Skip to content

[rocky9_8] History Rebuild through kernel-5.14.0-687.20.1.el9_8#1394

Open
PlaidCat wants to merge 419 commits into
rocky9_8from
rocky9_8_rebuild
Open

[rocky9_8] History Rebuild through kernel-5.14.0-687.20.1.el9_8#1394
PlaidCat wants to merge 419 commits into
rocky9_8from
rocky9_8_rebuild

Conversation

@PlaidCat

@PlaidCat PlaidCat commented Jul 1, 2026

Copy link
Copy Markdown
Collaborator

This is an automated kernel history rebuild using cron and internal tooling. It follows the same process used for previous history rebuilds:

  • Download all unprocessed src.rpm packages
  • For each src.rpm:
    • Identify all commits in the changelog up to the last known tag (5.14.0-687)
    • Replay commits in chronological order (oldest to newest in the changelog) using git cherry-pick
    • Replace the code in the branch with the output of rpmbuild -bp for the corresponding src.rpm
    • Tag the rebuild branch

JIRA Tickets

Rebuild Splat Inspection

kernel-5.14.0-687.20.1.el9_8

$ cat ciq/ciq_backports/kernel-5.14.0-687.20.1.el9_8/rebuild.details.txt
Rebuild_History BUILDABLE
Rebuilding Kernel from rpm changelog with Fuzz Limit: 87.50%
Number of commits in upstream range v5.14~1..kernel-mainline: 394115
Number of commits in rpm: 400
Number of commits matched with upstream: 396 (99.00%)
Number of commits in upstream but not in rpm: 393719
Number of commits NOT found in upstream: 4 (1.00%)

Rebuilding Kernel on Branch rocky9_8_rebuild_kernel-5.14.0-687.20.1.el9_8 for kernel-5.14.0-687.20.1.el9_8
Clean Cherry Picks: 353 (89.14%)
Empty Cherry Picks: 42 (10.61%)
_______________________________

__EMPTY COMMITS__________________________
cbb0b9d4bbcfa96e7872808a63be03202536f1bc fs: use a helper for opening kernel internal files
8a05a8c31d06c5d0d67b273a4a00f87269adde82 fs: move kmem_cache_zalloc() into alloc_empty_file*() helpers
62d53c4a1dfe347bd87ede46ffad38c9a3870338 fs: use backing_file container for internal files with "fake" f_path
dff745c1221a402b4921d54f292288373cff500c fs: move cleanup from init_file() into its callers
35931eb3945b8d38c31f8e956aee3cf31c52121b fs: Fix kernel-doc warnings
3e15dcf77b23b8e9b9b7f3c0d4def8fe9c12c534 fs: rename __mnt_{want,drop}_write*() helpers
83bc1d294130cc471a89ce10770daa281a93fcb0 fs: get mnt_writers count for an open backing file's real path
08582d678fcf11fc86188f0b92239d3d49667d8e fs: create helper file_user_path() for user displayed mapped file path
def3ae83da02f87005210fa3d448c5dd37ba4105 fs: store real path instead of fake path in backing file f_path
f91a704f7161c2cf0fcd41fa9fbec4355b813fff fs: prepare for stackable filesystems backing file helpers
a6293b3e285cd0d7692141d7981a5f144f0e2f0b fs: factor out backing_file_{read,write}_iter() helpers
9b7e9e2f5d5c3d079ec46bc71b114012e362ea6e fs: factor out backing_file_splice_{read,write}() helpers
f567377e406c032fff0799bde4fdf4a977529b84 fs: factor out backing_file_mmap() helper
09001284eebfc1b684e81d1db0f006787d35f3e1 lsm: add helper for blob allocations
924577e4f6ca473de1528953a0e13505fae61d7b ovl: Fix nested backing file paths
4e301d858af17ae2ce56886296e5458c5a08219a fs: constify file ptr in backing_file accessor helpers
3ec2529eca6f175f4e3e87c4534010e044839b38 ovl: remove unneeded non-const conversion
7933a585d70ee496fa341b50b8b0a95b131867ff ovl: remove redundant IOCB_DIO_CALLER_COMP clearing
880bd496ec72a6dcb00cb70c430ef752ba242ae7 fs: prepare for adding LSM blob to backing_file
6af36aeb147a06dea47c49859cd6ca5659aeb987 lsm: add backing_file LSM hooks
82544d36b1729153c8aeb179e84750f0c085d3b1 selinux: fix overlayfs mmap() and mprotect() access checks
888a7776f4fb04c19bec70c737c61c2f383c6b1e net/mlx5: Add support for device steering tag
520369ef43a8504f9d54ee219bb6c692d2e40028 net/mlx5: Support disabling host PFs
673d7ab7563e1268ac4ca62914b2b99d16219500 net/mlx5e: Prepare for using multiple TX doorbells
71fb4832d50b01f0af2d257360c239879ce93a8e net/mlx5e: Use multiple TX doorbells
11bbcfb7668c6f4d97260f7caaefea22678bc31e net/mlx5e: Use the 'num_doorbells' devlink param
2dc768c05217e667f987907a3404926e7ba89ff3 net/mlx5e: Trim the length of the num_doorbell error
4b6b6233f50f72353b54295ba594990b19f33223 RDMA: Use %pe format specifier for error pointers
2d838c11e10e9169cae4f7778345c11b5447ef05 net/mlx5: Add direct ST mode support for RDMA
d4aa0cc9bd31f3e0cd5f067d649bf39135e4b46b net/mlx5e: Support XDP target xmit with dummy program
2ae8c7edea87f54609bda30963a099cd3c64b0bb net/mlx5: Fix Unbinding uplink-netdev in switchdev mode
665a7e13c220bbde55531a24bd5524320648df10 net/mlx5e: SHAMPO, Fix header mapping for 64K pages
d8a7ed9586c7579a99e9e2d90988c9eceeee61ff net/mlx5e: SHAMPO, Fix header formulas for higher MTUs and 64K pages
76324e4041c0efb4808702b05426d7a0a7d8df5b net/mlx5: Fix peer miss rules host disabled checks
a6413e6f6c9d9bb9833324cb3753582f7bc0f2fa net/mlx5e: RX, Fix XDP multi-buf frag counting for legacy RQ
db25c42c2e1f9c0d136420fff5e5700f7e771a6f net/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ
43c249ea0b1e10baac4a1264a25d69723ce5d2c2 compiler-gcc.h: remove ancient workaround for gcc PR 58670
4356e9f841f7fbb945521cef3577ba394c65f3fc work around gcc bugs with 'asm goto' with outputs
68fb3ca0e408e00db1c3f8fccdfa19e274c033be update workarounds for gcc "asm goto" issue
f2f6a8e8871725035959b90bac048cde555aa0e9 init/Kconfig: remove CONFIG_GCC_ASM_GOTO_OUTPUT_WORKAROUND
0e124af675ebabddacfeb0958abd443265dddf13 scsi: qla2xxx: Add support to report MPI FW state
858d2a4f67ff69e645a43487ef7ea7f28f06deae tcp: fix potential race in tcp_v6_syn_recv_sock()

__CHANGES NOT IN UPSTREAM________________
Replace sbat with Rocky Linux sbat
Change bug tracker URL
Ensure appended release in sbat is removed'
selinux: RHEL-only hotfix for execmem regression

BUILD

$ grep -E -B 5 -A 5 "\[TIMER\]|^Starting Build" $(ls -t kbuild* | head -n1)
/mnt/code/kernel-src-tree-build
Running make mrproper...
  CLEAN   scripts/basic
  CLEAN   scripts/kconfig
  CLEAN   include/config include/generated
[TIMER]{MRPROPER}: 5s
x86_64 architecture detected, copying config
'configs/kernel-x86_64-rhel.config' -> '.config'
Setting Local Version for build
CONFIG_LOCALVERSION="-rocky9_8_rebuild-ccaa0c849bbe"
Making olddefconfig
--
  HOSTCC  scripts/kconfig/util.o
  HOSTLD  scripts/kconfig/conf
#
# configuration written to .config
#
Starting Build
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_32.h
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_64.h
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_x32.h
  SYSTBL  arch/x86/include/generated/asm/syscalls_32.h
  SYSHDR  arch/x86/include/generated/asm/unistd_32_ia32.h
--
  BTF [M] sound/usb/usx2y/snd-usb-us144mkii.ko
  BTF [M] sound/usb/usx2y/snd-usb-usx2y.ko
  BTF [M] sound/x86/snd-hdmi-lpe-audio.ko
  BTF [M] sound/virtio/virtio_snd.ko
  BTF [M] sound/xen/snd_xen_front.ko
[TIMER]{BUILD}: 1558s
Making Modules
  INSTALL /lib/modules/5.14.0-rocky9_8_rebuild-ccaa0c849bbe/kernel/arch/x86/crypto/blake2s-x86_64.ko
  INSTALL /lib/modules/5.14.0-rocky9_8_rebuild-ccaa0c849bbe/kernel/arch/x86/crypto/blowfish-x86_64.ko
  INSTALL /lib/modules/5.14.0-rocky9_8_rebuild-ccaa0c849bbe/kernel/arch/x86/crypto/camellia-aesni-avx-x86_64.ko
  INSTALL /lib/modules/5.14.0-rocky9_8_rebuild-ccaa0c849bbe/kernel/arch/x86/crypto/camellia-aesni-avx2.ko
--
  SIGN    /lib/modules/5.14.0-rocky9_8_rebuild-ccaa0c849bbe/kernel/sound/usb/usx2y/snd-usb-usx2y.ko
  SIGN    /lib/modules/5.14.0-rocky9_8_rebuild-ccaa0c849bbe/kernel/sound/x86/snd-hdmi-lpe-audio.ko
  SIGN    /lib/modules/5.14.0-rocky9_8_rebuild-ccaa0c849bbe/kernel/sound/virtio/virtio_snd.ko
  SIGN    /lib/modules/5.14.0-rocky9_8_rebuild-ccaa0c849bbe/kernel/sound/xen/snd_xen_front.ko
  DEPMOD  /lib/modules/5.14.0-rocky9_8_rebuild-ccaa0c849bbe
[TIMER]{MODULES}: 12s
Making Install
sh ./arch/x86/boot/install.sh 5.14.0-rocky9_8_rebuild-ccaa0c849bbe \
	arch/x86/boot/bzImage System.map "/boot"
[TIMER]{INSTALL}: 27s
Checking kABI
kABI check passed
Setting Default Kernel to /boot/vmlinuz-5.14.0-rocky9_8_rebuild-ccaa0c849bbe and Index to 0
Hopefully Grub2.0 took everything ... rebooting after time metrices
[TIMER]{MRPROPER}: 5s
[TIMER]{BUILD}: 1558s
[TIMER]{MODULES}: 12s
[TIMER]{INSTALL}: 27s
[TIMER]{TOTAL} 1607s
Rebooting in 10 seconds

