From d8f24b3f9f260b6de09cd90a8b595862f52cf327 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sat, 24 Jan 2026 09:19:05 -0500 Subject: [PATCH] Fixes for all trees Signed-off-by: Sasha Levin --- ...void-misleading-per-packet-error-log.patch | 49 ++ ...n-reject-too-short-aad-assoclen-8-to.patch | 53 ++ ...u-don-t-allow-0-for-fou_attr_ipproto.patch | 57 ++ ...skb-memleak-with-inner-ip-protocol-0.patch | 82 +++ ...vlan-make-the-addrs_lock-be-per-port.patch | 292 ++++++++++ ...ne-data-race-in-l2tp_tunnel_del_work.patch | 85 +++ ...et-fou-rename-the-source-for-linking.patch | 43 ++ ...cy-and-operation-tables-generated-fr.patch | 233 ++++++++ ...e-that-teql-can-only-be-used-as-root.patch | 68 +++ ...e-cl_is_active-to-determine-whether-.patch | 40 ++ ...-dm9601-remove-broken-sr9700-support.patch | 53 ++ ...nk-add-a-proto-specification-for-fou.patch | 158 ++++++ ...md_assoc_shkey-right-after-sctp_cmd_.patch | 101 ++++ ...p-sm_statefuns-fix-spelling-mistakes.patch | 172 ++++++ ...nvert-fib-onlink-tests.sh-to-run-it-.patch | 84 +++ ...b-onlink-tests-convert-to-use-namesp.patch | 185 +++++++ queue-5.10/series | 16 + ...void-misleading-per-packet-error-log.patch | 49 ++ ...bond_mode_8023ad-to-ethernet-devices.patch | 91 +++ ...n-reject-too-short-aad-assoclen-8-to.patch | 53 ++ ...u-don-t-allow-0-for-fou_attr_ipproto.patch | 57 ++ ...skb-memleak-with-inner-ip-protocol-0.patch | 82 +++ ...vlan-make-the-addrs_lock-be-per-port.patch | 292 ++++++++++ ...ne-data-race-in-l2tp_tunnel_del_work.patch | 85 +++ ...et-fou-rename-the-source-for-linking.patch | 43 ++ ...cy-and-operation-tables-generated-fr.patch | 233 ++++++++ ...e-that-teql-can-only-be-used-as-root.patch | 68 +++ ...e-cl_is_active-to-determine-whether-.patch | 40 ++ ...-dm9601-remove-broken-sr9700-support.patch | 53 ++ ...nk-add-a-proto-specification-for-fou.patch | 158 ++++++ ...md_assoc_shkey-right-after-sctp_cmd_.patch | 101 ++++ ...nvert-fib-onlink-tests.sh-to-run-it-.patch | 84 +++ ...b-onlink-tests-convert-to-use-namesp.patch | 185 +++++++ queue-5.15/series | 16 + ...void-misleading-per-packet-error-log.patch | 49 ++ ...pr_log-to-ata_dev_print_features-ear.patch | 43 ++ ...ata_dev_config_lpm-for-atapi-devices.patch | 48 ++ ...libata-cleanup-fua-support-detection.patch | 226 ++++++++ ...ta-core-introduce-ata_dev_config_lpm.patch | 79 +++ ...a-libata-introduce-ata_ncq_supported.patch | 75 +++ ...rint-features-also-for-atapi-devices.patch | 48 ++ ...bond_mode_8023ad-to-ethernet-devices.patch | 91 +++ ...b_receive_bulk_callback-unanchor-url.patch | 61 +++ ...n-reject-too-short-aad-assoclen-8-to.patch | 53 ++ ...u-don-t-allow-0-for-fou_attr_ipproto.patch | 57 ++ ...skb-memleak-with-inner-ip-protocol-0.patch | 82 +++ ...vlan-make-the-addrs_lock-be-per-port.patch | 292 ++++++++++ ...ne-data-race-in-l2tp_tunnel_del_work.patch | 85 +++ ...et-fou-rename-the-source-for-linking.patch | 43 ++ ...cy-and-operation-tables-generated-fr.patch | 233 ++++++++ ...e-that-teql-can-only-be-used-as-root.patch | 68 +++ ...e-cl_is_active-to-determine-whether-.patch | 40 ++ ...-dm9601-remove-broken-sr9700-support.patch | 53 ++ ...nk-add-a-proto-specification-for-fou.patch | 158 ++++++ ...10k-fix-rx-flowid-tcam-mask-handling.patch | 43 ++ ...md_assoc_shkey-right-after-sctp_cmd_.patch | 101 ++++ ...nvert-fib-onlink-tests.sh-to-run-it-.patch | 84 +++ ...b-onlink-tests-convert-to-use-namesp.patch | 185 +++++++ queue-6.1/series | 24 + ...void-misleading-per-packet-error-log.patch | 49 ++ ...read-the-per-port-area-for-unimpleme.patch | 72 +++ ...pr_log-to-ata_dev_print_features-ear.patch | 43 ++ ...ata_dev_config_lpm-for-atapi-devices.patch | 48 ++ ...ta-core-introduce-ata_dev_config_lpm.patch | 79 +++ ...rint-features-also-for-atapi-devices.patch | 48 ++ ...improve-link_power_management_suppor.patch | 53 ++ ...bond_mode_8023ad-to-ethernet-devices.patch | 91 +++ ...b_receive_bulk_callback-unanchor-url.patch | 61 +++ ...n-reject-too-short-aad-assoclen-8-to.patch | 53 ++ ...u-don-t-allow-0-for-fou_attr_ipproto.patch | 57 ++ ...skb-memleak-with-inner-ip-protocol-0.patch | 82 +++ ...ental-cleanup-for-bond-during-interf.patch | 77 +++ ...ix-incorrect-timeout-ice_release_res.patch | 50 ++ .../ice-initialize-ring_stats-syncp.patch | 51 ++ ...dition-in-tx-timestamp-read-for-regi.patch | 125 +++++ ...ult-qbv-schedule-when-changing-chann.patch | 88 +++ ...vlan-make-the-addrs_lock-be-per-port.patch | 292 ++++++++++ ...ne-data-race-in-l2tp_tunnel_del_work.patch | 85 +++ ...p-fix-memleak-in-l2tp_udp_encap_recv.patch | 77 +++ ...e-that-teql-can-only-be-used-as-root.patch | 68 +++ ...e-cl_is_active-to-determine-whether-.patch | 40 ++ ...-dm9601-remove-broken-sr9700-support.patch | 53 ++ ...10k-fix-rx-flowid-tcam-mask-handling.patch | 43 ++ ...md_assoc_shkey-right-after-sctp_cmd_.patch | 101 ++++ ...b-onlink-tests-convert-to-use-namesp.patch | 185 +++++++ queue-6.12/series | 30 + ...ecify-no-line-number-in-ynl-regen.sh.patch | 50 ++ ...-data-race-in-veth_get_ethtool_stats.patch | 54 ++ ...sock-virtio-coalesce-only-linear-skb.patch | 58 ++ ...don-t-perform-da-check-on-s1g-beacon.patch | 48 ++ ...void-misleading-per-packet-error-log.patch | 49 ++ ...read-the-per-port-area-for-unimpleme.patch | 72 +++ ...pr_log-to-ata_dev_print_features-ear.patch | 43 ++ ...ipm-and-hipm-to-ata_dev_print_featur.patch | 45 ++ ...ata_dev_config_lpm-for-atapi-devices.patch | 47 ++ ...rint-features-also-for-atapi-devices.patch | 48 ++ ...improve-link_power_management_suppor.patch | 53 ++ ...bond_mode_8023ad-to-ethernet-devices.patch | 91 +++ ...b_receive_bulk_callback-unanchor-url.patch | 61 +++ ...n-reject-too-short-aad-assoclen-8-to.patch | 53 ++ ...power-qcom-rpmpd-add-sc8280xp_mxc_ao.patch | 38 ++ ...u-don-t-allow-0-for-fou_attr_ipproto.patch | 57 ++ ...skb-memleak-with-inner-ip-protocol-0.patch | 82 +++ ...ental-cleanup-for-bond-during-interf.patch | 77 +++ ...ix-incorrect-timeout-ice_release_res.patch | 50 ++ .../ice-initialize-ring_stats-syncp.patch | 51 ++ ...dition-in-tx-timestamp-read-for-regi.patch | 125 +++++ ...x-packet-buffer-from-7kb-to-5kb-per-.patch | 51 ++ ...ult-qbv-schedule-when-changing-chann.patch | 88 +++ ...vlan-make-the-addrs_lock-be-per-port.patch | 292 ++++++++++ ...ne-data-race-in-l2tp_tunnel_del_work.patch | 85 +++ ...p-fix-memleak-in-l2tp_udp_encap_recv.patch | 77 +++ ...c_geth-return-early-when-tbi-phy-can.patch | 47 ++ ...e-that-teql-can-only-be-used-as-root.patch | 68 +++ ...e-cl_is_active-to-determine-whether-.patch | 40 ++ ...-dm9601-remove-broken-sr9700-support.patch | 53 ++ ...10k-fix-rx-flowid-tcam-mask-handling.patch | 43 ++ ...main-qcom-rpmhpd-add-mxc-to-sc8280xp.patch | 50 ++ ...tl-returns-a-negative-errno-on-error.patch | 64 +++ ...late-missing-.sizeof_wfhw-in-max7360.patch | 43 ++ ...md_assoc_shkey-right-after-sctp_cmd_.patch | 101 ++++ ...b-onlink-tests-convert-to-use-namesp.patch | 185 +++++++ queue-6.18/series | 41 ++ ...ecify-no-line-number-in-ynl-regen.sh.patch | 50 ++ ...-data-race-in-veth_get_ethtool_stats.patch | 54 ++ ...sock-virtio-coalesce-only-linear-skb.patch | 58 ++ ...cancel-scan-only-on-active-scan-vdev.patch | 69 +++ ...t-force-radio-frequency-check-in-fre.patch | 142 +++++ ...dead-lock-while-flushing-management-.patch | 77 +++ ...scan-state-stuck-in-aborting-after-c.patch | 51 ++ ...k-fix-wrong-p2p-device-link-id-issue.patch | 78 +++ ...don-t-perform-da-check-on-s1g-beacon.patch | 48 ++ ...void-misleading-per-packet-error-log.patch | 49 ++ ...pr_log-to-ata_dev_print_features-ear.patch | 43 ++ ...ata_dev_config_lpm-for-atapi-devices.patch | 48 ++ ...ta-core-introduce-ata_dev_config_lpm.patch | 79 +++ ...rint-features-also-for-atapi-devices.patch | 48 ++ ...bond_mode_8023ad-to-ethernet-devices.patch | 91 +++ ...b_receive_bulk_callback-unanchor-url.patch | 61 +++ ...n-reject-too-short-aad-assoclen-8-to.patch | 53 ++ ...power-qcom-rpmpd-add-sc8280xp_mxc_ao.patch | 38 ++ ...bindings-power-qcom-rpmpd-add-sm7150.patch | 36 ++ ...power-qcom-rpmpd-add-turbo-l5-corner.patch | 36 ++ ...r-qcom-rpmpd-document-the-sm8650-rpm.patch | 48 ++ ...r-qcom-rpmpd-document-the-sm8750-rpm.patch | 59 ++ ...r-qcom-rpmpd-split-rpmh-domains-defi.patch | 518 ++++++++++++++++++ ...r-rpmpd-add-msm8917-msm8937-and-qm21.patch | 160 ++++++ ...r-rpmpd-update-part-number-to-x1e801.patch | 40 ++ ...u-don-t-allow-0-for-fou_attr_ipproto.patch | 57 ++ ...skb-memleak-with-inner-ip-protocol-0.patch | 82 +++ ...ental-cleanup-for-bond-during-interf.patch | 77 +++ .../ice-initialize-ring_stats-syncp.patch | 51 ++ ...dition-in-tx-timestamp-read-for-regi.patch | 125 +++++ ...vlan-make-the-addrs_lock-be-per-port.patch | 292 ++++++++++ ...ne-data-race-in-l2tp_tunnel_del_work.patch | 85 +++ ...e-that-teql-can-only-be-used-as-root.patch | 68 +++ ...e-cl_is_active-to-determine-whether-.patch | 40 ++ ...-dm9601-remove-broken-sr9700-support.patch | 53 ++ ...10k-fix-rx-flowid-tcam-mask-handling.patch | 43 ++ ...main-qcom-rpmhpd-add-mxc-to-sc8280xp.patch | 50 ++ ...md_assoc_shkey-right-after-sctp_cmd_.patch | 101 ++++ ...nvert-fib-onlink-tests.sh-to-run-it-.patch | 84 +++ ...b-onlink-tests-convert-to-use-namesp.patch | 185 +++++++ queue-6.6/series | 33 ++ ...ecify-no-line-number-in-ynl-regen.sh.patch | 50 ++ ...-data-race-in-veth_get_ethtool_stats.patch | 54 ++ 166 files changed, 14027 insertions(+) create mode 100644 queue-5.10/amd-xgbe-avoid-misleading-per-packet-error-log.patch create mode 100644 queue-5.10/crypto-authencesn-reject-too-short-aad-assoclen-8-to.patch create mode 100644 queue-5.10/fou-don-t-allow-0-for-fou_attr_ipproto.patch create mode 100644 queue-5.10/gue-fix-skb-memleak-with-inner-ip-protocol-0.patch create mode 100644 queue-5.10/ipvlan-make-the-addrs_lock-be-per-port.patch create mode 100644 queue-5.10/l2tp-avoid-one-data-race-in-l2tp_tunnel_del_work.patch create mode 100644 queue-5.10/net-fou-rename-the-source-for-linking.patch create mode 100644 queue-5.10/net-fou-use-policy-and-operation-tables-generated-fr.patch create mode 100644 queue-5.10/net-sched-enforce-that-teql-can-only-be-used-as-root.patch create mode 100644 queue-5.10/net-sched-qfq-use-cl_is_active-to-determine-whether-.patch create mode 100644 queue-5.10/net-usb-dm9601-remove-broken-sr9700-support.patch create mode 100644 queue-5.10/netlink-add-a-proto-specification-for-fou.patch create mode 100644 queue-5.10/sctp-move-sctp_cmd_assoc_shkey-right-after-sctp_cmd_.patch create mode 100644 queue-5.10/sctp-sm_statefuns-fix-spelling-mistakes.patch create mode 100644 queue-5.10/selftests-net-convert-fib-onlink-tests.sh-to-run-it-.patch create mode 100644 queue-5.10/selftests-net-fib-onlink-tests-convert-to-use-namesp.patch create mode 100644 queue-5.15/amd-xgbe-avoid-misleading-per-packet-error-log.patch create mode 100644 queue-5.15/bonding-limit-bond_mode_8023ad-to-ethernet-devices.patch create mode 100644 queue-5.15/crypto-authencesn-reject-too-short-aad-assoclen-8-to.patch create mode 100644 queue-5.15/fou-don-t-allow-0-for-fou_attr_ipproto.patch create mode 100644 queue-5.15/gue-fix-skb-memleak-with-inner-ip-protocol-0.patch create mode 100644 queue-5.15/ipvlan-make-the-addrs_lock-be-per-port.patch create mode 100644 queue-5.15/l2tp-avoid-one-data-race-in-l2tp_tunnel_del_work.patch create mode 100644 queue-5.15/net-fou-rename-the-source-for-linking.patch create mode 100644 queue-5.15/net-fou-use-policy-and-operation-tables-generated-fr.patch create mode 100644 queue-5.15/net-sched-enforce-that-teql-can-only-be-used-as-root.patch create mode 100644 queue-5.15/net-sched-qfq-use-cl_is_active-to-determine-whether-.patch create mode 100644 queue-5.15/net-usb-dm9601-remove-broken-sr9700-support.patch create mode 100644 queue-5.15/netlink-add-a-proto-specification-for-fou.patch create mode 100644 queue-5.15/sctp-move-sctp_cmd_assoc_shkey-right-after-sctp_cmd_.patch create mode 100644 queue-5.15/selftests-net-convert-fib-onlink-tests.sh-to-run-it-.patch create mode 100644 queue-5.15/selftests-net-fib-onlink-tests-convert-to-use-namesp.patch create mode 100644 queue-6.1/amd-xgbe-avoid-misleading-per-packet-error-log.patch create mode 100644 queue-6.1/ata-libata-add-cpr_log-to-ata_dev_print_features-ear.patch create mode 100644 queue-6.1/ata-libata-call-ata_dev_config_lpm-for-atapi-devices.patch create mode 100644 queue-6.1/ata-libata-cleanup-fua-support-detection.patch create mode 100644 queue-6.1/ata-libata-core-introduce-ata_dev_config_lpm.patch create mode 100644 queue-6.1/ata-libata-introduce-ata_ncq_supported.patch create mode 100644 queue-6.1/ata-libata-print-features-also-for-atapi-devices.patch create mode 100644 queue-6.1/bonding-limit-bond_mode_8023ad-to-ethernet-devices.patch create mode 100644 queue-6.1/can-gs_usb-gs_usb_receive_bulk_callback-unanchor-url.patch create mode 100644 queue-6.1/crypto-authencesn-reject-too-short-aad-assoclen-8-to.patch create mode 100644 queue-6.1/fou-don-t-allow-0-for-fou_attr_ipproto.patch create mode 100644 queue-6.1/gue-fix-skb-memleak-with-inner-ip-protocol-0.patch create mode 100644 queue-6.1/ipvlan-make-the-addrs_lock-be-per-port.patch create mode 100644 queue-6.1/l2tp-avoid-one-data-race-in-l2tp_tunnel_del_work.patch create mode 100644 queue-6.1/net-fou-rename-the-source-for-linking.patch create mode 100644 queue-6.1/net-fou-use-policy-and-operation-tables-generated-fr.patch create mode 100644 queue-6.1/net-sched-enforce-that-teql-can-only-be-used-as-root.patch create mode 100644 queue-6.1/net-sched-qfq-use-cl_is_active-to-determine-whether-.patch create mode 100644 queue-6.1/net-usb-dm9601-remove-broken-sr9700-support.patch create mode 100644 queue-6.1/netlink-add-a-proto-specification-for-fou.patch create mode 100644 queue-6.1/octeontx2-cn10k-fix-rx-flowid-tcam-mask-handling.patch create mode 100644 queue-6.1/sctp-move-sctp_cmd_assoc_shkey-right-after-sctp_cmd_.patch create mode 100644 queue-6.1/selftests-net-convert-fib-onlink-tests.sh-to-run-it-.patch create mode 100644 queue-6.1/selftests-net-fib-onlink-tests-convert-to-use-namesp.patch create mode 100644 queue-6.12/amd-xgbe-avoid-misleading-per-packet-error-log.patch create mode 100644 queue-6.12/ata-ahci-do-not-read-the-per-port-area-for-unimpleme.patch create mode 100644 queue-6.12/ata-libata-add-cpr_log-to-ata_dev_print_features-ear.patch create mode 100644 queue-6.12/ata-libata-call-ata_dev_config_lpm-for-atapi-devices.patch create mode 100644 queue-6.12/ata-libata-core-introduce-ata_dev_config_lpm.patch create mode 100644 queue-6.12/ata-libata-print-features-also-for-atapi-devices.patch create mode 100644 queue-6.12/ata-libata-sata-improve-link_power_management_suppor.patch create mode 100644 queue-6.12/bonding-limit-bond_mode_8023ad-to-ethernet-devices.patch create mode 100644 queue-6.12/can-gs_usb-gs_usb_receive_bulk_callback-unanchor-url.patch create mode 100644 queue-6.12/crypto-authencesn-reject-too-short-aad-assoclen-8-to.patch create mode 100644 queue-6.12/fou-don-t-allow-0-for-fou_attr_ipproto.patch create mode 100644 queue-6.12/gue-fix-skb-memleak-with-inner-ip-protocol-0.patch create mode 100644 queue-6.12/ice-avoid-detrimental-cleanup-for-bond-during-interf.patch create mode 100644 queue-6.12/ice-fix-incorrect-timeout-ice_release_res.patch create mode 100644 queue-6.12/ice-initialize-ring_stats-syncp.patch create mode 100644 queue-6.12/igc-fix-race-condition-in-tx-timestamp-read-for-regi.patch create mode 100644 queue-6.12/igc-restore-default-qbv-schedule-when-changing-chann.patch create mode 100644 queue-6.12/ipvlan-make-the-addrs_lock-be-per-port.patch create mode 100644 queue-6.12/l2tp-avoid-one-data-race-in-l2tp_tunnel_del_work.patch create mode 100644 queue-6.12/l2tp-fix-memleak-in-l2tp_udp_encap_recv.patch create mode 100644 queue-6.12/net-sched-enforce-that-teql-can-only-be-used-as-root.patch create mode 100644 queue-6.12/net-sched-qfq-use-cl_is_active-to-determine-whether-.patch create mode 100644 queue-6.12/net-usb-dm9601-remove-broken-sr9700-support.patch create mode 100644 queue-6.12/octeontx2-cn10k-fix-rx-flowid-tcam-mask-handling.patch create mode 100644 queue-6.12/sctp-move-sctp_cmd_assoc_shkey-right-after-sctp_cmd_.patch create mode 100644 queue-6.12/selftests-net-fib-onlink-tests-convert-to-use-namesp.patch create mode 100644 queue-6.12/tools-ynl-specify-no-line-number-in-ynl-regen.sh.patch create mode 100644 queue-6.12/veth-fix-data-race-in-veth_get_ethtool_stats.patch create mode 100644 queue-6.12/vsock-virtio-coalesce-only-linear-skb.patch create mode 100644 queue-6.12/wifi-mac80211-don-t-perform-da-check-on-s1g-beacon.patch create mode 100644 queue-6.18/amd-xgbe-avoid-misleading-per-packet-error-log.patch create mode 100644 queue-6.18/ata-ahci-do-not-read-the-per-port-area-for-unimpleme.patch create mode 100644 queue-6.18/ata-libata-add-cpr_log-to-ata_dev_print_features-ear.patch create mode 100644 queue-6.18/ata-libata-add-dipm-and-hipm-to-ata_dev_print_featur.patch create mode 100644 queue-6.18/ata-libata-call-ata_dev_config_lpm-for-atapi-devices.patch create mode 100644 queue-6.18/ata-libata-print-features-also-for-atapi-devices.patch create mode 100644 queue-6.18/ata-libata-sata-improve-link_power_management_suppor.patch create mode 100644 queue-6.18/bonding-limit-bond_mode_8023ad-to-ethernet-devices.patch create mode 100644 queue-6.18/can-gs_usb-gs_usb_receive_bulk_callback-unanchor-url.patch create mode 100644 queue-6.18/crypto-authencesn-reject-too-short-aad-assoclen-8-to.patch create mode 100644 queue-6.18/dt-bindings-power-qcom-rpmpd-add-sc8280xp_mxc_ao.patch create mode 100644 queue-6.18/fou-don-t-allow-0-for-fou_attr_ipproto.patch create mode 100644 queue-6.18/gue-fix-skb-memleak-with-inner-ip-protocol-0.patch create mode 100644 queue-6.18/ice-avoid-detrimental-cleanup-for-bond-during-interf.patch create mode 100644 queue-6.18/ice-fix-incorrect-timeout-ice_release_res.patch create mode 100644 queue-6.18/ice-initialize-ring_stats-syncp.patch create mode 100644 queue-6.18/igc-fix-race-condition-in-tx-timestamp-read-for-regi.patch create mode 100644 queue-6.18/igc-reduce-tsn-tx-packet-buffer-from-7kb-to-5kb-per-.patch create mode 100644 queue-6.18/igc-restore-default-qbv-schedule-when-changing-chann.patch create mode 100644 queue-6.18/ipvlan-make-the-addrs_lock-be-per-port.patch create mode 100644 queue-6.18/l2tp-avoid-one-data-race-in-l2tp_tunnel_del_work.patch create mode 100644 queue-6.18/l2tp-fix-memleak-in-l2tp_udp_encap_recv.patch create mode 100644 queue-6.18/net-freescale-ucc_geth-return-early-when-tbi-phy-can.patch create mode 100644 queue-6.18/net-sched-enforce-that-teql-can-only-be-used-as-root.patch create mode 100644 queue-6.18/net-sched-qfq-use-cl_is_active-to-determine-whether-.patch create mode 100644 queue-6.18/net-usb-dm9601-remove-broken-sr9700-support.patch create mode 100644 queue-6.18/octeontx2-cn10k-fix-rx-flowid-tcam-mask-handling.patch create mode 100644 queue-6.18/pmdomain-qcom-rpmhpd-add-mxc-to-sc8280xp.patch create mode 100644 queue-6.18/pwm-ensure-ioctl-returns-a-negative-errno-on-error.patch create mode 100644 queue-6.18/pwm-max7360-populate-missing-.sizeof_wfhw-in-max7360.patch create mode 100644 queue-6.18/sctp-move-sctp_cmd_assoc_shkey-right-after-sctp_cmd_.patch create mode 100644 queue-6.18/selftests-net-fib-onlink-tests-convert-to-use-namesp.patch create mode 100644 queue-6.18/tools-ynl-specify-no-line-number-in-ynl-regen.sh.patch create mode 100644 queue-6.18/veth-fix-data-race-in-veth_get_ethtool_stats.patch create mode 100644 queue-6.18/vsock-virtio-coalesce-only-linear-skb.patch create mode 100644 queue-6.18/wifi-ath12k-cancel-scan-only-on-active-scan-vdev.patch create mode 100644 queue-6.18/wifi-ath12k-don-t-force-radio-frequency-check-in-fre.patch create mode 100644 queue-6.18/wifi-ath12k-fix-dead-lock-while-flushing-management-.patch create mode 100644 queue-6.18/wifi-ath12k-fix-scan-state-stuck-in-aborting-after-c.patch create mode 100644 queue-6.18/wifi-ath12k-fix-wrong-p2p-device-link-id-issue.patch create mode 100644 queue-6.18/wifi-mac80211-don-t-perform-da-check-on-s1g-beacon.patch create mode 100644 queue-6.6/amd-xgbe-avoid-misleading-per-packet-error-log.patch create mode 100644 queue-6.6/ata-libata-add-cpr_log-to-ata_dev_print_features-ear.patch create mode 100644 queue-6.6/ata-libata-call-ata_dev_config_lpm-for-atapi-devices.patch create mode 100644 queue-6.6/ata-libata-core-introduce-ata_dev_config_lpm.patch create mode 100644 queue-6.6/ata-libata-print-features-also-for-atapi-devices.patch create mode 100644 queue-6.6/bonding-limit-bond_mode_8023ad-to-ethernet-devices.patch create mode 100644 queue-6.6/can-gs_usb-gs_usb_receive_bulk_callback-unanchor-url.patch create mode 100644 queue-6.6/crypto-authencesn-reject-too-short-aad-assoclen-8-to.patch create mode 100644 queue-6.6/dt-bindings-power-qcom-rpmpd-add-sc8280xp_mxc_ao.patch create mode 100644 queue-6.6/dt-bindings-power-qcom-rpmpd-add-sm7150.patch create mode 100644 queue-6.6/dt-bindings-power-qcom-rpmpd-add-turbo-l5-corner.patch create mode 100644 queue-6.6/dt-bindings-power-qcom-rpmpd-document-the-sm8650-rpm.patch create mode 100644 queue-6.6/dt-bindings-power-qcom-rpmpd-document-the-sm8750-rpm.patch create mode 100644 queue-6.6/dt-bindings-power-qcom-rpmpd-split-rpmh-domains-defi.patch create mode 100644 queue-6.6/dt-bindings-power-rpmpd-add-msm8917-msm8937-and-qm21.patch create mode 100644 queue-6.6/dt-bindings-power-rpmpd-update-part-number-to-x1e801.patch create mode 100644 queue-6.6/fou-don-t-allow-0-for-fou_attr_ipproto.patch create mode 100644 queue-6.6/gue-fix-skb-memleak-with-inner-ip-protocol-0.patch create mode 100644 queue-6.6/ice-avoid-detrimental-cleanup-for-bond-during-interf.patch create mode 100644 queue-6.6/ice-initialize-ring_stats-syncp.patch create mode 100644 queue-6.6/igc-fix-race-condition-in-tx-timestamp-read-for-regi.patch create mode 100644 queue-6.6/ipvlan-make-the-addrs_lock-be-per-port.patch create mode 100644 queue-6.6/l2tp-avoid-one-data-race-in-l2tp_tunnel_del_work.patch create mode 100644 queue-6.6/net-sched-enforce-that-teql-can-only-be-used-as-root.patch create mode 100644 queue-6.6/net-sched-qfq-use-cl_is_active-to-determine-whether-.patch create mode 100644 queue-6.6/net-usb-dm9601-remove-broken-sr9700-support.patch create mode 100644 queue-6.6/octeontx2-cn10k-fix-rx-flowid-tcam-mask-handling.patch create mode 100644 queue-6.6/pmdomain-qcom-rpmhpd-add-mxc-to-sc8280xp.patch create mode 100644 queue-6.6/sctp-move-sctp_cmd_assoc_shkey-right-after-sctp_cmd_.patch create mode 100644 queue-6.6/selftests-net-convert-fib-onlink-tests.sh-to-run-it-.patch create mode 100644 queue-6.6/selftests-net-fib-onlink-tests-convert-to-use-namesp.patch create mode 100644 queue-6.6/tools-ynl-specify-no-line-number-in-ynl-regen.sh.patch create mode 100644 queue-6.6/veth-fix-data-race-in-veth_get_ethtool_stats.patch diff --git a/queue-5.10/amd-xgbe-avoid-misleading-per-packet-error-log.patch b/queue-5.10/amd-xgbe-avoid-misleading-per-packet-error-log.patch new file mode 100644 index 0000000000..f4156c46ff --- /dev/null +++ b/queue-5.10/amd-xgbe-avoid-misleading-per-packet-error-log.patch @@ -0,0 +1,49 @@ +From b98767ac503b3ac3817e296b074206a8bb055f22 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jan 2026 22:00:37 +0530 +Subject: amd-xgbe: avoid misleading per-packet error log + +From: Raju Rangoju + +[ Upstream commit c158f985cf6c2c36c99c4f67af2ff3f5ebe09f8f ] + +On the receive path, packet can be damaged because of buffer +overflow in Rx FIFO. Avoid misleading per-packet error log when +packet->errors is set, this can flood the log. Instead, rely on the +standard rtnl_link_stats64 stats. + +Fixes: c5aa9e3b8156 ("amd-xgbe: Initial AMD 10GbE platform driver") +Signed-off-by: Raju Rangoju +Link: https://patch.msgid.link/20260114163037.2062606-1-Raju.Rangoju@amd.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c +index 9cd6dac033630..3de7674a84675 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c +@@ -2112,7 +2112,7 @@ static void xgbe_get_stats64(struct net_device *netdev, + s->multicast = pstats->rxmulticastframes_g; + s->rx_length_errors = pstats->rxlengtherror; + s->rx_crc_errors = pstats->rxcrcerror; +- s->rx_fifo_errors = pstats->rxfifooverflow; ++ s->rx_over_errors = pstats->rxfifooverflow; + + s->tx_packets = pstats->txframecount_gb; + s->tx_bytes = pstats->txoctetcount_gb; +@@ -2568,9 +2568,6 @@ static int xgbe_rx_poll(struct xgbe_channel *channel, int budget) + goto read_again; + + if (error || packet->errors) { +- if (packet->errors) +- netif_err(pdata, rx_err, netdev, +- "error in received packet\n"); + dev_kfree_skb(skb); + goto next_packet; + } +-- +2.51.0 + diff --git a/queue-5.10/crypto-authencesn-reject-too-short-aad-assoclen-8-to.patch b/queue-5.10/crypto-authencesn-reject-too-short-aad-assoclen-8-to.patch new file mode 100644 index 0000000000..9a726ce7ae --- /dev/null +++ b/queue-5.10/crypto-authencesn-reject-too-short-aad-assoclen-8-to.patch @@ -0,0 +1,53 @@ +From ffa4bd8f9a3937a71d2f0c4edb1d0daa8b137420 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jan 2026 16:03:58 +0900 +Subject: crypto: authencesn - reject too-short AAD (assoclen<8) to match + ESP/ESN spec + +From: Taeyang Lee <0wn@theori.io> + +[ Upstream commit 2397e9264676be7794f8f7f1e9763d90bd3c7335 ] + +authencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than +the minimum expected length, crypto_authenc_esn_decrypt() can advance past +the end of the destination scatterlist and trigger a NULL pointer dereference +in scatterwalk_map_and_copy(), leading to a kernel panic (DoS). + +Add a minimum AAD length check to fail fast on invalid inputs. + +Fixes: 104880a6b470 ("crypto: authencesn - Convert to new AEAD interface") +Reported-By: Taeyang Lee <0wn@theori.io> +Signed-off-by: Taeyang Lee <0wn@theori.io> +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/authencesn.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/crypto/authencesn.c b/crypto/authencesn.c +index b60e61b1904cb..6487b35851d54 100644 +--- a/crypto/authencesn.c ++++ b/crypto/authencesn.c +@@ -191,6 +191,9 @@ static int crypto_authenc_esn_encrypt(struct aead_request *req) + struct scatterlist *src, *dst; + int err; + ++ if (assoclen < 8) ++ return -EINVAL; ++ + sg_init_table(areq_ctx->src, 2); + src = scatterwalk_ffwd(areq_ctx->src, req->src, assoclen); + dst = src; +@@ -284,6 +287,9 @@ static int crypto_authenc_esn_decrypt(struct aead_request *req) + u32 tmp[2]; + int err; + ++ if (assoclen < 8) ++ return -EINVAL; ++ + cryptlen -= authsize; + + if (req->src != dst) { +-- +2.51.0 + diff --git a/queue-5.10/fou-don-t-allow-0-for-fou_attr_ipproto.patch b/queue-5.10/fou-don-t-allow-0-for-fou_attr_ipproto.patch new file mode 100644 index 0000000000..27e3f33bc9 --- /dev/null +++ b/queue-5.10/fou-don-t-allow-0-for-fou_attr_ipproto.patch @@ -0,0 +1,57 @@ +From 470815db4f847c7cfc1284040ce43f75e705f049 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jan 2026 17:24:48 +0000 +Subject: fou: Don't allow 0 for FOU_ATTR_IPPROTO. + +From: Kuniyuki Iwashima + +[ Upstream commit 7a9bc9e3f42391e4c187e099263cf7a1c4b69ff5 ] + +fou_udp_recv() has the same problem mentioned in the previous +patch. + +If FOU_ATTR_IPPROTO is set to 0, skb is not freed by +fou_udp_recv() nor "resubmit"-ted in ip_protocol_deliver_rcu(). + +Let's forbid 0 for FOU_ATTR_IPPROTO. + +Fixes: 23461551c0062 ("fou: Support for foo-over-udp RX path") +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20260115172533.693652-4-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + Documentation/netlink/specs/fou.yaml | 2 ++ + net/ipv4/fou_nl.c | 2 +- + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/Documentation/netlink/specs/fou.yaml b/Documentation/netlink/specs/fou.yaml +index 266c386eedf3a..e5753a30a29a2 100644 +--- a/Documentation/netlink/specs/fou.yaml ++++ b/Documentation/netlink/specs/fou.yaml +@@ -36,6 +36,8 @@ attribute-sets: + - + name: ipproto + type: u8 ++ checks: ++ min: 1 + - + name: type + type: u8 +diff --git a/net/ipv4/fou_nl.c b/net/ipv4/fou_nl.c +index 6c3820f41dd5d..5bb8133ed7a89 100644 +--- a/net/ipv4/fou_nl.c ++++ b/net/ipv4/fou_nl.c +@@ -14,7 +14,7 @@ + const struct nla_policy fou_nl_policy[FOU_ATTR_IFINDEX + 1] = { + [FOU_ATTR_PORT] = { .type = NLA_U16, }, + [FOU_ATTR_AF] = { .type = NLA_U8, }, +- [FOU_ATTR_IPPROTO] = { .type = NLA_U8, }, ++ [FOU_ATTR_IPPROTO] = NLA_POLICY_MIN(NLA_U8, 1), + [FOU_ATTR_TYPE] = { .type = NLA_U8, }, + [FOU_ATTR_REMCSUM_NOPARTIAL] = { .type = NLA_FLAG, }, + [FOU_ATTR_LOCAL_V4] = { .type = NLA_U32, }, +-- +2.51.0 + diff --git a/queue-5.10/gue-fix-skb-memleak-with-inner-ip-protocol-0.patch b/queue-5.10/gue-fix-skb-memleak-with-inner-ip-protocol-0.patch new file mode 100644 index 0000000000..bcec1d2aae --- /dev/null +++ b/queue-5.10/gue-fix-skb-memleak-with-inner-ip-protocol-0.patch @@ -0,0 +1,82 @@ +From cbbfcb60156fb20f6a8116c8d7bc41fa77a73a62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jan 2026 17:24:46 +0000 +Subject: gue: Fix skb memleak with inner IP protocol 0. + +From: Kuniyuki Iwashima + +[ Upstream commit 9a56796ad258786d3624eef5aefba394fc9bdded ] + +syzbot reported skb memleak below. [0] + +The repro generated a GUE packet with its inner protocol 0. + +gue_udp_recv() returns -guehdr->proto_ctype for "resubmit" +in ip_protocol_deliver_rcu(), but this only works with +non-zero protocol number. + +Let's drop such packets. + +Note that 0 is a valid number (IPv6 Hop-by-Hop Option). + +I think it is not practical to encap HOPOPT in GUE, so once +someone starts to complain, we could pass down a resubmit +flag pointer to distinguish two zeros from the upper layer: + + * no error + * resubmit HOPOPT + +[0] +BUG: memory leak +unreferenced object 0xffff888109695a00 (size 240): + comm "syz.0.17", pid 6088, jiffies 4294943096 + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 40 c2 10 81 88 ff ff 00 00 00 00 00 00 00 00 .@.............. + backtrace (crc a84b336f): + kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] + slab_post_alloc_hook mm/slub.c:4958 [inline] + slab_alloc_node mm/slub.c:5263 [inline] + kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270 + __build_skb+0x23/0x60 net/core/skbuff.c:474 + build_skb+0x20/0x190 net/core/skbuff.c:490 + __tun_build_skb drivers/net/tun.c:1541 [inline] + tun_build_skb+0x4a1/0xa40 drivers/net/tun.c:1636 + tun_get_user+0xc12/0x2030 drivers/net/tun.c:1770 + tun_chr_write_iter+0x71/0x120 drivers/net/tun.c:1999 + new_sync_write fs/read_write.c:593 [inline] + vfs_write+0x45d/0x710 fs/read_write.c:686 + ksys_write+0xa7/0x170 fs/read_write.c:738 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: 37dd0247797b1 ("gue: Receive side for Generic UDP Encapsulation") +Reported-by: syzbot+4d8c7d16b0e95c0d0f0d@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/6965534b.050a0220.38aacd.0001.GAE@google.com/ +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20260115172533.693652-2-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/fou.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/ipv4/fou.c b/net/ipv4/fou.c +index b1a8e4eec3f6e..e63aa6b52460c 100644 +--- a/net/ipv4/fou.c ++++ b/net/ipv4/fou.c +@@ -213,6 +213,9 @@ static int gue_udp_recv(struct sock *sk, struct sk_buff *skb) + return gue_control_message(skb, guehdr); + + proto_ctype = guehdr->proto_ctype; ++ if (unlikely(!proto_ctype)) ++ goto drop; ++ + __skb_pull(skb, sizeof(struct udphdr) + hdrlen); + skb_reset_transport_header(skb); + +-- +2.51.0 + diff --git a/queue-5.10/ipvlan-make-the-addrs_lock-be-per-port.patch b/queue-5.10/ipvlan-make-the-addrs_lock-be-per-port.patch new file mode 100644 index 0000000000..04bfb56914 --- /dev/null +++ b/queue-5.10/ipvlan-make-the-addrs_lock-be-per-port.patch @@ -0,0 +1,292 @@ +From ef35faa2b81fa476c4ddd5b911ee3ace6e203a51 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 17:24:06 +0300 +Subject: ipvlan: Make the addrs_lock be per port + +From: Dmitry Skorodumov + +[ Upstream commit d3ba32162488283c0a4c5bedd8817aec91748802 ] + +Make the addrs_lock be per port, not per ipvlan dev. + +Initial code seems to be written in the assumption, +that any address change must occur under RTNL. +But it is not so for the case of IPv6. So + +1) Introduce per-port addrs_lock. + +2) It was needed to fix places where it was forgotten +to take lock (ipvlan_open/ipvlan_close) + +This appears to be a very minor problem though. +Since it's highly unlikely that ipvlan_add_addr() will +be called on 2 CPU simultaneously. But nevertheless, +this could cause: + +1) False-negative of ipvlan_addr_busy(): one interface +iterated through all port->ipvlans + ipvlan->addrs +under some ipvlan spinlock, and another added IP +under its own lock. Though this is only possible +for IPv6, since looks like only ipvlan_addr6_event() can be +called without rtnl_lock. + +2) Race since ipvlan_ht_addr_add(port) is called under +different ipvlan->addrs_lock locks + +This should not affect performance, since add/remove IP +is a rare situation and spinlock is not taken on fast +paths. + +Fixes: 8230819494b3 ("ipvlan: use per device spinlock to protect addrs list updates") +Signed-off-by: Dmitry Skorodumov +Reviewed-by: Paolo Abeni +Link: https://patch.msgid.link/20260112142417.4039566-2-skorodumov.dmitry@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ipvlan/ipvlan.h | 2 +- + drivers/net/ipvlan/ipvlan_core.c | 16 +++++------ + drivers/net/ipvlan/ipvlan_main.c | 49 +++++++++++++++++++------------- + 3 files changed, 37 insertions(+), 30 deletions(-) + +diff --git a/drivers/net/ipvlan/ipvlan.h b/drivers/net/ipvlan/ipvlan.h +index 3837c897832ea..befb61e00d07d 100644 +--- a/drivers/net/ipvlan/ipvlan.h ++++ b/drivers/net/ipvlan/ipvlan.h +@@ -69,7 +69,6 @@ struct ipvl_dev { + DECLARE_BITMAP(mac_filters, IPVLAN_MAC_FILTER_SIZE); + netdev_features_t sfeatures; + u32 msg_enable; +- spinlock_t addrs_lock; + }; + + struct ipvl_addr { +@@ -90,6 +89,7 @@ struct ipvl_port { + struct net_device *dev; + possible_net_t pnet; + struct hlist_head hlhead[IPVLAN_HASH_SIZE]; ++ spinlock_t addrs_lock; /* guards hash-table and addrs */ + struct list_head ipvlans; + u16 mode; + u16 flags; +diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c +index a113a06c98a55..c1f57db3f1851 100644 +--- a/drivers/net/ipvlan/ipvlan_core.c ++++ b/drivers/net/ipvlan/ipvlan_core.c +@@ -104,17 +104,15 @@ void ipvlan_ht_addr_del(struct ipvl_addr *addr) + struct ipvl_addr *ipvlan_find_addr(const struct ipvl_dev *ipvlan, + const void *iaddr, bool is_v6) + { +- struct ipvl_addr *addr, *ret = NULL; ++ struct ipvl_addr *addr; + +- rcu_read_lock(); +- list_for_each_entry_rcu(addr, &ipvlan->addrs, anode) { +- if (addr_equal(is_v6, addr, iaddr)) { +- ret = addr; +- break; +- } ++ assert_spin_locked(&ipvlan->port->addrs_lock); ++ ++ list_for_each_entry(addr, &ipvlan->addrs, anode) { ++ if (addr_equal(is_v6, addr, iaddr)) ++ return addr; + } +- rcu_read_unlock(); +- return ret; ++ return NULL; + } + + bool ipvlan_addr_busy(struct ipvl_port *port, void *iaddr, bool is_v6) +diff --git a/drivers/net/ipvlan/ipvlan_main.c b/drivers/net/ipvlan/ipvlan_main.c +index f59ef2e2a614b..964e1449a0c6f 100644 +--- a/drivers/net/ipvlan/ipvlan_main.c ++++ b/drivers/net/ipvlan/ipvlan_main.c +@@ -72,6 +72,7 @@ static int ipvlan_port_create(struct net_device *dev) + for (idx = 0; idx < IPVLAN_HASH_SIZE; idx++) + INIT_HLIST_HEAD(&port->hlhead[idx]); + ++ spin_lock_init(&port->addrs_lock); + skb_queue_head_init(&port->backlog); + INIT_WORK(&port->wq, ipvlan_process_multicast); + ida_init(&port->ida); +@@ -177,6 +178,7 @@ static void ipvlan_uninit(struct net_device *dev) + static int ipvlan_open(struct net_device *dev) + { + struct ipvl_dev *ipvlan = netdev_priv(dev); ++ struct ipvl_port *port = ipvlan->port; + struct ipvl_addr *addr; + + if (ipvlan->port->mode == IPVLAN_MODE_L3 || +@@ -185,10 +187,10 @@ static int ipvlan_open(struct net_device *dev) + else + dev->flags &= ~IFF_NOARP; + +- rcu_read_lock(); +- list_for_each_entry_rcu(addr, &ipvlan->addrs, anode) ++ spin_lock_bh(&port->addrs_lock); ++ list_for_each_entry(addr, &ipvlan->addrs, anode) + ipvlan_ht_addr_add(ipvlan, addr); +- rcu_read_unlock(); ++ spin_unlock_bh(&port->addrs_lock); + + return 0; + } +@@ -202,10 +204,10 @@ static int ipvlan_stop(struct net_device *dev) + dev_uc_unsync(phy_dev, dev); + dev_mc_unsync(phy_dev, dev); + +- rcu_read_lock(); +- list_for_each_entry_rcu(addr, &ipvlan->addrs, anode) ++ spin_lock_bh(&ipvlan->port->addrs_lock); ++ list_for_each_entry(addr, &ipvlan->addrs, anode) + ipvlan_ht_addr_del(addr); +- rcu_read_unlock(); ++ spin_unlock_bh(&ipvlan->port->addrs_lock); + + return 0; + } +@@ -572,7 +574,6 @@ int ipvlan_link_new(struct net *src_net, struct net_device *dev, + if (!tb[IFLA_MTU]) + ipvlan_adjust_mtu(ipvlan, phy_dev); + INIT_LIST_HEAD(&ipvlan->addrs); +- spin_lock_init(&ipvlan->addrs_lock); + + /* TODO Probably put random address here to be presented to the + * world but keep using the physical-dev address for the outgoing +@@ -650,13 +651,13 @@ void ipvlan_link_delete(struct net_device *dev, struct list_head *head) + struct ipvl_dev *ipvlan = netdev_priv(dev); + struct ipvl_addr *addr, *next; + +- spin_lock_bh(&ipvlan->addrs_lock); ++ spin_lock_bh(&ipvlan->port->addrs_lock); + list_for_each_entry_safe(addr, next, &ipvlan->addrs, anode) { + ipvlan_ht_addr_del(addr); + list_del_rcu(&addr->anode); + kfree_rcu(addr, rcu); + } +- spin_unlock_bh(&ipvlan->addrs_lock); ++ spin_unlock_bh(&ipvlan->port->addrs_lock); + + ida_simple_remove(&ipvlan->port->ida, dev->dev_id); + list_del_rcu(&ipvlan->pnode); +@@ -803,6 +804,8 @@ static int ipvlan_add_addr(struct ipvl_dev *ipvlan, void *iaddr, bool is_v6) + { + struct ipvl_addr *addr; + ++ assert_spin_locked(&ipvlan->port->addrs_lock); ++ + addr = kzalloc(sizeof(struct ipvl_addr), GFP_ATOMIC); + if (!addr) + return -ENOMEM; +@@ -833,16 +836,16 @@ static void ipvlan_del_addr(struct ipvl_dev *ipvlan, void *iaddr, bool is_v6) + { + struct ipvl_addr *addr; + +- spin_lock_bh(&ipvlan->addrs_lock); ++ spin_lock_bh(&ipvlan->port->addrs_lock); + addr = ipvlan_find_addr(ipvlan, iaddr, is_v6); + if (!addr) { +- spin_unlock_bh(&ipvlan->addrs_lock); ++ spin_unlock_bh(&ipvlan->port->addrs_lock); + return; + } + + ipvlan_ht_addr_del(addr); + list_del_rcu(&addr->anode); +- spin_unlock_bh(&ipvlan->addrs_lock); ++ spin_unlock_bh(&ipvlan->port->addrs_lock); + kfree_rcu(addr, rcu); + } + +@@ -864,14 +867,14 @@ static int ipvlan_add_addr6(struct ipvl_dev *ipvlan, struct in6_addr *ip6_addr) + { + int ret = -EINVAL; + +- spin_lock_bh(&ipvlan->addrs_lock); ++ spin_lock_bh(&ipvlan->port->addrs_lock); + if (ipvlan_addr_busy(ipvlan->port, ip6_addr, true)) + netif_err(ipvlan, ifup, ipvlan->dev, + "Failed to add IPv6=%pI6c addr for %s intf\n", + ip6_addr, ipvlan->dev->name); + else + ret = ipvlan_add_addr(ipvlan, ip6_addr, true); +- spin_unlock_bh(&ipvlan->addrs_lock); ++ spin_unlock_bh(&ipvlan->port->addrs_lock); + return ret; + } + +@@ -910,21 +913,24 @@ static int ipvlan_addr6_validator_event(struct notifier_block *unused, + struct in6_validator_info *i6vi = (struct in6_validator_info *)ptr; + struct net_device *dev = (struct net_device *)i6vi->i6vi_dev->dev; + struct ipvl_dev *ipvlan = netdev_priv(dev); ++ int ret = NOTIFY_OK; + + if (!ipvlan_is_valid_dev(dev)) + return NOTIFY_DONE; + + switch (event) { + case NETDEV_UP: ++ spin_lock_bh(&ipvlan->port->addrs_lock); + if (ipvlan_addr_busy(ipvlan->port, &i6vi->i6vi_addr, true)) { + NL_SET_ERR_MSG(i6vi->extack, + "Address already assigned to an ipvlan device"); +- return notifier_from_errno(-EADDRINUSE); ++ ret = notifier_from_errno(-EADDRINUSE); + } ++ spin_unlock_bh(&ipvlan->port->addrs_lock); + break; + } + +- return NOTIFY_OK; ++ return ret; + } + #endif + +@@ -932,14 +938,14 @@ static int ipvlan_add_addr4(struct ipvl_dev *ipvlan, struct in_addr *ip4_addr) + { + int ret = -EINVAL; + +- spin_lock_bh(&ipvlan->addrs_lock); ++ spin_lock_bh(&ipvlan->port->addrs_lock); + if (ipvlan_addr_busy(ipvlan->port, ip4_addr, false)) + netif_err(ipvlan, ifup, ipvlan->dev, + "Failed to add IPv4=%pI4 on %s intf.\n", + ip4_addr, ipvlan->dev->name); + else + ret = ipvlan_add_addr(ipvlan, ip4_addr, false); +- spin_unlock_bh(&ipvlan->addrs_lock); ++ spin_unlock_bh(&ipvlan->port->addrs_lock); + return ret; + } + +@@ -981,21 +987,24 @@ static int ipvlan_addr4_validator_event(struct notifier_block *unused, + struct in_validator_info *ivi = (struct in_validator_info *)ptr; + struct net_device *dev = (struct net_device *)ivi->ivi_dev->dev; + struct ipvl_dev *ipvlan = netdev_priv(dev); ++ int ret = NOTIFY_OK; + + if (!ipvlan_is_valid_dev(dev)) + return NOTIFY_DONE; + + switch (event) { + case NETDEV_UP: ++ spin_lock_bh(&ipvlan->port->addrs_lock); + if (ipvlan_addr_busy(ipvlan->port, &ivi->ivi_addr, false)) { + NL_SET_ERR_MSG(ivi->extack, + "Address already assigned to an ipvlan device"); +- return notifier_from_errno(-EADDRINUSE); ++ ret = notifier_from_errno(-EADDRINUSE); + } ++ spin_unlock_bh(&ipvlan->port->addrs_lock); + break; + } + +- return NOTIFY_OK; ++ return ret; + } + + static struct notifier_block ipvlan_addr4_notifier_block __read_mostly = { +-- +2.51.0 + diff --git a/queue-5.10/l2tp-avoid-one-data-race-in-l2tp_tunnel_del_work.patch b/queue-5.10/l2tp-avoid-one-data-race-in-l2tp_tunnel_del_work.patch new file mode 100644 index 0000000000..ef20b3b0ce --- /dev/null +++ b/queue-5.10/l2tp-avoid-one-data-race-in-l2tp_tunnel_del_work.patch @@ -0,0 +1,85 @@ +From 45e71bcb4dfe9acfb11eb3d88b39cd255820bb14 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jan 2026 09:21:39 +0000 +Subject: l2tp: avoid one data-race in l2tp_tunnel_del_work() + +From: Eric Dumazet + +[ Upstream commit 7a29f6bf60f2590fe5e9c4decb451e19afad2bcf ] + +We should read sk->sk_socket only when dealing with kernel sockets. + +syzbot reported the following data-race: + +BUG: KCSAN: data-race in l2tp_tunnel_del_work / sk_common_release + +write to 0xffff88811c182b20 of 8 bytes by task 5365 on cpu 0: + sk_set_socket include/net/sock.h:2092 [inline] + sock_orphan include/net/sock.h:2118 [inline] + sk_common_release+0xae/0x230 net/core/sock.c:4003 + udp_lib_close+0x15/0x20 include/net/udp.h:325 + inet_release+0xce/0xf0 net/ipv4/af_inet.c:437 + __sock_release net/socket.c:662 [inline] + sock_close+0x6b/0x150 net/socket.c:1455 + __fput+0x29b/0x650 fs/file_table.c:468 + ____fput+0x1c/0x30 fs/file_table.c:496 + task_work_run+0x131/0x1a0 kernel/task_work.c:233 + resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] + __exit_to_user_mode_loop kernel/entry/common.c:44 [inline] + exit_to_user_mode_loop+0x1fe/0x740 kernel/entry/common.c:75 + __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline] + syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline] + syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline] + syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline] + do_syscall_64+0x1e1/0x2b0 arch/x86/entry/syscall_64.c:100 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +read to 0xffff88811c182b20 of 8 bytes by task 827 on cpu 1: + l2tp_tunnel_del_work+0x2f/0x1a0 net/l2tp/l2tp_core.c:1418 + process_one_work kernel/workqueue.c:3257 [inline] + process_scheduled_works+0x4ce/0x9d0 kernel/workqueue.c:3340 + worker_thread+0x582/0x770 kernel/workqueue.c:3421 + kthread+0x489/0x510 kernel/kthread.c:463 + ret_from_fork+0x149/0x290 arch/x86/kernel/process.c:158 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 + +value changed: 0xffff88811b818000 -> 0x0000000000000000 + +Fixes: d00fa9adc528 ("l2tp: fix races with tunnel socket close") +Reported-by: syzbot+7312e82745f7fa2526db@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/6968b029.050a0220.58bed.0016.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: James Chapman +Reviewed-by: Guillaume Nault +Link: https://patch.msgid.link/20260115092139.3066180-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/l2tp/l2tp_core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c +index b6dcfca740c1c..83615f5968dd5 100644 +--- a/net/l2tp/l2tp_core.c ++++ b/net/l2tp/l2tp_core.c +@@ -1252,8 +1252,6 @@ static void l2tp_tunnel_del_work(struct work_struct *work) + { + struct l2tp_tunnel *tunnel = container_of(work, struct l2tp_tunnel, + del_work); +- struct sock *sk = tunnel->sock; +- struct socket *sock = sk->sk_socket; + + l2tp_tunnel_closeall(tunnel); + +@@ -1261,6 +1259,8 @@ static void l2tp_tunnel_del_work(struct work_struct *work) + * the sk API to release it here. + */ + if (tunnel->fd < 0) { ++ struct socket *sock = tunnel->sock->sk_socket; ++ + if (sock) { + kernel_sock_shutdown(sock, SHUT_RDWR); + sock_release(sock); +-- +2.51.0 + diff --git a/queue-5.10/net-fou-rename-the-source-for-linking.patch b/queue-5.10/net-fou-rename-the-source-for-linking.patch new file mode 100644 index 0000000000..d378fa740d --- /dev/null +++ b/queue-5.10/net-fou-rename-the-source-for-linking.patch @@ -0,0 +1,43 @@ +From 59e742db93c3fbff603d285f53bf91a87b81aec1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jan 2023 09:50:39 -0800 +Subject: net: fou: rename the source for linking + +From: Jakub Kicinski + +[ Upstream commit 08d323234d10eab077cbf0093eeb5991478a261a ] + +We'll need to link two objects together to form the fou module. +This means the source can't be called fou, the build system expects +fou.o to be the combined object. + +Acked-by: Stanislav Fomichev +Signed-off-by: Jakub Kicinski +Signed-off-by: Paolo Abeni +Stable-dep-of: 7a9bc9e3f423 ("fou: Don't allow 0 for FOU_ATTR_IPPROTO.") +Signed-off-by: Sasha Levin +--- + net/ipv4/Makefile | 1 + + net/ipv4/{fou.c => fou_core.c} | 0 + 2 files changed, 1 insertion(+) + rename net/ipv4/{fou.c => fou_core.c} (100%) + +diff --git a/net/ipv4/Makefile b/net/ipv4/Makefile +index bbdd9c44f14e3..e694a5e5b0302 100644 +--- a/net/ipv4/Makefile ++++ b/net/ipv4/Makefile +@@ -26,6 +26,7 @@ obj-$(CONFIG_IP_MROUTE) += ipmr.o + obj-$(CONFIG_IP_MROUTE_COMMON) += ipmr_base.o + obj-$(CONFIG_NET_IPIP) += ipip.o + gre-y := gre_demux.o ++fou-y := fou_core.o + obj-$(CONFIG_NET_FOU) += fou.o + obj-$(CONFIG_NET_IPGRE_DEMUX) += gre.o + obj-$(CONFIG_NET_IPGRE) += ip_gre.o +diff --git a/net/ipv4/fou.c b/net/ipv4/fou_core.c +similarity index 100% +rename from net/ipv4/fou.c +rename to net/ipv4/fou_core.c +-- +2.51.0 + diff --git a/queue-5.10/net-fou-use-policy-and-operation-tables-generated-fr.patch b/queue-5.10/net-fou-use-policy-and-operation-tables-generated-fr.patch new file mode 100644 index 0000000000..fb31632ea3 --- /dev/null +++ b/queue-5.10/net-fou-use-policy-and-operation-tables-generated-fr.patch @@ -0,0 +1,233 @@ +From 842646cdd658ed09c3abc73f7e6437514bed3b90 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jan 2023 09:50:40 -0800 +Subject: net: fou: use policy and operation tables generated from the spec + +From: Jakub Kicinski + +[ Upstream commit 1d562c32e4392cc091c940918ee1ffd7bfcb9e96 ] + +Generate and plug in the spec-based tables. + +A little bit of renaming is needed in the FOU code. + +Acked-by: Stanislav Fomichev +Signed-off-by: Jakub Kicinski +Signed-off-by: Paolo Abeni +Stable-dep-of: 7a9bc9e3f423 ("fou: Don't allow 0 for FOU_ATTR_IPPROTO.") +Signed-off-by: Sasha Levin +--- + net/ipv4/Makefile | 2 +- + net/ipv4/fou_core.c | 47 +++++++------------------------------------- + net/ipv4/fou_nl.c | 48 +++++++++++++++++++++++++++++++++++++++++++++ + net/ipv4/fou_nl.h | 25 +++++++++++++++++++++++ + 4 files changed, 81 insertions(+), 41 deletions(-) + create mode 100644 net/ipv4/fou_nl.c + create mode 100644 net/ipv4/fou_nl.h + +diff --git a/net/ipv4/Makefile b/net/ipv4/Makefile +index e694a5e5b0302..d1c8d4beb77d4 100644 +--- a/net/ipv4/Makefile ++++ b/net/ipv4/Makefile +@@ -26,7 +26,7 @@ obj-$(CONFIG_IP_MROUTE) += ipmr.o + obj-$(CONFIG_IP_MROUTE_COMMON) += ipmr_base.o + obj-$(CONFIG_NET_IPIP) += ipip.o + gre-y := gre_demux.o +-fou-y := fou_core.o ++fou-y := fou_core.o fou_nl.o + obj-$(CONFIG_NET_FOU) += fou.o + obj-$(CONFIG_NET_IPGRE_DEMUX) += gre.o + obj-$(CONFIG_NET_IPGRE) += ip_gre.o +diff --git a/net/ipv4/fou_core.c b/net/ipv4/fou_core.c +index e63aa6b52460c..118b48279da32 100644 +--- a/net/ipv4/fou_core.c ++++ b/net/ipv4/fou_core.c +@@ -19,6 +19,8 @@ + #include + #include + ++#include "fou_nl.h" ++ + struct fou { + struct socket *sock; + u8 protocol; +@@ -665,20 +667,6 @@ static int fou_destroy(struct net *net, struct fou_cfg *cfg) + + static struct genl_family fou_nl_family; + +-static const struct nla_policy fou_nl_policy[FOU_ATTR_MAX + 1] = { +- [FOU_ATTR_PORT] = { .type = NLA_U16, }, +- [FOU_ATTR_AF] = { .type = NLA_U8, }, +- [FOU_ATTR_IPPROTO] = { .type = NLA_U8, }, +- [FOU_ATTR_TYPE] = { .type = NLA_U8, }, +- [FOU_ATTR_REMCSUM_NOPARTIAL] = { .type = NLA_FLAG, }, +- [FOU_ATTR_LOCAL_V4] = { .type = NLA_U32, }, +- [FOU_ATTR_PEER_V4] = { .type = NLA_U32, }, +- [FOU_ATTR_LOCAL_V6] = { .len = sizeof(struct in6_addr), }, +- [FOU_ATTR_PEER_V6] = { .len = sizeof(struct in6_addr), }, +- [FOU_ATTR_PEER_PORT] = { .type = NLA_U16, }, +- [FOU_ATTR_IFINDEX] = { .type = NLA_S32, }, +-}; +- + static int parse_nl_config(struct genl_info *info, + struct fou_cfg *cfg) + { +@@ -770,7 +758,7 @@ static int parse_nl_config(struct genl_info *info, + return 0; + } + +-static int fou_nl_cmd_add_port(struct sk_buff *skb, struct genl_info *info) ++int fou_nl_add_doit(struct sk_buff *skb, struct genl_info *info) + { + struct net *net = genl_info_net(info); + struct fou_cfg cfg; +@@ -783,7 +771,7 @@ static int fou_nl_cmd_add_port(struct sk_buff *skb, struct genl_info *info) + return fou_create(net, &cfg, NULL); + } + +-static int fou_nl_cmd_rm_port(struct sk_buff *skb, struct genl_info *info) ++int fou_nl_del_doit(struct sk_buff *skb, struct genl_info *info) + { + struct net *net = genl_info_net(info); + struct fou_cfg cfg; +@@ -852,7 +840,7 @@ static int fou_dump_info(struct fou *fou, u32 portid, u32 seq, + return -EMSGSIZE; + } + +-static int fou_nl_cmd_get_port(struct sk_buff *skb, struct genl_info *info) ++int fou_nl_get_doit(struct sk_buff *skb, struct genl_info *info) + { + struct net *net = genl_info_net(info); + struct fou_net *fn = net_generic(net, fou_net_id); +@@ -899,7 +887,7 @@ static int fou_nl_cmd_get_port(struct sk_buff *skb, struct genl_info *info) + return ret; + } + +-static int fou_nl_dump(struct sk_buff *skb, struct netlink_callback *cb) ++int fou_nl_get_dumpit(struct sk_buff *skb, struct netlink_callback *cb) + { + struct net *net = sock_net(skb->sk); + struct fou_net *fn = net_generic(net, fou_net_id); +@@ -922,33 +910,12 @@ static int fou_nl_dump(struct sk_buff *skb, struct netlink_callback *cb) + return skb->len; + } + +-static const struct genl_small_ops fou_nl_ops[] = { +- { +- .cmd = FOU_CMD_ADD, +- .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +- .doit = fou_nl_cmd_add_port, +- .flags = GENL_ADMIN_PERM, +- }, +- { +- .cmd = FOU_CMD_DEL, +- .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +- .doit = fou_nl_cmd_rm_port, +- .flags = GENL_ADMIN_PERM, +- }, +- { +- .cmd = FOU_CMD_GET, +- .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +- .doit = fou_nl_cmd_get_port, +- .dumpit = fou_nl_dump, +- }, +-}; +- + static struct genl_family fou_nl_family __ro_after_init = { + .hdrsize = 0, + .name = FOU_GENL_NAME, + .version = FOU_GENL_VERSION, + .maxattr = FOU_ATTR_MAX, +- .policy = fou_nl_policy, ++ .policy = fou_nl_policy, + .netnsok = true, + .module = THIS_MODULE, + .small_ops = fou_nl_ops, +diff --git a/net/ipv4/fou_nl.c b/net/ipv4/fou_nl.c +new file mode 100644 +index 0000000000000..6c3820f41dd5d +--- /dev/null ++++ b/net/ipv4/fou_nl.c +@@ -0,0 +1,48 @@ ++// SPDX-License-Identifier: BSD-3-Clause ++/* Do not edit directly, auto-generated from: */ ++/* Documentation/netlink/specs/fou.yaml */ ++/* YNL-GEN kernel source */ ++ ++#include ++#include ++ ++#include "fou_nl.h" ++ ++#include ++ ++/* Global operation policy for fou */ ++const struct nla_policy fou_nl_policy[FOU_ATTR_IFINDEX + 1] = { ++ [FOU_ATTR_PORT] = { .type = NLA_U16, }, ++ [FOU_ATTR_AF] = { .type = NLA_U8, }, ++ [FOU_ATTR_IPPROTO] = { .type = NLA_U8, }, ++ [FOU_ATTR_TYPE] = { .type = NLA_U8, }, ++ [FOU_ATTR_REMCSUM_NOPARTIAL] = { .type = NLA_FLAG, }, ++ [FOU_ATTR_LOCAL_V4] = { .type = NLA_U32, }, ++ [FOU_ATTR_LOCAL_V6] = { .len = 16, }, ++ [FOU_ATTR_PEER_V4] = { .type = NLA_U32, }, ++ [FOU_ATTR_PEER_V6] = { .len = 16, }, ++ [FOU_ATTR_PEER_PORT] = { .type = NLA_U16, }, ++ [FOU_ATTR_IFINDEX] = { .type = NLA_S32, }, ++}; ++ ++/* Ops table for fou */ ++const struct genl_small_ops fou_nl_ops[3] = { ++ { ++ .cmd = FOU_CMD_ADD, ++ .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, ++ .doit = fou_nl_add_doit, ++ .flags = GENL_ADMIN_PERM, ++ }, ++ { ++ .cmd = FOU_CMD_DEL, ++ .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, ++ .doit = fou_nl_del_doit, ++ .flags = GENL_ADMIN_PERM, ++ }, ++ { ++ .cmd = FOU_CMD_GET, ++ .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, ++ .doit = fou_nl_get_doit, ++ .dumpit = fou_nl_get_dumpit, ++ }, ++}; +diff --git a/net/ipv4/fou_nl.h b/net/ipv4/fou_nl.h +new file mode 100644 +index 0000000000000..b7a68121ce6f7 +--- /dev/null ++++ b/net/ipv4/fou_nl.h +@@ -0,0 +1,25 @@ ++/* SPDX-License-Identifier: BSD-3-Clause */ ++/* Do not edit directly, auto-generated from: */ ++/* Documentation/netlink/specs/fou.yaml */ ++/* YNL-GEN kernel header */ ++ ++#ifndef _LINUX_FOU_GEN_H ++#define _LINUX_FOU_GEN_H ++ ++#include ++#include ++ ++#include ++ ++/* Global operation policy for fou */ ++extern const struct nla_policy fou_nl_policy[FOU_ATTR_IFINDEX + 1]; ++ ++/* Ops table for fou */ ++extern const struct genl_small_ops fou_nl_ops[3]; ++ ++int fou_nl_add_doit(struct sk_buff *skb, struct genl_info *info); ++int fou_nl_del_doit(struct sk_buff *skb, struct genl_info *info); ++int fou_nl_get_doit(struct sk_buff *skb, struct genl_info *info); ++int fou_nl_get_dumpit(struct sk_buff *skb, struct netlink_callback *cb); ++ ++#endif /* _LINUX_FOU_GEN_H */ +-- +2.51.0 + diff --git a/queue-5.10/net-sched-enforce-that-teql-can-only-be-used-as-root.patch b/queue-5.10/net-sched-enforce-that-teql-can-only-be-used-as-root.patch new file mode 100644 index 0000000000..41adb01d32 --- /dev/null +++ b/queue-5.10/net-sched-enforce-that-teql-can-only-be-used-as-root.patch @@ -0,0 +1,68 @@ +From 24f8bc818b3ed8d89530cf3019d5fa5ee3e5b949 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jan 2026 11:02:41 -0500 +Subject: net/sched: Enforce that teql can only be used as root qdisc +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jamal Hadi Salim + +[ Upstream commit 50da4b9d07a7a463e2cfb738f3ad4cff6b2c9c3b ] + +Design intent of teql is that it is only supposed to be used as root qdisc. +We need to check for that constraint. + +Although not important, I will describe the scenario that unearthed this +issue for the curious. + +GangMin Kim managed to concot a scenario as follows: + +ROOT qdisc 1:0 (QFQ) + ├── class 1:1 (weight=15, lmax=16384) netem with delay 6.4s + └── class 1:2 (weight=1, lmax=1514) teql + +GangMin sends a packet which is enqueued to 1:1 (netem). +Any invocation of dequeue by QFQ from this class will not return a packet +until after 6.4s. In the meantime, a second packet is sent and it lands on +1:2. teql's enqueue will return success and this will activate class 1:2. +Main issue is that teql only updates the parent visible qlen (sch->q.qlen) +at dequeue. Since QFQ will only call dequeue if peek succeeds (and teql's +peek always returns NULL), dequeue will never be called and thus the qlen +will remain as 0. With that in mind, when GangMin updates 1:2's lmax value, +the qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc's +qlen was not incremented, qfq fails to deactivate the class, but still +frees its pointers from the aggregate. So when the first packet is +rescheduled after 6.4 seconds (netem's delay), a dangling pointer is +accessed causing GangMin's causing a UAF. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: GangMin Kim +Tested-by: Victor Nogueira +Signed-off-by: Jamal Hadi Salim +Link: https://patch.msgid.link/20260114160243.913069-2-jhs@mojatatu.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_teql.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/sched/sch_teql.c b/net/sched/sch_teql.c +index 79aaab51cbf5c..e9dfa140799c3 100644 +--- a/net/sched/sch_teql.c ++++ b/net/sched/sch_teql.c +@@ -178,6 +178,11 @@ static int teql_qdisc_init(struct Qdisc *sch, struct nlattr *opt, + if (m->dev == dev) + return -ELOOP; + ++ if (sch->parent != TC_H_ROOT) { ++ NL_SET_ERR_MSG_MOD(extack, "teql can only be used as root"); ++ return -EOPNOTSUPP; ++ } ++ + q->m = m; + + skb_queue_head_init(&q->q); +-- +2.51.0 + diff --git a/queue-5.10/net-sched-qfq-use-cl_is_active-to-determine-whether-.patch b/queue-5.10/net-sched-qfq-use-cl_is_active-to-determine-whether-.patch new file mode 100644 index 0000000000..34d71a1960 --- /dev/null +++ b/queue-5.10/net-sched-qfq-use-cl_is_active-to-determine-whether-.patch @@ -0,0 +1,40 @@ +From f0aabf644ca49c9bb1ac0763cd34abb72c85b390 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jan 2026 11:02:42 -0500 +Subject: net/sched: qfq: Use cl_is_active to determine whether class is active + in qfq_rm_from_ag + +From: Jamal Hadi Salim + +[ Upstream commit d837fbee92453fbb829f950c8e7cf76207d73f33 ] + +This is more of a preventive patch to make the code more consistent and +to prevent possible exploits that employ child qlen manipulations on qfq. +use cl_is_active instead of relying on the child qdisc's qlen to determine +class activation. + +Fixes: 462dbc9101acd ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost") +Signed-off-by: Jamal Hadi Salim +Link: https://patch.msgid.link/20260114160243.913069-3-jhs@mojatatu.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_qfq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c +index 9751de2d95e78..1c38447b456a7 100644 +--- a/net/sched/sch_qfq.c ++++ b/net/sched/sch_qfq.c +@@ -375,7 +375,7 @@ static void qfq_rm_from_agg(struct qfq_sched *q, struct qfq_class *cl) + /* Deschedule class and remove it from its parent aggregate. */ + static void qfq_deact_rm_from_agg(struct qfq_sched *q, struct qfq_class *cl) + { +- if (cl->qdisc->q.qlen > 0) /* class is active */ ++ if (cl_is_active(cl)) /* class is active */ + qfq_deactivate_class(q, cl); + + qfq_rm_from_agg(q, cl); +-- +2.51.0 + diff --git a/queue-5.10/net-usb-dm9601-remove-broken-sr9700-support.patch b/queue-5.10/net-usb-dm9601-remove-broken-sr9700-support.patch new file mode 100644 index 0000000000..63f1c7e7ef --- /dev/null +++ b/queue-5.10/net-usb-dm9601-remove-broken-sr9700-support.patch @@ -0,0 +1,53 @@ +From 0ffa9d03c9109d17524f79bfd28061b5298023a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 22:39:24 -0800 +Subject: net: usb: dm9601: remove broken SR9700 support + +From: Ethan Nelson-Moore + +[ Upstream commit 7d7dbafefbe74f5a25efc4807af093b857a7612e ] + +The SR9700 chip sends more than one packet in a USB transaction, +like the DM962x chips can optionally do, but the dm9601 driver does not +support this mode, and the hardware does not have the DM962x +MODE_CTL register to disable it, so this driver drops packets on SR9700 +devices. The sr9700 driver correctly handles receiving more than one +packet per transaction. + +While the dm9601 driver could be improved to handle this, the easiest +way to fix this issue in the short term is to remove the SR9700 device +ID from the dm9601 driver so the sr9700 driver is always used. This +device ID should not have been in more than one driver to begin with. + +The "Fixes" commit was chosen so that the patch is automatically +included in all kernels that have the sr9700 driver, even though the +issue affects dm9601. + +Fixes: c9b37458e956 ("USB2NET : SR9700 : One chip USB 1.1 USB2NET SR9700Device Driver Support") +Signed-off-by: Ethan Nelson-Moore +Acked-by: Peter Korsgaard +Link: https://patch.msgid.link/20260113063924.74464-1-enelsonmoore@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/dm9601.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/net/usb/dm9601.c b/drivers/net/usb/dm9601.c +index 9b7db5fd9e08f..287d54ada4714 100644 +--- a/drivers/net/usb/dm9601.c ++++ b/drivers/net/usb/dm9601.c +@@ -602,10 +602,6 @@ static const struct usb_device_id products[] = { + USB_DEVICE(0x0fe6, 0x8101), /* DM9601 USB to Fast Ethernet Adapter */ + .driver_info = (unsigned long)&dm9601_info, + }, +- { +- USB_DEVICE(0x0fe6, 0x9700), /* DM9601 USB to Fast Ethernet Adapter */ +- .driver_info = (unsigned long)&dm9601_info, +- }, + { + USB_DEVICE(0x0a46, 0x9000), /* DM9000E */ + .driver_info = (unsigned long)&dm9601_info, +-- +2.51.0 + diff --git a/queue-5.10/netlink-add-a-proto-specification-for-fou.patch b/queue-5.10/netlink-add-a-proto-specification-for-fou.patch new file mode 100644 index 0000000000..c9eaba4060 --- /dev/null +++ b/queue-5.10/netlink-add-a-proto-specification-for-fou.patch @@ -0,0 +1,158 @@ +From 5c771e1621ba0541032a994eed0276384f0b5fc1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jan 2023 09:50:37 -0800 +Subject: netlink: add a proto specification for FOU + +From: Jakub Kicinski + +[ Upstream commit 4eb77b4ecd3c5eaab83adf76e67e0a7ed2a24418 ] + +FOU has a reasonably modern Genetlink family. Add a spec. + +Acked-by: Stanislav Fomichev +Signed-off-by: Jakub Kicinski +Signed-off-by: Paolo Abeni +Stable-dep-of: 7a9bc9e3f423 ("fou: Don't allow 0 for FOU_ATTR_IPPROTO.") +Signed-off-by: Sasha Levin +--- + Documentation/netlink/specs/fou.yaml | 128 +++++++++++++++++++++++++++ + 1 file changed, 128 insertions(+) + create mode 100644 Documentation/netlink/specs/fou.yaml + +diff --git a/Documentation/netlink/specs/fou.yaml b/Documentation/netlink/specs/fou.yaml +new file mode 100644 +index 0000000000000..266c386eedf3a +--- /dev/null ++++ b/Documentation/netlink/specs/fou.yaml +@@ -0,0 +1,128 @@ ++name: fou ++ ++protocol: genetlink-legacy ++ ++doc: | ++ Foo-over-UDP. ++ ++c-family-name: fou-genl-name ++c-version-name: fou-genl-version ++max-by-define: true ++kernel-policy: global ++ ++definitions: ++ - ++ type: enum ++ name: encap_type ++ name-prefix: fou-encap- ++ enum-name: ++ entries: [ unspec, direct, gue ] ++ ++attribute-sets: ++ - ++ name: fou ++ name-prefix: fou-attr- ++ attributes: ++ - ++ name: unspec ++ type: unused ++ - ++ name: port ++ type: u16 ++ byte-order: big-endian ++ - ++ name: af ++ type: u8 ++ - ++ name: ipproto ++ type: u8 ++ - ++ name: type ++ type: u8 ++ - ++ name: remcsum_nopartial ++ type: flag ++ - ++ name: local_v4 ++ type: u32 ++ - ++ name: local_v6 ++ type: binary ++ checks: ++ min-len: 16 ++ - ++ name: peer_v4 ++ type: u32 ++ - ++ name: peer_v6 ++ type: binary ++ checks: ++ min-len: 16 ++ - ++ name: peer_port ++ type: u16 ++ byte-order: big-endian ++ - ++ name: ifindex ++ type: s32 ++ ++operations: ++ list: ++ - ++ name: unspec ++ doc: unused ++ ++ - ++ name: add ++ doc: Add port. ++ attribute-set: fou ++ ++ dont-validate: [ strict, dump ] ++ flags: [ admin-perm ] ++ ++ do: ++ request: &all_attrs ++ attributes: ++ - port ++ - ipproto ++ - type ++ - remcsum_nopartial ++ - local_v4 ++ - peer_v4 ++ - local_v6 ++ - peer_v6 ++ - peer_port ++ - ifindex ++ ++ - ++ name: del ++ doc: Delete port. ++ attribute-set: fou ++ ++ dont-validate: [ strict, dump ] ++ flags: [ admin-perm ] ++ ++ do: ++ request: &select_attrs ++ attributes: ++ - af ++ - ifindex ++ - port ++ - peer_port ++ - local_v4 ++ - peer_v4 ++ - local_v6 ++ - peer_v6 ++ ++ - ++ name: get ++ doc: Get tunnel info. ++ attribute-set: fou ++ dont-validate: [ strict, dump ] ++ ++ do: ++ request: *select_attrs ++ reply: *all_attrs ++ ++ dump: ++ reply: *all_attrs +-- +2.51.0 + diff --git a/queue-5.10/sctp-move-sctp_cmd_assoc_shkey-right-after-sctp_cmd_.patch b/queue-5.10/sctp-move-sctp_cmd_assoc_shkey-right-after-sctp_cmd_.patch new file mode 100644 index 0000000000..040f0dfd51 --- /dev/null +++ b/queue-5.10/sctp-move-sctp_cmd_assoc_shkey-right-after-sctp_cmd_.patch @@ -0,0 +1,101 @@ +From 9f136eb06987683f7741a332c42ca361e861fc50 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 12:10:26 -0500 +Subject: sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT + +From: Xin Long + +[ Upstream commit a80c9d945aef55b23b54838334345f20251dad83 ] + +A null-ptr-deref was reported in the SCTP transmit path when SCTP-AUTH key +initialization fails: + + ================================================================== + KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f] + CPU: 0 PID: 16 Comm: ksoftirqd/0 Tainted: G W 6.6.0 #2 + RIP: 0010:sctp_packet_bundle_auth net/sctp/output.c:264 [inline] + RIP: 0010:sctp_packet_append_chunk+0xb36/0x1260 net/sctp/output.c:401 + Call Trace: + + sctp_packet_transmit_chunk+0x31/0x250 net/sctp/output.c:189 + sctp_outq_flush_data+0xa29/0x26d0 net/sctp/outqueue.c:1111 + sctp_outq_flush+0xc80/0x1240 net/sctp/outqueue.c:1217 + sctp_cmd_interpreter.isra.0+0x19a5/0x62c0 net/sctp/sm_sideeffect.c:1787 + sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline] + sctp_do_sm+0x1a3/0x670 net/sctp/sm_sideeffect.c:1169 + sctp_assoc_bh_rcv+0x33e/0x640 net/sctp/associola.c:1052 + sctp_inq_push+0x1dd/0x280 net/sctp/inqueue.c:88 + sctp_rcv+0x11ae/0x3100 net/sctp/input.c:243 + sctp6_rcv+0x3d/0x60 net/sctp/ipv6.c:1127 + +The issue is triggered when sctp_auth_asoc_init_active_key() fails in +sctp_sf_do_5_1C_ack() while processing an INIT_ACK. In this case, the +command sequence is currently: + +- SCTP_CMD_PEER_INIT +- SCTP_CMD_TIMER_STOP (T1_INIT) +- SCTP_CMD_TIMER_START (T1_COOKIE) +- SCTP_CMD_NEW_STATE (COOKIE_ECHOED) +- SCTP_CMD_ASSOC_SHKEY +- SCTP_CMD_GEN_COOKIE_ECHO + +If SCTP_CMD_ASSOC_SHKEY fails, asoc->shkey remains NULL, while +asoc->peer.auth_capable and asoc->peer.peer_chunks have already been set by +SCTP_CMD_PEER_INIT. This allows a DATA chunk with auth = 1 and shkey = NULL +to be queued by sctp_datamsg_from_user(). + +Since command interpretation stops on failure, no COOKIE_ECHO should been +sent via SCTP_CMD_GEN_COOKIE_ECHO. However, the T1_COOKIE timer has already +been started, and it may enqueue a COOKIE_ECHO into the outqueue later. As +a result, the DATA chunk can be transmitted together with the COOKIE_ECHO +in sctp_outq_flush_data(), leading to the observed issue. + +Similar to the other places where it calls sctp_auth_asoc_init_active_key() +right after sctp_process_init(), this patch moves the SCTP_CMD_ASSOC_SHKEY +immediately after SCTP_CMD_PEER_INIT, before stopping T1_INIT and starting +T1_COOKIE. This ensures that if shared key generation fails, authenticated +DATA cannot be sent. It also allows the T1_INIT timer to retransmit INIT, +giving the client another chance to process INIT_ACK and retry key setup. + +Fixes: 730fc3d05cd4 ("[SCTP]: Implete SCTP-AUTH parameter processing") +Reported-by: Zhen Chen +Tested-by: Zhen Chen +Signed-off-by: Xin Long +Link: https://patch.msgid.link/44881224b375aa8853f5e19b4055a1a56d895813.1768324226.git.lucien.xin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/sm_statefuns.