[rocky9_6] History Rebuild through kernel-5.14.0-570.52.1.el9_6 #625
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jira LE-4355 cve CVE-2025-38351 Rebuild_History Non-Buildable kernel-5.14.0-570.51.1.el9_6 commit-author Manuel Andreas <[email protected]> commit fa787ac In KVM guests with Hyper-V hypercalls enabled, the hypercalls HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST and HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST_EX allow a guest to request invalidation of portions of a virtual TLB. For this, the hypercall parameter includes a list of GVAs that are supposed to be invalidated. However, when non-canonical GVAs are passed, there is currently no filtering in place and they are eventually passed to checked invocations of INVVPID on Intel / INVLPGA on AMD. While AMD's INVLPGA silently ignores non-canonical addresses (effectively a no-op), Intel's INVVPID explicitly signals VM-Fail and ultimately triggers the WARN_ONCE in invvpid_error(): invvpid failed: ext=0x0 vpid=1 gva=0xaaaaaaaaaaaaa000 WARNING: CPU: 6 PID: 326 at arch/x86/kvm/vmx/vmx.c:482 invvpid_error+0x91/0xa0 [kvm_intel] Modules linked in: kvm_intel kvm 9pnet_virtio irqbypass fuse CPU: 6 UID: 0 PID: 326 Comm: kvm-vm Not tainted 6.15.0 #14 PREEMPT(voluntary) RIP: 0010:invvpid_error+0x91/0xa0 [kvm_intel] Call Trace: vmx_flush_tlb_gva+0x320/0x490 [kvm_intel] kvm_hv_vcpu_flush_tlb+0x24f/0x4f0 [kvm] kvm_arch_vcpu_ioctl_run+0x3013/0x5810 [kvm] Hyper-V documents that invalid GVAs (those that are beyond a partition's GVA space) are to be ignored. While not completely clear whether this ruling also applies to non-canonical GVAs, it is likely fine to make that assumption, and manual testing on Azure confirms "real" Hyper-V interprets the specification in the same way. Skip non-canonical GVAs when processing the list of address to avoid tripping the INVVPID failure. Alternatively, KVM could filter out "bad" GVAs before inserting into the FIFO, but practically speaking the only downside of pushing validation to the final processing is that doing so is suboptimal for the guest, and no well-behaved guest will request TLB flushes for non-canonical addresses. Fixes: 2609708 ("KVM: x86: hyper-v: Handle HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST{,EX} calls gently") Cc: [email protected] Signed-off-by: Manuel Andreas <[email protected]> Suggested-by: Vitaly Kuznetsov <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Sean Christopherson <[email protected]> (cherry picked from commit fa787ac) Signed-off-by: Jonathan Maple <[email protected]>
jira LE-4355 cve CVE-2024-50301 Rebuild_History Non-Buildable kernel-5.14.0-570.51.1.el9_6 commit-author Chen Ridong <[email protected]> commit 4a74da0 KASAN reports an out of bounds read: BUG: KASAN: slab-out-of-bounds in __kuid_val include/linux/uidgid.h:36 BUG: KASAN: slab-out-of-bounds in uid_eq include/linux/uidgid.h:63 [inline] BUG: KASAN: slab-out-of-bounds in key_task_permission+0x394/0x410 security/keys/permission.c:54 Read of size 4 at addr ffff88813c3ab618 by task stress-ng/4362 CPU: 2 PID: 4362 Comm: stress-ng Not tainted 5.10.0-14930-gafbffd6c3ede #15 Call Trace: __dump_stack lib/dump_stack.c:82 [inline] dump_stack+0x107/0x167 lib/dump_stack.c:123 print_address_description.constprop.0+0x19/0x170 mm/kasan/report.c:400 __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560 kasan_report+0x3a/0x50 mm/kasan/report.c:585 __kuid_val include/linux/uidgid.h:36 [inline] uid_eq include/linux/uidgid.h:63 [inline] key_task_permission+0x394/0x410 security/keys/permission.c:54 search_nested_keyrings+0x90e/0xe90 security/keys/keyring.c:793 This issue was also reported by syzbot. It can be reproduced by following these steps(more details [1]): 1. Obtain more than 32 inputs that have similar hashes, which ends with the pattern '0xxxxxxxe6'. 2. Reboot and add the keys obtained in step 1. The reproducer demonstrates how this issue happened: 1. In the search_nested_keyrings function, when it iterates through the slots in a node(below tag ascend_to_node), if the slot pointer is meta and node->back_pointer != NULL(it means a root), it will proceed to descend_to_node. However, there is an exception. If node is the root, and one of the slots points to a shortcut, it will be treated as a keyring. 2. Whether the ptr is keyring decided by keyring_ptr_is_keyring function. However, KEYRING_PTR_SUBTYPE is 0x2UL, the same as ASSOC_ARRAY_PTR_SUBTYPE_MASK. 3. When 32 keys with the similar hashes are added to the tree, the ROOT has keys with hashes that are not similar (e.g. slot 0) and it splits NODE A without using a shortcut. When NODE A is filled with keys that all hashes are xxe6, the keys are similar, NODE A will split with a shortcut. Finally, it forms the tree as shown below, where slot 6 points to a shortcut. NODE A +------>+---+ ROOT | | 0 | xxe6 +---+ | +---+ xxxx | 0 | shortcut : : xxe6 +---+ | +---+ xxe6 : : | | | xxe6 +---+ | +---+ | 6 |---+ : : xxe6 +---+ +---+ xxe6 : : | f | xxe6 +---+ +---+ xxe6 | f | +---+ 4. As mentioned above, If a slot(slot 6) of the root points to a shortcut, it may be mistakenly transferred to a key*, leading to a read out-of-bounds read. To fix this issue, one should jump to descend_to_node if the ptr is a shortcut, regardless of whether the node is root or not. [1] https://lore.kernel.org/linux-kernel/[email protected]/ [jarkko: tweaked the commit message a bit to have an appropriate closes tag.] Fixes: b2a4df2 ("KEYS: Expand the capacity of a keyring") Reported-by: [email protected] Closes: https://lore.kernel.org/all/[email protected]/T/ Signed-off-by: Chen Ridong <[email protected]> Reviewed-by: Jarkko Sakkinen <[email protected]> Signed-off-by: Jarkko Sakkinen <[email protected]> (cherry picked from commit 4a74da0) Signed-off-by: Jonathan Maple <[email protected]>
