--- /dev/null
+From stable+bounces-219754-greg=kroah.com@vger.kernel.org Thu Feb 26 06:44:29 2026
+From: Rahul Sharma <black.hawk@163.com>
+Date: Thu, 26 Feb 2026 13:43:31 +0800
+Subject: dm-verity: disable recursive forward error correction
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org, Mikulas Patocka <mpatocka@redhat.com>, Guangwu Zhang <guazhang@redhat.com>, Sami Tolvanen <samitolvanen@google.com>, Eric Biggers <ebiggers@kernel.org>, Rahul Sharma <black.hawk@163.com>
+Message-ID: <20260226054331.945438-1-black.hawk@163.com>
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+[ Upstream commit d9f3e47d3fae0c101d9094bc956ed24e7a0ee801 ]
+
+There are two problems with the recursive correction:
+
+1. It may cause denial-of-service. In fec_read_bufs, there is a loop that
+has 253 iterations. For each iteration, we may call verity_hash_for_block
+recursively. There is a limit of 4 nested recursions - that means that
+there may be at most 253^4 (4 billion) iterations. Red Hat QE team
+actually created an image that pushes dm-verity to this limit - and this
+image just makes the udev-worker process get stuck in the 'D' state.
+
+2. It doesn't work. In fec_read_bufs we store data into the variable
+"fio->bufs", but fio bufs is shared between recursive invocations, if
+"verity_hash_for_block" invoked correction recursively, it would
+overwrite partially filled fio->bufs.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Reported-by: Guangwu Zhang <guazhang@redhat.com>
+Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
+Reviewed-by: Eric Biggers <ebiggers@kernel.org>
+[ The context change is due to the commit bdf253d580d7
+("dm-verity: remove support for asynchronous hashes")
+in v6.18 and the commit 9356fcfe0ac4
+("dm verity: set DM_TARGET_SINGLETON feature flag") in v6.9
+which are irrelevant to the logic of this patch. ]
+Signed-off-by: Rahul Sharma <black.hawk@163.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-verity-fec.c | 4 +---
+ drivers/md/dm-verity-fec.h | 3 ---
+ 2 files changed, 1 insertion(+), 6 deletions(-)
+
+--- a/drivers/md/dm-verity-fec.c
++++ b/drivers/md/dm-verity-fec.c
+@@ -439,10 +439,8 @@ int verity_fec_decode(struct dm_verity *
+ if (!verity_fec_is_enabled(v))
+ return -EOPNOTSUPP;
+
+- if (fio->level >= DM_VERITY_FEC_MAX_RECURSION) {
+- DMWARN_LIMIT("%s: FEC: recursion too deep", v->data_dev->name);
++ if (fio->level)
+ return -EIO;
+- }
+
+ fio->level++;
+
+--- a/drivers/md/dm-verity-fec.h
++++ b/drivers/md/dm-verity-fec.h
+@@ -23,9 +23,6 @@
+ #define DM_VERITY_FEC_BUF_MAX \
+ (1 << (PAGE_SHIFT - DM_VERITY_FEC_BUF_RS_BITS))
+
+-/* maximum recursion level for verity_fec_decode */
+-#define DM_VERITY_FEC_MAX_RECURSION 4
+-
+ #define DM_VERITY_OPT_FEC_DEV "use_fec_from_device"
+ #define DM_VERITY_OPT_FEC_BLOCKS "fec_blocks"
+ #define DM_VERITY_OPT_FEC_START "fec_start"
--- /dev/null
+From d4c98c077c7fb2dfdece7d605e694b5ea2665085 Mon Sep 17 00:00:00 2001
+From: Jeongjun Park <aha310510@gmail.com>
+Date: Mon, 19 Jan 2026 17:25:52 +0900
+Subject: drm/exynos: vidi: fix to avoid directly dereferencing user pointer
+
+From: Jeongjun Park <aha310510@gmail.com>
+
+commit d4c98c077c7fb2dfdece7d605e694b5ea2665085 upstream.
+
+In vidi_connection_ioctl(), vidi->edid(user pointer) is directly
+dereferenced in the kernel.
+
+This allows arbitrary kernel memory access from the user space, so instead
+of directly accessing the user pointer in the kernel, we should modify it
+to copy edid to kernel memory using copy_from_user() and use it.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Jeongjun Park <aha310510@gmail.com>
+Signed-off-by: Inki Dae <inki.dae@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/exynos/exynos_drm_vidi.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c
++++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c
+@@ -252,19 +252,26 @@ int vidi_connection_ioctl(struct drm_dev
+
+ if (vidi->connection) {
+ struct edid *raw_edid;
++ struct edid edid_buf;
++ void *edid_userptr = u64_to_user_ptr(vidi->edid);
+
+- raw_edid = (struct edid *)(unsigned long)vidi->edid;
+- if (!drm_edid_is_valid(raw_edid)) {
++ if (copy_from_user(&edid_buf, edid_userptr, sizeof(struct edid)))
++ return -EFAULT;
++
++ if (!drm_edid_is_valid(&edid_buf)) {
+ DRM_DEV_DEBUG_KMS(ctx->dev,
+ "edid data is invalid.\n");
+ return -EINVAL;
+ }
+- ctx->raw_edid = drm_edid_duplicate(raw_edid);
+- if (!ctx->raw_edid) {
++
++ raw_edid = drm_edid_duplicate(&edid_buf);
++
++ if (!raw_edid) {
+ DRM_DEV_DEBUG_KMS(ctx->dev,
+ "failed to allocate raw_edid.\n");
+ return -ENOMEM;
+ }
++ ctx->raw_edid = raw_edid;
+ } else {
+ /*
+ * with connection = 0, free raw_edid
--- /dev/null
+From 52b330799e2d6f825ae2bb74662ec1b10eb954bb Mon Sep 17 00:00:00 2001
+From: Jeongjun Park <aha310510@gmail.com>
+Date: Mon, 19 Jan 2026 17:25:53 +0900
+Subject: drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free
+
+From: Jeongjun Park <aha310510@gmail.com>
+
+commit 52b330799e2d6f825ae2bb74662ec1b10eb954bb upstream.
+
+Exynos Virtual Display driver performs memory alloc/free operations
+without lock protection, which easily causes concurrency problem.
