[rocky10_2] History Rebuild through kernel-6.12.0-211.7.3.el10_2 #1249

Draft
PlaidCat wants to merge 123 commits into rocky10_2 from rocky10_2_rebuild

@PlaidCat PlaidCat commented May 19, 2026

NOTE this was edited from the original because there was an issue with the kabi check actually referencing the kabi from Rocky10_1. All I did was ssh to the build VM and run ../kernel-src-tree-tools/kernel_build.sh --skip-mrpoper to rebuild everything and execute the kabi check (I know this wasn't strictly necessary but it also fills out the rest of the content as it was cut off due to the
I also need to rerun the tests as they are not for the correct kernel.

This is an automated kernel history rebuild using cron and internal tooling. It follows the same process used for previous history rebuilds:

  • Download all unprocessed src.rpm packages
  • For each src.rpm:
    • Identify all commits in the changelog up to the last known tag (6.12.0-211)
    • Replay commits in chronological order (oldest to newest in the changelog) using git cherry-pick
    • Replace the code in the branch with the output of rpmbuild -bp for the corresponding src.rpm
    • Tag the rebuild branch

JIRA Tickets

Rebuild Splat Inspection

kernel-6.12.0-211.7.1.el10_2

$ cat ciq/ciq_backports/kernel-6.12.0-211.7.1.el10_2/rebuild.details.txt
Rebuild_History BUILDABLE
Rebuilding Kernel from rpm changelog with Fuzz Limit: 87.50%
Number of commits in upstream range v6.12~1..kernel-mainline: 122058
Number of commits in rpm: 125
Number of commits matched with upstream: 109 (87.20%)
Number of commits in upstream but not in rpm: 121949
Number of commits NOT found in upstream: 16 (12.80%)

Rebuilding Kernel on Branch rocky10_2_rebuild_kernel-6.12.0-211.7.1.el10_2 for kernel-6.12.0-211.7.1.el10_2
Clean Cherry Picks: 91 (83.49%)
Empty Cherry Picks: 18 (16.51%)
_______________________________

__EMPTY COMMITS__________________________
085ca5d2017116ce3102eafa760ee8eb91fb1eeb drivers: Add support for DPLL reference count tracking
ad1df4f2d591e167bc64b8a7ce6328a2735e3d58 ice: dpll: Support E825-C SyncE and dynamic pin discovery
b7880cb166ab62c2409046b2347261abf701530e migrate: correct lock ordering for hugetlb file folios
c91fe5f162f278d4aa960d06d2dbc42f9857593a mshv: Extend create partition ioctl to support cpu features
e950c30a1051d27fd6dd9a48c53ffbc41ee773f2 mshv: Move region management to mshv_regions.c
abceb4297bf88340ce06016895babe292510a262 mshv: Fix huge page handling in memory region traversal
c39dda08286f4d5ce4d114f8d5dbfdb85effbd6a mshv: Add refcount and locking to mem regions
b9a66cd5ccbb9fade15d0e427e19470d8ad35b75 mshv: Add support for movable memory regions
f0be2600ac55a5845d536c56787daca50dbcb2a1 mshv: Use reboot notifier to configure sleep state
615a6e7d83f958e7ef3bc818e818f7c6433b4c2a mshv: Cleanly shutdown root partition with MSHV
3a2bcc127e6beb9c3c1e4760110275588cf322bf mshv: Use PMD_ORDER instead of HPAGE_PMD_ORDER when processing regions
beb15a6036fecbdc23191f09e4cd57558b0db508 mshv: Initialize local variables early upon region invalidation
92c172ae16a2718aba0d8fec5a62fc1b8aa452dc mshv: hide x86-specific functions on arm64
173d6f64f9558ff022a777a72eb8669b6cdd2649 mshv: release mutex on region invalidation failure
259add0d982cbe83170f0c2a9f160834f0f83dd4 mshv: Align huge page stride with guest mapping
12ffd561d2de28825f39e15e8d22346d26b09688 mshv: handle gpa intercepts for arm64
b7cc142dbafeaf6c053284ca9121b9f70b6d6d06 libceph: add support for CEPH_CRYPTO_AES256KRB5
8356b4b1103b8c970648c94bab724aa30e42d869 libceph: adapt ceph_x_challenge_blob hashing and msgr1 message signing

__CHANGES NOT IN UPSTREAM________________
Add partial riscv64 support for build root'
Provide basic VisionFive 2 support'
kabi: enable check-kabi
kabi: add symbols to stablelist
Add signing key for Nvidia Jetson and Bluefield GPU signing keys
Add NVIDIA Jetson signing key for OOT modules
accel/qaic: enable drivers/accel/qaic configuration in RHEL.
accel/qaic: Merge from upstream v6.18..v6.19
io_uring: graduate to full support
smb: client: fix regression with signing
redhat: genlog: add new JIRA cloud server hostname
redhat/configs: enable keyboard GPIO for x86
redhat/configs: enable CONFIG_INPUT_SOC_BUTTON_ARRAY on x86
ice: dpll: fix rclk pin state get and misplaced header macros
redhat: configs: Enable CONFIG_DPLL_REFCNT_TRACKER for debug
redhat: set defaults for RHEL 10.2

kernel-6.12.0-211.7.3.el10_2

$ cat ciq/ciq_backports/kernel-6.12.0-211.7.3.el10_2/rebuild.details.txt
Rebuild_History BUILDABLE
Rebuilding Kernel from rpm changelog with Fuzz Limit: 87.50%
Number of commits in upstream range v6.12~1..kernel-mainline: 122058
Number of commits in rpm: 13
Number of commits matched with upstream: 10 (76.92%)
Number of commits in upstream but not in rpm: 122048
Number of commits NOT found in upstream: 3 (23.08%)

Rebuilding Kernel on Branch rocky10_2_rebuild_kernel-6.12.0-211.7.3.el10_2 for kernel-6.12.0-211.7.3.el10_2
Clean Cherry Picks: 5 (50.00%)
Empty Cherry Picks: 5 (50.00%)
_______________________________

__EMPTY COMMITS__________________________
a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5 crypto: algif_aead - Revert to operating out-of-place
31d00156e50ecad37f2cb6cbf04aaa9a260505ef crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl
e02494114ebf7c8b42777c6cd6982f113bfdbec7 crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption
1f48ad3b19a9dfc947868edda0bb8e48e5b5a8fa crypto: authencesn - Fix src offset when decrypting in-place
5aa58c3a572b3e3b6c786953339f7978b845cc52 crypto: algif_aead - snapshot IV for async AEAD requests

__CHANGES NOT IN UPSTREAM________________
Add partial riscv64 support for build root'
Provide basic VisionFive 2 support'
xfrm: esp: avoid in-place decrypt on shared skb frags

BUILD

NOTE this was edited from the original because there was an issue with the kabi check actually referencing the kabi from Rocky10_1. All I did was ssh to the build VM and run ../kernel-src-tree-tools/kernel_build.sh --skip-mrpoper to rebuild everything and execute the kabi check (I know this wasn't strictly necessary but it also fills out the rest of the content as it was cut off due to the

$ grep -E -B 5 -A 5 "\[TIMER\]|^Starting Build" $(ls -t kbuild* | head -n1)
/mnt/code/kernel-src-tree-build
Running make mrproper...
  CLEAN   scripts/basic
  CLEAN   scripts/kconfig
  CLEAN   include/config include/generated
[TIMER]{MRPROPER}: 7s
x86_64 architecture detected, copying config
'configs/kernel-x86_64-rhel.config' -> '.config'
Setting Local Version for build
CONFIG_LOCALVERSION="-rocky10_2_rebuild-26281099c319"
Making olddefconfig
--
  HOSTCC  scripts/kconfig/util.o
  HOSTLD  scripts/kconfig/conf
#
# configuration written to .config
#
Starting Build
  GEN     arch/x86/include/generated/asm/orc_hash.h
  WRAP    arch/x86/include/generated/uapi/asm/bpf_perf_event.h
  WRAP    arch/x86/include/generated/uapi/asm/errno.h
  WRAP    arch/x86/include/generated/uapi/asm/fcntl.h
  WRAP    arch/x86/include/generated/uapi/asm/ioctl.h
--
  BTF [M] net/hsr/prp_dup_discard_test.ko
  LD [M]  virt/lib/irqbypass.ko
  BTF [M] net/qrtr/qrtr-mhi.ko
  BTF [M] virt/lib/irqbypass.ko
  BTF [M] net/qrtr/qrtr.ko
[TIMER]{BUILD}: 1895s
Making Modules
  SYMLINK /lib/modules/6.12.0-rocky10_2_rebuild-26281099c319+/build
  INSTALL /lib/modules/6.12.0-rocky10_2_rebuild-26281099c319+/modules.order
  INSTALL /lib/modules/6.12.0-rocky10_2_rebuild-26281099c319+/modules.builtin
  INSTALL /lib/modules/6.12.0-rocky10_2_rebuild-26281099c319+/modules.builtin.modinfo
--
  SIGN    /lib/modules/6.12.0-rocky10_2_rebuild-26281099c319+/kernel/net/qrtr/qrtr.ko
  STRIP   /lib/modules/6.12.0-rocky10_2_rebuild-26281099c319+/kernel/virt/lib/irqbypass.ko
  SIGN    /lib/modules/6.12.0-rocky10_2_rebuild-26281099c319+/kernel/virt/lib/irqbypass.ko
  SIGN    /lib/modules/6.12.0-rocky10_2_rebuild-26281099c319+/kernel/net/qrtr/qrtr-mhi.ko
  DEPMOD  /lib/modules/6.12.0-rocky10_2_rebuild-26281099c319+
[TIMER]{MODULES}: 7s
Making Install
  INSTALL /boot
[TIMER]{INSTALL}: 14s
Checking kABI
kABI check passed
Setting Default Kernel to /boot/vmlinuz-6.12.0-rocky10_2_rebuild-26281099c319+ and Index to 2
The default is /boot/loader/entries/e1fb558a41154517983629347c5b1121-6.12.0-rocky10_2_rebuild-26281099c319+.conf with index 2 and kernel /boot/vmlinuz-6.12.0-rocky10_2_rebuild-26281099c319+
The default is /boot/loader/entries/e1fb558a41154517983629347c5b1121-6.12.0-rocky10_2_rebuild-26281099c319+.conf with index 2 and kernel /boot/vmlinuz-6.12.0-rocky10_2_rebuild-26281099c319+
Generating grub configuration file ...
Adding boot menu entry for UEFI Firmware Settings ...
done
Hopefully Grub2.0 took everything ... rebooting after time metrices
[TIMER]{MRPROPER}: 0s
[TIMER]{BUILD}: 50s
[TIMER]{MODULES}: 7s
[TIMER]{INSTALL}: 14s
[TIMER]{TOTAL} 74s
Rebooting in 10 seconds

KSelfTests

[jmaple@devbox code]$ ./get_kselftest_diff.sh
kselftest.6.12.0-rocky10_1_rebuild-1300dd84850c+.log
459
kselftest.6.12.0-rocky10_1_rebuild-bd569efed05b+.log
459
kselftest.6.12.0-124.56.1.el10_1.x86_64.log
490
kselftest.6.12.0-rocky10_2_rebuild-26281099c319+.log
491
Before: kselftest.6.12.0-124.56.1.el10_1.x86_64.log
After: kselftest.6.12.0-rocky10_2_rebuild-26281099c319+.log
Diff:
-ok 1 selftests: filesystems: devpts_pts # SKIP
+ok 1 selftests: futex: run.sh
+ok 1 selftests: timers: posix_timers

PlaidCat added 30 commits May 19, 2026 15:14
jira KERNEL-1029
Rebuild_History Non-Buildable kernel-6.12.0-211.7.1.el10_2
commit-author Ivan Vecera <ivecera@redhat.com>
commit 5d41f95

The output pin phase adjustment functions incorrectly negate the phase
compensation value.

Per the ZL3073x datasheet, the output phase compensation register is
simply a signed two's complement integer where:
 - Positive values move the phase later in time
 - Negative values move the phase earlier in time

No negation is required. The erroneous negation caused phase adjustments
to be applied in the wrong direction.

Note that input pin phase adjustment correctly uses negation because the
hardware has an inverted convention for input references (positive moves
phase earlier, negative moves phase later).

Fixes: 6287262 ("dpll: zl3073x: Add support to adjust phase")
	Signed-off-by: Ivan Vecera <ivecera@redhat.com>
	Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Link: https://patch.msgid.link/20260205181055.129768-1-ivecera@redhat.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 5d41f95)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1029
Rebuild_History Non-Buildable kernel-6.12.0-211.7.1.el10_2
commit-author Ivan Vecera <ivecera@redhat.com>
commit d0f4771

Extend the DPLL core to support associating a DPLL pin with a firmware
node. This association is required to allow other subsystems (such as
network drivers) to locate and request specific DPLL pins defined in
the Device Tree or ACPI.

* Add a .fwnode field to the struct dpll_pin
* Introduce dpll_pin_fwnode_set() helper to allow the provider driver
  to associate a pin with a fwnode after the pin has been allocated
* Introduce fwnode_dpll_pin_find() helper to allow consumers to search
  for a registered DPLL pin using its associated fwnode handle
* Ensure the fwnode reference is properly released in dpll_pin_put()

	Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
	Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
	Signed-off-by: Ivan Vecera <ivecera@redhat.com>
	Reviewed-by: Arkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
Link: https://patch.msgid.link/20260203174002.705176-2-ivecera@redhat.com
	Signed-off-by: Paolo Abeni <pabeni@redhat.com>

(cherry picked from commit d0f4771)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1029
Rebuild_History Non-Buildable kernel-6.12.0-211.7.1.el10_2
commit-author Ivan Vecera <ivecera@redhat.com>
commit e6dc772

Associate the registered DPLL pin with its firmware node by calling
dpll_pin_fwnode_set().

This links the created pin object to its corresponding DT/ACPI node
in the DPLL core. Consequently, this enables consumer drivers (such as
network drivers) to locate and request this specific pin using the
fwnode_dpll_pin_find() helper.

	Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
	Signed-off-by: Ivan Vecera <ivecera@redhat.com>
	Reviewed-by: Arkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
Link: https://patch.msgid.link/20260203174002.705176-3-ivecera@redhat.com
	Signed-off-by: Paolo Abeni <pabeni@redhat.com>

(cherry picked from commit e6dc772)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1029
Rebuild_History Non-Buildable kernel-6.12.0-211.7.1.el10_2
commit-author Petr Oros <poros@redhat.com>
commit 2be4675

Currently, the DPLL subsystem reports events (creation, deletion, changes)
to userspace via Netlink. However, there is no mechanism for other kernel
components to be notified of these events directly.

Add a raw notifier chain to the DPLL core protected by dpll_lock. This
allows other kernel subsystems or drivers to register callbacks and
receive notifications when DPLL devices or pins are created, deleted,
or modified.

Define the following:
- Registration helpers: {,un}register_dpll_notifier()
- Event types: DPLL_DEVICE_CREATED, DPLL_PIN_CREATED, etc.
- Context structures: dpll_{device,pin}_notifier_info  to pass relevant
  data to the listeners.

The notification chain is invoked alongside the existing Netlink event
generation to ensure in-kernel listeners are kept in sync with the
subsystem state.

	Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Co-developed-by: Ivan Vecera <ivecera@redhat.com>
	Signed-off-by: Ivan Vecera <ivecera@redhat.com>
	Signed-off-by: Petr Oros <poros@redhat.com>
	Reviewed-by: Arkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
	Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Link: https://patch.msgid.link/20260203174002.705176-4-ivecera@redhat.com
	Signed-off-by: Paolo Abeni <pabeni@redhat.com>

(cherry picked from commit 2be4675)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1029
Rebuild_History Non-Buildable kernel-6.12.0-211.7.1.el10_2
commit-author Ivan Vecera <ivecera@redhat.com>
commit 711696b

Allow drivers to register DPLL pins without manually specifying a pin
index.

Currently, drivers must provide a unique pin index when calling
dpll_pin_get(). This works well for hardware-mapped pins but creates
friction for drivers handling virtual pins or those without a strict
hardware indexing scheme.

Introduce DPLL_PIN_IDX_UNSPEC (U32_MAX). When a driver passes this
value as the pin index:
1. The core allocates a unique index using an IDA
2. The allocated index is mapped to a range starting above `INT_MAX`

This separation ensures that dynamically allocated indices never collide
with standard driver-provided hardware indices, which are assumed to be
within the `0` to `INT_MAX` range. The index is automatically freed when
the pin is released in dpll_pin_put().

	Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
	Signed-off-by: Ivan Vecera <ivecera@redhat.com>
	Reviewed-by: Arkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
Link: https://patch.msgid.link/20260203174002.705176-5-ivecera@redhat.com
	Signed-off-by: Paolo Abeni <pabeni@redhat.com>

(cherry picked from commit 711696b)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1029
Rebuild_History Non-Buildable kernel-6.12.0-211.7.1.el10_2
commit-author Ivan Vecera <ivecera@redhat.com>
commit fdad05e

Add parsing for the "mux" string in the 'connection-type' pin property
mapping it to DPLL_PIN_TYPE_MUX.

Recognizing this type in the driver allows these pins to be taken as
parent pins for pin-on-pin pins coming from different modules (e.g.
network drivers).

	Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
	Signed-off-by: Ivan Vecera <ivecera@redhat.com>
	Reviewed-by: Arkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
Link: https://patch.msgid.link/20260203174002.705176-6-ivecera@redhat.com
	Signed-off-by: Paolo Abeni <pabeni@redhat.com>

(cherry picked from commit fdad05e)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1029
Rebuild_History Non-Buildable kernel-6.12.0-211.7.1.el10_2
commit-author Ivan Vecera <ivecera@redhat.com>
commit 729f5e0

Refactor the reference counting mechanism for DPLL devices and pins to
improve consistency and prevent potential lifetime issues.

Introduce internal helpers __dpll_{device,pin}_{hold,put}() to
centralize reference management.

Update the internal XArray reference helpers (dpll_xa_ref_*) to
automatically grab a reference to the target object when it is added to
a list, and release it when removed. This ensures that objects linked
internally (e.g., pins referenced by parent pins) are properly kept
alive without relying on the caller to manually manage the count.

Consequently, remove the now redundant manual `refcount_inc/dec` calls
in dpll_pin_on_pin_{,un}register(), as ownership is now correctly handled
by the dpll_xa_ref_* functions.

Additionally, ensure that dpll_device_{,un}register() takes/releases
a reference to the device, ensuring the device object remains valid for
the duration of its registration.

	Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
	Signed-off-by: Ivan Vecera <ivecera@redhat.com>
	Reviewed-by: Arkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
Link: https://patch.msgid.link/20260203174002.705176-7-ivecera@redhat.com
	Signed-off-by: Paolo Abeni <pabeni@redhat.com>

(cherry picked from commit 729f5e0)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1029
Rebuild_History Non-Buildable kernel-6.12.0-211.7.1.el10_2
commit-author Ivan Vecera <ivecera@redhat.com>
commit 3c0da10

Add support for the REF_TRACKER infrastructure to the DPLL subsystem.

When enabled, this allows developers to track and debug reference counting
leaks or imbalances for dpll_device and dpll_pin objects. It records stack
traces for every get/put operation and exposes this information via
debugfs at:
  /sys/kernel/debug/ref_tracker/dpll_device_*
  /sys/kernel/debug/ref_tracker/dpll_pin_*

The following API changes are made to support this:
1. dpll_device_get() / dpll_device_put() now accept a 'dpll_tracker *'
   (which is a typedef to 'struct ref_tracker *' when enabled, or an empty
   struct otherwise).
2. dpll_pin_get() / dpll_pin_put() and fwnode_dpll_pin_find() similarly
   accept the tracker argument.
3. Internal registration structures now hold a tracker to associate the
   reference held by the registration with the specific owner.

All existing in-tree drivers (ice, mlx5, ptp_ocp, zl3073x) are updated
to pass NULL for the new tracker argument, maintaining current behavior
while enabling future debugging capabilities.

	Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Co-developed-by: Petr Oros <poros@redhat.com>
	Signed-off-by: Petr Oros <poros@redhat.com>
	Signed-off-by: Ivan Vecera <ivecera@redhat.com>
	Reviewed-by: Arkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
Link: https://patch.msgid.link/20260203174002.705176-8-ivecera@redhat.com
	Signed-off-by: Paolo Abeni <pabeni@redhat.com>

(cherry picked from commit 3c0da10)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1029
Rebuild_History Non-Buildable kernel-6.12.0-211.7.1.el10_2
commit-author Ivan Vecera <ivecera@redhat.com>
commit 085ca5d
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-6.12.0-211.7.1.el10_2/085ca5d2.failed

Update existing DPLL drivers to utilize the DPLL reference count
tracking infrastructure.

Add dpll_tracker fields to the drivers' internal device and pin
structures. Pass pointers to these trackers when calling
dpll_device_get/put() and dpll_pin_get/put().

This allows developers to inspect the specific references held by this
driver via debugfs when CONFIG_DPLL_REFCNT_TRACKER is enabled, aiding
in the debugging of resource leaks.

	Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
	Signed-off-by: Ivan Vecera <ivecera@redhat.com>
	Reviewed-by: Arkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
Link: https://patch.msgid.link/20260203174002.705176-9-ivecera@redhat.com
	Signed-off-by: Paolo Abeni <pabeni@redhat.com>

(cherry picked from commit 085ca5d)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

# Conflicts:
#	drivers/ptp/ptp_ocp.c
jira KERNEL-1029
Rebuild_History Non-Buildable kernel-6.12.0-211.7.1.el10_2
commit-author Arkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
commit ad1df4f
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-6.12.0-211.7.1.el10_2/ad1df4f2.failed

Implement SyncE support for the E825-C Ethernet controller using the
DPLL subsystem. Unlike E810, the E825-C architecture relies on platform
firmware (ACPI) to describe connections between the NIC's recovered clock
outputs and external DPLL inputs.

Implement the following mechanisms to support this architecture:

1. Discovery Mechanism: The driver parses the 'dpll-pins' and 'dpll-pin names'
   firmware properties to identify the external DPLL pins (parents)
   corresponding to its RCLK outputs ("rclk0", "rclk1"). It uses
   fwnode_dpll_pin_find() to locate these parent pins in the DPLL core.

2. Asynchronous Registration: Since the platform DPLL driver (e.g.
   zl3073x) may probe independently of the network driver, utilize
   the DPLL notifier chain. The driver listens for DPLL_PIN_CREATED
   events to detect when the parent MUX pins become available, then
   registers its own Recovered Clock (RCLK) pins as children of those
   parents.

3. Hardware Configuration: Implement the specific register access logic
   for E825-C CGU (Clock Generation Unit) registers (R10, R11). This
   includes configuring the bypass MUXes and clock dividers required to
   drive SyncE signals.

4. Split Initialization: Refactor `ice_dpll_init()` to separate the
   static initialization path of E810 from the dynamic, firmware-driven
   path required for E825-C.

	Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Co-developed-by: Ivan Vecera <ivecera@redhat.com>
	Signed-off-by: Ivan Vecera <ivecera@redhat.com>
Co-developed-by: Grzegorz Nitka <grzegorz.nitka@intel.com>
	Signed-off-by: Grzegorz Nitka <grzegorz.nitka@intel.com>
	Signed-off-by: Arkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
Link: https://patch.msgid.link/20260203174002.705176-10-ivecera@redhat.com
	Signed-off-by: Paolo Abeni <pabeni@redhat.com>

(cherry picked from commit ad1df4f)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

# Conflicts:
#	drivers/net/ethernet/intel/ice/ice_dpll.c
#	drivers/net/ethernet/intel/ice/ice_dpll.h
jira KERNEL-1029
Rebuild_History Non-Buildable kernel-6.12.0-211.7.1.el10_2
commit-author Maurizio Lombardi <mlombard@redhat.com>
commit bbdaa8c

When loading the nvme module, if the 'quirks' parameter is specified
via both the kernel command line (e.g., nvme.quirks=...) and the
modprobe command line (e.g., modprobe nvme quirks=...), the
quirks_param_set() callback is invoked twice.

Currently, in the double-invocation scenario, the second call
overwrites the nvme_pci_quirk_list pointer, causing the memory
allocated in the first call to leak.

Fix this by freeing the existing list before assigning the new one.

Fixes: b4247c8317c5 ("nvme: add support for dynamic quirk configuration via module parameter")
	Reviewed-by: Daniel Wagner <dwagner@suse.de>
	Reviewed-by: Christoph Hellwig <hch@lst.de>
	Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
	Signed-off-by: Keith Busch <kbusch@kernel.org>
(cherry picked from commit bbdaa8c)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1029
Rebuild_History Non-Buildable kernel-6.12.0-211.7.1.el10_2
commit-author Stefano Garzarella <sgarzare@redhat.com>
commit a07c33c

Add documentation for the vsock per-namespace sysctls (`ns_mode` and
`child_ns_mode`) to Documentation/admin-guide/sysctl/net.rst.
These sysctls were introduced by commit eafb64f ("vsock: add
netns to vsock core").

Document the two namespace modes (`global` and `local`), the
inheritance behavior of `child_ns_mode`, and the restriction preventing
local namespaces from setting `child_ns_mode` to `global`.

	Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
	Tested-by: Randy Dunlap <rdunlap@infradead.org>
	Acked-by: Randy Dunlap <rdunlap@infradead.org>
Link: https://patch.msgid.link/20260216163147.236844-1-sgarzare@redhat.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit a07c33c)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1029
Rebuild_History Non-Buildable kernel-6.12.0-211.7.1.el10_2
commit-author Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 5cc6195

current->nsproxy should not be accessed directly as syzbot has found
that it could be NULL at times, causing crashes.  Fix up the af_vsock
sysctl handlers to use container_of() to deal with the current net
namespace instead of attempting to rely on current.

This is the same type of change done in commit 7f5611c ("rds:
sysctl: rds_tcp_{rcv,snd}buf: avoid using current->nsproxy")

	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Reviewed-by: Bobby Eshleman <bobbyeshleman@meta.com>
	Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Fixes: eafb64f ("vsock: add netns to vsock core")
Link: https://patch.msgid.link/2026022318-rearview-gallery-ae13@gregkh
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 5cc6195)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
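
The lookup change described in the commit message above, as an added user-space example that is not code from the commit or the kernel tree. All `*_model` types, the field names inside them, and the function names are hypothetical stand-ins; the model returns NULL where the kernel would dereference a NULL `nsproxy`.

```c
#include <stddef.h>
#include <stdio.h>

/* Same idea as the kernel macro: step back from a member to its container. */
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

/* Hypothetical stand-ins for struct net and its per-netns vsock state. */
struct vsock_state_model { int mode; int child_ns_mode; };
struct net_model { int ns_id; struct vsock_state_model vsock; };

/* Hypothetical stand-ins for task_struct, nsproxy and ctl_table. */
struct nsproxy_model { struct net_model *net_ns; };
struct task_model { struct nsproxy_model *nsproxy; };
struct ctl_table_model { void *data; };

/* A sysctl entry whose data pointer targets one field of one namespace. */
static struct ctl_table_model table_for_child_ns_mode(struct net_model *net)
{
	struct ctl_table_model t = { .data = &net->vsock.child_ns_mode };
	return t;
}

/*
 * "Before" shape: ask the calling task which namespace it is in.
 * The kernel code would dereference nsproxy unconditionally; the model
 * returns NULL instead so the failing case can be observed safely.
 */
static struct net_model *net_from_current(const struct task_model *task)
{
	if (!task->nsproxy)
		return NULL;	/* kernel: NULL pointer dereference here */
	return task->nsproxy->net_ns;
}

/*
 * "After" shape: the table's data pointer already lives inside the right
 * namespace object, so the namespace is recovered from the pointer itself
 * and the state of the calling task no longer matters.
 */
static struct net_model *net_from_table(const struct ctl_table_model *table)
{
	return container_of(table->data, struct net_model, vsock.child_ns_mode);
}

int main(void)
{
	struct net_model net = { .ns_id = 7, .vsock = { 0, 1 } };
	struct ctl_table_model table = table_for_child_ns_mode(&net);
	struct task_model no_nsproxy = { .nsproxy = NULL };

	printf("via current:      %p\n", (void *)net_from_current(&no_nsproxy));
	printf("via container_of: ns_id=%d\n", net_from_table(&table)->ns_id);
	return 0;
}
```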
jira KERNEL-1029
Rebuild_History Non-Buildable kernel-6.12.0-211.7.1.el10_2
commit-author Bobby Eshleman <bobbyeshleman@meta.com>
commit 102eab9

Two administrator processes may race when setting child_ns_mode as one
process sets child_ns_mode to "local" and then creates a namespace, but
another process changes child_ns_mode to "global" between the write and
the namespace creation. The first process ends up with a namespace in
"global" mode instead of "local". While this can be detected after the
fact by reading ns_mode and retrying, it is fragile and error-prone.

Make child_ns_mode write-once so that a namespace manager can set it
once and be sure it won't change. Writing a different value after the
first write returns -EBUSY. This applies to all namespaces, including
init_net, where an init process can write "local" to lock all future
namespaces into local mode.

Fixes: eafb64f ("vsock: add netns to vsock core")
	Suggested-by: Daan De Meyer <daan.j.demeyer@gmail.com>
	Suggested-by: Stefano Garzarella <sgarzare@redhat.com>
Co-developed-by: Stefano Garzarella <sgarzare@redhat.com>
	Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
	Signed-off-by: Bobby Eshleman <bobbyeshleman@meta.com>
	Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Link: https://patch.msgid.link/20260223-vsock-ns-write-once-v3-2-c0cde6959923@meta.com
	Signed-off-by: Paolo Abeni <pabeni@redhat.com>
(cherry picked from commit 102eab9)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
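
The race and the write-once rule from the commit message above, replayed in a user-space model; this is an added example, not code from the commit. The `ns_model` type, the function names, the packing of value and lock bit into one atomic word, and the assumption that a new namespace starts with `child_ns_mode` equal to its own mode are all hypothetical.

```c
#include <errno.h>
#include <stdatomic.h>
#include <stdio.h>

enum vsock_mode { MODE_GLOBAL = 0, MODE_LOCAL = 1 };

#define CHILD_MODE_MASK   0x1	/* bit 0: the configured child mode */
#define CHILD_MODE_LOCKED 0x2	/* bit 1: set by the first write */

/* Hypothetical model of one network namespace's vsock settings. */
struct ns_model {
	enum vsock_mode ns_mode;	/* fixed when the namespace is created */
	atomic_int child_state;		/* value and lock bit in one word */
};

static void ns_init(struct ns_model *ns, enum vsock_mode mode)
{
	ns->ns_mode = mode;
	atomic_init(&ns->child_state, (int)mode);	/* assumed default */
}

static enum vsock_mode child_mode_read(struct ns_model *ns)
{
	return (enum vsock_mode)(atomic_load(&ns->child_state) & CHILD_MODE_MASK);
}

/* A new namespace takes its mode from the creator's child_ns_mode. */
static void ns_create(struct ns_model *child, struct ns_model *parent)
{
	ns_init(child, child_mode_read(parent));
}

/* Pre-fix behaviour: every write succeeds, so the last writer wins. */
static int child_mode_write_legacy(struct ns_model *ns, enum vsock_mode want)
{
	atomic_store(&ns->child_state, (int)want);
	return 0;
}

/*
 * Write-once behaviour: the first write stores the value and the lock bit
 * in a single compare-and-swap, so two concurrent first writers cannot both
 * succeed with different values. Later writes succeed only if they repeat
 * the locked value; a different value gets -EBUSY.
 */
static int child_mode_write_once(struct ns_model *ns, enum vsock_mode want)
{
	int old = atomic_load(&ns->child_state);
	int locked = (int)want | CHILD_MODE_LOCKED;

	while (!(old & CHILD_MODE_LOCKED)) {
		if (atomic_compare_exchange_weak(&ns->child_state, &old, locked))
			return 0;
		/* CAS failed: 'old' now holds the current word, re-check it. */
	}
	return (old & CHILD_MODE_MASK) == (int)want ? 0 : -EBUSY;
}

typedef int (*write_fn)(struct ns_model *, enum vsock_mode);

struct race_result { int rc_a; int rc_b; enum vsock_mode created; };

/* Replays the interleaving from the commit message in a fixed order. */
static struct race_result replay_race(write_fn do_write)
{
	struct ns_model parent, child;
	struct race_result r;

	ns_init(&parent, MODE_GLOBAL);
	r.rc_a = do_write(&parent, MODE_LOCAL);	 /* A: wants a local namespace */
	r.rc_b = do_write(&parent, MODE_GLOBAL); /* B: slips in before A creates */
	ns_create(&child, &parent);		 /* A: creates the namespace */
	r.created = child.ns_mode;
	return r;
}

int main(void)
{
	struct race_result legacy = replay_race(child_mode_write_legacy);
	struct race_result fixed = replay_race(child_mode_write_once);

	printf("legacy:     B rc=%d, A's namespace is %s\n", legacy.rc_b,
	       legacy.created == MODE_LOCAL ? "local" : "global");
	printf("write-once: B rc=%d, A's namespace is %s\n", fixed.rc_b,
	       fixed.created == MODE_LOCAL ? "local" : "global");
	return 0;
}
```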
jira KERNEL-1029
Rebuild_History Non-Buildable kernel-6.12.0-211.7.1.el10_2
commit-author Bobby Eshleman <bobbyeshleman@meta.com>
commit b6302e0

Update the vsock child_ns_mode documentation to include the new
write-once semantics of setting child_ns_mode. The semantics are
implemented in a preceding patch in this series.

	Signed-off-by: Bobby Eshleman <bobbyeshleman@meta.com>
	Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Link: https://patch.msgid.link/20260223-vsock-ns-write-once-v3-3-c0cde6959923@meta.com
	Signed-off-by: Paolo Abeni <pabeni@redhat.com>
(cherry picked from commit b6302e0)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1029
Rebuild_History Non-Buildable kernel-6.12.0-211.7.1.el10_2
commit-author YiFei Zhu <zhuyifei@google.com>
commit 13a4be4

The logic is similar to idpf_rx_hwtstamp, but the data is exported
as a BPF kfunc instead of appended to an skb to support grabbing
timestamps in xsk packets.

An idpf_queue_has(PTP, rxq) condition is added to check the queue
supports PTP similar to idpf_rx_process_skb_fields.

Tested using an xsk connection and checking xdp timestamps are
retrievable in received packets.

	Cc: intel-wired-lan@lists.osuosl.org
	Signed-off-by: YiFei Zhu <zhuyifei@google.com>
	Signed-off-by: Mina Almasry <almasrymina@google.com>
	Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
	Reviewed-by: Alexander Lobakin <aleksander.lobakin@intel.com>
	Reviewed-by: Simon Horman <horms@kernel.org>
	Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
(cherry picked from commit 13a4be4)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1029
Rebuild_History Non-Buildable kernel-6.12.0-211.7.1.el10_2
commit-author Sean Christopherson <seanjc@google.com>
commit 7b39b6c

Add support for handling #DE (divide error) exceptions in KVM selftests
so that the fastops test can verify KVM correctly handles #DE when
emulating DIV or IDIV on behalf of the guest.  Morph #DE to 0xff (i.e.
to -1) as a mostly-arbitrary vector to indicate #DE, so that '0' (the
real #DE vector) can still be used to indicate "no exception".

Link: https://lore.kernel.org/r/20250909202835.333554-2-seanjc@google.com
	Signed-off-by: Sean Christopherson <seanjc@google.com>
(cherry picked from commit 7b39b6c)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1029
Rebuild_History Non-Buildable kernel-6.12.0-211.7.1.el10_2
commit-author Sean Christopherson <seanjc@google.com>
commit d37cc48

Add XM_VECTOR and VE_VECTOR pretty-printing for
trace_kvm_inj_exception().

	Reviewed-by: Binbin Wu <binbin.wu@linux.intel.com>
Link: https://lore.kernel.org/r/20250919223258.1604852-42-seanjc@google.com
	Signed-off-by: Sean Christopherson <seanjc@google.com>
(cherry picked from commit d37cc48)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1029
Rebuild_History Non-Buildable kernel-6.12.0-211.7.1.el10_2
commit-author Sean Christopherson <seanjc@google.com>
commit f2f5519

Add a CP_VECTOR definition for CET's Control Protection Exception (#CP),
along with human friendly formatting for trace_kvm_inj_exception().

	Reviewed-by: Binbin Wu <binbin.wu@linux.intel.com>
Link: https://lore.kernel.org/r/20250919223258.1604852-43-seanjc@google.com
	Signed-off-by: Sean Christopherson <seanjc@google.com>
(cherry picked from commit f2f5519)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1029
Rebuild_History Non-Buildable kernel-6.12.0-211.7.1.el10_2
commit-author Sean Christopherson <seanjc@google.com>
commit fddd076

Add {HV,CP,SX}_VECTOR definitions for AMD's Hypervisor Injection Exception,
VMM Communication Exception, and SVM Security Exception vectors, along with
human friendly formatting for trace_kvm_inj_exception().

Note, KVM is all but guaranteed to never observe or inject #SX, and #HV is
also unlikely to go unused.  Add the architectural collateral mostly for
completeness, and on the off chance that hardware goes off the rails.

Link: https://lore.kernel.org/r/20250919223258.1604852-44-seanjc@google.com
	Signed-off-by: Sean Christopherson <seanjc@google.com>
(cherry picked from commit fddd076)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
…n vectors

jira KERNEL-1029
Rebuild_History Non-Buildable kernel-6.12.0-211.7.1.el10_2
commit-author Sean Christopherson <seanjc@google.com>
commit df1f294

Steal exception_mnemonic() from KVM-Unit-Tests as ex_str() (to keep line
lengths reasonable) and use it in assert messages that currently print the
raw vector number.

Co-developed-by: Chao Gao <chao.gao@intel.com>
	Signed-off-by: Chao Gao <chao.gao@intel.com>
Link: https://lore.kernel.org/r/20250919223258.1604852-45-seanjc@google.com
	Signed-off-by: Sean Christopherson <seanjc@google.com>
(cherry picked from commit df1f294)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1029
Rebuild_History Non-Buildable kernel-6.12.0-211.7.1.el10_2
Rebuild_CHGLOG: - x86/fpu: Clear XSTATE_BV[i] in guest XSAVE state whenever XFD[i]=1 (Maxim Levitsky) [RHEL-148618]
Rebuild_FUZZ: 96.88%
commit-author Sean Christopherson <seanjc@google.com>
commit b45f721

When loading guest XSAVE state via KVM_SET_XSAVE, and when updating XFD in
response to a guest WRMSR, clear XFD-disabled features in the saved (or to
be restored) XSTATE_BV to ensure KVM doesn't attempt to load state for
features that are disabled via the guest's XFD.  Because the kernel
executes XRSTOR with the guest's XFD, saving XSTATE_BV[i]=1 with XFD[i]=1
will cause XRSTOR to #NM and panic the kernel.

E.g. if fpu_update_guest_xfd() sets XFD without clearing XSTATE_BV:

  ------------[ cut here ]------------
  WARNING: arch/x86/kernel/traps.c:1524 at exc_device_not_available+0x101/0x110, CPU#29: amx_test/848
  Modules linked in: kvm_intel kvm irqbypass
  CPU: 29 UID: 1000 PID: 848 Comm: amx_test Not tainted 6.19.0-rc2-ffa07f7fd437-x86_amx_nm_xfd_non_init-vm #171 NONE
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
  RIP: 0010:exc_device_not_available+0x101/0x110
  Call Trace:
   <TASK>
   asm_exc_device_not_available+0x1a/0x20
  RIP: 0010:restore_fpregs_from_fpstate+0x36/0x90
   switch_fpu_return+0x4a/0xb0
   kvm_arch_vcpu_ioctl_run+0x1245/0x1e40 [kvm]
   kvm_vcpu_ioctl+0x2c3/0x8f0 [kvm]
   __x64_sys_ioctl+0x8f/0xd0
   do_syscall_64+0x62/0x940
   entry_SYSCALL_64_after_hwframe+0x4b/0x53
   </TASK>
  ---[ end trace 0000000000000000 ]---

This can happen if the guest executes WRMSR(MSR_IA32_XFD) to set XFD[18] = 1,
and a host IRQ triggers kernel_fpu_begin() prior to the vmexit handler's
call to fpu_update_guest_xfd().

and if userspace stuffs XSTATE_BV[i]=1 via KVM_SET_XSAVE:

  ------------[ cut here ]------------
  WARNING: arch/x86/kernel/traps.c:1524 at exc_device_not_available+0x101/0x110, CPU#14: amx_test/867
  Modules linked in: kvm_intel kvm irqbypass
  CPU: 14 UID: 1000 PID: 867 Comm: amx_test Not tainted 6.19.0-rc2-2dace9faccd6-x86_amx_nm_xfd_non_init-vm #168 NONE
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
  RIP: 0010:exc_device_not_available+0x101/0x110
  Call Trace:
   <TASK>
   asm_exc_device_not_available+0x1a/0x20
  RIP: 0010:restore_fpregs_from_fpstate+0x36/0x90
   fpu_swap_kvm_fpstate+0x6b/0x120
   kvm_load_guest_fpu+0x30/0x80 [kvm]
   kvm_arch_vcpu_ioctl_run+0x85/0x1e40 [kvm]
   kvm_vcpu_ioctl+0x2c3/0x8f0 [kvm]
   __x64_sys_ioctl+0x8f/0xd0
   do_syscall_64+0x62/0x940
   entry_SYSCALL_64_after_hwframe+0x4b/0x53
   </TASK>
  ---[ end trace 0000000000000000 ]---

The new behavior is consistent with the AMX architecture.  Per Intel's SDM,
XSAVE saves XSTATE_BV as '0' for components that are disabled via XFD
(and non-compacted XSAVE saves the initial configuration of the state
component):

  If XSAVE, XSAVEC, XSAVEOPT, or XSAVES is saving the state component i,
  the instruction does not generate #NM when XCR0[i] = IA32_XFD[i] = 1;
  instead, it operates as if XINUSE[i] = 0 (and the state component was
  in its initial state): it saves bit i of XSTATE_BV field of the XSAVE
  header as 0; in addition, XSAVE saves the initial configuration of the
  state component (the other instructions do not save state component i).

Alternatively, KVM could always do XRSTOR with XFD=0, e.g. by using
a constant XFD based on the set of enabled features when XSAVEing for
a struct fpu_guest.  However, having XSTATE_BV[i]=1 for XFD-disabled
features can only happen in the above interrupt case, or in similar
scenarios involving preemption on preemptible kernels, because
fpu_swap_kvm_fpstate()'s call to save_fpregs_to_fpstate() saves the
outgoing FPU state with the current XFD; and that is (on all but the
first WRMSR to XFD) the guest XFD.

Therefore, XFD can only go out of sync with XSTATE_BV in the above
interrupt case, or in similar scenarios involving preemption on
preemptible kernels, and we can consider it (de facto) part of KVM
ABI that KVM_GET_XSAVE returns XSTATE_BV[i]=0 for XFD-disabled features.

	Reported-by: Paolo Bonzini <pbonzini@redhat.com>
	Cc: stable@vger.kernel.org
Fixes: 820a6ee ("kvm: x86: Add emulation for IA32_XFD", 2022-01-14)
	Signed-off-by: Sean Christopherson <seanjc@google.com>
[Move clearing of XSTATE_BV from fpu_copy_uabi_to_guest_fpstate
 to kvm_vcpu_ioctl_x86_set_xsave. - Paolo]
	Reviewed-by: Binbin Wu <binbin.wu@linux.intel.com>
	Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit b45f721)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
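The XSTATE_BV/XFD invariant from the commit message above, as an added userspace model that is not part of the commit or of KVM. The struct, the function names and the reduced #NM rule (XCR0 and the requested-feature bitmap are ignored) are assumptions made for illustration; the header offset of 512 bytes and the XFD[18] tile-data bit are architectural.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define XSAVE_HDR_OFFSET    512           /* header follows the 512-byte legacy region */
#define XSAVE_MODEL_SIZE    576           /* legacy region + 64-byte header only */
#define XFEATURE_XTILE_DATA (1ULL << 18)  /* AMX tile data, the XFD[18] case above */

/* Hypothetical stand-in for the guest fpstate fields that matter here. */
struct guest_fpstate_model {
    uint64_t xfd;                       /* guest IA32_XFD in effect when XRSTOR runs */
    uint8_t  xsave[XSAVE_MODEL_SIZE];   /* saved (or to-be-restored) XSAVE image */
};

/* XSTATE_BV is the first 8 bytes of the XSAVE header. */
static uint64_t get_xstate_bv(const uint8_t *xsave)
{
    uint64_t bv;
    memcpy(&bv, xsave + XSAVE_HDR_OFFSET, sizeof(bv));
    return bv;
}

static void set_xstate_bv(uint8_t *xsave, uint64_t bv)
{
    memcpy(xsave + XSAVE_HDR_OFFSET, &bv, sizeof(bv));
}

/* Reduced rule: XRSTOR faults with #NM if it must load a component XFD disables. */
static int xrstor_would_nm(const struct guest_fpstate_model *fp)
{
    return (get_xstate_bv(fp->xsave) & fp->xfd) != 0;
}

/* KVM_SET_XSAVE path: userspace supplies the whole image. */
static void model_set_xsave(struct guest_fpstate_model *fp,
                            const uint8_t *user, int sanitize)
{
    memcpy(fp->xsave, user, XSAVE_MODEL_SIZE);
    if (sanitize)   /* drop XFD-disabled components from the image */
        set_xstate_bv(fp->xsave, get_xstate_bv(fp->xsave) & ~fp->xfd);
}

/* Guest WRMSR(IA32_XFD) path: the saved image may predate the new XFD value. */
static void model_update_guest_xfd(struct guest_fpstate_model *fp,
                                   uint64_t xfd, int sanitize)
{
    fp->xfd = xfd;
    if (sanitize)
        set_xstate_bv(fp->xsave, get_xstate_bv(fp->xsave) & ~xfd);
}

/* Constructed case 1: userspace stuffs XSTATE_BV[18]=1 while XFD[18]=1. */
static int set_xsave_case(int sanitize)
{
    struct guest_fpstate_model fp;
    uint8_t user[XSAVE_MODEL_SIZE] = {0};

    memset(&fp, 0, sizeof(fp));
    fp.xfd = XFEATURE_XTILE_DATA;
    set_xstate_bv(user, 0x3 | XFEATURE_XTILE_DATA);   /* x87 + SSE + tile data */
    model_set_xsave(&fp, user, sanitize);
    return xrstor_would_nm(&fp);
}

/* Constructed case 2: image saved with XFD[18]=0, then the guest sets XFD[18]=1. */
static int xfd_update_case(int sanitize)
{
    struct guest_fpstate_model fp;

    memset(&fp, 0, sizeof(fp));
    set_xstate_bv(fp.xsave, 0x3 | XFEATURE_XTILE_DATA);
    model_update_guest_xfd(&fp, XFEATURE_XTILE_DATA, sanitize);
    return xrstor_would_nm(&fp);
}

int main(void)
{
    printf("KVM_SET_XSAVE, no clearing:  #NM=%d\n", set_xsave_case(0));
    printf("KVM_SET_XSAVE, with clearing: #NM=%d\n", set_xsave_case(1));
    printf("XFD update, no clearing:      #NM=%d\n", xfd_update_case(0));
    printf("XFD update, with clearing:    #NM=%d\n", xfd_update_case(1));
    return 0;
}
```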
jira KERNEL-1029
Rebuild_History Non-Buildable kernel-6.12.0-211.7.1.el10_2
commit-author Paolo Bonzini <pbonzini@redhat.com>
commit a1025dc

Rework the guest=>host syncs in the AMX test to use named actions instead
of arbitrary, incrementing numbers.  The "stage" of the test has no real
meaning, what matters is what action the test wants the host to perform.
The incrementing numbers are somewhat helpful for triaging failures, but
fully debugging failures almost always requires a much deeper dive into
the test (and KVM).

Using named actions not only makes it easier to extend the test without
having to shift all sync point numbers, it makes the code easier to read.

[Commit message by Sean Christopherson]

	Cc: stable@vger.kernel.org
	Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit a1025dc)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1029
Rebuild_History Non-Buildable kernel-6.12.0-211.7.1.el10_2
commit-author Paolo Bonzini <pbonzini@redhat.com>
commit 0383a8e

The host is allowed to set FPU state that includes a disabled
xstate component.  Check that this does not cause bad effects.

	Cc: stable@vger.kernel.org
	Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 0383a8e)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1029
Rebuild_History Non-Buildable kernel-6.12.0-211.7.1.el10_2
commit-author Sean Christopherson <seanjc@google.com>
commit 3611ca7

Rework the AMX test's #NM handling to use kvm_asm_safe() to verify an #NM
actually occurs.  As is, a completely missing #NM could go unnoticed.

	Signed-off-by: Sean Christopherson <seanjc@google.com>
	Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 3611ca7)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1029
Rebuild_History Non-Buildable kernel-6.12.0-211.7.1.el10_2
commit-author Stanislav Fomichev <sdf@fomichev.me>
commit 27b9180

With the device instance lock, there is now a possibility of a deadlock:

[    1.211455] ============================================
[    1.211571] WARNING: possible recursive locking detected
[    1.211687] 6.14.0-rc5-01215-g032756b4ca7a-dirty #5 Not tainted
[    1.211823] --------------------------------------------
[    1.211936] ip/184 is trying to acquire lock:
[    1.212032] ffff8881024a4c30 (&dev->lock){+.+.}-{4:4}, at: dev_set_allmulti+0x4e/0xb0
[    1.212207]
[    1.212207] but task is already holding lock:
[    1.212332] ffff8881024a4c30 (&dev->lock){+.+.}-{4:4}, at: dev_open+0x50/0xb0
[    1.212487]
[    1.212487] other info that might help us debug this:
[    1.212626]  Possible unsafe locking scenario:
[    1.212626]
[    1.212751]        CPU0
[    1.212815]        ----
[    1.212871]   lock(&dev->lock);
[    1.212944]   lock(&dev->lock);
[    1.213016]
[    1.213016]  *** DEADLOCK ***
[    1.213016]
[    1.213143]  May be due to missing lock nesting notation
[    1.213143]
[    1.213294] 3 locks held by ip/184:
[    1.213371]  #0: ffffffff838b53e0 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock+0x1b/0xa0
[    1.213543]  #1: ffffffff84e5fc70 (&net->rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock+0x37/0xa0
[    1.213727]  #2: ffff8881024a4c30 (&dev->lock){+.+.}-{4:4}, at: dev_open+0x50/0xb0
[    1.213895]
[    1.213895] stack backtrace:
[    1.213991] CPU: 0 UID: 0 PID: 184 Comm: ip Not tainted 6.14.0-rc5-01215-g032756b4ca7a-dirty #5
[    1.213993] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014
[    1.213994] Call Trace:
[    1.213995]  <TASK>
[    1.213996]  dump_stack_lvl+0x8e/0xd0
[    1.214000]  print_deadlock_bug+0x28b/0x2a0
[    1.214020]  lock_acquire+0xea/0x2a0
[    1.214027]  __mutex_lock+0xbf/0xd40
[    1.214038]  dev_set_allmulti+0x4e/0xb0 # real_dev->flags & IFF_ALLMULTI
[    1.214040]  vlan_dev_open+0xa5/0x170 # ndo_open on vlandev
[    1.214042]  __dev_open+0x145/0x270
[    1.214046]  __dev_change_flags+0xb0/0x1e0
[    1.214051]  netif_change_flags+0x22/0x60 # IFF_UP vlandev
[    1.214053]  dev_change_flags+0x61/0xb0 # for each device in group from dev->vlan_info
[    1.214055]  vlan_device_event+0x766/0x7c0 # on netdevsim0
[    1.214058]  notifier_call_chain+0x78/0x120
[    1.214062]  netif_open+0x6d/0x90
[    1.214064]  dev_open+0x5b/0xb0 # locks netdevsim0
[    1.214066]  bond_enslave+0x64c/0x1230
[    1.214075]  do_set_master+0x175/0x1e0 # on netdevsim0
[    1.214077]  do_setlink+0x516/0x13b0
[    1.214094]  rtnl_newlink+0xaba/0xb80
[    1.214132]  rtnetlink_rcv_msg+0x440/0x490
[    1.214144]  netlink_rcv_skb+0xeb/0x120
[    1.214150]  netlink_unicast+0x1f9/0x320
[    1.214153]  netlink_sendmsg+0x346/0x3f0
[    1.214157]  __sock_sendmsg+0x86/0xb0
[    1.214160]  ____sys_sendmsg+0x1c8/0x220
[    1.214164]  ___sys_sendmsg+0x28f/0x2d0
[    1.214179]  __x64_sys_sendmsg+0xef/0x140
[    1.214184]  do_syscall_64+0xec/0x1d0
[    1.214190]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[    1.214191] RIP: 0033:0x7f2d1b4a7e56

Device setup:

     netdevsim0 (down)
     ^        ^
  bond        netdevsim1.100@netdevsim1 allmulticast=on (down)

When we enslave the lower device (netdevsim0) which has a vlan, we
propagate vlan's allmulti/promisc flags during ndo_open. This causes
(re)locking of the real_dev.

Propagate allmulti/promisc on flags change, not on the open. There
is a slight semantics change that vlans that are down now propagate
the flags, but this seems unlikely to result in the real issues.

Reproducer:

  echo 0 1 > /sys/bus/netdevsim/new_device

  dev_path=$(ls -d /sys/bus/netdevsim/devices/netdevsim0/net/*)
  dev=$(echo $dev_path | rev | cut -d/ -f1 | rev)

  ip link set dev $dev name netdevsim0
  ip link set dev netdevsim0 up

  ip link add link netdevsim0 name netdevsim0.100 type vlan id 100
  ip link set dev netdevsim0.100 allmulticast on down
  ip link add name bond1 type bond mode 802.3ad
  ip link set dev netdevsim0 down
  ip link set dev netdevsim0 master bond1
  ip link set dev bond1 up
  ip link show

	Reported-by: syzbot+b0c03d76056ef6cd12a6@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/Z9CfXjLMKn6VLG5d@mini-arch/T/#m15ba130f53227c883e79fb969687d69d670337a0
	Signed-off-by: Stanislav Fomichev <sdf@fomichev.me>
	Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250313100657.2287455-1-sdf@fomichev.me
	Signed-off-by: Paolo Abeni <pabeni@redhat.com>

(cherry picked from commit 27b9180)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1029
Rebuild_History Non-Buildable kernel-6.12.0-211.7.1.el10_2
commit-author George D Sworo <george.d.sworo@intel.com>
commit 255c891

Add VMD Device ID Support for PTL-H/P/U processors.

	Signed-off-by: George D Sworo <george.d.sworo@intel.com>
[mani: expanded PTL]
	Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Link: https://patch.msgid.link/20250606210230.340803-2-george.d.sworo@intel.com
(cherry picked from commit 255c891)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
…nfo()

jira KERNEL-1029
Rebuild_History Non-Buildable kernel-6.12.0-211.7.1.el10_2
commit-author Inochi Amaoto <inochiama@gmail.com>
commit e433110

Since commit 54f45a3 ("PCI/MSI: Add startup/shutdown for per
device domains") set callback irq_startup() and irq_shutdown() of
the struct pci_msi[x]_template, __irq_startup() will always invoke
irq_startup() callback instead of irq_enable() callback overridden
in vmd_init_dev_msi_info(). This will not start the IRQ correctly.

Also override irq_startup()/irq_shutdown() in vmd_init_dev_msi_info(),
so the irq_startup() can invoke the real logic.

Fixes: 54f45a3 ("PCI/MSI: Add startup/shutdown for per device domains")
	Reported-by: Kenneth Crudup <kenny@panix.com>
Closes: https://lore.kernel.org/r/8a923590-5b3a-406f-a324-7bd1cf894d8f@panix.com/
	Reported-by: Genes Lists <lists@sapience.com>
Closes: https://lore.kernel.org/r/4b392af8847cc19720ffcd53865f60ab3edc56b3.camel@sapience.com
	Reported-by: Todd Brandt <todd.e.brandt@intel.com>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220658
	Reported-by: Oliver Hartkopp <socketcan@hartkopp.net>
Closes: https://lore.kernel.org/r/8d6887a5-60bc-423c-8f7a-87b4ab739f6a@hartkopp.net
	Reported-by: Hervé <herve@dxcv.net>
	Signed-off-by: Inochi Amaoto <inochiama@gmail.com>
	Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
	Tested-by: Kenneth R. Crudup <kenny@panix.com>
	Tested-by: Genes Lists <lists@sapience.com>
	Tested-by: Oliver Hartkopp <socketcan@hartkopp.net>
	Tested-by: Todd Brandt <todd.e.brandt@linux.intel.com>
	Tested-by: Hervé <herve@dxcv.net>
	Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20251014014607.612586-1-inochiama@gmail.com
(cherry picked from commit e433110)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1029
Rebuild_History Non-Buildable kernel-6.12.0-211.7.1.el10_2
commit-author Sami Tolvanen <samitolvanen@google.com>
commit b40a5d7

With CONFIG_CFI enabled, the kernel strictly enforces that indirect
function calls use a function pointer type that matches the target
function. I ran into the following type mismatch when running BPF
self-tests:

  CFI failure at bpf_obj_free_fields+0x190/0x238 (target:
    bpf_crypto_ctx_release+0x0/0x94; expected type: 0xa488ebfc)
  Internal error: Oops - CFI: 00000000f2008228 [#1]  SMP
  ...

As bpf_crypto_ctx_release() is also used in BPF programs and using
a void pointer as the argument would make the verifier unhappy, add
a simple stub function with the correct type and register it as the
destructor kfunc instead.

	Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
	Acked-by: Yonghong Song <yonghong.song@linux.dev>
	Tested-by: Viktor Malik <vmalik@redhat.com>
Link: https://lore.kernel.org/r/20260110082548.113748-7-samitolvanen@google.com
	Signed-off-by: Alexei Starovoitov <ast@kernel.org>
(cherry picked from commit b40a5d7)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1029
Rebuild_History Non-Buildable kernel-6.12.0-211.7.1.el10_2
commit-author Sami Tolvanen <samitolvanen@google.com>
commit ba7f102

With CONFIG_CFI enabled, the kernel strictly enforces that indirect
function calls use a function pointer type that matches the target
function. As bpf_testmod_ctx_release() signature differs from the
btf_dtor_kfunc_t pointer type used for the destructor calls in
bpf_obj_free_fields(), add a stub function with the correct type to
fix the type mismatch.

	Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
	Acked-by: Yonghong Song <yonghong.song@linux.dev>
Link: https://lore.kernel.org/r/20260110082548.113748-9-samitolvanen@google.com
	Signed-off-by: Alexei Starovoitov <ast@kernel.org>
(cherry picked from commit ba7f102)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
PlaidCat added 25 commits May 19, 2026 15:15
jira KERNEL-1029
Rebuild_History Non-Buildable kernel-6.12.0-211.7.1.el10_2
commit-author Shyam Prasad N <sprasad@microsoft.com>
commit 14f66f4

In several places in the code, we have a label to signify
the start of the code where a request can be replayed if
necessary. However, some of these places were missing the
necessary reinitializations of certain local variables
before replay.

This change makes sure that these variables get initialized
after the label.

	Cc: stable@vger.kernel.org
	Reported-by: Yuchan Nam <entropy1110@gmail.com>
	Tested-by: Yuchan Nam <entropy1110@gmail.com>
	Signed-off-by: Shyam Prasad N <sprasad@microsoft.com>
	Signed-off-by: Steve French <stfrench@microsoft.com>
(cherry picked from commit 14f66f4)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1029
Rebuild_History Non-Buildable kernel-6.12.0-211.7.1.el10_2
commit-author Paulo Alcantara <pc@manguebit.org>
commit 048efe1

If SMB2_open_init() or SMB2_close_init() fails (e.g. reconnect), the
iovs set @Rqst will be left uninitialised, hence calling
SMB2_open_free(), SMB2_close_free() or smb2_set_related() on them will
oops.

Fix this by initialising @close_iov and @open_iov before setting them
in @Rqst.

	Reported-by: Thiago Becker <tbecker@redhat.com>
Fixes: 1cf9f2a ("smb: client: handle unlink(2) of files open by different clients")
	Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
	Cc: David Howells <dhowells@redhat.com>
	Cc: linux-cifs@vger.kernel.org
	Cc: stable@vger.kernel.org
	Signed-off-by: Steve French <stfrench@microsoft.com>
(cherry picked from commit 048efe1)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1029
Rebuild_History Non-Buildable kernel-6.12.0-211.7.1.el10_2
commit-author Petr Oros <poros@redhat.com>
commit efc54fb

Commit 7c01dbf ("iavf: periodically cache PHC time") introduced a
worker to cache PHC time, but failed to stop it during reset or disable.

This creates a race condition where `iavf_reset_task()` or
`iavf_disable_vf()` free adapter resources (AQ) while the worker is still
running. If the worker triggers `iavf_queue_ptp_cmd()` during teardown, it
accesses freed memory/locks, leading to a crash.

Fix this by calling `iavf_ptp_release()` before tearing down the adapter.
This ensures `ptp_clock_unregister()` synchronously cancels the worker and
cleans up the chardev before the backing resources are destroyed.

Fixes: 7c01dbf ("iavf: periodically cache PHC time")
	Signed-off-by: Petr Oros <poros@redhat.com>
	Reviewed-by: Ivan Vecera <ivecera@redhat.com>
	Acked-by: Jacob Keller <jacob.e.keller@intel.com>
	Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
	Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
	Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
	Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
(cherry picked from commit efc54fb)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1029
Rebuild_History Non-Buildable kernel-6.12.0-211.7.1.el10_2
commit-author Pei Xiao <xiaopei01@kylinos.cn>
commit b5dbb8e

Fix sparse warnings:
expected 'void __iomem *addr', but got 'void *addr'

	Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202411121935.cgFcEMO4-lkp@intel.com/
Fixes: 423c336 ("platform/mellanox: mlxbf-pmc: Add support for BlueField-3")
	Signed-off-by: Pei Xiao <xiaopei01@kylinos.cn>
	Reviewed-by: David Thompson <davthompson@nvidia.com>
Link: https://lore.kernel.org/r/fece26ad40620b1e0beb733b9bba3de3ce325761.1732088929.git.xiaopei01@kylinos.cn
	Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
	Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
(cherry picked from commit b5dbb8e)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1029
Rebuild_History Non-Buildable kernel-6.12.0-211.7.1.el10_2
commit-author Shravan Kumar Ramani <shravankr@nvidia.com>
commit 5efc800

Add support for programming any counter to monitor the cycle count.
This will allow the user to repurpose and dedicate any of the counters
in the block to counting cycles.

	Signed-off-by: Shravan Kumar Ramani <shravankr@nvidia.com>
	Reviewed-by: David Thompson <davthompson@nvidia.com>
	Reviewed-by: Vadim Pasternak <vadimp@nvidia.com>
Link: https://lore.kernel.org/r/bd7747897cf1ce77e2e39e271cac21684830f7e7.1736413033.git.shravankr@nvidia.com
	Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
	Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
(cherry picked from commit 5efc800)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
…ce block

jira KERNEL-1029
Rebuild_History Non-Buildable kernel-6.12.0-211.7.1.el10_2
commit-author Shravan Kumar Ramani <shravankr@nvidia.com>
commit 8e3b3e1

The HW clock_measure counter info is passed to the driver from ACPI.
Create a new sub-directory for clock_measure events and provide
read access to the user. Writes are blocked since the fields are RO.

	Signed-off-by: Shravan Kumar Ramani <shravankr@nvidia.com>
	Reviewed-by: David Thompson <davthompson@nvidia.com>
	Reviewed-by: Vadim Pasternak <vadimp@nvidia.com>
Link: https://lore.kernel.org/r/6ea0699497479dfde0a52fcb28aef55aee1bbc0b.1736413033.git.shravankr@nvidia.com
	Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
	Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
(cherry picked from commit 8e3b3e1)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1029
Rebuild_History Non-Buildable kernel-6.12.0-211.7.1.el10_2
commit-author Shravan Kumar Ramani <shravankr@nvidia.com>
commit 3acb492

Add list of events and counters from the following blocks: APT (ARM Processor
Tile), GGA (Global Generic Accelerator), MSN (Memory Stasher and Navigator),
EMI (External Memory Interface) and PRNF (PCIe Request Node).
If any of the fields populated from the ACPI table (like apt_num) cannot be
read, assign the corresponding block count to be 0 instead of failing probe
to maintain compatibility with older firmware.

	Signed-off-by: Shravan Kumar Ramani <shravankr@nvidia.com>
	Reviewed-by: David Thompson <davthompson@nvidia.com>
Link: https://lore.kernel.org/r/20250423083103.5240-1-shravankr@nvidia.com
	Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
	Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
(cherry picked from commit 3acb492)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1029
Rebuild_History Non-Buildable kernel-6.12.0-211.7.1.el10_2
commit-author Alok Tiwari <alok.a.tiwari@oracle.com>
commit 173bbec

The same ID (103) was assigned to both GDC_BANK0_G_RSE_PIPE_CACHE_DATA0
and GDC_BANK0_G_RSE_PIPE_CACHE_DATA1. This could lead to incorrect
event mapping.
Updated the ID to 104 to ensure uniqueness.

Fixes: 423c336 ("platform/mellanox: mlxbf-pmc: Add support for BlueField-3")
	Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
	Reviewed-by: David Thompson <davthompson@nvidia.com>
Link: https://lore.kernel.org/r/20250619060502.3594350-1-alok.a.tiwari@oracle.com
	Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
	Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
(cherry picked from commit 173bbec)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1029
Rebuild_History Non-Buildable kernel-6.12.0-211.7.1.el10_2
commit-author Shravan Kumar Ramani <shravankr@nvidia.com>
commit 44e6ca8

Since the input string passed via the command line appends a newline char,
it needs to be removed before comparison with the event_list.

Fixes: 1a218d3 ("platform/mellanox: mlxbf-pmc: Add Mellanox BlueField PMC driver")
	Signed-off-by: Shravan Kumar Ramani <shravankr@nvidia.com>
	Reviewed-by: David Thompson <davthompson@nvidia.com>
Link: https://lore.kernel.org/r/4978c18e33313b48fa2ae7f3aa6dbcfce40877e4.1751380187.git.shravankr@nvidia.com
	Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
	Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
(cherry picked from commit 44e6ca8)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1029
Rebuild_History Non-Buildable kernel-6.12.0-211.7.1.el10_2
commit-author Shravan Kumar Ramani <shravankr@nvidia.com>
commit f8c1311

Before programming the event info, validate the event number received as input
by checking if it exists in the event_list. Also fix a typo in the comment for
mlxbf_pmc_get_event_name() to correctly mention that it returns the event name
when taking the event number as input, and not the other way round.

Fixes: 423c336 ("platform/mellanox: mlxbf-pmc: Add support for BlueField-3")
	Signed-off-by: Shravan Kumar Ramani <shravankr@nvidia.com>
	Reviewed-by: David Thompson <davthompson@nvidia.com>
Link: https://lore.kernel.org/r/2ee618c59976bcf1379d5ddce2fc60ab5014b3a9.1751380187.git.shravankr@nvidia.com
[ij: split kstrbool() change to own commit.]
	Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
	Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
(cherry picked from commit f8c1311)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1029
Rebuild_History Non-Buildable kernel-6.12.0-211.7.1.el10_2
commit-author Shravan Kumar Ramani <shravankr@nvidia.com>
commit 0e2cebd

For setting the enable value, the input should be 0 or 1 only. Use
kstrtobool() in place of kstrtoint() in mlxbf_pmc_enable_store() to
accept only valid input.

Fixes: 423c336 ("platform/mellanox: mlxbf-pmc: Add support for BlueField-3")
	Signed-off-by: Shravan Kumar Ramani <shravankr@nvidia.com>
	Reviewed-by: David Thompson <davthompson@nvidia.com>
Link: https://lore.kernel.org/r/2ee618c59976bcf1379d5ddce2fc60ab5014b3a9.1751380187.git.shravankr@nvidia.com
[ij: split kstrbool() change to own commit.]
	Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
	Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
(cherry picked from commit 0e2cebd)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1029
Rebuild_History Non-Buildable kernel-6.12.0-211.7.1.el10_2
commit-author David Thompson <davthompson@nvidia.com>
commit a7b4747

The lock-related debug logic (CONFIG_LOCK_STAT) in the kernel is noting
the following warning when the BlueField-3 SOC is booted:

  BUG: key ffff00008a3402a8 has not been registered!
  ------------[ cut here ]------------
  DEBUG_LOCKS_WARN_ON(1)
  WARNING: CPU: 4 PID: 592 at kernel/locking/lockdep.c:4801 lockdep_init_map_type+0x1d4/0x2a0
<snip>
  Call trace:
   lockdep_init_map_type+0x1d4/0x2a0
   __kernfs_create_file+0x84/0x140
   sysfs_add_file_mode_ns+0xcc/0x1cc
   internal_create_group+0x110/0x3d4
   internal_create_groups.part.0+0x54/0xcc
   sysfs_create_groups+0x24/0x40
   device_add+0x6e8/0x93c
   device_register+0x28/0x40
   __hwmon_device_register+0x4b0/0x8a0
   devm_hwmon_device_register_with_groups+0x7c/0xe0
   mlxbf_pmc_probe+0x1e8/0x3e0 [mlxbf_pmc]
   platform_probe+0x70/0x110

The mlxbf_pmc driver must call sysfs_attr_init() during the
initialization of the "count_clock" data structure to avoid
this warning.

Fixes: 5efc800 ("platform/mellanox: mlxbf-pmc: Add support for monitoring cycle count")
	Reviewed-by: Shravan Kumar Ramani <shravankr@nvidia.com>
	Signed-off-by: David Thompson <davthompson@nvidia.com>
Link: https://patch.msgid.link/20251013155605.3589770-1-davthompson@nvidia.com
	Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
	Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
(cherry picked from commit a7b4747)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
Rebuild_History BUILDABLE
Rebuilding Kernel from rpm changelog with Fuzz Limit: 87.50%
Number of commits in upstream range v6.12~1..kernel-mainline: 122058
Number of commits in rpm: 125
Number of commits matched with upstream: 109 (87.20%)
Number of commits in upstream but not in rpm: 121949
Number of commits NOT found in upstream: 16 (12.80%)

Rebuilding Kernel on Branch rocky10_2_rebuild_kernel-6.12.0-211.7.1.el10_2 for kernel-6.12.0-211.7.1.el10_2
Clean Cherry Picks: 91 (83.49%)
Empty Cherry Picks: 18 (16.51%)
_______________________________

Full Details Located here:
ciq/ciq_backports/kernel-6.12.0-211.7.1.el10_2/rebuild.details.txt

Includes:
* git commit header above
* Empty Commits with upstream SHA
* RPM ChangeLog Entries that could not be matched

Individual Empty Commit failures contained in the same containing directory.
The git message for empty commits will have the path for the failed commit.
File names are the first 8 characters of the upstream SHA
jira KERNEL-1029
Rebuild_History Non-Buildable kernel-6.12.0-211.7.3.el10_2
commit-author Norbert Szetei <norbert@doyensec.com>
commit 62397b4

The AF_ALG interface fails to unmark the end of a Scatter/Gather List (SGL)
when chaining a new af_alg_tsgl structure. If a sendmsg() fills an SGL
exactly to MAX_SGL_ENTS, the last entry is marked as the end. A subsequent
sendmsg() allocates a new SGL and chains it, but fails to clear the end
marker on the previous SGL's last data entry.

This causes the crypto scatterwalk to hit a premature end, returning NULL
on sg_next() and leading to a kernel panic during dereference.

Fix this by explicitly unmarking the end of the previous SGL when
performing sg_chain() in af_alg_alloc_tsgl().

Fixes: 8ff5909 ("crypto: algif_skcipher - User-space interface for skcipher operations")
	Signed-off-by: Norbert Szetei <norbert@doyensec.com>
	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit 62397b4)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
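The stale end marker described in the commit message above, as an added userspace model that is not part of the commit or the kernel source. The struct layouts, the tiny `MAX_SGL_ENTS` value and the `scenario()` helper are assumptions made for illustration; only the end/chain flag semantics and the unmark-before-chain fix follow the message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SG_CHAIN     0x1UL  /* entry is a link to another table */
#define SG_END       0x2UL  /* entry is the last one in the list */
#define MAX_SGL_ENTS 4      /* constructed small value for the model */

struct sg_ent {
    uintptr_t link;         /* flags in the low two bits, chain pointer above */
    unsigned int len;       /* bytes described by this entry */
};

/* Model of one transmit table: data slots plus one slot reserved for chaining. */
struct tsgl {
    unsigned int cur;       /* data slots in use */
    struct sg_ent sg[MAX_SGL_ENTS + 1];
};

static void sg_mark_end(struct sg_ent *sg)   { sg->link = (sg->link | SG_END) & ~SG_CHAIN; }
static void sg_unmark_end(struct sg_ent *sg) { sg->link &= ~SG_END; }

/* Turn the reserved last slot of prev into a link to next. */
static void sg_chain(struct sg_ent *prev, unsigned int nents, struct sg_ent *next)
{
    prev[nents - 1].len = 0;
    prev[nents - 1].link = ((uintptr_t)next | SG_CHAIN) & ~SG_END;
}

/* Walk rule: an end marker stops the walk before any chain slot is examined. */
static struct sg_ent *sg_next(struct sg_ent *sg)
{
    if (sg->link & SG_END)
        return NULL;
    sg++;
    if (sg->link & SG_CHAIN)
        sg = (struct sg_ent *)(sg->link & ~(SG_CHAIN | SG_END));
    return sg;
}

/* Allocate-and-chain step; fixed != 0 applies the unmark described in the fix. */
static void tsgl_init(struct tsgl *t, struct tsgl *prev, int fixed)
{
    memset(t, 0, sizeof(*t));
    sg_mark_end(&t->sg[MAX_SGL_ENTS]);
    if (prev) {
        if (fixed)
            sg_unmark_end(&prev->sg[MAX_SGL_ENTS - 1]);
        sg_chain(prev->sg, MAX_SGL_ENTS + 1, t->sg);
    }
}

/* One sendmsg(): append up to n entries of len bytes, then mark the end. */
static void tsgl_send(struct tsgl *t, unsigned int n, unsigned int len)
{
    if (t->cur)
        sg_unmark_end(&t->sg[t->cur - 1]);  /* reopen a partly filled table */
    for (unsigned int i = 0; i < n && t->cur < MAX_SGL_ENTS; i++)
        t->sg[t->cur++].len = len;
    if (t->cur)
        sg_mark_end(&t->sg[t->cur - 1]);
}

/* Bytes a consumer can reach by walking from sg until sg_next() returns NULL. */
static unsigned int reachable_bytes(struct sg_ent *sg)
{
    unsigned int total = 0;
    for (; sg; sg = sg_next(sg))
        total += sg->len;
    return total;
}

/* Two sendmsg() calls of 16-byte entries; a second table is chained only if
 * the first call filled table A exactly. Returns the bytes reachable from A. */
static unsigned int scenario(unsigned int first, unsigned int second, int fixed)
{
    struct tsgl a, b;

    tsgl_init(&a, NULL, fixed);
    tsgl_send(&a, first, 16);
    if (a.cur == MAX_SGL_ENTS) {
        tsgl_init(&b, &a, fixed);
        tsgl_send(&b, second, 16);
    } else {
        tsgl_send(&a, second, 16);
    }
    return reachable_bytes(a.sg);
}

int main(void)
{
    /* 4 + 2 entries were queued, so 96 bytes should be reachable. */
    printf("without unmark: %u of 96 bytes reachable\n", scenario(MAX_SGL_ENTS, 2, 0));
    printf("with unmark:    %u of 96 bytes reachable\n", scenario(MAX_SGL_ENTS, 2, 1));
    return 0;
}
```

In the model the shortfall is only reported; in the kernel the consumer keeps walking for the queued length and dereferences the NULL that `sg_next()` returns.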
jira KERNEL-1029
cve CVE-2026-31431
Rebuild_History Non-Buildable kernel-6.12.0-211.7.3.el10_2
commit-author Herbert Xu <herbert@gondor.apana.org.au>
commit a664bf3
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-6.12.0-211.7.3.el10_2/a664bf3d.failed

This mostly reverts commit 72548b0 except for the copying of
the associated data.

There is no benefit in operating in-place in algif_aead since the
source and destination come from different mappings.  Get rid of
all the complexity added for in-place operation and just copy the
AD directly.

Fixes: 72548b0 ("crypto: algif_aead - copy AAD from src to dst")
	Reported-by: Taeyang Lee <0wn@theori.io>
	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit a664bf3)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

# Conflicts:
#	crypto/algif_aead.c
jira KERNEL-1029
cve CVE-2026-31677
Rebuild_History Non-Buildable kernel-6.12.0-211.7.3.el10_2
commit-author Douya Le <ldy3087146292@gmail.com>
commit 8eceab1

Make af_alg_get_rsgl() limit each RX scatterlist extraction to the
remaining receive buffer budget.

af_alg_get_rsgl() currently uses af_alg_readable() only as a gate
before extracting data into the RX scatterlist. Limit each extraction
to the remaining af_alg_rcvbuf(sk) budget so that receive-side
accounting matches the amount of data attached to the request.

If skcipher cannot obtain enough RX space for at least one chunk while
more data remains to be processed, reject the recvmsg call instead of
rounding the request length down to zero.

Fixes: e870456 ("crypto: algif_skcipher - overhaul memory management")
	Reported-by: Yifan Wu <yifanwucs@gmail.com>
	Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
	Signed-off-by: Yuan Tan <yuantan098@gmail.com>
	Suggested-by: Xin Liu <bird@lzu.edu.cn>
	Signed-off-by: Douya Le <ldy3087146292@gmail.com>
	Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit 8eceab1)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1029
Rebuild_History Non-Buildable kernel-6.12.0-211.7.3.el10_2
commit-author Herbert Xu <herbert@gondor.apana.org.au>
commit 31d0015
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-6.12.0-211.7.3.el10_2/31d00156.failed

When page reassignment was added to af_alg_pull_tsgl the original
loop wasn't updated so it may try to reassign one more page than
necessary.

Add the check to the reassignment so that this does not happen.

Also update the comment which still refers to the obsolete offset
argument.

	Reported-by: syzbot+d23888375c2737c17ba5@syzkaller.appspotmail.com
Fixes: e870456 ("crypto: algif_skcipher - overhaul memory management")
	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit 31d0015)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

# Conflicts:
#	crypto/af_alg.c
…SN spec

jira KERNEL-1029
cve CVE-2026-23060
Rebuild_History Non-Buildable kernel-6.12.0-211.7.3.el10_2
commit-author Taeyang Lee <0wn@theori.io>
commit 2397e92

authencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than
the minimum expected length, crypto_authenc_esn_decrypt() can advance past
the end of the destination scatterlist and trigger a NULL pointer dereference
in scatterwalk_map_and_copy(), leading to a kernel panic (DoS).

Add a minimum AAD length check to fail fast on invalid inputs.

Fixes: 104880a ("crypto: authencesn - Convert to new AEAD interface")
Reported-By: Taeyang Lee <0wn@theori.io>
	Signed-off-by: Taeyang Lee <0wn@theori.io>
	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit 2397e92)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
…e decryption

jira KERNEL-1029
cve CVE-2026-31431
Rebuild_History Non-Buildable kernel-6.12.0-211.7.3.el10_2
commit-author Herbert Xu <herbert@gondor.apana.org.au>
commit e024941
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-6.12.0-211.7.3.el10_2/e0249411.failed

When decrypting data that is not in-place (src != dst), there is
no need to save the high-order sequence bits in dst as it could
simply be re-copied from the source.

However, the data to be hashed need to be rearranged accordingly.

	Reported-by: Taeyang Lee <0wn@theori.io>
Fixes: 104880a ("crypto: authencesn - Convert to new AEAD interface")
	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Thanks,

	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit e024941)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

# Conflicts:
#	crypto/authencesn.c
jira KERNEL-1029
Rebuild_History Non-Buildable kernel-6.12.0-211.7.3.el10_2
commit-author Herbert Xu <herbert@gondor.apana.org.au>
commit 1f48ad3
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-6.12.0-211.7.3.el10_2/1f48ad3b.failed

The src SG list offset wasn't set properly when decrypting in-place,
fix it.

	Reported-by: Wolfgang Walter <linux@stwm.de>
Fixes: e024941 ("crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption")
	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit 1f48ad3)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

# Conflicts:
#	crypto/authencesn.c
jira KERNEL-1029
Rebuild_History Non-Buildable kernel-6.12.0-211.7.3.el10_2
commit-author Yucheng Lu <kanolyc@gmail.com>
commit 5db6ef9

authencesn requires either a zero authsize or an authsize of at least
4 bytes because the ESN encrypt/decrypt paths always move 4 bytes of
high-order sequence number data at the end of the authenticated data.

While crypto_authenc_esn_setauthsize() already rejects explicit
non-zero authsizes in the range 1..3, crypto_authenc_esn_create()
still copied auth->digestsize into inst->alg.maxauthsize without
validating it.  The AEAD core then initialized the tfm's default
authsize from that value.

As a result, selecting an ahash with digest size 1..3, such as
cbcmac(cipher_null), exposed authencesn instances whose default
authsize was invalid even though setauthsize() would have rejected the
same value.  AF_ALG could then trigger the ESN tail handling with a
too-short tag and hit an out-of-bounds access.

Reject authencesn instances whose ahash digest size is in the invalid
non-zero range 1..3 so that no tfm can inherit an unsupported default
authsize.

Fixes: f15f05b ("crypto: ccm - switch to separate cbcmac driver")
	Cc: stable@kernel.org
	Reported-by: Yifan Wu <yifanwucs@gmail.com>
	Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
	Signed-off-by: Yuan Tan <yuantan098@gmail.com>
	Suggested-by: Xin Liu <bird@lzu.edu.cn>
	Tested-by: Yuhang Zheng <z1652074432@gmail.com>
	Reviewed-by: Eric Biggers <ebiggers@kernel.org>
	Signed-off-by: Yucheng Lu <kanolyc@gmail.com>
	Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit 5db6ef9)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1029
Rebuild_History Non-Buildable kernel-6.12.0-211.7.3.el10_2
commit-author Herbert Xu <herbert@gondor.apana.org.au>
commit 3d14bd4

The check for the minimum receive buffer size did not take the
tag size into account during decryption.  Fix this by adding the
required extra length.

	Reported-by: syzbot+aa11561819dc42ebbc7c@syzkaller.appspotmail.com
	Reported-by: Daniel Pouzzner <douzzer@mega.nu>
Fixes: d887c52 ("crypto: algif_aead - overhaul memory management")
	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit 3d14bd4)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1029
Rebuild_History Non-Buildable kernel-6.12.0-211.7.3.el10_2
commit-author Douya Le <ldy3087146292@gmail.com>
commit 5aa58c3
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-6.12.0-211.7.3.el10_2/5aa58c3a.failed

AF_ALG AEAD AIO requests currently use the socket-wide IV buffer during
request processing.  For async requests, later socket activity can
update that shared state before the original request has fully
completed, which can lead to inconsistent IV handling.

Snapshot the IV into per-request storage when preparing the AEAD
request, so in-flight operations no longer depend on mutable socket
state.

Fixes: d887c52 ("crypto: algif_aead - overhaul memory management")
	Cc: stable@kernel.org
	Reported-by: Yuan Tan <yuantan098@gmail.com>
	Reported-by: Yifan Wu <yifanwucs@gmail.com>
	Reported-by: Juefei Pu <tomapufckgml@gmail.com>
	Reported-by: Xin Liu <bird@lzu.edu.cn>
Co-developed-by: Luxing Yin <tr0jan@lzu.edu.cn>
	Signed-off-by: Luxing Yin <tr0jan@lzu.edu.cn>
	Tested-by: Yucheng Lu <kanolyc@gmail.com>
	Signed-off-by: Douya Le <ldy3087146292@gmail.com>
	Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit 5aa58c3)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

# Conflicts:
#	crypto/algif_aead.c
Rebuild_History BUILDABLE
Rebuilding Kernel from rpm changelog with Fuzz Limit: 87.50%
Number of commits in upstream range v6.12~1..kernel-mainline: 122058
Number of commits in rpm: 13
Number of commits matched with upstream: 10 (76.92%)
Number of commits in upstream but not in rpm: 122048
Number of commits NOT found in upstream: 3 (23.08%)

Rebuilding Kernel on Branch rocky10_2_rebuild_kernel-6.12.0-211.7.3.el10_2 for kernel-6.12.0-211.7.3.el10_2
Clean Cherry Picks: 5 (50.00%)
Empty Cherry Picks: 5 (50.00%)
_______________________________

Full Details Located here:
ciq/ciq_backports/kernel-6.12.0-211.7.3.el10_2/rebuild.details.txt

Includes:
* git commit header above
* Empty Commits with upstream SHA
* RPM ChangeLog Entries that could not be matched

Individual Empty Commit failures contained in the same containing directory.
The git message for empty commits will have the path for the failed commit.
File names are the first 8 characters of the upstream SHA
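For reviewers triaging the commit list above, an added example (not part of this PR or of the CIQ rebuild tooling) that parses the commit-message header layout shown on this page and flags CVE-tagged fixes that landed as empty cherry-picks, meaning the fix exists only in the final tarball splat. The sample input is constructed; its SHAs, CVE ids, kernel version and paths are placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample in the layout of the commit headers shown above;
# SHAs, CVE ids, kernel version and paths are placeholders, not PR values.
SAMPLE = """\
jira KERNEL-0000
cve CVE-0000-00001
Rebuild_History Non-Buildable kernel-X.Y.Z
commit-author A Dev <a@example.com>
commit aaaaaaa
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-X.Y.Z/aaaaaaaa.failed

# Conflicts:
#\tcrypto/example.c
jira KERNEL-0000
cve CVE-0000-00002
Rebuild_History Non-Buildable kernel-X.Y.Z
commit-author B Dev <b@example.com>
commit bbbbbbb

Clean pick description.
"""

def parse_records(text):
    """Split rebuild commit messages into records; each starts at a 'jira' line."""
    records = []
    for line in text.splitlines():
        if line.startswith("jira "):
            records.append({"jira": line.split()[1], "cve": [], "commit": None,
                            "empty": False, "failed_ref": None, "conflicts": []})
        elif not records:
            continue  # text before the first record header
        elif line.startswith("cve "):
            records[-1]["cve"].append(line.split()[1])
        elif (m := re.fullmatch(r"commit ([0-9a-f]{7,40})", line)) and not records[-1]["commit"]:
            records[-1]["commit"] = m.group(1)  # header line, not "(cherry picked from ...)"
        elif line.startswith("Empty-Commit:"):
            records[-1]["empty"] = True
        elif line.strip().endswith(".failed"):
            records[-1]["failed_ref"] = line.strip()
        elif (m := re.fullmatch(r"#\t(\S+)", line)):
            records[-1]["conflicts"].append(m.group(1))  # files listed under "# Conflicts:"
    return records

def cve_fixes_needing_review(text):
    """CVE-tagged commits that were empty cherry-picks (present only in the splat)."""
    return [r for r in parse_records(text) if r["empty"] and r["cve"]]
```

Each flagged record carries the `.failed` reference path and the conflicting files, which is where to look when confirming the fix is present in the final tree.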
@PlaidCat PlaidCat self-assigned this May 19, 2026
@PlaidCat PlaidCat requested review from a team May 19, 2026 20:22
@PlaidCat PlaidCat marked this pull request as draft May 19, 2026 20:41