From b9d46fff4673c329f05af34cf64302cec922c225 Mon Sep 17 00:00:00 2001 From: Andrew Lukoshko Date: Sun, 7 Jun 2026 00:04:03 +0000 Subject: [PATCH] Recreate RHEL 6.12.0-211.18.1 from CS10/upstream backports Add the RHEL 211.17.1..211.18.1 backports (1162-1244) from centos-stream-10 and upstream, on top of 211.16.1. Includes the lpfc 14.4.0.x revert batch and the RHEL-only lpfc_nlp_get UAF guard. Bump to 211.18.1. --- ...ase-flowtable-after-rcu-grace-period.patch | 46 ++ ...ssion-new-fix-skb-reference-counting.patch | 38 + ...ig-flag-when-setting-or-removing-non.patch | 159 ++++ ...323-check-for-zero-length-in-decodeq.patch | 43 ++ ...pfc-update-lpfc-version-to-14-4-0-12.patch | 16 + ...ability-to-register-platform-name-id.patch | 329 +++++++++ ...upport-for-bb-credit-recovery-in-poi.patch | 27 + ...sing-an-ndlp-that-is-marked-nlp-drop.patch | 101 +++ ...kref-handling-for-fabric-controller-.patch | 231 ++++++ ...ked-ndlp-krefs-when-in-point-to-poin.patch | 166 +++++ ...unregistration-of-rpis-for-received-.patch | 51 ++ ...redundant-null-ptr-assignment-in-lpf.patch | 22 + ...discovery-related-function-headers-a.patch | 104 +++ ...various-npiv-diagnostic-log-messagin.patch | 44 ++ ...yright-updates-for-14-4-0-11-patches.patch | 55 ++ ...pfc-update-lpfc-version-to-14-4-0-11.patch | 16 + ...-debugfs-directory-counts-from-atomi.patch | 89 +++ ...fc-clean-up-extraneous-phba-dentries.patch | 680 ++++++++++++++++++ ...tch-case-statements-in-dif-debugfs-h.patch | 195 +++++ ...ory-leak-when-nvmeio-trc-debugfs-ent.patch | 15 + ...size-of-debugfs-entry-for-xri-rebala.patch | 17 + ...plogi-acc-is-sent-prior-to-prli-in-p.patch | 75 ++ ...eturn-status-of-lpfc-reset-flush-io-.patch | 42 ++ ...nt-ndlp-kref-after-fdisc-retries-exh.patch | 19 + ...ndlp-kref-decrement-clause-for-f-por.patch | 38 + ...p-allocated-queues-when-queue-setup-.patch | 24 + ...utstanding-els-wqes-regardless-of-if.patch | 31 + ...unused-member-variables-in-struct-lp.patch | 58 ++ ...t-type-to-store-negative-error-codes.patch | 16 + ...rt-scsi-lpfc-use-min-to-improve-code.patch | 38 + ...rong-function-reference-in-a-comment.patch | 16 + ...e-file-f-path-dentry-for-comparisons.patch | 203 ++++++ ...yright-updates-for-14-4-0-10-patches.patch | 68 ++ ...pfc-update-lpfc-version-to-14-4-0-10.patch | 16 + ...end-of-life-adapters-model-descripti.patch | 138 ++++ ...cq-create-set-mailbox-bitfield-defin.patch | 102 +++ ...earing-of-hba-setup-flag-to-before-l.patch | 37 + ...hba-setup-flag-is-used-only-for-sli4.patch | 17 + ...e-clearing-initial-phba-flags-from-l.patch | 45 ++ ...y-error-handling-for-failed-lpfc-get.patch | 50 ++ ...eturn-out-of-fdmi-cmpl-for-locally-r.patch | 39 + ...cn-processing-when-fc-unloading-flag.patch | 21 + ...or-hdwq-null-ptr-when-cleaning-up-lp.patch | 18 + ...debugfs-trace-ring-initialization-me.patch | 53 ++ ...logging-format-for-failed-ct-mib-req.patch | 29 + ...d-crashing-in-lpfc-nlp-get-rhel-only.patch | 31 + ...mgag200-fix-mgag200-bmc-stop-scanout.patch | 210 ++++++ ...ct-csum-validate-nested-vlan-headers.patch | 55 ++ ...ect-invalid-mac-header-for-all-packe.patch | 47 ++ ...e-unnecessary-tracing-after-put-tcon.patch | 52 ++ ...ake-default-value-of-retrans-as-zero.patch | 41 ++ ...073x-add-output-pin-frequency-helper.patch | 158 ++++ ...rent-frequency-in-supported-frequenc.patch | 124 ++++ ...ll-zl3073x-fix-ref-frequency-setting.patch | 58 ++ ...se-offset-comp-register-width-for-so.patch | 175 +++++ ...-redundant-cleanup-in-devm-dpll-init.patch | 45 ++ ...ject-zero-length-fixed-buffer-import.patch | 63 ++ ...helper-pass-helper-to-expect-cleanup.patch | 58 ++ ...f-bounds-read-in-wacom-intuos-bt-irq.patch | 63 ++ ...gs-enable-config-aqtion-on-all-archs.patch | 41 ++ ...validate-bsscfg-indices-in-if-events.patch | 40 ++ ...sure-safe-access-to-master-conntrack.patch | 207 ++++++ ...k-remaining-length-before-reading-op.patch | 38 + ...rcu-tasks-stall-in-threaded-busypoll.patch | 120 ++++ ...use-netif-get-num-default-rss-queues.patch | 93 +++ ...set-max-queues-in-alloc-etherdev-mqs.patch | 128 ++++ ...n-inode-use-a-proper-mode-internally.patch | 132 ++++ 1229-pidfs-use-anon-inode-getattr.patch | 65 ++ ...-anon-inode-explicitly-block-setattr.patch | 93 +++ 1231-pidfs-use-anon-inode-setattr.patch | 39 + ...ode-raise-sb-i-nodev-and-sb-i-noexec.patch | 51 ++ 1233-fs-add-s-anon-inode.patch | 170 +++++ ...ny-thp-for-files-on-anonymous-inodes.patch | 99 +++ ...o-size-ptr-dereference-when-num-ifs-.patch | 59 ++ ...m-ifs-to-prevent-out-of-bounds-write.patch | 63 ++ ...r-page-private-in-free-pages-prepare.patch | 71 ++ ...ate-disable-objtool-werror-for-gcov-.patch | 36 + ...thin-fix-metadata-refcount-underflow.patch | 55 ++ ...e-softirqs-before-finalizing-request.patch | 99 +++ ...h-mgmt-validate-ltk-enc-size-on-load.patch | 48 ++ ...-race-conditions-in-sco-sock-connect.patch | 149 ++++ ...attr-leaf-freemap-entries-when-empty.patch | 78 ++ ...nts-when-adding-xattrs-to-leaf-block.patch | 141 ++++ kernel.spec | 259 ++++++- 84 files changed, 7190 insertions(+), 1 deletion(-) create mode 100644 1162-netfilter-nf-tables-release-flowtable-after-rcu-grace-period.patch create mode 100644 1163-can-j1939-j1939-session-new-fix-skb-reference-counting.patch create mode 100644 1164-ima-don-t-clear-ima-digsig-flag-when-setting-or-removing-non.patch create mode 100644 1165-netfilter-nf-conntrack-h323-check-for-zero-length-in-decodeq.patch create mode 100644 1166-revert-scsi-lpfc-update-lpfc-version-to-14-4-0-12.patch create mode 100644 1167-revert-scsi-lpfc-add-capability-to-register-platform-name-id.patch create mode 100644 1168-revert-scsi-lpfc-allow-support-for-bb-credit-recovery-in-poi.patch create mode 100644 1169-revert-scsi-lpfc-fix-reusing-an-ndlp-that-is-marked-nlp-drop.patch create mode 100644 1170-revert-scsi-lpfc-modify-kref-handling-for-fabric-controller-.patch create mode 100644 1171-revert-scsi-lpfc-fix-leaked-ndlp-krefs-when-in-point-to-poin.patch create mode 100644 1172-revert-scsi-lpfc-ensure-unregistration-of-rpis-for-received-.patch create mode 100644 1173-revert-scsi-lpfc-remove-redundant-null-ptr-assignment-in-lpf.patch create mode 100644 1174-revert-scsi-lpfc-revise-discovery-related-function-headers-a.patch create mode 100644 1175-revert-scsi-lpfc-update-various-npiv-diagnostic-log-messagin.patch create mode 100644 1176-revert-scsi-lpfc-copyright-updates-for-14-4-0-11-patches.patch create mode 100644 1177-revert-scsi-lpfc-update-lpfc-version-to-14-4-0-11.patch create mode 100644 1178-revert-scsi-lpfc-convert-debugfs-directory-counts-from-atomi.patch create mode 100644 1179-revert-scsi-lpfc-clean-up-extraneous-phba-dentries.patch create mode 100644 1180-revert-scsi-lpfc-use-switch-case-statements-in-dif-debugfs-h.patch create mode 100644 1181-revert-scsi-lpfc-fix-memory-leak-when-nvmeio-trc-debugfs-ent.patch create mode 100644 1182-revert-scsi-lpfc-define-size-of-debugfs-entry-for-xri-rebala.patch create mode 100644 1183-revert-scsi-lpfc-ensure-plogi-acc-is-sent-prior-to-prli-in-p.patch create mode 100644 1184-revert-scsi-lpfc-check-return-status-of-lpfc-reset-flush-io-.patch create mode 100644 1185-revert-scsi-lpfc-decrement-ndlp-kref-after-fdisc-retries-exh.patch create mode 100644 1186-revert-scsi-lpfc-remove-ndlp-kref-decrement-clause-for-f-por.patch create mode 100644 1187-revert-scsi-lpfc-clean-up-allocated-queues-when-queue-setup-.patch create mode 100644 1188-revert-scsi-lpfc-abort-outstanding-els-wqes-regardless-of-if.patch create mode 100644 1189-revert-scsi-lpfc-remove-unused-member-variables-in-struct-lp.patch create mode 100644 1190-revert-scsi-lpfc-use-int-type-to-store-negative-error-codes.patch create mode 100644 1191-revert-scsi-lpfc-use-min-to-improve-code.patch create mode 100644 1192-revert-scsi-lpfc-fix-wrong-function-reference-in-a-comment.patch create mode 100644 1193-revert-lpfc-don-t-use-file-f-path-dentry-for-comparisons.patch create mode 100644 1194-revert-scsi-lpfc-copyright-updates-for-14-4-0-10-patches.patch create mode 100644 1195-revert-scsi-lpfc-update-lpfc-version-to-14-4-0-10.patch create mode 100644 1196-revert-scsi-lpfc-modify-end-of-life-adapters-model-descripti.patch create mode 100644 1197-revert-scsi-lpfc-revise-cq-create-set-mailbox-bitfield-defin.patch create mode 100644 1198-revert-scsi-lpfc-move-clearing-of-hba-setup-flag-to-before-l.patch create mode 100644 1199-revert-scsi-lpfc-ensure-hba-setup-flag-is-used-only-for-sli4.patch create mode 100644 1200-revert-scsi-lpfc-relocate-clearing-initial-phba-flags-from-l.patch create mode 100644 1201-revert-scsi-lpfc-simplify-error-handling-for-failed-lpfc-get.patch create mode 100644 1202-revert-scsi-lpfc-early-return-out-of-fdmi-cmpl-for-locally-r.patch create mode 100644 1203-revert-scsi-lpfc-skip-rscn-processing-when-fc-unloading-flag.patch create mode 100644 1204-revert-scsi-lpfc-check-for-hdwq-null-ptr-when-cleaning-up-lp.patch create mode 100644 1205-revert-scsi-lpfc-update-debugfs-trace-ring-initialization-me.patch create mode 100644 1206-revert-scsi-lpfc-revise-logging-format-for-failed-ct-mib-req.patch create mode 100644 1207-scsi-lpfc-avoid-crashing-in-lpfc-nlp-get-rhel-only.patch create mode 100644 1208-drm-mgag200-fix-mgag200-bmc-stop-scanout.patch create mode 100644 1209-net-sched-act-csum-validate-nested-vlan-headers.patch create mode 100644 1210-netfilter-ip6t-eui64-reject-invalid-mac-header-for-all-packe.patch create mode 100644 1211-cifs-remove-unnecessary-tracing-after-put-tcon.patch create mode 100644 1212-cifs-make-default-value-of-retrans-as-zero.patch create mode 100644 1213-dpll-zl3073x-add-output-pin-frequency-helper.patch create mode 100644 1214-dpll-zl3073x-include-current-frequency-in-supported-frequenc.patch create mode 100644 1215-dpll-zl3073x-fix-ref-frequency-setting.patch create mode 100644 1216-dpll-zl3073x-fix-ref-phase-offset-comp-register-width-for-so.patch create mode 100644 1217-dpll-zl3073x-remove-redundant-cleanup-in-devm-dpll-init.patch create mode 100644 1218-io-uring-rsrc-reject-zero-length-fixed-buffer-import.patch create mode 100644 1219-netfilter-nf-conntrack-helper-pass-helper-to-expect-cleanup.patch create mode 100644 1220-hid-wacom-fix-out-of-bounds-read-in-wacom-intuos-bt-irq.patch create mode 100644 1221-redhat-configs-enable-config-aqtion-on-all-archs.patch create mode 100644 1222-wifi-brcmfmac-validate-bsscfg-indices-in-if-events.patch create mode 100644 1223-netfilter-ctnetlink-ensure-safe-access-to-master-conntrack.patch create mode 100644 1224-netfilter-xt-tcpmss-check-remaining-length-before-reading-op.patch create mode 100644 1225-net-fix-rcu-tasks-stall-in-threaded-busypoll.patch create mode 100644 1226-ice-use-netif-get-num-default-rss-queues.patch create mode 100644 1227-ice-set-max-queues-in-alloc-etherdev-mqs.patch create mode 100644 1228-anon-inode-use-a-proper-mode-internally.patch create mode 100644 1229-pidfs-use-anon-inode-getattr.patch create mode 100644 1230-anon-inode-explicitly-block-setattr.patch create mode 100644 1231-pidfs-use-anon-inode-setattr.patch create mode 100644 1232-anon-inode-raise-sb-i-nodev-and-sb-i-noexec.patch create mode 100644 1233-fs-add-s-anon-inode.patch create mode 100644 1234-mm-thp-deny-thp-for-files-on-anonymous-inodes.patch create mode 100644 1235-dpaa2-switch-prevent-zero-size-ptr-dereference-when-num-ifs-.patch create mode 100644 1236-dpaa2-switch-validate-num-ifs-to-prevent-out-of-bounds-write.patch create mode 100644 1237-mm-page-alloc-clear-page-private-in-free-pages-prepare.patch create mode 100644 1238-redhat-kernel-spec-template-disable-objtool-werror-for-gcov-.patch create mode 100644 1239-dm-thin-fix-metadata-refcount-underflow.patch create mode 100644 1240-crypto-tegra-disable-softirqs-before-finalizing-request.patch create mode 100644 1241-bluetooth-mgmt-validate-ltk-enc-size-on-load.patch create mode 100644 1242-bluetooth-sco-fix-race-conditions-in-sco-sock-connect.patch create mode 100644 1243-xfs-delete-attr-leaf-freemap-entries-when-empty.patch create mode 100644 1244-xfs-fix-freemap-adjustments-when-adding-xattrs-to-leaf-block.patch diff --git a/1162-netfilter-nf-tables-release-flowtable-after-rcu-grace-period.patch b/1162-netfilter-nf-tables-release-flowtable-after-rcu-grace-period.patch new file mode 100644 index 000000000..55c092659 --- /dev/null +++ b/1162-netfilter-nf-tables-release-flowtable-after-rcu-grace-period.patch @@ -0,0 +1,46 @@ +From 7e3955b282eae20d61c75e499c75eade51c20060 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Tue, 17 Mar 2026 20:00:26 +0100 +Subject: [PATCH] netfilter: nf_tables: release flowtable after rcu grace + period on error + +[ Upstream commit d73f4b53aaaea4c95f245e491aa5eeb8a21874ce ] + +Call synchronize_rcu() after unregistering the hooks from error path, +since a hook that already refers to this flowtable can be already +registered, exposing this flowtable to packet path and nfnetlink_hook +control plane. + +This error path is rare, it should only happen by reaching the maximum +number hooks or by failing to set up to hardware offload, just call +synchronize_rcu(). + +There is a check for already used device hooks by different flowtable +that could result in EEXIST at this late stage. The hook parser can be +updated to perform this check earlier to this error path really becomes +rarely exercised. + +Uncovered by KASAN reported as use-after-free from nfnetlink_hook path +when dumping hooks. + +Fixes: 3b49e2e94e6e ("netfilter: nf_tables: add flow table netlink frontend") +Reported-by: Yiming Qian +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 0c12560e94f3..663c06413518 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -8966,6 +8966,7 @@ static int nf_tables_newflowtable(struct sk_buff *skb, + return 0; + + err_flowtable_hooks: ++ synchronize_rcu(); + nft_trans_destroy(trans); + err_flowtable_trans: + nft_hooks_destroy(&flowtable->hook_list); +-- +2.50.1 (Apple Git-155) + diff --git a/1163-can-j1939-j1939-session-new-fix-skb-reference-counting.patch b/1163-can-j1939-j1939-session-new-fix-skb-reference-counting.patch new file mode 100644 index 000000000..8af06b6eb --- /dev/null +++ b/1163-can-j1939-j1939-session-new-fix-skb-reference-counting.patch @@ -0,0 +1,38 @@ +From 68fceb143b635cdc59fed3896d5910aff38f345e Mon Sep 17 00:00:00 2001 +From: Dmitry Antipov +Date: Tue, 5 Nov 2024 12:48:23 +0300 +Subject: [PATCH] can: j1939: j1939_session_new(): fix skb reference counting + +[ Upstream commit a8c695005bfe6569acd73d777ca298ddddd66105 ] + +Since j1939_session_skb_queue() does an extra skb_get() for each new +skb, do the same for the initial one in j1939_session_new() to avoid +refcount underflow. + +Reported-by: syzbot+d4e8dc385d9258220c31@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=d4e8dc385d9258220c31 +Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") +Signed-off-by: Dmitry Antipov +Tested-by: Oleksij Rempel +Acked-by: Oleksij Rempel +Link: https://patch.msgid.link/20241105094823.2403806-1-dmantipov@yandex.ru +[mkl: clean up commit message] +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin + +diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c +index 319f47df3330..95f7a7e65a73 100644 +--- a/net/can/j1939/transport.c ++++ b/net/can/j1939/transport.c +@@ -1505,7 +1505,7 @@ static struct j1939_session *j1939_session_new(struct j1939_priv *priv, + session->state = J1939_SESSION_NEW; + + skb_queue_head_init(&session->skb_queue); +- skb_queue_tail(&session->skb_queue, skb); ++ skb_queue_tail(&session->skb_queue, skb_get(skb)); + + skcb = j1939_skb_to_cb(skb); + memcpy(&session->skcb, skcb, sizeof(session->skcb)); +-- +2.50.1 (Apple Git-155) + diff --git a/1164-ima-don-t-clear-ima-digsig-flag-when-setting-or-removing-non.patch b/1164-ima-don-t-clear-ima-digsig-flag-when-setting-or-removing-non.patch new file mode 100644 index 000000000..bd30e90e4 --- /dev/null +++ b/1164-ima-don-t-clear-ima-digsig-flag-when-setting-or-removing-non.patch @@ -0,0 +1,159 @@ +From 3c673dcebb6ae37885e3bf6960cac602bb0ae089 Mon Sep 17 00:00:00 2001 +From: CKI Backport Bot +Date: Tue, 21 Apr 2026 10:10:02 +0000 +Subject: [PATCH] ima: don't clear IMA_DIGSIG flag when setting or removing + non-IMA xattr + +JIRA: https://redhat.atlassian.net/browse/RHEL-169737 +CVE: CVE-2025-68183 + +commit 88b4cbcf6b041ae0f2fc8a34554a5b6a83a2b7cd +Author: Coiby Xu +Date: Mon Sep 15 13:55:23 2025 +0800 + + ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr + + Currently when both IMA and EVM are in fix mode, the IMA signature will + be reset to IMA hash if a program first stores IMA signature in + security.ima and then writes/removes some other security xattr for the + file. + + For example, on Fedora, after booting the kernel with "ima_appraise=fix + evm=fix ima_policy=appraise_tcb" and installing rpm-plugin-ima, + installing/reinstalling a package will not make good reference IMA + signature generated. Instead IMA hash is generated, + + # getfattr -m - -d -e hex /usr/bin/bash + # file: usr/bin/bash + security.ima=0x0404... + + This happens because when setting security.selinux, the IMA_DIGSIG flag + that had been set early was cleared. As a result, IMA hash is generated + when the file is closed. + + Similarly, IMA signature can be cleared on file close after removing + security xattr like security.evm or setting/removing ACL. + + Prevent replacing the IMA file signature with a file hash, by preventing + the IMA_DIGSIG flag from being reset. + + Here's a minimal C reproducer which sets security.selinux as the last + step which can also replaced by removing security.evm or setting ACL, + + #include + #include + #include + #include + #include + #include + + int main() { + const char* file_path = "/usr/sbin/test_binary"; + const char* hex_string = "030204d33204490066306402304"; + int length = strlen(hex_string); + char* ima_attr_value; + int fd; + + fd = open(file_path, O_WRONLY|O_CREAT|O_EXCL, 0644); + if (fd == -1) { + perror("Error opening file"); + return 1; + } + + ima_attr_value = (char*)malloc(length / 2 ); + for (int i = 0, j = 0; i < length; i += 2, j++) { + sscanf(hex_string + i, "%2hhx", &ima_attr_value[j]); + } + + if (fsetxattr(fd, "security.ima", ima_attr_value, length/2, 0) == -1) { + perror("Error setting extended attribute"); + close(fd); + return 1; + } + + const char* selinux_value= "system_u:object_r:bin_t:s0"; + if (fsetxattr(fd, "security.selinux", selinux_value, strlen(selinux_value), 0) == -1) { + perror("Error setting extended attribute"); + close(fd); + return 1; + } + + close(fd); + + return 0; + } + + Signed-off-by: Coiby Xu + Signed-off-by: Mimi Zohar + +Signed-off-by: CKI Backport Bot + +diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c +index 656c709b974f..f7770c24995b 100644 +--- a/security/integrity/ima/ima_appraise.c ++++ b/security/integrity/ima/ima_appraise.c +@@ -671,6 +671,15 @@ static int ima_protect_xattr(struct dentry *dentry, const char *xattr_name, + return 0; + } + ++/* ++ * ima_reset_appraise_flags - reset ima_iint_cache flags ++ * ++ * @digsig: whether to clear/set IMA_DIGSIG flag, tristate values ++ * 0: clear IMA_DIGSIG ++ * 1: set IMA_DIGSIG ++ * -1: don't change IMA_DIGSIG ++ * ++ */ + static void ima_reset_appraise_flags(struct inode *inode, int digsig) + { + struct ima_iint_cache *iint; +@@ -683,9 +692,9 @@ static void ima_reset_appraise_flags(struct inode *inode, int digsig) + return; + iint->measured_pcrs = 0; + set_bit(IMA_CHANGE_XATTR, &iint->atomic_flags); +- if (digsig) ++ if (digsig == 1) + set_bit(IMA_DIGSIG, &iint->atomic_flags); +- else ++ else if (digsig == 0) + clear_bit(IMA_DIGSIG, &iint->atomic_flags); + } + +@@ -771,6 +780,8 @@ static int ima_inode_setxattr(struct mnt_idmap *idmap, struct dentry *dentry, + digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG); + } else if (!strcmp(xattr_name, XATTR_NAME_EVM) && xattr_value_len > 0) { + digsig = (xvalue->type == EVM_XATTR_PORTABLE_DIGSIG); ++ } else { ++ digsig = -1; + } + if (result == 1 || evm_revalidate_status(xattr_name)) { + ima_reset_appraise_flags(d_backing_inode(dentry), digsig); +@@ -784,7 +795,7 @@ static int ima_inode_set_acl(struct mnt_idmap *idmap, struct dentry *dentry, + const char *acl_name, struct posix_acl *kacl) + { + if (evm_revalidate_status(acl_name)) +- ima_reset_appraise_flags(d_backing_inode(dentry), 0); ++ ima_reset_appraise_flags(d_backing_inode(dentry), -1); + + return 0; + } +@@ -792,11 +803,13 @@ static int ima_inode_set_acl(struct mnt_idmap *idmap, struct dentry *dentry, + static int ima_inode_removexattr(struct mnt_idmap *idmap, struct dentry *dentry, + const char *xattr_name) + { +- int result; ++ int result, digsig = -1; + + result = ima_protect_xattr(dentry, xattr_name, NULL, 0); + if (result == 1 || evm_revalidate_status(xattr_name)) { +- ima_reset_appraise_flags(d_backing_inode(dentry), 0); ++ if (!strcmp(xattr_name, XATTR_NAME_IMA)) ++ digsig = 0; ++ ima_reset_appraise_flags(d_backing_inode(dentry), digsig); + if (result == 1) + result = 0; + } +-- +2.50.1 (Apple Git-155) + diff --git a/1165-netfilter-nf-conntrack-h323-check-for-zero-length-in-decodeq.patch b/1165-netfilter-nf-conntrack-h323-check-for-zero-length-in-decodeq.patch new file mode 100644 index 000000000..5a1ee2d51 --- /dev/null +++ b/1165-netfilter-nf-conntrack-h323-check-for-zero-length-in-decodeq.patch @@ -0,0 +1,43 @@ +From 633e8f87dad32263f6a57dccdb873f042c062111 Mon Sep 17 00:00:00 2001 +From: Jenny Guanni Qu +Date: Thu, 12 Mar 2026 14:49:50 +0000 +Subject: [PATCH] netfilter: nf_conntrack_h323: check for zero length in + DecodeQ931() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit f173d0f4c0f689173f8cdac79991043a4a89bf66 ] + +In DecodeQ931(), the UserUserIE code path reads a 16-bit length from +the packet, then decrements it by 1 to skip the protocol discriminator +byte before passing it to DecodeH323_UserInformation(). If the encoded +length is 0, the decrement wraps to -1, which is then passed as a +large value to the decoder, leading to an out-of-bounds read. + +Add a check to ensure len is positive after the decrement. + +Fixes: 5e35941d9901 ("[NETFILTER]: Add H.323 conntrack/NAT helper") +Reported-by: Klaudia Kloc +Reported-by: Dawid Moczadło +Tested-by: Jenny Guanni Qu +Signed-off-by: Jenny Guanni Qu +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin + +diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c +index c972e9488e16..7b1497ed97d2 100644 +--- a/net/netfilter/nf_conntrack_h323_asn1.c ++++ b/net/netfilter/nf_conntrack_h323_asn1.c +@@ -924,6 +924,8 @@ int DecodeQ931(unsigned char *buf, size_t sz, Q931 *q931) + break; + p++; + len--; ++ if (len <= 0) ++ break; + return DecodeH323_UserInformation(buf, p, len, + &q931->UUIE); + } +-- +2.50.1 (Apple Git-155) + diff --git a/1166-revert-scsi-lpfc-update-lpfc-version-to-14-4-0-12.patch b/1166-revert-scsi-lpfc-update-lpfc-version-to-14-4-0-12.patch new file mode 100644 index 000000000..07773cf9c --- /dev/null +++ b/1166-revert-scsi-lpfc-update-lpfc-version-to-14-4-0-12.patch @@ -0,0 +1,16 @@ +Subject: [PATCH] Revert "scsi: lpfc: Update lpfc version to 14.4.0.12" +# reverse of cs10 14af547a198d243a0ef02f489884ffb113e8c54f + +diff --git a/drivers/scsi/lpfc/lpfc_version.h b/drivers/scsi/lpfc/lpfc_version.h +index f3dada5bf7c1..31c3c5abdca6 100644 +--- a/drivers/scsi/lpfc/lpfc_version.h ++++ b/drivers/scsi/lpfc/lpfc_version.h +@@ -20,7 +20,7 @@ + * included with this package. * + *******************************************************************/ + +-#define LPFC_DRIVER_VERSION "14.4.0.12" ++#define LPFC_DRIVER_VERSION "14.4.0.11" + #define LPFC_DRIVER_NAME "lpfc" + + /* Used for SLI 2/3 */ diff --git a/1167-revert-scsi-lpfc-add-capability-to-register-platform-name-id.patch b/1167-revert-scsi-lpfc-add-capability-to-register-platform-name-id.patch new file mode 100644 index 000000000..fc1f9c5c5 --- /dev/null +++ b/1167-revert-scsi-lpfc-add-capability-to-register-platform-name-id.patch @@ -0,0 +1,329 @@ +Subject: [PATCH] Revert "scsi: lpfc: Add capability to register Platform Name ID to fabric" +# reverse of cs10 71f3928a71657839d9362695e7446414fa25ebad + +diff --git a/drivers/scsi/lpfc/lpfc.h b/drivers/scsi/lpfc/lpfc.h +index 8b6386e2e3a5..ad8f5dee23a3 100644 +--- a/drivers/scsi/lpfc/lpfc.h ++++ b/drivers/scsi/lpfc/lpfc.h +@@ -634,7 +634,6 @@ struct lpfc_vport { + #define FC_CT_RSPN_ID 0x8 /* RSPN_ID accepted by switch */ + #define FC_CT_RFT_ID 0x10 /* RFT_ID accepted by switch */ + #define FC_CT_RPRT_DEFER 0x20 /* Defer issuing FDMI RPRT */ +-#define FC_CT_RSPNI_PNI 0x40 /* RSPNI_PNI accepted by switch */ + + struct list_head fc_nodes; + spinlock_t fc_nodes_list_lock; /* spinlock for fc_nodes list */ +@@ -1079,8 +1078,6 @@ struct lpfc_hba { + + uint32_t nport_event_cnt; /* timestamp for nlplist entry */ + +- unsigned long pni; /* 64-bit Platform Name Identifier */ +- + uint8_t wwnn[8]; + uint8_t wwpn[8]; + uint32_t RandomData[7]; +diff --git a/drivers/scsi/lpfc/lpfc_ct.c b/drivers/scsi/lpfc/lpfc_ct.c +index 817b02901c9d..cc8af576f57c 100644 +--- a/drivers/scsi/lpfc/lpfc_ct.c ++++ b/drivers/scsi/lpfc/lpfc_ct.c +@@ -1742,28 +1742,6 @@ lpfc_cmpl_ct_cmd_rsnn_nn(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb, + return; + } + +-static void +-lpfc_cmpl_ct_cmd_rspni_pni(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb, +- struct lpfc_iocbq *rspiocb) +-{ +- struct lpfc_vport *vport; +- struct lpfc_dmabuf *outp; +- struct lpfc_sli_ct_request *ctrsp; +- u32 ulp_status; +- +- vport = cmdiocb->vport; +- ulp_status = get_job_ulpstatus(phba, rspiocb); +- +- if (ulp_status == IOSTAT_SUCCESS) { +- outp = cmdiocb->rsp_dmabuf; +- ctrsp = (struct lpfc_sli_ct_request *)outp->virt; +- if (be16_to_cpu(ctrsp->CommandResponse.bits.CmdRsp) == +- SLI_CT_RESPONSE_FS_ACC) +- vport->ct_flags |= FC_CT_RSPNI_PNI; +- } +- lpfc_cmpl_ct(phba, cmdiocb, rspiocb); +-} +- + static void + lpfc_cmpl_ct_cmd_da_id(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb, + struct lpfc_iocbq *rspiocb) +@@ -1978,8 +1956,6 @@ lpfc_ns_cmd(struct lpfc_vport *vport, int cmdcode, + bpl->tus.f.bdeSize = RSPN_REQUEST_SZ; + else if (cmdcode == SLI_CTNS_RSNN_NN) + bpl->tus.f.bdeSize = RSNN_REQUEST_SZ; +- else if (cmdcode == SLI_CTNS_RSPNI_PNI) +- bpl->tus.f.bdeSize = RSPNI_REQUEST_SZ; + else if (cmdcode == SLI_CTNS_DA_ID) + bpl->tus.f.bdeSize = DA_ID_REQUEST_SZ; + else if (cmdcode == SLI_CTNS_RFF_ID) +@@ -2101,18 +2077,6 @@ lpfc_ns_cmd(struct lpfc_vport *vport, int cmdcode, + CtReq->un.rsnn.symbname, size); + cmpl = lpfc_cmpl_ct_cmd_rsnn_nn; + break; +- case SLI_CTNS_RSPNI_PNI: +- vport->ct_flags &= ~FC_CT_RSPNI_PNI; +- CtReq->CommandResponse.bits.CmdRsp = +- cpu_to_be16(SLI_CTNS_RSPNI_PNI); +- CtReq->un.rspni.pni = cpu_to_be64(phba->pni); +- scnprintf(CtReq->un.rspni.symbname, +- sizeof(CtReq->un.rspni.symbname), "OS Host Name::%s", +- phba->os_host_name); +- CtReq->un.rspni.len = strnlen(CtReq->un.rspni.symbname, +- sizeof(CtReq->un.rspni.symbname)); +- cmpl = lpfc_cmpl_ct_cmd_rspni_pni; +- break; + case SLI_CTNS_DA_ID: + /* Implement DA_ID Nameserver request */ + CtReq->CommandResponse.bits.CmdRsp = +diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c +index 009d72ed08b0..15c062c1566d 100644 +--- a/drivers/scsi/lpfc/lpfc_els.c ++++ b/drivers/scsi/lpfc/lpfc_els.c +@@ -650,6 +650,8 @@ lpfc_cmpl_els_flogi_fabric(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp, + ndlp->nlp_class_sup |= FC_COS_CLASS2; + if (sp->cls3.classValid) + ndlp->nlp_class_sup |= FC_COS_CLASS3; ++ if (sp->cls4.classValid) ++ ndlp->nlp_class_sup |= FC_COS_CLASS4; + ndlp->nlp_maxframe = ((sp->cmn.bbRcvSizeMsb & 0x0F) << 8) | + sp->cmn.bbRcvSizeLsb; + +@@ -1354,14 +1356,6 @@ lpfc_issue_els_flogi(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp, + /* Can't do SLI4 class2 without support sequence coalescing */ + sp->cls2.classValid = 0; + sp->cls2.seqDelivery = 0; +- +- /* Fill out Auxiliary Parameter Data */ +- if (phba->pni) { +- sp->aux.flags = +- AUX_PARM_DATA_VALID | AUX_PARM_PNI_VALID; +- sp->aux.pni = cpu_to_be64(phba->pni); +- sp->aux.npiv_cnt = cpu_to_be16(phba->max_vpi - 1); +- } + } else { + /* Historical, setting sequential-delivery bit for SLI3 */ + sp->cls2.seqDelivery = (sp->cls2.classValid) ? 1 : 0; +@@ -5662,6 +5656,7 @@ lpfc_els_rsp_acc(struct lpfc_vport *vport, uint32_t flag, + sp->cls1.classValid = 0; + sp->cls2.classValid = 0; + sp->cls3.classValid = 0; ++ sp->cls4.classValid = 0; + + /* Copy our worldwide names */ + memcpy(&sp->portName, &vport->fc_sparam.portName, +@@ -11515,13 +11510,6 @@ lpfc_issue_els_fdisc(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp, + sp->cls2.seqDelivery = 1; + sp->cls3.seqDelivery = 1; + +- /* Fill out Auxiliary Parameter Data */ +- if (phba->pni) { +- sp->aux.flags = +- AUX_PARM_DATA_VALID | AUX_PARM_PNI_VALID; +- sp->aux.pni = cpu_to_be64(phba->pni); +- } +- + pcmd += sizeof(uint32_t); /* CSP Word 2 */ + pcmd += sizeof(uint32_t); /* CSP Word 3 */ + pcmd += sizeof(uint32_t); /* CSP Word 4 */ +diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c +index d0bc07fd58e1..dcf78ea77a7d 100644 +--- a/drivers/scsi/lpfc/lpfc_hbadisc.c ++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c +@@ -4373,8 +4373,6 @@ lpfc_mbx_cmpl_ns_reg_login(struct lpfc_hba *phba, LPFC_MBOXQ_t *pmb) + lpfc_ns_cmd(vport, SLI_CTNS_RNN_ID, 0, 0); + lpfc_ns_cmd(vport, SLI_CTNS_RSNN_NN, 0, 0); + lpfc_ns_cmd(vport, SLI_CTNS_RSPN_ID, 0, 0); +- if (phba->pni) +- lpfc_ns_cmd(vport, SLI_CTNS_RSPNI_PNI, 0, 0); + lpfc_ns_cmd(vport, SLI_CTNS_RFT_ID, 0, 0); + + if ((vport->cfg_enable_fc4_type == LPFC_ENABLE_BOTH) || +diff --git a/drivers/scsi/lpfc/lpfc_hw.h b/drivers/scsi/lpfc/lpfc_hw.h +index b2e353590ebb..3bc0efa7453e 100644 +--- a/drivers/scsi/lpfc/lpfc_hw.h ++++ b/drivers/scsi/lpfc/lpfc_hw.h +@@ -168,11 +168,6 @@ struct lpfc_sli_ct_request { + uint8_t len; + uint8_t symbname[255]; + } rspn; +- struct rspni { /* For RSPNI_PNI requests */ +- __be64 pni; +- u8 len; +- u8 symbname[255]; +- } rspni; + struct gff { + uint32_t PortId; + } gff; +@@ -218,8 +213,6 @@ struct lpfc_sli_ct_request { + sizeof(struct da_id)) + #define RSPN_REQUEST_SZ (offsetof(struct lpfc_sli_ct_request, un) + \ + sizeof(struct rspn)) +-#define RSPNI_REQUEST_SZ (offsetof(struct lpfc_sli_ct_request, un) + \ +- sizeof(struct rspni)) + + /* + * FsType Definitions +@@ -316,7 +309,6 @@ struct lpfc_sli_ct_request { + #define SLI_CTNS_RIP_NN 0x0235 + #define SLI_CTNS_RIPA_NN 0x0236 + #define SLI_CTNS_RSNN_NN 0x0239 +-#define SLI_CTNS_RSPNI_PNI 0x0240 + #define SLI_CTNS_DA_ID 0x0300 + + /* +@@ -520,21 +512,6 @@ struct class_parms { + uint8_t word3Reserved2; /* Fc Word 3, bit 0: 7 */ + }; + +-enum aux_parm_flags { +- AUX_PARM_PNI_VALID = 0x20, /* FC Word 0, bit 29 */ +- AUX_PARM_DATA_VALID = 0x40, /* FC Word 0, bit 30 */ +-}; +- +-struct aux_parm { +- u8 flags; /* FC Word 0, bit 31:24 */ +- u8 ext_feat[3]; /* FC Word 0, bit 23:0 */ +- +- __be64 pni; /* FC Word 1 and 2, platform name identifier */ +- +- __be16 rsvd; /* FC Word 3, bit 31:16 */ +- __be16 npiv_cnt; /* FC Word 3, bit 15:0 */ +-} __packed; +- + struct serv_parm { /* Structure is in Big Endian format */ + struct csp cmn; + struct lpfc_name portName; +@@ -542,7 +519,7 @@ struct serv_parm { /* Structure is in Big Endian format */ + struct class_parms cls1; + struct class_parms cls2; + struct class_parms cls3; +- struct aux_parm aux; ++ struct class_parms cls4; + union { + uint8_t vendorVersion[16]; + struct { +diff --git a/drivers/scsi/lpfc/lpfc_nportdisc.c b/drivers/scsi/lpfc/lpfc_nportdisc.c +index 9e785bbf6785..e16370da3e45 100644 +--- a/drivers/scsi/lpfc/lpfc_nportdisc.c ++++ b/drivers/scsi/lpfc/lpfc_nportdisc.c +@@ -432,6 +432,8 @@ lpfc_rcv_plogi(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp, + ndlp->nlp_class_sup |= FC_COS_CLASS2; + if (sp->cls3.classValid) + ndlp->nlp_class_sup |= FC_COS_CLASS3; ++ if (sp->cls4.classValid) ++ ndlp->nlp_class_sup |= FC_COS_CLASS4; + ndlp->nlp_maxframe = + ((sp->cmn.bbRcvSizeMsb & 0x0F) << 8) | sp->cmn.bbRcvSizeLsb; + /* if already logged in, do implicit logout */ +@@ -1415,6 +1417,8 @@ lpfc_cmpl_plogi_plogi_issue(struct lpfc_vport *vport, + ndlp->nlp_class_sup |= FC_COS_CLASS2; + if (sp->cls3.classValid) + ndlp->nlp_class_sup |= FC_COS_CLASS3; ++ if (sp->cls4.classValid) ++ ndlp->nlp_class_sup |= FC_COS_CLASS4; + ndlp->nlp_maxframe = + ((sp->cmn.bbRcvSizeMsb & 0x0F) << 8) | sp->cmn.bbRcvSizeLsb; + +diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c +index a4ae0e5c0bfa..8b9fcd9c0d36 100644 +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -27,8 +27,6 @@ + #include + #include + #include +-#include +-#include + + #include + #include +@@ -8441,70 +8439,6 @@ lpfc_set_host_tm(struct lpfc_hba *phba) + return rc; + } + +-/** +- * lpfc_get_platform_uuid - Attempts to extract a platform uuid +- * @phba: pointer to lpfc hba data structure. +- * +- * This routine attempts to first read SMBIOS DMI data for the System +- * Information structure offset 08h called System UUID. Else, no platform +- * UUID will be advertised. +- **/ +-static void +-lpfc_get_platform_uuid(struct lpfc_hba *phba) +-{ +- int rc; +- const char *uuid; +- char pni[17] = {0}; /* 16 characters + '\0' */ +- bool is_ff = true, is_00 = true; +- u8 i; +- +- /* First attempt SMBIOS DMI */ +- uuid = dmi_get_system_info(DMI_PRODUCT_UUID); +- if (uuid) { +- lpfc_printf_log(phba, KERN_INFO, LOG_INIT, +- "2088 SMBIOS UUID %s\n", +- uuid); +- } else { +- lpfc_printf_log(phba, KERN_INFO, LOG_INIT, +- "2099 Could not extract UUID\n"); +- } +- +- if (uuid && uuid_is_valid(uuid)) { +- /* Generate PNI from UUID format. +- * +- * 1.) Extract lower 64 bits from UUID format. +- * 2.) Set 3h for NAA Locally Assigned Name Identifier format. +- * +- * e.g. xxxxxxxx-xxxx-xxxx-yyyy-yyyyyyyyyyyy +- * +- * extract the yyyy-yyyyyyyyyyyy portion +- * final PNI 3yyyyyyyyyyyyyyy +- */ +- scnprintf(pni, sizeof(pni), "3%c%c%c%s", +- uuid[20], uuid[21], uuid[22], &uuid[24]); +- +- /* Sanitize the converted PNI */ +- for (i = 1; i < 16 && (is_ff || is_00); i++) { +- if (pni[i] != '0') +- is_00 = false; +- if (pni[i] != 'f' && pni[i] != 'F') +- is_ff = false; +- } +- +- /* Convert from char* to unsigned long */ +- rc = kstrtoul(pni, 16, &phba->pni); +- if (!rc && !is_ff && !is_00) { +- lpfc_printf_log(phba, KERN_INFO, LOG_INIT, +- "2100 PNI 0x%016lx\n", phba->pni); +- } else { +- lpfc_printf_log(phba, KERN_INFO, LOG_INIT, +- "2101 PNI %s generation status %d\n", +- pni, rc); +- phba->pni = 0; +- } +- } +-} +- + /** + * lpfc_sli4_hba_setup - SLI4 device initialization PCI function + * @phba: Pointer to HBA context object. +@@ -8588,10 +8522,6 @@ lpfc_sli4_hba_setup(struct lpfc_hba *phba) + clear_bit(HBA_FCOE_MODE, &phba->hba_flag); + } + +- /* Obtain platform UUID, only for SLI4 FC adapters */ +- if (!test_bit(HBA_FCOE_MODE, &phba->hba_flag)) +- lpfc_get_platform_uuid(phba); +- + if (bf_get(lpfc_mbx_rd_rev_cee_ver, &mqe->un.read_rev) == + LPFC_DCBX_CEE_MODE) + set_bit(HBA_FIP_SUPPORT, &phba->hba_flag); diff --git a/1168-revert-scsi-lpfc-allow-support-for-bb-credit-recovery-in-poi.patch b/1168-revert-scsi-lpfc-allow-support-for-bb-credit-recovery-in-poi.patch new file mode 100644 index 000000000..1570e5f75 --- /dev/null +++ b/1168-revert-scsi-lpfc-allow-support-for-bb-credit-recovery-in-poi.patch @@ -0,0 +1,27 @@ +Subject: [PATCH] Revert "scsi: lpfc: Allow support for BB credit recovery in point-to-point topology" +# reverse of cs10 db29ff738106f5cd68a5fd5299f937c124aaef2a + +diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c +index 15c062c1566d..ef6e4ee9b608 100644 +--- a/drivers/scsi/lpfc/lpfc_els.c ++++ b/drivers/scsi/lpfc/lpfc_els.c +@@ -2279,8 +2279,7 @@ lpfc_issue_els_plogi(struct lpfc_vport *vport, uint32_t did, uint8_t retry) + + sp->cmn.valid_vendor_ver_level = 0; + memset(sp->un.vendorVersion, 0, sizeof(sp->un.vendorVersion)); +- if (!test_bit(FC_PT2PT, &vport->fc_flag)) +- sp->cmn.bbRcvSizeMsb &= 0xF; ++ sp->cmn.bbRcvSizeMsb &= 0xF; + + /* Check if the destination port supports VMID */ + ndlp->vmid_support = 0; +@@ -5670,8 +5669,7 @@ lpfc_els_rsp_acc(struct lpfc_vport *vport, uint32_t flag, + sp->cmn.valid_vendor_ver_level = 0; + memset(sp->un.vendorVersion, 0, + sizeof(sp->un.vendorVersion)); +- if (!test_bit(FC_PT2PT, &vport->fc_flag)) +- sp->cmn.bbRcvSizeMsb &= 0xF; ++ sp->cmn.bbRcvSizeMsb &= 0xF; + + /* If our firmware supports this feature, convey that + * info to the target using the vendor specific field. diff --git a/1169-revert-scsi-lpfc-fix-reusing-an-ndlp-that-is-marked-nlp-drop.patch b/1169-revert-scsi-lpfc-fix-reusing-an-ndlp-that-is-marked-nlp-drop.patch new file mode 100644 index 000000000..c9de2a9a6 --- /dev/null +++ b/1169-revert-scsi-lpfc-fix-reusing-an-ndlp-that-is-marked-nlp-drop.patch @@ -0,0 +1,101 @@ +Subject: [PATCH] Revert "scsi: lpfc: Fix reusing an ndlp that is marked NLP_DROPPED during FLOGI" +# reverse of cs10 a1229adf21035776936072b77d724e9e79cdf813 + +diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c +index ef6e4ee9b608..f8df66009c35 100644 +--- a/drivers/scsi/lpfc/lpfc_els.c ++++ b/drivers/scsi/lpfc/lpfc_els.c +@@ -934,15 +934,10 @@ lpfc_cmpl_els_flogi(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb, + /* Check to see if link went down during discovery */ + if (lpfc_els_chk_latt(vport)) { + /* One additional decrement on node reference count to +- * trigger the release of the node. Make sure the ndlp +- * is marked NLP_DROPPED. ++ * trigger the release of the node + */ +- if (!test_bit(NLP_IN_DEV_LOSS, &ndlp->nlp_flag) && +- !test_bit(NLP_DROPPED, &ndlp->nlp_flag) && +- !(ndlp->fc4_xpt_flags & SCSI_XPT_REGD)) { +- set_bit(NLP_DROPPED, &ndlp->nlp_flag); ++ if (!