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c +index 9a0ba3747711c..c91f712ce1fab 100644 +--- a/net/sctp/sm_statefuns.c ++++ b/net/sctp/sm_statefuns.c +@@ -594,6 +594,11 @@ enum sctp_disposition sctp_sf_do_5_1C_ack(struct net *net, + sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT, + SCTP_PEER_INIT(initchunk)); + ++ /* SCTP-AUTH: generate the association shared keys so that ++ * we can potentially sign the COOKIE-ECHO. ++ */ ++ sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL()); ++ + /* Reset init error count upon receipt of INIT-ACK. */ + sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); + +@@ -608,11 +613,6 @@ enum sctp_disposition sctp_sf_do_5_1C_ack(struct net *net, + sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, + SCTP_STATE(SCTP_STATE_COOKIE_ECHOED)); + +- /* SCTP-AUTH: generate the association shared keys so that +- * we can potentially sign the COOKIE-ECHO. +- */ +- sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL()); +- + /* 5.1 C) "A" shall then send the State Cookie received in the + * INIT ACK chunk in a COOKIE ECHO chunk, ... + */ +-- +2.51.0 + diff --git a/queue-5.10/sctp-sm_statefuns-fix-spelling-mistakes.patch b/queue-5.10/sctp-sm_statefuns-fix-spelling-mistakes.patch new file mode 100644 index 0000000000..9858cd99db --- /dev/null +++ b/queue-5.10/sctp-sm_statefuns-fix-spelling-mistakes.patch @@ -0,0 +1,172 @@ +From 65df3158095ca251aa302e420003efe0c0d92b18 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Jun 2021 10:08:01 +0800 +Subject: sctp: sm_statefuns: Fix spelling mistakes + +From: Zheng Yongjun + +[ Upstream commit 0c2c366e0ec55533decb00d0f1ea1cbc42247e7b ] + +Fix some spelling mistakes in comments: +genereate ==> generate +correclty ==> correctly +boundries ==> boundaries +failes ==> fails +isses ==> issues +assocition ==> association +signe ==> sign +assocaition ==> association +managemement ==> management +restransmissions ==> retransmission +sideffect ==> sideeffect +bomming ==> booming +chukns ==> chunks +SHUDOWN ==> SHUTDOWN +violationg ==> violating +explcitly ==> explicitly +CHunk ==> Chunk + +Signed-off-by: Zheng Yongjun +Link: https://lore.kernel.org/r/20210601020801.3625358-1-zhengyongjun3@huawei.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: a80c9d945aef ("sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT") +Signed-off-by: Sasha Levin +--- + net/sctp/sm_statefuns.c | 30 +++++++++++++++--------------- + 1 file changed, 15 insertions(+), 15 deletions(-) + +diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c +index 29b879bf86975..9a0ba3747711c 100644 +--- a/net/sctp/sm_statefuns.c ++++ b/net/sctp/sm_statefuns.c +@@ -361,7 +361,7 @@ enum sctp_disposition sctp_sf_do_5_1B_init(struct net *net, + + /* If the INIT is coming toward a closing socket, we'll send back + * and ABORT. Essentially, this catches the race of INIT being +- * backloged to the socket at the same time as the user isses close(). ++ * backloged to the socket at the same time as the user issues close(). + * Since the socket and all its associations are going away, we + * can treat this OOTB + */ +@@ -608,8 +608,8 @@ enum sctp_disposition sctp_sf_do_5_1C_ack(struct net *net, + sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, + SCTP_STATE(SCTP_STATE_COOKIE_ECHOED)); + +- /* SCTP-AUTH: genereate the assocition shared keys so that +- * we can potentially signe the COOKIE-ECHO. ++ /* SCTP-AUTH: generate the association shared keys so that ++ * we can potentially sign the COOKIE-ECHO. + */ + sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL()); + +@@ -791,7 +791,7 @@ enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net, + goto nomem_init; + + /* SCTP-AUTH: Now that we've populate required fields in +- * sctp_process_init, set up the assocaition shared keys as ++ * sctp_process_init, set up the association shared keys as + * necessary so that we can potentially authenticate the ACK + */ + error = sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC); +@@ -842,7 +842,7 @@ enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net, + + /* Add all the state machine commands now since we've created + * everything. This way we don't introduce memory corruptions +- * during side-effect processing and correclty count established ++ * during side-effect processing and correctly count established + * associations. + */ + sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc)); +@@ -928,7 +928,7 @@ enum sctp_disposition sctp_sf_do_5_1E_ca(struct net *net, + commands); + + /* Reset init error count upon receipt of COOKIE-ACK, +- * to avoid problems with the managemement of this ++ * to avoid problems with the management of this + * counter in stale cookie situations when a transition back + * from the COOKIE-ECHOED state to the COOKIE-WAIT + * state is performed. +@@ -2935,7 +2935,7 @@ __sctp_sf_do_9_2_reshutack(struct net *net, const struct sctp_endpoint *ep, + commands); + + /* Since we are not going to really process this INIT, there +- * is no point in verifying chunk boundries. Just generate ++ * is no point in verifying chunk boundaries. Just generate + * the SHUTDOWN ACK. + */ + reply = sctp_make_shutdown_ack(asoc, chunk); +@@ -3526,7 +3526,7 @@ enum sctp_disposition sctp_sf_do_9_2_final(struct net *net, + goto nomem_chunk; + + /* Do all the commands now (after allocation), so that we +- * have consistent state if memory allocation failes ++ * have consistent state if memory allocation fails + */ + sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); + +@@ -3710,7 +3710,7 @@ static enum sctp_disposition sctp_sf_shut_8_4_5( + SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); + + /* We need to discard the rest of the packet to prevent +- * potential bomming attacks from additional bundled chunks. ++ * potential boomming attacks from additional bundled chunks. + * This is documented in SCTP Threats ID. + */ + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); +@@ -4221,7 +4221,7 @@ enum sctp_disposition sctp_sf_eat_fwd_tsn_fast( + } + + /* +- * SCTP-AUTH Section 6.3 Receiving authenticated chukns ++ * SCTP-AUTH Section 6.3 Receiving authenticated chunks + * + * The receiver MUST use the HMAC algorithm indicated in the HMAC + * Identifier field. If this algorithm was not specified by the +@@ -4782,7 +4782,7 @@ static enum sctp_disposition sctp_sf_violation_ctsn( + + /* Handle protocol violation of an invalid chunk bundling. For example, + * when we have an association and we receive bundled INIT-ACK, or +- * SHUDOWN-COMPLETE, our peer is clearly violationg the "MUST NOT bundle" ++ * SHUTDOWN-COMPLETE, our peer is clearly violating the "MUST NOT bundle" + * statement from the specs. Additionally, there might be an attacker + * on the path and we may not want to continue this communication. + */ +@@ -5178,7 +5178,7 @@ enum sctp_disposition sctp_sf_cookie_wait_prm_shutdown( + * Inputs + * (endpoint, asoc) + * +- * The RFC does not explcitly address this issue, but is the route through the ++ * The RFC does not explicitly address this issue, but is the route through the + * state table when someone issues a shutdown while in COOKIE_ECHOED state. + * + * Outputs +@@ -5902,7 +5902,7 @@ enum sctp_disposition sctp_sf_t1_cookie_timer_expire( + /* RFC2960 9.2 If the timer expires, the endpoint must re-send the SHUTDOWN + * with the updated last sequential TSN received from its peer. + * +- * An endpoint should limit the number of retransmissions of the ++ * An endpoint should limit the number of retransmission of the + * SHUTDOWN chunk to the protocol parameter 'Association.Max.Retrans'. + * If this threshold is exceeded the endpoint should destroy the TCB and + * MUST report the peer endpoint unreachable to the upper layer (and +@@ -5980,7 +5980,7 @@ enum sctp_disposition sctp_sf_t2_timer_expire( + } + + /* +- * ADDIP Section 4.1 ASCONF CHunk Procedures ++ * ADDIP Section 4.1 ASCONF Chunk Procedures + * If the T4 RTO timer expires the endpoint should do B1 to B5 + */ + enum sctp_disposition sctp_sf_t4_timer_expire( +@@ -6410,7 +6410,7 @@ static int sctp_eat_data(const struct sctp_association *asoc, + chunk->ecn_ce_done = 1; + + if (af->is_ce(sctp_gso_headskb(chunk->skb))) { +- /* Do real work as sideffect. */ ++ /* Do real work as side effect. */ + sctp_add_cmd_sf(commands, SCTP_CMD_ECN_CE, + SCTP_U32(tsn)); + } +-- +2.51.0 + diff --git a/queue-5.10/selftests-net-convert-fib-onlink-tests.sh-to-run-it-.patch b/queue-5.10/selftests-net-convert-fib-onlink-tests.sh-to-run-it-.patch new file mode 100644 index 0000000000..d34ef24468 --- /dev/null +++ b/queue-5.10/selftests-net-convert-fib-onlink-tests.sh-to-run-it-.patch @@ -0,0 +1,84 @@ +From 40fe487e8b4f535a68ccc96dea8f4688c8f61ed4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Dec 2023 14:08:53 +0800 +Subject: selftests/net: convert fib-onlink-tests.sh to run it in unique + namespace + +From: Hangbin Liu + +[ Upstream commit 3a06833b2adc0a902f2469ad4ce41ccd64f1f3ab ] + +Remove PEER_CMD, which is not used in this test + +Here is the test result after conversion. + + ]# ./fib-onlink-tests.sh + Error: ipv4: FIB table does not exist. + Flush terminated + Error: ipv6: FIB table does not exist. + Flush terminated + + ######################################## + Configuring interfaces + + ... + + TEST: Gateway resolves to wrong nexthop device - VRF [ OK ] + + Tests passed: 38 + Tests failed: 0 + +Acked-by: David Ahern +Signed-off-by: Hangbin Liu +Link: https://lore.kernel.org/r/20231213060856.4030084-11-liuhangbin@gmail.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: 4f5f148dd7c0 ("selftests: net: fib-onlink-tests: Convert to use namespaces by default") +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/fib-onlink-tests.sh | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/tools/testing/selftests/net/fib-onlink-tests.sh b/tools/testing/selftests/net/fib-onlink-tests.sh +index c287b90b8af80..ec2d6ceb1f08d 100755 +--- a/tools/testing/selftests/net/fib-onlink-tests.sh ++++ b/tools/testing/selftests/net/fib-onlink-tests.sh +@@ -3,6 +3,7 @@ + + # IPv4 and IPv6 onlink tests + ++source lib.sh + PAUSE_ON_FAIL=${PAUSE_ON_FAIL:=no} + VERBOSE=0 + +@@ -74,9 +75,6 @@ TEST_NET4IN6[2]=10.2.1.254 + # mcast address + MCAST6=ff02::1 + +- +-PEER_NS=bart +-PEER_CMD="ip netns exec ${PEER_NS}" + VRF=lisa + VRF_TABLE=1101 + PBR_TABLE=101 +@@ -176,8 +174,7 @@ setup() + set -e + + # create namespace +- ip netns add ${PEER_NS} +- ip -netns ${PEER_NS} li set lo up ++ setup_ns PEER_NS + + # add vrf table + ip li add ${VRF} type vrf table ${VRF_TABLE} +@@ -219,7 +216,7 @@ setup() + cleanup() + { + # make sure we start from a clean slate +- ip netns del ${PEER_NS} 2>/dev/null ++ cleanup_ns ${PEER_NS} 2>/dev/null + for n in 1 3 5 7; do + ip link del ${NETIFS[p${n}]} 2>/dev/null + done +-- +2.51.0 + diff --git a/queue-5.10/selftests-net-fib-onlink-tests-convert-to-use-namesp.patch b/queue-5.10/selftests-net-fib-onlink-tests-convert-to-use-namesp.patch new file mode 100644 index 0000000000..8d271bdb84 --- /dev/null +++ b/queue-5.10/selftests-net-fib-onlink-tests-convert-to-use-namesp.patch @@ -0,0 +1,185 @@ +From c2a286b60cf757072288d6549a41900ba89ad47d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 12:37:44 -0300 +Subject: selftests: net: fib-onlink-tests: Convert to use namespaces by + default +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ricardo B. Marlière + +[ Upstream commit 4f5f148dd7c0459229d2ab9a769b2e820f9ee6a2 ] + +Currently, the test breaks if the SUT already has a default route +configured for IPv6. Fix by avoiding the use of the default namespace. + +Fixes: 4ed591c8ab44 ("net/ipv6: Allow onlink routes to have a device mismatch if it is the default route") +Suggested-by: Fernando Fernandez Mancera +Signed-off-by: Ricardo B. Marlière +Reviewed-by: Ido Schimmel +Reviewed-by: Fernando Fernandez Mancera +Link: https://patch.msgid.link/20260113-selftests-net-fib-onlink-v2-1-89de2b931389@suse.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../testing/selftests/net/fib-onlink-tests.sh | 71 ++++++++----------- + 1 file changed, 30 insertions(+), 41 deletions(-) + +diff --git a/tools/testing/selftests/net/fib-onlink-tests.sh b/tools/testing/selftests/net/fib-onlink-tests.sh +index ec2d6ceb1f08d..c01be076b210d 100755 +--- a/tools/testing/selftests/net/fib-onlink-tests.sh ++++ b/tools/testing/selftests/net/fib-onlink-tests.sh +@@ -120,7 +120,7 @@ log_subsection() + + run_cmd() + { +- local cmd="$*" ++ local cmd="$1" + local out + local rc + +@@ -145,7 +145,7 @@ get_linklocal() + local pfx + local addr + +- addr=$(${pfx} ip -6 -br addr show dev ${dev} | \ ++ addr=$(${pfx} ${IP} -6 -br addr show dev ${dev} | \ + awk '{ + for (i = 3; i <= NF; ++i) { + if ($i ~ /^fe80/) +@@ -173,58 +173,48 @@ setup() + + set -e + +- # create namespace +- setup_ns PEER_NS ++ # create namespaces ++ setup_ns ns1 ++ IP="ip -netns $ns1" ++ setup_ns ns2 + + # add vrf table +- ip li add ${VRF} type vrf table ${VRF_TABLE} +- ip li set ${VRF} up +- ip ro add table ${VRF_TABLE} unreachable default metric 8192 +- ip -6 ro add table ${VRF_TABLE} unreachable default metric 8192 ++ ${IP} li add ${VRF} type vrf table ${VRF_TABLE} ++ ${IP} li set ${VRF} up ++ ${IP} ro add table ${VRF_TABLE} unreachable default metric 8192 ++ ${IP} -6 ro add table ${VRF_TABLE} unreachable default metric 8192 + + # create test interfaces +- ip li add ${NETIFS[p1]} type veth peer name ${NETIFS[p2]} +- ip li add ${NETIFS[p3]} type veth peer name ${NETIFS[p4]} +- ip li add ${NETIFS[p5]} type veth peer name ${NETIFS[p6]} +- ip li add ${NETIFS[p7]} type veth peer name ${NETIFS[p8]} ++ ${IP} li add ${NETIFS[p1]} type veth peer name ${NETIFS[p2]} ++ ${IP} li add ${NETIFS[p3]} type veth peer name ${NETIFS[p4]} ++ ${IP} li add ${NETIFS[p5]} type veth peer name ${NETIFS[p6]} ++ ${IP} li add ${NETIFS[p7]} type veth peer name ${NETIFS[p8]} + + # enslave vrf interfaces + for n in 5 7; do +- ip li set ${NETIFS[p${n}]} vrf ${VRF} ++ ${IP} li set ${NETIFS[p${n}]} vrf ${VRF} + done + + # add addresses + for n in 1 3 5 7; do +- ip li set ${NETIFS[p${n}]} up +- ip addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]} +- ip addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad ++ ${IP} li set ${NETIFS[p${n}]} up ++ ${IP} addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]} ++ ${IP} addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad + done + + # move peer interfaces to namespace and add addresses + for n in 2 4 6 8; do +- ip li set ${NETIFS[p${n}]} netns ${PEER_NS} up +- ip -netns ${PEER_NS} addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]} +- ip -netns ${PEER_NS} addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad ++ ${IP} li set ${NETIFS[p${n}]} netns ${ns2} up ++ ip -netns $ns2 addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]} ++ ip -netns $ns2 addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad + done + +- ip -6 ro add default via ${V6ADDRS[p3]/::[0-9]/::64} +- ip -6 ro add table ${VRF_TABLE} default via ${V6ADDRS[p7]/::[0-9]/::64} ++ ${IP} -6 ro add default via ${V6ADDRS[p3]/::[0-9]/::64} ++ ${IP} -6 ro add table ${VRF_TABLE} default via ${V6ADDRS[p7]/::[0-9]/::64} + + set +e + } + +-cleanup() +-{ +- # make sure we start from a clean slate +- cleanup_ns ${PEER_NS} 2>/dev/null +- for n in 1 3 5 7; do +- ip link del ${NETIFS[p${n}]} 2>/dev/null +- done +- ip link del ${VRF} 2>/dev/null +- ip ro flush table ${VRF_TABLE} +- ip -6 ro flush table ${VRF_TABLE} +-} +- + ################################################################################ + # IPv4 tests + # +@@ -241,7 +231,7 @@ run_ip() + # dev arg may be empty + [ -n "${dev}" ] && dev="dev ${dev}" + +- run_cmd ip ro add table "${table}" "${prefix}"/32 via "${gw}" "${dev}" onlink ++ run_cmd "${IP} ro add table ${table} ${prefix}/32 via ${gw} ${dev} onlink" + log_test $? ${exp_rc} "${desc}" + } + +@@ -257,8 +247,8 @@ run_ip_mpath() + # dev arg may be empty + [ -n "${dev}" ] && dev="dev ${dev}" + +- run_cmd ip ro add table "${table}" "${prefix}"/32 \ +- nexthop via ${nh1} nexthop via ${nh2} ++ run_cmd "${IP} ro add table ${table} ${prefix}/32 \ ++ nexthop via ${nh1} nexthop via ${nh2}" + log_test $? ${exp_rc} "${desc}" + } + +@@ -339,7 +329,7 @@ run_ip6() + # dev arg may be empty + [ -n "${dev}" ] && dev="dev ${dev}" + +- run_cmd ip -6 ro add table "${table}" "${prefix}"/128 via "${gw}" "${dev}" onlink ++ run_cmd "${IP} -6 ro add table ${table} ${prefix}/128 via ${gw} ${dev} onlink" + log_test $? ${exp_rc} "${desc}" + } + +@@ -353,8 +343,8 @@ run_ip6_mpath() + local exp_rc="$6" + local desc="$7" + +- run_cmd ip -6 ro add table "${table}" "${prefix}"/128 "${opts}" \ +- nexthop via ${nh1} nexthop via ${nh2} ++ run_cmd "${IP} -6 ro add table ${table} ${prefix}/128 ${opts} \ ++ nexthop via ${nh1} nexthop via ${nh2}" + log_test $? ${exp_rc} "${desc}" + } + +@@ -491,10 +481,9 @@ do + esac + done + +-cleanup + setup + run_onlink_tests +-cleanup ++cleanup_ns ${ns1} ${ns2} + + if [ "$TESTS" != "none" ]; then + printf "\nTests passed: %3d\n" ${nsuccess} +-- +2.51.0 + diff --git a/queue-5.10/series b/queue-5.10/series index 12f5e063c3..2f345fec4b 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -46,3 +46,19 @@ posix-clock-introduce-posix_clock_context-concept.patch fix-memory-leak-in-posix_clock_open.patch posix-clock-store-file-pointer-in-struct-posix_clock.patch ptp-add-phc-file-mode-checks.-allow-ro-adjtime-witho.patch +net-usb-dm9601-remove-broken-sr9700-support.patch +selftests-net-convert-fib-onlink-tests.sh-to-run-it-.patch +selftests-net-fib-onlink-tests-convert-to-use-namesp.patch +sctp-sm_statefuns-fix-spelling-mistakes.patch +sctp-move-sctp_cmd_assoc_shkey-right-after-sctp_cmd_.patch +amd-xgbe-avoid-misleading-per-packet-error-log.patch +gue-fix-skb-memleak-with-inner-ip-protocol-0.patch +netlink-add-a-proto-specification-for-fou.patch +net-fou-rename-the-source-for-linking.patch +net-fou-use-policy-and-operation-tables-generated-fr.patch +fou-don-t-allow-0-for-fou_attr_ipproto.patch +l2tp-avoid-one-data-race-in-l2tp_tunnel_del_work.patch +ipvlan-make-the-addrs_lock-be-per-port.patch +net-sched-enforce-that-teql-can-only-be-used-as-root.patch +net-sched-qfq-use-cl_is_active-to-determine-whether-.patch +crypto-authencesn-reject-too-short-aad-assoclen-8-to.patch diff --git a/queue-5.15/amd-xgbe-avoid-misleading-per-packet-error-log.patch b/queue-5.15/amd-xgbe-avoid-misleading-per-packet-error-log.patch new file mode 100644 index 0000000000..6073d1f07f --- /dev/null +++ b/queue-5.15/amd-xgbe-avoid-misleading-per-packet-error-log.patch @@ -0,0 +1,49 @@ +From 24d1eed1b4fa797893dcfe4faccc4830e4bfaa6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jan 2026 22:00:37 +0530 +Subject: amd-xgbe: avoid misleading per-packet error log + +From: Raju Rangoju + +[ Upstream commit c158f985cf6c2c36c99c4f67af2ff3f5ebe09f8f ] + +On the receive path, packet can be damaged because of buffer +overflow in Rx FIFO. Avoid misleading per-packet error log when +packet->errors is set, this can flood the log. Instead, rely on the +standard rtnl_link_stats64 stats. + +Fixes: c5aa9e3b8156 ("amd-xgbe: Initial AMD 10GbE platform driver") +Signed-off-by: Raju Rangoju +Link: https://patch.msgid.link/20260114163037.2062606-1-Raju.Rangoju@amd.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c +index 32397517807b0..00312543f2267 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c +@@ -2112,7 +2112,7 @@ static void xgbe_get_stats64(struct net_device *netdev, + s->multicast = pstats->rxmulticastframes_g; + s->rx_length_errors = pstats->rxlengtherror; + s->rx_crc_errors = pstats->rxcrcerror; +- s->rx_fifo_errors = pstats->rxfifooverflow; ++ s->rx_over_errors = pstats->rxfifooverflow; + + s->tx_packets = pstats->txframecount_gb; + s->tx_bytes = pstats->txoctetcount_gb; +@@ -2566,9 +2566,6 @@ static int xgbe_rx_poll(struct xgbe_channel *channel, int budget) + goto read_again; + + if (error || packet->errors) { +- if (packet->errors) +- netif_err(pdata, rx_err, netdev, +- "error in received packet\n"); + dev_kfree_skb(skb); + goto next_packet; + } +-- +2.51.0 + diff --git a/queue-5.15/bonding-limit-bond_mode_8023ad-to-ethernet-devices.patch b/queue-5.15/bonding-limit-bond_mode_8023ad-to-ethernet-devices.patch new file mode 100644 index 0000000000..89c71adcf4 --- /dev/null +++ b/queue-5.15/bonding-limit-bond_mode_8023ad-to-ethernet-devices.patch @@ -0,0 +1,91 @@ +From 73a8574122f0bde6b20a1c48d0b93c7fe62b5c94 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 19:12:01 +0000 +Subject: bonding: limit BOND_MODE_8023AD to Ethernet devices + +From: Eric Dumazet + +[ Upstream commit c84fcb79e5dbde0b8d5aeeaf04282d2149aebcf6 ] + +BOND_MODE_8023AD makes sense for ARPHRD_ETHER only. + +syzbot reported: + + BUG: KASAN: global-out-of-bounds in __hw_addr_create net/core/dev_addr_lists.c:63 [inline] + BUG: KASAN: global-out-of-bounds in __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118 +Read of size 16 at addr ffffffff8bf94040 by task syz.1.3580/19497 + +CPU: 1 UID: 0 PID: 19497 Comm: syz.1.3580 Tainted: G L syzkaller #0 PREEMPT(full) +Tainted: [L]=SOFTLOCKUP +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 +Call Trace: + + dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0xca/0x240 mm/kasan/report.c:482 + kasan_report+0x118/0x150 mm/kasan/report.c:595 + check_region_inline mm/kasan/generic.c:-1 [inline] + kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:200 + __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105 + __hw_addr_create net/core/dev_addr_lists.c:63 [inline] + __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118 + __dev_mc_add net/core/dev_addr_lists.c:868 [inline] + dev_mc_add+0xa1/0x120 net/core/dev_addr_lists.c:886 + bond_enslave+0x2b8b/0x3ac0 drivers/net/bonding/bond_main.c:2180 + do_set_master+0x533/0x6d0 net/core/rtnetlink.c:2963 + do_setlink+0xcf0/0x41c0 net/core/rtnetlink.c:3165 + rtnl_changelink net/core/rtnetlink.c:3776 [inline] + __rtnl_newlink net/core/rtnetlink.c:3935 [inline] + rtnl_newlink+0x161c/0x1c90 net/core/rtnetlink.c:4072 + rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6958 + netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2550 + netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] + netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1344 + netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1894 + sock_sendmsg_nosec net/socket.c:727 [inline] + __sock_sendmsg+0x21c/0x270 net/socket.c:742 + ____sys_sendmsg+0x505/0x820 net/socket.c:2592 + ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2646 + __sys_sendmsg+0x164/0x220 net/socket.c:2678 + do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline] + __do_fast_syscall_32+0x1dc/0x560 arch/x86/entry/syscall_32.c:307 + do_fast_syscall_32+0x34/0x80 arch/x86/entry/syscall_32.c:332 + entry_SYSENTER_compat_after_hwframe+0x84/0x8e + + +The buggy address belongs to the variable: + lacpdu_mcast_addr+0x0/0x40 + +Fixes: 872254dd6b1f ("net/bonding: Enable bonding to enslave non ARPHRD_ETHER") +Reported-by: syzbot+9c081b17773615f24672@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/6966946b.a70a0220.245e30.0002.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Andrew Lunn +Acked-by: Jay Vosburgh +Link: https://patch.msgid.link/20260113191201.3970737-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 3fae636eb9ddd..86be928b210a2 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1836,6 +1836,12 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev, + */ + if (!bond_has_slaves(bond)) { + if (bond_dev->type != slave_dev->type) { ++ if (slave_dev->type != ARPHRD_ETHER && ++ BOND_MODE(bond) == BOND_MODE_8023AD) { ++ SLAVE_NL_ERR(bond_dev, slave_dev, extack, ++ "8023AD mode requires Ethernet devices"); ++ return -EINVAL; ++ } + slave_dbg(bond_dev, slave_dev, "change device type from %d to %d\n", + bond_dev->type, slave_dev->type); + +-- +2.51.0 + diff --git a/queue-5.15/crypto-authencesn-reject-too-short-aad-assoclen-8-to.patch b/queue-5.15/crypto-authencesn-reject-too-short-aad-assoclen-8-to.patch new file mode 100644 index 0000000000..419acedcbe --- /dev/null +++ b/queue-5.15/crypto-authencesn-reject-too-short-aad-assoclen-8-to.patch @@ -0,0 +1,53 @@ +From c23204f90f925449abc0bc3ac21f10835d2cf04b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jan 2026 16:03:58 +0900 +Subject: crypto: authencesn - reject too-short AAD (assoclen<8) to match + ESP/ESN spec + +From: Taeyang Lee <0wn@theori.io> + +[ Upstream commit 2397e9264676be7794f8f7f1e9763d90bd3c7335 ] + +authencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than +the minimum expected length, crypto_authenc_esn_decrypt() can advance past +the end of the destination scatterlist and trigger a NULL pointer dereference +in scatterwalk_map_and_copy(), leading to a kernel panic (DoS). + +Add a minimum AAD length check to fail fast on invalid inputs. + +Fixes: 104880a6b470 ("crypto: authencesn - Convert to new AEAD interface") +Reported-By: Taeyang Lee <0wn@theori.io> +Signed-off-by: Taeyang Lee <0wn@theori.io> +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/authencesn.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/crypto/authencesn.c b/crypto/authencesn.c +index b60e61b1904cb..6487b35851d54 100644 +--- a/crypto/authencesn.c ++++ b/crypto/authencesn.c +@@ -191,6 +191,9 @@ static int crypto_authenc_esn_encrypt(struct aead_request *req) + struct scatterlist *src, *dst; + int err; + ++ if (assoclen < 8) ++ return -EINVAL; ++ + sg_init_table(areq_ctx->src, 2); + src = scatterwalk_ffwd(areq_ctx->src, req->src, assoclen); + dst = src; +@@ -284,6 +287,9 @@ static int crypto_authenc_esn_decrypt(struct aead_request *req) + u32 tmp[2]; + int err; + ++ if (assoclen < 8) ++ return -EINVAL; ++ + cryptlen -= authsize; + + if (req->src != dst) { +-- +2.51.0 + diff --git a/queue-5.15/fou-don-t-allow-0-for-fou_attr_ipproto.patch b/queue-5.15/fou-don-t-allow-0-for-fou_attr_ipproto.patch new file mode 100644 index 0000000000..509a685205 --- /dev/null +++ b/queue-5.15/fou-don-t-allow-0-for-fou_attr_ipproto.patch @@ -0,0 +1,57 @@ +From 8aec5f9fa06ee0bd212038eb1e8ccdbadcca36ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jan 2026 17:24:48 +0000 +Subject: fou: Don't allow 0 for FOU_ATTR_IPPROTO. + +From: Kuniyuki Iwashima + +[ Upstream commit 7a9bc9e3f42391e4c187e099263cf7a1c4b69ff5 ] + +fou_udp_recv() has the same problem mentioned in the previous +patch. + +If FOU_ATTR_IPPROTO is set to 0, skb is not freed by +fou_udp_recv() nor "resubmit"-ted in ip_protocol_deliver_rcu(). + +Let's forbid 0 for FOU_ATTR_IPPROTO. + +Fixes: 23461551c0062 ("fou: Support for foo-over-udp RX path") +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20260115172533.693652-4-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + Documentation/netlink/specs/fou.yaml | 2 ++ + net/ipv4/fou_nl.c | 2 +- + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/Documentation/netlink/specs/fou.yaml b/Documentation/netlink/specs/fou.yaml +index 266c386eedf3a..e5753a30a29a2 100644 +--- a/Documentation/netlink/specs/fou.yaml ++++ b/Documentation/netlink/specs/fou.yaml +@@ -36,6 +36,8 @@ attribute-sets: + - + name: ipproto + type: u8 ++ checks: ++ min: 1 + - + name: type + type: u8 +diff --git a/net/ipv4/fou_nl.c b/net/ipv4/fou_nl.c +index 6c3820f41dd5d..5bb8133ed7a89 100644 +--- a/net/ipv4/fou_nl.c ++++ b/net/ipv4/fou_nl.c +@@ -14,7 +14,7 @@ + const struct nla_policy fou_nl_policy[FOU_ATTR_IFINDEX + 1] = { + [FOU_ATTR_PORT] = { .type = NLA_U16, }, + [FOU_ATTR_AF] = { .type = NLA_U8, }, +- [FOU_ATTR_IPPROTO] = { .type = NLA_U8, }, ++ [FOU_ATTR_IPPROTO] = NLA_POLICY_MIN(NLA_U8, 1), + [FOU_ATTR_TYPE] = { .type = NLA_U8, }, + [FOU_ATTR_REMCSUM_NOPARTIAL] = { .type = NLA_FLAG, }, + [FOU_ATTR_LOCAL_V4] = { .type = NLA_U32, }, +-- +2.51.0 + diff --git a/queue-5.15/gue-fix-skb-memleak-with-inner-ip-protocol-0.patch b/queue-5.15/gue-fix-skb-memleak-with-inner-ip-protocol-0.patch new file mode 100644 index 0000000000..dbba9c2a51 --- /dev/null +++ b/queue-5.15/gue-fix-skb-memleak-with-inner-ip-protocol-0.patch @@ -0,0 +1,82 @@ +From d272078a4af0a27767d76c5492a72c57316e03f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jan 2026 17:24:46 +0000 +Subject: gue: Fix skb memleak with inner IP protocol 0. + +From: Kuniyuki Iwashima + +[ Upstream commit 9a56796ad258786d3624eef5aefba394fc9bdded ] + +syzbot reported skb memleak below. [0] + +The repro generated a GUE packet with its inner protocol 0. + +gue_udp_recv() returns -guehdr->proto_ctype for "resubmit" +in ip_protocol_deliver_rcu(), but this only works with +non-zero protocol number. + +Let's drop such packets. + +Note that 0 is a valid number (IPv6 Hop-by-Hop Option). + +I think it is not practical to encap HOPOPT in GUE, so once +someone starts to complain, we could pass down a resubmit +flag pointer to distinguish two zeros from the upper layer: + + * no error + * resubmit HOPOPT + +[0] +BUG: memory leak +unreferenced object 0xffff888109695a00 (size 240): + comm "syz.0.17", pid 6088, jiffies 4294943096 + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 40 c2 10 81 88 ff ff 00 00 00 00 00 00 00 00 .@.............. + backtrace (crc a84b336f): + kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] + slab_post_alloc_hook mm/slub.c:4958 [inline] + slab_alloc_node mm/slub.c:5263 [inline] + kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270 + __build_skb+0x23/0x60 net/core/skbuff.c:474 + build_skb+0x20/0x190 net/core/skbuff.c:490 + __tun_build_skb drivers/net/tun.c:1541 [inline] + tun_build_skb+0x4a1/0xa40 drivers/net/tun.c:1636 + tun_get_user+0xc12/0x2030 drivers/net/tun.c:1770 + tun_chr_write_iter+0x71/0x120 drivers/net/tun.c:1999 + new_sync_write fs/read_write.c:593 [inline] + vfs_write+0x45d/0x710 fs/read_write.c:686 + ksys_write+0xa7/0x170 fs/read_write.c:738 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: 37dd0247797b1 ("gue: Receive side for Generic UDP Encapsulation") +Reported-by: syzbot+4d8c7d16b0e95c0d0f0d@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/6965534b.050a0220.38aacd.0001.GAE@google.com/ +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20260115172533.693652-2-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/fou.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/ipv4/fou.c b/net/ipv4/fou.c +index b1a8e4eec3f6e..e63aa6b52460c 100644 +--- a/net/ipv4/fou.c ++++ b/net/ipv4/fou.c +@@ -213,6 +213,9 @@ static int gue_udp_recv(struct sock *sk, struct sk_buff *skb) + return gue_control_message(skb, guehdr); + + proto_ctype = guehdr->proto_ctype; ++ if (unlikely(!proto_ctype)) ++ goto drop; ++ + __skb_pull(skb, sizeof(struct udphdr) + hdrlen); + skb_reset_transport_header(skb); + +-- +2.51.0 + diff --git a/queue-5.15/ipvlan-make-the-addrs_lock-be-per-port.patch b/queue-5.15/ipvlan-make-the-addrs_lock-be-per-port.patch new file mode 100644 index 0000000000..d4e28d6eea --- /dev/null +++ b/queue-5.15/ipvlan-make-the-addrs_lock-be-per-port.patch @@ -0,0 +1,292 @@ +From f127255c140bb5551bac79366d1e92e90436c542 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 17:24:06 +0300 +Subject: ipvlan: Make the addrs_lock be per port + +From: Dmitry Skorodumov + +[ Upstream commit d3ba32162488283c0a4c5bedd8817aec91748802 ] + +Make the addrs_lock be per port, not per ipvlan dev. + +Initial code seems to be written in the assumption, +that any address change must occur under RTNL. +But it is not so for the case of IPv6. So + +1) Introduce per-port addrs_lock. + +2) It was needed to fix places where it was forgotten +to take lock (ipvlan_open/ipvlan_close) + +This appears to be a very minor problem though. +Since it's highly unlikely that ipvlan_add_addr() will +be called on 2 CPU simultaneously. But nevertheless, +this could cause: + +1) False-negative of ipvlan_addr_busy(): one interface +iterated through all port->ipvlans + ipvlan->addrs +under some ipvlan spinlock, and another added IP +under its own lock. Though this is only possible +for IPv6, since looks like only ipvlan_addr6_event() can be +called without rtnl_lock. + +2) Race since ipvlan_ht_addr_add(port) is called under +different ipvlan->addrs_lock locks + +This should not affect performance, since add/remove IP +is a rare situation and spinlock is not taken on fast +paths. + +Fixes: 8230819494b3 ("ipvlan: use per device spinlock to protect addrs list updates") +Signed-off-by: Dmitry Skorodumov +Reviewed-by: Paolo Abeni +Link: https://patch.msgid.link/20260112142417.4039566-2-skorodumov.dmitry@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ipvlan/ipvlan.h | 2 +- + drivers/net/ipvlan/ipvlan_core.c | 16 +++++------ + drivers/net/ipvlan/ipvlan_main.c | 49 +++++++++++++++++++------------- + 3 files changed, 37 insertions(+), 30 deletions(-) + +diff --git a/drivers/net/ipvlan/ipvlan.h b/drivers/net/ipvlan/ipvlan.h +index 3837c897832ea..befb61e00d07d 100644 +--- a/drivers/net/ipvlan/ipvlan.h ++++ b/drivers/net/ipvlan/ipvlan.h +@@ -69,7 +69,6 @@ struct ipvl_dev { + DECLARE_BITMAP(mac_filters, IPVLAN_MAC_FILTER_SIZE); + netdev_features_t sfeatures; + u32 msg_enable; +- spinlock_t addrs_lock; + }; + + struct ipvl_addr { +@@ -90,6 +89,7 @@ struct ipvl_port { + struct net_device *dev; + possible_net_t pnet; + struct hlist_head hlhead[IPVLAN_HASH_SIZE]; ++ spinlock_t addrs_lock; /* guards hash-table and addrs */ + struct list_head ipvlans; + u16 mode; + u16 flags; +diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c +index 35ec6d1af6ea6..3d8b646c16b71 100644 +--- a/drivers/net/ipvlan/ipvlan_core.c ++++ b/drivers/net/ipvlan/ipvlan_core.c +@@ -104,17 +104,15 @@ void ipvlan_ht_addr_del(struct ipvl_addr *addr) + struct ipvl_addr *ipvlan_find_addr(const struct ipvl_dev *ipvlan, + const void *iaddr, bool is_v6) + { +- struct ipvl_addr *addr, *ret = NULL; ++ struct ipvl_addr *addr; + +- rcu_read_lock(); +- list_for_each_entry_rcu(addr, &ipvlan->addrs, anode) { +- if (addr_equal(is_v6, addr, iaddr)) { +- ret = addr; +- break; +- } ++ assert_spin_locked(&ipvlan->port->addrs_lock); ++ ++ list_for_each_entry(addr, &ipvlan->addrs, anode) { ++ if (addr_equal(is_v6, addr, iaddr)) ++ return addr; + } +- rcu_read_unlock(); +- return ret; ++ return NULL; + } + + bool ipvlan_addr_busy(struct ipvl_port *port, void *iaddr, bool is_v6) +diff --git a/drivers/net/ipvlan/ipvlan_main.c b/drivers/net/ipvlan/ipvlan_main.c +index 8660d452f642b..fe4399af8eea7 100644 +--- a/drivers/net/ipvlan/ipvlan_main.c ++++ b/drivers/net/ipvlan/ipvlan_main.c +@@ -74,6 +74,7 @@ static int ipvlan_port_create(struct net_device *dev) + for (idx = 0; idx < IPVLAN_HASH_SIZE; idx++) + INIT_HLIST_HEAD(&port->hlhead[idx]); + ++ spin_lock_init(&port->addrs_lock); + skb_queue_head_init(&port->backlog); + INIT_WORK(&port->wq, ipvlan_process_multicast); + ida_init(&port->ida); +@@ -179,6 +180,7 @@ static void ipvlan_uninit(struct net_device *dev) + static int ipvlan_open(struct net_device *dev) + { + struct ipvl_dev *ipvlan = netdev_priv(dev); ++ struct ipvl_port *port = ipvlan->port; + struct ipvl_addr *addr; + + if (ipvlan->port->mode == IPVLAN_MODE_L3 || +@@ -187,10 +189,10 @@ static int ipvlan_open(struct net_device *dev) + else + dev->flags &= ~IFF_NOARP; + +- rcu_read_lock(); +- list_for_each_entry_rcu(addr, &ipvlan->addrs, anode) ++ spin_lock_bh(&port->addrs_lock); ++ list_for_each_entry(addr, &ipvlan->addrs, anode) + ipvlan_ht_addr_add(ipvlan, addr); +- rcu_read_unlock(); ++ spin_unlock_bh(&port->addrs_lock); + + return 0; + } +@@ -204,10 +206,10 @@ static int ipvlan_stop(struct net_device *dev) + dev_uc_unsync(phy_dev, dev); + dev_mc_unsync(phy_dev, dev); + +- rcu_read_lock(); +- list_for_each_entry_rcu(addr, &ipvlan->addrs, anode) ++ spin_lock_bh(&ipvlan->port->addrs_lock); ++ list_for_each_entry(addr, &ipvlan->addrs, anode) + ipvlan_ht_addr_del(addr); +- rcu_read_unlock(); ++ spin_unlock_bh(&ipvlan->port->addrs_lock); + + return 0; + } +@@ -574,7 +576,6 @@ int ipvlan_link_new(struct net *src_net, struct net_device *dev, + if (!tb[IFLA_MTU]) + ipvlan_adjust_mtu(ipvlan, phy_dev); + INIT_LIST_HEAD(&ipvlan->addrs); +- spin_lock_init(&ipvlan->addrs_lock); + + /* TODO Probably put random address here to be presented to the + * world but keep using the physical-dev address for the outgoing +@@ -652,13 +653,13 @@ void ipvlan_link_delete(struct net_device *dev, struct list_head *head) + struct ipvl_dev *ipvlan = netdev_priv(dev); + struct ipvl_addr *addr, *next; + +- spin_lock_bh(&ipvlan->addrs_lock); ++ spin_lock_bh(&ipvlan->port->addrs_lock); + list_for_each_entry_safe(addr, next, &ipvlan->addrs, anode) { + ipvlan_ht_addr_del(addr); + list_del_rcu(&addr->anode); + kfree_rcu(addr, rcu); + } +- spin_unlock_bh(&ipvlan->addrs_lock); ++ spin_unlock_bh(&ipvlan->port->addrs_lock); + + ida_simple_remove(&ipvlan->port->ida, dev->dev_id); + list_del_rcu(&ipvlan->pnode); +@@ -806,6 +807,8 @@ static int ipvlan_add_addr(struct ipvl_dev *ipvlan, void *iaddr, bool is_v6) + { + struct ipvl_addr *addr; + ++ assert_spin_locked(&ipvlan->port->addrs_lock); ++ + addr = kzalloc(sizeof(struct ipvl_addr), GFP_ATOMIC); + if (!addr) + return -ENOMEM; +@@ -836,16 +839,16 @@ static void ipvlan_del_addr(struct ipvl_dev *ipvlan, void *iaddr, bool is_v6) + { + struct ipvl_addr *addr; + +- spin_lock_bh(&ipvlan->addrs_lock); ++ spin_lock_bh(&ipvlan->port->addrs_lock); + addr = ipvlan_find_addr(ipvlan, iaddr, is_v6); + if (!addr) { +- spin_unlock_bh(&ipvlan->addrs_lock); ++ spin_unlock_bh(&ipvlan->port->addrs_lock); + return; + } + + ipvlan_ht_addr_del(addr); + list_del_rcu(&addr->anode); +- spin_unlock_bh(&ipvlan->addrs_lock); ++ spin_unlock_bh(&ipvlan->port->addrs_lock); + kfree_rcu(addr, rcu); + } + +@@ -867,14 +870,14 @@ static int ipvlan_add_addr6(struct ipvl_dev *ipvlan, struct in6_addr *ip6_addr) + { + int ret = -EINVAL; + +- spin_lock_bh(&ipvlan->addrs_lock); ++ spin_lock_bh(&ipvlan->port->addrs_lock); + if (ipvlan_addr_busy(ipvlan->port, ip6_addr, true)) + netif_err(ipvlan, ifup, ipvlan->dev, + "Failed to add IPv6=%pI6c addr for %s intf\n", + ip6_addr, ipvlan->dev->name); + else + ret = ipvlan_add_addr(ipvlan, ip6_addr, true); +- spin_unlock_bh(&ipvlan->addrs_lock); ++ spin_unlock_bh(&ipvlan->port->addrs_lock); + return ret; + } + +@@ -913,21 +916,24 @@ static int ipvlan_addr6_validator_event(struct notifier_block *unused, + struct in6_validator_info *i6vi = (struct in6_validator_info *)ptr; + struct net_device *dev = (struct net_device *)i6vi->i6vi_dev->dev; + struct ipvl_dev *ipvlan = netdev_priv(dev); ++ int ret = NOTIFY_OK; + + if (!ipvlan_is_valid_dev(dev)) + return NOTIFY_DONE; + + switch (event) { + case NETDEV_UP: ++ spin_lock_bh(&ipvlan->port->addrs_lock); + if (ipvlan_addr_busy(ipvlan->port, &i6vi->i6vi_addr, true)) { + NL_SET_ERR_MSG(i6vi->extack, + "Address already assigned to an ipvlan device"); +- return notifier_from_errno(-EADDRINUSE); ++ ret = notifier_from_errno(-EADDRINUSE); + } ++ spin_unlock_bh(&ipvlan->port->addrs_lock); + break; + } + +- return NOTIFY_OK; ++ return ret; + } + #endif + +@@ -935,14 +941,14 @@ static int ipvlan_add_addr4(struct ipvl_dev *ipvlan, struct in_addr *ip4_addr) + { + int ret = -EINVAL; + +- spin_lock_bh(&ipvlan->addrs_lock); ++ spin_lock_bh(&ipvlan->port->addrs_lock); + if (ipvlan_addr_busy(ipvlan->port, ip4_addr, false)) + netif_err(ipvlan, ifup, ipvlan->dev, + "Failed to add IPv4=%pI4 on %s intf.\n", + ip4_addr, ipvlan->dev->name); + else + ret = ipvlan_add_addr(ipvlan, ip4_addr, false); +- spin_unlock_bh(&ipvlan->addrs_lock); ++ spin_unlock_bh(&ipvlan->port->addrs_lock); + return ret; + } + +@@ -984,21 +990,24 @@ static int ipvlan_addr4_validator_event(struct notifier_block *unused, + struct in_validator_info *ivi = (struct in_validator_info *)ptr; + struct net_device *dev = (struct net_device *)ivi->ivi_dev->dev; + struct ipvl_dev *ipvlan = netdev_priv(dev); ++ int ret = NOTIFY_OK; + + if (!ipvlan_is_valid_dev(dev)) + return NOTIFY_DONE; + + switch (event) { + case NETDEV_UP: ++ spin_lock_bh(&ipvlan->port->addrs_lock); + if (ipvlan_addr_busy(ipvlan->port, &ivi->ivi_addr, false)) { + NL_SET_ERR_MSG(ivi->extack, + "Address already assigned to an ipvlan device"); +- return notifier_from_errno(-EADDRINUSE); ++ ret = notifier_from_errno(-EADDRINUSE); + } ++ spin_unlock_bh(&ipvlan->port->addrs_lock); + break; + } + +- return NOTIFY_OK; ++ return ret; + } + + static struct notifier_block ipvlan_addr4_notifier_block __read_mostly = { +-- +2.51.0 + diff --git a/queue-5.15/l2tp-avoid-one-data-race-in-l2tp_tunnel_del_work.patch b/queue-5.15/l2tp-avoid-one-data-race-in-l2tp_tunnel_del_work.patch new file mode 100644 index 0000000000..4291d84c28 --- /dev/null +++ b/queue-5.15/l2tp-avoid-one-data-race-in-l2tp_tunnel_del_work.patch @@ -0,0 +1,85 @@ +From ee3dcff0a297b2db6f0c652de0ff0d89cf9ca996 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jan 2026 09:21:39 +0000 +Subject: l2tp: avoid one data-race in l2tp_tunnel_del_work() + +From: Eric Dumazet + +[ Upstream commit 7a29f6bf60f2590fe5e9c4decb451e19afad2bcf ] + +We should read sk->sk_socket only when dealing with kernel sockets. + +syzbot reported the following data-race: + +BUG: KCSAN: data-race in l2tp_tunnel_del_work / sk_common_release + +write to 0xffff88811c182b20 of 8 bytes by task 5365 on cpu 0: + sk_set_socket include/net/sock.h:2092 [inline] + sock_orphan include/net/sock.h:2118 [inline] + sk_common_release+0xae/0x230 net/core/sock.c:4003 + udp_lib_close+0x15/0x20 include/net/udp.h:325 + inet_release+0xce/0xf0 net/ipv4/af_inet.c:437 + __sock_release net/socket.c:662 [inline] + sock_close+0x6b/0x150 net/socket.c:1455 + __fput+0x29b/0x650 fs/file_table.c:468 + ____fput+0x1c/0x30 fs/file_table.c:496 + task_work_run+0x131/0x1a0 kernel/task_work.c:233 + resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] + __exit_to_user_mode_loop kernel/entry/common.c:44 [inline] + exit_to_user_mode_loop+0x1fe/0x740 kernel/entry/common.c:75 + __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline] + syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline] + syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline] + syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline] + do_syscall_64+0x1e1/0x2b0 arch/x86/entry/syscall_64.c:100 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +read to 0xffff88811c182b20 of 8 bytes by task 827 on cpu 1: + l2tp_tunnel_del_work+0x2f/0x1a0 net/l2tp/l2tp_core.c:1418 + process_one_work kernel/workqueue.c:3257 [inline] + process_scheduled_works+0x4ce/0x9d0 kernel/workqueue.c:3340 + worker_thread+0x582/0x770 kernel/workqueue.c:3421 + kthread+0x489/0x510 kernel/kthread.c:463 + ret_from_fork+0x149/0x290 arch/x86/kernel/process.c:158 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 + +value changed: 0xffff88811b818000 -> 0x0000000000000000 + +Fixes: d00fa9adc528 ("l2tp: fix races with tunnel socket close") +Reported-by: syzbot+7312e82745f7fa2526db@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/6968b029.050a0220.58bed.0016.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: James Chapman +Reviewed-by: Guillaume Nault +Link: https://patch.msgid.link/20260115092139.3066180-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/l2tp/l2tp_core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c +index acd5b67858ddc..7e242ebac664a 100644 +--- a/net/l2tp/l2tp_core.c ++++ b/net/l2tp/l2tp_core.c +@@ -1252,8 +1252,6 @@ static void l2tp_tunnel_del_work(struct work_struct *work) + { + struct l2tp_tunnel *tunnel = container_of(work, struct l2tp_tunnel, + del_work); +- struct sock *sk = tunnel->sock; +- struct socket *sock = sk->sk_socket; + + l2tp_tunnel_closeall(tunnel); + +@@ -1261,6 +1259,8 @@ static void l2tp_tunnel_del_work(struct work_struct *work) + * the sk API to release it here. + */ + if (tunnel->fd < 0) { ++ struct socket *sock = tunnel->sock->sk_socket; ++ + if (sock) { + kernel_sock_shutdown(sock, SHUT_RDWR); + sock_release(sock); +-- +2.51.0 + diff --git a/queue-5.15/net-fou-rename-the-source-for-linking.patch b/queue-5.15/net-fou-rename-the-source-for-linking.patch new file mode 100644 index 0000000000..e1e63f990b --- /dev/null +++ b/queue-5.15/net-fou-rename-the-source-for-linking.patch @@ -0,0 +1,43 @@ +From 7035565e9d1e5a58831964e2eac979a2d2e14619 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jan 2023 09:50:39 -0800 +Subject: net: fou: rename the source for linking + +From: Jakub Kicinski + +[ Upstream commit 08d323234d10eab077cbf0093eeb5991478a261a ] + +We'll need to link two objects together to form the fou module. +This means the source can't be called fou, the build system expects +fou.o to be the combined object. + +Acked-by: Stanislav Fomichev +Signed-off-by: Jakub Kicinski +Signed-off-by: Paolo Abeni +Stable-dep-of: 7a9bc9e3f423 ("fou: Don't allow 0 for FOU_ATTR_IPPROTO.") +Signed-off-by: Sasha Levin +--- + net/ipv4/Makefile | 1 + + net/ipv4/{fou.c => fou_core.c} | 0 + 2 files changed, 1 insertion(+) + rename net/ipv4/{fou.c => fou_core.c} (100%) + +diff --git a/net/ipv4/Makefile b/net/ipv4/Makefile +index bbdd9c44f14e3..e694a5e5b0302 100644 +--- a/net/ipv4/Makefile ++++ b/net/ipv4/Makefile +@@ -26,6 +26,7 @@ obj-$(CONFIG_IP_MROUTE) += ipmr.o + obj-$(CONFIG_IP_MROUTE_COMMON) += ipmr_base.o + obj-$(CONFIG_NET_IPIP) += ipip.o + gre-y := gre_demux.o ++fou-y := fou_core.o + obj-$(CONFIG_NET_FOU) += fou.o + obj-$(CONFIG_NET_IPGRE_DEMUX) += gre.o + obj-$(CONFIG_NET_IPGRE) += ip_gre.o +diff --git a/net/ipv4/fou.c b/net/ipv4/fou_core.c +similarity index 100% +rename from net/ipv4/fou.c +rename to net/ipv4/fou_core.c +-- +2.51.0 + diff --git a/queue-5.15/net-fou-use-policy-and-operation-tables-generated-fr.patch b/queue-5.15/net-fou-use-policy-and-operation-tables-generated-fr.patch new file mode 100644 index 0000000000..0cfa42800f --- /dev/null +++ b/queue-5.15/net-fou-use-policy-and-operation-tables-generated-fr.patch @@ -0,0 +1,233 @@ +From c3967cacfe4a145cbbec97861b67702265aebc84 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jan 2023 09:50:40 -0800 +Subject: net: fou: use policy and operation tables generated from the spec + +From: Jakub Kicinski + +[ Upstream commit 1d562c32e4392cc091c940918ee1ffd7bfcb9e96 ] + +Generate and plug in the spec-based tables. + +A little bit of renaming is needed in the FOU code. + +Acked-by: Stanislav Fomichev +Signed-off-by: Jakub Kicinski +Signed-off-by: Paolo Abeni +Stable-dep-of: 7a9bc9e3f423 ("fou: Don't allow 0 for FOU_ATTR_IPPROTO.") +Signed-off-by: Sasha Levin +--- + net/ipv4/Makefile | 2 +- + net/ipv4/fou_core.c | 47 +++++++------------------------------------- + net/ipv4/fou_nl.c | 48 +++++++++++++++++++++++++++++++++++++++++++++ + net/ipv4/fou_nl.h | 25 +++++++++++++++++++++++ + 4 files changed, 81 insertions(+), 41 deletions(-) + create mode 100644 net/ipv4/fou_nl.c + create mode 100644 net/ipv4/fou_nl.h + +diff --git a/net/ipv4/Makefile b/net/ipv4/Makefile +index e694a5e5b0302..d1c8d4beb77d4 100644 +--- a/net/ipv4/Makefile ++++ b/net/ipv4/Makefile +@@ -26,7 +26,7 @@ obj-$(CONFIG_IP_MROUTE) += ipmr.o + obj-$(CONFIG_IP_MROUTE_COMMON) += ipmr_base.o + obj-$(CONFIG_NET_IPIP) += ipip.o + gre-y := gre_demux.o +-fou-y := fou_core.o ++fou-y := fou_core.o fou_nl.o + obj-$(CONFIG_NET_FOU) += fou.o + obj-$(CONFIG_NET_IPGRE_DEMUX) += gre.o + obj-$(CONFIG_NET_IPGRE) += ip_gre.o +diff --git a/net/ipv4/fou_core.c b/net/ipv4/fou_core.c +index e63aa6b52460c..118b48279da32 100644 +--- a/net/ipv4/fou_core.c ++++ b/net/ipv4/fou_core.c +@@ -19,6 +19,8 @@ + #include + #include + ++#include "fou_nl.h" ++ + struct fou { + struct socket *sock; + u8 protocol; +@@ -665,20 +667,6 @@ static int fou_destroy(struct net *net, struct fou_cfg *cfg) + + static struct genl_family fou_nl_family; + +-static const struct nla_policy fou_nl_policy[FOU_ATTR_MAX + 1] = { +- [FOU_ATTR_PORT] = { .type = NLA_U16, }, +- [FOU_ATTR_AF] = { .type = NLA_U8, }, +- [FOU_ATTR_IPPROTO] = { .type = NLA_U8, }, +- [FOU_ATTR_TYPE] = { .type = NLA_U8, }, +- [FOU_ATTR_REMCSUM_NOPARTIAL] = { .type = NLA_FLAG, }, +- [FOU_ATTR_LOCAL_V4] = { .type = NLA_U32, }, +- [FOU_ATTR_PEER_V4] = { .type = NLA_U32, }, +- [FOU_ATTR_LOCAL_V6] = { .len = sizeof(struct in6_addr), }, +- [FOU_ATTR_PEER_V6] = { .len = sizeof(struct in6_addr), }, +- [FOU_ATTR_PEER_PORT] = { .type = NLA_U16, }, +- [FOU_ATTR_IFINDEX] = { .type = NLA_S32, }, +-}; +- + static int parse_nl_config(struct genl_info *info, + struct fou_cfg *cfg) + { +@@ -770,7 +758,7 @@ static int parse_nl_config(struct genl_info *info, + return 0; + } + +-static int fou_nl_cmd_add_port(struct sk_buff *skb, struct genl_info *info) ++int fou_nl_add_doit(struct sk_buff *skb, struct genl_info *info) + { + struct net *net = genl_info_net(info); + struct fou_cfg cfg; +@@ -783,7 +771,7 @@ static int fou_nl_cmd_add_port(struct sk_buff *skb, struct genl_info *info) + return fou_create(net, &cfg, NULL); + } + +-static int fou_nl_cmd_rm_port(struct sk_buff *skb, struct genl_info *info) ++int fou_nl_del_doit(struct sk_buff *skb, struct genl_info *info) + { + struct net *net = genl_info_net(info); + struct fou_cfg cfg; +@@ -852,7 +840,7 @@ static int fou_dump_info(struct fou *fou, u32 portid, u32 seq, + return -EMSGSIZE; + } + +-static int fou_nl_cmd_get_port(struct sk_buff *skb, struct genl_info *info) ++int fou_nl_get_doit(struct sk_buff *skb, struct genl_info *info) + { + struct net *net = genl_info_net(info); + struct fou_net *fn = net_generic(net, fou_net_id); +@@ -899,7 +887,7 @@ static int fou_nl_cmd_get_port(struct sk_buff *skb, struct genl_info *info) + return ret; + } + +-static int fou_nl_dump(struct sk_buff *skb, struct netlink_callback *cb) ++int fou_nl_get_dumpit(struct sk_buff *skb, struct netlink_callback *cb) + { + struct net *net = sock_net(skb->sk); + struct fou_net *fn = net_generic(net, fou_net_id); +@@ -922,33 +910,12 @@ static int fou_nl_dump(struct sk_buff *skb, struct netlink_callback *cb) + return skb->len; + } + +-static const struct genl_small_ops fou_nl_ops[] = { +- { +- .cmd = FOU_CMD_ADD, +- .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +- .doit = fou_nl_cmd_add_port, +- .flags = GENL_ADMIN_PERM, +- }, +- { +- .cmd = FOU_CMD_DEL, +- .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +- .doit = fou_nl_cmd_rm_port, +- .flags = GENL_ADMIN_PERM, +- }, +- { +- .cmd = FOU_CMD_GET, +- .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +- .doit = fou_nl_cmd_get_port, +- .dumpit = fou_nl_dump, +- }, +-}; +- + static struct genl_family fou_nl_family __ro_after_init = { + .hdrsize = 0, + .name = FOU_GENL_NAME, + .version = FOU_GENL_VERSION, + .maxattr = FOU_ATTR_MAX, +- .policy = fou_nl_policy, ++ .policy = fou_nl_policy, + .netnsok = true, + .module = THIS_MODULE, + .small_ops = fou_nl_ops, +diff --git a/net/ipv4/fou_nl.c b/net/ipv4/fou_nl.c +new file mode 100644 +index 0000000000000..6c3820f41dd5d +--- /dev/null ++++ b/net/ipv4/fou_nl.c +@@ -0,0 +1,48 @@ ++// SPDX-License-Identifier: BSD-3-Clause ++/* Do not edit directly, auto-generated from: */ ++/* Documentation/netlink/specs/fou.yaml */ ++/* YNL-GEN kernel source */ ++ ++#include ++#include ++ ++#include "fou_nl.h" ++ ++#include ++ ++/* Global operation policy for fou */ ++const struct nla_policy fou_nl_policy[FOU_ATTR_IFINDEX + 1] = { ++ [FOU_ATTR_PORT] = { .type = NLA_U16, }, ++ [FOU_ATTR_AF] = { .type = NLA_U8, }, ++ [FOU_ATTR_IPPROTO] = { .type = NLA_U8, }, ++ [FOU_ATTR_TYPE] = { .type = NLA_U8, }, ++ [FOU_ATTR_REMCSUM_NOPARTIAL] = { .type = NLA_FLAG, }, ++ [FOU_ATTR_LOCAL_V4] = { .type = NLA_U32, }, ++ [FOU_ATTR_LOCAL_V6] = { .len = 16, }, ++ [FOU_ATTR_PEER_V4] = { .type = NLA_U32, }, ++ [FOU_ATTR_PEER_V6] = { .len = 16, }, ++ [FOU_ATTR_PEER_PORT] = { .type = NLA_U16, }, ++ [FOU_ATTR_IFINDEX] = { .type = NLA_S32, }, ++}; ++ ++/* Ops table for fou */ ++const struct genl_small_ops fou_nl_ops[3] = { ++ { ++ .cmd = FOU_CMD_ADD, ++ .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, ++ .doit = fou_nl_add_doit, ++ .flags = GENL_ADMIN_PERM, ++ }, ++ { ++ .cmd = FOU_CMD_DEL, ++ .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, ++ .doit = fou_nl_del_doit, ++ .flags = GENL_ADMIN_PERM, ++ }, ++ { ++ .cmd = FOU_CMD_GET, ++ .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, ++ .doit = fou_nl_get_doit, ++ .dumpit = fou_nl_get_dumpit, ++ }, ++}; +diff --git a/net/ipv4/fou_nl.h b/net/ipv4/fou_nl.h +new file mode 100644 +index 0000000000000..b7a68121ce6f7 +--- /dev/null ++++ b/net/ipv4/fou_nl.h +@@ -0,0 +1,25 @@ ++/* SPDX-License-Identifier: BSD-3-Clause */ ++/* Do not edit directly, auto-generated from: */ ++/* Documentation/netlink/specs/fou.yaml */ ++/* YNL-GEN kernel header */ ++ ++#ifndef _LINUX_FOU_GEN_H ++#define _LINUX_FOU_GEN_H ++ ++#include ++#include ++ ++#include ++ ++/* Global operation policy for fou */ ++extern const struct nla_policy fou_nl_policy[FOU_ATTR_IFINDEX + 1]; ++ ++/* Ops table for fou */ ++extern const struct genl_small_ops fou_nl_ops[3]; ++ ++int fou_nl_add_doit(struct sk_buff *skb, struct genl_info *info); ++int fou_nl_del_doit(struct sk_buff *skb, struct genl_info *info); ++int fou_nl_get_doit(struct sk_buff *skb, struct genl_info *info); ++int fou_nl_get_dumpit(struct sk_buff *skb, struct netlink_callback *cb); ++ ++#endif /* _LINUX_FOU_GEN_H */ +-- +2.51.0 + diff --git a/queue-5.15/net-sched-enforce-that-teql-can-only-be-used-as-root.patch b/queue-5.15/net-sched-enforce-that-teql-can-only-be-used-as-root.patch new file mode 100644 index 0000000000..674d35b75a --- /dev/null +++ b/queue-5.15/net-sched-enforce-that-teql-can-only-be-used-as-root.patch @@ -0,0 +1,68 @@ +From 51ee73e0e7fecd74ed49f4805b8bae46cbe6ba8a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jan 2026 11:02:41 -0500 +Subject: net/sched: Enforce that teql can only be used as root qdisc +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jamal Hadi Salim + +[ Upstream commit 50da4b9d07a7a463e2cfb738f3ad4cff6b2c9c3b ] + +Design intent of teql is that it is only supposed to be used as root qdisc. +We need to check for that constraint. + +Although not important, I will describe the scenario that unearthed this +issue for the curious. + +GangMin Kim managed to concot a scenario as follows: + +ROOT qdisc 1:0 (QFQ) + ├── class 1:1 (weight=15, lmax=16384) netem with delay 6.4s + └── class 1:2 (weight=1, lmax=1514) teql + +GangMin sends a packet which is enqueued to 1:1 (netem). +Any invocation of dequeue by QFQ from this class will not return a packet +until after 6.4s. In the meantime, a second packet is sent and it lands on +1:2. teql's enqueue will return success and this will activate class 1:2. +Main issue is that teql only updates the parent visible qlen (sch->q.qlen) +at dequeue. Since QFQ will only call dequeue if peek succeeds (and teql's +peek always returns NULL), dequeue will never be called and thus the qlen +will remain as 0. With that in mind, when GangMin updates 1:2's lmax value, +the qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc's +qlen was not incremented, qfq fails to deactivate the class, but still +frees its pointers from the aggregate. So when the first packet is +rescheduled after 6.4 seconds (netem's delay), a dangling pointer is +accessed causing GangMin's causing a UAF. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: GangMin Kim +Tested-by: Victor Nogueira +Signed-off-by: Jamal Hadi Salim +Link: https://patch.msgid.link/20260114160243.913069-2-jhs@mojatatu.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_teql.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/sched/sch_teql.c b/net/sched/sch_teql.c +index 79aaab51cbf5c..e9dfa140799c3 100644 +--- a/net/sched/sch_teql.c ++++ b/net/sched/sch_teql.c +@@ -178,6 +178,11 @@ static int teql_qdisc_init(struct Qdisc *sch, struct nlattr *opt, + if (m->dev == dev) + return -ELOOP; + ++ if (sch->parent != TC_H_ROOT) { ++ NL_SET_ERR_MSG_MOD(extack, "teql can only be used as root"); ++ return -EOPNOTSUPP; ++ } ++ + q->m = m; + + skb_queue_head_init(&q->q); +-- +2.51.0 + diff --git a/queue-5.15/net-sched-qfq-use-cl_is_active-to-determine-whether-.patch b/queue-5.15/net-sched-qfq-use-cl_is_active-to-determine-whether-.patch new file mode 100644 index 0000000000..dada79fa3c --- /dev/null +++ b/queue-5.15/net-sched-qfq-use-cl_is_active-to-determine-whether-.patch @@ -0,0 +1,40 @@ +From 440bab96679d08b70da173c4f3c87710b17e4f6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jan 2026 11:02:42 -0500 +Subject: net/sched: qfq: Use cl_is_active to determine whether class is active + in qfq_rm_from_ag + +From: Jamal Hadi Salim + +[ Upstream commit d837fbee92453fbb829f950c8e7cf76207d73f33 ] + +This is more of a preventive patch to make the code more consistent and +to prevent possible exploits that employ child qlen manipulations on qfq. +use cl_is_active instead of relying on the child qdisc's qlen to determine +class activation. + +Fixes: 462dbc9101acd ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost") +Signed-off-by: Jamal Hadi Salim +Link: https://patch.msgid.link/20260114160243.913069-3-jhs@mojatatu.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_qfq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c +index d201bcb5edc42..8e5b30c447b86 100644 +--- a/net/sched/sch_qfq.c ++++ b/net/sched/sch_qfq.c +@@ -375,7 +375,7 @@ static void qfq_rm_from_agg(struct qfq_sched *q, struct qfq_class *cl) + /* Deschedule class and remove it from its parent aggregate. */ + static void qfq_deact_rm_from_agg(struct qfq_sched *q, struct qfq_class *cl) + { +- if (cl->qdisc->q.qlen > 0) /* class is active */ ++ if (cl_is_active(cl)) /* class is active */ + qfq_deactivate_class(q, cl); + + qfq_rm_from_agg(q, cl); +-- +2.51.0 + diff --git a/queue-5.15/net-usb-dm9601-remove-broken-sr9700-support.patch b/queue-5.15/net-usb-dm9601-remove-broken-sr9700-support.patch new file mode 100644 index 0000000000..54b14b5934 --- /dev/null +++ b/queue-5.15/net-usb-dm9601-remove-broken-sr9700-support.patch @@ -0,0 +1,53 @@ +From 286c113926fe022f733ce765156d1eee14654411 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 22:39:24 -0800 +Subject: net: usb: dm9601: remove broken SR9700 support + +From: Ethan Nelson-Moore + +[ Upstream commit 7d7dbafefbe74f5a25efc4807af093b857a7612e ] + +The SR9700 chip sends more than one packet in a USB transaction, +like the DM962x chips can optionally do, but the dm9601 driver does not +support this mode, and the hardware does not have the DM962x +MODE_CTL register to disable it, so this driver drops packets on SR9700 +devices. The sr9700 driver correctly handles receiving more than one +packet per transaction. + +While the dm9601 driver could be improved to handle this, the easiest +way to fix this issue in the short term is to remove the SR9700 device +ID from the dm9601 driver so the sr9700 driver is always used. This +device ID should not have been in more than one driver to begin with. + +The "Fixes" commit was chosen so that the patch is automatically +included in all kernels that have the sr9700 driver, even though the +issue affects dm9601. + +Fixes: c9b37458e956 ("USB2NET : SR9700 : One chip USB 1.1 USB2NET SR9700Device Driver Support") +Signed-off-by: Ethan Nelson-Moore +Acked-by: Peter Korsgaard +Link: https://patch.msgid.link/20260113063924.74464-1-enelsonmoore@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/dm9601.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/net/usb/dm9601.c b/drivers/net/usb/dm9601.c +index f7357d884d6aa..2d98238293a64 100644 +--- a/drivers/net/usb/dm9601.c ++++ b/drivers/net/usb/dm9601.c +@@ -603,10 +603,6 @@ static const struct usb_device_id products[] = { + USB_DEVICE(0x0fe6, 0x8101), /* DM9601 USB to Fast Ethernet Adapter */ + .driver_info = (unsigned long)&dm9601_info, + }, +- { +- USB_DEVICE(0x0fe6, 0x9700), /* DM9601 USB to Fast Ethernet Adapter */ +- .driver_info = (unsigned long)&dm9601_info, +- }, + { + USB_DEVICE(0x0a46, 0x9000), /* DM9000E */ + .driver_info = (unsigned long)&dm9601_info, +-- +2.51.0 + diff --git a/queue-5.15/netlink-add-a-proto-specification-for-fou.patch b/queue-5.15/netlink-add-a-proto-specification-for-fou.patch new file mode 100644 index 0000000000..e21be1d000 --- /dev/null +++ b/queue-5.15/netlink-add-a-proto-specification-for-fou.patch @@ -0,0 +1,158 @@ +From 6baa7e95d82a4a9355ce58f406e8d8a7158dd3b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jan 2023 09:50:37 -0800 +Subject: netlink: add a proto specification for FOU + +From: Jakub Kicinski + +[ Upstream commit 4eb77b4ecd3c5eaab83adf76e67e0a7ed2a24418 ] + +FOU has a reasonably modern Genetlink family. Add a spec. + +Acked-by: Stanislav Fomichev +Signed-off-by: Jakub Kicinski +Signed-off-by: Paolo Abeni +Stable-dep-of: 7a9bc9e3f423 ("fou: Don't allow 0 for FOU_ATTR_IPPROTO.") +Signed-off-by: Sasha Levin +--- + Documentation/netlink/specs/fou.yaml | 128 +++++++++++++++++++++++++++ + 1 file changed, 128 insertions(+) + create mode 100644 Documentation/netlink/specs/fou.yaml + +diff --git a/Documentation/netlink/specs/fou.yaml b/Documentation/netlink/specs/fou.yaml +new file mode 100644 +index 0000000000000..266c386eedf3a +--- /dev/null ++++ b/Documentation/netlink/specs/fou.yaml +@@ -0,0 +1,128 @@ ++name: fou ++ ++protocol: genetlink-legacy ++ ++doc: | ++ Foo-over-UDP. ++ ++c-family-name: fou-genl-name ++c-version-name: fou-genl-version ++max-by-define: true ++kernel-policy: global ++ ++definitions: ++ - ++ type: enum ++ name: encap_type ++ name-prefix: fou-encap- ++ enum-name: ++ entries: [ unspec, direct, gue ] ++ ++attribute-sets: ++ - ++ name: fou ++ name-prefix: fou-attr- ++ attributes: ++ - ++ name: unspec ++ type: unused ++ - ++ name: port ++ type: u16 ++ byte-order: big-endian ++ - ++ name: af ++ type: u8 ++ - ++ name: ipproto ++ type: u8 ++ - ++ name: type ++ type: u8 ++ - ++ name: remcsum_nopartial ++ type: flag ++ - ++ name: local_v4 ++ type: u32 ++ - ++ name: local_v6 ++ type: binary ++ checks: ++ min-len: 16 ++ - ++ name: peer_v4 ++ type: u32 ++ - ++ name: peer_v6 ++ type: binary ++ checks: ++ min-len: 16 ++ - ++ name: peer_port ++ type: u16 ++ byte-order: big-endian ++ - ++ name: ifindex ++ type: s32 ++ ++operations: ++ list: ++ - ++ name: unspec ++ doc: unused ++ ++ - ++ name: add ++ doc: Add port. ++ attribute-set: fou ++ ++ dont-validate: [ strict, dump ] ++ flags: [ admin-perm ] ++ ++ do: ++ request: &all_attrs ++ attributes: ++ - port ++ - ipproto ++ - type ++ - remcsum_nopartial ++ - local_v4 ++ - peer_v4 ++ - local_v6 ++ - peer_v6 ++ - peer_port ++ - ifindex ++ ++ - ++ name: del ++ doc: Delete port. ++ attribute-set: fou ++ ++ dont-validate: [ strict, dump ] ++ flags: [ admin-perm ] ++ ++ do: ++ request: &select_attrs ++ attributes: ++ - af ++ - ifindex ++ - port ++ - peer_port ++ - local_v4 ++ - peer_v4 ++ - local_v6 ++ - peer_v6 ++ ++ - ++ name: get ++ doc: Get tunnel info. ++ attribute-set: fou ++ dont-validate: [ strict, dump ] ++ ++ do: ++ request: *select_attrs ++ reply: *all_attrs ++ ++ dump: ++ reply: *all_attrs +-- +2.51.0 + diff --git a/queue-5.15/sctp-move-sctp_cmd_assoc_shkey-right-after-sctp_cmd_.patch b/queue-5.15/sctp-move-sctp_cmd_assoc_shkey-right-after-sctp_cmd_.patch new file mode 100644 index 0000000000..7cee4402c7 --- /dev/null +++ b/queue-5.15/sctp-move-sctp_cmd_assoc_shkey-right-after-sctp_cmd_.patch @@ -0,0 +1,101 @@ +From d2147952b5b4aa94fbe8a5716c4779e10bfbd334 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 12:10:26 -0500 +Subject: sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT + +From: Xin Long + +[ Upstream commit a80c9d945aef55b23b54838334345f20251dad83 ] + +A null-ptr-deref was reported in the SCTP transmit path when SCTP-AUTH key +initialization fails: + + ================================================================== + KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f] + CPU: 0 PID: 16 Comm: ksoftirqd/0 Tainted: G W 6.6.0 #2 + RIP: 0010:sctp_packet_bundle_auth net/sctp/output.c:264 [inline] + RIP: 0010:sctp_packet_append_chunk+0xb36/0x1260 net/sctp/output.c:401 + Call Trace: + + sctp_packet_transmit_chunk+0x31/0x250 net/sctp/output.c:189 + sctp_outq_flush_data+0xa29/0x26d0 net/sctp/outqueue.c:1111 + sctp_outq_flush+0xc80/0x1240 net/sctp/outqueue.c:1217 + sctp_cmd_interpreter.isra.0+0x19a5/0x62c0 net/sctp/sm_sideeffect.c:1787 + sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline] + sctp_do_sm+0x1a3/0x670 net/sctp/sm_sideeffect.c:1169 + sctp_assoc_bh_rcv+0x33e/0x640 net/sctp/associola.c:1052 + sctp_inq_push+0x1dd/0x280 net/sctp/inqueue.c:88 + sctp_rcv+0x11ae/0x3100 net/sctp/input.c:243 + sctp6_rcv+0x3d/0x60 net/sctp/ipv6.c:1127 + +The issue is triggered when sctp_auth_asoc_init_active_key() fails in +sctp_sf_do_5_1C_ack() while processing an INIT_ACK. In this case, the +command sequence is currently: + +- SCTP_CMD_PEER_INIT +- SCTP_CMD_TIMER_STOP (T1_INIT) +- SCTP_CMD_TIMER_START (T1_COOKIE) +- SCTP_CMD_NEW_STATE (COOKIE_ECHOED) +- SCTP_CMD_ASSOC_SHKEY +- SCTP_CMD_GEN_COOKIE_ECHO + +If SCTP_CMD_ASSOC_SHKEY fails, asoc->shkey remains NULL, while +asoc->peer.auth_capable and asoc->peer.peer_chunks have already been set by +SCTP_CMD_PEER_INIT. This allows a DATA chunk with auth = 1 and shkey = NULL +to be queued by sctp_datamsg_from_user(). + +Since command interpretation stops on failure, no COOKIE_ECHO should been +sent via SCTP_CMD_GEN_COOKIE_ECHO. However, the T1_COOKIE timer has already +been started, and it may enqueue a COOKIE_ECHO into the outqueue later. As +a result, the DATA chunk can be transmitted together with the COOKIE_ECHO +in sctp_outq_flush_data(), leading to the observed issue. + +Similar to the other places where it calls sctp_auth_asoc_init_active_key() +right after sctp_process_init(), this patch moves the SCTP_CMD_ASSOC_SHKEY +immediately after SCTP_CMD_PEER_INIT, before stopping T1_INIT and starting +T1_COOKIE. This ensures that if shared key generation fails, authenticated +DATA cannot be sent. It also allows the T1_INIT timer to retransmit INIT, +giving the client another chance to process INIT_ACK and retry key setup. + +Fixes: 730fc3d05cd4 ("[SCTP]: Implete SCTP-AUTH parameter processing") +Reported-by: Zhen Chen +Tested-by: Zhen Chen +Signed-off-by: Xin Long +Link: https://patch.msgid.link/44881224b375aa8853f5e19b4055a1a56d895813.1768324226.git.lucien.xin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/sm_statefuns.