+++ /dev/null
-From 118999c3ea67ee7a625d7b705a84a2c5d4544d45 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 11 May 2026 15:53:55 +0200
-Subject: ARM: allow __do_kernel_fault() to report execution of memory faults
-
-From: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
-
-commit 40b466db1dffb41f0529035c59c5739636d0e5b8 upstream.
-
-Allow __do_kernel_fault() to detect the execution of memory, so we can
-provide the same fault message as do_page_fault() would do. This is
-required when we split the kernel address fault handling from the
-main do_page_fault() code path.
-
-Reviewed-by: Xie Yuanbin <xieyuanbin1@huawei.com>
-Tested-by: Xie Yuanbin <xieyuanbin1@huawei.com>
-Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
-Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/arm/mm/fault.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c
-index 4dca7b75ae5e43..1d052d3c767d96 100644
---- a/arch/arm/mm/fault.c
-+++ b/arch/arm/mm/fault.c
-@@ -176,6 +176,8 @@ __do_kernel_fault(struct mm_struct *mm, unsigned long addr, unsigned int fsr,
- */
- if (addr < PAGE_SIZE) {
- msg = "NULL pointer dereference";
-+ } else if (is_permission_fault(fsr) && fsr & FSR_LNX_PF) {
-+ msg = "execution of memory";
- } else {
- if (is_translation_fault(fsr) &&
- kfence_handle_page_fault(addr, is_write_fault(fsr), regs))
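Review bot: The new condition `is_permission_fault(fsr) && fsr & FSR_LNX_PF` mixes `&&` and `&` without parentheses. It evaluates as intended because `&` binds tighter, but the reader has to work that out; I would write `} else if (is_permission_fault(fsr) && (fsr & FSR_LNX_PF)) {`. Because the `addr < PAGE_SIZE` test comes first, a fault with FSR_LNX_PF set on an address in the first page is still reported as "NULL pointer dereference". If that ordering is intended, a one-line comment saying so would help whoever reads the oops text. __do_kernel_fault() starts and ends outside this hunk.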
---
-2.53.0
-
+++ /dev/null
-From 3d00acaa8e5ba357b1706dd0002cc5aa941b2be0 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 11 May 2026 15:53:57 +0200
-Subject: ARM: fix branch predictor hardening
-
-From: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
-
-commit fd2dee1c6e2256f726ba33fd3083a7be0efc80d3 upstream.
-
-__do_user_fault() may be called with indeterminent interrupt enable
-state, which means we may be preemptive at this point. This causes
-problems when calling harden_branch_predictor(). For example, when
-called from a data abort, do_alignment_fault()->do_bad_area().
-
-Move harden_branch_predictor() out of __do_user_fault() and into the
-calling contexts.
-
-Moving it into do_kernel_address_page_fault(), we can be sure that
-interrupts will be disabled here.
-
-Converting do_translation_fault() to use do_kernel_address_page_fault()
-rather than do_bad_area() means that we keep branch predictor handling
-for translation faults. Interrupts will also be disabled at this call
-site.
-
-do_sect_fault() needs special handling, so detect user mode accesses
-to kernel-addresses, and add an explicit call to branch predictor
-hardening.
-
-Finally, add branch predictor hardening to do_alignment() for the
-faulting case (user mode accessing kernel addresses) before interrupts
-are enabled.
-
-This should cover all cases where harden_branch_predictor() is called,
-ensuring that it is always has interrupts disabled, also ensuring that
-it is called early in each call path.
-
-Reviewed-by: Xie Yuanbin <xieyuanbin1@huawei.com>
-Tested-by: Xie Yuanbin <xieyuanbin1@huawei.com>
-Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
-Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/arm/mm/alignment.c | 6 +++++-
- arch/arm/mm/fault.c | 39 ++++++++++++++++++++++++++-------------
- 2 files changed, 31 insertions(+), 14 deletions(-)
-
-diff --git a/arch/arm/mm/alignment.c b/arch/arm/mm/alignment.c
-index 3c6ddb1afdc463..812380f30ae36a 100644
---- a/arch/arm/mm/alignment.c
-+++ b/arch/arm/mm/alignment.c
-@@ -19,10 +19,11 @@
- #include <linux/init.h>
- #include <linux/sched/signal.h>
- #include <linux/uaccess.h>
-+#include <linux/unaligned.h>
-
- #include <asm/cp15.h>
- #include <asm/system_info.h>
--#include <linux/unaligned.h>
-+#include <asm/system_misc.h>
- #include <asm/opcodes.h>
-
- #include "fault.h"
-@@ -809,6 +810,9 @@ do_alignment(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
- int thumb2_32b = 0;
- int fault;
-
-+ if (addr >= TASK_SIZE && user_mode(regs))
-+ harden_branch_predictor();
-+
- if (interrupts_enabled(regs))
- local_irq_enable();
-
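Review bot: The added `if (addr >= TASK_SIZE && user_mode(regs)) harden_branch_predictor();` in do_alignment() has no comment, although it is only correct while it stays ahead of the `local_irq_enable()` just below it. The identical test added to do_sect_fault() later in this patch does have one. I would add the same here, e.g. `/* User mode touching a kernel address: harden the branch predictor before interrupts are enabled. */`. The condition now appears twice, and the check removed from __do_user_fault() used `>` rather than `>=`, so a shared static inline helper would keep the call sites from drifting (alignment.c already includes "fault.h"). do_alignment() continues outside this hunk.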
-diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c
-index 8768c70fd885bc..16b5a7d214808f 100644
---- a/arch/arm/mm/fault.c
-+++ b/arch/arm/mm/fault.c
-@@ -199,9 +199,6 @@ __do_user_fault(unsigned long addr, unsigned int fsr, unsigned int sig,
- {
- struct task_struct *tsk = current;
-
-- if (addr > TASK_SIZE)
-- harden_branch_predictor();
--
- #ifdef CONFIG_DEBUG_USER
- if (((user_debug & UDBG_SEGV) && (sig == SIGSEGV)) ||
- ((user_debug & UDBG_BUS) && (sig == SIGBUS))) {
-@@ -270,8 +267,10 @@ do_kernel_address_page_fault(struct mm_struct *mm, unsigned long addr,
- /*
- * Fault from user mode for a kernel space address. User mode
- * should not be faulting in kernel space, which includes the
-- * vector/khelper page. Send a SIGSEGV.
-+ * vector/khelper page. Handle the branch predictor hardening
-+ * while interrupts are still disabled, then send a SIGSEGV.
- */
-+ harden_branch_predictor();
- __do_user_fault(addr, fsr, SIGSEGV, SEGV_MAPERR, regs);
- } else {
- /*
-@@ -486,16 +485,20 @@ do_page_fault(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
- * We enter here because the first level page table doesn't contain
- * a valid entry for the address.
- *
-- * If the address is in kernel space (>= TASK_SIZE), then we are
-- * probably faulting in the vmalloc() area.
-+ * If this is a user address (addr < TASK_SIZE), we handle this as a
-+ * normal page fault. This leaves the remainder of the function to handle
-+ * kernel address translation faults.
- *
-- * If the init_task's first level page tables contains the relevant
-- * entry, we copy the it to this task. If not, we send the process
-- * a signal, fixup the exception, or oops the kernel.
-+ * Since user mode is not permitted to access kernel addresses, pass these
-+ * directly to do_kernel_address_page_fault() to handle.
- *
-- * NOTE! We MUST NOT take any locks for this case. We may be in an
-- * interrupt or a critical region, and should only copy the information
-- * from the master page table, nothing more.
-+ * Otherwise, we're probably faulting in the vmalloc() area, so try to fix
-+ * that up. Note that we must not take any locks or enable interrupts in
-+ * this case.
-+ *
-+ * If vmalloc() fixup fails, that means the non-leaf page tables did not
-+ * contain an entry for this address, so handle this via
-+ * do_kernel_address_page_fault().
- */
- #ifdef CONFIG_MMU
- static int __kprobes
-@@ -561,7 +564,8 @@ do_translation_fault(unsigned long addr, unsigned int fsr,
- return 0;
-
- bad_area:
-- do_bad_area(addr, fsr, regs);
-+ do_kernel_address_page_fault(current->mm, addr, fsr, regs);
-+
- return 0;
- }
- #else /* CONFIG_MMU */
-@@ -581,7 +585,16 @@ do_translation_fault(unsigned long addr, unsigned int fsr,
- static int
- do_sect_fault(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
- {
-+ /*
-+ * If this is a kernel address, but from user mode, then userspace
-+ * is trying bad stuff. Invoke the branch predictor handling.
-+ * Interrupts are disabled here.
-+ */
-+ if (addr >= TASK_SIZE && user_mode(regs))
-+ harden_branch_predictor();
-+
- do_bad_area(addr, fsr, regs);
-+
- return 0;
- }
- #endif /* CONFIG_ARM_LPAE */
---
-2.53.0
-
+++ /dev/null
-From 926b0d9847aa8d9515741af254b988ed3722f936 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 11 May 2026 15:53:56 +0200
-Subject: ARM: fix hash_name() fault
-
-From: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
-
-commit 7733bc7d299d682f2723dc38fc7f370b9bf973e9 upstream.
-
-Zizhi Wo reports:
-
-"During the execution of hash_name()->load_unaligned_zeropad(), a
- potential memory access beyond the PAGE boundary may occur. For
- example, when the filename length is near the PAGE_SIZE boundary.
- This triggers a page fault, which leads to a call to
- do_page_fault()->mmap_read_trylock(). If we can't acquire the lock,
- we have to fall back to the mmap_read_lock() path, which calls
- might_sleep(). This breaks RCU semantics because path lookup occurs
- under an RCU read-side critical section."
-
-This is seen with CONFIG_DEBUG_ATOMIC_SLEEP=y and CONFIG_KFENCE=y.
-
-Kernel addresses (with the exception of the vectors/kuser helper
-page) do not have VMAs associated with them. If the vectors/kuser
-helper page faults, then there are two possibilities:
-
-1. if the fault happened while in kernel mode, then we're basically
- dead, because the CPU won't be able to vector through this page
- to handle the fault.
-2. if the fault happened while in user mode, that means the page was
- protected from user access, and we want to fault anyway.
-
-Thus, we can handle kernel addresses from any context entirely
-separately without going anywhere near the mmap lock. This gives us
-an entirely non-sleeping path for all kernel mode kernel address
-faults.
-
-As we handle the kernel address faults before interrupts are enabled,
-this change has the side effect of improving the branch predictor
-hardening, but does not completely solve the issue.
-
-Reported-by: Zizhi Wo <wozizhi@huaweicloud.com>
-Reported-by: Xie Yuanbin <xieyuanbin1@huawei.com>
-Link: https://lore.kernel.org/r/20251126090505.3057219-1-wozizhi@huaweicloud.com
-Reviewed-by: Xie Yuanbin <xieyuanbin1@huawei.com>
-Tested-by: Xie Yuanbin <xieyuanbin1@huawei.com>
-Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
-Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/arm/mm/fault.c | 35 +++++++++++++++++++++++++++++++++++
- 1 file changed, 35 insertions(+)
-
-diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c
-index 1d052d3c767d96..8768c70fd885bc 100644
---- a/arch/arm/mm/fault.c
-+++ b/arch/arm/mm/fault.c
-@@ -262,6 +262,35 @@ static inline bool ttbr0_usermode_access_allowed(struct pt_regs *regs)
- }
- #endif
-
-+static int __kprobes
-+do_kernel_address_page_fault(struct mm_struct *mm, unsigned long addr,
-+ unsigned int fsr, struct pt_regs *regs)
-+{
-+ if (user_mode(regs)) {
-+ /*
-+ * Fault from user mode for a kernel space address. User mode
-+ * should not be faulting in kernel space, which includes the
-+ * vector/khelper page. Send a SIGSEGV.
-+ */
-+ __do_user_fault(addr, fsr, SIGSEGV, SEGV_MAPERR, regs);
-+ } else {
-+ /*
-+ * Fault from kernel mode. Enable interrupts if they were
-+ * enabled in the parent context. Section (upper page table)
-+ * translation faults are handled via do_translation_fault(),
-+ * so we will only get here for a non-present kernel space
-+ * PTE or PTE permission fault. This may happen in exceptional
-+ * circumstances and need the fixup tables to be walked.
-+ */
-+ if (interrupts_enabled(regs))
-+ local_irq_enable();
-+
-+ __do_kernel_fault(mm, addr, fsr, regs);
-+ }
-+
-+ return 0;
-+}
-+
- static int __kprobes
- do_page_fault(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
- {
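Review bot: do_kernel_address_page_fault() is added without a header comment, yet its calling contract is the substance of this fix. Going by the commit message and the call site added in do_page_fault(), it is entered before interrupts are re-enabled and must stay clear of the mmap lock. I would state that above the function, e.g. `/* Handle a fault on a kernel address (addr >= TASK_SIZE). Called before interrupts are re-enabled; must not take the mmap lock. */`. The function always returns 0, so the `int` return type only serves the `return do_kernel_address_page_fault(...)` form in the caller; the comment could say so.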
-@@ -275,6 +304,12 @@ do_page_fault(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
- if (kprobe_page_fault(regs, fsr))
- return 0;
-
-+ /*
-+ * Handle kernel addresses faults separately, which avoids touching
-+ * the mmap lock from contexts that are not able to sleep.
-+ */
-+ if (addr >= TASK_SIZE)
-+ return do_kernel_address_page_fault(mm, addr, fsr, regs);
-
- /* Enable interrupts if they were enabled in the parent context. */
- if (interrupts_enabled(regs))
---
-2.53.0
-
+++ /dev/null
-From d99ba41af61fbe7af8709d9ccc26f1c0c31a4ab4 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 11 May 2026 15:53:54 +0200
-Subject: ARM: group is_permission_fault() with is_translation_fault()
-
-From: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
-
-commit dea20281ac88226615761c570c8ff7adc18e6ac2 upstream.
-
-Group is_permission_fault() with is_translation_fault(), which is
-needed to use is_permission_fault() in __do_kernel_fault(). As
-this is static inline, there is no need for this to be under
-CONFIG_MMU.
-
-Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
-Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/arm/mm/fault.c | 26 +++++++++++++-------------
- 1 file changed, 13 insertions(+), 13 deletions(-)
-
-diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c
-index ab01b51de5590b..4dca7b75ae5e43 100644
---- a/arch/arm/mm/fault.c
-+++ b/arch/arm/mm/fault.c
-@@ -128,6 +128,19 @@ static inline bool is_translation_fault(unsigned int fsr)
- return false;
- }
-
-+static inline bool is_permission_fault(unsigned int fsr)
-+{
-+ int fs = fsr_fs(fsr);
-+#ifdef CONFIG_ARM_LPAE
-+ if ((fs & FS_MMU_NOLL_MASK) == FS_PERM_NOLL)
-+ return true;
-+#else
-+ if (fs == FS_L1_PERM || fs == FS_L2_PERM)
-+ return true;
-+#endif
-+ return false;
-+}
-+
- static void die_kernel_fault(const char *msg, struct mm_struct *mm,
- unsigned long addr, unsigned int fsr,
- struct pt_regs *regs)
-@@ -226,19 +239,6 @@ void do_bad_area(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
- }
-
- #ifdef CONFIG_MMU
--static inline bool is_permission_fault(unsigned int fsr)
--{
-- int fs = fsr_fs(fsr);
--#ifdef CONFIG_ARM_LPAE
-- if ((fs & FS_MMU_NOLL_MASK) == FS_PERM_NOLL)
-- return true;
--#else
-- if (fs == FS_L1_PERM || fs == FS_L2_PERM)
-- return true;
--#endif
-- return false;
--}
--
- #ifdef CONFIG_CPU_TTBR0_PAN
- static inline bool ttbr0_usermode_access_allowed(struct pt_regs *regs)
- {
---
-2.53.0
-
+++ /dev/null
-From 8d4ccdc3a532a9a74ef0eba9c36c455b3417e6b3 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sun, 26 Apr 2026 01:26:43 +0000
-Subject: bpf: Free reuseport cBPF prog after RCU grace period.
-
-From: Kuniyuki Iwashima <kuniyu@google.com>
-
-[ Upstream commit 18fc650ccd7fe3376eca89203668cfb8268f60df ]
-
-Eulgyu Kim reported the splat below with a repro. [0]
-
-The repro sets up a UDP reuseport group with a cBPF prog and
-replaces it with a new one while another thread is sending
-a UDP packet to the group.
-
-The reuseport prog is freed by sk_reuseport_prog_free().
-bpf_prog_put() is called for "e"BPF prog to destruct through
-multiple stages while cBPF prog is freed immediately by
-bpf_release_orig_filter() and bpf_prog_free().
-
-If a reuseport prog is detached from the setsockopt() path
-(reuseport_attach_prog() or reuseport_detach_prog()),
-sk_reuseport_prog_free() is called without waiting for RCU
-readers to complete, resulting in various bugs.
-
-Let's defer freeing the reuseport cBPF prog after one RCU
-grace period.
-
-Note "e"BPF prog is safe as is unless the fast path starts
-to touch fields destroyed in bpf_prog_put_deferred() and
-__bpf_prog_put_noref().
-
-[0]:
-BUG: KASAN: vmalloc-out-of-bounds in reuseport_select_sock+0xedc/0x1220 net/core/sock_reuseport.c:596
-Read of size 4 at addr ffffc9000051e004 by task slowme/10208
-CPU: 6 UID: 1000 PID: 10208 Comm: slowme Not tainted 7.0.0-geb7ac95ff75e #32 PREEMPT(full)
-Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
-Call Trace:
- <IRQ>
- dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
- print_address_description mm/kasan/report.c:378 [inline]
- print_report+0xca/0x240 mm/kasan/report.c:482
- kasan_report+0x118/0x150 mm/kasan/report.c:595
- reuseport_select_sock+0xedc/0x1220 net/core/sock_reuseport.c:596
- udp4_lib_lookup2+0x3bc/0x950 net/ipv4/udp.c:495
- __udp4_lib_lookup+0x768/0xe20 net/ipv4/udp.c:723
- __udp4_lib_lookup_skb+0x297/0x390 net/ipv4/udp.c:752
- __udp4_lib_rcv+0x1312/0x2620 net/ipv4/udp.c:2752
- ip_protocol_deliver_rcu+0x282/0x440 net/ipv4/ip_input.c:207
- ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:241
- NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318
- NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318
- __netif_receive_skb_one_core net/core/dev.c:6181 [inline]
- __netif_receive_skb net/core/dev.c:6294 [inline]
- process_backlog+0xaa4/0x1960 net/core/dev.c:6645
- __napi_poll+0xae/0x340 net/core/dev.c:7709
- napi_poll net/core/dev.c:7772 [inline]
- net_rx_action+0x5d7/0xf50 net/core/dev.c:7929
- handle_softirqs+0x22b/0x870 kernel/softirq.c:622
- do_softirq+0x76/0xd0 kernel/softirq.c:523
- </IRQ>
- <TASK>
- __local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450
- local_bh_enable include/linux/bottom_half.h:33 [inline]
- rcu_read_unlock_bh include/linux/rcupdate.h:924 [inline]
- __dev_queue_xmit+0x1dd7/0x3710 net/core/dev.c:4890
- neigh_output include/net/neighbour.h:556 [inline]
- ip_finish_output2+0xca9/0x1070 net/ipv4/ip_output.c:237
- NF_HOOK_COND include/linux/netfilter.h:307 [inline]
- ip_output+0x29f/0x450 net/ipv4/ip_output.c:438
- ip_send_skb+0x45/0xc0 net/ipv4/ip_output.c:1508
- udp_send_skb+0xb04/0x1510 net/ipv4/udp.c:1195
- udp_sendmsg+0x1a71/0x2350 net/ipv4/udp.c:1485
- sock_sendmsg_nosec net/socket.c:727 [inline]
- __sock_sendmsg net/socket.c:742 [inline]
- __sys_sendto+0x554/0x680 net/socket.c:2206
- __do_sys_sendto net/socket.c:2213 [inline]
- __se_sys_sendto net/socket.c:2209 [inline]
- __x64_sys_sendto+0xde/0x100 net/socket.c:2209
- do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
- do_syscall_64+0x160/0xf80 arch/x86/entry/syscall_64.c:94
- entry_SYSCALL_64_after_hwframe+0x77/0x7f
-RIP: 0033:0x415a2d
-Code: b3 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
-RSP: 002b:00007f6bc31e41e8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
-RAX: ffffffffffffffda RBX: 00007f6bc31e4cdc RCX: 0000000000415a2d
-RDX: 0000000000000001 RSI: 00007f6bc31e421f RDI: 0000000000000003
-RBP: 00007f6bc31e4240 R08: 00007f6bc31e4220 R09: 0000000000000010
-R10: 0000000000000000 R11: 0000000000000212 R12: 00007f6bc31e46c0
-R13: ffffffffffffffb8 R14: 0000000000000000 R15: 00007ffc9b0d70b0
- </TASK>
-
-Fixes: 538950a1b752 ("soreuseport: setsockopt SO_ATTACH_REUSEPORT_[CE]BPF")
-Reported-by: Eulgyu Kim <eulgyukim@snu.ac.kr>
-Reported-by: Taeyang Lee <0wn@theori.io>
-Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
-Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
-Acked-by: Daniel Borkmann <daniel@iogearbox.net>
-Link: https://lore.kernel.org/bpf/20260426012647.3233119-1-kuniyu@google.com
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/core/filter.c | 15 ++++++++++++---
- 1 file changed, 12 insertions(+), 3 deletions(-)
-
-diff --git a/net/core/filter.c b/net/core/filter.c
-index 193ecaa7425ea2..3d71a59072533d 100644
---- a/net/core/filter.c
-+++ b/net/core/filter.c
-@@ -1651,15 +1651,24 @@ int sk_reuseport_attach_bpf(u32 ufd, struct sock *sk)
- return err;
- }
-
-+static void sk_reuseport_prog_free_rcu(struct rcu_head *rcu)
-+{
-+ struct bpf_prog_aux *aux = container_of(rcu, struct bpf_prog_aux, rcu);
-+ struct bpf_prog *prog = aux->prog;
-+
-+ bpf_release_orig_filter(prog);
-+ bpf_prog_free(prog);
-+}
-+
- void sk_reuseport_prog_free(struct bpf_prog *prog)
- {
- if (!prog)
- return;
-
-- if (prog->type == BPF_PROG_TYPE_SK_REUSEPORT)
-- bpf_prog_put(prog);
-+ if (bpf_prog_was_classic(prog))
-+ call_rcu(&prog->aux->rcu, sk_reuseport_prog_free_rcu);
- else
-- bpf_prog_destroy(prog);
-+ bpf_prog_put(prog);
- }
-
- struct bpf_scratchpad {
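Review bot: Nothing in the new code says why the classic branch of sk_reuseport_prog_free() goes through `call_rcu()`; the reason is only in the commit message. The failure it prevents is freeing a prog that RCU readers may still be running, which is the invalid read KASAN reports in reuseport_select_sock(). I would add a comment above the branch such as `/* cBPF progs are freed directly, so wait for RCU readers that may still run the old prog. */`. A short note on sk_reuseport_prog_free_rcu() that it borrows `prog->aux->rcu` would also help; whether any other path can queue that rcu_head for a classic prog is not visible in this hunk.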
---
-2.53.0
-
+++ /dev/null
-From 5b4e8d854b6d27bd7353caf435de8c0972ef82a4 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 28 Apr 2026 15:41:01 +0200
-Subject: net: phy: micrel: fix LAN8814 QSGMII soft reset
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Robert Marko <robert.marko@sartura.hr>
-
-[ Upstream commit e027c218c482c6a0ae1948129ccda3b0a2033368 ]
-
-LAN8814 QSGMII soft reset was moved into the probe function to avoid
-triggering it for each of 4 PHY-s in the package.
-
-However, that broke QSGMII link between the MAC and PHY on most LAN8814
-PHY-s, specificaly for us on the Microchip LAN969x switch.
-Reading the QSGMII status registers it was visible that lanes were only
-partially synced.
-
-It looks like the reset timing is crucial, so lets move the reset back
-into the .config_init function but guard it with phy_package_init_once()
-to avoid it being triggered on each of 4 PHY-s in the package.
-Change the probe function to use phy_package_probe_once() for coma and PtP
-setup.
-
-Fixes: 347bf638d39f ("net: phy: micrel: lan8814 fix reset of the QSGMII interface")
-Signed-off-by: Robert Marko <robert.marko@sartura.hr>
-Link: https://patch.msgid.link/20260428134138.1741253-1-robert.marko@sartura.hr
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Signed-off-by: Joël Esponde <joel.esponde@leroy-agon.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/net/phy/micrel.c | 15 ++++++++-------
- 1 file changed, 8 insertions(+), 7 deletions(-)
-
-diff --git a/drivers/net/phy/micrel.c b/drivers/net/phy/micrel.c
-index f0c068075322f9..2dca6e8a5fce5c 100644
---- a/drivers/net/phy/micrel.c
-+++ b/drivers/net/phy/micrel.c
-@@ -4093,6 +4093,13 @@ static int lan8814_config_init(struct phy_device *phydev)
- {
- struct kszphy_priv *lan8814 = phydev->priv;
-
-+ if (phy_package_init_once(phydev))
-+ /* Reset the PHY */
-+ lanphy_modify_page_reg(phydev, LAN8814_PAGE_COMMON_REGS,
-+ LAN8814_QSGMII_SOFT_RESET,
-+ LAN8814_QSGMII_SOFT_RESET_BIT,
-+ LAN8814_QSGMII_SOFT_RESET_BIT);
-+
- /* Disable ANEG with QSGMII PCS Host side */
- lanphy_modify_page_reg(phydev, LAN8814_PAGE_PORT_REGS,
- LAN8814_QSGMII_PCS1G_ANEG_CONFIG,
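Review bot: The new `if (phy_package_init_once(phydev))` in lan8814_config_init() has a body made of a comment plus a four-line call, but no braces. The block it was moved from in lan8814_probe() was braced, and kernel style asks for braces once the body spans more than one line, so I would write `if (phy_package_init_once(phydev)) {` with a closing `}` after the call. The result of the reset write is also discarded, as it was in the moved code. If lanphy_modify_page_reg() reports errors (not visible here), the function could return that error instead of continuing with a PHY that was not reset. The function body continues outside this hunk.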
-@@ -4177,13 +4184,7 @@ static int lan8814_probe(struct phy_device *phydev)
- devm_phy_package_join(&phydev->mdio.dev, phydev,
- addr, sizeof(struct lan8814_shared_priv));
-
-- if (phy_package_init_once(phydev)) {
-- /* Reset the PHY */
-- lanphy_modify_page_reg(phydev, LAN8814_PAGE_COMMON_REGS,
-- LAN8814_QSGMII_SOFT_RESET,
-- LAN8814_QSGMII_SOFT_RESET_BIT,
-- LAN8814_QSGMII_SOFT_RESET_BIT);
--
-+ if (phy_package_probe_once(phydev)) {
- err = lan8814_release_coma_mode(phydev);
- if (err)
- return err;
---
-2.53.0
-
+++ /dev/null
-bpf-free-reuseport-cbpf-prog-after-rcu-grace-period.patch
-usb-serial-mct_u232-fix-memory-corruption-with-small.patch
-arm-group-is_permission_fault-with-is_translation_fa.patch
-arm-allow-__do_kernel_fault-to-report-execution-of-m.patch
-arm-fix-hash_name-fault.patch
-arm-fix-branch-predictor-hardening.patch
-net-phy-micrel-fix-lan8814-qsgmii-soft-reset.patch
-wifi-remove-zero-length-arrays.patch
+++ /dev/null
-From 8d0fd8b9a42dd7c07484915459a5efe6e3f1ab2b Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 4 Jun 2026 14:11:33 +0200
-Subject: USB: serial: mct_u232: fix memory corruption with small endpoint
-
-From: Johan Hovold <johan@kernel.org>
-
-commit 915b36d701950503c4ea0f6e314b10868e59fce3 upstream.
-
-The driver overrides the maximum transfer size for a specific device
-which only accepts 16 byte packets for its 32 byte bulk-out endpoint.
-
-Make sure to never increase the maximum transfer size to prevent slab
-corruption should a malicious device report a smaller endpoint max
-packet size than expected.
-
-Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
-Cc: stable@vger.kernel.org
-Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Johan Hovold <johan@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/usb/serial/mct_u232.c | 21 +++++++++++----------
- 1 file changed, 11 insertions(+), 10 deletions(-)
-
-diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c
-index d225d7c1455f4f..33d4bbc461be6a 100644
---- a/drivers/usb/serial/mct_u232.c
-+++ b/drivers/usb/serial/mct_u232.c
-@@ -378,6 +378,7 @@ static int mct_u232_port_probe(struct usb_serial_port *port)
- {
- struct usb_serial *serial = port->serial;
- struct mct_u232_private *priv;
-+ u16 pid;
-
- /* check first to simplify error handling */
- if (!serial->port[1] || !serial->port[1]->interrupt_in_urb) {
-@@ -385,6 +386,16 @@ static int mct_u232_port_probe(struct usb_serial_port *port)
- return -ENODEV;
- }
-
-+ /*
-+ * Compensate for a hardware bug: although the Sitecom U232-P25
-+ * device reports a maximum output packet size of 32 bytes,
-+ * it seems to be able to accept only 16 bytes (and that's what
-+ * SniffUSB says too...)
-+ */
-+ pid = le16_to_cpu(serial->dev->descriptor.idProduct);
-+ if (pid == MCT_U232_SITECOM_PID)
-+ port->bulk_out_size = min(16, port->bulk_out_size);
-+
- priv = kzalloc(sizeof(*priv), GFP_KERNEL);
- if (!priv)
- return -ENOMEM;
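Review bot: The comment moved into mct_u232_port_probe() still describes only the Sitecom hardware quirk and does not explain why `min()` replaces the old plain assignment, which is the security-relevant part of the change. Per the commit message, the size must never be raised above what the device reported, otherwise a device advertising a smaller endpoint can cause slab corruption. I would append a sentence to the comment such as `Only ever shrink the size: never raise it above what the endpoint reported.` so that a later cleanup does not turn this back into `= 16`. A named constant for the literal 16 would make the quirk easier to find. The function continues outside this hunk.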
-@@ -410,7 +421,6 @@ static void mct_u232_port_remove(struct usb_serial_port *port)
-
- static int mct_u232_open(struct tty_struct *tty, struct usb_serial_port *port)
- {
-- struct usb_serial *serial = port->serial;
- struct mct_u232_private *priv = usb_get_serial_port_data(port);
- int retval = 0;
- unsigned int control_state;
-@@ -418,15 +428,6 @@ static int mct_u232_open(struct tty_struct *tty, struct usb_serial_port *port)
- unsigned char last_lcr;
- unsigned char last_msr;
-
-- /* Compensate for a hardware bug: although the Sitecom U232-P25
-- * device reports a maximum output packet size of 32 bytes,
-- * it seems to be able to accept only 16 bytes (and that's what
-- * SniffUSB says too...)
-- */
-- if (le16_to_cpu(serial->dev->descriptor.idProduct)
-- == MCT_U232_SITECOM_PID)
-- port->bulk_out_size = 16;
--
- /* Do a defined restart: the normal serial device seems to
- * always turn on DTR and RTS here, so do the same. I'm not
- * sure if this is really necessary. But it should not harm
---
-2.53.0
-
+++ /dev/null
-From 9624cc1827c137d1d56189e8662b15d37d4a710d Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 8 Jun 2026 13:32:16 +0000
-Subject: wifi: remove zero-length arrays
-
-From: Johannes Berg <johannes.berg@intel.com>
-
-commit a85b8544d46390469b6ca72d6bfd3ecb7be985ff upstream.
-
-All of these are really meant to be variable-length, and
-in the case of s1g_beacon it's actually accessed. Make that
-one in particular, and a couple of others (that aren't used
-as arrays now), actually variable.
-
-Reported-by: syzbot+fd222bb38e916df26fa4@syzkaller.appspotmail.com
-Fixes: 1e1f706fc2ce ("wifi: cfg80211/mac80211: correctly parse S1G beacon optional elements")
-Link: https://patch.msgid.link/20250614003037.a3e82e882251.I2e8b58e56ff2a9f8b06c66f036578b7c1d4e4685@changeid
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-Signed-off-by: Carlos Llamas <cmllamas@google.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- include/linux/ieee80211.h | 18 +++++++++---------
- 1 file changed, 9 insertions(+), 9 deletions(-)
-
-diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h
-index abb069aa5fa54f..85bf3ac6db570b 100644
---- a/include/linux/ieee80211.h
-+++ b/include/linux/ieee80211.h
-@@ -1266,7 +1266,7 @@ struct ieee80211_ext {
- u8 sa[ETH_ALEN];
- __le32 timestamp;
- u8 change_seq;
-- u8 variable[0];
-+ u8 variable[];
- } __packed s1g_beacon;
- } u;
- } __packed __aligned(2);
-@@ -1522,7 +1522,7 @@ struct ieee80211_mgmt {
- u8 action_code;
- u8 dialog_token;
- __le16 capability;
-- u8 variable[0];
-+ u8 variable[];
- } __packed tdls_discover_resp;
- struct {
- u8 action_code;
-@@ -1690,35 +1690,35 @@ struct ieee80211_tdls_data {
- struct {
- u8 dialog_token;
- __le16 capability;
-- u8 variable[0];
-+ u8 variable[];
- } __packed setup_req;
- struct {
- __le16 status_code;
- u8 dialog_token;
- __le16 capability;
-- u8 variable[0];
-+ u8 variable[];
- } __packed setup_resp;
- struct {
- __le16 status_code;
- u8 dialog_token;
-- u8 variable[0];
-+ u8 variable[];
- } __packed setup_cfm;
- struct {
- __le16 reason_code;
-- u8 variable[0];
-+ u8 variable[];
- } __packed teardown;
- struct {
- u8 dialog_token;
-- u8 variable[0];
-+ u8 variable[];
- } __packed discover_req;
- struct {
- u8 target_channel;
- u8 oper_class;
-- u8 variable[0];
-+ u8 variable[];
- } __packed chan_switch_req;
- struct {
- __le16 status_code;
-- u8 variable[0];
-+ u8 variable[];
- } __packed chan_switch_resp;
- } u;
- } __packed;
---
-2.53.0
-