KSelfTests

$ get_kselftest_diff.sh
kselftest.5.14.0-rocky9_8_rebuild-f89ef56bfe6d.log
311
kselftest.5.14.0-rocky9_8_rebuild-49e9701ac83b.log
311
kselftest.5.14.0-rocky9_8_rebuild-37e80bde7a74.log
311
kselftest.5.14.0-rocky9_8_rebuild-ccaa0c849bbe.log
311
Before: kselftest.5.14.0-rocky9_8_rebuild-37e80bde7a74.log
After: kselftest.5.14.0-rocky9_8_rebuild-ccaa0c849bbe.log
Diff:
No differences found.

PlaidCat added 30 commits July 1, 2026 00:02
…or path

jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Lama Kayal <lkayal@nvidia.com>
commit 00a50e4

In mlx5hws_pat_get_pattern(), when mlx5hws_pat_add_pattern_to_cache()
fails, the function attempts to clean up the pattern created by
mlx5hws_cmd_header_modify_pattern_create(). However, it incorrectly
uses *pattern_id which hasn't been set yet, instead of the local
ptrn_id variable that contains the actual pattern ID.

This results in attempting to destroy a pattern using uninitialized
data from the output parameter, rather than the valid pattern ID
returned by the firmware.

Use ptrn_id instead of *pattern_id in the cleanup path to properly
destroy the created pattern.

Fixes: aefc15a ("net/mlx5: HWS, added modify header pattern and args handling")
	Signed-off-by: Lama Kayal <lkayal@nvidia.com>
	Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
	Signed-off-by: Mark Bloch <mbloch@nvidia.com>
Link: https://patch.msgid.link/20250825143435.598584-5-mbloch@nvidia.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 00a50e4)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Moshe Shemesh <moshe@nvidia.com>
commit 34cc6a5

The devlink reload fw_activate command performs firmware activation
followed by driver reload, while devlink reload driver_reinit triggers
only driver reload. However, the driver reload logic differs between the
two modes, as on driver_reinit mode mlx5 also reloads auxiliary drivers,
while in fw_activate mode the auxiliary drivers are suspended where
applicable.

Additionally, following the cited commit, if the device has multiple PFs,
the behavior during fw_activate may vary between PFs: one PF may suspend
auxiliary drivers, while another reloads them.

Align devlink dev reload fw_activate behavior with devlink dev reload
driver_reinit, to reload all auxiliary drivers.

Fixes: 72ed5d5 ("net/mlx5: Suspend auxiliary devices only in case of PCI device suspend")
	Signed-off-by: Moshe Shemesh <moshe@nvidia.com>
	Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
	Reviewed-by: Akiva Goldberger <agoldberger@nvidia.com>
	Signed-off-by: Mark Bloch <mbloch@nvidia.com>
Link: https://patch.msgid.link/20250825143435.598584-6-mbloch@nvidia.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 34cc6a5)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Moshe Shemesh <moshe@nvidia.com>
commit 902a8bc

Fix lockdep assertion triggered during sync reset unload event. When the
sync reset flow is initiated using the devlink reload fw_activate
option, the PF already holds the devlink lock while handling unload
event. In this case, delegate sync reset unload event handling back to
the devlink callback process to avoid double-locking and resolve the
lockdep warning.

Kernel log:
WARNING: CPU: 9 PID: 1578 at devl_assert_locked+0x31/0x40
[...]
Call Trace:
<TASK>
 mlx5_unload_one_devl_locked+0x2c/0xc0 [mlx5_core]
 mlx5_sync_reset_unload_event+0xaf/0x2f0 [mlx5_core]
 process_one_work+0x222/0x640
 worker_thread+0x199/0x350
 kthread+0x10b/0x230
 ? __pfx_worker_thread+0x10/0x10
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x8e/0x100
 ? __pfx_kthread+0x10/0x10
 ret_from_fork_asm+0x1a/0x30
</TASK>

Fixes: 7a9770f ("net/mlx5: Handle sync reset unload event")
	Signed-off-by: Moshe Shemesh <moshe@nvidia.com>
	Signed-off-by: Mark Bloch <mbloch@nvidia.com>
Link: https://patch.msgid.link/20250825143435.598584-7-mbloch@nvidia.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 902a8bc)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Moshe Shemesh <moshe@nvidia.com>
commit 26e42ec

If PF (Physical Function) has SFs (Sub-Functions), since the SFs are not
taking part in the synchronization flow, sync reset can lead to fatal
error on the SFs, as the function will be closed unexpectedly from the
SF point of view.

Add a check to prevent sync reset when there are SFs on a PF device
which is not ECPF, as ECPF is teardowned gracefully before reset.

Fixes: 92501fa ("net/mlx5: Ack on sync_reset_request only if PF can do reset_now")
	Signed-off-by: Moshe Shemesh <moshe@nvidia.com>
	Reviewed-by: Parav Pandit <parav@nvidia.com>
	Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
	Signed-off-by: Mark Bloch <mbloch@nvidia.com>
Link: https://patch.msgid.link/20250825143435.598584-8-mbloch@nvidia.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 26e42ec)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Moshe Shemesh <moshe@nvidia.com>
commit cf9a862

Changing flow steering modes is not allowed when eswitch is in switchdev
mode. This fix ensures that any steering mode change, including to
firmware steering, is correctly blocked while eswitch mode is switchdev.

Fixes: e890acd ("net/mlx5: Add devlink flow_steering_mode parameter")
	Signed-off-by: Moshe Shemesh <moshe@nvidia.com>
	Signed-off-by: Mark Bloch <mbloch@nvidia.com>
Link: https://patch.msgid.link/20250825143435.598584-9-mbloch@nvidia.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit cf9a862)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Alexei Lazar <alazar@nvidia.com>
commit aca0c31

The local Xoff value is being set before the firmware (FW) update.
In case of a failure where the FW is not updated with the new value,
there is no fallback to the previous value.
Update the local Xoff value after the FW has been successfully set.

Fixes: 0696d60 ("net/mlx5e: Receive buffer configuration")
	Signed-off-by: Alexei Lazar <alazar@nvidia.com>
	Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
	Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
	Signed-off-by: Mark Bloch <mbloch@nvidia.com>
Link: https://patch.msgid.link/20250825143435.598584-12-mbloch@nvidia.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit aca0c31)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Jianbo Liu <jianbol@nvidia.com>
commit 6b4be64

The function mlx5_uplink_netdev_get() gets the uplink netdevice
pointer from mdev->mlx5e_res.uplink_netdev. However, the netdevice can
be removed and its pointer cleared when unbound from the mlx5_core.eth
driver. This results in a NULL pointer, causing a kernel panic.

 BUG: unable to handle page fault for address: 0000000000001300
 at RIP: 0010:mlx5e_vport_rep_load+0x22a/0x270 [mlx5_core]
 Call Trace:
  <TASK>
  mlx5_esw_offloads_rep_load+0x68/0xe0 [mlx5_core]
  esw_offloads_enable+0x593/0x910 [mlx5_core]
  mlx5_eswitch_enable_locked+0x341/0x420 [mlx5_core]
  mlx5_devlink_eswitch_mode_set+0x17e/0x3a0 [mlx5_core]
  devlink_nl_eswitch_set_doit+0x60/0xd0
  genl_family_rcv_msg_doit+0xe0/0x130
  genl_rcv_msg+0x183/0x290
  netlink_rcv_skb+0x4b/0xf0
  genl_rcv+0x24/0x40
  netlink_unicast+0x255/0x380
  netlink_sendmsg+0x1f3/0x420
  __sock_sendmsg+0x38/0x60
  __sys_sendto+0x119/0x180
  do_syscall_64+0x53/0x1d0
  entry_SYSCALL_64_after_hwframe+0x4b/0x53

Ensure the pointer is valid before use by checking it for NULL. If it
is valid, immediately call netdev_hold() to take a reference, and
preventing the netdevice from being freed while it is in use.

