From: Sasha Levin Date: Sat, 8 Nov 2025 17:22:17 +0000 (-0500) Subject: Fixes for all trees X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;ds=sidebyside;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for all trees Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/net-dsa-b53-fix-enabling-ip-multicast.patch b/queue-5.10/net-dsa-b53-fix-enabling-ip-multicast.patch new file mode 100644 index 0000000000..0203213e4e --- /dev/null +++ b/queue-5.10/net-dsa-b53-fix-enabling-ip-multicast.patch @@ -0,0 +1,75 @@ +From e45b4ddd8fe955784eb810307b8891c6c75d9ebe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Nov 2025 11:07:56 +0100 +Subject: net: dsa: b53: fix enabling ip multicast + +From: Jonas Gorski + +[ Upstream commit c264294624e956a967a9e2e5fa41e3273340b089 ] + +In the New Control register bit 1 is either reserved, or has a different +function: + + Out of Range Error Discard + + When enabled, the ingress port discards any frames + if the Length field is between 1500 and 1536 + (excluding 1500 and 1536) and with good CRC. + +The actual bit for enabling IP multicast is bit 0, which was only +explicitly enabled for BCM5325 so far. + +For older switch chips, this bit defaults to 0, so we want to enable it +as well, while newer switch chips default to 1, and their documentation +says "It is illegal to set this bit to zero." + +So drop the wrong B53_IPMC_FWD_EN define, enable the IP multicast bit +also for other switch chips. While at it, rename it to (B53_)IP_MC as +that is how it is called in Broadcom code. + +Fixes: 63cc54a6f073 ("net: dsa: b53: Fix egress flooding settings") +Signed-off-by: Jonas Gorski +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20251102100758.28352-2-jonas.gorski@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 4 ++-- + drivers/net/dsa/b53/b53_regs.h | 3 +-- + 2 files changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index 704ec51a1500e..a30961f9b0060 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -349,11 +349,11 @@ static void b53_set_forwarding(struct b53_device *dev, int enable) + * frames should be flooded or not. + */ + b53_read8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, &mgmt); +- mgmt |= B53_UC_FWD_EN | B53_MC_FWD_EN | B53_IPMC_FWD_EN; ++ mgmt |= B53_UC_FWD_EN | B53_MC_FWD_EN | B53_IP_MC; + b53_write8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, mgmt); + } else { + b53_read8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, &mgmt); +- mgmt |= B53_IP_MCAST_25; ++ mgmt |= B53_IP_MC; + b53_write8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, mgmt); + } + } +diff --git a/drivers/net/dsa/b53/b53_regs.h b/drivers/net/dsa/b53/b53_regs.h +index 77fb7ae660b8c..95f70248c194d 100644 +--- a/drivers/net/dsa/b53/b53_regs.h ++++ b/drivers/net/dsa/b53/b53_regs.h +@@ -104,8 +104,7 @@ + + /* IP Multicast control (8 bit) */ + #define B53_IP_MULTICAST_CTRL 0x21 +-#define B53_IP_MCAST_25 BIT(0) +-#define B53_IPMC_FWD_EN BIT(1) ++#define B53_IP_MC BIT(0) + #define B53_UC_FWD_EN BIT(6) + #define B53_MC_FWD_EN BIT(7) + +-- +2.51.0 + diff --git a/queue-5.10/net-dsa-b53-fix-resetting-speed-and-pause-on-forced-.patch b/queue-5.10/net-dsa-b53-fix-resetting-speed-and-pause-on-forced-.patch new file mode 100644 index 0000000000..c8290a6b44 --- /dev/null +++ b/queue-5.10/net-dsa-b53-fix-resetting-speed-and-pause-on-forced-.patch @@ -0,0 +1,64 @@ +From ca50867ddaa1d7557ebe52d10a31689b0af8e810 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Nov 2025 14:28:06 +0100 +Subject: net: dsa: b53: fix resetting speed and pause on forced link + +From: Jonas Gorski + +[ Upstream commit b6a8a5477fe9bd6be2b594a88f82f8bba41e6d54 ] + +There is no guarantee that the port state override registers have their +default values, as not all switches support being reset via register or +have a reset GPIO. + +So when forcing port config, we need to make sure to clear all fields, +which we currently do not do for the speed and flow control +configuration. This can cause flow control stay enabled, or in the case +of speed becoming an illegal value, e.g. configured for 1G (0x2), then +setting 100M (0x1), results in 0x3 which is invalid. + +For PORT_OVERRIDE_SPEED_2000M we need to make sure to only clear it on +supported chips, as the bit can have different meanings on other chips, +e.g. for BCM5389 this controls scanning PHYs for link/speed +configuration. + +Fixes: 5e004460f874 ("net: dsa: b53: Add helper to set link parameters") +Signed-off-by: Jonas Gorski +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20251101132807.50419-2-jonas.gorski@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index 361f9be65386e..704ec51a1500e 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -1151,6 +1151,10 @@ static void b53_force_port_config(struct b53_device *dev, int port, + else + reg &= ~PORT_OVERRIDE_FULL_DUPLEX; + ++ reg &= ~(0x3 << GMII_PO_SPEED_S); ++ if (is5301x(dev) || is58xx(dev)) ++ reg &= ~PORT_OVERRIDE_SPEED_2000M; ++ + switch (speed) { + case 2000: + reg |= PORT_OVERRIDE_SPEED_2000M; +@@ -1169,6 +1173,11 @@ static void b53_force_port_config(struct b53_device *dev, int port, + return; + } + ++ if (is5325(dev)) ++ reg &= ~PORT_OVERRIDE_LP_FLOW_25; ++ else ++ reg &= ~(PORT_OVERRIDE_RX_FLOW | PORT_OVERRIDE_TX_FLOW); ++ + if (rx_pause) { + if (is5325(dev)) + reg |= PORT_OVERRIDE_LP_FLOW_25; +-- +2.51.0 + diff --git a/queue-5.10/net-dsa-b53-stop-reading-arl-entries-if-search-is-do.patch b/queue-5.10/net-dsa-b53-stop-reading-arl-entries-if-search-is-do.patch new file mode 100644 index 0000000000..191a4bde8a --- /dev/null +++ b/queue-5.10/net-dsa-b53-stop-reading-arl-entries-if-search-is-do.patch @@ -0,0 +1,51 @@ +From 39a84ad7b5486dc2c18ecbbc5cbb50f9513f0030 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Nov 2025 11:07:57 +0100 +Subject: net: dsa: b53: stop reading ARL entries if search is done + +From: Jonas Gorski + +[ Upstream commit 0be04b5fa62a82a9929ca261f6c9f64a3d0a28da ] + +The switch clears the ARL_SRCH_STDN bit when the search is done, i.e. it +finished traversing the ARL table. + +This means that there will be no valid result, so we should not attempt +to read and process any further entries. + +We only ever check the validity of the entries for 4 ARL bin chips, and +only after having passed the first entry to the b53_fdb_copy(). + +This means that we always pass an invalid entry at the end to the +b53_fdb_copy(). b53_fdb_copy() does check the validity though before +passing on the entry, so it never gets passed on. + +On < 4 ARL bin chips, we will even continue reading invalid entries +until we reach the result limit. + +Fixes: 1da6df85c6fb ("net: dsa: b53: Implement ARL add/del/dump operations") +Signed-off-by: Jonas Gorski +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20251102100758.28352-3-jonas.gorski@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index a30961f9b0060..416ed1ca1d522 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -1731,7 +1731,7 @@ static int b53_arl_search_wait(struct b53_device *dev) + do { + b53_read8(dev, B53_ARLIO_PAGE, B53_ARL_SRCH_CTL, ®); + if (!(reg & ARL_SRCH_STDN)) +- return 0; ++ return -ENOENT; + + if (reg & ARL_SRCH_VLID) + return 0; +-- +2.51.0 + diff --git a/queue-5.10/net-sctp-fix-some-typos.patch b/queue-5.10/net-sctp-fix-some-typos.patch new file mode 100644 index 0000000000..325cfb82a8 --- /dev/null +++ b/queue-5.10/net-sctp-fix-some-typos.patch @@ -0,0 +1,51 @@ +From fcf31d4d127c753b6d67e48443014581cda24693 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 Mar 2021 10:27:23 +0800 +Subject: net: sctp: Fix some typos + +From: Lu Wei + +[ Upstream commit 21c00a186fac6e035eef5e6751f1e2d2609f969c ] + +Modify "unkown" to "unknown" in net/sctp/sm_make_chunk.c and +Modify "orginal" to "original" in net/sctp/socket.c. + +Reported-by: Hulk Robot +Signed-off-by: Lu Wei +Signed-off-by: David S. Miller +Stable-dep-of: f1fc201148c7 ("sctp: Hold sock lock while iterating over address list") +Signed-off-by: Sasha Levin +--- + net/sctp/sm_make_chunk.c | 2 +- + net/sctp/socket.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c +index cf77c4693b91d..85cc11a85b383 100644 +--- a/net/sctp/sm_make_chunk.c ++++ b/net/sctp/sm_make_chunk.c +@@ -3206,7 +3206,7 @@ bool sctp_verify_asconf(const struct sctp_association *asoc, + return false; + break; + default: +- /* This is unkown to us, reject! */ ++ /* This is unknown to us, reject! */ + return false; + } + } +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index 196196ebe81a9..8fe09f962957f 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -9266,7 +9266,7 @@ void sctp_copy_sock(struct sock *newsk, struct sock *sk, + if (newsk->sk_flags & SK_FLAGS_TIMESTAMP) + net_enable_timestamp(); + +- /* Set newsk security attributes from orginal sk and connection ++ /* Set newsk security attributes from original sk and connection + * security attribute from ep. + */ + security_sctp_sk_clone(ep, sk, newsk); +-- +2.51.0 + diff --git a/queue-5.10/net-usb-qmi_wwan-initialize-mac-header-offset-in-qmi.patch b/queue-5.10/net-usb-qmi_wwan-initialize-mac-header-offset-in-qmi.patch new file mode 100644 index 0000000000..45bcc47948 --- /dev/null +++ b/queue-5.10/net-usb-qmi_wwan-initialize-mac-header-offset-in-qmi.patch @@ -0,0 +1,70 @@ +From defaac4585b195815e954323ee3eb91ad396b580 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Oct 2025 08:57:44 +0100 +Subject: net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup + +From: Qendrim Maxhuni + +[ Upstream commit e120f46768d98151ece8756ebd688b0e43dc8b29 ] + +Raw IP packets have no MAC header, leaving skb->mac_header uninitialized. +This can trigger kernel panics on ARM64 when xfrm or other subsystems +access the offset due to strict alignment checks. + +Initialize the MAC header to prevent such crashes. + +This can trigger kernel panics on ARM when running IPsec over the +qmimux0 interface. + +Example trace: + + Internal error: Oops: 000000009600004f [#1] SMP + CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.34-gbe78e49cb433 #1 + Hardware name: LS1028A RDB Board (DT) + pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : xfrm_input+0xde8/0x1318 + lr : xfrm_input+0x61c/0x1318 + sp : ffff800080003b20 + Call trace: + xfrm_input+0xde8/0x1318 + xfrm6_rcv+0x38/0x44 + xfrm6_esp_rcv+0x48/0xa8 + ip6_protocol_deliver_rcu+0x94/0x4b0 + ip6_input_finish+0x44/0x70 + ip6_input+0x44/0xc0 + ipv6_rcv+0x6c/0x114 + __netif_receive_skb_one_core+0x5c/0x8c + __netif_receive_skb+0x18/0x60 + process_backlog+0x78/0x17c + __napi_poll+0x38/0x180 + net_rx_action+0x168/0x2f0 + +Fixes: c6adf77953bc ("net: usb: qmi_wwan: add qmap mux protocol support") +Signed-off-by: Qendrim Maxhuni +Link: https://patch.msgid.link/20251029075744.105113-1-qendrim.maxhuni@garderos.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/qmi_wwan.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index 84f949d8c8c9e..fb5c7ab467c0a 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -207,6 +207,12 @@ static int qmimux_rx_fixup(struct usbnet *dev, struct sk_buff *skb) + return 0; + skbn->dev = net; + ++ /* Raw IP packets don't have a MAC header, but other subsystems ++ * (like xfrm) may still access MAC header offsets, so they must ++ * be initialized. ++ */ ++ skb_reset_mac_header(skbn); ++ + switch (skb->data[offset + qmimux_hdr_sz] & 0xf0) { + case 0x40: + skbn->protocol = htons(ETH_P_IP); +-- +2.51.0 + diff --git a/queue-5.10/net-use-nlmsg_unicast-instead-of-netlink_unicast.patch b/queue-5.10/net-use-nlmsg_unicast-instead-of-netlink_unicast.patch new file mode 100644 index 0000000000..a09811810e --- /dev/null +++ b/queue-5.10/net-use-nlmsg_unicast-instead-of-netlink_unicast.patch @@ -0,0 +1,161 @@ +From cf983dff6a0259f4e45d70f5164d931203b13f3f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jul 2021 10:48:24 +0800 +Subject: net: Use nlmsg_unicast() instead of netlink_unicast() + +From: Yajun Deng + +[ Upstream commit 01757f536ac825e3614d583fee9acb48c64ed084 ] + +It has 'if (err >0 )' statement in nlmsg_unicast(), so use nlmsg_unicast() +instead of netlink_unicast(), this looks more concise. + +v2: remove the change in netfilter. + +Signed-off-by: Yajun Deng +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Stable-dep-of: f1fc201148c7 ("sctp: Hold sock lock while iterating over address list") +Signed-off-by: Sasha Levin +--- + net/ipv4/fib_frontend.c | 2 +- + net/ipv4/inet_diag.c | 5 +---- + net/ipv4/raw_diag.c | 7 ++----- + net/ipv4/udp_diag.c | 6 ++---- + net/mptcp/mptcp_diag.c | 6 ++---- + net/netlink/af_netlink.c | 2 +- + net/sctp/diag.c | 6 ++---- + net/unix/diag.c | 6 ++---- + 8 files changed, 13 insertions(+), 27 deletions(-) + +diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c +index f902cd8cb852b..e35e7793c0e47 100644 +--- a/net/ipv4/fib_frontend.c ++++ b/net/ipv4/fib_frontend.c +@@ -1400,7 +1400,7 @@ static void nl_fib_input(struct sk_buff *skb) + portid = NETLINK_CB(skb).portid; /* netlink portid */ + NETLINK_CB(skb).portid = 0; /* from kernel */ + NETLINK_CB(skb).dst_group = 0; /* unicast */ +- netlink_unicast(net->ipv4.fibnl, skb, portid, MSG_DONTWAIT); ++ nlmsg_unicast(net->ipv4.fibnl, skb, portid); + } + + static int __net_init nl_fib_lookup_init(struct net *net) +diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c +index b9df76f6571cd..611f45da24f82 100644 +--- a/net/ipv4/inet_diag.c ++++ b/net/ipv4/inet_diag.c +@@ -572,10 +572,7 @@ int inet_diag_dump_one_icsk(struct inet_hashinfo *hashinfo, + nlmsg_free(rep); + goto out; + } +- err = netlink_unicast(net->diag_nlsk, rep, NETLINK_CB(in_skb).portid, +- MSG_DONTWAIT); +- if (err > 0) +- err = 0; ++ err = nlmsg_unicast(net->diag_nlsk, rep, NETLINK_CB(in_skb).portid); + + out: + if (sk) +diff --git a/net/ipv4/raw_diag.c b/net/ipv4/raw_diag.c +index 1b5b8af27aafa..ccacbde30a2c5 100644 +--- a/net/ipv4/raw_diag.c ++++ b/net/ipv4/raw_diag.c +@@ -119,11 +119,8 @@ static int raw_diag_dump_one(struct netlink_callback *cb, + return err; + } + +- err = netlink_unicast(net->diag_nlsk, rep, +- NETLINK_CB(in_skb).portid, +- MSG_DONTWAIT); +- if (err > 0) +- err = 0; ++ err = nlmsg_unicast(net->diag_nlsk, rep, NETLINK_CB(in_skb).portid); ++ + return err; + } + +diff --git a/net/ipv4/udp_diag.c b/net/ipv4/udp_diag.c +index 1dbece34496e5..ed69d1edfd099 100644 +--- a/net/ipv4/udp_diag.c ++++ b/net/ipv4/udp_diag.c +@@ -77,10 +77,8 @@ static int udp_dump_one(struct udp_table *tbl, + kfree_skb(rep); + goto out; + } +- err = netlink_unicast(net->diag_nlsk, rep, NETLINK_CB(in_skb).portid, +- MSG_DONTWAIT); +- if (err > 0) +- err = 0; ++ err = nlmsg_unicast(net->diag_nlsk, rep, NETLINK_CB(in_skb).portid); ++ + out: + if (sk) + sock_put(sk); +diff --git a/net/mptcp/mptcp_diag.c b/net/mptcp/mptcp_diag.c +index f1af3f44875ed..7f900b58c71da 100644 +--- a/net/mptcp/mptcp_diag.c ++++ b/net/mptcp/mptcp_diag.c +@@ -57,10 +57,8 @@ static int mptcp_diag_dump_one(struct netlink_callback *cb, + kfree_skb(rep); + goto out; + } +- err = netlink_unicast(net->diag_nlsk, rep, NETLINK_CB(in_skb).portid, +- MSG_DONTWAIT); +- if (err > 0) +- err = 0; ++ err = nlmsg_unicast(net->diag_nlsk, rep, NETLINK_CB(in_skb).portid); ++ + out: + sock_put(sk); + +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index 552682a5ff243..42b7b8574f099 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -2470,7 +2470,7 @@ void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err, + + nlmsg_end(skb, rep); + +- netlink_unicast(in_skb->sk, skb, NETLINK_CB(in_skb).portid, MSG_DONTWAIT); ++ nlmsg_unicast(in_skb->sk, skb, NETLINK_CB(in_skb).portid); + } + EXPORT_SYMBOL(netlink_ack); + +diff --git a/net/sctp/diag.c b/net/sctp/diag.c +index da00a31e167d7..b1e672227924a 100644 +--- a/net/sctp/diag.c ++++ b/net/sctp/diag.c +@@ -288,10 +288,8 @@ static int sctp_tsp_dump_one(struct sctp_transport *tsp, void *p) + goto out; + } + +- err = netlink_unicast(net->diag_nlsk, rep, NETLINK_CB(in_skb).portid, +- MSG_DONTWAIT); +- if (err > 0) +- err = 0; ++ err = nlmsg_unicast(net->diag_nlsk, rep, NETLINK_CB(in_skb).portid); ++ + out: + return err; + } +diff --git a/net/unix/diag.c b/net/unix/diag.c +index 7066a36234106..486276a1782ed 100644 +--- a/net/unix/diag.c ++++ b/net/unix/diag.c +@@ -299,10 +299,8 @@ static int unix_diag_get_exact(struct sk_buff *in_skb, + + goto again; + } +- err = netlink_unicast(net->diag_nlsk, rep, NETLINK_CB(in_skb).portid, +- MSG_DONTWAIT); +- if (err > 0) +- err = 0; ++ err = nlmsg_unicast(net->diag_nlsk, rep, NETLINK_CB(in_skb).portid); ++ + out: + if (sk) + sock_put(sk); +-- +2.51.0 + diff --git a/queue-5.10/net-vlan-sync-vlan-features-with-lower-device.patch b/queue-5.10/net-vlan-sync-vlan-features-with-lower-device.patch new file mode 100644 index 0000000000..4588e2dcdc --- /dev/null +++ b/queue-5.10/net-vlan-sync-vlan-features-with-lower-device.patch @@ -0,0 +1,44 @@ +From d62ab1bca35a6bc09795a272f61ccc1ad8da6ee6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Oct 2025 07:35:39 +0000 +Subject: net: vlan: sync VLAN features with lower device + +From: Hangbin Liu + +[ Upstream commit c211f5d7cbd5cb34489d526648bb9c8ecc907dee ] + +After registering a VLAN device and setting its feature flags, we need to +synchronize the VLAN features with the lower device. For example, the VLAN +device does not have the NETIF_F_LRO flag, it should be synchronized with +the lower device based on the NETIF_F_UPPER_DISABLES definition. + +As the dev->vlan_features has changed, we need to call +netdev_update_features(). The caller must run after netdev_upper_dev_link() +links the lower devices, so this patch adds the netdev_update_features() +call in register_vlan_dev(). + +Fixes: fd867d51f889 ("net/core: generic support for disabling netdev features down stack") +Signed-off-by: Hangbin Liu +Link: https://patch.msgid.link/20251030073539.133779-1-liuhangbin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/8021q/vlan.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c +index 07b829d19e01e..7be41986001bb 100644 +--- a/net/8021q/vlan.c ++++ b/net/8021q/vlan.c +@@ -191,6 +191,8 @@ int register_vlan_dev(struct net_device *dev, struct netlink_ext_ack *extack) + vlan_group_set_device(grp, vlan->vlan_proto, vlan_id, dev); + grp->nr_vlan_devs++; + ++ netdev_update_features(dev); ++ + return 0; + + out_unregister_netdev: +-- +2.51.0 + diff --git a/queue-5.10/riscv-ptdump-use-seq_puts-in-pt_dump_seq_puts-macro.patch b/queue-5.10/riscv-ptdump-use-seq_puts-in-pt_dump_seq_puts-macro.patch new file mode 100644 index 0000000000..3bd9154040 --- /dev/null +++ b/queue-5.10/riscv-ptdump-use-seq_puts-in-pt_dump_seq_puts-macro.patch @@ -0,0 +1,47 @@ +From 9b8380cc8d3d24894c85d133c3c17169498ea32d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Oct 2025 11:40:43 -0600 +Subject: riscv: ptdump: use seq_puts() in pt_dump_seq_puts() macro + +From: Josephine Pfeiffer + +[ Upstream commit a74f038fa50e0d33b740f44f862fe856f16de6a8 ] + +The pt_dump_seq_puts() macro incorrectly uses seq_printf() instead of +seq_puts(). This is both a performance issue and conceptually wrong, +as the macro name suggests plain string output (puts) but the +implementation uses formatted output (printf). + +The macro is used in ptdump.c:301 to output a newline character. Using +seq_printf() adds unnecessary overhead for format string parsing when +outputting this constant string. + +This bug was introduced in commit 59c4da8640cc ("riscv: Add support to +dump the kernel page tables") in 2020, which copied the implementation +pattern from other architectures that had the same bug. + +Fixes: 59c4da8640cc ("riscv: Add support to dump the kernel page tables") +Signed-off-by: Josephine Pfeiffer +Link: https://lore.kernel.org/r/20251018170451.3355496-1-hi@josie.lol +Signed-off-by: Paul Walmsley +Signed-off-by: Sasha Levin +--- + arch/riscv/mm/ptdump.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/riscv/mm/ptdump.c b/arch/riscv/mm/ptdump.c +index ace74dec7492c..dddb1932ba8b6 100644 +--- a/arch/riscv/mm/ptdump.c ++++ b/arch/riscv/mm/ptdump.c +@@ -22,7 +22,7 @@ + #define pt_dump_seq_puts(m, fmt) \ + ({ \ + if (m) \ +- seq_printf(m, fmt); \ ++ seq_puts(m, fmt); \ + }) + + /* +-- +2.51.0 + diff --git a/queue-5.10/sctp-hold-endpoint-before-calling-cb-in-sctp_transpo.patch b/queue-5.10/sctp-hold-endpoint-before-calling-cb-in-sctp_transpo.patch new file mode 100644 index 0000000000..0bd9ab65bb --- /dev/null +++ b/queue-5.10/sctp-hold-endpoint-before-calling-cb-in-sctp_transpo.patch @@ -0,0 +1,182 @@ +From 580d7b4d975819e38b189c4f6443209e987afdab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Dec 2021 18:37:37 -0500 +Subject: sctp: hold endpoint before calling cb in + sctp_transport_lookup_process + +From: Xin Long + +[ Upstream commit f9d31c4cf4c11ff10317f038b9c6f7c3bda6cdd4 ] + +The same fix in commit 5ec7d18d1813 ("sctp: use call_rcu to free endpoint") +is also needed for dumping one asoc and sock after the lookup. + +Fixes: 86fdb3448cc1 ("sctp: ensure ep is not destroyed before doing the dump") +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Stable-dep-of: f1fc201148c7 ("sctp: Hold sock lock while iterating over address list") +Signed-off-by: Sasha Levin +--- + include/net/sctp/sctp.h | 3 +-- + net/sctp/diag.c | 46 +++++++++++++++++++---------------------- + net/sctp/socket.c | 22 +++++++++++++------- + 3 files changed, 37 insertions(+), 34 deletions(-) + +diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h +index 6d89a7f3f6a4c..775fde82c6576 100644 +--- a/include/net/sctp/sctp.h ++++ b/include/net/sctp/sctp.h +@@ -110,8 +110,7 @@ struct sctp_transport *sctp_transport_get_next(struct net *net, + struct rhashtable_iter *iter); + struct sctp_transport *sctp_transport_get_idx(struct net *net, + struct rhashtable_iter *iter, int pos); +-int sctp_transport_lookup_process(int (*cb)(struct sctp_transport *, void *), +- struct net *net, ++int sctp_transport_lookup_process(sctp_callback_t cb, struct net *net, + const union sctp_addr *laddr, + const union sctp_addr *paddr, void *p); + int sctp_transport_traverse_process(sctp_callback_t cb, sctp_callback_t cb_done, +diff --git a/net/sctp/diag.c b/net/sctp/diag.c +index b1e672227924a..3631a32d96b07 100644 +--- a/net/sctp/diag.c ++++ b/net/sctp/diag.c +@@ -249,48 +249,44 @@ static size_t inet_assoc_attr_size(struct sctp_association *asoc) + + 64; + } + +-static int sctp_tsp_dump_one(struct sctp_transport *tsp, void *p) ++static int sctp_sock_dump_one(struct sctp_endpoint *ep, struct sctp_transport *tsp, void *p) + { + struct sctp_association *assoc = tsp->asoc; +- struct sock *sk = tsp->asoc->base.sk; + struct sctp_comm_param *commp = p; +- struct sk_buff *in_skb = commp->skb; ++ struct sock *sk = ep->base.sk; + const struct inet_diag_req_v2 *req = commp->r; +- const struct nlmsghdr *nlh = commp->nlh; +- struct net *net = sock_net(in_skb->sk); ++ struct sk_buff *skb = commp->skb; + struct sk_buff *rep; + int err; + + err = sock_diag_check_cookie(sk, req->id.idiag_cookie); + if (err) +- goto out; ++ return err; + +- err = -ENOMEM; + rep = nlmsg_new(inet_assoc_attr_size(assoc), GFP_KERNEL); + if (!rep) +- goto out; ++ return -ENOMEM; + + lock_sock(sk); +- if (sk != assoc->base.sk) { +- release_sock(sk); +- sk = assoc->base.sk; +- lock_sock(sk); ++ if (ep != assoc->ep) { ++ err = -EAGAIN; ++ goto out; + } +- err = inet_sctp_diag_fill(sk, assoc, rep, req, +- sk_user_ns(NETLINK_CB(in_skb).sk), +- NETLINK_CB(in_skb).portid, +- nlh->nlmsg_seq, 0, nlh, +- commp->net_admin); +- release_sock(sk); ++ ++ err = inet_sctp_diag_fill(sk, assoc, rep, req, sk_user_ns(NETLINK_CB(skb).sk), ++ NETLINK_CB(skb).portid, commp->nlh->nlmsg_seq, 0, ++ commp->nlh, commp->net_admin); + if (err < 0) { + WARN_ON(err == -EMSGSIZE); +- kfree_skb(rep); + goto out; + } ++ release_sock(sk); + +- err = nlmsg_unicast(net->diag_nlsk, rep, NETLINK_CB(in_skb).portid); ++ return nlmsg_unicast(sock_net(skb->sk)->diag_nlsk, rep, NETLINK_CB(skb).portid); + + out: ++ release_sock(sk); ++ kfree_skb(rep); + return err; + } + +@@ -431,15 +427,15 @@ static void sctp_diag_get_info(struct sock *sk, struct inet_diag_msg *r, + static int sctp_diag_dump_one(struct netlink_callback *cb, + const struct inet_diag_req_v2 *req) + { +- struct sk_buff *in_skb = cb->skb; +- struct net *net = sock_net(in_skb->sk); ++ struct sk_buff *skb = cb->skb; ++ struct net *net = sock_net(skb->sk); + const struct nlmsghdr *nlh = cb->nlh; + union sctp_addr laddr, paddr; + struct sctp_comm_param commp = { +- .skb = in_skb, ++ .skb = skb, + .r = req, + .nlh = nlh, +- .net_admin = netlink_net_capable(in_skb, CAP_NET_ADMIN), ++ .net_admin = netlink_net_capable(skb, CAP_NET_ADMIN), + }; + + if (req->sdiag_family == AF_INET) { +@@ -462,7 +458,7 @@ static int sctp_diag_dump_one(struct netlink_callback *cb, + paddr.v6.sin6_family = AF_INET6; + } + +- return sctp_transport_lookup_process(sctp_tsp_dump_one, ++ return sctp_transport_lookup_process(sctp_sock_dump_one, + net, &laddr, &paddr, &commp); + } + +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index 8fe09f962957f..5ea0bad561a18 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -5212,23 +5212,31 @@ int sctp_for_each_endpoint(int (*cb)(struct sctp_endpoint *, void *), + } + EXPORT_SYMBOL_GPL(sctp_for_each_endpoint); + +-int sctp_transport_lookup_process(int (*cb)(struct sctp_transport *, void *), +- struct net *net, ++int sctp_transport_lookup_process(sctp_callback_t cb, struct net *net, + const union sctp_addr *laddr, + const union sctp_addr *paddr, void *p) + { + struct sctp_transport *transport; +- int err; ++ struct sctp_endpoint *ep; ++ int err = -ENOENT; + + rcu_read_lock(); + transport = sctp_addrs_lookup_transport(net, laddr, paddr); ++ if (!transport) { ++ rcu_read_unlock(); ++ return err; ++ } ++ ep = transport->asoc->ep; ++ if (!sctp_endpoint_hold(ep)) { /* asoc can be peeled off */ ++ sctp_transport_put(transport); ++ rcu_read_unlock(); ++ return err; ++ } + rcu_read_unlock(); +- if (!transport) +- return -ENOENT; + +- err = cb(transport, p); ++ err = cb(ep, transport, p); ++ sctp_endpoint_put(ep); + sctp_transport_put(transport); +- + return err; + } + EXPORT_SYMBOL_GPL(sctp_transport_lookup_process); +-- +2.51.0 + diff --git a/queue-5.10/sctp-hold-rcu-read-lock-while-iterating-over-address.patch b/queue-5.10/sctp-hold-rcu-read-lock-while-iterating-over-address.patch new file mode 100644 index 0000000000..217cf9c4ea --- /dev/null +++ b/queue-5.10/sctp-hold-rcu-read-lock-while-iterating-over-address.patch @@ -0,0 +1,104 @@ +From 74373a6f716b31fa2e64cebd0510b9e3d74818a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Oct 2025 17:12:26 +0100 +Subject: sctp: Hold RCU read lock while iterating over address list + +From: Stefan Wiehler + +[ Upstream commit 38f50242bf0f237cdc262308d624d333286ec3c5 ] + +With CONFIG_PROVE_RCU_LIST=y and by executing + + $ netcat -l --sctp & + $ netcat --sctp localhost & + $ ss --sctp + +one can trigger the following Lockdep-RCU splat(s): + + WARNING: suspicious RCU usage + 6.18.0-rc1-00093-g7f864458e9a6 #5 Not tainted + ----------------------------- + net/sctp/diag.c:76 RCU-list traversed in non-reader section!! + + other info that might help us debug this: + + rcu_scheduler_active = 2, debug_locks = 1 + 2 locks held by ss/215: + #0: ffff9c740828bec0 (nlk_cb_mutex-SOCK_DIAG){+.+.}-{4:4}, at: __netlink_dump_start+0x84/0x2b0 + #1: ffff9c7401d72cd0 (sk_lock-AF_INET6){+.+.}-{0:0}, at: sctp_sock_dump+0x38/0x200 + + stack backtrace: + CPU: 0 UID: 0 PID: 215 Comm: ss Not tainted 6.18.0-rc1-00093-g7f864458e9a6 #5 PREEMPT(voluntary) + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 + Call Trace: + + dump_stack_lvl+0x5d/0x90 + lockdep_rcu_suspicious.cold+0x4e/0xa3 + inet_sctp_diag_fill.isra.0+0x4b1/0x5d0 + sctp_sock_dump+0x131/0x200 + sctp_transport_traverse_process+0x170/0x1b0 + ? __pfx_sctp_sock_filter+0x10/0x10 + ? __pfx_sctp_sock_dump+0x10/0x10 + sctp_diag_dump+0x103/0x140 + __inet_diag_dump+0x70/0xb0 + netlink_dump+0x148/0x490 + __netlink_dump_start+0x1f3/0x2b0 + inet_diag_handler_cmd+0xcd/0x100 + ? __pfx_inet_diag_dump_start+0x10/0x10 + ? __pfx_inet_diag_dump+0x10/0x10 + ? __pfx_inet_diag_dump_done+0x10/0x10 + sock_diag_rcv_msg+0x18e/0x320 + ? __pfx_sock_diag_rcv_msg+0x10/0x10 + netlink_rcv_skb+0x4d/0x100 + netlink_unicast+0x1d7/0x2b0 + netlink_sendmsg+0x203/0x450 + ____sys_sendmsg+0x30c/0x340 + ___sys_sendmsg+0x94/0xf0 + __sys_sendmsg+0x83/0xf0 + do_syscall_64+0xbb/0x390 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + ... + + +Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file") +Signed-off-by: Stefan Wiehler +Reviewed-by: Kuniyuki Iwashima +Acked-by: Xin Long +Link: https://patch.msgid.link/20251028161506.3294376-2-stefan.wiehler@nokia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/diag.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/sctp/diag.c b/net/sctp/diag.c +index 07d0ada23bfd2..5f441a48e7aa3 100644 +--- a/net/sctp/diag.c ++++ b/net/sctp/diag.c +@@ -73,19 +73,23 @@ static int inet_diag_msg_sctpladdrs_fill(struct sk_buff *skb, + struct nlattr *attr; + void *info = NULL; + ++ rcu_read_lock(); + list_for_each_entry_rcu(laddr, address_list, list) + addrcnt++; ++ rcu_read_unlock(); + + attr = nla_reserve(skb, INET_DIAG_LOCALS, addrlen * addrcnt); + if (!attr) + return -EMSGSIZE; + + info = nla_data(attr); ++ rcu_read_lock(); + list_for_each_entry_rcu(laddr, address_list, list) { + memcpy(info, &laddr->a, sizeof(laddr->a)); + memset(info + sizeof(laddr->a), 0, addrlen - sizeof(laddr->a)); + info += addrlen; + } ++ rcu_read_unlock(); + + return 0; + } +-- +2.51.0 + diff --git a/queue-5.10/sctp-hold-sock-lock-while-iterating-over-address-lis.patch b/queue-5.10/sctp-hold-sock-lock-while-iterating-over-address-lis.patch new file mode 100644 index 0000000000..4157ba46b8 --- /dev/null +++ b/queue-5.10/sctp-hold-sock-lock-while-iterating-over-address-lis.patch @@ -0,0 +1,66 @@ +From f2587d7c2d0bebbaf4d2f37fb75281031d13aa38 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Oct 2025 17:12:28 +0100 +Subject: sctp: Hold sock lock while iterating over address list + +From: Stefan Wiehler + +[ Upstream commit f1fc201148c7e684c10a72b6a3375597f28d1ef6 ] + +Move address list traversal in inet_assoc_attr_size() under the sock +lock to avoid holding the RCU read lock. + +Suggested-by: Xin Long +Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file") +Signed-off-by: Stefan Wiehler +Acked-by: Xin Long +Link: https://patch.msgid.link/20251028161506.3294376-4-stefan.wiehler@nokia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/diag.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/net/sctp/diag.c b/net/sctp/diag.c +index 3631a32d96b07..2cf5ee7a698e2 100644 +--- a/net/sctp/diag.c ++++ b/net/sctp/diag.c +@@ -230,14 +230,15 @@ struct sctp_comm_param { + bool net_admin; + }; + +-static size_t inet_assoc_attr_size(struct sctp_association *asoc) ++static size_t inet_assoc_attr_size(struct sock *sk, ++ struct sctp_association *asoc) + { + int addrlen = sizeof(struct sockaddr_storage); + int addrcnt = 0; + struct sctp_sockaddr_entry *laddr; + + list_for_each_entry_rcu(laddr, &asoc->base.bind_addr.address_list, +- list) ++ list, lockdep_sock_is_held(sk)) + addrcnt++; + + return nla_total_size(sizeof(struct sctp_info)) +@@ -263,11 +264,14 @@ static int sctp_sock_dump_one(struct sctp_endpoint *ep, struct sctp_transport *t + if (err) + return err; + +- rep = nlmsg_new(inet_assoc_attr_size(assoc), GFP_KERNEL); +- if (!rep) ++ lock_sock(sk); ++ ++ rep = nlmsg_new(inet_assoc_attr_size(sk, assoc), GFP_KERNEL); ++ if (!rep) { ++ release_sock(sk); + return -ENOMEM; ++ } + +- lock_sock(sk); + if (ep != assoc->ep) { + err = -EAGAIN; + goto out; +-- +2.51.0 + diff --git a/queue-5.10/sctp-prevent-toctou-out-of-bounds-write.patch b/queue-5.10/sctp-prevent-toctou-out-of-bounds-write.patch new file mode 100644 index 0000000000..af4b16c9e3 --- /dev/null +++ b/queue-5.10/sctp-prevent-toctou-out-of-bounds-write.patch @@ -0,0 +1,45 @@ +From 5b425735255b088afb31b0a309e28436c63865f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Oct 2025 17:12:27 +0100 +Subject: sctp: Prevent TOCTOU out-of-bounds write + +From: Stefan Wiehler + +[ Upstream commit 95aef86ab231f047bb8085c70666059b58f53c09 ] + +For the following path not holding the sock lock, + + sctp_diag_dump() -> sctp_for_each_endpoint() -> sctp_ep_dump() + +make sure not to exceed bounds in case the address list has grown +between buffer allocation (time-of-check) and write (time-of-use). + +Suggested-by: Kuniyuki Iwashima +Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file") +Signed-off-by: Stefan Wiehler +Reviewed-by: Kuniyuki Iwashima +Acked-by: Xin Long +Link: https://patch.msgid.link/20251028161506.3294376-3-stefan.wiehler@nokia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/diag.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/sctp/diag.c b/net/sctp/diag.c +index 5f441a48e7aa3..da00a31e167d7 100644 +--- a/net/sctp/diag.c ++++ b/net/sctp/diag.c +@@ -88,6 +88,9 @@ static int inet_diag_msg_sctpladdrs_fill(struct sk_buff *skb, + memcpy(info, &laddr->a, sizeof(laddr->a)); + memset(info + sizeof(laddr->a), 0, addrlen - sizeof(laddr->a)); + info += addrlen; ++ ++ if (!--addrcnt) ++ break; + } + rcu_read_unlock(); + +-- +2.51.0 + diff --git a/queue-5.10/series b/queue-5.10/series index 7a5f108e1d..7b98631423 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -155,3 +155,16 @@ fbdev-add-bounds-checking-in-bit_putcs-to-fix-vmallo.patch asoc-meson-aiu-encoder-i2s-fix-bit-clock-polarity.patch ceph-add-checking-of-wait_for_completion_killable-re.patch alsa-hda-realtek-audio-disappears-on-hp-15-fc000-aft.patch +riscv-ptdump-use-seq_puts-in-pt_dump_seq_puts-macro.patch +net-vlan-sync-vlan-features-with-lower-device.patch +net-dsa-b53-fix-resetting-speed-and-pause-on-forced-.patch +net-dsa-b53-fix-enabling-ip-multicast.patch +net-dsa-b53-stop-reading-arl-entries-if-search-is-do.patch +sctp-hold-rcu-read-lock-while-iterating-over-address.patch +sctp-prevent-toctou-out-of-bounds-write.patch +net-sctp-fix-some-typos.patch +net-use-nlmsg_unicast-instead-of-netlink_unicast.patch +sctp-hold-endpoint-before-calling-cb-in-sctp_transpo.patch +sctp-hold-sock-lock-while-iterating-over-address-lis.patch +net-usb-qmi_wwan-initialize-mac-header-offset-in-qmi.patch +tracing-fix-memory-leaks-in-create_field_var.patch diff --git a/queue-5.10/tracing-fix-memory-leaks-in-create_field_var.patch b/queue-5.10/tracing-fix-memory-leaks-in-create_field_var.patch new file mode 100644 index 0000000000..0832f6dc57 --- /dev/null +++ b/queue-5.10/tracing-fix-memory-leaks-in-create_field_var.patch @@ -0,0 +1,53 @@ +From 7bcedbab74356960b746880e1cc19be7fcee222c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Nov 2025 12:01:32 +0000 +Subject: tracing: Fix memory leaks in create_field_var() + +From: Zilin Guan + +[ Upstream commit 80f0d631dcc76ee1b7755bfca1d8417d91d71414 ] + +The function create_field_var() allocates memory for 'val' through +create_hist_field() inside parse_atom(), and for 'var' through +create_var(), which in turn allocates var->type and var->var.name +internally. Simply calling kfree() to release these structures will +result in memory leaks. + +Use destroy_hist_field() to properly free 'val', and explicitly release +the memory of var->type and var->var.name before freeing 'var' itself. + +Link: https://patch.msgid.link/20251106120132.3639920-1-zilin@seu.edu.cn +Fixes: 02205a6752f22 ("tracing: Add support for 'field variables'") +Signed-off-by: Zilin Guan +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_events_hist.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c +index a0342b45a06da..f499838d9103f 100644 +--- a/kernel/trace/trace_events_hist.c ++++ b/kernel/trace/trace_events_hist.c +@@ -2729,14 +2729,16 @@ static struct field_var *create_field_var(struct hist_trigger_data *hist_data, + var = create_var(hist_data, file, field_name, val->size, val->type); + if (IS_ERR(var)) { + hist_err(tr, HIST_ERR_VAR_CREATE_FIND_FAIL, errpos(field_name)); +- kfree(val); ++ destroy_hist_field(val, 0); + ret = PTR_ERR(var); + goto err; + } + + field_var = kzalloc(sizeof(struct field_var), GFP_KERNEL); + if (!field_var) { +- kfree(val); ++ destroy_hist_field(val, 0); ++ kfree_const(var->type); ++ kfree(var->var.name); + kfree(var); + ret = -ENOMEM; + goto err; +-- +2.51.0 + diff --git a/queue-5.15/bnxt_en-fix-a-possible-memory-leak-in-bnxt_ptp_init.patch b/queue-5.15/bnxt_en-fix-a-possible-memory-leak-in-bnxt_ptp_init.patch new file mode 100644 index 0000000000..f89bc8880a --- /dev/null +++ b/queue-5.15/bnxt_en-fix-a-possible-memory-leak-in-bnxt_ptp_init.patch @@ -0,0 +1,44 @@ +From 683cef1d634bd0c900264f642e00016c746fa8b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Nov 2025 16:56:56 -0800 +Subject: bnxt_en: Fix a possible memory leak in bnxt_ptp_init + +From: Kalesh AP + +[ Upstream commit deb8eb39164382f1f67ef8e8af9176baf5e10f2d ] + +In bnxt_ptp_init(), when ptp_clock_register() fails, the driver is +not freeing the memory allocated for ptp_info->pin_config. Fix it +to unconditionally free ptp_info->pin_config in bnxt_ptp_free(). + +Fixes: caf3eedbcd8d ("bnxt_en: 1PPS support for 5750X family chips") +Reviewed-by: Pavan Chebbi +Reviewed-by: Somnath Kotur +Signed-off-by: Kalesh AP +Signed-off-by: Michael Chan +Link: https://patch.msgid.link/20251104005700.542174-3-michael.chan@broadcom.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c +index 67717274f6b9e..328ae267eba5c 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c +@@ -755,9 +755,9 @@ static void bnxt_ptp_free(struct bnxt *bp) + if (ptp->ptp_clock) { + ptp_clock_unregister(ptp->ptp_clock); + ptp->ptp_clock = NULL; +- kfree(ptp->ptp_info.pin_config); +- ptp->ptp_info.pin_config = NULL; + } ++ kfree(ptp->ptp_info.pin_config); ++ ptp->ptp_info.pin_config = NULL; + } + + int bnxt_ptp_init(struct bnxt *bp) +-- +2.51.0 + diff --git a/queue-5.15/bnxt_en-ptp-refactor-ptp-initialization-functions.patch b/queue-5.15/bnxt_en-ptp-refactor-ptp-initialization-functions.patch new file mode 100644 index 0000000000..5a3cd84e83 --- /dev/null +++ b/queue-5.15/bnxt_en-ptp-refactor-ptp-initialization-functions.patch @@ -0,0 +1,91 @@ +From fd519b5db0b9b43aa92b9670de14d1149a648d9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Jan 2022 23:40:10 -0500 +Subject: bnxt_en: PTP: Refactor PTP initialization functions + +From: Pavan Chebbi + +[ Upstream commit 740c342e399981babdd62d0d5beb7c8ec9503a9a ] + +Making the ptp free and timecounter initialization code into separate +functions so that later patches can use them. + +Cc: Richard Cochran +Signed-off-by: Pavan Chebbi +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Stable-dep-of: deb8eb391643 ("bnxt_en: Fix a possible memory leak in bnxt_ptp_init") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c | 45 +++++++++++++------ + 1 file changed, 31 insertions(+), 14 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c +index a78cc65a38f2f..67717274f6b9e 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c +@@ -732,6 +732,34 @@ static bool bnxt_pps_config_ok(struct bnxt *bp) + return !(bp->fw_cap & BNXT_FW_CAP_PTP_PPS) == !ptp->ptp_info.pin_config; + } + ++static void bnxt_ptp_timecounter_init(struct bnxt *bp, bool init_tc) ++{ ++ struct bnxt_ptp_cfg *ptp = bp->ptp_cfg; ++ ++ if (!ptp->ptp_clock) { ++ memset(&ptp->cc, 0, sizeof(ptp->cc)); ++ ptp->cc.read = bnxt_cc_read; ++ ptp->cc.mask = CYCLECOUNTER_MASK(48); ++ ptp->cc.shift = 0; ++ ptp->cc.mult = 1; ++ ptp->next_overflow_check = jiffies + BNXT_PHC_OVERFLOW_PERIOD; ++ } ++ if (init_tc) ++ timecounter_init(&ptp->tc, &ptp->cc, ktime_to_ns(ktime_get_real())); ++} ++ ++static void bnxt_ptp_free(struct bnxt *bp) ++{ ++ struct bnxt_ptp_cfg *ptp = bp->ptp_cfg; ++ ++ if (ptp->ptp_clock) { ++ ptp_clock_unregister(ptp->ptp_clock); ++ ptp->ptp_clock = NULL; ++ kfree(ptp->ptp_info.pin_config); ++ ptp->ptp_info.pin_config = NULL; ++ } ++} ++ + int bnxt_ptp_init(struct bnxt *bp) + { + struct bnxt_ptp_cfg *ptp = bp->ptp_cfg; +@@ -747,23 +775,12 @@ int bnxt_ptp_init(struct bnxt *bp) + if (ptp->ptp_clock && bnxt_pps_config_ok(bp)) + return 0; + +- if (ptp->ptp_clock) { +- ptp_clock_unregister(ptp->ptp_clock); +- ptp->ptp_clock = NULL; +- kfree(ptp->ptp_info.pin_config); +- ptp->ptp_info.pin_config = NULL; +- } ++ bnxt_ptp_free(bp); ++ + atomic_set(&ptp->tx_avail, BNXT_MAX_TX_TS); + spin_lock_init(&ptp->ptp_lock); + +- memset(&ptp->cc, 0, sizeof(ptp->cc)); +- ptp->cc.read = bnxt_cc_read; +- ptp->cc.mask = CYCLECOUNTER_MASK(48); +- ptp->cc.shift = 0; +- ptp->cc.mult = 1; +- +- ptp->next_overflow_check = jiffies + BNXT_PHC_OVERFLOW_PERIOD; +- timecounter_init(&ptp->tc, &ptp->cc, ktime_to_ns(ktime_get_real())); ++ bnxt_ptp_timecounter_init(bp, true); + + ptp->ptp_info = bnxt_ptp_caps; + if ((bp->fw_cap & BNXT_FW_CAP_PTP_PPS)) { +-- +2.51.0 + diff --git a/queue-5.15/net-dsa-b53-fix-enabling-ip-multicast.patch b/queue-5.15/net-dsa-b53-fix-enabling-ip-multicast.patch new file mode 100644 index 0000000000..247b5fc661 --- /dev/null +++ b/queue-5.15/net-dsa-b53-fix-enabling-ip-multicast.patch @@ -0,0 +1,75 @@ +From 801aec1fc0c223f88420abc558ed774c2991ca5f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Nov 2025 11:07:56 +0100 +Subject: net: dsa: b53: fix enabling ip multicast + +From: Jonas Gorski + +[ Upstream commit c264294624e956a967a9e2e5fa41e3273340b089 ] + +In the New Control register bit 1 is either reserved, or has a different +function: + + Out of Range Error Discard + + When enabled, the ingress port discards any frames + if the Length field is between 1500 and 1536 + (excluding 1500 and 1536) and with good CRC. + +The actual bit for enabling IP multicast is bit 0, which was only +explicitly enabled for BCM5325 so far. + +For older switch chips, this bit defaults to 0, so we want to enable it +as well, while newer switch chips default to 1, and their documentation +says "It is illegal to set this bit to zero." + +So drop the wrong B53_IPMC_FWD_EN define, enable the IP multicast bit +also for other switch chips. While at it, rename it to (B53_)IP_MC as +that is how it is called in Broadcom code. + +Fixes: 63cc54a6f073 ("net: dsa: b53: Fix egress flooding settings") +Signed-off-by: Jonas Gorski +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20251102100758.28352-2-jonas.gorski@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 4 ++-- + drivers/net/dsa/b53/b53_regs.h | 3 +-- + 2 files changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index f84f64d5a6163..228b470d13a0f 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -349,11 +349,11 @@ static void b53_set_forwarding(struct b53_device *dev, int enable) + * frames should be flooded or not. + */ + b53_read8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, &mgmt); +- mgmt |= B53_UC_FWD_EN | B53_MC_FWD_EN | B53_IPMC_FWD_EN; ++ mgmt |= B53_UC_FWD_EN | B53_MC_FWD_EN | B53_IP_MC; + b53_write8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, mgmt); + } else { + b53_read8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, &mgmt); +- mgmt |= B53_IP_MCAST_25; ++ mgmt |= B53_IP_MC; + b53_write8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, mgmt); + } + } +diff --git a/drivers/net/dsa/b53/b53_regs.h b/drivers/net/dsa/b53/b53_regs.h +index 77fb7ae660b8c..95f70248c194d 100644 +--- a/drivers/net/dsa/b53/b53_regs.h ++++ b/drivers/net/dsa/b53/b53_regs.h +@@ -104,8 +104,7 @@ + + /* IP Multicast control (8 bit) */ + #define B53_IP_MULTICAST_CTRL 0x21 +-#define B53_IP_MCAST_25 BIT(0) +-#define B53_IPMC_FWD_EN BIT(1) ++#define B53_IP_MC BIT(0) + #define B53_UC_FWD_EN BIT(6) + #define B53_MC_FWD_EN BIT(7) + +-- +2.51.0 + diff --git a/queue-5.15/net-dsa-b53-fix-resetting-speed-and-pause-on-forced-.patch b/queue-5.15/net-dsa-b53-fix-resetting-speed-and-pause-on-forced-.patch new file mode 100644 index 0000000000..512039ac97 --- /dev/null +++ b/queue-5.15/net-dsa-b53-fix-resetting-speed-and-pause-on-forced-.patch @@ -0,0 +1,64 @@ +From caffc7d11f8e454247d1843a1d46ac38143ac1d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Nov 2025 14:28:06 +0100 +Subject: net: dsa: b53: fix resetting speed and pause on forced link + +From: Jonas Gorski + +[ Upstream commit b6a8a5477fe9bd6be2b594a88f82f8bba41e6d54 ] + +There is no guarantee that the port state override registers have their +default values, as not all switches support being reset via register or +have a reset GPIO. + +So when forcing port config, we need to make sure to clear all fields, +which we currently do not do for the speed and flow control +configuration. This can cause flow control stay enabled, or in the case +of speed becoming an illegal value, e.g. configured for 1G (0x2), then +setting 100M (0x1), results in 0x3 which is invalid. + +For PORT_OVERRIDE_SPEED_2000M we need to make sure to only clear it on +supported chips, as the bit can have different meanings on other chips, +e.g. for BCM5389 this controls scanning PHYs for link/speed +configuration. + +Fixes: 5e004460f874 ("net: dsa: b53: Add helper to set link parameters") +Signed-off-by: Jonas Gorski +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20251101132807.50419-2-jonas.gorski@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index 42fd1b4ed56e4..f84f64d5a6163 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -1215,6 +1215,10 @@ static void b53_force_port_config(struct b53_device *dev, int port, + else + reg &= ~PORT_OVERRIDE_FULL_DUPLEX; + ++ reg &= ~(0x3 << GMII_PO_SPEED_S); ++ if (is5301x(dev) || is58xx(dev)) ++ reg &= ~PORT_OVERRIDE_SPEED_2000M; ++ + switch (speed) { + case 2000: + reg |= PORT_OVERRIDE_SPEED_2000M; +@@ -1233,6 +1237,11 @@ static void b53_force_port_config(struct b53_device *dev, int port, + return; + } + ++ if (is5325(dev)) ++ reg &= ~PORT_OVERRIDE_LP_FLOW_25; ++ else ++ reg &= ~(PORT_OVERRIDE_RX_FLOW | PORT_OVERRIDE_TX_FLOW); ++ + if (rx_pause) { + if (is5325(dev)) + reg |= PORT_OVERRIDE_LP_FLOW_25; +-- +2.51.0 + diff --git a/queue-5.15/net-dsa-b53-stop-reading-arl-entries-if-search-is-do.patch b/queue-5.15/net-dsa-b53-stop-reading-arl-entries-if-search-is-do.patch new file mode 100644 index 0000000000..99e9e2253d --- /dev/null +++ b/queue-5.15/net-dsa-b53-stop-reading-arl-entries-if-search-is-do.patch @@ -0,0 +1,51 @@ +From 78ae8e0a59943d2d43bd55ad77715b72ef74786a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Nov 2025 11:07:57 +0100 +Subject: net: dsa: b53: stop reading ARL entries if search is done + +From: Jonas Gorski + +[ Upstream commit 0be04b5fa62a82a9929ca261f6c9f64a3d0a28da ] + +The switch clears the ARL_SRCH_STDN bit when the search is done, i.e. it +finished traversing the ARL table. + +This means that there will be no valid result, so we should not attempt +to read and process any further entries. + +We only ever check the validity of the entries for 4 ARL bin chips, and +only after having passed the first entry to the b53_fdb_copy(). + +This means that we always pass an invalid entry at the end to the +b53_fdb_copy(). b53_fdb_copy() does check the validity though before +passing on the entry, so it never gets passed on. + +On < 4 ARL bin chips, we will even continue reading invalid entries +until we reach the result limit. + +Fixes: 1da6df85c6fb ("net: dsa: b53: Implement ARL add/del/dump operations") +Signed-off-by: Jonas Gorski +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20251102100758.28352-3-jonas.gorski@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index 228b470d13a0f..d5ed733c0c979 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -1802,7 +1802,7 @@ static int b53_arl_search_wait(struct b53_device *dev) + do { + b53_read8(dev, B53_ARLIO_PAGE, B53_ARL_SRCH_CTL, ®); + if (!(reg & ARL_SRCH_STDN)) +- return 0; ++ return -ENOENT; + + if (reg & ARL_SRCH_VLID) + return 0; +-- +2.51.0 + diff --git a/queue-5.15/net-dsa-tag_brcm-legacy-fix-untagged-rx-on-unbridged.patch b/queue-5.15/net-dsa-tag_brcm-legacy-fix-untagged-rx-on-unbridged.patch new file mode 100644 index 0000000000..bb0e63588d --- /dev/null +++ b/queue-5.15/net-dsa-tag_brcm-legacy-fix-untagged-rx-on-unbridged.patch @@ -0,0 +1,77 @@ +From 37a00dfd5cbb4448219adbf0003868ff60dcd2cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Oct 2025 20:46:21 +0100 +Subject: net: dsa: tag_brcm: legacy: fix untagged rx on unbridged ports for + bcm63xx + +From: Jonas Gorski + +[ Upstream commit 3d18a84eddde169d6dbf3c72cc5358b988c347d0 ] + +The internal switch on BCM63XX SoCs will unconditionally add 802.1Q VLAN +tags on egress to CPU when 802.1Q mode is enabled. We do this +unconditionally since commit ed409f3bbaa5 ("net: dsa: b53: Configure +VLANs while not filtering"). + +This is fine for VLAN aware bridges, but for standalone ports and vlan +unaware bridges this means all packets are tagged with the default VID, +which is 0. + +While the kernel will treat that like untagged, this can break userspace +applications processing raw packets, expecting untagged traffic, like +STP daemons. + +This also breaks several bridge tests, where the tcpdump output then +does not match the expected output anymore. + +Since 0 isn't a valid VID, just strip out the VLAN tag if we encounter +it, unless the priority field is set, since that would be a valid tag +again. + +Fixes: 964dbf186eaa ("net: dsa: tag_brcm: add support for legacy tags") +Signed-off-by: Jonas Gorski +Reviewed-by: Vladimir Oltean +Link: https://patch.msgid.link/20251027194621.133301-1-jonas.gorski@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/dsa/tag_brcm.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/net/dsa/tag_brcm.c b/net/dsa/tag_brcm.c +index 3c681d174c58b..4c58219e50449 100644 +--- a/net/dsa/tag_brcm.c ++++ b/net/dsa/tag_brcm.c +@@ -251,12 +251,14 @@ static struct sk_buff *brcm_leg_tag_rcv(struct sk_buff *skb, + { + int len = BRCM_LEG_TAG_LEN; + int source_port; ++ __be16 *proto; + u8 *brcm_tag; + + if (unlikely(!pskb_may_pull(skb, BRCM_LEG_TAG_LEN + VLAN_HLEN))) + return NULL; + + brcm_tag = dsa_etype_header_pos_rx(skb); ++ proto = (__be16 *)(brcm_tag + BRCM_LEG_TAG_LEN); + + source_port = brcm_tag[5] & BRCM_LEG_PORT_ID; + +@@ -264,8 +266,12 @@ static struct sk_buff *brcm_leg_tag_rcv(struct sk_buff *skb, + if (!skb->dev) + return NULL; + +- /* VLAN tag is added by BCM63xx internal switch */ +- if (netdev_uses_dsa(skb->dev)) ++ /* The internal switch in BCM63XX SoCs always tags on egress on the CPU ++ * port. We use VID 0 internally for untagged traffic, so strip the tag ++ * if the TCI field is all 0, and keep it otherwise to also retain ++ * e.g. 802.1p tagged packets. ++ */ ++ if (proto[0] == htons(ETH_P_8021Q) && proto[1] == 0) + len += VLAN_HLEN; + + /* Remove Broadcom tag and update checksum */ +-- +2.51.0 + diff --git a/queue-5.15/net-usb-qmi_wwan-initialize-mac-header-offset-in-qmi.patch b/queue-5.15/net-usb-qmi_wwan-initialize-mac-header-offset-in-qmi.patch new file mode 100644 index 0000000000..7881aa98ef --- /dev/null +++ b/queue-5.15/net-usb-qmi_wwan-initialize-mac-header-offset-in-qmi.patch @@ -0,0 +1,70 @@ +From eb8e9b73792f2ee33d9a1224a975cf2126b08483 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Oct 2025 08:57:44 +0100 +Subject: net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup + +From: Qendrim Maxhuni + +[ Upstream commit e120f46768d98151ece8756ebd688b0e43dc8b29 ] + +Raw IP packets have no MAC header, leaving skb->mac_header uninitialized. +This can trigger kernel panics on ARM64 when xfrm or other subsystems +access the offset due to strict alignment checks. + +Initialize the MAC header to prevent such crashes. + +This can trigger kernel panics on ARM when running IPsec over the +qmimux0 interface. + +Example trace: + + Internal error: Oops: 000000009600004f [#1] SMP + CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.34-gbe78e49cb433 #1 + Hardware name: LS1028A RDB Board (DT) + pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : xfrm_input+0xde8/0x1318 + lr : xfrm_input+0x61c/0x1318 + sp : ffff800080003b20 + Call trace: + xfrm_input+0xde8/0x1318 + xfrm6_rcv+0x38/0x44 + xfrm6_esp_rcv+0x48/0xa8 + ip6_protocol_deliver_rcu+0x94/0x4b0 + ip6_input_finish+0x44/0x70 + ip6_input+0x44/0xc0 + ipv6_rcv+0x6c/0x114 + __netif_receive_skb_one_core+0x5c/0x8c + __netif_receive_skb+0x18/0x60 + process_backlog+0x78/0x17c + __napi_poll+0x38/0x180 + net_rx_action+0x168/0x2f0 + +Fixes: c6adf77953bc ("net: usb: qmi_wwan: add qmap mux protocol support") +Signed-off-by: Qendrim Maxhuni +Link: https://patch.msgid.link/20251029075744.105113-1-qendrim.maxhuni@garderos.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/qmi_wwan.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index f574de58c1996..bd6d8c2b7e5d9 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -192,6 +192,12 @@ static int qmimux_rx_fixup(struct usbnet *dev, struct sk_buff *skb) + return 0; + skbn->dev = net; + ++ /* Raw IP packets don't have a MAC header, but other subsystems ++ * (like xfrm) may still access MAC header offsets, so they must ++ * be initialized. ++ */ ++ skb_reset_mac_header(skbn); ++ + switch (skb->data[offset + qmimux_hdr_sz] & 0xf0) { + case 0x40: + skbn->protocol = htons(ETH_P_IP); +-- +2.51.0 + diff --git a/queue-5.15/net-vlan-sync-vlan-features-with-lower-device.patch b/queue-5.15/net-vlan-sync-vlan-features-with-lower-device.patch new file mode 100644 index 0000000000..13ee9ffcfa --- /dev/null +++ b/queue-5.15/net-vlan-sync-vlan-features-with-lower-device.patch @@ -0,0 +1,44 @@ +From 47a85066ee05d326ad6374730c33e7489fd55600 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Oct 2025 07:35:39 +0000 +Subject: net: vlan: sync VLAN features with lower device + +From: Hangbin Liu + +[ Upstream commit c211f5d7cbd5cb34489d526648bb9c8ecc907dee ] + +After registering a VLAN device and setting its feature flags, we need to +synchronize the VLAN features with the lower device. For example, the VLAN +device does not have the NETIF_F_LRO flag, it should be synchronized with +the lower device based on the NETIF_F_UPPER_DISABLES definition. + +As the dev->vlan_features has changed, we need to call +netdev_update_features(). The caller must run after netdev_upper_dev_link() +links the lower devices, so this patch adds the netdev_update_features() +call in register_vlan_dev(). + +Fixes: fd867d51f889 ("net/core: generic support for disabling netdev features down stack") +Signed-off-by: Hangbin Liu +Link: https://patch.msgid.link/20251030073539.133779-1-liuhangbin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/8021q/vlan.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c +index 2c5b532b0f054..7d61ab0647f20 100644 +--- a/net/8021q/vlan.c ++++ b/net/8021q/vlan.c +@@ -194,6 +194,8 @@ int register_vlan_dev(struct net_device *dev, struct netlink_ext_ack *extack) + vlan_group_set_device(grp, vlan->vlan_proto, vlan_id, dev); + grp->nr_vlan_devs++; + ++ netdev_update_features(dev); ++ + return 0; + + out_unregister_netdev: +-- +2.51.0 + diff --git a/queue-5.15/netdevsim-add-makefile-for-selftests.patch b/queue-5.15/netdevsim-add-makefile-for-selftests.patch new file mode 100644 index 0000000000..b89b4c1873 --- /dev/null +++ b/queue-5.15/netdevsim-add-makefile-for-selftests.patch @@ -0,0 +1,61 @@ +From b5ab484ca0b1ad5dec11420049a86656d33b2bb5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Jan 2024 13:46:20 -0800 +Subject: netdevsim: add Makefile for selftests + +From: David Wei + +[ Upstream commit 8ff25dac88f616ebebb30830e3a20f079d7a30c9 ] + +Add a Makefile for netdevsim selftests and add selftests path to +MAINTAINERS + +Signed-off-by: David Wei +Link: https://lore.kernel.org/r/20240130214620.3722189-5-dw@davidwei.uk +Signed-off-by: Jakub Kicinski +Stable-dep-of: d01f8136d46b ("selftests: netdevsim: Fix ethtool-coalesce.sh fail by installing ethtool-common.sh") +Signed-off-by: Sasha Levin +--- + MAINTAINERS | 1 + + .../selftests/drivers/net/netdevsim/Makefile | 17 +++++++++++++++++ + 2 files changed, 18 insertions(+) + create mode 100644 tools/testing/selftests/drivers/net/netdevsim/Makefile + +diff --git a/MAINTAINERS b/MAINTAINERS +index 6bfc75861c8c0..c88de6f356d11 100644 +--- a/MAINTAINERS ++++ b/MAINTAINERS +@@ -12939,6 +12939,7 @@ NETDEVSIM + M: Jakub Kicinski + S: Maintained + F: drivers/net/netdevsim/* ++F: tools/testing/selftests/drivers/net/netdevsim/* + + NETEM NETWORK EMULATOR + M: Stephen Hemminger +diff --git a/tools/testing/selftests/drivers/net/netdevsim/Makefile b/tools/testing/selftests/drivers/net/netdevsim/Makefile +new file mode 100644 +index 0000000000000..7a29a05bea8bc +--- /dev/null ++++ b/tools/testing/selftests/drivers/net/netdevsim/Makefile +@@ -0,0 +1,17 @@ ++# SPDX-License-Identifier: GPL-2.0+ OR MIT ++ ++TEST_PROGS = devlink.sh \ ++ devlink_in_netns.sh \ ++ devlink_trap.sh \ ++ ethtool-coalesce.sh \ ++ ethtool-fec.sh \ ++ ethtool-pause.sh \ ++ ethtool-ring.sh \ ++ fib.sh \ ++ hw_stats_l3.sh \ ++ nexthop.sh \ ++ psample.sh \ ++ tc-mq-visibility.sh \ ++ udp_tunnel_nic.sh \ ++ ++include ../../../lib.mk +-- +2.51.0 + diff --git a/queue-5.15/riscv-ptdump-use-seq_puts-in-pt_dump_seq_puts-macro.patch b/queue-5.15/riscv-ptdump-use-seq_puts-in-pt_dump_seq_puts-macro.patch new file mode 100644 index 0000000000..95960018ae --- /dev/null +++ b/queue-5.15/riscv-ptdump-use-seq_puts-in-pt_dump_seq_puts-macro.patch @@ -0,0 +1,47 @@ +From f16216e728389dbe2ce84c1db016b0162cef663d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Oct 2025 11:40:43 -0600 +Subject: riscv: ptdump: use seq_puts() in pt_dump_seq_puts() macro + +From: Josephine Pfeiffer + +[ Upstream commit a74f038fa50e0d33b740f44f862fe856f16de6a8 ] + +The pt_dump_seq_puts() macro incorrectly uses seq_printf() instead of +seq_puts(). This is both a performance issue and conceptually wrong, +as the macro name suggests plain string output (puts) but the +implementation uses formatted output (printf). + +The macro is used in ptdump.c:301 to output a newline character. Using +seq_printf() adds unnecessary overhead for format string parsing when +outputting this constant string. + +This bug was introduced in commit 59c4da8640cc ("riscv: Add support to +dump the kernel page tables") in 2020, which copied the implementation +pattern from other architectures that had the same bug. + +Fixes: 59c4da8640cc ("riscv: Add support to dump the kernel page tables") +Signed-off-by: Josephine Pfeiffer +Link: https://lore.kernel.org/r/20251018170451.3355496-1-hi@josie.lol +Signed-off-by: Paul Walmsley +Signed-off-by: Sasha Levin +--- + arch/riscv/mm/ptdump.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/riscv/mm/ptdump.c b/arch/riscv/mm/ptdump.c +index 830e7de65e3a3..d36273704b213 100644 +--- a/arch/riscv/mm/ptdump.c ++++ b/arch/riscv/mm/ptdump.c +@@ -22,7 +22,7 @@ + #define pt_dump_seq_puts(m, fmt) \ + ({ \ + if (m) \ +- seq_printf(m, fmt); \ ++ seq_puts(m, fmt); \ + }) + + /* +-- +2.51.0 + diff --git a/queue-5.15/sctp-hold-rcu-read-lock-while-iterating-over-address.patch b/queue-5.15/sctp-hold-rcu-read-lock-while-iterating-over-address.patch new file mode 100644 index 0000000000..9802460fa6 --- /dev/null +++ b/queue-5.15/sctp-hold-rcu-read-lock-while-iterating-over-address.patch @@ -0,0 +1,104 @@ +From 81a64935d7124d2a2b687b2be8f3439e1ffc9b91 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Oct 2025 17:12:26 +0100 +Subject: sctp: Hold RCU read lock while iterating over address list + +From: Stefan Wiehler + +[ Upstream commit 38f50242bf0f237cdc262308d624d333286ec3c5 ] + +With CONFIG_PROVE_RCU_LIST=y and by executing + + $ netcat -l --sctp & + $ netcat --sctp localhost & + $ ss --sctp + +one can trigger the following Lockdep-RCU splat(s): + + WARNING: suspicious RCU usage + 6.18.0-rc1-00093-g7f864458e9a6 #5 Not tainted + ----------------------------- + net/sctp/diag.c:76 RCU-list traversed in non-reader section!! + + other info that might help us debug this: + + rcu_scheduler_active = 2, debug_locks = 1 + 2 locks held by ss/215: + #0: ffff9c740828bec0 (nlk_cb_mutex-SOCK_DIAG){+.+.}-{4:4}, at: __netlink_dump_start+0x84/0x2b0 + #1: ffff9c7401d72cd0 (sk_lock-AF_INET6){+.+.}-{0:0}, at: sctp_sock_dump+0x38/0x200 + + stack backtrace: + CPU: 0 UID: 0 PID: 215 Comm: ss Not tainted 6.18.0-rc1-00093-g7f864458e9a6 #5 PREEMPT(voluntary) + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 + Call Trace: + + dump_stack_lvl+0x5d/0x90 + lockdep_rcu_suspicious.cold+0x4e/0xa3 + inet_sctp_diag_fill.isra.0+0x4b1/0x5d0 + sctp_sock_dump+0x131/0x200 + sctp_transport_traverse_process+0x170/0x1b0 + ? __pfx_sctp_sock_filter+0x10/0x10 + ? __pfx_sctp_sock_dump+0x10/0x10 + sctp_diag_dump+0x103/0x140 + __inet_diag_dump+0x70/0xb0 + netlink_dump+0x148/0x490 + __netlink_dump_start+0x1f3/0x2b0 + inet_diag_handler_cmd+0xcd/0x100 + ? __pfx_inet_diag_dump_start+0x10/0x10 + ? __pfx_inet_diag_dump+0x10/0x10 + ? __pfx_inet_diag_dump_done+0x10/0x10 + sock_diag_rcv_msg+0x18e/0x320 + ? __pfx_sock_diag_rcv_msg+0x10/0x10 + netlink_rcv_skb+0x4d/0x100 + netlink_unicast+0x1d7/0x2b0 + netlink_sendmsg+0x203/0x450 + ____sys_sendmsg+0x30c/0x340 + ___sys_sendmsg+0x94/0xf0 + __sys_sendmsg+0x83/0xf0 + do_syscall_64+0xbb/0x390 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + ... + + +Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file") +Signed-off-by: Stefan Wiehler +Reviewed-by: Kuniyuki Iwashima +Acked-by: Xin Long +Link: https://patch.msgid.link/20251028161506.3294376-2-stefan.wiehler@nokia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/diag.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/sctp/diag.c b/net/sctp/diag.c +index b0ce1080842d4..31cf52026202b 100644 +--- a/net/sctp/diag.c ++++ b/net/sctp/diag.c +@@ -73,19 +73,23 @@ static int inet_diag_msg_sctpladdrs_fill(struct sk_buff *skb, + struct nlattr *attr; + void *info = NULL; + ++ rcu_read_lock(); + list_for_each_entry_rcu(laddr, address_list, list) + addrcnt++; ++ rcu_read_unlock(); + + attr = nla_reserve(skb, INET_DIAG_LOCALS, addrlen * addrcnt); + if (!attr) + return -EMSGSIZE; + + info = nla_data(attr); ++ rcu_read_lock(); + list_for_each_entry_rcu(laddr, address_list, list) { + memcpy(info, &laddr->a, sizeof(laddr->a)); + memset(info + sizeof(laddr->a), 0, addrlen - sizeof(laddr->a)); + info += addrlen; + } ++ rcu_read_unlock(); + + return 0; + } +-- +2.51.0 + diff --git a/queue-5.15/sctp-hold-sock-lock-while-iterating-over-address-lis.patch b/queue-5.15/sctp-hold-sock-lock-while-iterating-over-address-lis.patch new file mode 100644 index 0000000000..9fa334bed1 --- /dev/null +++ b/queue-5.15/sctp-hold-sock-lock-while-iterating-over-address-lis.patch @@ -0,0 +1,66 @@ +From 6b5a829eb286cac0098388fc4da57f7aec8870aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Oct 2025 17:12:28 +0100 +Subject: sctp: Hold sock lock while iterating over address list + +From: Stefan Wiehler + +[ Upstream commit f1fc201148c7e684c10a72b6a3375597f28d1ef6 ] + +Move address list traversal in inet_assoc_attr_size() under the sock +lock to avoid holding the RCU read lock. + +Suggested-by: Xin Long +Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file") +Signed-off-by: Stefan Wiehler +Acked-by: Xin Long +Link: https://patch.msgid.link/20251028161506.3294376-4-stefan.wiehler@nokia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/diag.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/net/sctp/diag.c b/net/sctp/diag.c +index 3631a32d96b07..2cf5ee7a698e2 100644 +--- a/net/sctp/diag.c ++++ b/net/sctp/diag.c +@@ -230,14 +230,15 @@ struct sctp_comm_param { + bool net_admin; + }; + +-static size_t inet_assoc_attr_size(struct sctp_association *asoc) ++static size_t inet_assoc_attr_size(struct sock *sk, ++ struct sctp_association *asoc) + { + int addrlen = sizeof(struct sockaddr_storage); + int addrcnt = 0; + struct sctp_sockaddr_entry *laddr; + + list_for_each_entry_rcu(laddr, &asoc->base.bind_addr.address_list, +- list) ++ list, lockdep_sock_is_held(sk)) + addrcnt++; + + return nla_total_size(sizeof(struct sctp_info)) +@@ -263,11 +264,14 @@ static int sctp_sock_dump_one(struct sctp_endpoint *ep, struct sctp_transport *t + if (err) + return err; + +- rep = nlmsg_new(inet_assoc_attr_size(assoc), GFP_KERNEL); +- if (!rep) ++ lock_sock(sk); ++ ++ rep = nlmsg_new(inet_assoc_attr_size(sk, assoc), GFP_KERNEL); ++ if (!rep) { ++ release_sock(sk); + return -ENOMEM; ++ } + +- lock_sock(sk); + if (ep != assoc->ep) { + err = -EAGAIN; + goto out; +-- +2.51.0 + diff --git a/queue-5.15/sctp-prevent-toctou-out-of-bounds-write.patch b/queue-5.15/sctp-prevent-toctou-out-of-bounds-write.patch new file mode 100644 index 0000000000..a3443783b3 --- /dev/null +++ b/queue-5.15/sctp-prevent-toctou-out-of-bounds-write.patch @@ -0,0 +1,45 @@ +From 5e38abb44e7ad4f3f7ba5c851f2c443f43d01497 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Oct 2025 17:12:27 +0100 +Subject: sctp: Prevent TOCTOU out-of-bounds write + +From: Stefan Wiehler + +[ Upstream commit 95aef86ab231f047bb8085c70666059b58f53c09 ] + +For the following path not holding the sock lock, + + sctp_diag_dump() -> sctp_for_each_endpoint() -> sctp_ep_dump() + +make sure not to exceed bounds in case the address list has grown +between buffer allocation (time-of-check) and write (time-of-use). + +Suggested-by: Kuniyuki Iwashima +Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file") +Signed-off-by: Stefan Wiehler +Reviewed-by: Kuniyuki Iwashima +Acked-by: Xin Long +Link: https://patch.msgid.link/20251028161506.3294376-3-stefan.wiehler@nokia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/diag.