Linux/linux 6fab32b . MAINTAINERS

MAINTAINERS: add Mark Brown as a linux-next maintainer

Mark has been kindly helping fill in when I have been unavailable over
the past several years.  He has also put his hand up to take over
linux-next maintenance when I finally decide to stop (which may be some
time yet ;-) ).

Signed-off-by: Stephen Rothwell <sfr at canb.auug.org.au>
Acked-by: Mark Brown <broonie at kernel.org>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
Delta    File
+1 -0    MAINTAINERS
+1 -0    1 files

Linux/linux 5121062 kernel/trace/rv rv.c, kernel/trace/rv/monitors/pagefault Kconfig

Merge tag 'trace-rv-v6.18-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace

Pull tracing fixes from Steven Rostedt:
 "A couple of fixes for Runtime Verification:

   - A bug caused a kernel panic when reading enabled_monitors was
     reported.

     Change callback functions to always use list_head iterators and by
     doing so, fix the wrong pointer that was leading to the panic.

   - The rtapp/pagefault monitor relies on the MMU to be present
     (pagefaults exist) but that was not enforced via kconfig, leading
     to potential build errors on systems without an MMU.

     Add that kconfig dependency"

* tag 'trace-rv-v6.18-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
  rv: Make rtapp/pagefault monitor depends on CONFIG_MMU
  rv: Fully convert enabled_monitors to use list_head as iterator
Delta    File
+6 -6    kernel/trace/rv/rv.c
+1 -0    kernel/trace/rv/monitors/pagefault/Kconfig
+7 -6    2 files

Linux/linux 266ee58 arch/arm64/include/asm pgtable.h, arch/arm64/mm copypage.c

Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux

Pull arm64 fixes from Catalin Marinas:

 - Do not make a clean PTE dirty in pte_mkwrite()

   The Arm architecture, for backwards compatibility reasons (ARMv8.0
   before in-hardware dirty bit management - DBM), uses the PTE_RDONLY
   bit to mean !dirty while the PTE_WRITE bit means DBM enabled. The
   arm64 pte_mkwrite() simply clears the PTE_RDONLY bit and this
   inadvertently makes the PTE pte_hw_dirty(). Most places making a PTE
   writable also invoke pte_mkdirty() but do_swap_page() does not and we
   end up with dirty, freshly swapped in, writeable pages.

 - Do not warn if the destination page is already MTE-tagged in
   copy_highpage()

   In the majority of the cases, a destination page copied into is
   freshly allocated without the PG_mte_tagged flag set. However, the

    [6 lines not shown]
Delta     File
+8 -3     arch/arm64/mm/copypage.c
+2 -1     arch/arm64/include/asm/pgtable.h
+10 -4    2 files

Linux/linux ab431bc drivers/net/bonding bond_main.c, drivers/net/ethernet/mellanox/mlx5/core en_rx.c

Merge tag 'net-6.18-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

Pull networking fixes from Jakub Kicinski:
 "Including fixes from can. Slim pickings, I'm guessing people haven't
  really started testing.

  Current release - new code bugs:

   - eth: mlx5e:
       - psp: avoid 'accel' NULL pointer dereference
       - skip PPHCR register query for FEC histogram if not supported

  Previous releases - regressions:

   - bonding: update the slave array for broadcast mode

   - rtnetlink: re-allow deleting FDB entries in user namespace

   - eth: dpaa2: fix the pointer passed to PTR_ALIGN on Tx path

    [38 lines not shown]
Delta        File
+45 -28      tools/testing/selftests/net/sctp_vrf.sh
+43 -20      drivers/net/ethernet/ti/am65-cpts.c
+26 -27      drivers/net/ethernet/mellanox/mlx5/core/lib/devcom.c
+42 -9       drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
+23 -24      drivers/net/bonding/bond_main.c
+34 -10      net/core/datagram.c
+213 -118    44 files not shown
+451 -263    50 files

