6.12-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 14 Jul 2025 09:15:02 +0000 (11:15 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 14 Jul 2025 09:15:02 +0000 (11:15 +0200)
added patches:
clk-imx-fix-an-out-of-bounds-access-in-dispmix_csr_clk_dev_data.patch
clk-scmi-handle-case-where-child-clocks-are-initialized-before-their-parents.patch
erofs-address-d-cache-aliasing.patch
erofs-fix-to-add-missing-tracepoint-in-erofs_read_folio.patch
erofs-fix-to-add-missing-tracepoint-in-erofs_readahead.patch
ksmbd-fix-a-mount-write-count-leak-in-ksmbd_vfs_kern_path_locked.patch
smb-server-make-use-of-rdma_destroy_qp.patch
x86-mm-disable-hugetlb-page-table-sharing-on-32-bit.patch
x86-rdrand-disable-rdseed-on-amd-cyan-skillfish.patch

queue-6.12/clk-imx-fix-an-out-of-bounds-access-in-dispmix_csr_clk_dev_data.patch [new file with mode: 0644]
queue-6.12/clk-scmi-handle-case-where-child-clocks-are-initialized-before-their-parents.patch [new file with mode: 0644]
queue-6.12/erofs-address-d-cache-aliasing.patch [new file with mode: 0644]
queue-6.12/erofs-fix-to-add-missing-tracepoint-in-erofs_read_folio.patch [new file with mode: 0644]
queue-6.12/erofs-fix-to-add-missing-tracepoint-in-erofs_readahead.patch [new file with mode: 0644]
queue-6.12/ksmbd-fix-a-mount-write-count-leak-in-ksmbd_vfs_kern_path_locked.patch [new file with mode: 0644]
queue-6.12/series
queue-6.12/smb-server-make-use-of-rdma_destroy_qp.patch [new file with mode: 0644]
queue-6.12/x86-mm-disable-hugetlb-page-table-sharing-on-32-bit.patch [new file with mode: 0644]
queue-6.12/x86-rdrand-disable-rdseed-on-amd-cyan-skillfish.patch [new file with mode: 0644]

diff --git a/queue-6.12/clk-imx-fix-an-out-of-bounds-access-in-dispmix_csr_clk_dev_data.patch b/queue-6.12/clk-imx-fix-an-out-of-bounds-access-in-dispmix_csr_clk_dev_data.patch
new file mode 100644 (file)
index 0000000..9613341
--- /dev/null
@@ -0,0 +1,76 @@
+From aacc875a448d363332b9df0621dde6d3a225ea9f Mon Sep 17 00:00:00 2001
+From: Xiaolei Wang <xiaolei.wang@windriver.com>
+Date: Thu, 19 Jun 2025 14:21:08 +0800
+Subject: clk: imx: Fix an out-of-bounds access in dispmix_csr_clk_dev_data
+
+From: Xiaolei Wang <xiaolei.wang@windriver.com>
+
+commit aacc875a448d363332b9df0621dde6d3a225ea9f upstream.
+
+When num_parents is 4, __clk_register() occurs an out-of-bounds
+when accessing parent_names member. Use ARRAY_SIZE() instead of
+hardcode number here.
+
+ BUG: KASAN: global-out-of-bounds in __clk_register+0x1844/0x20d8
+ Read of size 8 at addr ffff800086988e78 by task kworker/u24:3/59
+  Hardware name: NXP i.MX95 19X19 board (DT)
+  Workqueue: events_unbound deferred_probe_work_func
+  Call trace:
+    dump_backtrace+0x94/0xec
+    show_stack+0x18/0x24
+    dump_stack_lvl+0x8c/0xcc
+    print_report+0x398/0x5fc
+    kasan_report+0xd4/0x114
+    __asan_report_load8_noabort+0x20/0x2c
+    __clk_register+0x1844/0x20d8
+    clk_hw_register+0x44/0x110
+    __clk_hw_register_mux+0x284/0x3a8
+    imx95_bc_probe+0x4f4/0xa70
+
+Fixes: 5224b189462f ("clk: imx: add i.MX95 BLK CTL clk driver")
+Cc: stable@vger.kernel.org
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Xiaolei Wang <xiaolei.wang@windriver.com>
+Link: https://lore.kernel.org/r/20250619062108.2016511-1-xiaolei.wang@windriver.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/imx/clk-imx95-blk-ctl.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/clk/imx/clk-imx95-blk-ctl.c b/drivers/clk/imx/clk-imx95-blk-ctl.c
+index 25974947ad0c..cc2ee2be1819 100644
+--- a/drivers/clk/imx/clk-imx95-blk-ctl.c
++++ b/drivers/clk/imx/clk-imx95-blk-ctl.c
+@@ -219,11 +219,15 @@ static const struct imx95_blk_ctl_dev_data lvds_csr_dev_data = {
+       .clk_reg_offset = 0,
+ };
++static const char * const disp_engine_parents[] = {
++      "videopll1", "dsi_pll", "ldb_pll_div7"
++};
++
+ static const struct imx95_blk_ctl_clk_dev_data dispmix_csr_clk_dev_data[] = {
+       [IMX95_CLK_DISPMIX_ENG0_SEL] = {
+               .name = "disp_engine0_sel",
+-              .parent_names = (const char *[]){"videopll1", "dsi_pll", "ldb_pll_div7", },
+-              .num_parents = 4,
++              .parent_names = disp_engine_parents,
++              .num_parents = ARRAY_SIZE(disp_engine_parents),
+               .reg = 0,
+               .bit_idx = 0,
+               .bit_width = 2,
+@@ -232,8 +236,8 @@ static const struct imx95_blk_ctl_clk_dev_data dispmix_csr_clk_dev_data[] = {
+       },
+       [IMX95_CLK_DISPMIX_ENG1_SEL] = {
+               .name = "disp_engine1_sel",
+-              .parent_names = (const char *[]){"videopll1", "dsi_pll", "ldb_pll_div7", },
+-              .num_parents = 4,
++              .parent_names = disp_engine_parents,
++              .num_parents = ARRAY_SIZE(disp_engine_parents),
+               .reg = 0,
+               .bit_idx = 2,
+               .bit_width = 2,
+-- 
+2.50.1
+
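Review bot: The new `disp_engine_parents[]` table in drivers/clk/imx/clk-imx95-blk-ctl.c has three names while both mux entries keep `.bit_width = 2`, so the register field can still hold a fourth selector value that has no parent; the patch does not say whether that encoding is reserved. A one-line comment on the array would record it, for example `/* 2-bit mux field: selector 3 has no parent entry */`. Deriving `.num_parents` from `ARRAY_SIZE()` removes the count/array mismatch that KASAN reported for these two entries. The rest of `dispmix_csr_clk_dev_data[]` lies outside the hunk, so any other entry that pairs a compound literal with a hand-written count cannot be checked from here.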
diff --git a/queue-6.12/clk-scmi-handle-case-where-child-clocks-are-initialized-before-their-parents.patch b/queue-6.12/clk-scmi-handle-case-where-child-clocks-are-initialized-before-their-parents.patch
new file mode 100644 (file)
index 0000000..5cd20e9
--- /dev/null
@@ -0,0 +1,93 @@
+From 6306e0c5a0d28e9df2b5902f4a021204bee75173 Mon Sep 17 00:00:00 2001
+From: Sascha Hauer <s.hauer@pengutronix.de>
+Date: Thu, 12 Jun 2025 14:56:57 +0200
+Subject: clk: scmi: Handle case where child clocks are initialized before their parents
+
+From: Sascha Hauer <s.hauer@pengutronix.de>
+
+commit 6306e0c5a0d28e9df2b5902f4a021204bee75173 upstream.
+
+The SCMI clock driver currently assumes that parent clocks are always
+initialized before their children. However, this assumption can fail if
+a child clock is encountered before its parent during probe.
+
+This leads to an issue during initialization of the parent_data array:
+
+    sclk->parent_data[i].hw = hws[sclk->info->parents[i]];
+
+If the parent clock's hardware structure has not been initialized yet,
+this assignment results in invalid data.
+
+To resolve this, allocate all struct scmi_clk instances as a contiguous
+array at the beginning of the probe and populate the hws[] array
+upfront. This ensures that any parent referenced later is already
+initialized, regardless of the order in which clocks are processed.
+
+Note that we can no longer free individual scmi_clk instances if
+scmi_clk_ops_init() fails which shouldn't be a problem if the SCMI
+platform has proper per-agent clock discovery.
+
+Fixes: 65a8a3dd3b95f ("clk: scmi: Add support for clock {set,get}_parent")
+Reviewed-by: peng.fan@nxp.com
+Reviewed-by: Cristian Marussi <cristian.marussi@arm.com>
+Reviewed-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
+Link: https://lore.kernel.org/r/20250612-clk-scmi-children-parent-fix-v3-1-7de52a27593d@pengutronix.de
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/clk-scmi.c |   18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+--- a/drivers/clk/clk-scmi.c
++++ b/drivers/clk/clk-scmi.c
+@@ -404,6 +404,7 @@ static int scmi_clocks_probe(struct scmi
+       const struct scmi_handle *handle = sdev->handle;
+       struct scmi_protocol_handle *ph;
+       const struct clk_ops *scmi_clk_ops_db[SCMI_MAX_CLK_OPS] = {};
++      struct scmi_clk *sclks;
+       if (!handle)
+               return -ENODEV;
+@@ -430,18 +431,21 @@ static int scmi_clocks_probe(struct scmi
+       transport_is_atomic = handle->is_transport_atomic(handle,
+                                                         &atomic_threshold_us);
++      sclks = devm_kcalloc(dev, count, sizeof(*sclks), GFP_KERNEL);
++      if (!sclks)
++              return -ENOMEM;
++
++      for (idx = 0; idx < count; idx++)
++              hws[idx] = &sclks[idx].hw;
++
+       for (idx = 0; idx < count; idx++) {
+-              struct scmi_clk *sclk;
++              struct scmi_clk *sclk = &sclks[idx];
+               const struct clk_ops *scmi_ops;
+-              sclk = devm_kzalloc(dev, sizeof(*sclk), GFP_KERNEL);
+-              if (!sclk)
+-                      return -ENOMEM;
+-
+               sclk->info = scmi_proto_clk_ops->info_get(ph, idx);
+               if (!sclk->info) {
+                       dev_dbg(dev, "invalid clock info for idx %d\n", idx);
+-                      devm_kfree(dev, sclk);
++                      hws[idx] = NULL;
+                       continue;
+               }
+@@ -479,13 +483,11 @@ static int scmi_clocks_probe(struct scmi
+               if (err) {
+                       dev_err(dev, "failed to register clock %d\n", idx);
+                       devm_kfree(dev, sclk->parent_data);
+-                      devm_kfree(dev, sclk);
+                       hws[idx] = NULL;
+               } else {
+                       dev_dbg(dev, "Registered clock:%s%s\n",
+                               sclk->info->name,
+                               scmi_ops->enable ? " (atomic ops)" : "");
+-                      hws[idx] = &sclk->hw;
+               }
+       }
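Review bot: With `hws[]` filled before the loop in scmi_clocks_probe(), a child processed before its parent can take `&sclks[parent].hw` into its parent_data; if that parent later fails `info_get` or registration, only `hws[idx]` is reset to NULL and the child keeps pointing at a zeroed, never-registered `clk_hw`. The memory stays valid because the array is devm-allocated as one block, but the state is easy to misread; a comment above the pre-population loop such as `/* hws[] may name clocks that later fail to register; they stay allocated but unregistered */` would document it. The assignment quoted in the commit message indexes `hws[]` with `sclk->info->parents[i]`, a value reported by the SCMI platform. That code is outside the hunk, so whether the index is checked against `count` cannot be confirmed here and is worth verifying.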
diff --git a/queue-6.12/erofs-address-d-cache-aliasing.patch b/queue-6.12/erofs-address-d-cache-aliasing.patch
new file mode 100644 (file)
index 0000000..42a9b30
--- /dev/null
@@ -0,0 +1,174 @@
+From 27917e8194f91dffd8b4825350c63cb68e98ce58 Mon Sep 17 00:00:00 2001
+From: Gao Xiang <hsiangkao@linux.alibaba.com>
+Date: Wed, 9 Jul 2025 11:46:14 +0800
+Subject: erofs: address D-cache aliasing
+
+From: Gao Xiang <hsiangkao@linux.alibaba.com>
+
+commit 27917e8194f91dffd8b4825350c63cb68e98ce58 upstream.
+
+Flush the D-cache before unlocking folios for compressed inodes, as
+they are dirtied during decompression.
+
+Avoid calling flush_dcache_folio() on every CPU write, since it's more
+like playing whack-a-mole without real benefit.
+
+It has no impact on x86 and arm64/risc-v: on x86, flush_dcache_folio()
+is a no-op, and on arm64/risc-v, PG_dcache_clean (PG_arch_1) is clear
+for new page cache folios.  However, certain ARM boards are affected,
+as reported.
+
+Fixes: 3883a79abd02 ("staging: erofs: introduce VLE decompression support")
+Closes: https://lore.kernel.org/r/c1e51e16-6cc6-49d0-a63e-4e9ff6c4dd53@pengutronix.de
+Closes: https://lore.kernel.org/r/38d43fae-1182-4155-9c5b-ffc7382d9917@siemens.com
+Tested-by: Jan Kiszka <jan.kiszka@siemens.com>
+Tested-by: Stefan Kerkmann <s.kerkmann@pengutronix.de>
+Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20250709034614.2780117-2-hsiangkao@linux.alibaba.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/erofs/data.c         |   16 +++++++++++-----
+ fs/erofs/decompressor.c |   12 ++++--------
+ fs/erofs/fileio.c       |    4 ++--
+ fs/erofs/internal.h     |    2 +-
+ fs/erofs/zdata.c        |    6 +++---
+ 5 files changed, 21 insertions(+), 19 deletions(-)
+
+--- a/fs/erofs/data.c
++++ b/fs/erofs/data.c
+@@ -240,9 +240,11 @@ int erofs_map_dev(struct super_block *sb
+ /*
+  * bit 30: I/O error occurred on this folio
++ * bit 29: CPU has dirty data in D-cache (needs aliasing handling);
+  * bit 0 - 29: remaining parts to complete this folio
+  */
+-#define EROFS_ONLINEFOLIO_EIO                 (1 << 30)
++#define EROFS_ONLINEFOLIO_EIO         30
++#define EROFS_ONLINEFOLIO_DIRTY               29
+ void erofs_onlinefolio_init(struct folio *folio)
+ {
+@@ -259,19 +261,23 @@ void erofs_onlinefolio_split(struct foli
+       atomic_inc((atomic_t *)&folio->private);
+ }
+-void erofs_onlinefolio_end(struct folio *folio, int err)
++void erofs_onlinefolio_end(struct folio *folio, int err, bool dirty)
+ {
+       int orig, v;
+       do {
+               orig = atomic_read((atomic_t *)&folio->private);
+-              v = (orig - 1) | (err ? EROFS_ONLINEFOLIO_EIO : 0);
++              DBG_BUGON(orig <= 0);
++              v = dirty << EROFS_ONLINEFOLIO_DIRTY;
++              v |= (orig - 1) | (!!err << EROFS_ONLINEFOLIO_EIO);
+       } while (atomic_cmpxchg((atomic_t *)&folio->private, orig, v) != orig);
+-      if (v & ~EROFS_ONLINEFOLIO_EIO)
++      if (v & (BIT(EROFS_ONLINEFOLIO_DIRTY) - 1))
+               return;
+       folio->private = 0;
+-      folio_end_read(folio, !(v & EROFS_ONLINEFOLIO_EIO));
++      if (v & BIT(EROFS_ONLINEFOLIO_DIRTY))
++              flush_dcache_folio(folio);
++      folio_end_read(folio, !(v & BIT(EROFS_ONLINEFOLIO_EIO)));
+ }
+ static int erofs_iomap_begin(struct inode *inode, loff_t offset, loff_t length,
+--- a/fs/erofs/decompressor.c
++++ b/fs/erofs/decompressor.c
+@@ -331,13 +331,11 @@ static int z_erofs_transform_plain(struc
+               cur = min(cur, rq->outputsize);
+               if (cur && rq->out[0]) {
+                       kin = kmap_local_page(rq->in[nrpages_in - 1]);
+-                      if (rq->out[0] == rq->in[nrpages_in - 1]) {
++                      if (rq->out[0] == rq->in[nrpages_in - 1])
+                               memmove(kin + rq->pageofs_out, kin + pi, cur);
+-                              flush_dcache_page(rq->out[0]);
+-                      } else {
++                      else
+                               memcpy_to_page(rq->out[0], rq->pageofs_out,
+                                              kin + pi, cur);
+-                      }
+                       kunmap_local(kin);
+               }
+               rq->outputsize -= cur;
+@@ -355,14 +353,12 @@ static int z_erofs_transform_plain(struc
+                       po = (rq->pageofs_out + cur + pi) & ~PAGE_MASK;
+                       DBG_BUGON(no >= nrpages_out);
+                       cnt = min(insz - pi, PAGE_SIZE - po);
+-                      if (rq->out[no] == rq->in[ni]) {
++                      if (rq->out[no] == rq->in[ni])
+                               memmove(kin + po,
+                                       kin + rq->pageofs_in + pi, cnt);
+-                              flush_dcache_page(rq->out[no]);
+-                      } else if (rq->out[no]) {
++                      else if (rq->out[no])
+                               memcpy_to_page(rq->out[no], po,
+                                              kin + rq->pageofs_in + pi, cnt);
+-                      }
+                       pi += cnt;
+               } while (pi < insz);
+               kunmap_local(kin);
+--- a/fs/erofs/fileio.c
++++ b/fs/erofs/fileio.c
+@@ -38,7 +38,7 @@ static void erofs_fileio_ki_complete(str
+       } else {
+               bio_for_each_folio_all(fi, &rq->bio) {
+                       DBG_BUGON(folio_test_uptodate(fi.folio));
+-                      erofs_onlinefolio_end(fi.folio, ret);
++                      erofs_onlinefolio_end(fi.folio, ret, false);
+               }
+       }
+       bio_uninit(&rq->bio);
+@@ -158,7 +158,7 @@ io_retry:
+               }
+               cur += len;
+       }
+-      erofs_onlinefolio_end(folio, err);
++      erofs_onlinefolio_end(folio, err, false);
+       return err;
+ }
+--- a/fs/erofs/internal.h
++++ b/fs/erofs/internal.h
+@@ -405,7 +405,7 @@ int erofs_fiemap(struct inode *inode, st
+ int erofs_map_blocks(struct inode *inode, struct erofs_map_blocks *map);
+ void erofs_onlinefolio_init(struct folio *folio);
+ void erofs_onlinefolio_split(struct folio *folio);
+-void erofs_onlinefolio_end(struct folio *folio, int err);
++void erofs_onlinefolio_end(struct folio *folio, int err, bool dirty);
+ struct inode *erofs_iget(struct super_block *sb, erofs_nid_t nid);
+ int erofs_getattr(struct mnt_idmap *idmap, const struct path *path,
+                 struct kstat *stat, u32 request_mask,
+--- a/fs/erofs/zdata.c
++++ b/fs/erofs/zdata.c
+@@ -1087,7 +1087,7 @@ static int z_erofs_scan_folio(struct z_e
+                       tight = (bs == PAGE_SIZE);
+               }
+       } while ((end = cur) > 0);
+-      erofs_onlinefolio_end(folio, err);
++      erofs_onlinefolio_end(folio, err, false);
+       return err;
+ }
+@@ -1193,7 +1193,7 @@ static void z_erofs_fill_other_copies(st
+                       cur += len;
+               }
+               kunmap_local(dst);
+-              erofs_onlinefolio_end(page_folio(bvi->bvec.page), err);
++              erofs_onlinefolio_end(page_folio(bvi->bvec.page), err, true);
+               list_del(p);
+               kfree(bvi);
+       }
+@@ -1348,7 +1348,7 @@ static int z_erofs_decompress_pcluster(s
+               DBG_BUGON(z_erofs_page_is_invalidated(page));
+               if (!z_erofs_is_shortlived_page(page)) {
+-                      erofs_onlinefolio_end(page_folio(page), err);
++                      erofs_onlinefolio_end(page_folio(page), err, true);
+                       continue;
+               }
+               if (pcl->algorithmformat != Z_EROFS_COMPRESSION_LZ4) {
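Review bot: The layout comment above the defines in fs/erofs/data.c is left inconsistent: it now assigns bit 29 to the dirty flag but still reads `bit 0 - 29: remaining parts to complete this folio`, while erofs_onlinefolio_end() masks the counter with `BIT(EROFS_ONLINEFOLIO_DIRTY) - 1`, i.e. bits 0 to 28. The line should become ` * bit 0 - 28: remaining parts to complete this folio`. `EROFS_ONLINEFOLIO_EIO` also changed from a mask to a bit index without a rename, so a short comment saying both macros are bit positions to be used with `BIT()` would keep a later `v & EROFS_ONLINEFOLIO_EIO` from compiling silently with the wrong mask.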
diff --git a/queue-6.12/erofs-fix-to-add-missing-tracepoint-in-erofs_read_folio.patch b/queue-6.12/erofs-fix-to-add-missing-tracepoint-in-erofs_read_folio.patch
new file mode 100644 (file)
index 0000000..d7c0dbf
--- /dev/null
@@ -0,0 +1,34 @@
+From 99f7619a77a0a2e3e2bcae676d0f301769167754 Mon Sep 17 00:00:00 2001
+From: Chao Yu <chao@kernel.org>
+Date: Tue, 8 Jul 2025 19:19:42 +0800
+Subject: erofs: fix to add missing tracepoint in erofs_read_folio()
+
+From: Chao Yu <chao@kernel.org>
+
+commit 99f7619a77a0a2e3e2bcae676d0f301769167754 upstream.
+
+Commit 771c994ea51f ("erofs: convert all uncompressed cases to iomap")
+converts to use iomap interface, it removed trace_erofs_readpage()
+tracepoint in the meantime, let's add it back.
+
+Fixes: 771c994ea51f ("erofs: convert all uncompressed cases to iomap")
+Signed-off-by: Chao Yu <chao@kernel.org>
+Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20250708111942.3120926-1-chao@kernel.org
+Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/erofs/data.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/erofs/data.c
++++ b/fs/erofs/data.c
+@@ -378,6 +378,8 @@ int erofs_fiemap(struct inode *inode, st
+  */
+ static int erofs_read_folio(struct file *file, struct folio *folio)
+ {
++      trace_erofs_read_folio(folio, true);
++
+       return iomap_read_folio(folio, &erofs_iomap_ops);
+ }
diff --git a/queue-6.12/erofs-fix-to-add-missing-tracepoint-in-erofs_readahead.patch b/queue-6.12/erofs-fix-to-add-missing-tracepoint-in-erofs_readahead.patch
new file mode 100644 (file)
index 0000000..ba1c719
--- /dev/null
@@ -0,0 +1,35 @@
+From d53238b614e01266a3d36b417b60a502e0698504 Mon Sep 17 00:00:00 2001
+From: Chao Yu <chao@kernel.org>
+Date: Mon, 7 Jul 2025 16:48:32 +0800
+Subject: erofs: fix to add missing tracepoint in erofs_readahead()
+
+From: Chao Yu <chao@kernel.org>
+
+commit d53238b614e01266a3d36b417b60a502e0698504 upstream.
+
+Commit 771c994ea51f ("erofs: convert all uncompressed cases to iomap")
+converts to use iomap interface, it removed trace_erofs_readahead()
+tracepoint in the meantime, let's add it back.
+
+Fixes: 771c994ea51f ("erofs: convert all uncompressed cases to iomap")
+Signed-off-by: Chao Yu <chao@kernel.org>
+Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20250707084832.2725677-1-chao@kernel.org
+Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/erofs/data.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/erofs/data.c
++++ b/fs/erofs/data.c
+@@ -383,6 +383,9 @@ static int erofs_read_folio(struct file
+ static void erofs_readahead(struct readahead_control *rac)
+ {
++      trace_erofs_readahead(rac->mapping->host, readahead_index(rac),
++                                      readahead_count(rac), true);
++
+       return iomap_readahead(rac, &erofs_iomap_ops);
+ }
diff --git a/queue-6.12/ksmbd-fix-a-mount-write-count-leak-in-ksmbd_vfs_kern_path_locked.patch b/queue-6.12/ksmbd-fix-a-mount-write-count-leak-in-ksmbd_vfs_kern_path_locked.patch
new file mode 100644 (file)
index 0000000..32f428f
--- /dev/null
@@ -0,0 +1,34 @@
+From 277627b431a0a6401635c416a21b2a0f77a77347 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sun, 6 Jul 2025 02:26:45 +0100
+Subject: ksmbd: fix a mount write count leak in ksmbd_vfs_kern_path_locked()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 277627b431a0a6401635c416a21b2a0f77a77347 upstream.
+
+If the call of ksmbd_vfs_lock_parent() fails, we drop the parent_path
+references and return an error.  We need to drop the write access we
+just got on parent_path->mnt before we drop the mount reference - callers
+assume that ksmbd_vfs_kern_path_locked() returns with mount write
+access grabbed if and only if it has returned 0.
+
+Fixes: 864fb5d37163 ("ksmbd: fix possible deadlock in smb2_open")
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/vfs.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/smb/server/vfs.c
++++ b/fs/smb/server/vfs.c
+@@ -1298,6 +1298,7 @@ out1:
+               err = ksmbd_vfs_lock_parent(parent_path->dentry, path->dentry);
+               if (err) {
++                      mnt_drop_write(parent_path->mnt);
+                       path_put(path);
+                       path_put(parent_path);
+               }
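Review bot: The invariant this one-line fix restores, that ksmbd_vfs_kern_path_locked() holds write access on `parent_path->mnt` if and only if it returns 0, is written down only in the commit message. A comment on the function (its start is outside the hunk) stating that contract would help the next error path added here keep the pairing. It should also note that `mnt_drop_write()` must come before `path_put(parent_path)`, because the latter drops the mount reference. The call that takes the write access is not visible in this hunk.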
index 7e89fbc383b843e07829cacc56b352745eba7ac7..cc0fa47d66b8a0aa69485173c3e3418b1a439e88 100644 (file)
@@ -93,3 +93,12 @@ scripts-gdb-fix-interrupts.py-after-maple-tree-conversion.patch
 mm-vmalloc-leave-lazy-mmu-mode-on-pte-mapping-error.patch
 lib-alloc_tag-do-not-acquire-non-existent-lock-in-alloc_tag_top_users.patch
 rust-init-allow-dead_code-warnings-for-rust-1.89.0.patch
+clk-imx-fix-an-out-of-bounds-access-in-dispmix_csr_clk_dev_data.patch
+x86-rdrand-disable-rdseed-on-amd-cyan-skillfish.patch
+x86-mm-disable-hugetlb-page-table-sharing-on-32-bit.patch
+clk-scmi-handle-case-where-child-clocks-are-initialized-before-their-parents.patch
+smb-server-make-use-of-rdma_destroy_qp.patch
+ksmbd-fix-a-mount-write-count-leak-in-ksmbd_vfs_kern_path_locked.patch
+erofs-fix-to-add-missing-tracepoint-in-erofs_readahead.patch
+erofs-fix-to-add-missing-tracepoint-in-erofs_read_folio.patch
+erofs-address-d-cache-aliasing.patch
diff --git a/queue-6.12/smb-server-make-use-of-rdma_destroy_qp.patch b/queue-6.12/smb-server-make-use-of-rdma_destroy_qp.patch
new file mode 100644 (file)
index 0000000..fc42782
--- /dev/null
@@ -0,0 +1,67 @@
+From 0c2b53997e8f5e2ec9e0fbd17ac0436466b65488 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 2 Jul 2025 09:18:05 +0200
+Subject: smb: server: make use of rdma_destroy_qp()
+
+From: Stefan Metzmacher <metze@samba.org>
+
+commit 0c2b53997e8f5e2ec9e0fbd17ac0436466b65488 upstream.
+
+The qp is created by rdma_create_qp() as t->cm_id->qp
+and t->qp is just a shortcut.
+
+rdma_destroy_qp() also calls ib_destroy_qp(cm_id->qp) internally,
+but it is protected by a mutex, clears the cm_id and also calls
+trace_cm_qp_destroy().
+
+This should make the tracing more useful as both
+rdma_create_qp() and rdma_destroy_qp() are traces and it makes
+the code look more sane as functions from the same layer are used
+for the specific qp object.
+
+trace-cmd stream -e rdma_cma:cm_qp_create -e rdma_cma:cm_qp_destroy
+shows this now while doing a mount and unmount from a client:
+
+  <...>-80   [002] 378.514182: cm_qp_create:  cm.id=1 src=172.31.9.167:5445 dst=172.31.9.166:37113 tos=0 pd.id=0 qp_type=RC send_wr=867 recv_wr=255 qp_num=1 rc=0
+  <...>-6283 [001] 381.686172: cm_qp_destroy: cm.id=1 src=172.31.9.167:5445 dst=172.31.9.166:37113 tos=0 qp_num=1
+
+Before we only saw the first line.
+
+Cc: Namjae Jeon <linkinjeon@kernel.org>
+Cc: Steve French <stfrench@microsoft.com>
+Cc: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Cc: Hyunchul Lee <hyc.lee@gmail.com>
+Cc: Tom Talpey <tom@talpey.com>
+Cc: linux-cifs@vger.kernel.org
+Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers")
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Tom Talpey <tom@talpey.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/transport_rdma.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/smb/server/transport_rdma.c
++++ b/fs/smb/server/transport_rdma.c
+@@ -432,7 +432,8 @@ static void free_transport(struct smb_di
+       if (t->qp) {
+               ib_drain_qp(t->qp);
+               ib_mr_pool_destroy(t->qp, &t->qp->rdma_mrs);
+-              ib_destroy_qp(t->qp);
++              t->qp = NULL;
++              rdma_destroy_qp(t->cm_id);
+       }
+       ksmbd_debug(RDMA, "drain the reassembly queue\n");
+@@ -1939,8 +1940,8 @@ static int smb_direct_create_qpair(struc
+       return 0;
+ err:
+       if (t->qp) {
+-              ib_destroy_qp(t->qp);
+               t->qp = NULL;
++              rdma_destroy_qp(t->cm_id);
+       }
+       if (t->recv_cq) {
+               ib_destroy_cq(t->recv_cq);
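Review bot: Both changed sites in fs/smb/server/transport_rdma.c clear `t->qp` and then call `rdma_destroy_qp(t->cm_id)`, which only reads correctly if one knows that `t->qp` is an alias of `t->cm_id->qp`; that fact is stated in the commit message but not in the code. A comment at the first site, e.g. `/* t->qp aliases t->cm_id->qp; rdma_destroy_qp() destroys it via the cm_id */`, would keep a later reader from treating the NULL assignment as a leak or from re-adding `ib_destroy_qp()`. The guard is still `if (t->qp)`, so the code relies on `t->cm_id` being valid whenever `t->qp` is set. The bodies of free_transport() and smb_direct_create_qpair() extend beyond the hunks, so that cannot be confirmed from here.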
diff --git a/queue-6.12/x86-mm-disable-hugetlb-page-table-sharing-on-32-bit.patch b/queue-6.12/x86-mm-disable-hugetlb-page-table-sharing-on-32-bit.patch
new file mode 100644 (file)
index 0000000..e50c515
--- /dev/null
@@ -0,0 +1,55 @@
+From 76303ee8d54bff6d9a6d55997acd88a6c2ba63cf Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Wed, 2 Jul 2025 10:32:04 +0200
+Subject: x86/mm: Disable hugetlb page table sharing on 32-bit
+
+From: Jann Horn <jannh@google.com>
+
+commit 76303ee8d54bff6d9a6d55997acd88a6c2ba63cf upstream.
+
+Only select ARCH_WANT_HUGE_PMD_SHARE on 64-bit x86.
+Page table sharing requires at least three levels because it involves
+shared references to PMD tables; 32-bit x86 has either two-level paging
+(without PAE) or three-level paging (with PAE), but even with
+three-level paging, having a dedicated PGD entry for hugetlb is only
+barely possible (because the PGD only has four entries), and it seems
+unlikely anyone's actually using PMD sharing on 32-bit.
+
+Having ARCH_WANT_HUGE_PMD_SHARE enabled on non-PAE 32-bit X86 (which
+has 2-level paging) became particularly problematic after commit
+59d9094df3d7 ("mm: hugetlb: independent PMD page table shared count"),
+since that changes `struct ptdesc` such that the `pt_mm` (for PGDs) and
+the `pt_share_count` (for PMDs) share the same union storage - and with
+2-level paging, PMDs are PGDs.
+
+(For comparison, arm64 also gates ARCH_WANT_HUGE_PMD_SHARE on the
+configuration of page tables such that it is never enabled with 2-level
+paging.)
+
+Closes: https://lore.kernel.org/r/srhpjxlqfna67blvma5frmy3aa@altlinux.org
+Fixes: cfe28c5d63d8 ("x86: mm: Remove x86 version of huge_pmd_share.")
+Reported-by: Vitaly Chikunov <vt@altlinux.org>
+Suggested-by: Dave Hansen <dave.hansen@intel.com>
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Acked-by: Oscar Salvador <osalvador@suse.de>
+Acked-by: David Hildenbrand <david@redhat.com>
+Tested-by: Vitaly Chikunov <vt@altlinux.org>
+Cc:stable@vger.kernel.org
+Link: https://lore.kernel.org/all/20250702-x86-2level-hugetlb-v2-1-1a98096edf92%40google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/Kconfig |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -137,7 +137,7 @@ config X86
+       select ARCH_WANTS_DYNAMIC_TASK_STRUCT
+       select ARCH_WANTS_NO_INSTR
+       select ARCH_WANT_GENERAL_HUGETLB
+-      select ARCH_WANT_HUGE_PMD_SHARE
++      select ARCH_WANT_HUGE_PMD_SHARE         if X86_64
+       select ARCH_WANT_LD_ORPHAN_WARN
+       select ARCH_WANT_OPTIMIZE_DAX_VMEMMAP   if X86_64
+       select ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP       if X86_64
diff --git a/queue-6.12/x86-rdrand-disable-rdseed-on-amd-cyan-skillfish.patch b/queue-6.12/x86-rdrand-disable-rdseed-on-amd-cyan-skillfish.patch
new file mode 100644 (file)
index 0000000..d71104e
--- /dev/null
@@ -0,0 +1,64 @@
+From 5b937a1ed64ebeba8876e398110a5790ad77407c Mon Sep 17 00:00:00 2001
+From: Mikhail Paulyshka <me@mixaill.net>
+Date: Sat, 24 May 2025 17:53:19 +0300
+Subject: x86/rdrand: Disable RDSEED on AMD Cyan Skillfish
+
+From: Mikhail Paulyshka <me@mixaill.net>
+
+commit 5b937a1ed64ebeba8876e398110a5790ad77407c upstream.
+
+AMD Cyan Skillfish (Family 17h, Model 47h, Stepping 0h) has an error that
+causes RDSEED to always return 0xffffffff, while RDRAND works correctly.
+
+Mask the RDSEED cap for this CPU so that both /proc/cpuinfo and direct CPUID
+read report RDSEED as unavailable.
+
+  [ bp: Move to amd.c, massage. ]
+
+Signed-off-by: Mikhail Paulyshka <me@mixaill.net>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Cc: <stable@kernel.org>
+Link: https://lore.kernel.org/20250524145319.209075-1-me@mixaill.net
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/msr-index.h       |    1 +
+ arch/x86/kernel/cpu/amd.c              |    7 +++++++
+ tools/arch/x86/include/asm/msr-index.h |    1 +
+ 3 files changed, 9 insertions(+)
+
+--- a/arch/x86/include/asm/msr-index.h
++++ b/arch/x86/include/asm/msr-index.h
+@@ -621,6 +621,7 @@
+ #define MSR_AMD64_OSVW_STATUS         0xc0010141
+ #define MSR_AMD_PPIN_CTL              0xc00102f0
+ #define MSR_AMD_PPIN                  0xc00102f1
++#define MSR_AMD64_CPUID_FN_7          0xc0011002
+ #define MSR_AMD64_CPUID_FN_1          0xc0011004
+ #define MSR_AMD64_LS_CFG              0xc0011020
+ #define MSR_AMD64_DC_CFG              0xc0011022
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -977,6 +977,13 @@ static void init_amd_zen2(struct cpuinfo
+       init_spectral_chicken(c);
+       fix_erratum_1386(c);
+       zen2_zenbleed_check(c);
++
++      /* Disable RDSEED on AMD Cyan Skillfish because of an error. */
++      if (c->x86_model == 0x47 && c->x86_stepping == 0x0) {
++              clear_cpu_cap(c, X86_FEATURE_RDSEED);
++              msr_clear_bit(MSR_AMD64_CPUID_FN_7, 18);
++              pr_emerg("RDSEED is not reliable on this platform; disabling.\n");
++      }
+ }
+ static void init_amd_zen3(struct cpuinfo_x86 *c)
+--- a/tools/arch/x86/include/asm/msr-index.h
++++ b/tools/arch/x86/include/asm/msr-index.h
+@@ -612,6 +612,7 @@
+ #define MSR_AMD64_OSVW_STATUS         0xc0010141
+ #define MSR_AMD_PPIN_CTL              0xc00102f0
+ #define MSR_AMD_PPIN                  0xc00102f1
++#define MSR_AMD64_CPUID_FN_7          0xc0011002
+ #define MSR_AMD64_CPUID_FN_1          0xc0011004
+ #define MSR_AMD64_LS_CFG              0xc0011020
+ #define MSR_AMD64_DC_CFG              0xc0011022
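Review bot: In the block added to init_amd_zen2() in arch/x86/kernel/cpu/amd.c, the result of `msr_clear_bit(MSR_AMD64_CPUID_FN_7, 18)` is ignored and the message says "disabling" unconditionally, so if the MSR access fails a direct CPUID read could still advertise RDSEED to user space even though the kernel capability is cleared. Checking the return value would make that case visible, e.g. `if (msr_clear_bit(MSR_AMD64_CPUID_FN_7, 18) < 0) pr_warn("could not clear RDSEED in CPUID\n");` (the message text is only a suggestion). The literal `18` would read better with a comment such as `/* CPUID Fn7 EBX[18]: RDSEED */`. If init_amd_zen2() runs on every CPU, which the hunk does not show, `pr_emerg()` will repeat the emergency-level line once per CPU.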