netdev CI testing #10590

kuba-moo · 2026-01-02T17:37:43Z

Reusable PR for hooking netdev CI to BPF testing.
Previous one auto-closed for some reason.

…ruct Sphinx reports kernel-doc warning: WARNING: ./net/bridge/br_private.h:267 struct member 'tunnel_hash' not described in 'net_bridge_vlan_group' Fix it by describing @tunnel_hash member. Fixes: efa5356 ("bridge: per vlan dst_metadata netlink support") Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com> Acked-by: Nikolay Aleksandrov <razor@blackwall.org> Reviewed-by: Ido Schimmel <idosch@nvidia.com> Link: https://patch.msgid.link/20251218042936.24175-2-bagasdotme@gmail.com Signed-off-by: Paolo Abeni <pabeni@redhat.com>

Aditya Gupta reported PowerPC crashes bisected to the blamed commit. Apparently some platforms do not allow prefetch() on arbitrary pointers. prefetch(next); prefetch(&next->priority); // CRASH when next == NULL Only NULL seems to be supported, with specific handling in prefetch(). Add a conditional to avoid the two prefetches and the skb->next clearing for the last skb in the list. Fixes: b2e9821 ("net: prefech skb->priority in __dev_xmit_skb()") Reported-by: Aditya Gupta <adityag@linux.ibm.com> Closes: https://lore.kernel.org/netdev/e9f4abee-b132-440f-a50e-bced0868b5a7@linux.ibm.com/T/#mddc372b64ec5a3b181acc9ee3909110c391cc18a Signed-off-by: Eric Dumazet <edumazet@google.com> Tested-by: Aditya Gupta <adityag@linux.ibm.com> Link: https://patch.msgid.link/20251218081844.809008-1-edumazet@google.com Signed-off-by: Paolo Abeni <pabeni@redhat.com>

When mana_serv_reset() encounters -ETIMEDOUT or -EPROTO from mana_gd_resume(), it performs a PCI rescan via mana_serv_rescan(). mana_serv_rescan() calls pci_stop_and_remove_bus_device(), which can invoke the driver's remove path and free the gdma_context associated with the device. After returning, mana_serv_reset() currently jumps to the out label and attempts to clear gc->in_service, dereferencing a freed gdma_context. The issue was observed with the following call logs: [ 698.942636] BUG: unable to handle page fault for address: ff6c2b638088508d [ 698.943121] #PF: supervisor write access in kernel mode [ 698.943423] #PF: error_code(0x0002) - not-present page [S[ 698.943793] Pat Dec 6 07:GD5 100000067 P4D 1002f7067 PUD 1002f8067 PMD 101bef067 PTE 0 0:56 2025] hv_[n e 698.944283] Oops: Oops: 0002 [kernel-patches#1] SMP NOPTI tvsc f8615163-00[ 698.944611] CPU: 28 UID: 0 PID: 249 Comm: kworker/28:1 ... [Sat Dec 6 07:50:56 2025] R10: [ 699.121594] mana 7870:00:00.0 enP30832s1: Configured vPort 0 PD 18 DB 16 000000000000001b R11: 0000000000000000 R12: ff44cf3f40270000 [Sat Dec 6 07:50:56 2025] R13: 0000000000000001 R14: ff44cf3f402700c8 R15: ff44cf3f4021b405 [Sat Dec 6 07:50:56 2025] FS: 0000000000000000(0000) GS:ff44cf7e9fcf9000(0000) knlGS:0000000000000000 [Sat Dec 6 07:50:56 2025] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [Sat Dec 6 07:50:56 2025] CR2: ff6c2b638088508d CR3: 000000011fe43001 CR4: 0000000000b73ef0 [Sat Dec 6 07:50:56 2025] Call Trace: [Sat Dec 6 07:50:56 2025] <TASK> [Sat Dec 6 07:50:56 2025] mana_serv_func+0x24/0x50 [mana] [Sat Dec 6 07:50:56 2025] process_one_work+0x190/0x350 [Sat Dec 6 07:50:56 2025] worker_thread+0x2b7/0x3d0 [Sat Dec 6 07:50:56 2025] kthread+0xf3/0x200 [Sat Dec 6 07:50:56 2025] ? __pfx_worker_thread+0x10/0x10 [Sat Dec 6 07:50:56 2025] ? __pfx_kthread+0x10/0x10 [Sat Dec 6 07:50:56 2025] ret_from_fork+0x21a/0x250 [Sat Dec 6 07:50:56 2025] ? __pfx_kthread+0x10/0x10 [Sat Dec 6 07:50:56 2025] ret_from_fork_asm+0x1a/0x30 [Sat Dec 6 07:50:56 2025] </TASK> Fix this by returning immediately after mana_serv_rescan() to avoid accessing GC state that may no longer be valid. Fixes: 9bf6603 ("net: mana: Handle hardware recovery events when probing the device") Reviewed-by: Simon Horman <horms@kernel.org> Reviewed-by: Long Li <longli@microsoft.com> Signed-off-by: Dipayaan Roy <dipayanroy@linux.microsoft.com> Link: https://patch.msgid.link/20251218131054.GA3173@linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net Signed-off-by: Paolo Abeni <pabeni@redhat.com>

A previous commit added SO_INQ support for AF_UNIX (SOCK_STREAM), but it posts a SCM_INQ cmsg even if just msg->msg_get_inq is set. This is incorrect, as ->msg_get_inq is just the caller asking for the remainder to be passed back in msg->msg_inq, it has nothing to do with cmsg. The original commit states that this is done to make sockets io_uring-friendly", but it's actually incorrect as io_uring doesn't use cmsg headers internally at all, and it's actively wrong as this means that cmsg's are always posted if someone does recvmsg via io_uring. Fix that up by only posting a cmsg if u->recvmsg_inq is set. Additionally, mirror how TCP handles inquiry handling in that it should only be done for a successful return. This makes the logic for the two identical. Cc: stable@vger.kernel.org Fixes: df30285 ("af_unix: Introduce SO_INQ.") Reported-by: Julian Orth <ju.orth@gmail.com> Link: axboe/liburing#1509 Signed-off-by: Jens Axboe <axboe@kernel.dk> Reviewed-by: Willem de Bruijn <willemb@google.com> Link: https://patch.msgid.link/07adc0c2-2c3b-4d08-8af1-1c466a40b6a8@kernel.dk Signed-off-by: Paolo Abeni <pabeni@redhat.com>

