summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2026-06-11Input: rmi4 - refactor register descriptor parsingDmitry Torokhov
Factor out parsing a register descriptor item from rmi_read_register_desc() and ensure there are no out-of-bounds accesses. Use get_unaligned_le16() and get_unaligned_le32() for reading multi-byte values. Reported-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices") Cc: stable@vger.kernel.org Assisted-by: Gemini:gemini-3.1-pro Link: https://patch.msgid.link/20260505045952.1570713-2-dmitry.torokhov@gmail.com Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
2026-06-11Input: rmi4 - fix register descriptor address calculationDmitry Torokhov
When reading the register descriptor, the base address is incremented by 1 to read the presence register block. However, after reading the presence register block, the address is incorrectly incremented by only 1 byte (++addr) instead of the actual size of the presence block (size_presence_reg). This causes the subsequent structure block read to read from the wrong memory location if the presence block is larger than 1 byte. Fix this by advancing the address by size_presence_reg. Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices") Cc: stable@vger.kernel.org Assisted-by: Gemini:gemini-3.1-pro Link: https://patch.msgid.link/20260505045952.1570713-1-dmitry.torokhov@gmail.com Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
2026-06-12Merge tag 'drm-xe-fixes-2026-06-11' of ↵Dave Airlie
https://gitlab.freedesktop.org/drm/xe/kernel into drm-fixes UAPI Changes: Cross-subsystem Changes: Core Changes: Driver Changes: - fix oops in suspend/shutdown without display (Jani) - RAS fixes (Raag) - Use HW_ERR prefix in log (Raag) - include all registered queues in TLB invalidation (Tangudu) - Fix refcount leak in xe_range_tree in error paths (Wentao) - fix job timeout recovery for unstarted jobs and kernel queues (Rodrigo) Signed-off-by: Dave Airlie <airlied@redhat.com> From: Matthew Brost <matthew.brost@intel.com> Link: https://patch.msgid.link/aitt8ZkYmxIT9cdP@gsse-cloud1.jf.intel.com
2026-06-12Merge tag 'drm-intel-fixes-2026-06-11' of ↵Dave Airlie
https://gitlab.freedesktop.org/drm/i915/kernel into drm-fixes - Check supported link rates DPCD read [edp] (Nikita Zhandarovich) - Fix phys BO pread/pwrite with offset [gem] (Joonas Lahtinen) Signed-off-by: Dave Airlie <airlied@redhat.com> From: Tvrtko Ursulin <tursulin@igalia.com> Link: https://patch.msgid.link/aipkcUDnTlzre-8F@linux
2026-06-11ip6_tunnel: annotate data-races around t->err_count and t->err_timeEric Dumazet
ip6_tnl_xmit() and ipip6_tunnel_xmit() run locklessly (dev->lltx == true). ip6gre_err() and ipip6_err() also run locklessly. We need to add READ_ONCE() and WRITE_ONCE() annotations around t->err_count and t->err_time. Signed-off-by: Eric Dumazet <edumazet@google.com> Reviewed-by: Ido Schimmel <idosch@nvidia.com> Link: https://patch.msgid.link/20260610171458.1359630-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-12crypto: tegra - fix refcount leak in tegra_se_host1x_submit()Wentao Liang
The timeout error path in tegra_se_host1x_submit() returns without calling host1x_job_put(), while all other paths (success, submit error, pin error) properly release the job reference through the job_put label. Since host1x_job_alloc() initializes the reference count and host1x_job_put() is required to drop it, omitting it on timeout causes a permanent refcount leak. Fix this by redirecting the timeout return to the existing job_put label, ensuring the job reference and any associated syncpt references are consistently released. Cc: stable@vger.kernel.org Fixes: 0880bb3b00c8 ("crypto: tegra - Add Tegra Security Engine driver") Signed-off-by: Wentao Liang <vulab@iscas.ac.cn> Reviewed-by: Akhil R <akhilrajeev@nvidia.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2026-06-12crypto: rng - Free default RNG on module exitHerbert Xu
When the rng module is removed the default RNG will be leaked. Call crypto_del_default_rng to free it if possible. Fixes: 7cecadb7cca8 ("crypto: rng - Do not free default RNG when it becomes unused") Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2026-06-12crypto: testmgr - allow authenc(hmac(sha{256,384}),cts(cbc(aes))) in FIPS modeIlya Dryomov
hmac(sha256), hmac(sha384) and cts(cbc(aes)) algorithms have been marked as FIPS allowed for years. Mark the respective authenc() constructions per RFC 8009 ("AES Encryption with HMAC-SHA2 for Kerberos 5") as such as well. SP 800-57 Part 3 Rev. 1 from Jan 2015 [1] links the draft of what became RFC 8009 in Oct 2016 as approved in section 6.3 Procurement Guidance (item/recommendation 3). [1] https://csrc.nist.gov/pubs/sp/800/57/pt3/r1/final Signed-off-by: Ilya Dryomov <idryomov@gmail.com> Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2026-06-12hwrng: jh7110 - fix refcount leak in starfive_trng_read()Wentao Liang
The starfive_trng_read() function acquires a runtime PM reference via pm_runtime_get_sync() but fails to release it on two error paths. If starfive_trng_wait_idle() or starfive_trng_cmd() returns an error, the function exits without calling pm_runtime_put_sync_autosuspend(), leaving the runtime PM usage counter permanently elevated and preventing the device from entering runtime suspend. Refactor the function to use a unified error path that calls pm_runtime_put_sync_autosuspend() before returning. Cc: stable@vger.kernel.org Fixes: c388f458bc34 ("hwrng: starfive - Add TRNG driver for StarFive SoC") Signed-off-by: Wentao Liang <vulab@iscas.ac.cn> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2026-06-12crypto: atmel-ecc - drop dead code in atmel_ecdh_max_sizeThorsten Blum