Fixes: 7a9fb35 ("net/mlx5e: Do not reload ethernet ports when changing eswitch mode")
	Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
	Reviewed-by: Cosmin Ratiu <cratiu@nvidia.com>
	Reviewed-by: Jiri Pirko <jiri@nvidia.com>
	Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
	Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/1757939074-617281-2-git-send-email-tariqt@nvidia.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 6b4be64)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Lama Kayal <lkayal@nvidia.com>
commit 7601a0a

The cited commit adds a miss table for switchdev mode. But it
uses the same level as policy table. Will hit the following error
when running command:

 # ip xfrm state add src 192.168.1.22 dst 192.168.1.21 proto	\
	esp spi 1001 reqid 10001 aead 'rfc4106(gcm(aes))'	\
	0x3a189a7f9374955d3817886c8587f1da3df387ff 128		\
	mode tunnel offload dev enp8s0f0 dir in
 Error: mlx5_core: Device failed to offload this state.

The dmesg error is:

 mlx5_core 0000:03:00.0: ipsec_miss_create:578:(pid 311797): fail to create IPsec miss_rule err=-22

Fix it by adding a new miss level to avoid the error.

Fixes: 7d9e292 ("net/mlx5e: Move IPSec policy check after decryption")
	Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
	Signed-off-by: Chris Mi <cmi@nvidia.com>
	Signed-off-by: Lama Kayal <lkayal@nvidia.com>
	Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/1757939074-617281-4-git-send-email-tariqt@nvidia.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 7601a0a)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Yevgeny Kliteynik <kliteyn@nvidia.com>
commit efb877c

When HWS creates multi-dest FW table and adds rules to
forward to other tables, ignore the flow level enforcement
in FW, because HWS is responsible for table levels.

This fixes the following error:

  mlx5_core 0000:08:00.0: mlx5_cmd_out_err:818:(pid 192306):
     SET_FLOW_TABLE_ENTRY(0x936) op_mod(0x0) failed,
     status bad parameter(0x3), syndrome (0x6ae84c), err(-22)

Fixes: 504e536 ("net/mlx5: HWS, added actions handling")
	Signed-off-by: Yevgeny Kliteynik <kliteyn@nvidia.com>
	Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
	Reviewed-by: Mark Bloch <mbloch@nvidia.com>
	Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/1758525094-816583-3-git-send-email-tariqt@nvidia.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit efb877c)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Carolina Jubran <cjubran@nvidia.com>
commit 6d0477d

Include MLX5E_FEC_RS_544_514_INTERLEAVED_QUAD in the FEC RS stats
handling. This addresses a gap introduced when adding support for
200G/lane link modes.

Fixes: 4e343c1 ("net/mlx5e: Support FEC settings for 200G per lane link modes")
	Signed-off-by: Carolina Jubran <cjubran@nvidia.com>
	Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
	Reviewed-by: Yael Chemla <ychemla@nvidia.com>
	Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/1758525094-816583-4-git-send-email-tariqt@nvidia.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 6d0477d)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Mark Zhang <markzhang@nvidia.com>
commit b5eeb83

- pre_destroy_cq: Destroy FW CQ object so that no new CQ event would
                  be generated;
- post_destroy_cq: Release all resources.

This patch, along with last one, fixes the crash below.

 Unable to handle kernel paging request at virtual address ffff8000114b1180
 Mem abort info:
   ESR = 0x96000047
   EC = 0x25: DABT (current EL), IL = 32 bits
   SET = 0, FnV = 0
   EA = 0, S1PTW = 0
 Data abort info:
   ISV = 0, ISS = 0x00000047
   CM = 0, WnR = 1
 swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000000f4582000
 [ffff8000114b1180] pgd=00000447fffff003, p4d=00000447fffff003, pud=00000447ffffe003, pmd=00000447ffffb003, pte=0000000000000000
 Internal error: Oops: 96000047 [#1] SMP
 Modules linked in: udp_diag uio_pci_generic uio tcp_diag inet_diag binfmt_misc sn_core_odd(OE) rpcrdma(OE) xprtrdma(OE) ib_isert(OE) ib_iser(OE) ib_srpt(OE) ib_srp(OE) ib_ipoib(OE) kpatch_9658536(OK) kpatch_9322385(OK) kpatch_8843421(OK) kpatch_8636216(OK) vfat fat aes_ce_blk crypto_simd cryptd aes_ce_cipher crct10dif_ce ghash_ce sm4_ce sha2_ce sha256_arm64 sha1_ce sbsa_gwdt sg acpi_ipmi ipmi_si ipmi_msghandler m1_uncore_ddrss_pmu m1_uncore_cmn_pmu team_yosemite9rc6(OE) vnic(OE) ip_tables mlx5_ib(OE) sd_mod ast mlx5_core(OE) i2c_algo_bit drm_vram_helper psample drm_kms_helper mlxdevm(OE) auxiliary(OE) mlxfw(OE) syscopyarea sysfillrect tls sysimgblt fb_sys_fops drm_ttm_helper nvme ttm nvme_core drm t10_pi i2c_designware_platform i2c_designware_core i2c_core ahci libahci libata rdma_ucm(OE) ib_uverbs(OE) rdma_cm(OE) iw_cm(OE) ib_cm(OE) ib_umad(OE) ib_core(OE) ib_ucm(OE) mlx_compat(OE) [last unloaded: ipmi_devintf]
 CPU: 83 PID: 59375 Comm: kworker/u253:1 Kdump: loaded Tainted: G           OE K   5.10.84-004.ali5000.alios7.aarch64 #1
 Hardware name: Inspur AliServer-Xuanwu2.0AM-02-2UM1P-5B/AS1221MG1, BIOS 1.2.M1.AL.P.158.00 08/31/2023
 Workqueue: ib-comp-unb-wq ib_cq_poll_work [ib_core]
 pstate: 82c00089 (Nzcv daIf +PAN +UAO +TCO BTYPE=--)
 pc : native_queued_spin_lock_slowpath+0x1c4/0x31c
 lr : mlx5_ib_poll_cq+0x18c/0x2f8 [mlx5_ib]
 sp : ffff80002be1bc80
 x29: ffff80002be1bc80 x28: ffff000810e69000
 x27: ffff000810e69000 x26: ffff000810e69200
 x25: 0000000000000000 x24: ffff8000117db000
 x23: ffff04000156b780 x22: 0000000000000000
 x21: ffff04000ce6c160 x20: ffff0008196a4000
 x19: 0000000000000010 x18: 0000000000000020
 x17: 0000000000000000 x16: 0000000000000000
 x15: ffff040055a364e8 x14: ffffffffffffffff
 x13: ffff80002318bda8 x12: ffff0400358836e8
 x11: 0000000000000040 x10: 0000000000000eb0
 x9 : 0000000000000000 x8 : 0000000000000000
 x7 : ffff04477fa20140 x6 : ffff8000114b1140
 x5 : ffff04477fa20140 x4 : ffff8000114b1180
 x3 : ffff000810e69200 x2 : ffff8000114b1180
 x1 : 0000000001500000 x0 : ffff04477fa20148
 Call trace:
  native_queued_spin_lock_slowpath+0x1c4/0x31c
  __ib_process_cq+0x74/0x1b8 [ib_core]
  ib_cq_poll_work+0x34/0xa0 [ib_core]
  process_one_work+0x1d8/0x4b0
  worker_thread+0x180/0x440
  kthread+0x114/0x120
 Code: 910020e0 8b0400c4 f862d929 aa0403e2 (f8296847)
 ---[ end trace 387be2290557729c ]---
 Kernel panic - not syncing: Oops: Fatal exception
 SMP: stopping secondary CPUs
 Kernel Offset: disabled
 CPU features: 0x9850817,7a60aa38
 Memory Limit: none
 Starting crashdump kernel...
 Bye!

	Signed-off-by: Mark Zhang <markzhang@nvidia.com>
Link: https://patch.msgid.link/aaf0072f350d1c7e8731f43b79e11a560bafb9e0.1750070205.git.leon@kernel.org
	Signed-off-by: Leon Romanovsky <leon@kernel.org>
(cherry picked from commit b5eeb83)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
…e tables

jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Patrisious Haddad <phaddad@nvidia.com>
commit 40852c8

Support the creation of RDMA TRANSPORT tables over multiple priorities
via matcher creation.

	Signed-off-by: Patrisious Haddad <phaddad@nvidia.com>
	Reviewed-by: Mark Bloch <mbloch@nvidia.com>
Link: https://patch.msgid.link/bb38e50ae4504e979c6568d41939402a4cf15635.1750148083.git.leon@kernel.org
	Signed-off-by: Leon Romanovsky <leon@kernel.org>
(cherry picked from commit 40852c8)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Parav Pandit <parav@nvidia.com>
commit 95a89ec

Currently, the capability check is done in the default
init_user_ns user namespace. When a process runs in a
non default user namespace, such check fails. Due to this
when a process is running using Podman, it fails to create
the flow.

Since the RDMA device is a resource within a network namespace,
use the network namespace associated with the RDMA device to
determine its owning user namespace.

