Linux/linux d127176tools/testing/selftests/cachestat test_cachestat.c .gitignore

Merge tag 'linux_kselftest-fixes-6.18-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest

Pull kselftest fixes from Shuah Khan:
 "Fix build warning in cachestat found during clang build and add
  tmpshmcstat to .gitignore"

* tag 'linux_kselftest-fixes-6.18-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest:
  selftests: cachestat: Fix warning on declaration under label
  selftests/cachestat: add tmpshmcstat file to .gitignore
DeltaFile
+2-2tools/testing/selftests/cachestat/test_cachestat.c
+1-0tools/testing/selftests/cachestat/.gitignore
+3-22 files

Linux/linux 1806838. MAINTAINERS .mailmap, lib/kunit test.c kunit-test.c

Merge tag 'linux_kselftest-kunit-fixes-6.18-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest

Pull kunit fixes from Shuah Khan:
 "Fix log overwrite in param_tests and fixes incorrect cast of priv
  pointer in test_dev_action().

  Update email address for Rae Moar in MAINTAINERS KUnit entry"

* tag 'linux_kselftest-kunit-fixes-6.18-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest:
  MAINTAINERS: Update KUnit email address for Rae Moar
  kunit: prevent log overwrite in param_tests
  kunit: test_dev_action: Correctly cast 'priv' pointer to long*
DeltaFile
+2-1lib/kunit/test.c
+1-1lib/kunit/kunit-test.c
+1-1MAINTAINERS
+1-0.mailmap
+5-34 files

Linux/linux a5355e9drivers/acpi fan_core.c fan_hwmon.c

Merge tag 'acpi-6.18-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

Pull ACPI fixes from Rafael Wysocki:
 "These fix three ACPI driver issues and add version checks to two ACPI
  table parsers:

   - Call input_free_device() on failing input device registration as
     necessary (and mentioned in the input subsystem documentation) in
     the ACPI button driver (Kaushlendra Kumar)

   - Fix use-after-free in acpi_video_switch_brightness() by canceling a
     delayed work during tear-down (Yuhao Jiang)

   - Use platform device for devres-related actions in the ACPI fan
     driver to allow device-managed resources to be cleaned up properly
     (Armin Wolf)

   - Add version checks to the MRRM and SPCR table parsers (Tony Luck
     and Punit Agrawal)"

    [8 lines not shown]
DeltaFile
+23-13drivers/acpi/fan_core.c
+5-6drivers/acpi/fan_hwmon.c
+4-3drivers/acpi/fan.h
+3-1drivers/acpi/acpi_video.c
+3-1drivers/acpi/button.c
+3-0drivers/acpi/acpi_mrrm.c
+41-242 files not shown
+43-268 files

Linux/linux a5dbbb3drivers/cpuidle/governors menu.c, kernel/power main.c hibernate.c

Merge tag 'pm-6.18-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

Pull power management fixes from Rafael Wysocki:
 "These fix three regressions, two recent ones and one introduced during
  the 6.17 development cycle:

   - Add an exit latency check to the menu cpuidle governor in the case
     when it considers using a real idle state instead of a polling one
     to address a performance regression (Rafael Wysocki)

   - Revert an attempted cleanup of a system suspend code path that
     introduced a regression elsewhere (Samuel Wu)

   - Allow pm_restrict_gfp_mask() to be called multiple times in a row
     and adjust pm_restore_gfp_mask() accordingly to avoid having to
     play nasty games with these calls during hibernation (Rafael
     Wysocki)"

* tag 'pm-6.18-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:

    [3 lines not shown]
DeltaFile
+17-5kernel/power/main.c
+5-2drivers/cpuidle/governors/menu.c
+0-4kernel/power/hibernate.c
+0-1kernel/power/suspend.c
+1-0kernel/power/process.c
+23-125 files

Linux/linux a4819acdrivers/video/fbdev pvr2fb.c valkyriefb.c, drivers/video/fbdev/aty atyfb_base.c

Merge tag 'fbdev-for-6.18-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/linux-fbdev