jira LE-4355 Rebuild_History Non-Buildable kernel-5.14.0-570.51.1.el9_6 commit-author Anumula Murali Mohan Reddy <[email protected]> commit 42e6ddd This patch sends IB_EVENT_QP_LAST_WQE_REACHED event on a QP that is in error state and associated with an SRQ. This behaviour is incorporated in flush_qp() which is called when QP transitions to error state. Supports SRQ drain functionality added by commit 844bc12 ("IB/core: add support for draining Shared receive queues") Fixes: 844bc12 ("IB/core: add support for draining Shared receive queues") Signed-off-by: Anumula Murali Mohan Reddy <[email protected]> Signed-off-by: Potnuri Bharat Teja <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Leon Romanovsky <[email protected]> (cherry picked from commit 42e6ddd) Signed-off-by: Jonathan Maple <[email protected]>
jira LE-4355 cve CVE-2025-39761 Rebuild_History Non-Buildable kernel-5.14.0-570.51.1.el9_6 commit-author Karthikeyan Kathirvel <[email protected]> commit 7c0884f Currently, TID is not decremented before peer cleanup, during error handling path of ath12k_dp_rx_peer_frag_setup(). This could lead to out-of-bounds access in peer->rx_tid[]. Hence, add a decrement operation for TID, before peer cleanup to ensures proper cleanup and prevents out-of-bounds access issues when the RX peer frag setup fails. Found during code review. Compile tested only. Signed-off-by: Karthikeyan Kathirvel <[email protected]> Signed-off-by: Sarika Sharma <[email protected]> Reviewed-by: Vasanthakumar Thiagarajan <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Jeff Johnson <[email protected]> (cherry picked from commit 7c0884f) Signed-off-by: Jonathan Maple <[email protected]>
Rebuild_History BUILDABLE Rebuilding Kernel from rpm changelog with Fuzz Limit: 87.50% Number of commits in upstream range v5.14~1..kernel-mainline: 324124 Number of commits in rpm: 6 Number of commits matched with upstream: 4 (66.67%) Number of commits in upstream but not in rpm: 324120 Number of commits NOT found in upstream: 2 (33.33%) Rebuilding Kernel on Branch rocky9_6_rebuild_kernel-5.14.0-570.51.1.el9_6 for kernel-5.14.0-570.51.1.el9_6 Clean Cherry Picks: 4 (100.00%) Empty Cherry Picks: 0 (0.00%) _______________________________ Full Details Located here: ciq/ciq_backports/kernel-5.14.0-570.51.1.el9_6/rebuild.details.txt Includes: * git commit header above * Empty Commits with upstream SHA * RPM ChangeLog Entries that could not be matched Individual Empty Commit failures contained in the same containing directory. The git message for empty commits will have the path for the failed commit. File names are the first 8 characters of the upstream SHA
jira LE-4385 Rebuild_History Non-Buildable kernel-5.14.0-570.52.1.el9_6 commit-author Paulo Alcantara <[email protected]> commit be77ab6 Zero-length AV pairs should be considered as valid target infos. Don't skip the next AV pairs that follow them. Cc: [email protected] Cc: David Howells <[email protected]> Fixes: 0e8ae9b ("smb: client: parse av pair type 4 in CHALLENGE_MESSAGE") Signed-off-by: Paulo Alcantara (Red Hat) <[email protected]> Signed-off-by: Steve French <[email protected]> (cherry picked from commit be77ab6) Signed-off-by: Jonathan Maple <[email protected]>
jira LE-4385 Rebuild_History Non-Buildable kernel-5.14.0-570.52.1.el9_6 commit-author Paulo Alcantara <[email protected]> commit 33cfdd7 Some servers might enforce the SPN to be set in the target info blob (AV pairs) when sending NTLMSSP_AUTH message. In Windows Server, this could be enforced with SmbServerNameHardeningLevel set to 2. Fix this by always appending SPN (cifs/<hostname>) to the existing list of target infos when setting up NTLMv2 response blob. Cc: [email protected] Cc: David Howells <[email protected]> Reported-by: Pierguido Lambri <[email protected]> Signed-off-by: Paulo Alcantara (Red Hat) <[email protected]> Signed-off-by: Steve French <[email protected]> (cherry picked from commit 33cfdd7) Signed-off-by: Jonathan Maple <[email protected]>
jira LE-4385 cve CVE-2025-38614 Rebuild_History Non-Buildable kernel-5.14.0-570.52.1.el9_6 commit-author Jann Horn <[email protected]> commit f2e467a Ensure that epoll instances can never form a graph deeper than EP_MAX_NESTS+1 links. Currently, ep_loop_check_proc() ensures that the graph is loop-free and does some recursion depth checks, but those recursion depth checks don't limit the depth of the resulting tree for two reasons: - They don't look upwards in the tree. - If there are multiple downwards paths of different lengths, only one of the paths is actually considered for the depth check since commit 28d82dc ("epoll: limit paths"). Essentially, the current recursion depth check in ep_loop_check_proc() just serves to prevent it from recursing too deeply while checking for loops. A more thorough check is done in reverse_path_check() after the new graph edge has already been created; this checks, among other things, that no paths going upwards from any non-epoll file with a length of more than 5 edges exist. However, this check does not apply to non-epoll files. As a result, it is possible to recurse to a depth of at least roughly 500, tested on v6.15. (I am unsure if deeper recursion is possible; and this may have changed with commit 8c44dac ("eventpoll: Fix priority inversion problem").) To fix it: 1. In ep_loop_check_proc(), note the subtree depth of each visited node, and use subtree depths for the total depth calculation even when a subtree has already been visited. 