Fixes: 3226944 ("IB/mlx5: Introduce driver create and destroy flow methods")
	Signed-off-by: Parav Pandit <parav@nvidia.com>
Link: https://patch.msgid.link/a4dcd5e3ac6904ef50b19e56942ca6ab0728794c.1750963874.git.leon@kernel.org
	Signed-off-by: Leon Romanovsky <leon@kernel.org>
(cherry picked from commit 95a89ec)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Parav Pandit <parav@nvidia.com>
commit 14957e8

Currently, the capability check is done in the default
init_user_ns user namespace. When a process runs in a
non default user namespace, such check fails. Due to this
when a process is running using Podman, it fails to create
the anchor.

Since the RDMA device is a resource within a network namespace,
use the network namespace associated with the RDMA device to
determine its owning user namespace.

Fixes: 0c6ab0c ("RDMA/mlx5: Expose steering anchor to userspace")
	Signed-off-by: Parav Pandit <parav@nvidia.com>
Link: https://patch.msgid.link/c2376ca75e7658e2cbd1f619cf28fbe98c906419.1750963874.git.leon@kernel.org
	Signed-off-by: Leon Romanovsky <leon@kernel.org>
(cherry picked from commit 14957e8)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Parav Pandit <parav@nvidia.com>
commit bd82467

Currently, the capability check is done in the default
init_user_ns user namespace. When a process runs in a
non default user namespace, such check fails. Due to this
when a process is running using Podman, it fails to create
the devx object.

Since the RDMA device is a resource within a network namespace,
use the network namespace associated with the RDMA device to
determine its owning user namespace.

Fixes: a8b92ca ("IB/mlx5: Introduce DEVX")
	Signed-off-by: Parav Pandit <parav@nvidia.com>
Link: https://patch.msgid.link/36ee87e92defd81410c6a2b33f9d6c0d6dcfd64c.1750963874.git.leon@kernel.org
	Signed-off-by: Leon Romanovsky <leon@kernel.org>
(cherry picked from commit bd82467)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Michael Guralnik <michaelgur@nvidia.com>
commit fcfb035

Align the capabilities checked when using the log_page_size 6th bit in the
mkey context to the PRM definition. The upper and lower bounds are set by
max/min caps, and modification of the 6th bit by UMR is allowed only when
a specific UMR cap is set.
Current implementation falsely assumes all page sizes up-to 2^63 are
supported when the UMR cap is set. In case the upper bound cap is lower
than 63, this might result a FW syndrome on mkey creation, e.g:
mlx5_core 0000:c1:00.0: mlx5_cmd_out_err:832:(pid 0): CREATE_MKEY(0×200) op_mod(0×0) failed, status bad parameter(0×3), syndrome (0×38a711), err(-22)

Previous cap enforcement is still correct for all current HW, FW and
driver combinations. However, this patch aligns the code to be PRM
compliant in the general case.

	Signed-off-by: Michael Guralnik <michaelgur@nvidia.com>
Link: https://patch.msgid.link/eab4eeb4785105a4bb5eb362dc0b3662cd840412.1751979184.git.leon@kernel.org
	Signed-off-by: Leon Romanovsky <leon@kernel.org>
(cherry picked from commit fcfb035)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Edward Srouji <edwards@nvidia.com>
commit e73242a

The current implementation of DMABUF memory registration uses a fixed
page size for the memory key (mkey), which can lead to suboptimal
performance when the underlying memory layout may offer better page
size.

The optimization improves performance by reducing the number of page
table entries required for the mkey, leading to less MTT/KSM descriptors
that the HCA must go through to find translations, fewer cache-lines,
and shorter UMR work requests on mkey updates such as when
re-registering or reusing a cacheable mkey.

To ensure safe page size updates, the implementation uses a 5-step
process:
1. Make the first X entries non-present, while X is calculated to be
   minimal according to a large page shift that can be used to cover the
   MR length.
2. Update the page size to the large supported page size
3. Load the remaining N-X entries according to the (optimized)
   page shift
4. Update the page size according to the (optimized) page shift
5. Load the first X entries with the correct translations

This ensures that at no point is the MR accessible with a partially
updated translation table, maintaining correctness and preventing
access to stale or inconsistent mappings, such as having an mkey
advertising the new page size while some of the underlying page table
entries still contain the old page size translations.

	Signed-off-by: Edward Srouji <edwards@nvidia.com>
	Reviewed-by: Michael Guralnik <michaelgur@nvidia.com>
Link: https://patch.msgid.link/bc05a6b2142c02f96a90635f9a4458ee4bbbf39f.1751979184.git.leon@kernel.org
	Signed-off-by: Leon Romanovsky <leon@kernel.org>
(cherry picked from commit e73242a)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Colin Ian King <colin.i.king@gmail.com>
commit aee80e6

Currently all paths that set err and then check it for an error
perform immediate returns, hence err always zero at the end of
the function _mlx5r_umr_zap_mkey.  The return expression
err ? err : nblocks has a redundant check on the err since err
is always zero, so just return nblocks instead.

	Signed-off-by: Colin Ian King <colin.i.king@gmail.com>
Link: https://patch.msgid.link/20250717112108.4036171-1-colin.i.king@gmail.com
	Signed-off-by: Leon Romanovsky <leon@kernel.org>
(cherry picked from commit aee80e6)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Leon Romanovsky <leon@kernel.org>
commit d59ebb4

As Colin reported:
 "The variable zapped_blocks is a size_t type and is being assigned a int
  return value from the call to _mlx5r_umr_zap_mkey. Since zapped_blocks is an
  unsigned type, the error check for zapped_blocks < 0 will never be true."

So separate return error and nblocks assignment.

Fixes: e73242a ("RDMA/mlx5: Optimize DMABUF mkey page size")
	Reported-by: Colin King (gmail) <colin.i.king@gmail.com>
Closes: https://lore.kernel.org/all/79166fb1-3b73-4d37-af02-a17b22eb8e64@gmail.com
Link: https://patch.msgid.link/71d8ea208ac7eaa4438af683b9afaed78625e419.1753003467.git.leon@kernel.org
	Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev>
	Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
(cherry picked from commit d59ebb4)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Leon Romanovsky <leon@kernel.org>
commit b834407

mkey_mask is __be64 type, while MLX5_MKEY_MASK_PAGE_SIZE is declared as
unsigned long long. This causes to the static checkers errors:

drivers/infiniband/hw/mlx5/umr.c:663:49: warning: invalid assignment: &=
drivers/infiniband/hw/mlx5/umr.c:663:49:    left side has type restricted __be64
drivers/infiniband/hw/mlx5/umr.c:663:49:    right side has type int

Fixes: e73242a ("RDMA/mlx5: Optimize DMABUF mkey page size")
Link: https://patch.msgid.link/e354d70b98dfa5ecf4c236a36cd36b64add9d9de.1753003467.git.leon@kernel.org
	Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
(cherry picked from commit b834407)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Yishai Hadas <yishaih@nvidia.com>
commit 3c81907

This patch introduces support for allocating and deallocating the DMAH
object.

Further details:
----------------
The DMAH API is exposed to upper layers only if the underlying device
supports TPH.

It uses the mlx5_core steering tag (ST) APIs to get a steering tag index
based on the provided input.

The obtained index is stored in the device-specific mlx5_dmah structure
for future use.

Upcoming patches in the series will integrate the allocated DMAH into
the memory region (MR) registration process.

	Signed-off-by: Yishai Hadas <yishaih@nvidia.com>
	Reviewed-by: Edward Srouji <edwards@nvidia.com>
Link: https://patch.msgid.link/778550776799d82edb4d05da249a1cff00160b50.1752752567.git.leon@kernel.org
	Signed-off-by: Leon Romanovsky <leon@kernel.org>
(cherry picked from commit 3c81907)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Yishai Hadas <yishaih@nvidia.com>
commit e1bed9a

As part of this enhancement, allow the creation of an MKEY associated
with a DMA handle.

Additional notes:

MKEYs with TPH (i.e. TLP Processing Hints) attributes are currently not
UMR-capable unless explicitly enabled by firmware or hardware.
Therefore, to maintain such MKEYs in the MR cache, the TPH fields have
been added to the rb_key structure, with a dedicated hash bucket.

The ability to bypass the kernel verbs flow and create an MKEY with TPH
attributes using DEVX has been restricted. TPH must follow the standard
InfiniBand flow, where a DMAH is created with the appropriate security
checks and management mechanisms in place.

DMA handles are currently not supported in conjunction with On-Demand
Paging (ODP).

Re-registration of memory regions originally created with TPH attributes
is currently not supported.

	Signed-off-by: Yishai Hadas <yishaih@nvidia.com>
	Reviewed-by: Edward Srouji <edwards@nvidia.com>
Link: https://patch.msgid.link/1c485651cf8417694ddebb80446c5093d5a791a9.1752752567.git.leon@kernel.org
	Signed-off-by: Leon Romanovsky <leon@kernel.org>
(cherry picked from commit e1bed9a)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Patrisious Haddad <phaddad@nvidia.com>
commit 10d4de4

Currently there isn't a clear layer separation between the counters and
the steering code, whereas the steering code is doing redundant access
to the counter struct.

Separate the fs.c and counters.c, where fs code won't access or be
aware of counter structs but only the objects it needs.

As a result, move mlx5_rdma_counter struct from the header file to be
an internal struct for the counters file only.

