--- /dev/null
+From stable+bounces-132662-greg=kroah.com@vger.kernel.org Mon Apr 14 20:50:55 2025
+From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Date: Mon, 14 Apr 2025 11:50:19 -0700
+Subject: bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq
+To: stable@vger.kernel.org
+Cc: vegard.nossum@oracle.com, Michal Schmidt <mschmidt@redhat.com>, Selvin Xavier <selvin.xavier@broadcom.com>, Leon Romanovsky <leon@kernel.org>, Xiangyu Chen <xiangyu.chen@windriver.com>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Message-ID: <20250414185023.2165422-3-harshit.m.mogalapalli@oracle.com>
+
+From: Michal Schmidt <mschmidt@redhat.com>
+
+commit 78cfd17142ef70599d6409cbd709d94b3da58659 upstream.
+
+Undefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called
+with hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0.
+In that case, "roundup_pow_of_two(hwq_attr->aux_stride)" gets called.
+roundup_pow_of_two is documented as undefined for 0.
+
+Fix it in the one caller that had this combination.
+
+The undefined behavior was detected by UBSAN:
+ UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13
+ shift exponent 64 is too large for 64-bit type 'long unsigned int'
+ CPU: 24 PID: 1075 Comm: (udev-worker) Not tainted 6.9.0-rc6+ #4
+ Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.7 10/25/2023
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0x5d/0x80
+ ubsan_epilogue+0x5/0x30
+ __ubsan_handle_shift_out_of_bounds.cold+0x61/0xec
+ __roundup_pow_of_two+0x25/0x35 [bnxt_re]
+ bnxt_qplib_alloc_init_hwq+0xa1/0x470 [bnxt_re]
+ bnxt_qplib_create_qp+0x19e/0x840 [bnxt_re]
+ bnxt_re_create_qp+0x9b1/0xcd0 [bnxt_re]
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? __kmalloc+0x1b6/0x4f0
+ ? create_qp.part.0+0x128/0x1c0 [ib_core]
+ ? __pfx_bnxt_re_create_qp+0x10/0x10 [bnxt_re]
+ create_qp.part.0+0x128/0x1c0 [ib_core]
+ ib_create_qp_kernel+0x50/0xd0 [ib_core]
+ create_mad_qp+0x8e/0xe0 [ib_core]
+ ? __pfx_qp_event_handler+0x10/0x10 [ib_core]
+ ib_mad_init_device+0x2be/0x680 [ib_core]
+ add_client_context+0x10d/0x1a0 [ib_core]
+ enable_device_and_get+0xe0/0x1d0 [ib_core]
+ ib_register_device+0x53c/0x630 [ib_core]
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ bnxt_re_probe+0xbd8/0xe50 [bnxt_re]
+ ? __pfx_bnxt_re_probe+0x10/0x10 [bnxt_re]
+ auxiliary_bus_probe+0x49/0x80
+ ? driver_sysfs_add+0x57/0xc0
+ really_probe+0xde/0x340
+ ? pm_runtime_barrier+0x54/0x90
+ ? __pfx___driver_attach+0x10/0x10
+ __driver_probe_device+0x78/0x110
+ driver_probe_device+0x1f/0xa0
+ __driver_attach+0xba/0x1c0
+ bus_for_each_dev+0x8f/0xe0
+ bus_add_driver+0x146/0x220
+ driver_register+0x72/0xd0
+ __auxiliary_driver_register+0x6e/0xd0
+ ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]
+ bnxt_re_mod_init+0x3e/0xff0 [bnxt_re]
+ ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]
+ do_one_initcall+0x5b/0x310
+ do_init_module+0x90/0x250
+ init_module_from_file+0x86/0xc0
+ idempotent_init_module+0x121/0x2b0
+ __x64_sys_finit_module+0x5e/0xb0
+ do_syscall_64+0x82/0x160
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? syscall_exit_to_user_mode_prepare+0x149/0x170
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? syscall_exit_to_user_mode+0x75/0x230
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? do_syscall_64+0x8e/0x160
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? __count_memcg_events+0x69/0x100
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? count_memcg_events.constprop.0+0x1a/0x30
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? handle_mm_fault+0x1f0/0x300
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? do_user_addr_fault+0x34e/0x640
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+ RIP: 0033:0x7f4e5132821d
+ Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 db 0c 00 f7 d8 64 89 01 48
+ RSP: 002b:00007ffca9c906a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
+ RAX: ffffffffffffffda RBX: 0000563ec8a8f130 RCX: 00007f4e5132821d
+ RDX: 0000000000000000 RSI: 00007f4e518fa07d RDI: 000000000000003b
+ RBP: 00007ffca9c90760 R08: 00007f4e513f6b20 R09: 00007ffca9c906f0
+ R10: 0000563ec8a8faa0 R11: 0000000000000246 R12: 00007f4e518fa07d
+ R13: 0000000000020000 R14: 0000563ec8409e90 R15: 0000563ec8a8fa60
+ </TASK>
+ ---[ end trace ]---
+
+Fixes: 0c4dcd602817 ("RDMA/bnxt_re: Refactor hardware queue memory allocation")
+Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+Link: https://lore.kernel.org/r/20240507103929.30003-1-mschmidt@redhat.com
+Acked-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[Harshit: backport to 5.15.y, this is a clean cherrypick from 6.1.y
+commit ]
+Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_fp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
+@@ -1013,7 +1013,8 @@ int bnxt_qplib_create_qp(struct bnxt_qpl
+ hwq_attr.stride = sizeof(struct sq_sge);
+ hwq_attr.depth = bnxt_qplib_get_depth(sq);
+ hwq_attr.aux_stride = psn_sz;
+- hwq_attr.aux_depth = bnxt_qplib_set_sq_size(sq, qp->wqe_mode);
++ hwq_attr.aux_depth = psn_sz ? bnxt_qplib_set_sq_size(sq, qp->wqe_mode)
++ : 0;
+ hwq_attr.type = HWQ_TYPE_QUEUE;
+ rc = bnxt_qplib_alloc_init_hwq(&sq->hwq, &hwq_attr);
+ if (rc)
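Review bot: The guard is applied only at this call site in bnxt_qplib_create_qp(), so bnxt_qplib_alloc_init_hwq() still depends on every caller never passing a non-zero aux_depth together with a zero aux_stride. Per the commit message the callee reaches roundup_pow_of_two(hwq_attr->aux_stride) in that case, which is undefined for 0; the callee is outside this hunk, so whether it validates the pair cannot be seen here. A comment on the new assignment would record the invariant, e.g. `/* aux_depth must be 0 when psn_sz is 0: roundup_pow_of_two(0) is undefined */`, and a check in the callee along the lines of `if (hwq_attr->aux_depth && !hwq_attr->aux_stride) return -EINVAL;` would catch future callers. bnxt_qplib_create_qp()'s body starts and ends outside the hunk.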
--- /dev/null
+From stable+bounces-132664-greg=kroah.com@vger.kernel.org Mon Apr 14 20:50:56 2025
+From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Date: Mon, 14 Apr 2025 11:50:22 -0700
+Subject: filemap: Fix bounds checking in filemap_read()
+To: stable@vger.kernel.org
+Cc: vegard.nossum@oracle.com, Trond Myklebust <trond.myklebust@hammerspace.com>, Mike Snitzer <snitzer@kernel.org>, Linus Torvalds <torvalds@linux-foundation.org>, Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Message-ID: <20250414185023.2165422-6-harshit.m.mogalapalli@oracle.com>
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit ace149e0830c380ddfce7e466fe860ca502fe4ee ]
+
+If the caller supplies an iocb->ki_pos value that is close to the
+filesystem upper limit, and an iterator with a count that causes us to
+overflow that limit, then filemap_read() enters an infinite loop.
+
+This behaviour was discovered when testing xfstests generic/525 with the
+"localio" optimisation for loopback NFS mounts.
+
+Reported-by: Mike Snitzer <snitzer@kernel.org>
+Fixes: c2a9737f45e2 ("vfs,mm: fix a dead loop in truncate_inode_pages_range()")
+Tested-by: Mike Snitzer <snitzer@kernel.org>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+(cherry picked from commit ace149e0830c380ddfce7e466fe860ca502fe4ee)
+[Harshit: Minor conflict resolved due to missing commit: 25d6a23e8d28
+("filemap: Convert filemap_get_read_batch() to use a folio_batch") in
+5.15.y]
+Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/filemap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/filemap.c
++++ b/mm/filemap.c
+@@ -2617,7 +2617,7 @@ ssize_t filemap_read(struct kiocb *iocb,
+ if (unlikely(!iov_iter_count(iter)))
+ return 0;
+
+- iov_iter_truncate(iter, inode->i_sb->s_maxbytes);
++ iov_iter_truncate(iter, inode->i_sb->s_maxbytes - iocb->ki_pos);
+ pagevec_init(&pvec);
+
+ do {
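Review bot: The new bound `inode->i_sb->s_maxbytes - iocb->ki_pos` is only meaningful while ki_pos does not exceed s_maxbytes; a larger ki_pos makes the difference negative, and if iov_iter_truncate() takes an unsigned count that turns into a very large value and nothing is truncated. The visible lines check only for an empty iterator, so the range check on ki_pos presumably sits earlier in filemap_read(), outside this hunk; that is worth confirming in the 5.15.y tree because this backport needed a conflict resolution. A comment would tie the two together, e.g. `/* ki_pos < s_maxbytes was checked above, so this cannot go negative */`.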
--- /dev/null
+From stable+bounces-132666-greg=kroah.com@vger.kernel.org Mon Apr 14 20:51:11 2025
+From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Date: Mon, 14 Apr 2025 11:50:23 -0700
+Subject: ipv6: release nexthop on device removal
+To: stable@vger.kernel.org
+Cc: vegard.nossum@oracle.com, Paolo Abeni <pabeni@redhat.com>, Eric Dumazet <edumazet@google.com>, David Ahern <dsahern@kernel.org>, Jakub Kicinski <kuba@kernel.org>, Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Message-ID: <20250414185023.2165422-7-harshit.m.mogalapalli@oracle.com>
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit eb02688c5c45c3e7af7e71f036a7144f5639cbfe ]
+
+The CI is hitting some aperiodic hangup at device removal time in the
+pmtu.sh self-test:
+
+unregister_netdevice: waiting for veth_A-R1 to become free. Usage count = 6
+ref_tracker: veth_A-R1@ffff888013df15d8 has 1/5 users at
+ dst_init+0x84/0x4a0
+ dst_alloc+0x97/0x150
+ ip6_dst_alloc+0x23/0x90
+ ip6_rt_pcpu_alloc+0x1e6/0x520
+ ip6_pol_route+0x56f/0x840
+ fib6_rule_lookup+0x334/0x630
+ ip6_route_output_flags+0x259/0x480
+ ip6_dst_lookup_tail.constprop.0+0x5c2/0x940
+ ip6_dst_lookup_flow+0x88/0x190
+ udp_tunnel6_dst_lookup+0x2a7/0x4c0
+ vxlan_xmit_one+0xbde/0x4a50 [vxlan]
+ vxlan_xmit+0x9ad/0xf20 [vxlan]
+ dev_hard_start_xmit+0x10e/0x360
+ __dev_queue_xmit+0xf95/0x18c0
+ arp_solicit+0x4a2/0xe00
+ neigh_probe+0xaa/0xf0
+
+While the first suspect is the dst_cache, explicitly tracking the dst
+owing the last device reference via probes proved such dst is held by
+the nexthop in the originating fib6_info.
+
+Similar to commit f5b51fe804ec ("ipv6: route: purge exception on
+removal"), we need to explicitly release the originating fib info when
+disconnecting a to-be-removed device from a live ipv6 dst: move the
+fib6_info cleanup into ip6_dst_ifdown().
+
+Tested running:
+
+./pmtu.sh cleanup_ipv6_exception
+
+in a tight loop for more than 400 iterations with no spat, running an
+unpatched kernel I observed a splat every ~10 iterations.
+
+Fixes: f88d8ea67fbd ("ipv6: Plumb support for nexthop object in a fib6_info")
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://patch.msgid.link/604c45c188c609b732286b47ac2a451a40f6cf6d.1730828007.git.pabeni@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+(cherry picked from commit eb02688c5c45c3e7af7e71f036a7144f5639cbfe)
+[Harshit: Resolved conflict due to missing commit: e5f80fcf869a ("ipv6:
+give an IPv6 dev to blackhole_netdev") and commit: b4cb4a1391dc ("net:
+use unrcu_pointer() helper") in linux-5.15.y]
+Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/route.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -377,6 +377,7 @@ static void ip6_dst_ifdown(struct dst_en
+ struct inet6_dev *idev = rt->rt6i_idev;
+ struct net_device *loopback_dev =
+ dev_net(dev)->loopback_dev;
++ struct fib6_info *from;
+
+ if (idev && idev->dev != loopback_dev) {
+ struct inet6_dev *loopback_idev = in6_dev_get(loopback_dev);
+@@ -385,6 +386,8 @@ static void ip6_dst_ifdown(struct dst_en
+ in6_dev_put(idev);
+ }
+ }
++ from = xchg((__force struct fib6_info **)&rt->from, NULL);
++ fib6_info_release(from);
+ }
+
+ static bool __rt6_check_expired(const struct rt6_info *rt)
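Review bot: The added `xchg()`/`fib6_info_release()` pair in ip6_dst_ifdown() runs unconditionally, outside the `idev` check above it, and nothing in the code says why. A short comment would help the next reader, e.g. `/* drop the originating fib6_info so its nexthop stops pinning the device being removed */`. The same applies to the last hunk in rt6_remove_exception(): the existing "purge completely the exception" comment now sits above only dst_dev_put(), so the release it describes presumably happens through the ifdown path, and saying so would keep the comment accurate. It is also worth confirming that fib6_info_release() accepts NULL, since `from` is NULL whenever rt->from was already cleared; its definition is not in this diff.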
+@@ -1443,7 +1446,6 @@ static DEFINE_SPINLOCK(rt6_exception_loc
+ static void rt6_remove_exception(struct rt6_exception_bucket *bucket,
+ struct rt6_exception *rt6_ex)
+ {
+- struct fib6_info *from;
+ struct net *net;
+
+ if (!bucket || !rt6_ex)
+@@ -1455,8 +1457,6 @@ static void rt6_remove_exception(struct
+ /* purge completely the exception to allow releasing the held resources:
+ * some [sk] cache may keep the dst around for unlimited time
+ */
+- from = xchg((__force struct fib6_info **)&rt6_ex->rt6i->from, NULL);
+- fib6_info_release(from);
+ dst_dev_put(&rt6_ex->rt6i->dst);
+
+ hlist_del_rcu(&rt6_ex->hlist);
--- /dev/null
+From f6cb7828c8e17520d4f5afb416515d3fae1af9a9 Mon Sep 17 00:00:00 2001
+From: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
+Date: Tue, 25 Feb 2025 20:02:48 +0900
+Subject: misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
+
+commit f6cb7828c8e17520d4f5afb416515d3fae1af9a9 upstream.
+
+After devm_request_irq() fails with error in pci_endpoint_test_request_irq(),
+the pci_endpoint_test_free_irq_vectors() is called assuming that all IRQs
+have been released.
+
+However, some requested IRQs remain unreleased, so there are still
+/proc/irq/* entries remaining, and this results in WARN() with the
+following message:
+
+ remove_proc_entry: removing non-empty directory 'irq/30', leaking at least 'pci-endpoint-test.0'
+ WARNING: CPU: 0 PID: 202 at fs/proc/generic.c:719 remove_proc_entry +0x190/0x19c
+
+To solve this issue, set the number of remaining IRQs to test->num_irqs,
+and release IRQs in advance by calling pci_endpoint_test_release_irq().
+
+Cc: stable@vger.kernel.org
+Fixes: e03327122e2c ("pci_endpoint_test: Add 2 ioctl commands")
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
+Link: https://lore.kernel.org/r/20250225110252.28866-3-hayashi.kunihiko@socionext.com
+[kwilczynski: commit log]
+Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
+Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/pci_endpoint_test.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/misc/pci_endpoint_test.c
++++ b/drivers/misc/pci_endpoint_test.c
+@@ -262,6 +262,9 @@ fail:
+ break;
+ }
+
++ test->num_irqs = i;
++ pci_endpoint_test_release_irq(test);
++
+ return false;
+ }
+
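Review bot: The two added lines on the fail path overwrite `test->num_irqs` with the loop index `i` without saying why, and the reasoning is not obvious from the hunk. As I read it, `i` is the index of the vector whose devm_request_irq() failed, so vectors 0..i-1 are the ones that must be freed; a comment such as `/* only IRQs 0..i-1 were requested; release exactly those */` would make that explicit. This relies on pci_endpoint_test_release_irq() freeing `num_irqs` entries starting at 0, which is outside the hunk, and on no later code needing the original vector count after the failure. The function starts before the hunk.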
--- /dev/null
+From 919d14603dab6a9cf03ebbeb2cfa556df48737c8 Mon Sep 17 00:00:00 2001
+From: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
+Date: Tue, 25 Feb 2025 20:02:49 +0900
+Subject: misc: pci_endpoint_test: Fix displaying 'irq_type' after 'request_irq' error
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
+
+commit 919d14603dab6a9cf03ebbeb2cfa556df48737c8 upstream.
+
+There are two variables that indicate the interrupt type to be used
+in the next test execution, global "irq_type" and "test->irq_type".
+
+The former is referenced from pci_endpoint_test_get_irq() to preserve
+the current type for ioctl(PCITEST_GET_IRQTYPE).
+
+In the pci_endpoint_test_request_irq(), since this global variable
+is referenced when an error occurs, the unintended error message is
+displayed.
+
+For example, after running "pcitest -i 2", the following message
+shows "MSI 3" even if the current IRQ type becomes "MSI-X":
+
+ pci-endpoint-test 0000:01:00.0: Failed to request IRQ 30 for MSI 3
+ SET IRQ TYPE TO MSI-X: NOT OKAY
+
+Fix this issue by using "test->irq_type" instead of global "irq_type".
+
+Cc: stable@vger.kernel.org
+Fixes: b2ba9225e031 ("misc: pci_endpoint_test: Avoid using module parameter to determine irqtype")
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
+Link: https://lore.kernel.org/r/20250225110252.28866-4-hayashi.kunihiko@socionext.com
+[kwilczynski: commit log]
+Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
+Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/pci_endpoint_test.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/pci_endpoint_test.c
++++ b/drivers/misc/pci_endpoint_test.c
+@@ -245,7 +245,7 @@ static bool pci_endpoint_test_request_ir
+ return true;
+
+ fail:
+- switch (irq_type) {
++ switch (test->irq_type) {
+ case IRQ_TYPE_LEGACY:
+ dev_err(dev, "Failed to request IRQ %d for Legacy\n",
+ pci_irq_vector(pdev, i));
--- /dev/null
+From baaef0a274cfb75f9b50eab3ef93205e604f662c Mon Sep 17 00:00:00 2001
+From: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
+Date: Tue, 25 Feb 2025 20:02:50 +0900
+Subject: misc: pci_endpoint_test: Fix 'irq_type' to convey the correct type
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
+
+commit baaef0a274cfb75f9b50eab3ef93205e604f662c upstream.
+
+There are two variables that indicate the interrupt type to be used
+in the next test execution, "irq_type" as global and "test->irq_type".
+
+The global is referenced from pci_endpoint_test_get_irq() to preserve
+the current type for ioctl(PCITEST_GET_IRQTYPE).
+
+The type set in this function isn't reflected in the global "irq_type",
+so ioctl(PCITEST_GET_IRQTYPE) returns the previous type.
+
+As a result, the wrong type is displayed in old version of "pcitest"
+as follows:
+
+ - Result of running "pcitest -i 0"
+
+ SET IRQ TYPE TO LEGACY: OKAY
+
+ - Result of running "pcitest -I"
+
+ GET IRQ TYPE: MSI
+
+Whereas running the new version of "pcitest" in kselftest results in an
+error as follows:
+
+ # RUN pci_ep_basic.LEGACY_IRQ_TEST ...
+ # pci_endpoint_test.c:104:LEGACY_IRQ_TEST:Expected 0 (0) == ret (1)
+ # pci_endpoint_test.c:104:LEGACY_IRQ_TEST:Can't get Legacy IRQ type
+
+Fix this issue by propagating the current type to the global "irq_type".
+
+Fixes: b2ba9225e031 ("misc: pci_endpoint_test: Avoid using module parameter to determine irqtype")
+Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
+[kwilczynski: commit log]
+Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
+Reviewed-by: Niklas Cassel <cassel@kernel.org>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250225110252.28866-5-hayashi.kunihiko@socionext.com
+Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/pci_endpoint_test.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/misc/pci_endpoint_test.c
++++ b/drivers/misc/pci_endpoint_test.c
+@@ -717,6 +717,7 @@ static bool pci_endpoint_test_set_irq(st
+ if (!pci_endpoint_test_request_irq(test))
+ goto err;
+
++ irq_type = test->irq_type;
+ return true;
+
+ err:
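Review bot: `irq_type = test->irq_type;` writes a file-scope variable from a per-device path, so with more than one endpoint-test device bound, ioctl(PCITEST_GET_IRQTYPE) would report whichever device set its type last. The hunk shows no lock around the store; if the ioctl path is serialized by a per-device mutex (not visible here), that would not order writes coming from different devices. At minimum a comment should say the global is kept only for the GET_IRQTYPE path, e.g. `/* mirror into the module-wide irq_type read by PCITEST_GET_IRQTYPE */`. pci_endpoint_test_set_irq() starts and ends outside the hunk.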
--- /dev/null
+From 8c39633759885b6ff85f6d96cf445560e74df5e8 Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Fri, 14 Mar 2025 21:11:32 +0100
+Subject: mptcp: sockopt: fix getting IPV6_V6ONLY
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit 8c39633759885b6ff85f6d96cf445560e74df5e8 upstream.
+
+When adding a socket option support in MPTCP, both the get and set parts
+are supposed to be implemented.
+
+IPV6_V6ONLY support for the setsockopt part has been added a while ago,
+but it looks like the get part got forgotten. It should have been
+present as a way to verify a setting has been set as expected, and not
+to act differently from TCP or any other socket types.
+
+Not supporting this getsockopt(IPV6_V6ONLY) blocks some apps which want
+to check the default value, before doing extra actions. On Linux, the
+default value is 0, but this can be changed with the net.ipv6.bindv6only
+sysctl knob. On Windows, it is set to 1 by default. So supporting the
+get part, like for all other socket options, is important.
+
+Everything was in place to expose it, just the last step was missing.
+Only new code is added to cover this specific getsockopt(), that seems
+safe.
+
+Fixes: c9b95a135987 ("mptcp: support IPV6_V6ONLY setsockopt")
+Cc: stable@vger.kernel.org
+Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/550
+Reviewed-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250314-net-mptcp-fix-data-stream-corr-sockopt-v1-2-122dbb249db3@kernel.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+[ Conflicts in sockopt.c in the context, because commit 3b1e21eb60e8
+ ("mptcp: getsockopt: add support for IP_TOS") is not in this release.
+ The conflicts are in the context, the new helper can be added without
+ issue. It depends on mptcp_put_int_option() which has been added via
+ another backport, see commit 874aae15fbef ("mptcp: fix full TCP
+ keep-alive support"). ]
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/sockopt.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/net/mptcp/sockopt.c
++++ b/net/mptcp/sockopt.c
+@@ -793,6 +793,20 @@ static int mptcp_getsockopt_sol_tcp(stru
+ return -EOPNOTSUPP;
+ }
+
++static int mptcp_getsockopt_v6(struct mptcp_sock *msk, int optname,
++ char __user *optval, int __user *optlen)
++{
++ struct sock *sk = (void *)msk;
++
++ switch (optname) {
++ case IPV6_V6ONLY:
++ return mptcp_put_int_option(msk, optval, optlen,
++ sk->sk_ipv6only);
++ }
++
++ return -EOPNOTSUPP;
++}
++
+ int mptcp_getsockopt(struct sock *sk, int level, int optname,
+ char __user *optval, int __user *option)
+ {
+@@ -813,6 +827,8 @@ int mptcp_getsockopt(struct sock *sk, in
+ if (ssk)
+ return tcp_getsockopt(ssk, level, optname, optval, option);
+
++ if (level == SOL_IPV6)
++ return mptcp_getsockopt_v6(msk, optname, optval, option);
+ if (level == SOL_TCP)
+ return mptcp_getsockopt_sol_tcp(msk, optname, optval, option);
+ return -EOPNOTSUPP;
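Review bot: The new `if (level == SOL_IPV6)` dispatch in mptcp_getsockopt() does not look at the socket's address family, so as far as these lines show, an AF_INET MPTCP socket asking for IPV6_V6ONLY gets `sk->sk_ipv6only` back instead of an error. Since the commit message aims at not acting differently from TCP, it is worth confirming what TCP returns in that case and, if it differs, gating the helper at the top of mptcp_getsockopt_v6() with something like `if (sk->sk_family != AF_INET6) return -EOPNOTSUPP;` (or whichever errno TCP uses). The helper added in the previous hunk would also read more clearly with an explicit `default:` case in its switch. mptcp_getsockopt() begins and ends outside this hunk.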
--- /dev/null
+From stable+bounces-132665-greg=kroah.com@vger.kernel.org Mon Apr 14 20:50:59 2025
+From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Date: Mon, 14 Apr 2025 11:50:21 -0700
+Subject: net: fix crash when config small gso_max_size/gso_ipv4_max_size
+To: stable@vger.kernel.org
+Cc: vegard.nossum@oracle.com, Wang Liang <wangliang74@huawei.com>, Eric Dumazet <edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>, Bin Lan <bin.lan.cn@windriver.com>, Sasha Levin <sashal@kernel.org>, Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Message-ID: <20250414185023.2165422-5-harshit.m.mogalapalli@oracle.com>
+
+From: Wang Liang <wangliang74@huawei.com>
+
+[ Upstream commit 9ab5cf19fb0e4680f95e506d6c544259bf1111c4 ]
+
+Config a small gso_max_size/gso_ipv4_max_size will lead to an underflow
+in sk_dst_gso_max_size(), which may trigger a BUG_ON crash,
+because sk->sk_gso_max_size would be much bigger than device limits.
+Call Trace:
+tcp_write_xmit
+ tso_segs = tcp_init_tso_segs(skb, mss_now);
+ tcp_set_skb_tso_segs
+ tcp_skb_pcount_set
+ // skb->len = 524288, mss_now = 8
+ // u16 tso_segs = 524288/8 = 65535 -> 0
+ tso_segs = DIV_ROUND_UP(skb->len, mss_now)
+ BUG_ON(!tso_segs)
+Add check for the minimum value of gso_max_size and gso_ipv4_max_size.
+
+Fixes: 46e6b992c250 ("rtnetlink: allow GSO maximums to be set on device creation")
+Fixes: 9eefedd58ae1 ("net: add gso_ipv4_max_size and gro_ipv4_max_size per device")
+Signed-off-by: Wang Liang <wangliang74@huawei.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20241023035213.517386-1-wangliang74@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[ Resolve minor conflicts to fix CVE-2024-50258 ]
+Signed-off-by: Bin Lan <bin.lan.cn@windriver.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+[Harshit: Clean cherrypick from 6.1.y commit]
+Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/rtnetlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -1899,7 +1899,7 @@ static const struct nla_policy ifla_poli
+ [IFLA_NUM_TX_QUEUES] = { .type = NLA_U32 },
+ [IFLA_NUM_RX_QUEUES] = { .type = NLA_U32 },
+ [IFLA_GSO_MAX_SEGS] = { .type = NLA_U32 },
+- [IFLA_GSO_MAX_SIZE] = { .type = NLA_U32 },
++ [IFLA_GSO_MAX_SIZE] = NLA_POLICY_MIN(NLA_U32, MAX_TCP_HEADER + 1),
+ [IFLA_PHYS_PORT_ID] = { .type = NLA_BINARY, .len = MAX_PHYS_ITEM_ID_LEN },
+ [IFLA_CARRIER_CHANGES] = { .type = NLA_U32 }, /* ignored */
+ [IFLA_PHYS_SWITCH_ID] = { .type = NLA_BINARY, .len = MAX_PHYS_ITEM_ID_LEN },
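Review bot: The minimum in `NLA_POLICY_MIN(NLA_U32, MAX_TCP_HEADER + 1)` has no explanation next to it, and the reason (the underflow in sk_dst_gso_max_size() described in the commit message) is not something a reader of the table can guess. A trailing comment such as `/* must exceed MAX_TCP_HEADER, else sk_gso_max_size underflows */` would do. The policy only bounds values arriving over netlink and sets no upper limit here, so any other path that sets gso_max_size, and the maximum check, have to be covered elsewhere; neither is visible in this hunk. The subject also names gso_ipv4_max_size, but this hunk touches only IFLA_GSO_MAX_SIZE, presumably because the other attribute does not exist in 5.15.y.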
--- /dev/null
+From stable+bounces-132661-greg=kroah.com@vger.kernel.org Mon Apr 14 20:50:44 2025
+From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Date: Mon, 14 Apr 2025 11:50:18 -0700
+Subject: net: mana: Fix error handling in mana_create_txq/rxq's NAPI cleanup
+To: stable@vger.kernel.org
+Cc: vegard.nossum@oracle.com, Souradeep Chakrabarti <schakrabarti@linux.microsoft.com>, Haiyang Zhang <haiyangz@microsoft.com>, Shradha Gupta <shradhagupta@linux.microsoft.com>, "David S. Miller" <davem@davemloft.net>, Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Message-ID: <20250414185023.2165422-2-harshit.m.mogalapalli@oracle.com>
+
+From: Souradeep Chakrabarti <schakrabarti@linux.microsoft.com>
+
+[ Upstream commit b6ecc662037694488bfff7c9fd21c405df8411f2 ]
+
+Currently napi_disable() gets called during rxq and txq cleanup,
+even before napi is enabled and hrtimer is initialized. It causes
+kernel panic.
+
+? page_fault_oops+0x136/0x2b0
+ ? page_counter_cancel+0x2e/0x80
+ ? do_user_addr_fault+0x2f2/0x640
+ ? refill_obj_stock+0xc4/0x110
+ ? exc_page_fault+0x71/0x160
+ ? asm_exc_page_fault+0x27/0x30
+ ? __mmdrop+0x10/0x180
+ ? __mmdrop+0xec/0x180
+ ? hrtimer_active+0xd/0x50
+ hrtimer_try_to_cancel+0x2c/0xf0
+ hrtimer_cancel+0x15/0x30
+ napi_disable+0x65/0x90
+ mana_destroy_rxq+0x4c/0x2f0
+ mana_create_rxq.isra.0+0x56c/0x6d0
+ ? mana_uncfg_vport+0x50/0x50
+ mana_alloc_queues+0x21b/0x320
+ ? skb_dequeue+0x5f/0x80
+
+Cc: stable@vger.kernel.org
+Fixes: e1b5683ff62e ("net: mana: Move NAPI from EQ to CQ")
+Signed-off-by: Souradeep Chakrabarti <schakrabarti@linux.microsoft.com>
+Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
+Reviewed-by: Shradha Gupta <shradhagupta@linux.microsoft.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+(cherry picked from commit b6ecc662037694488bfff7c9fd21c405df8411f2)
+[Harshit: conflicts resolved due to missing commit: ed5356b53f07 ("net:
+mana: Add XDP support") and commit: d356abb95b98 ("net: mana: Add
+counter for XDP_TX") in 5.15.y]
+Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/microsoft/mana/mana.h | 2 ++
+ drivers/net/ethernet/microsoft/mana/mana_en.c | 21 +++++++++++++--------
+ 2 files changed, 15 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/ethernet/microsoft/mana/mana.h
++++ b/drivers/net/ethernet/microsoft/mana/mana.h
+@@ -76,6 +76,8 @@ struct mana_txq {
+
+ atomic_t pending_sends;
+
++ bool napi_initialized;
++
+ struct mana_stats stats;
+ };
+
+--- a/drivers/net/ethernet/microsoft/mana/mana_en.c
++++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
+@@ -1154,10 +1154,12 @@ static void mana_destroy_txq(struct mana
+
+ for (i = 0; i < apc->num_queues; i++) {
+ napi = &apc->tx_qp[i].tx_cq.napi;
+- napi_synchronize(napi);
+- napi_disable(napi);
+- netif_napi_del(napi);
+-
++ if (apc->tx_qp[i].txq.napi_initialized) {
++ napi_synchronize(napi);
++ napi_disable(napi);
++ netif_napi_del(napi);
++ apc->tx_qp[i].txq.napi_initialized = false;
++ }
+ mana_destroy_wq_obj(apc, GDMA_SQ, apc->tx_qp[i].tx_object);
+
+ mana_deinit_cq(apc, &apc->tx_qp[i].tx_cq);
+@@ -1213,6 +1215,7 @@ static int mana_create_txq(struct mana_p
+ txq->ndev = net;
+ txq->net_txq = netdev_get_tx_queue(net, i);
+ txq->vp_offset = apc->tx_vp_offset;
++ txq->napi_initialized = false;
+ skb_queue_head_init(&txq->pending_skbs);
+
+ memset(&spec, 0, sizeof(spec));
+@@ -1277,6 +1280,7 @@ static int mana_create_txq(struct mana_p
+
+ netif_tx_napi_add(net, &cq->napi, mana_poll, NAPI_POLL_WEIGHT);
+ napi_enable(&cq->napi);
++ txq->napi_initialized = true;
+
+ mana_gd_ring_cq(cq->gdma_cq, SET_ARM_BIT);
+ }
+@@ -1288,7 +1292,7 @@ out:
+ }
+
+ static void mana_destroy_rxq(struct mana_port_context *apc,
+- struct mana_rxq *rxq, bool validate_state)
++ struct mana_rxq *rxq, bool napi_initialized)
+
+ {
+ struct gdma_context *gc = apc->ac->gdma_dev->gdma_context;
+@@ -1302,12 +1306,13 @@ static void mana_destroy_rxq(struct mana
+
+ napi = &rxq->rx_cq.napi;
+
+- if (validate_state)
++ if (napi_initialized) {
+ napi_synchronize(napi);
+
+- napi_disable(napi);
+- netif_napi_del(napi);
++ napi_disable(napi);
+
++ netif_napi_del(napi);
++ }
+ mana_destroy_wq_obj(apc, GDMA_RQ, rxq->rxobj);
+
+ mana_deinit_cq(apc, &rxq->rx_cq);
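Review bot: mana_destroy_rxq() keeps its third parameter but changes what it means: `validate_state` used to gate only napi_synchronize(), while `napi_initialized` (renamed in the previous hunk) now gates napi_disable() and netif_napi_del() as well. Every existing caller therefore has to pass a value that means "NAPI was added and enabled"; the call sites are not part of this diff, so that should be checked in the 5.15.y tree given the conflict resolution noted in the commit message. The TX side tracks the state in `txq->napi_initialized` while the RX side trusts the caller, and storing the flag on the rxq as well would make the two paths consistent and harder to misuse. The blank lines left between `napi_disable(napi);` and `netif_napi_del(napi);`, and after the signature, could be dropped.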
--- /dev/null
+From stable+bounces-132663-greg=kroah.com@vger.kernel.org Mon Apr 14 20:50:55 2025
+From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Date: Mon, 14 Apr 2025 11:50:20 -0700
+Subject: phonet/pep: fix racy skb_queue_empty() use
+To: stable@vger.kernel.org
+Cc: vegard.nossum@oracle.com, "Rémi Denis-Courmont" <courmisch@gmail.com>, "Paolo Abeni" <pabeni@redhat.com>, "Sasha Levin" <sashal@kernel.org>, "Harshit Mogalapalli" <harshit.m.mogalapalli@oracle.com>
+Message-ID: <20250414185023.2165422-4-harshit.m.mogalapalli@oracle.com>
+
+From: Rémi Denis-Courmont <courmisch@gmail.com>
+
+[ Upstream commit 7d2a894d7f487dcb894df023e9d3014cf5b93fe5 ]
+
+The receive queues are protected by their respective spin-lock, not
+the socket lock. This could lead to skb_peek() unexpectedly
+returning NULL or a pointer to an already dequeued socket buffer.
+
+Fixes: 9641458d3ec4 ("Phonet: Pipe End Point for Phonet Pipes protocol")
+Signed-off-by: Rémi Denis-Courmont <courmisch@gmail.com>
+Link: https://lore.kernel.org/r/20240218081214.4806-2-remi@remlab.net
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+[Harshit: backport to 5.15.y, clean cherrypick from 6.1.y commit]
+Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/phonet/pep.c | 41 ++++++++++++++++++++++++++++++++---------
+ 1 file changed, 32 insertions(+), 9 deletions(-)
+
+--- a/net/phonet/pep.c
++++ b/net/phonet/pep.c
+@@ -916,6 +916,37 @@ static int pep_sock_enable(struct sock *
+ return 0;
+ }
+
++static unsigned int pep_first_packet_length(struct sock *sk)
++{
++ struct pep_sock *pn = pep_sk(sk);
++ struct sk_buff_head *q;
++ struct sk_buff *skb;
++ unsigned int len = 0;
++ bool found = false;
++
++ if (sock_flag(sk, SOCK_URGINLINE)) {
++ q = &pn->ctrlreq_queue;
++ spin_lock_bh(&q->lock);
++ skb = skb_peek(q);
++ if (skb) {
++ len = skb->len;
++ found = true;
++ }
++ spin_unlock_bh(&q->lock);
++ }
++
++ if (likely(!found)) {
++ q = &sk->sk_receive_queue;
++ spin_lock_bh(&q->lock);
++ skb = skb_peek(q);
++ if (skb)
++ len = skb->len;
++ spin_unlock_bh(&q->lock);
++ }
++
++ return len;
++}
++
+ static int pep_ioctl(struct sock *sk, int cmd, unsigned long arg)
+ {
+ struct pep_sock *pn = pep_sk(sk);
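Review bot: pep_first_packet_length() has no comment stating the locking rule it exists to enforce. Something like `/* Each queue is guarded by its own q->lock, not the socket lock; read skb->len before unlocking, the skb may be dequeued right after. */` above the function would keep a later cleanup from moving the length read outside the critical section. The two branches repeat the same lock/peek/unlock sequence and could share a small helper taking the queue, which would also remove the `found` flag. The function returns `unsigned int` while the caller in the next hunk stores the result in `answ` before put_user() through an `int __user *`; the declaration of `answ` is outside the hunks, so the conversion is worth a glance.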
+@@ -929,15 +960,7 @@ static int pep_ioctl(struct sock *sk, in
+ break;
+ }
+
+- lock_sock(sk);
+- if (sock_flag(sk, SOCK_URGINLINE) &&
+- !skb_queue_empty(&pn->ctrlreq_queue))
+- answ = skb_peek(&pn->ctrlreq_queue)->len;
+- else if (!skb_queue_empty(&sk->sk_receive_queue))
+- answ = skb_peek(&sk->sk_receive_queue)->len;
+- else
+- answ = 0;
+- release_sock(sk);
++ answ = pep_first_packet_length(sk);
+ ret = put_user(answ, (int __user *)arg);
+ break;
+
kvm-arm64-eagerly-switch-zcr_el-1-2.patch
cpufreq-reference-count-policy-in-cpufreq_update_limits.patch
kbuild-add-fno-builtin-wcslen.patch
+mptcp-sockopt-fix-getting-ipv6_v6only.patch
+misc-pci_endpoint_test-avoid-issue-of-interrupts-remaining-after-request_irq-error.patch
+misc-pci_endpoint_test-fix-displaying-irq_type-after-request_irq-error.patch
+misc-pci_endpoint_test-fix-irq_type-to-convey-the-correct-type.patch
+ipv6-release-nexthop-on-device-removal.patch
+net-fix-crash-when-config-small-gso_max_size-gso_ipv4_max_size.patch
+filemap-fix-bounds-checking-in-filemap_read.patch
+phonet-pep-fix-racy-skb_queue_empty-use.patch
+bnxt_re-avoid-shift-undefined-behavior-in-bnxt_qplib_alloc_init_hwq.patch
+net-mana-fix-error-handling-in-mana_create_txq-rxq-s-napi-cleanup.patch