+
+For example, use-after-free can occur in race scenario like this:
+```
+ CPU0 CPU1 CPU2
+ ---- ---- ----
+ vidi_connection_ioctl()
+ if (vidi->connection) // true
+ drm_edid = drm_edid_alloc(); // alloc drm_edid
+ ...
+ ctx->raw_edid = drm_edid;
+ ...
+ drm_mode_getconnector()
+ drm_helper_probe_single_connector_modes()
+ vidi_get_modes()
+ if (ctx->raw_edid) // true
+ drm_edid_dup(ctx->raw_edid);
+ if (!drm_edid) // false
+ ...
+ vidi_connection_ioctl()
+ if (vidi->connection) // false
+ drm_edid_free(ctx->raw_edid); // free drm_edid
+ ...
+ drm_edid_alloc(drm_edid->edid)
+ kmemdup(edid); // UAF!!
+ ...
+```
+
+To prevent these vulns, at least in vidi_context, member variables related
+to memory alloc/free should be protected with ctx->lock.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Jeongjun Park <aha310510@gmail.com>
+Signed-off-by: Inki Dae <inki.dae@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/exynos/exynos_drm_vidi.c | 43 +++++++++++++++++++++++++------
+ 1 file changed, 35 insertions(+), 8 deletions(-)
+
+--- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c
++++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c
+@@ -186,15 +186,17 @@ static ssize_t vidi_store_connection(str
+ const char *buf, size_t len)
+ {
+ struct vidi_context *ctx = dev_get_drvdata(dev);
+- int ret;
++ int ret, new_connected;
+
+- ret = kstrtoint(buf, 0, &ctx->connected);
++ ret = kstrtoint(buf, 0, &new_connected);
+ if (ret)
+ return ret;
+
+- if (ctx->connected > 1)
++ if (new_connected > 1)
+ return -EINVAL;
+
++ mutex_lock(&ctx->lock);
++
+ /* use fake edid data for test. */
+ if (!ctx->raw_edid)
+ ctx->raw_edid = (struct edid *)fake_edid_info;
+@@ -202,14 +204,21 @@ static ssize_t vidi_store_connection(str
+ /* if raw_edid isn't same as fake data then it can't be tested. */
+ if (ctx->raw_edid != (struct edid *)fake_edid_info) {
+ DRM_DEV_DEBUG_KMS(dev, "edid data is not fake data.\n");
+- return -EINVAL;
++ ret = -EINVAL;
++ goto fail;
+ }
+
++ ctx->connected = new_connected;
++ mutex_unlock(&ctx->lock);
++
+ DRM_DEV_DEBUG_KMS(dev, "requested connection.\n");
+
+ drm_helper_hpd_irq_event(ctx->drm_dev);
+
+ return len;
++fail:
++ mutex_unlock(&ctx->lock);
++ return ret;
+ }
+
+ static DEVICE_ATTR(connection, 0644, vidi_show_connection,
+@@ -244,11 +253,14 @@ int vidi_connection_ioctl(struct drm_dev
+ return -EINVAL;
+ }
+
++ mutex_lock(&ctx->lock);
+ if (ctx->connected == vidi->connection) {
++ mutex_unlock(&ctx->lock);
+ DRM_DEV_DEBUG_KMS(ctx->dev,
+ "same connection request.\n");
+ return -EINVAL;
+ }
++ mutex_unlock(&ctx->lock);
+
+ if (vidi->connection) {
+ struct edid *raw_edid;
+@@ -271,20 +283,27 @@ int vidi_connection_ioctl(struct drm_dev
+ "failed to allocate raw_edid.\n");
+ return -ENOMEM;
+ }
++ mutex_lock(&ctx->lock);
+ ctx->raw_edid = raw_edid;
++ mutex_unlock(&ctx->lock);
+ } else {
+ /*
+ * with connection = 0, free raw_edid
+ * only if raw edid data isn't same as fake data.
+ */
++ mutex_lock(&ctx->lock);
+ if (ctx->raw_edid && ctx->raw_edid !=
+ (struct edid *)fake_edid_info) {
+ kfree(ctx->raw_edid);
+ ctx->raw_edid = NULL;
+ }
++ mutex_unlock(&ctx->lock);
+ }
+
++ mutex_lock(&ctx->lock);
+ ctx->connected = vidi->connection;
++ mutex_unlock(&ctx->lock);
++
+ drm_helper_hpd_irq_event(ctx->drm_dev);
+
+ return 0;
+@@ -299,7 +318,7 @@ static enum drm_connector_status vidi_de
+ * connection request would come from user side
+ * to do hotplug through specific ioctl.
+ */
+- return ctx->connected ? connector_status_connected :
++ return READ_ONCE(ctx->connected) ? connector_status_connected :
+ connector_status_disconnected;
+ }
+
+@@ -321,22 +340,24 @@ static int vidi_get_modes(struct drm_con
+ struct vidi_context *ctx = ctx_from_connector(connector);
+ struct edid *edid;
+ int edid_len;
+- int count;
++ int count = 0;
+
+ /*
+ * the edid data comes from user side and it would be set
+ * to ctx->raw_edid through specific ioctl.
+ */
++
++ mutex_lock(&ctx->lock);
+ if (!ctx->raw_edid) {
+ DRM_DEV_DEBUG_KMS(ctx->dev, "raw_edid is null.\n");
+- return 0;
++ goto fail;
+ }
+
+ edid_len = (1 + ctx->raw_edid->extensions) * EDID_LENGTH;
+ edid = kmemdup(ctx->raw_edid, edid_len, GFP_KERNEL);
+ if (!edid) {
+ DRM_DEV_DEBUG_KMS(ctx->dev, "failed to allocate edid\n");
+- return 0;
++ goto fail;
+ }
+
+ drm_connector_update_edid_property(connector, edid);
+@@ -345,6 +366,8 @@ static int vidi_get_modes(struct drm_con
+
+ kfree(edid);
+
++fail:
++ mutex_unlock(&ctx->lock);
+ return count;
+ }
+
+@@ -490,11 +513,15 @@ static int vidi_remove(struct platform_d
+ {
+ struct vidi_context *ctx = platform_get_drvdata(pdev);
+
++ mutex_lock(&ctx->lock);
++
+ if (ctx->raw_edid != (struct edid *)fake_edid_info) {
+ kfree(ctx->raw_edid);
+ ctx->raw_edid = NULL;
+ }
+
++ mutex_unlock(&ctx->lock);
++
+ component_del(&pdev->dev, &vidi_component_ops);
+
+ return 0;
--- /dev/null
+From d3968a0d85b211e197f2f4f06268a7031079e0d0 Mon Sep 17 00:00:00 2001
+From: Jeongjun Park <aha310510@gmail.com>
+Date: Mon, 19 Jan 2026 17:25:51 +0900
+Subject: drm/exynos: vidi: use priv->vidi_dev for ctx lookup in vidi_connection_ioctl()
+
+From: Jeongjun Park <aha310510@gmail.com>
+
+commit d3968a0d85b211e197f2f4f06268a7031079e0d0 upstream.