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/sctp/diag.c b/net/sctp/diag.c +index 31cf52026202b..3631a32d96b07 100644 +--- a/net/sctp/diag.c ++++ b/net/sctp/diag.c +@@ -88,6 +88,9 @@ static int inet_diag_msg_sctpladdrs_fill(struct sk_buff *skb, + memcpy(info, &laddr->a, sizeof(laddr->a)); + memset(info + sizeof(laddr->a), 0, addrlen - sizeof(laddr->a)); + info += addrlen; ++ ++ if (!--addrcnt) ++ break; + } + rcu_read_unlock(); + +-- +2.51.0 + diff --git a/queue-5.15/selftests-net-fix-gro-coalesce-test-and-add-ext-head.patch b/queue-5.15/selftests-net-fix-gro-coalesce-test-and-add-ext-head.patch new file mode 100644 index 0000000000..a9089e0eb6 --- /dev/null +++ b/queue-5.15/selftests-net-fix-gro-coalesce-test-and-add-ext-head.patch @@ -0,0 +1,200 @@ +From 61a6967e1a6622bcc0070d35af082ef874d30038 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Jan 2024 15:48:35 +0100 +Subject: selftests/net: fix GRO coalesce test and add ext header coalesce + tests + +From: Richard Gobert + +[ Upstream commit 4e321d590cec6053cb3c566413794706035ee638 ] + +Currently there is no test which checks that IPv6 extension header packets +successfully coalesce. This commit adds a test, which verifies two IPv6 +packets with HBH extension headers do coalesce, and another test which +checks that packets with different extension header data do not coalesce +in GRO. + +I changed the receive socket filter to accept a packet with one extension +header. This change exposed a bug in the fragment test -- the old BPF did +not accept the fragment packet. I updated correct_num_packets in the +fragment test accordingly. + +Signed-off-by: Richard Gobert +Reviewed-by: Willem de Bruijn +Link: https://lore.kernel.org/r/69282fed-2415-47e8-b3d3-34939ec3eb56@gmail.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: f8e8486702ab ("selftests/net: use destination options instead of hop-by-hop") +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/gro.c | 93 +++++++++++++++++++++++++++++-- + 1 file changed, 87 insertions(+), 6 deletions(-) + +diff --git a/tools/testing/selftests/net/gro.c b/tools/testing/selftests/net/gro.c +index 687ab5e7cecf1..a6cf29c2c9318 100644 +--- a/tools/testing/selftests/net/gro.c ++++ b/tools/testing/selftests/net/gro.c +@@ -74,6 +74,12 @@ + #define MAX_PAYLOAD (IP_MAXPACKET - sizeof(struct tcphdr) - sizeof(struct ipv6hdr)) + #define NUM_LARGE_PKT (MAX_PAYLOAD / MSS) + #define MAX_HDR_LEN (ETH_HLEN + sizeof(struct ipv6hdr) + sizeof(struct tcphdr)) ++#define MIN_EXTHDR_SIZE 8 ++#define EXT_PAYLOAD_1 "\x00\x00\x00\x00\x00\x00" ++#define EXT_PAYLOAD_2 "\x11\x11\x11\x11\x11\x11" ++ ++#define ipv6_optlen(p) (((p)->hdrlen+1) << 3) /* calculate IPv6 extension header len */ ++#define BUILD_BUG_ON(condition) ((void)sizeof(char[1 - 2*!!(condition)])) + + static int proto = -1; + static uint8_t src_mac[ETH_ALEN], dst_mac[ETH_ALEN]; +@@ -103,7 +109,7 @@ static void setup_sock_filter(int fd) + const int dport_off = tcp_offset + offsetof(struct tcphdr, dest); + const int ethproto_off = offsetof(struct ethhdr, h_proto); + int optlen = 0; +- int ipproto_off; ++ int ipproto_off, opt_ipproto_off; + int next_off; + + if (proto == PF_INET) +@@ -115,14 +121,30 @@ static void setup_sock_filter(int fd) + if (strcmp(testname, "ip") == 0) { + if (proto == PF_INET) + optlen = sizeof(struct ip_timestamp); +- else +- optlen = sizeof(struct ip6_frag); ++ else { ++ BUILD_BUG_ON(sizeof(struct ip6_hbh) > MIN_EXTHDR_SIZE); ++ BUILD_BUG_ON(sizeof(struct ip6_dest) > MIN_EXTHDR_SIZE); ++ BUILD_BUG_ON(sizeof(struct ip6_frag) > MIN_EXTHDR_SIZE); ++ ++ /* same size for HBH and Fragment extension header types */ ++ optlen = MIN_EXTHDR_SIZE; ++ opt_ipproto_off = ETH_HLEN + sizeof(struct ipv6hdr) ++ + offsetof(struct ip6_ext, ip6e_nxt); ++ } + } + ++ /* this filter validates the following: ++ * - packet is IPv4/IPv6 according to the running test. ++ * - packet is TCP. Also handles the case of one extension header and then TCP. ++ * - checks the packet tcp dport equals to DPORT. Also handles the case of one ++ * extension header and then TCP. ++ */ + struct sock_filter filter[] = { + BPF_STMT(BPF_LD + BPF_H + BPF_ABS, ethproto_off), +- BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, ntohs(ethhdr_proto), 0, 7), ++ BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, ntohs(ethhdr_proto), 0, 9), + BPF_STMT(BPF_LD + BPF_B + BPF_ABS, ipproto_off), ++ BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, IPPROTO_TCP, 2, 0), ++ BPF_STMT(BPF_LD + BPF_B + BPF_ABS, opt_ipproto_off), + BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, IPPROTO_TCP, 0, 5), + BPF_STMT(BPF_LD + BPF_H + BPF_ABS, dport_off), + BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, DPORT, 2, 0), +@@ -575,6 +597,39 @@ static void add_ipv4_ts_option(void *buf, void *optpkt) + iph->check = checksum_fold(iph, sizeof(struct iphdr) + optlen, 0); + } + ++static void add_ipv6_exthdr(void *buf, void *optpkt, __u8 exthdr_type, char *ext_payload) ++{ ++ struct ipv6_opt_hdr *exthdr = (struct ipv6_opt_hdr *)(optpkt + tcp_offset); ++ struct ipv6hdr *iph = (struct ipv6hdr *)(optpkt + ETH_HLEN); ++ char *exthdr_payload_start = (char *)(exthdr + 1); ++ ++ exthdr->hdrlen = 0; ++ exthdr->nexthdr = IPPROTO_TCP; ++ ++ memcpy(exthdr_payload_start, ext_payload, MIN_EXTHDR_SIZE - sizeof(*exthdr)); ++ ++ memcpy(optpkt, buf, tcp_offset); ++ memcpy(optpkt + tcp_offset + MIN_EXTHDR_SIZE, buf + tcp_offset, ++ sizeof(struct tcphdr) + PAYLOAD_LEN); ++ ++ iph->nexthdr = exthdr_type; ++ iph->payload_len = htons(ntohs(iph->payload_len) + MIN_EXTHDR_SIZE); ++} ++ ++static void send_ipv6_exthdr(int fd, struct sockaddr_ll *daddr, char *ext_data1, char *ext_data2) ++{ ++ static char buf[MAX_HDR_LEN + PAYLOAD_LEN]; ++ static char exthdr_pck[sizeof(buf) + MIN_EXTHDR_SIZE]; ++ ++ create_packet(buf, 0, 0, PAYLOAD_LEN, 0); ++ add_ipv6_exthdr(buf, exthdr_pck, IPPROTO_HOPOPTS, ext_data1); ++ write_packet(fd, exthdr_pck, total_hdr_len + PAYLOAD_LEN + MIN_EXTHDR_SIZE, daddr); ++ ++ create_packet(buf, PAYLOAD_LEN * 1, 0, PAYLOAD_LEN, 0); ++ add_ipv6_exthdr(buf, exthdr_pck, IPPROTO_HOPOPTS, ext_data2); ++ write_packet(fd, exthdr_pck, total_hdr_len + PAYLOAD_LEN + MIN_EXTHDR_SIZE, daddr); ++} ++ + /* IPv4 options shouldn't coalesce */ + static void send_ip_options(int fd, struct sockaddr_ll *daddr) + { +@@ -696,7 +751,7 @@ static void send_fragment6(int fd, struct sockaddr_ll *daddr) + create_packet(buf, PAYLOAD_LEN * i, 0, PAYLOAD_LEN, 0); + write_packet(fd, buf, bufpkt_len, daddr); + } +- ++ sleep(1); + create_packet(buf, PAYLOAD_LEN * 2, 0, PAYLOAD_LEN, 0); + memset(extpkt, 0, extpkt_len); + +@@ -759,6 +814,7 @@ static void check_recv_pkts(int fd, int *correct_payload, + vlog("}, Total %d packets\nReceived {", correct_num_pkts); + + while (1) { ++ ip_ext_len = 0; + pkt_size = recv(fd, buffer, IP_MAXPACKET + ETH_HLEN + 1, 0); + if (pkt_size < 0) + error(1, errno, "could not receive"); +@@ -766,7 +822,7 @@ static void check_recv_pkts(int fd, int *correct_payload, + if (iph->version == 4) + ip_ext_len = (iph->ihl - 5) * 4; + else if (ip6h->version == 6 && ip6h->nexthdr != IPPROTO_TCP) +- ip_ext_len = sizeof(struct ip6_frag); ++ ip_ext_len = MIN_EXTHDR_SIZE; + + tcph = (struct tcphdr *)(buffer + tcp_offset + ip_ext_len); + +@@ -887,7 +943,21 @@ static void gro_sender(void) + sleep(1); + write_packet(txfd, fin_pkt, total_hdr_len, &daddr); + } else if (proto == PF_INET6) { ++ sleep(1); + send_fragment6(txfd, &daddr); ++ sleep(1); ++ write_packet(txfd, fin_pkt, total_hdr_len, &daddr); ++ ++ sleep(1); ++ /* send IPv6 packets with ext header with same payload */ ++ send_ipv6_exthdr(txfd, &daddr, EXT_PAYLOAD_1, EXT_PAYLOAD_1); ++ sleep(1); ++ write_packet(txfd, fin_pkt, total_hdr_len, &daddr); ++ ++ sleep(1); ++ /* send IPv6 packets with ext header with different payload */ ++ send_ipv6_exthdr(txfd, &daddr, EXT_PAYLOAD_1, EXT_PAYLOAD_2); ++ sleep(1); + write_packet(txfd, fin_pkt, total_hdr_len, &daddr); + } + } else if (strcmp(testname, "large") == 0) { +@@ -1004,6 +1074,17 @@ static void gro_receiver(void) + */ + printf("fragmented ip6 doesn't coalesce: "); + correct_payload[0] = PAYLOAD_LEN * 2; ++ correct_payload[1] = PAYLOAD_LEN; ++ correct_payload[2] = PAYLOAD_LEN; ++ check_recv_pkts(rxfd, correct_payload, 3); ++ ++ printf("ipv6 with ext header does coalesce: "); ++ correct_payload[0] = PAYLOAD_LEN * 2; ++ check_recv_pkts(rxfd, correct_payload, 1); ++ ++ printf("ipv6 with ext header with different payloads doesn't coalesce: "); ++ correct_payload[0] = PAYLOAD_LEN; ++ correct_payload[1] = PAYLOAD_LEN; + check_recv_pkts(rxfd, correct_payload, 2); + } + } else if (strcmp(testname, "large") == 0) { +-- +2.51.0 + diff --git a/queue-5.15/selftests-net-fix-out-of-order-delivery-of-fin-in-gr.patch b/queue-5.15/selftests-net-fix-out-of-order-delivery-of-fin-in-gr.patch new file mode 100644 index 0000000000..049aad5772 --- /dev/null +++ b/queue-5.15/selftests-net-fix-out-of-order-delivery-of-fin-in-gr.patch @@ -0,0 +1,66 @@ +From 0cbd0467ced49e523d1344d645ea531a47a4f880 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Oct 2025 06:28:18 +0000 +Subject: selftests/net: fix out-of-order delivery of FIN in gro:tcp test + +From: Anubhav Singh + +[ Upstream commit 02d064de05b1fcca769391fa82d205bed8bb9bf0 ] + +Due to the gro_sender sending data packets and FIN packets +in very quick succession, these are received almost simultaneously +by the gro_receiver. FIN packets are sometimes processed before the +data packets leading to intermittent (~1/100) test failures. + +This change adds a delay of 100ms before sending FIN packets +in gro:tcp test to avoid the out-of-order delivery. The same +mitigation already exists for the gro:ip test. + +Fixes: 7d1575014a63 ("selftests/net: GRO coalesce test") +Reviewed-by: Willem de Bruijn +Signed-off-by: Anubhav Singh +Link: https://patch.msgid.link/20251030062818.1562228-1-anubhavsinggh@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/gro.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/tools/testing/selftests/net/gro.c b/tools/testing/selftests/net/gro.c +index cf37ce86b0fd0..687ab5e7cecf1 100644 +--- a/tools/testing/selftests/net/gro.c ++++ b/tools/testing/selftests/net/gro.c +@@ -801,6 +801,7 @@ static void check_recv_pkts(int fd, int *correct_payload, + + static void gro_sender(void) + { ++ const int fin_delay_us = 100 * 1000; + static char fin_pkt[MAX_HDR_LEN]; + struct sockaddr_ll daddr = {}; + int txfd = -1; +@@ -844,15 +845,22 @@ static void gro_sender(void) + write_packet(txfd, fin_pkt, total_hdr_len, &daddr); + } else if (strcmp(testname, "tcp") == 0) { + send_changed_checksum(txfd, &daddr); ++ /* Adding sleep before sending FIN so that it is not ++ * received prior to other packets. ++ */ ++ usleep(fin_delay_us); + write_packet(txfd, fin_pkt, total_hdr_len, &daddr); + + send_changed_seq(txfd, &daddr); ++ usleep(fin_delay_us); + write_packet(txfd, fin_pkt, total_hdr_len, &daddr); + + send_changed_ts(txfd, &daddr); ++ usleep(fin_delay_us); + write_packet(txfd, fin_pkt, total_hdr_len, &daddr); + + send_diff_opt(txfd, &daddr); ++ usleep(fin_delay_us); + write_packet(txfd, fin_pkt, total_hdr_len, &daddr); + } else if (strcmp(testname, "ip") == 0) { + send_changed_ECN(txfd, &daddr); +-- +2.51.0 + diff --git a/queue-5.15/selftests-net-use-destination-options-instead-of-hop.patch b/queue-5.15/selftests-net-use-destination-options-instead-of-hop.patch new file mode 100644 index 0000000000..356d40d3e7 --- /dev/null +++ b/queue-5.15/selftests-net-use-destination-options-instead-of-hop.patch @@ -0,0 +1,58 @@ +From 13924b3795e0844d23fd19150f1b7aa6bd2931a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Oct 2025 06:04:36 +0000 +Subject: selftests/net: use destination options instead of hop-by-hop + +From: Anubhav Singh + +[ Upstream commit f8e8486702abb05b8c734093aab1606af0eac068 ] + +The GRO self-test, gro.c, currently constructs IPv6 packets containing a +Hop-by-Hop Options header (IPPROTO_HOPOPTS) to ensure the GRO path +correctly handles IPv6 extension headers. + +However, network elements may be configured to drop packets with the +Hop-by-Hop Options header (HBH). This causes the self-test to fail +in environments where such network elements are present. + +To improve the robustness and reliability of this test in diverse +network environments, switch from using IPPROTO_HOPOPTS to +IPPROTO_DSTOPTS (Destination Options). + +The Destination Options header is less likely to be dropped by +intermediate routers and still serves the core purpose of the test: +validating GRO's handling of an IPv6 extension header. This change +ensures the test can execute successfully without being incorrectly +failed by network policies outside the kernel's control. + +Fixes: 7d1575014a63 ("selftests/net: GRO coalesce test") +Reviewed-by: Willem de Bruijn +Signed-off-by: Anubhav Singh +Link: https://patch.msgid.link/20251030060436.1556664-1-anubhavsinggh@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/gro.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/net/gro.c b/tools/testing/selftests/net/gro.c +index a6cf29c2c9318..e220b6f12336e 100644 +--- a/tools/testing/selftests/net/gro.c ++++ b/tools/testing/selftests/net/gro.c +@@ -622,11 +622,11 @@ static void send_ipv6_exthdr(int fd, struct sockaddr_ll *daddr, char *ext_data1, + static char exthdr_pck[sizeof(buf) + MIN_EXTHDR_SIZE]; + + create_packet(buf, 0, 0, PAYLOAD_LEN, 0); +- add_ipv6_exthdr(buf, exthdr_pck, IPPROTO_HOPOPTS, ext_data1); ++ add_ipv6_exthdr(buf, exthdr_pck, IPPROTO_DSTOPTS, ext_data1); + write_packet(fd, exthdr_pck, total_hdr_len + PAYLOAD_LEN + MIN_EXTHDR_SIZE, daddr); + + create_packet(buf, PAYLOAD_LEN * 1, 0, PAYLOAD_LEN, 0); +- add_ipv6_exthdr(buf, exthdr_pck, IPPROTO_HOPOPTS, ext_data2); ++ add_ipv6_exthdr(buf, exthdr_pck, IPPROTO_DSTOPTS, ext_data2); + write_packet(fd, exthdr_pck, total_hdr_len + PAYLOAD_LEN + MIN_EXTHDR_SIZE, daddr); + } + +-- +2.51.0 + diff --git a/queue-5.15/selftests-netdevsim-fix-ethtool-coalesce.sh-fail-by-.patch b/queue-5.15/selftests-netdevsim-fix-ethtool-coalesce.sh-fail-by-.patch new file mode 100644 index 0000000000..29d7a3758e --- /dev/null +++ b/queue-5.15/selftests-netdevsim-fix-ethtool-coalesce.sh-fail-by-.patch @@ -0,0 +1,60 @@ +From 428e7505db2a8f6150f192a0aa87717897cfbe5b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Oct 2025 12:03:40 +0800 +Subject: selftests: netdevsim: Fix ethtool-coalesce.sh fail by installing + ethtool-common.sh + +From: Wang Liang + +[ Upstream commit d01f8136d46b925798abcf86b35a4021e4cfb8bb ] + +The script "ethtool-common.sh" is not installed in INSTALL_PATH, and +triggers some errors when I try to run the test +'drivers/net/netdevsim/ethtool-coalesce.sh': + + TAP version 13 + 1..1 + # timeout set to 600 + # selftests: drivers/net/netdevsim: ethtool-coalesce.sh + # ./ethtool-coalesce.sh: line 4: ethtool-common.sh: No such file or directory + # ./ethtool-coalesce.sh: line 25: make_netdev: command not found + # ethtool: bad command line argument(s) + # ./ethtool-coalesce.sh: line 124: check: command not found + # ./ethtool-coalesce.sh: line 126: [: -eq: unary operator expected + # FAILED /0 checks + not ok 1 selftests: drivers/net/netdevsim: ethtool-coalesce.sh # exit=1 + +Install this file to avoid this error. After this patch: + + TAP version 13 + 1..1 + # timeout set to 600 + # selftests: drivers/net/netdevsim: ethtool-coalesce.sh + # PASSED all 22 checks + ok 1 selftests: drivers/net/netdevsim: ethtool-coalesce.sh + +Fixes: fbb8531e58bd ("selftests: extract common functions in ethtool-common.sh") +Signed-off-by: Wang Liang +Link: https://patch.msgid.link/20251030040340.3258110-1-wangliang74@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/drivers/net/netdevsim/Makefile | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/tools/testing/selftests/drivers/net/netdevsim/Makefile b/tools/testing/selftests/drivers/net/netdevsim/Makefile +index 7a29a05bea8bc..50932e13cb5a8 100644 +--- a/tools/testing/selftests/drivers/net/netdevsim/Makefile ++++ b/tools/testing/selftests/drivers/net/netdevsim/Makefile +@@ -14,4 +14,8 @@ TEST_PROGS = devlink.sh \ + tc-mq-visibility.sh \ + udp_tunnel_nic.sh \ + ++TEST_FILES := \ ++ ethtool-common.sh ++# end of TEST_FILES ++ + include ../../../lib.mk +-- +2.51.0 + diff --git a/queue-5.15/series b/queue-5.15/series index 35ca8ae017..ff77ac9b46 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -207,3 +207,21 @@ asoc-meson-aiu-encoder-i2s-fix-bit-clock-polarity.patch ceph-add-checking-of-wait_for_completion_killable-re.patch alsa-hda-realtek-audio-disappears-on-hp-15-fc000-aft.patch revert-wifi-ath10k-avoid-unnecessary-wait-for-service-ready-message.patch +riscv-ptdump-use-seq_puts-in-pt_dump_seq_puts-macro.patch +net-dsa-tag_brcm-legacy-fix-untagged-rx-on-unbridged.patch +selftests-net-fix-out-of-order-delivery-of-fin-in-gr.patch +selftests-net-fix-gro-coalesce-test-and-add-ext-head.patch +selftests-net-use-destination-options-instead-of-hop.patch +netdevsim-add-makefile-for-selftests.patch +selftests-netdevsim-fix-ethtool-coalesce.sh-fail-by-.patch +net-vlan-sync-vlan-features-with-lower-device.patch +net-dsa-b53-fix-resetting-speed-and-pause-on-forced-.patch +net-dsa-b53-fix-enabling-ip-multicast.patch +net-dsa-b53-stop-reading-arl-entries-if-search-is-do.patch +sctp-hold-rcu-read-lock-while-iterating-over-address.patch +sctp-prevent-toctou-out-of-bounds-write.patch +sctp-hold-sock-lock-while-iterating-over-address-lis.patch +net-usb-qmi_wwan-initialize-mac-header-offset-in-qmi.patch +bnxt_en-ptp-refactor-ptp-initialization-functions.patch +bnxt_en-fix-a-possible-memory-leak-in-bnxt_ptp_init.patch +tracing-fix-memory-leaks-in-create_field_var.patch diff --git a/queue-5.15/tracing-fix-memory-leaks-in-create_field_var.patch b/queue-5.15/tracing-fix-memory-leaks-in-create_field_var.patch new file mode 100644 index 0000000000..e289236897 --- /dev/null +++ b/queue-5.15/tracing-fix-memory-leaks-in-create_field_var.patch @@ -0,0 +1,53 @@ +From 1706877d645be03540a53d3d524179ce23f2a4dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Nov 2025 12:01:32 +0000 +Subject: tracing: Fix memory leaks in create_field_var() + +From: Zilin Guan + +[ Upstream commit 80f0d631dcc76ee1b7755bfca1d8417d91d71414 ] + +The function create_field_var() allocates memory for 'val' through +create_hist_field() inside parse_atom(), and for 'var' through +create_var(), which in turn allocates var->type and var->var.name +internally. Simply calling kfree() to release these structures will +result in memory leaks. + +Use destroy_hist_field() to properly free 'val', and explicitly release +the memory of var->type and var->var.name before freeing 'var' itself. + +Link: https://patch.msgid.link/20251106120132.3639920-1-zilin@seu.edu.cn +Fixes: 02205a6752f22 ("tracing: Add support for 'field variables'") +Signed-off-by: Zilin Guan +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_events_hist.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c +index e7799814a3c8a..8795913425416 100644 +--- a/kernel/trace/trace_events_hist.c ++++ b/kernel/trace/trace_events_hist.c +@@ -2798,14 +2798,16 @@ static struct field_var *create_field_var(struct hist_trigger_data *hist_data, + var = create_var(hist_data, file, field_name, val->size, val->type); + if (IS_ERR(var)) { + hist_err(tr, HIST_ERR_VAR_CREATE_FIND_FAIL, errpos(field_name)); +- kfree(val); ++ destroy_hist_field(val, 0); + ret = PTR_ERR(var); + goto err; + } + + field_var = kzalloc(sizeof(struct field_var), GFP_KERNEL); + if (!field_var) { +- kfree(val); ++ destroy_hist_field(val, 0); ++ kfree_const(var->type); ++ kfree(var->var.name); + kfree(var); + ret = -ENOMEM; + goto err; +-- +2.51.0 + diff --git a/queue-5.4/net-dsa-b53-change-b53_force_port_config-pause-argum.patch b/queue-5.4/net-dsa-b53-change-b53_force_port_config-pause-argum.patch new file mode 100644 index 0000000000..35eb80f272 --- /dev/null +++ b/queue-5.4/net-dsa-b53-change-b53_force_port_config-pause-argum.patch @@ -0,0 +1,102 @@ +From 426660ec88fb1fbcdad45709306f8c09c36245b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Jun 2020 11:25:00 +0100 +Subject: net: dsa/b53: change b53_force_port_config() pause argument + +From: Russell King + +[ Upstream commit 3cad1c8b49e93c62f27f4eb34e0ccfde92f4cdc0 ] + +Replace the b53_force_port_config() pause argument, which is based on +phylink's MLO_PAUSE_* definitions, to use a pair of booleans. This +will allow us to move b53_force_port_config() from +b53_phylink_mac_config() to b53_phylink_mac_link_up(). + +Reviewed-by: Florian Fainelli +Signed-off-by: Russell King +Signed-off-by: David S. Miller +Stable-dep-of: b6a8a5477fe9 ("net: dsa: b53: fix resetting speed and pause on forced link") +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 25 +++++++++++++++---------- + 1 file changed, 15 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index fea28b24a1a0b..4de302f20e4f3 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -1041,7 +1041,8 @@ static void b53_force_link(struct b53_device *dev, int port, int link) + } + + static void b53_force_port_config(struct b53_device *dev, int port, +- int speed, int duplex, int pause) ++ int speed, int duplex, ++ bool tx_pause, bool rx_pause) + { + u8 reg, val, off; + +@@ -1079,9 +1080,9 @@ static void b53_force_port_config(struct b53_device *dev, int port, + return; + } + +- if (pause & MLO_PAUSE_RX) ++ if (rx_pause) + reg |= PORT_OVERRIDE_RX_FLOW; +- if (pause & MLO_PAUSE_TX) ++ if (tx_pause) + reg |= PORT_OVERRIDE_TX_FLOW; + + b53_write8(dev, B53_CTRL_PAGE, off, reg); +@@ -1093,22 +1094,24 @@ static void b53_adjust_link(struct dsa_switch *ds, int port, + struct b53_device *dev = ds->priv; + struct ethtool_eee *p = &dev->ports[port].eee; + u8 rgmii_ctrl = 0, reg = 0, off; +- int pause = 0; ++ bool tx_pause = false; ++ bool rx_pause = false; + + if (!phy_is_pseudo_fixed_link(phydev)) + return; + + /* Enable flow control on BCM5301x's CPU port */ + if (is5301x(dev) && port == dev->cpu_port) +- pause = MLO_PAUSE_TXRX_MASK; ++ tx_pause = rx_pause = true; + + if (phydev->pause) { + if (phydev->asym_pause) +- pause |= MLO_PAUSE_TX; +- pause |= MLO_PAUSE_RX; ++ tx_pause = true; ++ rx_pause = true; + } + +- b53_force_port_config(dev, port, phydev->speed, phydev->duplex, pause); ++ b53_force_port_config(dev, port, phydev->speed, phydev->duplex, ++ tx_pause, rx_pause); + b53_force_link(dev, port, phydev->link); + + if (is531x5(dev) && phy_interface_is_rgmii(phydev)) { +@@ -1170,7 +1173,7 @@ static void b53_adjust_link(struct dsa_switch *ds, int port, + } else if (is5301x(dev)) { + if (port != dev->cpu_port) { + b53_force_port_config(dev, dev->cpu_port, 2000, +- DUPLEX_FULL, MLO_PAUSE_TXRX_MASK); ++ DUPLEX_FULL, true, true); + b53_force_link(dev, dev->cpu_port, 1); + } + } +@@ -1260,7 +1263,9 @@ void b53_phylink_mac_config(struct dsa_switch *ds, int port, + + if (mode == MLO_AN_FIXED) { + b53_force_port_config(dev, port, state->speed, +- state->duplex, state->pause); ++ state->duplex, ++ !!(state->pause & MLO_PAUSE_TX), ++ !!(state->pause & MLO_PAUSE_RX)); + return; + } + +-- +2.51.0 + diff --git a/queue-5.4/net-dsa-b53-fix-enabling-ip-multicast.patch b/queue-5.4/net-dsa-b53-fix-enabling-ip-multicast.patch new file mode 100644 index 0000000000..e02510466a --- /dev/null +++ b/queue-5.4/net-dsa-b53-fix-enabling-ip-multicast.patch @@ -0,0 +1,75 @@ +From cd028a36899f005158d75c98c0200eb0bf9e5862 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Nov 2025 11:07:56 +0100 +Subject: net: dsa: b53: fix enabling ip multicast + +From: Jonas Gorski + +[ Upstream commit c264294624e956a967a9e2e5fa41e3273340b089 ] + +In the New Control register bit 1 is either reserved, or has a different +function: + + Out of Range Error Discard + + When enabled, the ingress port discards any frames + if the Length field is between 1500 and 1536 + (excluding 1500 and 1536) and with good CRC. + +The actual bit for enabling IP multicast is bit 0, which was only +explicitly enabled for BCM5325 so far. + +For older switch chips, this bit defaults to 0, so we want to enable it +as well, while newer switch chips default to 1, and their documentation +says "It is illegal to set this bit to zero." + +So drop the wrong B53_IPMC_FWD_EN define, enable the IP multicast bit +also for other switch chips. While at it, rename it to (B53_)IP_MC as +that is how it is called in Broadcom code. + +Fixes: 63cc54a6f073 ("net: dsa: b53: Fix egress flooding settings") +Signed-off-by: Jonas Gorski +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20251102100758.28352-2-jonas.gorski@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 4 ++-- + drivers/net/dsa/b53/b53_regs.h | 3 +-- + 2 files changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index 234ef7771ceef..bc303b3e1c966 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -347,11 +347,11 @@ static void b53_set_forwarding(struct b53_device *dev, int enable) + * frames should be flooded or not. + */ + b53_read8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, &mgmt); +- mgmt |= B53_UC_FWD_EN | B53_MC_FWD_EN | B53_IPMC_FWD_EN; ++ mgmt |= B53_UC_FWD_EN | B53_MC_FWD_EN | B53_IP_MC; + b53_write8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, mgmt); + } else { + b53_read8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, &mgmt); +- mgmt |= B53_IP_MCAST_25; ++ mgmt |= B53_IP_MC; + b53_write8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, mgmt); + } + } +diff --git a/drivers/net/dsa/b53/b53_regs.h b/drivers/net/dsa/b53/b53_regs.h +index 77fb7ae660b8c..95f70248c194d 100644 +--- a/drivers/net/dsa/b53/b53_regs.h ++++ b/drivers/net/dsa/b53/b53_regs.h +@@ -104,8 +104,7 @@ + + /* IP Multicast control (8 bit) */ + #define B53_IP_MULTICAST_CTRL 0x21 +-#define B53_IP_MCAST_25 BIT(0) +-#define B53_IPMC_FWD_EN BIT(1) ++#define B53_IP_MC BIT(0) + #define B53_UC_FWD_EN BIT(6) + #define B53_MC_FWD_EN BIT(7) + +-- +2.51.0 + diff --git a/queue-5.4/net-dsa-b53-fix-resetting-speed-and-pause-on-forced-.patch b/queue-5.4/net-dsa-b53-fix-resetting-speed-and-pause-on-forced-.patch new file mode 100644 index 0000000000..4721be335a --- /dev/null +++ b/queue-5.4/net-dsa-b53-fix-resetting-speed-and-pause-on-forced-.patch @@ -0,0 +1,64 @@ +From 5cc82741ac8648593b1ae4a23f27b442b3d9ce39 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Nov 2025 14:28:06 +0100 +Subject: net: dsa: b53: fix resetting speed and pause on forced link + +From: Jonas Gorski + +[ Upstream commit b6a8a5477fe9bd6be2b594a88f82f8bba41e6d54 ] + +There is no guarantee that the port state override registers have their +default values, as not all switches support being reset via register or +have a reset GPIO. + +So when forcing port config, we need to make sure to clear all fields, +which we currently do not do for the speed and flow control +configuration. This can cause flow control stay enabled, or in the case +of speed becoming an illegal value, e.g. configured for 1G (0x2), then +setting 100M (0x1), results in 0x3 which is invalid. + +For PORT_OVERRIDE_SPEED_2000M we need to make sure to only clear it on +supported chips, as the bit can have different meanings on other chips, +e.g. for BCM5389 this controls scanning PHYs for link/speed +configuration. + +Fixes: 5e004460f874 ("net: dsa: b53: Add helper to set link parameters") +Signed-off-by: Jonas Gorski +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20251101132807.50419-2-jonas.gorski@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index dca23e0edb9a8..234ef7771ceef 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -1066,6 +1066,10 @@ static void b53_force_port_config(struct b53_device *dev, int port, + else + reg &= ~PORT_OVERRIDE_FULL_DUPLEX; + ++ reg &= ~(0x3 << GMII_PO_SPEED_S); ++ if (is5301x(dev) || is58xx(dev)) ++ reg &= ~PORT_OVERRIDE_SPEED_2000M; ++ + switch (speed) { + case 2000: + reg |= PORT_OVERRIDE_SPEED_2000M; +@@ -1084,6 +1088,11 @@ static void b53_force_port_config(struct b53_device *dev, int port, + return; + } + ++ if (is5325(dev)) ++ reg &= ~PORT_OVERRIDE_LP_FLOW_25; ++ else ++ reg &= ~(PORT_OVERRIDE_RX_FLOW | PORT_OVERRIDE_TX_FLOW); ++ + if (rx_pause) { + if (is5325(dev)) + reg |= PORT_OVERRIDE_LP_FLOW_25; +-- +2.51.0 + diff --git a/queue-5.4/net-dsa-b53-prevent-gmii_port_override_ctrl-access-o.patch b/queue-5.4/net-dsa-b53-prevent-gmii_port_override_ctrl-access-o.patch new file mode 100644 index 0000000000..0650bf1f87 --- /dev/null +++ b/queue-5.4/net-dsa-b53-prevent-gmii_port_override_ctrl-access-o.patch @@ -0,0 +1,89 @@ +From 4893f23f255116ba5286558f2600d357f545f714 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Jun 2025 09:59:57 +0200 +Subject: net: dsa: b53: prevent GMII_PORT_OVERRIDE_CTRL access on BCM5325 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Álvaro Fernández Rojas + +[ Upstream commit 37883bbc45a8555d6eca88d3a9730504d2dac86c ] + +BCM5325 doesn't implement GMII_PORT_OVERRIDE_CTRL register so we should +avoid reading or writing it. +PORT_OVERRIDE_RX_FLOW and PORT_OVERRIDE_TX_FLOW aren't defined on BCM5325 +and we should use PORT_OVERRIDE_LP_FLOW_25 instead. + +Reviewed-by: Florian Fainelli +Signed-off-by: Álvaro Fernández Rojas +Link: https://patch.msgid.link/20250614080000.1884236-12-noltari@gmail.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: b6a8a5477fe9 ("net: dsa: b53: fix resetting speed and pause on forced link") +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 21 +++++++++++++++++---- + drivers/net/dsa/b53/b53_regs.h | 1 + + 2 files changed, 18 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index 4de302f20e4f3..dca23e0edb9a8 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -1026,6 +1026,8 @@ static void b53_force_link(struct b53_device *dev, int port, int link) + if (port == dev->cpu_port) { + off = B53_PORT_OVERRIDE_CTRL; + val = PORT_OVERRIDE_EN; ++ } else if (is5325(dev)) { ++ return; + } else { + off = B53_GMII_PORT_OVERRIDE_CTRL(port); + val = GMII_PO_EN; +@@ -1050,6 +1052,8 @@ static void b53_force_port_config(struct b53_device *dev, int port, + if (port == dev->cpu_port) { + off = B53_PORT_OVERRIDE_CTRL; + val = PORT_OVERRIDE_EN; ++ } else if (is5325(dev)) { ++ return; + } else { + off = B53_GMII_PORT_OVERRIDE_CTRL(port); + val = GMII_PO_EN; +@@ -1080,10 +1084,19 @@ static void b53_force_port_config(struct b53_device *dev, int port, + return; + } + +- if (rx_pause) +- reg |= PORT_OVERRIDE_RX_FLOW; +- if (tx_pause) +- reg |= PORT_OVERRIDE_TX_FLOW; ++ if (rx_pause) { ++ if (is5325(dev)) ++ reg |= PORT_OVERRIDE_LP_FLOW_25; ++ else ++ reg |= PORT_OVERRIDE_RX_FLOW; ++ } ++ ++ if (tx_pause) { ++ if (is5325(dev)) ++ reg |= PORT_OVERRIDE_LP_FLOW_25; ++ else ++ reg |= PORT_OVERRIDE_TX_FLOW; ++ } + + b53_write8(dev, B53_CTRL_PAGE, off, reg); + } +diff --git a/drivers/net/dsa/b53/b53_regs.h b/drivers/net/dsa/b53/b53_regs.h +index ea6897c3f6f76..77fb7ae660b8c 100644 +--- a/drivers/net/dsa/b53/b53_regs.h ++++ b/drivers/net/dsa/b53/b53_regs.h +@@ -92,6 +92,7 @@ + #define PORT_OVERRIDE_SPEED_10M (0 << PORT_OVERRIDE_SPEED_S) + #define PORT_OVERRIDE_SPEED_100M (1 << PORT_OVERRIDE_SPEED_S) + #define PORT_OVERRIDE_SPEED_1000M (2 << PORT_OVERRIDE_SPEED_S) ++#define PORT_OVERRIDE_LP_FLOW_25 BIT(3) /* BCM5325 only */ + #define PORT_OVERRIDE_RV_MII_25 BIT(4) /* BCM5325 only */ + #define PORT_OVERRIDE_RX_FLOW BIT(4) + #define PORT_OVERRIDE_TX_FLOW BIT(5) +-- +2.51.0 + diff --git a/queue-5.4/net-dsa-b53-stop-reading-arl-entries-if-search-is-do.patch b/queue-5.4/net-dsa-b53-stop-reading-arl-entries-if-search-is-do.patch new file mode 100644 index 0000000000..7141a85361 --- /dev/null +++ b/queue-5.4/net-dsa-b53-stop-reading-arl-entries-if-search-is-do.patch @@ -0,0 +1,51 @@ +From 0d6680cad245b281567c45e4b922b8367be8a686 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Nov 2025 11:07:57 +0100 +Subject: net: dsa: b53: stop reading ARL entries if search is done + +From: Jonas Gorski + +[ Upstream commit 0be04b5fa62a82a9929ca261f6c9f64a3d0a28da ] + +The switch clears the ARL_SRCH_STDN bit when the search is done, i.e. it +finished traversing the ARL table. + +This means that there will be no valid result, so we should not attempt +to read and process any further entries. + +We only ever check the validity of the entries for 4 ARL bin chips, and +only after having passed the first entry to the b53_fdb_copy(). + +This means that we always pass an invalid entry at the end to the +b53_fdb_copy(). b53_fdb_copy() does check the validity though before +passing on the entry, so it never gets passed on. + +On < 4 ARL bin chips, we will even continue reading invalid entries +until we reach the result limit. + +Fixes: 1da6df85c6fb ("net: dsa: b53: Implement ARL add/del/dump operations") +Signed-off-by: Jonas Gorski +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20251102100758.28352-3-jonas.gorski@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index bc303b3e1c966..6a583e220bf84 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -1643,7 +1643,7 @@ static int b53_arl_search_wait(struct b53_device *dev) + do { + b53_read8(dev, B53_ARLIO_PAGE, B53_ARL_SRCH_CTL, ®); + if (!(reg & ARL_SRCH_STDN)) +- return 0; ++ return -ENOENT; + + if (reg & ARL_SRCH_VLID) + return 0; +-- +2.51.0 + diff --git a/queue-5.4/net-usb-qmi_wwan-initialize-mac-header-offset-in-qmi.patch b/queue-5.4/net-usb-qmi_wwan-initialize-mac-header-offset-in-qmi.patch new file mode 100644 index 0000000000..1f8263f841 --- /dev/null +++ b/queue-5.4/net-usb-qmi_wwan-initialize-mac-header-offset-in-qmi.patch @@ -0,0 +1,70 @@ +From 2dbd532a0be399cfd86a6889f013d6847068478e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Oct 2025 08:57:44 +0100 +Subject: net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup + +From: Qendrim Maxhuni + +[ Upstream commit e120f46768d98151ece8756ebd688b0e43dc8b29 ] + +Raw IP packets have no MAC header, leaving skb->mac_header uninitialized. +This can trigger kernel panics on ARM64 when xfrm or other subsystems +access the offset due to strict alignment checks. + +Initialize the MAC header to prevent such crashes. + +This can trigger kernel panics on ARM when running IPsec over the +qmimux0 interface. + +Example trace: + + Internal error: Oops: 000000009600004f [#1] SMP + CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.34-gbe78e49cb433 #1 + Hardware name: LS1028A RDB Board (DT) + pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : xfrm_input+0xde8/0x1318 + lr : xfrm_input+0x61c/0x1318 + sp : ffff800080003b20 + Call trace: + xfrm_input+0xde8/0x1318 + xfrm6_rcv+0x38/0x44 + xfrm6_esp_rcv+0x48/0xa8 + ip6_protocol_deliver_rcu+0x94/0x4b0 + ip6_input_finish+0x44/0x70 + ip6_input+0x44/0xc0 + ipv6_rcv+0x6c/0x114 + __netif_receive_skb_one_core+0x5c/0x8c + __netif_receive_skb+0x18/0x60 + process_backlog+0x78/0x17c + __napi_poll+0x38/0x180 + net_rx_action+0x168/0x2f0 + +Fixes: c6adf77953bc ("net: usb: qmi_wwan: add qmap mux protocol support") +Signed-off-by: Qendrim Maxhuni +Link: https://patch.msgid.link/20251029075744.105113-1-qendrim.maxhuni@garderos.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/qmi_wwan.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index acf1321657ec9..274b15d2a2cc1 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -229,6 +229,12 @@ static int qmimux_rx_fixup(struct usbnet *dev, struct sk_buff *skb) + return 0; + skbn->dev = net; + ++ /* Raw IP packets don't have a MAC header, but other subsystems ++ * (like xfrm) may still access MAC header offsets, so they must ++ * be initialized. ++ */ ++ skb_reset_mac_header(skbn); ++ + switch (skb->data[offset + qmimux_hdr_sz] & 0xf0) { + case 0x40: + skbn->protocol = htons(ETH_P_IP); +-- +2.51.0 + diff --git a/queue-5.4/net-vlan-sync-vlan-features-with-lower-device.patch b/queue-5.4/net-vlan-sync-vlan-features-with-lower-device.patch new file mode 100644 index 0000000000..b7e9612877 --- /dev/null +++ b/queue-5.4/net-vlan-sync-vlan-features-with-lower-device.patch @@ -0,0 +1,44 @@ +From 11da18bf35df36d2bba19aed5e826adbde5db636 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Oct 2025 07:35:39 +0000 +Subject: net: vlan: sync VLAN features with lower device + +From: Hangbin Liu + +[ Upstream commit c211f5d7cbd5cb34489d526648bb9c8ecc907dee ] + +After registering a VLAN device and setting its feature flags, we need to +synchronize the VLAN features with the lower device. For example, the VLAN +device does not have the NETIF_F_LRO flag, it should be synchronized with +the lower device based on the NETIF_F_UPPER_DISABLES definition. + +As the dev->vlan_features has changed, we need to call +netdev_update_features(). The caller must run after netdev_upper_dev_link() +links the lower devices, so this patch adds the netdev_update_features() +call in register_vlan_dev(). + +Fixes: fd867d51f889 ("net/core: generic support for disabling netdev features down stack") +Signed-off-by: Hangbin Liu +Link: https://patch.msgid.link/20251030073539.133779-1-liuhangbin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/8021q/vlan.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c +index 14244445f944a..c6d5cf8105232 100644 +--- a/net/8021q/vlan.c ++++ b/net/8021q/vlan.c +@@ -187,6 +187,8 @@ int register_vlan_dev(struct net_device *dev, struct netlink_ext_ack *extack) + vlan_group_set_device(grp, vlan->vlan_proto, vlan_id, dev); + grp->nr_vlan_devs++; + ++ netdev_update_features(dev); ++ + return 0; + + out_unregister_netdev: +-- +2.51.0 + diff --git a/queue-5.4/sctp-hold-rcu-read-lock-while-iterating-over-address.patch b/queue-5.4/sctp-hold-rcu-read-lock-while-iterating-over-address.patch new file mode 100644 index 0000000000..2d19e46289 --- /dev/null +++ b/queue-5.4/sctp-hold-rcu-read-lock-while-iterating-over-address.patch @@ -0,0 +1,104 @@ +From 71970fbaadbe50fded465b50d9f3d5d56e57741c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Oct 2025 17:12:26 +0100 +Subject: sctp: Hold RCU read lock while iterating over address list + +From: Stefan Wiehler + +[ Upstream commit 38f50242bf0f237cdc262308d624d333286ec3c5 ] + +With CONFIG_PROVE_RCU_LIST=y and by executing + + $ netcat -l --sctp & + $ netcat --sctp localhost & + $ ss --sctp + +one can trigger the following Lockdep-RCU splat(s): + + WARNING: suspicious RCU usage + 6.18.0-rc1-00093-g7f864458e9a6 #5 Not tainted + ----------------------------- + net/sctp/diag.c:76 RCU-list traversed in non-reader section!! + + other info that might help us debug this: + + rcu_scheduler_active = 2, debug_locks = 1 + 2 locks held by ss/215: + #0: ffff9c740828bec0 (nlk_cb_mutex-SOCK_DIAG){+.+.}-{4:4}, at: __netlink_dump_start+0x84/0x2b0 + #1: ffff9c7401d72cd0 (sk_lock-AF_INET6){+.+.}-{0:0}, at: sctp_sock_dump+0x38/0x200 + + stack backtrace: + CPU: 0 UID: 0 PID: 215 Comm: ss Not tainted 6.18.0-rc1-00093-g7f864458e9a6 #5 PREEMPT(voluntary) + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 + Call Trace: + + dump_stack_lvl+0x5d/0x90 + lockdep_rcu_suspicious.cold+0x4e/0xa3 + inet_sctp_diag_fill.isra.0+0x4b1/0x5d0 + sctp_sock_dump+0x131/0x200 + sctp_transport_traverse_process+0x170/0x1b0 + ? __pfx_sctp_sock_filter+0x10/0x10 + ? __pfx_sctp_sock_dump+0x10/0x10 + sctp_diag_dump+0x103/0x140 + __inet_diag_dump+0x70/0xb0 + netlink_dump+0x148/0x490 + __netlink_dump_start+0x1f3/0x2b0 + inet_diag_handler_cmd+0xcd/0x100 + ? __pfx_inet_diag_dump_start+0x10/0x10 + ? __pfx_inet_diag_dump+0x10/0x10 + ? __pfx_inet_diag_dump_done+0x10/0x10 + sock_diag_rcv_msg+0x18e/0x320 + ? __pfx_sock_diag_rcv_msg+0x10/0x10 + netlink_rcv_skb+0x4d/0x100 + netlink_unicast+0x1d7/0x2b0 + netlink_sendmsg+0x203/0x450 + ____sys_sendmsg+0x30c/0x340 + ___sys_sendmsg+0x94/0xf0 + __sys_sendmsg+0x83/0xf0 + do_syscall_64+0xbb/0x390 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + ... + + +Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file") +Signed-off-by: Stefan Wiehler +Reviewed-by: Kuniyuki Iwashima +Acked-by: Xin Long +Link: https://patch.msgid.link/20251028161506.3294376-2-stefan.wiehler@nokia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/diag.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/sctp/diag.c b/net/sctp/diag.c +index 2fcfb8cc8bd12..fd7a55b3049db 100644 +--- a/net/sctp/diag.c ++++ b/net/sctp/diag.c +@@ -73,19 +73,23 @@ static int inet_diag_msg_sctpladdrs_fill(struct sk_buff *skb, + struct nlattr *attr; + void *info = NULL; + ++ rcu_read_lock(); + list_for_each_entry_rcu(laddr, address_list, list) + addrcnt++; ++ rcu_read_unlock(); + + attr = nla_reserve(skb, INET_DIAG_LOCALS, addrlen * addrcnt); + if (!attr) + return -EMSGSIZE; + + info = nla_data(attr); ++ rcu_read_lock(); + list_for_each_entry_rcu(laddr, address_list, list) { + memcpy(info, &laddr->a, sizeof(laddr->a)); + memset(info + sizeof(laddr->a), 0, addrlen - sizeof(laddr->a)); + info += addrlen; + } ++ rcu_read_unlock(); + + return 0; + } +-- +2.51.0 + diff --git a/queue-5.4/sctp-prevent-toctou-out-of-bounds-write.patch b/queue-5.4/sctp-prevent-toctou-out-of-bounds-write.patch new file mode 100644 index 0000000000..583e29dedf --- /dev/null +++ b/queue-5.4/sctp-prevent-toctou-out-of-bounds-write.patch @@ -0,0 +1,45 @@ +From b1aae132f489f469f6ce60bca068002c66dd0d31 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Oct 2025 17:12:27 +0100 +Subject: sctp: Prevent TOCTOU out-of-bounds write + +From: Stefan Wiehler + +[ Upstream commit 95aef86ab231f047bb8085c70666059b58f53c09 ] + +For the following path not holding the sock lock, + + sctp_diag_dump() -> sctp_for_each_endpoint() -> sctp_ep_dump() + +make sure not to exceed bounds in case the address list has grown +between buffer allocation (time-of-check) and write (time-of-use). + +Suggested-by: Kuniyuki Iwashima +Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file") +Signed-off-by: Stefan Wiehler +Reviewed-by: Kuniyuki Iwashima +Acked-by: Xin Long +Link: https://patch.msgid.link/20251028161506.3294376-3-stefan.wiehler@nokia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/diag.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/sctp/diag.c b/net/sctp/diag.c +index fd7a55b3049db..641e52b9099dc 100644 +--- a/net/sctp/diag.c ++++ b/net/sctp/diag.c +@@ -88,6 +88,9 @@ static int inet_diag_msg_sctpladdrs_fill(struct sk_buff *skb, + memcpy(info, &laddr->a, sizeof(laddr->a)); + memset(info + sizeof(laddr->a), 0, addrlen - sizeof(laddr->a)); + info += addrlen; ++ ++ if (!--addrcnt) ++ break; + } + rcu_read_unlock(); + +-- +2.51.0 + diff --git a/queue-5.4/series b/queue-5.4/series index ad05466ed7..ba387c5f65 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -111,3 +111,13 @@ acpi-property-return-present-device-nodes-only-on-fw.patch tools-bitmap-add-missing-asm-generic-bitsperlong.h-i.patch fbdev-add-bounds-checking-in-bit_putcs-to-fix-vmallo.patch ceph-add-checking-of-wait_for_completion_killable-re.patch +net-vlan-sync-vlan-features-with-lower-device.patch +net-dsa-b53-change-b53_force_port_config-pause-argum.patch +net-dsa-b53-prevent-gmii_port_override_ctrl-access-o.patch +net-dsa-b53-fix-resetting-speed-and-pause-on-forced-.patch +net-dsa-b53-fix-enabling-ip-multicast.patch +net-dsa-b53-stop-reading-arl-entries-if-search-is-do.patch +sctp-hold-rcu-read-lock-while-iterating-over-address.patch +sctp-prevent-toctou-out-of-bounds-write.patch +net-usb-qmi_wwan-initialize-mac-header-offset-in-qmi.patch +tracing-fix-memory-leaks-in-create_field_var.patch diff --git a/queue-5.4/tracing-fix-memory-leaks-in-create_field_var.patch b/queue-5.4/tracing-fix-memory-leaks-in-create_field_var.patch new file mode 100644 index 0000000000..b3c6eed41e --- /dev/null +++ b/queue-5.4/tracing-fix-memory-leaks-in-create_field_var.patch @@ -0,0 +1,53 @@ +From d4540765ca54366f9823cc7bd4c4c47b2881a1f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Nov 2025 12:01:32 +0000 +Subject: tracing: Fix memory leaks in create_field_var() + +From: Zilin Guan + +[ Upstream commit 80f0d631dcc76ee1b7755bfca1d8417d91d71414 ] + +The function create_field_var() allocates memory for 'val' through +create_hist_field() inside parse_atom(), and for 'var' through +create_var(), which in turn allocates var->type and var->var.name +internally. Simply calling kfree() to release these structures will +result in memory leaks. + +Use destroy_hist_field() to properly free 'val', and explicitly release +the memory of var->type and var->var.name before freeing 'var' itself. + +Link: https://patch.msgid.link/20251106120132.3639920-1-zilin@seu.edu.cn +Fixes: 02205a6752f22 ("tracing: Add support for 'field variables'") +Signed-off-by: Zilin Guan +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_events_hist.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c +index 1ede6d41ab8da..21d0731874448 100644 +--- a/kernel/trace/trace_events_hist.c ++++ b/kernel/trace/trace_events_hist.c +@@ -3634,14 +3634,16 @@ static struct field_var *create_field_var(struct hist_trigger_data *hist_data, + var = create_var(hist_data, file, field_name, val->size, val->type); + if (IS_ERR(var)) { + hist_err(tr, HIST_ERR_VAR_CREATE_FIND_FAIL, errpos(field_name)); +- kfree(val); ++ destroy_hist_field(val, 0); + ret = PTR_ERR(var); + goto err; + } + + field_var = kzalloc(sizeof(struct field_var), GFP_KERNEL); + if (!field_var) { +- kfree(val); ++ destroy_hist_field(val, 0); ++ kfree_const(var->type); ++ kfree(var->var.name); + kfree(var); + ret = -ENOMEM; + goto err; +-- +2.51.0 + diff --git a/queue-6.1/bluetooth-hci_event-validate-skb-length-for-unknown-.patch b/queue-6.1/bluetooth-hci_event-validate-skb-length-for-unknown-.patch new file mode 100644 index 0000000000..870db4d791 --- /dev/null +++ b/queue-6.1/bluetooth-hci_event-validate-skb-length-for-unknown-.patch @@ -0,0 +1,49 @@ +From f1b405adef491f57a0aeeb2ae6082229959b55d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Oct 2025 12:29:10 -0400 +Subject: Bluetooth: hci_event: validate skb length for unknown CC opcode + +From: Raphael Pinsonneault-Thibeault + +[ Upstream commit 5c5f1f64681cc889d9b13e4a61285e9e029d6ab5 ] + +In hci_cmd_complete_evt(), if the command complete event has an unknown +opcode, we assume the first byte of the remaining skb->data contains the +return status. However, parameter data has previously been pulled in +hci_event_func(), which may leave the skb empty. If so, using skb->data[0] +for the return status uses un-init memory. + +The fix is to check skb->len before using skb->data. + +Reported-by: syzbot+a9a4bedfca6aa9d7fa24@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=a9a4bedfca6aa9d7fa24 +Tested-by: syzbot+a9a4bedfca6aa9d7fa24@syzkaller.appspotmail.com +Fixes: afcb3369f46ed ("Bluetooth: hci_event: Fix vendor (unknown) opcode status handling") +Signed-off-by: Raphael Pinsonneault-Thibeault +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_event.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index e516b169b12fb..f713a9a27e934 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -4224,6 +4224,13 @@ static void hci_cmd_complete_evt(struct hci_dev *hdev, void *data, + } + + if (i == ARRAY_SIZE(hci_cc_table)) { ++ if (!skb->len) { ++ bt_dev_err(hdev, "Unexpected cc 0x%4.4x with no status", ++ *opcode); ++ *status = HCI_ERROR_UNSPECIFIED; ++ return; ++ } ++ + /* Unknown opcode, assume byte 0 contains the status, so + * that e.g. __hci_cmd_sync() properly returns errors + * for vendor specific commands send by HCI drivers. +-- +2.51.0 + diff --git a/queue-6.1/bnxt_en-fix-a-possible-memory-leak-in-bnxt_ptp_init.patch b/queue-6.1/bnxt_en-fix-a-possible-memory-leak-in-bnxt_ptp_init.patch new file mode 100644 index 0000000000..397000d656 --- /dev/null +++ b/queue-6.1/bnxt_en-fix-a-possible-memory-leak-in-bnxt_ptp_init.patch @@ -0,0 +1,44 @@ +From 47001d33384a8437a87edd6210087dba333e91ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Nov 2025 16:56:56 -0800 +Subject: bnxt_en: Fix a possible memory leak in bnxt_ptp_init + +From: Kalesh AP + +[ Upstream commit deb8eb39164382f1f67ef8e8af9176baf5e10f2d ] + +In bnxt_ptp_init(), when ptp_clock_register() fails, the driver is +not freeing the memory allocated for ptp_info->pin_config. Fix it +to unconditionally free ptp_info->pin_config in bnxt_ptp_free(). + +Fixes: caf3eedbcd8d ("bnxt_en: 1PPS support for 5750X family chips") +Reviewed-by: Pavan Chebbi +Reviewed-by: Somnath Kotur +Signed-off-by: Kalesh AP +Signed-off-by: Michael Chan +Link: https://patch.msgid.link/20251104005700.542174-3-michael.chan@broadcom.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c +index ae734314f8de5..1c888d6c3aee8 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c +@@ -895,9 +895,9 @@ static void bnxt_ptp_free(struct bnxt *bp) + if (ptp->ptp_clock) { + ptp_clock_unregister(ptp->ptp_clock); + ptp->ptp_clock = NULL; +- kfree(ptp->ptp_info.pin_config); +- ptp->ptp_info.pin_config = NULL; + } ++ kfree(ptp->ptp_info.pin_config); ++ ptp->ptp_info.pin_config = NULL; + } + + int bnxt_ptp_init(struct bnxt *bp, bool phc_cfg) +-- +2.51.0 + diff --git a/queue-6.1/net-bridge-fix-mst-static-key-usage.patch b/queue-6.1/net-bridge-fix-mst-static-key-usage.patch new file mode 100644 index 0000000000..7c03edd8d7 --- /dev/null +++ b/queue-6.1/net-bridge-fix-mst-static-key-usage.patch @@ -0,0 +1,96 @@ +From ff4acd6931841b31468d6a0b3e6696cc1be828a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Nov 2025 13:19:19 +0200 +Subject: net: bridge: fix MST static key usage + +From: Nikolay Aleksandrov + +[ Upstream commit ee87c63f9b2a418f698d79c2991347e31a7d2c27 ] + +As Ido pointed out, the static key usage in MST is buggy and should use +inc/dec instead of enable/disable because we can have multiple bridges +with MST enabled which means a single bridge can disable MST for all. +Use static_branch_inc/dec to avoid that. When destroying a bridge decrement +the key if MST was enabled. + +Fixes: ec7328b59176 ("net: bridge: mst: Multiple Spanning Tree (MST) mode") +Reported-by: Ido Schimmel +Closes: https://lore.kernel.org/netdev/20251104120313.1306566-1-razor@blackwall.org/T/#m6888d87658f94ed1725433940f4f4ebb00b5a68b +Signed-off-by: Nikolay Aleksandrov +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20251105111919.1499702-3-razor@blackwall.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/bridge/br_if.c | 1 + + net/bridge/br_mst.c | 10 ++++++++-- + net/bridge/br_private.h | 5 +++++ + 3 files changed, 14 insertions(+), 2 deletions(-) + +diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c +index 0989074f316ef..42495d643a1bc 100644 +--- a/net/bridge/br_if.c ++++ b/net/bridge/br_if.c +@@ -386,6 +386,7 @@ void br_dev_delete(struct net_device *dev, struct list_head *head) + del_nbp(p); + } + ++ br_mst_uninit(br); + br_recalculate_neigh_suppress_enabled(br); + + br_fdb_delete_by_port(br, NULL, 0, 1); +diff --git a/net/bridge/br_mst.c b/net/bridge/br_mst.c +index 3f24b4ee49c27..43a300ae6bfaf 100644 +--- a/net/bridge/br_mst.c ++++ b/net/bridge/br_mst.c +@@ -22,6 +22,12 @@ bool br_mst_enabled(const struct net_device *dev) + } + EXPORT_SYMBOL_GPL(br_mst_enabled); + ++void br_mst_uninit(struct net_bridge *br) ++{ ++ if (br_opt_get(br, BROPT_MST_ENABLED)) ++ static_branch_dec(&br_mst_used); ++} ++ + int br_mst_get_info(const struct net_device *dev, u16 msti, unsigned long *vids) + { + const struct net_bridge_vlan_group *vg; +@@ -225,9 +231,9 @@ int br_mst_set_enabled(struct net_bridge *br, bool on, + return err; + + if (on) +- static_branch_enable(&br_mst_used); ++ static_branch_inc(&br_mst_used); + else +- static_branch_disable(&br_mst_used); ++ static_branch_dec(&br_mst_used); + + br_opt_toggle(br, BROPT_MST_ENABLED, on); + return 0; +diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h +index 372e9664b2cb8..901b9f609b0c7 100644 +--- a/net/bridge/br_private.h ++++ b/net/bridge/br_private.h +@@ -1821,6 +1821,7 @@ int br_mst_fill_info(struct sk_buff *skb, + const struct net_bridge_vlan_group *vg); + int br_mst_process(struct net_bridge_port *p, const struct nlattr *mst_attr, + struct netlink_ext_ack *extack); ++void br_mst_uninit(struct net_bridge *br); + #else + static inline bool br_mst_is_enabled(const struct net_bridge_port *p) + { +@@ -1856,6 +1857,10 @@ static inline int br_mst_process(struct net_bridge_port *p, + { + return -EOPNOTSUPP; + } ++ ++static inline void br_mst_uninit(struct net_bridge *br) ++{ ++} + #endif + + struct nf_br_ops { +-- +2.51.0 + diff --git a/queue-6.1/net-bridge-fix-use-after-free-due-to-mst-port-state-.patch b/queue-6.1/net-bridge-fix-use-after-free-due-to-mst-port-state-.patch new file mode 100644 index 0000000000..788815da0e --- /dev/null +++ b/queue-6.1/net-bridge-fix-use-after-free-due-to-mst-port-state-.patch @@ -0,0 +1,104 @@ +From c224e42f03e4a6c403f3b3b591b55366b4034715 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Nov 2025 13:19:18 +0200 +Subject: net: bridge: fix use-after-free due to MST port state bypass + +From: Nikolay Aleksandrov + +[ Upstream commit 8dca36978aa80bab9d4da130c211db75c9e00048 ] + +syzbot reported[1] a use-after-free when deleting an expired fdb. It is +due to a race condition between learning still happening and a port being +deleted, after all its fdbs have been flushed. The port's state has been +toggled to disabled so no learning should happen at that time, but if we +have MST enabled, it will bypass the port's state, that together with VLAN +filtering disabled can lead to fdb learning at a time when it shouldn't +happen while the port is being deleted. VLAN filtering must be disabled +because we flush the port VLANs when it's being deleted which will stop +learning. This fix adds a check for the port's vlan group which is +initialized to NULL when the port is getting deleted, that avoids the port +state bypass. When MST is enabled there would be a minimal new overhead +in the fast-path because the port's vlan group pointer is cache-hot. + +[1] https://syzkaller.appspot.com/bug?extid=dd280197f0f7ab3917be + +Fixes: ec7328b59176 ("net: bridge: mst: Multiple Spanning Tree (MST) mode") +Reported-by: syzbot+dd280197f0f7ab3917be@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/69088ffa.050a0220.29fc44.003d.GAE@google.com/ +Signed-off-by: Nikolay Aleksandrov +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20251105111919.1499702-2-razor@blackwall.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/bridge/br_forward.c | 2 +- + net/bridge/br_input.c | 4 ++-- + net/bridge/br_private.h | 8 +++++--- + 3 files changed, 8 insertions(+), 6 deletions(-) + +diff --git a/net/bridge/br_forward.c b/net/bridge/br_forward.c +index d3257c9bfa920..9a6a6c1c4ced3 100644 +--- a/net/bridge/br_forward.c ++++ b/net/bridge/br_forward.c +@@ -25,7 +25,7 @@ static inline int should_deliver(const struct net_bridge_port *p, + + vg = nbp_vlan_group_rcu(p); + return ((p->flags & BR_HAIRPIN_MODE) || skb->dev != p->dev) && +- (br_mst_is_enabled(p->br) || p->state == BR_STATE_FORWARDING) && ++ (br_mst_is_enabled(p) || p->state == BR_STATE_FORWARDING) && + br_allowed_egress(vg, skb) && nbp_switchdev_allowed_egress(p, skb) && + !br_skb_isolated(p, skb); + } +diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c +index b94a1783902ea..f11345720c275 100644 +--- a/net/bridge/br_input.c ++++ b/net/bridge/br_input.c +@@ -93,7 +93,7 @@ int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb + + br = p->br; + +- if (br_mst_is_enabled(br)) { ++ if (br_mst_is_enabled(p)) { + state = BR_STATE_FORWARDING; + } else { + if (p->state == BR_STATE_DISABLED) +@@ -393,7 +393,7 @@ static rx_handler_result_t br_handle_frame(struct sk_buff **pskb) + return RX_HANDLER_PASS; + + forward: +- if (br_mst_is_enabled(p->br)) ++ if (br_mst_is_enabled(p)) + goto defer_stp_filtering; + + switch (p->state) { +diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h +index 20c96cb406d5a..372e9664b2cb8 100644 +--- a/net/bridge/br_private.h ++++ b/net/bridge/br_private.h +@@ -1802,10 +1802,12 @@ static inline bool br_vlan_state_allowed(u8 state, bool learn_allow) + /* br_mst.c */ + #ifdef CONFIG_BRIDGE_VLAN_FILTERING + DECLARE_STATIC_KEY_FALSE(br_mst_used); +-static inline bool br_mst_is_enabled(struct net_bridge *br) ++static inline bool br_mst_is_enabled(const struct net_bridge_port *p) + { ++ /* check the port's vlan group to avoid racing with port deletion */ + return static_branch_unlikely(&br_mst_used) && +- br_opt_get(br, BROPT_MST_ENABLED); ++ br_opt_get(p->br, BROPT_MST_ENABLED) && ++ rcu_access_pointer(p->vlgrp); + } + + int br_mst_set_state(struct net_bridge_port *p, u16 msti, u8 state, +@@ -1820,7 +1822,7 @@ int br_mst_fill_info(struct sk_buff *skb, + int br_mst_process(struct net_bridge_port *p, const struct nlattr *mst_attr, + struct netlink_ext_ack *extack); + #else +-static inline bool br_mst_is_enabled(struct net_bridge *br) ++static inline bool br_mst_is_enabled(const struct net_bridge_port *p) + { + return false; + } +-- +2.51.0 + diff --git a/queue-6.1/net-dsa-b53-fix-enabling-ip-multicast.patch b/queue-6.1/net-dsa-b53-fix-enabling-ip-multicast.patch new file mode 100644 index 0000000000..5897b06351 --- /dev/null +++ b/queue-6.1/net-dsa-b53-fix-enabling-ip-multicast.patch @@ -0,0 +1,75 @@ +From 5300f0aaf5a10c5873726ebc083dd046c14aa8f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Nov 2025 11:07:56 +0100 +Subject: net: dsa: b53: fix enabling ip multicast + +From: Jonas Gorski + +[ Upstream commit c264294624e956a967a9e2e5fa41e3273340b089 ] + +In the New Control register bit 1 is either reserved, or has a different +function: + + Out of Range Error Discard + + When enabled, the ingress port discards any frames + if the Length field is between 1500 and 1536 + (excluding 1500 and 1536) and with good CRC. + +The actual bit for enabling IP multicast is bit 0, which was only +explicitly enabled for BCM5325 so far. + +For older switch chips, this bit defaults to 0, so we want to enable it +as well, while newer switch chips default to 1, and their documentation +says "It is illegal to set this bit to zero." + +So drop the wrong B53_IPMC_FWD_EN define, enable the IP multicast bit +also for other switch chips. While at it, rename it to (B53_)IP_MC as +that is how it is called in Broadcom code. + +Fixes: 63cc54a6f073 ("net: dsa: b53: Fix egress flooding settings") +Signed-off-by: Jonas Gorski +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20251102100758.28352-2-jonas.gorski@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 4 ++-- + drivers/net/dsa/b53/b53_regs.h | 3 +-- + 2 files changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index d5a1d26e8e3de..037e1c7e9f45c 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -349,11 +349,11 @@ static void b53_set_forwarding(struct b53_device *dev, int enable) + * frames should be flooded or not. + */ + b53_read8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, &mgmt); +- mgmt |= B53_UC_FWD_EN | B53_MC_FWD_EN | B53_IPMC_FWD_EN; ++ mgmt |= B53_UC_FWD_EN | B53_MC_FWD_EN | B53_IP_MC; + b53_write8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, mgmt); + } else { + b53_read8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, &mgmt); +- mgmt |= B53_IP_MCAST_25; ++ mgmt |= B53_IP_MC; + b53_write8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, mgmt); + } + } +diff --git a/drivers/net/dsa/b53/b53_regs.h b/drivers/net/dsa/b53/b53_regs.h +index 77fb7ae660b8c..95f70248c194d 100644 +--- a/drivers/net/dsa/b53/b53_regs.h ++++ b/drivers/net/dsa/b53/b53_regs.h +@@ -104,8 +104,7 @@ + + /* IP Multicast control (8 bit) */ + #define B53_IP_MULTICAST_CTRL 0x21 +-#define B53_IP_MCAST_25 BIT(0) +-#define B53_IPMC_FWD_EN BIT(1) ++#define B53_IP_MC BIT(0) + #define B53_UC_FWD_EN BIT(6) + #define B53_MC_FWD_EN BIT(7) + +-- +2.51.0 + diff --git a/queue-6.1/net-dsa-b53-fix-resetting-speed-and-pause-on-forced-.patch b/queue-6.1/net-dsa-b53-fix-resetting-speed-and-pause-on-forced-.patch new file mode 100644 index 0000000000..9d9ea0f8e7 --- /dev/null +++ b/queue-6.1/net-dsa-b53-fix-resetting-speed-and-pause-on-forced-.patch @@ -0,0 +1,64 @@ +From 2103718207015dc7ce617732d7a460a6827a4507 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Nov 2025 14:28:06 +0100 +Subject: net: dsa: b53: fix resetting speed and pause on forced link + +From: Jonas Gorski + +[ Upstream commit b6a8a5477fe9bd6be2b594a88f82f8bba41e6d54 ] + +There is no guarantee that the port state override registers have their +default values, as not all switches support being reset via register or +have a reset GPIO. + +So when forcing port config, we need to make sure to clear all fields, +which we currently do not do for the speed and flow control +configuration. This can cause flow control stay enabled, or in the case +of speed becoming an illegal value, e.g. configured for 1G (0x2), then +setting 100M (0x1), results in 0x3 which is invalid. + +For PORT_OVERRIDE_SPEED_2000M we need to make sure to only clear it on +supported chips, as the bit can have different meanings on other chips, +e.g. for BCM5389 this controls scanning PHYs for link/speed +configuration. + +Fixes: 5e004460f874 ("net: dsa: b53: Add helper to set link parameters") +Signed-off-by: Jonas Gorski +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20251101132807.50419-2-jonas.gorski@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index b0e283bc3efbc..d5a1d26e8e3de 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -1215,6 +1215,10 @@ static void b53_force_port_config(struct b53_device *dev, int port, + else + reg &= ~PORT_OVERRIDE_FULL_DUPLEX; + ++ reg &= ~(0x3 << GMII_PO_SPEED_S); ++ if (is5301x(dev) || is58xx(dev)) ++ reg &= ~PORT_OVERRIDE_SPEED_2000M; ++ + switch (speed) { + case 2000: + reg |= PORT_OVERRIDE_SPEED_2000M; +@@ -1233,6 +1237,11 @@ static void b53_force_port_config(struct b53_device *dev, int port, + return; + } + ++ if (is5325(dev)) ++ reg &= ~PORT_OVERRIDE_LP_FLOW_25; ++ else ++ reg &= ~(PORT_OVERRIDE_RX_FLOW | PORT_OVERRIDE_TX_FLOW); ++ + if (rx_pause) { + if (is5325(dev)) + reg |= PORT_OVERRIDE_LP_FLOW_25; +-- +2.51.0 + diff --git a/queue-6.1/net-dsa-b53-stop-reading-arl-entries-if-search-is-do.patch b/queue-6.1/net-dsa-b53-stop-reading-arl-entries-if-search-is-do.patch new file mode 100644 index 0000000000..14093bc12f --- /dev/null +++ b/queue-6.1/net-dsa-b53-stop-reading-arl-entries-if-search-is-do.patch @@ -0,0 +1,51 @@ +From 2609e8844ef127dbc50603c751c8f4b7f01a204b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Nov 2025 11:07:57 +0100 +Subject: net: dsa: b53: stop reading ARL entries if search is done + +From: Jonas Gorski + +[ Upstream commit 0be04b5fa62a82a9929ca261f6c9f64a3d0a28da ] + +The switch clears the ARL_SRCH_STDN bit when the search is done, i.e. it +finished traversing the ARL table. + +This means that there will be no valid result, so we should not attempt +to read and process any further entries. + +We only ever check the validity of the entries for 4 ARL bin chips, and +only after having passed the first entry to the b53_fdb_copy(). + +This means that we always pass an invalid entry at the end to the +b53_fdb_copy(). b53_fdb_copy() does check the validity though before +passing on the entry, so it never gets passed on. + +On < 4 ARL bin chips, we will even continue reading invalid entries +until we reach the result limit. + +Fixes: 1da6df85c6fb ("net: dsa: b53: Implement ARL add/del/dump operations") +Signed-off-by: Jonas Gorski +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20251102100758.28352-3-jonas.gorski@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index 037e1c7e9f45c..bdbb873fe6eb0 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -1785,7 +1785,7 @@ static int b53_arl_search_wait(struct b53_device *dev) + do { + b53_read8(dev, B53_ARLIO_PAGE, B53_ARL_SRCH_CTL, ®); + if (!