summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
10 daysfbdev: pm2fb: unwind WC setup on probe failureHaoxiang Li
Add arch_phys_wc_del() on error path to keep the write-combining setup balanced when later probe steps fail. Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com> Signed-off-by: Helge Deller <deller@gmx.de>
10 daysALSA: firewire: isight: bound the sample count to the packet payloadMaoyi Xie
isight_packet() takes the frame count from the device iso packet and checks it only against the device claimed iso length. count = be32_to_cpu(payload->sample_count); if (likely(count <= (length - 16) / 4)) isight_samples(isight, payload->samples, count); length is the iso header data_length. It can be up to 0xffff. So the gate allows a count up to about 16379. isight_samples() then copies count frames out of payload->samples into the PCM DMA buffer. payload->samples holds only 2 * MAX_FRAMES_PER_PACKET values. The device multiplexes two samples per frame. A count past MAX_FRAMES_PER_PACKET reads past the payload. A count past the buffer size writes past runtime->dma_area. The smallest PCM buffer is larger than MAX_FRAMES_PER_PACKET. Bounding the count to MAX_FRAMES_PER_PACKET keeps both the read and the write in range. A malicious or faulty Apple iSight on the FireWire bus reaches this during a normal capture. Add the MAX_FRAMES_PER_PACKET bound to the gate. Fixes: 3a691b28a0ca ("ALSA: add Apple iSight microphone driver") Suggested-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Cc: stable@vger.kernel.org Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com> Link: https://patch.msgid.link/178205454729.1900991.7807310178296762772@maoyixie.com Signed-off-by: Takashi Iwai <tiwai@suse.de>
10 daysALSA: usb-audio: qcom: Free QMI handleXu Rao
qc_usb_audio_probe() allocates svc->uaudio_svc_hdl separately from the uaudio_qmi_svc object. qmi_handle_release() releases the resources owned by an initialized QMI handle, but does not free the memory containing the struct qmi_handle itself. The probe error path and the remove path currently release the handle and then free svc, losing the last pointer to the separately allocated handle. This leaks one struct qmi_handle on each affected probe unwind and on each successful probe/remove cycle. Free the handle after qmi_handle_release() in both paths. Signed-off-by: Xu Rao <raoxu@uniontech.com> Link: https://patch.msgid.link/9108EC860F3F87DF+20260623071308.2549182-1-raoxu@uniontech.com Signed-off-by: Takashi Iwai <tiwai@suse.de>
10 daysALSA: hda: Add Lenovo Legion 7i 16IAX7 17AA3874 quirkKamlesh Chhetty
Lenovo Legion 7i 16IAX7 systems with Realtek ALC287 codec SSID 17aa:3874 and CSC3551/CS35L41 speaker amps do not provide the required CS35L41 _DSD properties in ACPI. Without a quirk, cs35l41-hda fails probing the amps with missing cirrus,dev-index / Platform not supported errors, leaving the built-in speakers silent. This model is similar to the already-supported 17AA386F Legion 7i 16IAX7 variant. Add the Realtek ALC287 quirk to select ALC287_FIXUP_CS35L41_I2C_2 and add 17AA3874 to the CS35L41 property table using the same two-amp external-boost configuration. Tested on a Lenovo Legion 7 16IAX7 with Ubuntu 7.0.0-22-generic. Both CSC3551 CS35L41 amps probe and bind, firmware loads, calibration applies, built-in speaker playback works, and the cirrus,dev-index failure is gone. Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221663 Link: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2157060 Signed-off-by: Kamlesh Chhetty <kamleshkc2002@gmail.com> Link: https://patch.msgid.link/20260622172247.19301-1-kamleshkc2002@gmail.com Signed-off-by: Takashi Iwai <tiwai@suse.de>
10 daysALSA: usb-audio: avoid kobject path lookup in DualSense matchDarvell Long
The DualSense jack-detection input handler verifies that a matching input device belongs to the same physical controller by building kobject path strings for both the input device and the USB audio device, then comparing the path prefix. This was observed when a weak physical connection caused the controller to rapidly disconnect and reconnect. During that repeated hotplug, snd_dualsense_ih_match() can run while the controller's USB device is being disconnected. kobject_get_path() walks ancestor kobjects and dereferences their names; if the USB device kobject name is no longer valid, this can fault in strlen(): RIP: 0010:strlen+0x10/0x30 Call Trace: kobject_get_path+0x34/0x150 snd_dualsense_ih_match+0x49/0xd0 [snd_usb_audio] input_register_device+0x566/0x6a0 ps_probe+0xb89/0x1590 [hid_playstation] The same ownership check can be done without building kobject path strings. The input device is parented below the HID device, USB interface and USB device, so walking the input device parent chain and comparing against the mixer USB device preserves the check without dereferencing kobject names during disconnect. Fixes: 79d561c4ec04 ("ALSA: usb-audio: Add mixer quirk for Sony DualSense PS5") Cc: <stable@vger.kernel.org> Assisted-by: Cute:gpt-5.5 Signed-off-by: Darvell Long <contact@darvell.me> Link: https://patch.msgid.link/20260624143723.2986353-1-contact@darvell.me Signed-off-by: Takashi Iwai <tiwai@suse.de>
10 daysALSA: hda/realtek: Add quirk for Acer Nitro ANV15-41Oleg Kucheryavenko
The Acer Nitro ANV15-41 laptop with ALC245 codec does not detect the headset microphone in the combo jack by default. Apply the ALC2XX_FIXUP_HEADSET_MIC quirk to fix it. Signed-off-by: Oleg Kucheryavenko <oleg.kucheryavenko2018@gmail.com> Link: https://patch.msgid.link/20260624191301.10162-1-oleg.kucheryavenko2018@gmail.com Signed-off-by: Takashi Iwai <tiwai@suse.de>
10 daysrtc: s35390a: fix typo in commentAlexandre Belloni
Fix trivial typo Link: https://patch.msgid.link/20260624204223.1479003-1-alexandre.belloni@bootlin.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
10 daysselftests/bpf: Test jited inline of bpf_get_smp_processor_id() for LoongArchTiezhu Yang
Add the testcase for the jited inline of bpf_get_smp_processor_id(), only for LoongArch currently. Here is the test result on LoongArch: $ sudo ./test_progs -t verifier_jit_inline #604/1 verifier_jit_inline/inline_bpf_get_current_task:OK #604/2 verifier_jit_inline/inline_bpf_get_smp_processor_id:OK #604 verifier_jit_inline:OK Summary: 1/2 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn> Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
10 daysselftests/bpf: Test jited inline of bpf_get_current_task() for LoongArchTiezhu Yang
