rpms/kernel
9
4
Fork 6
Code Issues Pull Requests Releases Activity

Recreate RHEL 6.12.0-211.18.1 from CS10/upstream backports

Browse Source 
Add the RHEL 211.17.1..211.18.1 backports (1162-1244) from centos-stream-10 and
upstream, on top of 211.16.1. Includes the lpfc 14.4.0.x revert batch and the
RHEL-only lpfc_nlp_get UAF guard. Bump to 211.18.1.
This commit is contained in:
Andrew Lukoshko 2026-06-07 00:04:03 +00:00
parent b3393f484c
commit b9d46fff46
84 changed files with 7190 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
1162-netfilter-nf-tables-release-flowtable-after-rcu-grace-period.patch Normal file
View File

@ -0,0 +1,46 @@
From 7e3955b282eae20d61c75e499c75eade51c20060 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Tue, 17 Mar 2026 20:00:26 +0100
Subject: [PATCH] netfilter: nf_tables: release flowtable after rcu grace
period on error
[ Upstream commit d73f4b53aaaea4c95f245e491aa5eeb8a21874ce ]
Call synchronize_rcu() after unregistering the hooks from error path,
since a hook that already refers to this flowtable can be already
registered, exposing this flowtable to packet path and nfnetlink_hook
control plane.
This error path is rare, it should only happen by reaching the maximum
number hooks or by failing to set up to hardware offload, just call
synchronize_rcu().
There is a check for already used device hooks by different flowtable
that could result in EEXIST at this late stage. The hook parser can be
updated to perform this check earlier to this error path really becomes
rarely exercised.
Uncovered by KASAN reported as use-after-free from nfnetlink_hook path
when dumping hooks.
Fixes: 3b49e2e94e6e ("netfilter: nf_tables: add flow table netlink frontend")
Reported-by: Yiming Qian <yimingqian591@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 0c12560e94f3..663c06413518 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -8966,6 +8966,7 @@ static int nf_tables_newflowtable(struct sk_buff *skb,
return 0;
err_flowtable_hooks:
+ synchronize_rcu();
nft_trans_destroy(trans);
err_flowtable_trans:
nft_hooks_destroy(&flowtable->hook_list);
--
2.50.1 (Apple Git-155)

38
1163-can-j1939-j1939-session-new-fix-skb-reference-counting.patch Normal file
View File

@ -0,0 +1,38 @@
From 68fceb143b635cdc59fed3896d5910aff38f345e Mon Sep 17 00:00:00 2001
From: Dmitry Antipov <dmantipov@yandex.ru>
Date: Tue, 5 Nov 2024 12:48:23 +0300
Subject: [PATCH] can: j1939: j1939_session_new(): fix skb reference counting
[ Upstream commit a8c695005bfe6569acd73d777ca298ddddd66105 ]
Since j1939_session_skb_queue() does an extra skb_get() for each new
skb, do the same for the initial one in j1939_session_new() to avoid
refcount underflow.
Reported-by: syzbot+d4e8dc385d9258220c31@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d4e8dc385d9258220c31
Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Tested-by: Oleksij Rempel <o.rempel@pengutronix.de>
Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
Link: https://patch.msgid.link/20241105094823.2403806-1-dmantipov@yandex.ru
[mkl: clean up commit message]
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c
index 319f47df3330..95f7a7e65a73 100644
--- a/net/can/j1939/transport.c
+++ b/net/can/j1939/transport.c
@@ -1505,7 +1505,7 @@ static struct j1939_session *j1939_session_new(struct j1939_priv *priv,
session->state = J1939_SESSION_NEW;
skb_queue_head_init(&session->skb_queue);
- skb_queue_tail(&session->skb_queue, skb);
+ skb_queue_tail(&session->skb_queue, skb_get(skb));
skcb = j1939_skb_to_cb(skb);
memcpy(&session->skcb, skcb, sizeof(session->skcb));
--
2.50.1 (Apple Git-155)

159
1164-ima-don-t-clear-ima-digsig-flag-when-setting-or-removing-non.patch Normal file
View File

@ -0,0 +1,159 @@
From 3c673dcebb6ae37885e3bf6960cac602bb0ae089 Mon Sep 17 00:00:00 2001
From: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
Date: Tue, 21 Apr 2026 10:10:02 +0000
Subject: [PATCH] ima: don't clear IMA_DIGSIG flag when setting or removing
non-IMA xattr
JIRA: https://redhat.atlassian.net/browse/RHEL-169737
CVE: CVE-2025-68183
commit 88b4cbcf6b041ae0f2fc8a34554a5b6a83a2b7cd
Author: Coiby Xu <coxu@redhat.com>
Date: Mon Sep 15 13:55:23 2025 +0800
ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr
Currently when both IMA and EVM are in fix mode, the IMA signature will
be reset to IMA hash if a program first stores IMA signature in
security.ima and then writes/removes some other security xattr for the
file.
For example, on Fedora, after booting the kernel with "ima_appraise=fix
evm=fix ima_policy=appraise_tcb" and installing rpm-plugin-ima,
installing/reinstalling a package will not make good reference IMA
signature generated. Instead IMA hash is generated,
# getfattr -m - -d -e hex /usr/bin/bash
# file: usr/bin/bash
security.ima=0x0404...
This happens because when setting security.selinux, the IMA_DIGSIG flag
that had been set early was cleared. As a result, IMA hash is generated
when the file is closed.
Similarly, IMA signature can be cleared on file close after removing
security xattr like security.evm or setting/removing ACL.
Prevent replacing the IMA file signature with a file hash, by preventing
the IMA_DIGSIG flag from being reset.
Here's a minimal C reproducer which sets security.selinux as the last
step which can also replaced by removing security.evm or setting ACL,
#include <stdio.h>
#include <sys/xattr.h>
#include <fcntl.h>
#include <unistd.h>
#include <string.h>
#include <stdlib.h>
int main() {
const char* file_path = "/usr/sbin/test_binary";
const char* hex_string = "030204d33204490066306402304";
int length = strlen(hex_string);
char* ima_attr_value;
int fd;
fd = open(file_path, O_WRONLY|O_CREAT|O_EXCL, 0644);
if (fd == -1) {
perror("Error opening file");
return 1;
}
ima_attr_value = (char*)malloc(length / 2 );
for (int i = 0, j = 0; i < length; i += 2, j++) {
sscanf(hex_string + i, "%2hhx", &ima_attr_value[j]);
}
if (fsetxattr(fd, "security.ima", ima_attr_value, length/2, 0) == -1) {
perror("Error setting extended attribute");
close(fd);
return 1;
}
const char* selinux_value= "system_u:object_r:bin_t:s0";
if (fsetxattr(fd, "security.selinux", selinux_value, strlen(selinux_value), 0) == -1) {
perror("Error setting extended attribute");
close(fd);
return 1;
}
close(fd);
return 0;
}
Signed-off-by: Coiby Xu <coxu@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 656c709b974f..f7770c24995b 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -671,6 +671,15 @@ static int ima_protect_xattr(struct dentry *dentry, const char *xattr_name,
return 0;
}
+/*
+ * ima_reset_appraise_flags - reset ima_iint_cache flags
+ *
+ * @digsig: whether to clear/set IMA_DIGSIG flag, tristate values
+ * 0: clear IMA_DIGSIG
+ * 1: set IMA_DIGSIG
+ * -1: don't change IMA_DIGSIG
+ *
+ */
static void ima_reset_appraise_flags(struct inode *inode, int digsig)
{
struct ima_iint_cache *iint;
@@ -683,9 +692,9 @@ static void ima_reset_appraise_flags(struct inode *inode, int digsig)
return;
iint->measured_pcrs = 0;
set_bit(IMA_CHANGE_XATTR, &iint->atomic_flags);
- if (digsig)
+ if (digsig == 1)
set_bit(IMA_DIGSIG, &iint->atomic_flags);
- else
+ else if (digsig == 0)
clear_bit(IMA_DIGSIG, &iint->atomic_flags);
}
@@ -771,6 +780,8 @@ static int ima_inode_setxattr(struct mnt_idmap *idmap, struct dentry *dentry,
digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG);
} else if (!strcmp(xattr_name, XATTR_NAME_EVM) && xattr_value_len > 0) {
digsig = (xvalue->type == EVM_XATTR_PORTABLE_DIGSIG);
+ } else {
+ digsig = -1;
}
if (result == 1 || evm_revalidate_status(xattr_name)) {
ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
@@ -784,7 +795,7 @@ static int ima_inode_set_acl(struct mnt_idmap *idmap, struct dentry *dentry,
const char *acl_name, struct posix_acl *kacl)
{
if (evm_revalidate_status(acl_name))
- ima_reset_appraise_flags(d_backing_inode(dentry), 0);
+ ima_reset_appraise_flags(d_backing_inode(dentry), -1);
return 0;
}
@@ -792,11 +803,13 @@ static int ima_inode_set_acl(struct mnt_idmap *idmap, struct dentry *dentry,
static int ima_inode_removexattr(struct mnt_idmap *idmap, struct dentry *dentry,
const char *xattr_name)
{
- int result;
+ int result, digsig = -1;
result = ima_protect_xattr(dentry, xattr_name, NULL, 0);
if (result == 1 || evm_revalidate_status(xattr_name)) {
- ima_reset_appraise_flags(d_backing_inode(dentry), 0);
+ if (!strcmp(xattr_name, XATTR_NAME_IMA))
+ digsig = 0;
+ ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
if (result == 1)
result = 0;
}
--
2.50.1 (Apple Git-155)

43
1165-netfilter-nf-conntrack-h323-check-for-zero-length-in-decodeq.patch Normal file
View File

@ -0,0 +1,43 @@
From 633e8f87dad32263f6a57dccdb873f042c062111 Mon Sep 17 00:00:00 2001
From: Jenny Guanni Qu <qguanni@gmail.com>
Date: Thu, 12 Mar 2026 14:49:50 +0000
Subject: [PATCH] netfilter: nf_conntrack_h323: check for zero length in
DecodeQ931()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
[ Upstream commit f173d0f4c0f689173f8cdac79991043a4a89bf66 ]
In DecodeQ931(), the UserUserIE code path reads a 16-bit length from
the packet, then decrements it by 1 to skip the protocol discriminator
byte before passing it to DecodeH323_UserInformation(). If the encoded
length is 0, the decrement wraps to -1, which is then passed as a
large value to the decoder, leading to an out-of-bounds read.
Add a check to ensure len is positive after the decrement.
Fixes: 5e35941d9901 ("[NETFILTER]: Add H.323 conntrack/NAT helper")
Reported-by: Klaudia Kloc <klaudia@vidocsecurity.com>
Reported-by: Dawid Moczadło <dawid@vidocsecurity.com>
Tested-by: Jenny Guanni Qu <qguanni@gmail.com>
Signed-off-by: Jenny Guanni Qu <qguanni@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c
index c972e9488e16..7b1497ed97d2 100644
--- a/net/netfilter/nf_conntrack_h323_asn1.c
+++ b/net/netfilter/nf_conntrack_h323_asn1.c
@@ -924,6 +924,8 @@ int DecodeQ931(unsigned char *buf, size_t sz, Q931 *q931)
break;
p++;
len--;
+ if (len <= 0)
+ break;
return DecodeH323_UserInformation(buf, p, len,
&q931->UUIE);
}
--
2.50.1 (Apple Git-155)

16
1166-revert-scsi-lpfc-update-lpfc-version-to-14-4-0-12.patch Normal file
View File

@ -0,0 +1,16 @@
Subject: [PATCH] Revert "scsi: lpfc: Update lpfc version to 14.4.0.12"
# reverse of cs10 14af547a198d243a0ef02f489884ffb113e8c54f
diff --git a/drivers/scsi/lpfc/lpfc_version.h b/drivers/scsi/lpfc/lpfc_version.h
index f3dada5bf7c1..31c3c5abdca6 100644
--- a/drivers/scsi/lpfc/lpfc_version.h
+++ b/drivers/scsi/lpfc/lpfc_version.h
@@ -20,7 +20,7 @@
* included with this package. *
*******************************************************************/
-#define LPFC_DRIVER_VERSION "14.4.0.12"
+#define LPFC_DRIVER_VERSION "14.4.0.11"
#define LPFC_DRIVER_NAME "lpfc"
/* Used for SLI 2/3 */

329
1167-revert-scsi-lpfc-add-capability-to-register-platform-name-id.patch Normal file
View File

@ -0,0 +1,329 @@
Subject: [PATCH] Revert "scsi: lpfc: Add capability to register Platform Name ID to fabric"
# reverse of cs10 71f3928a71657839d9362695e7446414fa25ebad
diff --git a/drivers/scsi/lpfc/lpfc.h b/drivers/scsi/lpfc/lpfc.h
index 8b6386e2e3a5..ad8f5dee23a3 100644
--- a/drivers/scsi/lpfc/lpfc.h
+++ b/drivers/scsi/lpfc/lpfc.h
@@ -634,7 +634,6 @@ struct lpfc_vport {
#define FC_CT_RSPN_ID 0x8 /* RSPN_ID accepted by switch */
#define FC_CT_RFT_ID 0x10 /* RFT_ID accepted by switch */
#define FC_CT_RPRT_DEFER 0x20 /* Defer issuing FDMI RPRT */
-#define FC_CT_RSPNI_PNI 0x40 /* RSPNI_PNI accepted by switch */
struct list_head fc_nodes;
spinlock_t fc_nodes_list_lock; /* spinlock for fc_nodes list */
@@ -1079,8 +1078,6 @@ struct lpfc_hba {
uint32_t nport_event_cnt; /* timestamp for nlplist entry */
- unsigned long pni; /* 64-bit Platform Name Identifier */
-
uint8_t wwnn[8];
uint8_t wwpn[8];
uint32_t RandomData[7];
diff --git a/drivers/scsi/lpfc/lpfc_ct.c b/drivers/scsi/lpfc/lpfc_ct.c
index 817b02901c9d..cc8af576f57c 100644
--- a/drivers/scsi/lpfc/lpfc_ct.c
+++ b/drivers/scsi/lpfc/lpfc_ct.c
@@ -1742,28 +1742,6 @@ lpfc_cmpl_ct_cmd_rsnn_nn(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb,
return;
}
-static void
-lpfc_cmpl_ct_cmd_rspni_pni(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb,
- struct lpfc_iocbq *rspiocb)
-{
- struct lpfc_vport *vport;
- struct lpfc_dmabuf *outp;
- struct lpfc_sli_ct_request *ctrsp;
- u32 ulp_status;
-
- vport = cmdiocb->vport;
- ulp_status = get_job_ulpstatus(phba, rspiocb);
-
- if (ulp_status == IOSTAT_SUCCESS) {
- outp = cmdiocb->rsp_dmabuf;
- ctrsp = (struct lpfc_sli_ct_request *)outp->virt;
- if (be16_to_cpu(ctrsp->CommandResponse.bits.CmdRsp) ==
- SLI_CT_RESPONSE_FS_ACC)
- vport->ct_flags |= FC_CT_RSPNI_PNI;
- }
- lpfc_cmpl_ct(phba, cmdiocb, rspiocb);
-}
-
static void
lpfc_cmpl_ct_cmd_da_id(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb,
struct lpfc_iocbq *rspiocb)
@@ -1978,8 +1956,6 @@ lpfc_ns_cmd(struct lpfc_vport *vport, int cmdcode,
bpl->tus.f.bdeSize = RSPN_REQUEST_SZ;
else if (cmdcode == SLI_CTNS_RSNN_NN)
bpl->tus.f.bdeSize = RSNN_REQUEST_SZ;
- else if (cmdcode == SLI_CTNS_RSPNI_PNI)
- bpl->tus.f.bdeSize = RSPNI_REQUEST_SZ;
else if (cmdcode == SLI_CTNS_DA_ID)
bpl->tus.f.bdeSize = DA_ID_REQUEST_SZ;
else if (cmdcode == SLI_CTNS_RFF_ID)
@@ -2101,18 +2077,6 @@ lpfc_ns_cmd(struct lpfc_vport *vport, int cmdcode,
CtReq->un.rsnn.symbname, size);
cmpl = lpfc_cmpl_ct_cmd_rsnn_nn;
break;
- case SLI_CTNS_RSPNI_PNI:
- vport->ct_flags &= ~FC_CT_RSPNI_PNI;
- CtReq->CommandResponse.bits.CmdRsp =
- cpu_to_be16(SLI_CTNS_RSPNI_PNI);
- CtReq->un.rspni.pni = cpu_to_be64(phba->pni);
- scnprintf(CtReq->un.rspni.symbname,
- sizeof(CtReq->un.rspni.symbname), "OS Host Name::%s",
- phba->os_host_name);
- CtReq->un.rspni.len = strnlen(CtReq->un.rspni.symbname,
- sizeof(CtReq->un.rspni.symbname));
- cmpl = lpfc_cmpl_ct_cmd_rspni_pni;
- break;
case SLI_CTNS_DA_ID:
/* Implement DA_ID Nameserver request */
CtReq->CommandResponse.bits.CmdRsp =
diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
index 009d72ed08b0..15c062c1566d 100644
--- a/drivers/scsi/lpfc/lpfc_els.c
+++ b/drivers/scsi/lpfc/lpfc_els.c
@@ -650,6 +650,8 @@ lpfc_cmpl_els_flogi_fabric(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp,
ndlp->nlp_class_sup |= FC_COS_CLASS2;
if (sp->cls3.classValid)
ndlp->nlp_class_sup |= FC_COS_CLASS3;
+ if (sp->cls4.classValid)
+ ndlp->nlp_class_sup |= FC_COS_CLASS4;
ndlp->nlp_maxframe = ((sp->cmn.bbRcvSizeMsb & 0x0F) << 8) |
sp->cmn.bbRcvSizeLsb;
@@ -1354,14 +1356,6 @@ lpfc_issue_els_flogi(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp,
/* Can't do SLI4 class2 without support sequence coalescing */
sp->cls2.classValid = 0;
sp->cls2.seqDelivery = 0;
-
- /* Fill out Auxiliary Parameter Data */
- if (phba->pni) {
- sp->aux.flags =
- AUX_PARM_DATA_VALID | AUX_PARM_PNI_VALID;
- sp->aux.pni = cpu_to_be64(phba->pni);
- sp->aux.npiv_cnt = cpu_to_be16(phba->max_vpi - 1);
- }
} else {
/* Historical, setting sequential-delivery bit for SLI3 */
sp->cls2.seqDelivery = (sp->cls2.classValid) ? 1 : 0;
@@ -5662,6 +5656,7 @@ lpfc_els_rsp_acc(struct lpfc_vport *vport, uint32_t flag,
sp->cls1.classValid = 0;
sp->cls2.classValid = 0;
sp->cls3.classValid = 0;
+ sp->cls4.classValid = 0;
/* Copy our worldwide names */
memcpy(&sp->portName, &vport->fc_sparam.portName,
@@ -11515,13 +11510,6 @@ lpfc_issue_els_fdisc(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp,
sp->cls2.seqDelivery = 1;
sp->cls3.seqDelivery = 1;
- /* Fill out Auxiliary Parameter Data */
- if (phba->pni) {
- sp->aux.flags =
- AUX_PARM_DATA_VALID | AUX_PARM_PNI_VALID;
- sp->aux.pni = cpu_to_be64(phba->pni);
- }
-
pcmd += sizeof(uint32_t); /* CSP Word 2 */
pcmd += sizeof(uint32_t); /* CSP Word 3 */
pcmd += sizeof(uint32_t); /* CSP Word 4 */
diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c
index d0bc07fd58e1..dcf78ea77a7d 100644
--- a/drivers/scsi/lpfc/lpfc_hbadisc.c
+++ b/drivers/scsi/lpfc/lpfc_hbadisc.c
@@ -4373,8 +4373,6 @@ lpfc_mbx_cmpl_ns_reg_login(struct lpfc_hba *phba, LPFC_MBOXQ_t *pmb)
lpfc_ns_cmd(vport, SLI_CTNS_RNN_ID, 0, 0);
lpfc_ns_cmd(vport, SLI_CTNS_RSNN_NN, 0, 0);
lpfc_ns_cmd(vport, SLI_CTNS_RSPN_ID, 0, 0);
- if (phba->pni)
- lpfc_ns_cmd(vport, SLI_CTNS_RSPNI_PNI, 0, 0);
lpfc_ns_cmd(vport, SLI_CTNS_RFT_ID, 0, 0);
if ((vport->cfg_enable_fc4_type == LPFC_ENABLE_BOTH) ||
diff --git a/drivers/scsi/lpfc/lpfc_hw.h b/drivers/scsi/lpfc/lpfc_hw.h
index b2e353590ebb..3bc0efa7453e 100644
--- a/drivers/scsi/lpfc/lpfc_hw.h
+++ b/drivers/scsi/lpfc/lpfc_hw.h
@@ -168,11 +168,6 @@ struct lpfc_sli_ct_request {
uint8_t len;
uint8_t symbname[255];
} rspn;
- struct rspni { /* For RSPNI_PNI requests */
- __be64 pni;
- u8 len;
- u8 symbname[255];
- } rspni;
struct gff {
uint32_t PortId;
} gff;
@@ -218,8 +213,6 @@ struct lpfc_sli_ct_request {
sizeof(struct da_id))
#define RSPN_REQUEST_SZ (offsetof(struct lpfc_sli_ct_request, un) + \
sizeof(struct rspn))
-#define RSPNI_REQUEST_SZ (offsetof(struct lpfc_sli_ct_request, un) + \
- sizeof(struct rspni))
/*
* FsType Definitions
@@ -316,7 +309,6 @@ struct lpfc_sli_ct_request {
#define SLI_CTNS_RIP_NN 0x0235
#define SLI_CTNS_RIPA_NN 0x0236
#define SLI_CTNS_RSNN_NN 0x0239
-#define SLI_CTNS_RSPNI_PNI 0x0240
#define SLI_CTNS_DA_ID 0x0300
/*
@@ -520,21 +512,6 @@ struct class_parms {
uint8_t word3Reserved2; /* Fc Word 3, bit 0: 7 */
};
-enum aux_parm_flags {
- AUX_PARM_PNI_VALID = 0x20, /* FC Word 0, bit 29 */
- AUX_PARM_DATA_VALID = 0x40, /* FC Word 0, bit 30 */
-};
-
-struct aux_parm {
- u8 flags; /* FC Word 0, bit 31:24 */
- u8 ext_feat[3]; /* FC Word 0, bit 23:0 */
-
- __be64 pni; /* FC Word 1 and 2, platform name identifier */
-
- __be16 rsvd; /* FC Word 3, bit 31:16 */
- __be16 npiv_cnt; /* FC Word 3, bit 15:0 */
-} __packed;
-
struct serv_parm { /* Structure is in Big Endian format */
struct csp cmn;
struct lpfc_name portName;
@@ -542,7 +519,7 @@ struct serv_parm { /* Structure is in Big Endian format */
struct class_parms cls1;
struct class_parms cls2;
struct class_parms cls3;
- struct aux_parm aux;
+ struct class_parms cls4;
union {
uint8_t vendorVersion[16];
struct {
diff --git a/drivers/scsi/lpfc/lpfc_nportdisc.c b/drivers/scsi/lpfc/lpfc_nportdisc.c
index 9e785bbf6785..e16370da3e45 100644
--- a/drivers/scsi/lpfc/lpfc_nportdisc.c
+++ b/drivers/scsi/lpfc/lpfc_nportdisc.c
@@ -432,6 +432,8 @@ lpfc_rcv_plogi(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp,
ndlp->nlp_class_sup |= FC_COS_CLASS2;
if (sp->cls3.classValid)
ndlp->nlp_class_sup |= FC_COS_CLASS3;
+ if (sp->cls4.classValid)
+ ndlp->nlp_class_sup |= FC_COS_CLASS4;
ndlp->nlp_maxframe =
((sp->cmn.bbRcvSizeMsb & 0x0F) << 8) | sp->cmn.bbRcvSizeLsb;
/* if already logged in, do implicit logout */
@@ -1415,6 +1417,8 @@ lpfc_cmpl_plogi_plogi_issue(struct lpfc_vport *vport,
ndlp->nlp_class_sup |= FC_COS_CLASS2;
if (sp->cls3.classValid)
ndlp->nlp_class_sup |= FC_COS_CLASS3;
+ if (sp->cls4.classValid)
+ ndlp->nlp_class_sup |= FC_COS_CLASS4;
ndlp->nlp_maxframe =
((sp->cmn.bbRcvSizeMsb & 0x0F) << 8) | sp->cmn.bbRcvSizeLsb;
diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
index a4ae0e5c0bfa..8b9fcd9c0d36 100644
--- a/drivers/scsi/lpfc/lpfc_sli.c
+++ b/drivers/scsi/lpfc/lpfc_sli.c
@@ -27,8 +27,6 @@
#include <linux/delay.h>
#include <linux/slab.h>
#include <linux/lockdep.h>
-#include <linux/dmi.h>
-#include <linux/of.h>
#include <scsi/scsi.h>
#include <scsi/scsi_cmnd.h>
@@ -8441,70 +8439,6 @@ lpfc_set_host_tm(struct lpfc_hba *phba)
return rc;
}
-/**
- * lpfc_get_platform_uuid - Attempts to extract a platform uuid
- * @phba: pointer to lpfc hba data structure.
- *
- * This routine attempts to first read SMBIOS DMI data for the System
- * Information structure offset 08h called System UUID. Else, no platform
- * UUID will be advertised.
- **/
-static void
-lpfc_get_platform_uuid(struct lpfc_hba *phba)
-{
- int rc;
- const char *uuid;
- char pni[17] = {0}; /* 16 characters + '\0' */
- bool is_ff = true, is_00 = true;
- u8 i;
-
- /* First attempt SMBIOS DMI */
- uuid = dmi_get_system_info(DMI_PRODUCT_UUID);
- if (uuid) {
- lpfc_printf_log(phba, KERN_INFO, LOG_INIT,
- "2088 SMBIOS UUID %s\n",
- uuid);
- } else {
- lpfc_printf_log(phba, KERN_INFO, LOG_INIT,
- "2099 Could not extract UUID\n");
- }
-
- if (uuid && uuid_is_valid(uuid)) {
- /* Generate PNI from UUID format.
- *
- * 1.) Extract lower 64 bits from UUID format.
- * 2.) Set 3h for NAA Locally Assigned Name Identifier format.
- *
- * e.g. xxxxxxxx-xxxx-xxxx-yyyy-yyyyyyyyyyyy
- *
- * extract the yyyy-yyyyyyyyyyyy portion
- * final PNI 3yyyyyyyyyyyyyyy
- */
- scnprintf(pni, sizeof(pni), "3%c%c%c%s",
- uuid[20], uuid[21], uuid[22], &uuid[24]);
-
- /* Sanitize the converted PNI */
- for (i = 1; i < 16 && (is_ff || is_00); i++) {
- if (pni[i] != '0')
- is_00 = false;
- if (pni[i] != 'f' && pni[i] != 'F')
- is_ff = false;
- }
-
- /* Convert from char* to unsigned long */
- rc = kstrtoul(pni, 16, &phba->pni);
- if (!rc && !is_ff && !is_00) {
- lpfc_printf_log(phba, KERN_INFO, LOG_INIT,
- "2100 PNI 0x%016lx\n", phba->pni);
- } else {
- lpfc_printf_log(phba, KERN_INFO, LOG_INIT,
- "2101 PNI %s generation status %d\n",
- pni, rc);
- phba->pni = 0;
- }
- }
-}
-
/**
* lpfc_sli4_hba_setup - SLI4 device initialization PCI function
* @phba: Pointer to HBA context object.
@@ -8588,10 +8522,6 @@ lpfc_sli4_hba_setup(struct lpfc_hba *phba)
clear_bit(HBA_FCOE_MODE, &phba->hba_flag);
}
- /* Obtain platform UUID, only for SLI4 FC adapters */
- if (!test_bit(HBA_FCOE_MODE, &phba->hba_flag))
- lpfc_get_platform_uuid(phba);
-
if (bf_get(lpfc_mbx_rd_rev_cee_ver, &mqe->un.read_rev) ==
LPFC_DCBX_CEE_MODE)
set_bit(HBA_FIP_SUPPORT, &phba->hba_flag);

27
1168-revert-scsi-lpfc-allow-support-for-bb-credit-recovery-in-poi.patch Normal file
View File

@ -0,0 +1,27 @@
Subject: [PATCH] Revert "scsi: lpfc: Allow support for BB credit recovery in point-to-point topology"
# reverse of cs10 db29ff738106f5cd68a5fd5299f937c124aaef2a
diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
index 15c062c1566d..ef6e4ee9b608 100644
--- a/drivers/scsi/lpfc/lpfc_els.c
+++ b/drivers/scsi/lpfc/lpfc_els.c
@@ -2279,8 +2279,7 @@ lpfc_issue_els_plogi(struct lpfc_vport *vport, uint32_t did, uint8_t retry)
sp->cmn.valid_vendor_ver_level = 0;
memset(sp->un.vendorVersion, 0, sizeof(sp->un.vendorVersion));
- if (!test_bit(FC_PT2PT, &vport->fc_flag))
- sp->cmn.bbRcvSizeMsb &= 0xF;
+ sp->cmn.bbRcvSizeMsb &= 0xF;
/* Check if the destination port supports VMID */
ndlp->vmid_support = 0;
@@ -5670,8 +5669,7 @@ lpfc_els_rsp_acc(struct lpfc_vport *vport, uint32_t flag,
sp->cmn.valid_vendor_ver_level = 0;
memset(sp->un.vendorVersion, 0,
sizeof(sp->un.vendorVersion));
- if (!test_bit(FC_PT2PT, &vport->fc_flag))
- sp->cmn.bbRcvSizeMsb &= 0xF;
+ sp->cmn.bbRcvSizeMsb &= 0xF;
/* If our firmware supports this feature, convey that
* info to the target using the vendor specific field.

101
1169-revert-scsi-lpfc-fix-reusing-an-ndlp-that-is-marked-nlp-drop.patch Normal file
View File

@ -0,0 +1,101 @@
Subject: [PATCH] Revert "scsi: lpfc: Fix reusing an ndlp that is marked NLP_DROPPED during FLOGI"
# reverse of cs10 a1229adf21035776936072b77d724e9e79cdf813
diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
index ef6e4ee9b608..f8df66009c35 100644
--- a/drivers/scsi/lpfc/lpfc_els.c
+++ b/drivers/scsi/lpfc/lpfc_els.c
@@ -934,15 +934,10 @@ lpfc_cmpl_els_flogi(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb,
/* Check to see if link went down during discovery */
if (lpfc_els_chk_latt(vport)) {
/* One additional decrement on node reference count to
- * trigger the release of the node. Make sure the ndlp
- * is marked NLP_DROPPED.
+ * trigger the release of the node
*/
- if (!test_bit(NLP_IN_DEV_LOSS, &ndlp->nlp_flag) &&
- !test_bit(NLP_DROPPED, &ndlp->nlp_flag) &&
- !(ndlp->fc4_xpt_flags & SCSI_XPT_REGD)) {
- set_bit(NLP_DROPPED, &ndlp->nlp_flag);
+ if (!(ndlp->fc4_xpt_flags & SCSI_XPT_REGD))
lpfc_nlp_put(ndlp);
- }
goto out;
}
@@ -1000,10 +995,9 @@ lpfc_cmpl_els_flogi(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb,
IOERR_LOOP_OPEN_FAILURE)))
lpfc_vlog_msg(vport, KERN_WARNING, LOG_ELS,
"2858 FLOGI Status:x%x/x%x TMO"
- ":x%x Data x%lx x%x x%lx x%x\n",
+ ":x%x Data x%lx x%x\n",
ulp_status, ulp_word4, tmo,
- phba->hba_flag, phba->fcf.fcf_flag,
- ndlp->nlp_flag, ndlp->fc4_xpt_flags);
+ phba->hba_flag, phba->fcf.fcf_flag);
/* Check for retry */
if (lpfc_els_retry(phba, cmdiocb, rspiocb)) {
@@ -1021,17 +1015,14 @@ lpfc_cmpl_els_flogi(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb,
* reference to trigger node release.
*/
if (!test_bit(NLP_IN_DEV_LOSS, &ndlp->nlp_flag) &&
- !test_bit(NLP_DROPPED, &ndlp->nlp_flag) &&
- !(ndlp->fc4_xpt_flags & SCSI_XPT_REGD)) {
- set_bit(NLP_DROPPED, &ndlp->nlp_flag);
+ !(ndlp->fc4_xpt_flags & SCSI_XPT_REGD))
lpfc_nlp_put(ndlp);
- }
lpfc_printf_vlog(vport, KERN_WARNING, LOG_ELS,
"0150 FLOGI Status:x%x/x%x "
- "xri x%x iotag x%x TMO:x%x refcnt %d\n",
+ "xri x%x TMO:x%x refcnt %d\n",
ulp_status, ulp_word4, cmdiocb->sli4_xritag,
- cmdiocb->iotag, tmo, kref_read(&ndlp->kref));
+ tmo, kref_read(&ndlp->kref));
/* If this is not a loop open failure, bail out */
if (!(ulp_status == IOSTAT_LOCAL_REJECT &&
@@ -1288,19 +1279,6 @@ lpfc_issue_els_flogi(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp,
uint32_t tmo, did;
int rc;
- /* It's possible for lpfc to reissue a FLOGI on an ndlp that is marked
- * NLP_DROPPED. This happens when the FLOGI completed with the XB bit
- * set causing lpfc to reference the ndlp until the XRI_ABORTED CQE is
- * issued. The time window for the XRI_ABORTED CQE can be as much as
- * 2*2*RA_TOV allowing for ndlp reuse of this type when the link is
- * cycling quickly. When true, restore the initial reference and remove
- * the NLP_DROPPED flag as lpfc is retrying.
- */
- if (test_and_clear_bit(NLP_DROPPED, &ndlp->nlp_flag)) {
- if (!lpfc_nlp_get(ndlp))
- return 1;
- }
-
cmdsize = (sizeof(uint32_t) + sizeof(struct serv_parm));
elsiocb = lpfc_prep_els_iocb(vport, 1, cmdsize, retry, ndlp,
ndlp->nlp_DID, ELS_CMD_FLOGI);
diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c
index dcf78ea77a7d..1510ed28f5a4 100644
--- a/drivers/scsi/lpfc/lpfc_hbadisc.c
+++ b/drivers/scsi/lpfc/lpfc_hbadisc.c
@@ -424,7 +424,6 @@ lpfc_check_nlp_post_devloss(struct lpfc_vport *vport,
struct lpfc_nodelist *ndlp)
{
if (test_and_clear_bit(NLP_IN_RECOV_POST_DEV_LOSS, &ndlp->save_flags)) {
- clear_bit(NLP_DROPPED, &ndlp->nlp_flag);
lpfc_nlp_get(ndlp);
lpfc_printf_vlog(vport, KERN_INFO, LOG_DISCOVERY | LOG_NODE,
"8438 Devloss timeout reversed on DID x%x "
@@ -567,8 +566,7 @@ lpfc_dev_loss_tmo_handler(struct lpfc_nodelist *ndlp)
return fcf_inuse;
}
- if (!test_and_set_bit(NLP_DROPPED, &ndlp->nlp_flag))
- lpfc_nlp_put(ndlp);
+ lpfc_nlp_put(ndlp);
return fcf_inuse;
}

231
1170-revert-scsi-lpfc-modify-kref-handling-for-fabric-controller-.patch Normal file
View File

@ -0,0 +1,231 @@
Subject: [PATCH] Revert "scsi: lpfc: Modify kref handling for Fabric Controller ndlps"
# reverse of cs10 4cdd701db602453946844b4900c2da8637acc343
diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
index f8df66009c35..fea93a585fc9 100644
--- a/drivers/scsi/lpfc/lpfc_els.c
+++ b/drivers/scsi/lpfc/lpfc_els.c
@@ -3390,21 +3390,11 @@ lpfc_cmpl_els_disc_cmd(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb,
lpfc_cmpl_els_edc(phba, cmdiocb, rspiocb);
return;
}
-
if (ulp_status) {
/* ELS discovery cmd completes with error */
lpfc_printf_vlog(vport, KERN_WARNING, LOG_ELS | LOG_CGN_MGMT,
"4203 ELS cmd x%x error: x%x x%X\n", cmd,
ulp_status, ulp_word4);
-
- /* In the case where the ELS cmd completes with an error and
- * the node does not have RPI registered, the node is
- * outstanding and should put its initial reference.
- */
- if ((cmd == ELS_CMD_SCR || cmd == ELS_CMD_RDF) &&
- !(ndlp->fc4_xpt_flags & SCSI_XPT_REGD) &&
- !test_and_set_bit(NLP_DROPPED, &ndlp->nlp_flag))
- lpfc_nlp_put(ndlp);
goto out;
}
@@ -3473,7 +3463,6 @@ lpfc_issue_els_scr(struct lpfc_vport *vport, uint8_t retry)
uint8_t *pcmd;
uint16_t cmdsize;
struct lpfc_nodelist *ndlp;
- bool node_created = false;
cmdsize = (sizeof(uint32_t) + sizeof(SCR));
@@ -3483,21 +3472,21 @@ lpfc_issue_els_scr(struct lpfc_vport *vport, uint8_t retry)
if (!ndlp)
return 1;
lpfc_enqueue_node(vport, ndlp);
- node_created = true;
}
elsiocb = lpfc_prep_els_iocb(vport, 1, cmdsize, retry, ndlp,
ndlp->nlp_DID, ELS_CMD_SCR);
if (!elsiocb)
- goto out_node_created;
+ return 1;
if (phba->sli_rev == LPFC_SLI_REV4) {
rc = lpfc_reg_fab_ctrl_node(vport, ndlp);
if (rc) {
+ lpfc_els_free_iocb(phba, elsiocb);
lpfc_printf_vlog(vport, KERN_ERR, LOG_NODE,
"0937 %s: Failed to reg fc node, rc %d\n",
__func__, rc);
- goto out_free_iocb;
+ return 1;
}
}
pcmd = (uint8_t *)elsiocb->cmd_dmabuf->virt;
@@ -3516,27 +3505,23 @@ lpfc_issue_els_scr(struct lpfc_vport *vport, uint8_t retry)
phba->fc_stat.elsXmitSCR++;
elsiocb->cmd_cmpl = lpfc_cmpl_els_disc_cmd;
elsiocb->ndlp = lpfc_nlp_get(ndlp);
- if (!elsiocb->ndlp)
- goto out_free_iocb;
+ if (!elsiocb->ndlp) {
+ lpfc_els_free_iocb(phba, elsiocb);
+ return 1;
+ }
lpfc_debugfs_disc_trc(vport, LPFC_DISC_TRC_ELS_CMD,
"Issue SCR: did:x%x refcnt %d",
ndlp->nlp_DID, kref_read(&ndlp->kref), 0);
rc = lpfc_sli_issue_iocb(phba, LPFC_ELS_RING, elsiocb, 0);
- if (rc == IOCB_ERROR)
- goto out_iocb_error;
+ if (rc == IOCB_ERROR) {
+ lpfc_els_free_iocb(phba, elsiocb);
+ lpfc_nlp_put(ndlp);
+ return 1;
+ }
return 0;
-
-out_iocb_error:
- lpfc_nlp_put(ndlp);
-out_free_iocb:
- lpfc_els_free_iocb(phba, elsiocb);
-out_node_created:
- if (node_created)
- lpfc_nlp_put(ndlp);
- return 1;
}
/**
@@ -3749,12 +3734,7 @@ lpfc_issue_els_farpr(struct lpfc_vport *vport, uint32_t nportid, uint8_t retry)
*
* Return code
* 0 - Successfully issued rdf command
- * < 0 - Failed to issue rdf command
- * -EACCES - RDF not required for NPIV_PORT
- * -ENODEV - No fabric controller device available
- * -ENOMEM - No available memory
- * -EIO - The mailbox failed to complete successfully.
- *
+ * 1 - Failed to issue rdf command
**/
int
lpfc_issue_els_rdf(struct lpfc_vport *vport, uint8_t retry)
@@ -3765,30 +3745,25 @@ lpfc_issue_els_rdf(struct lpfc_vport *vport, uint8_t retry)
struct lpfc_nodelist *ndlp;
uint16_t cmdsize;
int rc;
- bool node_created = false;
- int err;
cmdsize = sizeof(*prdf);
- /* RDF ELS is not required on an NPIV VN_Port. */
- if (vport->port_type == LPFC_NPIV_PORT)
- return -EACCES;
-
ndlp = lpfc_findnode_did(vport, Fabric_Cntl_DID);
if (!ndlp) {
ndlp = lpfc_nlp_init(vport, Fabric_Cntl_DID);
if (!ndlp)
return -ENODEV;
lpfc_enqueue_node(vport, ndlp);
- node_created = true;
}
+ /* RDF ELS is not required on an NPIV VN_Port. */
+ if (vport->port_type == LPFC_NPIV_PORT)
+ return -EACCES;
+
elsiocb = lpfc_prep_els_iocb(vport, 1, cmdsize, retry, ndlp,
ndlp->nlp_DID, ELS_CMD_RDF);
- if (!elsiocb) {
- err = -ENOMEM;
- goto out_node_created;
- }
+ if (!elsiocb)
+ return -ENOMEM;
/* Configure the payload for the supported FPIN events. */
prdf = (struct lpfc_els_rdf_req *)elsiocb->cmd_dmabuf->virt;
@@ -3814,8 +3789,8 @@ lpfc_issue_els_rdf(struct lpfc_vport *vport, uint8_t retry)
elsiocb->cmd_cmpl = lpfc_cmpl_els_disc_cmd;
elsiocb->ndlp = lpfc_nlp_get(ndlp);
if (!elsiocb->ndlp) {
- err = -EIO;
- goto out_free_iocb;
+ lpfc_els_free_iocb(phba, elsiocb);
+ return -EIO;
}
lpfc_debugfs_disc_trc(vport, LPFC_DISC_TRC_ELS_CMD,
@@ -3824,19 +3799,11 @@ lpfc_issue_els_rdf(struct lpfc_vport *vport, uint8_t retry)
rc = lpfc_sli_issue_iocb(phba, LPFC_ELS_RING, elsiocb, 0);
if (rc == IOCB_ERROR) {
- err = -EIO;
- goto out_iocb_error;
+ lpfc_els_free_iocb(phba, elsiocb);
+ lpfc_nlp_put(ndlp);
+ return -EIO;
}
return 0;
-
-out_iocb_error:
- lpfc_nlp_put(ndlp);
-out_free_iocb:
- lpfc_els_free_iocb(phba, elsiocb);
-out_node_created:
- if (node_created)
- lpfc_nlp_put(ndlp);
- return err;
}
/**
@@ -3857,23 +3824,19 @@ static int
lpfc_els_rcv_rdf(struct lpfc_vport *vport, struct lpfc_iocbq *cmdiocb,
struct lpfc_nodelist *ndlp)
{
- int rc;
-
- rc = lpfc_els_rsp_acc(vport, ELS_CMD_RDF, cmdiocb, ndlp, NULL);
/* Send LS_ACC */
- if (rc) {
+ if (lpfc_els_rsp_acc(vport, ELS_CMD_RDF, cmdiocb, ndlp, NULL)) {
lpfc_printf_vlog(vport, KERN_INFO, LOG_ELS | LOG_CGN_MGMT,
- "1623 Failed to RDF_ACC from x%x for x%x Data: %d\n",
- ndlp->nlp_DID, vport->fc_myDID, rc);
+ "1623 Failed to RDF_ACC from x%x for x%x\n",
+ ndlp->nlp_DID, vport->fc_myDID);
return -EIO;
}
- rc = lpfc_issue_els_rdf(vport, 0);
/* Issue new RDF for reregistering */
- if (rc) {
+ if (lpfc_issue_els_rdf(vport, 0)) {
lpfc_printf_vlog(vport, KERN_INFO, LOG_ELS | LOG_CGN_MGMT,
- "2623 Failed to re register RDF for x%x Data: %d\n",
- vport->fc_myDID, rc);
+ "2623 Failed to re register RDF for x%x\n",
+ vport->fc_myDID);
return -EIO;
}
diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c
index f9682ad0b888..e4f627eeb707 100644
--- a/drivers/scsi/lpfc/lpfc_init.c
+++ b/drivers/scsi/lpfc/lpfc_init.c
@@ -3057,6 +3057,12 @@ lpfc_cleanup(struct lpfc_vport *vport)
lpfc_vmid_vport_cleanup(vport);
list_for_each_entry_safe(ndlp, next_ndlp, &vport->fc_nodes, nlp_listp) {
+ if (ndlp->nlp_DID == Fabric_Cntl_DID &&
+ ndlp->nlp_state == NLP_STE_UNUSED_NODE) {
+ lpfc_nlp_put(ndlp);
+ continue;
+ }
+
/* Fabric Ports not in UNMAPPED state are cleaned up in the
* DEVICE_RM event.
*/