+
+vidi_connection_ioctl() retrieves the driver_data from drm_dev->dev to
+obtain a struct vidi_context pointer. However, drm_dev->dev is the
+exynos-drm master device, and the driver_data contained therein is not
+the vidi component device, but a completely different device.
+
+This can lead to various bugs, ranging from null pointer dereferences and
+garbage value accesses to, in unlucky cases, out-of-bounds errors,
+use-after-free errors, and more.
+
+To resolve this issue, we need to store/delete the vidi device pointer in
+exynos_drm_private->vidi_dev during bind/unbind, and then read this
+exynos_drm_private->vidi_dev within ioctl() to obtain the correct
+struct vidi_context pointer.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Jeongjun Park <aha310510@gmail.com>
+Signed-off-by: Inki Dae <inki.dae@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/exynos/exynos_drm_drv.h | 1 +
+ drivers/gpu/drm/exynos/exynos_drm_vidi.c | 14 +++++++++++++-
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/exynos/exynos_drm_drv.h
++++ b/drivers/gpu/drm/exynos/exynos_drm_drv.h
+@@ -201,6 +201,7 @@ struct exynos_drm_private {
+
+ struct device *g2d_dev;
+ struct device *dma_dev;
++ struct device *vidi_dev;
+ void *mapping;
+
+ /* for atomic commit */
+--- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c
++++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c
+@@ -224,9 +224,14 @@ ATTRIBUTE_GROUPS(vidi);
+ int vidi_connection_ioctl(struct drm_device *drm_dev, void *data,
+ struct drm_file *file_priv)
+ {
+- struct vidi_context *ctx = dev_get_drvdata(drm_dev->dev);
++ struct exynos_drm_private *priv = drm_dev->dev_private;
++ struct device *dev = priv ? priv->vidi_dev : NULL;
++ struct vidi_context *ctx = dev ? dev_get_drvdata(dev) : NULL;
+ struct drm_exynos_vidi_connection *vidi = data;
+
++ if (!ctx)
++ return -ENODEV;
++
+ if (!vidi) {
+ DRM_DEV_DEBUG_KMS(ctx->dev,
+ "user data for vidi is null.\n");
+@@ -386,6 +391,7 @@ static int vidi_bind(struct device *dev,
+ {
+ struct vidi_context *ctx = dev_get_drvdata(dev);
+ struct drm_device *drm_dev = data;
++ struct exynos_drm_private *priv = drm_dev->dev_private;
+ struct drm_encoder *encoder = &ctx->encoder;
+ struct exynos_drm_plane *exynos_plane;
+ struct exynos_drm_plane_config plane_config = { 0 };
+@@ -393,6 +399,8 @@ static int vidi_bind(struct device *dev,
+ int ret;
+
+ ctx->drm_dev = drm_dev;
++ if (priv)
++ priv->vidi_dev = dev;
+
+ plane_config.pixel_formats = formats;
+ plane_config.num_pixel_formats = ARRAY_SIZE(formats);
+@@ -438,8 +446,12 @@ static int vidi_bind(struct device *dev,
+ static void vidi_unbind(struct device *dev, struct device *master, void *data)
+ {
+ struct vidi_context *ctx = dev_get_drvdata(dev);
++ struct drm_device *drm_dev = data;
++ struct exynos_drm_private *priv = drm_dev->dev_private;
+
+ del_timer_sync(&ctx->timer);
++ if (priv)
++ priv->vidi_dev = NULL;
+ }
+
+ static const struct component_ops vidi_component_ops = {
--- /dev/null
+From 3d970eda003441f66551a91fda16478ac0711617 Mon Sep 17 00:00:00 2001
+From: Ankit Garg <nktgrg@google.com>
+Date: Fri, 19 Dec 2025 10:29:45 +0000
+Subject: gve: defer interrupt enabling until NAPI registration
+
+From: Ankit Garg <nktgrg@google.com>
+
+commit 3d970eda003441f66551a91fda16478ac0711617 upstream.
+
+Currently, interrupts are automatically enabled immediately upon
+request. This allows interrupt to fire before the associated NAPI
+context is fully initialized and cause failures like below:
+
+[ 0.946369] Call Trace:
+[ 0.946369] <IRQ>
+[ 0.946369] __napi_poll+0x2a/0x1e0
+[ 0.946369] net_rx_action+0x2f9/0x3f0
+[ 0.946369] handle_softirqs+0xd6/0x2c0
+[ 0.946369] ? handle_edge_irq+0xc1/0x1b0
+[ 0.946369] __irq_exit_rcu+0xc3/0xe0
+[ 0.946369] common_interrupt+0x81/0xa0
+[ 0.946369] </IRQ>
+[ 0.946369] <TASK>
+[ 0.946369] asm_common_interrupt+0x22/0x40
+[ 0.946369] RIP: 0010:pv_native_safe_halt+0xb/0x10
+
+Use the `IRQF_NO_AUTOEN` flag when requesting interrupts to prevent auto
+enablement and explicitly enable the interrupt in NAPI initialization
+path (and disable it during NAPI teardown).
+
+This ensures that interrupt lifecycle is strictly coupled with
+readiness of NAPI context.
