Skip to content

[rocky9_8] History Rebuild through kernel-5.14.0-687.20.1.el9_8#1394

Open
PlaidCat wants to merge 396 commits into
rocky9_8from
rocky9_8_rebuild
Open

[rocky9_8] History Rebuild through kernel-5.14.0-687.20.1.el9_8#1394
PlaidCat wants to merge 396 commits into
rocky9_8from
rocky9_8_rebuild

Conversation

@PlaidCat

@PlaidCat PlaidCat commented Jul 1, 2026

Copy link
Copy Markdown
Collaborator

This is an automated kernel history rebuild using cron and internal tooling. It follows the same process used for previous history rebuilds:

  • Download all unprocessed src.rpm packages
  • For each src.rpm:
    • Identify all commits in the changelog up to the last known tag (5.14.0-687)
    • Replay commits in chronological order (oldest to newest in the changelog) using git cherry-pick
    • Replace the code in the branch with the output of rpmbuild -bp for the corresponding src.rpm
    • Tag the rebuild branch

JIRA Tickets

Rebuild Splat Inspection

kernel-5.14.0-687.20.1.el9_8

$ cat ciq/ciq_backports/kernel-5.14.0-687.20.1.el9_8/rebuild.details.txt
Rebuild_History BUILDABLE
Rebuilding Kernel from rpm changelog with Fuzz Limit: 87.50%
Number of commits in upstream range v5.14~1..kernel-mainline: 394115
Number of commits in rpm: 400
Number of commits matched with upstream: 396 (99.00%)
Number of commits in upstream but not in rpm: 393719
Number of commits NOT found in upstream: 4 (1.00%)

Rebuilding Kernel on Branch rocky9_8_rebuild_kernel-5.14.0-687.20.1.el9_8 for kernel-5.14.0-687.20.1.el9_8
Clean Cherry Picks: 353 (89.14%)
Empty Cherry Picks: 42 (10.61%)
_______________________________

__EMPTY COMMITS__________________________
cbb0b9d4bbcfa96e7872808a63be03202536f1bc fs: use a helper for opening kernel internal files
8a05a8c31d06c5d0d67b273a4a00f87269adde82 fs: move kmem_cache_zalloc() into alloc_empty_file*() helpers
62d53c4a1dfe347bd87ede46ffad38c9a3870338 fs: use backing_file container for internal files with "fake" f_path
dff745c1221a402b4921d54f292288373cff500c fs: move cleanup from init_file() into its callers
35931eb3945b8d38c31f8e956aee3cf31c52121b fs: Fix kernel-doc warnings
3e15dcf77b23b8e9b9b7f3c0d4def8fe9c12c534 fs: rename __mnt_{want,drop}_write*() helpers
83bc1d294130cc471a89ce10770daa281a93fcb0 fs: get mnt_writers count for an open backing file's real path
08582d678fcf11fc86188f0b92239d3d49667d8e fs: create helper file_user_path() for user displayed mapped file path
def3ae83da02f87005210fa3d448c5dd37ba4105 fs: store real path instead of fake path in backing file f_path
f91a704f7161c2cf0fcd41fa9fbec4355b813fff fs: prepare for stackable filesystems backing file helpers
a6293b3e285cd0d7692141d7981a5f144f0e2f0b fs: factor out backing_file_{read,write}_iter() helpers
9b7e9e2f5d5c3d079ec46bc71b114012e362ea6e fs: factor out backing_file_splice_{read,write}() helpers
f567377e406c032fff0799bde4fdf4a977529b84 fs: factor out backing_file_mmap() helper
09001284eebfc1b684e81d1db0f006787d35f3e1 lsm: add helper for blob allocations
924577e4f6ca473de1528953a0e13505fae61d7b ovl: Fix nested backing file paths
4e301d858af17ae2ce56886296e5458c5a08219a fs: constify file ptr in backing_file accessor helpers
3ec2529eca6f175f4e3e87c4534010e044839b38 ovl: remove unneeded non-const conversion
7933a585d70ee496fa341b50b8b0a95b131867ff ovl: remove redundant IOCB_DIO_CALLER_COMP clearing
880bd496ec72a6dcb00cb70c430ef752ba242ae7 fs: prepare for adding LSM blob to backing_file
6af36aeb147a06dea47c49859cd6ca5659aeb987 lsm: add backing_file LSM hooks
82544d36b1729153c8aeb179e84750f0c085d3b1 selinux: fix overlayfs mmap() and mprotect() access checks
888a7776f4fb04c19bec70c737c61c2f383c6b1e net/mlx5: Add support for device steering tag
520369ef43a8504f9d54ee219bb6c692d2e40028 net/mlx5: Support disabling host PFs
673d7ab7563e1268ac4ca62914b2b99d16219500 net/mlx5e: Prepare for using multiple TX doorbells
71fb4832d50b01f0af2d257360c239879ce93a8e net/mlx5e: Use multiple TX doorbells
11bbcfb7668c6f4d97260f7caaefea22678bc31e net/mlx5e: Use the 'num_doorbells' devlink param
2dc768c05217e667f987907a3404926e7ba89ff3 net/mlx5e: Trim the length of the num_doorbell error
4b6b6233f50f72353b54295ba594990b19f33223 RDMA: Use %pe format specifier for error pointers
2d838c11e10e9169cae4f7778345c11b5447ef05 net/mlx5: Add direct ST mode support for RDMA
d4aa0cc9bd31f3e0cd5f067d649bf39135e4b46b net/mlx5e: Support XDP target xmit with dummy program
2ae8c7edea87f54609bda30963a099cd3c64b0bb net/mlx5: Fix Unbinding uplink-netdev in switchdev mode
665a7e13c220bbde55531a24bd5524320648df10 net/mlx5e: SHAMPO, Fix header mapping for 64K pages
d8a7ed9586c7579a99e9e2d90988c9eceeee61ff net/mlx5e: SHAMPO, Fix header formulas for higher MTUs and 64K pages
76324e4041c0efb4808702b05426d7a0a7d8df5b net/mlx5: Fix peer miss rules host disabled checks
a6413e6f6c9d9bb9833324cb3753582f7bc0f2fa net/mlx5e: RX, Fix XDP multi-buf frag counting for legacy RQ
db25c42c2e1f9c0d136420fff5e5700f7e771a6f net/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ
43c249ea0b1e10baac4a1264a25d69723ce5d2c2 compiler-gcc.h: remove ancient workaround for gcc PR 58670
4356e9f841f7fbb945521cef3577ba394c65f3fc work around gcc bugs with 'asm goto' with outputs
68fb3ca0e408e00db1c3f8fccdfa19e274c033be update workarounds for gcc "asm goto" issue
f2f6a8e8871725035959b90bac048cde555aa0e9 init/Kconfig: remove CONFIG_GCC_ASM_GOTO_OUTPUT_WORKAROUND
0e124af675ebabddacfeb0958abd443265dddf13 scsi: qla2xxx: Add support to report MPI FW state
858d2a4f67ff69e645a43487ef7ea7f28f06deae tcp: fix potential race in tcp_v6_syn_recv_sock()

__CHANGES NOT IN UPSTREAM________________
Replace sbat with Rocky Linux sbat
Change bug tracker URL
Ensure appended release in sbat is removed'
selinux: RHEL-only hotfix for execmem regression

BUILD

$ grep -E -B 5 -A 5 "\[TIMER\]|^Starting Build" $(ls -t kbuild* | head -n1)
/mnt/code/kernel-src-tree-build
Running make mrproper...
  CLEAN   scripts/basic
  CLEAN   scripts/kconfig
  CLEAN   include/config include/generated
[TIMER]{MRPROPER}: 5s
x86_64 architecture detected, copying config
'configs/kernel-x86_64-rhel.config' -> '.config'
Setting Local Version for build
CONFIG_LOCALVERSION="-rocky9_8_rebuild-ccaa0c849bbe"
Making olddefconfig
--
  HOSTCC  scripts/kconfig/util.o
  HOSTLD  scripts/kconfig/conf
#
# configuration written to .config
#
Starting Build
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_32.h
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_64.h
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_x32.h
  SYSTBL  arch/x86/include/generated/asm/syscalls_32.h
  SYSHDR  arch/x86/include/generated/asm/unistd_32_ia32.h
--
  BTF [M] sound/usb/usx2y/snd-usb-us144mkii.ko
  BTF [M] sound/usb/usx2y/snd-usb-usx2y.ko
  BTF [M] sound/x86/snd-hdmi-lpe-audio.ko
  BTF [M] sound/virtio/virtio_snd.ko
  BTF [M] sound/xen/snd_xen_front.ko
[TIMER]{BUILD}: 1558s
Making Modules
  INSTALL /lib/modules/5.14.0-rocky9_8_rebuild-ccaa0c849bbe/kernel/arch/x86/crypto/blake2s-x86_64.ko
  INSTALL /lib/modules/5.14.0-rocky9_8_rebuild-ccaa0c849bbe/kernel/arch/x86/crypto/blowfish-x86_64.ko
  INSTALL /lib/modules/5.14.0-rocky9_8_rebuild-ccaa0c849bbe/kernel/arch/x86/crypto/camellia-aesni-avx-x86_64.ko
  INSTALL /lib/modules/5.14.0-rocky9_8_rebuild-ccaa0c849bbe/kernel/arch/x86/crypto/camellia-aesni-avx2.ko
--
  SIGN    /lib/modules/5.14.0-rocky9_8_rebuild-ccaa0c849bbe/kernel/sound/usb/usx2y/snd-usb-usx2y.ko
  SIGN    /lib/modules/5.14.0-rocky9_8_rebuild-ccaa0c849bbe/kernel/sound/x86/snd-hdmi-lpe-audio.ko
  SIGN    /lib/modules/5.14.0-rocky9_8_rebuild-ccaa0c849bbe/kernel/sound/virtio/virtio_snd.ko
  SIGN    /lib/modules/5.14.0-rocky9_8_rebuild-ccaa0c849bbe/kernel/sound/xen/snd_xen_front.ko
  DEPMOD  /lib/modules/5.14.0-rocky9_8_rebuild-ccaa0c849bbe
[TIMER]{MODULES}: 12s
Making Install
sh ./arch/x86/boot/install.sh 5.14.0-rocky9_8_rebuild-ccaa0c849bbe \
	arch/x86/boot/bzImage System.map "/boot"
[TIMER]{INSTALL}: 27s
Checking kABI
kABI check passed
Setting Default Kernel to /boot/vmlinuz-5.14.0-rocky9_8_rebuild-ccaa0c849bbe and Index to 0
Hopefully Grub2.0 took everything ... rebooting after time metrices
[TIMER]{MRPROPER}: 5s
[TIMER]{BUILD}: 1558s
[TIMER]{MODULES}: 12s
[TIMER]{INSTALL}: 27s
[TIMER]{TOTAL} 1607s
Rebooting in 10 seconds

KSelfTests

$ get_kselftest_diff.sh
kselftest.5.14.0-rocky9_8_rebuild-f89ef56bfe6d.log
311
kselftest.5.14.0-rocky9_8_rebuild-49e9701ac83b.log
311
kselftest.5.14.0-rocky9_8_rebuild-37e80bde7a74.log
311
kselftest.5.14.0-rocky9_8_rebuild-ccaa0c849bbe.log
311
Before: kselftest.5.14.0-rocky9_8_rebuild-37e80bde7a74.log
After: kselftest.5.14.0-rocky9_8_rebuild-ccaa0c849bbe.log
Diff:
No differences found.