(ndlp->fc4_xpt_flags & SCSI_XPT_REGD)) + lpfc_nlp_put(ndlp); +- } + goto out; + } + +@@ -1000,10 +995,9 @@ lpfc_cmpl_els_flogi(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb, + IOERR_LOOP_OPEN_FAILURE))) + lpfc_vlog_msg(vport, KERN_WARNING, LOG_ELS, + "2858 FLOGI Status:x%x/x%x TMO" +- ":x%x Data x%lx x%x x%lx x%x\n", ++ ":x%x Data x%lx x%x\n", + ulp_status, ulp_word4, tmo, +- phba->hba_flag, phba->fcf.fcf_flag, +- ndlp->nlp_flag, ndlp->fc4_xpt_flags); ++ phba->hba_flag, phba->fcf.fcf_flag); + + /* Check for retry */ + if (lpfc_els_retry(phba, cmdiocb, rspiocb)) { +@@ -1021,17 +1015,14 @@ lpfc_cmpl_els_flogi(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb, + * reference to trigger node release. + */ + if (!test_bit(NLP_IN_DEV_LOSS, &ndlp->nlp_flag) && +- !test_bit(NLP_DROPPED, &ndlp->nlp_flag) && +- !(ndlp->fc4_xpt_flags & SCSI_XPT_REGD)) { +- set_bit(NLP_DROPPED, &ndlp->nlp_flag); ++ !(ndlp->fc4_xpt_flags & SCSI_XPT_REGD)) + lpfc_nlp_put(ndlp); +- } + + lpfc_printf_vlog(vport, KERN_WARNING, LOG_ELS, + "0150 FLOGI Status:x%x/x%x " +- "xri x%x iotag x%x TMO:x%x refcnt %d\n", ++ "xri x%x TMO:x%x refcnt %d\n", + ulp_status, ulp_word4, cmdiocb->sli4_xritag, +- cmdiocb->iotag, tmo, kref_read(&ndlp->kref)); ++ tmo, kref_read(&ndlp->kref)); + + /* If this is not a loop open failure, bail out */ + if (!(ulp_status == IOSTAT_LOCAL_REJECT && +@@ -1288,19 +1279,6 @@ lpfc_issue_els_flogi(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp, + uint32_t tmo, did; + int rc; + +- /* It's possible for lpfc to reissue a FLOGI on an ndlp that is marked +- * NLP_DROPPED. This happens when the FLOGI completed with the XB bit +- * set causing lpfc to reference the ndlp until the XRI_ABORTED CQE is +- * issued. The time window for the XRI_ABORTED CQE can be as much as +- * 2*2*RA_TOV allowing for ndlp reuse of this type when the link is +- * cycling quickly. When true, restore the initial reference and remove +- * the NLP_DROPPED flag as lpfc is retrying. +- */ +- if (test_and_clear_bit(NLP_DROPPED, &ndlp->nlp_flag)) { +- if (!lpfc_nlp_get(ndlp)) +- return 1; +- } +- + cmdsize = (sizeof(uint32_t) + sizeof(struct serv_parm)); + elsiocb = lpfc_prep_els_iocb(vport, 1, cmdsize, retry, ndlp, + ndlp->nlp_DID, ELS_CMD_FLOGI); +diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c +index dcf78ea77a7d..1510ed28f5a4 100644 +--- a/drivers/scsi/lpfc/lpfc_hbadisc.c ++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c +@@ -424,7 +424,6 @@ lpfc_check_nlp_post_devloss(struct lpfc_vport *vport, + struct lpfc_nodelist *ndlp) + { + if (test_and_clear_bit(NLP_IN_RECOV_POST_DEV_LOSS, &ndlp->save_flags)) { +- clear_bit(NLP_DROPPED, &ndlp->nlp_flag); + lpfc_nlp_get(ndlp); + lpfc_printf_vlog(vport, KERN_INFO, LOG_DISCOVERY | LOG_NODE, + "8438 Devloss timeout reversed on DID x%x " +@@ -567,8 +566,7 @@ lpfc_dev_loss_tmo_handler(struct lpfc_nodelist *ndlp) + return fcf_inuse; + } + +- if (!test_and_set_bit(NLP_DROPPED, &ndlp->nlp_flag)) +- lpfc_nlp_put(ndlp); ++ lpfc_nlp_put(ndlp); + return fcf_inuse; + } + diff --git a/1170-revert-scsi-lpfc-modify-kref-handling-for-fabric-controller-.patch b/1170-revert-scsi-lpfc-modify-kref-handling-for-fabric-controller-.patch new file mode 100644 index 000000000..b55002875 --- /dev/null +++ b/1170-revert-scsi-lpfc-modify-kref-handling-for-fabric-controller-.patch @@ -0,0 +1,231 @@ +Subject: [PATCH] Revert "scsi: lpfc: Modify kref handling for Fabric Controller ndlps" +# reverse of cs10 4cdd701db602453946844b4900c2da8637acc343 + +diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c +index f8df66009c35..fea93a585fc9 100644 +--- a/drivers/scsi/lpfc/lpfc_els.c ++++ b/drivers/scsi/lpfc/lpfc_els.c +@@ -3390,21 +3390,11 @@ lpfc_cmpl_els_disc_cmd(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb, + lpfc_cmpl_els_edc(phba, cmdiocb, rspiocb); + return; + } +- + if (ulp_status) { + /* ELS discovery cmd completes with error */ + lpfc_printf_vlog(vport, KERN_WARNING, LOG_ELS | LOG_CGN_MGMT, + "4203 ELS cmd x%x error: x%x x%X\n", cmd, + ulp_status, ulp_word4); +- +- /* In the case where the ELS cmd completes with an error and +- * the node does not have RPI registered, the node is +- * outstanding and should put its initial reference. +- */ +- if ((cmd == ELS_CMD_SCR || cmd == ELS_CMD_RDF) && +- !(ndlp->fc4_xpt_flags & SCSI_XPT_REGD) && +- !test_and_set_bit(NLP_DROPPED, &ndlp->nlp_flag)) +- lpfc_nlp_put(ndlp); + goto out; + } + +@@ -3473,7 +3463,6 @@ lpfc_issue_els_scr(struct lpfc_vport *vport, uint8_t retry) + uint8_t *pcmd; + uint16_t cmdsize; + struct lpfc_nodelist *ndlp; +- bool node_created = false; + + cmdsize = (sizeof(uint32_t) + sizeof(SCR)); + +@@ -3483,21 +3472,21 @@ lpfc_issue_els_scr(struct lpfc_vport *vport, uint8_t retry) + if (!ndlp) + return 1; + lpfc_enqueue_node(vport, ndlp); +- node_created = true; + } + + elsiocb = lpfc_prep_els_iocb(vport, 1, cmdsize, retry, ndlp, + ndlp->nlp_DID, ELS_CMD_SCR); + if (!elsiocb) +- goto out_node_created; ++ return 1; + + if (phba->sli_rev == LPFC_SLI_REV4) { + rc = lpfc_reg_fab_ctrl_node(vport, ndlp); + if (rc) { ++ lpfc_els_free_iocb(phba, elsiocb); + lpfc_printf_vlog(vport, KERN_ERR, LOG_NODE, + "0937 %s: Failed to reg fc node, rc %d\n", + __func__, rc); +- goto out_free_iocb; ++ return 1; + } + } + pcmd = (uint8_t *)elsiocb->cmd_dmabuf->virt; +@@ -3516,27 +3505,23 @@ lpfc_issue_els_scr(struct lpfc_vport *vport, uint8_t retry) + phba->fc_stat.elsXmitSCR++; + elsiocb->cmd_cmpl = lpfc_cmpl_els_disc_cmd; + elsiocb->ndlp = lpfc_nlp_get(ndlp); +- if (!elsiocb->ndlp) +- goto out_free_iocb; ++ if (!elsiocb->ndlp) { ++ lpfc_els_free_iocb(phba, elsiocb); ++ return 1; ++ } + + lpfc_debugfs_disc_trc(vport, LPFC_DISC_TRC_ELS_CMD, + "Issue SCR: did:x%x refcnt %d", + ndlp->nlp_DID, kref_read(&ndlp->kref), 0); + + rc = lpfc_sli_issue_iocb(phba, LPFC_ELS_RING, elsiocb, 0); +- if (rc == IOCB_ERROR) +- goto out_iocb_error; ++ if (rc == IOCB_ERROR) { ++ lpfc_els_free_iocb(phba, elsiocb); ++ lpfc_nlp_put(ndlp); ++ return 1; ++ } + + return 0; +- +-out_iocb_error: +- lpfc_nlp_put(ndlp); +-out_free_iocb: +- lpfc_els_free_iocb(phba, elsiocb); +-out_node_created: +- if (node_created) +- lpfc_nlp_put(ndlp); +- return 1; + } + + /** +@@ -3749,12 +3734,7 @@ lpfc_issue_els_farpr(struct lpfc_vport *vport, uint32_t nportid, uint8_t retry) + * + * Return code + * 0 - Successfully issued rdf command +- * < 0 - Failed to issue rdf command +- * -EACCES - RDF not required for NPIV_PORT +- * -ENODEV - No fabric controller device available +- * -ENOMEM - No available memory +- * -EIO - The mailbox failed to complete successfully. +- * ++ * 1 - Failed to issue rdf command + **/ + int + lpfc_issue_els_rdf(struct lpfc_vport *vport, uint8_t retry) +@@ -3765,30 +3745,25 @@ lpfc_issue_els_rdf(struct lpfc_vport *vport, uint8_t retry) + struct lpfc_nodelist *ndlp; + uint16_t cmdsize; + int rc; +- bool node_created = false; +- int err; + + cmdsize = sizeof(*prdf); + +- /* RDF ELS is not required on an NPIV VN_Port. */ +- if (vport->port_type == LPFC_NPIV_PORT) +- return -EACCES; +- + ndlp = lpfc_findnode_did(vport, Fabric_Cntl_DID); + if (!ndlp) { + ndlp = lpfc_nlp_init(vport, Fabric_Cntl_DID); + if (!ndlp) + return -ENODEV; + lpfc_enqueue_node(vport, ndlp); +- node_created = true; + } + ++ /* RDF ELS is not required on an NPIV VN_Port. */ ++ if (vport->port_type == LPFC_NPIV_PORT) ++ return -EACCES; ++ + elsiocb = lpfc_prep_els_iocb(vport, 1, cmdsize, retry, ndlp, + ndlp->nlp_DID, ELS_CMD_RDF); +- if (!elsiocb) { +- err = -ENOMEM; +- goto out_node_created; +- } ++ if (!elsiocb) ++ return -ENOMEM; + + /* Configure the payload for the supported FPIN events. */ + prdf = (struct lpfc_els_rdf_req *)elsiocb->cmd_dmabuf->virt; +@@ -3814,8 +3789,8 @@ lpfc_issue_els_rdf(struct lpfc_vport *vport, uint8_t retry) + elsiocb->cmd_cmpl = lpfc_cmpl_els_disc_cmd; + elsiocb->ndlp = lpfc_nlp_get(ndlp); + if (!elsiocb->ndlp) { +- err = -EIO; +- goto out_free_iocb; ++ lpfc_els_free_iocb(phba, elsiocb); ++ return -EIO; + } + + lpfc_debugfs_disc_trc(vport, LPFC_DISC_TRC_ELS_CMD, +@@ -3824,19 +3799,11 @@ lpfc_issue_els_rdf(struct lpfc_vport *vport, uint8_t retry) + + rc = lpfc_sli_issue_iocb(phba, LPFC_ELS_RING, elsiocb, 0); + if (rc == IOCB_ERROR) { +- err = -EIO; +- goto out_iocb_error; ++ lpfc_els_free_iocb(phba, elsiocb); ++ lpfc_nlp_put(ndlp); ++ return -EIO; + } + return 0; +- +-out_iocb_error: +- lpfc_nlp_put(ndlp); +-out_free_iocb: +- lpfc_els_free_iocb(phba, elsiocb); +-out_node_created: +- if (node_created) +- lpfc_nlp_put(ndlp); +- return err; + } + + /** +@@ -3857,23 +3824,19 @@ static int + lpfc_els_rcv_rdf(struct lpfc_vport *vport, struct lpfc_iocbq *cmdiocb, + struct lpfc_nodelist *ndlp) + { +- int rc; +- +- rc = lpfc_els_rsp_acc(vport, ELS_CMD_RDF, cmdiocb, ndlp, NULL); + /* Send LS_ACC */ +- if (rc) { ++ if (lpfc_els_rsp_acc(vport, ELS_CMD_RDF, cmdiocb, ndlp, NULL)) { + lpfc_printf_vlog(vport, KERN_INFO, LOG_ELS | LOG_CGN_MGMT, +- "1623 Failed to RDF_ACC from x%x for x%x Data: %d\n", +- ndlp->nlp_DID, vport->fc_myDID, rc); ++ "1623 Failed to RDF_ACC from x%x for x%x\n", ++ ndlp->nlp_DID, vport->fc_myDID); + return -EIO; + } + +- rc = lpfc_issue_els_rdf(vport, 0); + /* Issue new RDF for reregistering */ +- if (rc) { ++ if (lpfc_issue_els_rdf(vport, 0)) { + lpfc_printf_vlog(vport, KERN_INFO, LOG_ELS | LOG_CGN_MGMT, +- "2623 Failed to re register RDF for x%x Data: %d\n", +- vport->fc_myDID, rc); ++ "2623 Failed to re register RDF for x%x\n", ++ vport->fc_myDID); + return -EIO; + } + +diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c +index f9682ad0b888..e4f627eeb707 100644 +--- a/drivers/scsi/lpfc/lpfc_init.c ++++ b/drivers/scsi/lpfc/lpfc_init.c +@@ -3057,6 +3057,12 @@ lpfc_cleanup(struct lpfc_vport *vport) + lpfc_vmid_vport_cleanup(vport); + + list_for_each_entry_safe(ndlp, next_ndlp, &vport->fc_nodes, nlp_listp) { ++ if (ndlp->nlp_DID == Fabric_Cntl_DID && ++ ndlp->nlp_state == NLP_STE_UNUSED_NODE) { ++ lpfc_nlp_put(ndlp); ++ continue; ++ } ++ + /* Fabric Ports not in UNMAPPED state are cleaned up in the + * DEVICE_RM event. + */ diff --git a/1171-revert-scsi-lpfc-fix-leaked-ndlp-krefs-when-in-point-to-poin.patch b/1171-revert-scsi-lpfc-fix-leaked-ndlp-krefs-when-in-point-to-poin.patch new file mode 100644 index 000000000..256d33ea2 --- /dev/null +++ b/1171-revert-scsi-lpfc-fix-leaked-ndlp-krefs-when-in-point-to-poin.patch @@ -0,0 +1,166 @@ +Subject: [PATCH] Revert "scsi: lpfc: Fix leaked ndlp krefs when in point-to-point topology" +# reverse of cs10 6613865f84be09ec32bee8199827f6bc7f9a36b8 + +diff --git a/drivers/scsi/lpfc/lpfc.h b/drivers/scsi/lpfc/lpfc.h +index ad8f5dee23a3..a3d1ba92c07c 100644 +--- a/drivers/scsi/lpfc/lpfc.h ++++ b/drivers/scsi/lpfc/lpfc.h +@@ -312,6 +312,7 @@ struct lpfc_defer_flogi_acc { + u16 rx_id; + u16 ox_id; + struct lpfc_nodelist *ndlp; ++ + }; + + #define LPFC_VMID_TIMER 300 /* timer interval in seconds */ +diff --git a/drivers/scsi/lpfc/lpfc_disc.h b/drivers/scsi/lpfc/lpfc_disc.h +index 51cb8571c049..3d47dc7458d1 100644 +--- a/drivers/scsi/lpfc/lpfc_disc.h ++++ b/drivers/scsi/lpfc/lpfc_disc.h +@@ -1,7 +1,7 @@ + /******************************************************************* + * This file is part of the Emulex Linux Device Driver for * + * Fibre Channel Host Bus Adapters. * +- * Copyright (C) 2017-2025 Broadcom. All Rights Reserved. The term * ++ * Copyright (C) 2017-2024 Broadcom. All Rights Reserved. The term * + * “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. * + * Copyright (C) 2004-2013 Emulex. All rights reserved. * + * EMULEX and SLI are trademarks of Emulex. * +@@ -208,7 +208,6 @@ enum lpfc_nlp_flag { + NPR list */ + NLP_RM_DFLT_RPI = 26, /* need to remove leftover dflt RPI */ + NLP_NODEV_REMOVE = 27, /* Defer removal till discovery ends */ +- NLP_FLOGI_DFR_ACC = 28, /* FLOGI LS_ACC was Deferred */ + NLP_SC_REQ = 29, /* Target requires authentication */ + NLP_FIRSTBURST = 30, /* Target supports FirstBurst */ + NLP_RPI_REGISTERED = 31 /* nlp_rpi is valid */ +diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c +index fea93a585fc9..79688e12bae2 100644 +--- a/drivers/scsi/lpfc/lpfc_els.c ++++ b/drivers/scsi/lpfc/lpfc_els.c +@@ -1413,12 +1413,11 @@ lpfc_issue_els_flogi(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp, + phba->defer_flogi_acc.ox_id; + } + +- /* The LS_ACC completion needs to drop the initial reference. +- * This is a special case for Pt2Pt because both FLOGIs need +- * to complete and lpfc defers the LS_ACC when the remote +- * FLOGI arrives before the driver's FLOGI. +- */ +- set_bit(NLP_FLOGI_DFR_ACC, &ndlp->nlp_flag); ++ lpfc_printf_vlog(vport, KERN_INFO, LOG_ELS, ++ "3354 Xmit deferred FLOGI ACC: rx_id: x%x," ++ " ox_id: x%x, hba_flag x%lx\n", ++ phba->defer_flogi_acc.rx_id, ++ phba->defer_flogi_acc.ox_id, phba->hba_flag); + + /* Send deferred FLOGI ACC */ + lpfc_els_rsp_acc(vport, ELS_CMD_FLOGI, &defer_flogi_acc, +@@ -1434,14 +1433,6 @@ lpfc_issue_els_flogi(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp, + phba->defer_flogi_acc.ndlp = NULL; + } + +- lpfc_printf_vlog(vport, KERN_INFO, LOG_ELS, +- "3354 Xmit deferred FLOGI ACC: rx_id: x%x," +- " ox_id: x%x, ndlp x%px hba_flag x%lx\n", +- phba->defer_flogi_acc.rx_id, +- phba->defer_flogi_acc.ox_id, +- phba->defer_flogi_acc.ndlp, +- phba->hba_flag); +- + vport->fc_myDID = did; + } + +@@ -5310,12 +5301,11 @@ lpfc_cmpl_els_rsp(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb, + IOCB_t *irsp; + LPFC_MBOXQ_t *mbox = NULL; + u32 ulp_status, ulp_word4, tmo, did, iotag; +- u32 cmd; + + if (!vport) { + lpfc_printf_log(phba, KERN_WARNING, LOG_ELS, + "3177 null vport in ELS rsp\n"); +- goto release; ++ goto out; + } + if (cmdiocb->context_un.mbox) + mbox = cmdiocb->context_un.mbox; +@@ -5425,7 +5415,7 @@ lpfc_cmpl_els_rsp(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb, + * these conditions because it doesn't need the login. + */ + if (phba->sli_rev == LPFC_SLI_REV4 && +- vport->port_type == LPFC_NPIV_PORT && ++ vport && vport->port_type == LPFC_NPIV_PORT && + !(ndlp->fc4_xpt_flags & SCSI_XPT_REGD)) { + if (ndlp->nlp_state != NLP_STE_PLOGI_ISSUE && + ndlp->nlp_state != NLP_STE_REG_LOGIN_ISSUE && +@@ -5441,27 +5431,6 @@ lpfc_cmpl_els_rsp(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb, + } + } + +- /* The driver's unsolicited deferred FLOGI ACC in Pt2Pt needs to +- * release the initial reference because the put after the free_iocb +- * call removes only the reference from the defer logic. This FLOGI +- * is never registered with the SCSI transport. +- */ +- if (test_bit(FC_PT2PT, &vport->fc_flag) && +- test_and_clear_bit(NLP_FLOGI_DFR_ACC, &ndlp->nlp_flag)) { +- lpfc_printf_vlog(vport, KERN_INFO, +- LOG_ELS | LOG_NODE | LOG_DISCOVERY, +- "3357 Pt2Pt Defer FLOGI ACC ndlp x%px, " +- "nflags x%lx, fc_flag x%lx\n", +- ndlp, ndlp->nlp_flag, +- vport->fc_flag); +- cmd = *((u32 *)cmdiocb->cmd_dmabuf->virt); +- if (cmd == ELS_CMD_ACC) { +- if (!test_and_set_bit(NLP_DROPPED, &ndlp->nlp_flag)) +- lpfc_nlp_put(ndlp); +- } +- } +- +-release: + /* Release the originating I/O reference. */ + lpfc_els_free_iocb(phba, cmdiocb); + lpfc_nlp_put(ndlp); +@@ -8430,6 +8399,13 @@ lpfc_els_rcv_flogi(struct lpfc_vport *vport, struct lpfc_iocbq *cmdiocb, + &wqe->xmit_els_rsp.wqe_com); + + vport->fc_myDID = did; ++ ++ lpfc_printf_vlog(vport, KERN_INFO, LOG_ELS, ++ "3344 Deferring FLOGI ACC: rx_id: x%x," ++ " ox_id: x%x, hba_flag x%lx\n", ++ phba->defer_flogi_acc.rx_id, ++ phba->defer_flogi_acc.ox_id, phba->hba_flag); ++ + phba->defer_flogi_acc.flag = true; + + /* This nlp_get is paired with nlp_puts that reset the +@@ -8438,14 +8414,6 @@ lpfc_els_rcv_flogi(struct lpfc_vport *vport, struct lpfc_iocbq *cmdiocb, + * processed or cancelled. + */ + phba->defer_flogi_acc.ndlp = lpfc_nlp_get(ndlp); +- +- lpfc_printf_vlog(vport, KERN_INFO, LOG_ELS, +- "3344 Deferring FLOGI ACC: rx_id: x%x," +- " ox_id: x%x, ndlp x%px, hba_flag x%lx\n", +- phba->defer_flogi_acc.rx_id, +- phba->defer_flogi_acc.ox_id, +- phba->defer_flogi_acc.ndlp, +- phba->hba_flag); + return 0; + } + +@@ -10386,8 +10354,11 @@ lpfc_els_unsol_buffer(struct lpfc_hba *phba, struct lpfc_sli_ring *pring, + * Do not process any unsolicited ELS commands + * if the ndlp is in DEV_LOSS + */ +- if (test_bit(NLP_IN_DEV_LOSS, &ndlp->nlp_flag)) ++ if (test_bit(NLP_IN_DEV_LOSS, &ndlp->nlp_flag)) { ++ if (newnode) ++ lpfc_nlp_put(ndlp); + goto dropit; ++ } + + elsiocb->ndlp = lpfc_nlp_get(ndlp); + if (!elsiocb->ndlp) diff --git a/1172-revert-scsi-lpfc-ensure-unregistration-of-rpis-for-received-.patch b/1172-revert-scsi-lpfc-ensure-unregistration-of-rpis-for-received-.patch new file mode 100644 index 000000000..55c1e865e --- /dev/null +++ b/1172-revert-scsi-lpfc-ensure-unregistration-of-rpis-for-received-.patch @@ -0,0 +1,51 @@ +Subject: [PATCH] Revert "scsi: lpfc: Ensure unregistration of rpis for received PLOGIs" +# reverse of cs10 f695221fbfe2235768a0d33cce97523eb1d12399 + +diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c +index 79688e12bae2..458b46374189 100644 +--- a/drivers/scsi/lpfc/lpfc_els.c ++++ b/drivers/scsi/lpfc/lpfc_els.c +@@ -3263,7 +3263,7 @@ lpfc_reg_fab_ctrl_node(struct lpfc_vport *vport, struct lpfc_nodelist *fc_ndlp) + return -ENOMEM; + } + rc = lpfc_reg_rpi(phba, vport->vpi, fc_ndlp->nlp_DID, +- (u8 *)&ns_ndlp->fc_sparam, mbox, fc_ndlp->nlp_rpi); ++ (u8 *)&vport->fc_sparam, mbox, fc_ndlp->nlp_rpi); + if (rc) { + rc = -EACCES; + goto out; +diff --git a/drivers/scsi/lpfc/lpfc_nportdisc.c b/drivers/scsi/lpfc/lpfc_nportdisc.c +index e16370da3e45..99aefc54ac35 100644 +--- a/drivers/scsi/lpfc/lpfc_nportdisc.c ++++ b/drivers/scsi/lpfc/lpfc_nportdisc.c +@@ -452,7 +452,18 @@ lpfc_rcv_plogi(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp, + */ + if (!(ndlp->nlp_type & NLP_FABRIC) && + !(phba->nvmet_support)) { +- break; ++ /* Clear ndlp info, since follow up PRLI may have ++ * updated ndlp information ++ */ ++ ndlp->nlp_type &= ~(NLP_FCP_TARGET | NLP_FCP_INITIATOR); ++ ndlp->nlp_type &= ~(NLP_NVME_TARGET | NLP_NVME_INITIATOR); ++ ndlp->nlp_fcp_info &= ~NLP_FCP_2_DEVICE; ++ ndlp->nlp_nvme_info &= ~NLP_NVME_NSLER; ++ clear_bit(NLP_FIRSTBURST, &ndlp->nlp_flag); ++ ++ lpfc_els_rsp_acc(vport, ELS_CMD_PLOGI, cmdiocb, ++ ndlp, NULL); ++ return 1; + } + if (nlp_portwwn != 0 && + nlp_portwwn != wwn_to_u64(sp->portName.u.wwn)) +@@ -474,9 +485,7 @@ lpfc_rcv_plogi(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp, + lpfc_nlp_set_state(vport, ndlp, NLP_STE_NPR_NODE); + break; + } +- /* Clear ndlp info, since follow up processes may have +- * updated ndlp information +- */ ++ + ndlp->nlp_type &= ~(NLP_FCP_TARGET | NLP_FCP_INITIATOR); + ndlp->nlp_type &= ~(NLP_NVME_TARGET | NLP_NVME_INITIATOR); + ndlp->nlp_fcp_info &= ~NLP_FCP_2_DEVICE; diff --git a/1173-revert-scsi-lpfc-remove-redundant-null-ptr-assignment-in-lpf.patch b/1173-revert-scsi-lpfc-remove-redundant-null-ptr-assignment-in-lpf.patch new file mode 100644 index 000000000..8578ebaf4 --- /dev/null +++ b/1173-revert-scsi-lpfc-remove-redundant-null-ptr-assignment-in-lpf.patch @@ -0,0 +1,22 @@ +Subject: [PATCH] Revert "scsi: lpfc: Remove redundant NULL ptr assignment in lpfc_els_free_iocb()" +# reverse of cs10 834ef5ff877b17409e754a04a433e05441938a3d + +diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c +index 458b46374189..073c4c69d646 100644 +--- a/drivers/scsi/lpfc/lpfc_els.c ++++ b/drivers/scsi/lpfc/lpfc_els.c +@@ -5158,12 +5158,14 @@ lpfc_els_free_iocb(struct lpfc_hba *phba, struct lpfc_iocbq *elsiocb) + } else { + buf_ptr1 = elsiocb->cmd_dmabuf; + lpfc_els_free_data(phba, buf_ptr1); ++ elsiocb->cmd_dmabuf = NULL; + } + } + + if (elsiocb->bpl_dmabuf) { + buf_ptr = elsiocb->bpl_dmabuf; + lpfc_els_free_bpl(phba, buf_ptr); ++ elsiocb->bpl_dmabuf = NULL; + } + lpfc_sli_release_iocbq(phba, elsiocb); + return 0; diff --git a/1174-revert-scsi-lpfc-revise-discovery-related-function-headers-a.patch b/1174-revert-scsi-lpfc-revise-discovery-related-function-headers-a.patch new file mode 100644 index 000000000..2758a4138 --- /dev/null +++ b/1174-revert-scsi-lpfc-revise-discovery-related-function-headers-a.patch @@ -0,0 +1,104 @@ +Subject: [PATCH] Revert "scsi: lpfc: Revise discovery related function headers and comments" +# reverse of cs10 5e8d3ec786a04644f14f881e4017a450c305f786 + +diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c +index 073c4c69d646..f9a08704b78e 100644 +--- a/drivers/scsi/lpfc/lpfc_els.c ++++ b/drivers/scsi/lpfc/lpfc_els.c +@@ -3024,7 +3024,6 @@ lpfc_cmpl_els_logo(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb, + ndlp->nlp_DID, ulp_status, + ulp_word4); + +- /* Call NLP_EVT_DEVICE_RM if link is down or LOGO is aborted */ + if (lpfc_error_lost_link(vport, ulp_status, ulp_word4)) + skip_recovery = 1; + } +@@ -3307,8 +3306,7 @@ lpfc_reg_fab_ctrl_node(struct lpfc_vport *vport, struct lpfc_nodelist *fc_ndlp) + * + * This routine is a generic completion callback function for Discovery ELS cmd. + * Currently used by the ELS command issuing routines for the ELS State Change +- * Request (SCR), lpfc_issue_els_scr(), Exchange Diagnostic Capabilities (EDC), +- * lpfc_issue_els_edc() and the ELS RDF, lpfc_issue_els_rdf(). ++ * Request (SCR), lpfc_issue_els_scr() and the ELS RDF, lpfc_issue_els_rdf(). + * These commands will be retried once only for ELS timeout errors. + **/ + static void +@@ -3707,7 +3705,10 @@ lpfc_issue_els_farpr(struct lpfc_vport *vport, uint32_t nportid, uint8_t retry) + lpfc_nlp_put(ndlp); + return 1; + } +- ++ /* This will cause the callback-function lpfc_cmpl_els_cmd to ++ * trigger the release of the node. ++ */ ++ /* Don't release reference count as RDF is likely outstanding */ + return 0; + } + +@@ -4298,7 +4299,7 @@ lpfc_issue_els_edc(struct lpfc_vport *vport, uint8_t retry) + rc = lpfc_sli_issue_iocb(phba, LPFC_ELS_RING, elsiocb, 0); + if (rc == IOCB_ERROR) { + /* The additional lpfc_nlp_put will cause the following +- * lpfc_els_free_iocb routine to trigger the release of ++ * lpfc_els_free_iocb routine to trigger the rlease of + * the node. + */ + lpfc_els_free_iocb(phba, elsiocb); +@@ -5125,7 +5126,7 @@ lpfc_els_free_iocb(struct lpfc_hba *phba, struct lpfc_iocbq *elsiocb) + { + struct lpfc_dmabuf *buf_ptr, *buf_ptr1; + +- /* The I/O iocb is complete. Clear the node and first dmabuf */ ++ /* The I/O iocb is complete. Clear the node and first dmbuf */ + elsiocb->ndlp = NULL; + + /* cmd_dmabuf = cmd, cmd_dmabuf->next = rsp, bpl_dmabuf = bpl */ +@@ -8733,7 +8734,7 @@ lpfc_els_rcv_rls(struct lpfc_vport *vport, struct lpfc_iocbq *cmdiocb, + * @cmdiocb: pointer to lpfc command iocb data structure. + * @ndlp: pointer to a node-list data structure. + * +- * This routine processes Read Timeout Value (RTV) IOCB received as an ++ * This routine processes Read Timout Value (RTV) IOCB received as an + * ELS unsolicited event. It first checks the remote port state. If the + * remote port is not in NLP_STE_UNMAPPED_NODE state or NLP_STE_MAPPED_NODE + * state, it invokes the lpfc_els_rsl_reject() routine to send the reject +@@ -10842,7 +10843,7 @@ lpfc_els_unsol_event(struct lpfc_hba *phba, struct lpfc_sli_ring *pring, + lpfc_els_unsol_buffer(phba, pring, vport, elsiocb); + /* + * The different unsolicited event handlers would tell us +- * if they are done with "mp" by setting cmd_dmabuf/bpl_dmabuf to NULL. ++ * if they are done with "mp" by setting cmd_dmabuf to NULL. + */ + if (elsiocb->cmd_dmabuf) { + lpfc_in_buf_free(phba, elsiocb->cmd_dmabuf); +diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c +index 8b9fcd9c0d36..08d16552c4b7 100644 +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -19857,15 +19857,13 @@ lpfc_sli4_remove_rpis(struct lpfc_hba *phba) + } + + /** +- * lpfc_sli4_resume_rpi - Resume traffic relative to an RPI ++ * lpfc_sli4_resume_rpi - Remove the rpi bitmask region + * @ndlp: pointer to lpfc nodelist data structure. + * @cmpl: completion call-back. + * @iocbq: data to load as mbox ctx_u information + * +- * Return codes +- * 0 - successful +- * -ENOMEM - No available memory +- * -EIO - The mailbox failed to complete successfully. ++ * This routine is invoked to remove the memory region that ++ * provided rpi via a bitmask. + **/ + int + lpfc_sli4_resume_rpi(struct lpfc_nodelist *ndlp, +@@ -19895,6 +19893,7 @@ lpfc_sli4_resume_rpi(struct lpfc_nodelist *ndlp, + return -EIO; + } + ++ /* Post all rpi memory regions to the port. */ + lpfc_resume_rpi(mboxq, ndlp); + if (cmpl) { + mboxq->mbox_cmpl = cmpl; diff --git a/1175-revert-scsi-lpfc-update-various-npiv-diagnostic-log-messagin.patch b/1175-revert-scsi-lpfc-update-various-npiv-diagnostic-log-messagin.patch new file mode 100644 index 000000000..6ddf56e66 --- /dev/null +++ b/1175-revert-scsi-lpfc-update-various-npiv-diagnostic-log-messagin.patch @@ -0,0 +1,44 @@ +Subject: [PATCH] Revert "scsi: lpfc: Update various NPIV diagnostic log messaging" +# reverse of cs10 a4b8d188c3e27a0335f85a2cfb877d3f684df5c9 + +diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c +index f9a08704b78e..9a20a08f4bd9 100644 +--- a/drivers/scsi/lpfc/lpfc_els.c ++++ b/drivers/scsi/lpfc/lpfc_els.c +@@ -2367,7 +2367,7 @@ lpfc_cmpl_els_prli(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb, + mode = KERN_INFO; + + /* Warn PRLI status */ +- lpfc_vlog_msg(vport, mode, LOG_ELS, ++ lpfc_printf_vlog(vport, mode, LOG_ELS, + "2754 PRLI DID:%06X Status:x%x/x%x, " + "data: x%x x%x x%lx\n", + ndlp->nlp_DID, ulp_status, +@@ -3597,8 +3597,8 @@ lpfc_issue_els_rscn(struct lpfc_vport *vport, uint8_t retry) + } + + lpfc_debugfs_disc_trc(vport, LPFC_DISC_TRC_ELS_CMD, +- "Issue RSCN: did:x%x refcnt %d", +- ndlp->nlp_DID, kref_read(&ndlp->kref), 0); ++ "Issue RSCN: did:x%x", ++ ndlp->nlp_DID, 0, 0); + + rc = lpfc_sli_issue_iocb(phba, LPFC_ELS_RING, elsiocb, 0); + if (rc == IOCB_ERROR) { +diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c +index e4f627eeb707..fd4317b9484c 100644 +--- a/drivers/scsi/lpfc/lpfc_init.c ++++ b/drivers/scsi/lpfc/lpfc_init.c +@@ -9082,9 +9082,9 @@ lpfc_setup_fdmi_mask(struct lpfc_vport *vport) + vport->fdmi_port_mask = LPFC_FDMI2_PORT_ATTR; + } + +- lpfc_printf_vlog(vport, KERN_INFO, LOG_DISCOVERY, +- "6077 Setup FDMI mask: hba x%x port x%x\n", +- vport->fdmi_hba_mask, vport->fdmi_port_mask); ++ lpfc_printf_log(phba, KERN_INFO, LOG_DISCOVERY, ++ "6077 Setup FDMI mask: hba x%x port x%x\n", ++ vport->fdmi_hba_mask, vport->fdmi_port_mask); + } + + /** diff --git a/1176-revert-scsi-lpfc-copyright-updates-for-14-4-0-11-patches.patch b/1176-revert-scsi-lpfc-copyright-updates-for-14-4-0-11-patches.patch new file mode 100644 index 000000000..3bd8566f1 --- /dev/null +++ b/1176-revert-scsi-lpfc-copyright-updates-for-14-4-0-11-patches.patch @@ -0,0 +1,55 @@ +Subject: [PATCH] Revert "scsi: lpfc: Copyright updates for 14.4.0.11 patches" +# reverse of cs10 80c5e57a6da70af590e98e8e30455e83bd70d3a2 + +diff --git a/drivers/scsi/lpfc/lpfc.h b/drivers/scsi/lpfc/lpfc.h +index a3d1ba92c07c..426a0e8d5731 100644 +--- a/drivers/scsi/lpfc/lpfc.h ++++ b/drivers/scsi/lpfc/lpfc.h +@@ -1,7 +1,7 @@ + /******************************************************************* + * This file is part of the Emulex Linux Device Driver for * + * Fibre Channel Host Bus Adapters. * +- * Copyright (C) 2017-2025 Broadcom. All Rights Reserved. The term * ++ * Copyright (C) 2017-2024 Broadcom. All Rights Reserved. The term * + * “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. * + * Copyright (C) 2004-2016 Emulex. All rights reserved. * + * EMULEX and SLI are trademarks of Emulex. * +diff --git a/drivers/scsi/lpfc/lpfc_debugfs.h b/drivers/scsi/lpfc/lpfc_debugfs.h +index a1464f8ac331..566dd84e0677 100644 +--- a/drivers/scsi/lpfc/lpfc_debugfs.h ++++ b/drivers/scsi/lpfc/lpfc_debugfs.h +@@ -1,7 +1,7 @@ + /******************************************************************* + * This file is part of the Emulex Linux Device Driver for * + * Fibre Channel Host Bus Adapters. * +- * Copyright (C) 2017-2025 Broadcom. All Rights Reserved. The term * ++ * Copyright (C) 2017-2022 Broadcom. All Rights Reserved. The term * + * “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. * + * Copyright (C) 2007-2011 Emulex. All rights reserved. * + * EMULEX and SLI are trademarks of Emulex. * +diff --git a/drivers/scsi/lpfc/lpfc_hw.h b/drivers/scsi/lpfc/lpfc_hw.h +index 3bc0efa7453e..b287d39ad033 100644 +--- a/drivers/scsi/lpfc/lpfc_hw.h ++++ b/drivers/scsi/lpfc/lpfc_hw.h +@@ -1,7 +1,7 @@ + /******************************************************************* + * This file is part of the Emulex Linux Device Driver for * + * Fibre Channel Host Bus Adapters. * +- * Copyright (C) 2017-2025 Broadcom. All Rights Reserved. The term * ++ * Copyright (C) 2017-2024 Broadcom. All Rights Reserved. The term * + * “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. * + * Copyright (C) 2004-2016 Emulex. All rights reserved. * + * EMULEX and SLI are trademarks of Emulex. * +diff --git a/drivers/scsi/lpfc/lpfc_nportdisc.c b/drivers/scsi/lpfc/lpfc_nportdisc.c +index 99aefc54ac35..1e331b76dff4 100644 +--- a/drivers/scsi/lpfc/lpfc_nportdisc.c ++++ b/drivers/scsi/lpfc/lpfc_nportdisc.c +@@ -1,7 +1,7 @@ + /******************************************************************* + * This file is part of the Emulex Linux Device Driver for * + * Fibre Channel Host Bus Adapters. * +- * Copyright (C) 2017-2025 Broadcom. All Rights Reserved. The term * ++ * Copyright (C) 2017-2024 Broadcom. All Rights Reserved. The term * + * “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. * + * Copyright (C) 2004-2016 Emulex. All rights reserved. * + * EMULEX and SLI are trademarks of Emulex. * diff --git a/1177-revert-scsi-lpfc-update-lpfc-version-to-14-4-0-11.patch b/1177-revert-scsi-lpfc-update-lpfc-version-to-14-4-0-11.patch new file mode 100644 index 000000000..8e3c38dcf --- /dev/null +++ b/1177-revert-scsi-lpfc-update-lpfc-version-to-14-4-0-11.patch @@ -0,0 +1,16 @@ +Subject: [PATCH] Revert "scsi: lpfc: Update lpfc version to 14.4.0.11" +# reverse of cs10 a34163398eef02a5c95e52c2be3e2025799273e7 + +diff --git a/drivers/scsi/lpfc/lpfc_version.h b/drivers/scsi/lpfc/lpfc_version.h +index 31c3c5abdca6..9ee3a3a4ec4d 100644 +--- a/drivers/scsi/lpfc/lpfc_version.h ++++ b/drivers/scsi/lpfc/lpfc_version.h +@@ -20,7 +20,7 @@ + * included with this package. * + *******************************************************************/ + +-#define LPFC_DRIVER_VERSION "14.4.0.11" ++#define LPFC_DRIVER_VERSION "14.4.0.10" + #define LPFC_DRIVER_NAME "lpfc" + + /* Used for SLI 2/3 */ diff --git a/1178-revert-scsi-lpfc-convert-debugfs-directory-counts-from-atomi.patch b/1178-revert-scsi-lpfc-convert-debugfs-directory-counts-from-atomi.patch new file mode 100644 index 000000000..726fa6845 --- /dev/null +++ b/1178-revert-scsi-lpfc-convert-debugfs-directory-counts-from-atomi.patch @@ -0,0 +1,89 @@ +Subject: [PATCH] Revert "scsi: lpfc: Convert debugfs directory counts from atomic to unsigned int" +# reverse of cs10 91f7d8fdec311ec1d75aa4cc8d76ffd65da74689 + +diff --git a/drivers/scsi/lpfc/lpfc.h b/drivers/scsi/lpfc/lpfc.h +index 426a0e8d5731..1293d145b94e 100644 +--- a/drivers/scsi/lpfc/lpfc.h ++++ b/drivers/scsi/lpfc/lpfc.h +@@ -1333,7 +1333,7 @@ struct lpfc_hba { + unsigned long last_ramp_down_time; + #ifdef CONFIG_SCSI_LPFC_DEBUG_FS + struct dentry *hba_debugfs_root; +- unsigned int debugfs_vport_count; ++ atomic_t debugfs_vport_count; + + struct lpfc_debugfs_nvmeio_trc *nvmeio_trc; + atomic_t nvmeio_trc_cnt; +diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c +index 92b5b2dbe847..eaedbaff5a78 100644 +--- a/drivers/scsi/lpfc/lpfc_debugfs.c ++++ b/drivers/scsi/lpfc/lpfc_debugfs.c +@@ -5752,7 +5752,7 @@ static const struct file_operations lpfc_debugfs_op_slow_ring_trc = { + }; + + static struct dentry *lpfc_debugfs_root = NULL; +-static unsigned int lpfc_debugfs_hba_count; ++static atomic_t lpfc_debugfs_hba_count; + + /* + * File operations for the iDiag debugfs +@@ -6074,7 +6074,7 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport) + /* Setup lpfc root directory */ + if (!lpfc_debugfs_root) { + lpfc_debugfs_root = debugfs_create_dir("lpfc", NULL); +- lpfc_debugfs_hba_count = 0; ++ atomic_set(&lpfc_debugfs_hba_count, 0); + if (IS_ERR(lpfc_debugfs_root)) { + lpfc_vlog_msg(vport, KERN_WARNING, LOG_INIT, + "0527 Cannot create debugfs lpfc\n"); +@@ -6090,13 +6090,13 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport) + pport_setup = true; + phba->hba_debugfs_root = + debugfs_create_dir(name, lpfc_debugfs_root); +- phba->debugfs_vport_count = 0; ++ atomic_set(&phba->debugfs_vport_count, 0); + if (IS_ERR(phba->hba_debugfs_root)) { + lpfc_vlog_msg(vport, KERN_WARNING, LOG_INIT, + "0528 Cannot create debugfs %s\n", name); + return; + } +- lpfc_debugfs_hba_count++; ++ atomic_inc(&lpfc_debugfs_hba_count); + + /* Multi-XRI pools */ + debugfs_create_file("multixripools", 0644, +@@ -6268,7 +6268,7 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport) + "0529 Cannot create debugfs %s\n", name); + return; + } +- phba->debugfs_vport_count++; ++ atomic_inc(&phba->debugfs_vport_count); + } + + if (lpfc_debugfs_max_disc_trc) { +@@ -6402,10 +6402,10 @@ lpfc_debugfs_terminate(struct lpfc_vport *vport) + if (vport->vport_debugfs_root) { + debugfs_remove(vport->vport_debugfs_root); /* vportX */ + vport->vport_debugfs_root = NULL; +- phba->debugfs_vport_count--; ++ atomic_dec(&phba->debugfs_vport_count); + } + +- if (!phba->debugfs_vport_count) { ++ if (atomic_read(&phba->debugfs_vport_count) == 0) { + kfree(phba->slow_ring_trc); + phba->slow_ring_trc = NULL; + +@@ -6415,10 +6415,10 @@ lpfc_debugfs_terminate(struct lpfc_vport *vport) + if (phba->hba_debugfs_root) { + debugfs_remove(phba->hba_debugfs_root); /* fnX */ + phba->hba_debugfs_root = NULL; +- lpfc_debugfs_hba_count--; ++ atomic_dec(&lpfc_debugfs_hba_count); + } + +- if (!lpfc_debugfs_hba_count) { ++ if (atomic_read(&lpfc_debugfs_hba_count) == 0) { + debugfs_remove(lpfc_debugfs_root); /* lpfc */ + lpfc_debugfs_root = NULL; + } diff --git a/1179-revert-scsi-lpfc-clean-up-extraneous-phba-dentries.patch b/1179-revert-scsi-lpfc-clean-up-extraneous-phba-dentries.patch new file mode 100644 index 000000000..19f30a950 --- /dev/null +++ b/1179-revert-scsi-lpfc-clean-up-extraneous-phba-dentries.patch @@ -0,0 +1,680 @@ +Subject: [PATCH] Revert "scsi: lpfc: Clean up extraneous phba dentries" +# reverse of cs10 0602f03214fe3d617fa735dfdc7aace47c0d2f54 + +diff --git a/drivers/scsi/lpfc/lpfc.h b/drivers/scsi/lpfc/lpfc.h +index 1293d145b94e..9389e3def94e 100644 +--- a/drivers/scsi/lpfc/lpfc.h ++++ b/drivers/scsi/lpfc/lpfc.h +@@ -742,6 +742,12 @@ struct lpfc_vport { + struct lpfc_vmid_priority_info vmid_priority; + + #ifdef CONFIG_SCSI_LPFC_DEBUG_FS ++ struct dentry *debug_disc_trc; ++ struct dentry *debug_nodelist; ++ struct dentry *debug_nvmestat; ++ struct dentry *debug_scsistat; ++ struct dentry *debug_ioktime; ++ struct dentry *debug_hdwqstat; + struct dentry *vport_debugfs_root; + struct lpfc_debugfs_trc *disc_trc; + atomic_t disc_trc_cnt; +@@ -1334,8 +1340,29 @@ struct lpfc_hba { + #ifdef CONFIG_SCSI_LPFC_DEBUG_FS + struct dentry *hba_debugfs_root; + atomic_t debugfs_vport_count; +- ++ struct dentry *debug_multixri_pools; ++ struct dentry *debug_hbqinfo; ++ struct dentry *debug_dumpHostSlim; ++ struct dentry *debug_dumpHBASlim; ++ struct dentry *debug_InjErrLBA; /* LBA to inject errors at */ ++ struct dentry *debug_InjErrNPortID; /* NPortID to inject errors at */ ++ struct dentry *debug_InjErrWWPN; /* WWPN to inject errors at */ ++ struct dentry *debug_writeGuard; /* inject write guard_tag errors */ ++ struct dentry *debug_writeApp; /* inject write app_tag errors */ ++ struct dentry *debug_writeRef; /* inject write ref_tag errors */ ++ struct dentry *debug_readGuard; /* inject read guard_tag errors */ ++ struct dentry *debug_readApp; /* inject read app_tag errors */ ++ struct dentry *debug_readRef; /* inject read ref_tag errors */ ++ ++ struct dentry *debug_nvmeio_trc; + struct lpfc_debugfs_nvmeio_trc *nvmeio_trc; ++ struct dentry *debug_hdwqinfo; ++#ifdef LPFC_HDWQ_LOCK_STAT ++ struct dentry *debug_lockstat; ++#endif ++ struct dentry *debug_cgn_buffer; ++ struct dentry *debug_rx_monitor; ++ struct dentry *debug_ras_log; + atomic_t nvmeio_trc_cnt; + uint32_t nvmeio_trc_size; + uint32_t nvmeio_trc_output_idx; +@@ -1352,10 +1379,19 @@ struct lpfc_hba { + sector_t lpfc_injerr_lba; + #define LPFC_INJERR_LBA_OFF (sector_t)(-1) + ++ struct dentry *debug_slow_ring_trc; + struct lpfc_debugfs_trc *slow_ring_trc; + atomic_t slow_ring_trc_cnt; + /* iDiag debugfs sub-directory */ + struct dentry *idiag_root; ++ struct dentry *idiag_pci_cfg; ++ struct dentry *idiag_bar_acc; ++ struct dentry *idiag_que_info; ++ struct dentry *idiag_que_acc; ++ struct dentry *idiag_drb_acc; ++ struct dentry *idiag_ctl_acc; ++ struct dentry *idiag_mbx_acc; ++ struct dentry *idiag_ext_acc; + uint8_t lpfc_idiag_last_eq; + #endif + uint16_t nvmeio_trc_on; +diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c +index eaedbaff5a78..691314c68b59 100644 +--- a/drivers/scsi/lpfc/lpfc_debugfs.c ++++ b/drivers/scsi/lpfc/lpfc_debugfs.c +@@ -6075,11 +6075,6 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport) + if (!lpfc_debugfs_root) { + lpfc_debugfs_root = debugfs_create_dir("lpfc", NULL); + atomic_set(&lpfc_debugfs_hba_count, 0); +- if (IS_ERR(lpfc_debugfs_root)) { +- lpfc_vlog_msg(vport, KERN_WARNING, LOG_INIT, +- "0527 Cannot create debugfs lpfc\n"); +- return; +- } + } + if (!lpfc_debugfs_start_time) + lpfc_debugfs_start_time = jiffies; +@@ -6090,96 +6085,150 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport) + pport_setup = true; + phba->hba_debugfs_root = + debugfs_create_dir(name, lpfc_debugfs_root); +- atomic_set(&phba->debugfs_vport_count, 0); +- if (IS_ERR(phba->hba_debugfs_root)) { +- lpfc_vlog_msg(vport, KERN_WARNING, LOG_INIT, +- "0528 Cannot create debugfs %s\n", name); +- return; +- } + atomic_inc(&lpfc_debugfs_hba_count); ++ atomic_set(&phba->debugfs_vport_count, 0); + + /* Multi-XRI pools */ +- debugfs_create_file("multixripools", 0644, +- phba->hba_debugfs_root, phba, +- &lpfc_debugfs_op_multixripools); ++ snprintf(name, sizeof(name), "multixripools"); ++ phba->debug_multixri_pools = ++ debugfs_create_file(name, S_IFREG | 0644, ++ phba->hba_debugfs_root, ++ phba, ++ &lpfc_debugfs_op_multixripools); ++ if (IS_ERR(phba->debug_multixri_pools)) { ++ lpfc_printf_vlog(vport, KERN_ERR, LOG_INIT, ++ "0527 Cannot create debugfs multixripools\n"); ++ goto debug_failed; ++ } + + /* Congestion Info Buffer */ +- debugfs_create_file("cgn_buffer", 0644, phba->hba_debugfs_root, +- phba, &lpfc_cgn_buffer_op); ++ scnprintf(name, sizeof(name), "cgn_buffer"); ++ phba->debug_cgn_buffer = ++ debugfs_create_file(name, S_IFREG | 0644, ++ phba->hba_debugfs_root, ++ phba, &lpfc_cgn_buffer_op); ++ if (IS_ERR(phba->debug_cgn_buffer)) { ++ lpfc_printf_vlog(vport, KERN_ERR, LOG_INIT, ++ "6527 Cannot create debugfs " ++ "cgn_buffer\n"); ++ goto debug_failed; ++ } + + /* RX Monitor */ +- debugfs_create_file("rx_monitor", 0644, phba->hba_debugfs_root, +- phba, &lpfc_rx_monitor_op); ++ scnprintf(name, sizeof(name), "rx_monitor"); ++ phba->debug_rx_monitor = ++ debugfs_create_file(name, S_IFREG | 0644, ++ phba->hba_debugfs_root, ++ phba, &lpfc_rx_monitor_op); ++ if (IS_ERR(phba->debug_rx_monitor)) { ++ lpfc_printf_vlog(vport, KERN_ERR, LOG_INIT, ++ "6528 Cannot create debugfs " ++ "rx_monitor\n"); ++ goto debug_failed; ++ } + + /* RAS log */ +- debugfs_create_file("ras_log", 0644, phba->hba_debugfs_root, +- phba, &lpfc_debugfs_ras_log); ++ snprintf(name, sizeof(name), "ras_log"); ++ phba->debug_ras_log = ++ debugfs_create_file(name, 0644, ++ phba->hba_debugfs_root, ++ phba, &lpfc_debugfs_ras_log); ++ if (IS_ERR(phba->debug_ras_log)) { ++ lpfc_printf_vlog(vport, KERN_ERR, LOG_INIT, ++ "6148 Cannot create debugfs" ++ " ras_log\n"); ++ goto debug_failed; ++ } + + /* Setup hbqinfo */ +- debugfs_create_file("hbqinfo", 0644, phba->hba_debugfs_root, +- phba, &lpfc_debugfs_op_hbqinfo); ++ snprintf(name, sizeof(name), "hbqinfo"); ++ phba->debug_hbqinfo = ++ debugfs_create_file(name, S_IFREG | 0644, ++ phba->hba_debugfs_root, ++ phba, &lpfc_debugfs_op_hbqinfo); + + #ifdef LPFC_HDWQ_LOCK_STAT + /* Setup lockstat */ +- debugfs_create_file("lockstat", 0644, phba->hba_debugfs_root, +- phba, &lpfc_debugfs_op_lockstat); ++ snprintf(name, sizeof(name), "lockstat"); ++ phba->debug_lockstat = ++ debugfs_create_file(name, S_IFREG | 0644, ++ phba->hba_debugfs_root, ++ phba, &lpfc_debugfs_op_lockstat); ++ if (IS_ERR(phba->debug_lockstat)) { ++ lpfc_printf_vlog(vport, KERN_ERR, LOG_INIT, ++ "4610 Can't create debugfs lockstat\n"); ++ goto debug_failed; ++ } + #endif ++ ++ /* Setup dumpHBASlim */ + if (phba->sli_rev < LPFC_SLI_REV4) { +- /* Setup dumpHBASlim */ +- debugfs_create_file("dumpHBASlim", 0644, +- phba->hba_debugfs_root, phba, +- &lpfc_debugfs_op_dumpHBASlim); +- } ++ snprintf(name, sizeof(name), "dumpHBASlim"); ++ phba->debug_dumpHBASlim = ++ debugfs_create_file(name, ++ S_IFREG|S_IRUGO|S_IWUSR, ++ phba->hba_debugfs_root, ++ phba, &lpfc_debugfs_op_dumpHBASlim); ++ } else ++ phba->debug_dumpHBASlim = NULL; + ++ /* Setup dumpHostSlim */ + if (phba->sli_rev < LPFC_SLI_REV4) { +- /* Setup dumpHostSlim */ +- debugfs_create_file("dumpHostSlim", 0644, +- phba->hba_debugfs_root, phba, +- &lpfc_debugfs_op_dumpHostSlim); +- } ++ snprintf(name, sizeof(name), "dumpHostSlim"); ++ phba->debug_dumpHostSlim = ++ debugfs_create_file(name, ++ S_IFREG|S_IRUGO|S_IWUSR, ++ phba->hba_debugfs_root, ++ phba, &lpfc_debugfs_op_dumpHostSlim); ++ } else ++ phba->debug_dumpHostSlim = NULL; + + /* Setup DIF Error Injections */ +- debugfs_create_file_aux_num("InjErrLBA", 0644, +- phba->hba_debugfs_root, phba, +- InjErrLBA, +- &lpfc_debugfs_op_dif_err); ++ phba->debug_InjErrLBA = ++ debugfs_create_file_aux_num("InjErrLBA", 0644, ++ phba->hba_debugfs_root, ++ phba, InjErrLBA, &lpfc_debugfs_op_dif_err); + phba->lpfc_injerr_lba = LPFC_INJERR_LBA_OFF; + +- debugfs_create_file_aux_num("InjErrNPortID", 0644, +- phba->hba_debugfs_root, phba, +- InjErrNPortID, +- &lpfc_debugfs_op_dif_err); +- +- debugfs_create_file_aux_num("InjErrWWPN", 0644, +- phba->hba_debugfs_root, phba, +- InjErrWWPN, +- &lpfc_debugfs_op_dif_err); +- +- debugfs_create_file_aux_num("writeGuardInjErr", 0644, +- phba->hba_debugfs_root, phba, +- writeGuard, +- &lpfc_debugfs_op_dif_err); +- +- debugfs_create_file_aux_num("writeAppInjErr", 0644, +- phba->hba_debugfs_root, phba, +- writeApp, &lpfc_debugfs_op_dif_err); +- +- debugfs_create_file_aux_num("writeRefInjErr", 0644, +- phba->hba_debugfs_root, phba, +- writeRef, &lpfc_debugfs_op_dif_err); +- +- debugfs_create_file_aux_num("readGuardInjErr", 0644, +- phba->hba_debugfs_root, phba, +- readGuard, +- &lpfc_debugfs_op_dif_err); +- +- debugfs_create_file_aux_num("readAppInjErr", 0644, +- phba->hba_debugfs_root, phba, +- readApp, &lpfc_debugfs_op_dif_err); +- +- debugfs_create_file_aux_num("readRefInjErr", 0644, +- phba->hba_debugfs_root, phba, +- readRef, &lpfc_debugfs_op_dif_err); ++ phba->debug_InjErrNPortID = ++ debugfs_create_file_aux_num("InjErrNPortID", 0644, ++ phba->hba_debugfs_root, ++ phba, InjErrNPortID, &lpfc_debugfs_op_dif_err); ++ ++ phba->debug_InjErrWWPN = ++ debugfs_create_file_aux_num("InjErrWWPN", 0644, ++ phba->hba_debugfs_root, ++ phba, InjErrWWPN, &lpfc_debugfs_op_dif_err); ++ ++ phba->debug_writeGuard = ++ debugfs_create_file_aux_num("writeGuardInjErr", 0644, ++ phba->hba_debugfs_root, ++ phba, writeGuard, &lpfc_debugfs_op_dif_err); ++ ++ phba->debug_writeApp = ++ debugfs_create_file_aux_num("writeAppInjErr", 0644, ++ phba->hba_debugfs_root, ++ phba, writeApp, &lpfc_debugfs_op_dif_err); ++ ++ phba->debug_writeRef = ++ debugfs_create_file_aux_num("writeRefInjErr", 0644, ++ phba->hba_debugfs_root, ++ phba, writeRef, &lpfc_debugfs_op_dif_err); ++ ++ phba->debug_readGuard = ++ debugfs_create_file_aux_num("readGuardInjErr", 0644, ++ phba->hba_debugfs_root, ++ phba, readGuard, &lpfc_debugfs_op_dif_err); ++ ++ phba->debug_readApp = ++ debugfs_create_file_aux_num("readAppInjErr", 0644, ++ phba->hba_debugfs_root, ++ phba, readApp, &lpfc_debugfs_op_dif_err); ++ ++ phba->debug_readRef = ++ debugfs_create_file_aux_num("readRefInjErr", 0644, ++ phba->hba_debugfs_root, ++ phba, readRef, &lpfc_debugfs_op_dif_err); + + /* Setup slow ring trace */ + if (lpfc_debugfs_max_slow_ring_trc) { +@@ -6199,9 +6248,11 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport) + } + } + +- debugfs_create_file("slow_ring_trace", 0644, +- phba->hba_debugfs_root, phba, +- &lpfc_debugfs_op_slow_ring_trc); ++ snprintf(name, sizeof(name), "slow_ring_trace"); ++ phba->debug_slow_ring_trc = ++ debugfs_create_file(name, S_IFREG|S_IRUGO|S_IWUSR, ++ phba->hba_debugfs_root, ++ phba, &lpfc_debugfs_op_slow_ring_trc); + if (!phba->slow_ring_trc) { + phba->slow_ring_trc = kcalloc( + lpfc_debugfs_max_slow_ring_trc, +@@ -6211,13 +6262,16 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport) + lpfc_printf_vlog(vport, KERN_ERR, LOG_INIT, + "0416 Cannot create debugfs " + "slow_ring buffer\n"); +- goto out; ++ goto debug_failed; + } + atomic_set(&phba->slow_ring_trc_cnt, 0); + } + +- debugfs_create_file("nvmeio_trc", 0644, phba->hba_debugfs_root, +- phba, &lpfc_debugfs_op_nvmeio_trc); ++ snprintf(name, sizeof(name), "nvmeio_trc"); ++ phba->debug_nvmeio_trc = ++ debugfs_create_file(name, 0644, ++ phba->hba_debugfs_root, ++ phba, &lpfc_debugfs_op_nvmeio_trc); + + atomic_set(&phba->nvmeio_trc_cnt, 0); + if (lpfc_debugfs_max_nvmeio_trc) { +@@ -6263,11 +6317,6 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport) + if (!vport->vport_debugfs_root) { + vport->vport_debugfs_root = + debugfs_create_dir(name, phba->hba_debugfs_root); +- if (IS_ERR(vport->vport_debugfs_root)) { +- lpfc_vlog_msg(vport, KERN_WARNING, LOG_INIT, +- "0529 Cannot create debugfs %s\n", name); +- return; +- } + atomic_inc(&phba->debugfs_vport_count); + } + +@@ -6295,27 +6344,54 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport) + lpfc_printf_vlog(vport, KERN_ERR, LOG_INIT, + "0418 Cannot create debugfs disc trace " + "buffer\n"); +- goto out; ++ goto debug_failed; + } + atomic_set(&vport->disc_trc_cnt, 0); + +- debugfs_create_file("discovery_trace", 0644, vport->vport_debugfs_root, +- vport, &lpfc_debugfs_op_disc_trc); +- +- debugfs_create_file("nodelist", 0644, vport->vport_debugfs_root, vport, +- &lpfc_debugfs_op_nodelist); +- +- debugfs_create_file("nvmestat", 0644, vport->vport_debugfs_root, vport, +- &lpfc_debugfs_op_nvmestat); +- +- debugfs_create_file("scsistat", 0644, vport->vport_debugfs_root, vport, +- &lpfc_debugfs_op_scsistat); ++ snprintf(name, sizeof(name), "discovery_trace"); ++ vport->debug_disc_trc = ++ debugfs_create_file(name, S_IFREG|S_IRUGO|S_IWUSR, ++ vport->vport_debugfs_root, ++ vport, &lpfc_debugfs_op_disc_trc); ++ snprintf(name, sizeof(name), "nodelist"); ++ vport->debug_nodelist = ++ debugfs_create_file(name, S_IFREG|S_IRUGO|S_IWUSR, ++ vport->vport_debugfs_root, ++ vport, &lpfc_debugfs_op_nodelist); ++ ++ snprintf(name, sizeof(name), "nvmestat"); ++ vport->debug_nvmestat = ++ debugfs_create_file(name, 0644, ++ vport->vport_debugfs_root, ++ vport, &lpfc_debugfs_op_nvmestat); ++ ++ snprintf(name, sizeof(name), "scsistat"); ++ vport->debug_scsistat = ++ debugfs_create_file(name, 0644, ++ vport->vport_debugfs_root, ++ vport, &lpfc_debugfs_op_scsistat); ++ if (IS_ERR(vport->debug_scsistat)) { ++ lpfc_printf_vlog(vport, KERN_ERR, LOG_INIT, ++ "4611 Cannot create debugfs scsistat\n"); ++ goto debug_failed; ++ } + +- debugfs_create_file("ioktime", 0644, vport->vport_debugfs_root, vport, +- &lpfc_debugfs_op_ioktime); ++ snprintf(name, sizeof(name), "ioktime"); ++ vport->debug_ioktime = ++ debugfs_create_file(name, 0644, ++ vport->vport_debugfs_root, ++ vport, &lpfc_debugfs_op_ioktime); ++ if (IS_ERR(vport->debug_ioktime)) { ++ lpfc_printf_vlog(vport, KERN_ERR, LOG_INIT, ++ "0815 Cannot create debugfs ioktime\n"); ++ goto debug_failed; ++ } + +- debugfs_create_file("hdwqstat", 0644, vport->vport_debugfs_root, vport, +- &lpfc_debugfs_op_hdwqstat); ++ snprintf(name, sizeof(name), "hdwqstat"); ++ vport->debug_hdwqstat = ++ debugfs_create_file(name, 0644, ++ vport->vport_debugfs_root, ++ vport, &lpfc_debugfs_op_hdwqstat); + + /* + * The following section is for additional directories/files for the +@@ -6323,58 +6399,93 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport) + */ + + if (!pport_setup) +- return; ++ goto debug_failed; + + /* + * iDiag debugfs root entry points for SLI4 device only + */ + if (phba->sli_rev < LPFC_SLI_REV4) +- return; ++ goto debug_failed; + ++ snprintf(name, sizeof(name), "iDiag"); + if (!phba->idiag_root) { + phba->idiag_root = +- debugfs_create_dir("iDiag", phba->hba_debugfs_root); ++ debugfs_create_dir(name, phba->hba_debugfs_root); + /* Initialize iDiag data structure */ + memset(&idiag, 0, sizeof(idiag)); + } + + /* iDiag read PCI config space */ +- debugfs_create_file("pciCfg", 0644, phba->idiag_root, phba, +- &lpfc_idiag_op_pciCfg); +- idiag.offset.last_rd = 0; ++ snprintf(name, sizeof(name), "pciCfg"); ++ if (!phba->idiag_pci_cfg) { ++ phba->idiag_pci_cfg = ++ debugfs_create_file(name, S_IFREG|S_IRUGO|S_IWUSR, ++ phba->idiag_root, phba, &lpfc_idiag_op_pciCfg); ++ idiag.offset.last_rd = 0; ++ } + + /* iDiag PCI BAR access */ +- debugfs_create_file("barAcc", 0644, phba->idiag_root, phba, +- &lpfc_idiag_op_barAcc); +- idiag.offset.last_rd = 0; ++ snprintf(name, sizeof(name), "barAcc"); ++ if (!phba->idiag_bar_acc) { ++ phba->idiag_bar_acc = ++ debugfs_create_file(name, S_IFREG|S_IRUGO|S_IWUSR, ++ phba->idiag_root, phba, &lpfc_idiag_op_barAcc); ++ idiag.offset.last_rd = 0; ++ } + + /* iDiag get PCI function queue information */ +- debugfs_create_file("queInfo", 0444, phba->idiag_root, phba, +- &lpfc_idiag_op_queInfo); ++ snprintf(name, sizeof(name), "queInfo"); ++ if (!phba->idiag_que_info) { ++ phba->idiag_que_info = ++ debugfs_create_file(name, S_IFREG|S_IRUGO, ++ phba->idiag_root, phba, &lpfc_idiag_op_queInfo); ++ } + + /* iDiag access PCI function queue */ +- debugfs_create_file("queAcc", 0644, phba->idiag_root, phba, +- &lpfc_idiag_op_queAcc); ++ snprintf(name, sizeof(name), "queAcc"); ++ if (!phba->idiag_que_acc) { ++ phba->idiag_que_acc = ++ debugfs_create_file(name, S_IFREG|S_IRUGO|S_IWUSR, ++ phba->idiag_root, phba, &lpfc_idiag_op_queAcc); ++ } + + /* iDiag access PCI function doorbell registers */ +- debugfs_create_file("drbAcc", 0644, phba->idiag_root, phba, +- &lpfc_idiag_op_drbAcc); ++ snprintf(name, sizeof(name), "drbAcc"); ++ if (!phba->idiag_drb_acc) { ++ phba->idiag_drb_acc = ++ debugfs_create_file(name, S_IFREG|S_IRUGO|S_IWUSR, ++ phba->idiag_root, phba, &lpfc_idiag_op_drbAcc); ++ } + + /* iDiag access PCI function control registers */ +- debugfs_create_file("ctlAcc", 0644, phba->idiag_root, phba, +- &lpfc_idiag_op_ctlAcc); ++ snprintf(name, sizeof(name), "ctlAcc"); ++ if (!phba->idiag_ctl_acc) { ++ phba->idiag_ctl_acc = ++ debugfs_create_file(name, S_IFREG|S_IRUGO|S_IWUSR, ++ phba->idiag_root, phba, &lpfc_idiag_op_ctlAcc); ++ } + + /* iDiag access mbox commands */ +- debugfs_create_file("mbxAcc", 0644, phba->idiag_root, phba, +- &lpfc_idiag_op_mbxAcc); ++ snprintf(name, sizeof(name), "mbxAcc"); ++ if (!phba->idiag_mbx_acc) { ++ phba->idiag_mbx_acc = ++ debugfs_create_file(name, S_IFREG|S_IRUGO|S_IWUSR, ++ phba->idiag_root, phba, &lpfc_idiag_op_mbxAcc); ++ } + + /* iDiag extents access commands */ + if (phba->sli4_hba.extents_in_use) { +- debugfs_create_file("extAcc", 0644, phba->idiag_root, phba, +- &lpfc_idiag_op_extAcc); ++ snprintf(name, sizeof(name), "extAcc"); ++ if (!phba->idiag_ext_acc) { ++ phba->idiag_ext_acc = ++ debugfs_create_file(name, ++ S_IFREG|S_IRUGO|S_IWUSR, ++ phba->idiag_root, phba, ++ &lpfc_idiag_op_extAcc); ++ } + } +-out: +- /* alloc'ed items are kfree'd in lpfc_debugfs_terminate */ ++ ++debug_failed: + return; + #endif + } +@@ -6399,6 +6510,24 @@ lpfc_debugfs_terminate(struct lpfc_vport *vport) + kfree(vport->disc_trc); + vport->disc_trc = NULL; + ++ debugfs_remove(vport->debug_disc_trc); /* discovery_trace */ ++ vport->debug_disc_trc = NULL; ++ ++ debugfs_remove(vport->debug_nodelist); /* nodelist */ ++ vport->debug_nodelist = NULL; ++ ++ debugfs_remove(vport->debug_nvmestat); /* nvmestat */ ++ vport->debug_nvmestat = NULL; ++ ++ debugfs_remove(vport->debug_scsistat); /* scsistat */ ++ vport->debug_scsistat = NULL; ++ ++ debugfs_remove(vport->debug_ioktime); /* ioktime */ ++ vport->debug_ioktime = NULL; ++ ++ debugfs_remove(vport->debug_hdwqstat); /* hdwqstat */ ++ vport->debug_hdwqstat = NULL; ++ + if (vport->vport_debugfs_root) { + debugfs_remove(vport->vport_debugfs_root); /* vportX */ + vport->vport_debugfs_root = NULL; +@@ -6406,12 +6535,113 @@ lpfc_debugfs_terminate(struct lpfc_vport *vport) + } + + if (atomic_read(&phba->debugfs_vport_count) == 0) { ++ ++ debugfs_remove(phba->debug_multixri_pools); /* multixripools*/ ++ phba->debug_multixri_pools = NULL; ++ ++ debugfs_remove(phba->debug_hbqinfo); /* hbqinfo */ ++ phba->debug_hbqinfo = NULL; ++ ++ debugfs_remove(phba->debug_cgn_buffer); ++ phba->debug_cgn_buffer = NULL; ++ ++ debugfs_remove(phba->debug_rx_monitor); ++ phba->debug_rx_monitor = NULL; ++ ++ debugfs_remove(phba->debug_ras_log); ++ phba->debug_ras_log = NULL; ++ ++#ifdef LPFC_HDWQ_LOCK_STAT ++ debugfs_remove(phba->debug_lockstat); /* lockstat */ ++ phba->debug_lockstat = NULL; ++#endif ++ debugfs_remove(phba->debug_dumpHBASlim); /* HBASlim */ ++ phba->debug_dumpHBASlim = NULL; ++ ++ debugfs_remove(phba->debug_dumpHostSlim); /* HostSlim */ ++ phba->debug_dumpHostSlim = NULL; ++ ++ debugfs_remove(phba->debug_InjErrLBA); /* InjErrLBA */ ++ phba->debug_InjErrLBA = NULL; ++ ++ debugfs_remove(phba->debug_InjErrNPortID); ++ phba->debug_InjErrNPortID = NULL; ++ ++ debugfs_remove(phba->debug_InjErrWWPN); /* InjErrWWPN */ ++ phba->debug_InjErrWWPN = NULL; ++ ++ debugfs_remove(phba->debug_writeGuard); /* writeGuard */ ++ phba->debug_writeGuard = NULL; ++ ++ debugfs_remove(phba->debug_writeApp); /* writeApp */ ++ phba->debug_writeApp = NULL; ++ ++ debugfs_remove(phba->debug_writeRef); /* writeRef */ ++ phba->debug_writeRef = NULL; ++ ++ debugfs_remove(phba->debug_readGuard); /* readGuard */ ++ phba->debug_readGuard = NULL; ++ ++ debugfs_remove(phba->debug_readApp); /* readApp */ ++ phba->debug_readApp = NULL; ++ ++ debugfs_remove(phba->debug_readRef); /* readRef */ ++ phba->debug_readRef = NULL; ++ + kfree(phba->slow_ring_trc); + phba->slow_ring_trc = NULL; + ++ /* slow_ring_trace */ ++ debugfs_remove(phba->debug_slow_ring_trc); ++ phba->debug_slow_ring_trc = NULL; ++ ++ debugfs_remove(phba->debug_nvmeio_trc); ++ phba->debug_nvmeio_trc = NULL; ++ + kfree(phba->nvmeio_trc); + phba->nvmeio_trc = NULL; + ++ /* ++ * iDiag release ++ */ ++ if (phba->sli_rev == LPFC_SLI_REV4) { ++ /* iDiag extAcc */ ++ debugfs_remove(phba->idiag_ext_acc); ++ phba->idiag_ext_acc = NULL; ++ ++ /* iDiag mbxAcc */ ++ debugfs_remove(phba->idiag_mbx_acc); ++ phba->idiag_mbx_acc = NULL; ++ ++ /* iDiag ctlAcc */ ++ debugfs_remove(phba->idiag_ctl_acc); ++ phba->idiag_ctl_acc = NULL; ++ ++ /* iDiag drbAcc */ ++ debugfs_remove(phba->idiag_drb_acc); ++ phba->idiag_drb_acc = NULL; ++ ++ /* iDiag queAcc */ ++ debugfs_remove(phba->idiag_que_acc); ++ phba->idiag_que_acc = NULL; ++ ++ /* iDiag queInfo */ ++ debugfs_remove(phba->idiag_que_info); ++ phba->idiag_que_info = NULL; ++ ++ /* iDiag barAcc */ ++ debugfs_remove(phba->idiag_bar_acc); ++ phba->idiag_bar_acc = NULL; ++ ++ /* iDiag pciCfg */ ++ debugfs_remove(phba->idiag_pci_cfg); ++ phba->idiag_pci_cfg = NULL; ++ ++ /* Finally remove the iDiag debugfs root */ ++ debugfs_remove(phba->idiag_root); ++ phba->idiag_root = NULL; ++ } ++ + if (phba->hba_debugfs_root) { + debugfs_remove(phba->hba_debugfs_root); /* fnX */ + phba->hba_debugfs_root = NULL; diff --git a/1180-revert-scsi-lpfc-use-switch-case-statements-in-dif-debugfs-h.patch b/1180-revert-scsi-lpfc-use-switch-case-statements-in-dif-debugfs-h.patch new file mode 100644 index 000000000..1f555abd4 --- /dev/null +++ b/1180-revert-scsi-lpfc-use-switch-case-statements-in-dif-debugfs-h.patch @@ -0,0 +1,195 @@ +Subject: [PATCH] Revert "scsi: lpfc: Use switch case statements in DIF debugfs handlers" +# reverse of cs10 d19023a336a31f49111b96a266610a4d923f9cad + +diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c +index 691314c68b59..7c4d7bb3a56f 100644 +--- a/drivers/scsi/lpfc/lpfc_debugfs.c ++++ b/drivers/scsi/lpfc/lpfc_debugfs.c +@@ -2373,117 +2373,93 @@ lpfc_debugfs_dumpHostSlim_open(struct inode *inode, struct file *file) + + static ssize_t + lpfc_debugfs_dif_err_read(struct file *file, char __user *buf, +- size_t nbytes, loff_t *ppos) ++ size_t nbytes, loff_t *ppos) + { + struct lpfc_hba *phba = file->private_data; + int kind = debugfs_get_aux_num(file); +- char cbuf[32] = {0}; ++ char cbuf[32]; ++ uint64_t tmp = 0; + int cnt = 0; + +- switch (kind) { +- case writeGuard: +- cnt = scnprintf(cbuf, sizeof(cbuf), "%u\n", +- phba->lpfc_injerr_wgrd_cnt); +- break; +- case writeApp: +- cnt = scnprintf(cbuf, sizeof(cbuf), "%u\n", +- phba->lpfc_injerr_wapp_cnt); +- break; +- case writeRef: +- cnt = scnprintf(cbuf, sizeof(cbuf), "%u\n", +- phba->lpfc_injerr_wref_cnt); +- break; +- case readGuard: +- cnt = scnprintf(cbuf, sizeof(cbuf), "%u\n", +- phba->lpfc_injerr_rgrd_cnt); +- break; +- case readApp: +- cnt = scnprintf(cbuf, sizeof(cbuf), "%u\n", +- phba->lpfc_injerr_rapp_cnt); +- break; +- case readRef: +- cnt = scnprintf(cbuf, sizeof(cbuf), "%u\n", +- phba->lpfc_injerr_rref_cnt); +- break; +- case InjErrNPortID: +- cnt = scnprintf(cbuf, sizeof(cbuf), "0x%06x\n", ++ if (kind == writeGuard) ++ cnt = scnprintf(cbuf, 32, "%u\n", phba->lpfc_injerr_wgrd_cnt); ++ else if (kind == writeApp) ++ cnt = scnprintf(cbuf, 32, "%u\n", phba->lpfc_injerr_wapp_cnt); ++ else if (kind == writeRef) ++ cnt = scnprintf(cbuf, 32, "%u\n", phba->lpfc_injerr_wref_cnt); ++ else if (kind == readGuard) ++ cnt = scnprintf(cbuf, 32, "%u\n", phba->lpfc_injerr_rgrd_cnt); ++ else if (kind == readApp) ++ cnt = scnprintf(cbuf, 32, "%u\n", phba->lpfc_injerr_rapp_cnt); ++ else if (kind == readRef) ++ cnt = scnprintf(cbuf, 32, "%u\n", phba->lpfc_injerr_rref_cnt); ++ else if (kind == InjErrNPortID) ++ cnt = scnprintf(cbuf, 32, "0x%06x\n", + phba->lpfc_injerr_nportid); +- break; +- case InjErrWWPN: +- cnt = scnprintf(cbuf, sizeof(cbuf), "0x%016llx\n", +- be64_to_cpu(phba->lpfc_injerr_wwpn.u.wwn_be)); +- break; +- case InjErrLBA: +- if (phba->lpfc_injerr_lba == LPFC_INJERR_LBA_OFF) +- cnt = scnprintf(cbuf, sizeof(cbuf), "off\n"); ++ else if (kind == InjErrWWPN) { ++ memcpy(&tmp, &phba->lpfc_injerr_wwpn, sizeof(struct lpfc_name)); ++ tmp = cpu_to_be64(tmp); ++ cnt = scnprintf(cbuf, 32, "0x%016llx\n", tmp); ++ } else if (kind == InjErrLBA) { ++ if (phba->lpfc_injerr_lba == (sector_t)(-1)) ++ cnt = scnprintf(cbuf, 32, "off\n"); + else +- cnt = scnprintf(cbuf, sizeof(cbuf), "0x%llx\n", +- (uint64_t)phba->lpfc_injerr_lba); +- break; +- default: +- lpfc_log_msg(phba, KERN_WARNING, LOG_INIT, +- "0547 Unknown debugfs error injection entry\n"); +- break; +- } ++ cnt = scnprintf(cbuf, 32, "0x%llx\n", ++ (uint64_t) phba->lpfc_injerr_lba); ++ } else ++ lpfc_printf_log(phba, KERN_ERR, LOG_INIT, ++ "0547 Unknown debugfs error injection entry\n"); + + return simple_read_from_buffer(buf, nbytes, ppos, &cbuf, cnt); + } + + static ssize_t + lpfc_debugfs_dif_err_write(struct file *file, const char __user *buf, +- size_t nbytes, loff_t *ppos) ++ size_t nbytes, loff_t *ppos) + { + struct lpfc_hba *phba = file->private_data; + int kind = debugfs_get_aux_num(file); +- char dstbuf[33] = {0}; +- unsigned long long tmp; +- unsigned long size; ++ char dstbuf[33]; ++ uint64_t tmp = 0; ++ int size; + +- size = (nbytes < (sizeof(dstbuf) - 1)) ? nbytes : (sizeof(dstbuf) - 1); ++ memset(dstbuf, 0, 33); ++ size = (nbytes < 32) ? nbytes : 32; + if (copy_from_user(dstbuf, buf, size)) + return -EFAULT; + +- if (kstrtoull(dstbuf, 0, &tmp)) { +- if (kind != InjErrLBA || !strstr(dstbuf, "off")) +- return -EINVAL; ++ if (kind == InjErrLBA) { ++ if ((dstbuf[0] == 'o') && (dstbuf[1] == 'f') && ++ (dstbuf[2] == 'f')) ++ tmp = (uint64_t)(-1); + } + +- switch (kind) { +- case writeGuard: ++ if ((tmp == 0) && (kstrtoull(dstbuf, 0, &tmp))) ++ return -EINVAL; ++ ++ if (kind == writeGuard) + phba->lpfc_injerr_wgrd_cnt = (uint32_t)tmp; +- break; +- case writeApp: ++ else if (kind == writeApp) + phba->lpfc_injerr_wapp_cnt = (uint32_t)tmp; +- break; +- case writeRef: ++ else if (kind == writeRef) + phba->lpfc_injerr_wref_cnt = (uint32_t)tmp; +- break; +- case readGuard: ++ else if (kind == readGuard) + phba->lpfc_injerr_rgrd_cnt = (uint32_t)tmp; +- break; +- case readApp: ++ else if (kind == readApp) + phba->lpfc_injerr_rapp_cnt = (uint32_t)tmp; +- break; +- case readRef: ++ else if (kind == readRef) + phba->lpfc_injerr_rref_cnt = (uint32_t)tmp; +- break; +- case InjErrLBA: +- if (strstr(dstbuf, "off")) +- phba->lpfc_injerr_lba = LPFC_INJERR_LBA_OFF; +- else +- phba->lpfc_injerr_lba = (sector_t)tmp; +- break; +- case InjErrNPortID: ++ else if (kind == InjErrLBA) ++ phba->lpfc_injerr_lba = (sector_t)tmp; ++ else if (kind == InjErrNPortID) + phba->lpfc_injerr_nportid = (uint32_t)(tmp & Mask_DID); +- break; +- case InjErrWWPN: +- phba->lpfc_injerr_wwpn.u.wwn_be = cpu_to_be64(tmp); +- break; +- default: +- lpfc_log_msg(phba, KERN_WARNING, LOG_INIT, +- "0548 Unknown debugfs error injection entry\n"); +- break; +- } ++ else if (kind == InjErrWWPN) { ++ tmp = cpu_to_be64(tmp); ++ memcpy(&phba->lpfc_injerr_wwpn, &tmp, sizeof(struct lpfc_name)); ++ } else ++ lpfc_printf_log(phba, KERN_ERR, LOG_INIT, ++ "0548 Unknown debugfs error injection entry\n"); ++ + return nbytes; + } + +diff --git a/drivers/scsi/lpfc/lpfc_hw.h b/drivers/scsi/lpfc/lpfc_hw.h +index b287d39ad033..32298285ea5e 100644 +--- a/drivers/scsi/lpfc/lpfc_hw.h ++++ b/drivers/scsi/lpfc/lpfc_hw.h +@@ -366,7 +366,6 @@ struct lpfc_name { + } s; + uint8_t wwn[8]; + uint64_t name __packed __aligned(4); +- __be64 wwn_be __packed __aligned(4); + } u; + }; + diff --git a/1181-revert-scsi-lpfc-fix-memory-leak-when-nvmeio-trc-debugfs-ent.patch b/1181-revert-scsi-lpfc-fix-memory-leak-when-nvmeio-trc-debugfs-ent.patch new file mode 100644 index 000000000..6b311410b --- /dev/null +++ b/1181-revert-scsi-lpfc-fix-memory-leak-when-nvmeio-trc-debugfs-ent.patch @@ -0,0 +1,15 @@ +Subject: [PATCH] Revert "scsi: lpfc: Fix memory leak when nvmeio_trc debugfs entry is used" +# reverse of cs10 1b923bbb0077b6f1679b13b26a46342034b0c794 + +diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c +index 7c4d7bb3a56f..2db8d9529b8f 100644 +--- a/drivers/scsi/lpfc/lpfc_debugfs.c ++++ b/drivers/scsi/lpfc/lpfc_debugfs.c +@@ -6280,6 +6280,7 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport) + } + phba->nvmeio_trc_on = 1; + phba->nvmeio_trc_output_idx = 0; ++ phba->nvmeio_trc = NULL; + } else { + nvmeio_off: + phba->nvmeio_trc_size = 0; diff --git a/1182-revert-scsi-lpfc-define-size-of-debugfs-entry-for-xri-rebala.patch b/1182-revert-scsi-lpfc-define-size-of-debugfs-entry-for-xri-rebala.patch new file mode 100644 index 000000000..b91b60125 --- /dev/null +++ b/1182-revert-scsi-lpfc-define-size-of-debugfs-entry-for-xri-rebala.patch @@ -0,0 +1,17 @@ +Subject: [PATCH] Revert "scsi: lpfc: Define size of debugfs entry for xri rebalancing" +# reverse of cs10 60dc76d9e94b45301a874cede2364bf4d7a4c16e + +diff --git a/drivers/scsi/lpfc/lpfc_debugfs.h b/drivers/scsi/lpfc/lpfc_debugfs.h +index 566dd84e0677..f319f3af0400 100644 +--- a/drivers/scsi/lpfc/lpfc_debugfs.h ++++ b/drivers/scsi/lpfc/lpfc_debugfs.h +@@ -44,9 +44,6 @@ + /* hbqinfo output buffer size */ + #define LPFC_HBQINFO_SIZE 8192 + +-/* hdwqinfo output buffer size */ +-#define LPFC_HDWQINFO_SIZE 8192 +- + /* nvmestat output buffer size */ + #define LPFC_NVMESTAT_SIZE 8192 + #define LPFC_IOKTIME_SIZE 8192 diff --git a/1183-revert-scsi-lpfc-ensure-plogi-acc-is-sent-prior-to-prli-in-p.patch b/1183-revert-scsi-lpfc-ensure-plogi-acc-is-sent-prior-to-prli-in-p.patch new file mode 100644 index 000000000..3b2fe4178 --- /dev/null +++ b/1183-revert-scsi-lpfc-ensure-plogi-acc-is-sent-prior-to-prli-in-p.patch @@ -0,0 +1,75 @@ +Subject: [PATCH] Revert "scsi: lpfc: Ensure PLOGI_ACC is sent prior to PRLI in Point to Point topology" +# reverse of cs10 6dcd096ed524a8b9dcc82b80bfcebca892be8ea2 + +diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c +index 9a20a08f4bd9..941027b329a2 100644 +--- a/drivers/scsi/lpfc/lpfc_els.c ++++ b/drivers/scsi/lpfc/lpfc_els.c +@@ -5338,12 +5338,12 @@ lpfc_cmpl_els_rsp(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb, + ulp_status, ulp_word4, did); + /* ELS response tag completes */ + lpfc_printf_vlog(vport, KERN_INFO, LOG_ELS, +- "0110 ELS response tag x%x completes fc_flag x%lx" ++ "0110 ELS response tag x%x completes " + "Data: x%x x%x x%x x%x x%lx x%x x%x x%x %p %p\n", +- iotag, vport->fc_flag, ulp_status, ulp_word4, tmo, ++ iotag, ulp_status, ulp_word4, tmo, + ndlp->nlp_DID, ndlp->nlp_flag, ndlp->nlp_state, + ndlp->nlp_rpi, kref_read(&ndlp->kref), mbox, ndlp); +- if (mbox && !test_bit(FC_PT2PT, &vport->fc_flag)) { ++ if (mbox) { + if (ulp_status == 0 && + test_bit(NLP_ACC_REGLOGIN, &ndlp->nlp_flag)) { + if (!lpfc_unreg_rpi(vport, ndlp) && +@@ -5402,10 +5402,6 @@ lpfc_cmpl_els_rsp(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb, + } + out_free_mbox: + lpfc_mbox_rsrc_cleanup(phba, mbox, MBOX_THD_UNLOCKED); +- } else if (mbox && test_bit(FC_PT2PT, &vport->fc_flag) && +- test_bit(NLP_ACC_REGLOGIN, &ndlp->nlp_flag)) { +- lpfc_mbx_cmpl_reg_login(phba, mbox); +- clear_bit(NLP_ACC_REGLOGIN, &ndlp->nlp_flag); + } + out: + if (ndlp && shost) { +diff --git a/drivers/scsi/lpfc/lpfc_nportdisc.c b/drivers/scsi/lpfc/lpfc_nportdisc.c +index 1e331b76dff4..5aa21c683ac6 100644 +--- a/drivers/scsi/lpfc/lpfc_nportdisc.c ++++ b/drivers/scsi/lpfc/lpfc_nportdisc.c +@@ -326,14 +326,8 @@ lpfc_defer_plogi_acc(struct lpfc_hba *phba, LPFC_MBOXQ_t *login_mbox) + /* Now that REG_RPI completed successfully, + * we can now proceed with sending the PLOGI ACC. + */ +- if (test_bit(FC_PT2PT, &ndlp->vport->fc_flag)) { +- rc = lpfc_els_rsp_acc(login_mbox->vport, ELS_CMD_PLOGI, +- save_iocb, ndlp, login_mbox); +- } else { +- rc = lpfc_els_rsp_acc(login_mbox->vport, ELS_CMD_PLOGI, +- save_iocb, ndlp, NULL); +- } +- ++ rc = lpfc_els_rsp_acc(login_mbox->vport, ELS_CMD_PLOGI, ++ save_iocb, ndlp, NULL); + if (rc) { + lpfc_printf_log(phba, KERN_ERR, LOG_TRACE_EVENT, + "4576 PLOGI ACC fails pt2pt discovery: " +@@ -341,16 +335,9 @@ lpfc_defer_plogi_acc(struct lpfc_hba *phba, LPFC_MBOXQ_t *login_mbox) + } + } + +- /* If this is a fabric topology, complete the reg_rpi and prli now. +- * For Pt2Pt, the reg_rpi and PRLI are deferred until after the LS_ACC +- * completes. This ensures, in Pt2Pt, that the PLOGI LS_ACC is sent +- * before the PRLI. +- */ +- if (!test_bit(FC_PT2PT, &ndlp->vport->fc_flag)) { +- /* Now process the REG_RPI cmpl */ +- lpfc_mbx_cmpl_reg_login(phba, login_mbox); +- clear_bit(NLP_ACC_REGLOGIN, &ndlp->nlp_flag); +- } ++ /* Now process the REG_RPI cmpl */ ++ lpfc_mbx_cmpl_reg_login(phba, login_mbox); ++ clear_bit(NLP_ACC_REGLOGIN, &ndlp->nlp_flag); + kfree(save_iocb); + } + diff --git a/1184-revert-scsi-lpfc-check-return-status-of-lpfc-reset-flush-io-.patch b/1184-revert-scsi-lpfc-check-return-status-of-lpfc-reset-flush-io-.patch new file mode 100644 index 000000000..b25115019 --- /dev/null +++ b/1184-revert-scsi-lpfc-check-return-status-of-lpfc-reset-flush-io-.patch @@ -0,0 +1,42 @@ +Subject: [PATCH] Revert "scsi: lpfc: Check return status of lpfc_reset_flush_io_context during TGT_RESET" +# reverse of cs10 df9467ebb13f73db4517d73b5445c0ea4233ab36 + +diff --git a/drivers/scsi/lpfc/lpfc_scsi.c b/drivers/scsi/lpfc/lpfc_scsi.c +index be709f12c6a1..a9c8c6c021b9 100644 +--- a/drivers/scsi/lpfc/lpfc_scsi.c ++++ b/drivers/scsi/lpfc/lpfc_scsi.c +@@ -5936,7 +5936,7 @@ lpfc_chk_tgt_mapped(struct lpfc_vport *vport, struct fc_rport *rport) + /** + * lpfc_reset_flush_io_context - + * @vport: The virtual port (scsi_host) for the flush context +- * @tgt_id: If aborting by Target context - specifies the target id ++ * @tgt_id: If aborting by Target contect - specifies the target id + * @lun_id: If aborting by Lun context - specifies the lun id + * @context: specifies the context level to flush at. + * +@@ -6110,14 +6110,8 @@ lpfc_target_reset_handler(struct scsi_cmnd *cmnd) + pnode->nlp_fcp_info &= ~NLP_FCP_2_DEVICE; + spin_unlock_irqrestore(&pnode->lock, flags); + } +- status = lpfc_reset_flush_io_context(vport, tgt_id, lun_id, +- LPFC_CTX_TGT); +- if (status != SUCCESS) { +- lpfc_printf_vlog(vport, KERN_ERR, LOG_FCP, +- "0726 Target Reset flush status x%x\n", +- status); +- return status; +- } ++ lpfc_reset_flush_io_context(vport, tgt_id, lun_id, ++ LPFC_CTX_TGT); + return FAST_IO_FAIL; + } + +@@ -6210,7 +6204,7 @@ lpfc_host_reset_handler(struct scsi_cmnd *cmnd) + int rc, ret = SUCCESS; + + lpfc_printf_vlog(vport, KERN_ERR, LOG_FCP, +- "3172 SCSI layer issued Host Reset\n"); ++ "3172 SCSI layer issued Host Reset Data:\n"); + + lpfc_offline_prep(phba, LPFC_MBX_WAIT); + lpfc_offline(phba); diff --git a/1185-revert-scsi-lpfc-decrement-ndlp-kref-after-fdisc-retries-exh.patch b/1185-revert-scsi-lpfc-decrement-ndlp-kref-after-fdisc-retries-exh.patch new file mode 100644 index 000000000..40f51c3cd --- /dev/null +++ b/1185-revert-scsi-lpfc-decrement-ndlp-kref-after-fdisc-retries-exh.patch @@ -0,0 +1,19 @@ +Subject: [PATCH] Revert "scsi: lpfc: Decrement ndlp kref after FDISC retries exhausted" +# reverse of cs10 14172e24e848ad269867eae4464dd5704c041c92 + +diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c +index 941027b329a2..17390e5075cb 100644 +--- a/drivers/scsi/lpfc/lpfc_els.c ++++ b/drivers/scsi/lpfc/lpfc_els.c +@@ -11259,11 +11259,6 @@ lpfc_cmpl_els_fdisc(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb, + lpfc_vlog_msg(vport, KERN_WARNING, LOG_ELS, + "0126 FDISC cmpl status: x%x/x%x)\n", + ulp_status, ulp_word4); +- +- /* drop initial reference */ +- if (!test_and_set_bit(NLP_DROPPED, &ndlp->nlp_flag)) +- lpfc_nlp_put(ndlp); +- + goto fdisc_failed; + } + diff --git a/1186-revert-scsi-lpfc-remove-ndlp-kref-decrement-clause-for-f-por.patch b/1186-revert-scsi-lpfc-remove-ndlp-kref-decrement-clause-for-f-por.patch new file mode 100644 index 000000000..a41fdc582 --- /dev/null +++ b/1186-revert-scsi-lpfc-remove-ndlp-kref-decrement-clause-for-f-por.patch @@ -0,0 +1,38 @@ +Subject: [PATCH] Revert "scsi: lpfc: Remove ndlp kref decrement clause for F_Port_Ctrl in lpfc_cleanup" +# reverse of cs10 1073b98315bf10385a9bfdb2859415d38f641dc2 + +diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c +index 17390e5075cb..71e76e681621 100644 +--- a/drivers/scsi/lpfc/lpfc_els.c ++++ b/drivers/scsi/lpfc/lpfc_els.c +@@ -12007,11 +12007,7 @@ lpfc_sli4_els_xri_aborted(struct lpfc_hba *phba, + sglq_entry->state = SGL_FREED; + spin_unlock_irqrestore(&phba->sli4_hba.sgl_list_lock, + iflag); +- lpfc_printf_log(phba, KERN_INFO, LOG_ELS | LOG_SLI | +- LOG_DISCOVERY | LOG_NODE, +- "0732 ELS XRI ABORT on Node: ndlp=x%px " +- "xri=x%x\n", +- ndlp, xri); ++ + if (ndlp) { + lpfc_set_rrq_active(phba, ndlp, + sglq_entry->sli4_lxritag, +diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c +index fd4317b9484c..0555b85ba9e7 100644 +--- a/drivers/scsi/lpfc/lpfc_init.c ++++ b/drivers/scsi/lpfc/lpfc_init.c +@@ -3057,6 +3057,13 @@ lpfc_cleanup(struct lpfc_vport *vport) + lpfc_vmid_vport_cleanup(vport); + + list_for_each_entry_safe(ndlp, next_ndlp, &vport->fc_nodes, nlp_listp) { ++ if (vport->port_type != LPFC_PHYSICAL_PORT && ++ ndlp->nlp_DID == Fabric_DID) { ++ /* Just free up ndlp with Fabric_DID for vports */ ++ lpfc_nlp_put(ndlp); ++ continue; ++ } ++ + if (ndlp->nlp_DID == Fabric_Cntl_DID && + ndlp->nlp_state == NLP_STE_UNUSED_NODE) { + lpfc_nlp_put(ndlp); diff --git a/1187-revert-scsi-lpfc-clean-up-allocated-queues-when-queue-setup-.patch b/1187-revert-scsi-lpfc-clean-up-allocated-queues-when-queue-setup-.patch new file mode 100644 index 000000000..f786438f8 --- /dev/null +++ b/1187-revert-scsi-lpfc-clean-up-allocated-queues-when-queue-setup-.patch @@ -0,0 +1,24 @@ +Subject: [PATCH] Revert "scsi: lpfc: Clean up allocated queues when queue setup mbox commands fail" +# reverse of cs10 82a9e6041f61db2763bfbec1e19b17ff5ea1cc8b + +diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c +index 08d16552c4b7..4ab7edf53103 100644 +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -8813,7 +8813,7 @@ lpfc_sli4_hba_setup(struct lpfc_hba *phba) + if (unlikely(rc)) { + lpfc_printf_log(phba, KERN_ERR, LOG_TRACE_EVENT, + "0381 Error %d during queue setup.