	Signed-off-by: Patrisious Haddad <phaddad@nvidia.com>
	Reviewed-by: Edward Srouji <edwards@nvidia.com>
Link: https://patch.msgid.link/9854d1fdb140e4a6552b7a2fd1a028cfe488a935.1753004208.git.leon@kernel.org
	Signed-off-by: Leon Romanovsky <leon@kernel.org>
(cherry picked from commit 10d4de4)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Or Har-Toov <ohartoov@nvidia.com>
commit 85fe9f5

Fix a bug where the driver's event subscription logic for SRQ-related
events incorrectly sets obj_type for RMP objects.

When subscribing to SRQ events, get_legacy_obj_type() did not handle
the MLX5_CMD_OP_CREATE_RMP case, which caused obj_type to be 0
(default).
This led to a mismatch between the obj_type used during subscription
(0) and the value used during notification (1, taken from the event's
type field). As a result, event mapping for SRQ objects could fail and
event notification would not be delivered correctly.

This fix adds handling for MLX5_CMD_OP_CREATE_RMP in get_legacy_obj_type,
returning MLX5_EVENT_QUEUE_TYPE_RQ so obj_type is consistent between
subscription and notification.

Fixes: 7597385 ("IB/mlx5: Enable subscription for device events over DEVX")
Link: https://patch.msgid.link/r/8f1048e3fdd1fde6b90607ce0ed251afaf8a148c.1755088962.git.leon@kernel.org
	Signed-off-by: Or Har-Toov <ohartoov@nvidia.com>
	Reviewed-by: Edward Srouji <edwards@nvidia.com>
	Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
	Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
(cherry picked from commit 85fe9f5)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Thomas Weißschuh <thomas.weissschuh@linutronix.de>
commit e2068f7

In the past %pK was preferable to %p as it would not leak raw pointer
values into the kernel log.
Since commit ad67b74 ("printk: hash addresses printed with %p")
the regular %p has been improved to avoid this issue.
Furthermore, restricted pointers ("%pK") were never meant to be used
through tracepoints. They can still unintentionally leak raw pointers or
acquire sleeping locks in atomic contexts.

Switch to the regular pointer formatting which is safer and
easier to reason about.
There are still a few users of %pK left, but these use it through seq_file,
for which its usage is safe.

	Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
	Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
	Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
	Reviewed-by: Simon Horman <horms@kernel.org>
	Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
	Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20250811-restricted-pointers-net-v5-2-2e2fdc7d3f2c@linutronix.de
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit e2068f7)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Saeed Mahameed <saeedm@nvidia.com>
commit 2335b3f

Next patches will implement the discovery and creation of adjacent
functions vports, this patch introduces the hardware structures
definitions needed for the driver implementation.

	Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
	Reviewed-by: Mark Bloch <mbloch@nvidia.com>
	Reviewed-by: Parav Pandit <parav@nvidia.com>
	Reviewed-by: Jack Morgenstein <jackm@nvidia.com>
	Signed-off-by: Alexei Lazar <alazar@nvidia.com>
(cherry picked from commit 2335b3f)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Saeed Mahameed <saeedm@nvidia.com>
commit 864c05b

We need vhca_id to set up the vhca_id to vport mapping for every vport,
for that we query the firmware in mlx5_esw_vport_vhca_id_set, and it is
redundant since in esw_vport_setup, we already query hca caps which has
the vhca_id, cache it there and save 2 extra fw queries per vport.

	Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
	Reviewed-by: Mark Bloch <mbloch@nvidia.com>
	Reviewed-by: Parav Pandit <parav@nvidia.com>
	Signed-off-by: Alexei Lazar <alazar@nvidia.com>
	Reviewed-by: Feng Liu <feliu@nvidia.com>
(cherry picked from commit 864c05b)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Saeed Mahameed <saeedm@nvidia.com>
commit 1baf304

Dynamically created vports require vhca id as input to set/query other
vport hca cap, when FW is capable and the vhca id of a vport is valid
use it instead of the local function id.

	Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
	Signed-off-by: Adithya Jayachandran <ajayachandra@nvidia.com>
	Reviewed-by: Parav Pandit <parav@nvidia.com>
	Reviewed-by: Feng Liu <feliu@nvidia.com>
	Reviewed-by: William Tu <witu@nvidia.com>
	Reviewed-by: Mark Bloch <mbloch@nvidia.com>
(cherry picked from commit 1baf304)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Saeed Mahameed <saeedm@nvidia.com>
commit 40653f2

vhca id is already cached in the vport structure no need to query on
every mlx5 layer, use the mlx5_vport_get_vhca_id, where possible.

	Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
	Reviewed-by: Mark Bloch <mbloch@nvidia.com>
	Reviewed-by: Parav Pandit <parav@nvidia.com>
	Signed-off-by: Alexei Lazar <alazar@nvidia.com>
	Reviewed-by: Feng Liu <feliu@nvidia.com>
	Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
(cherry picked from commit 40653f2)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Daniel Jurgens <danielj@nvidia.com>
commit 9e84de7

The host PF can be disabled, query firmware to check if the host PF of
this function exists.

	Signed-off-by: Daniel Jurgens <danielj@nvidia.com>
	Reviewed-by: William Tu <witu@nvidia.com>
	Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/1755112796-467444-2-git-send-email-tariqt@nvidia.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 9e84de7)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
@PlaidCat PlaidCat self-assigned this Jul 1, 2026
@PlaidCat PlaidCat requested review from a team July 1, 2026 04:50
bmastbergen
bmastbergen previously approved these changes Jul 1, 2026

@bmastbergen bmastbergen left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🥌

roxanan1996
roxanan1996 previously approved these changes Jul 6, 2026
PlaidCat added 23 commits July 7, 2026 00:01
jira KERNEL-1259
Rebuild_History Non-Buildable kernel-5.14.0-687.22.1.el9_8
commit-author Dave Airlie <airlied@redhat.com>
commit 9478c16

These WARN_ONs seem to trigger a lot, and we don't seem to have a
plan to fix them, so just drop them, as they are most likely
harmless.

	Cc: stable@vger.kernel.org
Fixes: 176fdcb ("drm/nouveau/gsp/r535: add support for booting GSP-RM")
	Signed-off-by: Dave Airlie <airlied@redhat.com>
Link: https://patch.msgid.link/20241121014601.229391-1-airlied@gmail.com
	Signed-off-by: Danilo Krummrich <dakr@kernel.org>
(cherry picked from commit 9478c16)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
…DALL

jira KERNEL-1259
cve CVE-2026-46227
Rebuild_History Non-Buildable kernel-5.14.0-687.22.1.el9_8
commit-author Ben Morris <bmorris@anthropic.com>
commit abb5f36

The SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with
list_for_each_entry_safe(), which caches the next entry in @tmp before
the loop body runs.  The body calls sctp_sendmsg_to_asoc(), which may
drop the socket lock inside sctp_wait_for_sndbuf().

While the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the
association cached in @tmp, migrating it to a new endpoint via
sctp_sock_migrate() (list_del_init() + list_add_tail() to
newep->asocs), and optionally close the new socket which frees the
association via kfree_rcu().  The cached @tmp can also be freed by a
network ABORT for that association, processed in softirq while the
lock is dropped.

sctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock
via the "sk != asoc->base.sk" and "asoc->base.dead" checks, but nothing
revalidates @tmp.  After a successful return, the iterator advances to
the stale @tmp, yielding either a use-after-free (if the peeled socket
was closed) or a list-walk onto the new endpoint's list head (type
confusion of &newep->asocs as a struct sctp_association *).

Both are reachable from CapEff=0; the type-confusion path gives
controlled indirect call via the outqueue.sched->init_sid pointer.

Fix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc()
returns.  @asoc is known to still be on ep->asocs at that point: the
only callers that list_del an association from ep->asocs are
sctp_association_free() (which sets asoc->base.dead) and
sctp_assoc_migrate() (which changes asoc->base.sk), and
sctp_wait_for_sndbuf() checks both under the lock before any
successful return; a tripped check propagates as err < 0 and the loop
bails before the re-derive.

The SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the
loop hits 'continue' before sctp_sendmsg_to_asoc() is ever called, so
the @tmp cached by list_for_each_entry_safe() still covers the
lock-held free that ba59fb0 ("sctp: walk the list of asoc
safely") was added for.

Fixes: 4910280 ("sctp: add support for snd flag SCTP_SENDALL process in sendmsg")
	Cc: stable@vger.kernel.org
	Signed-off-by: Ben Morris <bmorris@anthropic.com>
	Acked-by: Xin Long <lucien.xin@gmail.com>
Link: https://patch.msgid.link/20260508001455.3137-1-joycathacker@gmail.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit abb5f36)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
…nit_with_funcs()

jira KERNEL-1259
cve CVE-2026-46209
Rebuild_History Non-Buildable kernel-5.14.0-687.22.1.el9_8
commit-author Ashutosh Desai <ashutoshdesai993@gmail.com>
commit 3d4c226

drm_gem_fb_init_with_funcs() computes sub-sampled plane dimensions
using plain integer division:

  unsigned int width  = mode_cmd->width  / (i ? info->hsub : 1);
  unsigned int height = mode_cmd->height / (i ? info->vsub : 1);

However, the ioctl-level framebuffer_check() in drm_framebuffer.c uses
drm_format_info_plane_width/height() which round up dimensions via
DIV_ROUND_UP(). This inconsistency corrupts the subsequent GEM object
size check for certain pixel format and dimension combinations.