atmel_ecdh_init_tfm() always allocates ctx->fallback, so it is never NULL in atmel_ecdh_max_size(). Remove the dead code and return crypto_kpp_maxsize() directly. Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2026-06-12crypto: cavium/cpt - fix DMA cleanup using wrong loop indexFelix Gu
The sg_cleanup error path used list[i] instead of list[j] when unmapping DMA buffers, leaking successfully mapped entries and repeatedly unmapping the failed one. Fixes: c694b233295b ("crypto: cavium - Add the Virtual Function driver for CPT") Signed-off-by: Felix Gu <ustc.gu@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2026-06-12crypto: marvell/octeontx - fix DMA cleanup using wrong loop indexFelix Gu
The sg_cleanup path used list[i] instead of list[j] when unmapping DMA buffers, leaking successfully mapped entries and repeatedly unmapping the failed one. Fixes: 10b4f09491bf ("crypto: marvell - add the Virtual Function driver for CPT") Signed-off-by: Felix Gu <ustc.gu@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2026-06-12MAINTAINERS: make myself the maintainer of the Qualcomm QCE driverBartosz Golaszewski
Qualcomm wants to keep supporting and extending the crypto engine driver. Thara has not been active for many months, so change the maintainer to myself and upgrade the driver to Supported. Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com> Acked-by: Krzysztof Kozlowski <krzk@kernel.org> Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2026-06-12crypto: amcc - convert irq_of_parse_and_map to platform_get_irqRosen Penev
Replace the deprecated irq_of_parse_and_map() call with the modern platform_get_irq() in the probe function. This also improves error handling: platform_get_irq() returns a negative errno on failure, whereas irq_of_parse_and_map() returned 0. Change the irq field in struct crypto4xx_core_device from u32 to int to match the return type of platform_get_irq(). Assisted-by: opencode:big-pickle Signed-off-by: Rosen Penev <rosenp@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2026-06-12crypto: sun4i-ss - Remove insecure and unused rng_algEric Biggers
Remove sun4i_ss_rng, as it is insecure and unused: - It has multiple vulnerabilities. sun4i_ss_prng_seed() is missing locking and has a buffer overflow. sun4i_ss_prng_generate() fails to fill the entire buffer with cryptographic random bytes, because it rounds the destination length down and also doesn't actually wait for the hardware to be ready before pulling bytes from it. - No user of this code is known. It's usable only theoretically via the "rng" algorithm type of AF_ALG. But userspace actually just uses the actual Linux RNG (/dev/random etc) instead. And rng_algs don't contribute entropy to the actual Linux RNG either. (This may have been confused with hwrng, which does contribute entropy.) The sun4i_ss_prng_seed() buffer overflow was reported by Tianchu Chen and discovered by Atuin - Automated Vulnerability Discovery Engine There's no point in fixing all these vulnerabilities individually when this is unused code, so let's just remove it. Fixes: b8ae5c7387ad ("crypto: sun4i-ss - support the Security System PRNG") Cc: stable@vger.kernel.org Reported-by: Tianchu Chen <flynnnchen@tencent.com> Closes: https://lore.kernel.org/r/af749a8447bd7f0e9dd26ca6c87e9c6afecb09d9@linux.dev/ Acked-by: Corentin LABBE <clabbe.montjoie@gmail.com> Signed-off-by: Eric Biggers <ebiggers@kernel.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2026-06-12hwrng: xilinx - Move xilinx-rng into drivers/char/hw_random/Eric Biggers
Since this file just implements a hwrng driver, move it into drivers/char/hw_random/. Rename the kconfig option accordingly as well. Signed-off-by: Eric Biggers <ebiggers@kernel.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2026-06-11cxl/test: Add check after kzalloc() memory in alloc_mock_res()Dave Jiang
alloc_mock_res() calls kzalloc() without checking the return value. Add scope based resource management to deal with the allocated memory cleanly. Reported-by: sashiko-bot Fixes: 67dcdd4d3b83 ("tools/testing/cxl: Introduce a mocked-up CXL port hierarchy") Reviewed-by: Alison Schofield <alison.schofield@intel.com> Link: https://patch.msgid.link/20260611230305.197390-1-dave.jiang@intel.com Signed-off-by: Dave Jiang <dave.jiang@intel.com>
2026-06-11cxl/test: Unregister cxl_acpi in cxl_test_init() error pathDave Jiang
In cxl_test_init(), Once cxl_mock_platform_device_add() succeeds, all error paths after needs to call platform_device_unregister() instead of platform_device_put() to clean up. Fixes: 67dcdd4d3b83 ("tools/testing/cxl: Introduce a mocked-up CXL port hierarchy") Reported-by: sashiko-bot Reviewed-by: Alison Schofield <alison.schofield@intel.com> Link: https://patch.msgid.link/20260611230355.198912-1-dave.jiang@intel.com Signed-off-by: Dave Jiang <dave.jiang@intel.com>
2026-06-11perf stat: Fix false NMI watchdog warning in aggregation modesChun-Tse Shao
In aggregation modes (e.g. --per-socket, --per-die, etc.), a counter might not be scheduled or counted on specific aggregate groups if it was not assigned to the CPUs belonging to those groups. However, the printout() check triggers the "print_free_counters_hint" logic unconditionally for any supported counter with a missing count. This results in a false "Some events weren't counted. Try disabling the NMI watchdog" warning. Furthermore, the NMI watchdog only reserves performance counters on core PMUs. Uncore PMU events (e.g. CHA, IMC) are not affected by the NMI watchdog, but their failures also falsely triggered this warning. This warning was originally introduced in commit 02d492e5dcb72c00 ("perf stat: Issue a HW watchdog disable hint") To fix this, restrict setting of print_free_counters_hint to only trigger for core PMU events by checking counter->pmu and counter->pmu->is_core. Example before/after: $ perf stat -M lpm_miss_lat --metric-only --per-socket -a -- sleep 1 Before: Performance counter stats for 'system wide': ns lpm_miss_lat_rem ns lpm_miss_lat_loc S0 126 202.3 207.9 S1 126 231.9 259.3 1.006029831 seconds time elapsed Some events weren't counted. Try disabling the NMI watchdog: echo 0 > /proc/sys/kernel/nmi_watchdog perf stat ... echo 1 > /proc/sys/kernel/nmi_watchdog After: Performance counter stats for 'system wide': ns lpm_miss_lat_rem ns lpm_miss_lat_loc S0 126 202.3 207.9 S1 126 231.9 259.3 1.006029831 seconds time elapsed Assisted-by: Gemini:gemini-next Reviewed-by: Ian Rogers <irogers@google.com> Signed-off-by: Chun-Tse Shao <ctshao@google.com> Cc: Namhyung Kim <namhyung@kernel.org> Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-06-11perf test: Compile named_threads workload with -O0James Clark