Commit 48e1267 ("sched_ext: Introduce scx_sched") introduced scx_root and removed scx_ops, causing scx_show_state.py to fail when searching for the 'scx_ops' object. [1] Fix by using 'scx_root' instead, with NULL pointer handling. [1] # drgn -s vmlinux ./tools/sched_ext/scx_show_state.py Traceback (most recent call last): File "/root/.venv/bin/drgn", line 8, in <module> sys.exit(_main()) ~~~~~^^ File "/root/.venv/lib64/python3.14/site-packages/drgn/cli.py", line 625, in _main runpy.run_path( ~~~~~~~~~~~~~~^ script_path, init_globals={"prog": prog}, run_name="__main__" ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ) ^ File "<frozen runpy>", line 287, in run_path File "<frozen runpy>", line 98, in _run_module_code File "<frozen runpy>", line 88, in _run_code File "./tools/sched_ext/scx_show_state.py", line 30, in <module> ops = prog['scx_ops'] ~~~~^^^^^^^^^^^ _drgn.ObjectNotFoundError: could not find 'scx_ops' Fixes: 48e1267 ("sched_ext: Introduce scx_sched") Signed-off-by: Kohei Enju <enjuk@amazon.com> Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com> Signed-off-by: Tejun Heo <tj@kernel.org>

Commit a69040e ("sched_ext: Simplify breather mechanism with scx_aborting flag") removed scx_in_softlockup and scx_breather_depth, replacing them with scx_aborting. Update the script accordingly. Fixes: a69040e ("sched_ext: Simplify breather mechanism with scx_aborting flag") Signed-off-by: Kohei Enju <enjuk@amazon.com> Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com> Signed-off-by: Tejun Heo <tj@kernel.org>

…el/git/powerpc/linux Pull powerpc fixes from Madhavan Srinivasan: - Fix for kexec warning due to SMT disable or partial SMT enabled - Handle font bitmap pointer with reloc_offset to fix boot crash - Fix to enable cpuidle state for Power11 - Couple of misc fixes Thanks to Aboorva Devarajan, Aditya Bodkhe, Cedar Maxwell, Christian Zigotzky, Christophe Leroy, Christophe Leroy (CS GROUP), Finn Thain, Gopi Krishna Menon, Guenter Roeck, Jan Stancek, Joe Lawrence, Josh Poimboeuf, Justin M. Forbes, Madadi Vineeth Reddy, Naveen N Rao (AMD), Nysal Jan K.A., Sachin P Bappalige, Samir M, Sourabh Jain, Srikar Dronamraju, and Stan Johnson * tag 'powerpc-6.19-2' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux: powerpc/32: Restore disabling of interrupts at interrupt/syscall exit powerpc/powernv: Enable cpuidle state detection for POWER11 powerpc: Add reloc_offset() to font bitmap pointer used for bootx_printf() powerpc/tools: drop `-o pipefail` in gcc check scripts selftests/powerpc/pmu/: Add check_extended_reg_test to .gitignore powerpc/kexec: Enable SMT before waking offline CPUs

…linux/kernel/git/riscv/linux Pull RISC-V updates from Paul Walmsley: "Nothing exotic here; these are the cleanup and new ISA extension probing patches (not including CFI): - Add probing and userspace reporting support for the standard RISC-V ISA extensions Zilsd and Zclsd, which implement load/store dual instructions on RV32 - Abstract the register saving code in setup_sigcontext() so it can be used for stateful RISC-V ISA extensions beyond the vector extension - Add the SBI extension ID and some initial data structure definitions for the RISC-V standard SBI debug trigger extension - Clean up some code slightly: change some page table functions to avoid atomic operations oinn !SMP and to avoid unnecessary casts to atomic_long_t; and use the existing RISCV_FULL_BARRIER macro in place of some open-coded 'fence rw,rw' instructions" * tag 'riscv-for-linus-6.19-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux: riscv: Add SBI debug trigger extension and function ids riscv/atomic.h: use RISCV_FULL_BARRIER in _arch_atomic* function. riscv: hwprobe: export Zilsd and Zclsd ISA extensions riscv: add ISA extension parsing for Zilsd and Zclsd dt-bindings: riscv: add Zilsd and Zclsd extension descriptions riscv: mm: use xchg() on non-atomic_long_t variables, not atomic_long_xchg() riscv: mm: ptep_get_and_clear(): avoid atomic ops when !CONFIG_SMP riscv: mm: pmdp_huge_get_and_clear(): avoid atomic ops when !CONFIG_SMP riscv: signal: abstract header saving for setup_sigcontext

…inux/kernel/git/ieee1394/linux1394 Pull firewire fix from Takashi Sakamoto: "A fix for PCI driver for Texas Instruments PCILyx series. The driver had a bug where it allocated a DMA-coherent buffer of 16 KB but released it using PAGE_SIZE. This disproportion was reported in 2020, but the fix was never merged. It is finally resolved" * tag 'firewire-fixes-6.19-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394: firewire: nosy: Fix dma_free_coherent() size

…/git/gregkh/tty Pull serial driver fixes from Greg KH: "Here are some small serial driver fixes for some reported issues. Included in here are: - serial sysfs fwnode fix that was much reported - sh-sci driver fix - serial device init bugfix - 8250 bugfix - xilinx_uartps bugfix All of these have passed 0-day testing and individual testing" * tag 'tty-6.19-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty: serial: xilinx_uartps: fix rs485 delay_rts_after_send serial: sh-sci: Check that the DMA cookie is valid serial: core: Fix serial device initialization serial: 8250: longson: Fix NULL vs IS_ERR() bug in probe serial: core: Restore sysfs fwnode information

…/git/gregkh/usb Pull USB fixes from Greg KH: "Here are some small USB fixes, and bunch of reverts for 6.19-rc3. Included in here are: - reverts of some typec ucsi driver changes that had a lot of regression reports after -rc1. Let's just revert it all for now and it will come back in a way that is better tested. - other typec bugfixes - usb-storage quirk fixups - dwc3 driver fix - other minor USB fixes for reported problems. All of these have passed 0-day testing and individual testing" * tag 'usb-6.19-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (22 commits) Revert "usb: typec: ucsi: Update UCSI structure to have message in and message out fields" Revert "usb: typec: ucsi: Add support for message out data structure" Revert "usb: typec: ucsi: Enable debugfs for message_out data structure" Revert "usb: typec: ucsi: Add support for SET_PDOS command" Revert "usb: typec: ucsi: Fix null pointer dereference in ucsi_sync_control_common" Revert "usb: typec: ucsi: Get connector status after enable notifications" usb: ohci-nxp: clean up probe error labels usb: gadget: lpc32xx_udc: clean up probe error labels usb: ohci-nxp: fix device leak on probe failure usb: phy: isp1301: fix non-OF device reference imbalance usb: gadget: lpc32xx_udc: fix clock imbalance in error path usb: typec: ucsi: Get connector status after enable notifications usb: usb-storage: Maintain minimal modifications to the bcdDevice range. usb: dwc3: of-simple: fix clock resource leak in dwc3_of_simple_probe usb: typec: ucsi: Fix null pointer dereference in ucsi_sync_control_common USB: lpc32xx_udc: Fix error handling in probe usb: typec: altmodes/displayport: Drop the device reference in dp_altmode_probe() usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal usb: renesas_usbhs: Fix a resource leak in usbhs_pipe_malloc() usb: typec: ucsi: huawei-gaokin: add DRM dependency ...