Add the jited inline instruction of bpf_get_current_task() for LoongArch to pass the test case. Before: $ sudo ./test_progs -t verifier_jit_inline #604/1 verifier_jit_inline/inline_bpf_get_current_task:SKIP #604 verifier_jit_inline:SKIP Summary: 1/0 PASSED, 1 SKIPPED, 0 FAILED After: $ sudo ./test_progs -t verifier_jit_inline #604/1 verifier_jit_inline/inline_bpf_get_current_task:OK #604 verifier_jit_inline:OK Summary: 1/1 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn> Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
10 daysselftests/bpf: Add __arch_loongarch to limit test cases for LoongArchTiezhu Yang
Make it possible to limit certain tests to LoongArch, just like it is already done for x86_64, arm64, riscv64, and s390x. This is a follow up patch of: commit ee7fe84468b1 ("selftests/bpf: __arch_* macro to limit test cases to specific archs") commit 1e4e6b9e260d ("selftests/bpf: Add __arch_s390x macro") Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn> Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
10 daysselftests/bpf: Add get_preempt_count() support for LoongArchTiezhu Yang
There is no LoongArch support for get_preempt_count() currently and its fallback path always returns 0, just add it so that bpf_in_interrupt(), bpf_in_nmi(), bpf_in_hardirq(), bpf_in_serving_softirq(), bpf_in_task() work for LoongArch as well. The latest kernels select CONFIG_THREAD_INFO_IN_TASK, it can just read preempt_count from the thread_info which is embedded within task_struct. With this patch, "./test_progs -t exe_ctx" passes on LoongArch. Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn> Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
10 daysLoongArch: dts: Add i2c clocks and clock-frequency properties to LS2K2000Hongliang Wang
Add missing clocks and clock-frequency properties to i2c nodes for LS2K2000. Signed-off-by: Hongliang Wang <wanghongliang@loongson.cn> Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
10 daysLoongArch: dts: Add i2c clocks and clock-frequency properties to LS2K1000Hongliang Wang
Add missing clocks and clock-frequency properties to i2c nodes for LS2K1000. Signed-off-by: Hongliang Wang <wanghongliang@loongson.cn> Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
10 daysLoongArch: dts: Add i2c clocks and clock-frequency properties to LS2K0500Hongliang Wang
Add missing clocks and clock-frequency properties to i2c nodes for LS2K0500. Signed-off-by: Hongliang Wang <wanghongliang@loongson.cn> Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
10 daysLoongArch: BPF: Inline bpf_get_smp_processor_id() helperTiezhu Yang
The pointer to thread_info is always available in the $tp register, so the call to bpf_get_smp_processor_id() can be inlined into a single load instruction. (1) Here is the sample test.c: #include <linux/bpf.h> #include <bpf/bpf_helpers.h> SEC("raw_tp/sys_enter") int test_cpuid(void *ctx) { return bpf_get_smp_processor_id(); } char _license[] SEC("license") = "GPL"; (2) Here are the test steps: sudo yum install libbpf-devel kernel-devel bpftool clang -target bpf -O2 -c test.c -o test.o sudo sysctl -w net.core.bpf_jit_enable=1 sudo bpftool prog show name test_cpuid sudo rm -f /sys/fs/bpf/test_cpuid sudo bpftool prog load test.o /sys/fs/bpf/test_cpuid ID=$(sudo bpftool prog show pinned /sys/fs/bpf/test_cpuid | grep -oE '^[0-9]+') sudo bpftool prog dump jited id $ID (3) Here are the test results: Before: 6 instructions ... 64: lu12i.w $t1, 1213 68: ori $t1, $t1, 1680 6c: lu32i.d $t1, 0 70: lu52i.d $t1, $t1, -1792 74: jirl $ra, $t1, 0 78: move $a5, $a0 ... After: 1 instruction ... 64: ld.wu $a5, $tp, 16 ... This is similar with commit 2ddec2c80b44 ("riscv, bpf: inline bpf_get_smp_processor_id()"). Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn> Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
10 daysLoongArch: BPF: Inline bpf_get_current_task/_btf() helpersTiezhu Yang
The pointer to task_struct is always available in the $tp register, so the calls to bpf_get_current_task() and bpf_get_current_task_btf() can be inlined into a single move instruction. (1) Here is the sample test.c: #include <linux/bpf.h> #include <bpf/bpf_helpers.h> SEC("raw_tp/sys_enter") long test_task(void *ctx) { return (long)bpf_get_current_task(); } char _license[] SEC("license") = "GPL"; (2) Here are the test steps: sudo yum install libbpf-devel kernel-devel bpftool clang -target bpf -O2 -c test.c -o test.o sudo sysctl -w net.core.bpf_jit_enable=1 sudo bpftool prog show name test_task sudo rm -f /sys/fs/bpf/test_task sudo bpftool prog load test.o /sys/fs/bpf/test_task ID=$(sudo bpftool prog show pinned /sys/fs/bpf/test_task | grep -oE '^[0-9]+') sudo bpftool prog dump jited id $ID (3) Here are the test results: Before: 6 instructions ... 64: lu12i.w $t1, 1093 68: ori $t1, $t1, 3320 6c: lu32i.d $t1, 0 70: lu52i.d $t1, $t1, -1792 74: jirl $ra, $t1, 0 78: move $a5, $a0 ... After: 1 instruction ... 64: move $a5, $tp ... This is similar with commit 2bb138cb20a6 ("bpf, arm64: Inline bpf_get_current_task/_btf() helpers"). Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn> Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
10 daysLoongArch: BPF: Fix off-by-one error in tail callTiezhu Yang
The current code updates the tail call counter (TCC) using a pre-increment approach, it stores the incremented value back to memory before performing any boundary or target validation checks. This causes two major issues: 1. When a tail call fails because the target program is NULL, the TCC is incorrectly incremented and saved in memory anyway. 2. This dummy increment implicitly consumes one slot of the allowed tail call budget. As a result, the subsequent loop reaches the maximum limit prematurely, leading to a test failure where the actual loop count is 32 instead of the expected 33. Fix this by deferring the counter update. Change the branch condition to BPF_JSGE (greater or equal) so that we check the boundary first. The TCC is only incremented and stored back to memory after the boundary check and the NULL-target check both pass. Before: $ sudo ./test_progs -t tailcalls/tailcall_3 ... test_tailcall_count:FAIL:tailcall count unexpected tailcall count: actual 32 != expected 33 ... #465/3 tailcalls/tailcall_3:FAIL #465 tailcalls:FAIL After: $ sudo ./test_progs -t tailcalls/tailcall_3 #465/3 tailcalls/tailcall_3:OK #465 tailcalls:OK Summary: 1/1 PASSED, 0 SKIPPED, 0 FAILED Fixes: c0fcc955ff82 ("LoongArch: BPF: Fix the tailcall hierarchy") Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn> Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
10 daysLoongArch: BPF: Fix outdated tail call commentsTiezhu Yang