2. Add ep_get_upwards_depth_proc() for similarly determining the maximum depth of an upwards walk. 3. In ep_loop_check(), use these values to limit the total path length between epoll nodes to EP_MAX_NESTS edges. Fixes: 22bacca ("epoll: prevent creating circular epoll structures") Cc: [email protected] Signed-off-by: Jann Horn <[email protected]> Link: https://lore.kernel.org/[email protected] Signed-off-by: Christian Brauner <[email protected]> (cherry picked from commit f2e467a) Signed-off-by: Jonathan Maple <[email protected]>
jira LE-4385 cve CVE-2025-38556 Rebuild_History Non-Buildable kernel-5.14.0-570.52.1.el9_6 commit-author Dmitry Torokhov <[email protected]> commit ae9b956 snto32() does exactly what sign_extend32() does, but handles potentially malformed data coming from the device. Keep the checks, but then call sign_extend32() to perform the actual conversion. Signed-off-by: Dmitry Torokhov <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Benjamin Tissoires <[email protected]> (cherry picked from commit ae9b956) Signed-off-by: Jonathan Maple <[email protected]>
jira LE-4385 cve CVE-2025-38556 Rebuild_History Non-Buildable kernel-5.14.0-570.52.1.el9_6 commit-author Dmitry Torokhov <[email protected]> commit c653ffc The only user of hid_snto32() is Logitech HID++ driver, which always calls hid_snto32() with valid size (constant, either 12 or 8) and therefore can simply use sign_extend32(). Make the switch and remove hid_snto32(). Move snto32() and s32ton() to avoid introducing forward declaration. Signed-off-by: Dmitry Torokhov <[email protected]> Link: https://patch.msgid.link/[email protected] [bentiss: fix checkpatch warning] Signed-off-by: Benjamin Tissoires <[email protected]> (cherry picked from commit c653ffc) Signed-off-by: Jonathan Maple <[email protected]>
jira LE-4385 cve CVE-2025-38556 Rebuild_History Non-Buildable kernel-5.14.0-570.52.1.el9_6 commit-author Alan Stern <[email protected]> commit a6b87bf Testing by the syzbot fuzzer showed that the HID core gets a shift-out-of-bounds exception when it tries to convert a 32-bit quantity to a 0-bit quantity. Ideally this should never occur, but there are buggy devices and some might have a report field with size set to zero; we shouldn't reject the report or the device just because of that. Instead, harden the s32ton() routine so that it returns a reasonable result instead of crashing when it is called with the number of bits set to 0 -- the same as what snto32() does. Signed-off-by: Alan Stern <[email protected]> Reported-by: [email protected] Closes: https://lore.kernel.org/linux-usb/[email protected]/ Tested-by: [email protected] Fixes: dde5845 ("[PATCH] Generic HID layer - code split") Cc: [email protected] Link: https://patch.msgid.link/[email protected] Signed-off-by: Benjamin Tissoires <[email protected]> (cherry picked from commit a6b87bf) Signed-off-by: Jonathan Maple <[email protected]>
jira LE-4385 cve CVE-2025-39757 Rebuild_History Non-Buildable kernel-5.14.0-570.52.1.el9_6 commit-author Takashi Iwai <[email protected]> commit ecfd411 UAC3 class segment descriptors need to be verified whether their sizes match with the declared lengths and whether they fit with the allocated buffer sizes, too. Otherwise malicious firmware may lead to the unexpected OOB accesses. Fixes: 11785ef ("ALSA: usb-audio: Initial Power Domain support") Reported-and-tested-by: Youngjun Lee <[email protected]> Cc: <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Takashi Iwai <[email protected]> (cherry picked from commit ecfd411) Signed-off-by: Jonathan Maple <[email protected]>
jira LE-4385 Rebuild_History Non-Buildable kernel-5.14.0-570.52.1.el9_6 commit-author Dan Carpenter <[email protected]> commit 89f0add The "p" pointer is void so sizeof(*p) is 1. The intent was to check sizeof(*cs_desc), which is 3, instead. Fixes: ecfd411 ("ALSA: usb-audio: Validate UAC3 cluster segment descriptors") Signed-off-by: Dan Carpenter <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Takashi Iwai <[email protected]> (cherry picked from commit 89f0add) Signed-off-by: Jonathan Maple <[email protected]>
jira LE-4385 cve CVE-2025-38729 Rebuild_History Non-Buildable kernel-5.14.0-570.52.1.el9_6 commit-author Takashi Iwai <[email protected]> commit d832ccb UAC3 power domain descriptors need to be verified with its variable bLength for avoiding the unexpected OOB accesses by malicious firmware, too. Fixes: 9a2fe9b ("ALSA: usb: initial USB Audio Device Class 3.0 support") Reported-and-tested-by: Youngjun Lee <[email protected]> Cc: <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Takashi Iwai <[email protected]> (cherry picked from commit d832ccb) Signed-off-by: Jonathan Maple <[email protected]>
