sheng Yong reported [1] that Android APEX images didn't work with commit
+072a7c7cdbea ("erofs: don't bother with s_stack_depth increasing for
+now") because "EROFS-formatted APEX file images can be stored within an
+EROFS-formatted Android system partition."
+
+In response, I sent a quick fat-fingered [PATCH v3] to address the
+report. Unfortunately, the updated condition was incorrect:
+
+ if (erofs_is_fileio_mode(sbi)) {
+- sb->s_stack_depth =
+- file_inode(sbi->dif0.file)->i_sb->s_stack_depth + 1;
+- if (sb->s_stack_depth > FILESYSTEM_MAX_STACK_DEPTH) {
+- erofs_err(sb, "maximum fs stacking depth exceeded");
++ inode = file_inode(sbi->dif0.file);
++ if ((inode->i_sb->s_op == &erofs_sops && !sb->s_bdev) ||
++ inode->i_sb->s_stack_depth) {
+
+The condition `!sb->s_bdev` is always true for all file-backed EROFS
+mounts, making the check effectively a no-op.
+
+The real fix tested and confirmed by Sheng Yong [2] at that time was
+[PATCH v3 RESEND], which correctly ensures the following EROFS^2 setup
+works:
+ EROFS (on a block device) + EROFS (file-backed mount)
+
+But sadly I screwed it up again by upstreaming the outdated [PATCH v3].
+
+This patch applies the same logic as the delta between the upstream
+[PATCH v3] and the real fix [PATCH v3 RESEND].
+
+Reported-by: Sheng Yong
+Closes: https://lore.kernel.org/r/3acec686-4020-4609-aee4-5dae7b9b0093@gmail.com [1]
+Fixes: 072a7c7cdbea ("erofs: don't bother with s_stack_depth increasing for now")
+Link: https://lore.kernel.org/r/243f57b8-246f-47e7-9fb1-27a771e8e9e8@gmail.com [2]
+Signed-off-by: Gao Xiang
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ fs/erofs/super.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/erofs/super.c b/fs/erofs/super.c
+index e93264034b5db..5136cda5972a9 100644
+--- a/fs/erofs/super.c
++++ b/fs/erofs/super.c
+@@ -655,7 +655,8 @@ static int erofs_fc_fill_super(struct super_block *sb, struct fs_context *fc)
+ */
+ if (erofs_is_fileio_mode(sbi)) {
+ inode = file_inode(sbi->dif0.file);
+- if ((inode->i_sb->s_op == &erofs_sops && !sb->s_bdev) ||
++ if ((inode->i_sb->s_op == &erofs_sops &&
++ !inode->i_sb->s_bdev) ||
+ inode->i_sb->s_stack_depth) {
+ erofs_err(sb, "file-backed mounts cannot be applied to stacked fses");
+ return -ENOTBLK;
+--
+2.51.0
+
diff --git a/queue-6.18/gpio-it87-balance-superio-enter-exit-calls-in-error-.patch b/queue-6.18/gpio-it87-balance-superio-enter-exit-calls-in-error-.patch
new file mode 100644
index 0000000000..2fc82ce33c
--- /dev/null
+++ b/queue-6.18/gpio-it87-balance-superio-enter-exit-calls-in-error-.patch
@@ -0,0 +1,64 @@
+From 649c1bc1cb2e239c62ee9230872060419fdd679d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 10 Dec 2025 06:50:26 +0100
+Subject: gpio: it87: balance superio enter/exit calls in error path
+
+From: Bartosz Golaszewski
+
+[ Upstream commit a05543d6b05ba998fdbb4b383319ae5121bb7407 ]
+
+We always call superio_enter() in it87_gpio_direction_out() but only
+call superio_exit() if the call to it87_gpio_set() succeeds. Move the
+label to balance the calls in error path as well.
+
+Fixes: ef877a159072 ("gpio: it87: use new line value setter callbacks")
+Reported-by: Daniel Gibson
+Closes: https://lore.kernel.org/all/bd0a00e3-9b8c-43e8-8772-e67b91f4c71e@gibson.sh/
+Link: https://lore.kernel.org/r/20251210055026.23146-1-bartosz.golaszewski@oss.qualcomm.com
+Signed-off-by: Bartosz Golaszewski
+Signed-off-by: Sasha Levin
+---
+ drivers/gpio/gpio-it87.c | 11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/gpio/gpio-it87.c b/drivers/gpio/gpio-it87.c
+index 5d677bcfccf26..2ad3c239367bc 100644
+--- a/drivers/gpio/gpio-it87.c
++++ b/drivers/gpio/gpio-it87.c
+@@ -12,6 +12,7 @@
+
+ #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
++#include
+ #include
+ #include
+ #include
+@@ -241,23 +242,17 @@ static int it87_gpio_direction_out(struct gpio_chip *chip,
+ mask = 1 << (gpio_num % 8);
+ group = (gpio_num / 8);
+
+- spin_lock(&it87_gpio->lock);
++ guard(spinlock)(&it87_gpio->lock);
+
+ rc = superio_enter();
+ if (rc)
+- goto exit;
++ return rc;
+
+ /* set the output enable bit */
+ superio_set_mask(mask, group + it87_gpio->output_base);
+
+ rc = it87_gpio_set(chip, gpio_num, val);
+- if (rc)
+- goto exit;
+-
+ superio_exit();
+-
+-exit:
+- spin_unlock(&it87_gpio->lock);
+ return rc;
+ }
+
+--
+2.51.0
+
diff --git a/queue-6.18/gpio-pca953x-handle-short-interrupt-pulses-on-pcal-d.patch b/queue-6.18/gpio-pca953x-handle-short-interrupt-pulses-on-pcal-d.patch
new file mode 100644
index 0000000000..aef481a3d9
--- /dev/null
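Review bot: When `it87_gpio_set()` fails in it87_gpio_direction_out(), the output-enable bit has already been written by `superio_set_mask(mask, group + it87_gpio->output_base);`, so the function returns an error while the line stays switched to output. Whether `it87_gpio_set()` can fail in practice is not visible in this hunk; if it can, setting the value first and enabling the output only on success, i.e. moving the `rc = it87_gpio_set(chip, gpio_num, val);` line above the mask write and guarding the latter with `if (!rc)`, would avoid that half-applied state and also drive the requested level from the first moment the pin is an output. That reordering assumes the value write does not itself depend on the output-enable bit, which should be confirmed against the rest of the driver. The start of the function lies outside the hunk.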
+++ b/queue-6.18/gpio-pca953x-handle-short-interrupt-pulses-on-pcal-d.patch 
@@ -0,0 +1,148 @@ +From 67967137a5c1f68ab1e3b0a387a6e1daaf352923 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Dec 2025 16:30:25 +0100 +Subject: gpio: pca953x: handle short interrupt pulses on PCAL devices +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ernest Van Hoecke + +[ Upstream commit 014a17deb41201449f76df2b20c857a9c3294a7c ] + +GPIO drivers with latch input support may miss short pulses on input +pins even when input latching is enabled. The generic interrupt logic in +the pca953x driver reports interrupts by comparing the current input +value against the previously sampled one and only signals an event when +a level change is observed between two reads. + +For short pulses, the first edge is captured when the input register is +read, but if the signal returns to its previous level before the read, +the second edge is not observed. As a result, successive pulses can +produce identical input values at read time and no level change is +detected, causing interrupts to be missed. Below timing diagram shows +this situation where the top signal is the input pin level and the +bottom signal indicates the latched value. + +─────┐ ┌──*───────────────┐ ┌──*─────────────────┐ ┌──*─── + │ │ . │ │ . │ │ . + │ │ │ │ │ │ │ │ │ + └──*──┘ │ └──*──┘ │ └──*──┘ │ +Input │ │ │ │ │ │ + ▼ │ ▼ │ ▼ │ + IRQ │ IRQ │ IRQ │ + . . . +─────┐ .┌──────────────┐ .┌────────────────┐ .┌── + │ │ │ │ │ │ + │ │ │ │ │ │ + └────────*┘ └────────*┘ └────────*┘ +Latched │ │ │ + ▼ ▼ ▼ + READ 0 READ 0 READ 0 + NO CHANGE NO CHANGE + +PCAL variants provide an interrupt status register that records which +pins triggered an interrupt, but the status and input registers cannot +be read atomically. The interrupt status is only cleared when the input +port is read, and the input value must also be read to determine the +triggering edge. 
If another interrupt occurs on a different line after +the status register has been read but before the input register is +sampled, that event will not be reflected in the earlier status +snapshot, so relying solely on the interrupt status register is also +insufficient. + +Support for input latching and interrupt status handling was previously +added by [1], but the interrupt status-based logic was reverted by [2] +due to these issues. This patch addresses the original problem by +combining both sources of information. Events indicated by the interrupt +status register are merged with events detected through the existing +level-change logic. As a result: + +* short pulses, whose second edges are invisible, are detected via the + interrupt status register, and +* interrupts that occur between the status and input reads are still + caught by the generic level-change logic. + +This significantly improves robustness on devices that signal interrupts +as short pulses, while avoiding the issues that led to the earlier +reversion. In practice, even if only the first edge of a pulse is +observable, the interrupt is reliably detected. + +This fixes missed interrupts from an Ilitek touch controller with its +interrupt line connected to a PCAL6416A, where active-low pulses are +approximately 200 us long. 
+ +[1] commit 44896beae605 ("gpio: pca953x: add PCAL9535 interrupt support for Galileo Gen2") +[2] commit d6179f6c6204 ("gpio: pca953x: Improve interrupt support") + +Fixes: d6179f6c6204 ("gpio: pca953x: Improve interrupt support") +Signed-off-by: Ernest Van Hoecke +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20251217153050.142057-1-ernestvanhoecke@gmail.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-pca953x.c | 25 ++++++++++++++++++++++++- + 1 file changed, 24 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpio-pca953x.c b/drivers/gpio/gpio-pca953x.c +index b46927f550389..b2de916107f42 100644 +--- a/drivers/gpio/gpio-pca953x.c ++++ b/drivers/gpio/gpio-pca953x.c +@@ -940,14 +940,35 @@ static bool pca953x_irq_pending(struct pca953x_chip *chip, unsigned long *pendin + DECLARE_BITMAP(old_stat, MAX_LINE); + DECLARE_BITMAP(cur_stat, MAX_LINE); + DECLARE_BITMAP(new_stat, MAX_LINE); ++ DECLARE_BITMAP(int_stat, MAX_LINE); + DECLARE_BITMAP(trigger, MAX_LINE); + DECLARE_BITMAP(edges, MAX_LINE); + int ret; + ++ if (chip->driver_data & PCA_PCAL) { ++ /* Read INT_STAT before it is cleared by the input-port read. */ ++ ret = pca953x_read_regs(chip, PCAL953X_INT_STAT, int_stat); ++ if (ret) ++ return false; ++ } ++ + ret = pca953x_read_regs(chip, chip->regs->input, cur_stat); + if (ret) + return false; + ++ if (chip->driver_data & PCA_PCAL) { ++ /* Detect short pulses via INT_STAT. */ ++ bitmap_and(trigger, int_stat, chip->irq_mask, gc->ngpio); ++ ++ /* Apply filter for rising/falling edge selection. 
*/ ++ bitmap_replace(new_stat, chip->irq_trig_fall, chip->irq_trig_raise, ++ cur_stat, gc->ngpio); ++ ++ bitmap_and(int_stat, new_stat, trigger, gc->ngpio); ++ } else { ++ bitmap_zero(int_stat, gc->ngpio); ++ } ++ + /* Remove output pins from the equation */ + pca953x_read_regs(chip, chip->regs->direction, reg_direction); + +@@ -961,7 +982,8 @@ static bool pca953x_irq_pending(struct pca953x_chip *chip, unsigned long *pendin + + if (bitmap_empty(chip->irq_trig_level_high, gc->ngpio) && + bitmap_empty(chip->irq_trig_level_low, gc->ngpio)) { +- if (bitmap_empty(trigger, gc->ngpio)) ++ if (bitmap_empty(trigger, gc->ngpio) && ++ bitmap_empty(int_stat, gc->ngpio)) + return false; + } + +@@ -969,6 +991,7 @@ static bool pca953x_irq_pending(struct pca953x_chip *chip, unsigned long *pendin + bitmap_and(old_stat, chip->irq_trig_raise, new_stat, gc->ngpio); + bitmap_or(edges, old_stat, cur_stat, gc->ngpio); + bitmap_and(pending, edges, trigger, gc->ngpio); ++ bitmap_or(pending, pending, int_stat, gc->ngpio); + + bitmap_and(cur_stat, new_stat, chip->irq_trig_level_high, gc->ngpio); + bitmap_and(cur_stat, cur_stat, chip->irq_mask, gc->ngpio); +-- +2.51.0 + diff --git a/queue-6.18/gpiolib-fix-race-condition-for-gdev-srcu.patch b/queue-6.18/gpiolib-fix-race-condition-for-gdev-srcu.patch new file mode 100644 index 0000000000..9b2bc017d7 --- /dev/null +++ b/queue-6.18/gpiolib-fix-race-condition-for-gdev-srcu.patch 
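Review bot: The INT_STAT-derived bits are merged by `bitmap_or(pending, pending, int_stat, gc->ngpio);` without passing through the "Remove output pins from the equation" step, which comes after the new PCAL block and, as far as these hunks show, is applied only to the level-change path. If the status register can ever flag a line that is currently an output, that line would now be reported; assuming a set bit in `reg_direction` means input, adding `bitmap_and(int_stat, int_stat, reg_direction, gc->ngpio);` after the direction read would keep both paths consistent. The PCAL block also borrows `trigger` and `new_stat` as scratch space before what appears to be their real computation between the hunks, which deserves a comment such as `/* trigger and new_stat are temporaries here; both are recomputed below. */`. The return value of the `reg_direction` read is still ignored, and pca953x_irq_pending() starts and ends outside the hunks.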
@@ -0,0 +1,157 @@ +From 0e5eb275845a25d4aeb551472adabb0e4647e708 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Dec 2025 09:26:40 +0100 +Subject: gpiolib: fix race condition for gdev->srcu +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Paweł Narewski + +[ Upstream commit a7ac22d53d0990152b108c3f4fe30df45fcb0181 ] + +If two drivers were calling gpiochip_add_data_with_key(), one may be +traversing the srcu-protected list in gpio_name_to_desc(), meanwhile +other has just added its gdev in gpiodev_add_to_list_unlocked(). +This creates a non-mutexed and non-protected timeframe, when one +instance is dereferencing and using &gdev->srcu, before the other +has initialized it, resulting in crash: + +[ 4.935481] Unable to handle kernel paging request at virtual address ffff800272bcc000 +[ 4.943396] Mem abort info: +[ 4.943400] ESR = 0x0000000096000005 +[ 4.943403] EC = 0x25: DABT (current EL), IL = 32 bits +[ 4.943407] SET = 0, FnV = 0 +[ 4.943410] EA = 0, S1PTW = 0 +[ 4.943413] FSC = 0x05: level 1 translation fault +[ 4.943416] Data abort info: +[ 4.943418] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 +[ 4.946220] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 +[ 4.955261] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 +[ 4.955268] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000038e6c000 +[ 4.961449] [ffff800272bcc000] pgd=0000000000000000 +[ 4.969203] , p4d=1000000039739003 +[ 4.979730] , pud=0000000000000000 +[ 4.980210] phandle (CPU): 0x0000005e, phandle (BE): 0x5e000000 for node "reset" +[ 4.991736] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP +... 
+[ 5.121359] pc : __srcu_read_lock+0x44/0x98 +[ 5.131091] lr : gpio_name_to_desc+0x60/0x1a0 +[ 5.153671] sp : ffff8000833bb430 +[ 5.298440] +[ 5.298443] Call trace: +[ 5.298445] __srcu_read_lock+0x44/0x98 +[ 5.309484] gpio_name_to_desc+0x60/0x1a0 +[ 5.320692] gpiochip_add_data_with_key+0x488/0xf00 + 5.946419] ---[ end trace 0000000000000000 ]--- + +Move initialization code for gdev fields before it is added to +gpio_devices, with adjacent initialization code. +Adjust goto statements to reflect modified order of operations + +Fixes: 47d8b4c1d868 ("gpio: add SRCU infrastructure to struct gpio_device") +Reviewed-by: Jakub Lewalski +Signed-off-by: Paweł Narewski +[Bartosz: fixed a build issue, removed stray newline] +Link: https://lore.kernel.org/r/20251224082641.10769-1-bartosz.golaszewski@oss.qualcomm.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib.c | 40 ++++++++++++++++++++-------------------- + 1 file changed, 20 insertions(+), 20 deletions(-) + +diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c +index 9a4395a29f68e..9aa6ddf6389cc 100644 +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -1091,6 +1091,18 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data, + gdev->ngpio = gc->ngpio; + gdev->can_sleep = gc->can_sleep; + ++ rwlock_init(&gdev->line_state_lock); ++ RAW_INIT_NOTIFIER_HEAD(&gdev->line_state_notifier); ++ BLOCKING_INIT_NOTIFIER_HEAD(&gdev->device_notifier); ++ ++ ret = init_srcu_struct(&gdev->srcu); ++ if (ret) ++ goto err_free_label; ++ ++ ret = init_srcu_struct(&gdev->desc_srcu); ++ if (ret) ++ goto err_cleanup_gdev_srcu; ++ + scoped_guard(mutex, &gpio_devices_lock) { + /* + * TODO: this allocates a Linux GPIO number base in the global +@@ -1105,7 +1117,7 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data, + if (base < 0) { + ret = base; + base = 0; +- goto err_free_label; ++ goto err_cleanup_desc_srcu; + } + + /* +@@ -1125,22 +1137,10 @@ int 
gpiochip_add_data_with_key(struct gpio_chip *gc, void *data, + ret = gpiodev_add_to_list_unlocked(gdev); + if (ret) { + gpiochip_err(gc, "GPIO integer space overlap, cannot add chip\n"); +- goto err_free_label; ++ goto err_cleanup_desc_srcu; + } + } + +- rwlock_init(&gdev->line_state_lock); +- RAW_INIT_NOTIFIER_HEAD(&gdev->line_state_notifier); +- BLOCKING_INIT_NOTIFIER_HEAD(&gdev->device_notifier); +- +- ret = init_srcu_struct(&gdev->srcu); +- if (ret) +- goto err_remove_from_list; +- +- ret = init_srcu_struct(&gdev->desc_srcu); +- if (ret) +- goto err_cleanup_gdev_srcu; +- + #ifdef CONFIG_PINCTRL + INIT_LIST_HEAD(&gdev->pin_ranges); + #endif +@@ -1150,11 +1150,11 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data, + + ret = gpiochip_set_names(gc); + if (ret) +- goto err_cleanup_desc_srcu; ++ goto err_remove_from_list; + + ret = gpiochip_init_valid_mask(gc); + if (ret) +- goto err_cleanup_desc_srcu; ++ goto err_remove_from_list; + + for (desc_index = 0; desc_index < gc->ngpio; desc_index++) { + struct gpio_desc *desc = &gdev->descs[desc_index]; +@@ -1227,10 +1227,6 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data, + of_gpiochip_remove(gc); + err_free_valid_mask: + gpiochip_free_valid_mask(gc); +-err_cleanup_desc_srcu: +- cleanup_srcu_struct(&gdev->desc_srcu); +-err_cleanup_gdev_srcu: +- cleanup_srcu_struct(&gdev->srcu); + err_remove_from_list: + scoped_guard(mutex, &gpio_devices_lock) + list_del_rcu(&gdev->list); +@@ -1240,6 +1236,10 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data, + gpio_device_put(gdev); + goto err_print_message; + } ++err_cleanup_desc_srcu: ++ cleanup_srcu_struct(&gdev->desc_srcu); ++err_cleanup_gdev_srcu: ++ cleanup_srcu_struct(&gdev->srcu); + err_free_label: + kfree_const(gdev->label); + err_free_descs: +-- +2.51.0 + 
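Review bot: `INIT_LIST_HEAD(&gdev->pin_ranges);` under CONFIG_PINCTRL still runs after `gpiodev_add_to_list_unlocked(gdev)`, so one piece of gdev initialisation remains after the device is visible on gpio_devices, which is the same publish-before-init ordering this patch removes for `gdev->srcu`. Whether any list walker can reach `pin_ranges` that early is not visible in these hunks, but moving the `#ifdef CONFIG_PINCTRL` / `INIT_LIST_HEAD(&gdev->pin_ranges);` / `#endif` lines up next to `rwlock_init(&gdev->line_state_lock);` would make the rule uniform. A comment above the scoped_guard block, e.g. `/* gdev must be fully initialised before it is added to gpio_devices. */`, would help keep later additions on the right side of the publication point. gpiochip_add_data_with_key() starts and ends outside the hunks.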
diff --git a/queue-6.18/gpiolib-remove-unnecessary-out-of-memory-messages.patch b/queue-6.18/gpiolib-remove-unnecessary-out-of-memory-messages.patch new file mode 100644 index 0000000000..507142d252 --- /dev/null +++ b/queue-6.18/gpiolib-remove-unnecessary-out-of-memory-messages.patch @@ -0,0 +1,51 @@ +From 6c5513b839ce40c82acac4c063e916ffe9dd810f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Sep 2025 11:54:02 +0200 +Subject: gpiolib: remove unnecessary 'out of memory' messages + +From: Bartosz Golaszewski + +[ Upstream commit 0ba6f1ed3808b1f095fbdb490006f0ecd00f52bd ] + +We don't need to add additional logs when returning -ENOMEM so remove +unnecessary error messages. + +Reviewed-by: Linus Walleij +Signed-off-by: Bartosz Golaszewski +Stable-dep-of: a7ac22d53d09 ("gpiolib: fix race condition for gdev->srcu") +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c +index cd8800ba5825f..f2ed234b4135e 100644 +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -2316,10 +2316,8 @@ int gpiochip_add_pingroup_range(struct gpio_chip *gc, + int ret; + + pin_range = kzalloc(sizeof(*pin_range), GFP_KERNEL); +- if (!pin_range) { +- chip_err(gc, "failed to allocate pin ranges\n"); ++ if (!pin_range) + return -ENOMEM; +- } + + /* Use local offset as range ID */ + pin_range->range.id = gpio_offset; +@@ -2379,10 +2377,8 @@ int gpiochip_add_pin_range_with_pins(struct gpio_chip *gc, + int ret; + + pin_range = kzalloc(sizeof(*pin_range), GFP_KERNEL); +- if (!pin_range) { +- chip_err(gc, "failed to allocate pin ranges\n"); ++ if (!pin_range) + return -ENOMEM; +- } + + /* Use local offset as range ID */ + pin_range->range.id = gpio_offset; +-- +2.51.0 + diff --git a/queue-6.18/gpiolib-rename-gpio-chip-printk-macros.patch b/queue-6.18/gpiolib-rename-gpio-chip-printk-macros.patch new file mode 100644 index 0000000000..2a94f621ac 
--- /dev/null +++ b/queue-6.18/gpiolib-rename-gpio-chip-printk-macros.patch 
@@ -0,0 +1,306 @@ +From c0fbf279d84e0aba28ef8690d8e216ff0951a655 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Sep 2025 11:54:03 +0200 +Subject: gpiolib: rename GPIO chip printk macros + +From: Bartosz Golaszewski + +[ Upstream commit d4f335b410ddbe3e99f48f8b5ea78a25041274f1 ] + +The chip_$level() macros take struct gpio_chip as argument so make it +follow the convention of using the 'gpiochip_' prefix. + +Reviewed-by: Linus Walleij +Signed-off-by: Bartosz Golaszewski +Stable-dep-of: a7ac22d53d09 ("gpiolib: fix race condition for gdev->srcu") +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib-cdev.c | 2 +- + drivers/gpio/gpiolib-sysfs.c | 2 +- + drivers/gpio/gpiolib.c | 80 ++++++++++++++++++------------------ + drivers/gpio/gpiolib.h | 8 ++-- + 4 files changed, 45 insertions(+), 47 deletions(-) + +diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c +index d8d93059ac04c..d925e75d1dce1 100644 +--- a/drivers/gpio/gpiolib-cdev.c ++++ b/drivers/gpio/gpiolib-cdev.c +@@ -2828,7 +2828,7 @@ int gpiolib_cdev_register(struct gpio_device *gdev, dev_t devt) + if (!gc) + return -ENODEV; + +- chip_dbg(gc, "added GPIO chardev (%d:%d)\n", MAJOR(devt), gdev->id); ++ gpiochip_dbg(gc, "added GPIO chardev (%d:%d)\n", MAJOR(devt), gdev->id); + + return 0; + } +diff --git a/drivers/gpio/gpiolib-sysfs.c b/drivers/gpio/gpiolib-sysfs.c +index 9a849245b3588..7d5fc1ea2aa54 100644 +--- a/drivers/gpio/gpiolib-sysfs.c ++++ b/drivers/gpio/gpiolib-sysfs.c +@@ -1091,7 +1091,7 @@ static int gpiofind_sysfs_register(struct gpio_chip *gc, const void *data) + + ret = gpiochip_sysfs_register(gdev); + if (ret) +- chip_err(gc, "failed to register the sysfs entry: %d\n", ret); ++ gpiochip_err(gc, "failed to register the sysfs entry: %d\n", ret); + + return 0; + } +diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c +index f2ed234b4135e..9a4395a29f68e 100644 +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -921,8 +921,8 @@ static void 
gpiochip_machine_hog(struct gpio_chip *gc, struct gpiod_hog *hog) + + desc = gpiochip_get_desc(gc, hog->chip_hwnum); + if (IS_ERR(desc)) { +- chip_err(gc, "%s: unable to get GPIO desc: %ld\n", __func__, +- PTR_ERR(desc)); ++ gpiochip_err(gc, "%s: unable to get GPIO desc: %ld\n", ++ __func__, PTR_ERR(desc)); + return; + } + +@@ -1124,7 +1124,7 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data, + + ret = gpiodev_add_to_list_unlocked(gdev); + if (ret) { +- chip_err(gc, "GPIO integer space overlap, cannot add chip\n"); ++ gpiochip_err(gc, "GPIO integer space overlap, cannot add chip\n"); + goto err_free_label; + } + } +@@ -1528,8 +1528,7 @@ static void gpiochip_set_hierarchical_irqchip(struct gpio_chip *gc, + &parent_hwirq, + &parent_type); + if (ret) { +- chip_err(gc, "skip set-up on hwirq %d\n", +- i); ++ gpiochip_err(gc, "skip set-up on hwirq %d\n", i); + continue; + } + +@@ -1542,15 +1541,14 @@ static void gpiochip_set_hierarchical_irqchip(struct gpio_chip *gc, + ret = irq_domain_alloc_irqs(gc->irq.domain, 1, + NUMA_NO_NODE, &fwspec); + if (ret < 0) { +- chip_err(gc, +- "can not allocate irq for GPIO line %d parent hwirq %d in hierarchy domain: %d\n", +- i, parent_hwirq, +- ret); ++ gpiochip_err(gc, ++ "can not allocate irq for GPIO line %d parent hwirq %d in hierarchy domain: %d\n", ++ i, parent_hwirq, ret); + } + } + } + +- chip_err(gc, "%s unknown fwnode type proceed anyway\n", __func__); ++ gpiochip_err(gc, "%s unknown fwnode type proceed anyway\n", __func__); + + return; + } +@@ -1602,15 +1600,15 @@ static int gpiochip_hierarchy_irq_domain_alloc(struct irq_domain *d, + if (ret) + return ret; + +- chip_dbg(gc, "allocate IRQ %d, hwirq %lu\n", irq, hwirq); ++ gpiochip_dbg(gc, "allocate IRQ %d, hwirq %lu\n", irq, hwirq); + + ret = girq->child_to_parent_hwirq(gc, hwirq, type, + &parent_hwirq, &parent_type); + if (ret) { +- chip_err(gc, "can't look up hwirq %lu\n", hwirq); ++ gpiochip_err(gc, "can't look up hwirq %lu\n", hwirq); + return ret; + } +- 
chip_dbg(gc, "found parent hwirq %u\n", parent_hwirq); ++ gpiochip_dbg(gc, "found parent hwirq %u\n", parent_hwirq); + + /* + * We set handle_bad_irq because the .set_type() should +@@ -1631,8 +1629,8 @@ static int gpiochip_hierarchy_irq_domain_alloc(struct irq_domain *d, + if (ret) + return ret; + +- chip_dbg(gc, "alloc_irqs_parent for %d parent hwirq %d\n", +- irq, parent_hwirq); ++ gpiochip_dbg(gc, "alloc_irqs_parent for %d parent hwirq %d\n", ++ irq, parent_hwirq); + irq_set_lockdep_class(irq, gc->irq.lock_key, gc->irq.request_key); + ret = irq_domain_alloc_irqs_parent(d, irq, 1, &gpio_parent_fwspec); + /* +@@ -1642,9 +1640,9 @@ static int gpiochip_hierarchy_irq_domain_alloc(struct irq_domain *d, + if (irq_domain_is_msi(d->parent) && (ret == -EEXIST)) + ret = 0; + if (ret) +- chip_err(gc, +- "failed to allocate parent hwirq %d for hwirq %lu\n", +- parent_hwirq, hwirq); ++ gpiochip_err(gc, ++ "failed to allocate parent hwirq %d for hwirq %lu\n", ++ parent_hwirq, hwirq); + + return ret; + } +@@ -1720,7 +1718,7 @@ static struct irq_domain *gpiochip_hierarchy_create_domain(struct gpio_chip *gc) + + if (!gc->irq.child_to_parent_hwirq || + !gc->irq.fwnode) { +- chip_err(gc, "missing irqdomain vital data\n"); ++ gpiochip_err(gc, "missing irqdomain vital data\n"); + return ERR_PTR(-EINVAL); + } + +@@ -1993,7 +1991,7 @@ static void gpiochip_set_irq_hooks(struct gpio_chip *gc) + if (irqchip->flags & IRQCHIP_IMMUTABLE) + return; + +- chip_warn(gc, "not an immutable chip, please consider fixing it!\n"); ++ gpiochip_warn(gc, "not an immutable chip, please consider fixing it!\n"); + + if (!irqchip->irq_request_resources && + !irqchip->irq_release_resources) { +@@ -2009,8 +2007,8 @@ static void gpiochip_set_irq_hooks(struct gpio_chip *gc) + * ...and if so, give a gentle warning that this is bad + * practice. 
+ */ +- chip_info(gc, +- "detected irqchip that is shared with multiple gpiochips: please fix the driver.\n"); ++ gpiochip_info(gc, ++ "detected irqchip that is shared with multiple gpiochips: please fix the driver.\n"); + return; + } + +@@ -2039,7 +2037,8 @@ static int gpiochip_irqchip_add_allocated_domain(struct gpio_chip *gc, + return -EINVAL; + + if (gc->to_irq) +- chip_warn(gc, "to_irq is redefined in %s and you shouldn't rely on it\n", __func__); ++ gpiochip_warn(gc, "to_irq is redefined in %s and you shouldn't rely on it\n", ++ __func__); + + gc->to_irq = gpiochip_to_irq; + gc->irq.domain = domain; +@@ -2080,7 +2079,7 @@ static int gpiochip_add_irqchip(struct gpio_chip *gc, + return 0; + + if (gc->irq.parent_handler && gc->can_sleep) { +- chip_err(gc, "you cannot have chained interrupts on a chip that may sleep\n"); ++ gpiochip_err(gc, "you cannot have chained interrupts on a chip that may sleep\n"); + return -EINVAL; + } + +@@ -2336,7 +2335,7 @@ int gpiochip_add_pingroup_range(struct gpio_chip *gc, + + pinctrl_add_gpio_range(pctldev, &pin_range->range); + +- chip_dbg(gc, "created GPIO range %d->%d ==> %s PINGRP %s\n", ++ gpiochip_dbg(gc, "created GPIO range %d->%d ==> %s PINGRP %s\n", + gpio_offset, gpio_offset + pin_range->range.npins - 1, + pinctrl_dev_get_devname(pctldev), pin_group); + +@@ -2392,19 +2391,18 @@ int gpiochip_add_pin_range_with_pins(struct gpio_chip *gc, + &pin_range->range); + if (IS_ERR(pin_range->pctldev)) { + ret = PTR_ERR(pin_range->pctldev); +- chip_err(gc, "could not create pin range\n"); ++ gpiochip_err(gc, "could not create pin range\n"); + kfree(pin_range); + return ret; + } + if (pin_range->range.pins) +- chip_dbg(gc, "created GPIO range %d->%d ==> %s %d sparse PIN range { %d, ... }", +- gpio_offset, gpio_offset + npins - 1, +- pinctl_name, npins, pins[0]); ++ gpiochip_dbg(gc, "created GPIO range %d->%d ==> %s %d sparse PIN range { %d, ... 
}", ++ gpio_offset, gpio_offset + npins - 1, ++ pinctl_name, npins, pins[0]); + else +- chip_dbg(gc, "created GPIO range %d->%d ==> %s PIN %d->%d\n", +- gpio_offset, gpio_offset + npins - 1, +- pinctl_name, +- pin_offset, pin_offset + npins - 1); ++ gpiochip_dbg(gc, "created GPIO range %d->%d ==> %s PIN %d->%d\n", ++ gpio_offset, gpio_offset + npins - 1, pinctl_name, ++ pin_offset, pin_offset + npins - 1); + + list_add_tail(&pin_range->node, &gdev->pin_ranges); + +@@ -2614,7 +2612,7 @@ struct gpio_desc *gpiochip_request_own_desc(struct gpio_chip *gc, + int ret; + + if (IS_ERR(desc)) { +- chip_err(gc, "failed to get GPIO %s descriptor\n", name); ++ gpiochip_err(gc, "failed to get GPIO %s descriptor\n", name); + return desc; + } + +@@ -2625,7 +2623,7 @@ struct gpio_desc *gpiochip_request_own_desc(struct gpio_chip *gc, + ret = gpiod_configure_flags(desc, label, lflags, dflags); + if (ret) { + gpiod_free_commit(desc); +- chip_err(gc, "setup of own GPIO %s failed\n", name); ++ gpiochip_err(gc, "setup of own GPIO %s failed\n", name); + return ERR_PTR(ret); + } + +@@ -4052,8 +4050,8 @@ int gpiochip_lock_as_irq(struct gpio_chip *gc, unsigned int offset) + int dir = gpiod_get_direction(desc); + + if (dir < 0) { +- chip_err(gc, "%s: cannot get GPIO direction\n", +- __func__); ++ gpiochip_err(gc, "%s: cannot get GPIO direction\n", ++ __func__); + return dir; + } + } +@@ -4061,9 +4059,9 @@ int gpiochip_lock_as_irq(struct gpio_chip *gc, unsigned int offset) + /* To be valid for IRQ the line needs to be input or open drain */ + if (test_bit(GPIOD_FLAG_IS_OUT, &desc->flags) && + !test_bit(GPIOD_FLAG_OPEN_DRAIN, &desc->flags)) { +- chip_err(gc, +- "%s: tried to flag a GPIO set as output for IRQ\n", +- __func__); ++ gpiochip_err(gc, ++ "%s: tried to flag a GPIO set as output for IRQ\n", ++ __func__); + return -EIO; + } + +@@ -4140,7 +4138,7 @@ int gpiochip_reqres_irq(struct gpio_chip *gc, unsigned int offset) + + ret = gpiochip_lock_as_irq(gc, offset); + if (ret) { +- chip_err(gc, 
"unable to lock HW IRQ %u for IRQ\n", offset); ++ gpiochip_err(gc, "unable to lock HW IRQ %u for IRQ\n", offset); + module_put(gc->gpiodev->owner); + return ret; + } +diff --git a/drivers/gpio/gpiolib.h b/drivers/gpio/gpiolib.h +index 2a003a7311e7a..6ee29d0222393 100644 +--- a/drivers/gpio/gpiolib.h ++++ b/drivers/gpio/gpiolib.h +@@ -309,13 +309,13 @@ do { \ + + /* With chip prefix */ + +-#define chip_err(gc, fmt, ...) \ ++#define gpiochip_err(gc, fmt, ...) \ + dev_err(&gc->gpiodev->dev, "(%s): " fmt, gc->label, ##__VA_ARGS__) +-#define chip_warn(gc, fmt, ...) \ ++#define gpiochip_warn(gc, fmt, ...) \ + dev_warn(&gc->gpiodev->dev, "(%s): " fmt, gc->label, ##__VA_ARGS__) +-#define chip_info(gc, fmt, ...) \ ++#define gpiochip_info(gc, fmt, ...) \ + dev_info(&gc->gpiodev->dev, "(%s): " fmt, gc->label, ##__VA_ARGS__) +-#define chip_dbg(gc, fmt, ...) \ ++#define gpiochip_dbg(gc, fmt, ...) \ + dev_dbg(&gc->gpiodev->dev, "(%s): " fmt, gc->label, ##__VA_ARGS__) + + #endif /* GPIOLIB_H */ +-- +2.51.0 + diff --git a/queue-6.18/gpu-nova-core-select-rust_fw_loader_abstractions.patch b/queue-6.18/gpu-nova-core-select-rust_fw_loader_abstractions.patch new file mode 100644 index 0000000000..99a0ac5545 --- /dev/null +++ b/queue-6.18/gpu-nova-core-select-rust_fw_loader_abstractions.patch 
@@ -0,0 +1,45 @@
+From b5898cabed4089d0f4da413d8285b8e476b26ceb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 5 Nov 2025 09:40:09 +0900
+Subject: gpu: nova-core: select RUST_FW_LOADER_ABSTRACTIONS
+
+From: Alexandre Courbot
+
+[ Upstream commit 3d3352e73a55a4ccf110f8b3419bbe2fbfd8a030 ]
+
+RUST_FW_LOADER_ABSTRACTIONS was depended on by NOVA_CORE, but NOVA_CORE
+is selected by DRM_NOVA. This creates a situation where, if DRM_NOVA is
+selected, NOVA_CORE gets enabled but not RUST_FW_LOADER_ABSTRACTIONS,
+which results in a build error.
+
+Since the firmware loader is an implementation detail of the driver, it
+should be enabled along with it, so change the "depends on" to a
+"select".
+
+Fixes: 54e6baf123fd ("gpu: nova-core: add initial driver stub")
+Closes: https://lore.kernel.org/oe-kbuild-all/202512061721.rxKGnt5q-lkp@intel.com/
+Tested-by: Alyssa Ross
+Acked-by: Danilo Krummrich
+Link: https://patch.msgid.link/20251106-b4-select-rust-fw-v3-2-771172257755@nvidia.com
+Signed-off-by: Alexandre Courbot
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/nova-core/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/nova-core/Kconfig b/drivers/gpu/nova-core/Kconfig
+index 20d3e6d0d796e..527920f9c4d39 100644
+--- a/drivers/gpu/nova-core/Kconfig
++++ b/drivers/gpu/nova-core/Kconfig
+@@ -3,7 +3,7 @@ config NOVA_CORE
+ depends on 64BIT
+ depends on PCI
+ depends on RUST
+- depends on RUST_FW_LOADER_ABSTRACTIONS
++ select RUST_FW_LOADER_ABSTRACTIONS
+ select AUXILIARY_BUS
+ default n
+ help
+--
+2.51.0
+
diff --git a/queue-6.18/hid-intel-thc-hid-intel-thc-fix-dma_unmap_sg-nents-v.patch b/queue-6.18/hid-intel-thc-hid-intel-thc-fix-dma_unmap_sg-nents-v.patch
new file mode 100644
index 0000000000..09793f7af1
--- /dev/null
+++ b/queue-6.18/hid-intel-thc-hid-intel-thc-fix-dma_unmap_sg-nents-v.patch
@@ -0,0 +1,77 @@ +From 85b30574cf3989138a4e736b82825df28c6dffe2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Dec 2025 17:56:35 +0100 +Subject: HID: Intel-thc-hid: Intel-thc: fix dma_unmap_sg() nents value + +From: Thomas Fourier + +[ Upstream commit 0e13150c1a13a3a3d6184c24bfd080d5999945d1 ] + +The `dma_unmap_sg()` functions should be called with the same nents as the +`dma_map_sg()`, not the value the map function returned. + +Save the number of entries in struct thc_dma_configuration. + +Fixes: a688404b2e20 ("HID: intel-thc-hid: intel-thc: Add THC DMA interfaces") +Signed-off-by: Thomas Fourier +Reviewed-by: Even Xu +Reviewed-by: Andy Shevchenko +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/intel-thc-hid/intel-thc/intel-thc-dma.c | 4 +++- + drivers/hid/intel-thc-hid/intel-thc/intel-thc-dma.h | 2 ++ + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/hid/intel-thc-hid/intel-thc/intel-thc-dma.c b/drivers/hid/intel-thc-hid/intel-thc/intel-thc-dma.c +index 82b8854843e05..a0c368aa7979c 100644 +--- a/drivers/hid/intel-thc-hid/intel-thc/intel-thc-dma.c ++++ b/drivers/hid/intel-thc-hid/intel-thc/intel-thc-dma.c +@@ -232,6 +232,7 @@ static int setup_dma_buffers(struct thc_device *dev, + return 0; + + memset(config->sgls, 0, sizeof(config->sgls)); ++ memset(config->sgls_nent_pages, 0, sizeof(config->sgls_nent_pages)); + memset(config->sgls_nent, 0, sizeof(config->sgls_nent)); + + cpu_addr = dma_alloc_coherent(dev->dev, prd_tbls_size, +@@ -254,6 +255,7 @@ static int setup_dma_buffers(struct thc_device *dev, + } + count = dma_map_sg(dev->dev, config->sgls[i], nent, dir); + ++ config->sgls_nent_pages[i] = nent; + config->sgls_nent[i] = count; + } + +@@ -299,7 +301,7 @@ static void release_dma_buffers(struct thc_device *dev, + continue; + + dma_unmap_sg(dev->dev, config->sgls[i], +- config->sgls_nent[i], ++ config->sgls_nent_pages[i], + config->dir); + + sgl_free(config->sgls[i]); +diff --git 
a/drivers/hid/intel-thc-hid/intel-thc/intel-thc-dma.h b/drivers/hid/intel-thc-hid/intel-thc/intel-thc-dma.h +index 78917400492ca..541d33995baf3 100644 +--- a/drivers/hid/intel-thc-hid/intel-thc/intel-thc-dma.h ++++ b/drivers/hid/intel-thc-hid/intel-thc/intel-thc-dma.h +@@ -91,6 +91,7 @@ struct thc_prd_table { + * @dir: Direction of DMA for this config + * @prd_tbls: PRD tables for current DMA + * @sgls: Array of pointers to scatter-gather lists ++ * @sgls_nent_pages: Number of pages per scatter-gather list + * @sgls_nent: Actual number of entries per scatter-gather list + * @prd_tbl_num: Actual number of PRD tables + * @max_packet_size: Size of the buffer needed for 1 DMA message (1 PRD table) +@@ -107,6 +108,7 @@ struct thc_dma_configuration { + + struct thc_prd_table *prd_tbls; + struct scatterlist *sgls[PRD_TABLES_NUM]; ++ u8 sgls_nent_pages[PRD_TABLES_NUM]; + u8 sgls_nent[PRD_TABLES_NUM]; + u8 prd_tbl_num; + +-- +2.51.0 + diff --git a/queue-6.18/hid-intel-thc-hid-intel-thc-fix-wrong-register-readi.patch b/queue-6.18/hid-intel-thc-hid-intel-thc-fix-wrong-register-readi.patch new file mode 100644 index 0000000000..954e358290 --- /dev/null +++ b/queue-6.18/hid-intel-thc-hid-intel-thc-fix-wrong-register-readi.patch 
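Review bot: In setup_dma_buffers the result of `dma_map_sg()` goes into `config->sgls_nent[i]` with no visible check for 0, which is how that call reports a failed mapping, and the new `config->sgls_nent_pages[i] = nent;` is recorded unconditionally beside it. Unless a check sits outside the hunk, release_dma_buffers could later pass a non-zero `sgls_nent_pages[i]` to `dma_unmap_sg()` for a list that was never mapped; testing `if (!count)` and leaving through the function's existing error path before storing either value avoids that. The new field is also `u8`, so if `nent` can exceed 255 (its type is not visible here) the saved count would be truncated and the unmap would again disagree with the map. Both functions continue outside the hunks.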
@@ -0,0 +1,46 @@
+From cc5c6a20719cc2942731d3b6706578207142a788 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 19 Dec 2025 09:14:38 +0800
+Subject: HID: Intel-thc-hid: Intel-thc: Fix wrong register reading
+
+From: Even Xu
+
+[ Upstream commit f39006965dd37e7be823dba6ca484adccc7a4dff ]
+
+Correct the read register for the setting of max input size and
+interrupt delay.
+
+Fixes: 22da60f0304b ("HID: Intel-thc-hid: Intel-thc: Introduce interrupt delay control")
+Fixes: 45e92a093099 ("HID: Intel-thc-hid: Intel-thc: Introduce max input size control")
+Signed-off-by: Even Xu
+Signed-off-by: Benjamin Tissoires
+Signed-off-by: Sasha Levin
+---
+ drivers/hid/intel-thc-hid/intel-thc/intel-thc-dev.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hid/intel-thc-hid/intel-thc/intel-thc-dev.c b/drivers/hid/intel-thc-hid/intel-thc/intel-thc-dev.c
+index 636a683065015..7e220a4c5ded7 100644
+--- a/drivers/hid/intel-thc-hid/intel-thc/intel-thc-dev.c
++++ b/drivers/hid/intel-thc-hid/intel-thc/intel-thc-dev.c
+@@ -1593,7 +1593,7 @@ int thc_i2c_set_rx_max_size(struct thc_device *dev, u32 max_rx_size)
+ if (!max_rx_size)
+ return -EOPNOTSUPP;
+
+- ret = regmap_read(dev->thc_regmap, THC_M_PRT_SW_SEQ_STS_OFFSET, &val);
++ ret = regmap_read(dev->thc_regmap, THC_M_PRT_SPI_ICRRD_OPCODE_OFFSET, &val);
+ if (ret)
+ return ret;
+
+@@ -1662,7 +1662,7 @@ int thc_i2c_set_rx_int_delay(struct thc_device *dev, u32 delay_us)
+ if (!delay_us)
+ return -EOPNOTSUPP;
+
+- ret = regmap_read(dev->thc_regmap, THC_M_PRT_SW_SEQ_STS_OFFSET, &val);
++ ret = regmap_read(dev->thc_regmap, THC_M_PRT_SPI_ICRRD_OPCODE_OFFSET, &val);
+ if (ret)
+ return ret;
+
+--
+2.51.0
+
diff --git a/queue-6.18/hid-quirks-work-around-vid-pid-conflict-for-appledis.patch b/queue-6.18/hid-quirks-work-around-vid-pid-conflict-for-appledis.patch
new file mode 100644
index 0000000000..cbef2187a9
--- /dev/null
+++ b/queue-6.18/hid-quirks-work-around-vid-pid-conflict-for-appledis.patch
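Review bot: `thc_i2c_set_rx_max_size()` and `thc_i2c_set_rx_int_delay()` now read `THC_M_PRT_SPI_ICRRD_OPCODE_OFFSET`, a register whose name points at SPI, from I2C-only helpers, and nothing in either hunk explains the pairing. The wrong-register bug being fixed is exactly the kind a reader cannot spot without that context, so a short comment above each `regmap_read()` would help, for example `/* I2C mode reuses this register for the Rx max-size / interrupt-delay fields */`, assuming that is the hardware behaviour. The write-back half of each read-modify-write is outside the hunks, so it is worth confirming that it targets the same offset.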
@@ -0,0 +1,47 @@
+From 5207c3fbf4ca0ad7935f9687e20e3379045a8918 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 28 Nov 2025 13:46:41 +0100
+Subject: HID: quirks: work around VID/PID conflict for appledisplay
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: René Rebe
+
+[ Upstream commit c7fabe4ad9219866c203164a214c474c95b36bf2 ]
+
+For years I wondered why the Apple Cinema Display driver would not
+just work for me. Turns out the hidraw driver instantly takes it
+over. Fix by adding appledisplay VID/PIDs to hid_have_special_driver.
+
+Fixes: 069e8a65cd79 ("Driver for Apple Cinema Display")
+Signed-off-by: René Rebe
+Signed-off-by: Jiri Kosina
+Signed-off-by: Sasha Levin
+---
+ drivers/hid/hid-quirks.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c
+index c89a015686c07..6a8a7ca3d8047 100644
+--- a/drivers/hid/hid-quirks.c
++++ b/drivers/hid/hid-quirks.c
+@@ -232,6 +232,15 @@ static const struct hid_device_id hid_quirks[] = {
+ * used as a driver. See hid_scan_report().
+ */
+ static const struct hid_device_id hid_have_special_driver[] = {
++#if IS_ENABLED(CONFIG_APPLEDISPLAY)
++ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x9218) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x9219) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x921c) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x921d) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x9222) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x9226) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x9236) },
++#endif
+ #if IS_ENABLED(CONFIG_HID_A4TECH)
+ { HID_USB_DEVICE(USB_VENDOR_ID_A4TECH, USB_DEVICE_ID_A4TECH_WCP32PU) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_A4TECH, USB_DEVICE_ID_A4TECH_X5_005D) },
+--
+2.51.0
+
diff --git a/queue-6.18/idpf-cap-maximum-rx-buffer-size.patch b/queue-6.18/idpf-cap-maximum-rx-buffer-size.patch
new file mode 100644
index 0000000000..59bdcd3371
--- /dev/null
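Review bot: The seven new `hid_have_special_driver` entries use bare product IDs (`0x9218` through `0x9236`), while the A4TECH entries right below them use named `USB_DEVICE_ID_*` constants. Because this list has to stay in step with the appledisplay driver's own ID table, a comment above the block would make that coupling visible, for example `/* Must mirror the appledisplay driver's device table; these displays are withheld from hid-generic */`. Matching is by VID/PID alone, so with CONFIG_APPLEDISPLAY enabled any device reporting one of these IDs loses generic HID handling; that is the intent, but it is worth stating next to the entries.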
+++ b/queue-6.18/idpf-cap-maximum-rx-buffer-size.patch 
@@ -0,0 +1,75 @@ +From 0e351f44e8e72dd8a8a44162720999610260beca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Nov 2025 13:20:36 -0800 +Subject: idpf: cap maximum Rx buffer size + +From: Joshua Hay + +[ Upstream commit 086efe0a1ecc36cffe46640ce12649a4cd3ff171 ] + +The HW only supports a maximum Rx buffer size of 16K-128. On systems +using large pages, the libeth logic can configure the buffer size to be +larger than this. The upper bound is PAGE_SIZE while the lower bound is +MTU rounded up to the nearest power of 2. For example, ARM systems with +a 64K page size and an mtu of 9000 will set the Rx buffer size to 16K, +which will cause the config Rx queues message to fail. + +Initialize the bufq/fill queue buf_len field to the maximum supported +size. This will trigger the libeth logic to cap the maximum Rx buffer +size by reducing the upper bound. + +Fixes: 74d1412ac8f37 ("idpf: use libeth Rx buffer management for payload buffer") +Signed-off-by: Joshua Hay +Acked-by: Alexander Lobakin +Reviewed-by: Madhu Chittim +Reviewed-by: Jacob Keller +Reviewed-by: Aleksandr Loktionov +Reviewed-by: David Decotigny +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/idpf/idpf_txrx.c | 8 +++++--- + drivers/net/ethernet/intel/idpf/idpf_txrx.h | 1 + + 2 files changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/idpf/idpf_txrx.c b/drivers/net/ethernet/intel/idpf/idpf_txrx.c +index 3698979b4c9ee..f66948f5de78b 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.c ++++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.c +@@ -695,9 +695,10 @@ static int idpf_rx_buf_alloc_singleq(struct idpf_rx_queue *rxq) + static int idpf_rx_bufs_init_singleq(struct idpf_rx_queue *rxq) + { + struct libeth_fq fq = { +- .count = rxq->desc_count, +- .type = LIBETH_FQE_MTU, +- .nid = idpf_q_vector_to_mem(rxq->q_vector), ++ .count = rxq->desc_count, ++ .type = LIBETH_FQE_MTU, ++ .buf_len = IDPF_RX_MAX_BUF_SZ, ++ .nid = 
idpf_q_vector_to_mem(rxq->q_vector), + }; + int ret; + +@@ -754,6 +755,7 @@ static int idpf_rx_bufs_init(struct idpf_buf_queue *bufq, + .truesize = bufq->truesize, + .count = bufq->desc_count, + .type = type, ++ .buf_len = IDPF_RX_MAX_BUF_SZ, + .hsplit = idpf_queue_has(HSPLIT_EN, bufq), + .xdp = idpf_xdp_enabled(bufq->q_vector->vport), + .nid = idpf_q_vector_to_mem(bufq->q_vector), +diff --git a/drivers/net/ethernet/intel/idpf/idpf_txrx.h b/drivers/net/ethernet/intel/idpf/idpf_txrx.h +index 0472698ca1927..423cc9486dce7 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.h ++++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.h +@@ -101,6 +101,7 @@ do { \ + idx = 0; \ + } while (0) + ++#define IDPF_RX_MAX_BUF_SZ (16384 - 128) + #define IDPF_RX_BUF_STRIDE 32 + #define IDPF_RX_BUF_POST_STRIDE 16 + #define IDPF_LOW_WATERMARK 64 +-- +2.51.0 + diff --git a/queue-6.18/idpf-convert-vport-state-to-bitmap.patch b/queue-6.18/idpf-convert-vport-state-to-bitmap.patch new file mode 100644 index 0000000000..76f08625df --- /dev/null +++ b/queue-6.18/idpf-convert-vport-state-to-bitmap.patch 
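Review bot: `IDPF_RX_MAX_BUF_SZ` is added as a bare `(16384 - 128)`, and the reason for that value appears only in the commit message. A comment on the define, for example `/* HW limit for one Rx buffer is 16K - 128 bytes; passed as libeth_fq.buf_len to cap the size */`, would keep the constraint next to the two `.buf_len` initialisers in idpf_rx_bufs_init_singleq and idpf_rx_bufs_init that depend on it. Without it, a later change to the libeth sizing logic could bring back the oversized-buffer configuration that the commit message says makes the Rx queue config message fail.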
@@ -0,0 +1,302 @@ +From bc5821ad381722367b5864879910758417bd8f4e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Nov 2025 14:36:24 -0800 +Subject: idpf: convert vport state to bitmap + +From: Emil Tantilov + +[ Upstream commit 8dd72ebc73f37b216410db17340f15e6fb2cdb7b ] + +Convert vport state to a bitmap and remove the DOWN state which is +redundant in the existing logic. There are no functional changes aside +from the use of bitwise operations when setting and checking the states. +Removed the double underscore to be consistent with the naming of other +bitmaps in the header and renamed current_state to vport_is_up to match +the meaning of the new variable. + +Reviewed-by: Przemek Kitszel +Reviewed-by: Aleksandr Loktionov +Reviewed-by: Chittim Madhu +Signed-off-by: Emil Tantilov +Tested-by: Samuel Salin +Signed-off-by: Tony Nguyen +Link: https://patch.msgid.link/20251125223632.1857532-6-anthony.l.nguyen@intel.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: 2e281e1155fc ("idpf: detach and close netdevs while handling a reset") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/idpf/idpf.h | 12 ++++------ + .../net/ethernet/intel/idpf/idpf_ethtool.c | 12 +++++----- + drivers/net/ethernet/intel/idpf/idpf_lib.c | 24 +++++++++---------- + .../ethernet/intel/idpf/idpf_singleq_txrx.c | 2 +- + drivers/net/ethernet/intel/idpf/idpf_txrx.c | 2 +- + .../net/ethernet/intel/idpf/idpf_virtchnl.c | 4 ++-- + drivers/net/ethernet/intel/idpf/xdp.c | 2 +- + 7 files changed, 28 insertions(+), 30 deletions(-) + +diff --git a/drivers/net/ethernet/intel/idpf/idpf.h b/drivers/net/ethernet/intel/idpf/idpf.h +index ca4da0c899794..64142f8163fed 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf.h ++++ b/drivers/net/ethernet/intel/idpf/idpf.h +@@ -131,14 +131,12 @@ enum idpf_cap_field { + + /** + * enum idpf_vport_state - Current vport state +- * @__IDPF_VPORT_DOWN: Vport is down +- * @__IDPF_VPORT_UP: Vport is up +- * @__IDPF_VPORT_STATE_LAST: Must be last, number of 
states ++ * @IDPF_VPORT_UP: Vport is up ++ * @IDPF_VPORT_STATE_NBITS: Must be last, number of states + */ + enum idpf_vport_state { +- __IDPF_VPORT_DOWN, +- __IDPF_VPORT_UP, +- __IDPF_VPORT_STATE_LAST, ++ IDPF_VPORT_UP, ++ IDPF_VPORT_STATE_NBITS + }; + + /** +@@ -162,7 +160,7 @@ struct idpf_netdev_priv { + u16 vport_idx; + u16 max_tx_hdr_size; + u16 tx_max_bufs; +- enum idpf_vport_state state; ++ DECLARE_BITMAP(state, IDPF_VPORT_STATE_NBITS); + struct rtnl_link_stats64 netstats; + spinlock_t stats_lock; + }; +diff --git a/drivers/net/ethernet/intel/idpf/idpf_ethtool.c b/drivers/net/ethernet/intel/idpf/idpf_ethtool.c +index a5a1eec9ade8b..eed166bc46f38 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_ethtool.c ++++ b/drivers/net/ethernet/intel/idpf/idpf_ethtool.c +@@ -386,7 +386,7 @@ static int idpf_get_rxfh(struct net_device *netdev, + } + + rss_data = &adapter->vport_config[np->vport_idx]->user_config.rss_data; +- if (np->state != __IDPF_VPORT_UP) ++ if (!test_bit(IDPF_VPORT_UP, np->state)) + goto unlock_mutex; + + rxfh->hfunc = ETH_RSS_HASH_TOP; +@@ -436,7 +436,7 @@ static int idpf_set_rxfh(struct net_device *netdev, + } + + rss_data = &adapter->vport_config[vport->idx]->user_config.rss_data; +- if (np->state != __IDPF_VPORT_UP) ++ if (!test_bit(IDPF_VPORT_UP, np->state)) + goto unlock_mutex; + + if (rxfh->hfunc != ETH_RSS_HASH_NO_CHANGE && +@@ -1167,7 +1167,7 @@ static void idpf_get_ethtool_stats(struct net_device *netdev, + idpf_vport_ctrl_lock(netdev); + vport = idpf_netdev_to_vport(netdev); + +- if (np->state != __IDPF_VPORT_UP) { ++ if (!test_bit(IDPF_VPORT_UP, np->state)) { + idpf_vport_ctrl_unlock(netdev); + + return; +@@ -1319,7 +1319,7 @@ static int idpf_get_q_coalesce(struct net_device *netdev, + idpf_vport_ctrl_lock(netdev); + vport = idpf_netdev_to_vport(netdev); + +- if (np->state != __IDPF_VPORT_UP) ++ if (!test_bit(IDPF_VPORT_UP, np->state)) + goto unlock_mutex; + + if (q_num >= vport->num_rxq && q_num >= vport->num_txq) { +@@ -1507,7 +1507,7 @@ 
static int idpf_set_coalesce(struct net_device *netdev, + idpf_vport_ctrl_lock(netdev); + vport = idpf_netdev_to_vport(netdev); + +- if (np->state != __IDPF_VPORT_UP) ++ if (!test_bit(IDPF_VPORT_UP, np->state)) + goto unlock_mutex; + + for (i = 0; i < vport->num_txq; i++) { +@@ -1710,7 +1710,7 @@ static void idpf_get_ts_stats(struct net_device *netdev, + ts_stats->err = u64_stats_read(&vport->tstamp_stats.discarded); + } while (u64_stats_fetch_retry(&vport->tstamp_stats.stats_sync, start)); + +- if (np->state != __IDPF_VPORT_UP) ++ if (!test_bit(IDPF_VPORT_UP, np->state)) + goto exit; + + for (u16 i = 0; i < vport->num_txq_grp; i++) { +diff --git a/drivers/net/ethernet/intel/idpf/idpf_lib.c b/drivers/net/ethernet/intel/idpf/idpf_lib.c +index 452f3107378cb..313803c088478 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_lib.c ++++ b/drivers/net/ethernet/intel/idpf/idpf_lib.c +@@ -519,7 +519,7 @@ static int idpf_del_mac_filter(struct idpf_vport *vport, + } + spin_unlock_bh(&vport_config->mac_filter_list_lock); + +- if (np->state == __IDPF_VPORT_UP) { ++ if (test_bit(IDPF_VPORT_UP, np->state)) { + int err; + + err = idpf_add_del_mac_filters(vport, np, false, async); +@@ -590,7 +590,7 @@ static int idpf_add_mac_filter(struct idpf_vport *vport, + if (err) + return err; + +- if (np->state == __IDPF_VPORT_UP) ++ if (test_bit(IDPF_VPORT_UP, np->state)) + err = idpf_add_del_mac_filters(vport, np, true, async); + + return err; +@@ -894,7 +894,7 @@ static void idpf_vport_stop(struct idpf_vport *vport, bool rtnl) + { + struct idpf_netdev_priv *np = netdev_priv(vport->netdev); + +- if (np->state <= __IDPF_VPORT_DOWN) ++ if (!test_bit(IDPF_VPORT_UP, np->state)) + return; + + if (rtnl) +@@ -921,7 +921,7 @@ static void idpf_vport_stop(struct idpf_vport *vport, bool rtnl) + idpf_xdp_rxq_info_deinit_all(vport); + idpf_vport_queues_rel(vport); + idpf_vport_intr_rel(vport); +- np->state = __IDPF_VPORT_DOWN; ++ clear_bit(IDPF_VPORT_UP, np->state); + + if (rtnl) + rtnl_unlock(); +@@ 
-1345,7 +1345,7 @@ static int idpf_up_complete(struct idpf_vport *vport) + netif_tx_start_all_queues(vport->netdev); + } + +- np->state = __IDPF_VPORT_UP; ++ set_bit(IDPF_VPORT_UP, np->state); + + return 0; + } +@@ -1391,7 +1391,7 @@ static int idpf_vport_open(struct idpf_vport *vport, bool rtnl) + struct idpf_vport_config *vport_config; + int err; + +- if (np->state != __IDPF_VPORT_DOWN) ++ if (test_bit(IDPF_VPORT_UP, np->state)) + return -EBUSY; + + if (rtnl) +@@ -1602,7 +1602,7 @@ void idpf_init_task(struct work_struct *work) + + /* Once state is put into DOWN, driver is ready for dev_open */ + np = netdev_priv(vport->netdev); +- np->state = __IDPF_VPORT_DOWN; ++ clear_bit(IDPF_VPORT_UP, np->state); + if (test_and_clear_bit(IDPF_VPORT_UP_REQUESTED, vport_config->flags)) + idpf_vport_open(vport, true); + +@@ -1796,7 +1796,7 @@ static void idpf_set_vport_state(struct idpf_adapter *adapter) + continue; + + np = netdev_priv(adapter->netdevs[i]); +- if (np->state == __IDPF_VPORT_UP) ++ if (test_bit(IDPF_VPORT_UP, np->state)) + set_bit(IDPF_VPORT_UP_REQUESTED, + adapter->vport_config[i]->flags); + } +@@ -1934,7 +1934,7 @@ int idpf_initiate_soft_reset(struct idpf_vport *vport, + enum idpf_vport_reset_cause reset_cause) + { + struct idpf_netdev_priv *np = netdev_priv(vport->netdev); +- enum idpf_vport_state current_state = np->state; ++ bool vport_is_up = test_bit(IDPF_VPORT_UP, np->state); + struct idpf_adapter *adapter = vport->adapter; + struct idpf_vport *new_vport; + int err; +@@ -1985,7 +1985,7 @@ int idpf_initiate_soft_reset(struct idpf_vport *vport, + goto free_vport; + } + +- if (current_state <= __IDPF_VPORT_DOWN) { ++ if (!vport_is_up) { + idpf_send_delete_queues_msg(vport); + } else { + set_bit(IDPF_VPORT_DEL_QUEUES, vport->flags); +@@ -2018,7 +2018,7 @@ int idpf_initiate_soft_reset(struct idpf_vport *vport, + if (err) + goto err_open; + +- if (current_state == __IDPF_VPORT_UP) ++ if (vport_is_up) + err = idpf_vport_open(vport, false); + + goto free_vport; 
+@@ -2028,7 +2028,7 @@ int idpf_initiate_soft_reset(struct idpf_vport *vport, + vport->num_rxq, vport->num_bufq); + + err_open: +- if (current_state == __IDPF_VPORT_UP) ++ if (vport_is_up) + idpf_vport_open(vport, false); + + free_vport: +diff --git a/drivers/net/ethernet/intel/idpf/idpf_singleq_txrx.c b/drivers/net/ethernet/intel/idpf/idpf_singleq_txrx.c +index 61e6130661404..e3ddf18dcbf51 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_singleq_txrx.c ++++ b/drivers/net/ethernet/intel/idpf/idpf_singleq_txrx.c +@@ -570,7 +570,7 @@ static bool idpf_tx_singleq_clean(struct idpf_tx_queue *tx_q, int napi_budget, + np = netdev_priv(tx_q->netdev); + nq = netdev_get_tx_queue(tx_q->netdev, tx_q->idx); + +- dont_wake = np->state != __IDPF_VPORT_UP || ++ dont_wake = !test_bit(IDPF_VPORT_UP, np->state) || + !netif_carrier_ok(tx_q->netdev); + __netif_txq_completed_wake(nq, ss.packets, ss.bytes, + IDPF_DESC_UNUSED(tx_q), IDPF_TX_WAKE_THRESH, +diff --git a/drivers/net/ethernet/intel/idpf/idpf_txrx.c b/drivers/net/ethernet/intel/idpf/idpf_txrx.c +index 828f7c444d309..1993a3b0da59b 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.c ++++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.c +@@ -2275,7 +2275,7 @@ static bool idpf_tx_clean_complq(struct idpf_compl_queue *complq, int budget, + /* Update BQL */ + nq = netdev_get_tx_queue(tx_q->netdev, tx_q->idx); + +- dont_wake = !complq_ok || np->state != __IDPF_VPORT_UP || ++ dont_wake = !complq_ok || !test_bit(IDPF_VPORT_UP, np->state) || + !netif_carrier_ok(tx_q->netdev); + /* Check if the TXQ needs to and can be restarted */ + __netif_txq_completed_wake(nq, tx_q->cleaned_pkts, tx_q->cleaned_bytes, +diff --git a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c +index fc03d55bc9b90..5bbe7d9294c14 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c ++++ b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c +@@ -68,7 +68,7 @@ static void idpf_handle_event_link(struct 
idpf_adapter *adapter, + + vport->link_up = v2e->link_status; + +- if (np->state != __IDPF_VPORT_UP) ++ if (!test_bit(IDPF_VPORT_UP, np->state)) + return; + + if (vport->link_up) { +@@ -2760,7 +2760,7 @@ int idpf_send_get_stats_msg(struct idpf_vport *vport) + + + /* Don't send get_stats message if the link is down */ +- if (np->state <= __IDPF_VPORT_DOWN) ++ if (!test_bit(IDPF_VPORT_UP, np->state)) + return 0; + + stats_msg.vport_id = cpu_to_le32(vport->vport_id); +diff --git a/drivers/net/ethernet/intel/idpf/xdp.c b/drivers/net/ethernet/intel/idpf/xdp.c +index 21ce25b0567f6..958d16f874248 100644 +--- a/drivers/net/ethernet/intel/idpf/xdp.c ++++ b/drivers/net/ethernet/intel/idpf/xdp.c +@@ -418,7 +418,7 @@ static int idpf_xdp_setup_prog(struct idpf_vport *vport, + if (test_bit(IDPF_REMOVE_IN_PROG, vport->adapter->flags) || + !test_bit(IDPF_VPORT_REG_NETDEV, cfg->flags) || + !!vport->xdp_prog == !!prog) { +- if (np->state == __IDPF_VPORT_UP) ++ if (test_bit(IDPF_VPORT_UP, np->state)) + idpf_xdp_copy_prog_to_rqs(vport, prog); + + old = xchg(&vport->xdp_prog, prog); +-- +2.51.0 + diff --git a/queue-6.18/idpf-detach-and-close-netdevs-while-handling-a-reset.patch b/queue-6.18/idpf-detach-and-close-netdevs-while-handling-a-reset.patch new file mode 100644 index 0000000000..b30a531897 --- /dev/null +++ b/queue-6.18/idpf-detach-and-close-netdevs-while-handling-a-reset.patch 
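Review bot: Two comments kept by this patch still describe the DOWN state that it removes. They are `/* Once state is put into DOWN, driver is ready for dev_open */` in idpf_init_task, and the kernel-doc line `@IDPF_VPORT_STATE_NBITS: Must be last, number of states`, which now counts bits rather than states. Suggested wording is `/* Once IDPF_VPORT_UP is cleared, driver is ready for dev_open */` and `@IDPF_VPORT_STATE_NBITS: Must be last, number of state bits`. The enclosing functions continue outside the hunks.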
@@ -0,0 +1,280 @@ +From dcdfe306c5acf645bba24e4016b7f5c32a1ca96c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Nov 2025 16:12:15 -0800 +Subject: idpf: detach and close netdevs while handling a reset + +From: Emil Tantilov + +[ Upstream commit 2e281e1155fc476c571c0bd2ffbfe28ab829a5c3 ] + +Protect the reset path from callbacks by setting the netdevs to detached +state and close any netdevs in UP state until the reset handling has +completed. During a reset, the driver will de-allocate resources for the +vport, and there is no guarantee that those will recover, which is why the +existing vport_ctrl_lock does not provide sufficient protection. + +idpf_detach_and_close() is called right before reset handling. If the +reset handling succeeds, the netdevs state is recovered via call to +idpf_attach_and_open(). If the reset handling fails the netdevs remain +down. The detach/down calls are protected with RTNL lock to avoid racing +with callbacks. On the recovery side the attach can be done without +holding the RTNL lock as there are no callbacks expected at that point, +due to detach/close always being done first in that flow. + +The previous logic restoring the netdevs state based on the +IDPF_VPORT_UP_REQUESTED flag in the init task is not needed anymore, hence +the removal of idpf_set_vport_state(). The IDPF_VPORT_UP_REQUESTED is +still being used to restore the state of the netdevs following the reset, +but has no use outside of the reset handling flow. + +idpf_init_hard_reset() is converted to void, since it was used as such and +there is no error handling being done based on its return value. 
+ +Before this change, invoking hard and soft resets simultaneously will +cause the driver to lose the vport state: +ip -br a + UP +echo 1 > /sys/class/net/ens801f0/device/reset& \ +ethtool -L ens801f0 combined 8 +ip -br a + DOWN +ip link set up +ip -br a + DOWN + +Also in case of a failure in the reset path, the netdev is left +exposed to external callbacks, while vport resources are not +initialized, leading to a crash on subsequent ifup/down: +[408471.398966] idpf 0000:83:00.0: HW reset detected +[408471.411744] idpf 0000:83:00.0: Device HW Reset initiated +[408472.277901] idpf 0000:83:00.0: The driver was unable to contact the device's firmware. Check that the FW is running. Driver state= 0x2 +[408508.125551] BUG: kernel NULL pointer dereference, address: 0000000000000078 +[408508.126112] #PF: supervisor read access in kernel mode +[408508.126687] #PF: error_code(0x0000) - not-present page +[408508.127256] PGD 2aae2f067 P4D 0 +[408508.127824] Oops: Oops: 0000 [#1] SMP NOPTI +... +[408508.130871] RIP: 0010:idpf_stop+0x39/0x70 [idpf] +... +[408508.139193] Call Trace: +[408508.139637] +[408508.140077] __dev_close_many+0xbb/0x260 +[408508.140533] __dev_change_flags+0x1cf/0x280 +[408508.140987] netif_change_flags+0x26/0x70 +[408508.141434] dev_change_flags+0x3d/0xb0 +[408508.141878] devinet_ioctl+0x460/0x890 +[408508.142321] inet_ioctl+0x18e/0x1d0 +[408508.142762] ? _copy_to_user+0x22/0x70 +[408508.143207] sock_do_ioctl+0x3d/0xe0 +[408508.143652] sock_ioctl+0x10e/0x330 +[408508.144091] ? 
find_held_lock+0x2b/0x80 +[408508.144537] __x64_sys_ioctl+0x96/0xe0 +[408508.144979] do_syscall_64+0x79/0x3d0 +[408508.145415] entry_SYSCALL_64_after_hwframe+0x76/0x7e +[408508.145860] RIP: 0033:0x7f3e0bb4caff + +Fixes: 0fe45467a104 ("idpf: add create vport and netdev configuration") +Signed-off-by: Emil Tantilov +Reviewed-by: Madhu Chittim +Tested-by: Samuel Salin +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/idpf/idpf_lib.c | 121 ++++++++++++--------- + 1 file changed, 72 insertions(+), 49 deletions(-) + +diff --git a/drivers/net/ethernet/intel/idpf/idpf_lib.c b/drivers/net/ethernet/intel/idpf/idpf_lib.c +index 313803c088478..a964e0f5891eb 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_lib.c ++++ b/drivers/net/ethernet/intel/idpf/idpf_lib.c +@@ -729,6 +729,65 @@ static int idpf_init_mac_addr(struct idpf_vport *vport, + return 0; + } + ++static void idpf_detach_and_close(struct idpf_adapter *adapter) ++{ ++ int max_vports = adapter->max_vports; ++ ++ for (int i = 0; i < max_vports; i++) { ++ struct net_device *netdev = adapter->netdevs[i]; ++ ++ /* If the interface is in detached state, that means the ++ * previous reset was not handled successfully for this ++ * vport. ++ */ ++ if (!netif_device_present(netdev)) ++ continue; ++ ++ /* Hold RTNL to protect racing with callbacks */ ++ rtnl_lock(); ++ netif_device_detach(netdev); ++ if (netif_running(netdev)) { ++ set_bit(IDPF_VPORT_UP_REQUESTED, ++ adapter->vport_config[i]->flags); ++ dev_close(netdev); ++ } ++ rtnl_unlock(); ++ } ++} ++ ++static void idpf_attach_and_open(struct idpf_adapter *adapter) ++{ ++ int max_vports = adapter->max_vports; ++ ++ for (int i = 0; i < max_vports; i++) { ++ struct idpf_vport *vport = adapter->vports[i]; ++ struct idpf_vport_config *vport_config; ++ struct net_device *netdev; ++ ++ /* In case of a critical error in the init task, the vport ++ * will be freed. Only continue to restore the netdevs ++ * if the vport is allocated. 
++ */ ++ if (!vport) ++ continue; ++ ++ /* No need for RTNL on attach as this function is called ++ * following detach and dev_close(). We do take RTNL for ++ * dev_open() below as it can race with external callbacks ++ * following the call to netif_device_attach(). ++ */ ++ netdev = adapter->netdevs[i]; ++ netif_device_attach(netdev); ++ vport_config = adapter->vport_config[vport->idx]; ++ if (test_and_clear_bit(IDPF_VPORT_UP_REQUESTED, ++ vport_config->flags)) { ++ rtnl_lock(); ++ dev_open(netdev, NULL); ++ rtnl_unlock(); ++ } ++ } ++} ++ + /** + * idpf_cfg_netdev - Allocate, configure and register a netdev + * @vport: main vport structure +@@ -1041,10 +1100,11 @@ static void idpf_vport_dealloc(struct idpf_vport *vport) + idpf_idc_deinit_vport_aux_device(vport->vdev_info); + + idpf_deinit_mac_addr(vport); +- idpf_vport_stop(vport, true); + +- if (!test_bit(IDPF_HR_RESET_IN_PROG, adapter->flags)) ++ if (!test_bit(IDPF_HR_RESET_IN_PROG, adapter->flags)) { ++ idpf_vport_stop(vport, true); + idpf_decfg_netdev(vport); ++ } + if (test_bit(IDPF_REMOVE_IN_PROG, adapter->flags)) + idpf_del_all_mac_filters(vport); + +@@ -1544,7 +1604,6 @@ void idpf_init_task(struct work_struct *work) + struct idpf_vport_config *vport_config; + struct idpf_vport_max_q max_q; + struct idpf_adapter *adapter; +- struct idpf_netdev_priv *np; + struct idpf_vport *vport; + u16 num_default_vports; + struct pci_dev *pdev; +@@ -1600,12 +1659,6 @@ void idpf_init_task(struct work_struct *work) + if (idpf_cfg_netdev(vport)) + goto unwind_vports; + +- /* Once state is put into DOWN, driver is ready for dev_open */ +- np = netdev_priv(vport->netdev); +- clear_bit(IDPF_VPORT_UP, np->state); +- if (test_and_clear_bit(IDPF_VPORT_UP_REQUESTED, vport_config->flags)) +- idpf_vport_open(vport, true); +- + /* Spawn and return 'idpf_init_task' work queue until all the + * default vports are created + */ +@@ -1781,27 +1834,6 @@ static int idpf_check_reset_complete(struct idpf_hw *hw, + return -EBUSY; + } + +-/** 
+- * idpf_set_vport_state - Set the vport state to be after the reset +- * @adapter: Driver specific private structure +- */ +-static void idpf_set_vport_state(struct idpf_adapter *adapter) +-{ +- u16 i; +- +- for (i = 0; i < adapter->max_vports; i++) { +- struct idpf_netdev_priv *np; +- +- if (!adapter->netdevs[i]) +- continue; +- +- np = netdev_priv(adapter->netdevs[i]); +- if (test_bit(IDPF_VPORT_UP, np->state)) +- set_bit(IDPF_VPORT_UP_REQUESTED, +- adapter->vport_config[i]->flags); +- } +-} +- + /** + * idpf_init_hard_reset - Initiate a hardware reset + * @adapter: Driver specific private structure +@@ -1810,28 +1842,17 @@ static void idpf_set_vport_state(struct idpf_adapter *adapter) + * reallocate. Also reinitialize the mailbox. Return 0 on success, + * negative on failure. + */ +-static int idpf_init_hard_reset(struct idpf_adapter *adapter) ++static void idpf_init_hard_reset(struct idpf_adapter *adapter) + { + struct idpf_reg_ops *reg_ops = &adapter->dev_ops.reg_ops; + struct device *dev = &adapter->pdev->dev; +- struct net_device *netdev; + int err; +- u16 i; + ++ idpf_detach_and_close(adapter); + mutex_lock(&adapter->vport_ctrl_lock); + + dev_info(dev, "Device HW Reset initiated\n"); + +- /* Avoid TX hangs on reset */ +- for (i = 0; i < adapter->max_vports; i++) { +- netdev = adapter->netdevs[i]; +- if (!netdev) +- continue; +- +- netif_carrier_off(netdev); +- netif_tx_disable(netdev); +- } +- + /* Prepare for reset */ + if (test_and_clear_bit(IDPF_HR_DRV_LOAD, adapter->flags)) { + reg_ops->trigger_reset(adapter, IDPF_HR_DRV_LOAD); +@@ -1840,7 +1861,6 @@ static int idpf_init_hard_reset(struct idpf_adapter *adapter) + + idpf_idc_issue_reset_event(adapter->cdev_info); + +- idpf_set_vport_state(adapter); + idpf_vc_core_deinit(adapter); + if (!is_reset) + reg_ops->trigger_reset(adapter, IDPF_HR_FUNC_RESET); +@@ -1887,11 +1907,14 @@ static int idpf_init_hard_reset(struct idpf_adapter *adapter) + unlock_mutex: + mutex_unlock(&adapter->vport_ctrl_lock); + +- /* 
Wait until all vports are created to init RDMA CORE AUX */ +- if (!err) +- err = idpf_idc_init(adapter); +- +- return err; ++ /* Attempt to restore netdevs and initialize RDMA CORE AUX device, ++ * provided vc_core_init succeeded. It is still possible that ++ * vports are not allocated at this point if the init task failed. ++ */ ++ if (!err) { ++ idpf_attach_and_open(adapter); ++ idpf_idc_init(adapter); ++ } + } + + /** +-- +2.51.0 + diff --git a/queue-6.18/idpf-fix-aux-device-unplugging-when-rdma-is-not-supp.patch b/queue-6.18/idpf-fix-aux-device-unplugging-when-rdma-is-not-supp.patch new file mode 100644 index 0000000000..5fc2640770 --- /dev/null +++ b/queue-6.18/idpf-fix-aux-device-unplugging-when-rdma-is-not-supp.patch 
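Review bot: `idpf_detach_and_close()` passes `adapter->netdevs[i]` straight to `netif_device_present()`, whereas both loops this patch removes (the TX-disable loop in idpf_init_hard_reset and idpf_set_vport_state) skipped NULL entries first. If a slot below `max_vports` can still be empty when a reset arrives, as the removed guards suggest, that call dereferences a NULL netdev in the reset path; `if (!netdev || !netif_device_present(netdev)) continue;` restores the old tolerance. Separately, the kernel-doc above `idpf_init_hard_reset()` still reads "Return 0 on success, negative on failure" although the function is now `void`, so that sentence should be dropped.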
@@ -0,0 +1,44 @@
+From e5a184d2b3c84b6a404e02e7a9b192fccc135db5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 17 Nov 2025 08:03:49 +0100
+Subject: idpf: fix aux device unplugging when rdma is not supported by vport
+
+From: Larysa Zaremba
+
+[ Upstream commit 4648fb2f2e7210c53b85220ee07d42d1e4bae3f9 ]
+
+If vport flags do not contain VIRTCHNL2_VPORT_ENABLE_RDMA, driver does not
+allocate vdev_info for this vport. This leads to kernel NULL pointer
+dereference in idpf_idc_vport_dev_down(), which references vdev_info for
+every vport regardless.
+
+Check, if vdev_info was ever allocated before unplugging aux device.
+
+Fixes: be91128c579c ("idpf: implement RDMA vport auxiliary dev create, init, and destroy")
+Reviewed-by: Madhu Chittim
+Signed-off-by: Larysa Zaremba
+Reviewed-by: Paul Menzel
+Reviewed-by: Aleksandr Loktionov
+Tested-by: Krishneil Singh
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/idpf/idpf_idc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_idc.c b/drivers/net/ethernet/intel/idpf/idpf_idc.c
+index 7e20a07e98e53..6dad0593f7f22 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_idc.c
++++ b/drivers/net/ethernet/intel/idpf/idpf_idc.c
+@@ -322,7 +322,7 @@ static void idpf_idc_vport_dev_down(struct idpf_adapter *adapter)
+ for (i = 0; i < adapter->num_alloc_vports; i++) {
+ struct idpf_vport *vport = adapter->vports[i];
+
+- if (!vport)
++ if (!vport || !vport->vdev_info)
+ continue;
+
+ idpf_unplug_aux_dev(vport->vdev_info->adev);
+--
+2.51.0
+
diff --git a/queue-6.18/idpf-fix-error-handling-in-idpf_vport_open.patch b/queue-6.18/idpf-fix-error-handling-in-idpf_vport_open.patch
new file mode 100644
index 0000000000..e49b1492a5
--- /dev/null
+++ b/queue-6.18/idpf-fix-error-handling-in-idpf_vport_open.patch
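Review bot: The new `!vport->vdev_info` test in idpf_idc_vport_dev_down() has no comment saying when vdev_info is legitimately NULL, so the reason for the guard lives only in the commit message. I would put it at the check: `/* vdev_info is only allocated for vports with VIRTCHNL2_VPORT_ENABLE_RDMA */`. The loop still passes `vport->vdev_info->adev` to idpf_unplug_aux_dev() unchecked; whether that helper tolerates a NULL adev is not visible in this hunk and is worth confirming. The function body starts and ends outside the hunk.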
@@ -0,0 +1,50 @@
+From 9febd6969e968eb13e78781856e46360c787acef Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 2 Dec 2025 17:12:46 -0600
+Subject: idpf: Fix error handling in idpf_vport_open()
+
+From: Sreedevi Joshi
+
+[ Upstream commit 87b8ee64685bc096a087af833d4594b2332bfdb1 ]
+
+Fix error handling to properly cleanup interrupts when
+idpf_vport_queue_ids_init() or idpf_rx_bufs_init_all() fail. Jump to
+'intr_deinit' instead of 'queues_rel' to ensure interrupts are cleaned up
+before releasing other resources.
+
+Fixes: d4d558718266 ("idpf: initialize interrupts and enable vport")
+Signed-off-by: Sreedevi Joshi
+Reviewed-by: Madhu Chittim
+Reviewed-by: Aleksandr Loktionov
+Reviewed-by: Simon Horman
+Tested-by: Samuel Salin
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/idpf/idpf_lib.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_lib.c b/drivers/net/ethernet/intel/idpf/idpf_lib.c
+index 003bab3ce5ae6..131a8121839bd 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_lib.c
++++ b/drivers/net/ethernet/intel/idpf/idpf_lib.c
+@@ -1524,14 +1524,14 @@ static int idpf_vport_open(struct idpf_vport *vport, bool rtnl)
+ if (err) {
+ dev_err(&adapter->pdev->dev, "Failed to initialize queue registers for vport %u: %d\n",
+ vport->vport_id, err);
+- goto queues_rel;
++ goto intr_deinit;
+ }
+
+ err = idpf_rx_bufs_init_all(vport);
+ if (err) {
+ dev_err(&adapter->pdev->dev, "Failed to initialize RX buffers for vport %u: %d\n",
+ vport->vport_id, err);
+- goto queues_rel;
++ goto intr_deinit;
+ }
+
+ idpf_rx_init_buf_tail(vport);
+--
+2.51.0
+
diff --git a/queue-6.18/idpf-fix-error-handling-in-the-init_task-on-load.patch b/queue-6.18/idpf-fix-error-handling-in-the-init_task-on-load.patch
new file mode 100644
index 0000000000..53171dc89a
--- /dev/null
+++ b/queue-6.18/idpf-fix-error-handling-in-the-init_task-on-load.patch
@@ -0,0 +1,100 @@
+From c46f5d470a5d104b5032cc28f5b5addc58df236b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 Nov 2025 16:12:18 -0800
+Subject: idpf: fix error handling in the init_task on load
+
+From: Emil Tantilov
+
+[ Upstream commit 4d792219fe6f891b5b557a607ac8a0a14eda6e38 ]
+
+If the init_task fails during a driver load, we end up without vports and
+netdevs, effectively failing the entire process. In that state a
+subsequent reset will result in a crash as the service task attempts to
+access uninitialized resources. Following trace is from an error in the
+init_task where the CREATE_VPORT (op 501) is rejected by the FW:
+
+[40922.763136] idpf 0000:83:00.0: Device HW Reset initiated
+[40924.449797] idpf 0000:83:00.0: Transaction failed (op 501)
+[40958.148190] idpf 0000:83:00.0: HW reset detected
+[40958.161202] BUG: kernel NULL pointer dereference, address: 00000000000000a8
+...
+[40958.168094] Workqueue: idpf-0000:83:00.0-vc_event idpf_vc_event_task [idpf]
+[40958.168865] RIP: 0010:idpf_vc_event_task+0x9b/0x350 [idpf]
+...
+[40958.177932] Call Trace:
+[40958.178491]
+[40958.179040] process_one_work+0x226/0x6d0
+[40958.179609] worker_thread+0x19e/0x340
+[40958.180158] ? __pfx_worker_thread+0x10/0x10
+[40958.180702] kthread+0x10f/0x250
+[40958.181238] ? __pfx_kthread+0x10/0x10
+[40958.181774] ret_from_fork+0x251/0x2b0
+[40958.182307] ? __pfx_kthread+0x10/0x10
+[40958.182834] ret_from_fork_asm+0x1a/0x30
+[40958.183370]
+
+Fix the error handling in the init_task to make sure the service and
+mailbox tasks are disabled if the error happens during load. These are
+started in idpf_vc_core_init(), which spawns the init_task and has no way
+of knowing if it failed. If the error happens on reset, following
+successful driver load, the tasks can still run, as that will allow the
+netdevs to attempt recovery through another reset. Stop the PTP callbacks
+either way as those will be restarted by the call to idpf_vc_core_init()
+during a successful reset.
+
+Fixes: 0fe45467a104 ("idpf: add create vport and netdev configuration")
+Reported-by: Vivek Kumar
+Signed-off-by: Emil Tantilov
+Reviewed-by: Madhu Chittim
+Tested-by: Samuel Salin
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/idpf/idpf_lib.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_lib.c b/drivers/net/ethernet/intel/idpf/idpf_lib.c
+index 04af10cfaa8cb..e2ee8b137421f 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_lib.c
++++ b/drivers/net/ethernet/intel/idpf/idpf_lib.c
+@@ -1690,10 +1690,9 @@ void idpf_init_task(struct work_struct *work)
+ set_bit(IDPF_VPORT_REG_NETDEV, vport_config->flags);
+ }
+
+- /* As all the required vports are created, clear the reset flag
+- * unconditionally here in case we were in reset and the link was down.
+- */
++ /* Clear the reset and load bits as all vports are created */
+ clear_bit(IDPF_HR_RESET_IN_PROG, adapter->flags);
++ clear_bit(IDPF_HR_DRV_LOAD, adapter->flags);
+ /* Start the statistics task now */
+ queue_delayed_work(adapter->stats_wq, &adapter->stats_task,
+ msecs_to_jiffies(10 * (pdev->devfn & 0x07)));
+@@ -1707,6 +1706,15 @@ void idpf_init_task(struct work_struct *work)
+ idpf_vport_dealloc(adapter->vports[index]);
+ }
+ }
++ /* Cleanup after vc_core_init, which has no way of knowing the
++ * init task failed on driver load.
++ */
++ if (test_and_clear_bit(IDPF_HR_DRV_LOAD, adapter->flags)) {
++ cancel_delayed_work_sync(&adapter->serv_task);
++ cancel_delayed_work_sync(&adapter->mbx_task);
++ }
++ idpf_ptp_release(adapter);
++
+ clear_bit(IDPF_HR_RESET_IN_PROG, adapter->flags);
+ }
+
+@@ -1856,7 +1864,7 @@ static void idpf_init_hard_reset(struct idpf_adapter *adapter)
+ dev_info(dev, "Device HW Reset initiated\n");
+
+ /* Prepare for reset */
+- if (test_and_clear_bit(IDPF_HR_DRV_LOAD, adapter->flags)) {
++ if (test_bit(IDPF_HR_DRV_LOAD, adapter->flags)) {
+ reg_ops->trigger_reset(adapter, IDPF_HR_DRV_LOAD);
+ } else if (test_and_clear_bit(IDPF_HR_FUNC_RESET, adapter->flags)) {
+ bool is_reset = idpf_is_reset_detected(adapter);
+--
+2.51.0
+
diff --git a/queue-6.18/idpf-fix-issue-with-ethtool-n-command-display.patch b/queue-6.18/idpf-fix-issue-with-ethtool-n-command-display.patch
new file mode 100644
index 0000000000..72cb8ee0c8
--- /dev/null
+++ b/queue-6.18/idpf-fix-issue-with-ethtool-n-command-display.patch
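Review bot: The switch from `test_and_clear_bit` to `test_bit` in idpf_init_hard_reset() moves the clearing of IDPF_HR_DRV_LOAD into idpf_init_task(), but nothing at the test site records that. If idpf_init_task() is never reached after a load-time reset (presumably possible when idpf_vc_core_init() fails early; not visible here), the bit stays set and the next reset takes the driver-load branch again. I would add `/* IDPF_HR_DRV_LOAD is cleared by idpf_init_task(), on success and on failure */` above the test and confirm the early-failure path. In the init_task error path the added comment covers only the load case, while `idpf_ptp_release(adapter)` runs on every failure, so a one-line comment on that call would help. Both functions extend beyond the hunks.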
@@ -0,0 +1,217 @@ +From dcc07f75ba22c82dac0a1c6fe152573bf9f87b9c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Sep 2025 16:23:52 -0500 +Subject: idpf: fix issue with ethtool -n command display + +From: Erik Gabriel Carrillo + +[ Upstream commit 36aae2ea6bd76b8246caa50e34a4f4824f0a3be8 ] + +When ethtool -n is executed on an interface to display the flow steering +rules, "rxclass: Unknown flow type" error is generated. + +The flow steering list maintained in the driver currently stores only the +location and q_index but other fields of the ethtool_rx_flow_spec are not +stored. This may be enough for the virtchnl command to delete the entry. +However, when the ethtool -n command is used to query the flow steering +rules, the ethtool_rx_flow_spec returned is not complete causing the +error below. + +Resolve this by storing the flow spec (fsp) when rules are added and +returning the complete flow spec when rules are queried. + +Also, change the return value from EINVAL to ENOENT when flow steering +entry is not found during query by location or when deleting an entry. + +Add logic to detect and reject duplicate filter entries at the same +location and change logic to perform upfront validation of all error +conditions before adding flow rules through virtchnl. This avoids the +need for additional virtchnl delete messages when subsequent operations +fail, which was missing in the original upstream code. 
+ +Example: +Before the fix: +ethtool -n eth1 +2 RX rings available +Total 2 rules + +rxclass: Unknown flow type +rxclass: Unknown flow type + +After the fix: +ethtool -n eth1 +2 RX rings available +Total 2 rules + +Filter: 0 + Rule Type: TCP over IPv4 + Src IP addr: 10.0.0.1 mask: 0.0.0.0 + Dest IP addr: 0.0.0.0 mask: 255.255.255.255 + TOS: 0x0 mask: 0xff + Src port: 0 mask: 0xffff + Dest port: 0 mask: 0xffff + Action: Direct to queue 0 + +Filter: 1 + Rule Type: UDP over IPv4 + Src IP addr: 10.0.0.1 mask: 0.0.0.0 + Dest IP addr: 0.0.0.0 mask: 255.255.255.255 + TOS: 0x0 mask: 0xff + Src port: 0 mask: 0xffff + Dest port: 0 mask: 0xffff + Action: Direct to queue 0 + +Fixes: ada3e24b84a0 ("idpf: add flow steering support") +Signed-off-by: Erik Gabriel Carrillo +Co-developed-by: Sreedevi Joshi +Signed-off-by: Sreedevi Joshi +Reviewed-by: Przemek Kitszel +Reviewed-by: Aleksandr Loktionov +Reviewed-by: Simon Horman +Tested-by: Mina Almasry +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/idpf/idpf.h | 3 +- + .../net/ethernet/intel/idpf/idpf_ethtool.c | 59 ++++++++++++------- + 2 files changed, 40 insertions(+), 22 deletions(-) + +diff --git a/drivers/net/ethernet/intel/idpf/idpf.h b/drivers/net/ethernet/intel/idpf/idpf.h +index af8deb5fa80f0..df64d252b5642 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf.h ++++ b/drivers/net/ethernet/intel/idpf/idpf.h +@@ -284,8 +284,7 @@ struct idpf_port_stats { + + struct idpf_fsteer_fltr { + struct list_head list; +- u32 loc; +- u32 q_index; ++ struct ethtool_rx_flow_spec fs; + }; + + /** +diff --git a/drivers/net/ethernet/intel/idpf/idpf_ethtool.c b/drivers/net/ethernet/intel/idpf/idpf_ethtool.c +index 8477e7ba28706..8e9a93125b4aa 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_ethtool.c ++++ b/drivers/net/ethernet/intel/idpf/idpf_ethtool.c +@@ -38,11 +38,15 @@ static int idpf_get_rxnfc(struct net_device *netdev, struct ethtool_rxnfc *cmd, + cmd->data = idpf_fsteer_max_rules(vport); + 
break; + case ETHTOOL_GRXCLSRULE: +- err = -EINVAL; ++ err = -ENOENT; + spin_lock_bh(&vport_config->flow_steer_list_lock); + list_for_each_entry(f, &user_config->flow_steer_list, list) +- if (f->loc == cmd->fs.location) { +- cmd->fs.ring_cookie = f->q_index; ++ if (f->fs.location == cmd->fs.location) { ++ /* Avoid infoleak from padding: zero first, ++ * then assign fields ++ */ ++ memset(&cmd->fs, 0, sizeof(cmd->fs)); ++ cmd->fs = f->fs; + err = 0; + break; + } +@@ -56,7 +60,7 @@ static int idpf_get_rxnfc(struct net_device *netdev, struct ethtool_rxnfc *cmd, + err = -EMSGSIZE; + break; + } +- rule_locs[cnt] = f->loc; ++ rule_locs[cnt] = f->fs.location; + cnt++; + } + if (!err) +@@ -158,7 +162,7 @@ static int idpf_add_flow_steer(struct net_device *netdev, + struct idpf_vport *vport; + u32 flow_type, q_index; + u16 num_rxq; +- int err; ++ int err = 0; + + vport = idpf_netdev_to_vport(netdev); + vport_config = vport->adapter->vport_config[np->vport_idx]; +@@ -184,6 +188,29 @@ static int idpf_add_flow_steer(struct net_device *netdev, + if (!rule) + return -ENOMEM; + ++ fltr = kzalloc(sizeof(*fltr), GFP_KERNEL); ++ if (!fltr) { ++ err = -ENOMEM; ++ goto out_free_rule; ++ } ++ ++ /* detect duplicate entry and reject before adding rules */ ++ spin_lock_bh(&vport_config->flow_steer_list_lock); ++ list_for_each_entry(f, &user_config->flow_steer_list, list) { ++ if (f->fs.location == fsp->location) { ++ err = -EEXIST; ++ break; ++ } ++ ++ if (f->fs.location > fsp->location) ++ break; ++ parent = f; ++ } ++ spin_unlock_bh(&vport_config->flow_steer_list_lock); ++ ++ if (err) ++ goto out; ++ + rule->vport_id = cpu_to_le32(vport->vport_id); + rule->count = cpu_to_le32(1); + info = &rule->rule_info[0]; +@@ -222,28 +249,20 @@ static int idpf_add_flow_steer(struct net_device *netdev, + goto out; + } + +- fltr = kzalloc(sizeof(*fltr), GFP_KERNEL); +- if (!fltr) { +- err = -ENOMEM; +- goto out; +- } ++ /* Save a copy of the user's flow spec so ethtool can later retrieve it */ ++ 
fltr->fs = *fsp; + +- fltr->loc = fsp->location; +- fltr->q_index = q_index; + spin_lock_bh(&vport_config->flow_steer_list_lock); +- list_for_each_entry(f, &user_config->flow_steer_list, list) { +- if (f->loc >= fltr->loc) +- break; +- parent = f; +- } +- + parent ? list_add(&fltr->list, &parent->list) : + list_add(&fltr->list, &user_config->flow_steer_list); + + user_config->num_fsteer_fltrs++; + spin_unlock_bh(&vport_config->flow_steer_list_lock); ++ goto out_free_rule; + + out: ++ kfree(fltr); ++out_free_rule: + kfree(rule); + return err; + } +@@ -297,14 +316,14 @@ static int idpf_del_flow_steer(struct net_device *netdev, + spin_lock_bh(&vport_config->flow_steer_list_lock); + list_for_each_entry_safe(f, iter, + &user_config->flow_steer_list, list) { +- if (f->loc == fsp->location) { ++ if (f->fs.location == fsp->location) { + list_del(&f->list); + kfree(f); + user_config->num_fsteer_fltrs--; + goto out_unlock; + } + } +- err = -EINVAL; ++ err = -ENOENT; + + out_unlock: + spin_unlock_bh(&vport_config->flow_steer_list_lock); +-- +2.51.0 + diff --git a/queue-6.18/idpf-fix-memory-leak-in-idpf_vc_core_deinit.patch b/queue-6.18/idpf-fix-memory-leak-in-idpf_vc_core_deinit.patch new file mode 100644 index 0000000000..0270487831 --- /dev/null +++ b/queue-6.18/idpf-fix-memory-leak-in-idpf_vc_core_deinit.patch 
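Review bot: In idpf_add_flow_steer() the insertion point `parent` is found under flow_steer_list_lock, the lock is dropped for the virtchnl request, and `parent` is then reused in `list_add(&fltr->list, &parent->list)` once the lock is retaken. If any path can delete that entry in between, this dereferences a freed list node; presumably an outer lock held by the caller serialises list changes, but that is not visible in the hunk. I would either repeat the walk after retaking the lock or state the assumption at the first walk, e.g. `/* list cannot change until the insert below: serialised by <outer lock, to be confirmed> */`. Separately, in idpf_get_rxnfc() the `memset(&cmd->fs, 0, sizeof(cmd->fs))` is overwritten at once by the whole-struct assignment `cmd->fs = f->fs`, so it does not do what its "zero first, then assign fields" comment says; any padding that reaches user space is whatever f->fs holds.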
@@ -0,0 +1,62 @@
+From a399f1e201af2823b557936b509a83cdf14fce29 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 Nov 2025 16:12:17 -0800
+Subject: idpf: fix memory leak in idpf_vc_core_deinit()
+
+From: Emil Tantilov
+
+[ Upstream commit e111cbc4adf9f9974eed040aeece7e17460f6bff ]
+
+Make sure to free hw->lan_regs. Reported by kmemleak during reset:
+
+unreferenced object 0xff1b913d02a936c0 (size 96):
+ comm "kworker/u258:14", pid 2174, jiffies 4294958305
+ hex dump (first 32 bytes):
+ 00 00 00 c0 a8 ba 2d ff 00 00 00 00 00 00 00 00 ......-.........
+ 00 00 40 08 00 00 00 00 00 00 25 b3 a8 ba 2d ff ..@.......%...-.
+ backtrace (crc 36063c4f):
+ __kmalloc_noprof+0x48f/0x890
+ idpf_vc_core_init+0x6ce/0x9b0 [idpf]
+ idpf_vc_event_task+0x1fb/0x350 [idpf]
+ process_one_work+0x226/0x6d0
+ worker_thread+0x19e/0x340
+ kthread+0x10f/0x250
+ ret_from_fork+0x251/0x2b0
+ ret_from_fork_asm+0x1a/0x30
+
+Fixes: 6aa53e861c1a ("idpf: implement get LAN MMIO memory regions")
+Signed-off-by: Emil Tantilov
+Reviewed-by: Aleksandr Loktionov
+Reviewed-by: Joshua Hay
+Tested-by: Samuel Salin
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/idpf/idpf_virtchnl.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c
+index 5bbe7d9294c14..01bbd12a642a0 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c
++++ b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c
+@@ -3570,6 +3570,7 @@ int idpf_vc_core_init(struct idpf_adapter *adapter)
+ */
+ void idpf_vc_core_deinit(struct idpf_adapter *adapter)
+ {
++ struct idpf_hw *hw = &adapter->hw;
+ bool remove_in_prog;
+
+ if (!test_bit(IDPF_VC_CORE_INIT, adapter->flags))
+@@ -3593,6 +3594,9 @@ void idpf_vc_core_deinit(struct idpf_adapter *adapter)
+
+ idpf_vport_params_buf_rel(adapter);
+
++ kfree(hw->lan_regs);
++ hw->lan_regs = NULL;
++
+ kfree(adapter->vports);
+ adapter->vports = NULL;
+
+--
+2.51.0
+
diff --git a/queue-6.18/idpf-fix-memory-leak-in-idpf_vport_rel.patch b/queue-6.18/idpf-fix-memory-leak-in-idpf_vport_rel.patch
new file mode 100644
index 0000000000..8b1cb0e6ed
--- /dev/null
+++ b/queue-6.18/idpf-fix-memory-leak-in-idpf_vport_rel.patch
@@ -0,0 +1,54 @@
+From 7082071cb84975afb16c5b8596cc04b82419c4e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 Nov 2025 16:12:16 -0800
+Subject: idpf: fix memory leak in idpf_vport_rel()
+
+From: Emil Tantilov
+
+[ Upstream commit f6242b354605faff263ca45882b148200915a3f6 ]
+
+Free vport->rx_ptype_lkup in idpf_vport_rel() to avoid leaking memory
+during a reset. Reported by kmemleak:
+
+unreferenced object 0xff450acac838a000 (size 4096):
+ comm "kworker/u258:5", pid 7732, jiffies 4296830044
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 10 00 00 00 10 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 ................
+ backtrace (crc 3da81902):
+ __kmalloc_cache_noprof+0x469/0x7a0
+ idpf_send_get_rx_ptype_msg+0x90/0x570 [idpf]
+ idpf_init_task+0x1ec/0x8d0 [idpf]
+ process_one_work+0x226/0x6d0
+ worker_thread+0x19e/0x340
+ kthread+0x10f/0x250
+ ret_from_fork+0x251/0x2b0
+ ret_from_fork_asm+0x1a/0x30
+
+Fixes: 0fe45467a104 ("idpf: add create vport and netdev configuration")
+Signed-off-by: Emil Tantilov
+Reviewed-by: Aleksandr Loktionov
+Reviewed-by: Madhu Chittim
+Tested-by: Samuel Salin
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/idpf/idpf_lib.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_lib.c b/drivers/net/ethernet/intel/idpf/idpf_lib.c
+index a964e0f5891eb..04af10cfaa8cb 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_lib.c
++++ b/drivers/net/ethernet/intel/idpf/idpf_lib.c
+@@ -1082,6 +1082,8 @@ static void idpf_vport_rel(struct idpf_vport *vport)
+ kfree(adapter->vport_config[idx]->req_qs_chunks);
+ adapter->vport_config[idx]->req_qs_chunks = NULL;
+ }
++ kfree(vport->rx_ptype_lkup);
++ vport->rx_ptype_lkup = NULL;
+ kfree(vport);
+ adapter->num_alloc_vports--;
+ }
+--
+2.51.0
+
diff --git a/queue-6.18/idpf-fix-memory-leak-of-flow-steer-list-on-rmmod.patch b/queue-6.18/idpf-fix-memory-leak-of-flow-steer-list-on-rmmod.patch
new file mode 100644
index 0000000000..2e7a5dd00f
--- /dev/null
+++ b/queue-6.18/idpf-fix-memory-leak-of-flow-steer-list-on-rmmod.patch
@@ -0,0 +1,195 @@ +From de0870497fc20162be47318287aaf87b5cf9b9cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Sep 2025 16:23:51 -0500 +Subject: idpf: fix memory leak of flow steer list on rmmod + +From: Sreedevi Joshi + +[ Upstream commit f9841bd28b600526ca4f6713b0ca49bf7bb98452 ] + +The flow steering list maintains entries that are added and removed as +ethtool creates and deletes flow steering rules. Module removal with active +entries causes memory leak as the list is not properly cleaned up. + +Prevent this by iterating through the remaining entries in the list and +freeing the associated memory during module removal. Add a spinlock +(flow_steer_list_lock) to protect the list access from multiple threads. + +Fixes: ada3e24b84a0 ("idpf: add flow steering support") +Reviewed-by: Przemek Kitszel +Reviewed-by: Aleksandr Loktionov +Signed-off-by: Sreedevi Joshi +Reviewed-by: Simon Horman +Tested-by: Mina Almasry +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/idpf/idpf.h | 2 ++ + .../net/ethernet/intel/idpf/idpf_ethtool.c | 15 ++++++++-- + drivers/net/ethernet/intel/idpf/idpf_lib.c | 28 ++++++++++++++++++- + 3 files changed, 42 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/idpf/idpf.h b/drivers/net/ethernet/intel/idpf/idpf.h +index 64142f8163fed..af8deb5fa80f0 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf.h ++++ b/drivers/net/ethernet/intel/idpf/idpf.h +@@ -558,6 +558,7 @@ struct idpf_vector_lifo { + * @max_q: Maximum possible queues + * @req_qs_chunks: Queue chunk data for requested queues + * @mac_filter_list_lock: Lock to protect mac filters ++ * @flow_steer_list_lock: Lock to protect fsteer filters + * @flags: See enum idpf_vport_config_flags + */ + struct idpf_vport_config { +@@ -565,6 +566,7 @@ struct idpf_vport_config { + struct idpf_vport_max_q max_q; + struct virtchnl2_add_queues *req_qs_chunks; + spinlock_t mac_filter_list_lock; ++ spinlock_t flow_steer_list_lock; + 
DECLARE_BITMAP(flags, IDPF_VPORT_CONFIG_FLAGS_NBITS); + }; + +diff --git a/drivers/net/ethernet/intel/idpf/idpf_ethtool.c b/drivers/net/ethernet/intel/idpf/idpf_ethtool.c +index eed166bc46f38..8477e7ba28706 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_ethtool.c ++++ b/drivers/net/ethernet/intel/idpf/idpf_ethtool.c +@@ -18,6 +18,7 @@ static int idpf_get_rxnfc(struct net_device *netdev, struct ethtool_rxnfc *cmd, + { + struct idpf_netdev_priv *np = netdev_priv(netdev); + struct idpf_vport_user_config_data *user_config; ++ struct idpf_vport_config *vport_config; + struct idpf_fsteer_fltr *f; + struct idpf_vport *vport; + unsigned int cnt = 0; +@@ -25,7 +26,8 @@ static int idpf_get_rxnfc(struct net_device *netdev, struct ethtool_rxnfc *cmd, + + idpf_vport_ctrl_lock(netdev); + vport = idpf_netdev_to_vport(netdev); +- user_config = &np->adapter->vport_config[np->vport_idx]->user_config; ++ vport_config = np->adapter->vport_config[np->vport_idx]; ++ user_config = &vport_config->user_config; + + switch (cmd->cmd) { + case ETHTOOL_GRXRINGS: +@@ -37,15 +39,18 @@ static int idpf_get_rxnfc(struct net_device *netdev, struct ethtool_rxnfc *cmd, + break; + case ETHTOOL_GRXCLSRULE: + err = -EINVAL; ++ spin_lock_bh(&vport_config->flow_steer_list_lock); + list_for_each_entry(f, &user_config->flow_steer_list, list) + if (f->loc == cmd->fs.location) { + cmd->fs.ring_cookie = f->q_index; + err = 0; + break; + } ++ spin_unlock_bh(&vport_config->flow_steer_list_lock); + break; + case ETHTOOL_GRXCLSRLALL: + cmd->data = idpf_fsteer_max_rules(vport); ++ spin_lock_bh(&vport_config->flow_steer_list_lock); + list_for_each_entry(f, &user_config->flow_steer_list, list) { + if (cnt == cmd->rule_cnt) { + err = -EMSGSIZE; +@@ -56,6 +61,7 @@ static int idpf_get_rxnfc(struct net_device *netdev, struct ethtool_rxnfc *cmd, + } + if (!err) + cmd->rule_cnt = user_config->num_fsteer_fltrs; ++ spin_unlock_bh(&vport_config->flow_steer_list_lock); + break; + default: + break; +@@ -224,6 +230,7 @@ 
static int idpf_add_flow_steer(struct net_device *netdev, + + fltr->loc = fsp->location; + fltr->q_index = q_index; ++ spin_lock_bh(&vport_config->flow_steer_list_lock); + list_for_each_entry(f, &user_config->flow_steer_list, list) { + if (f->loc >= fltr->loc) + break; +@@ -234,6 +241,7 @@ static int idpf_add_flow_steer(struct net_device *netdev, + list_add(&fltr->list, &user_config->flow_steer_list); + + user_config->num_fsteer_fltrs++; ++ spin_unlock_bh(&vport_config->flow_steer_list_lock); + + out: + kfree(rule); +@@ -286,17 +294,20 @@ static int idpf_del_flow_steer(struct net_device *netdev, + goto out; + } + ++ spin_lock_bh(&vport_config->flow_steer_list_lock); + list_for_each_entry_safe(f, iter, + &user_config->flow_steer_list, list) { + if (f->loc == fsp->location) { + list_del(&f->list); + kfree(f); + user_config->num_fsteer_fltrs--; +- goto out; ++ goto out_unlock; + } + } + err = -EINVAL; + ++out_unlock: ++ spin_unlock_bh(&vport_config->flow_steer_list_lock); + out: + kfree(rule); + return err; +diff --git a/drivers/net/ethernet/intel/idpf/idpf_lib.c b/drivers/net/ethernet/intel/idpf/idpf_lib.c +index e2ee8b137421f..d56366e676cf7 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_lib.c ++++ b/drivers/net/ethernet/intel/idpf/idpf_lib.c +@@ -442,6 +442,29 @@ int idpf_intr_req(struct idpf_adapter *adapter) + return err; + } + ++/** ++ * idpf_del_all_flow_steer_filters - Delete all flow steer filters in list ++ * @vport: main vport struct ++ * ++ * Takes flow_steer_list_lock spinlock. 
Deletes all filters ++ */ ++static void idpf_del_all_flow_steer_filters(struct idpf_vport *vport) ++{ ++ struct idpf_vport_config *vport_config; ++ struct idpf_fsteer_fltr *f, *ftmp; ++ ++ vport_config = vport->adapter->vport_config[vport->idx]; ++ ++ spin_lock_bh(&vport_config->flow_steer_list_lock); ++ list_for_each_entry_safe(f, ftmp, &vport_config->user_config.flow_steer_list, ++ list) { ++ list_del(&f->list); ++ kfree(f); ++ } ++ vport_config->user_config.num_fsteer_fltrs = 0; ++ spin_unlock_bh(&vport_config->flow_steer_list_lock); ++} ++ + /** + * idpf_find_mac_filter - Search filter list for specific mac filter + * @vconfig: Vport config structure +@@ -1107,8 +1130,10 @@ static void idpf_vport_dealloc(struct idpf_vport *vport) + idpf_vport_stop(vport, true); + idpf_decfg_netdev(vport); + } +- if (test_bit(IDPF_REMOVE_IN_PROG, adapter->flags)) ++ if (test_bit(IDPF_REMOVE_IN_PROG, adapter->flags)) { + idpf_del_all_mac_filters(vport); ++ idpf_del_all_flow_steer_filters(vport); ++ } + + if (adapter->netdevs[i]) { + struct idpf_netdev_priv *np = netdev_priv(adapter->netdevs[i]); +@@ -1648,6 +1673,7 @@ void idpf_init_task(struct work_struct *work) + vport_config = adapter->vport_config[index]; + + spin_lock_init(&vport_config->mac_filter_list_lock); ++ spin_lock_init(&vport_config->flow_steer_list_lock); + + INIT_LIST_HEAD(&vport_config->user_config.mac_filter_list); + INIT_LIST_HEAD(&vport_config->user_config.flow_steer_list); +-- +2.51.0 + diff --git a/queue-6.18/idpf-fix-rss-lut-configuration-on-down-interfaces.patch b/queue-6.18/idpf-fix-rss-lut-configuration-on-down-interfaces.patch new file mode 100644 index 0000000000..6dc8025b50 --- /dev/null +++ b/queue-6.18/idpf-fix-rss-lut-configuration-on-down-interfaces.patch 
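Review bot: The kernel-doc for idpf_del_all_flow_steer_filters() does not say that it frees only the driver's list entries; the body sends no virtchnl delete, so rules already programmed in the device are left as they are. That looks intentional, since the only caller added here runs it under IDPF_REMOVE_IN_PROG, but the header should say so to keep the helper from being reused on a live vport. I would add to the comment block: `* Frees the driver's list only; no virtchnl delete is sent, so use it on remove only.`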
@@ -0,0 +1,100 @@
+From ac03729cd114a3889a1e773c4930c410c5d605a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 24 Nov 2025 12:47:49 -0600
+Subject: idpf: Fix RSS LUT configuration on down interfaces
+
+From: Sreedevi Joshi
+
+[ Upstream commit 445b49d13787da2fe8d51891ee196e5077feef44 ]
+
+RSS LUT provisioning and queries on a down interface currently return
+silently without effect. Users should be able to configure RSS settings
+even when the interface is down.
+
+Fix by maintaining RSS configuration changes in the driver's soft copy and
+deferring HW programming until the interface comes up.
+
+Fixes: 02cbfba1add5 ("idpf: add ethtool callbacks")
+Signed-off-by: Sreedevi Joshi
+Reviewed-by: Aleksandr Loktionov
+Reviewed-by: Sridhar Samudrala
+Reviewed-by: Emil Tantilov
+Tested-by: Samuel Salin
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/idpf/idpf_ethtool.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_ethtool.c b/drivers/net/ethernet/intel/idpf/idpf_ethtool.c
+index 8e9a93125b4aa..3e191cf528b69 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_ethtool.c
++++ b/drivers/net/ethernet/intel/idpf/idpf_ethtool.c
+@@ -395,7 +395,10 @@ static u32 idpf_get_rxfh_indir_size(struct net_device *netdev)
+ * @netdev: network interface device structure
+ * @rxfh: pointer to param struct (indir, key, hfunc)
+ *
+- * Reads the indirection table directly from the hardware. Always returns 0.
++ * RSS LUT and Key information are read from driver's cached
++ * copy. When rxhash is off, rss lut will be displayed as zeros.
++ *
++ * Return: 0 on success, -errno otherwise.
+ */
+ static int idpf_get_rxfh(struct net_device *netdev,
+ struct ethtool_rxfh_param *rxfh)
+@@ -403,10 +406,13 @@ static int idpf_get_rxfh(struct net_device *netdev,
+ struct idpf_netdev_priv *np = netdev_priv(netdev);
+ struct idpf_rss_data *rss_data;
+ struct idpf_adapter *adapter;
++ struct idpf_vport *vport;
++ bool rxhash_ena;
+ int err = 0;
+ u16 i;
+
+ idpf_vport_ctrl_lock(netdev);
++ vport = idpf_netdev_to_vport(netdev);
+
+ adapter = np->adapter;
+
+@@ -416,9 +422,8 @@ static int idpf_get_rxfh(struct net_device *netdev,
+ }
+
+ rss_data = &adapter->vport_config[np->vport_idx]->user_config.rss_data;
+- if (!test_bit(IDPF_VPORT_UP, np->state))
+- goto unlock_mutex;
+
++ rxhash_ena = idpf_is_feature_ena(vport, NETIF_F_RXHASH);
+ rxfh->hfunc = ETH_RSS_HASH_TOP;
+
+ if (rxfh->key)
+@@ -426,7 +431,7 @@ static int idpf_get_rxfh(struct net_device *netdev,
+
+ if (rxfh->indir) {
+ for (i = 0; i < rss_data->rss_lut_size; i++)
+- rxfh->indir[i] = rss_data->rss_lut[i];
++ rxfh->indir[i] = rxhash_ena ? rss_data->rss_lut[i] : 0;
+ }
+
+ unlock_mutex:
+@@ -466,8 +471,6 @@ static int idpf_set_rxfh(struct net_device *netdev,
+ }
+
+ rss_data = &adapter->vport_config[vport->idx]->user_config.rss_data;
+- if (!test_bit(IDPF_VPORT_UP, np->state))
+- goto unlock_mutex;
+
+ if (rxfh->hfunc != ETH_RSS_HASH_NO_CHANGE &&
+ rxfh->hfunc != ETH_RSS_HASH_TOP) {
+@@ -483,7 +486,8 @@ static int idpf_set_rxfh(struct net_device *netdev,
+ rss_data->rss_lut[lut] = rxfh->indir[lut];
+ }
+
+- err = idpf_config_rss(vport);
++ if (test_bit(IDPF_VPORT_UP, np->state))
++ err = idpf_config_rss(vport);
+
+ unlock_mutex:
+ idpf_vport_ctrl_unlock(netdev);
+--
+2.51.0
+
diff --git a/queue-6.18/idpf-fix-rss-lut-null-pointer-crash-on-early-ethtool.patch b/queue-6.18/idpf-fix-rss-lut-null-pointer-crash-on-early-ethtool.patch
new file mode 100644
index 0000000000..99e759e026
--- /dev/null
+++ b/queue-6.18/idpf-fix-rss-lut-null-pointer-crash-on-early-ethtool.patch
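Review bot: With the IDPF_VPORT_UP early exit removed, idpf_get_rxfh() now dereferences `vport` through `idpf_is_feature_ena(vport, NETIF_F_RXHASH)` on a down interface, and nothing in the hunk checks that idpf_netdev_to_vport() returned a usable pointer. If the vport can be absent while the netdev still exists (for example during a reset; not visible here), the old silent return becomes a NULL dereference reachable from ethtool. Assuming the helper only reads the netdev feature mask, `rxhash_ena = !!(netdev->features & NETIF_F_RXHASH);` avoids the vport altogether. The loop over `rss_data->rss_lut` also relies on the LUT being allocated before the first open, which this patch does not establish by itself. Both function bodies extend beyond the hunks.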
@@ -0,0 +1,407 @@
+From 7f174e16516d16f7c18fbe258fe098a33f106a01 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 24 Nov 2025 12:47:48 -0600
+Subject: idpf: Fix RSS LUT NULL pointer crash on early ethtool operations
+
+From: Sreedevi Joshi
+
+[ Upstream commit 83f38f210b85676f40ba8586b5a8edae19b56995 ]
+
+The RSS LUT is not initialized until the interface comes up, causing
+the following NULL pointer crash when ethtool operations like rxhash on/off
+are performed before the interface is brought up for the first time.
+
+Move RSS LUT initialization from ndo_open to vport creation to ensure LUT
+is always available. This enables RSS configuration via ethtool before
+bringing the interface up. Simplify LUT management by maintaining all
+changes in the driver's soft copy and programming zeros to the indirection
+table when rxhash is disabled. Defer HW programming until the interface
+comes up if it is down during rxhash and LUT configuration changes.
+
+Steps to reproduce:
+** Load idpf driver; interfaces will be created
+ modprobe idpf
+** Before bringing the interfaces up, turn rxhash off
+ ethtool -K eth2 rxhash off
+
+[89408.371875] BUG: kernel NULL pointer dereference, address: 0000000000000000
+[89408.371908] #PF: supervisor read access in kernel mode
+[89408.371924] #PF: error_code(0x0000) - not-present page
+[89408.371940] PGD 0 P4D 0
+[89408.371953] Oops: Oops: 0000 [#1] SMP NOPTI
+
+[89408.372052] RIP: 0010:memcpy_orig+0x16/0x130
+[89408.372310] Call Trace:
+[89408.372317]
+[89408.372326] ? idpf_set_features+0xfc/0x180 [idpf]
+[89408.372363] __netdev_update_features+0x295/0xde0
+[89408.372384] ethnl_set_features+0x15e/0x460
+[89408.372406] genl_family_rcv_msg_doit+0x11f/0x180
+[89408.372429] genl_rcv_msg+0x1ad/0x2b0
+[89408.372446] ? __pfx_ethnl_set_features+0x10/0x10
+[89408.372465] ? __pfx_genl_rcv_msg+0x10/0x10
+[89408.372482] netlink_rcv_skb+0x58/0x100
+[89408.372502] genl_rcv+0x2c/0x50
+[89408.372516] netlink_unicast+0x289/0x3e0
+[89408.372533] netlink_sendmsg+0x215/0x440
+[89408.372551] __sys_sendto+0x234/0x240
+[89408.372571] __x64_sys_sendto+0x28/0x30
+[89408.372585] x64_sys_call+0x1909/0x1da0
+[89408.372604] do_syscall_64+0x7a/0xfa0
+[89408.373140] ? clear_bhb_loop+0x60/0xb0
+[89408.373647] entry_SYSCALL_64_after_hwframe+0x76/0x7e
+[89408.378887]
+
+
+Fixes: a251eee62133 ("idpf: add SRIOV support and other ndo_ops")
+Signed-off-by: Sreedevi Joshi
+Reviewed-by: Sridhar Samudrala
+Reviewed-by: Emil Tantilov
+Reviewed-by: Aleksandr Loktionov
+Reviewed-by: Paul Menzel
+Reviewed-by: Simon Horman
+Tested-by: Samuel Salin
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/idpf/idpf.h | 2 -
+ drivers/net/ethernet/intel/idpf/idpf_lib.c | 94 +++++++++----------
+ drivers/net/ethernet/intel/idpf/idpf_txrx.c | 36 +++----
+ drivers/net/ethernet/intel/idpf/idpf_txrx.h | 4 +-
+ .../net/ethernet/intel/idpf/idpf_virtchnl.c | 9 +-
+ 5 files changed, 66 insertions(+), 79 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/idpf/idpf.h b/drivers/net/ethernet/intel/idpf/idpf.h
+index df64d252b5642..c74c47bc0b9b9 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf.h
++++ b/drivers/net/ethernet/intel/idpf/idpf.h
+@@ -423,14 +423,12 @@ enum idpf_user_flags {
+ * @rss_key: RSS hash key
+ * @rss_lut_size: Size of RSS lookup table
+ * @rss_lut: RSS lookup table
+- * @cached_lut: Used to restore previously init RSS lut
+ */
+ struct idpf_rss_data {
+ u16 rss_key_size;
+ u8 *rss_key;
+ u16 rss_lut_size;
+ u32 *rss_lut;
+- u32 *cached_lut;
+ };
+
+ /**
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_lib.c b/drivers/net/ethernet/intel/idpf/idpf_lib.c
+index d56366e676cf7..51716e5a84ef3 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_lib.c
++++ b/drivers/net/ethernet/intel/idpf/idpf_lib.c
+@@ -1073,7 +1073,7 @@ static void idpf_vport_rel(struct idpf_vport *vport)
+ u16 idx = vport->idx;
+
+ vport_config = adapter->vport_config[vport->idx];
+- idpf_deinit_rss(vport);
++ idpf_deinit_rss_lut(vport);
+ rss_data = &vport_config->user_config.rss_data;
+ kfree(rss_data->rss_key);
+ rss_data->rss_key = NULL;
+@@ -1226,6 +1226,7 @@ static struct idpf_vport *idpf_vport_alloc(struct idpf_adapter *adapter,
+ u16 idx = adapter->next_vport;
+ struct idpf_vport *vport;
+ u16 num_max_q;
++ int err;
+
+ if (idx == IDPF_NO_FREE_SLOT)
+ return NULL;
+@@ -1276,10 +1277,11 @@ static struct idpf_vport *idpf_vport_alloc(struct idpf_adapter *adapter,
+
+ idpf_vport_init(vport, max_q);
+
+- /* This alloc is done separate from the LUT because it's not strictly
+- * dependent on how many queues we have. If we change number of queues
+- * and soft reset we'll need a new LUT but the key can remain the same
+- * for as long as the vport exists.
++ /* LUT and key are both initialized here. Key is not strictly dependent
++ * on how many queues we have. If we change number of queues and soft
++ * reset is initiated, LUT will be freed and a new LUT will be allocated
++ * as per the updated number of queues during vport bringup. However,
++ * the key remains the same for as long as the vport exists.
+ */
+ rss_data = &adapter->vport_config[idx]->user_config.rss_data;
+ rss_data->rss_key = kzalloc(rss_data->rss_key_size, GFP_KERNEL);
+@@ -1289,6 +1291,11 @@ static struct idpf_vport *idpf_vport_alloc(struct idpf_adapter *adapter,
+ /* Initialize default rss key */
+ netdev_rss_key_fill((void *)rss_data->rss_key, rss_data->rss_key_size);
+
++ /* Initialize default rss LUT */
++ err = idpf_init_rss_lut(vport);
++ if (err)
++ goto free_rss_key;
++
+ /* fill vport slot in the adapter struct */
+ adapter->vports[idx] = vport;
+ adapter->vport_ids[idx] = idpf_get_vport_id(vport);
+@@ -1299,6 +1306,8 @@ static struct idpf_vport *idpf_vport_alloc(struct idpf_adapter *adapter,
+
+ return vport;
+
++free_rss_key:
++ kfree(rss_data->rss_key);
+ free_vector_idxs:
+ kfree(vport->q_vector_idxs);
+ free_vport:
+@@ -1476,6 +1485,7 @@ static int idpf_vport_open(struct idpf_vport *vport, bool rtnl)
+ struct idpf_netdev_priv *np = netdev_priv(vport->netdev);
+ struct idpf_adapter *adapter = vport->adapter;
+ struct idpf_vport_config *vport_config;
++ struct idpf_rss_data *rss_data;
+ int err;
+
+ if (test_bit(IDPF_VPORT_UP, np->state))
+@@ -1570,12 +1580,21 @@ static int idpf_vport_open(struct idpf_vport *vport, bool rtnl)
+ idpf_restore_features(vport);
+
+ vport_config = adapter->vport_config[vport->idx];
+- if (vport_config->user_config.rss_data.rss_lut)
+- err = idpf_config_rss(vport);
+- else
+- err = idpf_init_rss(vport);
++ rss_data = &vport_config->user_config.rss_data;
++
++ if (!rss_data->rss_lut) {
++ err = idpf_init_rss_lut(vport);
++ if (err) {
++ dev_err(&adapter->pdev->dev,
++ "Failed to initialize RSS LUT for vport %u: %d\n",
++ vport->vport_id, err);
++ goto disable_vport;
++ }
++ }
++
++ err = idpf_config_rss(vport);
+ if (err) {
+- dev_err(&adapter->pdev->dev, "Failed to initialize RSS for vport %u: %d\n",
++ dev_err(&adapter->pdev->dev, "Failed to configure RSS for vport %u: %d\n",
+ vport->vport_id, err);
+ goto disable_vport;
+ }
+@@ -1584,7 +1603,7 @@ static int idpf_vport_open(struct idpf_vport *vport, bool rtnl)
+ if (err) {
+ dev_err(&adapter->pdev->dev, "Failed to complete interface up for vport %u: %d\n",
+ vport->vport_id, err);
+- goto deinit_rss;
++ goto disable_vport;
+ }
+
+ if (rtnl)
+@@ -1592,8 +1611,6 @@ static int idpf_vport_open(struct idpf_vport *vport, bool rtnl)
+
+ return 0;
+
+-deinit_rss:
+- idpf_deinit_rss(vport);
+ disable_vport:
+ idpf_send_disable_vport_msg(vport);
+ disable_queues:
+@@ -2051,7 +2068,7 @@ int idpf_initiate_soft_reset(struct idpf_vport *vport,
+ idpf_vport_stop(vport, false);
+ }
+
+- idpf_deinit_rss(vport);
++ idpf_deinit_rss_lut(vport);
+ /* We're passing in vport here because we need its wait_queue
+ * to send a message and it should be getting all the vport
+ * config data out of the adapter but we need to be careful not
+@@ -2219,40 +2236,6 @@ static void idpf_set_rx_mode(struct net_device *netdev)
+ dev_err(dev, "Failed to set promiscuous mode: %d\n", err);
+ }
+
+-/**
+- * idpf_vport_manage_rss_lut - disable/enable RSS
+- * @vport: the vport being changed
+- *
+- * In the event of disable request for RSS, this function will zero out RSS
+- * LUT, while in the event of enable request for RSS, it will reconfigure RSS
+- * LUT with the default LUT configuration.
+- */
+-static int idpf_vport_manage_rss_lut(struct idpf_vport *vport)
+-{
+- bool ena = idpf_is_feature_ena(vport, NETIF_F_RXHASH);
+- struct idpf_rss_data *rss_data;
+- u16 idx = vport->idx;
+- int lut_size;
+-
+- rss_data = &vport->adapter->vport_config[idx]->user_config.rss_data;
+- lut_size = rss_data->rss_lut_size * sizeof(u32);
+-
+- if (ena) {
+- /* This will contain the default or user configured LUT */
+- memcpy(rss_data->rss_lut, rss_data->cached_lut, lut_size);
+- } else {
+- /* Save a copy of the current LUT to be restored later if
+- * requested.
+- */
+- memcpy(rss_data->cached_lut, rss_data->rss_lut, lut_size);
+-
+- /* Zero out the current LUT to disable */
+- memset(rss_data->rss_lut, 0, lut_size);
+- }
+-
+- return idpf_config_rss(vport);
+-}
+-
+ /**
+ * idpf_set_features - set the netdev feature flags
+ * @netdev: ptr to the netdev being adjusted
+@@ -2278,10 +2261,19 @@ static int idpf_set_features(struct net_device *netdev,
+ }
+
+ if (changed & NETIF_F_RXHASH) {
++ struct idpf_netdev_priv *np = netdev_priv(netdev);
++
+ netdev->features ^= NETIF_F_RXHASH;
+- err = idpf_vport_manage_rss_lut(vport);
+- if (err)
+- goto unlock_mutex;
++
++ /* If the interface is not up when changing the rxhash, update
++ * to the HW is skipped. The updated LUT will be committed to
++ * the HW when the interface is brought up.
++ */
++ if (test_bit(IDPF_VPORT_UP, np->state)) {
++ err = idpf_config_rss(vport);
++ if (err)
++ goto unlock_mutex;
++ }
+ }
+
+ if (changed & NETIF_F_GRO_HW) {
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_txrx.c b/drivers/net/ethernet/intel/idpf/idpf_txrx.c
+index 1993a3b0da59b..39553689ffdbf 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.c
++++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.c
+@@ -4650,57 +4650,47 @@ static void idpf_fill_dflt_rss_lut(struct idpf_vport *vport)
+
+ rss_data = &adapter->vport_config[vport->idx]->user_config.rss_data;
+
+- for (i = 0; i < rss_data->rss_lut_size; i++) {
++ for (i = 0; i < rss_data->rss_lut_size; i++)
+ rss_data->rss_lut[i] = i % num_active_rxq;
+- rss_data->cached_lut[i] = rss_data->rss_lut[i];
+- }
+ }
+
+ /**
+- * idpf_init_rss - Allocate and initialize RSS resources
++ * idpf_init_rss_lut - Allocate and initialize RSS LUT
+ * @vport: virtual port
+ *
+- * Return 0 on success, negative on failure
++ * Return: 0 on success, negative on failure
+ */
+-int idpf_init_rss(struct idpf_vport *vport)
++int idpf_init_rss_lut(struct idpf_vport *vport)
+ {
+ struct idpf_adapter *adapter = vport->adapter;
+ struct idpf_rss_data *rss_data;
+- u32 lut_size;
+
+ rss_data = &adapter->vport_config[vport->idx]->user_config.rss_data;
++ if (!rss_data->rss_lut) {
++ u32 lut_size;
+
+- lut_size = rss_data->rss_lut_size * sizeof(u32);
+- rss_data->rss_lut = kzalloc(lut_size, GFP_KERNEL);
+- if (!rss_data->rss_lut)
+- return -ENOMEM;
+-
+- rss_data->cached_lut = kzalloc(lut_size, GFP_KERNEL);
+- if (!rss_data->cached_lut) {
+- kfree(rss_data->rss_lut);
+- rss_data->rss_lut = NULL;
+-
+- return -ENOMEM;
++ lut_size = rss_data->rss_lut_size * sizeof(u32);
++ rss_data->rss_lut = kzalloc(lut_size, GFP_KERNEL);
++ if (!rss_data->rss_lut)
++ return -ENOMEM;
+ }
+
+ /* Fill the default RSS lut values */
+ idpf_fill_dflt_rss_lut(vport);
+
+- return idpf_config_rss(vport);
++ return 0;
+ }
+
+ /**
+- * idpf_deinit_rss - Release RSS resources
++ * idpf_deinit_rss_lut - Release RSS LUT
+ * @vport: virtual port
+ */
+-void idpf_deinit_rss(struct idpf_vport *vport)
++void idpf_deinit_rss_lut(struct idpf_vport *vport)
+ {
+ struct idpf_adapter *adapter = vport->adapter;
+ struct idpf_rss_data *rss_data;
+
+ rss_data = &adapter->vport_config[vport->idx]->user_config.rss_data;
+- kfree(rss_data->cached_lut);
+- rss_data->cached_lut = NULL;
+ kfree(rss_data->rss_lut);
+ rss_data->rss_lut = NULL;
+ }
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_txrx.h b/drivers/net/ethernet/intel/idpf/idpf_txrx.h
+index 75b977094741f..7d20593bd8778 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.h
++++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.h
+@@ -1086,8 +1086,8 @@ void idpf_vport_intr_deinit(struct idpf_vport *vport);
+ int idpf_vport_intr_init(struct idpf_vport *vport);
+ void idpf_vport_intr_ena(struct idpf_vport *vport);
+ int idpf_config_rss(struct idpf_vport *vport);
+-int idpf_init_rss(struct idpf_vport *vport);
+-void idpf_deinit_rss(struct idpf_vport *vport);
++int idpf_init_rss_lut(struct idpf_vport *vport);
++void idpf_deinit_rss_lut(struct idpf_vport *vport);
+ int idpf_rx_bufs_init_all(struct idpf_vport *vport);
+
+ struct idpf_q_vector *idpf_find_rxq_vec(const struct idpf_vport *vport,
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c
+index 01bbd12a642a0..cb702eac86c80 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c
++++ b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c
+@@ -2804,6 +2804,10 @@ int idpf_send_get_stats_msg(struct idpf_vport *vport)
+ * @vport: virtual port data structure
+ * @get: flag to set or get rss look up table
+ *
++ * When rxhash is disabled, RSS LUT will be configured with zeros. If rxhash
++ * is enabled, the LUT values stored in driver's soft copy will be used to setup
++ * the HW.
++ *
+ * Returns 0 on success, negative on failure.
+ */
+ int idpf_send_get_set_rss_lut_msg(struct idpf_vport *vport, bool get)
+@@ -2814,10 +2818,12 @@ int idpf_send_get_set_rss_lut_msg(struct idpf_vport *vport, bool get)
+ struct idpf_rss_data *rss_data;
+ int buf_size, lut_buf_size;
+ ssize_t reply_sz;
++ bool rxhash_ena;
+ int i;
+
+ rss_data =
+ &vport->adapter->vport_config[vport->idx]->user_config.rss_data;
++ rxhash_ena = idpf_is_feature_ena(vport, NETIF_F_RXHASH);
+ buf_size = struct_size(rl, lut, rss_data->rss_lut_size);
+ rl = kzalloc(buf_size, GFP_KERNEL);
+ if (!rl)
+@@ -2839,7 +2845,8 @@ int idpf_send_get_set_rss_lut_msg(struct idpf_vport *vport, bool get)
+ } else {
+ rl->lut_entries = cpu_to_le16(rss_data->rss_lut_size);
+ for (i = 0; i < rss_data->rss_lut_size; i++)
+- rl->lut[i] = cpu_to_le32(rss_data->rss_lut[i]);
++ rl->lut[i] = rxhash_ena ?
++ cpu_to_le32(rss_data->rss_lut[i]) : 0;
+
+ xn_params.vc_op = VIRTCHNL2_OP_SET_RSS_LUT;
+ }
+--
+2.51.0
+
diff --git a/queue-6.18/idpf-fix-rss-lut-null-ptr-issue-after-soft-reset.patch b/queue-6.18/idpf-fix-rss-lut-null-ptr-issue-after-soft-reset.patch
new file mode 100644
index 0000000000..57b1ef5c33
--- /dev/null
+++ b/queue-6.18/idpf-fix-rss-lut-null-ptr-issue-after-soft-reset.patch
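Review bot: The new `free_rss_key:` label in idpf_vport_alloc() frees `rss_data->rss_key` but leaves the pointer set, and `rss_data` points into `adapter->vport_config[idx]`, which this error path does not release in the visible lines. idpf_vport_rel() in the same file clears the pointer after its kfree(), so the error path should match it and add `rss_data->rss_key = NULL;` after the kfree(), so that a later release or retry on that slot cannot free or read the stale pointer. Whether anything reaches the slot after a failed allocation is not visible in the hunk, so treat this as hardening. idpf_vport_alloc() starts and ends outside the hunk.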
@@ -0,0 +1,154 @@
+From 65a8437a57b3b0d0caafd2e8a9a45320db6e5e12 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 24 Nov 2025 12:47:50 -0600
+Subject: idpf: Fix RSS LUT NULL ptr issue after soft reset
+
+From: Sreedevi Joshi
+
+[ Upstream commit ebecca5b093895da801b3eba1a55b4ec4027d196 ]
+
+During soft reset, the RSS LUT is freed and not restored unless the
+interface is up. If an ethtool command that accesses the rss lut is
+attempted immediately after reset, it will result in NULL ptr
+dereference. Also, there is no need to reset the rss lut if the soft reset
+does not involve queue count change.
+
+After soft reset, set the RSS LUT to default values based on the updated
+queue count only if the reset was a result of a queue count change and
+the LUT was not configured by the user. In all other cases, don't touch
+the LUT.
+
+Steps to reproduce:
+
+** Bring the interface down (if up)
+ifconfig eth1 down
+
+** update the queue count (eg., 27->20)
+ethtool -L eth1 combined 20
+
+** display the RSS LUT
+ethtool -x eth1
+
+[82375.558338] BUG: kernel NULL pointer dereference, address: 0000000000000000
+[82375.558373] #PF: supervisor read access in kernel mode
+[82375.558391] #PF: error_code(0x0000) - not-present page
+[82375.558408] PGD 0 P4D 0
+[82375.558421] Oops: Oops: 0000 [#1] SMP NOPTI
+
+[82375.558516] RIP: 0010:idpf_get_rxfh+0x108/0x150 [idpf]
+[82375.558786] Call Trace:
+[82375.558793]
+[82375.558804] rss_prepare.isra.0+0x187/0x2a0
+[82375.558827] rss_prepare_data+0x3a/0x50
+[82375.558845] ethnl_default_doit+0x13d/0x3e0
+[82375.558863] genl_family_rcv_msg_doit+0x11f/0x180
+[82375.558886] genl_rcv_msg+0x1ad/0x2b0
+[82375.558902] ? __pfx_ethnl_default_doit+0x10/0x10
+[82375.558920] ? __pfx_genl_rcv_msg+0x10/0x10
+[82375.558937] netlink_rcv_skb+0x58/0x100
+[82375.558957] genl_rcv+0x2c/0x50
+[82375.558971] netlink_unicast+0x289/0x3e0
+[82375.558988] netlink_sendmsg+0x215/0x440
+[82375.559005] __sys_sendto+0x234/0x240
+[82375.559555] __x64_sys_sendto+0x28/0x30
+[82375.560068] x64_sys_call+0x1909/0x1da0
+[82375.560576] do_syscall_64+0x7a/0xfa0
+[82375.561076] ? clear_bhb_loop+0x60/0xb0
+[82375.561567] entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+
+Fixes: 02cbfba1add5 ("idpf: add ethtool callbacks")
+Signed-off-by: Sreedevi Joshi
+Reviewed-by: Aleksandr Loktionov
+Reviewed-by: Sridhar Samudrala
+Reviewed-by: Emil Tantilov
+Reviewed-by: Simon Horman
+Tested-by: Samuel Salin
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/idpf/idpf_lib.c | 20 ++++----------------
+ drivers/net/ethernet/intel/idpf/idpf_txrx.c | 2 +-
+ drivers/net/ethernet/intel/idpf/idpf_txrx.h | 1 +
+ 3 files changed, 6 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_lib.c b/drivers/net/ethernet/intel/idpf/idpf_lib.c
+index 51716e5a84ef3..003bab3ce5ae6 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_lib.c
++++ b/drivers/net/ethernet/intel/idpf/idpf_lib.c
+@@ -1484,8 +1484,6 @@ static int idpf_vport_open(struct idpf_vport *vport, bool rtnl)
+ {
+ struct idpf_netdev_priv *np = netdev_priv(vport->netdev);
+ struct idpf_adapter *adapter = vport->adapter;
+- struct idpf_vport_config *vport_config;
+- struct idpf_rss_data *rss_data;
+ int err;
+
+ if (test_bit(IDPF_VPORT_UP, np->state))
+@@ -1579,19 +1577,6 @@ static int idpf_vport_open(struct idpf_vport *vport, bool rtnl)
+
+ idpf_restore_features(vport);
+
+- vport_config = adapter->vport_config[vport->idx];
+- rss_data = &vport_config->user_config.rss_data;
+-
+- if (!rss_data->rss_lut) {
+- err = idpf_init_rss_lut(vport);
+- if (err) {
+- dev_err(&adapter->pdev->dev,
+- "Failed to initialize RSS LUT for vport %u: %d\n",
+- vport->vport_id, err);
+- goto disable_vport;
+- }
+- }
+-
+ err = idpf_config_rss(vport);
+ if (err) {
+ dev_err(&adapter->pdev->dev, "Failed to configure RSS for vport %u: %d\n",
+@@ -2068,7 +2053,6 @@ int idpf_initiate_soft_reset(struct idpf_vport *vport,
+ idpf_vport_stop(vport, false);
+ }
+
+- idpf_deinit_rss_lut(vport);
+ /* We're passing in vport here because we need its wait_queue
+ * to send a message and it should be getting all the vport
+ * config data out of the adapter but we need to be careful not
+@@ -2094,6 +2078,10 @@ int idpf_initiate_soft_reset(struct idpf_vport *vport,
+ if (err)
+ goto err_open;
+
++ if (reset_cause == IDPF_SR_Q_CHANGE &&
++ !netif_is_rxfh_configured(vport->netdev))
++ idpf_fill_dflt_rss_lut(vport);
++
+ if (vport_is_up)
+ err = idpf_vport_open(vport, false);
+
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_txrx.c b/drivers/net/ethernet/intel/idpf/idpf_txrx.c
+index 39553689ffdbf..3698979b4c9ee 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.c
++++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.c
+@@ -4641,7 +4641,7 @@ int idpf_config_rss(struct idpf_vport *vport)
+ * idpf_fill_dflt_rss_lut - Fill the indirection table with the default values
+ * @vport: virtual port structure
+ */
+-static void idpf_fill_dflt_rss_lut(struct idpf_vport *vport)
++void idpf_fill_dflt_rss_lut(struct idpf_vport *vport)
+ {
+ struct idpf_adapter *adapter = vport->adapter;
+ u16 num_active_rxq = vport->num_rxq;
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_txrx.h b/drivers/net/ethernet/intel/idpf/idpf_txrx.h
+index 7d20593bd8778..0472698ca1927 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.h
++++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.h
+@@ -1085,6 +1085,7 @@ void idpf_vport_intr_update_itr_ena_irq(struct idpf_q_vector *q_vector);
+ void idpf_vport_intr_deinit(struct idpf_vport *vport);
+ int idpf_vport_intr_init(struct idpf_vport *vport);
+ void idpf_vport_intr_ena(struct idpf_vport *vport);
++void idpf_fill_dflt_rss_lut(struct idpf_vport *vport);
+ int idpf_config_rss(struct idpf_vport *vport);
+ int idpf_init_rss_lut(struct idpf_vport *vport);
+ void idpf_deinit_rss_lut(struct idpf_vport *vport);
+--
+2.51.0
+
diff --git a/queue-6.18/idpf-keep-the-netdev-when-a-reset-fails.patch b/queue-6.18/idpf-keep-the-netdev-when-a-reset-fails.patch
new file mode 100644
index 0000000000..72b0bbeac9
--- /dev/null
+++ b/queue-6.18/idpf-keep-the-netdev-when-a-reset-fails.patch
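Review bot: After this change idpf_initiate_soft_reset() no longer frees the LUT, but the comment in idpf_vport_alloc() (added by the early-ethtool patch in this queue) still says that on a queue-count soft reset the "LUT will be freed and a new LUT will be allocated". That comment should be brought in line, for example `* reset is initiated, the LUT is kept and refilled with defaults unless the user configured it.`. Keeping the buffer is also only correct if `rss_lut_size` cannot change across a soft reset, because idpf_fill_dflt_rss_lut() writes `rss_lut_size` entries into the existing allocation; that invariant is not visible in these hunks and is worth confirming.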
@@ -0,0 +1,107 @@
+From a59ff67e3dddb9410ae9687ee66e55c7602151c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 Nov 2025 16:12:14 -0800
+Subject: idpf: keep the netdev when a reset fails
+
+From: Emil Tantilov
+
+[ Upstream commit 083029bd8b445595222a3cd14076b880781c1765 ]
+
+During a successful reset the driver would re-allocate vport resources
+while keeping the netdevs intact. However, in case of an error in the
+init task, the netdev of the failing vport will be unregistered,
+effectively removing the network interface:
+
+[ 121.211076] idpf 0000:83:00.0: enabling device (0100 -> 0102)
+[ 121.221976] idpf 0000:83:00.0: Device HW Reset initiated
+[ 124.161229] idpf 0000:83:00.0 ens801f0: renamed from eth0
+[ 124.163364] idpf 0000:83:00.0 ens801f0d1: renamed from eth1
+[ 125.934656] idpf 0000:83:00.0 ens801f0d2: renamed from eth2
+[ 128.218429] idpf 0000:83:00.0 ens801f0d3: renamed from eth3
+
+ip -br a
+ens801f0 UP
+ens801f0d1 UP
+ens801f0d2 UP
+ens801f0d3 UP
+echo 1 > /sys/class/net/ens801f0/device/reset
+
+[ 145.885537] idpf 0000:83:00.0: resetting
+[ 145.990280] idpf 0000:83:00.0: reset done
+[ 146.284766] idpf 0000:83:00.0: HW reset detected
+[ 146.296610] idpf 0000:83:00.0: Device HW Reset initiated
+[ 211.556719] idpf 0000:83:00.0: Transaction timed-out (op:526 cookie:7700 vc_op:526 salt:77 timeout:60000ms)
+[ 272.996705] idpf 0000:83:00.0: Transaction timed-out (op:502 cookie:7800 vc_op:502 salt:78 timeout:60000ms)
+
+ip -br a
+ens801f0d1 DOWN
+ens801f0d2 DOWN
+ens801f0d3 DOWN
+
+Re-shuffle the logic in the error path of the init task to make sure the
+netdevs remain intact. This will allow the driver to attempt recovery via
+subsequent resets, provided the FW is still functional.
+
+The main change is to make sure that idpf_decfg_netdev() is not called
+should the init task fail during a reset. The error handling is
+consolidated under unwind_vports, as the removed labels had the same
+cleanup logic split depending on the point of failure.
+
+Fixes: ce1b75d0635c ("idpf: add ptypes and MAC filter support")
+Signed-off-by: Emil Tantilov
+Reviewed-by: Aleksandr Loktionov
+Tested-by: Samuel Salin
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/idpf/idpf_lib.c | 17 ++++++-----------
+ 1 file changed, 6 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_lib.c b/drivers/net/ethernet/intel/idpf/idpf_lib.c
+index aaafe40f5eaf7..452f3107378cb 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_lib.c
++++ b/drivers/net/ethernet/intel/idpf/idpf_lib.c
+@@ -1579,6 +1579,10 @@ void idpf_init_task(struct work_struct *work)
+ goto unwind_vports;
+ }
+
++ err = idpf_send_get_rx_ptype_msg(vport);
++ if (err)
++ goto unwind_vports;
++
+ index = vport->idx;
+ vport_config = adapter->vport_config[index];
+
+@@ -1590,15 +1594,11 @@ void idpf_init_task(struct work_struct *work)
+ err = idpf_check_supported_desc_ids(vport);
+ if (err) {
+ dev_err(&pdev->dev, "failed to get required descriptor ids\n");
+- goto cfg_netdev_err;
++ goto unwind_vports;
+ }
+
+ if (idpf_cfg_netdev(vport))
+- goto cfg_netdev_err;
+-
+- err = idpf_send_get_rx_ptype_msg(vport);
+- if (err)
+- goto handle_err;
++ goto unwind_vports;
+
+ /* Once state is put into DOWN, driver is ready for dev_open */
+ np = netdev_priv(vport->netdev);
+@@ -1645,11 +1645,6 @@ void idpf_init_task(struct work_struct *work)
+
+ return;
+
+-handle_err:
+- idpf_decfg_netdev(vport);
+-cfg_netdev_err:
+- idpf_vport_rel(vport);
+- adapter->vports[index] = NULL;
+ unwind_vports:
+ if (default_vport) {
+ for (index = 0; index < adapter->max_vports; index++) {
+--
+2.51.0
+
diff --git a/queue-6.18/inet-frags-drop-fraglist-conntrack-references.patch b/queue-6.18/inet-frags-drop-fraglist-conntrack-references.patch
new file mode 100644
index 0000000000..0baf646d65
--- /dev/null
+++ b/queue-6.18/inet-frags-drop-fraglist-conntrack-references.patch
@@ -0,0 +1,93 @@
+From df84dda3eb0b11e424d4eb5d018cac4fb206daf2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 2 Jan 2026 15:00:07 +0100
+Subject: inet: frags: drop fraglist conntrack references
+
+From: Florian Westphal
+
+[ Upstream commit 2ef02ac38d3c17f34a00c4b267d961a8d4b45d1a ]
+
+Jakub added a warning in nf_conntrack_cleanup_net_list() to make debugging
+leaked skbs/conntrack references more obvious.
+
+syzbot reports this as triggering, and I can also reproduce this via
+ip_defrag.sh selftest:
+
+ conntrack cleanup blocked for 60s
+ WARNING: net/netfilter/nf_conntrack_core.c:2512
+ [..]
+
+conntrack clenups gets stuck because there are skbs with still hold nf_conn
+references via their frag_list.
+
+ net.core.skb_defer_max=0 makes the hang disappear.
+
+Eric Dumazet points out that skb_release_head_state() doesn't follow the
+fraglist.
+
+ip_defrag.sh can only reproduce this problem since
+commit 6471658dc66c ("udp: use skb_attempt_defer_free()"), but AFAICS this
+problem could happen with TCP as well if pmtu discovery is off.
+
+The relevant problem path for udp is:
+1. netns emits fragmented packets
+2. nf_defrag_v6_hook reassembles them (in output hook)
+3. reassembled skb is tracked (skb owns nf_conn reference)
+4. ip6_output refragments
+5. refragmented packets also own nf_conn reference (ip6_fragment
+ calls ip6_copy_metadata())
+6. on input path, nf_defrag_v6_hook skips defragmentation: the
+ fragments already have skb->nf_conn attached
+7. skbs are reassembled via ipv6_frag_rcv()
+8. skb_consume_udp -> skb_attempt_defer_free() -> skb ends up
+ in pcpu freelist, but still has nf_conn reference.
+
+Possible solutions:
+ 1 let defrag engine drop nf_conn entry, OR
+ 2 export kick_defer_list_purge() and call it from the conntrack
+ netns exit callback, OR
+ 3 add skb_has_frag_list() check to skb_attempt_defer_free()
+
+2 & 3 also solve ip_defrag.sh hang but share same drawback:
+
+Such reassembled skbs, queued to socket, can prevent conntrack module
+removal until userspace has consumed the packet. While both tcp and udp
+stack do call nf_reset_ct() before placing skb on socket queue, that
+function doesn't iterate frag_list skbs.
+
+Therefore drop nf_conn entries when they are placed in defrag queue.
+Keep the nf_conn entry of the first (offset 0) skb so that reassembled
+skb retains nf_conn entry for sake of TX path.
+
+Note that fixes tag is incorrect; it points to the commit introducing the
+'ip_defrag.sh reproducible problem': no need to backport this patch to
+every stable kernel.
+
+Reported-by: syzbot+4393c47753b7808dac7d@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/693b0fa7.050a0220.4004e.040d.GAE@google.com/
+Fixes: 6471658dc66c ("udp: use skb_attempt_defer_free()")
+Signed-off-by: Florian Westphal
+Reviewed-by: Eric Dumazet
+Link: https://patch.msgid.link/20260102140030.32367-1-fw@strlen.de
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/inet_fragment.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/ipv4/inet_fragment.c b/net/ipv4/inet_fragment.c
+index 001ee5c4d962e..4e6d7467ed444 100644
+--- a/net/ipv4/inet_fragment.c
++++ b/net/ipv4/inet_fragment.c
+@@ -488,6 +488,8 @@ int inet_frag_queue_insert(struct inet_frag_queue *q, struct sk_buff *skb,
+ }
+
+ FRAG_CB(skb)->ip_defrag_offset = offset;
++ if (offset)
++ nf_reset_ct(skb);
+
+ return IPFRAG_OK;
+ }
+--
+2.51.0
+
diff --git a/queue-6.18/inet-ping-fix-icmp-out-counting.patch b/queue-6.18/inet-ping-fix-icmp-out-counting.patch
new file mode 100644
index 0000000000..072a994de5
--- /dev/null
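Review bot: The added `if (offset) nf_reset_ct(skb);` in inet_frag_queue_insert() carries no comment, and the reason the offset-0 fragment is spared exists only in the commit message. A short comment would keep a later cleanup from dropping the condition or the call, for example `/* Drop conntrack refs of non-first fragments: freeing the head skb does not walk frag_list. Offset 0 keeps its entry for the reassembled skb. */`. The function body starts outside the hunk.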
+++ b/queue-6.18/inet-ping-fix-icmp-out-counting.patch
@@ -0,0 +1,55 @@
+From fea544b94db57fc1e290b5d53daee46a35b4f50f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 24 Dec 2025 14:31:45 +0800
+Subject: inet: ping: Fix icmp out counting
+
+From: yuan.gao
+
+[ Upstream commit 4c0856c225b39b1def6c9a6bc56faca79550da13 ]
+
+When the ping program uses an IPPROTO_ICMP socket to send ICMP_ECHO
+messages, ICMP_MIB_OUTMSGS is counted twice.
+
+ ping_v4_sendmsg
+ ping_v4_push_pending_frames
+ ip_push_pending_frames
+ ip_finish_skb
+ __ip_make_skb
+ icmp_out_count(net, icmp_type); // first count
+ icmp_out_count(sock_net(sk), user_icmph.type); // second count
+
+However, when the ping program uses an IPPROTO_RAW socket,
+ICMP_MIB_OUTMSGS is counted correctly only once.
+
+Therefore, the first count should be removed.
+
+Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
+Signed-off-by: yuan.gao
+Reviewed-by: Ido Schimmel
+Tested-by: Ido Schimmel
+Link: https://patch.msgid.link/20251224063145.3615282-1-yuan.gao@ucloud.cn
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/ping.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
+index 5321c5801c64d..a5227d23bb0b5 100644
+--- a/net/ipv4/ping.c
++++ b/net/ipv4/ping.c
+@@ -828,10 +828,8 @@ static int ping_v4_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
+ out_free:
+ if (free)
+ kfree(ipc.opt);
+- if (!err) {
+- icmp_out_count(sock_net(sk), user_icmph.type);
++ if (!err)
+ return len;
+- }
+ return err;
+
+ do_confirm:
+--
+2.51.0
+
diff --git a/queue-6.18/irqchip-gic-v5-fix-gicv5_its_map_event-itte-read-end.patch b/queue-6.18/irqchip-gic-v5-fix-gicv5_its_map_event-itte-read-end.patch
new file mode 100644
index 0000000000..3986d4fe5f
--- /dev/null
+++ b/queue-6.18/irqchip-gic-v5-fix-gicv5_its_map_event-itte-read-end.patch
@@ -0,0 +1,42 @@
+From eba901a5b709df97926010f89bcd6ba4e02468c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 22 Dec 2025 11:22:50 +0100
+Subject: irqchip/gic-v5: Fix gicv5_its_map_event() ITTE read endianness
+
+From: Lorenzo Pieralisi
+
+[ Upstream commit 1690eeb0cb2bb77096cb6c826b6849ef05013e34 ]
+
+Kbuild bot (through sparse) reported that the ITTE read to carry out
+a valid check in gicv5_its_map_event() lacks proper endianness handling.
+
+Add the missing endianess conversion.
+
+Fixes: 57d72196dfc8 ("irqchip/gic-v5: Add GICv5 ITS support")
+Reported-by: kernel test robot
+Signed-off-by: Lorenzo Pieralisi
+Signed-off-by: Thomas Gleixner
+Acked-by: Marc Zyngier
+Link: https://patch.msgid.link/20251222102250.435460-1-lpieralisi@kernel.org
+Closes: https://lore.kernel.org/oe-kbuild-all/202512131849.30ZRTBeR-lkp@intel.com/
+Signed-off-by: Sasha Levin
+---
+ drivers/irqchip/irq-gic-v5-its.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/irqchip/irq-gic-v5-its.c b/drivers/irqchip/irq-gic-v5-its.c
+index 554485f0be1fb..8e22134b9f486 100644
+--- a/drivers/irqchip/irq-gic-v5-its.c
++++ b/drivers/irqchip/irq-gic-v5-its.c
+@@ -849,7 +849,7 @@ static int gicv5_its_map_event(struct gicv5_its_dev *its_dev, u16 event_id, u32
+
+ itte = gicv5_its_device_get_itte_ref(its_dev, event_id);
+
+- if (FIELD_GET(GICV5_ITTL2E_VALID, *itte))
++ if (FIELD_GET(GICV5_ITTL2E_VALID, le64_to_cpu(*itte)))
+ return -EEXIST;
+
+ itt_entry = FIELD_PREP(GICV5_ITTL2E_LPI_ID, lpi) |
+--
+2.51.0
+
diff --git a/queue-6.18/net-airoha-fix-npu-rx-dma-definitions.patch b/queue-6.18/net-airoha-fix-npu-rx-dma-definitions.patch
new file mode 100644
index 0000000000..3878589ff5
--- /dev/null
+++ b/queue-6.18/net-airoha-fix-npu-rx-dma-definitions.patch
@@ -0,0 +1,44 @@ +From 3f10e07e56cf99569e9d2c7dca3aa64c694aa296 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Jan 2026 12:29:38 +0100 +Subject: net: airoha: Fix npu rx DMA definitions + +From: Lorenzo Bianconi + +[ Upstream commit a7fc8c641cab855824c45e5e8877e40fd528b5df ] + +Fix typos in npu rx DMA descriptor definitions. + +Fixes: b3ef7bdec66fb ("net: airoha: Add airoha_offload.h header") +Signed-off-by: Lorenzo Bianconi +Link: https://patch.msgid.link/20260102-airoha-npu-dma-rx-def-fixes-v1-1-205fc6bf7d94@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/linux/soc/airoha/airoha_offload.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/include/linux/soc/airoha/airoha_offload.h b/include/linux/soc/airoha/airoha_offload.h +index 6f66eb339b3fc..1a33f846afafa 100644 +--- a/include/linux/soc/airoha/airoha_offload.h ++++ b/include/linux/soc/airoha/airoha_offload.h +@@ -70,12 +70,12 @@ static inline void airoha_ppe_dev_check_skb(struct airoha_ppe_dev *dev, + #define NPU_RX1_DESC_NUM 512 + + /* CTRL */ +-#define NPU_RX_DMA_DESC_LAST_MASK BIT(29) +-#define NPU_RX_DMA_DESC_LEN_MASK GENMASK(28, 15) +-#define NPU_RX_DMA_DESC_CUR_LEN_MASK GENMASK(14, 1) ++#define NPU_RX_DMA_DESC_LAST_MASK BIT(27) ++#define NPU_RX_DMA_DESC_LEN_MASK GENMASK(26, 14) ++#define NPU_RX_DMA_DESC_CUR_LEN_MASK GENMASK(13, 1) + #define NPU_RX_DMA_DESC_DONE_MASK BIT(0) + /* INFO */ +-#define NPU_RX_DMA_PKT_COUNT_MASK GENMASK(31, 28) ++#define NPU_RX_DMA_PKT_COUNT_MASK GENMASK(31, 29) + #define NPU_RX_DMA_PKT_ID_MASK GENMASK(28, 26) + #define NPU_RX_DMA_SRC_PORT_MASK GENMASK(25, 21) + #define NPU_RX_DMA_CRSN_MASK GENMASK(20, 16) +-- +2.51.0 + diff --git a/queue-6.18/net-airoha-fix-schedule-while-atomic-in-airoha_ppe_d.patch b/queue-6.18/net-airoha-fix-schedule-while-atomic-in-airoha_ppe_d.patch new file mode 100644 index 0000000000..b56b39344a --- /dev/null 
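Review bot: `NPU_RX_DMA_DESC_LEN_MASK` and `NPU_RX_DMA_DESC_CUR_LEN_MASK` each shrink from 14 to 13 bits in this change, so a runtime length above 8191 passed through `FIELD_PREP()` is now silently masked into the descriptor instead of being rejected. The code that fills and parses these descriptors is outside the hunk, so whether the RX buffer length is already bounded to fit the narrower field should be confirmed there. The description calls this a typo fix; a short comment above `/* CTRL */` naming the hardware reference for the bit layout would make a future correction easier to verify.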
+++ b/queue-6.18/net-airoha-fix-schedule-while-atomic-in-airoha_ppe_d.patch @@ -0,0 +1,51 @@ +From 1049a9e89c8aaab31c4bb4abfa8b7868d1563229 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jan 2026 09:43:31 +0100 +Subject: net: airoha: Fix schedule while atomic in airoha_ppe_deinit() + +From: Lorenzo Bianconi + +[ Upstream commit 6abcf751bc084804a9e5b3051442e8a2ce67f48a ] + +airoha_ppe_deinit() runs airoha_npu_ppe_deinit() in atomic context. +airoha_npu_ppe_deinit routine allocates ppe_data buffer with GFP_KERNEL +flag. Rely on rcu_replace_pointer in airoha_ppe_deinit routine in order +to fix schedule while atomic issue in airoha_npu_ppe_deinit() since we +do not need atomic context there. + +Fixes: 00a7678310fe3 ("net: airoha: Introduce flowtable offload support") +Signed-off-by: Lorenzo Bianconi +Link: https://patch.msgid.link/20260105-airoha-fw-ethtool-v2-1-3b32b158cc31@kernel.org +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/airoha/airoha_ppe.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/airoha/airoha_ppe.c b/drivers/net/ethernet/airoha/airoha_ppe.c +index c0e17035db18e..190d98970014f 100644 +--- a/drivers/net/ethernet/airoha/airoha_ppe.c ++++ b/drivers/net/ethernet/airoha/airoha_ppe.c +@@ -1466,13 +1466,16 @@ void airoha_ppe_deinit(struct airoha_eth *eth) + { + struct airoha_npu *npu; + +- rcu_read_lock(); +- npu = rcu_dereference(eth->npu); ++ mutex_lock(&flow_offload_mutex); ++ ++ npu = rcu_replace_pointer(eth->npu, NULL, ++ lockdep_is_held(&flow_offload_mutex)); + if (npu) { + npu->ops.ppe_deinit(npu); + airoha_npu_put(npu); + } +- rcu_read_unlock(); ++ ++ mutex_unlock(&flow_offload_mutex); + + rhashtable_destroy(ð->ppe->l2_flows); + rhashtable_destroy(ð->flow_table); +-- +2.51.0 + 
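Review bot: In `airoha_ppe_deinit()`, `npu->ops.ppe_deinit(npu)` and `airoha_npu_put(npu)` run immediately after `rcu_replace_pointer()` unpublishes `eth->npu`, with no grace period in between, so a reader that fetched the pointer under `rcu_read_lock()` just before the swap could still be using the NPU while it is torn down. Whether such readers exist, and whether the put can release the object, is not visible in this hunk, so this is a question to settle rather than a confirmed use-after-free. If they do, a `synchronize_rcu();` between the pointer swap and `npu->ops.ppe_deinit(npu);` would close the window, and it is permitted there because the function now holds a mutex instead of the RCU read lock. The function body continues past the end of the hunk.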
diff --git a/queue-6.18/net-ena-fix-missing-lock-when-update-devlink-params.patch b/queue-6.18/net-ena-fix-missing-lock-when-update-devlink-params.patch new file mode 100644 index 0000000000..c671324717 --- /dev/null +++ b/queue-6.18/net-ena-fix-missing-lock-when-update-devlink-params.patch 
@@ -0,0 +1,87 @@ +From 0217741a4eb3caef1172e6071e82425b59fdbea9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Dec 2025 22:58:08 +0800 +Subject: net/ena: fix missing lock when update devlink params + +From: Frank Liang + +[ Upstream commit 8da901ffe497a53fa4ecc3ceed0e6d771586f88e ] + +Fix assert lock warning while calling devl_param_driverinit_value_set() +in ena. + +WARNING: net/devlink/core.c:261 at devl_assert_locked+0x62/0x90, CPU#0: kworker/0:0/9 +CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted 6.19.0-rc2+ #1 PREEMPT(lazy) +Hardware name: Amazon EC2 m8i-flex.4xlarge/, BIOS 1.0 10/16/2017 +Workqueue: events work_for_cpu_fn +RIP: 0010:devl_assert_locked+0x62/0x90 + +Call Trace: + + devl_param_driverinit_value_set+0x15/0x1c0 + ena_devlink_alloc+0x18c/0x220 [ena] + ? __pfx_ena_devlink_alloc+0x10/0x10 [ena] + ? trace_hardirqs_on+0x18/0x140 + ? lockdep_hardirqs_on+0x8c/0x130 + ? __raw_spin_unlock_irqrestore+0x5d/0x80 + ? __raw_spin_unlock_irqrestore+0x46/0x80 + ? devm_ioremap_wc+0x9a/0xd0 + ena_probe+0x4d2/0x1b20 [ena] + ? __lock_acquire+0x56a/0xbd0 + ? __pfx_ena_probe+0x10/0x10 [ena] + ? local_clock+0x15/0x30 + ? __lock_release.isra.0+0x1c9/0x340 + ? mark_held_locks+0x40/0x70 + ? lockdep_hardirqs_on_prepare.part.0+0x92/0x170 + ? trace_hardirqs_on+0x18/0x140 + ? lockdep_hardirqs_on+0x8c/0x130 + ? __raw_spin_unlock_irqrestore+0x5d/0x80 + ? __raw_spin_unlock_irqrestore+0x46/0x80 + ? __pfx_ena_probe+0x10/0x10 [ena] + ...... 
+ + +Fixes: 816b52624cf6 ("net: ena: Control PHC enable through devlink") +Signed-off-by: Frank Liang +Reviewed-by: David Arinzon +Reviewed-by: Jiri Pirko +Link: https://patch.msgid.link/20251231145808.6103-1-xiliang@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amazon/ena/ena_devlink.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/amazon/ena/ena_devlink.c b/drivers/net/ethernet/amazon/ena/ena_devlink.c +index ac81c24016dd4..4772185e669d2 100644 +--- a/drivers/net/ethernet/amazon/ena/ena_devlink.c ++++ b/drivers/net/ethernet/amazon/ena/ena_devlink.c +@@ -53,10 +53,12 @@ void ena_devlink_disable_phc_param(struct devlink *devlink) + { + union devlink_param_value value; + ++ devl_lock(devlink); + value.vbool = false; + devl_param_driverinit_value_set(devlink, + DEVLINK_PARAM_GENERIC_ID_ENABLE_PHC, + value); ++ devl_unlock(devlink); + } + + static void ena_devlink_port_register(struct devlink *devlink) +@@ -145,10 +147,12 @@ static int ena_devlink_configure_params(struct devlink *devlink) + return rc; + } + ++ devl_lock(devlink); + value.vbool = ena_phc_is_enabled(adapter); + devl_param_driverinit_value_set(devlink, + DEVLINK_PARAM_GENERIC_ID_ENABLE_PHC, + value); ++ devl_unlock(devlink); + + return 0; + } +-- +2.51.0 + diff --git a/queue-6.18/net-enetc-fix-build-warning-when-page_size-is-greate.patch b/queue-6.18/net-enetc-fix-build-warning-when-page_size-is-greate.patch new file mode 100644 index 0000000000..2202dcb284 --- /dev/null +++ b/queue-6.18/net-enetc-fix-build-warning-when-page_size-is-greate.patch 
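Review bot: `ena_devlink_disable_phc_param()` and `ena_devlink_configure_params()` now take `devl_lock(devlink)` unconditionally, which would self-deadlock if either is ever reached from a path that already holds the devlink instance lock, such as a reload callback. The callers are outside this hunk, and the trace in the description covers only the probe path (`ena_probe` → `ena_devlink_alloc`). It is worth confirming that every call site runs unlocked, and recording the contract above both functions with a comment such as `/* Takes the devlink instance lock; must not be called with it held. */`.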
@@ -0,0 +1,49 @@ +From 0b5296ac0df0f1aa809a149b16a62bed63000a6c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jan 2026 17:12:04 +0800 +Subject: net: enetc: fix build warning when PAGE_SIZE is greater than 128K + +From: Wei Fang + +[ Upstream commit 4b5bdabb5449b652122e43f507f73789041d4abe ] + +The max buffer size of ENETC RX BD is 0xFFFF bytes, so if the PAGE_SIZE +is greater than 128K, ENETC_RXB_DMA_SIZE and ENETC_RXB_DMA_SIZE_XDP will +be greater than 0xFFFF, thus causing a build warning. + +This will not cause any practical issues because ENETC is currently only +used on the ARM64 platform, and the max PAGE_SIZE is 64K. So this patch +is only for fixing the build warning that occurs when compiling ENETC +drivers for other platforms. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202601050637.kHEKKOG7-lkp@intel.com/ +Fixes: e59bc32df2e9 ("net: enetc: correct the value of ENETC_RXB_TRUESIZE") +Signed-off-by: Wei Fang +Reviewed-by: Frank Li +Link: https://patch.msgid.link/20260107091204.1980222-1-wei.fang@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/enetc/enetc.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/enetc/enetc.h b/drivers/net/ethernet/freescale/enetc/enetc.h +index f279fa597991e..60c7205ea9ff5 100644 +--- a/drivers/net/ethernet/freescale/enetc/enetc.h ++++ b/drivers/net/ethernet/freescale/enetc/enetc.h +@@ -79,9 +79,9 @@ struct enetc_lso_t { + #define ENETC_RXB_TRUESIZE (PAGE_SIZE >> 1) + #define ENETC_RXB_PAD NET_SKB_PAD /* add extra space if needed */ + #define ENETC_RXB_DMA_SIZE \ +- (SKB_WITH_OVERHEAD(ENETC_RXB_TRUESIZE) - ENETC_RXB_PAD) ++ min(SKB_WITH_OVERHEAD(ENETC_RXB_TRUESIZE) - ENETC_RXB_PAD, 0xffff) + #define ENETC_RXB_DMA_SIZE_XDP \ +- (SKB_WITH_OVERHEAD(ENETC_RXB_TRUESIZE) - XDP_PACKET_HEADROOM) ++ min(SKB_WITH_OVERHEAD(ENETC_RXB_TRUESIZE) - XDP_PACKET_HEADROOM, 0xffff) + + 
struct enetc_rx_swbd { + dma_addr_t dma; +-- +2.51.0 + diff --git a/queue-6.18/net-fix-memory-leak-in-skb_segment_list-for-gro-pack.patch b/queue-6.18/net-fix-memory-leak-in-skb_segment_list-for-gro-pack.patch new file mode 100644 index 0000000000..7783586739 --- /dev/null +++ b/queue-6.18/net-fix-memory-leak-in-skb_segment_list-for-gro-pack.patch 
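Review bot: The RX BD limit `0xffff` appears as a bare literal in both `ENETC_RXB_DMA_SIZE` and `ENETC_RXB_DMA_SIZE_XDP`, and the reason for it lives only in the commit description. A named constant would keep the two clamps in step and document the limit in the header, for example `#define ENETC_RXB_DMA_SIZE_MAX 0xffff /* max buffer size of an RX BD */` used as the second argument of both `min()` calls. Because the macros now expand to `min()`, any use that needs an integer constant expression should be re-checked; the users are outside the hunk.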
@@ -0,0 +1,108 @@ +From abeda43c3c174a4af1e799990dfbaeff013d703f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Jan 2026 23:31:01 +0200 +Subject: net: fix memory leak in skb_segment_list for GRO packets + +From: Mohammad Heib + +[ Upstream commit 238e03d0466239410b72294b79494e43d4fabe77 ] + +When skb_segment_list() is called during packet forwarding, it handles +packets that were aggregated by the GRO engine. + +Historically, the segmentation logic in skb_segment_list assumes that +individual segments are split from a parent SKB and may need to carry +their own socket memory accounting. Accordingly, the code transfers +truesize from the parent to the newly created segments. + +Prior to commit ed4cccef64c1 ("gro: fix ownership transfer"), this +truesize subtraction in skb_segment_list() was valid because fragments +still carry a reference to the original socket. + +However, commit ed4cccef64c1 ("gro: fix ownership transfer") changed +this behavior by ensuring that fraglist entries are explicitly +orphaned (skb->sk = NULL) to prevent illegal orphaning later in the +stack. This change meant that the entire socket memory charge remained +with the head SKB, but the corresponding accounting logic in +skb_segment_list() was never updated. + +As a result, the current code unconditionally adds each fragment's +truesize to delta_truesize and subtracts it from the parent SKB. Since +the fragments are no longer charged to the socket, this subtraction +results in an effective under-count of memory when the head is freed. +This causes sk_wmem_alloc to remain non-zero, preventing socket +destruction and leading to a persistent memory leak. 
+ +The leak can be observed via KMEMLEAK when tearing down the networking +environment: + +unreferenced object 0xffff8881e6eb9100 (size 2048): + comm "ping", pid 6720, jiffies 4295492526 + backtrace: + kmem_cache_alloc_noprof+0x5c6/0x800 + sk_prot_alloc+0x5b/0x220 + sk_alloc+0x35/0xa00 + inet6_create.part.0+0x303/0x10d0 + __sock_create+0x248/0x640 + __sys_socket+0x11b/0x1d0 + +Since skb_segment_list() is exclusively used for SKB_GSO_FRAGLIST +packets constructed by GRO, the truesize adjustment is removed. + +The call to skb_release_head_state() must be preserved. As documented in +commit cf673ed0e057 ("net: fix fraglist segmentation reference count +leak"), it is still required to correctly drop references to SKB +extensions that may be overwritten during __copy_skb_header(). + +Fixes: ed4cccef64c1 ("gro: fix ownership transfer") +Signed-off-by: Mohammad Heib +Reviewed-by: Willem de Bruijn +Link: https://patch.msgid.link/20260104213101.352887-1-mheib@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/skbuff.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index 6be01454f262a..9a763d120925a 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -4597,12 +4597,14 @@ struct sk_buff *skb_segment_list(struct sk_buff *skb, + { + struct sk_buff *list_skb = skb_shinfo(skb)->frag_list; + unsigned int tnl_hlen = skb_tnl_header_len(skb); +- unsigned int delta_truesize = 0; + unsigned int delta_len = 0; + struct sk_buff *tail = NULL; + struct sk_buff *nskb, *tmp; + int len_diff, err; + ++ /* Only skb_gro_receive_list generated skbs arrive here */ ++ DEBUG_NET_WARN_ON_ONCE(!(skb_shinfo(skb)->gso_type & SKB_GSO_FRAGLIST)); ++ + skb_push(skb, -skb_network_offset(skb) + offset); + + /* Ensure the head is writeable before touching the shared info */ +@@ -4616,8 +4618,9 @@ struct sk_buff *skb_segment_list(struct sk_buff *skb, + nskb = list_skb; + list_skb = list_skb->next; 
+ ++ DEBUG_NET_WARN_ON_ONCE(nskb->sk); ++ + err = 0; +- delta_truesize += nskb->truesize; + if (skb_shared(nskb)) { + tmp = skb_clone(nskb, GFP_ATOMIC); + if (tmp) { +@@ -4660,7 +4663,6 @@ struct sk_buff *skb_segment_list(struct sk_buff *skb, + goto err_linearize; + } + +- skb->truesize = skb->truesize - delta_truesize; + skb->data_len = skb->data_len - delta_len; + skb->len = skb->len - delta_len; + +-- +2.51.0 + diff --git a/queue-6.18/net-marvell-prestera-fix-null-dereference-on-devlink.patch b/queue-6.18/net-marvell-prestera-fix-null-dereference-on-devlink.patch new file mode 100644 index 0000000000..b7100aced0 --- /dev/null +++ b/queue-6.18/net-marvell-prestera-fix-null-dereference-on-devlink.patch 
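Review bot: The two invariants that justify dropping the truesize transfer in `skb_segment_list()` (the skb is `SKB_GSO_FRAGLIST`, and every `nskb->sk` is NULL) are only asserted with `DEBUG_NET_WARN_ON_ONCE()`, which is compiled out unless `CONFIG_DEBUG_NET` is set. On a production build a fragment that still carries a socket would pass through silently with the head's truesize left unadjusted, so the accounting mismatch would reappear in the other direction with nothing in the log. If that case is believed impossible, a comment where the subtraction used to be, such as `/* frag_list skbs are orphaned by GRO; the head keeps the whole truesize */`, would record why nothing is adjusted there. The function starts before and continues after the visible lines.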
@@ -0,0 +1,44 @@ +From d43d06fe161d0fc45807cd0d8029601ebe2451b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Dec 2025 21:21:18 -0800 +Subject: net: marvell: prestera: fix NULL dereference on devlink_alloc() + failure + +From: Alok Tiwari + +[ Upstream commit a428e0da1248c353557970848994f35fd3f005e2 ] + +devlink_alloc() may return NULL on allocation failure, but +prestera_devlink_alloc() unconditionally calls devlink_priv() on +the returned pointer. + +This leads to a NULL pointer dereference if devlink allocation fails. +Add a check for a NULL devlink pointer and return NULL early to avoid +the crash. + +Fixes: 34dd1710f5a3 ("net: marvell: prestera: Add basic devlink support") +Signed-off-by: Alok Tiwari +Acked-by: Elad Nachman +Link: https://patch.msgid.link/20251230052124.897012-1-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/prestera/prestera_devlink.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/marvell/prestera/prestera_devlink.c b/drivers/net/ethernet/marvell/prestera/prestera_devlink.c +index 2a4c9df4eb797..e63d95c1842f3 100644 +--- a/drivers/net/ethernet/marvell/prestera/prestera_devlink.c ++++ b/drivers/net/ethernet/marvell/prestera/prestera_devlink.c +@@ -387,6 +387,8 @@ struct prestera_switch *prestera_devlink_alloc(struct prestera_device *dev) + + dl = devlink_alloc(&prestera_dl_ops, sizeof(struct prestera_switch), + dev->dev); ++ if (!dl) ++ return NULL; + + return devlink_priv(dl); + } +-- +2.51.0 + diff --git a/queue-6.18/net-mlx5-lag-multipath-give-priority-for-routes-with.patch b/queue-6.18/net-mlx5-lag-multipath-give-priority-for-routes-with.patch new file mode 100644 index 0000000000..aaa5d45f32 --- /dev/null +++ b/queue-6.18/net-mlx5-lag-multipath-give-priority-for-routes-with.patch 
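Review bot: `prestera_devlink_alloc()` can now return NULL, so the fix is only complete if its caller checks the result before using the returned `struct prestera_switch *`; the call site is not part of this hunk and should be confirmed. A one-line comment above the function, `/* Returns NULL if devlink_alloc() fails. */`, would make the new contract visible to the next caller.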
@@ -0,0 +1,57 @@ +From 2cedb4c99fb3a237a16da800aa22fe7356ecf91c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Dec 2025 15:27:13 +0200 +Subject: net/mlx5: Lag, multipath, give priority for routes with smaller + network prefix + +From: Patrisious Haddad + +[ Upstream commit 31057979cdadfee9f934746fd84046b43506ba61 ] + +Today multipath offload is controlled by a single route and the route +controlling is selected if it meets one of the following criteria: + 1. No controlling route is set. + 2. New route destination is the same as old one. + 3. New route metric is lower than old route metric. + +This can cause unwanted behaviour in case a new route is added +with a smaller network prefix which should get the priority. + +Fix this by adding a new criteria to give priority to new route with +a smaller network prefix. + +Fixes: ad11c4f1d8fd ("net/mlx5e: Lag, Only handle events from highest priority multipath entry") +Signed-off-by: Patrisious Haddad +Signed-off-by: Mark Bloch +Link: https://patch.msgid.link/20251225132717.358820-2-mbloch@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/lag/mp.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lag/mp.c b/drivers/net/ethernet/mellanox/mlx5/core/lag/mp.c +index aee17fcf3b36c..cdc99fe5c9568 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/lag/mp.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lag/mp.c +@@ -173,10 +173,15 @@ static void mlx5_lag_fib_route_event(struct mlx5_lag *ldev, unsigned long event, + } + + /* Handle multipath entry with lower priority value */ +- if (mp->fib.mfi && mp->fib.mfi != fi && ++ if (mp->fib.mfi && + (mp->fib.dst != fen_info->dst || mp->fib.dst_len != fen_info->dst_len) && +- fi->fib_priority >= mp->fib.priority) ++ mp->fib.dst_len <= fen_info->dst_len && ++ !(mp->fib.dst_len == fen_info->dst_len && ++ fi->fib_priority < mp->fib.priority)) 
{ ++ mlx5_core_dbg(ldev->pf[idx].dev, ++ "Multipath entry with lower priority was rejected\n"); + return; ++ } + + nh_dev0 = mlx5_lag_get_next_fib_dev(ldev, fi, NULL); + nh_dev1 = mlx5_lag_get_next_fib_dev(ldev, fi, nh_dev0); +-- +2.51.0 + diff --git a/queue-6.18/net-mlx5e-dealloc-forgotten-psp-rx-modify-header.patch b/queue-6.18/net-mlx5e-dealloc-forgotten-psp-rx-modify-header.patch new file mode 100644 index 0000000000..607290e190 --- /dev/null +++ b/queue-6.18/net-mlx5e-dealloc-forgotten-psp-rx-modify-header.patch 
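Review bot: The comment `/* Handle multipath entry with lower priority value */` above the rewritten condition in `mlx5_lag_fib_route_event()` no longer describes it, since the test now orders routes by prefix length first and by metric only when the lengths are equal. Something like `/* Ignore a route whose prefix is longer than the controlling one, or equally long with a metric that is not lower */` would match the code, and the new debug string could say the same rather than "lower priority". The condition also drops the old `mp->fib.mfi != fi` term, which the description does not mention; if a `fib_info` can be shared by routes to different destinations, an event for the controlling `fi` can now be rejected where it was previously accepted, so that removal deserves a sentence of justification. The function starts before and continues after the hunk.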
@@ -0,0 +1,92 @@ +From 061e0b06d9303638c01861ece07f073f931e371e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Dec 2025 15:27:17 +0200 +Subject: net/mlx5e: Dealloc forgotten PSP RX modify header + +From: Cosmin Ratiu + +[ Upstream commit 0462a15d2d1fafd3d48cf3c7c67393e42d03908c ] + +The commit which added RX steering rules for PSP forgot to free a modify +header HW object on the cleanup path, which lead to health errors when +reloading the driver and uninitializing the device: + +mlx5_core 0000:08:00.0: poll_health:803:(pid 3021): Fatal error 3 detected + +Fix that by saving the modify header pointer in the PSP steering struct +and deallocating it after freeing the rule which references it. + +Fixes: 9536fbe10c9d ("net/mlx5e: Add PSP steering in local NIC RX") +Signed-off-by: Cosmin Ratiu +Reviewed-by: Dragos Tatulea +Reviewed-by: Tariq Toukan +Signed-off-by: Mark Bloch +Link: https://patch.msgid.link/20251225132717.358820-6-mbloch@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/en_accel/psp.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/psp.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/psp.c +index 8565cfe8d7dce..943d6fc6e7a04 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/psp.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/psp.c +@@ -41,6 +41,7 @@ struct mlx5e_accel_fs_psp_prot { + struct mlx5_flow_table *ft; + struct mlx5_flow_group *miss_group; + struct mlx5_flow_handle *miss_rule; ++ struct mlx5_modify_hdr *rx_modify_hdr; + struct mlx5_flow_destination default_dest; + struct mlx5e_psp_rx_err rx_err; + u32 refcnt; +@@ -217,13 +218,19 @@ static int accel_psp_fs_rx_err_create_ft(struct mlx5e_psp_fs *fs, + return err; + } + +-static void accel_psp_fs_rx_fs_destroy(struct mlx5e_accel_fs_psp_prot *fs_prot) ++static void accel_psp_fs_rx_fs_destroy(struct mlx5e_psp_fs 
*fs, ++ struct mlx5e_accel_fs_psp_prot *fs_prot) + { + if (fs_prot->def_rule) { + mlx5_del_flow_rules(fs_prot->def_rule); + fs_prot->def_rule = NULL; + } + ++ if (fs_prot->rx_modify_hdr) { ++ mlx5_modify_header_dealloc(fs->mdev, fs_prot->rx_modify_hdr); ++ fs_prot->rx_modify_hdr = NULL; ++ } ++ + if (fs_prot->miss_rule) { + mlx5_del_flow_rules(fs_prot->miss_rule); + fs_prot->miss_rule = NULL; +@@ -327,6 +334,7 @@ static int accel_psp_fs_rx_create_ft(struct mlx5e_psp_fs *fs, + modify_hdr = NULL; + goto out_err; + } ++ fs_prot->rx_modify_hdr = modify_hdr; + + flow_act.action = MLX5_FLOW_CONTEXT_ACTION_FWD_DEST | + MLX5_FLOW_CONTEXT_ACTION_CRYPTO_DECRYPT | +@@ -347,7 +355,7 @@ static int accel_psp_fs_rx_create_ft(struct mlx5e_psp_fs *fs, + goto out; + + out_err: +- accel_psp_fs_rx_fs_destroy(fs_prot); ++ accel_psp_fs_rx_fs_destroy(fs, fs_prot); + out: + kvfree(flow_group_in); + kvfree(spec); +@@ -364,7 +372,7 @@ static int accel_psp_fs_rx_destroy(struct mlx5e_psp_fs *fs, enum accel_fs_psp_ty + /* The netdev unreg already happened, so all offloaded rule are already removed */ + fs_prot = &accel_psp->fs_prot[type]; + +- accel_psp_fs_rx_fs_destroy(fs_prot); ++ accel_psp_fs_rx_fs_destroy(fs, fs_prot); + + accel_psp_fs_rx_err_destroy_ft(fs, &fs_prot->rx_err); + +-- +2.51.0 + diff --git a/queue-6.18/net-mlx5e-don-t-gate-fec-histograms-on-ppcnt_statist.patch b/queue-6.18/net-mlx5e-don-t-gate-fec-histograms-on-ppcnt_statist.patch new file mode 100644 index 0000000000..d0603b5816 --- /dev/null +++ b/queue-6.18/net-mlx5e-don-t-gate-fec-histograms-on-ppcnt_statist.patch 
@@ -0,0 +1,60 @@ +From db805d3128473ffbb72a57d2105b4f6f2f95c3df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Dec 2025 15:27:14 +0200 +Subject: net/mlx5e: Don't gate FEC histograms on ppcnt_statistical_group + +From: Alexei Lazar + +[ Upstream commit 6c75dc9de40ff91ec2b621b78f6cd9031762067c ] + +Currently, the ppcnt_statistical_group capability check +incorrectly gates access to FEC histogram statistics. +This capability applies only to statistical and physical +counter groups, not for histogram data. + +Restrict the ppcnt_statistical_group check to the +Physical_Layer_Counters and Physical_Layer_Statistical_Counters +groups. +Histogram statistics access remains gated by the pphcr +capability. + +The issue is harmless as of today, as it happens that +ppcnt_statistical_group is set on all existing devices that +have pphcr set. + +Fixes: 6b81b8a0b197 ("net/mlx5e: Don't query FEC statistics when FEC is disabled") +Signed-off-by: Alexei Lazar +Reviewed-by: Tariq Toukan +Signed-off-by: Mark Bloch +Link: https://patch.msgid.link/20251225132717.358820-3-mbloch@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_stats.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_stats.c b/drivers/net/ethernet/mellanox/mlx5/core/en_stats.c +index a2802cfc9b989..a8af84fc97638 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_stats.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_stats.c +@@ -1608,12 +1608,13 @@ void mlx5e_stats_fec_get(struct mlx5e_priv *priv, + { + int mode = fec_active_mode(priv->mdev); + +- if (mode == MLX5E_FEC_NOFEC || +- !MLX5_CAP_PCAM_FEATURE(priv->mdev, ppcnt_statistical_group)) ++ if (mode == MLX5E_FEC_NOFEC) + return; + +- fec_set_corrected_bits_total(priv, fec_stats); +- fec_set_block_stats(priv, mode, fec_stats); ++ if (MLX5_CAP_PCAM_FEATURE(priv->mdev, ppcnt_statistical_group)) { ++ 
fec_set_corrected_bits_total(priv, fec_stats); ++ fec_set_block_stats(priv, mode, fec_stats); ++ } + + if (MLX5_CAP_PCAM_REG(priv->mdev, pphcr)) + fec_set_histograms_stats(priv, mode, hist); +-- +2.51.0 + diff --git a/queue-6.18/net-mlx5e-don-t-print-error-message-due-to-invalid-m.patch b/queue-6.18/net-mlx5e-don-t-print-error-message-due-to-invalid-m.patch new file mode 100644 index 0000000000..cf02a1a473 --- /dev/null +++ b/queue-6.18/net-mlx5e-don-t-print-error-message-due-to-invalid-m.patch 
@@ -0,0 +1,50 @@ +From 352dad73a3e2d48e3ab30ebf4fd4806866358397 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Dec 2025 15:27:16 +0200 +Subject: net/mlx5e: Don't print error message due to invalid module + +From: Gal Pressman + +[ Upstream commit 144297e2a24e3e54aee1180ec21120ea38822b97 ] + +Dumping module EEPROM on newer modules is supported through the netlink +interface only. + +Querying with old userspace ethtool (or other tools, such as 'lshw') +which still uses the ioctl interface results in an error message that +could flood dmesg (in addition to the expected error return value). +The original message was added under the assumption that the driver +should be able to handle all module types, but now that such flows are +easily triggered from userspace, it doesn't serve its purpose. + +Change the log level of the print in mlx5_query_module_eeprom() to +debug. + +Fixes: bb64143eee8c ("net/mlx5e: Add ethtool support for dump module EEPROM") +Signed-off-by: Gal Pressman +Reviewed-by: Tariq Toukan +Signed-off-by: Mark Bloch +Link: https://patch.msgid.link/20251225132717.358820-5-mbloch@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/port.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/port.c b/drivers/net/ethernet/mellanox/mlx5/core/port.c +index aa9f2b0a77d36..876e648c91ba8 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/port.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/port.c +@@ -430,7 +430,8 @@ int mlx5_query_module_eeprom(struct mlx5_core_dev *dev, + mlx5_qsfp_eeprom_params_set(&query.i2c_address, &query.page, &offset); + break; + default: +- mlx5_core_err(dev, "Module ID not recognized: 0x%x\n", module_id); ++ mlx5_core_dbg(dev, "Module ID not recognized: 0x%x\n", ++ module_id); + return -EINVAL; + } + +-- +2.51.0 + 
diff --git a/queue-6.18/net-mscc-ocelot-fix-crash-when-adding-interface-unde.patch b/queue-6.18/net-mscc-ocelot-fix-crash-when-adding-interface-unde.patch new file mode 100644 index 0000000000..d029bec10e --- /dev/null +++ b/queue-6.18/net-mscc-ocelot-fix-crash-when-adding-interface-unde.patch 
@@ -0,0 +1,56 @@ +From becc50932ab9947b506a7d5f55897f6df555d5eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Dec 2025 20:36:17 +0000 +Subject: net: mscc: ocelot: Fix crash when adding interface under a lag + +From: Jerry Wu + +[ Upstream commit 34f3ff52cb9fa7dbf04f5c734fcc4cb6ed5d1a95 ] + +Commit 15faa1f67ab4 ("lan966x: Fix crash when adding interface under a lag") +fixed a similar issue in the lan966x driver caused by a NULL pointer dereference. +The ocelot_set_aggr_pgids() function in the ocelot driver has similar logic +and is susceptible to the same crash. + +This issue specifically affects the ocelot_vsc7514.c frontend, which leaves +unused ports as NULL pointers. The felix_vsc9959.c frontend is unaffected as +it uses the DSA framework which registers all ports. + +Fix this by checking if the port pointer is valid before accessing it. + +Fixes: 528d3f190c98 ("net: mscc: ocelot: drop the use of the "lags" array") +Signed-off-by: Jerry Wu +Reviewed-by: Vladimir Oltean +Link: https://patch.msgid.link/tencent_75EF812B305E26B0869C673DD1160866C90A@qq.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mscc/ocelot.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mscc/ocelot.c b/drivers/net/ethernet/mscc/ocelot.c +index 08bee56aea35f..c345d9b17c892 100644 +--- a/drivers/net/ethernet/mscc/ocelot.c ++++ b/drivers/net/ethernet/mscc/ocelot.c +@@ -2307,14 +2307,16 @@ static void ocelot_set_aggr_pgids(struct ocelot *ocelot) + + /* Now, set PGIDs for each active LAG */ + for (lag = 0; lag < ocelot->num_phys_ports; lag++) { +- struct net_device *bond = ocelot->ports[lag]->bond; ++ struct ocelot_port *ocelot_port = ocelot->ports[lag]; + int num_active_ports = 0; ++ struct net_device *bond; + unsigned long bond_mask; + u8 aggr_idx[16]; + +- if (!bond || (visited & BIT(lag))) ++ if (!ocelot_port || !ocelot_port->bond || (visited & BIT(lag))) + continue; + ++ bond = 
ocelot_port->bond; + bond_mask = ocelot_get_bond_mask(ocelot, bond); + + for_each_set_bit(port, &bond_mask, ocelot->num_phys_ports) { +-- +2.51.0 + diff --git a/queue-6.18/net-netdevsim-fix-inconsistent-carrier-state-after-l.patch b/queue-6.18/net-netdevsim-fix-inconsistent-carrier-state-after-l.patch new file mode 100644 index 0000000000..395620fdcc --- /dev/null +++ b/queue-6.18/net-netdevsim-fix-inconsistent-carrier-state-after-l.patch 
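Review bot: The new NULL check covers only the `ocelot->ports[lag]` read at the top of the LAG loop in `ocelot_set_aggr_pgids()`. The function starts before this hunk and the `for_each_set_bit()` body continues after it, so any other `ocelot->ports[...]` dereference in those parts is not visible here and may need the same guard. The description says the ocelot_vsc7514 frontend leaves unused ports as NULL, so each remaining index should either be checked or shown to be reachable only through `bond_mask`.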
@@ -0,0 +1,79 @@ +From 2c198731a405d469b4f0e27bc541216fb0a23259 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Jan 2026 00:17:32 +0900 +Subject: net: netdevsim: fix inconsistent carrier state after link/unlink + +From: Yohei Kojima + +[ Upstream commit d83dddffe1904e4a576d11a541878850a8e64cd2 ] + +This patch fixes the edge case behavior on ifup/ifdown and +linking/unlinking two netdevsim interfaces: + +1. unlink two interfaces netdevsim1 and netdevsim2 +2. ifdown netdevsim1 +3. ifup netdevsim1 +4. link two interfaces netdevsim1 and netdevsim2 +5. (Now two interfaces are linked in terms of netdevsim peer, but + carrier state of the two interfaces remains DOWN.) + +This inconsistent behavior is caused by the current implementation, +which only cares about the "link, then ifup" order, not "ifup, then +link" order. This patch fixes the inconsistency by calling +netif_carrier_on() when two netdevsim interfaces are linked. + +This patch fixes buggy behavior on NetworkManager-based systems which +causes the netdevsim test to fail with the following error: + + # timeout set to 600 + # selftests: drivers/net/netdevsim: peer.sh + # 2025/12/25 00:54:03 socat[9115] W address is opened in read-write mode but only supports read-only + # 2025/12/25 00:56:17 socat[9115] W connect(7, AF=2 192.168.1.1:1234, 16): Connection timed out + # 2025/12/25 00:56:17 socat[9115] E TCP:192.168.1.1:1234: Connection timed out + # expected 3 bytes, got 0 + # 2025/12/25 00:56:17 socat[9109] W exiting on signal 15 + not ok 13 selftests: drivers/net/netdevsim: peer.sh # exit=1 + +This patch also solves timeout on TCP Fast Open (TFO) test in +NetworkManager-based systems because it also depends on netdevsim's +carrier consistency. 
+ +Fixes: 1a8fed52f7be ("netdevsim: set the carrier when the device goes up") +Signed-off-by: Yohei Kojima +Reviewed-by: Breno Leitao +Link: https://patch.msgid.link/602c9e1ba5bb2ee1997bb38b1d866c9c3b807ae9.1767624906.git.yk@y-koj.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/netdevsim/bus.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/net/netdevsim/bus.c b/drivers/net/netdevsim/bus.c +index 70e8c38ddad6b..d16b95304aa7e 100644 +--- a/drivers/net/netdevsim/bus.c ++++ b/drivers/net/netdevsim/bus.c +@@ -332,6 +332,11 @@ static ssize_t link_device_store(const struct bus_type *bus, const char *buf, si + rcu_assign_pointer(nsim_a->peer, nsim_b); + rcu_assign_pointer(nsim_b->peer, nsim_a); + ++ if (netif_running(dev_a) && netif_running(dev_b)) { ++ netif_carrier_on(dev_a); ++ netif_carrier_on(dev_b); ++ } ++ + out_err: + put_net(ns_b); + put_net(ns_a); +@@ -381,6 +386,9 @@ static ssize_t unlink_device_store(const struct bus_type *bus, const char *buf, + if (!peer) + goto out_put_netns; + ++ netif_carrier_off(dev); ++ netif_carrier_off(peer->netdev); ++ + err = 0; + RCU_INIT_POINTER(nsim->peer, NULL); + RCU_INIT_POINTER(peer->peer, NULL); +-- +2.51.0 + diff --git a/queue-6.18/net-phy-mxl-86110-add-power-management-and-soft-rese.patch b/queue-6.18/net-phy-mxl-86110-add-power-management-and-soft-rese.patch new file mode 100644 index 0000000000..61d0821166 --- /dev/null +++ b/queue-6.18/net-phy-mxl-86110-add-power-management-and-soft-rese.patch 
@@ -0,0 +1,47 @@ +From 9f433e570b007dcfa742ca584e100bd38c2bc674 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Dec 2025 13:09:39 +0100 +Subject: net: phy: mxl-86110: Add power management and soft reset support + +From: Stefano Radaelli + +[ Upstream commit 62f7edd59964eb588e96fce1ad35a2327ea54424 ] + +Implement soft_reset, suspend, and resume callbacks using +genphy_soft_reset(), genphy_suspend(), and genphy_resume() +to fix PHY initialization and power management issues. + +The soft_reset callback is needed to properly recover the PHY after an +ifconfig down/up cycle. Without it, the PHY can remain in power-down +state, causing MDIO register access failures during config_init(). +The soft reset ensures the PHY is operational before configuration. + +The suspend/resume callbacks enable proper power management during +system suspend/resume cycles. + +Fixes: b2908a989c59 ("net: phy: add driver for MaxLinear MxL86110 PHY") +Signed-off-by: Stefano Radaelli +Link: https://patch.msgid.link/20251223120940.407195-1-stefano.r@variscite.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/mxl-86110.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/phy/mxl-86110.c b/drivers/net/phy/mxl-86110.c +index e5d137a37a1d4..42a5fe3f115f4 100644 +--- a/drivers/net/phy/mxl-86110.c ++++ b/drivers/net/phy/mxl-86110.c +@@ -938,6 +938,9 @@ static struct phy_driver mxl_phy_drvs[] = { + PHY_ID_MATCH_EXACT(PHY_ID_MXL86110), + .name = "MXL86110 Gigabit Ethernet", + .config_init = mxl86110_config_init, ++ .suspend = genphy_suspend, ++ .resume = genphy_resume, ++ .soft_reset = genphy_soft_reset, + .get_wol = mxl86110_get_wol, + .set_wol = mxl86110_set_wol, + .led_brightness_set = mxl86110_led_brightness_set, +-- +2.51.0 + diff --git a/queue-6.18/net-sched-act_api-avoid-dereferencing-err_ptr-in-tcf.patch b/queue-6.18/net-sched-act_api-avoid-dereferencing-err_ptr-in-tcf.patch new file mode 100644 index 0000000000..9b5c14fe72 
--- /dev/null +++ b/queue-6.18/net-sched-act_api-avoid-dereferencing-err_ptr-in-tcf.patch @@ -0,0 +1,45 @@ +From 3161594057fa6ec3ff2c804e08125db2762973df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jan 2026 00:59:05 +0000 +Subject: net/sched: act_api: avoid dereferencing ERR_PTR in + tcf_idrinfo_destroy + +From: Shivani Gupta + +[ Upstream commit adb25a46dc0a43173f5ea5f5f58fc8ba28970c7c ] + +syzbot reported a crash in tc_act_in_hw() during netns teardown where +tcf_idrinfo_destroy() passed an ERR_PTR(-EBUSY) value as a tc_action +pointer, leading to an invalid dereference. + +Guard against ERR_PTR entries when iterating the action IDR so teardown +does not call tc_act_in_hw() on an error pointer. + +Fixes: 84a7d6797e6a ("net/sched: acp_api: no longer acquire RTNL in tc_action_net_exit()") +Link: https://syzkaller.appspot.com/bug?extid=8f1c492ffa4644ff3826 +Reported-by: syzbot+8f1c492ffa4644ff3826@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=8f1c492ffa4644ff3826 +Signed-off-by: Shivani Gupta +Link: https://patch.msgid.link/20260105005905.243423-1-shivani07g@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/act_api.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/sched/act_api.c b/net/sched/act_api.c +index ff6be5cfe2b05..e1ab0faeb8113 100644 +--- a/net/sched/act_api.c ++++ b/net/sched/act_api.c +@@ -940,6 +940,8 @@ void tcf_idrinfo_destroy(const struct tc_action_ops *ops, + int ret; + + idr_for_each_entry_ul(idr, p, tmp, id) { ++ if (IS_ERR(p)) ++ continue; + if (tc_act_in_hw(p) && !mutex_taken) { + rtnl_lock(); + mutex_taken = true; +-- +2.51.0 + diff --git a/queue-6.18/net-sched-sch_qfq-fix-null-deref-when-deactivating-i.patch b/queue-6.18/net-sched-sch_qfq-fix-null-deref-when-deactivating-i.patch new file mode 100644 index 0000000000..3bbb27d16d --- /dev/null +++ b/queue-6.18/net-sched-sch_qfq-fix-null-deref-when-deactivating-i.patch 
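Review bot: The new `if (IS_ERR(p)) continue;` at the top of the `idr_for_each_entry_ul()` loop in tcf_idrinfo_destroy() has no comment saying why an error pointer can be stored in the action IDR, so the guard looks arbitrary to the next reader. Per the commit message the entry syzbot hit was `ERR_PTR(-EBUSY)`, presumably a reservation placeholder. I would add `/* IDR slots may hold ERR_PTR(-EBUSY) instead of a tc_action; skip them */` above the check. The rest of the loop body and whatever later releases the IDR are outside this hunk, so it is worth confirming that skipped slots are still cleaned up there.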
@@ -0,0 +1,162 @@ +From 9be1ef85487ebf3e64f10a5025f2cf7f67039c1d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jan 2026 20:41:00 -0700 +Subject: net/sched: sch_qfq: Fix NULL deref when deactivating inactive + aggregate in qfq_reset + +From: Xiang Mei + +[ Upstream commit c1d73b1480235731e35c81df70b08f4714a7d095 ] + +`qfq_class->leaf_qdisc->q.qlen > 0` does not imply that the class +itself is active. + +Two qfq_class objects may point to the same leaf_qdisc. This happens +when: + +1. one QFQ qdisc is attached to the dev as the root qdisc, and + +2. another QFQ qdisc is temporarily referenced (e.g., via qdisc_get() +/ qdisc_put()) and is pending to be destroyed, as in function +tc_new_tfilter. + +When packets are enqueued through the root QFQ qdisc, the shared +leaf_qdisc->q.qlen increases. At the same time, the second QFQ +qdisc triggers qdisc_put and qdisc_destroy: the qdisc enters +qfq_reset() with its own q->q.qlen == 0, but its class's leaf +qdisc->q.qlen > 0. Therefore, the qfq_reset would wrongly deactivate +an inactive aggregate and trigger a null-deref in qfq_deactivate_agg: + +[ 0.903172] BUG: kernel NULL pointer dereference, address: 0000000000000000 +[ 0.903571] #PF: supervisor write access in kernel mode +[ 0.903860] #PF: error_code(0x0002) - not-present page +[ 0.904177] PGD 10299b067 P4D 10299b067 PUD 10299c067 PMD 0 +[ 0.904502] Oops: Oops: 0002 [#1] SMP NOPTI +[ 0.904737] CPU: 0 UID: 0 PID: 135 Comm: exploit Not tainted 6.19.0-rc3+ #2 NONE +[ 0.905157] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014 +[ 0.905754] RIP: 0010:qfq_deactivate_agg (include/linux/list.h:992 (discriminator 2) include/linux/list.h:1006 (discriminator 2) net/sched/sch_qfq.c:1367 (discriminator 2) net/sched/sch_qfq.c:1393 (discriminator 2)) +[ 0.906046] Code: 0f 84 4d 01 00 00 48 89 70 18 8b 4b 10 48 c7 c2 ff ff ff ff 48 8b 78 08 48 d3 e2 48 21 f2 48 2b 13 48 8b 30 48 d3 ea 8b 4b 18 0 + +Code 
starting with the faulting instruction +=========================================== + 0: 0f 84 4d 01 00 00 je 0x153 + 6: 48 89 70 18 mov %rsi,0x18(%rax) + a: 8b 4b 10 mov 0x10(%rbx),%ecx + d: 48 c7 c2 ff ff ff ff mov $0xffffffffffffffff,%rdx + 14: 48 8b 78 08 mov 0x8(%rax),%rdi + 18: 48 d3 e2 shl %cl,%rdx + 1b: 48 21 f2 and %rsi,%rdx + 1e: 48 2b 13 sub (%rbx),%rdx + 21: 48 8b 30 mov (%rax),%rsi + 24: 48 d3 ea shr %cl,%rdx + 27: 8b 4b 18 mov 0x18(%rbx),%ecx + ... +[ 0.907095] RSP: 0018:ffffc900004a39a0 EFLAGS: 00010246 +[ 0.907368] RAX: ffff8881043a0880 RBX: ffff888102953340 RCX: 0000000000000000 +[ 0.907723] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 +[ 0.908100] RBP: ffff888102952180 R08: 0000000000000000 R09: 0000000000000000 +[ 0.908451] R10: ffff8881043a0000 R11: 0000000000000000 R12: ffff888102952000 +[ 0.908804] R13: ffff888102952180 R14: ffff8881043a0ad8 R15: ffff8881043a0880 +[ 0.909179] FS: 000000002a1a0380(0000) GS:ffff888196d8d000(0000) knlGS:0000000000000000 +[ 0.909572] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 0.909857] CR2: 0000000000000000 CR3: 0000000102993002 CR4: 0000000000772ef0 +[ 0.910247] PKRU: 55555554 +[ 0.910391] Call Trace: +[ 0.910527] +[ 0.910638] qfq_reset_qdisc (net/sched/sch_qfq.c:357 net/sched/sch_qfq.c:1485) +[ 0.910826] qdisc_reset (include/linux/skbuff.h:2195 include/linux/skbuff.h:2501 include/linux/skbuff.h:3424 include/linux/skbuff.h:3430 net/sched/sch_generic.c:1036) +[ 0.911040] __qdisc_destroy (net/sched/sch_generic.c:1076) +[ 0.911236] tc_new_tfilter (net/sched/cls_api.c:2447) +[ 0.911447] rtnetlink_rcv_msg (net/core/rtnetlink.c:6958) +[ 0.911663] ? __pfx_rtnetlink_rcv_msg (net/core/rtnetlink.c:6861) +[ 0.911894] netlink_rcv_skb (net/netlink/af_netlink.c:2550) +[ 0.912100] netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344) +[ 0.912296] ? 
__alloc_skb (net/core/skbuff.c:706) +[ 0.912484] netlink_sendmsg (net/netlink/af_netlink.c:1894) +[ 0.912682] sock_write_iter (net/socket.c:727 (discriminator 1) net/socket.c:742 (discriminator 1) net/socket.c:1195 (discriminator 1)) +[ 0.912880] vfs_write (fs/read_write.c:593 fs/read_write.c:686) +[ 0.913077] ksys_write (fs/read_write.c:738) +[ 0.913252] do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) +[ 0.913438] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131) +[ 0.913687] RIP: 0033:0x424c34 +[ 0.913844] Code: 89 02 48 c7 c0 ff ff ff ff eb bd 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 80 3d 2d 44 09 00 00 74 13 b8 01 00 00 00 0f 05 9 + +Code starting with the faulting instruction +=========================================== + 0: 89 02 mov %eax,(%rdx) + 2: 48 c7 c0 ff ff ff ff mov $0xffffffffffffffff,%rax + 9: eb bd jmp 0xffffffffffffffc8 + b: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1) + 12: 00 00 00 + 15: 90 nop + 16: f3 0f 1e fa endbr64 + 1a: 80 3d 2d 44 09 00 00 cmpb $0x0,0x9442d(%rip) # 0x9444e + 21: 74 13 je 0x36 + 23: b8 01 00 00 00 mov $0x1,%eax + 28: 0f 05 syscall + 2a: 09 .byte 0x9 +[ 0.914807] RSP: 002b:00007ffea1938b78 EFLAGS: 00000202 ORIG_RAX: 0000000000000001 +[ 0.915197] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000424c34 +[ 0.915556] RDX: 000000000000003c RSI: 000000002af378c0 RDI: 0000000000000003 +[ 0.915912] RBP: 00007ffea1938bc0 R08: 00000000004b8820 R09: 0000000000000000 +[ 0.916297] R10: 0000000000000001 R11: 0000000000000202 R12: 00007ffea1938d28 +[ 0.916652] R13: 00007ffea1938d38 R14: 00000000004b3828 R15: 0000000000000001 +[ 0.917039] +[ 0.917158] Modules linked in: +[ 0.917316] CR2: 0000000000000000 +[ 0.917484] ---[ end trace 0000000000000000 ]--- +[ 0.917717] RIP: 0010:qfq_deactivate_agg (include/linux/list.h:992 (discriminator 2) include/linux/list.h:1006 (discriminator 2) net/sched/sch_qfq.c:1367 (discriminator 2) 
net/sched/sch_qfq.c:1393 (discriminator 2)) +[ 0.917978] Code: 0f 84 4d 01 00 00 48 89 70 18 8b 4b 10 48 c7 c2 ff ff ff ff 48 8b 78 08 48 d3 e2 48 21 f2 48 2b 13 48 8b 30 48 d3 ea 8b 4b 18 0 + +Code starting with the faulting instruction +=========================================== + 0: 0f 84 4d 01 00 00 je 0x153 + 6: 48 89 70 18 mov %rsi,0x18(%rax) + a: 8b 4b 10 mov 0x10(%rbx),%ecx + d: 48 c7 c2 ff ff ff ff mov $0xffffffffffffffff,%rdx + 14: 48 8b 78 08 mov 0x8(%rax),%rdi + 18: 48 d3 e2 shl %cl,%rdx + 1b: 48 21 f2 and %rsi,%rdx + 1e: 48 2b 13 sub (%rbx),%rdx + 21: 48 8b 30 mov (%rax),%rsi + 24: 48 d3 ea shr %cl,%rdx + 27: 8b 4b 18 mov 0x18(%rbx),%ecx + ... +[ 0.918902] RSP: 0018:ffffc900004a39a0 EFLAGS: 00010246 +[ 0.919198] RAX: ffff8881043a0880 RBX: ffff888102953340 RCX: 0000000000000000 +[ 0.919559] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 +[ 0.919908] RBP: ffff888102952180 R08: 0000000000000000 R09: 0000000000000000 +[ 0.920289] R10: ffff8881043a0000 R11: 0000000000000000 R12: ffff888102952000 +[ 0.920648] R13: ffff888102952180 R14: ffff8881043a0ad8 R15: ffff8881043a0880 +[ 0.921014] FS: 000000002a1a0380(0000) GS:ffff888196d8d000(0000) knlGS:0000000000000000 +[ 0.921424] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 0.921710] CR2: 0000000000000000 CR3: 0000000102993002 CR4: 0000000000772ef0 +[ 0.922097] PKRU: 55555554 +[ 0.922240] Kernel panic - not syncing: Fatal exception +[ 0.922590] Kernel Offset: disabled + +Fixes: 0545a3037773 ("pkt_sched: QFQ - quick fair queue scheduler") +Signed-off-by: Xiang Mei +Link: https://patch.msgid.link/20260106034100.1780779-1-xmei5@asu.edu +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_qfq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c +index 2255355e51d35..a91a5bac8f737 100644 +--- a/net/sched/sch_qfq.c ++++ b/net/sched/sch_qfq.c +@@ -1481,7 +1481,7 @@ static void qfq_reset_qdisc(struct Qdisc 
*sch) + + for (i = 0; i < q->clhash.hashsize; i++) { + hlist_for_each_entry(cl, &q->clhash.hash[i], common.hnode) { +- if (cl->qdisc->q.qlen > 0) ++ if (cl_is_active(cl)) + qfq_deactivate_class(q, cl); + + qdisc_reset(cl->qdisc); +-- +2.51.0 + diff --git a/queue-6.18/net-sfp-return-the-number-of-written-bytes-for-smbus.patch b/queue-6.18/net-sfp-return-the-number-of-written-bytes-for-smbus.patch new file mode 100644 index 0000000000..db2b4a0e5d --- /dev/null +++ b/queue-6.18/net-sfp-return-the-number-of-written-bytes-for-smbus.patch @@ -0,0 +1,42 @@ +From e38383e18648565cf933a6b02a14b3c8f7f525a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jan 2026 16:18:39 +0100 +Subject: net: sfp: return the number of written bytes for smbus single byte + access + +From: Maxime Chevallier + +[ Upstream commit 13ff3e724207f579d3c814ee05516fefcb4f32e8 ] + +We expect the SFP write accessors to return the number of written bytes. +We fail to do so for single-byte smbus accesses, which may cause errors +when setting a module's high-power state and for some cotsworks modules. + +Let's return the amount of written bytes, as expected. + +Fixes: 7662abf4db94 ("net: phy: sfp: Add support for SMBus module access") +Signed-off-by: Maxime Chevallier +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20260105151840.144552-1-maxime.chevallier@bootlin.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/sfp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/phy/sfp.c b/drivers/net/phy/sfp.c +index 0401fa6b24d25..6b4dd906b804f 100644 +--- a/drivers/net/phy/sfp.c ++++ b/drivers/net/phy/sfp.c +@@ -763,7 +763,7 @@ static int sfp_smbus_byte_write(struct sfp *sfp, bool a2, u8 dev_addr, + dev_addr++; + } + +- return 0; ++ return data - (u8 *)buf; + } + + static int sfp_i2c_configure(struct sfp *sfp, struct i2c_adapter *i2c) +-- +2.51.0 + 
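Review bot: The switch to `cl_is_active(cl)` in qfq_reset_qdisc() would benefit from a comment, because the old `cl->qdisc->q.qlen > 0` test reads as equivalent and could be reintroduced by a later cleanup. The commit message explains that a leaf qdisc can be shared by two classes, so a non-zero leaf queue length does not mean this class is active. Suggested: `/* leaf qlen can be non-zero through a shared leaf qdisc; only deactivate classes that are really active */`. `cl_is_active()` is defined outside this hunk, so its exact test cannot be checked from here.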
diff --git a/queue-6.18/net-sock-fix-hardened-usercopy-panic-in-sock_recv_er.patch b/queue-6.18/net-sock-fix-hardened-usercopy-panic-in-sock_recv_er.patch new file mode 100644 index 0000000000..ba436254f2 --- /dev/null +++ b/queue-6.18/net-sock-fix-hardened-usercopy-panic-in-sock_recv_er.patch 
@@ -0,0 +1,114 @@ +From 33e41f658c05d39a75cf7cfb6c36e0020715d6cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Dec 2025 04:35:35 +0800 +Subject: net: sock: fix hardened usercopy panic in sock_recv_errqueue + +From: Weiming Shi + +[ Upstream commit 2a71a1a8d0ed718b1c7a9ac61f07e5755c47ae20 ] + +skbuff_fclone_cache was created without defining a usercopy region, +[1] unlike skbuff_head_cache which properly whitelists the cb[] field. +[2] This causes a usercopy BUG() when CONFIG_HARDENED_USERCOPY is +enabled and the kernel attempts to copy sk_buff.cb data to userspace +via sock_recv_errqueue() -> put_cmsg(). + +The crash occurs when: 1. TCP allocates an skb using alloc_skb_fclone() + (from skbuff_fclone_cache) [1] +2. The skb is cloned via skb_clone() using the pre-allocated fclone +[3] 3. The cloned skb is queued to sk_error_queue for timestamp +reporting 4. Userspace reads the error queue via recvmsg(MSG_ERRQUEUE) +5. sock_recv_errqueue() calls put_cmsg() to copy serr->ee from skb->cb +[4] 6. __check_heap_object() fails because skbuff_fclone_cache has no + usercopy whitelist [5] + +When cloned skbs allocated from skbuff_fclone_cache are used in the +socket error queue, accessing the sock_exterr_skb structure in skb->cb +via put_cmsg() triggers a usercopy hardening violation: + +[ 5.379589] usercopy: Kernel memory exposure attempt detected from SLUB object 'skbuff_fclone_cache' (offset 296, size 16)! +[ 5.382796] kernel BUG at mm/usercopy.c:102! 
+[ 5.383923] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI +[ 5.384903] CPU: 1 UID: 0 PID: 138 Comm: poc_put_cmsg Not tainted 6.12.57 #7 +[ 5.384903] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 +[ 5.384903] RIP: 0010:usercopy_abort+0x6c/0x80 +[ 5.384903] Code: 1a 86 51 48 c7 c2 40 15 1a 86 41 52 48 c7 c7 c0 15 1a 86 48 0f 45 d6 48 c7 c6 80 15 1a 86 48 89 c1 49 0f 45 f3 e8 84 27 88 ff <0f> 0b 490 +[ 5.384903] RSP: 0018:ffffc900006f77a8 EFLAGS: 00010246 +[ 5.384903] RAX: 000000000000006f RBX: ffff88800f0ad2a8 RCX: 1ffffffff0f72e74 +[ 5.384903] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff87b973a0 +[ 5.384903] RBP: 0000000000000010 R08: 0000000000000000 R09: fffffbfff0f72e74 +[ 5.384903] R10: 0000000000000003 R11: 79706f6372657375 R12: 0000000000000001 +[ 5.384903] R13: ffff88800f0ad2b8 R14: ffffea00003c2b40 R15: ffffea00003c2b00 +[ 5.384903] FS: 0000000011bc4380(0000) GS:ffff8880bf100000(0000) knlGS:0000000000000000 +[ 5.384903] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 5.384903] CR2: 000056aa3b8e5fe4 CR3: 000000000ea26004 CR4: 0000000000770ef0 +[ 5.384903] PKRU: 55555554 +[ 5.384903] Call Trace: +[ 5.384903] +[ 5.384903] __check_heap_object+0x9a/0xd0 +[ 5.384903] __check_object_size+0x46c/0x690 +[ 5.384903] put_cmsg+0x129/0x5e0 +[ 5.384903] sock_recv_errqueue+0x22f/0x380 +[ 5.384903] tls_sw_recvmsg+0x7ed/0x1960 +[ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5 +[ 5.384903] ? schedule+0x6d/0x270 +[ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5 +[ 5.384903] ? mutex_unlock+0x81/0xd0 +[ 5.384903] ? __pfx_mutex_unlock+0x10/0x10 +[ 5.384903] ? __pfx_tls_sw_recvmsg+0x10/0x10 +[ 5.384903] ? _raw_spin_lock_irqsave+0x8f/0xf0 +[ 5.384903] ? _raw_read_unlock_irqrestore+0x20/0x40 +[ 5.384903] ? 
srso_alias_return_thunk+0x5/0xfbef5 + +The crash offset 296 corresponds to skb2->cb within skbuff_fclones: + - sizeof(struct sk_buff) = 232 - offsetof(struct sk_buff, cb) = 40 - + offset of skb2.cb in fclones = 232 + 40 = 272 - crash offset 296 = + 272 + 24 (inside sock_exterr_skb.ee) + +This patch uses a local stack variable as a bounce buffer to avoid the hardened usercopy check failure. + +[1] https://elixir.bootlin.com/linux/v6.12.62/source/net/ipv4/tcp.c#L885 +[2] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5104 +[3] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5566 +[4] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5491 +[5] https://elixir.bootlin.com/linux/v6.12.62/source/mm/slub.c#L5719 + +Fixes: 6d07d1cd300f ("usercopy: Restrict non-usercopy caches to size 0") +Reported-by: Xiang Mei +Signed-off-by: Weiming Shi +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20251223203534.1392218-2-bestswngs@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/sock.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/core/sock.c b/net/core/sock.c +index dc03d4b5909a2..5a38837a58384 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -3836,7 +3836,7 @@ void sock_enable_timestamp(struct sock *sk, enum sock_flags flag) + int sock_recv_errqueue(struct sock *sk, struct msghdr *msg, int len, + int level, int type) + { +- struct sock_exterr_skb *serr; ++ struct sock_extended_err ee; + struct sk_buff *skb; + int copied, err; + +@@ -3856,8 +3856,9 @@ int sock_recv_errqueue(struct sock *sk, struct msghdr *msg, int len, + + sock_recv_timestamp(msg, sk, skb); + +- serr = SKB_EXT_ERR(skb); +- put_cmsg(msg, level, type, sizeof(serr->ee), &serr->ee); ++ /* We must use a bounce buffer for CONFIG_HARDENED_USERCOPY=y */ ++ ee = SKB_EXT_ERR(skb)->ee; ++ put_cmsg(msg, level, type, sizeof(ee), &ee); + + msg->msg_flags |= MSG_ERRQUEUE; + err = 
copied; +-- +2.51.0 + diff --git a/queue-6.18/net-usb-pegasus-fix-memory-leak-in-update_eth_regs_a.patch b/queue-6.18/net-usb-pegasus-fix-memory-leak-in-update_eth_regs_a.patch new file mode 100644 index 0000000000..e888c2ce5e --- /dev/null +++ b/queue-6.18/net-usb-pegasus-fix-memory-leak-in-update_eth_regs_a.patch @@ -0,0 +1,37 @@ +From 9315635e14bef5fbe8bd1fa608273a6e600de992 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Jan 2026 10:48:21 +0200 +Subject: net: usb: pegasus: fix memory leak in update_eth_regs_async() + +From: Petko Manolov + +[ Upstream commit afa27621a28af317523e0836dad430bec551eb54 ] + +When asynchronously writing to the device registers and if usb_submit_urb() +fail, the code fail to release allocated to this point resources. + +Fixes: 323b34963d11 ("drivers: net: usb: pegasus: fix control urb submission") +Signed-off-by: Petko Manolov +Link: https://patch.msgid.link/20260106084821.3746677-1-petko.manolov@konsulko.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/pegasus.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/usb/pegasus.c b/drivers/net/usb/pegasus.c +index 81ca64debc5b9..c514483134f05 100644 +--- a/drivers/net/usb/pegasus.c ++++ b/drivers/net/usb/pegasus.c +@@ -168,6 +168,8 @@ static int update_eth_regs_async(pegasus_t *pegasus) + netif_device_detach(pegasus->net); + netif_err(pegasus, drv, pegasus->net, + "%s returned %d\n", __func__, ret); ++ usb_free_urb(async_urb); ++ kfree(req); + } + return ret; + } +-- +2.51.0 + diff --git a/queue-6.18/net-wwan-iosm-fix-memory-leak-in-ipc_mux_deinit.patch b/queue-6.18/net-wwan-iosm-fix-memory-leak-in-ipc_mux_deinit.patch new file mode 100644 index 0000000000..a39ba221d1 --- /dev/null +++ b/queue-6.18/net-wwan-iosm-fix-memory-leak-in-ipc_mux_deinit.patch 
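Review bot: `struct sock_extended_err ee;` in sock_recv_errqueue() is an uninitialised stack object that is filled by struct assignment and then handed to put_cmsg() with `sizeof(ee)`, so every byte of it reaches userspace. That is only safe while the structure has no implicit padding, since a struct assignment is not required to copy padding bytes; the layout is not visible in this hunk (the usercopy report in the description shows a 16-byte copy). I would either state that invariant in the comment or copy with `memcpy(&ee, &SKB_EXT_ERR(skb)->ee, sizeof(ee));`. The comment could also name the cause, e.g. `/* skb may come from skbuff_fclone_cache, which has no usercopy region: bounce via the stack */`.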
@@ -0,0 +1,54 @@ +From 872ae6307f8fa6832bbf466af4185088df1276d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Dec 2025 07:18:53 +0000 +Subject: net: wwan: iosm: Fix memory leak in ipc_mux_deinit() + +From: Zilin Guan + +[ Upstream commit 92e6e0a87f6860a4710f9494f8c704d498ae60f8 ] + +Commit 1f52d7b62285 ("net: wwan: iosm: Enable M.2 7360 WWAN card support") +allocated memory for pp_qlt in ipc_mux_init() but did not free it in +ipc_mux_deinit(). This results in a memory leak when the driver is +unloaded. + +Free the allocated memory in ipc_mux_deinit() to fix the leak. + +Fixes: 1f52d7b62285 ("net: wwan: iosm: Enable M.2 7360 WWAN card support") +Co-developed-by: Jianhao Xu +Signed-off-by: Jianhao Xu +Signed-off-by: Zilin Guan +Reviewed-by: Loic Poulain +Link: https://patch.msgid.link/20251230071853.1062223-1-zilin@seu.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/wwan/iosm/iosm_ipc_mux.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/wwan/iosm/iosm_ipc_mux.c b/drivers/net/wwan/iosm/iosm_ipc_mux.c +index fc928b298a984..b846889fcb099 100644 +--- a/drivers/net/wwan/iosm/iosm_ipc_mux.c ++++ b/drivers/net/wwan/iosm/iosm_ipc_mux.c +@@ -456,6 +456,7 @@ void ipc_mux_deinit(struct iosm_mux *ipc_mux) + struct sk_buff_head *free_list; + union mux_msg mux_msg; + struct sk_buff *skb; ++ int i; + + if (!ipc_mux->initialized) + return; +@@ -479,5 +480,10 @@ void ipc_mux_deinit(struct iosm_mux *ipc_mux) + ipc_mux->channel->dl_pipe.is_open = false; + } + ++ if (ipc_mux->protocol != MUX_LITE) { ++ for (i = 0; i < IPC_MEM_MUX_IP_SESSION_ENTRIES; i++) ++ kfree(ipc_mux->ul_adb.pp_qlt[i]); ++ } ++ + kfree(ipc_mux); + } +-- +2.51.0 + diff --git a/queue-6.18/netdev-preserve-netif_f_all_for_all-across-tso-updat.patch b/queue-6.18/netdev-preserve-netif_f_all_for_all-across-tso-updat.patch new file mode 100644 index 0000000000..39c13cf1ca --- /dev/null 
+++ b/queue-6.18/netdev-preserve-netif_f_all_for_all-across-tso-updat.patch @@ -0,0 +1,43 @@ +From 6cf7042e70f5d0a24c17fd44afe49e492faa6e39 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Dec 2025 09:22:24 +0800 +Subject: netdev: preserve NETIF_F_ALL_FOR_ALL across TSO updates + +From: Di Zhu + +[ Upstream commit 02d1e1a3f9239cdb3ecf2c6d365fb959d1bf39df ] + +Directly increment the TSO features incurs a side effect: it will also +directly clear the flags in NETIF_F_ALL_FOR_ALL on the master device, +which can cause issues such as the inability to enable the nocache copy +feature on the bonding driver. + +The fix is to include NETIF_F_ALL_FOR_ALL in the update mask, thereby +preventing it from being cleared. + +Fixes: b0ce3508b25e ("bonding: allow TSO being set on bonding master") +Signed-off-by: Di Zhu +Link: https://patch.msgid.link/20251224012224.56185-1-zhud@hygon.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/linux/netdevice.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h +index 77c46a2823eca..c6c04cd0a6816 100644 +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -5299,7 +5299,8 @@ netdev_features_t netdev_increment_features(netdev_features_t all, + static inline netdev_features_t netdev_add_tso_features(netdev_features_t features, + netdev_features_t mask) + { +- return netdev_increment_features(features, NETIF_F_ALL_TSO, mask); ++ return netdev_increment_features(features, NETIF_F_ALL_TSO | ++ NETIF_F_ALL_FOR_ALL, mask); + } + + int __netdev_update_features(struct net_device *dev); +-- +2.51.0 + diff --git a/queue-6.18/netfilter-nf_conncount-update-last_gc-only-when-gc-h.patch b/queue-6.18/netfilter-nf_conncount-update-last_gc-only-when-gc-h.patch new file mode 100644 index 0000000000..23081bc57c --- /dev/null +++ b/queue-6.18/netfilter-nf_conncount-update-last_gc-only-when-gc-h.patch 
@@ -0,0 +1,48 @@ +From 4fe8e22facd5ca51818904d0a328a657c65d0866 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Dec 2025 15:46:40 +0100 +Subject: netfilter: nf_conncount: update last_gc only when GC has been + performed + +From: Fernando Fernandez Mancera + +[ Upstream commit 7811ba452402d58628e68faedf38745b3d485e3c ] + +Currently last_gc is being updated everytime a new connection is +tracked, that means that it is updated even if a GC wasn't performed. +With a sufficiently high packet rate, it is possible to always bypass +the GC, causing the list to grow infinitely. + +Update the last_gc value only when a GC has been actually performed. + +Fixes: d265929930e2 ("netfilter: nf_conncount: reduce unnecessary GC") +Signed-off-by: Fernando Fernandez Mancera +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conncount.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c +index 3c1b155f7a0ea..828d5c64c68a3 100644 +--- a/net/netfilter/nf_conncount.c ++++ b/net/netfilter/nf_conncount.c +@@ -229,6 +229,7 @@ static int __nf_conncount_add(struct net *net, + + nf_ct_put(found_ct); + } ++ list->last_gc = (u32)jiffies; + + add_new_node: + if (WARN_ON_ONCE(list->count > INT_MAX)) { +@@ -248,7 +249,6 @@ static int __nf_conncount_add(struct net *net, + conn->jiffies32 = (u32)jiffies; + list_add_tail(&conn->node, &list->head); + list->count++; +- list->last_gc = (u32)jiffies; + + out_put: + if (refcounted) +-- +2.51.0 + diff --git a/queue-6.18/netfilter-nf_tables-fix-memory-leak-in-nf_tables_new.patch b/queue-6.18/netfilter-nf_tables-fix-memory-leak-in-nf_tables_new.patch new file mode 100644 index 0000000000..9f3f911a84 --- /dev/null +++ b/queue-6.18/netfilter-nf_tables-fix-memory-leak-in-nf_tables_new.patch 
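Review bot: The relocated `list->last_gc = (u32)jiffies;` now sits directly above the `add_new_node:` label in __nf_conncount_add(), and nothing marks that placement as deliberate. Paths that jump to the label appear to skip the collection pass, and the description says refreshing the timestamp on those paths let a high packet rate postpone GC indefinitely and grow the list without bound. A comment such as `/* only a completed GC pass may refresh last_gc; the add_new_node shortcut must not */` would keep a later cleanup from moving the assignment back below the label. The GC loop and the jumps to the label are outside this hunk.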
@@ -0,0 +1,49 @@ +From 052b23c13f730a9535855e82aae66dd71858f378 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Dec 2025 12:48:26 +0000 +Subject: netfilter: nf_tables: fix memory leak in nf_tables_newrule() + +From: Zilin Guan + +[ Upstream commit d077e8119ddbb4fca67540f1a52453631a47f221 ] + +In nf_tables_newrule(), if nft_use_inc() fails, the function jumps to +the err_release_rule label without freeing the allocated flow, leading +to a memory leak. + +Fix this by adding a new label err_destroy_flow and jumping to it when +nft_use_inc() fails. This ensures that the flow is properly released +in this error case. + +Fixes: 1689f25924ada ("netfilter: nf_tables: report use refcount overflow") +Signed-off-by: Zilin Guan +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 1a204f6371ad1..a3669acd68a32 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -4378,7 +4378,7 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info, + + if (!nft_use_inc(&chain->use)) { + err = -EMFILE; +- goto err_release_rule; ++ goto err_destroy_flow; + } + + if (info->nlh->nlmsg_flags & NLM_F_REPLACE) { +@@ -4428,6 +4428,7 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info, + + err_destroy_flow_rule: + nft_use_dec_restore(&chain->use); ++err_destroy_flow: + if (flow) + nft_flow_rule_destroy(flow); + err_release_rule: +-- +2.51.0 + diff --git a/queue-6.18/netfilter-nft_set_pipapo-fix-range-overlap-detection.patch b/queue-6.18/netfilter-nft_set_pipapo-fix-range-overlap-detection.patch new file mode 100644 index 0000000000..d176d8aad8 --- /dev/null +++ b/queue-6.18/netfilter-nft_set_pipapo-fix-range-overlap-detection.patch 
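Review bot: The new label `err_destroy_flow:` differs from the existing `err_destroy_flow_rule:` by one suffix, and the two now sit two lines apart in nf_tables_newrule()'s unwind chain. The only difference between them is whether `nft_use_dec_restore(&chain->use)` runs, so picking the wrong one either leaks the flow again or restores a use count that was never taken. A one-line comment at the new label, `/* entered when nft_use_inc() failed: chain->use was not taken */`, would make the distinction visible. The rest of the function is outside this hunk.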
@@ -0,0 +1,62 @@ +From 5d3f20e25bc4b95c90107e979126a0689abc7179 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Dec 2025 12:20:35 +0100 +Subject: netfilter: nft_set_pipapo: fix range overlap detection + +From: Florian Westphal + +[ Upstream commit 7711f4bb4b360d9c0ff84db1c0ec91e385625047 ] + +set->klen has to be used, not sizeof(). The latter only compares a +single register but a full check of the entire key is needed. + +Example: +table ip t { + map s { + typeof iifname . ip saddr : verdict + flags interval + } +} + +nft add element t s '{ "lo" . 10.0.0.0/24 : drop }' # no error, expected +nft add element t s '{ "lo" . 10.0.0.0/24 : drop }' # no error, expected +nft add element t s '{ "lo" . 10.0.0.0/8 : drop }' # bug: no error + +The 3rd 'add element' should be rejected via -ENOTEMPTY, not -EEXIST, +so userspace / nft can report an error to the user. + +The latter is only correct for the 2nd case (re-add of existing element). + +As-is, userspace is told that the command was successful, but no elements were +added. + +After this patch, 3rd command gives: +Error: Could not process rule: File exists +add element t s { "lo" . 127.0.0.0/8 . 
"lo" : drop } + ^^^^^^^^^^^^^^^^^^^^^^^^^ + +Fixes: 0eb4b5ee33f2 ("netfilter: nft_set_pipapo: Separate partial and complete overlap cases on insertion") +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_set_pipapo.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c +index 112fe46788b6f..6d77a5f0088ad 100644 +--- a/net/netfilter/nft_set_pipapo.c ++++ b/net/netfilter/nft_set_pipapo.c +@@ -1317,8 +1317,8 @@ static int nft_pipapo_insert(const struct net *net, const struct nft_set *set, + else + dup_end = dup_key; + +- if (!memcmp(start, dup_key->data, sizeof(*dup_key->data)) && +- !memcmp(end, dup_end->data, sizeof(*dup_end->data))) { ++ if (!memcmp(start, dup_key->data, set->klen) && ++ !memcmp(end, dup_end->data, set->klen)) { + *elem_priv = &dup->priv; + return -EEXIST; + } +-- +2.51.0 + diff --git a/queue-6.18/netfilter-nft_synproxy-avoid-possible-data-race-on-u.patch b/queue-6.18/netfilter-nft_synproxy-avoid-possible-data-race-on-u.patch new file mode 100644 index 0000000000..8af937b671 --- /dev/null +++ b/queue-6.18/netfilter-nft_synproxy-avoid-possible-data-race-on-u.patch 
@@ -0,0 +1,55 @@ +From 3b8f1179a0714cede677bc3c9875ffe55b2059ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Dec 2025 21:21:59 +0100 +Subject: netfilter: nft_synproxy: avoid possible data-race on update operation + +From: Fernando Fernandez Mancera + +[ Upstream commit 36a3200575642846a96436d503d46544533bb943 ] + +During nft_synproxy eval we are reading nf_synproxy_info struct which +can be modified on update operation concurrently. As nf_synproxy_info +struct fits in 32 bits, use READ_ONCE/WRITE_ONCE annotations. + +Fixes: ee394f96ad75 ("netfilter: nft_synproxy: add synproxy stateful object support") +Signed-off-by: Fernando Fernandez Mancera +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_synproxy.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/netfilter/nft_synproxy.c b/net/netfilter/nft_synproxy.c +index 5d3e518259859..4d3e5a31b4125 100644 +--- a/net/netfilter/nft_synproxy.c ++++ b/net/netfilter/nft_synproxy.c +@@ -48,7 +48,7 @@ static void nft_synproxy_eval_v4(const struct nft_synproxy *priv, + struct tcphdr *_tcph, + struct synproxy_options *opts) + { +- struct nf_synproxy_info info = priv->info; ++ struct nf_synproxy_info info = READ_ONCE(priv->info); + struct net *net = nft_net(pkt); + struct synproxy_net *snet = synproxy_pernet(net); + struct sk_buff *skb = pkt->skb; +@@ -79,7 +79,7 @@ static void nft_synproxy_eval_v6(const struct nft_synproxy *priv, + struct tcphdr *_tcph, + struct synproxy_options *opts) + { +- struct nf_synproxy_info info = priv->info; ++ struct nf_synproxy_info info = READ_ONCE(priv->info); + struct net *net = nft_net(pkt); + struct synproxy_net *snet = synproxy_pernet(net); + struct sk_buff *skb = pkt->skb; +@@ -340,7 +340,7 @@ static void nft_synproxy_obj_update(struct nft_object *obj, + struct nft_synproxy *newpriv = nft_obj_data(newobj); + struct nft_synproxy *priv = nft_obj_data(obj); + +- priv->info = newpriv->info; ++ WRITE_ONCE(priv->info, 
newpriv->info); + } + + static struct nft_object_type nft_synproxy_obj_type; +-- +2.51.0 + diff --git a/queue-6.18/netfs-fix-early-read-unlock-of-page-with-eof-in-midd.patch b/queue-6.18/netfs-fix-early-read-unlock-of-page-with-eof-in-midd.patch new file mode 100644 index 0000000000..070bb5d9a3 --- /dev/null +++ b/queue-6.18/netfs-fix-early-read-unlock-of-page-with-eof-in-midd.patch 
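Review bot: The READ_ONCE()/WRITE_ONCE() pairs on priv->info in nft_synproxy_eval_v4(), nft_synproxy_eval_v6() and nft_synproxy_obj_update() only give an untorn copy while struct nf_synproxy_info fits in one machine word, and that size assumption is stated only in the commit message. If a field is ever added, the annotation may keep compiling (as far as I recall its type check also accepts 8-byte objects) while a 32-bit build could again observe a half-updated struct. Pinning the assumption next to the writer would make it checkable: `BUILD_BUG_ON(sizeof(struct nf_synproxy_info) > sizeof(u32));` in nft_synproxy_obj_update(). Both eval functions continue outside their hunks.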
@@ -0,0 +1,106 @@ +From 08f97bc7f4105fb660f7a6b8ec9580350f86e6a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 Dec 2025 12:31:40 +0000 +Subject: netfs: Fix early read unlock of page with EOF in middle + +From: David Howells + +[ Upstream commit 570ad253a3455a520f03c2136af8714bc780186d ] + +The read result collection for buffered reads seems to run ahead of the +completion of subrequests under some circumstances, as can be seen in the +following log snippet: + + 9p_client_res: client 18446612686390831168 response P9_TREAD tag 0 err 0 + ... + netfs_sreq: R=00001b55[1] DOWN TERM f=192 s=0 5fb2/5fb2 s=5 e=0 + ... + netfs_collect_folio: R=00001b55 ix=00004 r=4000-5000 t=4000/5fb2 + netfs_folio: i=157f3 ix=00004-00004 read-done + netfs_folio: i=157f3 ix=00004-00004 read-unlock + netfs_collect_folio: R=00001b55 ix=00005 r=5000-5fb2 t=5000/5fb2 + netfs_folio: i=157f3 ix=00005-00005 read-done + netfs_folio: i=157f3 ix=00005-00005 read-unlock + ... + netfs_collect_stream: R=00001b55[0:] cto=5fb2 frn=ffffffff + netfs_collect_state: R=00001b55 col=5fb2 cln=6000 n=c + netfs_collect_stream: R=00001b55[0:] cto=5fb2 frn=ffffffff + netfs_collect_state: R=00001b55 col=5fb2 cln=6000 n=8 + ... + netfs_sreq: R=00001b55[2] ZERO SUBMT f=000 s=5fb2 0/4e s=0 e=0 + netfs_sreq: R=00001b55[2] ZERO TERM f=102 s=5fb2 4e/4e s=5 e=0 + +The 'cto=5fb2' indicates the collected file pos we've collected results to +so far - but we still have 0x4e more bytes to go - so we shouldn't have +collected folio ix=00005 yet. The 'ZERO' subreq that clears the tail +happens after we unlock the folio, allowing the application to see the +uncleared tail through mmap. + +The problem is that netfs_read_unlock_folios() will unlock a folio in which +the amount of read results collected hits EOF position - but the ZERO +subreq lies beyond that and so happens after. + +Fix this by changing the end check to always be the end of the folio and +never the end of the file. 
+ +In the future, I should look at clearing to the end of the folio here rather +than adding a ZERO subreq to do this. On the other hand, the ZERO subreq can +run in parallel with an async READ subreq. Further, the ZERO subreq may still +be necessary to, say, handle extents in a ceph file that don't have any +backing store and are thus implicitly all zeros. + +This can be reproduced by creating a file, the size of which doesn't align +to a page boundary, e.g. 24998 (0x5fb2) bytes and then doing something +like: + + xfs_io -c "mmap -r 0 0x6000" -c "madvise -d 0 0x6000" \ + -c "mread -v 0 0x6000" /xfstest.test/x + +The last 0x4e bytes should all be 00, but if the tail hasn't been cleared +yet, you may see rubbish there. This can be reproduced with kafs by +modifying the kernel to disable the call to netfs_read_subreq_progress() +and to stop afs_issue_read() from doing the async call for NETFS_READAHEAD. +Reproduction can be made easier by inserting an mdelay(100) in +netfs_issue_read() for the ZERO-subreq case. + +AFS and CIFS are normally unlikely to show this as they dispatch READ ops +asynchronously, which allows the ZERO-subreq to finish first. 9P's READ op is +completely synchronous, so the ZERO-subreq will always happen after. It isn't +seen all the time, though, because the collection may be done in a worker +thread. 
+ +Reported-by: Christian Schoenebeck +Link: https://lore.kernel.org/r/8622834.T7Z3S40VBb@weasel/ +Signed-off-by: David Howells +Link: https://patch.msgid.link/938162.1766233900@warthog.procyon.org.uk +Fixes: e2d46f2ec332 ("netfs: Change the read result collector to only use one work item") +Tested-by: Christian Schoenebeck +Acked-by: Dominique Martinet +Suggested-by: Dominique Martinet +cc: Dominique Martinet +cc: Christian Schoenebeck +cc: v9fs@lists.linux.dev +cc: netfs@lists.linux.dev +cc: linux-fsdevel@vger.kernel.org +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/netfs/read_collect.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/netfs/read_collect.c b/fs/netfs/read_collect.c +index a95e7aadafd07..7a0ffa675fb17 100644 +--- a/fs/netfs/read_collect.c ++++ b/fs/netfs/read_collect.c +@@ -137,7 +137,7 @@ static void netfs_read_unlock_folios(struct netfs_io_request *rreq, + rreq->front_folio_order = order; + fsize = PAGE_SIZE << order; + fpos = folio_pos(folio); +- fend = umin(fpos + fsize, rreq->i_size); ++ fend = fpos + fsize; + + trace_netfs_collect_folio(rreq, folio, fend, collected_to); + +-- +2.51.0 + diff --git a/queue-6.18/pci-vga-don-t-assume-the-only-vga-device-on-a-system.patch b/queue-6.18/pci-vga-don-t-assume-the-only-vga-device-on-a-system.patch new file mode 100644 index 0000000000..14ec4153f5 --- /dev/null +++ b/queue-6.18/pci-vga-don-t-assume-the-only-vga-device-on-a-system.patch 
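Review bot: The new `fend = fpos + fsize;` in netfs_read_unlock_folios() carries no comment saying why the end check deliberately ignores rreq->i_size, and the removed umin() clamp looks like an obvious "optimisation" someone could restore. The consequence described in the commit message is that a folio is unlocked before the ZERO subrequest has cleared its tail, which lets an application see uncleared data through mmap. I would add above the assignment `/* Folio end, not EOF: the tail past i_size is cleared by a later ZERO subreq that must finish before unlock */`. The function body continues outside the hunk, so later uses of fend should be checked against the unclamped value.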
@@ -0,0 +1,55 @@
+From 3625bb833d38bde1145dd4acc37a643fd170f1d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 5 Jan 2026 22:46:38 -0600
+Subject: PCI/VGA: Don't assume the only VGA device on a system is `boot_vga`
+
+From: Mario Limonciello (AMD)
+
+[ Upstream commit fd390ff144513eb0310c350b1cf5fa8d6ddd0c53 ]
+
+Some systems ship with multiple display class devices but not all
+of them are VGA devices. If the "only" VGA device on the system is not
+used for displaying the image on the screen marking it as `boot_vga`
+because nothing was found is totally wrong.
+
+This behavior actually leads to mistakes of the wrong device being
+advertised to userspace and then userspace can make incorrect decisions.
+
+As there is an accurate `boot_display` sysfs file stop lying about
+`boot_vga` by assuming if nothing is found it's the right device.
+
+Reported-by: Aaron Erhardt
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220712
+Tested-by: Aaron Erhardt
+Acked-by: Thomas Zimmermann
+Fixes: ad90860bd10ee ("fbcon: Use screen info to find primary device")
+Tested-by: Luke D. Jones
+Signed-off-by: Mario Limonciello (AMD)
+Signed-off-by: Thomas Zimmermann
+Link: https://patch.msgid.link/20260106044638.52906-1-superm1@kernel.org
+Signed-off-by: Sasha Levin
+---
+ drivers/pci/vgaarb.c | 7 -------
+ 1 file changed, 7 deletions(-)
+
+diff --git a/drivers/pci/vgaarb.c b/drivers/pci/vgaarb.c
+index 436fa7f4c3873..baa242b140993 100644
+--- a/drivers/pci/vgaarb.c
++++ b/drivers/pci/vgaarb.c
+@@ -652,13 +652,6 @@ static bool vga_is_boot_device(struct vga_device *vgadev)
+ return true;
+ }
+
+- /*
+- * Vgadev has neither IO nor MEM enabled. If we haven't found any
+- * other VGA devices, it is the best candidate so far.
+- */
+- if (!boot_vga)
+- return true;
+-
+ return false;
+ }
+
+--
+2.51.0
+
diff --git a/queue-6.18/perf-ensure-swevent-hrtimer-is-properly-destroyed.patch b/queue-6.18/perf-ensure-swevent-hrtimer-is-properly-destroyed.patch
new file mode 100644
index 0000000000..eb097ac320
--- /dev/null
+++ b/queue-6.18/perf-ensure-swevent-hrtimer-is-properly-destroyed.patch
@@ -0,0 +1,53 @@
+From 6aa5d3195bfc83fac2aad710eb45c793c3c7b6de Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 20 Dec 2025 14:14:41 +0100
+Subject: perf: Ensure swevent hrtimer is properly destroyed
+
+From: Peter Zijlstra
+
+[ Upstream commit ff5860f5088e9076ebcccf05a6ca709d5935cfa9 ]
+
+With the change to hrtimer_try_to_cancel() in
+perf_swevent_cancel_hrtimer() it appears possible for the hrtimer to
+still be active by the time the event gets freed.
+
+Make sure the event does a full hrtimer_cancel() on the free path by
+installing a perf_event::destroy handler.
+
+Fixes: eb3182ef0405 ("perf/core: Fix system hang caused by cpu-clock usage")
+Reported-by: CyberUnicorns
+Tested-by: CyberUnicorns
+Debugged-by: Thomas Gleixner
+Signed-off-by: Peter Zijlstra (Intel)
+Signed-off-by: Sasha Levin
+---
+ kernel/events/core.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index 413b88a4e00fb..d95f9dce018f4 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -11835,6 +11835,11 @@ static void perf_swevent_cancel_hrtimer(struct perf_event *event)
+ }
+ }
+
++static void perf_swevent_destroy_hrtimer(struct perf_event *event)
++{
++ hrtimer_cancel(&event->hw.hrtimer);
++}
++
+ static void perf_swevent_init_hrtimer(struct perf_event *event)
+ {
+ struct hw_perf_event *hwc = &event->hw;
+@@ -11843,6 +11848,7 @@ static void perf_swevent_init_hrtimer(struct perf_event *event)
+ return;
+
+ hrtimer_setup(&hwc->hrtimer, perf_swevent_hrtimer, CLOCK_MONOTONIC, HRTIMER_MODE_REL_HARD);
++ event->destroy = perf_swevent_destroy_hrtimer;
+
+ /*
+ * Since hrtimers have a fixed rate, we can do a static freq->period
+--
+2.51.0
+
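Review bot: `event->destroy = perf_swevent_destroy_hrtimer;` in perf_swevent_init_hrtimer() is an unconditional store, so a destroy callback installed earlier by a caller would be replaced without notice. The callers are outside the hunk, so whether any of them sets one cannot be told from here. If none is expected to, `WARN_ON_ONCE(event->destroy);` just before the store would make that assumption checkable. Because a timer that is still armed when the event is freed is a use-after-free, the assignment also deserves a why-comment, e.g. `/* free path needs a blocking hrtimer_cancel(); perf_swevent_cancel_hrtimer() only tries */`. The init function's body continues outside the hunk.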
diff --git a/queue-6.18/pinctrl-mediatek-mt8189-restore-previous-register-ba.patch b/queue-6.18/pinctrl-mediatek-mt8189-restore-previous-register-ba.patch new file mode 100644 index 0000000000..696db8a7e3 --- /dev/null +++ b/queue-6.18/pinctrl-mediatek-mt8189-restore-previous-register-ba.patch 
@@ -0,0 +1,54 @@ +From 626fe4931bc7f951bba2a97e27d228de7270bc37 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Dec 2025 12:32:42 +0100 +Subject: pinctrl: mediatek: mt8189: restore previous register base name array + order + +From: Louis-Alexis Eyraud + +[ Upstream commit fa917d3d570279dc3d699cbd947d0da0fde2e402 ] + +In mt8189-pinctrl driver, a previous commit changed the register base +name array (mt8189_pinctrl_register_base_names) entry name and order to +align it with the same name and order as the "mediatek,mt8189-pinctrl" +devicetree bindings. The new order (by ascending register address) now +causes an issue with MT8189 pinctrl configuration. + +MT8189 SoC has multiple base addresses for the pin configuration +registers. Several constant data structures, declaring each pin +configuration, are using PIN_FIELD_BASE() macro which i_base parameter +indicates for a given pin the lookup index in the base register address +array of the driver internal data for the configuration register +read/write accesses. But in practice, this parameter is given a +hardcoded numerical value that corresponds to the expected base +register entry index in mt8189_pinctrl_register_base_names array. +Since this array reordering, the i_base index matching is no more +correct. + +So, in order to avoid modifying over a thousand of PIN_FIELD_BASE() +calls, restore previous mt8189_pinctrl_register_base_names entry order. 
+ +Fixes: 518919276c41 ("pinctrl: mediatek: mt8189: align register base names to dt-bindings ones") +Signed-off-by: Louis-Alexis Eyraud +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/mediatek/pinctrl-mt8189.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/mediatek/pinctrl-mt8189.c b/drivers/pinctrl/mediatek/pinctrl-mt8189.c +index f6a3e584588b0..cd4cdff309a12 100644 +--- a/drivers/pinctrl/mediatek/pinctrl-mt8189.c ++++ b/drivers/pinctrl/mediatek/pinctrl-mt8189.c +@@ -1642,7 +1642,7 @@ static const struct mtk_pin_reg_calc mt8189_reg_cals[PINCTRL_PIN_REG_MAX] = { + }; + + static const char * const mt8189_pinctrl_register_base_names[] = { +- "base", "lm", "rb0", "rb1", "bm0", "bm1", "bm2", "lt0", "lt1", "rt", ++ "base", "bm0", "bm1", "bm2", "lm", "lt0", "lt1", "rb0", "rb1", "rt", + }; + + static const struct mtk_eint_hw mt8189_eint_hw = { +-- +2.51.0 + diff --git a/queue-6.18/revert-dsa-mv88e6xxx-make-serdes-sgmii-fiber-tx-ampl.patch b/queue-6.18/revert-dsa-mv88e6xxx-make-serdes-sgmii-fiber-tx-ampl.patch new file mode 100644 index 0000000000..42486c5c2e --- /dev/null +++ b/queue-6.18/revert-dsa-mv88e6xxx-make-serdes-sgmii-fiber-tx-ampl.patch 
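Review bot: The restored order of mt8189_pinctrl_register_base_names[] is coupled to the numeric i_base values hard-coded in the PIN_FIELD_BASE() tables, and nothing at the array says so. The commit this one fixes shows how easily the array gets re-sorted to match the dt-bindings. A wrong index makes pin configuration reads and writes go to a different register base, per the commit message. I would add above the array `/* Order is ABI for the PIN_FIELD_BASE() i_base indices in this file; do not reorder to match the bindings */`. Longer term, named index constants shared by the array and the tables would let the compiler enforce the pairing, but that is outside what this hunk touches.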
@@ -0,0 +1,209 @@ +From a6b8ccc4894a67c65ef37717e2b1868e66032615 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Jan 2026 11:39:52 +0200 +Subject: Revert "dsa: mv88e6xxx: make serdes SGMII/Fiber tx amplitude + configurable" + +From: Vladimir Oltean + +[ Upstream commit 7801edc9badd972cb62cf11c0427e70b6dca239d ] + +This reverts commit 926eae604403acfa27ba5b072af458e87e634a50, which +never could have produced the intended effect: +https://lore.kernel.org/netdev/AM0PR06MB10396BBF8B568D77556FC46F8F7DEA@AM0PR06MB10396.eurprd06.prod.outlook.com/ + +The reason why it is broken beyond repair in this form is that the +mv88e6xxx driver outsources its "tx-p2p-microvolt" property to the OF +node of an external Ethernet PHY. This: +(a) does not work if there is no external PHY (chip-to-chip connection, + or SFP module) +(b) pollutes the OF property namespace / bindings of said external PHY + ("tx-p2p-microvolt" could have meaning for the Ethernet PHY's SerDes + interface as well) + +We can revisit the idea of making SerDes amplitude configurable once we +have proper bindings for the mv88e6xxx SerDes. Until then, remove the +code that leaves us with unnecessary baggage. 
+ +Fixes: 926eae604403 ("dsa: mv88e6xxx: make serdes SGMII/Fiber tx amplitude configurable") +Cc: Holger Brunck +Signed-off-by: Vladimir Oltean +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20260104093952.486606-1-vladimir.oltean@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/mv88e6xxx/chip.c | 23 --------------- + drivers/net/dsa/mv88e6xxx/chip.h | 4 --- + drivers/net/dsa/mv88e6xxx/serdes.c | 46 ------------------------------ + drivers/net/dsa/mv88e6xxx/serdes.h | 5 ---- + 4 files changed, 78 deletions(-) + +diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c +index b4d48997bf467..09002c853b78e 100644 +--- a/drivers/net/dsa/mv88e6xxx/chip.c ++++ b/drivers/net/dsa/mv88e6xxx/chip.c +@@ -3364,13 +3364,10 @@ static int mv88e6xxx_setup_upstream_port(struct mv88e6xxx_chip *chip, int port) + + static int mv88e6xxx_setup_port(struct mv88e6xxx_chip *chip, int port) + { +- struct device_node *phy_handle = NULL; + struct fwnode_handle *ports_fwnode; + struct fwnode_handle *port_fwnode; + struct dsa_switch *ds = chip->ds; + struct mv88e6xxx_port *p; +- struct dsa_port *dp; +- int tx_amp; + int err; + u16 reg; + u32 val; +@@ -3582,23 +3579,6 @@ static int mv88e6xxx_setup_port(struct mv88e6xxx_chip *chip, int port) + return err; + } + +- if (chip->info->ops->serdes_set_tx_amplitude) { +- dp = dsa_to_port(ds, port); +- if (dp) +- phy_handle = of_parse_phandle(dp->dn, "phy-handle", 0); +- +- if (phy_handle && !of_property_read_u32(phy_handle, +- "tx-p2p-microvolt", +- &tx_amp)) +- err = chip->info->ops->serdes_set_tx_amplitude(chip, +- port, tx_amp); +- if (phy_handle) { +- of_node_put(phy_handle); +- if (err) +- return err; +- } +- } +- + /* Port based VLAN map: give each port the same default address + * database, and allow bidirectional communication between the + * CPU and DSA port(s), and the other ports. 
+@@ -4768,7 +4748,6 @@ static const struct mv88e6xxx_ops mv88e6176_ops = { + .serdes_irq_mapping = mv88e6352_serdes_irq_mapping, + .serdes_get_regs_len = mv88e6352_serdes_get_regs_len, + .serdes_get_regs = mv88e6352_serdes_get_regs, +- .serdes_set_tx_amplitude = mv88e6352_serdes_set_tx_amplitude, + .gpio_ops = &mv88e6352_gpio_ops, + .phylink_get_caps = mv88e6352_phylink_get_caps, + .pcs_ops = &mv88e6352_pcs_ops, +@@ -5044,7 +5023,6 @@ static const struct mv88e6xxx_ops mv88e6240_ops = { + .serdes_irq_mapping = mv88e6352_serdes_irq_mapping, + .serdes_get_regs_len = mv88e6352_serdes_get_regs_len, + .serdes_get_regs = mv88e6352_serdes_get_regs, +- .serdes_set_tx_amplitude = mv88e6352_serdes_set_tx_amplitude, + .gpio_ops = &mv88e6352_gpio_ops, + .avb_ops = &mv88e6352_avb_ops, + .ptp_ops = &mv88e6352_ptp_ops, +@@ -5481,7 +5459,6 @@ static const struct mv88e6xxx_ops mv88e6352_ops = { + .serdes_get_stats = mv88e6352_serdes_get_stats, + .serdes_get_regs_len = mv88e6352_serdes_get_regs_len, + .serdes_get_regs = mv88e6352_serdes_get_regs, +- .serdes_set_tx_amplitude = mv88e6352_serdes_set_tx_amplitude, + .phylink_get_caps = mv88e6352_phylink_get_caps, + .pcs_ops = &mv88e6352_pcs_ops, + }; +diff --git a/drivers/net/dsa/mv88e6xxx/chip.h b/drivers/net/dsa/mv88e6xxx/chip.h +index 2f211e55cb47b..e073446ee7d02 100644 +--- a/drivers/net/dsa/mv88e6xxx/chip.h ++++ b/drivers/net/dsa/mv88e6xxx/chip.h +@@ -642,10 +642,6 @@ struct mv88e6xxx_ops { + void (*serdes_get_regs)(struct mv88e6xxx_chip *chip, int port, + void *_p); + +- /* SERDES SGMII/Fiber Output Amplitude */ +- int (*serdes_set_tx_amplitude)(struct mv88e6xxx_chip *chip, int port, +- int val); +- + /* Address Translation Unit operations */ + int (*atu_get_hash)(struct mv88e6xxx_chip *chip, u8 *hash); + int (*atu_set_hash)(struct mv88e6xxx_chip *chip, u8 hash); +diff --git a/drivers/net/dsa/mv88e6xxx/serdes.c b/drivers/net/dsa/mv88e6xxx/serdes.c +index b3330211edbca..a936ee80ce006 100644 +--- a/drivers/net/dsa/mv88e6xxx/serdes.c 
++++ b/drivers/net/dsa/mv88e6xxx/serdes.c +@@ -25,14 +25,6 @@ static int mv88e6352_serdes_read(struct mv88e6xxx_chip *chip, int reg, + reg, val); + } + +-static int mv88e6352_serdes_write(struct mv88e6xxx_chip *chip, int reg, +- u16 val) +-{ +- return mv88e6xxx_phy_page_write(chip, MV88E6352_ADDR_SERDES, +- MV88E6352_SERDES_PAGE_FIBER, +- reg, val); +-} +- + static int mv88e6390_serdes_read(struct mv88e6xxx_chip *chip, + int lane, int device, int reg, u16 *val) + { +@@ -506,41 +498,3 @@ void mv88e6390_serdes_get_regs(struct mv88e6xxx_chip *chip, int port, void *_p) + p[i] = reg; + } + } +- +-static const int mv88e6352_serdes_p2p_to_reg[] = { +- /* Index of value in microvolts corresponds to the register value */ +- 14000, 112000, 210000, 308000, 406000, 504000, 602000, 700000, +-}; +- +-int mv88e6352_serdes_set_tx_amplitude(struct mv88e6xxx_chip *chip, int port, +- int val) +-{ +- bool found = false; +- u16 ctrl, reg; +- int err; +- int i; +- +- err = mv88e6352_g2_scratch_port_has_serdes(chip, port); +- if (err <= 0) +- return err; +- +- for (i = 0; i < ARRAY_SIZE(mv88e6352_serdes_p2p_to_reg); ++i) { +- if (mv88e6352_serdes_p2p_to_reg[i] == val) { +- reg = i; +- found = true; +- break; +- } +- } +- +- if (!found) +- return -EINVAL; +- +- err = mv88e6352_serdes_read(chip, MV88E6352_SERDES_SPEC_CTRL2, &ctrl); +- if (err) +- return err; +- +- ctrl &= ~MV88E6352_SERDES_OUT_AMP_MASK; +- ctrl |= reg; +- +- return mv88e6352_serdes_write(chip, MV88E6352_SERDES_SPEC_CTRL2, ctrl); +-} +diff --git a/drivers/net/dsa/mv88e6xxx/serdes.h b/drivers/net/dsa/mv88e6xxx/serdes.h +index ad887d8601bcb..17a3e85fabaa3 100644 +--- a/drivers/net/dsa/mv88e6xxx/serdes.h ++++ b/drivers/net/dsa/mv88e6xxx/serdes.h +@@ -29,8 +29,6 @@ struct phylink_link_state; + #define MV88E6352_SERDES_INT_FIBRE_ENERGY BIT(4) + #define MV88E6352_SERDES_INT_STATUS 0x13 + +-#define MV88E6352_SERDES_SPEC_CTRL2 0x1a +-#define MV88E6352_SERDES_OUT_AMP_MASK 0x0007 + + #define MV88E6341_PORT5_LANE 0x15 + +@@ -140,9 
+138,6 @@ void mv88e6352_serdes_get_regs(struct mv88e6xxx_chip *chip, int port, void *_p); + int mv88e6390_serdes_get_regs_len(struct mv88e6xxx_chip *chip, int port); + void mv88e6390_serdes_get_regs(struct mv88e6xxx_chip *chip, int port, void *_p); + +-int mv88e6352_serdes_set_tx_amplitude(struct mv88e6xxx_chip *chip, int port, +- int val); +- + /* Return the (first) SERDES lane address a port is using, -errno otherwise. */ + static inline int mv88e6xxx_serdes_get_lane(struct mv88e6xxx_chip *chip, + int port) +-- +2.51.0 + diff --git a/queue-6.18/riscv-cpufeature-fix-zk-bundled-extension-missing-zk.patch b/queue-6.18/riscv-cpufeature-fix-zk-bundled-extension-missing-zk.patch new file mode 100644 index 0000000000..07b6e85878 --- /dev/null +++ b/queue-6.18/riscv-cpufeature-fix-zk-bundled-extension-missing-zk.patch 
@@ -0,0 +1,78 @@ +From bc9dd368ce9f2da835ace34a199a5ee3e42255da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Dec 2025 10:44:27 +0800 +Subject: riscv: cpufeature: Fix Zk bundled extension missing Zknh +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Guodong Xu + +[ Upstream commit 8632180daf735074a746ce2b3808a8f2c079310e ] + +The Zk extension is a bundle consisting of Zkn, Zkr, and Zkt. The Zkn +extension itself is a bundle consisting of Zbkb, Zbkc, Zbkx, Zknd, Zkne, +and Zknh. + +The current implementation of riscv_zk_bundled_exts manually listed +the dependencies but missed RISCV_ISA_EXT_ZKNH. + +Fix this by introducing a RISCV_ISA_EXT_ZKN macro that lists the Zkn +components and using it in both riscv_zk_bundled_exts and +riscv_zkn_bundled_exts. + +This adds the missing Zknh extension to Zk and reduces code duplication. + +Fixes: 0d8295ed975b ("riscv: add ISA extension parsing for scalar crypto") +Link: https://patch.msgid.link/20231114141256.126749-4-cleger@rivosinc.com/ +Signed-off-by: Guodong Xu +Reviewed-by: Clément Léger +Link: https://patch.msgid.link/20251223-zk-missing-zknh-v1-1-b627c990ee1a@riscstar.com +Signed-off-by: Paul Walmsley +Signed-off-by: Sasha Levin +--- + arch/riscv/kernel/cpufeature.c | 23 +++++++++++------------ + 1 file changed, 11 insertions(+), 12 deletions(-) + +diff --git a/arch/riscv/kernel/cpufeature.c b/arch/riscv/kernel/cpufeature.c +index 72ca768f4e919..2367e9755524a 100644 +--- a/arch/riscv/kernel/cpufeature.c ++++ b/arch/riscv/kernel/cpufeature.c +@@ -279,23 +279,22 @@ static const unsigned int riscv_a_exts[] = { + RISCV_ISA_EXT_ZALRSC, + }; + ++#define RISCV_ISA_EXT_ZKN \ ++ RISCV_ISA_EXT_ZBKB, \ ++ RISCV_ISA_EXT_ZBKC, \ ++ RISCV_ISA_EXT_ZBKX, \ ++ RISCV_ISA_EXT_ZKND, \ ++ RISCV_ISA_EXT_ZKNE, \ ++ RISCV_ISA_EXT_ZKNH ++ + static const unsigned int riscv_zk_bundled_exts[] = { +- RISCV_ISA_EXT_ZBKB, +- RISCV_ISA_EXT_ZBKC, +- RISCV_ISA_EXT_ZBKX, +- 
RISCV_ISA_EXT_ZKND, +- RISCV_ISA_EXT_ZKNE, ++ RISCV_ISA_EXT_ZKN, + RISCV_ISA_EXT_ZKR, +- RISCV_ISA_EXT_ZKT, ++ RISCV_ISA_EXT_ZKT + }; + + static const unsigned int riscv_zkn_bundled_exts[] = { +- RISCV_ISA_EXT_ZBKB, +- RISCV_ISA_EXT_ZBKC, +- RISCV_ISA_EXT_ZBKX, +- RISCV_ISA_EXT_ZKND, +- RISCV_ISA_EXT_ZKNE, +- RISCV_ISA_EXT_ZKNH, ++ RISCV_ISA_EXT_ZKN + }; + + static const unsigned int riscv_zks_bundled_exts[] = { +-- +2.51.0 + diff --git a/queue-6.18/riscv-pgtable-cleanup-useless-va_user_xxx-definition.patch b/queue-6.18/riscv-pgtable-cleanup-useless-va_user_xxx-definition.patch new file mode 100644 index 0000000000..908445c1e3 --- /dev/null +++ b/queue-6.18/riscv-pgtable-cleanup-useless-va_user_xxx-definition.patch 
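Review bot: The new RISCV_ISA_EXT_ZKN macro expands to a comma-separated list of six extension IDs, but its name follows the same pattern as the scalar ID constants next to it (RISCV_ISA_EXT_ZKNH, RISCV_ISA_EXT_ZKR). Used anywhere other than an array initialiser it would turn into a comma expression or extra arguments rather than fail obviously. A name that marks it as a list, or at least a comment on the define such as `/* initialiser fragment: the Zkn member list, not an extension ID */`, would prevent that. The hunk also drops the trailing commas after RISCV_ISA_EXT_ZKT and RISCV_ISA_EXT_ZKN, which is legal but makes the next added entry a two-line diff. Keeping them would match the unchanged arrays visible around the hunk.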
@@ -0,0 +1,41 @@ +From e087ca13929254be2e88be6f91e1607bb32e31a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 30 Nov 2025 19:58:50 -0500 +Subject: riscv: pgtable: Cleanup useless VA_USER_XXX definitions + +From: Guo Ren (Alibaba DAMO Academy) + +[ Upstream commit 5e5be092ffadcab0093464ccd9e30f0c5cce16b9 ] + +These marcos are not used after commit b5b4287accd7 ("riscv: mm: Use +hint address in mmap if available"). Cleanup VA_USER_XXX definitions +in asm/pgtable.h. + +Fixes: b5b4287accd7 ("riscv: mm: Use hint address in mmap if available") +Signed-off-by: Guo Ren (Alibaba DAMO Academy) +Reviewed-by: Jinjie Ruan +Link: https://patch.msgid.link/20251201005850.702569-1-guoren@kernel.org +Signed-off-by: Paul Walmsley +Signed-off-by: Sasha Levin +--- + arch/riscv/include/asm/pgtable.h | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/arch/riscv/include/asm/pgtable.h b/arch/riscv/include/asm/pgtable.h +index 5a08eb5fe99fc..30d1ea93dde34 100644 +--- a/arch/riscv/include/asm/pgtable.h ++++ b/arch/riscv/include/asm/pgtable.h +@@ -124,10 +124,6 @@ + #ifdef CONFIG_64BIT + #include + +-#define VA_USER_SV39 (UL(1) << (VA_BITS_SV39 - 1)) +-#define VA_USER_SV48 (UL(1) << (VA_BITS_SV48 - 1)) +-#define VA_USER_SV57 (UL(1) << (VA_BITS_SV57 - 1)) +- + #define MMAP_VA_BITS_64 ((VA_BITS >= VA_BITS_SV48) ? VA_BITS_SV48 : VA_BITS) + #define MMAP_MIN_VA_BITS_64 (VA_BITS_SV39) + #define MMAP_VA_BITS (is_compat_task() ? VA_BITS_SV32 : MMAP_VA_BITS_64) +-- +2.51.0 + diff --git a/queue-6.18/selftests-drv-net-bring-back-tool-to-driver-__init__.patch b/queue-6.18/selftests-drv-net-bring-back-tool-to-driver-__init__.patch new file mode 100644 index 0000000000..eba4c19e37 --- /dev/null +++ b/queue-6.18/selftests-drv-net-bring-back-tool-to-driver-__init__.patch 
@@ -0,0 +1,73 @@ +From 6e30f188454a2ca8f16a0cabd1ad291036d00e02 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jan 2026 18:33:19 +0200 +Subject: selftests: drv-net: Bring back tool() to driver __init__s + +From: Gal Pressman + +[ Upstream commit 353cfc0ef3f34ef7fe313ae38dac37f2454a7cf5 ] + +The pp_alloc_fail.py test (which doesn't run in NIPA CI?) uses tool, add +back the import. + +Resolves: + ImportError: cannot import name 'tool' from 'lib.py' + +Fixes: 68a052239fc4 ("selftests: drv-net: update remaining Python init files") +Reviewed-by: Nimrod Oren +Signed-off-by: Gal Pressman +Link: https://patch.msgid.link/20260105163319.47619-1-gal@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/drivers/net/hw/lib/py/__init__.py | 4 ++-- + tools/testing/selftests/net/lib/py/__init__.py | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/tools/testing/selftests/drivers/net/hw/lib/py/__init__.py b/tools/testing/selftests/drivers/net/hw/lib/py/__init__.py +index fb010a48a5a19..a86f5c311fdcb 100644 +--- a/tools/testing/selftests/drivers/net/hw/lib/py/__init__.py ++++ b/tools/testing/selftests/drivers/net/hw/lib/py/__init__.py +@@ -22,7 +22,7 @@ try: + NlError, RtnlFamily, DevlinkFamily, PSPFamily + from net.lib.py import CmdExitFailure + from net.lib.py import bkg, cmd, bpftool, bpftrace, defer, ethtool, \ +- fd_read_timeout, ip, rand_port, wait_port_listen, wait_file ++ fd_read_timeout, ip, rand_port, wait_port_listen, wait_file, tool + from net.lib.py import KsftSkipEx, KsftFailEx, KsftXfailEx + from net.lib.py import ksft_disruptive, ksft_exit, ksft_pr, ksft_run, \ + ksft_setup +@@ -37,7 +37,7 @@ try: + "CmdExitFailure", + "bkg", "cmd", "bpftool", "bpftrace", "defer", "ethtool", + "fd_read_timeout", "ip", "rand_port", +- "wait_port_listen", "wait_file", ++ "wait_port_listen", "wait_file", "tool", + "KsftSkipEx", "KsftFailEx", "KsftXfailEx", + "ksft_disruptive", "ksft_exit", "ksft_pr", 
"ksft_run", + "ksft_setup", +diff --git a/tools/testing/selftests/net/lib/py/__init__.py b/tools/testing/selftests/net/lib/py/__init__.py +index 97b7cf2b20eb9..8f2da17d53510 100644 +--- a/tools/testing/selftests/net/lib/py/__init__.py ++++ b/tools/testing/selftests/net/lib/py/__init__.py +@@ -12,7 +12,7 @@ from .ksft import KsftFailEx, KsftSkipEx, KsftXfailEx, ksft_pr, ksft_eq, \ + from .netns import NetNS, NetNSEnter + from .nsim import NetdevSim, NetdevSimDev + from .utils import CmdExitFailure, fd_read_timeout, cmd, bkg, defer, \ +- bpftool, ip, ethtool, bpftrace, rand_port, wait_port_listen, wait_file ++ bpftool, ip, ethtool, bpftrace, rand_port, wait_port_listen, wait_file, tool + from .ynl import NlError, YnlFamily, EthtoolFamily, NetdevFamily, RtnlFamily, RtnlAddrFamily + from .ynl import NetshaperFamily, DevlinkFamily, PSPFamily + +@@ -25,7 +25,7 @@ __all__ = ["KSRC", + "NetNS", "NetNSEnter", + "CmdExitFailure", "fd_read_timeout", "cmd", "bkg", "defer", + "bpftool", "ip", "ethtool", "bpftrace", "rand_port", +- "wait_port_listen", "wait_file", ++ "wait_port_listen", "wait_file", "tool", + "NetdevSim", "NetdevSimDev", + "NetshaperFamily", "DevlinkFamily", "PSPFamily", "NlError", + "YnlFamily", "EthtoolFamily", "NetdevFamily", "RtnlFamily", +-- +2.51.0 + diff --git a/queue-6.18/series b/queue-6.18/series index 72e169018b..c8b4bc4e67 100644 --- a/queue-6.18/series +++ b/queue-6.18/series 
@@ -67,3 +67,91 @@ btrfs-qgroup-update-all-parent-qgroups-when-doing-qu.patch
 btrfs-fix-null-dereference-on-root-when-tracing-inod.patch
 btrfs-fix-use-after-free-warning-in-btrfs_get_or_cre.patch
 of-unittest-fix-memory-leak-in-unittest_data_add.patch
+arm64-dts-ti-k3-am642-phyboard-electra-peb-c-010-fix.patch
+arm64-dts-ti-k3-am642-phyboard-electra-x27-gpio1-spi.patch
+arm64-dts-ti-k3-am62-lp-sk-nand-rename-pinctrls-to-f.patch
+gpu-nova-core-select-rust_fw_loader_abstractions.patch
+gpio-it87-balance-superio-enter-exit-calls-in-error-.patch
+hid-intel-thc-hid-intel-thc-fix-dma_unmap_sg-nents-v.patch
+hid-intel-thc-hid-intel-thc-fix-wrong-register-readi.patch
+netfs-fix-early-read-unlock-of-page-with-eof-in-midd.patch
+pinctrl-mediatek-mt8189-restore-previous-register-ba.patch
+crypto-qat-fix-duplicate-restarting-msg-during-aer-e.patch
+arm64-dts-imx8qm-mek-correct-the-light-sensor-interr.patch
+arm64-dts-add-off-on-delay-us-for-usdhc2-regulator.patch
+arm-dts-imx6q-ba16-fix-rtc-interrupt-level.patch
+arm64-dts-freescale-moduline-display-fix-compatible.patch
+arm64-dts-freescale-tx8p-ml81-fix-eqos-nvmem-cells.patch
+arm64-dts-imx8mp-fix-lan8740ai-phy-reference-clock-o.patch
+arm64-dts-imx8qm-ss-dma-correct-the-dma-channels-of-.patch
+arm64-dts-mba8mx-fix-ethernet-phy-irq-support.patch
+netfilter-nft_set_pipapo-fix-range-overlap-detection.patch
+netfilter-nft_synproxy-avoid-possible-data-race-on-u.patch
+gpiolib-remove-unnecessary-out-of-memory-messages.patch
+gpiolib-rename-gpio-chip-printk-macros.patch
+gpiolib-fix-race-condition-for-gdev-srcu.patch
+gpio-pca953x-handle-short-interrupt-pulses-on-pcal-d.patch
+netfilter-nf_tables-fix-memory-leak-in-nf_tables_new.patch
+netfilter-nf_conncount-update-last_gc-only-when-gc-h.patch
+net-marvell-prestera-fix-null-dereference-on-devlink.patch
+bridge-fix-c-vlan-preservation-in-802.1ad-vlan_tunne.patch
+net-mscc-ocelot-fix-crash-when-adding-interface-unde.patch
+inet-ping-fix-icmp-out-counting.patch
+net-phy-mxl-86110-add-power-management-and-soft-rese.patch
+net-sock-fix-hardened-usercopy-panic-in-sock_recv_er.patch
+netdev-preserve-netif_f_all_for_all-across-tso-updat.patch
+net-mlx5-lag-multipath-give-priority-for-routes-with.patch
+net-mlx5e-don-t-gate-fec-histograms-on-ppcnt_statist.patch
+net-mlx5e-don-t-print-error-message-due-to-invalid-m.patch
+net-mlx5e-dealloc-forgotten-psp-rx-modify-header.patch
+net-ena-fix-missing-lock-when-update-devlink-params.patch
+net-wwan-iosm-fix-memory-leak-in-ipc_mux_deinit.patch
+bnxt_en-fix-potential-data-corruption-with-hw-gro-lr.patch
+virtio_net-fix-device-mismatch-in-devm_kzalloc-devm_.patch
+inet-frags-drop-fraglist-conntrack-references.patch
+perf-ensure-swevent-hrtimer-is-properly-destroyed.patch
+drm-amd-pm-fix-wrong-pcie-parameter-on-navi1x.patch
+drm-amd-pm-force-send-pcie-parmater-on-navi1x.patch
+vsock-make-accept-ed-sockets-use-custom-setsockopt.patch
+btrfs-release-path-before-initializing-extent-tree-i.patch
+btrfs-only-enforce-free-space-tree-if-v1-cache-is-re.patch
+btrfs-fix-null-pointer-dereference-in-do_abort_log_r.patch
+net-airoha-fix-npu-rx-dma-definitions.patch
+riscv-cpufeature-fix-zk-bundled-extension-missing-zk.patch
+riscv-pgtable-cleanup-useless-va_user_xxx-definition.patch
+net-fix-memory-leak-in-skb_segment_list-for-gro-pack.patch
+pci-vga-don-t-assume-the-only-vga-device-on-a-system.patch
+idpf-keep-the-netdev-when-a-reset-fails.patch
+idpf-convert-vport-state-to-bitmap.patch
+idpf-detach-and-close-netdevs-while-handling-a-reset.patch
+idpf-fix-memory-leak-in-idpf_vport_rel.patch
+idpf-fix-memory-leak-in-idpf_vc_core_deinit.patch
+idpf-fix-error-handling-in-the-init_task-on-load.patch
+idpf-fix-memory-leak-of-flow-steer-list-on-rmmod.patch
+idpf-fix-issue-with-ethtool-n-command-display.patch
+idpf-fix-rss-lut-null-pointer-crash-on-early-ethtool.patch
+idpf-fix-rss-lut-configuration-on-down-interfaces.patch
+idpf-fix-rss-lut-null-ptr-issue-after-soft-reset.patch
+idpf-fix-error-handling-in-idpf_vport_open.patch
+idpf-cap-maximum-rx-buffer-size.patch
+idpf-fix-aux-device-unplugging-when-rdma-is-not-supp.patch
+revert-dsa-mv88e6xxx-make-serdes-sgmii-fiber-tx-ampl.patch
+udp-call-skb_orphan-before-skb_attempt_defer_free.patch
+net-sfp-return-the-number-of-written-bytes-for-smbus.patch
+net-sched-act_api-avoid-dereferencing-err_ptr-in-tcf.patch
+selftests-drv-net-bring-back-tool-to-driver-__init__.patch
+net-netdevsim-fix-inconsistent-carrier-state-after-l.patch
+block-don-t-merge-bios-with-different-app_tags.patch
+trace-ftrace_dump_on_oops-is-not-exported-make-it-st.patch
+sparc-pci-correct-64-bit-non-pref-pref-bar-resources.patch
+hid-quirks-work-around-vid-pid-conflict-for-appledis.patch
+net-airoha-fix-schedule-while-atomic-in-airoha_ppe_d.patch
+wifi-mac80211_hwsim-fix-typo-in-frequency-notificati.patch
+net-sched-sch_qfq-fix-null-deref-when-deactivating-i.patch
+net-usb-pegasus-fix-memory-leak-in-update_eth_regs_a.patch
+net-enetc-fix-build-warning-when-page_size-is-greate.patch
+arp-do-not-assume-dev_hard_header-does-not-change-sk.patch
+ublk-fix-use-after-free-in-ublk_partition_scan_work.patch
+irqchip-gic-v5-fix-gicv5_its_map_event-itte-read-end.patch
+erofs-don-t-bother-with-s_stack_depth-increasing-for.patch
+erofs-fix-file-backed-mounts-no-longer-working-on-er.patch
diff --git a/queue-6.18/sparc-pci-correct-64-bit-non-pref-pref-bar-resources.patch b/queue-6.18/sparc-pci-correct-64-bit-non-pref-pref-bar-resources.patch
new file mode 100644
index 0000000000..5afdd82599
--- /dev/null
+++ b/queue-6.18/sparc-pci-correct-64-bit-non-pref-pref-bar-resources.patch
@@ -0,0 +1,108 @@ +From 34f18fb1e4672f919b506978e88bcb074e6ec2fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Nov 2025 19:04:11 +0200 +Subject: sparc/PCI: Correct 64-bit non-pref -> pref BAR resources +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +[ Upstream commit bdb32359eab94013e80cf7e3d40a3fd4972da93a ] + +SPARC T5-2 dts describes some PCI BARs as 64-bit resources without the +pref(etchable) bit (0x83... vs 0xc3... in assigned-addresses) for address +ranges above the 4G threshold. Such resources cannot be placed into a +non-prefetchable PCI bridge window that is capable only of 32-bit +addressing. As such, it looks like the platform is improperly described by +the dts. + +The kernel detects this problem (see the IORESOURCE_PREFETCH check in +pci_find_parent_resource()) and fails to assign these BAR resources to the +resource tree due to lack of a compatible bridge window. + +Prior to 754babaaf333 ("sparc/PCI: Remove pcibios_enable_device() as they +do nothing extra") SPARC arch code did not test whether device resources +were successfully in the resource tree when enabling a device, effectively +hiding the problem. After removing the arch-specific enable code, +pci_enable_resources() refuses to enable the device when it finds not all +mem resources are assigned, and therefore mpt3sas can't be enabled: + + pci 0001:04:00.0: reg 0x14: [mem 0x801110000000-0x80111000ffff 64bit] + pci 0001:04:00.0: reg 0x1c: [mem 0x801110040000-0x80111007ffff 64bit] + pci 0001:04:00.0: BAR 1 [mem 0x801110000000-0x80111000ffff 64bit]: can't claim; no compatible bridge window + pci 0001:04:00.0: BAR 3 [mem 0x801110040000-0x80111007ffff 64bit]: can't claim; no compatible bridge window + mpt3sas 0001:04:00.0: BAR 1 [mem size 0x00010000 64bit]: not assigned; can't enable device + +For clarity, this filtered log only shows failures for one mpt3sas device +but other devices fail similarly. 
In the reported case, the end result with +all the failures is an unbootable system. + +Things appeared to "work" before 754babaaf333 ("sparc/PCI: Remove +pcibios_enable_device() as they do nothing extra") because the resource +tree is agnostic to whether PCI BAR resources are properly in the tree or +not. So as long as there was a parent resource (e.g. a root bus resource) +that contains the address range, the resource tree code just places +resource request underneath it without any consideration to the +intermediate BAR resource. While it worked, it's incorrect setup still. + +Add an OF fixup to set the IORESOURCE_PREFETCH flag for a 64-bit PCI +resource that has the end address above 4G requiring placement into the +prefetchable window. Also log the issue. + +Fixes: 754babaaf333 ("sparc/PCI: Remove pcibios_enable_device() as they do nothing extra") +Reported-by: Nathaniel Roach +Closes: https://github.com/sparclinux/issues/issues/22 +Signed-off-by: Ilpo Järvinen +Signed-off-by: Bjorn Helgaas +Tested-by: Nathaniel Roach +Link: https://patch.msgid.link/20251124170411.3709-1-ilpo.jarvinen@linux.intel.com +Signed-off-by: Sasha Levin +--- + arch/sparc/kernel/pci.c | 23 +++++++++++++++++++++++ + 1 file changed, 23 insertions(+) + +diff --git a/arch/sparc/kernel/pci.c b/arch/sparc/kernel/pci.c +index a9448088e762e..b290107170e94 100644 +--- a/arch/sparc/kernel/pci.c ++++ b/arch/sparc/kernel/pci.c +@@ -181,6 +181,28 @@ static int __init ofpci_debug(char *str) + + __setup("ofpci_debug=", ofpci_debug); + ++static void of_fixup_pci_pref(struct pci_dev *dev, int index, ++ struct resource *res) ++{ ++ struct pci_bus_region region; ++ ++ if (!(res->flags & IORESOURCE_MEM_64)) ++ return; ++ ++ if (!resource_size(res)) ++ return; ++ ++ pcibios_resource_to_bus(dev->bus, ®ion, res); ++ if (region.end <= ~((u32)0)) ++ return; ++ ++ if (!(res->flags & IORESOURCE_PREFETCH)) { ++ res->flags |= IORESOURCE_PREFETCH; ++ pci_info(dev, "reg 0x%x: fixup: pref added to 64-bit resource\n", 
++ index); ++ } ++} ++ + static unsigned long pci_parse_of_flags(u32 addr0) + { + unsigned long flags = 0; +@@ -244,6 +266,7 @@ static void pci_parse_of_addrs(struct platform_device *op, + res->end = op_res->end; + res->flags = flags; + res->name = pci_name(dev); ++ of_fixup_pci_pref(dev, i, res); + + pci_info(dev, "reg 0x%x: %pR\n", i, res); + } +-- +2.51.0 + diff --git a/queue-6.18/trace-ftrace_dump_on_oops-is-not-exported-make-it-st.patch b/queue-6.18/trace-ftrace_dump_on_oops-is-not-exported-make-it-st.patch new file mode 100644 index 0000000000..1c8205fddb --- /dev/null +++ b/queue-6.18/trace-ftrace_dump_on_oops-is-not-exported-make-it-st.patch 
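Review bot: of_fixup_pci_pref() has no comment explaining why a firmware-described resource has its flags rewritten, so a reader of pci_parse_of_addrs() sees `IORESOURCE_PREFETCH` appear with no stated reason. A short header comment would carry the rationale from the commit message, e.g. `/* 64-bit BARs above 4G cannot sit in a 32-bit non-pref bridge window; mark them pref when the dts omits the bit */`. The test `region.end <= ~((u32)0)` would also read more directly as a comparison against `U32_MAX`.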
@@ -0,0 +1,39 @@ +From 5f8eb937800bfe7517af8f7bc0eca1dafbbad30e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Jan 2026 23:10:54 +0000 +Subject: trace: ftrace_dump_on_oops[] is not exported, make it static + +From: Ben Dooks + +[ Upstream commit 1e2ed4bfd50ace3c4272cfab7e9aa90956fb7ae0 ] + +The ftrace_dump_on_oops string is not used outside of trace.c so +make it static to avoid the export warning from sparse: + +kernel/trace/trace.c:141:6: warning: symbol 'ftrace_dump_on_oops' was not declared. Should it be static? + +Fixes: dd293df6395a2 ("tracing: Move trace sysctls into trace.c") +Link: https://patch.msgid.link/20260106231054.84270-1-ben.dooks@codethink.co.uk +Signed-off-by: Ben Dooks +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index ddff2af3cd3f7..142e3b737f0bc 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -141,7 +141,7 @@ cpumask_var_t __read_mostly tracing_buffer_mask; + * by commas. + */ + /* Set to string format zero to disable by default */ +-char ftrace_dump_on_oops[MAX_TRACER_SIZE] = "0"; ++static char ftrace_dump_on_oops[MAX_TRACER_SIZE] = "0"; + + /* When set, tracing will stop when a WARN*() is hit */ + static int __disable_trace_on_warning; +-- +2.51.0 + diff --git a/queue-6.18/ublk-fix-use-after-free-in-ublk_partition_scan_work.patch b/queue-6.18/ublk-fix-use-after-free-in-ublk_partition_scan_work.patch new file mode 100644 index 0000000000..29d7745d25 --- /dev/null +++ b/queue-6.18/ublk-fix-use-after-free-in-ublk_partition_scan_work.patch 
@@ -0,0 +1,102 @@ +From 18007e5f9d53152918a477b9a611d03b29edd5b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jan 2026 20:14:54 +0800 +Subject: ublk: fix use-after-free in ublk_partition_scan_work + +From: Ming Lei + +[ Upstream commit f0d385f6689f37a2828c686fb279121df006b4cb ] + +A race condition exists between the async partition scan work and device +teardown that can lead to a use-after-free of ub->ub_disk: + +1. ublk_ctrl_start_dev() schedules partition_scan_work after add_disk() +2. ublk_stop_dev() calls ublk_stop_dev_unlocked() which does: + - del_gendisk(ub->ub_disk) + - ublk_detach_disk() sets ub->ub_disk = NULL + - put_disk() which may free the disk +3. The worker ublk_partition_scan_work() then dereferences ub->ub_disk + leading to UAF + +Fix this by using ublk_get_disk()/ublk_put_disk() in the worker to hold +a reference to the disk during the partition scan. The spinlock in +ublk_get_disk() synchronizes with ublk_detach_disk() ensuring the worker +either gets a valid reference or sees NULL and exits early. + +Also change flush_work() to cancel_work_sync() to avoid running the +partition scan work unnecessarily when the disk is already detached. 
+ +Fixes: 7fc4da6a304b ("ublk: scan partition in async way") +Reported-by: Ruikai Peng +Signed-off-by: Ming Lei +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/ublk_drv.c | 37 ++++++++++++++++++++++--------------- + 1 file changed, 22 insertions(+), 15 deletions(-) + +diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c +index babb58d2dcaf7..e09c1b5999b75 100644 +--- a/drivers/block/ublk_drv.c ++++ b/drivers/block/ublk_drv.c +@@ -255,20 +255,6 @@ static inline struct request *__ublk_check_and_get_req(struct ublk_device *ub, + u16 q_id, u16 tag, struct ublk_io *io, size_t offset); + static inline unsigned int ublk_req_build_flags(struct request *req); + +-static void ublk_partition_scan_work(struct work_struct *work) +-{ +- struct ublk_device *ub = +- container_of(work, struct ublk_device, partition_scan_work); +- +- if (WARN_ON_ONCE(!test_and_clear_bit(GD_SUPPRESS_PART_SCAN, +- &ub->ub_disk->state))) +- return; +- +- mutex_lock(&ub->ub_disk->open_mutex); +- bdev_disk_changed(ub->ub_disk, false); +- mutex_unlock(&ub->ub_disk->open_mutex); +-} +- + static inline struct ublksrv_io_desc * + ublk_get_iod(const struct ublk_queue *ubq, unsigned tag) + { +@@ -1663,6 +1649,27 @@ static void ublk_put_disk(struct gendisk *disk) + put_device(disk_to_dev(disk)); + } + ++static void ublk_partition_scan_work(struct work_struct *work) ++{ ++ struct ublk_device *ub = ++ container_of(work, struct ublk_device, partition_scan_work); ++ /* Hold disk reference to prevent UAF during concurrent teardown */ ++ struct gendisk *disk = ublk_get_disk(ub); ++ ++ if (!disk) ++ return; ++ ++ if (WARN_ON_ONCE(!test_and_clear_bit(GD_SUPPRESS_PART_SCAN, ++ &disk->state))) ++ goto out; ++ ++ mutex_lock(&disk->open_mutex); ++ bdev_disk_changed(disk, false); ++ mutex_unlock(&disk->open_mutex); ++out: ++ ublk_put_disk(disk); ++} ++ + /* + * Use this function to ensure that ->canceling is consistently set for + * the device and all queues. 
Do not set these flags directly. +@@ -2107,7 +2114,7 @@ static void ublk_stop_dev(struct ublk_device *ub) + mutex_lock(&ub->mutex); + ublk_stop_dev_unlocked(ub); + mutex_unlock(&ub->mutex); +- flush_work(&ub->partition_scan_work); ++ cancel_work_sync(&ub->partition_scan_work); + ublk_cancel_dev(ub); + } + +-- +2.51.0 + diff --git a/queue-6.18/udp-call-skb_orphan-before-skb_attempt_defer_free.patch b/queue-6.18/udp-call-skb_orphan-before-skb_attempt_defer_free.patch new file mode 100644 index 0000000000..6d5049a2a1 --- /dev/null +++ b/queue-6.18/udp-call-skb_orphan-before-skb_attempt_defer_free.patch 
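Review bot: In the re-added ublk_partition_scan_work(), the reference from `ublk_get_disk()` keeps the gendisk memory alive, but it does not by itself stop teardown from running `del_gendisk()` before `bdev_disk_changed(disk, false)` is reached. Whether bdev_disk_changed() tolerates an already-deleted disk is not visible in this hunk and is worth confirming. The one-line comment could then say so, e.g. `/* ref prevents UAF; teardown may still have deleted the disk by the time we scan */`. ublk_stop_dev() begins outside its hunk, so any ordering requirement behind calling `cancel_work_sync()` after `mutex_unlock(&ub->mutex)` cannot be checked here and would deserve a comment if it exists.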
@@ -0,0 +1,46 @@ +From 7f0db1978eca699e2ca2cdd3166e7d695ea71fd4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jan 2026 09:36:30 +0000 +Subject: udp: call skb_orphan() before skb_attempt_defer_free() + +From: Eric Dumazet + +[ Upstream commit e5c8eda39a9fc1547d1398d707aa06c1d080abdd ] + +Standard UDP receive path does not use skb->destructor. + +But skmsg layer does use it, since it calls skb_set_owner_sk_safe() +from udp_read_skb(). + +This then triggers this warning in skb_attempt_defer_free(): + + DEBUG_NET_WARN_ON_ONCE(skb->destructor); + +We must call skb_orphan() to fix this issue. + +Fixes: 6471658dc66c ("udp: use skb_attempt_defer_free()") +Reported-by: syzbot+3e68572cf2286ce5ebe9@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/695b83bd.050a0220.1c9965.002b.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20260105093630.1976085-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/udp.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c +index 30dfbf73729da..860bd61ff047f 100644 +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -1851,6 +1851,7 @@ void skb_consume_udp(struct sock *sk, struct sk_buff *skb, int len) + sk_peek_offset_bwd(sk, len); + + if (!skb_shared(skb)) { ++ skb_orphan(skb); + skb_attempt_defer_free(skb); + return; + } +-- +2.51.0 + diff --git a/queue-6.18/virtio_net-fix-device-mismatch-in-devm_kzalloc-devm_.patch b/queue-6.18/virtio_net-fix-device-mismatch-in-devm_kzalloc-devm_.patch new file mode 100644 index 0000000000..5f2aac5722 --- /dev/null +++ b/queue-6.18/virtio_net-fix-device-mismatch-in-devm_kzalloc-devm_.patch 
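Review bot: The added `skb_orphan(skb)` in skb_consume_udp() carries no comment, so the reason it is needed lives only in the commit message. A line such as `/* skmsg sets skb->destructor via udp_read_skb(); clear it before the deferred free */` above the call would keep a later cleanup from removing it as redundant. skb_consume_udp() starts and ends outside the hunk.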
@@ -0,0 +1,126 @@ +From 514b8d3a28c339e0031542c18f44c90355908b60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Jan 2026 15:49:00 +0530 +Subject: virtio_net: fix device mismatch in devm_kzalloc/devm_kfree + +From: Kommula Shiva Shankar + +[ Upstream commit acb4bc6e1ba34ae1a34a9334a1ce8474c909466e ] + +Initial rss_hdr allocation uses virtio_device->device, +but virtnet_set_queues() frees using net_device->device. +This device mismatch causing below devres warning + +[ 3788.514041] ------------[ cut here ]------------ +[ 3788.514044] WARNING: drivers/base/devres.c:1095 at devm_kfree+0x84/0x98, CPU#16: vdpa/1463 +[ 3788.514054] Modules linked in: octep_vdpa virtio_net virtio_vdpa [last unloaded: virtio_vdpa] +[ 3788.514064] CPU: 16 UID: 0 PID: 1463 Comm: vdpa Tainted: G W 6.18.0 #10 PREEMPT +[ 3788.514067] Tainted: [W]=WARN +[ 3788.514069] Hardware name: Marvell CN106XX board (DT) +[ 3788.514071] pstate: 63400009 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--) +[ 3788.514074] pc : devm_kfree+0x84/0x98 +[ 3788.514076] lr : devm_kfree+0x54/0x98 +[ 3788.514079] sp : ffff800084e2f220 +[ 3788.514080] x29: ffff800084e2f220 x28: ffff0003b2366000 x27: 000000000000003f +[ 3788.514085] x26: 000000000000003f x25: ffff000106f17c10 x24: 0000000000000080 +[ 3788.514089] x23: ffff00045bb8ab08 x22: ffff00045bb8a000 x21: 0000000000000018 +[ 3788.514093] x20: ffff0004355c3080 x19: ffff00045bb8aa00 x18: 0000000000080000 +[ 3788.514098] x17: 0000000000000040 x16: 000000000000001f x15: 000000000007ffff +[ 3788.514102] x14: 0000000000000488 x13: 0000000000000005 x12: 00000000000fffff +[ 3788.514106] x11: ffffffffffffffff x10: 0000000000000005 x9 : ffff800080c8c05c +[ 3788.514110] x8 : ffff800084e2eeb8 x7 : 0000000000000000 x6 : 000000000000003f +[ 3788.514115] x5 : ffff8000831bafe0 x4 : ffff800080c8b010 x3 : ffff0004355c3080 +[ 3788.514119] x2 : ffff0004355c3080 x1 : 0000000000000000 x0 : 0000000000000000 +[ 3788.514123] Call trace: +[ 3788.514125] devm_kfree+0x84/0x98 (P) +[ 
3788.514129] virtnet_set_queues+0x134/0x2e8 [virtio_net] +[ 3788.514135] virtnet_probe+0x9c0/0xe00 [virtio_net] +[ 3788.514139] virtio_dev_probe+0x1e0/0x338 +[ 3788.514144] really_probe+0xc8/0x3a0 +[ 3788.514149] __driver_probe_device+0x84/0x170 +[ 3788.514152] driver_probe_device+0x44/0x120 +[ 3788.514155] __device_attach_driver+0xc4/0x168 +[ 3788.514158] bus_for_each_drv+0x8c/0xf0 +[ 3788.514161] __device_attach+0xa4/0x1c0 +[ 3788.514164] device_initial_probe+0x1c/0x30 +[ 3788.514168] bus_probe_device+0xb4/0xc0 +[ 3788.514170] device_add+0x614/0x828 +[ 3788.514173] register_virtio_device+0x214/0x258 +[ 3788.514175] virtio_vdpa_probe+0xa0/0x110 [virtio_vdpa] +[ 3788.514179] vdpa_dev_probe+0xa8/0xd8 +[ 3788.514183] really_probe+0xc8/0x3a0 +[ 3788.514186] __driver_probe_device+0x84/0x170 +[ 3788.514189] driver_probe_device+0x44/0x120 +[ 3788.514192] __device_attach_driver+0xc4/0x168 +[ 3788.514195] bus_for_each_drv+0x8c/0xf0 +[ 3788.514197] __device_attach+0xa4/0x1c0 +[ 3788.514200] device_initial_probe+0x1c/0x30 +[ 3788.514203] bus_probe_device+0xb4/0xc0 +[ 3788.514206] device_add+0x614/0x828 +[ 3788.514209] _vdpa_register_device+0x58/0x88 +[ 3788.514211] octep_vdpa_dev_add+0x104/0x228 [octep_vdpa] +[ 3788.514215] vdpa_nl_cmd_dev_add_set_doit+0x2d0/0x3c0 +[ 3788.514218] genl_family_rcv_msg_doit+0xe4/0x158 +[ 3788.514222] genl_rcv_msg+0x218/0x298 +[ 3788.514225] netlink_rcv_skb+0x64/0x138 +[ 3788.514229] genl_rcv+0x40/0x60 +[ 3788.514233] netlink_unicast+0x32c/0x3b0 +[ 3788.514237] netlink_sendmsg+0x170/0x3b8 +[ 3788.514241] __sys_sendto+0x12c/0x1c0 +[ 3788.514246] __arm64_sys_sendto+0x30/0x48 +[ 3788.514249] invoke_syscall.constprop.0+0x58/0xf8 +[ 3788.514255] do_el0_svc+0x48/0xd0 +[ 3788.514259] el0_svc+0x48/0x210 +[ 3788.514264] el0t_64_sync_handler+0xa0/0xe8 +[ 3788.514268] el0t_64_sync+0x198/0x1a0 +[ 3788.514271] ---[ end trace 0000000000000000 ]--- + +Fix by using virtio_device->device consistently for +allocation and deallocation + +Fixes: 4944be2f5ad8c 
("virtio_net: Allocate rss_hdr with devres") +Signed-off-by: Kommula Shiva Shankar +Acked-by: Michael S. Tsirkin +Acked-by: Jason Wang +Reviewed-by: Xuan Zhuo +Link: https://patch.msgid.link/20260102101900.692770-1-kshankar@marvell.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/virtio_net.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c +index 8e04adb57f52a..4e1a5291099a5 100644 +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -3783,7 +3783,7 @@ static int virtnet_set_queues(struct virtnet_info *vi, u16 queue_pairs) + if (vi->has_rss && !netif_is_rxfh_configured(dev)) { + old_rss_hdr = vi->rss_hdr; + old_rss_trailer = vi->rss_trailer; +- vi->rss_hdr = devm_kzalloc(&dev->dev, virtnet_rss_hdr_size(vi), GFP_KERNEL); ++ vi->rss_hdr = devm_kzalloc(&vi->vdev->dev, virtnet_rss_hdr_size(vi), GFP_KERNEL); + if (!vi->rss_hdr) { + vi->rss_hdr = old_rss_hdr; + return -ENOMEM; +@@ -3794,7 +3794,7 @@ static int virtnet_set_queues(struct virtnet_info *vi, u16 queue_pairs) + + if (!virtnet_commit_rss_command(vi)) { + /* restore ctrl_rss if commit_rss_command failed */ +- devm_kfree(&dev->dev, vi->rss_hdr); ++ devm_kfree(&vi->vdev->dev, vi->rss_hdr); + vi->rss_hdr = old_rss_hdr; + vi->rss_trailer = old_rss_trailer; + +@@ -3802,7 +3802,7 @@ static int virtnet_set_queues(struct virtnet_info *vi, u16 queue_pairs) + queue_pairs); + return -EINVAL; + } +- devm_kfree(&dev->dev, old_rss_hdr); ++ devm_kfree(&vi->vdev->dev, old_rss_hdr); + goto succ; + } + +-- +2.51.0 + diff --git a/queue-6.18/vsock-make-accept-ed-sockets-use-custom-setsockopt.patch b/queue-6.18/vsock-make-accept-ed-sockets-use-custom-setsockopt.patch new file mode 100644 index 0000000000..39e9b5fe89 --- /dev/null +++ b/queue-6.18/vsock-make-accept-ed-sockets-use-custom-setsockopt.patch 
@@ -0,0 +1,39 @@ +From 869718eb18bca75d5aa9ba3e0808b01c6d950b36 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Dec 2025 20:43:10 +0100 +Subject: vsock: Make accept()ed sockets use custom setsockopt() + +From: Michal Luczaj + +[ Upstream commit ce5e612dd411de096aa041b9e9325ba1bec5f9f4 ] + +SO_ZEROCOPY handling in vsock_connectible_setsockopt() does not get called +on accept()ed sockets due to a missing flag. Flip it. + +Fixes: e0718bd82e27 ("vsock: enable setting SO_ZEROCOPY") +Signed-off-by: Michal Luczaj +Link: https://patch.msgid.link/20251229-vsock-child-sock-custom-sockopt-v2-1-64778d6c4f88@rbox.co +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/af_vsock.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c +index a9ca9c3b87b31..cbd649bf01459 100644 +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -1787,6 +1787,10 @@ static int vsock_accept(struct socket *sock, struct socket *newsock, + } else { + newsock->state = SS_CONNECTED; + sock_graft(connected, newsock); ++ ++ set_bit(SOCK_CUSTOM_SOCKOPT, ++ &connected->sk_socket->flags); ++ + if (vsock_msgzerocopy_allow(vconnected->transport)) + set_bit(SOCK_SUPPORT_ZC, + &connected->sk_socket->flags); +-- +2.51.0 + diff --git a/queue-6.18/wifi-mac80211_hwsim-fix-typo-in-frequency-notificati.patch b/queue-6.18/wifi-mac80211_hwsim-fix-typo-in-frequency-notificati.patch new file mode 100644 index 0000000000..89ff875ad1 --- /dev/null +++ b/queue-6.18/wifi-mac80211_hwsim-fix-typo-in-frequency-notificati.patch 
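Review bot: The added `set_bit(SOCK_CUSTOM_SOCKOPT, &connected->sk_socket->flags)` in vsock_accept() is uncommented and reaches the flags through `connected->sk_socket` right after `sock_graft(connected, newsock)`. Writing it as `set_bit(SOCK_CUSTOM_SOCKOPT, &newsock->flags);` would name the socket being configured directly, assuming sock_graft() makes the two the same object (its definition is not in this hunk). A one-line comment such as `/* accepted sockets must route setsockopt() to vsock_connectible_setsockopt() */` would record why the flag is set. The existing SOCK_SUPPORT_ZC line uses the same indirection, so both could change together; vsock_accept() starts outside the hunk.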
@@ -0,0 +1,40 @@ +From 3d727cac8c8a3a39347162220b6d152aba255fae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jan 2026 14:36:51 +0100 +Subject: wifi: mac80211_hwsim: fix typo in frequency notification + +From: Benjamin Berg + +[ Upstream commit 333418872bfecf4843f1ded7a4151685dfcf07d5 ] + +The NAN notification is for 5745 MHz which corresponds to channel 149 +and not 5475 which is not actually a valid channel. This could result in +a NULL pointer dereference in cfg80211_next_nan_dw_notif. + +Fixes: a37a6f54439b ("wifi: mac80211_hwsim: Add simulation support for NAN device") +Signed-off-by: Benjamin Berg +Reviewed-by: Ilan Peer +Reviewed-by: Miriam Rachel Korenblit +Link: https://patch.msgid.link/20260107143652.7dab2035836f.Iacbaf7bb94ed5c14a0928a625827e4137d8bfede@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/virtual/mac80211_hwsim.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/virtual/mac80211_hwsim.c b/drivers/net/wireless/virtual/mac80211_hwsim.c +index 5903d82e1ab1e..2f263d89d2d69 100644 +--- a/drivers/net/wireless/virtual/mac80211_hwsim.c ++++ b/drivers/net/wireless/virtual/mac80211_hwsim.c +@@ -4040,7 +4040,7 @@ mac80211_hwsim_nan_dw_start(struct hrtimer *timer) + ieee80211_vif_to_wdev(data->nan_device_vif); + + if (data->nan_curr_dw_band == NL80211_BAND_5GHZ) +- ch = ieee80211_get_channel(hw->wiphy, 5475); ++ ch = ieee80211_get_channel(hw->wiphy, 5745); + else + ch = ieee80211_get_channel(hw->wiphy, 2437); + +-- +2.51.0 + diff --git a/queue-6.6/arm-dts-imx6q-ba16-fix-rtc-interrupt-level.patch b/queue-6.6/arm-dts-imx6q-ba16-fix-rtc-interrupt-level.patch new file mode 100644 index 0000000000..734d252b45 --- /dev/null +++ b/queue-6.6/arm-dts-imx6q-ba16-fix-rtc-interrupt-level.patch 
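Review bot: In mac80211_hwsim_nan_dw_start() the result of `ieee80211_get_channel()` is assigned to `ch` with no NULL check visible, and the commit message says the old wrong frequency could end in a NULL pointer dereference in cfg80211_next_nan_dw_notif. The rest of the function is outside the hunk, so a check may exist further down. If it does not, a guard such as `if (WARN_ON_ONCE(!ch))` with an early exit before the notification would turn a future bad frequency or an unregistered band into a warning instead of a crash. The bare literals `5745` and `2437` would also be harder to mistype as named constants (the commit message gives 5745 MHz as channel 149).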
@@ -0,0 +1,40 @@ +From 6d5cf4d2d7dbbede637f1d956e957e285a2f8e16 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Dec 2025 11:56:05 +0200 +Subject: ARM: dts: imx6q-ba16: fix RTC interrupt level + +From: Ian Ray + +[ Upstream commit e6a4eedd49ce27c16a80506c66a04707e0ee0116 ] + +RTC interrupt level should be set to "LOW". This was revealed by the +introduction of commit: + + f181987ef477 ("rtc: m41t80: use IRQ flags obtained from fwnode") + +which changed the way IRQ type is obtained. + +Fixes: 56c27310c1b4 ("ARM: dts: imx: Add Advantech BA-16 Qseven module") +Signed-off-by: Ian Ray +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/nxp/imx/imx6q-ba16.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/nxp/imx/imx6q-ba16.dtsi b/arch/arm/boot/dts/nxp/imx/imx6q-ba16.dtsi +index f266f1b7e0cfc..0c033e69ecc04 100644 +--- a/arch/arm/boot/dts/nxp/imx/imx6q-ba16.dtsi ++++ b/arch/arm/boot/dts/nxp/imx/imx6q-ba16.dtsi +@@ -335,7 +335,7 @@ rtc@32 { + pinctrl-0 = <&pinctrl_rtc>; + reg = <0x32>; + interrupt-parent = <&gpio4>; +- interrupts = <10 IRQ_TYPE_LEVEL_HIGH>; ++ interrupts = <10 IRQ_TYPE_LEVEL_LOW>; + }; + }; + +-- +2.51.0 + diff --git a/queue-6.6/arm64-dts-add-off-on-delay-us-for-usdhc2-regulator.patch b/queue-6.6/arm64-dts-add-off-on-delay-us-for-usdhc2-regulator.patch new file mode 100644 index 0000000000..4f51cc3ba5 --- /dev/null +++ b/queue-6.6/arm64-dts-add-off-on-delay-us-for-usdhc2-regulator.patch 
@@ -0,0 +1,41 @@ +From 5db5bea494a28a6ec197262cf3df8be3e4d03e21 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Nov 2025 11:22:40 +0800 +Subject: arm64: dts: add off-on-delay-us for usdhc2 regulator + +From: Haibo Chen + +[ Upstream commit ca643894a37a25713029b36cfe7d1bae515cac08 ] + +For SD card, according to the spec requirement, for sd card power reset +operation, it need sd card supply voltage to be lower than 0.5v and keep +over 1ms, otherwise, next time power back the sd card supply voltage to +3.3v, sd card can't support SD3.0 mode again. + +To match such requirement on imx8qm-mek board, add 4.8ms delay between +sd power off and power on. + +Fixes: 307fd14d4b14 ("arm64: dts: imx: add imx8qm mek support") +Reviewed-by: Frank Li +Signed-off-by: Haibo Chen +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx8qm-mek.dts | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/boot/dts/freescale/imx8qm-mek.dts b/arch/arm64/boot/dts/freescale/imx8qm-mek.dts +index a9ab87699f3d5..d22cec32b7cee 100644 +--- a/arch/arm64/boot/dts/freescale/imx8qm-mek.dts ++++ b/arch/arm64/boot/dts/freescale/imx8qm-mek.dts +@@ -38,6 +38,7 @@ reg_usdhc2_vmmc: usdhc2-vmmc { + regulator-max-microvolt = <3000000>; + gpio = <&lsio_gpio4 7 GPIO_ACTIVE_HIGH>; + enable-active-high; ++ off-on-delay-us = <4800>; + }; + }; + +-- +2.51.0 + diff --git a/queue-6.6/arm64-dts-imx8mp-fix-lan8740ai-phy-reference-clock-o.patch b/queue-6.6/arm64-dts-imx8mp-fix-lan8740ai-phy-reference-clock-o.patch new file mode 100644 index 0000000000..7b73360e2b --- /dev/null +++ b/queue-6.6/arm64-dts-imx8mp-fix-lan8740ai-phy-reference-clock-o.patch 
@@ -0,0 +1,42 @@ +From a4ee756ef8d515c046cd5d11ed033afc6260c901 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Dec 2025 14:41:51 +0100 +Subject: arm64: dts: imx8mp: Fix LAN8740Ai PHY reference clock on DH + electronics i.MX8M Plus DHCOM + +From: Marek Vasut + +[ Upstream commit c63749a7ddc59ac6ec0b05abfa0a21af9f2c1d38 ] + +Add missing 'clocks' property to LAN8740Ai PHY node, to allow the PHY driver +to manage LAN8740Ai CLKIN reference clock supply. This fixes sporadic link +bouncing caused by interruptions on the PHY reference clock, by letting the +PHY driver manage the reference clock and assure there are no interruptions. + +This follows the matching PHY driver recommendation described in commit +bedd8d78aba3 ("net: phy: smsc: LAN8710/20: add phy refclk in support") + +Fixes: 8d6712695bc8 ("arm64: dts: imx8mp: Add support for DH electronics i.MX8M Plus DHCOM and PDK2") +Signed-off-by: Marek Vasut +Tested-by: Christoph Niedermaier +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi +index 2e93d922c8611..2ff47f6ec7979 100644 +--- a/arch/arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi +@@ -105,6 +105,7 @@ mdio { + ethphy0f: ethernet-phy@0 { /* SMSC LAN8740Ai */ + compatible = "ethernet-phy-id0007.c110", + "ethernet-phy-ieee802.3-c22"; ++ clocks = <&clk IMX8MP_CLK_ENET_QOS>; + interrupt-parent = <&gpio3>; + interrupts = <19 IRQ_TYPE_LEVEL_LOW>; + pinctrl-0 = <&pinctrl_ethphy0>; +-- +2.51.0 + diff --git a/queue-6.6/arp-do-not-assume-dev_hard_header-does-not-change-sk.patch b/queue-6.6/arp-do-not-assume-dev_hard_header-does-not-change-sk.patch new file mode 100644 index 0000000000..d39e54e22b --- /dev/null +++ b/queue-6.6/arp-do-not-assume-dev_hard_header-does-not-change-sk.patch 
@@ -0,0 +1,58 @@ +From a810f24b7f42afa115fd37a9a59ca118d8dd0dde Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jan 2026 21:22:50 +0000 +Subject: arp: do not assume dev_hard_header() does not change skb->head + +From: Eric Dumazet + +[ Upstream commit c92510f5e3f82ba11c95991824a41e59a9c5ed81 ] + +arp_create() is the only dev_hard_header() caller +making assumption about skb->head being unchanged. + +A recent commit broke this assumption. + +Initialize @arp pointer after dev_hard_header() call. + +Fixes: db5b4e39c4e6 ("ip6_gre: make ip6gre_header() robust") +Reported-by: syzbot+58b44a770a1585795351@syzkaller.appspotmail.com +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20260107212250.384552-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/arp.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c +index 784dc8b37be5a..4ea5987e06b61 100644 +--- a/net/ipv4/arp.c ++++ b/net/ipv4/arp.c +@@ -563,7 +563,7 @@ struct sk_buff *arp_create(int type, int ptype, __be32 dest_ip, + + skb_reserve(skb, hlen); + skb_reset_network_header(skb); +- arp = skb_put(skb, arp_hdr_len(dev)); ++ skb_put(skb, arp_hdr_len(dev)); + skb->dev = dev; + skb->protocol = htons(ETH_P_ARP); + if (!src_hw) +@@ -571,12 +571,13 @@ struct sk_buff *arp_create(int type, int ptype, __be32 dest_ip, + if (!dest_hw) + dest_hw = dev->broadcast; + +- /* +- * Fill the device header for the ARP frame ++ /* Fill the device header for the ARP frame. ++ * Note: skb->head can be changed. + */ + if (dev_hard_header(skb, dev, ptype, dest_hw, src_hw, skb->len) < 0) + goto out; + ++ arp = arp_hdr(skb); + /* + * Fill out the arp protocol part. + * +-- +2.51.0 + diff --git a/queue-6.6/bnxt_en-fix-potential-data-corruption-with-hw-gro-lr.patch b/queue-6.6/bnxt_en-fix-potential-data-corruption-with-hw-gro-lr.patch new file mode 100644 index 0000000000..0cf8bbbcbf --- /dev/null 
+++ b/queue-6.6/bnxt_en-fix-potential-data-corruption-with-hw-gro-lr.patch 
@@ -0,0 +1,88 @@ +From 12eee252a2389db4012d4e5d1426f868d1108fbd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Dec 2025 00:36:25 -0800 +Subject: bnxt_en: Fix potential data corruption with HW GRO/LRO + +From: Srijit Bose + +[ Upstream commit ffeafa65b2b26df2f5b5a6118d3174f17bd12ec5 ] + +Fix the max number of bits passed to find_first_zero_bit() in +bnxt_alloc_agg_idx(). We were incorrectly passing the number of +long words. find_first_zero_bit() may fail to find a zero bit and +cause a wrong ID to be used. If the wrong ID is already in use, this +can cause data corruption. Sometimes an error like this can also be +seen: + +bnxt_en 0000:83:00.0 enp131s0np0: TPA end agg_buf 2 != expected agg_bufs 1 + +Fix it by passing the correct number of bits MAX_TPA_P5. Use +DECLARE_BITMAP() to more cleanly define the bitmap. Add a sanity +check to warn if a bit cannot be found and reset the ring [MChan]. + +Fixes: ec4d8e7cf024 ("bnxt_en: Add TPA ID mapping logic for 57500 chips.") +Reviewed-by: Ray Jui +Signed-off-by: Srijit Bose +Signed-off-by: Michael Chan +Reviewed-by: Vadim Fedorenko +Link: https://patch.msgid.link/20251231083625.3911652-1-michael.chan@broadcom.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 15 ++++++++++++--- + drivers/net/ethernet/broadcom/bnxt/bnxt.h | 4 +--- + 2 files changed, 13 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index 8e4e8291d8c66..e337b6c7ee6f9 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -1268,9 +1268,11 @@ static u16 bnxt_alloc_agg_idx(struct bnxt_rx_ring_info *rxr, u16 agg_id) + struct bnxt_tpa_idx_map *map = rxr->rx_tpa_idx_map; + u16 idx = agg_id & MAX_TPA_P5_MASK; + +- if (test_bit(idx, map->agg_idx_bmap)) +- idx = find_first_zero_bit(map->agg_idx_bmap, +- BNXT_AGG_IDX_BMAP_SIZE); ++ if (test_bit(idx, 
map->agg_idx_bmap)) { ++ idx = find_first_zero_bit(map->agg_idx_bmap, MAX_TPA_P5); ++ if (idx >= MAX_TPA_P5) ++ return INVALID_HW_RING_ID; ++ } + __set_bit(idx, map->agg_idx_bmap); + map->agg_id_tbl[agg_id] = idx; + return idx; +@@ -1303,6 +1305,13 @@ static void bnxt_tpa_start(struct bnxt *bp, struct bnxt_rx_ring_info *rxr, + if (bp->flags & BNXT_FLAG_CHIP_P5) { + agg_id = TPA_START_AGG_ID_P5(tpa_start); + agg_id = bnxt_alloc_agg_idx(rxr, agg_id); ++ if (unlikely(agg_id == INVALID_HW_RING_ID)) { ++ netdev_warn(bp->dev, "Unable to allocate agg ID for ring %d, agg 0x%x\n", ++ rxr->bnapi->index, ++ TPA_START_AGG_ID_P5(tpa_start)); ++ bnxt_sched_reset_rxr(bp, rxr); ++ return; ++ } + } else { + agg_id = TPA_START_AGG_ID(tpa_start); + } +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.h b/drivers/net/ethernet/broadcom/bnxt/bnxt.h +index 0116f67593e3a..d96c9aabf97a7 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h +@@ -898,11 +898,9 @@ struct bnxt_tpa_info { + struct rx_agg_cmp *agg_arr; + }; + +-#define BNXT_AGG_IDX_BMAP_SIZE (MAX_TPA_P5 / BITS_PER_LONG) +- + struct bnxt_tpa_idx_map { + u16 agg_id_tbl[1024]; +- unsigned long agg_idx_bmap[BNXT_AGG_IDX_BMAP_SIZE]; ++ DECLARE_BITMAP(agg_idx_bmap, MAX_TPA_P5); + }; + + struct bnxt_rx_ring_info { +-- +2.51.0 + diff --git a/queue-6.6/bridge-fix-c-vlan-preservation-in-802.1ad-vlan_tunne.patch b/queue-6.6/bridge-fix-c-vlan-preservation-in-802.1ad-vlan_tunne.patch new file mode 100644 index 0000000000..547bc9388a --- /dev/null +++ b/queue-6.6/bridge-fix-c-vlan-preservation-in-802.1ad-vlan_tunne.patch 
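Review bot: The new failure branch in bnxt_tpa_start() calls `netdev_warn()` unconditionally from the receive path, so a burst of TPA start completions that fail allocation before the scheduled ring reset takes effect could flood the log. Guarding it, e.g. `if (net_ratelimit()) netdev_warn(...)`, keeps the diagnostic without that risk. Separately, the test `agg_id == INVALID_HW_RING_ID` only works if `agg_id` is wide enough to hold that sentinel; its declaration is outside the hunk and should be confirmed to match the `u16` return type of bnxt_alloc_agg_idx(). That helper would also benefit from a comment stating that it returns INVALID_HW_RING_ID when no free bit is found.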
@@ -0,0 +1,75 @@ +From 8dd712605b7895dfbe618a1777bdbf6fa060836f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Dec 2025 03:00:57 +0100 +Subject: bridge: fix C-VLAN preservation in 802.1ad vlan_tunnel egress + +From: Alexandre Knecht + +[ Upstream commit 3128df6be147768fe536986fbb85db1d37806a9f ] + +When using an 802.1ad bridge with vlan_tunnel, the C-VLAN tag is +incorrectly stripped from frames during egress processing. + +br_handle_egress_vlan_tunnel() uses skb_vlan_pop() to remove the S-VLAN +from hwaccel before VXLAN encapsulation. However, skb_vlan_pop() also +moves any "next" VLAN from the payload into hwaccel: + + /* move next vlan tag to hw accel tag */ + __skb_vlan_pop(skb, &vlan_tci); + __vlan_hwaccel_put_tag(skb, vlan_proto, vlan_tci); + +For QinQ frames where the C-VLAN sits in the payload, this moves it to +hwaccel where it gets lost during VXLAN encapsulation. + +Fix by calling __vlan_hwaccel_clear_tag() directly, which clears only +the hwaccel S-VLAN and leaves the payload untouched. + +This path is only taken when vlan_tunnel is enabled and tunnel_info +is configured, so 802.1Q bridges are unaffected. + +Tested with 802.1ad bridge + VXLAN vlan_tunnel, verified C-VLAN +preserved in VXLAN payload via tcpdump. 
+ +Fixes: 11538d039ac6 ("bridge: vlan dst_metadata hooks in ingress and egress paths") +Signed-off-by: Alexandre Knecht +Reviewed-by: Ido Schimmel +Acked-by: Nikolay Aleksandrov +Link: https://patch.msgid.link/20251228020057.2788865-1-knecht.alexandre@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/bridge/br_vlan_tunnel.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/net/bridge/br_vlan_tunnel.c b/net/bridge/br_vlan_tunnel.c +index 81833ca7a2c77..b41494ce59438 100644 +--- a/net/bridge/br_vlan_tunnel.c ++++ b/net/bridge/br_vlan_tunnel.c +@@ -187,7 +187,6 @@ int br_handle_egress_vlan_tunnel(struct sk_buff *skb, + { + struct metadata_dst *tunnel_dst; + __be64 tunnel_id; +- int err; + + if (!vlan) + return 0; +@@ -197,9 +196,13 @@ int br_handle_egress_vlan_tunnel(struct sk_buff *skb, + return 0; + + skb_dst_drop(skb); +- err = skb_vlan_pop(skb); +- if (err) +- return err; ++ /* For 802.1ad (QinQ), skb_vlan_pop() incorrectly moves the C-VLAN ++ * from payload to hwaccel after clearing S-VLAN. We only need to ++ * clear the hwaccel S-VLAN; the C-VLAN must stay in payload for ++ * correct VXLAN encapsulation. This is also correct for 802.1Q ++ * where no C-VLAN exists in payload. ++ */ ++ __vlan_hwaccel_clear_tag(skb); + + if (BR_INPUT_SKB_CB(skb)->backup_nhid) { + tunnel_dst = __ip_tun_set_dst(0, 0, 0, 0, 0, TUNNEL_KEY, +-- +2.51.0 + diff --git a/queue-6.6/gpio-pca953x-add-support-for-level-triggered-interru.patch b/queue-6.6/gpio-pca953x-add-support-for-level-triggered-interru.patch new file mode 100644 index 0000000000..cce978311b --- /dev/null +++ b/queue-6.6/gpio-pca953x-add-support-for-level-triggered-interru.patch 
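Review bot: The replacement `__vlan_hwaccel_clear_tag(skb);` in br_handle_egress_vlan_tunnel() only clears the hwaccel tag, so it relies on the S-VLAN always being carried in hwaccel at this point. skb_vlan_pop() would also have removed an outer tag found in the payload and reported a failure through `err`; both behaviours are gone, and the new comment does not state the invariant that makes this safe. If the bridge ingress path guarantees it (not visible in this hunk), say so in the comment, for example `/* The outer tag is always in hwaccel here, so there is no outer tag in the payload to pop. */`. The function body starts and continues outside the hunk.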
@@ -0,0 +1,116 @@ +From 60dca6715320754489c49225806d0ec42056418a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Apr 2025 23:37:30 +0800 +Subject: gpio: pca953x: Add support for level-triggered interrupts + +From: Potin Lai + +[ Upstream commit 417b0f8d08f878615de9481c6e8827fbc8b57ed2 ] + +Adds support for level-triggered interrupts in the PCA953x GPIO +expander driver. Previously, the driver only supported edge-triggered +interrupts, which could lead to missed events in scenarios where an +interrupt condition persists until it is explicitly cleared. + +By enabling level-triggered interrupts, the driver can now detect and +respond to sustained interrupt conditions more reliably. + +Signed-off-by: Potin Lai +Link: https://lore.kernel.org/r/20250409-gpio-pca953x-level-triggered-irq-v3-1-7f184d814934@gmail.com +Signed-off-by: Bartosz Golaszewski +Stable-dep-of: 014a17deb412 ("gpio: pca953x: handle short interrupt pulses on PCAL devices") +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-pca953x.c | 32 +++++++++++++++++++++++++++----- + 1 file changed, 27 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpio/gpio-pca953x.c b/drivers/gpio/gpio-pca953x.c +index de965e6353c5b..6b9bfdebadb5a 100644 +--- a/drivers/gpio/gpio-pca953x.c ++++ b/drivers/gpio/gpio-pca953x.c +@@ -207,6 +207,8 @@ struct pca953x_chip { + DECLARE_BITMAP(irq_stat, MAX_LINE); + DECLARE_BITMAP(irq_trig_raise, MAX_LINE); + DECLARE_BITMAP(irq_trig_fall, MAX_LINE); ++ DECLARE_BITMAP(irq_trig_level_high, MAX_LINE); ++ DECLARE_BITMAP(irq_trig_level_low, MAX_LINE); + #endif + atomic_t wakeup_path; + +@@ -767,6 +769,8 @@ static void pca953x_irq_bus_sync_unlock(struct irq_data *d) + pca953x_read_regs(chip, chip->regs->direction, reg_direction); + + bitmap_or(irq_mask, chip->irq_trig_fall, chip->irq_trig_raise, gc->ngpio); ++ bitmap_or(irq_mask, irq_mask, chip->irq_trig_level_high, gc->ngpio); ++ bitmap_or(irq_mask, irq_mask, chip->irq_trig_level_low, gc->ngpio); + 
bitmap_complement(reg_direction, reg_direction, gc->ngpio); + bitmap_and(irq_mask, irq_mask, reg_direction, gc->ngpio); + +@@ -784,13 +788,15 @@ static int pca953x_irq_set_type(struct irq_data *d, unsigned int type) + struct device *dev = &chip->client->dev; + irq_hw_number_t hwirq = irqd_to_hwirq(d); + +- if (!(type & IRQ_TYPE_EDGE_BOTH)) { ++ if (!(type & IRQ_TYPE_SENSE_MASK)) { + dev_err(dev, "irq %d: unsupported type %d\n", d->irq, type); + return -EINVAL; + } + + assign_bit(hwirq, chip->irq_trig_fall, type & IRQ_TYPE_EDGE_FALLING); + assign_bit(hwirq, chip->irq_trig_raise, type & IRQ_TYPE_EDGE_RISING); ++ assign_bit(hwirq, chip->irq_trig_level_low, type & IRQ_TYPE_LEVEL_LOW); ++ assign_bit(hwirq, chip->irq_trig_level_high, type & IRQ_TYPE_LEVEL_HIGH); + + return 0; + } +@@ -803,6 +809,8 @@ static void pca953x_irq_shutdown(struct irq_data *d) + + clear_bit(hwirq, chip->irq_trig_raise); + clear_bit(hwirq, chip->irq_trig_fall); ++ clear_bit(hwirq, chip->irq_trig_level_low); ++ clear_bit(hwirq, chip->irq_trig_level_high); + } + + static void pca953x_irq_print_chip(struct irq_data *data, struct seq_file *p) +@@ -833,6 +841,7 @@ static bool pca953x_irq_pending(struct pca953x_chip *chip, unsigned long *pendin + DECLARE_BITMAP(cur_stat, MAX_LINE); + DECLARE_BITMAP(new_stat, MAX_LINE); + DECLARE_BITMAP(trigger, MAX_LINE); ++ DECLARE_BITMAP(edges, MAX_LINE); + int ret; + + ret = pca953x_read_regs(chip, chip->regs->input, cur_stat); +@@ -850,13 +859,26 @@ static bool pca953x_irq_pending(struct pca953x_chip *chip, unsigned long *pendin + + bitmap_copy(chip->irq_stat, new_stat, gc->ngpio); + +- if (bitmap_empty(trigger, gc->ngpio)) +- return false; ++ if (bitmap_empty(chip->irq_trig_level_high, gc->ngpio) && ++ bitmap_empty(chip->irq_trig_level_low, gc->ngpio)) { ++ if (bitmap_empty(trigger, gc->ngpio)) ++ return false; ++ } + + bitmap_and(cur_stat, chip->irq_trig_fall, old_stat, gc->ngpio); + bitmap_and(old_stat, chip->irq_trig_raise, new_stat, gc->ngpio); +- 
bitmap_or(new_stat, old_stat, cur_stat, gc->ngpio); +- bitmap_and(pending, new_stat, trigger, gc->ngpio); ++ bitmap_or(edges, old_stat, cur_stat, gc->ngpio); ++ bitmap_and(pending, edges, trigger, gc->ngpio); ++ ++ bitmap_and(cur_stat, new_stat, chip->irq_trig_level_high, gc->ngpio); ++ bitmap_and(cur_stat, cur_stat, chip->irq_mask, gc->ngpio); ++ bitmap_or(pending, pending, cur_stat, gc->ngpio); ++ ++ bitmap_complement(cur_stat, new_stat, gc->ngpio); ++ bitmap_and(cur_stat, cur_stat, reg_direction, gc->ngpio); ++ bitmap_and(old_stat, cur_stat, chip->irq_trig_level_low, gc->ngpio); ++ bitmap_and(old_stat, old_stat, chip->irq_mask, gc->ngpio); ++ bitmap_or(pending, pending, old_stat, gc->ngpio); + + return !bitmap_empty(pending, gc->ngpio); + } +-- +2.51.0 + diff --git a/queue-6.6/gpio-pca953x-handle-short-interrupt-pulses-on-pcal-d.patch b/queue-6.6/gpio-pca953x-handle-short-interrupt-pulses-on-pcal-d.patch new file mode 100644 index 0000000000..cfab98f36e --- /dev/null +++ b/queue-6.6/gpio-pca953x-handle-short-interrupt-pulses-on-pcal-d.patch 
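Review bot: In pca953x_irq_pending() the level-low branch re-applies `reg_direction` after `bitmap_complement()` while the level-high branch does not, and both branches reuse `cur_stat` and `old_stat` as scratch after they have stopped meaning current and old input state. The asymmetry is presumably correct because `new_stat` was already masked by the direction bits in the lines between the two hunks, and complementing sets the output pins again, but a reader has to work that out. I would add `/* new_stat has outputs cleared; the complement sets them again, so mask with reg_direction once more */` before the complement and hold the two level results in a dedicated bitmap such as `DECLARE_BITMAP(level, MAX_LINE);`. Separately, pca953x_irq_set_type() now accepts any bit in IRQ_TYPE_SENSE_MASK, so a request that combines edge and level bits arms both kinds of trigger for the line; whether that is intended is not stated.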
@@ -0,0 +1,148 @@ +From dbac0105e2ebc49dad10c08b94da8910c58126e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Dec 2025 16:30:25 +0100 +Subject: gpio: pca953x: handle short interrupt pulses on PCAL devices +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ernest Van Hoecke + +[ Upstream commit 014a17deb41201449f76df2b20c857a9c3294a7c ] + +GPIO drivers with latch input support may miss short pulses on input +pins even when input latching is enabled. The generic interrupt logic in +the pca953x driver reports interrupts by comparing the current input +value against the previously sampled one and only signals an event when +a level change is observed between two reads. + +For short pulses, the first edge is captured when the input register is +read, but if the signal returns to its previous level before the read, +the second edge is not observed. As a result, successive pulses can +produce identical input values at read time and no level change is +detected, causing interrupts to be missed. Below timing diagram shows +this situation where the top signal is the input pin level and the +bottom signal indicates the latched value. + +─────┐ ┌──*───────────────┐ ┌──*─────────────────┐ ┌──*─── + │ │ . │ │ . │ │ . + │ │ │ │ │ │ │ │ │ + └──*──┘ │ └──*──┘ │ └──*──┘ │ +Input │ │ │ │ │ │ + ▼ │ ▼ │ ▼ │ + IRQ │ IRQ │ IRQ │ + . . . +─────┐ .┌──────────────┐ .┌────────────────┐ .┌── + │ │ │ │ │ │ + │ │ │ │ │ │ + └────────*┘ └────────*┘ └────────*┘ +Latched │ │ │ + ▼ ▼ ▼ + READ 0 READ 0 READ 0 + NO CHANGE NO CHANGE + +PCAL variants provide an interrupt status register that records which +pins triggered an interrupt, but the status and input registers cannot +be read atomically. The interrupt status is only cleared when the input +port is read, and the input value must also be read to determine the +triggering edge. 
If another interrupt occurs on a different line after +the status register has been read but before the input register is +sampled, that event will not be reflected in the earlier status +snapshot, so relying solely on the interrupt status register is also +insufficient. + +Support for input latching and interrupt status handling was previously +added by [1], but the interrupt status-based logic was reverted by [2] +due to these issues. This patch addresses the original problem by +combining both sources of information. Events indicated by the interrupt +status register are merged with events detected through the existing +level-change logic. As a result: + +* short pulses, whose second edges are invisible, are detected via the + interrupt status register, and +* interrupts that occur between the status and input reads are still + caught by the generic level-change logic. + +This significantly improves robustness on devices that signal interrupts +as short pulses, while avoiding the issues that led to the earlier +reversion. In practice, even if only the first edge of a pulse is +observable, the interrupt is reliably detected. + +This fixes missed interrupts from an Ilitek touch controller with its +interrupt line connected to a PCAL6416A, where active-low pulses are +approximately 200 us long. 
+ +[1] commit 44896beae605 ("gpio: pca953x: add PCAL9535 interrupt support for Galileo Gen2") +[2] commit d6179f6c6204 ("gpio: pca953x: Improve interrupt support") + +Fixes: d6179f6c6204 ("gpio: pca953x: Improve interrupt support") +Signed-off-by: Ernest Van Hoecke +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20251217153050.142057-1-ernestvanhoecke@gmail.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-pca953x.c | 25 ++++++++++++++++++++++++- + 1 file changed, 24 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpio-pca953x.c b/drivers/gpio/gpio-pca953x.c +index 6b9bfdebadb5a..120d6695a4b55 100644 +--- a/drivers/gpio/gpio-pca953x.c ++++ b/drivers/gpio/gpio-pca953x.c +@@ -840,14 +840,35 @@ static bool pca953x_irq_pending(struct pca953x_chip *chip, unsigned long *pendin + DECLARE_BITMAP(old_stat, MAX_LINE); + DECLARE_BITMAP(cur_stat, MAX_LINE); + DECLARE_BITMAP(new_stat, MAX_LINE); ++ DECLARE_BITMAP(int_stat, MAX_LINE); + DECLARE_BITMAP(trigger, MAX_LINE); + DECLARE_BITMAP(edges, MAX_LINE); + int ret; + ++ if (chip->driver_data & PCA_PCAL) { ++ /* Read INT_STAT before it is cleared by the input-port read. */ ++ ret = pca953x_read_regs(chip, PCAL953X_INT_STAT, int_stat); ++ if (ret) ++ return false; ++ } ++ + ret = pca953x_read_regs(chip, chip->regs->input, cur_stat); + if (ret) + return false; + ++ if (chip->driver_data & PCA_PCAL) { ++ /* Detect short pulses via INT_STAT. */ ++ bitmap_and(trigger, int_stat, chip->irq_mask, gc->ngpio); ++ ++ /* Apply filter for rising/falling edge selection. 
*/ ++ bitmap_replace(new_stat, chip->irq_trig_fall, chip->irq_trig_raise, ++ cur_stat, gc->ngpio); ++ ++ bitmap_and(int_stat, new_stat, trigger, gc->ngpio); ++ } else { ++ bitmap_zero(int_stat, gc->ngpio); ++ } ++ + /* Remove output pins from the equation */ + pca953x_read_regs(chip, chip->regs->direction, reg_direction); + +@@ -861,7 +882,8 @@ static bool pca953x_irq_pending(struct pca953x_chip *chip, unsigned long *pendin + + if (bitmap_empty(chip->irq_trig_level_high, gc->ngpio) && + bitmap_empty(chip->irq_trig_level_low, gc->ngpio)) { +- if (bitmap_empty(trigger, gc->ngpio)) ++ if (bitmap_empty(trigger, gc->ngpio) && ++ bitmap_empty(int_stat, gc->ngpio)) + return false; + } + +@@ -869,6 +891,7 @@ static bool pca953x_irq_pending(struct pca953x_chip *chip, unsigned long *pendin + bitmap_and(old_stat, chip->irq_trig_raise, new_stat, gc->ngpio); + bitmap_or(edges, old_stat, cur_stat, gc->ngpio); + bitmap_and(pending, edges, trigger, gc->ngpio); ++ bitmap_or(pending, pending, int_stat, gc->ngpio); + + bitmap_and(cur_stat, new_stat, chip->irq_trig_level_high, gc->ngpio); + bitmap_and(cur_stat, cur_stat, chip->irq_mask, gc->ngpio); +-- +2.51.0 + diff --git a/queue-6.6/gpio-pca953x-utilise-dev_err_probe-where-it-makes-se.patch b/queue-6.6/gpio-pca953x-utilise-dev_err_probe-where-it-makes-se.patch new file mode 100644 index 0000000000..6e4ed08ad9 --- /dev/null +++ b/queue-6.6/gpio-pca953x-utilise-dev_err_probe-where-it-makes-se.patch 
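Review bot: The PCAL block added to pca953x_irq_pending() uses `trigger` as a scratch bitmap for `int_stat & irq_mask`, although `trigger` is the name of the level-change result that is presumably computed further down, outside the hunk. A dedicated local such as `DECLARE_BITMAP(masked_stat, MAX_LINE);`, or a comment `/* trigger is only scratch here; it is recomputed below */`, would remove the ambiguity. The INT_STAT bits are also merged into `pending` without passing through the "Remove output pins from the equation" step that follows the block. That is probably harmless if the interrupt mask written to the chip already excludes outputs, but it deserves a one-line comment saying so.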
@@ -0,0 +1,48 @@ +From 78cf9d68a3ad33ab45254d9c49cc902ea086585b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Sep 2023 16:40:34 +0300 +Subject: gpio: pca953x: Utilise dev_err_probe() where it makes sense + +From: Andy Shevchenko + +[ Upstream commit c47f7ff0fe61738a40b1b4fef3cd8317ec314079 ] + +At least in pca953x_irq_setup() we may use dev_err_probe(). + +Signed-off-by: Andy Shevchenko +Signed-off-by: Bartosz Golaszewski +Stable-dep-of: 014a17deb412 ("gpio: pca953x: handle short interrupt pulses on PCAL devices") +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-pca953x.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpio/gpio-pca953x.c b/drivers/gpio/gpio-pca953x.c +index faadbe66b23e7..3a0b999521e44 100644 +--- a/drivers/gpio/gpio-pca953x.c ++++ b/drivers/gpio/gpio-pca953x.c +@@ -895,6 +895,7 @@ static irqreturn_t pca953x_irq_handler(int irq, void *devid) + static int pca953x_irq_setup(struct pca953x_chip *chip, int irq_base) + { + struct i2c_client *client = chip->client; ++ struct device *dev = &client->dev; + DECLARE_BITMAP(reg_direction, MAX_LINE); + DECLARE_BITMAP(irq_stat, MAX_LINE); + struct gpio_irq_chip *girq; +@@ -943,11 +944,8 @@ static int pca953x_irq_setup(struct pca953x_chip *chip, int irq_base) + NULL, pca953x_irq_handler, + IRQF_ONESHOT | IRQF_SHARED, + dev_name(&client->dev), chip); +- if (ret) { +- dev_err(&client->dev, "failed to request irq %d\n", +- client->irq); +- return ret; +- } ++ if (ret) ++ return dev_err_probe(dev, client->irq, "failed to request irq\n"); + + return 0; + } +-- +2.51.0 + diff --git a/queue-6.6/gpio-pca953x-utilise-temporary-variable-for-struct-d.patch b/queue-6.6/gpio-pca953x-utilise-temporary-variable-for-struct-d.patch new file mode 100644 index 0000000000..81abd5ad33 --- /dev/null +++ b/queue-6.6/gpio-pca953x-utilise-temporary-variable-for-struct-d.patch 
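Review bot: The new `return dev_err_probe(dev, client->irq, "failed to request irq\n");` in pca953x_irq_setup() passes the IRQ number where dev_err_probe() expects the error code. The failure from devm_request_threaded_irq() held in `ret` is discarded, the function returns a positive IRQ number instead of a negative errno, and the message no longer names the IRQ. Because the error code is wrong, the probe-deferral handling inside dev_err_probe() cannot recognise a deferred request either. The line should read `return dev_err_probe(dev, ret, "failed to request irq %d\n", client->irq);`. The same call appears as unchanged context in the next queued patch ("Utilise temporary variable for struct device"), so the correction has to land here or in a follow-up; pca953x_irq_setup() starts outside the hunk.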
@@ -0,0 +1,118 @@ +From 013624a867604fb362c04b3de028bfd1a6cc2bd6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Sep 2023 16:40:37 +0300 +Subject: gpio: pca953x: Utilise temporary variable for struct device + +From: Andy Shevchenko + +[ Upstream commit 6811886ac91eb414b1b74920e05e6590c3f2a688 ] + +We have a temporary variable to keep pointer to struct device. +Utilise it where it makes sense. + +Signed-off-by: Andy Shevchenko +Signed-off-by: Bartosz Golaszewski +Stable-dep-of: 014a17deb412 ("gpio: pca953x: handle short interrupt pulses on PCAL devices") +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-pca953x.c | 30 ++++++++++++++---------------- + 1 file changed, 14 insertions(+), 16 deletions(-) + +diff --git a/drivers/gpio/gpio-pca953x.c b/drivers/gpio/gpio-pca953x.c +index 3a0b999521e44..de965e6353c5b 100644 +--- a/drivers/gpio/gpio-pca953x.c ++++ b/drivers/gpio/gpio-pca953x.c +@@ -781,11 +781,11 @@ static int pca953x_irq_set_type(struct irq_data *d, unsigned int type) + { + struct gpio_chip *gc = irq_data_get_irq_chip_data(d); + struct pca953x_chip *chip = gpiochip_get_data(gc); ++ struct device *dev = &chip->client->dev; + irq_hw_number_t hwirq = irqd_to_hwirq(d); + + if (!(type & IRQ_TYPE_EDGE_BOTH)) { +- dev_err(&chip->client->dev, "irq %d: unsupported type %d\n", +- d->irq, type); ++ dev_err(dev, "irq %d: unsupported type %d\n", d->irq, type); + return -EINVAL; + } + +@@ -902,7 +902,7 @@ static int pca953x_irq_setup(struct pca953x_chip *chip, int irq_base) + int ret; + + if (dmi_first_match(pca953x_dmi_acpi_irq_info)) { +- ret = pca953x_acpi_get_irq(&client->dev); ++ ret = pca953x_acpi_get_irq(dev); + if (ret > 0) + client->irq = ret; + } +@@ -940,10 +940,9 @@ static int pca953x_irq_setup(struct pca953x_chip *chip, int irq_base) + girq->threaded = true; + girq->first = irq_base; /* FIXME: get rid of this */ + +- ret = devm_request_threaded_irq(&client->dev, client->irq, +- NULL, pca953x_irq_handler, +- IRQF_ONESHOT | IRQF_SHARED, +- 
dev_name(&client->dev), chip); ++ ret = devm_request_threaded_irq(dev, client->irq, NULL, pca953x_irq_handler, ++ IRQF_ONESHOT | IRQF_SHARED, dev_name(dev), ++ chip); + if (ret) + return dev_err_probe(dev, client->irq, "failed to request irq\n"); + +@@ -951,13 +950,13 @@ static int pca953x_irq_setup(struct pca953x_chip *chip, int irq_base) + } + + #else /* CONFIG_GPIO_PCA953X_IRQ */ +-static int pca953x_irq_setup(struct pca953x_chip *chip, +- int irq_base) ++static int pca953x_irq_setup(struct pca953x_chip *chip, int irq_base) + { + struct i2c_client *client = chip->client; ++ struct device *dev = &client->dev; + + if (client->irq && irq_base != -1 && (chip->driver_data & PCA_INT)) +- dev_warn(&client->dev, "interrupt support not compiled in\n"); ++ dev_warn(dev, "interrupt support not compiled in\n"); + + return 0; + } +@@ -1048,11 +1047,11 @@ static int pca953x_probe(struct i2c_client *client) + int ret; + const struct regmap_config *regmap_config; + +- chip = devm_kzalloc(&client->dev, sizeof(*chip), GFP_KERNEL); ++ chip = devm_kzalloc(dev, sizeof(*chip), GFP_KERNEL); + if (chip == NULL) + return -ENOMEM; + +- pdata = dev_get_platdata(&client->dev); ++ pdata = dev_get_platdata(dev); + if (pdata) { + irq_base = pdata->irq_base; + chip->gpio_start = pdata->gpio_base; +@@ -1069,8 +1068,7 @@ static int pca953x_probe(struct i2c_client *client) + * using "reset" GPIO. Otherwise any of those platform + * must use _DSD method with corresponding property. 
+ */ +- reset_gpio = devm_gpiod_get_optional(&client->dev, "reset", +- GPIOD_OUT_LOW); ++ reset_gpio = devm_gpiod_get_optional(dev, "reset", GPIOD_OUT_LOW); + if (IS_ERR(reset_gpio)) + return dev_err_probe(dev, PTR_ERR(reset_gpio), + "Failed to get reset gpio\n"); +@@ -1090,10 +1088,10 @@ static int pca953x_probe(struct i2c_client *client) + pca953x_setup_gpio(chip, chip->driver_data & PCA_GPIO_MASK); + + if (NBANK(chip) > 2 || PCA_CHIP_TYPE(chip->driver_data) == PCA957X_TYPE) { +- dev_info(&client->dev, "using AI\n"); ++ dev_info(dev, "using AI\n"); + regmap_config = &pca953x_ai_i2c_regmap; + } else { +- dev_info(&client->dev, "using no AI\n"); ++ dev_info(dev, "using no AI\n"); + regmap_config = &pca953x_i2c_regmap; + } + +-- +2.51.0 + diff --git a/queue-6.6/hid-quirks-work-around-vid-pid-conflict-for-appledis.patch b/queue-6.6/hid-quirks-work-around-vid-pid-conflict-for-appledis.patch new file mode 100644 index 0000000000..e36b85996d --- /dev/null +++ b/queue-6.6/hid-quirks-work-around-vid-pid-conflict-for-appledis.patch 
@@ -0,0 +1,47 @@ +From ca72f42ff4402842f839f41c8c5616447908423d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Nov 2025 13:46:41 +0100 +Subject: HID: quirks: work around VID/PID conflict for appledisplay +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: René Rebe + +[ Upstream commit c7fabe4ad9219866c203164a214c474c95b36bf2 ] + +For years I wondered why the Apple Cinema Display driver would not +just work for me. Turns out the hidraw driver instantly takes it +over. Fix by adding appledisplay VID/PIDs to hid_have_special_driver. + +Fixes: 069e8a65cd79 ("Driver for Apple Cinema Display") +Signed-off-by: René Rebe +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-quirks.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c +index 2da21415e676c..192b8f63baaab 100644 +--- a/drivers/hid/hid-quirks.c ++++ b/drivers/hid/hid-quirks.c +@@ -232,6 +232,15 @@ static const struct hid_device_id hid_quirks[] = { + * used as a driver. See hid_scan_report(). + */ + static const struct hid_device_id hid_have_special_driver[] = { ++#if IS_ENABLED(CONFIG_APPLEDISPLAY) ++ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x9218) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x9219) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x921c) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x921d) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x9222) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x9226) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x9236) }, ++#endif + #if IS_ENABLED(CONFIG_HID_A4TECH) + { HID_USB_DEVICE(USB_VENDOR_ID_A4TECH, USB_DEVICE_ID_A4TECH_WCP32PU) }, + { HID_USB_DEVICE(USB_VENDOR_ID_A4TECH, USB_DEVICE_ID_A4TECH_X5_005D) }, +-- +2.51.0 + diff --git a/queue-6.6/inet-ping-fix-icmp-out-counting.patch b/queue-6.6/inet-ping-fix-icmp-out-counting.patch new file mode 100644 index 0000000000..7211d32b59 --- /dev/null 
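Review bot: The seven entries added to hid_have_special_driver[] use bare product IDs (`0x9218` through `0x9236`) with nothing that ties them to the appledisplay driver's own device table, so the two lists can drift apart without anyone noticing. A comment above the block, for example `/* Apple Cinema Display models handled by appledisplay; keep in sync with that driver's ID table */`, would record where the numbers come from. Named `USB_DEVICE_ID_APPLE_*` constants, as the neighbouring A4TECH entries use, would be more consistent with the rest of the table if such names can be shared with the display driver.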
+++ b/queue-6.6/inet-ping-fix-icmp-out-counting.patch @@ -0,0 +1,55 @@ +From c3ad4d9dc882bf29c6a9963695f9f229528bce2c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Dec 2025 14:31:45 +0800 +Subject: inet: ping: Fix icmp out counting + +From: yuan.gao + +[ Upstream commit 4c0856c225b39b1def6c9a6bc56faca79550da13 ] + +When the ping program uses an IPPROTO_ICMP socket to send ICMP_ECHO +messages, ICMP_MIB_OUTMSGS is counted twice. + + ping_v4_sendmsg + ping_v4_push_pending_frames + ip_push_pending_frames + ip_finish_skb + __ip_make_skb + icmp_out_count(net, icmp_type); // first count + icmp_out_count(sock_net(sk), user_icmph.type); // second count + +However, when the ping program uses an IPPROTO_RAW socket, +ICMP_MIB_OUTMSGS is counted correctly only once. + +Therefore, the first count should be removed. + +Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind") +Signed-off-by: yuan.gao +Reviewed-by: Ido Schimmel +Tested-by: Ido Schimmel +Link: https://patch.msgid.link/20251224063145.3615282-1-yuan.gao@ucloud.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/ping.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c +index 5c848136bc266..47f2e7dd554ad 100644 +--- a/net/ipv4/ping.c ++++ b/net/ipv4/ping.c +@@ -839,10 +839,8 @@ static int ping_v4_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) + out_free: + if (free) + kfree(ipc.opt); +- if (!err) { +- icmp_out_count(sock_net(sk), user_icmph.type); ++ if (!err) + return len; +- } + return err; + + do_confirm: +-- +2.51.0 + diff --git a/queue-6.6/net-enetc-fix-build-warning-when-page_size-is-greate.patch b/queue-6.6/net-enetc-fix-build-warning-when-page_size-is-greate.patch new file mode 100644 index 0000000000..1624604c22 --- /dev/null +++ b/queue-6.6/net-enetc-fix-build-warning-when-page_size-is-greate.patch 
@@ -0,0 +1,49 @@ +From 2c9c0719f0bfe1ae0ea081389de1de62ab0e6e58 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jan 2026 17:12:04 +0800 +Subject: net: enetc: fix build warning when PAGE_SIZE is greater than 128K + +From: Wei Fang + +[ Upstream commit 4b5bdabb5449b652122e43f507f73789041d4abe ] + +The max buffer size of ENETC RX BD is 0xFFFF bytes, so if the PAGE_SIZE +is greater than 128K, ENETC_RXB_DMA_SIZE and ENETC_RXB_DMA_SIZE_XDP will +be greater than 0xFFFF, thus causing a build warning. + +This will not cause any practical issues because ENETC is currently only +used on the ARM64 platform, and the max PAGE_SIZE is 64K. So this patch +is only for fixing the build warning that occurs when compiling ENETC +drivers for other platforms. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202601050637.kHEKKOG7-lkp@intel.com/ +Fixes: e59bc32df2e9 ("net: enetc: correct the value of ENETC_RXB_TRUESIZE") +Signed-off-by: Wei Fang +Reviewed-by: Frank Li +Link: https://patch.msgid.link/20260107091204.1980222-1-wei.fang@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/enetc/enetc.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/enetc/enetc.h b/drivers/net/ethernet/freescale/enetc/enetc.h +index dcf3e4b4e3f55..14b2f471fc68f 100644 +--- a/drivers/net/ethernet/freescale/enetc/enetc.h ++++ b/drivers/net/ethernet/freescale/enetc/enetc.h +@@ -44,9 +44,9 @@ struct enetc_tx_swbd { + #define ENETC_RXB_TRUESIZE (PAGE_SIZE >> 1) + #define ENETC_RXB_PAD NET_SKB_PAD /* add extra space if needed */ + #define ENETC_RXB_DMA_SIZE \ +- (SKB_WITH_OVERHEAD(ENETC_RXB_TRUESIZE) - ENETC_RXB_PAD) ++ min(SKB_WITH_OVERHEAD(ENETC_RXB_TRUESIZE) - ENETC_RXB_PAD, 0xffff) + #define ENETC_RXB_DMA_SIZE_XDP \ +- (SKB_WITH_OVERHEAD(ENETC_RXB_TRUESIZE) - XDP_PACKET_HEADROOM) ++ min(SKB_WITH_OVERHEAD(ENETC_RXB_TRUESIZE) - XDP_PACKET_HEADROOM, 0xffff) + + 
struct enetc_rx_swbd { + dma_addr_t dma; +-- +2.51.0 + diff --git a/queue-6.6/net-fix-memory-leak-in-skb_segment_list-for-gro-pack.patch b/queue-6.6/net-fix-memory-leak-in-skb_segment_list-for-gro-pack.patch new file mode 100644 index 0000000000..7d94155472 --- /dev/null +++ b/queue-6.6/net-fix-memory-leak-in-skb_segment_list-for-gro-pack.patch 
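Review bot: Both macros now call `min()` with one operand derived from PAGE_SIZE and sizeof (an unsigned long expression) and the int constant `0xffff`, and whether that compiles cleanly depends on how strict the `min()` type check is in each target tree, which this hunk does not show. Since the patch exists only to silence a build warning, it should be build-tested in every queue it goes into, or written in a form that does not depend on the check, such as `min_t(u32, SKB_WITH_OVERHEAD(ENETC_RXB_TRUESIZE) - ENETC_RXB_PAD, 0xffff)`. The limit is also a magic number repeated twice. A named constant with a comment that it is the maximum RX BD buffer size would document it.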
@@ -0,0 +1,108 @@ +From 2226784ccea63aef2e63464fdab473c255fd869c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Jan 2026 23:31:01 +0200 +Subject: net: fix memory leak in skb_segment_list for GRO packets + +From: Mohammad Heib + +[ Upstream commit 238e03d0466239410b72294b79494e43d4fabe77 ] + +When skb_segment_list() is called during packet forwarding, it handles +packets that were aggregated by the GRO engine. + +Historically, the segmentation logic in skb_segment_list assumes that +individual segments are split from a parent SKB and may need to carry +their own socket memory accounting. Accordingly, the code transfers +truesize from the parent to the newly created segments. + +Prior to commit ed4cccef64c1 ("gro: fix ownership transfer"), this +truesize subtraction in skb_segment_list() was valid because fragments +still carry a reference to the original socket. + +However, commit ed4cccef64c1 ("gro: fix ownership transfer") changed +this behavior by ensuring that fraglist entries are explicitly +orphaned (skb->sk = NULL) to prevent illegal orphaning later in the +stack. This change meant that the entire socket memory charge remained +with the head SKB, but the corresponding accounting logic in +skb_segment_list() was never updated. + +As a result, the current code unconditionally adds each fragment's +truesize to delta_truesize and subtracts it from the parent SKB. Since +the fragments are no longer charged to the socket, this subtraction +results in an effective under-count of memory when the head is freed. +This causes sk_wmem_alloc to remain non-zero, preventing socket +destruction and leading to a persistent memory leak. 
+ +The leak can be observed via KMEMLEAK when tearing down the networking +environment: + +unreferenced object 0xffff8881e6eb9100 (size 2048): + comm "ping", pid 6720, jiffies 4295492526 + backtrace: + kmem_cache_alloc_noprof+0x5c6/0x800 + sk_prot_alloc+0x5b/0x220 + sk_alloc+0x35/0xa00 + inet6_create.part.0+0x303/0x10d0 + __sock_create+0x248/0x640 + __sys_socket+0x11b/0x1d0 + +Since skb_segment_list() is exclusively used for SKB_GSO_FRAGLIST +packets constructed by GRO, the truesize adjustment is removed. + +The call to skb_release_head_state() must be preserved. As documented in +commit cf673ed0e057 ("net: fix fraglist segmentation reference count +leak"), it is still required to correctly drop references to SKB +extensions that may be overwritten during __copy_skb_header(). + +Fixes: ed4cccef64c1 ("gro: fix ownership transfer") +Signed-off-by: Mohammad Heib +Reviewed-by: Willem de Bruijn +Link: https://patch.msgid.link/20260104213101.352887-1-mheib@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/skbuff.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index 073e2c5274079..4c28954f915fa 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -4344,12 +4344,14 @@ struct sk_buff *skb_segment_list(struct sk_buff *skb, + { + struct sk_buff *list_skb = skb_shinfo(skb)->frag_list; + unsigned int tnl_hlen = skb_tnl_header_len(skb); +- unsigned int delta_truesize = 0; + unsigned int delta_len = 0; + struct sk_buff *tail = NULL; + struct sk_buff *nskb, *tmp; + int len_diff, err; + ++ /* Only skb_gro_receive_list generated skbs arrive here */ ++ DEBUG_NET_WARN_ON_ONCE(!(skb_shinfo(skb)->gso_type & SKB_GSO_FRAGLIST)); ++ + skb_push(skb, -skb_network_offset(skb) + offset); + + /* Ensure the head is writeable before touching the shared info */ +@@ -4363,8 +4365,9 @@ struct sk_buff *skb_segment_list(struct sk_buff *skb, + nskb = list_skb; + list_skb = list_skb->next; 
+ ++ DEBUG_NET_WARN_ON_ONCE(nskb->sk); ++ + err = 0; +- delta_truesize += nskb->truesize; + if (skb_shared(nskb)) { + tmp = skb_clone(nskb, GFP_ATOMIC); + if (tmp) { +@@ -4407,7 +4410,6 @@ struct sk_buff *skb_segment_list(struct sk_buff *skb, + goto err_linearize; + } + +- skb->truesize = skb->truesize - delta_truesize; + skb->data_len = skb->data_len - delta_len; + skb->len = skb->len - delta_len; + +-- +2.51.0 + diff --git a/queue-6.6/net-marvell-prestera-fix-null-dereference-on-devlink.patch b/queue-6.6/net-marvell-prestera-fix-null-dereference-on-devlink.patch new file mode 100644 index 0000000000..7924545979 --- /dev/null +++ b/queue-6.6/net-marvell-prestera-fix-null-dereference-on-devlink.patch 
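Review bot: The truesize adjustment is removed from skb_segment_list() without a comment at the place where `skb->data_len` and `skb->len` are still reduced, so the next reader will see length being moved to the segments and wonder why truesize is not. I would add above `skb->data_len = skb->data_len - delta_len;` a comment such as `/* truesize stays with the head: frag_list skbs built by GRO are orphaned and carry no socket charge */`. The assumption itself is enforced only by `DEBUG_NET_WARN_ON_ONCE(nskb->sk)`, which presumably compiles away without the debug option, so a fragment that still carries a socket would go unnoticed in production builds. The function body starts and continues outside the hunks.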
@@ -0,0 +1,44 @@ +From c6201f3e7bc282e891bbde0548016f25ca43083f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Dec 2025 21:21:18 -0800 +Subject: net: marvell: prestera: fix NULL dereference on devlink_alloc() + failure + +From: Alok Tiwari + +[ Upstream commit a428e0da1248c353557970848994f35fd3f005e2 ] + +devlink_alloc() may return NULL on allocation failure, but +prestera_devlink_alloc() unconditionally calls devlink_priv() on +the returned pointer. + +This leads to a NULL pointer dereference if devlink allocation fails. +Add a check for a NULL devlink pointer and return NULL early to avoid +the crash. + +Fixes: 34dd1710f5a3 ("net: marvell: prestera: Add basic devlink support") +Signed-off-by: Alok Tiwari +Acked-by: Elad Nachman +Link: https://patch.msgid.link/20251230052124.897012-1-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/prestera/prestera_devlink.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/marvell/prestera/prestera_devlink.c b/drivers/net/ethernet/marvell/prestera/prestera_devlink.c +index 2a4c9df4eb797..e63d95c1842f3 100644 +--- a/drivers/net/ethernet/marvell/prestera/prestera_devlink.c ++++ b/drivers/net/ethernet/marvell/prestera/prestera_devlink.c +@@ -387,6 +387,8 @@ struct prestera_switch *prestera_devlink_alloc(struct prestera_device *dev) + + dl = devlink_alloc(&prestera_dl_ops, sizeof(struct prestera_switch), + dev->dev); ++ if (!dl) ++ return NULL; + + return devlink_priv(dl); + } +-- +2.51.0 + diff --git a/queue-6.6/net-mlx5e-don-t-print-error-message-due-to-invalid-m.patch b/queue-6.6/net-mlx5e-don-t-print-error-message-due-to-invalid-m.patch new file mode 100644 index 0000000000..e74cffeb62 --- /dev/null +++ b/queue-6.6/net-mlx5e-don-t-print-error-message-due-to-invalid-m.patch 
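Review bot: prestera_devlink_alloc() can now return NULL, so the fix is complete only if its caller checks the result before dereferencing the returned struct prestera_switch, and the caller is not part of this hunk. If it does not check, the NULL dereference has merely moved one frame up. A comment on the function, for example `/* Returns the switch private data, or NULL if devlink_alloc() fails. */`, would make the new contract explicit. The function starts outside the hunk.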
@@ -0,0 +1,50 @@
+From 1e98ae0ed8948198baffca17d9b5eaf2a1321128 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 25 Dec 2025 15:27:16 +0200
+Subject: net/mlx5e: Don't print error message due to invalid module
+
+From: Gal Pressman
+
+[ Upstream commit 144297e2a24e3e54aee1180ec21120ea38822b97 ]
+
+Dumping module EEPROM on newer modules is supported through the netlink
+interface only.
+
+Querying with old userspace ethtool (or other tools, such as 'lshw')
+which still uses the ioctl interface results in an error message that
+could flood dmesg (in addition to the expected error return value).
+The original message was added under the assumption that the driver
+should be able to handle all module types, but now that such flows are
+easily triggered from userspace, it doesn't serve its purpose.
+
+Change the log level of the print in mlx5_query_module_eeprom() to
+debug.
+
+Fixes: bb64143eee8c ("net/mlx5e: Add ethtool support for dump module EEPROM")
+Signed-off-by: Gal Pressman
+Reviewed-by: Tariq Toukan
+Signed-off-by: Mark Bloch
+Link: https://patch.msgid.link/20251225132717.358820-5-mbloch@nvidia.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/mellanox/mlx5/core/port.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/port.c b/drivers/net/ethernet/mellanox/mlx5/core/port.c
+index 749f0fc2c189a..a5622b44385eb 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/port.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/port.c
+@@ -432,7 +432,8 @@ int mlx5_query_module_eeprom(struct mlx5_core_dev *dev,
+ mlx5_qsfp_eeprom_params_set(&query.i2c_address, &query.page, &offset);
+ break;
+ default:
+- mlx5_core_err(dev, "Module ID not recognized: 0x%x\n", module_id);
++ mlx5_core_dbg(dev, "Module ID not recognized: 0x%x\n",
++ module_id);
+ return -EINVAL;
+ }
+
+--
+2.51.0
+
diff --git a/queue-6.6/net-mscc-ocelot-fix-crash-when-adding-interface-unde.patch b/queue-6.6/net-mscc-ocelot-fix-crash-when-adding-interface-unde.patch
new file mode 100644
index 0000000000..7cba0004db
--- /dev/null
+++ b/queue-6.6/net-mscc-ocelot-fix-crash-when-adding-interface-unde.patch
@@ -0,0 +1,56 @@
+From b192432f6e8e0d8cf11bec6ad2fea522e385d2b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 25 Dec 2025 20:36:17 +0000
+Subject: net: mscc: ocelot: Fix crash when adding interface under a lag
+
+From: Jerry Wu
+
+[ Upstream commit 34f3ff52cb9fa7dbf04f5c734fcc4cb6ed5d1a95 ]
+
+Commit 15faa1f67ab4 ("lan966x: Fix crash when adding interface under a lag")
+fixed a similar issue in the lan966x driver caused by a NULL pointer dereference.
+The ocelot_set_aggr_pgids() function in the ocelot driver has similar logic
+and is susceptible to the same crash.
+
+This issue specifically affects the ocelot_vsc7514.c frontend, which leaves
+unused ports as NULL pointers. The felix_vsc9959.c frontend is unaffected as
+it uses the DSA framework which registers all ports.
+
+Fix this by checking if the port pointer is valid before accessing it.
+
+Fixes: 528d3f190c98 ("net: mscc: ocelot: drop the use of the "lags" array")
+Signed-off-by: Jerry Wu
+Reviewed-by: Vladimir Oltean
+Link: https://patch.msgid.link/tencent_75EF812B305E26B0869C673DD1160866C90A@qq.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/mscc/ocelot.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mscc/ocelot.c b/drivers/net/ethernet/mscc/ocelot.c
+index 252d8e6f18c3c..a77d42d611dab 100644
+--- a/drivers/net/ethernet/mscc/ocelot.c
++++ b/drivers/net/ethernet/mscc/ocelot.c
+@@ -2307,14 +2307,16 @@ static void ocelot_set_aggr_pgids(struct ocelot *ocelot)
+
+ /* Now, set PGIDs for each active LAG */
+ for (lag = 0; lag < ocelot->num_phys_ports; lag++) {
+- struct net_device *bond = ocelot->ports[lag]->bond;
++ struct ocelot_port *ocelot_port = ocelot->ports[lag];
+ int num_active_ports = 0;
++ struct net_device *bond;
+ unsigned long bond_mask;
+ u8 aggr_idx[16];
+
+- if (!bond || (visited & BIT(lag)))
++ if (!ocelot_port || !ocelot_port->bond || (visited & BIT(lag)))
+ continue;
+
++ bond = ocelot_port->bond;
+ bond_mask = ocelot_get_bond_mask(ocelot, bond);
+
+ for_each_set_bit(port, &bond_mask, ocelot->num_phys_ports) {
+--
+2.51.0
+
diff --git a/queue-6.6/net-sched-sch_qfq-fix-null-deref-when-deactivating-i.patch b/queue-6.6/net-sched-sch_qfq-fix-null-deref-when-deactivating-i.patch
new file mode 100644
index 0000000000..b6389a21d0
--- /dev/null
+++ b/queue-6.6/net-sched-sch_qfq-fix-null-deref-when-deactivating-i.patch
@@ -0,0 +1,162 @@ +From 66fb4a416b86b3394924757d4cb9b142f39fe1f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jan 2026 20:41:00 -0700 +Subject: net/sched: sch_qfq: Fix NULL deref when deactivating inactive + aggregate in qfq_reset + +From: Xiang Mei + +[ Upstream commit c1d73b1480235731e35c81df70b08f4714a7d095 ] + +`qfq_class->leaf_qdisc->q.qlen > 0` does not imply that the class +itself is active. + +Two qfq_class objects may point to the same leaf_qdisc. This happens +when: + +1. one QFQ qdisc is attached to the dev as the root qdisc, and + +2. another QFQ qdisc is temporarily referenced (e.g., via qdisc_get() +/ qdisc_put()) and is pending to be destroyed, as in function +tc_new_tfilter. + +When packets are enqueued through the root QFQ qdisc, the shared +leaf_qdisc->q.qlen increases. At the same time, the second QFQ +qdisc triggers qdisc_put and qdisc_destroy: the qdisc enters +qfq_reset() with its own q->q.qlen == 0, but its class's leaf +qdisc->q.qlen > 0. Therefore, the qfq_reset would wrongly deactivate +an inactive aggregate and trigger a null-deref in qfq_deactivate_agg: + +[ 0.903172] BUG: kernel NULL pointer dereference, address: 0000000000000000 +[ 0.903571] #PF: supervisor write access in kernel mode +[ 0.903860] #PF: error_code(0x0002) - not-present page +[ 0.904177] PGD 10299b067 P4D 10299b067 PUD 10299c067 PMD 0 +[ 0.904502] Oops: Oops: 0002 [#1] SMP NOPTI +[ 0.904737] CPU: 0 UID: 0 PID: 135 Comm: exploit Not tainted 6.19.0-rc3+ #2 NONE +[ 0.905157] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014 +[ 0.905754] RIP: 0010:qfq_deactivate_agg (include/linux/list.h:992 (discriminator 2) include/linux/list.h:1006 (discriminator 2) net/sched/sch_qfq.c:1367 (discriminator 2) net/sched/sch_qfq.c:1393 (discriminator 2)) +[ 0.906046] Code: 0f 84 4d 01 00 00 48 89 70 18 8b 4b 10 48 c7 c2 ff ff ff ff 48 8b 78 08 48 d3 e2 48 21 f2 48 2b 13 48 8b 30 48 d3 ea 8b 4b 18 0 + +Code 
starting with the faulting instruction +=========================================== + 0: 0f 84 4d 01 00 00 je 0x153 + 6: 48 89 70 18 mov %rsi,0x18(%rax) + a: 8b 4b 10 mov 0x10(%rbx),%ecx + d: 48 c7 c2 ff ff ff ff mov $0xffffffffffffffff,%rdx + 14: 48 8b 78 08 mov 0x8(%rax),%rdi + 18: 48 d3 e2 shl %cl,%rdx + 1b: 48 21 f2 and %rsi,%rdx + 1e: 48 2b 13 sub (%rbx),%rdx + 21: 48 8b 30 mov (%rax),%rsi + 24: 48 d3 ea shr %cl,%rdx + 27: 8b 4b 18 mov 0x18(%rbx),%ecx + ... +[ 0.907095] RSP: 0018:ffffc900004a39a0 EFLAGS: 00010246 +[ 0.907368] RAX: ffff8881043a0880 RBX: ffff888102953340 RCX: 0000000000000000 +[ 0.907723] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 +[ 0.908100] RBP: ffff888102952180 R08: 0000000000000000 R09: 0000000000000000 +[ 0.908451] R10: ffff8881043a0000 R11: 0000000000000000 R12: ffff888102952000 +[ 0.908804] R13: ffff888102952180 R14: ffff8881043a0ad8 R15: ffff8881043a0880 +[ 0.909179] FS: 000000002a1a0380(0000) GS:ffff888196d8d000(0000) knlGS:0000000000000000 +[ 0.909572] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 0.909857] CR2: 0000000000000000 CR3: 0000000102993002 CR4: 0000000000772ef0 +[ 0.910247] PKRU: 55555554 +[ 0.910391] Call Trace: +[ 0.910527] +[ 0.910638] qfq_reset_qdisc (net/sched/sch_qfq.c:357 net/sched/sch_qfq.c:1485) +[ 0.910826] qdisc_reset (include/linux/skbuff.h:2195 include/linux/skbuff.h:2501 include/linux/skbuff.h:3424 include/linux/skbuff.h:3430 net/sched/sch_generic.c:1036) +[ 0.911040] __qdisc_destroy (net/sched/sch_generic.c:1076) +[ 0.911236] tc_new_tfilter (net/sched/cls_api.c:2447) +[ 0.911447] rtnetlink_rcv_msg (net/core/rtnetlink.c:6958) +[ 0.911663] ? __pfx_rtnetlink_rcv_msg (net/core/rtnetlink.c:6861) +[ 0.911894] netlink_rcv_skb (net/netlink/af_netlink.c:2550) +[ 0.912100] netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344) +[ 0.912296] ? 
__alloc_skb (net/core/skbuff.c:706) +[ 0.912484] netlink_sendmsg (net/netlink/af_netlink.c:1894) +[ 0.912682] sock_write_iter (net/socket.c:727 (discriminator 1) net/socket.c:742 (discriminator 1) net/socket.c:1195 (discriminator 1)) +[ 0.912880] vfs_write (fs/read_write.c:593 fs/read_write.c:686) +[ 0.913077] ksys_write (fs/read_write.c:738) +[ 0.913252] do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) +[ 0.913438] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131) +[ 0.913687] RIP: 0033:0x424c34 +[ 0.913844] Code: 89 02 48 c7 c0 ff ff ff ff eb bd 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 80 3d 2d 44 09 00 00 74 13 b8 01 00 00 00 0f 05 9 + +Code starting with the faulting instruction +=========================================== + 0: 89 02 mov %eax,(%rdx) + 2: 48 c7 c0 ff ff ff ff mov $0xffffffffffffffff,%rax + 9: eb bd jmp 0xffffffffffffffc8 + b: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1) + 12: 00 00 00 + 15: 90 nop + 16: f3 0f 1e fa endbr64 + 1a: 80 3d 2d 44 09 00 00 cmpb $0x0,0x9442d(%rip) # 0x9444e + 21: 74 13 je 0x36 + 23: b8 01 00 00 00 mov $0x1,%eax + 28: 0f 05 syscall + 2a: 09 .byte 0x9 +[ 0.914807] RSP: 002b:00007ffea1938b78 EFLAGS: 00000202 ORIG_RAX: 0000000000000001 +[ 0.915197] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000424c34 +[ 0.915556] RDX: 000000000000003c RSI: 000000002af378c0 RDI: 0000000000000003 +[ 0.915912] RBP: 00007ffea1938bc0 R08: 00000000004b8820 R09: 0000000000000000 +[ 0.916297] R10: 0000000000000001 R11: 0000000000000202 R12: 00007ffea1938d28 +[ 0.916652] R13: 00007ffea1938d38 R14: 00000000004b3828 R15: 0000000000000001 +[ 0.917039] +[ 0.917158] Modules linked in: +[ 0.917316] CR2: 0000000000000000 +[ 0.917484] ---[ end trace 0000000000000000 ]--- +[ 0.917717] RIP: 0010:qfq_deactivate_agg (include/linux/list.h:992 (discriminator 2) include/linux/list.h:1006 (discriminator 2) net/sched/sch_qfq.c:1367 (discriminator 2) 
net/sched/sch_qfq.c:1393 (discriminator 2)) +[ 0.917978] Code: 0f 84 4d 01 00 00 48 89 70 18 8b 4b 10 48 c7 c2 ff ff ff ff 48 8b 78 08 48 d3 e2 48 21 f2 48 2b 13 48 8b 30 48 d3 ea 8b 4b 18 0 + +Code starting with the faulting instruction +=========================================== + 0: 0f 84 4d 01 00 00 je 0x153 + 6: 48 89 70 18 mov %rsi,0x18(%rax) + a: 8b 4b 10 mov 0x10(%rbx),%ecx + d: 48 c7 c2 ff ff ff ff mov $0xffffffffffffffff,%rdx + 14: 48 8b 78 08 mov 0x8(%rax),%rdi + 18: 48 d3 e2 shl %cl,%rdx + 1b: 48 21 f2 and %rsi,%rdx + 1e: 48 2b 13 sub (%rbx),%rdx + 21: 48 8b 30 mov (%rax),%rsi + 24: 48 d3 ea shr %cl,%rdx + 27: 8b 4b 18 mov 0x18(%rbx),%ecx + ... +[ 0.918902] RSP: 0018:ffffc900004a39a0 EFLAGS: 00010246 +[ 0.919198] RAX: ffff8881043a0880 RBX: ffff888102953340 RCX: 0000000000000000 +[ 0.919559] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 +[ 0.919908] RBP: ffff888102952180 R08: 0000000000000000 R09: 0000000000000000 +[ 0.920289] R10: ffff8881043a0000 R11: 0000000000000000 R12: ffff888102952000 +[ 0.920648] R13: ffff888102952180 R14: ffff8881043a0ad8 R15: ffff8881043a0880 +[ 0.921014] FS: 000000002a1a0380(0000) GS:ffff888196d8d000(0000) knlGS:0000000000000000 +[ 0.921424] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 0.921710] CR2: 0000000000000000 CR3: 0000000102993002 CR4: 0000000000772ef0 +[ 0.922097] PKRU: 55555554 +[ 0.922240] Kernel panic - not syncing: Fatal exception +[ 0.922590] Kernel Offset: disabled + +Fixes: 0545a3037773 ("pkt_sched: QFQ - quick fair queue scheduler") +Signed-off-by: Xiang Mei +Link: https://patch.msgid.link/20260106034100.1780779-1-xmei5@asu.edu +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_qfq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c +index 69fdbbbb3b634..29847c28ffaca 100644 +--- a/net/sched/sch_qfq.c ++++ b/net/sched/sch_qfq.c +@@ -1484,7 +1484,7 @@ static void qfq_reset_qdisc(struct Qdisc 
*sch) + + for (i = 0; i < q->clhash.hashsize; i++) { + hlist_for_each_entry(cl, &q->clhash.hash[i], common.hnode) { +- if (cl->qdisc->q.qlen > 0) ++ if (cl_is_active(cl)) + qfq_deactivate_class(q, cl); + + qdisc_reset(cl->qdisc); +-- +2.51.0 + diff --git a/queue-6.6/net-sock-fix-hardened-usercopy-panic-in-sock_recv_er.patch b/queue-6.6/net-sock-fix-hardened-usercopy-panic-in-sock_recv_er.patch new file mode 100644 index 0000000000..6e708964a2 --- /dev/null +++ b/queue-6.6/net-sock-fix-hardened-usercopy-panic-in-sock_recv_er.patch 
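Review bot: The replacement condition `if (cl_is_active(cl))` in qfq_reset_qdisc() calls a helper that this patch neither adds nor shows, so the backport depends on the 6.6 tree already defining cl_is_active() in net/sched/sch_qfq.c. The inner diffstat is one insertion and one deletion, which confirms the helper is not carried here. If it arrived upstream through a separate commit, that commit has to be present in or queued ahead of this one in queue-6.6, otherwise the build breaks; this is worth confirming against the series file. qfq_reset_qdisc() starts before and continues after the hunk.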
@@ -0,0 +1,114 @@ +From c064996cff94744effda3c3720be10e308673751 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Dec 2025 04:35:35 +0800 +Subject: net: sock: fix hardened usercopy panic in sock_recv_errqueue + +From: Weiming Shi + +[ Upstream commit 2a71a1a8d0ed718b1c7a9ac61f07e5755c47ae20 ] + +skbuff_fclone_cache was created without defining a usercopy region, +[1] unlike skbuff_head_cache which properly whitelists the cb[] field. +[2] This causes a usercopy BUG() when CONFIG_HARDENED_USERCOPY is +enabled and the kernel attempts to copy sk_buff.cb data to userspace +via sock_recv_errqueue() -> put_cmsg(). + +The crash occurs when: 1. TCP allocates an skb using alloc_skb_fclone() + (from skbuff_fclone_cache) [1] +2. The skb is cloned via skb_clone() using the pre-allocated fclone +[3] 3. The cloned skb is queued to sk_error_queue for timestamp +reporting 4. Userspace reads the error queue via recvmsg(MSG_ERRQUEUE) +5. sock_recv_errqueue() calls put_cmsg() to copy serr->ee from skb->cb +[4] 6. __check_heap_object() fails because skbuff_fclone_cache has no + usercopy whitelist [5] + +When cloned skbs allocated from skbuff_fclone_cache are used in the +socket error queue, accessing the sock_exterr_skb structure in skb->cb +via put_cmsg() triggers a usercopy hardening violation: + +[ 5.379589] usercopy: Kernel memory exposure attempt detected from SLUB object 'skbuff_fclone_cache' (offset 296, size 16)! +[ 5.382796] kernel BUG at mm/usercopy.c:102! 
+[ 5.383923] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI +[ 5.384903] CPU: 1 UID: 0 PID: 138 Comm: poc_put_cmsg Not tainted 6.12.57 #7 +[ 5.384903] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 +[ 5.384903] RIP: 0010:usercopy_abort+0x6c/0x80 +[ 5.384903] Code: 1a 86 51 48 c7 c2 40 15 1a 86 41 52 48 c7 c7 c0 15 1a 86 48 0f 45 d6 48 c7 c6 80 15 1a 86 48 89 c1 49 0f 45 f3 e8 84 27 88 ff <0f> 0b 490 +[ 5.384903] RSP: 0018:ffffc900006f77a8 EFLAGS: 00010246 +[ 5.384903] RAX: 000000000000006f RBX: ffff88800f0ad2a8 RCX: 1ffffffff0f72e74 +[ 5.384903] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff87b973a0 +[ 5.384903] RBP: 0000000000000010 R08: 0000000000000000 R09: fffffbfff0f72e74 +[ 5.384903] R10: 0000000000000003 R11: 79706f6372657375 R12: 0000000000000001 +[ 5.384903] R13: ffff88800f0ad2b8 R14: ffffea00003c2b40 R15: ffffea00003c2b00 +[ 5.384903] FS: 0000000011bc4380(0000) GS:ffff8880bf100000(0000) knlGS:0000000000000000 +[ 5.384903] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 5.384903] CR2: 000056aa3b8e5fe4 CR3: 000000000ea26004 CR4: 0000000000770ef0 +[ 5.384903] PKRU: 55555554 +[ 5.384903] Call Trace: +[ 5.384903] +[ 5.384903] __check_heap_object+0x9a/0xd0 +[ 5.384903] __check_object_size+0x46c/0x690 +[ 5.384903] put_cmsg+0x129/0x5e0 +[ 5.384903] sock_recv_errqueue+0x22f/0x380 +[ 5.384903] tls_sw_recvmsg+0x7ed/0x1960 +[ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5 +[ 5.384903] ? schedule+0x6d/0x270 +[ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5 +[ 5.384903] ? mutex_unlock+0x81/0xd0 +[ 5.384903] ? __pfx_mutex_unlock+0x10/0x10 +[ 5.384903] ? __pfx_tls_sw_recvmsg+0x10/0x10 +[ 5.384903] ? _raw_spin_lock_irqsave+0x8f/0xf0 +[ 5.384903] ? _raw_read_unlock_irqrestore+0x20/0x40 +[ 5.384903] ? 
srso_alias_return_thunk+0x5/0xfbef5 + +The crash offset 296 corresponds to skb2->cb within skbuff_fclones: + - sizeof(struct sk_buff) = 232 - offsetof(struct sk_buff, cb) = 40 - + offset of skb2.cb in fclones = 232 + 40 = 272 - crash offset 296 = + 272 + 24 (inside sock_exterr_skb.ee) + +This patch uses a local stack variable as a bounce buffer to avoid the hardened usercopy check failure. + +[1] https://elixir.bootlin.com/linux/v6.12.62/source/net/ipv4/tcp.c#L885 +[2] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5104 +[3] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5566 +[4] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5491 +[5] https://elixir.bootlin.com/linux/v6.12.62/source/mm/slub.c#L5719 + +Fixes: 6d07d1cd300f ("usercopy: Restrict non-usercopy caches to size 0") +Reported-by: Xiang Mei +Signed-off-by: Weiming Shi +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20251223203534.1392218-2-bestswngs@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/sock.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/core/sock.c b/net/core/sock.c +index 91f101231309d..8e4c87a39dc87 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -3653,7 +3653,7 @@ void sock_enable_timestamp(struct sock *sk, enum sock_flags flag) + int sock_recv_errqueue(struct sock *sk, struct msghdr *msg, int len, + int level, int type) + { +- struct sock_exterr_skb *serr; ++ struct sock_extended_err ee; + struct sk_buff *skb; + int copied, err; + +@@ -3673,8 +3673,9 @@ int sock_recv_errqueue(struct sock *sk, struct msghdr *msg, int len, + + sock_recv_timestamp(msg, sk, skb); + +- serr = SKB_EXT_ERR(skb); +- put_cmsg(msg, level, type, sizeof(serr->ee), &serr->ee); ++ /* We must use a bounce buffer for CONFIG_HARDENED_USERCOPY=y */ ++ ee = SKB_EXT_ERR(skb)->ee; ++ put_cmsg(msg, level, type, sizeof(ee), &ee); + + msg->msg_flags |= MSG_ERRQUEUE; + err = 
copied; +-- +2.51.0 + diff --git a/queue-6.6/net-usb-pegasus-fix-memory-leak-in-update_eth_regs_a.patch b/queue-6.6/net-usb-pegasus-fix-memory-leak-in-update_eth_regs_a.patch new file mode 100644 index 0000000000..1f5ede0ca8 --- /dev/null +++ b/queue-6.6/net-usb-pegasus-fix-memory-leak-in-update_eth_regs_a.patch @@ -0,0 +1,37 @@ +From 6f3f461d3a583c66e6efbf1020fea95553220b79 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Jan 2026 10:48:21 +0200 +Subject: net: usb: pegasus: fix memory leak in update_eth_regs_async() + +From: Petko Manolov + +[ Upstream commit afa27621a28af317523e0836dad430bec551eb54 ] + +When asynchronously writing to the device registers and if usb_submit_urb() +fail, the code fail to release allocated to this point resources. + +Fixes: 323b34963d11 ("drivers: net: usb: pegasus: fix control urb submission") +Signed-off-by: Petko Manolov +Link: https://patch.msgid.link/20260106084821.3746677-1-petko.manolov@konsulko.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/pegasus.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/usb/pegasus.c b/drivers/net/usb/pegasus.c +index 81ca64debc5b9..c514483134f05 100644 +--- a/drivers/net/usb/pegasus.c ++++ b/drivers/net/usb/pegasus.c +@@ -168,6 +168,8 @@ static int update_eth_regs_async(pegasus_t *pegasus) + netif_device_detach(pegasus->net); + netif_err(pegasus, drv, pegasus->net, + "%s returned %d\n", __func__, ret); ++ usb_free_urb(async_urb); ++ kfree(req); + } + return ret; + } +-- +2.51.0 + diff --git a/queue-6.6/net-wwan-iosm-fix-memory-leak-in-ipc_mux_deinit.patch b/queue-6.6/net-wwan-iosm-fix-memory-leak-in-ipc_mux_deinit.patch new file mode 100644 index 0000000000..b0e59e2c1c --- /dev/null +++ b/queue-6.6/net-wwan-iosm-fix-memory-leak-in-ipc_mux_deinit.patch 
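Review bot: The comment added in sock_recv_errqueue(), `/* We must use a bounce buffer for CONFIG_HARDENED_USERCOPY=y */`, states the rule but not the reason, and the reason is what keeps a later cleanup from removing the copy. I would word it along the lines of `/* skb may be an fclone; that cache has no usercopy region, so copy ee to the stack before put_cmsg() */`, which matches the explanation in the commit message. Separately, `ee` is now a stack object copied out to userspace in full via `sizeof(ee)`; that is only free of stale stack bytes while struct sock_extended_err has no implicit padding, which is presumably the case but is not visible in this hunk. The function body extends beyond both inner hunks.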
@@ -0,0 +1,54 @@ +From 66c27b8f707da4b0a9f39506f03e28d63ecc1830 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Dec 2025 07:18:53 +0000 +Subject: net: wwan: iosm: Fix memory leak in ipc_mux_deinit() + +From: Zilin Guan + +[ Upstream commit 92e6e0a87f6860a4710f9494f8c704d498ae60f8 ] + +Commit 1f52d7b62285 ("net: wwan: iosm: Enable M.2 7360 WWAN card support") +allocated memory for pp_qlt in ipc_mux_init() but did not free it in +ipc_mux_deinit(). This results in a memory leak when the driver is +unloaded. + +Free the allocated memory in ipc_mux_deinit() to fix the leak. + +Fixes: 1f52d7b62285 ("net: wwan: iosm: Enable M.2 7360 WWAN card support") +Co-developed-by: Jianhao Xu +Signed-off-by: Jianhao Xu +Signed-off-by: Zilin Guan +Reviewed-by: Loic Poulain +Link: https://patch.msgid.link/20251230071853.1062223-1-zilin@seu.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/wwan/iosm/iosm_ipc_mux.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/wwan/iosm/iosm_ipc_mux.c b/drivers/net/wwan/iosm/iosm_ipc_mux.c +index fc928b298a984..b846889fcb099 100644 +--- a/drivers/net/wwan/iosm/iosm_ipc_mux.c ++++ b/drivers/net/wwan/iosm/iosm_ipc_mux.c +@@ -456,6 +456,7 @@ void ipc_mux_deinit(struct iosm_mux *ipc_mux) + struct sk_buff_head *free_list; + union mux_msg mux_msg; + struct sk_buff *skb; ++ int i; + + if (!ipc_mux->initialized) + return; +@@ -479,5 +480,10 @@ void ipc_mux_deinit(struct iosm_mux *ipc_mux) + ipc_mux->channel->dl_pipe.is_open = false; + } + ++ if (ipc_mux->protocol != MUX_LITE) { ++ for (i = 0; i < IPC_MEM_MUX_IP_SESSION_ENTRIES; i++) ++ kfree(ipc_mux->ul_adb.pp_qlt[i]); ++ } ++ + kfree(ipc_mux); + } +-- +2.51.0 + diff --git a/queue-6.6/netdev-preserve-netif_f_all_for_all-across-tso-updat.patch b/queue-6.6/netdev-preserve-netif_f_all_for_all-across-tso-updat.patch new file mode 100644 index 0000000000..b6214876e1 --- /dev/null 
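Review bot: The pp_qlt cleanup added to ipc_mux_deinit() sits after the existing `if (!ipc_mux->initialized) return;` shown in the first inner hunk, so that early-return path frees neither the pp_qlt entries nor ipc_mux itself. Whether deinit can be reached with `initialized` false after ipc_mux_init() has already allocated pp_qlt is not visible here; if it can, the leak this patch targets remains on that path. A one-line comment on the new block, e.g. `/* pp_qlt[] is only allocated when protocol != MUX_LITE, see ipc_mux_init() */`, would also tie the condition to the allocation site, assuming the init side uses the same test. ipc_mux_deinit() is only partly shown across the two inner hunks.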
+++ b/queue-6.6/netdev-preserve-netif_f_all_for_all-across-tso-updat.patch @@ -0,0 +1,43 @@ +From 571e48dbe04883fe274cc9d2e52ba93030ecc101 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Dec 2025 09:22:24 +0800 +Subject: netdev: preserve NETIF_F_ALL_FOR_ALL across TSO updates + +From: Di Zhu + +[ Upstream commit 02d1e1a3f9239cdb3ecf2c6d365fb959d1bf39df ] + +Directly increment the TSO features incurs a side effect: it will also +directly clear the flags in NETIF_F_ALL_FOR_ALL on the master device, +which can cause issues such as the inability to enable the nocache copy +feature on the bonding driver. + +The fix is to include NETIF_F_ALL_FOR_ALL in the update mask, thereby +preventing it from being cleared. + +Fixes: b0ce3508b25e ("bonding: allow TSO being set on bonding master") +Signed-off-by: Di Zhu +Link: https://patch.msgid.link/20251224012224.56185-1-zhud@hygon.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/linux/netdevice.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h +index 030d9de2ba2d2..202e557496fb4 100644 +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -4998,7 +4998,8 @@ netdev_features_t netdev_increment_features(netdev_features_t all, + static inline netdev_features_t netdev_add_tso_features(netdev_features_t features, + netdev_features_t mask) + { +- return netdev_increment_features(features, NETIF_F_ALL_TSO, mask); ++ return netdev_increment_features(features, NETIF_F_ALL_TSO | ++ NETIF_F_ALL_FOR_ALL, mask); + } + + int __netdev_update_features(struct net_device *dev); +-- +2.51.0 + diff --git a/queue-6.6/netfilter-nf_conncount-update-last_gc-only-when-gc-h.patch b/queue-6.6/netfilter-nf_conncount-update-last_gc-only-when-gc-h.patch new file mode 100644 index 0000000000..31eeecd78d --- /dev/null +++ b/queue-6.6/netfilter-nf_conncount-update-last_gc-only-when-gc-h.patch 
@@ -0,0 +1,48 @@ +From e53fc9aa531dc11a64bd4cbd0e01012a2a73afa1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Dec 2025 15:46:40 +0100 +Subject: netfilter: nf_conncount: update last_gc only when GC has been + performed + +From: Fernando Fernandez Mancera + +[ Upstream commit 7811ba452402d58628e68faedf38745b3d485e3c ] + +Currently last_gc is being updated everytime a new connection is +tracked, that means that it is updated even if a GC wasn't performed. +With a sufficiently high packet rate, it is possible to always bypass +the GC, causing the list to grow infinitely. + +Update the last_gc value only when a GC has been actually performed. + +Fixes: d265929930e2 ("netfilter: nf_conncount: reduce unnecessary GC") +Signed-off-by: Fernando Fernandez Mancera +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conncount.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c +index c00b8e522c5a7..a2c5a7ba0c6fc 100644 +--- a/net/netfilter/nf_conncount.c ++++ b/net/netfilter/nf_conncount.c +@@ -229,6 +229,7 @@ static int __nf_conncount_add(struct net *net, + + nf_ct_put(found_ct); + } ++ list->last_gc = (u32)jiffies; + + add_new_node: + if (WARN_ON_ONCE(list->count > INT_MAX)) { +@@ -248,7 +249,6 @@ static int __nf_conncount_add(struct net *net, + conn->jiffies32 = (u32)jiffies; + list_add_tail(&conn->node, &list->head); + list->count++; +- list->last_gc = (u32)jiffies; + + out_put: + if (refcounted) +-- +2.51.0 + diff --git a/queue-6.6/netfilter-nf_tables-fix-memory-leak-in-nf_tables_new.patch b/queue-6.6/netfilter-nf_tables-fix-memory-leak-in-nf_tables_new.patch new file mode 100644 index 0000000000..676376af7d --- /dev/null +++ b/queue-6.6/netfilter-nf_tables-fix-memory-leak-in-nf_tables_new.patch 
@@ -0,0 +1,49 @@ +From 86a21302997bdbc20b389dc38b28a3cb2b065a64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Dec 2025 12:48:26 +0000 +Subject: netfilter: nf_tables: fix memory leak in nf_tables_newrule() + +From: Zilin Guan + +[ Upstream commit d077e8119ddbb4fca67540f1a52453631a47f221 ] + +In nf_tables_newrule(), if nft_use_inc() fails, the function jumps to +the err_release_rule label without freeing the allocated flow, leading +to a memory leak. + +Fix this by adding a new label err_destroy_flow and jumping to it when +nft_use_inc() fails. This ensures that the flow is properly released +in this error case. + +Fixes: 1689f25924ada ("netfilter: nf_tables: report use refcount overflow") +Signed-off-by: Zilin Guan +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 394ee65e1d35f..43ebe3b4f886a 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -4098,7 +4098,7 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info, + + if (!nft_use_inc(&chain->use)) { + err = -EMFILE; +- goto err_release_rule; ++ goto err_destroy_flow; + } + + if (info->nlh->nlmsg_flags & NLM_F_REPLACE) { +@@ -4148,6 +4148,7 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info, + + err_destroy_flow_rule: + nft_use_dec_restore(&chain->use); ++err_destroy_flow: + if (flow) + nft_flow_rule_destroy(flow); + err_release_rule: +-- +2.51.0 + diff --git a/queue-6.6/netfilter-nft_synproxy-avoid-possible-data-race-on-u.patch b/queue-6.6/netfilter-nft_synproxy-avoid-possible-data-race-on-u.patch new file mode 100644 index 0000000000..2d7f5a945e --- /dev/null +++ b/queue-6.6/netfilter-nft_synproxy-avoid-possible-data-race-on-u.patch 
@@ -0,0 +1,55 @@ +From 2f674a52838d1879558be793ce7aeb3f9da64483 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Dec 2025 21:21:59 +0100 +Subject: netfilter: nft_synproxy: avoid possible data-race on update operation + +From: Fernando Fernandez Mancera + +[ Upstream commit 36a3200575642846a96436d503d46544533bb943 ] + +During nft_synproxy eval we are reading nf_synproxy_info struct which +can be modified on update operation concurrently. As nf_synproxy_info +struct fits in 32 bits, use READ_ONCE/WRITE_ONCE annotations. + +Fixes: ee394f96ad75 ("netfilter: nft_synproxy: add synproxy stateful object support") +Signed-off-by: Fernando Fernandez Mancera +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_synproxy.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/netfilter/nft_synproxy.c b/net/netfilter/nft_synproxy.c +index 5d3e518259859..4d3e5a31b4125 100644 +--- a/net/netfilter/nft_synproxy.c ++++ b/net/netfilter/nft_synproxy.c +@@ -48,7 +48,7 @@ static void nft_synproxy_eval_v4(const struct nft_synproxy *priv, + struct tcphdr *_tcph, + struct synproxy_options *opts) + { +- struct nf_synproxy_info info = priv->info; ++ struct nf_synproxy_info info = READ_ONCE(priv->info); + struct net *net = nft_net(pkt); + struct synproxy_net *snet = synproxy_pernet(net); + struct sk_buff *skb = pkt->skb; +@@ -79,7 +79,7 @@ static void nft_synproxy_eval_v6(const struct nft_synproxy *priv, + struct tcphdr *_tcph, + struct synproxy_options *opts) + { +- struct nf_synproxy_info info = priv->info; ++ struct nf_synproxy_info info = READ_ONCE(priv->info); + struct net *net = nft_net(pkt); + struct synproxy_net *snet = synproxy_pernet(net); + struct sk_buff *skb = pkt->skb; +@@ -340,7 +340,7 @@ static void nft_synproxy_obj_update(struct nft_object *obj, + struct nft_synproxy *newpriv = nft_obj_data(newobj); + struct nft_synproxy *priv = nft_obj_data(obj); + +- priv->info = newpriv->info; ++ WRITE_ONCE(priv->info, 
newpriv->info); + } + + static struct nft_object_type nft_synproxy_obj_type; +-- +2.51.0 + diff --git a/queue-6.6/series b/queue-6.6/series index 137d9477dd..8fd302c823 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -38,3 +38,28 @@ smb-client-fix-nt_status_no_data_detected-value.patch scsi-ipr-enable-disable-irqd_no_balancing-during-res.patch scsi-ufs-core-fix-eh-failure-after-w-lun-resume-erro.patch scsi-revert-scsi-libsas-fix-exp-attached-device-scan.patch +arm64-dts-add-off-on-delay-us-for-usdhc2-regulator.patch +arm-dts-imx6q-ba16-fix-rtc-interrupt-level.patch +arm64-dts-imx8mp-fix-lan8740ai-phy-reference-clock-o.patch +netfilter-nft_synproxy-avoid-possible-data-race-on-u.patch +gpio-pca953x-utilise-dev_err_probe-where-it-makes-se.patch +gpio-pca953x-utilise-temporary-variable-for-struct-d.patch +gpio-pca953x-add-support-for-level-triggered-interru.patch +gpio-pca953x-handle-short-interrupt-pulses-on-pcal-d.patch +netfilter-nf_tables-fix-memory-leak-in-nf_tables_new.patch +netfilter-nf_conncount-update-last_gc-only-when-gc-h.patch +net-marvell-prestera-fix-null-dereference-on-devlink.patch +bridge-fix-c-vlan-preservation-in-802.1ad-vlan_tunne.patch +net-mscc-ocelot-fix-crash-when-adding-interface-unde.patch +inet-ping-fix-icmp-out-counting.patch +net-sock-fix-hardened-usercopy-panic-in-sock_recv_er.patch +netdev-preserve-netif_f_all_for_all-across-tso-updat.patch +net-mlx5e-don-t-print-error-message-due-to-invalid-m.patch +net-wwan-iosm-fix-memory-leak-in-ipc_mux_deinit.patch +bnxt_en-fix-potential-data-corruption-with-hw-gro-lr.patch +net-fix-memory-leak-in-skb_segment_list-for-gro-pack.patch +hid-quirks-work-around-vid-pid-conflict-for-appledis.patch +net-sched-sch_qfq-fix-null-deref-when-deactivating-i.patch +net-usb-pegasus-fix-memory-leak-in-update_eth_regs_a.patch +net-enetc-fix-build-warning-when-page_size-is-greate.patch +arp-do-not-assume-dev_hard_header-does-not-change-sk.patch -- 2.47.3
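Review bot: READ_ONCE() and WRITE_ONCE() are applied to a whole `struct nf_synproxy_info` in nft_synproxy_eval_v4(), nft_synproxy_eval_v6() and nft_synproxy_obj_update(), so the fix relies on that struct staying word-sized, as the commit message says ("fits in 32 bits"). None of the three sites records that constraint; a comment at the update site such as `/* info is 32 bits wide, so this is a single store paired with READ_ONCE() in eval */` would make it visible to whoever next adds a field. The struct definition is outside these hunks, so its size cannot be checked from here. All three function bodies continue beyond their hunks.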