For example, with NV12 (vsub=2) and a 1-pixel-tall framebuffer the
GEM size validation path sees height=0 instead of height=1. The
expression (height - 1) then wraps to UINT_MAX as an unsigned int,
causing min_size to overflow and wrap back to a small value. A tiny
GEM object therefore passes the size guard, yet when the GPU accesses
the chroma plane it will read or write memory beyond the object's
bounds.

Fix by replacing the open-coded divisions with drm_format_info_plane_width()
and drm_format_info_plane_height(), which use DIV_ROUND_UP() and match
the calculation already used in framebuffer_check().

Fixes: 4c3dbb2 ("drm: Add GEM backed framebuffer library")
	Cc: stable@vger.kernel.org # v4.14+
	Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
	Signed-off-by: Ashutosh Desai <ashutoshdesai993@gmail.com>
	Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patch.msgid.link/20260420013637.457751-1-ashutoshdesai993@gmail.com
(cherry picked from commit 3d4c226)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
…k_stat()

jira KERNEL-1259
cve CVE-2026-46259
Rebuild_History Non-Buildable kernel-5.14.0-687.22.1.el9_8
commit-author Jinliang Zheng <alexjlzheng@tencent.com>
commit 76149d5

When reading /proc/[pid]/stat, do_task_stat() accesses task->real_parent
without proper RCU protection, which leads to:

  cpu 0                               cpu 1
  -----                               -----
  do_task_stat
    var = task->real_parent
                                      release_task
                                        call_rcu(delayed_put_task_struct)
    task_tgid_nr_ns(var)
      rcu_read_lock   <--- Too late to protect task->real_parent!
      task_pid_ptr    <--- UAF!
      rcu_read_unlock

This patch uses task_ppid_nr_ns() instead of task_tgid_nr_ns() to add
proper RCU protection for accessing task->real_parent.

Link: https://lkml.kernel.org/r/20260128083007.3173016-1-alexjlzheng@tencent.com
Fixes: 06fffb1 ("do_task_stat: don't take rcu_read_lock()")
	Signed-off-by: Jinliang Zheng <alexjlzheng@tencent.com>
	Acked-by: Oleg Nesterov <oleg@redhat.com>
	Cc: David Hildenbrand <david@kernel.org>
	Cc: Ingo Molnar <mingo@kernel.org>
	Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
	Cc: Mateusz Guzik <mjguzik@gmail.com>
	Cc: ruippan <ruippan@tencent.com>
	Cc: Usama Arif <usamaarif642@gmail.com>
	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
(cherry picked from commit 76149d5)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1259
cve CVE-2026-46244
Rebuild_History Non-Buildable kernel-5.14.0-687.22.1.el9_8
commit-author Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
commit b6a91f6

In nft_inner_parse_l2l3(), when processing inner IPv6 packets,
ipv6_find_hdr() correctly computes the transport header offset
traversing all extension headers, but the result is immediately
overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only
accounts for the IPv6 base header. This creates a desync between
inner_thoff (wrong — points to extension header start) and l4proto
(correct — e.g., IPPROTO_TCP), enabling transport header forgery
and potential firewall bypass. This issue affects stable versions
from Linux 6.2.

For comparison, the normal (non-inner) IPv6 path correctly
preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite
ensures that ipv6_find_hdr()'s calculated transport header offset is
preserved, thereby fixing the desynchronization.

Fixes: 3a07327 ("netfilter: nft_inner: support for inner tunnel header matching")
	Cc: stable@vger.kernel.org
	Reported-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
	Reported-by: Yuxiang Yang <yangyx22@mails.tsinghua.edu.cn>
	Reported-by: Xuewei Feng <fengxw06@126.com>
	Reported-by: Qi Li <qli01@tsinghua.edu.cn>
	Reported-by: Ke Xu <xuke@tsinghua.edu.cn>
Assisted-by: GLM:5.1 Z.ai
	Signed-off-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
	Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit b6a91f6)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
…he erased entry

jira KERNEL-1259
cve CVE-2026-46316
Rebuild_History Non-Buildable kernel-5.14.0-687.22.1.el9_8
commit-author Hyunwoo Kim <imv4bel@gmail.com>
commit 13031fb

vgic_its_invalidate_cache() walks the per-ITS translation cache with
xa_for_each() and drops the cache's reference on each entry with
vgic_put_irq(). It puts the iterated pointer, though, rather than the
value returned by xa_erase().

The function is called from contexts that do not exclude one another: the
ITS command handlers hold its_lock, the GITS_CTLR write path holds
cmd_lock, and the path that clears EnableLPIs in a redistributor's
GICR_CTLR holds neither. Two or more of them can drain the same cache
concurrently, and if each one observes the same entry, erases it and then
puts it, the single reference the cache holds on that entry is dropped
more than once. The entry can then be freed while an ITE still maps it.

xa_erase() is atomic and returns the previous entry, so put only the entry
that this context actually removed. The cache reference is then dropped
exactly once per entry even when the invalidations run concurrently, and
the behavior is unchanged when only one context runs.

Fixes: 8201d10 ("KVM: arm64: vgic-its: Maintain a translation cache per ITS")
	Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
	Reviewed-by: Oliver Upton <oupton@kernel.org>
Link: https://patch.msgid.link/ah2c5lu4JbUg7dj-@v4bel
	Signed-off-by: Marc Zyngier <maz@kernel.org>
	Cc: stable@vger.kernel.org
(cherry picked from commit 13031fb)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1259
cve CVE-2025-10263
Rebuild_History Non-Buildable kernel-5.14.0-687.22.1.el9_8
commit-author Catalin Marinas <catalin.marinas@arm.com>
commit 2c99561

Add cputype definitions for C1-Pro. These will be used for errata
detection in subsequent patches.

These values can be found in "Table A-303: MIDR_EL1 bit descriptions" in
issue 07 of the C1-Pro TRM:

  https://documentation-service.arm.com/static/6930126730f8f55a656570af

	Acked-by: Mark Rutland <mark.rutland@arm.com>
	Cc: Will Deacon <will@kernel.org>
	Cc: James Morse <james.morse@arm.com>
	Reviewed-by: Will Deacon <will@kernel.org>
	Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
(cherry picked from commit 2c99561)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1259
cve CVE-2025-10263
Rebuild_History Non-Buildable kernel-5.14.0-687.22.1.el9_8
commit-author Mark Rutland <mark.rutland@arm.com>
commit d28413b

Add cputype definitions for C1-Premium. These will be used for errata
detection in subsequent patches.

These values can be found in the C1-Premium TRM:

  https://developer.arm.com/documentation/109416/0100/

... in section A.5.1 ("MIDR_EL1, Main ID Register").

	Signed-off-by: Mark Rutland <mark.rutland@arm.com>
	Cc: Catalin Marinas <catalin.marinas@arm.com>
	Cc: Will Deacon <will@kernel.org>
	Signed-off-by: Will Deacon <will@kernel.org>
(cherry picked from commit d28413b)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1259
cve CVE-2025-10263
Rebuild_History Non-Buildable kernel-5.14.0-687.22.1.el9_8
commit-author Mark Rutland <mark.rutland@arm.com>
commit 60349e6

Add cputype definitions for C1-Ultra. These will be used for errata
detection in subsequent patches.

These values can be found in the C1-Ultra TRM:

  https://developer.arm.com/documentation/108014/0100/

... in section A.5.1 ("MIDR_EL1, Main ID Register").

	Signed-off-by: Mark Rutland <mark.rutland@arm.com>
	Cc: Catalin Marinas <catalin.marinas@arm.com>
	Cc: Will Deacon <will@kernel.org>
	Signed-off-by: Will Deacon <will@kernel.org>
(cherry picked from commit 60349e6)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1259
cve CVE-2025-10263
Rebuild_History Non-Buildable kernel-5.14.0-687.22.1.el9_8
commit-author Mark Rutland <mark.rutland@arm.com>
commit 3bbf004

Add cputype definitions for Neoverse-V3AE. These will be used for errata
detection in subsequent patches.

These values can be found in the Neoverse-V3AE TRM:

  https://developer.arm.com/documentation/SDEN-2615521/9-0/

... in section A.6.1 ("MIDR_EL1, Main ID Register").

	Signed-off-by: Mark Rutland <mark.rutland@arm.com>
	Cc: James Morse <james.morse@arm.com>
	Cc: Will Deacon <will@kernel.org>
	Cc: Catalin Marinas <catalin.marinas@arm.com>
	Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>
	Signed-off-by: Will Deacon <will@kernel.org>
(cherry picked from commit 3bbf004)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1259
cve CVE-2025-10263
Rebuild_History Non-Buildable kernel-5.14.0-687.22.1.el9_8
commit-author Mark Rutland <mark.rutland@arm.com>
commit 0c33aa1

Neoverse-V3AE is also affected by erratum #3312417, as described in its
Software Developer Errata Notice (SDEN) document:

  Neoverse V3AE (MP172) SDEN v9.0, erratum 3312417
  https://developer.arm.com/documentation/SDEN-2615521/9-0/

Enable the workaround for Neoverse-V3AE, and document this.

	Signed-off-by: Mark Rutland <mark.rutland@arm.com>
	Cc: James Morse <james.morse@arm.com>
	Cc: Will Deacon <will@kernel.org>
	Cc: Catalin Marinas <catalin.marinas@arm.com>
	Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>
	Signed-off-by: Will Deacon <will@kernel.org>
(cherry picked from commit 0c33aa1)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1259
cve CVE-2025-10263
Rebuild_History Non-Buildable kernel-5.14.0-687.22.1.el9_8
commit-author Mark Rutland <mark.rutland@arm.com>
commit cfd391e
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-5.14.0-687.22.1.el9_8/cfd391e7.failed

A number of CPUs developed by Arm suffer from errata whereby a broadcast
TLBI;DSB sequence may complete before the global observation of writes
which are translated by an affected TLB entry.