The current LoongArch BPF JIT implementation hardcodes the number of prologue instructions skipped during a tail call as a magic number '7' in the jirl instruction. However, the accompanying comment explaining this offset is completely outdated. It inaccurately states that only a single TCC initialization instruction is bypassed, but in reality, multiple setup slots are skipped, so fix these outdated comments in __build_epilogue(). While at it, refine the comments in build_prologue() to describe the skipped setup slots (RA saving, fentry nops, and the TCC register slot) using proper dynamic tracing context. Also, remove the magic number '7' by introducing descriptive macros to formally define the prologue layout and make the tail call jump offset self-documenting. Fixes: 61319d15a560 ("LoongArch: BPF: Adjust the jump offset of tail calls") Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn> Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
10 daysLoongArch: Add build salt to the vDSOBastian Blank
The vDSO needs to have a unique build id in a similar manner to the kernel and modules. Use the build salt macro. Signed-off-by: Bastian Blank <waldi@debian.org> Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
10 daysLoongArch: Fix nr passing in set_direct_map_valid_noflush()Xuewen Wang
set_direct_map_valid_noflush() incorrectly passes 1 to __set_memory() instead of nr. This causes only the first page's attr to be updated when nr > 1. Other architectures all pass nr correctly. Cc: stable@vger.kernel.org Fixes: 0c6378a71574 ("arch: introduce set_direct_map_valid_noflush()") Signed-off-by: Xuewen Wang <wangxuewen@kylinos.cn> Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
10 daysLoongArch: Fix missing dirty page tracking in {pte,pmd}_wrprotect()Hongchen Zhang
When hardware page table walker (PTW) is enabled on LoongArch, the CPU may set _PAGE_DIRTY directly in the page table entry during a write TLB miss, without going through the software TLB store handler. The software TLB store handler (tlbex.S:254) sets both _PAGE_DIRTY and_PAGE_MODIFIED together: ori t0, t0, (_PAGE_VALID | _PAGE_DIRTY | _PAGE_MODIFIED) Since hardware PTW only sets _PAGE_DIRTY, the software-only bit, i.e. _PAGE_MODIFIED is left unchanged. This creates a window where a PTE has _PAGE_DIRTY set (hardware knows the page is dirty) but _PAGE_MODIFIED clear (software is unaware). When fork()/clone() triggers copy-on-write, __copy_present_ptes() calls pte_wrprotect(), which unconditionally clears both the _PAGE_WRITE and _PAGE_DIRTY bits: pte_val(pte) &= ~(_PAGE_WRITE | _PAGE_DIRTY); Since _PAGE_MODIFIED was never set, the dirtiness information is lost completely. Subsequently, when memory pressure triggers page reclaim, page_mkclean() / try_to_unmap() sees the page as clean (i.e. pte_dirty() returns false) and the page may be freed without writeback, causing data corruption. Fix this by propagating the _PAGE_DIRTY bit to the _PAGE_MODIFIED bit in both pte_wrprotect() and pmd_wrprotect() before clearing writeable bits: if (pte_val(pte) & _PAGE_DIRTY) pte_val(pte) |= _PAGE_MODIFIED; The pmd_wrprotect() fix handles the CONFIG_TRANSPARENT_HUGEPAGE case, where pmd entries need the same treatment. This ensures the software dirty tracking bit (checked by pte_dirty() and pmd_dirty(), which read both the _PAGE_DIRTY and _PAGE_MODIFIED bits) is preserved across fork COW write-protection. The issue was found by the LTP madvise09 test case, which exercises page reclaim after "madvise(MADV_FREE), write and fork" operation sequence on private anonymous mappings. Cc: stable@vger.kernel.org Fixes: 09cfefb7fa70 ("LoongArch: Add memory management") Co-developed-by: Tianyang Zhang <zhangtianyang@loongson.cn> Signed-off-by: Tianyang Zhang <zhangtianyang@loongson.cn> Signed-off-by: Hongchen Zhang <zhanghongchen@loongson.cn> Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
10 daysLoongArch: Move struct kimage forward declaration before use谢致邦 (XIE Zhibang)
arch_kimage_file_post_load_cleanup() and load_other_segments(), both inside the CONFIG_KEXEC_FILE block, take a struct kimage pointer before the forward declaration appears. Move the forward declaration above so it precedes its first use instead of relying on a transitive include. Fixes: d162feec6b6e ("LoongArch: Add preparatory infrastructure for kexec_file") Signed-off-by: 谢致邦 (XIE Zhibang) <Yeking@Red54.com> Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
10 daysLoongArch: Report dying CPU to RCU in stop_this_cpu()Huacai Chen
This is a port of MIPS commit 9f3f3bdc6d9dac1 ("MIPS: smp: report dying CPU to RCU in stop_this_cpu()"). smp_send_stop() parks all secondary CPUs in stop_this_cpu(). And the function marks the CPU offline for the scheduler via set_cpu_online(false) but never informs RCU, so RCU keeps expecting a quiescent state from CPUs that are now spinning forever with interrupts disabled. As long as nothing waits for an RCU grace period after smp_send_stop() this is harmless, which is why it went unnoticed. However, since commit 91840be8f710370 ("irq_work: Fix use-after-free in irq_work_single() on PREEMPT_RT"), irq_work_sync() calls synchronize_rcu() on architectures without an irq_work self-IPI, i.e. where arch_irq_work_has_interrupt() returns false. Any irq_work_sync() issued in the reboot/shutdown/halt path after smp_send_stop() then blocks on a grace period that can never complete, hanging the reboot: WARNING: CPU: 0 PID: 15 at kernel/irq_work.c:144 irq_work_queue_on ... rcu: INFO: rcu_sched detected stalls on CPUs/tasks: rcu: Offline CPU 1 blocking current GP. rcu: Offline CPU 2 blocking current GP. rcu: Offline CPU 3 blocking current GP. This issue needs some hacks to reproduce, and it was not noticed on LoongArch because arch_irq_work_has_interrupt() usually returns true. Call rcutree_report_cpu_dead() once interrupts are disabled, mirroring the generic CPU-hotplug offline path, so RCU stops waiting on the parked CPUs and grace periods can still complete. LoongArch shuts down all CPUs here without going through the CPU-hotplug mechanism, so this report is not otherwise issued. Cc: <stable@vger.kernel.org> Fixes: 91840be8f710 ("irq_work: Fix use-after-free in irq_work_single() on PREEMPT_RT") Reviewed-by: Guo Ren <guoren@kernel.org> Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
10 daysLoongArch: Add PIO for early access before ACPI PCI root registerHuacai Chen
