From: Greg Kroah-Hartman Date: Mon, 14 Jul 2025 09:14:46 +0000 (+0200) Subject: 6.6-stable patches X-Git-Tag: v5.15.188~22 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=707f9c7ed8364d92179f2736828276a805c50edd;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: erofs-fix-to-add-missing-tracepoint-in-erofs_read_folio.patch erofs-fix-to-add-missing-tracepoint-in-erofs_readahead.patch ksmbd-fix-a-mount-write-count-leak-in-ksmbd_vfs_kern_path_locked.patch smb-server-make-use-of-rdma_destroy_qp.patch x86-mm-disable-hugetlb-page-table-sharing-on-32-bit.patch x86-rdrand-disable-rdseed-on-amd-cyan-skillfish.patch --- diff --git a/queue-6.6/erofs-fix-to-add-missing-tracepoint-in-erofs_read_folio.patch b/queue-6.6/erofs-fix-to-add-missing-tracepoint-in-erofs_read_folio.patch new file mode 100644 index 0000000000..cc17ddd8d4 --- /dev/null +++ b/queue-6.6/erofs-fix-to-add-missing-tracepoint-in-erofs_read_folio.patch @@ -0,0 +1,34 @@ +From 99f7619a77a0a2e3e2bcae676d0f301769167754 Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Tue, 8 Jul 2025 19:19:42 +0800 +Subject: erofs: fix to add missing tracepoint in erofs_read_folio() + +From: Chao Yu + +commit 99f7619a77a0a2e3e2bcae676d0f301769167754 upstream. + +Commit 771c994ea51f ("erofs: convert all uncompressed cases to iomap") +converts to use iomap interface, it removed trace_erofs_readpage() +tracepoint in the meantime, let's add it back. + +Fixes: 771c994ea51f ("erofs: convert all uncompressed cases to iomap") +Signed-off-by: Chao Yu +Reviewed-by: Gao Xiang +Link: https://lore.kernel.org/r/20250708111942.3120926-1-chao@kernel.org +Signed-off-by: Gao Xiang +Signed-off-by: Greg Kroah-Hartman +--- + fs/erofs/data.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/erofs/data.c ++++ b/fs/erofs/data.c +@@ -358,6 +358,8 @@ int erofs_fiemap(struct inode *inode, st + */ + static int erofs_read_folio(struct file *file, struct folio *folio) + { ++ trace_erofs_read_folio(folio, true); ++ + return iomap_read_folio(folio, &erofs_iomap_ops); + } + diff --git a/queue-6.6/erofs-fix-to-add-missing-tracepoint-in-erofs_readahead.patch b/queue-6.6/erofs-fix-to-add-missing-tracepoint-in-erofs_readahead.patch new file mode 100644 index 0000000000..7d6c738c26 --- /dev/null +++ b/queue-6.6/erofs-fix-to-add-missing-tracepoint-in-erofs_readahead.patch @@ -0,0 +1,35 @@ +From d53238b614e01266a3d36b417b60a502e0698504 Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Mon, 7 Jul 2025 16:48:32 +0800 +Subject: erofs: fix to add missing tracepoint in erofs_readahead() + +From: Chao Yu + +commit d53238b614e01266a3d36b417b60a502e0698504 upstream. + +Commit 771c994ea51f ("erofs: convert all uncompressed cases to iomap") +converts to use iomap interface, it removed trace_erofs_readahead() +tracepoint in the meantime, let's add it back. + +Fixes: 771c994ea51f ("erofs: convert all uncompressed cases to iomap") +Signed-off-by: Chao Yu +Reviewed-by: Gao Xiang +Link: https://lore.kernel.org/r/20250707084832.2725677-1-chao@kernel.org +Signed-off-by: Gao Xiang +Signed-off-by: Greg Kroah-Hartman +--- + fs/erofs/data.