(reg & ARL_SRCH_STDN)) +- return 0; ++ return -ENOENT; + + if (reg & ARL_SRCH_VLID) + return 0; +-- +2.51.0 + diff --git a/queue-6.1/net-dsa-microchip-fix-reserved-multicast-address-tab.patch b/queue-6.1/net-dsa-microchip-fix-reserved-multicast-address-tab.patch new file mode 100644 index 0000000000..4da79472b2 --- /dev/null +++ b/queue-6.1/net-dsa-microchip-fix-reserved-multicast-address-tab.patch @@ -0,0 +1,218 @@ +From a5884139a4f021f004df9538ed4c6e774387c27e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Nov 2025 19:37:41 -0800 +Subject: net: dsa: microchip: Fix reserved multicast address table programming +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tristram Ha + +[ Upstream commit 96baf482ca1f69f0da9d10a5bd8422c87ea9039e ] + +KSZ9477/KSZ9897 and LAN937X families of switches use a reserved multicast +address table for some specific forwarding with some multicast addresses, +like the one used in STP. The hardware assumes the host port is the last +port in KSZ9897 family and port 5 in LAN937X family. Most of the time +this assumption is correct but not in other cases like KSZ9477. +Originally the function just setups the first entry, but the others still +need update, especially for one common multicast address that is used by +PTP operation. + +LAN937x also uses different register bits when accessing the reserved +table. + +Fixes: 457c182af597 ("net: dsa: microchip: generic access to ksz9477 static and reserved table") +Signed-off-by: Tristram Ha +Tested-by: Łukasz Majewski +Link: https://patch.msgid.link/20251105033741.6455-1-Tristram.Ha@microchip.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/microchip/ksz9477.c | 98 +++++++++++++++++++++---- + drivers/net/dsa/microchip/ksz9477_reg.h | 3 +- + drivers/net/dsa/microchip/ksz_common.c | 4 + + drivers/net/dsa/microchip/ksz_common.h | 2 + + 4 files changed, 91 insertions(+), 16 deletions(-) + +diff --git a/drivers/net/dsa/microchip/ksz9477.c b/drivers/net/dsa/microchip/ksz9477.c +index b854ee425fcdd..d6e459fd7a00a 100644 +--- a/drivers/net/dsa/microchip/ksz9477.c ++++ b/drivers/net/dsa/microchip/ksz9477.c +@@ -1127,9 +1127,15 @@ void ksz9477_config_cpu_port(struct dsa_switch *ds) + } + } + ++#define RESV_MCAST_CNT 8 ++ ++static u8 reserved_mcast_map[RESV_MCAST_CNT] = { 0, 1, 3, 16, 32, 33, 2, 17 }; ++ + int ksz9477_enable_stp_addr(struct ksz_device *dev) + { ++ u8 i, ports, update; + const u32 *masks; ++ bool override; + u32 data; + int ret; + +@@ -1138,23 +1144,87 @@ int ksz9477_enable_stp_addr(struct ksz_device *dev) + /* Enable Reserved multicast table */ + ksz_cfg(dev, REG_SW_LUE_CTRL_0, SW_RESV_MCAST_ENABLE, true); + +- /* Set the Override bit for forwarding BPDU packet to CPU */ +- ret = ksz_write32(dev, REG_SW_ALU_VAL_B, +- ALU_V_OVERRIDE | BIT(dev->cpu_port)); +- if (ret < 0) +- return ret; ++ /* The reserved multicast address table has 8 entries. Each entry has ++ * a default value of which port to forward. It is assumed the host ++ * port is the last port in most of the switches, but that is not the ++ * case for KSZ9477 or maybe KSZ9897. For LAN937X family the default ++ * port is port 5, the first RGMII port. It is okay for LAN9370, a ++ * 5-port switch, but may not be correct for the other 8-port ++ * versions. It is necessary to update the whole table to forward to ++ * the right ports. ++ * Furthermore PTP messages can use a reserved multicast address and ++ * the host will not receive them if this table is not correct. ++ */ ++ for (i = 0; i < RESV_MCAST_CNT; i++) { ++ data = reserved_mcast_map[i] << ++ dev->info->shifts[ALU_STAT_INDEX]; ++ data |= ALU_STAT_START | ++ masks[ALU_STAT_DIRECT] | ++ masks[ALU_RESV_MCAST_ADDR] | ++ masks[ALU_STAT_READ]; ++ ret = ksz_write32(dev, REG_SW_ALU_STAT_CTRL__4, data); ++ if (ret < 0) ++ return ret; + +- data = ALU_STAT_START | ALU_RESV_MCAST_ADDR | masks[ALU_STAT_WRITE]; ++ /* wait to be finished */ ++ ret = ksz9477_wait_alu_sta_ready(dev); ++ if (ret < 0) ++ return ret; + +- ret = ksz_write32(dev, REG_SW_ALU_STAT_CTRL__4, data); +- if (ret < 0) +- return ret; ++ ret = ksz_read32(dev, REG_SW_ALU_VAL_B, &data); ++ if (ret < 0) ++ return ret; + +- /* wait to be finished */ +- ret = ksz9477_wait_alu_sta_ready(dev); +- if (ret < 0) { +- dev_err(dev->dev, "Failed to update Reserved Multicast table\n"); +- return ret; ++ override = false; ++ ports = data & dev->port_mask; ++ switch (i) { ++ case 0: ++ case 6: ++ /* Change the host port. */ ++ update = BIT(dev->cpu_port); ++ override = true; ++ break; ++ case 2: ++ /* Change the host port. */ ++ update = BIT(dev->cpu_port); ++ break; ++ case 4: ++ case 5: ++ case 7: ++ /* Skip the host port. */ ++ update = dev->port_mask & ~BIT(dev->cpu_port); ++ break; ++ default: ++ update = ports; ++ break; ++ } ++ if (update != ports || override) { ++ data &= ~dev->port_mask; ++ data |= update; ++ /* Set Override bit to receive frame even when port is ++ * closed. ++ */ ++ if (override) ++ data |= ALU_V_OVERRIDE; ++ ret = ksz_write32(dev, REG_SW_ALU_VAL_B, data); ++ if (ret < 0) ++ return ret; ++ ++ data = reserved_mcast_map[i] << ++ dev->info->shifts[ALU_STAT_INDEX]; ++ data |= ALU_STAT_START | ++ masks[ALU_STAT_DIRECT] | ++ masks[ALU_RESV_MCAST_ADDR] | ++ masks[ALU_STAT_WRITE]; ++ ret = ksz_write32(dev, REG_SW_ALU_STAT_CTRL__4, data); ++ if (ret < 0) ++ return ret; ++ ++ /* wait to be finished */ ++ ret = ksz9477_wait_alu_sta_ready(dev); ++ if (ret < 0) ++ return ret; ++ } + } + + return 0; +diff --git a/drivers/net/dsa/microchip/ksz9477_reg.h b/drivers/net/dsa/microchip/ksz9477_reg.h +index ffb9484018ed5..600dbf2ba4b1f 100644 +--- a/drivers/net/dsa/microchip/ksz9477_reg.h ++++ b/drivers/net/dsa/microchip/ksz9477_reg.h +@@ -2,7 +2,7 @@ + /* + * Microchip KSZ9477 register definitions + * +- * Copyright (C) 2017-2024 Microchip Technology Inc. ++ * Copyright (C) 2017-2025 Microchip Technology Inc. + */ + + #ifndef __KSZ9477_REGS_H +@@ -422,7 +422,6 @@ + + #define ALU_RESV_MCAST_INDEX_M (BIT(6) - 1) + #define ALU_STAT_START BIT(7) +-#define ALU_RESV_MCAST_ADDR BIT(1) + + #define REG_SW_ALU_VAL_A 0x0420 + +diff --git a/drivers/net/dsa/microchip/ksz_common.c b/drivers/net/dsa/microchip/ksz_common.c +index 9dbe188f09c3c..aa10131f80f95 100644 +--- a/drivers/net/dsa/microchip/ksz_common.c ++++ b/drivers/net/dsa/microchip/ksz_common.c +@@ -392,6 +392,8 @@ static const u16 ksz9477_regs[] = { + static const u32 ksz9477_masks[] = { + [ALU_STAT_WRITE] = 0, + [ALU_STAT_READ] = 1, ++ [ALU_STAT_DIRECT] = 0, ++ [ALU_RESV_MCAST_ADDR] = BIT(1), + [P_MII_TX_FLOW_CTRL] = BIT(5), + [P_MII_RX_FLOW_CTRL] = BIT(3), + }; +@@ -419,6 +421,8 @@ static const u8 ksz9477_xmii_ctrl1[] = { + static const u32 lan937x_masks[] = { + [ALU_STAT_WRITE] = 1, + [ALU_STAT_READ] = 2, ++ [ALU_STAT_DIRECT] = BIT(3), ++ [ALU_RESV_MCAST_ADDR] = BIT(2), + [P_MII_TX_FLOW_CTRL] = BIT(5), + [P_MII_RX_FLOW_CTRL] = BIT(3), + }; +diff --git a/drivers/net/dsa/microchip/ksz_common.h b/drivers/net/dsa/microchip/ksz_common.h +index a3a7a90dad967..b35c98adbfcbd 100644 +--- a/drivers/net/dsa/microchip/ksz_common.h ++++ b/drivers/net/dsa/microchip/ksz_common.h +@@ -225,6 +225,8 @@ enum ksz_masks { + DYNAMIC_MAC_TABLE_TIMESTAMP, + ALU_STAT_WRITE, + ALU_STAT_READ, ++ ALU_STAT_DIRECT, ++ ALU_RESV_MCAST_ADDR, + P_MII_TX_FLOW_CTRL, + P_MII_RX_FLOW_CTRL, + }; +-- +2.51.0 + diff --git a/queue-6.1/net-dsa-tag_brcm-legacy-fix-untagged-rx-on-unbridged.patch b/queue-6.1/net-dsa-tag_brcm-legacy-fix-untagged-rx-on-unbridged.patch new file mode 100644 index 0000000000..67a364ccc6 --- /dev/null +++ b/queue-6.1/net-dsa-tag_brcm-legacy-fix-untagged-rx-on-unbridged.patch @@ -0,0 +1,77 @@ +From a913f19c43211e4de506ca1ca044630140a6dca0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Oct 2025 20:46:21 +0100 +Subject: net: dsa: tag_brcm: legacy: fix untagged rx on unbridged ports for + bcm63xx + +From: Jonas Gorski + +[ Upstream commit 3d18a84eddde169d6dbf3c72cc5358b988c347d0 ] + +The internal switch on BCM63XX SoCs will unconditionally add 802.1Q VLAN +tags on egress to CPU when 802.1Q mode is enabled. We do this +unconditionally since commit ed409f3bbaa5 ("net: dsa: b53: Configure +VLANs while not filtering"). + +This is fine for VLAN aware bridges, but for standalone ports and vlan +unaware bridges this means all packets are tagged with the default VID, +which is 0. + +While the kernel will treat that like untagged, this can break userspace +applications processing raw packets, expecting untagged traffic, like +STP daemons. + +This also breaks several bridge tests, where the tcpdump output then +does not match the expected output anymore. + +Since 0 isn't a valid VID, just strip out the VLAN tag if we encounter +it, unless the priority field is set, since that would be a valid tag +again. + +Fixes: 964dbf186eaa ("net: dsa: tag_brcm: add support for legacy tags") +Signed-off-by: Jonas Gorski +Reviewed-by: Vladimir Oltean +Link: https://patch.msgid.link/20251027194621.133301-1-jonas.gorski@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/dsa/tag_brcm.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/net/dsa/tag_brcm.c b/net/dsa/tag_brcm.c +index 04b57534fe4de..cd07ae440d69d 100644 +--- a/net/dsa/tag_brcm.c ++++ b/net/dsa/tag_brcm.c +@@ -251,12 +251,14 @@ static struct sk_buff *brcm_leg_tag_rcv(struct sk_buff *skb, + { + int len = BRCM_LEG_TAG_LEN; + int source_port; ++ __be16 *proto; + u8 *brcm_tag; + + if (unlikely(!pskb_may_pull(skb, BRCM_LEG_TAG_LEN + VLAN_HLEN))) + return NULL; + + brcm_tag = dsa_etype_header_pos_rx(skb); ++ proto = (__be16 *)(brcm_tag + BRCM_LEG_TAG_LEN); + + source_port = brcm_tag[5] & BRCM_LEG_PORT_ID; + +@@ -264,8 +266,12 @@ static struct sk_buff *brcm_leg_tag_rcv(struct sk_buff *skb, + if (!skb->dev) + return NULL; + +- /* VLAN tag is added by BCM63xx internal switch */ +- if (netdev_uses_dsa(skb->dev)) ++ /* The internal switch in BCM63XX SoCs always tags on egress on the CPU ++ * port. We use VID 0 internally for untagged traffic, so strip the tag ++ * if the TCI field is all 0, and keep it otherwise to also retain ++ * e.g. 802.1p tagged packets. ++ */ ++ if (proto[0] == htons(ETH_P_8021Q) && proto[1] == 0) + len += VLAN_HLEN; + + /* Remove Broadcom tag and update checksum */ +-- +2.51.0 + diff --git a/queue-6.1/net-mlx5e-shampo-fix-skb-size-check-for-64k-pages.patch b/queue-6.1/net-mlx5e-shampo-fix-skb-size-check-for-64k-pages.patch new file mode 100644 index 0000000000..358088d043 --- /dev/null +++ b/queue-6.1/net-mlx5e-shampo-fix-skb-size-check-for-64k-pages.patch @@ -0,0 +1,56 @@ +From d56b011332d992ffed68eddd904d9cc727d1cd39 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Nov 2025 08:48:34 +0200 +Subject: net/mlx5e: SHAMPO, Fix skb size check for 64K pages + +From: Dragos Tatulea + +[ Upstream commit bacd8d80181ebe34b599a39aa26bf73a44c91e55 ] + +mlx5e_hw_gro_skb_has_enough_space() uses a formula to check if there is +enough space in the skb frags to store more data. This formula is +incorrect for 64K page sizes and it triggers early GRO session +termination because the first fragment will blow up beyond +GRO_LEGACY_MAX_SIZE. + +This patch adds a special case for page sizes >= GRO_LEGACY_MAX_SIZE +(64K) which uses the skb->len instead. Within this context, +the check is safe from fragment overflow because the hardware +will continuously fill the data up to the reservation size of 64K +and the driver will coalesce all data from the same page to the same +fragment. This means that the data will span one fragment or at most +two for such a large page size. + +It is expected that the if statement will be optimized out as the +check is done with constants. + +Fixes: 92552d3abd32 ("net/mlx5e: HW_GRO cqe handler implementation") +Signed-off-by: Dragos Tatulea +Signed-off-by: Tariq Toukan +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/1762238915-1027590-3-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c +index 2768eab89eada..75934d0f144cc 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c +@@ -2056,7 +2056,10 @@ mlx5e_hw_gro_skb_has_enough_space(struct sk_buff *skb, u16 data_bcnt) + { + int nr_frags = skb_shinfo(skb)->nr_frags; + +- return PAGE_SIZE * nr_frags + data_bcnt <= GRO_LEGACY_MAX_SIZE; ++ if (PAGE_SIZE >= GRO_LEGACY_MAX_SIZE) ++ return skb->len + data_bcnt <= GRO_LEGACY_MAX_SIZE; ++ else ++ return PAGE_SIZE * nr_frags + data_bcnt <= GRO_LEGACY_MAX_SIZE; + } + + static void +-- +2.51.0 + diff --git a/queue-6.1/net-usb-qmi_wwan-initialize-mac-header-offset-in-qmi.patch b/queue-6.1/net-usb-qmi_wwan-initialize-mac-header-offset-in-qmi.patch new file mode 100644 index 0000000000..a9cc859817 --- /dev/null +++ b/queue-6.1/net-usb-qmi_wwan-initialize-mac-header-offset-in-qmi.patch @@ -0,0 +1,70 @@ +From 9dabbe3fe1b2e66d66f89ebd4127f4ccff7d42dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Oct 2025 08:57:44 +0100 +Subject: net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup + +From: Qendrim Maxhuni + +[ Upstream commit e120f46768d98151ece8756ebd688b0e43dc8b29 ] + +Raw IP packets have no MAC header, leaving skb->mac_header uninitialized. +This can trigger kernel panics on ARM64 when xfrm or other subsystems +access the offset due to strict alignment checks. + +Initialize the MAC header to prevent such crashes. + +This can trigger kernel panics on ARM when running IPsec over the +qmimux0 interface. + +Example trace: + + Internal error: Oops: 000000009600004f [#1] SMP + CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.34-gbe78e49cb433 #1 + Hardware name: LS1028A RDB Board (DT) + pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : xfrm_input+0xde8/0x1318 + lr : xfrm_input+0x61c/0x1318 + sp : ffff800080003b20 + Call trace: + xfrm_input+0xde8/0x1318 + xfrm6_rcv+0x38/0x44 + xfrm6_esp_rcv+0x48/0xa8 + ip6_protocol_deliver_rcu+0x94/0x4b0 + ip6_input_finish+0x44/0x70 + ip6_input+0x44/0xc0 + ipv6_rcv+0x6c/0x114 + __netif_receive_skb_one_core+0x5c/0x8c + __netif_receive_skb+0x18/0x60 + process_backlog+0x78/0x17c + __napi_poll+0x38/0x180 + net_rx_action+0x168/0x2f0 + +Fixes: c6adf77953bc ("net: usb: qmi_wwan: add qmap mux protocol support") +Signed-off-by: Qendrim Maxhuni +Link: https://patch.msgid.link/20251029075744.105113-1-qendrim.maxhuni@garderos.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/qmi_wwan.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index 28fd36234311a..e4d8041861a24 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -191,6 +191,12 @@ static int qmimux_rx_fixup(struct usbnet *dev, struct sk_buff *skb) + if (!skbn) + return 0; + ++ /* Raw IP packets don't have a MAC header, but other subsystems ++ * (like xfrm) may still access MAC header offsets, so they must ++ * be initialized. ++ */ ++ skb_reset_mac_header(skbn); ++ + switch (skb->data[offset + qmimux_hdr_sz] & 0xf0) { + case 0x40: + skbn->protocol = htons(ETH_P_IP); +-- +2.51.0 + diff --git a/queue-6.1/net-vlan-sync-vlan-features-with-lower-device.patch b/queue-6.1/net-vlan-sync-vlan-features-with-lower-device.patch new file mode 100644 index 0000000000..be9a69cbed --- /dev/null +++ b/queue-6.1/net-vlan-sync-vlan-features-with-lower-device.patch @@ -0,0 +1,44 @@ +From 718a002b2ed40fd4bb02c3cb4a68968d0d79d0c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Oct 2025 07:35:39 +0000 +Subject: net: vlan: sync VLAN features with lower device + +From: Hangbin Liu + +[ Upstream commit c211f5d7cbd5cb34489d526648bb9c8ecc907dee ] + +After registering a VLAN device and setting its feature flags, we need to +synchronize the VLAN features with the lower device. For example, the VLAN +device does not have the NETIF_F_LRO flag, it should be synchronized with +the lower device based on the NETIF_F_UPPER_DISABLES definition. + +As the dev->vlan_features has changed, we need to call +netdev_update_features(). The caller must run after netdev_upper_dev_link() +links the lower devices, so this patch adds the netdev_update_features() +call in register_vlan_dev(). + +Fixes: fd867d51f889 ("net/core: generic support for disabling netdev features down stack") +Signed-off-by: Hangbin Liu +Link: https://patch.msgid.link/20251030073539.133779-1-liuhangbin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/8021q/vlan.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c +index 422f726346ea5..7c77482f31594 100644 +--- a/net/8021q/vlan.c ++++ b/net/8021q/vlan.c +@@ -194,6 +194,8 @@ int register_vlan_dev(struct net_device *dev, struct netlink_ext_ack *extack) + vlan_group_set_device(grp, vlan->vlan_proto, vlan_id, dev); + grp->nr_vlan_devs++; + ++ netdev_update_features(dev); ++ + return 0; + + out_unregister_netdev: +-- +2.51.0 + diff --git a/queue-6.1/netdevsim-add-makefile-for-selftests.patch b/queue-6.1/netdevsim-add-makefile-for-selftests.patch new file mode 100644 index 0000000000..5814b810df --- /dev/null +++ b/queue-6.1/netdevsim-add-makefile-for-selftests.patch @@ -0,0 +1,61 @@ +From c7e8335594e5fa2135e42f3e82f05a03eadbb5a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Jan 2024 13:46:20 -0800 +Subject: netdevsim: add Makefile for selftests + +From: David Wei + +[ Upstream commit 8ff25dac88f616ebebb30830e3a20f079d7a30c9 ] + +Add a Makefile for netdevsim selftests and add selftests path to +MAINTAINERS + +Signed-off-by: David Wei +Link: https://lore.kernel.org/r/20240130214620.3722189-5-dw@davidwei.uk +Signed-off-by: Jakub Kicinski +Stable-dep-of: d01f8136d46b ("selftests: netdevsim: Fix ethtool-coalesce.sh fail by installing ethtool-common.sh") +Signed-off-by: Sasha Levin +--- + MAINTAINERS | 1 + + .../selftests/drivers/net/netdevsim/Makefile | 17 +++++++++++++++++ + 2 files changed, 18 insertions(+) + create mode 100644 tools/testing/selftests/drivers/net/netdevsim/Makefile + +diff --git a/MAINTAINERS b/MAINTAINERS +index 428b2259225dd..9ed8ee40a2176 100644 +--- a/MAINTAINERS ++++ b/MAINTAINERS +@@ -14221,6 +14221,7 @@ NETDEVSIM + M: Jakub Kicinski + S: Maintained + F: drivers/net/netdevsim/* ++F: tools/testing/selftests/drivers/net/netdevsim/* + + NETEM NETWORK EMULATOR + M: Stephen Hemminger +diff --git a/tools/testing/selftests/drivers/net/netdevsim/Makefile b/tools/testing/selftests/drivers/net/netdevsim/Makefile +new file mode 100644 +index 0000000000000..7a29a05bea8bc +--- /dev/null ++++ b/tools/testing/selftests/drivers/net/netdevsim/Makefile +@@ -0,0 +1,17 @@ ++# SPDX-License-Identifier: GPL-2.0+ OR MIT ++ ++TEST_PROGS = devlink.sh \ ++ devlink_in_netns.sh \ ++ devlink_trap.sh \ ++ ethtool-coalesce.sh \ ++ ethtool-fec.sh \ ++ ethtool-pause.sh \ ++ ethtool-ring.sh \ ++ fib.sh \ ++ hw_stats_l3.sh \ ++ nexthop.sh \ ++ psample.sh \ ++ tc-mq-visibility.sh \ ++ udp_tunnel_nic.sh \ ++ ++include ../../../lib.mk +-- +2.51.0 + diff --git a/queue-6.1/sctp-hold-rcu-read-lock-while-iterating-over-address.patch b/queue-6.1/sctp-hold-rcu-read-lock-while-iterating-over-address.patch new file mode 100644 index 0000000000..95f9f44c8f --- /dev/null +++ b/queue-6.1/sctp-hold-rcu-read-lock-while-iterating-over-address.patch @@ -0,0 +1,104 @@ +From 9e77572385ff588395d9e9641199eca2b23c33a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Oct 2025 17:12:26 +0100 +Subject: sctp: Hold RCU read lock while iterating over address list + +From: Stefan Wiehler + +[ Upstream commit 38f50242bf0f237cdc262308d624d333286ec3c5 ] + +With CONFIG_PROVE_RCU_LIST=y and by executing + + $ netcat -l --sctp & + $ netcat --sctp localhost & + $ ss --sctp + +one can trigger the following Lockdep-RCU splat(s): + + WARNING: suspicious RCU usage + 6.18.0-rc1-00093-g7f864458e9a6 #5 Not tainted + ----------------------------- + net/sctp/diag.c:76 RCU-list traversed in non-reader section!! + + other info that might help us debug this: + + rcu_scheduler_active = 2, debug_locks = 1 + 2 locks held by ss/215: + #0: ffff9c740828bec0 (nlk_cb_mutex-SOCK_DIAG){+.+.}-{4:4}, at: __netlink_dump_start+0x84/0x2b0 + #1: ffff9c7401d72cd0 (sk_lock-AF_INET6){+.+.}-{0:0}, at: sctp_sock_dump+0x38/0x200 + + stack backtrace: + CPU: 0 UID: 0 PID: 215 Comm: ss Not tainted 6.18.0-rc1-00093-g7f864458e9a6 #5 PREEMPT(voluntary) + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 + Call Trace: + + dump_stack_lvl+0x5d/0x90 + lockdep_rcu_suspicious.cold+0x4e/0xa3 + inet_sctp_diag_fill.isra.0+0x4b1/0x5d0 + sctp_sock_dump+0x131/0x200 + sctp_transport_traverse_process+0x170/0x1b0 + ? __pfx_sctp_sock_filter+0x10/0x10 + ? __pfx_sctp_sock_dump+0x10/0x10 + sctp_diag_dump+0x103/0x140 + __inet_diag_dump+0x70/0xb0 + netlink_dump+0x148/0x490 + __netlink_dump_start+0x1f3/0x2b0 + inet_diag_handler_cmd+0xcd/0x100 + ? __pfx_inet_diag_dump_start+0x10/0x10 + ? __pfx_inet_diag_dump+0x10/0x10 + ? __pfx_inet_diag_dump_done+0x10/0x10 + sock_diag_rcv_msg+0x18e/0x320 + ? __pfx_sock_diag_rcv_msg+0x10/0x10 + netlink_rcv_skb+0x4d/0x100 + netlink_unicast+0x1d7/0x2b0 + netlink_sendmsg+0x203/0x450 + ____sys_sendmsg+0x30c/0x340 + ___sys_sendmsg+0x94/0xf0 + __sys_sendmsg+0x83/0xf0 + do_syscall_64+0xbb/0x390 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + ... + + +Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file") +Signed-off-by: Stefan Wiehler +Reviewed-by: Kuniyuki Iwashima +Acked-by: Xin Long +Link: https://patch.msgid.link/20251028161506.3294376-2-stefan.wiehler@nokia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/diag.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/sctp/diag.c b/net/sctp/diag.c +index b0ce1080842d4..31cf52026202b 100644 +--- a/net/sctp/diag.c ++++ b/net/sctp/diag.c +@@ -73,19 +73,23 @@ static int inet_diag_msg_sctpladdrs_fill(struct sk_buff *skb, + struct nlattr *attr; + void *info = NULL; + ++ rcu_read_lock(); + list_for_each_entry_rcu(laddr, address_list, list) + addrcnt++; ++ rcu_read_unlock(); + + attr = nla_reserve(skb, INET_DIAG_LOCALS, addrlen * addrcnt); + if (!attr) + return -EMSGSIZE; + + info = nla_data(attr); ++ rcu_read_lock(); + list_for_each_entry_rcu(laddr, address_list, list) { + memcpy(info, &laddr->a, sizeof(laddr->a)); + memset(info + sizeof(laddr->a), 0, addrlen - sizeof(laddr->a)); + info += addrlen; + } ++ rcu_read_unlock(); + + return 0; + } +-- +2.51.0 + diff --git a/queue-6.1/sctp-hold-sock-lock-while-iterating-over-address-lis.patch b/queue-6.1/sctp-hold-sock-lock-while-iterating-over-address-lis.patch new file mode 100644 index 0000000000..90520c2d47 --- /dev/null +++ b/queue-6.1/sctp-hold-sock-lock-while-iterating-over-address-lis.patch @@ -0,0 +1,66 @@ +From 04ff5f87ace33419a31ab944b8805a1231c28828 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Oct 2025 17:12:28 +0100 +Subject: sctp: Hold sock lock while iterating over address list + +From: Stefan Wiehler + +[ Upstream commit f1fc201148c7e684c10a72b6a3375597f28d1ef6 ] + +Move address list traversal in inet_assoc_attr_size() under the sock +lock to avoid holding the RCU read lock. + +Suggested-by: Xin Long +Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file") +Signed-off-by: Stefan Wiehler +Acked-by: Xin Long +Link: https://patch.msgid.link/20251028161506.3294376-4-stefan.wiehler@nokia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/diag.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/net/sctp/diag.c b/net/sctp/diag.c +index 3631a32d96b07..2cf5ee7a698e2 100644 +--- a/net/sctp/diag.c ++++ b/net/sctp/diag.c +@@ -230,14 +230,15 @@ struct sctp_comm_param { + bool net_admin; + }; + +-static size_t inet_assoc_attr_size(struct sctp_association *asoc) ++static size_t inet_assoc_attr_size(struct sock *sk, ++ struct sctp_association *asoc) + { + int addrlen = sizeof(struct sockaddr_storage); + int addrcnt = 0; + struct sctp_sockaddr_entry *laddr; + + list_for_each_entry_rcu(laddr, &asoc->base.bind_addr.address_list, +- list) ++ list, lockdep_sock_is_held(sk)) + addrcnt++; + + return nla_total_size(sizeof(struct sctp_info)) +@@ -263,11 +264,14 @@ static int sctp_sock_dump_one(struct sctp_endpoint *ep, struct sctp_transport *t + if (err) + return err; + +- rep = nlmsg_new(inet_assoc_attr_size(assoc), GFP_KERNEL); +- if (!rep) ++ lock_sock(sk); ++ ++ rep = nlmsg_new(inet_assoc_attr_size(sk, assoc), GFP_KERNEL); ++ if (!rep) { ++ release_sock(sk); + return -ENOMEM; ++ } + +- lock_sock(sk); + if (ep != assoc->ep) { + err = -EAGAIN; + goto out; +-- +2.51.0 + diff --git a/queue-6.1/sctp-prevent-toctou-out-of-bounds-write.patch b/queue-6.1/sctp-prevent-toctou-out-of-bounds-write.patch new file mode 100644 index 0000000000..fd030924c5 --- /dev/null +++ b/queue-6.1/sctp-prevent-toctou-out-of-bounds-write.patch @@ -0,0 +1,45 @@ +From 9282331bd646ecf3146df9d2ab7be9384f51cd32 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Oct 2025 17:12:27 +0100 +Subject: sctp: Prevent TOCTOU out-of-bounds write + +From: Stefan Wiehler + +[ Upstream commit 95aef86ab231f047bb8085c70666059b58f53c09 ] + +For the following path not holding the sock lock, + + sctp_diag_dump() -> sctp_for_each_endpoint() -> sctp_ep_dump() + +make sure not to exceed bounds in case the address list has grown +between buffer allocation (time-of-check) and write (time-of-use). + +Suggested-by: Kuniyuki Iwashima +Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file") +Signed-off-by: Stefan Wiehler +Reviewed-by: Kuniyuki Iwashima +Acked-by: Xin Long +Link: https://patch.msgid.link/20251028161506.3294376-3-stefan.wiehler@nokia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/diag.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/sctp/diag.c b/net/sctp/diag.c +index 31cf52026202b..3631a32d96b07 100644 +--- a/net/sctp/diag.c ++++ b/net/sctp/diag.c +@@ -88,6 +88,9 @@ static int inet_diag_msg_sctpladdrs_fill(struct sk_buff *skb, + memcpy(info, &laddr->a, sizeof(laddr->a)); + memset(info + sizeof(laddr->a), 0, addrlen - sizeof(laddr->a)); + info += addrlen; ++ ++ if (!--addrcnt) ++ break; + } + rcu_read_unlock(); + +-- +2.51.0 + diff --git a/queue-6.1/selftests-net-fix-gro-coalesce-test-and-add-ext-head.patch b/queue-6.1/selftests-net-fix-gro-coalesce-test-and-add-ext-head.patch new file mode 100644 index 0000000000..2732dd16db --- /dev/null +++ b/queue-6.1/selftests-net-fix-gro-coalesce-test-and-add-ext-head.patch @@ -0,0 +1,200 @@ +From df060764ad2009b4b2784ed8b96a04adadec86ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Jan 2024 15:48:35 +0100 +Subject: selftests/net: fix GRO coalesce test and add ext header coalesce + tests + +From: Richard Gobert + +[ Upstream commit 4e321d590cec6053cb3c566413794706035ee638 ] + +Currently there is no test which checks that IPv6 extension header packets +successfully coalesce. This commit adds a test, which verifies two IPv6 +packets with HBH extension headers do coalesce, and another test which +checks that packets with different extension header data do not coalesce +in GRO. + +I changed the receive socket filter to accept a packet with one extension +header. This change exposed a bug in the fragment test -- the old BPF did +not accept the fragment packet. I updated correct_num_packets in the +fragment test accordingly. + +Signed-off-by: Richard Gobert +Reviewed-by: Willem de Bruijn +Link: https://lore.kernel.org/r/69282fed-2415-47e8-b3d3-34939ec3eb56@gmail.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: f8e8486702ab ("selftests/net: use destination options instead of hop-by-hop") +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/gro.c | 93 +++++++++++++++++++++++++++++-- + 1 file changed, 87 insertions(+), 6 deletions(-) + +diff --git a/tools/testing/selftests/net/gro.c b/tools/testing/selftests/net/gro.c +index ad7b07084ca24..9c6f5b4033c37 100644 +--- a/tools/testing/selftests/net/gro.c ++++ b/tools/testing/selftests/net/gro.c +@@ -71,6 +71,12 @@ + #define MAX_PAYLOAD (IP_MAXPACKET - sizeof(struct tcphdr) - sizeof(struct ipv6hdr)) + #define NUM_LARGE_PKT (MAX_PAYLOAD / MSS) + #define MAX_HDR_LEN (ETH_HLEN + sizeof(struct ipv6hdr) + sizeof(struct tcphdr)) ++#define MIN_EXTHDR_SIZE 8 ++#define EXT_PAYLOAD_1 "\x00\x00\x00\x00\x00\x00" ++#define EXT_PAYLOAD_2 "\x11\x11\x11\x11\x11\x11" ++ ++#define ipv6_optlen(p) (((p)->hdrlen+1) << 3) /* calculate IPv6 extension header len */ ++#define BUILD_BUG_ON(condition) ((void)sizeof(char[1 - 2*!!(condition)])) + + static const char *addr6_src = "fdaa::2"; + static const char *addr6_dst = "fdaa::1"; +@@ -104,7 +110,7 @@ static void setup_sock_filter(int fd) + const int dport_off = tcp_offset + offsetof(struct tcphdr, dest); + const int ethproto_off = offsetof(struct ethhdr, h_proto); + int optlen = 0; +- int ipproto_off; ++ int ipproto_off, opt_ipproto_off; + int next_off; + + if (proto == PF_INET) +@@ -116,14 +122,30 @@ static void setup_sock_filter(int fd) + if (strcmp(testname, "ip") == 0) { + if (proto == PF_INET) + optlen = sizeof(struct ip_timestamp); +- else +- optlen = sizeof(struct ip6_frag); ++ else { ++ BUILD_BUG_ON(sizeof(struct ip6_hbh) > MIN_EXTHDR_SIZE); ++ BUILD_BUG_ON(sizeof(struct ip6_dest) > MIN_EXTHDR_SIZE); ++ BUILD_BUG_ON(sizeof(struct ip6_frag) > MIN_EXTHDR_SIZE); ++ ++ /* same size for HBH and Fragment extension header types */ ++ optlen = MIN_EXTHDR_SIZE; ++ opt_ipproto_off = ETH_HLEN + sizeof(struct ipv6hdr) ++ + offsetof(struct ip6_ext, ip6e_nxt); ++ } + } + ++ /* this filter validates the following: ++ * - packet is IPv4/IPv6 according to the running test. ++ * - packet is TCP. Also handles the case of one extension header and then TCP. ++ * - checks the packet tcp dport equals to DPORT. Also handles the case of one ++ * extension header and then TCP. ++ */ + struct sock_filter filter[] = { + BPF_STMT(BPF_LD + BPF_H + BPF_ABS, ethproto_off), +- BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, ntohs(ethhdr_proto), 0, 7), ++ BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, ntohs(ethhdr_proto), 0, 9), + BPF_STMT(BPF_LD + BPF_B + BPF_ABS, ipproto_off), ++ BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, IPPROTO_TCP, 2, 0), ++ BPF_STMT(BPF_LD + BPF_B + BPF_ABS, opt_ipproto_off), + BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, IPPROTO_TCP, 0, 5), + BPF_STMT(BPF_LD + BPF_H + BPF_ABS, dport_off), + BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, DPORT, 2, 0), +@@ -576,6 +598,39 @@ static void add_ipv4_ts_option(void *buf, void *optpkt) + iph->check = checksum_fold(iph, sizeof(struct iphdr) + optlen, 0); + } + ++static void add_ipv6_exthdr(void *buf, void *optpkt, __u8 exthdr_type, char *ext_payload) ++{ ++ struct ipv6_opt_hdr *exthdr = (struct ipv6_opt_hdr *)(optpkt + tcp_offset); ++ struct ipv6hdr *iph = (struct ipv6hdr *)(optpkt + ETH_HLEN); ++ char *exthdr_payload_start = (char *)(exthdr + 1); ++ ++ exthdr->hdrlen = 0; ++ exthdr->nexthdr = IPPROTO_TCP; ++ ++ memcpy(exthdr_payload_start, ext_payload, MIN_EXTHDR_SIZE - sizeof(*exthdr)); ++ ++ memcpy(optpkt, buf, tcp_offset); ++ memcpy(optpkt + tcp_offset + MIN_EXTHDR_SIZE, buf + tcp_offset, ++ sizeof(struct tcphdr) + PAYLOAD_LEN); ++ ++ iph->nexthdr = exthdr_type; ++ iph->payload_len = htons(ntohs(iph->payload_len) + MIN_EXTHDR_SIZE); ++} ++ ++static void send_ipv6_exthdr(int fd, struct sockaddr_ll *daddr, char *ext_data1, char *ext_data2) ++{ ++ static char buf[MAX_HDR_LEN + PAYLOAD_LEN]; ++ static char exthdr_pck[sizeof(buf) + MIN_EXTHDR_SIZE]; ++ ++ create_packet(buf, 0, 0, PAYLOAD_LEN, 0); ++ add_ipv6_exthdr(buf, exthdr_pck, IPPROTO_HOPOPTS, ext_data1); ++ write_packet(fd, exthdr_pck, total_hdr_len + PAYLOAD_LEN + MIN_EXTHDR_SIZE, daddr); ++ ++ create_packet(buf, PAYLOAD_LEN * 1, 0, PAYLOAD_LEN, 0); ++ add_ipv6_exthdr(buf, exthdr_pck, IPPROTO_HOPOPTS, ext_data2); ++ write_packet(fd, exthdr_pck, total_hdr_len + PAYLOAD_LEN + MIN_EXTHDR_SIZE, daddr); ++} ++ + /* IPv4 options shouldn't coalesce */ + static void send_ip_options(int fd, struct sockaddr_ll *daddr) + { +@@ -697,7 +752,7 @@ static void send_fragment6(int fd, struct sockaddr_ll *daddr) + create_packet(buf, PAYLOAD_LEN * i, 0, PAYLOAD_LEN, 0); + write_packet(fd, buf, bufpkt_len, daddr); + } +- ++ sleep(1); + create_packet(buf, PAYLOAD_LEN * 2, 0, PAYLOAD_LEN, 0); + memset(extpkt, 0, extpkt_len); + +@@ -760,6 +815,7 @@ static void check_recv_pkts(int fd, int *correct_payload, + vlog("}, Total %d packets\nReceived {", correct_num_pkts); + + while (1) { ++ ip_ext_len = 0; + pkt_size = recv(fd, buffer, IP_MAXPACKET + ETH_HLEN + 1, 0); + if (pkt_size < 0) + error(1, errno, "could not receive"); +@@ -767,7 +823,7 @@ static void check_recv_pkts(int fd, int *correct_payload, + if (iph->version == 4) + ip_ext_len = (iph->ihl - 5) * 4; + else if (ip6h->version == 6 && ip6h->nexthdr != IPPROTO_TCP) +- ip_ext_len = sizeof(struct ip6_frag); ++ ip_ext_len = MIN_EXTHDR_SIZE; + + tcph = (struct tcphdr *)(buffer + tcp_offset + ip_ext_len); + +@@ -888,7 +944,21 @@ static void gro_sender(void) + sleep(1); + write_packet(txfd, fin_pkt, total_hdr_len, &daddr); + } else if (proto == PF_INET6) { ++ sleep(1); + send_fragment6(txfd, &daddr); ++ sleep(1); ++ write_packet(txfd, fin_pkt, total_hdr_len, &daddr); ++ ++ sleep(1); ++ /* send IPv6 packets with ext header with same payload */ ++ send_ipv6_exthdr(txfd, &daddr, EXT_PAYLOAD_1, EXT_PAYLOAD_1); ++ sleep(1); ++ write_packet(txfd, fin_pkt, total_hdr_len, &daddr); ++ ++ sleep(1); ++ /* send IPv6 packets with ext header with different payload */ ++ send_ipv6_exthdr(txfd, &daddr, EXT_PAYLOAD_1, EXT_PAYLOAD_2); ++ sleep(1); + write_packet(txfd, fin_pkt, total_hdr_len, &daddr); + } + } else if (strcmp(testname, "large") == 0) { +@@ -1005,6 +1075,17 @@ static void gro_receiver(void) + */ + printf("fragmented ip6 doesn't coalesce: "); + correct_payload[0] = PAYLOAD_LEN * 2; ++ correct_payload[1] = PAYLOAD_LEN; ++ correct_payload[2] = PAYLOAD_LEN; ++ check_recv_pkts(rxfd, correct_payload, 3); ++ ++ printf("ipv6 with ext header does coalesce: "); ++ correct_payload[0] = PAYLOAD_LEN * 2; ++ check_recv_pkts(rxfd, correct_payload, 1); ++ ++ printf("ipv6 with ext header with different payloads doesn't coalesce: "); ++ correct_payload[0] = PAYLOAD_LEN; ++ correct_payload[1] = PAYLOAD_LEN; + check_recv_pkts(rxfd, correct_payload, 2); + } + } else if (strcmp(testname, "large") == 0) { +-- +2.51.0 + diff --git a/queue-6.1/selftests-net-fix-out-of-order-delivery-of-fin-in-gr.patch b/queue-6.1/selftests-net-fix-out-of-order-delivery-of-fin-in-gr.patch new file mode 100644 index 0000000000..dc4b7c6ee1 --- /dev/null +++ b/queue-6.1/selftests-net-fix-out-of-order-delivery-of-fin-in-gr.patch @@ -0,0 +1,66 @@ +From c5ab978908bd07d7aa3027c97ee404d8548419f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Oct 2025 06:28:18 +0000 +Subject: selftests/net: fix out-of-order delivery of FIN in gro:tcp test + +From: Anubhav Singh + +[ Upstream commit 02d064de05b1fcca769391fa82d205bed8bb9bf0 ] + +Due to the gro_sender sending data packets and FIN packets +in very quick succession, these are received almost simultaneously +by the gro_receiver. FIN packets are sometimes processed before the +data packets leading to intermittent (~1/100) test failures. + +This change adds a delay of 100ms before sending FIN packets +in gro:tcp test to avoid the out-of-order delivery. The same +mitigation already exists for the gro:ip test. + +Fixes: 7d1575014a63 ("selftests/net: GRO coalesce test") +Reviewed-by: Willem de Bruijn +Signed-off-by: Anubhav Singh +Link: https://patch.msgid.link/20251030062818.1562228-1-anubhavsinggh@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/gro.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/tools/testing/selftests/net/gro.c b/tools/testing/selftests/net/gro.c +index 30024d0ed3739..ad7b07084ca24 100644 +--- a/tools/testing/selftests/net/gro.c ++++ b/tools/testing/selftests/net/gro.c +@@ -802,6 +802,7 @@ static void check_recv_pkts(int fd, int *correct_payload, + + static void gro_sender(void) + { ++ const int fin_delay_us = 100 * 1000; + static char fin_pkt[MAX_HDR_LEN]; + struct sockaddr_ll daddr = {}; + int txfd = -1; +@@ -845,15 +846,22 @@ static void gro_sender(void) + write_packet(txfd, fin_pkt, total_hdr_len, &daddr); + } else if (strcmp(testname, "tcp") == 0) { + send_changed_checksum(txfd, &daddr); ++ /* Adding sleep before sending FIN so that it is not ++ * received prior to other packets. ++ */ ++ usleep(fin_delay_us); + write_packet(txfd, fin_pkt, total_hdr_len, &daddr); + + send_changed_seq(txfd, &daddr); ++ usleep(fin_delay_us); + write_packet(txfd, fin_pkt, total_hdr_len, &daddr); + + send_changed_ts(txfd, &daddr); ++ usleep(fin_delay_us); + write_packet(txfd, fin_pkt, total_hdr_len, &daddr); + + send_diff_opt(txfd, &daddr); ++ usleep(fin_delay_us); + write_packet(txfd, fin_pkt, total_hdr_len, &daddr); + } else if (strcmp(testname, "ip") == 0) { + send_changed_ECN(txfd, &daddr); +-- +2.51.0 + diff --git a/queue-6.1/selftests-net-use-destination-options-instead-of-hop.patch b/queue-6.1/selftests-net-use-destination-options-instead-of-hop.patch new file mode 100644 index 0000000000..4f9ec17f97 --- /dev/null +++ b/queue-6.1/selftests-net-use-destination-options-instead-of-hop.patch @@ -0,0 +1,58 @@ +From 9a59365115d3fa56e624ecbe8704bab9a9de9dfa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Oct 2025 06:04:36 +0000 +Subject: selftests/net: use destination options instead of hop-by-hop + +From: Anubhav Singh + +[ Upstream commit f8e8486702abb05b8c734093aab1606af0eac068 ] + +The GRO self-test, gro.c, currently constructs IPv6 packets containing a +Hop-by-Hop Options header (IPPROTO_HOPOPTS) to ensure the GRO path +correctly handles IPv6 extension headers. + +However, network elements may be configured to drop packets with the +Hop-by-Hop Options header (HBH). This causes the self-test to fail +in environments where such network elements are present. + +To improve the robustness and reliability of this test in diverse +network environments, switch from using IPPROTO_HOPOPTS to +IPPROTO_DSTOPTS (Destination Options). + +The Destination Options header is less likely to be dropped by +intermediate routers and still serves the core purpose of the test: +validating GRO's handling of an IPv6 extension header. This change +ensures the test can execute successfully without being incorrectly +failed by network policies outside the kernel's control. + +Fixes: 7d1575014a63 ("selftests/net: GRO coalesce test") +Reviewed-by: Willem de Bruijn +Signed-off-by: Anubhav Singh +Link: https://patch.msgid.link/20251030060436.1556664-1-anubhavsinggh@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/gro.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/net/gro.c b/tools/testing/selftests/net/gro.c +index 9c6f5b4033c37..8dd6857e52cb5 100644 +--- a/tools/testing/selftests/net/gro.c ++++ b/tools/testing/selftests/net/gro.c +@@ -623,11 +623,11 @@ static void send_ipv6_exthdr(int fd, struct sockaddr_ll *daddr, char *ext_data1, + static char exthdr_pck[sizeof(buf) + MIN_EXTHDR_SIZE]; + + create_packet(buf, 0, 0, PAYLOAD_LEN, 0); +- add_ipv6_exthdr(buf, exthdr_pck, IPPROTO_HOPOPTS, ext_data1); ++ add_ipv6_exthdr(buf, exthdr_pck, IPPROTO_DSTOPTS, ext_data1); + write_packet(fd, exthdr_pck, total_hdr_len + PAYLOAD_LEN + MIN_EXTHDR_SIZE, daddr); + + create_packet(buf, PAYLOAD_LEN * 1, 0, PAYLOAD_LEN, 0); +- add_ipv6_exthdr(buf, exthdr_pck, IPPROTO_HOPOPTS, ext_data2); ++ add_ipv6_exthdr(buf, exthdr_pck, IPPROTO_DSTOPTS, ext_data2); + write_packet(fd, exthdr_pck, total_hdr_len + PAYLOAD_LEN + MIN_EXTHDR_SIZE, daddr); + } + +-- +2.51.0 + diff --git a/queue-6.1/selftests-netdevsim-fix-ethtool-coalesce.sh-fail-by-.patch b/queue-6.1/selftests-netdevsim-fix-ethtool-coalesce.sh-fail-by-.patch new file mode 100644 index 0000000000..307439f369 --- /dev/null +++ b/queue-6.1/selftests-netdevsim-fix-ethtool-coalesce.sh-fail-by-.patch @@ -0,0 +1,60 @@ +From 31231d2edf22f709fadb12bfbd945979328277e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Oct 2025 12:03:40 +0800 +Subject: selftests: netdevsim: Fix ethtool-coalesce.sh fail by installing + ethtool-common.sh + +From: Wang Liang + +[ Upstream commit d01f8136d46b925798abcf86b35a4021e4cfb8bb ] + +The script "ethtool-common.sh" is not installed in INSTALL_PATH, and +triggers some errors when I try to run the test +'drivers/net/netdevsim/ethtool-coalesce.sh': + + TAP version 13 + 1..1 + # timeout set to 600 + # selftests: drivers/net/netdevsim: ethtool-coalesce.sh + # ./ethtool-coalesce.sh: line 4: ethtool-common.sh: No such file or directory + # ./ethtool-coalesce.sh: line 25: make_netdev: command not found + # ethtool: bad command line argument(s) + # ./ethtool-coalesce.sh: line 124: check: command not found + # ./ethtool-coalesce.sh: line 126: [: -eq: unary operator expected + # FAILED /0 checks + not ok 1 selftests: drivers/net/netdevsim: ethtool-coalesce.sh # exit=1 + +Install this file to avoid this error. After this patch: + + TAP version 13 + 1..1 + # timeout set to 600 + # selftests: drivers/net/netdevsim: ethtool-coalesce.sh + # PASSED all 22 checks + ok 1 selftests: drivers/net/netdevsim: ethtool-coalesce.sh + +Fixes: fbb8531e58bd ("selftests: extract common functions in ethtool-common.sh") +Signed-off-by: Wang Liang +Link: https://patch.msgid.link/20251030040340.3258110-1-wangliang74@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/drivers/net/netdevsim/Makefile | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/tools/testing/selftests/drivers/net/netdevsim/Makefile b/tools/testing/selftests/drivers/net/netdevsim/Makefile +index 7a29a05bea8bc..50932e13cb5a8 100644 +--- a/tools/testing/selftests/drivers/net/netdevsim/Makefile ++++ b/tools/testing/selftests/drivers/net/netdevsim/Makefile +@@ -14,4 +14,8 @@ TEST_PROGS = devlink.sh \ + tc-mq-visibility.sh \ + udp_tunnel_nic.sh \ + ++TEST_FILES := \ ++ ethtool-common.sh ++# end of TEST_FILES ++ + include ../../../lib.mk +-- +2.51.0 + diff --git a/queue-6.1/series b/queue-6.1/series index 5743afbebc..323b56c6c0 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -302,3 +302,24 @@ asoc-meson-aiu-encoder-i2s-fix-bit-clock-polarity.patch ceph-add-checking-of-wait_for_completion_killable-re.patch alsa-hda-realtek-audio-disappears-on-hp-15-fc000-aft.patch revert-wifi-ath10k-avoid-unnecessary-wait-for-service-ready-message.patch +bluetooth-hci_event-validate-skb-length-for-unknown-.patch +net-dsa-tag_brcm-legacy-fix-untagged-rx-on-unbridged.patch +selftests-net-fix-out-of-order-delivery-of-fin-in-gr.patch +selftests-net-fix-gro-coalesce-test-and-add-ext-head.patch +selftests-net-use-destination-options-instead-of-hop.patch +netdevsim-add-makefile-for-selftests.patch +selftests-netdevsim-fix-ethtool-coalesce.sh-fail-by-.patch +net-vlan-sync-vlan-features-with-lower-device.patch +net-dsa-b53-fix-resetting-speed-and-pause-on-forced-.patch +net-dsa-b53-fix-enabling-ip-multicast.patch +net-dsa-b53-stop-reading-arl-entries-if-search-is-do.patch +sctp-hold-rcu-read-lock-while-iterating-over-address.patch +sctp-prevent-toctou-out-of-bounds-write.patch +sctp-hold-sock-lock-while-iterating-over-address-lis.patch +net-usb-qmi_wwan-initialize-mac-header-offset-in-qmi.patch +bnxt_en-fix-a-possible-memory-leak-in-bnxt_ptp_init.patch +net-mlx5e-shampo-fix-skb-size-check-for-64k-pages.patch +net-dsa-microchip-fix-reserved-multicast-address-tab.patch +net-bridge-fix-use-after-free-due-to-mst-port-state-.patch +net-bridge-fix-mst-static-key-usage.patch +tracing-fix-memory-leaks-in-create_field_var.patch diff --git a/queue-6.1/tracing-fix-memory-leaks-in-create_field_var.patch b/queue-6.1/tracing-fix-memory-leaks-in-create_field_var.patch new file mode 100644 index 0000000000..a2ffbfa90f --- /dev/null +++ b/queue-6.1/tracing-fix-memory-leaks-in-create_field_var.patch @@ -0,0 +1,53 @@ +From cd31a260961511a4fd13da0c2565cce95abb6cc6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Nov 2025 12:01:32 +0000 +Subject: tracing: Fix memory leaks in create_field_var() + +From: Zilin Guan + +[ Upstream commit 80f0d631dcc76ee1b7755bfca1d8417d91d71414 ] + +The function create_field_var() allocates memory for 'val' through +create_hist_field() inside parse_atom(), and for 'var' through +create_var(), which in turn allocates var->type and var->var.name +internally. Simply calling kfree() to release these structures will +result in memory leaks. + +Use destroy_hist_field() to properly free 'val', and explicitly release +the memory of var->type and var->var.name before freeing 'var' itself. + +Link: https://patch.msgid.link/20251106120132.3639920-1-zilin@seu.edu.cn +Fixes: 02205a6752f22 ("tracing: Add support for 'field variables'") +Signed-off-by: Zilin Guan +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_events_hist.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c +index c53be68bcd111..31d60758053d1 100644 +--- a/kernel/trace/trace_events_hist.c ++++ b/kernel/trace/trace_events_hist.c +@@ -3210,14 +3210,16 @@ static struct field_var *create_field_var(struct hist_trigger_data *hist_data, + var = create_var(hist_data, file, field_name, val->size, val->type); + if (IS_ERR(var)) { + hist_err(tr, HIST_ERR_VAR_CREATE_FIND_FAIL, errpos(field_name)); +- kfree(val); ++ destroy_hist_field(val, 0); + ret = PTR_ERR(var); + goto err; + } + + field_var = kzalloc(sizeof(struct field_var), GFP_KERNEL); + if (!field_var) { +- kfree(val); ++ destroy_hist_field(val, 0); ++ kfree_const(var->type); ++ kfree(var->var.name); + kfree(var); + ret = -ENOMEM; + goto err; +-- +2.51.0 + diff --git a/queue-6.12/bluetooth-btrtl-fix-memory-leak-in-rtlbt_parse_firmw.patch b/queue-6.12/bluetooth-btrtl-fix-memory-leak-in-rtlbt_parse_firmw.patch new file mode 100644 index 0000000000..1f67c151aa --- /dev/null +++ b/queue-6.12/bluetooth-btrtl-fix-memory-leak-in-rtlbt_parse_firmw.patch @@ -0,0 +1,39 @@ +From 97e9fc133fcfd4ab5220f96e88d34e3ca206ebae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Oct 2025 23:26:30 +0530 +Subject: Bluetooth: btrtl: Fix memory leak in rtlbt_parse_firmware_v2() + +From: Abdun Nihaal + +[ Upstream commit 1c21cf89a66413eb04b2d22c955b7a50edc14dfa ] + +The memory allocated for ptr using kvmalloc() is not freed on the last +error path. Fix that by freeing it on that error path. + +Fixes: 9a24ce5e29b1 ("Bluetooth: btrtl: Firmware format v2 support") +Signed-off-by: Abdun Nihaal +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btrtl.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/bluetooth/btrtl.c b/drivers/bluetooth/btrtl.c +index 59eb948664223..c4431c5976b40 100644 +--- a/drivers/bluetooth/btrtl.c ++++ b/drivers/bluetooth/btrtl.c +@@ -625,8 +625,10 @@ static int rtlbt_parse_firmware_v2(struct hci_dev *hdev, + len += entry->len; + } + +- if (!len) ++ if (!len) { ++ kvfree(ptr); + return -EPERM; ++ } + + *_buf = ptr; + return len; +-- +2.51.0 + diff --git a/queue-6.12/bluetooth-hci_event-validate-skb-length-for-unknown-.patch b/queue-6.12/bluetooth-hci_event-validate-skb-length-for-unknown-.patch new file mode 100644 index 0000000000..6674e13534 --- /dev/null +++ b/queue-6.12/bluetooth-hci_event-validate-skb-length-for-unknown-.patch @@ -0,0 +1,49 @@ +From ad7a1a445b8077dd1eef04414b768214eee44d74 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Oct 2025 12:29:10 -0400 +Subject: Bluetooth: hci_event: validate skb length for unknown CC opcode + +From: Raphael Pinsonneault-Thibeault + +[ Upstream commit 5c5f1f64681cc889d9b13e4a61285e9e029d6ab5 ] + +In hci_cmd_complete_evt(), if the command complete event has an unknown +opcode, we assume the first byte of the remaining skb->data contains the +return status. However, parameter data has previously been pulled in +hci_event_func(), which may leave the skb empty. If so, using skb->data[0] +for the return status uses un-init memory. + +The fix is to check skb->len before using skb->data. + +Reported-by: syzbot+a9a4bedfca6aa9d7fa24@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=a9a4bedfca6aa9d7fa24 +Tested-by: syzbot+a9a4bedfca6aa9d7fa24@syzkaller.appspotmail.com +Fixes: afcb3369f46ed ("Bluetooth: hci_event: Fix vendor (unknown) opcode status handling") +Signed-off-by: Raphael Pinsonneault-Thibeault +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_event.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index ccc73742de356..498b7e4c76d59 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -4210,6 +4210,13 @@ static void hci_cmd_complete_evt(struct hci_dev *hdev, void *data, + } + + if (i == ARRAY_SIZE(hci_cc_table)) { ++ if (!skb->len) { ++ bt_dev_err(hdev, "Unexpected cc 0x%4.4x with no status", ++ *opcode); ++ *status = HCI_ERROR_UNSPECIFIED; ++ return; ++ } ++ + /* Unknown opcode, assume byte 0 contains the status, so + * that e.g. __hci_cmd_sync() properly returns errors + * for vendor specific commands send by HCI drivers. +-- +2.51.0 + diff --git a/queue-6.12/bnxt_en-add-a-force-parameter-to-bnxt_free_ctx_mem.patch b/queue-6.12/bnxt_en-add-a-force-parameter-to-bnxt_free_ctx_mem.patch new file mode 100644 index 0000000000..1e4b1936e2 --- /dev/null +++ b/queue-6.12/bnxt_en-add-a-force-parameter-to-bnxt_free_ctx_mem.patch @@ -0,0 +1,196 @@ +From 5646ca2f441fe326cc33615d30ece7ff0594cfc5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Nov 2024 07:14:30 -0800 +Subject: bnxt_en: Add a 'force' parameter to bnxt_free_ctx_mem() + +From: Hongguang Gao + +[ Upstream commit 46010d43ab7b18fbc8a3a0bf4d65c775f8d2adbd ] + +If 'force' is false, it will keep the memory pages and all data +structures for the context memory type if the memory is valid. + +This patch always passes true for the 'force' parameter so there is +no change in behavior. Later patches will adjust the 'force' parameter +for the FW log context memory types so that the logs will not be reset +after FW reset. + +Signed-off-by: Hongguang Gao +Signed-off-by: Michael Chan +Link: https://patch.msgid.link/20241115151438.550106-5-michael.chan@broadcom.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: 5204943a4c6e ("bnxt_en: Fix warning in bnxt_dl_reload_down()") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 44 ++++++++++++------- + drivers/net/ethernet/broadcom/bnxt/bnxt.h | 2 +- + .../net/ethernet/broadcom/bnxt/bnxt_devlink.c | 2 +- + 3 files changed, 29 insertions(+), 19 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index 5409ad3cee192..a3491b8383f5a 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -8340,7 +8340,7 @@ static int bnxt_hwrm_func_backing_store_qcaps_v2(struct bnxt *bp) + { + struct hwrm_func_backing_store_qcaps_v2_output *resp; + struct hwrm_func_backing_store_qcaps_v2_input *req; +- struct bnxt_ctx_mem_info *ctx; ++ struct bnxt_ctx_mem_info *ctx = bp->ctx; + u16 type; + int rc; + +@@ -8348,10 +8348,12 @@ static int bnxt_hwrm_func_backing_store_qcaps_v2(struct bnxt *bp) + if (rc) + return rc; + +- ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); +- if (!ctx) +- return -ENOMEM; +- bp->ctx = ctx; ++ if (!ctx) { ++ ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); ++ if (!ctx) ++ return -ENOMEM; ++ bp->ctx = ctx; ++ } + + resp = hwrm_req_hold(bp, req); + +@@ -8400,7 +8402,8 @@ static int bnxt_hwrm_func_backing_store_qcaps(struct bnxt *bp) + struct hwrm_func_backing_store_qcaps_input *req; + int rc; + +- if (bp->hwrm_spec_code < 0x10902 || BNXT_VF(bp) || bp->ctx) ++ if (bp->hwrm_spec_code < 0x10902 || BNXT_VF(bp) || ++ (bp->ctx && bp->ctx->flags & BNXT_CTX_FLAG_INITED)) + return 0; + + if (bp->fw_cap & BNXT_FW_CAP_BACKING_STORE_V2) +@@ -8873,11 +8876,16 @@ static int bnxt_backing_store_cfg_v2(struct bnxt *bp, u32 ena) + } + + static void bnxt_free_one_ctx_mem(struct bnxt *bp, +- struct bnxt_ctx_mem_type *ctxm) ++ struct bnxt_ctx_mem_type *ctxm, bool force) + { + struct bnxt_ctx_pg_info *ctx_pg; + int i, n = 1; + ++ ctxm->last = 0; ++ ++ if (ctxm->mem_valid && !force) ++ return; ++ + ctx_pg = ctxm->pg_info; + if (ctx_pg) { + if (ctxm->instance_bmap) +@@ -8891,7 +8899,7 @@ static void bnxt_free_one_ctx_mem(struct bnxt *bp, + } + } + +-void bnxt_free_ctx_mem(struct bnxt *bp) ++void bnxt_free_ctx_mem(struct bnxt *bp, bool force) + { + struct bnxt_ctx_mem_info *ctx = bp->ctx; + u16 type; +@@ -8900,11 +8908,13 @@ void bnxt_free_ctx_mem(struct bnxt *bp) + return; + + for (type = 0; type < BNXT_CTX_V2_MAX; type++) +- bnxt_free_one_ctx_mem(bp, &ctx->ctx_arr[type]); ++ bnxt_free_one_ctx_mem(bp, &ctx->ctx_arr[type], force); + + ctx->flags &= ~BNXT_CTX_FLAG_INITED; +- kfree(ctx); +- bp->ctx = NULL; ++ if (force) { ++ kfree(ctx); ++ bp->ctx = NULL; ++ } + } + + static int bnxt_alloc_ctx_mem(struct bnxt *bp) +@@ -11933,7 +11943,7 @@ static int bnxt_hwrm_if_change(struct bnxt *bp, bool up) + set_bit(BNXT_STATE_FW_RESET_DET, &bp->state); + if (!test_bit(BNXT_STATE_IN_FW_RESET, &bp->state)) + bnxt_ulp_irq_stop(bp); +- bnxt_free_ctx_mem(bp); ++ bnxt_free_ctx_mem(bp, true); + bnxt_dcb_free(bp); + rc = bnxt_fw_init_one(bp); + if (rc) { +@@ -13657,7 +13667,7 @@ static void bnxt_fw_reset_close(struct bnxt *bp) + bnxt_hwrm_func_drv_unrgtr(bp); + if (pci_is_enabled(bp->pdev)) + pci_disable_device(bp->pdev); +- bnxt_free_ctx_mem(bp); ++ bnxt_free_ctx_mem(bp, true); + } + + static bool is_bnxt_fw_ok(struct bnxt *bp) +@@ -15553,7 +15563,7 @@ static void bnxt_remove_one(struct pci_dev *pdev) + kfree(bp->fw_health); + bp->fw_health = NULL; + bnxt_cleanup_pci(bp); +- bnxt_free_ctx_mem(bp); ++ bnxt_free_ctx_mem(bp, true); + bnxt_free_crash_dump_mem(bp); + kfree(bp->rss_indir_tbl); + bp->rss_indir_tbl = NULL; +@@ -16195,7 +16205,7 @@ static int bnxt_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) + kfree(bp->fw_health); + bp->fw_health = NULL; + bnxt_cleanup_pci(bp); +- bnxt_free_ctx_mem(bp); ++ bnxt_free_ctx_mem(bp, true); + bnxt_free_crash_dump_mem(bp); + kfree(bp->rss_indir_tbl); + bp->rss_indir_tbl = NULL; +@@ -16251,7 +16261,7 @@ static int bnxt_suspend(struct device *device) + bnxt_hwrm_func_drv_unrgtr(bp); + bnxt_ptp_clear(bp); + pci_disable_device(bp->pdev); +- bnxt_free_ctx_mem(bp); ++ bnxt_free_ctx_mem(bp, true); + rtnl_unlock(); + return rc; + } +@@ -16367,7 +16377,7 @@ static pci_ers_result_t bnxt_io_error_detected(struct pci_dev *pdev, + + if (pci_is_enabled(pdev)) + pci_disable_device(pdev); +- bnxt_free_ctx_mem(bp); ++ bnxt_free_ctx_mem(bp, true); + rtnl_unlock(); + + /* Request a slot slot reset. */ +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.h b/drivers/net/ethernet/broadcom/bnxt/bnxt.h +index d4e63bf599666..37bb9091bf771 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h +@@ -2828,7 +2828,7 @@ int bnxt_hwrm_vnic_alloc(struct bnxt *bp, struct bnxt_vnic_info *vnic, + int __bnxt_hwrm_get_tx_rings(struct bnxt *bp, u16 fid, int *tx_rings); + int bnxt_nq_rings_in_use(struct bnxt *bp); + int bnxt_hwrm_set_coal(struct bnxt *); +-void bnxt_free_ctx_mem(struct bnxt *bp); ++void bnxt_free_ctx_mem(struct bnxt *bp, bool force); + int bnxt_num_tx_to_cp(struct bnxt *bp, int tx); + unsigned int bnxt_get_max_func_stat_ctxs(struct bnxt *bp); + unsigned int bnxt_get_avail_stat_ctxs_for_en(struct bnxt *bp); +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.c +index 4cb0fabf977e3..901fd36757ed6 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.c +@@ -463,7 +463,7 @@ static int bnxt_dl_reload_down(struct devlink *dl, bool netns_change, + break; + } + bnxt_cancel_reservations(bp, false); +- bnxt_free_ctx_mem(bp); ++ bnxt_free_ctx_mem(bp, true); + break; + } + case DEVLINK_RELOAD_ACTION_FW_ACTIVATE: { +-- +2.51.0 + diff --git a/queue-6.12/bnxt_en-add-mem_valid-bit-to-struct-bnxt_ctx_mem_typ.patch b/queue-6.12/bnxt_en-add-mem_valid-bit-to-struct-bnxt_ctx_mem_typ.patch new file mode 100644 index 0000000000..dd9914fe0a --- /dev/null +++ b/queue-6.12/bnxt_en-add-mem_valid-bit-to-struct-bnxt_ctx_mem_typ.patch @@ -0,0 +1,73 @@ +From 9ec759e1fe899a412f028ce89299f66d856a2c45 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Nov 2024 07:14:28 -0800 +Subject: bnxt_en: Add mem_valid bit to struct bnxt_ctx_mem_type + +From: Shruti Parab + +[ Upstream commit 0b350b4927e69d66629099dbb32cad8d2d56a26d ] + +Add a new bit to struct bnxt_ctx_mem_type to indicate that host +memory has been successfully allocated for this context memory type. +In the next patches, we'll be adding some additional context memory +types for FW debugging/logging. If memory cannot be allocated for +any of these new types, we will not abort and the cleared mem_valid +bit will indicate to skip configuring the memory type. + +Reviewed-by: Hongguang Gao +Signed-off-by: Shruti Parab +Signed-of-by: Michael Chan +Link: https://patch.msgid.link/20241115151438.550106-3-michael.chan@broadcom.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: 5204943a4c6e ("bnxt_en: Fix warning in bnxt_dl_reload_down()") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 5 +++++ + drivers/net/ethernet/broadcom/bnxt/bnxt.h | 1 + + 2 files changed, 6 insertions(+) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index 30d8e8b34dfb9..abf8984ac5e20 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -8791,6 +8791,8 @@ static int bnxt_setup_ctxm_pg_tbls(struct bnxt *bp, + rc = bnxt_alloc_ctx_pg_tbls(bp, &ctx_pg[i], mem_size, pg_lvl, + ctxm->init_value ? ctxm : NULL); + } ++ if (!rc) ++ ctxm->mem_valid = 1; + return rc; + } + +@@ -8861,6 +8863,8 @@ static int bnxt_backing_store_cfg_v2(struct bnxt *bp, u32 ena) + for (type = 0 ; type < BNXT_CTX_V2_MAX; type++) { + ctxm = &ctx->ctx_arr[type]; + ++ if (!ctxm->mem_valid) ++ continue; + rc = bnxt_hwrm_func_backing_store_cfg_v2(bp, ctxm, ctxm->last); + if (rc) + return rc; +@@ -8890,6 +8894,7 @@ void bnxt_free_ctx_mem(struct bnxt *bp) + + kfree(ctx_pg); + ctxm->pg_info = NULL; ++ ctxm->mem_valid = 0; + } + + ctx->flags &= ~BNXT_CTX_FLAG_INITED; +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.h b/drivers/net/ethernet/broadcom/bnxt/bnxt.h +index cb934f175a3e4..d4e63bf599666 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h +@@ -1892,6 +1892,7 @@ struct bnxt_ctx_mem_type { + u32 max_entries; + u32 min_entries; + u8 last:1; ++ u8 mem_valid:1; + u8 split_entry_cnt; + #define BNXT_MAX_SPLIT_ENTRY 4 + union { +-- +2.51.0 + diff --git a/queue-6.12/bnxt_en-fix-a-possible-memory-leak-in-bnxt_ptp_init.patch b/queue-6.12/bnxt_en-fix-a-possible-memory-leak-in-bnxt_ptp_init.patch new file mode 100644 index 0000000000..f75611c01a --- /dev/null +++ b/queue-6.12/bnxt_en-fix-a-possible-memory-leak-in-bnxt_ptp_init.patch @@ -0,0 +1,44 @@ +From 7719e3605644f6b37fb973dc26d9804957428056 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Nov 2025 16:56:56 -0800 +Subject: bnxt_en: Fix a possible memory leak in bnxt_ptp_init + +From: Kalesh AP + +[ Upstream commit deb8eb39164382f1f67ef8e8af9176baf5e10f2d ] + +In bnxt_ptp_init(), when ptp_clock_register() fails, the driver is +not freeing the memory allocated for ptp_info->pin_config. Fix it +to unconditionally free ptp_info->pin_config in bnxt_ptp_free(). + +Fixes: caf3eedbcd8d ("bnxt_en: 1PPS support for 5750X family chips") +Reviewed-by: Pavan Chebbi +Reviewed-by: Somnath Kotur +Signed-off-by: Kalesh AP +Signed-off-by: Michael Chan +Link: https://patch.msgid.link/20251104005700.542174-3-michael.chan@broadcom.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c +index 650034a4bb46d..6dfa0ab74c332 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c +@@ -1040,9 +1040,9 @@ static void bnxt_ptp_free(struct bnxt *bp) + if (ptp->ptp_clock) { + ptp_clock_unregister(ptp->ptp_clock); + ptp->ptp_clock = NULL; +- kfree(ptp->ptp_info.pin_config); +- ptp->ptp_info.pin_config = NULL; + } ++ kfree(ptp->ptp_info.pin_config); ++ ptp->ptp_info.pin_config = NULL; + } + + int bnxt_ptp_init(struct bnxt *bp) +-- +2.51.0 + diff --git a/queue-6.12/bnxt_en-refactor-bnxt_free_ctx_mem.patch b/queue-6.12/bnxt_en-refactor-bnxt_free_ctx_mem.patch new file mode 100644 index 0000000000..d4e0805425 --- /dev/null +++ b/queue-6.12/bnxt_en-refactor-bnxt_free_ctx_mem.patch @@ -0,0 +1,78 @@ +From 47496832a4ccb56439924ecabc5b411ffae26f30 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Nov 2024 07:14:29 -0800 +Subject: bnxt_en: Refactor bnxt_free_ctx_mem() + +From: Hongguang Gao + +[ Upstream commit 968d2cc07c2fc9a508a53bd2de61200f50206fbc ] + +Add a new function bnxt_free_one_ctx_mem() to free one context +memory type. bnxt_free_ctx_mem() now calls the new function in +the loop to free each context memory type. There is no change in +behavior. Later patches will further make use of the new function. + +Signed-off-by: Hongguang Gao +Signed-off-by: Michael Chan +Link: https://patch.msgid.link/20241115151438.550106-4-michael.chan@broadcom.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: 5204943a4c6e ("bnxt_en: Fix warning in bnxt_dl_reload_down()") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 31 +++++++++++++---------- + 1 file changed, 18 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index abf8984ac5e20..5409ad3cee192 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -8872,21 +8872,14 @@ static int bnxt_backing_store_cfg_v2(struct bnxt *bp, u32 ena) + return 0; + } + +-void bnxt_free_ctx_mem(struct bnxt *bp) ++static void bnxt_free_one_ctx_mem(struct bnxt *bp, ++ struct bnxt_ctx_mem_type *ctxm) + { +- struct bnxt_ctx_mem_info *ctx = bp->ctx; +- u16 type; +- +- if (!ctx) +- return; +- +- for (type = 0; type < BNXT_CTX_V2_MAX; type++) { +- struct bnxt_ctx_mem_type *ctxm = &ctx->ctx_arr[type]; +- struct bnxt_ctx_pg_info *ctx_pg = ctxm->pg_info; +- int i, n = 1; ++ struct bnxt_ctx_pg_info *ctx_pg; ++ int i, n = 1; + +- if (!ctx_pg) +- continue; ++ ctx_pg = ctxm->pg_info; ++ if (ctx_pg) { + if (ctxm->instance_bmap) + n = hweight32(ctxm->instance_bmap); + for (i = 0; i < n; i++) +@@ -8896,6 +8889,18 @@ void bnxt_free_ctx_mem(struct bnxt *bp) + ctxm->pg_info = NULL; + ctxm->mem_valid = 0; + } ++} ++ ++void bnxt_free_ctx_mem(struct bnxt *bp) ++{ ++ struct bnxt_ctx_mem_info *ctx = bp->ctx; ++ u16 type; ++ ++ if (!ctx) ++ return; ++ ++ for (type = 0; type < BNXT_CTX_V2_MAX; type++) ++ bnxt_free_one_ctx_mem(bp, &ctx->ctx_arr[type]); + + ctx->flags &= ~BNXT_CTX_FLAG_INITED; + kfree(ctx); +-- +2.51.0 + diff --git a/queue-6.12/gpio-swnode-don-t-use-the-swnode-s-name-as-the-key-f.patch b/queue-6.12/gpio-swnode-don-t-use-the-swnode-s-name-as-the-key-f.patch new file mode 100644 index 0000000000..7da50f179e --- /dev/null +++ b/queue-6.12/gpio-swnode-don-t-use-the-swnode-s-name-as-the-key-f.patch @@ -0,0 +1,40 @@ +From 33ef6e9618f188c05a9b1939cf0fe139af3e0378 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Nov 2025 10:35:24 +0100 +Subject: gpio: swnode: don't use the swnode's name as the key for GPIO lookup + +From: Bartosz Golaszewski + +[ Upstream commit e5d527be7e6984882306b49c067f1fec18920735 ] + +Looking up a GPIO controller by label that is the name of the software +node is wonky at best - the GPIO controller driver is free to set +a different label than the name of its firmware node. We're already being +passed a firmware node handle attached to the GPIO device to +swnode_get_gpio_device() so use it instead for a more precise lookup. + +Acked-by: Linus Walleij +Fixes: e7f9ff5dc90c ("gpiolib: add support for software nodes") +Link: https://lore.kernel.org/r/20251103-reset-gpios-swnodes-v4-4-6461800b6775@linaro.org +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib-swnode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpiolib-swnode.c b/drivers/gpio/gpiolib-swnode.c +index 51d2475c05c57..bb652921585ea 100644 +--- a/drivers/gpio/gpiolib-swnode.c ++++ b/drivers/gpio/gpiolib-swnode.c +@@ -41,7 +41,7 @@ static struct gpio_device *swnode_get_gpio_device(struct fwnode_handle *fwnode) + !strcmp(gdev_node->name, GPIOLIB_SWNODE_UNDEFINED_NAME)) + return ERR_PTR(-ENOENT); + +- gdev = gpio_device_find_by_label(gdev_node->name); ++ gdev = gpio_device_find_by_fwnode(fwnode); + return gdev ?: ERR_PTR(-EPROBE_DEFER); + } + +-- +2.51.0 + diff --git a/queue-6.12/gpiolib-fix-invalid-pointer-access-in-debugfs.patch b/queue-6.12/gpiolib-fix-invalid-pointer-access-in-debugfs.patch new file mode 100644 index 0000000000..f27d404f9d --- /dev/null +++ b/queue-6.12/gpiolib-fix-invalid-pointer-access-in-debugfs.patch @@ -0,0 +1,53 @@ +From fe12aba52bd8a6c863aef28a1198d2e57b9a363e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Nov 2025 15:11:32 +0100 +Subject: gpiolib: fix invalid pointer access in debugfs + +From: Bartosz Golaszewski + +[ Upstream commit 2f6115ad8864cf3f48598f26c74c7c8e5c391919 ] + +If the memory allocation in gpiolib_seq_start() fails, the s->private +field remains uninitialized and is later dereferenced without checking +in gpiolib_seq_stop(). Initialize s->private to NULL before calling +kzalloc() and check it before dereferencing it. + +Fixes: e348544f7994 ("gpio: protect the list of GPIO devices with SRCU") +Reviewed-by: Linus Walleij +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20251103141132.53471-1-brgl@bgdev.pl +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c +index e5d0d2b0d7989..967ff661e4c96 100644 +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -4997,6 +4997,8 @@ static void *gpiolib_seq_start(struct seq_file *s, loff_t *pos) + struct gpio_device *gdev; + loff_t index = *pos; + ++ s->private = NULL; ++ + priv = kzalloc(sizeof(*priv), GFP_KERNEL); + if (!priv) + return NULL; +@@ -5030,7 +5032,11 @@ static void *gpiolib_seq_next(struct seq_file *s, void *v, loff_t *pos) + + static void gpiolib_seq_stop(struct seq_file *s, void *v) + { +- struct gpiolib_seq_priv *priv = s->private; ++ struct gpiolib_seq_priv *priv; ++ ++ priv = s->private; ++ if (!priv) ++ return; + + srcu_read_unlock(&gpio_devices_srcu, priv->idx); + kfree(priv); +-- +2.51.0 + diff --git a/queue-6.12/lan966x-fix-sleeping-in-atomic-context.patch b/queue-6.12/lan966x-fix-sleeping-in-atomic-context.patch new file mode 100644 index 0000000000..f6cd613d1f --- /dev/null +++ b/queue-6.12/lan966x-fix-sleeping-in-atomic-context.patch @@ -0,0 +1,213 @@ +From 9ee0c5e8191e10b5f34c4b6d8619683c56765d2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Nov 2025 08:49:55 +0100 +Subject: lan966x: Fix sleeping in atomic context + +From: Horatiu Vultur + +[ Upstream commit 0216721ce71252f60d89af49c8dff613358058d3 ] + +The following warning was seen when we try to connect using ssh to the device. + +BUG: sleeping function called from invalid context at kernel/locking/mutex.c:575 +in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 104, name: dropbear +preempt_count: 1, expected: 0 +INFO: lockdep is turned off. +CPU: 0 UID: 0 PID: 104 Comm: dropbear Tainted: G W 6.18.0-rc2-00399-g6f1ab1b109b9-dirty #530 NONE +Tainted: [W]=WARN +Hardware name: Generic DT based system +Call trace: + unwind_backtrace from show_stack+0x10/0x14 + show_stack from dump_stack_lvl+0x7c/0xac + dump_stack_lvl from __might_resched+0x16c/0x2b0 + __might_resched from __mutex_lock+0x64/0xd34 + __mutex_lock from mutex_lock_nested+0x1c/0x24 + mutex_lock_nested from lan966x_stats_get+0x5c/0x558 + lan966x_stats_get from dev_get_stats+0x40/0x43c + dev_get_stats from dev_seq_printf_stats+0x3c/0x184 + dev_seq_printf_stats from dev_seq_show+0x10/0x30 + dev_seq_show from seq_read_iter+0x350/0x4ec + seq_read_iter from seq_read+0xfc/0x194 + seq_read from proc_reg_read+0xac/0x100 + proc_reg_read from vfs_read+0xb0/0x2b0 + vfs_read from ksys_read+0x6c/0xec + ksys_read from ret_fast_syscall+0x0/0x1c +Exception stack(0xf0b11fa8 to 0xf0b11ff0) +1fa0: 00000001 00001000 00000008 be9048d8 00001000 00000001 +1fc0: 00000001 00001000 00000008 00000003 be905920 0000001e 00000000 00000001 +1fe0: 0005404c be9048c0 00018684 b6ec2cd8 + +It seems that we are using a mutex in a atomic context which is wrong. +Change the mutex with a spinlock. + +Fixes: 12c2d0a5b8e2 ("net: lan966x: add ethtool configuration and statistics") +Signed-off-by: Horatiu Vultur +Reviewed-by: Jacob Keller +Link: https://patch.msgid.link/20251105074955.1766792-1-horatiu.vultur@microchip.