Pull fbdev fixes from Helge Deller:

 - atyfb: Avoid hard lock up when PLL not initialized (Daniel Palmer)

 - pvr2fb: Fix build error when CONFIG_PVR2_DMA enabled (Florian Fuchs)

 - bitblit: Fix out-of-bounds read in bit_putcs* (Junjie Cao)

 - valkyriefb: Fix reference count leak (Miaoqian Lin)

 - fbcon: Fix slab-use-after-free in fb_mode_is_equal (Quanmin Yan)

 - fb.h: Fix typo in "vertical" (Piyush Choudhary)

* tag 'fbdev-for-6.18-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/linux-fbdev:
  fbdev: atyfb: Check if pll_ops->init_pll failed
  fbcon: Set fb_display[i]->mode to NULL when the mode is released

    [4 lines not shown]
DeltaFile
+19-0drivers/video/fbdev/core/fbcon.c
+12-4drivers/video/fbdev/core/bitblit.c
+6-2drivers/video/fbdev/aty/atyfb_base.c
+1-1include/uapi/linux/fb.h
+1-1drivers/video/fbdev/pvr2fb.c
+2-0drivers/video/fbdev/valkyriefb.c
+41-82 files not shown
+44-88 files

Linux/linux e576349drivers/dpll dpll_netlink.c, drivers/net/ethernet/intel/ice ice_common.c

Merge tag 'net-6.18-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

Pull networking fixes from Paolo Abeni:
 "Including fixes from wireless, Bluetooth and netfilter.

  Current release - regressions:

    - tcp: fix too slow tcp_rcvbuf_grow() action

    - bluetooth: fix corruption in h4_recv_buf() after cleanup

  Previous releases - regressions:

    - mptcp: restore window probe

    - bluetooth:
       - fix connection cleanup with BIG with 2 or more BIS
       - fix crash in set_mesh_sync and set_mesh_complete


    [45 lines not shown]
DeltaFile
+53-30net/mptcp/protocol.c
+48-6drivers/net/wireless/ath/ath11k/core.c
+35-6drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_rx.c
+20-16drivers/dpll/dpll_netlink.c
+33-2drivers/net/ethernet/intel/ice/ice_common.c
+18-16drivers/net/wireless/ath/ath12k/mac.c
+207-7690 files not shown
+598-28696 files

Linux/linux 8907226drivers/acpi fan_core.c fan_hwmon.c

Merge branches 'acpi-button', 'acpi-video' and 'acpi-fan'

Merge ACPI button, ACPI backlight (video), and ACPI fan driver fixes for
6.18-rc4:

 - Call input_free_device() on failing input device registration as
   necessary (and mentioned in the input subsystem documentation) in the
   ACPI button driver (Kaushlendra Kumar)

 - Fix use-after-free in acpi_video_switch_brightness() by canceling
   a delayed work during tear-down (Yuhao Jiang)

 - Use platform device for devres-related actions in the ACPI fan driver
   to allow device-managed resources to be cleaned up properly (Armin
   Wolf)

* acpi-button:
  ACPI: button: Call input_free_device() on failing input device registration


    [6 lines not shown]
DeltaFile
+23-13drivers/acpi/fan_core.c
+5-6drivers/acpi/fan_hwmon.c
+4-3drivers/acpi/fan.h
+3-1drivers/acpi/button.c
+3-1drivers/acpi/acpi_video.c
+1-1drivers/acpi/fan_attr.c
+39-256 files

Linux/linux 590c5cdkernel/power main.c hibernate.c

Merge branches 'pm-cpuidle' and 'pm-sleep'

Merge a cpuidle fix and two fixes related to system sleep for 6.18-rc4:

 - Add an exit latency check to the menu cpuidle governor in the case
   when it considers using a real idle state instead of a polling one to
   address a performance regression (Rafael Wysocki)

 - Revert an attempted cleanup of a system suspend code path that
   introduced a regression elsewhere (Samuel Wu)

