summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2026-05-14phy: lynx-28g: probe on per-SoC and per-instance compatible stringsVladimir Oltean
Add driver support for probing on the new, per-instance and per-SoC bindings, which provide the main benefit that they allow rejecting unsupported protocols per lane (10GbE on SerDes 2 lanes 0-5), but they also allow avoiding the creation of PHYs for lanes that don't exist (LX2162A lanes 0-3). For old device trees with just "fsl,lynx-28g", the only things that change are: - a probe time warning/encouragement to update the device tree. This is warranted by the fact that using "fsl,lynx-28g" may already provide incorrect behaviour (undetected absent 10GbE support on LX2160A SerDes 2 lanes 0-5). But we retain bug compatibility nonetheless. - the feature set is frozen in time (e.g. no 25GbE). Since we cannot guarantee that this protocol will work on a lane, just err on the safe side and don't offer it (and require a device tree update to get it). In terms of code, the lynx_28g_supports_lane_mode() function prototype changes. It was a SerDes-global function and now becomes per lane, to reflect the specific capabilities each instance may have. The implementation goes through priv->info->lane_supports_mode(). Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com> Reviewed-by: Ioana Ciornei <ioana.ciornei@nxp.com> Tested-by: Josua Mayer <josua@solid-run.com> Link: https://patch.msgid.link/20260511150023.1903577-5-vladimir.oltean@nxp.com Signed-off-by: Vinod Koul <vkoul@kernel.org>
2026-05-14phy: lynx-28g: require an OF node to probeVladimir Oltean
The driver will gain support for variants in an upcoming change, and will use of_device_get_match_data() to deduce the running variant from the compatible string. Currently, the driver expects the schema at phy/fsl,lynx-28g.yaml, and OF-based consumers, but doesn't enforce this. And it is possible for user space to force-bind the driver to a device without OF node using the driver_override sysfs. To avoid future surprise crashes for an unsupported configuration, explicitly test for the presence of an OF node and fail probing if found. Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com> Reviewed-by: Ioana Ciornei <ioana.ciornei@nxp.com> Tested-by: Josua Mayer <josua@solid-run.com> Link: https://patch.msgid.link/20260511150023.1903577-4-vladimir.oltean@nxp.com Signed-off-by: Vinod Koul <vkoul@kernel.org>
2026-05-14dt-bindings: phy: lynx-28g: add constraint on LX2162A lane indicesVladimir Oltean
The SerDes 1 of LX2162A has fewer lanes than all other instances, and strangely, their indices are not 0-3, but 4-7. This is a best-effort constraint, since we can only impose it when using per-SoC compatible string and per-lane OF nodes. Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com> Acked-by: Conor Dooley <conor.dooley@microchip.com> Tested-by: Josua Mayer <josua@solid-run.com> Link: https://patch.msgid.link/20260511150023.1903577-3-vladimir.oltean@nxp.com Signed-off-by: Vinod Koul <vkoul@kernel.org>
2026-05-14dt-bindings: phy: lynx-28g: add compatible strings per SerDes and instantiationVladimir Oltean
The 28G Lynx SerDes is instantiated 3 times in the NXP LX2160A SoC and twice in the NXP LX2162A. All these instances share the same register map, but the number of lanes and the protocols supported by each lane differs in a way that isn't detectable by the programming model. For example, not all lanes of all SerDes block instantiations support 25GbE. So, using a generic "fsl,lynx-28g" compatible string and expecting all SerDes instantiations to use it was a mistake that needs to be fixed. The option chosen is to encode the SoC and the SerDes instance in the compatible string, with everything else being the responsibility of the driver to derive. An alternative considered but dismissed was to add sufficient device tree properties to describe the per-lane differences (implying: supported protocols), as well as the different lane count. Any decision made for the 28G Lynx should be consistent with the decisions taken for the yet-to-be-introduced 10G Lynx SerDes (older generation for older SoCs), because of how similar they are. I've seen the alternative at play in this unmerged patch set for the 10G Lynx here, and I didn't like it: https://lore.kernel.org/linux-phy/20230413160607.4128315-3-sean.anderson@seco.com/ This is because there, we have a higher degree of variability in the PCCR register values that need to be written per protocol. This makes that approach more drawn-out and more prone to errors, compared to the compatible strings which are more succinct and obviously correct. NXP SoC reference manuals clearly document the SerDes instantiations as not identical, and refers to them as such (SerDes 1, 2, etc). The per-SoC compatible string is prepended to the "fsl,lynx-28g" generic compatible, which is left there for compatibility with old kernels. An exception would be LX2160A SerDes #3, which at the time of writing is not described in fsl-lx2160a.dtsi. As "fsl,lx2160a-serdes3" implies it is a 28G Lynx SerDes, it makes "fsl,lynx-28g" redundant so we don't accept it. Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com> Reviewed-by: Rob Herring (Arm) <robh@kernel.org> Tested-by: Josua Mayer <josua@solid-run.com> Link: https://patch.msgid.link/20260511150023.1903577-2-vladimir.oltean@nxp.com Signed-off-by: Vinod Koul <vkoul@kernel.org>
2026-05-14drm/xe/gt_idle: Use NSEC_PER_MSEC instead of float literalShuicheng Lin
The residency multiplier conversion in get_residency_ms() used the floating-point literal 1e6 as the divisor of mul_u64_u32_div(). While the compiler constant-folds this to an integer, using float literals in kernel code is bad practice since the kernel generally avoids floating-point operations. Replace 1e6 with the standard NSEC_PER_MSEC macro from <linux/time64.h>, which is both self-documenting (ns to ms conversion) and unambiguously integer. Add the corresponding include rather than relying on transitive inclusion. No functional change. Assisted-by: Claude:claude-opus-4.6 Reviewed-by: Nitin Gote <nitin.r.gote@intel.com> Link: https://patch.msgid.link/20260511153307.223435-1-shuicheng.lin@intel.com Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>