166
1171-revert-scsi-lpfc-fix-leaked-ndlp-krefs-when-in-point-to-poin.patch Normal file
View File

@ -0,0 +1,166 @@
Subject: [PATCH] Revert "scsi: lpfc: Fix leaked ndlp krefs when in point-to-point topology"
# reverse of cs10 6613865f84be09ec32bee8199827f6bc7f9a36b8
diff --git a/drivers/scsi/lpfc/lpfc.h b/drivers/scsi/lpfc/lpfc.h
index ad8f5dee23a3..a3d1ba92c07c 100644
--- a/drivers/scsi/lpfc/lpfc.h
+++ b/drivers/scsi/lpfc/lpfc.h
@@ -312,6 +312,7 @@ struct lpfc_defer_flogi_acc {
u16 rx_id;
u16 ox_id;
struct lpfc_nodelist *ndlp;
+
};
#define LPFC_VMID_TIMER 300 /* timer interval in seconds */
diff --git a/drivers/scsi/lpfc/lpfc_disc.h b/drivers/scsi/lpfc/lpfc_disc.h
index 51cb8571c049..3d47dc7458d1 100644
--- a/drivers/scsi/lpfc/lpfc_disc.h
+++ b/drivers/scsi/lpfc/lpfc_disc.h
@@ -1,7 +1,7 @@
/*******************************************************************
* This file is part of the Emulex Linux Device Driver for *
* Fibre Channel Host Bus Adapters. *
- * Copyright (C) 2017-2025 Broadcom. All Rights Reserved. The term *
+ * Copyright (C) 2017-2024 Broadcom. All Rights Reserved. The term *
* “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. *
* Copyright (C) 2004-2013 Emulex. All rights reserved. *
* EMULEX and SLI are trademarks of Emulex. *
@@ -208,7 +208,6 @@ enum lpfc_nlp_flag {
NPR list */
NLP_RM_DFLT_RPI = 26, /* need to remove leftover dflt RPI */
NLP_NODEV_REMOVE = 27, /* Defer removal till discovery ends */
- NLP_FLOGI_DFR_ACC = 28, /* FLOGI LS_ACC was Deferred */
NLP_SC_REQ = 29, /* Target requires authentication */
NLP_FIRSTBURST = 30, /* Target supports FirstBurst */
NLP_RPI_REGISTERED = 31 /* nlp_rpi is valid */
diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
index fea93a585fc9..79688e12bae2 100644
--- a/drivers/scsi/lpfc/lpfc_els.c
+++ b/drivers/scsi/lpfc/lpfc_els.c
@@ -1413,12 +1413,11 @@ lpfc_issue_els_flogi(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp,
phba->defer_flogi_acc.ox_id;
}
- /* The LS_ACC completion needs to drop the initial reference.
- * This is a special case for Pt2Pt because both FLOGIs need
- * to complete and lpfc defers the LS_ACC when the remote
- * FLOGI arrives before the driver's FLOGI.
- */
- set_bit(NLP_FLOGI_DFR_ACC, &ndlp->nlp_flag);
+ lpfc_printf_vlog(vport, KERN_INFO, LOG_ELS,
+ "3354 Xmit deferred FLOGI ACC: rx_id: x%x,"
+ " ox_id: x%x, hba_flag x%lx\n",
+ phba->defer_flogi_acc.rx_id,
+ phba->defer_flogi_acc.ox_id, phba->hba_flag);
/* Send deferred FLOGI ACC */
lpfc_els_rsp_acc(vport, ELS_CMD_FLOGI, &defer_flogi_acc,
@@ -1434,14 +1433,6 @@ lpfc_issue_els_flogi(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp,
phba->defer_flogi_acc.ndlp = NULL;
}
- lpfc_printf_vlog(vport, KERN_INFO, LOG_ELS,
- "3354 Xmit deferred FLOGI ACC: rx_id: x%x,"
- " ox_id: x%x, ndlp x%px hba_flag x%lx\n",
- phba->defer_flogi_acc.rx_id,
- phba->defer_flogi_acc.ox_id,
- phba->defer_flogi_acc.ndlp,
- phba->hba_flag);
-
vport->fc_myDID = did;
}
@@ -5310,12 +5301,11 @@ lpfc_cmpl_els_rsp(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb,
IOCB_t *irsp;
LPFC_MBOXQ_t *mbox = NULL;
u32 ulp_status, ulp_word4, tmo, did, iotag;
- u32 cmd;
if (!vport) {
lpfc_printf_log(phba, KERN_WARNING, LOG_ELS,
"3177 null vport in ELS rsp\n");
- goto release;
+ goto out;
}
if (cmdiocb->context_un.mbox)
mbox = cmdiocb->context_un.mbox;
@@ -5425,7 +5415,7 @@ lpfc_cmpl_els_rsp(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb,
* these conditions because it doesn't need the login.
*/
if (phba->sli_rev == LPFC_SLI_REV4 &&
- vport->port_type == LPFC_NPIV_PORT &&
+ vport && vport->port_type == LPFC_NPIV_PORT &&
!(ndlp->fc4_xpt_flags & SCSI_XPT_REGD)) {
if (ndlp->nlp_state != NLP_STE_PLOGI_ISSUE &&
ndlp->nlp_state != NLP_STE_REG_LOGIN_ISSUE &&
@@ -5441,27 +5431,6 @@ lpfc_cmpl_els_rsp(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb,
}
}
- /* The driver's unsolicited deferred FLOGI ACC in Pt2Pt needs to
- * release the initial reference because the put after the free_iocb
- * call removes only the reference from the defer logic. This FLOGI
- * is never registered with the SCSI transport.
- */
- if (test_bit(FC_PT2PT, &vport->fc_flag) &&
- test_and_clear_bit(NLP_FLOGI_DFR_ACC, &ndlp->nlp_flag)) {
- lpfc_printf_vlog(vport, KERN_INFO,
- LOG_ELS | LOG_NODE | LOG_DISCOVERY,
- "3357 Pt2Pt Defer FLOGI ACC ndlp x%px, "
- "nflags x%lx, fc_flag x%lx\n",
- ndlp, ndlp->nlp_flag,
- vport->fc_flag);
- cmd = *((u32 *)cmdiocb->cmd_dmabuf->virt);
- if (cmd == ELS_CMD_ACC) {
- if (!test_and_set_bit(NLP_DROPPED, &ndlp->nlp_flag))
- lpfc_nlp_put(ndlp);
- }
- }
-
-release:
/* Release the originating I/O reference. */
lpfc_els_free_iocb(phba, cmdiocb);
lpfc_nlp_put(ndlp);
@@ -8430,6 +8399,13 @@ lpfc_els_rcv_flogi(struct lpfc_vport *vport, struct lpfc_iocbq *cmdiocb,
&wqe->xmit_els_rsp.wqe_com);
vport->fc_myDID = did;
+
+ lpfc_printf_vlog(vport, KERN_INFO, LOG_ELS,
+ "3344 Deferring FLOGI ACC: rx_id: x%x,"
+ " ox_id: x%x, hba_flag x%lx\n",
+ phba->defer_flogi_acc.rx_id,
+ phba->defer_flogi_acc.ox_id, phba->hba_flag);
+
phba->defer_flogi_acc.flag = true;
/* This nlp_get is paired with nlp_puts that reset the
@@ -8438,14 +8414,6 @@ lpfc_els_rcv_flogi(struct lpfc_vport *vport, struct lpfc_iocbq *cmdiocb,
* processed or cancelled.
*/
phba->defer_flogi_acc.ndlp = lpfc_nlp_get(ndlp);
-
- lpfc_printf_vlog(vport, KERN_INFO, LOG_ELS,
- "3344 Deferring FLOGI ACC: rx_id: x%x,"
- " ox_id: x%x, ndlp x%px, hba_flag x%lx\n",
- phba->defer_flogi_acc.rx_id,
- phba->defer_flogi_acc.ox_id,
- phba->defer_flogi_acc.ndlp,
- phba->hba_flag);
return 0;
}
@@ -10386,8 +10354,11 @@ lpfc_els_unsol_buffer(struct lpfc_hba *phba, struct lpfc_sli_ring *pring,
* Do not process any unsolicited ELS commands
* if the ndlp is in DEV_LOSS
*/
- if (test_bit(NLP_IN_DEV_LOSS, &ndlp->nlp_flag))
+ if (test_bit(NLP_IN_DEV_LOSS, &ndlp->nlp_flag)) {
+ if (newnode)
+ lpfc_nlp_put(ndlp);
goto dropit;
+ }
elsiocb->ndlp = lpfc_nlp_get(ndlp);
if (!elsiocb->ndlp)

51
1172-revert-scsi-lpfc-ensure-unregistration-of-rpis-for-received-.patch Normal file
View File

@ -0,0 +1,51 @@
Subject: [PATCH] Revert "scsi: lpfc: Ensure unregistration of rpis for received PLOGIs"
# reverse of cs10 f695221fbfe2235768a0d33cce97523eb1d12399
diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
index 79688e12bae2..458b46374189 100644
--- a/drivers/scsi/lpfc/lpfc_els.c
+++ b/drivers/scsi/lpfc/lpfc_els.c
@@ -3263,7 +3263,7 @@ lpfc_reg_fab_ctrl_node(struct lpfc_vport *vport, struct lpfc_nodelist *fc_ndlp)
return -ENOMEM;
}
rc = lpfc_reg_rpi(phba, vport->vpi, fc_ndlp->nlp_DID,
- (u8 *)&ns_ndlp->fc_sparam, mbox, fc_ndlp->nlp_rpi);
+ (u8 *)&vport->fc_sparam, mbox, fc_ndlp->nlp_rpi);
if (rc) {
rc = -EACCES;
goto out;
diff --git a/drivers/scsi/lpfc/lpfc_nportdisc.c b/drivers/scsi/lpfc/lpfc_nportdisc.c
index e16370da3e45..99aefc54ac35 100644
--- a/drivers/scsi/lpfc/lpfc_nportdisc.c
+++ b/drivers/scsi/lpfc/lpfc_nportdisc.c
@@ -452,7 +452,18 @@ lpfc_rcv_plogi(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp,
*/
if (!(ndlp->nlp_type & NLP_FABRIC) &&
!(phba->nvmet_support)) {
- break;
+ /* Clear ndlp info, since follow up PRLI may have
+ * updated ndlp information
+ */
+ ndlp->nlp_type &= ~(NLP_FCP_TARGET | NLP_FCP_INITIATOR);
+ ndlp->nlp_type &= ~(NLP_NVME_TARGET | NLP_NVME_INITIATOR);
+ ndlp->nlp_fcp_info &= ~NLP_FCP_2_DEVICE;
+ ndlp->nlp_nvme_info &= ~NLP_NVME_NSLER;
+ clear_bit(NLP_FIRSTBURST, &ndlp->nlp_flag);
+
+ lpfc_els_rsp_acc(vport, ELS_CMD_PLOGI, cmdiocb,
+ ndlp, NULL);
+ return 1;
}
if (nlp_portwwn != 0 &&
nlp_portwwn != wwn_to_u64(sp->portName.u.wwn))
@@ -474,9 +485,7 @@ lpfc_rcv_plogi(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp,
lpfc_nlp_set_state(vport, ndlp, NLP_STE_NPR_NODE);
break;
}
- /* Clear ndlp info, since follow up processes may have
- * updated ndlp information
- */
+
ndlp->nlp_type &= ~(NLP_FCP_TARGET | NLP_FCP_INITIATOR);
ndlp->nlp_type &= ~(NLP_NVME_TARGET | NLP_NVME_INITIATOR);
ndlp->nlp_fcp_info &= ~NLP_FCP_2_DEVICE;

22
1173-revert-scsi-lpfc-remove-redundant-null-ptr-assignment-in-lpf.patch Normal file
View File

@ -0,0 +1,22 @@
Subject: [PATCH] Revert "scsi: lpfc: Remove redundant NULL ptr assignment in lpfc_els_free_iocb()"
# reverse of cs10 834ef5ff877b17409e754a04a433e05441938a3d
diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
index 458b46374189..073c4c69d646 100644
--- a/drivers/scsi/lpfc/lpfc_els.c
+++ b/drivers/scsi/lpfc/lpfc_els.c
@@ -5158,12 +5158,14 @@ lpfc_els_free_iocb(struct lpfc_hba *phba, struct lpfc_iocbq *elsiocb)
} else {
buf_ptr1 = elsiocb->cmd_dmabuf;
lpfc_els_free_data(phba, buf_ptr1);
+ elsiocb->cmd_dmabuf = NULL;
}
}
if (elsiocb->bpl_dmabuf) {
buf_ptr = elsiocb->bpl_dmabuf;
lpfc_els_free_bpl(phba, buf_ptr);
+ elsiocb->bpl_dmabuf = NULL;
}
lpfc_sli_release_iocbq(phba, elsiocb);
return 0;

104
1174-revert-scsi-lpfc-revise-discovery-related-function-headers-a.patch Normal file
View File

@ -0,0 +1,104 @@
Subject: [PATCH] Revert "scsi: lpfc: Revise discovery related function headers and comments"
# reverse of cs10 5e8d3ec786a04644f14f881e4017a450c305f786
diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
index 073c4c69d646..f9a08704b78e 100644
--- a/drivers/scsi/lpfc/lpfc_els.c
+++ b/drivers/scsi/lpfc/lpfc_els.c
@@ -3024,7 +3024,6 @@ lpfc_cmpl_els_logo(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb,
ndlp->nlp_DID, ulp_status,
ulp_word4);
- /* Call NLP_EVT_DEVICE_RM if link is down or LOGO is aborted */
if (lpfc_error_lost_link(vport, ulp_status, ulp_word4))
skip_recovery = 1;
}
@@ -3307,8 +3306,7 @@ lpfc_reg_fab_ctrl_node(struct lpfc_vport *vport, struct lpfc_nodelist *fc_ndlp)
*
* This routine is a generic completion callback function for Discovery ELS cmd.
* Currently used by the ELS command issuing routines for the ELS State Change
- * Request (SCR), lpfc_issue_els_scr(), Exchange Diagnostic Capabilities (EDC),
- * lpfc_issue_els_edc() and the ELS RDF, lpfc_issue_els_rdf().
+ * Request (SCR), lpfc_issue_els_scr() and the ELS RDF, lpfc_issue_els_rdf().
* These commands will be retried once only for ELS timeout errors.
**/
static void
@@ -3707,7 +3705,10 @@ lpfc_issue_els_farpr(struct lpfc_vport *vport, uint32_t nportid, uint8_t retry)
lpfc_nlp_put(ndlp);
return 1;
}
-
+ /* This will cause the callback-function lpfc_cmpl_els_cmd to
+ * trigger the release of the node.
+ */
+ /* Don't release reference count as RDF is likely outstanding */
return 0;
}
@@ -4298,7 +4299,7 @@ lpfc_issue_els_edc(struct lpfc_vport *vport, uint8_t retry)
rc = lpfc_sli_issue_iocb(phba, LPFC_ELS_RING, elsiocb, 0);
if (rc == IOCB_ERROR) {
/* The additional lpfc_nlp_put will cause the following
- * lpfc_els_free_iocb routine to trigger the release of
+ * lpfc_els_free_iocb routine to trigger the rlease of
* the node.
*/
lpfc_els_free_iocb(phba, elsiocb);
@@ -5125,7 +5126,7 @@ lpfc_els_free_iocb(struct lpfc_hba *phba, struct lpfc_iocbq *elsiocb)
{
struct lpfc_dmabuf *buf_ptr, *buf_ptr1;
- /* The I/O iocb is complete. Clear the node and first dmabuf */
+ /* The I/O iocb is complete. Clear the node and first dmbuf */
elsiocb->ndlp = NULL;
/* cmd_dmabuf = cmd, cmd_dmabuf->next = rsp, bpl_dmabuf = bpl */
@@ -8733,7 +8734,7 @@ lpfc_els_rcv_rls(struct lpfc_vport *vport, struct lpfc_iocbq *cmdiocb,
* @cmdiocb: pointer to lpfc command iocb data structure.
* @ndlp: pointer to a node-list data structure.
*
- * This routine processes Read Timeout Value (RTV) IOCB received as an
+ * This routine processes Read Timout Value (RTV) IOCB received as an
* ELS unsolicited event. It first checks the remote port state. If the
* remote port is not in NLP_STE_UNMAPPED_NODE state or NLP_STE_MAPPED_NODE
* state, it invokes the lpfc_els_rsl_reject() routine to send the reject
@@ -10842,7 +10843,7 @@ lpfc_els_unsol_event(struct lpfc_hba *phba, struct lpfc_sli_ring *pring,
lpfc_els_unsol_buffer(phba, pring, vport, elsiocb);
/*
* The different unsolicited event handlers would tell us
- * if they are done with "mp" by setting cmd_dmabuf/bpl_dmabuf to NULL.
+ * if they are done with "mp" by setting cmd_dmabuf to NULL.
*/
if (elsiocb->cmd_dmabuf) {
lpfc_in_buf_free(phba, elsiocb->cmd_dmabuf);
diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
index 8b9fcd9c0d36..08d16552c4b7 100644
--- a/drivers/scsi/lpfc/lpfc_sli.c
+++ b/drivers/scsi/lpfc/lpfc_sli.c
@@ -19857,15 +19857,13 @@ lpfc_sli4_remove_rpis(struct lpfc_hba *phba)
}
/**
- * lpfc_sli4_resume_rpi - Resume traffic relative to an RPI
+ * lpfc_sli4_resume_rpi - Remove the rpi bitmask region
* @ndlp: pointer to lpfc nodelist data structure.
* @cmpl: completion call-back.
* @iocbq: data to load as mbox ctx_u information
*
- * Return codes
- * 0 - successful
- * -ENOMEM - No available memory
- * -EIO - The mailbox failed to complete successfully.
+ * This routine is invoked to remove the memory region that
+ * provided rpi via a bitmask.
**/
int
lpfc_sli4_resume_rpi(struct lpfc_nodelist *ndlp,
@@ -19895,6 +19893,7 @@ lpfc_sli4_resume_rpi(struct lpfc_nodelist *ndlp,
return -EIO;
}
+ /* Post all rpi memory regions to the port. */
lpfc_resume_rpi(mboxq, ndlp);
if (cmpl) {
mboxq->mbox_cmpl = cmpl;

44
1175-revert-scsi-lpfc-update-various-npiv-diagnostic-log-messagin.patch Normal file
View File

@ -0,0 +1,44 @@
Subject: [PATCH] Revert "scsi: lpfc: Update various NPIV diagnostic log messaging"
# reverse of cs10 a4b8d188c3e27a0335f85a2cfb877d3f684df5c9
diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
index f9a08704b78e..9a20a08f4bd9 100644
--- a/drivers/scsi/lpfc/lpfc_els.c
+++ b/drivers/scsi/lpfc/lpfc_els.c
@@ -2367,7 +2367,7 @@ lpfc_cmpl_els_prli(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb,
mode = KERN_INFO;
/* Warn PRLI status */
- lpfc_vlog_msg(vport, mode, LOG_ELS,
+ lpfc_printf_vlog(vport, mode, LOG_ELS,
"2754 PRLI DID:%06X Status:x%x/x%x, "
"data: x%x x%x x%lx\n",
ndlp->nlp_DID, ulp_status,
@@ -3597,8 +3597,8 @@ lpfc_issue_els_rscn(struct lpfc_vport *vport, uint8_t retry)
}
lpfc_debugfs_disc_trc(vport, LPFC_DISC_TRC_ELS_CMD,
- "Issue RSCN: did:x%x refcnt %d",
- ndlp->nlp_DID, kref_read(&ndlp->kref), 0);
+ "Issue RSCN: did:x%x",
+ ndlp->nlp_DID, 0, 0);
rc = lpfc_sli_issue_iocb(phba, LPFC_ELS_RING, elsiocb, 0);
if (rc == IOCB_ERROR) {
diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c
index e4f627eeb707..fd4317b9484c 100644
--- a/drivers/scsi/lpfc/lpfc_init.c
+++ b/drivers/scsi/lpfc/lpfc_init.c
@@ -9082,9 +9082,9 @@ lpfc_setup_fdmi_mask(struct lpfc_vport *vport)
vport->fdmi_port_mask = LPFC_FDMI2_PORT_ATTR;
}
- lpfc_printf_vlog(vport, KERN_INFO, LOG_DISCOVERY,
- "6077 Setup FDMI mask: hba x%x port x%x\n",
- vport->fdmi_hba_mask, vport->fdmi_port_mask);
+ lpfc_printf_log(phba, KERN_INFO, LOG_DISCOVERY,
+ "6077 Setup FDMI mask: hba x%x port x%x\n",
+ vport->fdmi_hba_mask, vport->fdmi_port_mask);
}
/**

55
1176-revert-scsi-lpfc-copyright-updates-for-14-4-0-11-patches.patch Normal file
View File

@ -0,0 +1,55 @@
Subject: [PATCH] Revert "scsi: lpfc: Copyright updates for 14.4.0.11 patches"
# reverse of cs10 80c5e57a6da70af590e98e8e30455e83bd70d3a2
diff --git a/drivers/scsi/lpfc/lpfc.h b/drivers/scsi/lpfc/lpfc.h
index a3d1ba92c07c..426a0e8d5731 100644
--- a/drivers/scsi/lpfc/lpfc.h
+++ b/drivers/scsi/lpfc/lpfc.h
@@ -1,7 +1,7 @@
/*******************************************************************
* This file is part of the Emulex Linux Device Driver for *
* Fibre Channel Host Bus Adapters. *
- * Copyright (C) 2017-2025 Broadcom. All Rights Reserved. The term *
+ * Copyright (C) 2017-2024 Broadcom. All Rights Reserved. The term *
* “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. *
* Copyright (C) 2004-2016 Emulex. All rights reserved. *
* EMULEX and SLI are trademarks of Emulex. *
diff --git a/drivers/scsi/lpfc/lpfc_debugfs.h b/drivers/scsi/lpfc/lpfc_debugfs.h
index a1464f8ac331..566dd84e0677 100644
--- a/drivers/scsi/lpfc/lpfc_debugfs.h
+++ b/drivers/scsi/lpfc/lpfc_debugfs.h
@@ -1,7 +1,7 @@
/*******************************************************************
* This file is part of the Emulex Linux Device Driver for *
* Fibre Channel Host Bus Adapters. *
- * Copyright (C) 2017-2025 Broadcom. All Rights Reserved. The term *
+ * Copyright (C) 2017-2022 Broadcom. All Rights Reserved. The term *
* “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. *
* Copyright (C) 2007-2011 Emulex. All rights reserved. *
* EMULEX and SLI are trademarks of Emulex. *
diff --git a/drivers/scsi/lpfc/lpfc_hw.h b/drivers/scsi/lpfc/lpfc_hw.h
index 3bc0efa7453e..b287d39ad033 100644
--- a/drivers/scsi/lpfc/lpfc_hw.h
+++ b/drivers/scsi/lpfc/lpfc_hw.h
@@ -1,7 +1,7 @@
/*******************************************************************
* This file is part of the Emulex Linux Device Driver for *
* Fibre Channel Host Bus Adapters. *
- * Copyright (C) 2017-2025 Broadcom. All Rights Reserved. The term *
+ * Copyright (C) 2017-2024 Broadcom. All Rights Reserved. The term *
* “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. *
* Copyright (C) 2004-2016 Emulex. All rights reserved. *
* EMULEX and SLI are trademarks of Emulex. *
diff --git a/drivers/scsi/lpfc/lpfc_nportdisc.c b/drivers/scsi/lpfc/lpfc_nportdisc.c
index 99aefc54ac35..1e331b76dff4 100644
--- a/drivers/scsi/lpfc/lpfc_nportdisc.c
+++ b/drivers/scsi/lpfc/lpfc_nportdisc.c
@@ -1,7 +1,7 @@
/*******************************************************************
* This file is part of the Emulex Linux Device Driver for *
* Fibre Channel Host Bus Adapters. *
- * Copyright (C) 2017-2025 Broadcom. All Rights Reserved. The term *
+ * Copyright (C) 2017-2024 Broadcom. All Rights Reserved. The term *
* “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. *
* Copyright (C) 2004-2016 Emulex. All rights reserved. *
* EMULEX and SLI are trademarks of Emulex. *

16
1177-revert-scsi-lpfc-update-lpfc-version-to-14-4-0-11.patch Normal file
View File

@ -0,0 +1,16 @@
Subject: [PATCH] Revert "scsi: lpfc: Update lpfc version to 14.4.0.11"
# reverse of cs10 a34163398eef02a5c95e52c2be3e2025799273e7
diff --git a/drivers/scsi/lpfc/lpfc_version.h b/drivers/scsi/lpfc/lpfc_version.h
index 31c3c5abdca6..9ee3a3a4ec4d 100644
--- a/drivers/scsi/lpfc/lpfc_version.h
+++ b/drivers/scsi/lpfc/lpfc_version.h
@@ -20,7 +20,7 @@
* included with this package. *
*******************************************************************/
-#define LPFC_DRIVER_VERSION "14.4.0.11"
+#define LPFC_DRIVER_VERSION "14.4.0.10"
#define LPFC_DRIVER_NAME "lpfc"
/* Used for SLI 2/3 */

89
1178-revert-scsi-lpfc-convert-debugfs-directory-counts-from-atomi.patch Normal file
View File

@ -0,0 +1,89 @@
Subject: [PATCH] Revert "scsi: lpfc: Convert debugfs directory counts from atomic to unsigned int"
# reverse of cs10 91f7d8fdec311ec1d75aa4cc8d76ffd65da74689
diff --git a/drivers/scsi/lpfc/lpfc.h b/drivers/scsi/lpfc/lpfc.h
index 426a0e8d5731..1293d145b94e 100644
--- a/drivers/scsi/lpfc/lpfc.h
+++ b/drivers/scsi/lpfc/lpfc.h
@@ -1333,7 +1333,7 @@ struct lpfc_hba {
unsigned long last_ramp_down_time;
#ifdef CONFIG_SCSI_LPFC_DEBUG_FS
struct dentry *hba_debugfs_root;
- unsigned int debugfs_vport_count;
+ atomic_t debugfs_vport_count;
struct lpfc_debugfs_nvmeio_trc *nvmeio_trc;
atomic_t nvmeio_trc_cnt;
diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c
index 92b5b2dbe847..eaedbaff5a78 100644
--- a/drivers/scsi/lpfc/lpfc_debugfs.c
+++ b/drivers/scsi/lpfc/lpfc_debugfs.c
@@ -5752,7 +5752,7 @@ static const struct file_operations lpfc_debugfs_op_slow_ring_trc = {
};
static struct dentry *lpfc_debugfs_root = NULL;
-static unsigned int lpfc_debugfs_hba_count;
+static atomic_t lpfc_debugfs_hba_count;
/*
* File operations for the iDiag debugfs
@@ -6074,7 +6074,7 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport)
/* Setup lpfc root directory */
if (!lpfc_debugfs_root) {
lpfc_debugfs_root = debugfs_create_dir("lpfc", NULL);
- lpfc_debugfs_hba_count = 0;
+ atomic_set(&lpfc_debugfs_hba_count, 0);
if (IS_ERR(lpfc_debugfs_root)) {
lpfc_vlog_msg(vport, KERN_WARNING, LOG_INIT,
"0527 Cannot create debugfs lpfc\n");
@@ -6090,13 +6090,13 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport)
pport_setup = true;
phba->hba_debugfs_root =
debugfs_create_dir(name, lpfc_debugfs_root);
- phba->debugfs_vport_count = 0;
+ atomic_set(&phba->debugfs_vport_count, 0);
if (IS_ERR(phba->hba_debugfs_root)) {
lpfc_vlog_msg(vport, KERN_WARNING, LOG_INIT,
"0528 Cannot create debugfs %s\n", name);
return;
}
- lpfc_debugfs_hba_count++;
+ atomic_inc(&lpfc_debugfs_hba_count);
/* Multi-XRI pools */
debugfs_create_file("multixripools", 0644,
@@ -6268,7 +6268,7 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport)
"0529 Cannot create debugfs %s\n", name);
return;
}
- phba->debugfs_vport_count++;
+ atomic_inc(&phba->debugfs_vport_count);
}
if (lpfc_debugfs_max_disc_trc) {
@@ -6402,10 +6402,10 @@ lpfc_debugfs_terminate(struct lpfc_vport *vport)
if (vport->vport_debugfs_root) {
debugfs_remove(vport->vport_debugfs_root); /* vportX */
vport->vport_debugfs_root = NULL;
- phba->debugfs_vport_count--;
+ atomic_dec(&phba->debugfs_vport_count);
}
- if (!phba->debugfs_vport_count) {
+ if (atomic_read(&phba->debugfs_vport_count) == 0) {
kfree(phba->slow_ring_trc);
phba->slow_ring_trc = NULL;
@@ -6415,10 +6415,10 @@ lpfc_debugfs_terminate(struct lpfc_vport *vport)
if (phba->hba_debugfs_root) {
debugfs_remove(phba->hba_debugfs_root); /* fnX */
phba->hba_debugfs_root = NULL;
- lpfc_debugfs_hba_count--;
+ atomic_dec(&lpfc_debugfs_hba_count);
}
- if (!lpfc_debugfs_hba_count) {
+ if (atomic_read(&lpfc_debugfs_hba_count) == 0) {
debugfs_remove(lpfc_debugfs_root); /* lpfc */
lpfc_debugfs_root = NULL;
}

680
1179-revert-scsi-lpfc-clean-up-extraneous-phba-dentries.patch Normal file
View File