+
+Cc: stable@vger.kernel.org
+Fixes: 1dfc2e46117e ("gve: Refactor napi add and remove functions")
+Signed-off-by: Ankit Garg <nktgrg@google.com>
+Reviewed-by: Jordan Rhee <jordanrhee@google.com>
+Reviewed-by: Joshua Washington <joshwash@google.com>
+Signed-off-by: Harshitha Ramamurthy <hramamurthy@google.com>
+Link: https://patch.msgid.link/20251219102945.2193617-1-hramamurthy@google.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+[ modified to re-introduce the irq member to struct gve_notify_block,
+ which was introuduced in commit 9a5e0776d11f ("gve: Avoid rescheduling
+ napi if on wrong cpu"). ]
+Signed-off-by: Joshua Washington <joshwash@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/google/gve/gve.h | 1 +
+ drivers/net/ethernet/google/gve/gve_main.c | 5 ++++-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/google/gve/gve.h
++++ b/drivers/net/ethernet/google/gve/gve.h
+@@ -450,6 +450,7 @@ struct gve_notify_block {
+ struct gve_priv *priv;
+ struct gve_tx_ring *tx; /* tx rings on this block */
+ struct gve_rx_ring *rx; /* rx rings on this block */
++ u32 irq;
+ };
+
+ /* Tracks allowed and current queue settings */
+--- a/drivers/net/ethernet/google/gve/gve_main.c
++++ b/drivers/net/ethernet/google/gve/gve_main.c
+@@ -353,9 +353,10 @@ static int gve_alloc_notify_blocks(struc
+ snprintf(block->name, sizeof(block->name), "%s-ntfy-block.%d",
+ name, i);
+ block->priv = priv;
++ block->irq = priv->msix_vectors[msix_idx].vector;
+ err = request_irq(priv->msix_vectors[msix_idx].vector,
+ gve_is_gqi(priv) ? gve_intr : gve_intr_dqo,
+- 0, block->name, block);
++ IRQF_NO_AUTOEN, block->name, block);
+ if (err) {
+ dev_err(&priv->pdev->dev,
+ "Failed to receive msix vector %d\n", i);
+@@ -521,6 +522,7 @@ static void gve_add_napi(struct gve_priv
+ struct gve_notify_block *block = &priv->ntfy_blocks[ntfy_idx];
+
+ netif_napi_add(priv->dev, &block->napi, gve_poll);
++ enable_irq(block->irq);
+ }
+
+ static void gve_remove_napi(struct gve_priv *priv, int ntfy_idx)
+@@ -528,6 +530,7 @@ static void gve_remove_napi(struct gve_p
+ struct gve_notify_block *block = &priv->ntfy_blocks[ntfy_idx];
+
+ netif_napi_del(&block->napi);
++ disable_irq(block->irq);
+ }
+
+ static int gve_register_qpls(struct gve_priv *priv)
--- /dev/null
+From lanbincn@139.com Thu Feb 26 10:56:06 2026
+From: Bin Lan <lanbincn@139.com>
+Date: Thu, 26 Feb 2026 17:55:50 +0800
+Subject: net: add skb_header_pointer_careful() helper
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org
+Cc: Eric Dumazet <edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>, Bin Lan <lanbincn@139.com>
+Message-ID: <20260226095551.4183-1-lanbincn@139.com>
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 13e00fdc9236bd4d0bff4109d2983171fbcb74c4 ]
+
+This variant of skb_header_pointer() should be used in contexts
+where @offset argument is user-controlled and could be negative.
+
+Negative offsets are supported, as long as the zone starts
+between skb->head and skb->data.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260128141539.3404400-2-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[ Adjust context ]
+Signed-off-by: Bin Lan <lanbincn@139.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/skbuff.h | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -4113,6 +4113,18 @@ skb_header_pointer(const struct sk_buff
+ skb_headlen(skb), buffer);
+ }
+
++/* Variant of skb_header_pointer() where @offset is user-controlled
++ * and potentially negative.
++ */
++static inline void * __must_check
++skb_header_pointer_careful(const struct sk_buff *skb, int offset,
++ int len, void *buffer)
++{
++ if (unlikely(offset < 0 && -offset > skb_headroom(skb)))
++ return NULL;
++ return skb_header_pointer(skb, offset, len, buffer);
++}
++
+ /**
+ * skb_needs_linearize - check if we need to linearize a given skb
+ * depending on the given device features.
--- /dev/null
+From stable+bounces-219189-greg=kroah.com@vger.kernel.org Wed Feb 25 05:16:47 2026
+From: Rahul Sharma <black.hawk@163.com>
+Date: Wed, 25 Feb 2026 12:16:05 +0800
+Subject: net: enetc: allocate vf_state during PF probes
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org, Wei Fang <wei.fang@nxp.com>, Vladimir Oltean <vladimir.oltean@nxp.com>, Jakub Kicinski <kuba@kernel.org>, Rahul Sharma <black.hawk@163.com>
+Message-ID: <20260225041605.1563705-2-black.hawk@163.com>
+
+From: Wei Fang <wei.fang@nxp.com>
+
+[ Upstream commit e15c5506dd39885cd047f811a64240e2e8ab401b ]
+
+In the previous implementation, vf_state is allocated memory only when VF
+is enabled. However, net_device_ops::ndo_set_vf_mac() may be called before
+VF is enabled to configure the MAC address of VF. If this is the case,
+enetc_pf_set_vf_mac() will access vf_state, resulting in access to a null
+pointer. The simplified error log is as follows.