The work loop relies on the compiler not optimizing it away, although named_threads_work is not static for that reason, the compiler could still do it. Fix it by compiling without optimization. Also add -fno-inline for consistency and in case anyone wants to look at callstacks. Fixes: b5dd510be55e8670 ("perf test: Add named_threads workload") Closes: https://lore.kernel.org/all/20260609160001.2739E1F00893@smtp.kernel.org Reported-by: sashiko-bot <sashiko-bot@kernel.org> Reviewed-by: Leo Yan <leo.yan@arm.com> Signed-off-by: James Clark <james.clark@linaro.org> Cc: Ian Rogers <irogers@google.com> Cc: Namhyung Kim <namhyung@kernel.org> Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-06-11Merge tag 'for-net-next-2026-06-11' of ↵Jakub Kicinski
git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next Luiz Augusto von Dentz says: ==================== bluetooth-next pull request for net-next: core: - hci_sync: Add support for HCI_LE_Set_Host_Feature [v2] - SMP: Use AES-CMAC library API - sockets: convert to getsockopt_iter - Add SPDX id lines to some source files drivers: - btintel_pcie: Support Product level reset - btintel_pcie: Add support for smart trigger dump - btintel_pcie: Add 50 ms delay before MAC init on BlazarIW - btintel_pcie: Separate coredump work from RX work - btmtk: add event filter to filter specific event - btrtl: fix RTL8761B/BU broken LE extended scan - btusb: Add Realtek RTL8922AE VID/PID 0bda/d922 - btusb: Add Realtek RTL8922AE VID/PID 0bda/d923 - btusb: MT7922: Add VID/PID 0e8d/223c - btusb: MT7925: Add VID/PID 0e8d/8c38 - btusb: Add support for TP-Link TL-UB250 - btusb: Add Mercusys MA530 for Realtek RTL8761BUV - btusb: Add TP-Link UB600 for Realtek 8761BUV - btusb: Add support for Intel Lizard Peak 2 (0x8087:0x0040) - btusb: Add USB ID 2c4e:0128 for Mercusys MA60XNB - btusb: MT7925: Add VID/PID 13d3/3609 * tag 'for-net-next-2026-06-11' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next: (49 commits) Bluetooth: btintel_pcie: Separate coredump work from RX work Bluetooth: btmtksdio: fix infinite loop in btmtksdio_txrx_work() Bluetooth: qca: Add BT FW build version to kernel log Bluetooth: vhci: validate devcoredump state before side effects Bluetooth: L2CAP: validate connectionless PSM length Bluetooth: hci: validate codec capability element length Bluetooth: L2CAP: Fix UAF in channel timeout by holding conn ref Bluetooth: btintel_pcie: Load IOSF debug regs by controller variant Bluetooth: btintel_pcie: Add 50 ms delay before MAC init on BlazarIW Bluetooth: Add SPDX id lines to some source files Bluetooth: btintel_pcie: Add support for smart trigger dump Bluetooth: hci_h5: reset hci_uart::priv in the close() method Bluetooth: btusb: clean up probe error handling Bluetooth: btusb: fix wakeup irq devres lifetime Bluetooth: btusb: fix wakeup source leak on probe failure Bluetooth: btusb: fix use-after-free on marvell probe failure Bluetooth: btusb: fix use-after-free on registration failure Bluetooth: btmtk: fix URB leak in alloc_mtk_intr_urb error path Bluetooth: hci_core: Fix UAF in hci_unregister_dev() Bluetooth: hci_event: fix simultaneous discovery stuck in FINDING ... ==================== Link: https://patch.msgid.link/20260611183358.176776-1-luiz.dentz@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-11Merge tag 'nfc-net-next-20260611' of https://codeberg.org/linux-nfc/linuxJakub Kicinski
David Heidelberg says: ==================== NFC updates for net-next 20260611 - nxp-nci: Add ISO15693 support - nxp-nci: treat -ENXIO in IRQ thread as no data available - nci: uart: Constify struct tty_ldisc_ops - trf7970a: fix comment typos - Use named initializers for struct i2c_device_id - MAINTAINERS: Update address for David Heidelberg * tag 'nfc-net-next-20260611' of https://codeberg.org/linux-nfc/linux: MAINTAINERS: Update address for David Heidelberg nfc: Use named initializers for struct i2c_device_id nfc: nxp-nci: treat -ENXIO in IRQ thread as no data available nfc: nxp-nci: Add ISO15693 support nfc: nci: uart: Constify struct tty_ldisc_ops nfc: trf7970a: fix comment typos ==================== Link: https://patch.msgid.link/1aed7555-3d24-413c-b284-bc85fdd33055@ixit.cz Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-11dt-bindings: mailbox: qcom: Add IPCC support for Maili PlatformChunkai Deng
Document the Inter-Processor Communication Controller on the Qualcomm Maili Platform, which will be used to route interrupts across various subsystems found on the SoC. Signed-off-by: Chunkai Deng <chunkai.deng@oss.qualcomm.com> Reviewed-by: Manivannan Sadhasivam <mani@kernel.org> Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
2026-06-11io_uring/zcrx: kill dead 'sock' member in struct io_zcrx_argsJens Axboe
This member is only ever assigned, never read. Kill it. Signed-off-by: Jens Axboe <axboe@kernel.dk>
2026-06-11Merge branch 'tipc-fix-netlink-gate-and-receive-path-bugs'Jakub Kicinski