@ -0,0 +1,680 @@
Subject: [PATCH] Revert "scsi: lpfc: Clean up extraneous phba dentries"
# reverse of cs10 0602f03214fe3d617fa735dfdc7aace47c0d2f54
diff --git a/drivers/scsi/lpfc/lpfc.h b/drivers/scsi/lpfc/lpfc.h
index 1293d145b94e..9389e3def94e 100644
--- a/drivers/scsi/lpfc/lpfc.h
+++ b/drivers/scsi/lpfc/lpfc.h
@@ -742,6 +742,12 @@ struct lpfc_vport {
struct lpfc_vmid_priority_info vmid_priority;
#ifdef CONFIG_SCSI_LPFC_DEBUG_FS
+ struct dentry *debug_disc_trc;
+ struct dentry *debug_nodelist;
+ struct dentry *debug_nvmestat;
+ struct dentry *debug_scsistat;
+ struct dentry *debug_ioktime;
+ struct dentry *debug_hdwqstat;
struct dentry *vport_debugfs_root;
struct lpfc_debugfs_trc *disc_trc;
atomic_t disc_trc_cnt;
@@ -1334,8 +1340,29 @@ struct lpfc_hba {
#ifdef CONFIG_SCSI_LPFC_DEBUG_FS
struct dentry *hba_debugfs_root;
atomic_t debugfs_vport_count;
-
+ struct dentry *debug_multixri_pools;
+ struct dentry *debug_hbqinfo;
+ struct dentry *debug_dumpHostSlim;
+ struct dentry *debug_dumpHBASlim;
+ struct dentry *debug_InjErrLBA; /* LBA to inject errors at */
+ struct dentry *debug_InjErrNPortID; /* NPortID to inject errors at */
+ struct dentry *debug_InjErrWWPN; /* WWPN to inject errors at */
+ struct dentry *debug_writeGuard; /* inject write guard_tag errors */
+ struct dentry *debug_writeApp; /* inject write app_tag errors */
+ struct dentry *debug_writeRef; /* inject write ref_tag errors */
+ struct dentry *debug_readGuard; /* inject read guard_tag errors */
+ struct dentry *debug_readApp; /* inject read app_tag errors */
+ struct dentry *debug_readRef; /* inject read ref_tag errors */
+
+ struct dentry *debug_nvmeio_trc;
struct lpfc_debugfs_nvmeio_trc *nvmeio_trc;
+ struct dentry *debug_hdwqinfo;
+#ifdef LPFC_HDWQ_LOCK_STAT
+ struct dentry *debug_lockstat;
+#endif
+ struct dentry *debug_cgn_buffer;
+ struct dentry *debug_rx_monitor;
+ struct dentry *debug_ras_log;
atomic_t nvmeio_trc_cnt;
uint32_t nvmeio_trc_size;
uint32_t nvmeio_trc_output_idx;
@@ -1352,10 +1379,19 @@ struct lpfc_hba {
sector_t lpfc_injerr_lba;
#define LPFC_INJERR_LBA_OFF (sector_t)(-1)
+ struct dentry *debug_slow_ring_trc;
struct lpfc_debugfs_trc *slow_ring_trc;
atomic_t slow_ring_trc_cnt;
/* iDiag debugfs sub-directory */
struct dentry *idiag_root;
+ struct dentry *idiag_pci_cfg;
+ struct dentry *idiag_bar_acc;
+ struct dentry *idiag_que_info;
+ struct dentry *idiag_que_acc;
+ struct dentry *idiag_drb_acc;
+ struct dentry *idiag_ctl_acc;
+ struct dentry *idiag_mbx_acc;
+ struct dentry *idiag_ext_acc;
uint8_t lpfc_idiag_last_eq;
#endif
uint16_t nvmeio_trc_on;
diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c
index eaedbaff5a78..691314c68b59 100644
--- a/drivers/scsi/lpfc/lpfc_debugfs.c
+++ b/drivers/scsi/lpfc/lpfc_debugfs.c
@@ -6075,11 +6075,6 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport)
if (!lpfc_debugfs_root) {
lpfc_debugfs_root = debugfs_create_dir("lpfc", NULL);
atomic_set(&lpfc_debugfs_hba_count, 0);
- if (IS_ERR(lpfc_debugfs_root)) {
- lpfc_vlog_msg(vport, KERN_WARNING, LOG_INIT,
- "0527 Cannot create debugfs lpfc\n");
- return;
- }
}
if (!lpfc_debugfs_start_time)
lpfc_debugfs_start_time = jiffies;
@@ -6090,96 +6085,150 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport)
pport_setup = true;
phba->hba_debugfs_root =
debugfs_create_dir(name, lpfc_debugfs_root);
- atomic_set(&phba->debugfs_vport_count, 0);
- if (IS_ERR(phba->hba_debugfs_root)) {
- lpfc_vlog_msg(vport, KERN_WARNING, LOG_INIT,
- "0528 Cannot create debugfs %s\n", name);
- return;
- }
atomic_inc(&lpfc_debugfs_hba_count);
+ atomic_set(&phba->debugfs_vport_count, 0);
/* Multi-XRI pools */
- debugfs_create_file("multixripools", 0644,
- phba->hba_debugfs_root, phba,
- &lpfc_debugfs_op_multixripools);
+ snprintf(name, sizeof(name), "multixripools");
+ phba->debug_multixri_pools =
+ debugfs_create_file(name, S_IFREG | 0644,
+ phba->hba_debugfs_root,
+ phba,
+ &lpfc_debugfs_op_multixripools);
+ if (IS_ERR(phba->debug_multixri_pools)) {
+ lpfc_printf_vlog(vport, KERN_ERR, LOG_INIT,
+ "0527 Cannot create debugfs multixripools\n");
+ goto debug_failed;
+ }
/* Congestion Info Buffer */
- debugfs_create_file("cgn_buffer", 0644, phba->hba_debugfs_root,
- phba, &lpfc_cgn_buffer_op);
+ scnprintf(name, sizeof(name), "cgn_buffer");
+ phba->debug_cgn_buffer =
+ debugfs_create_file(name, S_IFREG | 0644,
+ phba->hba_debugfs_root,
+ phba, &lpfc_cgn_buffer_op);
+ if (IS_ERR(phba->debug_cgn_buffer)) {
+ lpfc_printf_vlog(vport, KERN_ERR, LOG_INIT,
+ "6527 Cannot create debugfs "
+ "cgn_buffer\n");
+ goto debug_failed;
+ }
/* RX Monitor */
- debugfs_create_file("rx_monitor", 0644, phba->hba_debugfs_root,
- phba, &lpfc_rx_monitor_op);
+ scnprintf(name, sizeof(name), "rx_monitor");
+ phba->debug_rx_monitor =
+ debugfs_create_file(name, S_IFREG | 0644,
+ phba->hba_debugfs_root,
+ phba, &lpfc_rx_monitor_op);
+ if (IS_ERR(phba->debug_rx_monitor)) {
+ lpfc_printf_vlog(vport, KERN_ERR, LOG_INIT,
+ "6528 Cannot create debugfs "
+ "rx_monitor\n");
+ goto debug_failed;
+ }
/* RAS log */
- debugfs_create_file("ras_log", 0644, phba->hba_debugfs_root,
- phba, &lpfc_debugfs_ras_log);
+ snprintf(name, sizeof(name), "ras_log");
+ phba->debug_ras_log =
+ debugfs_create_file(name, 0644,
+ phba->hba_debugfs_root,
+ phba, &lpfc_debugfs_ras_log);
+ if (IS_ERR(phba->debug_ras_log)) {
+ lpfc_printf_vlog(vport, KERN_ERR, LOG_INIT,
+ "6148 Cannot create debugfs"
+ " ras_log\n");
+ goto debug_failed;
+ }
/* Setup hbqinfo */
- debugfs_create_file("hbqinfo", 0644, phba->hba_debugfs_root,
- phba, &lpfc_debugfs_op_hbqinfo);
+ snprintf(name, sizeof(name), "hbqinfo");
+ phba->debug_hbqinfo =
+ debugfs_create_file(name, S_IFREG | 0644,
+ phba->hba_debugfs_root,
+ phba, &lpfc_debugfs_op_hbqinfo);
#ifdef LPFC_HDWQ_LOCK_STAT
/* Setup lockstat */
- debugfs_create_file("lockstat", 0644, phba->hba_debugfs_root,
- phba, &lpfc_debugfs_op_lockstat);
+ snprintf(name, sizeof(name), "lockstat");
+ phba->debug_lockstat =
+ debugfs_create_file(name, S_IFREG | 0644,
+ phba->hba_debugfs_root,
+ phba, &lpfc_debugfs_op_lockstat);
+ if (IS_ERR(phba->debug_lockstat)) {
+ lpfc_printf_vlog(vport, KERN_ERR, LOG_INIT,
+ "4610 Can't create debugfs lockstat\n");
+ goto debug_failed;
+ }
#endif
+
+ /* Setup dumpHBASlim */
if (phba->sli_rev < LPFC_SLI_REV4) {
- /* Setup dumpHBASlim */
- debugfs_create_file("dumpHBASlim", 0644,
- phba->hba_debugfs_root, phba,
- &lpfc_debugfs_op_dumpHBASlim);
- }
+ snprintf(name, sizeof(name), "dumpHBASlim");
+ phba->debug_dumpHBASlim =
+ debugfs_create_file(name,
+ S_IFREG|S_IRUGO|S_IWUSR,
+ phba->hba_debugfs_root,
+ phba, &lpfc_debugfs_op_dumpHBASlim);
+ } else
+ phba->debug_dumpHBASlim = NULL;
+ /* Setup dumpHostSlim */
if (phba->sli_rev < LPFC_SLI_REV4) {
- /* Setup dumpHostSlim */
- debugfs_create_file("dumpHostSlim", 0644,
- phba->hba_debugfs_root, phba,
- &lpfc_debugfs_op_dumpHostSlim);
- }
+ snprintf(name, sizeof(name), "dumpHostSlim");
+ phba->debug_dumpHostSlim =
+ debugfs_create_file(name,
+ S_IFREG|S_IRUGO|S_IWUSR,
+ phba->hba_debugfs_root,
+ phba, &lpfc_debugfs_op_dumpHostSlim);
+ } else
+ phba->debug_dumpHostSlim = NULL;
/* Setup DIF Error Injections */
- debugfs_create_file_aux_num("InjErrLBA", 0644,
- phba->hba_debugfs_root, phba,
- InjErrLBA,
- &lpfc_debugfs_op_dif_err);
+ phba->debug_InjErrLBA =
+ debugfs_create_file_aux_num("InjErrLBA", 0644,
+ phba->hba_debugfs_root,
+ phba, InjErrLBA, &lpfc_debugfs_op_dif_err);
phba->lpfc_injerr_lba = LPFC_INJERR_LBA_OFF;
- debugfs_create_file_aux_num("InjErrNPortID", 0644,
- phba->hba_debugfs_root, phba,
- InjErrNPortID,
- &lpfc_debugfs_op_dif_err);
-
- debugfs_create_file_aux_num("InjErrWWPN", 0644,
- phba->hba_debugfs_root, phba,
- InjErrWWPN,
- &lpfc_debugfs_op_dif_err);
-
- debugfs_create_file_aux_num("writeGuardInjErr", 0644,
- phba->hba_debugfs_root, phba,
- writeGuard,
- &lpfc_debugfs_op_dif_err);
-
- debugfs_create_file_aux_num("writeAppInjErr", 0644,
- phba->hba_debugfs_root, phba,
- writeApp, &lpfc_debugfs_op_dif_err);
-
- debugfs_create_file_aux_num("writeRefInjErr", 0644,
- phba->hba_debugfs_root, phba,
- writeRef, &lpfc_debugfs_op_dif_err);
-
- debugfs_create_file_aux_num("readGuardInjErr", 0644,
- phba->hba_debugfs_root, phba,
- readGuard,
- &lpfc_debugfs_op_dif_err);
-
- debugfs_create_file_aux_num("readAppInjErr", 0644,
- phba->hba_debugfs_root, phba,
- readApp, &lpfc_debugfs_op_dif_err);
-
- debugfs_create_file_aux_num("readRefInjErr", 0644,
- phba->hba_debugfs_root, phba,
- readRef, &lpfc_debugfs_op_dif_err);
+ phba->debug_InjErrNPortID =
+ debugfs_create_file_aux_num("InjErrNPortID", 0644,
+ phba->hba_debugfs_root,
+ phba, InjErrNPortID, &lpfc_debugfs_op_dif_err);
+
+ phba->debug_InjErrWWPN =
+ debugfs_create_file_aux_num("InjErrWWPN", 0644,
+ phba->hba_debugfs_root,
+ phba, InjErrWWPN, &lpfc_debugfs_op_dif_err);
+
+ phba->debug_writeGuard =
+ debugfs_create_file_aux_num("writeGuardInjErr", 0644,
+ phba->hba_debugfs_root,
+ phba, writeGuard, &lpfc_debugfs_op_dif_err);
+
+ phba->debug_writeApp =
+ debugfs_create_file_aux_num("writeAppInjErr", 0644,
+ phba->hba_debugfs_root,
+ phba, writeApp, &lpfc_debugfs_op_dif_err);
+
+ phba->debug_writeRef =
+ debugfs_create_file_aux_num("writeRefInjErr", 0644,
+ phba->hba_debugfs_root,
+ phba, writeRef, &lpfc_debugfs_op_dif_err);
+
+ phba->debug_readGuard =
+ debugfs_create_file_aux_num("readGuardInjErr", 0644,
+ phba->hba_debugfs_root,
+ phba, readGuard, &lpfc_debugfs_op_dif_err);
+
+ phba->debug_readApp =
+ debugfs_create_file_aux_num("readAppInjErr", 0644,
+ phba->hba_debugfs_root,
+ phba, readApp, &lpfc_debugfs_op_dif_err);
+
+ phba->debug_readRef =
+ debugfs_create_file_aux_num("readRefInjErr", 0644,
+ phba->hba_debugfs_root,
+ phba, readRef, &lpfc_debugfs_op_dif_err);
/* Setup slow ring trace */
if (lpfc_debugfs_max_slow_ring_trc) {
@@ -6199,9 +6248,11 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport)
}
}
- debugfs_create_file("slow_ring_trace", 0644,
- phba->hba_debugfs_root, phba,
- &lpfc_debugfs_op_slow_ring_trc);
+ snprintf(name, sizeof(name), "slow_ring_trace");
+ phba->debug_slow_ring_trc =
+ debugfs_create_file(name, S_IFREG|S_IRUGO|S_IWUSR,
+ phba->hba_debugfs_root,
+ phba, &lpfc_debugfs_op_slow_ring_trc);
if (!phba->slow_ring_trc) {
phba->slow_ring_trc = kcalloc(
lpfc_debugfs_max_slow_ring_trc,
@@ -6211,13 +6262,16 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport)
lpfc_printf_vlog(vport, KERN_ERR, LOG_INIT,
"0416 Cannot create debugfs "
"slow_ring buffer\n");
- goto out;
+ goto debug_failed;
}
atomic_set(&phba->slow_ring_trc_cnt, 0);
}
- debugfs_create_file("nvmeio_trc", 0644, phba->hba_debugfs_root,
- phba, &lpfc_debugfs_op_nvmeio_trc);
+ snprintf(name, sizeof(name), "nvmeio_trc");
+ phba->debug_nvmeio_trc =
+ debugfs_create_file(name, 0644,
+ phba->hba_debugfs_root,
+ phba, &lpfc_debugfs_op_nvmeio_trc);
atomic_set(&phba->nvmeio_trc_cnt, 0);
if (lpfc_debugfs_max_nvmeio_trc) {
@@ -6263,11 +6317,6 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport)
if (!vport->vport_debugfs_root) {
vport->vport_debugfs_root =
debugfs_create_dir(name, phba->hba_debugfs_root);
- if (IS_ERR(vport->vport_debugfs_root)) {
- lpfc_vlog_msg(vport, KERN_WARNING, LOG_INIT,
- "0529 Cannot create debugfs %s\n", name);
- return;
- }
atomic_inc(&phba->debugfs_vport_count);
}
@@ -6295,27 +6344,54 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport)
lpfc_printf_vlog(vport, KERN_ERR, LOG_INIT,
"0418 Cannot create debugfs disc trace "
"buffer\n");
- goto out;
+ goto debug_failed;
}
atomic_set(&vport->disc_trc_cnt, 0);
- debugfs_create_file("discovery_trace", 0644, vport->vport_debugfs_root,
- vport, &lpfc_debugfs_op_disc_trc);
-
- debugfs_create_file("nodelist", 0644, vport->vport_debugfs_root, vport,
- &lpfc_debugfs_op_nodelist);
-
- debugfs_create_file("nvmestat", 0644, vport->vport_debugfs_root, vport,
- &lpfc_debugfs_op_nvmestat);
-
- debugfs_create_file("scsistat", 0644, vport->vport_debugfs_root, vport,
- &lpfc_debugfs_op_scsistat);
+ snprintf(name, sizeof(name), "discovery_trace");
+ vport->debug_disc_trc =
+ debugfs_create_file(name, S_IFREG|S_IRUGO|S_IWUSR,
+ vport->vport_debugfs_root,
+ vport, &lpfc_debugfs_op_disc_trc);
+ snprintf(name, sizeof(name), "nodelist");
+ vport->debug_nodelist =
+ debugfs_create_file(name, S_IFREG|S_IRUGO|S_IWUSR,
+ vport->vport_debugfs_root,
+ vport, &lpfc_debugfs_op_nodelist);
+
+ snprintf(name, sizeof(name), "nvmestat");
+ vport->debug_nvmestat =
+ debugfs_create_file(name, 0644,
+ vport->vport_debugfs_root,
+ vport, &lpfc_debugfs_op_nvmestat);
+
+ snprintf(name, sizeof(name), "scsistat");
+ vport->debug_scsistat =
+ debugfs_create_file(name, 0644,
+ vport->vport_debugfs_root,
+ vport, &lpfc_debugfs_op_scsistat);
+ if (IS_ERR(vport->debug_scsistat)) {
+ lpfc_printf_vlog(vport, KERN_ERR, LOG_INIT,
+ "4611 Cannot create debugfs scsistat\n");
+ goto debug_failed;
+ }
- debugfs_create_file("ioktime", 0644, vport->vport_debugfs_root, vport,
- &lpfc_debugfs_op_ioktime);
+ snprintf(name, sizeof(name), "ioktime");
+ vport->debug_ioktime =
+ debugfs_create_file(name, 0644,
+ vport->vport_debugfs_root,
+ vport, &lpfc_debugfs_op_ioktime);
+ if (IS_ERR(vport->debug_ioktime)) {
+ lpfc_printf_vlog(vport, KERN_ERR, LOG_INIT,
+ "0815 Cannot create debugfs ioktime\n");
+ goto debug_failed;
+ }
- debugfs_create_file("hdwqstat", 0644, vport->vport_debugfs_root, vport,
- &lpfc_debugfs_op_hdwqstat);
+ snprintf(name, sizeof(name), "hdwqstat");
+ vport->debug_hdwqstat =
+ debugfs_create_file(name, 0644,
+ vport->vport_debugfs_root,
+ vport, &lpfc_debugfs_op_hdwqstat);
/*
* The following section is for additional directories/files for the
@@ -6323,58 +6399,93 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport)
*/
if (!pport_setup)
- return;
+ goto debug_failed;
/*
* iDiag debugfs root entry points for SLI4 device only
*/
if (phba->sli_rev < LPFC_SLI_REV4)
- return;
+ goto debug_failed;
+ snprintf(name, sizeof(name), "iDiag");
if (!phba->idiag_root) {
phba->idiag_root =
- debugfs_create_dir("iDiag", phba->hba_debugfs_root);
+ debugfs_create_dir(name, phba->hba_debugfs_root);
/* Initialize iDiag data structure */
memset(&idiag, 0, sizeof(idiag));
}
/* iDiag read PCI config space */
- debugfs_create_file("pciCfg", 0644, phba->idiag_root, phba,
- &lpfc_idiag_op_pciCfg);
- idiag.offset.last_rd = 0;
+ snprintf(name, sizeof(name), "pciCfg");
+ if (!phba->idiag_pci_cfg) {
+ phba->idiag_pci_cfg =
+ debugfs_create_file(name, S_IFREG|S_IRUGO|S_IWUSR,
+ phba->idiag_root, phba, &lpfc_idiag_op_pciCfg);
+ idiag.offset.last_rd = 0;
+ }
/* iDiag PCI BAR access */
- debugfs_create_file("barAcc", 0644, phba->idiag_root, phba,
- &lpfc_idiag_op_barAcc);
- idiag.offset.last_rd = 0;
+ snprintf(name, sizeof(name), "barAcc");
+ if (!phba->idiag_bar_acc) {
+ phba->idiag_bar_acc =
+ debugfs_create_file(name, S_IFREG|S_IRUGO|S_IWUSR,
+ phba->idiag_root, phba, &lpfc_idiag_op_barAcc);
+ idiag.offset.last_rd = 0;
+ }
/* iDiag get PCI function queue information */
- debugfs_create_file("queInfo", 0444, phba->idiag_root, phba,
- &lpfc_idiag_op_queInfo);
+ snprintf(name, sizeof(name), "queInfo");
+ if (!phba->idiag_que_info) {
+ phba->idiag_que_info =
+ debugfs_create_file(name, S_IFREG|S_IRUGO,
+ phba->idiag_root, phba, &lpfc_idiag_op_queInfo);
+ }
/* iDiag access PCI function queue */
- debugfs_create_file("queAcc", 0644, phba->idiag_root, phba,
- &lpfc_idiag_op_queAcc);
+ snprintf(name, sizeof(name), "queAcc");
+ if (!phba->idiag_que_acc) {
+ phba->idiag_que_acc =
+ debugfs_create_file(name, S_IFREG|S_IRUGO|S_IWUSR,
+ phba->idiag_root, phba, &lpfc_idiag_op_queAcc);
+ }
/* iDiag access PCI function doorbell registers */
- debugfs_create_file("drbAcc", 0644, phba->idiag_root, phba,
- &lpfc_idiag_op_drbAcc);
+ snprintf(name, sizeof(name), "drbAcc");
+ if (!phba->idiag_drb_acc) {
+ phba->idiag_drb_acc =
+ debugfs_create_file(name, S_IFREG|S_IRUGO|S_IWUSR,
+ phba->idiag_root, phba, &lpfc_idiag_op_drbAcc);
+ }
/* iDiag access PCI function control registers */
- debugfs_create_file("ctlAcc", 0644, phba->idiag_root, phba,
- &lpfc_idiag_op_ctlAcc);
+ snprintf(name, sizeof(name), "ctlAcc");
+ if (!phba->idiag_ctl_acc) {
+ phba->idiag_ctl_acc =
+ debugfs_create_file(name, S_IFREG|S_IRUGO|S_IWUSR,
+ phba->idiag_root, phba, &lpfc_idiag_op_ctlAcc);
+ }
/* iDiag access mbox commands */
- debugfs_create_file("mbxAcc", 0644, phba->idiag_root, phba,
- &lpfc_idiag_op_mbxAcc);
+ snprintf(name, sizeof(name), "mbxAcc");
+ if (!phba->idiag_mbx_acc) {
+ phba->idiag_mbx_acc =
+ debugfs_create_file(name, S_IFREG|S_IRUGO|S_IWUSR,
+ phba->idiag_root, phba, &lpfc_idiag_op_mbxAcc);
+ }
/* iDiag extents access commands */
if (phba->sli4_hba.extents_in_use) {
- debugfs_create_file("extAcc", 0644, phba->idiag_root, phba,
- &lpfc_idiag_op_extAcc);
+ snprintf(name, sizeof(name), "extAcc");
+ if (!phba->idiag_ext_acc) {
+ phba->idiag_ext_acc =
+ debugfs_create_file(name,
+ S_IFREG|S_IRUGO|S_IWUSR,
+ phba->idiag_root, phba,
+ &lpfc_idiag_op_extAcc);
+ }
}
-out:
- /* alloc'ed items are kfree'd in lpfc_debugfs_terminate */
+
+debug_failed:
return;
#endif
}
@@ -6399,6 +6510,24 @@ lpfc_debugfs_terminate(struct lpfc_vport *vport)
kfree(vport->disc_trc);
vport->disc_trc = NULL;
+ debugfs_remove(vport->debug_disc_trc); /* discovery_trace */
+ vport->debug_disc_trc = NULL;
+
+ debugfs_remove(vport->debug_nodelist); /* nodelist */
+ vport->debug_nodelist = NULL;
+
+ debugfs_remove(vport->debug_nvmestat); /* nvmestat */
+ vport->debug_nvmestat = NULL;
+
+ debugfs_remove(vport->debug_scsistat); /* scsistat */
+ vport->debug_scsistat = NULL;
+
+ debugfs_remove(vport->debug_ioktime); /* ioktime */
+ vport->debug_ioktime = NULL;
+
+ debugfs_remove(vport->debug_hdwqstat); /* hdwqstat */
+ vport->debug_hdwqstat = NULL;
+
if (vport->vport_debugfs_root) {
debugfs_remove(vport->vport_debugfs_root); /* vportX */
vport->vport_debugfs_root = NULL;
@@ -6406,12 +6535,113 @@ lpfc_debugfs_terminate(struct lpfc_vport *vport)
}
if (atomic_read(&phba->debugfs_vport_count) == 0) {
+
+ debugfs_remove(phba->debug_multixri_pools); /* multixripools*/
+ phba->debug_multixri_pools = NULL;
+
+ debugfs_remove(phba->debug_hbqinfo); /* hbqinfo */
+ phba->debug_hbqinfo = NULL;
+
+ debugfs_remove(phba->debug_cgn_buffer);
+ phba->debug_cgn_buffer = NULL;
+
+ debugfs_remove(phba->debug_rx_monitor);
+ phba->debug_rx_monitor = NULL;
+
+ debugfs_remove(phba->debug_ras_log);
+ phba->debug_ras_log = NULL;
+
+#ifdef LPFC_HDWQ_LOCK_STAT
+ debugfs_remove(phba->debug_lockstat); /* lockstat */
+ phba->debug_lockstat = NULL;
+#endif
+ debugfs_remove(phba->debug_dumpHBASlim); /* HBASlim */
+ phba->debug_dumpHBASlim = NULL;
+
+ debugfs_remove(phba->debug_dumpHostSlim); /* HostSlim */
+ phba->debug_dumpHostSlim = NULL;
+
+ debugfs_remove(phba->debug_InjErrLBA); /* InjErrLBA */
+ phba->debug_InjErrLBA = NULL;
+
+ debugfs_remove(phba->debug_InjErrNPortID);
+ phba->debug_InjErrNPortID = NULL;
+
+ debugfs_remove(phba->debug_InjErrWWPN); /* InjErrWWPN */
+ phba->debug_InjErrWWPN = NULL;
+
+ debugfs_remove(phba->debug_writeGuard); /* writeGuard */
+ phba->debug_writeGuard = NULL;
+
+ debugfs_remove(phba->debug_writeApp); /* writeApp */
+ phba->debug_writeApp = NULL;
+
+ debugfs_remove(phba->debug_writeRef); /* writeRef */
+ phba->debug_writeRef = NULL;
+
+ debugfs_remove(phba->debug_readGuard); /* readGuard */
+ phba->debug_readGuard = NULL;
+
+ debugfs_remove(phba->debug_readApp); /* readApp */
+ phba->debug_readApp = NULL;
+
+ debugfs_remove(phba->debug_readRef); /* readRef */
+ phba->debug_readRef = NULL;
+
kfree(phba->slow_ring_trc);
phba->slow_ring_trc = NULL;
+ /* slow_ring_trace */
+ debugfs_remove(phba->debug_slow_ring_trc);
+ phba->debug_slow_ring_trc = NULL;
+
+ debugfs_remove(phba->debug_nvmeio_trc);
+ phba->debug_nvmeio_trc = NULL;
+
kfree(phba->nvmeio_trc);
phba->nvmeio_trc = NULL;
+ /*
+ * iDiag release
+ */
+ if (phba->sli_rev == LPFC_SLI_REV4) {
+ /* iDiag extAcc */
+ debugfs_remove(phba->idiag_ext_acc);
+ phba->idiag_ext_acc = NULL;
+
+ /* iDiag mbxAcc */
+ debugfs_remove(phba->idiag_mbx_acc);
+ phba->idiag_mbx_acc = NULL;
+
+ /* iDiag ctlAcc */
+ debugfs_remove(phba->idiag_ctl_acc);
+ phba->idiag_ctl_acc = NULL;
+
+ /* iDiag drbAcc */
+ debugfs_remove(phba->idiag_drb_acc);
+ phba->idiag_drb_acc = NULL;
+
+ /* iDiag queAcc */
+ debugfs_remove(phba->idiag_que_acc);
+ phba->idiag_que_acc = NULL;
+
+ /* iDiag queInfo */
+ debugfs_remove(phba->idiag_que_info);
+ phba->idiag_que_info = NULL;
+
+ /* iDiag barAcc */
+ debugfs_remove(phba->idiag_bar_acc);
+ phba->idiag_bar_acc = NULL;
+
+ /* iDiag pciCfg */
+ debugfs_remove(phba->idiag_pci_cfg);
+ phba->idiag_pci_cfg = NULL;
+
+ /* Finally remove the iDiag debugfs root */
+ debugfs_remove(phba->idiag_root);
+ phba->idiag_root = NULL;
+ }
+
if (phba->hba_debugfs_root) {
debugfs_remove(phba->hba_debugfs_root); /* fnX */
phba->hba_debugfs_root = NULL;

195
1180-revert-scsi-lpfc-use-switch-case-statements-in-dif-debugfs-h.patch Normal file
View File

@ -0,0 +1,195 @@
Subject: [PATCH] Revert "scsi: lpfc: Use switch case statements in DIF debugfs handlers"
# reverse of cs10 d19023a336a31f49111b96a266610a4d923f9cad
diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c
index 691314c68b59..7c4d7bb3a56f 100644
--- a/drivers/scsi/lpfc/lpfc_debugfs.c
+++ b/drivers/scsi/lpfc/lpfc_debugfs.c
@@ -2373,117 +2373,93 @@ lpfc_debugfs_dumpHostSlim_open(struct inode *inode, struct file *file)
static ssize_t
lpfc_debugfs_dif_err_read(struct file *file, char __user *buf,
- size_t nbytes, loff_t *ppos)
+ size_t nbytes, loff_t *ppos)
{
struct lpfc_hba *phba = file->private_data;
int kind = debugfs_get_aux_num(file);
- char cbuf[32] = {0};
+ char cbuf[32];
+ uint64_t tmp = 0;
int cnt = 0;
- switch (kind) {
- case writeGuard:
- cnt = scnprintf(cbuf, sizeof(cbuf), "%u\n",
- phba->lpfc_injerr_wgrd_cnt);
- break;
- case writeApp:
- cnt = scnprintf(cbuf, sizeof(cbuf), "%u\n",
- phba->lpfc_injerr_wapp_cnt);
- break;
- case writeRef:
- cnt = scnprintf(cbuf, sizeof(cbuf), "%u\n",
- phba->lpfc_injerr_wref_cnt);
- break;
- case readGuard:
- cnt = scnprintf(cbuf, sizeof(cbuf), "%u\n",
- phba->lpfc_injerr_rgrd_cnt);
- break;
- case readApp:
- cnt = scnprintf(cbuf, sizeof(cbuf), "%u\n",
- phba->lpfc_injerr_rapp_cnt);
- break;
- case readRef:
- cnt = scnprintf(cbuf, sizeof(cbuf), "%u\n",
- phba->lpfc_injerr_rref_cnt);
- break;
- case InjErrNPortID:
- cnt = scnprintf(cbuf, sizeof(cbuf), "0x%06x\n",
+ if (kind == writeGuard)
+ cnt = scnprintf(cbuf, 32, "%u\n", phba->lpfc_injerr_wgrd_cnt);
+ else if (kind == writeApp)
+ cnt = scnprintf(cbuf, 32, "%u\n", phba->lpfc_injerr_wapp_cnt);
+ else if (kind == writeRef)
+ cnt = scnprintf(cbuf, 32, "%u\n", phba->lpfc_injerr_wref_cnt);
+ else if (kind == readGuard)
+ cnt = scnprintf(cbuf, 32, "%u\n", phba->lpfc_injerr_rgrd_cnt);
+ else if (kind == readApp)
+ cnt = scnprintf(cbuf, 32, "%u\n", phba->lpfc_injerr_rapp_cnt);
+ else if (kind == readRef)
+ cnt = scnprintf(cbuf, 32, "%u\n", phba->lpfc_injerr_rref_cnt);
+ else if (kind == InjErrNPortID)
+ cnt = scnprintf(cbuf, 32, "0x%06x\n",
phba->lpfc_injerr_nportid);
- break;
- case InjErrWWPN:
- cnt = scnprintf(cbuf, sizeof(cbuf), "0x%016llx\n",
- be64_to_cpu(phba->lpfc_injerr_wwpn.u.wwn_be));
- break;
- case InjErrLBA:
- if (phba->lpfc_injerr_lba == LPFC_INJERR_LBA_OFF)
- cnt = scnprintf(cbuf, sizeof(cbuf), "off\n");
+ else if (kind == InjErrWWPN) {
+ memcpy(&tmp, &phba->lpfc_injerr_wwpn, sizeof(struct lpfc_name));
+ tmp = cpu_to_be64(tmp);
+ cnt = scnprintf(cbuf, 32, "0x%016llx\n", tmp);
+ } else if (kind == InjErrLBA) {
+ if (phba->lpfc_injerr_lba == (sector_t)(-1))
+ cnt = scnprintf(cbuf, 32, "off\n");
else
- cnt = scnprintf(cbuf, sizeof(cbuf), "0x%llx\n",
- (uint64_t)phba->lpfc_injerr_lba);
- break;
- default:
- lpfc_log_msg(phba, KERN_WARNING, LOG_INIT,
- "0547 Unknown debugfs error injection entry\n");
- break;
- }
+ cnt = scnprintf(cbuf, 32, "0x%llx\n",
+ (uint64_t) phba->lpfc_injerr_lba);
+ } else
+ lpfc_printf_log(phba, KERN_ERR, LOG_INIT,
+ "0547 Unknown debugfs error injection entry\n");
return simple_read_from_buffer(buf, nbytes, ppos, &cbuf, cnt);
}
static ssize_t
lpfc_debugfs_dif_err_write(struct file *file, const char __user *buf,
- size_t nbytes, loff_t *ppos)
+ size_t nbytes, loff_t *ppos)
{
struct lpfc_hba *phba = file->private_data;
int kind = debugfs_get_aux_num(file);
- char dstbuf[33] = {0};
- unsigned long long tmp;
- unsigned long size;
+ char dstbuf[33];
+ uint64_t tmp = 0;
+ int size;
- size = (nbytes < (sizeof(dstbuf) - 1)) ? nbytes : (sizeof(dstbuf) - 1);
+ memset(dstbuf, 0, 33);
+ size = (nbytes < 32) ? nbytes : 32;
if (copy_from_user(dstbuf, buf, size))
return -EFAULT;
- if (kstrtoull(dstbuf, 0, &tmp)) {
- if (kind != InjErrLBA || !strstr(dstbuf, "off"))
- return -EINVAL;
+ if (kind == InjErrLBA) {
+ if ((dstbuf[0] == 'o') && (dstbuf[1] == 'f') &&
+ (dstbuf[2] == 'f'))
+ tmp = (uint64_t)(-1);
}
- switch (kind) {
- case writeGuard:
+ if ((tmp == 0) && (kstrtoull(dstbuf, 0, &tmp)))
+ return -EINVAL;
+
+ if (kind == writeGuard)
phba->lpfc_injerr_wgrd_cnt = (uint32_t)tmp;
- break;
- case writeApp:
+ else if (kind == writeApp)
phba->lpfc_injerr_wapp_cnt = (uint32_t)tmp;
- break;
- case writeRef:
+ else if (kind == writeRef)
phba->lpfc_injerr_wref_cnt = (uint32_t)tmp;
- break;
- case readGuard:
+ else if (kind == readGuard)
phba->lpfc_injerr_rgrd_cnt = (uint32_t)tmp;
- break;
- case readApp:
+ else if (kind == readApp)
phba->lpfc_injerr_rapp_cnt = (uint32_t)tmp;
- break;
- case readRef:
+ else if (kind == readRef)
phba->lpfc_injerr_rref_cnt = (uint32_t)tmp;
- break;
- case InjErrLBA:
- if (strstr(dstbuf, "off"))
- phba->lpfc_injerr_lba = LPFC_INJERR_LBA_OFF;
- else
- phba->lpfc_injerr_lba = (sector_t)tmp;
- break;
- case InjErrNPortID:
+ else if (kind == InjErrLBA)
+ phba->lpfc_injerr_lba = (sector_t)tmp;
+ else if (kind == InjErrNPortID)
phba->lpfc_injerr_nportid = (uint32_t)(tmp & Mask_DID);
- break;
- case InjErrWWPN:
- phba->lpfc_injerr_wwpn.u.wwn_be = cpu_to_be64(tmp);
- break;
- default:
- lpfc_log_msg(phba, KERN_WARNING, LOG_INIT,
- "0548 Unknown debugfs error injection entry\n");
- break;
- }
+ else if (kind == InjErrWWPN) {
+ tmp = cpu_to_be64(tmp);
+ memcpy(&phba->lpfc_injerr_wwpn, &tmp, sizeof(struct lpfc_name));
+ } else
+ lpfc_printf_log(phba, KERN_ERR, LOG_INIT,
+ "0548 Unknown debugfs error injection entry\n");
+
return nbytes;
}
diff --git a/drivers/scsi/lpfc/lpfc_hw.h b/drivers/scsi/lpfc/lpfc_hw.h
index b287d39ad033..32298285ea5e 100644
--- a/drivers/scsi/lpfc/lpfc_hw.h
+++ b/drivers/scsi/lpfc/lpfc_hw.h
@@ -366,7 +366,6 @@ struct lpfc_name {
} s;
uint8_t wwn[8];
uint64_t name __packed __aligned(4);
- __be64 wwn_be __packed __aligned(4);
} u;
};

15
1181-revert-scsi-lpfc-fix-memory-leak-when-nvmeio-trc-debugfs-ent.patch Normal file
View File

@ -0,0 +1,15 @@
Subject: [PATCH] Revert "scsi: lpfc: Fix memory leak when nvmeio_trc debugfs entry is used"
# reverse of cs10 1b923bbb0077b6f1679b13b26a46342034b0c794
diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c
index 7c4d7bb3a56f..2db8d9529b8f 100644
--- a/drivers/scsi/lpfc/lpfc_debugfs.c
+++ b/drivers/scsi/lpfc/lpfc_debugfs.c
@@ -6280,6 +6280,7 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport)
}
phba->nvmeio_trc_on = 1;
phba->nvmeio_trc_output_idx = 0;
+ phba->nvmeio_trc = NULL;
} else {
nvmeio_off:
phba->nvmeio_trc_size = 0;

17
1182-revert-scsi-lpfc-define-size-of-debugfs-entry-for-xri-rebala.patch Normal file
View File

@ -0,0 +1,17 @@
Subject: [PATCH] Revert "scsi: lpfc: Define size of debugfs entry for xri rebalancing"
# reverse of cs10 60dc76d9e94b45301a874cede2364bf4d7a4c16e
diff --git a/drivers/scsi/lpfc/lpfc_debugfs.h b/drivers/scsi/lpfc/lpfc_debugfs.h
index 566dd84e0677..f319f3af0400 100644
--- a/drivers/scsi/lpfc/lpfc_debugfs.h
+++ b/drivers/scsi/lpfc/lpfc_debugfs.h
@@ -44,9 +44,6 @@
/* hbqinfo output buffer size */
#define LPFC_HBQINFO_SIZE 8192
-/* hdwqinfo output buffer size */
-#define LPFC_HDWQINFO_SIZE 8192
-
/* nvmestat output buffer size */
#define LPFC_NVMESTAT_SIZE 8192
#define LPFC_IOKTIME_SIZE 8192

75
1183-revert-scsi-lpfc-ensure-plogi-acc-is-sent-prior-to-prli-in-p.patch Normal file
View File

@ -0,0 +1,75 @@
Subject: [PATCH] Revert "scsi: lpfc: Ensure PLOGI_ACC is sent prior to PRLI in Point to Point topology"
# reverse of cs10 6dcd096ed524a8b9dcc82b80bfcebca892be8ea2
diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
index 9a20a08f4bd9..941027b329a2 100644
--- a/drivers/scsi/lpfc/lpfc_els.c
+++ b/drivers/scsi/lpfc/lpfc_els.c
@@ -5338,12 +5338,12 @@ lpfc_cmpl_els_rsp(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb,
ulp_status, ulp_word4, did);
/* ELS response tag <ulpIoTag> completes */
lpfc_printf_vlog(vport, KERN_INFO, LOG_ELS,
- "0110 ELS response tag x%x completes fc_flag x%lx"
+ "0110 ELS response tag x%x completes "
"Data: x%x x%x x%x x%x x%lx x%x x%x x%x %p %p\n",
- iotag, vport->fc_flag, ulp_status, ulp_word4, tmo,
+ iotag, ulp_status, ulp_word4, tmo,
ndlp->nlp_DID, ndlp->nlp_flag, ndlp->nlp_state,
ndlp->nlp_rpi, kref_read(&ndlp->kref), mbox, ndlp);
- if (mbox && !test_bit(FC_PT2PT, &vport->fc_flag)) {
+ if (mbox) {
if (ulp_status == 0 &&
test_bit(NLP_ACC_REGLOGIN, &ndlp->nlp_flag)) {
if (!lpfc_unreg_rpi(vport, ndlp) &&
@@ -5402,10 +5402,6 @@ lpfc_cmpl_els_rsp(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb,
}
out_free_mbox:
lpfc_mbox_rsrc_cleanup(phba, mbox, MBOX_THD_UNLOCKED);
- } else if (mbox && test_bit(FC_PT2PT, &vport->fc_flag) &&
- test_bit(NLP_ACC_REGLOGIN, &ndlp->nlp_flag)) {
- lpfc_mbx_cmpl_reg_login(phba, mbox);
- clear_bit(NLP_ACC_REGLOGIN, &ndlp->nlp_flag);
}
out:
if (ndlp && shost) {
diff --git a/drivers/scsi/lpfc/lpfc_nportdisc.c b/drivers/scsi/lpfc/lpfc_nportdisc.c
index 1e331b76dff4..5aa21c683ac6 100644
--- a/drivers/scsi/lpfc/lpfc_nportdisc.c
+++ b/drivers/scsi/lpfc/lpfc_nportdisc.c
@@ -326,14 +326,8 @@ lpfc_defer_plogi_acc(struct lpfc_hba *phba, LPFC_MBOXQ_t *login_mbox)
/* Now that REG_RPI completed successfully,
* we can now proceed with sending the PLOGI ACC.
*/
- if (test_bit(FC_PT2PT, &ndlp->vport->fc_flag)) {
- rc = lpfc_els_rsp_acc(login_mbox->vport, ELS_CMD_PLOGI,
- save_iocb, ndlp, login_mbox);
- } else {
- rc = lpfc_els_rsp_acc(login_mbox->vport, ELS_CMD_PLOGI,
- save_iocb, ndlp, NULL);
- }
-
+ rc = lpfc_els_rsp_acc(login_mbox->vport, ELS_CMD_PLOGI,
+ save_iocb, ndlp, NULL);
if (rc) {
lpfc_printf_log(phba, KERN_ERR, LOG_TRACE_EVENT,
"4576 PLOGI ACC fails pt2pt discovery: "
@@ -341,16 +335,9 @@ lpfc_defer_plogi_acc(struct lpfc_hba *phba, LPFC_MBOXQ_t *login_mbox)
}
}
- /* If this is a fabric topology, complete the reg_rpi and prli now.
- * For Pt2Pt, the reg_rpi and PRLI are deferred until after the LS_ACC
- * completes. This ensures, in Pt2Pt, that the PLOGI LS_ACC is sent
- * before the PRLI.
- */
- if (!test_bit(FC_PT2PT, &ndlp->vport->fc_flag)) {
- /* Now process the REG_RPI cmpl */
- lpfc_mbx_cmpl_reg_login(phba, login_mbox);
- clear_bit(NLP_ACC_REGLOGIN, &ndlp->nlp_flag);
- }
+ /* Now process the REG_RPI cmpl */
+ lpfc_mbx_cmpl_reg_login(phba, login_mbox);
+ clear_bit(NLP_ACC_REGLOGIN, &ndlp->nlp_flag);
kfree(save_iocb);
}

42
1184-revert-scsi-lpfc-check-return-status-of-lpfc-reset-flush-io-.patch Normal file
View File

@ -0,0 +1,42 @@
Subject: [PATCH] Revert "scsi: lpfc: Check return status of lpfc_reset_flush_io_context during TGT_RESET"
# reverse of cs10 df9467ebb13f73db4517d73b5445c0ea4233ab36
diff --git a/drivers/scsi/lpfc/lpfc_scsi.c b/drivers/scsi/lpfc/lpfc_scsi.c
index be709f12c6a1..a9c8c6c021b9 100644
--- a/drivers/scsi/lpfc/lpfc_scsi.c
+++ b/drivers/scsi/lpfc/lpfc_scsi.c
@@ -5936,7 +5936,7 @@ lpfc_chk_tgt_mapped(struct lpfc_vport *vport, struct fc_rport *rport)
/**
* lpfc_reset_flush_io_context -
* @vport: The virtual port (scsi_host) for the flush context
- * @tgt_id: If aborting by Target context - specifies the target id
+ * @tgt_id: If aborting by Target contect - specifies the target id
* @lun_id: If aborting by Lun context - specifies the lun id
* @context: specifies the context level to flush at.
*
@@ -6110,14 +6110,8 @@ lpfc_target_reset_handler(struct scsi_cmnd *cmnd)
pnode->nlp_fcp_info &= ~NLP_FCP_2_DEVICE;
spin_unlock_irqrestore(&pnode->lock, flags);
}
- status = lpfc_reset_flush_io_context(vport, tgt_id, lun_id,
- LPFC_CTX_TGT);
- if (status != SUCCESS) {
- lpfc_printf_vlog(vport, KERN_ERR, LOG_FCP,
- "0726 Target Reset flush status x%x\n",
- status);
- return status;
- }
+ lpfc_reset_flush_io_context(vport, tgt_id, lun_id,
+ LPFC_CTX_TGT);
return FAST_IO_FAIL;
}
@@ -6210,7 +6204,7 @@ lpfc_host_reset_handler(struct scsi_cmnd *cmnd)
int rc, ret = SUCCESS;
lpfc_printf_vlog(vport, KERN_ERR, LOG_FCP,
- "3172 SCSI layer issued Host Reset\n");
+ "3172 SCSI layer issued Host Reset Data:\n");
lpfc_offline_prep(phba, LPFC_MBX_WAIT);
lpfc_offline(phba);

19
1185-revert-scsi-lpfc-decrement-ndlp-kref-after-fdisc-retries-exh.patch Normal file
View File

@ -0,0 +1,19 @@
Subject: [PATCH] Revert "scsi: lpfc: Decrement ndlp kref after FDISC retries exhausted"
# reverse of cs10 14172e24e848ad269867eae4464dd5704c041c92
diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
index 941027b329a2..17390e5075cb 100644
--- a/drivers/scsi/lpfc/lpfc_els.c
+++ b/drivers/scsi/lpfc/lpfc_els.c
@@ -11259,11 +11259,6 @@ lpfc_cmpl_els_fdisc(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb,
lpfc_vlog_msg(vport, KERN_WARNING, LOG_ELS,
"0126 FDISC cmpl status: x%x/x%x)\n",
ulp_status, ulp_word4);
-
- /* drop initial reference */
- if (!test_and_set_bit(NLP_DROPPED, &ndlp->nlp_flag))
- lpfc_nlp_put(ndlp);
-
goto fdisc_failed;
}

38
1186-revert-scsi-lpfc-remove-ndlp-kref-decrement-clause-for-f-por.patch Normal file
View File

@ -0,0 +1,38 @@
Subject: [PATCH] Revert "scsi: lpfc: Remove ndlp kref decrement clause for F_Port_Ctrl in lpfc_cleanup"
# reverse of cs10 1073b98315bf10385a9bfdb2859415d38f641dc2
diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
index 17390e5075cb..71e76e681621 100644
--- a/drivers/scsi/lpfc/lpfc_els.c
+++ b/drivers/scsi/lpfc/lpfc_els.c
@@ -12007,11 +12007,7 @@ lpfc_sli4_els_xri_aborted(struct lpfc_hba *phba,
sglq_entry->state = SGL_FREED;
spin_unlock_irqrestore(&phba->sli4_hba.sgl_list_lock,
iflag);
- lpfc_printf_log(phba, KERN_INFO, LOG_ELS | LOG_SLI |
- LOG_DISCOVERY | LOG_NODE,
- "0732 ELS XRI ABORT on Node: ndlp=x%px "
- "xri=x%x\n",
- ndlp, xri);
+
if (ndlp) {
lpfc_set_rrq_active(phba, ndlp,
sglq_entry->sli4_lxritag,
diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c
index fd4317b9484c..0555b85ba9e7 100644
--- a/drivers/scsi/lpfc/lpfc_init.c
+++ b/drivers/scsi/lpfc/lpfc_init.c
@@ -3057,6 +3057,13 @@ lpfc_cleanup(struct lpfc_vport *vport)
lpfc_vmid_vport_cleanup(vport);
list_for_each_entry_safe(ndlp, next_ndlp, &vport->fc_nodes, nlp_listp) {
+ if (vport->port_type != LPFC_PHYSICAL_PORT &&
+ ndlp->nlp_DID == Fabric_DID) {
+ /* Just free up ndlp with Fabric_DID for vports */
+ lpfc_nlp_put(ndlp);
+ continue;
+ }
+
if (ndlp->nlp_DID == Fabric_Cntl_DID &&
ndlp->nlp_state == NLP_STE_UNUSED_NODE) {
lpfc_nlp_put(ndlp);

24
1187-revert-scsi-lpfc-clean-up-allocated-queues-when-queue-setup-.patch Normal file
View File

@ -0,0 +1,24 @@
Subject: [PATCH] Revert "scsi: lpfc: Clean up allocated queues when queue setup mbox commands fail"
# reverse of cs10 82a9e6041f61db2763bfbec1e19b17ff5ea1cc8b
diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
index 08d16552c4b7..4ab7edf53103 100644
--- a/drivers/scsi/lpfc/lpfc_sli.c
+++ b/drivers/scsi/lpfc/lpfc_sli.c
@@ -8813,7 +8813,7 @@ lpfc_sli4_hba_setup(struct lpfc_hba *phba)
if (unlikely(rc)) {
lpfc_printf_log(phba, KERN_ERR, LOG_TRACE_EVENT,
"0381 Error %d during queue setup.\n", rc);
- goto out_destroy_queue;
+ goto out_stop_timers;
}
/* Initialize the driver internal SLI layer lists. */
lpfc_sli4_setup(phba);
@@ -9096,6 +9096,7 @@ lpfc_sli4_hba_setup(struct lpfc_hba *phba)
lpfc_free_iocb_list(phba);
out_destroy_queue:
lpfc_sli4_queue_destroy(phba);
+out_stop_timers:
lpfc_stop_hba_timers(phba);
out_free_mbox:
mempool_free(mboxq, phba->mbox_mem_pool);

31
1188-revert-scsi-lpfc-abort-outstanding-els-wqes-regardless-of-if.patch Normal file
View File

@ -0,0 +1,31 @@
Subject: [PATCH] Revert "scsi: lpfc: Abort outstanding ELS WQEs regardless of if rmmod is in progress"
# reverse of cs10 9009d1c6b30ca0c790618ddfa962012b89a46f01
diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
index 4ab7edf53103..e1fdce8d6bfd 100644
--- a/drivers/scsi/lpfc/lpfc_sli.c
+++ b/drivers/scsi/lpfc/lpfc_sli.c
@@ -12436,11 +12436,19 @@ lpfc_sli_issue_abort_iotag(struct lpfc_hba *phba, struct lpfc_sli_ring *pring,
}
/*
- * Always abort the outstanding WQE and set the IA bit correctly
- * for the context. This is necessary for correctly removing
- * outstanding ndlp reference counts when the CQE completes with
- * the XB bit set.
+ * If we're unloading, don't abort iocb on the ELS ring, but change
+ * the callback so that nothing happens when it finishes.
*/
+ if (test_bit(FC_UNLOADING, &vport->load_flag) &&
+ pring->ringno == LPFC_ELS_RING) {
+ if (cmdiocb->cmd_flag & LPFC_IO_FABRIC)
+ cmdiocb->fabric_cmd_cmpl = lpfc_ignore_els_cmpl;
+ else
+ cmdiocb->cmd_cmpl = lpfc_ignore_els_cmpl;
+ return retval;
+ }
+
+ /* issue ABTS for this IOCB based on iotag */
abtsiocbp = __lpfc_sli_get_iocbq(phba);
if (abtsiocbp == NULL)
return IOCB_NORESOURCE;

58
1189-revert-scsi-lpfc-remove-unused-member-variables-in-struct-lp.patch Normal file
View File

@ -0,0 +1,58 @@
Subject: [PATCH] Revert "scsi: lpfc: Remove unused member variables in struct lpfc_hba and lpfc_vport"
# reverse of cs10 65bf58f972704e641faa9302b8ba54512707b9f0
diff --git a/drivers/scsi/lpfc/lpfc.h b/drivers/scsi/lpfc/lpfc.h
index 9389e3def94e..e5a9c5a323f8 100644
--- a/drivers/scsi/lpfc/lpfc.h
+++ b/drivers/scsi/lpfc/lpfc.h
@@ -662,12 +662,15 @@ struct lpfc_vport {
uint32_t num_disc_nodes; /* in addition to hba_state */
uint32_t gidft_inp; /* cnt of outstanding GID_FTs */
+ uint32_t fc_nlp_cnt; /* outstanding NODELIST requests */
uint32_t fc_rscn_id_cnt; /* count of RSCNs payloads in list */
uint32_t fc_rscn_flush; /* flag use of fc_rscn_id_list */
struct lpfc_dmabuf *fc_rscn_id_list[FC_MAX_HOLD_RSCN];
struct lpfc_name fc_nodename; /* fc nodename */
struct lpfc_name fc_portname; /* fc portname */
+ struct lpfc_work_evt disc_timeout_evt;
+
struct timer_list fc_disctmo; /* Discovery rescue timer */
uint8_t fc_ns_retry; /* retries for fabric nameserver */
uint32_t fc_prli_sent; /* cntr for outstanding PRLIs */
@@ -765,6 +768,7 @@ struct lpfc_vport {
/* There is a single nvme instance per vport. */
struct nvme_fc_local_port *localport;
uint8_t nvmei_support; /* driver supports NVME Initiator */
+ uint32_t last_fcp_wqidx;
uint32_t rcv_flogi_cnt; /* How many unsol FLOGIs ACK'd. */
};
@@ -1057,6 +1061,8 @@ struct lpfc_hba {
struct lpfc_dmabuf hbqslimp;
+ uint16_t pci_cfg_value;
+
uint8_t fc_linkspeed; /* Link speed after last READ_LA */
uint32_t fc_eventTag; /* event tag for link attention */
@@ -1083,6 +1089,7 @@ struct lpfc_hba {
struct lpfc_stats fc_stat;
+ struct lpfc_nodelist fc_fcpnodev; /* nodelist entry for no device */
uint32_t nport_event_cnt; /* timestamp for nlplist entry */
uint8_t wwnn[8];
@@ -1223,6 +1230,9 @@ struct lpfc_hba {
uint32_t hbq_count; /* Count of configured HBQs */
struct hbq_s hbqs[LPFC_MAX_HBQS]; /* local copy of hbq indicies */
+ atomic_t fcp_qidx; /* next FCP WQ (RR Policy) */
+ atomic_t nvme_qidx; /* next NVME WQ (RR Policy) */
+
phys_addr_t pci_bar0_map; /* Physical address for PCI BAR0 */
phys_addr_t pci_bar1_map; /* Physical address for PCI BAR1 */
phys_addr_t pci_bar2_map; /* Physical address for PCI BAR2 */

16
1190-revert-scsi-lpfc-use-int-type-to-store-negative-error-codes.patch Normal file
View File

@ -0,0 +1,16 @@
Subject: [PATCH] Revert "scsi: lpfc: Use int type to store negative error codes"
# reverse of cs10 1aeb9b98c42dfb8a653f27359979d2e769a0e492
diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
index e1fdce8d6bfd..585c80944832 100644
--- a/drivers/scsi/lpfc/lpfc_sli.c
+++ b/drivers/scsi/lpfc/lpfc_sli.c
@@ -21372,7 +21372,7 @@ lpfc_sli4_issue_wqe(struct lpfc_hba *phba, struct lpfc_sli4_hdw_queue *qp,
struct lpfc_sglq *sglq;
struct lpfc_sli_ring *pring;
unsigned long iflags;
- int ret = 0;
+ uint32_t ret = 0;
/* NVME_LS and NVME_LS ABTS requests. */
if (pwqe->cmd_flag & LPFC_IO_NVME_LS) {