+
+root@ls1028ardb:~# ip link set eno0 vf 1 mac 00:0c:e7:66:77:89
+[ 173.543315] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004
+[ 173.637254] pc : enetc_pf_set_vf_mac+0x3c/0x80 Message from sy
+[ 173.641973] lr : do_setlink+0x4a8/0xec8
+[ 173.732292] Call trace:
+[ 173.734740] enetc_pf_set_vf_mac+0x3c/0x80
+[ 173.738847] __rtnl_newlink+0x530/0x89c
+[ 173.742692] rtnl_newlink+0x50/0x7c
+[ 173.746189] rtnetlink_rcv_msg+0x128/0x390
+[ 173.750298] netlink_rcv_skb+0x60/0x130
+[ 173.754145] rtnetlink_rcv+0x18/0x24
+[ 173.757731] netlink_unicast+0x318/0x380
+[ 173.761665] netlink_sendmsg+0x17c/0x3c8
+
+Fixes: d4fd0404c1c9 ("enetc: Introduce basic PF and VF ENETC ethernet drivers")
+Signed-off-by: Wei Fang <wei.fang@nxp.com>
+Reviewed-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Tested-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Link: https://patch.msgid.link/20241031060247.1290941-2-wei.fang@nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Rahul Sharma <black.hawk@163.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/freescale/enetc/enetc_pf.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/drivers/net/ethernet/freescale/enetc/enetc_pf.c
++++ b/drivers/net/ethernet/freescale/enetc/enetc_pf.c
+@@ -683,19 +683,11 @@ static int enetc_sriov_configure(struct
+
+ if (!num_vfs) {
+ enetc_msg_psi_free(pf);
+- kfree(pf->vf_state);
+ pf->num_vfs = 0;
+ pci_disable_sriov(pdev);
+ } else {
+ pf->num_vfs = num_vfs;
+
+- pf->vf_state = kcalloc(num_vfs, sizeof(struct enetc_vf_state),
+- GFP_KERNEL);
+- if (!pf->vf_state) {
+- pf->num_vfs = 0;
+- return -ENOMEM;
+- }
+-
+ err = enetc_msg_psi_init(pf);
+ if (err) {
+ dev_err(&pdev->dev, "enetc_msg_psi_init (%d)\n", err);
+@@ -714,7 +706,6 @@ static int enetc_sriov_configure(struct
+ err_en_sriov:
+ enetc_msg_psi_free(pf);
+ err_msg_psi:
+- kfree(pf->vf_state);
+ pf->num_vfs = 0;
+
+ return err;
+@@ -1322,6 +1313,12 @@ static int enetc_pf_probe(struct pci_dev
+ pf = enetc_si_priv(si);
+ pf->si = si;
+ pf->total_vfs = pci_sriov_get_totalvfs(pdev);
++ if (pf->total_vfs) {
++ pf->vf_state = kcalloc(pf->total_vfs, sizeof(struct enetc_vf_state),
++ GFP_KERNEL);
++ if (!pf->vf_state)
++ goto err_alloc_vf_state;
++ }
+
+ err = enetc_setup_mac_addresses(node, pf);
+ if (err)
+@@ -1398,6 +1395,8 @@ err_alloc_si_res:
+ err_alloc_netdev:
+ err_device_disabled:
+ err_setup_mac_addresses:
++ kfree(pf->vf_state);
++err_alloc_vf_state:
+ enetc_psi_destroy(pdev);
+ err_psi_create:
+ return err;
+@@ -1424,6 +1423,7 @@ static void enetc_pf_remove(struct pci_d
+ enetc_free_si_resources(priv);
+
+ free_netdev(si->ndev);
++ kfree(pf->vf_state);
+
+ enetc_psi_destroy(pdev);
+ }
--- /dev/null
+From stable+bounces-219188-greg=kroah.com@vger.kernel.org Wed Feb 25 05:16:43 2026
+From: Rahul Sharma <black.hawk@163.com>
+Date: Wed, 25 Feb 2026 12:16:04 +0800
+Subject: net: enetc: reimplement RFS/RSS memory clearing as PCI quirk
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org, Vladimir Oltean <vladimir.oltean@nxp.com>, Rob Herring <robh@kernel.org>, "David S . Miller" <davem@davemloft.net>, Rahul Sharma <black.hawk@163.com>
+Message-ID: <20260225041605.1563705-1-black.hawk@163.com>
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit f0168042a21292d20007d24ab2e4fc32f79ebf11 ]
+
+The workaround implemented in commit 3222b5b613db ("net: enetc:
+initialize RFS/RSS memories for unused ports too") is no longer
+effective after commit 6fffbc7ae137 ("PCI: Honor firmware's device
+disabled status"). Thus, it has introduced a regression and we see AER
+errors being reported again:
+
+$ ip link set sw2p0 up && dhclient -i sw2p0 && ip addr show sw2p0
+fsl_enetc 0000:00:00.2 eno2: configuring for fixed/internal link mode
+fsl_enetc 0000:00:00.2 eno2: Link is Up - 2.5Gbps/Full - flow control rx/tx
+mscc_felix 0000:00:00.5 swp2: configuring for fixed/sgmii link mode
+mscc_felix 0000:00:00.5 swp2: Link is Up - 1Gbps/Full - flow control off
+sja1105 spi2.2 sw2p0: configuring for phy/rgmii-id link mode
+sja1105 spi2.2 sw2p0: Link is Up - 1Gbps/Full - flow control off
+pcieport 0000:00:1f.0: AER: Multiple Corrected error received: 0000:00:00.0
+pcieport 0000:00:1f.0: AER: can't find device of ID0000
+
+Rob's suggestion is to reimplement the enetc driver workaround as a
+PCI fixup, and to modify the PCI core to run the fixups for all PCI
+functions. This change handles the first part.
+
+We refactor the common code in enetc_psi_create() and enetc_psi_destroy(),
+and use the PCI fixup only for those functions for which enetc_pf_probe()
+won't get called. This avoids some work being done twice for the PFs
+which are enabled.