Linux/linux a0b12d7 drivers/acpi property.c, drivers/acpi/acpica tbprint.c

Merge tag 'acpi-6.18-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

Pull ACPI fixes from Rafael Wysocki:
 "These fix a fallout of a recent ACPI properties management update and
  work around a compiler bug in ACPICA:

   - Fix a recent coding mistake causing __acpi_node_get_property_reference()
     arguments to be put in an incorrect order (Sunil V L)

   - Work around bogus -Wstringop-overread warning on LoongArch since
     GCC 11 in ACPICA (Xi Ruoyao)"

* tag 'acpi-6.18-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  ACPICA: Work around bogus -Wstringop-overread warning since GCC 11
  ACPI: property: Fix argument order in __acpi_node_get_property_reference()
Delta    File
+6 -0    drivers/acpi/acpica/tbprint.c
+1 -1    drivers/acpi/property.c
+7 -1    2 files

Linux/linux 85db0c0 drivers/cpufreq amd-pstate.c, drivers/cpuidle/governors menu.c

Merge tag 'pm-6.18-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

Pull power management fixes from Rafael Wysocki:
 "These revert a cpuidle menu governor commit leading to a performance
  regression, fix an amd-pstate driver regression introduced recently,
  and fix new conditional guard definitions for runtime PM.

   - Add missing _RET == 0 condition to recently introduced conditional
     guard definitions for runtime PM (Rafael Wysocki)

   - Revert a cpuidle menu governor change that introduced a serious
     performance regression on Chromebooks with Intel Jasper Lake
     processors (Rafael Wysocki)

   - Fix an amd-pstate driver regression leading to EPP=0 after
     hibernation (Mario Limonciello)"

* tag 'pm-6.18-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  PM: runtime: Fix conditional guard definitions

    [2 lines not shown]
Delta      File
+9 -12     drivers/cpuidle/governors/menu.c
+4 -4      include/linux/pm_runtime.h
+5 -1      drivers/cpufreq/amd-pstate.c
+18 -17    3 files

Linux/linux 942048d fs/btrfs send.c super.c

Merge tag 'for-6.18-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux

Pull btrfs fixes from David Sterba:

 - in send, fix duplicated rmdir operations when using extrefs
   (hardlinks), receive can fail with ENOENT

 - fixup of error check when reading extent root in ref-verify and
   damaged roots are allowed by mount option (found by smatch)

 - fix freeing partially initialized fs info (found by syzkaller)

 - fix use-after-free when printing ref_tracking status of delayed
   inodes

* tag 'for-6.18-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
  btrfs: ref-verify: fix IS_ERR() vs NULL check in btrfs_build_ref_tree()
  btrfs: fix delayed_node ref_tracker use after free
  btrfs: send: fix duplicated rmdir operations when using extrefs
  btrfs: directly free partially initialized fs_info in btrfs_check_leaked_roots()
Delta      File
+48 -8     fs/btrfs/send.c
+7 -1      fs/btrfs/super.c
+7 -0      fs/btrfs/delayed-inode.h
+1 -1      fs/btrfs/ref-verify.c
+1 -1      fs/btrfs/delayed-inode.c
+64 -11    5 files

Linux/linux b98c94e arch/arm64/mm copypage.c

arm64: mte: Do not warn if the page is already tagged in copy_highpage()

The arm64 copy_highpage() assumes that the destination page is newly
allocated and not MTE-tagged (PG_mte_tagged unset) and warns
accordingly. However, following commit 060913999d7a ("mm: migrate:
support poisoned recover from migrate folio"), folio_mc_copy() is called
before __folio_migrate_mapping(). If the latter fails (-EAGAIN), the
copy will be done again to the same destination page. Since
copy_highpage() already set the PG_mte_tagged flag, this second copy
will warn.

Replace the WARN_ON_ONCE(page already tagged) in the arm64
copy_highpage() with a comment.

