--- /dev/null
+From 2011a2a18ef00b5b8e4b753acbe6451a8c5f2260 Mon Sep 17 00:00:00 2001
+From: Chris Mi <cmi@nvidia.com>
+Date: Wed, 15 Jan 2025 13:39:06 +0200
+Subject: net/mlx5: SF, Fix add port error handling
+
+From: Chris Mi <cmi@nvidia.com>
+
+commit 2011a2a18ef00b5b8e4b753acbe6451a8c5f2260 upstream.
+
+If failed to add SF, error handling doesn't delete the SF from the
+SF table. But the hw resources are deleted. So when unload driver,
+hw resources will be deleted again. Firmware will report syndrome
+0x68def3 which means "SF is not allocated can not deallocate".
+
+Fix it by delete SF from SF table if failed to add SF.
+
+Fixes: 2597ee190b4e ("net/mlx5: Call mlx5_sf_id_erase() once in mlx5_sf_dealloc()")
+Signed-off-by: Chris Mi <cmi@nvidia.com>
+Reviewed-by: Shay Drori <shayd@nvidia.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/sf/devlink.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/sf/devlink.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/sf/devlink.c
+@@ -280,6 +280,7 @@ static int mlx5_sf_add(struct mlx5_core_
+ return 0;
+
+ esw_err:
++ mlx5_sf_function_id_erase(table, sf);
+ mlx5_sf_free(table, sf);
+ return err;
+ }
--- /dev/null
+From 1cc8a5b534e5f9b5e129e54ee2e63c9f5da4f39a Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 27 Aug 2025 17:21:49 +0000
+Subject: net: rose: fix a typo in rose_clear_routes()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 1cc8a5b534e5f9b5e129e54ee2e63c9f5da4f39a upstream.
+
+syzbot crashed in rose_clear_routes(), after a recent patch typo.
+
+KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
+CPU: 0 UID: 0 PID: 10591 Comm: syz.3.1856 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
+ RIP: 0010:rose_clear_routes net/rose/rose_route.c:565 [inline]
+ RIP: 0010:rose_rt_ioctl+0x162/0x1250 net/rose/rose_route.c:760
+ <TASK>
+ rose_ioctl+0x3ce/0x8b0 net/rose/af_rose.c:1381
+ sock_do_ioctl+0xd9/0x300 net/socket.c:1238
+ sock_ioctl+0x576/0x790 net/socket.c:1359
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:598 [inline]
+ __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:584
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: da9c9c877597 ("net: rose: include node references in rose_neigh refcount")
+Reported-by: syzbot+2eb8d1719f7cfcfa6840@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/68af3e29.a70a0220.3cafd4.002e.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Takamitsu Iwai <takamitz@amazon.co.jp>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
+Link: https://patch.msgid.link/20250827172149.5359-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rose/rose_route.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/rose/rose_route.c
++++ b/net/rose/rose_route.c
+@@ -562,7 +562,7 @@ static int rose_clear_routes(void)
+ rose_node = rose_node->next;
+
+ if (!t->loopback) {
+- for (i = 0; i < rose_node->count; i++)
++ for (i = 0; i < t->count; i++)
+ rose_neigh_put(t->neighbour[i]);
+ rose_remove_node(t);
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