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/erofs/data.c ++++ b/fs/erofs/data.c +@@ -363,6 +363,9 @@ static int erofs_read_folio(struct file + + static void erofs_readahead(struct readahead_control *rac) + { ++ trace_erofs_readahead(rac->mapping->host, readahead_index(rac), ++ readahead_count(rac), true); ++ + return iomap_readahead(rac, &erofs_iomap_ops); + } + diff --git a/queue-6.6/ksmbd-fix-a-mount-write-count-leak-in-ksmbd_vfs_kern_path_locked.patch b/queue-6.6/ksmbd-fix-a-mount-write-count-leak-in-ksmbd_vfs_kern_path_locked.patch new file mode 100644 index 0000000000..e43eb99c1d --- /dev/null +++ b/queue-6.6/ksmbd-fix-a-mount-write-count-leak-in-ksmbd_vfs_kern_path_locked.patch @@ -0,0 +1,34 @@ +From 277627b431a0a6401635c416a21b2a0f77a77347 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sun, 6 Jul 2025 02:26:45 +0100 +Subject: ksmbd: fix a mount write count leak in ksmbd_vfs_kern_path_locked() + +From: Al Viro + +commit 277627b431a0a6401635c416a21b2a0f77a77347 upstream. + +If the call of ksmbd_vfs_lock_parent() fails, we drop the parent_path +references and return an error. We need to drop the write access we +just got on parent_path->mnt before we drop the mount reference - callers +assume that ksmbd_vfs_kern_path_locked() returns with mount write +access grabbed if and only if it has returned 0. + +Fixes: 864fb5d37163 ("ksmbd: fix possible deadlock in smb2_open") +Signed-off-by: Al Viro +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/vfs.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/smb/server/vfs.c ++++ b/fs/smb/server/vfs.c +@@ -1293,6 +1293,7 @@ out1: + + err = ksmbd_vfs_lock_parent(parent_path->dentry, path->dentry); + if (err) { ++ mnt_drop_write(parent_path->mnt); + path_put(path); + path_put(parent_path); + } diff --git a/queue-6.6/series b/queue-6.6/series index 544e846747..061fd51205 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -57,3 +57,9 @@ scripts-gdb-de-reference-per-cpu-mce-interrupts.patch scripts-gdb-fix-interrupts.py-after-maple-tree-conversion.patch mm-vmalloc-leave-lazy-mmu-mode-on-pte-mapping-error.patch pwm-mediatek-ensure-to-disable-clocks-in-error-path.patch +x86-rdrand-disable-rdseed-on-amd-cyan-skillfish.patch +x86-mm-disable-hugetlb-page-table-sharing-on-32-bit.patch +smb-server-make-use-of-rdma_destroy_qp.patch +ksmbd-fix-a-mount-write-count-leak-in-ksmbd_vfs_kern_path_locked.patch +erofs-fix-to-add-missing-tracepoint-in-erofs_readahead.patch +erofs-fix-to-add-missing-tracepoint-in-erofs_read_folio.patch diff --git a/queue-6.6/smb-server-make-use-of-rdma_destroy_qp.patch b/queue-6.6/smb-server-make-use-of-rdma_destroy_qp.patch new file mode 100644 index 0000000000..27d420c690 --- /dev/null +++ b/queue-6.6/smb-server-make-use-of-rdma_destroy_qp.patch @@ -0,0 +1,67 @@ +From 0c2b53997e8f5e2ec9e0fbd17ac0436466b65488 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 2 Jul 2025 09:18:05 +0200 +Subject: smb: server: make use of rdma_destroy_qp() + +From: Stefan Metzmacher + +commit 0c2b53997e8f5e2ec9e0fbd17ac0436466b65488 upstream. + +The qp is created by rdma_create_qp() as t->cm_id->qp +and t->qp is just a shortcut. + +rdma_destroy_qp() also calls ib_destroy_qp(cm_id->qp) internally, +but it is protected by a mutex, clears the cm_id and also calls +trace_cm_qp_destroy(). + +This should make the tracing more useful as both +rdma_create_qp() and rdma_destroy_qp() are traces and it makes +the code look more sane as functions from the same layer are used +for the specific qp object. + +trace-cmd stream -e rdma_cma:cm_qp_create -e rdma_cma:cm_qp_destroy +shows this now while doing a mount and unmount from a client: + + <...