From a827f6a7c724685e329aa9571902747b2093bdd9 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 11 May 2026 10:21:59 +0200
Subject: [PATCH] 6.18-stable patches

added patches:
	kvm-svm-check-validity-of-vmcb-controls-when-returning-from-smm.patch
	net-stmmac-disable-eee-rx-clock-stop-when-vlan-is-enabled.patch
---
 ...mcb-controls-when-returning-from-smm.patch | 76 +++++++++++++++++++
 ...e-rx-clock-stop-when-vlan-is-enabled.patch | 65 ++++++++++++++++
 queue-6.18/series                             |  2 +
 3 files changed, 143 insertions(+)
 create mode 100644 queue-6.18/kvm-svm-check-validity-of-vmcb-controls-when-returning-from-smm.patch
 create mode 100644 queue-6.18/net-stmmac-disable-eee-rx-clock-stop-when-vlan-is-enabled.patch

diff --git a/queue-6.18/kvm-svm-check-validity-of-vmcb-controls-when-returning-from-smm.patch b/queue-6.18/kvm-svm-check-validity-of-vmcb-controls-when-returning-from-smm.patch
new file mode 100644
index 0000000000..eca39d629e
--- /dev/null
+++ b/queue-6.18/kvm-svm-check-validity-of-vmcb-controls-when-returning-from-smm.patch
@@ -0,0 +1,76 @@
+From be5fa8737d42c5ba16d2ea72c23681f8abbb07e8 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Mon, 9 Mar 2026 12:40:52 +0100
+Subject: KVM: SVM: check validity of VMCB controls when returning from SMM
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit be5fa8737d42c5ba16d2ea72c23681f8abbb07e8 upstream.
+
+The VMCB12 is stored in guest memory and can be mangled while in SMM; it
+is then reloaded by svm_leave_smm(), but it is not checked again for
+validity.
+
+Move the cached vmcb12 control and save consistency checks out of
+svm_set_nested_state() and into a helper, and reuse it in
+svm_leave_smm().
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/svm/nested.c |   12 ++++++++++--
+ arch/x86/kvm/svm/svm.c    |    4 ++++
+ arch/x86/kvm/svm/svm.h    |    1 +
+ 3 files changed, 15 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/svm/nested.c
++++ b/arch/x86/kvm/svm/nested.c
+@@ -484,6 +484,15 @@ void nested_copy_vmcb_save_to_cache(stru
+ 	__nested_copy_vmcb_save_to_cache(&svm->nested.save, save);
+ }
+ 
++int nested_svm_check_cached_vmcb12(struct kvm_vcpu *vcpu)
++{
++	if (!nested_vmcb_check_save(vcpu) ||
++	    !nested_vmcb_check_controls(vcpu))
++		return -EINVAL;
++
++	return 0;
++}
++
+ /*
+  * Synchronize fields that are written by the processor, so that
+  * they can be copied back into the vmcb12.
+@@ -990,8 +999,7 @@ int nested_svm_vmrun(struct kvm_vcpu *vc
+ 	nested_copy_vmcb_control_to_cache(svm, &vmcb12->control);
+ 	nested_copy_vmcb_save_to_cache(svm, &vmcb12->save);
+ 
+-	if (!nested_vmcb_check_save(vcpu) ||
+-	    !nested_vmcb_check_controls(vcpu)) {
++	if (nested_svm_check_cached_vmcb12(vcpu) < 0) {
+ 		vmcb12->control.exit_code    = SVM_EXIT_ERR;
+ 		vmcb12->control.exit_code_hi = -1u;
+ 		vmcb12->control.exit_info_1  = 0;
+--- a/arch/x86/kvm/svm/svm.c
++++ b/arch/x86/kvm/svm/svm.c
+@@ -4885,6 +4885,10 @@ static int svm_leave_smm(struct kvm_vcpu
+ 	vmcb12 = map.hva;
+ 	nested_copy_vmcb_control_to_cache(svm, &vmcb12->control);
+ 	nested_copy_vmcb_save_to_cache(svm, &vmcb12->save);
++
++	if (nested_svm_check_cached_vmcb12(vcpu) < 0)
++		goto unmap_save;
++
+ 	ret = enter_svm_guest_mode(vcpu, smram64->svm_guest_vmcb_gpa, vmcb12, false);
+ 
+ 	if (ret)
+--- a/arch/x86/kvm/svm/svm.h
++++ b/arch/x86/kvm/svm/svm.h
+@@ -782,6 +782,7 @@ static inline int nested_svm_simple_vmex
+ 
+ int nested_svm_exit_handled(struct vcpu_svm *svm);
+ int nested_svm_check_permissions(struct kvm_vcpu *vcpu);
++int nested_svm_check_cached_vmcb12(struct kvm_vcpu *vcpu);
+ int nested_svm_check_exception(struct vcpu_svm *svm, unsigned nr,
+ 			       bool has_error_code, u32 error_code);
+ int nested_svm_exit_special(struct vcpu_svm *svm);
diff --git a/queue-6.18/net-stmmac-disable-eee-rx-clock-stop-when-vlan-is-enabled.patch b/queue-6.18/net-stmmac-disable-eee-rx-clock-stop-when-vlan-is-enabled.patch
new file mode 100644
index 0000000000..6ca3f0b49c
--- /dev/null
+++ b/queue-6.18/net-stmmac-disable-eee-rx-clock-stop-when-vlan-is-enabled.patch
@@ -0,0 +1,65 @@
+From c171e679ee66d7c0e2b58db9531af96797a76bca Mon Sep 17 00:00:00 2001
+From: Ovidiu Panait <ovidiu.panait.rb@renesas.com>
+Date: Thu, 13 Nov 2025 11:27:21 +0000
+Subject: net: stmmac: Disable EEE RX clock stop when VLAN is enabled
+
+From: Ovidiu Panait <ovidiu.panait.rb@renesas.com>
+
+commit c171e679ee66d7c0e2b58db9531af96797a76bca upstream.