PlaidCat added 30 commits July 1, 2026 00:02
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Jianbo Liu <jianbol@nvidia.com>
commit 6d19c44

Hardware returns a unique identifier for a decrypted packet's xfrm
state, this state is looked up in an xarray. However, the state might
have been freed by the time of this lookup.

Currently, if the state is not found, only a counter is incremented.
The secpath (sp) extension on the skb is not removed, resulting in
sp->len becoming 0.

Subsequently, functions like __xfrm_policy_check() attempt to access
fields such as xfrm_input_state(skb)->xso.type (which dereferences
sp->xvec[sp->len - 1]) without first validating sp->len. This leads to
a crash when dereferencing an invalid state pointer.

This patch prevents the crash by explicitly removing the secpath
extension from the skb if the xfrm state is not found after hardware
decryption. This ensures downstream functions do not operate on a
zero-length secpath.

 BUG: unable to handle page fault for address: ffffffff000002c8
 #PF: supervisor read access in kernel mode
 #PF: error_code(0x0000) - not-present page
 PGD 282e067 P4D 282e067 PUD 0
 Oops: Oops: 0000 [#1] SMP
 CPU: 12 UID: 0 PID: 0 Comm: swapper/12 Not tainted 6.15.0-rc7_for_upstream_min_debug_2025_05_27_22_44 #1 NONE
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
 RIP: 0010:__xfrm_policy_check+0x61a/0xa30
 Code: b6 77 7f 83 e6 02 74 14 4d 8b af d8 00 00 00 41 0f b6 45 05 c1 e0 03 48 98 49 01 c5 41 8b 45 00 83 e8 01 48 98 49 8b 44 c5 10 <0f> b6 80 c8 02 00 00 83 e0 0c 3c 04 0f 84 0c 02 00 00 31 ff 80 fa
 RSP: 0018:ffff88885fb04918 EFLAGS: 00010297
 RAX: ffffffff00000000 RBX: 0000000000000002 RCX: 0000000000000000
 RDX: 0000000000000002 RSI: 0000000000000002 RDI: 0000000000000000
 RBP: ffffffff8311af80 R08: 0000000000000020 R09: 00000000c2eda353
 R10: ffff88812be2bbc8 R11: 000000001faab533 R12: ffff88885fb049c8
 R13: ffff88812be2bbc8 R14: 0000000000000000 R15: ffff88811896ae00
 FS:  0000000000000000(0000) GS:ffff8888dca82000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: ffffffff000002c8 CR3: 0000000243050002 CR4: 0000000000372eb0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 Call Trace:
  <IRQ>
  ? try_to_wake_up+0x108/0x4c0
  ? udp4_lib_lookup2+0xbe/0x150
  ? udp_lib_lport_inuse+0x100/0x100
  ? __udp4_lib_lookup+0x2b0/0x410
  __xfrm_policy_check2.constprop.0+0x11e/0x130
  udp_queue_rcv_one_skb+0x1d/0x530
  udp_unicast_rcv_skb+0x76/0x90
  __udp4_lib_rcv+0xa64/0xe90
  ip_protocol_deliver_rcu+0x20/0x130
  ip_local_deliver_finish+0x75/0xa0
  ip_local_deliver+0xc1/0xd0
  ? ip_protocol_deliver_rcu+0x130/0x130
  ip_sublist_rcv+0x1f9/0x240
  ? ip_rcv_finish_core+0x430/0x430
  ip_list_rcv+0xfc/0x130
  __netif_receive_skb_list_core+0x181/0x1e0
  netif_receive_skb_list_internal+0x200/0x360
  ? mlx5e_build_rx_skb+0x1bc/0xda0 [mlx5_core]
  gro_receive_skb+0xfd/0x210
  mlx5e_handle_rx_cqe_mpwrq+0x141/0x280 [mlx5_core]
  mlx5e_poll_rx_cq+0xcc/0x8e0 [mlx5_core]
  ? mlx5e_handle_rx_dim+0x91/0xd0 [mlx5_core]
  mlx5e_napi_poll+0x114/0xab0 [mlx5_core]
  __napi_poll+0x25/0x170
  net_rx_action+0x32d/0x3a0
  ? mlx5_eq_comp_int+0x8d/0x280 [mlx5_core]
  ? notifier_call_chain+0x33/0xa0
  handle_softirqs+0xda/0x250
  irq_exit_rcu+0x6d/0xc0
  common_interrupt+0x81/0xa0
  </IRQ>

Fixes: b2ac754 ("net/mlx5e: IPsec: Add Connect-X IPsec Rx data path offload")
	Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
	Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
	Reviewed-by: Yael Chemla <ychemla@nvidia.com>
	Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/1753256672-337784-3-git-send-email-tariqt@nvidia.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 6d19c44)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Shahar Shitrit <shshitrit@nvidia.com>
commit e80d655

mlx5e_reporter_rx_timeout() is currently invoked synchronously
in the driver's open error flow. This causes the thread holding
priv->state_lock to attempt acquiring the devlink lock, which
can result in a circular dependency with other devlink operations.

For example:

- Devlink health diagnose flow:
  - __devlink_nl_pre_doit() acquires the devlink lock.
  - devlink_nl_health_reporter_diagnose_doit() invokes the
    driver's diagnose callback.
  - mlx5e_rx_reporter_diagnose() then attempts to acquire
    priv->state_lock.

- Driver open flow:
  - mlx5e_open() acquires priv->state_lock.
  - If an error occurs, devlink_health_reporter may be called,
    attempting to acquire the devlink lock.

To prevent this circular locking scenario, defer the RX timeout
recovery by scheduling it via a workqueue. This ensures that the
recovery work acquires locks in a consistent order: first the
devlink lock, then priv->state_lock.

Additionally, make the recovery work acquire the netdev instance
lock to safely synchronize with the open/close channel flows,
similar to mlx5e_tx_timeout_work. Repeatedly attempt to acquire
the netdev instance lock until it is taken or the target RQ is no
longer active, as indicated by the MLX5E_STATE_CHANNELS_ACTIVE bit.

Fixes: 32c57fb ("net/mlx5e: Report and recover from rx timeout")
	Signed-off-by: Shahar Shitrit <shshitrit@nvidia.com>
	Reviewed-by: Cosmin Ratiu <cratiu@nvidia.com>
	Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
	Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/1753256672-337784-4-git-send-email-tariqt@nvidia.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit e80d655)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Alexandre Cassen <acassen@corp.free.fr>
commit 71670f7

Remote IPsec tunnel endpoint may refer to a network segment that is
not directly connected to the host. In such a case, IPsec tunnel
endpoints are connected to a router and reachable via a routing path.
In IPsec packet offload mode, HW is initialized with the MAC address
of both IPsec tunnel endpoints.

Extend the current IPsec init MACs procedure to resolve nexthop for
routed networks. Direct neighbour lookup and probe is still used
for directly connected networks and as a fallback mechanism if fib
lookup fails.

	Signed-off-by: Alexandre Cassen <acassen@corp.free.fr>
	Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
	Reviewed-by: Cosmin Ratiu <cratiu@nvidia.com>
	Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
	Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
Link: https://patch.msgid.link/1753194228-333722-2-git-send-email-tariqt@nvidia.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 71670f7)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Feng Liu <feliu@nvidia.com>
commit 5474ca2

Underneath "TIS Config" tag expose TIS diagnostic information.
Expose the tisn of each TC under each lag port.

$ sudo devlink health diagnose auxiliary/mlx5_core.eth.2/131072 reporter tx
......
  TIS Config:
      lag port: 0 tc: 0 tisn: 0
      lag port: 1 tc: 0 tisn: 8
......

	Signed-off-by: Feng Liu <feliu@nvidia.com>
	Reviewed-by: Aya Levin <ayal@nvidia.com>
	Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
	Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
Link: https://patch.msgid.link/1753194228-333722-3-git-send-email-tariqt@nvidia.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 5474ca2)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Christoph Paasch <cpaasch@openai.com>
commit 77bf1c5

When gso_segs is left at 0, a number of assumptions will end up being
incorrect throughout the stack.

For example, in the GRO-path, we set NAPI_GRO_CB()->count to gso_segs.
So, if a non-LRO'ed packet followed by an LRO'ed packet is being
processed in GRO, the first one will have NAPI_GRO_CB()->count set to 1 and
the next one to 0 (in dev_gro_receive()).
Since commit 531d0d3
("net/mlx5: Correctly set gso_size when LRO is used")
these packets will get merged (as their gso_size now matches).
So, we end up in gro_complete() with NAPI_GRO_CB()->count == 1 and thus
don't call inet_gro_complete(). Meaning, checksum-validation in
tcp_checksum_complete() will fail with a "hw csum failure".

Even before the above mentioned commit, incorrect gso_segs means that other
things like TCP's accounting of incoming packets (tp->segs_in,
data_segs_in, rcv_ooopack) will be incorrect. Which means that if one
does bytes_received/data_segs_in, the result will be bigger than the
MTU.

Fix this by initializing gso_segs correctly when LRO is used.