Michael Bommarito says: ==================== tipc: fix netlink gate and receive-path bugs This is v4 of the public TIPC series. The only change from v3 is in patch 1: TIPC_NL_MEDIA_SET now uses GENL_UNS_ADMIN_PERM like the other mutators, instead of GENL_ADMIN_PERM, so the whole series uses the namespace-aware CAP_NET_ADMIN check that matches the legacy TIPC netlink path. Patches 2 and 3 are unchanged. Patch 1 gives the TIPCv2 mutating generic-netlink operations the admin gate the legacy API already has, so a local unprivileged process can no longer change TIPC state. Patch 2 drops CONN_ACK messages that acknowledge more outstanding sends than exist, preventing the snt_unacked underflow. Patch 3 rejects peer bindings with lower > upper, which would otherwise leak binding-table memory. ==================== Link: https://patch.msgid.link/20260610124003.3831170-1-michael.bommarito@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-11tipc: reject inverted service ranges from peer bindingsMichael Bommarito
tipc_update_nametbl() inserts a binding advertised by a peer node using the lower and upper service-range bounds taken directly from the wire, without checking that lower <= upper. The local bind path validates the ordering (tipc_uaddr_valid()), but the name-distribution path does not. A binding with lower > upper is inserted at the far end of the service-range rbtree (keyed on lower) where no lookup or withdrawal can ever match it (service_range_foreach_match() requires sr->lower <= end). The publication, its service_range node and the augmented rbtree entry are then leaked for the lifetime of the namespace, and there is no per-peer cap equivalent to TIPC_MAX_PUBL on locally created bindings. Reject inverted ranges in the network path as well. A peer node can otherwise leak unbounded binding-table memory by sending PUBLICATION items with lower > upper. Fixes: 37922ea4a310 ("tipc: permit overlapping service ranges in name table") Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com> Reviewed-by: Tung Nguyen <tung.quang.nguyen@est.tech> Link: https://patch.msgid.link/20260610124003.3831170-4-michael.bommarito@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-11tipc: prevent snt_unacked underflow on CONN_ACKMichael Bommarito
tipc_sk_conn_proto_rcv() subtracts the peer-supplied connection ack count from the unsigned 16-bit send counter snt_unacked without checking that it does not exceed the number of messages actually outstanding: tsk->snt_unacked -= msg_conn_ack(hdr); msg_conn_ack() is read straight from a received CONN_MANAGER/CONN_ACK message. If the ack count is larger than snt_unacked, the subtraction wraps to a near-maximum value, leaving tsk_conn_cong() permanently true and starving the connection of further transmits. Validate the ACK count at the start of the CONN_ACK block and drop the message if it acknowledges more messages than are outstanding. A peer (or, for a local connection, the connected peer socket) can otherwise wedge a TIPC connection's send side by sending an oversized connection ack. Fixes: 10724cc7bb78 ("tipc: redesign connection-level flow control") Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com> Reviewed-by: Tung Nguyen <tung.quang.nguyen@est.tech> Link: https://patch.msgid.link/20260610124003.3831170-3-michael.bommarito@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-11tipc: require net admin for TIPCv2 netlink mutatorsMichael Bommarito
TIPCv2 registers mutating generic-netlink operations without admin permission flags. Generic netlink only checks CAP_NET_ADMIN when an operation sets GENL_ADMIN_PERM or GENL_UNS_ADMIN_PERM, so a local unprivileged process can currently change TIPC state through commands such as TIPC_NL_NET_SET, TIPC_NL_KEY_SET, TIPC_NL_KEY_FLUSH, and bearer enable/disable. The legacy TIPC netlink API already checks netlink_net_capable(..., CAP_NET_ADMIN) for administrative commands. Give the TIPCv2 mutators the equivalent generic-netlink gate. Use GENL_UNS_ADMIN_PERM, which maps to the same namespace-aware CAP_NET_ADMIN check that netlink_net_capable() performs, so the behaviour matches the legacy path and keeps working for CAP_NET_ADMIN holders in a non-initial user namespace (containers). A QEMU/KASAN repro run as uid/gid 65534 with zero effective capabilities previously succeeded in changing the network id and node identity, setting and flushing key material, and enabling/disabling a UDP bearer. With this patch applied the same operations fail with -EPERM. Fixes: 0655f6a8635b ("tipc: add bearer disable/enable to new netlink api") Link: https://lore.kernel.org/all/20260604163102.2658553-1-dominik.czarnota@trailofbits.com/ Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com> Reviewed-by: Tung Nguyen <tung.quang.nguyen@est.tech> Link: https://patch.msgid.link/20260610124003.3831170-2-michael.bommarito@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-11net: airoha: simplify WAN device check in airoha_dev_init()Lorenzo Bianconi
airoha_register_gdm_devices() iterates eth->ports[] in order, so GDM2's netdev is always registered before GDM3/GDM4. This means the explicit check for eth->ports[1] && eth->ports[1]->devs[0] is a redundant special-case of what airoha_get_wan_gdm_dev() already covers, since GDM2 is always marked as WAN during its own ndo_init. Remove the redundant check and rely solely on airoha_get_wan_gdm_dev() which handles both the GDM2-present and GDM2-absent cases. Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org> Reviewed-by: Alexander Lobakin <aleksander.lobakin@intel.com> Link: https://patch.msgid.link/20260610-airoha-eth-simplify-dev-init-v2-1-8f244e69b0d4@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-11net/sched: sch_hfsc: Don't make class passive twiceVictor Nogueira