 - Allow pm_restrict_gfp_mask() to be called multiple times in a row
   and adjust pm_restore_gfp_mask() accordingly to avoid having to play
   nasty games with these calls during hibernation (Rafael Wysocki)

* pm-cpuidle:
  cpuidle: governors: menu: Select polling state in some more cases

* pm-sleep:

    [2 lines not shown]
DeltaFile
+17-5kernel/power/main.c
+0-4kernel/power/hibernate.c
+1-0kernel/power/process.c
+0-1kernel/power/suspend.c
+18-104 files

Linux/linux 51e5ad5net/sctp input.c

net: sctp: fix KMSAN uninit-value in sctp_inq_pop

Fix an issue detected by syzbot:

KMSAN reported an uninitialized-value access in sctp_inq_pop
BUG: KMSAN: uninit-value in sctp_inq_pop

The issue is actually caused by skb trimming via sk_filter() in sctp_rcv().
In the reproducer, skb->len becomes 1 after sk_filter(), which bypassed the
original check:

        if (skb->len < sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr) +
                       skb_transport_offset(skb))
To handle this safely, a new check should be performed after sk_filter().

Reported-by: syzbot+d101e12bccd4095460e7 at syzkaller.appspotmail.com
Tested-by: syzbot+d101e12bccd4095460e7 at syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d101e12bccd4095460e7
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")

    [6 lines not shown]
DeltaFile
+1-1net/sctp/input.c
+1-11 files

Linux/linux 6a2108cnet/core devmem.c

net: devmem: refresh devmem TX dst in case of route invalidation

The zero-copy Device Memory (Devmem) transmit path
relies on the socket's route cache (`dst_entry`) to
validate that the packet is being sent via the network
device to which the DMA buffer was bound.

However, this check incorrectly fails and returns `-ENODEV`
if the socket's route cache entry (`dst`) is merely missing
or expired (`dst == NULL`). This scenario is observed during
network events, such as when flow steering rules are deleted,
leading to a temporary route cache invalidation.

This patch fixes -ENODEV error for `net_devmem_get_binding()`
by doing the following:

1.  It attempts to rebuild the route via `rebuild_header()`
if the route is initially missing (`dst == NULL`). This
allows the TCP/IP stack to recover from transient route

    [22 lines not shown]
DeltaFile
+24-3net/core/devmem.c
+24-31 files

Linux/linux a38eeecdrivers/net/ethernet/stmicro/stmmac stmmac_main.c stmmac_tc.c

Merge branch 'net-stmmac-fixes-for-stmmac-tx-vlan-insert-and-est'

Rohan G Thomas says:

====================
net: stmmac: Fixes for stmmac Tx VLAN insert and EST

This patchset includes following fixes for stmmac Tx VLAN insert and
EST implementations:
   1. Disable STAG insertion offloading, as DWMAC IPs doesn't support
      offload of STAG for double VLAN packets and CTAG for single VLAN
      packets when using the same register configuration. The current
      configuration in the driver is undocumented and is adding an
      additional 802.1Q tag with VLAN ID 0 for double VLAN packets.
   2. Consider Tx VLAN offload tag length for maxSDU estimation.
   3. Fix GCL bounds check
====================

Link: https://patch.msgid.link/20251028-qbv-fixes-v4-0-26481c7634e3@altera.com
Signed-off-by: Jakub Kicinski <kuba at kernel.org>
DeltaFile
+14-18drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+2-2drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c
+1-1drivers/net/ethernet/stmicro/stmmac/stmmac_vlan.c
+17-213 files

Linux/linux 48b2e32drivers/net/ethernet/stmicro/stmmac stmmac_tc.c

net: stmmac: est: Fix GCL bounds checks

Fix the bounds checks for the hw supported maximum GCL entry
count and gate interval time.