Fixes: e586b3b ("net/mlx5: Ethernet Datapath files")
	Reported-by: Gal Pressman <gal@nvidia.com>
Closes: https://lore.kernel.org/netdev/6583783f-f0fb-4fb1-a415-feec8155bc69@nvidia.com/
	Signed-off-by: Christoph Paasch <cpaasch@openai.com>
	Reviewed-by: Gal Pressman <gal@nvidia.com>
	Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20250729-mlx5_gso_segs-v1-1-b48c480c1c12@openai.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 77bf1c5)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Yevgeny Kliteynik <kliteyn@nvidia.com>
commit 2462c1b

'cqe_sz' valid value should be 0 for 64-byte CQE.

Fixes: 2ca6259 ("net/mlx5: HWS, added send engine and context handling")
	Signed-off-by: Yevgeny Kliteynik <kliteyn@nvidia.com>
	Reviewed-by: Vlad Dogaru <vdogaru@nvidia.com>
	Signed-off-by: Mark Bloch <mbloch@nvidia.com>
Link: https://patch.msgid.link/20250817202323.308604-2-mbloch@nvidia.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 2462c1b)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Yevgeny Kliteynik <kliteyn@nvidia.com>
commit 615b690

Moving rules from matcher to matcher should not fail.
However, if it does fail due to various reasons, the error flow
should allow the kernel to continue functioning (albeit with broken
steering rules) instead of going into series of soft lock-ups or
some other problematic behaviour.

This patch fixes the error flow for moving simple rules:
 - If new rule creation fails before it was even enqeued, do not
   poll for completion
 - If TIMEOUT happened while moving the rule, no point trying
   to poll for completions for other rules. Something is broken,
   completion won't come, just abort the rehash sequence.
 - If some other completion with error received, don't give up.
   Continue handling rest of the rules to minimize the damage.
 - Make sure that the first error code that was received will
   be actually returned to the caller instead of replacing it
   with the generic error code.

All the aforementioned issues stem from the same bad error flow,
so no point fixing them one by one and leaving partially broken
code - fixing them in one patch.

Fixes: ef94799 ("net/mlx5: HWS, rework rehash loop")
	Signed-off-by: Yevgeny Kliteynik <kliteyn@nvidia.com>
	Reviewed-by: Vlad Dogaru <vdogaru@nvidia.com>
	Signed-off-by: Mark Bloch <mbloch@nvidia.com>
Link: https://patch.msgid.link/20250817202323.308604-3-mbloch@nvidia.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 615b690)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Yevgeny Kliteynik <kliteyn@nvidia.com>
commit 4a842b1

Moving rules from matcher to matcher should not fail.
However, if it does fail due to various reasons, the error flow
should allow the kernel to continue functioning (albeit with broken
steering rules) instead of going into series of soft lock-ups or
some other problematic behaviour.

Similar to the simple rules, complex rules rehash logic suffers
from the same problems. This patch fixes the error flow for moving
complex rules:
 - If new rule creation fails before it was even enqeued, do not
   poll for completion
 - If TIMEOUT happened while moving the rule, no point trying
   to poll for completions for other rules. Something is broken,
   completion won't come, just abort the rehash sequence.
 - If some other completion with error received, don't give up.
   Continue handling rest of the rules to minimize the damage.
 - Make sure that the first error code that was received will
   be actually returned to the caller instead of replacing it
   with the generic error code.

All the aforementioned issues stem from the same bad error flow,
so no point fixing them one by one and leaving partially broken
code - fixing them in one patch.

Fixes: 17e0acc ("net/mlx5: HWS, support complex matchers")
	Signed-off-by: Yevgeny Kliteynik <kliteyn@nvidia.com>
	Reviewed-by: Vlad Dogaru <vdogaru@nvidia.com>
	Signed-off-by: Mark Bloch <mbloch@nvidia.com>
Link: https://patch.msgid.link/20250817202323.308604-4-mbloch@nvidia.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 4a842b1)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Yevgeny Kliteynik <kliteyn@nvidia.com>
commit 1a72298

While moving the rules during rehash, CQ is not drained. The flush
and drain happens only when all the rules of a certain queue have been
moved. This behaviour can lead to accumulating large quantity of rules
that haven't got their completion yet, and eventually will fill up
the queue and will cause the rehash to fail.

Fix this problem by requiring drain once the number of outstanding
completions reaches a certain threshold.

Fixes: ef94799 ("net/mlx5: HWS, rework rehash loop")
	Signed-off-by: Yevgeny Kliteynik <kliteyn@nvidia.com>
	Reviewed-by: Vlad Dogaru <vdogaru@nvidia.com>
	Signed-off-by: Mark Bloch <mbloch@nvidia.com>
Link: https://patch.msgid.link/20250817202323.308604-5-mbloch@nvidia.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 1a72298)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Yevgeny Kliteynik <kliteyn@nvidia.com>
commit 7c60952

If rule creation failed due to a full queue, due to timeout
in polling for completion, or due to matcher being in resize,
don't try to initiate rehash sequence - rehash would have
failed anyway.

Fixes: 2111bb9 ("net/mlx5: HWS, added backward-compatible API handling")
	Signed-off-by: Yevgeny Kliteynik <kliteyn@nvidia.com>
	Reviewed-by: Vlad Dogaru <vdogaru@nvidia.com>
	Signed-off-by: Mark Bloch <mbloch@nvidia.com>
Link: https://patch.msgid.link/20250817202323.308604-6-mbloch@nvidia.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 7c60952)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Alex Vesker <valex@nvidia.com>
commit 8a51507

During table creation, caller passes a UID using ft_attr. The UID
value was ignored, which leads to problems when the caller sets the
UID to a non-zero value, such as SHARED_RESOURCE_UID (0xffff) - the
internal FT objects will be created with UID=0.

Fixes: 0869701 ("net/mlx5: HWS, added FW commands handling")
	Signed-off-by: Alex Vesker <valex@nvidia.com>
	Reviewed-by: Yevgeny Kliteynik <kliteyn@nvidia.com>
	Signed-off-by: Mark Bloch <mbloch@nvidia.com>
Link: https://patch.msgid.link/20250817202323.308604-7-mbloch@nvidia.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 8a51507)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Vlad Dogaru <vdogaru@nvidia.com>
commit d2d6f95

Specifying the counter action is not enough, as it is used by multiple
counters that were allocated in a bulk. By omitting the offset, rules
will be associated with a different counter from the same bulk.
Subsequently, the CT subsystem checks the correct counter, assumes that
no traffic has triggered the rule, and ages out the rule. The end result
is intermittent offloading of long lived connections, as rules are aged
out then promptly re-added.

Fix this by specifying the correct offset along with the counter rule.

Fixes: 34eea5b ("net/mlx5e: CT: Add initial support for Hardware Steering")
	Signed-off-by: Vlad Dogaru <vdogaru@nvidia.com>
	Reviewed-by: Yevgeny Kliteynik <kliteyn@nvidia.com>
	Signed-off-by: Mark Bloch <mbloch@nvidia.com>
Link: https://patch.msgid.link/20250817202323.308604-8-mbloch@nvidia.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit d2d6f95)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Daniel Jurgens <danielj@nvidia.com>
commit bc17455

Adjust the vport number by the base ECVF vport number so the port
attributes start at 0. Previously the port attributes would start 1
after the maximum number of host VFs.

Fixes: dc13180 ("net/mlx5: Enable devlink port for embedded cpu VF vports")
	Signed-off-by: Daniel Jurgens <danielj@nvidia.com>
	Reviewed-by: Parav Pandit <parav@nvidia.com>
	Reviewed-by: Saeed Mahameed <saeedm@nvidia.com>
	Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
	Signed-off-by: Mark Bloch <mbloch@nvidia.com>
Link: https://patch.msgid.link/20250820133209.389065-2-mbloch@nvidia.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit bc17455)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
… TSAR

jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Carolina Jubran <cjubran@nvidia.com>
commit 330f0f6

Currently, the driver creates a default group (`node0`) and attaches
all vports to it unless the user explicitly sets a parent group. As a
result, when a user configures tx_share on a group and tx_share on
a VF, the expectation is for the group and the VF to share bandwidth
relatively. However, since the VF is not connected to the same parent
(but to the default node), the proportional share logic is not applied
correctly.

To fix this, remove the default group (`node0`) and instead connect
vports directly to the root TSAR when no parent is specified. This
ensures that vports and groups share the same root scheduler and their
tx_share values are compared directly under the same hierarchy.

Fixes: 0fe132e ("net/mlx5: E-switch, Allow to add vports to rate groups")
	Signed-off-by: Carolina Jubran <cjubran@nvidia.com>
	Reviewed-by: Cosmin Ratiu <cratiu@nvidia.com>
	Signed-off-by: Mark Bloch <mbloch@nvidia.com>
Link: https://patch.msgid.link/20250820133209.389065-3-mbloch@nvidia.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 330f0f6)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Carolina Jubran <cjubran@nvidia.com>
commit e8f9735

When changing parent of a node/leaf with tc-bw configured, the code
saves and restores tc-bw values. However, it was reading the converted
hardware bw_share values (where 0 becomes 1) instead of the original
user values, causing incorrect tc-bw calculations after parent change.

Store original tc-bw values in the node structure and use them directly
for save/restore operations.

Fixes: cf7e737 ("net/mlx5: Manage TC arbiter nodes and implement full support for tc-bw")
	Signed-off-by: Carolina Jubran <cjubran@nvidia.com>
	Reviewed-by: Cosmin Ratiu <cratiu@nvidia.com>
	Signed-off-by: Mark Bloch <mbloch@nvidia.com>
Link: https://patch.msgid.link/20250820133209.389065-4-mbloch@nvidia.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit e8f9735)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Carolina Jubran <cjubran@nvidia.com>
commit b697ef4

If a VF has been configured and the user later clears all QoS settings,
the vport element remains in the firmware QoS tree. This leads to
inconsistent behavior compared to VFs that were never configured, since
the FW assumes that unconfigured VFs are outside the QoS hierarchy.
As a result, the bandwidth share across VFs may differ, even though
none of them appear to have any configuration.

Align the driver behavior with the FW expectation by destroying the
vport QoS element when all configurations are removed.

Fixes: c9497c9 ("net/mlx5: Add support for setting VF min rate")
Fixes: cf7e737 ("net/mlx5: Manage TC arbiter nodes and implement full support for tc-bw")
	Signed-off-by: Carolina Jubran <cjubran@nvidia.com>
	Reviewed-by: Cosmin Ratiu <cratiu@nvidia.com>
	Signed-off-by: Mark Bloch <mbloch@nvidia.com>
	Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Link: https://patch.msgid.link/20250820133209.389065-5-mbloch@nvidia.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit b697ef4)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Carolina Jubran <cjubran@nvidia.com>
commit 3c114fb

Add missing esw_qos_put() call when __esw_qos_alloc_node() fails in
mlx5_esw_qos_vport_enable().