update_vf() is called from two places for the same class during a single dequeue when the class's child qdisc (e.g. codel/fq_codel) drops its last packets while dequeuing: 1. The child calls qdisc_tree_reduce_backlog(), which, now that the child is empty, invokes hfsc_qlen_notify() -> update_vf(cl, 0, 0) and turns the class passive (cl_nactive is decremented up the hierarchy). 2. hfsc_dequeue() then calls update_vf(cl, qdisc_pkt_len(skb), cur_time) to charge the dequeued bytes. On the second call the class is already passive, but its child qdisc is still empty, so update_vf() arms go_passive again: if (cl->qdisc->q.qlen == 0 && cl->cl_flags & HFSC_FSC) go_passive = 1; The leaf is then skipped by the cl_nactive == 0 check inside the loop, which does not clear go_passive, so the stale go_passive propagates to the parent and decrements its cl_nactive a second time. A parent that still has other active children is driven to cl_nactive == 0 and removed from the vttree, even though those siblings are still backlogged. They are never dequeued again and the qdisc stalls. Fix this by only arming go_passive when the class is actually active, so an already-passive class no longer triggers a second passive transition. The byte accounting (cl->cl_total += len) still runs for every ancestor, so dequeued bytes continue to be counted exactly once. Fixes: 51eb3b65544c ("sch_hfsc: make hfsc_qlen_notify() idempotent") Reported-by: Anirudh Gupta <anirudhrudr@gmail.com> Closes: https://lore.kernel.org/netdev/CAN2cbVe79oj0O9==m4+4x3v+O+qzRagA=2=wkrp9i9=CqYvyZA@mail.gmail.com/ Tested-by: Anirudh Gupta <anirudhrudr@gmail.com> Acked-by: Jamal Hadi Salim <jhs@mojatatu.com> Signed-off-by: Victor Nogueira <victor@mojatatu.com> Link: https://patch.msgid.link/20260610132824.3027549-1-victor@mojatatu.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-11net: Stop leased rxq before uninstalling its memory providerDaniel Borkmann
netif_rxq_cleanup_unlease() tears down the memory provider that was installed on a physical RX queue through a netkit queue lease. It currently revokes the provider's DMA mappings before stopping the physical queue: __netif_mp_uninstall_rxq(virt_rxq, p); /* DMA unmap */ __netif_mp_close_rxq(phys_rxq->dev, rxq_idx, p); /* queue stop */ This inverts the ordering used by the regular teardown paths (normal device unregister and the io_uring zcrx close path), which stop the queue before revoking the provider's mappings. With the physical queue still live, its NAPI can keep consuming net_iov entries from the page_pool alloc cache after the __netif_mp_uninstall_rxq() has already cleared their dma_addr, opening a window for the device to DMA to a stale or zero address. Fix it by swapping the two calls so the queue is stopped (and its NAPI quiesced) before the provider is uninstalled. No functional regression was observed across repeated runs of the nk_qlease.py HW selftest, which exercises the lease teardown path; this was tested against fbnic QEMU emulation. Fixes: 5602ad61ebee ("net: Proxy netif_mp_{open,close}_rxq for leased queues") Reported-by: Ahmed Abdelmoemen <ahmedabdelmoumen05@gmail.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Cc: David Wei <dw@davidwei.uk> Reviewed-by: Bobby Eshleman <bobbyeshleman@meta.com> Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org> Link: https://patch.msgid.link/20260609212240.677889-1-daniel@iogearbox.net Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-11mlxsw: fix refcount leak in mlxsw_sp_vrs_lpm_tree_replace()Wentao Liang
When mlxsw_sp_vrs_lpm_tree_replace() fails after replacing some VRs, the error rollback loop does not correctly revert the preceding replacements. The loop decrements the index but fails to update the vr pointer, which still points to the VR that caused the failure. As a result, the condition and the rollback call always operate on the same VR, potentially calling mlxsw_sp_vr_lpm_tree_replace() multiple times on it while never rolling back the earlier VRs. Those VRs continue to hold a reference to new_tree acquired via mlxsw_sp_lpm_tree_hold(), leaking the reference count of new_tree. Fix by reinitializing vr inside the error loop with the updated index: vr = &mlxsw_sp->router->vrs[i]; so that the loop correctly iterates over all VRs that were actually replaced. Cc: stable@vger.kernel.org Fixes: fc922bb0dd94 ("mlxsw: spectrum_router: Use one LPM tree for all virtual routers") Signed-off-by: Wentao Liang <vulab@iscas.ac.cn> Reviewed-by: Ido Schimmel <idosch@nvidia.com> Link: https://patch.msgid.link/20260609084730.215732-1-vulab@iscas.ac.cn Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-11mlxsw: fix refcount leak in mlxsw_sp_port_lag_join()Wentao Liang
When mlxsw_sp_port_lag_index_get() fails, mlxsw_sp_port_lag_join() returns an error without releasing the lag reference obtained by the earlier mlxsw_sp_lag_get(). All other error paths in the function jump to the cleanup label that ends with mlxsw_sp_lag_put(), so this is a single missed release. Fix the leak by replacing the bare 'return err' with a goto to the existing error cleanup label, which will drop the reference safely. Cc: stable@vger.kernel.org Fixes: 0d65fc13042f ("mlxsw: spectrum: Implement LAG port join/leave") Signed-off-by: Wentao Liang <vulab@iscas.ac.cn> Reviewed-by: Ido Schimmel <idosch@nvidia.com> Link: https://patch.msgid.link/20260609083709.209743-1-vulab@iscas.ac.cn Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-11Merge branch 'ksz87xx-add-support-for-low-loss-cable-equalizer-errata'Jakub Kicinski