38
1191-revert-scsi-lpfc-use-min-to-improve-code.patch Normal file
View File

@ -0,0 +1,38 @@
Subject: [PATCH] Revert "scsi: lpfc: use min() to improve code"
# reverse of cs10 e891063a53bdd334d714e6769e385508722ceef6
diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c
index 0555b85ba9e7..29503ceb8e7a 100644
--- a/drivers/scsi/lpfc/lpfc_init.c
+++ b/drivers/scsi/lpfc/lpfc_init.c
@@ -8300,7 +8300,10 @@ lpfc_sli4_driver_resource_setup(struct lpfc_hba *phba)
phba->cfg_total_seg_cnt, phba->cfg_scsi_seg_cnt,
phba->cfg_nvme_seg_cnt);
- i = min(phba->cfg_sg_dma_buf_size, SLI4_PAGE_SIZE);
+ if (phba->cfg_sg_dma_buf_size < SLI4_PAGE_SIZE)
+ i = phba->cfg_sg_dma_buf_size;
+ else
+ i = SLI4_PAGE_SIZE;
phba->lpfc_sg_dma_buf_pool =
dma_pool_create("lpfc_sg_dma_buf_pool",
diff --git a/drivers/scsi/lpfc/lpfc_nvme.c b/drivers/scsi/lpfc/lpfc_nvme.c
index 2dd148fd3ea1..1d7488b9e7b9 100644
--- a/drivers/scsi/lpfc/lpfc_nvme.c
+++ b/drivers/scsi/lpfc/lpfc_nvme.c
@@ -1234,8 +1234,12 @@ lpfc_nvme_prep_io_cmd(struct lpfc_vport *vport,
if ((phba->cfg_nvme_enable_fb) &&
test_bit(NLP_FIRSTBURST, &pnode->nlp_flag)) {
req_len = lpfc_ncmd->nvmeCmd->payload_length;
- wqe->fcp_iwrite.initial_xfer_len = min(req_len,
- pnode->nvme_fb_size);
+ if (req_len < pnode->nvme_fb_size)
+ wqe->fcp_iwrite.initial_xfer_len =
+ req_len;
+ else
+ wqe->fcp_iwrite.initial_xfer_len =
+ pnode->nvme_fb_size;
} else {
wqe->fcp_iwrite.initial_xfer_len = 0;
}

16
1192-revert-scsi-lpfc-fix-wrong-function-reference-in-a-comment.patch Normal file
View File

@ -0,0 +1,16 @@
Subject: [PATCH] Revert "scsi: lpfc: Fix wrong function reference in a comment"
# reverse of cs10 7feab3ea585404dd34641c698930e7fc6bb8043a
diff --git a/drivers/scsi/lpfc/lpfc_vport.c b/drivers/scsi/lpfc/lpfc_vport.c
index 8653839ee728..3d70cc517573 100644
--- a/drivers/scsi/lpfc/lpfc_vport.c
+++ b/drivers/scsi/lpfc/lpfc_vport.c
@@ -666,7 +666,7 @@ lpfc_vport_delete(struct fc_vport *fc_vport)
* Take early refcount for outstanding I/O requests we schedule during
* delete processing for unreg_vpi. Always keep this before
* scsi_remove_host() as we can no longer obtain a reference through
- * scsi_host_get() after scsi_remove_host as shost is set to SHOST_DEL.
+ * scsi_host_get() after scsi_host_remove as shost is set to SHOST_DEL.
*/
if (!scsi_host_get(shost))
return VPORT_INVAL;

203
1193-revert-lpfc-don-t-use-file-f-path-dentry-for-comparisons.patch Normal file
View File

@ -0,0 +1,203 @@
Subject: [PATCH] Revert "lpfc: don't use file->f_path.dentry for comparisons"
# reverse of cs10 ba0a8d52eb98a4f44818f9abf664eeeeb8558255
diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c
index 2db8d9529b8f..2c7d876c64c7 100644
--- a/drivers/scsi/lpfc/lpfc_debugfs.c
+++ b/drivers/scsi/lpfc/lpfc_debugfs.c
@@ -2375,32 +2375,32 @@ static ssize_t
lpfc_debugfs_dif_err_read(struct file *file, char __user *buf,
size_t nbytes, loff_t *ppos)
{
+ struct dentry *dent = file->f_path.dentry;
struct lpfc_hba *phba = file->private_data;
- int kind = debugfs_get_aux_num(file);
char cbuf[32];
uint64_t tmp = 0;
int cnt = 0;
- if (kind == writeGuard)
+ if (dent == phba->debug_writeGuard)
cnt = scnprintf(cbuf, 32, "%u\n", phba->lpfc_injerr_wgrd_cnt);
- else if (kind == writeApp)
+ else if (dent == phba->debug_writeApp)
cnt = scnprintf(cbuf, 32, "%u\n", phba->lpfc_injerr_wapp_cnt);
- else if (kind == writeRef)
+ else if (dent == phba->debug_writeRef)
cnt = scnprintf(cbuf, 32, "%u\n", phba->lpfc_injerr_wref_cnt);
- else if (kind == readGuard)
+ else if (dent == phba->debug_readGuard)
cnt = scnprintf(cbuf, 32, "%u\n", phba->lpfc_injerr_rgrd_cnt);
- else if (kind == readApp)
+ else if (dent == phba->debug_readApp)
cnt = scnprintf(cbuf, 32, "%u\n", phba->lpfc_injerr_rapp_cnt);
- else if (kind == readRef)
+ else if (dent == phba->debug_readRef)
cnt = scnprintf(cbuf, 32, "%u\n", phba->lpfc_injerr_rref_cnt);
- else if (kind == InjErrNPortID)
+ else if (dent == phba->debug_InjErrNPortID)
cnt = scnprintf(cbuf, 32, "0x%06x\n",
phba->lpfc_injerr_nportid);
- else if (kind == InjErrWWPN) {
+ else if (dent == phba->debug_InjErrWWPN) {
memcpy(&tmp, &phba->lpfc_injerr_wwpn, sizeof(struct lpfc_name));
tmp = cpu_to_be64(tmp);
cnt = scnprintf(cbuf, 32, "0x%016llx\n", tmp);
- } else if (kind == InjErrLBA) {
+ } else if (dent == phba->debug_InjErrLBA) {
if (phba->lpfc_injerr_lba == (sector_t)(-1))
cnt = scnprintf(cbuf, 32, "off\n");
else
@@ -2417,8 +2417,8 @@ static ssize_t
lpfc_debugfs_dif_err_write(struct file *file, const char __user *buf,
size_t nbytes, loff_t *ppos)
{
+ struct dentry *dent = file->f_path.dentry;
struct lpfc_hba *phba = file->private_data;
- int kind = debugfs_get_aux_num(file);
char dstbuf[33];
uint64_t tmp = 0;
int size;
@@ -2428,7 +2428,7 @@ lpfc_debugfs_dif_err_write(struct file *file, const char __user *buf,
if (copy_from_user(dstbuf, buf, size))
return -EFAULT;
- if (kind == InjErrLBA) {
+ if (dent == phba->debug_InjErrLBA) {
if ((dstbuf[0] == 'o') && (dstbuf[1] == 'f') &&
(dstbuf[2] == 'f'))
tmp = (uint64_t)(-1);
@@ -2437,23 +2437,23 @@ lpfc_debugfs_dif_err_write(struct file *file, const char __user *buf,
if ((tmp == 0) && (kstrtoull(dstbuf, 0, &tmp)))
return -EINVAL;
- if (kind == writeGuard)
+ if (dent == phba->debug_writeGuard)
phba->lpfc_injerr_wgrd_cnt = (uint32_t)tmp;
- else if (kind == writeApp)
+ else if (dent == phba->debug_writeApp)
phba->lpfc_injerr_wapp_cnt = (uint32_t)tmp;
- else if (kind == writeRef)
+ else if (dent == phba->debug_writeRef)
phba->lpfc_injerr_wref_cnt = (uint32_t)tmp;
- else if (kind == readGuard)
+ else if (dent == phba->debug_readGuard)
phba->lpfc_injerr_rgrd_cnt = (uint32_t)tmp;
- else if (kind == readApp)
+ else if (dent == phba->debug_readApp)
phba->lpfc_injerr_rapp_cnt = (uint32_t)tmp;
- else if (kind == readRef)
+ else if (dent == phba->debug_readRef)
phba->lpfc_injerr_rref_cnt = (uint32_t)tmp;
- else if (kind == InjErrLBA)
+ else if (dent == phba->debug_InjErrLBA)
phba->lpfc_injerr_lba = (sector_t)tmp;
- else if (kind == InjErrNPortID)
+ else if (dent == phba->debug_InjErrNPortID)
phba->lpfc_injerr_nportid = (uint32_t)(tmp & Mask_DID);
- else if (kind == InjErrWWPN) {
+ else if (dent == phba->debug_InjErrWWPN) {
tmp = cpu_to_be64(tmp);
memcpy(&phba->lpfc_injerr_wwpn, &tmp, sizeof(struct lpfc_name));
} else
@@ -6160,51 +6160,60 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport)
phba->debug_dumpHostSlim = NULL;
/* Setup DIF Error Injections */
+ snprintf(name, sizeof(name), "InjErrLBA");
phba->debug_InjErrLBA =
- debugfs_create_file_aux_num("InjErrLBA", 0644,
+ debugfs_create_file(name, S_IFREG|S_IRUGO|S_IWUSR,
phba->hba_debugfs_root,
- phba, InjErrLBA, &lpfc_debugfs_op_dif_err);
+ phba, &lpfc_debugfs_op_dif_err);
phba->lpfc_injerr_lba = LPFC_INJERR_LBA_OFF;
+ snprintf(name, sizeof(name), "InjErrNPortID");
phba->debug_InjErrNPortID =
- debugfs_create_file_aux_num("InjErrNPortID", 0644,
+ debugfs_create_file(name, S_IFREG|S_IRUGO|S_IWUSR,
phba->hba_debugfs_root,
- phba, InjErrNPortID, &lpfc_debugfs_op_dif_err);
+ phba, &lpfc_debugfs_op_dif_err);
+ snprintf(name, sizeof(name), "InjErrWWPN");
phba->debug_InjErrWWPN =
- debugfs_create_file_aux_num("InjErrWWPN", 0644,
+ debugfs_create_file(name, S_IFREG|S_IRUGO|S_IWUSR,
phba->hba_debugfs_root,
- phba, InjErrWWPN, &lpfc_debugfs_op_dif_err);
+ phba, &lpfc_debugfs_op_dif_err);
+ snprintf(name, sizeof(name), "writeGuardInjErr");
phba->debug_writeGuard =
- debugfs_create_file_aux_num("writeGuardInjErr", 0644,
+ debugfs_create_file(name, S_IFREG|S_IRUGO|S_IWUSR,
phba->hba_debugfs_root,
- phba, writeGuard, &lpfc_debugfs_op_dif_err);
+ phba, &lpfc_debugfs_op_dif_err);
+ snprintf(name, sizeof(name), "writeAppInjErr");
phba->debug_writeApp =
- debugfs_create_file_aux_num("writeAppInjErr", 0644,
+ debugfs_create_file(name, S_IFREG|S_IRUGO|S_IWUSR,
phba->hba_debugfs_root,
- phba, writeApp, &lpfc_debugfs_op_dif_err);
+ phba, &lpfc_debugfs_op_dif_err);
+ snprintf(name, sizeof(name), "writeRefInjErr");
phba->debug_writeRef =
- debugfs_create_file_aux_num("writeRefInjErr", 0644,
+ debugfs_create_file(name, S_IFREG|S_IRUGO|S_IWUSR,
phba->hba_debugfs_root,
- phba, writeRef, &lpfc_debugfs_op_dif_err);
+ phba, &lpfc_debugfs_op_dif_err);
+ snprintf(name, sizeof(name), "readGuardInjErr");
phba->debug_readGuard =
- debugfs_create_file_aux_num("readGuardInjErr", 0644,
+ debugfs_create_file(name, S_IFREG|S_IRUGO|S_IWUSR,
phba->hba_debugfs_root,
- phba, readGuard, &lpfc_debugfs_op_dif_err);
+ phba, &lpfc_debugfs_op_dif_err);
+ snprintf(name, sizeof(name), "readAppInjErr");
phba->debug_readApp =
- debugfs_create_file_aux_num("readAppInjErr", 0644,
+ debugfs_create_file(name, S_IFREG|S_IRUGO|S_IWUSR,
phba->hba_debugfs_root,
- phba, readApp, &lpfc_debugfs_op_dif_err);
+ phba, &lpfc_debugfs_op_dif_err);
+ snprintf(name, sizeof(name), "readRefInjErr");
phba->debug_readRef =
- debugfs_create_file_aux_num("readRefInjErr", 0644,
+ debugfs_create_file(name, S_IFREG|S_IRUGO|S_IWUSR,
phba->hba_debugfs_root,
- phba, readRef, &lpfc_debugfs_op_dif_err);
+ phba, &lpfc_debugfs_op_dif_err);
/* Setup slow ring trace */
if (lpfc_debugfs_max_slow_ring_trc) {
diff --git a/drivers/scsi/lpfc/lpfc_debugfs.h b/drivers/scsi/lpfc/lpfc_debugfs.h
index f319f3af0400..8d2e8d05bbc0 100644
--- a/drivers/scsi/lpfc/lpfc_debugfs.h
+++ b/drivers/scsi/lpfc/lpfc_debugfs.h
@@ -322,17 +322,6 @@ enum {
* discovery */
#endif /* H_LPFC_DEBUG_FS */
-enum {
- writeGuard = 1,
- writeApp,
- writeRef,
- readGuard,
- readApp,
- readRef,
- InjErrLBA,
- InjErrNPortID,
- InjErrWWPN,
-};
/*
* Driver debug utility routines outside of debugfs. The debug utility

68
1194-revert-scsi-lpfc-copyright-updates-for-14-4-0-10-patches.patch Normal file
View File

@ -0,0 +1,68 @@
Subject: [PATCH] Revert "scsi: lpfc: Copyright updates for 14.4.0.10 patches"
# reverse of cs10 b681f59c801919396f35f2e33060d37b0732f1d1
diff --git a/drivers/scsi/lpfc/lpfc_ct.c b/drivers/scsi/lpfc/lpfc_ct.c
index cc8af576f57c..daba94529b45 100644
--- a/drivers/scsi/lpfc/lpfc_ct.c
+++ b/drivers/scsi/lpfc/lpfc_ct.c
@@ -1,7 +1,7 @@
/*******************************************************************
* This file is part of the Emulex Linux Device Driver for *
* Fibre Channel Host Bus Adapters. *
- * Copyright (C) 2017-2025 Broadcom. All Rights Reserved. The term *
+ * Copyright (C) 2017-2024 Broadcom. All Rights Reserved. The term *
* “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. *
* Copyright (C) 2004-2016 Emulex. All rights reserved. *
* EMULEX and SLI are trademarks of Emulex. *
diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c
index 2c7d876c64c7..061a5e4e525d 100644
--- a/drivers/scsi/lpfc/lpfc_debugfs.c
+++ b/drivers/scsi/lpfc/lpfc_debugfs.c
@@ -1,7 +1,7 @@
/*******************************************************************
* This file is part of the Emulex Linux Device Driver for *
* Fibre Channel Host Bus Adapters. *
- * Copyright (C) 2017-2025 Broadcom. All Rights Reserved. The term *
+ * Copyright (C) 2017-2024 Broadcom. All Rights Reserved. The term *
* “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. *
* Copyright (C) 2007-2015 Emulex. All rights reserved. *
* EMULEX and SLI are trademarks of Emulex. *
diff --git a/drivers/scsi/lpfc/lpfc_hw4.h b/drivers/scsi/lpfc/lpfc_hw4.h
index bc709786e6af..dd9f170fbdc8 100644
--- a/drivers/scsi/lpfc/lpfc_hw4.h
+++ b/drivers/scsi/lpfc/lpfc_hw4.h
@@ -1,7 +1,7 @@
/*******************************************************************
* This file is part of the Emulex Linux Device Driver for *
* Fibre Channel Host Bus Adapters. *
- * Copyright (C) 2017-2025 Broadcom. All Rights Reserved. The term *
+ * Copyright (C) 2017-2024 Broadcom. All Rights Reserved. The term *
* “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. *
* Copyright (C) 2009-2016 Emulex. All rights reserved. *
* EMULEX and SLI are trademarks of Emulex. *
diff --git a/drivers/scsi/lpfc/lpfc_scsi.c b/drivers/scsi/lpfc/lpfc_scsi.c
index a9c8c6c021b9..71188060dc08 100644
--- a/drivers/scsi/lpfc/lpfc_scsi.c
+++ b/drivers/scsi/lpfc/lpfc_scsi.c
@@ -1,7 +1,7 @@
/*******************************************************************
* This file is part of the Emulex Linux Device Driver for *
* Fibre Channel Host Bus Adapters. *
- * Copyright (C) 2017-2025 Broadcom. All Rights Reserved. The term *
+ * Copyright (C) 2017-2024 Broadcom. All Rights Reserved. The term *
* “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. *
* Copyright (C) 2004-2016 Emulex. All rights reserved. *
* EMULEX and SLI are trademarks of Emulex. *
diff --git a/drivers/scsi/lpfc/lpfc_sli4.h b/drivers/scsi/lpfc/lpfc_sli4.h
index fd6dab157887..e42b44fcc7f6 100644
--- a/drivers/scsi/lpfc/lpfc_sli4.h
+++ b/drivers/scsi/lpfc/lpfc_sli4.h
@@ -1,7 +1,7 @@
/*******************************************************************
* This file is part of the Emulex Linux Device Driver for *
* Fibre Channel Host Bus Adapters. *
- * Copyright (C) 2017-2025 Broadcom. All Rights Reserved. The term *
+ * Copyright (C) 2017-2024 Broadcom. All Rights Reserved. The term *
* “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. *
* Copyright (C) 2009-2016 Emulex. All rights reserved. *
* EMULEX and SLI are trademarks of Emulex. *

16
1195-revert-scsi-lpfc-update-lpfc-version-to-14-4-0-10.patch Normal file
View File

@ -0,0 +1,16 @@
Subject: [PATCH] Revert "scsi: lpfc: Update lpfc version to 14.4.0.10"
# reverse of cs10 25abc74ff90b76294454ae9d19b06b1cbc489a4b
diff --git a/drivers/scsi/lpfc/lpfc_version.h b/drivers/scsi/lpfc/lpfc_version.h
index 9ee3a3a4ec4d..749688aa8a82 100644
--- a/drivers/scsi/lpfc/lpfc_version.h
+++ b/drivers/scsi/lpfc/lpfc_version.h
@@ -20,7 +20,7 @@
* included with this package. *
*******************************************************************/
-#define LPFC_DRIVER_VERSION "14.4.0.10"
+#define LPFC_DRIVER_VERSION "14.4.0.9"
#define LPFC_DRIVER_NAME "lpfc"
/* Used for SLI 2/3 */

138
1196-revert-scsi-lpfc-modify-end-of-life-adapters-model-descripti.patch Normal file
View File

@ -0,0 +1,138 @@
Subject: [PATCH] Revert "scsi: lpfc: Modify end-of-life adapters' model descriptions"
# reverse of cs10 5e442a469bde8240d35a7242dd888dc9dab5b9a7
diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c
index 29503ceb8e7a..0876fcf07b5a 100644
--- a/drivers/scsi/lpfc/lpfc_init.c
+++ b/drivers/scsi/lpfc/lpfc_init.c
@@ -2627,33 +2627,27 @@ lpfc_get_hba_model_desc(struct lpfc_hba *phba, uint8_t *mdp, uint8_t *descp)
"Obsolete, Unsupported Fibre Channel Adapter"};
break;
case PCI_DEVICE_ID_BMID:
- m = (typeof(m)){"LP1150", "PCI-X2",
- "Obsolete, Unsupported Fibre Channel Adapter"};
+ m = (typeof(m)){"LP1150", "PCI-X2", "Fibre Channel Adapter"};
break;
case PCI_DEVICE_ID_BSMB:
m = (typeof(m)){"LP111", "PCI-X2",
"Obsolete, Unsupported Fibre Channel Adapter"};
break;
case PCI_DEVICE_ID_ZEPHYR:
- m = (typeof(m)){"LPe11000", "PCIe",
- "Obsolete, Unsupported Fibre Channel Adapter"};
+ m = (typeof(m)){"LPe11000", "PCIe", "Fibre Channel Adapter"};
break;
case PCI_DEVICE_ID_ZEPHYR_SCSP:
- m = (typeof(m)){"LPe11000", "PCIe",
- "Obsolete, Unsupported Fibre Channel Adapter"};
+ m = (typeof(m)){"LPe11000", "PCIe", "Fibre Channel Adapter"};
break;
case PCI_DEVICE_ID_ZEPHYR_DCSP:
- m = (typeof(m)){"LP2105", "PCIe",
- "Obsolete, Unsupported FCoE Adapter"};
+ m = (typeof(m)){"LP2105", "PCIe", "FCoE Adapter"};
GE = 1;
break;
case PCI_DEVICE_ID_ZMID:
- m = (typeof(m)){"LPe1150", "PCIe",
- "Obsolete, Unsupported Fibre Channel Adapter"};
+ m = (typeof(m)){"LPe1150", "PCIe", "Fibre Channel Adapter"};
break;
case PCI_DEVICE_ID_ZSMB:
- m = (typeof(m)){"LPe111", "PCIe",
- "Obsolete, Unsupported Fibre Channel Adapter"};
+ m = (typeof(m)){"LPe111", "PCIe", "Fibre Channel Adapter"};
break;
case PCI_DEVICE_ID_LP101:
m = (typeof(m)){"LP101", "PCI-X",
@@ -2672,28 +2666,22 @@ lpfc_get_hba_model_desc(struct lpfc_hba *phba, uint8_t *mdp, uint8_t *descp)
"Obsolete, Unsupported Fibre Channel Adapter"};
break;
case PCI_DEVICE_ID_SAT:
- m = (typeof(m)){"LPe12000", "PCIe",
- "Obsolete, Unsupported Fibre Channel Adapter"};
+ m = (typeof(m)){"LPe12000", "PCIe", "Fibre Channel Adapter"};
break;
case PCI_DEVICE_ID_SAT_MID:
- m = (typeof(m)){"LPe1250", "PCIe",
- "Obsolete, Unsupported Fibre Channel Adapter"};
+ m = (typeof(m)){"LPe1250", "PCIe", "Fibre Channel Adapter"};
break;
case PCI_DEVICE_ID_SAT_SMB:
- m = (typeof(m)){"LPe121", "PCIe",
- "Obsolete, Unsupported Fibre Channel Adapter"};
+ m = (typeof(m)){"LPe121", "PCIe", "Fibre Channel Adapter"};
break;
case PCI_DEVICE_ID_SAT_DCSP:
- m = (typeof(m)){"LPe12002-SP", "PCIe",
- "Obsolete, Unsupported Fibre Channel Adapter"};
+ m = (typeof(m)){"LPe12002-SP", "PCIe", "Fibre Channel Adapter"};
break;
case PCI_DEVICE_ID_SAT_SCSP:
- m = (typeof(m)){"LPe12000-SP", "PCIe",
- "Obsolete, Unsupported Fibre Channel Adapter"};
+ m = (typeof(m)){"LPe12000-SP", "PCIe", "Fibre Channel Adapter"};
break;
case PCI_DEVICE_ID_SAT_S:
- m = (typeof(m)){"LPe12000-S", "PCIe",
- "Obsolete, Unsupported Fibre Channel Adapter"};
+ m = (typeof(m)){"LPe12000-S", "PCIe", "Fibre Channel Adapter"};
break;
case PCI_DEVICE_ID_PROTEUS_VF:
m = (typeof(m)){"LPev12000", "PCIe IOV",
@@ -2709,25 +2697,22 @@ lpfc_get_hba_model_desc(struct lpfc_hba *phba, uint8_t *mdp, uint8_t *descp)
break;
case PCI_DEVICE_ID_TIGERSHARK:
oneConnect = 1;
- m = (typeof(m)){"OCe10100", "PCIe",
- "Obsolete, Unsupported FCoE Adapter"};
+ m = (typeof(m)){"OCe10100", "PCIe", "FCoE"};
break;
case PCI_DEVICE_ID_TOMCAT:
oneConnect = 1;
- m = (typeof(m)){"OCe11100", "PCIe",
- "Obsolete, Unsupported FCoE Adapter"};
+ m = (typeof(m)){"OCe11100", "PCIe", "FCoE"};
break;
case PCI_DEVICE_ID_FALCON:
m = (typeof(m)){"LPSe12002-ML1-E", "PCIe",
- "Obsolete, Unsupported Fibre Channel Adapter"};
+ "EmulexSecure Fibre"};
break;
case PCI_DEVICE_ID_BALIUS:
m = (typeof(m)){"LPVe12002", "PCIe Shared I/O",
"Obsolete, Unsupported Fibre Channel Adapter"};
break;
case PCI_DEVICE_ID_LANCER_FC:
- m = (typeof(m)){"LPe16000", "PCIe",
- "Obsolete, Unsupported Fibre Channel Adapter"};
+ m = (typeof(m)){"LPe16000", "PCIe", "Fibre Channel Adapter"};
break;
case PCI_DEVICE_ID_LANCER_FC_VF:
m = (typeof(m)){"LPe16000", "PCIe",
@@ -2735,13 +2720,12 @@ lpfc_get_hba_model_desc(struct lpfc_hba *phba, uint8_t *mdp, uint8_t *descp)
break;
case PCI_DEVICE_ID_LANCER_FCOE:
oneConnect = 1;
- m = (typeof(m)){"OCe15100", "PCIe",
- "Obsolete, Unsupported FCoE Adapter"};
+ m = (typeof(m)){"OCe15100", "PCIe", "FCoE"};
break;
case PCI_DEVICE_ID_LANCER_FCOE_VF:
oneConnect = 1;
m = (typeof(m)){"OCe15100", "PCIe",
- "Obsolete, Unsupported FCoE Adapter"};
+ "Obsolete, Unsupported FCoE"};
break;
case PCI_DEVICE_ID_LANCER_G6_FC:
m = (typeof(m)){"LPe32000", "PCIe", "Fibre Channel Adapter"};
@@ -2755,8 +2739,7 @@ lpfc_get_hba_model_desc(struct lpfc_hba *phba, uint8_t *mdp, uint8_t *descp)
case PCI_DEVICE_ID_SKYHAWK:
case PCI_DEVICE_ID_SKYHAWK_VF:
oneConnect = 1;
- m = (typeof(m)){"OCe14000", "PCIe",
- "Obsolete, Unsupported FCoE Adapter"};
+ m = (typeof(m)){"OCe14000", "PCIe", "FCoE"};
break;
default:
m = (typeof(m)){"Unknown", "", ""};

102
1197-revert-scsi-lpfc-revise-cq-create-set-mailbox-bitfield-defin.patch Normal file
View File

@ -0,0 +1,102 @@
Subject: [PATCH] Revert "scsi: lpfc: Revise CQ_CREATE_SET mailbox bitfield definitions"
# reverse of cs10 ee3715dad64c5b70516cac33ed1c31e66dfb1ebd
diff --git a/drivers/scsi/lpfc/lpfc_hw4.h b/drivers/scsi/lpfc/lpfc_hw4.h
index dd9f170fbdc8..2dedb273b091 100644
--- a/drivers/scsi/lpfc/lpfc_hw4.h
+++ b/drivers/scsi/lpfc/lpfc_hw4.h
@@ -1328,9 +1328,6 @@ struct cq_context {
#define LPFC_CQ_CNT_512 0x1
#define LPFC_CQ_CNT_1024 0x2
#define LPFC_CQ_CNT_WORD7 0x3
-#define lpfc_cq_context_cqe_sz_SHIFT 25
-#define lpfc_cq_context_cqe_sz_MASK 0x00000003
-#define lpfc_cq_context_cqe_sz_WORD word0
#define lpfc_cq_context_autovalid_SHIFT 15
#define lpfc_cq_context_autovalid_MASK 0x00000001
#define lpfc_cq_context_autovalid_WORD word0
@@ -1386,9 +1383,9 @@ struct lpfc_mbx_cq_create_set {
#define lpfc_mbx_cq_create_set_valid_SHIFT 29
#define lpfc_mbx_cq_create_set_valid_MASK 0x00000001
#define lpfc_mbx_cq_create_set_valid_WORD word1
-#define lpfc_mbx_cq_create_set_cqecnt_SHIFT 27
-#define lpfc_mbx_cq_create_set_cqecnt_MASK 0x00000003
-#define lpfc_mbx_cq_create_set_cqecnt_WORD word1
+#define lpfc_mbx_cq_create_set_cqe_cnt_SHIFT 27
+#define lpfc_mbx_cq_create_set_cqe_cnt_MASK 0x00000003
+#define lpfc_mbx_cq_create_set_cqe_cnt_WORD word1
#define lpfc_mbx_cq_create_set_cqe_size_SHIFT 25
#define lpfc_mbx_cq_create_set_cqe_size_MASK 0x00000003
#define lpfc_mbx_cq_create_set_cqe_size_WORD word1
@@ -1401,16 +1398,13 @@ struct lpfc_mbx_cq_create_set {
#define lpfc_mbx_cq_create_set_clswm_SHIFT 12
#define lpfc_mbx_cq_create_set_clswm_MASK 0x00000003
#define lpfc_mbx_cq_create_set_clswm_WORD word1
-#define lpfc_mbx_cq_create_set_cqe_cnt_hi_SHIFT 0
-#define lpfc_mbx_cq_create_set_cqe_cnt_hi_MASK 0x0000001F
-#define lpfc_mbx_cq_create_set_cqe_cnt_hi_WORD word1
uint32_t word2;
#define lpfc_mbx_cq_create_set_arm_SHIFT 31
#define lpfc_mbx_cq_create_set_arm_MASK 0x00000001
#define lpfc_mbx_cq_create_set_arm_WORD word2
-#define lpfc_mbx_cq_create_set_cqe_cnt_lo_SHIFT 16
-#define lpfc_mbx_cq_create_set_cqe_cnt_lo_MASK 0x00007FFF
-#define lpfc_mbx_cq_create_set_cqe_cnt_lo_WORD word2
+#define lpfc_mbx_cq_create_set_cq_cnt_SHIFT 16
+#define lpfc_mbx_cq_create_set_cq_cnt_MASK 0x00007FFF
+#define lpfc_mbx_cq_create_set_cq_cnt_WORD word2
#define lpfc_mbx_cq_create_set_num_cq_SHIFT 0
#define lpfc_mbx_cq_create_set_num_cq_MASK 0x0000FFFF
#define lpfc_mbx_cq_create_set_num_cq_WORD word2
diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
index 585c80944832..a96e6489594c 100644
--- a/drivers/scsi/lpfc/lpfc_sli.c
+++ b/drivers/scsi/lpfc/lpfc_sli.c
@@ -16476,10 +16476,10 @@ lpfc_cq_create_set(struct lpfc_hba *phba, struct lpfc_queue **cqp,
case 4096:
if (phba->sli4_hba.pc_sli4_params.cqv ==
LPFC_Q_CREATE_VERSION_2) {
- bf_set(lpfc_mbx_cq_create_set_cqe_cnt_lo,
+ bf_set(lpfc_mbx_cq_create_set_cqe_cnt,
&cq_set->u.request,
- cq->entry_count);
- bf_set(lpfc_mbx_cq_create_set_cqecnt,
+ cq->entry_count);
+ bf_set(lpfc_mbx_cq_create_set_cqe_cnt,
&cq_set->u.request,
LPFC_CQ_CNT_WORD7);
break;
@@ -16495,15 +16495,15 @@ lpfc_cq_create_set(struct lpfc_hba *phba, struct lpfc_queue **cqp,
}
fallthrough; /* otherwise default to smallest */
case 256:
- bf_set(lpfc_mbx_cq_create_set_cqecnt,
+ bf_set(lpfc_mbx_cq_create_set_cqe_cnt,
&cq_set->u.request, LPFC_CQ_CNT_256);
break;
case 512:
- bf_set(lpfc_mbx_cq_create_set_cqecnt,
+ bf_set(lpfc_mbx_cq_create_set_cqe_cnt,
&cq_set->u.request, LPFC_CQ_CNT_512);
break;
case 1024:
- bf_set(lpfc_mbx_cq_create_set_cqecnt,
+ bf_set(lpfc_mbx_cq_create_set_cqe_cnt,
&cq_set->u.request, LPFC_CQ_CNT_1024);
break;
}
diff --git a/drivers/scsi/lpfc/lpfc_sli4.h b/drivers/scsi/lpfc/lpfc_sli4.h
index e42b44fcc7f6..9be3da91c923 100644
--- a/drivers/scsi/lpfc/lpfc_sli4.h
+++ b/drivers/scsi/lpfc/lpfc_sli4.h
@@ -575,10 +575,8 @@ struct lpfc_pc_sli4_params {
#define LPFC_CQ_4K_PAGE_SZ 0x1
#define LPFC_CQ_16K_PAGE_SZ 0x4
-#define LPFC_CQ_32K_PAGE_SZ 0x8
#define LPFC_WQ_4K_PAGE_SZ 0x1
#define LPFC_WQ_16K_PAGE_SZ 0x4
-#define LPFC_WQ_32K_PAGE_SZ 0x8
struct lpfc_iov {
uint32_t pf_number;

37
1198-revert-scsi-lpfc-move-clearing-of-hba-setup-flag-to-before-l.patch Normal file
View File

@ -0,0 +1,37 @@
Subject: [PATCH] Revert "scsi: lpfc: Move clearing of HBA_SETUP flag to before lpfc_sli4_queue_unset"
# reverse of cs10 034b060b9f17847aeb3475fb2c579a6c87d87667
diff --git a/drivers/scsi/lpfc/lpfc_scsi.c b/drivers/scsi/lpfc/lpfc_scsi.c
index 71188060dc08..0afc5fe013bc 100644
--- a/drivers/scsi/lpfc/lpfc_scsi.c
+++ b/drivers/scsi/lpfc/lpfc_scsi.c
@@ -536,8 +536,7 @@ lpfc_sli4_io_xri_aborted(struct lpfc_hba *phba,
psb = container_of(iocbq, struct lpfc_io_buf, cur_iocbq);
psb->flags &= ~LPFC_SBUF_XBUSY;
spin_unlock_irqrestore(&phba->hbalock, iflag);
- if (test_bit(HBA_SETUP, &phba->hba_flag) &&
- !list_empty(&pring->txq))
+ if (!list_empty(&pring->txq))
lpfc_worker_wake_up(phba);
return;
}
diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
index a96e6489594c..b9a5d377f336 100644
--- a/drivers/scsi/lpfc/lpfc_sli.c
+++ b/drivers/scsi/lpfc/lpfc_sli.c
@@ -5160,6 +5160,7 @@ lpfc_sli4_brdreset(struct lpfc_hba *phba)
phba->link_events = 0;
phba->pport->fc_myDID = 0;
phba->pport->fc_prevDID = 0;
+ clear_bit(HBA_SETUP, &phba->hba_flag);
spin_lock_irq(&phba->hbalock);
psli->sli_flag &= ~(LPFC_PROCESS_LA);
@@ -5276,7 +5277,6 @@ lpfc_sli_brdrestart_s4(struct lpfc_hba *phba)
"0296 Restart HBA Data: x%x x%x\n",
phba->pport->port_state, psli->sli_flag);
- clear_bit(HBA_SETUP, &phba->hba_flag);
lpfc_sli4_queue_unset(phba);
rc = lpfc_sli4_brdreset(phba);

17
1199-revert-scsi-lpfc-ensure-hba-setup-flag-is-used-only-for-sli4.patch Normal file
View File

@ -0,0 +1,17 @@
Subject: [PATCH] Revert "scsi: lpfc: Ensure HBA_SETUP flag is used only for SLI4 in dev_loss_tmo_callbk"
# reverse of cs10 68ce87a35f24f9dbfee4c60bc0bcdb3f88734db5
diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c
index 1510ed28f5a4..d8a0915d1df0 100644
--- a/drivers/scsi/lpfc/lpfc_hbadisc.c
+++ b/drivers/scsi/lpfc/lpfc_hbadisc.c
@@ -183,8 +183,7 @@ lpfc_dev_loss_tmo_callbk(struct fc_rport *rport)
/* Don't schedule a worker thread event if the vport is going down. */
if (test_bit(FC_UNLOADING, &vport->load_flag) ||
- (phba->sli_rev == LPFC_SLI_REV4 &&
- !test_bit(HBA_SETUP, &phba->hba_flag))) {
+ !test_bit(HBA_SETUP, &phba->hba_flag)) {
spin_lock_irqsave(&ndlp->lock, iflags);
ndlp->rport = NULL;

45
1200-revert-scsi-lpfc-relocate-clearing-initial-phba-flags-from-l.patch Normal file
View File

@ -0,0 +1,45 @@
Subject: [PATCH] Revert "scsi: lpfc: Relocate clearing initial phba flags from link up to link down hdlr"
# reverse of cs10 f13e1a401181a22b42c52a1c5ef3271a239606e6
diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
index 71e76e681621..3cbacc923fbd 100644
--- a/drivers/scsi/lpfc/lpfc_els.c
+++ b/drivers/scsi/lpfc/lpfc_els.c
@@ -8376,9 +8376,9 @@ lpfc_els_rcv_flogi(struct lpfc_vport *vport, struct lpfc_iocbq *cmdiocb,
clear_bit(FC_PUBLIC_LOOP, &vport->fc_flag);
lpfc_printf_vlog(vport, KERN_INFO, LOG_ELS,
"3311 Rcv Flogi PS x%x new PS x%x "
- "fc_flag x%lx new fc_flag x%lx, hba_flag x%lx\n",
+ "fc_flag x%lx new fc_flag x%lx\n",
port_state, vport->port_state,
- fc_flag, vport->fc_flag, phba->hba_flag);
+ fc_flag, vport->fc_flag);
/*
* We temporarily set fc_myDID to make it look like we are
diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c
index d8a0915d1df0..aff0740a5510 100644
--- a/drivers/scsi/lpfc/lpfc_hbadisc.c
+++ b/drivers/scsi/lpfc/lpfc_hbadisc.c
@@ -1266,10 +1266,6 @@ lpfc_linkdown(struct lpfc_hba *phba)
}
phba->defer_flogi_acc.flag = false;
- /* reinitialize initial HBA flag */
- clear_bit(HBA_FLOGI_ISSUED, &phba->hba_flag);
- clear_bit(HBA_RHBA_CMPL, &phba->hba_flag);
-
/* Clear external loopback plug detected flag */
phba->link_flag &= ~LS_EXTERNAL_LOOPBACK;
@@ -1440,6 +1436,10 @@ lpfc_linkup(struct lpfc_hba *phba)
phba->pport->rcv_flogi_cnt = 0;
spin_unlock_irq(shost->host_lock);
+ /* reinitialize initial HBA flag */
+ clear_bit(HBA_FLOGI_ISSUED, &phba->hba_flag);
+ clear_bit(HBA_RHBA_CMPL, &phba->hba_flag);
+
return 0;
}

50
1201-revert-scsi-lpfc-simplify-error-handling-for-failed-lpfc-get.patch Normal file
View File

@ -0,0 +1,50 @@
Subject: [PATCH] Revert "scsi: lpfc: Simplify error handling for failed lpfc_get_sli4_parameters cmd"
# reverse of cs10 9cf927d02bc932338017864503fc177d8a0a4f2b
diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c
index 0876fcf07b5a..5b848288f522 100644
--- a/drivers/scsi/lpfc/lpfc_init.c
+++ b/drivers/scsi/lpfc/lpfc_init.c
@@ -7918,6 +7918,8 @@ lpfc_sli4_driver_resource_setup(struct lpfc_hba *phba)
int longs;
int extra;
uint64_t wwn;
+ u32 if_type;
+ u32 if_fam;
phba->sli4_hba.num_present_cpu = lpfc_present_cpu;
phba->sli4_hba.num_possible_cpu = cpumask_last(cpu_possible_mask) + 1;
@@ -8178,11 +8180,28 @@ lpfc_sli4_driver_resource_setup(struct lpfc_hba *phba)
*/
rc = lpfc_get_sli4_parameters(phba, mboxq);
if (rc) {
- lpfc_log_msg(phba, KERN_WARNING, LOG_INIT,
- "2999 Could not get SLI4 parameters\n");
- rc = -EIO;
- mempool_free(mboxq, phba->mbox_mem_pool);
- goto out_free_bsmbx;
+ if_type = bf_get(lpfc_sli_intf_if_type,
+ &phba->sli4_hba.sli_intf);
+ if_fam = bf_get(lpfc_sli_intf_sli_family,
+ &phba->sli4_hba.sli_intf);
+ if (phba->sli4_hba.extents_in_use &&
+ phba->sli4_hba.rpi_hdrs_in_use) {
+ lpfc_printf_log(phba, KERN_ERR, LOG_TRACE_EVENT,
+ "2999 Unsupported SLI4 Parameters "
+ "Extents and RPI headers enabled.\n");
+ if (if_type == LPFC_SLI_INTF_IF_TYPE_0 &&
+ if_fam == LPFC_SLI_INTF_FAMILY_BE2) {
+ mempool_free(mboxq, phba->mbox_mem_pool);
+ rc = -EIO;
+ goto out_free_bsmbx;
+ }
+ }
+ if (!(if_type == LPFC_SLI_INTF_IF_TYPE_0 &&
+ if_fam == LPFC_SLI_INTF_FAMILY_BE2)) {
+ mempool_free(mboxq, phba->mbox_mem_pool);
+ rc = -EIO;
+ goto out_free_bsmbx;
+ }
}
/*

39
1202-revert-scsi-lpfc-early-return-out-of-fdmi-cmpl-for-locally-r.patch Normal file
View File

@ -0,0 +1,39 @@
Subject: [PATCH] Revert "scsi: lpfc: Early return out of FDMI cmpl for locally rejected statuses"
# reverse of cs10 0c985d88af920e163f033fca2fd907a1ea3199fe
diff --git a/drivers/scsi/lpfc/lpfc_ct.c b/drivers/scsi/lpfc/lpfc_ct.c
index daba94529b45..72ff92ac5321 100644
--- a/drivers/scsi/lpfc/lpfc_ct.c
+++ b/drivers/scsi/lpfc/lpfc_ct.c
@@ -2229,6 +2229,21 @@ lpfc_cmpl_ct_disc_fdmi(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb,
/* Look for a retryable error */
if (ulp_status == IOSTAT_LOCAL_REJECT) {
switch ((ulp_word4 & IOERR_PARAM_MASK)) {
+ case IOERR_SLI_ABORTED:
+ case IOERR_SLI_DOWN:
+ /* Driver aborted this IO. No retry as error
+ * is likely Offline->Online or some adapter
+ * error. Recovery will try again, but if port
+ * is not active there's no point to continue
+ * issuing follow up FDMI commands.
+ */
+ if (!(phba->sli.sli_flag & LPFC_SLI_ACTIVE)) {
+ free_ndlp = cmdiocb->ndlp;
+ lpfc_ct_free_iocb(phba, cmdiocb);
+ lpfc_nlp_put(free_ndlp);
+ return;
+ }
+ break;
case IOERR_ABORT_IN_PROGRESS:
case IOERR_SEQUENCE_TIMEOUT:
case IOERR_ILLEGAL_FRAME:
@@ -2254,9 +2269,6 @@ lpfc_cmpl_ct_disc_fdmi(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb,
lpfc_ct_free_iocb(phba, cmdiocb);
lpfc_nlp_put(free_ndlp);
- if (ulp_status != IOSTAT_SUCCESS)
- return;
-
ndlp = lpfc_findnode_did(vport, FDMI_DID);
if (!ndlp)
return;