Fixes: be034ba ("net/mlx5: Make vport QoS enablement more flexible for future extensions")
	Signed-off-by: Carolina Jubran <cjubran@nvidia.com>
	Reviewed-by: Cosmin Ratiu <cratiu@nvidia.com>
	Signed-off-by: Mark Bloch <mbloch@nvidia.com>
Link: https://patch.msgid.link/20250820133209.389065-6-mbloch@nvidia.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 3c114fb)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
…lure

jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Carolina Jubran <cjubran@nvidia.com>
commit 51b17c9

Restore the __esw_qos_free_node() call removed by the offending commit.

Fixes: 97733d1 ("net/mlx5: Add traffic class scheduling support for vport QoS")
	Signed-off-by: Carolina Jubran <cjubran@nvidia.com>
	Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
	Reviewed-by: Cosmin Ratiu <cratiu@nvidia.com>
	Signed-off-by: Mark Bloch <mbloch@nvidia.com>
Link: https://patch.msgid.link/20250820133209.389065-7-mbloch@nvidia.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 51b17c9)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Alexei Lazar <alazar@nvidia.com>
commit 451d284

The SW currently saves local buffer ownership when setting
the buffer.
This means that the SW assumes it has ownership of the buffer
after the command is set.

If setting the buffer fails and we remain in FW ownership,
the local buffer ownership state incorrectly remains as SW-owned.
This leads to incorrect behavior in subsequent PFC commands,
causing failures.

Instead of saving local buffer ownership in SW,
query the FW for buffer ownership when setting the buffer.
This ensures that the buffer ownership state is accurately
reflected, avoiding the issues caused by incorrect ownership
states.

Fixes: ecdf2da ("net/mlx5e: Receive buffer support for DCBX")
	Signed-off-by: Alexei Lazar <alazar@nvidia.com>
	Reviewed-by: Shahar Shitrit <shshitrit@nvidia.com>
	Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
	Signed-off-by: Mark Bloch <mbloch@nvidia.com>
Link: https://patch.msgid.link/20250820133209.389065-8-mbloch@nvidia.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 451d284)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Armen Ratner <armeng@nvidia.com>
commit 8b0587a

When port buffer headroom changes, port_update_shared_buffer()
recalculates the shared buffer size and splits it in a 3:1 ratio
(lossy:lossless) - Currently, the calculation is:
lossless = shared / 4;
lossy = (shared / 4) * 3;

Meaning, the calculation dropped the remainder of shared % 4 due to
integer division, unintentionally reducing the total shared buffer
by up to three cells on each update. Over time, this could shrink
the buffer below usable size.

Fix it by changing the calculation to:
lossless = shared / 4;
lossy = shared - lossless;

This retains all buffer cells while still approximating the
intended 3:1 split, preventing capacity loss over time.

While at it, perform headroom calculations in units of cells rather than
in bytes for more accurate calculations avoiding extra divisions.

Fixes: a440030 ("net/mlx5e: Update shared buffer along with device buffer changes")
	Signed-off-by: Armen Ratner <armeng@nvidia.com>
	Signed-off-by: Maher Sanalla <msanalla@nvidia.com>
	Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
	Signed-off-by: Alexei Lazar <alazar@nvidia.com>
	Signed-off-by: Mark Bloch <mbloch@nvidia.com>
	Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Link: https://patch.msgid.link/20250820133209.389065-9-mbloch@nvidia.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 8b0587a)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Lama Kayal <lkayal@nvidia.com>
commit 2c0a959

In the error path of hws_pool_buddy_init(), the buddy allocator cleanup
doesn't free the allocator structure itself, causing a memory leak.

Add the missing kfree() to properly release all allocated memory.

Fixes: c61afff ("net/mlx5: HWS, added memory management handling")
	Signed-off-by: Lama Kayal <lkayal@nvidia.com>
	Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
	Signed-off-by: Mark Bloch <mbloch@nvidia.com>
Link: https://patch.msgid.link/20250825143435.598584-2-mbloch@nvidia.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 2c0a959)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
… flow

jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Lama Kayal <lkayal@nvidia.com>
commit a630f83

When an invalid stc_type is provided, the function allocates memory for
shared_stc but jumps to unlock_and_out without freeing it, causing a
memory leak.

Fix by jumping to free_shared_stc label instead to ensure proper cleanup.

Fixes: 504e536 ("net/mlx5: HWS, added actions handling")
	Signed-off-by: Lama Kayal <lkayal@nvidia.com>
	Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
	Signed-off-by: Mark Bloch <mbloch@nvidia.com>
Link: https://patch.msgid.link/20250825143435.598584-3-mbloch@nvidia.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit a630f83)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
…ror flow

jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Lama Kayal <lkayal@nvidia.com>
commit 24b6e53

In mlx5hws_pat_calc_nop(), src_field and dst_field are passed to
hws_action_modify_get_target_fields() which should set their values.
However, if an invalid action type is encountered, these variables
remain uninitialized and are later used to update prev_src_field
and prev_dst_field.

Initialize both variables to INVALID_FIELD to ensure they have
defined values in all code paths.

Fixes: 01e035f ("net/mlx5: HWS, handle modify header actions dependency")
	Signed-off-by: Lama Kayal <lkayal@nvidia.com>
	Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
	Signed-off-by: Mark Bloch <mbloch@nvidia.com>
Link: https://patch.msgid.link/20250825143435.598584-4-mbloch@nvidia.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 24b6e53)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
…or path

jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Lama Kayal <lkayal@nvidia.com>
commit 00a50e4

In mlx5hws_pat_get_pattern(), when mlx5hws_pat_add_pattern_to_cache()
fails, the function attempts to clean up the pattern created by
mlx5hws_cmd_header_modify_pattern_create(). However, it incorrectly
uses *pattern_id which hasn't been set yet, instead of the local
ptrn_id variable that contains the actual pattern ID.

This results in attempting to destroy a pattern using uninitialized
data from the output parameter, rather than the valid pattern ID
returned by the firmware.

Use ptrn_id instead of *pattern_id in the cleanup path to properly
destroy the created pattern.

Fixes: aefc15a ("net/mlx5: HWS, added modify header pattern and args handling")
	Signed-off-by: Lama Kayal <lkayal@nvidia.com>
	Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
	Signed-off-by: Mark Bloch <mbloch@nvidia.com>
Link: https://patch.msgid.link/20250825143435.598584-5-mbloch@nvidia.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 00a50e4)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Moshe Shemesh <moshe@nvidia.com>
commit 34cc6a5

The devlink reload fw_activate command performs firmware activation
followed by driver reload, while devlink reload driver_reinit triggers
only driver reload. However, the driver reload logic differs between the
two modes, as on driver_reinit mode mlx5 also reloads auxiliary drivers,
while in fw_activate mode the auxiliary drivers are suspended where
applicable.

Additionally, following the cited commit, if the device has multiple PFs,
the behavior during fw_activate may vary between PFs: one PF may suspend
auxiliary drivers, while another reloads them.

Align devlink dev reload fw_activate behavior with devlink dev reload
driver_reinit, to reload all auxiliary drivers.

Fixes: 72ed5d5 ("net/mlx5: Suspend auxiliary devices only in case of PCI device suspend")
	Signed-off-by: Moshe Shemesh <moshe@nvidia.com>
	Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
	Reviewed-by: Akiva Goldberger <agoldberger@nvidia.com>
	Signed-off-by: Mark Bloch <mbloch@nvidia.com>
Link: https://patch.msgid.link/20250825143435.598584-6-mbloch@nvidia.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 34cc6a5)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Moshe Shemesh <moshe@nvidia.com>
commit 902a8bc

Fix lockdep assertion triggered during sync reset unload event. When the
sync reset flow is initiated using the devlink reload fw_activate
option, the PF already holds the devlink lock while handling unload
event. In this case, delegate sync reset unload event handling back to
the devlink callback process to avoid double-locking and resolve the
lockdep warning.

Kernel log:
WARNING: CPU: 9 PID: 1578 at devl_assert_locked+0x31/0x40
[...]
Call Trace:
<TASK>
 mlx5_unload_one_devl_locked+0x2c/0xc0 [mlx5_core]
 mlx5_sync_reset_unload_event+0xaf/0x2f0 [mlx5_core]
 process_one_work+0x222/0x640
 worker_thread+0x199/0x350
 kthread+0x10b/0x230
 ? __pfx_worker_thread+0x10/0x10
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x8e/0x100
 ? __pfx_kthread+0x10/0x10
 ret_from_fork_asm+0x1a/0x30
</TASK>

Fixes: 7a9770f ("net/mlx5: Handle sync reset unload event")
	Signed-off-by: Moshe Shemesh <moshe@nvidia.com>
	Signed-off-by: Mark Bloch <mbloch@nvidia.com>
Link: https://patch.msgid.link/20250825143435.598584-7-mbloch@nvidia.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 902a8bc)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Moshe Shemesh <moshe@nvidia.com>
commit 26e42ec

If PF (Physical Function) has SFs (Sub-Functions), since the SFs are not
taking part in the synchronization flow, sync reset can lead to fatal
error on the SFs, as the function will be closed unexpectedly from the
SF point of view.

Add a check to prevent sync reset when there are SFs on a PF device
which is not ECPF, as ECPF is teardowned gracefully before reset.

Fixes: 92501fa ("net/mlx5: Ack on sync_reset_request only if PF can do reset_now")
	Signed-off-by: Moshe Shemesh <moshe@nvidia.com>
	Reviewed-by: Parav Pandit <parav@nvidia.com>
	Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
	Signed-off-by: Mark Bloch <mbloch@nvidia.com>
Link: https://patch.msgid.link/20250825143435.598584-8-mbloch@nvidia.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 26e42ec)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Moshe Shemesh <moshe@nvidia.com>
commit cf9a862

Changing flow steering modes is not allowed when eswitch is in switchdev
mode. This fix ensures that any steering mode change, including to
firmware steering, is correctly blocked while eswitch mode is switchdev.