Reported-by: syzbot+d1974fc28545a3e6218b at syzkaller.appspotmail.com
Link: https://lore.kernel.org/r/68dda1ae.a00a0220.102ee.0065.GAE@google.com
Reviewed-by: David Hildenbrand <david at redhat.com>
Cc: Will Deacon <will at kernel.org>
Cc: Kefeng Wang <wangkefeng.wang at huawei.com>

    [3 lines not shown]
Delta    File
+8 -3    arch/arm64/mm/copypage.c
+8 -3    1 files

Linux/linux cb68d1e drivers/net/ethernet/mellanox/mlx5/core en_main.c main.c, drivers/net/ethernet/mellanox/mlx5/core/en_accel ipsec_fs.c ipsec.h

Merge branch 'mlx5-misc-fixes-2025-10-22'

Tariq Toukan says:

====================
mlx5 misc fixes 2025-10-22

This patchset provides misc bug fixes from the team to the mlx5 core and
Eth drivers.
====================

Link: https://patch.msgid.link/1761136182-918470-1-git-send-email-tariqt@nvidia.com
Signed-off-by: Jakub Kicinski <kuba at kernel.org>
Delta      File
+26 -27    drivers/net/ethernet/mellanox/mlx5/core/lib/devcom.c
+23 -2     drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
+5 -3      drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+3 -4      drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c
+2 -3      drivers/net/ethernet/mellanox/mlx5/core/main.c
+5 -0      drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h
+64 -39    5 files not shown
+75 -46    11 files

Linux/linux d58a9a9 drivers/net/ethernet/mellanox/mlx5/core en_stats.c

net/mlx5e: Skip PPHCR register query if not supported by the device

Check the PCAM supported registers mask before querying the PPHCR
register, as it is not supported in older devices.

Fixes: 44907e7c8fd0 ("net/mlx5e: Add logic to read RS-FEC histogram bin ranges from PPHCR")
Signed-off-by: Alexei Lazar <alazar at nvidia.com>
Reviewed-by: Yael Chemla <ychemla at nvidia.com>
Signed-off-by: Tariq Toukan <tariqt at nvidia.com>
Link: https://patch.msgid.link/1761136182-918470-3-git-send-email-tariqt@nvidia.com
Signed-off-by: Jakub Kicinski <kuba at kernel.org>
Delta    File
+3 -1    drivers/net/ethernet/mellanox/mlx5/core/en_stats.c
+3 -1    1 files

Linux/linux 664f76b drivers/net/ethernet/mellanox/mlx5/core en_main.c, drivers/net/ethernet/mellanox/mlx5/core/en_accel ipsec_fs.c ipsec.h

net/mlx5: Fix IPsec cleanup over MPV device

When we do mlx5e_detach_netdev() we eventually disable blocking events
notifier, among those events are IPsec MPV events from IB to core.

So before disabling those blocking events, make sure to also unregister
the devcom device and mark all this device operations as complete,
in order to prevent the other device from using invalid netdev
during future devcom events which could cause the trace below.

BUG: kernel NULL pointer dereference, address: 0000000000000010
PGD 146427067 P4D 146427067 PUD 146488067 PMD 0
Oops: Oops: 0000 [#1] SMP
CPU: 1 UID: 0 PID: 7735 Comm: devlink Tainted: GW 6.12.0-rc6_for_upstream_min_debug_2024_11_08_00_46 #1
Tainted: [W]=WARN
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:mlx5_devcom_comp_set_ready+0x5/0x40 [mlx5_core]
Code: 00 01 48 83 05 23 32 1e 00 01 41 b8 ed ff ff ff e9 60 ff ff ff 48 83 05 00 32 1e 00 01 eb e3 66 0f 1f 44 00 00 0f 1f 44 00 00 <48> 8b 47 10 48 83 05 5f 32 1e 00 01 48 8b 50 40 48 85 d2 74 05 40
RSP: 0018:ffff88811a5c35f8 EFLAGS: 00010206

    [85 lines not shown]
Delta     File
+23 -2    drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
+5 -0     drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h
+2 -0     drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+30 -2    3 files

Linux/linux 8f82f89 drivers/net/ethernet/mellanox/mlx5/core en_main.c main.c, drivers/net/ethernet/mellanox/mlx5/core/lag lag.c

net/mlx5: Refactor devcom to return NULL on failure

Devcom device and component registration isn't always critical to the
functionality of the caller, hence the registration can fail and we can
continue working with an ERR_PTR value saved inside a variable.