For ACPI system we suppose the ISA/LPC PIO range is registered together with PCI root bridge. But the fact is there may be some early access to the ISA/LPC PIO range before ACPI PCI root register (most of them are due to abnormal BIOS). Unconditionally register the ISA/LPC PIO range usually causes ACPI PCI root register fail because of the address range confliction. So we add a pair of helpers: acpi_add_early_pio() to add PIO for early access, and acpi_remove_early_pio() to remove PIO before PCI root register. Since acpi_remove_early_pio() may be called multiple times, we add an acpi_pio flag to ensure PIO be removed only once. Cc: <stable@vger.kernel.org> Tested-by: Yuanzhen Gan <elysia-best@simplelinux.cn.eu.org> Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
10 daysLoongArch: Add THREAD_INFO_IN_TASK implementationTiezhu Yang
Like other architectures such as x86, arm64, riscv, powerpc and s390, select THREAD_INFO_IN_TASK for LoongArch to move thread_info off the stack into task_struct. This follows modern kernel standards and also makes the system more secure. With this patch, thread_info is included in task_struct at an offset of 0 instead of being placed at the bottom of the kernel stack. Thus, the $tp register points to both thread_info and task_struct. To support this, introduce a per-CPU variable cpu_tasks to store the pointer to the current task_struct. This decouples the recovery of the $tp register from the stack pointer during exception entry. Then initialize cpu_tasks for the primary and secondary CPUs during arch-specific setup and SMP boot paths. To eliminate the dangerous windows during the early initialization where the cpu_tasks remains uninitialized, set_current() is invoked as early as possible in both setup_arch() and start_secondary(). This ensures the $tp recovery barrier is armed in case any early boot exceptions or kernel panics occur. Modify SAVE_SOME and handle_syscall to restore the $tp register from cpu_tasks, and also use the la_abs absolute addressing for cpu_tasks access in assembly to bypass the relocation limits within exception handling sections. By advancing the preservation of u0 in SAVE_SOME, we reuse the PERCPU_BASE_KS value in u0 for the cpu_tasks calculation, effectively eliminating a duplicate csrrd instruction execution on SMP platforms. Update <asm/switch_to.h> and <kernel/switch.S> to fully support the CONFIG_THREAD_INFO_IN_TASK feature. Remove the obsolete next_ti argument from __switch_to(), which shifts the remaining arguments ahead in the calling convention (sched_ra from a3 to a2, and sched_cfa from a4 to a3). Under the new configuration, __switch_to() now directly derives the thread pointer ($tp) from the next task_struct pointer in a1. To preserve the optimal and clean "move tp, a1" path for 64-bit kernels, the thread pointer ($tp) is assigned directly from a1 in the core path. For 32-bit kernels, where a1 carries a 2000-byte structural pointer bias at entry, an explicit adjustment "PTR_ADDI tp, tp, -TASK_STRUCT_OFFSET" is introduced at the function exit. In the context of __switch_to(), local interrupts are disabled, and the kernel is in a critical switching phase where handling any synchronous exception is practically impossible and prohibited. If any synchronous exception or watchpoint does trigger in this narrow window, it constitutes a fatal double fault and the kernel is expected to die/panic immediately anyway. Therefore, the temporary biased value in $tp is safe and acceptable here. Additionally, evaluate the stack lookup as a single load instruction "LONG_LPTR t0, a1, (TASK_STACK - TASK_STRUCT_OFFSET)", this perfectly satisfies both 32-bit and 64-bit kernels. Using the "next" pointer in a1 as the base register, rather than $tp, effectively unchains the data dependency (RAW hazard) from the preceding move instruction, maximizing the instruction-level parallelism and superscalar execution efficiency while naturally adapting the structural shift. With CONFIG_THREAD_INFO_IN_TASK enabled, the kernel stack life cycle is decoupled from task_struct and can be freed concurrently. Currently, show_stacktrace() reads raw stack data via __get_addr() and subsequently calls show_backtrace() to unwind the frame, without holding any reference to the target task's stack. If show_stacktrace() is called on a concurrently exiting task, it could attempt to read from a freed or reallocated kernel stack. This introduces a severe use-after-free (UAF) read risk or kernel panics. Wrap the entire stack inspection process inside show_stacktrace() with a try_get_task_stack() and put_task_stack() pair. This ensures the task stack remains pinned safely during both the raw stack data dump loop and the subsequent stack unwinding phase. Also, ensure that the task pointer is initialized to "current" early if it is NULL, so that try_get_task_stack() always operates on a valid task reference. Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn> Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
10 daysMerge tag 'nf-26-06-23' of ↵Jakub Kicinski
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf Pablo Neira Ayuso says: ==================== Netfilter fixes for net The following patchset contains Netfilter fixes for net: 1) Add a workaround to avoid a possible crash if nf_nat and nft_chain_nat are compiled built-in and nf_nat fails to register, allowing nft_chain_nat to access the incorrect pernetns area. This is crash specific of all built-in compilation. From Matias Krause. 2) Revisit conncount GC optimization for confirmed conntracks, skip GC round if IPS_ASSURED is set on. This is addressing an issue for corner case use case scenario involving locally generated traffic. No crash, just a functionality fix. From Fernando F. Mancera. 3) Validate iph->ihl in flowtable IPIP tunnel support, from Lorenzo Bianconi. This a sanity check to bounces back malformed IPIP packets to classic forwarding path. 4) Kdoc fixes for x_tables.h, from Randy Dunlap. 5) Use info->options so nft_synproxy_tcp_options() stays on the same local snapshot, otherwise eval path can observe inconsistent mix of mss and timestamps. From Runyu Xiao. 6) Add conntrack_sctp_collision.sh to cover for SCTP INIT collisions. From Yi Chen. 7) Do not allow NFPROTO_UNSPEC targets if family is NFPROTO_BRIDGE in nft_compat. This allows to use non-sense targets such as xt_nat leading to crash. From Florian Westphal. 8) Add a selftest queueing from bridge family. From Florian Westphal. 9) Do not allow to reset a conntrack helper via ctnetlink. This feature antedates the creation of the conntrack-tools, and it is not used I don't have a usecase for it, I prefer to remove than fixing it. 10) Add deprecation warning for IPv4 only conntrack helpers for PPTP and IRC. From Florian Westphal. 11) Store the master tuple in the expectation object and use it, otherwise SLAB_TYPESAFE_RCU rules allow to display incorrect master tuple information through ctnetlink. 