Fixes: e890acd ("net/mlx5: Add devlink flow_steering_mode parameter")
	Signed-off-by: Moshe Shemesh <moshe@nvidia.com>
	Signed-off-by: Mark Bloch <mbloch@nvidia.com>
Link: https://patch.msgid.link/20250825143435.598584-9-mbloch@nvidia.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit cf9a862)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Alexei Lazar <alazar@nvidia.com>
commit aca0c31

The local Xoff value is being set before the firmware (FW) update.
In case of a failure where the FW is not updated with the new value,
there is no fallback to the previous value.
Update the local Xoff value after the FW has been successfully set.

Fixes: 0696d60 ("net/mlx5e: Receive buffer configuration")
	Signed-off-by: Alexei Lazar <alazar@nvidia.com>
	Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
	Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
	Signed-off-by: Mark Bloch <mbloch@nvidia.com>
Link: https://patch.msgid.link/20250825143435.598584-12-mbloch@nvidia.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit aca0c31)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Jianbo Liu <jianbol@nvidia.com>
commit 6b4be64

The function mlx5_uplink_netdev_get() gets the uplink netdevice
pointer from mdev->mlx5e_res.uplink_netdev. However, the netdevice can
be removed and its pointer cleared when unbound from the mlx5_core.eth
driver. This results in a NULL pointer, causing a kernel panic.

 BUG: unable to handle page fault for address: 0000000000001300
 at RIP: 0010:mlx5e_vport_rep_load+0x22a/0x270 [mlx5_core]
 Call Trace:
  <TASK>
  mlx5_esw_offloads_rep_load+0x68/0xe0 [mlx5_core]
  esw_offloads_enable+0x593/0x910 [mlx5_core]
  mlx5_eswitch_enable_locked+0x341/0x420 [mlx5_core]
  mlx5_devlink_eswitch_mode_set+0x17e/0x3a0 [mlx5_core]
  devlink_nl_eswitch_set_doit+0x60/0xd0
  genl_family_rcv_msg_doit+0xe0/0x130
  genl_rcv_msg+0x183/0x290
  netlink_rcv_skb+0x4b/0xf0
  genl_rcv+0x24/0x40
  netlink_unicast+0x255/0x380
  netlink_sendmsg+0x1f3/0x420
  __sock_sendmsg+0x38/0x60
  __sys_sendto+0x119/0x180
  do_syscall_64+0x53/0x1d0
  entry_SYSCALL_64_after_hwframe+0x4b/0x53

Ensure the pointer is valid before use by checking it for NULL. If it
is valid, immediately call netdev_hold() to take a reference, and
preventing the netdevice from being freed while it is in use.

Fixes: 7a9fb35 ("net/mlx5e: Do not reload ethernet ports when changing eswitch mode")
	Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
	Reviewed-by: Cosmin Ratiu <cratiu@nvidia.com>
	Reviewed-by: Jiri Pirko <jiri@nvidia.com>
	Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
	Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/1757939074-617281-2-git-send-email-tariqt@nvidia.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 6b4be64)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
PlaidCat added 26 commits July 1, 2026 00:03
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Xin Long <lucien.xin@gmail.com>
commit 8a92cb4

After an association reaches ESTABLISHED, the peer’s init_tag is already
known from the handshake. Any subsequent INIT with the same init_tag is
not a valid restart, but a delayed or duplicate INIT.

Drop such INIT chunks in sctp_sf_do_unexpected_init() instead of
processing them as new association attempts.

Fixes: 1da177e ("Linux-2.6.12-rc2")
	Signed-off-by: Xin Long <lucien.xin@gmail.com>
	Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Link: https://patch.msgid.link/5788c76c1ee122a3ed00189e88dcf9df1fba226c.1777214801.git.lucien.xin@gmail.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 8a92cb4)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
cve CVE-2026-46189
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Jason Gunthorpe <jgg@ziepe.ca>
commit e38e869

Sashiko points out that pvrdma_uar_free() is already called within
pvrdma_dealloc_ucontext(), so calling it before triggers a double free.

	Cc: stable@vger.kernel.org
Fixes: 29c8d9e ("IB: Add vmw_pvrdma driver")
Link: https://sashiko.dev/#/patchset/0-v1-e911b76a94d1%2B65d95-rdma_udata_rep_jgg%40nvidia.com?part=4
Link: https://patch.msgid.link/r/10-v1-41f3135e5565+9d2-rdma_ai_fixes1_jgg@nvidia.com
	Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
(cherry picked from commit e38e869)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Tim Chen <tim.c.chen@linux.intel.com>
commit 3324b21

The NUMA sched domain sets the SD_SERIALIZE flag by default, allowing
only one NUMA load balancing operation to run system-wide at a time.

Currently, each sched group leader directly under NUMA domain attempts
to acquire the global sched_balance_running flag via cmpxchg() before
checking whether load balancing is due or whether it is the designated
load balancer for that NUMA domain. On systems with a large number
of cores, this causes significant cache contention on the shared
sched_balance_running flag.

This patch reduces unnecessary cmpxchg() operations by first checking
that the balancer is the designated leader for a NUMA domain from
should_we_balance(), and the balance interval has expired before
trying to acquire sched_balance_running to load balance a NUMA
domain.

On a 2-socket Granite Rapids system with sub-NUMA clustering enabled,
running an OLTP workload, 7.8% of total CPU cycles were previously spent
in sched_balance_domain() contending on sched_balance_running before
this change.

         : 104              static __always_inline int arch_atomic_cmpxchg(atomic_t *v, int old, int new)
         : 105              {
         : 106              return arch_cmpxchg(&v->counter, old, new);
    0.00 :   ffffffff81326e6c:       xor    %eax,%eax
    0.00 :   ffffffff81326e6e:       mov    $0x1,%ecx
    0.00 :   ffffffff81326e73:       lock cmpxchg %ecx,0x2394195(%rip)        # ffffffff836bb010 <sched_balance_running>
         : 110              sched_balance_domains():
         : 12234            if (atomic_cmpxchg_acquire(&sched_balance_running, 0, 1))
   99.39 :   ffffffff81326e7b:       test   %eax,%eax
    0.00 :   ffffffff81326e7d:       jne    ffffffff81326e99 <sched_balance_domains+0x209>
         : 12238            if (time_after_eq(jiffies, sd->last_balance + interval)) {
    0.00 :   ffffffff81326e7f:       mov    0x14e2b3a(%rip),%rax        # ffffffff828099c0 <jiffies_64>
    0.00 :   ffffffff81326e86:       sub    0x48(%r14),%rax
    0.00 :   ffffffff81326e8a:       cmp    %rdx,%rax

After applying this fix, sched_balance_domain() is gone from the profile
and there is a 5% throughput improvement.

[peterz: made it so that redo retains the 'lock' and split out the
         CPU_NEWLY_IDLE change to a separate patch]
	Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
	Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
	Reviewed-by: Chen Yu <yu.c.chen@intel.com>
	Reviewed-by: Vincent Guittot <vincent.guittot@linaro.org>
	Reviewed-by: Shrikanth Hegde <sshegde@linux.ibm.com>
	Reviewed-by: K Prateek Nayak <kprateek.nayak@amd.com>
	Reviewed-by: Srikar Dronamraju <srikar@linux.ibm.com>
	Tested-by: Mohini Narkhede <mohini.narkhede@intel.com>
	Tested-by: Shrikanth Hegde <sshegde@linux.ibm.com>
Link: https://patch.msgid.link/6fed119b723c71552943bfe5798c93851b30a361.1762800251.git.tim.c.chen@linux.intel.com
(cherry picked from commit 3324b21)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Peter Zijlstra <peterz@infradead.org>
commit 522fb20

Also serialize the possiblty much more frequent newidle balancing for
the 'expensive' domains that have SD_BALANCE set.

Initial benchmarking by K Prateek and Tim showed no negative effect.

Split out from the larger patch moving sched_balance_running around
for ease of bisect and such.

	Suggested-by: Shrikanth Hegde <sshegde@linux.ibm.com>
Seconded-by: K Prateek Nayak <kprateek.nayak@amd.com>
	Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lkml.kernel.org/r/df068896-82f9-458d-8fff-5a2f654e8ffd@amd.com
Link: https://patch.msgid.link/6fed119b723c71552943bfe5798c93851b30a361.1762800251.git.tim.c.chen@linux.intel.com

# Conflicts:
#	kernel/sched/fair.c
(cherry picked from commit 522fb20)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Christophe Leroy <christophe.leroy@csgroup.eu>
commit 7929939

A ppc64_defconfig build exhibits about 10 copied of
prevent_user_access(). It also have one copy of set_kuap().