Fidelio Lawson says: ==================== ksz87xx: add support for low-loss cable equalizer errata This patch implements the KSZ87xx short cable erratum described in Microchip document DS80000687C for KSZ87xx switches and the following support article: Link: https://support.microchip.com/s/article/Solution-for-Using-CAT-5E-or-CAT-6-Short-Cable-with-a-Link-Issue-for-the-KSZ8795-Family According to the erratum, the embedded PHY receiver in KSZ87xx switches is tuned by default for long, high-loss Ethernet cables. When operating with short or low-loss cables (for example CAT5e or CAT6), the PHY equalizer may over-amplify the incoming signal, leading to internal distortion and link establishment failures. Microchip documents two independent mechanisms to mitigate this issue: adjusting the receiver low‑pass filter bandwidth and reducing the DSP equalizer initial value. These registers are located in the switch’s internal LinkMD table and cannot be accessed directly through a stand‑alone PHY driver. To keep the PHY‑facing API clean, this series models the erratum handling as vendor‑specific Clause 22 PHY registers, virtualized by the KSZ8 DSA driver. Accesses are intercepted by ksz8_r_phy() / ksz8_w_phy() and translated into the appropriate indirect LinkMD register writes. The erratum affects the shared PHY analog front‑end and therefore applies globally to the switch. Based on review feedback, the user‑visible interface is kept deliberately simple and predictable: - A boolean “short‑cable” PHY tunable applies a documented and conservative preset (LPF bandwidth 62MHz, DSP EQ initial value 0). This is the recommended KISS interface for the common short‑cable scenario. - Two additional integer PHY tunables allow advanced or experimental tuning of the LPF bandwidth and the DSP EQ initial value. These controls are orthogonal, have no ordering requirements, and simply override the corresponding setting when written. The tunables act as simple setters with no implicit state machine or invalid combinations, avoiding surprises for userspace and not relying on extended error reporting or netlink ethtool support. This series contains: 1. Support for the KSZ87xx low‑loss cable erratum in the KSZ8 DSA driver, including the short‑cable preset and orthogonal tuning controls. 2. Addition of vendor‑specific PHY tunable identifiers for the short‑cable preset, LPF bandwidth, and DSP EQ initial value. 3. Exposure of these tunables through the Micrel PHY driver via get_tunable / set_tunable callbacks. This version follows the design agreed upon during v3 review and reworks the interface accordingly. ==================== Link: https://patch.msgid.link/20260609-ksz87xx_errata_low_loss_connections-v10-0-9ba4418cf3db@exotec.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-11net: phy: micrel: expose KSZ87xx low-loss cable tunablesFidelio Lawson
Add support for the KSZ87xx low-loss cable PHY tunables in the Micrel PHY driver by implementing get_tunable and set_tunable callbacks. These callbacks expose vendor-specific PHY tunables used to control the KSZ87xx embedded PHY receiver behavior when operating with short or low-loss Ethernet cables. The tunables provide: - a boolean short-cable preset applying known good settings; - an integer LPF bandwidth control; - an integer DSP EQ initial value control. The Micrel PHY driver forwards these tunables via standard phy_read() / phy_write() operations, which are virtualized by the KSZ8 DSA driver and translated into the appropriate indirect switch register accesses. Reviewed-by: Marek Vasut <marex@nabladev.com> Reviewed-by: Nicolai Buchwitz <nb@tipi-net.de> Signed-off-by: Fidelio Lawson <fidelio.lawson@exotec.com> Link: https://patch.msgid.link/20260609-ksz87xx_errata_low_loss_connections-v10-3-9ba4418cf3db@exotec.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-11net: ethtool: add KSZ87xx low-loss cable PHY tunablesFidelio Lawson
Introduce vendor-specific PHY tunable identifiers to control the KSZ87xx low-loss cable erratum handling through the ethtool PHY tunable interface. The following tunables are added: - a boolean "short-cable" tunable, applying a documented and conservative preset intended for short or low-loss Ethernet cables; - an integer LPF bandwidth tunable, allowing advanced adjustment of the receiver low-pass filter bandwidth; - an integer DSP EQ initial value tunable, allowing advanced tuning of the PHY equalizer initialization. The actual behavior is implemented by the corresponding PHY and switch drivers. Reviewed-by: Marek Vasut <marex@nabladev.com> Reviewed-by: Nicolai Buchwitz <nb@tipi-net.de> Signed-off-by: Fidelio Lawson <fidelio.lawson@exotec.com> Link: https://patch.msgid.link/20260609-ksz87xx_errata_low_loss_connections-v10-2-9ba4418cf3db@exotec.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-11net: dsa: microchip: implement KSZ87xx Module 3 low-loss cable errataFidelio Lawson
Implement the KSZ87xx short cable workaround. This patch implements the KSZ87xx short cable erratum described in Microchip document DS80000687C for KSZ87xx switches and the following support article: Link: https://support.microchip.com/s/article/Solution-for-Using-CAT-5E-or-CAT-6-Short-Cable-with-a-Link-Issue-for-the-KSZ8795-Family The issue affects short or low-loss cable links (e.g. CAT5e/CAT6), where the PHY receiver equalizer may amplify high-amplitude signals excessively, resulting in internal distortion and link establishment failures. KSZ87xx devices require a workaround for the Module 3 low-loss cable condition, controlled through the switch TABLE_LINK_MD_V indirect registers. This change models the erratum handling as vendor-specific Clause 22 PHY registers, virtualized by the KSZ8 DSA driver and accessed via ksz8_r_phy() / ksz8_w_phy(). The following controls are provided: - A boolean “short-cable” preset, which applies a documented and conservative configuration (LPF 62 MHz bandwidth and DSP EQ initial value 0), and is the recommended interface for typical use cases. - Separate LPF bandwidth and DSP EQ initial value controls intended for advanced or experimental tuning. These are orthogonal and independent, and override the corresponding settings without requiring any specific ordering. The preset and tunables act as simple setters with no implicit state machine or invalid combinations, keeping the API predictable and aligned with the KISS principle. The erratum affects the shared PHY analog front-end and therefore applies globally to the switch. Reviewed-by: Nicolai Buchwitz <nb@tipi-net.de> Reviewed-by: Marek Vasut <marex@nabladev.com> Signed-off-by: Fidelio Lawson <fidelio.lawson@exotec.com> Link: https://patch.msgid.link/20260609-ksz87xx_errata_low_loss_connections-v10-1-9ba4418cf3db@exotec.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-11selftests/net/openvswitch: add flow modify testMinxi Hou