12) Run expectation eviction when inserting an expectation with no helper, this is a fix for the nft_ct custom expectation support. 13) Fix nft_ct custom expectation timeouts, userspace provides a timeout in milliseconds but kernel assumes this comes in seconds. From Florian Westphal. 14) Cap maximum number of expectations per class to 255 expectations per master conntrack at helper registration. This is a fix to restrict the maximum number of expectations per master conntrack which can be a issue for the new lazy GC expectation approach. * tag 'nf-26-06-23' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf: netfilter: nf_conntrack_helper: cap maximum number of expectation at helper registration netfilter: nft_ct: expectation timeouts are passed in milliseconds netfilter: nf_conntrack_expect: run expectation eviction with no helper netfilter: nf_conntrack_expect: store master_tuple in expectation netfilter: conntrack: add deprecation warnings for irc and pptp trackers netfilter: ctnetlink: do not allow to reset helper on existing conntrack selftests: nft_queue.sh: add a bridge queue test netfilter: nft_compat: ebtables emulation must reject non-bridge targets selftests: netfilter: conntrack_sctp_collision.sh: Introduce SCTP INIT collision test netfilter: nft_synproxy: stop bypassing the priv->info snapshot netfilter: x_tables.h: fix all kernel-doc warnings netfilter: flowtable: Validate iph->ihl in nf_flow_ip4_tunnel_proto() netfilter: nf_conncount: prevent connlimit drops for early confirmed ct netfilter: nf_nat: avoid invalid nat_net pointer use on failed nf_nat_init() ==================== Link: https://patch.msgid.link/20260623221548.701545-1-pablo@netfilter.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
10 daysMerge branch '100GbE' of ↵Jakub Kicinski
git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue Tony Nguyen says: ==================== Intel Wired LAN Driver Updates 2026-06-22 (ice, i40e, e1000e) For ice: Dawid changes call to release control VSI during reset to prevent leaking it. Lukasz fixes flow control error check to check value rather than treat is as bitmap values. Paul makes link related errors non-fatal to probe to allow for recovery in certain NVM update situations. Marcin moves netif_keep_dst() to only be called once when entering switchdev mode. ZhaoJinming adds a cleanup path for ice_dpll_init_info() to prevent memory leaks on error path. For i40e: Mohamed Khalfella corrects argument passed in macro to match the one provided to the macro. For e1000e: Dima resolves power state issues by adjusting value of PLL clock gate and re-enabling K1; a quirk table is added to keep it off for known bad systems. * '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue: e1000e: Reconfigure PLL clock gate timeout and re-enable K1 on Meteor Lake i40e: Fix i40e_debug() to use struct i40e_hw argument ice: dpll: fix memory leak in ice_dpll_init_info error paths ice: dpll: set pointers to NULL after kfree in ice_dpll_deinit_info ice: call netif_keep_dst() once when entering switchdev mode ice: fix ice_init_link() error return preventing probe ice: fix AQ error code comparison in ice_set_pauseparam() ice: fix FDIR CTRL VSI resource leak in ice_reset_all_vfs() ==================== Link: https://patch.msgid.link/20260622220059.2471844-1-anthony.l.nguyen@intel.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
10 daysMerge branch 'net-stmmac-dwmac-spacemit-fix-wrong-macro-definition'Jakub Kicinski
Inochi Amaoto says: ==================== net: stmmac: dwmac-spacemit: Fix wrong macro definition Fix Wrong macro definition of the Spacemit K3. ==================== Link: https://patch.msgid.link/20260623074637.503864-1-inochiama@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
10 daysnet: stmmac: dwmac-spacemit: Fix wrong irq definitionInochi Amaoto
The current irq definition of the wake irq and the lpi irq is wrong, replace them with the right number and name. Fixes: 30f0ba420ed3 ("net: stmmac: Add glue layer for Spacemit K3 SoC") Signed-off-by: Inochi Amaoto <inochiama@gmail.com> Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com> Link: https://patch.msgid.link/20260623074637.503864-3-inochiama@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
10 daysnet: stmmac: dwmac-spacemit: Fix wrong phy interface definitionInochi Amaoto
The current MII interface register definition from the vendor is wrong, use the right number for the macro. Also, correct the interface mask in spacemit_set_phy_intf_sel() so it can update the register with the right number Fixes: 30f0ba420ed3 ("net: stmmac: Add glue layer for Spacemit K3 SoC") Signed-off-by: Inochi Amaoto <inochiama@gmail.com> Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com> Link: https://patch.msgid.link/20260623074637.503864-2-inochiama@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
10 daysnet: ethernet: sunplus: spl2sw: fix phy_node refcount leak in removeShitalkumar Gandhi
mac->phy_node is acquired via of_parse_phandle() in spl2sw_probe() and stored in the mac private data, transferring ownership of the device_node reference to mac. On driver removal, spl2sw_phy_remove() disconnects the PHY but never drops that reference, so each probe-then-remove cycle leaks one of_node refcount per port permanently. Drop the reference after phy_disconnect(). While at it, remove the redundant inner "if (ndev)" check; comm->ndev[i] was just verified non-NULL on the line above. Compile-tested only; no SP7021 hardware available. Fixes: fd3040b9394c ("net: ethernet: Add driver for Sunplus SP7021") Signed-off-by: Shitalkumar Gandhi <shitalkumar.gandhi@cambiumnetworks.com> Reviewed-by: Andrew Lunn <andrew@lunn.ch> Link: https://patch.msgid.link/f3bdd4c91f3e2269b4e256075f9dc70808b1b8e9.1782195965.git.shitalkumar.gandhi@cambiumnetworks.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
10 daystools/ynl: add missing uapi header deps in Makefile.depsThorsten Leemhuis
drm_ras includes drm/drm_ras.h, which is a relatively new header not yet shipped in most distro kernel-header packages. Without the explicit entry, the build might fail with a message like this: drm_ras-user.c:19:10: error: ‘DRM_RAS_CMD_CLEAR_ERROR_COUNTER’ \ undeclared here (not in a function); did you mean \ ‘DRM_RAS_CMD_GET_ERROR_COUNTER’ Signed-off-by: Thorsten Leemhuis <linux@leemhuis.info> Link: https://patch.msgid.link/20260623070818.2161810-1-linux@leemhuis.info Signed-off-by: Jakub Kicinski <kuba@kernel.org>
10 daysnet: sungem: fix probe error cleanupRuoyu Wang