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c +index f9882e0e67b1b..dc758ad0051e0 100644 +--- a/net/sctp/sm_statefuns.c ++++ b/net/sctp/sm_statefuns.c +@@ -601,6 +601,11 @@ enum sctp_disposition sctp_sf_do_5_1C_ack(struct net *net, + sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT, + SCTP_PEER_INIT(initchunk)); + ++ /* SCTP-AUTH: generate the association shared keys so that ++ * we can potentially sign the COOKIE-ECHO. ++ */ ++ sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL()); ++ + /* Reset init error count upon receipt of INIT-ACK. */ + sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); + +@@ -615,11 +620,6 @@ enum sctp_disposition sctp_sf_do_5_1C_ack(struct net *net, + sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, + SCTP_STATE(SCTP_STATE_COOKIE_ECHOED)); + +- /* SCTP-AUTH: generate the association shared keys so that +- * we can potentially sign the COOKIE-ECHO. +- */ +- sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL()); +- + /* 5.1 C) "A" shall then send the State Cookie received in the + * INIT ACK chunk in a COOKIE ECHO chunk, ... + */ +-- +2.51.0 + diff --git a/queue-5.15/selftests-net-convert-fib-onlink-tests.sh-to-run-it-.patch b/queue-5.15/selftests-net-convert-fib-onlink-tests.sh-to-run-it-.patch new file mode 100644 index 0000000000..98bcb4b7f1 --- /dev/null +++ b/queue-5.15/selftests-net-convert-fib-onlink-tests.sh-to-run-it-.patch @@ -0,0 +1,84 @@ +From 0ee8141aafe9e3a20dc8545f78fa2f0f9498e53b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Dec 2023 14:08:53 +0800 +Subject: selftests/net: convert fib-onlink-tests.sh to run it in unique + namespace + +From: Hangbin Liu + +[ Upstream commit 3a06833b2adc0a902f2469ad4ce41ccd64f1f3ab ] + +Remove PEER_CMD, which is not used in this test + +Here is the test result after conversion. + + ]# ./fib-onlink-tests.sh + Error: ipv4: FIB table does not exist. + Flush terminated + Error: ipv6: FIB table does not exist. + Flush terminated + + ######################################## + Configuring interfaces + + ... + + TEST: Gateway resolves to wrong nexthop device - VRF [ OK ] + + Tests passed: 38 + Tests failed: 0 + +Acked-by: David Ahern +Signed-off-by: Hangbin Liu +Link: https://lore.kernel.org/r/20231213060856.4030084-11-liuhangbin@gmail.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: 4f5f148dd7c0 ("selftests: net: fib-onlink-tests: Convert to use namespaces by default") +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/fib-onlink-tests.sh | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/tools/testing/selftests/net/fib-onlink-tests.sh b/tools/testing/selftests/net/fib-onlink-tests.sh +index c287b90b8af80..ec2d6ceb1f08d 100755 +--- a/tools/testing/selftests/net/fib-onlink-tests.sh ++++ b/tools/testing/selftests/net/fib-onlink-tests.sh +@@ -3,6 +3,7 @@ + + # IPv4 and IPv6 onlink tests + ++source lib.sh + PAUSE_ON_FAIL=${PAUSE_ON_FAIL:=no} + VERBOSE=0 + +@@ -74,9 +75,6 @@ TEST_NET4IN6[2]=10.2.1.254 + # mcast address + MCAST6=ff02::1 + +- +-PEER_NS=bart +-PEER_CMD="ip netns exec ${PEER_NS}" + VRF=lisa + VRF_TABLE=1101 + PBR_TABLE=101 +@@ -176,8 +174,7 @@ setup() + set -e + + # create namespace +- ip netns add ${PEER_NS} +- ip -netns ${PEER_NS} li set lo up ++ setup_ns PEER_NS + + # add vrf table + ip li add ${VRF} type vrf table ${VRF_TABLE} +@@ -219,7 +216,7 @@ setup() + cleanup() + { + # make sure we start from a clean slate +- ip netns del ${PEER_NS} 2>/dev/null ++ cleanup_ns ${PEER_NS} 2>/dev/null + for n in 1 3 5 7; do + ip link del ${NETIFS[p${n}]} 2>/dev/null + done +-- +2.51.0 + diff --git a/queue-5.15/selftests-net-fib-onlink-tests-convert-to-use-namesp.patch b/queue-5.15/selftests-net-fib-onlink-tests-convert-to-use-namesp.patch new file mode 100644 index 0000000000..67fd0db227 --- /dev/null +++ b/queue-5.15/selftests-net-fib-onlink-tests-convert-to-use-namesp.patch @@ -0,0 +1,185 @@ +From 0988a747ae7612c0c63226918633bd02837d8ab0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 12:37:44 -0300 +Subject: selftests: net: fib-onlink-tests: Convert to use namespaces by + default +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ricardo B. Marlière + +[ Upstream commit 4f5f148dd7c0459229d2ab9a769b2e820f9ee6a2 ] + +Currently, the test breaks if the SUT already has a default route +configured for IPv6. Fix by avoiding the use of the default namespace. + +Fixes: 4ed591c8ab44 ("net/ipv6: Allow onlink routes to have a device mismatch if it is the default route") +Suggested-by: Fernando Fernandez Mancera +Signed-off-by: Ricardo B. Marlière +Reviewed-by: Ido Schimmel +Reviewed-by: Fernando Fernandez Mancera +Link: https://patch.msgid.link/20260113-selftests-net-fib-onlink-v2-1-89de2b931389@suse.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../testing/selftests/net/fib-onlink-tests.sh | 71 ++++++++----------- + 1 file changed, 30 insertions(+), 41 deletions(-) + +diff --git a/tools/testing/selftests/net/fib-onlink-tests.sh b/tools/testing/selftests/net/fib-onlink-tests.sh +index ec2d6ceb1f08d..c01be076b210d 100755 +--- a/tools/testing/selftests/net/fib-onlink-tests.sh ++++ b/tools/testing/selftests/net/fib-onlink-tests.sh +@@ -120,7 +120,7 @@ log_subsection() + + run_cmd() + { +- local cmd="$*" ++ local cmd="$1" + local out + local rc + +@@ -145,7 +145,7 @@ get_linklocal() + local pfx + local addr + +- addr=$(${pfx} ip -6 -br addr show dev ${dev} | \ ++ addr=$(${pfx} ${IP} -6 -br addr show dev ${dev} | \ + awk '{ + for (i = 3; i <= NF; ++i) { + if ($i ~ /^fe80/) +@@ -173,58 +173,48 @@ setup() + + set -e + +- # create namespace +- setup_ns PEER_NS ++ # create namespaces ++ setup_ns ns1 ++ IP="ip -netns $ns1" ++ setup_ns ns2 + + # add vrf table +- ip li add ${VRF} type vrf table ${VRF_TABLE} +- ip li set ${VRF} up +- ip ro add table ${VRF_TABLE} unreachable default metric 8192 +- ip -6 ro add table ${VRF_TABLE} unreachable default metric 8192 ++ ${IP} li add ${VRF} type vrf table ${VRF_TABLE} ++ ${IP} li set ${VRF} up ++ ${IP} ro add table ${VRF_TABLE} unreachable default metric 8192 ++ ${IP} -6 ro add table ${VRF_TABLE} unreachable default metric 8192 + + # create test interfaces +- ip li add ${NETIFS[p1]} type veth peer name ${NETIFS[p2]} +- ip li add ${NETIFS[p3]} type veth peer name ${NETIFS[p4]} +- ip li add ${NETIFS[p5]} type veth peer name ${NETIFS[p6]} +- ip li add ${NETIFS[p7]} type veth peer name ${NETIFS[p8]} ++ ${IP} li add ${NETIFS[p1]} type veth peer name ${NETIFS[p2]} ++ ${IP} li add ${NETIFS[p3]} type veth peer name ${NETIFS[p4]} ++ ${IP} li add ${NETIFS[p5]} type veth peer name ${NETIFS[p6]} ++ ${IP} li add ${NETIFS[p7]} type veth peer name ${NETIFS[p8]} + + # enslave vrf interfaces + for n in 5 7; do +- ip li set ${NETIFS[p${n}]} vrf ${VRF} ++ ${IP} li set ${NETIFS[p${n}]} vrf ${VRF} + done + + # add addresses + for n in 1 3 5 7; do +- ip li set ${NETIFS[p${n}]} up +- ip addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]} +- ip addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad ++ ${IP} li set ${NETIFS[p${n}]} up ++ ${IP} addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]} ++ ${IP} addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad + done + + # move peer interfaces to namespace and add addresses + for n in 2 4 6 8; do +- ip li set ${NETIFS[p${n}]} netns ${PEER_NS} up +- ip -netns ${PEER_NS} addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]} +- ip -netns ${PEER_NS} addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad ++ ${IP} li set ${NETIFS[p${n}]} netns ${ns2} up ++ ip -netns $ns2 addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]} ++ ip -netns $ns2 addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad + done + +- ip -6 ro add default via ${V6ADDRS[p3]/::[0-9]/::64} +- ip -6 ro add table ${VRF_TABLE} default via ${V6ADDRS[p7]/::[0-9]/::64} ++ ${IP} -6 ro add default via ${V6ADDRS[p3]/::[0-9]/::64} ++ ${IP} -6 ro add table ${VRF_TABLE} default via ${V6ADDRS[p7]/::[0-9]/::64} + + set +e + } + +-cleanup() +-{ +- # make sure we start from a clean slate +- cleanup_ns ${PEER_NS} 2>/dev/null +- for n in 1 3 5 7; do +- ip link del ${NETIFS[p${n}]} 2>/dev/null +- done +- ip link del ${VRF} 2>/dev/null +- ip ro flush table ${VRF_TABLE} +- ip -6 ro flush table ${VRF_TABLE} +-} +- + ################################################################################ + # IPv4 tests + # +@@ -241,7 +231,7 @@ run_ip() + # dev arg may be empty + [ -n "${dev}" ] && dev="dev ${dev}" + +- run_cmd ip ro add table "${table}" "${prefix}"/32 via "${gw}" "${dev}" onlink ++ run_cmd "${IP} ro add table ${table} ${prefix}/32 via ${gw} ${dev} onlink" + log_test $? ${exp_rc} "${desc}" + } + +@@ -257,8 +247,8 @@ run_ip_mpath() + # dev arg may be empty + [ -n "${dev}" ] && dev="dev ${dev}" + +- run_cmd ip ro add table "${table}" "${prefix}"/32 \ +- nexthop via ${nh1} nexthop via ${nh2} ++ run_cmd "${IP} ro add table ${table} ${prefix}/32 \ ++ nexthop via ${nh1} nexthop via ${nh2}" + log_test $? ${exp_rc} "${desc}" + } + +@@ -339,7 +329,7 @@ run_ip6() + # dev arg may be empty + [ -n "${dev}" ] && dev="dev ${dev}" + +- run_cmd ip -6 ro add table "${table}" "${prefix}"/128 via "${gw}" "${dev}" onlink ++ run_cmd "${IP} -6 ro add table ${table} ${prefix}/128 via ${gw} ${dev} onlink" + log_test $? ${exp_rc} "${desc}" + } + +@@ -353,8 +343,8 @@ run_ip6_mpath() + local exp_rc="$6" + local desc="$7" + +- run_cmd ip -6 ro add table "${table}" "${prefix}"/128 "${opts}" \ +- nexthop via ${nh1} nexthop via ${nh2} ++ run_cmd "${IP} -6 ro add table ${table} ${prefix}/128 ${opts} \ ++ nexthop via ${nh1} nexthop via ${nh2}" + log_test $? ${exp_rc} "${desc}" + } + +@@ -491,10 +481,9 @@ do + esac + done + +-cleanup + setup + run_onlink_tests +-cleanup ++cleanup_ns ${ns1} ${ns2} + + if [ "$TESTS" != "none" ]; then + printf "\nTests passed: %3d\n" ${nsuccess} +-- +2.51.0 + diff --git a/queue-5.15/series b/queue-5.15/series index a96a91a9a0..22719ddd6c 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -63,3 +63,19 @@ selftests-ptp-add-x-option-for-testing-ptp_sys_offse.patch-2439 ptp-add-testptp-mask-test.patch selftest-ptp-update-ptp-selftest-to-exercise-the-get.patch testptp-add-option-to-open-phc-in-readonly-mode.patch +net-usb-dm9601-remove-broken-sr9700-support.patch +bonding-limit-bond_mode_8023ad-to-ethernet-devices.patch +selftests-net-convert-fib-onlink-tests.sh-to-run-it-.patch +selftests-net-fib-onlink-tests-convert-to-use-namesp.patch +sctp-move-sctp_cmd_assoc_shkey-right-after-sctp_cmd_.patch +amd-xgbe-avoid-misleading-per-packet-error-log.patch +gue-fix-skb-memleak-with-inner-ip-protocol-0.patch +netlink-add-a-proto-specification-for-fou.patch +net-fou-rename-the-source-for-linking.patch +net-fou-use-policy-and-operation-tables-generated-fr.patch +fou-don-t-allow-0-for-fou_attr_ipproto.patch +l2tp-avoid-one-data-race-in-l2tp_tunnel_del_work.patch +ipvlan-make-the-addrs_lock-be-per-port.patch +net-sched-enforce-that-teql-can-only-be-used-as-root.patch +net-sched-qfq-use-cl_is_active-to-determine-whether-.patch +crypto-authencesn-reject-too-short-aad-assoclen-8-to.patch diff --git a/queue-6.1/amd-xgbe-avoid-misleading-per-packet-error-log.patch b/queue-6.1/amd-xgbe-avoid-misleading-per-packet-error-log.patch new file mode 100644 index 0000000000..7b5d1d22be --- /dev/null +++ b/queue-6.1/amd-xgbe-avoid-misleading-per-packet-error-log.patch @@ -0,0 +1,49 @@ +From ca9c31dcaff134cca1afcc7af9f48783e367d81e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jan 2026 22:00:37 +0530 +Subject: amd-xgbe: avoid misleading per-packet error log + +From: Raju Rangoju + +[ Upstream commit c158f985cf6c2c36c99c4f67af2ff3f5ebe09f8f ] + +On the receive path, packet can be damaged because of buffer +overflow in Rx FIFO. Avoid misleading per-packet error log when +packet->errors is set, this can flood the log. Instead, rely on the +standard rtnl_link_stats64 stats. + +Fixes: c5aa9e3b8156 ("amd-xgbe: Initial AMD 10GbE platform driver") +Signed-off-by: Raju Rangoju +Link: https://patch.msgid.link/20260114163037.2062606-1-Raju.Rangoju@amd.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c +index b4d57da71de2a..3d6f8f3a83366 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c +@@ -2105,7 +2105,7 @@ static void xgbe_get_stats64(struct net_device *netdev, + s->multicast = pstats->rxmulticastframes_g; + s->rx_length_errors = pstats->rxlengtherror; + s->rx_crc_errors = pstats->rxcrcerror; +- s->rx_fifo_errors = pstats->rxfifooverflow; ++ s->rx_over_errors = pstats->rxfifooverflow; + + s->tx_packets = pstats->txframecount_gb; + s->tx_bytes = pstats->txoctetcount_gb; +@@ -2559,9 +2559,6 @@ static int xgbe_rx_poll(struct xgbe_channel *channel, int budget) + goto read_again; + + if (error || packet->errors) { +- if (packet->errors) +- netif_err(pdata, rx_err, netdev, +- "error in received packet\n"); + dev_kfree_skb(skb); + goto next_packet; + } +-- +2.51.0 + diff --git a/queue-6.1/ata-libata-add-cpr_log-to-ata_dev_print_features-ear.patch b/queue-6.1/ata-libata-add-cpr_log-to-ata_dev_print_features-ear.patch new file mode 100644 index 0000000000..6625dcd1b4 --- /dev/null +++ b/queue-6.1/ata-libata-add-cpr_log-to-ata_dev_print_features-ear.patch @@ -0,0 +1,43 @@ +From ec6f9ac67d0cecda46e68eb4dedfbbad6a89239f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 13:20:49 +0100 +Subject: ata: libata: Add cpr_log to ata_dev_print_features() early return + +From: Niklas Cassel + +[ Upstream commit a6bee5e5243ad02cae575becc4c83df66fc29573 ] + +ata_dev_print_features() is supposed to return early and not print anything +if there are no features supported. + +However, commit fe22e1c2f705 ("libata: support concurrent positioning +ranges log") added another feature to ata_dev_print_features() without +updating the early return conditional. + +Add the missing feature to the early return conditional. + +Fixes: fe22e1c2f705 ("libata: support concurrent positioning ranges log") +Signed-off-by: Niklas Cassel +Tested-by: Wolf +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c +index 14bcfebf20b8f..98d610c37e8c7 100644 +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -2597,7 +2597,7 @@ static void ata_dev_config_cpr(struct ata_device *dev) + + static void ata_dev_print_features(struct ata_device *dev) + { +- if (!(dev->flags & ATA_DFLAG_FEATURES_MASK)) ++ if (!(dev->flags & ATA_DFLAG_FEATURES_MASK) && !dev->cpr_log) + return; + + ata_dev_info(dev, +-- +2.51.0 + diff --git a/queue-6.1/ata-libata-call-ata_dev_config_lpm-for-atapi-devices.patch b/queue-6.1/ata-libata-call-ata_dev_config_lpm-for-atapi-devices.patch new file mode 100644 index 0000000000..181052c464 --- /dev/null +++ b/queue-6.1/ata-libata-call-ata_dev_config_lpm-for-atapi-devices.patch @@ -0,0 +1,48 @@ +From c5fa3b1d713e1213dffa8b64e2a609bf261536c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 13:20:47 +0100 +Subject: ata: libata: Call ata_dev_config_lpm() for ATAPI devices + +From: Niklas Cassel + +[ Upstream commit 8f3fb33f8f3f825c708ece800c921977c157f9b6 ] + +Commit d360121832d8 ("ata: libata-core: Introduce ata_dev_config_lpm()") +introduced ata_dev_config_lpm(). However, it only called this function for +ATA_DEV_ATA and ATA_DEV_ZAC devices, not for ATA_DEV_ATAPI devices. + +Additionally, commit d99a9142e782 ("ata: libata-core: Move device LPM quirk +settings to ata_dev_config_lpm()") moved the LPM quirk application from +ata_dev_configure() to ata_dev_config_lpm(), causing LPM quirks for ATAPI +devices to no longer be applied. + +Call ata_dev_config_lpm() also for ATAPI devices, such that LPM quirks are +applied for ATAPI devices with an entry in __ata_dev_quirks once again. + +Fixes: d360121832d8 ("ata: libata-core: Introduce ata_dev_config_lpm()") +Fixes: d99a9142e782 ("ata: libata-core: Move device LPM quirk settings to ata_dev_config_lpm()") +Signed-off-by: Niklas Cassel +Tested-by: Wolf +Signed-off-by: Damien Le Moal +Stable-dep-of: c8c6fb886f57 ("ata: libata: Print features also for ATAPI devices") +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-core.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c +index 1277b80726535..3fb7f7a5181a9 100644 +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -2882,6 +2882,8 @@ int ata_dev_configure(struct ata_device *dev) + ata_mode_string(xfer_mask), + cdb_intr_string, atapi_an_string, + dma_dir_string); ++ ++ ata_dev_config_lpm(dev); + } + + /* determine max_sectors */ +-- +2.51.0 + diff --git a/queue-6.1/ata-libata-cleanup-fua-support-detection.patch b/queue-6.1/ata-libata-cleanup-fua-support-detection.patch new file mode 100644 index 0000000000..bdfeac7799 --- /dev/null +++ b/queue-6.1/ata-libata-cleanup-fua-support-detection.patch @@ -0,0 +1,226 @@ +From ae98e781252cbc289ab7899be4b9dd4555ed7b14 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Oct 2022 18:05:38 +0900 +Subject: ata: libata: cleanup fua support detection + +From: Damien Le Moal + +[ Upstream commit 4d2e4980a5289ae31a1cff40d258b68573182a37 ] + +Move the detection of a device FUA support from +ata_scsiop_mode_sense()/ata_dev_supports_fua() to device scan time in +ata_dev_configure(). + +The function ata_dev_config_fua() is introduced to detect if a device +supports FUA and this support is indicated using the new device flag +ATA_DFLAG_FUA. + +In order to blacklist known buggy devices, the horkage flag +ATA_HORKAGE_NO_FUA is introduced. Similarly to other horkage flags, the +libata.force= arguments "fua" and "nofua" are also introduced to allow +a user to control this horkage flag through the "force" libata +module parameter. + +The ATA_DFLAG_FUA device flag is set only and only if all the following +conditions are met: +* libata.fua module parameter is set to 1 +* The device supports the WRITE DMA FUA EXT command, +* The device is not marked with the ATA_HORKAGE_NO_FUA flag, either from + the blacklist or set by the user with libata.force=nofua +* The device supports NCQ (while this is not mandated by the standards, + this restriction is introduced to avoid problems with older non-NCQ + devices). + +Enabling or diabling libata FUA support for all devices can now also be +done using the "force=[no]fua" module parameter when libata.fua is set +to 1. + +Signed-off-by: Damien Le Moal +Reviewed-by: Hannes Reinecke +Reviewed-by: Chaitanya Kulkarni +Reviewed-by: Christoph Hellwig +Reviewed-by: Johannes Thumshirn +Reviewed-by: Niklas Cassel +Stable-dep-of: c8c6fb886f57 ("ata: libata: Print features also for ATAPI devices") +Signed-off-by: Sasha Levin +--- + .../admin-guide/kernel-parameters.txt | 3 ++ + drivers/ata/libata-core.c | 30 ++++++++++++++++++- + drivers/ata/libata-scsi.c | 30 ++----------------- + include/linux/libata.h | 8 +++-- + 4 files changed, 39 insertions(+), 32 deletions(-) + +diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt +index 05ab068c1cc6d..b026eb1c4c7db 100644 +--- a/Documentation/admin-guide/kernel-parameters.txt ++++ b/Documentation/admin-guide/kernel-parameters.txt +@@ -2852,6 +2852,9 @@ + * [no]setxfer: Indicate if transfer speed mode setting + should be skipped. + ++ * [no]fua: Disable or enable FUA (Force Unit Access) ++ support for devices supporting this feature. ++ + * dump_id: Dump IDENTIFY data. + + * disable: Disable this device. +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c +index 98d610c37e8c7..31c8156a4f3d3 100644 +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -2513,6 +2513,28 @@ static void ata_dev_config_chs(struct ata_device *dev) + dev->heads, dev->sectors); + } + ++static void ata_dev_config_fua(struct ata_device *dev) ++{ ++ /* Ignore FUA support if its use is disabled globally */ ++ if (!libata_fua) ++ goto nofua; ++ ++ /* Ignore devices without support for WRITE DMA FUA EXT */ ++ if (!(dev->flags & ATA_DFLAG_LBA48) || !ata_id_has_fua(dev->id)) ++ goto nofua; ++ ++ /* Ignore known bad devices and devices that lack NCQ support */ ++ if (!ata_ncq_supported(dev) || (dev->horkage & ATA_HORKAGE_NO_FUA)) ++ goto nofua; ++ ++ dev->flags |= ATA_DFLAG_FUA; ++ ++ return; ++ ++nofua: ++ dev->flags &= ~ATA_DFLAG_FUA; ++} ++ + static void ata_dev_config_devslp(struct ata_device *dev) + { + u8 *sata_setting = dev->link->ap->sector_buf; +@@ -2601,7 +2623,8 @@ static void ata_dev_print_features(struct ata_device *dev) + return; + + ata_dev_info(dev, +- "Features:%s%s%s%s%s%s\n", ++ "Features:%s%s%s%s%s%s%s\n", ++ dev->flags & ATA_DFLAG_FUA ? " FUA" : "", + dev->flags & ATA_DFLAG_TRUSTED ? " Trust" : "", + dev->flags & ATA_DFLAG_DA ? " Dev-Attention" : "", + dev->flags & ATA_DFLAG_DEVSLP ? " Dev-Sleep" : "", +@@ -2762,6 +2785,7 @@ int ata_dev_configure(struct ata_device *dev) + ata_dev_config_chs(dev); + } + ++ ata_dev_config_fua(dev); + ata_dev_config_devslp(dev); + ata_dev_config_sense_reporting(dev); + ata_dev_config_zac(dev); +@@ -4199,6 +4223,9 @@ static const struct ata_blacklist_entry ata_device_blacklist [] = { + */ + { "SATADOM-ML 3ME", NULL, ATA_HORKAGE_NO_LOG_DIR }, + ++ /* Buggy FUA */ ++ { "Maxtor", "BANC1G10", ATA_HORKAGE_NO_FUA }, ++ + /* End Marker */ + { } + }; +@@ -6351,6 +6378,7 @@ static const struct ata_force_param force_tbl[] __initconst = { + force_horkage_onoff(lpm, ATA_HORKAGE_NOLPM), + force_horkage_onoff(setxfer, ATA_HORKAGE_NOSETXFER), + force_horkage_on(dump_id, ATA_HORKAGE_DUMP_ID), ++ force_horkage_onoff(fua, ATA_HORKAGE_NO_FUA), + + force_horkage_on(disable, ATA_HORKAGE_DISABLE), + }; +diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c +index c838bc8cc4f3d..430970db482a8 100644 +--- a/drivers/ata/libata-scsi.c ++++ b/drivers/ata/libata-scsi.c +@@ -2283,30 +2283,6 @@ static unsigned int ata_msense_rw_recovery(u8 *buf, bool changeable) + return sizeof(def_rw_recovery_mpage); + } + +-/* +- * We can turn this into a real blacklist if it's needed, for now just +- * blacklist any Maxtor BANC1G10 revision firmware +- */ +-static int ata_dev_supports_fua(u16 *id) +-{ +- unsigned char model[ATA_ID_PROD_LEN + 1], fw[ATA_ID_FW_REV_LEN + 1]; +- +- if (!libata_fua) +- return 0; +- if (!ata_id_has_fua(id)) +- return 0; +- +- ata_id_c_string(id, model, ATA_ID_PROD, sizeof(model)); +- ata_id_c_string(id, fw, ATA_ID_FW_REV, sizeof(fw)); +- +- if (strcmp(model, "Maxtor")) +- return 1; +- if (strcmp(fw, "BANC1G10")) +- return 1; +- +- return 0; /* blacklisted */ +-} +- + /** + * ata_scsiop_mode_sense - Simulate MODE SENSE 6, 10 commands + * @args: device IDENTIFY data / SCSI command of interest. +@@ -2330,7 +2306,7 @@ static unsigned int ata_scsiop_mode_sense(struct ata_scsi_args *args, u8 *rbuf) + }; + u8 pg, spg; + unsigned int ebd, page_control, six_byte; +- u8 dpofua, bp = 0xff; ++ u8 dpofua = 0, bp = 0xff; + u16 fp; + + six_byte = (scsicmd[0] == MODE_SENSE); +@@ -2393,9 +2369,7 @@ static unsigned int ata_scsiop_mode_sense(struct ata_scsi_args *args, u8 *rbuf) + goto invalid_fld; + } + +- dpofua = 0; +- if (ata_dev_supports_fua(args->id) && (dev->flags & ATA_DFLAG_LBA48) && +- (!(dev->flags & ATA_DFLAG_PIO) || dev->multi_count)) ++ if (dev->flags & ATA_DFLAG_FUA) + dpofua = 1 << 4; + + if (six_byte) { +diff --git a/include/linux/libata.h b/include/linux/libata.h +index 99886930fb819..d7f86de11d18e 100644 +--- a/include/linux/libata.h ++++ b/include/linux/libata.h +@@ -90,6 +90,7 @@ enum { + ATA_DFLAG_ACPI_FAILED = (1 << 6), /* ACPI on devcfg has failed */ + ATA_DFLAG_AN = (1 << 7), /* AN configured */ + ATA_DFLAG_TRUSTED = (1 << 8), /* device supports trusted send/recv */ ++ ATA_DFLAG_FUA = (1 << 9), /* device supports FUA */ + ATA_DFLAG_DMADIR = (1 << 10), /* device requires DMADIR */ + ATA_DFLAG_CFG_MASK = (1 << 12) - 1, + +@@ -114,9 +115,9 @@ enum { + ATA_DFLAG_D_SENSE = (1 << 29), /* Descriptor sense requested */ + ATA_DFLAG_ZAC = (1 << 30), /* ZAC device */ + +- ATA_DFLAG_FEATURES_MASK = ATA_DFLAG_TRUSTED | ATA_DFLAG_DA | \ +- ATA_DFLAG_DEVSLP | ATA_DFLAG_NCQ_SEND_RECV | \ +- ATA_DFLAG_NCQ_PRIO, ++ ATA_DFLAG_FEATURES_MASK = (ATA_DFLAG_TRUSTED | ATA_DFLAG_DA | \ ++ ATA_DFLAG_DEVSLP | ATA_DFLAG_NCQ_SEND_RECV | \ ++ ATA_DFLAG_NCQ_PRIO | ATA_DFLAG_FUA), + + ATA_DEV_UNKNOWN = 0, /* unknown device */ + ATA_DEV_ATA = 1, /* ATA device */ +@@ -389,6 +390,7 @@ enum { + ATA_HORKAGE_NO_NCQ_ON_ATI = (1 << 27), /* Disable NCQ on ATI chipset */ + ATA_HORKAGE_NO_ID_DEV_LOG = (1 << 28), /* Identify device log missing */ + ATA_HORKAGE_NO_LOG_DIR = (1 << 29), /* Do not read log directory */ ++ ATA_HORKAGE_NO_FUA = (1 << 30), /* Do not use FUA */ + + /* DMA mask for user DMA control: User visible values; DO NOT + renumber */ +-- +2.51.0 + diff --git a/queue-6.1/ata-libata-core-introduce-ata_dev_config_lpm.patch b/queue-6.1/ata-libata-core-introduce-ata_dev_config_lpm.patch new file mode 100644 index 0000000000..9c33829d44 --- /dev/null +++ b/queue-6.1/ata-libata-core-introduce-ata_dev_config_lpm.patch @@ -0,0 +1,79 @@ +From 945e78c24453cd996c4239b951382335a791bd8a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Jul 2025 21:53:12 +0900 +Subject: ata: libata-core: Introduce ata_dev_config_lpm() + +From: Damien Le Moal + +[ Upstream commit d360121832d8a36871249271df5b9ff05f835f62 ] + +If the port of a device does not support Device Initiated Power +Management (DIPM), that is, the port is flagged with ATA_FLAG_NO_DIPM, +the DIPM feature of a device should not be used. Though DIPM is disabled +by default on a device, the "Software Settings Preservation feature" +may keep DIPM enabled or DIPM may have been enabled by the system +firmware. + +Introduce the function ata_dev_config_lpm() to always disable DIPM on a +device that supports this feature if the port of the device is flagged +with ATA_FLAG_NO_DIPM. ata_dev_config_lpm() is called from +ata_dev_configure(), ensuring that a device DIPM feature is disabled +when it cannot be used. + +Signed-off-by: Damien Le Moal +Reviewed-by: Niklas Cassel +Reviewed-by: Hannes Reinecke +Link: https://lore.kernel.org/r/20250701125321.69496-2-dlemoal@kernel.org +Signed-off-by: Niklas Cassel +Stable-dep-of: c8c6fb886f57 ("ata: libata: Print features also for ATAPI devices") +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-core.c | 25 +++++++++++++++++++++++++ + 1 file changed, 25 insertions(+) + +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c +index 31c8156a4f3d3..1277b80726535 100644 +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -2617,6 +2617,30 @@ static void ata_dev_config_cpr(struct ata_device *dev) + kfree(buf); + } + ++/* ++ * Configure features related to link power management. ++ */ ++static void ata_dev_config_lpm(struct ata_device *dev) ++{ ++ struct ata_port *ap = dev->link->ap; ++ unsigned int err_mask; ++ ++ /* ++ * Device Initiated Power Management (DIPM) is normally disabled by ++ * default on a device. However, DIPM may have been enabled and that ++ * setting kept even after COMRESET because of the Software Settings ++ * Preservation feature. So if the port does not support DIPM and the ++ * device does, disable DIPM on the device. ++ */ ++ if (ap->flags & ATA_FLAG_NO_DIPM && ata_id_has_dipm(dev->id)) { ++ err_mask = ata_dev_set_feature(dev, ++ SETFEATURES_SATA_DISABLE, SATA_DIPM); ++ if (err_mask && err_mask != AC_ERR_DEV) ++ ata_dev_err(dev, "Disable DIPM failed, Emask 0x%x\n", ++ err_mask); ++ } ++} ++ + static void ata_dev_print_features(struct ata_device *dev) + { + if (!(dev->flags & ATA_DFLAG_FEATURES_MASK) && !dev->cpr_log) +@@ -2785,6 +2809,7 @@ int ata_dev_configure(struct ata_device *dev) + ata_dev_config_chs(dev); + } + ++ ata_dev_config_lpm(dev); + ata_dev_config_fua(dev); + ata_dev_config_devslp(dev); + ata_dev_config_sense_reporting(dev); +-- +2.51.0 + diff --git a/queue-6.1/ata-libata-introduce-ata_ncq_supported.patch b/queue-6.1/ata-libata-introduce-ata_ncq_supported.patch new file mode 100644 index 0000000000..4458584435 --- /dev/null +++ b/queue-6.1/ata-libata-introduce-ata_ncq_supported.patch @@ -0,0 +1,75 @@ +From 8eb3f7c7468970d4580413bec28d39d4eb1ab17b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Oct 2022 13:07:55 +0900 +Subject: ata: libata: Introduce ata_ncq_supported() + +From: Damien Le Moal + +[ Upstream commit fa5bde139ee43ab91087c01e690c61aec957c339 ] + +Introduce the inline helper function ata_ncq_supported() to test if a +device supports NCQ commands. The function ata_ncq_enabled() is also +rewritten using this new helper function. + +Signed-off-by: Damien Le Moal +Reviewed-by: Hannes Reinecke +Reviewed-by: Chaitanya Kulkarni +Reviewed-by: Christoph Hellwig +Reviewed-by: Johannes Thumshirn +Reviewed-by: Niklas Cassel +Stable-dep-of: c8c6fb886f57 ("ata: libata: Print features also for ATAPI devices") +Signed-off-by: Sasha Levin +--- + include/linux/libata.h | 28 +++++++++++++++++++++------- + 1 file changed, 21 insertions(+), 7 deletions(-) + +diff --git a/include/linux/libata.h b/include/linux/libata.h +index 363462d3f0773..99886930fb819 100644 +--- a/include/linux/libata.h ++++ b/include/linux/libata.h +@@ -1694,21 +1694,35 @@ extern struct ata_device *ata_dev_next(struct ata_device *dev, + (dev) = ata_dev_next((dev), (link), ATA_DITER_##mode)) + + /** +- * ata_ncq_enabled - Test whether NCQ is enabled +- * @dev: ATA device to test for ++ * ata_ncq_supported - Test whether NCQ is supported ++ * @dev: ATA device to test + * + * LOCKING: + * spin_lock_irqsave(host lock) + * + * RETURNS: +- * 1 if NCQ is enabled for @dev, 0 otherwise. ++ * true if @dev supports NCQ, false otherwise. + */ +-static inline int ata_ncq_enabled(struct ata_device *dev) ++static inline bool ata_ncq_supported(struct ata_device *dev) + { + if (!IS_ENABLED(CONFIG_SATA_HOST)) +- return 0; +- return (dev->flags & (ATA_DFLAG_PIO | ATA_DFLAG_NCQ_OFF | +- ATA_DFLAG_NCQ)) == ATA_DFLAG_NCQ; ++ return false; ++ return (dev->flags & (ATA_DFLAG_PIO | ATA_DFLAG_NCQ)) == ATA_DFLAG_NCQ; ++} ++ ++/** ++ * ata_ncq_enabled - Test whether NCQ is enabled ++ * @dev: ATA device to test ++ * ++ * LOCKING: ++ * spin_lock_irqsave(host lock) ++ * ++ * RETURNS: ++ * true if NCQ is enabled for @dev, false otherwise. ++ */ ++static inline bool ata_ncq_enabled(struct ata_device *dev) ++{ ++ return ata_ncq_supported(dev) && !(dev->flags & ATA_DFLAG_NCQ_OFF); + } + + static inline bool ata_fpdma_dsm_supported(struct ata_device *dev) +-- +2.51.0 + diff --git a/queue-6.1/ata-libata-print-features-also-for-atapi-devices.patch b/queue-6.1/ata-libata-print-features-also-for-atapi-devices.patch new file mode 100644 index 0000000000..f3b39a5b2e --- /dev/null +++ b/queue-6.1/ata-libata-print-features-also-for-atapi-devices.patch @@ -0,0 +1,48 @@ +From 1ebb12d5d0e086533933ea179cdb49b4d53b11bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 13:20:51 +0100 +Subject: ata: libata: Print features also for ATAPI devices + +From: Niklas Cassel + +[ Upstream commit c8c6fb886f57d5bf71fb6de6334a143608d35707 ] + +Commit d633b8a702ab ("libata: print feature list on device scan") +added a print of the features supported by the device for ATA_DEV_ATA and +ATA_DEV_ZAC devices, but not for ATA_DEV_ATAPI devices. + +Fix this by printing the features also for ATAPI devices. + +Before changes: +ata1.00: ATAPI: Slimtype DVD A DU8AESH, 6C2M, max UDMA/133 + +After changes: +ata1.00: ATAPI: Slimtype DVD A DU8AESH, 6C2M, max UDMA/133 +ata1.00: Features: Dev-Attention HIPM DIPM + +Fixes: d633b8a702ab ("libata: print feature list on device scan") +Signed-off-by: Niklas Cassel +Tested-by: Wolf +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c +index 3fb7f7a5181a9..96b13b89f0a73 100644 +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -2884,6 +2884,9 @@ int ata_dev_configure(struct ata_device *dev) + dma_dir_string); + + ata_dev_config_lpm(dev); ++ ++ if (print_info) ++ ata_dev_print_features(dev); + } + + /* determine max_sectors */ +-- +2.51.0 + diff --git a/queue-6.1/bonding-limit-bond_mode_8023ad-to-ethernet-devices.patch b/queue-6.1/bonding-limit-bond_mode_8023ad-to-ethernet-devices.patch new file mode 100644 index 0000000000..ea5d681d2c --- /dev/null +++ b/queue-6.1/bonding-limit-bond_mode_8023ad-to-ethernet-devices.patch @@ -0,0 +1,91 @@ +From 9fc3d5a46935efe2e2e2aeb137b78449305188bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 19:12:01 +0000 +Subject: bonding: limit BOND_MODE_8023AD to Ethernet devices + +From: Eric Dumazet + +[ Upstream commit c84fcb79e5dbde0b8d5aeeaf04282d2149aebcf6 ] + +BOND_MODE_8023AD makes sense for ARPHRD_ETHER only. + +syzbot reported: + + BUG: KASAN: global-out-of-bounds in __hw_addr_create net/core/dev_addr_lists.c:63 [inline] + BUG: KASAN: global-out-of-bounds in __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118 +Read of size 16 at addr ffffffff8bf94040 by task syz.1.3580/19497 + +CPU: 1 UID: 0 PID: 19497 Comm: syz.1.3580 Tainted: G L syzkaller #0 PREEMPT(full) +Tainted: [L]=SOFTLOCKUP +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 +Call Trace: + + dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0xca/0x240 mm/kasan/report.c:482 + kasan_report+0x118/0x150 mm/kasan/report.c:595 + check_region_inline mm/kasan/generic.c:-1 [inline] + kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:200 + __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105 + __hw_addr_create net/core/dev_addr_lists.c:63 [inline] + __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118 + __dev_mc_add net/core/dev_addr_lists.c:868 [inline] + dev_mc_add+0xa1/0x120 net/core/dev_addr_lists.c:886 + bond_enslave+0x2b8b/0x3ac0 drivers/net/bonding/bond_main.c:2180 + do_set_master+0x533/0x6d0 net/core/rtnetlink.c:2963 + do_setlink+0xcf0/0x41c0 net/core/rtnetlink.c:3165 + rtnl_changelink net/core/rtnetlink.c:3776 [inline] + __rtnl_newlink net/core/rtnetlink.c:3935 [inline] + rtnl_newlink+0x161c/0x1c90 net/core/rtnetlink.c:4072 + rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6958 + netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2550 + netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] + netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1344 + netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1894 + sock_sendmsg_nosec net/socket.c:727 [inline] + __sock_sendmsg+0x21c/0x270 net/socket.c:742 + ____sys_sendmsg+0x505/0x820 net/socket.c:2592 + ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2646 + __sys_sendmsg+0x164/0x220 net/socket.c:2678 + do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline] + __do_fast_syscall_32+0x1dc/0x560 arch/x86/entry/syscall_32.c:307 + do_fast_syscall_32+0x34/0x80 arch/x86/entry/syscall_32.c:332 + entry_SYSENTER_compat_after_hwframe+0x84/0x8e + + +The buggy address belongs to the variable: + lacpdu_mcast_addr+0x0/0x40 + +Fixes: 872254dd6b1f ("net/bonding: Enable bonding to enslave non ARPHRD_ETHER") +Reported-by: syzbot+9c081b17773615f24672@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/6966946b.a70a0220.245e30.0002.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Andrew Lunn +Acked-by: Jay Vosburgh +Link: https://patch.msgid.link/20260113191201.3970737-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index cefe37c447a26..dd0ea86d7934a 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1906,6 +1906,12 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev, + */ + if (!bond_has_slaves(bond)) { + if (bond_dev->type != slave_dev->type) { ++ if (slave_dev->type != ARPHRD_ETHER && ++ BOND_MODE(bond) == BOND_MODE_8023AD) { ++ SLAVE_NL_ERR(bond_dev, slave_dev, extack, ++ "8023AD mode requires Ethernet devices"); ++ return -EINVAL; ++ } + slave_dbg(bond_dev, slave_dev, "change device type from %d to %d\n", + bond_dev->type, slave_dev->type); + +-- +2.51.0 + diff --git a/queue-6.1/can-gs_usb-gs_usb_receive_bulk_callback-unanchor-url.patch b/queue-6.1/can-gs_usb-gs_usb_receive_bulk_callback-unanchor-url.patch new file mode 100644 index 0000000000..74bc30e097 --- /dev/null +++ b/queue-6.1/can-gs_usb-gs_usb_receive_bulk_callback-unanchor-url.patch @@ -0,0 +1,61 @@ +From 6ddac67dcf3f902de43f9bd9072ba57d6bd34fd9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jan 2026 14:10:10 +0100 +Subject: can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on + usb_submit_urb() error + +From: Marc Kleine-Budde + +[ Upstream commit 79a6d1bfe1148bc921b8d7f3371a7fbce44e30f7 ] + +In commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix +URB memory leak"), the URB was re-anchored before usb_submit_urb() in +gs_usb_receive_bulk_callback() to prevent a leak of this URB during +cleanup. + +However, this patch did not take into account that usb_submit_urb() could +fail. The URB remains anchored and +usb_kill_anchored_urbs(&parent->rx_submitted) in gs_can_close() loops +infinitely since the anchor list never becomes empty. + +To fix the bug, unanchor the URB when an usb_submit_urb() error occurs, +also print an info message. + +Fixes: 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak") +Reported-by: Jakub Kicinski +Closes: https://lore.kernel.org/all/20260110223836.3890248-1-kuba@kernel.org/ +Link: https://patch.msgid.link/20260116-can_usb-fix-reanchor-v1-1-9d74e7289225@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/usb/gs_usb.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c +index da05c2aa90d7b..f782c3aa179e0 100644 +--- a/drivers/net/can/usb/gs_usb.c ++++ b/drivers/net/can/usb/gs_usb.c +@@ -660,6 +660,10 @@ static void gs_usb_receive_bulk_callback(struct urb *urb) + usb_anchor_urb(urb, &parent->rx_submitted); + + rc = usb_submit_urb(urb, GFP_ATOMIC); ++ if (!rc) ++ return; ++ ++ usb_unanchor_urb(urb); + + /* USB failure take down all interfaces */ + if (rc == -ENODEV) { +@@ -668,6 +672,9 @@ static void gs_usb_receive_bulk_callback(struct urb *urb) + if (parent->canch[rc]) + netif_device_detach(parent->canch[rc]->netdev); + } ++ } else if (rc != -ESHUTDOWN && net_ratelimit()) { ++ netdev_info(netdev, "failed to re-submit IN URB: %pe\n", ++ ERR_PTR(urb->status)); + } + } + +-- +2.51.0 + diff --git a/queue-6.1/crypto-authencesn-reject-too-short-aad-assoclen-8-to.patch b/queue-6.1/crypto-authencesn-reject-too-short-aad-assoclen-8-to.patch new file mode 100644 index 0000000000..a421165d79 --- /dev/null +++ b/queue-6.1/crypto-authencesn-reject-too-short-aad-assoclen-8-to.patch @@ -0,0 +1,53 @@ +From c3f9abadfbf3c5e294032391729b12335d13f639 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jan 2026 16:03:58 +0900 +Subject: crypto: authencesn - reject too-short AAD (assoclen<8) to match + ESP/ESN spec + +From: Taeyang Lee <0wn@theori.io> + +[ Upstream commit 2397e9264676be7794f8f7f1e9763d90bd3c7335 ] + +authencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than +the minimum expected length, crypto_authenc_esn_decrypt() can advance past +the end of the destination scatterlist and trigger a NULL pointer dereference +in scatterwalk_map_and_copy(), leading to a kernel panic (DoS). + +Add a minimum AAD length check to fail fast on invalid inputs. + +Fixes: 104880a6b470 ("crypto: authencesn - Convert to new AEAD interface") +Reported-By: Taeyang Lee <0wn@theori.io> +Signed-off-by: Taeyang Lee <0wn@theori.io> +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/authencesn.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/crypto/authencesn.c b/crypto/authencesn.c +index b60e61b1904cb..6487b35851d54 100644 +--- a/crypto/authencesn.c ++++ b/crypto/authencesn.c +@@ -191,6 +191,9 @@ static int crypto_authenc_esn_encrypt(struct aead_request *req) + struct scatterlist *src, *dst; + int err; + ++ if (assoclen < 8) ++ return -EINVAL; ++ + sg_init_table(areq_ctx->src, 2); + src = scatterwalk_ffwd(areq_ctx->src, req->src, assoclen); + dst = src; +@@ -284,6 +287,9 @@ static int crypto_authenc_esn_decrypt(struct aead_request *req) + u32 tmp[2]; + int err; + ++ if (assoclen < 8) ++ return -EINVAL; ++ + cryptlen -= authsize; + + if (req->src != dst) { +-- +2.51.0 + diff --git a/queue-6.1/fou-don-t-allow-0-for-fou_attr_ipproto.patch b/queue-6.1/fou-don-t-allow-0-for-fou_attr_ipproto.patch new file mode 100644 index 0000000000..9c03f2f338 --- /dev/null +++ b/queue-6.1/fou-don-t-allow-0-for-fou_attr_ipproto.patch @@ -0,0 +1,57 @@ +From 1477ee15bd0e5976007a23e59c51ee781354d887 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jan 2026 17:24:48 +0000 +Subject: fou: Don't allow 0 for FOU_ATTR_IPPROTO. + +From: Kuniyuki Iwashima + +[ Upstream commit 7a9bc9e3f42391e4c187e099263cf7a1c4b69ff5 ] + +fou_udp_recv() has the same problem mentioned in the previous +patch. + +If FOU_ATTR_IPPROTO is set to 0, skb is not freed by +fou_udp_recv() nor "resubmit"-ted in ip_protocol_deliver_rcu(). + +Let's forbid 0 for FOU_ATTR_IPPROTO. + +Fixes: 23461551c0062 ("fou: Support for foo-over-udp RX path") +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20260115172533.693652-4-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + Documentation/netlink/specs/fou.yaml | 2 ++ + net/ipv4/fou_nl.c | 2 +- + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/Documentation/netlink/specs/fou.yaml b/Documentation/netlink/specs/fou.yaml +index 266c386eedf3a..e5753a30a29a2 100644 +--- a/Documentation/netlink/specs/fou.yaml ++++ b/Documentation/netlink/specs/fou.yaml +@@ -36,6 +36,8 @@ attribute-sets: + - + name: ipproto + type: u8 ++ checks: ++ min: 1 + - + name: type + type: u8 +diff --git a/net/ipv4/fou_nl.c b/net/ipv4/fou_nl.c +index 6c3820f41dd5d..5bb8133ed7a89 100644 +--- a/net/ipv4/fou_nl.c ++++ b/net/ipv4/fou_nl.c +@@ -14,7 +14,7 @@ + const struct nla_policy fou_nl_policy[FOU_ATTR_IFINDEX + 1] = { + [FOU_ATTR_PORT] = { .type = NLA_U16, }, + [FOU_ATTR_AF] = { .type = NLA_U8, }, +- [FOU_ATTR_IPPROTO] = { .type = NLA_U8, }, ++ [FOU_ATTR_IPPROTO] = NLA_POLICY_MIN(NLA_U8, 1), + [FOU_ATTR_TYPE] = { .type = NLA_U8, }, + [FOU_ATTR_REMCSUM_NOPARTIAL] = { .type = NLA_FLAG, }, + [FOU_ATTR_LOCAL_V4] = { .type = NLA_U32, }, +-- +2.51.0 + diff --git a/queue-6.1/gue-fix-skb-memleak-with-inner-ip-protocol-0.patch b/queue-6.1/gue-fix-skb-memleak-with-inner-ip-protocol-0.patch new file mode 100644 index 0000000000..a098093ee7 --- /dev/null +++ b/queue-6.1/gue-fix-skb-memleak-with-inner-ip-protocol-0.patch @@ -0,0 +1,82 @@ +From b704d1c29e9338a2c2fae0ca810d734ce501175e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jan 2026 17:24:46 +0000 +Subject: gue: Fix skb memleak with inner IP protocol 0. + +From: Kuniyuki Iwashima + +[ Upstream commit 9a56796ad258786d3624eef5aefba394fc9bdded ] + +syzbot reported skb memleak below. [0] + +The repro generated a GUE packet with its inner protocol 0. + +gue_udp_recv() returns -guehdr->proto_ctype for "resubmit" +in ip_protocol_deliver_rcu(), but this only works with +non-zero protocol number. + +Let's drop such packets. + +Note that 0 is a valid number (IPv6 Hop-by-Hop Option). + +I think it is not practical to encap HOPOPT in GUE, so once +someone starts to complain, we could pass down a resubmit +flag pointer to distinguish two zeros from the upper layer: + + * no error + * resubmit HOPOPT + +[0] +BUG: memory leak +unreferenced object 0xffff888109695a00 (size 240): + comm "syz.0.17", pid 6088, jiffies 4294943096 + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 40 c2 10 81 88 ff ff 00 00 00 00 00 00 00 00 .@.............. + backtrace (crc a84b336f): + kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] + slab_post_alloc_hook mm/slub.c:4958 [inline] + slab_alloc_node mm/slub.c:5263 [inline] + kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270 + __build_skb+0x23/0x60 net/core/skbuff.c:474 + build_skb+0x20/0x190 net/core/skbuff.c:490 + __tun_build_skb drivers/net/tun.c:1541 [inline] + tun_build_skb+0x4a1/0xa40 drivers/net/tun.c:1636 + tun_get_user+0xc12/0x2030 drivers/net/tun.c:1770 + tun_chr_write_iter+0x71/0x120 drivers/net/tun.c:1999 + new_sync_write fs/read_write.c:593 [inline] + vfs_write+0x45d/0x710 fs/read_write.c:686 + ksys_write+0xa7/0x170 fs/read_write.c:738 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: 37dd0247797b1 ("gue: Receive side for Generic UDP Encapsulation") +Reported-by: syzbot+4d8c7d16b0e95c0d0f0d@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/6965534b.050a0220.38aacd.0001.GAE@google.com/ +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20260115172533.693652-2-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/fou.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/ipv4/fou.c b/net/ipv4/fou.c +index c29c976a25965..9d4ae723d2e7d 100644 +--- a/net/ipv4/fou.c ++++ b/net/ipv4/fou.c +@@ -213,6 +213,9 @@ static int gue_udp_recv(struct sock *sk, struct sk_buff *skb) + return gue_control_message(skb, guehdr); + + proto_ctype = guehdr->proto_ctype; ++ if (unlikely(!proto_ctype)) ++ goto drop; ++ + __skb_pull(skb, sizeof(struct udphdr) + hdrlen); + skb_reset_transport_header(skb); + +-- +2.51.0 + diff --git a/queue-6.1/ipvlan-make-the-addrs_lock-be-per-port.patch b/queue-6.1/ipvlan-make-the-addrs_lock-be-per-port.patch new file mode 100644 index 0000000000..aed7ea7ff2 --- /dev/null +++ b/queue-6.1/ipvlan-make-the-addrs_lock-be-per-port.patch @@ -0,0 +1,292 @@ +From 3c11c648dc12392a3ac8a0d1d52da879e8642b7f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 17:24:06 +0300 +Subject: ipvlan: Make the addrs_lock be per port + +From: Dmitry Skorodumov + +[ Upstream commit d3ba32162488283c0a4c5bedd8817aec91748802 ] + +Make the addrs_lock be per port, not per ipvlan dev. + +Initial code seems to be written in the assumption, +that any address change must occur under RTNL. +But it is not so for the case of IPv6. So + +1) Introduce per-port addrs_lock. + +2) It was needed to fix places where it was forgotten +to take lock (ipvlan_open/ipvlan_close) + +This appears to be a very minor problem though. +Since it's highly unlikely that ipvlan_add_addr() will +be called on 2 CPU simultaneously. But nevertheless, +this could cause: + +1) False-negative of ipvlan_addr_busy(): one interface +iterated through all port->ipvlans + ipvlan->addrs +under some ipvlan spinlock, and another added IP +under its own lock. Though this is only possible +for IPv6, since looks like only ipvlan_addr6_event() can be +called without rtnl_lock. + +2) Race since ipvlan_ht_addr_add(port) is called under +different ipvlan->addrs_lock locks + +This should not affect performance, since add/remove IP +is a rare situation and spinlock is not taken on fast +paths. + +Fixes: 8230819494b3 ("ipvlan: use per device spinlock to protect addrs list updates") +Signed-off-by: Dmitry Skorodumov +Reviewed-by: Paolo Abeni +Link: https://patch.msgid.link/20260112142417.4039566-2-skorodumov.dmitry@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ipvlan/ipvlan.h | 2 +- + drivers/net/ipvlan/ipvlan_core.c | 16 +++++------ + drivers/net/ipvlan/ipvlan_main.c | 49 +++++++++++++++++++------------- + 3 files changed, 37 insertions(+), 30 deletions(-) + +diff --git a/drivers/net/ipvlan/ipvlan.h b/drivers/net/ipvlan/ipvlan.h +index 025e0c19ec255..fce3ced90bd3d 100644 +--- a/drivers/net/ipvlan/ipvlan.h ++++ b/drivers/net/ipvlan/ipvlan.h +@@ -69,7 +69,6 @@ struct ipvl_dev { + DECLARE_BITMAP(mac_filters, IPVLAN_MAC_FILTER_SIZE); + netdev_features_t sfeatures; + u32 msg_enable; +- spinlock_t addrs_lock; + }; + + struct ipvl_addr { +@@ -90,6 +89,7 @@ struct ipvl_port { + struct net_device *dev; + possible_net_t pnet; + struct hlist_head hlhead[IPVLAN_HASH_SIZE]; ++ spinlock_t addrs_lock; /* guards hash-table and addrs */ + struct list_head ipvlans; + u16 mode; + u16 flags; +diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c +index a8017424ab538..bf57e4427eb4f 100644 +--- a/drivers/net/ipvlan/ipvlan_core.c ++++ b/drivers/net/ipvlan/ipvlan_core.c +@@ -107,17 +107,15 @@ void ipvlan_ht_addr_del(struct ipvl_addr *addr) + struct ipvl_addr *ipvlan_find_addr(const struct ipvl_dev *ipvlan, + const void *iaddr, bool is_v6) + { +- struct ipvl_addr *addr, *ret = NULL; ++ struct ipvl_addr *addr; + +- rcu_read_lock(); +- list_for_each_entry_rcu(addr, &ipvlan->addrs, anode) { +- if (addr_equal(is_v6, addr, iaddr)) { +- ret = addr; +- break; +- } ++ assert_spin_locked(&ipvlan->port->addrs_lock); ++ ++ list_for_each_entry(addr, &ipvlan->addrs, anode) { ++ if (addr_equal(is_v6, addr, iaddr)) ++ return addr; + } +- rcu_read_unlock(); +- return ret; ++ return NULL; + } + + bool ipvlan_addr_busy(struct ipvl_port *port, void *iaddr, bool is_v6) +diff --git a/drivers/net/ipvlan/ipvlan_main.c b/drivers/net/ipvlan/ipvlan_main.c +index fbf2d5b67aafa..a9aeaa9b5779d 100644 +--- a/drivers/net/ipvlan/ipvlan_main.c ++++ b/drivers/net/ipvlan/ipvlan_main.c +@@ -74,6 +74,7 @@ static int ipvlan_port_create(struct net_device *dev) + for (idx = 0; idx < IPVLAN_HASH_SIZE; idx++) + INIT_HLIST_HEAD(&port->hlhead[idx]); + ++ spin_lock_init(&port->addrs_lock); + skb_queue_head_init(&port->backlog); + INIT_WORK(&port->wq, ipvlan_process_multicast); + ida_init(&port->ida); +@@ -179,6 +180,7 @@ static void ipvlan_uninit(struct net_device *dev) + static int ipvlan_open(struct net_device *dev) + { + struct ipvl_dev *ipvlan = netdev_priv(dev); ++ struct ipvl_port *port = ipvlan->port; + struct ipvl_addr *addr; + + if (ipvlan->port->mode == IPVLAN_MODE_L3 || +@@ -187,10 +189,10 @@ static int ipvlan_open(struct net_device *dev) + else + dev->flags &= ~IFF_NOARP; + +- rcu_read_lock(); +- list_for_each_entry_rcu(addr, &ipvlan->addrs, anode) ++ spin_lock_bh(&port->addrs_lock); ++ list_for_each_entry(addr, &ipvlan->addrs, anode) + ipvlan_ht_addr_add(ipvlan, addr); +- rcu_read_unlock(); ++ spin_unlock_bh(&port->addrs_lock); + + return 0; + } +@@ -204,10 +206,10 @@ static int ipvlan_stop(struct net_device *dev) + dev_uc_unsync(phy_dev, dev); + dev_mc_unsync(phy_dev, dev); + +- rcu_read_lock(); +- list_for_each_entry_rcu(addr, &ipvlan->addrs, anode) ++ spin_lock_bh(&ipvlan->port->addrs_lock); ++ list_for_each_entry(addr, &ipvlan->addrs, anode) + ipvlan_ht_addr_del(addr); +- rcu_read_unlock(); ++ spin_unlock_bh(&ipvlan->port->addrs_lock); + + return 0; + } +@@ -574,7 +576,6 @@ int ipvlan_link_new(struct net *src_net, struct net_device *dev, + if (!tb[IFLA_MTU]) + ipvlan_adjust_mtu(ipvlan, phy_dev); + INIT_LIST_HEAD(&ipvlan->addrs); +- spin_lock_init(&ipvlan->addrs_lock); + + /* TODO Probably put random address here to be presented to the + * world but keep using the physical-dev address for the outgoing +@@ -652,13 +653,13 @@ void ipvlan_link_delete(struct net_device *dev, struct list_head *head) + struct ipvl_dev *ipvlan = netdev_priv(dev); + struct ipvl_addr *addr, *next; + +- spin_lock_bh(&ipvlan->addrs_lock); ++ spin_lock_bh(&ipvlan->port->addrs_lock); + list_for_each_entry_safe(addr, next, &ipvlan->addrs, anode) { + ipvlan_ht_addr_del(addr); + list_del_rcu(&addr->anode); + kfree_rcu(addr, rcu); + } +- spin_unlock_bh(&ipvlan->addrs_lock); ++ spin_unlock_bh(&ipvlan->port->addrs_lock); + + ida_simple_remove(&ipvlan->port->ida, dev->dev_id); + list_del_rcu(&ipvlan->pnode); +@@ -805,6 +806,8 @@ static int ipvlan_add_addr(struct ipvl_dev *ipvlan, void *iaddr, bool is_v6) + { + struct ipvl_addr *addr; + ++ assert_spin_locked(&ipvlan->port->addrs_lock); ++ + addr = kzalloc(sizeof(struct ipvl_addr), GFP_ATOMIC); + if (!addr) + return -ENOMEM; +@@ -835,16 +838,16 @@ static void ipvlan_del_addr(struct ipvl_dev *ipvlan, void *iaddr, bool is_v6) + { + struct ipvl_addr *addr; + +- spin_lock_bh(&ipvlan->addrs_lock); ++ spin_lock_bh(&ipvlan->port->addrs_lock); + addr = ipvlan_find_addr(ipvlan, iaddr, is_v6); + if (!addr) { +- spin_unlock_bh(&ipvlan->addrs_lock); ++ spin_unlock_bh(&ipvlan->port->addrs_lock); + return; + } + + ipvlan_ht_addr_del(addr); + list_del_rcu(&addr->anode); +- spin_unlock_bh(&ipvlan->addrs_lock); ++ spin_unlock_bh(&ipvlan->port->addrs_lock); + kfree_rcu(addr, rcu); + } + +@@ -866,14 +869,14 @@ static int ipvlan_add_addr6(struct ipvl_dev *ipvlan, struct in6_addr *ip6_addr) + { + int ret = -EINVAL; + +- spin_lock_bh(&ipvlan->addrs_lock); ++ spin_lock_bh(&ipvlan->port->addrs_lock); + if (ipvlan_addr_busy(ipvlan->port, ip6_addr, true)) + netif_err(ipvlan, ifup, ipvlan->dev, + "Failed to add IPv6=%pI6c addr for %s intf\n", + ip6_addr, ipvlan->dev->name); + else + ret = ipvlan_add_addr(ipvlan, ip6_addr, true); +- spin_unlock_bh(&ipvlan->addrs_lock); ++ spin_unlock_bh(&ipvlan->port->addrs_lock); + return ret; + } + +@@ -912,21 +915,24 @@ static int ipvlan_addr6_validator_event(struct notifier_block *unused, + struct in6_validator_info *i6vi = (struct in6_validator_info *)ptr; + struct net_device *dev = (struct net_device *)i6vi->i6vi_dev->dev; + struct ipvl_dev *ipvlan = netdev_priv(dev); ++ int ret = NOTIFY_OK; + + if (!ipvlan_is_valid_dev(dev)) + return NOTIFY_DONE; + + switch (event) { + case NETDEV_UP: ++ spin_lock_bh(&ipvlan->port->addrs_lock); + if (ipvlan_addr_busy(ipvlan->port, &i6vi->i6vi_addr, true)) { + NL_SET_ERR_MSG(i6vi->extack, + "Address already assigned to an ipvlan device"); +- return notifier_from_errno(-EADDRINUSE); ++ ret = notifier_from_errno(-EADDRINUSE); + } ++ spin_unlock_bh(&ipvlan->port->addrs_lock); + break; + } + +- return NOTIFY_OK; ++ return ret; + } + #endif + +@@ -934,14 +940,14 @@ static int ipvlan_add_addr4(struct ipvl_dev *ipvlan, struct in_addr *ip4_addr) + { + int ret = -EINVAL; + +- spin_lock_bh(&ipvlan->addrs_lock); ++ spin_lock_bh(&ipvlan->port->addrs_lock); + if (ipvlan_addr_busy(ipvlan->port, ip4_addr, false)) + netif_err(ipvlan, ifup, ipvlan->dev, + "Failed to add IPv4=%pI4 on %s intf.\n", + ip4_addr, ipvlan->dev->name); + else + ret = ipvlan_add_addr(ipvlan, ip4_addr, false); +- spin_unlock_bh(&ipvlan->addrs_lock); ++ spin_unlock_bh(&ipvlan->port->addrs_lock); + return ret; + } + +@@ -983,21 +989,24 @@ static int ipvlan_addr4_validator_event(struct notifier_block *unused, + struct in_validator_info *ivi = (struct in_validator_info *)ptr; + struct net_device *dev = (struct net_device *)ivi->ivi_dev->dev; + struct ipvl_dev *ipvlan = netdev_priv(dev); ++ int ret = NOTIFY_OK; + + if (!ipvlan_is_valid_dev(dev)) + return NOTIFY_DONE; + + switch (event) { + case NETDEV_UP: ++ spin_lock_bh(&ipvlan->port->addrs_lock); + if (ipvlan_addr_busy(ipvlan->port, &ivi->ivi_addr, false)) { + NL_SET_ERR_MSG(ivi->extack, + "Address already assigned to an ipvlan device"); +- return notifier_from_errno(-EADDRINUSE); ++ ret = notifier_from_errno(-EADDRINUSE); + } ++ spin_unlock_bh(&ipvlan->port->addrs_lock); + break; + } + +- return NOTIFY_OK; ++ return ret; + } + + static struct notifier_block ipvlan_addr4_notifier_block __read_mostly = { +-- +2.51.0 + diff --git a/queue-6.1/l2tp-avoid-one-data-race-in-l2tp_tunnel_del_work.patch b/queue-6.1/l2tp-avoid-one-data-race-in-l2tp_tunnel_del_work.patch new file mode 100644 index 0000000000..54a52401d6 --- /dev/null +++ b/queue-6.1/l2tp-avoid-one-data-race-in-l2tp_tunnel_del_work.patch @@ -0,0 +1,85 @@ +From 134b677aee2446fb83450f00738188b4ae84699e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jan 2026 09:21:39 +0000 +Subject: l2tp: avoid one data-race in l2tp_tunnel_del_work() + +From: Eric Dumazet + +[ Upstream commit 7a29f6bf60f2590fe5e9c4decb451e19afad2bcf ] + +We should read sk->sk_socket only when dealing with kernel sockets. + +syzbot reported the following data-race: + +BUG: KCSAN: data-race in l2tp_tunnel_del_work / sk_common_release + +write to 0xffff88811c182b20 of 8 bytes by task 5365 on cpu 0: + sk_set_socket include/net/sock.h:2092 [inline] + sock_orphan include/net/sock.h:2118 [inline] + sk_common_release+0xae/0x230 net/core/sock.c:4003 + udp_lib_close+0x15/0x20 include/net/udp.h:325 + inet_release+0xce/0xf0 net/ipv4/af_inet.c:437 + __sock_release net/socket.c:662 [inline] + sock_close+0x6b/0x150 net/socket.c:1455 + __fput+0x29b/0x650 fs/file_table.c:468 + ____fput+0x1c/0x30 fs/file_table.c:496 + task_work_run+0x131/0x1a0 kernel/task_work.c:233 + resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] + __exit_to_user_mode_loop kernel/entry/common.c:44 [inline] + exit_to_user_mode_loop+0x1fe/0x740 kernel/entry/common.c:75 + __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline] + syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline] + syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline] + syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline] + do_syscall_64+0x1e1/0x2b0 arch/x86/entry/syscall_64.c:100 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +read to 0xffff88811c182b20 of 8 bytes by task 827 on cpu 1: + l2tp_tunnel_del_work+0x2f/0x1a0 net/l2tp/l2tp_core.c:1418 + process_one_work kernel/workqueue.c:3257 [inline] + process_scheduled_works+0x4ce/0x9d0 kernel/workqueue.c:3340 + worker_thread+0x582/0x770 kernel/workqueue.c:3421 + kthread+0x489/0x510 kernel/kthread.c:463 + ret_from_fork+0x149/0x290 arch/x86/kernel/process.c:158 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 + +value changed: 0xffff88811b818000 -> 0x0000000000000000 + +Fixes: d00fa9adc528 ("l2tp: fix races with tunnel socket close") +Reported-by: syzbot+7312e82745f7fa2526db@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/6968b029.050a0220.58bed.0016.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: James Chapman +Reviewed-by: Guillaume Nault +Link: https://patch.msgid.link/20260115092139.3066180-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/l2tp/l2tp_core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c +index 70da78ab95202..e0ca08ebd16a9 100644 +--- a/net/l2tp/l2tp_core.c ++++ b/net/l2tp/l2tp_core.c +@@ -1250,8 +1250,6 @@ static void l2tp_tunnel_del_work(struct work_struct *work) + { + struct l2tp_tunnel *tunnel = container_of(work, struct l2tp_tunnel, + del_work); +- struct sock *sk = tunnel->sock; +- struct socket *sock = sk->sk_socket; + + l2tp_tunnel_closeall(tunnel); + +@@ -1259,6 +1257,8 @@ static void l2tp_tunnel_del_work(struct work_struct *work) + * the sk API to release it here. + */ + if (tunnel->fd < 0) { ++ struct socket *sock = tunnel->sock->sk_socket; ++ + if (sock) { + kernel_sock_shutdown(sock, SHUT_RDWR); + sock_release(sock); +-- +2.51.0 + diff --git a/queue-6.1/net-fou-rename-the-source-for-linking.patch b/queue-6.1/net-fou-rename-the-source-for-linking.patch new file mode 100644 index 0000000000..3f0087e45c --- /dev/null +++ b/queue-6.1/net-fou-rename-the-source-for-linking.patch @@ -0,0 +1,43 @@ +From 9f91820ac130c7e13f1318960c18329d621ba8d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jan 2023 09:50:39 -0800 +Subject: net: fou: rename the source for linking + +From: Jakub Kicinski + +[ Upstream commit 08d323234d10eab077cbf0093eeb5991478a261a ] + +We'll need to link two objects together to form the fou module. +This means the source can't be called fou, the build system expects +fou.o to be the combined object. + +Acked-by: Stanislav Fomichev +Signed-off-by: Jakub Kicinski +Signed-off-by: Paolo Abeni +Stable-dep-of: 7a9bc9e3f423 ("fou: Don't allow 0 for FOU_ATTR_IPPROTO.") +Signed-off-by: Sasha Levin +--- + net/ipv4/Makefile | 1 + + net/ipv4/{fou.c => fou_core.c} | 0 + 2 files changed, 1 insertion(+) + rename net/ipv4/{fou.c => fou_core.c} (100%) + +diff --git a/net/ipv4/Makefile b/net/ipv4/Makefile +index bbdd9c44f14e3..e694a5e5b0302 100644 +--- a/net/ipv4/Makefile ++++ b/net/ipv4/Makefile +@@ -26,6 +26,7 @@ obj-$(CONFIG_IP_MROUTE) += ipmr.o + obj-$(CONFIG_IP_MROUTE_COMMON) += ipmr_base.o + obj-$(CONFIG_NET_IPIP) += ipip.o + gre-y := gre_demux.o ++fou-y := fou_core.o + obj-$(CONFIG_NET_FOU) += fou.o + obj-$(CONFIG_NET_IPGRE_DEMUX) += gre.o + obj-$(CONFIG_NET_IPGRE) += ip_gre.o +diff --git a/net/ipv4/fou.c b/net/ipv4/fou_core.c +similarity index 100% +rename from net/ipv4/fou.c +rename to net/ipv4/fou_core.c +-- +2.51.0 + diff --git a/queue-6.1/net-fou-use-policy-and-operation-tables-generated-fr.patch b/queue-6.1/net-fou-use-policy-and-operation-tables-generated-fr.patch new file mode 100644 index 0000000000..375c063eb2 --- /dev/null +++ b/queue-6.1/net-fou-use-policy-and-operation-tables-generated-fr.patch @@ -0,0 +1,233 @@ +From e70ea5c6d67e984570ca297effdac0601f32334d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jan 2023 09:50:40 -0800 +Subject: net: fou: use policy and operation tables generated from the spec + +From: Jakub Kicinski + +[ Upstream commit 1d562c32e4392cc091c940918ee1ffd7bfcb9e96 ] + +Generate and plug in the spec-based tables. + +A little bit of renaming is needed in the FOU code. + +Acked-by: Stanislav Fomichev +Signed-off-by: Jakub Kicinski +Signed-off-by: Paolo Abeni +Stable-dep-of: 7a9bc9e3f423 ("fou: Don't allow 0 for FOU_ATTR_IPPROTO.") +Signed-off-by: Sasha Levin +--- + net/ipv4/Makefile | 2 +- + net/ipv4/fou_core.c | 47 +++++++------------------------------------- + net/ipv4/fou_nl.c | 48 +++++++++++++++++++++++++++++++++++++++++++++ + net/ipv4/fou_nl.h | 25 +++++++++++++++++++++++ + 4 files changed, 81 insertions(+), 41 deletions(-) + create mode 100644 net/ipv4/fou_nl.c + create mode 100644 net/ipv4/fou_nl.h + +diff --git a/net/ipv4/Makefile b/net/ipv4/Makefile +index e694a5e5b0302..d1c8d4beb77d4 100644 +--- a/net/ipv4/Makefile ++++ b/net/ipv4/Makefile +@@ -26,7 +26,7 @@ obj-$(CONFIG_IP_MROUTE) += ipmr.o + obj-$(CONFIG_IP_MROUTE_COMMON) += ipmr_base.o + obj-$(CONFIG_NET_IPIP) += ipip.o + gre-y := gre_demux.o +-fou-y := fou_core.o ++fou-y := fou_core.o fou_nl.o + obj-$(CONFIG_NET_FOU) += fou.o + obj-$(CONFIG_NET_IPGRE_DEMUX) += gre.o + obj-$(CONFIG_NET_IPGRE) += ip_gre.o +diff --git a/net/ipv4/fou_core.c b/net/ipv4/fou_core.c +index 9d4ae723d2e7d..4ee6c424d96b7 100644 +--- a/net/ipv4/fou_core.c ++++ b/net/ipv4/fou_core.c +@@ -19,6 +19,8 @@ + #include + #include + ++#include "fou_nl.h" ++ + struct fou { + struct socket *sock; + u8 protocol; +@@ -662,20 +664,6 @@ static int fou_destroy(struct net *net, struct fou_cfg *cfg) + + static struct genl_family fou_nl_family; + +-static const struct nla_policy fou_nl_policy[FOU_ATTR_MAX + 1] = { +- [FOU_ATTR_PORT] = { .type = NLA_U16, }, +- [FOU_ATTR_AF] = { .type = NLA_U8, }, +- [FOU_ATTR_IPPROTO] = { .type = NLA_U8, }, +- [FOU_ATTR_TYPE] = { .type = NLA_U8, }, +- [FOU_ATTR_REMCSUM_NOPARTIAL] = { .type = NLA_FLAG, }, +- [FOU_ATTR_LOCAL_V4] = { .type = NLA_U32, }, +- [FOU_ATTR_PEER_V4] = { .type = NLA_U32, }, +- [FOU_ATTR_LOCAL_V6] = { .len = sizeof(struct in6_addr), }, +- [FOU_ATTR_PEER_V6] = { .len = sizeof(struct in6_addr), }, +- [FOU_ATTR_PEER_PORT] = { .type = NLA_U16, }, +- [FOU_ATTR_IFINDEX] = { .type = NLA_S32, }, +-}; +- + static int parse_nl_config(struct genl_info *info, + struct fou_cfg *cfg) + { +@@ -767,7 +755,7 @@ static int parse_nl_config(struct genl_info *info, + return 0; + } + +-static int fou_nl_cmd_add_port(struct sk_buff *skb, struct genl_info *info) ++int fou_nl_add_doit(struct sk_buff *skb, struct genl_info *info) + { + struct net *net = genl_info_net(info); + struct fou_cfg cfg; +@@ -780,7 +768,7 @@ static int fou_nl_cmd_add_port(struct sk_buff *skb, struct genl_info *info) + return fou_create(net, &cfg, NULL); + } + +-static int fou_nl_cmd_rm_port(struct sk_buff *skb, struct genl_info *info) ++int fou_nl_del_doit(struct sk_buff *skb, struct genl_info *info) + { + struct net *net = genl_info_net(info); + struct fou_cfg cfg; +@@ -849,7 +837,7 @@ static int fou_dump_info(struct fou *fou, u32 portid, u32 seq, + return -EMSGSIZE; + } + +-static int fou_nl_cmd_get_port(struct sk_buff *skb, struct genl_info *info) ++int fou_nl_get_doit(struct sk_buff *skb, struct genl_info *info) + { + struct net *net = genl_info_net(info); + struct fou_net *fn = net_generic(net, fou_net_id); +@@ -896,7 +884,7 @@ static int fou_nl_cmd_get_port(struct sk_buff *skb, struct genl_info *info) + return ret; + } + +-static int fou_nl_dump(struct sk_buff *skb, struct netlink_callback *cb) ++int fou_nl_get_dumpit(struct sk_buff *skb, struct netlink_callback *cb) + { + struct net *net = sock_net(skb->sk); + struct fou_net *fn = net_generic(net, fou_net_id); +@@ -919,33 +907,12 @@ static int fou_nl_dump(struct sk_buff *skb, struct netlink_callback *cb) + return skb->len; + } + +-static const struct genl_small_ops fou_nl_ops[] = { +- { +- .cmd = FOU_CMD_ADD, +- .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +- .doit = fou_nl_cmd_add_port, +- .flags = GENL_ADMIN_PERM, +- }, +- { +- .cmd = FOU_CMD_DEL, +- .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +- .doit = fou_nl_cmd_rm_port, +- .flags = GENL_ADMIN_PERM, +- }, +- { +- .cmd = FOU_CMD_GET, +- .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +- .doit = fou_nl_cmd_get_port, +- .dumpit = fou_nl_dump, +- }, +-}; +- + static struct genl_family fou_nl_family __ro_after_init = { + .hdrsize = 0, + .name = FOU_GENL_NAME, + .version = FOU_GENL_VERSION, + .maxattr = FOU_ATTR_MAX, +- .policy = fou_nl_policy, ++ .policy = fou_nl_policy, + .netnsok = true, + .module = THIS_MODULE, + .small_ops = fou_nl_ops, +diff --git a/net/ipv4/fou_nl.c b/net/ipv4/fou_nl.c +new file mode 100644 +index 0000000000000..6c3820f41dd5d +--- /dev/null ++++ b/net/ipv4/fou_nl.c +@@ -0,0 +1,48 @@ ++// SPDX-License-Identifier: BSD-3-Clause ++/* Do not edit directly, auto-generated from: */ ++/* Documentation/netlink/specs/fou.yaml */ ++/* YNL-GEN kernel source */ ++ ++#include ++#include ++ ++#include "fou_nl.h" ++ ++#include ++ ++/* Global operation policy for fou */ ++const struct nla_policy fou_nl_policy[FOU_ATTR_IFINDEX + 1] = { ++ [FOU_ATTR_PORT] = { .type = NLA_U16, }, ++ [FOU_ATTR_AF] = { .type = NLA_U8, }, ++ [FOU_ATTR_IPPROTO] = { .type = NLA_U8, }, ++ [FOU_ATTR_TYPE] = { .type = NLA_U8, }, ++ [FOU_ATTR_REMCSUM_NOPARTIAL] = { .type = NLA_FLAG, }, ++ [FOU_ATTR_LOCAL_V4] = { .type = NLA_U32, }, ++ [FOU_ATTR_LOCAL_V6] = { .len = 16, }, ++ [FOU_ATTR_PEER_V4] = { .type = NLA_U32, }, ++ [FOU_ATTR_PEER_V6] = { .len = 16, }, ++ [FOU_ATTR_PEER_PORT] = { .type = NLA_U16, }, ++ [FOU_ATTR_IFINDEX] = { .type = NLA_S32, }, ++}; ++ ++/* Ops table for fou */ ++const struct genl_small_ops fou_nl_ops[3] = { ++ { ++ .cmd = FOU_CMD_ADD, ++ .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, ++ .doit = fou_nl_add_doit, ++ .flags = GENL_ADMIN_PERM, ++ }, ++ { ++ .cmd = FOU_CMD_DEL, ++ .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, ++ .doit = fou_nl_del_doit, ++ .flags = GENL_ADMIN_PERM, ++ }, ++ { ++ .cmd = FOU_CMD_GET, ++ .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, ++ .doit = fou_nl_get_doit, ++ .dumpit = fou_nl_get_dumpit, ++ }, ++}; +diff --git a/net/ipv4/fou_nl.h b/net/ipv4/fou_nl.h +new file mode 100644 +index 0000000000000..b7a68121ce6f7 +--- /dev/null ++++ b/net/ipv4/fou_nl.h +@@ -0,0 +1,25 @@ ++/* SPDX-License-Identifier: BSD-3-Clause */ ++/* Do not edit directly, auto-generated from: */ ++/* Documentation/netlink/specs/fou.yaml */ ++/* YNL-GEN kernel header */ ++ ++#ifndef _LINUX_FOU_GEN_H ++#define _LINUX_FOU_GEN_H ++ ++#include ++#include ++ ++#include ++ ++/* Global operation policy for fou */ ++extern const struct nla_policy fou_nl_policy[FOU_ATTR_IFINDEX + 1]; ++ ++/* Ops table for fou */ ++extern const struct genl_small_ops fou_nl_ops[3]; ++ ++int fou_nl_add_doit(struct sk_buff *skb, struct genl_info *info); ++int fou_nl_del_doit(struct sk_buff *skb, struct genl_info *info); ++int fou_nl_get_doit(struct sk_buff *skb, struct genl_info *info); ++int fou_nl_get_dumpit(struct sk_buff *skb, struct netlink_callback *cb); ++ ++#endif /* _LINUX_FOU_GEN_H */ +-- +2.51.0 + diff --git a/queue-6.1/net-sched-enforce-that-teql-can-only-be-used-as-root.patch b/queue-6.1/net-sched-enforce-that-teql-can-only-be-used-as-root.patch new file mode 100644 index 0000000000..5939359c58 --- /dev/null +++ b/queue-6.1/net-sched-enforce-that-teql-can-only-be-used-as-root.patch @@ -0,0 +1,68 @@ +From 92592adbc021576cfdc4547ccaa524ffc924860b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jan 2026 11:02:41 -0500 +Subject: net/sched: Enforce that teql can only be used as root qdisc +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jamal Hadi Salim + +[ Upstream commit 50da4b9d07a7a463e2cfb738f3ad4cff6b2c9c3b ] + +Design intent of teql is that it is only supposed to be used as root qdisc. +We need to check for that constraint. + +Although not important, I will describe the scenario that unearthed this +issue for the curious. + +GangMin Kim managed to concot a scenario as follows: + +ROOT qdisc 1:0 (QFQ) + ├── class 1:1 (weight=15, lmax=16384) netem with delay 6.4s + └── class 1:2 (weight=1, lmax=1514) teql + +GangMin sends a packet which is enqueued to 1:1 (netem). +Any invocation of dequeue by QFQ from this class will not return a packet +until after 6.4s. In the meantime, a second packet is sent and it lands on +1:2. teql's enqueue will return success and this will activate class 1:2. +Main issue is that teql only updates the parent visible qlen (sch->q.qlen) +at dequeue. Since QFQ will only call dequeue if peek succeeds (and teql's +peek always returns NULL), dequeue will never be called and thus the qlen +will remain as 0. With that in mind, when GangMin updates 1:2's lmax value, +the qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc's +qlen was not incremented, qfq fails to deactivate the class, but still +frees its pointers from the aggregate. So when the first packet is +rescheduled after 6.4 seconds (netem's delay), a dangling pointer is +accessed causing GangMin's causing a UAF. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: GangMin Kim +Tested-by: Victor Nogueira +Signed-off-by: Jamal Hadi Salim +Link: https://patch.msgid.link/20260114160243.913069-2-jhs@mojatatu.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_teql.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/sched/sch_teql.c b/net/sched/sch_teql.c +index 7721239c185fb..0a7856e14a975 100644 +--- a/net/sched/sch_teql.c ++++ b/net/sched/sch_teql.c +@@ -178,6 +178,11 @@ static int teql_qdisc_init(struct Qdisc *sch, struct nlattr *opt, + if (m->dev == dev) + return -ELOOP; + ++ if (sch->parent != TC_H_ROOT) { ++ NL_SET_ERR_MSG_MOD(extack, "teql can only be used as root"); ++ return -EOPNOTSUPP; ++ } ++ + q->m = m; + + skb_queue_head_init(&q->q); +-- +2.51.0 + diff --git a/queue-6.1/net-sched-qfq-use-cl_is_active-to-determine-whether-.patch b/queue-6.1/net-sched-qfq-use-cl_is_active-to-determine-whether-.patch new file mode 100644 index 0000000000..61a932643e --- /dev/null +++ b/queue-6.1/net-sched-qfq-use-cl_is_active-to-determine-whether-.patch @@ -0,0 +1,40 @@ +From aa3bb937526b67ff81a101b196c5fadf60b9d8a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jan 2026 11:02:42 -0500 +Subject: net/sched: qfq: Use cl_is_active to determine whether class is active + in qfq_rm_from_ag + +From: Jamal Hadi Salim + +[ Upstream commit d837fbee92453fbb829f950c8e7cf76207d73f33 ] + +This is more of a preventive patch to make the code more consistent and +to prevent possible exploits that employ child qlen manipulations on qfq. +use cl_is_active instead of relying on the child qdisc's qlen to determine +class activation. + +Fixes: 462dbc9101acd ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost") +Signed-off-by: Jamal Hadi Salim +Link: https://patch.msgid.link/20260114160243.913069-3-jhs@mojatatu.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_qfq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c +index 0047f35504348..51d962e5113bc 100644 +--- a/net/sched/sch_qfq.c ++++ b/net/sched/sch_qfq.c +@@ -375,7 +375,7 @@ static void qfq_rm_from_agg(struct qfq_sched *q, struct qfq_class *cl) + /* Deschedule class and remove it from its parent aggregate. */ + static void qfq_deact_rm_from_agg(struct qfq_sched *q, struct qfq_class *cl) + { +- if (cl->qdisc->q.qlen > 0) /* class is active */ ++ if (cl_is_active(cl)) /* class is active */ + qfq_deactivate_class(q, cl); + + qfq_rm_from_agg(q, cl); +-- +2.51.0 + diff --git a/queue-6.1/net-usb-dm9601-remove-broken-sr9700-support.patch b/queue-6.1/net-usb-dm9601-remove-broken-sr9700-support.patch new file mode 100644 index 0000000000..029707b6a0 --- /dev/null +++ b/queue-6.1/net-usb-dm9601-remove-broken-sr9700-support.patch @@ -0,0 +1,53 @@ +From 075859af3b3cfb6f904e6ba97bc743bdc8a5e2a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 22:39:24 -0800 +Subject: net: usb: dm9601: remove broken SR9700 support + +From: Ethan Nelson-Moore + +[ Upstream commit 7d7dbafefbe74f5a25efc4807af093b857a7612e ] + +The SR9700 chip sends more than one packet in a USB transaction, +like the DM962x chips can optionally do, but the dm9601 driver does not +support this mode, and the hardware does not have the DM962x +MODE_CTL register to disable it, so this driver drops packets on SR9700 +devices. The sr9700 driver correctly handles receiving more than one +packet per transaction. + +While the dm9601 driver could be improved to handle this, the easiest +way to fix this issue in the short term is to remove the SR9700 device +ID from the dm9601 driver so the sr9700 driver is always used. This +device ID should not have been in more than one driver to begin with. + +The "Fixes" commit was chosen so that the patch is automatically +included in all kernels that have the sr9700 driver, even though the +issue affects dm9601. + +Fixes: c9b37458e956 ("USB2NET : SR9700 : One chip USB 1.1 USB2NET SR9700Device Driver Support") +Signed-off-by: Ethan Nelson-Moore +Acked-by: Peter Korsgaard +Link: https://patch.msgid.link/20260113063924.74464-1-enelsonmoore@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/dm9601.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/net/usb/dm9601.c b/drivers/net/usb/dm9601.c +index 8b6d6a1b3c2ec..2b4716ccf0c5b 100644 +--- a/drivers/net/usb/dm9601.c ++++ b/drivers/net/usb/dm9601.c +@@ -603,10 +603,6 @@ static const struct usb_device_id products[] = { + USB_DEVICE(0x0fe6, 0x8101), /* DM9601 USB to Fast Ethernet Adapter */ + .driver_info = (unsigned long)&dm9601_info, + }, +- { +- USB_DEVICE(0x0fe6, 0x9700), /* DM9601 USB to Fast Ethernet Adapter */ +- .driver_info = (unsigned long)&dm9601_info, +- }, + { + USB_DEVICE(0x0a46, 0x9000), /* DM9000E */ + .driver_info = (unsigned long)&dm9601_info, +-- +2.51.0 + diff --git a/queue-6.1/netlink-add-a-proto-specification-for-fou.patch b/queue-6.1/netlink-add-a-proto-specification-for-fou.patch new file mode 100644 index 0000000000..b2024eae58 --- /dev/null +++ b/queue-6.1/netlink-add-a-proto-specification-for-fou.patch @@ -0,0 +1,158 @@ +From 4753f47ecb87163809abb3e7aa37cf5efc53b357 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jan 2023 09:50:37 -0800 +Subject: netlink: add a proto specification for FOU + +From: Jakub Kicinski + +[ Upstream commit 4eb77b4ecd3c5eaab83adf76e67e0a7ed2a24418 ] + +FOU has a reasonably modern Genetlink family. Add a spec. + +Acked-by: Stanislav Fomichev +Signed-off-by: Jakub Kicinski +Signed-off-by: Paolo Abeni +Stable-dep-of: 7a9bc9e3f423 ("fou: Don't allow 0 for FOU_ATTR_IPPROTO.") +Signed-off-by: Sasha Levin +--- + Documentation/netlink/specs/fou.yaml | 128 +++++++++++++++++++++++++++ + 1 file changed, 128 insertions(+) + create mode 100644 Documentation/netlink/specs/fou.yaml + +diff --git a/Documentation/netlink/specs/fou.yaml b/Documentation/netlink/specs/fou.yaml +new file mode 100644 +index 0000000000000..266c386eedf3a +--- /dev/null ++++ b/Documentation/netlink/specs/fou.yaml +@@ -0,0 +1,128 @@ ++name: fou ++ ++protocol: genetlink-legacy ++ ++doc: | ++ Foo-over-UDP. ++ ++c-family-name: fou-genl-name ++c-version-name: fou-genl-version ++max-by-define: true ++kernel-policy: global ++ ++definitions: ++ - ++ type: enum ++ name: encap_type ++ name-prefix: fou-encap- ++ enum-name: ++ entries: [ unspec, direct, gue ] ++ ++attribute-sets: ++ - ++ name: fou ++ name-prefix: fou-attr- ++ attributes: ++ - ++ name: unspec ++ type: unused ++ - ++ name: port ++ type: u16 ++ byte-order: big-endian ++ - ++ name: af ++ type: u8 ++ - ++ name: ipproto ++ type: u8 ++ - ++ name: type ++ type: u8 ++ - ++ name: remcsum_nopartial ++ type: flag ++ - ++ name: local_v4 ++ type: u32 ++ - ++ name: local_v6 ++ type: binary ++ checks: ++ min-len: 16 ++ - ++ name: peer_v4 ++ type: u32 ++ - ++ name: peer_v6 ++ type: binary ++ checks: ++ min-len: 16 ++ - ++ name: peer_port ++ type: u16 ++ byte-order: big-endian ++ - ++ name: ifindex ++ type: s32 ++ ++operations: ++ list: ++ - ++ name: unspec ++ doc: unused ++ ++ - ++ name: add ++ doc: Add port. ++ attribute-set: fou ++ ++ dont-validate: [ strict, dump ] ++ flags: [ admin-perm ] ++ ++ do: ++ request: &all_attrs ++ attributes: ++ - port ++ - ipproto ++ - type ++ - remcsum_nopartial ++ - local_v4 ++ - peer_v4 ++ - local_v6 ++ - peer_v6 ++ - peer_port ++ - ifindex ++ ++ - ++ name: del ++ doc: Delete port. ++ attribute-set: fou ++ ++ dont-validate: [ strict, dump ] ++ flags: [ admin-perm ] ++ ++ do: ++ request: &select_attrs ++ attributes: ++ - af ++ - ifindex ++ - port ++ - peer_port ++ - local_v4 ++ - peer_v4 ++ - local_v6 ++ - peer_v6 ++ ++ - ++ name: get ++ doc: Get tunnel info. ++ attribute-set: fou ++ dont-validate: [ strict, dump ] ++ ++ do: ++ request: *select_attrs ++ reply: *all_attrs ++ ++ dump: ++ reply: *all_attrs +-- +2.51.0 + diff --git a/queue-6.1/octeontx2-cn10k-fix-rx-flowid-tcam-mask-handling.patch b/queue-6.1/octeontx2-cn10k-fix-rx-flowid-tcam-mask-handling.patch new file mode 100644 index 0000000000..e186a636b9 --- /dev/null +++ b/queue-6.1/octeontx2-cn10k-fix-rx-flowid-tcam-mask-handling.patch @@ -0,0 +1,43 @@ +From 764580e1fa027be209700139060850c6e7569e2e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jan 2026 08:47:12 -0800 +Subject: octeontx2: cn10k: fix RX flowid TCAM mask handling + +From: Alok Tiwari + +[ Upstream commit ab9b218a1521133a4410722907fa7189566be9bc ] + +The RX flowid programming initializes the TCAM mask to all ones, but +then overwrites it when clearing the MAC DA mask bits. This results +in losing the intended initialization and may affect other match fields. + +Update the code to clear the MAC DA bits using an AND operation, making +the handling of mask[0] consistent with mask[1], where the field-specific +bits are cleared after initializing the mask to ~0ULL. + +Fixes: 57d00d4364f3 ("octeontx2-pf: mcs: Match macsec ethertype along with DMAC") +Signed-off-by: Alok Tiwari +Reviewed-by: Subbaraya Sundeep +Link: https://patch.msgid.link/20260116164724.2733511-1-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c +index 6da8d8f2a8701..60425e6ce0767 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c +@@ -265,7 +265,7 @@ static int cn10k_mcs_write_rx_flowid(struct otx2_nic *pfvf, + + req->data[0] = FIELD_PREP(MCS_TCAM0_MAC_DA_MASK, mac_da); + req->mask[0] = ~0ULL; +- req->mask[0] = ~MCS_TCAM0_MAC_DA_MASK; ++ req->mask[0] &= ~MCS_TCAM0_MAC_DA_MASK; + + req->data[1] = FIELD_PREP(MCS_TCAM1_ETYPE_MASK, ETH_P_MACSEC); + req->mask[1] = ~0ULL; +-- +2.51.0 + diff --git a/queue-6.1/sctp-move-sctp_cmd_assoc_shkey-right-after-sctp_cmd_.patch b/queue-6.1/sctp-move-sctp_cmd_assoc_shkey-right-after-sctp_cmd_.patch new file mode 100644 index 0000000000..029fb57603 --- /dev/null +++ b/queue-6.1/sctp-move-sctp_cmd_assoc_shkey-right-after-sctp_cmd_.patch @@ -0,0 +1,101 @@ +From 5e9a99c28e626004076c814d7e5b9f5bd9cf1668 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 12:10:26 -0500 +Subject: sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT + +From: Xin Long + +[ Upstream commit a80c9d945aef55b23b54838334345f20251dad83 ] + +A null-ptr-deref was reported in the SCTP transmit path when SCTP-AUTH key +initialization fails: + + ================================================================== + KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f] + CPU: 0 PID: 16 Comm: ksoftirqd/0 Tainted: G W 6.6.0 #2 + RIP: 0010:sctp_packet_bundle_auth net/sctp/output.c:264 [inline] + RIP: 0010:sctp_packet_append_chunk+0xb36/0x1260 net/sctp/output.c:401 + Call Trace: + + sctp_packet_transmit_chunk+0x31/0x250 net/sctp/output.c:189 + sctp_outq_flush_data+0xa29/0x26d0 net/sctp/outqueue.c:1111 + sctp_outq_flush+0xc80/0x1240 net/sctp/outqueue.c:1217 + sctp_cmd_interpreter.isra.0+0x19a5/0x62c0 net/sctp/sm_sideeffect.c:1787 + sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline] + sctp_do_sm+0x1a3/0x670 net/sctp/sm_sideeffect.c:1169 + sctp_assoc_bh_rcv+0x33e/0x640 net/sctp/associola.c:1052 + sctp_inq_push+0x1dd/0x280 net/sctp/inqueue.c:88 + sctp_rcv+0x11ae/0x3100 net/sctp/input.c:243 + sctp6_rcv+0x3d/0x60 net/sctp/ipv6.c:1127 + +The issue is triggered when sctp_auth_asoc_init_active_key() fails in +sctp_sf_do_5_1C_ack() while processing an INIT_ACK. In this case, the +command sequence is currently: + +- SCTP_CMD_PEER_INIT +- SCTP_CMD_TIMER_STOP (T1_INIT) +- SCTP_CMD_TIMER_START (T1_COOKIE) +- SCTP_CMD_NEW_STATE (COOKIE_ECHOED) +- SCTP_CMD_ASSOC_SHKEY +- SCTP_CMD_GEN_COOKIE_ECHO + +If SCTP_CMD_ASSOC_SHKEY fails, asoc->shkey remains NULL, while +asoc->peer.auth_capable and asoc->peer.peer_chunks have already been set by +SCTP_CMD_PEER_INIT. This allows a DATA chunk with auth = 1 and shkey = NULL +to be queued by sctp_datamsg_from_user(). + +Since command interpretation stops on failure, no COOKIE_ECHO should been +sent via SCTP_CMD_GEN_COOKIE_ECHO. However, the T1_COOKIE timer has already +been started, and it may enqueue a COOKIE_ECHO into the outqueue later. As +a result, the DATA chunk can be transmitted together with the COOKIE_ECHO +in sctp_outq_flush_data(), leading to the observed issue. + +Similar to the other places where it calls sctp_auth_asoc_init_active_key() +right after sctp_process_init(), this patch moves the SCTP_CMD_ASSOC_SHKEY +immediately after SCTP_CMD_PEER_INIT, before stopping T1_INIT and starting +T1_COOKIE. This ensures that if shared key generation fails, authenticated +DATA cannot be sent. It also allows the T1_INIT timer to retransmit INIT, +giving the client another chance to process INIT_ACK and retry key setup. + +Fixes: 730fc3d05cd4 ("[SCTP]: Implete SCTP-AUTH parameter processing") +Reported-by: Zhen Chen +Tested-by: Zhen Chen +Signed-off-by: Xin Long +Link: https://patch.msgid.link/44881224b375aa8853f5e19b4055a1a56d895813.1768324226.git.lucien.xin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/sm_statefuns.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c +index beae92ad25bb0..80a6b9fc964e5 100644 +--- a/net/sctp/sm_statefuns.c ++++ b/net/sctp/sm_statefuns.c +@@ -602,6 +602,11 @@ enum sctp_disposition sctp_sf_do_5_1C_ack(struct net *net, + sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT, + SCTP_PEER_INIT(initchunk)); + ++ /* SCTP-AUTH: generate the association shared keys so that ++ * we can potentially sign the COOKIE-ECHO. ++ */ ++ sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL()); ++ + /* Reset init error count upon receipt of INIT-ACK. */ + sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); + +@@ -616,11 +621,6 @@ enum sctp_disposition sctp_sf_do_5_1C_ack(struct net *net, + sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, + SCTP_STATE(SCTP_STATE_COOKIE_ECHOED)); + +- /* SCTP-AUTH: generate the association shared keys so that +- * we can potentially sign the COOKIE-ECHO. +- */ +- sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL()); +- + /* 5.1 C) "A" shall then send the State Cookie received in the + * INIT ACK chunk in a COOKIE ECHO chunk, ... + */ +-- +2.51.0 + diff --git a/queue-6.1/selftests-net-convert-fib-onlink-tests.sh-to-run-it-.patch b/queue-6.1/selftests-net-convert-fib-onlink-tests.sh-to-run-it-.patch new file mode 100644 index 0000000000..89996fb244 --- /dev/null +++ b/queue-6.1/selftests-net-convert-fib-onlink-tests.sh-to-run-it-.patch @@ -0,0 +1,84 @@ +From 042b574cae1694c5f62d3065cc0f95c340762218 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Dec 2023 14:08:53 +0800 +Subject: selftests/net: convert fib-onlink-tests.sh to run it in unique + namespace + +From: Hangbin Liu + +[ Upstream commit 3a06833b2adc0a902f2469ad4ce41ccd64f1f3ab ] + +Remove PEER_CMD, which is not used in this test + +Here is the test result after conversion. + + ]# ./fib-onlink-tests.sh + Error: ipv4: FIB table does not exist. + Flush terminated + Error: ipv6: FIB table does not exist. + Flush terminated + + ######################################## + Configuring interfaces + + ... + + TEST: Gateway resolves to wrong nexthop device - VRF [ OK ] + + Tests passed: 38 + Tests failed: 0 + +Acked-by: David Ahern +Signed-off-by: Hangbin Liu +Link: https://lore.kernel.org/r/20231213060856.4030084-11-liuhangbin@gmail.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: 4f5f148dd7c0 ("selftests: net: fib-onlink-tests: Convert to use namespaces by default") +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/fib-onlink-tests.sh | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/tools/testing/selftests/net/fib-onlink-tests.sh b/tools/testing/selftests/net/fib-onlink-tests.sh +index c287b90b8af80..ec2d6ceb1f08d 100755 +--- a/tools/testing/selftests/net/fib-onlink-tests.sh ++++ b/tools/testing/selftests/net/fib-onlink-tests.sh +@@ -3,6 +3,7 @@ + + # IPv4 and IPv6 onlink tests + ++source lib.sh + PAUSE_ON_FAIL=${PAUSE_ON_FAIL:=no} + VERBOSE=0 + +@@ -74,9 +75,6 @@ TEST_NET4IN6[2]=10.2.1.254 + # mcast address + MCAST6=ff02::1 + +- +-PEER_NS=bart +-PEER_CMD="ip netns exec ${PEER_NS}" + VRF=lisa + VRF_TABLE=1101 + PBR_TABLE=101 +@@ -176,8 +174,7 @@ setup() + set -e + + # create namespace +- ip netns add ${PEER_NS} +- ip -netns ${PEER_NS} li set lo up ++ setup_ns PEER_NS + + # add vrf table + ip li add ${VRF} type vrf table ${VRF_TABLE} +@@ -219,7 +216,7 @@ setup() + cleanup() + { + # make sure we start from a clean slate +- ip netns del ${PEER_NS} 2>/dev/null ++ cleanup_ns ${PEER_NS} 2>/dev/null + for n in 1 3 5 7; do + ip link del ${NETIFS[p${n}]} 2>/dev/null + done +-- +2.51.0 + diff --git a/queue-6.1/selftests-net-fib-onlink-tests-convert-to-use-namesp.patch b/queue-6.1/selftests-net-fib-onlink-tests-convert-to-use-namesp.patch new file mode 100644 index 0000000000..af96a366b2 --- /dev/null +++ b/queue-6.1/selftests-net-fib-onlink-tests-convert-to-use-namesp.patch @@ -0,0 +1,185 @@ +From a448636a7d38638fecdb3b032d9f98e06720459e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 12:37:44 -0300 +Subject: selftests: net: fib-onlink-tests: Convert to use namespaces by + default +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ricardo B. Marlière + +[ Upstream commit 4f5f148dd7c0459229d2ab9a769b2e820f9ee6a2 ] + +Currently, the test breaks if the SUT already has a default route +configured for IPv6. Fix by avoiding the use of the default namespace. + +Fixes: 4ed591c8ab44 ("net/ipv6: Allow onlink routes to have a device mismatch if it is the default route") +Suggested-by: Fernando Fernandez Mancera +Signed-off-by: Ricardo B. Marlière +Reviewed-by: Ido Schimmel +Reviewed-by: Fernando Fernandez Mancera +Link: https://patch.msgid.link/20260113-selftests-net-fib-onlink-v2-1-89de2b931389@suse.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../testing/selftests/net/fib-onlink-tests.sh | 71 ++++++++----------- + 1 file changed, 30 insertions(+), 41 deletions(-) + +diff --git a/tools/testing/selftests/net/fib-onlink-tests.sh b/tools/testing/selftests/net/fib-onlink-tests.sh +index ec2d6ceb1f08d..c01be076b210d 100755 +--- a/tools/testing/selftests/net/fib-onlink-tests.sh ++++ b/tools/testing/selftests/net/fib-onlink-tests.sh +@@ -120,7 +120,7 @@ log_subsection() + + run_cmd() + { +- local cmd="$*" ++ local cmd="$1" + local out + local rc + +@@ -145,7 +145,7 @@ get_linklocal() + local pfx + local addr + +- addr=$(${pfx} ip -6 -br addr show dev ${dev} | \ ++ addr=$(${pfx} ${IP} -6 -br addr show dev ${dev} | \ + awk '{ + for (i = 3; i <= NF; ++i) { + if ($i ~ /^fe80/) +@@ -173,58 +173,48 @@ setup() + + set -e + +- # create namespace +- setup_ns PEER_NS ++ # create namespaces ++ setup_ns ns1 ++ IP="ip -netns $ns1" ++ setup_ns ns2 + + # add vrf table +- ip li add ${VRF} type vrf table ${VRF_TABLE} +- ip li set ${VRF} up +- ip ro add table ${VRF_TABLE} unreachable default metric 8192 +- ip -6 ro add table ${VRF_TABLE} unreachable default metric 8192 ++ ${IP} li add ${VRF} type vrf table ${VRF_TABLE} ++ ${IP} li set ${VRF} up ++ ${IP} ro add table ${VRF_TABLE} unreachable default metric 8192 ++ ${IP} -6 ro add table ${VRF_TABLE} unreachable default metric 8192 + + # create test interfaces +- ip li add ${NETIFS[p1]} type veth peer name ${NETIFS[p2]} +- ip li add ${NETIFS[p3]} type veth peer name ${NETIFS[p4]} +- ip li add ${NETIFS[p5]} type veth peer name ${NETIFS[p6]} +- ip li add ${NETIFS[p7]} type veth peer name ${NETIFS[p8]} ++ ${IP} li add ${NETIFS[p1]} type veth peer name ${NETIFS[p2]} ++ ${IP} li add ${NETIFS[p3]} type veth peer name ${NETIFS[p4]} ++ ${IP} li add ${NETIFS[p5]} type veth peer name ${NETIFS[p6]} ++ ${IP} li add ${NETIFS[p7]} type veth peer name ${NETIFS[p8]} + + # enslave vrf interfaces + for n in 5 7; do +- ip li set ${NETIFS[p${n}]} vrf ${VRF} ++ ${IP} li set ${NETIFS[p${n}]} vrf ${VRF} + done + + # add addresses + for n in 1 3 5 7; do +- ip li set ${NETIFS[p${n}]} up +- ip addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]} +- ip addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad ++ ${IP} li set ${NETIFS[p${n}]} up ++ ${IP} addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]} ++ ${IP} addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad + done + + # move peer interfaces to namespace and add addresses + for n in 2 4 6 8; do +- ip li set ${NETIFS[p${n}]} netns ${PEER_NS} up +- ip -netns ${PEER_NS} addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]} +- ip -netns ${PEER_NS} addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad ++ ${IP} li set ${NETIFS[p${n}]} netns ${ns2} up ++ ip -netns $ns2 addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]} ++ ip -netns $ns2 addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad + done + +- ip -6 ro add default via ${V6ADDRS[p3]/::[0-9]/::64} +- ip -6 ro add table ${VRF_TABLE} default via ${V6ADDRS[p7]/::[0-9]/::64} ++ ${IP} -6 ro add default via ${V6ADDRS[p3]/::[0-9]/::64} ++ ${IP} -6 ro add table ${VRF_TABLE} default via ${V6ADDRS[p7]/::[0-9]/::64} + + set +e + } + +-cleanup() +-{ +- # make sure we start from a clean slate +- cleanup_ns ${PEER_NS} 2>/dev/null +- for n in 1 3 5 7; do +- ip link del ${NETIFS[p${n}]} 2>/dev/null +- done +- ip link del ${VRF} 2>/dev/null +- ip ro flush table ${VRF_TABLE} +- ip -6 ro flush table ${VRF_TABLE} +-} +- + ################################################################################ + # IPv4 tests + # +@@ -241,7 +231,7 @@ run_ip() + # dev arg may be empty + [ -n "${dev}" ] && dev="dev ${dev}" + +- run_cmd ip ro add table "${table}" "${prefix}"/32 via "${gw}" "${dev}" onlink ++ run_cmd "${IP} ro add table ${table} ${prefix}/32 via ${gw} ${dev} onlink" + log_test $? ${exp_rc} "${desc}" + } + +@@ -257,8 +247,8 @@ run_ip_mpath() + # dev arg may be empty + [ -n "${dev}" ] && dev="dev ${dev}" + +- run_cmd ip ro add table "${table}" "${prefix}"/32 \ +- nexthop via ${nh1} nexthop via ${nh2} ++ run_cmd "${IP} ro add table ${table} ${prefix}/32 \ ++ nexthop via ${nh1} nexthop via ${nh2}" + log_test $? ${exp_rc} "${desc}" + } + +@@ -339,7 +329,7 @@ run_ip6() + # dev arg may be empty + [ -n "${dev}" ] && dev="dev ${dev}" + +- run_cmd ip -6 ro add table "${table}" "${prefix}"/128 via "${gw}" "${dev}" onlink ++ run_cmd "${IP} -6 ro add table ${table} ${prefix}/128 via ${gw} ${dev} onlink" + log_test $? ${exp_rc} "${desc}" + } + +@@ -353,8 +343,8 @@ run_ip6_mpath() + local exp_rc="$6" + local desc="$7" + +- run_cmd ip -6 ro add table "${table}" "${prefix}"/128 "${opts}" \ +- nexthop via ${nh1} nexthop via ${nh2} ++ run_cmd "${IP} -6 ro add table ${table} ${prefix}/128 ${opts} \ ++ nexthop via ${nh1} nexthop via ${nh2}" + log_test $? ${exp_rc} "${desc}" + } + +@@ -491,10 +481,9 @@ do + esac + done + +-cleanup + setup + run_onlink_tests +-cleanup ++cleanup_ns ${ns1} ${ns2} + + if [ "$TESTS" != "none" ]; then + printf "\nTests passed: %3d\n" ${nsuccess} +-- +2.51.0 + diff --git a/queue-6.1/series b/queue-6.1/series index f49457cd45..8d2ab3b8b2 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -88,3 +88,27 @@ selftest-ptp-update-ptp-selftest-to-exercise-the-get.patch testptp-add-option-to-open-phc-in-readonly-mode.patch arm64-dts-qcom-sc8280xp-add-missing-vdd_mxc-links.patch btrfs-fix-missing-fields-in-superblock-backup-with-b.patch +ata-libata-add-cpr_log-to-ata_dev_print_features-ear.patch +ata-libata-introduce-ata_ncq_supported.patch +ata-libata-cleanup-fua-support-detection.patch +ata-libata-core-introduce-ata_dev_config_lpm.patch +ata-libata-call-ata_dev_config_lpm-for-atapi-devices.patch +ata-libata-print-features-also-for-atapi-devices.patch +net-usb-dm9601-remove-broken-sr9700-support.patch +bonding-limit-bond_mode_8023ad-to-ethernet-devices.patch +selftests-net-convert-fib-onlink-tests.sh-to-run-it-.patch +selftests-net-fib-onlink-tests-convert-to-use-namesp.patch +can-gs_usb-gs_usb_receive_bulk_callback-unanchor-url.patch +sctp-move-sctp_cmd_assoc_shkey-right-after-sctp_cmd_.patch +amd-xgbe-avoid-misleading-per-packet-error-log.patch +gue-fix-skb-memleak-with-inner-ip-protocol-0.patch +netlink-add-a-proto-specification-for-fou.patch +net-fou-rename-the-source-for-linking.patch +net-fou-use-policy-and-operation-tables-generated-fr.patch +fou-don-t-allow-0-for-fou_attr_ipproto.patch +l2tp-avoid-one-data-race-in-l2tp_tunnel_del_work.patch +ipvlan-make-the-addrs_lock-be-per-port.patch +octeontx2-cn10k-fix-rx-flowid-tcam-mask-handling.patch +net-sched-enforce-that-teql-can-only-be-used-as-root.patch +net-sched-qfq-use-cl_is_active-to-determine-whether-.patch +crypto-authencesn-reject-too-short-aad-assoclen-8-to.patch diff --git a/queue-6.12/amd-xgbe-avoid-misleading-per-packet-error-log.patch b/queue-6.12/amd-xgbe-avoid-misleading-per-packet-error-log.patch new file mode 100644 index 0000000000..80b87d5390 --- /dev/null +++ b/queue-6.12/amd-xgbe-avoid-misleading-per-packet-error-log.patch @@ -0,0 +1,49 @@ +From faebdb6f9e605bb3c612a2d3b100ac6aab020728 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jan 2026 22:00:37 +0530 +Subject: amd-xgbe: avoid misleading per-packet error log + +From: Raju Rangoju + +[ Upstream commit c158f985cf6c2c36c99c4f67af2ff3f5ebe09f8f ] + +On the receive path, packet can be damaged because of buffer +overflow in Rx FIFO. Avoid misleading per-packet error log when +packet->errors is set, this can flood the log. Instead, rely on the +standard rtnl_link_stats64 stats. + +Fixes: c5aa9e3b8156 ("amd-xgbe: Initial AMD 10GbE platform driver") +Signed-off-by: Raju Rangoju +Link: https://patch.msgid.link/20260114163037.2062606-1-Raju.Rangoju@amd.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c +index 32a6d52614242..e6a2492360227 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c +@@ -2105,7 +2105,7 @@ static void xgbe_get_stats64(struct net_device *netdev, + s->multicast = pstats->rxmulticastframes_g; + s->rx_length_errors = pstats->rxlengtherror; + s->rx_crc_errors = pstats->rxcrcerror; +- s->rx_fifo_errors = pstats->rxfifooverflow; ++ s->rx_over_errors = pstats->rxfifooverflow; + + s->tx_packets = pstats->txframecount_gb; + s->tx_bytes = pstats->txoctetcount_gb; +@@ -2559,9 +2559,6 @@ static int xgbe_rx_poll(struct xgbe_channel *channel, int budget) + goto read_again; + + if (error || packet->errors) { +- if (packet->errors) +- netif_err(pdata, rx_err, netdev, +- "error in received packet\n"); + dev_kfree_skb(skb); + goto next_packet; + } +-- +2.51.0 + diff --git a/queue-6.12/ata-ahci-do-not-read-the-per-port-area-for-unimpleme.patch b/queue-6.12/ata-ahci-do-not-read-the-per-port-area-for-unimpleme.patch new file mode 100644 index 0000000000..a00eef9ab5 --- /dev/null +++ b/queue-6.12/ata-ahci-do-not-read-the-per-port-area-for-unimpleme.patch @@ -0,0 +1,72 @@ +From aa58ecf7083f2e9be07f7eb7e5f80864a6b05a99 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 13:20:46 +0100 +Subject: ata: ahci: Do not read the per port area for unimplemented ports +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Niklas Cassel + +[ Upstream commit ea4d4ea6d10a561043922d285f1765c7e4bfd32a ] + +An AHCI HBA specifies the number of ports it supports using CAP.NP. +The HBA is free to only make a subset of the number of ports available +using the PI (Ports Implemented) register. + +libata currently creates dummy ports for HBA ports that are provided by +the HBA, but which are marked as "unavailable" using the PI register. + +Each port will have a per port area of registers in the HBA, regardless +if the port is marked as "unavailable" or not. + +ahci_mark_external_port() currently reads this per port area of registers +using readl() to see if the port is marked as external/hotplug-capable. + +However, AHCI 1.3.1, section "3.1.4 Offset 0Ch: PI – Ports Implemented" +states: "Software must not read or write to registers within unavailable +ports." + +Thus, make sure that we only call ahci_mark_external_port() and +ahci_update_initial_lpm_policy() for ports that are implemented. + +From a libata perspective, this should not change anything related to LPM, +as dummy ports do not provide any ap->ops (they do not have a .set_lpm() +callback), so even if EH were to call .set_lpm() on a dummy port, it was +already a no-op. + +Fixes: f7131935238d ("ata: ahci: move marking of external port earlier") +Signed-off-by: Niklas Cassel +Tested-by: Wolf +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + drivers/ata/ahci.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c +index 944e44caa2606..e78b97fe81708 100644 +--- a/drivers/ata/ahci.c ++++ b/drivers/ata/ahci.c +@@ -2071,13 +2071,13 @@ static int ahci_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) + if (ap->flags & ATA_FLAG_EM) + ap->em_message_type = hpriv->em_msg_type; + +- ahci_mark_external_port(ap); +- +- ahci_update_initial_lpm_policy(ap); +- + /* disabled/not-implemented port */ +- if (!(hpriv->port_map & (1 << i))) ++ if (!(hpriv->port_map & (1 << i))) { + ap->ops = &ata_dummy_port_ops; ++ } else { ++ ahci_mark_external_port(ap); ++ ahci_update_initial_lpm_policy(ap); ++ } + } + + /* apply workaround for ASUS P5W DH Deluxe mainboard */ +-- +2.51.0 + diff --git a/queue-6.12/ata-libata-add-cpr_log-to-ata_dev_print_features-ear.patch b/queue-6.12/ata-libata-add-cpr_log-to-ata_dev_print_features-ear.patch new file mode 100644 index 0000000000..6009a09691 --- /dev/null +++ b/queue-6.12/ata-libata-add-cpr_log-to-ata_dev_print_features-ear.patch @@ -0,0 +1,43 @@ +From 867ef1820489468ef8e967923a925b612c2e86a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 13:20:49 +0100 +Subject: ata: libata: Add cpr_log to ata_dev_print_features() early return + +From: Niklas Cassel + +[ Upstream commit a6bee5e5243ad02cae575becc4c83df66fc29573 ] + +ata_dev_print_features() is supposed to return early and not print anything +if there are no features supported. + +However, commit fe22e1c2f705 ("libata: support concurrent positioning +ranges log") added another feature to ata_dev_print_features() without +updating the early return conditional. + +Add the missing feature to the early return conditional. + +Fixes: fe22e1c2f705 ("libata: support concurrent positioning ranges log") +Signed-off-by: Niklas Cassel +Tested-by: Wolf +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c +index 802967eabc344..864248ff1faf9 100644 +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -2803,7 +2803,7 @@ static void ata_dev_config_cpr(struct ata_device *dev) + + static void ata_dev_print_features(struct ata_device *dev) + { +- if (!(dev->flags & ATA_DFLAG_FEATURES_MASK)) ++ if (!(dev->flags & ATA_DFLAG_FEATURES_MASK) && !dev->cpr_log) + return; + + ata_dev_info(dev, +-- +2.51.0 + diff --git a/queue-6.12/ata-libata-call-ata_dev_config_lpm-for-atapi-devices.patch b/queue-6.12/ata-libata-call-ata_dev_config_lpm-for-atapi-devices.patch new file mode 100644 index 0000000000..82693a4132 --- /dev/null +++ b/queue-6.12/ata-libata-call-ata_dev_config_lpm-for-atapi-devices.patch @@ -0,0 +1,48 @@ +From 25f70641db26591e0fd171b920cdbbb96a1d507b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 13:20:47 +0100 +Subject: ata: libata: Call ata_dev_config_lpm() for ATAPI devices + +From: Niklas Cassel + +[ Upstream commit 8f3fb33f8f3f825c708ece800c921977c157f9b6 ] + +Commit d360121832d8 ("ata: libata-core: Introduce ata_dev_config_lpm()") +introduced ata_dev_config_lpm(). However, it only called this function for +ATA_DEV_ATA and ATA_DEV_ZAC devices, not for ATA_DEV_ATAPI devices. + +Additionally, commit d99a9142e782 ("ata: libata-core: Move device LPM quirk +settings to ata_dev_config_lpm()") moved the LPM quirk application from +ata_dev_configure() to ata_dev_config_lpm(), causing LPM quirks for ATAPI +devices to no longer be applied. + +Call ata_dev_config_lpm() also for ATAPI devices, such that LPM quirks are +applied for ATAPI devices with an entry in __ata_dev_quirks once again. + +Fixes: d360121832d8 ("ata: libata-core: Introduce ata_dev_config_lpm()") +Fixes: d99a9142e782 ("ata: libata-core: Move device LPM quirk settings to ata_dev_config_lpm()") +Signed-off-by: Niklas Cassel +Tested-by: Wolf +Signed-off-by: Damien Le Moal +Stable-dep-of: c8c6fb886f57 ("ata: libata: Print features also for ATAPI devices") +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-core.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c +index cdb41b66bff2b..fba5166168978 100644 +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -3073,6 +3073,8 @@ int ata_dev_configure(struct ata_device *dev) + ata_mode_string(xfer_mask), + cdb_intr_string, atapi_an_string, + dma_dir_string); ++ ++ ata_dev_config_lpm(dev); + } + + /* determine max_sectors */ +-- +2.51.0 + diff --git a/queue-6.12/ata-libata-core-introduce-ata_dev_config_lpm.patch b/queue-6.12/ata-libata-core-introduce-ata_dev_config_lpm.patch new file mode 100644 index 0000000000..a920bac06b --- /dev/null +++ b/queue-6.12/ata-libata-core-introduce-ata_dev_config_lpm.patch @@ -0,0 +1,79 @@ +From 764895a55b39534218f482ef443e1e3b9e2afe8c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Jul 2025 21:53:12 +0900 +Subject: ata: libata-core: Introduce ata_dev_config_lpm() + +From: Damien Le Moal + +[ Upstream commit d360121832d8a36871249271df5b9ff05f835f62 ] + +If the port of a device does not support Device Initiated Power +Management (DIPM), that is, the port is flagged with ATA_FLAG_NO_DIPM, +the DIPM feature of a device should not be used. Though DIPM is disabled +by default on a device, the "Software Settings Preservation feature" +may keep DIPM enabled or DIPM may have been enabled by the system +firmware. + +Introduce the function ata_dev_config_lpm() to always disable DIPM on a +device that supports this feature if the port of the device is flagged +with ATA_FLAG_NO_DIPM. ata_dev_config_lpm() is called from +ata_dev_configure(), ensuring that a device DIPM feature is disabled +when it cannot be used. + +Signed-off-by: Damien Le Moal +Reviewed-by: Niklas Cassel +Reviewed-by: Hannes Reinecke +Link: https://lore.kernel.org/r/20250701125321.69496-2-dlemoal@kernel.org +Signed-off-by: Niklas Cassel +Stable-dep-of: c8c6fb886f57 ("ata: libata: Print features also for ATAPI devices") +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-core.c | 25 +++++++++++++++++++++++++ + 1 file changed, 25 insertions(+) + +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c +index 864248ff1faf9..cdb41b66bff2b 100644 +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -2801,6 +2801,30 @@ static void ata_dev_config_cpr(struct ata_device *dev) + kfree(buf); + } + ++/* ++ * Configure features related to link power management. ++ */ ++static void ata_dev_config_lpm(struct ata_device *dev) ++{ ++ struct ata_port *ap = dev->link->ap; ++ unsigned int err_mask; ++ ++ /* ++ * Device Initiated Power Management (DIPM) is normally disabled by ++ * default on a device. However, DIPM may have been enabled and that ++ * setting kept even after COMRESET because of the Software Settings ++ * Preservation feature. So if the port does not support DIPM and the ++ * device does, disable DIPM on the device. ++ */ ++ if (ap->flags & ATA_FLAG_NO_DIPM && ata_id_has_dipm(dev->id)) { ++ err_mask = ata_dev_set_feature(dev, ++ SETFEATURES_SATA_DISABLE, SATA_DIPM); ++ if (err_mask && err_mask != AC_ERR_DEV) ++ ata_dev_err(dev, "Disable DIPM failed, Emask 0x%x\n", ++ err_mask); ++ } ++} ++ + static void ata_dev_print_features(struct ata_device *dev) + { + if (!(dev->flags & ATA_DFLAG_FEATURES_MASK) && !dev->cpr_log) +@@ -2974,6 +2998,7 @@ int ata_dev_configure(struct ata_device *dev) + ata_dev_config_chs(dev); + } + ++ ata_dev_config_lpm(dev); + ata_dev_config_fua(dev); + ata_dev_config_devslp(dev); + ata_dev_config_sense_reporting(dev); +-- +2.51.0 + diff --git a/queue-6.12/ata-libata-print-features-also-for-atapi-devices.patch b/queue-6.12/ata-libata-print-features-also-for-atapi-devices.patch new file mode 100644 index 0000000000..b494909522 --- /dev/null +++ b/queue-6.12/ata-libata-print-features-also-for-atapi-devices.patch @@ -0,0 +1,48 @@ +From bca069a8e73fe0030b36eb5e23e9601fb68a5288 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 13:20:51 +0100 +Subject: ata: libata: Print features also for ATAPI devices + +From: Niklas Cassel + +[ Upstream commit c8c6fb886f57d5bf71fb6de6334a143608d35707 ] + +Commit d633b8a702ab ("libata: print feature list on device scan") +added a print of the features supported by the device for ATA_DEV_ATA and +ATA_DEV_ZAC devices, but not for ATA_DEV_ATAPI devices. + +Fix this by printing the features also for ATAPI devices. + +Before changes: +ata1.00: ATAPI: Slimtype DVD A DU8AESH, 6C2M, max UDMA/133 + +After changes: +ata1.00: ATAPI: Slimtype DVD A DU8AESH, 6C2M, max UDMA/133 +ata1.00: Features: Dev-Attention HIPM DIPM + +Fixes: d633b8a702ab ("libata: print feature list on device scan") +Signed-off-by: Niklas Cassel +Tested-by: Wolf +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c +index fba5166168978..33454d01c2044 100644 +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -3075,6 +3075,9 @@ int ata_dev_configure(struct ata_device *dev) + dma_dir_string); + + ata_dev_config_lpm(dev); ++ ++ if (print_info) ++ ata_dev_print_features(dev); + } + + /* determine max_sectors */ +-- +2.51.0 + diff --git a/queue-6.12/ata-libata-sata-improve-link_power_management_suppor.patch b/queue-6.12/ata-libata-sata-improve-link_power_management_suppor.patch new file mode 100644 index 0000000000..4189b0fc92 --- /dev/null +++ b/queue-6.12/ata-libata-sata-improve-link_power_management_suppor.patch @@ -0,0 +1,53 @@ +From 574fdd81c3928e1848a0f30a5513801cb5a439b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 13:20:48 +0100 +Subject: ata: libata-sata: Improve link_power_management_supported sysfs + attribute + +From: Niklas Cassel + +[ Upstream commit ce83767ea323baf8509a75eb0c783cd203e14789 ] + +The link_power_management_supported sysfs attribute is currently set as +true even for ata ports that lack a .set_lpm() callback, e.g. dummy ports. + +This is a bit silly, because while writing to the +link_power_management_policy sysfs attribute will make ata_scsi_lpm_store() +update ap->target_lpm_policy (thus sysfs will reflect the new value) and +call ata_port_schedule_eh() for the port, it is essentially a no-op. + +This is because for a port without a .set_lpm() callback, once EH gets to +run, the ata_eh_link_set_lpm() will simply return, since the port does not +provide a .set_lpm() callback. + +Thus, make sure that the link_power_management_supported sysfs attribute +is set to false for ports that lack a .set_lpm() callback. This way the +link_power_management_policy sysfs attribute will no longer be writable, +so we will no longer be misleading users to think that their sysfs write +actually does something. + +Fixes: 0060beec0bfa ("ata: libata-sata: Add link_power_management_supported sysfs attribute") +Signed-off-by: Niklas Cassel +Tested-by: Wolf +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-sata.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ata/libata-sata.c b/drivers/ata/libata-sata.c +index cad3855373cb1..5fbbdf6f87e34 100644 +--- a/drivers/ata/libata-sata.c ++++ b/drivers/ata/libata-sata.c +@@ -909,7 +909,7 @@ static bool ata_scsi_lpm_supported(struct ata_port *ap) + struct ata_link *link; + struct ata_device *dev; + +- if (ap->flags & ATA_FLAG_NO_LPM) ++ if ((ap->flags & ATA_FLAG_NO_LPM) || !ap->ops->set_lpm) + return false; + + ata_for_each_link(link, ap, EDGE) { +-- +2.51.0 + diff --git a/queue-6.12/bonding-limit-bond_mode_8023ad-to-ethernet-devices.patch b/queue-6.12/bonding-limit-bond_mode_8023ad-to-ethernet-devices.patch new file mode 100644 index 0000000000..9079f062a2 --- /dev/null +++ b/queue-6.12/bonding-limit-bond_mode_8023ad-to-ethernet-devices.patch @@ -0,0 +1,91 @@ +From b6d14502320935940e320905349680f690afbd17 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 19:12:01 +0000 +Subject: bonding: limit BOND_MODE_8023AD to Ethernet devices + +From: Eric Dumazet + +[ Upstream commit c84fcb79e5dbde0b8d5aeeaf04282d2149aebcf6 ] + +BOND_MODE_8023AD makes sense for ARPHRD_ETHER only. + +syzbot reported: + + BUG: KASAN: global-out-of-bounds in __hw_addr_create net/core/dev_addr_lists.c:63 [inline] + BUG: KASAN: global-out-of-bounds in __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118 +Read of size 16 at addr ffffffff8bf94040 by task syz.1.3580/19497 + +CPU: 1 UID: 0 PID: 19497 Comm: syz.1.3580 Tainted: G L syzkaller #0 PREEMPT(full) +Tainted: [L]=SOFTLOCKUP +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 +Call Trace: + + dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0xca/0x240 mm/kasan/report.c:482 + kasan_report+0x118/0x150 mm/kasan/report.c:595 + check_region_inline mm/kasan/generic.c:-1 [inline] + kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:200 + __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105 + __hw_addr_create net/core/dev_addr_lists.c:63 [inline] + __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118 + __dev_mc_add net/core/dev_addr_lists.c:868 [inline] + dev_mc_add+0xa1/0x120 net/core/dev_addr_lists.c:886 + bond_enslave+0x2b8b/0x3ac0 drivers/net/bonding/bond_main.c:2180 + do_set_master+0x533/0x6d0 net/core/rtnetlink.c:2963 + do_setlink+0xcf0/0x41c0 net/core/rtnetlink.c:3165 + rtnl_changelink net/core/rtnetlink.c:3776 [inline] + __rtnl_newlink net/core/rtnetlink.c:3935 [inline] + rtnl_newlink+0x161c/0x1c90 net/core/rtnetlink.c:4072 + rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6958 + netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2550 + netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] + netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1344 + netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1894 + sock_sendmsg_nosec net/socket.c:727 [inline] + __sock_sendmsg+0x21c/0x270 net/socket.c:742 + ____sys_sendmsg+0x505/0x820 net/socket.c:2592 + ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2646 + __sys_sendmsg+0x164/0x220 net/socket.c:2678 + do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline] + __do_fast_syscall_32+0x1dc/0x560 arch/x86/entry/syscall_32.c:307 + do_fast_syscall_32+0x34/0x80 arch/x86/entry/syscall_32.c:332 + entry_SYSENTER_compat_after_hwframe+0x84/0x8e + + +The buggy address belongs to the variable: + lacpdu_mcast_addr+0x0/0x40 + +Fixes: 872254dd6b1f ("net/bonding: Enable bonding to enslave non ARPHRD_ETHER") +Reported-by: syzbot+9c081b17773615f24672@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/6966946b.a70a0220.245e30.0002.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Andrew Lunn +Acked-by: Jay Vosburgh +Link: https://patch.msgid.link/20260113191201.3970737-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index f17a170d1be47..6f87d7e29e19b 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -2017,6 +2017,12 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev, + */ + if (!bond_has_slaves(bond)) { + if (bond_dev->type != slave_dev->type) { ++ if (slave_dev->type != ARPHRD_ETHER && ++ BOND_MODE(bond) == BOND_MODE_8023AD) { ++ SLAVE_NL_ERR(bond_dev, slave_dev, extack, ++ "8023AD mode requires Ethernet devices"); ++ return -EINVAL; ++ } + slave_dbg(bond_dev, slave_dev, "change device type from %d to %d\n", + bond_dev->type, slave_dev->type); + +-- +2.51.0 + diff --git a/queue-6.12/can-gs_usb-gs_usb_receive_bulk_callback-unanchor-url.patch b/queue-6.12/can-gs_usb-gs_usb_receive_bulk_callback-unanchor-url.patch new file mode 100644 index 0000000000..6ef6d1bb71 --- /dev/null +++ b/queue-6.12/can-gs_usb-gs_usb_receive_bulk_callback-unanchor-url.patch @@ -0,0 +1,61 @@ +From 3b99d7e48abd5374b072d2ecd2138c911c6cf577 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jan 2026 14:10:10 +0100 +Subject: can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on + usb_submit_urb() error + +From: Marc Kleine-Budde + +[ Upstream commit 79a6d1bfe1148bc921b8d7f3371a7fbce44e30f7 ] + +In commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix +URB memory leak"), the URB was re-anchored before usb_submit_urb() in +gs_usb_receive_bulk_callback() to prevent a leak of this URB during +cleanup. + +However, this patch did not take into account that usb_submit_urb() could +fail. The URB remains anchored and +usb_kill_anchored_urbs(&parent->rx_submitted) in gs_can_close() loops +infinitely since the anchor list never becomes empty. + +To fix the bug, unanchor the URB when an usb_submit_urb() error occurs, +also print an info message. + +Fixes: 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak") +Reported-by: Jakub Kicinski +Closes: https://lore.kernel.org/all/20260110223836.3890248-1-kuba@kernel.org/ +Link: https://patch.msgid.link/20260116-can_usb-fix-reanchor-v1-1-9d74e7289225@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/usb/gs_usb.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c +index 1aa2f99f92b20..e63e77f21801c 100644 +--- a/drivers/net/can/usb/gs_usb.c ++++ b/drivers/net/can/usb/gs_usb.c +@@ -751,6 +751,10 @@ static void gs_usb_receive_bulk_callback(struct urb *urb) + usb_anchor_urb(urb, &parent->rx_submitted); + + rc = usb_submit_urb(urb, GFP_ATOMIC); ++ if (!rc) ++ return; ++ ++ usb_unanchor_urb(urb); + + /* USB failure take down all interfaces */ + if (rc == -ENODEV) { +@@ -759,6 +763,9 @@ static void gs_usb_receive_bulk_callback(struct urb *urb) + if (parent->canch[rc]) + netif_device_detach(parent->canch[rc]->netdev); + } ++ } else if (rc != -ESHUTDOWN && net_ratelimit()) { ++ netdev_info(netdev, "failed to re-submit IN URB: %pe\n", ++ ERR_PTR(urb->status)); + } + } + +-- +2.51.0 + diff --git a/queue-6.12/crypto-authencesn-reject-too-short-aad-assoclen-8-to.patch b/queue-6.12/crypto-authencesn-reject-too-short-aad-assoclen-8-to.patch new file mode 100644 index 0000000000..6c31c0927c --- /dev/null +++ b/queue-6.12/crypto-authencesn-reject-too-short-aad-assoclen-8-to.patch @@ -0,0 +1,53 @@ +From 9822c82e5e3b7005ac0d73cd42c64b8b95b194cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jan 2026 16:03:58 +0900 +Subject: crypto: authencesn - reject too-short AAD (assoclen<8) to match + ESP/ESN spec + +From: Taeyang Lee <0wn@theori.io> + +[ Upstream commit 2397e9264676be7794f8f7f1e9763d90bd3c7335 ] + +authencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than +the minimum expected length, crypto_authenc_esn_decrypt() can advance past +the end of the destination scatterlist and trigger a NULL pointer dereference +in scatterwalk_map_and_copy(), leading to a kernel panic (DoS). + +Add a minimum AAD length check to fail fast on invalid inputs. + +Fixes: 104880a6b470 ("crypto: authencesn - Convert to new AEAD interface") +Reported-By: Taeyang Lee <0wn@theori.io> +Signed-off-by: Taeyang Lee <0wn@theori.io> +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/authencesn.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/crypto/authencesn.c b/crypto/authencesn.c +index 2cc933e2f7901..e08032e80f188 100644 +--- a/crypto/authencesn.c ++++ b/crypto/authencesn.c +@@ -185,6 +185,9 @@ static int crypto_authenc_esn_encrypt(struct aead_request *req) + struct scatterlist *src, *dst; + int err; + ++ if (assoclen < 8) ++ return -EINVAL; ++ + sg_init_table(areq_ctx->src, 2); + src = scatterwalk_ffwd(areq_ctx->src, req->src, assoclen); + dst = src; +@@ -275,6 +278,9 @@ static int crypto_authenc_esn_decrypt(struct aead_request *req) + u32 tmp[2]; + int err; + ++ if (assoclen < 8) ++ return -EINVAL; ++ + cryptlen -= authsize; + + if (req->src != dst) { +-- +2.51.0 + diff --git a/queue-6.12/fou-don-t-allow-0-for-fou_attr_ipproto.patch b/queue-6.12/fou-don-t-allow-0-for-fou_attr_ipproto.patch new file mode 100644 index 0000000000..ecee1e1dcf --- /dev/null +++ b/queue-6.12/fou-don-t-allow-0-for-fou_attr_ipproto.patch @@ -0,0 +1,57 @@ +From 1073f8b0d85b37d3d7e3bb49401bb7ae2f659d39 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jan 2026 17:24:48 +0000 +Subject: fou: Don't allow 0 for FOU_ATTR_IPPROTO. + +From: Kuniyuki Iwashima + +[ Upstream commit 7a9bc9e3f42391e4c187e099263cf7a1c4b69ff5 ] + +fou_udp_recv() has the same problem mentioned in the previous +patch. + +If FOU_ATTR_IPPROTO is set to 0, skb is not freed by +fou_udp_recv() nor "resubmit"-ted in ip_protocol_deliver_rcu(). + +Let's forbid 0 for FOU_ATTR_IPPROTO. + +Fixes: 23461551c0062 ("fou: Support for foo-over-udp RX path") +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20260115172533.693652-4-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + Documentation/netlink/specs/fou.yaml | 2 ++ + net/ipv4/fou_nl.c | 2 +- + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/Documentation/netlink/specs/fou.yaml b/Documentation/netlink/specs/fou.yaml +index 0af5ab842c04d..91721ee406413 100644 +--- a/Documentation/netlink/specs/fou.yaml ++++ b/Documentation/netlink/specs/fou.yaml +@@ -39,6 +39,8 @@ attribute-sets: + - + name: ipproto + type: u8 ++ checks: ++ min: 1 + - + name: type + type: u8 +diff --git a/net/ipv4/fou_nl.c b/net/ipv4/fou_nl.c +index 98b90107b5abc..bbd955f4c9d19 100644 +--- a/net/ipv4/fou_nl.c ++++ b/net/ipv4/fou_nl.c +@@ -14,7 +14,7 @@ + const struct nla_policy fou_nl_policy[FOU_ATTR_IFINDEX + 1] = { + [FOU_ATTR_PORT] = { .type = NLA_U16, }, + [FOU_ATTR_AF] = { .type = NLA_U8, }, +- [FOU_ATTR_IPPROTO] = { .type = NLA_U8, }, ++ [FOU_ATTR_IPPROTO] = NLA_POLICY_MIN(NLA_U8, 1), + [FOU_ATTR_TYPE] = { .type = NLA_U8, }, + [FOU_ATTR_REMCSUM_NOPARTIAL] = { .type = NLA_FLAG, }, + [FOU_ATTR_LOCAL_V4] = { .type = NLA_U32, }, +-- +2.51.0 + diff --git a/queue-6.12/gue-fix-skb-memleak-with-inner-ip-protocol-0.patch b/queue-6.12/gue-fix-skb-memleak-with-inner-ip-protocol-0.patch new file mode 100644 index 0000000000..85b60c676b --- /dev/null +++ b/queue-6.12/gue-fix-skb-memleak-with-inner-ip-protocol-0.patch @@ -0,0 +1,82 @@ +From 70be1d8653838b83730f3e434c2e9114e7d44af1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jan 2026 17:24:46 +0000 +Subject: gue: Fix skb memleak with inner IP protocol 0. + +From: Kuniyuki Iwashima + +[ Upstream commit 9a56796ad258786d3624eef5aefba394fc9bdded ] + +syzbot reported skb memleak below. [0] + +The repro generated a GUE packet with its inner protocol 0. + +gue_udp_recv() returns -guehdr->proto_ctype for "resubmit" +in ip_protocol_deliver_rcu(), but this only works with +non-zero protocol number. + +Let's drop such packets. + +Note that 0 is a valid number (IPv6 Hop-by-Hop Option). + +I think it is not practical to encap HOPOPT in GUE, so once +someone starts to complain, we could pass down a resubmit +flag pointer to distinguish two zeros from the upper layer: + + * no error + * resubmit HOPOPT + +[0] +BUG: memory leak +unreferenced object 0xffff888109695a00 (size 240): + comm "syz.0.17", pid 6088, jiffies 4294943096 + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 40 c2 10 81 88 ff ff 00 00 00 00 00 00 00 00 .@.............. + backtrace (crc a84b336f): + kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] + slab_post_alloc_hook mm/slub.c:4958 [inline] + slab_alloc_node mm/slub.c:5263 [inline] + kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270 + __build_skb+0x23/0x60 net/core/skbuff.c:474 + build_skb+0x20/0x190 net/core/skbuff.c:490 + __tun_build_skb drivers/net/tun.c:1541 [inline] + tun_build_skb+0x4a1/0xa40 drivers/net/tun.c:1636 + tun_get_user+0xc12/0x2030 drivers/net/tun.c:1770 + tun_chr_write_iter+0x71/0x120 drivers/net/tun.c:1999 + new_sync_write fs/read_write.c:593 [inline] + vfs_write+0x45d/0x710 fs/read_write.c:686 + ksys_write+0xa7/0x170 fs/read_write.c:738 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: 37dd0247797b1 ("gue: Receive side for Generic UDP Encapsulation") +Reported-by: syzbot+4d8c7d16b0e95c0d0f0d@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/6965534b.050a0220.38aacd.0001.GAE@google.com/ +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20260115172533.693652-2-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/fou_core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/ipv4/fou_core.c b/net/ipv4/fou_core.c +index 3e30745e2c09a..0e173998f1d7a 100644 +--- a/net/ipv4/fou_core.c ++++ b/net/ipv4/fou_core.c +@@ -215,6 +215,9 @@ static int gue_udp_recv(struct sock *sk, struct sk_buff *skb) + return gue_control_message(skb, guehdr); + + proto_ctype = guehdr->proto_ctype; ++ if (unlikely(!proto_ctype)) ++ goto drop; ++ + __skb_pull(skb, sizeof(struct udphdr) + hdrlen); + skb_reset_transport_header(skb); + +-- +2.51.0 + diff --git a/queue-6.12/ice-avoid-detrimental-cleanup-for-bond-during-interf.patch b/queue-6.12/ice-avoid-detrimental-cleanup-for-bond-during-interf.patch new file mode 100644 index 0000000000..3777042f49 --- /dev/null +++ b/queue-6.12/ice-avoid-detrimental-cleanup-for-bond-during-interf.patch @@ -0,0 +1,77 @@ +From ff60f3f938363419a27d87f6d4739a6b5ee365ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Nov 2025 09:58:26 -0800 +Subject: ice: Avoid detrimental cleanup for bond during interface stop + +From: Dave Ertman + +[ Upstream commit a9d45c22ed120cdd15ff56d0a6e4700c46451901 ] + +When the user issues an administrative down to an interface that is the +primary for an aggregate bond, the prune lists are being purged. This +breaks communication to the secondary interface, which shares a prune +list on the main switch block while bonded together. + +For the primary interface of an aggregate, avoid deleting these prune +lists during stop, and since they are hardcoded to specific values for +the default vlan and QinQ vlans, the attempt to re-add them during the +up phase will quietly fail without any additional problem. + +Fixes: 1e0f9881ef79 ("ice: Flesh out implementation of support for SRIOV on bonded interface") +Reviewed-by: Jacob Keller +Reviewed-by: Marcin Szycik +Signed-off-by: Dave Ertman +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_lib.c | 25 ++++++++++++++++-------- + 1 file changed, 17 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_lib.c b/drivers/net/ethernet/intel/ice/ice_lib.c +index 8f8bdc3072ccc..4e022de9e4bbd 100644 +--- a/drivers/net/ethernet/intel/ice/ice_lib.c ++++ b/drivers/net/ethernet/intel/ice/ice_lib.c +@@ -3746,22 +3746,31 @@ int ice_vsi_add_vlan_zero(struct ice_vsi *vsi) + int ice_vsi_del_vlan_zero(struct ice_vsi *vsi) + { + struct ice_vsi_vlan_ops *vlan_ops = ice_get_compat_vsi_vlan_ops(vsi); ++ struct ice_pf *pf = vsi->back; + struct ice_vlan vlan; + int err; + +- vlan = ICE_VLAN(0, 0, 0); +- err = vlan_ops->del_vlan(vsi, &vlan); +- if (err && err != -EEXIST) +- return err; ++ if (pf->lag && pf->lag->primary) { ++ dev_dbg(ice_pf_to_dev(pf), "Interface is primary in aggregate - not deleting prune list\n"); ++ } else { ++ vlan = ICE_VLAN(0, 0, 0); ++ err = vlan_ops->del_vlan(vsi, &vlan); ++ if (err && err != -EEXIST) ++ return err; ++ } + + /* in SVM both VLAN 0 filters are identical */ + if (!ice_is_dvm_ena(&vsi->back->hw)) + return 0; + +- vlan = ICE_VLAN(ETH_P_8021Q, 0, 0); +- err = vlan_ops->del_vlan(vsi, &vlan); +- if (err && err != -EEXIST) +- return err; ++ if (pf->lag && pf->lag->primary) { ++ dev_dbg(ice_pf_to_dev(pf), "Interface is primary in aggregate - not deleting QinQ prune list\n"); ++ } else { ++ vlan = ICE_VLAN(ETH_P_8021Q, 0, 0); ++ err = vlan_ops->del_vlan(vsi, &vlan); ++ if (err && err != -EEXIST) ++ return err; ++ } + + /* when deleting the last VLAN filter, make sure to disable the VLAN + * promisc mode so the filter isn't left by accident +-- +2.51.0 + diff --git a/queue-6.12/ice-fix-incorrect-timeout-ice_release_res.patch b/queue-6.12/ice-fix-incorrect-timeout-ice_release_res.patch new file mode 100644 index 0000000000..a5a82d1923 --- /dev/null +++ b/queue-6.12/ice-fix-incorrect-timeout-ice_release_res.patch @@ -0,0 +1,50 @@ +From 33ccf859a3176a0f1ad0c72257ec5b3f675d6af7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 6 Dec 2025 21:46:09 +0800 +Subject: ice: Fix incorrect timeout ice_release_res() + +From: Ding Hui + +[ Upstream commit 01139a2ce532d77379e1593230127caa261a8036 ] + +The commit 5f6df173f92e ("ice: implement and use rd32_poll_timeout for +ice_sq_done timeout") converted ICE_CTL_Q_SQ_CMD_TIMEOUT from jiffies +to microseconds. + +But the ice_release_res() function was missed, and its logic still +treats ICE_CTL_Q_SQ_CMD_TIMEOUT as a jiffies value. + +So correct the issue by usecs_to_jiffies(). + +Found by inspection of the DDP downloading process. +Compile and modprobe tested only. + +Fixes: 5f6df173f92e ("ice: implement and use rd32_poll_timeout for ice_sq_done timeout") +Signed-off-by: Ding Hui +Reviewed-by: Simon Horman +Reviewed-by: Aleksandr Loktionov +Reviewed-by: Jacob Keller +Reviewed-by: Paul Menzel +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_common.c b/drivers/net/ethernet/intel/ice/ice_common.c +index 068a467de1d56..36b3912761870 100644 +--- a/drivers/net/ethernet/intel/ice/ice_common.c ++++ b/drivers/net/ethernet/intel/ice/ice_common.c +@@ -1951,7 +1951,7 @@ void ice_release_res(struct ice_hw *hw, enum ice_aq_res_ids res) + /* there are some rare cases when trying to release the resource + * results in an admin queue timeout, so handle them correctly + */ +- timeout = jiffies + 10 * ICE_CTL_Q_SQ_CMD_TIMEOUT; ++ timeout = jiffies + 10 * usecs_to_jiffies(ICE_CTL_Q_SQ_CMD_TIMEOUT); + do { + status = ice_aq_release_res(hw, res, 0, NULL); + if (status != -EIO) +-- +2.51.0 + diff --git a/queue-6.12/ice-initialize-ring_stats-syncp.patch b/queue-6.12/ice-initialize-ring_stats-syncp.patch new file mode 100644 index 0000000000..d4de576bbe --- /dev/null +++ b/queue-6.12/ice-initialize-ring_stats-syncp.patch @@ -0,0 +1,51 @@ +From df49d6632f7c3145ad38992627d5000557831471 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Nov 2025 12:20:41 -0800 +Subject: ice: initialize ring_stats->syncp + +From: Jacob Keller + +[ Upstream commit 8439016c3b8b5ab687c2420317b1691585106611 ] + +The u64_stats_sync structure is empty on 64-bit systems. However, on 32-bit +systems it contains a seqcount_t which needs to be initialized. While the +memory is zero-initialized, a lack of u64_stats_init means that lockdep +won't get initialized properly. Fix this by adding u64_stats_init() calls +to the rings just after allocation. + +Fixes: 2b245cb29421 ("ice: Implement transmit and NAPI support") +Reviewed-by: Aleksandr Loktionov +Signed-off-by: Jacob Keller +Reviewed-by: Simon Horman +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_lib.