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../microchip/lan966x/lan966x_ethtool.c | 18 +++++++++--------- + .../ethernet/microchip/lan966x/lan966x_main.c | 2 -- + .../ethernet/microchip/lan966x/lan966x_main.h | 4 ++-- + .../microchip/lan966x/lan966x_vcap_impl.c | 8 ++++---- + 4 files changed, 15 insertions(+), 17 deletions(-) + +diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_ethtool.c b/drivers/net/ethernet/microchip/lan966x/lan966x_ethtool.c +index 2474dfd330f46..fe4e614052840 100644 +--- a/drivers/net/ethernet/microchip/lan966x/lan966x_ethtool.c ++++ b/drivers/net/ethernet/microchip/lan966x/lan966x_ethtool.c +@@ -294,7 +294,7 @@ static void lan966x_stats_update(struct lan966x *lan966x) + { + int i, j; + +- mutex_lock(&lan966x->stats_lock); ++ spin_lock(&lan966x->stats_lock); + + for (i = 0; i < lan966x->num_phys_ports; i++) { + uint idx = i * lan966x->num_stats; +@@ -310,7 +310,7 @@ static void lan966x_stats_update(struct lan966x *lan966x) + } + } + +- mutex_unlock(&lan966x->stats_lock); ++ spin_unlock(&lan966x->stats_lock); + } + + static int lan966x_get_sset_count(struct net_device *dev, int sset) +@@ -365,7 +365,7 @@ static void lan966x_get_eth_mac_stats(struct net_device *dev, + + idx = port->chip_port * lan966x->num_stats; + +- mutex_lock(&lan966x->stats_lock); ++ spin_lock(&lan966x->stats_lock); + + mac_stats->FramesTransmittedOK = + lan966x->stats[idx + SYS_COUNT_TX_UC] + +@@ -416,7 +416,7 @@ static void lan966x_get_eth_mac_stats(struct net_device *dev, + lan966x->stats[idx + SYS_COUNT_RX_LONG] + + lan966x->stats[idx + SYS_COUNT_RX_PMAC_LONG]; + +- mutex_unlock(&lan966x->stats_lock); ++ spin_unlock(&lan966x->stats_lock); + } + + static const struct ethtool_rmon_hist_range lan966x_rmon_ranges[] = { +@@ -442,7 +442,7 @@ static void lan966x_get_eth_rmon_stats(struct net_device *dev, + + idx = port->chip_port * lan966x->num_stats; + +- mutex_lock(&lan966x->stats_lock); ++ spin_lock(&lan966x->stats_lock); + + rmon_stats->undersize_pkts = + lan966x->stats[idx + SYS_COUNT_RX_SHORT] + +@@ -500,7 +500,7 @@ static void lan966x_get_eth_rmon_stats(struct net_device *dev, + lan966x->stats[idx + SYS_COUNT_TX_SZ_1024_1526] + + lan966x->stats[idx + SYS_COUNT_TX_PMAC_SZ_1024_1526]; + +- mutex_unlock(&lan966x->stats_lock); ++ spin_unlock(&lan966x->stats_lock); + + *ranges = lan966x_rmon_ranges; + } +@@ -603,7 +603,7 @@ void lan966x_stats_get(struct net_device *dev, + + idx = port->chip_port * lan966x->num_stats; + +- mutex_lock(&lan966x->stats_lock); ++ spin_lock(&lan966x->stats_lock); + + stats->rx_bytes = lan966x->stats[idx + SYS_COUNT_RX_OCT] + + lan966x->stats[idx + SYS_COUNT_RX_PMAC_OCT]; +@@ -685,7 +685,7 @@ void lan966x_stats_get(struct net_device *dev, + + stats->collisions = lan966x->stats[idx + SYS_COUNT_TX_COL]; + +- mutex_unlock(&lan966x->stats_lock); ++ spin_unlock(&lan966x->stats_lock); + } + + int lan966x_stats_init(struct lan966x *lan966x) +@@ -701,7 +701,7 @@ int lan966x_stats_init(struct lan966x *lan966x) + return -ENOMEM; + + /* Init stats worker */ +- mutex_init(&lan966x->stats_lock); ++ spin_lock_init(&lan966x->stats_lock); + snprintf(queue_name, sizeof(queue_name), "%s-stats", + dev_name(lan966x->dev)); + lan966x->stats_queue = create_singlethread_workqueue(queue_name); +diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_main.c b/drivers/net/ethernet/microchip/lan966x/lan966x_main.c +index b34e015eedf9b..b5dc65a4d6403 100644 +--- a/drivers/net/ethernet/microchip/lan966x/lan966x_main.c ++++ b/drivers/net/ethernet/microchip/lan966x/lan966x_main.c +@@ -1262,7 +1262,6 @@ static int lan966x_probe(struct platform_device *pdev) + + cancel_delayed_work_sync(&lan966x->stats_work); + destroy_workqueue(lan966x->stats_queue); +- mutex_destroy(&lan966x->stats_lock); + + debugfs_remove_recursive(lan966x->debugfs_root); + +@@ -1280,7 +1279,6 @@ static void lan966x_remove(struct platform_device *pdev) + + cancel_delayed_work_sync(&lan966x->stats_work); + destroy_workqueue(lan966x->stats_queue); +- mutex_destroy(&lan966x->stats_lock); + + lan966x_mac_purge_entries(lan966x); + lan966x_mdb_deinit(lan966x); +diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_main.h b/drivers/net/ethernet/microchip/lan966x/lan966x_main.h +index 8aa39497818fe..14484ea77cbed 100644 +--- a/drivers/net/ethernet/microchip/lan966x/lan966x_main.h ++++ b/drivers/net/ethernet/microchip/lan966x/lan966x_main.h +@@ -295,8 +295,8 @@ struct lan966x { + const struct lan966x_stat_layout *stats_layout; + u32 num_stats; + +- /* workqueue for reading stats */ +- struct mutex stats_lock; ++ /* lock for reading stats */ ++ spinlock_t stats_lock; + u64 *stats; + struct delayed_work stats_work; + struct workqueue_struct *stats_queue; +diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_vcap_impl.c b/drivers/net/ethernet/microchip/lan966x/lan966x_vcap_impl.c +index a1471e38d1189..2a37fc1ba4bcd 100644 +--- a/drivers/net/ethernet/microchip/lan966x/lan966x_vcap_impl.c ++++ b/drivers/net/ethernet/microchip/lan966x/lan966x_vcap_impl.c +@@ -403,11 +403,11 @@ static void lan966x_es0_read_esdx_counter(struct lan966x *lan966x, + u32 counter; + + id = id & 0xff; /* counter limit */ +- mutex_lock(&lan966x->stats_lock); ++ spin_lock(&lan966x->stats_lock); + lan_wr(SYS_STAT_CFG_STAT_VIEW_SET(id), lan966x, SYS_STAT_CFG); + counter = lan_rd(lan966x, SYS_CNT(LAN966X_STAT_ESDX_GRN_PKTS)) + + lan_rd(lan966x, SYS_CNT(LAN966X_STAT_ESDX_YEL_PKTS)); +- mutex_unlock(&lan966x->stats_lock); ++ spin_unlock(&lan966x->stats_lock); + if (counter) + admin->cache.counter = counter; + } +@@ -417,14 +417,14 @@ static void lan966x_es0_write_esdx_counter(struct lan966x *lan966x, + { + id = id & 0xff; /* counter limit */ + +- mutex_lock(&lan966x->stats_lock); ++ spin_lock(&lan966x->stats_lock); + lan_wr(SYS_STAT_CFG_STAT_VIEW_SET(id), lan966x, SYS_STAT_CFG); + lan_wr(0, lan966x, SYS_CNT(LAN966X_STAT_ESDX_GRN_BYTES)); + lan_wr(admin->cache.counter, lan966x, + SYS_CNT(LAN966X_STAT_ESDX_GRN_PKTS)); + lan_wr(0, lan966x, SYS_CNT(LAN966X_STAT_ESDX_YEL_BYTES)); + lan_wr(0, lan966x, SYS_CNT(LAN966X_STAT_ESDX_YEL_PKTS)); +- mutex_unlock(&lan966x->stats_lock); ++ spin_unlock(&lan966x->stats_lock); + } + + static void lan966x_vcap_cache_write(struct net_device *dev, +-- +2.51.0 + diff --git a/queue-6.12/net-bridge-fix-mst-static-key-usage.patch b/queue-6.12/net-bridge-fix-mst-static-key-usage.patch new file mode 100644 index 0000000000..96dc6ce6ea --- /dev/null +++ b/queue-6.12/net-bridge-fix-mst-static-key-usage.patch @@ -0,0 +1,96 @@ +From 1b8eb5c8b54d02f655576fb89d1385b20bea82ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Nov 2025 13:19:19 +0200 +Subject: net: bridge: fix MST static key usage + +From: Nikolay Aleksandrov + +[ Upstream commit ee87c63f9b2a418f698d79c2991347e31a7d2c27 ] + +As Ido pointed out, the static key usage in MST is buggy and should use +inc/dec instead of enable/disable because we can have multiple bridges +with MST enabled which means a single bridge can disable MST for all. +Use static_branch_inc/dec to avoid that. When destroying a bridge decrement +the key if MST was enabled. + +Fixes: ec7328b59176 ("net: bridge: mst: Multiple Spanning Tree (MST) mode") +Reported-by: Ido Schimmel +Closes: https://lore.kernel.org/netdev/20251104120313.1306566-1-razor@blackwall.org/T/#m6888d87658f94ed1725433940f4f4ebb00b5a68b +Signed-off-by: Nikolay Aleksandrov +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20251105111919.1499702-3-razor@blackwall.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/bridge/br_if.c | 1 + + net/bridge/br_mst.c | 10 ++++++++-- + net/bridge/br_private.h | 5 +++++ + 3 files changed, 14 insertions(+), 2 deletions(-) + +diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c +index 2450690f98cfa..6ffc81eedf074 100644 +--- a/net/bridge/br_if.c ++++ b/net/bridge/br_if.c +@@ -386,6 +386,7 @@ void br_dev_delete(struct net_device *dev, struct list_head *head) + del_nbp(p); + } + ++ br_mst_uninit(br); + br_recalculate_neigh_suppress_enabled(br); + + br_fdb_delete_by_port(br, NULL, 0, 1); +diff --git a/net/bridge/br_mst.c b/net/bridge/br_mst.c +index 3f24b4ee49c27..43a300ae6bfaf 100644 +--- a/net/bridge/br_mst.c ++++ b/net/bridge/br_mst.c +@@ -22,6 +22,12 @@ bool br_mst_enabled(const struct net_device *dev) + } + EXPORT_SYMBOL_GPL(br_mst_enabled); + ++void br_mst_uninit(struct net_bridge *br) ++{ ++ if (br_opt_get(br, BROPT_MST_ENABLED)) ++ static_branch_dec(&br_mst_used); ++} ++ + int br_mst_get_info(const struct net_device *dev, u16 msti, unsigned long *vids) + { + const struct net_bridge_vlan_group *vg; +@@ -225,9 +231,9 @@ int br_mst_set_enabled(struct net_bridge *br, bool on, + return err; + + if (on) +- static_branch_enable(&br_mst_used); ++ static_branch_inc(&br_mst_used); + else +- static_branch_disable(&br_mst_used); ++ static_branch_dec(&br_mst_used); + + br_opt_toggle(br, BROPT_MST_ENABLED, on); + return 0; +diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h +index 40dcffc2132ed..741b0b8c4babb 100644 +--- a/net/bridge/br_private.h ++++ b/net/bridge/br_private.h +@@ -1923,6 +1923,7 @@ int br_mst_fill_info(struct sk_buff *skb, + const struct net_bridge_vlan_group *vg); + int br_mst_process(struct net_bridge_port *p, const struct nlattr *mst_attr, + struct netlink_ext_ack *extack); ++void br_mst_uninit(struct net_bridge *br); + #else + static inline bool br_mst_is_enabled(const struct net_bridge_port *p) + { +@@ -1958,6 +1959,10 @@ static inline int br_mst_process(struct net_bridge_port *p, + { + return -EOPNOTSUPP; + } ++ ++static inline void br_mst_uninit(struct net_bridge *br) ++{ ++} + #endif + + struct nf_br_ops { +-- +2.51.0 + diff --git a/queue-6.12/net-bridge-fix-use-after-free-due-to-mst-port-state-.patch b/queue-6.12/net-bridge-fix-use-after-free-due-to-mst-port-state-.patch new file mode 100644 index 0000000000..1464823a41 --- /dev/null +++ b/queue-6.12/net-bridge-fix-use-after-free-due-to-mst-port-state-.patch @@ -0,0 +1,104 @@ +From 4e50bd1a11f603d4c563ae9b83b879add1557873 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Nov 2025 13:19:18 +0200 +Subject: net: bridge: fix use-after-free due to MST port state bypass + +From: Nikolay Aleksandrov + +[ Upstream commit 8dca36978aa80bab9d4da130c211db75c9e00048 ] + +syzbot reported[1] a use-after-free when deleting an expired fdb. It is +due to a race condition between learning still happening and a port being +deleted, after all its fdbs have been flushed. The port's state has been +toggled to disabled so no learning should happen at that time, but if we +have MST enabled, it will bypass the port's state, that together with VLAN +filtering disabled can lead to fdb learning at a time when it shouldn't +happen while the port is being deleted. VLAN filtering must be disabled +because we flush the port VLANs when it's being deleted which will stop +learning. This fix adds a check for the port's vlan group which is +initialized to NULL when the port is getting deleted, that avoids the port +state bypass. When MST is enabled there would be a minimal new overhead +in the fast-path because the port's vlan group pointer is cache-hot. + +[1] https://syzkaller.appspot.com/bug?extid=dd280197f0f7ab3917be + +Fixes: ec7328b59176 ("net: bridge: mst: Multiple Spanning Tree (MST) mode") +Reported-by: syzbot+dd280197f0f7ab3917be@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/69088ffa.050a0220.29fc44.003d.GAE@google.com/ +Signed-off-by: Nikolay Aleksandrov +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20251105111919.1499702-2-razor@blackwall.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/bridge/br_forward.c | 2 +- + net/bridge/br_input.c | 4 ++-- + net/bridge/br_private.h | 8 +++++--- + 3 files changed, 8 insertions(+), 6 deletions(-) + +diff --git a/net/bridge/br_forward.c b/net/bridge/br_forward.c +index 49dd8cd526f46..e9f09cdb9848e 100644 +--- a/net/bridge/br_forward.c ++++ b/net/bridge/br_forward.c +@@ -25,7 +25,7 @@ static inline int should_deliver(const struct net_bridge_port *p, + + vg = nbp_vlan_group_rcu(p); + return ((p->flags & BR_HAIRPIN_MODE) || skb->dev != p->dev) && +- (br_mst_is_enabled(p->br) || p->state == BR_STATE_FORWARDING) && ++ (br_mst_is_enabled(p) || p->state == BR_STATE_FORWARDING) && + br_allowed_egress(vg, skb) && nbp_switchdev_allowed_egress(p, skb) && + !br_skb_isolated(p, skb); + } +diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c +index ceaa5a89b947f..2eb2bb6643885 100644 +--- a/net/bridge/br_input.c ++++ b/net/bridge/br_input.c +@@ -93,7 +93,7 @@ int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb + + br = p->br; + +- if (br_mst_is_enabled(br)) { ++ if (br_mst_is_enabled(p)) { + state = BR_STATE_FORWARDING; + } else { + if (p->state == BR_STATE_DISABLED) +@@ -411,7 +411,7 @@ static rx_handler_result_t br_handle_frame(struct sk_buff **pskb) + return RX_HANDLER_PASS; + + forward: +- if (br_mst_is_enabled(p->br)) ++ if (br_mst_is_enabled(p)) + goto defer_stp_filtering; + + switch (p->state) { +diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h +index 5026a256bf92d..40dcffc2132ed 100644 +--- a/net/bridge/br_private.h ++++ b/net/bridge/br_private.h +@@ -1904,10 +1904,12 @@ static inline bool br_vlan_state_allowed(u8 state, bool learn_allow) + /* br_mst.c */ + #ifdef CONFIG_BRIDGE_VLAN_FILTERING + DECLARE_STATIC_KEY_FALSE(br_mst_used); +-static inline bool br_mst_is_enabled(struct net_bridge *br) ++static inline bool br_mst_is_enabled(const struct net_bridge_port *p) + { ++ /* check the port's vlan group to avoid racing with port deletion */ + return static_branch_unlikely(&br_mst_used) && +- br_opt_get(br, BROPT_MST_ENABLED); ++ br_opt_get(p->br, BROPT_MST_ENABLED) && ++ rcu_access_pointer(p->vlgrp); + } + + int br_mst_set_state(struct net_bridge_port *p, u16 msti, u8 state, +@@ -1922,7 +1924,7 @@ int br_mst_fill_info(struct sk_buff *skb, + int br_mst_process(struct net_bridge_port *p, const struct nlattr *mst_attr, + struct netlink_ext_ack *extack); + #else +-static inline bool br_mst_is_enabled(struct net_bridge *br) ++static inline bool br_mst_is_enabled(const struct net_bridge_port *p) + { + return false; + } +-- +2.51.0 + diff --git a/queue-6.12/net-dsa-b53-fix-bcm63xx-rgmii-port-link-adjustment.patch b/queue-6.12/net-dsa-b53-fix-bcm63xx-rgmii-port-link-adjustment.patch new file mode 100644 index 0000000000..df98423e50 --- /dev/null +++ b/queue-6.12/net-dsa-b53-fix-bcm63xx-rgmii-port-link-adjustment.patch @@ -0,0 +1,64 @@ +From 71fc49737f2bfa9bd4e334b70c881418fb184235 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Nov 2025 14:28:07 +0100 +Subject: net: dsa: b53: fix bcm63xx RGMII port link adjustment + +From: Jonas Gorski + +[ Upstream commit 3e4ebdc1606adf77744cf8ed7a433d279fdc57ba ] + +BCM63XX's switch does not support MDIO scanning of external phys, so its +MACs needs to be manually configured for autonegotiated link speeds. + +So b53_force_port_config() and b53_force_link() accordingly also when +mode is MLO_AN_PHY for those ports. + +Fixes lower speeds than 1000/full on rgmii ports 4 - 7. + +This aligns the behaviour with the old bcm63xx_enetsw driver for those +ports. + +Fixes: 967dd82ffc52 ("net: dsa: b53: Add support for Broadcom RoboSwitch") +Signed-off-by: Jonas Gorski +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20251101132807.50419-3-jonas.gorski@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index 318c5c2c8f74a..914dbb86e1b07 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -1554,8 +1554,11 @@ static void b53_phylink_mac_link_down(struct phylink_config *config, + struct b53_device *dev = dp->ds->priv; + int port = dp->index; + +- if (mode == MLO_AN_PHY) ++ if (mode == MLO_AN_PHY) { ++ if (is63xx(dev) && in_range(port, B53_63XX_RGMII0, 4)) ++ b53_force_link(dev, port, false); + return; ++ } + + if (mode == MLO_AN_FIXED) { + b53_force_link(dev, port, false); +@@ -1583,6 +1586,13 @@ static void b53_phylink_mac_link_up(struct phylink_config *config, + if (mode == MLO_AN_PHY) { + /* Re-negotiate EEE if it was enabled already */ + p->eee_enabled = b53_eee_init(ds, port, phydev); ++ ++ if (is63xx(dev) && in_range(port, B53_63XX_RGMII0, 4)) { ++ b53_force_port_config(dev, port, speed, duplex, ++ tx_pause, rx_pause); ++ b53_force_link(dev, port, true); ++ } ++ + return; + } + +-- +2.51.0 + diff --git a/queue-6.12/net-dsa-b53-fix-enabling-ip-multicast.patch b/queue-6.12/net-dsa-b53-fix-enabling-ip-multicast.patch new file mode 100644 index 0000000000..eaba875cfd --- /dev/null +++ b/queue-6.12/net-dsa-b53-fix-enabling-ip-multicast.patch @@ -0,0 +1,75 @@ +From fd7649e05233c070e36876663ffabab441a4ddfe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Nov 2025 11:07:56 +0100 +Subject: net: dsa: b53: fix enabling ip multicast + +From: Jonas Gorski + +[ Upstream commit c264294624e956a967a9e2e5fa41e3273340b089 ] + +In the New Control register bit 1 is either reserved, or has a different +function: + + Out of Range Error Discard + + When enabled, the ingress port discards any frames + if the Length field is between 1500 and 1536 + (excluding 1500 and 1536) and with good CRC. + +The actual bit for enabling IP multicast is bit 0, which was only +explicitly enabled for BCM5325 so far. + +For older switch chips, this bit defaults to 0, so we want to enable it +as well, while newer switch chips default to 1, and their documentation +says "It is illegal to set this bit to zero." + +So drop the wrong B53_IPMC_FWD_EN define, enable the IP multicast bit +also for other switch chips. While at it, rename it to (B53_)IP_MC as +that is how it is called in Broadcom code. + +Fixes: 63cc54a6f073 ("net: dsa: b53: Fix egress flooding settings") +Signed-off-by: Jonas Gorski +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20251102100758.28352-2-jonas.gorski@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 4 ++-- + drivers/net/dsa/b53/b53_regs.h | 3 +-- + 2 files changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index 914dbb86e1b07..a22f28f98faee 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -369,11 +369,11 @@ static void b53_set_forwarding(struct b53_device *dev, int enable) + * frames should be flooded or not. + */ + b53_read8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, &mgmt); +- mgmt |= B53_UC_FWD_EN | B53_MC_FWD_EN | B53_IPMC_FWD_EN; ++ mgmt |= B53_UC_FWD_EN | B53_MC_FWD_EN | B53_IP_MC; + b53_write8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, mgmt); + } else { + b53_read8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, &mgmt); +- mgmt |= B53_IP_MCAST_25; ++ mgmt |= B53_IP_MC; + b53_write8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, mgmt); + } + } +diff --git a/drivers/net/dsa/b53/b53_regs.h b/drivers/net/dsa/b53/b53_regs.h +index 5741231e0841d..2dca7dd76eb6b 100644 +--- a/drivers/net/dsa/b53/b53_regs.h ++++ b/drivers/net/dsa/b53/b53_regs.h +@@ -110,8 +110,7 @@ + + /* IP Multicast control (8 bit) */ + #define B53_IP_MULTICAST_CTRL 0x21 +-#define B53_IP_MCAST_25 BIT(0) +-#define B53_IPMC_FWD_EN BIT(1) ++#define B53_IP_MC BIT(0) + #define B53_UC_FWD_EN BIT(6) + #define B53_MC_FWD_EN BIT(7) + +-- +2.51.0 + diff --git a/queue-6.12/net-dsa-b53-fix-resetting-speed-and-pause-on-forced-.patch b/queue-6.12/net-dsa-b53-fix-resetting-speed-and-pause-on-forced-.patch new file mode 100644 index 0000000000..5a167498fd --- /dev/null +++ b/queue-6.12/net-dsa-b53-fix-resetting-speed-and-pause-on-forced-.patch @@ -0,0 +1,64 @@ +From 69b8b5870b5f19b5a2437f7d6997524efa78e737 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Nov 2025 14:28:06 +0100 +Subject: net: dsa: b53: fix resetting speed and pause on forced link + +From: Jonas Gorski + +[ Upstream commit b6a8a5477fe9bd6be2b594a88f82f8bba41e6d54 ] + +There is no guarantee that the port state override registers have their +default values, as not all switches support being reset via register or +have a reset GPIO. + +So when forcing port config, we need to make sure to clear all fields, +which we currently do not do for the speed and flow control +configuration. This can cause flow control stay enabled, or in the case +of speed becoming an illegal value, e.g. configured for 1G (0x2), then +setting 100M (0x1), results in 0x3 which is invalid. + +For PORT_OVERRIDE_SPEED_2000M we need to make sure to only clear it on +supported chips, as the bit can have different meanings on other chips, +e.g. for BCM5389 this controls scanning PHYs for link/speed +configuration. + +Fixes: 5e004460f874 ("net: dsa: b53: Add helper to set link parameters") +Signed-off-by: Jonas Gorski +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20251101132807.50419-2-jonas.gorski@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index c903c6fcc6663..318c5c2c8f74a 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -1317,6 +1317,10 @@ static void b53_force_port_config(struct b53_device *dev, int port, + else + reg &= ~PORT_OVERRIDE_FULL_DUPLEX; + ++ reg &= ~(0x3 << GMII_PO_SPEED_S); ++ if (is5301x(dev) || is58xx(dev)) ++ reg &= ~PORT_OVERRIDE_SPEED_2000M; ++ + switch (speed) { + case 2000: + reg |= PORT_OVERRIDE_SPEED_2000M; +@@ -1335,6 +1339,11 @@ static void b53_force_port_config(struct b53_device *dev, int port, + return; + } + ++ if (is5325(dev)) ++ reg &= ~PORT_OVERRIDE_LP_FLOW_25; ++ else ++ reg &= ~(PORT_OVERRIDE_RX_FLOW | PORT_OVERRIDE_TX_FLOW); ++ + if (rx_pause) { + if (is5325(dev)) + reg |= PORT_OVERRIDE_LP_FLOW_25; +-- +2.51.0 + diff --git a/queue-6.12/net-dsa-b53-stop-reading-arl-entries-if-search-is-do.patch b/queue-6.12/net-dsa-b53-stop-reading-arl-entries-if-search-is-do.patch new file mode 100644 index 0000000000..e8c046edfe --- /dev/null +++ b/queue-6.12/net-dsa-b53-stop-reading-arl-entries-if-search-is-do.patch @@ -0,0 +1,51 @@ +From 8c36e295f5e85cc0f9c5ceb8227296092495c960 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Nov 2025 11:07:57 +0100 +Subject: net: dsa: b53: stop reading ARL entries if search is done + +From: Jonas Gorski + +[ Upstream commit 0be04b5fa62a82a9929ca261f6c9f64a3d0a28da ] + +The switch clears the ARL_SRCH_STDN bit when the search is done, i.e. it +finished traversing the ARL table. + +This means that there will be no valid result, so we should not attempt +to read and process any further entries. + +We only ever check the validity of the entries for 4 ARL bin chips, and +only after having passed the first entry to the b53_fdb_copy(). + +This means that we always pass an invalid entry at the end to the +b53_fdb_copy(). b53_fdb_copy() does check the validity though before +passing on the entry, so it never gets passed on. + +On < 4 ARL bin chips, we will even continue reading invalid entries +until we reach the result limit. + +Fixes: 1da6df85c6fb ("net: dsa: b53: Implement ARL add/del/dump operations") +Signed-off-by: Jonas Gorski +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20251102100758.28352-3-jonas.gorski@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index a22f28f98faee..01eb62706412e 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -1942,7 +1942,7 @@ static int b53_arl_search_wait(struct b53_device *dev) + do { + b53_read8(dev, B53_ARLIO_PAGE, B53_ARL_SRCH_CTL, ®); + if (!(reg & ARL_SRCH_STDN)) +- return 0; ++ return -ENOENT; + + if (reg & ARL_SRCH_VLID) + return 0; +-- +2.51.0 + diff --git a/queue-6.12/net-dsa-microchip-fix-reserved-multicast-address-tab.patch b/queue-6.12/net-dsa-microchip-fix-reserved-multicast-address-tab.patch new file mode 100644 index 0000000000..5f9c09b4a4 --- /dev/null +++ b/queue-6.12/net-dsa-microchip-fix-reserved-multicast-address-tab.patch @@ -0,0 +1,218 @@ +From cc5b95200d83247cd176338436421d3878e51ecb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Nov 2025 19:37:41 -0800 +Subject: net: dsa: microchip: Fix reserved multicast address table programming +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tristram Ha + +[ Upstream commit 96baf482ca1f69f0da9d10a5bd8422c87ea9039e ] + +KSZ9477/KSZ9897 and LAN937X families of switches use a reserved multicast +address table for some specific forwarding with some multicast addresses, +like the one used in STP. The hardware assumes the host port is the last +port in KSZ9897 family and port 5 in LAN937X family. Most of the time +this assumption is correct but not in other cases like KSZ9477. +Originally the function just setups the first entry, but the others still +need update, especially for one common multicast address that is used by +PTP operation. + +LAN937x also uses different register bits when accessing the reserved +table. + +Fixes: 457c182af597 ("net: dsa: microchip: generic access to ksz9477 static and reserved table") +Signed-off-by: Tristram Ha +Tested-by: Łukasz Majewski +Link: https://patch.msgid.link/20251105033741.6455-1-Tristram.Ha@microchip.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/microchip/ksz9477.c | 98 +++++++++++++++++++++---- + drivers/net/dsa/microchip/ksz9477_reg.h | 3 +- + drivers/net/dsa/microchip/ksz_common.c | 4 + + drivers/net/dsa/microchip/ksz_common.h | 2 + + 4 files changed, 91 insertions(+), 16 deletions(-) + +diff --git a/drivers/net/dsa/microchip/ksz9477.c b/drivers/net/dsa/microchip/ksz9477.c +index 22556d339d6ea..112d6ff0b70b6 100644 +--- a/drivers/net/dsa/microchip/ksz9477.c ++++ b/drivers/net/dsa/microchip/ksz9477.c +@@ -1159,9 +1159,15 @@ void ksz9477_config_cpu_port(struct dsa_switch *ds) + } + } + ++#define RESV_MCAST_CNT 8 ++ ++static u8 reserved_mcast_map[RESV_MCAST_CNT] = { 0, 1, 3, 16, 32, 33, 2, 17 }; ++ + int ksz9477_enable_stp_addr(struct ksz_device *dev) + { ++ u8 i, ports, update; + const u32 *masks; ++ bool override; + u32 data; + int ret; + +@@ -1170,23 +1176,87 @@ int ksz9477_enable_stp_addr(struct ksz_device *dev) + /* Enable Reserved multicast table */ + ksz_cfg(dev, REG_SW_LUE_CTRL_0, SW_RESV_MCAST_ENABLE, true); + +- /* Set the Override bit for forwarding BPDU packet to CPU */ +- ret = ksz_write32(dev, REG_SW_ALU_VAL_B, +- ALU_V_OVERRIDE | BIT(dev->cpu_port)); +- if (ret < 0) +- return ret; ++ /* The reserved multicast address table has 8 entries. Each entry has ++ * a default value of which port to forward. It is assumed the host ++ * port is the last port in most of the switches, but that is not the ++ * case for KSZ9477 or maybe KSZ9897. For LAN937X family the default ++ * port is port 5, the first RGMII port. It is okay for LAN9370, a ++ * 5-port switch, but may not be correct for the other 8-port ++ * versions. It is necessary to update the whole table to forward to ++ * the right ports. ++ * Furthermore PTP messages can use a reserved multicast address and ++ * the host will not receive them if this table is not correct. ++ */ ++ for (i = 0; i < RESV_MCAST_CNT; i++) { ++ data = reserved_mcast_map[i] << ++ dev->info->shifts[ALU_STAT_INDEX]; ++ data |= ALU_STAT_START | ++ masks[ALU_STAT_DIRECT] | ++ masks[ALU_RESV_MCAST_ADDR] | ++ masks[ALU_STAT_READ]; ++ ret = ksz_write32(dev, REG_SW_ALU_STAT_CTRL__4, data); ++ if (ret < 0) ++ return ret; + +- data = ALU_STAT_START | ALU_RESV_MCAST_ADDR | masks[ALU_STAT_WRITE]; ++ /* wait to be finished */ ++ ret = ksz9477_wait_alu_sta_ready(dev); ++ if (ret < 0) ++ return ret; + +- ret = ksz_write32(dev, REG_SW_ALU_STAT_CTRL__4, data); +- if (ret < 0) +- return ret; ++ ret = ksz_read32(dev, REG_SW_ALU_VAL_B, &data); ++ if (ret < 0) ++ return ret; + +- /* wait to be finished */ +- ret = ksz9477_wait_alu_sta_ready(dev); +- if (ret < 0) { +- dev_err(dev->dev, "Failed to update Reserved Multicast table\n"); +- return ret; ++ override = false; ++ ports = data & dev->port_mask; ++ switch (i) { ++ case 0: ++ case 6: ++ /* Change the host port. */ ++ update = BIT(dev->cpu_port); ++ override = true; ++ break; ++ case 2: ++ /* Change the host port. */ ++ update = BIT(dev->cpu_port); ++ break; ++ case 4: ++ case 5: ++ case 7: ++ /* Skip the host port. */ ++ update = dev->port_mask & ~BIT(dev->cpu_port); ++ break; ++ default: ++ update = ports; ++ break; ++ } ++ if (update != ports || override) { ++ data &= ~dev->port_mask; ++ data |= update; ++ /* Set Override bit to receive frame even when port is ++ * closed. ++ */ ++ if (override) ++ data |= ALU_V_OVERRIDE; ++ ret = ksz_write32(dev, REG_SW_ALU_VAL_B, data); ++ if (ret < 0) ++ return ret; ++ ++ data = reserved_mcast_map[i] << ++ dev->info->shifts[ALU_STAT_INDEX]; ++ data |= ALU_STAT_START | ++ masks[ALU_STAT_DIRECT] | ++ masks[ALU_RESV_MCAST_ADDR] | ++ masks[ALU_STAT_WRITE]; ++ ret = ksz_write32(dev, REG_SW_ALU_STAT_CTRL__4, data); ++ if (ret < 0) ++ return ret; ++ ++ /* wait to be finished */ ++ ret = ksz9477_wait_alu_sta_ready(dev); ++ if (ret < 0) ++ return ret; ++ } + } + + return 0; +diff --git a/drivers/net/dsa/microchip/ksz9477_reg.h b/drivers/net/dsa/microchip/ksz9477_reg.h +index ff579920078ee..61ea11e3338e1 100644 +--- a/drivers/net/dsa/microchip/ksz9477_reg.h ++++ b/drivers/net/dsa/microchip/ksz9477_reg.h +@@ -2,7 +2,7 @@ + /* + * Microchip KSZ9477 register definitions + * +- * Copyright (C) 2017-2024 Microchip Technology Inc. ++ * Copyright (C) 2017-2025 Microchip Technology Inc. + */ + + #ifndef __KSZ9477_REGS_H +@@ -397,7 +397,6 @@ + + #define ALU_RESV_MCAST_INDEX_M (BIT(6) - 1) + #define ALU_STAT_START BIT(7) +-#define ALU_RESV_MCAST_ADDR BIT(1) + + #define REG_SW_ALU_VAL_A 0x0420 + +diff --git a/drivers/net/dsa/microchip/ksz_common.c b/drivers/net/dsa/microchip/ksz_common.c +index 1da2310442fc5..5cfbb62058852 100644 +--- a/drivers/net/dsa/microchip/ksz_common.c ++++ b/drivers/net/dsa/microchip/ksz_common.c +@@ -644,6 +644,8 @@ static const u16 ksz9477_regs[] = { + static const u32 ksz9477_masks[] = { + [ALU_STAT_WRITE] = 0, + [ALU_STAT_READ] = 1, ++ [ALU_STAT_DIRECT] = 0, ++ [ALU_RESV_MCAST_ADDR] = BIT(1), + [P_MII_TX_FLOW_CTRL] = BIT(5), + [P_MII_RX_FLOW_CTRL] = BIT(3), + }; +@@ -671,6 +673,8 @@ static const u8 ksz9477_xmii_ctrl1[] = { + static const u32 lan937x_masks[] = { + [ALU_STAT_WRITE] = 1, + [ALU_STAT_READ] = 2, ++ [ALU_STAT_DIRECT] = BIT(3), ++ [ALU_RESV_MCAST_ADDR] = BIT(2), + [P_MII_TX_FLOW_CTRL] = BIT(5), + [P_MII_RX_FLOW_CTRL] = BIT(3), + }; +diff --git a/drivers/net/dsa/microchip/ksz_common.h b/drivers/net/dsa/microchip/ksz_common.h +index bec846e20682f..4ee518f8addc4 100644 +--- a/drivers/net/dsa/microchip/ksz_common.h ++++ b/drivers/net/dsa/microchip/ksz_common.h +@@ -265,6 +265,8 @@ enum ksz_masks { + DYNAMIC_MAC_TABLE_TIMESTAMP, + ALU_STAT_WRITE, + ALU_STAT_READ, ++ ALU_STAT_DIRECT, ++ ALU_RESV_MCAST_ADDR, + P_MII_TX_FLOW_CTRL, + P_MII_RX_FLOW_CTRL, + }; +-- +2.51.0 + diff --git a/queue-6.12/net-dsa-tag_brcm-legacy-fix-untagged-rx-on-unbridged.patch b/queue-6.12/net-dsa-tag_brcm-legacy-fix-untagged-rx-on-unbridged.patch new file mode 100644 index 0000000000..1d58338df7 --- /dev/null +++ b/queue-6.12/net-dsa-tag_brcm-legacy-fix-untagged-rx-on-unbridged.patch @@ -0,0 +1,77 @@ +From fa2af28a2c16e860f82c96b137726c2b09765d7b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Oct 2025 20:46:21 +0100 +Subject: net: dsa: tag_brcm: legacy: fix untagged rx on unbridged ports for + bcm63xx + +From: Jonas Gorski + +[ Upstream commit 3d18a84eddde169d6dbf3c72cc5358b988c347d0 ] + +The internal switch on BCM63XX SoCs will unconditionally add 802.1Q VLAN +tags on egress to CPU when 802.1Q mode is enabled. We do this +unconditionally since commit ed409f3bbaa5 ("net: dsa: b53: Configure +VLANs while not filtering"). + +This is fine for VLAN aware bridges, but for standalone ports and vlan +unaware bridges this means all packets are tagged with the default VID, +which is 0. + +While the kernel will treat that like untagged, this can break userspace +applications processing raw packets, expecting untagged traffic, like +STP daemons. + +This also breaks several bridge tests, where the tcpdump output then +does not match the expected output anymore. + +Since 0 isn't a valid VID, just strip out the VLAN tag if we encounter +it, unless the priority field is set, since that would be a valid tag +again. + +Fixes: 964dbf186eaa ("net: dsa: tag_brcm: add support for legacy tags") +Signed-off-by: Jonas Gorski +Reviewed-by: Vladimir Oltean +Link: https://patch.msgid.link/20251027194621.133301-1-jonas.gorski@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/dsa/tag_brcm.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/net/dsa/tag_brcm.c b/net/dsa/tag_brcm.c +index 9f4b0bcd95cde..df0ab8215b810 100644 +--- a/net/dsa/tag_brcm.c ++++ b/net/dsa/tag_brcm.c +@@ -218,12 +218,14 @@ static struct sk_buff *brcm_leg_tag_rcv(struct sk_buff *skb, + { + int len = BRCM_LEG_TAG_LEN; + int source_port; ++ __be16 *proto; + u8 *brcm_tag; + + if (unlikely(!pskb_may_pull(skb, BRCM_LEG_TAG_LEN + VLAN_HLEN))) + return NULL; + + brcm_tag = dsa_etype_header_pos_rx(skb); ++ proto = (__be16 *)(brcm_tag + BRCM_LEG_TAG_LEN); + + source_port = brcm_tag[5] & BRCM_LEG_PORT_ID; + +@@ -231,8 +233,12 @@ static struct sk_buff *brcm_leg_tag_rcv(struct sk_buff *skb, + if (!skb->dev) + return NULL; + +- /* VLAN tag is added by BCM63xx internal switch */ +- if (netdev_uses_dsa(skb->dev)) ++ /* The internal switch in BCM63XX SoCs always tags on egress on the CPU ++ * port. We use VID 0 internally for untagged traffic, so strip the tag ++ * if the TCI field is all 0, and keep it otherwise to also retain ++ * e.g. 802.1p tagged packets. ++ */ ++ if (proto[0] == htons(ETH_P_8021Q) && proto[1] == 0) + len += VLAN_HLEN; + + /* Remove Broadcom tag and update checksum */ +-- +2.51.0 + diff --git a/queue-6.12/net-dsa-tag_brcm-legacy-reorganize-functions.patch b/queue-6.12/net-dsa-tag_brcm-legacy-reorganize-functions.patch new file mode 100644 index 0000000000..eaa04eceb6 --- /dev/null +++ b/queue-6.12/net-dsa-tag_brcm-legacy-reorganize-functions.patch @@ -0,0 +1,110 @@ +From 198eeca926db825289076c8c153dc1d7ecc527fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Jun 2025 09:59:47 +0200 +Subject: net: dsa: tag_brcm: legacy: reorganize functions +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Álvaro Fernández Rojas + +[ Upstream commit a4daaf063f8269a5881154c5b77c5ef6639d65d3 ] + +Move brcm_leg_tag_rcv() definition to top. +This function is going to be shared between two different tags. + +Reviewed-by: Florian Fainelli +Signed-off-by: Álvaro Fernández Rojas +Link: https://patch.msgid.link/20250614080000.1884236-2-noltari@gmail.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: 3d18a84eddde ("net: dsa: tag_brcm: legacy: fix untagged rx on unbridged ports for bcm63xx") +Signed-off-by: Sasha Levin +--- + net/dsa/tag_brcm.c | 64 +++++++++++++++++++++++----------------------- + 1 file changed, 32 insertions(+), 32 deletions(-) + +diff --git a/net/dsa/tag_brcm.c b/net/dsa/tag_brcm.c +index fe75821623a4f..9f4b0bcd95cde 100644 +--- a/net/dsa/tag_brcm.c ++++ b/net/dsa/tag_brcm.c +@@ -213,6 +213,38 @@ MODULE_ALIAS_DSA_TAG_DRIVER(DSA_TAG_PROTO_BRCM, BRCM_NAME); + #endif + + #if IS_ENABLED(CONFIG_NET_DSA_TAG_BRCM_LEGACY) ++static struct sk_buff *brcm_leg_tag_rcv(struct sk_buff *skb, ++ struct net_device *dev) ++{ ++ int len = BRCM_LEG_TAG_LEN; ++ int source_port; ++ u8 *brcm_tag; ++ ++ if (unlikely(!pskb_may_pull(skb, BRCM_LEG_TAG_LEN + VLAN_HLEN))) ++ return NULL; ++ ++ brcm_tag = dsa_etype_header_pos_rx(skb); ++ ++ source_port = brcm_tag[5] & BRCM_LEG_PORT_ID; ++ ++ skb->dev = dsa_conduit_find_user(dev, 0, source_port); ++ if (!skb->dev) ++ return NULL; ++ ++ /* VLAN tag is added by BCM63xx internal switch */ ++ if (netdev_uses_dsa(skb->dev)) ++ len += VLAN_HLEN; ++ ++ /* Remove Broadcom tag and update checksum */ ++ skb_pull_rcsum(skb, len); ++ ++ dsa_default_offload_fwd_mark(skb); ++ ++ dsa_strip_etype_header(skb, len); ++ ++ return skb; ++} ++ + static struct sk_buff *brcm_leg_tag_xmit(struct sk_buff *skb, + struct net_device *dev) + { +@@ -250,38 +282,6 @@ static struct sk_buff *brcm_leg_tag_xmit(struct sk_buff *skb, + return skb; + } + +-static struct sk_buff *brcm_leg_tag_rcv(struct sk_buff *skb, +- struct net_device *dev) +-{ +- int len = BRCM_LEG_TAG_LEN; +- int source_port; +- u8 *brcm_tag; +- +- if (unlikely(!pskb_may_pull(skb, BRCM_LEG_TAG_LEN + VLAN_HLEN))) +- return NULL; +- +- brcm_tag = dsa_etype_header_pos_rx(skb); +- +- source_port = brcm_tag[5] & BRCM_LEG_PORT_ID; +- +- skb->dev = dsa_conduit_find_user(dev, 0, source_port); +- if (!skb->dev) +- return NULL; +- +- /* VLAN tag is added by BCM63xx internal switch */ +- if (netdev_uses_dsa(skb->dev)) +- len += VLAN_HLEN; +- +- /* Remove Broadcom tag and update checksum */ +- skb_pull_rcsum(skb, len); +- +- dsa_default_offload_fwd_mark(skb); +- +- dsa_strip_etype_header(skb, len); +- +- return skb; +-} +- + static const struct dsa_device_ops brcm_legacy_netdev_ops = { + .name = BRCM_LEGACY_NAME, + .proto = DSA_TAG_PROTO_BRCM_LEGACY, +-- +2.51.0 + diff --git a/queue-6.12/net-ionic-add-dma_wmb-before-ringing-tx-doorbell.patch b/queue-6.12/net-ionic-add-dma_wmb-before-ringing-tx-doorbell.patch new file mode 100644 index 0000000000..88df877a49 --- /dev/null +++ b/queue-6.12/net-ionic-add-dma_wmb-before-ringing-tx-doorbell.patch @@ -0,0 +1,45 @@ +From 05587f91cc2e8b071605aeef6442d2acf6e627c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Oct 2025 17:52:02 +0200 +Subject: net: ionic: add dma_wmb() before ringing TX doorbell + +From: Mohammad Heib + +[ Upstream commit d261f5b09c28850dc63ca1d3018596f829f402d5 ] + +The TX path currently writes descriptors and then immediately writes to +the MMIO doorbell register to notify the NIC. On weakly ordered +architectures, descriptor writes may still be pending in CPU or DMA +write buffers when the doorbell is issued, leading to the device +fetching stale or incomplete descriptors. + +Add a dma_wmb() in ionic_txq_post() to ensure all descriptor writes are +visible to the device before the doorbell MMIO write. + +Fixes: 0f3154e6bcb3 ("ionic: Add Tx and Rx handling") +Signed-off-by: Mohammad Heib +Link: https://patch.msgid.link/20251031155203.203031-1-mheib@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/pensando/ionic/ionic_txrx.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/pensando/ionic/ionic_txrx.c b/drivers/net/ethernet/pensando/ionic/ionic_txrx.c +index 0f5758c273c22..3a094d3ea6f4f 100644 +--- a/drivers/net/ethernet/pensando/ionic/ionic_txrx.c ++++ b/drivers/net/ethernet/pensando/ionic/ionic_txrx.c +@@ -29,6 +29,10 @@ static void ionic_tx_clean(struct ionic_queue *q, + + static inline void ionic_txq_post(struct ionic_queue *q, bool ring_dbell) + { ++ /* Ensure TX descriptor writes reach memory before NIC reads them. ++ * Prevents device from fetching stale descriptors. ++ */ ++ dma_wmb(); + ionic_q_post(q, ring_dbell); + } + +-- +2.51.0 + diff --git a/queue-6.12/net-ionic-map-skb-after-pseudo-header-checksum-prep.patch b/queue-6.12/net-ionic-map-skb-after-pseudo-header-checksum-prep.patch new file mode 100644 index 0000000000..79a1863201 --- /dev/null +++ b/queue-6.12/net-ionic-map-skb-after-pseudo-header-checksum-prep.patch @@ -0,0 +1,91 @@ +From beea92304ea8d9533b456e12d2736000e0b2316e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Oct 2025 17:52:03 +0200 +Subject: net: ionic: map SKB after pseudo-header checksum prep + +From: Mohammad Heib + +[ Upstream commit de0337d641bfa5b6d6b489e479792f1039274e84 ] + +The TSO path called ionic_tx_map_skb() before preparing the TCP pseudo +checksum (ionic_tx_tcp_[inner_]pseudo_csum()), which may perform +skb_cow_head() and might modifies bytes in the linear header area. + +Mapping first and then mutating the header risks: + - Using a stale DMA address if skb_cow_head() relocates the head, and/or + - Device reading stale header bytes on weakly-ordered systems + (CPU writes after mapping are not guaranteed visible without an + explicit dma_sync_single_for_device()). + +Reorder the TX path to perform all header mutations (including +skb_cow_head()) *before* DMA mapping. Mapping is now done only after the +skb layout and header contents are final. This removes the need for any +post-mapping dma_sync and prevents on-wire corruption observed under +VLAN+TSO load after repeated runs. + +This change is purely an ordering fix; no functional behavior change +otherwise. + +Fixes: 0f3154e6bcb3 ("ionic: Add Tx and Rx handling") +Signed-off-by: Mohammad Heib +Reviewed-by: Brett Creeley +Link: https://patch.msgid.link/20251031155203.203031-2-mheib@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/pensando/ionic/ionic_txrx.c | 30 ++++++++----------- + 1 file changed, 13 insertions(+), 17 deletions(-) + +diff --git a/drivers/net/ethernet/pensando/ionic/ionic_txrx.c b/drivers/net/ethernet/pensando/ionic/ionic_txrx.c +index 3a094d3ea6f4f..2cdcd46e922cd 100644 +--- a/drivers/net/ethernet/pensando/ionic/ionic_txrx.c ++++ b/drivers/net/ethernet/pensando/ionic/ionic_txrx.c +@@ -1448,19 +1448,6 @@ static int ionic_tx_tso(struct net_device *netdev, struct ionic_queue *q, + bool encap; + int err; + +- desc_info = &q->tx_info[q->head_idx]; +- +- if (unlikely(ionic_tx_map_skb(q, skb, desc_info))) +- return -EIO; +- +- len = skb->len; +- mss = skb_shinfo(skb)->gso_size; +- outer_csum = (skb_shinfo(skb)->gso_type & (SKB_GSO_GRE | +- SKB_GSO_GRE_CSUM | +- SKB_GSO_IPXIP4 | +- SKB_GSO_IPXIP6 | +- SKB_GSO_UDP_TUNNEL | +- SKB_GSO_UDP_TUNNEL_CSUM)); + has_vlan = !!skb_vlan_tag_present(skb); + vlan_tci = skb_vlan_tag_get(skb); + encap = skb->encapsulation; +@@ -1474,12 +1461,21 @@ static int ionic_tx_tso(struct net_device *netdev, struct ionic_queue *q, + err = ionic_tx_tcp_inner_pseudo_csum(skb); + else + err = ionic_tx_tcp_pseudo_csum(skb); +- if (unlikely(err)) { +- /* clean up mapping from ionic_tx_map_skb */ +- ionic_tx_desc_unmap_bufs(q, desc_info); ++ if (unlikely(err)) + return err; +- } + ++ desc_info = &q->tx_info[q->head_idx]; ++ if (unlikely(ionic_tx_map_skb(q, skb, desc_info))) ++ return -EIO; ++ ++ len = skb->len; ++ mss = skb_shinfo(skb)->gso_size; ++ outer_csum = (skb_shinfo(skb)->gso_type & (SKB_GSO_GRE | ++ SKB_GSO_GRE_CSUM | ++ SKB_GSO_IPXIP4 | ++ SKB_GSO_IPXIP6 | ++ SKB_GSO_UDP_TUNNEL | ++ SKB_GSO_UDP_TUNNEL_CSUM)); + if (encap) + hdrlen = skb_inner_tcp_all_headers(skb); + else +-- +2.51.0 + diff --git a/queue-6.12/net-mlx5e-fix-return-value-in-case-of-module-eeprom-.patch b/queue-6.12/net-mlx5e-fix-return-value-in-case-of-module-eeprom-.patch new file mode 100644 index 0000000000..c9b552e845 --- /dev/null +++ b/queue-6.12/net-mlx5e-fix-return-value-in-case-of-module-eeprom-.patch @@ -0,0 +1,74 @@ +From 77ad281b8a2406bfcaff5b828046549a79d14b86 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Nov 2025 16:15:36 +0200 +Subject: net/mlx5e: Fix return value in case of module EEPROM read error + +From: Gal Pressman + +[ Upstream commit d1c94bc5b90c21b65469d30d4a6bc8ed715c1bfe ] + +mlx5e_get_module_eeprom_by_page() has weird error handling. + +First, it is treating -EINVAL as a special case, but it is unclear why. + +Second, it tries to fail "gracefully" by returning the number of bytes +read even in case of an error. This results in wrongly returning +success (0 return value) if the error occurs before any bytes were +read. + +Simplify the error handling by returning an error when such occurs. This +also aligns with the error handling we have in mlx5e_get_module_eeprom() +for the old API. + +This fixes the following case where the query fails, but userspace +ethtool wrongly treats it as success and dumps an output: + + # ethtool -m eth2 + netlink warning: mlx5_core: Query module eeprom by page failed, read 0 bytes, err -5 + netlink warning: mlx5_core: Query module eeprom by page failed, read 0 bytes, err -5 + Offset Values + ------ ------ + 0x0000: 00 00 00 00 05 00 04 00 00 00 00 00 05 00 05 00 + 0x0010: 00 00 00 00 05 00 06 00 50 00 00 00 67 65 20 66 + 0x0020: 61 69 6c 65 64 2c 20 72 65 61 64 20 30 20 62 79 + 0x0030: 74 65 73 2c 20 65 72 72 20 2d 35 00 14 00 03 00 + 0x0040: 08 00 01 00 03 00 00 00 08 00 02 00 1a 00 00 00 + 0x0050: 14 00 04 00 08 00 01 00 04 00 00 00 08 00 02 00 + 0x0060: 0e 00 00 00 14 00 05 00 08 00 01 00 05 00 00 00 + 0x0070: 08 00 02 00 1a 00 00 00 14 00 06 00 08 00 01 00 + +Fixes: e109d2b204da ("net/mlx5: Implement get_module_eeprom_by_page()") +Signed-off-by: Gal Pressman +Reviewed-by: Alex Lazar +Signed-off-by: Tariq Toukan +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/1762265736-1028868-1-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +index 1966736f98b4a..1f55c5a7edf31 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +@@ -2010,14 +2010,12 @@ static int mlx5e_get_module_eeprom_by_page(struct net_device *netdev, + if (!size_read) + return i; + +- if (size_read == -EINVAL) +- return -EINVAL; + if (size_read < 0) { + NL_SET_ERR_MSG_FMT_MOD( + extack, + "Query module eeprom by page failed, read %u bytes, err %d\n", + i, size_read); +- return i; ++ return size_read; + } + + i += size_read; +-- +2.51.0 + diff --git a/queue-6.12/net-mlx5e-shampo-fix-skb-size-check-for-64k-pages.patch b/queue-6.12/net-mlx5e-shampo-fix-skb-size-check-for-64k-pages.patch new file mode 100644 index 0000000000..2e0bd4d65b --- /dev/null +++ b/queue-6.12/net-mlx5e-shampo-fix-skb-size-check-for-64k-pages.patch @@ -0,0 +1,56 @@ +From 7c41fde08bd3e65bfc7b5ca2e7260effae1afcc2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Nov 2025 08:48:34 +0200 +Subject: net/mlx5e: SHAMPO, Fix skb size check for 64K pages + +From: Dragos Tatulea + +[ Upstream commit bacd8d80181ebe34b599a39aa26bf73a44c91e55 ] + +mlx5e_hw_gro_skb_has_enough_space() uses a formula to check if there is +enough space in the skb frags to store more data. This formula is +incorrect for 64K page sizes and it triggers early GRO session +termination because the first fragment will blow up beyond +GRO_LEGACY_MAX_SIZE. + +This patch adds a special case for page sizes >= GRO_LEGACY_MAX_SIZE +(64K) which uses the skb->len instead. Within this context, +the check is safe from fragment overflow because the hardware +will continuously fill the data up to the reservation size of 64K +and the driver will coalesce all data from the same page to the same +fragment. This means that the data will span one fragment or at most +two for such a large page size. + +It is expected that the if statement will be optimized out as the +check is done with constants. + +Fixes: 92552d3abd32 ("net/mlx5e: HW_GRO cqe handler implementation") +Signed-off-by: Dragos Tatulea +Signed-off-by: Tariq Toukan +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/1762238915-1027590-3-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c +index 59aa10f1a9d95..4eb1150e71547 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c +@@ -2316,7 +2316,10 @@ mlx5e_hw_gro_skb_has_enough_space(struct sk_buff *skb, u16 data_bcnt) + { + int nr_frags = skb_shinfo(skb)->nr_frags; + +- return PAGE_SIZE * nr_frags + data_bcnt <= GRO_LEGACY_MAX_SIZE; ++ if (PAGE_SIZE >= GRO_LEGACY_MAX_SIZE) ++ return skb->len + data_bcnt <= GRO_LEGACY_MAX_SIZE; ++ else ++ return PAGE_SIZE * nr_frags + data_bcnt <= GRO_LEGACY_MAX_SIZE; + } + + static void mlx5e_handle_rx_cqe_mpwrq_shampo(struct mlx5e_rq *rq, struct mlx5_cqe64 *cqe) +-- +2.51.0 + diff --git a/queue-6.12/net-ti-icssg-prueth-fix-fdb-hash-size-configuration.patch b/queue-6.12/net-ti-icssg-prueth-fix-fdb-hash-size-configuration.patch new file mode 100644 index 0000000000..6540a85992 --- /dev/null +++ b/queue-6.12/net-ti-icssg-prueth-fix-fdb-hash-size-configuration.patch @@ -0,0 +1,69 @@ +From f9bde558a9af9222e6fd7daa9617477b95e7a022 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Nov 2025 16:14:15 +0530 +Subject: net: ti: icssg-prueth: Fix fdb hash size configuration + +From: Meghana Malladi + +[ Upstream commit ae4789affd1e181ae46e72e2b5fbe2d6d7b6616a ] + +The ICSSG driver does the initial FDB configuration which +includes setting the control registers. Other run time +management like learning is managed by the PRU's. The default +FDB hash size used by the firmware is 512 slots, which is +currently missing in the current driver. Update the driver +FDB config to include FDB hash size as well. + +Please refer trm [1] 6.4.14.12.17 section on how the FDB config +register gets configured. From the table 6-1404, there is a reset +field for FDB_HAS_SIZE which is 4, meaning 1024 slots. Currently +the driver is not updating this reset value from 4(1024 slots) to +3(512 slots). This patch fixes this by updating the reset value +to 512 slots. + +[1]: https://www.ti.com/lit/pdf/spruim2 +Fixes: abd5576b9c57f ("net: ti: icssg-prueth: Add support for ICSSG switch firmware") +Signed-off-by: Meghana Malladi +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20251104104415.3110537-1-m-malladi@ti.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ti/icssg/icssg_config.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/ethernet/ti/icssg/icssg_config.c b/drivers/net/ethernet/ti/icssg/icssg_config.c +index da53eb04b0a43..3f8237c17d099 100644 +--- a/drivers/net/ethernet/ti/icssg/icssg_config.c ++++ b/drivers/net/ethernet/ti/icssg/icssg_config.c +@@ -66,6 +66,9 @@ + #define FDB_GEN_CFG1 0x60 + #define SMEM_VLAN_OFFSET 8 + #define SMEM_VLAN_OFFSET_MASK GENMASK(25, 8) ++#define FDB_HASH_SIZE_MASK GENMASK(6, 3) ++#define FDB_HASH_SIZE_SHIFT 3 ++#define FDB_HASH_SIZE 3 + + #define FDB_GEN_CFG2 0x64 + #define FDB_VLAN_EN BIT(6) +@@ -463,6 +466,8 @@ void icssg_init_emac_mode(struct prueth *prueth) + /* Set VLAN TABLE address base */ + regmap_update_bits(prueth->miig_rt, FDB_GEN_CFG1, SMEM_VLAN_OFFSET_MASK, + addr << SMEM_VLAN_OFFSET); ++ regmap_update_bits(prueth->miig_rt, FDB_GEN_CFG1, FDB_HASH_SIZE_MASK, ++ FDB_HASH_SIZE << FDB_HASH_SIZE_SHIFT); + /* Set enable VLAN aware mode, and FDBs for all PRUs */ + regmap_write(prueth->miig_rt, FDB_GEN_CFG2, (FDB_PRU0_EN | FDB_PRU1_EN | FDB_HOST_EN)); + prueth->vlan_tbl = (struct prueth_vlan_tbl __force *)(prueth->shram.va + +@@ -484,6 +489,8 @@ void icssg_init_fw_offload_mode(struct prueth *prueth) + /* Set VLAN TABLE address base */ + regmap_update_bits(prueth->miig_rt, FDB_GEN_CFG1, SMEM_VLAN_OFFSET_MASK, + addr << SMEM_VLAN_OFFSET); ++ regmap_update_bits(prueth->miig_rt, FDB_GEN_CFG1, FDB_HASH_SIZE_MASK, ++ FDB_HASH_SIZE << FDB_HASH_SIZE_SHIFT); + /* Set enable VLAN aware mode, and FDBs for all PRUs */ + regmap_write(prueth->miig_rt, FDB_GEN_CFG2, FDB_EN_ALL); + prueth->vlan_tbl = (struct prueth_vlan_tbl __force *)(prueth->shram.va + +-- +2.51.0 + diff --git a/queue-6.12/net-usb-qmi_wwan-initialize-mac-header-offset-in-qmi.patch b/queue-6.12/net-usb-qmi_wwan-initialize-mac-header-offset-in-qmi.patch new file mode 100644 index 0000000000..fbb513bb9b --- /dev/null +++ b/queue-6.12/net-usb-qmi_wwan-initialize-mac-header-offset-in-qmi.patch @@ -0,0 +1,70 @@ +From 46821914df632c25ad5b177cb659d1145645b44d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Oct 2025 08:57:44 +0100 +Subject: net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup + +From: Qendrim Maxhuni + +[ Upstream commit e120f46768d98151ece8756ebd688b0e43dc8b29 ] + +Raw IP packets have no MAC header, leaving skb->mac_header uninitialized. +This can trigger kernel panics on ARM64 when xfrm or other subsystems +access the offset due to strict alignment checks. + +Initialize the MAC header to prevent such crashes. + +This can trigger kernel panics on ARM when running IPsec over the +qmimux0 interface. + +Example trace: + + Internal error: Oops: 000000009600004f [#1] SMP + CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.34-gbe78e49cb433 #1 + Hardware name: LS1028A RDB Board (DT) + pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : xfrm_input+0xde8/0x1318 + lr : xfrm_input+0x61c/0x1318 + sp : ffff800080003b20 + Call trace: + xfrm_input+0xde8/0x1318 + xfrm6_rcv+0x38/0x44 + xfrm6_esp_rcv+0x48/0xa8 + ip6_protocol_deliver_rcu+0x94/0x4b0 + ip6_input_finish+0x44/0x70 + ip6_input+0x44/0xc0 + ipv6_rcv+0x6c/0x114 + __netif_receive_skb_one_core+0x5c/0x8c + __netif_receive_skb+0x18/0x60 + process_backlog+0x78/0x17c + __napi_poll+0x38/0x180 + net_rx_action+0x168/0x2f0 + +Fixes: c6adf77953bc ("net: usb: qmi_wwan: add qmap mux protocol support") +Signed-off-by: Qendrim Maxhuni +Link: https://patch.msgid.link/20251029075744.105113-1-qendrim.maxhuni@garderos.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/qmi_wwan.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index f04da733240c0..bd51435ed4184 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -192,6 +192,12 @@ static int qmimux_rx_fixup(struct usbnet *dev, struct sk_buff *skb) + if (!skbn) + return 0; + ++ /* Raw IP packets don't have a MAC header, but other subsystems ++ * (like xfrm) may still access MAC header offsets, so they must ++ * be initialized. ++ */ ++ skb_reset_mac_header(skbn); ++ + switch (skb->data[offset + qmimux_hdr_sz] & 0xf0) { + case 0x40: + skbn->protocol = htons(ETH_P_IP); +-- +2.51.0 + diff --git a/queue-6.12/net-vlan-sync-vlan-features-with-lower-device.patch b/queue-6.12/net-vlan-sync-vlan-features-with-lower-device.patch new file mode 100644 index 0000000000..7fa90c1f98 --- /dev/null +++ b/queue-6.12/net-vlan-sync-vlan-features-with-lower-device.patch @@ -0,0 +1,44 @@ +From 213dadcb0059d015d1343d2b31f0694ec7852760 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Oct 2025 07:35:39 +0000 +Subject: net: vlan: sync VLAN features with lower device + +From: Hangbin Liu + +[ Upstream commit c211f5d7cbd5cb34489d526648bb9c8ecc907dee ] + +After registering a VLAN device and setting its feature flags, we need to +synchronize the VLAN features with the lower device. For example, the VLAN +device does not have the NETIF_F_LRO flag, it should be synchronized with +the lower device based on the NETIF_F_UPPER_DISABLES definition. + +As the dev->vlan_features has changed, we need to call +netdev_update_features(). The caller must run after netdev_upper_dev_link() +links the lower devices, so this patch adds the netdev_update_features() +call in register_vlan_dev(). + +Fixes: fd867d51f889 ("net/core: generic support for disabling netdev features down stack") +Signed-off-by: Hangbin Liu +Link: https://patch.msgid.link/20251030073539.133779-1-liuhangbin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/8021q/vlan.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c +index 49a6d49c23dc5..ecc1c8624006f 100644 +--- a/net/8021q/vlan.c ++++ b/net/8021q/vlan.c +@@ -194,6 +194,8 @@ int register_vlan_dev(struct net_device *dev, struct netlink_ext_ack *extack) + vlan_group_set_device(grp, vlan->vlan_proto, vlan_id, dev); + grp->nr_vlan_devs++; + ++ netdev_update_features(dev); ++ + return 0; + + out_unregister_netdev: +-- +2.51.0 + diff --git a/queue-6.12/net-wan-framer-pef2256-switch-to-devm_mfd_add_device.patch b/queue-6.12/net-wan-framer-pef2256-switch-to-devm_mfd_add_device.patch new file mode 100644 index 0000000000..5094d067a3 --- /dev/null +++ b/queue-6.12/net-wan-framer-pef2256-switch-to-devm_mfd_add_device.patch @@ -0,0 +1,56 @@ +From 3136078884ce6441af2a6715f90d393bc66fc4c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Nov 2025 11:47:16 +0800 +Subject: net: wan: framer: pef2256: Switch to devm_mfd_add_devices() + +From: Haotian Zhang + +[ Upstream commit 4d6ec3a7932ca5b168426f7b5b40abab2b41d2da ] + +The driver calls mfd_add_devices() but fails to call mfd_remove_devices() +in error paths after successful MFD device registration and in the remove +function. This leads to resource leaks where MFD child devices are not +properly unregistered. + +Replace mfd_add_devices with devm_mfd_add_devices to automatically +manage the device resources. + +Fixes: c96e976d9a05 ("net: wan: framer: Add support for the Lantiq PEF2256 framer") +Suggested-by: Herve Codina +Signed-off-by: Haotian Zhang +Acked-by: Herve Codina +Link: https://patch.msgid.link/20251105034716.662-1-vulab@iscas.ac.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/wan/framer/pef2256/pef2256.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wan/framer/pef2256/pef2256.c b/drivers/net/wan/framer/pef2256/pef2256.c +index 413a3c1d15bbe..dc6466542e2c0 100644 +--- a/drivers/net/wan/framer/pef2256/pef2256.c ++++ b/drivers/net/wan/framer/pef2256/pef2256.c +@@ -637,7 +637,8 @@ static int pef2256_add_audio_devices(struct pef2256 *pef2256) + audio_devs[i].id = i; + } + +- ret = mfd_add_devices(pef2256->dev, 0, audio_devs, count, NULL, 0, NULL); ++ ret = devm_mfd_add_devices(pef2256->dev, 0, audio_devs, count, ++ NULL, 0, NULL); + kfree(audio_devs); + return ret; + } +@@ -812,8 +813,8 @@ static int pef2256_probe(struct platform_device *pdev) + + platform_set_drvdata(pdev, pef2256); + +- ret = mfd_add_devices(pef2256->dev, 0, pef2256_devs, +- ARRAY_SIZE(pef2256_devs), NULL, 0, NULL); ++ ret = devm_mfd_add_devices(pef2256->dev, 0, pef2256_devs, ++ ARRAY_SIZE(pef2256_devs), NULL, 0, NULL); + if (ret) { + dev_err(pef2256->dev, "add devices failed (%d)\n", ret); + return ret; +-- +2.51.0 + diff --git a/queue-6.12/riscv-ptdump-use-seq_puts-in-pt_dump_seq_puts-macro.patch b/queue-6.12/riscv-ptdump-use-seq_puts-in-pt_dump_seq_puts-macro.patch new file mode 100644 index 0000000000..21682dad94 --- /dev/null +++ b/queue-6.12/riscv-ptdump-use-seq_puts-in-pt_dump_seq_puts-macro.patch @@ -0,0 +1,47 @@ +From 68694a78a5c7e9b312a0fc5002892b92c776608e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Oct 2025 11:40:43 -0600 +Subject: riscv: ptdump: use seq_puts() in pt_dump_seq_puts() macro + +From: Josephine Pfeiffer + +[ Upstream commit a74f038fa50e0d33b740f44f862fe856f16de6a8 ] + +The pt_dump_seq_puts() macro incorrectly uses seq_printf() instead of +seq_puts(). This is both a performance issue and conceptually wrong, +as the macro name suggests plain string output (puts) but the +implementation uses formatted output (printf). + +The macro is used in ptdump.c:301 to output a newline character. Using +seq_printf() adds unnecessary overhead for format string parsing when +outputting this constant string. + +This bug was introduced in commit 59c4da8640cc ("riscv: Add support to +dump the kernel page tables") in 2020, which copied the implementation +pattern from other architectures that had the same bug. + +Fixes: 59c4da8640cc ("riscv: Add support to dump the kernel page tables") +Signed-off-by: Josephine Pfeiffer +Link: https://lore.kernel.org/r/20251018170451.3355496-1-hi@josie.lol +Signed-off-by: Paul Walmsley +Signed-off-by: Sasha Levin +--- + arch/riscv/mm/ptdump.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/riscv/mm/ptdump.c b/arch/riscv/mm/ptdump.c +index 1289cc6d3700c..4bb09cadfb858 100644 +--- a/arch/riscv/mm/ptdump.c ++++ b/arch/riscv/mm/ptdump.c +@@ -21,7 +21,7 @@ + #define pt_dump_seq_puts(m, fmt) \ + ({ \ + if (m) \ +- seq_printf(m, fmt); \ ++ seq_puts(m, fmt); \ + }) + + /* +-- +2.51.0 + diff --git a/queue-6.12/riscv-stacktrace-disable-kasan-checks-for-non-curren.patch b/queue-6.12/riscv-stacktrace-disable-kasan-checks-for-non-curren.patch new file mode 100644 index 0000000000..9e420d66f9 --- /dev/null +++ b/queue-6.12/riscv-stacktrace-disable-kasan-checks-for-non-curren.patch @@ -0,0 +1,73 @@ +From f831297908f6e56c866e915977a28af3e664bfa6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Oct 2025 11:40:43 -0600 +Subject: riscv: stacktrace: Disable KASAN checks for non-current tasks + +From: Chunyan Zhang + +[ Upstream commit 060ea84a484e852b52b938f234bf9b5503a6c910 ] + +Unwinding the stack of a task other than current, KASAN would report +"BUG: KASAN: out-of-bounds in walk_stackframe+0x41c/0x460" + +There is a same issue on x86 and has been resolved by the commit +84936118bdf3 ("x86/unwind: Disable KASAN checks for non-current tasks") +The solution could be applied to RISC-V too. + +This patch also can solve the issue: +https://seclists.org/oss-sec/2025/q4/23 + +Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly") +Co-developed-by: Jiakai Xu +Signed-off-by: Jiakai Xu +Signed-off-by: Chunyan Zhang +Link: https://lore.kernel.org/r/20251022072608.743484-1-zhangchunyan@iscas.ac.cn +[pjw@kernel.org: clean up checkpatch issues] +Signed-off-by: Paul Walmsley +Signed-off-by: Sasha Levin +--- + arch/riscv/kernel/stacktrace.c | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +diff --git a/arch/riscv/kernel/stacktrace.c b/arch/riscv/kernel/stacktrace.c +index d4355c770c36a..5a0c0d5b449ed 100644 +--- a/arch/riscv/kernel/stacktrace.c ++++ b/arch/riscv/kernel/stacktrace.c +@@ -16,6 +16,22 @@ + + #ifdef CONFIG_FRAME_POINTER + ++/* ++ * This disables KASAN checking when reading a value from another task's stack, ++ * since the other task could be running on another CPU and could have poisoned ++ * the stack in the meantime. ++ */ ++#define READ_ONCE_TASK_STACK(task, x) \ ++({ \ ++ unsigned long val; \ ++ unsigned long addr = x; \ ++ if ((task) == current) \ ++ val = READ_ONCE(addr); \ ++ else \ ++ val = READ_ONCE_NOCHECK(addr); \ ++ val; \ ++}) ++ + extern asmlinkage void handle_exception(void); + extern unsigned long ret_from_exception_end; + +@@ -69,8 +85,9 @@ void notrace walk_stackframe(struct task_struct *task, struct pt_regs *regs, + fp = frame->ra; + pc = regs->ra; + } else { +- fp = frame->fp; +- pc = ftrace_graph_ret_addr(current, &graph_idx, frame->ra, ++ fp = READ_ONCE_TASK_STACK(task, frame->fp); ++ pc = READ_ONCE_TASK_STACK(task, frame->ra); ++ pc = ftrace_graph_ret_addr(current, &graph_idx, pc, + &frame->ra); + if (pc >= (unsigned long)handle_exception && + pc < (unsigned long)&ret_from_exception_end) { +-- +2.51.0 + diff --git a/queue-6.12/sctp-hold-rcu-read-lock-while-iterating-over-address.patch b/queue-6.12/sctp-hold-rcu-read-lock-while-iterating-over-address.patch new file mode 100644 index 0000000000..08a4dac3f5 --- /dev/null +++ b/queue-6.12/sctp-hold-rcu-read-lock-while-iterating-over-address.patch @@ -0,0 +1,104 @@ +From 3be9e896cfb9e73d6581328c078cef967920c467 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Oct 2025 17:12:26 +0100 +Subject: sctp: Hold RCU read lock while iterating over address list + +From: Stefan Wiehler + +[ Upstream commit 38f50242bf0f237cdc262308d624d333286ec3c5 ] + +With CONFIG_PROVE_RCU_LIST=y and by executing + + $ netcat -l --sctp & + $ netcat --sctp localhost & + $ ss --sctp + +one can trigger the following Lockdep-RCU splat(s): + + WARNING: suspicious RCU usage + 6.18.0-rc1-00093-g7f864458e9a6 #5 Not tainted + ----------------------------- + net/sctp/diag.c:76 RCU-list traversed in non-reader section!! + + other info that might help us debug this: + + rcu_scheduler_active = 2, debug_locks = 1 + 2 locks held by ss/215: + #0: ffff9c740828bec0 (nlk_cb_mutex-SOCK_DIAG){+.+.}-{4:4}, at: __netlink_dump_start+0x84/0x2b0 + #1: ffff9c7401d72cd0 (sk_lock-AF_INET6){+.+.