…/herbert/crypto-2.6 Pull crypto fixes from Herbert Xu: - Fix UAF in seqiv - Fix regression in hisilicon * tag 'v6.19-p2' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: crypto: hisilicon/qm - fix incorrect judgment in qm_get_complete_eqe_num() crypto: seqiv - Do not use req->iv after crypto_aead_encrypt

…/linux/kernel/git/tj/cgroup Pull cgroup fix from Tejun Heo: - Fix a spurious cpuset warning when disabling remote partition after CPU hotplug leaves subpartitions_cpus empty. Guard the warning and invalidate affected partitions. * tag 'cgroup-for-6.19-rc3-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup: cpuset: fix warning when disabling remote partition

@ret

…scm/linux/kernel/git/tj/sched_ext Pull sched_ext fixes from Tejun Heo: - Fix uninitialized @ret on alloc_percpu() failure leading to ERR_PTR(0) - Fix PREEMPT_RT warning when bypass load balancer sends IPI to offline CPU by using resched_cpu() instead of resched_curr() - Fix comment referring to renamed function - Update scx_show_state.py for scx_root and scx_aborting changes * tag 'sched_ext-for-6.19-rc3-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/sched_ext: tools/sched_ext: update scx_show_state.py for scx_aborting change tools/sched_ext: fix scx_show_state.py for scx_root change sched_ext: Use the resched_cpu() to replace resched_curr() in the bypass_lb_node() sched_ext: Fix some comments in ext.c sched_ext: fix uninitialized ret on alloc_percpu() failure

This patch ensures that the RX ring size (rx_pending) is not set below the permitted length. This avoids UBSAN shift-out-of-bounds errors when users passes small or zero ring sizes via ethtool -G. Fixes: d45d897 ("octeontx2-pf: Add basic ethtool support") Signed-off-by: Anshumali Gaur <agaur@marvell.com> Link: https://patch.msgid.link/20251219062226.524844-1-agaur@marvell.com Signed-off-by: Paolo Abeni <pabeni@redhat.com>

…ux/kernel/git/wireless/wireless Johannes Berg says: ==================== Various fixes all over, most are recent regressions but also some long-standing issues: - cfg80211: - fix an issue with overly long SSIDs - mac80211: - long-standing beacon protection issue on some devices - for for a multi-BSSID AP-side issue - fix a syzbot warning on OCB (not really used in practice) - remove WARN on connections using disabled channels, as that can happen due to changes in the disable flag - fix monitor mode list iteration - iwlwifi: - fix firmware loading on certain (really old) devices - add settime64 to PTP clock to avoid a warning and clock registration failure, but it's not actually supported - rtw88: - remove WQ_UNBOUND since it broke USB adapters (because it can't be used with WQ_BH) - fix SDIO issues with certain devices - rtl8192cu: fix TID array out-of-bounds (since 6.9) - wlcore (TI): add missing skb push headroom increase * tag 'wireless-2025-12-17' of https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless: wifi: iwlwifi: Implement settime64 as stub for MVM/MLD PTP wifi: iwlwifi: Fix firmware version handling wifi: mac80211: ocb: skip rx_no_sta when interface is not joined wifi: mac80211: do not use old MBSSID elements wifi: mac80211: don't WARN for connections on invalid channels wifi: wlcore: ensure skb headroom before skb_push wifi: cfg80211: sme: store capped length in __cfg80211_connect_result() wifi: mac80211: fix list iteration in ieee80211_add_virtual_monitor() wifi: mac80211: Discard Beacon frames to non-broadcast address Revert "wifi: rtw88: add WQ_UNBOUND to alloc_workqueue users" wifi: rtlwifi: 8192cu: fix tid out of range in rtl92cu_tx_fill_desc() wifi: rtw88: limit indirect IO under powered off for RTL8822CS ==================== Link: https://patch.msgid.link/20251217201441.59876-3-johannes@sipsolutions.net Signed-off-by: Paolo Abeni <pabeni@redhat.com>

There is a crash issue when running zero copy XDP_TX action, the crash log is shown below. [ 216.122464] Unable to handle kernel paging request at virtual address fffeffff80000000 [ 216.187524] Internal error: Oops: 0000000096000144 [kernel-patches#1] SMP [ 216.301694] Call trace: [ 216.304130] dcache_clean_poc+0x20/0x38 (P) [ 216.308308] __dma_sync_single_for_device+0x1bc/0x1e0 [ 216.313351] stmmac_xdp_xmit_xdpf+0x354/0x400 [ 216.317701] __stmmac_xdp_run_prog+0x164/0x368 [ 216.322139] stmmac_napi_poll_rxtx+0xba8/0xf00 [ 216.326576] __napi_poll+0x40/0x218 [ 216.408054] Kernel panic - not syncing: Oops: Fatal exception in interrupt For XDP_TX action, the xdp_buff is converted to xdp_frame by xdp_convert_buff_to_frame(). The memory type of the resulting xdp_frame depends on the memory type of the xdp_buff. For page pool based xdp_buff it produces xdp_frame with memory type MEM_TYPE_PAGE_POOL. For zero copy XSK pool based xdp_buff it produces xdp_frame with memory type MEM_TYPE_PAGE_ORDER0. However, stmmac_xdp_xmit_back() does not check the memory type and always uses the page pool type, this leads to invalid mappings and causes the crash. Therefore, check the xdp_buff memory type in stmmac_xdp_xmit_back() to fix this issue. Fixes: bba2556 ("net: stmmac: Enable RX via AF_XDP zero-copy") Signed-off-by: Wei Fang <wei.fang@nxp.com> Reviewed-by: Hariprasad Kelam <hkelam@marvell.com> Link: https://patch.msgid.link/20251204071332.1907111-1-wei.fang@nxp.com Signed-off-by: Paolo Abeni <pabeni@redhat.com>