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/intel/ice/ice_lib.c b/drivers/net/ethernet/intel/ice/ice_lib.c +index 8961eebe67aa2..8f8bdc3072ccc 100644 +--- a/drivers/net/ethernet/intel/ice/ice_lib.c ++++ b/drivers/net/ethernet/intel/ice/ice_lib.c +@@ -394,6 +394,8 @@ static int ice_vsi_alloc_ring_stats(struct ice_vsi *vsi) + if (!ring_stats) + goto err_out; + ++ u64_stats_init(&ring_stats->syncp); ++ + WRITE_ONCE(tx_ring_stats[i], ring_stats); + } + +@@ -413,6 +415,8 @@ static int ice_vsi_alloc_ring_stats(struct ice_vsi *vsi) + if (!ring_stats) + goto err_out; + ++ u64_stats_init(&ring_stats->syncp); ++ + WRITE_ONCE(rx_ring_stats[i], ring_stats); + } + +-- +2.51.0 + diff --git a/queue-6.12/igc-fix-race-condition-in-tx-timestamp-read-for-regi.patch b/queue-6.12/igc-fix-race-condition-in-tx-timestamp-read-for-regi.patch new file mode 100644 index 0000000000..ec982f0753 --- /dev/null +++ b/queue-6.12/igc-fix-race-condition-in-tx-timestamp-read-for-regi.patch @@ -0,0 +1,125 @@ +From 383c43bc60db7e99e3dff98146efed6c12da234a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Nov 2025 18:53:04 +0800 +Subject: igc: fix race condition in TX timestamp read for register 0 + +From: Chwee-Lin Choong + +[ Upstream commit 6990dc392a9ab10e52af37e0bee8c7b753756dc4 ] + +The current HW bug workaround checks the TXTT_0 ready bit first, +then reads TXSTMPL_0 twice (before and after reading TXSTMPH_0) +to detect whether a new timestamp was captured by timestamp +register 0 during the workaround. + +This sequence has a race: if a new timestamp is captured after +checking the TXTT_0 bit but before the first TXSTMPL_0 read, the +detection fails because both the "old" and "new" values come from +the same timestamp. + +Fix by reading TXSTMPL_0 first to establish a baseline, then +checking the TXTT_0 bit. This ensures any timestamp captured +during the race window will be detected. + +Old sequence: + 1. Check TXTT_0 ready bit + 2. Read TXSTMPL_0 (baseline) + 3. Read TXSTMPH_0 (interrupt workaround) + 4. Read TXSTMPL_0 (detect changes vs baseline) + +New sequence: + 1. Read TXSTMPL_0 (baseline) + 2. Check TXTT_0 ready bit + 3. Read TXSTMPH_0 (interrupt workaround) + 4. Read TXSTMPL_0 (detect changes vs baseline) + +Fixes: c789ad7cbebc ("igc: Work around HW bug causing missing timestamps") +Suggested-by: Avi Shalev +Reviewed-by: Aleksandr Loktionov +Co-developed-by: Song Yoong Siang +Signed-off-by: Song Yoong Siang +Signed-off-by: Chwee-Lin Choong +Tested-by: Avigail Dahan +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_ptp.c | 43 ++++++++++++++---------- + 1 file changed, 25 insertions(+), 18 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc_ptp.c b/drivers/net/ethernet/intel/igc/igc_ptp.c +index efc7b30e42113..a272d1a29eadb 100644 +--- a/drivers/net/ethernet/intel/igc/igc_ptp.c ++++ b/drivers/net/ethernet/intel/igc/igc_ptp.c +@@ -785,36 +785,43 @@ static void igc_ptp_tx_reg_to_stamp(struct igc_adapter *adapter, + static void igc_ptp_tx_hwtstamp(struct igc_adapter *adapter) + { + struct igc_hw *hw = &adapter->hw; ++ u32 txstmpl_old; + u64 regval; + u32 mask; + int i; + ++ /* Establish baseline of TXSTMPL_0 before checking TXTT_0. ++ * This baseline is used to detect if a new timestamp arrives in ++ * register 0 during the hardware bug workaround below. ++ */ ++ txstmpl_old = rd32(IGC_TXSTMPL); ++ + mask = rd32(IGC_TSYNCTXCTL) & IGC_TSYNCTXCTL_TXTT_ANY; + if (mask & IGC_TSYNCTXCTL_TXTT_0) { + regval = rd32(IGC_TXSTMPL); + regval |= (u64)rd32(IGC_TXSTMPH) << 32; + } else { +- /* There's a bug in the hardware that could cause +- * missing interrupts for TX timestamping. The issue +- * is that for new interrupts to be triggered, the +- * IGC_TXSTMPH_0 register must be read. ++ /* TXTT_0 not set - register 0 has no new timestamp initially. ++ * ++ * Hardware bug: Future timestamp interrupts won't fire unless ++ * TXSTMPH_0 is read, even if the timestamp was captured in ++ * registers 1-3. + * +- * To avoid discarding a valid timestamp that just +- * happened at the "wrong" time, we need to confirm +- * that there was no timestamp captured, we do that by +- * assuming that no two timestamps in sequence have +- * the same nanosecond value. ++ * Workaround: Read TXSTMPH_0 here to enable future interrupts. ++ * However, this read clears TXTT_0. If a timestamp arrives in ++ * register 0 after checking TXTT_0 but before this read, it ++ * would be lost. + * +- * So, we read the "low" register, read the "high" +- * register (to latch a new timestamp) and read the +- * "low" register again, if "old" and "new" versions +- * of the "low" register are different, a valid +- * timestamp was captured, we can read the "high" +- * register again. ++ * To detect this race: We saved a baseline read of TXSTMPL_0 ++ * before TXTT_0 check. After performing the workaround read of ++ * TXSTMPH_0, we read TXSTMPL_0 again. Since consecutive ++ * timestamps never share the same nanosecond value, a change ++ * between the baseline and new TXSTMPL_0 indicates a timestamp ++ * arrived during the race window. If so, read the complete ++ * timestamp. + */ +- u32 txstmpl_old, txstmpl_new; ++ u32 txstmpl_new; + +- txstmpl_old = rd32(IGC_TXSTMPL); + rd32(IGC_TXSTMPH); + txstmpl_new = rd32(IGC_TXSTMPL); + +@@ -829,7 +836,7 @@ static void igc_ptp_tx_hwtstamp(struct igc_adapter *adapter) + + done: + /* Now that the problematic first register was handled, we can +- * use retrieve the timestamps from the other registers ++ * retrieve the timestamps from the other registers + * (starting from '1') with less complications. + */ + for (i = 1; i < IGC_MAX_TX_TSTAMP_REGS; i++) { +-- +2.51.0 + diff --git a/queue-6.12/igc-restore-default-qbv-schedule-when-changing-chann.patch b/queue-6.12/igc-restore-default-qbv-schedule-when-changing-chann.patch new file mode 100644 index 0000000000..832698081f --- /dev/null +++ b/queue-6.12/igc-restore-default-qbv-schedule-when-changing-chann.patch @@ -0,0 +1,88 @@ +From 9823ddc43cc0310af6678988c731f0fd23d97abc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Nov 2025 09:18:29 +0100 +Subject: igc: Restore default Qbv schedule when changing channels + +From: Kurt Kanzenbach + +[ Upstream commit 41a9a6826f20a524242a6c984845c4855f629841 ] + +The Multi-queue Priority (MQPRIO) and Earliest TxTime First (ETF) offloads +utilize the Time Sensitive Networking (TSN) Tx mode. This mode is always +coupled to IEEE 802.1Qbv time aware shaper (Qbv). Therefore, the driver +sets a default Qbv schedule of all gates opened and a cycle time of +1s. This schedule is set during probe. + +However, the following sequence of events lead to Tx issues: + + - Boot a dual core system + igc_probe(): + igc_tsn_clear_schedule(): + -> Default Schedule is set + Note: At this point the driver has allocated two Tx/Rx queues, because + there are only two CPUs. + + - ethtool -L enp3s0 combined 4 + igc_ethtool_set_channels(): + igc_reinit_queues() + -> Default schedule is gone, per Tx ring start and end time are zero + + - tc qdisc replace dev enp3s0 handle 100 parent root mqprio \ + num_tc 4 map 3 3 2 2 0 1 1 1 3 3 3 3 3 3 3 3 \ + queues 1@0 1@1 1@2 1@3 hw 1 + igc_tsn_offload_apply(): + igc_tsn_enable_offload(): + -> Writes zeros to IGC_STQT(i) and IGC_ENDQT(i), causing Tx to stall/fail + +Therefore, restore the default Qbv schedule after changing the number of +channels. + +Furthermore, add a restriction to not allow queue reconfiguration when +TSN/Qbv is enabled, because it may lead to inconsistent states. + +Fixes: c814a2d2d48f ("igc: Use default cycle 'start' and 'end' values for queues") +Signed-off-by: Kurt Kanzenbach +Reviewed-by: Aleksandr Loktionov +Tested-by: Avigail Dahan +Acked-by: Vinicius Costa Gomes +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_ethtool.c | 4 ++-- + drivers/net/ethernet/intel/igc/igc_main.c | 5 +++++ + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc_ethtool.c b/drivers/net/ethernet/intel/igc/igc_ethtool.c +index 5b0c6f4337679..f4179b814eafc 100644 +--- a/drivers/net/ethernet/intel/igc/igc_ethtool.c ++++ b/drivers/net/ethernet/intel/igc/igc_ethtool.c +@@ -1540,8 +1540,8 @@ static int igc_ethtool_set_channels(struct net_device *netdev, + if (ch->other_count != NON_Q_VECTORS) + return -EINVAL; + +- /* Do not allow channel reconfiguration when mqprio is enabled */ +- if (adapter->strict_priority_enable) ++ /* Do not allow channel reconfiguration when any TSN qdisc is enabled */ ++ if (adapter->flags & IGC_FLAG_TSN_ANY_ENABLED) + return -EINVAL; + + /* Verify the number of channels doesn't exceed hw limits */ +diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c +index 9ba41a427e141..18dad521aefcc 100644 +--- a/drivers/net/ethernet/intel/igc/igc_main.c ++++ b/drivers/net/ethernet/intel/igc/igc_main.c +@@ -7582,6 +7582,11 @@ int igc_reinit_queues(struct igc_adapter *adapter) + if (netif_running(netdev)) + err = igc_open(netdev); + ++ if (!err) { ++ /* Restore default IEEE 802.1Qbv schedule after queue reinit */ ++ igc_tsn_clear_schedule(adapter); ++ } ++ + return err; + } + +-- +2.51.0 + diff --git a/queue-6.12/ipvlan-make-the-addrs_lock-be-per-port.patch b/queue-6.12/ipvlan-make-the-addrs_lock-be-per-port.patch new file mode 100644 index 0000000000..158d3ca5f2 --- /dev/null +++ b/queue-6.12/ipvlan-make-the-addrs_lock-be-per-port.patch @@ -0,0 +1,292 @@ +From 706e732cbb85b1d5acfa2b8221597a7388c6a2d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 17:24:06 +0300 +Subject: ipvlan: Make the addrs_lock be per port + +From: Dmitry Skorodumov + +[ Upstream commit d3ba32162488283c0a4c5bedd8817aec91748802 ] + +Make the addrs_lock be per port, not per ipvlan dev. + +Initial code seems to be written in the assumption, +that any address change must occur under RTNL. +But it is not so for the case of IPv6. So + +1) Introduce per-port addrs_lock. + +2) It was needed to fix places where it was forgotten +to take lock (ipvlan_open/ipvlan_close) + +This appears to be a very minor problem though. +Since it's highly unlikely that ipvlan_add_addr() will +be called on 2 CPU simultaneously. But nevertheless, +this could cause: + +1) False-negative of ipvlan_addr_busy(): one interface +iterated through all port->ipvlans + ipvlan->addrs +under some ipvlan spinlock, and another added IP +under its own lock. Though this is only possible +for IPv6, since looks like only ipvlan_addr6_event() can be +called without rtnl_lock. + +2) Race since ipvlan_ht_addr_add(port) is called under +different ipvlan->addrs_lock locks + +This should not affect performance, since add/remove IP +is a rare situation and spinlock is not taken on fast +paths. + +Fixes: 8230819494b3 ("ipvlan: use per device spinlock to protect addrs list updates") +Signed-off-by: Dmitry Skorodumov +Reviewed-by: Paolo Abeni +Link: https://patch.msgid.link/20260112142417.4039566-2-skorodumov.dmitry@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ipvlan/ipvlan.h | 2 +- + drivers/net/ipvlan/ipvlan_core.c | 16 +++++------ + drivers/net/ipvlan/ipvlan_main.c | 49 +++++++++++++++++++------------- + 3 files changed, 37 insertions(+), 30 deletions(-) + +diff --git a/drivers/net/ipvlan/ipvlan.h b/drivers/net/ipvlan/ipvlan.h +index 025e0c19ec255..fce3ced90bd3d 100644 +--- a/drivers/net/ipvlan/ipvlan.h ++++ b/drivers/net/ipvlan/ipvlan.h +@@ -69,7 +69,6 @@ struct ipvl_dev { + DECLARE_BITMAP(mac_filters, IPVLAN_MAC_FILTER_SIZE); + netdev_features_t sfeatures; + u32 msg_enable; +- spinlock_t addrs_lock; + }; + + struct ipvl_addr { +@@ -90,6 +89,7 @@ struct ipvl_port { + struct net_device *dev; + possible_net_t pnet; + struct hlist_head hlhead[IPVLAN_HASH_SIZE]; ++ spinlock_t addrs_lock; /* guards hash-table and addrs */ + struct list_head ipvlans; + u16 mode; + u16 flags; +diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c +index 83bd65a227709..268ea41a17d52 100644 +--- a/drivers/net/ipvlan/ipvlan_core.c ++++ b/drivers/net/ipvlan/ipvlan_core.c +@@ -107,17 +107,15 @@ void ipvlan_ht_addr_del(struct ipvl_addr *addr) + struct ipvl_addr *ipvlan_find_addr(const struct ipvl_dev *ipvlan, + const void *iaddr, bool is_v6) + { +- struct ipvl_addr *addr, *ret = NULL; ++ struct ipvl_addr *addr; + +- rcu_read_lock(); +- list_for_each_entry_rcu(addr, &ipvlan->addrs, anode) { +- if (addr_equal(is_v6, addr, iaddr)) { +- ret = addr; +- break; +- } ++ assert_spin_locked(&ipvlan->port->addrs_lock); ++ ++ list_for_each_entry(addr, &ipvlan->addrs, anode) { ++ if (addr_equal(is_v6, addr, iaddr)) ++ return addr; + } +- rcu_read_unlock(); +- return ret; ++ return NULL; + } + + bool ipvlan_addr_busy(struct ipvl_port *port, void *iaddr, bool is_v6) +diff --git a/drivers/net/ipvlan/ipvlan_main.c b/drivers/net/ipvlan/ipvlan_main.c +index ee2c3cf4df365..bce52c743f0e8 100644 +--- a/drivers/net/ipvlan/ipvlan_main.c ++++ b/drivers/net/ipvlan/ipvlan_main.c +@@ -74,6 +74,7 @@ static int ipvlan_port_create(struct net_device *dev) + for (idx = 0; idx < IPVLAN_HASH_SIZE; idx++) + INIT_HLIST_HEAD(&port->hlhead[idx]); + ++ spin_lock_init(&port->addrs_lock); + skb_queue_head_init(&port->backlog); + INIT_WORK(&port->wq, ipvlan_process_multicast); + ida_init(&port->ida); +@@ -180,6 +181,7 @@ static void ipvlan_uninit(struct net_device *dev) + static int ipvlan_open(struct net_device *dev) + { + struct ipvl_dev *ipvlan = netdev_priv(dev); ++ struct ipvl_port *port = ipvlan->port; + struct ipvl_addr *addr; + + if (ipvlan->port->mode == IPVLAN_MODE_L3 || +@@ -188,10 +190,10 @@ static int ipvlan_open(struct net_device *dev) + else + dev->flags &= ~IFF_NOARP; + +- rcu_read_lock(); +- list_for_each_entry_rcu(addr, &ipvlan->addrs, anode) ++ spin_lock_bh(&port->addrs_lock); ++ list_for_each_entry(addr, &ipvlan->addrs, anode) + ipvlan_ht_addr_add(ipvlan, addr); +- rcu_read_unlock(); ++ spin_unlock_bh(&port->addrs_lock); + + return 0; + } +@@ -205,10 +207,10 @@ static int ipvlan_stop(struct net_device *dev) + dev_uc_unsync(phy_dev, dev); + dev_mc_unsync(phy_dev, dev); + +- rcu_read_lock(); +- list_for_each_entry_rcu(addr, &ipvlan->addrs, anode) ++ spin_lock_bh(&ipvlan->port->addrs_lock); ++ list_for_each_entry(addr, &ipvlan->addrs, anode) + ipvlan_ht_addr_del(addr); +- rcu_read_unlock(); ++ spin_unlock_bh(&ipvlan->port->addrs_lock); + + return 0; + } +@@ -576,7 +578,6 @@ int ipvlan_link_new(struct net *src_net, struct net_device *dev, + if (!tb[IFLA_MTU]) + ipvlan_adjust_mtu(ipvlan, phy_dev); + INIT_LIST_HEAD(&ipvlan->addrs); +- spin_lock_init(&ipvlan->addrs_lock); + + /* TODO Probably put random address here to be presented to the + * world but keep using the physical-dev address for the outgoing +@@ -654,13 +655,13 @@ void ipvlan_link_delete(struct net_device *dev, struct list_head *head) + struct ipvl_dev *ipvlan = netdev_priv(dev); + struct ipvl_addr *addr, *next; + +- spin_lock_bh(&ipvlan->addrs_lock); ++ spin_lock_bh(&ipvlan->port->addrs_lock); + list_for_each_entry_safe(addr, next, &ipvlan->addrs, anode) { + ipvlan_ht_addr_del(addr); + list_del_rcu(&addr->anode); + kfree_rcu(addr, rcu); + } +- spin_unlock_bh(&ipvlan->addrs_lock); ++ spin_unlock_bh(&ipvlan->port->addrs_lock); + + ida_free(&ipvlan->port->ida, dev->dev_id); + list_del_rcu(&ipvlan->pnode); +@@ -808,6 +809,8 @@ static int ipvlan_add_addr(struct ipvl_dev *ipvlan, void *iaddr, bool is_v6) + { + struct ipvl_addr *addr; + ++ assert_spin_locked(&ipvlan->port->addrs_lock); ++ + addr = kzalloc(sizeof(struct ipvl_addr), GFP_ATOMIC); + if (!addr) + return -ENOMEM; +@@ -838,16 +841,16 @@ static void ipvlan_del_addr(struct ipvl_dev *ipvlan, void *iaddr, bool is_v6) + { + struct ipvl_addr *addr; + +- spin_lock_bh(&ipvlan->addrs_lock); ++ spin_lock_bh(&ipvlan->port->addrs_lock); + addr = ipvlan_find_addr(ipvlan, iaddr, is_v6); + if (!addr) { +- spin_unlock_bh(&ipvlan->addrs_lock); ++ spin_unlock_bh(&ipvlan->port->addrs_lock); + return; + } + + ipvlan_ht_addr_del(addr); + list_del_rcu(&addr->anode); +- spin_unlock_bh(&ipvlan->addrs_lock); ++ spin_unlock_bh(&ipvlan->port->addrs_lock); + kfree_rcu(addr, rcu); + } + +@@ -869,14 +872,14 @@ static int ipvlan_add_addr6(struct ipvl_dev *ipvlan, struct in6_addr *ip6_addr) + { + int ret = -EINVAL; + +- spin_lock_bh(&ipvlan->addrs_lock); ++ spin_lock_bh(&ipvlan->port->addrs_lock); + if (ipvlan_addr_busy(ipvlan->port, ip6_addr, true)) + netif_err(ipvlan, ifup, ipvlan->dev, + "Failed to add IPv6=%pI6c addr for %s intf\n", + ip6_addr, ipvlan->dev->name); + else + ret = ipvlan_add_addr(ipvlan, ip6_addr, true); +- spin_unlock_bh(&ipvlan->addrs_lock); ++ spin_unlock_bh(&ipvlan->port->addrs_lock); + return ret; + } + +@@ -915,21 +918,24 @@ static int ipvlan_addr6_validator_event(struct notifier_block *unused, + struct in6_validator_info *i6vi = (struct in6_validator_info *)ptr; + struct net_device *dev = (struct net_device *)i6vi->i6vi_dev->dev; + struct ipvl_dev *ipvlan = netdev_priv(dev); ++ int ret = NOTIFY_OK; + + if (!ipvlan_is_valid_dev(dev)) + return NOTIFY_DONE; + + switch (event) { + case NETDEV_UP: ++ spin_lock_bh(&ipvlan->port->addrs_lock); + if (ipvlan_addr_busy(ipvlan->port, &i6vi->i6vi_addr, true)) { + NL_SET_ERR_MSG(i6vi->extack, + "Address already assigned to an ipvlan device"); +- return notifier_from_errno(-EADDRINUSE); ++ ret = notifier_from_errno(-EADDRINUSE); + } ++ spin_unlock_bh(&ipvlan->port->addrs_lock); + break; + } + +- return NOTIFY_OK; ++ return ret; + } + #endif + +@@ -937,14 +943,14 @@ static int ipvlan_add_addr4(struct ipvl_dev *ipvlan, struct in_addr *ip4_addr) + { + int ret = -EINVAL; + +- spin_lock_bh(&ipvlan->addrs_lock); ++ spin_lock_bh(&ipvlan->port->addrs_lock); + if (ipvlan_addr_busy(ipvlan->port, ip4_addr, false)) + netif_err(ipvlan, ifup, ipvlan->dev, + "Failed to add IPv4=%pI4 on %s intf.\n", + ip4_addr, ipvlan->dev->name); + else + ret = ipvlan_add_addr(ipvlan, ip4_addr, false); +- spin_unlock_bh(&ipvlan->addrs_lock); ++ spin_unlock_bh(&ipvlan->port->addrs_lock); + return ret; + } + +@@ -986,21 +992,24 @@ static int ipvlan_addr4_validator_event(struct notifier_block *unused, + struct in_validator_info *ivi = (struct in_validator_info *)ptr; + struct net_device *dev = (struct net_device *)ivi->ivi_dev->dev; + struct ipvl_dev *ipvlan = netdev_priv(dev); ++ int ret = NOTIFY_OK; + + if (!ipvlan_is_valid_dev(dev)) + return NOTIFY_DONE; + + switch (event) { + case NETDEV_UP: ++ spin_lock_bh(&ipvlan->port->addrs_lock); + if (ipvlan_addr_busy(ipvlan->port, &ivi->ivi_addr, false)) { + NL_SET_ERR_MSG(ivi->extack, + "Address already assigned to an ipvlan device"); +- return notifier_from_errno(-EADDRINUSE); ++ ret = notifier_from_errno(-EADDRINUSE); + } ++ spin_unlock_bh(&ipvlan->port->addrs_lock); + break; + } + +- return NOTIFY_OK; ++ return ret; + } + + static struct notifier_block ipvlan_addr4_notifier_block __read_mostly = { +-- +2.51.0 + diff --git a/queue-6.12/l2tp-avoid-one-data-race-in-l2tp_tunnel_del_work.patch b/queue-6.12/l2tp-avoid-one-data-race-in-l2tp_tunnel_del_work.patch new file mode 100644 index 0000000000..2ddc72c39d --- /dev/null +++ b/queue-6.12/l2tp-avoid-one-data-race-in-l2tp_tunnel_del_work.patch @@ -0,0 +1,85 @@ +From 1ecaf032a3ff4f9c0cbf3dba6fb3efa653858a8b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jan 2026 09:21:39 +0000 +Subject: l2tp: avoid one data-race in l2tp_tunnel_del_work() + +From: Eric Dumazet + +[ Upstream commit 7a29f6bf60f2590fe5e9c4decb451e19afad2bcf ] + +We should read sk->sk_socket only when dealing with kernel sockets. + +syzbot reported the following data-race: + +BUG: KCSAN: data-race in l2tp_tunnel_del_work / sk_common_release + +write to 0xffff88811c182b20 of 8 bytes by task 5365 on cpu 0: + sk_set_socket include/net/sock.h:2092 [inline] + sock_orphan include/net/sock.h:2118 [inline] + sk_common_release+0xae/0x230 net/core/sock.c:4003 + udp_lib_close+0x15/0x20 include/net/udp.h:325 + inet_release+0xce/0xf0 net/ipv4/af_inet.c:437 + __sock_release net/socket.c:662 [inline] + sock_close+0x6b/0x150 net/socket.c:1455 + __fput+0x29b/0x650 fs/file_table.c:468 + ____fput+0x1c/0x30 fs/file_table.c:496 + task_work_run+0x131/0x1a0 kernel/task_work.c:233 + resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] + __exit_to_user_mode_loop kernel/entry/common.c:44 [inline] + exit_to_user_mode_loop+0x1fe/0x740 kernel/entry/common.c:75 + __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline] + syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline] + syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline] + syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline] + do_syscall_64+0x1e1/0x2b0 arch/x86/entry/syscall_64.c:100 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +read to 0xffff88811c182b20 of 8 bytes by task 827 on cpu 1: + l2tp_tunnel_del_work+0x2f/0x1a0 net/l2tp/l2tp_core.c:1418 + process_one_work kernel/workqueue.c:3257 [inline] + process_scheduled_works+0x4ce/0x9d0 kernel/workqueue.c:3340 + worker_thread+0x582/0x770 kernel/workqueue.c:3421 + kthread+0x489/0x510 kernel/kthread.c:463 + ret_from_fork+0x149/0x290 arch/x86/kernel/process.c:158 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 + +value changed: 0xffff88811b818000 -> 0x0000000000000000 + +Fixes: d00fa9adc528 ("l2tp: fix races with tunnel socket close") +Reported-by: syzbot+7312e82745f7fa2526db@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/6968b029.050a0220.58bed.0016.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: James Chapman +Reviewed-by: Guillaume Nault +Link: https://patch.msgid.link/20260115092139.3066180-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/l2tp/l2tp_core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c +index 61fe27d71c230..95060ff7adc5f 100644 +--- a/net/l2tp/l2tp_core.c ++++ b/net/l2tp/l2tp_core.c +@@ -1416,8 +1416,6 @@ static void l2tp_tunnel_del_work(struct work_struct *work) + { + struct l2tp_tunnel *tunnel = container_of(work, struct l2tp_tunnel, + del_work); +- struct sock *sk = tunnel->sock; +- struct socket *sock = sk->sk_socket; + + l2tp_tunnel_closeall(tunnel); + +@@ -1425,6 +1423,8 @@ static void l2tp_tunnel_del_work(struct work_struct *work) + * the sk API to release it here. + */ + if (tunnel->fd < 0) { ++ struct socket *sock = tunnel->sock->sk_socket; ++ + if (sock) { + kernel_sock_shutdown(sock, SHUT_RDWR); + sock_release(sock); +-- +2.51.0 + diff --git a/queue-6.12/l2tp-fix-memleak-in-l2tp_udp_encap_recv.patch b/queue-6.12/l2tp-fix-memleak-in-l2tp_udp_encap_recv.patch new file mode 100644 index 0000000000..82a8b7f234 --- /dev/null +++ b/queue-6.12/l2tp-fix-memleak-in-l2tp_udp_encap_recv.patch @@ -0,0 +1,77 @@ +From ab18b3b8dca7550c571a6977b8c4877b787e0670 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 18:54:44 +0000 +Subject: l2tp: Fix memleak in l2tp_udp_encap_recv(). + +From: Kuniyuki Iwashima + +[ Upstream commit 4d10edfd1475b69dbd4c47f34b61a3772ece83ca ] + +syzbot reported memleak of struct l2tp_session, l2tp_tunnel, +sock, etc. [0] + +The cited commit moved down the validation of the protocol +version in l2tp_udp_encap_recv(). + +The new place requires an extra error handling to avoid the +memleak. + +Let's call l2tp_session_put() there. + +[0]: +BUG: memory leak +unreferenced object 0xffff88810a290200 (size 512): + comm "syz.0.17", pid 6086, jiffies 4294944299 + hex dump (first 32 bytes): + 7d eb 04 0c 00 00 00 00 01 00 00 00 00 00 00 00 }............... + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace (crc babb6a4f): + kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] + slab_post_alloc_hook mm/slub.c:4958 [inline] + slab_alloc_node mm/slub.c:5263 [inline] + __do_kmalloc_node mm/slub.c:5656 [inline] + __kmalloc_noprof+0x3e0/0x660 mm/slub.c:5669 + kmalloc_noprof include/linux/slab.h:961 [inline] + kzalloc_noprof include/linux/slab.h:1094 [inline] + l2tp_session_create+0x3a/0x3b0 net/l2tp/l2tp_core.c:1778 + pppol2tp_connect+0x48b/0x920 net/l2tp/l2tp_ppp.c:755 + __sys_connect_file+0x7a/0xb0 net/socket.c:2089 + __sys_connect+0xde/0x110 net/socket.c:2108 + __do_sys_connect net/socket.c:2114 [inline] + __se_sys_connect net/socket.c:2111 [inline] + __x64_sys_connect+0x1c/0x30 net/socket.c:2111 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: 364798056f518 ("l2tp: Support different protocol versions with same IP/port quadruple") +Reported-by: syzbot+2c42ea4485b29beb0643@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/696693f2.a70a0220.245e30.0001.GAE@google.com/ +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Guillaume Nault +Link: https://patch.msgid.link/20260113185446.2533333-1-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/l2tp/l2tp_core.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c +index 369a2f2e459cd..61fe27d71c230 100644 +--- a/net/l2tp/l2tp_core.c ++++ b/net/l2tp/l2tp_core.c +@@ -1086,8 +1086,10 @@ int l2tp_udp_encap_recv(struct sock *sk, struct sk_buff *skb) + tunnel = session->tunnel; + + /* Check protocol version */ +- if (version != tunnel->version) ++ if (version != tunnel->version) { ++ l2tp_session_put(session); + goto invalid; ++ } + + if (version == L2TP_HDR_VER_3 && + l2tp_v3_ensure_opt_in_linear(session, skb, &ptr, &optr)) { +-- +2.51.0 + diff --git a/queue-6.12/net-sched-enforce-that-teql-can-only-be-used-as-root.patch b/queue-6.12/net-sched-enforce-that-teql-can-only-be-used-as-root.patch new file mode 100644 index 0000000000..c6c2f55f93 --- /dev/null +++ b/queue-6.12/net-sched-enforce-that-teql-can-only-be-used-as-root.patch @@ -0,0 +1,68 @@ +From 5b5592730b9f2879ef25a6d249d92843f007b77d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jan 2026 11:02:41 -0500 +Subject: net/sched: Enforce that teql can only be used as root qdisc +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jamal Hadi Salim + +[ Upstream commit 50da4b9d07a7a463e2cfb738f3ad4cff6b2c9c3b ] + +Design intent of teql is that it is only supposed to be used as root qdisc. +We need to check for that constraint. + +Although not important, I will describe the scenario that unearthed this +issue for the curious. + +GangMin Kim managed to concot a scenario as follows: + +ROOT qdisc 1:0 (QFQ) + ├── class 1:1 (weight=15, lmax=16384) netem with delay 6.4s + └── class 1:2 (weight=1, lmax=1514) teql + +GangMin sends a packet which is enqueued to 1:1 (netem). +Any invocation of dequeue by QFQ from this class will not return a packet +until after 6.4s. In the meantime, a second packet is sent and it lands on +1:2. teql's enqueue will return success and this will activate class 1:2. +Main issue is that teql only updates the parent visible qlen (sch->q.qlen) +at dequeue. Since QFQ will only call dequeue if peek succeeds (and teql's +peek always returns NULL), dequeue will never be called and thus the qlen +will remain as 0. With that in mind, when GangMin updates 1:2's lmax value, +the qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc's +qlen was not incremented, qfq fails to deactivate the class, but still +frees its pointers from the aggregate. So when the first packet is +rescheduled after 6.4 seconds (netem's delay), a dangling pointer is +accessed causing GangMin's causing a UAF. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: GangMin Kim +Tested-by: Victor Nogueira +Signed-off-by: Jamal Hadi Salim +Link: https://patch.msgid.link/20260114160243.913069-2-jhs@mojatatu.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_teql.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/sched/sch_teql.c b/net/sched/sch_teql.c +index 8badec6d82a24..6e4bdaa876ed6 100644 +--- a/net/sched/sch_teql.c ++++ b/net/sched/sch_teql.c +@@ -178,6 +178,11 @@ static int teql_qdisc_init(struct Qdisc *sch, struct nlattr *opt, + if (m->dev == dev) + return -ELOOP; + ++ if (sch->parent != TC_H_ROOT) { ++ NL_SET_ERR_MSG_MOD(extack, "teql can only be used as root"); ++ return -EOPNOTSUPP; ++ } ++ + q->m = m; + + skb_queue_head_init(&q->q); +-- +2.51.0 + diff --git a/queue-6.12/net-sched-qfq-use-cl_is_active-to-determine-whether-.patch b/queue-6.12/net-sched-qfq-use-cl_is_active-to-determine-whether-.patch new file mode 100644 index 0000000000..1348df368e --- /dev/null +++ b/queue-6.12/net-sched-qfq-use-cl_is_active-to-determine-whether-.patch @@ -0,0 +1,40 @@ +From 51aedbde7588d510ad80da0a754bcb292253512a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jan 2026 11:02:42 -0500 +Subject: net/sched: qfq: Use cl_is_active to determine whether class is active + in qfq_rm_from_ag + +From: Jamal Hadi Salim + +[ Upstream commit d837fbee92453fbb829f950c8e7cf76207d73f33 ] + +This is more of a preventive patch to make the code more consistent and +to prevent possible exploits that employ child qlen manipulations on qfq. +use cl_is_active instead of relying on the child qdisc's qlen to determine +class activation. + +Fixes: 462dbc9101acd ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost") +Signed-off-by: Jamal Hadi Salim +Link: https://patch.msgid.link/20260114160243.913069-3-jhs@mojatatu.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_qfq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c +index d8dabc1a620bd..c7c8e8dde31d1 100644 +--- a/net/sched/sch_qfq.c ++++ b/net/sched/sch_qfq.c +@@ -373,7 +373,7 @@ static void qfq_rm_from_agg(struct qfq_sched *q, struct qfq_class *cl) + /* Deschedule class and remove it from its parent aggregate. */ + static void qfq_deact_rm_from_agg(struct qfq_sched *q, struct qfq_class *cl) + { +- if (cl->qdisc->q.qlen > 0) /* class is active */ ++ if (cl_is_active(cl)) /* class is active */ + qfq_deactivate_class(q, cl); + + qfq_rm_from_agg(q, cl); +-- +2.51.0 + diff --git a/queue-6.12/net-usb-dm9601-remove-broken-sr9700-support.patch b/queue-6.12/net-usb-dm9601-remove-broken-sr9700-support.patch new file mode 100644 index 0000000000..9984dcd4b8 --- /dev/null +++ b/queue-6.12/net-usb-dm9601-remove-broken-sr9700-support.patch @@ -0,0 +1,53 @@ +From b7b96963ea85c454272127a2a03ee9c0815d63bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 22:39:24 -0800 +Subject: net: usb: dm9601: remove broken SR9700 support + +From: Ethan Nelson-Moore + +[ Upstream commit 7d7dbafefbe74f5a25efc4807af093b857a7612e ] + +The SR9700 chip sends more than one packet in a USB transaction, +like the DM962x chips can optionally do, but the dm9601 driver does not +support this mode, and the hardware does not have the DM962x +MODE_CTL register to disable it, so this driver drops packets on SR9700 +devices. The sr9700 driver correctly handles receiving more than one +packet per transaction. + +While the dm9601 driver could be improved to handle this, the easiest +way to fix this issue in the short term is to remove the SR9700 device +ID from the dm9601 driver so the sr9700 driver is always used. This +device ID should not have been in more than one driver to begin with. + +The "Fixes" commit was chosen so that the patch is automatically +included in all kernels that have the sr9700 driver, even though the +issue affects dm9601. + +Fixes: c9b37458e956 ("USB2NET : SR9700 : One chip USB 1.1 USB2NET SR9700Device Driver Support") +Signed-off-by: Ethan Nelson-Moore +Acked-by: Peter Korsgaard +Link: https://patch.msgid.link/20260113063924.74464-1-enelsonmoore@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/dm9601.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/net/usb/dm9601.c b/drivers/net/usb/dm9601.c +index 8b6d6a1b3c2ec..2b4716ccf0c5b 100644 +--- a/drivers/net/usb/dm9601.c ++++ b/drivers/net/usb/dm9601.c +@@ -603,10 +603,6 @@ static const struct usb_device_id products[] = { + USB_DEVICE(0x0fe6, 0x8101), /* DM9601 USB to Fast Ethernet Adapter */ + .driver_info = (unsigned long)&dm9601_info, + }, +- { +- USB_DEVICE(0x0fe6, 0x9700), /* DM9601 USB to Fast Ethernet Adapter */ +- .driver_info = (unsigned long)&dm9601_info, +- }, + { + USB_DEVICE(0x0a46, 0x9000), /* DM9000E */ + .driver_info = (unsigned long)&dm9601_info, +-- +2.51.0 + diff --git a/queue-6.12/octeontx2-cn10k-fix-rx-flowid-tcam-mask-handling.patch b/queue-6.12/octeontx2-cn10k-fix-rx-flowid-tcam-mask-handling.patch new file mode 100644 index 0000000000..ef2b330ee5 --- /dev/null +++ b/queue-6.12/octeontx2-cn10k-fix-rx-flowid-tcam-mask-handling.patch @@ -0,0 +1,43 @@ +From 073bcc2aa41cf98d9612aa7f042fb52c094753f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jan 2026 08:47:12 -0800 +Subject: octeontx2: cn10k: fix RX flowid TCAM mask handling + +From: Alok Tiwari + +[ Upstream commit ab9b218a1521133a4410722907fa7189566be9bc ] + +The RX flowid programming initializes the TCAM mask to all ones, but +then overwrites it when clearing the MAC DA mask bits. This results +in losing the intended initialization and may affect other match fields. + +Update the code to clear the MAC DA bits using an AND operation, making +the handling of mask[0] consistent with mask[1], where the field-specific +bits are cleared after initializing the mask to ~0ULL. + +Fixes: 57d00d4364f3 ("octeontx2-pf: mcs: Match macsec ethertype along with DMAC") +Signed-off-by: Alok Tiwari +Reviewed-by: Subbaraya Sundeep +Link: https://patch.msgid.link/20260116164724.2733511-1-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c +index 74953f67a2bf9..3af58bc9f533c 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c +@@ -330,7 +330,7 @@ static int cn10k_mcs_write_rx_flowid(struct otx2_nic *pfvf, + + req->data[0] = FIELD_PREP(MCS_TCAM0_MAC_DA_MASK, mac_da); + req->mask[0] = ~0ULL; +- req->mask[0] = ~MCS_TCAM0_MAC_DA_MASK; ++ req->mask[0] &= ~MCS_TCAM0_MAC_DA_MASK; + + req->data[1] = FIELD_PREP(MCS_TCAM1_ETYPE_MASK, ETH_P_MACSEC); + req->mask[1] = ~0ULL; +-- +2.51.0 + diff --git a/queue-6.12/sctp-move-sctp_cmd_assoc_shkey-right-after-sctp_cmd_.patch b/queue-6.12/sctp-move-sctp_cmd_assoc_shkey-right-after-sctp_cmd_.patch new file mode 100644 index 0000000000..6d0cdf7eab --- /dev/null +++ b/queue-6.12/sctp-move-sctp_cmd_assoc_shkey-right-after-sctp_cmd_.patch @@ -0,0 +1,101 @@ +From c7af868174019716eb50f491452c26dbdeec339a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 12:10:26 -0500 +Subject: sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT + +From: Xin Long + +[ Upstream commit a80c9d945aef55b23b54838334345f20251dad83 ] + +A null-ptr-deref was reported in the SCTP transmit path when SCTP-AUTH key +initialization fails: + + ================================================================== + KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f] + CPU: 0 PID: 16 Comm: ksoftirqd/0 Tainted: G W 6.6.0 #2 + RIP: 0010:sctp_packet_bundle_auth net/sctp/output.c:264 [inline] + RIP: 0010:sctp_packet_append_chunk+0xb36/0x1260 net/sctp/output.c:401 + Call Trace: + + sctp_packet_transmit_chunk+0x31/0x250 net/sctp/output.c:189 + sctp_outq_flush_data+0xa29/0x26d0 net/sctp/outqueue.c:1111 + sctp_outq_flush+0xc80/0x1240 net/sctp/outqueue.c:1217 + sctp_cmd_interpreter.isra.0+0x19a5/0x62c0 net/sctp/sm_sideeffect.c:1787 + sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline] + sctp_do_sm+0x1a3/0x670 net/sctp/sm_sideeffect.c:1169 + sctp_assoc_bh_rcv+0x33e/0x640 net/sctp/associola.c:1052 + sctp_inq_push+0x1dd/0x280 net/sctp/inqueue.c:88 + sctp_rcv+0x11ae/0x3100 net/sctp/input.c:243 + sctp6_rcv+0x3d/0x60 net/sctp/ipv6.c:1127 + +The issue is triggered when sctp_auth_asoc_init_active_key() fails in +sctp_sf_do_5_1C_ack() while processing an INIT_ACK. In this case, the +command sequence is currently: + +- SCTP_CMD_PEER_INIT +- SCTP_CMD_TIMER_STOP (T1_INIT) +- SCTP_CMD_TIMER_START (T1_COOKIE) +- SCTP_CMD_NEW_STATE (COOKIE_ECHOED) +- SCTP_CMD_ASSOC_SHKEY +- SCTP_CMD_GEN_COOKIE_ECHO + +If SCTP_CMD_ASSOC_SHKEY fails, asoc->shkey remains NULL, while +asoc->peer.auth_capable and asoc->peer.peer_chunks have already been set by +SCTP_CMD_PEER_INIT. This allows a DATA chunk with auth = 1 and shkey = NULL +to be queued by sctp_datamsg_from_user(). + +Since command interpretation stops on failure, no COOKIE_ECHO should been +sent via SCTP_CMD_GEN_COOKIE_ECHO. However, the T1_COOKIE timer has already +been started, and it may enqueue a COOKIE_ECHO into the outqueue later. As +a result, the DATA chunk can be transmitted together with the COOKIE_ECHO +in sctp_outq_flush_data(), leading to the observed issue. + +Similar to the other places where it calls sctp_auth_asoc_init_active_key() +right after sctp_process_init(), this patch moves the SCTP_CMD_ASSOC_SHKEY +immediately after SCTP_CMD_PEER_INIT, before stopping T1_INIT and starting +T1_COOKIE. This ensures that if shared key generation fails, authenticated +DATA cannot be sent. It also allows the T1_INIT timer to retransmit INIT, +giving the client another chance to process INIT_ACK and retry key setup. + +Fixes: 730fc3d05cd4 ("[SCTP]: Implete SCTP-AUTH parameter processing") +Reported-by: Zhen Chen +Tested-by: Zhen Chen +Signed-off-by: Xin Long +Link: https://patch.msgid.link/44881224b375aa8853f5e19b4055a1a56d895813.1768324226.git.lucien.xin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/sm_statefuns.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c +index dc66dff33d6d4..966bd6a44594a 100644 +--- a/net/sctp/sm_statefuns.c ++++ b/net/sctp/sm_statefuns.c +@@ -603,6 +603,11 @@ enum sctp_disposition sctp_sf_do_5_1C_ack(struct net *net, + sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT, + SCTP_PEER_INIT(initchunk)); + ++ /* SCTP-AUTH: generate the association shared keys so that ++ * we can potentially sign the COOKIE-ECHO. ++ */ ++ sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL()); ++ + /* Reset init error count upon receipt of INIT-ACK. */ + sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); + +@@ -617,11 +622,6 @@ enum sctp_disposition sctp_sf_do_5_1C_ack(struct net *net, + sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, + SCTP_STATE(SCTP_STATE_COOKIE_ECHOED)); + +- /* SCTP-AUTH: generate the association shared keys so that +- * we can potentially sign the COOKIE-ECHO. +- */ +- sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL()); +- + /* 5.1 C) "A" shall then send the State Cookie received in the + * INIT ACK chunk in a COOKIE ECHO chunk, ... + */ +-- +2.51.0 + diff --git a/queue-6.12/selftests-net-fib-onlink-tests-convert-to-use-namesp.patch b/queue-6.12/selftests-net-fib-onlink-tests-convert-to-use-namesp.patch new file mode 100644 index 0000000000..e484978376 --- /dev/null +++ b/queue-6.12/selftests-net-fib-onlink-tests-convert-to-use-namesp.patch @@ -0,0 +1,185 @@ +From acd06a4061854f627dd7b90635e645db6ae63848 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 12:37:44 -0300 +Subject: selftests: net: fib-onlink-tests: Convert to use namespaces by + default +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ricardo B. Marlière + +[ Upstream commit 4f5f148dd7c0459229d2ab9a769b2e820f9ee6a2 ] + +Currently, the test breaks if the SUT already has a default route +configured for IPv6. Fix by avoiding the use of the default namespace. + +Fixes: 4ed591c8ab44 ("net/ipv6: Allow onlink routes to have a device mismatch if it is the default route") +Suggested-by: Fernando Fernandez Mancera +Signed-off-by: Ricardo B. Marlière +Reviewed-by: Ido Schimmel +Reviewed-by: Fernando Fernandez Mancera +Link: https://patch.msgid.link/20260113-selftests-net-fib-onlink-v2-1-89de2b931389@suse.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../testing/selftests/net/fib-onlink-tests.sh | 71 ++++++++----------- + 1 file changed, 30 insertions(+), 41 deletions(-) + +diff --git a/tools/testing/selftests/net/fib-onlink-tests.sh b/tools/testing/selftests/net/fib-onlink-tests.sh +index ec2d6ceb1f08d..c01be076b210d 100755 +--- a/tools/testing/selftests/net/fib-onlink-tests.sh ++++ b/tools/testing/selftests/net/fib-onlink-tests.sh +@@ -120,7 +120,7 @@ log_subsection() + + run_cmd() + { +- local cmd="$*" ++ local cmd="$1" + local out + local rc + +@@ -145,7 +145,7 @@ get_linklocal() + local pfx + local addr + +- addr=$(${pfx} ip -6 -br addr show dev ${dev} | \ ++ addr=$(${pfx} ${IP} -6 -br addr show dev ${dev} | \ + awk '{ + for (i = 3; i <= NF; ++i) { + if ($i ~ /^fe80/) +@@ -173,58 +173,48 @@ setup() + + set -e + +- # create namespace +- setup_ns PEER_NS ++ # create namespaces ++ setup_ns ns1 ++ IP="ip -netns $ns1" ++ setup_ns ns2 + + # add vrf table +- ip li add ${VRF} type vrf table ${VRF_TABLE} +- ip li set ${VRF} up +- ip ro add table ${VRF_TABLE} unreachable default metric 8192 +- ip -6 ro add table ${VRF_TABLE} unreachable default metric 8192 ++ ${IP} li add ${VRF} type vrf table ${VRF_TABLE} ++ ${IP} li set ${VRF} up ++ ${IP} ro add table ${VRF_TABLE} unreachable default metric 8192 ++ ${IP} -6 ro add table ${VRF_TABLE} unreachable default metric 8192 + + # create test interfaces +- ip li add ${NETIFS[p1]} type veth peer name ${NETIFS[p2]} +- ip li add ${NETIFS[p3]} type veth peer name ${NETIFS[p4]} +- ip li add ${NETIFS[p5]} type veth peer name ${NETIFS[p6]} +- ip li add ${NETIFS[p7]} type veth peer name ${NETIFS[p8]} ++ ${IP} li add ${NETIFS[p1]} type veth peer name ${NETIFS[p2]} ++ ${IP} li add ${NETIFS[p3]} type veth peer name ${NETIFS[p4]} ++ ${IP} li add ${NETIFS[p5]} type veth peer name ${NETIFS[p6]} ++ ${IP} li add ${NETIFS[p7]} type veth peer name ${NETIFS[p8]} + + # enslave vrf interfaces + for n in 5 7; do +- ip li set ${NETIFS[p${n}]} vrf ${VRF} ++ ${IP} li set ${NETIFS[p${n}]} vrf ${VRF} + done + + # add addresses + for n in 1 3 5 7; do +- ip li set ${NETIFS[p${n}]} up +- ip addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]} +- ip addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad ++ ${IP} li set ${NETIFS[p${n}]} up ++ ${IP} addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]} ++ ${IP} addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad + done + + # move peer interfaces to namespace and add addresses + for n in 2 4 6 8; do +- ip li set ${NETIFS[p${n}]} netns ${PEER_NS} up +- ip -netns ${PEER_NS} addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]} +- ip -netns ${PEER_NS} addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad ++ ${IP} li set ${NETIFS[p${n}]} netns ${ns2} up ++ ip -netns $ns2 addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]} ++ ip -netns $ns2 addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad + done + +- ip -6 ro add default via ${V6ADDRS[p3]/::[0-9]/::64} +- ip -6 ro add table ${VRF_TABLE} default via ${V6ADDRS[p7]/::[0-9]/::64} ++ ${IP} -6 ro add default via ${V6ADDRS[p3]/::[0-9]/::64} ++ ${IP} -6 ro add table ${VRF_TABLE} default via ${V6ADDRS[p7]/::[0-9]/::64} + + set +e + } + +-cleanup() +-{ +- # make sure we start from a clean slate +- cleanup_ns ${PEER_NS} 2>/dev/null +- for n in 1 3 5 7; do +- ip link del ${NETIFS[p${n}]} 2>/dev/null +- done +- ip link del ${VRF} 2>/dev/null +- ip ro flush table ${VRF_TABLE} +- ip -6 ro flush table ${VRF_TABLE} +-} +- + ################################################################################ + # IPv4 tests + # +@@ -241,7 +231,7 @@ run_ip() + # dev arg may be empty + [ -n "${dev}" ] && dev="dev ${dev}" + +- run_cmd ip ro add table "${table}" "${prefix}"/32 via "${gw}" "${dev}" onlink ++ run_cmd "${IP} ro add table ${table} ${prefix}/32 via ${gw} ${dev} onlink" + log_test $? ${exp_rc} "${desc}" + } + +@@ -257,8 +247,8 @@ run_ip_mpath() + # dev arg may be empty + [ -n "${dev}" ] && dev="dev ${dev}" + +- run_cmd ip ro add table "${table}" "${prefix}"/32 \ +- nexthop via ${nh1} nexthop via ${nh2} ++ run_cmd "${IP} ro add table ${table} ${prefix}/32 \ ++ nexthop via ${nh1} nexthop via ${nh2}" + log_test $? ${exp_rc} "${desc}" + } + +@@ -339,7 +329,7 @@ run_ip6() + # dev arg may be empty + [ -n "${dev}" ] && dev="dev ${dev}" + +- run_cmd ip -6 ro add table "${table}" "${prefix}"/128 via "${gw}" "${dev}" onlink ++ run_cmd "${IP} -6 ro add table ${table} ${prefix}/128 via ${gw} ${dev} onlink" + log_test $? ${exp_rc} "${desc}" + } + +@@ -353,8 +343,8 @@ run_ip6_mpath() + local exp_rc="$6" + local desc="$7" + +- run_cmd ip -6 ro add table "${table}" "${prefix}"/128 "${opts}" \ +- nexthop via ${nh1} nexthop via ${nh2} ++ run_cmd "${IP} -6 ro add table ${table} ${prefix}/128 ${opts} \ ++ nexthop via ${nh1} nexthop via ${nh2}" + log_test $? ${exp_rc} "${desc}" + } + +@@ -491,10 +481,9 @@ do + esac + done + +-cleanup + setup + run_onlink_tests +-cleanup ++cleanup_ns ${ns1} ${ns2} + + if [ "$TESTS" != "none" ]; then + printf "\nTests passed: %3d\n" ${nsuccess} +-- +2.51.0 + diff --git a/queue-6.12/series b/queue-6.12/series index 0bb795799b..91957492ee 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -10,3 +10,33 @@ pmdomain-qcom-rpmhpd-add-mxc-to-sc8280xp.patch arm64-dts-qcom-sc8280xp-add-missing-vdd_mxc-links.patch drivers-hv-always-do-hyper-v-panic-notification-in-h.patch btrfs-fix-missing-fields-in-superblock-backup-with-b.patch +ata-ahci-do-not-read-the-per-port-area-for-unimpleme.patch +ata-libata-sata-improve-link_power_management_suppor.patch +ata-libata-add-cpr_log-to-ata_dev_print_features-ear.patch +ata-libata-core-introduce-ata_dev_config_lpm.patch +ata-libata-call-ata_dev_config_lpm-for-atapi-devices.patch +ata-libata-print-features-also-for-atapi-devices.patch +ice-initialize-ring_stats-syncp.patch +ice-avoid-detrimental-cleanup-for-bond-during-interf.patch +ice-fix-incorrect-timeout-ice_release_res.patch +igc-restore-default-qbv-schedule-when-changing-chann.patch +igc-fix-race-condition-in-tx-timestamp-read-for-regi.patch +vsock-virtio-coalesce-only-linear-skb.patch +net-usb-dm9601-remove-broken-sr9700-support.patch +bonding-limit-bond_mode_8023ad-to-ethernet-devices.patch +l2tp-fix-memleak-in-l2tp_udp_encap_recv.patch +selftests-net-fib-onlink-tests-convert-to-use-namesp.patch +can-gs_usb-gs_usb_receive_bulk_callback-unanchor-url.patch +sctp-move-sctp_cmd_assoc_shkey-right-after-sctp_cmd_.patch +amd-xgbe-avoid-misleading-per-packet-error-log.patch +gue-fix-skb-memleak-with-inner-ip-protocol-0.patch +tools-ynl-specify-no-line-number-in-ynl-regen.sh.patch +fou-don-t-allow-0-for-fou_attr_ipproto.patch +veth-fix-data-race-in-veth_get_ethtool_stats.patch +l2tp-avoid-one-data-race-in-l2tp_tunnel_del_work.patch +ipvlan-make-the-addrs_lock-be-per-port.patch +octeontx2-cn10k-fix-rx-flowid-tcam-mask-handling.patch +net-sched-enforce-that-teql-can-only-be-used-as-root.patch +net-sched-qfq-use-cl_is_active-to-determine-whether-.patch +crypto-authencesn-reject-too-short-aad-assoclen-8-to.patch +wifi-mac80211-don-t-perform-da-check-on-s1g-beacon.patch diff --git a/queue-6.12/tools-ynl-specify-no-line-number-in-ynl-regen.sh.patch b/queue-6.12/tools-ynl-specify-no-line-number-in-ynl-regen.sh.patch new file mode 100644 index 0000000000..78712e1dab --- /dev/null +++ b/queue-6.12/tools-ynl-specify-no-line-number-in-ynl-regen.sh.patch @@ -0,0 +1,50 @@ +From 3e0c9ab61f31368d397b58140ef4f82ddb782ff1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jan 2026 17:24:47 +0000 +Subject: tools: ynl: Specify --no-line-number in ynl-regen.sh. + +From: Kuniyuki Iwashima + +[ Upstream commit 68578370f9b3a2aba5964b273312d51c581b6aad ] + +If grep.lineNumber is enabled in .gitconfig, + + [grep] + lineNumber = true + +ynl-regen.sh fails with the following error: + + $ ./tools/net/ynl/ynl-regen.sh -f + ... + ynl_gen_c.py: error: argument --mode: invalid choice: '4:' (choose from user, kernel, uapi) + GEN 4: net/ipv4/fou_nl.c + +Let's specify --no-line-number explicitly. + +Fixes: be5bea1cc0bf ("net: add basic C code generators for Netlink") +Suggested-by: Jakub Kicinski +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20260115172533.693652-3-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/net/ynl/ynl-regen.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/net/ynl/ynl-regen.sh b/tools/net/ynl/ynl-regen.sh +index a37304dcc88e1..7bfe773dce1bf 100755 +--- a/tools/net/ynl/ynl-regen.sh ++++ b/tools/net/ynl/ynl-regen.sh +@@ -21,7 +21,7 @@ files=$(git grep --files-with-matches '^/\* YNL-GEN \(kernel\|uapi\|user\)') + for f in $files; do + # params: 0 1 2 3 + # $YAML YNL-GEN kernel $mode +- params=( $(git grep -B1 -h '/\* YNL-GEN' $f | sed 's@/\*\(.*\)\*/@\1@') ) ++ params=( $(git grep --no-line-number -B1 -h '/\* YNL-GEN' $f | sed 's@/\*\(.*\)\*/@\1@') ) + args=$(sed -n 's@/\* YNL-ARG \(.*\) \*/@\1@p' $f) + + if [ $f -nt ${params[0]} -a -z "$force" ]; then +-- +2.51.0 + diff --git a/queue-6.12/veth-fix-data-race-in-veth_get_ethtool_stats.patch b/queue-6.12/veth-fix-data-race-in-veth_get_ethtool_stats.patch new file mode 100644 index 0000000000..7371e28a00 --- /dev/null +++ b/queue-6.12/veth-fix-data-race-in-veth_get_ethtool_stats.patch @@ -0,0 +1,54 @@ +From 1c95764aa9d2297e9f6af50d7173a2bc385b90d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jan 2026 20:24:45 +0800 +Subject: veth: fix data race in veth_get_ethtool_stats + +From: David Yang + +[ Upstream commit b47adaab8b3d443868096bac08fdbb3d403194ba ] + +In veth_get_ethtool_stats(), some statistics protected by +u64_stats_sync, are read and accumulated in ignorance of possible +u64_stats_fetch_retry() events. These statistics, peer_tq_xdp_xmit and +peer_tq_xdp_xmit_err, are already accumulated by veth_xdp_xmit(). Fix +this by reading them into a temporary buffer first. + +Fixes: 5fe6e56776ba ("veth: rely on peer veth_rq for ndo_xdp_xmit accounting") +Signed-off-by: David Yang +Link: https://patch.msgid.link/20260114122450.227982-1-mmyangfl@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/veth.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/veth.c b/drivers/net/veth.c +index 4ff0d4232914f..77e4b0d1ca557 100644 +--- a/drivers/net/veth.c ++++ b/drivers/net/veth.c +@@ -227,16 +227,20 @@ static void veth_get_ethtool_stats(struct net_device *dev, + const struct veth_rq_stats *rq_stats = &rcv_priv->rq[i].stats; + const void *base = (void *)&rq_stats->vs; + unsigned int start, tx_idx = idx; ++ u64 buf[VETH_TQ_STATS_LEN]; + size_t offset; + +- tx_idx += (i % dev->real_num_tx_queues) * VETH_TQ_STATS_LEN; + do { + start = u64_stats_fetch_begin(&rq_stats->syncp); + for (j = 0; j < VETH_TQ_STATS_LEN; j++) { + offset = veth_tq_stats_desc[j].offset; +- data[tx_idx + j] += *(u64 *)(base + offset); ++ buf[j] = *(u64 *)(base + offset); + } + } while (u64_stats_fetch_retry(&rq_stats->syncp, start)); ++ ++ tx_idx += (i % dev->real_num_tx_queues) * VETH_TQ_STATS_LEN; ++ for (j = 0; j < VETH_TQ_STATS_LEN; j++) ++ data[tx_idx + j] += buf[j]; + } + pp_idx = idx + dev->real_num_tx_queues * VETH_TQ_STATS_LEN; + +-- +2.51.0 + diff --git a/queue-6.12/vsock-virtio-coalesce-only-linear-skb.patch b/queue-6.12/vsock-virtio-coalesce-only-linear-skb.patch new file mode 100644 index 0000000000..bf598169c3 --- /dev/null +++ b/queue-6.12/vsock-virtio-coalesce-only-linear-skb.patch @@ -0,0 +1,58 @@ +From 173a22c3509a43dee477a9d0d62e622a436a1619 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 16:08:18 +0100 +Subject: vsock/virtio: Coalesce only linear skb + +From: Michal Luczaj + +[ Upstream commit 0386bd321d0f95d041a7b3d7b07643411b044a96 ] + +vsock/virtio common tries to coalesce buffers in rx queue: if a linear skb +(with a spare tail room) is followed by a small skb (length limited by +GOOD_COPY_LEN = 128), an attempt is made to join them. + +Since the introduction of MSG_ZEROCOPY support, assumption that a small skb +will always be linear is incorrect. In the zerocopy case, data is lost and +the linear skb is appended with uninitialized kernel memory. + +Of all 3 supported virtio-based transports, only loopback-transport is +affected. G2H virtio-transport rx queue operates on explicitly linear skbs; +see virtio_vsock_alloc_linear_skb() in virtio_vsock_rx_fill(). H2G +vhost-transport may allocate non-linear skbs, but only for sizes that are +not considered for coalescence; see PAGE_ALLOC_COSTLY_ORDER in +virtio_vsock_alloc_skb(). + +Ensure only linear skbs are coalesced. Note that skb_tailroom(last_skb) > 0 +guarantees last_skb is linear. + +Fixes: 581512a6dc93 ("vsock/virtio: MSG_ZEROCOPY flag support") +Signed-off-by: Michal Luczaj +Reviewed-by: Stefano Garzarella +Link: https://patch.msgid.link/20260113-vsock-recv-coalescence-v2-1-552b17837cf4@rbox.co +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/virtio_transport_common.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c +index 2c9b1011cdcc8..4e8a9771a04d6 100644 +--- a/net/vmw_vsock/virtio_transport_common.c ++++ b/net/vmw_vsock/virtio_transport_common.c +@@ -1374,9 +1374,11 @@ virtio_transport_recv_enqueue(struct vsock_sock *vsk, + + /* Try to copy small packets into the buffer of last packet queued, + * to avoid wasting memory queueing the entire buffer with a small +- * payload. ++ * payload. Skip non-linear (e.g. zerocopy) skbs; these carry payload ++ * in skb_shinfo. + */ +- if (len <= GOOD_COPY_LEN && !skb_queue_empty(&vvs->rx_queue)) { ++ if (len <= GOOD_COPY_LEN && !skb_queue_empty(&vvs->rx_queue) && ++ !skb_is_nonlinear(skb)) { + struct virtio_vsock_hdr *last_hdr; + struct sk_buff *last_skb; + +-- +2.51.0 + diff --git a/queue-6.12/wifi-mac80211-don-t-perform-da-check-on-s1g-beacon.patch b/queue-6.12/wifi-mac80211-don-t-perform-da-check-on-s1g-beacon.patch new file mode 100644 index 0000000000..c49d5edea4 --- /dev/null +++ b/queue-6.12/wifi-mac80211-don-t-perform-da-check-on-s1g-beacon.patch @@ -0,0 +1,48 @@ +From 7cce5ce90d69fd68b0a081328379d8b4a61d3b38 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jan 2026 14:11:21 +1100 +Subject: wifi: mac80211: don't perform DA check on S1G beacon + +From: Lachlan Hodges + +[ Upstream commit 5dc6975566f5d142ec53eb7e97af688c45dd314d ] + +S1G beacons don't contain the DA field as per IEEE80211-2024 9.3.4.3, +so the DA broadcast check reads the SA address of the S1G beacon which +will subsequently lead to the beacon being dropped. As a result, passive +scanning is not possible. Fix this by only performing the check on +non-S1G beacons to allow S1G long beacons to be processed during a +passive scan. + +Fixes: ddf82e752f8a ("wifi: mac80211: Allow beacons to update BSS table regardless of scan") +Signed-off-by: Lachlan Hodges +Link: https://patch.msgid.link/20260120031122.309942-1-lachlan.hodges@morsemicro.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/scan.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c +index ce6d5857214eb..8675d2e99c564 100644 +--- a/net/mac80211/scan.c ++++ b/net/mac80211/scan.c +@@ -327,8 +327,13 @@ void ieee80211_scan_rx(struct ieee80211_local *local, struct sk_buff *skb) + mgmt->da)) + return; + } else { +- /* Beacons are expected only with broadcast address */ +- if (!is_broadcast_ether_addr(mgmt->da)) ++ /* ++ * Non-S1G beacons are expected only with broadcast address. ++ * S1G beacons only carry the SA so no DA check is required ++ * nor possible. ++ */ ++ if (!ieee80211_is_s1g_beacon(mgmt->frame_control) && ++ !is_broadcast_ether_addr(mgmt->da)) + return; + } + +-- +2.51.0 + diff --git a/queue-6.18/amd-xgbe-avoid-misleading-per-packet-error-log.patch b/queue-6.18/amd-xgbe-avoid-misleading-per-packet-error-log.patch new file mode 100644 index 0000000000..465dd015e0 --- /dev/null +++ b/queue-6.18/amd-xgbe-avoid-misleading-per-packet-error-log.patch @@ -0,0 +1,49 @@ +From c9524e3725ba3ad2d715393d573b26fed68c1a32 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jan 2026 22:00:37 +0530 +Subject: amd-xgbe: avoid misleading per-packet error log + +From: Raju Rangoju + +[ Upstream commit c158f985cf6c2c36c99c4f67af2ff3f5ebe09f8f ] + +On the receive path, packet can be damaged because of buffer +overflow in Rx FIFO. Avoid misleading per-packet error log when +packet->errors is set, this can flood the log. Instead, rely on the +standard rtnl_link_stats64 stats. + +Fixes: c5aa9e3b8156 ("amd-xgbe: Initial AMD 10GbE platform driver") +Signed-off-by: Raju Rangoju +Link: https://patch.msgid.link/20260114163037.2062606-1-Raju.Rangoju@amd.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c +index 4dc631af79332..ba5e728ae6308 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c +@@ -1823,7 +1823,7 @@ static void xgbe_get_stats64(struct net_device *netdev, + s->multicast = pstats->rxmulticastframes_g; + s->rx_length_errors = pstats->rxlengtherror; + s->rx_crc_errors = pstats->rxcrcerror; +- s->rx_fifo_errors = pstats->rxfifooverflow; ++ s->rx_over_errors = pstats->rxfifooverflow; + + s->tx_packets = pstats->txframecount_gb; + s->tx_bytes = pstats->txoctetcount_gb; +@@ -2277,9 +2277,6 @@ static int xgbe_rx_poll(struct xgbe_channel *channel, int budget) + goto read_again; + + if (error || packet->errors) { +- if (packet->errors) +- netif_err(pdata, rx_err, netdev, +- "error in received packet\n"); + dev_kfree_skb(skb); + goto next_packet; + } +-- +2.51.0 + diff --git a/queue-6.18/ata-ahci-do-not-read-the-per-port-area-for-unimpleme.patch b/queue-6.18/ata-ahci-do-not-read-the-per-port-area-for-unimpleme.patch new file mode 100644 index 0000000000..1a7cd8d9d0 --- /dev/null +++ b/queue-6.18/ata-ahci-do-not-read-the-per-port-area-for-unimpleme.patch @@ -0,0 +1,72 @@ +From e76b6e9fa0fd3ca6282537ad77bc2ef4c17939e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 13:20:46 +0100 +Subject: ata: ahci: Do not read the per port area for unimplemented ports +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Niklas Cassel + +[ Upstream commit ea4d4ea6d10a561043922d285f1765c7e4bfd32a ] + +An AHCI HBA specifies the number of ports it supports using CAP.NP. +The HBA is free to only make a subset of the number of ports available +using the PI (Ports Implemented) register. + +libata currently creates dummy ports for HBA ports that are provided by +the HBA, but which are marked as "unavailable" using the PI register. + +Each port will have a per port area of registers in the HBA, regardless +if the port is marked as "unavailable" or not. + +ahci_mark_external_port() currently reads this per port area of registers +using readl() to see if the port is marked as external/hotplug-capable. + +However, AHCI 1.3.1, section "3.1.4 Offset 0Ch: PI – Ports Implemented" +states: "Software must not read or write to registers within unavailable +ports." + +Thus, make sure that we only call ahci_mark_external_port() and +ahci_update_initial_lpm_policy() for ports that are implemented. + +From a libata perspective, this should not change anything related to LPM, +as dummy ports do not provide any ap->ops (they do not have a .set_lpm() +callback), so even if EH were to call .set_lpm() on a dummy port, it was +already a no-op. + +Fixes: f7131935238d ("ata: ahci: move marking of external port earlier") +Signed-off-by: Niklas Cassel +Tested-by: Wolf +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + drivers/ata/ahci.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c +index 7a7f88b3fa2b1..931d0081169b9 100644 +--- a/drivers/ata/ahci.c ++++ b/drivers/ata/ahci.c +@@ -2094,13 +2094,13 @@ static int ahci_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) + if (ap->flags & ATA_FLAG_EM) + ap->em_message_type = hpriv->em_msg_type; + +- ahci_mark_external_port(ap); +- +- ahci_update_initial_lpm_policy(ap); +- + /* disabled/not-implemented port */ +- if (!(hpriv->port_map & (1 << i))) ++ if (!(hpriv->port_map & (1 << i))) { + ap->ops = &ata_dummy_port_ops; ++ } else { ++ ahci_mark_external_port(ap); ++ ahci_update_initial_lpm_policy(ap); ++ } + } + + /* apply workaround for ASUS P5W DH Deluxe mainboard */ +-- +2.51.0 + diff --git a/queue-6.18/ata-libata-add-cpr_log-to-ata_dev_print_features-ear.patch b/queue-6.18/ata-libata-add-cpr_log-to-ata_dev_print_features-ear.patch new file mode 100644 index 0000000000..3afdfdc7cd --- /dev/null +++ b/queue-6.18/ata-libata-add-cpr_log-to-ata_dev_print_features-ear.patch @@ -0,0 +1,43 @@ +From 8e1e327136aba08009c1664512ef8eb8824e7786 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 13:20:49 +0100 +Subject: ata: libata: Add cpr_log to ata_dev_print_features() early return + +From: Niklas Cassel + +[ Upstream commit a6bee5e5243ad02cae575becc4c83df66fc29573 ] + +ata_dev_print_features() is supposed to return early and not print anything +if there are no features supported. + +However, commit fe22e1c2f705 ("libata: support concurrent positioning +ranges log") added another feature to ata_dev_print_features() without +updating the early return conditional. + +Add the missing feature to the early return conditional. + +Fixes: fe22e1c2f705 ("libata: support concurrent positioning ranges log") +Signed-off-by: Niklas Cassel +Tested-by: Wolf +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c +index 0a21804b133a4..490cc0d628d3b 100644 +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -2872,7 +2872,7 @@ static void ata_dev_config_lpm(struct ata_device *dev) + + static void ata_dev_print_features(struct ata_device *dev) + { +- if (!(dev->flags & ATA_DFLAG_FEATURES_MASK)) ++ if (!(dev->flags & ATA_DFLAG_FEATURES_MASK) && !dev->cpr_log) + return; + + ata_dev_info(dev, +-- +2.51.0 + diff --git a/queue-6.18/ata-libata-add-dipm-and-hipm-to-ata_dev_print_featur.patch b/queue-6.18/ata-libata-add-dipm-and-hipm-to-ata_dev_print_featur.patch new file mode 100644 index 0000000000..f02a6a2239 --- /dev/null +++ b/queue-6.18/ata-libata-add-dipm-and-hipm-to-ata_dev_print_featur.patch @@ -0,0 +1,45 @@ +From c72c3d384da322db202e64bb05fc2c7f72e05053 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 13:20:50 +0100 +Subject: ata: libata: Add DIPM and HIPM to ata_dev_print_features() early + return + +From: Niklas Cassel + +[ Upstream commit 89531b68fc293e91187bf0992147e8d22c65cff3 ] + +ata_dev_print_features() is supposed to return early and not print anything +if there are no features supported. + +However, commit b1f5af54f1f5 ("ata: libata-core: Advertize device support +for DIPM and HIPM features") added additional features to +ata_dev_print_features() without updating the early return conditional. + +Add the missing features to the early return conditional. + +Fixes: b1f5af54f1f5 ("ata: libata-core: Advertize device support for DIPM and HIPM features") +Signed-off-by: Niklas Cassel +Tested-by: Wolf +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c +index 490cc0d628d3b..c41714bea77e8 100644 +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -2872,7 +2872,8 @@ static void ata_dev_config_lpm(struct ata_device *dev) + + static void ata_dev_print_features(struct ata_device *dev) + { +- if (!(dev->flags & ATA_DFLAG_FEATURES_MASK) && !dev->cpr_log) ++ if (!(dev->flags & ATA_DFLAG_FEATURES_MASK) && !dev->cpr_log && ++ !ata_id_has_hipm(dev->id) && !ata_id_has_dipm(dev->id)) + return; + + ata_dev_info(dev, +-- +2.51.0 + diff --git a/queue-6.18/ata-libata-call-ata_dev_config_lpm-for-atapi-devices.patch b/queue-6.18/ata-libata-call-ata_dev_config_lpm-for-atapi-devices.patch new file mode 100644 index 0000000000..f87955e8c4 --- /dev/null +++ b/queue-6.18/ata-libata-call-ata_dev_config_lpm-for-atapi-devices.patch @@ -0,0 +1,47 @@ +From 8df3d6d66c279663f8281a35f142368f3fe70764 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 13:20:47 +0100 +Subject: ata: libata: Call ata_dev_config_lpm() for ATAPI devices + +From: Niklas Cassel + +[ Upstream commit 8f3fb33f8f3f825c708ece800c921977c157f9b6 ] + +Commit d360121832d8 ("ata: libata-core: Introduce ata_dev_config_lpm()") +introduced ata_dev_config_lpm(). However, it only called this function for +ATA_DEV_ATA and ATA_DEV_ZAC devices, not for ATA_DEV_ATAPI devices. + +Additionally, commit d99a9142e782 ("ata: libata-core: Move device LPM quirk +settings to ata_dev_config_lpm()") moved the LPM quirk application from +ata_dev_configure() to ata_dev_config_lpm(), causing LPM quirks for ATAPI +devices to no longer be applied. + +Call ata_dev_config_lpm() also for ATAPI devices, such that LPM quirks are +applied for ATAPI devices with an entry in __ata_dev_quirks once again. + +Fixes: d360121832d8 ("ata: libata-core: Introduce ata_dev_config_lpm()") +Fixes: d99a9142e782 ("ata: libata-core: Move device LPM quirk settings to ata_dev_config_lpm()") +Signed-off-by: Niklas Cassel +Tested-by: Wolf +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-core.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c +index 1216b4f2eb904..0a21804b133a4 100644 +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -3116,6 +3116,8 @@ int ata_dev_configure(struct ata_device *dev) + ata_mode_string(xfer_mask), + cdb_intr_string, atapi_an_string, + dma_dir_string); ++ ++ ata_dev_config_lpm(dev); + } + + /* determine max_sectors */ +-- +2.51.0 + diff --git a/queue-6.18/ata-libata-print-features-also-for-atapi-devices.patch b/queue-6.18/ata-libata-print-features-also-for-atapi-devices.patch new file mode 100644 index 0000000000..98b81ecb92 --- /dev/null +++ b/queue-6.18/ata-libata-print-features-also-for-atapi-devices.patch @@ -0,0 +1,48 @@ +From 68e42d6aa101896b7d3a3f25cdb299468a6d8b8a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 13:20:51 +0100 +Subject: ata: libata: Print features also for ATAPI devices + +From: Niklas Cassel + +[ Upstream commit c8c6fb886f57d5bf71fb6de6334a143608d35707 ] + +Commit d633b8a702ab ("libata: print feature list on device scan") +added a print of the features supported by the device for ATA_DEV_ATA and +ATA_DEV_ZAC devices, but not for ATA_DEV_ATAPI devices. + +Fix this by printing the features also for ATAPI devices. + +Before changes: +ata1.00: ATAPI: Slimtype DVD A DU8AESH, 6C2M, max UDMA/133 + +After changes: +ata1.00: ATAPI: Slimtype DVD A DU8AESH, 6C2M, max UDMA/133 +ata1.00: Features: Dev-Attention HIPM DIPM + +Fixes: d633b8a702ab ("libata: print feature list on device scan") +Signed-off-by: Niklas Cassel +Tested-by: Wolf +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c +index c41714bea77e8..699919e4579e1 100644 +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -3119,6 +3119,9 @@ int ata_dev_configure(struct ata_device *dev) + dma_dir_string); + + ata_dev_config_lpm(dev); ++ ++ if (print_info) ++ ata_dev_print_features(dev); + } + + /* determine max_sectors */ +-- +2.51.0 + diff --git a/queue-6.18/ata-libata-sata-improve-link_power_management_suppor.patch b/queue-6.18/ata-libata-sata-improve-link_power_management_suppor.patch new file mode 100644 index 0000000000..50d7826795 --- /dev/null +++ b/queue-6.18/ata-libata-sata-improve-link_power_management_suppor.patch @@ -0,0 +1,53 @@ +From 257bb1b74f9ab50ff2c05b9b4d8141b8acbeee65 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 13:20:48 +0100 +Subject: ata: libata-sata: Improve link_power_management_supported sysfs + attribute + +From: Niklas Cassel + +[ Upstream commit ce83767ea323baf8509a75eb0c783cd203e14789 ] + +The link_power_management_supported sysfs attribute is currently set as +true even for ata ports that lack a .set_lpm() callback, e.g. dummy ports. + +This is a bit silly, because while writing to the +link_power_management_policy sysfs attribute will make ata_scsi_lpm_store() +update ap->target_lpm_policy (thus sysfs will reflect the new value) and +call ata_port_schedule_eh() for the port, it is essentially a no-op. + +This is because for a port without a .set_lpm() callback, once EH gets to +run, the ata_eh_link_set_lpm() will simply return, since the port does not +provide a .set_lpm() callback. + +Thus, make sure that the link_power_management_supported sysfs attribute +is set to false for ports that lack a .set_lpm() callback. This way the +link_power_management_policy sysfs attribute will no longer be writable, +so we will no longer be misleading users to think that their sysfs write +actually does something. + +Fixes: 0060beec0bfa ("ata: libata-sata: Add link_power_management_supported sysfs attribute") +Signed-off-by: Niklas Cassel +Tested-by: Wolf +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-sata.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ata/libata-sata.c b/drivers/ata/libata-sata.c +index b2817a2995d6b..04e1e774645e2 100644 +--- a/drivers/ata/libata-sata.c ++++ b/drivers/ata/libata-sata.c +@@ -909,7 +909,7 @@ static bool ata_scsi_lpm_supported(struct ata_port *ap) + struct ata_link *link; + struct ata_device *dev; + +- if (ap->flags & ATA_FLAG_NO_LPM) ++ if ((ap->flags & ATA_FLAG_NO_LPM) || !ap->ops->set_lpm) + return false; + + ata_for_each_link(link, ap, EDGE) { +-- +2.51.0 + diff --git a/queue-6.18/bonding-limit-bond_mode_8023ad-to-ethernet-devices.patch b/queue-6.18/bonding-limit-bond_mode_8023ad-to-ethernet-devices.patch new file mode 100644 index 0000000000..be1bf0e36a --- /dev/null +++ b/queue-6.18/bonding-limit-bond_mode_8023ad-to-ethernet-devices.patch @@ -0,0 +1,91 @@ +From fba41d9ebc13a8cfd2c3a44b2242051814aa989e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 19:12:01 +0000 +Subject: bonding: limit BOND_MODE_8023AD to Ethernet devices + +From: Eric Dumazet + +[ Upstream commit c84fcb79e5dbde0b8d5aeeaf04282d2149aebcf6 ] + +BOND_MODE_8023AD makes sense for ARPHRD_ETHER only. + +syzbot reported: + + BUG: KASAN: global-out-of-bounds in __hw_addr_create net/core/dev_addr_lists.c:63 [inline] + BUG: KASAN: global-out-of-bounds in __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118 +Read of size 16 at addr ffffffff8bf94040 by task syz.1.3580/19497 + +CPU: 1 UID: 0 PID: 19497 Comm: syz.1.3580 Tainted: G L syzkaller #0 PREEMPT(full) +Tainted: [L]=SOFTLOCKUP +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 +Call Trace: + + dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0xca/0x240 mm/kasan/report.c:482 + kasan_report+0x118/0x150 mm/kasan/report.c:595 + check_region_inline mm/kasan/generic.c:-1 [inline] + kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:200 + __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105 + __hw_addr_create net/core/dev_addr_lists.c:63 [inline] + __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118 + __dev_mc_add net/core/dev_addr_lists.c:868 [inline] + dev_mc_add+0xa1/0x120 net/core/dev_addr_lists.c:886 + bond_enslave+0x2b8b/0x3ac0 drivers/net/bonding/bond_main.c:2180 + do_set_master+0x533/0x6d0 net/core/rtnetlink.c:2963 + do_setlink+0xcf0/0x41c0 net/core/rtnetlink.c:3165 + rtnl_changelink net/core/rtnetlink.c:3776 [inline] + __rtnl_newlink net/core/rtnetlink.c:3935 [inline] + rtnl_newlink+0x161c/0x1c90 net/core/rtnetlink.c:4072 + rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6958 + netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2550 + netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] + netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1344 + netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1894 + sock_sendmsg_nosec net/socket.c:727 [inline] + __sock_sendmsg+0x21c/0x270 net/socket.c:742 + ____sys_sendmsg+0x505/0x820 net/socket.c:2592 + ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2646 + __sys_sendmsg+0x164/0x220 net/socket.c:2678 + do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline] + __do_fast_syscall_32+0x1dc/0x560 arch/x86/entry/syscall_32.c:307 + do_fast_syscall_32+0x34/0x80 arch/x86/entry/syscall_32.c:332 + entry_SYSENTER_compat_after_hwframe+0x84/0x8e + + +The buggy address belongs to the variable: + lacpdu_mcast_addr+0x0/0x40 + +Fixes: 872254dd6b1f ("net/bonding: Enable bonding to enslave non ARPHRD_ETHER") +Reported-by: syzbot+9c081b17773615f24672@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/6966946b.a70a0220.245e30.0002.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Andrew Lunn +Acked-by: Jay Vosburgh +Link: https://patch.msgid.link/20260113191201.3970737-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 5abef8a3b7758..c66cb2d43dcf1 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1953,6 +1953,12 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev, + */ + if (!bond_has_slaves(bond)) { + if (bond_dev->type != slave_dev->type) { ++ if (slave_dev->type != ARPHRD_ETHER && ++ BOND_MODE(bond) == BOND_MODE_8023AD) { ++ SLAVE_NL_ERR(bond_dev, slave_dev, extack, ++ "8023AD mode requires Ethernet devices"); ++ return -EINVAL; ++ } + slave_dbg(bond_dev, slave_dev, "change device type from %d to %d\n", + bond_dev->type, slave_dev->type); + +-- +2.51.0 + diff --git a/queue-6.18/can-gs_usb-gs_usb_receive_bulk_callback-unanchor-url.patch b/queue-6.18/can-gs_usb-gs_usb_receive_bulk_callback-unanchor-url.patch new file mode 100644 index 0000000000..b2c053582e --- /dev/null +++ b/queue-6.18/can-gs_usb-gs_usb_receive_bulk_callback-unanchor-url.patch @@ -0,0 +1,61 @@ +From bd99d5eb5a41c847b628e77e94ca509ce7f56321 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jan 2026 14:10:10 +0100 +Subject: can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on + usb_submit_urb() error + +From: Marc Kleine-Budde + +[ Upstream commit 79a6d1bfe1148bc921b8d7f3371a7fbce44e30f7 ] + +In commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix +URB memory leak"), the URB was re-anchored before usb_submit_urb() in +gs_usb_receive_bulk_callback() to prevent a leak of this URB during +cleanup. + +However, this patch did not take into account that usb_submit_urb() could +fail. The URB remains anchored and +usb_kill_anchored_urbs(&parent->rx_submitted) in gs_can_close() loops +infinitely since the anchor list never becomes empty. + +To fix the bug, unanchor the URB when an usb_submit_urb() error occurs, +also print an info message. + +Fixes: 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak") +Reported-by: Jakub Kicinski +Closes: https://lore.kernel.org/all/20260110223836.3890248-1-kuba@kernel.org/ +Link: https://patch.msgid.link/20260116-can_usb-fix-reanchor-v1-1-9d74e7289225@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/usb/gs_usb.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c +index b14b132ad8e6a..fd7fb21b10989 100644 +--- a/drivers/net/can/usb/gs_usb.c ++++ b/drivers/net/can/usb/gs_usb.c +@@ -754,6 +754,10 @@ static void gs_usb_receive_bulk_callback(struct urb *urb) + usb_anchor_urb(urb, &parent->rx_submitted); + + rc = usb_submit_urb(urb, GFP_ATOMIC); ++ if (!rc) ++ return; ++ ++ usb_unanchor_urb(urb); + + /* USB failure take down all interfaces */ + if (rc == -ENODEV) { +@@ -762,6 +766,9 @@ static void gs_usb_receive_bulk_callback(struct urb *urb) + if (parent->canch[rc]) + netif_device_detach(parent->canch[rc]->netdev); + } ++ } else if (rc != -ESHUTDOWN && net_ratelimit()) { ++ netdev_info(netdev, "failed to re-submit IN URB: %pe\n", ++ ERR_PTR(urb->status)); + } + } + +-- +2.51.0 + diff --git a/queue-6.18/crypto-authencesn-reject-too-short-aad-assoclen-8-to.patch b/queue-6.18/crypto-authencesn-reject-too-short-aad-assoclen-8-to.patch new file mode 100644 index 0000000000..cc5223591a --- /dev/null +++ b/queue-6.18/crypto-authencesn-reject-too-short-aad-assoclen-8-to.patch @@ -0,0 +1,53 @@ +From 5dd6eea975f1e60103153fd8b1a2d31a720648ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jan 2026 16:03:58 +0900 +Subject: crypto: authencesn - reject too-short AAD (assoclen<8) to match + ESP/ESN spec + +From: Taeyang Lee <0wn@theori.io> + +[ Upstream commit 2397e9264676be7794f8f7f1e9763d90bd3c7335 ] + +authencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than +the minimum expected length, crypto_authenc_esn_decrypt() can advance past +the end of the destination scatterlist and trigger a NULL pointer dereference +in scatterwalk_map_and_copy(), leading to a kernel panic (DoS). + +Add a minimum AAD length check to fail fast on invalid inputs. + +Fixes: 104880a6b470 ("crypto: authencesn - Convert to new AEAD interface") +Reported-By: Taeyang Lee <0wn@theori.io> +Signed-off-by: Taeyang Lee <0wn@theori.io> +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/authencesn.