2026-05-14drm/xe/gsc: Fix double-free of managed BO in error pathShuicheng Lin
The error path in xe_gsc_init_post_hwconfig() explicitly frees a BO allocated with xe_managed_bo_create_pin_map() via xe_bo_unpin_map_no_vm(). Since the managed BO already has a devm cleanup action registered, this causes a double-free when devm unwinds during probe failure. Remove the explicit free and let devm handle it, consistent with all other xe_managed_bo_create_pin_map() callers. Fixes: 2e5d47fe7839 ("drm/xe/uc: Use managed bo for HuC and GSC objects") Reviewed-by: Daniele Ceraolo Spurio <daniele.ceraolospurio@intel.com> Assisted-by: Claude:claude-opus-4.6 Link: https://patch.msgid.link/20260511154134.223696-1-shuicheng.lin@intel.com Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>
2026-05-14bpf: Use array_map_meta_equal for percpu array inner map replacementGuannan Wang
percpu_array_map_ops.map_meta_equal points to the generic bpf_map_meta_equal(), which does not compare max_entries. When a percpu array serves as an inner map, replacing it with one that has fewer max_entries bypasses the check. Since percpu_array_map_gen_lookup() inlines the original template's index_mask as a JIT immediate, a lookup on the replacement map can access pptrs[] out of bounds. Point percpu_array_map_ops.map_meta_equal to array_map_meta_equal(), which already enforces the max_entries equality check. Add a selftest to verify that replacing a percpu array inner map with a differently-sized one is rejected. Fixes: db69718b8efa ("bpf: inline bpf_map_lookup_elem() for PERCPU_ARRAY maps") Signed-off-by: Guannan Wang <wgnbuaa@gmail.com> Acked-by: Mykyta Yatsenko <yatsenko@meta.com> Link: https://lore.kernel.org/r/20260514074454.77491-1-wgnbuaa@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-05-14soundwire: intel: Move suspend tracking from trigger to pm suspendPeter Ujfalusi
Mark all open DAI runtimes as suspended in the component .suspend callback instead of relying on SNDRV_PCM_TRIGGER_SUSPEND, which is not delivered during PAUSE or xrun states. If during system suspend a dai is open it means that it is in either in SUSPENDED, PAUSED or STOPPED (due to xrun) state and they will need to be re-initialized during resume (which is done in .prepare callback). Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com> Signed-off-by: Bard Liao <yung-chuan.liao@linux.intel.com> Link: https://patch.msgid.link/20260508101755.1247039-1-yung-chuan.liao@linux.intel.com Signed-off-by: Vinod Koul <vkoul@kernel.org>
2026-05-14soundwire: intel_auxdevice: Add es9356 to wake_capable_listZhang Yi
Add es9356 to the wake_capable_list because it can generate jack events whilst the bus is stopped Signed-off-by: Zhang Yi <zhangyi@everest-semi.com> Link: https://patch.msgid.link/20260514075206.3483-7-zhangyi@everest-semi.com Signed-off-by: Vinod Koul <vkoul@kernel.org>
2026-05-14cifs: client: stage smb3_reconfigure() updates and restore ctx on failureDaeMyung Kang
smb3_reconfigure() moves strings out of cifs_sb->ctx before the multichannel update, so a later failure can leave the live context with NULL strings or options that do not match the session. Stage the new ctx separately, commit it only on success, and restore the snapshot on failure. Also make smb3_sync_session_ctx_passwords() all-or-nothing. Commit session passwords before channel updates so newly added channels authenticate with the staged credentials. Fixes: ef529f655a2c ("cifs: client: allow changing multichannel mount options on remount") Reported-by: RAJASI MANDAL <rajasimandalos@gmail.com> Closes: https://lore.kernel.org/lkml/CAEY6_V1+dzW3OD5zqXhsWyXwrDTrg5tAMGZ1AJ7_GAuRE+aevA@mail.gmail.com/ Link: https://lore.kernel.org/lkml/xkr2dlvgibq5j6gkcxd3yhhnj4atgxw2uy4eug2pxm7wy7nbms@iq6cf5taa65v/ Reviewed-by: Henrique Carvalho <henrique.carvalho@suse.com> Signed-off-by: DaeMyung Kang <charsyam@gmail.com> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-05-14nvme-apple: Reset q->sq_tail during queue initNick Chan
Fixes a "duplicate tag error for tag 0" firmware crash during controller reset while setting up a queue on Apple A11 / T8015 caused by stale entries in the submission queue due to an invalid sq_tail offset after reset. Fixes: 04d8ecf37b5e ("nvme: apple: Add Apple A11 support") Cc: stable@vger.kernel.org Suggested-by: Yuriy Havrylyuk <yhavry@gmail.com> Reviewed-by: Sven Peter <sven@kernel.org> Signed-off-by: Nick Chan <towinchenmi@gmail.com> Signed-off-by: Keith Busch <kbusch@kernel.org>
2026-05-14smb/client: fix possible infinite loop and oob read in symlink_data()Ye Bin
On 32-bit architectures, the infinite loop is as follows: len = p->ErrorDataLength == 0xfffffff8 u8 *next = p->ErrorContextData + len next == p On 32-bit architectures, the out-of-bounds read is as follows: len = p->ErrorDataLength == 0xfffffff0 u8 *next = p->ErrorContextData + len next == (u8 *)p - 8 Reported-by: ChenXiaoSong <chenxiaosong@kylinos.cn> Fixes: 76894f3e2f71 ("cifs: improve symlink handling for smb2+") Cc: stable@vger.kernel.org Signed-off-by: Ye Bin <yebin10@huawei.com> Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-05-14ovpn: fix race between deleting interface and adding new peerAntonio Quartulli
While deleting an existing ovpn interface, there is a very narrow window where adding a new peer via netlink may cause the netdevice to hang and prevent its unregistration. It may happen during ovpn_dellink(), when all existing peers are freed and the device is queued for deregistration, but a CMD_PEER_NEW message comes in adding a new peer that takes again a reference to the netdev. At this point there is no way to release the device because we are under the assumption that all peers were already released. Fix the race condition by releasing all peers in ndo_uninit(), when the netdevice has already been removed from the netdev list. Also ovpn_peer_add() has now an extra check that forces the function to bail out if the device reg_state is not REGISTERED. This way any incoming CMD_PEER_NEW racing with the interface deletion routine will simply stop before adding the peer. Note that the above check happens while holding the netdev_lock to prevent racing netdev state changes. ovpn_dellink() is now empty and can be removed. Reported-by: Hyunwoo Kim <imv4bel@gmail.com> Closes: https://lore.kernel.org/netdev/aaVgJ16edTfQkYbx@v4bel/ Suggested-by: Sabrina Dubroca <sd@queasysnail.net> Fixes: 80747caef33d ("ovpn: introduce the ovpn_peer object") Reviewed-by: Sabrina Dubroca <sd@queasysnail.net> Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2026-05-14ovpn: respect peer refcount in CMD_NEW_PEER error pathDavid Carlier