21
1203-revert-scsi-lpfc-skip-rscn-processing-when-fc-unloading-flag.patch Normal file
View File

@ -0,0 +1,21 @@
Subject: [PATCH] Revert "scsi: lpfc: Skip RSCN processing when FC_UNLOADING flag is set"
# reverse of cs10 78262dda794a4ef21146664546d2cf058132113d
diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
index 3cbacc923fbd..9ab2e98cf693 100644
--- a/drivers/scsi/lpfc/lpfc_els.c
+++ b/drivers/scsi/lpfc/lpfc_els.c
@@ -7860,13 +7860,6 @@ lpfc_rscn_recovery_check(struct lpfc_vport *vport)
/* Move all affected nodes by pending RSCNs to NPR state. */
list_for_each_entry_safe(ndlp, n, &vport->fc_nodes, nlp_listp) {
- if (test_bit(FC_UNLOADING, &vport->load_flag)) {
- lpfc_printf_vlog(vport, KERN_INFO, LOG_ELS,
- "1000 %s Unloading set\n",
- __func__);
- return 0;
- }
-
if ((ndlp->nlp_state == NLP_STE_UNUSED_NODE) ||
!lpfc_rscn_payload_check(vport, ndlp->nlp_DID))
continue;

18
1204-revert-scsi-lpfc-check-for-hdwq-null-ptr-when-cleaning-up-lp.patch Normal file
View File

@ -0,0 +1,18 @@
Subject: [PATCH] Revert "scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure"
# reverse of cs10 935d1d90f2dfbfeb3fde78b925df9eea248e7523
diff --git a/drivers/scsi/lpfc/lpfc_scsi.c b/drivers/scsi/lpfc/lpfc_scsi.c
index 0afc5fe013bc..055ed632c14d 100644
--- a/drivers/scsi/lpfc/lpfc_scsi.c
+++ b/drivers/scsi/lpfc/lpfc_scsi.c
@@ -390,10 +390,6 @@ lpfc_sli4_vport_delete_fcp_xri_aborted(struct lpfc_vport *vport)
if (!(vport->cfg_enable_fc4_type & LPFC_ENABLE_FCP))
return;
- /* may be called before queues established if hba_setup fails */
- if (!phba->sli4_hba.hdwq)
- return;
-
spin_lock_irqsave(&phba->hbalock, iflag);
for (idx = 0; idx < phba->cfg_hdw_queue; idx++) {
qp = &phba->sli4_hba.hdwq[idx];

53
1205-revert-scsi-lpfc-update-debugfs-trace-ring-initialization-me.patch Normal file
View File

@ -0,0 +1,53 @@
Subject: [PATCH] Revert "scsi: lpfc: Update debugfs trace ring initialization messages"
# reverse of cs10 0bacc04f93bb5b7334c7197ce716e378e9887081
diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c
index 061a5e4e525d..3fd1aa5cc78c 100644
--- a/drivers/scsi/lpfc/lpfc_debugfs.c
+++ b/drivers/scsi/lpfc/lpfc_debugfs.c
@@ -6227,9 +6227,8 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport)
i++;
}
lpfc_debugfs_max_slow_ring_trc = (1 << i);
- pr_info("lpfc_debugfs_max_slow_ring_trc "
- "changed to %d\n",
- lpfc_debugfs_max_slow_ring_trc);
+ pr_err("lpfc_debugfs_max_disc_trc changed to "
+ "%d\n", lpfc_debugfs_max_disc_trc);
}
}
@@ -6261,7 +6260,7 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport)
atomic_set(&phba->nvmeio_trc_cnt, 0);
if (lpfc_debugfs_max_nvmeio_trc) {
num = lpfc_debugfs_max_nvmeio_trc - 1;
- if (num & lpfc_debugfs_max_nvmeio_trc) {
+ if (num & lpfc_debugfs_max_disc_trc) {
/* Change to be a power of 2 */
num = lpfc_debugfs_max_nvmeio_trc;
i = 0;
@@ -6270,9 +6269,10 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport)
i++;
}
lpfc_debugfs_max_nvmeio_trc = (1 << i);
- pr_info("lpfc_debugfs_max_nvmeio_trc changed "
- "to %d\n",
- lpfc_debugfs_max_nvmeio_trc);
+ lpfc_printf_log(phba, KERN_ERR, LOG_INIT,
+ "0575 lpfc_debugfs_max_nvmeio_trc "
+ "changed to %d\n",
+ lpfc_debugfs_max_nvmeio_trc);
}
phba->nvmeio_trc_size = lpfc_debugfs_max_nvmeio_trc;
@@ -6317,8 +6317,8 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport)
i++;
}
lpfc_debugfs_max_disc_trc = (1 << i);
- pr_info("lpfc_debugfs_max_disc_trc changed to %d\n",
- lpfc_debugfs_max_disc_trc);
+ pr_err("lpfc_debugfs_max_disc_trc changed to %d\n",
+ lpfc_debugfs_max_disc_trc);
}
}

29
1206-revert-scsi-lpfc-revise-logging-format-for-failed-ct-mib-req.patch Normal file
View File

@ -0,0 +1,29 @@
Subject: [PATCH] Revert "scsi: lpfc: Revise logging format for failed CT MIB requests"
# reverse of cs10 dc6d2aecdbfe696ca05464d29ad974e73b02d52c
diff --git a/drivers/scsi/lpfc/lpfc_ct.c b/drivers/scsi/lpfc/lpfc_ct.c
index 72ff92ac5321..12c67cdd7c19 100644
--- a/drivers/scsi/lpfc/lpfc_ct.c
+++ b/drivers/scsi/lpfc/lpfc_ct.c
@@ -264,9 +264,9 @@ lpfc_ct_reject_event(struct lpfc_nodelist *ndlp,
ct_free_mp:
kfree(mp);
ct_exit:
- lpfc_vlog_msg(vport, KERN_WARNING, LOG_ELS,
- "6440 Unsol CT: Rsp err %d Data: x%lx\n",
- rc, vport->fc_flag);
+ lpfc_printf_vlog(vport, KERN_ERR, LOG_ELS,
+ "6440 Unsol CT: Rsp err %d Data: x%lx\n",
+ rc, vport->fc_flag);
}
/**
@@ -313,7 +313,7 @@ lpfc_ct_handle_mibreq(struct lpfc_hba *phba, struct lpfc_iocbq *ctiocbq)
mi_cmd = be16_to_cpu(ct_req->CommandResponse.bits.CmdRsp);
lpfc_vlog_msg(vport, KERN_WARNING, LOG_ELS,
- "6442 MI Cmd: x%x Not Supported\n", mi_cmd);
+ "6442 MI Cmd : x%x Not Supported\n", mi_cmd);
lpfc_ct_reject_event(ndlp, ct_req,
bf_get(wqe_ctxt_tag,
&ctiocbq->wqe.xmit_els_rsp.wqe_com),

31
1207-scsi-lpfc-avoid-crashing-in-lpfc-nlp-get-rhel-only.patch Normal file
View File

@ -0,0 +1,31 @@
Subject: [PATCH] scsi: lpfc: avoid crashing in lpfc_nlp_get() if lpfc_nodelist was freed
# RHEL-only (no CS10/upstream commit); reconstructed use-after-free guard.
diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c
index f6fb92f..d8b5896 100644
--- a/drivers/scsi/lpfc/lpfc_hbadisc.c
+++ b/drivers/scsi/lpfc/lpfc_hbadisc.c
@@ -6595,11 +6595,6 @@ lpfc_nlp_get(struct lpfc_nodelist *ndlp)
unsigned long flags;
if (ndlp) {
- lpfc_debugfs_disc_trc(ndlp->vport, LPFC_DISC_TRC_NODE,
- "node get: did:x%x flg:x%lx refcnt:x%x",
- ndlp->nlp_DID, ndlp->nlp_flag,
- kref_read(&ndlp->kref));
-
/* The check of ndlp usage to prevent incrementing the
* ndlp reference count that is in the process of being
* released.
@@ -6607,9 +6602,8 @@ lpfc_nlp_get(struct lpfc_nodelist *ndlp)
spin_lock_irqsave(&ndlp->lock, flags);
if (!kref_get_unless_zero(&ndlp->kref)) {
spin_unlock_irqrestore(&ndlp->lock, flags);
- lpfc_printf_vlog(ndlp->vport, KERN_WARNING, LOG_NODE,
- "0276 %s: ndlp:x%px refcnt:%d\n",
- __func__, (void *)ndlp, kref_read(&ndlp->kref));
+ pr_info("0276 %s: NDLP has zero reference count. "
+ "Exiting\n", __func__);
return NULL;
}
spin_unlock_irqrestore(&ndlp->lock, flags);

210
1208-drm-mgag200-fix-mgag200-bmc-stop-scanout.patch Normal file
View File

@ -0,0 +1,210 @@
From 1aacebe9d4ccb1a89caa9eb9fe3bb24723e80564 Mon Sep 17 00:00:00 2001
From: Jacob Keller <jacob.e.keller@intel.com>
Date: Mon, 2 Feb 2026 16:16:39 -0800
Subject: [PATCH] drm/mgag200: fix mgag200_bmc_stop_scanout()
[ Upstream commit 0e0c8f4d16de92520623aa1ea485cadbf64e6929 ]
The mgag200_bmc_stop_scanout() function is called by the .atomic_disable()
handler for the MGA G200 VGA BMC encoder. This function performs a few
register writes to inform the BMC of an upcoming mode change, and then
polls to wait until the BMC actually stops.
The polling is implemented using a busy loop with udelay() and an iteration
timeout of 300, resulting in the function blocking for 300 milliseconds.
The function gets called ultimately by the output_poll_execute work thread
for the DRM output change polling thread of the mgag200 driver:
kworker/0:0-mm_ 3528 [000] 4555.315364:
ffffffffaa0e25b3 delay_halt.part.0+0x33
ffffffffc03f6188 mgag200_bmc_stop_scanout+0x178
ffffffffc087ae7a disable_outputs+0x12a
ffffffffc087c12a drm_atomic_helper_commit_tail+0x1a
ffffffffc03fa7b6 mgag200_mode_config_helper_atomic_commit_tail+0x26
ffffffffc087c9c1 commit_tail+0x91
ffffffffc087d51b drm_atomic_helper_commit+0x11b
ffffffffc0509694 drm_atomic_commit+0xa4
ffffffffc05105e8 drm_client_modeset_commit_atomic+0x1e8
ffffffffc0510ce6 drm_client_modeset_commit_locked+0x56
ffffffffc0510e24 drm_client_modeset_commit+0x24
ffffffffc088a743 __drm_fb_helper_restore_fbdev_mode_unlocked+0x93
ffffffffc088a683 drm_fb_helper_hotplug_event+0xe3
ffffffffc050f8aa drm_client_dev_hotplug+0x9a
ffffffffc088555a output_poll_execute+0x29a
ffffffffa9b35924 process_one_work+0x194
ffffffffa9b364ee worker_thread+0x2fe
ffffffffa9b3ecad kthread+0xdd
ffffffffa9a08549 ret_from_fork+0x29
On a server running ptp4l with the mgag200 driver loaded, we found that
ptp4l would sometimes get blocked from execution because of this busy
waiting loop.
Every so often, approximately once every 20 minutes -- though with large
variance -- the output_poll_execute() thread would detect some sort of
change that required performing a hotplug event which results in attempting
to stop the BMC scanout, resulting in a 300msec delay on one CPU.
On this system, ptp4l was pinned to a single CPU. When the
output_poll_execute() thread ran on that CPU, it blocked ptp4l from
executing for its 300 millisecond duration.
This resulted in PTP service disruptions such as failure to send a SYNC
message on time, failure to handle ANNOUNCE messages on time, and clock
check warnings from the application. All of this despite the application
being configured with FIFO_RT and a higher priority than the background
workqueue tasks. (However, note that the kernel did not use
CONFIG_PREEMPT...)
It is unclear if the event is due to a faulty VGA connection, another bug,
or actual events causing a change in the connection. At least on the system
under test it is not a one-time event and consistently causes disruption to
the time sensitive applications.
The function has some helpful comments explaining what steps it is
attempting to take. In particular, step 3a and 3b are explained as such:
3a - The third step is to verify if there is an active scan. We are
waiting on a 0 on remhsyncsts (<XSPAREREG<0>.
3b - This step occurs only if the remove is actually scanning. We are
waiting for the end of the frame which is a 1 on remvsyncsts
(<XSPAREREG<1>).
The actual steps 3a and 3b are implemented as while loops with a
non-sleeping udelay(). The first step iterates while the tmp value at
position 0 is *not* set. That is, it keeps iterating as long as the bit is
zero. If the bit is already 0 (because there is no active scan), it will
iterate the entire 300 attempts which wastes 300 milliseconds in total.
This is opposite of what the description claims.
The step 3b logic only executes if we do not iterate over the entire 300
attempts in the first loop. If it does trigger, it is trying to check and
wait for a 1 on the remvsyncsts. However, again the condition is actually
inverted and it will loop as long as the bit is 1, stopping once it hits
zero (rather than the explained attempt to wait until we see a 1).
Worse, both loops are implemented using non-sleeping waits which spin
instead of allowing the scheduler to run other processes. If the kernel is
not configured to allow arbitrary preemption, it will waste valuable CPU
time doing nothing.
There does not appear to be any documentation for the BMC register
interface, beyond what is in the comments here. It seems more probable that
the comment here is correct and the implementation accidentally got
inverted from the intended logic.
Reading through other DRM driver implementations, it does not appear that
the .atomic_enable or .atomic_disable handlers need to delay instead of
sleep. For example, the ast_astdp_encoder_helper_atomic_disable() function
calls ast_dp_set_phy_sleep() which uses msleep(). The "atomic" in the name
is referring to the atomic modesetting support, which is the support to
enable atomic configuration from userspace, and not to the "atomic context"
of the kernel. There is no reason to use udelay() here if a sleep would be
sufficient.
Replace the while loops with a read_poll_timeout() based implementation
that will sleep between iterations, and which stops polling once the
condition is met (instead of looping as long as the condition is met). This
aligns with the commented behavior and avoids blocking on the CPU while
doing nothing.
Note the RREG_DAC is implemented using a statement expression to allow
working properly with the read_poll_timeout family of functions. The other
RREG_<TYPE> macros ought to be cleaned up to have better semantics, and
several places in the mgag200 driver could make use of RREG_DAC or similar
RREG_* macros should likely be cleaned up for better semantics as well, but
that task has been left as a future cleanup for a non-bugfix.
Fixes: 414c45310625 ("mgag200: initial g200se driver (v2)")
Suggested-by: Thomas Zimmermann <tzimmermann@suse.de>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
Reviewed-by: Jocelyn Falempe <jfalempe@redhat.com>
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patch.msgid.link/20260202-jk-mgag200-fix-bad-udelay-v2-1-ce1e9665987d@intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
diff --git a/drivers/gpu/drm/mgag200/mgag200_bmc.c b/drivers/gpu/drm/mgag200/mgag200_bmc.c
index a689c71ff165..bbdeb791c5b3 100644
--- a/drivers/gpu/drm/mgag200/mgag200_bmc.c
+++ b/drivers/gpu/drm/mgag200/mgag200_bmc.c
@@ -1,6 +1,7 @@
// SPDX-License-Identifier: GPL-2.0-only
#include <linux/delay.h>
+#include <linux/iopoll.h>
#include <drm/drm_atomic_helper.h>
#include <drm/drm_edid.h>
@@ -12,7 +13,7 @@
void mgag200_bmc_stop_scanout(struct mga_device *mdev)
{
u8 tmp;
- int iter_max;
+ int ret;
/*
* 1 - The first step is to inform the BMC of an upcoming mode
@@ -42,30 +43,22 @@ void mgag200_bmc_stop_scanout(struct mga_device *mdev)
/*
* 3a- The third step is to verify if there is an active scan.
- * We are waiting for a 0 on remhsyncsts <XSPAREREG<0>).
+ * We are waiting for a 0 on remhsyncsts (<XSPAREREG<0>).
*/
- iter_max = 300;
- while (!(tmp & 0x1) && iter_max) {
- WREG8(DAC_INDEX, MGA1064_SPAREREG);
- tmp = RREG8(DAC_DATA);
- udelay(1000);
- iter_max--;
- }
+ ret = read_poll_timeout(RREG_DAC, tmp, !(tmp & 0x1),
+ 1000, 300000, false,
+ MGA1064_SPAREREG);
+ if (ret == -ETIMEDOUT)
+ return;
/*
- * 3b- This step occurs only if the remove is actually
+ * 3b- This step occurs only if the remote BMC is actually
* scanning. We are waiting for the end of the frame which is
* a 1 on remvsyncsts (XSPAREREG<1>)
*/
- if (iter_max) {
- iter_max = 300;
- while ((tmp & 0x2) && iter_max) {
- WREG8(DAC_INDEX, MGA1064_SPAREREG);
- tmp = RREG8(DAC_DATA);
- udelay(1000);
- iter_max--;
- }
- }
+ (void)read_poll_timeout(RREG_DAC, tmp, (tmp & 0x2),
+ 1000, 300000, false,
+ MGA1064_SPAREREG);
}
void mgag200_bmc_start_scanout(struct mga_device *mdev)
diff --git a/drivers/gpu/drm/mgag200/mgag200_drv.h b/drivers/gpu/drm/mgag200/mgag200_drv.h
index 988967eafbf2..c67007348142 100644
--- a/drivers/gpu/drm/mgag200/mgag200_drv.h
+++ b/drivers/gpu/drm/mgag200/mgag200_drv.h
@@ -112,6 +112,12 @@
#define DAC_INDEX 0x3c00
#define DAC_DATA 0x3c0a
+#define RREG_DAC(reg) \
+ ({ \
+ WREG8(DAC_INDEX, reg); \
+ RREG8(DAC_DATA); \
+ }) \
+
#define WREG_DAC(reg, v) \
do { \
WREG8(DAC_INDEX, reg); \
--
2.50.1 (Apple Git-155)

55
1209-net-sched-act-csum-validate-nested-vlan-headers.patch Normal file
View File

@ -0,0 +1,55 @@
From a69738efea0996d05a3c7d2178551b891744df1b Mon Sep 17 00:00:00 2001
From: Ruide Cao <caoruide123@gmail.com>
Date: Thu, 2 Apr 2026 22:46:20 +0800
Subject: [PATCH] net: sched: act_csum: validate nested VLAN headers
[ Upstream commit c842743d073bdd683606cb414eb0ca84465dd834 ]
tcf_csum_act() walks nested VLAN headers directly from skb->data when an
skb still carries in-payload VLAN tags. The current code reads
vlan->h_vlan_encapsulated_proto and then pulls VLAN_HLEN bytes without
first ensuring that the full VLAN header is present in the linear area.
If only part of an inner VLAN header is linearized, accessing
h_vlan_encapsulated_proto reads past the linear area, and the following
skb_pull(VLAN_HLEN) may violate skb invariants.
Fix this by requiring pskb_may_pull(skb, VLAN_HLEN) before accessing and
pulling each nested VLAN header. If the header still is not fully
available, drop the packet through the existing error path.
Fixes: 2ecba2d1e45b ("net: sched: act_csum: Fix csum calc for tagged packets")
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Yuan Tan <yuantan098@gmail.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Tested-by: Ren Wei <enjou1224z@gmail.com>
Signed-off-by: Ruide Cao <caoruide123@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/22df2fcb49f410203eafa5d97963dd36089f4ecf.1774892775.git.caoruide123@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
diff --git a/net/sched/act_csum.c b/net/sched/act_csum.c
index 5cc8e407e791..8ea37c2c3c54 100644
--- a/net/sched/act_csum.c
+++ b/net/sched/act_csum.c
@@ -603,8 +603,12 @@ TC_INDIRECT_SCOPE int tcf_csum_act(struct sk_buff *skb,
protocol = skb->protocol;
orig_vlan_tag_present = true;
} else {
- struct vlan_hdr *vlan = (struct vlan_hdr *)skb->data;
+ struct vlan_hdr *vlan;
+ if (!pskb_may_pull(skb, VLAN_HLEN))
+ goto drop;
+
+ vlan = (struct vlan_hdr *)skb->data;
protocol = vlan->h_vlan_encapsulated_proto;
skb_pull(skb, VLAN_HLEN);
skb_reset_network_header(skb);
--
2.50.1 (Apple Git-155)

47
1210-netfilter-ip6t-eui64-reject-invalid-mac-header-for-all-packe.patch Normal file
View File

@ -0,0 +1,47 @@
From 9eda5478746ef7dc0e4e537b5a5e4b0ca1027091 Mon Sep 17 00:00:00 2001
From: Zhengchuan Liang <zcliangcn@gmail.com>
Date: Sat, 4 Apr 2026 17:39:47 +0800
Subject: [PATCH] netfilter: ip6t_eui64: reject invalid MAC header for all
packets
[ Upstream commit fdce0b3590f724540795b874b4c8850c90e6b0a8 ]
`eui64_mt6()` derives a modified EUI-64 from the Ethernet source address
and compares it with the low 64 bits of the IPv6 source address.
The existing guard only rejects an invalid MAC header when
`par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()`
can still reach `eth_hdr(skb)` even when the MAC header is not valid.
Fix this by removing the `par->fragoff != 0` condition so that packets
with an invalid MAC header are rejected before accessing `eth_hdr(skb)`.
Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2")
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Yuan Tan <yuantan098@gmail.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Tested-by: Ren Wei <enjou1224z@gmail.com>
Signed-off-by: Zhengchuan Liang <zcliangcn@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
diff --git a/net/ipv6/netfilter/ip6t_eui64.c b/net/ipv6/netfilter/ip6t_eui64.c
index d704f7ed300c..da69a27e8332 100644
--- a/net/ipv6/netfilter/ip6t_eui64.c
+++ b/net/ipv6/netfilter/ip6t_eui64.c
@@ -22,8 +22,7 @@ eui64_mt6(const struct sk_buff *skb, struct xt_action_param *par)
unsigned char eui64[8];
if (!(skb_mac_header(skb) >= skb->head &&
- skb_mac_header(skb) + ETH_HLEN <= skb->data) &&
- par->fragoff != 0) {
+ skb_mac_header(skb) + ETH_HLEN <= skb->data)) {
par->hotdrop = true;
return false;
}
--
2.50.1 (Apple Git-155)

52
1211-cifs-remove-unnecessary-tracing-after-put-tcon.patch Normal file
View File

@ -0,0 +1,52 @@
From ccfb4a950c79db99c153de111d0b4d05edaf193d Mon Sep 17 00:00:00 2001
From: Paulo Alcantara <paalcant@redhat.com>
Date: Wed, 18 Feb 2026 18:34:03 -0300
Subject: [PATCH] cifs: remove unnecessary tracing after put tcon
JIRA: https://issues.redhat.com/browse/RHEL-150776
commit a5a50f1415692a0fe3bf0ec17f422cac8e158e65
Author: Shyam Prasad N <sprasad@microsoft.com>
Date: Sat Feb 14 13:05:50 2026 +0530
cifs: remove unnecessary tracing after put tcon
This code was recently changed from manually decrementing
tcon ref to using cifs_put_tcon. But even before that change
this tracing happened after decrementing the ref count, which
is wrong. With cifs_put_tcon, tracing already happens inside it.
So just removing the extra tracing here.
Signed-off-by: Shyam Prasad N <sprasad@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Paulo Alcantara <paalcant@redhat.com>
diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c
index 1e13dd0a24c3..61c521712f86 100644
--- a/fs/smb/client/smb2ops.c
+++ b/fs/smb/client/smb2ops.c
@@ -3181,8 +3181,6 @@ smb2_get_dfs_refer(const unsigned int xid, struct cifs_ses *ses,
if (tcon && !tcon->ipc) {
/* ipc tcons are not refcounted */
cifs_put_tcon(tcon, netfs_trace_tcon_ref_put_dfs_refer);
- trace_smb3_tcon_ref(tcon->debug_id, tcon->tc_count,
- netfs_trace_tcon_ref_dec_dfs_refer);
}
kfree(utf16_path);
kfree(dfs_req);
diff --git a/fs/smb/client/trace.h b/fs/smb/client/trace.h
index 191f02344dcd..9228f95cae2b 100644
--- a/fs/smb/client/trace.h
+++ b/fs/smb/client/trace.h
@@ -168,7 +168,6 @@
E_(cifs_trace_rw_credits_zero_in_flight, "ZERO-IN-FLT")
#define smb3_tcon_ref_traces \
- EM(netfs_trace_tcon_ref_dec_dfs_refer, "DEC DfsRef") \
EM(netfs_trace_tcon_ref_free, "FRE ") \
EM(netfs_trace_tcon_ref_free_fail, "FRE Fail ") \
EM(netfs_trace_tcon_ref_free_ipc, "FRE Ipc ") \
--
2.50.1 (Apple Git-155)

41
1212-cifs-make-default-value-of-retrans-as-zero.patch Normal file
View File

@ -0,0 +1,41 @@
From e96124d5b440c57a270d3903e7cec81d14fc2e07 Mon Sep 17 00:00:00 2001
From: Paulo Alcantara <paalcant@redhat.com>
Date: Tue, 28 Apr 2026 18:52:21 -0300
Subject: [PATCH] cifs: make default value of retrans as zero
JIRA: https://issues.redhat.com/browse/RHEL-171638
commit e3beefd3af09f8e460ddaf39063d3d7664d7ab59
Author: Shyam Prasad N <sprasad@microsoft.com>
Date: Wed Mar 11 10:48:54 2026 +0530
cifs: make default value of retrans as zero
When retrans mount option was introduced, the default value was set
as 1. However, in the light of some bugs that this has exposed recently
we should change it to 0 and retain the old behaviour before this option
was introduced.
Cc: <stable@vger.kernel.org>
Reviewed-by: Bharath SM <bharathsm@microsoft.com>
Signed-off-by: Shyam Prasad N <sprasad@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Paulo Alcantara <paalcant@redhat.com>
diff --git a/fs/smb/client/fs_context.c b/fs/smb/client/fs_context.c
index a5c336f8f2b7..943f4d3610ee 100644
--- a/fs/smb/client/fs_context.c
+++ b/fs/smb/client/fs_context.c
@@ -2000,7 +2000,7 @@ int smb3_init_fs_context(struct fs_context *fc)
ctx->backupuid_specified = false; /* no backup intent for a user */
ctx->backupgid_specified = false; /* no backup intent for a group */
- ctx->retrans = 1;
+ ctx->retrans = 0;
ctx->reparse_type = CIFS_REPARSE_TYPE_DEFAULT;
ctx->symlink_type = CIFS_SYMLINK_TYPE_DEFAULT;
ctx->nonativesocket = 0;
--
2.50.1 (Apple Git-155)

158
1213-dpll-zl3073x-add-output-pin-frequency-helper.patch Normal file
View File

@ -0,0 +1,158 @@
From 6482a608b65938f2fdacc01e93dd4f62b1f298c7 Mon Sep 17 00:00:00 2001
From: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
Date: Thu, 2 Apr 2026 14:24:19 +0000
Subject: [PATCH] dpll: zl3073x: Add output pin frequency helper
JIRA: https://redhat.atlassian.net/browse/RHEL-164429
commit 24e4336a87f5c51263535201218889b5f324511f
Author: Ivan Vecera <ivecera@redhat.com>
Date: Thu Feb 5 16:43:49 2026 +0100
dpll: zl3073x: Add output pin frequency helper
Introduce zl3073x_dev_output_pin_freq_get() helper function to compute
the output pin frequency based on synthesizer frequency, output divisor,
and signal format. For N-div signal formats, the N-pin frequency is
additionally divided by esync_n_period.
Add zl3073x_out_is_ndiv() helper to check if an output is configured
in N-div mode (2_NDIV or 2_NDIV_INV signal formats).
Refactor zl3073x_dpll_output_pin_frequency_get() callback to use the
new helper, reducing code duplication and enabling reuse of the
frequency calculation logic in other contexts.
This is a preparatory change for adding current frequency to the
supported frequencies list in pin properties.
Signed-off-by: Ivan Vecera <ivecera@redhat.com>
Link: https://patch.msgid.link/20260205154350.3180465-2-ivecera@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
diff --git a/drivers/dpll/zl3073x/core.h b/drivers/dpll/zl3073x/core.h
index 09bca2d0926d..dddfcacea5c0 100644
--- a/drivers/dpll/zl3073x/core.h
+++ b/drivers/dpll/zl3073x/core.h
@@ -301,6 +301,36 @@ u8 zl3073x_dev_out_dpll_get(struct zl3073x_dev *zldev, u8 index)
return zl3073x_synth_dpll_get(synth);
}
+/**
+ * zl3073x_dev_output_pin_freq_get - get output pin frequency
+ * @zldev: pointer to zl3073x device
+ * @id: output pin id
+ *
+ * Computes the output pin frequency based on the synth frequency, output
+ * divisor, and signal format. For N-div formats, N-pin frequency is
+ * additionally divided by esync_n_period.
+ *
+ * Return: frequency of the given output pin in Hz
+ */
+static inline u32
+zl3073x_dev_output_pin_freq_get(struct zl3073x_dev *zldev, u8 id)
+{
+ const struct zl3073x_synth *synth;
+ const struct zl3073x_out *out;
+ u8 out_id;
+ u32 freq;
+
+ out_id = zl3073x_output_pin_out_get(id);
+ out = zl3073x_out_state_get(zldev, out_id);
+ synth = zl3073x_synth_state_get(zldev, zl3073x_out_synth_get(out));
+ freq = zl3073x_synth_freq_get(synth) / out->div;
+
+ if (zl3073x_out_is_ndiv(out) && zl3073x_is_n_pin(id))
+ freq /= out->esync_n_period;
+
+ return freq;
+}
+
/**
* zl3073x_dev_out_is_diff - check if the given output is differential
* @zldev: pointer to zl3073x device
diff --git a/drivers/dpll/zl3073x/dpll.c b/drivers/dpll/zl3073x/dpll.c
index 897ed682dbf9..78edc36b17fb 100644
--- a/drivers/dpll/zl3073x/dpll.c
+++ b/drivers/dpll/zl3073x/dpll.c
@@ -916,46 +916,9 @@ zl3073x_dpll_output_pin_frequency_get(const struct dpll_pin *dpll_pin,
struct netlink_ext_ack *extack)
{
struct zl3073x_dpll *zldpll = dpll_priv;
- struct zl3073x_dev *zldev = zldpll->dev;
struct zl3073x_dpll_pin *pin = pin_priv;
- const struct zl3073x_synth *synth;
- const struct zl3073x_out *out;
- u32 synth_freq;
- u8 out_id;
- out_id = zl3073x_output_pin_out_get(pin->id);
- out = zl3073x_out_state_get(zldev, out_id);
-
- /* Get attached synth frequency */
- synth = zl3073x_synth_state_get(zldev, zl3073x_out_synth_get(out));
- synth_freq = zl3073x_synth_freq_get(synth);
-
- switch (zl3073x_out_signal_format_get(out)) {
- case ZL_OUTPUT_MODE_SIGNAL_FORMAT_2_NDIV:
- case ZL_OUTPUT_MODE_SIGNAL_FORMAT_2_NDIV_INV:
- /* In case of divided format we have to distiguish between
- * given output pin type.
- *
- * For P-pin the resulting frequency is computed as simple
- * division of synth frequency and output divisor.
- *
- * For N-pin we have to divide additionally by divisor stored
- * in esync_n_period output mailbox register that is used as
- * N-pin divisor for these modes.
- */
- *frequency = synth_freq / out->div;
-
- if (!zl3073x_dpll_is_p_pin(pin))
- *frequency = (u32)*frequency / out->esync_n_period;
-
- break;
- default:
- /* In other modes the resulting frequency is computed as
- * division of synth frequency and output divisor.
- */
- *frequency = synth_freq / out->div;
- break;
- }
+ *frequency = zl3073x_dev_output_pin_freq_get(zldpll->dev, pin->id);
return 0;
}
diff --git a/drivers/dpll/zl3073x/out.h b/drivers/dpll/zl3073x/out.h
index e8ea7a0e0f07..318f9bb8da3a 100644
--- a/drivers/dpll/zl3073x/out.h
+++ b/drivers/dpll/zl3073x/out.h
@@ -79,6 +79,23 @@ static inline bool zl3073x_out_is_enabled(const struct zl3073x_out *out)
return !!FIELD_GET(ZL_OUTPUT_CTRL_EN, out->ctrl);
}
+/**
+ * zl3073x_out_is_ndiv - check if the given output is in N-div mode
+ * @out: pointer to out state
+ *
+ * Return: true if output is in N-div mode, false otherwise
+ */
+static inline bool zl3073x_out_is_ndiv(const struct zl3073x_out *out)
+{
+ switch (zl3073x_out_signal_format_get(out)) {
+ case ZL_OUTPUT_MODE_SIGNAL_FORMAT_2_NDIV:
+ case ZL_OUTPUT_MODE_SIGNAL_FORMAT_2_NDIV_INV:
+ return true;
+ default:
+ return false;
+ }
+}
+
/**
* zl3073x_out_synth_get - get synth connected to given output
* @out: pointer to out state
--
2.50.1 (Apple Git-155)

124
1214-dpll-zl3073x-include-current-frequency-in-supported-frequenc.patch Normal file
View File

@ -0,0 +1,124 @@
From 6a744fc1c97d1a5dc7def15f6ecadd9e428a6ab8 Mon Sep 17 00:00:00 2001
From: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
Date: Thu, 2 Apr 2026 14:24:20 +0000
Subject: [PATCH] dpll: zl3073x: Include current frequency in supported
frequencies list
JIRA: https://redhat.atlassian.net/browse/RHEL-164429
commit 85a9aaac4a38a7ce68f30bd7678fca4e8c687fe2
Author: Ivan Vecera <ivecera@redhat.com>
Date: Thu Feb 5 16:43:50 2026 +0100
dpll: zl3073x: Include current frequency in supported frequencies list
Ensure the current pin frequency is always present in the list of
supported frequencies reported to userspace. Previously, if the
firmware node was missing or didn't include the current operating
frequency in the supported-frequencies-hz property, the pin would
report a frequency that wasn't in its supported list.
Get the current frequency early in zl3073x_pin_props_get():
- For input pins: use zl3073x_dev_ref_freq_get()
- For output pins: use zl3073x_dev_output_pin_freq_get()
Place the current frequency at index 0 of the supported frequencies
array, then append frequencies from the firmware node (if present),
skipping any duplicate of the current frequency.
Signed-off-by: Ivan Vecera <ivecera@redhat.com>
Link: https://patch.msgid.link/20260205154350.3180465-3-ivecera@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
diff --git a/drivers/dpll/zl3073x/prop.c b/drivers/dpll/zl3073x/prop.c
index ad1f099cbe2b..8523dc8c226e 100644
--- a/drivers/dpll/zl3073x/prop.c
+++ b/drivers/dpll/zl3073x/prop.c
@@ -193,9 +193,10 @@ struct zl3073x_pin_props *zl3073x_pin_props_get(struct zl3073x_dev *zldev,
{
struct dpll_pin_frequency *ranges;
struct zl3073x_pin_props *props;
- int i, j, num_freqs, rc;
+ int i, j, num_freqs = 0, rc;
+ u64 *freqs = NULL;
const char *type;
- u64 *freqs;
+ u32 curr_freq;
props = kzalloc(sizeof(*props), GFP_KERNEL);
if (!props)
@@ -207,6 +208,7 @@ struct zl3073x_pin_props *zl3073x_pin_props_get(struct zl3073x_dev *zldev,
props->dpll_props.capabilities =
DPLL_PIN_CAPABILITIES_PRIORITY_CAN_CHANGE |
DPLL_PIN_CAPABILITIES_STATE_CAN_CHANGE;
+ curr_freq = zl3073x_dev_ref_freq_get(zldev, index);
} else {
u8 out, synth;
u32 f;
@@ -220,6 +222,7 @@ struct zl3073x_pin_props *zl3073x_pin_props_get(struct zl3073x_dev *zldev,
synth = zl3073x_dev_out_synth_get(zldev, out);
f = 2 * zl3073x_dev_synth_freq_get(zldev, synth);
props->dpll_props.phase_gran = f ? div_u64(PSEC_PER_SEC, f) : 1;
+ curr_freq = zl3073x_dev_output_pin_freq_get(zldev, index);
}
props->dpll_props.phase_range.min = S32_MIN;
@@ -230,7 +233,7 @@ struct zl3073x_pin_props *zl3073x_pin_props_get(struct zl3073x_dev *zldev,
/* Get firmware node for the given pin */
rc = zl3073x_prop_pin_fwnode_get(zldev, props, dir, index);
if (rc)
- return props; /* Return if it does not exist */
+ goto skip_fwnode_props;
/* Look for label property and store the value as board label */
fwnode_property_read_string(props->fwnode, "label",
@@ -264,9 +267,10 @@ struct zl3073x_pin_props *zl3073x_pin_props_get(struct zl3073x_dev *zldev,
/* Read supported frequencies property if it is specified */
num_freqs = fwnode_property_count_u64(props->fwnode,
"supported-frequencies-hz");
- if (num_freqs <= 0)
- /* Return if the property does not exist or number is 0 */
- return props;
+ if (num_freqs <= 0) {
+ num_freqs = 0;
+ goto skip_fwnode_props;
+ }
/* The firmware node specifies list of supported frequencies while
* DPLL core pin properties requires list of frequency ranges.
@@ -283,19 +287,25 @@ struct zl3073x_pin_props *zl3073x_pin_props_get(struct zl3073x_dev *zldev,
"supported-frequencies-hz", freqs,
num_freqs);
- /* Allocate frequency ranges list and fill it */
- ranges = kcalloc(num_freqs, sizeof(*ranges), GFP_KERNEL);
+skip_fwnode_props:
+ /* Allocate frequency ranges list - extra slot for current frequency */
+ ranges = kcalloc(num_freqs + 1, sizeof(*ranges), GFP_KERNEL);
if (!ranges) {
rc = -ENOMEM;
goto err_alloc_ranges;
}
- /* Convert list of frequencies to list of frequency ranges but
- * filter-out frequencies that are not representable by device
+ /* Start with current frequency at index 0 */
+ ranges[0] = (struct dpll_pin_frequency)DPLL_PIN_FREQUENCY(curr_freq);
+
+ /* Add frequencies from firmware node, skipping current frequency
+ * and filtering out frequencies not representable by device
*/
- for (i = 0, j = 0; i < num_freqs; i++) {
+ for (i = 0, j = 1; i < num_freqs; i++) {
struct dpll_pin_frequency freq = DPLL_PIN_FREQUENCY(freqs[i]);
+ if (freqs[i] == curr_freq)
+ continue;
if (zl3073x_pin_check_freq(zldev, dir, index, freqs[i])) {
ranges[j] = freq;
j++;
--
2.50.1 (Apple Git-155)

58
1215-dpll-zl3073x-fix-ref-frequency-setting.patch Normal file
View File

@ -0,0 +1,58 @@
From bbc528495d5ec657906c684f5805b3a410941cb6 Mon Sep 17 00:00:00 2001
From: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
Date: Thu, 2 Apr 2026 14:24:21 +0000
Subject: [PATCH] dpll: zl3073x: Fix ref frequency setting
JIRA: https://redhat.atlassian.net/browse/RHEL-164429
commit a047497f952831e377564b606dcb74a7cb309384
Author: Ivan Vecera <ivecera@redhat.com>
Date: Mon Feb 16 20:40:07 2026 +0100
dpll: zl3073x: Fix ref frequency setting
The frequency for an input reference is computed as:
frequency = freq_base * freq_mult * freq_ratio_m / freq_ratio_n
Before commit 5bc02b190a3fb ("dpll: zl3073x: Cache all reference
properties in zl3073x_ref"), zl3073x_dpll_input_pin_frequency_set()
explicitly wrote 1 to both the REF_RATIO_M and REF_RATIO_N hardware
registers whenever a new frequency was set. This ensured the FEC ratio
was always reset to 1:1 alongside the new base/multiplier values.
The refactoring in that commit introduced zl3073x_ref_freq_set() to
update the cached ref state, but this helper only sets freq_base and
freq_mult without resetting freq_ratio_m and freq_ratio_n to 1. Because
zl3073x_ref_state_set() uses a compare-and-write strategy, unchanged
ratio fields are never written to the hardware. If the device previously
had non-unity FEC ratio values, they remain in effect after a frequency
change, resulting in an incorrect computed frequency.
Explicitly set freq_ratio_m and freq_ratio_n to 1 in zl3073x_ref_freq_set()
to restore the original behavior.
Fixes: 5bc02b190a3fb ("dpll: zl3073x: Cache all reference properties in zl3073x_ref")
Signed-off-by: Ivan Vecera <ivecera@redhat.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260216194007.680416-1-ivecera@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
diff --git a/drivers/dpll/zl3073x/ref.h b/drivers/dpll/zl3073x/ref.h
index efc7f59cd9f9..0d8618f5ce8d 100644
--- a/drivers/dpll/zl3073x/ref.h
+++ b/drivers/dpll/zl3073x/ref.h
@@ -91,6 +91,8 @@ zl3073x_ref_freq_set(struct zl3073x_ref *ref, u32 freq)
ref->freq_base = base;
ref->freq_mult = mult;
+ ref->freq_ratio_m = 1;
+ ref->freq_ratio_n = 1;
return 0;
}
--
2.50.1 (Apple Git-155)

175
1216-dpll-zl3073x-fix-ref-phase-offset-comp-register-width-for-so.patch Normal file
View File