Fixes: b60189e0392f ("net: stmmac: Integrate EST with TAPRIO scheduler API")
Signed-off-by: Rohan G Thomas <rohan.g.thomas at altera.com>
Reviewed-by: Matthew Gerlach <matthew.gerlach at altera.com>
Link: https://patch.msgid.link/20251028-qbv-fixes-v4-3-26481c7634e3@altera.com
Signed-off-by: Jakub Kicinski <kuba at kernel.org>
DeltaFile
+2-2drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c
+2-21 files

Linux/linux c657f86drivers/net/ethernet/stmicro/stmmac stmmac_main.c stmmac_vlan.c

net: stmmac: vlan: Disable 802.1AD tag insertion offload

The DWMAC IP's VLAN tag insertion offload does not support inserting
STAG (802.1AD) and CTAG (802.1Q) types in bytes 13 and 14 using the
same MAC_VLAN_Incl and MAC_VLAN_Inner_Incl register configurations.

Currently, MAC_VLAN_Incl is configured to offload only STAG type
insertion. However, the DWMAC IP inserts a CTAG type when the inner
VLAN ID field of the descriptor is not configured, and a STAG type
when it is configured. This behavior is not documented and leads to
inconsistent double VLAN tagging.

Additionally, an unexpected CTAG with VLAN ID 0 is inserted, resulting
in frames like:

Frame 1: 110 bytes on wire (880 bits), 110 bytes captured (880 bits)
Ethernet II, Src: <src> (<src>), Dst: <dst> (<dst>)
IEEE 802.1ad, ID: 100
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 0 (unexpected)

    [18 lines not shown]
DeltaFile
+4-14drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+1-1drivers/net/ethernet/stmicro/stmmac/stmmac_vlan.c
+5-152 files

Linux/linux ded9813drivers/net/ethernet/stmicro/stmmac stmmac_main.c

net: stmmac: Consider Tx VLAN offload tag length for maxSDU

Queue maxSDU requirement of 802.1 Qbv standard requires mac to drop
packets that exceeds maxSDU length and maxSDU doesn't include
preamble, destination and source address, or FCS but includes
ethernet type and VLAN header.

On hardware with Tx VLAN offload enabled, VLAN header length is not
included in the skb->len, when Tx VLAN offload is requested. This
leads to incorrect length checks and allows transmission of
oversized packets. Add the VLAN_HLEN to the skb->len before checking
the Qbv maxSDU if Tx VLAN offload is requested for the packet.

Fixes: c5c3e1bfc9e0 ("net: stmmac: Offload queueMaxSDU from tc-taprio")
Signed-off-by: Rohan G Thomas <rohan.g.thomas at altera.com>
Reviewed-by: Matthew Gerlach <matthew.gerlach at altera.com>
Link: https://patch.msgid.link/20251028-qbv-fixes-v4-2-26481c7634e3@altera.com
Signed-off-by: Jakub Kicinski <kuba at kernel.org>
DeltaFile
+10-4drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+10-41 files

Linux/linux 0dd1be4drivers/net/ethernet/mellanox/mlx5/core en_rx.c, drivers/net/ethernet/mellanox/mlx5/core/en_accel ktls_rx.c ktls_txrx.h

Merge branch 'tls-introduce-and-use-rx-async-resync-request-cancel-function'

Tariq Toukan says:

====================
tls: Introduce and use RX async resync request cancel function

This series by Shahar introduces RX async resync request cancel function
in tls module, and uses it in mlx5e driver.

For a device-offloaded TLS RX connection, the TLS module increments
rcd_delta each time a new TLS record is received, tracking the distance
from the original resync request. In the meanwhile, the device is
queried and is expected to respond, asynchronously.

However, if the device response is delayed or fails (e.g due to unstable
connection and device getting out of tracking, hardware errors, resource
exhaustion etc.), the TLS module keeps logging and incrementing
rcd_delta, which can lead to a WARN() when rcd_delta exceeds the

    [8 lines not shown]
DeltaFile
+35-6drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_rx.c
+13-12include/net/tls.h
+4-0drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_txrx.h
+4-0drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
+3-1net/tls/tls_device.c
+59-195 files

Linux/linux c15d5c6include/net tls.h, net/tls tls_device.c

net: tls: Cancel RX async resync request on rcd_delta overflow

When a netdev issues a RX async resync request for a TLS connection,
the TLS module handles it by logging record headers and attempting to
match them to the tcp_sn provided by the device. If a match is found,
the TLS module approves the tcp_sn for resynchronization.