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/crypto/authencesn.c b/crypto/authencesn.c +index d1bf0fda3f2ef..542a978663b9e 100644 +--- a/crypto/authencesn.c ++++ b/crypto/authencesn.c +@@ -169,6 +169,9 @@ static int crypto_authenc_esn_encrypt(struct aead_request *req) + struct scatterlist *src, *dst; + int err; + ++ if (assoclen < 8) ++ return -EINVAL; ++ + sg_init_table(areq_ctx->src, 2); + src = scatterwalk_ffwd(areq_ctx->src, req->src, assoclen); + dst = src; +@@ -256,6 +259,9 @@ static int crypto_authenc_esn_decrypt(struct aead_request *req) + u32 tmp[2]; + int err; + ++ if (assoclen < 8) ++ return -EINVAL; ++ + cryptlen -= authsize; + + if (req->src != dst) +-- +2.51.0 + diff --git a/queue-6.18/dt-bindings-power-qcom-rpmpd-add-sc8280xp_mxc_ao.patch b/queue-6.18/dt-bindings-power-qcom-rpmpd-add-sc8280xp_mxc_ao.patch new file mode 100644 index 0000000000..cc886bc4b3 --- /dev/null +++ b/queue-6.18/dt-bindings-power-qcom-rpmpd-add-sc8280xp_mxc_ao.patch @@ -0,0 +1,38 @@ +From 9356bdc73af15f74a402704622b4710fec692855 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Dec 2025 18:36:20 +0100 +Subject: dt-bindings: power: qcom,rpmpd: Add SC8280XP_MXC_AO + +From: Konrad Dybcio + +[ Upstream commit 45e1be5ddec98db71e7481fa7a3005673200d85c ] + +Not sure how useful it's gonna be in practice, but the definition is +missing (unlike the previously-unused SC8280XP_MXC-non-_AO), so add it +to allow the driver to create the corresponding pmdomain. + +Fixes: dbfb5f94e084 ("dt-bindings: power: rpmpd: Add sc8280xp RPMh power-domains") +Acked-by: Rob Herring (Arm) +Signed-off-by: Konrad Dybcio +Reviewed-by: Ulf Hansson +Link: https://lore.kernel.org/r/20251202-topic-8280_mxc-v2-1-46cdf47a829e@oss.qualcomm.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + include/dt-bindings/power/qcom,rpmhpd.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/include/dt-bindings/power/qcom,rpmhpd.h b/include/dt-bindings/power/qcom,rpmhpd.h +index 73cceb88953f7..269b73ff866a8 100644 +--- a/include/dt-bindings/power/qcom,rpmhpd.h ++++ b/include/dt-bindings/power/qcom,rpmhpd.h +@@ -261,5 +261,6 @@ + #define SC8280XP_NSP 13 + #define SC8280XP_QPHY 14 + #define SC8280XP_XO 15 ++#define SC8280XP_MXC_AO 16 + + #endif +-- +2.51.0 + diff --git a/queue-6.18/fou-don-t-allow-0-for-fou_attr_ipproto.patch b/queue-6.18/fou-don-t-allow-0-for-fou_attr_ipproto.patch new file mode 100644 index 0000000000..49a57e474d --- /dev/null +++ b/queue-6.18/fou-don-t-allow-0-for-fou_attr_ipproto.patch @@ -0,0 +1,57 @@ +From 6f7c40c88c06abec7a111976f5ffdff9bb3d386d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jan 2026 17:24:48 +0000 +Subject: fou: Don't allow 0 for FOU_ATTR_IPPROTO. + +From: Kuniyuki Iwashima + +[ Upstream commit 7a9bc9e3f42391e4c187e099263cf7a1c4b69ff5 ] + +fou_udp_recv() has the same problem mentioned in the previous +patch. + +If FOU_ATTR_IPPROTO is set to 0, skb is not freed by +fou_udp_recv() nor "resubmit"-ted in ip_protocol_deliver_rcu(). + +Let's forbid 0 for FOU_ATTR_IPPROTO. + +Fixes: 23461551c0062 ("fou: Support for foo-over-udp RX path") +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20260115172533.693652-4-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + Documentation/netlink/specs/fou.yaml | 2 ++ + net/ipv4/fou_nl.c | 2 +- + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/Documentation/netlink/specs/fou.yaml b/Documentation/netlink/specs/fou.yaml +index 8e7974ec453fc..331f1b342b3ad 100644 +--- a/Documentation/netlink/specs/fou.yaml ++++ b/Documentation/netlink/specs/fou.yaml +@@ -39,6 +39,8 @@ attribute-sets: + - + name: ipproto + type: u8 ++ checks: ++ min: 1 + - + name: type + type: u8 +diff --git a/net/ipv4/fou_nl.c b/net/ipv4/fou_nl.c +index 506260b4a4dc2..9ff7797ef7c4f 100644 +--- a/net/ipv4/fou_nl.c ++++ b/net/ipv4/fou_nl.c +@@ -14,7 +14,7 @@ + const struct nla_policy fou_nl_policy[FOU_ATTR_IFINDEX + 1] = { + [FOU_ATTR_PORT] = { .type = NLA_BE16, }, + [FOU_ATTR_AF] = { .type = NLA_U8, }, +- [FOU_ATTR_IPPROTO] = { .type = NLA_U8, }, ++ [FOU_ATTR_IPPROTO] = NLA_POLICY_MIN(NLA_U8, 1), + [FOU_ATTR_TYPE] = { .type = NLA_U8, }, + [FOU_ATTR_REMCSUM_NOPARTIAL] = { .type = NLA_FLAG, }, + [FOU_ATTR_LOCAL_V4] = { .type = NLA_U32, }, +-- +2.51.0 + diff --git a/queue-6.18/gue-fix-skb-memleak-with-inner-ip-protocol-0.patch b/queue-6.18/gue-fix-skb-memleak-with-inner-ip-protocol-0.patch new file mode 100644 index 0000000000..3550a9660d --- /dev/null +++ b/queue-6.18/gue-fix-skb-memleak-with-inner-ip-protocol-0.patch @@ -0,0 +1,82 @@ +From b198e8a953e24141b6f8b0701897d47f52fdb653 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jan 2026 17:24:46 +0000 +Subject: gue: Fix skb memleak with inner IP protocol 0. + +From: Kuniyuki Iwashima + +[ Upstream commit 9a56796ad258786d3624eef5aefba394fc9bdded ] + +syzbot reported skb memleak below. [0] + +The repro generated a GUE packet with its inner protocol 0. + +gue_udp_recv() returns -guehdr->proto_ctype for "resubmit" +in ip_protocol_deliver_rcu(), but this only works with +non-zero protocol number. + +Let's drop such packets. + +Note that 0 is a valid number (IPv6 Hop-by-Hop Option). + +I think it is not practical to encap HOPOPT in GUE, so once +someone starts to complain, we could pass down a resubmit +flag pointer to distinguish two zeros from the upper layer: + + * no error + * resubmit HOPOPT + +[0] +BUG: memory leak +unreferenced object 0xffff888109695a00 (size 240): + comm "syz.0.17", pid 6088, jiffies 4294943096 + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 40 c2 10 81 88 ff ff 00 00 00 00 00 00 00 00 .@.............. + backtrace (crc a84b336f): + kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] + slab_post_alloc_hook mm/slub.c:4958 [inline] + slab_alloc_node mm/slub.c:5263 [inline] + kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270 + __build_skb+0x23/0x60 net/core/skbuff.c:474 + build_skb+0x20/0x190 net/core/skbuff.c:490 + __tun_build_skb drivers/net/tun.c:1541 [inline] + tun_build_skb+0x4a1/0xa40 drivers/net/tun.c:1636 + tun_get_user+0xc12/0x2030 drivers/net/tun.c:1770 + tun_chr_write_iter+0x71/0x120 drivers/net/tun.c:1999 + new_sync_write fs/read_write.c:593 [inline] + vfs_write+0x45d/0x710 fs/read_write.c:686 + ksys_write+0xa7/0x170 fs/read_write.c:738 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: 37dd0247797b1 ("gue: Receive side for Generic UDP Encapsulation") +Reported-by: syzbot+4d8c7d16b0e95c0d0f0d@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/6965534b.050a0220.38aacd.0001.GAE@google.com/ +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20260115172533.693652-2-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/fou_core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/ipv4/fou_core.c b/net/ipv4/fou_core.c +index 3970b6b7ace53..ab8f309f8925d 100644 +--- a/net/ipv4/fou_core.c ++++ b/net/ipv4/fou_core.c +@@ -215,6 +215,9 @@ static int gue_udp_recv(struct sock *sk, struct sk_buff *skb) + return gue_control_message(skb, guehdr); + + proto_ctype = guehdr->proto_ctype; ++ if (unlikely(!proto_ctype)) ++ goto drop; ++ + __skb_pull(skb, sizeof(struct udphdr) + hdrlen); + skb_reset_transport_header(skb); + +-- +2.51.0 + diff --git a/queue-6.18/ice-avoid-detrimental-cleanup-for-bond-during-interf.patch b/queue-6.18/ice-avoid-detrimental-cleanup-for-bond-during-interf.patch new file mode 100644 index 0000000000..ffda253e8e --- /dev/null +++ b/queue-6.18/ice-avoid-detrimental-cleanup-for-bond-during-interf.patch @@ -0,0 +1,77 @@ +From 1975cdc2e2797170d8f26d61eef97e4c9b38b05a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Nov 2025 09:58:26 -0800 +Subject: ice: Avoid detrimental cleanup for bond during interface stop + +From: Dave Ertman + +[ Upstream commit a9d45c22ed120cdd15ff56d0a6e4700c46451901 ] + +When the user issues an administrative down to an interface that is the +primary for an aggregate bond, the prune lists are being purged. This +breaks communication to the secondary interface, which shares a prune +list on the main switch block while bonded together. + +For the primary interface of an aggregate, avoid deleting these prune +lists during stop, and since they are hardcoded to specific values for +the default vlan and QinQ vlans, the attempt to re-add them during the +up phase will quietly fail without any additional problem. + +Fixes: 1e0f9881ef79 ("ice: Flesh out implementation of support for SRIOV on bonded interface") +Reviewed-by: Jacob Keller +Reviewed-by: Marcin Szycik +Signed-off-by: Dave Ertman +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_lib.c | 25 ++++++++++++++++-------- + 1 file changed, 17 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_lib.c b/drivers/net/ethernet/intel/ice/ice_lib.c +index c0d221d4b4f47..5a3e7d6697325 100644 +--- a/drivers/net/ethernet/intel/ice/ice_lib.c ++++ b/drivers/net/ethernet/intel/ice/ice_lib.c +@@ -3810,22 +3810,31 @@ int ice_vsi_add_vlan_zero(struct ice_vsi *vsi) + int ice_vsi_del_vlan_zero(struct ice_vsi *vsi) + { + struct ice_vsi_vlan_ops *vlan_ops = ice_get_compat_vsi_vlan_ops(vsi); ++ struct ice_pf *pf = vsi->back; + struct ice_vlan vlan; + int err; + +- vlan = ICE_VLAN(0, 0, 0); +- err = vlan_ops->del_vlan(vsi, &vlan); +- if (err && err != -EEXIST) +- return err; ++ if (pf->lag && pf->lag->primary) { ++ dev_dbg(ice_pf_to_dev(pf), "Interface is primary in aggregate - not deleting prune list\n"); ++ } else { ++ vlan = ICE_VLAN(0, 0, 0); ++ err = vlan_ops->del_vlan(vsi, &vlan); ++ if (err && err != -EEXIST) ++ return err; ++ } + + /* in SVM both VLAN 0 filters are identical */ + if (!ice_is_dvm_ena(&vsi->back->hw)) + return 0; + +- vlan = ICE_VLAN(ETH_P_8021Q, 0, 0); +- err = vlan_ops->del_vlan(vsi, &vlan); +- if (err && err != -EEXIST) +- return err; ++ if (pf->lag && pf->lag->primary) { ++ dev_dbg(ice_pf_to_dev(pf), "Interface is primary in aggregate - not deleting QinQ prune list\n"); ++ } else { ++ vlan = ICE_VLAN(ETH_P_8021Q, 0, 0); ++ err = vlan_ops->del_vlan(vsi, &vlan); ++ if (err && err != -EEXIST) ++ return err; ++ } + + /* when deleting the last VLAN filter, make sure to disable the VLAN + * promisc mode so the filter isn't left by accident +-- +2.51.0 + diff --git a/queue-6.18/ice-fix-incorrect-timeout-ice_release_res.patch b/queue-6.18/ice-fix-incorrect-timeout-ice_release_res.patch new file mode 100644 index 0000000000..0cc8888764 --- /dev/null +++ b/queue-6.18/ice-fix-incorrect-timeout-ice_release_res.patch @@ -0,0 +1,50 @@ +From 9ba242c0a4ce1dd750382132bd63857a935cc473 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 6 Dec 2025 21:46:09 +0800 +Subject: ice: Fix incorrect timeout ice_release_res() + +From: Ding Hui + +[ Upstream commit 01139a2ce532d77379e1593230127caa261a8036 ] + +The commit 5f6df173f92e ("ice: implement and use rd32_poll_timeout for +ice_sq_done timeout") converted ICE_CTL_Q_SQ_CMD_TIMEOUT from jiffies +to microseconds. + +But the ice_release_res() function was missed, and its logic still +treats ICE_CTL_Q_SQ_CMD_TIMEOUT as a jiffies value. + +So correct the issue by usecs_to_jiffies(). + +Found by inspection of the DDP downloading process. +Compile and modprobe tested only. + +Fixes: 5f6df173f92e ("ice: implement and use rd32_poll_timeout for ice_sq_done timeout") +Signed-off-by: Ding Hui +Reviewed-by: Simon Horman +Reviewed-by: Aleksandr Loktionov +Reviewed-by: Jacob Keller +Reviewed-by: Paul Menzel +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_common.c b/drivers/net/ethernet/intel/ice/ice_common.c +index 6edeb06b4dce2..eb148c8d9e083 100644 +--- a/drivers/net/ethernet/intel/ice/ice_common.c ++++ b/drivers/net/ethernet/intel/ice/ice_common.c +@@ -2251,7 +2251,7 @@ void ice_release_res(struct ice_hw *hw, enum ice_aq_res_ids res) + /* there are some rare cases when trying to release the resource + * results in an admin queue timeout, so handle them correctly + */ +- timeout = jiffies + 10 * ICE_CTL_Q_SQ_CMD_TIMEOUT; ++ timeout = jiffies + 10 * usecs_to_jiffies(ICE_CTL_Q_SQ_CMD_TIMEOUT); + do { + status = ice_aq_release_res(hw, res, 0, NULL); + if (status != -EIO) +-- +2.51.0 + diff --git a/queue-6.18/ice-initialize-ring_stats-syncp.patch b/queue-6.18/ice-initialize-ring_stats-syncp.patch new file mode 100644 index 0000000000..5abbe17094 --- /dev/null +++ b/queue-6.18/ice-initialize-ring_stats-syncp.patch @@ -0,0 +1,51 @@ +From 18226482d3ddc0a6456e14d676d5d29f1fb08f36 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Nov 2025 12:20:41 -0800 +Subject: ice: initialize ring_stats->syncp + +From: Jacob Keller + +[ Upstream commit 8439016c3b8b5ab687c2420317b1691585106611 ] + +The u64_stats_sync structure is empty on 64-bit systems. However, on 32-bit +systems it contains a seqcount_t which needs to be initialized. While the +memory is zero-initialized, a lack of u64_stats_init means that lockdep +won't get initialized properly. Fix this by adding u64_stats_init() calls +to the rings just after allocation. + +Fixes: 2b245cb29421 ("ice: Implement transmit and NAPI support") +Reviewed-by: Aleksandr Loktionov +Signed-off-by: Jacob Keller +Reviewed-by: Simon Horman +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_lib.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/intel/ice/ice_lib.c b/drivers/net/ethernet/intel/ice/ice_lib.c +index 4479c824561e9..c0d221d4b4f47 100644 +--- a/drivers/net/ethernet/intel/ice/ice_lib.c ++++ b/drivers/net/ethernet/intel/ice/ice_lib.c +@@ -398,6 +398,8 @@ static int ice_vsi_alloc_ring_stats(struct ice_vsi *vsi) + if (!ring_stats) + goto err_out; + ++ u64_stats_init(&ring_stats->syncp); ++ + WRITE_ONCE(tx_ring_stats[i], ring_stats); + } + +@@ -417,6 +419,8 @@ static int ice_vsi_alloc_ring_stats(struct ice_vsi *vsi) + if (!ring_stats) + goto err_out; + ++ u64_stats_init(&ring_stats->syncp); ++ + WRITE_ONCE(rx_ring_stats[i], ring_stats); + } + +-- +2.51.0 + diff --git a/queue-6.18/igc-fix-race-condition-in-tx-timestamp-read-for-regi.patch b/queue-6.18/igc-fix-race-condition-in-tx-timestamp-read-for-regi.patch new file mode 100644 index 0000000000..56b77b11b5 --- /dev/null +++ b/queue-6.18/igc-fix-race-condition-in-tx-timestamp-read-for-regi.patch @@ -0,0 +1,125 @@ +From b9671f974ffde0f27d3e25eb09395a5ef7b3a913 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Nov 2025 18:53:04 +0800 +Subject: igc: fix race condition in TX timestamp read for register 0 + +From: Chwee-Lin Choong + +[ Upstream commit 6990dc392a9ab10e52af37e0bee8c7b753756dc4 ] + +The current HW bug workaround checks the TXTT_0 ready bit first, +then reads TXSTMPL_0 twice (before and after reading TXSTMPH_0) +to detect whether a new timestamp was captured by timestamp +register 0 during the workaround. + +This sequence has a race: if a new timestamp is captured after +checking the TXTT_0 bit but before the first TXSTMPL_0 read, the +detection fails because both the "old" and "new" values come from +the same timestamp. + +Fix by reading TXSTMPL_0 first to establish a baseline, then +checking the TXTT_0 bit. This ensures any timestamp captured +during the race window will be detected. + +Old sequence: + 1. Check TXTT_0 ready bit + 2. Read TXSTMPL_0 (baseline) + 3. Read TXSTMPH_0 (interrupt workaround) + 4. Read TXSTMPL_0 (detect changes vs baseline) + +New sequence: + 1. Read TXSTMPL_0 (baseline) + 2. Check TXTT_0 ready bit + 3. Read TXSTMPH_0 (interrupt workaround) + 4. Read TXSTMPL_0 (detect changes vs baseline) + +Fixes: c789ad7cbebc ("igc: Work around HW bug causing missing timestamps") +Suggested-by: Avi Shalev +Reviewed-by: Aleksandr Loktionov +Co-developed-by: Song Yoong Siang +Signed-off-by: Song Yoong Siang +Signed-off-by: Chwee-Lin Choong +Tested-by: Avigail Dahan +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_ptp.c | 43 ++++++++++++++---------- + 1 file changed, 25 insertions(+), 18 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc_ptp.c b/drivers/net/ethernet/intel/igc/igc_ptp.c +index b7b46d863bee4..7aae83c108fd7 100644 +--- a/drivers/net/ethernet/intel/igc/igc_ptp.c ++++ b/drivers/net/ethernet/intel/igc/igc_ptp.c +@@ -774,36 +774,43 @@ static void igc_ptp_tx_reg_to_stamp(struct igc_adapter *adapter, + static void igc_ptp_tx_hwtstamp(struct igc_adapter *adapter) + { + struct igc_hw *hw = &adapter->hw; ++ u32 txstmpl_old; + u64 regval; + u32 mask; + int i; + ++ /* Establish baseline of TXSTMPL_0 before checking TXTT_0. ++ * This baseline is used to detect if a new timestamp arrives in ++ * register 0 during the hardware bug workaround below. ++ */ ++ txstmpl_old = rd32(IGC_TXSTMPL); ++ + mask = rd32(IGC_TSYNCTXCTL) & IGC_TSYNCTXCTL_TXTT_ANY; + if (mask & IGC_TSYNCTXCTL_TXTT_0) { + regval = rd32(IGC_TXSTMPL); + regval |= (u64)rd32(IGC_TXSTMPH) << 32; + } else { +- /* There's a bug in the hardware that could cause +- * missing interrupts for TX timestamping. The issue +- * is that for new interrupts to be triggered, the +- * IGC_TXSTMPH_0 register must be read. ++ /* TXTT_0 not set - register 0 has no new timestamp initially. ++ * ++ * Hardware bug: Future timestamp interrupts won't fire unless ++ * TXSTMPH_0 is read, even if the timestamp was captured in ++ * registers 1-3. + * +- * To avoid discarding a valid timestamp that just +- * happened at the "wrong" time, we need to confirm +- * that there was no timestamp captured, we do that by +- * assuming that no two timestamps in sequence have +- * the same nanosecond value. ++ * Workaround: Read TXSTMPH_0 here to enable future interrupts. ++ * However, this read clears TXTT_0. If a timestamp arrives in ++ * register 0 after checking TXTT_0 but before this read, it ++ * would be lost. + * +- * So, we read the "low" register, read the "high" +- * register (to latch a new timestamp) and read the +- * "low" register again, if "old" and "new" versions +- * of the "low" register are different, a valid +- * timestamp was captured, we can read the "high" +- * register again. ++ * To detect this race: We saved a baseline read of TXSTMPL_0 ++ * before TXTT_0 check. After performing the workaround read of ++ * TXSTMPH_0, we read TXSTMPL_0 again. Since consecutive ++ * timestamps never share the same nanosecond value, a change ++ * between the baseline and new TXSTMPL_0 indicates a timestamp ++ * arrived during the race window. If so, read the complete ++ * timestamp. + */ +- u32 txstmpl_old, txstmpl_new; ++ u32 txstmpl_new; + +- txstmpl_old = rd32(IGC_TXSTMPL); + rd32(IGC_TXSTMPH); + txstmpl_new = rd32(IGC_TXSTMPL); + +@@ -818,7 +825,7 @@ static void igc_ptp_tx_hwtstamp(struct igc_adapter *adapter) + + done: + /* Now that the problematic first register was handled, we can +- * use retrieve the timestamps from the other registers ++ * retrieve the timestamps from the other registers + * (starting from '1') with less complications. + */ + for (i = 1; i < IGC_MAX_TX_TSTAMP_REGS; i++) { +-- +2.51.0 + diff --git a/queue-6.18/igc-reduce-tsn-tx-packet-buffer-from-7kb-to-5kb-per-.patch b/queue-6.18/igc-reduce-tsn-tx-packet-buffer-from-7kb-to-5kb-per-.patch new file mode 100644 index 0000000000..5400f3ad93 --- /dev/null +++ b/queue-6.18/igc-reduce-tsn-tx-packet-buffer-from-7kb-to-5kb-per-.patch @@ -0,0 +1,51 @@ +From 0676dab16094caf09fa50d9cfbeb34fe10775748 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Dec 2025 20:21:50 +0800 +Subject: igc: Reduce TSN TX packet buffer from 7KB to 5KB per queue + +From: Chwee-Lin Choong + +[ Upstream commit 8ad1b6c1e63d25f5465b7a8aa403bdcee84b86f9 ] + +The previous 7 KB per queue caused TX unit hangs under heavy +timestamping load. Reducing to 5 KB avoids these hangs and matches +the TSN recommendation in I225/I226 SW User Manual Section 7.5.4. + +The 8 KB "freed" by this change is currently unused. This reduction +is not expected to impact throughput, as the i226 is PCIe-limited +for small TSN packets rather than TX-buffer-limited. + +Fixes: 0d58cdc902da ("igc: optimize TX packet buffer utilization for TSN mode") +Reported-by: Zdenek Bouska +Closes: https://lore.kernel.org/netdev/AS1PR10MB5675DBFE7CE5F2A9336ABFA4EBEAA@AS1PR10MB5675.EURPRD10.PROD.OUTLOOK.COM/ +Reviewed-by: Paul Menzel +Reviewed-by: Simon Horman +Reviewed-by: Aleksandr Loktionov +Signed-off-by: Chwee-Lin Choong +Tested-by: Avigail Dahan +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_defines.h | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc_defines.h b/drivers/net/ethernet/intel/igc/igc_defines.h +index 498ba1522ca4d..9482ab11f050f 100644 +--- a/drivers/net/ethernet/intel/igc/igc_defines.h ++++ b/drivers/net/ethernet/intel/igc/igc_defines.h +@@ -443,9 +443,10 @@ + #define IGC_TXPBSIZE_DEFAULT ( \ + IGC_TXPB0SIZE(20) | IGC_TXPB1SIZE(0) | IGC_TXPB2SIZE(0) | \ + IGC_TXPB3SIZE(0) | IGC_OS2BMCPBSIZE(4)) ++/* TSN value following I225/I226 SW User Manual Section 7.5.4 */ + #define IGC_TXPBSIZE_TSN ( \ +- IGC_TXPB0SIZE(7) | IGC_TXPB1SIZE(7) | IGC_TXPB2SIZE(7) | \ +- IGC_TXPB3SIZE(7) | IGC_OS2BMCPBSIZE(4)) ++ IGC_TXPB0SIZE(5) | IGC_TXPB1SIZE(5) | IGC_TXPB2SIZE(5) | \ ++ IGC_TXPB3SIZE(5) | IGC_OS2BMCPBSIZE(4)) + + #define IGC_DTXMXPKTSZ_TSN 0x19 /* 1600 bytes of max TX DMA packet size */ + #define IGC_DTXMXPKTSZ_DEFAULT 0x98 /* 9728-byte Jumbo frames */ +-- +2.51.0 + diff --git a/queue-6.18/igc-restore-default-qbv-schedule-when-changing-chann.patch b/queue-6.18/igc-restore-default-qbv-schedule-when-changing-chann.patch new file mode 100644 index 0000000000..6803c37ead --- /dev/null +++ b/queue-6.18/igc-restore-default-qbv-schedule-when-changing-chann.patch @@ -0,0 +1,88 @@ +From 8ecb03fe0f17b237b76a174c14430aeb5f1ffffd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Nov 2025 09:18:29 +0100 +Subject: igc: Restore default Qbv schedule when changing channels + +From: Kurt Kanzenbach + +[ Upstream commit 41a9a6826f20a524242a6c984845c4855f629841 ] + +The Multi-queue Priority (MQPRIO) and Earliest TxTime First (ETF) offloads +utilize the Time Sensitive Networking (TSN) Tx mode. This mode is always +coupled to IEEE 802.1Qbv time aware shaper (Qbv). Therefore, the driver +sets a default Qbv schedule of all gates opened and a cycle time of +1s. This schedule is set during probe. + +However, the following sequence of events lead to Tx issues: + + - Boot a dual core system + igc_probe(): + igc_tsn_clear_schedule(): + -> Default Schedule is set + Note: At this point the driver has allocated two Tx/Rx queues, because + there are only two CPUs. + + - ethtool -L enp3s0 combined 4 + igc_ethtool_set_channels(): + igc_reinit_queues() + -> Default schedule is gone, per Tx ring start and end time are zero + + - tc qdisc replace dev enp3s0 handle 100 parent root mqprio \ + num_tc 4 map 3 3 2 2 0 1 1 1 3 3 3 3 3 3 3 3 \ + queues 1@0 1@1 1@2 1@3 hw 1 + igc_tsn_offload_apply(): + igc_tsn_enable_offload(): + -> Writes zeros to IGC_STQT(i) and IGC_ENDQT(i), causing Tx to stall/fail + +Therefore, restore the default Qbv schedule after changing the number of +channels. + +Furthermore, add a restriction to not allow queue reconfiguration when +TSN/Qbv is enabled, because it may lead to inconsistent states. + +Fixes: c814a2d2d48f ("igc: Use default cycle 'start' and 'end' values for queues") +Signed-off-by: Kurt Kanzenbach +Reviewed-by: Aleksandr Loktionov +Tested-by: Avigail Dahan +Acked-by: Vinicius Costa Gomes +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_ethtool.c | 4 ++-- + drivers/net/ethernet/intel/igc/igc_main.c | 5 +++++ + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc_ethtool.c b/drivers/net/ethernet/intel/igc/igc_ethtool.c +index bb783042d1af9..4b39329e9e32b 100644 +--- a/drivers/net/ethernet/intel/igc/igc_ethtool.c ++++ b/drivers/net/ethernet/intel/igc/igc_ethtool.c +@@ -1561,8 +1561,8 @@ static int igc_ethtool_set_channels(struct net_device *netdev, + if (ch->other_count != NON_Q_VECTORS) + return -EINVAL; + +- /* Do not allow channel reconfiguration when mqprio is enabled */ +- if (adapter->strict_priority_enable) ++ /* Do not allow channel reconfiguration when any TSN qdisc is enabled */ ++ if (adapter->flags & IGC_FLAG_TSN_ANY_ENABLED) + return -EINVAL; + + /* Verify the number of channels doesn't exceed hw limits */ +diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c +index 728d7ca5338bf..21e67e7534562 100644 +--- a/drivers/net/ethernet/intel/igc/igc_main.c ++++ b/drivers/net/ethernet/intel/igc/igc_main.c +@@ -7761,6 +7761,11 @@ int igc_reinit_queues(struct igc_adapter *adapter) + if (netif_running(netdev)) + err = igc_open(netdev); + ++ if (!err) { ++ /* Restore default IEEE 802.1Qbv schedule after queue reinit */ ++ igc_tsn_clear_schedule(adapter); ++ } ++ + return err; + } + +-- +2.51.0 + diff --git a/queue-6.18/ipvlan-make-the-addrs_lock-be-per-port.patch b/queue-6.18/ipvlan-make-the-addrs_lock-be-per-port.patch new file mode 100644 index 0000000000..c476e7630b --- /dev/null +++ b/queue-6.18/ipvlan-make-the-addrs_lock-be-per-port.patch @@ -0,0 +1,292 @@ +From 2fdfdadc404dc14780fe20b33aaf5aac0a59e705 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 17:24:06 +0300 +Subject: ipvlan: Make the addrs_lock be per port + +From: Dmitry Skorodumov + +[ Upstream commit d3ba32162488283c0a4c5bedd8817aec91748802 ] + +Make the addrs_lock be per port, not per ipvlan dev. + +Initial code seems to be written in the assumption, +that any address change must occur under RTNL. +But it is not so for the case of IPv6. So + +1) Introduce per-port addrs_lock. + +2) It was needed to fix places where it was forgotten +to take lock (ipvlan_open/ipvlan_close) + +This appears to be a very minor problem though. +Since it's highly unlikely that ipvlan_add_addr() will +be called on 2 CPU simultaneously. But nevertheless, +this could cause: + +1) False-negative of ipvlan_addr_busy(): one interface +iterated through all port->ipvlans + ipvlan->addrs +under some ipvlan spinlock, and another added IP +under its own lock. Though this is only possible +for IPv6, since looks like only ipvlan_addr6_event() can be +called without rtnl_lock. + +2) Race since ipvlan_ht_addr_add(port) is called under +different ipvlan->addrs_lock locks + +This should not affect performance, since add/remove IP +is a rare situation and spinlock is not taken on fast +paths. + +Fixes: 8230819494b3 ("ipvlan: use per device spinlock to protect addrs list updates") +Signed-off-by: Dmitry Skorodumov +Reviewed-by: Paolo Abeni +Link: https://patch.msgid.link/20260112142417.4039566-2-skorodumov.dmitry@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ipvlan/ipvlan.h | 2 +- + drivers/net/ipvlan/ipvlan_core.c | 16 +++++------ + drivers/net/ipvlan/ipvlan_main.c | 49 +++++++++++++++++++------------- + 3 files changed, 37 insertions(+), 30 deletions(-) + +diff --git a/drivers/net/ipvlan/ipvlan.h b/drivers/net/ipvlan/ipvlan.h +index 50de3ee204dbc..80f84fc87008b 100644 +--- a/drivers/net/ipvlan/ipvlan.h ++++ b/drivers/net/ipvlan/ipvlan.h +@@ -69,7 +69,6 @@ struct ipvl_dev { + DECLARE_BITMAP(mac_filters, IPVLAN_MAC_FILTER_SIZE); + netdev_features_t sfeatures; + u32 msg_enable; +- spinlock_t addrs_lock; + }; + + struct ipvl_addr { +@@ -90,6 +89,7 @@ struct ipvl_port { + struct net_device *dev; + possible_net_t pnet; + struct hlist_head hlhead[IPVLAN_HASH_SIZE]; ++ spinlock_t addrs_lock; /* guards hash-table and addrs */ + struct list_head ipvlans; + u16 mode; + u16 flags; +diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c +index baf2ef3bcd54b..6c6677ded82ef 100644 +--- a/drivers/net/ipvlan/ipvlan_core.c ++++ b/drivers/net/ipvlan/ipvlan_core.c +@@ -107,17 +107,15 @@ void ipvlan_ht_addr_del(struct ipvl_addr *addr) + struct ipvl_addr *ipvlan_find_addr(const struct ipvl_dev *ipvlan, + const void *iaddr, bool is_v6) + { +- struct ipvl_addr *addr, *ret = NULL; ++ struct ipvl_addr *addr; + +- rcu_read_lock(); +- list_for_each_entry_rcu(addr, &ipvlan->addrs, anode) { +- if (addr_equal(is_v6, addr, iaddr)) { +- ret = addr; +- break; +- } ++ assert_spin_locked(&ipvlan->port->addrs_lock); ++ ++ list_for_each_entry(addr, &ipvlan->addrs, anode) { ++ if (addr_equal(is_v6, addr, iaddr)) ++ return addr; + } +- rcu_read_unlock(); +- return ret; ++ return NULL; + } + + bool ipvlan_addr_busy(struct ipvl_port *port, void *iaddr, bool is_v6) +diff --git a/drivers/net/ipvlan/ipvlan_main.c b/drivers/net/ipvlan/ipvlan_main.c +index 660f3db117664..baccdad695fda 100644 +--- a/drivers/net/ipvlan/ipvlan_main.c ++++ b/drivers/net/ipvlan/ipvlan_main.c +@@ -75,6 +75,7 @@ static int ipvlan_port_create(struct net_device *dev) + for (idx = 0; idx < IPVLAN_HASH_SIZE; idx++) + INIT_HLIST_HEAD(&port->hlhead[idx]); + ++ spin_lock_init(&port->addrs_lock); + skb_queue_head_init(&port->backlog); + INIT_WORK(&port->wq, ipvlan_process_multicast); + ida_init(&port->ida); +@@ -181,6 +182,7 @@ static void ipvlan_uninit(struct net_device *dev) + static int ipvlan_open(struct net_device *dev) + { + struct ipvl_dev *ipvlan = netdev_priv(dev); ++ struct ipvl_port *port = ipvlan->port; + struct ipvl_addr *addr; + + if (ipvlan->port->mode == IPVLAN_MODE_L3 || +@@ -189,10 +191,10 @@ static int ipvlan_open(struct net_device *dev) + else + dev->flags &= ~IFF_NOARP; + +- rcu_read_lock(); +- list_for_each_entry_rcu(addr, &ipvlan->addrs, anode) ++ spin_lock_bh(&port->addrs_lock); ++ list_for_each_entry(addr, &ipvlan->addrs, anode) + ipvlan_ht_addr_add(ipvlan, addr); +- rcu_read_unlock(); ++ spin_unlock_bh(&port->addrs_lock); + + return 0; + } +@@ -206,10 +208,10 @@ static int ipvlan_stop(struct net_device *dev) + dev_uc_unsync(phy_dev, dev); + dev_mc_unsync(phy_dev, dev); + +- rcu_read_lock(); +- list_for_each_entry_rcu(addr, &ipvlan->addrs, anode) ++ spin_lock_bh(&ipvlan->port->addrs_lock); ++ list_for_each_entry(addr, &ipvlan->addrs, anode) + ipvlan_ht_addr_del(addr); +- rcu_read_unlock(); ++ spin_unlock_bh(&ipvlan->port->addrs_lock); + + return 0; + } +@@ -579,7 +581,6 @@ int ipvlan_link_new(struct net_device *dev, struct rtnl_newlink_params *params, + if (!tb[IFLA_MTU]) + ipvlan_adjust_mtu(ipvlan, phy_dev); + INIT_LIST_HEAD(&ipvlan->addrs); +- spin_lock_init(&ipvlan->addrs_lock); + + /* TODO Probably put random address here to be presented to the + * world but keep using the physical-dev address for the outgoing +@@ -657,13 +658,13 @@ void ipvlan_link_delete(struct net_device *dev, struct list_head *head) + struct ipvl_dev *ipvlan = netdev_priv(dev); + struct ipvl_addr *addr, *next; + +- spin_lock_bh(&ipvlan->addrs_lock); ++ spin_lock_bh(&ipvlan->port->addrs_lock); + list_for_each_entry_safe(addr, next, &ipvlan->addrs, anode) { + ipvlan_ht_addr_del(addr); + list_del_rcu(&addr->anode); + kfree_rcu(addr, rcu); + } +- spin_unlock_bh(&ipvlan->addrs_lock); ++ spin_unlock_bh(&ipvlan->port->addrs_lock); + + ida_free(&ipvlan->port->ida, dev->dev_id); + list_del_rcu(&ipvlan->pnode); +@@ -817,6 +818,8 @@ static int ipvlan_add_addr(struct ipvl_dev *ipvlan, void *iaddr, bool is_v6) + { + struct ipvl_addr *addr; + ++ assert_spin_locked(&ipvlan->port->addrs_lock); ++ + addr = kzalloc(sizeof(struct ipvl_addr), GFP_ATOMIC); + if (!addr) + return -ENOMEM; +@@ -847,16 +850,16 @@ static void ipvlan_del_addr(struct ipvl_dev *ipvlan, void *iaddr, bool is_v6) + { + struct ipvl_addr *addr; + +- spin_lock_bh(&ipvlan->addrs_lock); ++ spin_lock_bh(&ipvlan->port->addrs_lock); + addr = ipvlan_find_addr(ipvlan, iaddr, is_v6); + if (!addr) { +- spin_unlock_bh(&ipvlan->addrs_lock); ++ spin_unlock_bh(&ipvlan->port->addrs_lock); + return; + } + + ipvlan_ht_addr_del(addr); + list_del_rcu(&addr->anode); +- spin_unlock_bh(&ipvlan->addrs_lock); ++ spin_unlock_bh(&ipvlan->port->addrs_lock); + kfree_rcu(addr, rcu); + } + +@@ -878,14 +881,14 @@ static int ipvlan_add_addr6(struct ipvl_dev *ipvlan, struct in6_addr *ip6_addr) + { + int ret = -EINVAL; + +- spin_lock_bh(&ipvlan->addrs_lock); ++ spin_lock_bh(&ipvlan->port->addrs_lock); + if (ipvlan_addr_busy(ipvlan->port, ip6_addr, true)) + netif_err(ipvlan, ifup, ipvlan->dev, + "Failed to add IPv6=%pI6c addr for %s intf\n", + ip6_addr, ipvlan->dev->name); + else + ret = ipvlan_add_addr(ipvlan, ip6_addr, true); +- spin_unlock_bh(&ipvlan->addrs_lock); ++ spin_unlock_bh(&ipvlan->port->addrs_lock); + return ret; + } + +@@ -924,21 +927,24 @@ static int ipvlan_addr6_validator_event(struct notifier_block *unused, + struct in6_validator_info *i6vi = (struct in6_validator_info *)ptr; + struct net_device *dev = (struct net_device *)i6vi->i6vi_dev->dev; + struct ipvl_dev *ipvlan = netdev_priv(dev); ++ int ret = NOTIFY_OK; + + if (!ipvlan_is_valid_dev(dev)) + return NOTIFY_DONE; + + switch (event) { + case NETDEV_UP: ++ spin_lock_bh(&ipvlan->port->addrs_lock); + if (ipvlan_addr_busy(ipvlan->port, &i6vi->i6vi_addr, true)) { + NL_SET_ERR_MSG(i6vi->extack, + "Address already assigned to an ipvlan device"); +- return notifier_from_errno(-EADDRINUSE); ++ ret = notifier_from_errno(-EADDRINUSE); + } ++ spin_unlock_bh(&ipvlan->port->addrs_lock); + break; + } + +- return NOTIFY_OK; ++ return ret; + } + #endif + +@@ -946,14 +952,14 @@ static int ipvlan_add_addr4(struct ipvl_dev *ipvlan, struct in_addr *ip4_addr) + { + int ret = -EINVAL; + +- spin_lock_bh(&ipvlan->addrs_lock); ++ spin_lock_bh(&ipvlan->port->addrs_lock); + if (ipvlan_addr_busy(ipvlan->port, ip4_addr, false)) + netif_err(ipvlan, ifup, ipvlan->dev, + "Failed to add IPv4=%pI4 on %s intf.\n", + ip4_addr, ipvlan->dev->name); + else + ret = ipvlan_add_addr(ipvlan, ip4_addr, false); +- spin_unlock_bh(&ipvlan->addrs_lock); ++ spin_unlock_bh(&ipvlan->port->addrs_lock); + return ret; + } + +@@ -995,21 +1001,24 @@ static int ipvlan_addr4_validator_event(struct notifier_block *unused, + struct in_validator_info *ivi = (struct in_validator_info *)ptr; + struct net_device *dev = (struct net_device *)ivi->ivi_dev->dev; + struct ipvl_dev *ipvlan = netdev_priv(dev); ++ int ret = NOTIFY_OK; + + if (!ipvlan_is_valid_dev(dev)) + return NOTIFY_DONE; + + switch (event) { + case NETDEV_UP: ++ spin_lock_bh(&ipvlan->port->addrs_lock); + if (ipvlan_addr_busy(ipvlan->port, &ivi->ivi_addr, false)) { + NL_SET_ERR_MSG(ivi->extack, + "Address already assigned to an ipvlan device"); +- return notifier_from_errno(-EADDRINUSE); ++ ret = notifier_from_errno(-EADDRINUSE); + } ++ spin_unlock_bh(&ipvlan->port->addrs_lock); + break; + } + +- return NOTIFY_OK; ++ return ret; + } + + static struct notifier_block ipvlan_addr4_notifier_block __read_mostly = { +-- +2.51.0 + diff --git a/queue-6.18/l2tp-avoid-one-data-race-in-l2tp_tunnel_del_work.patch b/queue-6.18/l2tp-avoid-one-data-race-in-l2tp_tunnel_del_work.patch new file mode 100644 index 0000000000..d77b6108d1 --- /dev/null +++ b/queue-6.18/l2tp-avoid-one-data-race-in-l2tp_tunnel_del_work.patch @@ -0,0 +1,85 @@ +From af3fddfa7095dc1e2b461e1a40cc135b415a4229 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jan 2026 09:21:39 +0000 +Subject: l2tp: avoid one data-race in l2tp_tunnel_del_work() + +From: Eric Dumazet + +[ Upstream commit 7a29f6bf60f2590fe5e9c4decb451e19afad2bcf ] + +We should read sk->sk_socket only when dealing with kernel sockets. + +syzbot reported the following data-race: + +BUG: KCSAN: data-race in l2tp_tunnel_del_work / sk_common_release + +write to 0xffff88811c182b20 of 8 bytes by task 5365 on cpu 0: + sk_set_socket include/net/sock.h:2092 [inline] + sock_orphan include/net/sock.h:2118 [inline] + sk_common_release+0xae/0x230 net/core/sock.c:4003 + udp_lib_close+0x15/0x20 include/net/udp.h:325 + inet_release+0xce/0xf0 net/ipv4/af_inet.c:437 + __sock_release net/socket.c:662 [inline] + sock_close+0x6b/0x150 net/socket.c:1455 + __fput+0x29b/0x650 fs/file_table.c:468 + ____fput+0x1c/0x30 fs/file_table.c:496 + task_work_run+0x131/0x1a0 kernel/task_work.c:233 + resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] + __exit_to_user_mode_loop kernel/entry/common.c:44 [inline] + exit_to_user_mode_loop+0x1fe/0x740 kernel/entry/common.c:75 + __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline] + syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline] + syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline] + syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline] + do_syscall_64+0x1e1/0x2b0 arch/x86/entry/syscall_64.c:100 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +read to 0xffff88811c182b20 of 8 bytes by task 827 on cpu 1: + l2tp_tunnel_del_work+0x2f/0x1a0 net/l2tp/l2tp_core.c:1418 + process_one_work kernel/workqueue.c:3257 [inline] + process_scheduled_works+0x4ce/0x9d0 kernel/workqueue.c:3340 + worker_thread+0x582/0x770 kernel/workqueue.c:3421 + kthread+0x489/0x510 kernel/kthread.c:463 + ret_from_fork+0x149/0x290 arch/x86/kernel/process.c:158 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 + +value changed: 0xffff88811b818000 -> 0x0000000000000000 + +Fixes: d00fa9adc528 ("l2tp: fix races with tunnel socket close") +Reported-by: syzbot+7312e82745f7fa2526db@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/6968b029.050a0220.58bed.0016.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: James Chapman +Reviewed-by: Guillaume Nault +Link: https://patch.msgid.link/20260115092139.3066180-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/l2tp/l2tp_core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c +index d6f4bef0236dc..a0682e63fc637 100644 +--- a/net/l2tp/l2tp_core.c ++++ b/net/l2tp/l2tp_core.c +@@ -1416,8 +1416,6 @@ static void l2tp_tunnel_del_work(struct work_struct *work) + { + struct l2tp_tunnel *tunnel = container_of(work, struct l2tp_tunnel, + del_work); +- struct sock *sk = tunnel->sock; +- struct socket *sock = sk->sk_socket; + + l2tp_tunnel_closeall(tunnel); + +@@ -1425,6 +1423,8 @@ static void l2tp_tunnel_del_work(struct work_struct *work) + * the sk API to release it here. + */ + if (tunnel->fd < 0) { ++ struct socket *sock = tunnel->sock->sk_socket; ++ + if (sock) { + kernel_sock_shutdown(sock, SHUT_RDWR); + sock_release(sock); +-- +2.51.0 + diff --git a/queue-6.18/l2tp-fix-memleak-in-l2tp_udp_encap_recv.patch b/queue-6.18/l2tp-fix-memleak-in-l2tp_udp_encap_recv.patch new file mode 100644 index 0000000000..44b383d81d --- /dev/null +++ b/queue-6.18/l2tp-fix-memleak-in-l2tp_udp_encap_recv.patch @@ -0,0 +1,77 @@ +From 0ba3549e6887f903b489cbaa5bf1e2829187cd2e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 18:54:44 +0000 +Subject: l2tp: Fix memleak in l2tp_udp_encap_recv(). + +From: Kuniyuki Iwashima + +[ Upstream commit 4d10edfd1475b69dbd4c47f34b61a3772ece83ca ] + +syzbot reported memleak of struct l2tp_session, l2tp_tunnel, +sock, etc. [0] + +The cited commit moved down the validation of the protocol +version in l2tp_udp_encap_recv(). + +The new place requires an extra error handling to avoid the +memleak. + +Let's call l2tp_session_put() there. + +[0]: +BUG: memory leak +unreferenced object 0xffff88810a290200 (size 512): + comm "syz.0.17", pid 6086, jiffies 4294944299 + hex dump (first 32 bytes): + 7d eb 04 0c 00 00 00 00 01 00 00 00 00 00 00 00 }............... + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace (crc babb6a4f): + kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] + slab_post_alloc_hook mm/slub.c:4958 [inline] + slab_alloc_node mm/slub.c:5263 [inline] + __do_kmalloc_node mm/slub.c:5656 [inline] + __kmalloc_noprof+0x3e0/0x660 mm/slub.c:5669 + kmalloc_noprof include/linux/slab.h:961 [inline] + kzalloc_noprof include/linux/slab.h:1094 [inline] + l2tp_session_create+0x3a/0x3b0 net/l2tp/l2tp_core.c:1778 + pppol2tp_connect+0x48b/0x920 net/l2tp/l2tp_ppp.c:755 + __sys_connect_file+0x7a/0xb0 net/socket.c:2089 + __sys_connect+0xde/0x110 net/socket.c:2108 + __do_sys_connect net/socket.c:2114 [inline] + __se_sys_connect net/socket.c:2111 [inline] + __x64_sys_connect+0x1c/0x30 net/socket.c:2111 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: 364798056f518 ("l2tp: Support different protocol versions with same IP/port quadruple") +Reported-by: syzbot+2c42ea4485b29beb0643@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/696693f2.a70a0220.245e30.0001.GAE@google.com/ +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Guillaume Nault +Link: https://patch.msgid.link/20260113185446.2533333-1-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/l2tp/l2tp_core.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c +index 0710281dd95aa..d6f4bef0236dc 100644 +--- a/net/l2tp/l2tp_core.c ++++ b/net/l2tp/l2tp_core.c +@@ -1086,8 +1086,10 @@ int l2tp_udp_encap_recv(struct sock *sk, struct sk_buff *skb) + tunnel = session->tunnel; + + /* Check protocol version */ +- if (version != tunnel->version) ++ if (version != tunnel->version) { ++ l2tp_session_put(session); + goto invalid; ++ } + + if (version == L2TP_HDR_VER_3 && + l2tp_v3_ensure_opt_in_linear(session, skb, &ptr, &optr)) { +-- +2.51.0 + diff --git a/queue-6.18/net-freescale-ucc_geth-return-early-when-tbi-phy-can.patch b/queue-6.18/net-freescale-ucc_geth-return-early-when-tbi-phy-can.patch new file mode 100644 index 0000000000..cb374aef07 --- /dev/null +++ b/queue-6.18/net-freescale-ucc_geth-return-early-when-tbi-phy-can.patch @@ -0,0 +1,47 @@ +From 3173fdfa21957438a98d98979adf62946bdde9c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jan 2026 09:02:46 +0100 +Subject: net: freescale: ucc_geth: Return early when TBI PHY can't be found + +From: Maxime Chevallier + +[ Upstream commit a74c7a58ca2ca1cbb93f4c01421cf24b8642b962 ] + +In ucc_geth's .mac_config(), we configure the TBI Serdes block represented by a +struct phy_device that we get from firmware. + +While porting to phylink, a check was missed to make sure we don't try +to access the TBI PHY if we can't get it. Let's add it and return early +in case of error + +Reported-by: kernel test robot +Reported-by: Dan Carpenter +Closes: https://lore.kernel.org/r/202601130843.rFGNXA5a-lkp@intel.com/ +Fixes: 53036aa8d031 ("net: freescale: ucc_geth: phylink conversion") +Signed-off-by: Maxime Chevallier +Link: https://patch.msgid.link/20260114080247.366252-1-maxime.chevallier@bootlin.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/ucc_geth.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/freescale/ucc_geth.c b/drivers/net/ethernet/freescale/ucc_geth.c +index affd5a6c44e7b..131d1210dc4a8 100644 +--- a/drivers/net/ethernet/freescale/ucc_geth.c ++++ b/drivers/net/ethernet/freescale/ucc_geth.c +@@ -1602,8 +1602,10 @@ static void ugeth_mac_config(struct phylink_config *config, unsigned int mode, + pr_warn("TBI mode requires that the device tree specify a tbi-handle\n"); + + tbiphy = of_phy_find_device(ug_info->tbi_node); +- if (!tbiphy) ++ if (!tbiphy) { + pr_warn("Could not get TBI device\n"); ++ return; ++ } + + value = phy_read(tbiphy, ENET_TBI_MII_CR); + value &= ~0x1000; /* Turn off autonegotiation */ +-- +2.51.0 + diff --git a/queue-6.18/net-sched-enforce-that-teql-can-only-be-used-as-root.patch b/queue-6.18/net-sched-enforce-that-teql-can-only-be-used-as-root.patch new file mode 100644 index 0000000000..635fbbc45d --- /dev/null +++ b/queue-6.18/net-sched-enforce-that-teql-can-only-be-used-as-root.patch @@ -0,0 +1,68 @@ +From ec9c4391c49d5b8a0408ddcf0d7872f3ee5a015a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jan 2026 11:02:41 -0500 +Subject: net/sched: Enforce that teql can only be used as root qdisc +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jamal Hadi Salim + +[ Upstream commit 50da4b9d07a7a463e2cfb738f3ad4cff6b2c9c3b ] + +Design intent of teql is that it is only supposed to be used as root qdisc. +We need to check for that constraint. + +Although not important, I will describe the scenario that unearthed this +issue for the curious. + +GangMin Kim managed to concot a scenario as follows: + +ROOT qdisc 1:0 (QFQ) + ├── class 1:1 (weight=15, lmax=16384) netem with delay 6.4s + └── class 1:2 (weight=1, lmax=1514) teql + +GangMin sends a packet which is enqueued to 1:1 (netem). +Any invocation of dequeue by QFQ from this class will not return a packet +until after 6.4s. In the meantime, a second packet is sent and it lands on +1:2. teql's enqueue will return success and this will activate class 1:2. +Main issue is that teql only updates the parent visible qlen (sch->q.qlen) +at dequeue. Since QFQ will only call dequeue if peek succeeds (and teql's +peek always returns NULL), dequeue will never be called and thus the qlen +will remain as 0. With that in mind, when GangMin updates 1:2's lmax value, +the qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc's +qlen was not incremented, qfq fails to deactivate the class, but still +frees its pointers from the aggregate. So when the first packet is +rescheduled after 6.4 seconds (netem's delay), a dangling pointer is +accessed causing GangMin's causing a UAF. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: GangMin Kim +Tested-by: Victor Nogueira +Signed-off-by: Jamal Hadi Salim +Link: https://patch.msgid.link/20260114160243.913069-2-jhs@mojatatu.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_teql.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/sched/sch_teql.c b/net/sched/sch_teql.c +index 8badec6d82a24..6e4bdaa876ed6 100644 +--- a/net/sched/sch_teql.c ++++ b/net/sched/sch_teql.c +@@ -178,6 +178,11 @@ static int teql_qdisc_init(struct Qdisc *sch, struct nlattr *opt, + if (m->dev == dev) + return -ELOOP; + ++ if (sch->parent != TC_H_ROOT) { ++ NL_SET_ERR_MSG_MOD(extack, "teql can only be used as root"); ++ return -EOPNOTSUPP; ++ } ++ + q->m = m; + + skb_queue_head_init(&q->q); +-- +2.51.0 + diff --git a/queue-6.18/net-sched-qfq-use-cl_is_active-to-determine-whether-.patch b/queue-6.18/net-sched-qfq-use-cl_is_active-to-determine-whether-.patch new file mode 100644 index 0000000000..2276cc770a --- /dev/null +++ b/queue-6.18/net-sched-qfq-use-cl_is_active-to-determine-whether-.patch @@ -0,0 +1,40 @@ +From b10d8fb2bd5af1dd0ae64b539b176f78346d6cff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jan 2026 11:02:42 -0500 +Subject: net/sched: qfq: Use cl_is_active to determine whether class is active + in qfq_rm_from_ag + +From: Jamal Hadi Salim + +[ Upstream commit d837fbee92453fbb829f950c8e7cf76207d73f33 ] + +This is more of a preventive patch to make the code more consistent and +to prevent possible exploits that employ child qlen manipulations on qfq. +use cl_is_active instead of relying on the child qdisc's qlen to determine +class activation. + +Fixes: 462dbc9101acd ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost") +Signed-off-by: Jamal Hadi Salim +Link: https://patch.msgid.link/20260114160243.913069-3-jhs@mojatatu.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_qfq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c +index 9b16ad431028f..f94c9c9c90424 100644 +--- a/net/sched/sch_qfq.c ++++ b/net/sched/sch_qfq.c +@@ -373,7 +373,7 @@ static void qfq_rm_from_agg(struct qfq_sched *q, struct qfq_class *cl) + /* Deschedule class and remove it from its parent aggregate. */ + static void qfq_deact_rm_from_agg(struct qfq_sched *q, struct qfq_class *cl) + { +- if (cl->qdisc->q.qlen > 0) /* class is active */ ++ if (cl_is_active(cl)) /* class is active */ + qfq_deactivate_class(q, cl); + + qfq_rm_from_agg(q, cl); +-- +2.51.0 + diff --git a/queue-6.18/net-usb-dm9601-remove-broken-sr9700-support.patch b/queue-6.18/net-usb-dm9601-remove-broken-sr9700-support.patch new file mode 100644 index 0000000000..a4fed5b0aa --- /dev/null +++ b/queue-6.18/net-usb-dm9601-remove-broken-sr9700-support.patch @@ -0,0 +1,53 @@ +From 6b2a4797477ed35ebabd12c625e22e86e5444d0b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 22:39:24 -0800 +Subject: net: usb: dm9601: remove broken SR9700 support + +From: Ethan Nelson-Moore + +[ Upstream commit 7d7dbafefbe74f5a25efc4807af093b857a7612e ] + +The SR9700 chip sends more than one packet in a USB transaction, +like the DM962x chips can optionally do, but the dm9601 driver does not +support this mode, and the hardware does not have the DM962x +MODE_CTL register to disable it, so this driver drops packets on SR9700 +devices. The sr9700 driver correctly handles receiving more than one +packet per transaction. + +While the dm9601 driver could be improved to handle this, the easiest +way to fix this issue in the short term is to remove the SR9700 device +ID from the dm9601 driver so the sr9700 driver is always used. This +device ID should not have been in more than one driver to begin with. + +The "Fixes" commit was chosen so that the patch is automatically +included in all kernels that have the sr9700 driver, even though the +issue affects dm9601. + +Fixes: c9b37458e956 ("USB2NET : SR9700 : One chip USB 1.1 USB2NET SR9700Device Driver Support") +Signed-off-by: Ethan Nelson-Moore +Acked-by: Peter Korsgaard +Link: https://patch.msgid.link/20260113063924.74464-1-enelsonmoore@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/dm9601.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/net/usb/dm9601.c b/drivers/net/usb/dm9601.c +index 8b6d6a1b3c2ec..2b4716ccf0c5b 100644 +--- a/drivers/net/usb/dm9601.c ++++ b/drivers/net/usb/dm9601.c +@@ -603,10 +603,6 @@ static const struct usb_device_id products[] = { + USB_DEVICE(0x0fe6, 0x8101), /* DM9601 USB to Fast Ethernet Adapter */ + .driver_info = (unsigned long)&dm9601_info, + }, +- { +- USB_DEVICE(0x0fe6, 0x9700), /* DM9601 USB to Fast Ethernet Adapter */ +- .driver_info = (unsigned long)&dm9601_info, +- }, + { + USB_DEVICE(0x0a46, 0x9000), /* DM9000E */ + .driver_info = (unsigned long)&dm9601_info, +-- +2.51.0 + diff --git a/queue-6.18/octeontx2-cn10k-fix-rx-flowid-tcam-mask-handling.patch b/queue-6.18/octeontx2-cn10k-fix-rx-flowid-tcam-mask-handling.patch new file mode 100644 index 0000000000..b157fbb57e --- /dev/null +++ b/queue-6.18/octeontx2-cn10k-fix-rx-flowid-tcam-mask-handling.patch @@ -0,0 +1,43 @@ +From 9631fe523c3274d10c963636bfa78d79872d9950 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jan 2026 08:47:12 -0800 +Subject: octeontx2: cn10k: fix RX flowid TCAM mask handling + +From: Alok Tiwari + +[ Upstream commit ab9b218a1521133a4410722907fa7189566be9bc ] + +The RX flowid programming initializes the TCAM mask to all ones, but +then overwrites it when clearing the MAC DA mask bits. This results +in losing the intended initialization and may affect other match fields. + +Update the code to clear the MAC DA bits using an AND operation, making +the handling of mask[0] consistent with mask[1], where the field-specific +bits are cleared after initializing the mask to ~0ULL. + +Fixes: 57d00d4364f3 ("octeontx2-pf: mcs: Match macsec ethertype along with DMAC") +Signed-off-by: Alok Tiwari +Reviewed-by: Subbaraya Sundeep +Link: https://patch.msgid.link/20260116164724.2733511-1-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c +index 4c7e0f345cb5b..060c715ebad0a 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c +@@ -328,7 +328,7 @@ static int cn10k_mcs_write_rx_flowid(struct otx2_nic *pfvf, + + req->data[0] = FIELD_PREP(MCS_TCAM0_MAC_DA_MASK, mac_da); + req->mask[0] = ~0ULL; +- req->mask[0] = ~MCS_TCAM0_MAC_DA_MASK; ++ req->mask[0] &= ~MCS_TCAM0_MAC_DA_MASK; + + req->data[1] = FIELD_PREP(MCS_TCAM1_ETYPE_MASK, ETH_P_MACSEC); + req->mask[1] = ~0ULL; +-- +2.51.0 + diff --git a/queue-6.18/pmdomain-qcom-rpmhpd-add-mxc-to-sc8280xp.patch b/queue-6.18/pmdomain-qcom-rpmhpd-add-mxc-to-sc8280xp.patch new file mode 100644 index 0000000000..85ed80ad09 --- /dev/null +++ b/queue-6.18/pmdomain-qcom-rpmhpd-add-mxc-to-sc8280xp.patch @@ -0,0 +1,50 @@ +From 7c6723a15304c465b922c375a92c30a5bd9d1879 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Dec 2025 18:36:21 +0100 +Subject: pmdomain: qcom: rpmhpd: Add MXC to SC8280XP + +From: Konrad Dybcio + +[ Upstream commit 5bc3e720e725cd5fa34875fa1e5434d565858067 ] + +This was apparently accounted for in dt-bindings, but never made its +way into the driver. + +Fix it for SC8280XP and its VDD_GFX-less cousin, SA8540P. + +Fixes: f68f1cb3437d ("soc: qcom: rpmhpd: add sc8280xp & sa8540p rpmh power-domains") +Reviewed-by: Dmitry Baryshkov +Signed-off-by: Konrad Dybcio +Reviewed-by: Ulf Hansson +Link: https://lore.kernel.org/r/20251202-topic-8280_mxc-v2-2-46cdf47a829e@oss.qualcomm.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/pmdomain/qcom/rpmhpd.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/pmdomain/qcom/rpmhpd.c b/drivers/pmdomain/qcom/rpmhpd.c +index 4faa8a2561862..4c3cbf3abc750 100644 +--- a/drivers/pmdomain/qcom/rpmhpd.c ++++ b/drivers/pmdomain/qcom/rpmhpd.c +@@ -246,6 +246,8 @@ static struct rpmhpd *sa8540p_rpmhpds[] = { + [SC8280XP_MMCX_AO] = &mmcx_ao, + [SC8280XP_MX] = &mx, + [SC8280XP_MX_AO] = &mx_ao, ++ [SC8280XP_MXC] = &mxc, ++ [SC8280XP_MXC_AO] = &mxc_ao, + [SC8280XP_NSP] = &nsp, + }; + +@@ -675,6 +677,8 @@ static struct rpmhpd *sc8280xp_rpmhpds[] = { + [SC8280XP_MMCX_AO] = &mmcx_ao, + [SC8280XP_MX] = &mx, + [SC8280XP_MX_AO] = &mx_ao, ++ [SC8280XP_MXC] = &mxc, ++ [SC8280XP_MXC_AO] = &mxc_ao, + [SC8280XP_NSP] = &nsp, + [SC8280XP_QPHY] = &qphy, + }; +-- +2.51.0 + diff --git a/queue-6.18/pwm-ensure-ioctl-returns-a-negative-errno-on-error.patch b/queue-6.18/pwm-ensure-ioctl-returns-a-negative-errno-on-error.patch new file mode 100644 index 0000000000..45b2f67ab7 --- /dev/null +++ b/queue-6.18/pwm-ensure-ioctl-returns-a-negative-errno-on-error.patch @@ -0,0 +1,64 @@ +From e2f2edb76b63e22a3964bb0184a1965673c4dcda Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jan 2026 16:13:26 +0100 +Subject: pwm: Ensure ioctl() returns a negative errno on error +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit c198b7773ca5bc3bdfb15b85e414fb9a99a5e5ba ] + +copy_to_user() returns the number of bytes not copied, thus if there is +a problem a positive number. However the ioctl callback is supposed to +return a negative error code on error. + +This error is a unfortunate as strictly speaking it became ABI with the +introduction of pwm character devices. However I never saw the issue in +real life -- I found this by code inspection -- and it only affects an +error case where readonly memory is passed to the ioctls or the address +mapping changes while the ioctl is active. Also there are already error +cases returning negative values, so the calling code must be prepared to +see such values already. + +Fixes: 9c06f26ba5f5 ("pwm: Add support for pwmchip devices for faster and easier userspace access") +Signed-off-by: Uwe Kleine-König +Link: https://patch.msgid.link/20260119151325.571857-2-u.kleine-koenig@baylibre.com +Signed-off-by: Uwe Kleine-König +Signed-off-by: Sasha Levin +--- + drivers/pwm/core.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/pwm/core.c b/drivers/pwm/core.c +index 7dd1cf2ba4025..462c91a034c8e 100644 +--- a/drivers/pwm/core.c ++++ b/drivers/pwm/core.c +@@ -2294,8 +2294,9 @@ static long pwm_cdev_ioctl(struct file *file, unsigned int cmd, unsigned long ar + .duty_offset_ns = wf.duty_offset_ns, + }; + +- return copy_to_user((struct pwmchip_waveform __user *)arg, +- &cwf, sizeof(cwf)); ++ ret = copy_to_user((struct pwmchip_waveform __user *)arg, ++ &cwf, sizeof(cwf)); ++ return ret ? -EFAULT : 0; + } + + case PWM_IOCTL_GETWF: +@@ -2328,8 +2329,9 @@ static long pwm_cdev_ioctl(struct file *file, unsigned int cmd, unsigned long ar + .duty_offset_ns = wf.duty_offset_ns, + }; + +- return copy_to_user((struct pwmchip_waveform __user *)arg, +- &cwf, sizeof(cwf)); ++ ret = copy_to_user((struct pwmchip_waveform __user *)arg, ++ &cwf, sizeof(cwf)); ++ return ret ? -EFAULT : 0; + } + + case PWM_IOCTL_SETROUNDEDWF: +-- +2.51.0 + diff --git a/queue-6.18/pwm-max7360-populate-missing-.sizeof_wfhw-in-max7360.patch b/queue-6.18/pwm-max7360-populate-missing-.sizeof_wfhw-in-max7360.patch new file mode 100644 index 0000000000..78f1fb959c --- /dev/null +++ b/queue-6.18/pwm-max7360-populate-missing-.sizeof_wfhw-in-max7360.patch @@ -0,0 +1,43 @@ +From 48c8c0966f6cd24cfcf38a3046b30be5ebfb4e82 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 17:39:07 +0100 +Subject: pwm: max7360: Populate missing .sizeof_wfhw in max7360_pwm_ops +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Richard Genoud + +[ Upstream commit 63faf32666e03a78cc985bcbae196418cf7d7938 ] + +The sizeof_wfhw field wasn't populated in max7360_pwm_ops so it was set +to 0 by default. +While this is ok for now because: +sizeof(struct max7360_pwm_waveform) < PWM_WFHWSIZE +in the future, if struct max7360_pwm_waveform grows, it could lead to +stack corruption. + +Fixes: d93a75d94b79 ("pwm: max7360: Add MAX7360 PWM support") +Signed-off-by: Richard Genoud +Link: https://patch.msgid.link/20260113163907.368919-1-richard.genoud@bootlin.com +Signed-off-by: Uwe Kleine-König +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-max7360.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pwm/pwm-max7360.c b/drivers/pwm/pwm-max7360.c +index ebf93a7aee5be..31972bd00ebe9 100644 +--- a/drivers/pwm/pwm-max7360.c ++++ b/drivers/pwm/pwm-max7360.c +@@ -153,6 +153,7 @@ static int max7360_pwm_read_waveform(struct pwm_chip *chip, + } + + static const struct pwm_ops max7360_pwm_ops = { ++ .sizeof_wfhw = sizeof(struct max7360_pwm_waveform), + .request = max7360_pwm_request, + .round_waveform_tohw = max7360_pwm_round_waveform_tohw, + .round_waveform_fromhw = max7360_pwm_round_waveform_fromhw, +-- +2.51.0 + diff --git a/queue-6.18/sctp-move-sctp_cmd_assoc_shkey-right-after-sctp_cmd_.patch b/queue-6.18/sctp-move-sctp_cmd_assoc_shkey-right-after-sctp_cmd_.patch new file mode 100644 index 0000000000..b2843886d6 --- /dev/null +++ b/queue-6.18/sctp-move-sctp_cmd_assoc_shkey-right-after-sctp_cmd_.patch @@ -0,0 +1,101 @@ +From c11190f02b70937cf7ecaa2783fc339964c3a7ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 12:10:26 -0500 +Subject: sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT + +From: Xin Long + +[ Upstream commit a80c9d945aef55b23b54838334345f20251dad83 ] + +A null-ptr-deref was reported in the SCTP transmit path when SCTP-AUTH key +initialization fails: + + ================================================================== + KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f] + CPU: 0 PID: 16 Comm: ksoftirqd/0 Tainted: G W 6.6.0 #2 + RIP: 0010:sctp_packet_bundle_auth net/sctp/output.c:264 [inline] + RIP: 0010:sctp_packet_append_chunk+0xb36/0x1260 net/sctp/output.c:401 + Call Trace: + + sctp_packet_transmit_chunk+0x31/0x250 net/sctp/output.c:189 + sctp_outq_flush_data+0xa29/0x26d0 net/sctp/outqueue.c:1111 + sctp_outq_flush+0xc80/0x1240 net/sctp/outqueue.c:1217 + sctp_cmd_interpreter.isra.0+0x19a5/0x62c0 net/sctp/sm_sideeffect.c:1787 + sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline] + sctp_do_sm+0x1a3/0x670 net/sctp/sm_sideeffect.c:1169 + sctp_assoc_bh_rcv+0x33e/0x640 net/sctp/associola.c:1052 + sctp_inq_push+0x1dd/0x280 net/sctp/inqueue.c:88 + sctp_rcv+0x11ae/0x3100 net/sctp/input.c:243 + sctp6_rcv+0x3d/0x60 net/sctp/ipv6.c:1127 + +The issue is triggered when sctp_auth_asoc_init_active_key() fails in +sctp_sf_do_5_1C_ack() while processing an INIT_ACK. In this case, the +command sequence is currently: + +- SCTP_CMD_PEER_INIT +- SCTP_CMD_TIMER_STOP (T1_INIT) +- SCTP_CMD_TIMER_START (T1_COOKIE) +- SCTP_CMD_NEW_STATE (COOKIE_ECHOED) +- SCTP_CMD_ASSOC_SHKEY +- SCTP_CMD_GEN_COOKIE_ECHO + +If SCTP_CMD_ASSOC_SHKEY fails, asoc->shkey remains NULL, while +asoc->peer.auth_capable and asoc->peer.peer_chunks have already been set by +SCTP_CMD_PEER_INIT. This allows a DATA chunk with auth = 1 and shkey = NULL +to be queued by sctp_datamsg_from_user(). + +Since command interpretation stops on failure, no COOKIE_ECHO should been +sent via SCTP_CMD_GEN_COOKIE_ECHO. However, the T1_COOKIE timer has already +been started, and it may enqueue a COOKIE_ECHO into the outqueue later. As +a result, the DATA chunk can be transmitted together with the COOKIE_ECHO +in sctp_outq_flush_data(), leading to the observed issue. + +Similar to the other places where it calls sctp_auth_asoc_init_active_key() +right after sctp_process_init(), this patch moves the SCTP_CMD_ASSOC_SHKEY +immediately after SCTP_CMD_PEER_INIT, before stopping T1_INIT and starting +T1_COOKIE. This ensures that if shared key generation fails, authenticated +DATA cannot be sent. It also allows the T1_INIT timer to retransmit INIT, +giving the client another chance to process INIT_ACK and retry key setup. + +Fixes: 730fc3d05cd4 ("[SCTP]: Implete SCTP-AUTH parameter processing") +Reported-by: Zhen Chen +Tested-by: Zhen Chen +Signed-off-by: Xin Long +Link: https://patch.msgid.link/44881224b375aa8853f5e19b4055a1a56d895813.1768324226.git.lucien.xin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/sm_statefuns.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c +index 3755ba079d077..7b823d7591419 100644 +--- a/net/sctp/sm_statefuns.c ++++ b/net/sctp/sm_statefuns.c +@@ -603,6 +603,11 @@ enum sctp_disposition sctp_sf_do_5_1C_ack(struct net *net, + sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT, + SCTP_PEER_INIT(initchunk)); + ++ /* SCTP-AUTH: generate the association shared keys so that ++ * we can potentially sign the COOKIE-ECHO. ++ */ ++ sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL()); ++ + /* Reset init error count upon receipt of INIT-ACK. */ + sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); + +@@ -617,11 +622,6 @@ enum sctp_disposition sctp_sf_do_5_1C_ack(struct net *net, + sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, + SCTP_STATE(SCTP_STATE_COOKIE_ECHOED)); + +- /* SCTP-AUTH: generate the association shared keys so that +- * we can potentially sign the COOKIE-ECHO. +- */ +- sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL()); +- + /* 5.1 C) "A" shall then send the State Cookie received in the + * INIT ACK chunk in a COOKIE ECHO chunk, ... + */ +-- +2.51.0 + diff --git a/queue-6.18/selftests-net-fib-onlink-tests-convert-to-use-namesp.patch b/queue-6.18/selftests-net-fib-onlink-tests-convert-to-use-namesp.patch new file mode 100644 index 0000000000..fd387a316f --- /dev/null +++ b/queue-6.18/selftests-net-fib-onlink-tests-convert-to-use-namesp.patch @@ -0,0 +1,185 @@ +From bac1c29bb17c2da579204237c4d1fa7a74f53eb9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 12:37:44 -0300 +Subject: selftests: net: fib-onlink-tests: Convert to use namespaces by + default +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ricardo B. Marlière + +[ Upstream commit 4f5f148dd7c0459229d2ab9a769b2e820f9ee6a2 ] + +Currently, the test breaks if the SUT already has a default route +configured for IPv6. Fix by avoiding the use of the default namespace. + +Fixes: 4ed591c8ab44 ("net/ipv6: Allow onlink routes to have a device mismatch if it is the default route") +Suggested-by: Fernando Fernandez Mancera +Signed-off-by: Ricardo B. Marlière +Reviewed-by: Ido Schimmel +Reviewed-by: Fernando Fernandez Mancera +Link: https://patch.msgid.link/20260113-selftests-net-fib-onlink-v2-1-89de2b931389@suse.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../testing/selftests/net/fib-onlink-tests.sh | 71 ++++++++----------- + 1 file changed, 30 insertions(+), 41 deletions(-) + +diff --git a/tools/testing/selftests/net/fib-onlink-tests.sh b/tools/testing/selftests/net/fib-onlink-tests.sh +index ec2d6ceb1f08d..c01be076b210d 100755 +--- a/tools/testing/selftests/net/fib-onlink-tests.sh ++++ b/tools/testing/selftests/net/fib-onlink-tests.sh +@@ -120,7 +120,7 @@ log_subsection() + + run_cmd() + { +- local cmd="$*" ++ local cmd="$1" + local out + local rc + +@@ -145,7 +145,7 @@ get_linklocal() + local pfx + local addr + +- addr=$(${pfx} ip -6 -br addr show dev ${dev} | \ ++ addr=$(${pfx} ${IP} -6 -br addr show dev ${dev} | \ + awk '{ + for (i = 3; i <= NF; ++i) { + if ($i ~ /^fe80/) +@@ -173,58 +173,48 @@ setup() + + set -e + +- # create namespace +- setup_ns PEER_NS ++ # create namespaces ++ setup_ns ns1 ++ IP="ip -netns $ns1" ++ setup_ns ns2 + + # add vrf table +- ip li add ${VRF} type vrf table ${VRF_TABLE} +- ip li set ${VRF} up +- ip ro add table ${VRF_TABLE} unreachable default metric 8192 +- ip -6 ro add table ${VRF_TABLE} unreachable default metric 8192 ++ ${IP} li add ${VRF} type vrf table ${VRF_TABLE} ++ ${IP} li set ${VRF} up ++ ${IP} ro add table ${VRF_TABLE} unreachable default metric 8192 ++ ${IP} -6 ro add table ${VRF_TABLE} unreachable default metric 8192 + + # create test interfaces +- ip li add ${NETIFS[p1]} type veth peer name ${NETIFS[p2]} +- ip li add ${NETIFS[p3]} type veth peer name ${NETIFS[p4]} +- ip li add ${NETIFS[p5]} type veth peer name ${NETIFS[p6]} +- ip li add ${NETIFS[p7]} type veth peer name ${NETIFS[p8]} ++ ${IP} li add ${NETIFS[p1]} type veth peer name ${NETIFS[p2]} ++ ${IP} li add ${NETIFS[p3]} type veth peer name ${NETIFS[p4]} ++ ${IP} li add ${NETIFS[p5]} type veth peer name ${NETIFS[p6]} ++ ${IP} li add ${NETIFS[p7]} type veth peer name ${NETIFS[p8]} + + # enslave vrf interfaces + for n in 5 7; do +- ip li set ${NETIFS[p${n}]} vrf ${VRF} ++ ${IP} li set ${NETIFS[p${n}]} vrf ${VRF} + done + + # add addresses + for n in 1 3 5 7; do +- ip li set ${NETIFS[p${n}]} up +- ip addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]} +- ip addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad ++ ${IP} li set ${NETIFS[p${n}]} up ++ ${IP} addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]} ++ ${IP} addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad + done + + # move peer interfaces to namespace and add addresses + for n in 2 4 6 8; do +- ip li set ${NETIFS[p${n}]} netns ${PEER_NS} up +- ip -netns ${PEER_NS} addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]} +- ip -netns ${PEER_NS} addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad ++ ${IP} li set ${NETIFS[p${n}]} netns ${ns2} up ++ ip -netns $ns2 addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]} ++ ip -netns $ns2 addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad + done + +- ip -6 ro add default via ${V6ADDRS[p3]/::[0-9]/::64} +- ip -6 ro add table ${VRF_TABLE} default via ${V6ADDRS[p7]/::[0-9]/::64} ++ ${IP} -6 ro add default via ${V6ADDRS[p3]/::[0-9]/::64} ++ ${IP} -6 ro add table ${VRF_TABLE} default via ${V6ADDRS[p7]/::[0-9]/::64} + + set +e + } + +-cleanup() +-{ +- # make sure we start from a clean slate +- cleanup_ns ${PEER_NS} 2>/dev/null +- for n in 1 3 5 7; do +- ip link del ${NETIFS[p${n}]} 2>/dev/null +- done +- ip link del ${VRF} 2>/dev/null +- ip ro flush table ${VRF_TABLE} +- ip -6 ro flush table ${VRF_TABLE} +-} +- + ################################################################################ + # IPv4 tests + # +@@ -241,7 +231,7 @@ run_ip() + # dev arg may be empty + [ -n "${dev}" ] && dev="dev ${dev}" + +- run_cmd ip ro add table "${table}" "${prefix}"/32 via "${gw}" "${dev}" onlink ++ run_cmd "${IP} ro add table ${table} ${prefix}/32 via ${gw} ${dev} onlink" + log_test $? ${exp_rc} "${desc}" + } + +@@ -257,8 +247,8 @@ run_ip_mpath() + # dev arg may be empty + [ -n "${dev}" ] && dev="dev ${dev}" + +- run_cmd ip ro add table "${table}" "${prefix}"/32 \ +- nexthop via ${nh1} nexthop via ${nh2} ++ run_cmd "${IP} ro add table ${table} ${prefix}/32 \ ++ nexthop via ${nh1} nexthop via ${nh2}" + log_test $? ${exp_rc} "${desc}" + } + +@@ -339,7 +329,7 @@ run_ip6() + # dev arg may be empty + [ -n "${dev}" ] && dev="dev ${dev}" + +- run_cmd ip -6 ro add table "${table}" "${prefix}"/128 via "${gw}" "${dev}" onlink ++ run_cmd "${IP} -6 ro add table ${table} ${prefix}/128 via ${gw} ${dev} onlink" + log_test $? ${exp_rc} "${desc}" + } + +@@ -353,8 +343,8 @@ run_ip6_mpath() + local exp_rc="$6" + local desc="$7" + +- run_cmd ip -6 ro add table "${table}" "${prefix}"/128 "${opts}" \ +- nexthop via ${nh1} nexthop via ${nh2} ++ run_cmd "${IP} -6 ro add table ${table} ${prefix}/128 ${opts} \ ++ nexthop via ${nh1} nexthop via ${nh2}" + log_test $? ${exp_rc} "${desc}" + } + +@@ -491,10 +481,9 @@ do + esac + done + +-cleanup + setup + run_onlink_tests +-cleanup ++cleanup_ns ${ns1} ${ns2} + + if [ "$TESTS" != "none" ]; then + printf "\nTests passed: %3d\n" ${nsuccess} +-- +2.51.0 + diff --git a/queue-6.18/series b/queue-6.18/series index 06f234f439..b885a52ddb 100644 --- a/queue-6.18/series +++ b/queue-6.18/series @@ -5,3 +5,44 @@ arm64-dts-rockchip-fix-wrong-register-range-of-rk357.patch perf-parse-events-fix-evsel-allocation-failure.patch drivers-hv-always-do-hyper-v-panic-notification-in-h.patch btrfs-fix-missing-fields-in-superblock-backup-with-b.patch +dt-bindings-power-qcom-rpmpd-add-sc8280xp_mxc_ao.patch +pmdomain-qcom-rpmhpd-add-mxc-to-sc8280xp.patch +wifi-ath12k-don-t-force-radio-frequency-check-in-fre.patch +ata-ahci-do-not-read-the-per-port-area-for-unimpleme.patch +ata-libata-call-ata_dev_config_lpm-for-atapi-devices.patch +ata-libata-sata-improve-link_power_management_suppor.patch +ata-libata-add-cpr_log-to-ata_dev_print_features-ear.patch +ata-libata-add-dipm-and-hipm-to-ata_dev_print_featur.patch +ata-libata-print-features-also-for-atapi-devices.patch +wifi-ath12k-cancel-scan-only-on-active-scan-vdev.patch +wifi-ath12k-fix-scan-state-stuck-in-aborting-after-c.patch +wifi-ath12k-fix-dead-lock-while-flushing-management-.patch +wifi-ath12k-fix-wrong-p2p-device-link-id-issue.patch +ice-initialize-ring_stats-syncp.patch +ice-avoid-detrimental-cleanup-for-bond-during-interf.patch +ice-fix-incorrect-timeout-ice_release_res.patch +igc-restore-default-qbv-schedule-when-changing-chann.patch +igc-fix-race-condition-in-tx-timestamp-read-for-regi.patch +igc-reduce-tsn-tx-packet-buffer-from-7kb-to-5kb-per-.patch +vsock-virtio-coalesce-only-linear-skb.patch +net-usb-dm9601-remove-broken-sr9700-support.patch +bonding-limit-bond_mode_8023ad-to-ethernet-devices.patch +l2tp-fix-memleak-in-l2tp_udp_encap_recv.patch +selftests-net-fib-onlink-tests-convert-to-use-namesp.patch +net-freescale-ucc_geth-return-early-when-tbi-phy-can.patch +can-gs_usb-gs_usb_receive_bulk_callback-unanchor-url.patch +sctp-move-sctp_cmd_assoc_shkey-right-after-sctp_cmd_.patch +amd-xgbe-avoid-misleading-per-packet-error-log.patch +gue-fix-skb-memleak-with-inner-ip-protocol-0.patch +tools-ynl-specify-no-line-number-in-ynl-regen.sh.patch +fou-don-t-allow-0-for-fou_attr_ipproto.patch +veth-fix-data-race-in-veth_get_ethtool_stats.patch +pwm-ensure-ioctl-returns-a-negative-errno-on-error.patch +pwm-max7360-populate-missing-.sizeof_wfhw-in-max7360.patch +l2tp-avoid-one-data-race-in-l2tp_tunnel_del_work.patch +ipvlan-make-the-addrs_lock-be-per-port.patch +octeontx2-cn10k-fix-rx-flowid-tcam-mask-handling.patch +net-sched-enforce-that-teql-can-only-be-used-as-root.patch +net-sched-qfq-use-cl_is_active-to-determine-whether-.patch +crypto-authencesn-reject-too-short-aad-assoclen-8-to.patch +wifi-mac80211-don-t-perform-da-check-on-s1g-beacon.patch diff --git a/queue-6.18/tools-ynl-specify-no-line-number-in-ynl-regen.sh.patch b/queue-6.18/tools-ynl-specify-no-line-number-in-ynl-regen.sh.patch new file mode 100644 index 0000000000..829a188fdd --- /dev/null +++ b/queue-6.18/tools-ynl-specify-no-line-number-in-ynl-regen.sh.patch @@ -0,0 +1,50 @@ +From 84c528c0173f7c16be7e11b2536d973489b5585f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jan 2026 17:24:47 +0000 +Subject: tools: ynl: Specify --no-line-number in ynl-regen.sh. + +From: Kuniyuki Iwashima + +[ Upstream commit 68578370f9b3a2aba5964b273312d51c581b6aad ] + +If grep.lineNumber is enabled in .gitconfig, + + [grep] + lineNumber = true + +ynl-regen.sh fails with the following error: + + $ ./tools/net/ynl/ynl-regen.sh -f + ... + ynl_gen_c.py: error: argument --mode: invalid choice: '4:' (choose from user, kernel, uapi) + GEN 4: net/ipv4/fou_nl.c + +Let's specify --no-line-number explicitly. + +Fixes: be5bea1cc0bf ("net: add basic C code generators for Netlink") +Suggested-by: Jakub Kicinski +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20260115172533.693652-3-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/net/ynl/ynl-regen.