@ -0,0 +1,175 @@
From 63c8ab56209fe06421d0f0ee0d254c8755d2d0ca Mon Sep 17 00:00:00 2001
From: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
Date: Thu, 2 Apr 2026 14:24:22 +0000
Subject: [PATCH] dpll: zl3073x: fix REF_PHASE_OFFSET_COMP register width for
some chip IDs
JIRA: https://redhat.atlassian.net/browse/RHEL-164429
commit 4cfe066a82cdf9e83e48b16000f55280efc98325
Author: Ivan Vecera <ivecera@redhat.com>
Date: Fri Feb 20 16:57:54 2026 +0100
dpll: zl3073x: fix REF_PHASE_OFFSET_COMP register width for some chip IDs
The REF_PHASE_OFFSET_COMP register is 48-bit wide on most zl3073x chip
variants, but only 32-bit wide on chip IDs 0x0E30, 0x0E93..0x0E97 and
0x1F60. The driver unconditionally uses 48-bit read/write operations,
which on 32-bit variants causes reading 2 bytes past the register
boundary (corrupting the value) and writing 2 bytes into the adjacent
register.
Fix this by storing the chip ID in the device structure during probe
and adding a helper to detect the affected variants. Use the correct
register width for read/write operations and the matching sign extension
bit (31 vs 47) when interpreting the phase compensation value.
Fixes: 6287262f761e ("dpll: zl3073x: Add support to adjust phase")
Signed-off-by: Ivan Vecera <ivecera@redhat.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260220155755.448185-1-ivecera@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
diff --git a/drivers/dpll/zl3073x/core.c b/drivers/dpll/zl3073x/core.c
index 63bd97181b9e..8c5ee28e02f4 100644
--- a/drivers/dpll/zl3073x/core.c
+++ b/drivers/dpll/zl3073x/core.c
@@ -1026,6 +1026,7 @@ int zl3073x_dev_probe(struct zl3073x_dev *zldev,
"Unknown or non-match chip ID: 0x%0x\n",
id);
}
+ zldev->chip_id = id;
/* Read revision, firmware version and custom config version */
rc = zl3073x_read_u16(zldev, ZL_REG_REVISION, &revision);
diff --git a/drivers/dpll/zl3073x/core.h b/drivers/dpll/zl3073x/core.h
index dddfcacea5c0..fd2af3c62a7d 100644
--- a/drivers/dpll/zl3073x/core.h
+++ b/drivers/dpll/zl3073x/core.h
@@ -35,6 +35,7 @@ struct zl3073x_dpll;
* @dev: pointer to device
* @regmap: regmap to access device registers
* @multiop_lock: to serialize multiple register operations
+ * @chip_id: chip ID read from hardware
* @ref: array of input references' invariants
* @out: array of outs' invariants
* @synth: array of synths' invariants
@@ -48,6 +49,7 @@ struct zl3073x_dev {
struct device *dev;
struct regmap *regmap;
struct mutex multiop_lock;
+ u16 chip_id;
/* Invariants */
struct zl3073x_ref ref[ZL3073X_NUM_REFS];
@@ -144,6 +146,32 @@ int zl3073x_write_hwreg_seq(struct zl3073x_dev *zldev,
int zl3073x_ref_phase_offsets_update(struct zl3073x_dev *zldev, int channel);
+/**
+ * zl3073x_dev_is_ref_phase_comp_32bit - check ref phase comp register size
+ * @zldev: pointer to zl3073x device
+ *
+ * Some chip IDs have a 32-bit wide ref_phase_offset_comp register instead
+ * of the default 48-bit.
+ *
+ * Return: true if the register is 32-bit, false if 48-bit
+ */
+static inline bool
+zl3073x_dev_is_ref_phase_comp_32bit(struct zl3073x_dev *zldev)
+{
+ switch (zldev->chip_id) {
+ case 0x0E30:
+ case 0x0E93:
+ case 0x0E94:
+ case 0x0E95:
+ case 0x0E96:
+ case 0x0E97:
+ case 0x1F60:
+ return true;
+ default:
+ return false;
+ }
+}
+
static inline bool
zl3073x_is_n_pin(u8 id)
{
diff --git a/drivers/dpll/zl3073x/dpll.c b/drivers/dpll/zl3073x/dpll.c
index 78edc36b17fb..8ffbede117c6 100644
--- a/drivers/dpll/zl3073x/dpll.c
+++ b/drivers/dpll/zl3073x/dpll.c
@@ -475,8 +475,11 @@ zl3073x_dpll_input_pin_phase_adjust_get(const struct dpll_pin *dpll_pin,
ref_id = zl3073x_input_pin_ref_get(pin->id);
ref = zl3073x_ref_state_get(zldev, ref_id);
- /* Perform sign extension for 48bit signed value */
- phase_comp = sign_extend64(ref->phase_comp, 47);
+ /* Perform sign extension based on register width */
+ if (zl3073x_dev_is_ref_phase_comp_32bit(zldev))
+ phase_comp = sign_extend64(ref->phase_comp, 31);
+ else
+ phase_comp = sign_extend64(ref->phase_comp, 47);
/* Reverse two's complement negation applied during set and convert
* to 32bit signed int
diff --git a/drivers/dpll/zl3073x/ref.c b/drivers/dpll/zl3073x/ref.c
index aa2de13effa8..6b65e6103999 100644
--- a/drivers/dpll/zl3073x/ref.c
+++ b/drivers/dpll/zl3073x/ref.c
@@ -121,8 +121,16 @@ int zl3073x_ref_state_fetch(struct zl3073x_dev *zldev, u8 index)
return rc;
/* Read phase compensation register */
- rc = zl3073x_read_u48(zldev, ZL_REG_REF_PHASE_OFFSET_COMP,
- &ref->phase_comp);
+ if (zl3073x_dev_is_ref_phase_comp_32bit(zldev)) {
+ u32 val;
+
+ rc = zl3073x_read_u32(zldev, ZL_REG_REF_PHASE_OFFSET_COMP_32,
+ &val);
+ ref->phase_comp = val;
+ } else {
+ rc = zl3073x_read_u48(zldev, ZL_REG_REF_PHASE_OFFSET_COMP,
+ &ref->phase_comp);
+ }
if (rc)
return rc;
@@ -179,9 +187,16 @@ int zl3073x_ref_state_set(struct zl3073x_dev *zldev, u8 index,
if (!rc && dref->sync_ctrl != ref->sync_ctrl)
rc = zl3073x_write_u8(zldev, ZL_REG_REF_SYNC_CTRL,
ref->sync_ctrl);
- if (!rc && dref->phase_comp != ref->phase_comp)
- rc = zl3073x_write_u48(zldev, ZL_REG_REF_PHASE_OFFSET_COMP,
- ref->phase_comp);
+ if (!rc && dref->phase_comp != ref->phase_comp) {
+ if (zl3073x_dev_is_ref_phase_comp_32bit(zldev))
+ rc = zl3073x_write_u32(zldev,
+ ZL_REG_REF_PHASE_OFFSET_COMP_32,
+ ref->phase_comp);
+ else
+ rc = zl3073x_write_u48(zldev,
+ ZL_REG_REF_PHASE_OFFSET_COMP,
+ ref->phase_comp);
+ }
if (rc)
return rc;
diff --git a/drivers/dpll/zl3073x/regs.h b/drivers/dpll/zl3073x/regs.h
index d837bee72b17..5573d7188406 100644
--- a/drivers/dpll/zl3073x/regs.h
+++ b/drivers/dpll/zl3073x/regs.h
@@ -194,6 +194,7 @@
#define ZL_REF_CONFIG_DIFF_EN BIT(2)
#define ZL_REG_REF_PHASE_OFFSET_COMP ZL_REG(10, 0x28, 6)
+#define ZL_REG_REF_PHASE_OFFSET_COMP_32 ZL_REG(10, 0x28, 4)
#define ZL_REG_REF_SYNC_CTRL ZL_REG(10, 0x2e, 1)
#define ZL_REF_SYNC_CTRL_MODE GENMASK(2, 0)
--
2.50.1 (Apple Git-155)

45
1217-dpll-zl3073x-remove-redundant-cleanup-in-devm-dpll-init.patch Normal file
View File

@ -0,0 +1,45 @@
From b8350c49178e346cd8c90a0d950918d1985ec92d Mon Sep 17 00:00:00 2001
From: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
Date: Thu, 2 Apr 2026 14:24:24 +0000
Subject: [PATCH] dpll: zl3073x: Remove redundant cleanup in devm_dpll_init()
JIRA: https://redhat.atlassian.net/browse/RHEL-164429
commit 676c7af91fcd740d34e7cb788cbc58e3bcafde39
Author: Felix Gu <ustc.gu@gmail.com>
Date: Tue Feb 24 19:04:04 2026 +0800
dpll: zl3073x: Remove redundant cleanup in devm_dpll_init()
The devm_add_action_or_reset() function already executes the cleanup
action on failure before returning an error, so the explicit goto error
and subsequent zl3073x_dev_dpll_fini() call causes double cleanup.
Fixes: ebb1031c5137 ("dpll: zl3073x: Refactor DPLL initialization")
Reviewed-by: Ivan Vecera <ivecera@redhat.com>
Signed-off-by: Felix Gu <ustc.gu@gmail.com>
Link: https://patch.msgid.link/20260224-dpll-v2-1-d7786414a830@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
diff --git a/drivers/dpll/zl3073x/core.c b/drivers/dpll/zl3073x/core.c
index 8c5ee28e02f4..37f3c33570ee 100644
--- a/drivers/dpll/zl3073x/core.c
+++ b/drivers/dpll/zl3073x/core.c
@@ -981,11 +981,7 @@ zl3073x_devm_dpll_init(struct zl3073x_dev *zldev, u8 num_dplls)
}
/* Add devres action to release DPLL related resources */
- rc = devm_add_action_or_reset(zldev->dev, zl3073x_dev_dpll_fini, zldev);
- if (rc)
- goto error;
-
- return 0;
+ return devm_add_action_or_reset(zldev->dev, zl3073x_dev_dpll_fini, zldev);
error:
zl3073x_dev_dpll_fini(zldev);
--
2.50.1 (Apple Git-155)

63
1218-io-uring-rsrc-reject-zero-length-fixed-buffer-import.patch Normal file
View File

@ -0,0 +1,63 @@
From 78752da1c6bff4652005000d2dfb0171e13ca1b5 Mon Sep 17 00:00:00 2001
From: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
Date: Fri, 1 May 2026 16:51:46 +0000
Subject: [PATCH] io_uring/rsrc: reject zero-length fixed buffer import
JIRA: https://redhat.atlassian.net/browse/RHEL-172557
CVE: CVE-2026-43006
commit 111a12b422a8cfa93deabaef26fec48237163214
Author: Qi Tang <tpluszz77@gmail.com>
Date: Mon Mar 30 00:49:36 2026 +0800
io_uring/rsrc: reject zero-length fixed buffer import
validate_fixed_range() admits buf_addr at the exact end of the
registered region when len is zero, because the check uses strict
greater-than (buf_end > imu->ubuf + imu->len). io_import_fixed()
then computes offset == imu->len, which causes the bvec skip logic
to advance past the last bio_vec entry and read bv_offset from
out-of-bounds slab memory.
Return early from io_import_fixed() when len is zero. A zero-length
import has no data to transfer and should not walk the bvec array
at all.
BUG: KASAN: slab-out-of-bounds in io_import_reg_buf+0x697/0x7f0
Read of size 4 at addr ffff888002bcc254 by task poc/103
Call Trace:
io_import_reg_buf+0x697/0x7f0
io_write_fixed+0xd9/0x250
__io_issue_sqe+0xad/0x710
io_issue_sqe+0x7d/0x1100
io_submit_sqes+0x86a/0x23c0
__do_sys_io_uring_enter+0xa98/0x1590
Allocated by task 103:
The buggy address is located 12 bytes to the right of
allocated 584-byte region [ffff888002bcc000, ffff888002bcc248)
Fixes: 8622b20f23ed ("io_uring: add validate_fixed_range() for validate fixed buffer")
Signed-off-by: Qi Tang <tpluszz77@gmail.com>
Link: https://patch.msgid.link/20260329164936.240871-1-tpluszz77@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
diff --git a/io_uring/rsrc.c b/io_uring/rsrc.c
index 5b40f7992e41..3f0a7c0efd25 100644
--- a/io_uring/rsrc.c
+++ b/io_uring/rsrc.c
@@ -1072,6 +1072,10 @@ static int io_import_fixed(int ddir, struct iov_iter *iter,
return ret;
if (!(imu->dir & (1 << ddir)))
return -EFAULT;
+ if (unlikely(!len)) {
+ iov_iter_bvec(iter, ddir, NULL, 0, 0);
+ return 0;
+ }
offset = buf_addr - imu->ubuf;
--
2.50.1 (Apple Git-155)

58
1219-netfilter-nf-conntrack-helper-pass-helper-to-expect-cleanup.patch Normal file
View File

@ -0,0 +1,58 @@
From 2c16e4d64dd91227742dfe196a3e7b0568bef65a Mon Sep 17 00:00:00 2001
From: Qi Tang <tpluszz77@gmail.com>
Date: Mon, 30 Mar 2026 00:50:36 +0800
Subject: [PATCH] netfilter: nf_conntrack_helper: pass helper to expect cleanup
[ Upstream commit a242a9ae58aa46ff7dae51ce64150a93957abe65 ]
nf_conntrack_helper_unregister() calls nf_ct_expect_iterate_destroy()
to remove expectations belonging to the helper being unregistered.
However, it passes NULL instead of the helper pointer as the data
argument, so expect_iter_me() never matches any expectation and all
of them survive the cleanup.
After unregister returns, nfnl_cthelper_del() frees the helper
object immediately. Subsequent expectation dumps or packet-driven
init_conntrack() calls then dereference the freed exp->helper,
causing a use-after-free.
Pass the actual helper pointer so expectations referencing it are
properly destroyed before the helper object is freed.
BUG: KASAN: slab-use-after-free in string+0x38f/0x430
Read of size 1 at addr ffff888003b14d20 by task poc/103
Call Trace:
string+0x38f/0x430
vsnprintf+0x3cc/0x1170
seq_printf+0x17a/0x240
exp_seq_show+0x2e5/0x560
seq_read_iter+0x419/0x1280
proc_reg_read+0x1ac/0x270
vfs_read+0x179/0x930
ksys_read+0xef/0x1c0
Freed by task 103:
The buggy address is located 32 bytes inside of
freed 192-byte region [ffff888003b14d00, ffff888003b14dc0)
Fixes: ac7b84839003 ("netfilter: expect: add and use nf_ct_expect_iterate helpers")
Signed-off-by: Qi Tang <tpluszz77@gmail.com>
Reviewed-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
index ceb48c3ca0a4..9d7d36ac8308 100644
--- a/net/netfilter/nf_conntrack_helper.c
+++ b/net/netfilter/nf_conntrack_helper.c
@@ -419,7 +419,7 @@ void nf_conntrack_helper_unregister(struct nf_conntrack_helper *me)
*/
synchronize_rcu();
- nf_ct_expect_iterate_destroy(expect_iter_me, NULL);
+ nf_ct_expect_iterate_destroy(expect_iter_me, me);
nf_ct_iterate_destroy(unhelp, me);
}
EXPORT_SYMBOL_GPL(nf_conntrack_helper_unregister);
--
2.50.1 (Apple Git-155)

63
1220-hid-wacom-fix-out-of-bounds-read-in-wacom-intuos-bt-irq.patch Normal file
View File

@ -0,0 +1,63 @@
From 210b53b805eca1a334bcb30d2d1899e7a4a5c927 Mon Sep 17 00:00:00 2001
From: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
Date: Fri, 1 May 2026 19:07:14 +0000
Subject: [PATCH] HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
JIRA: https://redhat.atlassian.net/browse/RHEL-172748
CVE: CVE-2026-43051
commit 2f1763f62909ccb6386ac50350fa0abbf5bb16a9
Author: Benoît Sevens <bsevens@google.com>
Date: Tue Mar 3 13:58:28 2026 +0000
HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq
The wacom_intuos_bt_irq() function processes Bluetooth HID reports
without sufficient bounds checking. A maliciously crafted short report
can trigger an out-of-bounds read when copying data into the wacom
structure.
Specifically, report 0x03 requires at least 22 bytes to safely read
the processed data and battery status, while report 0x04 (which
falls through to 0x03) requires 32 bytes.
Add explicit length checks for these report IDs and log a warning if
a short report is received.
Signed-off-by: Benoît Sevens <bsevens@google.com>
Reviewed-by: Jason Gerecke <jason.gerecke@wacom.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c
index 9b2c710f8da1..da1f0ea85625 100644
--- a/drivers/hid/wacom_wac.c
+++ b/drivers/hid/wacom_wac.c
@@ -1208,10 +1208,20 @@ static int wacom_intuos_bt_irq(struct wacom_wac *wacom, size_t len)
switch (data[0]) {
case 0x04:
+ if (len < 32) {
+ dev_warn(wacom->pen_input->dev.parent,
+ "Report 0x04 too short: %zu bytes\n", len);
+ break;
+ }
wacom_intuos_bt_process_data(wacom, data + i);
i += 10;
fallthrough;
case 0x03:
+ if (i == 1 && len < 22) {
+ dev_warn(wacom->pen_input->dev.parent,
+ "Report 0x03 too short: %zu bytes\n", len);
+ break;
+ }
wacom_intuos_bt_process_data(wacom, data + i);
i += 10;
wacom_intuos_bt_process_data(wacom, data + i);
--
2.50.1 (Apple Git-155)

41
1221-redhat-configs-enable-config-aqtion-on-all-archs.patch Normal file
View File

@ -0,0 +1,41 @@
From fc27138508fcc8346d22d229d55424ee4f54d2b5 Mon Sep 17 00:00:00 2001
From: Michal Schmidt <mschmidt@redhat.com>
Date: Tue, 27 Jan 2026 14:57:53 +0100
Subject: [PATCH] redhat/configs: enable CONFIG_AQTION on all archs
JIRA: https://issues.redhat.com/browse/RHEL-150852
Upstream status: Posted https://gitlab.com/cki-project/kernel-ark/-/merge_requests/4391
The Aquantia "atlantic" network driver was previously enabled in RHEL
only for x86 and automotive aarch64. We know of at least one
non-automotive aarch64 computer model that needs this driver.
Let's just enable the driver for all archs, because it's not typical to
have NIC drivers selected for only some of them.
No more is there a difference between the fedora and rhel config for
CONFIG_AQTION, so put it in common.
Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
diff --git a/redhat/configs/rhel/automotive/generic/arm/aarch64/CONFIG_AQTION b/redhat/configs/common/generic/CONFIG_AQTION
similarity index 100%
rename from redhat/configs/rhel/automotive/generic/arm/aarch64/CONFIG_AQTION
rename to redhat/configs/common/generic/CONFIG_AQTION
diff --git a/redhat/configs/rhel/generic/CONFIG_AQTION b/redhat/configs/rhel/generic/CONFIG_AQTION
deleted file mode 100644
index 42dea55ccf3b..000000000000
--- a/redhat/configs/rhel/generic/CONFIG_AQTION
+++ /dev/null
@@ -1 +0,0 @@
-# CONFIG_AQTION is not set
diff --git a/redhat/configs/rhel/generic/x86/CONFIG_AQTION b/redhat/configs/rhel/generic/x86/CONFIG_AQTION
deleted file mode 100644
index 7812ca016377..000000000000
--- a/redhat/configs/rhel/generic/x86/CONFIG_AQTION
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_AQTION=m
--
2.50.1 (Apple Git-155)

40
1222-wifi-brcmfmac-validate-bsscfg-indices-in-if-events.patch Normal file
View File

@ -0,0 +1,40 @@
From 9fca68c2512a362cad258e4df12a307bb2ee4b8e Mon Sep 17 00:00:00 2001
From: Pengpeng Hou <pengpeng@iscas.ac.cn>
Date: Mon, 23 Mar 2026 15:45:51 +0800
Subject: [PATCH] wifi: brcmfmac: validate bsscfg indices in IF events
[ Upstream commit 304950a467d83678bd0b0f46331882e2ac23b12d ]
brcmf_fweh_handle_if_event() validates the firmware-provided interface
index before it touches drvr->iflist[], but it still uses the raw
bsscfgidx field as an array index without a matching range check.
Reject IF events whose bsscfg index does not fit in drvr->iflist[]
before indexing the interface array.
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Link: https://patch.msgid.link/20260323074551.93530-1-pengpeng@iscas.ac.cn
[add missing wifi prefix]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
index f0b6a7607f16..0e4461596466 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
@@ -152,6 +152,11 @@ static void brcmf_fweh_handle_if_event(struct brcmf_pub *drvr,
bphy_err(drvr, "invalid interface index: %u\n", ifevent->ifidx);
return;
}
+ if (ifevent->bsscfgidx >= BRCMF_MAX_IFS) {
+ bphy_err(drvr, "invalid bsscfg index: %u\n",
+ ifevent->bsscfgidx);
+ return;
+ }
ifp = drvr->iflist[ifevent->bsscfgidx];
--
2.50.1 (Apple Git-155)

207
1223-netfilter-ctnetlink-ensure-safe-access-to-master-conntrack.patch Normal file
View File

@ -0,0 +1,207 @@
From bffcaad9afdfe45d7fc777397d3b83c1e3ebffe5 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 25 Mar 2026 14:11:04 +0100
Subject: [PATCH] netfilter: ctnetlink: ensure safe access to master conntrack
Holding reference on the expectation is not sufficient, the master
conntrack object can just go away, making exp->master invalid.
To access exp->master safely:
- Grab the nf_conntrack_expect_lock, this gets serialized with
clean_from_lists() which also holds this lock when the master
conntrack goes away.
- Hold reference on master conntrack via nf_conntrack_find_get().
Not so easy since the master tuple to look up for the master conntrack
is not available in the existing problematic paths.
This patch goes for extending the nf_conntrack_expect_lock section
to address this issue for simplicity, in the cases that are described
below this is just slightly extending the lock section.
The add expectation command already holds a reference to the master
conntrack from ctnetlink_create_expect().
However, the delete expectation command needs to grab the spinlock
before looking up for the expectation. Expand the existing spinlock
section to address this to cover the expectation lookup. Note that,
the nf_ct_expect_iterate_net() calls already grabs the spinlock while
iterating over the expectation table, which is correct.
The get expectation command needs to grab the spinlock to ensure master
conntrack does not go away. This also expands the existing spinlock
section to cover the expectation lookup too. I needed to move the
netlink skb allocation out of the spinlock to keep it GFP_KERNEL.
For the expectation events, the IPEXP_DESTROY event is already delivered
under the spinlock, just move the delivery of IPEXP_NEW under the
spinlock too because the master conntrack event cache is reached through
exp->master.
While at it, add lockdep notations to help identify what codepaths need
to grab the spinlock.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
diff --git a/include/net/netfilter/nf_conntrack_core.h b/include/net/netfilter/nf_conntrack_core.h
index 3384859a8921..8883575adcc1 100644
--- a/include/net/netfilter/nf_conntrack_core.h
+++ b/include/net/netfilter/nf_conntrack_core.h
@@ -83,6 +83,11 @@ void nf_conntrack_lock(spinlock_t *lock);
extern spinlock_t nf_conntrack_expect_lock;
+static inline void lockdep_nfct_expect_lock_held(void)
+{
+ lockdep_assert_held(&nf_conntrack_expect_lock);
+}
+
/* ctnetlink code shared by both ctnetlink and nf_conntrack_bpf */
static inline void __nf_ct_set_timeout(struct nf_conn *ct, u64 timeout)
diff --git a/net/netfilter/nf_conntrack_ecache.c b/net/netfilter/nf_conntrack_ecache.c
index 81baf2082604..9df159448b89 100644
--- a/net/netfilter/nf_conntrack_ecache.c
+++ b/net/netfilter/nf_conntrack_ecache.c
@@ -247,6 +247,8 @@ void nf_ct_expect_event_report(enum ip_conntrack_expect_events event,
struct nf_ct_event_notifier *notify;
struct nf_conntrack_ecache *e;
+ lockdep_nfct_expect_lock_held();
+
rcu_read_lock();
notify = rcu_dereference(net->ct.nf_conntrack_event_cb);
if (!notify)
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index 64977db12b1d..1cbe5f1108c2 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -51,6 +51,7 @@ void nf_ct_unlink_expect_report(struct nf_conntrack_expect *exp,
struct net *net = nf_ct_exp_net(exp);
struct nf_conntrack_net *cnet;
+ lockdep_nfct_expect_lock_held();
WARN_ON(!master_help);
WARN_ON(timer_pending(&exp->timeout));
@@ -118,6 +119,8 @@ nf_ct_exp_equal(const struct nf_conntrack_tuple *tuple,
bool nf_ct_remove_expect(struct nf_conntrack_expect *exp)
{
+ lockdep_nfct_expect_lock_held();
+
if (timer_delete(&exp->timeout)) {
nf_ct_unlink_expect(exp);
nf_ct_expect_put(exp);
@@ -177,6 +180,8 @@ nf_ct_find_expectation(struct net *net,
struct nf_conntrack_expect *i, *exp = NULL;
unsigned int h;
+ lockdep_nfct_expect_lock_held();
+
if (!cnet->expect_count)
return NULL;
@@ -454,6 +459,8 @@ static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect,
unsigned int h;
int ret = 0;
+ lockdep_nfct_expect_lock_held();
+
if (!master_help) {
ret = -ESHUTDOWN;
goto out;
@@ -510,8 +517,9 @@ int nf_ct_expect_related_report(struct nf_conntrack_expect *expect,
nf_ct_expect_insert(expect);
- spin_unlock_bh(&nf_conntrack_expect_lock);
nf_ct_expect_event_report(IPEXP_NEW, expect, portid, report);
+ spin_unlock_bh(&nf_conntrack_expect_lock);
+
return 0;
out:
spin_unlock_bh(&nf_conntrack_expect_lock);
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 8477c3736432..89540112d165 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -3355,31 +3355,37 @@ static int ctnetlink_get_expect(struct sk_buff *skb,
if (err < 0)
return err;
+ skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
+ if (!skb2)
+ return -ENOMEM;
+
+ spin_lock_bh(&nf_conntrack_expect_lock);
exp = nf_ct_expect_find_get(info->net, &zone, &tuple);
- if (!exp)
+ if (!exp) {
+ spin_unlock_bh(&nf_conntrack_expect_lock);
+ kfree_skb(skb2);
return -ENOENT;
+ }
if (cda[CTA_EXPECT_ID]) {
__be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);
if (id != nf_expect_get_id(exp)) {
nf_ct_expect_put(exp);
+ spin_unlock_bh(&nf_conntrack_expect_lock);
+ kfree_skb(skb2);
return -ENOENT;
}
}
- skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
- if (!skb2) {
- nf_ct_expect_put(exp);
- return -ENOMEM;
- }
-
rcu_read_lock();
err = ctnetlink_exp_fill_info(skb2, NETLINK_CB(skb).portid,
info->nlh->nlmsg_seq, IPCTNL_MSG_EXP_NEW,
exp);
rcu_read_unlock();
nf_ct_expect_put(exp);
+ spin_unlock_bh(&nf_conntrack_expect_lock);
+
if (err <= 0) {
kfree_skb(skb2);
return -ENOMEM;
@@ -3426,22 +3432,26 @@ static int ctnetlink_del_expect(struct sk_buff *skb,
if (err < 0)
return err;
+ spin_lock_bh(&nf_conntrack_expect_lock);
+
/* bump usage count to 2 */
exp = nf_ct_expect_find_get(info->net, &zone, &tuple);
- if (!exp)
+ if (!exp) {
+ spin_unlock_bh(&nf_conntrack_expect_lock);
return -ENOENT;
+ }
if (cda[CTA_EXPECT_ID]) {
__be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);
if (id != nf_expect_get_id(exp)) {
nf_ct_expect_put(exp);
+ spin_unlock_bh(&nf_conntrack_expect_lock);
return -ENOENT;
}
}
/* after list removal, usage count == 1 */
- spin_lock_bh(&nf_conntrack_expect_lock);
if (timer_delete(&exp->timeout)) {
nf_ct_unlink_expect_report(exp, NETLINK_CB(skb).portid,
nlmsg_report(info->nlh));
--
2.50.1 (Apple Git-155)

38
1224-netfilter-xt-tcpmss-check-remaining-length-before-reading-op.patch Normal file
View File

@ -0,0 +1,38 @@
From 8b300f726640c48c3edfe9c453334dd801f4b74e Mon Sep 17 00:00:00 2001
From: Florian Westphal <fw@strlen.de>
Date: Mon, 19 Jan 2026 12:30:42 +0100
Subject: [PATCH] netfilter: xt_tcpmss: check remaining length before reading
optlen
[ Upstream commit 735ee8582da3d239eb0c7a53adca61b79fb228b3 ]
Quoting reporter:
In net/netfilter/xt_tcpmss.c (lines 53-68), the TCP option parser reads
op[i+1] directly without validating the remaining option length.
If the last byte of the option field is not EOL/NOP (0/1), the code attempts
to index op[i+1]. In the case where i + 1 == optlen, this causes an
out-of-bounds read, accessing memory past the optlen boundary
(either reading beyond the stack buffer _opt or the
following payload).
Reported-by: sungzii <sungzii@pm.me>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
diff --git a/net/netfilter/xt_tcpmss.c b/net/netfilter/xt_tcpmss.c
index 37704ab01799..0d32d4841cb3 100644
--- a/net/netfilter/xt_tcpmss.c
+++ b/net/netfilter/xt_tcpmss.c
@@ -61,7 +61,7 @@ tcpmss_mt(const struct sk_buff *skb, struct xt_action_param *par)
return (mssval >= info->mss_min &&
mssval <= info->mss_max) ^ info->invert;
}
- if (op[i] < 2)
+ if (op[i] < 2 || i == optlen - 1)
i++;
else
i += op[i+1] ? : 1;
--
2.50.1 (Apple Git-155)

120
1225-net-fix-rcu-tasks-stall-in-threaded-busypoll.patch Normal file
View File

@ -0,0 +1,120 @@
From 1a86a1f7d88996085934139fa4c063b6299a2dd3 Mon Sep 17 00:00:00 2001
From: YiFei Zhu <zhuyifei@google.com>
Date: Fri, 27 Feb 2026 22:19:37 +0000
Subject: [PATCH] net: Fix rcu_tasks stall in threaded busypoll
I was debugging a NIC driver when I noticed that when I enable
threaded busypoll, bpftrace hangs when starting up. dmesg showed:
rcu_tasks_wait_gp: rcu_tasks grace period number 85 (since boot) is 10658 jiffies old.
rcu_tasks_wait_gp: rcu_tasks grace period number 85 (since boot) is 40793 jiffies old.
rcu_tasks_wait_gp: rcu_tasks grace period number 85 (since boot) is 131273 jiffies old.
rcu_tasks_wait_gp: rcu_tasks grace period number 85 (since boot) is 402058 jiffies old.
INFO: rcu_tasks detected stalls on tasks:
00000000769f52cd: .N nvcsw: 2/2 holdout: 1 idle_cpu: -1/64
task:napi/eth2-8265 state:R running task stack:0 pid:48300 tgid:48300 ppid:2 task_flags:0x208040 flags:0x00004000
Call Trace:
<TASK>
? napi_threaded_poll_loop+0x27c/0x2c0
? __pfx_napi_threaded_poll+0x10/0x10
? napi_threaded_poll+0x26/0x80
? kthread+0xfa/0x240
? __pfx_kthread+0x10/0x10
? ret_from_fork+0x31/0x50
? __pfx_kthread+0x10/0x10
? ret_from_fork_asm+0x1a/0x30
</TASK>
The cause is that in threaded busypoll, the main loop is in
napi_threaded_poll rather than napi_threaded_poll_loop, where the
latter rarely iterates more than once within its loop. For
rcu_softirq_qs_periodic inside napi_threaded_poll_loop to report its
qs state, the last_qs must be 100ms behind, and this can't happen
because napi_threaded_poll_loop rarely iterates in threaded busypoll,
and each time napi_threaded_poll_loop is called last_qs is reset to
latest jiffies.
This patch changes so that in threaded busypoll, last_qs is saved
in the outer napi_threaded_poll, and whether busy_poll_last_qs
is NULL indicates whether napi_threaded_poll_loop is called for
busypoll. This way last_qs would not reset to latest jiffies on
each invocation of napi_threaded_poll_loop.
Fixes: c18d4b190a46 ("net: Extend NAPI threaded polling to allow kthread based busy polling")
Cc: stable@vger.kernel.org
Signed-off-by: YiFei Zhu <zhuyifei@google.com>
Reviewed-by: Samiullah Khawaja <skhawaja@google.com>
Link: https://patch.msgid.link/20260227221937.1060857-1-zhuyifei@google.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
diff --git a/net/core/dev.c b/net/core/dev.c
index c1a9f7fdcffa..4af4cf2d63a4 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -7794,11 +7794,12 @@ static int napi_thread_wait(struct napi_struct *napi)
return -1;
}
-static void napi_threaded_poll_loop(struct napi_struct *napi, bool busy_poll)
+static void napi_threaded_poll_loop(struct napi_struct *napi,
+ unsigned long *busy_poll_last_qs)
{
+ unsigned long last_qs = busy_poll_last_qs ? *busy_poll_last_qs : jiffies;
struct bpf_net_context __bpf_net_ctx, *bpf_net_ctx;
struct softnet_data *sd;
- unsigned long last_qs = jiffies;
for (;;) {
bool repoll = false;
@@ -7827,12 +7828,12 @@ static void napi_threaded_poll_loop(struct napi_struct *napi, bool busy_poll)
/* When busy poll is enabled, the old packets are not flushed in
* napi_complete_done. So flush them here.
*/
- if (busy_poll)
+ if (busy_poll_last_qs)
gro_flush_normal(&napi->gro, HZ >= 1000);
local_bh_enable();
/* Call cond_resched here to avoid watchdog warnings. */
- if (repoll || busy_poll) {
+ if (repoll || busy_poll_last_qs) {
rcu_softirq_qs_periodic(last_qs);
cond_resched();
}
@@ -7840,11 +7841,15 @@ static void napi_threaded_poll_loop(struct napi_struct *napi, bool busy_poll)
if (!repoll)
break;
}
+
+ if (busy_poll_last_qs)
+ *busy_poll_last_qs = last_qs;
}
static int napi_threaded_poll(void *data)
{
struct napi_struct *napi = data;
+ unsigned long last_qs = jiffies;
bool want_busy_poll;
bool in_busy_poll;
unsigned long val;
@@ -7862,7 +7867,7 @@ static int napi_threaded_poll(void *data)
assign_bit(NAPI_STATE_IN_BUSY_POLL, &napi->state,
want_busy_poll);
- napi_threaded_poll_loop(napi, want_busy_poll);
+ napi_threaded_poll_loop(napi, want_busy_poll ? &last_qs : NULL);
}
return 0;
@@ -13175,7 +13180,7 @@ static void run_backlog_napi(unsigned int cpu)
{
struct softnet_data *sd = per_cpu_ptr(&softnet_data, cpu);
- napi_threaded_poll_loop(&sd->backlog, false);
+ napi_threaded_poll_loop(&sd->backlog, NULL);
}
static void backlog_napi_setup(unsigned int cpu)
--
2.50.1 (Apple Git-155)

93
1226-ice-use-netif-get-num-default-rss-queues.patch Normal file
View File

@ -0,0 +1,93 @@
From 6f111820b89b5076991ab62d7833a48951a09d4c Mon Sep 17 00:00:00 2001
From: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
Date: Thu, 7 May 2026 09:35:56 +0000
Subject: [PATCH] ice: use netif_get_num_default_rss_queues()
JIRA: https://redhat.atlassian.net/browse/RHEL-172305
commit ee13aa1a2c5a68943a730ddbde300ba11b84229c
Author: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
Date: Thu Oct 30 09:30:53 2025 +0100
ice: use netif_get_num_default_rss_queues()
On some high-core systems (like AMD EPYC Bergamo, Intel Clearwater
Forest) loading ice driver with default values can lead to queue/irq
exhaustion. It will result in no additional resources for SR-IOV.
In most cases there is no performance reason for more than half
num_cpus(). Limit the default value to it using generic
netif_get_num_default_rss_queues().
Still, using ethtool the number of queues can be changed up to
num_online_cpus(). It can be done by calling:
$ethtool -L ethX combined $(nproc)
This change affects only the default queue amount.
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Signed-off-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
diff --git a/drivers/net/ethernet/intel/ice/ice_irq.c b/drivers/net/ethernet/intel/ice/ice_irq.c
index 30801fd375f0..1d9b2d646474 100644
--- a/drivers/net/ethernet/intel/ice/ice_irq.c
+++ b/drivers/net/ethernet/intel/ice/ice_irq.c
@@ -106,9 +106,10 @@ static struct ice_irq_entry *ice_get_irq_res(struct ice_pf *pf,
#define ICE_RDMA_AEQ_MSIX 1
static int ice_get_default_msix_amount(struct ice_pf *pf)
{
- return ICE_MIN_LAN_OICR_MSIX + num_online_cpus() +
+ return ICE_MIN_LAN_OICR_MSIX + netif_get_num_default_rss_queues() +
(test_bit(ICE_FLAG_FD_ENA, pf->flags) ? ICE_FDIR_MSIX : 0) +
- (ice_is_rdma_ena(pf) ? num_online_cpus() + ICE_RDMA_AEQ_MSIX : 0);
+ (ice_is_rdma_ena(pf) ? netif_get_num_default_rss_queues() +
+ ICE_RDMA_AEQ_MSIX : 0);
}
/**
diff --git a/drivers/net/ethernet/intel/ice/ice_lib.c b/drivers/net/ethernet/intel/ice/ice_lib.c
index 32c2f4c315c7..c8e463e73426 100644
--- a/drivers/net/ethernet/intel/ice/ice_lib.c
+++ b/drivers/net/ethernet/intel/ice/ice_lib.c
@@ -155,12 +155,14 @@ static void ice_vsi_set_num_desc(struct ice_vsi *vsi)
static u16 ice_get_rxq_count(struct ice_pf *pf)
{
- return min(ice_get_avail_rxq_count(pf), num_online_cpus());
+ return min(ice_get_avail_rxq_count(pf),
+ netif_get_num_default_rss_queues());
}
static u16 ice_get_txq_count(struct ice_pf *pf)
{
- return min(ice_get_avail_txq_count(pf), num_online_cpus());
+ return min(ice_get_avail_txq_count(pf),
+ netif_get_num_default_rss_queues());
}
/**
@@ -909,13 +911,15 @@ static void ice_vsi_set_rss_params(struct ice_vsi *vsi)
if (vsi->type == ICE_VSI_CHNL)
vsi->rss_size = min_t(u16, vsi->num_rxq, max_rss_size);
else
- vsi->rss_size = min_t(u16, num_online_cpus(),
+ vsi->rss_size = min_t(u16,
+ netif_get_num_default_rss_queues(),
max_rss_size);
vsi->rss_lut_type = ICE_LUT_PF;
break;
case ICE_VSI_SF:
vsi->rss_table_size = ICE_LUT_VSI_SIZE;
- vsi->rss_size = min_t(u16, num_online_cpus(), max_rss_size);
+ vsi->rss_size = min_t(u16, netif_get_num_default_rss_queues(),
+ max_rss_size);
vsi->rss_lut_type = ICE_LUT_VSI;
break;
case ICE_VSI_VF:
--
2.50.1 (Apple Git-155)

128
1227-ice-set-max-queues-in-alloc-etherdev-mqs.patch Normal file
View File

@ -0,0 +1,128 @@
From 7e7d215f3f0eb53e12f2374ecc7cfe68abda3463 Mon Sep 17 00:00:00 2001
From: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
Date: Thu, 7 May 2026 09:35:57 +0000
Subject: [PATCH] ice: set max queues in alloc_etherdev_mqs()
JIRA: https://redhat.atlassian.net/browse/RHEL-172305
commit c7fcd269e1e07b2aa4bb37ffce7543c340796433
Author: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
Date: Mon Feb 23 13:51:57 2026 +0100
ice: set max queues in alloc_etherdev_mqs()
When allocating netdevice using alloc_etherdev_mqs() the maximum
supported queues number should be passed. The vsi->alloc_txq/rxq is
storing current number of queues, not the maximum ones.
Use the same function for getting max Tx and Rx queues which is used
during ethtool -l call to set maximum number of queues during netdev
allocation.
Reproduction steps:
$ethtool -l $pf # says current 16, max 64
$ethtool -S $pf # fine
$ethtool -L $pf combined 40 # crash
[491187.472594] Call Trace:
[491187.472829] <TASK>
[491187.473067] netif_set_xps_queue+0x26/0x40
[491187.473305] ice_vsi_cfg_txq+0x265/0x3d0 [ice]
[491187.473619] ice_vsi_cfg_lan_txqs+0x68/0xa0 [ice]
[491187.473918] ice_vsi_cfg_lan+0x2b/0xa0 [ice]
[491187.474202] ice_vsi_open+0x71/0x170 [ice]
[491187.474484] ice_vsi_recfg_qs+0x17f/0x230 [ice]
[491187.474759] ? dev_get_min_mp_channel_count+0xab/0xd0
[491187.474987] ice_set_channels+0x185/0x3d0 [ice]
[491187.475278] ethnl_set_channels+0x26f/0x340
Fixes: ee13aa1a2c5a ("ice: use netif_get_num_default_rss_queues()")
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Signed-off-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Tested-by: Alexander Nowlin <alexander.nowlin@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
diff --git a/drivers/net/ethernet/intel/ice/ice.h b/drivers/net/ethernet/intel/ice/ice.h
index 00f75d87c73f..ae1ebf507f29 100644
--- a/drivers/net/ethernet/intel/ice/ice.h
+++ b/drivers/net/ethernet/intel/ice/ice.h
@@ -839,6 +839,28 @@ static inline void ice_tx_xsk_pool(struct ice_vsi *vsi, u16 qid)
WRITE_ONCE(ring->xsk_pool, ice_get_xp_from_qid(vsi, qid));
}
+/**
+ * ice_get_max_txq - return the maximum number of Tx queues for in a PF
+ * @pf: PF structure
+ *
+ * Return: maximum number of Tx queues
+ */
+static inline int ice_get_max_txq(struct ice_pf *pf)
+{
+ return min(num_online_cpus(), pf->hw.func_caps.common_cap.num_txq);
+}
+
+/**
+ * ice_get_max_rxq - return the maximum number of Rx queues for in a PF
+ * @pf: PF structure
+ *
+ * Return: maximum number of Rx queues
+ */
+static inline int ice_get_max_rxq(struct ice_pf *pf)
+{
+ return min(num_online_cpus(), pf->hw.func_caps.common_cap.num_rxq);
+}
+
/**
* ice_get_main_vsi - Get the PF VSI
* @pf: PF instance
diff --git a/drivers/net/ethernet/intel/ice/ice_ethtool.c b/drivers/net/ethernet/intel/ice/ice_ethtool.c
index e9f2618950c8..33c818226565 100644
--- a/drivers/net/ethernet/intel/ice/ice_ethtool.c
+++ b/drivers/net/ethernet/intel/ice/ice_ethtool.c
@@ -3756,24 +3756,6 @@ ice_get_ts_info(struct net_device *dev, struct kernel_ethtool_ts_info *info)
return 0;
}
-/**
- * ice_get_max_txq - return the maximum number of Tx queues for in a PF
- * @pf: PF structure
- */
-static int ice_get_max_txq(struct ice_pf *pf)
-{
- return min(num_online_cpus(), pf->hw.func_caps.common_cap.num_txq);
-}
-
-/**
- * ice_get_max_rxq - return the maximum number of Rx queues for in a PF
- * @pf: PF structure
- */
-static int ice_get_max_rxq(struct ice_pf *pf)
-{
- return min(num_online_cpus(), pf->hw.func_caps.common_cap.num_rxq);
-}
-
/**
* ice_get_combined_cnt - return the current number of combined channels
* @vsi: PF VSI pointer
diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c
index 27c519918fb2..c77c95e4f5c6 100644
--- a/drivers/net/ethernet/intel/ice/ice_main.c
+++ b/drivers/net/ethernet/intel/ice/ice_main.c
@@ -4699,8 +4699,8 @@ static int ice_cfg_netdev(struct ice_vsi *vsi)
struct net_device *netdev;
u8 mac_addr[ETH_ALEN];
- netdev = alloc_etherdev_mqs(sizeof(*np), vsi->alloc_txq,
- vsi->alloc_rxq);
+ netdev = alloc_etherdev_mqs(sizeof(*np), ice_get_max_txq(vsi->back),
+ ice_get_max_rxq(vsi->back));
if (!netdev)
return -ENOMEM;
--
2.50.1 (Apple Git-155)