jira LE-4385 Rebuild_History Non-Buildable kernel-5.14.0-570.52.1.el9_6 commit-author Haiyang Zhang <[email protected]> commit 32316f6 The MANA driver's RX buffer alloc_size is passed into napi_build_skb() to create SKB. skb_shinfo(skb) is located at the end of skb, and its alignment is affected by the alloc_size passed into napi_build_skb(). The size needs to be aligned properly for better performance and atomic operations. Otherwise, on ARM64 CPU, for certain MTU settings like 4000, atomic operations may panic on the skb_shinfo(skb)->dataref due to alignment fault. To fix this bug, add proper alignment to the alloc_size calculation. Sample panic info: [ 253.298819] Unable to handle kernel paging request at virtual address ffff000129ba5cce [ 253.300900] Mem abort info: [ 253.301760] ESR = 0x0000000096000021 [ 253.302825] EC = 0x25: DABT (current EL), IL = 32 bits [ 253.304268] SET = 0, FnV = 0 [ 253.305172] EA = 0, S1PTW = 0 [ 253.306103] FSC = 0x21: alignment fault Call trace: __skb_clone+0xfc/0x198 skb_clone+0x78/0xe0 raw6_local_deliver+0xfc/0x228 ip6_protocol_deliver_rcu+0x80/0x500 ip6_input_finish+0x48/0x80 ip6_input+0x48/0xc0 ip6_sublist_rcv_finish+0x50/0x78 ip6_sublist_rcv+0x1cc/0x2b8 ipv6_list_rcv+0x100/0x150 __netif_receive_skb_list_core+0x180/0x220 netif_receive_skb_list_internal+0x198/0x2a8 __napi_poll+0x138/0x250 net_rx_action+0x148/0x330 handle_softirqs+0x12c/0x3a0 Cc: [email protected] Fixes: 80f6215 ("net: mana: Add support for jumbo frame") Signed-off-by: Haiyang Zhang <[email protected]> Reviewed-by: Long Li <[email protected]> Signed-off-by: David S. Miller <[email protected]> (cherry picked from commit 32316f6) Signed-off-by: Jonathan Maple <[email protected]>
…doorbell rings jira LE-4385 Rebuild_History Non-Buildable kernel-5.14.0-570.52.1.el9_6 commit-author Long Li <[email protected]> commit 58a6372 After napi_complete_done() is called when NAPI is polling in the current process context, another NAPI may be scheduled and start running in softirq on another CPU and may ring the doorbell before the current CPU does. When combined with unnecessary rings when there is no need to arm the CQ, it triggers error paths in the hardware. This patch fixes this by calling napi_complete_done() after doorbell rings. It limits the number of unnecessary rings when there is no need to arm. MANA hardware specifies that there must be one doorbell ring every 8 CQ wraparounds. This driver guarantees one doorbell ring as soon as the number of consumed CQEs exceeds 4 CQ wraparounds. In practical workloads, the 4 CQ wraparounds proves to be big enough that it rarely exceeds this limit before all the napi weight is consumed. To implement this, add a per-CQ counter cq->work_done_since_doorbell, and make sure the CQ is armed as soon as passing 4 wraparounds of the CQ. Cc: [email protected] Fixes: e1b5683 ("net: mana: Move NAPI from EQ to CQ") Reviewed-by: Haiyang Zhang <[email protected]> Signed-off-by: Long Li <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Paolo Abeni <[email protected]> (cherry picked from commit 58a6372) Signed-off-by: Jonathan Maple <[email protected]>
… size jira LE-4385 Rebuild_History Non-Buildable kernel-5.14.0-570.52.1.el9_6 commit-author Long Li <[email protected]> commit 9e517a8 MANA hardware uses 4k page size. When calculating the page table index, it should use the hardware page size, not the system page size. Cc: [email protected] Fixes: 0266a17 ("RDMA/mana_ib: Add a driver for Microsoft Azure Network Adapter") Signed-off-by: Long Li <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Leon Romanovsky <[email protected]> (cherry picked from commit 9e517a8) Signed-off-by: Jonathan Maple <[email protected]>
…l page jira LE-4385 Rebuild_History Non-Buildable kernel-5.14.0-570.52.1.el9_6 commit-author Long Li <[email protected]> commit 4a3b99b When mapping doorbell page from user-mode, the driver should use the system page size as this memory is allocated via mmap() from user-mode. Cc: [email protected] Fixes: 0266a17 ("RDMA/mana_ib: Add a driver for Microsoft Azure Network Adapter") Signed-off-by: Long Li <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Leon Romanovsky <[email protected]> (cherry picked from commit 4a3b99b) Signed-off-by: Jonathan Maple <[email protected]>
jira LE-4385 Rebuild_History Non-Buildable kernel-5.14.0-570.52.1.el9_6 commit-author Joe Damato <[email protected]> commit 8b641b5 Use netif_queue_set_napi to link queues to NAPI instances so that they can be queried with netlink. Shradha Gupta tested the patch and reported that the results are as expected: $ ./tools/net/ynl/cli.py --spec Documentation/netlink/specs/netdev.yaml \ --dump queue-get --json='{"ifindex": 2}' [{'id': 0, 'ifindex': 2, 'napi-id': 8193, 'type': 'rx'}, {'id': 1, 'ifindex': 2, 'napi-id': 8194, 'type': 'rx'}, {'id': 2, 'ifindex': 2, 'napi-id': 8195, 'type': 'rx'}, {'id': 3, 'ifindex': 2, 'napi-id': 8196, 'type': 'rx'}, {'id': 4, 'ifindex': 2, 'napi-id': 8197, 'type': 'rx'}, {'id': 5, 'ifindex': 2, 'napi-id': 8198, 'type': 'rx'}, {'id': 6, 'ifindex': 2, 'napi-id': 8199, 'type': 'rx'}, {'id': 7, 'ifindex': 2, 'napi-id': 8200, 'type': 'rx'}, {'id': 0, 'ifindex': 2, 'napi-id': 8193, 'type': 'tx'}, {'id': 1, 'ifindex': 2, 'napi-id': 8194, 'type': 'tx'}, {'id': 2, 'ifindex': 2, 'napi-id': 8195, 'type': 'tx'}, {'id': 3, 'ifindex': 2, 'napi-id': 8196, 'type': 'tx'}, {'id': 4, 'ifindex': 2, 'napi-id': 8197, 'type': 'tx'}, {'id': 5, 'ifindex': 2, 'napi-id': 8198, 'type': 'tx'}, {'id': 6, 'ifindex': 2, 'napi-id': 8199, 'type': 'tx'}, {'id': 7, 'ifindex': 2, 'napi-id': 8200, 'type': 'tx'}] Signed-off-by: Joe Damato <[email protected]> Reviewed-by: Haiyang Zhang <[email protected]> Tested-by: Shradha Gupta <[email protected]> Signed-off-by: David S. Miller <[email protected]> (cherry picked from commit 8b641b5) Signed-off-by: Jonathan Maple <[email protected]>