>-80 [002] 378.514182: cm_qp_create: cm.id=1 src=172.31.9.167:5445 dst=172.31.9.166:37113 tos=0 pd.id=0 qp_type=RC send_wr=867 recv_wr=255 qp_num=1 rc=0 + <...>-6283 [001] 381.686172: cm_qp_destroy: cm.id=1 src=172.31.9.167:5445 dst=172.31.9.166:37113 tos=0 qp_num=1 + +Before we only saw the first line. + +Cc: Namjae Jeon +Cc: Steve French +Cc: Sergey Senozhatsky +Cc: Hyunchul Lee +Cc: Tom Talpey +Cc: linux-cifs@vger.kernel.org +Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers") +Signed-off-by: Stefan Metzmacher +Reviewed-by: Tom Talpey +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/transport_rdma.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/smb/server/transport_rdma.c ++++ b/fs/smb/server/transport_rdma.c +@@ -426,7 +426,8 @@ static void free_transport(struct smb_di + if (t->qp) { + ib_drain_qp(t->qp); + ib_mr_pool_destroy(t->qp, &t->qp->rdma_mrs); +- ib_destroy_qp(t->qp); ++ t->qp = NULL; ++ rdma_destroy_qp(t->cm_id); + } + + ksmbd_debug(RDMA, "drain the reassembly queue\n"); +@@ -1934,8 +1935,8 @@ static int smb_direct_create_qpair(struc + return 0; + err: + if (t->qp) { +- ib_destroy_qp(t->qp); + t->qp = NULL; ++ rdma_destroy_qp(t->cm_id); + } + if (t->recv_cq) { + ib_destroy_cq(t->recv_cq); diff --git a/queue-6.6/x86-mm-disable-hugetlb-page-table-sharing-on-32-bit.patch b/queue-6.6/x86-mm-disable-hugetlb-page-table-sharing-on-32-bit.patch new file mode 100644 index 0000000000..076b0d572e --- /dev/null +++ b/queue-6.6/x86-mm-disable-hugetlb-page-table-sharing-on-32-bit.patch @@ -0,0 +1,55 @@ +From 76303ee8d54bff6d9a6d55997acd88a6c2ba63cf Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Wed, 2 Jul 2025 10:32:04 +0200 +Subject: x86/mm: Disable hugetlb page table sharing on 32-bit + +From: Jann Horn + +commit 76303ee8d54bff6d9a6d55997acd88a6c2ba63cf upstream. + +Only select ARCH_WANT_HUGE_PMD_SHARE on 64-bit x86. +Page table sharing requires at least three levels because it involves +shared references to PMD tables; 32-bit x86 has either two-level paging +(without PAE) or three-level paging (with PAE), but even with +three-level paging, having a dedicated PGD entry for hugetlb is only +barely possible (because the PGD only has four entries), and it seems +unlikely anyone's actually using PMD sharing on 32-bit. + +Having ARCH_WANT_HUGE_PMD_SHARE enabled on non-PAE 32-bit X86 (which +has 2-level paging) became particularly problematic after commit +59d9094df3d7 ("mm: hugetlb: independent PMD page table shared count"), +since that changes `struct ptdesc` such that the `pt_mm` (for PGDs) and +the `pt_share_count` (for PMDs) share the same union storage - and with +2-level paging, PMDs are PGDs. + +(For comparison, arm64 also gates ARCH_WANT_HUGE_PMD_SHARE on the +configuration of page tables such that it is never enabled with 2-level +paging.) + +Closes: https://lore.kernel.org/r/srhpjxlqfna67blvma5frmy3aa@altlinux.org +Fixes: cfe28c5d63d8 ("x86: mm: Remove x86 version of huge_pmd_share.") +Reported-by: Vitaly Chikunov +Suggested-by: Dave Hansen +Signed-off-by: Jann Horn +Signed-off-by: Dave Hansen +Acked-by: Oscar Salvador +Acked-by: David Hildenbrand +Tested-by: Vitaly Chikunov +Cc:stable@vger.kernel.org +Link: https://lore.kernel.org/all/20250702-x86-2level-hugetlb-v2-1-1a98096edf92%40google.