While waiting for a device response, the TLS module also increments
rcd_delta each time a new TLS record is received, tracking the distance
from the original resync request.

However, if the device response is delayed or fails (e.g due to
unstable connection and device getting out of tracking, hardware
errors, resource exhaustion etc.), the TLS module keeps logging and
incrementing, which can lead to a WARN() when rcd_delta exceeds the
threshold.

To address this, introduce tls_offload_rx_resync_async_request_cancel()
to explicitly cancel resync requests when a device response failure is

    [9 lines not shown]
DeltaFile
+6-0include/net/tls.h
+3-1net/tls/tls_device.c
+9-12 files

Linux/linux 426e9dadrivers/net/ethernet/mellanox/mlx5/core en_rx.c, drivers/net/ethernet/mellanox/mlx5/core/en_accel ktls_rx.c ktls_txrx.h

net/mlx5e: kTLS, Cancel RX async resync request in error flows

When device loses track of TLS records, it attempts to resync by
monitoring records and requests an asynchronous resynchronization
from software for this TLS connection.

The TLS module handles such device RX resync requests by logging record
headers and comparing them with the record tcp_sn when provided by the
device. It also increments rcd_delta to track how far the current
record tcp_sn is from the tcp_sn of the original resync request.
If the device later responds with a matching tcp_sn, the TLS module
approves the tcp_sn for resync.

However, the device response may be delayed or never arrive,
particularly due to traffic-related issues such as packet drops or
reordering. In such cases, the TLS module remains unaware that resync
will not complete, and continues performing unnecessary work by logging
headers and incrementing rcd_delta, which can eventually exceed the
threshold and trigger a WARN(). For example, this was observed when the

    [14 lines not shown]
DeltaFile
+29-5drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_rx.c
+4-0drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_txrx.h
+4-0drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
+37-53 files

Linux/linux 34892cfdrivers/net/ethernet/mellanox/mlx5/core/en_accel ktls_rx.c, include/net tls.h

net: tls: Change async resync helpers argument

Update tls_offload_rx_resync_async_request_start() and
tls_offload_rx_resync_async_request_end() to get a struct
tls_offload_resync_async parameter directly, rather than
extracting it from struct sock.

This change aligns the function signatures with the upcoming
tls_offload_rx_resync_async_request_cancel() helper, which
will be introduced in a subsequent patch.

Signed-off-by: Shahar Shitrit <shshitrit at nvidia.com>
Reviewed-by: Sabrina Dubroca <sd at queasysnail.net>
Signed-off-by: Tariq Toukan <tariqt at nvidia.com>
Link: https://patch.msgid.link/1761508983-937977-2-git-send-email-tariqt@nvidia.com
Signed-off-by: Jakub Kicinski <kuba at kernel.org>
DeltaFile
+8-13include/net/tls.h
+7-2drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_rx.c
+15-152 files

Linux/linux e98cda7net/netfilter nft_ct.c nft_connlimit.c

Merge tag 'nf-25-10-29' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf

Florian Westphal says:

====================
netfilter: updates for net

1) its not possible to attach conntrack labels via ctnetlink
   unless one creates a dummy 'ct labels set' rule in nftables.
   This is an oversight, the 'ruleset tests presence, userspace
   (netlink) sets' use-case is valid and should 'just work'.
   Always broken since this got added in Linux 4.7.

2) nft_connlimit reads count value without holding the relevant
   lock, add a READ_ONCE annotation.  From Fernando Fernandez Mancera.