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/net/ynl/ynl-regen.sh b/tools/net/ynl/ynl-regen.sh +index 81b4ecd891006..d9809276db982 100755 +--- a/tools/net/ynl/ynl-regen.sh ++++ b/tools/net/ynl/ynl-regen.sh +@@ -21,7 +21,7 @@ files=$(git grep --files-with-matches '^/\* YNL-GEN \(kernel\|uapi\|user\)') + for f in $files; do + # params: 0 1 2 3 + # $YAML YNL-GEN kernel $mode +- params=( $(git grep -B1 -h '/\* YNL-GEN' $f | sed 's@/\*\(.*\)\*/@\1@') ) ++ params=( $(git grep --no-line-number -B1 -h '/\* YNL-GEN' $f | sed 's@/\*\(.*\)\*/@\1@') ) + args=$(sed -n 's@/\* YNL-ARG \(.*\) \*/@\1@p' $f) + + if [ $f -nt ${params[0]} -a -z "$force" ]; then +-- +2.51.0 + diff --git a/queue-6.18/veth-fix-data-race-in-veth_get_ethtool_stats.patch b/queue-6.18/veth-fix-data-race-in-veth_get_ethtool_stats.patch new file mode 100644 index 0000000000..8f1c14f86f --- /dev/null +++ b/queue-6.18/veth-fix-data-race-in-veth_get_ethtool_stats.patch @@ -0,0 +1,54 @@ +From 9a6dc2be8146092fd877d290c00b0758bd30e0f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jan 2026 20:24:45 +0800 +Subject: veth: fix data race in veth_get_ethtool_stats + +From: David Yang + +[ Upstream commit b47adaab8b3d443868096bac08fdbb3d403194ba ] + +In veth_get_ethtool_stats(), some statistics protected by +u64_stats_sync, are read and accumulated in ignorance of possible +u64_stats_fetch_retry() events. These statistics, peer_tq_xdp_xmit and +peer_tq_xdp_xmit_err, are already accumulated by veth_xdp_xmit(). Fix +this by reading them into a temporary buffer first. + +Fixes: 5fe6e56776ba ("veth: rely on peer veth_rq for ndo_xdp_xmit accounting") +Signed-off-by: David Yang +Link: https://patch.msgid.link/20260114122450.227982-1-mmyangfl@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/veth.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/veth.c b/drivers/net/veth.c +index cc502bf022d55..b00613cb07cf0 100644 +--- a/drivers/net/veth.c ++++ b/drivers/net/veth.c +@@ -228,16 +228,20 @@ static void veth_get_ethtool_stats(struct net_device *dev, + const struct veth_rq_stats *rq_stats = &rcv_priv->rq[i].stats; + const void *base = (void *)&rq_stats->vs; + unsigned int start, tx_idx = idx; ++ u64 buf[VETH_TQ_STATS_LEN]; + size_t offset; + +- tx_idx += (i % dev->real_num_tx_queues) * VETH_TQ_STATS_LEN; + do { + start = u64_stats_fetch_begin(&rq_stats->syncp); + for (j = 0; j < VETH_TQ_STATS_LEN; j++) { + offset = veth_tq_stats_desc[j].offset; +- data[tx_idx + j] += *(u64 *)(base + offset); ++ buf[j] = *(u64 *)(base + offset); + } + } while (u64_stats_fetch_retry(&rq_stats->syncp, start)); ++ ++ tx_idx += (i % dev->real_num_tx_queues) * VETH_TQ_STATS_LEN; ++ for (j = 0; j < VETH_TQ_STATS_LEN; j++) ++ data[tx_idx + j] += buf[j]; + } + pp_idx = idx + dev->real_num_tx_queues * VETH_TQ_STATS_LEN; + +-- +2.51.0 + diff --git a/queue-6.18/vsock-virtio-coalesce-only-linear-skb.patch b/queue-6.18/vsock-virtio-coalesce-only-linear-skb.patch new file mode 100644 index 0000000000..dfddd873aa --- /dev/null +++ b/queue-6.18/vsock-virtio-coalesce-only-linear-skb.patch @@ -0,0 +1,58 @@ +From 9548cb333a7070516bb1c4ec93b32e7df7fef4fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 16:08:18 +0100 +Subject: vsock/virtio: Coalesce only linear skb + +From: Michal Luczaj + +[ Upstream commit 0386bd321d0f95d041a7b3d7b07643411b044a96 ] + +vsock/virtio common tries to coalesce buffers in rx queue: if a linear skb +(with a spare tail room) is followed by a small skb (length limited by +GOOD_COPY_LEN = 128), an attempt is made to join them. + +Since the introduction of MSG_ZEROCOPY support, assumption that a small skb +will always be linear is incorrect. In the zerocopy case, data is lost and +the linear skb is appended with uninitialized kernel memory. + +Of all 3 supported virtio-based transports, only loopback-transport is +affected. G2H virtio-transport rx queue operates on explicitly linear skbs; +see virtio_vsock_alloc_linear_skb() in virtio_vsock_rx_fill(). H2G +vhost-transport may allocate non-linear skbs, but only for sizes that are +not considered for coalescence; see PAGE_ALLOC_COSTLY_ORDER in +virtio_vsock_alloc_skb(). + +Ensure only linear skbs are coalesced. Note that skb_tailroom(last_skb) > 0 +guarantees last_skb is linear. + +Fixes: 581512a6dc93 ("vsock/virtio: MSG_ZEROCOPY flag support") +Signed-off-by: Michal Luczaj +Reviewed-by: Stefano Garzarella +Link: https://patch.msgid.link/20260113-vsock-recv-coalescence-v2-1-552b17837cf4@rbox.co +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/virtio_transport_common.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c +index dcc8a1d5851e6..26b979ad71f09 100644 +--- a/net/vmw_vsock/virtio_transport_common.c ++++ b/net/vmw_vsock/virtio_transport_common.c +@@ -1359,9 +1359,11 @@ virtio_transport_recv_enqueue(struct vsock_sock *vsk, + + /* Try to copy small packets into the buffer of last packet queued, + * to avoid wasting memory queueing the entire buffer with a small +- * payload. ++ * payload. Skip non-linear (e.g. zerocopy) skbs; these carry payload ++ * in skb_shinfo. + */ +- if (len <= GOOD_COPY_LEN && !skb_queue_empty(&vvs->rx_queue)) { ++ if (len <= GOOD_COPY_LEN && !skb_queue_empty(&vvs->rx_queue) && ++ !skb_is_nonlinear(skb)) { + struct virtio_vsock_hdr *last_hdr; + struct sk_buff *last_skb; + +-- +2.51.0 + diff --git a/queue-6.18/wifi-ath12k-cancel-scan-only-on-active-scan-vdev.patch b/queue-6.18/wifi-ath12k-cancel-scan-only-on-active-scan-vdev.patch new file mode 100644 index 0000000000..d1d4e72993 --- /dev/null +++ b/queue-6.18/wifi-ath12k-cancel-scan-only-on-active-scan-vdev.patch @@ -0,0 +1,69 @@ +From cd3f960d0134da4510864b74a0352eb151b33758 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jan 2026 11:32:35 +0530 +Subject: wifi: ath12k: cancel scan only on active scan vdev + +From: Manish Dharanenthiran + +[ Upstream commit 39c90b1a1dbe6d7c49d19da6e5aec00980c55d8b ] + +Cancel the scheduled scan request only on the vdev that has an active +scan running. Currently, ahvif->links_map is used to obtain the links, +but this includes links for which no scan is scheduled. In failure cases +where the scan fails due to an invalid channel definition, other links +which are not yet brought up (vdev not created) may also be accessed, +leading to the following trace: + +Unable to handle kernel paging request at virtual address 0000000000004c8c +pc : _raw_spin_lock_bh+0x1c/0x54 +lr : ath12k_scan_abort+0x20/0xc8 [ath12k] + +Call trace: + _raw_spin_lock_bh+0x1c/0x54 (P) + ath12k_mac_op_cancel_hw_scan+0xac/0xc4 [ath12k] + ieee80211_scan_cancel+0xcc/0x12c [mac80211] + ieee80211_do_stop+0x6c4/0x7a8 [mac80211] + ieee80211_stop+0x60/0xd8 [mac80211] + +Skip links that are not created or are not the current scan vdev. This +ensures only the scan for the matching links is aborted and avoids +aborting unrelated links during cancellation, thus aligning with how +start/cleanup manage ar->scan.arvif. + +Also, remove the redundant arvif->is_started check from +ath12k_mac_op_cancel_hw_scan() that was introduced in commit 3863f014ad23 +("wifi: ath12k: symmetrize scan vdev creation and deletion during HW +scan") to avoid deleting the scan interface if the scan is triggered on +the existing AP vdev as this use case is already handled in +ath12k_scan_vdev_clean_work(). + +Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1 + +Fixes: feed05f1526e ("wifi: ath12k: Split scan request for split band device") +Signed-off-by: Manish Dharanenthiran +Reviewed-by: Baochen Qiang +Reviewed-by: Vasanthakumar Thiagarajan +Link: https://patch.msgid.link/20260107-scan_vdev-v1-1-b600aedc645a@qti.qualcomm.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/mac.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c +index 095b49a39683c..ffeb667734358 100644 +--- a/drivers/net/wireless/ath/ath12k/mac.c ++++ b/drivers/net/wireless/ath/ath12k/mac.c +@@ -5254,7 +5254,8 @@ static void ath12k_mac_op_cancel_hw_scan(struct ieee80211_hw *hw, + + for_each_set_bit(link_id, &links_map, ATH12K_NUM_MAX_LINKS) { + arvif = wiphy_dereference(hw->wiphy, ahvif->link[link_id]); +- if (!arvif || arvif->is_started) ++ if (!arvif || !arvif->is_created || ++ arvif->ar->scan.arvif != arvif) + continue; + + ar = arvif->ar; +-- +2.51.0 + diff --git a/queue-6.18/wifi-ath12k-don-t-force-radio-frequency-check-in-fre.patch b/queue-6.18/wifi-ath12k-don-t-force-radio-frequency-check-in-fre.patch new file mode 100644 index 0000000000..35926d6b86 --- /dev/null +++ b/queue-6.18/wifi-ath12k-don-t-force-radio-frequency-check-in-fre.patch @@ -0,0 +1,142 @@ +From 2b30aa371fb100388bdd154dcd88f4d8cdc1a72f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jan 2026 11:21:46 +0800 +Subject: wifi: ath12k: don't force radio frequency check in freq_to_idx() + +From: Baochen Qiang + +[ Upstream commit 1fed08c5519d2f929457f354d3c06c6a8c33829c ] + +freq_to_idx() is used to map a channel to a survey index. Commit +acc152f9be20 ("wifi: ath12k: combine channel list for split-phy devices in +single-wiphy") adds radio specific frequency range check in this helper to +make sure an invalid index is returned if the channel falls outside that +range. However, this check introduces a race, resulting in below warnings +as reported in [1]. + + ath12k_pci 0000:08:00.0: chan info: invalid frequency 6455 (idx 101 out of bounds) + ath12k_pci 0000:08:00.0: chan info: invalid frequency 6535 (idx 101 out of bounds) + ath12k_pci 0000:08:00.0: chan info: invalid frequency 6615 (idx 101 out of bounds) + ath12k_pci 0000:08:00.0: chan info: invalid frequency 6695 (idx 101 out of bounds) + ath12k_pci 0000:08:00.0: chan info: invalid frequency 6775 (idx 101 out of bounds) + ath12k_pci 0000:08:00.0: chan info: invalid frequency 6855 (idx 101 out of bounds) + ath12k_pci 0000:08:00.0: chan info: invalid frequency 6935 (idx 101 out of bounds) + ath12k_pci 0000:08:00.0: chan info: invalid frequency 7015 (idx 101 out of bounds) + ath12k_pci 0000:08:00.0: chan info: invalid frequency 7095 (idx 101 out of bounds) + ath12k_pci 0000:08:00.0: chan info: invalid frequency 6435 (idx 101 out of bounds) + +Race scenario: + + 1) A regdomain covering below frequency range is uploaded to host via + WMI_REG_CHAN_LIST_CC_EXT_EVENTID event: + + Country 00, CFG Regdomain UNSET FW Regdomain 0, num_reg_rules 6 + 1. (2402 - 2472 @ 40) (0, 20) (0 ms) (FLAGS 360448) (0, 0) + 2. (2457 - 2477 @ 20) (0, 20) (0 ms) (FLAGS 360576) (0, 0) + 3. (5170 - 5330 @ 160) (0, 20) (0 ms) (FLAGS 264320) (0, 0) + 4. (5490 - 5730 @ 160) (0, 20) (0 ms) (FLAGS 264320) (0, 0) + 5. (5735 - 5895 @ 160) (0, 20) (0 ms) (FLAGS 264320) (0, 0) + 6. (5925 - 7125 @ 320) (0, 24) (0 ms) (FLAGS 2056) (0, 255) + + As a result, radio frequency range is updated as [2402, 7125] + + ath12k_pci 0000:08:00.0: mac pdev 0 freq limit updated. New range 2402->7125 MHz + + If no scan in progress or after scan finished, command + WMI_SCAN_CHAN_LIST_CMDID is sent to firmware notifying that firmware + is allowed to do scan on all channels within that range. + + The running path is: + + /* redomain uploaded */ + 1. WMI_REG_CHAN_LIST_CC_EXT_EVENTID + 2. ath12k_reg_chan_list_event() + 3. ath12k_reg_handle_chan_list() + 4. queue_work(..., &ar->regd_update_work) + 5. ath12k_regd_update_work() + 6. ath12k_regd_update() + /* update radio frequency range */ + 7. ath12k_mac_update_freq_range() + 8. regulatory_set_wiphy_regd() + 9. ath12k_reg_notifier() + 10. ath12k_reg_update_chan_list() + 11. queue_work(..., &ar->regd_channel_update_work) + 12. ath12k_regd_update_chan_list_work() + /* wait scan finishes */ + 13. wait_for_completion_timeout(&ar->scan.completed, ...) + /* command notifying list of valid channels */ + 14. ath12k_wmi_send_scan_chan_list_cmd() + + 2) Hardware scan is triggered on all allowed channels. + 3) Before scan completed, 11D mechanism detects a new country code + + ath12k_pci 0000:08:00.0: wmi 11d new cc GB + + With this code sent to firmware, firmware uploads a new regdomain + + Country GB, CFG Regdomain ETSI FW Regdomain 2, num_reg_rules 9 + 1. (2402 - 2482 @ 40) (0, 20) (0 ms) (FLAGS 360448) (0, 0) + 2. (5170 - 5250 @ 80) (0, 23) (0 ms) (FLAGS 264192) (0, 0) + 3. (5250 - 5330 @ 80) (0, 23) (0 ms) (FLAGS 264216) (0, 0) + 4. (5490 - 5590 @ 80) (0, 30) (0 ms) (FLAGS 264208) + 5. (5590 - 5650 @ 40) (0, 30) (600000 ms) (FLAGS 264208) + 6. (5650 - 5730 @ 80) (0, 30) (0 ms) (FLAGS 264208) + 7. (5735 - 5875 @ 80) (0, 14) (0 ms) (FLAGS 264192) (0, 0) + 8. (5855 - 5875 @ 20) (0, 14) (0 ms) (FLAGS 264192) (0, 0) + 9. (5945 - 6425 @ 320) (0, 24) (0 ms) (FLAGS 2056) (0, 11) + + Then radio frequency range is updated as [2402, 6425] + + ath12k_pci 0000:08:00.0: mac pdev 0 freq limit updated. New range 2402->6425 MHz + + Please note this is a smaller range than the previous one. Later host + runs the same path for the purpose of notifying the new channel list. + However since scan not completed, host just waits there. Meanwhile, + firmware is possibly scanning channels outside the new range. As a + result, WMI_CHAN_INFO_EVENTID events for those channels fail + freq_to_idx() check and triggers warnings above. + +Fix this issue by removing radio frequency check in freq_to_idx(). This is +valid because channels being scanned do not synchronize with frequency +range update. Besides, this won't cause any problem, since freq_to_idx() +is only used for survey data. Even out-of-range channels filled in the +survey, they won't get delivered to userspace due to the range check +already there in ath12k_mac_op_get_survey(). + +Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00302-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.115823.3 + +Fixes: acc152f9be20 ("wifi: ath12k: combine channel list for split-phy devices in single-wiphy") +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220871 # 1 +Signed-off-by: Baochen Qiang +Link: https://patch.msgid.link/20260108-ath12k-fix-freq-to-idx-v1-1-b2458cf7aa0d@oss.qualcomm.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/wmi.c | 9 +-------- + 1 file changed, 1 insertion(+), 8 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath12k/wmi.c b/drivers/net/wireless/ath/ath12k/wmi.c +index e647b842a6a1c..44e99b47e445d 100644 +--- a/drivers/net/wireless/ath/ath12k/wmi.c ++++ b/drivers/net/wireless/ath/ath12k/wmi.c +@@ -6520,16 +6520,9 @@ static int freq_to_idx(struct ath12k *ar, int freq) + if (!sband) + continue; + +- for (ch = 0; ch < sband->n_channels; ch++, idx++) { +- if (sband->channels[ch].center_freq < +- KHZ_TO_MHZ(ar->freq_range.start_freq) || +- sband->channels[ch].center_freq > +- KHZ_TO_MHZ(ar->freq_range.end_freq)) +- continue; +- ++ for (ch = 0; ch < sband->n_channels; ch++, idx++) + if (sband->channels[ch].center_freq == freq) + goto exit; +- } + } + + exit: +-- +2.51.0 + diff --git a/queue-6.18/wifi-ath12k-fix-dead-lock-while-flushing-management-.patch b/queue-6.18/wifi-ath12k-fix-dead-lock-while-flushing-management-.patch new file mode 100644 index 0000000000..abc3caf5e8 --- /dev/null +++ b/queue-6.18/wifi-ath12k-fix-dead-lock-while-flushing-management-.patch @@ -0,0 +1,77 @@ +From e5e8a31d85b94633eb6bb37825ad3fcdd3b694f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 09:48:11 +0800 +Subject: wifi: ath12k: fix dead lock while flushing management frames + +From: Baochen Qiang + +[ Upstream commit f88e9fc30a261d63946ddc6cc6a33405e6aa27c3 ] + +Commit [1] converted the management transmission work item into a +wiphy work. Since a wiphy work can only run under wiphy lock +protection, a race condition happens in below scenario: + +1. a management frame is queued for transmission. +2. ath12k_mac_op_flush() gets called to flush pending frames associated + with the hardware (i.e, vif being NULL). Then in ath12k_mac_flush() + the process waits for the transmission done. +3. Since wiphy lock has been taken by the flush process, the transmission + work item has no chance to run, hence the dead lock. + +>From user view, this dead lock results in below issue: + + wlp8s0: authenticate with xxxxxx (local address=xxxxxx) + wlp8s0: send auth to xxxxxx (try 1/3) + wlp8s0: authenticate with xxxxxx (local address=xxxxxx) + wlp8s0: send auth to xxxxxx (try 1/3) + wlp8s0: authenticated + wlp8s0: associate with xxxxxx (try 1/3) + wlp8s0: aborting association with xxxxxx by local choice (Reason: 3=DEAUTH_LEAVING) + ath12k_pci 0000:08:00.0: failed to flush mgmt transmit queue, mgmt pkts pending 1 + +The dead lock can be avoided by invoking wiphy_work_flush() to proactively +run the queued work item. Note actually it is already present in +ath12k_mac_op_flush(), however it does not protect the case where vif +being NULL. Hence move it ahead to cover this case as well. + +Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00302-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.115823.3 + +Fixes: 56dcbf0b5207 ("wifi: ath12k: convert struct ath12k::wmi_mgmt_tx_work to struct wiphy_work") # [1] +Reported-by: Stuart Hayhurst +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220959 +Signed-off-by: Baochen Qiang +Reviewed-by: Vasanthakumar Thiagarajan +Link: https://patch.msgid.link/20260113-ath12k-fix-dead-lock-while-flushing-v1-1-9713621f3a0f@oss.qualcomm.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/mac.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c +index 00b3bf4d882a5..d6a44c19e2245 100644 +--- a/drivers/net/wireless/ath/ath12k/mac.c ++++ b/drivers/net/wireless/ath/ath12k/mac.c +@@ -11798,6 +11798,9 @@ static void ath12k_mac_op_flush(struct ieee80211_hw *hw, struct ieee80211_vif *v + if (drop) + return; + ++ for_each_ar(ah, ar, i) ++ wiphy_work_flush(hw->wiphy, &ar->wmi_mgmt_tx_work); ++ + /* vif can be NULL when flush() is considered for hw */ + if (!vif) { + for_each_ar(ah, ar, i) +@@ -11805,9 +11808,6 @@ static void ath12k_mac_op_flush(struct ieee80211_hw *hw, struct ieee80211_vif *v + return; + } + +- for_each_ar(ah, ar, i) +- wiphy_work_flush(hw->wiphy, &ar->wmi_mgmt_tx_work); +- + ahvif = ath12k_vif_to_ahvif(vif); + links = ahvif->links_map; + for_each_set_bit(link_id, &links, IEEE80211_MLD_MAX_NUM_LINKS) { +-- +2.51.0 + diff --git a/queue-6.18/wifi-ath12k-fix-scan-state-stuck-in-aborting-after-c.patch b/queue-6.18/wifi-ath12k-fix-scan-state-stuck-in-aborting-after-c.patch new file mode 100644 index 0000000000..b69c5f4112 --- /dev/null +++ b/queue-6.18/wifi-ath12k-fix-scan-state-stuck-in-aborting-after-c.patch @@ -0,0 +1,51 @@ +From d97271ab63232ccecd25c11cf5558dfc4c510524 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 19:55:16 +0800 +Subject: wifi: ath12k: Fix scan state stuck in ABORTING after + cancel_remain_on_channel + +From: Yingying Tang + +[ Upstream commit 8b8d6ee53dfdee61b0beff66afe3f712456e707a ] + +Scan finish workqueue was introduced in __ath12k_mac_scan_finish() by [1]. + +During ath12k_mac_op_cancel_remain_on_channel(), scan state is set to +ABORTING and should be reset to IDLE in the queued work. However, +wiphy_work_cancel() is called before exiting +ath12k_mac_op_cancel_remain_on_channel(), which prevents the work +from running and leaves the state in ABORTING. This blocks all +subsequent scan requests. + +Replace wiphy_work_cancel() with wiphy_work_flush() to ensure the +queued work runs and scan state is reset to IDLE. + +Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00302-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.115823.3 + +Fixes: 3863f014ad23 ("wifi: ath12k: symmetrize scan vdev creation and deletion during HW scan") # [1] +Signed-off-by: Yingying Tang +Reviewed-by: Vasanthakumar Thiagarajan +Reviewed-by: Baochen Qiang +Link: https://patch.msgid.link/20260112115516.2144219-1-yingying.tang@oss.qualcomm.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/mac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c +index ffeb667734358..00b3bf4d882a5 100644 +--- a/drivers/net/wireless/ath/ath12k/mac.c ++++ b/drivers/net/wireless/ath/ath12k/mac.c +@@ -12833,7 +12833,7 @@ static int ath12k_mac_op_cancel_remain_on_channel(struct ieee80211_hw *hw, + ath12k_scan_abort(ar); + + cancel_delayed_work_sync(&ar->scan.timeout); +- wiphy_work_cancel(hw->wiphy, &ar->scan.vdev_clean_wk); ++ wiphy_work_flush(hw->wiphy, &ar->scan.vdev_clean_wk); + + return 0; + } +-- +2.51.0 + diff --git a/queue-6.18/wifi-ath12k-fix-wrong-p2p-device-link-id-issue.patch b/queue-6.18/wifi-ath12k-fix-wrong-p2p-device-link-id-issue.patch new file mode 100644 index 0000000000..8fdcb92671 --- /dev/null +++ b/queue-6.18/wifi-ath12k-fix-wrong-p2p-device-link-id-issue.patch @@ -0,0 +1,78 @@ +From 4bf43a7d93cb16975551c41e7052577e586b3590 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 13:46:36 +0800 +Subject: wifi: ath12k: Fix wrong P2P device link id issue + +From: Yingying Tang + +[ Upstream commit 31707572108da55a005e7fed32cc3869c16b7c16 ] + +Wrong P2P device link id value of 0 was introduced in ath12k_mac_op_tx() by [1]. + +During the P2P negotiation process, there is only one scan vdev with link ID 15. +Currently, the device link ID is incorrectly set to 0 in ath12k_mac_op_tx() +during the P2P negotiation process, which leads to TX failures. + +Set the correct P2P device link ID to 15 to fix the TX failure issue. + +Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00302-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.115823.3 + +Fixes: 648a121bafa3 ("wifi: ath12k: ath12k_mac_op_tx(): MLO support") # [1] +Signed-off-by: Yingying Tang +Reviewed-by: Baochen Qiang +Reviewed-by: Vasanthakumar Thiagarajan +Cc: linux-next@vger.kernel.org +Cc: netdev@vger.kernel.org +Link: https://patch.msgid.link/20260113054636.2620035-1-yingying.tang@oss.qualcomm.com +Signed-off-by: Jeff Johnson + +--- + +Note to linux-next and netdev maintainers: + +This patch going through the "current" tree conflicts with +the following going through the "next" tree: +commit 631ee338f04d ("Merge branch 'ath12k-ng' into ath-next") + +The conflict resolution is to leave the following file unmodified: +drivers/net/wireless/ath/ath12k/mac. + +And to apply the following patch to ath12k_wifi7_mac_op_tx() +in the file drivers/net/wireless/ath/ath12k/wifi7/hw.c -705,7 +705,10 + + return; + } + } else { +- link_id = 0; ++ if (vif->type == NL80211_IFTYPE_P2P_DEVICE) ++ link_id = ATH12K_FIRST_SCAN_LINK; ++ else ++ link_id = 0; + } + + arvif = rcu_dereference(ahvif->link[link_id]); + +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/mac.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c +index d6a44c19e2245..256ffae4d7f7d 100644 +--- a/drivers/net/wireless/ath/ath12k/mac.c ++++ b/drivers/net/wireless/ath/ath12k/mac.c +@@ -8840,7 +8840,10 @@ static void ath12k_mac_op_tx(struct ieee80211_hw *hw, + return; + } + } else { +- link_id = 0; ++ if (vif->type == NL80211_IFTYPE_P2P_DEVICE) ++ link_id = ATH12K_FIRST_SCAN_LINK; ++ else ++ link_id = 0; + } + + arvif = rcu_dereference(ahvif->link[link_id]); +-- +2.51.0 + diff --git a/queue-6.18/wifi-mac80211-don-t-perform-da-check-on-s1g-beacon.patch b/queue-6.18/wifi-mac80211-don-t-perform-da-check-on-s1g-beacon.patch new file mode 100644 index 0000000000..4fa8729506 --- /dev/null +++ b/queue-6.18/wifi-mac80211-don-t-perform-da-check-on-s1g-beacon.patch @@ -0,0 +1,48 @@ +From 044ee9451d71697f880f1e07c76b92a1eb105ae5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jan 2026 14:11:21 +1100 +Subject: wifi: mac80211: don't perform DA check on S1G beacon + +From: Lachlan Hodges + +[ Upstream commit 5dc6975566f5d142ec53eb7e97af688c45dd314d ] + +S1G beacons don't contain the DA field as per IEEE80211-2024 9.3.4.3, +so the DA broadcast check reads the SA address of the S1G beacon which +will subsequently lead to the beacon being dropped. As a result, passive +scanning is not possible. Fix this by only performing the check on +non-S1G beacons to allow S1G long beacons to be processed during a +passive scan. + +Fixes: ddf82e752f8a ("wifi: mac80211: Allow beacons to update BSS table regardless of scan") +Signed-off-by: Lachlan Hodges +Link: https://patch.msgid.link/20260120031122.309942-1-lachlan.hodges@morsemicro.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/scan.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c +index bb9563f50e7b4..1e06a465b49e3 100644 +--- a/net/mac80211/scan.c ++++ b/net/mac80211/scan.c +@@ -343,8 +343,13 @@ void ieee80211_scan_rx(struct ieee80211_local *local, struct sk_buff *skb) + mgmt->da)) + return; + } else { +- /* Beacons are expected only with broadcast address */ +- if (!is_broadcast_ether_addr(mgmt->da)) ++ /* ++ * Non-S1G beacons are expected only with broadcast address. ++ * S1G beacons only carry the SA so no DA check is required ++ * nor possible. ++ */ ++ if (!ieee80211_is_s1g_beacon(mgmt->frame_control) && ++ !is_broadcast_ether_addr(mgmt->da)) + return; + } + +-- +2.51.0 + diff --git a/queue-6.6/amd-xgbe-avoid-misleading-per-packet-error-log.patch b/queue-6.6/amd-xgbe-avoid-misleading-per-packet-error-log.patch new file mode 100644 index 0000000000..68a9bf5d98 --- /dev/null +++ b/queue-6.6/amd-xgbe-avoid-misleading-per-packet-error-log.patch @@ -0,0 +1,49 @@ +From 22ea4f4c7532b32c1787d70f39db957793adee0f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jan 2026 22:00:37 +0530 +Subject: amd-xgbe: avoid misleading per-packet error log + +From: Raju Rangoju + +[ Upstream commit c158f985cf6c2c36c99c4f67af2ff3f5ebe09f8f ] + +On the receive path, packet can be damaged because of buffer +overflow in Rx FIFO. Avoid misleading per-packet error log when +packet->errors is set, this can flood the log. Instead, rely on the +standard rtnl_link_stats64 stats. + +Fixes: c5aa9e3b8156 ("amd-xgbe: Initial AMD 10GbE platform driver") +Signed-off-by: Raju Rangoju +Link: https://patch.msgid.link/20260114163037.2062606-1-Raju.Rangoju@amd.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c +index b4d57da71de2a..3d6f8f3a83366 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c +@@ -2105,7 +2105,7 @@ static void xgbe_get_stats64(struct net_device *netdev, + s->multicast = pstats->rxmulticastframes_g; + s->rx_length_errors = pstats->rxlengtherror; + s->rx_crc_errors = pstats->rxcrcerror; +- s->rx_fifo_errors = pstats->rxfifooverflow; ++ s->rx_over_errors = pstats->rxfifooverflow; + + s->tx_packets = pstats->txframecount_gb; + s->tx_bytes = pstats->txoctetcount_gb; +@@ -2559,9 +2559,6 @@ static int xgbe_rx_poll(struct xgbe_channel *channel, int budget) + goto read_again; + + if (error || packet->errors) { +- if (packet->errors) +- netif_err(pdata, rx_err, netdev, +- "error in received packet\n"); + dev_kfree_skb(skb); + goto next_packet; + } +-- +2.51.0 + diff --git a/queue-6.6/ata-libata-add-cpr_log-to-ata_dev_print_features-ear.patch b/queue-6.6/ata-libata-add-cpr_log-to-ata_dev_print_features-ear.patch new file mode 100644 index 0000000000..d15123d541 --- /dev/null +++ b/queue-6.6/ata-libata-add-cpr_log-to-ata_dev_print_features-ear.patch @@ -0,0 +1,43 @@ +From 9b16963d86b0a58d5e6541140e9be53189223db2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 13:20:49 +0100 +Subject: ata: libata: Add cpr_log to ata_dev_print_features() early return + +From: Niklas Cassel + +[ Upstream commit a6bee5e5243ad02cae575becc4c83df66fc29573 ] + +ata_dev_print_features() is supposed to return early and not print anything +if there are no features supported. + +However, commit fe22e1c2f705 ("libata: support concurrent positioning +ranges log") added another feature to ata_dev_print_features() without +updating the early return conditional. + +Add the missing feature to the early return conditional. + +Fixes: fe22e1c2f705 ("libata: support concurrent positioning ranges log") +Signed-off-by: Niklas Cassel +Tested-by: Wolf +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c +index f627753519b97..f332835156dbc 100644 +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -2782,7 +2782,7 @@ static void ata_dev_config_cpr(struct ata_device *dev) + + static void ata_dev_print_features(struct ata_device *dev) + { +- if (!(dev->flags & ATA_DFLAG_FEATURES_MASK)) ++ if (!(dev->flags & ATA_DFLAG_FEATURES_MASK) && !dev->cpr_log) + return; + + ata_dev_info(dev, +-- +2.51.0 + diff --git a/queue-6.6/ata-libata-call-ata_dev_config_lpm-for-atapi-devices.patch b/queue-6.6/ata-libata-call-ata_dev_config_lpm-for-atapi-devices.patch new file mode 100644 index 0000000000..33422024c7 --- /dev/null +++ b/queue-6.6/ata-libata-call-ata_dev_config_lpm-for-atapi-devices.patch @@ -0,0 +1,48 @@ +From 7c9945e440086ed4cb8cda6f1c76deb6794fd6e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 13:20:47 +0100 +Subject: ata: libata: Call ata_dev_config_lpm() for ATAPI devices + +From: Niklas Cassel + +[ Upstream commit 8f3fb33f8f3f825c708ece800c921977c157f9b6 ] + +Commit d360121832d8 ("ata: libata-core: Introduce ata_dev_config_lpm()") +introduced ata_dev_config_lpm(). However, it only called this function for +ATA_DEV_ATA and ATA_DEV_ZAC devices, not for ATA_DEV_ATAPI devices. + +Additionally, commit d99a9142e782 ("ata: libata-core: Move device LPM quirk +settings to ata_dev_config_lpm()") moved the LPM quirk application from +ata_dev_configure() to ata_dev_config_lpm(), causing LPM quirks for ATAPI +devices to no longer be applied. + +Call ata_dev_config_lpm() also for ATAPI devices, such that LPM quirks are +applied for ATAPI devices with an entry in __ata_dev_quirks once again. + +Fixes: d360121832d8 ("ata: libata-core: Introduce ata_dev_config_lpm()") +Fixes: d99a9142e782 ("ata: libata-core: Move device LPM quirk settings to ata_dev_config_lpm()") +Signed-off-by: Niklas Cassel +Tested-by: Wolf +Signed-off-by: Damien Le Moal +Stable-dep-of: c8c6fb886f57 ("ata: libata: Print features also for ATAPI devices") +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-core.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c +index b748c8ead39de..e51a27ae0a7d2 100644 +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -3047,6 +3047,8 @@ int ata_dev_configure(struct ata_device *dev) + ata_mode_string(xfer_mask), + cdb_intr_string, atapi_an_string, + dma_dir_string); ++ ++ ata_dev_config_lpm(dev); + } + + /* determine max_sectors */ +-- +2.51.0 + diff --git a/queue-6.6/ata-libata-core-introduce-ata_dev_config_lpm.patch b/queue-6.6/ata-libata-core-introduce-ata_dev_config_lpm.patch new file mode 100644 index 0000000000..13373d44af --- /dev/null +++ b/queue-6.6/ata-libata-core-introduce-ata_dev_config_lpm.patch @@ -0,0 +1,79 @@ +From 04818c634eaa7204577ff7f521357c15170651d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Jul 2025 21:53:12 +0900 +Subject: ata: libata-core: Introduce ata_dev_config_lpm() + +From: Damien Le Moal + +[ Upstream commit d360121832d8a36871249271df5b9ff05f835f62 ] + +If the port of a device does not support Device Initiated Power +Management (DIPM), that is, the port is flagged with ATA_FLAG_NO_DIPM, +the DIPM feature of a device should not be used. Though DIPM is disabled +by default on a device, the "Software Settings Preservation feature" +may keep DIPM enabled or DIPM may have been enabled by the system +firmware. + +Introduce the function ata_dev_config_lpm() to always disable DIPM on a +device that supports this feature if the port of the device is flagged +with ATA_FLAG_NO_DIPM. ata_dev_config_lpm() is called from +ata_dev_configure(), ensuring that a device DIPM feature is disabled +when it cannot be used. + +Signed-off-by: Damien Le Moal +Reviewed-by: Niklas Cassel +Reviewed-by: Hannes Reinecke +Link: https://lore.kernel.org/r/20250701125321.69496-2-dlemoal@kernel.org +Signed-off-by: Niklas Cassel +Stable-dep-of: c8c6fb886f57 ("ata: libata: Print features also for ATAPI devices") +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-core.c | 25 +++++++++++++++++++++++++ + 1 file changed, 25 insertions(+) + +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c +index f332835156dbc..b748c8ead39de 100644 +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -2780,6 +2780,30 @@ static void ata_dev_config_cpr(struct ata_device *dev) + kfree(buf); + } + ++/* ++ * Configure features related to link power management. ++ */ ++static void ata_dev_config_lpm(struct ata_device *dev) ++{ ++ struct ata_port *ap = dev->link->ap; ++ unsigned int err_mask; ++ ++ /* ++ * Device Initiated Power Management (DIPM) is normally disabled by ++ * default on a device. However, DIPM may have been enabled and that ++ * setting kept even after COMRESET because of the Software Settings ++ * Preservation feature. So if the port does not support DIPM and the ++ * device does, disable DIPM on the device. ++ */ ++ if (ap->flags & ATA_FLAG_NO_DIPM && ata_id_has_dipm(dev->id)) { ++ err_mask = ata_dev_set_feature(dev, ++ SETFEATURES_SATA_DISABLE, SATA_DIPM); ++ if (err_mask && err_mask != AC_ERR_DEV) ++ ata_dev_err(dev, "Disable DIPM failed, Emask 0x%x\n", ++ err_mask); ++ } ++} ++ + static void ata_dev_print_features(struct ata_device *dev) + { + if (!(dev->flags & ATA_DFLAG_FEATURES_MASK) && !dev->cpr_log) +@@ -2949,6 +2973,7 @@ int ata_dev_configure(struct ata_device *dev) + ata_dev_config_chs(dev); + } + ++ ata_dev_config_lpm(dev); + ata_dev_config_fua(dev); + ata_dev_config_devslp(dev); + ata_dev_config_sense_reporting(dev); +-- +2.51.0 + diff --git a/queue-6.6/ata-libata-print-features-also-for-atapi-devices.patch b/queue-6.6/ata-libata-print-features-also-for-atapi-devices.patch new file mode 100644 index 0000000000..2a41e11558 --- /dev/null +++ b/queue-6.6/ata-libata-print-features-also-for-atapi-devices.patch @@ -0,0 +1,48 @@ +From 22f2f80d73dd72d7ae81c4180662d1d72ed26f0d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 13:20:51 +0100 +Subject: ata: libata: Print features also for ATAPI devices + +From: Niklas Cassel + +[ Upstream commit c8c6fb886f57d5bf71fb6de6334a143608d35707 ] + +Commit d633b8a702ab ("libata: print feature list on device scan") +added a print of the features supported by the device for ATA_DEV_ATA and +ATA_DEV_ZAC devices, but not for ATA_DEV_ATAPI devices. + +Fix this by printing the features also for ATAPI devices. + +Before changes: +ata1.00: ATAPI: Slimtype DVD A DU8AESH, 6C2M, max UDMA/133 + +After changes: +ata1.00: ATAPI: Slimtype DVD A DU8AESH, 6C2M, max UDMA/133 +ata1.00: Features: Dev-Attention HIPM DIPM + +Fixes: d633b8a702ab ("libata: print feature list on device scan") +Signed-off-by: Niklas Cassel +Tested-by: Wolf +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c +index e51a27ae0a7d2..d5e713f284b71 100644 +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -3049,6 +3049,9 @@ int ata_dev_configure(struct ata_device *dev) + dma_dir_string); + + ata_dev_config_lpm(dev); ++ ++ if (print_info) ++ ata_dev_print_features(dev); + } + + /* determine max_sectors */ +-- +2.51.0 + diff --git a/queue-6.6/bonding-limit-bond_mode_8023ad-to-ethernet-devices.patch b/queue-6.6/bonding-limit-bond_mode_8023ad-to-ethernet-devices.patch new file mode 100644 index 0000000000..61ec429ad9 --- /dev/null +++ b/queue-6.6/bonding-limit-bond_mode_8023ad-to-ethernet-devices.patch @@ -0,0 +1,91 @@ +From 2aaf19d90798be40bfc7c1579316d0e683702471 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 19:12:01 +0000 +Subject: bonding: limit BOND_MODE_8023AD to Ethernet devices + +From: Eric Dumazet + +[ Upstream commit c84fcb79e5dbde0b8d5aeeaf04282d2149aebcf6 ] + +BOND_MODE_8023AD makes sense for ARPHRD_ETHER only. + +syzbot reported: + + BUG: KASAN: global-out-of-bounds in __hw_addr_create net/core/dev_addr_lists.c:63 [inline] + BUG: KASAN: global-out-of-bounds in __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118 +Read of size 16 at addr ffffffff8bf94040 by task syz.1.3580/19497 + +CPU: 1 UID: 0 PID: 19497 Comm: syz.1.3580 Tainted: G L syzkaller #0 PREEMPT(full) +Tainted: [L]=SOFTLOCKUP +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 +Call Trace: + + dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0xca/0x240 mm/kasan/report.c:482 + kasan_report+0x118/0x150 mm/kasan/report.c:595 + check_region_inline mm/kasan/generic.c:-1 [inline] + kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:200 + __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105 + __hw_addr_create net/core/dev_addr_lists.c:63 [inline] + __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118 + __dev_mc_add net/core/dev_addr_lists.c:868 [inline] + dev_mc_add+0xa1/0x120 net/core/dev_addr_lists.c:886 + bond_enslave+0x2b8b/0x3ac0 drivers/net/bonding/bond_main.c:2180 + do_set_master+0x533/0x6d0 net/core/rtnetlink.c:2963 + do_setlink+0xcf0/0x41c0 net/core/rtnetlink.c:3165 + rtnl_changelink net/core/rtnetlink.c:3776 [inline] + __rtnl_newlink net/core/rtnetlink.c:3935 [inline] + rtnl_newlink+0x161c/0x1c90 net/core/rtnetlink.c:4072 + rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6958 + netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2550 + netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] + netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1344 + netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1894 + sock_sendmsg_nosec net/socket.c:727 [inline] + __sock_sendmsg+0x21c/0x270 net/socket.c:742 + ____sys_sendmsg+0x505/0x820 net/socket.c:2592 + ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2646 + __sys_sendmsg+0x164/0x220 net/socket.c:2678 + do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline] + __do_fast_syscall_32+0x1dc/0x560 arch/x86/entry/syscall_32.c:307 + do_fast_syscall_32+0x34/0x80 arch/x86/entry/syscall_32.c:332 + entry_SYSENTER_compat_after_hwframe+0x84/0x8e + + +The buggy address belongs to the variable: + lacpdu_mcast_addr+0x0/0x40 + +Fixes: 872254dd6b1f ("net/bonding: Enable bonding to enslave non ARPHRD_ETHER") +Reported-by: syzbot+9c081b17773615f24672@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/6966946b.a70a0220.245e30.0002.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Andrew Lunn +Acked-by: Jay Vosburgh +Link: https://patch.msgid.link/20260113191201.3970737-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index b3ccc064cbff2..9dfbbf4cd71f0 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1942,6 +1942,12 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev, + */ + if (!bond_has_slaves(bond)) { + if (bond_dev->type != slave_dev->type) { ++ if (slave_dev->type != ARPHRD_ETHER && ++ BOND_MODE(bond) == BOND_MODE_8023AD) { ++ SLAVE_NL_ERR(bond_dev, slave_dev, extack, ++ "8023AD mode requires Ethernet devices"); ++ return -EINVAL; ++ } + slave_dbg(bond_dev, slave_dev, "change device type from %d to %d\n", + bond_dev->type, slave_dev->type); + +-- +2.51.0 + diff --git a/queue-6.6/can-gs_usb-gs_usb_receive_bulk_callback-unanchor-url.patch b/queue-6.6/can-gs_usb-gs_usb_receive_bulk_callback-unanchor-url.patch new file mode 100644 index 0000000000..e40357af86 --- /dev/null +++ b/queue-6.6/can-gs_usb-gs_usb_receive_bulk_callback-unanchor-url.patch @@ -0,0 +1,61 @@ +From 64c992f99f08f5823cf15cb6c357519d38147563 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jan 2026 14:10:10 +0100 +Subject: can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on + usb_submit_urb() error + +From: Marc Kleine-Budde + +[ Upstream commit 79a6d1bfe1148bc921b8d7f3371a7fbce44e30f7 ] + +In commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix +URB memory leak"), the URB was re-anchored before usb_submit_urb() in +gs_usb_receive_bulk_callback() to prevent a leak of this URB during +cleanup. + +However, this patch did not take into account that usb_submit_urb() could +fail. The URB remains anchored and +usb_kill_anchored_urbs(&parent->rx_submitted) in gs_can_close() loops +infinitely since the anchor list never becomes empty. + +To fix the bug, unanchor the URB when an usb_submit_urb() error occurs, +also print an info message. + +Fixes: 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak") +Reported-by: Jakub Kicinski +Closes: https://lore.kernel.org/all/20260110223836.3890248-1-kuba@kernel.org/ +Link: https://patch.msgid.link/20260116-can_usb-fix-reanchor-v1-1-9d74e7289225@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/usb/gs_usb.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c +index d3837252e505a..63439affd59d5 100644 +--- a/drivers/net/can/usb/gs_usb.c ++++ b/drivers/net/can/usb/gs_usb.c +@@ -751,6 +751,10 @@ static void gs_usb_receive_bulk_callback(struct urb *urb) + usb_anchor_urb(urb, &parent->rx_submitted); + + rc = usb_submit_urb(urb, GFP_ATOMIC); ++ if (!rc) ++ return; ++ ++ usb_unanchor_urb(urb); + + /* USB failure take down all interfaces */ + if (rc == -ENODEV) { +@@ -759,6 +763,9 @@ static void gs_usb_receive_bulk_callback(struct urb *urb) + if (parent->canch[rc]) + netif_device_detach(parent->canch[rc]->netdev); + } ++ } else if (rc != -ESHUTDOWN && net_ratelimit()) { ++ netdev_info(netdev, "failed to re-submit IN URB: %pe\n", ++ ERR_PTR(urb->status)); + } + } + +-- +2.51.0 + diff --git a/queue-6.6/crypto-authencesn-reject-too-short-aad-assoclen-8-to.patch b/queue-6.6/crypto-authencesn-reject-too-short-aad-assoclen-8-to.patch new file mode 100644 index 0000000000..ef62c581db --- /dev/null +++ b/queue-6.6/crypto-authencesn-reject-too-short-aad-assoclen-8-to.patch @@ -0,0 +1,53 @@ +From 5bde089ad117356b8b9bf33680fbd3b7bfbe71d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jan 2026 16:03:58 +0900 +Subject: crypto: authencesn - reject too-short AAD (assoclen<8) to match + ESP/ESN spec + +From: Taeyang Lee <0wn@theori.io> + +[ Upstream commit 2397e9264676be7794f8f7f1e9763d90bd3c7335 ] + +authencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than +the minimum expected length, crypto_authenc_esn_decrypt() can advance past +the end of the destination scatterlist and trigger a NULL pointer dereference +in scatterwalk_map_and_copy(), leading to a kernel panic (DoS). + +Add a minimum AAD length check to fail fast on invalid inputs. + +Fixes: 104880a6b470 ("crypto: authencesn - Convert to new AEAD interface") +Reported-By: Taeyang Lee <0wn@theori.io> +Signed-off-by: Taeyang Lee <0wn@theori.io> +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/authencesn.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/crypto/authencesn.c b/crypto/authencesn.c +index 91424e791d5c7..29ff3a0e86c09 100644 +--- a/crypto/authencesn.c ++++ b/crypto/authencesn.c +@@ -189,6 +189,9 @@ static int crypto_authenc_esn_encrypt(struct aead_request *req) + struct scatterlist *src, *dst; + int err; + ++ if (assoclen < 8) ++ return -EINVAL; ++ + sg_init_table(areq_ctx->src, 2); + src = scatterwalk_ffwd(areq_ctx->src, req->src, assoclen); + dst = src; +@@ -281,6 +284,9 @@ static int crypto_authenc_esn_decrypt(struct aead_request *req) + u32 tmp[2]; + int err; + ++ if (assoclen < 8) ++ return -EINVAL; ++ + cryptlen -= authsize; + + if (req->src != dst) { +-- +2.51.0 + diff --git a/queue-6.6/dt-bindings-power-qcom-rpmpd-add-sc8280xp_mxc_ao.patch b/queue-6.6/dt-bindings-power-qcom-rpmpd-add-sc8280xp_mxc_ao.patch new file mode 100644 index 0000000000..e5b45f6c56 --- /dev/null +++ b/queue-6.6/dt-bindings-power-qcom-rpmpd-add-sc8280xp_mxc_ao.patch @@ -0,0 +1,38 @@ +From ea00a65b0be91f41e857fbf0db5413bf6206979e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Dec 2025 18:36:20 +0100 +Subject: dt-bindings: power: qcom,rpmpd: Add SC8280XP_MXC_AO + +From: Konrad Dybcio + +[ Upstream commit 45e1be5ddec98db71e7481fa7a3005673200d85c ] + +Not sure how useful it's gonna be in practice, but the definition is +missing (unlike the previously-unused SC8280XP_MXC-non-_AO), so add it +to allow the driver to create the corresponding pmdomain. + +Fixes: dbfb5f94e084 ("dt-bindings: power: rpmpd: Add sc8280xp RPMh power-domains") +Acked-by: Rob Herring (Arm) +Signed-off-by: Konrad Dybcio +Reviewed-by: Ulf Hansson +Link: https://lore.kernel.org/r/20251202-topic-8280_mxc-v2-1-46cdf47a829e@oss.qualcomm.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + include/dt-bindings/power/qcom,rpmhpd.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/include/dt-bindings/power/qcom,rpmhpd.h b/include/dt-bindings/power/qcom,rpmhpd.h +index 758c3487bd662..0abd1c4c53143 100644 +--- a/include/dt-bindings/power/qcom,rpmhpd.h ++++ b/include/dt-bindings/power/qcom,rpmhpd.h +@@ -260,5 +260,6 @@ + #define SC8280XP_NSP 13 + #define SC8280XP_QPHY 14 + #define SC8280XP_XO 15 ++#define SC8280XP_MXC_AO 16 + + #endif +-- +2.51.0 + diff --git a/queue-6.6/dt-bindings-power-qcom-rpmpd-add-sm7150.patch b/queue-6.6/dt-bindings-power-qcom-rpmpd-add-sm7150.patch new file mode 100644 index 0000000000..b3ac9e9f49 --- /dev/null +++ b/queue-6.6/dt-bindings-power-qcom-rpmpd-add-sm7150.patch @@ -0,0 +1,36 @@ +From 56f9f23952a0e7d1ff44bfbf2be7af82a1df9849 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 16 Sep 2023 20:59:51 +0300 +Subject: dt-bindings: power: qcom,rpmpd: Add SM7150 + +From: Danila Tikhonov + +[ Upstream commit 0cd3f86ad558d3f585634e211c6fccbe786cbc28 ] + +Add a compatible for SM7150 platforms. + +Signed-off-by: Danila Tikhonov +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20230916175952.178611-2-danila@jiaxyga.com +Signed-off-by: Ulf Hansson +Stable-dep-of: 45e1be5ddec9 ("dt-bindings: power: qcom,rpmpd: Add SC8280XP_MXC_AO") +Signed-off-by: Sasha Levin +--- + Documentation/devicetree/bindings/power/qcom,rpmpd.yaml | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/Documentation/devicetree/bindings/power/qcom,rpmpd.yaml b/Documentation/devicetree/bindings/power/qcom,rpmpd.yaml +index 9b03c41d3604e..53886f02d98a9 100644 +--- a/Documentation/devicetree/bindings/power/qcom,rpmpd.yaml ++++ b/Documentation/devicetree/bindings/power/qcom,rpmpd.yaml +@@ -46,6 +46,7 @@ properties: + - qcom,sm6125-rpmpd + - qcom,sm6350-rpmhpd + - qcom,sm6375-rpmpd ++ - qcom,sm7150-rpmhpd + - qcom,sm8150-rpmhpd + - qcom,sm8250-rpmhpd + - qcom,sm8350-rpmhpd +-- +2.51.0 + diff --git a/queue-6.6/dt-bindings-power-qcom-rpmpd-add-turbo-l5-corner.patch b/queue-6.6/dt-bindings-power-qcom-rpmpd-add-turbo-l5-corner.patch new file mode 100644 index 0000000000..0275c3d99a --- /dev/null +++ b/queue-6.6/dt-bindings-power-qcom-rpmpd-add-turbo-l5-corner.patch @@ -0,0 +1,36 @@ +From 89e504561952780ccced0b7980a7571738b47559 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Jul 2025 21:50:45 +0530 +Subject: dt-bindings: power: qcom,rpmpd: add Turbo L5 corner + +From: Akhil P Oommen + +[ Upstream commit 1c402295c10891988fb2a6fc658e6e95d4852a20 ] + +Update the RPMH level definitions to include TURBO_L5 corner. + +Acked-by: Krzysztof Kozlowski +Signed-off-by: Akhil P Oommen +Patchwork: https://patchwork.freedesktop.org/patch/661840/ +Signed-off-by: Rob Clark +Stable-dep-of: 45e1be5ddec9 ("dt-bindings: power: qcom,rpmpd: Add SC8280XP_MXC_AO") +Signed-off-by: Sasha Levin +--- + include/dt-bindings/power/qcom-rpmpd.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/include/dt-bindings/power/qcom-rpmpd.h b/include/dt-bindings/power/qcom-rpmpd.h +index ced784a8afc12..73b3655155ec0 100644 +--- a/include/dt-bindings/power/qcom-rpmpd.h ++++ b/include/dt-bindings/power/qcom-rpmpd.h +@@ -240,6 +240,7 @@ + #define RPMH_REGULATOR_LEVEL_TURBO_L2 432 + #define RPMH_REGULATOR_LEVEL_TURBO_L3 448 + #define RPMH_REGULATOR_LEVEL_TURBO_L4 452 ++#define RPMH_REGULATOR_LEVEL_TURBO_L5 456 + #define RPMH_REGULATOR_LEVEL_SUPER_TURBO 464 + #define RPMH_REGULATOR_LEVEL_SUPER_TURBO_NO_CPR 480 + +-- +2.51.0 + diff --git a/queue-6.6/dt-bindings-power-qcom-rpmpd-document-the-sm8650-rpm.patch b/queue-6.6/dt-bindings-power-qcom-rpmpd-document-the-sm8650-rpm.patch new file mode 100644 index 0000000000..5ef01c33ff --- /dev/null +++ b/queue-6.6/dt-bindings-power-qcom-rpmpd-document-the-sm8650-rpm.patch @@ -0,0 +1,48 @@ +From 33a389b1e1a546b4f2812b245838eeb3e47b8b9e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Oct 2023 09:32:02 +0200 +Subject: dt-bindings: power: qcom,rpmpd: document the SM8650 RPMh Power + Domains + +From: Neil Armstrong + +[ Upstream commit d4d56c079ddd19293b11de1f2309add0b8972af2 ] + +Document the RPMh Power Domains on the SM8650 Platform. + +Signed-off-by: Neil Armstrong +Link: https://lore.kernel.org/r/20231025-topic-sm8650-upstream-rpmpd-v1-1-f25d313104c6@linaro.org +Signed-off-by: Ulf Hansson +Stable-dep-of: 45e1be5ddec9 ("dt-bindings: power: qcom,rpmpd: Add SC8280XP_MXC_AO") +Signed-off-by: Sasha Levin +--- + Documentation/devicetree/bindings/power/qcom,rpmpd.yaml | 1 + + include/dt-bindings/power/qcom,rpmhpd.h | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/Documentation/devicetree/bindings/power/qcom,rpmpd.yaml b/Documentation/devicetree/bindings/power/qcom,rpmpd.yaml +index d38c762e12804..2803f7d568217 100644 +--- a/Documentation/devicetree/bindings/power/qcom,rpmpd.yaml ++++ b/Documentation/devicetree/bindings/power/qcom,rpmpd.yaml +@@ -55,6 +55,7 @@ properties: + - qcom,sm8350-rpmhpd + - qcom,sm8450-rpmhpd + - qcom,sm8550-rpmhpd ++ - qcom,sm8650-rpmhpd + - items: + - enum: + - qcom,msm8937-rpmpd +diff --git a/include/dt-bindings/power/qcom,rpmhpd.h b/include/dt-bindings/power/qcom,rpmhpd.h +index 7c201a66bc691..0f6a74e099701 100644 +--- a/include/dt-bindings/power/qcom,rpmhpd.h ++++ b/include/dt-bindings/power/qcom,rpmhpd.h +@@ -26,5 +26,6 @@ + #define RPMHPD_QPHY 16 + #define RPMHPD_DDR 17 + #define RPMHPD_XO 18 ++#define RPMHPD_NSP2 19 + + #endif +-- +2.51.0 + diff --git a/queue-6.6/dt-bindings-power-qcom-rpmpd-document-the-sm8750-rpm.patch b/queue-6.6/dt-bindings-power-qcom-rpmpd-document-the-sm8750-rpm.patch new file mode 100644 index 0000000000..e4e63da637 --- /dev/null +++ b/queue-6.6/dt-bindings-power-qcom-rpmpd-document-the-sm8750-rpm.patch @@ -0,0 +1,59 @@ +From ceb54ef56e6a0c89c1747822403df993e3641210 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Nov 2024 16:24:43 -0800 +Subject: dt-bindings: power: qcom,rpmpd: document the SM8750 RPMh Power + Domains + +From: Taniya Das + +[ Upstream commit 134e9d035d830aabd1121bcda89f7ee9a476d3a3 ] + +Document the RPMh Power Domains on the SM8750 Platform. + +Signed-off-by: Taniya Das +Signed-off-by: Jishnu Prakash +Signed-off-by: Melody Olvera +Message-ID: <20241112002444.2802092-2-quic_molvera@quicinc.com> +Signed-off-by: Ulf Hansson +Stable-dep-of: 45e1be5ddec9 ("dt-bindings: power: qcom,rpmpd: Add SC8280XP_MXC_AO") +Signed-off-by: Sasha Levin +--- + Documentation/devicetree/bindings/power/qcom,rpmpd.yaml | 1 + + include/dt-bindings/power/qcom-rpmpd.h | 2 ++ + 2 files changed, 3 insertions(+) + +diff --git a/Documentation/devicetree/bindings/power/qcom,rpmpd.yaml b/Documentation/devicetree/bindings/power/qcom,rpmpd.yaml +index 2ff246cf8b81d..bb01bf5663f37 100644 +--- a/Documentation/devicetree/bindings/power/qcom,rpmpd.yaml ++++ b/Documentation/devicetree/bindings/power/qcom,rpmpd.yaml +@@ -56,6 +56,7 @@ properties: + - qcom,sm8450-rpmhpd + - qcom,sm8550-rpmhpd + - qcom,sm8650-rpmhpd ++ - qcom,sm8750-rpmhpd + - qcom,x1e80100-rpmhpd + - items: + - enum: +diff --git a/include/dt-bindings/power/qcom-rpmpd.h b/include/dt-bindings/power/qcom-rpmpd.h +index 7f4e2983a4c57..ced784a8afc12 100644 +--- a/include/dt-bindings/power/qcom-rpmpd.h ++++ b/include/dt-bindings/power/qcom-rpmpd.h +@@ -218,6 +218,7 @@ + /* SDM845 Power Domain performance levels */ + #define RPMH_REGULATOR_LEVEL_RETENTION 16 + #define RPMH_REGULATOR_LEVEL_MIN_SVS 48 ++#define RPMH_REGULATOR_LEVEL_LOW_SVS_D3 50 + #define RPMH_REGULATOR_LEVEL_LOW_SVS_D2 52 + #define RPMH_REGULATOR_LEVEL_LOW_SVS_D1 56 + #define RPMH_REGULATOR_LEVEL_LOW_SVS_D0 60 +@@ -238,6 +239,7 @@ + #define RPMH_REGULATOR_LEVEL_TURBO_L1 416 + #define RPMH_REGULATOR_LEVEL_TURBO_L2 432 + #define RPMH_REGULATOR_LEVEL_TURBO_L3 448 ++#define RPMH_REGULATOR_LEVEL_TURBO_L4 452 + #define RPMH_REGULATOR_LEVEL_SUPER_TURBO 464 + #define RPMH_REGULATOR_LEVEL_SUPER_TURBO_NO_CPR 480 + +-- +2.51.0 + diff --git a/queue-6.6/dt-bindings-power-qcom-rpmpd-split-rpmh-domains-defi.patch b/queue-6.6/dt-bindings-power-qcom-rpmpd-split-rpmh-domains-defi.patch new file mode 100644 index 0000000000..f6586b438f --- /dev/null +++ b/queue-6.6/dt-bindings-power-qcom-rpmpd-split-rpmh-domains-defi.patch @@ -0,0 +1,518 @@ +From f9206e3ae1b74cd3b04266a0725b1921f6d0d692 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jul 2025 19:13:39 +0300 +Subject: dt-bindings: power: qcom-rpmpd: split RPMh domains definitions + +From: Dmitry Baryshkov + +[ Upstream commit dcb8d01b65fb5a891ddbbedcbe6eff0b8ec37867 ] + +Historically both RPM and RPMh domain definitions were a part of the +same, qcom-rpmpd.h header. Now as we have a separate header for RPMh +definitions, qcom,rpmhpd.h, move all RPMh power domain definitions to +that header. + +Signed-off-by: Dmitry Baryshkov +Acked-by: Rob Herring (Arm) +Reviewed-by: Konrad Dybcio +Reviewed-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20250718-rework-rpmhpd-rpmpd-v1-1-eedca108e540@oss.qualcomm.com +Signed-off-by: Ulf Hansson +Stable-dep-of: 45e1be5ddec9 ("dt-bindings: power: qcom,rpmpd: Add SC8280XP_MXC_AO") +Signed-off-by: Sasha Levin +--- + include/dt-bindings/power/qcom,rpmhpd.h | 233 ++++++++++++++++++++++++ + include/dt-bindings/power/qcom-rpmpd.h | 228 +---------------------- + 2 files changed, 234 insertions(+), 227 deletions(-) + +diff --git a/include/dt-bindings/power/qcom,rpmhpd.h b/include/dt-bindings/power/qcom,rpmhpd.h +index 0f6a74e099701..758c3487bd662 100644 +--- a/include/dt-bindings/power/qcom,rpmhpd.h ++++ b/include/dt-bindings/power/qcom,rpmhpd.h +@@ -28,4 +28,237 @@ + #define RPMHPD_XO 18 + #define RPMHPD_NSP2 19 + ++/* RPMh Power Domain performance levels */ ++#define RPMH_REGULATOR_LEVEL_RETENTION 16 ++#define RPMH_REGULATOR_LEVEL_MIN_SVS 48 ++#define RPMH_REGULATOR_LEVEL_LOW_SVS_D3 50 ++#define RPMH_REGULATOR_LEVEL_LOW_SVS_D2 52 ++#define RPMH_REGULATOR_LEVEL_LOW_SVS_D1 56 ++#define RPMH_REGULATOR_LEVEL_LOW_SVS_D0 60 ++#define RPMH_REGULATOR_LEVEL_LOW_SVS 64 ++#define RPMH_REGULATOR_LEVEL_LOW_SVS_P1 72 ++#define RPMH_REGULATOR_LEVEL_LOW_SVS_L1 80 ++#define RPMH_REGULATOR_LEVEL_LOW_SVS_L2 96 ++#define RPMH_REGULATOR_LEVEL_SVS 128 ++#define RPMH_REGULATOR_LEVEL_SVS_L0 144 ++#define RPMH_REGULATOR_LEVEL_SVS_L1 192 ++#define RPMH_REGULATOR_LEVEL_SVS_L2 224 ++#define RPMH_REGULATOR_LEVEL_NOM 256 ++#define RPMH_REGULATOR_LEVEL_NOM_L0 288 ++#define RPMH_REGULATOR_LEVEL_NOM_L1 320 ++#define RPMH_REGULATOR_LEVEL_NOM_L2 336 ++#define RPMH_REGULATOR_LEVEL_TURBO 384 ++#define RPMH_REGULATOR_LEVEL_TURBO_L0 400 ++#define RPMH_REGULATOR_LEVEL_TURBO_L1 416 ++#define RPMH_REGULATOR_LEVEL_TURBO_L2 432 ++#define RPMH_REGULATOR_LEVEL_TURBO_L3 448 ++#define RPMH_REGULATOR_LEVEL_TURBO_L4 452 ++#define RPMH_REGULATOR_LEVEL_TURBO_L5 456 ++#define RPMH_REGULATOR_LEVEL_SUPER_TURBO 464 ++#define RPMH_REGULATOR_LEVEL_SUPER_TURBO_NO_CPR 480 ++ ++/* ++ * Platform-specific power domain bindings. Don't add new entries here, use ++ * RPMHPD_* above. ++ */ ++ ++/* SA8775P Power Domain Indexes */ ++#define SA8775P_CX 0 ++#define SA8775P_CX_AO 1 ++#define SA8775P_DDR 2 ++#define SA8775P_EBI 3 ++#define SA8775P_GFX 4 ++#define SA8775P_LCX 5 ++#define SA8775P_LMX 6 ++#define SA8775P_MMCX 7 ++#define SA8775P_MMCX_AO 8 ++#define SA8775P_MSS 9 ++#define SA8775P_MX 10 ++#define SA8775P_MX_AO 11 ++#define SA8775P_MXC 12 ++#define SA8775P_MXC_AO 13 ++#define SA8775P_NSP0 14 ++#define SA8775P_NSP1 15 ++#define SA8775P_XO 16 ++ ++/* SDM670 Power Domain Indexes */ ++#define SDM670_MX 0 ++#define SDM670_MX_AO 1 ++#define SDM670_CX 2 ++#define SDM670_CX_AO 3 ++#define SDM670_LMX 4 ++#define SDM670_LCX 5 ++#define SDM670_GFX 6 ++#define SDM670_MSS 7 ++ ++/* SDM845 Power Domain Indexes */ ++#define SDM845_EBI 0 ++#define SDM845_MX 1 ++#define SDM845_MX_AO 2 ++#define SDM845_CX 3 ++#define SDM845_CX_AO 4 ++#define SDM845_LMX 5 ++#define SDM845_LCX 6 ++#define SDM845_GFX 7 ++#define SDM845_MSS 8 ++ ++/* SDX55 Power Domain Indexes */ ++#define SDX55_MSS 0 ++#define SDX55_MX 1 ++#define SDX55_CX 2 ++ ++/* SDX65 Power Domain Indexes */ ++#define SDX65_MSS 0 ++#define SDX65_MX 1 ++#define SDX65_MX_AO 2 ++#define SDX65_CX 3 ++#define SDX65_CX_AO 4 ++#define SDX65_MXC 5 ++ ++/* SM6350 Power Domain Indexes */ ++#define SM6350_CX 0 ++#define SM6350_GFX 1 ++#define SM6350_LCX 2 ++#define SM6350_LMX 3 ++#define SM6350_MSS 4 ++#define SM6350_MX 5 ++ ++/* SM8150 Power Domain Indexes */ ++#define SM8150_MSS 0 ++#define SM8150_EBI 1 ++#define SM8150_LMX 2 ++#define SM8150_LCX 3 ++#define SM8150_GFX 4 ++#define SM8150_MX 5 ++#define SM8150_MX_AO 6 ++#define SM8150_CX 7 ++#define SM8150_CX_AO 8 ++#define SM8150_MMCX 9 ++#define SM8150_MMCX_AO 10 ++ ++/* SA8155P is a special case, kept for backwards compatibility */ ++#define SA8155P_CX SM8150_CX ++#define SA8155P_CX_AO SM8150_CX_AO ++#define SA8155P_EBI SM8150_EBI ++#define SA8155P_GFX SM8150_GFX ++#define SA8155P_MSS SM8150_MSS ++#define SA8155P_MX SM8150_MX ++#define SA8155P_MX_AO SM8150_MX_AO ++ ++/* SM8250 Power Domain Indexes */ ++#define SM8250_CX 0 ++#define SM8250_CX_AO 1 ++#define SM8250_EBI 2 ++#define SM8250_GFX 3 ++#define SM8250_LCX 4 ++#define SM8250_LMX 5 ++#define SM8250_MMCX 6 ++#define SM8250_MMCX_AO 7 ++#define SM8250_MX 8 ++#define SM8250_MX_AO 9 ++ ++/* SM8350 Power Domain Indexes */ ++#define SM8350_CX 0 ++#define SM8350_CX_AO 1 ++#define SM8350_EBI 2 ++#define SM8350_GFX 3 ++#define SM8350_LCX 4 ++#define SM8350_LMX 5 ++#define SM8350_MMCX 6 ++#define SM8350_MMCX_AO 7 ++#define SM8350_MX 8 ++#define SM8350_MX_AO 9 ++#define SM8350_MXC 10 ++#define SM8350_MXC_AO 11 ++#define SM8350_MSS 12 ++ ++/* SM8450 Power Domain Indexes */ ++#define SM8450_CX 0 ++#define SM8450_CX_AO 1 ++#define SM8450_EBI 2 ++#define SM8450_GFX 3 ++#define SM8450_LCX 4 ++#define SM8450_LMX 5 ++#define SM8450_MMCX 6 ++#define SM8450_MMCX_AO 7 ++#define SM8450_MX 8 ++#define SM8450_MX_AO 9 ++#define SM8450_MXC 10 ++#define SM8450_MXC_AO 11 ++#define SM8450_MSS 12 ++ ++/* SM8550 Power Domain Indexes */ ++#define SM8550_CX 0 ++#define SM8550_CX_AO 1 ++#define SM8550_EBI 2 ++#define SM8550_GFX 3 ++#define SM8550_LCX 4 ++#define SM8550_LMX 5 ++#define SM8550_MMCX 6 ++#define SM8550_MMCX_AO 7 ++#define SM8550_MX 8 ++#define SM8550_MX_AO 9 ++#define SM8550_MXC 10 ++#define SM8550_MXC_AO 11 ++#define SM8550_MSS 12 ++#define SM8550_NSP 13 ++ ++/* QDU1000/QRU1000 Power Domain Indexes */ ++#define QDU1000_EBI 0 ++#define QDU1000_MSS 1 ++#define QDU1000_CX 2 ++#define QDU1000_MX 3 ++ ++/* SC7180 Power Domain Indexes */ ++#define SC7180_CX 0 ++#define SC7180_CX_AO 1 ++#define SC7180_GFX 2 ++#define SC7180_MX 3 ++#define SC7180_MX_AO 4 ++#define SC7180_LMX 5 ++#define SC7180_LCX 6 ++#define SC7180_MSS 7 ++ ++/* SC7280 Power Domain Indexes */ ++#define SC7280_CX 0 ++#define SC7280_CX_AO 1 ++#define SC7280_EBI 2 ++#define SC7280_GFX 3 ++#define SC7280_MX 4 ++#define SC7280_MX_AO 5 ++#define SC7280_LMX 6 ++#define SC7280_LCX 7 ++#define SC7280_MSS 8 ++ ++/* SC8180X Power Domain Indexes */ ++#define SC8180X_CX 0 ++#define SC8180X_CX_AO 1 ++#define SC8180X_EBI 2 ++#define SC8180X_GFX 3 ++#define SC8180X_LCX 4 ++#define SC8180X_LMX 5 ++#define SC8180X_MMCX 6 ++#define SC8180X_MMCX_AO 7 ++#define SC8180X_MSS 8 ++#define SC8180X_MX 9 ++#define SC8180X_MX_AO 10 ++ ++/* SC8280XP Power Domain Indexes */ ++#define SC8280XP_CX 0 ++#define SC8280XP_CX_AO 1 ++#define SC8280XP_DDR 2 ++#define SC8280XP_EBI 3 ++#define SC8280XP_GFX 4 ++#define SC8280XP_LCX 5 ++#define SC8280XP_LMX 6 ++#define SC8280XP_MMCX 7 ++#define SC8280XP_MMCX_AO 8 ++#define SC8280XP_MSS 9 ++#define SC8280XP_MX 10 ++#define SC8280XP_MXC 12 ++#define SC8280XP_MX_AO 11 ++#define SC8280XP_NSP 13 ++#define SC8280XP_QPHY 14 ++#define SC8280XP_XO 15 ++ + #endif +diff --git a/include/dt-bindings/power/qcom-rpmpd.h b/include/dt-bindings/power/qcom-rpmpd.h +index 73b3655155ec0..f160f373be2a3 100644 +--- a/include/dt-bindings/power/qcom-rpmpd.h ++++ b/include/dt-bindings/power/qcom-rpmpd.h +@@ -4,66 +4,7 @@ + #ifndef _DT_BINDINGS_POWER_QCOM_RPMPD_H + #define _DT_BINDINGS_POWER_QCOM_RPMPD_H + +-/* SA8775P Power Domain Indexes */ +-#define SA8775P_CX 0 +-#define SA8775P_CX_AO 1 +-#define SA8775P_DDR 2 +-#define SA8775P_EBI 3 +-#define SA8775P_GFX 4 +-#define SA8775P_LCX 5 +-#define SA8775P_LMX 6 +-#define SA8775P_MMCX 7 +-#define SA8775P_MMCX_AO 8 +-#define SA8775P_MSS 9 +-#define SA8775P_MX 10 +-#define SA8775P_MX_AO 11 +-#define SA8775P_MXC 12 +-#define SA8775P_MXC_AO 13 +-#define SA8775P_NSP0 14 +-#define SA8775P_NSP1 15 +-#define SA8775P_XO 16 +- +-/* SDM670 Power Domain Indexes */ +-#define SDM670_MX 0 +-#define SDM670_MX_AO 1 +-#define SDM670_CX 2 +-#define SDM670_CX_AO 3 +-#define SDM670_LMX 4 +-#define SDM670_LCX 5 +-#define SDM670_GFX 6 +-#define SDM670_MSS 7 +- +-/* SDM845 Power Domain Indexes */ +-#define SDM845_EBI 0 +-#define SDM845_MX 1 +-#define SDM845_MX_AO 2 +-#define SDM845_CX 3 +-#define SDM845_CX_AO 4 +-#define SDM845_LMX 5 +-#define SDM845_LCX 6 +-#define SDM845_GFX 7 +-#define SDM845_MSS 8 +- +-/* SDX55 Power Domain Indexes */ +-#define SDX55_MSS 0 +-#define SDX55_MX 1 +-#define SDX55_CX 2 +- +-/* SDX65 Power Domain Indexes */ +-#define SDX65_MSS 0 +-#define SDX65_MX 1 +-#define SDX65_MX_AO 2 +-#define SDX65_CX 3 +-#define SDX65_CX_AO 4 +-#define SDX65_MXC 5 +- +-/* SM6350 Power Domain Indexes */ +-#define SM6350_CX 0 +-#define SM6350_GFX 1 +-#define SM6350_LCX 2 +-#define SM6350_LMX 3 +-#define SM6350_MSS 4 +-#define SM6350_MX 5 ++#include + + /* SM6350 Power Domain Indexes */ + #define SM6375_VDDCX 0 +@@ -77,173 +18,6 @@ + #define SM6375_VDD_LPI_CX 8 + #define SM6375_VDD_LPI_MX 9 + +-/* SM8150 Power Domain Indexes */ +-#define SM8150_MSS 0 +-#define SM8150_EBI 1 +-#define SM8150_LMX 2 +-#define SM8150_LCX 3 +-#define SM8150_GFX 4 +-#define SM8150_MX 5 +-#define SM8150_MX_AO 6 +-#define SM8150_CX 7 +-#define SM8150_CX_AO 8 +-#define SM8150_MMCX 9 +-#define SM8150_MMCX_AO 10 +- +-/* SA8155P is a special case, kept for backwards compatibility */ +-#define SA8155P_CX SM8150_CX +-#define SA8155P_CX_AO SM8150_CX_AO +-#define SA8155P_EBI SM8150_EBI +-#define SA8155P_GFX SM8150_GFX +-#define SA8155P_MSS SM8150_MSS +-#define SA8155P_MX SM8150_MX +-#define SA8155P_MX_AO SM8150_MX_AO +- +-/* SM8250 Power Domain Indexes */ +-#define SM8250_CX 0 +-#define SM8250_CX_AO 1 +-#define SM8250_EBI 2 +-#define SM8250_GFX 3 +-#define SM8250_LCX 4 +-#define SM8250_LMX 5 +-#define SM8250_MMCX 6 +-#define SM8250_MMCX_AO 7 +-#define SM8250_MX 8 +-#define SM8250_MX_AO 9 +- +-/* SM8350 Power Domain Indexes */ +-#define SM8350_CX 0 +-#define SM8350_CX_AO 1 +-#define SM8350_EBI 2 +-#define SM8350_GFX 3 +-#define SM8350_LCX 4 +-#define SM8350_LMX 5 +-#define SM8350_MMCX 6 +-#define SM8350_MMCX_AO 7 +-#define SM8350_MX 8 +-#define SM8350_MX_AO 9 +-#define SM8350_MXC 10 +-#define SM8350_MXC_AO 11 +-#define SM8350_MSS 12 +- +-/* SM8450 Power Domain Indexes */ +-#define SM8450_CX 0 +-#define SM8450_CX_AO 1 +-#define SM8450_EBI 2 +-#define SM8450_GFX 3 +-#define SM8450_LCX 4 +-#define SM8450_LMX 5 +-#define SM8450_MMCX 6 +-#define SM8450_MMCX_AO 7 +-#define SM8450_MX 8 +-#define SM8450_MX_AO 9 +-#define SM8450_MXC 10 +-#define SM8450_MXC_AO 11 +-#define SM8450_MSS 12 +- +-/* SM8550 Power Domain Indexes */ +-#define SM8550_CX 0 +-#define