Linux/linux 9207d47 drivers/infiniband/hw/hns hns_roce_qp.c hns_roce_srq.c, drivers/infiniband/hw/mana qp.c

Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma

Pull rdma fixes from Jason Gunthorpe:

 - Several error unwind misses on system calls in mlx5, mana, ocrdma,
   vmw_pvrdma, mlx4, and hns

 - More rxe bugs processing network packets

 - User triggerable races in mlx5 when destroying and creating the same
   object when the FW returns the same object ID

 - Incorrect passing of an IPv6 address through netlink
   RDMA_NL_LS_OP_IP_RESOLVE

 - Add memory ordering for mlx5's lock avoidance pattern

 - Protect mana from kernel memory overflow


    [24 lines not shown]
Delta  File
+10 -6  drivers/infiniband/hw/mana/qp.c
+13 -1  drivers/infiniband/sw/rxe/rxe_resp.c
+7 -6  drivers/net/ethernet/mellanox/mlx4/srq.c
+10 -3  drivers/infiniband/hw/hns/hns_roce_qp.c
+6 -6  drivers/infiniband/hw/hns/hns_roce_srq.c
+11 -0  drivers/infiniband/sw/rxe/rxe_recv.c
+57 -22  14 files not shown
+113 -45  20 files

Linux/linux 4e38654 drivers/media/platform/qcom/camss camss.c camss-csiphy.c, drivers/media/platform/qcom/iris iris_vpu4x.c iris_vpu_common.c

Merge tag 'media/v7.1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media

Pull media fixes from Mauro Carvalho Chehab:

 - rc: ttusbir: fix inverted error logic

 - Venus/Iris fixes:
      - Kconfig cross compile build testing for x86
      - Use-after-free fix for internal buffers
      - dma_free_attrs size fix
      - Switch to hardware mode clocks
      - Use-after-free fix for a concurrency path
      - Fix H265D_MAX_SLICE size for sc7280 devices

 - camss: fix some clock-related issues

* tag 'media/v7.1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media:
  media: qcom: camss: avoid format string warning
  media: qcom: camss: Add missing clocks for VFE lite on sa8775p

    [9 lines not shown]
Delta  File
+40 -40  drivers/media/platform/qcom/camss/camss.c
+13 -11  drivers/media/platform/qcom/iris/iris_vpu4x.c
+10 -6  drivers/media/platform/qcom/iris/iris_vpu_common.c
+7 -3  drivers/media/platform/qcom/camss/camss-csiphy.c
+3 -6  drivers/media/platform/qcom/iris/iris_vpu3x.c
+5 -3  drivers/media/platform/qcom/iris/iris_buffer.c
+78 -69  14 files not shown
+99 -94  20 files

Linux/linux a293ec2 tools/testing/selftests kselftest_harness.h kselftest.h

Merge tag 'linux_kselftest-fixes-7.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest

Pull kselftest fixes from Shuah Khan:

 - Fix extra test number increment in ksft_exit_skip() that results in
   incorrect KTAP result

 - Fix regression introduced by addition of explicit constructor orders
   for fixture tests. This addition broke the ordering of those relative
   to non-fixture tests and the reverse-constructor-order detection

* tag 'linux_kselftest-fixes-7.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest:
  selftests: harness: Restore order of test functions
  selftests: kselftest: fix wrong test number in ksft_exit_skip
Delta  File
+6 -6  tools/testing/selftests/kselftest_harness.h
+1 -1  tools/testing/selftests/kselftest.h
+7 -7  2 files

Linux/linux c7e4e4d drivers/char/ipmi ipmi_si_intf.c ipmi_ssif.c

Merge tag 'for-linus-7.1-2' of https://github.com/cminyard/linux-ipmi

Pull IPMI fixes from Corey Minyard:
 "Fix a number of issues that came up recently

  The first two fixes are workarounds for buggy IPMI hardware. The
  hardware says it has data for the IPMI driver to read constantly, so
  the driver reads the data constantly, causing any new requests to be
  blocked.

  The first fix was to check for invalid data right when the data was
  read from the device and stop the operation there (there was a later
  check for invalid data, but it could not stop the operation at that
  point). It turned out the device was providing good data, so that
  didn't fix the issue, but it's still a good check.