132
1228-anon-inode-use-a-proper-mode-internally.patch Normal file
View File

@ -0,0 +1,132 @@
From ad4c21b7a2a9f224f45989127541560ccf7cdf53 Mon Sep 17 00:00:00 2001
From: Rafael Aquini <raquini@redhat.com>
Date: Mon, 11 May 2026 10:39:34 -0400
Subject: [PATCH] anon_inode: use a proper mode internally
JIRA: https://issues.redhat.com/browse/RHEL-171616
Conflicts:
* fs/anon_inodes.c: minor context difference due to RHEL-10 missing unrelated
commit c1feab95e0b2 ("add a string-to-qstr constructor")
* fs/internal.h: minor context difference due to RHEL-10 missing unrelated
commits da06e3c51794 ("fs: don't needlessly acquire f_lock") and
37c4a9590e1e ("statmount: allow to retrieve idmappings")
commit cfd86ef7e8e7b9e015707e46479a6b1de141eed0
Author: Christian Brauner <brauner@kernel.org>
Date: Mon Apr 7 11:54:15 2025 +0200
anon_inode: use a proper mode internally
This allows the VFS to not trip over anonymous inodes and we can add
asserts based on the mode into the vfs. When we report it to userspace
we can simply hide the mode to avoid regressions. I've audited all
direct callers of alloc_anon_inode() and only secretmen overrides i_mode
and i_op inode operations but it already uses a regular file.
Link: https://lore.kernel.org/20250407-work-anon_inode-v1-1-53a44c20d44e@kernel.org
Fixes: af153bb63a336 ("vfs: catch invalid modes in may_open()")
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Cc: stable@vger.kernel.org # all LTS kernels
Reported-by: syzbot+5d8e79d323a13aa0b248@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/67ed3fb3.050a0220.14623d.0009.GAE@google.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Rafael Aquini <raquini@redhat.com>
diff --git a/fs/anon_inodes.c b/fs/anon_inodes.c
index 5a070be69922..7c07b22c1d47 100644
--- a/fs/anon_inodes.c
+++ b/fs/anon_inodes.c
@@ -24,9 +24,43 @@
#include <linux/uaccess.h>
+#include "internal.h"
+
static struct vfsmount *anon_inode_mnt __ro_after_init;
static struct inode *anon_inode_inode __ro_after_init;
+/*
+ * User space expects anonymous inodes to have no file type in st_mode.
+ *
+ * In particular, 'lsof' has this legacy logic:
+ *
+ * type = s->st_mode & S_IFMT;
+ * switch (type) {
+ * ...
+ * case 0:
+ * if (!strcmp(p, "anon_inode"))
+ * Lf->ntype = Ntype = N_ANON_INODE;
+ *
+ * to detect our old anon_inode logic.
+ *
+ * Rather than mess with our internal sane inode data, just fix it
+ * up here in getattr() by masking off the format bits.
+ */
+int anon_inode_getattr(struct mnt_idmap *idmap, const struct path *path,
+ struct kstat *stat, u32 request_mask,
+ unsigned int query_flags)
+{
+ struct inode *inode = d_inode(path->dentry);
+
+ generic_fillattr(&nop_mnt_idmap, request_mask, inode, stat);
+ stat->mode &= ~S_IFMT;
+ return 0;
+}
+
+static const struct inode_operations anon_inode_operations = {
+ .getattr = anon_inode_getattr,
+};
+
/*
* anon_inodefs_dname() is called from d_path().
*/
@@ -78,6 +112,7 @@ struct inode *anon_inode_make_secure_inode(struct super_block *sb, const char *n
if (IS_ERR(inode))
return inode;
inode->i_flags &= ~S_PRIVATE;
+ inode->i_op = &anon_inode_operations;
error = security_inode_init_security_anon(inode, &qname, context_inode);
if (error) {
iput(inode);
@@ -326,6 +361,7 @@ static int __init anon_inode_init(void)
anon_inode_inode = alloc_anon_inode(anon_inode_mnt->mnt_sb);
if (IS_ERR(anon_inode_inode))
panic("anon_inode_init() inode allocation failed (%ld)\n", PTR_ERR(anon_inode_inode));
+ anon_inode_inode->i_op = &anon_inode_operations;
return 0;
}
diff --git a/fs/internal.h b/fs/internal.h
index b555366c7974..afa926ccee7e 100644
--- a/fs/internal.h
+++ b/fs/internal.h
@@ -338,3 +338,6 @@ static inline bool path_mounted(const struct path *path)
return path->mnt->mnt_root == path->dentry;
}
void file_f_owner_release(struct file *file);
+int anon_inode_getattr(struct mnt_idmap *idmap, const struct path *path,
+ struct kstat *stat, u32 request_mask,
+ unsigned int query_flags);
diff --git a/fs/libfs.c b/fs/libfs.c
index 7fd661bb935f..4e9de5aa4d7f 100644
--- a/fs/libfs.c
+++ b/fs/libfs.c
@@ -1651,7 +1651,13 @@ struct inode *alloc_anon_inode(struct super_block *s)
* that it already _is_ on the dirty list.
*/
inode->i_state = I_DIRTY;
- inode->i_mode = S_IRUSR | S_IWUSR;
+ /*
+ * Historically anonymous inodes didn't have a type at all and
+ * userspace has come to rely on this. Internally they're just
+ * regular files but S_IFREG is masked off when reporting
+ * information to userspace.
+ */
+ inode->i_mode = S_IFREG | S_IRUSR | S_IWUSR;
inode->i_uid = current_fsuid();
inode->i_gid = current_fsgid();
inode->i_flags |= S_PRIVATE;
--
2.50.1 (Apple Git-155)

65
1229-pidfs-use-anon-inode-getattr.patch Normal file
View File

@ -0,0 +1,65 @@
From a858622b427be763192f8557cc9cafa3076d845b Mon Sep 17 00:00:00 2001
From: Rafael Aquini <raquini@redhat.com>
Date: Mon, 11 May 2026 10:39:35 -0400
Subject: [PATCH] pidfs: use anon_inode_getattr()
JIRA: https://issues.redhat.com/browse/RHEL-171616
commit 37e62dafbfaba467975b0a8c11b9ffaa678f8559
Author: Christian Brauner <brauner@kernel.org>
Date: Mon Apr 7 11:54:16 2025 +0200
pidfs: use anon_inode_getattr()
So far pidfs did use it's own version. Just use the generic version. We
use our own wrappers because we're going to be implementing our own
retrieval properties soon.
Link: https://lore.kernel.org/20250407-work-anon_inode-v1-2-53a44c20d44e@kernel.org
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Rafael Aquini <raquini@redhat.com>
diff --git a/fs/pidfs.c b/fs/pidfs.c
index 4a76e19ba7ed..27d6d9328b57 100644
--- a/fs/pidfs.c
+++ b/fs/pidfs.c
@@ -571,33 +571,11 @@ static int pidfs_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
return -EOPNOTSUPP;
}
-
-/*
- * User space expects pidfs inodes to have no file type in st_mode.
- *
- * In particular, 'lsof' has this legacy logic:
- *
- * type = s->st_mode & S_IFMT;
- * switch (type) {
- * ...
- * case 0:
- * if (!strcmp(p, "anon_inode"))
- * Lf->ntype = Ntype = N_ANON_INODE;
- *
- * to detect our old anon_inode logic.
- *
- * Rather than mess with our internal sane inode data, just fix it
- * up here in getattr() by masking off the format bits.
- */
static int pidfs_getattr(struct mnt_idmap *idmap, const struct path *path,
struct kstat *stat, u32 request_mask,
unsigned int query_flags)
{
- struct inode *inode = d_inode(path->dentry);
-
- generic_fillattr(&nop_mnt_idmap, request_mask, inode, stat);
- stat->mode &= ~S_IFMT;
- return 0;
+ return anon_inode_getattr(idmap, path, stat, request_mask, query_flags);
}
static const struct inode_operations pidfs_inode_operations = {
--
2.50.1 (Apple Git-155)

93
1230-anon-inode-explicitly-block-setattr.patch Normal file
View File

@ -0,0 +1,93 @@
From b71e05c047c7f227e96201fa4eb9e4929ac96deb Mon Sep 17 00:00:00 2001
From: Rafael Aquini <raquini@redhat.com>
Date: Mon, 11 May 2026 10:39:35 -0400
Subject: [PATCH] anon_inode: explicitly block ->setattr()
JIRA: https://issues.redhat.com/browse/RHEL-171616
commit 22bdf3d6581af6d06ed8a46c6835648421cca0ea
Author: Christian Brauner <brauner@kernel.org>
Date: Mon Apr 7 11:54:17 2025 +0200
anon_inode: explicitly block ->setattr()
It is currently possible to change the mode and owner of the single
anonymous inode in the kernel:
int main(int argc, char *argv[])
{
int ret, sfd;
sigset_t mask;
struct signalfd_siginfo fdsi;
sigemptyset(&mask);
sigaddset(&mask, SIGINT);
sigaddset(&mask, SIGQUIT);
ret = sigprocmask(SIG_BLOCK, &mask, NULL);
if (ret < 0)
_exit(1);
sfd = signalfd(-1, &mask, 0);
if (sfd < 0)
_exit(2);
ret = fchown(sfd, 5555, 5555);
if (ret < 0)
_exit(3);
ret = fchmod(sfd, 0777);
if (ret < 0)
_exit(3);
_exit(4);
}
This is a bug. It's not really a meaningful one because anonymous inodes
don't really figure into path lookup and they cannot be reopened via
/proc/<pid>/fd/<nr> and can't be used for lookup itself. So they can
only ever serve as direct references.
But it is still completely bogus to allow the mode and ownership or any
of the properties of the anonymous inode to be changed. Block this!
Link: https://lore.kernel.org/20250407-work-anon_inode-v1-3-53a44c20d44e@kernel.org
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Cc: stable@vger.kernel.org # all LTS kernels
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Rafael Aquini <raquini@redhat.com>
diff --git a/fs/anon_inodes.c b/fs/anon_inodes.c
index 7c07b22c1d47..344355616d3a 100644
--- a/fs/anon_inodes.c
+++ b/fs/anon_inodes.c
@@ -57,8 +57,15 @@ int anon_inode_getattr(struct mnt_idmap *idmap, const struct path *path,
return 0;
}
+int anon_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
+ struct iattr *attr)
+{
+ return -EOPNOTSUPP;
+}
+
static const struct inode_operations anon_inode_operations = {
.getattr = anon_inode_getattr,
+ .setattr = anon_inode_setattr,
};
/*
diff --git a/fs/internal.h b/fs/internal.h
index afa926ccee7e..dd13dfde4adb 100644
--- a/fs/internal.h
+++ b/fs/internal.h
@@ -341,3 +341,5 @@ void file_f_owner_release(struct file *file);
int anon_inode_getattr(struct mnt_idmap *idmap, const struct path *path,
struct kstat *stat, u32 request_mask,
unsigned int query_flags);
+int anon_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
+ struct iattr *attr);
--
2.50.1 (Apple Git-155)

39
1231-pidfs-use-anon-inode-setattr.patch Normal file
View File

@ -0,0 +1,39 @@
From 28d6f8e1f875929ce59405c0b04fa0a5ec700a4e Mon Sep 17 00:00:00 2001
From: Rafael Aquini <raquini@redhat.com>
Date: Mon, 11 May 2026 10:39:35 -0400
Subject: [PATCH] pidfs: use anon_inode_setattr()
JIRA: https://issues.redhat.com/browse/RHEL-171616
commit c83b9024966090fe0df92aab16975b8d00089e1f
Author: Christian Brauner <brauner@kernel.org>
Date: Mon Apr 7 11:54:18 2025 +0200
pidfs: use anon_inode_setattr()
So far pidfs did use it's own version. Just use the generic version.
We use our own wrappers because we're going to be implementing
properties soon.
Link: https://lore.kernel.org/20250407-work-anon_inode-v1-4-53a44c20d44e@kernel.org
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Rafael Aquini <raquini@redhat.com>
diff --git a/fs/pidfs.c b/fs/pidfs.c
index 27d6d9328b57..d6c0ed79ea24 100644
--- a/fs/pidfs.c
+++ b/fs/pidfs.c
@@ -568,7 +568,7 @@ static struct vfsmount *pidfs_mnt __ro_after_init;
static int pidfs_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
struct iattr *attr)
{
- return -EOPNOTSUPP;
+ return anon_inode_setattr(idmap, dentry, attr);
}
static int pidfs_getattr(struct mnt_idmap *idmap, const struct path *path,
--
2.50.1 (Apple Git-155)

51
1232-anon-inode-raise-sb-i-nodev-and-sb-i-noexec.patch Normal file
View File

@ -0,0 +1,51 @@
From d4ba40dd8868449ba10ac26798718c4e0336a241 Mon Sep 17 00:00:00 2001
From: Rafael Aquini <raquini@redhat.com>
Date: Mon, 11 May 2026 10:39:36 -0400
Subject: [PATCH] anon_inode: raise SB_I_NODEV and SB_I_NOEXEC
JIRA: https://issues.redhat.com/browse/RHEL-171616
commit 1ed95281c0c77dbb1540f9855cd3c5f19900f7a5
Author: Christian Brauner <brauner@kernel.org>
Date: Mon Apr 7 11:54:19 2025 +0200
anon_inode: raise SB_I_NODEV and SB_I_NOEXEC
It isn't possible to execute anonymous inodes because they cannot be
opened in any way after they have been created. This includes execution:
execveat(fd_anon_inode, "", NULL, NULL, AT_EMPTY_PATH)
Anonymous inodes have inode->f_op set to no_open_fops which sets
no_open() which returns ENXIO. That means any call to do_dentry_open()
which is the endpoint of the do_open_execat() will fail. There's no
chance to execute an anonymous inode. Unless a given subsystem overrides
it ofc.
However, we should still harden this and raise SB_I_NODEV and
SB_I_NOEXEC on the superblock itself so that no one gets any creative
ideas.
Link: https://lore.kernel.org/20250407-work-anon_inode-v1-5-53a44c20d44e@kernel.org
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Cc: stable@vger.kernel.org # all LTS kernels
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Rafael Aquini <raquini@redhat.com>
diff --git a/fs/anon_inodes.c b/fs/anon_inodes.c
index 344355616d3a..b3445f5c8544 100644
--- a/fs/anon_inodes.c
+++ b/fs/anon_inodes.c
@@ -86,6 +86,8 @@ static int anon_inodefs_init_fs_context(struct fs_context *fc)
struct pseudo_fs_context *ctx = init_pseudo(fc, ANON_INODE_FS_MAGIC);
if (!ctx)
return -ENOMEM;
+ fc->s_iflags |= SB_I_NOEXEC;
+ fc->s_iflags |= SB_I_NODEV;
ctx->dops = &anon_inodefs_dentry_operations;
return 0;
}
--
2.50.1 (Apple Git-155)

170
1233-fs-add-s-anon-inode.patch Normal file
View File

@ -0,0 +1,170 @@
From 0e6f0c4069e34ae66ce960879b5a88ae0ce9aab8 Mon Sep 17 00:00:00 2001
From: Rafael Aquini <raquini@redhat.com>
Date: Mon, 11 May 2026 10:39:37 -0400
Subject: [PATCH] fs: add S_ANON_INODE
JIRA: https://issues.redhat.com/browse/RHEL-171616
Conflicts:
* mm/readahead.c: in order to reduce differences and make the porting cleaner
we are folding the hunk from 6348be02eead ("fdget(), trivial conversions")
commit 19bbfe7b5fcc04d8711e8e1352acc77c1a5c3955
Author: Christian Brauner <brauner@kernel.org>
Date: Mon Apr 21 10:27:40 2025 +0200
fs: add S_ANON_INODE
This makes it easy to detect proper anonymous inodes and to ensure that
we can detect them in codepaths such as readahead().
Readahead on anonymous inodes didn't work because they didn't have a
proper mode. Now that they have we need to retain EINVAL being returned
otherwise LTP will fail.
We also need to ensure that ioctls aren't simply fired like they are for
regular files so things like inotify inodes continue to correctly call
their own ioctl handlers as in [1].
Reported-by: Xilin Wu <sophon@radxa.com>
Link: https://lore.kernel.org/3A9139D5CD543962+89831381-31b9-4392-87ec-a84a5b3507d8@radxa.com [1]
Link: https://lore.kernel.org/7a1a7076-ff6b-4cb0-94e7-7218a0a44028@sirena.org.uk
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Rafael Aquini <raquini@redhat.com>
diff --git a/fs/ioctl.c b/fs/ioctl.c
index 6e0c954388d4..4dbd5627af8f 100644
--- a/fs/ioctl.c
+++ b/fs/ioctl.c
@@ -822,7 +822,8 @@ static int do_vfs_ioctl(struct file *filp, unsigned int fd,
return ioctl_fioasync(fd, filp, argp);
case FIOQSIZE:
- if (S_ISDIR(inode->i_mode) || S_ISREG(inode->i_mode) ||
+ if (S_ISDIR(inode->i_mode) ||
+ (S_ISREG(inode->i_mode) && !IS_ANON_FILE(inode)) ||
S_ISLNK(inode->i_mode)) {
loff_t res = inode_get_bytes(inode);
return copy_to_user(argp, &res, sizeof(res)) ?
@@ -857,7 +858,7 @@ static int do_vfs_ioctl(struct file *filp, unsigned int fd,
return ioctl_file_dedupe_range(filp, argp);
case FIONREAD:
- if (!S_ISREG(inode->i_mode))
+ if (!S_ISREG(inode->i_mode) || IS_ANON_FILE(inode))
return vfs_ioctl(filp, cmd, arg);
return put_user(i_size_read(inode) - filp->f_pos,
@@ -882,7 +883,7 @@ static int do_vfs_ioctl(struct file *filp, unsigned int fd,
return ioctl_get_fs_sysfs_path(filp, argp);
default:
- if (S_ISREG(inode->i_mode))
+ if (S_ISREG(inode->i_mode) && !IS_ANON_FILE(inode))
return file_ioctl(filp, cmd, argp);
break;
}
diff --git a/fs/libfs.c b/fs/libfs.c
index 4e9de5aa4d7f..c4a305967619 100644
--- a/fs/libfs.c
+++ b/fs/libfs.c
@@ -1660,7 +1660,7 @@ struct inode *alloc_anon_inode(struct super_block *s)
inode->i_mode = S_IFREG | S_IRUSR | S_IWUSR;
inode->i_uid = current_fsuid();
inode->i_gid = current_fsgid();
- inode->i_flags |= S_PRIVATE;
+ inode->i_flags |= S_PRIVATE | S_ANON_INODE;
simple_inode_init_ts(inode);
return inode;
}
diff --git a/fs/pidfs.c b/fs/pidfs.c
index d6c0ed79ea24..7e10fac8e623 100644
--- a/fs/pidfs.c
+++ b/fs/pidfs.c
@@ -804,7 +804,7 @@ static int pidfs_init_inode(struct inode *inode, void *data)
const struct pid *pid = data;
inode->i_private = data;
- inode->i_flags |= S_PRIVATE;
+ inode->i_flags |= S_PRIVATE | S_ANON_INODE;
inode->i_mode |= S_IRWXU;
inode->i_op = &pidfs_inode_operations;
inode->i_fop = &pidfs_file_operations;
diff --git a/include/linux/fs.h b/include/linux/fs.h
index 3e14c4eb64f4..fa47510429f0 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -2319,6 +2319,7 @@ struct super_operations {
#define S_CASEFOLD (1 << 15) /* Casefolded file */
#define S_VERITY (1 << 16) /* Verity file (using fs/verity/) */
#define S_KERNEL_FILE (1 << 17) /* File is in use by the kernel (eg. fs/cachefiles) */
+#define S_ANON_INODE (1 << 19) /* Inode is an anonymous inode */
/*
* Note that nosuid etc flags are inode-specific: setting some file-system
@@ -2375,6 +2376,7 @@ static inline bool sb_rdonly(const struct super_block *sb) { return sb->s_flags
#define IS_WHITEOUT(inode) (S_ISCHR(inode->i_mode) && \
(inode)->i_rdev == WHITEOUT_DEV)
+#define IS_ANON_FILE(inode) ((inode)->i_flags & S_ANON_INODE)
static inline bool HAS_UNMAPPED_ID(struct mnt_idmap *idmap,
struct inode *inode)
diff --git a/mm/readahead.c b/mm/readahead.c
index 2dbe5993b6aa..a3547f923249 100644
--- a/mm/readahead.c
+++ b/mm/readahead.c
@@ -678,29 +678,34 @@ EXPORT_SYMBOL_GPL(page_cache_async_ra);
ssize_t ksys_readahead(int fd, loff_t offset, size_t count)
{
- ssize_t ret;
- struct fd f;
+ struct file *file;
+ const struct inode *inode;
- ret = -EBADF;
- f = fdget(fd);
- if (!fd_file(f) || !(fd_file(f)->f_mode & FMODE_READ))
- goto out;
+ CLASS(fd, f)(fd);
+ if (fd_empty(f))
+ return -EBADF;
+
+ file = fd_file(f);
+ if (!(file->f_mode & FMODE_READ))
+ return -EBADF;
/*
* The readahead() syscall is intended to run only on files
* that can execute readahead. If readahead is not possible
* on this file, then we must return -EINVAL.
*/
- ret = -EINVAL;
- if (!fd_file(f)->f_mapping || !fd_file(f)->f_mapping->a_ops ||
- (!S_ISREG(file_inode(fd_file(f))->i_mode) &&
- !S_ISBLK(file_inode(fd_file(f))->i_mode)))
- goto out;
-
- ret = vfs_fadvise(fd_file(f), offset, count, POSIX_FADV_WILLNEED);
-out:
- fdput(f);
- return ret;
+ if (!file->f_mapping)
+ return -EINVAL;
+ if (!file->f_mapping->a_ops)
+ return -EINVAL;
+
+ inode = file_inode(file);
+ if (!S_ISREG(inode->i_mode) && !S_ISBLK(inode->i_mode))
+ return -EINVAL;
+ if (IS_ANON_FILE(inode))
+ return -EINVAL;
+
+ return vfs_fadvise(fd_file(f), offset, count, POSIX_FADV_WILLNEED);
}
SYSCALL_DEFINE3(readahead, int, fd, loff_t, offset, size_t, count)
--
2.50.1 (Apple Git-155)

99
1234-mm-thp-deny-thp-for-files-on-anonymous-inodes.patch Normal file
View File

@ -0,0 +1,99 @@
From 48e45ffbeff0fbb5ef475a31ae664106312862a6 Mon Sep 17 00:00:00 2001
From: Rafael Aquini <raquini@redhat.com>
Date: Mon, 11 May 2026 10:39:39 -0400
Subject: [PATCH] mm: thp: deny THP for files on anonymous inodes
JIRA: https://issues.redhat.com/browse/RHEL-171616
CVE: CVE-2026-23375
commit dd085fe9a8ebfc5d10314c60452db38d2b75e609
Author: Deepanshu Kartikey <kartikey406@gmail.com>
Date: Sat Feb 14 05:45:35 2026 +0530
mm: thp: deny THP for files on anonymous inodes
file_thp_enabled() incorrectly allows THP for files on anonymous inodes
(e.g. guest_memfd and secretmem). These files are created via
alloc_file_pseudo(), which does not call get_write_access() and leaves
inode->i_writecount at 0. Combined with S_ISREG(inode->i_mode) being
true, they appear as read-only regular files when
CONFIG_READ_ONLY_THP_FOR_FS is enabled, making them eligible for THP
collapse.
Anonymous inodes can never pass the inode_is_open_for_write() check
since their i_writecount is never incremented through the normal VFS
open path. The right thing to do is to exclude them from THP eligibility
altogether, since CONFIG_READ_ONLY_THP_FOR_FS was designed for real
filesystem files (e.g. shared libraries), not for pseudo-filesystem
inodes.
For guest_memfd, this allows khugepaged and MADV_COLLAPSE to create
large folios in the page cache via the collapse path, but the
guest_memfd fault handler does not support large folios. This triggers
WARN_ON_ONCE(folio_test_large(folio)) in kvm_gmem_fault_user_mapping().
For secretmem, collapse_file() tries to copy page contents through the
direct map, but secretmem pages are removed from the direct map. This
can result in a kernel crash:
BUG: unable to handle page fault for address: ffff88810284d000
RIP: 0010:memcpy_orig+0x16/0x130
Call Trace:
collapse_file
hpage_collapse_scan_file
madvise_collapse
Secretmem is not affected by the crash on upstream as the memory failure
recovery handles the failed copy gracefully, but it still triggers
confusing false memory failure reports:
Memory failure: 0x106d96f: recovery action for clean unevictable
LRU page: Recovered
Check IS_ANON_FILE(inode) in file_thp_enabled() to deny THP for all
anonymous inode files.
Link: https://syzkaller.appspot.com/bug?extid=33a04338019ac7e43a44
Link: https://lore.kernel.org/linux-mm/CAEvNRgHegcz3ro35ixkDw39ES8=U6rs6S7iP0gkR9enr7HoGtA@mail.gmail.com
Link: https://lkml.kernel.org/r/20260214001535.435626-1-kartikey406@gmail.com
Fixes: 7fbb5e188248 ("mm: remove VM_EXEC requirement for THP eligibility")
Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
Reported-by: syzbot+33a04338019ac7e43a44@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=33a04338019ac7e43a44
Tested-by: syzbot+33a04338019ac7e43a44@syzkaller.appspotmail.com
Tested-by: Lance Yang <lance.yang@linux.dev>
Acked-by: David Hildenbrand (Arm) <david@kernel.org>
Reviewed-by: Barry Song <baohua@kernel.org>
Reviewed-by: Ackerley Tng <ackerleytng@google.com>
Tested-by: Ackerley Tng <ackerleytng@google.com>
Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Baolin Wang <baolin.wang@linux.alibaba.com>
Cc: Dev Jain <dev.jain@arm.com>
Cc: Fangrui Song <i@maskray.me>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Nico Pache <npache@redhat.com>
Cc: Ryan Roberts <ryan.roberts@arm.com>
Cc: Yang Shi <shy828301@gmail.com>
Cc: Zi Yan <ziy@nvidia.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Rafael Aquini <raquini@redhat.com>
diff --git a/mm/huge_memory.c b/mm/huge_memory.c
index 832dafc300cd..3b996dedfeae 100644
--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -95,6 +95,9 @@ static inline bool file_thp_enabled(struct vm_area_struct *vma)
inode = file_inode(vma->vm_file);
+ if (IS_ANON_FILE(inode))
+ return false;
+
return !inode_is_open_for_write(inode) && S_ISREG(inode->i_mode);
}
--
2.50.1 (Apple Git-155)

59
1235-dpaa2-switch-prevent-zero-size-ptr-dereference-when-num-ifs-.patch Normal file
View File

@ -0,0 +1,59 @@
From a62505231a34f83c11618b0922e5b09739252a2b Mon Sep 17 00:00:00 2001
From: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
Date: Mon, 11 May 2026 19:40:32 +0000
Subject: [PATCH] dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs
is zero
JIRA: https://redhat.atlassian.net/browse/RHEL-174253
CVE: CVE-2026-43205
commit ed48a84a72fefb20a82dd90a7caa7807e90c6f66
Author: Junrui Luo <moonafterrain@outlook.com>
Date: Wed Jan 28 16:07:34 2026 +0800
dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero
The driver allocates arrays for ports, FDBs, and filter blocks using
kcalloc() with ethsw->sw_attr.num_ifs as the element count. When the
device reports zero interfaces (either due to hardware configuration
or firmware issues), kcalloc(0, ...) returns ZERO_SIZE_PTR (0x10)
instead of NULL.
Later in dpaa2_switch_probe(), the NAPI initialization unconditionally
accesses ethsw->ports[0]->netdev, which attempts to dereference
ZERO_SIZE_PTR (address 0x10), resulting in a kernel panic.
Add a check to ensure num_ifs is greater than zero after retrieving
device attributes. This prevents the zero-sized allocations and
subsequent invalid pointer dereference.
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Reported-by: Junrui Luo <moonafterrain@outlook.com>
Fixes: 0b1b71370458 ("staging: dpaa2-switch: handle Rx path on control interface")
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/SYBPR01MB7881BEABA8DA896947962470AF91A@SYBPR01MB7881.ausprd01.prod.outlook.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
index a293b08f36d4..527c78f4d27d 100644
--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
+++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
@@ -3014,6 +3014,12 @@ static int dpaa2_switch_init(struct fsl_mc_device *sw_dev)
goto err_close;
}
+ if (!ethsw->sw_attr.num_ifs) {
+ dev_err(dev, "DPSW device has no interfaces\n");
+ err = -ENODEV;
+ goto err_close;
+ }
+
err = dpsw_get_api_version(ethsw->mc_io, 0,
&ethsw->major,
&ethsw->minor);
--
2.50.1 (Apple Git-155)

63
1236-dpaa2-switch-validate-num-ifs-to-prevent-out-of-bounds-write.patch Normal file
View File

@ -0,0 +1,63 @@
From 6548cef4d0e49c99a72be88b236c36a486b38feb Mon Sep 17 00:00:00 2001
From: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
Date: Mon, 11 May 2026 19:40:34 +0000
Subject: [PATCH] dpaa2-switch: validate num_ifs to prevent out-of-bounds write
JIRA: https://redhat.atlassian.net/browse/RHEL-174253
CVE: CVE-2026-43205
commit 8a5752c6dcc085a3bfc78589925182e4e98468c5
Author: Junrui Luo <moonafterrain@outlook.com>
Date: Tue Feb 24 19:05:56 2026 +0800
dpaa2-switch: validate num_ifs to prevent out-of-bounds write
The driver obtains sw_attr.num_ifs from firmware via dpsw_get_attributes()
but never validates it against DPSW_MAX_IF (64). This value controls
iteration in dpaa2_switch_fdb_get_flood_cfg(), which writes port indices
into the fixed-size cfg->if_id[DPSW_MAX_IF] array. When firmware reports
num_ifs >= 64, the loop can write past the array bounds.
Add a bound check for num_ifs in dpaa2_switch_init().
dpaa2_switch_fdb_get_flood_cfg() appends the control interface (port
num_ifs) after all matched ports. When num_ifs == DPSW_MAX_IF and all
ports match the flood filter, the loop fills all 64 slots and the control
interface write overflows by one entry.
The check uses >= because num_ifs == DPSW_MAX_IF is also functionally
broken.
build_if_id_bitmap() silently drops any ID >= 64:
if (id[i] < DPSW_MAX_IF)
bmap[id[i] / 64] |= ...
Fixes: 539dda3c5d19 ("staging: dpaa2-switch: properly setup switching domains")
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Reviewed-by: Ioana Ciornei <ioana.ciornei@nxp.com>
Link: https://patch.msgid.link/SYBPR01MB78812B47B7F0470B617C408AAF74A@SYBPR01MB7881.ausprd01.prod.outlook.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
index 527c78f4d27d..2eb47789422e 100644
--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
+++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
@@ -3020,6 +3020,13 @@ static int dpaa2_switch_init(struct fsl_mc_device *sw_dev)
goto err_close;
}
+ if (ethsw->sw_attr.num_ifs >= DPSW_MAX_IF) {
+ dev_err(dev, "DPSW num_ifs %u exceeds max %u\n",
+ ethsw->sw_attr.num_ifs, DPSW_MAX_IF);
+ err = -EINVAL;
+ goto err_close;
+ }
+
err = dpsw_get_api_version(ethsw->mc_io, 0,
&ethsw->major,
&ethsw->minor);
--
2.50.1 (Apple Git-155)

71
1237-mm-page-alloc-clear-page-private-in-free-pages-prepare.patch Normal file
View File

@ -0,0 +1,71 @@
From 5ef3d81484dc39a21467dfa1f36da3ada378be74 Mon Sep 17 00:00:00 2001
From: Rafael Aquini <raquini@redhat.com>
Date: Mon, 11 May 2026 16:41:59 -0400
Subject: [PATCH] mm/page_alloc: clear page->private in free_pages_prepare()
JIRA: https://issues.redhat.com/browse/RHEL-174757
CVE: CVE-2026-43303
Conflicts:
* minor context difference due to RHEL-10 missing upstream commit
53fbef56e07d ("mm: introduce memdesc_flags_t") and its series.
commit ac1ea219590c09572ed5992dc233bbf7bb70fef9
Author: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
Date: Sat Feb 7 22:36:14 2026 +0500
mm/page_alloc: clear page->private in free_pages_prepare()
Several subsystems (slub, shmem, ttm, etc.) use page->private but don't
clear it before freeing pages. When these pages are later allocated as
high-order pages and split via split_page(), tail pages retain stale
page->private values.
This causes a use-after-free in the swap subsystem. The swap code uses
page->private to track swap count continuations, assuming freshly
allocated pages have page->private == 0. When stale values are present,
swap_count_continued() incorrectly assumes the continuation list is valid
and iterates over uninitialized page->lru containing LIST_POISON values,
causing a crash:
KASAN: maybe wild-memory-access in range [0xdead000000000100-0xdead000000000107]
RIP: 0010:__do_sys_swapoff+0x1151/0x1860
Fix this by clearing page->private in free_pages_prepare(), ensuring all
freed pages have clean state regardless of previous use.
Link: https://lkml.kernel.org/r/20260207173615.146159-1-mikhail.v.gavrilov@gmail.com
Fixes: 3b8000ae185c ("mm/vmalloc: huge vmalloc backing pages should be split rather than compound")
Signed-off-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
Suggested-by: Zi Yan <ziy@nvidia.com>
Acked-by: Zi Yan <ziy@nvidia.com>
Acked-by: David Hildenbrand (Arm) <david@kernel.org>
Reviewed-by: Vlastimil Babka <vbabka@suse.cz>
Cc: Brendan Jackman <jackmanb@google.com>
Cc: Chris Li <chrisl@kernel.org>
Cc: Hugh Dickins <hughd@google.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Kairui Song <ryncsn@gmail.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Nicholas Piggin <npiggin@gmail.com>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Rafael Aquini <raquini@redhat.com>
diff --git a/mm/page_alloc.c b/mm/page_alloc.c
index 73a45cc33a86..72c979ea3121 100644
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -1135,6 +1135,7 @@ __always_inline bool free_pages_prepare(struct page *page,
page_cpupid_reset_last(page);
page->flags &= ~PAGE_FLAGS_CHECK_AT_PREP;
+ page->private = 0;
reset_page_owner(page, order);
page_table_check_free(page, order);
pgalloc_tag_sub(page, 1 << order);
--
2.50.1 (Apple Git-155)

36
1238-redhat-kernel-spec-template-disable-objtool-werror-for-gcov-.patch Normal file
View File

@ -0,0 +1,36 @@
From 1689ee487def887a6e105f5bd858545cbafa8ba5 Mon Sep 17 00:00:00 2001
From: Oleksii Baranov <olebaran@redhat.com>
Date: Tue, 2 Jun 2026 10:12:10 +0200
Subject: [PATCH] redhat/kernel.spec.template: disable OBJTOOL_WERROR for gcov
builds
JIRA: INTERNAL
Upstream Status: RHEL only
There is a known issue with the gcov builds related to vmlinux.o: error:
objtool: pvh_start_xen+0x64: relocation to !ENDBR: pvh_start_xen+0x0.
Disabling the WERROR to make that error a warning and pass the build.
Signed-off-by: Oleksii Baranov <olebaran@redhat.com>
diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template
index 9f6983c1a6dc..306afba015a4 100644
--- a/redhat/kernel.spec.template
+++ b/redhat/kernel.spec.template
@@ -2118,6 +2118,13 @@ do
done
rm -f $i.tmp
done
+%if %{with_gcov}
+%{log_msg "Disabling CONFIG_OBJTOOL_WERROR for gcov build"}
+for i in %{all_configs}
+do
+ sed -i "s|CONFIG_OBJTOOL_WERROR=y|# CONFIG_OBJTOOL_WERROR is not set|g" $i
+done
+%endif
%endif
%if %{signkernel}%{signmodules}
--
2.50.1 (Apple Git-155)

55
1239-dm-thin-fix-metadata-refcount-underflow.patch Normal file
View File

@ -0,0 +1,55 @@
From 323d252a4a378834e4fe68298ca61cfc5dd3a460 Mon Sep 17 00:00:00 2001
From: Mikulas Patocka <mpatocka@redhat.com>
Date: Mon, 20 Apr 2026 19:56:44 +0200
Subject: [PATCH] dm-thin: fix metadata refcount underflow
commit 09a65adc7d8bbfce06392cb6d375468e2728ead5 upstream.
There's a bug in dm-thin in the function rebalance_children. If the
internal btree node has one entry, the code tries to copy all btree
entries from the node's child to the node itself and then decrement the
child's reference count.
If the child node is shared (it has reference count > 1), we won't free
it, so there would be two pointers to each of the grandchildren nodes.
But the reference counts of the grandchildren is not increased, thus the
reference count doesn't match the number of pointers that point to the
grandchildren. This results in "device mapper: space map common: unable
to decrement block" errors.
Fix this bug by incrementing reference counts on the grandchildren if the
btree node is shared.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Fixes: 3241b1d3e0aa ("dm: add persistent data library")
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/drivers/md/persistent-data/dm-btree-remove.c b/drivers/md/persistent-data/dm-btree-remove.c
index 942cd47eb52d..aeec5b9a1dd5 100644
--- a/drivers/md/persistent-data/dm-btree-remove.c
+++ b/drivers/md/persistent-data/dm-btree-remove.c
@@ -490,12 +490,20 @@ static int rebalance_children(struct shadow_spine *s,
if (le32_to_cpu(n->header.nr_entries) == 1) {
struct dm_block *child;
+ int is_shared;
dm_block_t b = value64(n, 0);
+ r = dm_tm_block_is_shared(info->tm, b, &is_shared);
+ if (r)
+ return r;
+
r = dm_tm_read_lock(info->tm, b, &btree_node_validator, &child);
if (r)
return r;
+ if (is_shared)
+ inc_children(info->tm, dm_block_data(child), vt);
+
memcpy(n, dm_block_data(child),
dm_bm_block_size(dm_tm_get_bm(info->tm)));
--
2.50.1 (Apple Git-155)

99
1240-crypto-tegra-disable-softirqs-before-finalizing-request.patch Normal file
View File

@ -0,0 +1,99 @@
From 93a786612ec17d0146d05b71dbf5931b6ee04400 Mon Sep 17 00:00:00 2001
From: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
Date: Fri, 24 Apr 2026 14:07:14 +0000
Subject: [PATCH] crypto: tegra - Disable softirqs before finalizing request
JIRA: https://redhat.atlassian.net/browse/RHEL-159000
commit 2aeec9af775fb53aa086419b953302c6f4ad4984
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date: Tue Mar 10 18:28:29 2026 +0900
crypto: tegra - Disable softirqs before finalizing request
Softirqs must be disabled when calling the finalization fucntion on
a request.
Reported-by: Guangwu Zhang <guazhang@redhat.com>
Fixes: 0880bb3b00c8 ("crypto: tegra - Add Tegra Security Engine driver")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
diff --git a/drivers/crypto/tegra/tegra-se-aes.c b/drivers/crypto/tegra/tegra-se-aes.c
index 0e07d0523291..8b91f00b9c31 100644
--- a/drivers/crypto/tegra/tegra-se-aes.c
+++ b/drivers/crypto/tegra/tegra-se-aes.c
@@ -4,6 +4,7 @@
* Crypto driver to handle block cipher algorithms using NVIDIA Security Engine.
*/
+#include <linux/bottom_half.h>
#include <linux/clk.h>
#include <linux/dma-mapping.h>
#include <linux/module.h>
@@ -333,7 +334,9 @@ static int tegra_aes_do_one_req(struct crypto_engine *engine, void *areq)
tegra_key_invalidate_reserved(ctx->se, key2_id, ctx->alg);
out_finalize:
+ local_bh_disable();
crypto_finalize_skcipher_request(se->engine, req, ret);
+ local_bh_enable();
return 0;
}
@@ -1261,7 +1264,9 @@ static int tegra_ccm_do_one_req(struct crypto_engine *engine, void *areq)
tegra_key_invalidate_reserved(ctx->se, rctx->key_id, ctx->alg);
out_finalize:
+ local_bh_disable();
crypto_finalize_aead_request(ctx->se->engine, req, ret);
+ local_bh_enable();
return 0;
}
@@ -1347,7 +1352,9 @@ static int tegra_gcm_do_one_req(struct crypto_engine *engine, void *areq)
tegra_key_invalidate_reserved(ctx->se, rctx->key_id, ctx->alg);
out_finalize:
+ local_bh_disable();
crypto_finalize_aead_request(ctx->se->engine, req, ret);
+ local_bh_enable();
return 0;
}
@@ -1745,7 +1752,9 @@ static int tegra_cmac_do_one_req(struct crypto_engine *engine, void *areq)
if (tegra_key_is_reserved(rctx->key_id))
tegra_key_invalidate_reserved(ctx->se, rctx->key_id, ctx->alg);
+ local_bh_disable();
crypto_finalize_hash_request(se->engine, req, ret);
+ local_bh_enable();
return 0;
}
diff --git a/drivers/crypto/tegra/tegra-se-hash.c b/drivers/crypto/tegra/tegra-se-hash.c
index 42d007b7af45..90bf34eb3578 100644
--- a/drivers/crypto/tegra/tegra-se-hash.c
+++ b/drivers/crypto/tegra/tegra-se-hash.c
@@ -4,6 +4,7 @@
* Crypto driver to handle HASH algorithms using NVIDIA Security Engine.
*/
+#include <linux/bottom_half.h>
#include <linux/clk.h>
#include <linux/dma-mapping.h>
#include <linux/module.h>
@@ -543,7 +544,9 @@ static int tegra_sha_do_one_req(struct crypto_engine *engine, void *areq)
}
out:
+ local_bh_disable();
crypto_finalize_hash_request(se->engine, req, ret);
+ local_bh_enable();
return 0;
}
--
2.50.1 (Apple Git-155)

48
1241-bluetooth-mgmt-validate-ltk-enc-size-on-load.patch Normal file
View File

@ -0,0 +1,48 @@
From cd80e4a498a4387b0d597b2edd74c834ae730c5f Mon Sep 17 00:00:00 2001
From: David Marlin <dmarlin@redhat.com>
Date: Thu, 7 May 2026 18:00:59 -0500
Subject: [PATCH] Bluetooth: MGMT: validate LTK enc_size on load
JIRA: https://issues.redhat.com/browse/RHEL-172460
JIRA: https://issues.redhat.com/browse/RHEL-172580
CVE: CVE-2026-43020
commit b8dbe9648d69059cfe3a28917bfbf7e61efd7f15
Author: Keenan Dong <keenanat2000@gmail.com>
Date: Sat Mar 28 16:46:47 2026 +0800
Bluetooth: MGMT: validate LTK enc_size on load
Load Long Term Keys stores the user-provided enc_size and later uses
it to size fixed-size stack operations when replying to LE LTK
requests. An enc_size larger than the 16-byte key buffer can therefore
overflow the reply stack buffer.
Reject oversized enc_size values while validating the management LTK
record so invalid keys never reach the stored key state.
Fixes: 346af67b8d11 ("Bluetooth: Add MGMT handlers for dealing with SMP LTK's")
Reported-by: Keenan Dong <keenanat2000@gmail.com>
Signed-off-by: Keenan Dong <keenanat2000@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: David Marlin <dmarlin@redhat.com>
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 9bf95af598a0..66e58fc556a5 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -7248,6 +7248,9 @@ static bool ltk_is_valid(struct mgmt_ltk_info *key)
if (key->initiator != 0x00 && key->initiator != 0x01)
return false;
+ if (key->enc_size > sizeof(key->val))
+ return false;
+
switch (key->addr.type) {
case BDADDR_LE_PUBLIC:
return true;
--
2.50.1 (Apple Git-155)

149
1242-bluetooth-sco-fix-race-conditions-in-sco-sock-connect.patch Normal file
View File