gem_init_one() calls gem_remove_one() when register_netdev() fails. gem_remove_one() unregisters and frees resources owned by the net_device, including the DMA block, MMIO mapping, PCI regions, and the net_device itself. gem_init_one() then falls through to its own cleanup labels and frees the same resources again. Keep the register_netdev() error path in gem_init_one(): clear drvdata so PM/remove paths do not see a half-registered device, remove the NAPI instance added during probe, and let the existing cleanup labels release the resources once. The issue was found by a local static-analysis checker for probe error paths. The reported path was manually inspected before sending this fix. Compile-tested with CONFIG_SUNGEM=y. Runtime testing was not performed because no sungem hardware is available. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Ruoyu Wang <ruoyuw560@gmail.com> Reviewed-by: Simon Horman <horms@kernel.org> Link: https://patch.msgid.link/20260623025759.3468566-1-ruoyuw560@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
10 daysnet/tcp-ao: fix use-after-free of key in del_async pathHanQuan
In tcp_ao_delete_key(), the del_async path skips the current_key and rnext_key validity checks present in the synchronous path, assuming these pointers are always NULL on LISTEN sockets. However, if a key was added with set_current=1/set_rnext=1 while the socket was in CLOSE state, current_key and rnext_key will be non-NULL after listen() transitions the socket to LISTEN. When such a key is deleted with del_async=1, hlist_del_rcu() and call_rcu() free the key without clearing the dangling pointers. After the RCU grace period, getsockopt(TCP_AO_INFO) dereferences current_key->sndid and rnext_key->rcvid from freed slab memory. Clear current_key and rnext_key in the del_async path when they reference the key being deleted. Fixes: d6732b95b6fb ("net/tcp: Allow asynchronous delete for TCP-AO keys (MKTs)") Signed-off-by: HanQuan <eilaimemedsnaimel@gmail.com> Reviewed-by: Eric Dumazet <edumazet@google.com> Link: https://patch.msgid.link/20260623015208.1191687-1-eilaimemedsnaimel@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
10 daystools: ynl: build archives with $(AR)Greg Thelen
Use $(AR) to allow build system to override the archiver tool (e.g., when cross-compiling for a different architecture) by setting the AR environment variable. GNU Make defaults AR to ar, so this change will not break existing build environments that do not explicitly set AR. Fixes: 07c3cc51a085 ("tools: net: package libynl for use in selftests") Fixes: 86878f14d71a ("tools: ynl: user space helpers") Signed-off-by: Greg Thelen <gthelen@google.com> Link: https://patch.msgid.link/20260622161659.145047-1-gthelen@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
10 dayseth: mlx5: fix macsec dependencyArnd Bergmann
Configurations with mlx5 built-in but macsec=m fail to link: x86_64-linux-ld: drivers/infiniband/hw/mlx5/macsec.o: in function `mlx5r_add_gid_macsec_operations': macsec.c:(.text+0x77d): undefined reference to `macsec_netdev_is_offloaded' x86_64-linux-ld: drivers/infiniband/hw/mlx5/macsec.o: in function `mlx5r_del_gid_macsec_operations': macsec.c:(.text+0xe81): undefined reference to `macsec_netdev_is_offloaded' Fix the dependency so this configuration cannot happen. Signed-off-by: Arnd Bergmann <arnd@arndb.de> Reviewed-by: Sabrina Dubroca <sd@queasysnail.net> Link: https://patch.msgid.link/20260622124229.2444502-1-arnd@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
10 daysnet: usb: kalmia: bound RX frame length in kalmia_rx_fixup()Maoyi Xie
kalmia_rx_fixup() computes usb_packet_length = skb->len - (2 * KALMIA_HEADER_LENGTH) as a u16, guarded only by a pre-loop check that skb->len is at least KALMIA_HEADER_LENGTH, which is 6. A device can deliver a short bulk-IN frame with skb->len in the 6 to 11 range, or leave a short trailing remainder on a later loop iteration. Either case underflows usb_packet_length to about 65530. That bypasses the usb_packet_length < ether_packet_length truncation path. The device-supplied ether_packet_length, a le16 up to 65535 read from header_start[2], then drives a memcmp() and the following skb_trim() and skb_pull() past the end of the rx buffer. The rx buffer is hard_mtu * 10, which is 14000 bytes. That is an out of bounds read. Require both the start and end framing headers to be present before subtracting them, on every loop iteration. Fixes: d40261236e8e ("net/usb: Add Samsung Kalmia driver for Samsung GT-B3730") Cc: stable@vger.kernel.org Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com> Reviewed-by: Andrew Lunn <andrew@lunn.ch> Link: https://patch.msgid.link/178211531778.2216480.12637613349790980750@maoyixie.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
10 daysgeneve: validate inner network offset in geneve_gro_complete()Xiang Mei
Even with both paths gated on gs->gro_hint, geneve_gro_complete() re-derives the inner dispatch type and length from the packet and the current gs->gro_hint, independently of geneve_gro_receive(). The two can disagree if gs->gro_hint flips under a concurrent geneve_quiesce()/ geneve_unquiesce() (sk_user_data is NULL across a synchronize_net()), or if the re-read option bytes differ from the ones receive parsed. geneve_gro_receive() already records the inner network header position in NAPI_GRO_CB()->inner_network_offset. Have geneve_gro_complete() compute the offset it is about to dispatch at, adding ETH_HLEN in the ETH_P_TEB case where eth_gro_complete() steps over the inner MAC header, and bail out if it lands past inner_network_offset. Use a lower bound rather than exact equality: between gh_len and the inner L3 header, geneve_gro_receive() may also have pulled an inner VLAN tag (vlan_gro_receive() advances the recorded offset past it), which only moves inner_network_offset further out. A valid frame therefore always satisfies inner_nh <= inner_network_offset, while a gh_len inflated by a hint gro_receive() did not honour dispatches past the validated inner header, i.e. the out-of-bounds completion. Only the latter is rejected. Fixes: fd0dd796576e ("geneve: use GRO hint option in the RX path") Suggested-by: Paolo Abeni <pabeni@redhat.com> Co-developed-by: Weiming Shi <bestswngs@gmail.com> Signed-off-by: Xiang Mei <xmei5@asu.edu> Link: https://patch.msgid.link/20260618032622.484720-2-xmei5@asu.edu Signed-off-by: Jakub Kicinski <kuba@kernel.org>
10 daysgeneve: gate GRO hint in geneve_gro_complete() on gs->gro_hintXiang Mei