  The second fix stops fetching this data after a few fetches and allows
  other operations to occur. The driver won't work very well, but at
  least it won't wedge. This seems to fix the issue.

    [13 lines not shown]
Delta  File
+56 -14  drivers/char/ipmi/ipmi_si_intf.c
+22 -2  drivers/char/ipmi/ipmi_ssif.c
+78 -16  2 files

Linux/linux 6d35786 arch/x86/kvm lapic.c hyperv.c, arch/x86/kvm/mmu mmu.c

Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm

Pull kvm fixes from Paolo Bonzini:
 "Three bug fixes for x86:

   - Check that nEPT/nNPT is enabled in slow flush hypercalls. If it is
     not, the hypercalls can be processed as usual even while running a
     nested guest

   - Fix shadow paging use-after-free due to page tables changing
     outside execution of the guest. A bug that is 16 years old and
     stems from an imprecision in the very first KVM series

   - Scan IRR whenever PID.ON is true, even if PIR is empty, which
     avoids a somewhat rare WARN"

* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
  KVM: x86: Fix shadow paging use-after-free due to unexpected GFN
  KVM: x86: Fix misleading variable names and add more comments for PIR=>IRR flow

    [2 lines not shown]
Delta  File
+32 -8  arch/x86/kvm/vmx/vmx.c
+14 -21  arch/x86/kvm/mmu/mmu.c
+13 -11  arch/x86/kvm/lapic.c
+1 -1  arch/x86/kvm/hyperv.c
+60 -41  4 files

Linux/linux 7fd2df2. Makefile

Linux 7.1-rc2
Delta  File
+1 -1  Makefile
+1 -1  1 files

Linux/linux 0cb2af2 arch/x86/kvm/mmu mmu.c

KVM: x86: Fix shadow paging use-after-free due to unexpected GFN

The shadow MMU computes GFNs for direct shadow pages using sp->gfn plus
the SPTE index. This assumption breaks for shadow paging if the guest
page tables are modified between VM entries (similar to commit
aad885e77496, "KVM: x86/mmu: Drop/zap existing present SPTE even
when creating an MMIO SPTE", 2026-03-27).  The flow is as follows:

- a PDE is installed for a 2MB mapping, and a page in that area is
  accessed.  KVM creates a kvm_mmu_page consisting of 512 4KB pages;
  the kvm_mmu_page is marked by FNAME(fetch) as direct-mapped because
  the guest's mapping is a huge page (and thus contiguous).

- the PDE mapping is changed from outside the guest.

- the guest accesses another page in the same 2MB area.  KVM installs
  a new leaf SPTE and rmap entry; the SPTE uses the "correct" GFN
  (i.e. based on the new mapping, as changed in the previous step) but
  that GFN is outside of the [sp->gfn, sp->gfn + 511] range; therefore

    [37 lines not shown]
Delta  File
+14 -21  arch/x86/kvm/mmu/mmu.c
+14 -21  1 files

Linux/linux 0aec99f arch/x86/kvm lapic.c, arch/x86/kvm/vmx vmx.c

KVM: x86: Fix misleading variable names and add more comments for PIR=>IRR flow

Rename kvm_apic_update_irr()'s "irr_updated" and vmx_sync_pir_to_irr()'s
"got_posted_interrupt" to a more accurate "max_irr_is_from_pir", as neither
"irr_updated" nor "got_posted_interrupt" is accurate.
__kvm_apic_update_irr() and thus kvm_apic_update_irr() specifically return
true if and only if the highest priority IRQ, i.e. max_irr, is a "new"
pending IRQ from the PIR.  I.e. it's possible for the IRR to be updated,
i.e. for a posted IRQ to be "got", *without* the APIs returning true.

Expand vmx_sync_pir_to_irr()'s comment to explain why it's necessary to
set KVM_REQ_EVENT only if a "new" IRQ was found, and to explain why it's
safe to do so only if a new IRQ is also the highest priority pending IRQ.

No functional change intended.