Currently, interrupts are automatically enabled immediately upon request. This allows interrupt to fire before the associated NAPI context is fully initialized and cause failures like below: [ 0.946369] Call Trace: [ 0.946369] <IRQ> [ 0.946369] __napi_poll+0x2a/0x1e0 [ 0.946369] net_rx_action+0x2f9/0x3f0 [ 0.946369] handle_softirqs+0xd6/0x2c0 [ 0.946369] ? handle_edge_irq+0xc1/0x1b0 [ 0.946369] __irq_exit_rcu+0xc3/0xe0 [ 0.946369] common_interrupt+0x81/0xa0 [ 0.946369] </IRQ> [ 0.946369] <TASK> [ 0.946369] asm_common_interrupt+0x22/0x40 [ 0.946369] RIP: 0010:pv_native_safe_halt+0xb/0x10 Use the `IRQF_NO_AUTOEN` flag when requesting interrupts to prevent auto enablement and explicitly enable the interrupt in NAPI initialization path (and disable it during NAPI teardown). This ensures that interrupt lifecycle is strictly coupled with readiness of NAPI context. Cc: stable@vger.kernel.org Fixes: 1dfc2e4 ("gve: Refactor napi add and remove functions") Signed-off-by: Ankit Garg <nktgrg@google.com> Reviewed-by: Jordan Rhee <jordanrhee@google.com> Reviewed-by: Joshua Washington <joshwash@google.com> Signed-off-by: Harshitha Ramamurthy <hramamurthy@google.com> Link: https://patch.msgid.link/20251219102945.2193617-1-hramamurthy@google.com Signed-off-by: Paolo Abeni <pabeni@redhat.com>

syzbot reported a crash [1] in dql_completed() after recent usbnet BQL adoption. The reason for the crash is that netdev_reset_queue() is called too soon. It should be called after cancel_work_sync(&dev->bh_work) to make sure no more TX completion can happen. [1] kernel BUG at lib/dynamic_queue_limits.c:99 ! Oops: invalid opcode: 0000 [kernel-patches#1] SMP KASAN PTI CPU: 1 UID: 0 PID: 5197 Comm: udevd Tainted: G L syzkaller #0 PREEMPT(full) Tainted: [L]=SOFTLOCKUP Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 RIP: 0010:dql_completed+0xbe1/0xbf0 lib/dynamic_queue_limits.c:99 Call Trace: <IRQ> netdev_tx_completed_queue include/linux/netdevice.h:3864 [inline] netdev_completed_queue include/linux/netdevice.h:3894 [inline] usbnet_bh+0x793/0x1020 drivers/net/usb/usbnet.c:1601 process_one_work kernel/workqueue.c:3257 [inline] process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340 bh_worker+0x2b1/0x600 kernel/workqueue.c:3611 tasklet_action+0xc/0x70 kernel/softirq.c:952 handle_softirqs+0x27d/0x850 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] invoke_softirq kernel/softirq.c:496 [inline] __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:723 irq_exit_rcu+0x9/0x30 kernel/softirq.c:739 Fixes: 7ff14c5 ("usbnet: Add support for Byte Queue Limits (BQL)") Reported-by: syzbot+5b55e49f8bbd84631a9c@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/6945644f.a70a0220.207337.0113.GAE@google.com/T/#u Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Simon Schippers <simon.schippers@tu-dortmund.de> Link: https://patch.msgid.link/20251219144459.692715-1-edumazet@google.com Signed-off-by: Paolo Abeni <pabeni@redhat.com>

There exists a kernel oops caused by a BUG_ON(nhead < 0) at net/core/skbuff.c:2232 in pskb_expand_head(). This bug is triggered as part of the calipso_skbuff_setattr() routine when skb_cow() is passed headroom > INT_MAX (i.e. (int)(skb_headroom(skb) + len_delta) < 0). The root cause of the bug is due to an implicit integer cast in __skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensure that delta = headroom - skb_headroom(skb) is never negative, otherwise we will trigger a BUG_ON in pskb_expand_head(). However, if headroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, delta becomes negative, and pskb_expand_head() is passed a negative value for nhead. Fix the trigger condition in calipso_skbuff_setattr(). Avoid passing "negative" headroom sizes to skb_cow() within calipso_skbuff_setattr() by only using skb_cow() to grow headroom. PoC: Using `netlabelctl` tool: netlabelctl map del default netlabelctl calipso add pass doi:7 netlabelctl map add default address:0::1/128 protocol:calipso,7 Then run the following PoC: int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP); // setup msghdr int cmsg_size = 2; int cmsg_len = 0x60; struct msghdr msg; struct sockaddr_in6 dest_addr; struct cmsghdr * cmsg = (struct cmsghdr *) calloc(1, sizeof(struct cmsghdr) + cmsg_len); msg.msg_name = &dest_addr; msg.msg_namelen = sizeof(dest_addr); msg.msg_iov = NULL; msg.msg_iovlen = 0; msg.msg_control = cmsg; msg.msg_controllen = cmsg_len; msg.msg_flags = 0; // setup sockaddr dest_addr.sin6_family = AF_INET6; dest_addr.sin6_port = htons(31337); dest_addr.sin6_flowinfo = htonl(31337); dest_addr.sin6_addr = in6addr_loopback; dest_addr.sin6_scope_id = 31337; // setup cmsghdr cmsg->cmsg_len = cmsg_len; cmsg->cmsg_level = IPPROTO_IPV6; cmsg->cmsg_type = IPV6_HOPOPTS; char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr); hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80 sendmsg(fd, &msg, 0); Fixes: 2917f57 ("calipso: Allow the lsm to label the skbuff directly.") Suggested-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Will Rosenberg <whrosenb@asu.edu> Acked-by: Paul Moore <paul@paul-moore.com> Link: https://patch.msgid.link/20251219173637.797418-1-whrosenb@asu.edu Signed-off-by: Paolo Abeni <pabeni@redhat.com>

…rg/pub/scm/linux/kernel/git/akpm/mm Pull misc fixes from Andrew Morton: "27 hotfixes. 12 are cc:stable, 18 are MM. There's a patch series from Jiayuan Chen which fixes some issues with KASAN and vmalloc. Apart from that it's the usual shower of singletons - please see the respective changelogs for details" * tag 'mm-hotfixes-stable-2025-12-28-21-50' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm: (27 commits) mm/ksm: fix pte_unmap_unlock of wrong address in break_ksm_pmd_entry mm/page_owner: fix memory leak in page_owner_stack_fops->release() mm/memremap: fix spurious large folio warning for FS-DAX MAINTAINERS: notify the "Device Memory" community of memory hotplug changes sparse: update MAINTAINERS info mm/page_alloc: report 1 as zone_batchsize for !CONFIG_MMU mm: consider non-anon swap cache folios in folio_expected_ref_count() rust: maple_tree: rcu_read_lock() in destructor to silence lockdep mm: memcg: fix unit conversion for K() macro in OOM log mm: fixup pfnmap memory failure handling to use pgoff tools/mm/page_owner_sort: fix timestamp comparison for stable sorting selftests/mm: fix thread state check in uffd-unit-tests kernel/kexec: fix IMA when allocation happens in CMA area kernel/kexec: change the prototype of kimage_map_segment() MAINTAINERS: add ABI headers to KHO and LIVE UPDATE .mailmap: remove one of the entries for WangYuli mm/damon/vaddr: fix missing pte_unmap_unlock in damos_va_migrate_pmd_entry() MAINTAINERS: update one straggling entry for Bartosz Golaszewski mm/page_alloc: change all pageblocks migrate type on coalescing mm: leafops.h: correct kernel-doc function param. names ...