\n", rc); +- goto out_destroy_queue; ++ goto out_stop_timers; + } + /* Initialize the driver internal SLI layer lists. */ + lpfc_sli4_setup(phba); +@@ -9096,6 +9096,7 @@ lpfc_sli4_hba_setup(struct lpfc_hba *phba) + lpfc_free_iocb_list(phba); + out_destroy_queue: + lpfc_sli4_queue_destroy(phba); ++out_stop_timers: + lpfc_stop_hba_timers(phba); + out_free_mbox: + mempool_free(mboxq, phba->mbox_mem_pool); diff --git a/1188-revert-scsi-lpfc-abort-outstanding-els-wqes-regardless-of-if.patch b/1188-revert-scsi-lpfc-abort-outstanding-els-wqes-regardless-of-if.patch new file mode 100644 index 000000000..09e2a778b --- /dev/null +++ b/1188-revert-scsi-lpfc-abort-outstanding-els-wqes-regardless-of-if.patch @@ -0,0 +1,31 @@ +Subject: [PATCH] Revert "scsi: lpfc: Abort outstanding ELS WQEs regardless of if rmmod is in progress" +# reverse of cs10 9009d1c6b30ca0c790618ddfa962012b89a46f01 + +diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c +index 4ab7edf53103..e1fdce8d6bfd 100644 +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -12436,11 +12436,19 @@ lpfc_sli_issue_abort_iotag(struct lpfc_hba *phba, struct lpfc_sli_ring *pring, + } + + /* +- * Always abort the outstanding WQE and set the IA bit correctly +- * for the context. This is necessary for correctly removing +- * outstanding ndlp reference counts when the CQE completes with +- * the XB bit set. ++ * If we're unloading, don't abort iocb on the ELS ring, but change ++ * the callback so that nothing happens when it finishes. + */ ++ if (test_bit(FC_UNLOADING, &vport->load_flag) && ++ pring->ringno == LPFC_ELS_RING) { ++ if (cmdiocb->cmd_flag & LPFC_IO_FABRIC) ++ cmdiocb->fabric_cmd_cmpl = lpfc_ignore_els_cmpl; ++ else ++ cmdiocb->cmd_cmpl = lpfc_ignore_els_cmpl; ++ return retval; ++ } ++ ++ /* issue ABTS for this IOCB based on iotag */ + abtsiocbp = __lpfc_sli_get_iocbq(phba); + if (abtsiocbp == NULL) + return IOCB_NORESOURCE; diff --git a/1189-revert-scsi-lpfc-remove-unused-member-variables-in-struct-lp.patch b/1189-revert-scsi-lpfc-remove-unused-member-variables-in-struct-lp.patch new file mode 100644 index 000000000..c3e9c507b --- /dev/null +++ b/1189-revert-scsi-lpfc-remove-unused-member-variables-in-struct-lp.patch @@ -0,0 +1,58 @@ +Subject: [PATCH] Revert "scsi: lpfc: Remove unused member variables in struct lpfc_hba and lpfc_vport" +# reverse of cs10 65bf58f972704e641faa9302b8ba54512707b9f0 + +diff --git a/drivers/scsi/lpfc/lpfc.h b/drivers/scsi/lpfc/lpfc.h +index 9389e3def94e..e5a9c5a323f8 100644 +--- a/drivers/scsi/lpfc/lpfc.h ++++ b/drivers/scsi/lpfc/lpfc.h +@@ -662,12 +662,15 @@ struct lpfc_vport { + uint32_t num_disc_nodes; /* in addition to hba_state */ + uint32_t gidft_inp; /* cnt of outstanding GID_FTs */ + ++ uint32_t fc_nlp_cnt; /* outstanding NODELIST requests */ + uint32_t fc_rscn_id_cnt; /* count of RSCNs payloads in list */ + uint32_t fc_rscn_flush; /* flag use of fc_rscn_id_list */ + struct lpfc_dmabuf *fc_rscn_id_list[FC_MAX_HOLD_RSCN]; + struct lpfc_name fc_nodename; /* fc nodename */ + struct lpfc_name fc_portname; /* fc portname */ + ++ struct lpfc_work_evt disc_timeout_evt; ++ + struct timer_list fc_disctmo; /* Discovery rescue timer */ + uint8_t fc_ns_retry; /* retries for fabric nameserver */ + uint32_t fc_prli_sent; /* cntr for outstanding PRLIs */ +@@ -765,6 +768,7 @@ struct lpfc_vport { + /* There is a single nvme instance per vport. */ + struct nvme_fc_local_port *localport; + uint8_t nvmei_support; /* driver supports NVME Initiator */ ++ uint32_t last_fcp_wqidx; + uint32_t rcv_flogi_cnt; /* How many unsol FLOGIs ACK'd. */ + }; + +@@ -1057,6 +1061,8 @@ struct lpfc_hba { + + struct lpfc_dmabuf hbqslimp; + ++ uint16_t pci_cfg_value; ++ + uint8_t fc_linkspeed; /* Link speed after last READ_LA */ + + uint32_t fc_eventTag; /* event tag for link attention */ +@@ -1083,6 +1089,7 @@ struct lpfc_hba { + + struct lpfc_stats fc_stat; + ++ struct lpfc_nodelist fc_fcpnodev; /* nodelist entry for no device */ + uint32_t nport_event_cnt; /* timestamp for nlplist entry */ + + uint8_t wwnn[8]; +@@ -1223,6 +1230,9 @@ struct lpfc_hba { + uint32_t hbq_count; /* Count of configured HBQs */ + struct hbq_s hbqs[LPFC_MAX_HBQS]; /* local copy of hbq indicies */ + ++ atomic_t fcp_qidx; /* next FCP WQ (RR Policy) */ ++ atomic_t nvme_qidx; /* next NVME WQ (RR Policy) */ ++ + phys_addr_t pci_bar0_map; /* Physical address for PCI BAR0 */ + phys_addr_t pci_bar1_map; /* Physical address for PCI BAR1 */ + phys_addr_t pci_bar2_map; /* Physical address for PCI BAR2 */ diff --git a/1190-revert-scsi-lpfc-use-int-type-to-store-negative-error-codes.patch b/1190-revert-scsi-lpfc-use-int-type-to-store-negative-error-codes.patch new file mode 100644 index 000000000..2b1a65fe1 --- /dev/null +++ b/1190-revert-scsi-lpfc-use-int-type-to-store-negative-error-codes.patch @@ -0,0 +1,16 @@ +Subject: [PATCH] Revert "scsi: lpfc: Use int type to store negative error codes" +# reverse of cs10 1aeb9b98c42dfb8a653f27359979d2e769a0e492 + +diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c +index e1fdce8d6bfd..585c80944832 100644 +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -21372,7 +21372,7 @@ lpfc_sli4_issue_wqe(struct lpfc_hba *phba, struct lpfc_sli4_hdw_queue *qp, + struct lpfc_sglq *sglq; + struct lpfc_sli_ring *pring; + unsigned long iflags; +- int ret = 0; ++ uint32_t ret = 0; + + /* NVME_LS and NVME_LS ABTS requests. */ + if (pwqe->cmd_flag & LPFC_IO_NVME_LS) { diff --git a/1191-revert-scsi-lpfc-use-min-to-improve-code.patch b/1191-revert-scsi-lpfc-use-min-to-improve-code.patch new file mode 100644 index 000000000..720b2faf8 --- /dev/null +++ b/1191-revert-scsi-lpfc-use-min-to-improve-code.patch @@ -0,0 +1,38 @@ +Subject: [PATCH] Revert "scsi: lpfc: use min() to improve code" +# reverse of cs10 e891063a53bdd334d714e6769e385508722ceef6 + +diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c +index 0555b85ba9e7..29503ceb8e7a 100644 +--- a/drivers/scsi/lpfc/lpfc_init.c ++++ b/drivers/scsi/lpfc/lpfc_init.c +@@ -8300,7 +8300,10 @@ lpfc_sli4_driver_resource_setup(struct lpfc_hba *phba) + phba->cfg_total_seg_cnt, phba->cfg_scsi_seg_cnt, + phba->cfg_nvme_seg_cnt); + +- i = min(phba->cfg_sg_dma_buf_size, SLI4_PAGE_SIZE); ++ if (phba->cfg_sg_dma_buf_size < SLI4_PAGE_SIZE) ++ i = phba->cfg_sg_dma_buf_size; ++ else ++ i = SLI4_PAGE_SIZE; + + phba->lpfc_sg_dma_buf_pool = + dma_pool_create("lpfc_sg_dma_buf_pool", +diff --git a/drivers/scsi/lpfc/lpfc_nvme.c b/drivers/scsi/lpfc/lpfc_nvme.c +index 2dd148fd3ea1..1d7488b9e7b9 100644 +--- a/drivers/scsi/lpfc/lpfc_nvme.c ++++ b/drivers/scsi/lpfc/lpfc_nvme.c +@@ -1234,8 +1234,12 @@ lpfc_nvme_prep_io_cmd(struct lpfc_vport *vport, + if ((phba->cfg_nvme_enable_fb) && + test_bit(NLP_FIRSTBURST, &pnode->nlp_flag)) { + req_len = lpfc_ncmd->nvmeCmd->payload_length; +- wqe->fcp_iwrite.initial_xfer_len = min(req_len, +- pnode->nvme_fb_size); ++ if (req_len < pnode->nvme_fb_size) ++ wqe->fcp_iwrite.initial_xfer_len = ++ req_len; ++ else ++ wqe->fcp_iwrite.initial_xfer_len = ++ pnode->nvme_fb_size; + } else { + wqe->fcp_iwrite.initial_xfer_len = 0; + } diff --git a/1192-revert-scsi-lpfc-fix-wrong-function-reference-in-a-comment.patch b/1192-revert-scsi-lpfc-fix-wrong-function-reference-in-a-comment.patch new file mode 100644 index 000000000..382f56188 --- /dev/null +++ b/1192-revert-scsi-lpfc-fix-wrong-function-reference-in-a-comment.patch @@ -0,0 +1,16 @@ +Subject: [PATCH] Revert "scsi: lpfc: Fix wrong function reference in a comment" +# reverse of cs10 7feab3ea585404dd34641c698930e7fc6bb8043a + +diff --git a/drivers/scsi/lpfc/lpfc_vport.c b/drivers/scsi/lpfc/lpfc_vport.c +index 8653839ee728..3d70cc517573 100644 +--- a/drivers/scsi/lpfc/lpfc_vport.c ++++ b/drivers/scsi/lpfc/lpfc_vport.c +@@ -666,7 +666,7 @@ lpfc_vport_delete(struct fc_vport *fc_vport) + * Take early refcount for outstanding I/O requests we schedule during + * delete processing for unreg_vpi. Always keep this before + * scsi_remove_host() as we can no longer obtain a reference through +- * scsi_host_get() after scsi_remove_host as shost is set to SHOST_DEL. ++ * scsi_host_get() after scsi_host_remove as shost is set to SHOST_DEL. + */ + if (!scsi_host_get(shost)) + return VPORT_INVAL; diff --git a/1193-revert-lpfc-don-t-use-file-f-path-dentry-for-comparisons.patch b/1193-revert-lpfc-don-t-use-file-f-path-dentry-for-comparisons.patch new file mode 100644 index 000000000..0c302d2f9 --- /dev/null +++ b/1193-revert-lpfc-don-t-use-file-f-path-dentry-for-comparisons.patch @@ -0,0 +1,203 @@ +Subject: [PATCH] Revert "lpfc: don't use file->f_path.dentry for comparisons" +# reverse of cs10 ba0a8d52eb98a4f44818f9abf664eeeeb8558255 + +diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c +index 2db8d9529b8f..2c7d876c64c7 100644 +--- a/drivers/scsi/lpfc/lpfc_debugfs.c ++++ b/drivers/scsi/lpfc/lpfc_debugfs.c +@@ -2375,32 +2375,32 @@ static ssize_t + lpfc_debugfs_dif_err_read(struct file *file, char __user *buf, + size_t nbytes, loff_t *ppos) + { ++ struct dentry *dent = file->f_path.dentry; + struct lpfc_hba *phba = file->private_data; +- int kind = debugfs_get_aux_num(file); + char cbuf[32]; + uint64_t tmp = 0; + int cnt = 0; + +- if (kind == writeGuard) ++ if (dent == phba->debug_writeGuard) + cnt = scnprintf(cbuf, 32, "%u\n", phba->lpfc_injerr_wgrd_cnt); +- else if (kind == writeApp) ++ else if (dent == phba->debug_writeApp) + cnt = scnprintf(cbuf, 32, "%u\n", phba->lpfc_injerr_wapp_cnt); +- else if (kind == writeRef) ++ else if (dent == phba->debug_writeRef) + cnt = scnprintf(cbuf, 32, "%u\n", phba->lpfc_injerr_wref_cnt); +- else if (kind == readGuard) ++ else if (dent == phba->debug_readGuard) + cnt = scnprintf(cbuf, 32, "%u\n", phba->lpfc_injerr_rgrd_cnt); +- else if (kind == readApp) ++ else if (dent == phba->debug_readApp) + cnt = scnprintf(cbuf, 32, "%u\n", phba->lpfc_injerr_rapp_cnt); +- else if (kind == readRef) ++ else if (dent == phba->debug_readRef) + cnt = scnprintf(cbuf, 32, "%u\n", phba->lpfc_injerr_rref_cnt); +- else if (kind == InjErrNPortID) ++ else if (dent == phba->debug_InjErrNPortID) + cnt = scnprintf(cbuf, 32, "0x%06x\n", + phba->lpfc_injerr_nportid); +- else if (kind == InjErrWWPN) { ++ else if (dent == phba->debug_InjErrWWPN) { + memcpy(&tmp, &phba->lpfc_injerr_wwpn, sizeof(struct lpfc_name)); + tmp = cpu_to_be64(tmp); + cnt = scnprintf(cbuf, 32, "0x%016llx\n", tmp); +- } else if (kind == InjErrLBA) { ++ } else if (dent == phba->debug_InjErrLBA) { + if (phba->lpfc_injerr_lba == (sector_t)(-1)) + cnt = scnprintf(cbuf, 32, "off\n"); + else +@@ -2417,8 +2417,8 @@ static ssize_t + lpfc_debugfs_dif_err_write(struct file *file, const char __user *buf, + size_t nbytes, loff_t *ppos) + { ++ struct dentry *dent = file->f_path.dentry; + struct lpfc_hba *phba = file->private_data; +- int kind = debugfs_get_aux_num(file); + char dstbuf[33]; + uint64_t tmp = 0; + int size; +@@ -2428,7 +2428,7 @@ lpfc_debugfs_dif_err_write(struct file *file, const char __user *buf, + if (copy_from_user(dstbuf, buf, size)) + return -EFAULT; + +- if (kind == InjErrLBA) { ++ if (dent == phba->debug_InjErrLBA) { + if ((dstbuf[0] == 'o') && (dstbuf[1] == 'f') && + (dstbuf[2] == 'f')) + tmp = (uint64_t)(-1); +@@ -2437,23 +2437,23 @@ lpfc_debugfs_dif_err_write(struct file *file, const char __user *buf, + if ((tmp == 0) && (kstrtoull(dstbuf, 0, &tmp))) + return -EINVAL; + +- if (kind == writeGuard) ++ if (dent == phba->debug_writeGuard) + phba->lpfc_injerr_wgrd_cnt = (uint32_t)tmp; +- else if (kind == writeApp) ++ else if (dent == phba->debug_writeApp) + phba->lpfc_injerr_wapp_cnt = (uint32_t)tmp; +- else if (kind == writeRef) ++ else if (dent == phba->debug_writeRef) + phba->lpfc_injerr_wref_cnt = (uint32_t)tmp; +- else if (kind == readGuard) ++ else if (dent == phba->debug_readGuard) + phba->lpfc_injerr_rgrd_cnt = (uint32_t)tmp; +- else if (kind == readApp) ++ else if (dent == phba->debug_readApp) + phba->lpfc_injerr_rapp_cnt = (uint32_t)tmp; +- else if (kind == readRef) ++ else if (dent == phba->debug_readRef) + phba->lpfc_injerr_rref_cnt = (uint32_t)tmp; +- else if (kind == InjErrLBA) ++ else if (dent == phba->debug_InjErrLBA) + phba->lpfc_injerr_lba = (sector_t)tmp; +- else if (kind == InjErrNPortID) ++ else if (dent == phba->debug_InjErrNPortID) + phba->lpfc_injerr_nportid = (uint32_t)(tmp & Mask_DID); +- else if (kind == InjErrWWPN) { ++ else if (dent == phba->debug_InjErrWWPN) { + tmp = cpu_to_be64(tmp); + memcpy(&phba->lpfc_injerr_wwpn, &tmp, sizeof(struct lpfc_name)); + } else +@@ -6160,51 +6160,60 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport) + phba->debug_dumpHostSlim = NULL; + + /* Setup DIF Error Injections */ ++ snprintf(name, sizeof(name), "InjErrLBA"); + phba->debug_InjErrLBA = +- debugfs_create_file_aux_num("InjErrLBA", 0644, ++ debugfs_create_file(name, S_IFREG|S_IRUGO|S_IWUSR, + phba->hba_debugfs_root, +- phba, InjErrLBA, &lpfc_debugfs_op_dif_err); ++ phba, &lpfc_debugfs_op_dif_err); + phba->lpfc_injerr_lba = LPFC_INJERR_LBA_OFF; + ++ snprintf(name, sizeof(name), "InjErrNPortID"); + phba->debug_InjErrNPortID = +- debugfs_create_file_aux_num("InjErrNPortID", 0644, ++ debugfs_create_file(name, S_IFREG|S_IRUGO|S_IWUSR, + phba->hba_debugfs_root, +- phba, InjErrNPortID, &lpfc_debugfs_op_dif_err); ++ phba, &lpfc_debugfs_op_dif_err); + ++ snprintf(name, sizeof(name), "InjErrWWPN"); + phba->debug_InjErrWWPN = +- debugfs_create_file_aux_num("InjErrWWPN", 0644, ++ debugfs_create_file(name, S_IFREG|S_IRUGO|S_IWUSR, + phba->hba_debugfs_root, +- phba, InjErrWWPN, &lpfc_debugfs_op_dif_err); ++ phba, &lpfc_debugfs_op_dif_err); + ++ snprintf(name, sizeof(name), "writeGuardInjErr"); + phba->debug_writeGuard = +- debugfs_create_file_aux_num("writeGuardInjErr", 0644, ++ debugfs_create_file(name, S_IFREG|S_IRUGO|S_IWUSR, + phba->hba_debugfs_root, +- phba, writeGuard, &lpfc_debugfs_op_dif_err); ++ phba, &lpfc_debugfs_op_dif_err); + ++ snprintf(name, sizeof(name), "writeAppInjErr"); + phba->debug_writeApp = +- debugfs_create_file_aux_num("writeAppInjErr", 0644, ++ debugfs_create_file(name, S_IFREG|S_IRUGO|S_IWUSR, + phba->hba_debugfs_root, +- phba, writeApp, &lpfc_debugfs_op_dif_err); ++ phba, &lpfc_debugfs_op_dif_err); + ++ snprintf(name, sizeof(name), "writeRefInjErr"); + phba->debug_writeRef = +- debugfs_create_file_aux_num("writeRefInjErr", 0644, ++ debugfs_create_file(name, S_IFREG|S_IRUGO|S_IWUSR, + phba->hba_debugfs_root, +- phba, writeRef, &lpfc_debugfs_op_dif_err); ++ phba, &lpfc_debugfs_op_dif_err); + ++ snprintf(name, sizeof(name), "readGuardInjErr"); + phba->debug_readGuard = +- debugfs_create_file_aux_num("readGuardInjErr", 0644, ++ debugfs_create_file(name, S_IFREG|S_IRUGO|S_IWUSR, + phba->hba_debugfs_root, +- phba, readGuard, &lpfc_debugfs_op_dif_err); ++ phba, &lpfc_debugfs_op_dif_err); + ++ snprintf(name, sizeof(name), "readAppInjErr"); + phba->debug_readApp = +- debugfs_create_file_aux_num("readAppInjErr", 0644, ++ debugfs_create_file(name, S_IFREG|S_IRUGO|S_IWUSR, + phba->hba_debugfs_root, +- phba, readApp, &lpfc_debugfs_op_dif_err); ++ phba, &lpfc_debugfs_op_dif_err); + ++ snprintf(name, sizeof(name), "readRefInjErr"); + phba->debug_readRef = +- debugfs_create_file_aux_num("readRefInjErr", 0644, ++ debugfs_create_file(name, S_IFREG|S_IRUGO|S_IWUSR, + phba->hba_debugfs_root, +- phba, readRef, &lpfc_debugfs_op_dif_err); ++ phba, &lpfc_debugfs_op_dif_err); + + /* Setup slow ring trace */ + if (lpfc_debugfs_max_slow_ring_trc) { +diff --git a/drivers/scsi/lpfc/lpfc_debugfs.h b/drivers/scsi/lpfc/lpfc_debugfs.h +index f319f3af0400..8d2e8d05bbc0 100644 +--- a/drivers/scsi/lpfc/lpfc_debugfs.h ++++ b/drivers/scsi/lpfc/lpfc_debugfs.h +@@ -322,17 +322,6 @@ enum { + * discovery */ + #endif /* H_LPFC_DEBUG_FS */ + +-enum { +- writeGuard = 1, +- writeApp, +- writeRef, +- readGuard, +- readApp, +- readRef, +- InjErrLBA, +- InjErrNPortID, +- InjErrWWPN, +-}; + + /* + * Driver debug utility routines outside of debugfs. The debug utility diff --git a/1194-revert-scsi-lpfc-copyright-updates-for-14-4-0-10-patches.patch b/1194-revert-scsi-lpfc-copyright-updates-for-14-4-0-10-patches.patch new file mode 100644 index 000000000..bdb9a7b33 --- /dev/null +++ b/1194-revert-scsi-lpfc-copyright-updates-for-14-4-0-10-patches.patch @@ -0,0 +1,68 @@ +Subject: [PATCH] Revert "scsi: lpfc: Copyright updates for 14.4.0.10 patches" +# reverse of cs10 b681f59c801919396f35f2e33060d37b0732f1d1 + +diff --git a/drivers/scsi/lpfc/lpfc_ct.c b/drivers/scsi/lpfc/lpfc_ct.c +index cc8af576f57c..daba94529b45 100644 +--- a/drivers/scsi/lpfc/lpfc_ct.c ++++ b/drivers/scsi/lpfc/lpfc_ct.c +@@ -1,7 +1,7 @@ + /******************************************************************* + * This file is part of the Emulex Linux Device Driver for * + * Fibre Channel Host Bus Adapters. * +- * Copyright (C) 2017-2025 Broadcom. All Rights Reserved. The term * ++ * Copyright (C) 2017-2024 Broadcom. All Rights Reserved. The term * + * “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. * + * Copyright (C) 2004-2016 Emulex. All rights reserved. * + * EMULEX and SLI are trademarks of Emulex. * +diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c +index 2c7d876c64c7..061a5e4e525d 100644 +--- a/drivers/scsi/lpfc/lpfc_debugfs.c ++++ b/drivers/scsi/lpfc/lpfc_debugfs.c +@@ -1,7 +1,7 @@ + /******************************************************************* + * This file is part of the Emulex Linux Device Driver for * + * Fibre Channel Host Bus Adapters. * +- * Copyright (C) 2017-2025 Broadcom. All Rights Reserved. The term * ++ * Copyright (C) 2017-2024 Broadcom. All Rights Reserved. The term * + * “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. * + * Copyright (C) 2007-2015 Emulex. All rights reserved. * + * EMULEX and SLI are trademarks of Emulex. * +diff --git a/drivers/scsi/lpfc/lpfc_hw4.h b/drivers/scsi/lpfc/lpfc_hw4.h +index bc709786e6af..dd9f170fbdc8 100644 +--- a/drivers/scsi/lpfc/lpfc_hw4.h ++++ b/drivers/scsi/lpfc/lpfc_hw4.h +@@ -1,7 +1,7 @@ + /******************************************************************* + * This file is part of the Emulex Linux Device Driver for * + * Fibre Channel Host Bus Adapters. * +- * Copyright (C) 2017-2025 Broadcom. All Rights Reserved. The term * ++ * Copyright (C) 2017-2024 Broadcom. All Rights Reserved. The term * + * “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. * + * Copyright (C) 2009-2016 Emulex. All rights reserved. * + * EMULEX and SLI are trademarks of Emulex. * +diff --git a/drivers/scsi/lpfc/lpfc_scsi.c b/drivers/scsi/lpfc/lpfc_scsi.c +index a9c8c6c021b9..71188060dc08 100644 +--- a/drivers/scsi/lpfc/lpfc_scsi.c ++++ b/drivers/scsi/lpfc/lpfc_scsi.c +@@ -1,7 +1,7 @@ + /******************************************************************* + * This file is part of the Emulex Linux Device Driver for * + * Fibre Channel Host Bus Adapters. * +- * Copyright (C) 2017-2025 Broadcom. All Rights Reserved. The term * ++ * Copyright (C) 2017-2024 Broadcom. All Rights Reserved. The term * + * “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. * + * Copyright (C) 2004-2016 Emulex. All rights reserved. * + * EMULEX and SLI are trademarks of Emulex. * +diff --git a/drivers/scsi/lpfc/lpfc_sli4.h b/drivers/scsi/lpfc/lpfc_sli4.h +index fd6dab157887..e42b44fcc7f6 100644 +--- a/drivers/scsi/lpfc/lpfc_sli4.h ++++ b/drivers/scsi/lpfc/lpfc_sli4.h +@@ -1,7 +1,7 @@ + /******************************************************************* + * This file is part of the Emulex Linux Device Driver for * + * Fibre Channel Host Bus Adapters. * +- * Copyright (C) 2017-2025 Broadcom. All Rights Reserved. The term * ++ * Copyright (C) 2017-2024 Broadcom. All Rights Reserved. The term * + * “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. * + * Copyright (C) 2009-2016 Emulex. All rights reserved. * + * EMULEX and SLI are trademarks of Emulex. * diff --git a/1195-revert-scsi-lpfc-update-lpfc-version-to-14-4-0-10.patch b/1195-revert-scsi-lpfc-update-lpfc-version-to-14-4-0-10.patch new file mode 100644 index 000000000..8d87c29db --- /dev/null +++ b/1195-revert-scsi-lpfc-update-lpfc-version-to-14-4-0-10.patch @@ -0,0 +1,16 @@ +Subject: [PATCH] Revert "scsi: lpfc: Update lpfc version to 14.4.0.10" +# reverse of cs10 25abc74ff90b76294454ae9d19b06b1cbc489a4b + +diff --git a/drivers/scsi/lpfc/lpfc_version.h b/drivers/scsi/lpfc/lpfc_version.h +index 9ee3a3a4ec4d..749688aa8a82 100644 +--- a/drivers/scsi/lpfc/lpfc_version.h ++++ b/drivers/scsi/lpfc/lpfc_version.h +@@ -20,7 +20,7 @@ + * included with this package. * + *******************************************************************/ + +-#define LPFC_DRIVER_VERSION "14.4.0.10" ++#define LPFC_DRIVER_VERSION "14.4.0.9" + #define LPFC_DRIVER_NAME "lpfc" + + /* Used for SLI 2/3 */ diff --git a/1196-revert-scsi-lpfc-modify-end-of-life-adapters-model-descripti.patch b/1196-revert-scsi-lpfc-modify-end-of-life-adapters-model-descripti.patch new file mode 100644 index 000000000..53b6b5574 --- /dev/null +++ b/1196-revert-scsi-lpfc-modify-end-of-life-adapters-model-descripti.patch @@ -0,0 +1,138 @@ +Subject: [PATCH] Revert "scsi: lpfc: Modify end-of-life adapters' model descriptions" +# reverse of cs10 5e442a469bde8240d35a7242dd888dc9dab5b9a7 + +diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c +index 29503ceb8e7a..0876fcf07b5a 100644 +--- a/drivers/scsi/lpfc/lpfc_init.c ++++ b/drivers/scsi/lpfc/lpfc_init.c +@@ -2627,33 +2627,27 @@ lpfc_get_hba_model_desc(struct lpfc_hba *phba, uint8_t *mdp, uint8_t *descp) + "Obsolete, Unsupported Fibre Channel Adapter"}; + break; + case PCI_DEVICE_ID_BMID: +- m = (typeof(m)){"LP1150", "PCI-X2", +- "Obsolete, Unsupported Fibre Channel Adapter"}; ++ m = (typeof(m)){"LP1150", "PCI-X2", "Fibre Channel Adapter"}; + break; + case PCI_DEVICE_ID_BSMB: + m = (typeof(m)){"LP111", "PCI-X2", + "Obsolete, Unsupported Fibre Channel Adapter"}; + break; + case PCI_DEVICE_ID_ZEPHYR: +- m = (typeof(m)){"LPe11000", "PCIe", +- "Obsolete, Unsupported Fibre Channel Adapter"}; ++ m = (typeof(m)){"LPe11000", "PCIe", "Fibre Channel Adapter"}; + break; + case PCI_DEVICE_ID_ZEPHYR_SCSP: +- m = (typeof(m)){"LPe11000", "PCIe", +- "Obsolete, Unsupported Fibre Channel Adapter"}; ++ m = (typeof(m)){"LPe11000", "PCIe", "Fibre Channel Adapter"}; + break; + case PCI_DEVICE_ID_ZEPHYR_DCSP: +- m = (typeof(m)){"LP2105", "PCIe", +- "Obsolete, Unsupported FCoE Adapter"}; ++ m = (typeof(m)){"LP2105", "PCIe", "FCoE Adapter"}; + GE = 1; + break; + case PCI_DEVICE_ID_ZMID: +- m = (typeof(m)){"LPe1150", "PCIe", +- "Obsolete, Unsupported Fibre Channel Adapter"}; ++ m = (typeof(m)){"LPe1150", "PCIe", "Fibre Channel Adapter"}; + break; + case PCI_DEVICE_ID_ZSMB: +- m = (typeof(m)){"LPe111", "PCIe", +- "Obsolete, Unsupported Fibre Channel Adapter"}; ++ m = (typeof(m)){"LPe111", "PCIe", "Fibre Channel Adapter"}; + break; + case PCI_DEVICE_ID_LP101: + m = (typeof(m)){"LP101", "PCI-X", +@@ -2672,28 +2666,22 @@ lpfc_get_hba_model_desc(struct lpfc_hba *phba, uint8_t *mdp, uint8_t *descp) + "Obsolete, Unsupported Fibre Channel Adapter"}; + break; + case PCI_DEVICE_ID_SAT: +- m = (typeof(m)){"LPe12000", "PCIe", +- "Obsolete, Unsupported Fibre Channel Adapter"}; ++ m = (typeof(m)){"LPe12000", "PCIe", "Fibre Channel Adapter"}; + break; + case PCI_DEVICE_ID_SAT_MID: +- m = (typeof(m)){"LPe1250", "PCIe", +- "Obsolete, Unsupported Fibre Channel Adapter"}; ++ m = (typeof(m)){"LPe1250", "PCIe", "Fibre Channel Adapter"}; + break; + case PCI_DEVICE_ID_SAT_SMB: +- m = (typeof(m)){"LPe121", "PCIe", +- "Obsolete, Unsupported Fibre Channel Adapter"}; ++ m = (typeof(m)){"LPe121", "PCIe", "Fibre Channel Adapter"}; + break; + case PCI_DEVICE_ID_SAT_DCSP: +- m = (typeof(m)){"LPe12002-SP", "PCIe", +- "Obsolete, Unsupported Fibre Channel Adapter"}; ++ m = (typeof(m)){"LPe12002-SP", "PCIe", "Fibre Channel Adapter"}; + break; + case PCI_DEVICE_ID_SAT_SCSP: +- m = (typeof(m)){"LPe12000-SP", "PCIe", +- "Obsolete, Unsupported Fibre Channel Adapter"}; ++ m = (typeof(m)){"LPe12000-SP", "PCIe", "Fibre Channel Adapter"}; + break; + case PCI_DEVICE_ID_SAT_S: +- m = (typeof(m)){"LPe12000-S", "PCIe", +- "Obsolete, Unsupported Fibre Channel Adapter"}; ++ m = (typeof(m)){"LPe12000-S", "PCIe", "Fibre Channel Adapter"}; + break; + case PCI_DEVICE_ID_PROTEUS_VF: + m = (typeof(m)){"LPev12000", "PCIe IOV", +@@ -2709,25 +2697,22 @@ lpfc_get_hba_model_desc(struct lpfc_hba *phba, uint8_t *mdp, uint8_t *descp) + break; + case PCI_DEVICE_ID_TIGERSHARK: + oneConnect = 1; +- m = (typeof(m)){"OCe10100", "PCIe", +- "Obsolete, Unsupported FCoE Adapter"}; ++ m = (typeof(m)){"OCe10100", "PCIe", "FCoE"}; + break; + case PCI_DEVICE_ID_TOMCAT: + oneConnect = 1; +- m = (typeof(m)){"OCe11100", "PCIe", +- "Obsolete, Unsupported FCoE Adapter"}; ++ m = (typeof(m)){"OCe11100", "PCIe", "FCoE"}; + break; + case PCI_DEVICE_ID_FALCON: + m = (typeof(m)){"LPSe12002-ML1-E", "PCIe", +- "Obsolete, Unsupported Fibre Channel Adapter"}; ++ "EmulexSecure Fibre"}; + break; + case PCI_DEVICE_ID_BALIUS: + m = (typeof(m)){"LPVe12002", "PCIe Shared I/O", + "Obsolete, Unsupported Fibre Channel Adapter"}; + break; + case PCI_DEVICE_ID_LANCER_FC: +- m = (typeof(m)){"LPe16000", "PCIe", +- "Obsolete, Unsupported Fibre Channel Adapter"}; ++ m = (typeof(m)){"LPe16000", "PCIe", "Fibre Channel Adapter"}; + break; + case PCI_DEVICE_ID_LANCER_FC_VF: + m = (typeof(m)){"LPe16000", "PCIe", +@@ -2735,13 +2720,12 @@ lpfc_get_hba_model_desc(struct lpfc_hba *phba, uint8_t *mdp, uint8_t *descp) + break; + case PCI_DEVICE_ID_LANCER_FCOE: + oneConnect = 1; +- m = (typeof(m)){"OCe15100", "PCIe", +- "Obsolete, Unsupported FCoE Adapter"}; ++ m = (typeof(m)){"OCe15100", "PCIe", "FCoE"}; + break; + case PCI_DEVICE_ID_LANCER_FCOE_VF: + oneConnect = 1; + m = (typeof(m)){"OCe15100", "PCIe", +- "Obsolete, Unsupported FCoE Adapter"}; ++ "Obsolete, Unsupported FCoE"}; + break; + case PCI_DEVICE_ID_LANCER_G6_FC: + m = (typeof(m)){"LPe32000", "PCIe", "Fibre Channel Adapter"}; +@@ -2755,8 +2739,7 @@ lpfc_get_hba_model_desc(struct lpfc_hba *phba, uint8_t *mdp, uint8_t *descp) + case PCI_DEVICE_ID_SKYHAWK: + case PCI_DEVICE_ID_SKYHAWK_VF: + oneConnect = 1; +- m = (typeof(m)){"OCe14000", "PCIe", +- "Obsolete, Unsupported FCoE Adapter"}; ++ m = (typeof(m)){"OCe14000", "PCIe", "FCoE"}; + break; + default: + m = (typeof(m)){"Unknown", "", ""}; diff --git a/1197-revert-scsi-lpfc-revise-cq-create-set-mailbox-bitfield-defin.patch b/1197-revert-scsi-lpfc-revise-cq-create-set-mailbox-bitfield-defin.patch new file mode 100644 index 000000000..782b4bf3d --- /dev/null +++ b/1197-revert-scsi-lpfc-revise-cq-create-set-mailbox-bitfield-defin.patch @@ -0,0 +1,102 @@ +Subject: [PATCH] Revert "scsi: lpfc: Revise CQ_CREATE_SET mailbox bitfield definitions" +# reverse of cs10 ee3715dad64c5b70516cac33ed1c31e66dfb1ebd + +diff --git a/drivers/scsi/lpfc/lpfc_hw4.h b/drivers/scsi/lpfc/lpfc_hw4.h +index dd9f170fbdc8..2dedb273b091 100644 +--- a/drivers/scsi/lpfc/lpfc_hw4.h ++++ b/drivers/scsi/lpfc/lpfc_hw4.h +@@ -1328,9 +1328,6 @@ struct cq_context { + #define LPFC_CQ_CNT_512 0x1 + #define LPFC_CQ_CNT_1024 0x2 + #define LPFC_CQ_CNT_WORD7 0x3 +-#define lpfc_cq_context_cqe_sz_SHIFT 25 +-#define lpfc_cq_context_cqe_sz_MASK 0x00000003 +-#define lpfc_cq_context_cqe_sz_WORD word0 + #define lpfc_cq_context_autovalid_SHIFT 15 + #define lpfc_cq_context_autovalid_MASK 0x00000001 + #define lpfc_cq_context_autovalid_WORD word0 +@@ -1386,9 +1383,9 @@ struct lpfc_mbx_cq_create_set { + #define lpfc_mbx_cq_create_set_valid_SHIFT 29 + #define lpfc_mbx_cq_create_set_valid_MASK 0x00000001 + #define lpfc_mbx_cq_create_set_valid_WORD word1 +-#define lpfc_mbx_cq_create_set_cqecnt_SHIFT 27 +-#define lpfc_mbx_cq_create_set_cqecnt_MASK 0x00000003 +-#define lpfc_mbx_cq_create_set_cqecnt_WORD word1 ++#define lpfc_mbx_cq_create_set_cqe_cnt_SHIFT 27 ++#define lpfc_mbx_cq_create_set_cqe_cnt_MASK 0x00000003 ++#define lpfc_mbx_cq_create_set_cqe_cnt_WORD word1 + #define lpfc_mbx_cq_create_set_cqe_size_SHIFT 25 + #define lpfc_mbx_cq_create_set_cqe_size_MASK 0x00000003 + #define lpfc_mbx_cq_create_set_cqe_size_WORD word1 +@@ -1401,16 +1398,13 @@ struct lpfc_mbx_cq_create_set { + #define lpfc_mbx_cq_create_set_clswm_SHIFT 12 + #define lpfc_mbx_cq_create_set_clswm_MASK 0x00000003 + #define lpfc_mbx_cq_create_set_clswm_WORD word1 +-#define lpfc_mbx_cq_create_set_cqe_cnt_hi_SHIFT 0 +-#define lpfc_mbx_cq_create_set_cqe_cnt_hi_MASK 0x0000001F +-#define lpfc_mbx_cq_create_set_cqe_cnt_hi_WORD word1 + uint32_t word2; + #define lpfc_mbx_cq_create_set_arm_SHIFT 31 + #define lpfc_mbx_cq_create_set_arm_MASK 0x00000001 + #define lpfc_mbx_cq_create_set_arm_WORD word2 +-#define lpfc_mbx_cq_create_set_cqe_cnt_lo_SHIFT 16 +-#define lpfc_mbx_cq_create_set_cqe_cnt_lo_MASK 0x00007FFF +-#define lpfc_mbx_cq_create_set_cqe_cnt_lo_WORD word2 ++#define lpfc_mbx_cq_create_set_cq_cnt_SHIFT 16 ++#define lpfc_mbx_cq_create_set_cq_cnt_MASK 0x00007FFF ++#define lpfc_mbx_cq_create_set_cq_cnt_WORD word2 + #define lpfc_mbx_cq_create_set_num_cq_SHIFT 0 + #define lpfc_mbx_cq_create_set_num_cq_MASK 0x0000FFFF + #define lpfc_mbx_cq_create_set_num_cq_WORD word2 +diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c +index 585c80944832..a96e6489594c 100644 +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -16476,10 +16476,10 @@ lpfc_cq_create_set(struct lpfc_hba *phba, struct lpfc_queue **cqp, + case 4096: + if (phba->sli4_hba.pc_sli4_params.cqv == + LPFC_Q_CREATE_VERSION_2) { +- bf_set(lpfc_mbx_cq_create_set_cqe_cnt_lo, ++ bf_set(lpfc_mbx_cq_create_set_cqe_cnt, + &cq_set->u.request, +- cq->entry_count); +- bf_set(lpfc_mbx_cq_create_set_cqecnt, ++ cq->entry_count); ++ bf_set(lpfc_mbx_cq_create_set_cqe_cnt, + &cq_set->u.request, + LPFC_CQ_CNT_WORD7); + break; +@@ -16495,15 +16495,15 @@ lpfc_cq_create_set(struct lpfc_hba *phba, struct lpfc_queue **cqp, + } + fallthrough; /* otherwise default to smallest */ + case 256: +- bf_set(lpfc_mbx_cq_create_set_cqecnt, ++ bf_set(lpfc_mbx_cq_create_set_cqe_cnt, + &cq_set->u.request, LPFC_CQ_CNT_256); + break; + case 512: +- bf_set(lpfc_mbx_cq_create_set_cqecnt, ++ bf_set(lpfc_mbx_cq_create_set_cqe_cnt, + &cq_set->u.request, LPFC_CQ_CNT_512); + break; + case 1024: +- bf_set(lpfc_mbx_cq_create_set_cqecnt, ++ bf_set(lpfc_mbx_cq_create_set_cqe_cnt, + &cq_set->u.request, LPFC_CQ_CNT_1024); + break; + } +diff --git a/drivers/scsi/lpfc/lpfc_sli4.h b/drivers/scsi/lpfc/lpfc_sli4.h +index e42b44fcc7f6..9be3da91c923 100644 +--- a/drivers/scsi/lpfc/lpfc_sli4.h ++++ b/drivers/scsi/lpfc/lpfc_sli4.h +@@ -575,10 +575,8 @@ struct lpfc_pc_sli4_params { + + #define LPFC_CQ_4K_PAGE_SZ 0x1 + #define LPFC_CQ_16K_PAGE_SZ 0x4 +-#define LPFC_CQ_32K_PAGE_SZ 0x8 + #define LPFC_WQ_4K_PAGE_SZ 0x1 + #define LPFC_WQ_16K_PAGE_SZ 0x4 +-#define LPFC_WQ_32K_PAGE_SZ 0x8 + + struct lpfc_iov { + uint32_t pf_number; diff --git a/1198-revert-scsi-lpfc-move-clearing-of-hba-setup-flag-to-before-l.patch b/1198-revert-scsi-lpfc-move-clearing-of-hba-setup-flag-to-before-l.patch new file mode 100644 index 000000000..d050825be --- /dev/null +++ b/1198-revert-scsi-lpfc-move-clearing-of-hba-setup-flag-to-before-l.patch @@ -0,0 +1,37 @@ +Subject: [PATCH] Revert "scsi: lpfc: Move clearing of HBA_SETUP flag to before lpfc_sli4_queue_unset" +# reverse of cs10 034b060b9f17847aeb3475fb2c579a6c87d87667 + +diff --git a/drivers/scsi/lpfc/lpfc_scsi.c b/drivers/scsi/lpfc/lpfc_scsi.c +index 71188060dc08..0afc5fe013bc 100644 +--- a/drivers/scsi/lpfc/lpfc_scsi.c ++++ b/drivers/scsi/lpfc/lpfc_scsi.c +@@ -536,8 +536,7 @@ lpfc_sli4_io_xri_aborted(struct lpfc_hba *phba, + psb = container_of(iocbq, struct lpfc_io_buf, cur_iocbq); + psb->flags &= ~LPFC_SBUF_XBUSY; + spin_unlock_irqrestore(&phba->hbalock, iflag); +- if (test_bit(HBA_SETUP, &phba->hba_flag) && +- !list_empty(&pring->txq)) ++ if (!list_empty(&pring->txq)) + lpfc_worker_wake_up(phba); + return; + } +diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c +index a96e6489594c..b9a5d377f336 100644 +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -5160,6 +5160,7 @@ lpfc_sli4_brdreset(struct lpfc_hba *phba) + phba->link_events = 0; + phba->pport->fc_myDID = 0; + phba->pport->fc_prevDID = 0; ++ clear_bit(HBA_SETUP, &phba->hba_flag); + + spin_lock_irq(&phba->hbalock); + psli->sli_flag &= ~(LPFC_PROCESS_LA); +@@ -5276,7 +5277,6 @@ lpfc_sli_brdrestart_s4(struct lpfc_hba *phba) + "0296 Restart HBA Data: x%x x%x\n", + phba->pport->port_state, psli->sli_flag); + +- clear_bit(HBA_SETUP, &phba->hba_flag); + lpfc_sli4_queue_unset(phba); + + rc = lpfc_sli4_brdreset(phba); diff --git a/1199-revert-scsi-lpfc-ensure-hba-setup-flag-is-used-only-for-sli4.patch b/1199-revert-scsi-lpfc-ensure-hba-setup-flag-is-used-only-for-sli4.patch new file mode 100644 index 000000000..97147d0e8 --- /dev/null +++ b/1199-revert-scsi-lpfc-ensure-hba-setup-flag-is-used-only-for-sli4.patch @@ -0,0 +1,17 @@ +Subject: [PATCH] Revert "scsi: lpfc: Ensure HBA_SETUP flag is used only for SLI4 in dev_loss_tmo_callbk" +# reverse of cs10 68ce87a35f24f9dbfee4c60bc0bcdb3f88734db5 + +diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c +index 1510ed28f5a4..d8a0915d1df0 100644 +--- a/drivers/scsi/lpfc/lpfc_hbadisc.c ++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c +@@ -183,8 +183,7 @@ lpfc_dev_loss_tmo_callbk(struct fc_rport *rport) + + /* Don't schedule a worker thread event if the vport is going down. */ + if (test_bit(FC_UNLOADING, &vport->load_flag) || +- (phba->sli_rev == LPFC_SLI_REV4 && +- !test_bit(HBA_SETUP, &phba->hba_flag))) { ++ !test_bit(HBA_SETUP, &phba->hba_flag)) { + + spin_lock_irqsave(&ndlp->lock, iflags); + ndlp->rport = NULL; diff --git a/1200-revert-scsi-lpfc-relocate-clearing-initial-phba-flags-from-l.patch b/1200-revert-scsi-lpfc-relocate-clearing-initial-phba-flags-from-l.patch new file mode 100644 index 000000000..d5ae0f72c --- /dev/null +++ b/1200-revert-scsi-lpfc-relocate-clearing-initial-phba-flags-from-l.patch @@ -0,0 +1,45 @@ +Subject: [PATCH] Revert "scsi: lpfc: Relocate clearing initial phba flags from link up to link down hdlr" +# reverse of cs10 f13e1a401181a22b42c52a1c5ef3271a239606e6 + +diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c +index 71e76e681621..3cbacc923fbd 100644 +--- a/drivers/scsi/lpfc/lpfc_els.c ++++ b/drivers/scsi/lpfc/lpfc_els.c +@@ -8376,9 +8376,9 @@ lpfc_els_rcv_flogi(struct lpfc_vport *vport, struct lpfc_iocbq *cmdiocb, + clear_bit(FC_PUBLIC_LOOP, &vport->fc_flag); + lpfc_printf_vlog(vport, KERN_INFO, LOG_ELS, + "3311 Rcv Flogi PS x%x new PS x%x " +- "fc_flag x%lx new fc_flag x%lx, hba_flag x%lx\n", ++ "fc_flag x%lx new fc_flag x%lx\n", + port_state, vport->port_state, +- fc_flag, vport->fc_flag, phba->hba_flag); ++ fc_flag, vport->fc_flag); + + /* + * We temporarily set fc_myDID to make it look like we are +diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c +index d8a0915d1df0..aff0740a5510 100644 +--- a/drivers/scsi/lpfc/lpfc_hbadisc.c ++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c +@@ -1266,10 +1266,6 @@ lpfc_linkdown(struct lpfc_hba *phba) + } + phba->defer_flogi_acc.flag = false; + +- /* reinitialize initial HBA flag */ +- clear_bit(HBA_FLOGI_ISSUED, &phba->hba_flag); +- clear_bit(HBA_RHBA_CMPL, &phba->hba_flag); +- + /* Clear external loopback plug detected flag */ + phba->link_flag &= ~LS_EXTERNAL_LOOPBACK; + +@@ -1440,6 +1436,10 @@ lpfc_linkup(struct lpfc_hba *phba) + phba->pport->rcv_flogi_cnt = 0; + spin_unlock_irq(shost->host_lock); + ++ /* reinitialize initial HBA flag */ ++ clear_bit(HBA_FLOGI_ISSUED, &phba->hba_flag); ++ clear_bit(HBA_RHBA_CMPL, &phba->hba_flag); ++ + return 0; + } + diff --git a/1201-revert-scsi-lpfc-simplify-error-handling-for-failed-lpfc-get.patch b/1201-revert-scsi-lpfc-simplify-error-handling-for-failed-lpfc-get.patch new file mode 100644 index 000000000..283d3260f --- /dev/null +++ b/1201-revert-scsi-lpfc-simplify-error-handling-for-failed-lpfc-get.patch @@ -0,0 +1,50 @@ +Subject: [PATCH] Revert "scsi: lpfc: Simplify error handling for failed lpfc_get_sli4_parameters cmd" +# reverse of cs10 9cf927d02bc932338017864503fc177d8a0a4f2b + +diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c +index 0876fcf07b5a..5b848288f522 100644 +--- a/drivers/scsi/lpfc/lpfc_init.c ++++ b/drivers/scsi/lpfc/lpfc_init.c +@@ -7918,6 +7918,8 @@ lpfc_sli4_driver_resource_setup(struct lpfc_hba *phba) + int longs; + int extra; + uint64_t wwn; ++ u32 if_type; ++ u32 if_fam; + + phba->sli4_hba.num_present_cpu = lpfc_present_cpu; + phba->sli4_hba.num_possible_cpu = cpumask_last(cpu_possible_mask) + 1; +@@ -8178,11 +8180,28 @@ lpfc_sli4_driver_resource_setup(struct lpfc_hba *phba) + */ + rc = lpfc_get_sli4_parameters(phba, mboxq); + if (rc) { +- lpfc_log_msg(phba, KERN_WARNING, LOG_INIT, +- "2999 Could not get SLI4 parameters\n"); +- rc = -EIO; +- mempool_free(mboxq, phba->mbox_mem_pool); +- goto out_free_bsmbx; ++ if_type = bf_get(lpfc_sli_intf_if_type, ++ &phba->sli4_hba.sli_intf); ++ if_fam = bf_get(lpfc_sli_intf_sli_family, ++ &phba->sli4_hba.sli_intf); ++ if (phba->sli4_hba.extents_in_use && ++ phba->sli4_hba.rpi_hdrs_in_use) { ++ lpfc_printf_log(phba, KERN_ERR, LOG_TRACE_EVENT, ++ "2999 Unsupported SLI4 Parameters " ++ "Extents and RPI headers enabled.\n"); ++ if (if_type == LPFC_SLI_INTF_IF_TYPE_0 && ++ if_fam == LPFC_SLI_INTF_FAMILY_BE2) { ++ mempool_free(mboxq, phba->mbox_mem_pool); ++ rc = -EIO; ++ goto out_free_bsmbx; ++ } ++ } ++ if (!(if_type == LPFC_SLI_INTF_IF_TYPE_0 && ++ if_fam == LPFC_SLI_INTF_FAMILY_BE2)) { ++ mempool_free(mboxq, phba->mbox_mem_pool); ++ rc = -EIO; ++ goto out_free_bsmbx; ++ } + } + + /* diff --git a/1202-revert-scsi-lpfc-early-return-out-of-fdmi-cmpl-for-locally-r.patch b/1202-revert-scsi-lpfc-early-return-out-of-fdmi-cmpl-for-locally-r.patch new file mode 100644 index 000000000..d6da3ed8e --- /dev/null +++ b/1202-revert-scsi-lpfc-early-return-out-of-fdmi-cmpl-for-locally-r.patch @@ -0,0 +1,39 @@ +Subject: [PATCH] Revert "scsi: lpfc: Early return out of FDMI cmpl for locally rejected statuses" +# reverse of cs10 0c985d88af920e163f033fca2fd907a1ea3199fe + +diff --git a/drivers/scsi/lpfc/lpfc_ct.c b/drivers/scsi/lpfc/lpfc_ct.c +index daba94529b45..72ff92ac5321 100644 +--- a/drivers/scsi/lpfc/lpfc_ct.c ++++ b/drivers/scsi/lpfc/lpfc_ct.c +@@ -2229,6 +2229,21 @@ lpfc_cmpl_ct_disc_fdmi(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb, + /* Look for a retryable error */ + if (ulp_status == IOSTAT_LOCAL_REJECT) { + switch ((ulp_word4 & IOERR_PARAM_MASK)) { ++ case IOERR_SLI_ABORTED: ++ case IOERR_SLI_DOWN: ++ /* Driver aborted this IO. No retry as error ++ * is likely Offline->Online or some adapter ++ * error. Recovery will try again, but if port ++ * is not active there's no point to continue ++ * issuing follow up FDMI commands. ++ */ ++ if (!(phba->sli.sli_flag & LPFC_SLI_ACTIVE)) { ++ free_ndlp = cmdiocb->ndlp; ++ lpfc_ct_free_iocb(phba, cmdiocb); ++ lpfc_nlp_put(free_ndlp); ++ return; ++ } ++ break; + case IOERR_ABORT_IN_PROGRESS: + case IOERR_SEQUENCE_TIMEOUT: + case IOERR_ILLEGAL_FRAME: +@@ -2254,9 +2269,6 @@ lpfc_cmpl_ct_disc_fdmi(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb, + lpfc_ct_free_iocb(phba, cmdiocb); + lpfc_nlp_put(free_ndlp); + +- if (ulp_status != IOSTAT_SUCCESS) +- return; +- + ndlp = lpfc_findnode_did(vport, FDMI_DID); + if (!ndlp) + return; diff --git a/1203-revert-scsi-lpfc-skip-rscn-processing-when-fc-unloading-flag.patch b/1203-revert-scsi-lpfc-skip-rscn-processing-when-fc-unloading-flag.patch new file mode 100644 index 000000000..7ec197406 --- /dev/null +++ b/1203-revert-scsi-lpfc-skip-rscn-processing-when-fc-unloading-flag.patch @@ -0,0 +1,21 @@ +Subject: [PATCH] Revert "scsi: lpfc: Skip RSCN processing when FC_UNLOADING flag is set" +# reverse of cs10 78262dda794a4ef21146664546d2cf058132113d + +diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c +index 3cbacc923fbd..9ab2e98cf693 100644 +--- a/drivers/scsi/lpfc/lpfc_els.c ++++ b/drivers/scsi/lpfc/lpfc_els.c +@@ -7860,13 +7860,6 @@ lpfc_rscn_recovery_check(struct lpfc_vport *vport) + + /* Move all affected nodes by pending RSCNs to NPR state. */ + list_for_each_entry_safe(ndlp, n, &vport->fc_nodes, nlp_listp) { +- if (test_bit(FC_UNLOADING, &vport->load_flag)) { +- lpfc_printf_vlog(vport, KERN_INFO, LOG_ELS, +- "1000 %s Unloading set\n", +- __func__); +- return 0; +- } +- + if ((ndlp->nlp_state == NLP_STE_UNUSED_NODE) || + !lpfc_rscn_payload_check(vport, ndlp->nlp_DID)) + continue; diff --git a/1204-revert-scsi-lpfc-check-for-hdwq-null-ptr-when-cleaning-up-lp.patch b/1204-revert-scsi-lpfc-check-for-hdwq-null-ptr-when-cleaning-up-lp.patch new file mode 100644 index 000000000..30bd977a3 --- /dev/null +++ b/1204-revert-scsi-lpfc-check-for-hdwq-null-ptr-when-cleaning-up-lp.patch @@ -0,0 +1,18 @@ +Subject: [PATCH] Revert "scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure" +# reverse of cs10 935d1d90f2dfbfeb3fde78b925df9eea248e7523 + +diff --git a/drivers/scsi/lpfc/lpfc_scsi.c b/drivers/scsi/lpfc/lpfc_scsi.c +index 0afc5fe013bc..055ed632c14d 100644 +--- a/drivers/scsi/lpfc/lpfc_scsi.c ++++ b/drivers/scsi/lpfc/lpfc_scsi.c +@@ -390,10 +390,6 @@ lpfc_sli4_vport_delete_fcp_xri_aborted(struct lpfc_vport *vport) + if (!