Signed-off-by: Sean Christopherson <seanjc at google.com>
Link: https://patch.msgid.link/20260503201703.108231-3-pbonzini@redhat.com/
Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
Delta  File
+32 -8  arch/x86/kvm/vmx/vmx.c
+8 -8  arch/x86/kvm/lapic.c
+40 -16  2 files

Linux/linux 33fd0cc arch/x86/kvm lapic.c

KVM: x86: Do IRR scan in __kvm_apic_update_irr even if PIR is empty

Fall back to apic_find_highest_vector() when PID.ON is set but PIR
turns out to be empty, to correctly report the highest pending interrupt
from the existing IRR.

In a nested VM stress test, the following WARNING fires in
vmx_check_nested_events() when kvm_cpu_has_interrupt() reports a pending
interrupt but the subsequent kvm_apic_has_interrupt() (which invokes
vmx_sync_pir_to_irr() again) returns -1:

  WARNING: CPU: 99 PID: 57767 at arch/x86/kvm/vmx/nested.c:4449 vmx_check_nested_events+0x6bf/0x6e0 [kvm_intel]
  Call Trace:
   kvm_check_and_inject_events
   vcpu_enter_guest.constprop.0
   vcpu_run
   kvm_arch_vcpu_ioctl_run
   kvm_vcpu_ioctl
   __x64_sys_ioctl

    [40 lines not shown]
Delta  File
+5 -3  arch/x86/kvm/lapic.c
+5 -3  1 files

Linux/linux 464af6f arch/x86/kvm hyperv.c

KVM: x86: check for nEPT/nNPT in slow flush hypercalls

Checking is_guest_mode(vcpu) is incorrect, because translate_nested_gpa()
is only valid if an L2 guest is running *with nested EPT/NPT enabled*.
Instead use the same condition as translate_nested_gpa() itself.

Cc: stable at vger.kernel.org
Reviewed-by: Sean Christopherson <seanjc at google.com>
Fixes: aee738236dca ("KVM: x86: Prepare kvm_hv_flush_tlb() to handle L2's GPAs", 2022-11-18)
Link: https://patch.msgid.link/20260503200905.106077-1-pbonzini@redhat.com/
Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
Delta  File
+1 -1  arch/x86/kvm/hyperv.c
+1 -1  1 files

Linux/linux f377d00 arch/sh/include/asm setup.h

Merge tag 'sh-for-v7.1-tag2' of git://git.kernel.org/pub/scm/linux/kernel/git/glaubitz/sh-linux

Pull sh fix from John Paul Adrian Glaubitz:
 "The ZERO_PAGE consolidation in v7.1 introduced a regression on sh
  which made these systems unbootable.

  The problem was that on sh, the initial boot parameters were
  previously referenced as an array and after 6215d9f4470f ("arch, mm:
  consolidate empty_zero_page"), they were referenced as a pointer which
  caused wrong code generation and boot hang.

  This changes the declaration back to being an array which fixes the
  boot hang"

* tag 'sh-for-v7.1-tag2' of git://git.kernel.org/pub/scm/linux/kernel/git/glaubitz/sh-linux:
  sh: Fix fallout from ZERO_PAGE consolidation
Delta  File
+1 -1  arch/sh/include/asm/setup.h
+1 -1  1 files

Linux/linux 8111292 mm page_alloc.c slub.c

Merge tag 'slab-for-7.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/vbabka/slab

Pull slab fixes from Vlastimil Babka:

 - Stable fixes for CONFIG_SMP=n where _nolock() allocations in NMI both
   at kmalloc and page allocator levels are not properly protected by
   the spin_trylock() semantics on !SMP (Harry Yoo)

* tag 'slab-for-7.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/vbabka/slab:
  mm/slab: return NULL early from kmalloc_nolock() in NMI on UP
  mm/page_alloc: return NULL early from alloc_frozen_pages_nolock() in NMI on UP
Delta  File
+5 -0  mm/page_alloc.c
+4 -0  mm/slub.c
+9 -0  2 files

Linux/linux cffcf52 kernel/futex requeue.c

Merge tag 'locking-urgent-2026-05-03' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull locking fix from Ingo Molnar:
 "Fix lockup in requeue-PI during signal/timeout wakeups, by Sebastian
  Andrzej Siewior"