In order to avoid that make sure all devcom failures return NULL.

Signed-off-by: Patrisious Haddad <phaddad at nvidia.com>
Reviewed-by: Leon Romanovsky <leonro at nvidia.com>
Signed-off-by: Tariq Toukan <tariqt at nvidia.com>
Link: https://patch.msgid.link/1761136182-918470-4-git-send-email-tariqt@nvidia.com
Signed-off-by: Jakub Kicinski <kuba at kernel.org>
Delta      File
+26 -27    drivers/net/ethernet/mellanox/mlx5/core/lib/devcom.c
+3 -4      drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c
+3 -3      drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+2 -3      drivers/net/ethernet/mellanox/mlx5/core/main.c
+2 -2      drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
+2 -2      drivers/net/ethernet/mellanox/mlx5/core/lib/sd.c
+38 -41    1 files not shown
+39 -42    7 files

Linux/linux bb65e0c include/linux/mlx5 mlx5_ifc.h

net/mlx5: Add PPHCR to PCAM supported registers mask

Add the PPHCR bit to the port_access_reg_cap_mask field of PCAM
register to indicate that the device supports the PPHCR register
and the RS-FEC histogram feature.

Signed-off-by: Alexei Lazar <alazar at nvidia.com>
Reviewed-by: Yael Chemla <ychemla at nvidia.com>
Signed-off-by: Tariq Toukan <tariqt at nvidia.com>
Link: https://patch.msgid.link/1761136182-918470-2-git-send-email-tariqt@nvidia.com
Signed-off-by: Jakub Kicinski <kuba at kernel.org>
Delta    File
+3 -1    include/linux/mlx5/mlx5_ifc.h
+3 -1    1 files

Linux/linux b228476 include/linux virtio_net.h

virtio-net: zero unused hash fields

When GSO tunnel is negotiated virtio_net_hdr_tnl_from_skb() tries to
initialize the tunnel metadata but forgets to zero unused rxhash
fields. This may leak information to another side. Fixing this by
zeroing the unused hash fields.

Acked-by: Michael S. Tsirkin <mst at redhat.com>
Fixes: a2fb4bc4e2a6a ("net: implement virtio helpers to handle UDP GSO tunneling")
Cc: <stable at vger.kernel.org>
Signed-off-by: Jason Wang <jasowang at redhat.com>
Reviewed-by: Xuan Zhuo <xuanzhuo at linux.alibaba.com>
Link: https://patch.msgid.link/20251022034421.70244-1-jasowang@redhat.com
Signed-off-by: Jakub Kicinski <kuba at kernel.org>
Delta    File
+4 -0    include/linux/virtio_net.h
+4 -0    1 files

Linux/linux 399d109 drivers/net/phy micrel.c

net: phy: micrel: always set shared->phydev for LAN8814

Currently, during the LAN8814 PTP probe shared->phydev is only set if PTP
clock gets actually set, otherwise the function will return before setting
it.

This is an issue as shared->phydev is unconditionally being used when IRQ
is being handled, especially in lan8814_gpio_process_cap and since it was
not set it will cause a NULL pointer exception and crash the kernel.

So, simply always set shared->phydev to avoid the NULL pointer exception.