	c000000000017340 <.prevent_user_access.constprop.0>:
	c00000000001a038:	4b ff d3 09 	bl      c000000000017340 <.prevent_user_access.constprop.0>
	c00000000001aabc:	4b ff c8 85 	bl      c000000000017340 <.prevent_user_access.constprop.0>
	c00000000001ab38:	4b ff c8 09 	bl      c000000000017340 <.prevent_user_access.constprop.0>
	c00000000001ade0:	4b ff c5 61 	bl      c000000000017340 <.prevent_user_access.constprop.0>
	c000000000039b90 <.prevent_user_access.constprop.0>:
	c00000000003ac08:	4b ff ef 89 	bl      c000000000039b90 <.prevent_user_access.constprop.0>
	c00000000003b9d0:	4b ff e1 c1 	bl      c000000000039b90 <.prevent_user_access.constprop.0>
	c00000000003ba54:	4b ff e1 3d 	bl      c000000000039b90 <.prevent_user_access.constprop.0>
	c00000000003bbfc:	4b ff df 95 	bl      c000000000039b90 <.prevent_user_access.constprop.0>
	c00000000015dde0 <.prevent_user_access.constprop.0>:
	c0000000001612c0:	4b ff cb 21 	bl      c00000000015dde0 <.prevent_user_access.constprop.0>
	c000000000161b54:	4b ff c2 8d 	bl      c00000000015dde0 <.prevent_user_access.constprop.0>
	c000000000188cf0 <.prevent_user_access.constprop.0>:
	c00000000018d658:	4b ff b6 99 	bl      c000000000188cf0 <.prevent_user_access.constprop.0>
	c00000000030fe20 <.prevent_user_access.constprop.0>:
	c0000000003123d4:	4b ff da 4d 	bl      c00000000030fe20 <.prevent_user_access.constprop.0>
	c000000000313970:	4b ff c4 b1 	bl      c00000000030fe20 <.prevent_user_access.constprop.0>
	c0000000005e6bd0 <.prevent_user_access.constprop.0>:
	c0000000005e7d8c:	4b ff ee 45 	bl      c0000000005e6bd0 <.prevent_user_access.constprop.0>
	c0000000007bcae0 <.prevent_user_access.constprop.0>:
	c0000000007bda10:	4b ff f0 d1 	bl      c0000000007bcae0 <.prevent_user_access.constprop.0>
	c0000000007bda54:	4b ff f0 8d 	bl      c0000000007bcae0 <.prevent_user_access.constprop.0>
	c0000000007bdd28:	4b ff ed b9 	bl      c0000000007bcae0 <.prevent_user_access.constprop.0>
	c0000000007c0390:	4b ff c7 51 	bl      c0000000007bcae0 <.prevent_user_access.constprop.0>
	c00000000094e4f0 <.prevent_user_access.constprop.0>:
	c000000000950e40:	4b ff d6 b1 	bl      c00000000094e4f0 <.prevent_user_access.constprop.0>
	c00000000097d2d0 <.prevent_user_access.constprop.0>:
	c0000000009813fc:	4b ff be d5 	bl      c00000000097d2d0 <.prevent_user_access.constprop.0>
	c000000000acd540 <.prevent_user_access.constprop.0>:
	c000000000ad1d60:	4b ff b7 e1 	bl      c000000000acd540 <.prevent_user_access.constprop.0>
	c000000000e5d680 <.prevent_user_access.constprop.0>:
	c000000000e64b60:	4b ff 8b 21 	bl      c000000000e5d680 <.prevent_user_access.constprop.0>
	c000000000e64b6c:	4b ff 8b 15 	bl      c000000000e5d680 <.prevent_user_access.constprop.0>
	c000000000e64c38:	4b ff 8a 49 	bl      c000000000e5d680 <.prevent_user_access.constprop.0>

When building signal_64.c with -Winline the following messages appear:

	./arch/powerpc/include/asm/book3s/64/kup.h:331:20: error: inlining failed in call to 'set_kuap': call is unlikely and code size would grow [-Werror=inline]
	./arch/powerpc/include/asm/book3s/64/kup.h:401:20: error: inlining failed in call to 'prevent_user_access.constprop': call is unlikely and code size would grow [-Werror=inline]

Those functions are used on hot pathes and have been
expected to be inlined at all time.

Force them inline.

This patch reduces the kernel text size by 700 bytes, confirming
that not inlining those functions is not worth it.

	Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
	Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/eff9b2b211957fa2e8707e46f31674097fd563a3.1644588972.git.christophe.leroy@csgroup.eu

(cherry picked from commit 7929939)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Uros Bizjak <ubizjak@gmail.com>
commit 43c249e
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-5.14.0-687.20.1.el9_8/43c249ea.failed

The workaround for 'asm goto' miscompilation introduces a compiler barrier
quirk that inhibits many useful compiler optimizations.  For example,
__try_cmpxchg_user compiles to:

   11375:	41 8b 4d 00          	mov    0x0(%r13),%ecx
   11379:	41 8b 02             	mov    (%r10),%eax
   1137c:	f0 0f b1 0a          	lock cmpxchg %ecx,(%rdx)
   11380:	0f 94 c2             	sete   %dl
   11383:	84 d2                	test   %dl,%dl
   11385:	75 c4                	jne    1134b <...>
   11387:	41 89 02             	mov    %eax,(%r10)

where the barrier inhibits flags propagation from asm when compiled with
gcc-12.

When the mentioned quirk is removed, the following code is generated:

   11553:	41 8b 4d 00          	mov    0x0(%r13),%ecx
   11557:	41 8b 02             	mov    (%r10),%eax
   1155a:	f0 0f b1 0a          	lock cmpxchg %ecx,(%rdx)
   1155e:	74 c9                	je     11529 <...>
   11560:	41 89 02             	mov    %eax,(%r10)

The refered compiler bug:

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58670

was fixed for gcc-4.8.2.

Current minimum required version of GCC is version 5.1 which has the above
'asm goto' miscompilation fixed, so remove the workaround.

Link: https://lkml.kernel.org/r/20220624141412.72274-1-ubizjak@gmail.com
	Signed-off-by: Uros Bizjak <ubizjak@gmail.com>
	Cc: Ingo Molnar <mingo@kernel.org>
	Cc: "H. Peter Anvin" <hpa@zytor.com>
	Cc: Thomas Gleixner <tglx@linutronix.de>
	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
(cherry picked from commit 43c249e)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

# Conflicts:
#	include/linux/compiler-gcc.h
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Linus Torvalds <torvalds@linux-foundation.org>
commit 4356e9f
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-5.14.0-687.20.1.el9_8/4356e9f8.failed

We've had issues with gcc and 'asm goto' before, and we created a
'asm_volatile_goto()' macro for that in the past: see commits
3f0116c ("compiler/gcc4: Add quirk for 'asm goto' miscompilation
bug") and a9f1803 ("compiler/gcc4: Make quirk for
asm_volatile_goto() unconditional").

Then, much later, we ended up removing the workaround in commit
43c249e ("compiler-gcc.h: remove ancient workaround for gcc PR
58670") because we no longer supported building the kernel with the
affected gcc versions, but we left the macro uses around.

Now, Sean Christopherson reports a new version of a very similar
problem, which is fixed by re-applying that ancient workaround.  But the
problem in question is limited to only the 'asm goto with outputs'
cases, so instead of re-introducing the old workaround as-is, let's
rename and limit the workaround to just that much less common case.

It looks like there are at least two separate issues that all hit in
this area:

 (a) some versions of gcc don't mark the asm goto as 'volatile' when it
     has outputs:

        https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98619
        https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110420

     which is easy to work around by just adding the 'volatile' by hand.

 (b) Internal compiler errors:

        https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110422

     which are worked around by adding the extra empty 'asm' as a
     barrier, as in the original workaround.

but the problem Sean sees may be a third thing since it involves bad
code generation (not an ICE) even with the manually added 'volatile'.

but the same old workaround works for this case, even if this feels a
bit like voodoo programming and may only be hiding the issue.

Reported-and-tested-by: Sean Christopherson <seanjc@google.com>
Link: https://lore.kernel.org/all/20240208220604.140859-1-seanjc@google.com/
	Cc: Nick Desaulniers <ndesaulniers@google.com>
	Cc: Uros Bizjak <ubizjak@gmail.com>
	Cc: Jakub Jelinek <jakub@redhat.com>
	Cc: Andrew Pinski <quic_apinski@quicinc.com>
	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 4356e9f)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

# Conflicts:
#	arch/csky/include/asm/jump_label.h
#	arch/loongarch/include/asm/jump_label.h
#	arch/powerpc/include/asm/uaccess.h
#	arch/powerpc/kernel/irq_64.c
#	arch/riscv/include/asm/arch_hweight.h
#	arch/riscv/include/asm/bitops.h
#	arch/riscv/include/asm/checksum.h
#	arch/riscv/include/asm/cpufeature.h
#	arch/riscv/include/asm/jump_label.h
#	arch/riscv/lib/csum.c
#	arch/x86/include/asm/cpufeature.h
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Alexandre Belloni <alexandre.belloni@bootlin.com>
commit 534bd70

When using dash as /bin/sh, the CC_HAS_ASM_GOTO_TIED_OUTPUT test fails
with a syntax error which is not the one we are looking for:

<stdin>: In function ‘foo’:
<stdin>:1:29: warning: missing terminating " character
<stdin>:1:29: error: missing terminating " character
<stdin>:2:5: error: expected ‘:’ before ‘+’ token
<stdin>:2:7: warning: missing terminating " character
<stdin>:2:7: error: missing terminating " character
<stdin>:2:5: error: expected declaration or statement at end of input

Removing '\n' solves this.

Fixes: 1aa0e8b ("Kconfig: Add option for asm goto w/ tied outputs to workaround clang-13 bug")
	Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
	Reviewed-by: Sean Christopherson <seanjc@google.com>
	Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
(cherry picked from commit 534bd70)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Linus Torvalds <torvalds@linux-foundation.org>
commit 68fb3ca
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-5.14.0-687.20.1.el9_8/68fb3ca0.failed

In commit 4356e9f ("work around gcc bugs with 'asm goto' with
outputs") I did the gcc workaround unconditionally, because the cause of
the bad code generation wasn't entirely clear.

In the meantime, Jakub Jelinek debugged the issue, and has come up with
a fix in gcc [2], which also got backported to the still maintained
branches of gcc-11, gcc-12 and gcc-13.

Note that while the fix technically wasn't in the original gcc-14
branch, Jakub says:

 "while it is true that no GCC 14 snapshots until today (or whenever the
  fix will be committed) have the fix, for GCC trunk it is up to the
  distros to use the latest snapshot if they use it at all and would
  allow better testing of the kernel code without the workaround, so
  that if there are other issues they won't be discovered years later.
  Most userland code doesn't actually use asm goto with outputs..."

so we will consider gcc-14 to be fixed - if somebody is using gcc
snapshots of the gcc-14 before the fix, they should upgrade.

Note that while the bug goes back to gcc-11, in practice other gcc
changes seem to have effectively hidden it since gcc-12.1 as per a
bisect by Jakub.  So even a gcc-14 snapshot without the fix likely
doesn't show actual problems.

Also, make the default 'asm_goto_output()' macro mark the asm as
volatile by hand, because of an unrelated gcc issue [1] where it doesn't
match the documented behavior ("asm goto is always volatile").

Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103979 [1]
Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113921 [2]
Link: https://lore.kernel.org/all/20240208220604.140859-1-seanjc@google.com/
Requested-by: Jakub Jelinek <jakub@redhat.com>
	Cc: Uros Bizjak <ubizjak@gmail.com>
	Cc: Nick Desaulniers <ndesaulniers@google.com>
	Cc: Sean Christopherson <seanjc@google.com>
	Cc: Andrew Pinski <quic_apinski@quicinc.com>
	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 68fb3ca)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

# Conflicts:
#	include/linux/compiler-gcc.h
#	include/linux/compiler_types.h
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Mark Rutland <mark.rutland@arm.com>
commit f2f6a8e
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-5.14.0-687.20.1.el9_8/f2f6a8e8.failed

Several versions of GCC mis-compile asm goto with outputs. We try to
workaround this, but our workaround is demonstrably incomplete and
liable to result in subtle bugs, especially on arm64 where get_user()
has recently been moved over to using asm goto with outputs.