* tag 'locking-urgent-2026-05-03' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  futex: Prevent lockup in requeue-PI during signal/ timeout wakeup
Delta  File
+9 -4  kernel/futex/requeue.c
+9 -4  1 files

Linux/linux c3cba36 kernel/sched fair.c core.c

Merge tag 'sched-urgent-2026-05-03' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull scheduler fixes from Ingo Molnar:

 - Fix the delayed dequeue negative lag increase fix in the
   fair scheduler (Peter Zijlstra)

 - Fix wakeup_preempt_fair() to do proper delayed dequeue
   (Vincent Guittot)

 - Clear sched_entity::rel_deadline when initializing
   forked entities, which bug can cause all tasks to be
   EEVDF-ineligible, causing a NULL pointer dereference
   crash in pick_next_entity() (Zicheng Qu)

* tag 'sched-urgent-2026-05-03' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  sched/fair: Clear rel_deadline when initializing forked entities
  sched/fair: Fix wakeup_preempt_fair() vs delayed dequeue
  sched/fair: Fix the negative lag increase fix
Delta  File
+25 -19  kernel/sched/fair.c
+1 -0  kernel/sched/core.c
+26 -19  2 files

Linux/linux b0aa5e4 arch/sh/include/asm setup.h

sh: Fix fallout from ZERO_PAGE consolidation

Consolidation of empty_zero_page declarations broke boot on sh.

sh stores its initial boot parameters in a page reserved in
arch/sh/kernel/head_32.S. Before commit 6215d9f4470f ("arch, mm:
consolidate empty_zero_page") this page was referenced in C code
as an array and after that commit it is referenced as a pointer.

This causes wrong code generation and boot hang.

Declare boot_params_page as an array to fix the issue.

Reported-by: Thomas Weißschuh <thomas.weissschuh at linutronix.de>
Tested-by: Thomas Weißschuh <thomas.weissschuh at linutronix.de>
Fixes: 6215d9f4470f ("arch, mm: consolidate empty_zero_page")
Signed-off-by: Mike Rapoport (Microsoft) <rppt at kernel.org>
Reviewed-by: John Paul Adrian Glaubitz <glaubitz at physik.fu-berlin.de>
Tested-by: Geert Uytterhoeven <geert+renesas at glider.be>

    [2 lines not shown]
Delta  File
+1 -1  arch/sh/include/asm/setup.h
+1 -1  1 files

Linux/linux 66edb90 crypto authencesn.c

Merge tag 'v7.1-p3' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6

Pull crypto fix from Herbert Xu:

 - Reject algorithms with authsizes that are too short in authencesn

* tag 'v7.1-p3' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
  crypto: authencesn - reject short ahash digests during instance creation
Delta  File
+5 -0  crypto/authencesn.c
+5 -0  1 files

Linux/linux 4c2ed2a fs/ntfs runlist.c bitmap.c

Merge tag 'ntfs-for-7.1-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/linkinjeon/ntfs

Pull ntfs fixes from Namjae Jeon:

 - Fix a NULL pointer dereference in ntfs_index_walk_down() by
   validating index block allocation

 - Fix a memory leak of the symlink target string in
   ntfs_reparse_set_wsl_symlink() during error paths

 - Prevent VCN overflow and validate lowest_vcn in
   ntfs_mapping_pairs_decompress() to avoid runlist corruption

 - Fix a page reference leak in ntfs_write_iomap_end_resident()
   when attribute search context allocation fails

 - Fix an invalid PTR_ERR() usage on a valid folio pointer in
   __ntfs_bitmap_set_bits_in_run()


    [14 lines not shown]
Delta  File
+21 -3  fs/ntfs/runlist.c
+11 -8  fs/ntfs/bitmap.c
+13 -4  fs/ntfs/index.c
+10 -3  fs/ntfs/dir.c
+11 -2  fs/ntfs/namei.c
+3 -3  fs/ntfs/iomap.c
+69 -23  1 files not shown
+72 -25  7 files

Linux/linux 7d51783 drivers/infiniband/hw/hns hns_roce_qp.c

RDMA/hns: Fix xarray race in hns_roce_create_qp_common()

Similar to the SRQ case the hr_qp is stored in the xarray before it is
fully initialized. Unlike the SRQ case the error unwinds do not wait for
the completion so keep the refcount 0 until the function succeeds.