ovpn_nl_peer_new_doit()'s error path calls ovpn_peer_release() directly rather than ovpn_peer_put(), bypassing the kref. The accompanying comment ("peer was not yet hashed, thus it is not used in any context") holds for UDP but not for TCP. For UDP, the ovpn_socket union uses the .ovpn arm and never points back at a peer; UDP encap_recv looks up peers via the not-yet-populated hashtables, so the new peer is unreachable until ovpn_peer_add() publishes it. For TCP, ovpn_socket_new() sets ovpn_sock->peer and ovpn_tcp_socket_attach() publishes ovpn_sock via rcu_assign_sk_user_data(). From that moment until ovpn_socket_release() detaches in the error path, the TCP fd is fully wired: userspace recvmsg / sendmsg / close / poll on the fd, as well as the strparser-driven ovpn_tcp_rcv() path, can reach the peer through sk_user_data -> ovpn_sock->peer and bump its refcount via ovpn_peer_hold(). ovpn_tcp_socket_wait_finish() (called inside ovpn_socket_release()) drains strparser and the tx work, but does not synchronize with userspace syscall callers that already hold a peer reference. If ovpn_nl_peer_modify() or ovpn_peer_add() returns an error while such a caller is in flight - notably an ovpn_tcp_recvmsg() blocked in __skb_recv_datagram() on peer->tcp.user_queue - the direct ovpn_peer_release() destroys the peer while the caller still holds the reference, and the eventual ovpn_peer_put() from that caller operates on freed memory. Replace the direct destructor call with ovpn_peer_put() so the kref correctly defers destruction until the last reference is dropped. In the common case where no concurrent user is present, behaviour is unchanged: the kref hits zero immediately and ovpn_peer_release_kref() runs the same destructor. With this conversion ovpn_peer_release() has no callers outside peer.c - ovpn_peer_release_kref() in the same translation unit is the only remaining user - so make it static and drop its declaration from peer.h. Fixes: 11851cbd60ea ("ovpn: implement TCP transport") Reviewed-by: Sabrina Dubroca <sd@queasysnail.net> Assisted-by: Claude:claude-opus-4-7 Signed-off-by: David Carlier <devnexen@gmail.com> Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2026-05-14ovpn: tcp - use cached peer pointer in ovpn_tcp_close()David Carlier
ovpn_tcp_close() loads the ovpn_socket via rcu_dereference_sk_user_data() under rcu_read_lock(), takes a reference on sock->peer, caches the peer pointer in a local, and drops the read lock. It then passes sock->peer (rather than the cached local) to ovpn_peer_del(), re-dereferencing the ovpn_socket after the RCU read section has ended. Unlike ovpn_tcp_sendmsg(), which uses the same "load under RCU, use after unlock" pattern but is protected by lock_sock() held across the function, ovpn_tcp_close() runs without the socket lock: inet_release() invokes sk_prot->close() without taking lock_sock first. ovpn_socket_release() can therefore complete its kref_put -> detach -> synchronize_rcu -> kfree(sock) sequence concurrently, in the window after ovpn_tcp_close() drops rcu_read_lock() but before it dereferences sock->peer. The synchronize_rcu() in ovpn_socket_release() protects readers that use the dereferenced pointer inside the RCU read section, not those that escape the pointer to a local and use it afterwards. A reproducer follows the pattern of commit 94560267d6c4 ("ovpn: tcp - don't deref NULL sk_socket member after tcp_close()"): trigger a peer removal (keepalive expiration or netlink OVPN_CMD_DEL_PEER) at the same moment userspace closes the TCP fd. That commit fixed the detach-side of the same race window; this one fixes the close-side at a different victim. Tighten the entry block to read sock->peer exactly once into the cached peer local, and route all subsequent uses (the hold check, the ovpn_peer_del() call, and the prot->close() invocation) through that local. sock->peer is only ever written once in ovpn_socket_new() under lock_sock(), before rcu_assign_sk_user_data() publishes the ovpn_socket, and is never reassigned afterwards - but the previous multi-read pattern made that invariant implicit rather than explicit. The same multi-read shape exists in ovpn_tcp_recvmsg(), ovpn_tcp_sendmsg(), ovpn_tcp_data_ready() and ovpn_tcp_write_space(); those will be cleaned up via a dedicated helper in a follow-up net-next series. Fixes: 11851cbd60ea ("ovpn: implement TCP transport") Reviewed-by: Sabrina Dubroca <sd@queasysnail.net> Assisted-by: Claude:claude-opus-4-7 Signed-off-by: David Carlier <devnexen@gmail.com> Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2026-05-14selftests: ovpn: reduce remaining ping flood countsRalf Lici
Commit 201ba706318d ("selftests: ovpn: reduce ping count in test.sh") lowered the baseline traffic flood ping count to avoid flakes on slower CI instances, however some instances were left out. Apply the same limit to the remaining ovpn selftest flood pings that still request 500 packets. Fixes: 201ba706318d ("selftests: ovpn: reduce ping count in test.sh") Signed-off-by: Ralf Lici <ralf@mandelbit.com> Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2026-05-14io_uring/rsrc: raise registered buffer 1GB limitJens Axboe
There's no real reason to have a limit, as the memory is accounted by the lockmem limits anyway, if any exist. io_pin_pages() will still restrict the maximum allowed limit per buffer, which is INT_MAX number of pages. Cap it a bit lower than that, at 1TB for a 64-bit system. Surely that should be enough for everyone. For now. Signed-off-by: Jens Axboe <axboe@kernel.dk>
2026-05-14io_uring/rsrc: bump struct io_mapped_ubuf length field to size_tJens Axboe