3) There is a long-standing bug (since 4.12) in nftables helper infra
   when NAT is in use: if the helper gets assigned after the nat binding
   was set up, we fail to initialise the 'seqadj' extension, which is

    [11 lines not shown]
DeltaFile
+27-3net/netfilter/nft_ct.c
+1-1net/netfilter/nft_connlimit.c
+28-42 files

Linux/linux 2985749drivers/net/phy dp83869.c

net: phy: dp83869: fix STRAP_OPMODE bitmask

According to the TI DP83869HM datasheet Revision D (June 2025), section
7.6.1.41 STRAP_STS Register, the STRAP_OPMODE bitmask is bit [11:9].
Fix this.

In case the PHY is auto-detected via PHY ID registers, or not described
in DT, or, in case the PHY is described in DT but the optional DT property
"ti,op-mode" is not present, then the driver reads out the PHY functional
mode (RGMII, SGMII, ...) from hardware straps.

Currently, all upstream users of this PHY specify both DT compatible string
"ethernet-phy-id2000.a0f1" and ti,op-mode = <DP83869_RGMII_COPPER_ETHERNET>
property, therefore it seems no upstream users are affected by this bug.

The driver currently interprets bits [2:0] of STRAP_STS register as PHY
functional mode. Those bits are controlled by ANEG_DIS, ANEGSEL_0 straps
and an always-zero reserved bit. Systems that use RGMII-to-Copper functional
mode are unlikely to disable auto-negotiation via ANEG_DIS strap, or change

    [19 lines not shown]
DeltaFile
+2-2drivers/net/phy/dp83869.c
+2-21 files

Linux/linux 9311e95tools/testing/selftests/net bareudp.sh

selftests: net: use BASH for bareudp testing

In bareudp.sh, this script uses /bin/sh and it will load another lib.sh
BASH script at the very beginning.

But on some operating systems like Ubuntu, /bin/sh is actually pointed to
DASH, thus it will try to run BASH commands with DASH and consequently
leads to syntax issues:
  # ./bareudp.sh: 4: ./lib.sh: Bad substitution
  # ./bareudp.sh: 5: ./lib.sh: source: not found
  # ./bareudp.sh: 24: ./lib.sh: Syntax error: "(" unexpected

Fix this by explicitly using BASH for bareudp.sh. This fixes test
execution failures on systems where /bin/sh is not BASH.

Reported-by: Edoardo Canepa <edoardo.canepa at canonical.com>
Link: https://bugs.launchpad.net/bugs/2129812
Signed-off-by: Po-Hsu Lin <po-hsu.lin at canonical.com>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel at intel.com>

    [2 lines not shown]
DeltaFile
+1-1tools/testing/selftests/net/bareudp.sh
+1-11 files

Linux/linux da2522ddrivers/net/mctp mctp-usb.c

net: mctp: Fix tx queue stall

The tx queue can become permanently stuck in a stopped state due to a
race condition between the URB submission path and its completion
callback.

The URB completion callback can run immediately after usb_submit_urb()
returns, before the submitting function calls netif_stop_queue(). If
this occurs, the queue state management becomes desynchronized, leading
to a stall where the queue is never woken.

Fix this by moving the netif_stop_queue() call to before submitting the
URB. This closes the race window by ensuring the network stack is aware
the queue is stopped before the URB completion can possibly run.

Fixes: 0791c0327a6e ("net: mctp: Add MCTP USB transport driver")
Signed-off-by: Jinliang Wang <jinliangw at google.com>
Acked-by: Jeremy Kerr <jk at codeconstruct.com.au>
Link: https://patch.msgid.link/20251027065530.2045724-1-jinliangw@google.com
Signed-off-by: Jakub Kicinski <kuba at kernel.org>
DeltaFile
+5-3drivers/net/mctp/mctp-usb.c
+5-31 files

Linux/linux 5311023drivers/net/ethernet/mellanox/mlx5/core eswitch_offloads.c, drivers/net/ethernet/mellanox/mlx5/core/esw legacy.c

net/mlx5: Don't zero user_count when destroying FDB tables

esw->user_count tracks how many TC rules are added on an esw via
mlx5e_configure_flower -> mlx5_esw_get -> atomic64_inc(&esw->user_count)

esw.user_count was unconditionally set to 0 in
esw_destroy_legacy_fdb_table and esw_destroy_offloads_fdb_tables.