geneve_gro_receive() reads the GRO hint through geneve_sk_gro_hint_off(), which honours it only when the socket enabled IFLA_GENEVE_GRO_HINT (gs->gro_hint). geneve_gro_complete() instead calls the low-level geneve_opt_gro_hint_off() and acts on the hint unconditionally. On a tunnel without the hint, receive aggregates the frames as plain ETH_P_TEB while complete still honours an attacker-supplied hint option: it inflates gh_len by gro_hint->nested_hdr_len (u8) and redirects the dispatch type, so the inner gro_complete handler runs at nhoff + gh_len, an offset receive never pulled nor validated, reading out of bounds of the skb head: BUG: KASAN: slab-out-of-bounds in ipv6_gro_complete (net/ipv6/ip6_offload.c:196) Read of size 1 at addr ffff88800fe91980 by task exploit/153 ipv6_gro_complete (net/ipv6/ip6_offload.c:196) geneve_gro_complete (drivers/net/geneve.c:965) udp_gro_complete (net/ipv4/udp_offload.c:940) inet_gro_complete (net/ipv4/af_inet.c:1621) __gro_flush (net/core/gro.c:306) Gate the complete path on gs->gro_hint too via geneve_sk_gro_hint_off(), so both paths agree. Tunnels that enable the hint are unaffected. Fixes: fd0dd796576e ("geneve: use GRO hint option in the RX path") Reported-by: Weiming Shi <bestswngs@gmail.com> Reported-by: Kyle Zeng <kylebot@openai.com> Signed-off-by: Xiang Mei <xmei5@asu.edu> Link: https://patch.msgid.link/20260618032622.484720-1-xmei5@asu.edu Signed-off-by: Jakub Kicinski <kuba@kernel.org>
10 daysnet: mvneta: re-enable percpu interrupt on resumeYun Zhou
On Marvell MPIC platforms (Armada 370/XP/38x), mvneta uses a percpu IRQ disable/enable scheme for NAPI: the ISR (mvneta_percpu_isr) calls disable_percpu_irq() to mask the MPIC per-CPU interrupt and schedules NAPI poll, which calls enable_percpu_irq() on completion to unmask. If suspend occurs while NAPI poll is pending (between disable_percpu_irq in the ISR and enable_percpu_irq in poll completion), the interrupt is never re-enabled: 1. mvneta_percpu_isr: disable_percpu_irq() + napi_schedule() => MPIC masked, percpu_enabled cpumask bit cleared 2. NAPI poll does not complete before suspend proceeds (on PREEMPT_RT this is highly likely since softirqs run in ksoftirqd which gets frozen; on non-RT it can happen when softirq processing is deferred to ksoftirqd) 3. mvneta_stop_dev => napi_disable(): cancels the pending poll without executing the completion path 4. suspend_device_irqs => IRQCHIP_MASK_ON_SUSPEND: masks MPIC (already masked, but records IRQS_SUSPENDED) 5. Resume: mpic_resume checks irq_percpu_is_enabled() => false (bit was cleared in step 1) => skips unmask 6. mvneta_start_dev only restores device-level INTR_NEW_MASK, does not touch the MPIC per-CPU mask Result: MPIC per-CPU interrupt stays masked permanently. The NIC generates interrupts (INTR_NEW_CAUSE != 0) but the CPU never receives them, causing complete loss of network connectivity. Fix by calling on_each_cpu(mvneta_percpu_enable) in the resume path to unconditionally unmask the MPIC per-CPU interrupt regardless of pre-suspend state. Fixes: 12bb03b436da ("net: mvneta: Handle per-cpu interrupts") Signed-off-by: Yun Zhou <yun.zhou@windriver.com> Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Link: https://patch.msgid.link/20260622074350.1666290-1-yun.zhou@windriver.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
10 daysocteontx2-af: fix CGX debugfs RVU AF PCI reference leaksRatheesh Kannoth
CGX per-lmac debugfs seq readers obtained struct rvu via pci_get_drvdata(pci_get_device(..., PCI_DEVID_OCTEONTX2_RVU_AF, ...)), which leaks a PCI device reference on every read. Store rvu and the CGX handle in debugfs inode private data when creating stats, mac_filter, and fwdata files (one context per CGX), and use debugfs aux numbers for fwdata so lmac_id matches the other CGX debugfs entries. Fixes: f967488d095e ("octeontx2-af: Add per CGX port level NIX Rx/Tx counters") Fixes: dbc52debf95f ("octeontx2-af: Debugfs support for DMAC filters") Fixes: 49f02e6877d1 ("Octeontx2-af: Debugfs support for firmware data") Cc: Linu Cherian <lcherian@marvell.com> Reported-by: Yuho Choi <dbgh9129@gmail.com> Reviewed-by: Simon Horman <horms@kernel.org> Signed-off-by: Ratheesh Kannoth <rkannoth@marvell.com> Link: https://patch.msgid.link/20260622034229.2254145-1-rkannoth@marvell.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
10 daysocteontx2-af: Validate NIX maximum LFs correctlySubbaraya Sundeep
NIX maximum number of LFs can be set via devlink command but that can be done before assigning any LFs to a PF/VF. The condition used to check whether any LFs are assigned is incorrect. This patch fixes that condition. Fixes: dd7842878633 ("octeontx2-af: Add new devlink param to configure maximum usable NIX block LFs") Signed-off-by: Subbaraya Sundeep <sbhatta@marvell.com> Link: https://patch.msgid.link/1782082853-6941-1-git-send-email-sbhatta@marvell.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
10 daysnet: wwan: t7xx: destroy DMA pool on CLDMA late init failureHaoxiang Li
t7xx_cldma_late_init() creates md_ctrl->gpd_dmapool before initializing the TX and RX rings. If any ring initialization fails, the error path frees the already initialized rings but leaves the DMA pool allocated. Destroy md_ctrl->gpd_dmapool on the late-init failure path to avoid leaking the DMA pool. Fixes: 39d439047f1d ("net: wwan: t7xx: Add control DMA interface") Cc: stable@vger.kernel.org Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com> Reviewed-by: Loic Poulain <loic.poulain@oss.qualcomm.com> Link: https://patch.msgid.link/20260621031714.3605022-1-haoxiang_li2024@163.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
10 daysnet: airoha: fix BQL underflow in shared QDMA TX ringLorenzo Bianconi
When multiple netdevs share a QDMA TX ring and one device is stopped, netdev_tx_reset_subqueue() zeroes that device's BQL counters while its pending skbs remain in the shared HW TX ring. When NAPI later completes those skbs via netdev_tx_completed_queue(), the already-zeroed dql->num_queued counter underflows. Fix the issue: - Remove netdev_tx_reset_subqueue() from airoha_dev_stop() so pending skbs are completed naturally by NAPI with proper BQL accounting. - Rework airoha_qdma_tx_cleanup() to disable TX DMA, flush BQL counters, DMA-unmap and free all pending skbs while skb->dev references are still valid. Use a per-queue flushing flag checked under q->lock in airoha_dev_xmit() to prevent races between teardown and transmit. Call airoha_qdma_stop_napi() before airoha_qdma_tx_cleanup() at the call sites. - Move DMA engine start into probe. Split DMA teardown so TX DMA is disabled in airoha_qdma_tx_cleanup() and RX DMA in airoha_qdma_cleanup(). - Remove qdma->users counter since DMA lifetime is now tied to probe/cleanup rather than per-netdev open/stop. Fixes: a9c2ca61fec7 ("net: airoha: Support multiple net_devices for a single FE GDM port") Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org> Reviewed-by: Simon Horman <horms@kernel.org> Link: https://patch.msgid.link/20260620-airoha-bql-fixes-v3-1-76b95374e63e@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