In preparation for supporting bigger individual buffers, bump the length field to a full 8-bytes with size_t rather than an unsigned int. Signed-off-by: Jens Axboe <axboe@kernel.dk>
2026-05-14io_uring/rsrc: add huge page accounting for registered buffersJens Axboe
Track huge page references in a per-ring xarray to prevent double accounting when the same huge page is used by multiple registered buffers, either within the same ring or across cloned rings. When registering buffers backed by huge pages, we need to account for RLIMIT_MEMLOCK. But if multiple buffers share the same huge page (common with cloned buffers), we must not account for the same page multiple times. Similarly, we must only unaccount when the last reference to a huge page is released. Maintain a per-ring xarray (hpage_acct) that tracks reference counts for each huge page. When registering a buffer, for each unique huge page, increment its accounting reference count, and only account pages that are newly added. When unregistering a buffer, for each unique huge page, decrement its refcount. Once the refcount hits zero, the page is unaccounted. Note: any account is done against the ctx->user that was assigned when the ring was setup. As before, if root is running the operation, no accounting is done. With these changes, any use of imu->acct_pages is also dead, hence kill it from struct io_mapped_ubuf. This shrinks it from 56b to 48b on a 64-bit arch. Additionally, hpage_already_acct() is gone, which was an O(M*M) scan over current + previous registrations. Signed-off-by: Jens Axboe <axboe@kernel.dk>
2026-05-14Bluetooth: hci_qca: Convert timeout from jiffies to msShuai Zhang
Since the timer uses jiffies as its unit rather than ms, the timeout value must be converted from ms to jiffies when configuring the timer. Otherwise, the intended 8s timeout is incorrectly set to approximately 33s. To improve readability, embed msecs_to_jiffies() directly in the macro definitions and drop the _MS suffix from macros that now yield jiffies values: MEMDUMP_TIMEOUT, FW_DOWNLOAD_TIMEOUT, IBS_DISABLE_SSR_TIMEOUT, CMD_TRANS_TIMEOUT, and IBS_BTSOC_TX_IDLE_TIMEOUT. IBS_WAKE_RETRANS_TIMEOUT_MS and IBS_HOST_TX_IDLE_TIMEOUT_MS are intentionally left unchanged. Their values are stored in the struct fields wake_retrans and tx_idle_delay, which hold ms values at runtime and can be modified via debugfs. The msecs_to_jiffies() conversion happens at each call site against the field value, so it cannot be embedded in the macro. Wake timer depends on commit c347ca17d62a Cc: stable@vger.kernel.org Fixes: d841502c79e3 ("Bluetooth: hci_qca: Collect controller memory dump during SSR") Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de> Acked-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org> Signed-off-by: Shuai Zhang <shuai.zhang@oss.qualcomm.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
2026-05-14Bluetooth: L2CAP: ecred_reconfigure: send packed pdu, not stack pointerMichael Bommarito
Commit 1c08108f3014 ("Bluetooth: L2CAP: Avoid -Wflex-array-member-not-at-end warnings") converted the on-stack request PDU in l2cap_ecred_reconfigure() from an explicit packed struct to DEFINE_RAW_FLEX(), but did not adjust the size and source-pointer arguments to l2cap_send_cmd(): - struct { - struct l2cap_ecred_reconf_req req; - __le16 scid; - } pdu; + DEFINE_RAW_FLEX(struct l2cap_ecred_reconf_req, pdu, scid, 1); ... l2cap_send_cmd(conn, chan->ident, L2CAP_ECRED_RECONF_REQ, sizeof(pdu), &pdu); After the conversion, DEFINE_RAW_FLEX() expands to declare an anonymous union pdu_u plus a local pointer "pdu" pointing at it. Therefore: - sizeof(pdu) is now sizeof(struct l2cap_ecred_reconf_req *) = 8 on 64-bit (4 on 32-bit), not the 6 bytes of (mtu, mps, scid[1]). - &pdu is the address of the local pointer's stack storage, not the address of the request payload. l2cap_send_cmd() forwards (data, count) to l2cap_build_cmd(), which calls skb_put_data(skb, data, count). The L2CAP_ECRED_RECONFIGURE_REQ packet body therefore contains 8 bytes copied from the kernel stack starting at &pdu -- the 8 bytes overlap the pdu pointer's value, leaking a kernel stack address to the paired Bluetooth peer. The intended (mtu, mps, scid) fields are not transmitted at all, so the peer rejects the request as malformed and the L2CAP_ECRED_RECONFIGURE feature itself has been broken for the local-side initiator since the introducing commit landed. The sibling site l2cap_ecred_conn_req() in the same commit was converted correctly (sizeof(*pdu) + len, pdu); only this site was missed. Restore the original semantics: pass the full flex-struct size via struct_size(pdu, scid, 1) and the pdu pointer (the struct address) as the source. Validated on a stock 7.0-based host kernel via the real call path: setsockopt(SOL_BLUETOOTH, BT_RCVMTU, ...) on a BT_CONNECTED L2CAP_MODE_EXT_FLOWCTL socket emits an L2CAP_ECRED_RECONFIGURE_REQ whose body is 8 bytes (the on-stack pdu local's value) rather than the expected 6. Three captures from fresh socket / fresh hciemu peer on the same host -- low bytes vary per call, high 0xffff confirms a kernel virtual address (KASLR-randomised stack slot, not a fixed string): RECONF_REQ body (ident=0x02 len=8): 42 fb 54 af 0e ca ff ff RECONF_REQ body (ident=0x02 len=8): 52 3d 2e af 0e ca ff ff RECONF_REQ body (ident=0x02 len=8): b2 fc 5b af 0e ca ff ff After this patch the body is 6 bytes carrying the expected little-endian (mtu, mps, scid). Cc: stable@vger.kernel.org Fixes: 1c08108f3014 ("Bluetooth: L2CAP: Avoid -Wflex-array-member-not-at-end warnings") Assisted-by: Claude:claude-opus-4-7 Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
2026-05-14Bluetooth: btmtk: accept too short WMT FUNC_CTRL eventsPauli Virtanen
MT7925 (USB ID 0e8d:e025) on fw version 20260106153314 sends WMT FUNC_CTRL events that are missing the status field. Prior to commit 006b9943b982 ("Bluetooth: btmtk: validate WMT event SKB length before struct access") the status was read from out-of-bounds of SKB data, which usually would result to success with BTMTK_WMT_ON_UNDONE, although I don't know the intent here. The bounds check added in that commit returns with error instead, producing "Bluetooth: hci0: Failed to send wmt func ctrl (-22)" and makes the device unusable. Fix the regression by interpreting too short packet as status BTMTK_WMT_ON_UNDONE, which makes the device work normally again. Fixes: 634a4408c061 ("Bluetooth: btmtk: validate WMT event SKB length before struct access") Signed-off-by: Pauli Virtanen <pav@iki.fi> Tested-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com> # MT7922 (0489:e0e2) Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