}-{0:0}, at: sctp_sock_dump+0x38/0x200 + + stack backtrace: + CPU: 0 UID: 0 PID: 215 Comm: ss Not tainted 6.18.0-rc1-00093-g7f864458e9a6 #5 PREEMPT(voluntary) + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 + Call Trace: + + dump_stack_lvl+0x5d/0x90 + lockdep_rcu_suspicious.cold+0x4e/0xa3 + inet_sctp_diag_fill.isra.0+0x4b1/0x5d0 + sctp_sock_dump+0x131/0x200 + sctp_transport_traverse_process+0x170/0x1b0 + ? __pfx_sctp_sock_filter+0x10/0x10 + ? __pfx_sctp_sock_dump+0x10/0x10 + sctp_diag_dump+0x103/0x140 + __inet_diag_dump+0x70/0xb0 + netlink_dump+0x148/0x490 + __netlink_dump_start+0x1f3/0x2b0 + inet_diag_handler_cmd+0xcd/0x100 + ? __pfx_inet_diag_dump_start+0x10/0x10 + ? __pfx_inet_diag_dump+0x10/0x10 + ? __pfx_inet_diag_dump_done+0x10/0x10 + sock_diag_rcv_msg+0x18e/0x320 + ? __pfx_sock_diag_rcv_msg+0x10/0x10 + netlink_rcv_skb+0x4d/0x100 + netlink_unicast+0x1d7/0x2b0 + netlink_sendmsg+0x203/0x450 + ____sys_sendmsg+0x30c/0x340 + ___sys_sendmsg+0x94/0xf0 + __sys_sendmsg+0x83/0xf0 + do_syscall_64+0xbb/0x390 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + ... + + +Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file") +Signed-off-by: Stefan Wiehler +Reviewed-by: Kuniyuki Iwashima +Acked-by: Xin Long +Link: https://patch.msgid.link/20251028161506.3294376-2-stefan.wiehler@nokia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/diag.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/sctp/diag.c b/net/sctp/diag.c +index 23359e522273f..dadf8254b30fd 100644 +--- a/net/sctp/diag.c ++++ b/net/sctp/diag.c +@@ -73,19 +73,23 @@ static int inet_diag_msg_sctpladdrs_fill(struct sk_buff *skb, + struct nlattr *attr; + void *info = NULL; + ++ rcu_read_lock(); + list_for_each_entry_rcu(laddr, address_list, list) + addrcnt++; ++ rcu_read_unlock(); + + attr = nla_reserve(skb, INET_DIAG_LOCALS, addrlen * addrcnt); + if (!attr) + return -EMSGSIZE; + + info = nla_data(attr); ++ rcu_read_lock(); + list_for_each_entry_rcu(laddr, address_list, list) { + memcpy(info, &laddr->a, sizeof(laddr->a)); + memset(info + sizeof(laddr->a), 0, addrlen - sizeof(laddr->a)); + info += addrlen; + } ++ rcu_read_unlock(); + + return 0; + } +-- +2.51.0 + diff --git a/queue-6.12/sctp-hold-sock-lock-while-iterating-over-address-lis.patch b/queue-6.12/sctp-hold-sock-lock-while-iterating-over-address-lis.patch new file mode 100644 index 0000000000..6427ab542c --- /dev/null +++ b/queue-6.12/sctp-hold-sock-lock-while-iterating-over-address-lis.patch @@ -0,0 +1,66 @@ +From 6a3c37486743a3a4279477e0575fa7728efd3ee4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Oct 2025 17:12:28 +0100 +Subject: sctp: Hold sock lock while iterating over address list + +From: Stefan Wiehler + +[ Upstream commit f1fc201148c7e684c10a72b6a3375597f28d1ef6 ] + +Move address list traversal in inet_assoc_attr_size() under the sock +lock to avoid holding the RCU read lock. + +Suggested-by: Xin Long +Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file") +Signed-off-by: Stefan Wiehler +Acked-by: Xin Long +Link: https://patch.msgid.link/20251028161506.3294376-4-stefan.wiehler@nokia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/diag.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/net/sctp/diag.c b/net/sctp/diag.c +index 95e65b9d623b3..5a43f25478d03 100644 +--- a/net/sctp/diag.c ++++ b/net/sctp/diag.c +@@ -230,14 +230,15 @@ struct sctp_comm_param { + bool net_admin; + }; + +-static size_t inet_assoc_attr_size(struct sctp_association *asoc) ++static size_t inet_assoc_attr_size(struct sock *sk, ++ struct sctp_association *asoc) + { + int addrlen = sizeof(struct sockaddr_storage); + int addrcnt = 0; + struct sctp_sockaddr_entry *laddr; + + list_for_each_entry_rcu(laddr, &asoc->base.bind_addr.address_list, +- list) ++ list, lockdep_sock_is_held(sk)) + addrcnt++; + + return nla_total_size(sizeof(struct sctp_info)) +@@ -263,11 +264,14 @@ static int sctp_sock_dump_one(struct sctp_endpoint *ep, struct sctp_transport *t + if (err) + return err; + +- rep = nlmsg_new(inet_assoc_attr_size(assoc), GFP_KERNEL); +- if (!rep) ++ lock_sock(sk); ++ ++ rep = nlmsg_new(inet_assoc_attr_size(sk, assoc), GFP_KERNEL); ++ if (!rep) { ++ release_sock(sk); + return -ENOMEM; ++ } + +- lock_sock(sk); + if (ep != assoc->ep) { + err = -EAGAIN; + goto out; +-- +2.51.0 + diff --git a/queue-6.12/sctp-prevent-toctou-out-of-bounds-write.patch b/queue-6.12/sctp-prevent-toctou-out-of-bounds-write.patch new file mode 100644 index 0000000000..c99d49b9c5 --- /dev/null +++ b/queue-6.12/sctp-prevent-toctou-out-of-bounds-write.patch @@ -0,0 +1,45 @@ +From ba77afd99ce5260a8385736a9a356778302582b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Oct 2025 17:12:27 +0100 +Subject: sctp: Prevent TOCTOU out-of-bounds write + +From: Stefan Wiehler + +[ Upstream commit 95aef86ab231f047bb8085c70666059b58f53c09 ] + +For the following path not holding the sock lock, + + sctp_diag_dump() -> sctp_for_each_endpoint() -> sctp_ep_dump() + +make sure not to exceed bounds in case the address list has grown +between buffer allocation (time-of-check) and write (time-of-use). + +Suggested-by: Kuniyuki Iwashima +Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file") +Signed-off-by: Stefan Wiehler +Reviewed-by: Kuniyuki Iwashima +Acked-by: Xin Long +Link: https://patch.msgid.link/20251028161506.3294376-3-stefan.wiehler@nokia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/diag.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/sctp/diag.c b/net/sctp/diag.c +index dadf8254b30fd..95e65b9d623b3 100644 +--- a/net/sctp/diag.c ++++ b/net/sctp/diag.c +@@ -88,6 +88,9 @@ static int inet_diag_msg_sctpladdrs_fill(struct sk_buff *skb, + memcpy(info, &laddr->a, sizeof(laddr->a)); + memset(info + sizeof(laddr->a), 0, addrlen - sizeof(laddr->a)); + info += addrlen; ++ ++ if (!--addrcnt) ++ break; + } + rcu_read_unlock(); + +-- +2.51.0 + diff --git a/queue-6.12/selftests-net-fix-out-of-order-delivery-of-fin-in-gr.patch b/queue-6.12/selftests-net-fix-out-of-order-delivery-of-fin-in-gr.patch new file mode 100644 index 0000000000..d341011254 --- /dev/null +++ b/queue-6.12/selftests-net-fix-out-of-order-delivery-of-fin-in-gr.patch @@ -0,0 +1,66 @@ +From baf1f1f4837579cbca0efc5895c2c9b17f621cf0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Oct 2025 06:28:18 +0000 +Subject: selftests/net: fix out-of-order delivery of FIN in gro:tcp test + +From: Anubhav Singh + +[ Upstream commit 02d064de05b1fcca769391fa82d205bed8bb9bf0 ] + +Due to the gro_sender sending data packets and FIN packets +in very quick succession, these are received almost simultaneously +by the gro_receiver. FIN packets are sometimes processed before the +data packets leading to intermittent (~1/100) test failures. + +This change adds a delay of 100ms before sending FIN packets +in gro:tcp test to avoid the out-of-order delivery. The same +mitigation already exists for the gro:ip test. + +Fixes: 7d1575014a63 ("selftests/net: GRO coalesce test") +Reviewed-by: Willem de Bruijn +Signed-off-by: Anubhav Singh +Link: https://patch.msgid.link/20251030062818.1562228-1-anubhavsinggh@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/gro.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/tools/testing/selftests/net/gro.c b/tools/testing/selftests/net/gro.c +index b2184847e3881..d8a7906a9df98 100644 +--- a/tools/testing/selftests/net/gro.c ++++ b/tools/testing/selftests/net/gro.c +@@ -969,6 +969,7 @@ static void check_recv_pkts(int fd, int *correct_payload, + + static void gro_sender(void) + { ++ const int fin_delay_us = 100 * 1000; + static char fin_pkt[MAX_HDR_LEN]; + struct sockaddr_ll daddr = {}; + int txfd = -1; +@@ -1012,15 +1013,22 @@ static void gro_sender(void) + write_packet(txfd, fin_pkt, total_hdr_len, &daddr); + } else if (strcmp(testname, "tcp") == 0) { + send_changed_checksum(txfd, &daddr); ++ /* Adding sleep before sending FIN so that it is not ++ * received prior to other packets. ++ */ ++ usleep(fin_delay_us); + write_packet(txfd, fin_pkt, total_hdr_len, &daddr); + + send_changed_seq(txfd, &daddr); ++ usleep(fin_delay_us); + write_packet(txfd, fin_pkt, total_hdr_len, &daddr); + + send_changed_ts(txfd, &daddr); ++ usleep(fin_delay_us); + write_packet(txfd, fin_pkt, total_hdr_len, &daddr); + + send_diff_opt(txfd, &daddr); ++ usleep(fin_delay_us); + write_packet(txfd, fin_pkt, total_hdr_len, &daddr); + } else if (strcmp(testname, "ip") == 0) { + send_changed_ECN(txfd, &daddr); +-- +2.51.0 + diff --git a/queue-6.12/selftests-net-use-destination-options-instead-of-hop.patch b/queue-6.12/selftests-net-use-destination-options-instead-of-hop.patch new file mode 100644 index 0000000000..a54ad52834 --- /dev/null +++ b/queue-6.12/selftests-net-use-destination-options-instead-of-hop.patch @@ -0,0 +1,58 @@ +From ddcaf3ba5b8da0ce271cb844bad277dcaf38c595 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Oct 2025 06:04:36 +0000 +Subject: selftests/net: use destination options instead of hop-by-hop + +From: Anubhav Singh + +[ Upstream commit f8e8486702abb05b8c734093aab1606af0eac068 ] + +The GRO self-test, gro.c, currently constructs IPv6 packets containing a +Hop-by-Hop Options header (IPPROTO_HOPOPTS) to ensure the GRO path +correctly handles IPv6 extension headers. + +However, network elements may be configured to drop packets with the +Hop-by-Hop Options header (HBH). This causes the self-test to fail +in environments where such network elements are present. + +To improve the robustness and reliability of this test in diverse +network environments, switch from using IPPROTO_HOPOPTS to +IPPROTO_DSTOPTS (Destination Options). + +The Destination Options header is less likely to be dropped by +intermediate routers and still serves the core purpose of the test: +validating GRO's handling of an IPv6 extension header. This change +ensures the test can execute successfully without being incorrectly +failed by network policies outside the kernel's control. + +Fixes: 7d1575014a63 ("selftests/net: GRO coalesce test") +Reviewed-by: Willem de Bruijn +Signed-off-by: Anubhav Singh +Link: https://patch.msgid.link/20251030060436.1556664-1-anubhavsinggh@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/gro.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/net/gro.c b/tools/testing/selftests/net/gro.c +index d8a7906a9df98..ecd28f2dacee3 100644 +--- a/tools/testing/selftests/net/gro.c ++++ b/tools/testing/selftests/net/gro.c +@@ -734,11 +734,11 @@ static void send_ipv6_exthdr(int fd, struct sockaddr_ll *daddr, char *ext_data1, + static char exthdr_pck[sizeof(buf) + MIN_EXTHDR_SIZE]; + + create_packet(buf, 0, 0, PAYLOAD_LEN, 0); +- add_ipv6_exthdr(buf, exthdr_pck, IPPROTO_HOPOPTS, ext_data1); ++ add_ipv6_exthdr(buf, exthdr_pck, IPPROTO_DSTOPTS, ext_data1); + write_packet(fd, exthdr_pck, total_hdr_len + PAYLOAD_LEN + MIN_EXTHDR_SIZE, daddr); + + create_packet(buf, PAYLOAD_LEN * 1, 0, PAYLOAD_LEN, 0); +- add_ipv6_exthdr(buf, exthdr_pck, IPPROTO_HOPOPTS, ext_data2); ++ add_ipv6_exthdr(buf, exthdr_pck, IPPROTO_DSTOPTS, ext_data2); + write_packet(fd, exthdr_pck, total_hdr_len + PAYLOAD_LEN + MIN_EXTHDR_SIZE, daddr); + } + +-- +2.51.0 + diff --git a/queue-6.12/selftests-netdevsim-fix-ethtool-coalesce.sh-fail-by-.patch b/queue-6.12/selftests-netdevsim-fix-ethtool-coalesce.sh-fail-by-.patch new file mode 100644 index 0000000000..830fac3c73 --- /dev/null +++ b/queue-6.12/selftests-netdevsim-fix-ethtool-coalesce.sh-fail-by-.patch @@ -0,0 +1,60 @@ +From 042912d1b862b07aca02c4fa46f1cf3c8f771fa9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Oct 2025 12:03:40 +0800 +Subject: selftests: netdevsim: Fix ethtool-coalesce.sh fail by installing + ethtool-common.sh + +From: Wang Liang + +[ Upstream commit d01f8136d46b925798abcf86b35a4021e4cfb8bb ] + +The script "ethtool-common.sh" is not installed in INSTALL_PATH, and +triggers some errors when I try to run the test +'drivers/net/netdevsim/ethtool-coalesce.sh': + + TAP version 13 + 1..1 + # timeout set to 600 + # selftests: drivers/net/netdevsim: ethtool-coalesce.sh + # ./ethtool-coalesce.sh: line 4: ethtool-common.sh: No such file or directory + # ./ethtool-coalesce.sh: line 25: make_netdev: command not found + # ethtool: bad command line argument(s) + # ./ethtool-coalesce.sh: line 124: check: command not found + # ./ethtool-coalesce.sh: line 126: [: -eq: unary operator expected + # FAILED /0 checks + not ok 1 selftests: drivers/net/netdevsim: ethtool-coalesce.sh # exit=1 + +Install this file to avoid this error. After this patch: + + TAP version 13 + 1..1 + # timeout set to 600 + # selftests: drivers/net/netdevsim: ethtool-coalesce.sh + # PASSED all 22 checks + ok 1 selftests: drivers/net/netdevsim: ethtool-coalesce.sh + +Fixes: fbb8531e58bd ("selftests: extract common functions in ethtool-common.sh") +Signed-off-by: Wang Liang +Link: https://patch.msgid.link/20251030040340.3258110-1-wangliang74@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/drivers/net/netdevsim/Makefile | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/tools/testing/selftests/drivers/net/netdevsim/Makefile b/tools/testing/selftests/drivers/net/netdevsim/Makefile +index 5bace0b7fb570..d7800f0703bcf 100644 +--- a/tools/testing/selftests/drivers/net/netdevsim/Makefile ++++ b/tools/testing/selftests/drivers/net/netdevsim/Makefile +@@ -15,4 +15,8 @@ TEST_PROGS = devlink.sh \ + tc-mq-visibility.sh \ + udp_tunnel_nic.sh \ + ++TEST_FILES := \ ++ ethtool-common.sh ++# end of TEST_FILES ++ + include ../../../lib.mk +-- +2.51.0 + diff --git a/queue-6.12/series b/queue-6.12/series index 3030b3b658..6456638919 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -504,3 +504,39 @@ drm-mediatek-disable-afbc-support-on-mediatek-drm-driver.patch revert-wifi-ath10k-avoid-unnecessary-wait-for-service-ready-message.patch ring-buffer-do-not-warn-in-ring_buffer_map_get_reader-when-reader-catches-up.patch net-libwx-fix-device-bus-lan-id.patch +riscv-stacktrace-disable-kasan-checks-for-non-curren.patch +riscv-ptdump-use-seq_puts-in-pt_dump_seq_puts-macro.patch +bluetooth-hci_event-validate-skb-length-for-unknown-.patch +bluetooth-btrtl-fix-memory-leak-in-rtlbt_parse_firmw.patch +net-dsa-tag_brcm-legacy-reorganize-functions.patch +net-dsa-tag_brcm-legacy-fix-untagged-rx-on-unbridged.patch +selftests-net-fix-out-of-order-delivery-of-fin-in-gr.patch +selftests-net-use-destination-options-instead-of-hop.patch +selftests-netdevsim-fix-ethtool-coalesce.sh-fail-by-.patch +net-vlan-sync-vlan-features-with-lower-device.patch +gpio-swnode-don-t-use-the-swnode-s-name-as-the-key-f.patch +gpiolib-fix-invalid-pointer-access-in-debugfs.patch +net-dsa-b53-fix-resetting-speed-and-pause-on-forced-.patch +net-dsa-b53-fix-bcm63xx-rgmii-port-link-adjustment.patch +net-dsa-b53-fix-enabling-ip-multicast.patch +net-dsa-b53-stop-reading-arl-entries-if-search-is-do.patch +sctp-hold-rcu-read-lock-while-iterating-over-address.patch +sctp-prevent-toctou-out-of-bounds-write.patch +sctp-hold-sock-lock-while-iterating-over-address-lis.patch +net-ionic-add-dma_wmb-before-ringing-tx-doorbell.patch +net-ionic-map-skb-after-pseudo-header-checksum-prep.patch +net-usb-qmi_wwan-initialize-mac-header-offset-in-qmi.patch +bnxt_en-fix-a-possible-memory-leak-in-bnxt_ptp_init.patch +bnxt_en-add-mem_valid-bit-to-struct-bnxt_ctx_mem_typ.patch +bnxt_en-refactor-bnxt_free_ctx_mem.patch +bnxt_en-add-a-force-parameter-to-bnxt_free_ctx_mem.patch +wifi-mac80211_hwsim-limit-destroy_on_close-radio-rem.patch +net-mlx5e-fix-return-value-in-case-of-module-eeprom-.patch +net-ti-icssg-prueth-fix-fdb-hash-size-configuration.patch +net-mlx5e-shampo-fix-skb-size-check-for-64k-pages.patch +net-wan-framer-pef2256-switch-to-devm_mfd_add_device.patch +net-dsa-microchip-fix-reserved-multicast-address-tab.patch +lan966x-fix-sleeping-in-atomic-context.patch +net-bridge-fix-use-after-free-due-to-mst-port-state-.patch +net-bridge-fix-mst-static-key-usage.patch +tracing-fix-memory-leaks-in-create_field_var.patch diff --git a/queue-6.12/tracing-fix-memory-leaks-in-create_field_var.patch b/queue-6.12/tracing-fix-memory-leaks-in-create_field_var.patch new file mode 100644 index 0000000000..74308d154e --- /dev/null +++ b/queue-6.12/tracing-fix-memory-leaks-in-create_field_var.patch @@ -0,0 +1,53 @@ +From cc406139c025bdee272762b59474b0f03c2ba8dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Nov 2025 12:01:32 +0000 +Subject: tracing: Fix memory leaks in create_field_var() + +From: Zilin Guan + +[ Upstream commit 80f0d631dcc76ee1b7755bfca1d8417d91d71414 ] + +The function create_field_var() allocates memory for 'val' through +create_hist_field() inside parse_atom(), and for 'var' through +create_var(), which in turn allocates var->type and var->var.name +internally. Simply calling kfree() to release these structures will +result in memory leaks. + +Use destroy_hist_field() to properly free 'val', and explicitly release +the memory of var->type and var->var.name before freeing 'var' itself. + +Link: https://patch.msgid.link/20251106120132.3639920-1-zilin@seu.edu.cn +Fixes: 02205a6752f22 ("tracing: Add support for 'field variables'") +Signed-off-by: Zilin Guan +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_events_hist.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c +index 3379e14d38e9b..84954b8918156 100644 +--- a/kernel/trace/trace_events_hist.c ++++ b/kernel/trace/trace_events_hist.c +@@ -3251,14 +3251,16 @@ static struct field_var *create_field_var(struct hist_trigger_data *hist_data, + var = create_var(hist_data, file, field_name, val->size, val->type); + if (IS_ERR(var)) { + hist_err(tr, HIST_ERR_VAR_CREATE_FIND_FAIL, errpos(field_name)); +- kfree(val); ++ destroy_hist_field(val, 0); + ret = PTR_ERR(var); + goto err; + } + + field_var = kzalloc(sizeof(struct field_var), GFP_KERNEL); + if (!field_var) { +- kfree(val); ++ destroy_hist_field(val, 0); ++ kfree_const(var->type); ++ kfree(var->var.name); + kfree(var); + ret = -ENOMEM; + goto err; +-- +2.51.0 + diff --git a/queue-6.12/wifi-mac80211_hwsim-limit-destroy_on_close-radio-rem.patch b/queue-6.12/wifi-mac80211_hwsim-limit-destroy_on_close-radio-rem.patch new file mode 100644 index 0000000000..1e9cc7b62a --- /dev/null +++ b/queue-6.12/wifi-mac80211_hwsim-limit-destroy_on_close-radio-rem.patch @@ -0,0 +1,64 @@ +From 1ec03dd0c64cfff1f6d6fa4fa7a24da234d0463c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Nov 2025 09:24:36 +0100 +Subject: wifi: mac80211_hwsim: Limit destroy_on_close radio removal to + netgroup + +From: Martin Willi + +[ Upstream commit c74619e7602e88a0239cd4999571dd31081e9adf ] + +hwsim radios marked destroy_on_close are removed when the Netlink socket +that created them is closed. As the portid is not unique across network +namespaces, closing a socket in one namespace may remove radios in another +if it has the destroy_on_close flag set. + +Instead of matching the network namespace, match the netgroup of the radio +to limit radio removal to those that have been created by the closing +Netlink socket. The netgroup of a radio identifies the network namespace +it was created in, and matching on it removes a destroy_on_close radio +even if it has been moved to another namespace. + +Fixes: 100cb9ff40e0 ("mac80211_hwsim: Allow managing radios from non-initial namespaces") +Signed-off-by: Martin Willi +Link: https://patch.msgid.link/20251103082436.30483-1-martin@strongswan.org +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/virtual/mac80211_hwsim.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/virtual/mac80211_hwsim.c b/drivers/net/wireless/virtual/mac80211_hwsim.c +index 6fcc21f596ea7..8b4fd5fd11b0e 100644 +--- a/drivers/net/wireless/virtual/mac80211_hwsim.c ++++ b/drivers/net/wireless/virtual/mac80211_hwsim.c +@@ -6411,14 +6411,15 @@ static struct genl_family hwsim_genl_family __ro_after_init = { + .n_mcgrps = ARRAY_SIZE(hwsim_mcgrps), + }; + +-static void remove_user_radios(u32 portid) ++static void remove_user_radios(u32 portid, int netgroup) + { + struct mac80211_hwsim_data *entry, *tmp; + LIST_HEAD(list); + + spin_lock_bh(&hwsim_radio_lock); + list_for_each_entry_safe(entry, tmp, &hwsim_radios, list) { +- if (entry->destroy_on_close && entry->portid == portid) { ++ if (entry->destroy_on_close && entry->portid == portid && ++ entry->netgroup == netgroup) { + list_move(&entry->list, &list); + rhashtable_remove_fast(&hwsim_radios_rht, &entry->rht, + hwsim_rht_params); +@@ -6443,7 +6444,7 @@ static int mac80211_hwsim_netlink_notify(struct notifier_block *nb, + if (state != NETLINK_URELEASE) + return NOTIFY_DONE; + +- remove_user_radios(notify->portid); ++ remove_user_radios(notify->portid, hwsim_net_get_netgroup(notify->net)); + + if (notify->portid == hwsim_net_get_wmediumd(notify->net)) { + printk(KERN_INFO "mac80211_hwsim: wmediumd released netlink" +-- +2.51.0 + diff --git a/queue-6.17/bluetooth-btrtl-fix-memory-leak-in-rtlbt_parse_firmw.patch b/queue-6.17/bluetooth-btrtl-fix-memory-leak-in-rtlbt_parse_firmw.patch new file mode 100644 index 0000000000..c2dafd7b2e --- /dev/null +++ b/queue-6.17/bluetooth-btrtl-fix-memory-leak-in-rtlbt_parse_firmw.patch @@ -0,0 +1,39 @@ +From 2aa28236cdb990f8f9fccda66ca2f6e79a5f5167 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Oct 2025 23:26:30 +0530 +Subject: Bluetooth: btrtl: Fix memory leak in rtlbt_parse_firmware_v2() + +From: Abdun Nihaal + +[ Upstream commit 1c21cf89a66413eb04b2d22c955b7a50edc14dfa ] + +The memory allocated for ptr using kvmalloc() is not freed on the last +error path. Fix that by freeing it on that error path. + +Fixes: 9a24ce5e29b1 ("Bluetooth: btrtl: Firmware format v2 support") +Signed-off-by: Abdun Nihaal +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btrtl.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/bluetooth/btrtl.c b/drivers/bluetooth/btrtl.c +index 6abd962502e36..1d4a7887abccf 100644 +--- a/drivers/bluetooth/btrtl.c ++++ b/drivers/bluetooth/btrtl.c +@@ -625,8 +625,10 @@ static int rtlbt_parse_firmware_v2(struct hci_dev *hdev, + len += entry->len; + } + +- if (!len) ++ if (!len) { ++ kvfree(ptr); + return -EPERM; ++ } + + *_buf = ptr; + return len; +-- +2.51.0 + diff --git a/queue-6.17/bluetooth-hci_event-validate-skb-length-for-unknown-.patch b/queue-6.17/bluetooth-hci_event-validate-skb-length-for-unknown-.patch new file mode 100644 index 0000000000..a26b35cf41 --- /dev/null +++ b/queue-6.17/bluetooth-hci_event-validate-skb-length-for-unknown-.patch @@ -0,0 +1,49 @@ +From f758fdce361ee3ef6d62bfb4db4d6d35a0a8b438 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Oct 2025 12:29:10 -0400 +Subject: Bluetooth: hci_event: validate skb length for unknown CC opcode + +From: Raphael Pinsonneault-Thibeault + +[ Upstream commit 5c5f1f64681cc889d9b13e4a61285e9e029d6ab5 ] + +In hci_cmd_complete_evt(), if the command complete event has an unknown +opcode, we assume the first byte of the remaining skb->data contains the +return status. However, parameter data has previously been pulled in +hci_event_func(), which may leave the skb empty. If so, using skb->data[0] +for the return status uses un-init memory. + +The fix is to check skb->len before using skb->data. + +Reported-by: syzbot+a9a4bedfca6aa9d7fa24@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=a9a4bedfca6aa9d7fa24 +Tested-by: syzbot+a9a4bedfca6aa9d7fa24@syzkaller.appspotmail.com +Fixes: afcb3369f46ed ("Bluetooth: hci_event: Fix vendor (unknown) opcode status handling") +Signed-off-by: Raphael Pinsonneault-Thibeault +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_event.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index 429f5a858a14b..7ee8bc7ac5a2a 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -4218,6 +4218,13 @@ static void hci_cmd_complete_evt(struct hci_dev *hdev, void *data, + } + + if (i == ARRAY_SIZE(hci_cc_table)) { ++ if (!skb->len) { ++ bt_dev_err(hdev, "Unexpected cc 0x%4.4x with no status", ++ *opcode); ++ *status = HCI_ERROR_UNSPECIFIED; ++ return; ++ } ++ + /* Unknown opcode, assume byte 0 contains the status, so + * that e.g. __hci_cmd_sync() properly returns errors + * for vendor specific commands send by HCI drivers. +-- +2.51.0 + diff --git a/queue-6.17/bnxt_en-always-provide-max-entry-and-entry-size-in-c.patch b/queue-6.17/bnxt_en-always-provide-max-entry-and-entry-size-in-c.patch new file mode 100644 index 0000000000..f17b6ec3cc --- /dev/null +++ b/queue-6.17/bnxt_en-always-provide-max-entry-and-entry-size-in-c.patch @@ -0,0 +1,54 @@ +From bfde4c7af93b6bc05cd6e63c1a8c694a1175d7d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Nov 2025 16:56:58 -0800 +Subject: bnxt_en: Always provide max entry and entry size in coredump segments + +From: Kashyap Desai + +[ Upstream commit 28d9a84ef0ce56cc623da2a1ebf7583c00d52b31 ] + +While populating firmware host logging segments for the coredump, it is +possible for the FW command that flushes the segment to fail. When that +happens, the existing code will not update the max entry and entry size +in the segment header and this causes software that decodes the coredump +to skip the segment. + +The segment most likely has already collected some DMA data, so always +update these 2 segment fields in the header to allow the decoder to +decode any data in the segment. + +Fixes: 3c2179e66355 ("bnxt_en: Add FW trace coredump segments to the coredump") +Reviewed-by: Shruti Parab +Signed-off-by: Kashyap Desai +Signed-off-by: Michael Chan +Link: https://patch.msgid.link/20251104005700.542174-5-michael.chan@broadcom.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt_coredump.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_coredump.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_coredump.c +index a0a37216efb3b..b16534c1c3f11 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_coredump.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_coredump.c +@@ -332,13 +332,14 @@ static void bnxt_fill_drv_seg_record(struct bnxt *bp, + u32 offset = 0; + int rc = 0; + ++ record->max_entries = cpu_to_le32(ctxm->max_entries); ++ record->entry_size = cpu_to_le32(ctxm->entry_size); ++ + rc = bnxt_dbg_hwrm_log_buffer_flush(bp, type, 0, &offset); + if (rc) + return; + + bnxt_bs_trace_check_wrap(bs_trace, offset); +- record->max_entries = cpu_to_le32(ctxm->max_entries); +- record->entry_size = cpu_to_le32(ctxm->entry_size); + record->offset = cpu_to_le32(bs_trace->last_offset); + record->wrapped = bs_trace->wrapped; + } +-- +2.51.0 + diff --git a/queue-6.17/bnxt_en-fix-a-possible-memory-leak-in-bnxt_ptp_init.patch b/queue-6.17/bnxt_en-fix-a-possible-memory-leak-in-bnxt_ptp_init.patch new file mode 100644 index 0000000000..2edbe2e4cb --- /dev/null +++ b/queue-6.17/bnxt_en-fix-a-possible-memory-leak-in-bnxt_ptp_init.patch @@ -0,0 +1,44 @@ +From 4b2ed7ff9c6cdbce340fa8df34d51fb14b954d2e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Nov 2025 16:56:56 -0800 +Subject: bnxt_en: Fix a possible memory leak in bnxt_ptp_init + +From: Kalesh AP + +[ Upstream commit deb8eb39164382f1f67ef8e8af9176baf5e10f2d ] + +In bnxt_ptp_init(), when ptp_clock_register() fails, the driver is +not freeing the memory allocated for ptp_info->pin_config. Fix it +to unconditionally free ptp_info->pin_config in bnxt_ptp_free(). + +Fixes: caf3eedbcd8d ("bnxt_en: 1PPS support for 5750X family chips") +Reviewed-by: Pavan Chebbi +Reviewed-by: Somnath Kotur +Signed-off-by: Kalesh AP +Signed-off-by: Michael Chan +Link: https://patch.msgid.link/20251104005700.542174-3-michael.chan@broadcom.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c +index ca660e6d28a4c..8f2faff044591 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c +@@ -1054,9 +1054,9 @@ static void bnxt_ptp_free(struct bnxt *bp) + if (ptp->ptp_clock) { + ptp_clock_unregister(ptp->ptp_clock); + ptp->ptp_clock = NULL; +- kfree(ptp->ptp_info.pin_config); +- ptp->ptp_info.pin_config = NULL; + } ++ kfree(ptp->ptp_info.pin_config); ++ ptp->ptp_info.pin_config = NULL; + } + + int bnxt_ptp_init(struct bnxt *bp) +-- +2.51.0 + diff --git a/queue-6.17/bnxt_en-fix-null-pointer-dereference-in-bnxt_bs_trac.patch b/queue-6.17/bnxt_en-fix-null-pointer-dereference-in-bnxt_bs_trac.patch new file mode 100644 index 0000000000..1a9bf218eb --- /dev/null +++ b/queue-6.17/bnxt_en-fix-null-pointer-dereference-in-bnxt_bs_trac.patch @@ -0,0 +1,42 @@ +From f9cc9d1543e6dc699396ae2a763b04d8e98a7fc6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Nov 2025 16:56:57 -0800 +Subject: bnxt_en: Fix null pointer dereference in bnxt_bs_trace_check_wrap() + +From: Gautam R A + +[ Upstream commit ff02be05f78399c766be68ab0b2285ff90b2aaa8 ] + +With older FW, we may get the ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER +for FW trace data type that has not been initialized. This will result +in a crash in bnxt_bs_trace_type_wrap(). Add a guard to check for a +valid magic_byte pointer before proceeding. + +Fixes: 84fcd9449fd7 ("bnxt_en: Manage the FW trace context memory") +Reviewed-by: Somnath Kotur +Reviewed-by: Shruti Parab +Signed-off-by: Gautam R A +Signed-off-by: Michael Chan +Link: https://patch.msgid.link/20251104005700.542174-4-michael.chan@broadcom.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.h b/drivers/net/ethernet/broadcom/bnxt/bnxt.h +index 2317172166c7d..6b751eb29c2d4 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h +@@ -2148,7 +2148,7 @@ struct bnxt_bs_trace_info { + static inline void bnxt_bs_trace_check_wrap(struct bnxt_bs_trace_info *bs_trace, + u32 offset) + { +- if (!bs_trace->wrapped && ++ if (!bs_trace->wrapped && bs_trace->magic_byte && + *bs_trace->magic_byte != BNXT_TRACE_BUF_MAGIC_BYTE) + bs_trace->wrapped = 1; + bs_trace->last_offset = offset; +-- +2.51.0 + diff --git a/queue-6.17/bnxt_en-fix-warning-in-bnxt_dl_reload_down.patch b/queue-6.17/bnxt_en-fix-warning-in-bnxt_dl_reload_down.patch new file mode 100644 index 0000000000..7552f96812 --- /dev/null +++ b/queue-6.17/bnxt_en-fix-warning-in-bnxt_dl_reload_down.patch @@ -0,0 +1,75 @@ +From 0d0fa9862bff6ae0598ca9056247d12946ef7441 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Nov 2025 16:56:59 -0800 +Subject: bnxt_en: Fix warning in bnxt_dl_reload_down() + +From: Shantiprasad Shettar + +[ Upstream commit 5204943a4c6efc832993c0fa17dec275071eeccc ] + +The existing code calls bnxt_cancel_reservations() after +bnxt_hwrm_func_drv_unrgtr() in bnxt_dl_reload_down(). +bnxt_cancel_reservations() calls the FW and it will always fail since +the driver has already unregistered, triggering this warning: + +bnxt_en 0000:0a:00.0 ens2np0: resc_qcaps failed + +Fix it by calling bnxt_clear_reservations() which will skip the +unnecessary FW call since we have unregistered. + +Fixes: 228ea8c187d8 ("bnxt_en: implement devlink dev reload driver_reinit") +Reviewed-by: Mohammad Shuab Siddique +Reviewed-by: Somnath Kotur +Reviewed-by: Kalesh AP +Signed-off-by: Shantiprasad Shettar +Signed-off-by: Michael Chan +Link: https://patch.msgid.link/20251104005700.542174-6-michael.chan@broadcom.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 2 +- + drivers/net/ethernet/broadcom/bnxt/bnxt.h | 1 + + drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.c | 2 +- + 3 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index 6a97753c618de..b213ef75c5d17 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -12428,7 +12428,7 @@ static int bnxt_try_recover_fw(struct bnxt *bp) + return -ENODEV; + } + +-static void bnxt_clear_reservations(struct bnxt *bp, bool fw_reset) ++void bnxt_clear_reservations(struct bnxt *bp, bool fw_reset) + { + struct bnxt_hw_resc *hw_resc = &bp->hw_resc; + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.h b/drivers/net/ethernet/broadcom/bnxt/bnxt.h +index 6b751eb29c2d4..2e96e7fd74914 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h +@@ -2930,6 +2930,7 @@ void bnxt_report_link(struct bnxt *bp); + int bnxt_update_link(struct bnxt *bp, bool chng_link_state); + int bnxt_hwrm_set_pause(struct bnxt *); + int bnxt_hwrm_set_link_setting(struct bnxt *, bool, bool); ++void bnxt_clear_reservations(struct bnxt *bp, bool fw_reset); + int bnxt_cancel_reservations(struct bnxt *bp, bool fw_reset); + int bnxt_hwrm_alloc_wol_fltr(struct bnxt *bp); + int bnxt_hwrm_free_wol_fltr(struct bnxt *bp); +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.c +index 4c4581b0342e8..3c540c63c7949 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.c +@@ -467,7 +467,7 @@ static int bnxt_dl_reload_down(struct devlink *dl, bool netns_change, + rtnl_unlock(); + break; + } +- bnxt_cancel_reservations(bp, false); ++ bnxt_clear_reservations(bp, false); + bnxt_free_ctx_mem(bp, false); + break; + } +-- +2.51.0 + diff --git a/queue-6.17/bnxt_en-shutdown-fw-dma-in-bnxt_shutdown.patch b/queue-6.17/bnxt_en-shutdown-fw-dma-in-bnxt_shutdown.patch new file mode 100644 index 0000000000..a25e7f4747 --- /dev/null +++ b/queue-6.17/bnxt_en-shutdown-fw-dma-in-bnxt_shutdown.patch @@ -0,0 +1,48 @@ +From 16a6ab8bd67ca8b95cb6b051ede49a6caa0dc7ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Nov 2025 16:56:55 -0800 +Subject: bnxt_en: Shutdown FW DMA in bnxt_shutdown() + +From: Michael Chan + +[ Upstream commit bc7208ca805ae6062f353a4753467d913d963bc6 ] + +The netif_close() call in bnxt_shutdown() only stops packet DMA. There +may be FW DMA for trace logging (recently added) that will continue. If +we kexec to a new kernel, the DMA will corrupt memory in the new kernel. + +Add bnxt_hwrm_func_drv_unrgtr() to unregister the driver from the FW. +This will stop the FW DMA. In case the call fails, call pcie_flr() to +reset the function and stop the DMA. + +Fixes: 24d694aec139 ("bnxt_en: Allocate backing store memory for FW trace logs") +Reported-by: Jakub Kicinski +Reviewed-by: Damodharam Ammepalli +Reviewed-by: Kalesh AP +Reviewed-by: Somnath Kotur +Signed-off-by: Michael Chan +Link: https://patch.msgid.link/20251104005700.542174-2-michael.chan@broadcom.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index 60e20b7642174..6a97753c618de 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -16869,6 +16869,10 @@ static void bnxt_shutdown(struct pci_dev *pdev) + if (netif_running(dev)) + netif_close(dev); + ++ if (bnxt_hwrm_func_drv_unrgtr(bp)) { ++ pcie_flr(pdev); ++ goto shutdown_exit; ++ } + bnxt_ptp_clear(bp); + bnxt_clear_int_mode(bp); + pci_disable_device(pdev); +-- +2.51.0 + diff --git a/queue-6.17/gpio-swnode-don-t-use-the-swnode-s-name-as-the-key-f.patch b/queue-6.17/gpio-swnode-don-t-use-the-swnode-s-name-as-the-key-f.patch new file mode 100644 index 0000000000..a704e463e6 --- /dev/null +++ b/queue-6.17/gpio-swnode-don-t-use-the-swnode-s-name-as-the-key-f.patch @@ -0,0 +1,40 @@ +From 920aff4f15546098e73287459a6159732fb2b610 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Nov 2025 10:35:24 +0100 +Subject: gpio: swnode: don't use the swnode's name as the key for GPIO lookup + +From: Bartosz Golaszewski + +[ Upstream commit e5d527be7e6984882306b49c067f1fec18920735 ] + +Looking up a GPIO controller by label that is the name of the software +node is wonky at best - the GPIO controller driver is free to set +a different label than the name of its firmware node. We're already being +passed a firmware node handle attached to the GPIO device to +swnode_get_gpio_device() so use it instead for a more precise lookup. + +Acked-by: Linus Walleij +Fixes: e7f9ff5dc90c ("gpiolib: add support for software nodes") +Link: https://lore.kernel.org/r/20251103-reset-gpios-swnodes-v4-4-6461800b6775@linaro.org +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib-swnode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpiolib-swnode.c b/drivers/gpio/gpiolib-swnode.c +index f21dbc28cf2c8..e3806db1c0e07 100644 +--- a/drivers/gpio/gpiolib-swnode.c ++++ b/drivers/gpio/gpiolib-swnode.c +@@ -41,7 +41,7 @@ static struct gpio_device *swnode_get_gpio_device(struct fwnode_handle *fwnode) + !strcmp(gdev_node->name, GPIOLIB_SWNODE_UNDEFINED_NAME)) + return ERR_PTR(-ENOENT); + +- gdev = gpio_device_find_by_label(gdev_node->name); ++ gdev = gpio_device_find_by_fwnode(fwnode); + return gdev ?: ERR_PTR(-EPROBE_DEFER); + } + +-- +2.51.0 + diff --git a/queue-6.17/gpiolib-fix-invalid-pointer-access-in-debugfs.patch b/queue-6.17/gpiolib-fix-invalid-pointer-access-in-debugfs.patch new file mode 100644 index 0000000000..92511b3b2e --- /dev/null +++ b/queue-6.17/gpiolib-fix-invalid-pointer-access-in-debugfs.patch @@ -0,0 +1,53 @@ +From 28462986580aa87eb296c27aebb876f4d4966429 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Nov 2025 15:11:32 +0100 +Subject: gpiolib: fix invalid pointer access in debugfs + +From: Bartosz Golaszewski + +[ Upstream commit 2f6115ad8864cf3f48598f26c74c7c8e5c391919 ] + +If the memory allocation in gpiolib_seq_start() fails, the s->private +field remains uninitialized and is later dereferenced without checking +in gpiolib_seq_stop(). Initialize s->private to NULL before calling +kzalloc() and check it before dereferencing it. + +Fixes: e348544f7994 ("gpio: protect the list of GPIO devices with SRCU") +Reviewed-by: Linus Walleij +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20251103141132.53471-1-brgl@bgdev.pl +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c +index 74d54513730a7..4aa66d7b08598 100644 +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -5285,6 +5285,8 @@ static void *gpiolib_seq_start(struct seq_file *s, loff_t *pos) + struct gpio_device *gdev; + loff_t index = *pos; + ++ s->private = NULL; ++ + priv = kzalloc(sizeof(*priv), GFP_KERNEL); + if (!priv) + return NULL; +@@ -5318,7 +5320,11 @@ static void *gpiolib_seq_next(struct seq_file *s, void *v, loff_t *pos) + + static void gpiolib_seq_stop(struct seq_file *s, void *v) + { +- struct gpiolib_seq_priv *priv = s->private; ++ struct gpiolib_seq_priv *priv; ++ ++ priv = s->private; ++ if (!priv) ++ return; + + srcu_read_unlock(&gpio_devices_srcu, priv->idx); + kfree(priv); +-- +2.51.0 + diff --git a/queue-6.17/gve-implement-gettimex64-with-eopnotsupp.patch b/queue-6.17/gve-implement-gettimex64-with-eopnotsupp.patch new file mode 100644 index 0000000000..2977d82e90 --- /dev/null +++ b/queue-6.17/gve-implement-gettimex64-with-eopnotsupp.patch @@ -0,0 +1,57 @@ +From 29eda4b600254f6ab99080bd790ad8c6ede63752 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Oct 2025 11:45:39 -0700 +Subject: gve: Implement gettimex64 with -EOPNOTSUPP + +From: Tim Hostetler + +[ Upstream commit 6ab753b5d8e521616cd9bd10b09891cbeb7e0235 ] + +gve implemented a ptp_clock for sole use of do_aux_work at this time. +ptp_clock_gettime() and ptp_sys_offset() assume every ptp_clock has +implemented either gettimex64 or gettime64. Stub gettimex64 and return +-EOPNOTSUPP to prevent NULL dereferencing. + +Fixes: acd16380523b ("gve: Add initial PTP device support") +Reported-by: syzbot+c8c0e7ccabd456541612@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=c8c0e7ccabd456541612 +Signed-off-by: Tim Hostetler +Reviewed-by: Harshitha Ramamurthy +Reviewed-by: Kuniyuki Iwashima +Signed-off-by: Joshua Washington +Link: https://patch.msgid.link/20251029184555.3852952-2-joshwash@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/google/gve/gve_ptp.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/net/ethernet/google/gve/gve_ptp.c b/drivers/net/ethernet/google/gve/gve_ptp.c +index e96247c9d68d2..19ae699d4b18d 100644 +--- a/drivers/net/ethernet/google/gve/gve_ptp.c ++++ b/drivers/net/ethernet/google/gve/gve_ptp.c +@@ -26,6 +26,13 @@ int gve_clock_nic_ts_read(struct gve_priv *priv) + return 0; + } + ++static int gve_ptp_gettimex64(struct ptp_clock_info *info, ++ struct timespec64 *ts, ++ struct ptp_system_timestamp *sts) ++{ ++ return -EOPNOTSUPP; ++} ++ + static long gve_ptp_do_aux_work(struct ptp_clock_info *info) + { + const struct gve_ptp *ptp = container_of(info, struct gve_ptp, info); +@@ -47,6 +54,7 @@ static long gve_ptp_do_aux_work(struct ptp_clock_info *info) + static const struct ptp_clock_info gve_ptp_caps = { + .owner = THIS_MODULE, + .name = "gve clock", ++ .gettimex64 = gve_ptp_gettimex64, + .do_aux_work = gve_ptp_do_aux_work, + }; + +-- +2.51.0 + diff --git a/queue-6.17/gve-implement-settime64-with-eopnotsupp.patch b/queue-6.17/gve-implement-settime64-with-eopnotsupp.patch new file mode 100644 index 0000000000..ad969c2cf2 --- /dev/null +++ b/queue-6.17/gve-implement-settime64-with-eopnotsupp.patch @@ -0,0 +1,53 @@ +From 5c39456e4ee4d526aa69c54e6eca378646b9274e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Oct 2025 11:45:40 -0700 +Subject: gve: Implement settime64 with -EOPNOTSUPP + +From: Tim Hostetler + +[ Upstream commit 329d050bbe63c2999f657cf2d3855be11a473745 ] + +ptp_clock_settime() assumes every ptp_clock has implemented settime64(). +Stub it with -EOPNOTSUPP to prevent a NULL dereference. + +Fixes: acd16380523b ("gve: Add initial PTP device support") +Reported-by: syzbot+a546141ca6d53b90aba3@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=a546141ca6d53b90aba3 +Signed-off-by: Tim Hostetler +Reviewed-by: Kuniyuki Iwashima +Signed-off-by: Joshua Washington +Link: https://patch.msgid.link/20251029184555.3852952-3-joshwash@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/google/gve/gve_ptp.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/ethernet/google/gve/gve_ptp.c b/drivers/net/ethernet/google/gve/gve_ptp.c +index 19ae699d4b18d..a384a9ed4914e 100644 +--- a/drivers/net/ethernet/google/gve/gve_ptp.c ++++ b/drivers/net/ethernet/google/gve/gve_ptp.c +@@ -33,6 +33,12 @@ static int gve_ptp_gettimex64(struct ptp_clock_info *info, + return -EOPNOTSUPP; + } + ++static int gve_ptp_settime64(struct ptp_clock_info *info, ++ const struct timespec64 *ts) ++{ ++ return -EOPNOTSUPP; ++} ++ + static long gve_ptp_do_aux_work(struct ptp_clock_info *info) + { + const struct gve_ptp *ptp = container_of(info, struct gve_ptp, info); +@@ -55,6 +61,7 @@ static const struct ptp_clock_info gve_ptp_caps = { + .owner = THIS_MODULE, + .name = "gve clock", + .gettimex64 = gve_ptp_gettimex64, ++ .settime64 = gve_ptp_settime64, + .do_aux_work = gve_ptp_do_aux_work, + }; + +-- +2.51.0 + diff --git a/queue-6.17/io_uring-fix-types-for-region-size-calulation.patch b/queue-6.17/io_uring-fix-types-for-region-size-calulation.patch new file mode 100644 index 0000000000..c21725516b --- /dev/null +++ b/queue-6.17/io_uring-fix-types-for-region-size-calulation.patch @@ -0,0 +1,37 @@ +From 40d018a3fad6e97f9599c304b280f76d6c2e6ba1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Nov 2025 15:47:01 +0000 +Subject: io_uring: fix types for region size calulation + +From: Pavel Begunkov + +[ Upstream commit 1fd5367391bf0eeb09e624c4ab45121b54eaab96 ] + +->nr_pages is int, it needs type extension before calculating the region +size. + +Fixes: a90558b36ccee ("io_uring/memmap: helper for pinning region pages") +Signed-off-by: Pavel Begunkov +[axboe: style fixup] +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + io_uring/memmap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/io_uring/memmap.c b/io_uring/memmap.c +index 2e99dffddfc5c..add03ca75cb90 100644 +--- a/io_uring/memmap.c ++++ b/io_uring/memmap.c +@@ -135,7 +135,7 @@ static int io_region_pin_pages(struct io_ring_ctx *ctx, + struct io_mapped_region *mr, + struct io_uring_region_desc *reg) + { +- unsigned long size = mr->nr_pages << PAGE_SHIFT; ++ unsigned long size = (size_t) mr->nr_pages << PAGE_SHIFT; + struct page **pages; + int nr_pages; + +-- +2.51.0 + diff --git a/queue-6.17/lan966x-fix-sleeping-in-atomic-context.patch b/queue-6.17/lan966x-fix-sleeping-in-atomic-context.patch new file mode 100644 index 0000000000..6526dbfbb2 --- /dev/null +++ b/queue-6.17/lan966x-fix-sleeping-in-atomic-context.patch @@ -0,0 +1,213 @@ +From 1a2e55ccae59a51a33b89d2c5e27a94823bc663f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Nov 2025 08:49:55 +0100 +Subject: lan966x: Fix sleeping in atomic context + +From: Horatiu Vultur + +[ Upstream commit 0216721ce71252f60d89af49c8dff613358058d3 ] + +The following warning was seen when we try to connect using ssh to the device. + +BUG: sleeping function called from invalid context at kernel/locking/mutex.c:575 +in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 104, name: dropbear +preempt_count: 1, expected: 0 +INFO: lockdep is turned off. +CPU: 0 UID: 0 PID: 104 Comm: dropbear Tainted: G W 6.18.0-rc2-00399-g6f1ab1b109b9-dirty #530 NONE +Tainted: [W]=WARN +Hardware name: Generic DT based system +Call trace: + unwind_backtrace from show_stack+0x10/0x14 + show_stack from dump_stack_lvl+0x7c/0xac + dump_stack_lvl from __might_resched+0x16c/0x2b0 + __might_resched from __mutex_lock+0x64/0xd34 + __mutex_lock from mutex_lock_nested+0x1c/0x24 + mutex_lock_nested from lan966x_stats_get+0x5c/0x558 + lan966x_stats_get from dev_get_stats+0x40/0x43c + dev_get_stats from dev_seq_printf_stats+0x3c/0x184 + dev_seq_printf_stats from dev_seq_show+0x10/0x30 + dev_seq_show from seq_read_iter+0x350/0x4ec + seq_read_iter from seq_read+0xfc/0x194 + seq_read from proc_reg_read+0xac/0x100 + proc_reg_read from vfs_read+0xb0/0x2b0 + vfs_read from ksys_read+0x6c/0xec + ksys_read from ret_fast_syscall+0x0/0x1c +Exception stack(0xf0b11fa8 to 0xf0b11ff0) +1fa0: 00000001 00001000 00000008 be9048d8 00001000 00000001 +1fc0: 00000001 00001000 00000008 00000003 be905920 0000001e 00000000 00000001 +1fe0: 0005404c be9048c0 00018684 b6ec2cd8 + +It seems that we are using a mutex in a atomic context which is wrong. +Change the mutex with a spinlock. + +Fixes: 12c2d0a5b8e2 ("net: lan966x: add ethtool configuration and statistics") +Signed-off-by: Horatiu Vultur +Reviewed-by: Jacob Keller +Link: https://patch.msgid.link/20251105074955.1766792-1-horatiu.vultur@microchip.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../microchip/lan966x/lan966x_ethtool.c | 18 +++++++++--------- + .../ethernet/microchip/lan966x/lan966x_main.c | 2 -- + .../ethernet/microchip/lan966x/lan966x_main.h | 4 ++-- + .../microchip/lan966x/lan966x_vcap_impl.c | 8 ++++---- + 4 files changed, 15 insertions(+), 17 deletions(-) + +diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_ethtool.c b/drivers/net/ethernet/microchip/lan966x/lan966x_ethtool.c +index 2474dfd330f46..fe4e614052840 100644 +--- a/drivers/net/ethernet/microchip/lan966x/lan966x_ethtool.c ++++ b/drivers/net/ethernet/microchip/lan966x/lan966x_ethtool.c +@@ -294,7 +294,7 @@ static void lan966x_stats_update(struct lan966x *lan966x) + { + int i, j; + +- mutex_lock(&lan966x->stats_lock); ++ spin_lock(&lan966x->stats_lock); + + for (i = 0; i < lan966x->num_phys_ports; i++) { + uint idx = i * lan966x->num_stats; +@@ -310,7 +310,7 @@ static void lan966x_stats_update(struct lan966x *lan966x) + } + } + +- mutex_unlock(&lan966x->stats_lock); ++ spin_unlock(&lan966x->stats_lock); + } + + static int lan966x_get_sset_count(struct net_device *dev, int sset) +@@ -365,7 +365,7 @@ static void lan966x_get_eth_mac_stats(struct net_device *dev, + + idx = port->chip_port * lan966x->num_stats; + +- mutex_lock(&lan966x->stats_lock); ++ spin_lock(&lan966x->stats_lock); + + mac_stats->FramesTransmittedOK = + lan966x->stats[idx + SYS_COUNT_TX_UC] + +@@ -416,7 +416,7 @@ static void lan966x_get_eth_mac_stats(struct net_device *dev, + lan966x->stats[idx + SYS_COUNT_RX_LONG] + + lan966x->stats[idx + SYS_COUNT_RX_PMAC_LONG]; + +- mutex_unlock(&lan966x->stats_lock); ++ spin_unlock(&lan966x->stats_lock); + } + + static const struct ethtool_rmon_hist_range lan966x_rmon_ranges[] = { +@@ -442,7 +442,7 @@ static void lan966x_get_eth_rmon_stats(struct net_device *dev, + + idx = port->chip_port * lan966x->num_stats; + +- mutex_lock(&lan966x->stats_lock); ++ spin_lock(&lan966x->stats_lock); + + rmon_stats->undersize_pkts = + lan966x->stats[idx + SYS_COUNT_RX_SHORT] + +@@ -500,7 +500,7 @@ static void lan966x_get_eth_rmon_stats(struct net_device *dev, + lan966x->stats[idx + SYS_COUNT_TX_SZ_1024_1526] + + lan966x->stats[idx + SYS_COUNT_TX_PMAC_SZ_1024_1526]; + +- mutex_unlock(&lan966x->stats_lock); ++ spin_unlock(&lan966x->stats_lock); + + *ranges = lan966x_rmon_ranges; + } +@@ -603,7 +603,7 @@ void lan966x_stats_get(struct net_device *dev, + + idx = port->chip_port * lan966x->num_stats; + +- mutex_lock(&lan966x->stats_lock); ++ spin_lock(&lan966x->stats_lock); + + stats->rx_bytes = lan966x->stats[idx + SYS_COUNT_RX_OCT] + + lan966x->stats[idx + SYS_COUNT_RX_PMAC_OCT]; +@@ -685,7 +685,7 @@ void lan966x_stats_get(struct net_device *dev, + + stats->collisions = lan966x->stats[idx + SYS_COUNT_TX_COL]; + +- mutex_unlock(&lan966x->stats_lock); ++ spin_unlock(&lan966x->stats_lock); + } + + int lan966x_stats_init(struct lan966x *lan966x) +@@ -701,7 +701,7 @@ int lan966x_stats_init(struct lan966x *lan966x) + return -ENOMEM; + + /* Init stats worker */ +- mutex_init(&lan966x->stats_lock); ++ spin_lock_init(&lan966x->stats_lock); + snprintf(queue_name, sizeof(queue_name), "%s-stats", + dev_name(lan966x->dev)); + lan966x->stats_queue = create_singlethread_workqueue(queue_name); +diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_main.c b/drivers/net/ethernet/microchip/lan966x/lan966x_main.c +index 7001584f1b7a6..47752d3fde0b1 100644 +--- a/drivers/net/ethernet/microchip/lan966x/lan966x_main.c ++++ b/drivers/net/ethernet/microchip/lan966x/lan966x_main.c +@@ -1261,7 +1261,6 @@ static int lan966x_probe(struct platform_device *pdev) + + cancel_delayed_work_sync(&lan966x->stats_work); + destroy_workqueue(lan966x->stats_queue); +- mutex_destroy(&lan966x->stats_lock); + + debugfs_remove_recursive(lan966x->debugfs_root); + +@@ -1279,7 +1278,6 @@ static void lan966x_remove(struct platform_device *pdev) + + cancel_delayed_work_sync(&lan966x->stats_work); + destroy_workqueue(lan966x->stats_queue); +- mutex_destroy(&lan966x->stats_lock); + + lan966x_mac_purge_entries(lan966x); + lan966x_mdb_deinit(lan966x); +diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_main.h b/drivers/net/ethernet/microchip/lan966x/lan966x_main.h +index 4f75f06883693..eea286c29474f 100644 +--- a/drivers/net/ethernet/microchip/lan966x/lan966x_main.h ++++ b/drivers/net/ethernet/microchip/lan966x/lan966x_main.h +@@ -295,8 +295,8 @@ struct lan966x { + const struct lan966x_stat_layout *stats_layout; + u32 num_stats; + +- /* workqueue for reading stats */ +- struct mutex stats_lock; ++ /* lock for reading stats */ ++ spinlock_t stats_lock; + u64 *stats; + struct delayed_work stats_work; + struct workqueue_struct *stats_queue; +diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_vcap_impl.c b/drivers/net/ethernet/microchip/lan966x/lan966x_vcap_impl.c +index a1471e38d1189..2a37fc1ba4bcd 100644 +--- a/drivers/net/ethernet/microchip/lan966x/lan966x_vcap_impl.c ++++ b/drivers/net/ethernet/microchip/lan966x/lan966x_vcap_impl.c +@@ -403,11 +403,11 @@ static void lan966x_es0_read_esdx_counter(struct lan966x *lan966x, + u32 counter; + + id = id & 0xff; /* counter limit */ +- mutex_lock(&lan966x->stats_lock); ++ spin_lock(&lan966x->stats_lock); + lan_wr(SYS_STAT_CFG_STAT_VIEW_SET(id), lan966x, SYS_STAT_CFG); + counter = lan_rd(lan966x, SYS_CNT(LAN966X_STAT_ESDX_GRN_PKTS)) + + lan_rd(lan966x, SYS_CNT(LAN966X_STAT_ESDX_YEL_PKTS)); +- mutex_unlock(&lan966x->stats_lock); ++ spin_unlock(&lan966x->stats_lock); + if (counter) + admin->cache.counter = counter; + } +@@ -417,14 +417,14 @@ static void lan966x_es0_write_esdx_counter(struct lan966x *lan966x, + { + id = id & 0xff; /* counter limit */ + +- mutex_lock(&lan966x->stats_lock); ++ spin_lock(&lan966x->stats_lock); + lan_wr(SYS_STAT_CFG_STAT_VIEW_SET(id), lan966x, SYS_STAT_CFG); + lan_wr(0, lan966x, SYS_CNT(LAN966X_STAT_ESDX_GRN_BYTES)); + lan_wr(admin->cache.counter, lan966x, + SYS_CNT(LAN966X_STAT_ESDX_GRN_PKTS)); + lan_wr(0, lan966x, SYS_CNT(LAN966X_STAT_ESDX_YEL_BYTES)); + lan_wr(0, lan966x, SYS_CNT(LAN966X_STAT_ESDX_YEL_PKTS)); +- mutex_unlock(&lan966x->stats_lock); ++ spin_unlock(&lan966x->stats_lock); + } + + static void lan966x_vcap_cache_write(struct net_device *dev, +-- +2.51.0 + diff --git a/queue-6.17/net-bridge-fix-mst-static-key-usage.patch b/queue-6.17/net-bridge-fix-mst-static-key-usage.patch new file mode 100644 index 0000000000..263d7c1720 --- /dev/null +++ b/queue-6.17/net-bridge-fix-mst-static-key-usage.patch @@ -0,0 +1,96 @@ +From 9f4c14e62448cdef9c67bc7bed90db23c0ad3a5a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Nov 2025 13:19:19 +0200 +Subject: net: bridge: fix MST static key usage + +From: Nikolay Aleksandrov + +[ Upstream commit ee87c63f9b2a418f698d79c2991347e31a7d2c27 ] + +As Ido pointed out, the static key usage in MST is buggy and should use +inc/dec instead of enable/disable because we can have multiple bridges +with MST enabled which means a single bridge can disable MST for all. +Use static_branch_inc/dec to avoid that. When destroying a bridge decrement +the key if MST was enabled. + +Fixes: ec7328b59176 ("net: bridge: mst: Multiple Spanning Tree (MST) mode") +Reported-by: Ido Schimmel +Closes: https://lore.kernel.org/netdev/20251104120313.1306566-1-razor@blackwall.org/T/#m6888d87658f94ed1725433940f4f4ebb00b5a68b +Signed-off-by: Nikolay Aleksandrov +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20251105111919.1499702-3-razor@blackwall.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/bridge/br_if.c | 1 + + net/bridge/br_mst.c | 10 ++++++++-- + net/bridge/br_private.h | 5 +++++ + 3 files changed, 14 insertions(+), 2 deletions(-) + +diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c +index 98c5b9c3145f3..ca3a637d7cca7 100644 +--- a/net/bridge/br_if.c ++++ b/net/bridge/br_if.c +@@ -386,6 +386,7 @@ void br_dev_delete(struct net_device *dev, struct list_head *head) + del_nbp(p); + } + ++ br_mst_uninit(br); + br_recalculate_neigh_suppress_enabled(br); + + br_fdb_delete_by_port(br, NULL, 0, 1); +diff --git a/net/bridge/br_mst.c b/net/bridge/br_mst.c +index 3f24b4ee49c27..43a300ae6bfaf 100644 +--- a/net/bridge/br_mst.c ++++ b/net/bridge/br_mst.c +@@ -22,6 +22,12 @@ bool br_mst_enabled(const struct net_device *dev) + } + EXPORT_SYMBOL_GPL(br_mst_enabled); + ++void br_mst_uninit(struct net_bridge *br) ++{ ++ if (br_opt_get(br, BROPT_MST_ENABLED)) ++ static_branch_dec(&br_mst_used); ++} ++ + int br_mst_get_info(const struct net_device *dev, u16 msti, unsigned long *vids) + { + const struct net_bridge_vlan_group *vg; +@@ -225,9 +231,9 @@ int br_mst_set_enabled(struct net_bridge *br, bool on, + return err; + + if (on) +- static_branch_enable(&br_mst_used); ++ static_branch_inc(&br_mst_used); + else +- static_branch_disable(&br_mst_used); ++ static_branch_dec(&br_mst_used); + + br_opt_toggle(br, BROPT_MST_ENABLED, on); + return 0; +diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h +index fdaf7d8374639..5926e708d586a 100644 +--- a/net/bridge/br_private.h ++++ b/net/bridge/br_private.h +@@ -1951,6 +1951,7 @@ int br_mst_fill_info(struct sk_buff *skb, + const struct net_bridge_vlan_group *vg); + int br_mst_process(struct net_bridge_port *p, const struct nlattr *mst_attr, + struct netlink_ext_ack *extack); ++void br_mst_uninit(struct net_bridge *br); + #else + static inline bool br_mst_is_enabled(const struct net_bridge_port *p) + { +@@ -1986,6 +1987,10 @@ static inline int br_mst_process(struct net_bridge_port *p, + { + return -EOPNOTSUPP; + } ++ ++static inline void br_mst_uninit(struct net_bridge *br) ++{ ++} + #endif + + struct nf_br_ops { +-- +2.51.0 + diff --git a/queue-6.17/net-bridge-fix-use-after-free-due-to-mst-port-state-.patch b/queue-6.17/net-bridge-fix-use-after-free-due-to-mst-port-state-.patch new file mode 100644 index 0000000000..7a83e26839 --- /dev/null +++ b/queue-6.17/net-bridge-fix-use-after-free-due-to-mst-port-state-.patch @@ -0,0 +1,104 @@ +From 56a6b9a0e344dcd2ad297dc3b70f3e0a9c60359e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Nov 2025 13:19:18 +0200 +Subject: net: bridge: fix use-after-free due to MST port state bypass + +From: Nikolay Aleksandrov + +[ Upstream commit 8dca36978aa80bab9d4da130c211db75c9e00048 ] + +syzbot reported[1] a use-after-free when deleting an expired fdb. It is +due to a race condition between learning still happening and a port being +deleted, after all its fdbs have been flushed. The port's state has been +toggled to disabled so no learning should happen at that time, but if we +have MST enabled, it will bypass the port's state, that together with VLAN +filtering disabled can lead to fdb learning at a time when it shouldn't +happen while the port is being deleted. VLAN filtering must be disabled +because we flush the port VLANs when it's being deleted which will stop +learning. This fix adds a check for the port's vlan group which is +initialized to NULL when the port is getting deleted, that avoids the port +state bypass. When MST is enabled there would be a minimal new overhead +in the fast-path because the port's vlan group pointer is cache-hot. + +[1] https://syzkaller.appspot.com/bug?extid=dd280197f0f7ab3917be + +Fixes: ec7328b59176 ("net: bridge: mst: Multiple Spanning Tree (MST) mode") +Reported-by: syzbot+dd280197f0f7ab3917be@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/69088ffa.050a0220.29fc44.003d.GAE@google.com/ +Signed-off-by: Nikolay Aleksandrov +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20251105111919.1499702-2-razor@blackwall.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/bridge/br_forward.c | 2 +- + net/bridge/br_input.c | 4 ++-- + net/bridge/br_private.h | 8 +++++--- + 3 files changed, 8 insertions(+), 6 deletions(-) + +diff --git a/net/bridge/br_forward.c b/net/bridge/br_forward.c +index 870bdf2e082c4..dea09096ad0fb 100644 +--- a/net/bridge/br_forward.c ++++ b/net/bridge/br_forward.c +@@ -25,7 +25,7 @@ static inline int should_deliver(const struct net_bridge_port *p, + + vg = nbp_vlan_group_rcu(p); + return ((p->flags & BR_HAIRPIN_MODE) || skb->dev != p->dev) && +- (br_mst_is_enabled(p->br) || p->state == BR_STATE_FORWARDING) && ++ (br_mst_is_enabled(p) || p->state == BR_STATE_FORWARDING) && + br_allowed_egress(vg, skb) && nbp_switchdev_allowed_egress(p, skb) && + !br_skb_isolated(p, skb); + } +diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c +index 5f6ac9bf15275..c07265b365b10 100644 +--- a/net/bridge/br_input.c ++++ b/net/bridge/br_input.c +@@ -94,7 +94,7 @@ int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb + + br = p->br; + +- if (br_mst_is_enabled(br)) { ++ if (br_mst_is_enabled(p)) { + state = BR_STATE_FORWARDING; + } else { + if (p->state == BR_STATE_DISABLED) { +@@ -421,7 +421,7 @@ static rx_handler_result_t br_handle_frame(struct sk_buff **pskb) + return RX_HANDLER_PASS; + + forward: +- if (br_mst_is_enabled(p->br)) ++ if (br_mst_is_enabled(p)) + goto defer_stp_filtering; + + switch (p->state) { +diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h +index 8de0904b9627f..fdaf7d8374639 100644 +--- a/net/bridge/br_private.h ++++ b/net/bridge/br_private.h +@@ -1932,10 +1932,12 @@ static inline bool br_vlan_state_allowed(u8 state, bool learn_allow) + /* br_mst.c */ + #ifdef CONFIG_BRIDGE_VLAN_FILTERING + DECLARE_STATIC_KEY_FALSE(br_mst_used); +-static inline bool br_mst_is_enabled(struct net_bridge *br) ++static inline bool br_mst_is_enabled(const struct net_bridge_port *p) + { ++ /* check the port's vlan group to avoid racing with port deletion */ + return static_branch_unlikely(&br_mst_used) && +- br_opt_get(br, BROPT_MST_ENABLED); ++ br_opt_get(p->br, BROPT_MST_ENABLED) && ++ rcu_access_pointer(p->vlgrp); + } + + int br_mst_set_state(struct net_bridge_port *p, u16 msti, u8 state, +@@ -1950,7 +1952,7 @@ int br_mst_fill_info(struct sk_buff *skb, + int br_mst_process(struct net_bridge_port *p, const struct nlattr *mst_attr, + struct netlink_ext_ack *extack); + #else +-static inline bool br_mst_is_enabled(struct net_bridge *br) ++static inline bool br_mst_is_enabled(const struct net_bridge_port *p) + { + return false; + } +-- +2.51.0 + diff --git a/queue-6.17/net-dsa-b53-fix-bcm63xx-rgmii-port-link-adjustment.patch b/queue-6.17/net-dsa-b53-fix-bcm63xx-rgmii-port-link-adjustment.patch new file mode 100644 index 0000000000..5db85323b3 --- /dev/null +++ b/queue-6.17/net-dsa-b53-fix-bcm63xx-rgmii-port-link-adjustment.patch @@ -0,0 +1,64 @@ +From 6297ec4975f088d056e55fb6ae6d04810747aaf2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Nov 2025 14:28:07 +0100 +Subject: net: dsa: b53: fix bcm63xx RGMII port link adjustment + +From: Jonas Gorski + +[ Upstream commit 3e4ebdc1606adf77744cf8ed7a433d279fdc57ba ] + +BCM63XX's switch does not support MDIO scanning of external phys, so its +MACs needs to be manually configured for autonegotiated link speeds. + +So b53_force_port_config() and b53_force_link() accordingly also when +mode is MLO_AN_PHY for those ports. + +Fixes lower speeds than 1000/full on rgmii ports 4 - 7. + +This aligns the behaviour with the old bcm63xx_enetsw driver for those +ports. + +Fixes: 967dd82ffc52 ("net: dsa: b53: Add support for Broadcom RoboSwitch") +Signed-off-by: Jonas Gorski +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20251101132807.50419-3-jonas.gorski@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index cb28256ef3cc3..bb2c6dfa7835d 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -1602,8 +1602,11 @@ static void b53_phylink_mac_link_down(struct phylink_config *config, + struct b53_device *dev = dp->ds->priv; + int port = dp->index; + +- if (mode == MLO_AN_PHY) ++ if (mode == MLO_AN_PHY) { ++ if (is63xx(dev) && in_range(port, B53_63XX_RGMII0, 4)) ++ b53_force_link(dev, port, false); + return; ++ } + + if (mode == MLO_AN_FIXED) { + b53_force_link(dev, port, false); +@@ -1631,6 +1634,13 @@ static void b53_phylink_mac_link_up(struct phylink_config *config, + if (mode == MLO_AN_PHY) { + /* Re-negotiate EEE if it was enabled already */ + p->eee_enabled = b53_eee_init(ds, port, phydev); ++ ++ if (is63xx(dev) && in_range(port, B53_63XX_RGMII0, 4)) { ++ b53_force_port_config(dev, port, speed, duplex, ++ tx_pause, rx_pause); ++ b53_force_link(dev, port, true); ++ } ++ + return; + } + +-- +2.51.0 + diff --git a/queue-6.17/net-dsa-b53-fix-enabling-ip-multicast.patch b/queue-6.17/net-dsa-b53-fix-enabling-ip-multicast.patch new file mode 100644 index 0000000000..d2409c613c --- /dev/null +++ b/queue-6.17/net-dsa-b53-fix-enabling-ip-multicast.patch @@ -0,0 +1,75 @@ +From 8111f3208d04520201c35fbda7a66b505e05c8bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Nov 2025 11:07:56 +0100 +Subject: net: dsa: b53: fix enabling ip multicast + +From: Jonas Gorski + +[ Upstream commit c264294624e956a967a9e2e5fa41e3273340b089 ] + +In the New Control register bit 1 is either reserved, or has a different +function: + + Out of Range Error Discard + + When enabled, the ingress port discards any frames + if the Length field is between 1500 and 1536 + (excluding 1500 and 1536) and with good CRC. + +The actual bit for enabling IP multicast is bit 0, which was only +explicitly enabled for BCM5325 so far. + +For older switch chips, this bit defaults to 0, so we want to enable it +as well, while newer switch chips default to 1, and their documentation +says "It is illegal to set this bit to zero." + +So drop the wrong B53_IPMC_FWD_EN define, enable the IP multicast bit +also for other switch chips. While at it, rename it to (B53_)IP_MC as +that is how it is called in Broadcom code. + +Fixes: 63cc54a6f073 ("net: dsa: b53: Fix egress flooding settings") +Signed-off-by: Jonas Gorski +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20251102100758.28352-2-jonas.gorski@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 4 ++-- + drivers/net/dsa/b53/b53_regs.h | 3 +-- + 2 files changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index bb2c6dfa7835d..58c31049c0e7a 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -371,11 +371,11 @@ static void b53_set_forwarding(struct b53_device *dev, int enable) + * frames should be flooded or not. + */ + b53_read8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, &mgmt); +- mgmt |= B53_UC_FWD_EN | B53_MC_FWD_EN | B53_IPMC_FWD_EN; ++ mgmt |= B53_UC_FWD_EN | B53_MC_FWD_EN | B53_IP_MC; + b53_write8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, mgmt); + } else { + b53_read8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, &mgmt); +- mgmt |= B53_IP_MCAST_25; ++ mgmt |= B53_IP_MC; + b53_write8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, mgmt); + } + } +diff --git a/drivers/net/dsa/b53/b53_regs.h b/drivers/net/dsa/b53/b53_regs.h +index 309fe0e46dadf..8ce1ce72e9385 100644 +--- a/drivers/net/dsa/b53/b53_regs.h ++++ b/drivers/net/dsa/b53/b53_regs.h +@@ -111,8 +111,7 @@ + + /* IP Multicast control (8 bit) */ + #define B53_IP_MULTICAST_CTRL 0x21 +-#define B53_IP_MCAST_25 BIT(0) +-#define B53_IPMC_FWD_EN BIT(1) ++#define B53_IP_MC BIT(0) + #define B53_UC_FWD_EN BIT(6) + #define B53_MC_FWD_EN BIT(7) + +-- +2.51.0 + diff --git a/queue-6.17/net-dsa-b53-fix-resetting-speed-and-pause-on-forced-.patch b/queue-6.17/net-dsa-b53-fix-resetting-speed-and-pause-on-forced-.patch new file mode 100644 index 0000000000..c6791eff21 --- /dev/null +++ b/queue-6.17/net-dsa-b53-fix-resetting-speed-and-pause-on-forced-.patch @@ -0,0 +1,64 @@ +From fe830e0e68bd5d8a77c8f25a3ec8403eef6eb5f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Nov 2025 14:28:06 +0100 +Subject: net: dsa: b53: fix resetting speed and pause on forced link + +From: Jonas Gorski + +[ Upstream commit b6a8a5477fe9bd6be2b594a88f82f8bba41e6d54 ] + +There is no guarantee that the port state override registers have their +default values, as not all switches support being reset via register or +have a reset GPIO. + +So when forcing port config, we need to make sure to clear all fields, +which we currently do not do for the speed and flow control +configuration. This can cause flow control stay enabled, or in the case +of speed becoming an illegal value, e.g. configured for 1G (0x2), then +setting 100M (0x1), results in 0x3 which is invalid. + +For PORT_OVERRIDE_SPEED_2000M we need to make sure to only clear it on +supported chips, as the bit can have different meanings on other chips, +e.g. for BCM5389 this controls scanning PHYs for link/speed +configuration. + +Fixes: 5e004460f874 ("net: dsa: b53: Add helper to set link parameters") +Signed-off-by: Jonas Gorski +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20251101132807.50419-2-jonas.gorski@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index 2f846381d5a76..cb28256ef3cc3 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -1372,6 +1372,10 @@ static void b53_force_port_config(struct b53_device *dev, int port, + else + reg &= ~PORT_OVERRIDE_FULL_DUPLEX; + ++ reg &= ~(0x3 << GMII_PO_SPEED_S); ++ if (is5301x(dev) || is58xx(dev)) ++ reg &= ~PORT_OVERRIDE_SPEED_2000M; ++ + switch (speed) { + case 2000: + reg |= PORT_OVERRIDE_SPEED_2000M; +@@ -1390,6 +1394,11 @@ static void b53_force_port_config(struct b53_device *dev, int port, + return; + } + ++ if (is5325(dev)) ++ reg &= ~PORT_OVERRIDE_LP_FLOW_25; ++ else ++ reg &= ~(PORT_OVERRIDE_RX_FLOW | PORT_OVERRIDE_TX_FLOW); ++ + if (rx_pause) { + if (is5325(dev)) + reg |= PORT_OVERRIDE_LP_FLOW_25; +-- +2.51.0 + diff --git a/queue-6.17/net-dsa-b53-properly-bound-arl-searches-for-4-arl-bi.patch b/queue-6.17/net-dsa-b53-properly-bound-arl-searches-for-4-arl-bi.patch new file mode 100644 index 0000000000..5a01e6d070 --- /dev/null +++ b/queue-6.17/net-dsa-b53-properly-bound-arl-searches-for-4-arl-bi.patch @@ -0,0 +1,70 @@ +From 65b4f99ff9c183eedbb4e398d6fe025a62f34ab5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Nov 2025 11:07:58 +0100 +Subject: net: dsa: b53: properly bound ARL searches for < 4 ARL bin chips + +From: Jonas Gorski + +[ Upstream commit e57723fe536f040cc2635ec1545dd0a7919a321e ] + +When iterating over the ARL table we stop at max ARL entries / 2, but +this is only valid if the chip actually returns 2 results at once. For +chips with only one result register we will stop before reaching the end +of the table if it is more than half full. + +Fix this by only dividing the maximum results by two if we have a chip +with more than one result register (i.e. those with 4 ARL bins). + +Fixes: cd169d799bee ("net: dsa: b53: Bound check ARL searches") +Signed-off-by: Jonas Gorski +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20251102100758.28352-4-jonas.gorski@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index b467500699c70..eb767edc4c135 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -2087,13 +2087,16 @@ static int b53_fdb_copy(int port, const struct b53_arl_entry *ent, + int b53_fdb_dump(struct dsa_switch *ds, int port, + dsa_fdb_dump_cb_t *cb, void *data) + { ++ unsigned int count = 0, results_per_hit = 1; + struct b53_device *priv = ds->priv; + struct b53_arl_entry results[2]; +- unsigned int count = 0; + u8 offset; + int ret; + u8 reg; + ++ if (priv->num_arl_bins > 2) ++ results_per_hit = 2; ++ + mutex_lock(&priv->arl_mutex); + + if (is5325(priv) || is5365(priv)) +@@ -2115,7 +2118,7 @@ int b53_fdb_dump(struct dsa_switch *ds, int port, + if (ret) + break; + +- if (priv->num_arl_bins > 2) { ++ if (results_per_hit == 2) { + b53_arl_search_rd(priv, 1, &results[1]); + ret = b53_fdb_copy(port, &results[1], cb, data); + if (ret) +@@ -2125,7 +2128,7 @@ int b53_fdb_dump(struct dsa_switch *ds, int port, + break; + } + +- } while (count++ < b53_max_arl_entries(priv) / 2); ++ } while (count++ < b53_max_arl_entries(priv) / results_per_hit); + + mutex_unlock(&priv->arl_mutex); + +-- +2.51.0 + diff --git a/queue-6.17/net-dsa-b53-stop-reading-arl-entries-if-search-is-do.patch b/queue-6.17/net-dsa-b53-stop-reading-arl-entries-if-search-is-do.patch new file mode 100644 index 0000000000..daa751d204 --- /dev/null +++ b/queue-6.17/net-dsa-b53-stop-reading-arl-entries-if-search-is-do.patch @@ -0,0 +1,51 @@ +From a65dd18c022716ce250b5f680941274b6c3a017a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Nov 2025 11:07:57 +0100 +Subject: net: dsa: b53: stop reading ARL entries if search is done + +From: Jonas Gorski + +[ Upstream commit 0be04b5fa62a82a9929ca261f6c9f64a3d0a28da ] + +The switch clears the ARL_SRCH_STDN bit when the search is done, i.e. it +finished traversing the ARL table. + +This means that there will be no valid result, so we should not attempt +to read and process any further entries. + +We only ever check the validity of the entries for 4 ARL bin chips, and +only after having passed the first entry to the b53_fdb_copy(). + +This means that we always pass an invalid entry at the end to the +b53_fdb_copy(). b53_fdb_copy() does check the validity though before +passing on the entry, so it never gets passed on. + +On < 4 ARL bin chips, we will even continue reading invalid entries +until we reach the result limit. + +Fixes: 1da6df85c6fb ("net: dsa: b53: Implement ARL add/del/dump operations") +Signed-off-by: Jonas Gorski +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20251102100758.28352-3-jonas.gorski@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index 58c31049c0e7a..b467500699c70 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -2037,7 +2037,7 @@ static int b53_arl_search_wait(struct b53_device *dev) + do { + b53_read8(dev, B53_ARLIO_PAGE, offset, ®); + if (!