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/Kconfig ++++ b/arch/x86/Kconfig +@@ -128,7 +128,7 @@ config X86 + select ARCH_WANTS_DYNAMIC_TASK_STRUCT + select ARCH_WANTS_NO_INSTR + select ARCH_WANT_GENERAL_HUGETLB +- select ARCH_WANT_HUGE_PMD_SHARE ++ select ARCH_WANT_HUGE_PMD_SHARE if X86_64 + select ARCH_WANT_LD_ORPHAN_WARN + select ARCH_WANT_OPTIMIZE_DAX_VMEMMAP if X86_64 + select ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP if X86_64 diff --git a/queue-6.6/x86-rdrand-disable-rdseed-on-amd-cyan-skillfish.patch b/queue-6.6/x86-rdrand-disable-rdseed-on-amd-cyan-skillfish.patch new file mode 100644 index 0000000000..d6797a035f --- /dev/null +++ b/queue-6.6/x86-rdrand-disable-rdseed-on-amd-cyan-skillfish.patch @@ -0,0 +1,64 @@ +From 5b937a1ed64ebeba8876e398110a5790ad77407c Mon Sep 17 00:00:00 2001 +From: Mikhail Paulyshka +Date: Sat, 24 May 2025 17:53:19 +0300 +Subject: x86/rdrand: Disable RDSEED on AMD Cyan Skillfish + +From: Mikhail Paulyshka + +commit 5b937a1ed64ebeba8876e398110a5790ad77407c upstream. + +AMD Cyan Skillfish (Family 17h, Model 47h, Stepping 0h) has an error that +causes RDSEED to always return 0xffffffff, while RDRAND works correctly. + +Mask the RDSEED cap for this CPU so that both /proc/cpuinfo and direct CPUID +read report RDSEED as unavailable. + + [ bp: Move to amd.c, massage. ] + +Signed-off-by: Mikhail Paulyshka +Signed-off-by: Borislav Petkov (AMD) +Cc: +Link: https://lore.kernel.org/20250524145319.209075-1-me@mixaill.net +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/msr-index.h | 1 + + arch/x86/kernel/cpu/amd.c | 7 +++++++ + tools/arch/x86/include/asm/msr-index.h | 1 + + 3 files changed, 9 insertions(+) + +--- a/arch/x86/include/asm/msr-index.h ++++ b/arch/x86/include/asm/msr-index.h +@@ -575,6 +575,7 @@ + #define MSR_AMD64_OSVW_STATUS 0xc0010141 + #define MSR_AMD_PPIN_CTL 0xc00102f0 + #define MSR_AMD_PPIN 0xc00102f1 ++#define MSR_AMD64_CPUID_FN_7 0xc0011002 + #define MSR_AMD64_CPUID_FN_1 0xc0011004 + #define MSR_AMD64_LS_CFG 0xc0011020 + #define MSR_AMD64_DC_CFG 0xc0011022 +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -1154,6 +1154,13 @@ static void init_amd_zen2(struct cpuinfo + { + fix_erratum_1386(c); + zen2_zenbleed_check(c); ++ ++ /* Disable RDSEED on AMD Cyan Skillfish because of an error. */ ++ if (c->x86_model == 0x47 && c->x86_stepping == 0x0) { ++ clear_cpu_cap(c, X86_FEATURE_RDSEED); ++ msr_clear_bit(MSR_AMD64_CPUID_FN_7, 18); ++ pr_emerg("RDSEED is not reliable on this platform; disabling.\n"); ++ } + } + + static void init_amd_zen3(struct cpuinfo_x86 *c) +--- a/tools/arch/x86/include/asm/msr-index.h ++++ b/tools/arch/x86/include/asm/msr-index.h +@@ -550,6 +550,7 @@ + #define MSR_AMD64_OSVW_STATUS 0xc0010141 + #define MSR_AMD_PPIN_CTL 0xc00102f0 + #define MSR_AMD_PPIN 0xc00102f1 ++#define MSR_AMD64_CPUID_FN_7 0xc0011002 + #define MSR_AMD64_CPUID_FN_1 0xc0011004 + #define MSR_AMD64_LS_CFG 0xc0011020 + #define MSR_AMD64_DC_CFG 0xc0011022