SM8550_CX_AO 1 +-#define SM8550_EBI 2 +-#define SM8550_GFX 3 +-#define SM8550_LCX 4 +-#define SM8550_LMX 5 +-#define SM8550_MMCX 6 +-#define SM8550_MMCX_AO 7 +-#define SM8550_MX 8 +-#define SM8550_MX_AO 9 +-#define SM8550_MXC 10 +-#define SM8550_MXC_AO 11 +-#define SM8550_MSS 12 +-#define SM8550_NSP 13 +- +-/* QDU1000/QRU1000 Power Domain Indexes */ +-#define QDU1000_EBI 0 +-#define QDU1000_MSS 1 +-#define QDU1000_CX 2 +-#define QDU1000_MX 3 +- +-/* SC7180 Power Domain Indexes */ +-#define SC7180_CX 0 +-#define SC7180_CX_AO 1 +-#define SC7180_GFX 2 +-#define SC7180_MX 3 +-#define SC7180_MX_AO 4 +-#define SC7180_LMX 5 +-#define SC7180_LCX 6 +-#define SC7180_MSS 7 +- +-/* SC7280 Power Domain Indexes */ +-#define SC7280_CX 0 +-#define SC7280_CX_AO 1 +-#define SC7280_EBI 2 +-#define SC7280_GFX 3 +-#define SC7280_MX 4 +-#define SC7280_MX_AO 5 +-#define SC7280_LMX 6 +-#define SC7280_LCX 7 +-#define SC7280_MSS 8 +- +-/* SC8180X Power Domain Indexes */ +-#define SC8180X_CX 0 +-#define SC8180X_CX_AO 1 +-#define SC8180X_EBI 2 +-#define SC8180X_GFX 3 +-#define SC8180X_LCX 4 +-#define SC8180X_LMX 5 +-#define SC8180X_MMCX 6 +-#define SC8180X_MMCX_AO 7 +-#define SC8180X_MSS 8 +-#define SC8180X_MX 9 +-#define SC8180X_MX_AO 10 +- +-/* SC8280XP Power Domain Indexes */ +-#define SC8280XP_CX 0 +-#define SC8280XP_CX_AO 1 +-#define SC8280XP_DDR 2 +-#define SC8280XP_EBI 3 +-#define SC8280XP_GFX 4 +-#define SC8280XP_LCX 5 +-#define SC8280XP_LMX 6 +-#define SC8280XP_MMCX 7 +-#define SC8280XP_MMCX_AO 8 +-#define SC8280XP_MSS 9 +-#define SC8280XP_MX 10 +-#define SC8280XP_MXC 12 +-#define SC8280XP_MX_AO 11 +-#define SC8280XP_NSP 13 +-#define SC8280XP_QPHY 14 +-#define SC8280XP_XO 15 +- +-/* SDM845 Power Domain performance levels */ +-#define RPMH_REGULATOR_LEVEL_RETENTION 16 +-#define RPMH_REGULATOR_LEVEL_MIN_SVS 48 +-#define RPMH_REGULATOR_LEVEL_LOW_SVS_D3 50 +-#define RPMH_REGULATOR_LEVEL_LOW_SVS_D2 52 +-#define RPMH_REGULATOR_LEVEL_LOW_SVS_D1 56 +-#define RPMH_REGULATOR_LEVEL_LOW_SVS_D0 60 +-#define RPMH_REGULATOR_LEVEL_LOW_SVS 64 +-#define RPMH_REGULATOR_LEVEL_LOW_SVS_P1 72 +-#define RPMH_REGULATOR_LEVEL_LOW_SVS_L1 80 +-#define RPMH_REGULATOR_LEVEL_LOW_SVS_L2 96 +-#define RPMH_REGULATOR_LEVEL_SVS 128 +-#define RPMH_REGULATOR_LEVEL_SVS_L0 144 +-#define RPMH_REGULATOR_LEVEL_SVS_L1 192 +-#define RPMH_REGULATOR_LEVEL_SVS_L2 224 +-#define RPMH_REGULATOR_LEVEL_NOM 256 +-#define RPMH_REGULATOR_LEVEL_NOM_L0 288 +-#define RPMH_REGULATOR_LEVEL_NOM_L1 320 +-#define RPMH_REGULATOR_LEVEL_NOM_L2 336 +-#define RPMH_REGULATOR_LEVEL_TURBO 384 +-#define RPMH_REGULATOR_LEVEL_TURBO_L0 400 +-#define RPMH_REGULATOR_LEVEL_TURBO_L1 416 +-#define RPMH_REGULATOR_LEVEL_TURBO_L2 432 +-#define RPMH_REGULATOR_LEVEL_TURBO_L3 448 +-#define RPMH_REGULATOR_LEVEL_TURBO_L4 452 +-#define RPMH_REGULATOR_LEVEL_TURBO_L5 456 +-#define RPMH_REGULATOR_LEVEL_SUPER_TURBO 464 +-#define RPMH_REGULATOR_LEVEL_SUPER_TURBO_NO_CPR 480 +- + /* MDM9607 Power Domains */ + #define MDM9607_VDDCX 0 + #define MDM9607_VDDCX_AO 1 +-- +2.51.0 + diff --git a/queue-6.6/dt-bindings-power-rpmpd-add-msm8917-msm8937-and-qm21.patch b/queue-6.6/dt-bindings-power-rpmpd-add-msm8917-msm8937-and-qm21.patch new file mode 100644 index 0000000000..a3232720aa --- /dev/null +++ b/queue-6.6/dt-bindings-power-rpmpd-add-msm8917-msm8937-and-qm21.patch @@ -0,0 +1,160 @@ +From 3679a73e5aecd0ab7e2851b322d19be28052df76 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Oct 2023 15:38:21 +0200 +Subject: dt-bindings: power: rpmpd: Add MSM8917, MSM8937 and QM215 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Otto Pflüger + +[ Upstream commit 61848698288d93a230cab9c0585e726df66f2402 ] + +The MSM8917, MSM8937 and QM215 SoCs have VDDCX and VDDMX power domains +controlled in voltage level mode. Define the MSM8937 and QM215 power +domains as aliases because these SoCs are similar to MSM8917 and may +share some parts of the device tree. + +Also add the compatibles for these SoCs to the documentation, with +qcom,msm8937-rpmpd using qcom,msm8917-rpmpd as a fallback compatible +because there are no known differences. QM215 is not compatible with +these because it uses different regulators. + +Signed-off-by: Otto Pflüger +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20231014133823.14088-2-otto.pflueger@abscue.de +Signed-off-by: Ulf Hansson +Stable-dep-of: 45e1be5ddec9 ("dt-bindings: power: qcom,rpmpd: Add SC8280XP_MXC_AO") +Signed-off-by: Sasha Levin +--- + .../devicetree/bindings/power/qcom,rpmpd.yaml | 81 ++++++++++--------- + include/dt-bindings/power/qcom-rpmpd.h | 21 +++++ + 2 files changed, 65 insertions(+), 37 deletions(-) + +diff --git a/Documentation/devicetree/bindings/power/qcom,rpmpd.yaml b/Documentation/devicetree/bindings/power/qcom,rpmpd.yaml +index 53886f02d98a9..d38c762e12804 100644 +--- a/Documentation/devicetree/bindings/power/qcom,rpmpd.yaml ++++ b/Documentation/devicetree/bindings/power/qcom,rpmpd.yaml +@@ -15,43 +15,50 @@ description: + + properties: + compatible: +- enum: +- - qcom,mdm9607-rpmpd +- - qcom,msm8226-rpmpd +- - qcom,msm8909-rpmpd +- - qcom,msm8916-rpmpd +- - qcom,msm8939-rpmpd +- - qcom,msm8953-rpmpd +- - qcom,msm8976-rpmpd +- - qcom,msm8994-rpmpd +- - qcom,msm8996-rpmpd +- - qcom,msm8998-rpmpd +- - qcom,qcm2290-rpmpd +- - qcom,qcs404-rpmpd +- - qcom,qdu1000-rpmhpd +- - qcom,sa8155p-rpmhpd +- - qcom,sa8540p-rpmhpd +- - qcom,sa8775p-rpmhpd +- - qcom,sdm660-rpmpd +- - qcom,sc7180-rpmhpd +- - qcom,sc7280-rpmhpd +- - qcom,sc8180x-rpmhpd +- - qcom,sc8280xp-rpmhpd +- - qcom,sdm670-rpmhpd +- - qcom,sdm845-rpmhpd +- - qcom,sdx55-rpmhpd +- - qcom,sdx65-rpmhpd +- - qcom,sdx75-rpmhpd +- - qcom,sm6115-rpmpd +- - qcom,sm6125-rpmpd +- - qcom,sm6350-rpmhpd +- - qcom,sm6375-rpmpd +- - qcom,sm7150-rpmhpd +- - qcom,sm8150-rpmhpd +- - qcom,sm8250-rpmhpd +- - qcom,sm8350-rpmhpd +- - qcom,sm8450-rpmhpd +- - qcom,sm8550-rpmhpd ++ oneOf: ++ - enum: ++ - qcom,mdm9607-rpmpd ++ - qcom,msm8226-rpmpd ++ - qcom,msm8909-rpmpd ++ - qcom,msm8916-rpmpd ++ - qcom,msm8917-rpmpd ++ - qcom,msm8939-rpmpd ++ - qcom,msm8953-rpmpd ++ - qcom,msm8976-rpmpd ++ - qcom,msm8994-rpmpd ++ - qcom,msm8996-rpmpd ++ - qcom,msm8998-rpmpd ++ - qcom,qcm2290-rpmpd ++ - qcom,qcs404-rpmpd ++ - qcom,qdu1000-rpmhpd ++ - qcom,qm215-rpmpd ++ - qcom,sa8155p-rpmhpd ++ - qcom,sa8540p-rpmhpd ++ - qcom,sa8775p-rpmhpd ++ - qcom,sc7180-rpmhpd ++ - qcom,sc7280-rpmhpd ++ - qcom,sc8180x-rpmhpd ++ - qcom,sc8280xp-rpmhpd ++ - qcom,sdm660-rpmpd ++ - qcom,sdm670-rpmhpd ++ - qcom,sdm845-rpmhpd ++ - qcom,sdx55-rpmhpd ++ - qcom,sdx65-rpmhpd ++ - qcom,sdx75-rpmhpd ++ - qcom,sm6115-rpmpd ++ - qcom,sm6125-rpmpd ++ - qcom,sm6350-rpmhpd ++ - qcom,sm6375-rpmpd ++ - qcom,sm7150-rpmhpd ++ - qcom,sm8150-rpmhpd ++ - qcom,sm8250-rpmhpd ++ - qcom,sm8350-rpmhpd ++ - qcom,sm8450-rpmhpd ++ - qcom,sm8550-rpmhpd ++ - items: ++ - enum: ++ - qcom,msm8937-rpmpd ++ - const: qcom,msm8917-rpmpd + + '#power-domain-cells': + const: 1 +diff --git a/include/dt-bindings/power/qcom-rpmpd.h b/include/dt-bindings/power/qcom-rpmpd.h +index 83be996cb5eb9..7f4e2983a4c57 100644 +--- a/include/dt-bindings/power/qcom-rpmpd.h ++++ b/include/dt-bindings/power/qcom-rpmpd.h +@@ -278,6 +278,27 @@ + #define MSM8909_VDDMX MSM8916_VDDMX + #define MSM8909_VDDMX_AO MSM8916_VDDMX_AO + ++/* MSM8917 Power Domain Indexes */ ++#define MSM8917_VDDCX 0 ++#define MSM8917_VDDCX_AO 1 ++#define MSM8917_VDDCX_VFL 2 ++#define MSM8917_VDDMX 3 ++#define MSM8917_VDDMX_AO 4 ++ ++/* MSM8937 Power Domain Indexes */ ++#define MSM8937_VDDCX MSM8917_VDDCX ++#define MSM8937_VDDCX_AO MSM8917_VDDCX_AO ++#define MSM8937_VDDCX_VFL MSM8917_VDDCX_VFL ++#define MSM8937_VDDMX MSM8917_VDDMX ++#define MSM8937_VDDMX_AO MSM8917_VDDMX_AO ++ ++/* QM215 Power Domain Indexes */ ++#define QM215_VDDCX MSM8917_VDDCX ++#define QM215_VDDCX_AO MSM8917_VDDCX_AO ++#define QM215_VDDCX_VFL MSM8917_VDDCX_VFL ++#define QM215_VDDMX MSM8917_VDDMX ++#define QM215_VDDMX_AO MSM8917_VDDMX_AO ++ + /* MSM8953 Power Domain Indexes */ + #define MSM8953_VDDMD 0 + #define MSM8953_VDDMD_AO 1 +-- +2.51.0 + diff --git a/queue-6.6/dt-bindings-power-rpmpd-update-part-number-to-x1e801.patch b/queue-6.6/dt-bindings-power-rpmpd-update-part-number-to-x1e801.patch new file mode 100644 index 0000000000..1f40d564af --- /dev/null +++ b/queue-6.6/dt-bindings-power-rpmpd-update-part-number-to-x1e801.patch @@ -0,0 +1,40 @@ +From 319d767af3f1f02be668992b316054b56a82ed22 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Nov 2023 15:30:20 +0530 +Subject: dt-bindings: power: rpmpd: Update part number to X1E80100 + +From: Sibi Sankar + +[ Upstream commit 3d123f513af055b4c085b555f9c856bbd7390536 ] + +There was a recent part number update from SC8380XP to X1E80100 and as +a result of which the SC8380xp rpmpd bindings introduced is no longer +correct. Given that it currently has no users, it was agreed that it +can be updated to the correct part number (X1E80100) without causing +any binding breakage. + +Signed-off-by: Sibi Sankar +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20231123100021.10918-2-quic_sibis@quicinc.com +Signed-off-by: Ulf Hansson +Stable-dep-of: 45e1be5ddec9 ("dt-bindings: power: qcom,rpmpd: Add SC8280XP_MXC_AO") +Signed-off-by: Sasha Levin +--- + Documentation/devicetree/bindings/power/qcom,rpmpd.yaml | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/Documentation/devicetree/bindings/power/qcom,rpmpd.yaml b/Documentation/devicetree/bindings/power/qcom,rpmpd.yaml +index 2803f7d568217..2ff246cf8b81d 100644 +--- a/Documentation/devicetree/bindings/power/qcom,rpmpd.yaml ++++ b/Documentation/devicetree/bindings/power/qcom,rpmpd.yaml +@@ -56,6 +56,7 @@ properties: + - qcom,sm8450-rpmhpd + - qcom,sm8550-rpmhpd + - qcom,sm8650-rpmhpd ++ - qcom,x1e80100-rpmhpd + - items: + - enum: + - qcom,msm8937-rpmpd +-- +2.51.0 + diff --git a/queue-6.6/fou-don-t-allow-0-for-fou_attr_ipproto.patch b/queue-6.6/fou-don-t-allow-0-for-fou_attr_ipproto.patch new file mode 100644 index 0000000000..831ffaadae --- /dev/null +++ b/queue-6.6/fou-don-t-allow-0-for-fou_attr_ipproto.patch @@ -0,0 +1,57 @@ +From e995ee522f4d5f145fc33b749493c26abbfc1ba9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jan 2026 17:24:48 +0000 +Subject: fou: Don't allow 0 for FOU_ATTR_IPPROTO. + +From: Kuniyuki Iwashima + +[ Upstream commit 7a9bc9e3f42391e4c187e099263cf7a1c4b69ff5 ] + +fou_udp_recv() has the same problem mentioned in the previous +patch. + +If FOU_ATTR_IPPROTO is set to 0, skb is not freed by +fou_udp_recv() nor "resubmit"-ted in ip_protocol_deliver_rcu(). + +Let's forbid 0 for FOU_ATTR_IPPROTO. + +Fixes: 23461551c0062 ("fou: Support for foo-over-udp RX path") +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20260115172533.693652-4-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + Documentation/netlink/specs/fou.yaml | 2 ++ + net/ipv4/fou_nl.c | 2 +- + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/Documentation/netlink/specs/fou.yaml b/Documentation/netlink/specs/fou.yaml +index 0af5ab842c04d..91721ee406413 100644 +--- a/Documentation/netlink/specs/fou.yaml ++++ b/Documentation/netlink/specs/fou.yaml +@@ -39,6 +39,8 @@ attribute-sets: + - + name: ipproto + type: u8 ++ checks: ++ min: 1 + - + name: type + type: u8 +diff --git a/net/ipv4/fou_nl.c b/net/ipv4/fou_nl.c +index 98b90107b5abc..bbd955f4c9d19 100644 +--- a/net/ipv4/fou_nl.c ++++ b/net/ipv4/fou_nl.c +@@ -14,7 +14,7 @@ + const struct nla_policy fou_nl_policy[FOU_ATTR_IFINDEX + 1] = { + [FOU_ATTR_PORT] = { .type = NLA_U16, }, + [FOU_ATTR_AF] = { .type = NLA_U8, }, +- [FOU_ATTR_IPPROTO] = { .type = NLA_U8, }, ++ [FOU_ATTR_IPPROTO] = NLA_POLICY_MIN(NLA_U8, 1), + [FOU_ATTR_TYPE] = { .type = NLA_U8, }, + [FOU_ATTR_REMCSUM_NOPARTIAL] = { .type = NLA_FLAG, }, + [FOU_ATTR_LOCAL_V4] = { .type = NLA_U32, }, +-- +2.51.0 + diff --git a/queue-6.6/gue-fix-skb-memleak-with-inner-ip-protocol-0.patch b/queue-6.6/gue-fix-skb-memleak-with-inner-ip-protocol-0.patch new file mode 100644 index 0000000000..5587cd4283 --- /dev/null +++ b/queue-6.6/gue-fix-skb-memleak-with-inner-ip-protocol-0.patch @@ -0,0 +1,82 @@ +From 9d3fa7347622064c6f82423fbe41af78c9ce5abb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jan 2026 17:24:46 +0000 +Subject: gue: Fix skb memleak with inner IP protocol 0. + +From: Kuniyuki Iwashima + +[ Upstream commit 9a56796ad258786d3624eef5aefba394fc9bdded ] + +syzbot reported skb memleak below. [0] + +The repro generated a GUE packet with its inner protocol 0. + +gue_udp_recv() returns -guehdr->proto_ctype for "resubmit" +in ip_protocol_deliver_rcu(), but this only works with +non-zero protocol number. + +Let's drop such packets. + +Note that 0 is a valid number (IPv6 Hop-by-Hop Option). + +I think it is not practical to encap HOPOPT in GUE, so once +someone starts to complain, we could pass down a resubmit +flag pointer to distinguish two zeros from the upper layer: + + * no error + * resubmit HOPOPT + +[0] +BUG: memory leak +unreferenced object 0xffff888109695a00 (size 240): + comm "syz.0.17", pid 6088, jiffies 4294943096 + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 40 c2 10 81 88 ff ff 00 00 00 00 00 00 00 00 .@.............. + backtrace (crc a84b336f): + kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] + slab_post_alloc_hook mm/slub.c:4958 [inline] + slab_alloc_node mm/slub.c:5263 [inline] + kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270 + __build_skb+0x23/0x60 net/core/skbuff.c:474 + build_skb+0x20/0x190 net/core/skbuff.c:490 + __tun_build_skb drivers/net/tun.c:1541 [inline] + tun_build_skb+0x4a1/0xa40 drivers/net/tun.c:1636 + tun_get_user+0xc12/0x2030 drivers/net/tun.c:1770 + tun_chr_write_iter+0x71/0x120 drivers/net/tun.c:1999 + new_sync_write fs/read_write.c:593 [inline] + vfs_write+0x45d/0x710 fs/read_write.c:686 + ksys_write+0xa7/0x170 fs/read_write.c:738 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: 37dd0247797b1 ("gue: Receive side for Generic UDP Encapsulation") +Reported-by: syzbot+4d8c7d16b0e95c0d0f0d@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/6965534b.050a0220.38aacd.0001.GAE@google.com/ +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20260115172533.693652-2-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/fou_core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/ipv4/fou_core.c b/net/ipv4/fou_core.c +index 4e0a7d038e219..6df7a0c614d56 100644 +--- a/net/ipv4/fou_core.c ++++ b/net/ipv4/fou_core.c +@@ -215,6 +215,9 @@ static int gue_udp_recv(struct sock *sk, struct sk_buff *skb) + return gue_control_message(skb, guehdr); + + proto_ctype = guehdr->proto_ctype; ++ if (unlikely(!proto_ctype)) ++ goto drop; ++ + __skb_pull(skb, sizeof(struct udphdr) + hdrlen); + skb_reset_transport_header(skb); + +-- +2.51.0 + diff --git a/queue-6.6/ice-avoid-detrimental-cleanup-for-bond-during-interf.patch b/queue-6.6/ice-avoid-detrimental-cleanup-for-bond-during-interf.patch new file mode 100644 index 0000000000..b900f71898 --- /dev/null +++ b/queue-6.6/ice-avoid-detrimental-cleanup-for-bond-during-interf.patch @@ -0,0 +1,77 @@ +From 1c0785be906750e17903fb56fbe2a982f28f7239 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Nov 2025 09:58:26 -0800 +Subject: ice: Avoid detrimental cleanup for bond during interface stop + +From: Dave Ertman + +[ Upstream commit a9d45c22ed120cdd15ff56d0a6e4700c46451901 ] + +When the user issues an administrative down to an interface that is the +primary for an aggregate bond, the prune lists are being purged. This +breaks communication to the secondary interface, which shares a prune +list on the main switch block while bonded together. + +For the primary interface of an aggregate, avoid deleting these prune +lists during stop, and since they are hardcoded to specific values for +the default vlan and QinQ vlans, the attempt to re-add them during the +up phase will quietly fail without any additional problem. + +Fixes: 1e0f9881ef79 ("ice: Flesh out implementation of support for SRIOV on bonded interface") +Reviewed-by: Jacob Keller +Reviewed-by: Marcin Szycik +Signed-off-by: Dave Ertman +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_lib.c | 25 ++++++++++++++++-------- + 1 file changed, 17 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_lib.c b/drivers/net/ethernet/intel/ice/ice_lib.c +index 972c515d8789f..7aef40b50b898 100644 +--- a/drivers/net/ethernet/intel/ice/ice_lib.c ++++ b/drivers/net/ethernet/intel/ice/ice_lib.c +@@ -3897,22 +3897,31 @@ int ice_vsi_add_vlan_zero(struct ice_vsi *vsi) + int ice_vsi_del_vlan_zero(struct ice_vsi *vsi) + { + struct ice_vsi_vlan_ops *vlan_ops = ice_get_compat_vsi_vlan_ops(vsi); ++ struct ice_pf *pf = vsi->back; + struct ice_vlan vlan; + int err; + +- vlan = ICE_VLAN(0, 0, 0); +- err = vlan_ops->del_vlan(vsi, &vlan); +- if (err && err != -EEXIST) +- return err; ++ if (pf->lag && pf->lag->primary) { ++ dev_dbg(ice_pf_to_dev(pf), "Interface is primary in aggregate - not deleting prune list\n"); ++ } else { ++ vlan = ICE_VLAN(0, 0, 0); ++ err = vlan_ops->del_vlan(vsi, &vlan); ++ if (err && err != -EEXIST) ++ return err; ++ } + + /* in SVM both VLAN 0 filters are identical */ + if (!ice_is_dvm_ena(&vsi->back->hw)) + return 0; + +- vlan = ICE_VLAN(ETH_P_8021Q, 0, 0); +- err = vlan_ops->del_vlan(vsi, &vlan); +- if (err && err != -EEXIST) +- return err; ++ if (pf->lag && pf->lag->primary) { ++ dev_dbg(ice_pf_to_dev(pf), "Interface is primary in aggregate - not deleting QinQ prune list\n"); ++ } else { ++ vlan = ICE_VLAN(ETH_P_8021Q, 0, 0); ++ err = vlan_ops->del_vlan(vsi, &vlan); ++ if (err && err != -EEXIST) ++ return err; ++ } + + /* when deleting the last VLAN filter, make sure to disable the VLAN + * promisc mode so the filter isn't left by accident +-- +2.51.0 + diff --git a/queue-6.6/ice-initialize-ring_stats-syncp.patch b/queue-6.6/ice-initialize-ring_stats-syncp.patch new file mode 100644 index 0000000000..e88fcaabaf --- /dev/null +++ b/queue-6.6/ice-initialize-ring_stats-syncp.patch @@ -0,0 +1,51 @@ +From 1e936de7df30aa9b7bc55f95d2222f0c449bfadf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Nov 2025 12:20:41 -0800 +Subject: ice: initialize ring_stats->syncp + +From: Jacob Keller + +[ Upstream commit 8439016c3b8b5ab687c2420317b1691585106611 ] + +The u64_stats_sync structure is empty on 64-bit systems. However, on 32-bit +systems it contains a seqcount_t which needs to be initialized. While the +memory is zero-initialized, a lack of u64_stats_init means that lockdep +won't get initialized properly. Fix this by adding u64_stats_init() calls +to the rings just after allocation. + +Fixes: 2b245cb29421 ("ice: Implement transmit and NAPI support") +Reviewed-by: Aleksandr Loktionov +Signed-off-by: Jacob Keller +Reviewed-by: Simon Horman +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_lib.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/intel/ice/ice_lib.c b/drivers/net/ethernet/intel/ice/ice_lib.c +index a6a290514e548..972c515d8789f 100644 +--- a/drivers/net/ethernet/intel/ice/ice_lib.c ++++ b/drivers/net/ethernet/intel/ice/ice_lib.c +@@ -396,6 +396,8 @@ static int ice_vsi_alloc_ring_stats(struct ice_vsi *vsi) + if (!ring_stats) + goto err_out; + ++ u64_stats_init(&ring_stats->syncp); ++ + WRITE_ONCE(tx_ring_stats[i], ring_stats); + } + +@@ -415,6 +417,8 @@ static int ice_vsi_alloc_ring_stats(struct ice_vsi *vsi) + if (!ring_stats) + goto err_out; + ++ u64_stats_init(&ring_stats->syncp); ++ + WRITE_ONCE(rx_ring_stats[i], ring_stats); + } + +-- +2.51.0 + diff --git a/queue-6.6/igc-fix-race-condition-in-tx-timestamp-read-for-regi.patch b/queue-6.6/igc-fix-race-condition-in-tx-timestamp-read-for-regi.patch new file mode 100644 index 0000000000..5d94d03119 --- /dev/null +++ b/queue-6.6/igc-fix-race-condition-in-tx-timestamp-read-for-regi.patch @@ -0,0 +1,125 @@ +From ba27ea4f6fd4647906d4cc15f1b7ab36a41d344d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Nov 2025 18:53:04 +0800 +Subject: igc: fix race condition in TX timestamp read for register 0 + +From: Chwee-Lin Choong + +[ Upstream commit 6990dc392a9ab10e52af37e0bee8c7b753756dc4 ] + +The current HW bug workaround checks the TXTT_0 ready bit first, +then reads TXSTMPL_0 twice (before and after reading TXSTMPH_0) +to detect whether a new timestamp was captured by timestamp +register 0 during the workaround. + +This sequence has a race: if a new timestamp is captured after +checking the TXTT_0 bit but before the first TXSTMPL_0 read, the +detection fails because both the "old" and "new" values come from +the same timestamp. + +Fix by reading TXSTMPL_0 first to establish a baseline, then +checking the TXTT_0 bit. This ensures any timestamp captured +during the race window will be detected. + +Old sequence: + 1. Check TXTT_0 ready bit + 2. Read TXSTMPL_0 (baseline) + 3. Read TXSTMPH_0 (interrupt workaround) + 4. Read TXSTMPL_0 (detect changes vs baseline) + +New sequence: + 1. Read TXSTMPL_0 (baseline) + 2. Check TXTT_0 ready bit + 3. Read TXSTMPH_0 (interrupt workaround) + 4. Read TXSTMPL_0 (detect changes vs baseline) + +Fixes: c789ad7cbebc ("igc: Work around HW bug causing missing timestamps") +Suggested-by: Avi Shalev +Reviewed-by: Aleksandr Loktionov +Co-developed-by: Song Yoong Siang +Signed-off-by: Song Yoong Siang +Signed-off-by: Chwee-Lin Choong +Tested-by: Avigail Dahan +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_ptp.c | 43 ++++++++++++++---------- + 1 file changed, 25 insertions(+), 18 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc_ptp.c b/drivers/net/ethernet/intel/igc/igc_ptp.c +index a82af96e6bd12..4c07c1e4aa997 100644 +--- a/drivers/net/ethernet/intel/igc/igc_ptp.c ++++ b/drivers/net/ethernet/intel/igc/igc_ptp.c +@@ -758,36 +758,43 @@ static void igc_ptp_tx_reg_to_stamp(struct igc_adapter *adapter, + static void igc_ptp_tx_hwtstamp(struct igc_adapter *adapter) + { + struct igc_hw *hw = &adapter->hw; ++ u32 txstmpl_old; + u64 regval; + u32 mask; + int i; + ++ /* Establish baseline of TXSTMPL_0 before checking TXTT_0. ++ * This baseline is used to detect if a new timestamp arrives in ++ * register 0 during the hardware bug workaround below. ++ */ ++ txstmpl_old = rd32(IGC_TXSTMPL); ++ + mask = rd32(IGC_TSYNCTXCTL) & IGC_TSYNCTXCTL_TXTT_ANY; + if (mask & IGC_TSYNCTXCTL_TXTT_0) { + regval = rd32(IGC_TXSTMPL); + regval |= (u64)rd32(IGC_TXSTMPH) << 32; + } else { +- /* There's a bug in the hardware that could cause +- * missing interrupts for TX timestamping. The issue +- * is that for new interrupts to be triggered, the +- * IGC_TXSTMPH_0 register must be read. ++ /* TXTT_0 not set - register 0 has no new timestamp initially. ++ * ++ * Hardware bug: Future timestamp interrupts won't fire unless ++ * TXSTMPH_0 is read, even if the timestamp was captured in ++ * registers 1-3. + * +- * To avoid discarding a valid timestamp that just +- * happened at the "wrong" time, we need to confirm +- * that there was no timestamp captured, we do that by +- * assuming that no two timestamps in sequence have +- * the same nanosecond value. ++ * Workaround: Read TXSTMPH_0 here to enable future interrupts. ++ * However, this read clears TXTT_0. If a timestamp arrives in ++ * register 0 after checking TXTT_0 but before this read, it ++ * would be lost. + * +- * So, we read the "low" register, read the "high" +- * register (to latch a new timestamp) and read the +- * "low" register again, if "old" and "new" versions +- * of the "low" register are different, a valid +- * timestamp was captured, we can read the "high" +- * register again. ++ * To detect this race: We saved a baseline read of TXSTMPL_0 ++ * before TXTT_0 check. After performing the workaround read of ++ * TXSTMPH_0, we read TXSTMPL_0 again. Since consecutive ++ * timestamps never share the same nanosecond value, a change ++ * between the baseline and new TXSTMPL_0 indicates a timestamp ++ * arrived during the race window. If so, read the complete ++ * timestamp. + */ +- u32 txstmpl_old, txstmpl_new; ++ u32 txstmpl_new; + +- txstmpl_old = rd32(IGC_TXSTMPL); + rd32(IGC_TXSTMPH); + txstmpl_new = rd32(IGC_TXSTMPL); + +@@ -802,7 +809,7 @@ static void igc_ptp_tx_hwtstamp(struct igc_adapter *adapter) + + done: + /* Now that the problematic first register was handled, we can +- * use retrieve the timestamps from the other registers ++ * retrieve the timestamps from the other registers + * (starting from '1') with less complications. + */ + for (i = 1; i < IGC_MAX_TX_TSTAMP_REGS; i++) { +-- +2.51.0 + diff --git a/queue-6.6/ipvlan-make-the-addrs_lock-be-per-port.patch b/queue-6.6/ipvlan-make-the-addrs_lock-be-per-port.patch new file mode 100644 index 0000000000..fd1542e03c --- /dev/null +++ b/queue-6.6/ipvlan-make-the-addrs_lock-be-per-port.patch @@ -0,0 +1,292 @@ +From 1091b6211f70af11706003e4f479ee908d0cde45 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 17:24:06 +0300 +Subject: ipvlan: Make the addrs_lock be per port + +From: Dmitry Skorodumov + +[ Upstream commit d3ba32162488283c0a4c5bedd8817aec91748802 ] + +Make the addrs_lock be per port, not per ipvlan dev. + +Initial code seems to be written in the assumption, +that any address change must occur under RTNL. +But it is not so for the case of IPv6. So + +1) Introduce per-port addrs_lock. + +2) It was needed to fix places where it was forgotten +to take lock (ipvlan_open/ipvlan_close) + +This appears to be a very minor problem though. +Since it's highly unlikely that ipvlan_add_addr() will +be called on 2 CPU simultaneously. But nevertheless, +this could cause: + +1) False-negative of ipvlan_addr_busy(): one interface +iterated through all port->ipvlans + ipvlan->addrs +under some ipvlan spinlock, and another added IP +under its own lock. Though this is only possible +for IPv6, since looks like only ipvlan_addr6_event() can be +called without rtnl_lock. + +2) Race since ipvlan_ht_addr_add(port) is called under +different ipvlan->addrs_lock locks + +This should not affect performance, since add/remove IP +is a rare situation and spinlock is not taken on fast +paths. + +Fixes: 8230819494b3 ("ipvlan: use per device spinlock to protect addrs list updates") +Signed-off-by: Dmitry Skorodumov +Reviewed-by: Paolo Abeni +Link: https://patch.msgid.link/20260112142417.4039566-2-skorodumov.dmitry@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ipvlan/ipvlan.h | 2 +- + drivers/net/ipvlan/ipvlan_core.c | 16 +++++------ + drivers/net/ipvlan/ipvlan_main.c | 49 +++++++++++++++++++------------- + 3 files changed, 37 insertions(+), 30 deletions(-) + +diff --git a/drivers/net/ipvlan/ipvlan.h b/drivers/net/ipvlan/ipvlan.h +index 025e0c19ec255..fce3ced90bd3d 100644 +--- a/drivers/net/ipvlan/ipvlan.h ++++ b/drivers/net/ipvlan/ipvlan.h +@@ -69,7 +69,6 @@ struct ipvl_dev { + DECLARE_BITMAP(mac_filters, IPVLAN_MAC_FILTER_SIZE); + netdev_features_t sfeatures; + u32 msg_enable; +- spinlock_t addrs_lock; + }; + + struct ipvl_addr { +@@ -90,6 +89,7 @@ struct ipvl_port { + struct net_device *dev; + possible_net_t pnet; + struct hlist_head hlhead[IPVLAN_HASH_SIZE]; ++ spinlock_t addrs_lock; /* guards hash-table and addrs */ + struct list_head ipvlans; + u16 mode; + u16 flags; +diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c +index 83bd65a227709..268ea41a17d52 100644 +--- a/drivers/net/ipvlan/ipvlan_core.c ++++ b/drivers/net/ipvlan/ipvlan_core.c +@@ -107,17 +107,15 @@ void ipvlan_ht_addr_del(struct ipvl_addr *addr) + struct ipvl_addr *ipvlan_find_addr(const struct ipvl_dev *ipvlan, + const void *iaddr, bool is_v6) + { +- struct ipvl_addr *addr, *ret = NULL; ++ struct ipvl_addr *addr; + +- rcu_read_lock(); +- list_for_each_entry_rcu(addr, &ipvlan->addrs, anode) { +- if (addr_equal(is_v6, addr, iaddr)) { +- ret = addr; +- break; +- } ++ assert_spin_locked(&ipvlan->port->addrs_lock); ++ ++ list_for_each_entry(addr, &ipvlan->addrs, anode) { ++ if (addr_equal(is_v6, addr, iaddr)) ++ return addr; + } +- rcu_read_unlock(); +- return ret; ++ return NULL; + } + + bool ipvlan_addr_busy(struct ipvl_port *port, void *iaddr, bool is_v6) +diff --git a/drivers/net/ipvlan/ipvlan_main.c b/drivers/net/ipvlan/ipvlan_main.c +index 57c79f5f29916..679e816146d81 100644 +--- a/drivers/net/ipvlan/ipvlan_main.c ++++ b/drivers/net/ipvlan/ipvlan_main.c +@@ -74,6 +74,7 @@ static int ipvlan_port_create(struct net_device *dev) + for (idx = 0; idx < IPVLAN_HASH_SIZE; idx++) + INIT_HLIST_HEAD(&port->hlhead[idx]); + ++ spin_lock_init(&port->addrs_lock); + skb_queue_head_init(&port->backlog); + INIT_WORK(&port->wq, ipvlan_process_multicast); + ida_init(&port->ida); +@@ -179,6 +180,7 @@ static void ipvlan_uninit(struct net_device *dev) + static int ipvlan_open(struct net_device *dev) + { + struct ipvl_dev *ipvlan = netdev_priv(dev); ++ struct ipvl_port *port = ipvlan->port; + struct ipvl_addr *addr; + + if (ipvlan->port->mode == IPVLAN_MODE_L3 || +@@ -187,10 +189,10 @@ static int ipvlan_open(struct net_device *dev) + else + dev->flags &= ~IFF_NOARP; + +- rcu_read_lock(); +- list_for_each_entry_rcu(addr, &ipvlan->addrs, anode) ++ spin_lock_bh(&port->addrs_lock); ++ list_for_each_entry(addr, &ipvlan->addrs, anode) + ipvlan_ht_addr_add(ipvlan, addr); +- rcu_read_unlock(); ++ spin_unlock_bh(&port->addrs_lock); + + return 0; + } +@@ -204,10 +206,10 @@ static int ipvlan_stop(struct net_device *dev) + dev_uc_unsync(phy_dev, dev); + dev_mc_unsync(phy_dev, dev); + +- rcu_read_lock(); +- list_for_each_entry_rcu(addr, &ipvlan->addrs, anode) ++ spin_lock_bh(&ipvlan->port->addrs_lock); ++ list_for_each_entry(addr, &ipvlan->addrs, anode) + ipvlan_ht_addr_del(addr); +- rcu_read_unlock(); ++ spin_unlock_bh(&ipvlan->port->addrs_lock); + + return 0; + } +@@ -574,7 +576,6 @@ int ipvlan_link_new(struct net *src_net, struct net_device *dev, + if (!tb[IFLA_MTU]) + ipvlan_adjust_mtu(ipvlan, phy_dev); + INIT_LIST_HEAD(&ipvlan->addrs); +- spin_lock_init(&ipvlan->addrs_lock); + + /* TODO Probably put random address here to be presented to the + * world but keep using the physical-dev address for the outgoing +@@ -652,13 +653,13 @@ void ipvlan_link_delete(struct net_device *dev, struct list_head *head) + struct ipvl_dev *ipvlan = netdev_priv(dev); + struct ipvl_addr *addr, *next; + +- spin_lock_bh(&ipvlan->addrs_lock); ++ spin_lock_bh(&ipvlan->port->addrs_lock); + list_for_each_entry_safe(addr, next, &ipvlan->addrs, anode) { + ipvlan_ht_addr_del(addr); + list_del_rcu(&addr->anode); + kfree_rcu(addr, rcu); + } +- spin_unlock_bh(&ipvlan->addrs_lock); ++ spin_unlock_bh(&ipvlan->port->addrs_lock); + + ida_simple_remove(&ipvlan->port->ida, dev->dev_id); + list_del_rcu(&ipvlan->pnode); +@@ -805,6 +806,8 @@ static int ipvlan_add_addr(struct ipvl_dev *ipvlan, void *iaddr, bool is_v6) + { + struct ipvl_addr *addr; + ++ assert_spin_locked(&ipvlan->port->addrs_lock); ++ + addr = kzalloc(sizeof(struct ipvl_addr), GFP_ATOMIC); + if (!addr) + return -ENOMEM; +@@ -835,16 +838,16 @@ static void ipvlan_del_addr(struct ipvl_dev *ipvlan, void *iaddr, bool is_v6) + { + struct ipvl_addr *addr; + +- spin_lock_bh(&ipvlan->addrs_lock); ++ spin_lock_bh(&ipvlan->port->addrs_lock); + addr = ipvlan_find_addr(ipvlan, iaddr, is_v6); + if (!addr) { +- spin_unlock_bh(&ipvlan->addrs_lock); ++ spin_unlock_bh(&ipvlan->port->addrs_lock); + return; + } + + ipvlan_ht_addr_del(addr); + list_del_rcu(&addr->anode); +- spin_unlock_bh(&ipvlan->addrs_lock); ++ spin_unlock_bh(&ipvlan->port->addrs_lock); + kfree_rcu(addr, rcu); + } + +@@ -866,14 +869,14 @@ static int ipvlan_add_addr6(struct ipvl_dev *ipvlan, struct in6_addr *ip6_addr) + { + int ret = -EINVAL; + +- spin_lock_bh(&ipvlan->addrs_lock); ++ spin_lock_bh(&ipvlan->port->addrs_lock); + if (ipvlan_addr_busy(ipvlan->port, ip6_addr, true)) + netif_err(ipvlan, ifup, ipvlan->dev, + "Failed to add IPv6=%pI6c addr for %s intf\n", + ip6_addr, ipvlan->dev->name); + else + ret = ipvlan_add_addr(ipvlan, ip6_addr, true); +- spin_unlock_bh(&ipvlan->addrs_lock); ++ spin_unlock_bh(&ipvlan->port->addrs_lock); + return ret; + } + +@@ -912,21 +915,24 @@ static int ipvlan_addr6_validator_event(struct notifier_block *unused, + struct in6_validator_info *i6vi = (struct in6_validator_info *)ptr; + struct net_device *dev = (struct net_device *)i6vi->i6vi_dev->dev; + struct ipvl_dev *ipvlan = netdev_priv(dev); ++ int ret = NOTIFY_OK; + + if (!ipvlan_is_valid_dev(dev)) + return NOTIFY_DONE; + + switch (event) { + case NETDEV_UP: ++ spin_lock_bh(&ipvlan->port->addrs_lock); + if (ipvlan_addr_busy(ipvlan->port, &i6vi->i6vi_addr, true)) { + NL_SET_ERR_MSG(i6vi->extack, + "Address already assigned to an ipvlan device"); +- return notifier_from_errno(-EADDRINUSE); ++ ret = notifier_from_errno(-EADDRINUSE); + } ++ spin_unlock_bh(&ipvlan->port->addrs_lock); + break; + } + +- return NOTIFY_OK; ++ return ret; + } + #endif + +@@ -934,14 +940,14 @@ static int ipvlan_add_addr4(struct ipvl_dev *ipvlan, struct in_addr *ip4_addr) + { + int ret = -EINVAL; + +- spin_lock_bh(&ipvlan->addrs_lock); ++ spin_lock_bh(&ipvlan->port->addrs_lock); + if (ipvlan_addr_busy(ipvlan->port, ip4_addr, false)) + netif_err(ipvlan, ifup, ipvlan->dev, + "Failed to add IPv4=%pI4 on %s intf.\n", + ip4_addr, ipvlan->dev->name); + else + ret = ipvlan_add_addr(ipvlan, ip4_addr, false); +- spin_unlock_bh(&ipvlan->addrs_lock); ++ spin_unlock_bh(&ipvlan->port->addrs_lock); + return ret; + } + +@@ -983,21 +989,24 @@ static int ipvlan_addr4_validator_event(struct notifier_block *unused, + struct in_validator_info *ivi = (struct in_validator_info *)ptr; + struct net_device *dev = (struct net_device *)ivi->ivi_dev->dev; + struct ipvl_dev *ipvlan = netdev_priv(dev); ++ int ret = NOTIFY_OK; + + if (!ipvlan_is_valid_dev(dev)) + return NOTIFY_DONE; + + switch (event) { + case NETDEV_UP: ++ spin_lock_bh(&ipvlan->port->addrs_lock); + if (ipvlan_addr_busy(ipvlan->port, &ivi->ivi_addr, false)) { + NL_SET_ERR_MSG(ivi->extack, + "Address already assigned to an ipvlan device"); +- return notifier_from_errno(-EADDRINUSE); ++ ret = notifier_from_errno(-EADDRINUSE); + } ++ spin_unlock_bh(&ipvlan->port->addrs_lock); + break; + } + +- return NOTIFY_OK; ++ return ret; + } + + static struct notifier_block ipvlan_addr4_notifier_block __read_mostly = { +-- +2.51.0 + diff --git a/queue-6.6/l2tp-avoid-one-data-race-in-l2tp_tunnel_del_work.patch b/queue-6.6/l2tp-avoid-one-data-race-in-l2tp_tunnel_del_work.patch new file mode 100644 index 0000000000..f8cd00209d --- /dev/null +++ b/queue-6.6/l2tp-avoid-one-data-race-in-l2tp_tunnel_del_work.patch @@ -0,0 +1,85 @@ +From c42dec56a0172d287b9cecf9068cc7b2595e12fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jan 2026 09:21:39 +0000 +Subject: l2tp: avoid one data-race in l2tp_tunnel_del_work() + +From: Eric Dumazet + +[ Upstream commit 7a29f6bf60f2590fe5e9c4decb451e19afad2bcf ] + +We should read sk->sk_socket only when dealing with kernel sockets. + +syzbot reported the following data-race: + +BUG: KCSAN: data-race in l2tp_tunnel_del_work / sk_common_release + +write to 0xffff88811c182b20 of 8 bytes by task 5365 on cpu 0: + sk_set_socket include/net/sock.h:2092 [inline] + sock_orphan include/net/sock.h:2118 [inline] + sk_common_release+0xae/0x230 net/core/sock.c:4003 + udp_lib_close+0x15/0x20 include/net/udp.h:325 + inet_release+0xce/0xf0 net/ipv4/af_inet.c:437 + __sock_release net/socket.c:662 [inline] + sock_close+0x6b/0x150 net/socket.c:1455 + __fput+0x29b/0x650 fs/file_table.c:468 + ____fput+0x1c/0x30 fs/file_table.c:496 + task_work_run+0x131/0x1a0 kernel/task_work.c:233 + resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] + __exit_to_user_mode_loop kernel/entry/common.c:44 [inline] + exit_to_user_mode_loop+0x1fe/0x740 kernel/entry/common.c:75 + __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline] + syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline] + syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline] + syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline] + do_syscall_64+0x1e1/0x2b0 arch/x86/entry/syscall_64.c:100 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +read to 0xffff88811c182b20 of 8 bytes by task 827 on cpu 1: + l2tp_tunnel_del_work+0x2f/0x1a0 net/l2tp/l2tp_core.c:1418 + process_one_work kernel/workqueue.c:3257 [inline] + process_scheduled_works+0x4ce/0x9d0 kernel/workqueue.c:3340 + worker_thread+0x582/0x770 kernel/workqueue.c:3421 + kthread+0x489/0x510 kernel/kthread.c:463 + ret_from_fork+0x149/0x290 arch/x86/kernel/process.c:158 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 + +value changed: 0xffff88811b818000 -> 0x0000000000000000 + +Fixes: d00fa9adc528 ("l2tp: fix races with tunnel socket close") +Reported-by: syzbot+7312e82745f7fa2526db@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/6968b029.050a0220.58bed.0016.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: James Chapman +Reviewed-by: Guillaume Nault +Link: https://patch.msgid.link/20260115092139.3066180-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/l2tp/l2tp_core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c +index 70da78ab95202..e0ca08ebd16a9 100644 +--- a/net/l2tp/l2tp_core.c ++++ b/net/l2tp/l2tp_core.c +@@ -1250,8 +1250,6 @@ static void l2tp_tunnel_del_work(struct work_struct *work) + { + struct l2tp_tunnel *tunnel = container_of(work, struct l2tp_tunnel, + del_work); +- struct sock *sk = tunnel->sock; +- struct socket *sock = sk->sk_socket; + + l2tp_tunnel_closeall(tunnel); + +@@ -1259,6 +1257,8 @@ static void l2tp_tunnel_del_work(struct work_struct *work) + * the sk API to release it here. + */ + if (tunnel->fd < 0) { ++ struct socket *sock = tunnel->sock->sk_socket; ++ + if (sock) { + kernel_sock_shutdown(sock, SHUT_RDWR); + sock_release(sock); +-- +2.51.0 + diff --git a/queue-6.6/net-sched-enforce-that-teql-can-only-be-used-as-root.patch b/queue-6.6/net-sched-enforce-that-teql-can-only-be-used-as-root.patch new file mode 100644 index 0000000000..69a9d65d2d --- /dev/null +++ b/queue-6.6/net-sched-enforce-that-teql-can-only-be-used-as-root.patch @@ -0,0 +1,68 @@ +From 84b00cb5f4d2f302d4f27b77eb52c3f4118594f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jan 2026 11:02:41 -0500 +Subject: net/sched: Enforce that teql can only be used as root qdisc +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jamal Hadi Salim + +[ Upstream commit 50da4b9d07a7a463e2cfb738f3ad4cff6b2c9c3b ] + +Design intent of teql is that it is only supposed to be used as root qdisc. +We need to check for that constraint. + +Although not important, I will describe the scenario that unearthed this +issue for the curious. + +GangMin Kim managed to concot a scenario as follows: + +ROOT qdisc 1:0 (QFQ) + ├── class 1:1 (weight=15, lmax=16384) netem with delay 6.4s + └── class 1:2 (weight=1, lmax=1514) teql + +GangMin sends a packet which is enqueued to 1:1 (netem). +Any invocation of dequeue by QFQ from this class will not return a packet +until after 6.4s. In the meantime, a second packet is sent and it lands on +1:2. teql's enqueue will return success and this will activate class 1:2. +Main issue is that teql only updates the parent visible qlen (sch->q.qlen) +at dequeue. Since QFQ will only call dequeue if peek succeeds (and teql's +peek always returns NULL), dequeue will never be called and thus the qlen +will remain as 0. With that in mind, when GangMin updates 1:2's lmax value, +the qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc's +qlen was not incremented, qfq fails to deactivate the class, but still +frees its pointers from the aggregate. So when the first packet is +rescheduled after 6.4 seconds (netem's delay), a dangling pointer is +accessed causing GangMin's causing a UAF. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: GangMin Kim +Tested-by: Victor Nogueira +Signed-off-by: Jamal Hadi Salim +Link: https://patch.msgid.link/20260114160243.913069-2-jhs@mojatatu.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_teql.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/sched/sch_teql.c b/net/sched/sch_teql.c +index 7721239c185fb..0a7856e14a975 100644 +--- a/net/sched/sch_teql.c ++++ b/net/sched/sch_teql.c +@@ -178,6 +178,11 @@ static int teql_qdisc_init(struct Qdisc *sch, struct nlattr *opt, + if (m->dev == dev) + return -ELOOP; + ++ if (sch->parent != TC_H_ROOT) { ++ NL_SET_ERR_MSG_MOD(extack, "teql can only be used as root"); ++ return -EOPNOTSUPP; ++ } ++ + q->m = m; + + skb_queue_head_init(&q->q); +-- +2.51.0 + diff --git a/queue-6.6/net-sched-qfq-use-cl_is_active-to-determine-whether-.patch b/queue-6.6/net-sched-qfq-use-cl_is_active-to-determine-whether-.patch new file mode 100644 index 0000000000..0ffe587551 --- /dev/null +++ b/queue-6.6/net-sched-qfq-use-cl_is_active-to-determine-whether-.patch @@ -0,0 +1,40 @@ +From 8b59586dda88c8cc54fe789441140e27f4e3cfb0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jan 2026 11:02:42 -0500 +Subject: net/sched: qfq: Use cl_is_active to determine whether class is active + in qfq_rm_from_ag + +From: Jamal Hadi Salim + +[ Upstream commit d837fbee92453fbb829f950c8e7cf76207d73f33 ] + +This is more of a preventive patch to make the code more consistent and +to prevent possible exploits that employ child qlen manipulations on qfq. +use cl_is_active instead of relying on the child qdisc's qlen to determine +class activation. + +Fixes: 462dbc9101acd ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost") +Signed-off-by: Jamal Hadi Salim +Link: https://patch.msgid.link/20260114160243.913069-3-jhs@mojatatu.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_qfq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c +index 7c6b5428b8ed4..a17f7c31378e6 100644 +--- a/net/sched/sch_qfq.c ++++ b/net/sched/sch_qfq.c +@@ -373,7 +373,7 @@ static void qfq_rm_from_agg(struct qfq_sched *q, struct qfq_class *cl) + /* Deschedule class and remove it from its parent aggregate. */ + static void qfq_deact_rm_from_agg(struct qfq_sched *q, struct qfq_class *cl) + { +- if (cl->qdisc->q.qlen > 0) /* class is active */ ++ if (cl_is_active(cl)) /* class is active */ + qfq_deactivate_class(q, cl); + + qfq_rm_from_agg(q, cl); +-- +2.51.0 + diff --git a/queue-6.6/net-usb-dm9601-remove-broken-sr9700-support.patch b/queue-6.6/net-usb-dm9601-remove-broken-sr9700-support.patch new file mode 100644 index 0000000000..694eb13344 --- /dev/null +++ b/queue-6.6/net-usb-dm9601-remove-broken-sr9700-support.patch @@ -0,0 +1,53 @@ +From 3a07c352258950d07c6db4289f05e68a3287e7ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 22:39:24 -0800 +Subject: net: usb: dm9601: remove broken SR9700 support + +From: Ethan Nelson-Moore + +[ Upstream commit 7d7dbafefbe74f5a25efc4807af093b857a7612e ] + +The SR9700 chip sends more than one packet in a USB transaction, +like the DM962x chips can optionally do, but the dm9601 driver does not +support this mode, and the hardware does not have the DM962x +MODE_CTL register to disable it, so this driver drops packets on SR9700 +devices. The sr9700 driver correctly handles receiving more than one +packet per transaction. + +While the dm9601 driver could be improved to handle this, the easiest +way to fix this issue in the short term is to remove the SR9700 device +ID from the dm9601 driver so the sr9700 driver is always used. This +device ID should not have been in more than one driver to begin with. + +The "Fixes" commit was chosen so that the patch is automatically +included in all kernels that have the sr9700 driver, even though the +issue affects dm9601. + +Fixes: c9b37458e956 ("USB2NET : SR9700 : One chip USB 1.1 USB2NET SR9700Device Driver Support") +Signed-off-by: Ethan Nelson-Moore +Acked-by: Peter Korsgaard +Link: https://patch.msgid.link/20260113063924.74464-1-enelsonmoore@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/dm9601.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/net/usb/dm9601.c b/drivers/net/usb/dm9601.c +index 8b6d6a1b3c2ec..2b4716ccf0c5b 100644 +--- a/drivers/net/usb/dm9601.c ++++ b/drivers/net/usb/dm9601.c +@@ -603,10 +603,6 @@ static const struct usb_device_id products[] = { + USB_DEVICE(0x0fe6, 0x8101), /* DM9601 USB to Fast Ethernet Adapter */ + .driver_info = (unsigned long)&dm9601_info, + }, +- { +- USB_DEVICE(0x0fe6, 0x9700), /* DM9601 USB to Fast Ethernet Adapter */ +- .driver_info = (unsigned long)&dm9601_info, +- }, + { + USB_DEVICE(0x0a46, 0x9000), /* DM9000E */ + .driver_info = (unsigned long)&dm9601_info, +-- +2.51.0 + diff --git a/queue-6.6/octeontx2-cn10k-fix-rx-flowid-tcam-mask-handling.patch b/queue-6.6/octeontx2-cn10k-fix-rx-flowid-tcam-mask-handling.patch new file mode 100644 index 0000000000..ce2c4aef74 --- /dev/null +++ b/queue-6.6/octeontx2-cn10k-fix-rx-flowid-tcam-mask-handling.patch @@ -0,0 +1,43 @@ +From 6543d4c84b21c27ed4d88574901d9f1921ea748e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jan 2026 08:47:12 -0800 +Subject: octeontx2: cn10k: fix RX flowid TCAM mask handling + +From: Alok Tiwari + +[ Upstream commit ab9b218a1521133a4410722907fa7189566be9bc ] + +The RX flowid programming initializes the TCAM mask to all ones, but +then overwrites it when clearing the MAC DA mask bits. This results +in losing the intended initialization and may affect other match fields. + +Update the code to clear the MAC DA bits using an AND operation, making +the handling of mask[0] consistent with mask[1], where the field-specific +bits are cleared after initializing the mask to ~0ULL. + +Fixes: 57d00d4364f3 ("octeontx2-pf: mcs: Match macsec ethertype along with DMAC") +Signed-off-by: Alok Tiwari +Reviewed-by: Subbaraya Sundeep +Link: https://patch.msgid.link/20260116164724.2733511-1-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c +index 74953f67a2bf9..3af58bc9f533c 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c +@@ -330,7 +330,7 @@ static int cn10k_mcs_write_rx_flowid(struct otx2_nic *pfvf, + + req->data[0] = FIELD_PREP(MCS_TCAM0_MAC_DA_MASK, mac_da); + req->mask[0] = ~0ULL; +- req->mask[0] = ~MCS_TCAM0_MAC_DA_MASK; ++ req->mask[0] &= ~MCS_TCAM0_MAC_DA_MASK; + + req->data[1] = FIELD_PREP(MCS_TCAM1_ETYPE_MASK, ETH_P_MACSEC); + req->mask[1] = ~0ULL; +-- +2.51.0 + diff --git a/queue-6.6/pmdomain-qcom-rpmhpd-add-mxc-to-sc8280xp.patch b/queue-6.6/pmdomain-qcom-rpmhpd-add-mxc-to-sc8280xp.patch new file mode 100644 index 0000000000..a591103a7f --- /dev/null +++ b/queue-6.6/pmdomain-qcom-rpmhpd-add-mxc-to-sc8280xp.patch @@ -0,0 +1,50 @@ +From 9dc81537e3ffece8b40fc1d80be2c50c2fff75ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Dec 2025 18:36:21 +0100 +Subject: pmdomain: qcom: rpmhpd: Add MXC to SC8280XP + +From: Konrad Dybcio + +[ Upstream commit 5bc3e720e725cd5fa34875fa1e5434d565858067 ] + +This was apparently accounted for in dt-bindings, but never made its +way into the driver. + +Fix it for SC8280XP and its VDD_GFX-less cousin, SA8540P. + +Fixes: f68f1cb3437d ("soc: qcom: rpmhpd: add sc8280xp & sa8540p rpmh power-domains") +Reviewed-by: Dmitry Baryshkov +Signed-off-by: Konrad Dybcio +Reviewed-by: Ulf Hansson +Link: https://lore.kernel.org/r/20251202-topic-8280_mxc-v2-2-46cdf47a829e@oss.qualcomm.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/pmdomain/qcom/rpmhpd.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/pmdomain/qcom/rpmhpd.c b/drivers/pmdomain/qcom/rpmhpd.c +index 1bb9f70ab04c8..823604952b5ec 100644 +--- a/drivers/pmdomain/qcom/rpmhpd.c ++++ b/drivers/pmdomain/qcom/rpmhpd.c +@@ -217,6 +217,8 @@ static struct rpmhpd *sa8540p_rpmhpds[] = { + [SC8280XP_MMCX_AO] = &mmcx_ao, + [SC8280XP_MX] = &mx, + [SC8280XP_MX_AO] = &mx_ao, ++ [SC8280XP_MXC] = &mxc, ++ [SC8280XP_MXC_AO] = &mxc_ao, + [SC8280XP_NSP] = &nsp, + }; + +@@ -541,6 +543,8 @@ static struct rpmhpd *sc8280xp_rpmhpds[] = { + [SC8280XP_MMCX_AO] = &mmcx_ao, + [SC8280XP_MX] = &mx, + [SC8280XP_MX_AO] = &mx_ao, ++ [SC8280XP_MXC] = &mxc, ++ [SC8280XP_MXC_AO] = &mxc_ao, + [SC8280XP_NSP] = &nsp, + [SC8280XP_QPHY] = &qphy, + }; +-- +2.51.0 + diff --git a/queue-6.6/sctp-move-sctp_cmd_assoc_shkey-right-after-sctp_cmd_.patch b/queue-6.6/sctp-move-sctp_cmd_assoc_shkey-right-after-sctp_cmd_.patch new file mode 100644 index 0000000000..217e4608e2 --- /dev/null +++ b/queue-6.6/sctp-move-sctp_cmd_assoc_shkey-right-after-sctp_cmd_.patch @@ -0,0 +1,101 @@ +From 8ac6e13e3a1a453086d0c615c9565b8018287a04 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 12:10:26 -0500 +Subject: sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT + +From: Xin Long + +[ Upstream commit a80c9d945aef55b23b54838334345f20251dad83 ] + +A null-ptr-deref was reported in the SCTP transmit path when SCTP-AUTH key +initialization fails: + + ================================================================== + KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f] + CPU: 0 PID: 16 Comm: ksoftirqd/0 Tainted: G W 6.6.0 #2 + RIP: 0010:sctp_packet_bundle_auth net/sctp/output.c:264 [inline] + RIP: 0010:sctp_packet_append_chunk+0xb36/0x1260 net/sctp/output.c:401 + Call Trace: + + sctp_packet_transmit_chunk+0x31/0x250 net/sctp/output.c:189 + sctp_outq_flush_data+0xa29/0x26d0 net/sctp/outqueue.c:1111 + sctp_outq_flush+0xc80/0x1240 net/sctp/outqueue.c:1217 + sctp_cmd_interpreter.isra.0+0x19a5/0x62c0 net/sctp/sm_sideeffect.c:1787 + sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline] + sctp_do_sm+0x1a3/0x670 net/sctp/sm_sideeffect.c:1169 + sctp_assoc_bh_rcv+0x33e/0x640 net/sctp/associola.c:1052 + sctp_inq_push+0x1dd/0x280 net/sctp/inqueue.c:88 + sctp_rcv+0x11ae/0x3100 net/sctp/input.c:243 + sctp6_rcv+0x3d/0x60 net/sctp/ipv6.c:1127 + +The issue is triggered when sctp_auth_asoc_init_active_key() fails in +sctp_sf_do_5_1C_ack() while processing an INIT_ACK. In this case, the +command sequence is currently: + +- SCTP_CMD_PEER_INIT +- SCTP_CMD_TIMER_STOP (T1_INIT) +- SCTP_CMD_TIMER_START (T1_COOKIE) +- SCTP_CMD_NEW_STATE (COOKIE_ECHOED) +- SCTP_CMD_ASSOC_SHKEY +- SCTP_CMD_GEN_COOKIE_ECHO + +If SCTP_CMD_ASSOC_SHKEY fails, asoc->shkey remains NULL, while +asoc->peer.auth_capable and asoc->peer.peer_chunks have already been set by +SCTP_CMD_PEER_INIT. This allows a DATA chunk with auth = 1 and shkey = NULL +to be queued by sctp_datamsg_from_user(). + +Since command interpretation stops on failure, no COOKIE_ECHO should been +sent via SCTP_CMD_GEN_COOKIE_ECHO. However, the T1_COOKIE timer has already +been started, and it may enqueue a COOKIE_ECHO into the outqueue later. As +a result, the DATA chunk can be transmitted together with the COOKIE_ECHO +in sctp_outq_flush_data(), leading to the observed issue. + +Similar to the other places where it calls sctp_auth_asoc_init_active_key() +right after sctp_process_init(), this patch moves the SCTP_CMD_ASSOC_SHKEY +immediately after SCTP_CMD_PEER_INIT, before stopping T1_INIT and starting +T1_COOKIE. This ensures that if shared key generation fails, authenticated +DATA cannot be sent. It also allows the T1_INIT timer to retransmit INIT, +giving the client another chance to process INIT_ACK and retry key setup. + +Fixes: 730fc3d05cd4 ("[SCTP]: Implete SCTP-AUTH parameter processing") +Reported-by: Zhen Chen +Tested-by: Zhen Chen +Signed-off-by: Xin Long +Link: https://patch.msgid.link/44881224b375aa8853f5e19b4055a1a56d895813.1768324226.git.lucien.xin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/sm_statefuns.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c +index cd18b22b2bbae..e0e626dc79535 100644 +--- a/net/sctp/sm_statefuns.c ++++ b/net/sctp/sm_statefuns.c +@@ -602,6 +602,11 @@ enum sctp_disposition sctp_sf_do_5_1C_ack(struct net *net, + sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT, + SCTP_PEER_INIT(initchunk)); + ++ /* SCTP-AUTH: generate the association shared keys so that ++ * we can potentially sign the COOKIE-ECHO. ++ */ ++ sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL()); ++ + /* Reset init error count upon receipt of INIT-ACK. */ + sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL()); + +@@ -616,11 +621,6 @@ enum sctp_disposition sctp_sf_do_5_1C_ack(struct net *net, + sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, + SCTP_STATE(SCTP_STATE_COOKIE_ECHOED)); + +- /* SCTP-AUTH: generate the association shared keys so that +- * we can potentially sign the COOKIE-ECHO. +- */ +- sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL()); +- + /* 5.1 C) "A" shall then send the State Cookie received in the + * INIT ACK chunk in a COOKIE ECHO chunk, ... + */ +-- +2.51.0 + diff --git a/queue-6.6/selftests-net-convert-fib-onlink-tests.sh-to-run-it-.patch b/queue-6.6/selftests-net-convert-fib-onlink-tests.sh-to-run-it-.patch new file mode 100644 index 0000000000..291a5cef56 --- /dev/null +++ b/queue-6.6/selftests-net-convert-fib-onlink-tests.sh-to-run-it-.patch @@ -0,0 +1,84 @@ +From cb6e7d33abd712a1bed47b1562ce61b4a8eb5212 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Dec 2023 14:08:53 +0800 +Subject: selftests/net: convert fib-onlink-tests.sh to run it in unique + namespace + +From: Hangbin Liu + +[ Upstream commit 3a06833b2adc0a902f2469ad4ce41ccd64f1f3ab ] + +Remove PEER_CMD, which is not used in this test + +Here is the test result after conversion. + + ]# ./fib-onlink-tests.sh + Error: ipv4: FIB table does not exist. + Flush terminated + Error: ipv6: FIB table does not exist. + Flush terminated + + ######################################## + Configuring interfaces + + ... + + TEST: Gateway resolves to wrong nexthop device - VRF [ OK ] + + Tests passed: 38 + Tests failed: 0 + +Acked-by: David Ahern +Signed-off-by: Hangbin Liu +Link: https://lore.kernel.org/r/20231213060856.4030084-11-liuhangbin@gmail.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: 4f5f148dd7c0 ("selftests: net: fib-onlink-tests: Convert to use namespaces by default") +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/fib-onlink-tests.sh | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/tools/testing/selftests/net/fib-onlink-tests.sh b/tools/testing/selftests/net/fib-onlink-tests.sh +index c287b90b8af80..ec2d6ceb1f08d 100755 +--- a/tools/testing/selftests/net/fib-onlink-tests.sh ++++ b/tools/testing/selftests/net/fib-onlink-tests.sh +@@ -3,6 +3,7 @@ + + # IPv4 and IPv6 onlink tests + ++source lib.sh + PAUSE_ON_FAIL=${PAUSE_ON_FAIL:=no} + VERBOSE=0 + +@@ -74,9 +75,6 @@ TEST_NET4IN6[2]=10.2.1.254 + # mcast address + MCAST6=ff02::1 + +- +-PEER_NS=bart +-PEER_CMD="ip netns exec ${PEER_NS}" + VRF=lisa + VRF_TABLE=1101 + PBR_TABLE=101 +@@ -176,8 +174,7 @@ setup() + set -e + + # create namespace +- ip netns add ${PEER_NS} +- ip -netns ${PEER_NS} li set lo up ++ setup_ns PEER_NS + + # add vrf table + ip li add ${VRF} type vrf table ${VRF_TABLE} +@@ -219,7 +216,7 @@ setup() + cleanup() + { + # make sure we start from a clean slate +- ip netns del ${PEER_NS} 2>/dev/null ++ cleanup_ns ${PEER_NS} 2>/dev/null + for n in 1 3 5 7; do + ip link del ${NETIFS[p${n}]} 2>/dev/null + done +-- +2.51.0 + diff --git a/queue-6.6/selftests-net-fib-onlink-tests-convert-to-use-namesp.patch b/queue-6.6/selftests-net-fib-onlink-tests-convert-to-use-namesp.patch new file mode 100644 index 0000000000..3b0336bb0a --- /dev/null +++ b/queue-6.6/selftests-net-fib-onlink-tests-convert-to-use-namesp.patch @@ -0,0 +1,185 @@ +From f3fa96e923d5a1ebc34f23fe850819cba25a822e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 12:37:44 -0300 +Subject: selftests: net: fib-onlink-tests: Convert to use namespaces by + default +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ricardo B. Marlière + +[ Upstream commit 4f5f148dd7c0459229d2ab9a769b2e820f9ee6a2 ] + +Currently, the test breaks if the SUT already has a default route +configured for IPv6. Fix by avoiding the use of the default namespace. + +Fixes: 4ed591c8ab44 ("net/ipv6: Allow onlink routes to have a device mismatch if it is the default route") +Suggested-by: Fernando Fernandez Mancera +Signed-off-by: Ricardo B. Marlière +Reviewed-by: Ido Schimmel +Reviewed-by: Fernando Fernandez Mancera +Link: https://patch.msgid.link/20260113-selftests-net-fib-onlink-v2-1-89de2b931389@suse.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../testing/selftests/net/fib-onlink-tests.sh | 71 ++++++++----------- + 1 file changed, 30 insertions(+), 41 deletions(-) + +diff --git a/tools/testing/selftests/net/fib-onlink-tests.sh b/tools/testing/selftests/net/fib-onlink-tests.sh +index ec2d6ceb1f08d..c01be076b210d 100755 +--- a/tools/testing/selftests/net/fib-onlink-tests.sh ++++ b/tools/testing/selftests/net/fib-onlink-tests.sh +@@ -120,7 +120,7 @@ log_subsection() + + run_cmd() + { +- local cmd="$*" ++ local cmd="$1" + local out + local rc + +@@ -145,7 +145,7 @@ get_linklocal() + local pfx + local addr + +- addr=$(${pfx} ip -6 -br addr show dev ${dev} | \ ++ addr=$(${pfx} ${IP} -6 -br addr show dev ${dev} | \ + awk '{ + for (i = 3; i <= NF; ++i) { + if ($i ~ /^fe80/) +@@ -173,58 +173,48 @@ setup() + + set -e + +- # create namespace +- setup_ns PEER_NS ++ # create namespaces ++ setup_ns ns1 ++ IP="ip -netns $ns1" ++ setup_ns ns2 + + # add vrf table +- ip li add ${VRF} type vrf table ${VRF_TABLE} +- ip li set ${VRF} up +- ip ro add table ${VRF_TABLE} unreachable default metric 8192 +- ip -6 ro add table ${VRF_TABLE} unreachable default metric 8192 ++ ${IP} li add ${VRF} type vrf table ${VRF_TABLE} ++ ${IP} li set ${VRF} up ++ ${IP} ro add table ${VRF_TABLE} unreachable default metric 8192 ++ ${IP} -6 ro add table ${VRF_TABLE} unreachable default metric 8192 + + # create test interfaces +- ip li add ${NETIFS[p1]} type veth peer name ${NETIFS[p2]} +- ip li add ${NETIFS[p3]} type veth peer name ${NETIFS[p4]} +- ip li add ${NETIFS[p5]} type veth peer name ${NETIFS[p6]} +- ip li add ${NETIFS[p7]} type veth peer name ${NETIFS[p8]} ++ ${IP} li add ${NETIFS[p1]} type veth peer name ${NETIFS[p2]} ++ ${IP} li add ${NETIFS[p3]} type veth peer name ${NETIFS[p4]} ++ ${IP} li add ${NETIFS[p5]} type veth peer name ${NETIFS[p6]} ++ ${IP} li add ${NETIFS[p7]} type veth peer name ${NETIFS[p8]} + + # enslave vrf interfaces + for n in 5 7; do +- ip li set ${NETIFS[p${n}]} vrf ${VRF} ++ ${IP} li set ${NETIFS[p${n}]} vrf ${VRF} + done + + # add addresses + for n in 1 3 5 7; do +- ip li set ${NETIFS[p${n}]} up +- ip addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]} +- ip addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad ++ ${IP} li set ${NETIFS[p${n}]} up ++ ${IP} addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]} ++ ${IP} addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad + done + + # move peer interfaces to namespace and add addresses + for n in 2 4 6 8; do +- ip li set ${NETIFS[p${n}]} netns ${PEER_NS} up +- ip -netns ${PEER_NS} addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]} +- ip -netns ${PEER_NS} addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad ++ ${IP} li set ${NETIFS[p${n}]} netns ${ns2} up ++ ip -netns $ns2 addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]} ++ ip -netns $ns2 addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad + done + +- ip -6 ro add default via ${V6ADDRS[p3]/::[0-9]/::64} +- ip -6 ro add table ${VRF_TABLE} default via ${V6ADDRS[p7]/::[0-9]/::64} ++ ${IP} -6 ro add default via ${V6ADDRS[p3]/::[0-9]/::64} ++ ${IP} -6 ro add table ${VRF_TABLE} default via ${V6ADDRS[p7]/::[0-9]/::64} + + set +e + } + +-cleanup() +-{ +- # make sure we start from a clean slate +- cleanup_ns ${PEER_NS} 2>/dev/null +- for n in 1 3 5 7; do +- ip link del ${NETIFS[p${n}]} 2>/dev/null +- done +- ip link del ${VRF} 2>/dev/null +- ip ro flush table ${VRF_TABLE} +- ip -6 ro flush table ${VRF_TABLE} +-} +- + ################################################################################ + # IPv4 tests + # +@@ -241,7 +231,7 @@ run_ip() + # dev arg may be empty + [ -n "${dev}" ] && dev="dev ${dev}" + +- run_cmd ip ro add table "${table}" "${prefix}"/32 via "${gw}" "${dev}" onlink ++ run_cmd "${IP} ro add table ${table} ${prefix}/32 via ${gw} ${dev} onlink" + log_test $? ${exp_rc} "${desc}" + } + +@@ -257,8 +247,8 @@ run_ip_mpath() + # dev arg may be empty + [ -n "${dev}" ] && dev="dev ${dev}" + +- run_cmd ip ro add table "${table}" "${prefix}"/32 \ +- nexthop via ${nh1} nexthop via ${nh2} ++ run_cmd "${IP} ro add table ${table} ${prefix}/32 \ ++ nexthop via ${nh1} nexthop via ${nh2}" + log_test $? ${exp_rc} "${desc}" + } + +@@ -339,7 +329,7 @@ run_ip6() + # dev arg may be empty + [ -n "${dev}" ] && dev="dev ${dev}" + +- run_cmd ip -6 ro add table "${table}" "${prefix}"/128 via "${gw}" "${dev}" onlink ++ run_cmd "${IP} -6 ro add table ${table} ${prefix}/128 via ${gw} ${dev} onlink" + log_test $? ${exp_rc} "${desc}" + } + +@@ -353,8 +343,8 @@ run_ip6_mpath() + local exp_rc="$6" + local desc="$7" + +- run_cmd ip -6 ro add table "${table}" "${prefix}"/128 "${opts}" \ +- nexthop via ${nh1} nexthop via ${nh2} ++ run_cmd "${IP} -6 ro add table ${table} ${prefix}/128 ${opts} \ ++ nexthop via ${nh1} nexthop via ${nh2}" + log_test $? ${exp_rc} "${desc}" + } + +@@ -491,10 +481,9 @@ do + esac + done + +-cleanup + setup + run_onlink_tests +-cleanup ++cleanup_ns ${ns1} ${ns2} + + if [ "$TESTS" != "none" ]; then + printf "\nTests passed: %3d\n" ${nsuccess} +-- +2.51.0 + diff --git a/queue-6.6/series b/queue-6.6/series index 9b78dd8316..4af22eed48 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -99,3 +99,36 @@ arm64-dts-qcom-sc8280xp-add-missing-vdd_mxc-links.patch hyperv-tlfs-change-prefix-of-generic-hv_register_-ms.patch drivers-hv-always-do-hyper-v-panic-notification-in-h.patch btrfs-fix-missing-fields-in-superblock-backup-with-b.patch +dt-bindings-power-qcom-rpmpd-add-sm7150.patch +dt-bindings-power-rpmpd-add-msm8917-msm8937-and-qm21.patch +dt-bindings-power-qcom-rpmpd-document-the-sm8650-rpm.patch +dt-bindings-power-rpmpd-update-part-number-to-x1e801.patch +dt-bindings-power-qcom-rpmpd-document-the-sm8750-rpm.patch +dt-bindings-power-qcom-rpmpd-add-turbo-l5-corner.patch +dt-bindings-power-qcom-rpmpd-split-rpmh-domains-defi.patch +dt-bindings-power-qcom-rpmpd-add-sc8280xp_mxc_ao.patch +pmdomain-qcom-rpmhpd-add-mxc-to-sc8280xp.patch +ata-libata-add-cpr_log-to-ata_dev_print_features-ear.patch +ata-libata-core-introduce-ata_dev_config_lpm.patch +ata-libata-call-ata_dev_config_lpm-for-atapi-devices.patch +ata-libata-print-features-also-for-atapi-devices.patch +ice-initialize-ring_stats-syncp.patch +ice-avoid-detrimental-cleanup-for-bond-during-interf.patch +igc-fix-race-condition-in-tx-timestamp-read-for-regi.patch +net-usb-dm9601-remove-broken-sr9700-support.patch +bonding-limit-bond_mode_8023ad-to-ethernet-devices.patch +selftests-net-convert-fib-onlink-tests.sh-to-run-it-.patch +selftests-net-fib-onlink-tests-convert-to-use-namesp.patch +can-gs_usb-gs_usb_receive_bulk_callback-unanchor-url.patch +sctp-move-sctp_cmd_assoc_shkey-right-after-sctp_cmd_.patch +amd-xgbe-avoid-misleading-per-packet-error-log.patch +gue-fix-skb-memleak-with-inner-ip-protocol-0.patch +tools-ynl-specify-no-line-number-in-ynl-regen.sh.patch +fou-don-t-allow-0-for-fou_attr_ipproto.patch +veth-fix-data-race-in-veth_get_ethtool_stats.patch +l2tp-avoid-one-data-race-in-l2tp_tunnel_del_work.patch +ipvlan-make-the-addrs_lock-be-per-port.patch +octeontx2-cn10k-fix-rx-flowid-tcam-mask-handling.patch +net-sched-enforce-that-teql-can-only-be-used-as-root.patch +net-sched-qfq-use-cl_is_active-to-determine-whether-.patch +crypto-authencesn-reject-too-short-aad-assoclen-8-to.patch diff --git a/queue-6.6/tools-ynl-specify-no-line-number-in-ynl-regen.sh.patch b/queue-6.6/tools-ynl-specify-no-line-number-in-ynl-regen.sh.patch new file mode 100644 index 0000000000..fc39fb180b --- /dev/null +++ b/queue-6.6/tools-ynl-specify-no-line-number-in-ynl-regen.sh.patch @@ -0,0 +1,50 @@ +From 49b6a5e1236dca01e494d7fc1bdd33c6c2eeffc1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jan 2026 17:24:47 +0000 +Subject: tools: ynl: Specify --no-line-number in ynl-regen.sh. + +From: Kuniyuki Iwashima + +[ Upstream commit 68578370f9b3a2aba5964b273312d51c581b6aad ] + +If grep.lineNumber is enabled in .gitconfig, + + [grep] + lineNumber = true + +ynl-regen.sh fails with the following error: + + $ ./tools/net/ynl/ynl-regen.sh -f + ... + ynl_gen_c.py: error: argument --mode: invalid choice: '4:' (choose from user, kernel, uapi) + GEN 4: net/ipv4/fou_nl.c + +Let's specify --no-line-number explicitly. + +Fixes: be5bea1cc0bf ("net: add basic C code generators for Netlink") +Suggested-by: Jakub Kicinski +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20260115172533.693652-3-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/net/ynl/ynl-regen.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/net/ynl/ynl-regen.sh b/tools/net/ynl/ynl-regen.sh +index bdba24066cf10..88bd42496cac5 100755 +--- a/tools/net/ynl/ynl-regen.sh ++++ b/tools/net/ynl/ynl-regen.sh +@@ -21,7 +21,7 @@ files=$(git grep --files-with-matches '^/\* YNL-GEN \(kernel\|uapi\|user\)') + for f in $files; do + # params: 0 1 2 3 + # $YAML YNL-GEN kernel $mode +- params=( $(git grep -B1 -h '/\* YNL-GEN' $f | sed 's@/\*\(.*\)\*/@\1@') ) ++ params=( $(git grep --no-line-number -B1 -h '/\* YNL-GEN' $f | sed 's@/\*\(.*\)\*/@\1@') ) + args=$(sed -n 's@/\* YNL-ARG \(.*\) \*/@\1@p' $f) + + if [ $f -nt ${params[0]} -a -z "$force" ]; then +-- +2.51.0 + diff --git a/queue-6.6/veth-fix-data-race-in-veth_get_ethtool_stats.patch b/queue-6.6/veth-fix-data-race-in-veth_get_ethtool_stats.patch new file mode 100644 index 0000000000..5778553030 --- /dev/null +++ b/queue-6.6/veth-fix-data-race-in-veth_get_ethtool_stats.patch @@ -0,0 +1,54 @@ +From f04438f01746e6f3c04ae30243dbb88e5e3e424c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jan 2026 20:24:45 +0800 +Subject: veth: fix data race in veth_get_ethtool_stats + +From: David Yang + +[ Upstream commit b47adaab8b3d443868096bac08fdbb3d403194ba ] + +In veth_get_ethtool_stats(), some statistics protected by +u64_stats_sync, are read and accumulated in ignorance of possible +u64_stats_fetch_retry() events. These statistics, peer_tq_xdp_xmit and +peer_tq_xdp_xmit_err, are already accumulated by veth_xdp_xmit(). Fix +this by reading them into a temporary buffer first. + +Fixes: 5fe6e56776ba ("veth: rely on peer veth_rq for ndo_xdp_xmit accounting") +Signed-off-by: David Yang +Link: https://patch.msgid.link/20260114122450.227982-1-mmyangfl@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/veth.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/veth.c b/drivers/net/veth.c +index 7767b6ff5a155..2b3b0beb55c88 100644 +--- a/drivers/net/veth.c ++++ b/drivers/net/veth.c +@@ -226,16 +226,20 @@ static void veth_get_ethtool_stats(struct net_device *dev, + const struct veth_rq_stats *rq_stats = &rcv_priv->rq[i].stats; + const void *base = (void *)&rq_stats->vs; + unsigned int start, tx_idx = idx; ++ u64 buf[VETH_TQ_STATS_LEN]; + size_t offset; + +- tx_idx += (i % dev->real_num_tx_queues) * VETH_TQ_STATS_LEN; + do { + start = u64_stats_fetch_begin(&rq_stats->syncp); + for (j = 0; j < VETH_TQ_STATS_LEN; j++) { + offset = veth_tq_stats_desc[j].offset; +- data[tx_idx + j] += *(u64 *)(base + offset); ++ buf[j] = *(u64 *)(base + offset); + } + } while (u64_stats_fetch_retry(&rq_stats->syncp, start)); ++ ++ tx_idx += (i % dev->real_num_tx_queues) * VETH_TQ_STATS_LEN; ++ for (j = 0; j < VETH_TQ_STATS_LEN; j++) ++ data[tx_idx + j] += buf[j]; + } + pp_idx = idx + dev->real_num_tx_queues * VETH_TQ_STATS_LEN; + +-- +2.51.0 + -- 2.47.3