Fixes: 9a4435375cd1 ("IB/hns: Add driver files for hns RoCE driver")
Link: https://patch.msgid.link/r/14-v1-41f3135e5565+9d2-rdma_ai_fixes1_jgg@nvidia.com
Suggested-by: Junxian Huang <huangjunxian6 at hisilicon.com>
Reviewed-by: Junxian Huang <huangjunxian6 at hisilicon.com>
Signed-off-by: Jason Gunthorpe <jgg at nvidia.com>
Delta  File
+3 -3  drivers/infiniband/hw/hns/hns_roce_qp.c
+3 -3  1 files

Linux/linux 641858d drivers/infiniband/hw/mlx5 qp.c

RDMA/mlx5: Restore zero-init to mlx5_ib_modify_qp() ucmd

Sashiko points out the check for inlen==0 got missed, the ={} was not
redundant, put it back.

Fixes: a9cd442a5347 ("RDMA: Remove redundant = {} for udata req structs")
Link: https://patch.msgid.link/r/2-v1-41f3135e5565+9d2-rdma_ai_fixes1_jgg@nvidia.com
Signed-off-by: Jason Gunthorpe <jgg at nvidia.com>
Delta  File
+1 -1  drivers/infiniband/hw/mlx5/qp.c
+1 -1  1 files

Linux/linux 70f780e drivers/infiniband/hw/ionic ionic_ibdev.c

RDMA/ionic: Fix typo in format string

Applying the corrupted patch by hand mangled the format string, put the s
in the right place.

Cc: stable at vger.kernel.org
Fixes: 654a27f25530 ("RDMA/ionic: bound node_desc sysfs read with %.64s")
Link: https://patch.msgid.link/r/1-v1-41f3135e5565+9d2-rdma_ai_fixes1_jgg@nvidia.com
Reported-by: Brad Spengler <brad.spengler at opensrcsec.com>
Signed-off-by: Jason Gunthorpe <jgg at nvidia.com>
Delta  File
+1 -1  drivers/infiniband/hw/ionic/ionic_ibdev.c
+1 -1  1 files

Linux/linux 48973c6 drivers/infiniband/hw/hns hns_roce_srq.c

RDMA/hns: Fix xarray race in hns_roce_create_srq()

Sashiko points out that once the srq memory is stored into the xarray by
alloc_srqc() it can immediately be looked up by:

        xa_lock(&srq_table->xa);
        srq = xa_load(&srq_table->xa, srqn & (hr_dev->caps.num_srqs - 1));
        if (srq)
                refcount_inc(&srq->refcount);
        xa_unlock(&srq_table->xa);

Which will fail refcount debug because the refcount is 0 and then crash:

        srq->event(srq, event_type);

Because event is NULL.

Use refcount_inc_not_zero() instead to ensure a partially prepared srq is
never retrieved from the event handler and fix the ordering of the

    [10 lines not shown]
Delta  File
+6 -6  drivers/infiniband/hw/hns/hns_roce_srq.c
+6 -6  1 files

Linux/linux 34fbf48 drivers/infiniband/hw/ocrdma ocrdma_verbs.c

RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()

Sashiko points out that pd->uctx isn't initialized until late in the
function so all these error flow references are NULL and will crash. Use
the uctx that isn't NULL.

Cc: stable at vger.kernel.org
Fixes: fe2caefcdf58 ("RDMA/ocrdma: Add driver for Emulex OneConnect IBoE RDMA adapter")
Link: https://sashiko.dev/#/patchset/0-v1-e911b76a94d1%2B65d95-rdma_udata_rep_jgg%40nvidia.com?part=4
Link: https://patch.msgid.link/r/9-v1-41f3135e5565+9d2-rdma_ai_fixes1_jgg@nvidia.com
Signed-off-by: Jason Gunthorpe <jgg at nvidia.com>
Delta  File
+2 -2  drivers/infiniband/hw/ocrdma/ocrdma_verbs.c
+2 -2  1 files

Linux/linux c934130 drivers/net/ethernet/mellanox/mlx4 srq.c

RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()

Sashiko points out the radix_tree itself is RCU safe, but nothing ever
frees the mlx4_srq struct with RCU, and it isn't even accessed within the
RCU critical section. It also will crash if an event is delivered before
the srq object is finished initializing.