jira LE-4385 Rebuild_History Non-Buildable kernel-5.14.0-570.52.1.el9_6 commit-author Konstantin Taranov <[email protected]> commit 29b7bb9 Allocate a PAGE aligned doorbell index to ensure each process gets a separate PAGE sized doorbell area space remapped to it in mana_ib_mmap Fixes: 0266a17 ("RDMA/mana_ib: Add a driver for Microsoft Azure Network Adapter") Signed-off-by: Shiraz Saleem <[email protected]> Signed-off-by: Konstantin Taranov <[email protected]> Link: https://patch.msgid.link/[email protected] Reviewed-by: Long Li <[email protected]> Signed-off-by: Leon Romanovsky <[email protected]> (cherry picked from commit 29b7bb9) Signed-off-by: Jonathan Maple <[email protected]>
jira LE-4385 Rebuild_History Non-Buildable kernel-5.14.0-570.52.1.el9_6 commit-author Haiyang Zhang <[email protected]> commit 2fc8a34 According to GDMA protocol, holes (zeros) are allowed at the beginning or middle of the gdma_list_devices_resp message. The existing code cannot properly handle this, and may miss some devices in the list. To fix, scan the entire list until the num_of_devs are found, or until the end of the list. Cc: [email protected] Fixes: ca9c54d ("net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)") Signed-off-by: Haiyang Zhang <[email protected]> Reviewed-by: Long Li <[email protected]> Reviewed-by: Shradha Gupta <[email protected]> Reviewed-by: Michal Swiatkowski <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Paolo Abeni <[email protected]> (cherry picked from commit 2fc8a34) Signed-off-by: Jonathan Maple <[email protected]>
jira LE-4385 Rebuild_History Non-Buildable kernel-5.14.0-570.52.1.el9_6 commit-author Shiraz Saleem <[email protected]> commit bad4480 Extend the mana_ib_gd_query_adapter_caps function to retrieve and store the feature_flags from the firmware response. Signed-off-by: Shiraz Saleem <[email protected]> Signed-off-by: Konstantin Taranov <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Leon Romanovsky <[email protected]> (cherry picked from commit bad4480) Signed-off-by: Jonathan Maple <[email protected]>
jira LE-4385 Rebuild_History Non-Buildable kernel-5.14.0-570.52.1.el9_6 commit-author Konstantin Taranov <[email protected]> commit cd3c5dd Request an adapter with error CQEs when it is supported. Signed-off-by: Konstantin Taranov <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Leon Romanovsky <[email protected]> (cherry picked from commit cd3c5dd) Signed-off-by: Jonathan Maple <[email protected]>
jira LE-4385 Rebuild_History Non-Buildable kernel-5.14.0-570.52.1.el9_6 commit-author Shradha Gupta <[email protected]> commit 2731583 Allow the max aggregated pkt size to go up-to GSO_MAX_SIZE for MANA NIC. This patch only increases the max allowable gso/gro pkt size for MANA devices and does not change the defaults. Following are the perf benefits by increasing the pkt aggregate size from legacy gso_max_size value(64K) to newer one(up-to 511K IPv4 tests for i in {1..10}; do netperf -t TCP_RR -H 10.0.0.5 -p50000 -- -r80000,80000 -O MIN_LATENCY,P90_LATENCY,P99_LATENCY,THROUGHPUT|tail -1; done min p90 p99 Throughput gso_max_size 93 171 194 6594.25 97 154 180 7183.74 95 165 189 6927.86 96 165 188 6976.04 93 154 185 7338.05 64K 93 168 189 6938.03 94 169 189 6784.93 92 166 189 7117.56 94 179 191 6678.44 95 157 183 7277.81 min p90 p99 Throughput 93 134 146 8448.75 95 134 140 8396.54 94 137 148 8204.12 94 137 148 8244.41 94 128 139 8666.52 80K 94 141 153 8116.86 94 138 149 8163.92 92 135 142 8362.72 92 134 142 8497.57 93 136 148 8393.23 IPv6 Tests for i in {1..10}; do netperf -t TCP_RR -H fd00:9013:cadd::4 -p50000 -- -r80000,80000 -O MIN_LATENCY,P90_LATENCY,P99_LATENCY,THROUGHPUT|tail -1; done min p90 p99 Throughput gso_max_size 108 165 170 6673.2 101 169 189 6451.69 101 165 169 6737.65 102 167 175 6614.64 101 178 189 6247.13 64K 107 163 169 6678.63 106 176 187 6350.86 100 164 169 6617.36 102 163 170 6849.21 102 168 175 6605.7 min p90 p99 Throughput 108 155 166 7183 110 154 163 7268.87 109 152 159 7434.35 107 145 157 7569.15 107 149 164 7496.17 80K 110 154 159 7245.85 108 156 162 7266.24 109 145 158 7526.66 106 145 151 7785.75 111 148 157 7246.65 Tested on azure env with Accelerated Networking enabled and disabled. Signed-off-by: Shradha Gupta <[email protected]> Reviewed-by: Haiyang Zhang <[email protected]> Signed-off-by: David S. Miller <[email protected]> (cherry picked from commit 2731583) Signed-off-by: Jonathan Maple <[email protected]>
