From 1e42e1c8205293bf8b9ce90a562c797b3fe7955b Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 1 Sep 2025 15:43:30 +0200
Subject: [PATCH] 6.6-stable patches

added patches:
	net-mlx5-sf-fix-add-port-error-handling.patch
	net-rose-fix-a-typo-in-rose_clear_routes.patch
---
 ...-mlx5-sf-fix-add-port-error-handling.patch | 37 ++++++++++++++
 ...rose-fix-a-typo-in-rose_clear_routes.patch | 51 +++++++++++++++++++
 queue-6.6/series                              |  2 +
 3 files changed, 90 insertions(+)
 create mode 100644 queue-6.6/net-mlx5-sf-fix-add-port-error-handling.patch
 create mode 100644 queue-6.6/net-rose-fix-a-typo-in-rose_clear_routes.patch

diff --git a/queue-6.6/net-mlx5-sf-fix-add-port-error-handling.patch b/queue-6.6/net-mlx5-sf-fix-add-port-error-handling.patch
new file mode 100644
index 0000000000..115c4acc68
--- /dev/null
+++ b/queue-6.6/net-mlx5-sf-fix-add-port-error-handling.patch
@@ -0,0 +1,37 @@
+From 2011a2a18ef00b5b8e4b753acbe6451a8c5f2260 Mon Sep 17 00:00:00 2001
+From: Chris Mi <cmi@nvidia.com>
+Date: Wed, 15 Jan 2025 13:39:06 +0200
+Subject: net/mlx5: SF, Fix add port error handling
+
+From: Chris Mi <cmi@nvidia.com>
+
+commit 2011a2a18ef00b5b8e4b753acbe6451a8c5f2260 upstream.
+
+If failed to add SF, error handling doesn't delete the SF from the
+SF table. But the hw resources are deleted. So when unload driver,
+hw resources will be deleted again. Firmware will report syndrome
+0x68def3 which means "SF is not allocated can not deallocate".
+
+Fix it by delete SF from SF table if failed to add SF.
+
+Fixes: 2597ee190b4e ("net/mlx5: Call mlx5_sf_id_erase() once in mlx5_sf_dealloc()")
+Signed-off-by: Chris Mi <cmi@nvidia.com>
+Reviewed-by: Shay Drori <shayd@nvidia.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/sf/devlink.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/sf/devlink.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/sf/devlink.c
+@@ -280,6 +280,7 @@ static int mlx5_sf_add(struct mlx5_core_
+ 	return 0;
+ 
+ esw_err:
++	mlx5_sf_function_id_erase(table, sf);
+ 	mlx5_sf_free(table, sf);
+ 	return err;
+ }
diff --git a/queue-6.6/net-rose-fix-a-typo-in-rose_clear_routes.patch b/queue-6.6/net-rose-fix-a-typo-in-rose_clear_routes.patch
new file mode 100644
index 0000000000..28d4bf76d1
--- /dev/null
+++ b/queue-6.6/net-rose-fix-a-typo-in-rose_clear_routes.patch
@@ -0,0 +1,51 @@
+From 1cc8a5b534e5f9b5e129e54ee2e63c9f5da4f39a Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 27 Aug 2025 17:21:49 +0000
+Subject: net: rose: fix a typo in rose_clear_routes()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 1cc8a5b534e5f9b5e129e54ee2e63c9f5da4f39a upstream.
+
+syzbot crashed in rose_clear_routes(), after a recent patch typo.
+
+KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
+CPU: 0 UID: 0 PID: 10591 Comm: syz.3.1856 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
+ RIP: 0010:rose_clear_routes net/rose/rose_route.c:565 [inline]
+ RIP: 0010:rose_rt_ioctl+0x162/0x1250 net/rose/rose_route.c:760
+ <TASK>
+  rose_ioctl+0x3ce/0x8b0 net/rose/af_rose.c:1381
+  sock_do_ioctl+0xd9/0x300 net/socket.c:1238
+  sock_ioctl+0x576/0x790 net/socket.c:1359
+  vfs_ioctl fs/ioctl.c:51 [inline]
+  __do_sys_ioctl fs/ioctl.c:598 [inline]
+  __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:584
+  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+  do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: da9c9c877597 ("net: rose: include node references in rose_neigh refcount")
+Reported-by: syzbot+2eb8d1719f7cfcfa6840@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/68af3e29.a70a0220.3cafd4.002e.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Takamitsu Iwai <takamitz@amazon.co.jp>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
+Link: https://patch.msgid.link/20250827172149.5359-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rose/rose_route.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/rose/rose_route.c
++++ b/net/rose/rose_route.c
+@@ -562,7 +562,7 @@ static int rose_clear_routes(void)
+ 		rose_node = rose_node->next;
+ 
+ 		if (!t->loopback) {
+-			for (i = 0; i < rose_node->count; i++)
++			for (i = 0; i < t->count; i++)
+ 				rose_neigh_put(t->neighbour[i]);
+ 			rose_remove_node(t);
+ 		}
diff --git a/queue-6.6/series b/queue-6.6/series
index 1c4a3305db..8719f41e74 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -67,3 +67,5 @@ fs-smb-fix-inconsistent-refcnt-update.patch
 net-usb-qmi_wwan-add-telit-cinterion-le910c4-wwx-new-compositions.patch
 smb3-client-fix-return-code-mapping-of-remap_file_range.patch
 drm-nouveau-disp-always-accept-linear-modifier.patch
+net-rose-fix-a-typo-in-rose_clear_routes.patch
+net-mlx5-sf-fix-add-port-error-handling.patch
-- 
2.47.3