Use the spinlock since it isn't easy to make RCU work, use
refcount_inc_not_zero() to protect against partially initialized objects,
and order the refcount_set() to be after the srq is fully initialized.

Cc: stable at vger.kernel.org
Fixes: 30353bfc43a1 ("net/mlx4_core: Use RCU to perform radix tree lookup for SRQ")
Link: https://sashiko.dev/#/patchset/0-v2-1c49eeb88c48%2B91-rdma_udata_rep_jgg%40nvidia.com?part=5
Link: https://patch.msgid.link/r/12-v1-41f3135e5565+9d2-rdma_ai_fixes1_jgg@nvidia.com
Signed-off-by: Jason Gunthorpe <jgg at nvidia.com>
Delta  File
+7 -6  drivers/net/ethernet/mellanox/mlx4/srq.c
+7 -6  1 files

Linux/linux ea4e4b1 drivers/infiniband/hw/ocrdma ocrdma_verbs.c

RDMA/ocrdma: Clarify the mm_head searching

The intention of this code is to find matching entries exactly, the driver
never creates phys_addr's with different lens so the current expression is
not a bug, but it doesn't make sense and confuses review tooling.

Search for exact match instead.

Link: https://sashiko.dev/#/patchset/0-v1-e911b76a94d1%2B65d95-rdma_udata_rep_jgg%40nvidia.com?part=4
Link: https://patch.msgid.link/r/8-v1-41f3135e5565+9d2-rdma_ai_fixes1_jgg@nvidia.com
Signed-off-by: Jason Gunthorpe <jgg at nvidia.com>
Delta  File
+2 -2  drivers/infiniband/hw/ocrdma/ocrdma_verbs.c
+2 -2  1 files

Linux/linux 34ecf79 drivers/infiniband/hw/mana qp.c

RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss()

Sashiko points out there are two bugs here in the error unwind flow, both
related to how the WQ table is unwound.

First there is a double i-- on the first failure path due to the while loop
having an i--, remove it.

Second if mana_ib_install_cq_cb() fails then mana_create_wq_obj() is not
undone due to the above i--.

Cc: stable at vger.kernel.org
Fixes: c15d7802a424 ("RDMA/mana_ib: Add CQ interrupt support for RAW QP")
Link: https://sashiko.dev/#/patchset/0-v2-1c49eeb88c48%2B91-rdma_udata_rep_jgg%40nvidia.com?part=1
Link: https://patch.msgid.link/r/6-v1-41f3135e5565+9d2-rdma_ai_fixes1_jgg@nvidia.com
Reviewed-by: Long Li <longli at microsoft.com>
Signed-off-by: Jason Gunthorpe <jgg at nvidia.com>
Delta  File
+4 -5  drivers/infiniband/hw/mana/qp.c
+4 -5  1 files

Linux/linux c54c7e4 drivers/infiniband/hw/mlx4 srq.c

RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()

Sashiko points out that mlx4_srq_alloc() was not undone during error
unwind, add the missing call to mlx4_srq_free().

Cc: stable at vger.kernel.org
Fixes: 225c7b1feef1 ("IB/mlx4: Add a driver Mellanox ConnectX InfiniBand adapters")
Link: https://sashiko.dev/#/patchset/0-v1-e911b76a94d1%2B65d95-rdma_udata_rep_jgg%40nvidia.com?part=8
Link: https://patch.msgid.link/r/11-v1-41f3135e5565+9d2-rdma_ai_fixes1_jgg@nvidia.com
Signed-off-by: Jason Gunthorpe <jgg at nvidia.com>
Delta  File
+3 -1  drivers/infiniband/hw/mlx4/srq.c
+3 -1  1 files

Linux/linux 6aaa978 drivers/infiniband/hw/mana qp.c

RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()

Sashiko points out that mana_ib_cfg_vport_steering() is leaked, the normal
destroy path cleans it up.