(reg & ARL_SRCH_STDN)) +- return 0; ++ return -ENOENT; + + if (reg & ARL_SRCH_VLID) + return 0; +-- +2.51.0 + diff --git a/queue-6.17/net-dsa-microchip-fix-reserved-multicast-address-tab.patch b/queue-6.17/net-dsa-microchip-fix-reserved-multicast-address-tab.patch new file mode 100644 index 0000000000..79cd295018 --- /dev/null +++ b/queue-6.17/net-dsa-microchip-fix-reserved-multicast-address-tab.patch @@ -0,0 +1,218 @@ +From f8b80e0b3ddb9fca07d68149f5f41b7112079706 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Nov 2025 19:37:41 -0800 +Subject: net: dsa: microchip: Fix reserved multicast address table programming +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tristram Ha + +[ Upstream commit 96baf482ca1f69f0da9d10a5bd8422c87ea9039e ] + +KSZ9477/KSZ9897 and LAN937X families of switches use a reserved multicast +address table for some specific forwarding with some multicast addresses, +like the one used in STP. The hardware assumes the host port is the last +port in KSZ9897 family and port 5 in LAN937X family. Most of the time +this assumption is correct but not in other cases like KSZ9477. +Originally the function just setups the first entry, but the others still +need update, especially for one common multicast address that is used by +PTP operation. + +LAN937x also uses different register bits when accessing the reserved +table. + +Fixes: 457c182af597 ("net: dsa: microchip: generic access to ksz9477 static and reserved table") +Signed-off-by: Tristram Ha +Tested-by: Łukasz Majewski +Link: https://patch.msgid.link/20251105033741.6455-1-Tristram.Ha@microchip.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/microchip/ksz9477.c | 98 +++++++++++++++++++++---- + drivers/net/dsa/microchip/ksz9477_reg.h | 3 +- + drivers/net/dsa/microchip/ksz_common.c | 4 + + drivers/net/dsa/microchip/ksz_common.h | 2 + + 4 files changed, 91 insertions(+), 16 deletions(-) + +diff --git a/drivers/net/dsa/microchip/ksz9477.c b/drivers/net/dsa/microchip/ksz9477.c +index d747ea1c41a79..5df8f153d511b 100644 +--- a/drivers/net/dsa/microchip/ksz9477.c ++++ b/drivers/net/dsa/microchip/ksz9477.c +@@ -1355,9 +1355,15 @@ void ksz9477_config_cpu_port(struct dsa_switch *ds) + } + } + ++#define RESV_MCAST_CNT 8 ++ ++static u8 reserved_mcast_map[RESV_MCAST_CNT] = { 0, 1, 3, 16, 32, 33, 2, 17 }; ++ + int ksz9477_enable_stp_addr(struct ksz_device *dev) + { ++ u8 i, ports, update; + const u32 *masks; ++ bool override; + u32 data; + int ret; + +@@ -1366,23 +1372,87 @@ int ksz9477_enable_stp_addr(struct ksz_device *dev) + /* Enable Reserved multicast table */ + ksz_cfg(dev, REG_SW_LUE_CTRL_0, SW_RESV_MCAST_ENABLE, true); + +- /* Set the Override bit for forwarding BPDU packet to CPU */ +- ret = ksz_write32(dev, REG_SW_ALU_VAL_B, +- ALU_V_OVERRIDE | BIT(dev->cpu_port)); +- if (ret < 0) +- return ret; ++ /* The reserved multicast address table has 8 entries. Each entry has ++ * a default value of which port to forward. It is assumed the host ++ * port is the last port in most of the switches, but that is not the ++ * case for KSZ9477 or maybe KSZ9897. For LAN937X family the default ++ * port is port 5, the first RGMII port. It is okay for LAN9370, a ++ * 5-port switch, but may not be correct for the other 8-port ++ * versions. It is necessary to update the whole table to forward to ++ * the right ports. ++ * Furthermore PTP messages can use a reserved multicast address and ++ * the host will not receive them if this table is not correct. ++ */ ++ for (i = 0; i < RESV_MCAST_CNT; i++) { ++ data = reserved_mcast_map[i] << ++ dev->info->shifts[ALU_STAT_INDEX]; ++ data |= ALU_STAT_START | ++ masks[ALU_STAT_DIRECT] | ++ masks[ALU_RESV_MCAST_ADDR] | ++ masks[ALU_STAT_READ]; ++ ret = ksz_write32(dev, REG_SW_ALU_STAT_CTRL__4, data); ++ if (ret < 0) ++ return ret; + +- data = ALU_STAT_START | ALU_RESV_MCAST_ADDR | masks[ALU_STAT_WRITE]; ++ /* wait to be finished */ ++ ret = ksz9477_wait_alu_sta_ready(dev); ++ if (ret < 0) ++ return ret; + +- ret = ksz_write32(dev, REG_SW_ALU_STAT_CTRL__4, data); +- if (ret < 0) +- return ret; ++ ret = ksz_read32(dev, REG_SW_ALU_VAL_B, &data); ++ if (ret < 0) ++ return ret; + +- /* wait to be finished */ +- ret = ksz9477_wait_alu_sta_ready(dev); +- if (ret < 0) { +- dev_err(dev->dev, "Failed to update Reserved Multicast table\n"); +- return ret; ++ override = false; ++ ports = data & dev->port_mask; ++ switch (i) { ++ case 0: ++ case 6: ++ /* Change the host port. */ ++ update = BIT(dev->cpu_port); ++ override = true; ++ break; ++ case 2: ++ /* Change the host port. */ ++ update = BIT(dev->cpu_port); ++ break; ++ case 4: ++ case 5: ++ case 7: ++ /* Skip the host port. */ ++ update = dev->port_mask & ~BIT(dev->cpu_port); ++ break; ++ default: ++ update = ports; ++ break; ++ } ++ if (update != ports || override) { ++ data &= ~dev->port_mask; ++ data |= update; ++ /* Set Override bit to receive frame even when port is ++ * closed. ++ */ ++ if (override) ++ data |= ALU_V_OVERRIDE; ++ ret = ksz_write32(dev, REG_SW_ALU_VAL_B, data); ++ if (ret < 0) ++ return ret; ++ ++ data = reserved_mcast_map[i] << ++ dev->info->shifts[ALU_STAT_INDEX]; ++ data |= ALU_STAT_START | ++ masks[ALU_STAT_DIRECT] | ++ masks[ALU_RESV_MCAST_ADDR] | ++ masks[ALU_STAT_WRITE]; ++ ret = ksz_write32(dev, REG_SW_ALU_STAT_CTRL__4, data); ++ if (ret < 0) ++ return ret; ++ ++ /* wait to be finished */ ++ ret = ksz9477_wait_alu_sta_ready(dev); ++ if (ret < 0) ++ return ret; ++ } + } + + return 0; +diff --git a/drivers/net/dsa/microchip/ksz9477_reg.h b/drivers/net/dsa/microchip/ksz9477_reg.h +index ff579920078ee..61ea11e3338e1 100644 +--- a/drivers/net/dsa/microchip/ksz9477_reg.h ++++ b/drivers/net/dsa/microchip/ksz9477_reg.h +@@ -2,7 +2,7 @@ + /* + * Microchip KSZ9477 register definitions + * +- * Copyright (C) 2017-2024 Microchip Technology Inc. ++ * Copyright (C) 2017-2025 Microchip Technology Inc. + */ + + #ifndef __KSZ9477_REGS_H +@@ -397,7 +397,6 @@ + + #define ALU_RESV_MCAST_INDEX_M (BIT(6) - 1) + #define ALU_STAT_START BIT(7) +-#define ALU_RESV_MCAST_ADDR BIT(1) + + #define REG_SW_ALU_VAL_A 0x0420 + +diff --git a/drivers/net/dsa/microchip/ksz_common.c b/drivers/net/dsa/microchip/ksz_common.c +index a962055bfdbd8..933ae8dc63378 100644 +--- a/drivers/net/dsa/microchip/ksz_common.c ++++ b/drivers/net/dsa/microchip/ksz_common.c +@@ -808,6 +808,8 @@ static const u16 ksz9477_regs[] = { + static const u32 ksz9477_masks[] = { + [ALU_STAT_WRITE] = 0, + [ALU_STAT_READ] = 1, ++ [ALU_STAT_DIRECT] = 0, ++ [ALU_RESV_MCAST_ADDR] = BIT(1), + [P_MII_TX_FLOW_CTRL] = BIT(5), + [P_MII_RX_FLOW_CTRL] = BIT(3), + }; +@@ -835,6 +837,8 @@ static const u8 ksz9477_xmii_ctrl1[] = { + static const u32 lan937x_masks[] = { + [ALU_STAT_WRITE] = 1, + [ALU_STAT_READ] = 2, ++ [ALU_STAT_DIRECT] = BIT(3), ++ [ALU_RESV_MCAST_ADDR] = BIT(2), + [P_MII_TX_FLOW_CTRL] = BIT(5), + [P_MII_RX_FLOW_CTRL] = BIT(3), + }; +diff --git a/drivers/net/dsa/microchip/ksz_common.h b/drivers/net/dsa/microchip/ksz_common.h +index a1eb39771bb99..c65188cd3c0a0 100644 +--- a/drivers/net/dsa/microchip/ksz_common.h ++++ b/drivers/net/dsa/microchip/ksz_common.h +@@ -294,6 +294,8 @@ enum ksz_masks { + DYNAMIC_MAC_TABLE_TIMESTAMP, + ALU_STAT_WRITE, + ALU_STAT_READ, ++ ALU_STAT_DIRECT, ++ ALU_RESV_MCAST_ADDR, + P_MII_TX_FLOW_CTRL, + P_MII_RX_FLOW_CTRL, + }; +-- +2.51.0 + diff --git a/queue-6.17/net-dsa-tag_brcm-legacy-fix-untagged-rx-on-unbridged.patch b/queue-6.17/net-dsa-tag_brcm-legacy-fix-untagged-rx-on-unbridged.patch new file mode 100644 index 0000000000..c19ac9168e --- /dev/null +++ b/queue-6.17/net-dsa-tag_brcm-legacy-fix-untagged-rx-on-unbridged.patch @@ -0,0 +1,77 @@ +From a173e9231f13f70e95e7d1c0a606f651f6c22147 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Oct 2025 20:46:21 +0100 +Subject: net: dsa: tag_brcm: legacy: fix untagged rx on unbridged ports for + bcm63xx + +From: Jonas Gorski + +[ Upstream commit 3d18a84eddde169d6dbf3c72cc5358b988c347d0 ] + +The internal switch on BCM63XX SoCs will unconditionally add 802.1Q VLAN +tags on egress to CPU when 802.1Q mode is enabled. We do this +unconditionally since commit ed409f3bbaa5 ("net: dsa: b53: Configure +VLANs while not filtering"). + +This is fine for VLAN aware bridges, but for standalone ports and vlan +unaware bridges this means all packets are tagged with the default VID, +which is 0. + +While the kernel will treat that like untagged, this can break userspace +applications processing raw packets, expecting untagged traffic, like +STP daemons. + +This also breaks several bridge tests, where the tcpdump output then +does not match the expected output anymore. + +Since 0 isn't a valid VID, just strip out the VLAN tag if we encounter +it, unless the priority field is set, since that would be a valid tag +again. + +Fixes: 964dbf186eaa ("net: dsa: tag_brcm: add support for legacy tags") +Signed-off-by: Jonas Gorski +Reviewed-by: Vladimir Oltean +Link: https://patch.msgid.link/20251027194621.133301-1-jonas.gorski@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/dsa/tag_brcm.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/net/dsa/tag_brcm.c b/net/dsa/tag_brcm.c +index 26bb657ceac36..d9c77fa553b53 100644 +--- a/net/dsa/tag_brcm.c ++++ b/net/dsa/tag_brcm.c +@@ -224,12 +224,14 @@ static struct sk_buff *brcm_leg_tag_rcv(struct sk_buff *skb, + { + int len = BRCM_LEG_TAG_LEN; + int source_port; ++ __be16 *proto; + u8 *brcm_tag; + + if (unlikely(!pskb_may_pull(skb, BRCM_LEG_TAG_LEN + VLAN_HLEN))) + return NULL; + + brcm_tag = dsa_etype_header_pos_rx(skb); ++ proto = (__be16 *)(brcm_tag + BRCM_LEG_TAG_LEN); + + source_port = brcm_tag[5] & BRCM_LEG_PORT_ID; + +@@ -237,8 +239,12 @@ static struct sk_buff *brcm_leg_tag_rcv(struct sk_buff *skb, + if (!skb->dev) + return NULL; + +- /* VLAN tag is added by BCM63xx internal switch */ +- if (netdev_uses_dsa(skb->dev)) ++ /* The internal switch in BCM63XX SoCs always tags on egress on the CPU ++ * port. We use VID 0 internally for untagged traffic, so strip the tag ++ * if the TCI field is all 0, and keep it otherwise to also retain ++ * e.g. 802.1p tagged packets. ++ */ ++ if (proto[0] == htons(ETH_P_8021Q) && proto[1] == 0) + len += VLAN_HLEN; + + /* Remove Broadcom tag and update checksum */ +-- +2.51.0 + diff --git a/queue-6.17/net-ionic-add-dma_wmb-before-ringing-tx-doorbell.patch b/queue-6.17/net-ionic-add-dma_wmb-before-ringing-tx-doorbell.patch new file mode 100644 index 0000000000..390309c333 --- /dev/null +++ b/queue-6.17/net-ionic-add-dma_wmb-before-ringing-tx-doorbell.patch @@ -0,0 +1,45 @@ +From 766bd8ff1e7c4be3d86be90da41e56378db3d59b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Oct 2025 17:52:02 +0200 +Subject: net: ionic: add dma_wmb() before ringing TX doorbell + +From: Mohammad Heib + +[ Upstream commit d261f5b09c28850dc63ca1d3018596f829f402d5 ] + +The TX path currently writes descriptors and then immediately writes to +the MMIO doorbell register to notify the NIC. On weakly ordered +architectures, descriptor writes may still be pending in CPU or DMA +write buffers when the doorbell is issued, leading to the device +fetching stale or incomplete descriptors. + +Add a dma_wmb() in ionic_txq_post() to ensure all descriptor writes are +visible to the device before the doorbell MMIO write. + +Fixes: 0f3154e6bcb3 ("ionic: Add Tx and Rx handling") +Signed-off-by: Mohammad Heib +Link: https://patch.msgid.link/20251031155203.203031-1-mheib@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/pensando/ionic/ionic_txrx.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/pensando/ionic/ionic_txrx.c b/drivers/net/ethernet/pensando/ionic/ionic_txrx.c +index d10b58ebf6034..2e571d0a0d8a2 100644 +--- a/drivers/net/ethernet/pensando/ionic/ionic_txrx.c ++++ b/drivers/net/ethernet/pensando/ionic/ionic_txrx.c +@@ -29,6 +29,10 @@ static void ionic_tx_clean(struct ionic_queue *q, + + static inline void ionic_txq_post(struct ionic_queue *q, bool ring_dbell) + { ++ /* Ensure TX descriptor writes reach memory before NIC reads them. ++ * Prevents device from fetching stale descriptors. ++ */ ++ dma_wmb(); + ionic_q_post(q, ring_dbell); + } + +-- +2.51.0 + diff --git a/queue-6.17/net-ionic-map-skb-after-pseudo-header-checksum-prep.patch b/queue-6.17/net-ionic-map-skb-after-pseudo-header-checksum-prep.patch new file mode 100644 index 0000000000..9c725d0664 --- /dev/null +++ b/queue-6.17/net-ionic-map-skb-after-pseudo-header-checksum-prep.patch @@ -0,0 +1,91 @@ +From 18b6993fbb518625a524088c1005f6a0f2ca4888 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Oct 2025 17:52:03 +0200 +Subject: net: ionic: map SKB after pseudo-header checksum prep + +From: Mohammad Heib + +[ Upstream commit de0337d641bfa5b6d6b489e479792f1039274e84 ] + +The TSO path called ionic_tx_map_skb() before preparing the TCP pseudo +checksum (ionic_tx_tcp_[inner_]pseudo_csum()), which may perform +skb_cow_head() and might modifies bytes in the linear header area. + +Mapping first and then mutating the header risks: + - Using a stale DMA address if skb_cow_head() relocates the head, and/or + - Device reading stale header bytes on weakly-ordered systems + (CPU writes after mapping are not guaranteed visible without an + explicit dma_sync_single_for_device()). + +Reorder the TX path to perform all header mutations (including +skb_cow_head()) *before* DMA mapping. Mapping is now done only after the +skb layout and header contents are final. This removes the need for any +post-mapping dma_sync and prevents on-wire corruption observed under +VLAN+TSO load after repeated runs. + +This change is purely an ordering fix; no functional behavior change +otherwise. + +Fixes: 0f3154e6bcb3 ("ionic: Add Tx and Rx handling") +Signed-off-by: Mohammad Heib +Reviewed-by: Brett Creeley +Link: https://patch.msgid.link/20251031155203.203031-2-mheib@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/pensando/ionic/ionic_txrx.c | 30 ++++++++----------- + 1 file changed, 13 insertions(+), 17 deletions(-) + +diff --git a/drivers/net/ethernet/pensando/ionic/ionic_txrx.c b/drivers/net/ethernet/pensando/ionic/ionic_txrx.c +index 2e571d0a0d8a2..301ebee2fdc50 100644 +--- a/drivers/net/ethernet/pensando/ionic/ionic_txrx.c ++++ b/drivers/net/ethernet/pensando/ionic/ionic_txrx.c +@@ -1448,19 +1448,6 @@ static int ionic_tx_tso(struct net_device *netdev, struct ionic_queue *q, + bool encap; + int err; + +- desc_info = &q->tx_info[q->head_idx]; +- +- if (unlikely(ionic_tx_map_skb(q, skb, desc_info))) +- return -EIO; +- +- len = skb->len; +- mss = skb_shinfo(skb)->gso_size; +- outer_csum = (skb_shinfo(skb)->gso_type & (SKB_GSO_GRE | +- SKB_GSO_GRE_CSUM | +- SKB_GSO_IPXIP4 | +- SKB_GSO_IPXIP6 | +- SKB_GSO_UDP_TUNNEL | +- SKB_GSO_UDP_TUNNEL_CSUM)); + has_vlan = !!skb_vlan_tag_present(skb); + vlan_tci = skb_vlan_tag_get(skb); + encap = skb->encapsulation; +@@ -1474,12 +1461,21 @@ static int ionic_tx_tso(struct net_device *netdev, struct ionic_queue *q, + err = ionic_tx_tcp_inner_pseudo_csum(skb); + else + err = ionic_tx_tcp_pseudo_csum(skb); +- if (unlikely(err)) { +- /* clean up mapping from ionic_tx_map_skb */ +- ionic_tx_desc_unmap_bufs(q, desc_info); ++ if (unlikely(err)) + return err; +- } + ++ desc_info = &q->tx_info[q->head_idx]; ++ if (unlikely(ionic_tx_map_skb(q, skb, desc_info))) ++ return -EIO; ++ ++ len = skb->len; ++ mss = skb_shinfo(skb)->gso_size; ++ outer_csum = (skb_shinfo(skb)->gso_type & (SKB_GSO_GRE | ++ SKB_GSO_GRE_CSUM | ++ SKB_GSO_IPXIP4 | ++ SKB_GSO_IPXIP6 | ++ SKB_GSO_UDP_TUNNEL | ++ SKB_GSO_UDP_TUNNEL_CSUM)); + if (encap) + hdrlen = skb_inner_tcp_all_headers(skb); + else +-- +2.51.0 + diff --git a/queue-6.17/net-mdio-check-regmap-pointer-returned-by-device_nod.patch b/queue-6.17/net-mdio-check-regmap-pointer-returned-by-device_nod.patch new file mode 100644 index 0000000000..ef57ee12ee --- /dev/null +++ b/queue-6.17/net-mdio-check-regmap-pointer-returned-by-device_nod.patch @@ -0,0 +1,43 @@ +From 6e38173344d8bc0cebec05f462c692ac7b75407a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Oct 2025 09:15:53 -0700 +Subject: net: mdio: Check regmap pointer returned by device_node_to_regmap() + +From: Alok Tiwari + +[ Upstream commit b2b526c2cf57d14ee269e012ed179081871f45a1 ] + +The call to device_node_to_regmap() in airoha_mdio_probe() can return +an ERR_PTR() if regmap initialization fails. Currently, the driver +stores the pointer without validation, which could lead to a crash +if it is later dereferenced. + +Add an IS_ERR() check and return the corresponding error code to make +the probe path more robust. + +Fixes: 67e3ba978361 ("net: mdio: Add MDIO bus controller for Airoha AN7583") +Signed-off-by: Alok Tiwari +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20251031161607.58581-1-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/mdio/mdio-airoha.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/mdio/mdio-airoha.c b/drivers/net/mdio/mdio-airoha.c +index 1dc9939c8d7d4..52e7475121eaf 100644 +--- a/drivers/net/mdio/mdio-airoha.c ++++ b/drivers/net/mdio/mdio-airoha.c +@@ -219,6 +219,8 @@ static int airoha_mdio_probe(struct platform_device *pdev) + priv = bus->priv; + priv->base_addr = addr; + priv->regmap = device_node_to_regmap(dev->parent->of_node); ++ if (IS_ERR(priv->regmap)) ++ return PTR_ERR(priv->regmap); + + priv->clk = devm_clk_get_enabled(dev, NULL); + if (IS_ERR(priv->clk)) +-- +2.51.0 + diff --git a/queue-6.17/net-mlx5e-fix-return-value-in-case-of-module-eeprom-.patch b/queue-6.17/net-mlx5e-fix-return-value-in-case-of-module-eeprom-.patch new file mode 100644 index 0000000000..d829a63e6e --- /dev/null +++ b/queue-6.17/net-mlx5e-fix-return-value-in-case-of-module-eeprom-.patch @@ -0,0 +1,74 @@ +From fde2b8e3afc4bd48a69055f2791e3a942044b8fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Nov 2025 16:15:36 +0200 +Subject: net/mlx5e: Fix return value in case of module EEPROM read error + +From: Gal Pressman + +[ Upstream commit d1c94bc5b90c21b65469d30d4a6bc8ed715c1bfe ] + +mlx5e_get_module_eeprom_by_page() has weird error handling. + +First, it is treating -EINVAL as a special case, but it is unclear why. + +Second, it tries to fail "gracefully" by returning the number of bytes +read even in case of an error. This results in wrongly returning +success (0 return value) if the error occurs before any bytes were +read. + +Simplify the error handling by returning an error when such occurs. This +also aligns with the error handling we have in mlx5e_get_module_eeprom() +for the old API. + +This fixes the following case where the query fails, but userspace +ethtool wrongly treats it as success and dumps an output: + + # ethtool -m eth2 + netlink warning: mlx5_core: Query module eeprom by page failed, read 0 bytes, err -5 + netlink warning: mlx5_core: Query module eeprom by page failed, read 0 bytes, err -5 + Offset Values + ------ ------ + 0x0000: 00 00 00 00 05 00 04 00 00 00 00 00 05 00 05 00 + 0x0010: 00 00 00 00 05 00 06 00 50 00 00 00 67 65 20 66 + 0x0020: 61 69 6c 65 64 2c 20 72 65 61 64 20 30 20 62 79 + 0x0030: 74 65 73 2c 20 65 72 72 20 2d 35 00 14 00 03 00 + 0x0040: 08 00 01 00 03 00 00 00 08 00 02 00 1a 00 00 00 + 0x0050: 14 00 04 00 08 00 01 00 04 00 00 00 08 00 02 00 + 0x0060: 0e 00 00 00 14 00 05 00 08 00 01 00 05 00 00 00 + 0x0070: 08 00 02 00 1a 00 00 00 14 00 06 00 08 00 01 00 + +Fixes: e109d2b204da ("net/mlx5: Implement get_module_eeprom_by_page()") +Signed-off-by: Gal Pressman +Reviewed-by: Alex Lazar +Signed-off-by: Tariq Toukan +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/1762265736-1028868-1-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +index d507366d773e1..2198c9e893da6 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +@@ -2121,14 +2121,12 @@ static int mlx5e_get_module_eeprom_by_page(struct net_device *netdev, + if (!size_read) + return i; + +- if (size_read == -EINVAL) +- return -EINVAL; + if (size_read < 0) { + NL_SET_ERR_MSG_FMT_MOD( + extack, + "Query module eeprom by page failed, read %u bytes, err %d", + i, size_read); +- return i; ++ return size_read; + } + + i += size_read; +-- +2.51.0 + diff --git a/queue-6.17/net-mlx5e-shampo-fix-header-formulas-for-higher-mtus.patch b/queue-6.17/net-mlx5e-shampo-fix-header-formulas-for-higher-mtus.patch new file mode 100644 index 0000000000..7048bc6462 --- /dev/null +++ b/queue-6.17/net-mlx5e-shampo-fix-header-formulas-for-higher-mtus.patch @@ -0,0 +1,200 @@ +From cba3f9cde89cc58df871241c898a054ac7e857dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Nov 2025 08:48:35 +0200 +Subject: net/mlx5e: SHAMPO, Fix header formulas for higher MTUs and 64K pages + +From: Dragos Tatulea + +[ Upstream commit d8a7ed9586c7579a99e9e2d90988c9eceeee61ff ] + +The MLX5E_SHAMPO_WQ_HEADER_PER_PAGE and +MLX5E_SHAMPO_LOG_MAX_HEADER_ENTRY_SIZE macros are used directly in +several places under the assumption that there will always be more +headers per WQE than headers per page. However, this assumption doesn't +hold for 64K page sizes and higher MTUs (> 4K). This can be first +observed during header page allocation: ksm_entries will become 0 during +alignment to MLX5E_SHAMPO_WQ_HEADER_PER_PAGE. + +This patch introduces 2 additional members to the mlx5e_shampo_hd struct +which are meant to be used instead of the macrose mentioned above. +When the number of headers per WQE goes below +MLX5E_SHAMPO_WQ_HEADER_PER_PAGE, clamp the number of headers per +page and expand the header size accordingly so that the headers +for one WQE cover a full page. + +All the formulas are adapted to use these two new members. + +Fixes: 945ca432bfd0 ("net/mlx5e: SHAMPO, Drop info array") +Signed-off-by: Dragos Tatulea +Signed-off-by: Tariq Toukan +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/1762238915-1027590-4-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en.h | 3 ++ + .../net/ethernet/mellanox/mlx5/core/en_main.c | 24 +++++++++++--- + .../net/ethernet/mellanox/mlx5/core/en_rx.c | 33 +++++++++++-------- + 3 files changed, 41 insertions(+), 19 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en.h b/drivers/net/ethernet/mellanox/mlx5/core/en.h +index 0dd3bc0f4caae..ff4a68648e604 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en.h +@@ -632,7 +632,10 @@ struct mlx5e_dma_info { + struct mlx5e_shampo_hd { + struct mlx5e_frag_page *pages; + u32 hd_per_wq; ++ u32 hd_per_page; + u16 hd_per_wqe; ++ u8 log_hd_per_page; ++ u8 log_hd_entry_size; + unsigned long *bitmap; + u16 pi; + u16 ci; +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index 8a63e62938e73..2c82c5100af3c 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -793,8 +793,9 @@ static int mlx5_rq_shampo_alloc(struct mlx5_core_dev *mdev, + int node) + { + void *wqc = MLX5_ADDR_OF(rqc, rqp->rqc, wq); ++ u8 log_hd_per_page, log_hd_entry_size; ++ u16 hd_per_wq, hd_per_wqe; + u32 hd_pool_size; +- u16 hd_per_wq; + int wq_size; + int err; + +@@ -817,11 +818,24 @@ static int mlx5_rq_shampo_alloc(struct mlx5_core_dev *mdev, + if (err) + goto err_umr_mkey; + +- rq->mpwqe.shampo->hd_per_wqe = +- mlx5e_shampo_hd_per_wqe(mdev, params, rqp); ++ hd_per_wqe = mlx5e_shampo_hd_per_wqe(mdev, params, rqp); + wq_size = BIT(MLX5_GET(wq, wqc, log_wq_sz)); +- hd_pool_size = (rq->mpwqe.shampo->hd_per_wqe * wq_size) / +- MLX5E_SHAMPO_WQ_HEADER_PER_PAGE; ++ ++ BUILD_BUG_ON(MLX5E_SHAMPO_LOG_MAX_HEADER_ENTRY_SIZE > PAGE_SHIFT); ++ if (hd_per_wqe >= MLX5E_SHAMPO_WQ_HEADER_PER_PAGE) { ++ log_hd_per_page = MLX5E_SHAMPO_LOG_WQ_HEADER_PER_PAGE; ++ log_hd_entry_size = MLX5E_SHAMPO_LOG_MAX_HEADER_ENTRY_SIZE; ++ } else { ++ log_hd_per_page = order_base_2(hd_per_wqe); ++ log_hd_entry_size = order_base_2(PAGE_SIZE / hd_per_wqe); ++ } ++ ++ rq->mpwqe.shampo->hd_per_wqe = hd_per_wqe; ++ rq->mpwqe.shampo->hd_per_page = BIT(log_hd_per_page); ++ rq->mpwqe.shampo->log_hd_per_page = log_hd_per_page; ++ rq->mpwqe.shampo->log_hd_entry_size = log_hd_entry_size; ++ ++ hd_pool_size = (hd_per_wqe * wq_size) >> log_hd_per_page; + + if (mlx5_rq_needs_separate_hd_pool(rq)) { + /* Separate page pool for shampo headers */ +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c +index 0dcb4d5b06c8e..56a872c4fafe5 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c +@@ -647,17 +647,20 @@ static void build_ksm_umr(struct mlx5e_icosq *sq, struct mlx5e_umr_wqe *umr_wqe, + umr_wqe->hdr.uctrl.mkey_mask = cpu_to_be64(MLX5_MKEY_MASK_FREE); + } + +-static struct mlx5e_frag_page *mlx5e_shampo_hd_to_frag_page(struct mlx5e_rq *rq, int header_index) ++static struct mlx5e_frag_page *mlx5e_shampo_hd_to_frag_page(struct mlx5e_rq *rq, ++ int header_index) + { +- BUILD_BUG_ON(MLX5E_SHAMPO_LOG_MAX_HEADER_ENTRY_SIZE > PAGE_SHIFT); ++ struct mlx5e_shampo_hd *shampo = rq->mpwqe.shampo; + +- return &rq->mpwqe.shampo->pages[header_index >> MLX5E_SHAMPO_LOG_WQ_HEADER_PER_PAGE]; ++ return &shampo->pages[header_index >> shampo->log_hd_per_page]; + } + +-static u64 mlx5e_shampo_hd_offset(int header_index) ++static u64 mlx5e_shampo_hd_offset(struct mlx5e_rq *rq, int header_index) + { +- return (header_index & (MLX5E_SHAMPO_WQ_HEADER_PER_PAGE - 1)) << +- MLX5E_SHAMPO_LOG_MAX_HEADER_ENTRY_SIZE; ++ struct mlx5e_shampo_hd *shampo = rq->mpwqe.shampo; ++ u32 hd_per_page = shampo->hd_per_page; ++ ++ return (header_index & (hd_per_page - 1)) << shampo->log_hd_entry_size; + } + + static void mlx5e_free_rx_shampo_hd_entry(struct mlx5e_rq *rq, u16 header_index); +@@ -683,7 +686,7 @@ static int mlx5e_build_shampo_hd_umr(struct mlx5e_rq *rq, + u64 addr; + + frag_page = mlx5e_shampo_hd_to_frag_page(rq, index); +- header_offset = mlx5e_shampo_hd_offset(index); ++ header_offset = mlx5e_shampo_hd_offset(rq, index); + if (!header_offset) { + err = mlx5e_page_alloc_fragmented(rq->hd_page_pool, + frag_page); +@@ -713,7 +716,7 @@ static int mlx5e_build_shampo_hd_umr(struct mlx5e_rq *rq, + err_unmap: + while (--i >= 0) { + --index; +- header_offset = mlx5e_shampo_hd_offset(index); ++ header_offset = mlx5e_shampo_hd_offset(rq, index); + if (!header_offset) { + struct mlx5e_frag_page *frag_page = mlx5e_shampo_hd_to_frag_page(rq, index); + +@@ -737,7 +740,7 @@ static int mlx5e_alloc_rx_hd_mpwqe(struct mlx5e_rq *rq) + ksm_entries = bitmap_find_window(shampo->bitmap, + shampo->hd_per_wqe, + shampo->hd_per_wq, shampo->pi); +- ksm_entries = ALIGN_DOWN(ksm_entries, MLX5E_SHAMPO_WQ_HEADER_PER_PAGE); ++ ksm_entries = ALIGN_DOWN(ksm_entries, shampo->hd_per_page); + if (!ksm_entries) + return 0; + +@@ -855,7 +858,7 @@ mlx5e_free_rx_shampo_hd_entry(struct mlx5e_rq *rq, u16 header_index) + { + struct mlx5e_shampo_hd *shampo = rq->mpwqe.shampo; + +- if (((header_index + 1) & (MLX5E_SHAMPO_WQ_HEADER_PER_PAGE - 1)) == 0) { ++ if (((header_index + 1) & (shampo->hd_per_page - 1)) == 0) { + struct mlx5e_frag_page *frag_page = mlx5e_shampo_hd_to_frag_page(rq, header_index); + + mlx5e_page_release_fragmented(rq->hd_page_pool, frag_page); +@@ -1218,9 +1221,10 @@ static unsigned int mlx5e_lro_update_hdr(struct sk_buff *skb, + static void *mlx5e_shampo_get_packet_hd(struct mlx5e_rq *rq, u16 header_index) + { + struct mlx5e_frag_page *frag_page = mlx5e_shampo_hd_to_frag_page(rq, header_index); +- u16 head_offset = mlx5e_shampo_hd_offset(header_index) + rq->buff.headroom; ++ u16 head_offset = mlx5e_shampo_hd_offset(rq, header_index); ++ void *addr = netmem_address(frag_page->netmem); + +- return netmem_address(frag_page->netmem) + head_offset; ++ return addr + head_offset + rq->buff.headroom; + } + + static void mlx5e_shampo_update_ipv4_udp_hdr(struct mlx5e_rq *rq, struct iphdr *ipv4) +@@ -2238,7 +2242,8 @@ mlx5e_skb_from_cqe_shampo(struct mlx5e_rq *rq, struct mlx5e_mpw_info *wi, + struct mlx5_cqe64 *cqe, u16 header_index) + { + struct mlx5e_frag_page *frag_page = mlx5e_shampo_hd_to_frag_page(rq, header_index); +- u16 head_offset = mlx5e_shampo_hd_offset(header_index); ++ u16 head_offset = mlx5e_shampo_hd_offset(rq, header_index); ++ struct mlx5e_shampo_hd *shampo = rq->mpwqe.shampo; + u16 head_size = cqe->shampo.header_size; + u16 rx_headroom = rq->buff.headroom; + struct sk_buff *skb = NULL; +@@ -2254,7 +2259,7 @@ mlx5e_skb_from_cqe_shampo(struct mlx5e_rq *rq, struct mlx5e_mpw_info *wi, + data = hdr + rx_headroom; + frag_size = MLX5_SKB_FRAG_SZ(rx_headroom + head_size); + +- if (likely(frag_size <= BIT(MLX5E_SHAMPO_LOG_MAX_HEADER_ENTRY_SIZE))) { ++ if (likely(frag_size <= BIT(shampo->log_hd_entry_size))) { + /* build SKB around header */ + dma_sync_single_range_for_cpu(rq->pdev, dma_addr, 0, frag_size, rq->buff.map_dir); + net_prefetchw(hdr); +-- +2.51.0 + diff --git a/queue-6.17/net-mlx5e-shampo-fix-header-mapping-for-64k-pages.patch b/queue-6.17/net-mlx5e-shampo-fix-header-mapping-for-64k-pages.patch new file mode 100644 index 0000000000..71170561d8 --- /dev/null +++ b/queue-6.17/net-mlx5e-shampo-fix-header-mapping-for-64k-pages.patch @@ -0,0 +1,121 @@ +From 0f19abc4a2efbda022ccf82d0131ccb4b9e876dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Nov 2025 08:48:33 +0200 +Subject: net/mlx5e: SHAMPO, Fix header mapping for 64K pages + +From: Dragos Tatulea + +[ Upstream commit 665a7e13c220bbde55531a24bd5524320648df10 ] + +HW-GRO is broken on mlx5 for 64K page sizes. The patch in the fixes tag +didn't take into account larger page sizes when doing an align down +of max_ksm_entries. For 64K page size, max_ksm_entries is 0 which will skip +mapping header pages via WQE UMR. This breaks header-data split +and will result in the following syndrome: + +mlx5_core 0000:00:08.0 eth2: Error cqe on cqn 0x4c9, ci 0x0, qn 0x1133, opcode 0xe, syndrome 0x4, vendor syndrome 0x32 +00000000: 00 00 00 00 04 4a 00 00 00 00 00 00 20 00 93 32 +00000010: 55 00 00 00 fb cc 00 00 00 00 00 00 07 18 00 00 +00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4a +00000030: 00 00 3b c7 93 01 32 04 00 00 00 00 00 00 bf e0 +mlx5_core 0000:00:08.0 eth2: ERR CQE on RQ: 0x1133 + +Furthermore, the function that fills in WQE UMRs for the headers +(mlx5e_build_shampo_hd_umr()) only supports mapping page sizes that +fit in a single UMR WQE. + +This patch goes back to the old non-aligned max_ksm_entries value and it +changes mlx5e_build_shampo_hd_umr() to support mapping a large page over +multiple UMR WQEs. + +This means that mlx5e_build_shampo_hd_umr() can now leave a page only +partially mapped. The caller, mlx5e_alloc_rx_hd_mpwqe(), ensures that +there are enough UMR WQEs to cover complete pages by working on +ksm_entries that are multiples of MLX5E_SHAMPO_WQ_HEADER_PER_PAGE. + +Fixes: 8a0ee54027b1 ("net/mlx5e: SHAMPO, Simplify UMR allocation for headers") +Signed-off-by: Dragos Tatulea +Signed-off-by: Tariq Toukan +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/1762238915-1027590-2-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/en_rx.c | 36 +++++++++---------- + 1 file changed, 17 insertions(+), 19 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c +index 5dbf48da2f4f1..f19e94884a52e 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c +@@ -670,7 +670,7 @@ static int mlx5e_build_shampo_hd_umr(struct mlx5e_rq *rq, + u16 pi, header_offset, err, wqe_bbs; + u32 lkey = rq->mdev->mlx5e_res.hw_objs.mkey; + struct mlx5e_umr_wqe *umr_wqe; +- int headroom, i = 0; ++ int headroom, i; + + headroom = rq->buff.headroom; + wqe_bbs = MLX5E_KSM_UMR_WQEBBS(ksm_entries); +@@ -678,25 +678,24 @@ static int mlx5e_build_shampo_hd_umr(struct mlx5e_rq *rq, + umr_wqe = mlx5_wq_cyc_get_wqe(&sq->wq, pi); + build_ksm_umr(sq, umr_wqe, shampo->mkey_be, index, ksm_entries); + +- WARN_ON_ONCE(ksm_entries & (MLX5E_SHAMPO_WQ_HEADER_PER_PAGE - 1)); +- while (i < ksm_entries) { +- struct mlx5e_frag_page *frag_page = mlx5e_shampo_hd_to_frag_page(rq, index); ++ for (i = 0; i < ksm_entries; i++, index++) { ++ struct mlx5e_frag_page *frag_page; + u64 addr; + +- err = mlx5e_page_alloc_fragmented(rq->hd_page_pool, frag_page); +- if (unlikely(err)) +- goto err_unmap; ++ frag_page = mlx5e_shampo_hd_to_frag_page(rq, index); ++ header_offset = mlx5e_shampo_hd_offset(index); ++ if (!header_offset) { ++ err = mlx5e_page_alloc_fragmented(rq->hd_page_pool, ++ frag_page); ++ if (err) ++ goto err_unmap; ++ } + + addr = page_pool_get_dma_addr_netmem(frag_page->netmem); +- +- for (int j = 0; j < MLX5E_SHAMPO_WQ_HEADER_PER_PAGE; j++) { +- header_offset = mlx5e_shampo_hd_offset(index++); +- +- umr_wqe->inline_ksms[i++] = (struct mlx5_ksm) { +- .key = cpu_to_be32(lkey), +- .va = cpu_to_be64(addr + header_offset + headroom), +- }; +- } ++ umr_wqe->inline_ksms[i] = (struct mlx5_ksm) { ++ .key = cpu_to_be32(lkey), ++ .va = cpu_to_be64(addr + header_offset + headroom), ++ }; + } + + sq->db.wqe_info[pi] = (struct mlx5e_icosq_wqe_info) { +@@ -712,7 +711,7 @@ static int mlx5e_build_shampo_hd_umr(struct mlx5e_rq *rq, + return 0; + + err_unmap: +- while (--i) { ++ while (--i >= 0) { + --index; + header_offset = mlx5e_shampo_hd_offset(index); + if (!header_offset) { +@@ -734,8 +733,7 @@ static int mlx5e_alloc_rx_hd_mpwqe(struct mlx5e_rq *rq) + struct mlx5e_icosq *sq = rq->icosq; + int i, err, max_ksm_entries, len; + +- max_ksm_entries = ALIGN_DOWN(MLX5E_MAX_KSM_PER_WQE(rq->mdev), +- MLX5E_SHAMPO_WQ_HEADER_PER_PAGE); ++ max_ksm_entries = MLX5E_MAX_KSM_PER_WQE(rq->mdev); + ksm_entries = bitmap_find_window(shampo->bitmap, + shampo->hd_per_wqe, + shampo->hd_per_wq, shampo->pi); +-- +2.51.0 + diff --git a/queue-6.17/net-mlx5e-shampo-fix-skb-size-check-for-64k-pages.patch b/queue-6.17/net-mlx5e-shampo-fix-skb-size-check-for-64k-pages.patch new file mode 100644 index 0000000000..55f6ddd8c6 --- /dev/null +++ b/queue-6.17/net-mlx5e-shampo-fix-skb-size-check-for-64k-pages.patch @@ -0,0 +1,56 @@ +From fb51d8862a19759603790d7d601b4884a6b86778 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Nov 2025 08:48:34 +0200 +Subject: net/mlx5e: SHAMPO, Fix skb size check for 64K pages + +From: Dragos Tatulea + +[ Upstream commit bacd8d80181ebe34b599a39aa26bf73a44c91e55 ] + +mlx5e_hw_gro_skb_has_enough_space() uses a formula to check if there is +enough space in the skb frags to store more data. This formula is +incorrect for 64K page sizes and it triggers early GRO session +termination because the first fragment will blow up beyond +GRO_LEGACY_MAX_SIZE. + +This patch adds a special case for page sizes >= GRO_LEGACY_MAX_SIZE +(64K) which uses the skb->len instead. Within this context, +the check is safe from fragment overflow because the hardware +will continuously fill the data up to the reservation size of 64K +and the driver will coalesce all data from the same page to the same +fragment. This means that the data will span one fragment or at most +two for such a large page size. + +It is expected that the if statement will be optimized out as the +check is done with constants. + +Fixes: 92552d3abd32 ("net/mlx5e: HW_GRO cqe handler implementation") +Signed-off-by: Dragos Tatulea +Signed-off-by: Tariq Toukan +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/1762238915-1027590-3-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c +index f19e94884a52e..0dcb4d5b06c8e 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c +@@ -2327,7 +2327,10 @@ mlx5e_hw_gro_skb_has_enough_space(struct sk_buff *skb, u16 data_bcnt) + { + int nr_frags = skb_shinfo(skb)->nr_frags; + +- return PAGE_SIZE * nr_frags + data_bcnt <= GRO_LEGACY_MAX_SIZE; ++ if (PAGE_SIZE >= GRO_LEGACY_MAX_SIZE) ++ return skb->len + data_bcnt <= GRO_LEGACY_MAX_SIZE; ++ else ++ return PAGE_SIZE * nr_frags + data_bcnt <= GRO_LEGACY_MAX_SIZE; + } + + static void mlx5e_handle_rx_cqe_mpwrq_shampo(struct mlx5e_rq *rq, struct mlx5_cqe64 *cqe) +-- +2.51.0 + diff --git a/queue-6.17/net-ti-icssg-prueth-fix-fdb-hash-size-configuration.patch b/queue-6.17/net-ti-icssg-prueth-fix-fdb-hash-size-configuration.patch new file mode 100644 index 0000000000..e6c1ee00da --- /dev/null +++ b/queue-6.17/net-ti-icssg-prueth-fix-fdb-hash-size-configuration.patch @@ -0,0 +1,69 @@ +From eaf8230c3172100662191c390a637bb54ae83455 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Nov 2025 16:14:15 +0530 +Subject: net: ti: icssg-prueth: Fix fdb hash size configuration + +From: Meghana Malladi + +[ Upstream commit ae4789affd1e181ae46e72e2b5fbe2d6d7b6616a ] + +The ICSSG driver does the initial FDB configuration which +includes setting the control registers. Other run time +management like learning is managed by the PRU's. The default +FDB hash size used by the firmware is 512 slots, which is +currently missing in the current driver. Update the driver +FDB config to include FDB hash size as well. + +Please refer trm [1] 6.4.14.12.17 section on how the FDB config +register gets configured. From the table 6-1404, there is a reset +field for FDB_HAS_SIZE which is 4, meaning 1024 slots. Currently +the driver is not updating this reset value from 4(1024 slots) to +3(512 slots). This patch fixes this by updating the reset value +to 512 slots. + +[1]: https://www.ti.com/lit/pdf/spruim2 +Fixes: abd5576b9c57f ("net: ti: icssg-prueth: Add support for ICSSG switch firmware") +Signed-off-by: Meghana Malladi +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20251104104415.3110537-1-m-malladi@ti.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ti/icssg/icssg_config.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/ethernet/ti/icssg/icssg_config.c b/drivers/net/ethernet/ti/icssg/icssg_config.c +index da53eb04b0a43..3f8237c17d099 100644 +--- a/drivers/net/ethernet/ti/icssg/icssg_config.c ++++ b/drivers/net/ethernet/ti/icssg/icssg_config.c +@@ -66,6 +66,9 @@ + #define FDB_GEN_CFG1 0x60 + #define SMEM_VLAN_OFFSET 8 + #define SMEM_VLAN_OFFSET_MASK GENMASK(25, 8) ++#define FDB_HASH_SIZE_MASK GENMASK(6, 3) ++#define FDB_HASH_SIZE_SHIFT 3 ++#define FDB_HASH_SIZE 3 + + #define FDB_GEN_CFG2 0x64 + #define FDB_VLAN_EN BIT(6) +@@ -463,6 +466,8 @@ void icssg_init_emac_mode(struct prueth *prueth) + /* Set VLAN TABLE address base */ + regmap_update_bits(prueth->miig_rt, FDB_GEN_CFG1, SMEM_VLAN_OFFSET_MASK, + addr << SMEM_VLAN_OFFSET); ++ regmap_update_bits(prueth->miig_rt, FDB_GEN_CFG1, FDB_HASH_SIZE_MASK, ++ FDB_HASH_SIZE << FDB_HASH_SIZE_SHIFT); + /* Set enable VLAN aware mode, and FDBs for all PRUs */ + regmap_write(prueth->miig_rt, FDB_GEN_CFG2, (FDB_PRU0_EN | FDB_PRU1_EN | FDB_HOST_EN)); + prueth->vlan_tbl = (struct prueth_vlan_tbl __force *)(prueth->shram.va + +@@ -484,6 +489,8 @@ void icssg_init_fw_offload_mode(struct prueth *prueth) + /* Set VLAN TABLE address base */ + regmap_update_bits(prueth->miig_rt, FDB_GEN_CFG1, SMEM_VLAN_OFFSET_MASK, + addr << SMEM_VLAN_OFFSET); ++ regmap_update_bits(prueth->miig_rt, FDB_GEN_CFG1, FDB_HASH_SIZE_MASK, ++ FDB_HASH_SIZE << FDB_HASH_SIZE_SHIFT); + /* Set enable VLAN aware mode, and FDBs for all PRUs */ + regmap_write(prueth->miig_rt, FDB_GEN_CFG2, FDB_EN_ALL); + prueth->vlan_tbl = (struct prueth_vlan_tbl __force *)(prueth->shram.va + +-- +2.51.0 + diff --git a/queue-6.17/net-usb-qmi_wwan-initialize-mac-header-offset-in-qmi.patch b/queue-6.17/net-usb-qmi_wwan-initialize-mac-header-offset-in-qmi.patch new file mode 100644 index 0000000000..f2522549b8 --- /dev/null +++ b/queue-6.17/net-usb-qmi_wwan-initialize-mac-header-offset-in-qmi.patch @@ -0,0 +1,70 @@ +From 337305b9369508e2ded954581621e71e365787e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Oct 2025 08:57:44 +0100 +Subject: net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup + +From: Qendrim Maxhuni + +[ Upstream commit e120f46768d98151ece8756ebd688b0e43dc8b29 ] + +Raw IP packets have no MAC header, leaving skb->mac_header uninitialized. +This can trigger kernel panics on ARM64 when xfrm or other subsystems +access the offset due to strict alignment checks. + +Initialize the MAC header to prevent such crashes. + +This can trigger kernel panics on ARM when running IPsec over the +qmimux0 interface. + +Example trace: + + Internal error: Oops: 000000009600004f [#1] SMP + CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.34-gbe78e49cb433 #1 + Hardware name: LS1028A RDB Board (DT) + pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : xfrm_input+0xde8/0x1318 + lr : xfrm_input+0x61c/0x1318 + sp : ffff800080003b20 + Call trace: + xfrm_input+0xde8/0x1318 + xfrm6_rcv+0x38/0x44 + xfrm6_esp_rcv+0x48/0xa8 + ip6_protocol_deliver_rcu+0x94/0x4b0 + ip6_input_finish+0x44/0x70 + ip6_input+0x44/0xc0 + ipv6_rcv+0x6c/0x114 + __netif_receive_skb_one_core+0x5c/0x8c + __netif_receive_skb+0x18/0x60 + process_backlog+0x78/0x17c + __napi_poll+0x38/0x180 + net_rx_action+0x168/0x2f0 + +Fixes: c6adf77953bc ("net: usb: qmi_wwan: add qmap mux protocol support") +Signed-off-by: Qendrim Maxhuni +Link: https://patch.msgid.link/20251029075744.105113-1-qendrim.maxhuni@garderos.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/qmi_wwan.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index 11352d85475ae..3a4985b582cb1 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -192,6 +192,12 @@ static int qmimux_rx_fixup(struct usbnet *dev, struct sk_buff *skb) + if (!skbn) + return 0; + ++ /* Raw IP packets don't have a MAC header, but other subsystems ++ * (like xfrm) may still access MAC header offsets, so they must ++ * be initialized. ++ */ ++ skb_reset_mac_header(skbn); ++ + switch (skb->data[offset + qmimux_hdr_sz] & 0xf0) { + case 0x40: + skbn->protocol = htons(ETH_P_IP); +-- +2.51.0 + diff --git a/queue-6.17/net-vlan-sync-vlan-features-with-lower-device.patch b/queue-6.17/net-vlan-sync-vlan-features-with-lower-device.patch new file mode 100644 index 0000000000..2c6c85fca0 --- /dev/null +++ b/queue-6.17/net-vlan-sync-vlan-features-with-lower-device.patch @@ -0,0 +1,44 @@ +From e44c76e7b5e3adcb4e3aeb23d12738c816cd0d6c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Oct 2025 07:35:39 +0000 +Subject: net: vlan: sync VLAN features with lower device + +From: Hangbin Liu + +[ Upstream commit c211f5d7cbd5cb34489d526648bb9c8ecc907dee ] + +After registering a VLAN device and setting its feature flags, we need to +synchronize the VLAN features with the lower device. For example, the VLAN +device does not have the NETIF_F_LRO flag, it should be synchronized with +the lower device based on the NETIF_F_UPPER_DISABLES definition. + +As the dev->vlan_features has changed, we need to call +netdev_update_features(). The caller must run after netdev_upper_dev_link() +links the lower devices, so this patch adds the netdev_update_features() +call in register_vlan_dev(). + +Fixes: fd867d51f889 ("net/core: generic support for disabling netdev features down stack") +Signed-off-by: Hangbin Liu +Link: https://patch.msgid.link/20251030073539.133779-1-liuhangbin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/8021q/vlan.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c +index fda3a80e9340c..2b74ed56eb166 100644 +--- a/net/8021q/vlan.c ++++ b/net/8021q/vlan.c +@@ -193,6 +193,8 @@ int register_vlan_dev(struct net_device *dev, struct netlink_ext_ack *extack) + vlan_group_set_device(grp, vlan->vlan_proto, vlan_id, dev); + grp->nr_vlan_devs++; + ++ netdev_update_features(dev); ++ + return 0; + + out_unregister_netdev: +-- +2.51.0 + diff --git a/queue-6.17/net-wan-framer-pef2256-switch-to-devm_mfd_add_device.patch b/queue-6.17/net-wan-framer-pef2256-switch-to-devm_mfd_add_device.patch new file mode 100644 index 0000000000..425e5bb2ef --- /dev/null +++ b/queue-6.17/net-wan-framer-pef2256-switch-to-devm_mfd_add_device.patch @@ -0,0 +1,56 @@ +From 7b131cf59942266992d063e02416764ad158c0ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Nov 2025 11:47:16 +0800 +Subject: net: wan: framer: pef2256: Switch to devm_mfd_add_devices() + +From: Haotian Zhang + +[ Upstream commit 4d6ec3a7932ca5b168426f7b5b40abab2b41d2da ] + +The driver calls mfd_add_devices() but fails to call mfd_remove_devices() +in error paths after successful MFD device registration and in the remove +function. This leads to resource leaks where MFD child devices are not +properly unregistered. + +Replace mfd_add_devices with devm_mfd_add_devices to automatically +manage the device resources. + +Fixes: c96e976d9a05 ("net: wan: framer: Add support for the Lantiq PEF2256 framer") +Suggested-by: Herve Codina +Signed-off-by: Haotian Zhang +Acked-by: Herve Codina +Link: https://patch.msgid.link/20251105034716.662-1-vulab@iscas.ac.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/wan/framer/pef2256/pef2256.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wan/framer/pef2256/pef2256.c b/drivers/net/wan/framer/pef2256/pef2256.c +index 1e4c8e85d598d..395ac986f4ab2 100644 +--- a/drivers/net/wan/framer/pef2256/pef2256.c ++++ b/drivers/net/wan/framer/pef2256/pef2256.c +@@ -637,7 +637,8 @@ static int pef2256_add_audio_devices(struct pef2256 *pef2256) + audio_devs[i].id = i; + } + +- ret = mfd_add_devices(pef2256->dev, 0, audio_devs, count, NULL, 0, NULL); ++ ret = devm_mfd_add_devices(pef2256->dev, 0, audio_devs, count, ++ NULL, 0, NULL); + kfree(audio_devs); + return ret; + } +@@ -812,8 +813,8 @@ static int pef2256_probe(struct platform_device *pdev) + + platform_set_drvdata(pdev, pef2256); + +- ret = mfd_add_devices(pef2256->dev, 0, pef2256_devs, +- ARRAY_SIZE(pef2256_devs), NULL, 0, NULL); ++ ret = devm_mfd_add_devices(pef2256->dev, 0, pef2256_devs, ++ ARRAY_SIZE(pef2256_devs), NULL, 0, NULL); + if (ret) { + dev_err(pef2256->dev, "add devices failed (%d)\n", ret); + return ret; +-- +2.51.0 + diff --git a/queue-6.17/netconsole-acquire-su_mutex-before-navigating-config.patch b/queue-6.17/netconsole-acquire-su_mutex-before-navigating-config.patch new file mode 100644 index 0000000000..440f6fc7be --- /dev/null +++ b/queue-6.17/netconsole-acquire-su_mutex-before-navigating-config.patch @@ -0,0 +1,138 @@ +From 07a7ea60b3a3adaeede3cfb999b542dec521a4f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Oct 2025 13:50:24 -0700 +Subject: netconsole: Acquire su_mutex before navigating configs hierarchy + +From: Gustavo Luiz Duarte + +[ Upstream commit d7d2fcf7ae31471b4e08b7e448b8fd0ec2e06a1b ] + +There is a race between operations that iterate over the userdata +cg_children list and concurrent add/remove of userdata items through +configfs. The update_userdata() function iterates over the +nt->userdata_group.cg_children list, and count_extradata_entries() also +iterates over this same list to count nodes. + +Quoting from Documentation/filesystems/configfs.rst: +> A subsystem can navigate the cg_children list and the ci_parent pointer +> to see the tree created by the subsystem. This can race with configfs' +> management of the hierarchy, so configfs uses the subsystem mutex to +> protect modifications. Whenever a subsystem wants to navigate the +> hierarchy, it must do so under the protection of the subsystem +> mutex. + +Without proper locking, if a userdata item is added or removed +concurrently while these functions are iterating, the list can be +accessed in an inconsistent state. For example, the list_for_each() loop +can reach a node that is being removed from the list by list_del_init() +which sets the nodes' .next pointer to point to itself, so the loop will +never end (or reach the WARN_ON_ONCE in update_userdata() ). + +Fix this by holding the configfs subsystem mutex (su_mutex) during all +operations that iterate over cg_children. +This includes: +- userdatum_value_store() which calls update_userdata() to iterate over + cg_children +- All sysdata_*_enabled_store() functions which call + count_extradata_entries() to iterate over cg_children + +The su_mutex must be acquired before dynamic_netconsole_mutex to avoid +potential lock ordering issues, as configfs operations may already hold +su_mutex when calling into our code. + +Fixes: df03f830d099 ("net: netconsole: cache userdata formatted string in netconsole_target") +Signed-off-by: Gustavo Luiz Duarte +Link: https://patch.msgid.link/20251029-netconsole-fix-warn-v1-1-0d0dd4622f48@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/netconsole.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/net/netconsole.c b/drivers/net/netconsole.c +index e3722de08ea9f..3ff1dfc3d26b2 100644 +--- a/drivers/net/netconsole.c ++++ b/drivers/net/netconsole.c +@@ -928,6 +928,7 @@ static ssize_t userdatum_value_store(struct config_item *item, const char *buf, + if (count > MAX_EXTRADATA_VALUE_LEN) + return -EMSGSIZE; + ++ mutex_lock(&netconsole_subsys.su_mutex); + mutex_lock(&dynamic_netconsole_mutex); + + ret = strscpy(udm->value, buf, sizeof(udm->value)); +@@ -941,6 +942,7 @@ static ssize_t userdatum_value_store(struct config_item *item, const char *buf, + ret = count; + out_unlock: + mutex_unlock(&dynamic_netconsole_mutex); ++ mutex_unlock(&netconsole_subsys.su_mutex); + return ret; + } + +@@ -966,6 +968,7 @@ static ssize_t sysdata_msgid_enabled_store(struct config_item *item, + if (ret) + return ret; + ++ mutex_lock(&netconsole_subsys.su_mutex); + mutex_lock(&dynamic_netconsole_mutex); + curr = !!(nt->sysdata_fields & SYSDATA_MSGID); + if (msgid_enabled == curr) +@@ -986,6 +989,7 @@ static ssize_t sysdata_msgid_enabled_store(struct config_item *item, + ret = strnlen(buf, count); + unlock: + mutex_unlock(&dynamic_netconsole_mutex); ++ mutex_unlock(&netconsole_subsys.su_mutex); + return ret; + } + +@@ -1000,6 +1004,7 @@ static ssize_t sysdata_release_enabled_store(struct config_item *item, + if (ret) + return ret; + ++ mutex_lock(&netconsole_subsys.su_mutex); + mutex_lock(&dynamic_netconsole_mutex); + curr = !!(nt->sysdata_fields & SYSDATA_RELEASE); + if (release_enabled == curr) +@@ -1020,6 +1025,7 @@ static ssize_t sysdata_release_enabled_store(struct config_item *item, + ret = strnlen(buf, count); + unlock: + mutex_unlock(&dynamic_netconsole_mutex); ++ mutex_unlock(&netconsole_subsys.su_mutex); + return ret; + } + +@@ -1034,6 +1040,7 @@ static ssize_t sysdata_taskname_enabled_store(struct config_item *item, + if (ret) + return ret; + ++ mutex_lock(&netconsole_subsys.su_mutex); + mutex_lock(&dynamic_netconsole_mutex); + curr = !!(nt->sysdata_fields & SYSDATA_TASKNAME); + if (taskname_enabled == curr) +@@ -1054,6 +1061,7 @@ static ssize_t sysdata_taskname_enabled_store(struct config_item *item, + ret = strnlen(buf, count); + unlock: + mutex_unlock(&dynamic_netconsole_mutex); ++ mutex_unlock(&netconsole_subsys.su_mutex); + return ret; + } + +@@ -1069,6 +1077,7 @@ static ssize_t sysdata_cpu_nr_enabled_store(struct config_item *item, + if (ret) + return ret; + ++ mutex_lock(&netconsole_subsys.su_mutex); + mutex_lock(&dynamic_netconsole_mutex); + curr = !!(nt->sysdata_fields & SYSDATA_CPU_NR); + if (cpu_nr_enabled == curr) +@@ -1097,6 +1106,7 @@ static ssize_t sysdata_cpu_nr_enabled_store(struct config_item *item, + ret = strnlen(buf, count); + unlock: + mutex_unlock(&dynamic_netconsole_mutex); ++ mutex_unlock(&netconsole_subsys.su_mutex); + return ret; + } + +-- +2.51.0 + diff --git a/queue-6.17/netpoll-fix-deadlock-in-memory-allocation-under-spin.patch b/queue-6.17/netpoll-fix-deadlock-in-memory-allocation-under-spin.patch new file mode 100644 index 0000000000..f674e061ed --- /dev/null +++ b/queue-6.17/netpoll-fix-deadlock-in-memory-allocation-under-spin.patch @@ -0,0 +1,95 @@ +From 5ca593d0775910800aef52e59c9db5d904311c53 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Nov 2025 08:38:17 -0800 +Subject: netpoll: Fix deadlock in memory allocation under spinlock + +From: Breno Leitao + +[ Upstream commit 327c20c21d80e0d87834b392d83ae73c955ad8ff ] + +Fix a AA deadlock in refill_skbs() where memory allocation while holding +skb_pool->lock can trigger a recursive lock acquisition attempt. + +The deadlock scenario occurs when the system is under severe memory +pressure: + +1. refill_skbs() acquires skb_pool->lock (spinlock) +2. alloc_skb() is called while holding the lock +3. Memory allocator fails and calls slab_out_of_memory() +4. This triggers printk() for the OOM warning +5. The console output path calls netpoll_send_udp() +6. netpoll_send_udp() attempts to acquire the same skb_pool->lock +7. Deadlock: the lock is already held by the same CPU + +Call stack: + refill_skbs() + spin_lock_irqsave(&skb_pool->lock) <- lock acquired + __alloc_skb() + kmem_cache_alloc_node_noprof() + slab_out_of_memory() + printk() + console_flush_all() + netpoll_send_udp() + skb_dequeue() + spin_lock_irqsave(&skb_pool->lock) <- deadlock attempt + +This bug was exposed by commit 248f6571fd4c51 ("netpoll: Optimize skb +refilling on critical path") which removed refill_skbs() from the +critical path (where nested printk was being deferred), letting nested +printk being called from inside refill_skbs() + +Refactor refill_skbs() to never allocate memory while holding +the spinlock. + +Another possible solution to fix this problem is protecting the +refill_skbs() from nested printks, basically calling +printk_deferred_{enter,exit}() in refill_skbs(), then, any nested +pr_warn() would be deferred. + +I prefer this approach, given I _think_ it might be a good idea to move +the alloc_skb() from GFP_ATOMIC to GFP_KERNEL in the future, so, having +the alloc_skb() outside of the lock will be necessary step. + +There is a possible TOCTOU issue when checking for the pool length, and +queueing the new allocated skb, but, this is not an issue, given that +an extra SKB in the pool is harmless and it will be eventually used. + +Signed-off-by: Breno Leitao +Fixes: 248f6571fd4c51 ("netpoll: Optimize skb refilling on critical path") +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20251103-fix_netpoll_aa-v4-1-4cfecdf6da7c@debian.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/netpoll.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/net/core/netpoll.c b/net/core/netpoll.c +index 5f65b62346d4e..4ab154c614e33 100644 +--- a/net/core/netpoll.c ++++ b/net/core/netpoll.c +@@ -228,19 +228,16 @@ static void refill_skbs(struct netpoll *np) + { + struct sk_buff_head *skb_pool; + struct sk_buff *skb; +- unsigned long flags; + + skb_pool = &np->skb_pool; + +- spin_lock_irqsave(&skb_pool->lock, flags); +- while (skb_pool->qlen < MAX_SKBS) { ++ while (READ_ONCE(skb_pool->qlen) < MAX_SKBS) { + skb = alloc_skb(MAX_SKB_SIZE, GFP_ATOMIC); + if (!skb) + break; + +- __skb_queue_tail(skb_pool, skb); ++ skb_queue_tail(skb_pool, skb); + } +- spin_unlock_irqrestore(&skb_pool->lock, flags); + } + + static void zap_completion_queue(void) +-- +2.51.0 + diff --git a/queue-6.17/octeontx2-pf-fix-devm_kcalloc-error-checking.patch b/queue-6.17/octeontx2-pf-fix-devm_kcalloc-error-checking.patch new file mode 100644 index 0000000000..ee6f4b06ab --- /dev/null +++ b/queue-6.17/octeontx2-pf-fix-devm_kcalloc-error-checking.patch @@ -0,0 +1,43 @@ +From 67b45ab4bace5a7bc5d4d0d10c1205b1295e6440 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Nov 2025 16:26:42 +0300 +Subject: octeontx2-pf: Fix devm_kcalloc() error checking + +From: Dan Carpenter + +[ Upstream commit 2e25935ed24daee37c4c2e8e29e478ce6e1f72c7 ] + +The devm_kcalloc() function never return error pointers, it returns NULL +on failure. Also delete the netdev_err() printk. These allocation +functions already have debug output built-in some the extra error message +is not required. + +Fixes: efabce290151 ("octeontx2-pf: AF_XDP zero copy receive support") +Signed-off-by: Dan Carpenter +Link: https://patch.msgid.link/aQYKkrGA12REb2sj@stanley.mountain +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c +index aff17c37ddde0..902d6abaa3ec1 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c +@@ -1516,10 +1516,8 @@ int otx2_pool_init(struct otx2_nic *pfvf, u16 pool_id, + pool->xdp_cnt = numptrs; + pool->xdp = devm_kcalloc(pfvf->dev, + numptrs, sizeof(struct xdp_buff *), GFP_KERNEL); +- if (IS_ERR(pool->xdp)) { +- netdev_err(pfvf->netdev, "Creation of xsk pool failed\n"); +- return PTR_ERR(pool->xdp); +- } ++ if (!pool->xdp) ++ return -ENOMEM; + } + + return 0; +-- +2.51.0 + diff --git a/queue-6.17/revert-wifi-ath12k-fix-missing-station-power-save-co.patch b/queue-6.17/revert-wifi-ath12k-fix-missing-station-power-save-co.patch new file mode 100644 index 0000000000..65f62f399f --- /dev/null +++ b/queue-6.17/revert-wifi-ath12k-fix-missing-station-power-save-co.patch @@ -0,0 +1,199 @@ +From 527ba75a9bf7338db4e85f9e02510c8079d00c49 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Oct 2025 14:07:44 +0800 +Subject: Revert "wifi: ath12k: Fix missing station power save configuration" + +From: Miaoqing Pan + +[ Upstream commit 9222582ec524707fbb9d076febead5b6a07611ed ] + +This reverts commit 4b66d18918f8e4d85e51974a9e3ce9abad5c7c3d. + +In [1], Ross Brown reports poor performance of WCN7850 after enabling +power save. Temporarily revert the fix; it will be re-enabled once +the issue is resolved. + +Tested-on: WCN7850 hw2.0 PCI WLAN.IOE_HMT.1.1-00011-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1 + +Fixes: 4b66d18918f8 ("wifi: ath12k: Fix missing station power save configuration") +Reported-by: Ross Brown +Closes: https://lore.kernel.org/all/CAMn66qZENLhDOcVJuwUZ3ir89PVtVnQRq9DkV5xjJn1p6BKB9w@mail.gmail.com/ # [1] +Signed-off-by: Miaoqing Pan +Reviewed-by: Baochen Qiang +Link: https://patch.msgid.link/20251028060744.897198-1-miaoqing.pan@oss.qualcomm.