jira LE-4385 Rebuild_History Non-Buildable kernel-5.14.0-570.52.1.el9_6 commit-author Shradha Gupta <[email protected]> commit 6859209 On Azure, increasing VF's gso/gro packet size to up-to GSO_MAX_SIZE is not possible without allowing the same for netvsc NIC (as the NICs are bonded together). For bonded NICs, the min of the max aggregated pkt size of the members is propagated in the stack. Therefore, we use netif_set_tso_max_size() to set max aggregated pkt size to VF's packet size for netvsc too, when the data path is switched over to the VF Tested on azure env with Accelerated Networking enabled and disabled. Signed-off-by: Shradha Gupta <[email protected]> Reviewed-by: Haiyang Zhang <[email protected]> Signed-off-by: David S. Miller <[email protected]> (cherry picked from commit 6859209) Signed-off-by: Jonathan Maple <[email protected]>
jira LE-4385 Rebuild_History Non-Buildable kernel-5.14.0-570.52.1.el9_6 commit-author Erni Sri Satya Vennela <[email protected]> commit 47dfd7a Add more logs to assist in debugging and monitoring driver behaviour, making it easier to identify potential issues during development and testing. Signed-off-by: Erni Sri Satya Vennela <[email protected]> Reviewed-by: Haiyang Zhang <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Jakub Kicinski <[email protected]> (cherry picked from commit 47dfd7a) Signed-off-by: Jonathan Maple <[email protected]>
jira LE-4385 Rebuild_History Non-Buildable kernel-5.14.0-570.52.1.el9_6 commit-author Kees Bakker <[email protected]> commit be35a31 In the function mana_ib_gd_create_dma_region if there are no dma blocks to process the variable `err` remains uninitialized. Fixes: 0266a17 ("RDMA/mana_ib: Add a driver for Microsoft Azure Network Adapter") Signed-off-by: Kees Bakker <[email protected]> Link: https://patch.msgid.link/[email protected] Reviewed-by: Long Li <[email protected]> Signed-off-by: Leon Romanovsky <[email protected]> (cherry picked from commit be35a31) Signed-off-by: Jonathan Maple <[email protected]>
jira LE-4385 Rebuild_History Non-Buildable kernel-5.14.0-570.52.1.el9_6 commit-author Long Li <[email protected]> commit a8445cf Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-5.14.0-570.52.1.el9_6/a8445cfe.failed Change mana_get_primary_netdev_rcu() to mana_get_primary_netdev(), and return the ndev with refcount held. The caller is responsible for dropping the refcount. Also drop the check for IFF_SLAVE as it is not necessary if the upper device is present. Signed-off-by: Long Li <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Leon Romanovsky <[email protected]> (cherry picked from commit a8445cf) Signed-off-by: Jonathan Maple <[email protected]> # Conflicts: # drivers/infiniband/hw/mana/mana_ib.h # drivers/net/ethernet/microsoft/mana/mana_en.c
jira LE-4385 Rebuild_History Non-Buildable kernel-5.14.0-570.52.1.el9_6 commit-author Long Li <[email protected]> commit bee35b7 Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-5.14.0-570.52.1.el9_6/bee35b71.failed When running under Hyper-V, the master device to the RDMA device is always bonded to this RDMA device. This is not user-configurable. The master device can be unbind/bind from the kernel. During those events, the RDMA device should set to the current netdev to reflect the change of master device from those events. Signed-off-by: Long Li <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Leon Romanovsky <[email protected]> (cherry picked from commit bee35b7) Signed-off-by: Jonathan Maple <[email protected]> # Conflicts: # drivers/infiniband/hw/mana/device.c # drivers/infiniband/hw/mana/mana_ib.h
jira LE-4385 Rebuild_History Non-Buildable kernel-5.14.0-570.52.1.el9_6 commit-author Lorenzo Bianconi <[email protected]> commit c313d35 Set metadata size building the skb from xdp_buff in mana driver. mana driver sets xdp headroom to XDP_PACKET_HEADROOM so the headroom is large enough to contain xdp_frame and xdp metadata. Please note this patch is just compiled tested. Reviewed-by: Michal Kubiak <[email protected]> Signed-off-by: Lorenzo Bianconi <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Jakub Kicinski <[email protected]> (cherry picked from commit c313d35) Signed-off-by: Jonathan Maple <[email protected]>
jira LE-4385 Rebuild_History Non-Buildable kernel-5.14.0-570.52.1.el9_6 commit-author Haiyang Zhang <[email protected]> commit fa37a88 Frag allocators, such as netdev_alloc_frag(), were not designed to work for fragsz > PAGE_SIZE. So, switch to page pool for jumbo frames instead of using page frag allocators. This driver is using page pool for smaller MTUs already. Cc: [email protected] Fixes: 80f6215 ("net: mana: Add support for jumbo frame") Signed-off-by: Haiyang Zhang <[email protected]> Reviewed-by: Long Li <[email protected]> Reviewed-by: Shradha Gupta <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Jakub Kicinski <[email protected]> (cherry picked from commit fa37a88) Signed-off-by: Jonathan Maple <[email protected]>
jira LE-4385 Rebuild_History Non-Buildable kernel-5.14.0-570.52.1.el9_6 commit-author Haiyang Zhang <[email protected]> commit 290e5d3 To support Multi Vports on Bare metal, increase the device config response version. And, skip the register HW vport, and register filter steps, when the Bare metal hostmode is set. Signed-off-by: Haiyang Zhang <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Paolo Abeni <[email protected]> (cherry picked from commit 290e5d3) Signed-off-by: Jonathan Maple <[email protected]>