Fixes: b3f1a08fcf0d ("net: phy: micrel: Add support for PTP_PF_EXTTS for lan8814")
Signed-off-by: Robert Marko <robert.marko at sartura.hr>
Tested-by: Horatiu Vultur <horatiu.vultur at microchip.com>
Link: https://patch.msgid.link/20251021132034.983936-1-robert.marko@sartura.hr
Signed-off-by: Jakub Kicinski <kuba at kernel.org>
Delta    File
+2 -2    drivers/net/phy/micrel.c
+2 -2    1 files

Linux/linux f7c877e net/vmw_vsock af_vsock.c

vsock: fix lock inversion in vsock_assign_transport()

Syzbot reported a potential lock inversion deadlock between
vsock_register_mutex and sk_lock-AF_VSOCK when vsock_linger() is called.

The issue was introduced by commit 687aa0c5581b ("vsock: Fix
transport_* TOCTOU") which added vsock_register_mutex locking in
vsock_assign_transport() around the transport->release() call, that can
call vsock_linger(). vsock_assign_transport() can be called with sk_lock
held. vsock_linger() calls sk_wait_event() that temporarily releases and
re-acquires sk_lock. During this window, if another thread holds
vsock_register_mutex while trying to acquire sk_lock, a circular
dependency is created.

Fix this by releasing vsock_register_mutex before calling
transport->release() and vsock_deassign_transport(). This is safe
because we don't need to hold vsock_register_mutex while releasing the
old transport, and we ensure the new transport won't disappear by
obtaining a module reference first via try_module_get().

    [10 lines not shown]
Delta      File
+19 -19    net/vmw_vsock/af_vsock.c
+19 -19    1 files

Linux/linux df890ce drivers/net/ovpn tcp.c, include/linux skbuff.h

Merge branch 'fix-poll-behaviour-for-tcp-based-tunnel-protocols'

Ralf Lici says:

====================
fix poll behaviour for TCP-based tunnel protocols

This patch series introduces a polling function for datagram-style
sockets that operates on custom skb queues, and updates ovpn (the
OpenVPN data-channel offload module) and espintcp (the TCP Encapsulation
of IKE and IPsec Packets implementation) to use it accordingly.

Protocols like the aforementioned one decapsulate packets received over
TCP and deliver userspace-bound data through a separate skb queue, not
the standard sk_receive_queue. Previously, both relied on
datagram_poll(), which would signal readiness based on non-userspace
packets, leading to misleading poll results and unnecessary recv
attempts in userspace.


    [13 lines not shown]
Delta      File
+34 -10    net/core/datagram.c
+22 -4     drivers/net/ovpn/tcp.c
+1 -5      net/xfrm/espintcp.c
+3 -0      include/linux/skbuff.h
+60 -19    4 files

Linux/linux efd7294 drivers/net/ovpn tcp.c

ovpn: use datagram_poll_queue for socket readiness in TCP

openvpn TCP encapsulation uses a custom queue to deliver packets to
userspace. Currently it relies on datagram_poll, which checks
sk_receive_queue, leading to false readiness signals when that queue
contains non-userspace packets.

Switch ovpn_tcp_poll to use datagram_poll_queue with the peer's
user_queue, ensuring poll only signals readiness when userspace data is
actually available. Also refactor ovpn_tcp_poll in order to enforce the
assumption we can make on the lifetime of ovpn_sock and peer.

Fixes: 11851cbd60ea ("ovpn: implement TCP transport")
Signed-off-by: Antonio Quartulli <antonio at openvpn.net>
Signed-off-by: Ralf Lici <ralf at mandelbit.com>
Reviewed-by: Sabrina Dubroca <sd at queasysnail.net>
Link: https://patch.msgid.link/20251021100942.195010-4-ralf@mandelbit.com
Signed-off-by: Paolo Abeni <pabeni at redhat.com>

Delta     File
+22 -4    drivers/net/ovpn/tcp.c
+22 -4    1 files

Linux/linux 0fc3e32 net/xfrm espintcp.c

espintcp: use datagram_poll_queue for socket readiness

espintcp uses a custom queue (ike_queue) to deliver packets to
userspace. The polling logic relies on datagram_poll, which checks
sk_receive_queue, which can lead to false readiness signals when that
queue contains non-userspace packets.