From discussion(s) with Linus at:

  https://lore.kernel.org/linux-arm-kernel/Zpfv2tnlQ-gOLGac@J2N7QTR9R3.cambridge.arm.com/
  https://lore.kernel.org/linux-arm-kernel/ZpfxLrJAOF2YNqCk@J2N7QTR9R3.cambridge.arm.com/

... it sounds like the best thing to do for now is to remove the
workaround and make CC_HAS_ASM_GOTO_OUTPUT depend on working compiler
versions.

The issue was originally reported to GCC by Sean Christopherson:

  https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113921

... and Jakub Jelinek fixed this for GCC 14, with the fix backported to
13.3.0, 12.4.0, and 11.5.0.

In the kernel, we tried to workaround broken compilers in commits:

  4356e9f ("work around gcc bugs with 'asm goto' with outputs")
  68fb3ca ("update workarounds for gcc "asm goto" issue")

... but the workaround of adding an empty asm("") after the asm volatile
goto(...) demonstrably does not always avoid the problem, as can be seen
in the following test case:

| #define asm_goto_output(x...) \
|         do { asm volatile goto(x); asm (""); } while (0)
|
| #define __good_or_bad(__val, __key)                                     \
| do {                                                                    \
|         __label__ __failed;                                             \
|         unsigned long __tmp;                                            \
|         asm_goto_output(                                                \
|         "       cbnz    %[key], %l[__failed]\n"                         \
|         "       mov     %[val], #0x900d\n"                              \
|         : [val] "=r" (__tmp)                                            \
|         : [key] "r" (__key)                                             \
|         :                                                               \
|         : __failed);                                                    \
|         (__val) = __tmp;                                                \
|         break;                                                          \
| __failed:                                                               \
|         (__val) = 0xbad;                                                \
| } while (0)
|
| unsigned long get_val(unsigned long key);
| unsigned long get_val(unsigned long key)
| {
|         unsigned long val = 0xbad;
|
|         __good_or_bad(val, key);
|
|         return val;
| }

GCC 13.2.0 (at -O2) compiles this to:

| 	cbnz    x0, .Lfailed
| 	mov     x0, #0x900d
| .Lfailed:
| 	ret

GCC 14.1.0 (at -O2) compiles this to:

| 	cbnz    x0, .Lfailed
| 	mov     x0, #0x900d
| 	ret
| .Lfailed:
| 	mov     x0, #0xbad
| 	ret

Note that GCC 13.2.0 erroneously omits the assignment to 'val' in the
error path (even though this does not depend on an output of the asm
goto). GCC 14.1.0 correctly retains the assignment.

This problem can be seen within the kernel with the following test case:

| #include <linux/uaccess.h>
| #include <linux/types.h>
|
| noinline unsigned long test_unsafe_get_user(unsigned long __user *ptr);
| noinline unsigned long test_unsafe_get_user(unsigned long __user *ptr)
| {
|         unsigned long val;
|
|         unsafe_get_user(val, ptr, Efault);
|         return val;
|
| Efault:
|         val = 0x900d;
|         return val;
| }

GCC 13.2.0 (arm64 defconfig) compiles this to:

|         and     x0, x0, #0xff7fffffffffffff
|         ldtr    x0, [x0]
| .Lextable_fixup:
|         ret

GCC 13.2.0 (x86_64 defconfig + MITIGATION_RETPOLINE=n) compiles this to:

|         endbr64
|         mov    (%rdi),%rax
| .Lextable_fixup:
|         ret

... omitting the assignment to 'val' in the error path, and leaving
garbage in the result register returned by the function (which happens
to contain the faulting address in the generated code).

GCC 14.1.0 (arm64 defconfig) compiles this to:

|         and     x0, x0, #0xff7fffffffffffff
|         ldtr    x0, [x0]
|         ret
| .Lextable_fixup:
|         mov     x0, #0x900d                     // #36877
|         ret

GCC 14.1.0 (x86_64 defconfig + MITIGATION_RETPOLINE=n) compiles this to:

|         endbr64
|         mov    (%rdi),%rax
|         ret
| .Lextable_fixup:
|         mov    $0x900d,%eax
|         ret

... retaining the expected assignment to 'val' in the error path.

We don't have a complete and reasonable workaround. While placing empty
asm("") blocks after each goto label *might* be sufficient, we don't
know for certain, this is tedious and error-prone, and there doesn't
seem to be a neat way to wrap this up (which is especially painful for
cases with multiple goto labels).

Avoid this issue by disabling CONFIG_CC_HAS_ASM_GOTO_OUTPUT for
known-broken compiler versions and removing the workaround (along with
the CONFIG_GCC_ASM_GOTO_OUTPUT_WORKAROUND config option).

For the moment I've left the default implementation of asm_goto_output()
unchanged. This should now be redundant since any compiler with the fix
for the clobbering issue whould also have a fix for the (earlier)
volatile issue, but it's far less churny to leave it around, which makes
it easier to backport this patch if necessary.

	Signed-off-by: Mark Rutland <mark.rutland@arm.com>
	Cc: Alex Coplan <alex.coplan@arm.com>
	Cc: Catalin Marinas <catalin.marinas@arm.com>
	Cc: Jakub Jelinek <jakub@gcc.gnu.org>
	Cc: Peter Zijlstra <peterz@infradead.org>
	Cc: Sean Christopherson <seanjc@google.com>
	Cc: Szabolcs Nagy <szabolcs.nagy@arm.com>
	Cc: Will Deacon <will@kernel.org>
	Cc: linux-arm-kernel@lists.infradead.org
	Cc: linux-kernel@vger.kernel.org
	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit f2f6a8e)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

# Conflicts:
#	include/linux/compiler-gcc.h
jira KERNEL-1233
cve CVE-2026-46176
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Junrui Luo <moonafterrain@outlook.com>
commit c488df0

mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When
ib_create_srq() fails for s1, the error branch destroys s0 but falls
through and unconditionally assigns the freed s0 and the ERR_PTR s1 to
devr->s0 and devr->s1.

This leads to several problems: the lock-free fast path checks
"if (devr->s1) return 0;" and treats the ERR_PTR as already initialised;
users in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via
to_msrq(devr->s0)->msrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences
the ERR_PTR and double-frees s0 on teardown.

Fix by adding the same `goto unlock` in the s1 failure path.

	Cc: stable@vger.kernel.org
Fixes: 5895e70 ("IB/mlx5: Allocate resources just before first QP/SRQ is created")
Link: https://patch.msgid.link/r/SYBPR01MB7881E1E0970268BD69C0BA75AF2B2@SYBPR01MB7881.ausprd01.prod.outlook.com
	Reported-by: Yuhao Jiang <danisjiang@gmail.com>
	Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
	Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
(cherry picked from commit c488df0)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
cve CVE-2026-31411
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Jiayuan Chen <jiayuan.chen@shopee.com>
commit ae88a5d

Reproducer available at [1].

The ATM send path (sendmsg -> vcc_sendmsg -> sigd_send) reads the vcc
pointer from msg->vcc and uses it directly without any validation. This
pointer comes from userspace via sendmsg() and can be arbitrarily forged:

    int fd = socket(AF_ATMSVC, SOCK_DGRAM, 0);
    ioctl(fd, ATMSIGD_CTRL);  // become ATM signaling daemon
    struct msghdr msg = { .msg_iov = &iov, ... };
    *(unsigned long *)(buf + 4) = 0xdeadbeef;  // fake vcc pointer
    sendmsg(fd, &msg, 0);  // kernel dereferences 0xdeadbeef

In normal operation, the kernel sends the vcc pointer to the signaling
daemon via sigd_enq() when processing operations like connect(), bind(),
or listen(). The daemon is expected to return the same pointer when
responding. However, a malicious daemon can send arbitrary pointer values.

Fix this by introducing find_get_vcc() which validates the pointer by
searching through vcc_hash (similar to how sigd_close() iterates over
all VCCs), and acquires a reference via sock_hold() if found.

Since struct atm_vcc embeds struct sock as its first member, they share
the same lifetime. Therefore using sock_hold/sock_put is sufficient to
keep the vcc alive while it is being used.

Note that there may be a race with sigd_close() which could mark the vcc
with various flags (e.g., ATM_VF_RELEASED) after find_get_vcc() returns.
However, sock_hold() guarantees the memory remains valid, so this race
only affects the logical state, not memory safety.

[1]: https://gist.github.com/mrpre/1ba5949c45529c511152e2f4c755b0f3
Fixes: 1da177e ("Linux-2.6.12-rc2")
	Reported-by: syzbot+1f22cb1769f249df9fa0@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/69039850.a70a0220.5b2ed.005d.GAE@google.com/T/
	Signed-off-by: Jiayuan Chen <jiayuan.chen@shopee.com>
Link: https://patch.msgid.link/20260205095501.131890-1-jiayuan.chen@linux.dev
	Signed-off-by: Paolo Abeni <pabeni@redhat.com>

(cherry picked from commit ae88a5d)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Nilesh Javali <njavali@marvell.com>
commit 0e124af
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-5.14.0-687.20.1.el9_8/0e124af6.failed

MPI firmware state was returned as 0.  Get MPI FW state to proceed with
flash image validation.

A new sysfs node 'mpi_fw_state' is added to report MPI firmware state:

    /sys/class/scsi_host/hostXX/mpi_fw_state

Fixes: d74181c ("scsi: qla2xxx: Add bsg interface to support firmware img validation")
	Signed-off-by: Nilesh Javali <njavali@marvell.com>
Link: https://patch.msgid.link/20260305093337.2007205-1-njavali@marvell.com
	Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
(cherry picked from commit 0e124af)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

# Conflicts:
#	drivers/scsi/qla2xxx/qla_attr.c
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Ovidiu Panait <ovidiu.panait.oss@gmail.com>
commit c102458

Rather than setting up the fallback request by hand, use
ahash_request_set_callback() and ahash_request_set_crypt() API helpers
to properly setup the new request.

	Signed-off-by: Ovidiu Panait <ovidiu.panait.oss@gmail.com>
	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit c102458)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Liao Yuanhong <liaoyuanhong@vivo.com>
commit 8595bcb

Logging messages that show some type of "out of memory" error are generally
unnecessary as there is a generic message and a stack dump done by the
memory subsystem. These messages generally increase kernel size without
much added value[1].