+
+Fixes: 6fffbc7ae137 ("PCI: Honor firmware's device disabled status")
+Link: https://lore.kernel.org/netdev/CAL_JsqLsVYiPLx2kcHkDQ4t=hQVCR7NHziDwi9cCFUFhx48Qow@mail.gmail.com/
+Suggested-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Rahul Sharma <black.hawk@163.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/freescale/enetc/enetc_pf.c | 103 +++++++++++++++++-------
+ 1 file changed, 73 insertions(+), 30 deletions(-)
+
+--- a/drivers/net/ethernet/freescale/enetc/enetc_pf.c
++++ b/drivers/net/ethernet/freescale/enetc/enetc_pf.c
+@@ -1236,50 +1236,81 @@ static int enetc_pf_register_with_ierb(s
+ return ret;
+ }
+
+-static int enetc_pf_probe(struct pci_dev *pdev,
+- const struct pci_device_id *ent)
++static struct enetc_si *enetc_psi_create(struct pci_dev *pdev)
+ {
+- struct device_node *node = pdev->dev.of_node;
+- struct enetc_ndev_priv *priv;
+- struct net_device *ndev;
+ struct enetc_si *si;
+- struct enetc_pf *pf;
+ int err;
+
+- err = enetc_pf_register_with_ierb(pdev);
+- if (err == -EPROBE_DEFER)
+- return err;
+- if (err)
+- dev_warn(&pdev->dev,
+- "Could not register with IERB driver: %pe, please update the device tree\n",
+- ERR_PTR(err));
+-
+- err = enetc_pci_probe(pdev, KBUILD_MODNAME, sizeof(*pf));
+- if (err)
+- return dev_err_probe(&pdev->dev, err, "PCI probing failed\n");
++ err = enetc_pci_probe(pdev, KBUILD_MODNAME, sizeof(struct enetc_pf));
++ if (err) {
++ dev_err_probe(&pdev->dev, err, "PCI probing failed\n");
++ goto out;
++ }
+
+ si = pci_get_drvdata(pdev);
+ if (!si->hw.port || !si->hw.global) {
+ err = -ENODEV;
+ dev_err(&pdev->dev, "could not map PF space, probing a VF?\n");
+- goto err_map_pf_space;
++ goto out_pci_remove;
+ }
+
+ err = enetc_setup_cbdr(&pdev->dev, &si->hw, ENETC_CBDR_DEFAULT_SIZE,
+ &si->cbd_ring);
+ if (err)
+- goto err_setup_cbdr;
++ goto out_pci_remove;
+
+ err = enetc_init_port_rfs_memory(si);
+ if (err) {
+ dev_err(&pdev->dev, "Failed to initialize RFS memory\n");
+- goto err_init_port_rfs;
++ goto out_teardown_cbdr;
+ }
+
+ err = enetc_init_port_rss_memory(si);
+ if (err) {
+ dev_err(&pdev->dev, "Failed to initialize RSS memory\n");
+- goto err_init_port_rss;
++ goto out_teardown_cbdr;
++ }
++
++ return si;
++
++out_teardown_cbdr:
++ enetc_teardown_cbdr(&si->cbd_ring);
++out_pci_remove:
++ enetc_pci_remove(pdev);
++out:
++ return ERR_PTR(err);
++}
++
++static void enetc_psi_destroy(struct pci_dev *pdev)
++{
++ struct enetc_si *si = pci_get_drvdata(pdev);
++
++ enetc_teardown_cbdr(&si->cbd_ring);
++ enetc_pci_remove(pdev);
++}
++
++static int enetc_pf_probe(struct pci_dev *pdev,
++ const struct pci_device_id *ent)
++{
++ struct device_node *node = pdev->dev.of_node;
++ struct enetc_ndev_priv *priv;
++ struct net_device *ndev;
++ struct enetc_si *si;
++ struct enetc_pf *pf;
++ int err;
++
++ err = enetc_pf_register_with_ierb(pdev);
++ if (err == -EPROBE_DEFER)
++ return err;
++ if (err)
++ dev_warn(&pdev->dev,
++ "Could not register with IERB driver: %pe, please update the device tree\n",
++ ERR_PTR(err));
++
++ si = enetc_psi_create(pdev);
++ if (IS_ERR(si)) {
++ err = PTR_ERR(si);
++ goto err_psi_create;
+ }
+
+ if (node && !of_device_is_available(node)) {
+@@ -1365,15 +1396,10 @@ err_alloc_si_res:
+ si->ndev = NULL;
+ free_netdev(ndev);
+ err_alloc_netdev:
+-err_init_port_rss:
+-err_init_port_rfs:
+ err_device_disabled:
+ err_setup_mac_addresses:
+- enetc_teardown_cbdr(&si->cbd_ring);
+-err_setup_cbdr:
+-err_map_pf_space:
+- enetc_pci_remove(pdev);
+-
++ enetc_psi_destroy(pdev);
++err_psi_create:
+ return err;
+ }
+
+@@ -1396,12 +1422,29 @@ static void enetc_pf_remove(struct pci_d
+ enetc_free_msix(priv);
+
+ enetc_free_si_resources(priv);
+- enetc_teardown_cbdr(&si->cbd_ring);
+
+ free_netdev(si->ndev);
+
+- enetc_pci_remove(pdev);
++ enetc_psi_destroy(pdev);
++}
++
++static void enetc_fixup_clear_rss_rfs(struct pci_dev *pdev)
++{
++ struct device_node *node = pdev->dev.of_node;
++ struct enetc_si *si;
++
++ /* Only apply quirk for disabled functions. For the ones
++ * that are enabled, enetc_pf_probe() will apply it.
++ */
++ if (node && of_device_is_available(node))
++ return;
++
++ si = enetc_psi_create(pdev);
++ if (si)
++ enetc_psi_destroy(pdev);
+ }
++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_FREESCALE, ENETC_DEV_ID_PF,
++ enetc_fixup_clear_rss_rfs);
+
+ static const struct pci_device_id enetc_pf_id_table[] = {
+ { PCI_DEVICE(PCI_VENDOR_ID_FREESCALE, ENETC_DEV_ID_PF) },
--- /dev/null
+From 77e45145e3039a0fb212556ab3f8c87f54771757 Mon Sep 17 00:00:00 2001
+From: Frederic Weisbecker <frederic@kernel.org>
+Date: Sun, 23 Feb 2025 23:17:08 +0100
+Subject: net: Handle napi_schedule() calls from non-interrupt
+
+From: Frederic Weisbecker <frederic@kernel.org>
+
+commit 77e45145e3039a0fb212556ab3f8c87f54771757 upstream.
+
+napi_schedule() is expected to be called either:
+
+* From an interrupt, where raised softirqs are handled on IRQ exit
+
+* From a softirq disabled section, where raised softirqs are handled on
+ the next call to local_bh_enable().
+
+* From a softirq handler, where raised softirqs are handled on the next
+ round in do_softirq(), or further deferred to a dedicated kthread.
+
+Other bare tasks context may end up ignoring the raised NET_RX vector
+until the next random softirq handling opportunity, which may not
+happen before a while if the CPU goes idle afterwards with the tick
+stopped.
+
+Such "misuses" have been detected on several places thanks to messages
+of the kind:
+
+ "NOHZ tick-stop error: local softirq work is pending, handler #08!!!"