2026-05-14Bluetooth: serialize accept_q accessJiexun Wang
bt_sock_poll() walks the accept queue without synchronization, while child teardown can unlink the same socket and drop its last reference. The unsynchronized accept queue walk has existed since the initial Bluetooth import. Protect accept_q with a dedicated lock for queue updates and polling. Also rework bt_accept_dequeue() to take temporary child references under the queue lock before dropping it and locking the child socket. Fixes: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 ("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org Reported-by: Jann Horn <jannh@google.com> Reported-by: Yuan Tan <yuantan098@gmail.com> Reported-by: Yifan Wu <yifanwucs@gmail.com> Reported-by: Juefei Pu <tomapufckgml@gmail.com> Reported-by: Xin Liu <bird@lzu.edu.cn> Signed-off-by: Jiexun Wang <wangjiexun2025@gmail.com> Signed-off-by: Ren Wei <n05ec@lzu.edu.cn> Signed-off-by: Jiexun Wang <wangjiexun2025@gmail.com> Reviewed-by: Jann Horn <jannh@google.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
2026-05-14cpufreq/amd-pstate: Drop Kconfig option for dynamic EPPMario Limonciello
There are some performance issues being identified by dynamic EPP and we don't want to have distributions turning it on by default exposing them to users at this time. Drop the kconfig option, and require an explicit opt in from kernel command line or runtime sysfs option to turn it on. Reported-by: Viktor Jägersküpper <viktor_jaegerskuepper@freenet.de> Closes: https://lore.kernel.org/linux-pm/14a87c99-785c-4b16-bfce-35ecbf053448@freenet.de/ Reported-by: Stuart Meckle <stuartmeckle@gmail.com> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221473 Signed-off-by: Mario Limonciello <mario.limonciello@amd.com> Reviewed-by: K Prateek Nayak <kprateek.nayak@amd.com> Link: https://lore.kernel.org/r/20260512221947.1652988-1-mario.limonciello@amd.com (fix sysfs file path) Signed-off-by: Mario Limonciello (AMD) <superm1@kernel.org>
2026-05-14drm/ttm: Fix ttm_bo_shrink() infinite LRU walk on backup failureThomas Hellström
Apply the same fix as b2ed01e7ad ("drm/ttm: Fix ttm_bo_swapout() infinite LRU walk on swapout failure") to the ttm_bo_shrink() path. Move del_bulk_move from before the backup to after success only, using ttm_resource_del_bulk_move_unevictable() since the resource is now unevictable once fully backed up. Fixes: 70d645deac98 ("drm/ttm: Add helpers for shrinking") Cc: Christian König <christian.koenig@amd.com> Cc: Huang Rui <ray.huang@amd.com> Cc: Matthew Auld <matthew.auld@intel.com> Cc: Matthew Brost <matthew.brost@intel.com> Cc: Dave Airlie <airlied@redhat.com> Cc: dri-devel@lists.freedesktop.org Cc: stable@vger.kernel.org # v6.15+ Assisted-by: GitHub_Copilot:claude-opus-4.6 Reviewed-by: Matthew Auld <matthew.auld@intel.com> Link: https://patch.msgid.link/20260511162443.24352-1-thomas.hellstrom@linux.intel.com Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
2026-05-14io_uring/net: allow filtering on IORING_OP_CONNECTShouvik Kar
This adds custom filtering for IORING_OP_CONNECT, where the target family is always exposed, and (for AF_INET / AF_INET6) port and address are exposed. port and v4_addr are in network byte order so filter authors can compare against on-wire constants. Skip population unless addr_len covers the populated fields, to avoid leaking stale io_async_msghdr data on short connects. Signed-off-by: Shouvik Kar <auxcorelabs@gmail.com> Link: https://patch.msgid.link/20260512110242.26219-1-auxcorelabs@gmail.com Signed-off-by: Jens Axboe <axboe@kernel.dk>
2026-05-14io_uring: parenthesize io_ring_head_to_buf() expansionYi Xie
Wrap the io_ring_head_to_buf() macro value in an extra pair of parentheses so it is safe when composed into larger expressions, and to satisfy scripts/checkpatch.pl. Signed-off-by: Yi Xie <xieyi@kylinos.cn> Link: https://patch.msgid.link/20260514083443.203387-1-xieyi@kylinos.cn Signed-off-by: Jens Axboe <axboe@kernel.dk>
2026-05-14net: phy: DP83TC811: add reading of abilitiesSven Schuchmann
At this time the driver is not listing any speeds it supports. This should be ETHTOOL_LINK_MODE_100baseT1_Full_BIT for DP83TC811. Add the missing call for phylib to read the abilities. Fixes: b753a9faaf9a ("net: phy: DP83TC811: Introduce support for the DP83TC811 phy") Suggested-by: Andrew Lunn <andrew@lunn.ch> Signed-off-by: Sven Schuchmann <schuchmann@schleissheimer.de> Reviewed-by: Andrew Lunn <andrew@lunn.ch> Link: https://patch.msgid.link/20260512071949.6218-1-schuchmann@schleissheimer.de [pabeni@redhat.com: dropped revision history] Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2026-05-14mm/slub: hold cpus_read_lock around flush_rcu_sheaves_on_cache()Qing Wang
flush_rcu_sheaves_on_cache() calls queue_work_on() in a for_each_online_cpu() loop, which requires the cpu to stay online. But cpus_read_lock() is not held in kvfree_rcu_barrier_on_cache() and the set of "online cpus" is subject to change. There are two paths that call flush_rcu_sheaves_on_cache(): // has cpus_read_lock() flush_all_rcu_sheaves() -> flush_rcu_sheaves_on_cache() // no cpus_read_lock() kvfree_rcu_barrier_on_cache() -> flush_rcu_sheaves_on_cache() Fix this by holding cpus_read_lock() in kvfree_rcu_barrier_on_cache(). Why not move cpus_read_lock() from flush_all_rcu_sheaves() into flush_rcu_sheaves_on_cache()? The reason is it would introduce a new lock order (slab_mutex -> cpu_hotplug_lock). The reverse order (cpu_hotplug_lock -> slab_mutex) is established by - cpuhp_setup_state_nocalls(..., slub_cpu_setup, ...) - kmem_cache_destroy() The two orders together would form an AB-BA deadlock. Finally, add lockdep_assert_cpus_held() in flush_rcu_sheaves_on_cache() to catch the same problem in the future. Fixes: 0f35040de593 ("mm/slab: introduce kvfree_rcu_barrier_on_cache() for cache destruction") Cc: <stable@vger.kernel.org> Signed-off-by: Qing Wang <wangqing7171@gmail.com> Link: https://patch.msgid.link/20260512035035.762317-1-wangqing7171@gmail.com Signed-off-by: Vlastimil Babka (SUSE) <vbabka@kernel.org>