…/kernel/git/kbuild/linux Pull Kbuild fixes from Nicolas Schier: - Revert commit "scripts/clang-tools: Handle included .c files in gen_compile_commands" which is reported to cause false entries for some files. - Fix compilation of dtb specified on command-line without make rule - mcb: Add missing modpost build support * tag 'kbuild-fixes-6.19-1' of git://git.kernel.org/pub/scm/linux/kernel/git/kbuild/linux: mcb: Add missing modpost build support kbuild: fix compilation of dtb specified on command-line without make rule Revert "scripts/clang-tools: Handle included .c files in gen_compile_commands"

This fixes the device failing to initialize with "error reading MAC address" for me, probably because the incorrect write of NCR_RST to SR_NCR is not actually resetting the device. Fixes: c9b3745 ("USB2NET : SR9700 : One chip USB 1.1 USB2NET SR9700Device Driver Support") Cc: stable@vger.kernel.org Signed-off-by: Ethan Nelson-Moore <enelsonmoore@gmail.com> Link: https://patch.msgid.link/20251221082400.50688-1-enelsonmoore@gmail.com Signed-off-by: Paolo Abeni <pabeni@redhat.com>

…bjects When a nexthop object is deleted, it is marked as dead and then fib_table_flush() is called to flush all the routes that are using the dead nexthop. The current logic in fib_table_flush() is to only flush error routes (e.g., blackhole) when it is called as part of network namespace dismantle (i.e., with flush_all=true). Therefore, error routes are not flushed when their nexthop object is deleted: # ip link add name dummy1 up type dummy # ip nexthop add id 1 dev dummy1 # ip route add 198.51.100.1/32 nhid 1 # ip route add blackhole 198.51.100.2/32 nhid 1 # ip nexthop del id 1 # ip route show blackhole 198.51.100.2 nhid 1 dev dummy1 As such, they keep holding a reference on the nexthop object which in turn holds a reference on the nexthop device, resulting in a reference count leak: # ip link del dev dummy1 [ 70.516258] unregister_netdevice: waiting for dummy1 to become free. Usage count = 2 Fix by flushing error routes when their nexthop is marked as dead. IPv6 does not suffer from this problem. Fixes: 493ced1 ("ipv4: Allow routes to use nexthop objects") Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Closes: https://lore.kernel.org/netdev/d943f806-4da6-4970-ac28-b9373b0e63ac@I-love.SAKURA.ne.jp/ Reported-by: syzbot+881d65229ca4f9ae8c84@syzkaller.appspotmail.com Signed-off-by: Ido Schimmel <idosch@nvidia.com> Reviewed-by: David Ahern <dsahern@kernel.org> Link: https://patch.msgid.link/20251221144829.197694-1-idosch@nvidia.com Signed-off-by: Paolo Abeni <pabeni@redhat.com>

Add test cases that check that error routes (e.g., blackhole) are deleted when their nexthop is deleted. Output without "ipv4: Fix reference count leak when using error routes with nexthop objects": # ./fib_nexthops.sh -t "ipv4_fcnal ipv6_fcnal" IPv4 functional ---------------------- [...] WARNING: Unexpected route entry TEST: Error route removed on nexthop deletion [FAIL] IPv6 ---------------------- [...] TEST: Error route removed on nexthop deletion [ OK ] Tests passed: 20 Tests failed: 1 Tests skipped: 0 Output with "ipv4: Fix reference count leak when using error routes with nexthop objects": # ./fib_nexthops.sh -t "ipv4_fcnal ipv6_fcnal" IPv4 functional ---------------------- [...] TEST: Error route removed on nexthop deletion [ OK ] IPv6 ---------------------- [...] TEST: Error route removed on nexthop deletion [ OK ] Tests passed: 21 Tests failed: 0 Tests skipped: 0 Signed-off-by: Ido Schimmel <idosch@nvidia.com> Reviewed-by: David Ahern <dsahern@kernel.org> Link: https://patch.msgid.link/20251221144829.197694-2-idosch@nvidia.com Signed-off-by: Paolo Abeni <pabeni@redhat.com>

Preference of nexthop with source address broke ECMP for packets with source addresses which are not in the broadcast domain, but rather added to loopback/dummy interfaces. Original behaviour was to balance over nexthops while now it uses the latest nexthop from the group. To fix the issue introduce next hop scoring system where next hops with source address equal to requested will always have higher priority. For the case with 198.51.100.1/32 assigned to dummy0 and routed using 192.0.2.0/24 and 203.0.113.0/24 networks: 2: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000 link/ether d6:54:8a:ff:78:f5 brd ff:ff:ff:ff:ff:ff inet 198.51.100.1/32 scope global dummy0 valid_lft forever preferred_lft forever 7: veth1@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 link/ether 06:ed:98:87:6d:8a brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet 192.0.2.2/24 scope global veth1 valid_lft forever preferred_lft forever inet6 fe80::4ed:98ff:fe87:6d8a/64 scope link proto kernel_ll valid_lft forever preferred_lft forever 9: veth3@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 link/ether ae:75:23:38:a0:d2 brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet 203.0.113.2/24 scope global veth3 valid_lft forever preferred_lft forever inet6 fe80::ac75:23ff:fe38:a0d2/64 scope link proto kernel_ll valid_lft forever preferred_lft forever ~ ip ro list: default nexthop via 192.0.2.1 dev veth1 weight 1 nexthop via 203.0.113.1 dev veth3 weight 1 192.0.2.0/24 dev veth1 proto kernel scope link src 192.0.2.2 203.0.113.0/24 dev veth3 proto kernel scope link src 203.0.113.2 before: for i in {1..255} ; do ip ro get 10.0.0.$i; done | grep veth | awk ' {print $(NF-2)}' | sort | uniq -c: 255 veth3 after: for i in {1..255} ; do ip ro get 10.0.0.$i; done | grep veth | awk ' {print $(NF-2)}' | sort | uniq -c: 122 veth1 133 veth3 Fixes: 32607a3 ("ipv4: prefer multipath nexthop that matches source address") Signed-off-by: Vadim Fedorenko <vadim.fedorenko@linux.dev> Reviewed-by: Ido Schimmel <idosch@nvidia.com> Reviewed-by: Willem de Bruijn <willemb@google.com> Link: https://patch.msgid.link/20251221192639.3911901-1-vadim.fedorenko@linux.dev Signed-off-by: Paolo Abeni <pabeni@redhat.com>