jira LE-4385 Rebuild_History Non-Buildable kernel-5.14.0-570.52.1.el9_6 commit-author Long Li <[email protected]> commit e0fca6f MANA supports RDMA in PF mode. The driver should record the doorbell physical address when in PF mode. The doorbell physical address is used by the RDMA driver to map doorbell pages of the device to user-mode applications through RDMA verbs interface. In the past, they have been mapped to user-mode while the device is in VF mode. With the support for PF mode implemented, also expose those pages in PF mode. Support for PF mode is implemented in 290e5d3 ("net: mana: Add support for Multi Vports on Bare metal") Signed-off-by: Long Li <[email protected]> Reviewed-by: Simon Horman <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Jakub Kicinski <[email protected]> (cherry picked from commit e0fca6f) Signed-off-by: Jonathan Maple <[email protected]>
…t IPv6 addrconf jira LE-4385 Rebuild_History Non-Buildable kernel-5.14.0-570.52.1.el9_6 commit-author Li Tian <[email protected]> commit d7501e0 Set an additional flag IFF_NO_ADDRCONF to prevent ipv6 addrconf. Commit under Fixes added a new flag change that was not made to hv_netvsc resulting in the VF being assinged an IPv6. Fixes: 8a321cf ("net: add IFF_NO_ADDRCONF and use it in bonding to prevent ipv6 addrconf") Suggested-by: Cathy Avery <[email protected]> Signed-off-by: Li Tian <[email protected]> Reviewed-by: Xin Long <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Jakub Kicinski <[email protected]> (cherry picked from commit d7501e0) Signed-off-by: Jonathan Maple <[email protected]>
…htool. jira LE-4385 Rebuild_History Non-Buildable kernel-5.14.0-570.52.1.el9_6 commit-author Dipayaan Roy <[email protected]> commit c09ef59 Add support for reporting additional hardware counters for drop and TC using the ethtool -S interface. These counters include: - Aggregate Rx/Tx drop counters - Per-TC Rx/Tx packet counters - Per-TC Rx/Tx byte counters - Per-TC Rx/Tx pause frame counters The counters are exposed using ethtool_ops->get_ethtool_stats and ethtool_ops->get_strings. This feature/counters are not available to all versions of hardware. Signed-off-by: Dipayaan Roy <[email protected]> Reviewed-by: Subbaraya Sundeep <[email protected]> Reviewed-by: Haiyang Zhang <[email protected]> Link: https://patch.msgid.link/20250609100103.GA7102@linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net Signed-off-by: Jakub Kicinski <[email protected]> (cherry picked from commit c09ef59) Signed-off-by: Jonathan Maple <[email protected]>
jira LE-4385 Rebuild_History Non-Buildable kernel-5.14.0-570.52.1.el9_6 commit-author Haiyang Zhang <[email protected]> commit 7768c5f To collaborate with hardware servicing events, upon receiving the special EQE notification from the HW channel, remove the devices on this bus. Then, after a waiting period based on the device specs, rescan the parent bus to recover the devices. Signed-off-by: Haiyang Zhang <[email protected]> Reviewed-by: Shradha Gupta <[email protected]> Reviewed-by: Simon Horman <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Jakub Kicinski <[email protected]> (cherry picked from commit 7768c5f) Signed-off-by: Jonathan Maple <[email protected]>
jira LE-4385 Rebuild_History Non-Buildable kernel-5.14.0-570.52.1.el9_6 commit-author Erni Sri Satya Vennela <[email protected]> commit ca8ac48 Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-5.14.0-570.52.1.el9_6/ca8ac489.failed If any of the HWC commands are not recognized by the underlying hardware, the hardware returns the response header status of -1. Log the information using netdev_info_once to avoid multiple error logs in dmesg. Signed-off-by: Erni Sri Satya Vennela <[email protected]> Reviewed-by: Haiyang Zhang <[email protected]> Reviewed-by: Shradha Gupta <[email protected]> Reviewed-by: Saurabh Singh Sengar <[email protected]> Reviewed-by: Dipayaan Roy <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Paolo Abeni <[email protected]> (cherry picked from commit ca8ac48) Signed-off-by: Jonathan Maple <[email protected]> # Conflicts: # drivers/net/ethernet/microsoft/mana/mana_en.c
jira LE-4385 Rebuild_History Non-Buildable kernel-5.14.0-570.52.1.el9_6 commit-author Shradha Gupta <[email protected]> commit 7399ef9 Allow tx_packets and tx_bytes counter in the driver to represent the packets transmitted post GSO processing. Currently they are populated as bigger pre-GSO packets and bytes Signed-off-by: Shradha Gupta <[email protected]> Reviewed-by: Haiyang Zhang <[email protected]> Signed-off-by: David S. Miller <[email protected]> (cherry picked from commit 7399ef9) Signed-off-by: Jonathan Maple <[email protected]>
jira LE-4385 Rebuild_History Non-Buildable kernel-5.14.0-570.52.1.el9_6 commit-author Haiyang Zhang <[email protected]> commit fbe346c Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-5.14.0-570.52.1.el9_6/fbe346ce.failed Upon receiving the Reset Request, pause the connection and clean up queues, wait for the specified period, then resume the NIC. In the cleanup phase, the HWC is no longer responding, so set hwc_timeout to zero to skip waiting on the response. Signed-off-by: Haiyang Zhang <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Jakub Kicinski <[email protected]> (cherry picked from commit fbe346c) Signed-off-by: Jonathan Maple <[email protected]> # Conflicts: # drivers/net/ethernet/microsoft/mana/mana_en.c # include/net/mana/gdma.h