2026-05-14kbuild: pacman-pkg: package unstripped vDSO librariesThomas Weißschuh
The unstripped vDSO files are useful for debugging. They are provided in the upstream 'linux-headers' package. Also package them as part of 'make pacman-pkg'. Make them part of the '-debug' package, as they fit there best. This differs from the upstream package as that has no '-debug' variant. Signed-off-by: Thomas Weißschuh <linux@weissschuh.net> Reviewed-by: Nathan Chancellor <nathan@kernel.org> Tested-by: Nathan Chancellor <nathan@kernel.org> Link: https://patch.msgid.link/20260318-kbuild-pacman-vdso-install-v1-1-48ceb31c0e80@weissschuh.net Signed-off-by: Nathan Chancellor <nathan@kernel.org>
2026-05-14KVM: x86: nSVM: Save/restore gPAT with KVM_{GET,SET}_NESTED_STATEJim Mattson
Add a 'gpat' field to kvm_svm_nested_state_hdr to carry L2's guest PAT value across save and restore. When KVM_X86_QUIRK_NESTED_SVM_SHARED_PAT is disabled and the vCPU is in guest mode with nested NPT enabled, save vmcb02's g_pat into the header on KVM_GET_NESTED_STATE, and restore it on KVM_SET_NESTED_STATE. Host-initiated accesses to IA32_PAT (via KVM_GET/SET_MSRS) always target L1's hPAT, so they cannot be used to save or restore gPAT. The separate header field ensures that KVM_GET/SET_MSRS and KVM_GET/SET_NESTED_STATE are independent and can be ordered arbitrarily during save and restore. Note that struct kvm_svm_nested_state_hdr is included in a union padded to 120 bytes, so there is room to add the gpat field without changing any offsets. Fixes: cc440cdad5b7 ("KVM: nSVM: implement KVM_GET_NESTED_STATE and KVM_SET_NESTED_STATE") Signed-off-by: Jim Mattson <jmattson@google.com> Link: https://patch.msgid.link/20260407190343.325299-9-jmattson@google.com Signed-off-by: Sean Christopherson <seanjc@google.com>
2026-05-14KVM: Documentation: document KVM_{GET,SET}_NESTED_STATE for SVMJim Mattson
Document the nested state constants and structures for SVM that were added by commit cc440cdad5b7 ("KVM: nSVM: implement KVM_GET_NESTED_STATE and KVM_SET_NESTED_STATE"). Fixes: cc440cdad5b7 ("KVM: nSVM: implement KVM_GET_NESTED_STATE and KVM_SET_NESTED_STATE") Signed-off-by: Jim Mattson <jmattson@google.com> Link: https://patch.msgid.link/20260407190343.325299-8-jmattson@google.com Signed-off-by: Sean Christopherson <seanjc@google.com>
2026-05-14KVM: x86: nSVM: Save gPAT to vmcb12.g_pat on VMEXITJim Mattson
According to the APM volume 3 pseudo-code for "VMRUN," when nested paging is enabled in the vmcb, the guest PAT register (gPAT) is saved to the vmcb on emulated VMEXIT. When KVM_X86_QUIRK_NESTED_SVM_SHARED_PAT is disabled and the vCPU is in guest mode with nested NPT enabled, save the vmcb02 g_pat field to the vmcb12 g_pat field on emulated VMEXIT. Fixes: 15038e147247 ("KVM: SVM: obey guest PAT") Signed-off-by: Jim Mattson <jmattson@google.com> Link: https://patch.msgid.link/20260407190343.325299-7-jmattson@google.com Signed-off-by: Sean Christopherson <seanjc@google.com>
2026-05-14KVM: x86: nSVM: Redirect IA32_PAT accesses to either hPAT or gPATJim Mattson
When handling PAT accesses from L2, route PAT accesses to either hPAT or gPAT based on whether or not L2 has a separate PAT, i.e. if KVM is actually emulating gPAT, instead of using L1's PAT for everything. Specifically, if KVM_X86_QUIRK_NESTED_SVM_SHARED_PAT is disabled, the vCPU is in guest mode with nested NPT enabled, *and* the access if from the guest (i.e. is not from the host stuffing PAT as part of save/restore), then redirect guest PAT accesses to the gPAT "register" in vmcb02, i.e. emulate gPAT for L2. Always route non-guest accesses to hPAT, i.e. L1's PAT in vcpu->arch.pat, to ensures that KVM_{G,S}ET_MSRS and KVM_{G,S}ET_NESTED_STATE are independent of each other and can be ordered arbitrarily during save and restore. E.g. if KVM didn't exempt host accesses, then whether a write to PAT hit hPAT or gPAT would vary based on whether userspace restores PAT before or after nested state. Note, gPAT is saved and restored separately via KVM_{G,S}ET_NESTED_STATE. WARN if there's a host-initiated access to PAT from within KVM_RUN, i.e. if KVM itself initiated the access, as there are no such accesses today, and it's not clear what the "right" behavior would be. Fixes: 15038e147247 ("KVM: SVM: obey guest PAT") Signed-off-by: Jim Mattson <jmattson@google.com> Co-developed-by: Sean Christopherson <seanjc@google.com> Signed-off-by: Sean Christopherson <seanjc@google.com>
2026-05-14KVM: x86: nSVM: Set vmcb02.g_pat correctly for nested NPTJim Mattson
When KVM_X86_QUIRK_NESTED_SVM_SHARED_PAT is disabled and nested NPT is enabled in vmcb12, copy the (cached and validated) vmcb12 g_pat field to vmcb02's g_pat, giving L2 its own independent guest PAT register. When the quirk is enabled (default), or when NPT is enabled but nested NPT is disabled, copy L1's IA32_PAT MSR to the vmcb02 g_pat field, since L2 shares the IA32_PAT MSR with L1. When NPT is disabled, the g_pat field is ignored by hardware. Fixes: 15038e147247 ("KVM: SVM: obey guest PAT") Signed-off-by: Jim Mattson <jmattson@google.com> Link: https://patch.msgid.link/20260407190343.325299-5-jmattson@google.com Signed-off-by: Sean Christopherson <seanjc@google.com>
2026-05-14KVM: x86: nSVM: Cache and validate vmcb12 g_patJim Mattson
When KVM_X86_QUIRK_NESTED_SVM_SHARED_PAT is disabled and nested paging is enabled in vmcb12, validate g_pat at emulated VMRUN and cause an immediate VMEXIT with exit code VMEXIT_INVALID if it is invalid, as specified in the APM, volume 2: "Nested Paging and VMRUN/VMEXIT." Fixes: 3d6368ef580a ("KVM: SVM: Add VMRUN handler") Signed-off-by: Jim Mattson <jmattson@google.com> Link: https://patch.msgid.link/20260407190343.325299-4-jmattson@google.com Signed-off-by: Sean Christopherson <seanjc@google.com>
2026-05-14KVM: x86: nSVM: Clear VMCB_NPT clean bit when updating hPAT from guest modeJim Mattson