Add mod_flow() and the mod-flow CLI command to ovs-dpctl.py, exercising OVS_FLOW_CMD_SET. Add test_flow_set which first modifies an existing flow with new actions and verifies the change via traffic, then modifies the same flow without actions and verifies the kernel handles the no-actions case gracefully. The no-actions path is unreachable from userspace OVS tools (dpctl mod-flow requires actions) but reachable via raw netlink. This is the code path where Adrian Moreno found a possible kfree_skb of ERR_PTR when reply allocation fails after locking. Make parse() skip OVS_FLOW_ATTR_ACTIONS when actstr is None so the kernel enters the post-lock allocation branch in ovs_flow_cmd_set(). After the no-actions set, verify via dump-flows that the flow retained its drop action. Suggested-by: Aaron Conole <aconole@redhat.com> Signed-off-by: Minxi Hou <houminxi@gmail.com> Reviewed-by: Aaron Conole <aconole@redhat.com> Link: https://patch.msgid.link/20260609165725.107484-1-houminxi@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-11net: bcmgenet: convert RX path to page_poolNicolai Buchwitz
Replace the per-packet __netdev_alloc_skb() + dma_map_single() in the RX path with page_pool. SKBs are built from pool pages via napi_build_skb() with skb_mark_for_recycle() so the network stack returns pages to the pool, and DMA mapping happens once per page instead of once per packet. Reject HW-reported lengths smaller than the RSB so a runt cannot underflow the SKB build path. Drop the now-unused priv->rx_buf_len field and the rx_dma_failed soft MIB counter (nothing increments it after the conversion). This removes the "rx_dma_failed" entry from ethtool -S, which is a user-visible change for monitoring tools that key on stat names. Signed-off-by: Nicolai Buchwitz <nb@tipi-net.de> Reviewed-by: Justin Chen <justin.chen@broadcom.com> Tested-by: Justin Chen <justin.chen@broadcom.com> Link: https://patch.msgid.link/20260610114835.2225423-1-nb@tipi-net.de Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-11net: airoha: move get_sport() callback at the beginning of ↵Lorenzo Bianconi
airoha_enable_gdm2_loopback() Move the get_sport() callback invocation at the beginning of airoha_enable_gdm2_loopback() routine in order to avoid leaving the hardware in a partially configured state if get_sport() fails. Previously, get_sport() was called after GDM2 forwarding, loopback, channel, length, VIP and IFC registers had already been programmed. A failure at that point would return an error leaving GDM2 with loopback enabled but WAN port, PPE CPU port and flow control mappings not configured. Performing the get_sport() lookup before any register write guarantees the routine either completes the full configuration sequence or exits with no side effects on the hardware. Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org> Reviewed-by: Simon Horman <horms@kernel.org> Link: https://patch.msgid.link/20260608-airoha_enable_gdm2_loopback-minor-change-v1-1-1787a0f42b31@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-11Merge branch 'mptcp-pm-drop-tcp-ts-with-add_addrv6-port'Jakub Kicinski
Matthieu Baerts says: ==================== mptcp: pm: drop TCP TS with ADD_ADDRv6 + port Up to this series, it was possible to add a "signal" MPTCP endpoint with an IPv6 address and a port, or to directly request to send an ADD_ADDR with a v6 address and a port, but the expected ADD_ADDR wasn't sent when TCP timestamps was used for the connection. In fact, such signalling option cannot be sent when TCP timestamps is used due to a lack of option space: the limit is at 40 bytes, and, with padding, TCP timestamps is taking 12 bytes, while an ADD_ADDR IPv6 + port is taking 30 bytes. The selected solution here is to simply drop the TCP timestamps option when such ADD_ADDR of 30 bytes needs to be sent. - Patches 1-3: small cleanups to avoid computing ADD/RM_ADDR twice. - Patches 4-7: the new feature, controlled by a new sysctl knob. - Patch 8: extra checks in the MPTCP Join selftests. - Patches 9-15: A bunch of refactoring: renamed confusing helpers and variables, and prevent future misused functions. ==================== Link: https://patch.msgid.link/20260605-net-next-mptcp-add-addr6-port-ts-v2-0-758e7ca73f4d@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-11mptcp: options: rst: drop unused skb parameterMatthieu Baerts (NGI0)
It was passed since its introduction in commit dc87efdb1a5c ("mptcp: add mptcp reset option support"), but never used. Simply removes it. Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org> Link: https://patch.msgid.link/20260605-net-next-mptcp-add-addr6-port-ts-v2-15-758e7ca73f4d@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-11mptcp: pm: avoid using del_timer directlyMatthieu Baerts (NGI0)