These two together can lead to the following sequence of events:
1. echo 1 > /sys/class/net/eth2/device/sriov_numvfs
  - mlx5_core_sriov_configure -...-> esw_create_legacy_table ->
    atomic64_set(&esw->user_count, 0)
2. tc qdisc add dev eth2 ingress && \
   tc filter replace dev eth2 pref 1 protocol ip chain 0 ingress \
       handle 1 flower action ct nat zone 64000 pipe
  - mlx5e_configure_flower -> mlx5_esw_get ->
    atomic64_inc(&esw->user_count)
3. echo 0 > /sys/class/net/eth2/device/sriov_numvfs
  - mlx5_core_sriov_configure -..-> esw_destroy_legacy_fdb_table

    [22 lines not shown]
DeltaFile
+0-1drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
+0-1drivers/net/ethernet/mellanox/mlx5/core/esw/legacy.c
+0-22 files

Linux/linux dc89548drivers/net/usb asix_devices.c

net: usb: asix_devices: Check return value of usbnet_get_endpoints

The code did not check the return value of usbnet_get_endpoints.
Add checks and return the error if it fails to transfer the error.

Found via static anlaysis and this is similar to
commit 07161b2416f7 ("sr9800: Add check for usbnet_get_endpoints").

Fixes: 933a27d39e0e ("USB: asix - Add AX88178 support and many other changes")
Fixes: 2e55cc7210fe ("[PATCH] USB: usbnet (3/9) module for ASIX Ethernet adapters")
Cc: stable at vger.kernel.org
Signed-off-by: Miaoqian Lin <linmq006 at gmail.com>
Link: https://patch.msgid.link/20251026164318.57624-1-linmq006@gmail.com
Signed-off-by: Jakub Kicinski <kuba at kernel.org>
DeltaFile
+9-3drivers/net/usb/asix_devices.c
+9-31 files

Linux/linux ac345c5net/mptcp protocol.c protocol.h

Merge branch 'mptcp-various-rare-sending-issues'

Matthieu Baerts says:

====================
mptcp: various rare sending issues

Here are various fixes from Paolo, addressing very occasional issues on
the sending side:

- Patch 1: drop an optimisation that could lead to timeout in case of
  race conditions. A fix for up to v5.11.

- Patch 2: fix stream corruption under very specific conditions.
  A fix for up to v5.13.

- Patch 3: restore MPTCP-level zero window probe after a recent fix.
  A fix for up to v5.16.


    [6 lines not shown]
DeltaFile
+36-21net/mptcp/protocol.c
+1-1net/mptcp/protocol.h
+1-0net/mptcp/mib.h
+1-0net/mptcp/mib.c
+39-224 files

Linux/linux fe11dfanet/mptcp mib.h mib.c

mptcp: zero window probe mib

Explicitly account for MPTCP-level zero windows probe, to catch
hopefully earlier issues alike the one addressed by the previous
patch.

Reviewed-by: Mat Martineau <martineau at kernel.org>
Signed-off-by: Paolo Abeni <pabeni at redhat.com>
Tested-by: Geliang Tang <geliang at kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe at kernel.org>
Link: https://patch.msgid.link/20251028-net-mptcp-send-timeout-v1-4-38ffff5a9ec8@kernel.org
Signed-off-by: Jakub Kicinski <kuba at kernel.org>
DeltaFile
+1-0net/mptcp/mib.h
+1-0net/mptcp/mib.c
+1-0net/mptcp/protocol.c
+3-03 files

Linux/linux 8e04ce4net/mptcp protocol.c

mptcp: fix MSG_PEEK stream corruption

If a MSG_PEEK | MSG_WAITALL read operation consumes all the bytes in the
receive queue and recvmsg() need to waits for more data - i.e. it's a
blocking one - upon arrival of the next packet the MPTCP protocol will
start again copying the oldest data present in the receive queue,
corrupting the data stream.