When running an L2 guest and writing to MSR_IA32_CR_PAT, the host PAT value is stored in both vmcb01's g_pat field and vmcb02's g_pat field, but the clean bit was only being cleared for vmcb02. Introduce the helper vmcb_set_gpat() which sets vmcb->save.g_pat and marks the VMCB dirty for VMCB_NPT. Use this helper in both svm_set_msr() for updating vmcb01 and in nested_vmcb02_compute_g_pat() for updating vmcb02, ensuring both VMCBs' NPT fields are properly marked dirty. Fixes: 4995a3685f1b ("KVM: SVM: Use a separate vmcb for the nested L2 guest") Signed-off-by: Jim Mattson <jmattson@google.com> Link: https://patch.msgid.link/20260407190343.325299-3-jmattson@google.com Signed-off-by: Sean Christopherson <seanjc@google.com>
2026-05-14KVM: x86: Define KVM_X86_QUIRK_NESTED_SVM_SHARED_PATJim Mattson
Define a quirk to control whether nested SVM shares L1's PAT with L2 (legacy behavior) or gives L2 its own independent gPAT (correct behavior per the APM). When the quirk is enabled (default), L2 shares L1's PAT, preserving the legacy KVM behavior. When userspace disables the quirk, KVM correctly virtualizes the PAT for nested SVM guests, giving L2 a separate gPAT as specified in the AMD architecture. Signed-off-by: Jim Mattson <jmattson@google.com> Link: https://patch.msgid.link/20260407190343.325299-2-jmattson@google.com Signed-off-by: Sean Christopherson <seanjc@google.com>
2026-05-14docs: threat-model: don't limit root capabilities to CAP_SYS_ADMINJonathan Corbet
The threat-model document says that only users with CAP_SYS_ADMIN can carry out a number of admin-level tasks, but there are numerous capabilities that can confer that sort of power. Generalize the text slightly to make it clear that CAP_SYS_ADMIN is not the only all-powerful capability. Acked-by: Willy Tarreau <w@1wt.eu> Signed-off-by: Jonathan Corbet <corbet@lwn.net>
2026-05-14docs: security-bugs: add a link to the threat-model documentationJonathan Corbet
Rather than make readers search for this document, just a link to it where it is referenced. (While I was at it, I removed the unused and unneeded _threatmodel label from the top of threat-model.rst). Acked-by: Willy Tarreau <w@1wt.eu> Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Jonathan Corbet <corbet@lwn.net>
2026-05-14timers: Fix flseep() typo in kernel-doc commentGitle Mikkelsen
Signed-off-by: Gitle Mikkelsen <gitlem@gmail.com> Signed-off-by: Thomas Gleixner <tglx@kernel.org> Link: https://patch.msgid.link/20260501170616.1402-1-gitlem@gmail.com
2026-05-14ARM: dts: socfpga: arria10: Increase JFFS2 rootfs partition sizeNiravkumar L Rabara
Increase the JFFS2 partition size to support larger root filesystem. Also fix the partition label to match the actual start address. Signed-off-by: Niravkumar L Rabara <niravkumar.l.rabara@altera.com> Signed-off-by: Nazim Amirul <muhammad.nazim.amirul.nazle.asmade@altera.com> Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
2026-05-14RAS/AMD/ATL: Drop malformed default N from KconfigAndy Shevchenko
The capital letters are for symbols and N in 'default N' will be evaluated as another, nonexistent, Kconfig symbol, and not as the 'no' it should be. More importantly, 'n' *is* the default already. Hence just drop the malformed line. Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de> Link: https://patch.msgid.link/20260513205021.368190-1-andriy.shevchenko@linux.intel.com
2026-05-14net: tls: prevent chain-after-chain in plain text SGJakub Kicinski
Sashiko points out that if end = 0 (start != 0) the current code will create a chain link to content type right after the wrap link: This would create a chain where the wrap link points directly to another chain link. The scatterlist API sg_next iterator does not recursively resolve consecutive chain links. meaning this is illegal input to crypto. The wrapping link is unnecessary if end = 0. end is the entry after the last one used so end = 0 means there's nothing pushed after the wrap: end start i v v v [ ]...[ ][ d ][ d ][ d ][ d ][rsv for wrap] Skip the wrapping in this case. TLS 1.3 can use the "wrapping slot" for it's chaining if end = 0. This avoids the chain-after-chain. Move the wrap chaining before marking END and chaining off content type, that feels like more logical ordering to me, but should not matter from functional perspective. Reported-by: Sashiko <sashiko-bot@kernel.org> Fixes: 9aaaa56845a0 ("bpf: Sockmap/tls, skmsg can have wrapped skmsg that needs extra chaining") Signed-off-by: Jakub Kicinski <kuba@kernel.org> Link: https://patch.msgid.link/20260511174920.433155-3-kuba@kernel.org Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2026-05-14net: tls: fix off-by-one in sg_chain entry count for wrapped sk_msg ringJakub Kicinski
When an sk_msg scatterlist ring wraps (sg.end < sg.start), tls_push_record() chains the tail portion of the ring to the head using sg_chain(). An extra entry in the sg array is reserved for this: struct sk_msg_sg { [...] /* The extra two elements: * 1) used for chaining the front and sections when the list becomes * partitioned (e.g. end < start). The crypto APIs require the * chaining; * 2) to chain tailer SG entries after the message. */ struct scatterlist data[MAX_MSG_FRAGS + 2]; The current code uses MAX_SKB_FRAGS + 1 as the ring size: sg_chain(&msg_pl->sg.data[msg_pl->sg.start], MAX_SKB_FRAGS - msg_pl->sg.start + 1, msg_pl->sg.data); This places the chain pointer at sg_chain(data[start], (MAX_SKB_FRAGS - msg_start + 1) .. = &data[start] + (MAX_SKB_FRAGS - msg_start + 1) - 1 = data[start + (MAX_SKB_FRAGS - start + 1) - 1] = data[MAX_SKB_FRAGS] instead of the true last entry. This is likely due to a "race" of the commit under Fixes landing close to commit 031097d9e079 ("bpf: sk_msg, zap ingress queue on psock down") Convert to ARRAY_SIZE and drop the data[start] / - start (as suggested by Sabrina). Reported-by: 钱一铭 <yimingqian591@gmail.com> Fixes: 9aaaa56845a0 ("bpf: Sockmap/tls, skmsg can have wrapped skmsg that needs extra chaining") Signed-off-by: Jakub Kicinski <kuba@kernel.org> Reviewed-by: Sabrina Dubroca <sd@queasysnail.net> Link: https://patch.msgid.link/20260511174920.433155-2-kuba@kernel.org Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2026-05-14clk: scpi: Unregister child clock providers on removeStepan Ionichev