@ -0,0 +1,149 @@
From bb04e329c1f71a2f22a865df447ae3b215253283 Mon Sep 17 00:00:00 2001
From: David Marlin <dmarlin@redhat.com>
Date: Thu, 7 May 2026 18:00:58 -0500
Subject: [PATCH] Bluetooth: SCO: fix race conditions in sco_sock_connect()
JIRA: https://issues.redhat.com/browse/RHEL-172460
JIRA: https://issues.redhat.com/browse/RHEL-172607
CVE: CVE-2026-43023
commit 8a5b0135d4a5d9683203a3d9a12a711ccec5936b
Author: Cen Zhang <zzzccc427@gmail.com>
Date: Thu Mar 26 23:16:45 2026 +0800
Bluetooth: SCO: fix race conditions in sco_sock_connect()
sco_sock_connect() checks sk_state and sk_type without holding
the socket lock. Two concurrent connect() syscalls on the same
socket can both pass the check and enter sco_connect(), leading
to use-after-free.
The buggy scenario involves three participants and was confirmed
with additional logging instrumentation:
Thread A (connect): HCI disconnect: Thread B (connect):
sco_sock_connect(sk) sco_sock_connect(sk)
sk_state==BT_OPEN sk_state==BT_OPEN
(pass, no lock) (pass, no lock)
sco_connect(sk): sco_connect(sk):
hci_dev_lock hci_dev_lock
hci_connect_sco <- blocked
-> hcon1
sco_conn_add->conn1
lock_sock(sk)
sco_chan_add:
conn1->sk = sk
sk->conn = conn1
sk_state=BT_CONNECT
release_sock
hci_dev_unlock
hci_dev_lock
sco_conn_del:
lock_sock(sk)
sco_chan_del:
sk->conn=NULL
conn1->sk=NULL
sk_state=
BT_CLOSED
SOCK_ZAPPED
release_sock
hci_dev_unlock
(unblocked)
hci_connect_sco
-> hcon2
sco_conn_add
-> conn2
lock_sock(sk)
sco_chan_add:
sk->conn=conn2
sk_state=
BT_CONNECT
// zombie sk!
release_sock
hci_dev_unlock
Thread B revives a BT_CLOSED + SOCK_ZAPPED socket back to
BT_CONNECT. Subsequent cleanup triggers double sock_put() and
use-after-free. Meanwhile conn1 is leaked as it was orphaned
when sco_conn_del() cleared the association.
Fix this by:
- Moving lock_sock() before the sk_state/sk_type checks in
sco_sock_connect() to serialize concurrent connect attempts
- Fixing the sk_type != SOCK_SEQPACKET check to actually
return the error instead of just assigning it
- Adding a state re-check in sco_connect() after lock_sock()
to catch state changes during the window between the locks
- Adding sco_pi(sk)->conn check in sco_chan_add() to prevent
double-attach of a socket to multiple connections
- Adding hci_conn_drop() on sco_chan_add failure to prevent
HCI connection leaks
Fixes: 9a8ec9e8ebb5 ("Bluetooth: SCO: Fix possible circular locking dependency on sco_connect_cfm")
Signed-off-by: Cen Zhang <zzzccc427@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: David Marlin <dmarlin@redhat.com>
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index 6fc0914c74cb..26e3020e6d87 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -298,7 +298,7 @@ static int sco_chan_add(struct sco_conn *conn, struct sock *sk,
int err = 0;
sco_conn_lock(conn);
- if (conn->sk)
+ if (conn->sk || sco_pi(sk)->conn)
err = -EBUSY;
else
__sco_chan_add(conn, sk, parent);
@@ -353,9 +353,20 @@ static int sco_connect(struct sock *sk)
lock_sock(sk);
+ /* Recheck state after reacquiring the socket lock, as another
+ * thread may have changed it (e.g., closed the socket).
+ */
+ if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) {
+ release_sock(sk);
+ hci_conn_drop(hcon);
+ err = -EBADFD;
+ goto unlock;
+ }
+
err = sco_chan_add(conn, sk, NULL);
if (err) {
release_sock(sk);
+ hci_conn_drop(hcon);
goto unlock;
}
@@ -656,13 +667,18 @@ static int sco_sock_connect(struct socket *sock, struct sockaddr *addr, int alen
addr->sa_family != AF_BLUETOOTH)
return -EINVAL;
- if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND)
+ lock_sock(sk);
+
+ if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) {
+ release_sock(sk);
return -EBADFD;
+ }
- if (sk->sk_type != SOCK_SEQPACKET)
- err = -EINVAL;
+ if (sk->sk_type != SOCK_SEQPACKET) {
+ release_sock(sk);
+ return -EINVAL;
+ }
- lock_sock(sk);
/* Set destination address and psm */
bacpy(&sco_pi(sk)->dst, &sa->sco_bdaddr);
release_sock(sk);
--
2.50.1 (Apple Git-155)

78
1243-xfs-delete-attr-leaf-freemap-entries-when-empty.patch Normal file
View File

@ -0,0 +1,78 @@
From 21df79956b1623ded470e38baa1058d1c641d896 Mon Sep 17 00:00:00 2001
From: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
Date: Fri, 8 May 2026 14:00:52 +0000
Subject: [PATCH] xfs: delete attr leaf freemap entries when empty
JIRA: https://redhat.atlassian.net/browse/RHEL-174054
CVE: CVE-2026-43158
commit 6f13c1d2a6271c2e73226864a0e83de2770b6f34
Author: Darrick J. Wong <djwong@kernel.org>
Date: Fri Jan 23 09:27:30 2026 -0800
xfs: delete attr leaf freemap entries when empty
Back in commit 2a2b5932db6758 ("xfs: fix attr leaf header freemap.size
underflow"), Brian Foster observed that it's possible for a small
freemap at the end of the end of the xattr entries array to experience
a size underflow when subtracting the space consumed by an expansion of
the entries array. There are only three freemap entries, which means
that it is not a complete index of all free space in the leaf block.
This code can leave behind a zero-length freemap entry with a nonzero
base. Subsequent setxattr operations can increase the base up to the
point that it overlaps with another freemap entry. This isn't in and of
itself a problem because the code in _leaf_add that finds free space
ignores any freemap entry with zero size.
However, there's another bug in the freemap update code in _leaf_add,
which is that it fails to update a freemap entry that begins midway
through the xattr entry that was just appended to the array. That can
result in the freemap containing two entries with the same base but
different sizes (0 for the "pushed-up" entry, nonzero for the entry
that's actually tracking free space). A subsequent _leaf_add can then
allocate xattr namevalue entries on top of the entries array, leading to
data loss. But fixing that is for later.
For now, eliminate the possibility of confusion by zeroing out the base
of any freemap entry that has zero size. Because the freemap is not
intended to be a complete index of free space, a subsequent failure to
find any free space for a new xattr will trigger block compaction, which
regenerates the freemap.
It looks like this bug has been in the codebase for quite a long time.
Cc: <stable@vger.kernel.org> # v2.6.12
Fixes: 1da177e4c3f415 ("Linux-2.6.12-rc2")
Signed-off-by: "Darrick J. Wong" <djwong@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
diff --git a/fs/xfs/libxfs/xfs_attr_leaf.c b/fs/xfs/libxfs/xfs_attr_leaf.c
index fddb55605e0c..8577c01c83bd 100644
--- a/fs/xfs/libxfs/xfs_attr_leaf.c
+++ b/fs/xfs/libxfs/xfs_attr_leaf.c
@@ -1593,6 +1593,19 @@ xfs_attr3_leaf_add_work(
min_t(uint16_t, ichdr->freemap[i].size,
sizeof(xfs_attr_leaf_entry_t));
}
+
+ /*
+ * Don't leave zero-length freemaps with nonzero base lying
+ * around, because we don't want the code in _remove that
+ * matches on base address to get confused and create
+ * overlapping freemaps. If we end up with no freemap entries
+ * then the next _add will compact the leaf block and
+ * regenerate the freemaps.
+ */
+ if (ichdr->freemap[i].size == 0 && ichdr->freemap[i].base > 0) {
+ ichdr->freemap[i].base = 0;
+ ichdr->holes = 1;
+ }
}
ichdr->usedbytes += xfs_attr_leaf_entsize(leaf, args->index);
}
--
2.50.1 (Apple Git-155)

141
1244-xfs-fix-freemap-adjustments-when-adding-xattrs-to-leaf-block.patch Normal file
View File

@ -0,0 +1,141 @@
From 18713c87fe4f646250400dae3226ffd0659959d5 Mon Sep 17 00:00:00 2001
From: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
Date: Fri, 8 May 2026 14:00:54 +0000
Subject: [PATCH] xfs: fix freemap adjustments when adding xattrs to leaf
blocks
JIRA: https://redhat.atlassian.net/browse/RHEL-174054
CVE: CVE-2026-43158
commit 3eefc0c2b78444b64feeb3783c017d6adc3cd3ce
Author: Darrick J. Wong <djwong@kernel.org>
Date: Fri Jan 23 09:27:31 2026 -0800
xfs: fix freemap adjustments when adding xattrs to leaf blocks
xfs/592 and xfs/794 both trip this assertion in the leaf block freemap
adjustment code after ~20 minutes of running on my test VMs:
ASSERT(ichdr->firstused >= ichdr->count * sizeof(xfs_attr_leaf_entry_t)
+ xfs_attr3_leaf_hdr_size(leaf));
Upon enabling quite a lot more debugging code, I narrowed this down to
fsstress trying to set a local extended attribute with namelen=3 and
valuelen=71. This results in an entry size of 80 bytes.
At the start of xfs_attr3_leaf_add_work, the freemap looks like this:
i 0 base 448 size 0 rhs 448 count 46
i 1 base 388 size 132 rhs 448 count 46
i 2 base 2120 size 4 rhs 448 count 46
firstused = 520
where "rhs" is the first byte past the end of the leaf entry array.
This is inconsistent -- the entries array ends at byte 448, but
freemap[1] says there's free space starting at byte 388!
By the end of the function, the freemap is in worse shape:
i 0 base 456 size 0 rhs 456 count 47
i 1 base 388 size 52 rhs 456 count 47
i 2 base 2120 size 4 rhs 456 count 47
firstused = 440
Important note: 388 is not aligned with the entries array element size
of 8 bytes.
Based on the incorrect freemap, the name area starts at byte 440, which
is below the end of the entries array! That's why the assertion
triggers and the filesystem shuts down.
How did we end up here? First, recall from the previous patch that the
freemap array in an xattr leaf block is not intended to be a
comprehensive map of all free space in the leaf block. In other words,
it's perfectly legal to have a leaf block with:
* 376 bytes in use by the entries array
* freemap[0] has [base = 376, size = 8]
* freemap[1] has [base = 388, size = 1500]
* the space between 376 and 388 is free, but the freemap stopped
tracking that some time ago
If we add one xattr, the entries array grows to 384 bytes, and
freemap[0] becomes [base = 384, size = 0]. So far, so good. But if we
add a second xattr, the entries array grows to 392 bytes, and freemap[0]
gets pushed up to [base = 392, size = 0]. This is bad, because
freemap[1] hasn't been updated, and now the entries array and the free
space claim the same space.
The fix here is to adjust all freemap entries so that none of them
collide with the entries array. Note that this fix relies on commit
2a2b5932db6758 ("xfs: fix attr leaf header freemap.size underflow") and
the previous patch that resets zero length freemap entries to have
base = 0.
Cc: <stable@vger.kernel.org> # v2.6.12
Fixes: 1da177e4c3f415 ("Linux-2.6.12-rc2")
Signed-off-by: "Darrick J. Wong" <djwong@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
diff --git a/fs/xfs/libxfs/xfs_attr_leaf.c b/fs/xfs/libxfs/xfs_attr_leaf.c
index 8577c01c83bd..bfcac9036c11 100644
--- a/fs/xfs/libxfs/xfs_attr_leaf.c
+++ b/fs/xfs/libxfs/xfs_attr_leaf.c
@@ -1489,6 +1489,7 @@ xfs_attr3_leaf_add_work(
struct xfs_attr_leaf_name_local *name_loc;
struct xfs_attr_leaf_name_remote *name_rmt;
struct xfs_mount *mp;
+ int old_end, new_end;
int tmp;
int i;
@@ -1581,17 +1582,36 @@ xfs_attr3_leaf_add_work(
if (be16_to_cpu(entry->nameidx) < ichdr->firstused)
ichdr->firstused = be16_to_cpu(entry->nameidx);
- ASSERT(ichdr->firstused >= ichdr->count * sizeof(xfs_attr_leaf_entry_t)
- + xfs_attr3_leaf_hdr_size(leaf));
- tmp = (ichdr->count - 1) * sizeof(xfs_attr_leaf_entry_t)
- + xfs_attr3_leaf_hdr_size(leaf);
+ new_end = ichdr->count * sizeof(struct xfs_attr_leaf_entry) +
+ xfs_attr3_leaf_hdr_size(leaf);
+ old_end = new_end - sizeof(struct xfs_attr_leaf_entry);
+
+ ASSERT(ichdr->firstused >= new_end);
for (i = 0; i < XFS_ATTR_LEAF_MAPSIZE; i++) {
- if (ichdr->freemap[i].base == tmp) {
- ichdr->freemap[i].base += sizeof(xfs_attr_leaf_entry_t);
+ int diff = 0;
+
+ if (ichdr->freemap[i].base == old_end) {
+ /*
+ * This freemap entry starts at the old end of the
+ * leaf entry array, so we need to adjust its base
+ * upward to accomodate the larger array.
+ */
+ diff = sizeof(struct xfs_attr_leaf_entry);
+ } else if (ichdr->freemap[i].size > 0 &&
+ ichdr->freemap[i].base < new_end) {
+ /*
+ * This freemap entry starts in the space claimed by
+ * the new leaf entry. Adjust its base upward to
+ * reflect that.
+ */
+ diff = new_end - ichdr->freemap[i].base;
+ }
+
+ if (diff) {
+ ichdr->freemap[i].base += diff;
ichdr->freemap[i].size -=
- min_t(uint16_t, ichdr->freemap[i].size,
- sizeof(xfs_attr_leaf_entry_t));
+ min_t(uint16_t, ichdr->freemap[i].size, diff);
}
/*
--
2.50.1 (Apple Git-155)

259
kernel.spec
View File

@ -182,7 +182,7 @@ Summary: The Linux kernel
# This is needed to do merge window version magic
%define patchlevel 12
# This allows pkg_release to have configurable %%{?dist} tag
%define specrelease 211.16.1%{?buildid}%{?dist}
%define specrelease 211.18.1%{?buildid}%{?dist}
# This defines the kabi tarball version
%define kabiversion 6.12.0-211.7.1.el10_2
@ -1196,6 +1196,89 @@ Patch1158: 1158-rdma-umem-fix-double-dma-buf-unpin-in-failure-path.patch
Patch1159: 1159-ptrace-slightly-saner-get-dumpable-logic.patch
Patch1160: 1160-net-skbuff-preserve-shared-frag-marker-during-coalescing.patch
Patch1161: 1161-net-skbuff-propagate-shared-frag-marker-through-frag-transfe.patch
Patch1162: 1162-netfilter-nf-tables-release-flowtable-after-rcu-grace-period.patch
Patch1163: 1163-can-j1939-j1939-session-new-fix-skb-reference-counting.patch
Patch1164: 1164-ima-don-t-clear-ima-digsig-flag-when-setting-or-removing-non.patch
Patch1165: 1165-netfilter-nf-conntrack-h323-check-for-zero-length-in-decodeq.patch
Patch1166: 1166-revert-scsi-lpfc-update-lpfc-version-to-14-4-0-12.patch
Patch1167: 1167-revert-scsi-lpfc-add-capability-to-register-platform-name-id.patch
Patch1168: 1168-revert-scsi-lpfc-allow-support-for-bb-credit-recovery-in-poi.patch
Patch1169: 1169-revert-scsi-lpfc-fix-reusing-an-ndlp-that-is-marked-nlp-drop.patch
Patch1170: 1170-revert-scsi-lpfc-modify-kref-handling-for-fabric-controller-.patch
Patch1171: 1171-revert-scsi-lpfc-fix-leaked-ndlp-krefs-when-in-point-to-poin.patch
Patch1172: 1172-revert-scsi-lpfc-ensure-unregistration-of-rpis-for-received-.patch
Patch1173: 1173-revert-scsi-lpfc-remove-redundant-null-ptr-assignment-in-lpf.patch
Patch1174: 1174-revert-scsi-lpfc-revise-discovery-related-function-headers-a.patch
Patch1175: 1175-revert-scsi-lpfc-update-various-npiv-diagnostic-log-messagin.patch
Patch1176: 1176-revert-scsi-lpfc-copyright-updates-for-14-4-0-11-patches.patch
Patch1177: 1177-revert-scsi-lpfc-update-lpfc-version-to-14-4-0-11.patch
Patch1178: 1178-revert-scsi-lpfc-convert-debugfs-directory-counts-from-atomi.patch
Patch1179: 1179-revert-scsi-lpfc-clean-up-extraneous-phba-dentries.patch
Patch1180: 1180-revert-scsi-lpfc-use-switch-case-statements-in-dif-debugfs-h.patch
Patch1181: 1181-revert-scsi-lpfc-fix-memory-leak-when-nvmeio-trc-debugfs-ent.patch
Patch1182: 1182-revert-scsi-lpfc-define-size-of-debugfs-entry-for-xri-rebala.patch
Patch1183: 1183-revert-scsi-lpfc-ensure-plogi-acc-is-sent-prior-to-prli-in-p.patch
Patch1184: 1184-revert-scsi-lpfc-check-return-status-of-lpfc-reset-flush-io-.patch
Patch1185: 1185-revert-scsi-lpfc-decrement-ndlp-kref-after-fdisc-retries-exh.patch
Patch1186: 1186-revert-scsi-lpfc-remove-ndlp-kref-decrement-clause-for-f-por.patch
Patch1187: 1187-revert-scsi-lpfc-clean-up-allocated-queues-when-queue-setup-.patch
Patch1188: 1188-revert-scsi-lpfc-abort-outstanding-els-wqes-regardless-of-if.patch
Patch1189: 1189-revert-scsi-lpfc-remove-unused-member-variables-in-struct-lp.patch
Patch1190: 1190-revert-scsi-lpfc-use-int-type-to-store-negative-error-codes.patch
Patch1191: 1191-revert-scsi-lpfc-use-min-to-improve-code.patch
Patch1192: 1192-revert-scsi-lpfc-fix-wrong-function-reference-in-a-comment.patch
Patch1193: 1193-revert-lpfc-don-t-use-file-f-path-dentry-for-comparisons.patch
Patch1194: 1194-revert-scsi-lpfc-copyright-updates-for-14-4-0-10-patches.patch
Patch1195: 1195-revert-scsi-lpfc-update-lpfc-version-to-14-4-0-10.patch
Patch1196: 1196-revert-scsi-lpfc-modify-end-of-life-adapters-model-descripti.patch
Patch1197: 1197-revert-scsi-lpfc-revise-cq-create-set-mailbox-bitfield-defin.patch
Patch1198: 1198-revert-scsi-lpfc-move-clearing-of-hba-setup-flag-to-before-l.patch
Patch1199: 1199-revert-scsi-lpfc-ensure-hba-setup-flag-is-used-only-for-sli4.patch
Patch1200: 1200-revert-scsi-lpfc-relocate-clearing-initial-phba-flags-from-l.patch
Patch1201: 1201-revert-scsi-lpfc-simplify-error-handling-for-failed-lpfc-get.patch
Patch1202: 1202-revert-scsi-lpfc-early-return-out-of-fdmi-cmpl-for-locally-r.patch
Patch1203: 1203-revert-scsi-lpfc-skip-rscn-processing-when-fc-unloading-flag.patch
Patch1204: 1204-revert-scsi-lpfc-check-for-hdwq-null-ptr-when-cleaning-up-lp.patch
Patch1205: 1205-revert-scsi-lpfc-update-debugfs-trace-ring-initialization-me.patch
Patch1206: 1206-revert-scsi-lpfc-revise-logging-format-for-failed-ct-mib-req.patch
Patch1207: 1207-scsi-lpfc-avoid-crashing-in-lpfc-nlp-get-rhel-only.patch
Patch1208: 1208-drm-mgag200-fix-mgag200-bmc-stop-scanout.patch
Patch1209: 1209-net-sched-act-csum-validate-nested-vlan-headers.patch
Patch1210: 1210-netfilter-ip6t-eui64-reject-invalid-mac-header-for-all-packe.patch
Patch1211: 1211-cifs-remove-unnecessary-tracing-after-put-tcon.patch
Patch1212: 1212-cifs-make-default-value-of-retrans-as-zero.patch
Patch1213: 1213-dpll-zl3073x-add-output-pin-frequency-helper.patch
Patch1214: 1214-dpll-zl3073x-include-current-frequency-in-supported-frequenc.patch
Patch1215: 1215-dpll-zl3073x-fix-ref-frequency-setting.patch
Patch1216: 1216-dpll-zl3073x-fix-ref-phase-offset-comp-register-width-for-so.patch
Patch1217: 1217-dpll-zl3073x-remove-redundant-cleanup-in-devm-dpll-init.patch
Patch1218: 1218-io-uring-rsrc-reject-zero-length-fixed-buffer-import.patch
Patch1219: 1219-netfilter-nf-conntrack-helper-pass-helper-to-expect-cleanup.patch
Patch1220: 1220-hid-wacom-fix-out-of-bounds-read-in-wacom-intuos-bt-irq.patch
Patch1221: 1221-redhat-configs-enable-config-aqtion-on-all-archs.patch
Patch1222: 1222-wifi-brcmfmac-validate-bsscfg-indices-in-if-events.patch
Patch1223: 1223-netfilter-ctnetlink-ensure-safe-access-to-master-conntrack.patch
Patch1224: 1224-netfilter-xt-tcpmss-check-remaining-length-before-reading-op.patch
Patch1225: 1225-net-fix-rcu-tasks-stall-in-threaded-busypoll.patch
Patch1226: 1226-ice-use-netif-get-num-default-rss-queues.patch
Patch1227: 1227-ice-set-max-queues-in-alloc-etherdev-mqs.patch
Patch1228: 1228-anon-inode-use-a-proper-mode-internally.patch
Patch1229: 1229-pidfs-use-anon-inode-getattr.patch
Patch1230: 1230-anon-inode-explicitly-block-setattr.patch
Patch1231: 1231-pidfs-use-anon-inode-setattr.patch
Patch1232: 1232-anon-inode-raise-sb-i-nodev-and-sb-i-noexec.patch
Patch1233: 1233-fs-add-s-anon-inode.patch
Patch1234: 1234-mm-thp-deny-thp-for-files-on-anonymous-inodes.patch
Patch1235: 1235-dpaa2-switch-prevent-zero-size-ptr-dereference-when-num-ifs-.patch
Patch1236: 1236-dpaa2-switch-validate-num-ifs-to-prevent-out-of-bounds-write.patch
Patch1237: 1237-mm-page-alloc-clear-page-private-in-free-pages-prepare.patch
Patch1238: 1238-redhat-kernel-spec-template-disable-objtool-werror-for-gcov-.patch
Patch1239: 1239-dm-thin-fix-metadata-refcount-underflow.patch
Patch1240: 1240-crypto-tegra-disable-softirqs-before-finalizing-request.patch
Patch1241: 1241-bluetooth-mgmt-validate-ltk-enc-size-on-load.patch
Patch1242: 1242-bluetooth-sco-fix-race-conditions-in-sco-sock-connect.patch
Patch1243: 1243-xfs-delete-attr-leaf-freemap-entries-when-empty.patch
Patch1244: 1244-xfs-fix-freemap-adjustments-when-adding-xattrs-to-leaf-block.patch
# END OF PATCH DEFINITIONS
%description
@ -2114,6 +2197,89 @@ ApplyPatch 1158-rdma-umem-fix-double-dma-buf-unpin-in-failure-path.patch
ApplyPatch 1159-ptrace-slightly-saner-get-dumpable-logic.patch
ApplyPatch 1160-net-skbuff-preserve-shared-frag-marker-during-coalescing.patch
ApplyPatch 1161-net-skbuff-propagate-shared-frag-marker-through-frag-transfe.patch
ApplyPatch 1162-netfilter-nf-tables-release-flowtable-after-rcu-grace-period.patch
ApplyPatch 1163-can-j1939-j1939-session-new-fix-skb-reference-counting.patch
ApplyPatch 1164-ima-don-t-clear-ima-digsig-flag-when-setting-or-removing-non.patch
ApplyPatch 1165-netfilter-nf-conntrack-h323-check-for-zero-length-in-decodeq.patch
ApplyPatch 1166-revert-scsi-lpfc-update-lpfc-version-to-14-4-0-12.patch
ApplyPatch 1167-revert-scsi-lpfc-add-capability-to-register-platform-name-id.patch
ApplyPatch 1168-revert-scsi-lpfc-allow-support-for-bb-credit-recovery-in-poi.patch
ApplyPatch 1169-revert-scsi-lpfc-fix-reusing-an-ndlp-that-is-marked-nlp-drop.patch
ApplyPatch 1170-revert-scsi-lpfc-modify-kref-handling-for-fabric-controller-.patch
ApplyPatch 1171-revert-scsi-lpfc-fix-leaked-ndlp-krefs-when-in-point-to-poin.patch
ApplyPatch 1172-revert-scsi-lpfc-ensure-unregistration-of-rpis-for-received-.patch
ApplyPatch 1173-revert-scsi-lpfc-remove-redundant-null-ptr-assignment-in-lpf.patch
ApplyPatch 1174-revert-scsi-lpfc-revise-discovery-related-function-headers-a.patch
ApplyPatch 1175-revert-scsi-lpfc-update-various-npiv-diagnostic-log-messagin.patch
ApplyPatch 1176-revert-scsi-lpfc-copyright-updates-for-14-4-0-11-patches.patch
ApplyPatch 1177-revert-scsi-lpfc-update-lpfc-version-to-14-4-0-11.patch
ApplyPatch 1178-revert-scsi-lpfc-convert-debugfs-directory-counts-from-atomi.patch
ApplyPatch 1179-revert-scsi-lpfc-clean-up-extraneous-phba-dentries.patch
ApplyPatch 1180-revert-scsi-lpfc-use-switch-case-statements-in-dif-debugfs-h.patch
ApplyPatch 1181-revert-scsi-lpfc-fix-memory-leak-when-nvmeio-trc-debugfs-ent.patch
ApplyPatch 1182-revert-scsi-lpfc-define-size-of-debugfs-entry-for-xri-rebala.patch
ApplyPatch 1183-revert-scsi-lpfc-ensure-plogi-acc-is-sent-prior-to-prli-in-p.patch
ApplyPatch 1184-revert-scsi-lpfc-check-return-status-of-lpfc-reset-flush-io-.patch
ApplyPatch 1185-revert-scsi-lpfc-decrement-ndlp-kref-after-fdisc-retries-exh.patch
ApplyPatch 1186-revert-scsi-lpfc-remove-ndlp-kref-decrement-clause-for-f-por.patch
ApplyPatch 1187-revert-scsi-lpfc-clean-up-allocated-queues-when-queue-setup-.patch
ApplyPatch 1188-revert-scsi-lpfc-abort-outstanding-els-wqes-regardless-of-if.patch
ApplyPatch 1189-revert-scsi-lpfc-remove-unused-member-variables-in-struct-lp.patch
ApplyPatch 1190-revert-scsi-lpfc-use-int-type-to-store-negative-error-codes.patch
ApplyPatch 1191-revert-scsi-lpfc-use-min-to-improve-code.patch
ApplyPatch 1192-revert-scsi-lpfc-fix-wrong-function-reference-in-a-comment.patch
ApplyPatch 1193-revert-lpfc-don-t-use-file-f-path-dentry-for-comparisons.patch
ApplyPatch 1194-revert-scsi-lpfc-copyright-updates-for-14-4-0-10-patches.patch
ApplyPatch 1195-revert-scsi-lpfc-update-lpfc-version-to-14-4-0-10.patch
ApplyPatch 1196-revert-scsi-lpfc-modify-end-of-life-adapters-model-descripti.patch
ApplyPatch 1197-revert-scsi-lpfc-revise-cq-create-set-mailbox-bitfield-defin.patch
ApplyPatch 1198-revert-scsi-lpfc-move-clearing-of-hba-setup-flag-to-before-l.patch
ApplyPatch 1199-revert-scsi-lpfc-ensure-hba-setup-flag-is-used-only-for-sli4.patch
ApplyPatch 1200-revert-scsi-lpfc-relocate-clearing-initial-phba-flags-from-l.patch
ApplyPatch 1201-revert-scsi-lpfc-simplify-error-handling-for-failed-lpfc-get.patch
ApplyPatch 1202-revert-scsi-lpfc-early-return-out-of-fdmi-cmpl-for-locally-r.patch
ApplyPatch 1203-revert-scsi-lpfc-skip-rscn-processing-when-fc-unloading-flag.patch
ApplyPatch 1204-revert-scsi-lpfc-check-for-hdwq-null-ptr-when-cleaning-up-lp.patch
ApplyPatch 1205-revert-scsi-lpfc-update-debugfs-trace-ring-initialization-me.patch
ApplyPatch 1206-revert-scsi-lpfc-revise-logging-format-for-failed-ct-mib-req.patch
ApplyPatch 1207-scsi-lpfc-avoid-crashing-in-lpfc-nlp-get-rhel-only.patch
ApplyPatch 1208-drm-mgag200-fix-mgag200-bmc-stop-scanout.patch
ApplyPatch 1209-net-sched-act-csum-validate-nested-vlan-headers.patch
ApplyPatch 1210-netfilter-ip6t-eui64-reject-invalid-mac-header-for-all-packe.patch
ApplyPatch 1211-cifs-remove-unnecessary-tracing-after-put-tcon.patch
ApplyPatch 1212-cifs-make-default-value-of-retrans-as-zero.patch
ApplyPatch 1213-dpll-zl3073x-add-output-pin-frequency-helper.patch
ApplyPatch 1214-dpll-zl3073x-include-current-frequency-in-supported-frequenc.patch
ApplyPatch 1215-dpll-zl3073x-fix-ref-frequency-setting.patch
ApplyPatch 1216-dpll-zl3073x-fix-ref-phase-offset-comp-register-width-for-so.patch
ApplyPatch 1217-dpll-zl3073x-remove-redundant-cleanup-in-devm-dpll-init.patch
ApplyPatch 1218-io-uring-rsrc-reject-zero-length-fixed-buffer-import.patch
ApplyPatch 1219-netfilter-nf-conntrack-helper-pass-helper-to-expect-cleanup.patch
ApplyPatch 1220-hid-wacom-fix-out-of-bounds-read-in-wacom-intuos-bt-irq.patch
ApplyPatch 1221-redhat-configs-enable-config-aqtion-on-all-archs.patch
ApplyPatch 1222-wifi-brcmfmac-validate-bsscfg-indices-in-if-events.patch
ApplyPatch 1223-netfilter-ctnetlink-ensure-safe-access-to-master-conntrack.patch
ApplyPatch 1224-netfilter-xt-tcpmss-check-remaining-length-before-reading-op.patch
ApplyPatch 1225-net-fix-rcu-tasks-stall-in-threaded-busypoll.patch
ApplyPatch 1226-ice-use-netif-get-num-default-rss-queues.patch
ApplyPatch 1227-ice-set-max-queues-in-alloc-etherdev-mqs.patch
ApplyPatch 1228-anon-inode-use-a-proper-mode-internally.patch
ApplyPatch 1229-pidfs-use-anon-inode-getattr.patch
ApplyPatch 1230-anon-inode-explicitly-block-setattr.patch
ApplyPatch 1231-pidfs-use-anon-inode-setattr.patch
ApplyPatch 1232-anon-inode-raise-sb-i-nodev-and-sb-i-noexec.patch
ApplyPatch 1233-fs-add-s-anon-inode.patch
ApplyPatch 1234-mm-thp-deny-thp-for-files-on-anonymous-inodes.patch
ApplyPatch 1235-dpaa2-switch-prevent-zero-size-ptr-dereference-when-num-ifs-.patch
ApplyPatch 1236-dpaa2-switch-validate-num-ifs-to-prevent-out-of-bounds-write.patch
ApplyPatch 1237-mm-page-alloc-clear-page-private-in-free-pages-prepare.patch
ApplyPatch 1238-redhat-kernel-spec-template-disable-objtool-werror-for-gcov-.patch
ApplyPatch 1239-dm-thin-fix-metadata-refcount-underflow.patch
ApplyPatch 1240-crypto-tegra-disable-softirqs-before-finalizing-request.patch
ApplyPatch 1241-bluetooth-mgmt-validate-ltk-enc-size-on-load.patch
ApplyPatch 1242-bluetooth-sco-fix-race-conditions-in-sco-sock-connect.patch
ApplyPatch 1243-xfs-delete-attr-leaf-freemap-entries-when-empty.patch
ApplyPatch 1244-xfs-fix-freemap-adjustments-when-adding-xattrs-to-leaf-block.patch
# END OF PATCH APPLICATIONS
# Any further pre-build tree manipulations happen here.
@ -4618,6 +4784,97 @@ fi\
#
#
%changelog
* Sun Jun 07 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 6.12.0-211.18.1
- Recreate RHEL 6.12.0-211.18.1 from CentOS Stream 10 and upstream stable backports (1162-1244)
- RHEL changelog for 211.17.1..211.18.1 follows:
* Thu May 21 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-211.18.1.el10_2]
- xfs: fix freemap adjustments when adding xattrs to leaf blocks (CKI Backport Bot) [RHEL-174051] {CVE-2026-43158}
- xfs: delete attr leaf freemap entries when empty (CKI Backport Bot) [RHEL-174051] {CVE-2026-43158}
- Bluetooth: SCO: fix race conditions in sco_sock_connect() (CKI Backport Bot) [RHEL-172603] {CVE-2026-43023}
- Bluetooth: MGMT: validate LTK enc_size on load (CKI Backport Bot) [RHEL-172577] {CVE-2026-43020}
- crypto: tegra - Disable softirqs before finalizing request (CKI Backport Bot) [RHEL-133872]
* Wed May 20 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-211.17.1.el10_2]
- dm-thin: fix metadata refcount underflow (Benjamin Marzinski) [RHEL-169625]
- redhat/kernel.spec.template: disable OBJTOOL_WERROR for gcov builds (Oleksii Baranov)
- mm/page_alloc: clear page->private in free_pages_prepare() (Rafael Aquini) [RHEL-174756] {CVE-2026-43303}
- dpaa2-switch: validate num_ifs to prevent out-of-bounds write (CKI Backport Bot) [RHEL-174258] {CVE-2026-43205}
- dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero (CKI Backport Bot) [RHEL-174258] {CVE-2026-43205}
- mm: thp: deny THP for files on anonymous inodes (Rafael Aquini) [RHEL-171617] {CVE-2026-23375}
- fs: add S_ANON_INODE (Rafael Aquini) [RHEL-171617]
- anon_inode: raise SB_I_NODEV and SB_I_NOEXEC (Rafael Aquini) [RHEL-171617]
- pidfs: use anon_inode_setattr() (Rafael Aquini) [RHEL-171617]
- anon_inode: explicitly block ->setattr() (Rafael Aquini) [RHEL-171617]
- pidfs: use anon_inode_getattr() (Rafael Aquini) [RHEL-171617]
- anon_inode: use a proper mode internally (Rafael Aquini) [RHEL-171617]
- ice: set max queues in alloc_etherdev_mqs() (CKI Backport Bot) [RHEL-174331]
- ice: use netif_get_num_default_rss_queues() (CKI Backport Bot) [RHEL-174331]
- net: Fix rcu_tasks stall in threaded busypoll (CKI Backport Bot) [RHEL-170809]
- netfilter: xt_tcpmss: check remaining length before reading optlen (CKI Backport Bot) [RHEL-174217] {CVE-2026-43190}
- netfilter: ctnetlink: ensure safe access to master conntrack (CKI Backport Bot) [RHEL-173872] {CVE-2026-43116}
- wifi: brcmfmac: validate bsscfg indices in IF events (CKI Backport Bot) [RHEL-173857] {CVE-2026-43110}
- redhat/configs: enable CONFIG_AQTION on all archs (CKI Backport Bot) [RHEL-171944]
- HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq (CKI Backport Bot) [RHEL-172745] {CVE-2026-43051}
- netfilter: nf_conntrack_helper: pass helper to expect cleanup (CKI Backport Bot) [RHEL-172625] {CVE-2026-43027}
- io_uring/rsrc: reject zero-length fixed buffer import (CKI Backport Bot) [RHEL-172556] {CVE-2026-43006}
- dpll: zl3073x: Remove redundant cleanup in devm_dpll_init() (CKI Backport Bot) [RHEL-164434]
- dpll: zl3073x: fix REF_PHASE_OFFSET_COMP register width for some chip IDs (CKI Backport Bot) [RHEL-164434]
- dpll: zl3073x: Fix ref frequency setting (CKI Backport Bot) [RHEL-164434]
- dpll: zl3073x: Include current frequency in supported frequencies list (CKI Backport Bot) [RHEL-164434]
- dpll: zl3073x: Add output pin frequency helper (CKI Backport Bot) [RHEL-164434]
- cifs: make default value of retrans as zero (Paulo Alcantara) [RHEL-171637]
- cifs: remove unnecessary tracing after put tcon (Paulo Alcantara) [RHEL-171637]
- netfilter: ip6t_eui64: reject invalid MAC header for all packets (CKI Backport Bot) [RHEL-171159] {CVE-2026-31685}
- net: sched: act_csum: validate nested VLAN headers (CKI Backport Bot) [RHEL-171142] {CVE-2026-31684}
- drm/mgag200: fix mgag200_bmc_stop_scanout() (Jocelyn Falempe) [RHEL-150180]
- scsi: lpfc: avoid crashing in lpfc_nlp_get() if lpfc_nodelist was freed (Ewan D. Milne) [RHEL-169786]
- Revert "scsi: lpfc: Revise logging format for failed CT MIB requests" (Ewan D. Milne) [RHEL-169786]
- Revert "scsi: lpfc: Update debugfs trace ring initialization messages" (Ewan D. Milne) [RHEL-169786]
- Revert "scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure" (Ewan D. Milne) [RHEL-169786]
- Revert "scsi: lpfc: Skip RSCN processing when FC_UNLOADING flag is set" (Ewan D. Milne) [RHEL-169786]
- Revert "scsi: lpfc: Early return out of FDMI cmpl for locally rejected statuses" (Ewan D. Milne) [RHEL-169786]
- Revert "scsi: lpfc: Simplify error handling for failed lpfc_get_sli4_parameters cmd" (Ewan D. Milne) [RHEL-169786]
- Revert "scsi: lpfc: Relocate clearing initial phba flags from link up to link down hdlr" (Ewan D. Milne) [RHEL-169786]
- Revert "scsi: lpfc: Ensure HBA_SETUP flag is used only for SLI4 in dev_loss_tmo_callbk" (Ewan D. Milne) [RHEL-169786]
- Revert "scsi: lpfc: Move clearing of HBA_SETUP flag to before lpfc_sli4_queue_unset" (Ewan D. Milne) [RHEL-169786]
- Revert "scsi: lpfc: Revise CQ_CREATE_SET mailbox bitfield definitions" (Ewan D. Milne) [RHEL-169786]
- Revert "scsi: lpfc: Modify end-of-life adapters' model descriptions" (Ewan D. Milne) [RHEL-169786]
- Revert "scsi: lpfc: Update lpfc version to 14.4.0.10" (Ewan D. Milne) [RHEL-169786]
- Revert "scsi: lpfc: Copyright updates for 14.4.0.10 patches" (Ewan D. Milne) [RHEL-169786]
- Revert "lpfc: don't use file->f_path.dentry for comparisons" (Ewan D. Milne) [RHEL-169786]
- Revert "scsi: lpfc: Fix wrong function reference in a comment" (Ewan D. Milne) [RHEL-169786]
- Revert "scsi: lpfc: use min() to improve code" (Ewan D. Milne) [RHEL-169786]
- Revert "scsi: lpfc: Use int type to store negative error codes" (Ewan D. Milne) [RHEL-169786]
- Revert "scsi: lpfc: Remove unused member variables in struct lpfc_hba and lpfc_vport" (Ewan D. Milne) [RHEL-169786]
- Revert "scsi: lpfc: Abort outstanding ELS WQEs regardless of if rmmod is in progress" (Ewan D. Milne) [RHEL-169786]
- Revert "scsi: lpfc: Clean up allocated queues when queue setup mbox commands fail" (Ewan D. Milne) [RHEL-169786]
- Revert "scsi: lpfc: Remove ndlp kref decrement clause for F_Port_Ctrl in lpfc_cleanup" (Ewan D. Milne) [RHEL-169786]
- Revert "scsi: lpfc: Decrement ndlp kref after FDISC retries exhausted" (Ewan D. Milne) [RHEL-169786]
- Revert "scsi: lpfc: Check return status of lpfc_reset_flush_io_context during TGT_RESET" (Ewan D. Milne) [RHEL-169786]
- Revert "scsi: lpfc: Ensure PLOGI_ACC is sent prior to PRLI in Point to Point topology" (Ewan D. Milne) [RHEL-169786]
- Revert "scsi: lpfc: Define size of debugfs entry for xri rebalancing" (Ewan D. Milne) [RHEL-169786]
- Revert "scsi: lpfc: Fix memory leak when nvmeio_trc debugfs entry is used" (Ewan D. Milne) [RHEL-169786]
- Revert "scsi: lpfc: Use switch case statements in DIF debugfs handlers" (Ewan D. Milne) [RHEL-169786]
- Revert "scsi: lpfc: Clean up extraneous phba dentries" (Ewan D. Milne) [RHEL-169786]
- Revert "scsi: lpfc: Convert debugfs directory counts from atomic to unsigned int" (Ewan D. Milne) [RHEL-169786]
- Revert "scsi: lpfc: Update lpfc version to 14.4.0.11" (Ewan D. Milne) [RHEL-169786]
- Revert "scsi: lpfc: Copyright updates for 14.4.0.11 patches" (Ewan D. Milne) [RHEL-169786]
- Revert "scsi: lpfc: Update various NPIV diagnostic log messaging" (Ewan D. Milne) [RHEL-169786]
- Revert "scsi: lpfc: Revise discovery related function headers and comments" (Ewan D. Milne) [RHEL-169786]
- Revert "scsi: lpfc: Remove redundant NULL ptr assignment in lpfc_els_free_iocb()" (Ewan D. Milne) [RHEL-169786]
- Revert "scsi: lpfc: Ensure unregistration of rpis for received PLOGIs" (Ewan D. Milne) [RHEL-169786]
- Revert "scsi: lpfc: Fix leaked ndlp krefs when in point-to-point topology" (Ewan D. Milne) [RHEL-169786]
- Revert "scsi: lpfc: Modify kref handling for Fabric Controller ndlps" (Ewan D. Milne) [RHEL-169786]
- Revert "scsi: lpfc: Fix reusing an ndlp that is marked NLP_DROPPED during FLOGI" (Ewan D. Milne) [RHEL-169786]
- Revert "scsi: lpfc: Allow support for BB credit recovery in point-to-point topology" (Ewan D. Milne) [RHEL-169786]
- Revert "scsi: lpfc: Add capability to register Platform Name ID to fabric" (Ewan D. Milne) [RHEL-169786]
- Revert "scsi: lpfc: Update lpfc version to 14.4.0.12" (Ewan D. Milne) [RHEL-169786]
- netfilter: nf_conntrack_h323: check for zero length in DecodeQ931() (CKI Backport Bot) [RHEL-166991] {CVE-2026-23455}
- ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr (Bruno Meneguele) [RHEL-169738] {CVE-2025-68183}
- can: j1939: j1939_session_new(): fix skb reference counting (CKI Backport Bot) [RHEL-162260] {CVE-2024-56645}
- netfilter: nf_tables: release flowtable after rcu grace period on error (CKI Backport Bot) [RHEL-160469] {CVE-2026-23392}
* Sun Jun 07 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 6.12.0-211.16.1
- Recreate RHEL 6.12.0-211.16.1 from CentOS Stream 10 and upstream stable backports (1106-1161)
- Drop 211.7.x security-ahead patches superseded by the RHEL backports (1100-1104: crypto authencesn/algif, xfrm-esp, rxrpc, net-skbuff fragnesia, ptrace)