From: Greg Kroah-Hartman Date: Mon, 14 Jul 2025 09:15:02 +0000 (+0200) Subject: 6.12-stable patches X-Git-Tag: v5.15.188~21 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7e03c4db61c06aa4327bf96868cd0fd3add1e143;p=thirdparty%2Fkernel%2Fstable-queue.git 6.12-stable patches added patches: clk-imx-fix-an-out-of-bounds-access-in-dispmix_csr_clk_dev_data.patch clk-scmi-handle-case-where-child-clocks-are-initialized-before-their-parents.patch erofs-address-d-cache-aliasing.patch erofs-fix-to-add-missing-tracepoint-in-erofs_read_folio.patch erofs-fix-to-add-missing-tracepoint-in-erofs_readahead.patch ksmbd-fix-a-mount-write-count-leak-in-ksmbd_vfs_kern_path_locked.patch smb-server-make-use-of-rdma_destroy_qp.patch x86-mm-disable-hugetlb-page-table-sharing-on-32-bit.patch x86-rdrand-disable-rdseed-on-amd-cyan-skillfish.patch
---
diff --git a/queue-6.12/clk-imx-fix-an-out-of-bounds-access-in-dispmix_csr_clk_dev_data.patch b/queue-6.12/clk-imx-fix-an-out-of-bounds-access-in-dispmix_csr_clk_dev_data.patch
new file mode 100644
index 0000000000..9613341326
--- /dev/null
+++ b/queue-6.12/clk-imx-fix-an-out-of-bounds-access-in-dispmix_csr_clk_dev_data.patch
@@ -0,0 +1,76 @@
+From aacc875a448d363332b9df0621dde6d3a225ea9f Mon Sep 17 00:00:00 2001
+From: Xiaolei Wang
+Date: Thu, 19 Jun 2025 14:21:08 +0800
+Subject: clk: imx: Fix an out-of-bounds access in dispmix_csr_clk_dev_data
+
+From: Xiaolei Wang
+
+commit aacc875a448d363332b9df0621dde6d3a225ea9f upstream.
+
+When num_parents is 4, __clk_register() occurs an out-of-bounds
+when accessing parent_names member. Use ARRAY_SIZE() instead of
+hardcode number here.
+
+ BUG: KASAN: global-out-of-bounds in __clk_register+0x1844/0x20d8
+ Read of size 8 at addr ffff800086988e78 by task kworker/u24:3/59
+ Hardware name: NXP i.MX95 19X19 board (DT)
+ Workqueue: events_unbound deferred_probe_work_func
+ Call trace:
+ dump_backtrace+0x94/0xec
+ show_stack+0x18/0x24
+ dump_stack_lvl+0x8c/0xcc
+ print_report+0x398/0x5fc
+ kasan_report+0xd4/0x114
+ __asan_report_load8_noabort+0x20/0x2c
+ __clk_register+0x1844/0x20d8
+ clk_hw_register+0x44/0x110
+ __clk_hw_register_mux+0x284/0x3a8
+ imx95_bc_probe+0x4f4/0xa70
+
+Fixes: 5224b189462f ("clk: imx: add i.MX95 BLK CTL clk driver")
+Cc: stable@vger.kernel.org
+Reviewed-by: Frank Li
+Signed-off-by: Xiaolei Wang
+Link: https://lore.kernel.org/r/20250619062108.2016511-1-xiaolei.wang@windriver.com
+Signed-off-by: Stephen Boyd
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/clk/imx/clk-imx95-blk-ctl.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/clk/imx/clk-imx95-blk-ctl.c b/drivers/clk/imx/clk-imx95-blk-ctl.c
+index 25974947ad0c..cc2ee2be1819 100644
+--- a/drivers/clk/imx/clk-imx95-blk-ctl.c
++++ b/drivers/clk/imx/clk-imx95-blk-ctl.c
+@@ -219,11 +219,15 @@ static const struct imx95_blk_ctl_dev_data lvds_csr_dev_data = {
+ .clk_reg_offset = 0,
+ };
+
++static const char * const disp_engine_parents[] = {
++ "videopll1", "dsi_pll", "ldb_pll_div7"
++};
++
+ static const struct imx95_blk_ctl_clk_dev_data dispmix_csr_clk_dev_data[] = {
+ [IMX95_CLK_DISPMIX_ENG0_SEL] = {
+ .name = "disp_engine0_sel",
+-
.parent_names = (const char *[]){"videopll1", "dsi_pll", "ldb_pll_div7", },
+- .num_parents = 4,
++ .parent_names = disp_engine_parents,
++ .num_parents = ARRAY_SIZE(disp_engine_parents),
+ .reg = 0,
+ .bit_idx = 0,
+ .bit_width = 2,
+@@ -232,8 +236,8 @@ static const struct imx95_blk_ctl_clk_dev_data dispmix_csr_clk_dev_data[] = {
+ },
+ [IMX95_CLK_DISPMIX_ENG1_SEL] = {
+ .name = "disp_engine1_sel",
+- .parent_names = (const char *[]){"videopll1", "dsi_pll", "ldb_pll_div7", },
+- .num_parents = 4,
++ .parent_names = disp_engine_parents,
++ .num_parents = ARRAY_SIZE(disp_engine_parents),
+ .reg = 0,
+ .bit_idx = 2,
+ .bit_width = 2,
+--
+2.50.1
+
diff --git a/queue-6.12/clk-scmi-handle-case-where-child-clocks-are-initialized-before-their-parents.patch b/queue-6.12/clk-scmi-handle-case-where-child-clocks-are-initialized-before-their-parents.patch
new file mode 100644
index 0000000000..5cd20e910c
--- /dev/null
+++ b/queue-6.12/clk-scmi-handle-case-where-child-clocks-are-initialized-before-their-parents.patch
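Review bot: In the clk-imx95-blk-ctl.c change, both `disp_engine*_sel` entries keep `.bit_width = 2` while `disp_engine_parents[]` holds three names, so the mux field can presumably carry a fourth value that maps to no parent, and nothing in the new code records that. A one-line comment above the array, e.g. `/* 2-bit mux field; only selector values 0-2 have a parent */`, would keep a later edit from "correcting" the count back to 4 and reintroducing the global out-of-bounds read that KASAN reported. Other tables in this driver that pair a compound-literal `parent_names` with a hand-counted `num_parents` are outside these hunks and may deserve the same `ARRAY_SIZE()` treatment.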
@@ -0,0 +1,93 @@
+From 6306e0c5a0d28e9df2b5902f4a021204bee75173 Mon Sep 17 00:00:00 2001
+From: Sascha Hauer
+Date: Thu, 12 Jun 2025 14:56:57 +0200
+Subject: clk: scmi: Handle case where child clocks are initialized before their parents
+
+From: Sascha Hauer
+
+commit 6306e0c5a0d28e9df2b5902f4a021204bee75173 upstream.
+
+The SCMI clock driver currently assumes that parent clocks are always
+initialized before their children. However, this assumption can fail if
+a child clock is encountered before its parent during probe.
+
+This leads to an issue during initialization of the parent_data array:
+
+ sclk->parent_data[i].hw = hws[sclk->info->parents[i]];
+
+If the parent clock's hardware structure has not been initialized yet,
+this assignment results in invalid data.
+
+To resolve this, allocate all struct scmi_clk instances as a contiguous
+array at the beginning of the probe and populate the hws[] array
+upfront. This ensures that any parent referenced later is already
+initialized, regardless of the order in which clocks are processed.
+
+Note that we can no longer free individual scmi_clk instances if
+scmi_clk_ops_init() fails which shouldn't be a problem if the SCMI
+platform has proper per-agent clock discovery.
+
+Fixes: 65a8a3dd3b95f ("clk: scmi: Add support for clock {set,get}_parent")
+Reviewed-by: peng.fan@nxp.com
+Reviewed-by: Cristian Marussi
+Reviewed-by: Sudeep Holla
+Signed-off-by: Sascha Hauer
+Link: https://lore.kernel.org/r/20250612-clk-scmi-children-parent-fix-v3-1-7de52a27593d@pengutronix.de
+Signed-off-by: Stephen Boyd
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/clk/clk-scmi.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+--- a/drivers/clk/clk-scmi.c
++++ b/drivers/clk/clk-scmi.c
+@@ -404,6 +404,7 @@ static int scmi_clocks_probe(struct scmi
+ const struct scmi_handle *handle = sdev->handle;
+ struct scmi_protocol_handle *ph;
+ const struct clk_ops *scmi_clk_ops_db[SCMI_MAX_CLK_OPS] = {};
++ struct scmi_clk *sclks;
+
+ if (!handle)
+ return -ENODEV;
+@@ -430,18 +431,21 @@ static int scmi_clocks_probe(struct scmi
+ transport_is_atomic = handle->is_transport_atomic(handle,
+ &atomic_threshold_us);
+
++ sclks = devm_kcalloc(dev, count, sizeof(*sclks), GFP_KERNEL);
++ if (!sclks)
++ return -ENOMEM;
++
++ for (idx = 0; idx < count; idx++)
++ hws[idx] = &sclks[idx].hw;
++
+ for (idx = 0; idx < count; idx++) {
+- struct scmi_clk *sclk;
++ struct scmi_clk *sclk = &sclks[idx];
+ const struct clk_ops *scmi_ops;
+
+- sclk = devm_kzalloc(dev, sizeof(*sclk), GFP_KERNEL);
+- if (!sclk)
+- return -ENOMEM;
+-
+ sclk->info = scmi_proto_clk_ops->info_get(ph, idx);
+ if (!sclk->info) {
+ dev_dbg(dev, "invalid clock info for idx %d\n", idx);
+- devm_kfree(dev, sclk);
++ hws[idx] = NULL;
+ continue;
+ }
+
+@@ -479,13 +483,11 @@ static int scmi_clocks_probe(struct scmi
+ if (err) {
+ dev_err(dev, "failed to register clock %d\n", idx);
+ devm_kfree(dev, sclk->parent_data);
+- devm_kfree(dev, sclk);
+ hws[idx] = NULL;
+ } else {
+ dev_dbg(dev, "Registered clock:%s%s\n",
+ sclk->info->name,
+ scmi_ops->enable ? " (atomic ops)" : "");
+- hws[idx] = &sclk->hw;
+ }
+ }
+
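Review bot: Nothing in the visible clk-scmi.c hunks bounds the platform-supplied parent index in `hws[sclk->info->parents[i]]` (the assignment quoted in the commit message) against `count`, and with `hws[]` now pre-filled for every index a bad value is no longer caught by a NULL entry. The loop that builds `parent_data` is outside these hunks, so the check may already exist; if it does not, a guard such as `if (sclk->info->parents[i] >= count)` that rejects the clock would keep a malformed SCMI reply from indexing past `hws[]`. Separately, a child handled before its parent keeps `&sclks[parent].hw` even when that parent later takes one of the `hws[idx] = NULL` paths, so its `parent_data` can name a `clk_hw` that is never registered. A comment on the pre-fill loop such as `/* entries may be reset to NULL later; children may still reference the unregistered hw */` would make that trade-off explicit.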
diff --git a/queue-6.12/erofs-address-d-cache-aliasing.patch b/queue-6.12/erofs-address-d-cache-aliasing.patch
new file mode 100644
index 0000000000..42a9b3063f
--- /dev/null
+++ b/queue-6.12/erofs-address-d-cache-aliasing.patch
@@ -0,0 +1,174 @@
+From 27917e8194f91dffd8b4825350c63cb68e98ce58 Mon Sep 17 00:00:00 2001
+From: Gao Xiang
+Date: Wed, 9 Jul 2025 11:46:14 +0800
+Subject: erofs: address D-cache aliasing
+
+From: Gao Xiang
+
+commit 27917e8194f91dffd8b4825350c63cb68e98ce58 upstream.
+
+Flush the D-cache before unlocking folios for compressed inodes, as
+they are dirtied during decompression.
+
+Avoid calling flush_dcache_folio() on every CPU write, since it's more
+like playing whack-a-mole without real benefit.
+
+It has no impact on x86 and arm64/risc-v: on x86, flush_dcache_folio()
+is a no-op, and on arm64/risc-v, PG_dcache_clean (PG_arch_1) is clear
+for new page cache folios. However, certain ARM boards are affected,
+as reported.
+
+Fixes: 3883a79abd02 ("staging: erofs: introduce VLE decompression support")
+Closes: https://lore.kernel.org/r/c1e51e16-6cc6-49d0-a63e-4e9ff6c4dd53@pengutronix.de
+Closes: https://lore.kernel.org/r/38d43fae-1182-4155-9c5b-ffc7382d9917@siemens.com
+Tested-by: Jan Kiszka
+Tested-by: Stefan Kerkmann
+Signed-off-by: Gao Xiang
+Link: https://lore.kernel.org/r/20250709034614.2780117-2-hsiangkao@linux.alibaba.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/erofs/data.c | 16 +++++++++++-----
+ fs/erofs/decompressor.c | 12 ++++--------
+ fs/erofs/fileio.c | 4 ++--
+ fs/erofs/internal.h | 2 +-
+ fs/erofs/zdata.c | 6 +++---
+ 5 files changed, 21 insertions(+), 19 deletions(-)
+
+--- a/fs/erofs/data.c
++++ b/fs/erofs/data.c
+@@ -240,9 +240,11 @@ int erofs_map_dev(struct super_block *sb
+
+ /*
+ * bit 30: I/O error occurred on this folio
++ * bit 29: CPU has dirty data in D-cache (needs aliasing handling);
+ * bit 0 - 29: remaining parts to complete this folio
+ */
+-#define EROFS_ONLINEFOLIO_EIO (1 << 30)
++#define EROFS_ONLINEFOLIO_EIO 30
++#define EROFS_ONLINEFOLIO_DIRTY 29
+
+ void erofs_onlinefolio_init(struct folio *folio)
+ {
+@@ -259,19 +261,23 @@ void erofs_onlinefolio_split(struct foli
+ atomic_inc((atomic_t *)&folio->private);
+ }
+
+-void
erofs_onlinefolio_end(struct folio *folio, int err)
++void erofs_onlinefolio_end(struct folio *folio, int err, bool dirty)
+ {
+ int orig, v;
+
+ do {
+ orig = atomic_read((atomic_t *)&folio->private);
+- v = (orig - 1) | (err ? EROFS_ONLINEFOLIO_EIO : 0);
++ DBG_BUGON(orig <= 0);
++ v = dirty << EROFS_ONLINEFOLIO_DIRTY;
++ v |= (orig - 1) | (!!err << EROFS_ONLINEFOLIO_EIO);
+ } while (atomic_cmpxchg((atomic_t *)&folio->private, orig, v) != orig);
+
+- if (v & ~EROFS_ONLINEFOLIO_EIO)
++ if (v & (BIT(EROFS_ONLINEFOLIO_DIRTY) - 1))
+ return;
+ folio->private = 0;
+- folio_end_read(folio, !(v & EROFS_ONLINEFOLIO_EIO));
++ if (v & BIT(EROFS_ONLINEFOLIO_DIRTY))
++ flush_dcache_folio(folio);
++ folio_end_read(folio, !(v & BIT(EROFS_ONLINEFOLIO_EIO)));
+ }
+
+ static int erofs_iomap_begin(struct inode *inode, loff_t offset, loff_t length,
+--- a/fs/erofs/decompressor.c
++++ b/fs/erofs/decompressor.c
+@@ -331,13 +331,11 @@ static int z_erofs_transform_plain(struc
+ cur = min(cur, rq->outputsize);
+ if (cur && rq->out[0]) {
+ kin = kmap_local_page(rq->in[nrpages_in - 1]);
+- if (rq->out[0] == rq->in[nrpages_in - 1]) {
++ if (rq->out[0] == rq->in[nrpages_in - 1])
+ memmove(kin + rq->pageofs_out, kin + pi, cur);
+- flush_dcache_page(rq->out[0]);
+- } else {
++ else
+ memcpy_to_page(rq->out[0], rq->pageofs_out,
+ kin + pi, cur);
+- }
+ kunmap_local(kin);
+ }
+ rq->outputsize -= cur;
+@@ -355,14 +353,12 @@ static int z_erofs_transform_plain(struc
+ po = (rq->pageofs_out + cur + pi) & ~PAGE_MASK;
+ DBG_BUGON(no >= nrpages_out);
+ cnt = min(insz - pi, PAGE_SIZE - po);
+- if (rq->out[no] == rq->in[ni]) {
++ if (rq->out[no] == rq->in[ni])
+ memmove(kin + po,
+ kin + rq->pageofs_in + pi, cnt);
+- flush_dcache_page(rq->out[no]);
+- } else if (rq->out[no]) {
++ else if (rq->out[no])
+ memcpy_to_page(rq->out[no], po,
+ kin + rq->pageofs_in + pi, cnt);
+- }
+ pi += cnt;
+ } while (pi < insz);
+ kunmap_local(kin);
+--- a/fs/erofs/fileio.c
++++ b/fs/erofs/fileio.c
+@@ -38,7 +38,7 @@
static void erofs_fileio_ki_complete(str
+ } else {
+ bio_for_each_folio_all(fi, &rq->bio) {
+ DBG_BUGON(folio_test_uptodate(fi.folio));
+- erofs_onlinefolio_end(fi.folio, ret);
++ erofs_onlinefolio_end(fi.folio, ret, false);
+ }
+ }
+ bio_uninit(&rq->bio);
+@@ -158,7 +158,7 @@ io_retry:
+ }
+ cur += len;
+ }
+- erofs_onlinefolio_end(folio, err);
++ erofs_onlinefolio_end(folio, err, false);
+ return err;
+ }
+
+--- a/fs/erofs/internal.h
++++ b/fs/erofs/internal.h
+@@ -405,7 +405,7 @@ int erofs_fiemap(struct inode *inode, st
+ int erofs_map_blocks(struct inode *inode, struct erofs_map_blocks *map);
+ void erofs_onlinefolio_init(struct folio *folio);
+ void erofs_onlinefolio_split(struct folio *folio);
+-void erofs_onlinefolio_end(struct folio *folio, int err);
++void erofs_onlinefolio_end(struct folio *folio, int err, bool dirty);
+ struct inode *erofs_iget(struct super_block *sb, erofs_nid_t nid);
+ int erofs_getattr(struct mnt_idmap *idmap, const struct path *path,
+ struct kstat *stat, u32 request_mask,
+--- a/fs/erofs/zdata.c
++++ b/fs/erofs/zdata.c
+@@ -1087,7 +1087,7 @@ static int z_erofs_scan_folio(struct z_e
+ tight = (bs == PAGE_SIZE);
+ }
+ } while ((end = cur) > 0);
+- erofs_onlinefolio_end(folio, err);
++ erofs_onlinefolio_end(folio, err, false);
+ return err;
+ }
+
+@@ -1193,7 +1193,7 @@ static void z_erofs_fill_other_copies(st
+ cur += len;
+ }
+ kunmap_local(dst);
+- erofs_onlinefolio_end(page_folio(bvi->bvec.page), err);
++ erofs_onlinefolio_end(page_folio(bvi->bvec.page), err, true);
+ list_del(p);
+ kfree(bvi);
+ }
+@@ -1348,7 +1348,7 @@ static int z_erofs_decompress_pcluster(s
+
+ DBG_BUGON(z_erofs_page_is_invalidated(page));
+ if (!z_erofs_is_shortlived_page(page)) {
+- erofs_onlinefolio_end(page_folio(page), err);
++ erofs_onlinefolio_end(page_folio(page), err, true);
+ continue;
+ }
+ if (pcl->algorithmformat != Z_EROFS_COMPRESSION_LZ4) {
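Review bot: The layout comment above the defines in fs/erofs/data.c is left inconsistent by this change: it now documents bit 29 as the D-cache dirty flag but still says `bit 0 - 29: remaining parts to complete this folio`, while erofs_onlinefolio_end() masks the counter with `BIT(EROFS_ONLINEFOLIO_DIRTY) - 1`, i.e. bits 0-28. The comment line should read `* bit 0 - 28: remaining parts to complete this folio`. `EROFS_ONLINEFOLIO_EIO` also changes from a mask (`1 << 30`) to a bit number (`30`) under the same name, so any user outside these hunks that still tests `v & EROFS_ONLINEFOLIO_EIO` would compile and silently test the wrong bits; that is worth a grep of the 6.12 tree for this backport.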
diff --git a/queue-6.12/erofs-fix-to-add-missing-tracepoint-in-erofs_read_folio.patch b/queue-6.12/erofs-fix-to-add-missing-tracepoint-in-erofs_read_folio.patch
new file mode 100644
index 0000000000..d7c0dbf793
--- /dev/null
+++ b/queue-6.12/erofs-fix-to-add-missing-tracepoint-in-erofs_read_folio.patch
@@ -0,0 +1,34 @@
+From 99f7619a77a0a2e3e2bcae676d0f301769167754 Mon Sep 17 00:00:00 2001
+From: Chao Yu
+Date: Tue, 8 Jul 2025 19:19:42 +0800
+Subject: erofs: fix to add missing tracepoint in erofs_read_folio()
+
+From: Chao Yu
+
+commit 99f7619a77a0a2e3e2bcae676d0f301769167754 upstream.
+
+Commit 771c994ea51f ("erofs: convert all uncompressed cases to iomap")
+converts to use iomap interface, it removed trace_erofs_readpage()
+tracepoint in the meantime, let's add it back.
+
+Fixes: 771c994ea51f ("erofs: convert all uncompressed cases to iomap")
+Signed-off-by: Chao Yu
+Reviewed-by: Gao Xiang
+Link: https://lore.kernel.org/r/20250708111942.3120926-1-chao@kernel.org
+Signed-off-by: Gao Xiang
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/erofs/data.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/erofs/data.c
++++ b/fs/erofs/data.c
+@@ -378,6 +378,8 @@ int erofs_fiemap(struct inode *inode, st
+ */
+ static int erofs_read_folio(struct file *file, struct folio *folio)
+ {
++ trace_erofs_read_folio(folio, true);
++
+ return iomap_read_folio(folio, &erofs_iomap_ops);
+ }
+
diff --git a/queue-6.12/erofs-fix-to-add-missing-tracepoint-in-erofs_readahead.patch b/queue-6.12/erofs-fix-to-add-missing-tracepoint-in-erofs_readahead.patch
new file mode 100644
index 0000000000..ba1c719aeb
--- /dev/null
+++ b/queue-6.12/erofs-fix-to-add-missing-tracepoint-in-erofs_readahead.patch
@@ -0,0 +1,35 @@
+From d53238b614e01266a3d36b417b60a502e0698504 Mon Sep 17 00:00:00 2001
+From: Chao Yu
+Date: Mon, 7 Jul 2025 16:48:32 +0800
+Subject: erofs: fix to add missing tracepoint in erofs_readahead()
+
+From: Chao Yu
+
+commit d53238b614e01266a3d36b417b60a502e0698504 upstream.
+
+Commit 771c994ea51f ("erofs: convert all uncompressed cases to iomap")
+converts to use iomap interface, it removed trace_erofs_readahead()
+tracepoint in the meantime, let's add it back.
+
+Fixes: 771c994ea51f ("erofs: convert all uncompressed cases to iomap")
+Signed-off-by: Chao Yu
+Reviewed-by: Gao Xiang
+Link: https://lore.kernel.org/r/20250707084832.2725677-1-chao@kernel.org
+Signed-off-by: Gao Xiang
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/erofs/data.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/erofs/data.c
++++ b/fs/erofs/data.c
+@@ -383,6 +383,9 @@ static int erofs_read_folio(struct file
+
+ static void erofs_readahead(struct readahead_control *rac)
+ {
++ trace_erofs_readahead(rac->mapping->host, readahead_index(rac),
++ readahead_count(rac), true);
++
+ return iomap_readahead(rac, &erofs_iomap_ops);
+ }
+
diff --git a/queue-6.12/ksmbd-fix-a-mount-write-count-leak-in-ksmbd_vfs_kern_path_locked.patch b/queue-6.12/ksmbd-fix-a-mount-write-count-leak-in-ksmbd_vfs_kern_path_locked.patch
new file mode 100644
index 0000000000..32f428f6dd
--- /dev/null
+++ b/queue-6.12/ksmbd-fix-a-mount-write-count-leak-in-ksmbd_vfs_kern_path_locked.patch
@@ -0,0 +1,34 @@
+From 277627b431a0a6401635c416a21b2a0f77a77347 Mon Sep 17 00:00:00 2001
+From: Al Viro
+Date: Sun, 6 Jul 2025 02:26:45 +0100
+Subject: ksmbd: fix a mount write count leak in ksmbd_vfs_kern_path_locked()
+
+From: Al Viro
+
+commit 277627b431a0a6401635c416a21b2a0f77a77347 upstream.
+
+If the call of ksmbd_vfs_lock_parent() fails, we drop the parent_path
+references and return an error. We need to drop the write access we
+just got on parent_path->mnt before we drop the mount reference - callers
+assume that ksmbd_vfs_kern_path_locked() returns with mount write
+access grabbed if and only if it has returned 0.
+
+Fixes: 864fb5d37163 ("ksmbd: fix possible deadlock in smb2_open")
+Signed-off-by: Al Viro
+Acked-by: Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/server/vfs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/smb/server/vfs.c
++++ b/fs/smb/server/vfs.c
+@@ -1298,6 +1298,7 @@ out1:
+
+ err = ksmbd_vfs_lock_parent(parent_path->dentry, path->dentry);
+ if (err) {
++ mnt_drop_write(parent_path->mnt);
+ path_put(path);
+ path_put(parent_path);
+ }
diff --git a/queue-6.12/series b/queue-6.12/series
index 7e89fbc383..cc0fa47d66 100644
--- a/queue-6.12/series
+++ b/queue-6.12/series
@@ -93,3 +93,12 @@ scripts-gdb-fix-interrupts.py-after-maple-tree-conversion.patch
 mm-vmalloc-leave-lazy-mmu-mode-on-pte-mapping-error.patch
 lib-alloc_tag-do-not-acquire-non-existent-lock-in-alloc_tag_top_users.patch
 rust-init-allow-dead_code-warnings-for-rust-1.89.0.patch
+clk-imx-fix-an-out-of-bounds-access-in-dispmix_csr_clk_dev_data.patch
+x86-rdrand-disable-rdseed-on-amd-cyan-skillfish.patch
+x86-mm-disable-hugetlb-page-table-sharing-on-32-bit.patch
+clk-scmi-handle-case-where-child-clocks-are-initialized-before-their-parents.patch
+smb-server-make-use-of-rdma_destroy_qp.patch
+ksmbd-fix-a-mount-write-count-leak-in-ksmbd_vfs_kern_path_locked.patch
+erofs-fix-to-add-missing-tracepoint-in-erofs_readahead.patch
+erofs-fix-to-add-missing-tracepoint-in-erofs_read_folio.patch
+erofs-address-d-cache-aliasing.patch
diff --git a/queue-6.12/smb-server-make-use-of-rdma_destroy_qp.patch b/queue-6.12/smb-server-make-use-of-rdma_destroy_qp.patch
new file mode 100644
index 0000000000..fc42782a9e
--- /dev/null
+++ b/queue-6.12/smb-server-make-use-of-rdma_destroy_qp.patch
@@ -0,0 +1,67 @@
+From 0c2b53997e8f5e2ec9e0fbd17ac0436466b65488 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher
+Date: Wed, 2 Jul 2025 09:18:05 +0200
+Subject: smb: server: make use of rdma_destroy_qp()
+
+From: Stefan Metzmacher
+
+commit 0c2b53997e8f5e2ec9e0fbd17ac0436466b65488 upstream.
+
+The qp is created by rdma_create_qp() as t->cm_id->qp
+and t->qp is just a shortcut.
+
+rdma_destroy_qp() also calls ib_destroy_qp(cm_id->qp) internally,
+but it is protected by a mutex, clears the cm_id and also calls
+trace_cm_qp_destroy().
+
+This should make the tracing more useful as both
+rdma_create_qp() and rdma_destroy_qp() are traces and it makes
+the code look more sane as functions from the same layer are used
+for the specific qp object.
+
+trace-cmd stream -e rdma_cma:cm_qp_create -e rdma_cma:cm_qp_destroy
+shows this now while doing a mount and unmount from a client:
+
+ <...>-80 [002] 378.514182: cm_qp_create: cm.id=1 src=172.31.9.167:5445 dst=172.31.9.166:37113 tos=0 pd.id=0 qp_type=RC send_wr=867 recv_wr=255 qp_num=1 rc=0
+ <...>-6283 [001] 381.686172: cm_qp_destroy: cm.id=1 src=172.31.9.167:5445 dst=172.31.9.166:37113 tos=0 qp_num=1
+
+Before we only saw the first line.
+
+Cc: Namjae Jeon
+Cc: Steve French
+Cc: Sergey Senozhatsky
+Cc: Hyunchul Lee
+Cc: Tom Talpey
+Cc: linux-cifs@vger.kernel.org
+Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers")
+Signed-off-by: Stefan Metzmacher
+Reviewed-by: Tom Talpey
+Acked-by: Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/server/transport_rdma.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/smb/server/transport_rdma.c
++++ b/fs/smb/server/transport_rdma.c
+@@ -432,7 +432,8 @@ static void free_transport(struct smb_di
+ if (t->qp) {
+ ib_drain_qp(t->qp);
+ ib_mr_pool_destroy(t->qp, &t->qp->rdma_mrs);
+- ib_destroy_qp(t->qp);
++ t->qp = NULL;
++ rdma_destroy_qp(t->cm_id);
+ }
+
+ ksmbd_debug(RDMA, "drain the reassembly queue\n");
+@@ -1939,8 +1940,8 @@ static int smb_direct_create_qpair(struc
+ return 0;
+ err:
+ if (t->qp) {
+- ib_destroy_qp(t->qp);
+ t->qp = NULL;
++ rdma_destroy_qp(t->cm_id);
+ }
+ if (t->recv_cq) {
+ ib_destroy_cq(t->recv_cq);
diff --git a/queue-6.12/x86-mm-disable-hugetlb-page-table-sharing-on-32-bit.patch b/queue-6.12/x86-mm-disable-hugetlb-page-table-sharing-on-32-bit.patch
new file mode 100644
index 0000000000..e50c5157f8
--- /dev/null
+++ b/queue-6.12/x86-mm-disable-hugetlb-page-table-sharing-on-32-bit.patch
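Review bot: In transport_rdma.c both teardown sites now clear `t->qp` before calling `rdma_destroy_qp(t->cm_id)`, but the code carries no comment saying why the order matters. Per the commit message `t->qp` is only a shortcut for `t->cm_id->qp`, so a line such as `/* t->qp aliases t->cm_id->qp; drop the alias before the cm_id destroys it */` at the free_transport() site would stop a later cleanup from reordering the two statements and leaving a dangling pointer. Both sites also rely on `t->cm_id` being valid whenever `t->qp` is set; that invariant is established where the qp is created, outside these hunks, and should be confirmed for the 6.12 tree.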
@@ -0,0 +1,55 @@
+From 76303ee8d54bff6d9a6d55997acd88a6c2ba63cf Mon Sep 17 00:00:00 2001
+From: Jann Horn
+Date: Wed, 2 Jul 2025 10:32:04 +0200
+Subject: x86/mm: Disable hugetlb page table sharing on 32-bit
+
+From: Jann Horn
+
+commit 76303ee8d54bff6d9a6d55997acd88a6c2ba63cf upstream.
+
+Only select ARCH_WANT_HUGE_PMD_SHARE on 64-bit x86.
+Page table sharing requires at least three levels because it involves
+shared references to PMD tables; 32-bit x86 has either two-level paging
+(without PAE) or three-level paging (with PAE), but even with
+three-level paging, having a dedicated PGD entry for hugetlb is only
+barely possible (because the PGD only has four entries), and it seems
+unlikely anyone's actually using PMD sharing on 32-bit.
+
+Having ARCH_WANT_HUGE_PMD_SHARE enabled on non-PAE 32-bit X86 (which
+has 2-level paging) became particularly problematic after commit
+59d9094df3d7 ("mm: hugetlb: independent PMD page table shared count"),
+since that changes `struct ptdesc` such that the `pt_mm` (for PGDs) and
+the `pt_share_count` (for PMDs) share the same union storage - and with
+2-level paging, PMDs are PGDs.
+
+(For comparison, arm64 also gates ARCH_WANT_HUGE_PMD_SHARE on the
+configuration of page tables such that it is never enabled with 2-level
+paging.)
+
+Closes: https://lore.kernel.org/r/srhpjxlqfna67blvma5frmy3aa@altlinux.org
+Fixes: cfe28c5d63d8 ("x86: mm: Remove x86 version of huge_pmd_share.")
+Reported-by: Vitaly Chikunov
+Suggested-by: Dave Hansen
+Signed-off-by: Jann Horn
+Signed-off-by: Dave Hansen
+Acked-by: Oscar Salvador
+Acked-by: David Hildenbrand
+Tested-by: Vitaly Chikunov
+Cc:stable@vger.kernel.org
+Link: https://lore.kernel.org/all/20250702-x86-2level-hugetlb-v2-1-1a98096edf92%40google.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -137,7 +137,7 @@ config X86
+ select ARCH_WANTS_DYNAMIC_TASK_STRUCT
+ select ARCH_WANTS_NO_INSTR
+ select ARCH_WANT_GENERAL_HUGETLB
+- select ARCH_WANT_HUGE_PMD_SHARE
++ select ARCH_WANT_HUGE_PMD_SHARE if X86_64
+ select ARCH_WANT_LD_ORPHAN_WARN
+ select ARCH_WANT_OPTIMIZE_DAX_VMEMMAP if X86_64
+ select ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP if X86_64
diff --git a/queue-6.12/x86-rdrand-disable-rdseed-on-amd-cyan-skillfish.patch b/queue-6.12/x86-rdrand-disable-rdseed-on-amd-cyan-skillfish.patch
new file mode 100644
index 0000000000..d71104e052
--- /dev/null
+++ b/queue-6.12/x86-rdrand-disable-rdseed-on-amd-cyan-skillfish.patch
@@ -0,0 +1,64 @@
+From 5b937a1ed64ebeba8876e398110a5790ad77407c Mon Sep 17 00:00:00 2001
+From: Mikhail Paulyshka
+Date: Sat, 24 May 2025 17:53:19 +0300
+Subject: x86/rdrand: Disable RDSEED on AMD Cyan Skillfish
+
+From: Mikhail Paulyshka
+
+commit 5b937a1ed64ebeba8876e398110a5790ad77407c upstream.
+
+AMD Cyan Skillfish (Family 17h, Model 47h, Stepping 0h) has an error that
+causes RDSEED to always return 0xffffffff, while RDRAND works correctly.
+
+Mask the RDSEED cap for this CPU so that both /proc/cpuinfo and direct CPUID
+read report RDSEED as unavailable.
+
+ [ bp: Move to amd.c, massage. ]
+
+Signed-off-by: Mikhail Paulyshka
+Signed-off-by: Borislav Petkov (AMD)
+Cc:
+Link: https://lore.kernel.org/20250524145319.209075-1-me@mixaill.net
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/include/asm/msr-index.h | 1 +
+ arch/x86/kernel/cpu/amd.c | 7 +++++++
+ tools/arch/x86/include/asm/msr-index.h | 1 +
+ 3 files changed, 9 insertions(+)
+
+--- a/arch/x86/include/asm/msr-index.h
++++ b/arch/x86/include/asm/msr-index.h
+@@ -621,6 +621,7 @@
+ #define MSR_AMD64_OSVW_STATUS 0xc0010141
+ #define MSR_AMD_PPIN_CTL 0xc00102f0
+ #define MSR_AMD_PPIN 0xc00102f1
++#define MSR_AMD64_CPUID_FN_7 0xc0011002
+ #define MSR_AMD64_CPUID_FN_1 0xc0011004
+ #define MSR_AMD64_LS_CFG 0xc0011020
+ #define MSR_AMD64_DC_CFG 0xc0011022
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -977,6 +977,13 @@ static void init_amd_zen2(struct cpuinfo
+ init_spectral_chicken(c);
+ fix_erratum_1386(c);
+ zen2_zenbleed_check(c);
++
++ /* Disable RDSEED on AMD Cyan Skillfish because of an error.
*/
++ if (c->x86_model == 0x47 && c->x86_stepping == 0x0) {
++ clear_cpu_cap(c, X86_FEATURE_RDSEED);
++ msr_clear_bit(MSR_AMD64_CPUID_FN_7, 18);
++ pr_emerg("RDSEED is not reliable on this platform; disabling.\n");
++ }
+ }
+
+ static void init_amd_zen3(struct cpuinfo_x86 *c)
+--- a/tools/arch/x86/include/asm/msr-index.h
++++ b/tools/arch/x86/include/asm/msr-index.h
+@@ -612,6 +612,7 @@
+ #define MSR_AMD64_OSVW_STATUS 0xc0010141
+ #define MSR_AMD_PPIN_CTL 0xc00102f0
+ #define MSR_AMD_PPIN 0xc00102f1
++#define MSR_AMD64_CPUID_FN_7 0xc0011002
+ #define MSR_AMD64_CPUID_FN_1 0xc0011004
+ #define MSR_AMD64_LS_CFG 0xc0011020
+ #define MSR_AMD64_DC_CFG 0xc0011022
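Review bot: The result of `msr_clear_bit(MSR_AMD64_CPUID_FN_7, 18)` in init_amd_zen2() is ignored, so if the MSR write does not take effect (for instance when the write is filtered while running as a guest) CPUID would keep advertising RDSEED to userspace while the kernel logs that it was disabled. Software that probes CPUID directly and then trusts RDSEED output would still consume the constant 0xffffffff described in the commit message. Checking the return value and warning when it is negative would make the log truthful, and the literal `18` deserves a comment such as `/* CPUID Fn7 EBX[18]: RDSEED */`. `pr_emerg()` is also unusually loud for a known per-model erratum handled at boot; `pr_warn()` would fit unless the severity is deliberate.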