Cc: stable at vger.kernel.org
Fixes: 0266a177631d ("RDMA/mana_ib: Add a driver for Microsoft Azure Network Adapter")
Link: https://sashiko.dev/#/patchset/0-v1-e911b76a94d1%2B65d95-rdma_udata_rep_jgg%40nvidia.com?part=4
Link: https://patch.msgid.link/r/7-v1-41f3135e5565+9d2-rdma_ai_fixes1_jgg@nvidia.com
Reviewed-by: Long Li <longli at microsoft.com>
Signed-off-by: Jason Gunthorpe <jgg at nvidia.com>
Delta  File
+3 -1  drivers/infiniband/hw/mana/qp.c
+3 -1  1 files

Linux/linux 45e8ebc drivers/infiniband/hw/mlx5 main.c umr.c

RDMA/mlx5: Add missing store/release for lock elision pattern

mlx5 has a common pattern implementing a device-global singleton resource
where it checks the resource pointer for !NULL and then skips obtaining
the lock.

This is not ordered properly as observing !NULL doesn't mean that all the
data under that pointer is also visible on this CPU when the lock is not
taken.

Use a release/acquire pairing to explicitly manage this.

Pointed out by sashiko, Codex found more cases.

Fixes: 5895e70f2e6e ("IB/mlx5: Allocate resources just before first QP/SRQ is created")
Fixes: 638420115cc4 ("IB/mlx5: Create UMR QP just before first reg_mr occurs")
Link: https://sashiko.dev/#/patchset/SYBPR01MB7881E1E0970268BD69C0BA75AF2B2%40SYBPR01MB7881.ausprd01.prod.outlook.com
Link: https://patch.msgid.link/r/3-v1-41f3135e5565+9d2-rdma_ai_fixes1_jgg@nvidia.com
Assisted-by: Codex:GPT-5.5
Signed-off-by: Jason Gunthorpe <jgg at nvidia.com>
Delta  File
+4 -4  drivers/infiniband/hw/mlx5/main.c
+2 -2  drivers/infiniband/hw/mlx5/umr.c
+6 -6  2 files

Linux/linux e38e869 drivers/infiniband/hw/vmw_pvrdma pvrdma_verbs.c

RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path

Sashiko points out that pvrdma_uar_free() is already called within
pvrdma_dealloc_ucontext(), so calling it before triggers a double free.

Cc: stable at vger.kernel.org
Fixes: 29c8d9eba550 ("IB: Add vmw_pvrdma driver")
Link: https://sashiko.dev/#/patchset/0-v1-e911b76a94d1%2B65d95-rdma_udata_rep_jgg%40nvidia.com?part=4
Link: https://patch.msgid.link/r/10-v1-41f3135e5565+9d2-rdma_ai_fixes1_jgg@nvidia.com
Signed-off-by: Jason Gunthorpe <jgg at nvidia.com>
Delta  File
+1 -1  drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.c
+1 -1  1 files

Linux/linux 6dd2d4a drivers/infiniband/hw/mana qp.c

RDMA/mana: Validate rx_hash_key_len

Sashiko points out that rx_hash_key_len comes from a uAPI structure and is
blindly passed to memcpy, allowing the userspace to trash kernel
memory. Bounds check it so the memcpy cannot overflow.

Cc: stable at vger.kernel.org
Fixes: 0266a177631d ("RDMA/mana_ib: Add a driver for Microsoft Azure Network Adapter")
Link: https://sashiko.dev/#/patchset/0-v2-1c49eeb88c48%2B91-rdma_udata_rep_jgg%40nvidia.com?part=1
Link: https://patch.msgid.link/r/4-v1-41f3135e5565+9d2-rdma_ai_fixes1_jgg@nvidia.com
Reviewed-by: Long Li <longli at microsoft.com>
Signed-off-by: Jason Gunthorpe <jgg at nvidia.com>
Delta  File
+3 -0  drivers/infiniband/hw/mana/qp.c
+3 -0  1 files