The test checks that with multi nexthops route the preferred route is the one which matches source ip. In case when source ip is on dummy interface, it checks that the routes are balanced. Reviewed-by: Willem de Bruijn <willemb@google.com> Signed-off-by: Vadim Fedorenko <vadim.fedorenko@linux.dev> Link: https://patch.msgid.link/20251221192639.3911901-2-vadim.fedorenko@linux.dev Signed-off-by: Paolo Abeni <pabeni@redhat.com>

… to macb_open() In the non-RT kernel, local_bh_disable() merely disables preemption, whereas it maps to an actual spin lock in the RT kernel. Consequently, when attempting to refill RX buffers via netdev_alloc_skb() in macb_mac_link_up(), a deadlock scenario arises as follows: WARNING: possible circular locking dependency detected 6.18.0-08691-g2061f18ad76e kernel-patches#39 Not tainted ------------------------------------------------------ kworker/0:0/8 is trying to acquire lock: ffff00080369bbe0 (&bp->lock){+.+.}-{3:3}, at: macb_start_xmit+0x808/0xb7c but task is already holding lock: ffff000803698e58 (&queue->tx_ptr_lock){+...}-{3:3}, at: macb_start_xmit +0x148/0xb7c which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> kernel-patches#3 (&queue->tx_ptr_lock){+...}-{3:3}: rt_spin_lock+0x50/0x1f0 macb_start_xmit+0x148/0xb7c dev_hard_start_xmit+0x94/0x284 sch_direct_xmit+0x8c/0x37c __dev_queue_xmit+0x708/0x1120 neigh_resolve_output+0x148/0x28c ip6_finish_output2+0x2c0/0xb2c __ip6_finish_output+0x114/0x308 ip6_output+0xc4/0x4a4 mld_sendpack+0x220/0x68c mld_ifc_work+0x2a8/0x4f4 process_one_work+0x20c/0x5f8 worker_thread+0x1b0/0x35c kthread+0x144/0x200 ret_from_fork+0x10/0x20 -> kernel-patches#2 (_xmit_ETHER#2){+...}-{3:3}: rt_spin_lock+0x50/0x1f0 sch_direct_xmit+0x11c/0x37c __dev_queue_xmit+0x708/0x1120 neigh_resolve_output+0x148/0x28c ip6_finish_output2+0x2c0/0xb2c __ip6_finish_output+0x114/0x308 ip6_output+0xc4/0x4a4 mld_sendpack+0x220/0x68c mld_ifc_work+0x2a8/0x4f4 process_one_work+0x20c/0x5f8 worker_thread+0x1b0/0x35c kthread+0x144/0x200 ret_from_fork+0x10/0x20 -> kernel-patches#1 ((softirq_ctrl.lock)){+.+.}-{3:3}: lock_release+0x250/0x348 __local_bh_enable_ip+0x7c/0x240 __netdev_alloc_skb+0x1b4/0x1d8 gem_rx_refill+0xdc/0x240 gem_init_rings+0xb4/0x108 macb_mac_link_up+0x9c/0x2b4 phylink_resolve+0x170/0x614 process_one_work+0x20c/0x5f8 worker_thread+0x1b0/0x35c kthread+0x144/0x200 ret_from_fork+0x10/0x20 -> #0 (&bp->lock){+.+.}-{3:3}: __lock_acquire+0x15a8/0x2084 lock_acquire+0x1cc/0x350 rt_spin_lock+0x50/0x1f0 macb_start_xmit+0x808/0xb7c dev_hard_start_xmit+0x94/0x284 sch_direct_xmit+0x8c/0x37c __dev_queue_xmit+0x708/0x1120 neigh_resolve_output+0x148/0x28c ip6_finish_output2+0x2c0/0xb2c __ip6_finish_output+0x114/0x308 ip6_output+0xc4/0x4a4 mld_sendpack+0x220/0x68c mld_ifc_work+0x2a8/0x4f4 process_one_work+0x20c/0x5f8 worker_thread+0x1b0/0x35c kthread+0x144/0x200 ret_from_fork+0x10/0x20 other info that might help us debug this: Chain exists of: &bp->lock --> _xmit_ETHER#2 --> &queue->tx_ptr_lock Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&queue->tx_ptr_lock); lock(_xmit_ETHER#2); lock(&queue->tx_ptr_lock); lock(&bp->lock); *** DEADLOCK *** Call trace: show_stack+0x18/0x24 (C) dump_stack_lvl+0xa0/0xf0 dump_stack+0x18/0x24 print_circular_bug+0x28c/0x370 check_noncircular+0x198/0x1ac __lock_acquire+0x15a8/0x2084 lock_acquire+0x1cc/0x350 rt_spin_lock+0x50/0x1f0 macb_start_xmit+0x808/0xb7c dev_hard_start_xmit+0x94/0x284 sch_direct_xmit+0x8c/0x37c __dev_queue_xmit+0x708/0x1120 neigh_resolve_output+0x148/0x28c ip6_finish_output2+0x2c0/0xb2c __ip6_finish_output+0x114/0x308 ip6_output+0xc4/0x4a4 mld_sendpack+0x220/0x68c mld_ifc_work+0x2a8/0x4f4 process_one_work+0x20c/0x5f8 worker_thread+0x1b0/0x35c kthread+0x144/0x200 ret_from_fork+0x10/0x20 Notably, invoking the mog_init_rings() callback upon link establishment is unnecessary. Instead, we can exclusively call mog_init_rings() within the ndo_open() callback. This adjustment resolves the deadlock issue. Furthermore, since MACB_CAPS_MACB_IS_EMAC cases do not use mog_init_rings() when opening the network interface via at91ether_open(), moving mog_init_rings() to macb_open() also eliminates the MACB_CAPS_MACB_IS_EMAC check. Fixes: 633e98a ("net: macb: use resolved link config in mac_link_up()") Cc: stable@vger.kernel.org Suggested-by: Kevin Hao <kexin.hao@windriver.com> Signed-off-by: Xiaolei Wang <xiaolei.wang@windriver.com> Link: https://patch.msgid.link/20251222015624.1994551-1-xiaolei.wang@windriver.com Signed-off-by: Paolo Abeni <pabeni@redhat.com>