(vport->cfg_enable_fc4_type & LPFC_ENABLE_FCP)) + return; + +- /* may be called before queues established if hba_setup fails */ +- if (!phba->sli4_hba.hdwq) +- return; +- + spin_lock_irqsave(&phba->hbalock, iflag); + for (idx = 0; idx < phba->cfg_hdw_queue; idx++) { + qp = &phba->sli4_hba.hdwq[idx]; diff --git a/1205-revert-scsi-lpfc-update-debugfs-trace-ring-initialization-me.patch b/1205-revert-scsi-lpfc-update-debugfs-trace-ring-initialization-me.patch new file mode 100644 index 000000000..09785707f --- /dev/null +++ b/1205-revert-scsi-lpfc-update-debugfs-trace-ring-initialization-me.patch @@ -0,0 +1,53 @@ +Subject: [PATCH] Revert "scsi: lpfc: Update debugfs trace ring initialization messages" +# reverse of cs10 0bacc04f93bb5b7334c7197ce716e378e9887081 + +diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c +index 061a5e4e525d..3fd1aa5cc78c 100644 +--- a/drivers/scsi/lpfc/lpfc_debugfs.c ++++ b/drivers/scsi/lpfc/lpfc_debugfs.c +@@ -6227,9 +6227,8 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport) + i++; + } + lpfc_debugfs_max_slow_ring_trc = (1 << i); +- pr_info("lpfc_debugfs_max_slow_ring_trc " +- "changed to %d\n", +- lpfc_debugfs_max_slow_ring_trc); ++ pr_err("lpfc_debugfs_max_disc_trc changed to " ++ "%d\n", lpfc_debugfs_max_disc_trc); + } + } + +@@ -6261,7 +6260,7 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport) + atomic_set(&phba->nvmeio_trc_cnt, 0); + if (lpfc_debugfs_max_nvmeio_trc) { + num = lpfc_debugfs_max_nvmeio_trc - 1; +- if (num & lpfc_debugfs_max_nvmeio_trc) { ++ if (num & lpfc_debugfs_max_disc_trc) { + /* Change to be a power of 2 */ + num = lpfc_debugfs_max_nvmeio_trc; + i = 0; +@@ -6270,9 +6269,10 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport) + i++; + } + lpfc_debugfs_max_nvmeio_trc = (1 << i); +- pr_info("lpfc_debugfs_max_nvmeio_trc changed " +- "to %d\n", +- lpfc_debugfs_max_nvmeio_trc); ++ lpfc_printf_log(phba, KERN_ERR, LOG_INIT, ++ "0575 lpfc_debugfs_max_nvmeio_trc " ++ "changed to %d\n", ++ lpfc_debugfs_max_nvmeio_trc); + } + phba->nvmeio_trc_size = lpfc_debugfs_max_nvmeio_trc; + +@@ -6317,8 +6317,8 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport) + i++; + } + lpfc_debugfs_max_disc_trc = (1 << i); +- pr_info("lpfc_debugfs_max_disc_trc changed to %d\n", +- lpfc_debugfs_max_disc_trc); ++ pr_err("lpfc_debugfs_max_disc_trc changed to %d\n", ++ lpfc_debugfs_max_disc_trc); + } + } + diff --git a/1206-revert-scsi-lpfc-revise-logging-format-for-failed-ct-mib-req.patch b/1206-revert-scsi-lpfc-revise-logging-format-for-failed-ct-mib-req.patch new file mode 100644 index 000000000..7f200561d --- /dev/null +++ b/1206-revert-scsi-lpfc-revise-logging-format-for-failed-ct-mib-req.patch @@ -0,0 +1,29 @@ +Subject: [PATCH] Revert "scsi: lpfc: Revise logging format for failed CT MIB requests" +# reverse of cs10 dc6d2aecdbfe696ca05464d29ad974e73b02d52c + +diff --git a/drivers/scsi/lpfc/lpfc_ct.c b/drivers/scsi/lpfc/lpfc_ct.c +index 72ff92ac5321..12c67cdd7c19 100644 +--- a/drivers/scsi/lpfc/lpfc_ct.c ++++ b/drivers/scsi/lpfc/lpfc_ct.c +@@ -264,9 +264,9 @@ lpfc_ct_reject_event(struct lpfc_nodelist *ndlp, + ct_free_mp: + kfree(mp); + ct_exit: +- lpfc_vlog_msg(vport, KERN_WARNING, LOG_ELS, +- "6440 Unsol CT: Rsp err %d Data: x%lx\n", +- rc, vport->fc_flag); ++ lpfc_printf_vlog(vport, KERN_ERR, LOG_ELS, ++ "6440 Unsol CT: Rsp err %d Data: x%lx\n", ++ rc, vport->fc_flag); + } + + /** +@@ -313,7 +313,7 @@ lpfc_ct_handle_mibreq(struct lpfc_hba *phba, struct lpfc_iocbq *ctiocbq) + + mi_cmd = be16_to_cpu(ct_req->CommandResponse.bits.CmdRsp); + lpfc_vlog_msg(vport, KERN_WARNING, LOG_ELS, +- "6442 MI Cmd: x%x Not Supported\n", mi_cmd); ++ "6442 MI Cmd : x%x Not Supported\n", mi_cmd); + lpfc_ct_reject_event(ndlp, ct_req, + bf_get(wqe_ctxt_tag, + &ctiocbq->wqe.xmit_els_rsp.wqe_com), diff --git a/1207-scsi-lpfc-avoid-crashing-in-lpfc-nlp-get-rhel-only.patch b/1207-scsi-lpfc-avoid-crashing-in-lpfc-nlp-get-rhel-only.patch new file mode 100644 index 000000000..4cc15c9cb --- /dev/null +++ b/1207-scsi-lpfc-avoid-crashing-in-lpfc-nlp-get-rhel-only.patch @@ -0,0 +1,31 @@ +Subject: [PATCH] scsi: lpfc: avoid crashing in lpfc_nlp_get() if lpfc_nodelist was freed +# RHEL-only (no CS10/upstream commit); reconstructed use-after-free guard. + +diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c +index f6fb92f..d8b5896 100644 +--- a/drivers/scsi/lpfc/lpfc_hbadisc.c ++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c +@@ -6595,11 +6595,6 @@ lpfc_nlp_get(struct lpfc_nodelist *ndlp) + unsigned long flags; + + if (ndlp) { +- lpfc_debugfs_disc_trc(ndlp->vport, LPFC_DISC_TRC_NODE, +- "node get: did:x%x flg:x%lx refcnt:x%x", +- ndlp->nlp_DID, ndlp->nlp_flag, +- kref_read(&ndlp->kref)); +- + /* The check of ndlp usage to prevent incrementing the + * ndlp reference count that is in the process of being + * released. +@@ -6607,9 +6602,8 @@ lpfc_nlp_get(struct lpfc_nodelist *ndlp) + spin_lock_irqsave(&ndlp->lock, flags); + if (!kref_get_unless_zero(&ndlp->kref)) { + spin_unlock_irqrestore(&ndlp->lock, flags); +- lpfc_printf_vlog(ndlp->vport, KERN_WARNING, LOG_NODE, +- "0276 %s: ndlp:x%px refcnt:%d\n", +- __func__, (void *)ndlp, kref_read(&ndlp->kref)); ++ pr_info("0276 %s: NDLP has zero reference count. " ++ "Exiting\n", __func__); + return NULL; + } + spin_unlock_irqrestore(&ndlp->lock, flags); diff --git a/1208-drm-mgag200-fix-mgag200-bmc-stop-scanout.patch b/1208-drm-mgag200-fix-mgag200-bmc-stop-scanout.patch new file mode 100644 index 000000000..cb5626617 --- /dev/null +++ b/1208-drm-mgag200-fix-mgag200-bmc-stop-scanout.patch @@ -0,0 +1,210 @@ +From 1aacebe9d4ccb1a89caa9eb9fe3bb24723e80564 Mon Sep 17 00:00:00 2001 +From: Jacob Keller +Date: Mon, 2 Feb 2026 16:16:39 -0800 +Subject: [PATCH] drm/mgag200: fix mgag200_bmc_stop_scanout() + +[ Upstream commit 0e0c8f4d16de92520623aa1ea485cadbf64e6929 ] + +The mgag200_bmc_stop_scanout() function is called by the .atomic_disable() +handler for the MGA G200 VGA BMC encoder. This function performs a few +register writes to inform the BMC of an upcoming mode change, and then +polls to wait until the BMC actually stops. + +The polling is implemented using a busy loop with udelay() and an iteration +timeout of 300, resulting in the function blocking for 300 milliseconds. + +The function gets called ultimately by the output_poll_execute work thread +for the DRM output change polling thread of the mgag200 driver: + +kworker/0:0-mm_ 3528 [000] 4555.315364: + ffffffffaa0e25b3 delay_halt.part.0+0x33 + ffffffffc03f6188 mgag200_bmc_stop_scanout+0x178 + ffffffffc087ae7a disable_outputs+0x12a + ffffffffc087c12a drm_atomic_helper_commit_tail+0x1a + ffffffffc03fa7b6 mgag200_mode_config_helper_atomic_commit_tail+0x26 + ffffffffc087c9c1 commit_tail+0x91 + ffffffffc087d51b drm_atomic_helper_commit+0x11b + ffffffffc0509694 drm_atomic_commit+0xa4 + ffffffffc05105e8 drm_client_modeset_commit_atomic+0x1e8 + ffffffffc0510ce6 drm_client_modeset_commit_locked+0x56 + ffffffffc0510e24 drm_client_modeset_commit+0x24 + ffffffffc088a743 __drm_fb_helper_restore_fbdev_mode_unlocked+0x93 + ffffffffc088a683 drm_fb_helper_hotplug_event+0xe3 + ffffffffc050f8aa drm_client_dev_hotplug+0x9a + ffffffffc088555a output_poll_execute+0x29a + ffffffffa9b35924 process_one_work+0x194 + ffffffffa9b364ee worker_thread+0x2fe + ffffffffa9b3ecad kthread+0xdd + ffffffffa9a08549 ret_from_fork+0x29 + +On a server running ptp4l with the mgag200 driver loaded, we found that +ptp4l would sometimes get blocked from execution because of this busy +waiting loop. + +Every so often, approximately once every 20 minutes -- though with large +variance -- the output_poll_execute() thread would detect some sort of +change that required performing a hotplug event which results in attempting +to stop the BMC scanout, resulting in a 300msec delay on one CPU. + +On this system, ptp4l was pinned to a single CPU. When the +output_poll_execute() thread ran on that CPU, it blocked ptp4l from +executing for its 300 millisecond duration. + +This resulted in PTP service disruptions such as failure to send a SYNC +message on time, failure to handle ANNOUNCE messages on time, and clock +check warnings from the application. All of this despite the application +being configured with FIFO_RT and a higher priority than the background +workqueue tasks. (However, note that the kernel did not use +CONFIG_PREEMPT...) + +It is unclear if the event is due to a faulty VGA connection, another bug, +or actual events causing a change in the connection. At least on the system +under test it is not a one-time event and consistently causes disruption to +the time sensitive applications. + +The function has some helpful comments explaining what steps it is +attempting to take. In particular, step 3a and 3b are explained as such: + + 3a - The third step is to verify if there is an active scan. We are + waiting on a 0 on remhsyncsts (. + + 3b - This step occurs only if the remove is actually scanning. We are + waiting for the end of the frame which is a 1 on remvsyncsts + (). + +The actual steps 3a and 3b are implemented as while loops with a +non-sleeping udelay(). The first step iterates while the tmp value at +position 0 is *not* set. That is, it keeps iterating as long as the bit is +zero. If the bit is already 0 (because there is no active scan), it will +iterate the entire 300 attempts which wastes 300 milliseconds in total. +This is opposite of what the description claims. + +The step 3b logic only executes if we do not iterate over the entire 300 +attempts in the first loop. If it does trigger, it is trying to check and +wait for a 1 on the remvsyncsts. However, again the condition is actually +inverted and it will loop as long as the bit is 1, stopping once it hits +zero (rather than the explained attempt to wait until we see a 1). + +Worse, both loops are implemented using non-sleeping waits which spin +instead of allowing the scheduler to run other processes. If the kernel is +not configured to allow arbitrary preemption, it will waste valuable CPU +time doing nothing. + +There does not appear to be any documentation for the BMC register +interface, beyond what is in the comments here. It seems more probable that +the comment here is correct and the implementation accidentally got +inverted from the intended logic. + +Reading through other DRM driver implementations, it does not appear that +the .atomic_enable or .atomic_disable handlers need to delay instead of +sleep. For example, the ast_astdp_encoder_helper_atomic_disable() function +calls ast_dp_set_phy_sleep() which uses msleep(). The "atomic" in the name +is referring to the atomic modesetting support, which is the support to +enable atomic configuration from userspace, and not to the "atomic context" +of the kernel. There is no reason to use udelay() here if a sleep would be +sufficient. + +Replace the while loops with a read_poll_timeout() based implementation +that will sleep between iterations, and which stops polling once the +condition is met (instead of looping as long as the condition is met). This +aligns with the commented behavior and avoids blocking on the CPU while +doing nothing. + +Note the RREG_DAC is implemented using a statement expression to allow +working properly with the read_poll_timeout family of functions. The other +RREG_ macros ought to be cleaned up to have better semantics, and +several places in the mgag200 driver could make use of RREG_DAC or similar +RREG_* macros should likely be cleaned up for better semantics as well, but +that task has been left as a future cleanup for a non-bugfix. + +Fixes: 414c45310625 ("mgag200: initial g200se driver (v2)") +Suggested-by: Thomas Zimmermann +Signed-off-by: Jacob Keller +Reviewed-by: Thomas Zimmermann +Reviewed-by: Jocelyn Falempe +Signed-off-by: Thomas Zimmermann +Link: https://patch.msgid.link/20260202-jk-mgag200-fix-bad-udelay-v2-1-ce1e9665987d@intel.com +Signed-off-by: Sasha Levin + +diff --git a/drivers/gpu/drm/mgag200/mgag200_bmc.c b/drivers/gpu/drm/mgag200/mgag200_bmc.c +index a689c71ff165..bbdeb791c5b3 100644 +--- a/drivers/gpu/drm/mgag200/mgag200_bmc.c ++++ b/drivers/gpu/drm/mgag200/mgag200_bmc.c +@@ -1,6 +1,7 @@ + // SPDX-License-Identifier: GPL-2.0-only + + #include ++#include + + #include + #include +@@ -12,7 +13,7 @@ + void mgag200_bmc_stop_scanout(struct mga_device *mdev) + { + u8 tmp; +- int iter_max; ++ int ret; + + /* + * 1 - The first step is to inform the BMC of an upcoming mode +@@ -42,30 +43,22 @@ void mgag200_bmc_stop_scanout(struct mga_device *mdev) + + /* + * 3a- The third step is to verify if there is an active scan. +- * We are waiting for a 0 on remhsyncsts ). ++ * We are waiting for a 0 on remhsyncsts (). + */ +- iter_max = 300; +- while (!(tmp & 0x1) && iter_max) { +- WREG8(DAC_INDEX, MGA1064_SPAREREG); +- tmp = RREG8(DAC_DATA); +- udelay(1000); +- iter_max--; +- } ++ ret = read_poll_timeout(RREG_DAC, tmp, !(tmp & 0x1), ++ 1000, 300000, false, ++ MGA1064_SPAREREG); ++ if (ret == -ETIMEDOUT) ++ return; + + /* +- * 3b- This step occurs only if the remove is actually ++ * 3b- This step occurs only if the remote BMC is actually + * scanning. We are waiting for the end of the frame which is + * a 1 on remvsyncsts (XSPAREREG<1>) + */ +- if (iter_max) { +- iter_max = 300; +- while ((tmp & 0x2) && iter_max) { +- WREG8(DAC_INDEX, MGA1064_SPAREREG); +- tmp = RREG8(DAC_DATA); +- udelay(1000); +- iter_max--; +- } +- } ++ (void)read_poll_timeout(RREG_DAC, tmp, (tmp & 0x2), ++ 1000, 300000, false, ++ MGA1064_SPAREREG); + } + + void mgag200_bmc_start_scanout(struct mga_device *mdev) +diff --git a/drivers/gpu/drm/mgag200/mgag200_drv.h b/drivers/gpu/drm/mgag200/mgag200_drv.h +index 988967eafbf2..c67007348142 100644 +--- a/drivers/gpu/drm/mgag200/mgag200_drv.h ++++ b/drivers/gpu/drm/mgag200/mgag200_drv.h +@@ -112,6 +112,12 @@ + #define DAC_INDEX 0x3c00 + #define DAC_DATA 0x3c0a + ++#define RREG_DAC(reg) \ ++ ({ \ ++ WREG8(DAC_INDEX, reg); \ ++ RREG8(DAC_DATA); \ ++ }) \ ++ + #define WREG_DAC(reg, v) \ + do { \ + WREG8(DAC_INDEX, reg); \ +-- +2.50.1 (Apple Git-155) + diff --git a/1209-net-sched-act-csum-validate-nested-vlan-headers.patch b/1209-net-sched-act-csum-validate-nested-vlan-headers.patch new file mode 100644 index 000000000..1c6e86c20 --- /dev/null +++ b/1209-net-sched-act-csum-validate-nested-vlan-headers.patch @@ -0,0 +1,55 @@ +From a69738efea0996d05a3c7d2178551b891744df1b Mon Sep 17 00:00:00 2001 +From: Ruide Cao +Date: Thu, 2 Apr 2026 22:46:20 +0800 +Subject: [PATCH] net: sched: act_csum: validate nested VLAN headers + +[ Upstream commit c842743d073bdd683606cb414eb0ca84465dd834 ] + +tcf_csum_act() walks nested VLAN headers directly from skb->data when an +skb still carries in-payload VLAN tags. The current code reads +vlan->h_vlan_encapsulated_proto and then pulls VLAN_HLEN bytes without +first ensuring that the full VLAN header is present in the linear area. + +If only part of an inner VLAN header is linearized, accessing +h_vlan_encapsulated_proto reads past the linear area, and the following +skb_pull(VLAN_HLEN) may violate skb invariants. + +Fix this by requiring pskb_may_pull(skb, VLAN_HLEN) before accessing and +pulling each nested VLAN header. If the header still is not fully +available, drop the packet through the existing error path. + +Fixes: 2ecba2d1e45b ("net: sched: act_csum: Fix csum calc for tagged packets") +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Tested-by: Ren Wei +Signed-off-by: Ruide Cao +Signed-off-by: Ren Wei +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/22df2fcb49f410203eafa5d97963dd36089f4ecf.1774892775.git.caoruide123@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin + +diff --git a/net/sched/act_csum.c b/net/sched/act_csum.c +index 5cc8e407e791..8ea37c2c3c54 100644 +--- a/net/sched/act_csum.c ++++ b/net/sched/act_csum.c +@@ -603,8 +603,12 @@ TC_INDIRECT_SCOPE int tcf_csum_act(struct sk_buff *skb, + protocol = skb->protocol; + orig_vlan_tag_present = true; + } else { +- struct vlan_hdr *vlan = (struct vlan_hdr *)skb->data; ++ struct vlan_hdr *vlan; + ++ if (!pskb_may_pull(skb, VLAN_HLEN)) ++ goto drop; ++ ++ vlan = (struct vlan_hdr *)skb->data; + protocol = vlan->h_vlan_encapsulated_proto; + skb_pull(skb, VLAN_HLEN); + skb_reset_network_header(skb); +-- +2.50.1 (Apple Git-155) + diff --git a/1210-netfilter-ip6t-eui64-reject-invalid-mac-header-for-all-packe.patch b/1210-netfilter-ip6t-eui64-reject-invalid-mac-header-for-all-packe.patch new file mode 100644 index 000000000..1171ae923 --- /dev/null +++ b/1210-netfilter-ip6t-eui64-reject-invalid-mac-header-for-all-packe.patch @@ -0,0 +1,47 @@ +From 9eda5478746ef7dc0e4e537b5a5e4b0ca1027091 Mon Sep 17 00:00:00 2001 +From: Zhengchuan Liang +Date: Sat, 4 Apr 2026 17:39:47 +0800 +Subject: [PATCH] netfilter: ip6t_eui64: reject invalid MAC header for all + packets + +[ Upstream commit fdce0b3590f724540795b874b4c8850c90e6b0a8 ] + +`eui64_mt6()` derives a modified EUI-64 from the Ethernet source address +and compares it with the low 64 bits of the IPv6 source address. + +The existing guard only rejects an invalid MAC header when +`par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()` +can still reach `eth_hdr(skb)` even when the MAC header is not valid. + +Fix this by removing the `par->fragoff != 0` condition so that packets +with an invalid MAC header are rejected before accessing `eth_hdr(skb)`. + +Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2") +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Tested-by: Ren Wei +Signed-off-by: Zhengchuan Liang +Signed-off-by: Ren Wei +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin + +diff --git a/net/ipv6/netfilter/ip6t_eui64.c b/net/ipv6/netfilter/ip6t_eui64.c +index d704f7ed300c..da69a27e8332 100644 +--- a/net/ipv6/netfilter/ip6t_eui64.c ++++ b/net/ipv6/netfilter/ip6t_eui64.c +@@ -22,8 +22,7 @@ eui64_mt6(const struct sk_buff *skb, struct xt_action_param *par) + unsigned char eui64[8]; + + if (!(skb_mac_header(skb) >= skb->head && +- skb_mac_header(skb) + ETH_HLEN <= skb->data) && +- par->fragoff != 0) { ++ skb_mac_header(skb) + ETH_HLEN <= skb->data)) { + par->hotdrop = true; + return false; + } +-- +2.50.1 (Apple Git-155) + diff --git a/1211-cifs-remove-unnecessary-tracing-after-put-tcon.patch b/1211-cifs-remove-unnecessary-tracing-after-put-tcon.patch new file mode 100644 index 000000000..a49924303 --- /dev/null +++ b/1211-cifs-remove-unnecessary-tracing-after-put-tcon.patch @@ -0,0 +1,52 @@ +From ccfb4a950c79db99c153de111d0b4d05edaf193d Mon Sep 17 00:00:00 2001 +From: Paulo Alcantara +Date: Wed, 18 Feb 2026 18:34:03 -0300 +Subject: [PATCH] cifs: remove unnecessary tracing after put tcon + +JIRA: https://issues.redhat.com/browse/RHEL-150776 + +commit a5a50f1415692a0fe3bf0ec17f422cac8e158e65 +Author: Shyam Prasad N +Date: Sat Feb 14 13:05:50 2026 +0530 + + cifs: remove unnecessary tracing after put tcon + + This code was recently changed from manually decrementing + tcon ref to using cifs_put_tcon. But even before that change + this tracing happened after decrementing the ref count, which + is wrong. With cifs_put_tcon, tracing already happens inside it. + So just removing the extra tracing here. + + Signed-off-by: Shyam Prasad N + Signed-off-by: Steve French + +Signed-off-by: Paulo Alcantara + +diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c +index 1e13dd0a24c3..61c521712f86 100644 +--- a/fs/smb/client/smb2ops.c ++++ b/fs/smb/client/smb2ops.c +@@ -3181,8 +3181,6 @@ smb2_get_dfs_refer(const unsigned int xid, struct cifs_ses *ses, + if (tcon && !tcon->ipc) { + /* ipc tcons are not refcounted */ + cifs_put_tcon(tcon, netfs_trace_tcon_ref_put_dfs_refer); +- trace_smb3_tcon_ref(tcon->debug_id, tcon->tc_count, +- netfs_trace_tcon_ref_dec_dfs_refer); + } + kfree(utf16_path); + kfree(dfs_req); +diff --git a/fs/smb/client/trace.h b/fs/smb/client/trace.h +index 191f02344dcd..9228f95cae2b 100644 +--- a/fs/smb/client/trace.h ++++ b/fs/smb/client/trace.h +@@ -168,7 +168,6 @@ + E_(cifs_trace_rw_credits_zero_in_flight, "ZERO-IN-FLT") + + #define smb3_tcon_ref_traces \ +- EM(netfs_trace_tcon_ref_dec_dfs_refer, "DEC DfsRef") \ + EM(netfs_trace_tcon_ref_free, "FRE ") \ + EM(netfs_trace_tcon_ref_free_fail, "FRE Fail ") \ + EM(netfs_trace_tcon_ref_free_ipc, "FRE Ipc ") \ +-- +2.50.1 (Apple Git-155) + diff --git a/1212-cifs-make-default-value-of-retrans-as-zero.patch b/1212-cifs-make-default-value-of-retrans-as-zero.patch new file mode 100644 index 000000000..fd44085a5 --- /dev/null +++ b/1212-cifs-make-default-value-of-retrans-as-zero.patch @@ -0,0 +1,41 @@ +From e96124d5b440c57a270d3903e7cec81d14fc2e07 Mon Sep 17 00:00:00 2001 +From: Paulo Alcantara +Date: Tue, 28 Apr 2026 18:52:21 -0300 +Subject: [PATCH] cifs: make default value of retrans as zero + +JIRA: https://issues.redhat.com/browse/RHEL-171638 + +commit e3beefd3af09f8e460ddaf39063d3d7664d7ab59 +Author: Shyam Prasad N +Date: Wed Mar 11 10:48:54 2026 +0530 + + cifs: make default value of retrans as zero + + When retrans mount option was introduced, the default value was set + as 1. However, in the light of some bugs that this has exposed recently + we should change it to 0 and retain the old behaviour before this option + was introduced. + + Cc: + Reviewed-by: Bharath SM + Signed-off-by: Shyam Prasad N + Signed-off-by: Steve French + +Signed-off-by: Paulo Alcantara + +diff --git a/fs/smb/client/fs_context.c b/fs/smb/client/fs_context.c +index a5c336f8f2b7..943f4d3610ee 100644 +--- a/fs/smb/client/fs_context.c ++++ b/fs/smb/client/fs_context.c +@@ -2000,7 +2000,7 @@ int smb3_init_fs_context(struct fs_context *fc) + ctx->backupuid_specified = false; /* no backup intent for a user */ + ctx->backupgid_specified = false; /* no backup intent for a group */ + +- ctx->retrans = 1; ++ ctx->retrans = 0; + ctx->reparse_type = CIFS_REPARSE_TYPE_DEFAULT; + ctx->symlink_type = CIFS_SYMLINK_TYPE_DEFAULT; + ctx->nonativesocket = 0; +-- +2.50.1 (Apple Git-155) + diff --git a/1213-dpll-zl3073x-add-output-pin-frequency-helper.patch b/1213-dpll-zl3073x-add-output-pin-frequency-helper.patch new file mode 100644 index 000000000..6517c21e3 --- /dev/null +++ b/1213-dpll-zl3073x-add-output-pin-frequency-helper.patch @@ -0,0 +1,158 @@ +From 6482a608b65938f2fdacc01e93dd4f62b1f298c7 Mon Sep 17 00:00:00 2001 +From: CKI Backport Bot +Date: Thu, 2 Apr 2026 14:24:19 +0000 +Subject: [PATCH] dpll: zl3073x: Add output pin frequency helper + +JIRA: https://redhat.atlassian.net/browse/RHEL-164429 + +commit 24e4336a87f5c51263535201218889b5f324511f +Author: Ivan Vecera +Date: Thu Feb 5 16:43:49 2026 +0100 + + dpll: zl3073x: Add output pin frequency helper + + Introduce zl3073x_dev_output_pin_freq_get() helper function to compute + the output pin frequency based on synthesizer frequency, output divisor, + and signal format. For N-div signal formats, the N-pin frequency is + additionally divided by esync_n_period. + + Add zl3073x_out_is_ndiv() helper to check if an output is configured + in N-div mode (2_NDIV or 2_NDIV_INV signal formats). + + Refactor zl3073x_dpll_output_pin_frequency_get() callback to use the + new helper, reducing code duplication and enabling reuse of the + frequency calculation logic in other contexts. + + This is a preparatory change for adding current frequency to the + supported frequencies list in pin properties. + + Signed-off-by: Ivan Vecera + Link: https://patch.msgid.link/20260205154350.3180465-2-ivecera@redhat.com + Signed-off-by: Jakub Kicinski + +Signed-off-by: CKI Backport Bot + +diff --git a/drivers/dpll/zl3073x/core.h b/drivers/dpll/zl3073x/core.h +index 09bca2d0926d..dddfcacea5c0 100644 +--- a/drivers/dpll/zl3073x/core.h ++++ b/drivers/dpll/zl3073x/core.h +@@ -301,6 +301,36 @@ u8 zl3073x_dev_out_dpll_get(struct zl3073x_dev *zldev, u8 index) + return zl3073x_synth_dpll_get(synth); + } + ++/** ++ * zl3073x_dev_output_pin_freq_get - get output pin frequency ++ * @zldev: pointer to zl3073x device ++ * @id: output pin id ++ * ++ * Computes the output pin frequency based on the synth frequency, output ++ * divisor, and signal format. For N-div formats, N-pin frequency is ++ * additionally divided by esync_n_period. ++ * ++ * Return: frequency of the given output pin in Hz ++ */ ++static inline u32 ++zl3073x_dev_output_pin_freq_get(struct zl3073x_dev *zldev, u8 id) ++{ ++ const struct zl3073x_synth *synth; ++ const struct zl3073x_out *out; ++ u8 out_id; ++ u32 freq; ++ ++ out_id = zl3073x_output_pin_out_get(id); ++ out = zl3073x_out_state_get(zldev, out_id); ++ synth = zl3073x_synth_state_get(zldev, zl3073x_out_synth_get(out)); ++ freq = zl3073x_synth_freq_get(synth) / out->div; ++ ++ if (zl3073x_out_is_ndiv(out) && zl3073x_is_n_pin(id)) ++ freq /= out->esync_n_period; ++ ++ return freq; ++} ++ + /** + * zl3073x_dev_out_is_diff - check if the given output is differential + * @zldev: pointer to zl3073x device +diff --git a/drivers/dpll/zl3073x/dpll.c b/drivers/dpll/zl3073x/dpll.c +index 897ed682dbf9..78edc36b17fb 100644 +--- a/drivers/dpll/zl3073x/dpll.c ++++ b/drivers/dpll/zl3073x/dpll.c +@@ -916,46 +916,9 @@ zl3073x_dpll_output_pin_frequency_get(const struct dpll_pin *dpll_pin, + struct netlink_ext_ack *extack) + { + struct zl3073x_dpll *zldpll = dpll_priv; +- struct zl3073x_dev *zldev = zldpll->dev; + struct zl3073x_dpll_pin *pin = pin_priv; +- const struct zl3073x_synth *synth; +- const struct zl3073x_out *out; +- u32 synth_freq; +- u8 out_id; + +- out_id = zl3073x_output_pin_out_get(pin->id); +- out = zl3073x_out_state_get(zldev, out_id); +- +- /* Get attached synth frequency */ +- synth = zl3073x_synth_state_get(zldev, zl3073x_out_synth_get(out)); +- synth_freq = zl3073x_synth_freq_get(synth); +- +- switch (zl3073x_out_signal_format_get(out)) { +- case ZL_OUTPUT_MODE_SIGNAL_FORMAT_2_NDIV: +- case ZL_OUTPUT_MODE_SIGNAL_FORMAT_2_NDIV_INV: +- /* In case of divided format we have to distiguish between +- * given output pin type. +- * +- * For P-pin the resulting frequency is computed as simple +- * division of synth frequency and output divisor. +- * +- * For N-pin we have to divide additionally by divisor stored +- * in esync_n_period output mailbox register that is used as +- * N-pin divisor for these modes. +- */ +- *frequency = synth_freq / out->div; +- +- if (!zl3073x_dpll_is_p_pin(pin)) +- *frequency = (u32)*frequency / out->esync_n_period; +- +- break; +- default: +- /* In other modes the resulting frequency is computed as +- * division of synth frequency and output divisor. +- */ +- *frequency = synth_freq / out->div; +- break; +- } ++ *frequency = zl3073x_dev_output_pin_freq_get(zldpll->dev, pin->id); + + return 0; + } +diff --git a/drivers/dpll/zl3073x/out.h b/drivers/dpll/zl3073x/out.h +index e8ea7a0e0f07..318f9bb8da3a 100644 +--- a/drivers/dpll/zl3073x/out.h ++++ b/drivers/dpll/zl3073x/out.h +@@ -79,6 +79,23 @@ static inline bool zl3073x_out_is_enabled(const struct zl3073x_out *out) + return !!FIELD_GET(ZL_OUTPUT_CTRL_EN, out->ctrl); + } + ++/** ++ * zl3073x_out_is_ndiv - check if the given output is in N-div mode ++ * @out: pointer to out state ++ * ++ * Return: true if output is in N-div mode, false otherwise ++ */ ++static inline bool zl3073x_out_is_ndiv(const struct zl3073x_out *out) ++{ ++ switch (zl3073x_out_signal_format_get(out)) { ++ case ZL_OUTPUT_MODE_SIGNAL_FORMAT_2_NDIV: ++ case ZL_OUTPUT_MODE_SIGNAL_FORMAT_2_NDIV_INV: ++ return true; ++ default: ++ return false; ++ } ++} ++ + /** + * zl3073x_out_synth_get - get synth connected to given output + * @out: pointer to out state +-- +2.50.1 (Apple Git-155) + diff --git a/1214-dpll-zl3073x-include-current-frequency-in-supported-frequenc.patch b/1214-dpll-zl3073x-include-current-frequency-in-supported-frequenc.patch new file mode 100644 index 000000000..916439c51 --- /dev/null +++ b/1214-dpll-zl3073x-include-current-frequency-in-supported-frequenc.patch @@ -0,0 +1,124 @@ +From 6a744fc1c97d1a5dc7def15f6ecadd9e428a6ab8 Mon Sep 17 00:00:00 2001 +From: CKI Backport Bot +Date: Thu, 2 Apr 2026 14:24:20 +0000 +Subject: [PATCH] dpll: zl3073x: Include current frequency in supported + frequencies list + +JIRA: https://redhat.atlassian.net/browse/RHEL-164429 + +commit 85a9aaac4a38a7ce68f30bd7678fca4e8c687fe2 +Author: Ivan Vecera +Date: Thu Feb 5 16:43:50 2026 +0100 + + dpll: zl3073x: Include current frequency in supported frequencies list + + Ensure the current pin frequency is always present in the list of + supported frequencies reported to userspace. Previously, if the + firmware node was missing or didn't include the current operating + frequency in the supported-frequencies-hz property, the pin would + report a frequency that wasn't in its supported list. + + Get the current frequency early in zl3073x_pin_props_get(): + - For input pins: use zl3073x_dev_ref_freq_get() + - For output pins: use zl3073x_dev_output_pin_freq_get() + + Place the current frequency at index 0 of the supported frequencies + array, then append frequencies from the firmware node (if present), + skipping any duplicate of the current frequency. + + Signed-off-by: Ivan Vecera + Link: https://patch.msgid.link/20260205154350.3180465-3-ivecera@redhat.com + Signed-off-by: Jakub Kicinski + +Signed-off-by: CKI Backport Bot + +diff --git a/drivers/dpll/zl3073x/prop.c b/drivers/dpll/zl3073x/prop.c +index ad1f099cbe2b..8523dc8c226e 100644 +--- a/drivers/dpll/zl3073x/prop.c ++++ b/drivers/dpll/zl3073x/prop.c +@@ -193,9 +193,10 @@ struct zl3073x_pin_props *zl3073x_pin_props_get(struct zl3073x_dev *zldev, + { + struct dpll_pin_frequency *ranges; + struct zl3073x_pin_props *props; +- int i, j, num_freqs, rc; ++ int i, j, num_freqs = 0, rc; ++ u64 *freqs = NULL; + const char *type; +- u64 *freqs; ++ u32 curr_freq; + + props = kzalloc(sizeof(*props), GFP_KERNEL); + if (!props) +@@ -207,6 +208,7 @@ struct zl3073x_pin_props *zl3073x_pin_props_get(struct zl3073x_dev *zldev, + props->dpll_props.capabilities = + DPLL_PIN_CAPABILITIES_PRIORITY_CAN_CHANGE | + DPLL_PIN_CAPABILITIES_STATE_CAN_CHANGE; ++ curr_freq = zl3073x_dev_ref_freq_get(zldev, index); + } else { + u8 out, synth; + u32 f; +@@ -220,6 +222,7 @@ struct zl3073x_pin_props *zl3073x_pin_props_get(struct zl3073x_dev *zldev, + synth = zl3073x_dev_out_synth_get(zldev, out); + f = 2 * zl3073x_dev_synth_freq_get(zldev, synth); + props->dpll_props.phase_gran = f ? div_u64(PSEC_PER_SEC, f) : 1; ++ curr_freq = zl3073x_dev_output_pin_freq_get(zldev, index); + } + + props->dpll_props.phase_range.min = S32_MIN; +@@ -230,7 +233,7 @@ struct zl3073x_pin_props *zl3073x_pin_props_get(struct zl3073x_dev *zldev, + /* Get firmware node for the given pin */ + rc = zl3073x_prop_pin_fwnode_get(zldev, props, dir, index); + if (rc) +- return props; /* Return if it does not exist */ ++ goto skip_fwnode_props; + + /* Look for label property and store the value as board label */ + fwnode_property_read_string(props->fwnode, "label", +@@ -264,9 +267,10 @@ struct zl3073x_pin_props *zl3073x_pin_props_get(struct zl3073x_dev *zldev, + /* Read supported frequencies property if it is specified */ + num_freqs = fwnode_property_count_u64(props->fwnode, + "supported-frequencies-hz"); +- if (num_freqs <= 0) +- /* Return if the property does not exist or number is 0 */ +- return props; ++ if (num_freqs <= 0) { ++ num_freqs = 0; ++ goto skip_fwnode_props; ++ } + + /* The firmware node specifies list of supported frequencies while + * DPLL core pin properties requires list of frequency ranges. +@@ -283,19 +287,25 @@ struct zl3073x_pin_props *zl3073x_pin_props_get(struct zl3073x_dev *zldev, + "supported-frequencies-hz", freqs, + num_freqs); + +- /* Allocate frequency ranges list and fill it */ +- ranges = kcalloc(num_freqs, sizeof(*ranges), GFP_KERNEL); ++skip_fwnode_props: ++ /* Allocate frequency ranges list - extra slot for current frequency */ ++ ranges = kcalloc(num_freqs + 1, sizeof(*ranges), GFP_KERNEL); + if (!ranges) { + rc = -ENOMEM; + goto err_alloc_ranges; + } + +- /* Convert list of frequencies to list of frequency ranges but +- * filter-out frequencies that are not representable by device ++ /* Start with current frequency at index 0 */ ++ ranges[0] = (struct dpll_pin_frequency)DPLL_PIN_FREQUENCY(curr_freq); ++ ++ /* Add frequencies from firmware node, skipping current frequency ++ * and filtering out frequencies not representable by device + */ +- for (i = 0, j = 0; i < num_freqs; i++) { ++ for (i = 0, j = 1; i < num_freqs; i++) { + struct dpll_pin_frequency freq = DPLL_PIN_FREQUENCY(freqs[i]); + ++ if (freqs[i] == curr_freq) ++ continue; + if (zl3073x_pin_check_freq(zldev, dir, index, freqs[i])) { + ranges[j] = freq; + j++; +-- +2.50.1 (Apple Git-155) + diff --git a/1215-dpll-zl3073x-fix-ref-frequency-setting.patch b/1215-dpll-zl3073x-fix-ref-frequency-setting.patch new file mode 100644 index 000000000..5be556a15 --- /dev/null +++ b/1215-dpll-zl3073x-fix-ref-frequency-setting.patch @@ -0,0 +1,58 @@ +From bbc528495d5ec657906c684f5805b3a410941cb6 Mon Sep 17 00:00:00 2001 +From: CKI Backport Bot +Date: Thu, 2 Apr 2026 14:24:21 +0000 +Subject: [PATCH] dpll: zl3073x: Fix ref frequency setting + +JIRA: https://redhat.atlassian.net/browse/RHEL-164429 + +commit a047497f952831e377564b606dcb74a7cb309384 +Author: Ivan Vecera +Date: Mon Feb 16 20:40:07 2026 +0100 + + dpll: zl3073x: Fix ref frequency setting + + The frequency for an input reference is computed as: + + frequency = freq_base * freq_mult * freq_ratio_m / freq_ratio_n + + Before commit 5bc02b190a3fb ("dpll: zl3073x: Cache all reference + properties in zl3073x_ref"), zl3073x_dpll_input_pin_frequency_set() + explicitly wrote 1 to both the REF_RATIO_M and REF_RATIO_N hardware + registers whenever a new frequency was set. This ensured the FEC ratio + was always reset to 1:1 alongside the new base/multiplier values. + + The refactoring in that commit introduced zl3073x_ref_freq_set() to + update the cached ref state, but this helper only sets freq_base and + freq_mult without resetting freq_ratio_m and freq_ratio_n to 1. Because + zl3073x_ref_state_set() uses a compare-and-write strategy, unchanged + ratio fields are never written to the hardware. If the device previously + had non-unity FEC ratio values, they remain in effect after a frequency + change, resulting in an incorrect computed frequency. + + Explicitly set freq_ratio_m and freq_ratio_n to 1 in zl3073x_ref_freq_set() + to restore the original behavior. + + Fixes: 5bc02b190a3fb ("dpll: zl3073x: Cache all reference properties in zl3073x_ref") + Signed-off-by: Ivan Vecera + Reviewed-by: Simon Horman + Link: https://patch.msgid.link/20260216194007.680416-1-ivecera@redhat.com + Signed-off-by: Jakub Kicinski + +Signed-off-by: CKI Backport Bot + +diff --git a/drivers/dpll/zl3073x/ref.h b/drivers/dpll/zl3073x/ref.h +index efc7f59cd9f9..0d8618f5ce8d 100644 +--- a/drivers/dpll/zl3073x/ref.h ++++ b/drivers/dpll/zl3073x/ref.h +@@ -91,6 +91,8 @@ zl3073x_ref_freq_set(struct zl3073x_ref *ref, u32 freq) + + ref->freq_base = base; + ref->freq_mult = mult; ++ ref->freq_ratio_m = 1; ++ ref->freq_ratio_n = 1; + + return 0; + } +-- +2.50.1 (Apple Git-155) + diff --git a/1216-dpll-zl3073x-fix-ref-phase-offset-comp-register-width-for-so.patch b/1216-dpll-zl3073x-fix-ref-phase-offset-comp-register-width-for-so.patch new file mode 100644 index 000000000..d65625817 --- /dev/null +++ b/1216-dpll-zl3073x-fix-ref-phase-offset-comp-register-width-for-so.patch @@ -0,0 +1,175 @@ +From 63c8ab56209fe06421d0f0ee0d254c8755d2d0ca Mon Sep 17 00:00:00 2001 +From: CKI Backport Bot +Date: Thu, 2 Apr 2026 14:24:22 +0000 +Subject: [PATCH] dpll: zl3073x: fix REF_PHASE_OFFSET_COMP register width for + some chip IDs + +JIRA: https://redhat.atlassian.net/browse/RHEL-164429 + +commit 4cfe066a82cdf9e83e48b16000f55280efc98325 +Author: Ivan Vecera +Date: Fri Feb 20 16:57:54 2026 +0100 + + dpll: zl3073x: fix REF_PHASE_OFFSET_COMP register width for some chip IDs + + The REF_PHASE_OFFSET_COMP register is 48-bit wide on most zl3073x chip + variants, but only 32-bit wide on chip IDs 0x0E30, 0x0E93..0x0E97 and + 0x1F60. The driver unconditionally uses 48-bit read/write operations, + which on 32-bit variants causes reading 2 bytes past the register + boundary (corrupting the value) and writing 2 bytes into the adjacent + register. + + Fix this by storing the chip ID in the device structure during probe + and adding a helper to detect the affected variants. Use the correct + register width for read/write operations and the matching sign extension + bit (31 vs 47) when interpreting the phase compensation value. + + Fixes: 6287262f761e ("dpll: zl3073x: Add support to adjust phase") + Signed-off-by: Ivan Vecera + Reviewed-by: Simon Horman + Link: https://patch.msgid.link/20260220155755.448185-1-ivecera@redhat.com + Signed-off-by: Jakub Kicinski + +Signed-off-by: CKI Backport Bot + +diff --git a/drivers/dpll/zl3073x/core.c b/drivers/dpll/zl3073x/core.c +index 63bd97181b9e..8c5ee28e02f4 100644 +--- a/drivers/dpll/zl3073x/core.c ++++ b/drivers/dpll/zl3073x/core.c +@@ -1026,6 +1026,7 @@ int zl3073x_dev_probe(struct zl3073x_dev *zldev, + "Unknown or non-match chip ID: 0x%0x\n", + id); + } ++ zldev->chip_id = id; + + /* Read revision, firmware version and custom config version */ + rc = zl3073x_read_u16(zldev, ZL_REG_REVISION, &revision); +diff --git a/drivers/dpll/zl3073x/core.h b/drivers/dpll/zl3073x/core.h +index dddfcacea5c0..fd2af3c62a7d 100644 +--- a/drivers/dpll/zl3073x/core.h ++++ b/drivers/dpll/zl3073x/core.h +@@ -35,6 +35,7 @@ struct zl3073x_dpll; + * @dev: pointer to device + * @regmap: regmap to access device registers + * @multiop_lock: to serialize multiple register operations ++ * @chip_id: chip ID read from hardware + * @ref: array of input references' invariants + * @out: array of outs' invariants + * @synth: array of synths' invariants +@@ -48,6 +49,7 @@ struct zl3073x_dev { + struct device *dev; + struct regmap *regmap; + struct mutex multiop_lock; ++ u16 chip_id; + + /* Invariants */ + struct zl3073x_ref ref[ZL3073X_NUM_REFS]; +@@ -144,6 +146,32 @@ int zl3073x_write_hwreg_seq(struct zl3073x_dev *zldev, + + int zl3073x_ref_phase_offsets_update(struct zl3073x_dev *zldev, int channel); + ++/** ++ * zl3073x_dev_is_ref_phase_comp_32bit - check ref phase comp register size ++ * @zldev: pointer to zl3073x device ++ * ++ * Some chip IDs have a 32-bit wide ref_phase_offset_comp register instead ++ * of the default 48-bit. ++ * ++ * Return: true if the register is 32-bit, false if 48-bit ++ */ ++static inline bool ++zl3073x_dev_is_ref_phase_comp_32bit(struct zl3073x_dev *zldev) ++{ ++ switch (zldev->chip_id) { ++ case 0x0E30: ++ case 0x0E93: ++ case 0x0E94: ++ case 0x0E95: ++ case 0x0E96: ++ case 0x0E97: ++ case 0x1F60: ++ return true; ++ default: ++ return false; ++ } ++} ++ + static inline bool + zl3073x_is_n_pin(u8 id) + { +diff --git a/drivers/dpll/zl3073x/dpll.c b/drivers/dpll/zl3073x/dpll.c +index 78edc36b17fb..8ffbede117c6 100644 +--- a/drivers/dpll/zl3073x/dpll.c ++++ b/drivers/dpll/zl3073x/dpll.c +@@ -475,8 +475,11 @@ zl3073x_dpll_input_pin_phase_adjust_get(const struct dpll_pin *dpll_pin, + ref_id = zl3073x_input_pin_ref_get(pin->id); + ref = zl3073x_ref_state_get(zldev, ref_id); + +- /* Perform sign extension for 48bit signed value */ +- phase_comp = sign_extend64(ref->phase_comp, 47); ++ /* Perform sign extension based on register width */ ++ if (zl3073x_dev_is_ref_phase_comp_32bit(zldev)) ++ phase_comp = sign_extend64(ref->phase_comp, 31); ++ else ++ phase_comp = sign_extend64(ref->phase_comp, 47); + + /* Reverse two's complement negation applied during set and convert + * to 32bit signed int +diff --git a/drivers/dpll/zl3073x/ref.c b/drivers/dpll/zl3073x/ref.c +index aa2de13effa8..6b65e6103999 100644 +--- a/drivers/dpll/zl3073x/ref.c ++++ b/drivers/dpll/zl3073x/ref.c +@@ -121,8 +121,16 @@ int zl3073x_ref_state_fetch(struct zl3073x_dev *zldev, u8 index) + return rc; + + /* Read phase compensation register */ +- rc = zl3073x_read_u48(zldev, ZL_REG_REF_PHASE_OFFSET_COMP, +- &ref->phase_comp); ++ if (zl3073x_dev_is_ref_phase_comp_32bit(zldev)) { ++ u32 val; ++ ++ rc = zl3073x_read_u32(zldev, ZL_REG_REF_PHASE_OFFSET_COMP_32, ++ &val); ++ ref->phase_comp = val; ++ } else { ++ rc = zl3073x_read_u48(zldev, ZL_REG_REF_PHASE_OFFSET_COMP, ++ &ref->phase_comp); ++ } + if (rc) + return rc; + +@@ -179,9 +187,16 @@ int zl3073x_ref_state_set(struct zl3073x_dev *zldev, u8 index, + if (!rc && dref->sync_ctrl != ref->sync_ctrl) + rc = zl3073x_write_u8(zldev, ZL_REG_REF_SYNC_CTRL, + ref->sync_ctrl); +- if (!rc && dref->phase_comp != ref->phase_comp) +- rc = zl3073x_write_u48(zldev, ZL_REG_REF_PHASE_OFFSET_COMP, +- ref->phase_comp); ++ if (!rc && dref->phase_comp != ref->phase_comp) { ++ if (zl3073x_dev_is_ref_phase_comp_32bit(zldev)) ++ rc = zl3073x_write_u32(zldev, ++ ZL_REG_REF_PHASE_OFFSET_COMP_32, ++ ref->phase_comp); ++ else ++ rc = zl3073x_write_u48(zldev, ++ ZL_REG_REF_PHASE_OFFSET_COMP, ++ ref->phase_comp); ++ } + if (rc) + return rc; + +diff --git a/drivers/dpll/zl3073x/regs.h b/drivers/dpll/zl3073x/regs.h +index d837bee72b17..5573d7188406 100644 +--- a/drivers/dpll/zl3073x/regs.h ++++ b/drivers/dpll/zl3073x/regs.h +@@ -194,6 +194,7 @@ + #define ZL_REF_CONFIG_DIFF_EN BIT(2) + + #define ZL_REG_REF_PHASE_OFFSET_COMP ZL_REG(10, 0x28, 6) ++#define ZL_REG_REF_PHASE_OFFSET_COMP_32 ZL_REG(10, 0x28, 4) + + #define ZL_REG_REF_SYNC_CTRL ZL_REG(10, 0x2e, 1) + #define ZL_REF_SYNC_CTRL_MODE GENMASK(2, 0) +-- +2.50.1 (Apple Git-155) + diff --git a/1217-dpll-zl3073x-remove-redundant-cleanup-in-devm-dpll-init.patch b/1217-dpll-zl3073x-remove-redundant-cleanup-in-devm-dpll-init.patch new file mode 100644 index 000000000..0cf53bfc9 --- /dev/null +++ b/1217-dpll-zl3073x-remove-redundant-cleanup-in-devm-dpll-init.patch @@ -0,0 +1,45 @@ +From b8350c49178e346cd8c90a0d950918d1985ec92d Mon Sep 17 00:00:00 2001 +From: CKI Backport Bot +Date: Thu, 2 Apr 2026 14:24:24 +0000 +Subject: [PATCH] dpll: zl3073x: Remove redundant cleanup in devm_dpll_init() + +JIRA: https://redhat.atlassian.net/browse/RHEL-164429 + +commit 676c7af91fcd740d34e7cb788cbc58e3bcafde39 +Author: Felix Gu +Date: Tue Feb 24 19:04:04 2026 +0800 + + dpll: zl3073x: Remove redundant cleanup in devm_dpll_init() + + The devm_add_action_or_reset() function already executes the cleanup + action on failure before returning an error, so the explicit goto error + and subsequent zl3073x_dev_dpll_fini() call causes double cleanup. + + Fixes: ebb1031c5137 ("dpll: zl3073x: Refactor DPLL initialization") + Reviewed-by: Ivan Vecera + Signed-off-by: Felix Gu + Link: https://patch.msgid.link/20260224-dpll-v2-1-d7786414a830@gmail.com + Signed-off-by: Jakub Kicinski + +Signed-off-by: CKI Backport Bot + +diff --git a/drivers/dpll/zl3073x/core.c b/drivers/dpll/zl3073x/core.c +index 8c5ee28e02f4..37f3c33570ee 100644 +--- a/drivers/dpll/zl3073x/core.c ++++ b/drivers/dpll/zl3073x/core.c +@@ -981,11 +981,7 @@ zl3073x_devm_dpll_init(struct zl3073x_dev *zldev, u8 num_dplls) + } + + /* Add devres action to release DPLL related resources */ +- rc = devm_add_action_or_reset(zldev->dev, zl3073x_dev_dpll_fini, zldev); +- if (rc) +- goto error; +- +- return 0; ++ return devm_add_action_or_reset(zldev->dev, zl3073x_dev_dpll_fini, zldev); + + error: + zl3073x_dev_dpll_fini(zldev); +-- +2.50.1 (Apple Git-155) + diff --git a/1218-io-uring-rsrc-reject-zero-length-fixed-buffer-import.patch b/1218-io-uring-rsrc-reject-zero-length-fixed-buffer-import.patch new file mode 100644 index 000000000..8bf12c316 --- /dev/null +++ b/1218-io-uring-rsrc-reject-zero-length-fixed-buffer-import.patch @@ -0,0 +1,63 @@ +From 78752da1c6bff4652005000d2dfb0171e13ca1b5 Mon Sep 17 00:00:00 2001 +From: CKI Backport Bot +Date: Fri, 1 May 2026 16:51:46 +0000 +Subject: [PATCH] io_uring/rsrc: reject zero-length fixed buffer import + +JIRA: https://redhat.atlassian.net/browse/RHEL-172557 +CVE: CVE-2026-43006 + +commit 111a12b422a8cfa93deabaef26fec48237163214 +Author: Qi Tang +Date: Mon Mar 30 00:49:36 2026 +0800 + + io_uring/rsrc: reject zero-length fixed buffer import + + validate_fixed_range() admits buf_addr at the exact end of the + registered region when len is zero, because the check uses strict + greater-than (buf_end > imu->ubuf + imu->len). io_import_fixed() + then computes offset == imu->len, which causes the bvec skip logic + to advance past the last bio_vec entry and read bv_offset from + out-of-bounds slab memory. + + Return early from io_import_fixed() when len is zero. A zero-length + import has no data to transfer and should not walk the bvec array + at all. + + BUG: KASAN: slab-out-of-bounds in io_import_reg_buf+0x697/0x7f0 + Read of size 4 at addr ffff888002bcc254 by task poc/103 + Call Trace: + io_import_reg_buf+0x697/0x7f0 + io_write_fixed+0xd9/0x250 + __io_issue_sqe+0xad/0x710 + io_issue_sqe+0x7d/0x1100 + io_submit_sqes+0x86a/0x23c0 + __do_sys_io_uring_enter+0xa98/0x1590 + Allocated by task 103: + The buggy address is located 12 bytes to the right of + allocated 584-byte region [ffff888002bcc000, ffff888002bcc248) + + Fixes: 8622b20f23ed ("io_uring: add validate_fixed_range() for validate fixed buffer") + Signed-off-by: Qi Tang + Link: https://patch.msgid.link/20260329164936.240871-1-tpluszz77@gmail.com + Signed-off-by: Jens Axboe + +Signed-off-by: CKI Backport Bot + +diff --git a/io_uring/rsrc.c b/io_uring/rsrc.c +index 5b40f7992e41..3f0a7c0efd25 100644 +--- a/io_uring/rsrc.c ++++ b/io_uring/rsrc.c +@@ -1072,6 +1072,10 @@ static int io_import_fixed(int ddir, struct iov_iter *iter, + return ret; + if (!(imu->dir & (1 << ddir))) + return -EFAULT; ++ if (unlikely(!len)) { ++ iov_iter_bvec(iter, ddir, NULL, 0, 0); ++ return 0; ++ } + + offset = buf_addr - imu->ubuf; + +-- +2.50.1 (Apple Git-155) + diff --git a/1219-netfilter-nf-conntrack-helper-pass-helper-to-expect-cleanup.patch b/1219-netfilter-nf-conntrack-helper-pass-helper-to-expect-cleanup.patch new file mode 100644 index 000000000..80f00c4b5 --- /dev/null +++ b/1219-netfilter-nf-conntrack-helper-pass-helper-to-expect-cleanup.patch @@ -0,0 +1,58 @@ +From 2c16e4d64dd91227742dfe196a3e7b0568bef65a Mon Sep 17 00:00:00 2001 +From: Qi Tang +Date: Mon, 30 Mar 2026 00:50:36 +0800 +Subject: [PATCH] netfilter: nf_conntrack_helper: pass helper to expect cleanup + +[ Upstream commit a242a9ae58aa46ff7dae51ce64150a93957abe65 ] + +nf_conntrack_helper_unregister() calls nf_ct_expect_iterate_destroy() +to remove expectations belonging to the helper being unregistered. +However, it passes NULL instead of the helper pointer as the data +argument, so expect_iter_me() never matches any expectation and all +of them survive the cleanup. + +After unregister returns, nfnl_cthelper_del() frees the helper +object immediately. Subsequent expectation dumps or packet-driven +init_conntrack() calls then dereference the freed exp->helper, +causing a use-after-free. + +Pass the actual helper pointer so expectations referencing it are +properly destroyed before the helper object is freed. + + BUG: KASAN: slab-use-after-free in string+0x38f/0x430 + Read of size 1 at addr ffff888003b14d20 by task poc/103 + Call Trace: + string+0x38f/0x430 + vsnprintf+0x3cc/0x1170 + seq_printf+0x17a/0x240 + exp_seq_show+0x2e5/0x560 + seq_read_iter+0x419/0x1280 + proc_reg_read+0x1ac/0x270 + vfs_read+0x179/0x930 + ksys_read+0xef/0x1c0 + Freed by task 103: + The buggy address is located 32 bytes inside of + freed 192-byte region [ffff888003b14d00, ffff888003b14dc0) + +Fixes: ac7b84839003 ("netfilter: expect: add and use nf_ct_expect_iterate helpers") +Signed-off-by: Qi Tang +Reviewed-by: Phil Sutter +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin + +diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c +index ceb48c3ca0a4..9d7d36ac8308 100644 +--- a/net/netfilter/nf_conntrack_helper.c ++++ b/net/netfilter/nf_conntrack_helper.c +@@ -419,7 +419,7 @@ void nf_conntrack_helper_unregister(struct nf_conntrack_helper *me) + */ + synchronize_rcu(); + +- nf_ct_expect_iterate_destroy(expect_iter_me, NULL); ++ nf_ct_expect_iterate_destroy(expect_iter_me, me); + nf_ct_iterate_destroy(unhelp, me); + } + EXPORT_SYMBOL_GPL(nf_conntrack_helper_unregister); +-- +2.50.1 (Apple Git-155) + diff --git a/1220-hid-wacom-fix-out-of-bounds-read-in-wacom-intuos-bt-irq.patch b/1220-hid-wacom-fix-out-of-bounds-read-in-wacom-intuos-bt-irq.patch new file mode 100644 index 000000000..dfc1c8cc4 --- /dev/null +++ b/1220-hid-wacom-fix-out-of-bounds-read-in-wacom-intuos-bt-irq.patch @@ -0,0 +1,63 @@ +From 210b53b805eca1a334bcb30d2d1899e7a4a5c927 Mon Sep 17 00:00:00 2001 +From: CKI Backport Bot +Date: Fri, 1 May 2026 19:07:14 +0000 +Subject: [PATCH] HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +JIRA: https://redhat.atlassian.net/browse/RHEL-172748 +CVE: CVE-2026-43051 + +commit 2f1763f62909ccb6386ac50350fa0abbf5bb16a9 +Author: Benoît Sevens +Date: Tue Mar 3 13:58:28 2026 +0000 + + HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq + + The wacom_intuos_bt_irq() function processes Bluetooth HID reports + without sufficient bounds checking. A maliciously crafted short report + can trigger an out-of-bounds read when copying data into the wacom + structure. + + Specifically, report 0x03 requires at least 22 bytes to safely read + the processed data and battery status, while report 0x04 (which + falls through to 0x03) requires 32 bytes. + + Add explicit length checks for these report IDs and log a warning if + a short report is received. + + Signed-off-by: Benoît Sevens + Reviewed-by: Jason Gerecke + Signed-off-by: Jiri Kosina + +Signed-off-by: CKI Backport Bot + +diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c +index 9b2c710f8da1..da1f0ea85625 100644 +--- a/drivers/hid/wacom_wac.c ++++ b/drivers/hid/wacom_wac.c +@@ -1208,10 +1208,20 @@ static int wacom_intuos_bt_irq(struct wacom_wac *wacom, size_t len) + + switch (data[0]) { + case 0x04: ++ if (len < 32) { ++ dev_warn(wacom->pen_input->dev.parent, ++ "Report 0x04 too short: %zu bytes\n", len); ++ break; ++ } + wacom_intuos_bt_process_data(wacom, data + i); + i += 10; + fallthrough; + case 0x03: ++ if (i == 1 && len < 22) { ++ dev_warn(wacom->pen_input->dev.parent, ++ "Report 0x03 too short: %zu bytes\n", len); ++ break; ++ } + wacom_intuos_bt_process_data(wacom, data + i); + i += 10; + wacom_intuos_bt_process_data(wacom, data + i); +-- +2.50.1 (Apple Git-155) + diff --git a/1221-redhat-configs-enable-config-aqtion-on-all-archs.patch b/1221-redhat-configs-enable-config-aqtion-on-all-archs.patch new file mode 100644 index 000000000..bd1a4073f --- /dev/null +++ b/1221-redhat-configs-enable-config-aqtion-on-all-archs.patch @@ -0,0 +1,41 @@ +From fc27138508fcc8346d22d229d55424ee4f54d2b5 Mon Sep 17 00:00:00 2001 +From: Michal Schmidt +Date: Tue, 27 Jan 2026 14:57:53 +0100 +Subject: [PATCH] redhat/configs: enable CONFIG_AQTION on all archs + +JIRA: https://issues.redhat.com/browse/RHEL-150852 +Upstream status: Posted https://gitlab.com/cki-project/kernel-ark/-/merge_requests/4391 + +The Aquantia "atlantic" network driver was previously enabled in RHEL +only for x86 and automotive aarch64. We know of at least one +non-automotive aarch64 computer model that needs this driver. + +Let's just enable the driver for all archs, because it's not typical to +have NIC drivers selected for only some of them. + +No more is there a difference between the fedora and rhel config for +CONFIG_AQTION, so put it in common. + +Signed-off-by: Michal Schmidt + +diff --git a/redhat/configs/rhel/automotive/generic/arm/aarch64/CONFIG_AQTION b/redhat/configs/common/generic/CONFIG_AQTION +similarity index 100% +rename from redhat/configs/rhel/automotive/generic/arm/aarch64/CONFIG_AQTION +rename to redhat/configs/common/generic/CONFIG_AQTION +diff --git a/redhat/configs/rhel/generic/CONFIG_AQTION b/redhat/configs/rhel/generic/CONFIG_AQTION +deleted file mode 100644 +index 42dea55ccf3b..000000000000 +--- a/redhat/configs/rhel/generic/CONFIG_AQTION ++++ /dev/null +@@ -1 +0,0 @@ +-# CONFIG_AQTION is not set +diff --git a/redhat/configs/rhel/generic/x86/CONFIG_AQTION b/redhat/configs/rhel/generic/x86/CONFIG_AQTION +deleted file mode 100644 +index 7812ca016377..000000000000 +--- a/redhat/configs/rhel/generic/x86/CONFIG_AQTION ++++ /dev/null +@@ -1 +0,0 @@ +-CONFIG_AQTION=m +-- +2.50.1 (Apple Git-155) + diff --git a/1222-wifi-brcmfmac-validate-bsscfg-indices-in-if-events.patch b/1222-wifi-brcmfmac-validate-bsscfg-indices-in-if-events.patch new file mode 100644 index 000000000..d936c7a40 --- /dev/null +++ b/1222-wifi-brcmfmac-validate-bsscfg-indices-in-if-events.patch @@ -0,0 +1,40 @@ +From 9fca68c2512a362cad258e4df12a307bb2ee4b8e Mon Sep 17 00:00:00 2001 +From: Pengpeng Hou +Date: Mon, 23 Mar 2026 15:45:51 +0800 +Subject: [PATCH] wifi: brcmfmac: validate bsscfg indices in IF events + +[ Upstream commit 304950a467d83678bd0b0f46331882e2ac23b12d ] + +brcmf_fweh_handle_if_event() validates the firmware-provided interface +index before it touches drvr->iflist[], but it still uses the raw +bsscfgidx field as an array index without a matching range check. + +Reject IF events whose bsscfg index does not fit in drvr->iflist[] +before indexing the interface array. + +Signed-off-by: Pengpeng Hou +Acked-by: Arend van Spriel +Link: https://patch.msgid.link/20260323074551.93530-1-pengpeng@iscas.ac.cn +[add missing wifi prefix] +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c +index f0b6a7607f16..0e4461596466 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c +@@ -152,6 +152,11 @@ static void brcmf_fweh_handle_if_event(struct brcmf_pub *drvr, + bphy_err(drvr, "invalid interface index: %u\n", ifevent->ifidx); + return; + } ++ if (ifevent->bsscfgidx >= BRCMF_MAX_IFS) { ++ bphy_err(drvr, "invalid bsscfg index: %u\n", ++ ifevent->bsscfgidx); ++ return; ++ } + + ifp = drvr->iflist[ifevent->bsscfgidx]; + +-- +2.50.1 (Apple Git-155) + diff --git a/1223-netfilter-ctnetlink-ensure-safe-access-to-master-conntrack.patch b/1223-netfilter-ctnetlink-ensure-safe-access-to-master-conntrack.patch new file mode 100644 index 000000000..48b4caef7 --- /dev/null +++ b/1223-netfilter-ctnetlink-ensure-safe-access-to-master-conntrack.patch @@ -0,0 +1,207 @@ +From bffcaad9afdfe45d7fc777397d3b83c1e3ebffe5 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Wed, 25 Mar 2026 14:11:04 +0100 +Subject: [PATCH] netfilter: ctnetlink: ensure safe access to master conntrack + +Holding reference on the expectation is not sufficient, the master +conntrack object can just go away, making exp->master invalid. + +To access exp->master safely: + +- Grab the nf_conntrack_expect_lock, this gets serialized with + clean_from_lists() which also holds this lock when the master + conntrack goes away. + +- Hold reference on master conntrack via nf_conntrack_find_get(). + Not so easy since the master tuple to look up for the master conntrack + is not available in the existing problematic paths. + +This patch goes for extending the nf_conntrack_expect_lock section +to address this issue for simplicity, in the cases that are described +below this is just slightly extending the lock section. + +The add expectation command already holds a reference to the master +conntrack from ctnetlink_create_expect(). + +However, the delete expectation command needs to grab the spinlock +before looking up for the expectation. Expand the existing spinlock +section to address this to cover the expectation lookup. Note that, +the nf_ct_expect_iterate_net() calls already grabs the spinlock while +iterating over the expectation table, which is correct. + +The get expectation command needs to grab the spinlock to ensure master +conntrack does not go away. This also expands the existing spinlock +section to cover the expectation lookup too. I needed to move the +netlink skb allocation out of the spinlock to keep it GFP_KERNEL. + +For the expectation events, the IPEXP_DESTROY event is already delivered +under the spinlock, just move the delivery of IPEXP_NEW under the +spinlock too because the master conntrack event cache is reached through +exp->master. + +While at it, add lockdep notations to help identify what codepaths need +to grab the spinlock. + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso + +diff --git a/include/net/netfilter/nf_conntrack_core.h b/include/net/netfilter/nf_conntrack_core.h +index 3384859a8921..8883575adcc1 100644 +--- a/include/net/netfilter/nf_conntrack_core.h ++++ b/include/net/netfilter/nf_conntrack_core.h +@@ -83,6 +83,11 @@ void nf_conntrack_lock(spinlock_t *lock); + + extern spinlock_t nf_conntrack_expect_lock; + ++static inline void lockdep_nfct_expect_lock_held(void) ++{ ++ lockdep_assert_held(&nf_conntrack_expect_lock); ++} ++ + /* ctnetlink code shared by both ctnetlink and nf_conntrack_bpf */ + + static inline void __nf_ct_set_timeout(struct nf_conn *ct, u64 timeout) +diff --git a/net/netfilter/nf_conntrack_ecache.c b/net/netfilter/nf_conntrack_ecache.c +index 81baf2082604..9df159448b89 100644 +--- a/net/netfilter/nf_conntrack_ecache.c ++++ b/net/netfilter/nf_conntrack_ecache.c +@@ -247,6 +247,8 @@ void nf_ct_expect_event_report(enum ip_conntrack_expect_events event, + struct nf_ct_event_notifier *notify; + struct nf_conntrack_ecache *e; + ++ lockdep_nfct_expect_lock_held(); ++ + rcu_read_lock(); + notify = rcu_dereference(net->ct.nf_conntrack_event_cb); + if (!notify) +diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c +index 64977db12b1d..1cbe5f1108c2 100644 +--- a/net/netfilter/nf_conntrack_expect.c ++++ b/net/netfilter/nf_conntrack_expect.c +@@ -51,6 +51,7 @@ void nf_ct_unlink_expect_report(struct nf_conntrack_expect *exp, + struct net *net = nf_ct_exp_net(exp); + struct nf_conntrack_net *cnet; + ++ lockdep_nfct_expect_lock_held(); + WARN_ON(!master_help); + WARN_ON(timer_pending(&exp->timeout)); + +@@ -118,6 +119,8 @@ nf_ct_exp_equal(const struct nf_conntrack_tuple *tuple, + + bool nf_ct_remove_expect(struct nf_conntrack_expect *exp) + { ++ lockdep_nfct_expect_lock_held(); ++ + if (timer_delete(&exp->timeout)) { + nf_ct_unlink_expect(exp); + nf_ct_expect_put(exp); +@@ -177,6 +180,8 @@ nf_ct_find_expectation(struct net *net, + struct nf_conntrack_expect *i, *exp = NULL; + unsigned int h; + ++ lockdep_nfct_expect_lock_held(); ++ + if (!cnet->expect_count) + return NULL; + +@@ -454,6 +459,8 @@ static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect, + unsigned int h; + int ret = 0; + ++ lockdep_nfct_expect_lock_held(); ++ + if (!master_help) { + ret = -ESHUTDOWN; + goto out; +@@ -510,8 +517,9 @@ int nf_ct_expect_related_report(struct nf_conntrack_expect *expect, + + nf_ct_expect_insert(expect); + +- spin_unlock_bh(&nf_conntrack_expect_lock); + nf_ct_expect_event_report(IPEXP_NEW, expect, portid, report); ++ spin_unlock_bh(&nf_conntrack_expect_lock); ++ + return 0; + out: + spin_unlock_bh(&nf_conntrack_expect_lock); +diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c +index 8477c3736432..89540112d165 100644 +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -3355,31 +3355,37 @@ static int ctnetlink_get_expect(struct sk_buff *skb, + if (err < 0) + return err; + ++ skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); ++ if (!skb2) ++ return -ENOMEM; ++ ++ spin_lock_bh(&nf_conntrack_expect_lock); + exp = nf_ct_expect_find_get(info->net, &zone, &tuple); +- if (!exp) ++ if (!exp) { ++ spin_unlock_bh(&nf_conntrack_expect_lock); ++ kfree_skb(skb2); + return -ENOENT; ++ } + + if (cda[CTA_EXPECT_ID]) { + __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]); + + if (id != nf_expect_get_id(exp)) { + nf_ct_expect_put(exp); ++ spin_unlock_bh(&nf_conntrack_expect_lock); ++ kfree_skb(skb2); + return -ENOENT; + } + } + +- skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); +- if (!skb2) { +- nf_ct_expect_put(exp); +- return -ENOMEM; +- } +- + rcu_read_lock(); + err = ctnetlink_exp_fill_info(skb2, NETLINK_CB(skb).portid, + info->nlh->nlmsg_seq, IPCTNL_MSG_EXP_NEW, + exp); + rcu_read_unlock(); + nf_ct_expect_put(exp); ++ spin_unlock_bh(&nf_conntrack_expect_lock); ++ + if (err <= 0) { + kfree_skb(skb2); + return -ENOMEM; +@@ -3426,22 +3432,26 @@ static int ctnetlink_del_expect(struct sk_buff *skb, + if (err < 0) + return err; + ++ spin_lock_bh(&nf_conntrack_expect_lock); ++ + /* bump usage count to 2 */ + exp = nf_ct_expect_find_get(info->net, &zone, &tuple); +- if (!exp) ++ if (!exp) { ++ spin_unlock_bh(&nf_conntrack_expect_lock); + return -ENOENT; ++ } + + if (cda[CTA_EXPECT_ID]) { + __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]); + + if (id != nf_expect_get_id(exp)) { + nf_ct_expect_put(exp); ++ spin_unlock_bh(&nf_conntrack_expect_lock); + return -ENOENT; + } + } + + /* after list removal, usage count == 1 */ +- spin_lock_bh(&nf_conntrack_expect_lock); + if (timer_delete(&exp->timeout)) { + nf_ct_unlink_expect_report(exp, NETLINK_CB(skb).portid, + nlmsg_report(info->nlh)); +-- +2.50.1 (Apple Git-155) + diff --git a/1224-netfilter-xt-tcpmss-check-remaining-length-before-reading-op.patch b/1224-netfilter-xt-tcpmss-check-remaining-length-before-reading-op.patch new file mode 100644 index 000000000..05cad53dd --- /dev/null +++ b/1224-netfilter-xt-tcpmss-check-remaining-length-before-reading-op.patch @@ -0,0 +1,38 @@ +From 8b300f726640c48c3edfe9c453334dd801f4b74e Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Mon, 19 Jan 2026 12:30:42 +0100 +Subject: [PATCH] netfilter: xt_tcpmss: check remaining length before reading + optlen + +[ Upstream commit 735ee8582da3d239eb0c7a53adca61b79fb228b3 ] + +Quoting reporter: + In net/netfilter/xt_tcpmss.c (lines 53-68), the TCP option parser reads + op[i+1] directly without validating the remaining option length. + + If the last byte of the option field is not EOL/NOP (0/1), the code attempts + to index op[i+1]. In the case where i + 1 == optlen, this causes an + out-of-bounds read, accessing memory past the optlen boundary + (either reading beyond the stack buffer _opt or the + following payload). + +Reported-by: sungzii +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin + +diff --git a/net/netfilter/xt_tcpmss.c b/net/netfilter/xt_tcpmss.c +index 37704ab01799..0d32d4841cb3 100644 +--- a/net/netfilter/xt_tcpmss.c ++++ b/net/netfilter/xt_tcpmss.c +@@ -61,7 +61,7 @@ tcpmss_mt(const struct sk_buff *skb, struct xt_action_param *par) + return (mssval >= info->mss_min && + mssval <= info->mss_max) ^ info->invert; + } +- if (op[i] < 2) ++ if (op[i] < 2 || i == optlen - 1) + i++; + else + i += op[i+1] ? : 1; +-- +2.50.1 (Apple Git-155) + diff --git a/1225-net-fix-rcu-tasks-stall-in-threaded-busypoll.patch b/1225-net-fix-rcu-tasks-stall-in-threaded-busypoll.patch new file mode 100644 index 000000000..b5effc706 --- /dev/null +++ b/1225-net-fix-rcu-tasks-stall-in-threaded-busypoll.patch @@ -0,0 +1,120 @@ +From 1a86a1f7d88996085934139fa4c063b6299a2dd3 Mon Sep 17 00:00:00 2001 +From: YiFei Zhu +Date: Fri, 27 Feb 2026 22:19:37 +0000 +Subject: [PATCH] net: Fix rcu_tasks stall in threaded busypoll + +I was debugging a NIC driver when I noticed that when I enable +threaded busypoll, bpftrace hangs when starting up. dmesg showed: + + rcu_tasks_wait_gp: rcu_tasks grace period number 85 (since boot) is 10658 jiffies old. + rcu_tasks_wait_gp: rcu_tasks grace period number 85 (since boot) is 40793 jiffies old. + rcu_tasks_wait_gp: rcu_tasks grace period number 85 (since boot) is 131273 jiffies old. + rcu_tasks_wait_gp: rcu_tasks grace period number 85 (since boot) is 402058 jiffies old. + INFO: rcu_tasks detected stalls on tasks: + 00000000769f52cd: .N nvcsw: 2/2 holdout: 1 idle_cpu: -1/64 + task:napi/eth2-8265 state:R running task stack:0 pid:48300 tgid:48300 ppid:2 task_flags:0x208040 flags:0x00004000 + Call Trace: + + ? napi_threaded_poll_loop+0x27c/0x2c0 + ? __pfx_napi_threaded_poll+0x10/0x10 + ? napi_threaded_poll+0x26/0x80 + ? kthread+0xfa/0x240 + ? __pfx_kthread+0x10/0x10 + ? ret_from_fork+0x31/0x50 + ? __pfx_kthread+0x10/0x10 + ? ret_from_fork_asm+0x1a/0x30 + + +The cause is that in threaded busypoll, the main loop is in +napi_threaded_poll rather than napi_threaded_poll_loop, where the +latter rarely iterates more than once within its loop. For +rcu_softirq_qs_periodic inside napi_threaded_poll_loop to report its +qs state, the last_qs must be 100ms behind, and this can't happen +because napi_threaded_poll_loop rarely iterates in threaded busypoll, +and each time napi_threaded_poll_loop is called last_qs is reset to +latest jiffies. + +This patch changes so that in threaded busypoll, last_qs is saved +in the outer napi_threaded_poll, and whether busy_poll_last_qs +is NULL indicates whether napi_threaded_poll_loop is called for +busypoll. This way last_qs would not reset to latest jiffies on +each invocation of napi_threaded_poll_loop. + +Fixes: c18d4b190a46 ("net: Extend NAPI threaded polling to allow kthread based busy polling") +Cc: stable@vger.kernel.org +Signed-off-by: YiFei Zhu +Reviewed-by: Samiullah Khawaja +Link: https://patch.msgid.link/20260227221937.1060857-1-zhuyifei@google.com +Signed-off-by: Paolo Abeni + +diff --git a/net/core/dev.c b/net/core/dev.c +index c1a9f7fdcffa..4af4cf2d63a4 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -7794,11 +7794,12 @@ static int napi_thread_wait(struct napi_struct *napi) + return -1; + } + +-static void napi_threaded_poll_loop(struct napi_struct *napi, bool busy_poll) ++static void napi_threaded_poll_loop(struct napi_struct *napi, ++ unsigned long *busy_poll_last_qs) + { ++ unsigned long last_qs = busy_poll_last_qs ? *busy_poll_last_qs : jiffies; + struct bpf_net_context __bpf_net_ctx, *bpf_net_ctx; + struct softnet_data *sd; +- unsigned long last_qs = jiffies; + + for (;;) { + bool repoll = false; +@@ -7827,12 +7828,12 @@ static void napi_threaded_poll_loop(struct napi_struct *napi, bool busy_poll) + /* When busy poll is enabled, the old packets are not flushed in + * napi_complete_done. So flush them here. + */ +- if (busy_poll) ++ if (busy_poll_last_qs) + gro_flush_normal(&napi->gro, HZ >= 1000); + local_bh_enable(); + + /* Call cond_resched here to avoid watchdog warnings. */ +- if (repoll || busy_poll) { ++ if (repoll || busy_poll_last_qs) { + rcu_softirq_qs_periodic(last_qs); + cond_resched(); + } +@@ -7840,11 +7841,15 @@ static void napi_threaded_poll_loop(struct napi_struct *napi, bool busy_poll) + if (!repoll) + break; + } ++ ++ if (busy_poll_last_qs) ++ *busy_poll_last_qs = last_qs; + } + + static int napi_threaded_poll(void *data) + { + struct napi_struct *napi = data; ++ unsigned long last_qs = jiffies; + bool want_busy_poll; + bool in_busy_poll; + unsigned long val; +@@ -7862,7 +7867,7 @@ static int napi_threaded_poll(void *data) + assign_bit(NAPI_STATE_IN_BUSY_POLL, &napi->state, + want_busy_poll); + +- napi_threaded_poll_loop(napi, want_busy_poll); ++ napi_threaded_poll_loop(napi, want_busy_poll ? &last_qs : NULL); + } + + return 0; +@@ -13175,7 +13180,7 @@ static void run_backlog_napi(unsigned int cpu) + { + struct softnet_data *sd = per_cpu_ptr(&softnet_data, cpu); + +- napi_threaded_poll_loop(&sd->backlog, false); ++ napi_threaded_poll_loop(&sd->backlog, NULL); + } + + static void backlog_napi_setup(unsigned int cpu) +-- +2.50.1 (Apple Git-155) + diff --git a/1226-ice-use-netif-get-num-default-rss-queues.patch b/1226-ice-use-netif-get-num-default-rss-queues.patch new file mode 100644 index 000000000..c4a68c7b2 --- /dev/null +++ b/1226-ice-use-netif-get-num-default-rss-queues.patch @@ -0,0 +1,93 @@ +From 6f111820b89b5076991ab62d7833a48951a09d4c Mon Sep 17 00:00:00 2001 +From: CKI Backport Bot +Date: Thu, 7 May 2026 09:35:56 +0000 +Subject: [PATCH] ice: use netif_get_num_default_rss_queues() + +JIRA: https://redhat.atlassian.net/browse/RHEL-172305 + +commit ee13aa1a2c5a68943a730ddbde300ba11b84229c +Author: Michal Swiatkowski +Date: Thu Oct 30 09:30:53 2025 +0100 + + ice: use netif_get_num_default_rss_queues() + + On some high-core systems (like AMD EPYC Bergamo, Intel Clearwater + Forest) loading ice driver with default values can lead to queue/irq + exhaustion. It will result in no additional resources for SR-IOV. + + In most cases there is no performance reason for more than half + num_cpus(). Limit the default value to it using generic + netif_get_num_default_rss_queues(). + + Still, using ethtool the number of queues can be changed up to + num_online_cpus(). It can be done by calling: + $ethtool -L ethX combined $(nproc) + + This change affects only the default queue amount. + + Reviewed-by: Aleksandr Loktionov + Signed-off-by: Michal Swiatkowski + Tested-by: Rafal Romanowski + Signed-off-by: Tony Nguyen + +Signed-off-by: CKI Backport Bot + +diff --git a/drivers/net/ethernet/intel/ice/ice_irq.c b/drivers/net/ethernet/intel/ice/ice_irq.c +index 30801fd375f0..1d9b2d646474 100644 +--- a/drivers/net/ethernet/intel/ice/ice_irq.c ++++ b/drivers/net/ethernet/intel/ice/ice_irq.c +@@ -106,9 +106,10 @@ static struct ice_irq_entry *ice_get_irq_res(struct ice_pf *pf, + #define ICE_RDMA_AEQ_MSIX 1 + static int ice_get_default_msix_amount(struct ice_pf *pf) + { +- return ICE_MIN_LAN_OICR_MSIX + num_online_cpus() + ++ return ICE_MIN_LAN_OICR_MSIX + netif_get_num_default_rss_queues() + + (test_bit(ICE_FLAG_FD_ENA, pf->flags) ? ICE_FDIR_MSIX : 0) + +- (ice_is_rdma_ena(pf) ? num_online_cpus() + ICE_RDMA_AEQ_MSIX : 0); ++ (ice_is_rdma_ena(pf) ? netif_get_num_default_rss_queues() + ++ ICE_RDMA_AEQ_MSIX : 0); + } + + /** +diff --git a/drivers/net/ethernet/intel/ice/ice_lib.c b/drivers/net/ethernet/intel/ice/ice_lib.c +index 32c2f4c315c7..c8e463e73426 100644 +--- a/drivers/net/ethernet/intel/ice/ice_lib.c ++++ b/drivers/net/ethernet/intel/ice/ice_lib.c +@@ -155,12 +155,14 @@ static void ice_vsi_set_num_desc(struct ice_vsi *vsi) + + static u16 ice_get_rxq_count(struct ice_pf *pf) + { +- return min(ice_get_avail_rxq_count(pf), num_online_cpus()); ++ return min(ice_get_avail_rxq_count(pf), ++ netif_get_num_default_rss_queues()); + } + + static u16 ice_get_txq_count(struct ice_pf *pf) + { +- return min(ice_get_avail_txq_count(pf), num_online_cpus()); ++ return min(ice_get_avail_txq_count(pf), ++ netif_get_num_default_rss_queues()); + } + + /** +@@ -909,13 +911,15 @@ static void ice_vsi_set_rss_params(struct ice_vsi *vsi) + if (vsi->type == ICE_VSI_CHNL) + vsi->rss_size = min_t(u16, vsi->num_rxq, max_rss_size); + else +- vsi->rss_size = min_t(u16, num_online_cpus(), ++ vsi->rss_size = min_t(u16, ++ netif_get_num_default_rss_queues(), + max_rss_size); + vsi->rss_lut_type = ICE_LUT_PF; + break; + case ICE_VSI_SF: + vsi->rss_table_size = ICE_LUT_VSI_SIZE; +- vsi->rss_size = min_t(u16, num_online_cpus(), max_rss_size); ++ vsi->rss_size = min_t(u16, netif_get_num_default_rss_queues(), ++ max_rss_size); + vsi->rss_lut_type = ICE_LUT_VSI; + break; + case ICE_VSI_VF: +-- +2.50.1 (Apple Git-155) + diff --git a/1227-ice-set-max-queues-in-alloc-etherdev-mqs.patch b/1227-ice-set-max-queues-in-alloc-etherdev-mqs.patch new file mode 100644 index 000000000..4eb6839ea --- /dev/null +++ b/1227-ice-set-max-queues-in-alloc-etherdev-mqs.patch @@ -0,0 +1,128 @@ +From 7e7d215f3f0eb53e12f2374ecc7cfe68abda3463 Mon Sep 17 00:00:00 2001 +From: CKI Backport Bot +Date: Thu, 7 May 2026 09:35:57 +0000 +Subject: [PATCH] ice: set max queues in alloc_etherdev_mqs() + +JIRA: https://redhat.atlassian.net/browse/RHEL-172305 + +commit c7fcd269e1e07b2aa4bb37ffce7543c340796433 +Author: Michal Swiatkowski +Date: Mon Feb 23 13:51:57 2026 +0100 + + ice: set max queues in alloc_etherdev_mqs() + + When allocating netdevice using alloc_etherdev_mqs() the maximum + supported queues number should be passed. The vsi->alloc_txq/rxq is + storing current number of queues, not the maximum ones. + + Use the same function for getting max Tx and Rx queues which is used + during ethtool -l call to set maximum number of queues during netdev + allocation. + + Reproduction steps: + $ethtool -l $pf # says current 16, max 64 + $ethtool -S $pf # fine + $ethtool -L $pf combined 40 # crash + + [491187.472594] Call Trace: + [491187.472829] + [491187.473067] netif_set_xps_queue+0x26/0x40 + [491187.473305] ice_vsi_cfg_txq+0x265/0x3d0 [ice] + [491187.473619] ice_vsi_cfg_lan_txqs+0x68/0xa0 [ice] + [491187.473918] ice_vsi_cfg_lan+0x2b/0xa0 [ice] + [491187.474202] ice_vsi_open+0x71/0x170 [ice] + [491187.474484] ice_vsi_recfg_qs+0x17f/0x230 [ice] + [491187.474759] ? dev_get_min_mp_channel_count+0xab/0xd0 + [491187.474987] ice_set_channels+0x185/0x3d0 [ice] + [491187.475278] ethnl_set_channels+0x26f/0x340 + + Fixes: ee13aa1a2c5a ("ice: use netif_get_num_default_rss_queues()") + Reviewed-by: Przemek Kitszel + Signed-off-by: Michal Swiatkowski + Reviewed-by: Simon Horman + Reviewed-by: Paul Menzel + Tested-by: Alexander Nowlin + Signed-off-by: Tony Nguyen + +Signed-off-by: CKI Backport Bot + +diff --git a/drivers/net/ethernet/intel/ice/ice.h b/drivers/net/ethernet/intel/ice/ice.h +index 00f75d87c73f..ae1ebf507f29 100644 +--- a/drivers/net/ethernet/intel/ice/ice.h ++++ b/drivers/net/ethernet/intel/ice/ice.h +@@ -839,6 +839,28 @@ static inline void ice_tx_xsk_pool(struct ice_vsi *vsi, u16 qid) + WRITE_ONCE(ring->xsk_pool, ice_get_xp_from_qid(vsi, qid)); + } + ++/** ++ * ice_get_max_txq - return the maximum number of Tx queues for in a PF ++ * @pf: PF structure ++ * ++ * Return: maximum number of Tx queues ++ */ ++static inline int ice_get_max_txq(struct ice_pf *pf) ++{ ++ return min(num_online_cpus(), pf->hw.func_caps.common_cap.num_txq); ++} ++ ++/** ++ * ice_get_max_rxq - return the maximum number of Rx queues for in a PF ++ * @pf: PF structure ++ * ++ * Return: maximum number of Rx queues ++ */ ++static inline int ice_get_max_rxq(struct ice_pf *pf) ++{ ++ return min(num_online_cpus(), pf->hw.func_caps.common_cap.num_rxq); ++} ++ + /** + * ice_get_main_vsi - Get the PF VSI + * @pf: PF instance +diff --git a/drivers/net/ethernet/intel/ice/ice_ethtool.c b/drivers/net/ethernet/intel/ice/ice_ethtool.c +index e9f2618950c8..33c818226565 100644 +--- a/drivers/net/ethernet/intel/ice/ice_ethtool.c ++++ b/drivers/net/ethernet/intel/ice/ice_ethtool.c +@@ -3756,24 +3756,6 @@ ice_get_ts_info(struct net_device *dev, struct kernel_ethtool_ts_info *info) + return 0; + } + +-/** +- * ice_get_max_txq - return the maximum number of Tx queues for in a PF +- * @pf: PF structure +- */ +-static int ice_get_max_txq(struct ice_pf *pf) +-{ +- return min(num_online_cpus(), pf->hw.func_caps.common_cap.num_txq); +-} +- +-/** +- * ice_get_max_rxq - return the maximum number of Rx queues for in a PF +- * @pf: PF structure +- */ +-static int ice_get_max_rxq(struct ice_pf *pf) +-{ +- return min(num_online_cpus(), pf->hw.func_caps.common_cap.num_rxq); +-} +- + /** + * ice_get_combined_cnt - return the current number of combined channels + * @vsi: PF VSI pointer +diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c +index 27c519918fb2..c77c95e4f5c6 100644 +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -4699,8 +4699,8 @@ static int ice_cfg_netdev(struct ice_vsi *vsi) + struct net_device *netdev; + u8 mac_addr[ETH_ALEN]; + +- netdev = alloc_etherdev_mqs(sizeof(*np), vsi->alloc_txq, +- vsi->alloc_rxq); ++ netdev = alloc_etherdev_mqs(sizeof(*np), ice_get_max_txq(vsi->back), ++ ice_get_max_rxq(vsi->back)); + if (!netdev) + return -ENOMEM; + +-- +2.50.1 (Apple Git-155) + diff --git a/1228-anon-inode-use-a-proper-mode-internally.patch b/1228-anon-inode-use-a-proper-mode-internally.patch new file mode 100644 index 000000000..3b4e1049f --- /dev/null +++ b/1228-anon-inode-use-a-proper-mode-internally.patch @@ -0,0 +1,132 @@ +From ad4c21b7a2a9f224f45989127541560ccf7cdf53 Mon Sep 17 00:00:00 2001 +From: Rafael Aquini +Date: Mon, 11 May 2026 10:39:34 -0400 +Subject: [PATCH] anon_inode: use a proper mode internally + +JIRA: https://issues.redhat.com/browse/RHEL-171616 +Conflicts: + * fs/anon_inodes.c: minor context difference due to RHEL-10 missing unrelated + commit c1feab95e0b2 ("add a string-to-qstr constructor") + * fs/internal.h: minor context difference due to RHEL-10 missing unrelated + commits da06e3c51794 ("fs: don't needlessly acquire f_lock") and + 37c4a9590e1e ("statmount: allow to retrieve idmappings") + +commit cfd86ef7e8e7b9e015707e46479a6b1de141eed0 +Author: Christian Brauner +Date: Mon Apr 7 11:54:15 2025 +0200 + + anon_inode: use a proper mode internally + + This allows the VFS to not trip over anonymous inodes and we can add + asserts based on the mode into the vfs. When we report it to userspace + we can simply hide the mode to avoid regressions. I've audited all + direct callers of alloc_anon_inode() and only secretmen overrides i_mode + and i_op inode operations but it already uses a regular file. + + Link: https://lore.kernel.org/20250407-work-anon_inode-v1-1-53a44c20d44e@kernel.org + Fixes: af153bb63a336 ("vfs: catch invalid modes in may_open()") + Reviewed-by: Jeff Layton + Cc: stable@vger.kernel.org # all LTS kernels + Reported-by: syzbot+5d8e79d323a13aa0b248@syzkaller.appspotmail.com + Closes: https://lore.kernel.org/all/67ed3fb3.050a0220.14623d.0009.GAE@google.com + Signed-off-by: Christian Brauner + +Signed-off-by: Rafael Aquini + +diff --git a/fs/anon_inodes.c b/fs/anon_inodes.c +index 5a070be69922..7c07b22c1d47 100644 +--- a/fs/anon_inodes.c ++++ b/fs/anon_inodes.c +@@ -24,9 +24,43 @@ + + #include + ++#include "internal.h" ++ + static struct vfsmount *anon_inode_mnt __ro_after_init; + static struct inode *anon_inode_inode __ro_after_init; + ++/* ++ * User space expects anonymous inodes to have no file type in st_mode. ++ * ++ * In particular, 'lsof' has this legacy logic: ++ * ++ * type = s->st_mode & S_IFMT; ++ * switch (type) { ++ * ... ++ * case 0: ++ * if (!strcmp(p, "anon_inode")) ++ * Lf->ntype = Ntype = N_ANON_INODE; ++ * ++ * to detect our old anon_inode logic. ++ * ++ * Rather than mess with our internal sane inode data, just fix it ++ * up here in getattr() by masking off the format bits. ++ */ ++int anon_inode_getattr(struct mnt_idmap *idmap, const struct path *path, ++ struct kstat *stat, u32 request_mask, ++ unsigned int query_flags) ++{ ++ struct inode *inode = d_inode(path->dentry); ++ ++ generic_fillattr(&nop_mnt_idmap, request_mask, inode, stat); ++ stat->mode &= ~S_IFMT; ++ return 0; ++} ++ ++static const struct inode_operations anon_inode_operations = { ++ .getattr = anon_inode_getattr, ++}; ++ + /* + * anon_inodefs_dname() is called from d_path(). + */ +@@ -78,6 +112,7 @@ struct inode *anon_inode_make_secure_inode(struct super_block *sb, const char *n + if (IS_ERR(inode)) + return inode; + inode->i_flags &= ~S_PRIVATE; ++ inode->i_op = &anon_inode_operations; + error = security_inode_init_security_anon(inode, &qname, context_inode); + if (error) { + iput(inode); +@@ -326,6 +361,7 @@ static int __init anon_inode_init(void) + anon_inode_inode = alloc_anon_inode(anon_inode_mnt->mnt_sb); + if (IS_ERR(anon_inode_inode)) + panic("anon_inode_init() inode allocation failed (%ld)\n", PTR_ERR(anon_inode_inode)); ++ anon_inode_inode->i_op = &anon_inode_operations; + + return 0; + } +diff --git a/fs/internal.h b/fs/internal.h +index b555366c7974..afa926ccee7e 100644 +--- a/fs/internal.h ++++ b/fs/internal.h +@@ -338,3 +338,6 @@ static inline bool path_mounted(const struct path *path) + return path->mnt->mnt_root == path->dentry; + } + void file_f_owner_release(struct file *file); ++int anon_inode_getattr(struct mnt_idmap *idmap, const struct path *path, ++ struct kstat *stat, u32 request_mask, ++ unsigned int query_flags); +diff --git a/fs/libfs.c b/fs/libfs.c +index 7fd661bb935f..4e9de5aa4d7f 100644 +--- a/fs/libfs.c ++++ b/fs/libfs.c +@@ -1651,7 +1651,13 @@ struct inode *alloc_anon_inode(struct super_block *s) + * that it already _is_ on the dirty list. + */ + inode->i_state = I_DIRTY; +- inode->i_mode = S_IRUSR | S_IWUSR; ++ /* ++ * Historically anonymous inodes didn't have a type at all and ++ * userspace has come to rely on this. Internally they're just ++ * regular files but S_IFREG is masked off when reporting ++ * information to userspace. ++ */ ++ inode->i_mode = S_IFREG | S_IRUSR | S_IWUSR; + inode->i_uid = current_fsuid(); + inode->i_gid = current_fsgid(); + inode->i_flags |= S_PRIVATE; +-- +2.50.1 (Apple Git-155) + diff --git a/1229-pidfs-use-anon-inode-getattr.patch b/1229-pidfs-use-anon-inode-getattr.patch new file mode 100644 index 000000000..0540b9b24 --- /dev/null +++ b/1229-pidfs-use-anon-inode-getattr.patch @@ -0,0 +1,65 @@ +From a858622b427be763192f8557cc9cafa3076d845b Mon Sep 17 00:00:00 2001 +From: Rafael Aquini +Date: Mon, 11 May 2026 10:39:35 -0400 +Subject: [PATCH] pidfs: use anon_inode_getattr() + +JIRA: https://issues.redhat.com/browse/RHEL-171616 + +commit 37e62dafbfaba467975b0a8c11b9ffaa678f8559 +Author: Christian Brauner +Date: Mon Apr 7 11:54:16 2025 +0200 + + pidfs: use anon_inode_getattr() + + So far pidfs did use it's own version. Just use the generic version. We + use our own wrappers because we're going to be implementing our own + retrieval properties soon. + + Link: https://lore.kernel.org/20250407-work-anon_inode-v1-2-53a44c20d44e@kernel.org + Reviewed-by: Jeff Layton + Signed-off-by: Christian Brauner + +Signed-off-by: Rafael Aquini + +diff --git a/fs/pidfs.c b/fs/pidfs.c +index 4a76e19ba7ed..27d6d9328b57 100644 +--- a/fs/pidfs.c ++++ b/fs/pidfs.c +@@ -571,33 +571,11 @@ static int pidfs_setattr(struct mnt_idmap *idmap, struct dentry *dentry, + return -EOPNOTSUPP; + } + +- +-/* +- * User space expects pidfs inodes to have no file type in st_mode. +- * +- * In particular, 'lsof' has this legacy logic: +- * +- * type = s->st_mode & S_IFMT; +- * switch (type) { +- * ... +- * case 0: +- * if (!strcmp(p, "anon_inode")) +- * Lf->ntype = Ntype = N_ANON_INODE; +- * +- * to detect our old anon_inode logic. +- * +- * Rather than mess with our internal sane inode data, just fix it +- * up here in getattr() by masking off the format bits. +- */ + static int pidfs_getattr(struct mnt_idmap *idmap, const struct path *path, + struct kstat *stat, u32 request_mask, + unsigned int query_flags) + { +- struct inode *inode = d_inode(path->dentry); +- +- generic_fillattr(&nop_mnt_idmap, request_mask, inode, stat); +- stat->mode &= ~S_IFMT; +- return 0; ++ return anon_inode_getattr(idmap, path, stat, request_mask, query_flags); + } + + static const struct inode_operations pidfs_inode_operations = { +-- +2.50.1 (Apple Git-155) + diff --git a/1230-anon-inode-explicitly-block-setattr.patch b/1230-anon-inode-explicitly-block-setattr.patch new file mode 100644 index 000000000..8b2dbda2f --- /dev/null +++ b/1230-anon-inode-explicitly-block-setattr.patch @@ -0,0 +1,93 @@ +From b71e05c047c7f227e96201fa4eb9e4929ac96deb Mon Sep 17 00:00:00 2001 +From: Rafael Aquini +Date: Mon, 11 May 2026 10:39:35 -0400 +Subject: [PATCH] anon_inode: explicitly block ->setattr() + +JIRA: https://issues.redhat.com/browse/RHEL-171616 + +commit 22bdf3d6581af6d06ed8a46c6835648421cca0ea +Author: Christian Brauner +Date: Mon Apr 7 11:54:17 2025 +0200 + + anon_inode: explicitly block ->setattr() + + It is currently possible to change the mode and owner of the single + anonymous inode in the kernel: + + int main(int argc, char *argv[]) + { + int ret, sfd; + sigset_t mask; + struct signalfd_siginfo fdsi; + + sigemptyset(&mask); + sigaddset(&mask, SIGINT); + sigaddset(&mask, SIGQUIT); + + ret = sigprocmask(SIG_BLOCK, &mask, NULL); + if (ret < 0) + _exit(1); + + sfd = signalfd(-1, &mask, 0); + if (sfd < 0) + _exit(2); + + ret = fchown(sfd, 5555, 5555); + if (ret < 0) + _exit(3); + + ret = fchmod(sfd, 0777); + if (ret < 0) + _exit(3); + + _exit(4); + } + + This is a bug. It's not really a meaningful one because anonymous inodes + don't really figure into path lookup and they cannot be reopened via + /proc//fd/ and can't be used for lookup itself. So they can + only ever serve as direct references. + + But it is still completely bogus to allow the mode and ownership or any + of the properties of the anonymous inode to be changed. Block this! + + Link: https://lore.kernel.org/20250407-work-anon_inode-v1-3-53a44c20d44e@kernel.org + Reviewed-by: Jeff Layton + Cc: stable@vger.kernel.org # all LTS kernels + Signed-off-by: Christian Brauner + +Signed-off-by: Rafael Aquini + +diff --git a/fs/anon_inodes.c b/fs/anon_inodes.c +index 7c07b22c1d47..344355616d3a 100644 +--- a/fs/anon_inodes.c ++++ b/fs/anon_inodes.c +@@ -57,8 +57,15 @@ int anon_inode_getattr(struct mnt_idmap *idmap, const struct path *path, + return 0; + } + ++int anon_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry, ++ struct iattr *attr) ++{ ++ return -EOPNOTSUPP; ++} ++ + static const struct inode_operations anon_inode_operations = { + .getattr = anon_inode_getattr, ++ .setattr = anon_inode_setattr, + }; + + /* +diff --git a/fs/internal.h b/fs/internal.h +index afa926ccee7e..dd13dfde4adb 100644 +--- a/fs/internal.h ++++ b/fs/internal.h +@@ -341,3 +341,5 @@ void file_f_owner_release(struct file *file); + int anon_inode_getattr(struct mnt_idmap *idmap, const struct path *path, + struct kstat *stat, u32 request_mask, + unsigned int query_flags); ++int anon_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry, ++ struct iattr *attr); +-- +2.50.1 (Apple Git-155) + diff --git a/1231-pidfs-use-anon-inode-setattr.patch b/1231-pidfs-use-anon-inode-setattr.patch new file mode 100644 index 000000000..bf4d87918 --- /dev/null +++ b/1231-pidfs-use-anon-inode-setattr.patch @@ -0,0 +1,39 @@ +From 28d6f8e1f875929ce59405c0b04fa0a5ec700a4e Mon Sep 17 00:00:00 2001 +From: Rafael Aquini +Date: Mon, 11 May 2026 10:39:35 -0400 +Subject: [PATCH] pidfs: use anon_inode_setattr() + +JIRA: https://issues.redhat.com/browse/RHEL-171616 + +commit c83b9024966090fe0df92aab16975b8d00089e1f +Author: Christian Brauner +Date: Mon Apr 7 11:54:18 2025 +0200 + + pidfs: use anon_inode_setattr() + + So far pidfs did use it's own version. Just use the generic version. + We use our own wrappers because we're going to be implementing + properties soon. + + Link: https://lore.kernel.org/20250407-work-anon_inode-v1-4-53a44c20d44e@kernel.org + Reviewed-by: Jeff Layton + Signed-off-by: Christian Brauner + +Signed-off-by: Rafael Aquini + +diff --git a/fs/pidfs.c b/fs/pidfs.c +index 27d6d9328b57..d6c0ed79ea24 100644 +--- a/fs/pidfs.c ++++ b/fs/pidfs.c +@@ -568,7 +568,7 @@ static struct vfsmount *pidfs_mnt __ro_after_init; + static int pidfs_setattr(struct mnt_idmap *idmap, struct dentry *dentry, + struct iattr *attr) + { +- return -EOPNOTSUPP; ++ return anon_inode_setattr(idmap, dentry, attr); + } + + static int pidfs_getattr(struct mnt_idmap *idmap, const struct path *path, +-- +2.50.1 (Apple Git-155) + diff --git a/1232-anon-inode-raise-sb-i-nodev-and-sb-i-noexec.patch b/1232-anon-inode-raise-sb-i-nodev-and-sb-i-noexec.patch new file mode 100644 index 000000000..dda4c52f5 --- /dev/null +++ b/1232-anon-inode-raise-sb-i-nodev-and-sb-i-noexec.patch @@ -0,0 +1,51 @@ +From d4ba40dd8868449ba10ac26798718c4e0336a241 Mon Sep 17 00:00:00 2001 +From: Rafael Aquini +Date: Mon, 11 May 2026 10:39:36 -0400 +Subject: [PATCH] anon_inode: raise SB_I_NODEV and SB_I_NOEXEC + +JIRA: https://issues.redhat.com/browse/RHEL-171616 + +commit 1ed95281c0c77dbb1540f9855cd3c5f19900f7a5 +Author: Christian Brauner +Date: Mon Apr 7 11:54:19 2025 +0200 + + anon_inode: raise SB_I_NODEV and SB_I_NOEXEC + + It isn't possible to execute anonymous inodes because they cannot be + opened in any way after they have been created. This includes execution: + + execveat(fd_anon_inode, "", NULL, NULL, AT_EMPTY_PATH) + + Anonymous inodes have inode->f_op set to no_open_fops which sets + no_open() which returns ENXIO. That means any call to do_dentry_open() + which is the endpoint of the do_open_execat() will fail. There's no + chance to execute an anonymous inode. Unless a given subsystem overrides + it ofc. + + However, we should still harden this and raise SB_I_NODEV and + SB_I_NOEXEC on the superblock itself so that no one gets any creative + ideas. + + Link: https://lore.kernel.org/20250407-work-anon_inode-v1-5-53a44c20d44e@kernel.org + Reviewed-by: Jeff Layton + Cc: stable@vger.kernel.org # all LTS kernels + Signed-off-by: Christian Brauner + +Signed-off-by: Rafael Aquini + +diff --git a/fs/anon_inodes.c b/fs/anon_inodes.c +index 344355616d3a..b3445f5c8544 100644 +--- a/fs/anon_inodes.c ++++ b/fs/anon_inodes.c +@@ -86,6 +86,8 @@ static int anon_inodefs_init_fs_context(struct fs_context *fc) + struct pseudo_fs_context *ctx = init_pseudo(fc, ANON_INODE_FS_MAGIC); + if (!ctx) + return -ENOMEM; ++ fc->s_iflags |= SB_I_NOEXEC; ++ fc->s_iflags |= SB_I_NODEV; + ctx->dops = &anon_inodefs_dentry_operations; + return 0; + } +-- +2.50.1 (Apple Git-155) + diff --git a/1233-fs-add-s-anon-inode.patch b/1233-fs-add-s-anon-inode.patch new file mode 100644 index 000000000..e274854a3 --- /dev/null +++ b/1233-fs-add-s-anon-inode.patch @@ -0,0 +1,170 @@ +From 0e6f0c4069e34ae66ce960879b5a88ae0ce9aab8 Mon Sep 17 00:00:00 2001 +From: Rafael Aquini +Date: Mon, 11 May 2026 10:39:37 -0400 +Subject: [PATCH] fs: add S_ANON_INODE + +JIRA: https://issues.redhat.com/browse/RHEL-171616 +Conflicts: + * mm/readahead.c: in order to reduce differences and make the porting cleaner + we are folding the hunk from 6348be02eead ("fdget(), trivial conversions") + +commit 19bbfe7b5fcc04d8711e8e1352acc77c1a5c3955 +Author: Christian Brauner +Date: Mon Apr 21 10:27:40 2025 +0200 + + fs: add S_ANON_INODE + + This makes it easy to detect proper anonymous inodes and to ensure that + we can detect them in codepaths such as readahead(). + + Readahead on anonymous inodes didn't work because they didn't have a + proper mode. Now that they have we need to retain EINVAL being returned + otherwise LTP will fail. + + We also need to ensure that ioctls aren't simply fired like they are for + regular files so things like inotify inodes continue to correctly call + their own ioctl handlers as in [1]. + + Reported-by: Xilin Wu + Link: https://lore.kernel.org/3A9139D5CD543962+89831381-31b9-4392-87ec-a84a5b3507d8@radxa.com [1] + Link: https://lore.kernel.org/7a1a7076-ff6b-4cb0-94e7-7218a0a44028@sirena.org.uk + Signed-off-by: Christian Brauner + +Signed-off-by: Rafael Aquini + +diff --git a/fs/ioctl.c b/fs/ioctl.c +index 6e0c954388d4..4dbd5627af8f 100644 +--- a/fs/ioctl.c ++++ b/fs/ioctl.c +@@ -822,7 +822,8 @@ static int do_vfs_ioctl(struct file *filp, unsigned int fd, + return ioctl_fioasync(fd, filp, argp); + + case FIOQSIZE: +- if (S_ISDIR(inode->i_mode) || S_ISREG(inode->i_mode) || ++ if (S_ISDIR(inode->i_mode) || ++ (S_ISREG(inode->i_mode) && !IS_ANON_FILE(inode)) || + S_ISLNK(inode->i_mode)) { + loff_t res = inode_get_bytes(inode); + return copy_to_user(argp, &res, sizeof(res)) ? +@@ -857,7 +858,7 @@ static int do_vfs_ioctl(struct file *filp, unsigned int fd, + return ioctl_file_dedupe_range(filp, argp); + + case FIONREAD: +- if (!S_ISREG(inode->i_mode)) ++ if (!S_ISREG(inode->i_mode) || IS_ANON_FILE(inode)) + return vfs_ioctl(filp, cmd, arg); + + return put_user(i_size_read(inode) - filp->f_pos, +@@ -882,7 +883,7 @@ static int do_vfs_ioctl(struct file *filp, unsigned int fd, + return ioctl_get_fs_sysfs_path(filp, argp); + + default: +- if (S_ISREG(inode->i_mode)) ++ if (S_ISREG(inode->i_mode) && !IS_ANON_FILE(inode)) + return file_ioctl(filp, cmd, argp); + break; + } +diff --git a/fs/libfs.c b/fs/libfs.c +index 4e9de5aa4d7f..c4a305967619 100644 +--- a/fs/libfs.c ++++ b/fs/libfs.c +@@ -1660,7 +1660,7 @@ struct inode *alloc_anon_inode(struct super_block *s) + inode->i_mode = S_IFREG | S_IRUSR | S_IWUSR; + inode->i_uid = current_fsuid(); + inode->i_gid = current_fsgid(); +- inode->i_flags |= S_PRIVATE; ++ inode->i_flags |= S_PRIVATE | S_ANON_INODE; + simple_inode_init_ts(inode); + return inode; + } +diff --git a/fs/pidfs.c b/fs/pidfs.c +index d6c0ed79ea24..7e10fac8e623 100644 +--- a/fs/pidfs.c ++++ b/fs/pidfs.c +@@ -804,7 +804,7 @@ static int pidfs_init_inode(struct inode *inode, void *data) + const struct pid *pid = data; + + inode->i_private = data; +- inode->i_flags |= S_PRIVATE; ++ inode->i_flags |= S_PRIVATE | S_ANON_INODE; + inode->i_mode |= S_IRWXU; + inode->i_op = &pidfs_inode_operations; + inode->i_fop = &pidfs_file_operations; +diff --git a/include/linux/fs.h b/include/linux/fs.h +index 3e14c4eb64f4..fa47510429f0 100644 +--- a/include/linux/fs.h ++++ b/include/linux/fs.h +@@ -2319,6 +2319,7 @@ struct super_operations { + #define S_CASEFOLD (1 << 15) /* Casefolded file */ + #define S_VERITY (1 << 16) /* Verity file (using fs/verity/) */ + #define S_KERNEL_FILE (1 << 17) /* File is in use by the kernel (eg. fs/cachefiles) */ ++#define S_ANON_INODE (1 << 19) /* Inode is an anonymous inode */ + + /* + * Note that nosuid etc flags are inode-specific: setting some file-system +@@ -2375,6 +2376,7 @@ static inline bool sb_rdonly(const struct super_block *sb) { return sb->s_flags + + #define IS_WHITEOUT(inode) (S_ISCHR(inode->i_mode) && \ + (inode)->i_rdev == WHITEOUT_DEV) ++#define IS_ANON_FILE(inode) ((inode)->i_flags & S_ANON_INODE) + + static inline bool HAS_UNMAPPED_ID(struct mnt_idmap *idmap, + struct inode *inode) +diff --git a/mm/readahead.c b/mm/readahead.c +index 2dbe5993b6aa..a3547f923249 100644 +--- a/mm/readahead.c ++++ b/mm/readahead.c +@@ -678,29 +678,34 @@ EXPORT_SYMBOL_GPL(page_cache_async_ra); + + ssize_t ksys_readahead(int fd, loff_t offset, size_t count) + { +- ssize_t ret; +- struct fd f; ++ struct file *file; ++ const struct inode *inode; + +- ret = -EBADF; +- f = fdget(fd); +- if (!fd_file(f) || !(fd_file(f)->f_mode & FMODE_READ)) +- goto out; ++ CLASS(fd, f)(fd); ++ if (fd_empty(f)) ++ return -EBADF; ++ ++ file = fd_file(f); ++ if (!(file->f_mode & FMODE_READ)) ++ return -EBADF; + + /* + * The readahead() syscall is intended to run only on files + * that can execute readahead. If readahead is not possible + * on this file, then we must return -EINVAL. + */ +- ret = -EINVAL; +- if (!fd_file(f)->f_mapping || !fd_file(f)->f_mapping->a_ops || +- (!S_ISREG(file_inode(fd_file(f))->i_mode) && +- !S_ISBLK(file_inode(fd_file(f))->i_mode))) +- goto out; +- +- ret = vfs_fadvise(fd_file(f), offset, count, POSIX_FADV_WILLNEED); +-out: +- fdput(f); +- return ret; ++ if (!file->f_mapping) ++ return -EINVAL; ++ if (!file->f_mapping->a_ops) ++ return -EINVAL; ++ ++ inode = file_inode(file); ++ if (!S_ISREG(inode->i_mode) && !S_ISBLK(inode->i_mode)) ++ return -EINVAL; ++ if (IS_ANON_FILE(inode)) ++ return -EINVAL; ++ ++ return vfs_fadvise(fd_file(f), offset, count, POSIX_FADV_WILLNEED); + } + + SYSCALL_DEFINE3(readahead, int, fd, loff_t, offset, size_t, count) +-- +2.50.1 (Apple Git-155) + diff --git a/1234-mm-thp-deny-thp-for-files-on-anonymous-inodes.patch b/1234-mm-thp-deny-thp-for-files-on-anonymous-inodes.patch new file mode 100644 index 000000000..ba850dda8 --- /dev/null +++ b/1234-mm-thp-deny-thp-for-files-on-anonymous-inodes.patch @@ -0,0 +1,99 @@ +From 48e45ffbeff0fbb5ef475a31ae664106312862a6 Mon Sep 17 00:00:00 2001 +From: Rafael Aquini +Date: Mon, 11 May 2026 10:39:39 -0400 +Subject: [PATCH] mm: thp: deny THP for files on anonymous inodes + +JIRA: https://issues.redhat.com/browse/RHEL-171616 +CVE: CVE-2026-23375 + +commit dd085fe9a8ebfc5d10314c60452db38d2b75e609 +Author: Deepanshu Kartikey +Date: Sat Feb 14 05:45:35 2026 +0530 + + mm: thp: deny THP for files on anonymous inodes + + file_thp_enabled() incorrectly allows THP for files on anonymous inodes + (e.g. guest_memfd and secretmem). These files are created via + alloc_file_pseudo(), which does not call get_write_access() and leaves + inode->i_writecount at 0. Combined with S_ISREG(inode->i_mode) being + true, they appear as read-only regular files when + CONFIG_READ_ONLY_THP_FOR_FS is enabled, making them eligible for THP + collapse. + + Anonymous inodes can never pass the inode_is_open_for_write() check + since their i_writecount is never incremented through the normal VFS + open path. The right thing to do is to exclude them from THP eligibility + altogether, since CONFIG_READ_ONLY_THP_FOR_FS was designed for real + filesystem files (e.g. shared libraries), not for pseudo-filesystem + inodes. + + For guest_memfd, this allows khugepaged and MADV_COLLAPSE to create + large folios in the page cache via the collapse path, but the + guest_memfd fault handler does not support large folios. This triggers + WARN_ON_ONCE(folio_test_large(folio)) in kvm_gmem_fault_user_mapping(). + + For secretmem, collapse_file() tries to copy page contents through the + direct map, but secretmem pages are removed from the direct map. This + can result in a kernel crash: + + BUG: unable to handle page fault for address: ffff88810284d000 + RIP: 0010:memcpy_orig+0x16/0x130 + Call Trace: + collapse_file + hpage_collapse_scan_file + madvise_collapse + + Secretmem is not affected by the crash on upstream as the memory failure + recovery handles the failed copy gracefully, but it still triggers + confusing false memory failure reports: + + Memory failure: 0x106d96f: recovery action for clean unevictable + LRU page: Recovered + + Check IS_ANON_FILE(inode) in file_thp_enabled() to deny THP for all + anonymous inode files. + + Link: https://syzkaller.appspot.com/bug?extid=33a04338019ac7e43a44 + Link: https://lore.kernel.org/linux-mm/CAEvNRgHegcz3ro35ixkDw39ES8=U6rs6S7iP0gkR9enr7HoGtA@mail.gmail.com + Link: https://lkml.kernel.org/r/20260214001535.435626-1-kartikey406@gmail.com + Fixes: 7fbb5e188248 ("mm: remove VM_EXEC requirement for THP eligibility") + Signed-off-by: Deepanshu Kartikey + Reported-by: syzbot+33a04338019ac7e43a44@syzkaller.appspotmail.com + Closes: https://syzkaller.appspot.com/bug?extid=33a04338019ac7e43a44 + Tested-by: syzbot+33a04338019ac7e43a44@syzkaller.appspotmail.com + Tested-by: Lance Yang + Acked-by: David Hildenbrand (Arm) + Reviewed-by: Barry Song + Reviewed-by: Ackerley Tng + Tested-by: Ackerley Tng + Reviewed-by: Lorenzo Stoakes + Cc: Baolin Wang + Cc: Dev Jain + Cc: Fangrui Song + Cc: Liam Howlett + Cc: Nico Pache + Cc: Ryan Roberts + Cc: Yang Shi + Cc: Zi Yan + Cc: + Signed-off-by: Andrew Morton + +Signed-off-by: Rafael Aquini + +diff --git a/mm/huge_memory.c b/mm/huge_memory.c +index 832dafc300cd..3b996dedfeae 100644 +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -95,6 +95,9 @@ static inline bool file_thp_enabled(struct vm_area_struct *vma) + + inode = file_inode(vma->vm_file); + ++ if (IS_ANON_FILE(inode)) ++ return false; ++ + return !inode_is_open_for_write(inode) && S_ISREG(inode->i_mode); + } + +-- +2.50.1 (Apple Git-155) + diff --git a/1235-dpaa2-switch-prevent-zero-size-ptr-dereference-when-num-ifs-.patch b/1235-dpaa2-switch-prevent-zero-size-ptr-dereference-when-num-ifs-.patch new file mode 100644 index 000000000..21655e85f --- /dev/null +++ b/1235-dpaa2-switch-prevent-zero-size-ptr-dereference-when-num-ifs-.patch @@ -0,0 +1,59 @@ +From a62505231a34f83c11618b0922e5b09739252a2b Mon Sep 17 00:00:00 2001 +From: CKI Backport Bot +Date: Mon, 11 May 2026 19:40:32 +0000 +Subject: [PATCH] dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs + is zero + +JIRA: https://redhat.atlassian.net/browse/RHEL-174253 +CVE: CVE-2026-43205 + +commit ed48a84a72fefb20a82dd90a7caa7807e90c6f66 +Author: Junrui Luo +Date: Wed Jan 28 16:07:34 2026 +0800 + + dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero + + The driver allocates arrays for ports, FDBs, and filter blocks using + kcalloc() with ethsw->sw_attr.num_ifs as the element count. When the + device reports zero interfaces (either due to hardware configuration + or firmware issues), kcalloc(0, ...) returns ZERO_SIZE_PTR (0x10) + instead of NULL. + + Later in dpaa2_switch_probe(), the NAPI initialization unconditionally + accesses ethsw->ports[0]->netdev, which attempts to dereference + ZERO_SIZE_PTR (address 0x10), resulting in a kernel panic. + + Add a check to ensure num_ifs is greater than zero after retrieving + device attributes. This prevents the zero-sized allocations and + subsequent invalid pointer dereference. + + Reported-by: Yuhao Jiang + Reported-by: Junrui Luo + Fixes: 0b1b71370458 ("staging: dpaa2-switch: handle Rx path on control interface") + Signed-off-by: Junrui Luo + Reviewed-by: Andrew Lunn + Link: https://patch.msgid.link/SYBPR01MB7881BEABA8DA896947962470AF91A@SYBPR01MB7881.ausprd01.prod.outlook.com + Signed-off-by: Jakub Kicinski + +Signed-off-by: CKI Backport Bot + +diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c +index a293b08f36d4..527c78f4d27d 100644 +--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c ++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c +@@ -3014,6 +3014,12 @@ static int dpaa2_switch_init(struct fsl_mc_device *sw_dev) + goto err_close; + } + ++ if (!ethsw->sw_attr.num_ifs) { ++ dev_err(dev, "DPSW device has no interfaces\n"); ++ err = -ENODEV; ++ goto err_close; ++ } ++ + err = dpsw_get_api_version(ethsw->mc_io, 0, + ðsw->major, + ðsw->minor); +-- +2.50.1 (Apple Git-155) + diff --git a/1236-dpaa2-switch-validate-num-ifs-to-prevent-out-of-bounds-write.patch b/1236-dpaa2-switch-validate-num-ifs-to-prevent-out-of-bounds-write.patch new file mode 100644 index 000000000..b666e803c --- /dev/null +++ b/1236-dpaa2-switch-validate-num-ifs-to-prevent-out-of-bounds-write.patch @@ -0,0 +1,63 @@ +From 6548cef4d0e49c99a72be88b236c36a486b38feb Mon Sep 17 00:00:00 2001 +From: CKI Backport Bot +Date: Mon, 11 May 2026 19:40:34 +0000 +Subject: [PATCH] dpaa2-switch: validate num_ifs to prevent out-of-bounds write + +JIRA: https://redhat.atlassian.net/browse/RHEL-174253 +CVE: CVE-2026-43205 + +commit 8a5752c6dcc085a3bfc78589925182e4e98468c5 +Author: Junrui Luo +Date: Tue Feb 24 19:05:56 2026 +0800 + + dpaa2-switch: validate num_ifs to prevent out-of-bounds write + + The driver obtains sw_attr.num_ifs from firmware via dpsw_get_attributes() + but never validates it against DPSW_MAX_IF (64). This value controls + iteration in dpaa2_switch_fdb_get_flood_cfg(), which writes port indices + into the fixed-size cfg->if_id[DPSW_MAX_IF] array. When firmware reports + num_ifs >= 64, the loop can write past the array bounds. + + Add a bound check for num_ifs in dpaa2_switch_init(). + + dpaa2_switch_fdb_get_flood_cfg() appends the control interface (port + num_ifs) after all matched ports. When num_ifs == DPSW_MAX_IF and all + ports match the flood filter, the loop fills all 64 slots and the control + interface write overflows by one entry. + + The check uses >= because num_ifs == DPSW_MAX_IF is also functionally + broken. + + build_if_id_bitmap() silently drops any ID >= 64: + if (id[i] < DPSW_MAX_IF) + bmap[id[i] / 64] |= ... + + Fixes: 539dda3c5d19 ("staging: dpaa2-switch: properly setup switching domains") + Signed-off-by: Junrui Luo + Reviewed-by: Ioana Ciornei + Link: https://patch.msgid.link/SYBPR01MB78812B47B7F0470B617C408AAF74A@SYBPR01MB7881.ausprd01.prod.outlook.com + Signed-off-by: Paolo Abeni + +Signed-off-by: CKI Backport Bot + +diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c +index 527c78f4d27d..2eb47789422e 100644 +--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c ++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c +@@ -3020,6 +3020,13 @@ static int dpaa2_switch_init(struct fsl_mc_device *sw_dev) + goto err_close; + } + ++ if (ethsw->sw_attr.num_ifs >= DPSW_MAX_IF) { ++ dev_err(dev, "DPSW num_ifs %u exceeds max %u\n", ++ ethsw->sw_attr.num_ifs, DPSW_MAX_IF); ++ err = -EINVAL; ++ goto err_close; ++ } ++ + err = dpsw_get_api_version(ethsw->mc_io, 0, + ðsw->major, + ðsw->minor); +-- +2.50.1 (Apple Git-155) + diff --git a/1237-mm-page-alloc-clear-page-private-in-free-pages-prepare.patch b/1237-mm-page-alloc-clear-page-private-in-free-pages-prepare.patch new file mode 100644 index 000000000..a079ccfd1 --- /dev/null +++ b/1237-mm-page-alloc-clear-page-private-in-free-pages-prepare.patch @@ -0,0 +1,71 @@ +From 5ef3d81484dc39a21467dfa1f36da3ada378be74 Mon Sep 17 00:00:00 2001 +From: Rafael Aquini +Date: Mon, 11 May 2026 16:41:59 -0400 +Subject: [PATCH] mm/page_alloc: clear page->private in free_pages_prepare() + +JIRA: https://issues.redhat.com/browse/RHEL-174757 +CVE: CVE-2026-43303 +Conflicts: + * minor context difference due to RHEL-10 missing upstream commit + 53fbef56e07d ("mm: introduce memdesc_flags_t") and its series. + +commit ac1ea219590c09572ed5992dc233bbf7bb70fef9 +Author: Mikhail Gavrilov +Date: Sat Feb 7 22:36:14 2026 +0500 + + mm/page_alloc: clear page->private in free_pages_prepare() + + Several subsystems (slub, shmem, ttm, etc.) use page->private but don't + clear it before freeing pages. When these pages are later allocated as + high-order pages and split via split_page(), tail pages retain stale + page->private values. + + This causes a use-after-free in the swap subsystem. The swap code uses + page->private to track swap count continuations, assuming freshly + allocated pages have page->private == 0. When stale values are present, + swap_count_continued() incorrectly assumes the continuation list is valid + and iterates over uninitialized page->lru containing LIST_POISON values, + causing a crash: + + KASAN: maybe wild-memory-access in range [0xdead000000000100-0xdead000000000107] + RIP: 0010:__do_sys_swapoff+0x1151/0x1860 + + Fix this by clearing page->private in free_pages_prepare(), ensuring all + freed pages have clean state regardless of previous use. + + Link: https://lkml.kernel.org/r/20260207173615.146159-1-mikhail.v.gavrilov@gmail.com + Fixes: 3b8000ae185c ("mm/vmalloc: huge vmalloc backing pages should be split rather than compound") + Signed-off-by: Mikhail Gavrilov + Suggested-by: Zi Yan + Acked-by: Zi Yan + Acked-by: David Hildenbrand (Arm) + Reviewed-by: Vlastimil Babka + Cc: Brendan Jackman + Cc: Chris Li + Cc: Hugh Dickins + Cc: Johannes Weiner + Cc: Kairui Song + Cc: Matthew Wilcox (Oracle) + Cc: Michal Hocko + Cc: Nicholas Piggin + Cc: Suren Baghdasaryan + Cc: + Signed-off-by: Andrew Morton + +Signed-off-by: Rafael Aquini + +diff --git a/mm/page_alloc.c b/mm/page_alloc.c +index 73a45cc33a86..72c979ea3121 100644 +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -1135,6 +1135,7 @@ __always_inline bool free_pages_prepare(struct page *page, + + page_cpupid_reset_last(page); + page->flags &= ~PAGE_FLAGS_CHECK_AT_PREP; ++ page->private = 0; + reset_page_owner(page, order); + page_table_check_free(page, order); + pgalloc_tag_sub(page, 1 << order); +-- +2.50.1 (Apple Git-155) + diff --git a/1238-redhat-kernel-spec-template-disable-objtool-werror-for-gcov-.patch b/1238-redhat-kernel-spec-template-disable-objtool-werror-for-gcov-.patch new file mode 100644 index 000000000..a4263e125 --- /dev/null +++ b/1238-redhat-kernel-spec-template-disable-objtool-werror-for-gcov-.patch @@ -0,0 +1,36 @@ +From 1689ee487def887a6e105f5bd858545cbafa8ba5 Mon Sep 17 00:00:00 2001 +From: Oleksii Baranov +Date: Tue, 2 Jun 2026 10:12:10 +0200 +Subject: [PATCH] redhat/kernel.spec.template: disable OBJTOOL_WERROR for gcov + builds + +JIRA: INTERNAL +Upstream Status: RHEL only + +There is a known issue with the gcov builds related to vmlinux.o: error: +objtool: pvh_start_xen+0x64: relocation to !ENDBR: pvh_start_xen+0x0. +Disabling the WERROR to make that error a warning and pass the build. + +Signed-off-by: Oleksii Baranov + +diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template +index 9f6983c1a6dc..306afba015a4 100644 +--- a/redhat/kernel.spec.template ++++ b/redhat/kernel.spec.template +@@ -2118,6 +2118,13 @@ do + done + rm -f $i.tmp + done ++%if %{with_gcov} ++%{log_msg "Disabling CONFIG_OBJTOOL_WERROR for gcov build"} ++for i in %{all_configs} ++do ++ sed -i "s|CONFIG_OBJTOOL_WERROR=y|# CONFIG_OBJTOOL_WERROR is not set|g" $i ++done ++%endif + %endif + + %if %{signkernel}%{signmodules} +-- +2.50.1 (Apple Git-155) + diff --git a/1239-dm-thin-fix-metadata-refcount-underflow.patch b/1239-dm-thin-fix-metadata-refcount-underflow.patch new file mode 100644 index 000000000..aff64b0f0 --- /dev/null +++ b/1239-dm-thin-fix-metadata-refcount-underflow.patch @@ -0,0 +1,55 @@ +From 323d252a4a378834e4fe68298ca61cfc5dd3a460 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Mon, 20 Apr 2026 19:56:44 +0200 +Subject: [PATCH] dm-thin: fix metadata refcount underflow + +commit 09a65adc7d8bbfce06392cb6d375468e2728ead5 upstream. + +There's a bug in dm-thin in the function rebalance_children. If the +internal btree node has one entry, the code tries to copy all btree +entries from the node's child to the node itself and then decrement the +child's reference count. + +If the child node is shared (it has reference count > 1), we won't free +it, so there would be two pointers to each of the grandchildren nodes. +But the reference counts of the grandchildren is not increased, thus the +reference count doesn't match the number of pointers that point to the +grandchildren. This results in "device mapper: space map common: unable +to decrement block" errors. + +Fix this bug by incrementing reference counts on the grandchildren if the +btree node is shared. + +Signed-off-by: Mikulas Patocka +Fixes: 3241b1d3e0aa ("dm: add persistent data library") +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +diff --git a/drivers/md/persistent-data/dm-btree-remove.c b/drivers/md/persistent-data/dm-btree-remove.c +index 942cd47eb52d..aeec5b9a1dd5 100644 +--- a/drivers/md/persistent-data/dm-btree-remove.c ++++ b/drivers/md/persistent-data/dm-btree-remove.c +@@ -490,12 +490,20 @@ static int rebalance_children(struct shadow_spine *s, + + if (le32_to_cpu(n->header.nr_entries) == 1) { + struct dm_block *child; ++ int is_shared; + dm_block_t b = value64(n, 0); + ++ r = dm_tm_block_is_shared(info->tm, b, &is_shared); ++ if (r) ++ return r; ++ + r = dm_tm_read_lock(info->tm, b, &btree_node_validator, &child); + if (r) + return r; + ++ if (is_shared) ++ inc_children(info->tm, dm_block_data(child), vt); ++ + memcpy(n, dm_block_data(child), + dm_bm_block_size(dm_tm_get_bm(info->tm))); + +-- +2.50.1 (Apple Git-155) + diff --git a/1240-crypto-tegra-disable-softirqs-before-finalizing-request.patch b/1240-crypto-tegra-disable-softirqs-before-finalizing-request.patch new file mode 100644 index 000000000..53c730b4f --- /dev/null +++ b/1240-crypto-tegra-disable-softirqs-before-finalizing-request.patch @@ -0,0 +1,99 @@ +From 93a786612ec17d0146d05b71dbf5931b6ee04400 Mon Sep 17 00:00:00 2001 +From: CKI Backport Bot +Date: Fri, 24 Apr 2026 14:07:14 +0000 +Subject: [PATCH] crypto: tegra - Disable softirqs before finalizing request + +JIRA: https://redhat.atlassian.net/browse/RHEL-159000 + +commit 2aeec9af775fb53aa086419b953302c6f4ad4984 +Author: Herbert Xu +Date: Tue Mar 10 18:28:29 2026 +0900 + + crypto: tegra - Disable softirqs before finalizing request + + Softirqs must be disabled when calling the finalization fucntion on + a request. + + Reported-by: Guangwu Zhang + Fixes: 0880bb3b00c8 ("crypto: tegra - Add Tegra Security Engine driver") + Signed-off-by: Herbert Xu + +Signed-off-by: CKI Backport Bot + +diff --git a/drivers/crypto/tegra/tegra-se-aes.c b/drivers/crypto/tegra/tegra-se-aes.c +index 0e07d0523291..8b91f00b9c31 100644 +--- a/drivers/crypto/tegra/tegra-se-aes.c ++++ b/drivers/crypto/tegra/tegra-se-aes.c +@@ -4,6 +4,7 @@ + * Crypto driver to handle block cipher algorithms using NVIDIA Security Engine. + */ + ++#include + #include + #include + #include +@@ -333,7 +334,9 @@ static int tegra_aes_do_one_req(struct crypto_engine *engine, void *areq) + tegra_key_invalidate_reserved(ctx->se, key2_id, ctx->alg); + + out_finalize: ++ local_bh_disable(); + crypto_finalize_skcipher_request(se->engine, req, ret); ++ local_bh_enable(); + + return 0; + } +@@ -1261,7 +1264,9 @@ static int tegra_ccm_do_one_req(struct crypto_engine *engine, void *areq) + tegra_key_invalidate_reserved(ctx->se, rctx->key_id, ctx->alg); + + out_finalize: ++ local_bh_disable(); + crypto_finalize_aead_request(ctx->se->engine, req, ret); ++ local_bh_enable(); + + return 0; + } +@@ -1347,7 +1352,9 @@ static int tegra_gcm_do_one_req(struct crypto_engine *engine, void *areq) + tegra_key_invalidate_reserved(ctx->se, rctx->key_id, ctx->alg); + + out_finalize: ++ local_bh_disable(); + crypto_finalize_aead_request(ctx->se->engine, req, ret); ++ local_bh_enable(); + + return 0; + } +@@ -1745,7 +1752,9 @@ static int tegra_cmac_do_one_req(struct crypto_engine *engine, void *areq) + if (tegra_key_is_reserved(rctx->key_id)) + tegra_key_invalidate_reserved(ctx->se, rctx->key_id, ctx->alg); + ++ local_bh_disable(); + crypto_finalize_hash_request(se->engine, req, ret); ++ local_bh_enable(); + + return 0; + } +diff --git a/drivers/crypto/tegra/tegra-se-hash.c b/drivers/crypto/tegra/tegra-se-hash.c +index 42d007b7af45..90bf34eb3578 100644 +--- a/drivers/crypto/tegra/tegra-se-hash.c ++++ b/drivers/crypto/tegra/tegra-se-hash.c +@@ -4,6 +4,7 @@ + * Crypto driver to handle HASH algorithms using NVIDIA Security Engine. + */ + ++#include + #include + #include + #include +@@ -543,7 +544,9 @@ static int tegra_sha_do_one_req(struct crypto_engine *engine, void *areq) + } + + out: ++ local_bh_disable(); + crypto_finalize_hash_request(se->engine, req, ret); ++ local_bh_enable(); + + return 0; + } +-- +2.50.1 (Apple Git-155) + diff --git a/1241-bluetooth-mgmt-validate-ltk-enc-size-on-load.patch b/1241-bluetooth-mgmt-validate-ltk-enc-size-on-load.patch new file mode 100644 index 000000000..22849353a --- /dev/null +++ b/1241-bluetooth-mgmt-validate-ltk-enc-size-on-load.patch @@ -0,0 +1,48 @@ +From cd80e4a498a4387b0d597b2edd74c834ae730c5f Mon Sep 17 00:00:00 2001 +From: David Marlin +Date: Thu, 7 May 2026 18:00:59 -0500 +Subject: [PATCH] Bluetooth: MGMT: validate LTK enc_size on load + +JIRA: https://issues.redhat.com/browse/RHEL-172460 + +JIRA: https://issues.redhat.com/browse/RHEL-172580 +CVE: CVE-2026-43020 + +commit b8dbe9648d69059cfe3a28917bfbf7e61efd7f15 +Author: Keenan Dong +Date: Sat Mar 28 16:46:47 2026 +0800 + + Bluetooth: MGMT: validate LTK enc_size on load + + Load Long Term Keys stores the user-provided enc_size and later uses + it to size fixed-size stack operations when replying to LE LTK + requests. An enc_size larger than the 16-byte key buffer can therefore + overflow the reply stack buffer. + + Reject oversized enc_size values while validating the management LTK + record so invalid keys never reach the stored key state. + + Fixes: 346af67b8d11 ("Bluetooth: Add MGMT handlers for dealing with SMP LTK's") + Reported-by: Keenan Dong + Signed-off-by: Keenan Dong + Signed-off-by: Luiz Augusto von Dentz + +Signed-off-by: David Marlin + +diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c +index 9bf95af598a0..66e58fc556a5 100644 +--- a/net/bluetooth/mgmt.c ++++ b/net/bluetooth/mgmt.c +@@ -7248,6 +7248,9 @@ static bool ltk_is_valid(struct mgmt_ltk_info *key) + if (key->initiator != 0x00 && key->initiator != 0x01) + return false; + ++ if (key->enc_size > sizeof(key->val)) ++ return false; ++ + switch (key->addr.type) { + case BDADDR_LE_PUBLIC: + return true; +-- +2.50.1 (Apple Git-155) + diff --git a/1242-bluetooth-sco-fix-race-conditions-in-sco-sock-connect.patch b/1242-bluetooth-sco-fix-race-conditions-in-sco-sock-connect.patch new file mode 100644 index 000000000..bc5500d1b --- /dev/null +++ b/1242-bluetooth-sco-fix-race-conditions-in-sco-sock-connect.patch @@ -0,0 +1,149 @@ +From bb04e329c1f71a2f22a865df447ae3b215253283 Mon Sep 17 00:00:00 2001 +From: David Marlin +Date: Thu, 7 May 2026 18:00:58 -0500 +Subject: [PATCH] Bluetooth: SCO: fix race conditions in sco_sock_connect() + +JIRA: https://issues.redhat.com/browse/RHEL-172460 + +JIRA: https://issues.redhat.com/browse/RHEL-172607 +CVE: CVE-2026-43023 + +commit 8a5b0135d4a5d9683203a3d9a12a711ccec5936b +Author: Cen Zhang +Date: Thu Mar 26 23:16:45 2026 +0800 + + Bluetooth: SCO: fix race conditions in sco_sock_connect() + + sco_sock_connect() checks sk_state and sk_type without holding + the socket lock. Two concurrent connect() syscalls on the same + socket can both pass the check and enter sco_connect(), leading + to use-after-free. + + The buggy scenario involves three participants and was confirmed + with additional logging instrumentation: + + Thread A (connect): HCI disconnect: Thread B (connect): + + sco_sock_connect(sk) sco_sock_connect(sk) + sk_state==BT_OPEN sk_state==BT_OPEN + (pass, no lock) (pass, no lock) + sco_connect(sk): sco_connect(sk): + hci_dev_lock hci_dev_lock + hci_connect_sco <- blocked + -> hcon1 + sco_conn_add->conn1 + lock_sock(sk) + sco_chan_add: + conn1->sk = sk + sk->conn = conn1 + sk_state=BT_CONNECT + release_sock + hci_dev_unlock + hci_dev_lock + sco_conn_del: + lock_sock(sk) + sco_chan_del: + sk->conn=NULL + conn1->sk=NULL + sk_state= + BT_CLOSED + SOCK_ZAPPED + release_sock + hci_dev_unlock + (unblocked) + hci_connect_sco + -> hcon2 + sco_conn_add + -> conn2 + lock_sock(sk) + sco_chan_add: + sk->conn=conn2 + sk_state= + BT_CONNECT + // zombie sk! + release_sock + hci_dev_unlock + + Thread B revives a BT_CLOSED + SOCK_ZAPPED socket back to + BT_CONNECT. Subsequent cleanup triggers double sock_put() and + use-after-free. Meanwhile conn1 is leaked as it was orphaned + when sco_conn_del() cleared the association. + + Fix this by: + - Moving lock_sock() before the sk_state/sk_type checks in + sco_sock_connect() to serialize concurrent connect attempts + - Fixing the sk_type != SOCK_SEQPACKET check to actually + return the error instead of just assigning it + - Adding a state re-check in sco_connect() after lock_sock() + to catch state changes during the window between the locks + - Adding sco_pi(sk)->conn check in sco_chan_add() to prevent + double-attach of a socket to multiple connections + - Adding hci_conn_drop() on sco_chan_add failure to prevent + HCI connection leaks + + Fixes: 9a8ec9e8ebb5 ("Bluetooth: SCO: Fix possible circular locking dependency on sco_connect_cfm") + Signed-off-by: Cen Zhang + Signed-off-by: Luiz Augusto von Dentz + +Signed-off-by: David Marlin + +diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c +index 6fc0914c74cb..26e3020e6d87 100644 +--- a/net/bluetooth/sco.c ++++ b/net/bluetooth/sco.c +@@ -298,7 +298,7 @@ static int sco_chan_add(struct sco_conn *conn, struct sock *sk, + int err = 0; + + sco_conn_lock(conn); +- if (conn->sk) ++ if (conn->sk || sco_pi(sk)->conn) + err = -EBUSY; + else + __sco_chan_add(conn, sk, parent); +@@ -353,9 +353,20 @@ static int sco_connect(struct sock *sk) + + lock_sock(sk); + ++ /* Recheck state after reacquiring the socket lock, as another ++ * thread may have changed it (e.g., closed the socket). ++ */ ++ if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) { ++ release_sock(sk); ++ hci_conn_drop(hcon); ++ err = -EBADFD; ++ goto unlock; ++ } ++ + err = sco_chan_add(conn, sk, NULL); + if (err) { + release_sock(sk); ++ hci_conn_drop(hcon); + goto unlock; + } + +@@ -656,13 +667,18 @@ static int sco_sock_connect(struct socket *sock, struct sockaddr *addr, int alen + addr->sa_family != AF_BLUETOOTH) + return -EINVAL; + +- if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) ++ lock_sock(sk); ++ ++ if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) { ++ release_sock(sk); + return -EBADFD; ++ } + +- if (sk->sk_type != SOCK_SEQPACKET) +- err = -EINVAL; ++ if (sk->sk_type != SOCK_SEQPACKET) { ++ release_sock(sk); ++ return -EINVAL; ++ } + +- lock_sock(sk); + /* Set destination address and psm */ + bacpy(&sco_pi(sk)->dst, &sa->sco_bdaddr); + release_sock(sk); +-- +2.50.1 (Apple Git-155) + diff --git a/1243-xfs-delete-attr-leaf-freemap-entries-when-empty.patch b/1243-xfs-delete-attr-leaf-freemap-entries-when-empty.patch new file mode 100644 index 000000000..cf47adc0c --- /dev/null +++ b/1243-xfs-delete-attr-leaf-freemap-entries-when-empty.patch @@ -0,0 +1,78 @@ +From 21df79956b1623ded470e38baa1058d1c641d896 Mon Sep 17 00:00:00 2001 +From: CKI Backport Bot +Date: Fri, 8 May 2026 14:00:52 +0000 +Subject: [PATCH] xfs: delete attr leaf freemap entries when empty + +JIRA: https://redhat.atlassian.net/browse/RHEL-174054 +CVE: CVE-2026-43158 + +commit 6f13c1d2a6271c2e73226864a0e83de2770b6f34 +Author: Darrick J. Wong +Date: Fri Jan 23 09:27:30 2026 -0800 + + xfs: delete attr leaf freemap entries when empty + + Back in commit 2a2b5932db6758 ("xfs: fix attr leaf header freemap.size + underflow"), Brian Foster observed that it's possible for a small + freemap at the end of the end of the xattr entries array to experience + a size underflow when subtracting the space consumed by an expansion of + the entries array. There are only three freemap entries, which means + that it is not a complete index of all free space in the leaf block. + + This code can leave behind a zero-length freemap entry with a nonzero + base. Subsequent setxattr operations can increase the base up to the + point that it overlaps with another freemap entry. This isn't in and of + itself a problem because the code in _leaf_add that finds free space + ignores any freemap entry with zero size. + + However, there's another bug in the freemap update code in _leaf_add, + which is that it fails to update a freemap entry that begins midway + through the xattr entry that was just appended to the array. That can + result in the freemap containing two entries with the same base but + different sizes (0 for the "pushed-up" entry, nonzero for the entry + that's actually tracking free space). A subsequent _leaf_add can then + allocate xattr namevalue entries on top of the entries array, leading to + data loss. But fixing that is for later. + + For now, eliminate the possibility of confusion by zeroing out the base + of any freemap entry that has zero size. Because the freemap is not + intended to be a complete index of free space, a subsequent failure to + find any free space for a new xattr will trigger block compaction, which + regenerates the freemap. + + It looks like this bug has been in the codebase for quite a long time. + + Cc: # v2.6.12 + Fixes: 1da177e4c3f415 ("Linux-2.6.12-rc2") + Signed-off-by: "Darrick J. Wong" + Reviewed-by: Christoph Hellwig + +Signed-off-by: CKI Backport Bot + +diff --git a/fs/xfs/libxfs/xfs_attr_leaf.c b/fs/xfs/libxfs/xfs_attr_leaf.c +index fddb55605e0c..8577c01c83bd 100644 +--- a/fs/xfs/libxfs/xfs_attr_leaf.c ++++ b/fs/xfs/libxfs/xfs_attr_leaf.c +@@ -1593,6 +1593,19 @@ xfs_attr3_leaf_add_work( + min_t(uint16_t, ichdr->freemap[i].size, + sizeof(xfs_attr_leaf_entry_t)); + } ++ ++ /* ++ * Don't leave zero-length freemaps with nonzero base lying ++ * around, because we don't want the code in _remove that ++ * matches on base address to get confused and create ++ * overlapping freemaps. If we end up with no freemap entries ++ * then the next _add will compact the leaf block and ++ * regenerate the freemaps. ++ */ ++ if (ichdr->freemap[i].size == 0 && ichdr->freemap[i].base > 0) { ++ ichdr->freemap[i].base = 0; ++ ichdr->holes = 1; ++ } + } + ichdr->usedbytes += xfs_attr_leaf_entsize(leaf, args->index); + } +-- +2.50.1 (Apple Git-155) + diff --git a/1244-xfs-fix-freemap-adjustments-when-adding-xattrs-to-leaf-block.patch b/1244-xfs-fix-freemap-adjustments-when-adding-xattrs-to-leaf-block.patch new file mode 100644 index 000000000..9f0a189c4 --- /dev/null +++ b/1244-xfs-fix-freemap-adjustments-when-adding-xattrs-to-leaf-block.patch @@ -0,0 +1,141 @@ +From 18713c87fe4f646250400dae3226ffd0659959d5 Mon Sep 17 00:00:00 2001 +From: CKI Backport Bot +Date: Fri, 8 May 2026 14:00:54 +0000 +Subject: [PATCH] xfs: fix freemap adjustments when adding xattrs to leaf + blocks + +JIRA: https://redhat.atlassian.net/browse/RHEL-174054 +CVE: CVE-2026-43158 + +commit 3eefc0c2b78444b64feeb3783c017d6adc3cd3ce +Author: Darrick J. Wong +Date: Fri Jan 23 09:27:31 2026 -0800 + + xfs: fix freemap adjustments when adding xattrs to leaf blocks + + xfs/592 and xfs/794 both trip this assertion in the leaf block freemap + adjustment code after ~20 minutes of running on my test VMs: + + ASSERT(ichdr->firstused >= ichdr->count * sizeof(xfs_attr_leaf_entry_t) + + xfs_attr3_leaf_hdr_size(leaf)); + + Upon enabling quite a lot more debugging code, I narrowed this down to + fsstress trying to set a local extended attribute with namelen=3 and + valuelen=71. This results in an entry size of 80 bytes. + + At the start of xfs_attr3_leaf_add_work, the freemap looks like this: + + i 0 base 448 size 0 rhs 448 count 46 + i 1 base 388 size 132 rhs 448 count 46 + i 2 base 2120 size 4 rhs 448 count 46 + firstused = 520 + + where "rhs" is the first byte past the end of the leaf entry array. + This is inconsistent -- the entries array ends at byte 448, but + freemap[1] says there's free space starting at byte 388! + + By the end of the function, the freemap is in worse shape: + + i 0 base 456 size 0 rhs 456 count 47 + i 1 base 388 size 52 rhs 456 count 47 + i 2 base 2120 size 4 rhs 456 count 47 + firstused = 440 + + Important note: 388 is not aligned with the entries array element size + of 8 bytes. + + Based on the incorrect freemap, the name area starts at byte 440, which + is below the end of the entries array! That's why the assertion + triggers and the filesystem shuts down. + + How did we end up here? First, recall from the previous patch that the + freemap array in an xattr leaf block is not intended to be a + comprehensive map of all free space in the leaf block. In other words, + it's perfectly legal to have a leaf block with: + + * 376 bytes in use by the entries array + * freemap[0] has [base = 376, size = 8] + * freemap[1] has [base = 388, size = 1500] + * the space between 376 and 388 is free, but the freemap stopped + tracking that some time ago + + If we add one xattr, the entries array grows to 384 bytes, and + freemap[0] becomes [base = 384, size = 0]. So far, so good. But if we + add a second xattr, the entries array grows to 392 bytes, and freemap[0] + gets pushed up to [base = 392, size = 0]. This is bad, because + freemap[1] hasn't been updated, and now the entries array and the free + space claim the same space. + + The fix here is to adjust all freemap entries so that none of them + collide with the entries array. Note that this fix relies on commit + 2a2b5932db6758 ("xfs: fix attr leaf header freemap.size underflow") and + the previous patch that resets zero length freemap entries to have + base = 0. + + Cc: # v2.6.12 + Fixes: 1da177e4c3f415 ("Linux-2.6.12-rc2") + Signed-off-by: "Darrick J. Wong" + Reviewed-by: Christoph Hellwig + +Signed-off-by: CKI Backport Bot + +diff --git a/fs/xfs/libxfs/xfs_attr_leaf.c b/fs/xfs/libxfs/xfs_attr_leaf.c +index 8577c01c83bd..bfcac9036c11 100644 +--- a/fs/xfs/libxfs/xfs_attr_leaf.c ++++ b/fs/xfs/libxfs/xfs_attr_leaf.c +@@ -1489,6 +1489,7 @@ xfs_attr3_leaf_add_work( + struct xfs_attr_leaf_name_local *name_loc; + struct xfs_attr_leaf_name_remote *name_rmt; + struct xfs_mount *mp; ++ int old_end, new_end; + int tmp; + int i; + +@@ -1581,17 +1582,36 @@ xfs_attr3_leaf_add_work( + if (be16_to_cpu(entry->nameidx) < ichdr->firstused) + ichdr->firstused = be16_to_cpu(entry->nameidx); + +- ASSERT(ichdr->firstused >= ichdr->count * sizeof(xfs_attr_leaf_entry_t) +- + xfs_attr3_leaf_hdr_size(leaf)); +- tmp = (ichdr->count - 1) * sizeof(xfs_attr_leaf_entry_t) +- + xfs_attr3_leaf_hdr_size(leaf); ++ new_end = ichdr->count * sizeof(struct xfs_attr_leaf_entry) + ++ xfs_attr3_leaf_hdr_size(leaf); ++ old_end = new_end - sizeof(struct xfs_attr_leaf_entry); ++ ++ ASSERT(ichdr->firstused >= new_end); + + for (i = 0; i < XFS_ATTR_LEAF_MAPSIZE; i++) { +- if (ichdr->freemap[i].base == tmp) { +- ichdr->freemap[i].base += sizeof(xfs_attr_leaf_entry_t); ++ int diff = 0; ++ ++ if (ichdr->freemap[i].base == old_end) { ++ /* ++ * This freemap entry starts at the old end of the ++ * leaf entry array, so we need to adjust its base ++ * upward to accomodate the larger array. ++ */ ++ diff = sizeof(struct xfs_attr_leaf_entry); ++ } else if (ichdr->freemap[i].size > 0 && ++ ichdr->freemap[i].base < new_end) { ++ /* ++ * This freemap entry starts in the space claimed by ++ * the new leaf entry. Adjust its base upward to ++ * reflect that. ++ */ ++ diff = new_end - ichdr->freemap[i].base; ++ } ++ ++ if (diff) { ++ ichdr->freemap[i].base += diff; + ichdr->freemap[i].size -= +- min_t(uint16_t, ichdr->freemap[i].size, +- sizeof(xfs_attr_leaf_entry_t)); ++ min_t(uint16_t, ichdr->freemap[i].size, diff); + } + + /* +-- +2.50.1 (Apple Git-155) + diff --git a/kernel.spec b/kernel.spec index e51b42b6e..87d91154a 100644 --- a/kernel.spec +++ b/kernel.spec @@ -182,7 +182,7 @@ Summary: The Linux kernel # This is needed to do merge window version magic %define patchlevel 12 # This allows pkg_release to have configurable %%{?dist} tag -%define specrelease 211.16.1%{?buildid}%{?dist} +%define specrelease 211.18.1%{?buildid}%{?dist} # This defines the kabi tarball version %define kabiversion 6.12.0-211.7.1.el10_2 @@ -1196,6 +1196,89 @@ Patch1158: 1158-rdma-umem-fix-double-dma-buf-unpin-in-failure-path.patch Patch1159: 1159-ptrace-slightly-saner-get-dumpable-logic.patch Patch1160: 1160-net-skbuff-preserve-shared-frag-marker-during-coalescing.patch Patch1161: 1161-net-skbuff-propagate-shared-frag-marker-through-frag-transfe.patch +Patch1162: 1162-netfilter-nf-tables-release-flowtable-after-rcu-grace-period.patch +Patch1163: 1163-can-j1939-j1939-session-new-fix-skb-reference-counting.patch +Patch1164: 1164-ima-don-t-clear-ima-digsig-flag-when-setting-or-removing-non.patch +Patch1165: 1165-netfilter-nf-conntrack-h323-check-for-zero-length-in-decodeq.patch +Patch1166: 1166-revert-scsi-lpfc-update-lpfc-version-to-14-4-0-12.patch +Patch1167: 1167-revert-scsi-lpfc-add-capability-to-register-platform-name-id.patch +Patch1168: 1168-revert-scsi-lpfc-allow-support-for-bb-credit-recovery-in-poi.patch +Patch1169: 1169-revert-scsi-lpfc-fix-reusing-an-ndlp-that-is-marked-nlp-drop.patch +Patch1170: 1170-revert-scsi-lpfc-modify-kref-handling-for-fabric-controller-.patch +Patch1171: 1171-revert-scsi-lpfc-fix-leaked-ndlp-krefs-when-in-point-to-poin.patch +Patch1172: 1172-revert-scsi-lpfc-ensure-unregistration-of-rpis-for-received-.patch +Patch1173: 1173-revert-scsi-lpfc-remove-redundant-null-ptr-assignment-in-lpf.patch +Patch1174: 1174-revert-scsi-lpfc-revise-discovery-related-function-headers-a.patch +Patch1175: 1175-revert-scsi-lpfc-update-various-npiv-diagnostic-log-messagin.patch +Patch1176: 1176-revert-scsi-lpfc-copyright-updates-for-14-4-0-11-patches.patch +Patch1177: 1177-revert-scsi-lpfc-update-lpfc-version-to-14-4-0-11.patch +Patch1178: 1178-revert-scsi-lpfc-convert-debugfs-directory-counts-from-atomi.patch +Patch1179: 1179-revert-scsi-lpfc-clean-up-extraneous-phba-dentries.patch +Patch1180: 1180-revert-scsi-lpfc-use-switch-case-statements-in-dif-debugfs-h.patch +Patch1181: 1181-revert-scsi-lpfc-fix-memory-leak-when-nvmeio-trc-debugfs-ent.patch +Patch1182: 1182-revert-scsi-lpfc-define-size-of-debugfs-entry-for-xri-rebala.patch +Patch1183: 1183-revert-scsi-lpfc-ensure-plogi-acc-is-sent-prior-to-prli-in-p.patch +Patch1184: 1184-revert-scsi-lpfc-check-return-status-of-lpfc-reset-flush-io-.patch +Patch1185: 1185-revert-scsi-lpfc-decrement-ndlp-kref-after-fdisc-retries-exh.patch +Patch1186: 1186-revert-scsi-lpfc-remove-ndlp-kref-decrement-clause-for-f-por.patch +Patch1187: 1187-revert-scsi-lpfc-clean-up-allocated-queues-when-queue-setup-.patch +Patch1188: 1188-revert-scsi-lpfc-abort-outstanding-els-wqes-regardless-of-if.patch +Patch1189: 1189-revert-scsi-lpfc-remove-unused-member-variables-in-struct-lp.patch +Patch1190: 1190-revert-scsi-lpfc-use-int-type-to-store-negative-error-codes.patch +Patch1191: 1191-revert-scsi-lpfc-use-min-to-improve-code.patch +Patch1192: 1192-revert-scsi-lpfc-fix-wrong-function-reference-in-a-comment.patch +Patch1193: 1193-revert-lpfc-don-t-use-file-f-path-dentry-for-comparisons.patch +Patch1194: 1194-revert-scsi-lpfc-copyright-updates-for-14-4-0-10-patches.patch +Patch1195: 1195-revert-scsi-lpfc-update-lpfc-version-to-14-4-0-10.patch +Patch1196: 1196-revert-scsi-lpfc-modify-end-of-life-adapters-model-descripti.patch +Patch1197: 1197-revert-scsi-lpfc-revise-cq-create-set-mailbox-bitfield-defin.patch +Patch1198: 1198-revert-scsi-lpfc-move-clearing-of-hba-setup-flag-to-before-l.patch +Patch1199: 1199-revert-scsi-lpfc-ensure-hba-setup-flag-is-used-only-for-sli4.patch +Patch1200: 1200-revert-scsi-lpfc-relocate-clearing-initial-phba-flags-from-l.patch +Patch1201: 1201-revert-scsi-lpfc-simplify-error-handling-for-failed-lpfc-get.patch +Patch1202: 1202-revert-scsi-lpfc-early-return-out-of-fdmi-cmpl-for-locally-r.patch +Patch1203: 1203-revert-scsi-lpfc-skip-rscn-processing-when-fc-unloading-flag.patch +Patch1204: 1204-revert-scsi-lpfc-check-for-hdwq-null-ptr-when-cleaning-up-lp.patch +Patch1205: 1205-revert-scsi-lpfc-update-debugfs-trace-ring-initialization-me.patch +Patch1206: 1206-revert-scsi-lpfc-revise-logging-format-for-failed-ct-mib-req.patch +Patch1207: 1207-scsi-lpfc-avoid-crashing-in-lpfc-nlp-get-rhel-only.patch +Patch1208: 1208-drm-mgag200-fix-mgag200-bmc-stop-scanout.patch +Patch1209: 1209-net-sched-act-csum-validate-nested-vlan-headers.patch +Patch1210: 1210-netfilter-ip6t-eui64-reject-invalid-mac-header-for-all-packe.patch +Patch1211: 1211-cifs-remove-unnecessary-tracing-after-put-tcon.patch +Patch1212: 1212-cifs-make-default-value-of-retrans-as-zero.patch +Patch1213: 1213-dpll-zl3073x-add-output-pin-frequency-helper.patch +Patch1214: 1214-dpll-zl3073x-include-current-frequency-in-supported-frequenc.patch +Patch1215: 1215-dpll-zl3073x-fix-ref-frequency-setting.patch +Patch1216: 1216-dpll-zl3073x-fix-ref-phase-offset-comp-register-width-for-so.patch +Patch1217: 1217-dpll-zl3073x-remove-redundant-cleanup-in-devm-dpll-init.patch +Patch1218: 1218-io-uring-rsrc-reject-zero-length-fixed-buffer-import.patch +Patch1219: 1219-netfilter-nf-conntrack-helper-pass-helper-to-expect-cleanup.patch +Patch1220: 1220-hid-wacom-fix-out-of-bounds-read-in-wacom-intuos-bt-irq.patch +Patch1221: 1221-redhat-configs-enable-config-aqtion-on-all-archs.patch +Patch1222: 1222-wifi-brcmfmac-validate-bsscfg-indices-in-if-events.patch +Patch1223: 1223-netfilter-ctnetlink-ensure-safe-access-to-master-conntrack.patch +Patch1224: 1224-netfilter-xt-tcpmss-check-remaining-length-before-reading-op.patch +Patch1225: 1225-net-fix-rcu-tasks-stall-in-threaded-busypoll.patch +Patch1226: 1226-ice-use-netif-get-num-default-rss-queues.patch +Patch1227: 1227-ice-set-max-queues-in-alloc-etherdev-mqs.patch +Patch1228: 1228-anon-inode-use-a-proper-mode-internally.patch +Patch1229: 1229-pidfs-use-anon-inode-getattr.patch +Patch1230: 1230-anon-inode-explicitly-block-setattr.patch +Patch1231: 1231-pidfs-use-anon-inode-setattr.patch +Patch1232: 1232-anon-inode-raise-sb-i-nodev-and-sb-i-noexec.patch +Patch1233: 1233-fs-add-s-anon-inode.patch +Patch1234: 1234-mm-thp-deny-thp-for-files-on-anonymous-inodes.patch +Patch1235: 1235-dpaa2-switch-prevent-zero-size-ptr-dereference-when-num-ifs-.patch +Patch1236: 1236-dpaa2-switch-validate-num-ifs-to-prevent-out-of-bounds-write.patch +Patch1237: 1237-mm-page-alloc-clear-page-private-in-free-pages-prepare.patch +Patch1238: 1238-redhat-kernel-spec-template-disable-objtool-werror-for-gcov-.patch +Patch1239: 1239-dm-thin-fix-metadata-refcount-underflow.patch +Patch1240: 1240-crypto-tegra-disable-softirqs-before-finalizing-request.patch +Patch1241: 1241-bluetooth-mgmt-validate-ltk-enc-size-on-load.patch +Patch1242: 1242-bluetooth-sco-fix-race-conditions-in-sco-sock-connect.patch +Patch1243: 1243-xfs-delete-attr-leaf-freemap-entries-when-empty.patch +Patch1244: 1244-xfs-fix-freemap-adjustments-when-adding-xattrs-to-leaf-block.patch # END OF PATCH DEFINITIONS %description @@ -2114,6 +2197,89 @@ ApplyPatch 1158-rdma-umem-fix-double-dma-buf-unpin-in-failure-path.patch ApplyPatch 1159-ptrace-slightly-saner-get-dumpable-logic.patch ApplyPatch 1160-net-skbuff-preserve-shared-frag-marker-during-coalescing.patch ApplyPatch 1161-net-skbuff-propagate-shared-frag-marker-through-frag-transfe.patch +ApplyPatch 1162-netfilter-nf-tables-release-flowtable-after-rcu-grace-period.patch +ApplyPatch 1163-can-j1939-j1939-session-new-fix-skb-reference-counting.patch +ApplyPatch 1164-ima-don-t-clear-ima-digsig-flag-when-setting-or-removing-non.patch +ApplyPatch 1165-netfilter-nf-conntrack-h323-check-for-zero-length-in-decodeq.patch +ApplyPatch 1166-revert-scsi-lpfc-update-lpfc-version-to-14-4-0-12.patch +ApplyPatch 1167-revert-scsi-lpfc-add-capability-to-register-platform-name-id.patch +ApplyPatch 1168-revert-scsi-lpfc-allow-support-for-bb-credit-recovery-in-poi.patch +ApplyPatch 1169-revert-scsi-lpfc-fix-reusing-an-ndlp-that-is-marked-nlp-drop.patch +ApplyPatch 1170-revert-scsi-lpfc-modify-kref-handling-for-fabric-controller-.patch +ApplyPatch 1171-revert-scsi-lpfc-fix-leaked-ndlp-krefs-when-in-point-to-poin.patch +ApplyPatch 1172-revert-scsi-lpfc-ensure-unregistration-of-rpis-for-received-.patch +ApplyPatch 1173-revert-scsi-lpfc-remove-redundant-null-ptr-assignment-in-lpf.patch +ApplyPatch 1174-revert-scsi-lpfc-revise-discovery-related-function-headers-a.patch +ApplyPatch 1175-revert-scsi-lpfc-update-various-npiv-diagnostic-log-messagin.patch +ApplyPatch 1176-revert-scsi-lpfc-copyright-updates-for-14-4-0-11-patches.patch +ApplyPatch 1177-revert-scsi-lpfc-update-lpfc-version-to-14-4-0-11.patch +ApplyPatch 1178-revert-scsi-lpfc-convert-debugfs-directory-counts-from-atomi.patch +ApplyPatch 1179-revert-scsi-lpfc-clean-up-extraneous-phba-dentries.patch +ApplyPatch 1180-revert-scsi-lpfc-use-switch-case-statements-in-dif-debugfs-h.patch +ApplyPatch 1181-revert-scsi-lpfc-fix-memory-leak-when-nvmeio-trc-debugfs-ent.patch +ApplyPatch 1182-revert-scsi-lpfc-define-size-of-debugfs-entry-for-xri-rebala.patch +ApplyPatch 1183-revert-scsi-lpfc-ensure-plogi-acc-is-sent-prior-to-prli-in-p.patch +ApplyPatch 1184-revert-scsi-lpfc-check-return-status-of-lpfc-reset-flush-io-.patch +ApplyPatch 1185-revert-scsi-lpfc-decrement-ndlp-kref-after-fdisc-retries-exh.patch +ApplyPatch 1186-revert-scsi-lpfc-remove-ndlp-kref-decrement-clause-for-f-por.patch +ApplyPatch 1187-revert-scsi-lpfc-clean-up-allocated-queues-when-queue-setup-.patch +ApplyPatch 1188-revert-scsi-lpfc-abort-outstanding-els-wqes-regardless-of-if.patch +ApplyPatch 1189-revert-scsi-lpfc-remove-unused-member-variables-in-struct-lp.patch +ApplyPatch 1190-revert-scsi-lpfc-use-int-type-to-store-negative-error-codes.patch +ApplyPatch 1191-revert-scsi-lpfc-use-min-to-improve-code.patch +ApplyPatch 1192-revert-scsi-lpfc-fix-wrong-function-reference-in-a-comment.patch +ApplyPatch 1193-revert-lpfc-don-t-use-file-f-path-dentry-for-comparisons.patch +ApplyPatch 1194-revert-scsi-lpfc-copyright-updates-for-14-4-0-10-patches.patch +ApplyPatch 1195-revert-scsi-lpfc-update-lpfc-version-to-14-4-0-10.patch +ApplyPatch 1196-revert-scsi-lpfc-modify-end-of-life-adapters-model-descripti.patch +ApplyPatch 1197-revert-scsi-lpfc-revise-cq-create-set-mailbox-bitfield-defin.patch +ApplyPatch 1198-revert-scsi-lpfc-move-clearing-of-hba-setup-flag-to-before-l.patch +ApplyPatch 1199-revert-scsi-lpfc-ensure-hba-setup-flag-is-used-only-for-sli4.patch +ApplyPatch 1200-revert-scsi-lpfc-relocate-clearing-initial-phba-flags-from-l.patch +ApplyPatch 1201-revert-scsi-lpfc-simplify-error-handling-for-failed-lpfc-get.patch +ApplyPatch 1202-revert-scsi-lpfc-early-return-out-of-fdmi-cmpl-for-locally-r.patch +ApplyPatch 1203-revert-scsi-lpfc-skip-rscn-processing-when-fc-unloading-flag.patch +ApplyPatch 1204-revert-scsi-lpfc-check-for-hdwq-null-ptr-when-cleaning-up-lp.patch +ApplyPatch 1205-revert-scsi-lpfc-update-debugfs-trace-ring-initialization-me.patch +ApplyPatch 1206-revert-scsi-lpfc-revise-logging-format-for-failed-ct-mib-req.patch +ApplyPatch 1207-scsi-lpfc-avoid-crashing-in-lpfc-nlp-get-rhel-only.patch +ApplyPatch 1208-drm-mgag200-fix-mgag200-bmc-stop-scanout.patch +ApplyPatch 1209-net-sched-act-csum-validate-nested-vlan-headers.patch +ApplyPatch 1210-netfilter-ip6t-eui64-reject-invalid-mac-header-for-all-packe.patch +ApplyPatch 1211-cifs-remove-unnecessary-tracing-after-put-tcon.patch +ApplyPatch 1212-cifs-make-default-value-of-retrans-as-zero.patch +ApplyPatch 1213-dpll-zl3073x-add-output-pin-frequency-helper.patch +ApplyPatch 1214-dpll-zl3073x-include-current-frequency-in-supported-frequenc.patch +ApplyPatch 1215-dpll-zl3073x-fix-ref-frequency-setting.patch +ApplyPatch 1216-dpll-zl3073x-fix-ref-phase-offset-comp-register-width-for-so.patch +ApplyPatch 1217-dpll-zl3073x-remove-redundant-cleanup-in-devm-dpll-init.patch +ApplyPatch 1218-io-uring-rsrc-reject-zero-length-fixed-buffer-import.patch +ApplyPatch 1219-netfilter-nf-conntrack-helper-pass-helper-to-expect-cleanup.patch +ApplyPatch 1220-hid-wacom-fix-out-of-bounds-read-in-wacom-intuos-bt-irq.patch +ApplyPatch 1221-redhat-configs-enable-config-aqtion-on-all-archs.patch +ApplyPatch 1222-wifi-brcmfmac-validate-bsscfg-indices-in-if-events.patch +ApplyPatch 1223-netfilter-ctnetlink-ensure-safe-access-to-master-conntrack.patch +ApplyPatch 1224-netfilter-xt-tcpmss-check-remaining-length-before-reading-op.patch +ApplyPatch 1225-net-fix-rcu-tasks-stall-in-threaded-busypoll.patch +ApplyPatch 1226-ice-use-netif-get-num-default-rss-queues.patch +ApplyPatch 1227-ice-set-max-queues-in-alloc-etherdev-mqs.patch +ApplyPatch 1228-anon-inode-use-a-proper-mode-internally.patch +ApplyPatch 1229-pidfs-use-anon-inode-getattr.patch +ApplyPatch 1230-anon-inode-explicitly-block-setattr.patch +ApplyPatch 1231-pidfs-use-anon-inode-setattr.patch +ApplyPatch 1232-anon-inode-raise-sb-i-nodev-and-sb-i-noexec.patch +ApplyPatch 1233-fs-add-s-anon-inode.patch +ApplyPatch 1234-mm-thp-deny-thp-for-files-on-anonymous-inodes.patch +ApplyPatch 1235-dpaa2-switch-prevent-zero-size-ptr-dereference-when-num-ifs-.patch +ApplyPatch 1236-dpaa2-switch-validate-num-ifs-to-prevent-out-of-bounds-write.patch +ApplyPatch 1237-mm-page-alloc-clear-page-private-in-free-pages-prepare.patch +ApplyPatch 1238-redhat-kernel-spec-template-disable-objtool-werror-for-gcov-.patch +ApplyPatch 1239-dm-thin-fix-metadata-refcount-underflow.patch +ApplyPatch 1240-crypto-tegra-disable-softirqs-before-finalizing-request.patch +ApplyPatch 1241-bluetooth-mgmt-validate-ltk-enc-size-on-load.patch +ApplyPatch 1242-bluetooth-sco-fix-race-conditions-in-sco-sock-connect.patch +ApplyPatch 1243-xfs-delete-attr-leaf-freemap-entries-when-empty.patch +ApplyPatch 1244-xfs-fix-freemap-adjustments-when-adding-xattrs-to-leaf-block.patch # END OF PATCH APPLICATIONS # Any further pre-build tree manipulations happen here. @@ -4618,6 +4784,97 @@ fi\ # # %changelog +* Sun Jun 07 2026 Andrew Lukoshko - 6.12.0-211.18.1 +- Recreate RHEL 6.12.0-211.18.1 from CentOS Stream 10 and upstream stable backports (1162-1244) +- RHEL changelog for 211.17.1..211.18.1 follows: + +* Thu May 21 2026 CKI KWF Bot [6.12.0-211.18.1.el10_2] +- xfs: fix freemap adjustments when adding xattrs to leaf blocks (CKI Backport Bot) [RHEL-174051] {CVE-2026-43158} +- xfs: delete attr leaf freemap entries when empty (CKI Backport Bot) [RHEL-174051] {CVE-2026-43158} +- Bluetooth: SCO: fix race conditions in sco_sock_connect() (CKI Backport Bot) [RHEL-172603] {CVE-2026-43023} +- Bluetooth: MGMT: validate LTK enc_size on load (CKI Backport Bot) [RHEL-172577] {CVE-2026-43020} +- crypto: tegra - Disable softirqs before finalizing request (CKI Backport Bot) [RHEL-133872] + +* Wed May 20 2026 CKI KWF Bot [6.12.0-211.17.1.el10_2] +- dm-thin: fix metadata refcount underflow (Benjamin Marzinski) [RHEL-169625] +- redhat/kernel.spec.template: disable OBJTOOL_WERROR for gcov builds (Oleksii Baranov) +- mm/page_alloc: clear page->private in free_pages_prepare() (Rafael Aquini) [RHEL-174756] {CVE-2026-43303} +- dpaa2-switch: validate num_ifs to prevent out-of-bounds write (CKI Backport Bot) [RHEL-174258] {CVE-2026-43205} +- dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero (CKI Backport Bot) [RHEL-174258] {CVE-2026-43205} +- mm: thp: deny THP for files on anonymous inodes (Rafael Aquini) [RHEL-171617] {CVE-2026-23375} +- fs: add S_ANON_INODE (Rafael Aquini) [RHEL-171617] +- anon_inode: raise SB_I_NODEV and SB_I_NOEXEC (Rafael Aquini) [RHEL-171617] +- pidfs: use anon_inode_setattr() (Rafael Aquini) [RHEL-171617] +- anon_inode: explicitly block ->setattr() (Rafael Aquini) [RHEL-171617] +- pidfs: use anon_inode_getattr() (Rafael Aquini) [RHEL-171617] +- anon_inode: use a proper mode internally (Rafael Aquini) [RHEL-171617] +- ice: set max queues in alloc_etherdev_mqs() (CKI Backport Bot) [RHEL-174331] +- ice: use netif_get_num_default_rss_queues() (CKI Backport Bot) [RHEL-174331] +- net: Fix rcu_tasks stall in threaded busypoll (CKI Backport Bot) [RHEL-170809] +- netfilter: xt_tcpmss: check remaining length before reading optlen (CKI Backport Bot) [RHEL-174217] {CVE-2026-43190} +- netfilter: ctnetlink: ensure safe access to master conntrack (CKI Backport Bot) [RHEL-173872] {CVE-2026-43116} +- wifi: brcmfmac: validate bsscfg indices in IF events (CKI Backport Bot) [RHEL-173857] {CVE-2026-43110} +- redhat/configs: enable CONFIG_AQTION on all archs (CKI Backport Bot) [RHEL-171944] +- HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq (CKI Backport Bot) [RHEL-172745] {CVE-2026-43051} +- netfilter: nf_conntrack_helper: pass helper to expect cleanup (CKI Backport Bot) [RHEL-172625] {CVE-2026-43027} +- io_uring/rsrc: reject zero-length fixed buffer import (CKI Backport Bot) [RHEL-172556] {CVE-2026-43006} +- dpll: zl3073x: Remove redundant cleanup in devm_dpll_init() (CKI Backport Bot) [RHEL-164434] +- dpll: zl3073x: fix REF_PHASE_OFFSET_COMP register width for some chip IDs (CKI Backport Bot) [RHEL-164434] +- dpll: zl3073x: Fix ref frequency setting (CKI Backport Bot) [RHEL-164434] +- dpll: zl3073x: Include current frequency in supported frequencies list (CKI Backport Bot) [RHEL-164434] +- dpll: zl3073x: Add output pin frequency helper (CKI Backport Bot) [RHEL-164434] +- cifs: make default value of retrans as zero (Paulo Alcantara) [RHEL-171637] +- cifs: remove unnecessary tracing after put tcon (Paulo Alcantara) [RHEL-171637] +- netfilter: ip6t_eui64: reject invalid MAC header for all packets (CKI Backport Bot) [RHEL-171159] {CVE-2026-31685} +- net: sched: act_csum: validate nested VLAN headers (CKI Backport Bot) [RHEL-171142] {CVE-2026-31684} +- drm/mgag200: fix mgag200_bmc_stop_scanout() (Jocelyn Falempe) [RHEL-150180] +- scsi: lpfc: avoid crashing in lpfc_nlp_get() if lpfc_nodelist was freed (Ewan D. Milne) [RHEL-169786] +- Revert "scsi: lpfc: Revise logging format for failed CT MIB requests" (Ewan D. Milne) [RHEL-169786] +- Revert "scsi: lpfc: Update debugfs trace ring initialization messages" (Ewan D. Milne) [RHEL-169786] +- Revert "scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure" (Ewan D. Milne) [RHEL-169786] +- Revert "scsi: lpfc: Skip RSCN processing when FC_UNLOADING flag is set" (Ewan D. Milne) [RHEL-169786] +- Revert "scsi: lpfc: Early return out of FDMI cmpl for locally rejected statuses" (Ewan D. Milne) [RHEL-169786] +- Revert "scsi: lpfc: Simplify error handling for failed lpfc_get_sli4_parameters cmd" (Ewan D. Milne) [RHEL-169786] +- Revert "scsi: lpfc: Relocate clearing initial phba flags from link up to link down hdlr" (Ewan D. Milne) [RHEL-169786] +- Revert "scsi: lpfc: Ensure HBA_SETUP flag is used only for SLI4 in dev_loss_tmo_callbk" (Ewan D. Milne) [RHEL-169786] +- Revert "scsi: lpfc: Move clearing of HBA_SETUP flag to before lpfc_sli4_queue_unset" (Ewan D. Milne) [RHEL-169786] +- Revert "scsi: lpfc: Revise CQ_CREATE_SET mailbox bitfield definitions" (Ewan D. Milne) [RHEL-169786] +- Revert "scsi: lpfc: Modify end-of-life adapters' model descriptions" (Ewan D. Milne) [RHEL-169786] +- Revert "scsi: lpfc: Update lpfc version to 14.4.0.10" (Ewan D. Milne) [RHEL-169786] +- Revert "scsi: lpfc: Copyright updates for 14.4.0.10 patches" (Ewan D. Milne) [RHEL-169786] +- Revert "lpfc: don't use file->f_path.dentry for comparisons" (Ewan D. Milne) [RHEL-169786] +- Revert "scsi: lpfc: Fix wrong function reference in a comment" (Ewan D. Milne) [RHEL-169786] +- Revert "scsi: lpfc: use min() to improve code" (Ewan D. Milne) [RHEL-169786] +- Revert "scsi: lpfc: Use int type to store negative error codes" (Ewan D. Milne) [RHEL-169786] +- Revert "scsi: lpfc: Remove unused member variables in struct lpfc_hba and lpfc_vport" (Ewan D. Milne) [RHEL-169786] +- Revert "scsi: lpfc: Abort outstanding ELS WQEs regardless of if rmmod is in progress" (Ewan D. Milne) [RHEL-169786] +- Revert "scsi: lpfc: Clean up allocated queues when queue setup mbox commands fail" (Ewan D. Milne) [RHEL-169786] +- Revert "scsi: lpfc: Remove ndlp kref decrement clause for F_Port_Ctrl in lpfc_cleanup" (Ewan D. Milne) [RHEL-169786] +- Revert "scsi: lpfc: Decrement ndlp kref after FDISC retries exhausted" (Ewan D. Milne) [RHEL-169786] +- Revert "scsi: lpfc: Check return status of lpfc_reset_flush_io_context during TGT_RESET" (Ewan D. Milne) [RHEL-169786] +- Revert "scsi: lpfc: Ensure PLOGI_ACC is sent prior to PRLI in Point to Point topology" (Ewan D. Milne) [RHEL-169786] +- Revert "scsi: lpfc: Define size of debugfs entry for xri rebalancing" (Ewan D. Milne) [RHEL-169786] +- Revert "scsi: lpfc: Fix memory leak when nvmeio_trc debugfs entry is used" (Ewan D. Milne) [RHEL-169786] +- Revert "scsi: lpfc: Use switch case statements in DIF debugfs handlers" (Ewan D. Milne) [RHEL-169786] +- Revert "scsi: lpfc: Clean up extraneous phba dentries" (Ewan D. Milne) [RHEL-169786] +- Revert "scsi: lpfc: Convert debugfs directory counts from atomic to unsigned int" (Ewan D. Milne) [RHEL-169786] +- Revert "scsi: lpfc: Update lpfc version to 14.4.0.11" (Ewan D. Milne) [RHEL-169786] +- Revert "scsi: lpfc: Copyright updates for 14.4.0.11 patches" (Ewan D. Milne) [RHEL-169786] +- Revert "scsi: lpfc: Update various NPIV diagnostic log messaging" (Ewan D. Milne) [RHEL-169786] +- Revert "scsi: lpfc: Revise discovery related function headers and comments" (Ewan D. Milne) [RHEL-169786] +- Revert "scsi: lpfc: Remove redundant NULL ptr assignment in lpfc_els_free_iocb()" (Ewan D. Milne) [RHEL-169786] +- Revert "scsi: lpfc: Ensure unregistration of rpis for received PLOGIs" (Ewan D. Milne) [RHEL-169786] +- Revert "scsi: lpfc: Fix leaked ndlp krefs when in point-to-point topology" (Ewan D. Milne) [RHEL-169786] +- Revert "scsi: lpfc: Modify kref handling for Fabric Controller ndlps" (Ewan D. Milne) [RHEL-169786] +- Revert "scsi: lpfc: Fix reusing an ndlp that is marked NLP_DROPPED during FLOGI" (Ewan D. Milne) [RHEL-169786] +- Revert "scsi: lpfc: Allow support for BB credit recovery in point-to-point topology" (Ewan D. Milne) [RHEL-169786] +- Revert "scsi: lpfc: Add capability to register Platform Name ID to fabric" (Ewan D. Milne) [RHEL-169786] +- Revert "scsi: lpfc: Update lpfc version to 14.4.0.12" (Ewan D. Milne) [RHEL-169786] +- netfilter: nf_conntrack_h323: check for zero length in DecodeQ931() (CKI Backport Bot) [RHEL-166991] {CVE-2026-23455} +- ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr (Bruno Meneguele) [RHEL-169738] {CVE-2025-68183} +- can: j1939: j1939_session_new(): fix skb reference counting (CKI Backport Bot) [RHEL-162260] {CVE-2024-56645} +- netfilter: nf_tables: release flowtable after rcu grace period on error (CKI Backport Bot) [RHEL-160469] {CVE-2026-23392} + * Sun Jun 07 2026 Andrew Lukoshko - 6.12.0-211.16.1 - Recreate RHEL 6.12.0-211.16.1 from CentOS Stream 10 and upstream stable backports (1106-1161) - Drop 211.7.x security-ahead patches superseded by the RHEL backports (1100-1104: crypto authencesn/algif, xfrm-esp, rxrpc, net-skbuff fragnesia, ptrace)