From 2f3b668c3ca6de8b9d669272400de9f3656eb9ee Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 21 Oct 2025 20:05:22 +0200
Subject: [PATCH] 6.12-stable patches
added patches:
arm64-cputype-add-neoverse-v3ae-definitions.patch
arm64-errata-apply-workarounds-for-neoverse-v3ae.patch
dmaengine-add-missing-cleanup-on-module-unload.patch
mm-ksm-fix-flag-dropping-behavior-in-ksm_madvise.patch
---
...putype-add-neoverse-v3ae-definitions.patch | 48 ++++++++
...-apply-workarounds-for-neoverse-v3ae.patch | 61 ++++++++++
...add-missing-cleanup-on-module-unload.patch | 48 ++++++++
...lag-dropping-behavior-in-ksm_madvise.patch | 110 ++++++++++++++++++
queue-6.12/series | 4 +
5 files changed, 271 insertions(+)
create mode 100644 queue-6.12/arm64-cputype-add-neoverse-v3ae-definitions.patch
create mode 100644 queue-6.12/arm64-errata-apply-workarounds-for-neoverse-v3ae.patch
create mode 100644 queue-6.12/dmaengine-add-missing-cleanup-on-module-unload.patch
create mode 100644 queue-6.12/mm-ksm-fix-flag-dropping-behavior-in-ksm_madvise.patch
diff --git a/queue-6.12/arm64-cputype-add-neoverse-v3ae-definitions.patch b/queue-6.12/arm64-cputype-add-neoverse-v3ae-definitions.patch
new file mode 100644
index 0000000000..e600036616
--- /dev/null
+++ b/queue-6.12/arm64-cputype-add-neoverse-v3ae-definitions.patch
@@ -0,0 +1,48 @@
+From 3bbf004c4808e2c3241e5c1ad6cc102f38a03c39 Mon Sep 17 00:00:00 2001
+From: Mark Rutland
+Date: Fri, 19 Sep 2025 15:58:28 +0100
+Subject: arm64: cputype: Add Neoverse-V3AE definitions
+
+From: Mark Rutland
+
+commit 3bbf004c4808e2c3241e5c1ad6cc102f38a03c39 upstream.
+
+Add cputype definitions for Neoverse-V3AE. These will be used for errata
+detection in subsequent patches.
+
+These values can be found in the Neoverse-V3AE TRM:
+
+ https://developer.arm.com/documentation/SDEN-2615521/9-0/
+
+... in section A.6.1 ("MIDR_EL1, Main ID Register").
+
+Signed-off-by: Mark Rutland
+Cc: James Morse
+Cc: Will Deacon
+Cc: Catalin Marinas
+Signed-off-by: Ryan Roberts
+Signed-off-by: Will Deacon
+Signed-off-by: Ryan Roberts
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/include/asm/cputype.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm64/include/asm/cputype.h
++++ b/arch/arm64/include/asm/cputype.h
+@@ -93,6 +93,7 @@
+ #define ARM_CPU_PART_NEOVERSE_V2 0xD4F
+ #define ARM_CPU_PART_CORTEX_A720 0xD81
+ #define ARM_CPU_PART_CORTEX_X4 0xD82
++#define ARM_CPU_PART_NEOVERSE_V3AE 0xD83
+ #define ARM_CPU_PART_NEOVERSE_V3 0xD84
+ #define ARM_CPU_PART_CORTEX_X925 0xD85
+ #define ARM_CPU_PART_CORTEX_A725 0xD87
+@@ -180,6 +181,7 @@
+ #define MIDR_NEOVERSE_V2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V2)
+ #define MIDR_CORTEX_A720 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A720)
+ #define MIDR_CORTEX_X4 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X4)
++#define MIDR_NEOVERSE_V3AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3AE)
+ #define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3)
+ #define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925)
+ #define MIDR_CORTEX_A725 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A725)
diff --git a/queue-6.12/arm64-errata-apply-workarounds-for-neoverse-v3ae.patch b/queue-6.12/arm64-errata-apply-workarounds-for-neoverse-v3ae.patch
new file mode 100644
index 0000000000..0bbb88b569
--- /dev/null
+++ b/queue-6.12/arm64-errata-apply-workarounds-for-neoverse-v3ae.patch
@@ -0,0 +1,61 @@
+From 0c33aa1804d101c11ba1992504f17a42233f0e11 Mon Sep 17 00:00:00 2001
+From: Mark Rutland
+Date: Fri, 19 Sep 2025 15:58:29 +0100
+Subject: arm64: errata: Apply workarounds for Neoverse-V3AE
+
+From: Mark Rutland
+
+commit 0c33aa1804d101c11ba1992504f17a42233f0e11 upstream.
+
+Neoverse-V3AE is also affected by erratum #3312417, as described in its
+Software Developer Errata Notice (SDEN) document:
+
+ Neoverse V3AE (MP172) SDEN v9.0, erratum 3312417
+ https://developer.arm.com/documentation/SDEN-2615521/9-0/
+
+Enable the workaround for Neoverse-V3AE, and document this.
+
+Signed-off-by: Mark Rutland
+Cc: James Morse
+Cc: Will Deacon
+Cc: Catalin Marinas
+Signed-off-by: Ryan Roberts
+Signed-off-by: Will Deacon
+Signed-off-by: Greg Kroah-Hartman
+---
+ Documentation/arch/arm64/silicon-errata.rst | 2 ++
+ arch/arm64/Kconfig | 1 +
+ arch/arm64/kernel/cpu_errata.c | 1 +
+ 3 files changed, 4 insertions(+)
+
+--- a/Documentation/arch/arm64/silicon-errata.rst
++++ b/Documentation/arch/arm64/silicon-errata.rst
+@@ -198,6 +198,8 @@ stable kernels.
+ +----------------+-----------------+-----------------+-----------------------------+
+ | ARM | Neoverse-V3 | #3312417 | ARM64_ERRATUM_3194386 |
+ +----------------+-----------------+-----------------+-----------------------------+
++| ARM | Neoverse-V3AE | #3312417 | ARM64_ERRATUM_3194386 |
+++----------------+-----------------+-----------------+-----------------------------+
+ | ARM | MMU-500 | #841119,826419 | N/A |
+ +----------------+-----------------+-----------------+-----------------------------+
+ | ARM | MMU-600 | #1076982,1209401| N/A |
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -1111,6 +1111,7 @@ config ARM64_ERRATUM_3194386
+ * ARM Neoverse-V1 erratum 3324341
+ * ARM Neoverse V2 erratum 3324336
+ * ARM Neoverse-V3 erratum 3312417
++ * ARM Neoverse-V3AE erratum 3312417
+
+ On affected cores "MSR SSBS, #0" instructions may not affect
+ subsequent speculative instructions, which may permit unexepected
+--- a/arch/arm64/kernel/cpu_errata.c
++++ b/arch/arm64/kernel/cpu_errata.c
+@@ -455,6 +455,7 @@ static const struct midr_range erratum_s
+ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1),
+ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V2),
+ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3),
++ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3AE),
+ {}
+ };
+ #endif
diff --git a/queue-6.12/dmaengine-add-missing-cleanup-on-module-unload.patch b/queue-6.12/dmaengine-add-missing-cleanup-on-module-unload.patch
new file mode 100644
index 0000000000..0eae523d95
--- /dev/null
+++ b/queue-6.12/dmaengine-add-missing-cleanup-on-module-unload.patch
@@ -0,0 +1,48 @@
+From linux@roeck-us.net Tue Oct 21 20:04:38 2025
+From: Guenter Roeck
+Date: Mon, 20 Oct 2025 10:04:22 -0700
+Subject: dmaengine: Add missing cleanup on module unload
+To: stable@vger.kernel.org, Greg Kroah-Hartman
+Cc: dmaengine@vger.kernel.org, Guenter Roeck , Yi Sun , Shuai Xue , Dave Jiang , Vinicius Costa Gomes , Vinod Koul
+Message-ID: <20251020170422.2630360-1-linux@roeck-us.net>
+
+From: Guenter Roeck
+
+Upstream commit b7cb9a034305 ("dmaengine: idxd: Fix refcount underflow
+on module unload") fixes a refcount underflow by replacing the call to
+idxd_cleanup() in the remove function with direct cleanup calls. That works
+fine upstream. However, upstream removed support for IOMMU_DEV_FEAT_IOPF,
+which is still supported in v6.12.y. The backport of commit b7cb9a034305
+into v6.12.y misses the call to disable it. This results in a warning
+backtrace when unloading and reloading the module.
+
+WARNING: CPU: 0 PID: 665849 at drivers/pci/ats.c:337 pci_reset_pri+0x4c/0x60
+...
+RIP: 0010:pci_reset_pri+0xa7/0x130
+
+Add the missing cleanup call to fix the problem.
+
+Fixes: ce81905bec91 ("dmaengine: idxd: Fix refcount underflow on module unload")
+Cc: Yi Sun
+Cc: Shuai Xue
+Cc: Dave Jiang
+Cc: Vinicius Costa Gomes
+Cc: Vinod Koul
+Signed-off-by: Guenter Roeck
+Acked-by: Vinicius Costa Gomes
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/dma/idxd/init.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/dma/idxd/init.c
++++ b/drivers/dma/idxd/init.c
+@@ -923,6 +923,8 @@ static void idxd_remove(struct pci_dev *
+ idxd_cleanup_interrupts(idxd);
+ if (device_pasid_enabled(idxd))
+ idxd_disable_system_pasid(idxd);
++ if (device_user_pasid_enabled(idxd))
++ idxd_disable_sva(idxd->pdev);
+ pci_iounmap(pdev, idxd->reg_base);
+ put_device(idxd_confdev(idxd));
+ pci_disable_device(pdev);
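Review bot: The added `idxd_disable_sva(idxd->pdev)` call in idxd_remove() has no comment recording that it exists only because v6.12.y still supports IOMMU_DEV_FEAT_IOPF, so a later re-sync of this function with upstream could drop it again and bring back the pci_reset_pri warning on module reload. I would put `/* v6.12.y only: upstream removed IOMMU_DEV_FEAT_IOPF, this tree must still disable it on remove */` above the new `if`. The call also passes `idxd->pdev` while the neighbouring `pci_iounmap(pdev, ...)` and `pci_disable_device(pdev)` use the function argument; presumably both name the same device, and `idxd_disable_sva(pdev);` would match the rest of the function. idxd_remove() starts and ends outside the hunk.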
diff --git a/queue-6.12/mm-ksm-fix-flag-dropping-behavior-in-ksm_madvise.patch b/queue-6.12/mm-ksm-fix-flag-dropping-behavior-in-ksm_madvise.patch
new file mode 100644
index 0000000000..a1af7c614c
--- /dev/null
+++ b/queue-6.12/mm-ksm-fix-flag-dropping-behavior-in-ksm_madvise.patch
@@ -0,0 +1,110 @@
+From f04aad36a07cc17b7a5d5b9a2d386ce6fae63e93 Mon Sep 17 00:00:00 2001
+From: Jakub Acs
+Date: Wed, 1 Oct 2025 09:03:52 +0000
+Subject: mm/ksm: fix flag-dropping behavior in ksm_madvise
+
+From: Jakub Acs
+
+commit f04aad36a07cc17b7a5d5b9a2d386ce6fae63e93 upstream.
+
+syzkaller discovered the following crash: (kernel BUG)
+
+[ 44.607039] ------------[ cut here ]------------
+[ 44.607422] kernel BUG at mm/userfaultfd.c:2067!
+[ 44.608148] Oops: invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI
+[ 44.608814] CPU: 1 UID: 0 PID: 2475 Comm: reproducer Not tainted 6.16.0-rc6 #1 PREEMPT(none)
+[ 44.609635] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
+[ 44.610695] RIP: 0010:userfaultfd_release_all+0x3a8/0x460
+
+
+
+[ 44.617726] Call Trace:
+[ 44.617926]
+[ 44.619284] userfaultfd_release+0xef/0x1b0
+[ 44.620976] __fput+0x3f9/0xb60
+[ 44.621240] fput_close_sync+0x110/0x210
+[ 44.622222] __x64_sys_close+0x8f/0x120
+[ 44.622530] do_syscall_64+0x5b/0x2f0
+[ 44.622840] entry_SYSCALL_64_after_hwframe+0x76/0x7e
+[ 44.623244] RIP: 0033:0x7f365bb3f227
+
+Kernel panics because it detects UFFD inconsistency during
+userfaultfd_release_all(). Specifically, a VMA which has a valid pointer
+to vma->vm_userfaultfd_ctx, but no UFFD flags in vma->vm_flags.
+
+The inconsistency is caused in ksm_madvise(): when user calls madvise()
+with MADV_UNMEARGEABLE on a VMA that is registered for UFFD in MINOR mode,
+it accidentally clears all flags stored in the upper 32 bits of
+vma->vm_flags.
+
+Assuming x86_64 kernel build, unsigned long is 64-bit and unsigned int and
+int are 32-bit wide. This setup causes the following mishap during the &=
+~VM_MERGEABLE assignment.
+
+VM_MERGEABLE is a 32-bit constant of type unsigned int, 0x8000'0000.
+After ~ is applied, it becomes 0x7fff'ffff unsigned int, which is then
+promoted to unsigned long before the & operation. This promotion fills
+upper 32 bits with leading 0s, as we're doing unsigned conversion (and
+even for a signed conversion, this wouldn't help as the leading bit is 0).
+& operation thus ends up AND-ing vm_flags with 0x0000'0000'7fff'ffff
+instead of intended 0xffff'ffff'7fff'ffff and hence accidentally clears
+the upper 32-bits of its value.
+
+Fix it by changing `VM_MERGEABLE` constant to unsigned long, using the
+BIT() macro.
+
+Note: other VM_* flags are not affected: This only happens to the
+VM_MERGEABLE flag, as the other VM_* flags are all constants of type int
+and after ~ operation, they end up with leading 1 and are thus converted
+to unsigned long with leading 1s.
+
+Note 2:
+After commit 31defc3b01d9 ("userfaultfd: remove (VM_)BUG_ON()s"), this is
+no longer a kernel BUG, but a WARNING at the same place:
+
+[ 45.595973] WARNING: CPU: 1 PID: 2474 at mm/userfaultfd.c:2067
+
+but the root-cause (flag-drop) remains the same.
+
+[akpm@linux-foundation.org: rust bindgen wasn't able to handle BIT(), from Miguel]
+ Link: https://lore.kernel.org/oe-kbuild-all/202510030449.VfSaAjvd-lkp@intel.com/
+Link: https://lkml.kernel.org/r/20251001090353.57523-2-acsjakub@amazon.de
+Fixes: 7677f7fd8be7 ("userfaultfd: add minor fault registration mode")
+Signed-off-by: Jakub Acs
+Signed-off-by: Miguel Ojeda
+Acked-by: David Hildenbrand
+Acked-by: SeongJae Park
+Tested-by: Alice Ryhl
+Tested-by: Miguel Ojeda
+Cc: Xu Xin
+Cc: Chengming Zhou
+Cc: Peter Xu
+Cc: Axel Rasmussen
+Cc:
+Signed-off-by: Andrew Morton
+[acsjakub@amazon.de: adjust context in bindgings_helper.h]
+Signed-off-by: Jakub Acs
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/mm.h | 2 +-
+ rust/bindings/bindings_helper.h | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -320,7 +320,7 @@ extern unsigned int kobjsize(const void
+ #define VM_MIXEDMAP 0x10000000 /* Can contain "struct page" and pure PFN pages */
+ #define VM_HUGEPAGE 0x20000000 /* MADV_HUGEPAGE marked this vma */
+ #define VM_NOHUGEPAGE 0x40000000 /* MADV_NOHUGEPAGE marked this vma */
+-#define VM_MERGEABLE 0x80000000 /* KSM may merge identical pages */
++#define VM_MERGEABLE BIT(31) /* KSM may merge identical pages */
+
+ #ifdef CONFIG_ARCH_USES_HIGH_VMA_FLAGS
+ #define VM_HIGH_ARCH_BIT_0 32 /* bit only usable on 64-bit architectures */
+--- a/rust/bindings/bindings_helper.h
++++ b/rust/bindings/bindings_helper.h
+@@ -33,3 +33,4 @@ const gfp_t RUST_CONST_HELPER___GFP_ZERO
+ const gfp_t RUST_CONST_HELPER___GFP_HIGHMEM = ___GFP_HIGHMEM;
+ const gfp_t RUST_CONST_HELPER___GFP_NOWARN = ___GFP_NOWARN;
+ const blk_features_t RUST_CONST_HELPER_BLK_FEAT_ROTATIONAL = BLK_FEAT_ROTATIONAL;
++const vm_flags_t RUST_CONST_HELPER_VM_MERGEABLE = VM_MERGEABLE;
diff --git a/queue-6.12/series b/queue-6.12/series
index 9621ee9334..c53c7a993a 100644
--- a/queue-6.12/series
+++ b/queue-6.12/series
@@ -130,3 +130,7 @@ mptcp-use-__sk_dst_get-and-dst_dev_rcu-in-mptcp_active_enable.patch
 mptcp-reset-blackhole-on-success-with-non-loopback-ifaces.patch
 phy-cadence-cdns-dphy-update-calibration-wait-time-for-startup-state-machine.patch
 nfsd-define-a-proc_layoutcommit-for-the-flexfiles-layout-type.patch
+mm-ksm-fix-flag-dropping-behavior-in-ksm_madvise.patch
+arm64-cputype-add-neoverse-v3ae-definitions.patch
+arm64-errata-apply-workarounds-for-neoverse-v3ae.patch
+dmaengine-add-missing-cleanup-on-module-unload.patch
--
2.47.3
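Review bot: The new `#define VM_MERGEABLE BIT(31)` in include/linux/mm.h keeps the old comment, so nothing at the definition says that the constant's type, not its value, is what the fix depends on. A later cleanup that rewrites it as a hex literal to match the neighbouring VM_* lines would silently bring back the loss of vm_flags bits 32 and up on `&= ~VM_MERGEABLE`, which the commit message describes as reachable through madvise() on a userfaultfd-registered VMA. I would extend the comment to `/* KSM may merge identical pages; unsigned long via BIT() so ~VM_MERGEABLE keeps the high vm_flags bits */`. The `RUST_CONST_HELPER_VM_MERGEABLE` line in rust/bindings/bindings_helper.h belongs to the same fix, since the message notes bindgen could not handle BIT(), so the two file changes should only ever be carried or reverted together.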