+
+For example:
+
+ __raise_softirq_irqoff
+ __napi_schedule
+ rtl8152_runtime_resume.isra.0
+ rtl8152_resume
+ usb_resume_interface.isra.0
+ usb_resume_both
+ __rpm_callback
+ rpm_callback
+ rpm_resume
+ __pm_runtime_resume
+ usb_autoresume_device
+ usb_remote_wakeup
+ hub_event
+ process_one_work
+ worker_thread
+ kthread
+ ret_from_fork
+ ret_from_fork_asm
+
+And also:
+
+* drivers/net/usb/r8152.c::rtl_work_func_t
+* drivers/net/netdevsim/netdev.c::nsim_start_xmit
+
+There is a long history of issues of this kind:
+
+ 019edd01d174 ("ath10k: sdio: Add missing BH locking around napi_schdule()")
+ 330068589389 ("idpf: disable local BH when scheduling napi for marker packets")
+ e3d5d70cb483 ("net: lan78xx: fix "softirq work is pending" error")
+ e55c27ed9ccf ("mt76: mt7615: add missing bh-disable around rx napi schedule")
+ c0182aa98570 ("mt76: mt7915: add missing bh-disable around tx napi enable/schedule")
+ 970be1dff26d ("mt76: disable BH around napi_schedule() calls")
+ 019edd01d174 ("ath10k: sdio: Add missing BH locking around napi_schdule()")
+ 30bfec4fec59 ("can: rx-offload: can_rx_offload_threaded_irq_finish(): add new function to be called from threaded interrupt")
+ e63052a5dd3c ("mlx5e: add add missing BH locking around napi_schdule()")
+ 83a0c6e58901 ("i40e: Invoke softirqs after napi_reschedule")
+ bd4ce941c8d5 ("mlx4: Invoke softirqs after napi_reschedule")
+ 8cf699ec849f ("mlx4: do not call napi_schedule() without care")
+ ec13ee80145c ("virtio_net: invoke softirqs after __napi_schedule")
+
+This shows that relying on the caller to arrange a proper context for
+the softirqs to be handled while calling napi_schedule() is very fragile
+and error prone. Also fixing them can also prove challenging if the
+caller may be called from different kinds of contexts.
+
+Therefore fix this from napi_schedule() itself with waking up ksoftirqd
+when softirqs are raised from task contexts.
+
+Reported-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Reported-by: Jakub Kicinski <kuba@kernel.org>
+Reported-by: Francois Romieu <romieu@fr.zoreil.com>
+Closes: https://lore.kernel.org/lkml/354a2690-9bbf-4ccb-8769-fa94707a9340@molgen.mpg.de/
+Cc: Breno Leitao <leitao@debian.org>
+Signed-off-by: Frederic Weisbecker <frederic@kernel.org>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20250223221708.27130-1-frederic@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -4486,7 +4486,7 @@ static inline void ____napi_schedule(str
+ }
+
+ list_add_tail(&napi->poll_list, &sd->poll_list);
+- __raise_softirq_irqoff(NET_RX_SOFTIRQ);
++ raise_softirq_irqoff(NET_RX_SOFTIRQ);
+ }
+
+ #ifdef CONFIG_RPS
--- /dev/null
+From lanbincn@139.com Thu Feb 26 10:56:09 2026
+From: Bin Lan <lanbincn@139.com>
+Date: Thu, 26 Feb 2026 17:55:51 +0800
+Subject: net/sched: cls_u32: use skb_header_pointer_careful()
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org
+Cc: Eric Dumazet <edumazet@google.com>, GangMin Kim <km.kim1503@gmail.com>, Jakub Kicinski <kuba@kernel.org>, Bin Lan <lanbincn@139.com>
+Message-ID: <20260226095551.4183-2-lanbincn@139.com>
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit cabd1a976375780dabab888784e356f574bbaed8 ]
+
+skb_header_pointer() does not fully validate negative @offset values.
+
+Use skb_header_pointer_careful() instead.
+
+GangMin Kim provided a report and a repro fooling u32_classify():
+
+BUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0
+net/sched/cls_u32.c:221
+
+Fixes: fbc2e7d9cf49 ("cls_u32: use skb_header_pointer() to dereference data safely")
+Reported-by: GangMin Kim <km.kim1503@gmail.com>
+Closes: https://lore.kernel.org/netdev/CANn89iJkyUZ=mAzLzC4GdcAgLuPnUoivdLaOs6B9rq5_erj76w@mail.gmail.com/T/
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260128141539.3404400-3-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Bin Lan <lanbincn@139.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/cls_u32.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/net/sched/cls_u32.c
++++ b/net/sched/cls_u32.c
+@@ -159,10 +159,8 @@ next_knode:
+ int toff = off + key->off + (off2 & key->offmask);
+ __be32 *data, hdata;
+
+- if (skb_headroom(skb) + toff > INT_MAX)
+- goto out;
+-
+- data = skb_header_pointer(skb, toff, 4, &hdata);
++ data = skb_header_pointer_careful(skb, toff, 4,
++ &hdata);
+ if (!data)
+ goto out;
+ if ((*data ^ key->val) & key->mask) {
+@@ -212,8 +210,9 @@ check_terminal:
+ if (ht->divisor) {
+ __be32 *data, hdata;
+
+- data = skb_header_pointer(skb, off + n->sel.hoff, 4,
+- &hdata);
++ data = skb_header_pointer_careful(skb,
++ off + n->sel.hoff,
++ 4, &hdata);
+ if (!data)
+ goto out;
+ sel = ht->divisor & u32_hash_fold(*data, &n->sel,
+@@ -227,7 +226,7 @@ check_terminal:
+ if (n->sel.flags & TC_U32_VAROFFSET) {
+ __be16 *data, hdata;
+
+- data = skb_header_pointer(skb,
++ data = skb_header_pointer_careful(skb,
+ off + n->sel.offoff,
+ 2, &hdata);
+ if (!data)
--- /dev/null
+From e1aa5ef892fb4fa9014a25e87b64b97347919d37 Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhuacai@loongson.cn>
+Date: Tue, 3 Feb 2026 14:29:01 +0800
+Subject: net: stmmac: dwmac-loongson: Set clk_csr_i to 100-150MHz
+
+From: Huacai Chen <chenhuacai@loongson.cn>
+
+commit e1aa5ef892fb4fa9014a25e87b64b97347919d37 upstream.
+
+Current clk_csr_i setting of Loongson STMMAC (including LS7A1000/2000
+and LS2K1000/2000/3000) are copy & paste from other drivers. In fact,
+Loongson STMMAC use 125MHz clocks and need 62 freq division to within
+2.5MHz, meeting most PHY MDC requirement. So fix by setting clk_csr_i
+to 100-150MHz, otherwise some PHYs may link fail.