Switch espintcp_poll to use datagram_poll_queue with ike_queue, ensuring
poll only signals readiness when userspace data is actually available.

Fixes: e27cca96cd68 ("xfrm: add espintcp (RFC 8229)")
Signed-off-by: Ralf Lici <ralf at mandelbit.com>
Reviewed-by: Sabrina Dubroca <sd at queasysnail.net>
Link: https://patch.msgid.link/20251021100942.195010-3-ralf@mandelbit.com
Signed-off-by: Paolo Abeni <pabeni at redhat.com>

Delta    File
+1 -5    net/xfrm/espintcp.c
+1 -5    1 files

Linux/linux f6ceec6 include/linux skbuff.h, net/core datagram.c

net: datagram: introduce datagram_poll_queue for custom receive queues

Some protocols using TCP encapsulation (e.g., espintcp, openvpn) deliver
userspace-bound packets through a custom skb queue rather than the
standard sk_receive_queue.

Introduce datagram_poll_queue that accepts an explicit receive queue,
and convert datagram_poll into a wrapper around datagram_poll_queue.
This allows protocols with custom skb queues to reuse the core polling
logic without relying on sk_receive_queue.

Cc: Sabrina Dubroca <sd at queasysnail.net>
Cc: Antonio Quartulli <antonio at openvpn.net>
Signed-off-by: Ralf Lici <ralf at mandelbit.com>
Reviewed-by: Sabrina Dubroca <sd at queasysnail.net>
Reviewed-by: Antonio Quartulli <antonio at openvpn.net>
Link: https://patch.msgid.link/20251021100942.195010-2-ralf@mandelbit.com
Signed-off-by: Paolo Abeni <pabeni at redhat.com>

Delta      File
+34 -10    net/core/datagram.c
+3 -0      include/linux/skbuff.h
+37 -10    2 files

Linux/linux 114cbd6 drivers/acpi property.c

Merge branch 'acpi-property'

Merge an ACPI device properties handling change fixing the order of
__acpi_node_get_property_reference() arguments broken by a recent
update (Sunil V L)

* 'acpi-property':
  ACPI: property: Fix argument order in __acpi_node_get_property_reference()
Delta    File
+1 -1    drivers/acpi/property.c
+1 -1    1 files

Linux/linux b62bd2c drivers/cpufreq amd-pstate.c, drivers/cpuidle/governors menu.c

Merge branches 'pm-cpuidle' and 'pm-cpufreq'

Merge cpuidle and cpufreq fixes for 6.18-rc3:

 - Revert a cpuidle menu governor change that introduced a serious
   performance regression on Chromebooks with Intel Jasper Lake
   processors (Rafael Wysocki)

 - Fix an amd-pstate driver regression leading to EPP=0 after
   hibernation (Mario Limonciello)

* pm-cpuidle:
  Revert "cpuidle: menu: Avoid discarding useful information"

* pm-cpufreq:
  cpufreq/amd-pstate: Fix a regression leading to EPP 0 after hibernate
Delta      File
+9 -12     drivers/cpuidle/governors/menu.c
+5 -1      drivers/cpufreq/amd-pstate.c
+14 -13    2 files

Linux/linux 10843e1 drivers/net/bonding bond_main.c

net: bonding: fix possible peer notify event loss or dup issue

If the send_peer_notif counter and the peer event notify are not synchronized,
it may cause problems such as the loss or dup of peer notify event.

Before this patch:
- If should_notify_peers is true and the lock for send_peer_notif-- fails, peer
  event may be sent again in next mii_monitor loop, because should_notify_peers
  is still true.
- If should_notify_peers is true and the lock for send_peer_notif-- succeeded,
  but the lock for peer event fails, the peer event will be lost.

This patch locks the RTNL for send_peer_notif, events, and commit simultaneously.