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/mac.c | 122 ++++++++++++-------------- + 1 file changed, 55 insertions(+), 67 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c +index d717e74b01c89..fd584633392c1 100644 +--- a/drivers/net/wireless/ath/ath12k/mac.c ++++ b/drivers/net/wireless/ath/ath12k/mac.c +@@ -4078,68 +4078,12 @@ static int ath12k_mac_fils_discovery(struct ath12k_link_vif *arvif, + return ret; + } + +-static void ath12k_mac_vif_setup_ps(struct ath12k_link_vif *arvif) +-{ +- struct ath12k *ar = arvif->ar; +- struct ieee80211_vif *vif = arvif->ahvif->vif; +- struct ieee80211_conf *conf = &ath12k_ar_to_hw(ar)->conf; +- enum wmi_sta_powersave_param param; +- struct ieee80211_bss_conf *info; +- enum wmi_sta_ps_mode psmode; +- int ret; +- int timeout; +- bool enable_ps; +- +- lockdep_assert_wiphy(ath12k_ar_to_hw(ar)->wiphy); +- +- if (vif->type != NL80211_IFTYPE_STATION) +- return; +- +- enable_ps = arvif->ahvif->ps; +- if (enable_ps) { +- psmode = WMI_STA_PS_MODE_ENABLED; +- param = WMI_STA_PS_PARAM_INACTIVITY_TIME; +- +- timeout = conf->dynamic_ps_timeout; +- if (timeout == 0) { +- info = ath12k_mac_get_link_bss_conf(arvif); +- if (!info) { +- ath12k_warn(ar->ab, "unable to access bss link conf in setup ps for vif %pM link %u\n", +- vif->addr, arvif->link_id); +- return; +- } +- +- /* firmware doesn't like 0 */ +- timeout = ieee80211_tu_to_usec(info->beacon_int) / 1000; +- } +- +- ret = ath12k_wmi_set_sta_ps_param(ar, arvif->vdev_id, param, +- timeout); +- if (ret) { +- ath12k_warn(ar->ab, "failed to set inactivity time for vdev %d: %i\n", +- arvif->vdev_id, ret); +- return; +- } +- } else { +- psmode = WMI_STA_PS_MODE_DISABLED; +- } +- +- ath12k_dbg(ar->ab, ATH12K_DBG_MAC, "mac vdev %d psmode %s\n", +- arvif->vdev_id, psmode ? "enable" : "disable"); +- +- ret = ath12k_wmi_pdev_set_ps_mode(ar, arvif->vdev_id, psmode); +- if (ret) +- ath12k_warn(ar->ab, "failed to set sta power save mode %d for vdev %d: %d\n", +- psmode, arvif->vdev_id, ret); +-} +- + static void ath12k_mac_op_vif_cfg_changed(struct ieee80211_hw *hw, + struct ieee80211_vif *vif, + u64 changed) + { + struct ath12k_vif *ahvif = ath12k_vif_to_ahvif(vif); + unsigned long links = ahvif->links_map; +- struct ieee80211_vif_cfg *vif_cfg; + struct ieee80211_bss_conf *info; + struct ath12k_link_vif *arvif; + struct ieee80211_sta *sta; +@@ -4203,24 +4147,61 @@ static void ath12k_mac_op_vif_cfg_changed(struct ieee80211_hw *hw, + } + } + } ++} + +- if (changed & BSS_CHANGED_PS) { +- links = ahvif->links_map; +- vif_cfg = &vif->cfg; ++static void ath12k_mac_vif_setup_ps(struct ath12k_link_vif *arvif) ++{ ++ struct ath12k *ar = arvif->ar; ++ struct ieee80211_vif *vif = arvif->ahvif->vif; ++ struct ieee80211_conf *conf = &ath12k_ar_to_hw(ar)->conf; ++ enum wmi_sta_powersave_param param; ++ struct ieee80211_bss_conf *info; ++ enum wmi_sta_ps_mode psmode; ++ int ret; ++ int timeout; ++ bool enable_ps; + +- for_each_set_bit(link_id, &links, IEEE80211_MLD_MAX_NUM_LINKS) { +- arvif = wiphy_dereference(hw->wiphy, ahvif->link[link_id]); +- if (!arvif || !arvif->ar) +- continue; ++ lockdep_assert_wiphy(ath12k_ar_to_hw(ar)->wiphy); + +- ar = arvif->ar; ++ if (vif->type != NL80211_IFTYPE_STATION) ++ return; ++ ++ enable_ps = arvif->ahvif->ps; ++ if (enable_ps) { ++ psmode = WMI_STA_PS_MODE_ENABLED; ++ param = WMI_STA_PS_PARAM_INACTIVITY_TIME; + +- if (ar->ab->hw_params->supports_sta_ps) { +- ahvif->ps = vif_cfg->ps; +- ath12k_mac_vif_setup_ps(arvif); ++ timeout = conf->dynamic_ps_timeout; ++ if (timeout == 0) { ++ info = ath12k_mac_get_link_bss_conf(arvif); ++ if (!info) { ++ ath12k_warn(ar->ab, "unable to access bss link conf in setup ps for vif %pM link %u\n", ++ vif->addr, arvif->link_id); ++ return; + } ++ ++ /* firmware doesn't like 0 */ ++ timeout = ieee80211_tu_to_usec(info->beacon_int) / 1000; + } ++ ++ ret = ath12k_wmi_set_sta_ps_param(ar, arvif->vdev_id, param, ++ timeout); ++ if (ret) { ++ ath12k_warn(ar->ab, "failed to set inactivity time for vdev %d: %i\n", ++ arvif->vdev_id, ret); ++ return; ++ } ++ } else { ++ psmode = WMI_STA_PS_MODE_DISABLED; + } ++ ++ ath12k_dbg(ar->ab, ATH12K_DBG_MAC, "mac vdev %d psmode %s\n", ++ arvif->vdev_id, psmode ? "enable" : "disable"); ++ ++ ret = ath12k_wmi_pdev_set_ps_mode(ar, arvif->vdev_id, psmode); ++ if (ret) ++ ath12k_warn(ar->ab, "failed to set sta power save mode %d for vdev %d: %d\n", ++ psmode, arvif->vdev_id, ret); + } + + static bool ath12k_mac_supports_tpc(struct ath12k *ar, struct ath12k_vif *ahvif, +@@ -4242,6 +4223,7 @@ static void ath12k_mac_bss_info_changed(struct ath12k *ar, + { + struct ath12k_vif *ahvif = arvif->ahvif; + struct ieee80211_vif *vif = ath12k_ahvif_to_vif(ahvif); ++ struct ieee80211_vif_cfg *vif_cfg = &vif->cfg; + struct cfg80211_chan_def def; + u32 param_id, param_value; + enum nl80211_band band; +@@ -4528,6 +4510,12 @@ static void ath12k_mac_bss_info_changed(struct ath12k *ar, + } + + ath12k_mac_fils_discovery(arvif, info); ++ ++ if (changed & BSS_CHANGED_PS && ++ ar->ab->hw_params->supports_sta_ps) { ++ ahvif->ps = vif_cfg->ps; ++ ath12k_mac_vif_setup_ps(arvif); ++ } + } + + static struct ath12k_vif_cache *ath12k_ahvif_get_link_cache(struct ath12k_vif *ahvif, +-- +2.51.0 + diff --git a/queue-6.17/riscv-ptdump-use-seq_puts-in-pt_dump_seq_puts-macro.patch b/queue-6.17/riscv-ptdump-use-seq_puts-in-pt_dump_seq_puts-macro.patch new file mode 100644 index 0000000000..f686aee180 --- /dev/null +++ b/queue-6.17/riscv-ptdump-use-seq_puts-in-pt_dump_seq_puts-macro.patch @@ -0,0 +1,47 @@ +From e9e7048413a0a02c97611297089172f5962f6edd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Oct 2025 11:40:43 -0600 +Subject: riscv: ptdump: use seq_puts() in pt_dump_seq_puts() macro + +From: Josephine Pfeiffer + +[ Upstream commit a74f038fa50e0d33b740f44f862fe856f16de6a8 ] + +The pt_dump_seq_puts() macro incorrectly uses seq_printf() instead of +seq_puts(). This is both a performance issue and conceptually wrong, +as the macro name suggests plain string output (puts) but the +implementation uses formatted output (printf). + +The macro is used in ptdump.c:301 to output a newline character. Using +seq_printf() adds unnecessary overhead for format string parsing when +outputting this constant string. + +This bug was introduced in commit 59c4da8640cc ("riscv: Add support to +dump the kernel page tables") in 2020, which copied the implementation +pattern from other architectures that had the same bug. + +Fixes: 59c4da8640cc ("riscv: Add support to dump the kernel page tables") +Signed-off-by: Josephine Pfeiffer +Link: https://lore.kernel.org/r/20251018170451.3355496-1-hi@josie.lol +Signed-off-by: Paul Walmsley +Signed-off-by: Sasha Levin +--- + arch/riscv/mm/ptdump.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/riscv/mm/ptdump.c b/arch/riscv/mm/ptdump.c +index 3b51690cc8760..34299c2b231f1 100644 +--- a/arch/riscv/mm/ptdump.c ++++ b/arch/riscv/mm/ptdump.c +@@ -21,7 +21,7 @@ + #define pt_dump_seq_puts(m, fmt) \ + ({ \ + if (m) \ +- seq_printf(m, fmt); \ ++ seq_puts(m, fmt); \ + }) + + /* +-- +2.51.0 + diff --git a/queue-6.17/riscv-stacktrace-disable-kasan-checks-for-non-curren.patch b/queue-6.17/riscv-stacktrace-disable-kasan-checks-for-non-curren.patch new file mode 100644 index 0000000000..77cf9fde25 --- /dev/null +++ b/queue-6.17/riscv-stacktrace-disable-kasan-checks-for-non-curren.patch @@ -0,0 +1,73 @@ +From b0e63b6fe2874c72eb57f931e116a258879fe451 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Oct 2025 11:40:43 -0600 +Subject: riscv: stacktrace: Disable KASAN checks for non-current tasks + +From: Chunyan Zhang + +[ Upstream commit 060ea84a484e852b52b938f234bf9b5503a6c910 ] + +Unwinding the stack of a task other than current, KASAN would report +"BUG: KASAN: out-of-bounds in walk_stackframe+0x41c/0x460" + +There is a same issue on x86 and has been resolved by the commit +84936118bdf3 ("x86/unwind: Disable KASAN checks for non-current tasks") +The solution could be applied to RISC-V too. + +This patch also can solve the issue: +https://seclists.org/oss-sec/2025/q4/23 + +Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly") +Co-developed-by: Jiakai Xu +Signed-off-by: Jiakai Xu +Signed-off-by: Chunyan Zhang +Link: https://lore.kernel.org/r/20251022072608.743484-1-zhangchunyan@iscas.ac.cn +[pjw@kernel.org: clean up checkpatch issues] +Signed-off-by: Paul Walmsley +Signed-off-by: Sasha Levin +--- + arch/riscv/kernel/stacktrace.c | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +diff --git a/arch/riscv/kernel/stacktrace.c b/arch/riscv/kernel/stacktrace.c +index 3fe9e6edef8f1..b41b6255751cb 100644 +--- a/arch/riscv/kernel/stacktrace.c ++++ b/arch/riscv/kernel/stacktrace.c +@@ -16,6 +16,22 @@ + + #ifdef CONFIG_FRAME_POINTER + ++/* ++ * This disables KASAN checking when reading a value from another task's stack, ++ * since the other task could be running on another CPU and could have poisoned ++ * the stack in the meantime. ++ */ ++#define READ_ONCE_TASK_STACK(task, x) \ ++({ \ ++ unsigned long val; \ ++ unsigned long addr = x; \ ++ if ((task) == current) \ ++ val = READ_ONCE(addr); \ ++ else \ ++ val = READ_ONCE_NOCHECK(addr); \ ++ val; \ ++}) ++ + extern asmlinkage void handle_exception(void); + extern unsigned long ret_from_exception_end; + +@@ -69,8 +85,9 @@ void notrace walk_stackframe(struct task_struct *task, struct pt_regs *regs, + fp = frame->ra; + pc = regs->ra; + } else { +- fp = frame->fp; +- pc = ftrace_graph_ret_addr(current, &graph_idx, frame->ra, ++ fp = READ_ONCE_TASK_STACK(task, frame->fp); ++ pc = READ_ONCE_TASK_STACK(task, frame->ra); ++ pc = ftrace_graph_ret_addr(current, &graph_idx, pc, + &frame->ra); + if (pc >= (unsigned long)handle_exception && + pc < (unsigned long)&ret_from_exception_end) { +-- +2.51.0 + diff --git a/queue-6.17/scsi-ufs-core-fix-a-race-condition-related-to-the-hi.patch b/queue-6.17/scsi-ufs-core-fix-a-race-condition-related-to-the-hi.patch new file mode 100644 index 0000000000..f659db958a --- /dev/null +++ b/queue-6.17/scsi-ufs-core-fix-a-race-condition-related-to-the-hi.patch @@ -0,0 +1,77 @@ +From 53fbdbf481c1a88b486f75e6b18a8f50705d8c8d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Oct 2025 13:00:53 -0700 +Subject: scsi: ufs: core: Fix a race condition related to the "hid" attribute + group + +From: Bart Van Assche + +[ Upstream commit c74dc8ab47c1ec3927f63ca83b542c363249b3d8 ] + +ufs_sysfs_add_nodes() is called concurrently with ufs_get_device_desc(). +This may cause the following code to be called before +ufs_sysfs_add_nodes(): + + sysfs_update_group(&hba->dev->kobj, &ufs_sysfs_hid_group); + +If this happens, ufs_sysfs_add_nodes() triggers a kernel warning and +fails. Fix this by calling ufs_sysfs_add_nodes() before SCSI LUNs are +scanned since the sysfs_update_group() call happens from the context of +thread that executes ufshcd_async_scan(). This patch fixes the following +kernel warning: + +sysfs: cannot create duplicate filename '/devices/platform/3c2d0000.ufs/hid' +Workqueue: async async_run_entry_fn +Call trace: + dump_backtrace+0xfc/0x17c + show_stack+0x18/0x28 + dump_stack_lvl+0x40/0x104 + dump_stack+0x18/0x3c + sysfs_warn_dup+0x6c/0xc8 + internal_create_group+0x1c8/0x504 + sysfs_create_groups+0x38/0x9c + ufs_sysfs_add_nodes+0x20/0x58 + ufshcd_init+0x1114/0x134c + ufshcd_pltfrm_init+0x728/0x7d8 + ufs_google_probe+0x30/0x84 + platform_probe+0xa0/0xe0 + really_probe+0x114/0x454 + __driver_probe_device+0xa4/0x160 + driver_probe_device+0x44/0x23c + __device_attach_driver+0x15c/0x1f4 + bus_for_each_drv+0x10c/0x168 + __device_attach_async_helper+0x80/0xf8 + async_run_entry_fn+0x4c/0x17c + process_one_work+0x26c/0x65c + worker_thread+0x33c/0x498 + kthread+0x110/0x134 + ret_from_fork+0x10/0x20 +ufshcd 3c2d0000.ufs: ufs_sysfs_add_nodes: sysfs groups creation failed (err = -17) + +Cc: Daniel Lee +Fixes: bb7663dec67b ("scsi: ufs: sysfs: Make HID attributes visible") +Signed-off-by: Bart Van Assche +Link: https://patch.msgid.link/20251014200118.3390839-2-bvanassche@acm.org +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/ufs/core/ufshcd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c +index b6d5d135527c0..8208a26c3ed63 100644 +--- a/drivers/ufs/core/ufshcd.c ++++ b/drivers/ufs/core/ufshcd.c +@@ -10869,8 +10869,8 @@ int ufshcd_init(struct ufs_hba *hba, void __iomem *mmio_base, unsigned int irq) + if (err) + goto out_disable; + +- async_schedule(ufshcd_async_scan, hba); + ufs_sysfs_add_nodes(hba->dev); ++ async_schedule(ufshcd_async_scan, hba); + + device_enable_async_suspend(dev); + ufshcd_pm_qos_init(hba); +-- +2.51.0 + diff --git a/queue-6.17/scsi-ufs-core-revert-make-hid-attributes-visible.patch b/queue-6.17/scsi-ufs-core-revert-make-hid-attributes-visible.patch new file mode 100644 index 0000000000..1ab491b654 --- /dev/null +++ b/queue-6.17/scsi-ufs-core-revert-make-hid-attributes-visible.patch @@ -0,0 +1,110 @@ +From 853d4ce77c3d2a909cd7e53e5e7a5849ff6ce1fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Oct 2025 15:24:24 -0700 +Subject: scsi: ufs: core: Revert "Make HID attributes visible" + +From: Bart Van Assche + +[ Upstream commit f838d624fd1183e07db86f3138bcd05fd7630a1e ] + +Patch "Make HID attributes visible" is needed for older kernel versions +(e.g. 6.12) where ufs_get_device_desc() is called from ufshcd_probe_hba(). +In these older kernel versions ufshcd_get_device_desc() may be called +after the sysfs attributes have been added. In the upstream kernel however +ufshcd_get_device_desc() is called before ufs_sysfs_add_nodes(). See also +the ufshcd_device_params_init() call from ufshcd_init(). Hence, calling +sysfs_update_group() is not necessary. + +See also commit 69f5eb78d4b0 ("scsi: ufs: core: Move the +ufshcd_device_init(hba, true) call") in kernel v6.13. + +This patch fixes the following kernel warning: + +sysfs: cannot create duplicate filename '/devices/platform/3c2d0000.ufs/hid' +Workqueue: async async_run_entry_fn +Call trace: + dump_backtrace+0xfc/0x17c + show_stack+0x18/0x28 + dump_stack_lvl+0x40/0x104 + dump_stack+0x18/0x3c + sysfs_warn_dup+0x6c/0xc8 + internal_create_group+0x1c8/0x504 + sysfs_create_groups+0x38/0x9c + ufs_sysfs_add_nodes+0x20/0x58 + ufshcd_init+0x1114/0x134c + ufshcd_pltfrm_init+0x728/0x7d8 + ufs_google_probe+0x30/0x84 + platform_probe+0xa0/0xe0 + really_probe+0x114/0x454 + __driver_probe_device+0xa4/0x160 + driver_probe_device+0x44/0x23c + __device_attach_driver+0x15c/0x1f4 + bus_for_each_drv+0x10c/0x168 + __device_attach_async_helper+0x80/0xf8 + async_run_entry_fn+0x4c/0x17c + process_one_work+0x26c/0x65c + worker_thread+0x33c/0x498 + kthread+0x110/0x134 + ret_from_fork+0x10/0x20 +ufshcd 3c2d0000.ufs: ufs_sysfs_add_nodes: sysfs groups creation failed (err = -17) + +Cc: Daniel Lee +Cc: Peter Wang +Cc: Bjorn Andersson +Cc: Neil Armstrong +Fixes: bb7663dec67b ("scsi: ufs: sysfs: Make HID attributes visible") +Signed-off-by: Bart Van Assche + +Fixes: bb7663dec67b ("scsi: ufs: sysfs: Make HID attributes visible") +Acked-by: Neil Armstrong +Reviewed-by: Peter Wang +Reviewed-by: Bjorn Andersson +Link: https://patch.msgid.link/20251028222433.1108299-1-bvanassche@acm.org +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/ufs/core/ufs-sysfs.c | 2 +- + drivers/ufs/core/ufs-sysfs.h | 1 - + drivers/ufs/core/ufshcd.c | 2 -- + 3 files changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/ufs/core/ufs-sysfs.c b/drivers/ufs/core/ufs-sysfs.c +index c040afc6668e8..0086816b27cd9 100644 +--- a/drivers/ufs/core/ufs-sysfs.c ++++ b/drivers/ufs/core/ufs-sysfs.c +@@ -1949,7 +1949,7 @@ static umode_t ufs_sysfs_hid_is_visible(struct kobject *kobj, + return hba->dev_info.hid_sup ? attr->mode : 0; + } + +-const struct attribute_group ufs_sysfs_hid_group = { ++static const struct attribute_group ufs_sysfs_hid_group = { + .name = "hid", + .attrs = ufs_sysfs_hid, + .is_visible = ufs_sysfs_hid_is_visible, +diff --git a/drivers/ufs/core/ufs-sysfs.h b/drivers/ufs/core/ufs-sysfs.h +index 6efb82a082fdd..8d94af3b80771 100644 +--- a/drivers/ufs/core/ufs-sysfs.h ++++ b/drivers/ufs/core/ufs-sysfs.h +@@ -14,6 +14,5 @@ void ufs_sysfs_remove_nodes(struct device *dev); + + extern const struct attribute_group ufs_sysfs_unit_descriptor_group; + extern const struct attribute_group ufs_sysfs_lun_attributes_group; +-extern const struct attribute_group ufs_sysfs_hid_group; + + #endif +diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c +index 8208a26c3ed63..9e10287d5d6be 100644 +--- a/drivers/ufs/core/ufshcd.c ++++ b/drivers/ufs/core/ufshcd.c +@@ -8481,8 +8481,6 @@ static int ufs_get_device_desc(struct ufs_hba *hba) + DEVICE_DESC_PARAM_EXT_UFS_FEATURE_SUP) & + UFS_DEV_HID_SUPPORT; + +- sysfs_update_group(&hba->dev->kobj, &ufs_sysfs_hid_group); +- + model_index = desc_buf[DEVICE_DESC_PARAM_PRDCT_NAME]; + + err = ufshcd_read_string_desc(hba, model_index, +-- +2.51.0 + diff --git a/queue-6.17/sctp-hold-rcu-read-lock-while-iterating-over-address.patch b/queue-6.17/sctp-hold-rcu-read-lock-while-iterating-over-address.patch new file mode 100644 index 0000000000..d9dbaf6837 --- /dev/null +++ b/queue-6.17/sctp-hold-rcu-read-lock-while-iterating-over-address.patch @@ -0,0 +1,104 @@ +From 9d65b59410b45cd7b403979f73528d370af92b4b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Oct 2025 17:12:26 +0100 +Subject: sctp: Hold RCU read lock while iterating over address list + +From: Stefan Wiehler + +[ Upstream commit 38f50242bf0f237cdc262308d624d333286ec3c5 ] + +With CONFIG_PROVE_RCU_LIST=y and by executing + + $ netcat -l --sctp & + $ netcat --sctp localhost & + $ ss --sctp + +one can trigger the following Lockdep-RCU splat(s): + + WARNING: suspicious RCU usage + 6.18.0-rc1-00093-g7f864458e9a6 #5 Not tainted + ----------------------------- + net/sctp/diag.c:76 RCU-list traversed in non-reader section!! + + other info that might help us debug this: + + rcu_scheduler_active = 2, debug_locks = 1 + 2 locks held by ss/215: + #0: ffff9c740828bec0 (nlk_cb_mutex-SOCK_DIAG){+.+.}-{4:4}, at: __netlink_dump_start+0x84/0x2b0 + #1: ffff9c7401d72cd0 (sk_lock-AF_INET6){+.+.}-{0:0}, at: sctp_sock_dump+0x38/0x200 + + stack backtrace: + CPU: 0 UID: 0 PID: 215 Comm: ss Not tainted 6.18.0-rc1-00093-g7f864458e9a6 #5 PREEMPT(voluntary) + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 + Call Trace: + + dump_stack_lvl+0x5d/0x90 + lockdep_rcu_suspicious.cold+0x4e/0xa3 + inet_sctp_diag_fill.isra.0+0x4b1/0x5d0 + sctp_sock_dump+0x131/0x200 + sctp_transport_traverse_process+0x170/0x1b0 + ? __pfx_sctp_sock_filter+0x10/0x10 + ? __pfx_sctp_sock_dump+0x10/0x10 + sctp_diag_dump+0x103/0x140 + __inet_diag_dump+0x70/0xb0 + netlink_dump+0x148/0x490 + __netlink_dump_start+0x1f3/0x2b0 + inet_diag_handler_cmd+0xcd/0x100 + ? __pfx_inet_diag_dump_start+0x10/0x10 + ? __pfx_inet_diag_dump+0x10/0x10 + ? __pfx_inet_diag_dump_done+0x10/0x10 + sock_diag_rcv_msg+0x18e/0x320 + ? __pfx_sock_diag_rcv_msg+0x10/0x10 + netlink_rcv_skb+0x4d/0x100 + netlink_unicast+0x1d7/0x2b0 + netlink_sendmsg+0x203/0x450 + ____sys_sendmsg+0x30c/0x340 + ___sys_sendmsg+0x94/0xf0 + __sys_sendmsg+0x83/0xf0 + do_syscall_64+0xbb/0x390 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + ... + + +Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file") +Signed-off-by: Stefan Wiehler +Reviewed-by: Kuniyuki Iwashima +Acked-by: Xin Long +Link: https://patch.msgid.link/20251028161506.3294376-2-stefan.wiehler@nokia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/diag.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/sctp/diag.c b/net/sctp/diag.c +index 23359e522273f..dadf8254b30fd 100644 +--- a/net/sctp/diag.c ++++ b/net/sctp/diag.c +@@ -73,19 +73,23 @@ static int inet_diag_msg_sctpladdrs_fill(struct sk_buff *skb, + struct nlattr *attr; + void *info = NULL; + ++ rcu_read_lock(); + list_for_each_entry_rcu(laddr, address_list, list) + addrcnt++; ++ rcu_read_unlock(); + + attr = nla_reserve(skb, INET_DIAG_LOCALS, addrlen * addrcnt); + if (!attr) + return -EMSGSIZE; + + info = nla_data(attr); ++ rcu_read_lock(); + list_for_each_entry_rcu(laddr, address_list, list) { + memcpy(info, &laddr->a, sizeof(laddr->a)); + memset(info + sizeof(laddr->a), 0, addrlen - sizeof(laddr->a)); + info += addrlen; + } ++ rcu_read_unlock(); + + return 0; + } +-- +2.51.0 + diff --git a/queue-6.17/sctp-hold-sock-lock-while-iterating-over-address-lis.patch b/queue-6.17/sctp-hold-sock-lock-while-iterating-over-address-lis.patch new file mode 100644 index 0000000000..8b9c8d89b2 --- /dev/null +++ b/queue-6.17/sctp-hold-sock-lock-while-iterating-over-address-lis.patch @@ -0,0 +1,66 @@ +From a1b24831b53de1a5566c95f5a50bf80b22e68fd5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Oct 2025 17:12:28 +0100 +Subject: sctp: Hold sock lock while iterating over address list + +From: Stefan Wiehler + +[ Upstream commit f1fc201148c7e684c10a72b6a3375597f28d1ef6 ] + +Move address list traversal in inet_assoc_attr_size() under the sock +lock to avoid holding the RCU read lock. + +Suggested-by: Xin Long +Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file") +Signed-off-by: Stefan Wiehler +Acked-by: Xin Long +Link: https://patch.msgid.link/20251028161506.3294376-4-stefan.wiehler@nokia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/diag.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/net/sctp/diag.c b/net/sctp/diag.c +index 95e65b9d623b3..5a43f25478d03 100644 +--- a/net/sctp/diag.c ++++ b/net/sctp/diag.c +@@ -230,14 +230,15 @@ struct sctp_comm_param { + bool net_admin; + }; + +-static size_t inet_assoc_attr_size(struct sctp_association *asoc) ++static size_t inet_assoc_attr_size(struct sock *sk, ++ struct sctp_association *asoc) + { + int addrlen = sizeof(struct sockaddr_storage); + int addrcnt = 0; + struct sctp_sockaddr_entry *laddr; + + list_for_each_entry_rcu(laddr, &asoc->base.bind_addr.address_list, +- list) ++ list, lockdep_sock_is_held(sk)) + addrcnt++; + + return nla_total_size(sizeof(struct sctp_info)) +@@ -263,11 +264,14 @@ static int sctp_sock_dump_one(struct sctp_endpoint *ep, struct sctp_transport *t + if (err) + return err; + +- rep = nlmsg_new(inet_assoc_attr_size(assoc), GFP_KERNEL); +- if (!rep) ++ lock_sock(sk); ++ ++ rep = nlmsg_new(inet_assoc_attr_size(sk, assoc), GFP_KERNEL); ++ if (!rep) { ++ release_sock(sk); + return -ENOMEM; ++ } + +- lock_sock(sk); + if (ep != assoc->ep) { + err = -EAGAIN; + goto out; +-- +2.51.0 + diff --git a/queue-6.17/sctp-prevent-toctou-out-of-bounds-write.patch b/queue-6.17/sctp-prevent-toctou-out-of-bounds-write.patch new file mode 100644 index 0000000000..fdc8ec5944 --- /dev/null +++ b/queue-6.17/sctp-prevent-toctou-out-of-bounds-write.patch @@ -0,0 +1,45 @@ +From 7163f7c4538c5bbaf88926fd19242dec23b5e3ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Oct 2025 17:12:27 +0100 +Subject: sctp: Prevent TOCTOU out-of-bounds write + +From: Stefan Wiehler + +[ Upstream commit 95aef86ab231f047bb8085c70666059b58f53c09 ] + +For the following path not holding the sock lock, + + sctp_diag_dump() -> sctp_for_each_endpoint() -> sctp_ep_dump() + +make sure not to exceed bounds in case the address list has grown +between buffer allocation (time-of-check) and write (time-of-use). + +Suggested-by: Kuniyuki Iwashima +Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file") +Signed-off-by: Stefan Wiehler +Reviewed-by: Kuniyuki Iwashima +Acked-by: Xin Long +Link: https://patch.msgid.link/20251028161506.3294376-3-stefan.wiehler@nokia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/diag.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/sctp/diag.c b/net/sctp/diag.c +index dadf8254b30fd..95e65b9d623b3 100644 +--- a/net/sctp/diag.c ++++ b/net/sctp/diag.c +@@ -88,6 +88,9 @@ static int inet_diag_msg_sctpladdrs_fill(struct sk_buff *skb, + memcpy(info, &laddr->a, sizeof(laddr->a)); + memset(info + sizeof(laddr->a), 0, addrlen - sizeof(laddr->a)); + info += addrlen; ++ ++ if (!--addrcnt) ++ break; + } + rcu_read_unlock(); + +-- +2.51.0 + diff --git a/queue-6.17/selftests-net-fix-out-of-order-delivery-of-fin-in-gr.patch b/queue-6.17/selftests-net-fix-out-of-order-delivery-of-fin-in-gr.patch new file mode 100644 index 0000000000..e295fd40f4 --- /dev/null +++ b/queue-6.17/selftests-net-fix-out-of-order-delivery-of-fin-in-gr.patch @@ -0,0 +1,66 @@ +From cb1ed2449a52b5b930346edd0febe7027ade67d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Oct 2025 06:28:18 +0000 +Subject: selftests/net: fix out-of-order delivery of FIN in gro:tcp test + +From: Anubhav Singh + +[ Upstream commit 02d064de05b1fcca769391fa82d205bed8bb9bf0 ] + +Due to the gro_sender sending data packets and FIN packets +in very quick succession, these are received almost simultaneously +by the gro_receiver. FIN packets are sometimes processed before the +data packets leading to intermittent (~1/100) test failures. + +This change adds a delay of 100ms before sending FIN packets +in gro:tcp test to avoid the out-of-order delivery. The same +mitigation already exists for the gro:ip test. + +Fixes: 7d1575014a63 ("selftests/net: GRO coalesce test") +Reviewed-by: Willem de Bruijn +Signed-off-by: Anubhav Singh +Link: https://patch.msgid.link/20251030062818.1562228-1-anubhavsinggh@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/gro.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/tools/testing/selftests/net/gro.c b/tools/testing/selftests/net/gro.c +index d5824eadea109..209ec60052f5b 100644 +--- a/tools/testing/selftests/net/gro.c ++++ b/tools/testing/selftests/net/gro.c +@@ -969,6 +969,7 @@ static void check_recv_pkts(int fd, int *correct_payload, + + static void gro_sender(void) + { ++ const int fin_delay_us = 100 * 1000; + static char fin_pkt[MAX_HDR_LEN]; + struct sockaddr_ll daddr = {}; + int txfd = -1; +@@ -1012,15 +1013,22 @@ static void gro_sender(void) + write_packet(txfd, fin_pkt, total_hdr_len, &daddr); + } else if (strcmp(testname, "tcp") == 0) { + send_changed_checksum(txfd, &daddr); ++ /* Adding sleep before sending FIN so that it is not ++ * received prior to other packets. ++ */ ++ usleep(fin_delay_us); + write_packet(txfd, fin_pkt, total_hdr_len, &daddr); + + send_changed_seq(txfd, &daddr); ++ usleep(fin_delay_us); + write_packet(txfd, fin_pkt, total_hdr_len, &daddr); + + send_changed_ts(txfd, &daddr); ++ usleep(fin_delay_us); + write_packet(txfd, fin_pkt, total_hdr_len, &daddr); + + send_diff_opt(txfd, &daddr); ++ usleep(fin_delay_us); + write_packet(txfd, fin_pkt, total_hdr_len, &daddr); + } else if (strcmp(testname, "ip") == 0) { + send_changed_ECN(txfd, &daddr); +-- +2.51.0 + diff --git a/queue-6.17/selftests-net-use-destination-options-instead-of-hop.patch b/queue-6.17/selftests-net-use-destination-options-instead-of-hop.patch new file mode 100644 index 0000000000..c8c8106edd --- /dev/null +++ b/queue-6.17/selftests-net-use-destination-options-instead-of-hop.patch @@ -0,0 +1,58 @@ +From a34cf00f4013095b692c881208431b0ec4bd50c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Oct 2025 06:04:36 +0000 +Subject: selftests/net: use destination options instead of hop-by-hop + +From: Anubhav Singh + +[ Upstream commit f8e8486702abb05b8c734093aab1606af0eac068 ] + +The GRO self-test, gro.c, currently constructs IPv6 packets containing a +Hop-by-Hop Options header (IPPROTO_HOPOPTS) to ensure the GRO path +correctly handles IPv6 extension headers. + +However, network elements may be configured to drop packets with the +Hop-by-Hop Options header (HBH). This causes the self-test to fail +in environments where such network elements are present. + +To improve the robustness and reliability of this test in diverse +network environments, switch from using IPPROTO_HOPOPTS to +IPPROTO_DSTOPTS (Destination Options). + +The Destination Options header is less likely to be dropped by +intermediate routers and still serves the core purpose of the test: +validating GRO's handling of an IPv6 extension header. This change +ensures the test can execute successfully without being incorrectly +failed by network policies outside the kernel's control. + +Fixes: 7d1575014a63 ("selftests/net: GRO coalesce test") +Reviewed-by: Willem de Bruijn +Signed-off-by: Anubhav Singh +Link: https://patch.msgid.link/20251030060436.1556664-1-anubhavsinggh@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/gro.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/net/gro.c b/tools/testing/selftests/net/gro.c +index 209ec60052f5b..48755b8475a4b 100644 +--- a/tools/testing/selftests/net/gro.c ++++ b/tools/testing/selftests/net/gro.c +@@ -734,11 +734,11 @@ static void send_ipv6_exthdr(int fd, struct sockaddr_ll *daddr, char *ext_data1, + static char exthdr_pck[sizeof(buf) + MIN_EXTHDR_SIZE]; + + create_packet(buf, 0, 0, PAYLOAD_LEN, 0); +- add_ipv6_exthdr(buf, exthdr_pck, IPPROTO_HOPOPTS, ext_data1); ++ add_ipv6_exthdr(buf, exthdr_pck, IPPROTO_DSTOPTS, ext_data1); + write_packet(fd, exthdr_pck, total_hdr_len + PAYLOAD_LEN + MIN_EXTHDR_SIZE, daddr); + + create_packet(buf, PAYLOAD_LEN * 1, 0, PAYLOAD_LEN, 0); +- add_ipv6_exthdr(buf, exthdr_pck, IPPROTO_HOPOPTS, ext_data2); ++ add_ipv6_exthdr(buf, exthdr_pck, IPPROTO_DSTOPTS, ext_data2); + write_packet(fd, exthdr_pck, total_hdr_len + PAYLOAD_LEN + MIN_EXTHDR_SIZE, daddr); + } + +-- +2.51.0 + diff --git a/queue-6.17/selftests-netdevsim-fix-ethtool-coalesce.sh-fail-by-.patch b/queue-6.17/selftests-netdevsim-fix-ethtool-coalesce.sh-fail-by-.patch new file mode 100644 index 0000000000..ce82074a0c --- /dev/null +++ b/queue-6.17/selftests-netdevsim-fix-ethtool-coalesce.sh-fail-by-.patch @@ -0,0 +1,60 @@ +From 54fa97b01fe8522e92aa0b020204b46a20fb0679 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Oct 2025 12:03:40 +0800 +Subject: selftests: netdevsim: Fix ethtool-coalesce.sh fail by installing + ethtool-common.sh + +From: Wang Liang + +[ Upstream commit d01f8136d46b925798abcf86b35a4021e4cfb8bb ] + +The script "ethtool-common.sh" is not installed in INSTALL_PATH, and +triggers some errors when I try to run the test +'drivers/net/netdevsim/ethtool-coalesce.sh': + + TAP version 13 + 1..1 + # timeout set to 600 + # selftests: drivers/net/netdevsim: ethtool-coalesce.sh + # ./ethtool-coalesce.sh: line 4: ethtool-common.sh: No such file or directory + # ./ethtool-coalesce.sh: line 25: make_netdev: command not found + # ethtool: bad command line argument(s) + # ./ethtool-coalesce.sh: line 124: check: command not found + # ./ethtool-coalesce.sh: line 126: [: -eq: unary operator expected + # FAILED /0 checks + not ok 1 selftests: drivers/net/netdevsim: ethtool-coalesce.sh # exit=1 + +Install this file to avoid this error. After this patch: + + TAP version 13 + 1..1 + # timeout set to 600 + # selftests: drivers/net/netdevsim: ethtool-coalesce.sh + # PASSED all 22 checks + ok 1 selftests: drivers/net/netdevsim: ethtool-coalesce.sh + +Fixes: fbb8531e58bd ("selftests: extract common functions in ethtool-common.sh") +Signed-off-by: Wang Liang +Link: https://patch.msgid.link/20251030040340.3258110-1-wangliang74@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/drivers/net/netdevsim/Makefile | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/tools/testing/selftests/drivers/net/netdevsim/Makefile b/tools/testing/selftests/drivers/net/netdevsim/Makefile +index 07b7c46d33118..abe5bea5afb3b 100644 +--- a/tools/testing/selftests/drivers/net/netdevsim/Makefile ++++ b/tools/testing/selftests/drivers/net/netdevsim/Makefile +@@ -18,4 +18,8 @@ TEST_PROGS = devlink.sh \ + tc-mq-visibility.sh \ + udp_tunnel_nic.sh \ + ++TEST_FILES := \ ++ ethtool-common.sh ++# end of TEST_FILES ++ + include ../../../lib.mk +-- +2.51.0 + diff --git a/queue-6.17/selftests-vsock-avoid-false-positives-when-checking-.patch b/queue-6.17/selftests-vsock-avoid-false-positives-when-checking-.patch new file mode 100644 index 0000000000..2f61b78bcf --- /dev/null +++ b/queue-6.17/selftests-vsock-avoid-false-positives-when-checking-.patch @@ -0,0 +1,63 @@ +From 18acadf5741e2e68a7c990df5851eb2240d1b911 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Nov 2025 07:59:19 -0800 +Subject: selftests/vsock: avoid false-positives when checking dmesg + +From: Bobby Eshleman + +[ Upstream commit 3534e03e0ec2e00908765549828a69df5ebefb91 ] + +Sometimes VMs will have some intermittent dmesg warnings that are +unrelated to vsock. Change the dmesg parsing to filter on strings +containing 'vsock' to avoid false positive failures that are unrelated +to vsock. The downside is that it is possible for some vsock related +warnings to not contain the substring 'vsock', so those will be missed. + +Fixes: a4a65c6fe08b ("selftests/vsock: add initial vmtest.sh for vsock") +Reviewed-by: Simon Horman +Signed-off-by: Bobby Eshleman +Reviewed-by: Stefano Garzarella +Link: https://patch.msgid.link/20251105-vsock-vmtest-dmesg-fix-v2-1-1a042a14892c@meta.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/vsock/vmtest.sh | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/tools/testing/selftests/vsock/vmtest.sh b/tools/testing/selftests/vsock/vmtest.sh +index edacebfc16325..8ceeb8a7894f5 100755 +--- a/tools/testing/selftests/vsock/vmtest.sh ++++ b/tools/testing/selftests/vsock/vmtest.sh +@@ -389,9 +389,9 @@ run_test() { + local rc + + host_oops_cnt_before=$(dmesg | grep -c -i 'Oops') +- host_warn_cnt_before=$(dmesg --level=warn | wc -l) ++ host_warn_cnt_before=$(dmesg --level=warn | grep -c -i 'vsock') + vm_oops_cnt_before=$(vm_ssh -- dmesg | grep -c -i 'Oops') +- vm_warn_cnt_before=$(vm_ssh -- dmesg --level=warn | wc -l) ++ vm_warn_cnt_before=$(vm_ssh -- dmesg --level=warn | grep -c -i 'vsock') + + name=$(echo "${1}" | awk '{ print $1 }') + eval test_"${name}" +@@ -403,7 +403,7 @@ run_test() { + rc=$KSFT_FAIL + fi + +- host_warn_cnt_after=$(dmesg --level=warn | wc -l) ++ host_warn_cnt_after=$(dmesg --level=warn | grep -c -i 'vsock') + if [[ ${host_warn_cnt_after} -gt ${host_warn_cnt_before} ]]; then + echo "FAIL: kernel warning detected on host" | log_host "${name}" + rc=$KSFT_FAIL +@@ -415,7 +415,7 @@ run_test() { + rc=$KSFT_FAIL + fi + +- vm_warn_cnt_after=$(vm_ssh -- dmesg --level=warn | wc -l) ++ vm_warn_cnt_after=$(vm_ssh -- dmesg --level=warn | grep -c -i 'vsock') + if [[ ${vm_warn_cnt_after} -gt ${vm_warn_cnt_before} ]]; then + echo "FAIL: kernel warning detected on vm" | log_host "${name}" + rc=$KSFT_FAIL +-- +2.51.0 + diff --git a/queue-6.17/series b/queue-6.17/series index 1aa2a24dc2..d50f5686a8 100644 --- a/queue-6.17/series +++ b/queue-6.17/series @@ -748,3 +748,53 @@ tracing-tprobe-events-fix-to-register-tracepoint-correctly.patch tracing-tprobe-events-fix-to-put-tracepoint_user-when-disable-the-tprobe.patch ring-buffer-do-not-warn-in-ring_buffer_map_get_reader-when-reader-catches-up.patch net-libwx-fix-device-bus-lan-id.patch +scsi-ufs-core-fix-a-race-condition-related-to-the-hi.patch +riscv-stacktrace-disable-kasan-checks-for-non-curren.patch +riscv-ptdump-use-seq_puts-in-pt_dump_seq_puts-macro.patch +revert-wifi-ath12k-fix-missing-station-power-save-co.patch +scsi-ufs-core-revert-make-hid-attributes-visible.patch +bluetooth-hci_event-validate-skb-length-for-unknown-.patch +bluetooth-btrtl-fix-memory-leak-in-rtlbt_parse_firmw.patch +gve-implement-gettimex64-with-eopnotsupp.patch +gve-implement-settime64-with-eopnotsupp.patch +net-dsa-tag_brcm-legacy-fix-untagged-rx-on-unbridged.patch +selftests-net-fix-out-of-order-delivery-of-fin-in-gr.patch +selftests-net-use-destination-options-instead-of-hop.patch +selftests-netdevsim-fix-ethtool-coalesce.sh-fail-by-.patch +net-vlan-sync-vlan-features-with-lower-device.patch +netconsole-acquire-su_mutex-before-navigating-config.patch +gpio-swnode-don-t-use-the-swnode-s-name-as-the-key-f.patch +gpiolib-fix-invalid-pointer-access-in-debugfs.patch +net-mdio-check-regmap-pointer-returned-by-device_nod.patch +net-dsa-b53-fix-resetting-speed-and-pause-on-forced-.patch +net-dsa-b53-fix-bcm63xx-rgmii-port-link-adjustment.patch +net-dsa-b53-fix-enabling-ip-multicast.patch +net-dsa-b53-stop-reading-arl-entries-if-search-is-do.patch +net-dsa-b53-properly-bound-arl-searches-for-4-arl-bi.patch +sctp-hold-rcu-read-lock-while-iterating-over-address.patch +sctp-prevent-toctou-out-of-bounds-write.patch +sctp-hold-sock-lock-while-iterating-over-address-lis.patch +net-ionic-add-dma_wmb-before-ringing-tx-doorbell.patch +net-ionic-map-skb-after-pseudo-header-checksum-prep.patch +octeontx2-pf-fix-devm_kcalloc-error-checking.patch +net-usb-qmi_wwan-initialize-mac-header-offset-in-qmi.patch +bnxt_en-shutdown-fw-dma-in-bnxt_shutdown.patch +bnxt_en-fix-a-possible-memory-leak-in-bnxt_ptp_init.patch +bnxt_en-fix-null-pointer-dereference-in-bnxt_bs_trac.patch +bnxt_en-always-provide-max-entry-and-entry-size-in-c.patch +bnxt_en-fix-warning-in-bnxt_dl_reload_down.patch +netpoll-fix-deadlock-in-memory-allocation-under-spin.patch +wifi-mac80211_hwsim-limit-destroy_on_close-radio-rem.patch +io_uring-fix-types-for-region-size-calulation.patch +net-mlx5e-fix-return-value-in-case-of-module-eeprom-.patch +net-ti-icssg-prueth-fix-fdb-hash-size-configuration.patch +net-mlx5e-shampo-fix-header-mapping-for-64k-pages.patch +net-mlx5e-shampo-fix-skb-size-check-for-64k-pages.patch +net-mlx5e-shampo-fix-header-formulas-for-higher-mtus.patch +net-wan-framer-pef2256-switch-to-devm_mfd_add_device.patch +net-dsa-microchip-fix-reserved-multicast-address-tab.patch +lan966x-fix-sleeping-in-atomic-context.patch +net-bridge-fix-use-after-free-due-to-mst-port-state-.patch +net-bridge-fix-mst-static-key-usage.patch +selftests-vsock-avoid-false-positives-when-checking-.patch +tracing-fix-memory-leaks-in-create_field_var.patch diff --git a/queue-6.17/tracing-fix-memory-leaks-in-create_field_var.patch b/queue-6.17/tracing-fix-memory-leaks-in-create_field_var.patch new file mode 100644 index 0000000000..96cb59688e --- /dev/null +++ b/queue-6.17/tracing-fix-memory-leaks-in-create_field_var.patch @@ -0,0 +1,53 @@ +From 922a87d3710a979fd4b394806deef6d4ad07eb7c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Nov 2025 12:01:32 +0000 +Subject: tracing: Fix memory leaks in create_field_var() + +From: Zilin Guan + +[ Upstream commit 80f0d631dcc76ee1b7755bfca1d8417d91d71414 ] + +The function create_field_var() allocates memory for 'val' through +create_hist_field() inside parse_atom(), and for 'var' through +create_var(), which in turn allocates var->type and var->var.name +internally. Simply calling kfree() to release these structures will +result in memory leaks. + +Use destroy_hist_field() to properly free 'val', and explicitly release +the memory of var->type and var->var.name before freeing 'var' itself. + +Link: https://patch.msgid.link/20251106120132.3639920-1-zilin@seu.edu.cn +Fixes: 02205a6752f22 ("tracing: Add support for 'field variables'") +Signed-off-by: Zilin Guan +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_events_hist.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c +index 1d536219b6248..6bfaf1210dd24 100644 +--- a/kernel/trace/trace_events_hist.c ++++ b/kernel/trace/trace_events_hist.c +@@ -3272,14 +3272,16 @@ static struct field_var *create_field_var(struct hist_trigger_data *hist_data, + var = create_var(hist_data, file, field_name, val->size, val->type); + if (IS_ERR(var)) { + hist_err(tr, HIST_ERR_VAR_CREATE_FIND_FAIL, errpos(field_name)); +- kfree(val); ++ destroy_hist_field(val, 0); + ret = PTR_ERR(var); + goto err; + } + + field_var = kzalloc(sizeof(struct field_var), GFP_KERNEL); + if (!field_var) { +- kfree(val); ++ destroy_hist_field(val, 0); ++ kfree_const(var->type); ++ kfree(var->var.name); + kfree(var); + ret = -ENOMEM; + goto err; +-- +2.51.0 + diff --git a/queue-6.17/wifi-mac80211_hwsim-limit-destroy_on_close-radio-rem.patch b/queue-6.17/wifi-mac80211_hwsim-limit-destroy_on_close-radio-rem.patch new file mode 100644 index 0000000000..99e32738ef --- /dev/null +++ b/queue-6.17/wifi-mac80211_hwsim-limit-destroy_on_close-radio-rem.patch @@ -0,0 +1,64 @@ +From c8d794e5d5a22abed5bbf655d7bd66828c12369f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Nov 2025 09:24:36 +0100 +Subject: wifi: mac80211_hwsim: Limit destroy_on_close radio removal to + netgroup + +From: Martin Willi + +[ Upstream commit c74619e7602e88a0239cd4999571dd31081e9adf ] + +hwsim radios marked destroy_on_close are removed when the Netlink socket +that created them is closed. As the portid is not unique across network +namespaces, closing a socket in one namespace may remove radios in another +if it has the destroy_on_close flag set. + +Instead of matching the network namespace, match the netgroup of the radio +to limit radio removal to those that have been created by the closing +Netlink socket. The netgroup of a radio identifies the network namespace +it was created in, and matching on it removes a destroy_on_close radio +even if it has been moved to another namespace. + +Fixes: 100cb9ff40e0 ("mac80211_hwsim: Allow managing radios from non-initial namespaces") +Signed-off-by: Martin Willi +Link: https://patch.msgid.link/20251103082436.30483-1-martin@strongswan.org +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/virtual/mac80211_hwsim.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/virtual/mac80211_hwsim.c b/drivers/net/wireless/virtual/mac80211_hwsim.c +index 3789d46d56149..0555a6bb3620e 100644 +--- a/drivers/net/wireless/virtual/mac80211_hwsim.c ++++ b/drivers/net/wireless/virtual/mac80211_hwsim.c +@@ -6453,14 +6453,15 @@ static struct genl_family hwsim_genl_family __ro_after_init = { + .n_mcgrps = ARRAY_SIZE(hwsim_mcgrps), + }; + +-static void remove_user_radios(u32 portid) ++static void remove_user_radios(u32 portid, int netgroup) + { + struct mac80211_hwsim_data *entry, *tmp; + LIST_HEAD(list); + + spin_lock_bh(&hwsim_radio_lock); + list_for_each_entry_safe(entry, tmp, &hwsim_radios, list) { +- if (entry->destroy_on_close && entry->portid == portid) { ++ if (entry->destroy_on_close && entry->portid == portid && ++ entry->netgroup == netgroup) { + list_move(&entry->list, &list); + rhashtable_remove_fast(&hwsim_radios_rht, &entry->rht, + hwsim_rht_params); +@@ -6485,7 +6486,7 @@ static int mac80211_hwsim_netlink_notify(struct notifier_block *nb, + if (state != NETLINK_URELEASE) + return NOTIFY_DONE; + +- remove_user_radios(notify->portid); ++ remove_user_radios(notify->portid, hwsim_net_get_netgroup(notify->net)); + + if (notify->portid == hwsim_net_get_wmediumd(notify->net)) { + printk(KERN_INFO "mac80211_hwsim: wmediumd released netlink" +-- +2.51.0 + diff --git a/queue-6.6/bluetooth-btrtl-fix-memory-leak-in-rtlbt_parse_firmw.patch b/queue-6.6/bluetooth-btrtl-fix-memory-leak-in-rtlbt_parse_firmw.patch new file mode 100644 index 0000000000..bb96eb1215 --- /dev/null +++ b/queue-6.6/bluetooth-btrtl-fix-memory-leak-in-rtlbt_parse_firmw.patch @@ -0,0 +1,39 @@ +From 78941694308d6a3624cfdb502639fe24d85a78dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Oct 2025 23:26:30 +0530 +Subject: Bluetooth: btrtl: Fix memory leak in rtlbt_parse_firmware_v2() + +From: Abdun Nihaal + +[ Upstream commit 1c21cf89a66413eb04b2d22c955b7a50edc14dfa ] + +The memory allocated for ptr using kvmalloc() is not freed on the last +error path. Fix that by freeing it on that error path. + +Fixes: 9a24ce5e29b1 ("Bluetooth: btrtl: Firmware format v2 support") +Signed-off-by: Abdun Nihaal +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btrtl.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/bluetooth/btrtl.c b/drivers/bluetooth/btrtl.c +index 7f67e460f7f49..24dae5440c036 100644 +--- a/drivers/bluetooth/btrtl.c ++++ b/drivers/bluetooth/btrtl.c +@@ -604,8 +604,10 @@ static int rtlbt_parse_firmware_v2(struct hci_dev *hdev, + len += entry->len; + } + +- if (!len) ++ if (!len) { ++ kvfree(ptr); + return -EPERM; ++ } + + *_buf = ptr; + return len; +-- +2.51.0 + diff --git a/queue-6.6/bluetooth-hci_event-validate-skb-length-for-unknown-.patch b/queue-6.6/bluetooth-hci_event-validate-skb-length-for-unknown-.patch new file mode 100644 index 0000000000..9c0676a100 --- /dev/null +++ b/queue-6.6/bluetooth-hci_event-validate-skb-length-for-unknown-.patch @@ -0,0 +1,49 @@ +From c236ca1ee3f3d3b4c94c530463a3d410afb31637 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Oct 2025 12:29:10 -0400 +Subject: Bluetooth: hci_event: validate skb length for unknown CC opcode + +From: Raphael Pinsonneault-Thibeault + +[ Upstream commit 5c5f1f64681cc889d9b13e4a61285e9e029d6ab5 ] + +In hci_cmd_complete_evt(), if the command complete event has an unknown +opcode, we assume the first byte of the remaining skb->data contains the +return status. However, parameter data has previously been pulled in +hci_event_func(), which may leave the skb empty. If so, using skb->data[0] +for the return status uses un-init memory. + +The fix is to check skb->len before using skb->data. + +Reported-by: syzbot+a9a4bedfca6aa9d7fa24@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=a9a4bedfca6aa9d7fa24 +Tested-by: syzbot+a9a4bedfca6aa9d7fa24@syzkaller.appspotmail.com +Fixes: afcb3369f46ed ("Bluetooth: hci_event: Fix vendor (unknown) opcode status handling") +Signed-off-by: Raphael Pinsonneault-Thibeault +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_event.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index 4e70b85647035..4aa445e7f56bc 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -4208,6 +4208,13 @@ static void hci_cmd_complete_evt(struct hci_dev *hdev, void *data, + } + + if (i == ARRAY_SIZE(hci_cc_table)) { ++ if (!skb->len) { ++ bt_dev_err(hdev, "Unexpected cc 0x%4.4x with no status", ++ *opcode); ++ *status = HCI_ERROR_UNSPECIFIED; ++ return; ++ } ++ + /* Unknown opcode, assume byte 0 contains the status, so + * that e.g. __hci_cmd_sync() properly returns errors + * for vendor specific commands send by HCI drivers. +-- +2.51.0 + diff --git a/queue-6.6/bnxt_en-fix-a-possible-memory-leak-in-bnxt_ptp_init.patch b/queue-6.6/bnxt_en-fix-a-possible-memory-leak-in-bnxt_ptp_init.patch new file mode 100644 index 0000000000..3f9b731176 --- /dev/null +++ b/queue-6.6/bnxt_en-fix-a-possible-memory-leak-in-bnxt_ptp_init.patch @@ -0,0 +1,44 @@ +From f2d18384fb1793ff03cece629be41b187e76d03e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Nov 2025 16:56:56 -0800 +Subject: bnxt_en: Fix a possible memory leak in bnxt_ptp_init + +From: Kalesh AP + +[ Upstream commit deb8eb39164382f1f67ef8e8af9176baf5e10f2d ] + +In bnxt_ptp_init(), when ptp_clock_register() fails, the driver is +not freeing the memory allocated for ptp_info->pin_config. Fix it +to unconditionally free ptp_info->pin_config in bnxt_ptp_free(). + +Fixes: caf3eedbcd8d ("bnxt_en: 1PPS support for 5750X family chips") +Reviewed-by: Pavan Chebbi +Reviewed-by: Somnath Kotur +Signed-off-by: Kalesh AP +Signed-off-by: Michael Chan +Link: https://patch.msgid.link/20251104005700.542174-3-michael.chan@broadcom.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c +index bbe8657f6545b..404b433f1bc08 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c +@@ -917,9 +917,9 @@ static void bnxt_ptp_free(struct bnxt *bp) + if (ptp->ptp_clock) { + ptp_clock_unregister(ptp->ptp_clock); + ptp->ptp_clock = NULL; +- kfree(ptp->ptp_info.pin_config); +- ptp->ptp_info.pin_config = NULL; + } ++ kfree(ptp->ptp_info.pin_config); ++ ptp->ptp_info.pin_config = NULL; + } + + int bnxt_ptp_init(struct bnxt *bp) +-- +2.51.0 + diff --git a/queue-6.6/lan966x-fix-sleeping-in-atomic-context.patch b/queue-6.6/lan966x-fix-sleeping-in-atomic-context.patch new file mode 100644 index 0000000000..2d40fca6c6 --- /dev/null +++ b/queue-6.6/lan966x-fix-sleeping-in-atomic-context.patch @@ -0,0 +1,213 @@ +From c6cd72fb3f354240f22057ad026ff6692b472d9c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Nov 2025 08:49:55 +0100 +Subject: lan966x: Fix sleeping in atomic context + +From: Horatiu Vultur + +[ Upstream commit 0216721ce71252f60d89af49c8dff613358058d3 ] + +The following warning was seen when we try to connect using ssh to the device. + +BUG: sleeping function called from invalid context at kernel/locking/mutex.c:575 +in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 104, name: dropbear +preempt_count: 1, expected: 0 +INFO: lockdep is turned off. +CPU: 0 UID: 0 PID: 104 Comm: dropbear Tainted: G W 6.18.0-rc2-00399-g6f1ab1b109b9-dirty #530 NONE +Tainted: [W]=WARN +Hardware name: Generic DT based system +Call trace: + unwind_backtrace from show_stack+0x10/0x14 + show_stack from dump_stack_lvl+0x7c/0xac + dump_stack_lvl from __might_resched+0x16c/0x2b0 + __might_resched from __mutex_lock+0x64/0xd34 + __mutex_lock from mutex_lock_nested+0x1c/0x24 + mutex_lock_nested from lan966x_stats_get+0x5c/0x558 + lan966x_stats_get from dev_get_stats+0x40/0x43c + dev_get_stats from dev_seq_printf_stats+0x3c/0x184 + dev_seq_printf_stats from dev_seq_show+0x10/0x30 + dev_seq_show from seq_read_iter+0x350/0x4ec + seq_read_iter from seq_read+0xfc/0x194 + seq_read from proc_reg_read+0xac/0x100 + proc_reg_read from vfs_read+0xb0/0x2b0 + vfs_read from ksys_read+0x6c/0xec + ksys_read from ret_fast_syscall+0x0/0x1c +Exception stack(0xf0b11fa8 to 0xf0b11ff0) +1fa0: 00000001 00001000 00000008 be9048d8 00001000 00000001 +1fc0: 00000001 00001000 00000008 00000003 be905920 0000001e 00000000 00000001 +1fe0: 0005404c be9048c0 00018684 b6ec2cd8 + +It seems that we are using a mutex in a atomic context which is wrong. +Change the mutex with a spinlock. + +Fixes: 12c2d0a5b8e2 ("net: lan966x: add ethtool configuration and statistics") +Signed-off-by: Horatiu Vultur +Reviewed-by: Jacob Keller +Link: https://patch.msgid.link/20251105074955.1766792-1-horatiu.vultur@microchip.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../microchip/lan966x/lan966x_ethtool.c | 18 +++++++++--------- + .../ethernet/microchip/lan966x/lan966x_main.c | 2 -- + .../ethernet/microchip/lan966x/lan966x_main.h | 4 ++-- + .../microchip/lan966x/lan966x_vcap_impl.c | 8 ++++---- + 4 files changed, 15 insertions(+), 17 deletions(-) + +diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_ethtool.c b/drivers/net/ethernet/microchip/lan966x/lan966x_ethtool.c +index 06811c60d598e..df10a0b68a08e 100644 +--- a/drivers/net/ethernet/microchip/lan966x/lan966x_ethtool.c ++++ b/drivers/net/ethernet/microchip/lan966x/lan966x_ethtool.c +@@ -294,7 +294,7 @@ static void lan966x_stats_update(struct lan966x *lan966x) + { + int i, j; + +- mutex_lock(&lan966x->stats_lock); ++ spin_lock(&lan966x->stats_lock); + + for (i = 0; i < lan966x->num_phys_ports; i++) { + uint idx = i * lan966x->num_stats; +@@ -310,7 +310,7 @@ static void lan966x_stats_update(struct lan966x *lan966x) + } + } + +- mutex_unlock(&lan966x->stats_lock); ++ spin_unlock(&lan966x->stats_lock); + } + + static int lan966x_get_sset_count(struct net_device *dev, int sset) +@@ -365,7 +365,7 @@ static void lan966x_get_eth_mac_stats(struct net_device *dev, + + idx = port->chip_port * lan966x->num_stats; + +- mutex_lock(&lan966x->stats_lock); ++ spin_lock(&lan966x->stats_lock); + + mac_stats->FramesTransmittedOK = + lan966x->stats[idx + SYS_COUNT_TX_UC] + +@@ -424,7 +424,7 @@ static void lan966x_get_eth_mac_stats(struct net_device *dev, + lan966x->stats[idx + SYS_COUNT_RX_LONG] + + lan966x->stats[idx + SYS_COUNT_RX_PMAC_LONG]; + +- mutex_unlock(&lan966x->stats_lock); ++ spin_unlock(&lan966x->stats_lock); + } + + static const struct ethtool_rmon_hist_range lan966x_rmon_ranges[] = { +@@ -450,7 +450,7 @@ static void lan966x_get_eth_rmon_stats(struct net_device *dev, + + idx = port->chip_port * lan966x->num_stats; + +- mutex_lock(&lan966x->stats_lock); ++ spin_lock(&lan966x->stats_lock); + + rmon_stats->undersize_pkts = + lan966x->stats[idx + SYS_COUNT_RX_SHORT] + +@@ -508,7 +508,7 @@ static void lan966x_get_eth_rmon_stats(struct net_device *dev, + lan966x->stats[idx + SYS_COUNT_TX_SZ_1024_1526] + + lan966x->stats[idx + SYS_COUNT_TX_PMAC_SZ_1024_1526]; + +- mutex_unlock(&lan966x->stats_lock); ++ spin_unlock(&lan966x->stats_lock); + + *ranges = lan966x_rmon_ranges; + } +@@ -614,7 +614,7 @@ void lan966x_stats_get(struct net_device *dev, + + idx = port->chip_port * lan966x->num_stats; + +- mutex_lock(&lan966x->stats_lock); ++ spin_lock(&lan966x->stats_lock); + + stats->rx_bytes = lan966x->stats[idx + SYS_COUNT_RX_OCT] + + lan966x->stats[idx + SYS_COUNT_RX_PMAC_OCT]; +@@ -696,7 +696,7 @@ void lan966x_stats_get(struct net_device *dev, + + stats->collisions = lan966x->stats[idx + SYS_COUNT_TX_COL]; + +- mutex_unlock(&lan966x->stats_lock); ++ spin_unlock(&lan966x->stats_lock); + } + + int lan966x_stats_init(struct lan966x *lan966x) +@@ -712,7 +712,7 @@ int lan966x_stats_init(struct lan966x *lan966x) + return -ENOMEM; + + /* Init stats worker */ +- mutex_init(&lan966x->stats_lock); ++ spin_lock_init(&lan966x->stats_lock); + snprintf(queue_name, sizeof(queue_name), "%s-stats", + dev_name(lan966x->dev)); + lan966x->stats_queue = create_singlethread_workqueue(queue_name); +diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_main.c b/drivers/net/ethernet/microchip/lan966x/lan966x_main.c +index b424e75fd40c4..5466f14e000ce 100644 +--- a/drivers/net/ethernet/microchip/lan966x/lan966x_main.c ++++ b/drivers/net/ethernet/microchip/lan966x/lan966x_main.c +@@ -1263,7 +1263,6 @@ static int lan966x_probe(struct platform_device *pdev) + + cancel_delayed_work_sync(&lan966x->stats_work); + destroy_workqueue(lan966x->stats_queue); +- mutex_destroy(&lan966x->stats_lock); + + debugfs_remove_recursive(lan966x->debugfs_root); + +@@ -1281,7 +1280,6 @@ static int lan966x_remove(struct platform_device *pdev) + + cancel_delayed_work_sync(&lan966x->stats_work); + destroy_workqueue(lan966x->stats_queue); +- mutex_destroy(&lan966x->stats_lock); + + lan966x_mac_purge_entries(lan966x); + lan966x_mdb_deinit(lan966x); +diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_main.h b/drivers/net/ethernet/microchip/lan966x/lan966x_main.h +index 5a16d76eb000d..1f5a18b205bf2 100644 +--- a/drivers/net/ethernet/microchip/lan966x/lan966x_main.h ++++ b/drivers/net/ethernet/microchip/lan966x/lan966x_main.h +@@ -347,8 +347,8 @@ struct lan966x { + const struct lan966x_stat_layout *stats_layout; + u32 num_stats; + +- /* workqueue for reading stats */ +- struct mutex stats_lock; ++ /* lock for reading stats */ ++ spinlock_t stats_lock; + u64 *stats; + struct delayed_work stats_work; + struct workqueue_struct *stats_queue; +diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_vcap_impl.c b/drivers/net/ethernet/microchip/lan966x/lan966x_vcap_impl.c +index a4414f63c9b1c..c266f903ea8a6 100644 +--- a/drivers/net/ethernet/microchip/lan966x/lan966x_vcap_impl.c ++++ b/drivers/net/ethernet/microchip/lan966x/lan966x_vcap_impl.c +@@ -403,11 +403,11 @@ static void lan966x_es0_read_esdx_counter(struct lan966x *lan966x, + u32 counter; + + id = id & 0xff; /* counter limit */ +- mutex_lock(&lan966x->stats_lock); ++ spin_lock(&lan966x->stats_lock); + lan_wr(SYS_STAT_CFG_STAT_VIEW_SET(id), lan966x, SYS_STAT_CFG); + counter = lan_rd(lan966x, SYS_CNT(LAN966X_STAT_ESDX_GRN_PKTS)) + + lan_rd(lan966x, SYS_CNT(LAN966X_STAT_ESDX_YEL_PKTS)); +- mutex_unlock(&lan966x->stats_lock); ++ spin_unlock(&lan966x->stats_lock); + if (counter) + admin->cache.counter = counter; + } +@@ -417,14 +417,14 @@ static void lan966x_es0_write_esdx_counter(struct lan966x *lan966x, + { + id = id & 0xff; /* counter limit */ + +- mutex_lock(&lan966x->stats_lock); ++ spin_lock(&lan966x->stats_lock); + lan_wr(SYS_STAT_CFG_STAT_VIEW_SET(id), lan966x, SYS_STAT_CFG); + lan_wr(0, lan966x, SYS_CNT(LAN966X_STAT_ESDX_GRN_BYTES)); + lan_wr(admin->cache.counter, lan966x, + SYS_CNT(LAN966X_STAT_ESDX_GRN_PKTS)); + lan_wr(0, lan966x, SYS_CNT(LAN966X_STAT_ESDX_YEL_BYTES)); + lan_wr(0, lan966x, SYS_CNT(LAN966X_STAT_ESDX_YEL_PKTS)); +- mutex_unlock(&lan966x->stats_lock); ++ spin_unlock(&lan966x->stats_lock); + } + + static void lan966x_vcap_cache_write(struct net_device *dev, +-- +2.51.0 + diff --git a/queue-6.6/net-bridge-fix-mst-static-key-usage.patch b/queue-6.6/net-bridge-fix-mst-static-key-usage.patch new file mode 100644 index 0000000000..d0fdc9166e --- /dev/null +++ b/queue-6.6/net-bridge-fix-mst-static-key-usage.patch @@ -0,0 +1,96 @@ +From a2def11df5b98748280ef32c31dae0c78139e853 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Nov 2025 13:19:19 +0200 +Subject: net: bridge: fix MST static key usage + +From: Nikolay Aleksandrov + +[ Upstream commit ee87c63f9b2a418f698d79c2991347e31a7d2c27 ] + +As Ido pointed out, the static key usage in MST is buggy and should use +inc/dec instead of enable/disable because we can have multiple bridges +with MST enabled which means a single bridge can disable MST for all. +Use static_branch_inc/dec to avoid that. When destroying a bridge decrement +the key if MST was enabled. + +Fixes: ec7328b59176 ("net: bridge: mst: Multiple Spanning Tree (MST) mode") +Reported-by: Ido Schimmel +Closes: https://lore.kernel.org/netdev/20251104120313.1306566-1-razor@blackwall.org/T/#m6888d87658f94ed1725433940f4f4ebb00b5a68b +Signed-off-by: Nikolay Aleksandrov +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20251105111919.1499702-3-razor@blackwall.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/bridge/br_if.c | 1 + + net/bridge/br_mst.c | 10 ++++++++-- + net/bridge/br_private.h | 5 +++++ + 3 files changed, 14 insertions(+), 2 deletions(-) + +diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c +index 2450690f98cfa..6ffc81eedf074 100644 +--- a/net/bridge/br_if.c ++++ b/net/bridge/br_if.c +@@ -386,6 +386,7 @@ void br_dev_delete(struct net_device *dev, struct list_head *head) + del_nbp(p); + } + ++ br_mst_uninit(br); + br_recalculate_neigh_suppress_enabled(br); + + br_fdb_delete_by_port(br, NULL, 0, 1); +diff --git a/net/bridge/br_mst.c b/net/bridge/br_mst.c +index 3f24b4ee49c27..43a300ae6bfaf 100644 +--- a/net/bridge/br_mst.c ++++ b/net/bridge/br_mst.c +@@ -22,6 +22,12 @@ bool br_mst_enabled(const struct net_device *dev) + } + EXPORT_SYMBOL_GPL(br_mst_enabled); + ++void br_mst_uninit(struct net_bridge *br) ++{ ++ if (br_opt_get(br, BROPT_MST_ENABLED)) ++ static_branch_dec(&br_mst_used); ++} ++ + int br_mst_get_info(const struct net_device *dev, u16 msti, unsigned long *vids) + { + const struct net_bridge_vlan_group *vg; +@@ -225,9 +231,9 @@ int br_mst_set_enabled(struct net_bridge *br, bool on, + return err; + + if (on) +- static_branch_enable(&br_mst_used); ++ static_branch_inc(&br_mst_used); + else +- static_branch_disable(&br_mst_used); ++ static_branch_dec(&br_mst_used); + + br_opt_toggle(br, BROPT_MST_ENABLED, on); + return 0; +diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h +index 798960ef2dcd0..c8a4e3b39b0e2 100644 +--- a/net/bridge/br_private.h ++++ b/net/bridge/br_private.h +@@ -1899,6 +1899,7 @@ int br_mst_fill_info(struct sk_buff *skb, + const struct net_bridge_vlan_group *vg); + int br_mst_process(struct net_bridge_port *p, const struct nlattr *mst_attr, + struct netlink_ext_ack *extack); ++void br_mst_uninit(struct net_bridge *br); + #else + static inline bool br_mst_is_enabled(const struct net_bridge_port *p) + { +@@ -1934,6 +1935,10 @@ static inline int br_mst_process(struct net_bridge_port *p, + { + return -EOPNOTSUPP; + } ++ ++static inline void br_mst_uninit(struct net_bridge *br) ++{ ++} + #endif + + struct nf_br_ops { +-- +2.51.0 + diff --git a/queue-6.6/net-bridge-fix-use-after-free-due-to-mst-port-state-.patch b/queue-6.6/net-bridge-fix-use-after-free-due-to-mst-port-state-.patch new file mode 100644 index 0000000000..ea5f3c6898 --- /dev/null +++ b/queue-6.6/net-bridge-fix-use-after-free-due-to-mst-port-state-.patch @@ -0,0 +1,104 @@ +From e5e82bdcb847e02fd5818d698864a49499c3289d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Nov 2025 13:19:18 +0200 +Subject: net: bridge: fix use-after-free due to MST port state bypass + +From: Nikolay Aleksandrov + +[ Upstream commit 8dca36978aa80bab9d4da130c211db75c9e00048 ] + +syzbot reported[1] a use-after-free when deleting an expired fdb. It is +due to a race condition between learning still happening and a port being +deleted, after all its fdbs have been flushed. The port's state has been +toggled to disabled so no learning should happen at that time, but if we +have MST enabled, it will bypass the port's state, that together with VLAN +filtering disabled can lead to fdb learning at a time when it shouldn't +happen while the port is being deleted. VLAN filtering must be disabled +because we flush the port VLANs when it's being deleted which will stop +learning. This fix adds a check for the port's vlan group which is +initialized to NULL when the port is getting deleted, that avoids the port +state bypass. When MST is enabled there would be a minimal new overhead +in the fast-path because the port's vlan group pointer is cache-hot. + +[1] https://syzkaller.appspot.com/bug?extid=dd280197f0f7ab3917be + +Fixes: ec7328b59176 ("net: bridge: mst: Multiple Spanning Tree (MST) mode") +Reported-by: syzbot+dd280197f0f7ab3917be@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/69088ffa.050a0220.29fc44.003d.GAE@google.com/ +Signed-off-by: Nikolay Aleksandrov +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20251105111919.1499702-2-razor@blackwall.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/bridge/br_forward.c | 2 +- + net/bridge/br_input.c | 4 ++-- + net/bridge/br_private.h | 8 +++++--- + 3 files changed, 8 insertions(+), 6 deletions(-) + +diff --git a/net/bridge/br_forward.c b/net/bridge/br_forward.c +index 49dd8cd526f46..e9f09cdb9848e 100644 +--- a/net/bridge/br_forward.c ++++ b/net/bridge/br_forward.c +@@ -25,7 +25,7 @@ static inline int should_deliver(const struct net_bridge_port *p, + + vg = nbp_vlan_group_rcu(p); + return ((p->flags & BR_HAIRPIN_MODE) || skb->dev != p->dev) && +- (br_mst_is_enabled(p->br) || p->state == BR_STATE_FORWARDING) && ++ (br_mst_is_enabled(p) || p->state == BR_STATE_FORWARDING) && + br_allowed_egress(vg, skb) && nbp_switchdev_allowed_egress(p, skb) && + !br_skb_isolated(p, skb); + } +diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c +index e09000e38d071..951330c1a813b 100644 +--- a/net/bridge/br_input.c ++++ b/net/bridge/br_input.c +@@ -93,7 +93,7 @@ int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb + + br = p->br; + +- if (br_mst_is_enabled(br)) { ++ if (br_mst_is_enabled(p)) { + state = BR_STATE_FORWARDING; + } else { + if (p->state == BR_STATE_DISABLED) +@@ -411,7 +411,7 @@ static rx_handler_result_t br_handle_frame(struct sk_buff **pskb) + return RX_HANDLER_PASS; + + forward: +- if (br_mst_is_enabled(p->br)) ++ if (br_mst_is_enabled(p)) + goto defer_stp_filtering; + + switch (p->state) { +diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h +index ef98ec4c3f51d..798960ef2dcd0 100644 +--- a/net/bridge/br_private.h ++++ b/net/bridge/br_private.h +@@ -1880,10 +1880,12 @@ static inline bool br_vlan_state_allowed(u8 state, bool learn_allow) + /* br_mst.c */ + #ifdef CONFIG_BRIDGE_VLAN_FILTERING + DECLARE_STATIC_KEY_FALSE(br_mst_used); +-static inline bool br_mst_is_enabled(struct net_bridge *br) ++static inline bool br_mst_is_enabled(const struct net_bridge_port *p) + { ++ /* check the port's vlan group to avoid racing with port deletion */ + return static_branch_unlikely(&br_mst_used) && +- br_opt_get(br, BROPT_MST_ENABLED); ++ br_opt_get(p->br, BROPT_MST_ENABLED) && ++ rcu_access_pointer(p->vlgrp); + } + + int br_mst_set_state(struct net_bridge_port *p, u16 msti, u8 state, +@@ -1898,7 +1900,7 @@ int br_mst_fill_info(struct sk_buff *skb, + int br_mst_process(struct net_bridge_port *p, const struct nlattr *mst_attr, + struct netlink_ext_ack *extack); + #else +-static inline bool br_mst_is_enabled(struct net_bridge *br) ++static inline bool br_mst_is_enabled(const struct net_bridge_port *p) + { + return false; + } +-- +2.51.0 + diff --git a/queue-6.6/net-dsa-b53-fix-enabling-ip-multicast.patch b/queue-6.6/net-dsa-b53-fix-enabling-ip-multicast.patch new file mode 100644 index 0000000000..8b8807df7f --- /dev/null +++ b/queue-6.6/net-dsa-b53-fix-enabling-ip-multicast.patch @@ -0,0 +1,75 @@ +From b691337f31a13743c22b53675ed9f31493a21fdd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Nov 2025 11:07:56 +0100 +Subject: net: dsa: b53: fix enabling ip multicast + +From: Jonas Gorski + +[ Upstream commit c264294624e956a967a9e2e5fa41e3273340b089 ] + +In the New Control register bit 1 is either reserved, or has a different +function: + + Out of Range Error Discard + + When enabled, the ingress port discards any frames + if the Length field is between 1500 and 1536 + (excluding 1500 and 1536) and with good CRC. + +The actual bit for enabling IP multicast is bit 0, which was only +explicitly enabled for BCM5325 so far. + +For older switch chips, this bit defaults to 0, so we want to enable it +as well, while newer switch chips default to 1, and their documentation +says "It is illegal to set this bit to zero." + +So drop the wrong B53_IPMC_FWD_EN define, enable the IP multicast bit +also for other switch chips. While at it, rename it to (B53_)IP_MC as +that is how it is called in Broadcom code. + +Fixes: 63cc54a6f073 ("net: dsa: b53: Fix egress flooding settings") +Signed-off-by: Jonas Gorski +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20251102100758.28352-2-jonas.gorski@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 4 ++-- + drivers/net/dsa/b53/b53_regs.h | 3 +-- + 2 files changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index 4e850e5f7d220..3c5bf65aca6a2 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -349,11 +349,11 @@ static void b53_set_forwarding(struct b53_device *dev, int enable) + * frames should be flooded or not. + */ + b53_read8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, &mgmt); +- mgmt |= B53_UC_FWD_EN | B53_MC_FWD_EN | B53_IPMC_FWD_EN; ++ mgmt |= B53_UC_FWD_EN | B53_MC_FWD_EN | B53_IP_MC; + b53_write8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, mgmt); + } else { + b53_read8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, &mgmt); +- mgmt |= B53_IP_MCAST_25; ++ mgmt |= B53_IP_MC; + b53_write8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, mgmt); + } + } +diff --git a/drivers/net/dsa/b53/b53_regs.h b/drivers/net/dsa/b53/b53_regs.h +index 3179fe58de6b6..38e2d60dab7d5 100644 +--- a/drivers/net/dsa/b53/b53_regs.h ++++ b/drivers/net/dsa/b53/b53_regs.h +@@ -104,8 +104,7 @@ + + /* IP Multicast control (8 bit) */ + #define B53_IP_MULTICAST_CTRL 0x21 +-#define B53_IP_MCAST_25 BIT(0) +-#define B53_IPMC_FWD_EN BIT(1) ++#define B53_IP_MC BIT(0) + #define B53_UC_FWD_EN BIT(6) + #define B53_MC_FWD_EN BIT(7) + +-- +2.51.0 + diff --git a/queue-6.6/net-dsa-b53-fix-resetting-speed-and-pause-on-forced-.patch b/queue-6.6/net-dsa-b53-fix-resetting-speed-and-pause-on-forced-.patch new file mode 100644 index 0000000000..3c705c4ace --- /dev/null +++ b/queue-6.6/net-dsa-b53-fix-resetting-speed-and-pause-on-forced-.patch @@ -0,0 +1,64 @@ +From 12016cb3a436584fd9745e5594f4075aaacae88f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Nov 2025 14:28:06 +0100 +Subject: net: dsa: b53: fix resetting speed and pause on forced link + +From: Jonas Gorski + +[ Upstream commit b6a8a5477fe9bd6be2b594a88f82f8bba41e6d54 ] + +There is no guarantee that the port state override registers have their +default values, as not all switches support being reset via register or +have a reset GPIO. + +So when forcing port config, we need to make sure to clear all fields, +which we currently do not do for the speed and flow control +configuration. This can cause flow control stay enabled, or in the case +of speed becoming an illegal value, e.g. configured for 1G (0x2), then +setting 100M (0x1), results in 0x3 which is invalid. + +For PORT_OVERRIDE_SPEED_2000M we need to make sure to only clear it on +supported chips, as the bit can have different meanings on other chips, +e.g. for BCM5389 this controls scanning PHYs for link/speed +configuration. + +Fixes: 5e004460f874 ("net: dsa: b53: Add helper to set link parameters") +Signed-off-by: Jonas Gorski +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20251101132807.50419-2-jonas.gorski@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index b00bac4686773..4e850e5f7d220 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -1215,6 +1215,10 @@ static void b53_force_port_config(struct b53_device *dev, int port, + else + reg &= ~PORT_OVERRIDE_FULL_DUPLEX; + ++ reg &= ~(0x3 << GMII_PO_SPEED_S); ++ if (is5301x(dev) || is58xx(dev)) ++ reg &= ~PORT_OVERRIDE_SPEED_2000M; ++ + switch (speed) { + case 2000: + reg |= PORT_OVERRIDE_SPEED_2000M; +@@ -1233,6 +1237,11 @@ static void b53_force_port_config(struct b53_device *dev, int port, + return; + } + ++ if (is5325(dev)) ++ reg &= ~PORT_OVERRIDE_LP_FLOW_25; ++ else ++ reg &= ~(PORT_OVERRIDE_RX_FLOW | PORT_OVERRIDE_TX_FLOW); ++ + if (rx_pause) { + if (is5325(dev)) + reg |= PORT_OVERRIDE_LP_FLOW_25; +-- +2.51.0 + diff --git a/queue-6.6/net-dsa-b53-stop-reading-arl-entries-if-search-is-do.patch b/queue-6.6/net-dsa-b53-stop-reading-arl-entries-if-search-is-do.patch new file mode 100644 index 0000000000..959145f61f --- /dev/null +++ b/queue-6.6/net-dsa-b53-stop-reading-arl-entries-if-search-is-do.patch @@ -0,0 +1,51 @@ +From 5d74af7233011fdcd9d55d6abc709d58d05a0ef0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Nov 2025 11:07:57 +0100 +Subject: net: dsa: b53: stop reading ARL entries if search is done + +From: Jonas Gorski + +[ Upstream commit 0be04b5fa62a82a9929ca261f6c9f64a3d0a28da ] + +The switch clears the ARL_SRCH_STDN bit when the search is done, i.e. it +finished traversing the ARL table. + +This means that there will be no valid result, so we should not attempt +to read and process any further entries. + +We only ever check the validity of the entries for 4 ARL bin chips, and +only after having passed the first entry to the b53_fdb_copy(). + +This means that we always pass an invalid entry at the end to the +b53_fdb_copy(). b53_fdb_copy() does check the validity though before +passing on the entry, so it never gets passed on. + +On < 4 ARL bin chips, we will even continue reading invalid entries +until we reach the result limit. + +Fixes: 1da6df85c6fb ("net: dsa: b53: Implement ARL add/del/dump operations") +Signed-off-by: Jonas Gorski +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20251102100758.28352-3-jonas.gorski@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index 3c5bf65aca6a2..ffe8db7c2f1f4 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -1816,7 +1816,7 @@ static int b53_arl_search_wait(struct b53_device *dev) + do { + b53_read8(dev, B53_ARLIO_PAGE, B53_ARL_SRCH_CTL, ®); + if (!