SCPI clock providers are registered for each child node in scpi_clk_add(), but scpi_clocks_remove() unregisters the parent node on each iteration. of_clk_del_provider() matches providers by the node used at registration time, so passing the parent node leaves the child providers registered. This leaks the provider allocations and the node references held by the clock provider core. Pass the child node to of_clk_del_provider() so the remove path matches the probe path. Fixes: cd52c2a4b5c4 ("clk: add support for clocks provided by SCP(System Control Processor)") Signed-off-by: Stepan Ionichev <sozdayvek@gmail.com> Link: https://patch.msgid.link/20260513090900.5323-1-sozdayvek@gmail.com (sudeep.holla: Updated commit title and message a bit) Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>
2026-05-14drm/ttm: Convert -EAGAIN from dmem_cgroup_try_charge to -ENOSPCThomas Hellström
dmem_cgroup_try_charge() returns -EAGAIN when the cgroup limit is hit and the charge fails. TTM has no concept of -EAGAIN from resource allocation; -ENOSPC is the canonical error meaning "no space, try eviction". Convert at the source in ttm_resource_alloc() so no caller needs to handle an unexpected error code, and clean up the now-redundant -EAGAIN check in ttm_bo_alloc_resource(). Without this, -EAGAIN escaping ttm_resource_alloc() during an eviction walk causes the walk to terminate early instead of continuing to the next candidate. Cc: Friedrich Vock <friedrich.vock@gmx.de> Cc: Maarten Lankhorst <dev@lankhorst.se> Cc: Tejun Heo <tj@kernel.org> Cc: Maxime Ripard <mripard@kernel.org> Cc: Christian Koenig <christian.koenig@amd.com> Cc: dri-devel@lists.freedesktop.org Cc: <stable@vger.kernel.org> # v6.14+ Fixes: 2b624a2c1865 ("drm/ttm: Handle cgroup based eviction in TTM") Assisted-by: GitHub_Copilot:claude-sonnet-4.6 Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com> Reviewed-by: Maarten Lankhorst <dev@lankhrost.se> Link: https://patch.msgid.link/20260508160920.230339-1-thomas.hellstrom@linux.intel.com
2026-05-14Merge branch ↵Paolo Abeni
'bridge-add-selective-forwarding-of-gratuitous-neighbor-announcements' Danielle Ratson says: ==================== bridge: Add selective forwarding of gratuitous neighbor announcements The existing neighbor suppression unconditionally suppresses gratuitous ARPs and unsolicited Neighbor Advertisements, which prevents fast mobility of hosts between VTEPs. This series adds a new neigh_forward_grat option that provides independent control of gratuitous ARP and unsolicited NA forwarding. When neigh_suppress is enabled but neigh_forward_grat is enabled, regular neighbor discovery is suppressed while gratuitous announcements are forwarded. The implementation marks gratuitous ARPs and unsolicited NAs in BR_INPUT_SKB_CB during input processing, then checks the per-output-port neigh_forward_grat setting during flooding. This allows gratuitous announcements from any input port to be selectively forwarded based on each output port's individual configuration. Both port-level control (via IFLA_BRPORT_NEIGH_FORWARD_GRAT) and per-VLAN control (via BRIDGE_VLANDB_ENTRY_NEIGH_FORWARD_GRAT) are provided. The default value of OFF preserves existing behavior. This behavior is in accordance with RFC 9161 (Section 3.6), which recommends that VTEPs forward gratuitous ARP and unsolicited NA messages to avoid traffic disruption during host mobility events. The new attributes use NLA_U8, although the kernel netlink guideline recommends NLA_U32 as the minimum integer type on the grounds that alignment makes smaller types equivalent on the wire. For a simple on/off attribute there is no technical advantage to u32 over u8, and keeping u8 preserves consistency with all surrounding bridge port attributes and avoids introducing new helpers alongside the existing infrastructure. Patchset overview: Patch #1: adds uapi headers. Patches #2-#3: support selective forwarding of gratuitous ARP. Patches #4-#5: add netlink handling. Patch #6: adds tests. Please see iproute related patches in the last 3 commits of: https://github.com/daniellerts/iproute2 ==================== Link: https://patch.msgid.link/20260511065936.4173106-1-danieller@nvidia.com Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2026-05-14selftests: net: Add tests for neigh_forward_grat optionDanielle Ratson
Add tests to validate the neigh_forward_grat bridge option for selective forwarding of gratuitous neighbor announcements. The tests verify per-port and per-VLAN control of gratuitous neighbor announcement forwarding for both IPv4 (gratuitous ARP) and IPv6 (unsolicited NA): - When neigh_suppress is enabled with neigh_forward_grat off (default), gratuitous announcements are suppressed - When neigh_forward_grat is enabled, gratuitous announcements are forwarded while regular neighbor discovery remains suppressed For IPv4, use arping to send gratuitous ARP packets. For IPv6, use mausezahn to craft unsolicited Neighbor Advertisement packets. For the per-port tests, the IPv4 test exercises the ip link interface, while the IPv6 test exercises the bridge link interface. The per-VLAN tests use the bridge interface throughout, as per-VLAN attributes are only accessible via 'bridge vlan'. Signed-off-by: Danielle Ratson <danieller@nvidia.com> Link: https://patch.msgid.link/20260511065936.4173106-7-danieller@nvidia.com Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2026-05-14bridge: Add per-VLAN netlink handling for neigh_forward_gratDanielle Ratson
Add netlink handlers for the per-VLAN neigh_forward_grat option via BRIDGE_VLANDB_ENTRY_NEIGH_FORWARD_GRAT attribute. The per-VLAN option provides fine-grained control, allowing different VLANs on the same port to have different gratuitous ARP/unsolicited NA forwarding behavior. This enables control via 'bridge' commands: # bridge vlan set dev eth0 vid 10 neigh_suppress on # bridge vlan set dev eth0 vid 10 neigh_forward_grat on Reviewed-by: Ido Schimmel <idosch@nvidia.com> Reviewed-by: Petr Machata <petrm@nvidia.com> Signed-off-by: Danielle Ratson <danieller@nvidia.com> Acked-by: Nikolay Aleksandrov <razor@blackwall.org> Link: https://patch.msgid.link/20260511065936.4173106-6-danieller@nvidia.com Signed-off-by: Paolo Abeni <pabeni@redhat.com>