jira LE-4385 Rebuild_History Non-Buildable kernel-5.14.0-570.52.1.el9_6 commit-author Shiraz Saleem <[email protected]> commit 62de0e6 Convert the traffic_class in GRH to a DSCP value as required by the HW. Fixes: e095405 ("RDMA/mana_ib: Modify QP state") Signed-off-by: Shiraz Saleem <[email protected]> Signed-off-by: Konstantin Taranov <[email protected]> Link: https://patch.msgid.link/[email protected] Reviewed-by: Long Li <[email protected]> Signed-off-by: Leon Romanovsky <[email protected]> (cherry picked from commit 62de0e6) Signed-off-by: Jonathan Maple <[email protected]>
jira LE-4385 Rebuild_History Non-Buildable kernel-5.14.0-570.52.1.el9_6 commit-author Haiyang Zhang <[email protected]> commit 33caa20 The existing code move the VF NIC to new namespace when NETDEV_REGISTER is received on netvsc NIC. During deletion of the namespace, default_device_exit_batch() >> default_device_exit_net() is called. When netvsc NIC is moved back and registered to the default namespace, it automatically brings VF NIC back to the default namespace. This will cause the default_device_exit_net() >> for_each_netdev_safe loop unable to detect the list end, and hit NULL ptr: [ 231.449420] mana 7870:00:00.0 enP30832s1: Moved VF to namespace with: eth0 [ 231.449656] BUG: kernel NULL pointer dereference, address: 0000000000000010 [ 231.450246] #PF: supervisor read access in kernel mode [ 231.450579] #PF: error_code(0x0000) - not-present page [ 231.450916] PGD 17b8a8067 P4D 0 [ 231.451163] Oops: Oops: 0000 [#1] SMP NOPTI [ 231.451450] CPU: 82 UID: 0 PID: 1394 Comm: kworker/u768:1 Not tainted 6.16.0-rc4+ #3 VOLUNTARY [ 231.452042] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/21/2024 [ 231.452692] Workqueue: netns cleanup_net [ 231.452947] RIP: 0010:default_device_exit_batch+0x16c/0x3f0 [ 231.453326] Code: c0 0c f5 b3 e8 d5 db fe ff 48 85 c0 74 15 48 c7 c2 f8 fd ca b2 be 10 00 00 00 48 8d 7d c0 e8 7b 77 25 00 49 8b 86 28 01 00 00 <48> 8b 50 10 4c 8b 2a 4c 8d 62 f0 49 83 ed 10 4c 39 e0 0f 84 d6 00 [ 231.454294] RSP: 0018:ff75fc7c9bf9fd00 EFLAGS: 00010246 [ 231.454610] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 61c8864680b583eb [ 231.455094] RDX: ff1fa9f71462d800 RSI: ff75fc7c9bf9fd38 RDI: 0000000030766564 [ 231.455686] RBP: ff75fc7c9bf9fd78 R08: 0000000000000000 R09: 0000000000000000 [ 231.456126] R10: 0000000000000001 R11: 0000000000000004 R12: ff1fa9f70088e340 [ 231.456621] R13: ff1fa9f70088e340 R14: ffffffffb3f50c20 R15: ff1fa9f7103e6340 [ 231.457161] FS: 0000000000000000(0000) GS:ff1faa6783a08000(0000) knlGS:0000000000000000 [ 231.457707] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 231.458031] CR2: 0000000000000010 CR3: 0000000179ab2006 CR4: 0000000000b73ef0 [ 231.458434] Call Trace: [ 231.458600] <TASK> [ 231.458777] ops_undo_list+0x100/0x220 [ 231.459015] cleanup_net+0x1b8/0x300 [ 231.459285] process_one_work+0x184/0x340 To fix it, move the ns change to a workqueue, and take rtnl_lock to avoid changing the netdev list when default_device_exit_net() is using it. Cc: [email protected] Fixes: 4c26280 ("hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event") Signed-off-by: Haiyang Zhang <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Jakub Kicinski <[email protected]> (cherry picked from commit 33caa20) Signed-off-by: Jonathan Maple <[email protected]>
jira LE-4385 cve CVE-2023-53373 Rebuild_History Non-Buildable kernel-5.14.0-570.52.1.el9_6 commit-author Herbert Xu <[email protected]> commit 32e6202 As it is seqiv only handles the special return value of EINPROGERSS, which means that in all other cases it will free data related to the request. However, as the caller of seqiv may specify MAY_BACKLOG, we also need to expect EBUSY and treat it in the same way. Otherwise backlogged requests will trigger a use-after-free. Fixes: 0a27032 ("[CRYPTO] seqiv: Add Sequence Number IV Generator") Signed-off-by: Herbert Xu <[email protected]> (cherry picked from commit 32e6202) Signed-off-by: Jonathan Maple <[email protected]>
Rebuild_History BUILDABLE Rebuilding Kernel from rpm changelog with Fuzz Limit: 87.50% Number of commits in upstream range v5.14~1..kernel-mainline: 324124 Number of commits in rpm: 40 Number of commits matched with upstream: 37 (92.50%) Number of commits in upstream but not in rpm: 324087 Number of commits NOT found in upstream: 3 (7.50%) Rebuilding Kernel on Branch rocky9_6_rebuild_kernel-5.14.0-570.52.1.el9_6 for kernel-5.14.0-570.52.1.el9_6 Clean Cherry Picks: 33 (89.19%) Empty Cherry Picks: 4 (10.81%) _______________________________ Full Details Located here: ciq/ciq_backports/kernel-5.14.0-570.52.1.el9_6/rebuild.details.txt Includes: * git commit header above * Empty Commits with upstream SHA * RPM ChangeLog Entries that could not be matched Individual Empty Commit failures contained in the same containing directory. The git message for empty commits will have the path for the failed commit. File names are the first 8 characters of the upstream SHA
jdieter
approved these changes
Oct 15, 2025
shreeya-patel98
approved these changes
Oct 15, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is the attempt at a re-builder built on Cron and some internal tools, but the same process is as follows as previous rebuilds
src.rpm5.14.0-570git cherry-pickrpmbuild -bpfrom corresponding src.rpm.Rebuild Splat Inspection
kernel-5.14.0-570.51.1.el9_6
kernel-5.14.0-570.52.1.el9_6
BUILD
KSelfTests