Fixes: 07a4ddec3ce9 ("bonding: add an option to specify a delay between peer notifications")
Cc: Jay Vosburgh <jv at jvosburgh.net>
Cc: Andrew Lunn <andrew+netdev at lunn.ch>
Cc: Eric Dumazet <edumazet at google.com>
Cc: Jakub Kicinski <kuba at kernel.org>

    [10 lines not shown]
Delta      File
+18 -22    drivers/net/bonding/bond_main.c
+18 -22    1 files

Linux/linux c0178ee net/hsr hsr_netlink.c

net: hsr: prevent creation of HSR device with slaves from another netns

HSR/PRP driver does not handle correctly having slaves/interlink devices
in a different net namespace. Currently, it is possible to create a HSR
link in a different net namespace than the slaves/interlink with the
following command:

 ip link add hsr0 netns hsr-ns type hsr slave1 eth1 slave2 eth2

As there is no use-case on supporting this scenario, enforce that HSR
device link matches netns defined by IFLA_LINK_NETNSID.

The iproute2 command mentioned above will throw the following error:

 Error: hsr: HSR slaves/interlink must be on the same net namespace than HSR link.

Fixes: f421436a591d ("net/hsr: Add support for the High-availability Seamless Redundancy protocol (HSRv0)")
Signed-off-by: Fernando Fernandez Mancera <fmancera at suse.de>
Link: https://patch.msgid.link/20251020135533.9373-1-fmancera@suse.de
Signed-off-by: Jakub Kicinski <kuba at kernel.org>
Delta    File
+7 -1    net/hsr/hsr_netlink.c
+7 -1    1 files

Linux/linux 441f064 net/sctp inqueue.c

sctp: avoid NULL dereference when chunk data buffer is missing

chunk->skb pointer is dereferenced in the if-block where it's supposed
to be NULL only.

chunk->skb can only be NULL if chunk->head_skb is not. Check for frag_list
instead and do it just before replacing chunk->skb. We're sure that
otherwise chunk->skb is non-NULL because of outer if() condition.

Fixes: 90017accff61 ("sctp: Add GSO support")
Signed-off-by: Alexey Simakov <bigalex934 at gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner at gmail.com>
Link: https://patch.msgid.link/20251021130034.6333-1-bigalex934@gmail.com
Signed-off-by: Jakub Kicinski <kuba at kernel.org>
Delta    File
+7 -6    net/sctp/inqueue.c
+7 -6    1 files

Linux/linux a767957 drivers/ptp ptp_ocp.c

ptp: ocp: Fix typo using index 1 instead of i in SMA initialization loop

In ptp_ocp_sma_fb_init(), the code mistakenly used bp->sma[1]
instead of bp->sma[i] inside a for-loop, which caused only SMA[1]
to have its DIRECTION_CAN_CHANGE capability cleared. This led to
inconsistent capability flags across SMA pins.

Fixes: 09eeb3aecc6c ("ptp_ocp: implement DPLL ops")
Signed-off-by: Jiasheng Jiang <jiashengjiangcool at gmail.com>
Reviewed-by: Vadim Fedorenko <vadim.fedorenko at linux.dev>
Link: https://patch.msgid.link/20251021182456.9729-1-jiashengjiangcool@gmail.com
Signed-off-by: Jakub Kicinski <kuba at kernel.org>
Delta    File
+1 -1    drivers/ptp/ptp_ocp.c
+1 -1    1 files

Linux/linux 4c3aa49 drivers/net/ethernet/renesas ravb_main.c

Merge branch 'net-ravb-fix-soc-specific-configuration-and-descriptor-handling-issues'

Lad Prabhakar says:

====================
net: ravb: Fix SoC-specific configuration and descriptor handling issues [part]

This series addresses several issues in the Renesas Ethernet AVB (ravb)
driver related to descriptor ordering.

A potential ordering hazard in descriptor setup could cause
the DMA engine to start prematurely, leading to TX stalls on some
platforms.