10 daysnet: phy: realtek: Clear MDIO_AN_10GBT_CTRL_ADV10G bitJan Klos
On RTL8127A connected to a link partner that advertises 10000baseT speed cannot be changed to anything other than 10000baseT as 10GbE is always advertised regardless of any setting. Fix this by clearing MDIO_AN_10GBT_CTRL_ADV10G bit in rtl822x_config_aneg()'s call to phy_modify_mmd_changed(). Fixes: 83d962316128 ("net: phy: realtek: add RTL8127-internal PHY") Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com> Signed-off-by: Jan Klos <honza.klos@gmail.com> Link: https://patch.msgid.link/20260620011956.37181-1-honza.klos@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
10 daysocteontx2-af: npc: cn20k: Fix subbank free list indexing for search orderRatheesh Kannoth
subbank_srch_order[i] is the physical subbank at search-order slot i, so each subbank's arr_idx must be i (its slot), not subbank_srch_order[sb->idx]. The old logic mis-keyed xa_sb_free and broke allocation traversal order. Populate arr_idx and xa_sb_free in a single pass over the search order after subbank structs are initialized. Fixes: 7ac9d4c4075c ("octeontx2-af: npc: cn20k: add subbank search order control") Signed-off-by: Ratheesh Kannoth <rkannoth@marvell.com> Reviewed-by: Simon Horman <horms@kernel.org> Link: https://patch.msgid.link/20260619095100.1864440-1-rkannoth@marvell.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
10 daysnet: mana: Fall back to standard MTU when PF reports adapter_mtu of 0Erni Sri Satya Vennela
Commit d7709812e13d ("net: mana: hardening: Validate adapter_mtu from MANA_QUERY_DEV_CONFIG") rejected any adapter_mtu value smaller than ETH_MIN_MTU + ETH_HLEN, including 0, returning -EPROTO and failing mana_probe(). Some older PF firmware versions still in the field report adapter_mtu as 0 in the MANA_QUERY_DEV_CONFIG response. With the hardening check in place, the MANA VF driver now fails to load on those hosts, breaking networking entirely for guests. MANA hardware always supports the standard Ethernet MTU. Treat a reported adapter_mtu of 0 as "the PF did not advertise a value" and fall back to ETH_FRAME_LEN, the same value used for the pre-V2 message version path. Only jumbo frames remain unavailable until the PF reports a valid MTU. Other small-but-nonzero bogus values are still rejected, preserving the original protection against the unsigned-subtraction wrap that would otherwise let ndev->max_mtu underflow to a huge value. Fixes: d7709812e13d ("net: mana: hardening: Validate adapter_mtu from MANA_QUERY_DEV_CONFIG") Signed-off-by: Erni Sri Satya Vennela <ernis@linux.microsoft.com> Reviewed-by: Simon Horman <horms@kernel.org> Link: https://patch.msgid.link/20260619055348.467224-1-ernis@linux.microsoft.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
10 daysnet: dsa: mxl862xx: fix use-after-free of DSA ports in crc_err_workDaniel Golle
Upon an MDIO CRC error mxl862xx_crc_err_work_fn() walks the DSA ports and closes the CPU port conduits: dsa_switch_for_each_cpu_port(dp, priv->ds) dev_close(dp->conduit); mxl862xx_remove() unregisters the switch before cancelling this work: set_bit(MXL862XX_FLAG_WORK_STOPPED, &priv->flags); cancel_delayed_work_sync(&priv->stats_work); dsa_unregister_switch(ds); mxl862xx_host_shutdown(priv); dsa_unregister_switch() frees the dsa_port objects. If a CRC error schedules the work during teardown it can run after the ports have been freed and dereference freed memory. Guard the port walk with MXL862XX_FLAG_WORK_STOPPED, which is already set before dsa_unregister_switch(). DSA tears the ports down under rtnl_lock(), so checking the flag under rtnl_lock() means the work either runs before teardown and sees valid ports, or runs afterwards, observes the flag and skips the walk. This mirrors the host_flood_work handler, which skips torn-down ports under rtnl_lock(). Link: https://sashiko.dev/#/patchset/cover.1780968180.git.daniel%40makrotopia.org?part=2 Fixes: a319d0c8c8ce ("net: dsa: mxl862xx: add CRC for MDIO communication") Signed-off-by: Daniel Golle <daniel@makrotopia.org> Link: https://patch.msgid.link/5e55169926c02f2b914e5ada529d7453b943cda4.1781702256.git.daniel@makrotopia.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
10 daysnet: dsa: mxl862xx: avoid unaligned 16-bit access in api_wrapDaniel Golle
The MXL862XX_API_* macros pass the address of a stack-allocated, __packed firmware-ABI struct to mxl862xx_api_wrap() as a void *. The struct has an alignment of 1, so the compiler is free to place it at an odd address. mxl862xx_api_wrap() reinterprets that buffer as a __le16 * and accesses it with data[i], for which the compiler assumes the natural 2-byte alignment of __le16 and emits aligned 16-bit loads/stores (e.g. lhu/sh on MIPS). When the buffer lands on an odd address these fault on architectures that do not support unaligned access, such as MIPS32. -Waddress-of-packed-member does not catch this: the packed origin is laundered through the void * parameter, so the cast inside api_wrap looks alignment-safe to the compiler and no warning is emitted. Use get_unaligned_le16()/put_unaligned_le16() for the three 16-bit word accesses. The byte accesses (*(u8 *)&data[i], crc16()) are already safe and are left unchanged. Link: https://sashiko.dev/#/patchset/cover.1781319534.git.daniel%40makrotopia.org?part=4 Fixes: 23794bec1cb6 ("net: dsa: add basic initial driver for MxL862xx switches") Signed-off-by: Daniel Golle <daniel@makrotopia.org> Link: https://patch.msgid.link/599327521db465a534d277de53ab9b6cac01928b.1781702256.git.daniel@makrotopia.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
10 daysnet: dsa: realtek: fix memory leak in rtl8366rb_setup_led()David Yang
led_classdev_register_ext() only reads init_data.devicename - it never stores the pointer. However, the caller allocated devicename with kasprintf() but never freed it, leaking the string memory. Fix it with a stack buffer to avoid dynamic buffers completely. Fixes: 32d617005475 ("net: dsa: realtek: add LED drivers for rtl8366rb") Signed-off-by: David Yang <mmyangfl@gmail.com> Reviewed-by: Linus Walleij <linusw@kernel.org> Link: https://patch.msgid.link/20260618140200.1888707-1-mmyangfl@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>