mptcp_pm_announced_del_timer() removes the matched ADD_ADDR entry (if found) from the ADD_ADDR list only if check_id is false. That's dangerous, and not clear, because it means the caller should be free the entry only in some cases, and it easy to miss that. Instead, make it static, and call it from mptcp_pm_add_addr_echoed, which is the only other case where mptcp_pm_add_addr_del_timer should be called with check_id set to true. Bonus with that: a second call to mptcp_pm_add_addr_lookup_by_addr() can be avoided. Note that instead of adding the signature above to avoid a compilation issue because this helper is called before the definition of the function, the whole helper is moved above where it is first called. Its content is untouched, except the addition of the 'static' keyboard. Reviewed-by: Mat Martineau <martineau@kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org> Link: https://patch.msgid.link/20260605-net-next-mptcp-add-addr6-port-ts-v2-14-758e7ca73f4d@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-11mptcp: pm: make mptcp_pm_add_addr_send_ack staticMatthieu Baerts (NGI0)
Only used in pm.c. Note that the signature is added above: it is easier than moving the code around, because this helper depends on mptcp_pm_schedule_work which is declared below. While at it, explicitly mark it as to be called while pm->lock is held. Reviewed-by: Mat Martineau <martineau@kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org> Link: https://patch.msgid.link/20260605-net-next-mptcp-add-addr6-port-ts-v2-13-758e7ca73f4d@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-11mptcp: pm: remove add_ prefix from timerMatthieu Baerts (NGI0)
Similar to the two previous commits, using the 'add' prefix is confusing, also confirmed by [1]. Now that the structure has been renamed to include 'add_addr' in its name, easier to know the timer is linked to the ADD_ADDR, no need to add the confusing prefix, or an unneeded longer one. While at it, also update the ADD_ADDR timer helper to clearly specify it is linked to ADD_ADDR, and it is not there to add a new timer. Link: https://lore.kernel.org/20251117100745.1913963-1-edumazet@google.com [1] Reviewed-by: Mat Martineau <martineau@kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org> Link: https://patch.msgid.link/20260605-net-next-mptcp-add-addr6-port-ts-v2-12-758e7ca73f4d@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-11mptcp: pm: uniform announced addresses helpersMatthieu Baerts (NGI0)
Similar to the previous commit, only using the 'add' or 'anno' prefixes is confusing -- generally associated to the action of adding something, or the Latin name for "year" -- and lack of uniformity. This has been causing issues in the past, e.g. del_add_timer seemed to suggest the goal is to delete a previously added timer. Instead, use the mptcp_pm_announced_ prefix. While at it, slightly improves some helpers: - mptcp_lookup_anno_list_by_saddr: no need to specify what is used to do the lookup: mptcp_pm_announced_lookup. - mptcp_pm_sport_in_anno_list: it doesn't just compare the port, but the whole address linked to the sublow: mptcp_pm_announced_has_ssk. - mptcp_pm_alloc_anno_list: it allocates one item of the list, not a whole list: mptcp_pm_announced_alloc. Reviewed-by: Mat Martineau <martineau@kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org> Link: https://patch.msgid.link/20260605-net-next-mptcp-add-addr6-port-ts-v2-11-758e7ca73f4d@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-11mptcp: pm: rename add_entry structure to add_addrMatthieu Baerts (NGI0)
Using only the 'add' prefix is confusing: does it refer to a generic added entry or address, or specifically to ADD_ADDRs. Using add_addr removes this confusion. Reviewed-by: Mat Martineau <martineau@kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org> Link: https://patch.msgid.link/20260605-net-next-mptcp-add-addr6-port-ts-v2-10-758e7ca73f4d@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-11mptcp: pm: use for_each_subflow helperMatthieu Baerts (NGI0)
Similar to most places in the MPTCP code. So instead of passing the subflow list and use list_for_each_entry(subflow, list, node), pass the msk and use mptcp_for_each_subflow(msk, subflow). That's clearer and more uniform with the rest. While at it, add 'pm_' prefix for the exported one to easily identify the origin. Plus replace 'lookup' by 'has', because a bool is returned. Reviewed-by: Mat Martineau <martineau@kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org> Link: https://patch.msgid.link/20260605-net-next-mptcp-add-addr6-port-ts-v2-9-758e7ca73f4d@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-11selftests: mptcp: always check sent/dropped ADD_ADDRsMatthieu Baerts (NGI0)
Before, they were only checked on demand, but it seems better to check them each time received ADD_ADDRs are checked. Errors are only reported when the counter exists, and the value is not the expected one. This is similar to what is done in chk_join_nr: it reduces the output, and avoids a lot of 'skip' when validating older kernels. Also here, some tests need to adapt the default expected counters, e.g. when ADD_ADDR echo are dropped on the reception side, or it is not possible to send an ADD_ADDR due to the limited option space. Reviewed-by: Mat Martineau <martineau@kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org> Link: https://patch.msgid.link/20260605-net-next-mptcp-add-addr6-port-ts-v2-8-758e7ca73f4d@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-11selftests: mptcp: validate ADD_ADDRv6 + TS + portMatthieu Baerts (NGI0)
This validates the feature added by parent commit, where it is now possible to send an ADD_ADDR with a v6 IP address and a port number, while the connection is using TCP Timestamps. This test is simply a copy of the previous one: "signal address with port", but using IPv6 addresses. This test is only executed if the add_addr_v6_port_drop_ts sysctl knob is available. If not, it means the kernel doesn't support this feature. Reviewed-by: Mat Martineau <martineau@kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org> Link: https://patch.msgid.link/20260605-net-next-mptcp-add-addr6-port-ts-v2-7-758e7ca73f4d@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>