+
+Cc: stable@vger.kernel.org
+Fixes: 30bba69d7db40e7 ("stmmac: pci: Add dwmac support for Loongson")
+Signed-off-by: Hongliang Wang <wanghongliang@loongson.cn>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Link: https://patch.msgid.link/20260203062901.2158236-1-chenhuacai@loongson.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c
+@@ -11,7 +11,7 @@
+
+ static int loongson_default_data(struct plat_stmmacenet_data *plat)
+ {
+- plat->clk_csr = 2; /* clk_csr_i = 20-35MHz & MDC = clk_csr_i/16 */
++ plat->clk_csr = 1; /* clk_csr_i = 100-150MHz & MDC = clk_csr_i/62 */
+ plat->has_gmac = 1;
+ plat->force_sf_dma_mode = 1;
+
--- /dev/null
+From stable+bounces-219894-greg=kroah.com@vger.kernel.org Fri Feb 27 04:12:46 2026
+From: Rajani Kantha <681739313@139.com>
+Date: Fri, 27 Feb 2026 11:12:23 +0800
+Subject: scsi: ufs: core: Fix handling of lrbp->cmd
+To: bvanassche@acm.org, adrian.hunter@intel.com, martin.petersen@oracle.com, gregkh@linuxfoundation.org
+Cc: stable@vger.kernel.org
+Message-ID: <20260227031223.1643-1-681739313@139.com>
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit 549e91a9bbaa0ee480f59357868421a61d369770 ]
+
+ufshcd_queuecommand() may be called two times in a row for a SCSI command
+before it is completed. Hence make the following changes:
+
+ - In the functions that submit a command, do not check the old value of
+ lrbp->cmd nor clear lrbp->cmd in error paths.
+
+ - In ufshcd_release_scsi_cmd(), do not clear lrbp->cmd.
+
+See also scsi_send_eh_cmnd().
+
+This commit prevents that the following appears if a command times out:
+
+WARNING: at drivers/ufs/core/ufshcd.c:2965 ufshcd_queuecommand+0x6f8/0x9a8
+Call trace:
+ ufshcd_queuecommand+0x6f8/0x9a8
+ scsi_send_eh_cmnd+0x2c0/0x960
+ scsi_eh_test_devices+0x100/0x314
+ scsi_eh_ready_devs+0xd90/0x114c
+ scsi_error_handler+0x2b4/0xb70
+ kthread+0x16c/0x1e0
+
+Fixes: 5a0b0cb9bee7 ("[SCSI] ufs: Add support for sending NOP OUT UPIU")
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Link: https://lore.kernel.org/r/20230524203659.1394307-3-bvanassche@acm.org
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+[ Removed the change in ufshcd_advanced_rpmb_req_handler() due to missing
+commit:6ff265fc5ef6("scsi: ufs: core: bsg: Add advanced RPMB support in ufs_bsg") ]
+Signed-off-by: Rajani Kantha <681739313@139.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ufs/core/ufshcd.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/drivers/ufs/core/ufshcd.c
++++ b/drivers/ufs/core/ufshcd.c
+@@ -2821,7 +2821,6 @@ static int ufshcd_queuecommand(struct Sc
+ (hba->clk_gating.state != CLKS_ON));
+
+ lrbp = &hba->lrb[tag];
+- WARN_ON(lrbp->cmd);
+ lrbp->cmd = cmd;
+ lrbp->task_tag = tag;
+ lrbp->lun = ufshcd_scsi_to_upiu_lun(cmd->device->lun);
+@@ -2837,7 +2836,6 @@ static int ufshcd_queuecommand(struct Sc
+
+ err = ufshcd_map_sg(hba, lrbp);
+ if (err) {
+- lrbp->cmd = NULL;
+ ufshcd_release(hba);
+ goto out;
+ }
+@@ -3047,7 +3045,7 @@ static int ufshcd_exec_dev_cmd(struct uf
+ down_read(&hba->clk_scaling_lock);
+
+ lrbp = &hba->lrb[tag];
+- WARN_ON(lrbp->cmd);
++ lrbp->cmd = NULL;
+ err = ufshcd_compose_dev_cmd(hba, lrbp, cmd_type, tag);
+ if (unlikely(err))
+ goto out;
+@@ -5357,7 +5355,6 @@ static void ufshcd_release_scsi_cmd(stru
+ struct scsi_cmnd *cmd = lrbp->cmd;
+
+ scsi_dma_unmap(cmd);
+- lrbp->cmd = NULL; /* Mark the command as completed. */
+ ufshcd_release(hba);
+ ufshcd_clk_scaling_update_busy(hba);
+ }
+@@ -6936,7 +6933,6 @@ static int ufshcd_issue_devman_upiu_cmd(
+ down_read(&hba->clk_scaling_lock);
+
+ lrbp = &hba->lrb[tag];
+- WARN_ON(lrbp->cmd);
+ lrbp->cmd = NULL;
+ lrbp->task_tag = tag;
+ lrbp->lun = 0;
ksmbd-compare-macs-in-constant-time.patch
net-tcp-md5-fix-mac-comparison-to-be-constant-time.patch
mtd-spinand-macronix-use-scratch-buffer-for-dma-operation.patch
+net-enetc-reimplement-rfs-rss-memory-clearing-as-pci-quirk.patch
+net-enetc-allocate-vf_state-during-pf-probes.patch
+dm-verity-disable-recursive-forward-error-correction.patch
+net-add-skb_header_pointer_careful-helper.patch
+net-sched-cls_u32-use-skb_header_pointer_careful.patch
+scsi-ufs-core-fix-handling-of-lrbp-cmd.patch
+net-stmmac-dwmac-loongson-set-clk_csr_i-to-100-150mhz.patch
+net-handle-napi_schedule-calls-from-non-interrupt.patch
+gve-defer-interrupt-enabling-until-napi-registration.patch
+drm-exynos-vidi-use-priv-vidi_dev-for-ctx-lookup-in-vidi_connection_ioctl.patch
+drm-exynos-vidi-fix-to-avoid-directly-dereferencing-user-pointer.patch
+drm-exynos-vidi-use-ctx-lock-to-protect-struct-vidi_context-member-variables-related-to-memory-alloc-free.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