These errata ONLY affect the completion of memory accesses which have
been translated by an invalidated TLB entry, and these errata DO NOT
affect the actual invalidation of TLB entries. TLB entries are removed
correctly.

This issue has been assigned CVE ID CVE-2025-10263.

To mitigate this issue, Arm recommends that software follows any
affected TLBI;DSB sequence with an additional TLBI;DSB, which will
ensure that all memory write effects affected by the first TLBI have
been globally observed. The additional TLBI can use any operation that
is broadcast to affected CPUs, and the additional DSB can use any option
that is sufficient to complete the additional TLBI.

The ARM64_WORKAROUND_REPEAT_TLBI workaround is sufficient to mitigate
the issue. Enable this workaround for affected CPUs, and update the
silicon errata documentation accordingly.

Note that due to the manner in which Arm develops IP and tracks errata,
some CPUs share a common erratum number.

	Signed-off-by: Mark Rutland <mark.rutland@arm.com>
	Cc: Catalin Marinas <catalin.marinas@arm.com>
	Cc: Will Deacon <will@kernel.org>
	Signed-off-by: Will Deacon <will@kernel.org>
(cherry picked from commit cfd391e)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

# Conflicts:
#	Documentation/arm64/silicon-errata.rst
#	arch/arm64/Kconfig
jira KERNEL-1259
cve CVE-2025-10263
Rebuild_History Non-Buildable kernel-5.14.0-687.22.1.el9_8
commit-author Shanker Donthineni <sdonthineni@nvidia.com>
commit ec7216f
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-5.14.0-687.22.1.el9_8/ec7216f9.failed

NVIDIA Olympus cores are affected by the TLBI completion issue tracked as
CVE-2025-10263. The existing ARM64_ERRATUM_4118414 handling already uses
ARM64_WORKAROUND_REPEAT_TLBI to issue an additional broadcast TLBI;DSB
sequence and ensure affected memory write effects are globally observed.

Add MIDR_NVIDIA_OLYMPUS to the repeat-TLBI match list so the same
mitigation is enabled on affected Olympus systems. Also document the
NVIDIA Olympus erratum in the arm64 silicon errata table and list it in
the Kconfig help text.

	Signed-off-by: Shanker Donthineni <sdonthineni@nvidia.com>
	Cc: Catalin Marinas <catalin.marinas@arm.com>
	Cc: Will Deacon <will@kernel.org>
	Cc: Mark Rutland <mark.rutland@arm.com>
	Acked-by: Mark Rutland <mark.rutland@arm.com>
	Signed-off-by: Will Deacon <will@kernel.org>
(cherry picked from commit ec7216f)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

# Conflicts:
#	arch/arm64/Kconfig
#	arch/arm64/kernel/cpu_errata.c
jira KERNEL-1259
cve CVE-2025-10263
Rebuild_History Non-Buildable kernel-5.14.0-687.22.1.el9_8
commit-author Will Deacon <will@kernel.org>
commit 1940e70
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-5.14.0-687.22.1.el9_8/1940e70a.failed

Commit fb091ff ("arm64: Subscribe Microsoft Azure Cobalt 100 to ARM
Neoverse N2 errata") states that Microsoft Azure Cobalt 100 CPU "is a
Microsoft implemented CPU based on r0p0 of the ARM Neoverse N2 CPU, and
therefore suffers from all the same errata.".

So enable the workaround for the latest broadcast TLB invalidation bug
on these parts.

	Signed-off-by: Will Deacon <will@kernel.org>
(cherry picked from commit 1940e70)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

# Conflicts:
#	arch/arm64/Kconfig
#	arch/arm64/kernel/cpu_errata.c
jira KERNEL-1259
cve CVE-2025-10263
Rebuild_History Non-Buildable kernel-5.14.0-687.22.1.el9_8
commit-author Shanker Donthineni <sdonthineni@nvidia.com>
commit e185c8a

Add cpu part and model macro definitions for NVIDIA Olympus core.

	Signed-off-by: Shanker Donthineni <sdonthineni@nvidia.com>
	Signed-off-by: Will Deacon <will@kernel.org>
(cherry picked from commit e185c8a)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1259
cve CVE-2026-43112
Rebuild_History Non-Buildable kernel-5.14.0-687.22.1.el9_8
commit-author Fredric Cover <FredTheDude@proton.me>
commit 78ec5bf

When cifs_sanitize_prepath is called with an empty string or a string
containing only delimiters (e.g., "/"), the current logic attempts to
check *(cursor2 - 1) before cursor2 has advanced. This results in an
out-of-bounds read.

This patch adds an early exit check after stripping prepended
delimiters. If no path content remains, the function returns NULL.

The bug was identified via manual audit and verified using a
standalone test case compiled with AddressSanitizer, which
triggered a SEGV on affected inputs.

	Signed-off-by: Fredric Cover <FredTheDude@proton.me>
	Reviewed-by: Henrique Carvalho <[2]henrique.carvalho@suse.com>
	Signed-off-by: Steve French <stfrench@microsoft.com>
(cherry picked from commit 78ec5bf)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1259
cve CVE-2026-43276
Rebuild_History Non-Buildable kernel-5.14.0-687.22.1.el9_8
commit-author Dipayaan Roy <dipayanroy@linux.microsoft.com>
commit f975a09

While testing corner cases in the driver, a use-after-free crash
was found on the service rescan PCI path.

When mana_serv_reset() calls mana_gd_suspend(), mana_gd_cleanup()
destroys gc->service_wq. If the subsequent mana_gd_resume() fails
with -ETIMEDOUT or -EPROTO, the code falls through to
mana_serv_rescan() which triggers pci_stop_and_remove_bus_device().
This invokes the PCI .remove callback (mana_gd_remove), which calls
mana_gd_cleanup() a second time, attempting to destroy the already-
freed workqueue. Fix this by NULL-checking gc->service_wq in
mana_gd_cleanup() and setting it to NULL after destruction.

Call stack of issue for reference:
[Sat Feb 21 18:53:48 2026] Call Trace:
[Sat Feb 21 18:53:48 2026]  <TASK>
[Sat Feb 21 18:53:48 2026]  mana_gd_cleanup+0x33/0x70 [mana]
[Sat Feb 21 18:53:48 2026]  mana_gd_remove+0x3a/0xc0 [mana]
[Sat Feb 21 18:53:48 2026]  pci_device_remove+0x41/0xb0
[Sat Feb 21 18:53:48 2026]  device_remove+0x46/0x70
[Sat Feb 21 18:53:48 2026]  device_release_driver_internal+0x1e3/0x250
[Sat Feb 21 18:53:48 2026]  device_release_driver+0x12/0x20
[Sat Feb 21 18:53:48 2026]  pci_stop_bus_device+0x6a/0x90
[Sat Feb 21 18:53:48 2026]  pci_stop_and_remove_bus_device+0x13/0x30
[Sat Feb 21 18:53:48 2026]  mana_do_service+0x180/0x290 [mana]
[Sat Feb 21 18:53:48 2026]  mana_serv_func+0x24/0x50 [mana]
[Sat Feb 21 18:53:48 2026]  process_one_work+0x190/0x3d0
[Sat Feb 21 18:53:48 2026]  worker_thread+0x16e/0x2e0
[Sat Feb 21 18:53:48 2026]  kthread+0xf7/0x130
[Sat Feb 21 18:53:48 2026]  ? __pfx_worker_thread+0x10/0x10
[Sat Feb 21 18:53:48 2026]  ? __pfx_kthread+0x10/0x10
[Sat Feb 21 18:53:48 2026]  ret_from_fork+0x269/0x350
[Sat Feb 21 18:53:48 2026]  ? __pfx_kthread+0x10/0x10
[Sat Feb 21 18:53:48 2026]  ret_from_fork_asm+0x1a/0x30
[Sat Feb 21 18:53:48 2026]  </TASK>

Fixes: 505cc26 ("net: mana: Add support for auxiliary device servicing events")
	Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
	Signed-off-by: Dipayaan Roy <dipayanroy@linux.microsoft.com>
	Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/aZ2bzL64NagfyHpg@linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit f975a09)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1259
cve CVE-2026-43276
Rebuild_History Non-Buildable kernel-5.14.0-687.22.1.el9_8
commit-author Shiraz Saleem <shirazsaleem@microsoft.com>
commit 87c2302

In mana_gd_setup() error path, set gc->service_wq to NULL after
destroy_workqueue() to match the cleanup in mana_gd_cleanup().
This prevents a use-after-free if the workqueue pointer is checked
after a failed setup.

Fixes: f975a09 ("net: mana: Fix double destroy_workqueue on service rescan PCI path")
	Signed-off-by: Shiraz Saleem <shirazsaleem@microsoft.com>
	Signed-off-by: Konstantin Taranov <kotaranov@microsoft.com>
	Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260309172443.688392-1-kotaranov@linux.microsoft.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 87c2302)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1259
cve CVE-2026-46323
Rebuild_History Non-Buildable kernel-5.14.0-687.22.1.el9_8
commit-author Sabrina Dubroca <sd@queasysnail.net>
commit 4db79a3
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-5.14.0-687.22.1.el9_8/4db79a32.failed

skb_gro_receive() can currently copy frags between the source and GRO
skb, without checking the zerocopy status, and in particular the
SKBFL_MANAGED_FRAG_REFS flag.