The dev_err_probe() doesn't do anything when error is '-ENOMEM'. Therefore,
remove the useless call to dev_err_probe(), and just return the value
instead.

[1]: https://lore.kernel.org/lkml/1402419340.30479.18.camel@joe-AO725/

	Signed-off-by: Liao Yuanhong <liaoyuanhong@vivo.com>
	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit 8595bcb)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Qianfeng Rong <rongqianfeng@vivo.com>
commit a710a71

Change the 'ret' variable in tegra_sha_do_update() from unsigned int to
int, as it needs to store either negative error codes or zero returned
by tegra_se_host1x_submit().

No effect on runtime.

	Signed-off-by: Qianfeng Rong <rongqianfeng@vivo.com>
	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit a710a71)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
cve CVE-2026-31739
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Eric Biggers <ebiggers@kernel.org>
commit 4b56770

The tegra crypto driver failed to set the CRYPTO_ALG_ASYNC on its
asynchronous algorithms, causing the crypto API to select them for users
that request only synchronous algorithms.  This causes crashes (at
least).  Fix this by adding the flag like what the other drivers do.
Also remove the unnecessary CRYPTO_ALG_TYPE_* flags, since those just
get ignored and overridden by the registration function anyway.

	Reported-by: Zorro Lang <zlang@redhat.com>
Closes: https://lore.kernel.org/r/20260314080937.pghb4aa7d4je3mhh@dell-per750-06-vm-08.rhts.eng.pek2.redhat.com
Fixes: 0880bb3 ("crypto: tegra - Add Tegra Security Engine driver")
	Cc: stable@vger.kernel.org
	Cc: Akhil R <akhilrajeev@nvidia.com>
	Signed-off-by: Eric Biggers <ebiggers@kernel.org>
	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit 4b56770)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Mikko Perttunen <mperttunen@nvidia.com>
commit f8c9c57

Since commit "gpu: host1x: Allow entries in BO caches to be freed",
host1x_bo_pin() and host1x_bo_unpin() handle the bo's refcount
themselves. .pin/.unpin callbacks should not adjust it.

	Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit f8c9c57)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Herbert Xu <herbert@gondor.apana.org.au>
commit 03215b8

When freeing a coherent DMA buffer, the size must match the value
that was used during the allocation.

Unfortunately the size field in the tegra driver gets overwritten
by this point so it no longer matches and creates a warning.

Fix this by saving a copy of the size on the stack.

Note that the ccm function actually mixes up the inbuf and outbuf
sizes, but it doesn't matter because the two sizes are actually
equal.

Fixes: 1cb328d ("crypto: tegra - Do not use fixed size buffers")
Reporeted-by: Patrick Talbert <ptalbert@redhat.com>
	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
	Reviewed-by: Vladislav Dronov <vdronov@redhat.com>
	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit 03215b8)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Herbert Xu <herbert@gondor.apana.org.au>
commit 690a5f9

Ensure the ENOMEM error value is set when the input buffer allocation
fails in tegra_ccm_do_one_req.

Fixes: 1e24594 ("crypto: tegra - finalize crypto req on error")
	Reported-by: Vladislav Dronov <vdronov@redhat.com>
	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
	Reviewed-by: Vladislav Dronov <vdronov@redhat.com>
	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit 690a5f9)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
cve CVE-2026-43198
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Eric Dumazet <edumazet@google.com>
commit 858d2a4
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-5.14.0-687.20.1.el9_8/858d2a4f.failed

Code in tcp_v6_syn_recv_sock() after the call to tcp_v4_syn_recv_sock()
is done too late.

After tcp_v4_syn_recv_sock(), the child socket is already visible
from TCP ehash table and other cpus might use it.

Since newinet->pinet6 is still pointing to the listener ipv6_pinfo
bad things can happen as syzbot found.

Move the problematic code in tcp_v6_mapped_child_init()
and call this new helper from tcp_v4_syn_recv_sock() before
the ehash insertion.

This allows the removal of one tcp_sync_mss(), since
tcp_v4_syn_recv_sock() will call it with the correct
context.

Fixes: 1da177e ("Linux-2.6.12-rc2")
	Reported-by: syzbot+937b5bbb6a815b3e5d0b@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/69949275.050a0220.2eeac1.0145.GAE@google.com/
	Signed-off-by: Eric Dumazet <edumazet@google.com>
	Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260217161205.2079883-1-edumazet@google.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 858d2a4)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

# Conflicts:
#	net/ipv6/tcp_ipv6.c
…FIPS mode

jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Ilya Dryomov <idryomov@gmail.com>
commit 6b7e977

hmac(sha256), hmac(sha384) and cts(cbc(aes)) algorithms have been
marked as FIPS allowed for years.  Mark the respective authenc()
constructions per RFC 8009 ("AES Encryption with HMAC-SHA2 for
Kerberos 5") as such as well.

SP 800-57 Part 3 Rev. 1 from Jan 2015 [1] links the draft of what
became RFC 8009 in Oct 2016 as approved in section 6.3 Procurement
Guidance (item/recommendation 3).

[1] https://csrc.nist.gov/pubs/sp/800/57/pt3/r1/final

	Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
	Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit 6b7e977)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Wesley Atwell <atwellwea@gmail.com>
commit 2ef3bac

krb5enc_encrypt_ahash_done() continues encryption from an ahash
completion callback by calling krb5enc_dispatch_encrypt().

That helper takes a flags argument for this continuation path, but it
ignored that argument and reused aead_request_flags(req) when setting
up the skcipher subrequest callback. This can incorrectly preserve
CRYPTO_TFM_REQ_MAY_SLEEP when the encrypt step is started from callback
context.

Preserve the original request flags but clear
CRYPTO_TFM_REQ_MAY_SLEEP for the callback continuation path, and use
the caller-supplied flags when setting up the skcipher subrequest.

Fixes: d1775a1 ("crypto: Add 'krb5enc' hash and cipher AEAD algorithm")
Assisted-by: Codex:GPT-5
	Signed-off-by: Wesley Atwell <atwellwea@gmail.com>
	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit 2ef3bac)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Dudu Lu <phx0fer@gmail.com>
commit 3bfbf5f

krb5enc_dispatch_decrypt() sets req->base.complete as the skcipher
callback, which is the caller's own completion handler. When the
skcipher completes asynchronously, this signals "done" to the caller
without executing krb5enc_dispatch_decrypt_hash(), completely bypassing
the integrity verification (hash check).

Compare with the encrypt path which correctly uses
krb5enc_encrypt_done as an intermediate callback to chain into the
hash computation on async completion.

Fix by adding krb5enc_decrypt_done as an intermediate callback that
chains into krb5enc_dispatch_decrypt_hash() upon async skcipher
completion, matching the encrypt path's callback pattern.

Also fix EBUSY/EINPROGRESS handling throughout: remove
krb5enc_request_complete() which incorrectly swallowed EINPROGRESS
notifications that must be passed up to callers waiting on backlogged
requests, and add missing EBUSY checks in krb5enc_encrypt_ahash_done
for the dispatch_encrypt return value.

Fixes: d1775a1 ("crypto: Add 'krb5enc' hash and cipher AEAD algorithm")
	Signed-off-by: Dudu Lu <phx0fer@gmail.com>

Unset MAY_BACKLOG on the async completion path so the user won't
see back-to-back EINPROGRESS notifications.

	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit 3bfbf5f)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1233
Rebuild_History Non-Buildable kernel-5.14.0-687.20.1.el9_8
commit-author Michael Bommarito <michael.bommarito@gmail.com>
commit 6c9ddde

krb5_aead_encrypt(), krb5_aead_decrypt() in rfc3961_simplified.c and
rfc8009_encrypt(), rfc8009_decrypt() in rfc8009_aes2.c set a NULL
completion callback and treat any negative return from
crypto_aead_{encrypt,decrypt}() as terminal, falling through to
kfree_sensitive(buffer).  When the encrypt_name resolves to an
async AEAD instance the request returns -EINPROGRESS, the buffer
is freed while the backend's worker still holds a pointer, and the
worker dereferences the freed slab on completion.

KASAN report under UML+SLUB with a synthetic async aead backend
bound to krb5->encrypt_name:

  BUG: KASAN: slab-use-after-free in t5_stub_complete+0x7d/0xc7

The helpers were written synchronously, so filter the async
instances out at allocation time instead of plumbing
crypto_wait_req() through every call site.

Reachable via net/rxrpc/rxgk.c, fs/afs/cm_security.c and
net/ceph/crypto.c on systems with an async AEAD provider bound to
the krb5 enctype name.

Fixes: 00244da ("crypto/krb5: Implement the Kerberos5 rfc3961 encrypt and decrypt functions")
Fixes: 6c3c0e8 ("crypto/krb5: Implement the AES enctypes from rfc8009")
	Cc: stable@vger.kernel.org
	Suggested-by: Herbert Xu <herbert@gondor.apana.org.au>
Assisted-by: Claude:claude-opus-4-7
	Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit 6c9ddde)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
Rebuild_History BUILDABLE
Rebuilding Kernel from rpm changelog with Fuzz Limit: 87.50%
Number of commits in upstream range v5.14~1..kernel-mainline: 394115
Number of commits in rpm: 400
Number of commits matched with upstream: 396 (99.00%)
Number of commits in upstream but not in rpm: 393719
Number of commits NOT found in upstream: 4 (1.00%)

Rebuilding Kernel on Branch rocky9_8_rebuild_kernel-5.14.0-687.20.1.el9_8 for kernel-5.14.0-687.20.1.el9_8
Clean Cherry Picks: 353 (89.14%)
Empty Cherry Picks: 42 (10.61%)
_______________________________

Full Details Located here:
ciq/ciq_backports/kernel-5.14.0-687.20.1.el9_8/rebuild.details.txt

Includes:
* git commit header above
* Empty Commits with upstream SHA
* RPM ChangeLog Entries that could not be matched

Individual Empty Commit failures contained in the same containing directory.
The git message for empty commits will have the path for the failed commit.
File names are the first 8 characters of the upstream SHA
@PlaidCat PlaidCat self-assigned this Jul 1, 2026
@PlaidCat PlaidCat requested review from a team July 1, 2026 04:50

@bmastbergen bmastbergen left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🥌

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

2 participants