A value of 0 for addr indicates that the IEB_LBCR register does not need to be configured, as its default value is 0. However, the driver will print an error log if addr is 0, so this issue needs to be fixed. Fixes: 50bfd9c ("net: enetc: set external PHY address in IERB for i.MX94 ENETC") Signed-off-by: Wei Fang <wei.fang@nxp.com> Reviewed-by: Vladimir Oltean <vladimir.oltean@nxp.com> Link: https://patch.msgid.link/20251222022628.4016403-1-wei.fang@nxp.com Signed-off-by: Paolo Abeni <pabeni@redhat.com>

pdev can be null and free_ring: can be called in 1297 with a null pdev. Fixes: 55c8261 ("3c59x: convert to generic DMA API") Cc: <stable@vger.kernel.org> Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com> Signed-off-by: NipaLocal <nipa@local>

This patch fixes an issue in skb_gso_network_seglen and similar functions where the calculated segment length includes the HBH headers of BIG TCP jumbograms despite these headers being removed before segmentation. These headers are added by GRO or by ip6_xmit for BIG TCP packets and are later removed by GSO. This bug causes MTU validation of BIG TCP jumbograms to fail. Signed-off-by: Mariusz Klimek <maklimek97@gmail.com> Signed-off-by: NipaLocal <nipa@local>

This patch removes the IP6SKB_FAKEJUMBO flag that is used as a work-around to bypass MTU validation of BIG TCP jumbograms due to a bug in skb_gso_network_seglen. This work-around is no longer required now that the bug is fixed. Signed-off-by: Mariusz Klimek <maklimek97@gmail.com> Signed-off-by: NipaLocal <nipa@local>

This patch removes the manual lowering of the client MTU in big_tcp.sh. The MTU lowering was previously required as a work-around due to a bug in the MTU validation of BIG TCP jumbograms. The MTU was lowered to 1442, but note that 1492 (1500 - 8) would of worked just as well. Now that the bug has been fixed, the manual client MTU modification can be removed entirely. Signed-off-by: Mariusz Klimek <maklimek97@gmail.com> Signed-off-by: NipaLocal <nipa@local>

To enable the cake_mq qdisc to reuse code from the mq qdisc, export a bunch of functions from sch_mq. Split common functionality out from some functions so it can be composed with other code, and export other functions wholesale. To discourage wanton reuse, put the symbols into a new NET_SCHED_INTERNAL namespace, and a sch_priv.h header file. No functional change intended. Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com> Signed-off-by: NipaLocal <nipa@local>

Factor out all the user-configurable variables into a separate struct and embed it into struct cake_sched_data. This is done in preparation for sharing the configuration across multiple instances of cake in an mq setup. No functional change is intended with this patch. Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com> Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com> Signed-off-by: NipaLocal <nipa@local>

Add a cake_mq qdisc which installs cake instances on each hardware queue on a multi-queue device. This is just a copy of sch_mq that installs cake instead of the default qdisc on each queue. Subsequent commits will add sharing of the config between cake instances, as well as a multi-queue aware shaper algorithm. Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com> Signed-off-by: NipaLocal <nipa@local>

This adds support for configuring the cake_mq instance directly, sharing the config across the cake sub-qdiscs. Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com> Signed-off-by: NipaLocal <nipa@local>

This commit adds shared shaper state across the cake instances beneath a cake_mq qdisc. It works by periodically tracking the number of active instances, and scaling the configured rate by the number of active queues. The scan is lockless and simply reads the qlen and the last_active state variable of each of the instances configured beneath the parent cake_mq instance. Locking is not required since the values are only updated by the owning instance, and eventual consistency is sufficient for the purpose of estimating the number of active queues. The interval for scanning the number of active queues is set to 200 us. We found this to be a good tradeoff between overhead and response time. For a detailed analysis of this aspect see the Netdevconf talk: https://netdevconf.info/0x19/docs/netdev-0x19-paper16-talk-paper.pdf Signed-off-by: Jonas Köppeler <j.koeppeler@tu-berlin.de> Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com> Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com> Signed-off-by: NipaLocal <nipa@local>

Test 684b: Create CAKE_MQ with default setting (4 queues) Test 7ee8: Create CAKE_MQ with bandwidth limit (4 queues) Test 1f87: Create CAKE_MQ with rtt time (4 queues) Test e9cf: Create CAKE_MQ with besteffort flag (4 queues) Test 7c05: Create CAKE_MQ with diffserv8 flag (4 queues) Test 5a77: Create CAKE_MQ with diffserv4 flag (4 queues) Test 8f7a: Create CAKE_MQ with flowblind flag (4 queues) Test 7ef7: Create CAKE_MQ with dsthost and nat flag (4 queues) Test 2e4d: Create CAKE_MQ with wash flag (4 queues) Test b3e6: Create CAKE_MQ with flowblind and no-split-gso flag (4 queues) Test 62cd: Create CAKE_MQ with dual-srchost and ack-filter flag (4 queues) Test 0df3: Create CAKE_MQ with dual-dsthost and ack-filter-aggressive flag (4 queues) Test 9a75: Create CAKE_MQ with memlimit and ptm flag (4 queues) Test cdef: Create CAKE_MQ with fwmark and atm flag (4 queues) Test 93dd: Create CAKE_MQ with overhead 0 and mpu (4 queues) Test 1475: Create CAKE_MQ with conservative and ingress flag (4 queues) Test 7bf1: Delete CAKE_MQ with conservative and ingress flag (4 queues) Test ee55: Replace CAKE_MQ with mpu (4 queues) Test 6df9: Change CAKE_MQ with mpu (4 queues) Test 67e2: Show CAKE_MQ class (4 queues) Test 2de4: Change bandwidth of CAKE_MQ (4 queues) Test 5f62: Fail to create CAKE_MQ with autorate-ingress flag (4 queues) Test 038e: Fail to change setting of sub-qdisc under CAKE_MQ Test 7bdc: Fail to replace sub-qdisc under CAKE_MQ Test 18e0: Fail to install CAKE_MQ on single queue device Signed-off-by: Jonas Köppeler <j.koeppeler@tu-berlin.de> Signed-off-by: NipaLocal <nipa@local>