When SKBFL_MANAGED_FRAG_REFS is set, the skb doesn't hold a reference
on the pages in shinfo->frags. Appending those frags to another skb's
frags without fixing up the page refcount can lead to UAF.

When either the last skb in the GRO chain (the one we would append
frags to) or the source skb is zerocopy, don't merge the skbs.

Fixes: 753f1ca ("net: introduce managed frags infrastructure")
	Reported-by: Huzaifa Sidhpurwala <huzaifas@redhat.com>
	Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
	Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/c3b7f906bbfcbdfd7b4fa9d6c18a438870df85be.1779307748.git.sd@queasysnail.net
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 4db79a3)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

# Conflicts:
#	net/core/gro.c
jira KERNEL-1259
cve CVE-2026-46116
Rebuild_History Non-Buildable kernel-5.14.0-687.22.1.el9_8
commit-author Michal Kosiorek <mkosiorek121@gmail.com>
commit 14acf96
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-5.14.0-687.22.1.el9_8/14acf965.failed

KASAN reproduces a slab-use-after-free in __xfrm_state_delete()'s
hlist_del_rcu calls under syzkaller load on linux-6.12.y stable
(reproduced on 6.12.47, also reachable via the same code path on
torvalds/master and on the ipsec tree). Nine unique signatures cluster
in the xfrm_state lifecycle, the load-bearing one being:

  BUG: KASAN: slab-use-after-free in __hlist_del include/linux/list.h:990 [inline]
  BUG: KASAN: slab-use-after-free in hlist_del_rcu include/linux/rculist.h:516 [inline]
  BUG: KASAN: slab-use-after-free in __xfrm_state_delete net/xfrm/xfrm_state.c
  Write of size 8 at addr ffff8881198bcb70 by task kworker/u8:9/435

  Workqueue: netns cleanup_net
  Call Trace:
   __hlist_del / hlist_del_rcu
   __xfrm_state_delete
   xfrm_state_delete
   xfrm_state_flush
   xfrm_state_fini
   ops_exit_list
   cleanup_net

The other observed signatures hit the same slab object from
__xfrm_state_lookup, xfrm_alloc_spi, __xfrm_state_insert and an OOB
write variant of __xfrm_state_delete, all on the byseq/byspi
hash chains.

__xfrm_state_delete() guards its byseq and byspi unhashes with
value-based predicates:

	if (x->km.seq)
		hlist_del_rcu(&x->byseq);
	if (x->id.spi)
		hlist_del_rcu(&x->byspi);

while everywhere else in the file (e.g. state_cache, state_cache_input)
the safer hlist_unhashed() check is used. xfrm_alloc_spi() sets
x->id.spi = newspi inside xfrm_state_lock and then immediately inserts
into byspi, but a path that observes x->id.spi != 0 outside of
xfrm_state_lock can still skip-or-hit the byspi unhash inconsistently
with whether x is actually on the list. The same holds for x->km.seq
versus byseq, and the bydst/bysrc unhashes have no predicate at all,
so a second __xfrm_state_delete() on the same object writes through
LIST_POISON pprev.

The defensive change here:

  - Use hlist_del_init_rcu() instead of hlist_del_rcu() on bydst,
    bysrc, byseq and byspi so a second deletion is a no-op rather
    than a write through LIST_POISON pprev. The byseq/byspi nodes
    are already initialised in xfrm_state_alloc().
  - Test hlist_unhashed() rather than the value predicate for
    byseq/byspi, so the unhash decision tracks list state rather than
    mutable scalar fields.

Empirical verification: applied this patch on top of v6.12.47, rebuilt,
and re-ran the same syzkaller harness for 1h16m on a previously-crashy
configuration that produced ~100 hits each of slab-use-after-free
Read in xfrm_alloc_spi / Read in __xfrm_state_lookup / Write in
__xfrm_state_delete. After the patch, 7.1M execs across 32 VMs at
~1550 exec/sec produced zero xfrm_state UAF/OOB hits. /proc/slabinfo
confirms the xfrm_state slab is actively allocated and freed during
the run (~143 KiB resident), so the fuzzer is still exercising those
code paths -- they just no longer crash.

Reproduction:

  - Linux 6.12.47 x86_64 + KASAN_GENERIC + KASAN_INLINE + KCOV
  - syzkaller @ 746545b8b1e4c3a128db8652b340d3df90ce61db
  - 32 QEMU/KVM VMs x 2 vCPU on AWS c5.metal bare metal
  - 9 unique signatures collected in ~9h, all within xfrm_state
    lifecycle

Fixes: fe9f1d8 ("xfrm: add state hashtable keyed by seq")
Fixes: 7b4dc36 ("[XFRM]: Do not add a state whose SPI is zero to the SPI hash.")
	Reported-by: Michal Kosiorek <mkosiorek121@gmail.com>
	Tested-by: Michal Kosiorek <mkosiorek121@gmail.com>
	Cc: stable@vger.kernel.org
	Signed-off-by: Michal Kosiorek <mkosiorek121@gmail.com>
	Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
(cherry picked from commit 14acf96)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

# Conflicts:
#	net/xfrm/xfrm_state.c
jira KERNEL-1259
Rebuild_History Non-Buildable kernel-5.14.0-687.22.1.el9_8
commit-author Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 3d8b9d0

The bounds check uses (u8 *)ea + nlen + 1 + vlen as the end of the EA
name and value, but ea_data sits at offset sizeof(struct
smb2_file_full_ea_info) = 8 from ea, not at offset 0.  The strncmp()
later reads ea->ea_data[0..nlen-1] and the value bytes follow at
ea_data[nlen+1..nlen+vlen], so the actual end is ea->ea_data + nlen + 1
+ vlen.  Isn't pointer math fun?

The earlier check (u8 *)ea > end - sizeof(*ea) only guarantees the
8-byte header is in bounds, but since the last EA is placed within 8
bytes of the end of the response, the name and value bytes are read past
the end of iov.

Fix this mess all up by using ea->ea_data as the base for the bounds
check.

An "untrusted" server can use this to leak up to 8 bytes of kernel heap
into the EA name comparison and influence which WSL xattr the data is
interpreted as.

	Cc: Ronnie Sahlberg <ronniesahlberg@gmail.com>
	Cc: Shyam Prasad N <sprasad@microsoft.com>
	Cc: Tom Talpey <tom@talpey.com>
	Cc: Bharath SM <bharathsm@microsoft.com>
	Cc: linux-cifs@vger.kernel.org
	Cc: samba-technical@lists.samba.org
	Cc: stable <stable@kernel.org>
Assisted-by: gregkh_clanker_t1000
	Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Signed-off-by: Steve French <stfrench@microsoft.com>
(cherry picked from commit 3d8b9d0)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1259
cve CVE-2026-46155
Rebuild_History Non-Buildable kernel-5.14.0-687.22.1.el9_8
commit-author Zisen Ye <zisenye@stu.xidian.edu.cn>
commit 8d09328

If a server sends a truncated response but a large OutputBufferLength, and
terminates the EA list early, check_wsl_eas() returns success without
validating that the entire OutputBufferLength fits within iov_len.

Then smb2_compound_op() does:
    memcpy(idata->wsl.eas, data[0], size[0]);

Where size[0] is OutputBufferLength. If iov_len is smaller than size[0],
memcpy can read beyond the end of the rsp_iov allocation and leak adjacent
kernel heap memory.

Link: https://lore.kernel.org/linux-cifs/d998240c-aca9-420d-9dbd-f5ba24af19e0@chenxiaosong.com/
Fixes: ea41367 ("smb: client: introduce SMB2_OP_QUERY_WSL_EA")
	Cc: stable@vger.kernel.org
	Signed-off-by: Zisen Ye <zisenye@stu.xidian.edu.cn>
	Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
	Signed-off-by: Steve French <stfrench@microsoft.com>
(cherry picked from commit 8d09328)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
Rebuild_History BUILDABLE
Rebuilding Kernel from rpm changelog with Fuzz Limit: 87.50%
Number of commits in upstream range v5.14~1..kernel-mainline: 394115
Number of commits in rpm: 27
Number of commits matched with upstream: 22 (81.48%)
Number of commits in upstream but not in rpm: 394093
Number of commits NOT found in upstream: 5 (18.52%)

Rebuilding Kernel on Branch rocky9_8_rebuild_kernel-5.14.0-687.22.1.el9_8 for kernel-5.14.0-687.22.1.el9_8
Clean Cherry Picks: 17 (77.27%)
Empty Cherry Picks: 5 (22.73%)
_______________________________

Full Details Located here:
ciq/ciq_backports/kernel-5.14.0-687.22.1.el9_8/rebuild.details.txt

Includes:
* git commit header above
* Empty Commits with upstream SHA
* RPM ChangeLog Entries that could not be matched

Individual Empty Commit failures contained in the same containing directory.
The git message for empty commits will have the path for the failed commit.
File names are the first 8 characters of the upstream SHA
@PlaidCat PlaidCat dismissed stale reviews from roxanan1996 and bmastbergen via 68774cf July 7, 2026 04:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

3 participants