(reg & ARL_SRCH_STDN)) +- return 0; ++ return -ENOENT; + + if (reg & ARL_SRCH_VLID) + return 0; +-- +2.51.0 + diff --git a/queue-6.6/net-dsa-microchip-fix-reserved-multicast-address-tab.patch b/queue-6.6/net-dsa-microchip-fix-reserved-multicast-address-tab.patch new file mode 100644 index 0000000000..6736a9cd78 --- /dev/null +++ b/queue-6.6/net-dsa-microchip-fix-reserved-multicast-address-tab.patch @@ -0,0 +1,218 @@ +From a98ad8327ab1788e46ead142e1a9f8a0b78c56a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Nov 2025 19:37:41 -0800 +Subject: net: dsa: microchip: Fix reserved multicast address table programming +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tristram Ha + +[ Upstream commit 96baf482ca1f69f0da9d10a5bd8422c87ea9039e ] + +KSZ9477/KSZ9897 and LAN937X families of switches use a reserved multicast +address table for some specific forwarding with some multicast addresses, +like the one used in STP. The hardware assumes the host port is the last +port in KSZ9897 family and port 5 in LAN937X family. Most of the time +this assumption is correct but not in other cases like KSZ9477. +Originally the function just setups the first entry, but the others still +need update, especially for one common multicast address that is used by +PTP operation. + +LAN937x also uses different register bits when accessing the reserved +table. + +Fixes: 457c182af597 ("net: dsa: microchip: generic access to ksz9477 static and reserved table") +Signed-off-by: Tristram Ha +Tested-by: Łukasz Majewski +Link: https://patch.msgid.link/20251105033741.6455-1-Tristram.Ha@microchip.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/microchip/ksz9477.c | 98 +++++++++++++++++++++---- + drivers/net/dsa/microchip/ksz9477_reg.h | 3 +- + drivers/net/dsa/microchip/ksz_common.c | 4 + + drivers/net/dsa/microchip/ksz_common.h | 2 + + 4 files changed, 91 insertions(+), 16 deletions(-) + +diff --git a/drivers/net/dsa/microchip/ksz9477.c b/drivers/net/dsa/microchip/ksz9477.c +index 59134d117846d..a11f2c1aabaca 100644 +--- a/drivers/net/dsa/microchip/ksz9477.c ++++ b/drivers/net/dsa/microchip/ksz9477.c +@@ -1087,9 +1087,15 @@ void ksz9477_config_cpu_port(struct dsa_switch *ds) + } + } + ++#define RESV_MCAST_CNT 8 ++ ++static u8 reserved_mcast_map[RESV_MCAST_CNT] = { 0, 1, 3, 16, 32, 33, 2, 17 }; ++ + int ksz9477_enable_stp_addr(struct ksz_device *dev) + { ++ u8 i, ports, update; + const u32 *masks; ++ bool override; + u32 data; + int ret; + +@@ -1098,23 +1104,87 @@ int ksz9477_enable_stp_addr(struct ksz_device *dev) + /* Enable Reserved multicast table */ + ksz_cfg(dev, REG_SW_LUE_CTRL_0, SW_RESV_MCAST_ENABLE, true); + +- /* Set the Override bit for forwarding BPDU packet to CPU */ +- ret = ksz_write32(dev, REG_SW_ALU_VAL_B, +- ALU_V_OVERRIDE | BIT(dev->cpu_port)); +- if (ret < 0) +- return ret; ++ /* The reserved multicast address table has 8 entries. Each entry has ++ * a default value of which port to forward. It is assumed the host ++ * port is the last port in most of the switches, but that is not the ++ * case for KSZ9477 or maybe KSZ9897. For LAN937X family the default ++ * port is port 5, the first RGMII port. It is okay for LAN9370, a ++ * 5-port switch, but may not be correct for the other 8-port ++ * versions. It is necessary to update the whole table to forward to ++ * the right ports. ++ * Furthermore PTP messages can use a reserved multicast address and ++ * the host will not receive them if this table is not correct. ++ */ ++ for (i = 0; i < RESV_MCAST_CNT; i++) { ++ data = reserved_mcast_map[i] << ++ dev->info->shifts[ALU_STAT_INDEX]; ++ data |= ALU_STAT_START | ++ masks[ALU_STAT_DIRECT] | ++ masks[ALU_RESV_MCAST_ADDR] | ++ masks[ALU_STAT_READ]; ++ ret = ksz_write32(dev, REG_SW_ALU_STAT_CTRL__4, data); ++ if (ret < 0) ++ return ret; + +- data = ALU_STAT_START | ALU_RESV_MCAST_ADDR | masks[ALU_STAT_WRITE]; ++ /* wait to be finished */ ++ ret = ksz9477_wait_alu_sta_ready(dev); ++ if (ret < 0) ++ return ret; + +- ret = ksz_write32(dev, REG_SW_ALU_STAT_CTRL__4, data); +- if (ret < 0) +- return ret; ++ ret = ksz_read32(dev, REG_SW_ALU_VAL_B, &data); ++ if (ret < 0) ++ return ret; + +- /* wait to be finished */ +- ret = ksz9477_wait_alu_sta_ready(dev); +- if (ret < 0) { +- dev_err(dev->dev, "Failed to update Reserved Multicast table\n"); +- return ret; ++ override = false; ++ ports = data & dev->port_mask; ++ switch (i) { ++ case 0: ++ case 6: ++ /* Change the host port. */ ++ update = BIT(dev->cpu_port); ++ override = true; ++ break; ++ case 2: ++ /* Change the host port. */ ++ update = BIT(dev->cpu_port); ++ break; ++ case 4: ++ case 5: ++ case 7: ++ /* Skip the host port. */ ++ update = dev->port_mask & ~BIT(dev->cpu_port); ++ break; ++ default: ++ update = ports; ++ break; ++ } ++ if (update != ports || override) { ++ data &= ~dev->port_mask; ++ data |= update; ++ /* Set Override bit to receive frame even when port is ++ * closed. ++ */ ++ if (override) ++ data |= ALU_V_OVERRIDE; ++ ret = ksz_write32(dev, REG_SW_ALU_VAL_B, data); ++ if (ret < 0) ++ return ret; ++ ++ data = reserved_mcast_map[i] << ++ dev->info->shifts[ALU_STAT_INDEX]; ++ data |= ALU_STAT_START | ++ masks[ALU_STAT_DIRECT] | ++ masks[ALU_RESV_MCAST_ADDR] | ++ masks[ALU_STAT_WRITE]; ++ ret = ksz_write32(dev, REG_SW_ALU_STAT_CTRL__4, data); ++ if (ret < 0) ++ return ret; ++ ++ /* wait to be finished */ ++ ret = ksz9477_wait_alu_sta_ready(dev); ++ if (ret < 0) ++ return ret; ++ } + } + + return 0; +diff --git a/drivers/net/dsa/microchip/ksz9477_reg.h b/drivers/net/dsa/microchip/ksz9477_reg.h +index d0886ed984c57..c3ad8ce707f85 100644 +--- a/drivers/net/dsa/microchip/ksz9477_reg.h ++++ b/drivers/net/dsa/microchip/ksz9477_reg.h +@@ -2,7 +2,7 @@ + /* + * Microchip KSZ9477 register definitions + * +- * Copyright (C) 2017-2024 Microchip Technology Inc. ++ * Copyright (C) 2017-2025 Microchip Technology Inc. + */ + + #ifndef __KSZ9477_REGS_H +@@ -422,7 +422,6 @@ + + #define ALU_RESV_MCAST_INDEX_M (BIT(6) - 1) + #define ALU_STAT_START BIT(7) +-#define ALU_RESV_MCAST_ADDR BIT(1) + + #define REG_SW_ALU_VAL_A 0x0420 + +diff --git a/drivers/net/dsa/microchip/ksz_common.c b/drivers/net/dsa/microchip/ksz_common.c +index 997c225dfba4d..cff83a8fb7d28 100644 +--- a/drivers/net/dsa/microchip/ksz_common.c ++++ b/drivers/net/dsa/microchip/ksz_common.c +@@ -437,6 +437,8 @@ static const u16 ksz9477_regs[] = { + static const u32 ksz9477_masks[] = { + [ALU_STAT_WRITE] = 0, + [ALU_STAT_READ] = 1, ++ [ALU_STAT_DIRECT] = 0, ++ [ALU_RESV_MCAST_ADDR] = BIT(1), + [P_MII_TX_FLOW_CTRL] = BIT(5), + [P_MII_RX_FLOW_CTRL] = BIT(3), + }; +@@ -464,6 +466,8 @@ static const u8 ksz9477_xmii_ctrl1[] = { + static const u32 lan937x_masks[] = { + [ALU_STAT_WRITE] = 1, + [ALU_STAT_READ] = 2, ++ [ALU_STAT_DIRECT] = BIT(3), ++ [ALU_RESV_MCAST_ADDR] = BIT(2), + [P_MII_TX_FLOW_CTRL] = BIT(5), + [P_MII_RX_FLOW_CTRL] = BIT(3), + }; +diff --git a/drivers/net/dsa/microchip/ksz_common.h b/drivers/net/dsa/microchip/ksz_common.h +index a4de58847deab..0e51f2277381d 100644 +--- a/drivers/net/dsa/microchip/ksz_common.h ++++ b/drivers/net/dsa/microchip/ksz_common.h +@@ -255,6 +255,8 @@ enum ksz_masks { + DYNAMIC_MAC_TABLE_TIMESTAMP, + ALU_STAT_WRITE, + ALU_STAT_READ, ++ ALU_STAT_DIRECT, ++ ALU_RESV_MCAST_ADDR, + P_MII_TX_FLOW_CTRL, + P_MII_RX_FLOW_CTRL, + }; +-- +2.51.0 + diff --git a/queue-6.6/net-dsa-tag_brcm-legacy-fix-untagged-rx-on-unbridged.patch b/queue-6.6/net-dsa-tag_brcm-legacy-fix-untagged-rx-on-unbridged.patch new file mode 100644 index 0000000000..70ce998510 --- /dev/null +++ b/queue-6.6/net-dsa-tag_brcm-legacy-fix-untagged-rx-on-unbridged.patch @@ -0,0 +1,77 @@ +From f0ebfee503a6e451d600c3abc8d30fa2d4c35bcb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Oct 2025 20:46:21 +0100 +Subject: net: dsa: tag_brcm: legacy: fix untagged rx on unbridged ports for + bcm63xx + +From: Jonas Gorski + +[ Upstream commit 3d18a84eddde169d6dbf3c72cc5358b988c347d0 ] + +The internal switch on BCM63XX SoCs will unconditionally add 802.1Q VLAN +tags on egress to CPU when 802.1Q mode is enabled. We do this +unconditionally since commit ed409f3bbaa5 ("net: dsa: b53: Configure +VLANs while not filtering"). + +This is fine for VLAN aware bridges, but for standalone ports and vlan +unaware bridges this means all packets are tagged with the default VID, +which is 0. + +While the kernel will treat that like untagged, this can break userspace +applications processing raw packets, expecting untagged traffic, like +STP daemons. + +This also breaks several bridge tests, where the tcpdump output then +does not match the expected output anymore. + +Since 0 isn't a valid VID, just strip out the VLAN tag if we encounter +it, unless the priority field is set, since that would be a valid tag +again. + +Fixes: 964dbf186eaa ("net: dsa: tag_brcm: add support for legacy tags") +Signed-off-by: Jonas Gorski +Reviewed-by: Vladimir Oltean +Link: https://patch.msgid.link/20251027194621.133301-1-jonas.gorski@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/dsa/tag_brcm.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/net/dsa/tag_brcm.c b/net/dsa/tag_brcm.c +index 146c1dbd15a93..385581cf3b7ba 100644 +--- a/net/dsa/tag_brcm.c ++++ b/net/dsa/tag_brcm.c +@@ -255,12 +255,14 @@ static struct sk_buff *brcm_leg_tag_rcv(struct sk_buff *skb, + { + int len = BRCM_LEG_TAG_LEN; + int source_port; ++ __be16 *proto; + u8 *brcm_tag; + + if (unlikely(!pskb_may_pull(skb, BRCM_LEG_TAG_LEN + VLAN_HLEN))) + return NULL; + + brcm_tag = dsa_etype_header_pos_rx(skb); ++ proto = (__be16 *)(brcm_tag + BRCM_LEG_TAG_LEN); + + source_port = brcm_tag[5] & BRCM_LEG_PORT_ID; + +@@ -268,8 +270,12 @@ static struct sk_buff *brcm_leg_tag_rcv(struct sk_buff *skb, + if (!skb->dev) + return NULL; + +- /* VLAN tag is added by BCM63xx internal switch */ +- if (netdev_uses_dsa(skb->dev)) ++ /* The internal switch in BCM63XX SoCs always tags on egress on the CPU ++ * port. We use VID 0 internally for untagged traffic, so strip the tag ++ * if the TCI field is all 0, and keep it otherwise to also retain ++ * e.g. 802.1p tagged packets. ++ */ ++ if (proto[0] == htons(ETH_P_8021Q) && proto[1] == 0) + len += VLAN_HLEN; + + /* Remove Broadcom tag and update checksum */ +-- +2.51.0 + diff --git a/queue-6.6/net-mlx5e-fix-return-value-in-case-of-module-eeprom-.patch b/queue-6.6/net-mlx5e-fix-return-value-in-case-of-module-eeprom-.patch new file mode 100644 index 0000000000..a51aa7340b --- /dev/null +++ b/queue-6.6/net-mlx5e-fix-return-value-in-case-of-module-eeprom-.patch @@ -0,0 +1,74 @@ +From fb3a6be6388f7993d948becceec54be9dad548aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Nov 2025 16:15:36 +0200 +Subject: net/mlx5e: Fix return value in case of module EEPROM read error + +From: Gal Pressman + +[ Upstream commit d1c94bc5b90c21b65469d30d4a6bc8ed715c1bfe ] + +mlx5e_get_module_eeprom_by_page() has weird error handling. + +First, it is treating -EINVAL as a special case, but it is unclear why. + +Second, it tries to fail "gracefully" by returning the number of bytes +read even in case of an error. This results in wrongly returning +success (0 return value) if the error occurs before any bytes were +read. + +Simplify the error handling by returning an error when such occurs. This +also aligns with the error handling we have in mlx5e_get_module_eeprom() +for the old API. + +This fixes the following case where the query fails, but userspace +ethtool wrongly treats it as success and dumps an output: + + # ethtool -m eth2 + netlink warning: mlx5_core: Query module eeprom by page failed, read 0 bytes, err -5 + netlink warning: mlx5_core: Query module eeprom by page failed, read 0 bytes, err -5 + Offset Values + ------ ------ + 0x0000: 00 00 00 00 05 00 04 00 00 00 00 00 05 00 05 00 + 0x0010: 00 00 00 00 05 00 06 00 50 00 00 00 67 65 20 66 + 0x0020: 61 69 6c 65 64 2c 20 72 65 61 64 20 30 20 62 79 + 0x0030: 74 65 73 2c 20 65 72 72 20 2d 35 00 14 00 03 00 + 0x0040: 08 00 01 00 03 00 00 00 08 00 02 00 1a 00 00 00 + 0x0050: 14 00 04 00 08 00 01 00 04 00 00 00 08 00 02 00 + 0x0060: 0e 00 00 00 14 00 05 00 08 00 01 00 05 00 00 00 + 0x0070: 08 00 02 00 1a 00 00 00 14 00 06 00 08 00 01 00 + +Fixes: e109d2b204da ("net/mlx5: Implement get_module_eeprom_by_page()") +Signed-off-by: Gal Pressman +Reviewed-by: Alex Lazar +Signed-off-by: Tariq Toukan +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/1762265736-1028868-1-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +index b189220f8a877..ccd2ebfd26737 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +@@ -1839,14 +1839,12 @@ static int mlx5e_get_module_eeprom_by_page(struct net_device *netdev, + if (!size_read) + return i; + +- if (size_read == -EINVAL) +- return -EINVAL; + if (size_read < 0) { + NL_SET_ERR_MSG_FMT_MOD( + extack, + "Query module eeprom by page failed, read %u bytes, err %d\n", + i, size_read); +- return i; ++ return size_read; + } + + i += size_read; +-- +2.51.0 + diff --git a/queue-6.6/net-mlx5e-shampo-fix-skb-size-check-for-64k-pages.patch b/queue-6.6/net-mlx5e-shampo-fix-skb-size-check-for-64k-pages.patch new file mode 100644 index 0000000000..0a2969ae5e --- /dev/null +++ b/queue-6.6/net-mlx5e-shampo-fix-skb-size-check-for-64k-pages.patch @@ -0,0 +1,56 @@ +From 7bd5f7ff465296c99e95ed4426d180db5156fd23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Nov 2025 08:48:34 +0200 +Subject: net/mlx5e: SHAMPO, Fix skb size check for 64K pages + +From: Dragos Tatulea + +[ Upstream commit bacd8d80181ebe34b599a39aa26bf73a44c91e55 ] + +mlx5e_hw_gro_skb_has_enough_space() uses a formula to check if there is +enough space in the skb frags to store more data. This formula is +incorrect for 64K page sizes and it triggers early GRO session +termination because the first fragment will blow up beyond +GRO_LEGACY_MAX_SIZE. + +This patch adds a special case for page sizes >= GRO_LEGACY_MAX_SIZE +(64K) which uses the skb->len instead. Within this context, +the check is safe from fragment overflow because the hardware +will continuously fill the data up to the reservation size of 64K +and the driver will coalesce all data from the same page to the same +fragment. This means that the data will span one fragment or at most +two for such a large page size. + +It is expected that the if statement will be optimized out as the +check is done with constants. + +Fixes: 92552d3abd32 ("net/mlx5e: HW_GRO cqe handler implementation") +Signed-off-by: Dragos Tatulea +Signed-off-by: Tariq Toukan +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/1762238915-1027590-3-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c +index fcf7437174e18..1d586451900b8 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c +@@ -2321,7 +2321,10 @@ mlx5e_hw_gro_skb_has_enough_space(struct sk_buff *skb, u16 data_bcnt) + { + int nr_frags = skb_shinfo(skb)->nr_frags; + +- return PAGE_SIZE * nr_frags + data_bcnt <= GRO_LEGACY_MAX_SIZE; ++ if (PAGE_SIZE >= GRO_LEGACY_MAX_SIZE) ++ return skb->len + data_bcnt <= GRO_LEGACY_MAX_SIZE; ++ else ++ return PAGE_SIZE * nr_frags + data_bcnt <= GRO_LEGACY_MAX_SIZE; + } + + static void +-- +2.51.0 + diff --git a/queue-6.6/net-mlx5e-use-extack-in-get-module-eeprom-by-page-ca.patch b/queue-6.6/net-mlx5e-use-extack-in-get-module-eeprom-by-page-ca.patch new file mode 100644 index 0000000000..1f317ccd72 --- /dev/null +++ b/queue-6.6/net-mlx5e-use-extack-in-get-module-eeprom-by-page-ca.patch @@ -0,0 +1,44 @@ +From 5ad1abb5383fd69acf1a8d9f5fc71719c8eb8e2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Aug 2024 08:59:25 +0300 +Subject: net/mlx5e: Use extack in get module eeprom by page callback + +From: Gal Pressman + +[ Upstream commit b5100b72da688282558b28255c03a2d72241a729 ] + +In case of errors in get module eeprom by page, reflect it through +extack instead of a dmesg print. +While at it, make the messages more human friendly. + +Signed-off-by: Gal Pressman +Reviewed-by: Cosmin Ratiu +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/20240808055927.2059700-10-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: d1c94bc5b90c ("net/mlx5e: Fix return value in case of module EEPROM read error") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +index 54379297a7489..b189220f8a877 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +@@ -1842,8 +1842,10 @@ static int mlx5e_get_module_eeprom_by_page(struct net_device *netdev, + if (size_read == -EINVAL) + return -EINVAL; + if (size_read < 0) { +- netdev_err(priv->netdev, "%s: mlx5_query_module_eeprom_by_page failed:0x%x\n", +- __func__, size_read); ++ NL_SET_ERR_MSG_FMT_MOD( ++ extack, ++ "Query module eeprom by page failed, read %u bytes, err %d\n", ++ i, size_read); + return i; + } + +-- +2.51.0 + diff --git a/queue-6.6/net-usb-qmi_wwan-initialize-mac-header-offset-in-qmi.patch b/queue-6.6/net-usb-qmi_wwan-initialize-mac-header-offset-in-qmi.patch new file mode 100644 index 0000000000..68d2f73117 --- /dev/null +++ b/queue-6.6/net-usb-qmi_wwan-initialize-mac-header-offset-in-qmi.patch @@ -0,0 +1,70 @@ +From 024ab735c906e62fd57ef5f3e318f6f284ea250f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Oct 2025 08:57:44 +0100 +Subject: net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup + +From: Qendrim Maxhuni + +[ Upstream commit e120f46768d98151ece8756ebd688b0e43dc8b29 ] + +Raw IP packets have no MAC header, leaving skb->mac_header uninitialized. +This can trigger kernel panics on ARM64 when xfrm or other subsystems +access the offset due to strict alignment checks. + +Initialize the MAC header to prevent such crashes. + +This can trigger kernel panics on ARM when running IPsec over the +qmimux0 interface. + +Example trace: + + Internal error: Oops: 000000009600004f [#1] SMP + CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.34-gbe78e49cb433 #1 + Hardware name: LS1028A RDB Board (DT) + pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : xfrm_input+0xde8/0x1318 + lr : xfrm_input+0x61c/0x1318 + sp : ffff800080003b20 + Call trace: + xfrm_input+0xde8/0x1318 + xfrm6_rcv+0x38/0x44 + xfrm6_esp_rcv+0x48/0xa8 + ip6_protocol_deliver_rcu+0x94/0x4b0 + ip6_input_finish+0x44/0x70 + ip6_input+0x44/0xc0 + ipv6_rcv+0x6c/0x114 + __netif_receive_skb_one_core+0x5c/0x8c + __netif_receive_skb+0x18/0x60 + process_backlog+0x78/0x17c + __napi_poll+0x38/0x180 + net_rx_action+0x168/0x2f0 + +Fixes: c6adf77953bc ("net: usb: qmi_wwan: add qmap mux protocol support") +Signed-off-by: Qendrim Maxhuni +Link: https://patch.msgid.link/20251029075744.105113-1-qendrim.maxhuni@garderos.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/qmi_wwan.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index eba755b584a45..73df808978b20 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -192,6 +192,12 @@ static int qmimux_rx_fixup(struct usbnet *dev, struct sk_buff *skb) + if (!skbn) + return 0; + ++ /* Raw IP packets don't have a MAC header, but other subsystems ++ * (like xfrm) may still access MAC header offsets, so they must ++ * be initialized. ++ */ ++ skb_reset_mac_header(skbn); ++ + switch (skb->data[offset + qmimux_hdr_sz] & 0xf0) { + case 0x40: + skbn->protocol = htons(ETH_P_IP); +-- +2.51.0 + diff --git a/queue-6.6/net-vlan-sync-vlan-features-with-lower-device.patch b/queue-6.6/net-vlan-sync-vlan-features-with-lower-device.patch new file mode 100644 index 0000000000..067621af1d --- /dev/null +++ b/queue-6.6/net-vlan-sync-vlan-features-with-lower-device.patch @@ -0,0 +1,44 @@ +From 639878541d0096e52997dd86053dfb728679b503 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Oct 2025 07:35:39 +0000 +Subject: net: vlan: sync VLAN features with lower device + +From: Hangbin Liu + +[ Upstream commit c211f5d7cbd5cb34489d526648bb9c8ecc907dee ] + +After registering a VLAN device and setting its feature flags, we need to +synchronize the VLAN features with the lower device. For example, the VLAN +device does not have the NETIF_F_LRO flag, it should be synchronized with +the lower device based on the NETIF_F_UPPER_DISABLES definition. + +As the dev->vlan_features has changed, we need to call +netdev_update_features(). The caller must run after netdev_upper_dev_link() +links the lower devices, so this patch adds the netdev_update_features() +call in register_vlan_dev(). + +Fixes: fd867d51f889 ("net/core: generic support for disabling netdev features down stack") +Signed-off-by: Hangbin Liu +Link: https://patch.msgid.link/20251030073539.133779-1-liuhangbin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/8021q/vlan.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c +index 422f726346ea5..7c77482f31594 100644 +--- a/net/8021q/vlan.c ++++ b/net/8021q/vlan.c +@@ -194,6 +194,8 @@ int register_vlan_dev(struct net_device *dev, struct netlink_ext_ack *extack) + vlan_group_set_device(grp, vlan->vlan_proto, vlan_id, dev); + grp->nr_vlan_devs++; + ++ netdev_update_features(dev); ++ + return 0; + + out_unregister_netdev: +-- +2.51.0 + diff --git a/queue-6.6/netdevsim-add-makefile-for-selftests.patch b/queue-6.6/netdevsim-add-makefile-for-selftests.patch new file mode 100644 index 0000000000..e30ca38e7e --- /dev/null +++ b/queue-6.6/netdevsim-add-makefile-for-selftests.patch @@ -0,0 +1,61 @@ +From d49fdec16d9c7412759dd0acc046e791a237040e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Jan 2024 13:46:20 -0800 +Subject: netdevsim: add Makefile for selftests + +From: David Wei + +[ Upstream commit 8ff25dac88f616ebebb30830e3a20f079d7a30c9 ] + +Add a Makefile for netdevsim selftests and add selftests path to +MAINTAINERS + +Signed-off-by: David Wei +Link: https://lore.kernel.org/r/20240130214620.3722189-5-dw@davidwei.uk +Signed-off-by: Jakub Kicinski +Stable-dep-of: d01f8136d46b ("selftests: netdevsim: Fix ethtool-coalesce.sh fail by installing ethtool-common.sh") +Signed-off-by: Sasha Levin +--- + MAINTAINERS | 1 + + .../selftests/drivers/net/netdevsim/Makefile | 17 +++++++++++++++++ + 2 files changed, 18 insertions(+) + create mode 100644 tools/testing/selftests/drivers/net/netdevsim/Makefile + +diff --git a/MAINTAINERS b/MAINTAINERS +index 294d2ce29b735..c1aafeb3babf9 100644 +--- a/MAINTAINERS ++++ b/MAINTAINERS +@@ -14725,6 +14725,7 @@ NETDEVSIM + M: Jakub Kicinski + S: Maintained + F: drivers/net/netdevsim/* ++F: tools/testing/selftests/drivers/net/netdevsim/* + + NETEM NETWORK EMULATOR + M: Stephen Hemminger +diff --git a/tools/testing/selftests/drivers/net/netdevsim/Makefile b/tools/testing/selftests/drivers/net/netdevsim/Makefile +new file mode 100644 +index 0000000000000..7a29a05bea8bc +--- /dev/null ++++ b/tools/testing/selftests/drivers/net/netdevsim/Makefile +@@ -0,0 +1,17 @@ ++# SPDX-License-Identifier: GPL-2.0+ OR MIT ++ ++TEST_PROGS = devlink.sh \ ++ devlink_in_netns.sh \ ++ devlink_trap.sh \ ++ ethtool-coalesce.sh \ ++ ethtool-fec.sh \ ++ ethtool-pause.sh \ ++ ethtool-ring.sh \ ++ fib.sh \ ++ hw_stats_l3.sh \ ++ nexthop.sh \ ++ psample.sh \ ++ tc-mq-visibility.sh \ ++ udp_tunnel_nic.sh \ ++ ++include ../../../lib.mk +-- +2.51.0 + diff --git a/queue-6.6/riscv-improve-exception-and-system-call-latency.patch b/queue-6.6/riscv-improve-exception-and-system-call-latency.patch new file mode 100644 index 0000000000..143baf4a30 --- /dev/null +++ b/queue-6.6/riscv-improve-exception-and-system-call-latency.patch @@ -0,0 +1,115 @@ +From 903886e08ea62c31685e5a4a282aaf065ab25eb2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Jun 2024 23:13:35 -0700 +Subject: riscv: Improve exception and system call latency + +From: Anton Blanchard + +[ Upstream commit 5d5fc33ce58e81e8738816f5ee59f8e85fd3b404 ] + +Many CPUs implement return address branch prediction as a stack. The +RISCV architecture refers to this as a return address stack (RAS). If +this gets corrupted then the CPU will mispredict at least one but +potentally many function returns. + +There are two issues with the current RISCV exception code: + +- We are using the alternate link stack (x5/t0) for the indirect branch + which makes the hardware think this is a function return. This will + corrupt the RAS. + +- We modify the return address of handle_exception to point to + ret_from_exception. This will also corrupt the RAS. + +Testing the null system call latency before and after the patch: + +Visionfive2 (StarFive JH7110 / U74) +baseline: 189.87 ns +patched: 176.76 ns + +Lichee pi 4a (T-Head TH1520 / C910) +baseline: 666.58 ns +patched: 636.90 ns + +Just over 7% on the U74 and just over 4% on the C910. + +Signed-off-by: Anton Blanchard +Signed-off-by: Cyril Bur +Tested-by: Jisheng Zhang +Reviewed-by: Jisheng Zhang +Link: https://lore.kernel.org/r/20240607061335.2197383-1-cyrilbur@tenstorrent.com +Signed-off-by: Palmer Dabbelt +Stable-dep-of: 060ea84a484e ("riscv: stacktrace: Disable KASAN checks for non-current tasks") +Signed-off-by: Sasha Levin +--- + arch/riscv/kernel/entry.S | 17 ++++++++++------- + arch/riscv/kernel/stacktrace.c | 4 ++-- + 2 files changed, 12 insertions(+), 9 deletions(-) + +diff --git a/arch/riscv/kernel/entry.S b/arch/riscv/kernel/entry.S +index 1f90fee24a8ba..56c101e381270 100644 +--- a/arch/riscv/kernel/entry.S ++++ b/arch/riscv/kernel/entry.S +@@ -82,7 +82,6 @@ _save_context: + la gp, __global_pointer$ + .option pop + move a0, sp /* pt_regs */ +- la ra, ret_from_exception + + /* + * MSB of cause differentiates between +@@ -91,7 +90,8 @@ _save_context: + bge s4, zero, 1f + + /* Handle interrupts */ +- tail do_irq ++ call do_irq ++ j ret_from_exception + 1: + /* Handle other exceptions */ + slli t0, s4, RISCV_LGPTR +@@ -99,11 +99,14 @@ _save_context: + la t2, excp_vect_table_end + add t0, t1, t0 + /* Check if exception code lies within bounds */ +- bgeu t0, t2, 1f +- REG_L t0, 0(t0) +- jr t0 +-1: +- tail do_trap_unknown ++ bgeu t0, t2, 3f ++ REG_L t1, 0(t0) ++2: jalr t1 ++ j ret_from_exception ++3: ++ ++ la t1, do_trap_unknown ++ j 2b + SYM_CODE_END(handle_exception) + ASM_NOKPROBE(handle_exception) + +diff --git a/arch/riscv/kernel/stacktrace.c b/arch/riscv/kernel/stacktrace.c +index 10e311b2759d3..c6d5de22463f9 100644 +--- a/arch/riscv/kernel/stacktrace.c ++++ b/arch/riscv/kernel/stacktrace.c +@@ -16,7 +16,7 @@ + + #ifdef CONFIG_FRAME_POINTER + +-extern asmlinkage void ret_from_exception(void); ++extern asmlinkage void handle_exception(void); + + static inline int fp_is_valid(unsigned long fp, unsigned long sp) + { +@@ -71,7 +71,7 @@ void notrace walk_stackframe(struct task_struct *task, struct pt_regs *regs, + fp = frame->fp; + pc = ftrace_graph_ret_addr(current, &graph_idx, frame->ra, + &frame->ra); +- if (pc == (unsigned long)ret_from_exception) { ++ if (pc == (unsigned long)handle_exception) { + if (unlikely(!__kernel_text_address(pc) || !fn(arg, pc))) + break; + +-- +2.51.0 + diff --git a/queue-6.6/riscv-ptdump-use-seq_puts-in-pt_dump_seq_puts-macro.patch b/queue-6.6/riscv-ptdump-use-seq_puts-in-pt_dump_seq_puts-macro.patch new file mode 100644 index 0000000000..e7b19fcc62 --- /dev/null +++ b/queue-6.6/riscv-ptdump-use-seq_puts-in-pt_dump_seq_puts-macro.patch @@ -0,0 +1,47 @@ +From 73de30c00c2289ea70e38ea51553b6f429d9e03f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Oct 2025 11:40:43 -0600 +Subject: riscv: ptdump: use seq_puts() in pt_dump_seq_puts() macro + +From: Josephine Pfeiffer + +[ Upstream commit a74f038fa50e0d33b740f44f862fe856f16de6a8 ] + +The pt_dump_seq_puts() macro incorrectly uses seq_printf() instead of +seq_puts(). This is both a performance issue and conceptually wrong, +as the macro name suggests plain string output (puts) but the +implementation uses formatted output (printf). + +The macro is used in ptdump.c:301 to output a newline character. Using +seq_printf() adds unnecessary overhead for format string parsing when +outputting this constant string. + +This bug was introduced in commit 59c4da8640cc ("riscv: Add support to +dump the kernel page tables") in 2020, which copied the implementation +pattern from other architectures that had the same bug. + +Fixes: 59c4da8640cc ("riscv: Add support to dump the kernel page tables") +Signed-off-by: Josephine Pfeiffer +Link: https://lore.kernel.org/r/20251018170451.3355496-1-hi@josie.lol +Signed-off-by: Paul Walmsley +Signed-off-by: Sasha Levin +--- + arch/riscv/mm/ptdump.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/riscv/mm/ptdump.c b/arch/riscv/mm/ptdump.c +index e9090b38f8117..52cc3d9380c08 100644 +--- a/arch/riscv/mm/ptdump.c ++++ b/arch/riscv/mm/ptdump.c +@@ -22,7 +22,7 @@ + #define pt_dump_seq_puts(m, fmt) \ + ({ \ + if (m) \ +- seq_printf(m, fmt); \ ++ seq_puts(m, fmt); \ + }) + + /* +-- +2.51.0 + diff --git a/queue-6.6/riscv-stacktrace-disable-kasan-checks-for-non-curren.patch b/queue-6.6/riscv-stacktrace-disable-kasan-checks-for-non-curren.patch new file mode 100644 index 0000000000..45ef531362 --- /dev/null +++ b/queue-6.6/riscv-stacktrace-disable-kasan-checks-for-non-curren.patch @@ -0,0 +1,73 @@ +From bbe49b8eb0b89a0b9e99d3777721f9ebc0e792bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Oct 2025 11:40:43 -0600 +Subject: riscv: stacktrace: Disable KASAN checks for non-current tasks + +From: Chunyan Zhang + +[ Upstream commit 060ea84a484e852b52b938f234bf9b5503a6c910 ] + +Unwinding the stack of a task other than current, KASAN would report +"BUG: KASAN: out-of-bounds in walk_stackframe+0x41c/0x460" + +There is a same issue on x86 and has been resolved by the commit +84936118bdf3 ("x86/unwind: Disable KASAN checks for non-current tasks") +The solution could be applied to RISC-V too. + +This patch also can solve the issue: +https://seclists.org/oss-sec/2025/q4/23 + +Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly") +Co-developed-by: Jiakai Xu +Signed-off-by: Jiakai Xu +Signed-off-by: Chunyan Zhang +Link: https://lore.kernel.org/r/20251022072608.743484-1-zhangchunyan@iscas.ac.cn +[pjw@kernel.org: clean up checkpatch issues] +Signed-off-by: Paul Walmsley +Signed-off-by: Sasha Levin +--- + arch/riscv/kernel/stacktrace.c | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +diff --git a/arch/riscv/kernel/stacktrace.c b/arch/riscv/kernel/stacktrace.c +index c6d5de22463f9..f87ab8f5a6615 100644 +--- a/arch/riscv/kernel/stacktrace.c ++++ b/arch/riscv/kernel/stacktrace.c +@@ -16,6 +16,22 @@ + + #ifdef CONFIG_FRAME_POINTER + ++/* ++ * This disables KASAN checking when reading a value from another task's stack, ++ * since the other task could be running on another CPU and could have poisoned ++ * the stack in the meantime. ++ */ ++#define READ_ONCE_TASK_STACK(task, x) \ ++({ \ ++ unsigned long val; \ ++ unsigned long addr = x; \ ++ if ((task) == current) \ ++ val = READ_ONCE(addr); \ ++ else \ ++ val = READ_ONCE_NOCHECK(addr); \ ++ val; \ ++}) ++ + extern asmlinkage void handle_exception(void); + + static inline int fp_is_valid(unsigned long fp, unsigned long sp) +@@ -68,8 +84,9 @@ void notrace walk_stackframe(struct task_struct *task, struct pt_regs *regs, + fp = frame->ra; + pc = regs->ra; + } else { +- fp = frame->fp; +- pc = ftrace_graph_ret_addr(current, &graph_idx, frame->ra, ++ fp = READ_ONCE_TASK_STACK(task, frame->fp); ++ pc = READ_ONCE_TASK_STACK(task, frame->ra); ++ pc = ftrace_graph_ret_addr(current, &graph_idx, pc, + &frame->ra); + if (pc == (unsigned long)handle_exception) { + if (unlikely(!__kernel_text_address(pc) || !fn(arg, pc))) +-- +2.51.0 + diff --git a/queue-6.6/sctp-hold-rcu-read-lock-while-iterating-over-address.patch b/queue-6.6/sctp-hold-rcu-read-lock-while-iterating-over-address.patch new file mode 100644 index 0000000000..355ef89b6a --- /dev/null +++ b/queue-6.6/sctp-hold-rcu-read-lock-while-iterating-over-address.patch @@ -0,0 +1,104 @@ +From a62ca54b121e431c761698af8f39c5ca1fd0c79b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Oct 2025 17:12:26 +0100 +Subject: sctp: Hold RCU read lock while iterating over address list + +From: Stefan Wiehler + +[ Upstream commit 38f50242bf0f237cdc262308d624d333286ec3c5 ] + +With CONFIG_PROVE_RCU_LIST=y and by executing + + $ netcat -l --sctp & + $ netcat --sctp localhost & + $ ss --sctp + +one can trigger the following Lockdep-RCU splat(s): + + WARNING: suspicious RCU usage + 6.18.0-rc1-00093-g7f864458e9a6 #5 Not tainted + ----------------------------- + net/sctp/diag.c:76 RCU-list traversed in non-reader section!! + + other info that might help us debug this: + + rcu_scheduler_active = 2, debug_locks = 1 + 2 locks held by ss/215: + #0: ffff9c740828bec0 (nlk_cb_mutex-SOCK_DIAG){+.+.}-{4:4}, at: __netlink_dump_start+0x84/0x2b0 + #1: ffff9c7401d72cd0 (sk_lock-AF_INET6){+.+.}-{0:0}, at: sctp_sock_dump+0x38/0x200 + + stack backtrace: + CPU: 0 UID: 0 PID: 215 Comm: ss Not tainted 6.18.0-rc1-00093-g7f864458e9a6 #5 PREEMPT(voluntary) + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 + Call Trace: + + dump_stack_lvl+0x5d/0x90 + lockdep_rcu_suspicious.cold+0x4e/0xa3 + inet_sctp_diag_fill.isra.0+0x4b1/0x5d0 + sctp_sock_dump+0x131/0x200 + sctp_transport_traverse_process+0x170/0x1b0 + ? __pfx_sctp_sock_filter+0x10/0x10 + ? __pfx_sctp_sock_dump+0x10/0x10 + sctp_diag_dump+0x103/0x140 + __inet_diag_dump+0x70/0xb0 + netlink_dump+0x148/0x490 + __netlink_dump_start+0x1f3/0x2b0 + inet_diag_handler_cmd+0xcd/0x100 + ? __pfx_inet_diag_dump_start+0x10/0x10 + ? __pfx_inet_diag_dump+0x10/0x10 + ? __pfx_inet_diag_dump_done+0x10/0x10 + sock_diag_rcv_msg+0x18e/0x320 + ? __pfx_sock_diag_rcv_msg+0x10/0x10 + netlink_rcv_skb+0x4d/0x100 + netlink_unicast+0x1d7/0x2b0 + netlink_sendmsg+0x203/0x450 + ____sys_sendmsg+0x30c/0x340 + ___sys_sendmsg+0x94/0xf0 + __sys_sendmsg+0x83/0xf0 + do_syscall_64+0xbb/0x390 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + ... + + +Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file") +Signed-off-by: Stefan Wiehler +Reviewed-by: Kuniyuki Iwashima +Acked-by: Xin Long +Link: https://patch.msgid.link/20251028161506.3294376-2-stefan.wiehler@nokia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/diag.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/sctp/diag.c b/net/sctp/diag.c +index c3d6b92dd3862..d92b210c70f8e 100644 +--- a/net/sctp/diag.c ++++ b/net/sctp/diag.c +@@ -73,19 +73,23 @@ static int inet_diag_msg_sctpladdrs_fill(struct sk_buff *skb, + struct nlattr *attr; + void *info = NULL; + ++ rcu_read_lock(); + list_for_each_entry_rcu(laddr, address_list, list) + addrcnt++; ++ rcu_read_unlock(); + + attr = nla_reserve(skb, INET_DIAG_LOCALS, addrlen * addrcnt); + if (!attr) + return -EMSGSIZE; + + info = nla_data(attr); ++ rcu_read_lock(); + list_for_each_entry_rcu(laddr, address_list, list) { + memcpy(info, &laddr->a, sizeof(laddr->a)); + memset(info + sizeof(laddr->a), 0, addrlen - sizeof(laddr->a)); + info += addrlen; + } ++ rcu_read_unlock(); + + return 0; + } +-- +2.51.0 + diff --git a/queue-6.6/sctp-hold-sock-lock-while-iterating-over-address-lis.patch b/queue-6.6/sctp-hold-sock-lock-while-iterating-over-address-lis.patch new file mode 100644 index 0000000000..b662cd57dc --- /dev/null +++ b/queue-6.6/sctp-hold-sock-lock-while-iterating-over-address-lis.patch @@ -0,0 +1,66 @@ +From a1ef7d83de5fe8364c1676260203963ab0f617d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Oct 2025 17:12:28 +0100 +Subject: sctp: Hold sock lock while iterating over address list + +From: Stefan Wiehler + +[ Upstream commit f1fc201148c7e684c10a72b6a3375597f28d1ef6 ] + +Move address list traversal in inet_assoc_attr_size() under the sock +lock to avoid holding the RCU read lock. + +Suggested-by: Xin Long +Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file") +Signed-off-by: Stefan Wiehler +Acked-by: Xin Long +Link: https://patch.msgid.link/20251028161506.3294376-4-stefan.wiehler@nokia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/diag.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/net/sctp/diag.c b/net/sctp/diag.c +index 7799e5abdbd05..ad3e1462a896e 100644 +--- a/net/sctp/diag.c ++++ b/net/sctp/diag.c +@@ -230,14 +230,15 @@ struct sctp_comm_param { + bool net_admin; + }; + +-static size_t inet_assoc_attr_size(struct sctp_association *asoc) ++static size_t inet_assoc_attr_size(struct sock *sk, ++ struct sctp_association *asoc) + { + int addrlen = sizeof(struct sockaddr_storage); + int addrcnt = 0; + struct sctp_sockaddr_entry *laddr; + + list_for_each_entry_rcu(laddr, &asoc->base.bind_addr.address_list, +- list) ++ list, lockdep_sock_is_held(sk)) + addrcnt++; + + return nla_total_size(sizeof(struct sctp_info)) +@@ -263,11 +264,14 @@ static int sctp_sock_dump_one(struct sctp_endpoint *ep, struct sctp_transport *t + if (err) + return err; + +- rep = nlmsg_new(inet_assoc_attr_size(assoc), GFP_KERNEL); +- if (!rep) ++ lock_sock(sk); ++ ++ rep = nlmsg_new(inet_assoc_attr_size(sk, assoc), GFP_KERNEL); ++ if (!rep) { ++ release_sock(sk); + return -ENOMEM; ++ } + +- lock_sock(sk); + if (ep != assoc->ep) { + err = -EAGAIN; + goto out; +-- +2.51.0 + diff --git a/queue-6.6/sctp-prevent-toctou-out-of-bounds-write.patch b/queue-6.6/sctp-prevent-toctou-out-of-bounds-write.patch new file mode 100644 index 0000000000..fce888015a --- /dev/null +++ b/queue-6.6/sctp-prevent-toctou-out-of-bounds-write.patch @@ -0,0 +1,45 @@ +From a9bfcd8337214cfd75a0b05dbf1a0c7ff16d1718 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Oct 2025 17:12:27 +0100 +Subject: sctp: Prevent TOCTOU out-of-bounds write + +From: Stefan Wiehler + +[ Upstream commit 95aef86ab231f047bb8085c70666059b58f53c09 ] + +For the following path not holding the sock lock, + + sctp_diag_dump() -> sctp_for_each_endpoint() -> sctp_ep_dump() + +make sure not to exceed bounds in case the address list has grown +between buffer allocation (time-of-check) and write (time-of-use). + +Suggested-by: Kuniyuki Iwashima +Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file") +Signed-off-by: Stefan Wiehler +Reviewed-by: Kuniyuki Iwashima +Acked-by: Xin Long +Link: https://patch.msgid.link/20251028161506.3294376-3-stefan.wiehler@nokia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/diag.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/sctp/diag.c b/net/sctp/diag.c +index d92b210c70f8e..7799e5abdbd05 100644 +--- a/net/sctp/diag.c ++++ b/net/sctp/diag.c +@@ -88,6 +88,9 @@ static int inet_diag_msg_sctpladdrs_fill(struct sk_buff *skb, + memcpy(info, &laddr->a, sizeof(laddr->a)); + memset(info + sizeof(laddr->a), 0, addrlen - sizeof(laddr->a)); + info += addrlen; ++ ++ if (!--addrcnt) ++ break; + } + rcu_read_unlock(); + +-- +2.51.0 + diff --git a/queue-6.6/selftests-net-fix-gro-coalesce-test-and-add-ext-head.patch b/queue-6.6/selftests-net-fix-gro-coalesce-test-and-add-ext-head.patch new file mode 100644 index 0000000000..f00b2376d7 --- /dev/null +++ b/queue-6.6/selftests-net-fix-gro-coalesce-test-and-add-ext-head.patch @@ -0,0 +1,200 @@ +From ff067485d643cf65763147eaeacb93913c82b549 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Jan 2024 15:48:35 +0100 +Subject: selftests/net: fix GRO coalesce test and add ext header coalesce + tests + +From: Richard Gobert + +[ Upstream commit 4e321d590cec6053cb3c566413794706035ee638 ] + +Currently there is no test which checks that IPv6 extension header packets +successfully coalesce. This commit adds a test, which verifies two IPv6 +packets with HBH extension headers do coalesce, and another test which +checks that packets with different extension header data do not coalesce +in GRO. + +I changed the receive socket filter to accept a packet with one extension +header. This change exposed a bug in the fragment test -- the old BPF did +not accept the fragment packet. I updated correct_num_packets in the +fragment test accordingly. + +Signed-off-by: Richard Gobert +Reviewed-by: Willem de Bruijn +Link: https://lore.kernel.org/r/69282fed-2415-47e8-b3d3-34939ec3eb56@gmail.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: f8e8486702ab ("selftests/net: use destination options instead of hop-by-hop") +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/gro.c | 93 +++++++++++++++++++++++++++++-- + 1 file changed, 87 insertions(+), 6 deletions(-) + +diff --git a/tools/testing/selftests/net/gro.c b/tools/testing/selftests/net/gro.c +index ad7b07084ca24..9c6f5b4033c37 100644 +--- a/tools/testing/selftests/net/gro.c ++++ b/tools/testing/selftests/net/gro.c +@@ -71,6 +71,12 @@ + #define MAX_PAYLOAD (IP_MAXPACKET - sizeof(struct tcphdr) - sizeof(struct ipv6hdr)) + #define NUM_LARGE_PKT (MAX_PAYLOAD / MSS) + #define MAX_HDR_LEN (ETH_HLEN + sizeof(struct ipv6hdr) + sizeof(struct tcphdr)) ++#define MIN_EXTHDR_SIZE 8 ++#define EXT_PAYLOAD_1 "\x00\x00\x00\x00\x00\x00" ++#define EXT_PAYLOAD_2 "\x11\x11\x11\x11\x11\x11" ++ ++#define ipv6_optlen(p) (((p)->hdrlen+1) << 3) /* calculate IPv6 extension header len */ ++#define BUILD_BUG_ON(condition) ((void)sizeof(char[1 - 2*!!(condition)])) + + static const char *addr6_src = "fdaa::2"; + static const char *addr6_dst = "fdaa::1"; +@@ -104,7 +110,7 @@ static void setup_sock_filter(int fd) + const int dport_off = tcp_offset + offsetof(struct tcphdr, dest); + const int ethproto_off = offsetof(struct ethhdr, h_proto); + int optlen = 0; +- int ipproto_off; ++ int ipproto_off, opt_ipproto_off; + int next_off; + + if (proto == PF_INET) +@@ -116,14 +122,30 @@ static void setup_sock_filter(int fd) + if (strcmp(testname, "ip") == 0) { + if (proto == PF_INET) + optlen = sizeof(struct ip_timestamp); +- else +- optlen = sizeof(struct ip6_frag); ++ else { ++ BUILD_BUG_ON(sizeof(struct ip6_hbh) > MIN_EXTHDR_SIZE); ++ BUILD_BUG_ON(sizeof(struct ip6_dest) > MIN_EXTHDR_SIZE); ++ BUILD_BUG_ON(sizeof(struct ip6_frag) > MIN_EXTHDR_SIZE); ++ ++ /* same size for HBH and Fragment extension header types */ ++ optlen = MIN_EXTHDR_SIZE; ++ opt_ipproto_off = ETH_HLEN + sizeof(struct ipv6hdr) ++ + offsetof(struct ip6_ext, ip6e_nxt); ++ } + } + ++ /* this filter validates the following: ++ * - packet is IPv4/IPv6 according to the running test. ++ * - packet is TCP. Also handles the case of one extension header and then TCP. ++ * - checks the packet tcp dport equals to DPORT. Also handles the case of one ++ * extension header and then TCP. ++ */ + struct sock_filter filter[] = { + BPF_STMT(BPF_LD + BPF_H + BPF_ABS, ethproto_off), +- BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, ntohs(ethhdr_proto), 0, 7), ++ BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, ntohs(ethhdr_proto), 0, 9), + BPF_STMT(BPF_LD + BPF_B + BPF_ABS, ipproto_off), ++ BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, IPPROTO_TCP, 2, 0), ++ BPF_STMT(BPF_LD + BPF_B + BPF_ABS, opt_ipproto_off), + BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, IPPROTO_TCP, 0, 5), + BPF_STMT(BPF_LD + BPF_H + BPF_ABS, dport_off), + BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, DPORT, 2, 0), +@@ -576,6 +598,39 @@ static void add_ipv4_ts_option(void *buf, void *optpkt) + iph->check = checksum_fold(iph, sizeof(struct iphdr) + optlen, 0); + } + ++static void add_ipv6_exthdr(void *buf, void *optpkt, __u8 exthdr_type, char *ext_payload) ++{ ++ struct ipv6_opt_hdr *exthdr = (struct ipv6_opt_hdr *)(optpkt + tcp_offset); ++ struct ipv6hdr *iph = (struct ipv6hdr *)(optpkt + ETH_HLEN); ++ char *exthdr_payload_start = (char *)(exthdr + 1); ++ ++ exthdr->hdrlen = 0; ++ exthdr->nexthdr = IPPROTO_TCP; ++ ++ memcpy(exthdr_payload_start, ext_payload, MIN_EXTHDR_SIZE - sizeof(*exthdr)); ++ ++ memcpy(optpkt, buf, tcp_offset); ++ memcpy(optpkt + tcp_offset + MIN_EXTHDR_SIZE, buf + tcp_offset, ++ sizeof(struct tcphdr) + PAYLOAD_LEN); ++ ++ iph->nexthdr = exthdr_type; ++ iph->payload_len = htons(ntohs(iph->payload_len) + MIN_EXTHDR_SIZE); ++} ++ ++static void send_ipv6_exthdr(int fd, struct sockaddr_ll *daddr, char *ext_data1, char *ext_data2) ++{ ++ static char buf[MAX_HDR_LEN + PAYLOAD_LEN]; ++ static char exthdr_pck[sizeof(buf) + MIN_EXTHDR_SIZE]; ++ ++ create_packet(buf, 0, 0, PAYLOAD_LEN, 0); ++ add_ipv6_exthdr(buf, exthdr_pck, IPPROTO_HOPOPTS, ext_data1); ++ write_packet(fd, exthdr_pck, total_hdr_len + PAYLOAD_LEN + MIN_EXTHDR_SIZE, daddr); ++ ++ create_packet(buf, PAYLOAD_LEN * 1, 0, PAYLOAD_LEN, 0); ++ add_ipv6_exthdr(buf, exthdr_pck, IPPROTO_HOPOPTS, ext_data2); ++ write_packet(fd, exthdr_pck, total_hdr_len + PAYLOAD_LEN + MIN_EXTHDR_SIZE, daddr); ++} ++ + /* IPv4 options shouldn't coalesce */ + static void send_ip_options(int fd, struct sockaddr_ll *daddr) + { +@@ -697,7 +752,7 @@ static void send_fragment6(int fd, struct sockaddr_ll *daddr) + create_packet(buf, PAYLOAD_LEN * i, 0, PAYLOAD_LEN, 0); + write_packet(fd, buf, bufpkt_len, daddr); + } +- ++ sleep(1); + create_packet(buf, PAYLOAD_LEN * 2, 0, PAYLOAD_LEN, 0); + memset(extpkt, 0, extpkt_len); + +@@ -760,6 +815,7 @@ static void check_recv_pkts(int fd, int *correct_payload, + vlog("}, Total %d packets\nReceived {", correct_num_pkts); + + while (1) { ++ ip_ext_len = 0; + pkt_size = recv(fd, buffer, IP_MAXPACKET + ETH_HLEN + 1, 0); + if (pkt_size < 0) + error(1, errno, "could not receive"); +@@ -767,7 +823,7 @@ static void check_recv_pkts(int fd, int *correct_payload, + if (iph->version == 4) + ip_ext_len = (iph->ihl - 5) * 4; + else if (ip6h->version == 6 && ip6h->nexthdr != IPPROTO_TCP) +- ip_ext_len = sizeof(struct ip6_frag); ++ ip_ext_len = MIN_EXTHDR_SIZE; + + tcph = (struct tcphdr *)(buffer + tcp_offset + ip_ext_len); + +@@ -888,7 +944,21 @@ static void gro_sender(void) + sleep(1); + write_packet(txfd, fin_pkt, total_hdr_len, &daddr); + } else if (proto == PF_INET6) { ++ sleep(1); + send_fragment6(txfd, &daddr); ++ sleep(1); ++ write_packet(txfd, fin_pkt, total_hdr_len, &daddr); ++ ++ sleep(1); ++ /* send IPv6 packets with ext header with same payload */ ++ send_ipv6_exthdr(txfd, &daddr, EXT_PAYLOAD_1, EXT_PAYLOAD_1); ++ sleep(1); ++ write_packet(txfd, fin_pkt, total_hdr_len, &daddr); ++ ++ sleep(1); ++ /* send IPv6 packets with ext header with different payload */ ++ send_ipv6_exthdr(txfd, &daddr, EXT_PAYLOAD_1, EXT_PAYLOAD_2); ++ sleep(1); + write_packet(txfd, fin_pkt, total_hdr_len, &daddr); + } + } else if (strcmp(testname, "large") == 0) { +@@ -1005,6 +1075,17 @@ static void gro_receiver(void) + */ + printf("fragmented ip6 doesn't coalesce: "); + correct_payload[0] = PAYLOAD_LEN * 2; ++ correct_payload[1] = PAYLOAD_LEN; ++ correct_payload[2] = PAYLOAD_LEN; ++ check_recv_pkts(rxfd, correct_payload, 3); ++ ++ printf("ipv6 with ext header does coalesce: "); ++ correct_payload[0] = PAYLOAD_LEN * 2; ++ check_recv_pkts(rxfd, correct_payload, 1); ++ ++ printf("ipv6 with ext header with different payloads doesn't coalesce: "); ++ correct_payload[0] = PAYLOAD_LEN; ++ correct_payload[1] = PAYLOAD_LEN; + check_recv_pkts(rxfd, correct_payload, 2); + } + } else if (strcmp(testname, "large") == 0) { +-- +2.51.0 + diff --git a/queue-6.6/selftests-net-fix-out-of-order-delivery-of-fin-in-gr.patch b/queue-6.6/selftests-net-fix-out-of-order-delivery-of-fin-in-gr.patch new file mode 100644 index 0000000000..6692377a8f --- /dev/null +++ b/queue-6.6/selftests-net-fix-out-of-order-delivery-of-fin-in-gr.patch @@ -0,0 +1,66 @@ +From b7efe5d35de18bc7d3f5cf1d59541b7994c9b554 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Oct 2025 06:28:18 +0000 +Subject: selftests/net: fix out-of-order delivery of FIN in gro:tcp test + +From: Anubhav Singh + +[ Upstream commit 02d064de05b1fcca769391fa82d205bed8bb9bf0 ] + +Due to the gro_sender sending data packets and FIN packets +in very quick succession, these are received almost simultaneously +by the gro_receiver. FIN packets are sometimes processed before the +data packets leading to intermittent (~1/100) test failures. + +This change adds a delay of 100ms before sending FIN packets +in gro:tcp test to avoid the out-of-order delivery. The same +mitigation already exists for the gro:ip test. + +Fixes: 7d1575014a63 ("selftests/net: GRO coalesce test") +Reviewed-by: Willem de Bruijn +Signed-off-by: Anubhav Singh +Link: https://patch.msgid.link/20251030062818.1562228-1-anubhavsinggh@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/gro.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/tools/testing/selftests/net/gro.c b/tools/testing/selftests/net/gro.c +index 30024d0ed3739..ad7b07084ca24 100644 +--- a/tools/testing/selftests/net/gro.c ++++ b/tools/testing/selftests/net/gro.c +@@ -802,6 +802,7 @@ static void check_recv_pkts(int fd, int *correct_payload, + + static void gro_sender(void) + { ++ const int fin_delay_us = 100 * 1000; + static char fin_pkt[MAX_HDR_LEN]; + struct sockaddr_ll daddr = {}; + int txfd = -1; +@@ -845,15 +846,22 @@ static void gro_sender(void) + write_packet(txfd, fin_pkt, total_hdr_len, &daddr); + } else if (strcmp(testname, "tcp") == 0) { + send_changed_checksum(txfd, &daddr); ++ /* Adding sleep before sending FIN so that it is not ++ * received prior to other packets. ++ */ ++ usleep(fin_delay_us); + write_packet(txfd, fin_pkt, total_hdr_len, &daddr); + + send_changed_seq(txfd, &daddr); ++ usleep(fin_delay_us); + write_packet(txfd, fin_pkt, total_hdr_len, &daddr); + + send_changed_ts(txfd, &daddr); ++ usleep(fin_delay_us); + write_packet(txfd, fin_pkt, total_hdr_len, &daddr); + + send_diff_opt(txfd, &daddr); ++ usleep(fin_delay_us); + write_packet(txfd, fin_pkt, total_hdr_len, &daddr); + } else if (strcmp(testname, "ip") == 0) { + send_changed_ECN(txfd, &daddr); +-- +2.51.0 + diff --git a/queue-6.6/selftests-net-use-destination-options-instead-of-hop.patch b/queue-6.6/selftests-net-use-destination-options-instead-of-hop.patch new file mode 100644 index 0000000000..af0ed1fc20 --- /dev/null +++ b/queue-6.6/selftests-net-use-destination-options-instead-of-hop.patch @@ -0,0 +1,58 @@ +From ede957c4dee57f428b797a43db12e73c737e48e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Oct 2025 06:04:36 +0000 +Subject: selftests/net: use destination options instead of hop-by-hop + +From: Anubhav Singh + +[ Upstream commit f8e8486702abb05b8c734093aab1606af0eac068 ] + +The GRO self-test, gro.c, currently constructs IPv6 packets containing a +Hop-by-Hop Options header (IPPROTO_HOPOPTS) to ensure the GRO path +correctly handles IPv6 extension headers. + +However, network elements may be configured to drop packets with the +Hop-by-Hop Options header (HBH). This causes the self-test to fail +in environments where such network elements are present. + +To improve the robustness and reliability of this test in diverse +network environments, switch from using IPPROTO_HOPOPTS to +IPPROTO_DSTOPTS (Destination Options). + +The Destination Options header is less likely to be dropped by +intermediate routers and still serves the core purpose of the test: +validating GRO's handling of an IPv6 extension header. This change +ensures the test can execute successfully without being incorrectly +failed by network policies outside the kernel's control. + +Fixes: 7d1575014a63 ("selftests/net: GRO coalesce test") +Reviewed-by: Willem de Bruijn +Signed-off-by: Anubhav Singh +Link: https://patch.msgid.link/20251030060436.1556664-1-anubhavsinggh@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/gro.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/net/gro.c b/tools/testing/selftests/net/gro.c +index 9c6f5b4033c37..8dd6857e52cb5 100644 +--- a/tools/testing/selftests/net/gro.c ++++ b/tools/testing/selftests/net/gro.c +@@ -623,11 +623,11 @@ static void send_ipv6_exthdr(int fd, struct sockaddr_ll *daddr, char *ext_data1, + static char exthdr_pck[sizeof(buf) + MIN_EXTHDR_SIZE]; + + create_packet(buf, 0, 0, PAYLOAD_LEN, 0); +- add_ipv6_exthdr(buf, exthdr_pck, IPPROTO_HOPOPTS, ext_data1); ++ add_ipv6_exthdr(buf, exthdr_pck, IPPROTO_DSTOPTS, ext_data1); + write_packet(fd, exthdr_pck, total_hdr_len + PAYLOAD_LEN + MIN_EXTHDR_SIZE, daddr); + + create_packet(buf, PAYLOAD_LEN * 1, 0, PAYLOAD_LEN, 0); +- add_ipv6_exthdr(buf, exthdr_pck, IPPROTO_HOPOPTS, ext_data2); ++ add_ipv6_exthdr(buf, exthdr_pck, IPPROTO_DSTOPTS, ext_data2); + write_packet(fd, exthdr_pck, total_hdr_len + PAYLOAD_LEN + MIN_EXTHDR_SIZE, daddr); + } + +-- +2.51.0 + diff --git a/queue-6.6/selftests-netdevsim-fix-ethtool-coalesce.sh-fail-by-.patch b/queue-6.6/selftests-netdevsim-fix-ethtool-coalesce.sh-fail-by-.patch new file mode 100644 index 0000000000..7a16979255 --- /dev/null +++ b/queue-6.6/selftests-netdevsim-fix-ethtool-coalesce.sh-fail-by-.patch @@ -0,0 +1,60 @@ +From 17aa6547c6cf087de2d3be33b1f047430c8b4e3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Oct 2025 12:03:40 +0800 +Subject: selftests: netdevsim: Fix ethtool-coalesce.sh fail by installing + ethtool-common.sh + +From: Wang Liang + +[ Upstream commit d01f8136d46b925798abcf86b35a4021e4cfb8bb ] + +The script "ethtool-common.sh" is not installed in INSTALL_PATH, and +triggers some errors when I try to run the test +'drivers/net/netdevsim/ethtool-coalesce.sh': + + TAP version 13 + 1..1 + # timeout set to 600 + # selftests: drivers/net/netdevsim: ethtool-coalesce.sh + # ./ethtool-coalesce.sh: line 4: ethtool-common.sh: No such file or directory + # ./ethtool-coalesce.sh: line 25: make_netdev: command not found + # ethtool: bad command line argument(s) + # ./ethtool-coalesce.sh: line 124: check: command not found + # ./ethtool-coalesce.sh: line 126: [: -eq: unary operator expected + # FAILED /0 checks + not ok 1 selftests: drivers/net/netdevsim: ethtool-coalesce.sh # exit=1 + +Install this file to avoid this error. After this patch: + + TAP version 13 + 1..1 + # timeout set to 600 + # selftests: drivers/net/netdevsim: ethtool-coalesce.sh + # PASSED all 22 checks + ok 1 selftests: drivers/net/netdevsim: ethtool-coalesce.sh + +Fixes: fbb8531e58bd ("selftests: extract common functions in ethtool-common.sh") +Signed-off-by: Wang Liang +Link: https://patch.msgid.link/20251030040340.3258110-1-wangliang74@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/drivers/net/netdevsim/Makefile | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/tools/testing/selftests/drivers/net/netdevsim/Makefile b/tools/testing/selftests/drivers/net/netdevsim/Makefile +index 7a29a05bea8bc..50932e13cb5a8 100644 +--- a/tools/testing/selftests/drivers/net/netdevsim/Makefile ++++ b/tools/testing/selftests/drivers/net/netdevsim/Makefile +@@ -14,4 +14,8 @@ TEST_PROGS = devlink.sh \ + tc-mq-visibility.sh \ + udp_tunnel_nic.sh \ + ++TEST_FILES := \ ++ ethtool-common.sh ++# end of TEST_FILES ++ + include ../../../lib.mk +-- +2.51.0 + diff --git a/queue-6.6/series b/queue-6.6/series index d286a873f5..78d96996e7 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -330,3 +330,32 @@ alsa-hda-realtek-audio-disappears-on-hp-15-fc000-aft.patch media-uvcvideo-use-heuristic-to-find-stream-entity.patch revert-wifi-ath10k-avoid-unnecessary-wait-for-service-ready-message.patch net-libwx-fix-device-bus-lan-id.patch +riscv-improve-exception-and-system-call-latency.patch +riscv-stacktrace-disable-kasan-checks-for-non-curren.patch +riscv-ptdump-use-seq_puts-in-pt_dump_seq_puts-macro.patch +bluetooth-hci_event-validate-skb-length-for-unknown-.patch +bluetooth-btrtl-fix-memory-leak-in-rtlbt_parse_firmw.patch +net-dsa-tag_brcm-legacy-fix-untagged-rx-on-unbridged.patch +selftests-net-fix-out-of-order-delivery-of-fin-in-gr.patch +selftests-net-fix-gro-coalesce-test-and-add-ext-head.patch +selftests-net-use-destination-options-instead-of-hop.patch +netdevsim-add-makefile-for-selftests.patch +selftests-netdevsim-fix-ethtool-coalesce.sh-fail-by-.patch +net-vlan-sync-vlan-features-with-lower-device.patch +net-dsa-b53-fix-resetting-speed-and-pause-on-forced-.patch +net-dsa-b53-fix-enabling-ip-multicast.patch +net-dsa-b53-stop-reading-arl-entries-if-search-is-do.patch +sctp-hold-rcu-read-lock-while-iterating-over-address.patch +sctp-prevent-toctou-out-of-bounds-write.patch +sctp-hold-sock-lock-while-iterating-over-address-lis.patch +net-usb-qmi_wwan-initialize-mac-header-offset-in-qmi.patch +bnxt_en-fix-a-possible-memory-leak-in-bnxt_ptp_init.patch +wifi-mac80211_hwsim-limit-destroy_on_close-radio-rem.patch +net-mlx5e-use-extack-in-get-module-eeprom-by-page-ca.patch +net-mlx5e-fix-return-value-in-case-of-module-eeprom-.patch +net-mlx5e-shampo-fix-skb-size-check-for-64k-pages.patch +net-dsa-microchip-fix-reserved-multicast-address-tab.patch +lan966x-fix-sleeping-in-atomic-context.patch +net-bridge-fix-use-after-free-due-to-mst-port-state-.patch +net-bridge-fix-mst-static-key-usage.patch +tracing-fix-memory-leaks-in-create_field_var.patch diff --git a/queue-6.6/tracing-fix-memory-leaks-in-create_field_var.patch b/queue-6.6/tracing-fix-memory-leaks-in-create_field_var.patch new file mode 100644 index 0000000000..9a3cbd5605 --- /dev/null +++ b/queue-6.6/tracing-fix-memory-leaks-in-create_field_var.patch @@ -0,0 +1,53 @@ +From f4dc6d59470d3825f38bc1ec90aa4798f2fdceb5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Nov 2025 12:01:32 +0000 +Subject: tracing: Fix memory leaks in create_field_var() + +From: Zilin Guan + +[ Upstream commit 80f0d631dcc76ee1b7755bfca1d8417d91d71414 ] + +The function create_field_var() allocates memory for 'val' through +create_hist_field() inside parse_atom(), and for 'var' through +create_var(), which in turn allocates var->type and var->var.name +internally. Simply calling kfree() to release these structures will +result in memory leaks. + +Use destroy_hist_field() to properly free 'val', and explicitly release +the memory of var->type and var->var.name before freeing 'var' itself. + +Link: https://patch.msgid.link/20251106120132.3639920-1-zilin@seu.edu.cn +Fixes: 02205a6752f22 ("tracing: Add support for 'field variables'") +Signed-off-by: Zilin Guan +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_events_hist.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c +index 88985aefb71ff..e6d2f2a94235f 100644 +--- a/kernel/trace/trace_events_hist.c ++++ b/kernel/trace/trace_events_hist.c +@@ -3258,14 +3258,16 @@ static struct field_var *create_field_var(struct hist_trigger_data *hist_data, + var = create_var(hist_data, file, field_name, val->size, val->type); + if (IS_ERR(var)) { + hist_err(tr, HIST_ERR_VAR_CREATE_FIND_FAIL, errpos(field_name)); +- kfree(val); ++ destroy_hist_field(val, 0); + ret = PTR_ERR(var); + goto err; + } + + field_var = kzalloc(sizeof(struct field_var), GFP_KERNEL); + if (!field_var) { +- kfree(val); ++ destroy_hist_field(val, 0); ++ kfree_const(var->type); ++ kfree(var->var.name); + kfree(var); + ret = -ENOMEM; + goto err; +-- +2.51.0 + diff --git a/queue-6.6/wifi-mac80211_hwsim-limit-destroy_on_close-radio-rem.patch b/queue-6.6/wifi-mac80211_hwsim-limit-destroy_on_close-radio-rem.patch new file mode 100644 index 0000000000..d508cc0af3 --- /dev/null +++ b/queue-6.6/wifi-mac80211_hwsim-limit-destroy_on_close-radio-rem.patch @@ -0,0 +1,64 @@ +From 70d0d2472774cfd4dd995c8ea6d654f375600e60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Nov 2025 09:24:36 +0100 +Subject: wifi: mac80211_hwsim: Limit destroy_on_close radio removal to + netgroup + +From: Martin Willi + +[ Upstream commit c74619e7602e88a0239cd4999571dd31081e9adf ] + +hwsim radios marked destroy_on_close are removed when the Netlink socket +that created them is closed. As the portid is not unique across network +namespaces, closing a socket in one namespace may remove radios in another +if it has the destroy_on_close flag set. + +Instead of matching the network namespace, match the netgroup of the radio +to limit radio removal to those that have been created by the closing +Netlink socket. The netgroup of a radio identifies the network namespace +it was created in, and matching on it removes a destroy_on_close radio +even if it has been moved to another namespace. + +Fixes: 100cb9ff40e0 ("mac80211_hwsim: Allow managing radios from non-initial namespaces") +Signed-off-by: Martin Willi +Link: https://patch.msgid.link/20251103082436.30483-1-martin@strongswan.org +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/virtual/mac80211_hwsim.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/virtual/mac80211_hwsim.c b/drivers/net/wireless/virtual/mac80211_hwsim.c +index f5f48f7e6d26e..1214e7dcc8124 100644 +--- a/drivers/net/wireless/virtual/mac80211_hwsim.c ++++ b/drivers/net/wireless/virtual/mac80211_hwsim.c +@@ -6189,14 +6189,15 @@ static struct genl_family hwsim_genl_family __ro_after_init = { + .n_mcgrps = ARRAY_SIZE(hwsim_mcgrps), + }; + +-static void remove_user_radios(u32 portid) ++static void remove_user_radios(u32 portid, int netgroup) + { + struct mac80211_hwsim_data *entry, *tmp; + LIST_HEAD(list); + + spin_lock_bh(&hwsim_radio_lock); + list_for_each_entry_safe(entry, tmp, &hwsim_radios, list) { +- if (entry->destroy_on_close && entry->portid == portid) { ++ if (entry->destroy_on_close && entry->portid == portid && ++ entry->netgroup == netgroup) { + list_move(&entry->list, &list); + rhashtable_remove_fast(&hwsim_radios_rht, &entry->rht, + hwsim_rht_params); +@@ -6221,7 +6222,7 @@ static int mac80211_hwsim_netlink_notify(struct notifier_block *nb, + if (state != NETLINK_URELEASE) + return NOTIFY_DONE; + +- remove_user_radios(notify->portid); ++ remove_user_radios(notify->portid, hwsim_net_get_netgroup(notify->net)); + + if (notify->portid == hwsim_net_get_wmediumd(notify->net)) { + printk(KERN_INFO "mac80211_hwsim: wmediumd released netlink" +-- +2.51.0 +