+
+On the Renesas RZ/V2H EVK platform, where the stmmac MAC is connected to a
+Microchip KSZ9131RNXI PHY, creating or deleting VLAN interfaces may fail
+with timeouts:
+
+    # ip link add link end1 name end1.5 type vlan id 5
+    15c40000.ethernet end1: Timeout accessing MAC_VLAN_Tag_Filter
+    RTNETLINK answers: Device or resource busy
+
+Disabling EEE at runtime avoids the problem:
+
+    # ethtool --set-eee end1 eee off
+    # ip link add link end1 name end1.5 type vlan id 5
+    # ip link del end1.5
+
+The stmmac hardware requires the receive clock to be running when writing
+certain registers, such as those used for MAC address configuration or
+VLAN filtering. However, by default the driver enables Energy Efficient
+Ethernet (EEE) and allows the PHY to stop the receive clock when the link
+is idle. As a result, the RX clock might be stopped when attempting to
+access these registers, leading to timeouts and other issues.
+
+Commit dd557266cf5fb ("net: stmmac: block PHY RXC clock-stop")
+addressed this issue for most register accesses by wrapping them in
+phylink_rx_clk_stop_block()/phylink_rx_clk_stop_unblock() calls.
+However, VLAN add/delete operations may be invoked with bottom halves
+disabled, where sleeping is not allowed, so using these helpers is not
+possible.
+
+Therefore, to fix this, disable the RX clock stop feature in the phylink
+configuration if VLAN features are set. This ensures the RX clock remains
+active and register accesses succeed during VLAN operations.
+
+Signed-off-by: Ovidiu Panait <ovidiu.panait.rb@renesas.com>
+Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Link: https://patch.msgid.link/20251113112721.70500-3-ovidiu.panait.rb@renesas.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -1204,7 +1204,11 @@ static int stmmac_phy_setup(struct stmma
+ 	/* Stmmac always requires an RX clock for hardware initialization */
+ 	config->mac_requires_rxc = true;
+ 
+-	if (!(priv->plat->flags & STMMAC_FLAG_RX_CLK_RUNS_IN_LPI))
++	/* Disable EEE RX clock stop to ensure VLAN register access works
++	 * correctly.
++	 */
++	if (!(priv->plat->flags & STMMAC_FLAG_RX_CLK_RUNS_IN_LPI) &&
++	    !(priv->dev->features & NETIF_F_VLAN_FEATURES))
+ 		config->eee_rx_clk_stop_enable = true;
+ 
+ 	/* Set the default transmit clock stop bit based on the platform glue */
diff --git a/queue-6.18/series b/queue-6.18/series
index f0229e7394..2a447f862d 100644
--- a/queue-6.18/series
+++ b/queue-6.18/series
@@ -19,3 +19,5 @@ flow_dissector-do-not-dissect-pppoe-pfc-frames.patch
 mptcp-sync-the-msk-sndbuf-at-accept-time.patch
 smb-client-smbdirect-fix-mr-registration-for-coalesc.patch
 net-af_key-zero-aligned-sockaddr-tail-in-pf_key-expo.patch
+kvm-svm-check-validity-of-vmcb-controls-when-returning-from-smm.patch
+net-stmmac-disable-eee-rx-clock-stop-when-vlan-is-enabled.patch
-- 
2.47.3