Address the issue explicitly tracking the peeked sequence number,
restarting from the last peeked byte.

Fixes: ca4fb892579f ("mptcp: add MSG_PEEK support")
Cc: stable at vger.kernel.org
Signed-off-by: Paolo Abeni <pabeni at redhat.com>
Reviewed-by: Geliang Tang <geliang at kernel.org>
Tested-by: Geliang Tang <geliang at kernel.org>
Reviewed-by: Mat Martineau <martineau at kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe at kernel.org>
Link: https://patch.msgid.link/20251028-net-mptcp-send-timeout-v1-2-38ffff5a9ec8@kernel.org
Signed-off-by: Jakub Kicinski <kuba at kernel.org>
DeltaFile
+25-13net/mptcp/protocol.c
+25-131 files

Linux/linux a824084net/mptcp protocol.c

mptcp: restore window probe

Since commit 72377ab2d671 ("mptcp: more conservative check for zero
probes") the MPTCP-level zero window probe check is always disabled, as
the TCP-level write queue always contains at least the newly allocated
skb.

Refine the relevant check tacking in account that the above condition
and that such skb can have zero length.

Fixes: 72377ab2d671 ("mptcp: more conservative check for zero probes")
Cc: stable at vger.kernel.org
Reported-by: Geliang Tang <geliang at kernel.org>
Closes: https://lore.kernel.org/d0a814c364e744ca6b836ccd5b6e9146882e8d42.camel@kernel.org
Reviewed-by: Mat Martineau <martineau at kernel.org>
Signed-off-by: Paolo Abeni <pabeni at redhat.com>
Tested-by: Geliang Tang <geliang at kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe at kernel.org>
Link: https://patch.msgid.link/20251028-net-mptcp-send-timeout-v1-3-38ffff5a9ec8@kernel.org
Signed-off-by: Jakub Kicinski <kuba at kernel.org>
DeltaFile
+6-1net/mptcp/protocol.c
+6-11 files

Linux/linux 27b0e70net/mptcp protocol.c protocol.h

mptcp: drop bogus optimization in __mptcp_check_push()

Accessing the transmit queue without owning the msk socket lock is
inherently racy, hence __mptcp_check_push() could actually quit early
even when there is pending data.

That in turn could cause unexpected tx lock and timeout.

Dropping the early check avoids the race, implicitly relaying on later
tests under the relevant lock. With such change, all the other
mptcp_send_head() call sites are now under the msk socket lock and we
can additionally drop the now unneeded annotation on the transmit head
pointer accesses.

Fixes: 6e628cd3a8f7 ("mptcp: use mptcp release_cb for delayed tasks")
Cc: stable at vger.kernel.org
Signed-off-by: Paolo Abeni <pabeni at redhat.com>
Reviewed-by: Geliang Tang <geliang at kernel.org>
Tested-by: Geliang Tang <geliang at kernel.org>

    [4 lines not shown]
DeltaFile
+4-7net/mptcp/protocol.c
+1-1net/mptcp/protocol.h
+5-82 files

Linux/linux 00764aadrivers/net netconsole.c

netconsole: Fix race condition in between reader and writer of userdata

The update_userdata() function constructs the complete userdata string
in nt->extradata_complete and updates nt->userdata_length. This data
is then read by write_msg() and write_ext_msg() when sending netconsole
messages. However, update_userdata() was not holding target_list_lock
during this process, allowing concurrent message transmission to read
partially updated userdata.

This race condition could result in netconsole messages containing
incomplete or inconsistent userdata - for example, reading the old
userdata_length with new extradata_complete content, or vice versa,
leading to truncated or corrupted output.

Fix this by acquiring target_list_lock with spin_lock_irqsave() before
updating extradata_complete and userdata_length, and releasing it after
both fields are fully updated. This ensures that readers see a
consistent view of the userdata, preventing corruption during concurrent
access.

    [13 lines not shown]
DeltaFile
+13-8drivers/net/netconsole.c
+13-81 files