The series includes the following changes:

Enforce descriptor type ordering to prevent early DMA start
Ensure proper write ordering of TX descriptor type fields to prevent the
DMA engine from observing an incomplete descriptor chain. This fixes

    [7 lines not shown]
Delta     File
+22 -2    drivers/net/ethernet/renesas/ravb_main.c
+22 -2    1 files

Linux/linux 706136c drivers/net/ethernet/renesas ravb_main.c

net: ravb: Ensure memory write completes before ringing TX doorbell

Add a final dma_wmb() barrier before triggering the transmit request
(TCCR_TSRQ) to ensure all descriptor and buffer writes are visible to
the DMA engine.

According to the hardware manual, a read-back operation is required
before writing to the doorbell register to guarantee completion of
previous writes. Instead of performing a dummy read, a dma_wmb() is
used to both enforce the same ordering semantics on the CPU side and
also to ensure completion of writes.

Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper")
Cc: stable at vger.kernel.org
Co-developed-by: Fabrizio Castro <fabrizio.castro.jz at renesas.com>
Signed-off-by: Fabrizio Castro <fabrizio.castro.jz at renesas.com>
Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj at bp.renesas.com>
Reviewed-by: Niklas Söderlund <niklas.soderlund+renesas at ragnatech.se>
Link: https://patch.msgid.link/20251017151830.171062-5-prabhakar.mahadev-lad.rj@bp.renesas.com
Signed-off-by: Jakub Kicinski <kuba at kernel.org>
Delta    File
+8 -0    drivers/net/ethernet/renesas/ravb_main.c
+8 -0    1 files

Linux/linux 5370c31 drivers/net/ethernet/renesas ravb_main.c

net: ravb: Enforce descriptor type ordering

Ensure the TX descriptor type fields are published in a safe order so the
DMA engine never begins processing a descriptor chain before all descriptor
fields are fully initialised.

For multi-descriptor transmits the driver writes DT_FEND into the last
descriptor and DT_FSTART into the first. The DMA engine begins processing
when it observes DT_FSTART. Move the dma_wmb() barrier so it executes
immediately after DT_FEND and immediately before writing DT_FSTART
(and before DT_FSINGLE in the single-descriptor case). This guarantees
that all prior CPU writes to the descriptor memory are visible to the
device before DT_FSTART is seen.

This avoids a situation where compiler/CPU reordering could publish
DT_FSTART ahead of DT_FEND or other descriptor fields, allowing the DMA to
start on a partially initialised chain and causing corrupted transmissions
or TX timeouts. Such a failure was observed on RZ/G2L with an RT kernel as
transmit queue timeouts and device resets.

    [9 lines not shown]
Delta     File
+14 -2    drivers/net/ethernet/renesas/ravb_main.c
+14 -2    1 files

Linux/linux 43e9ad0 Documentation/devicetree/bindings/phy qcom,sc8280xp-qmp-ufs-phy.yaml, Documentation/devicetree/bindings/ufs qcom,sm8650-ufshc.yaml

Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi

Pull SCSI fixes from James Bottomley:
 "All driver fixes. The big change is the storvsc one to rejig the
  hyper-v channel handling to be more efficient for SMP virtual
  machines"

* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
  scsi: ufs: phy: dt-bindings: Add QMP UFS PHY compatible for Kaanapali
  scsi: ufs: qcom: dt-bindings: Document the Kaanapali UFS controller
  scsi: libfc: Prevent integer overflow in fc_fcp_recv_data()
  scsi: qla4xxx: Fix typos in comments
  scsi: storvsc: Prefer returning channel with the same CPU as on the I/O issuing CPU
Delta      File
+46 -52    drivers/scsi/storvsc_drv.c
+4 -4      drivers/scsi/qla4xxx/ql4_os.c
+4 -0      Documentation/devicetree/bindings/phy/qcom,sc8280xp-qmp-ufs-phy.yaml
+1 -1      drivers/scsi/libfc/fc_fcp.c
+2 -0      Documentation/devicetree/bindings/ufs/qcom,sm8650-ufshc.yaml
+57 -57    5 files