When the TSO function sets tx_skbuff_dma[tx_q->cur_tx].last_segment = true , and the last_segment value is not cleared in stmmac_free_tx_buffer after resume, restarting TSO transmission may incorrectly use tx_q->tx_skbuff_dma[first_entry].last_segment = true for a new TSO packet. after resume dev_watchdog() message: "NETDEV WATCHDOG: CPU: x: transmit queue x timed out xx ms" tx ring descriptor info as follows: eth0: 221 [0x0000000876d10dd0]: 0x73660cbe 0x8 0x42 0xb04416a0 eth0: 222 [0x0000000876d10de0]: 0x77731d40 0x8 0x16a0 0x90000000 Descriptor 221 is the TSO header, and descriptor 222 is the TSO payload. In the tdes3 (0xb04416a0), bit 29 (first descriptor) and bit 28 (last descriptor) of the TSO packet 221 DMA descriptor cannot both be set to 1 simultaneously. Since descriptor 222 is the actual last descriptor, failing to set it properly will cause the EMAC DMA to stop and hang. To solve the issue, set last_segment to false in stmmac_free_tx_buffer: tx_q->tx_skbuff_dma[i].last_segment = false; Set last_segment to false in stmmac_tso_xmit, and do not use the default value: tx_q->tx_skbuff_dma[first_entry].last_segment = false; This will prevent similar issues from occurring in the future. Signed-off-by: Tao Wang <tao03.wang@horizon.auto> Signed-off-by: NipaLocal <nipa@local>

Increment tx_dropped when dropping the skb due to link down. Tested-on: D-Link DGE-550T Rev-A3 Signed-off-by: Yeounsu Moon <yyyynoom@gmail.com> Signed-off-by: NipaLocal <nipa@local>

…ter dereference in chcr_ktls_dev_del() In this function, u_ctx is guarded by an if statement, which indicates that it may be NULL: u_ctx = tx_info->adap->uld[CXGB4_ULD_KTLS].handle; if (u_ctx && u_ctx->detach) return; Consequently, a potential null-pointer dereference may occur when tx_info->tid != -1, as shown below: if (tx_info->tid != -1) { ... xa_erase(&u_ctx->tid_list, tx_info->tid); } Therefore, add a defensive NULL check to prevent this issue. Fixes: 65e302a ("cxgb4/ch_ktls: Clear resources when pf4 device is removed") Signed-off-by: Tuo Li <islituo@gmail.com> Signed-off-by: NipaLocal <nipa@local>

When bnxt_init_one() fails during initialization (e.g., bnxt_init_int_mode returns -ENODEV), the error path calls bnxt_free_hwrm_resources() which destroys the DMA pool and sets bp->hwrm_dma_pool to NULL. Subsequently, bnxt_ptp_clear() is called, which invokes ptp_clock_unregister(). Since commit a60fc32 ("ptp: rework ptp_clock_unregister() to disable events"), ptp_clock_unregister() now calls ptp_disable_all_events(), which in turn invokes the driver's .enable() callback (bnxt_ptp_enable()) to disable PTP events before completing the unregistration. bnxt_ptp_enable() attempts to send HWRM commands via bnxt_ptp_cfg_pin() and bnxt_ptp_cfg_event(), both of which call hwrm_req_init(). This function tries to allocate from bp->hwrm_dma_pool, causing a NULL pointer dereference: bnxt_en 0000:01:00.0 (unnamed net_device) (uninitialized): bnxt_init_int_mode err: ffffffed KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f] Call Trace: __hwrm_req_init (drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.c:72) bnxt_ptp_enable (drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:323 drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:517) ptp_disable_all_events (drivers/ptp/ptp_chardev.c:66) ptp_clock_unregister (drivers/ptp/ptp_clock.c:518) bnxt_ptp_clear (drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:1134) bnxt_init_one (drivers/net/ethernet/broadcom/bnxt/bnxt.c:16889) Lines are against commit f8f9c1f ("Linux 6.19-rc3") Fix this by clearing and unregistering ptp (bnxt_ptp_clear()) before freeing HWRM resources. Suggested-by: Pavan Chebbi <pavan.chebbi@broadcom.com> Signed-off-by: Breno Leitao <leitao@debian.org> Fixes: a60fc32 ("ptp: rework ptp_clock_unregister() to disable events") Cc: stable@vger.kernel.org Signed-off-by: NipaLocal <nipa@local>

I added skb_vlan_inet_prepare() helper in the cited commit, hinting that we would need to use it more broadly. syzbot confirmed this was the case in ip6_gre. uninit-value in ip6table_mangle_hook+0x97d/0x9c0 net/ipv6/netfilter/ip6table_mangle.c:72 ip6t_mangle_out net/ipv6/netfilter/ip6table_mangle.c:56 [inline] ip6table_mangle_hook+0x97d/0x9c0 net/ipv6/netfilter/ip6table_mangle.c:72 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626 nf_hook include/linux/netfilter.h:269 [inline] __ip6_local_out+0x5ac/0x640 net/ipv6/output_core.c:143 ip6_local_out+0x4c/0x210 net/ipv6/output_core.c:153 ip6tunnel_xmit+0x129/0x460 include/net/ip6_tunnel.h:161 ip6_tnl_xmit+0x341a/0x3860 net/ipv6/ip6_tunnel.c:1281 Uninit was stored to memory at: ip6_tnl_xmit+0x34f7/0x3860 net/ipv6/ip6_tunnel.c:1277 __gre6_xmit+0x14b9/0x1550 net/ipv6/ip6_gre.c:815 ip6gre_xmit_ipv4 net/ipv6/ip6_gre.c:839 [inline] ip6gre_tunnel_xmit+0x18f7/0x2030 net/ipv6/ip6_gre.c:922 Uninit was created at: slab_post_alloc_hook mm/slub.c:4091 [inline] slab_alloc_node mm/slub.c:4134 [inline] __do_kmalloc_node mm/slub.c:4263 [inline] __kmalloc_node_track_caller_noprof+0x6c7/0xf90 mm/slub.c:4283 kmalloc_reserve+0x23e/0x4a0 net/core/skbuff.c:609 pskb_expand_head+0x226/0x1a60 net/core/skbuff.c:2275 skb_realloc_headroom+0x140/0x2b0 net/core/skbuff.c:2355 ip6_tnl_xmit+0x2106/0x3860 net/ipv6/ip6_tunnel.c:1227 __gre6_xmit+0x14b9/0x1550 net/ipv6/ip6_gre.c:815 ip6gre_xmit_ipv4 net/ipv6/ip6_gre.c:839 [inline] ip6gre_tunnel_xmit+0x18f7/0x2030 net/ipv6/ip6_gre.c:922 Fixes: d8a6213 ("geneve: fix header validation in geneve[6]_xmit_skb") Reported-by: syzbot+6023ea32e206eef7920a@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=6023ea32e206eef7920a Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Mazin Al Haddad <mazin@getstate.dev> Signed-off-by: NipaLocal <nipa@local>