From f0dae293c4a480e23c255ed26cd82fbaf31d6daa Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Mon, 14 Jul 2025 11:15:22 +0200 Subject: [PATCH] 6.15-stable patches added patches: clk-imx-fix-an-out-of-bounds-access-in-dispmix_csr_clk_dev_data.patch clk-scmi-handle-case-where-child-clocks-are-initialized-before-their-parents.patch dt-bindings-clock-mediatek-add-reset-cells-property-for-mt8188.patch erofs-address-d-cache-aliasing.patch erofs-fix-large-fragment-handling.patch erofs-fix-to-add-missing-tracepoint-in-erofs_read_folio.patch erofs-fix-to-add-missing-tracepoint-in-erofs_readahead.patch ksmbd-fix-a-mount-write-count-leak-in-ksmbd_vfs_kern_path_locked.patch smb-server-make-use-of-rdma_destroy_qp.patch x86-cpu-amd-disable-invlpgb-on-zen2.patch x86-mm-disable-hugetlb-page-table-sharing-on-32-bit.patch x86-rdrand-disable-rdseed-on-amd-cyan-skillfish.patch --- ...s-access-in-dispmix_csr_clk_dev_data.patch | 71 +++++++ ...are-initialized-before-their-parents.patch | 93 ++++++++++ ...-add-reset-cells-property-for-mt8188.patch | 40 ++++ .../erofs-address-d-cache-aliasing.patch | 174 ++++++++++++++++++ .../erofs-fix-large-fragment-handling.patch | 96 ++++++++++ ...ssing-tracepoint-in-erofs_read_folio.patch | 34 ++++ ...issing-tracepoint-in-erofs_readahead.patch | 35 ++++ ...t-leak-in-ksmbd_vfs_kern_path_locked.patch | 34 ++++ queue-6.15/series | 12 ++ ...b-server-make-use-of-rdma_destroy_qp.patch | 67 +++++++ .../x86-cpu-amd-disable-invlpgb-on-zen2.patch | 41 +++++ ...hugetlb-page-table-sharing-on-32-bit.patch | 55 ++++++ ...disable-rdseed-on-amd-cyan-skillfish.patch | 64 +++++++ 13 files changed, 816 insertions(+) create mode 100644 queue-6.15/clk-imx-fix-an-out-of-bounds-access-in-dispmix_csr_clk_dev_data.patch create mode 100644 queue-6.15/clk-scmi-handle-case-where-child-clocks-are-initialized-before-their-parents.patch create mode 100644 queue-6.15/dt-bindings-clock-mediatek-add-reset-cells-property-for-mt8188.patch create mode 100644 queue-6.15/erofs-address-d-cache-aliasing.patch create mode 100644 
queue-6.15/erofs-fix-large-fragment-handling.patch create mode 100644 queue-6.15/erofs-fix-to-add-missing-tracepoint-in-erofs_read_folio.patch create mode 100644 queue-6.15/erofs-fix-to-add-missing-tracepoint-in-erofs_readahead.patch create mode 100644 queue-6.15/ksmbd-fix-a-mount-write-count-leak-in-ksmbd_vfs_kern_path_locked.patch create mode 100644 queue-6.15/smb-server-make-use-of-rdma_destroy_qp.patch create mode 100644 queue-6.15/x86-cpu-amd-disable-invlpgb-on-zen2.patch create mode 100644 queue-6.15/x86-mm-disable-hugetlb-page-table-sharing-on-32-bit.patch create mode 100644 queue-6.15/x86-rdrand-disable-rdseed-on-amd-cyan-skillfish.patch diff --git a/queue-6.15/clk-imx-fix-an-out-of-bounds-access-in-dispmix_csr_clk_dev_data.patch b/queue-6.15/clk-imx-fix-an-out-of-bounds-access-in-dispmix_csr_clk_dev_data.patch new file mode 100644 index 0000000000..9d02fc8e6b --- /dev/null +++ b/queue-6.15/clk-imx-fix-an-out-of-bounds-access-in-dispmix_csr_clk_dev_data.patch 
@@ -0,0 +1,71 @@ +From aacc875a448d363332b9df0621dde6d3a225ea9f Mon Sep 17 00:00:00 2001 +From: Xiaolei Wang +Date: Thu, 19 Jun 2025 14:21:08 +0800 +Subject: clk: imx: Fix an out-of-bounds access in dispmix_csr_clk_dev_data + +From: Xiaolei Wang + +commit aacc875a448d363332b9df0621dde6d3a225ea9f upstream. + +When num_parents is 4, __clk_register() occurs an out-of-bounds +when accessing parent_names member. Use ARRAY_SIZE() instead of +hardcode number here. + + BUG: KASAN: global-out-of-bounds in __clk_register+0x1844/0x20d8 + Read of size 8 at addr ffff800086988e78 by task kworker/u24:3/59 + Hardware name: NXP i.MX95 19X19 board (DT) + Workqueue: events_unbound deferred_probe_work_func + Call trace: + dump_backtrace+0x94/0xec + show_stack+0x18/0x24 + dump_stack_lvl+0x8c/0xcc + print_report+0x398/0x5fc + kasan_report+0xd4/0x114 + __asan_report_load8_noabort+0x20/0x2c + __clk_register+0x1844/0x20d8 + clk_hw_register+0x44/0x110 + __clk_hw_register_mux+0x284/0x3a8 + imx95_bc_probe+0x4f4/0xa70 + +Fixes: 5224b189462f ("clk: imx: add i.MX95 BLK CTL clk driver") +Cc: stable@vger.kernel.org +Reviewed-by: Frank Li +Signed-off-by: Xiaolei Wang +Link: https://lore.kernel.org/r/20250619062108.2016511-1-xiaolei.wang@windriver.com +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/imx/clk-imx95-blk-ctl.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/drivers/clk/imx/clk-imx95-blk-ctl.c ++++ b/drivers/clk/imx/clk-imx95-blk-ctl.c +@@ -219,11 +219,15 @@ static const struct imx95_blk_ctl_dev_da + .clk_reg_offset = 0, + }; + ++static const char * const disp_engine_parents[] = { ++ "videopll1", "dsi_pll", "ldb_pll_div7" ++}; ++ + static const struct imx95_blk_ctl_clk_dev_data dispmix_csr_clk_dev_data[] = { + [IMX95_CLK_DISPMIX_ENG0_SEL] = { + .name = "disp_engine0_sel", +- .parent_names = (const char *[]){"videopll1", "dsi_pll", "ldb_pll_div7", }, +- .num_parents = 4, ++ .parent_names = disp_engine_parents, ++ .num_parents 
= ARRAY_SIZE(disp_engine_parents), + .reg = 0, + .bit_idx = 0, + .bit_width = 2, +@@ -232,8 +236,8 @@ static const struct imx95_blk_ctl_clk_de + }, + [IMX95_CLK_DISPMIX_ENG1_SEL] = { + .name = "disp_engine1_sel", +- .parent_names = (const char *[]){"videopll1", "dsi_pll", "ldb_pll_div7", }, +- .num_parents = 4, ++ .parent_names = disp_engine_parents, ++ .num_parents = ARRAY_SIZE(disp_engine_parents), + .reg = 0, + .bit_idx = 2, + .bit_width = 2, diff --git a/queue-6.15/clk-scmi-handle-case-where-child-clocks-are-initialized-before-their-parents.patch b/queue-6.15/clk-scmi-handle-case-where-child-clocks-are-initialized-before-their-parents.patch new file mode 100644 index 0000000000..5cd20e910c --- /dev/null +++ b/queue-6.15/clk-scmi-handle-case-where-child-clocks-are-initialized-before-their-parents.patch 
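Review bot: Both mux entries keep `.bit_width = 2`, so the selector field can hold four values while the new `disp_engine_parents` table has only three entries. With `.num_parents = ARRAY_SIZE(disp_engine_parents)` the registration path no longer reads past the table, but this hunk does not show whether a hardware selector value of 3 is rejected on read-back, so that is worth confirming. A short comment on the table would record the gap, for example `/* 2-bit selector, three parents: value 3 has no entry */`. That wording assumes the fourth encoding is unused and should be checked against the reference manual.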
@@ -0,0 +1,93 @@ +From 6306e0c5a0d28e9df2b5902f4a021204bee75173 Mon Sep 17 00:00:00 2001 +From: Sascha Hauer +Date: Thu, 12 Jun 2025 14:56:57 +0200 +Subject: clk: scmi: Handle case where child clocks are initialized before their parents + +From: Sascha Hauer + +commit 6306e0c5a0d28e9df2b5902f4a021204bee75173 upstream. + +The SCMI clock driver currently assumes that parent clocks are always +initialized before their children. However, this assumption can fail if +a child clock is encountered before its parent during probe. + +This leads to an issue during initialization of the parent_data array: + + sclk->parent_data[i].hw = hws[sclk->info->parents[i]]; + +If the parent clock's hardware structure has not been initialized yet, +this assignment results in invalid data. + +To resolve this, allocate all struct scmi_clk instances as a contiguous +array at the beginning of the probe and populate the hws[] array +upfront. This ensures that any parent referenced later is already +initialized, regardless of the order in which clocks are processed. + +Note that we can no longer free individual scmi_clk instances if +scmi_clk_ops_init() fails which shouldn't be a problem if the SCMI +platform has proper per-agent clock discovery. 
+ +Fixes: 65a8a3dd3b95f ("clk: scmi: Add support for clock {set,get}_parent") +Reviewed-by: peng.fan@nxp.com +Reviewed-by: Cristian Marussi +Reviewed-by: Sudeep Holla +Signed-off-by: Sascha Hauer +Link: https://lore.kernel.org/r/20250612-clk-scmi-children-parent-fix-v3-1-7de52a27593d@pengutronix.de +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/clk-scmi.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +--- a/drivers/clk/clk-scmi.c ++++ b/drivers/clk/clk-scmi.c +@@ -404,6 +404,7 @@ static int scmi_clocks_probe(struct scmi + const struct scmi_handle *handle = sdev->handle; + struct scmi_protocol_handle *ph; + const struct clk_ops *scmi_clk_ops_db[SCMI_MAX_CLK_OPS] = {}; ++ struct scmi_clk *sclks; + + if (!handle) + return -ENODEV; +@@ -430,18 +431,21 @@ static int scmi_clocks_probe(struct scmi + transport_is_atomic = handle->is_transport_atomic(handle, + &atomic_threshold_us); + ++ sclks = devm_kcalloc(dev, count, sizeof(*sclks), GFP_KERNEL); ++ if (!sclks) ++ return -ENOMEM; ++ ++ for (idx = 0; idx < count; idx++) ++ hws[idx] = &sclks[idx].hw; ++ + for (idx = 0; idx < count; idx++) { +- struct scmi_clk *sclk; ++ struct scmi_clk *sclk = &sclks[idx]; + const struct clk_ops *scmi_ops; + +- sclk = devm_kzalloc(dev, sizeof(*sclk), GFP_KERNEL); +- if (!sclk) +- return -ENOMEM; +- + sclk->info = scmi_proto_clk_ops->info_get(ph, idx); + if (!sclk->info) { + dev_dbg(dev, "invalid clock info for idx %d\n", idx); +- devm_kfree(dev, sclk); ++ hws[idx] = NULL; + continue; + } + +@@ -479,13 +483,11 @@ static int scmi_clocks_probe(struct scmi + if (err) { + dev_err(dev, "failed to register clock %d\n", idx); + devm_kfree(dev, sclk->parent_data); +- devm_kfree(dev, sclk); + hws[idx] = NULL; + } else { + dev_dbg(dev, "Registered clock:%s%s\n", + sclk->info->name, + scmi_ops->enable ? " (atomic ops)" : ""); +- hws[idx] = &sclk->hw; + } + } + 
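Review bot: Pre-filling `hws[idx] = &sclks[idx].hw` means a child handled before its parent copies a pointer to a `clk_hw` that may never be registered. If the parent later takes either `hws[idx] = NULL` path (invalid clock info or failed registration), the child's `parent_data[i].hw` still points at the zero-initialised `sclks[]` slot. The array is devm-managed, so this looks like a stale reference rather than a use-after-free, but it relies on the clk core tolerating an unregistered `hw`, which is not visible here. A comment above the pre-fill loop such as `/* slots may be reset to NULL below; earlier children may already hold the pointer */` would make that dependency explicit. The assignment quoted in the description also indexes `hws[]` with `sclk->info->parents[i]`, but that loop is outside the hunk, so I cannot tell whether the firmware-supplied parent id is checked against `count`.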
diff --git a/queue-6.15/dt-bindings-clock-mediatek-add-reset-cells-property-for-mt8188.patch b/queue-6.15/dt-bindings-clock-mediatek-add-reset-cells-property-for-mt8188.patch new file mode 100644 index 0000000000..4fb6eb461e --- /dev/null +++ b/queue-6.15/dt-bindings-clock-mediatek-add-reset-cells-property-for-mt8188.patch @@ -0,0 +1,40 @@ +From a42b4dcc4f9f309a23e6de5ae57a680b9fd2ea10 Mon Sep 17 00:00:00 2001 +From: Julien Massot +Date: Fri, 16 May 2025 16:12:13 +0200 +Subject: dt-bindings: clock: mediatek: Add #reset-cells property for MT8188 + +From: Julien Massot + +commit a42b4dcc4f9f309a23e6de5ae57a680b9fd2ea10 upstream. + +The '#reset-cells' property is permitted for some of the MT8188 +clock controllers, but not listed as a valid property. + +Fixes: 9a5cd59640ac ("dt-bindings: clock: mediatek: Add SMI LARBs reset for MT8188") +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: Julien Massot +Link: https://lore.kernel.org/r/20250516-dtb-check-mt8188-v2-1-fb60bef1b8e1@collabora.com +Acked-by: Conor Dooley +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman +--- + .../devicetree/bindings/clock/mediatek,mt8188-clock.yaml | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/Documentation/devicetree/bindings/clock/mediatek,mt8188-clock.yaml b/Documentation/devicetree/bindings/clock/mediatek,mt8188-clock.yaml +index 2985c8c717d7..5403242545ab 100644 +--- a/Documentation/devicetree/bindings/clock/mediatek,mt8188-clock.yaml ++++ b/Documentation/devicetree/bindings/clock/mediatek,mt8188-clock.yaml +@@ -52,6 +52,9 @@ properties: + '#clock-cells': + const: 1 + ++ '#reset-cells': ++ const: 1 ++ + required: + - compatible + - reg +-- +2.50.1 + diff --git a/queue-6.15/erofs-address-d-cache-aliasing.patch b/queue-6.15/erofs-address-d-cache-aliasing.patch new file mode 100644 index 0000000000..24278f1142 --- /dev/null +++ b/queue-6.15/erofs-address-d-cache-aliasing.patch 
@@ -0,0 +1,174 @@ +From 27917e8194f91dffd8b4825350c63cb68e98ce58 Mon Sep 17 00:00:00 2001 +From: Gao Xiang +Date: Wed, 9 Jul 2025 11:46:14 +0800 +Subject: erofs: address D-cache aliasing + +From: Gao Xiang + +commit 27917e8194f91dffd8b4825350c63cb68e98ce58 upstream. + +Flush the D-cache before unlocking folios for compressed inodes, as +they are dirtied during decompression. + +Avoid calling flush_dcache_folio() on every CPU write, since it's more +like playing whack-a-mole without real benefit. + +It has no impact on x86 and arm64/risc-v: on x86, flush_dcache_folio() +is a no-op, and on arm64/risc-v, PG_dcache_clean (PG_arch_1) is clear +for new page cache folios. However, certain ARM boards are affected, +as reported. + +Fixes: 3883a79abd02 ("staging: erofs: introduce VLE decompression support") +Closes: https://lore.kernel.org/r/c1e51e16-6cc6-49d0-a63e-4e9ff6c4dd53@pengutronix.de +Closes: https://lore.kernel.org/r/38d43fae-1182-4155-9c5b-ffc7382d9917@siemens.com +Tested-by: Jan Kiszka +Tested-by: Stefan Kerkmann +Signed-off-by: Gao Xiang +Link: https://lore.kernel.org/r/20250709034614.2780117-2-hsiangkao@linux.alibaba.com +Signed-off-by: Greg Kroah-Hartman +--- + fs/erofs/data.c | 16 +++++++++++----- + fs/erofs/decompressor.c | 12 ++++-------- + fs/erofs/fileio.c | 4 ++-- + fs/erofs/internal.h | 2 +- + fs/erofs/zdata.c | 6 +++--- + 5 files changed, 21 insertions(+), 19 deletions(-) + +--- a/fs/erofs/data.c ++++ b/fs/erofs/data.c +@@ -213,9 +213,11 @@ int erofs_map_dev(struct super_block *sb + + /* + * bit 30: I/O error occurred on this folio ++ * bit 29: CPU has dirty data in D-cache (needs aliasing handling); + * bit 0 - 29: remaining parts to complete this folio + */ +-#define EROFS_ONLINEFOLIO_EIO (1 << 30) ++#define EROFS_ONLINEFOLIO_EIO 30 ++#define EROFS_ONLINEFOLIO_DIRTY 29 + + void erofs_onlinefolio_init(struct folio *folio) + { +@@ -232,19 +234,23 @@ void erofs_onlinefolio_split(struct foli + atomic_inc((atomic_t *)&folio->private); + } + +-void 
erofs_onlinefolio_end(struct folio *folio, int err) ++void erofs_onlinefolio_end(struct folio *folio, int err, bool dirty) + { + int orig, v; + + do { + orig = atomic_read((atomic_t *)&folio->private); +- v = (orig - 1) | (err ? EROFS_ONLINEFOLIO_EIO : 0); ++ DBG_BUGON(orig <= 0); ++ v = dirty << EROFS_ONLINEFOLIO_DIRTY; ++ v |= (orig - 1) | (!!err << EROFS_ONLINEFOLIO_EIO); + } while (atomic_cmpxchg((atomic_t *)&folio->private, orig, v) != orig); + +- if (v & ~EROFS_ONLINEFOLIO_EIO) ++ if (v & (BIT(EROFS_ONLINEFOLIO_DIRTY) - 1)) + return; + folio->private = 0; +- folio_end_read(folio, !(v & EROFS_ONLINEFOLIO_EIO)); ++ if (v & BIT(EROFS_ONLINEFOLIO_DIRTY)) ++ flush_dcache_folio(folio); ++ folio_end_read(folio, !(v & BIT(EROFS_ONLINEFOLIO_EIO))); + } + + static int erofs_iomap_begin(struct inode *inode, loff_t offset, loff_t length, +--- a/fs/erofs/decompressor.c ++++ b/fs/erofs/decompressor.c +@@ -301,13 +301,11 @@ static int z_erofs_transform_plain(struc + cur = min(cur, rq->outputsize); + if (cur && rq->out[0]) { + kin = kmap_local_page(rq->in[nrpages_in - 1]); +- if (rq->out[0] == rq->in[nrpages_in - 1]) { ++ if (rq->out[0] == rq->in[nrpages_in - 1]) + memmove(kin + rq->pageofs_out, kin + pi, cur); +- flush_dcache_page(rq->out[0]); +- } else { ++ else + memcpy_to_page(rq->out[0], rq->pageofs_out, + kin + pi, cur); +- } + kunmap_local(kin); + } + rq->outputsize -= cur; +@@ -325,14 +323,12 @@ static int z_erofs_transform_plain(struc + po = (rq->pageofs_out + cur + pi) & ~PAGE_MASK; + DBG_BUGON(no >= nrpages_out); + cnt = min(insz - pi, PAGE_SIZE - po); +- if (rq->out[no] == rq->in[ni]) { ++ if (rq->out[no] == rq->in[ni]) + memmove(kin + po, + kin + rq->pageofs_in + pi, cnt); +- flush_dcache_page(rq->out[no]); +- } else if (rq->out[no]) { ++ else if (rq->out[no]) + memcpy_to_page(rq->out[no], po, + kin + rq->pageofs_in + pi, cnt); +- } + pi += cnt; + } while (pi < insz); + kunmap_local(kin); +--- a/fs/erofs/fileio.c ++++ b/fs/erofs/fileio.c +@@ -38,7 +38,7 @@ 
static void erofs_fileio_ki_complete(str + } else { + bio_for_each_folio_all(fi, &rq->bio) { + DBG_BUGON(folio_test_uptodate(fi.folio)); +- erofs_onlinefolio_end(fi.folio, ret); ++ erofs_onlinefolio_end(fi.folio, ret, false); + } + } + bio_uninit(&rq->bio); +@@ -158,7 +158,7 @@ io_retry: + } + cur += len; + } +- erofs_onlinefolio_end(folio, err); ++ erofs_onlinefolio_end(folio, err, false); + return err; + } + +--- a/fs/erofs/internal.h ++++ b/fs/erofs/internal.h +@@ -389,7 +389,7 @@ int erofs_fiemap(struct inode *inode, st + int erofs_map_blocks(struct inode *inode, struct erofs_map_blocks *map); + void erofs_onlinefolio_init(struct folio *folio); + void erofs_onlinefolio_split(struct folio *folio); +-void erofs_onlinefolio_end(struct folio *folio, int err); ++void erofs_onlinefolio_end(struct folio *folio, int err, bool dirty); + struct inode *erofs_iget(struct super_block *sb, erofs_nid_t nid); + int erofs_getattr(struct mnt_idmap *idmap, const struct path *path, + struct kstat *stat, u32 request_mask, +--- a/fs/erofs/zdata.c ++++ b/fs/erofs/zdata.c +@@ -1060,7 +1060,7 @@ static int z_erofs_scan_folio(struct z_e + tight = (bs == PAGE_SIZE); + } + } while ((end = cur) > 0); +- erofs_onlinefolio_end(folio, err); ++ erofs_onlinefolio_end(folio, err, false); + return err; + } + +@@ -1165,7 +1165,7 @@ static void z_erofs_fill_other_copies(st + cur += len; + } + kunmap_local(dst); +- erofs_onlinefolio_end(page_folio(bvi->bvec.page), err); ++ erofs_onlinefolio_end(page_folio(bvi->bvec.page), err, true); + list_del(p); + kfree(bvi); + } +@@ -1324,7 +1324,7 @@ static int z_erofs_decompress_pcluster(s + + DBG_BUGON(z_erofs_page_is_invalidated(page)); + if (!z_erofs_is_shortlived_page(page)) { +- erofs_onlinefolio_end(page_folio(page), err); ++ erofs_onlinefolio_end(page_folio(page), err, true); + continue; + } + if (pcl->algorithmformat != Z_EROFS_COMPRESSION_LZ4) { 
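Review bot: The layout comment in fs/erofs/data.c still ends with `bit 0 - 29: remaining parts to complete this folio`, but bit 29 is now the dirty flag. The early-return test `v & (BIT(EROFS_ONLINEFOLIO_DIRTY) - 1)` treats only bits 0-28 as the remaining-parts counter. The last comment line should read `bit 0 - 28: remaining parts to complete this folio`, so nobody sizes the counter from the stale text. The two macros also changed from masks to bit numbers while keeping their names, so a brief `/* bit numbers, use with BIT() */` next to them would help anyone who still expects `EROFS_ONLINEFOLIO_EIO` to be a mask.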
diff --git a/queue-6.15/erofs-fix-large-fragment-handling.patch b/queue-6.15/erofs-fix-large-fragment-handling.patch new file mode 100644 index 0000000000..0ae3a08399 --- /dev/null +++ b/queue-6.15/erofs-fix-large-fragment-handling.patch 
@@ -0,0 +1,96 @@ +From b44686c8391b427fb1c85a31c35077e6947c6d90 Mon Sep 17 00:00:00 2001 +From: Gao Xiang +Date: Sat, 12 Jul 2025 03:58:26 +0800 +Subject: erofs: fix large fragment handling + +From: Gao Xiang + +commit b44686c8391b427fb1c85a31c35077e6947c6d90 upstream. + +Fragments aren't limited by Z_EROFS_PCLUSTER_MAX_DSIZE. However, if +a fragment's logical length is larger than Z_EROFS_PCLUSTER_MAX_DSIZE +but the fragment is not the whole inode, it currently returns +-EOPNOTSUPP because m_flags has the wrong EROFS_MAP_ENCODED flag set. +It is not intended by design but should be rare, as it can only be +reproduced by mkfs with `-Eall-fragments` in a specific case. + +Let's normalize fragment m_flags using the new EROFS_MAP_FRAGMENT. + +Reported-by: Axel Fontaine +Closes: https://github.com/erofs/erofs-utils/issues/23 +Fixes: 7c3ca1838a78 ("erofs: restrict pcluster size limitations") +Signed-off-by: Gao Xiang +Link: https://lore.kernel.org/r/20250711195826.3601157-1-hsiangkao@linux.alibaba.com +Signed-off-by: Greg Kroah-Hartman +--- + fs/erofs/internal.h | 4 +++- + fs/erofs/zdata.c | 2 +- + fs/erofs/zmap.c | 9 ++++----- + 3 files changed, 8 insertions(+), 7 deletions(-) + +--- a/fs/erofs/internal.h ++++ b/fs/erofs/internal.h +@@ -314,10 +314,12 @@ static inline struct folio *erofs_grab_f + /* The length of extent is full */ + #define EROFS_MAP_FULL_MAPPED 0x0008 + /* Located in the special packed inode */ +-#define EROFS_MAP_FRAGMENT 0x0010 ++#define __EROFS_MAP_FRAGMENT 0x0010 + /* The extent refers to partial decompressed data */ + #define EROFS_MAP_PARTIAL_REF 0x0020 + ++#define EROFS_MAP_FRAGMENT (EROFS_MAP_MAPPED | __EROFS_MAP_FRAGMENT) ++ + struct erofs_map_blocks { + struct erofs_buf buf; + +--- a/fs/erofs/zdata.c ++++ b/fs/erofs/zdata.c +@@ -1003,7 +1003,7 @@ static int z_erofs_scan_folio(struct z_e + if (!(map->m_flags & EROFS_MAP_MAPPED)) { + folio_zero_segment(folio, cur, end); + tight = false; +- } else if (map->m_flags & EROFS_MAP_FRAGMENT) { ++ } 
else if (map->m_flags & __EROFS_MAP_FRAGMENT) { + erofs_off_t fpos = offset + cur - map->m_la; + + err = z_erofs_read_fragment(inode->i_sb, folio, cur, +--- a/fs/erofs/zmap.c ++++ b/fs/erofs/zmap.c +@@ -413,8 +413,7 @@ static int z_erofs_map_blocks_fo(struct + !vi->z_tailextent_headlcn) { + map->m_la = 0; + map->m_llen = inode->i_size; +- map->m_flags = EROFS_MAP_MAPPED | +- EROFS_MAP_FULL_MAPPED | EROFS_MAP_FRAGMENT; ++ map->m_flags = EROFS_MAP_FRAGMENT; + return 0; + } + initial_lcn = ofs >> lclusterbits; +@@ -489,7 +488,7 @@ static int z_erofs_map_blocks_fo(struct + goto unmap_out; + } + } else if (fragment && m.lcn == vi->z_tailextent_headlcn) { +- map->m_flags |= EROFS_MAP_FRAGMENT; ++ map->m_flags = EROFS_MAP_FRAGMENT; + } else { + map->m_pa = erofs_pos(sb, m.pblk); + err = z_erofs_get_extent_compressedlen(&m, initial_lcn); +@@ -617,7 +616,7 @@ static int z_erofs_map_blocks_ext(struct + if (lstart < lend) { + map->m_la = lstart; + if (last && (vi->z_advise & Z_EROFS_ADVISE_FRAGMENT_PCLUSTER)) { +- map->m_flags |= EROFS_MAP_MAPPED | EROFS_MAP_FRAGMENT; ++ map->m_flags = EROFS_MAP_FRAGMENT; + vi->z_fragmentoff = map->m_plen; + if (recsz > offsetof(struct z_erofs_extent, pstart_lo)) + vi->z_fragmentoff |= map->m_pa << 32; +@@ -797,7 +796,7 @@ static int z_erofs_iomap_begin_report(st + iomap->length = map.m_llen; + if (map.m_flags & EROFS_MAP_MAPPED) { + iomap->type = IOMAP_MAPPED; +- iomap->addr = map.m_flags & EROFS_MAP_FRAGMENT ? ++ iomap->addr = map.m_flags & __EROFS_MAP_FRAGMENT ? + IOMAP_NULL_ADDR : map.m_pa; + } else { + iomap->type = IOMAP_HOLE; diff --git a/queue-6.15/erofs-fix-to-add-missing-tracepoint-in-erofs_read_folio.patch b/queue-6.15/erofs-fix-to-add-missing-tracepoint-in-erofs_read_folio.patch new file mode 100644 index 0000000000..bdcc4b95d1 --- /dev/null +++ b/queue-6.15/erofs-fix-to-add-missing-tracepoint-in-erofs_read_folio.patch 
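Review bot: After this change `EROFS_MAP_FRAGMENT` is a composite value that includes `EROFS_MAP_MAPPED`, so `m_flags & EROFS_MAP_FRAGMENT` is true for every mapped extent, not only for fragments. The two tests visible here (z_erofs_scan_folio and z_erofs_iomap_begin_report) were switched to `__EROFS_MAP_FRAGMENT`, but nothing at the definition warns the next user, and testers outside these hunks could not be checked. I would document the split in fs/erofs/internal.h, for example `/* assignment only: implies EROFS_MAP_MAPPED; test with __EROFS_MAP_FRAGMENT */` above the new `#define EROFS_MAP_FRAGMENT`. The existing `/* Located in the special packed inode */` comment now describes the double-underscore bit, which is worth stating as well.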
@@ -0,0 +1,34 @@ +From 99f7619a77a0a2e3e2bcae676d0f301769167754 Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Tue, 8 Jul 2025 19:19:42 +0800 +Subject: erofs: fix to add missing tracepoint in erofs_read_folio() + +From: Chao Yu + +commit 99f7619a77a0a2e3e2bcae676d0f301769167754 upstream. + +Commit 771c994ea51f ("erofs: convert all uncompressed cases to iomap") +converts to use iomap interface, it removed trace_erofs_readpage() +tracepoint in the meantime, let's add it back. + +Fixes: 771c994ea51f ("erofs: convert all uncompressed cases to iomap") +Signed-off-by: Chao Yu +Reviewed-by: Gao Xiang +Link: https://lore.kernel.org/r/20250708111942.3120926-1-chao@kernel.org +Signed-off-by: Gao Xiang +Signed-off-by: Greg Kroah-Hartman +--- + fs/erofs/data.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/erofs/data.c ++++ b/fs/erofs/data.c +@@ -350,6 +350,8 @@ int erofs_fiemap(struct inode *inode, st + */ + static int erofs_read_folio(struct file *file, struct folio *folio) + { ++ trace_erofs_read_folio(folio, true); ++ + return iomap_read_folio(folio, &erofs_iomap_ops); + } + diff --git a/queue-6.15/erofs-fix-to-add-missing-tracepoint-in-erofs_readahead.patch b/queue-6.15/erofs-fix-to-add-missing-tracepoint-in-erofs_readahead.patch new file mode 100644 index 0000000000..25324bbcda --- /dev/null +++ b/queue-6.15/erofs-fix-to-add-missing-tracepoint-in-erofs_readahead.patch 
@@ -0,0 +1,35 @@ +From d53238b614e01266a3d36b417b60a502e0698504 Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Mon, 7 Jul 2025 16:48:32 +0800 +Subject: erofs: fix to add missing tracepoint in erofs_readahead() + +From: Chao Yu + +commit d53238b614e01266a3d36b417b60a502e0698504 upstream. + +Commit 771c994ea51f ("erofs: convert all uncompressed cases to iomap") +converts to use iomap interface, it removed trace_erofs_readahead() +tracepoint in the meantime, let's add it back. + +Fixes: 771c994ea51f ("erofs: convert all uncompressed cases to iomap") +Signed-off-by: Chao Yu +Reviewed-by: Gao Xiang +Link: https://lore.kernel.org/r/20250707084832.2725677-1-chao@kernel.org +Signed-off-by: Gao Xiang +Signed-off-by: Greg Kroah-Hartman +--- + fs/erofs/data.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/erofs/data.c ++++ b/fs/erofs/data.c +@@ -355,6 +355,9 @@ static int erofs_read_folio(struct file + + static void erofs_readahead(struct readahead_control *rac) + { ++ trace_erofs_readahead(rac->mapping->host, readahead_index(rac), ++ readahead_count(rac), true); ++ + return iomap_readahead(rac, &erofs_iomap_ops); + } + diff --git a/queue-6.15/ksmbd-fix-a-mount-write-count-leak-in-ksmbd_vfs_kern_path_locked.patch b/queue-6.15/ksmbd-fix-a-mount-write-count-leak-in-ksmbd_vfs_kern_path_locked.patch new file mode 100644 index 0000000000..5f85d034aa --- /dev/null +++ b/queue-6.15/ksmbd-fix-a-mount-write-count-leak-in-ksmbd_vfs_kern_path_locked.patch 
@@ -0,0 +1,34 @@ +From 277627b431a0a6401635c416a21b2a0f77a77347 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sun, 6 Jul 2025 02:26:45 +0100 +Subject: ksmbd: fix a mount write count leak in ksmbd_vfs_kern_path_locked() + +From: Al Viro + +commit 277627b431a0a6401635c416a21b2a0f77a77347 upstream. + +If the call of ksmbd_vfs_lock_parent() fails, we drop the parent_path +references and return an error. We need to drop the write access we +just got on parent_path->mnt before we drop the mount reference - callers +assume that ksmbd_vfs_kern_path_locked() returns with mount write +access grabbed if and only if it has returned 0. + +Fixes: 864fb5d37163 ("ksmbd: fix possible deadlock in smb2_open") +Signed-off-by: Al Viro +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/vfs.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/smb/server/vfs.c ++++ b/fs/smb/server/vfs.c +@@ -1280,6 +1280,7 @@ out1: + + err = ksmbd_vfs_lock_parent(parent_path->dentry, path->dentry); + if (err) { ++ mnt_drop_write(parent_path->mnt); + path_put(path); + path_put(parent_path); + } diff --git a/queue-6.15/series b/queue-6.15/series index bb14b582b2..b1b43d0026 100644 --- a/queue-6.15/series +++ b/queue-6.15/series 
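Review bot: The error branch in fs/smb/server/vfs.c now unwinds by hand in a fixed order, `mnt_drop_write(parent_path->mnt)` first and then the two `path_put()` calls, but the code does not record why the order matters. The description gives the contract: mount write access is held on return if and only if 0 is returned. Write access also has to be dropped before `path_put(parent_path)` releases the mount reference. I would add `/* drop write access before the mount reference; callers expect it held only on success */` above the new line. The function starts and ends outside the hunk, so its other exit paths could not be checked against the same contract.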
@@ -110,3 +110,15 @@ mm-damon-fix-divide-by-zero-in-damon_get_intervals_score.patch samples-damon-fix-damon-sample-prcl-for-start-failure.patch samples-damon-fix-damon-sample-wsse-for-start-failure.patch lib-alloc_tag-do-not-acquire-non-existent-lock-in-alloc_tag_top_users.patch +clk-imx-fix-an-out-of-bounds-access-in-dispmix_csr_clk_dev_data.patch +x86-rdrand-disable-rdseed-on-amd-cyan-skillfish.patch +x86-mm-disable-hugetlb-page-table-sharing-on-32-bit.patch +x86-cpu-amd-disable-invlpgb-on-zen2.patch +dt-bindings-clock-mediatek-add-reset-cells-property-for-mt8188.patch +clk-scmi-handle-case-where-child-clocks-are-initialized-before-their-parents.patch +smb-server-make-use-of-rdma_destroy_qp.patch +ksmbd-fix-a-mount-write-count-leak-in-ksmbd_vfs_kern_path_locked.patch +erofs-fix-to-add-missing-tracepoint-in-erofs_readahead.patch +erofs-fix-to-add-missing-tracepoint-in-erofs_read_folio.patch +erofs-address-d-cache-aliasing.patch +erofs-fix-large-fragment-handling.patch diff --git a/queue-6.15/smb-server-make-use-of-rdma_destroy_qp.patch b/queue-6.15/smb-server-make-use-of-rdma_destroy_qp.patch new file mode 100644 index 0000000000..ac1948b8aa --- /dev/null +++ b/queue-6.15/smb-server-make-use-of-rdma_destroy_qp.patch 
@@ -0,0 +1,67 @@ +From 0c2b53997e8f5e2ec9e0fbd17ac0436466b65488 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 2 Jul 2025 09:18:05 +0200 +Subject: smb: server: make use of rdma_destroy_qp() + +From: Stefan Metzmacher + +commit 0c2b53997e8f5e2ec9e0fbd17ac0436466b65488 upstream. + +The qp is created by rdma_create_qp() as t->cm_id->qp +and t->qp is just a shortcut. + +rdma_destroy_qp() also calls ib_destroy_qp(cm_id->qp) internally, +but it is protected by a mutex, clears the cm_id and also calls +trace_cm_qp_destroy(). + +This should make the tracing more useful as both +rdma_create_qp() and rdma_destroy_qp() are traces and it makes +the code look more sane as functions from the same layer are used +for the specific qp object. + +trace-cmd stream -e rdma_cma:cm_qp_create -e rdma_cma:cm_qp_destroy +shows this now while doing a mount and unmount from a client: + + <...>-80 [002] 378.514182: cm_qp_create: cm.id=1 src=172.31.9.167:5445 dst=172.31.9.166:37113 tos=0 pd.id=0 qp_type=RC send_wr=867 recv_wr=255 qp_num=1 rc=0 + <...>-6283 [001] 381.686172: cm_qp_destroy: cm.id=1 src=172.31.9.167:5445 dst=172.31.9.166:37113 tos=0 qp_num=1 + +Before we only saw the first line. 
+ +Cc: Namjae Jeon +Cc: Steve French +Cc: Sergey Senozhatsky +Cc: Hyunchul Lee +Cc: Tom Talpey +Cc: linux-cifs@vger.kernel.org +Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers") +Signed-off-by: Stefan Metzmacher +Reviewed-by: Tom Talpey +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/transport_rdma.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/smb/server/transport_rdma.c ++++ b/fs/smb/server/transport_rdma.c +@@ -433,7 +433,8 @@ static void free_transport(struct smb_di + if (t->qp) { + ib_drain_qp(t->qp); + ib_mr_pool_destroy(t->qp, &t->qp->rdma_mrs); +- ib_destroy_qp(t->qp); ++ t->qp = NULL; ++ rdma_destroy_qp(t->cm_id); + } + + ksmbd_debug(RDMA, "drain the reassembly queue\n"); +@@ -1940,8 +1941,8 @@ static int smb_direct_create_qpair(struc + return 0; + err: + if (t->qp) { +- ib_destroy_qp(t->qp); + t->qp = NULL; ++ rdma_destroy_qp(t->cm_id); + } + if (t->recv_cq) { + ib_destroy_cq(t->recv_cq); diff --git a/queue-6.15/x86-cpu-amd-disable-invlpgb-on-zen2.patch b/queue-6.15/x86-cpu-amd-disable-invlpgb-on-zen2.patch new file mode 100644 index 0000000000..836a30b1b5 --- /dev/null +++ b/queue-6.15/x86-cpu-amd-disable-invlpgb-on-zen2.patch 
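Review bot: Both teardown sites still test `t->qp` but now destroy through `t->cm_id`. They therefore depend on `t->qp` being non-NULL only while it is the same live object as `t->cm_id->qp`, which the description states but the code does not. A comment at the first site, e.g. `/* t->qp aliases t->cm_id->qp; clear the alias before rdma_destroy_qp() releases it */`, would keep a later edit from leaving a dangling `t->qp`. free_transport() and smb_direct_create_qpair() both continue outside their hunks, so any later read of `t->qp` in free_transport(), which is now NULL at that point, could not be checked.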
@@ -0,0 +1,41 @@ +From a74bb5f202dabddfea96abc1328fcedae8aa140a Mon Sep 17 00:00:00 2001 +From: Mikhail Paulyshka +Date: Tue, 8 Jul 2025 16:39:10 +0200 +Subject: x86/CPU/AMD: Disable INVLPGB on Zen2 + +From: Mikhail Paulyshka + +commit a74bb5f202dabddfea96abc1328fcedae8aa140a upstream. + +AMD Cyan Skillfish (Family 17h, Model 47h, Stepping 0h) has an issue +that causes system oopses and panics when performing TLB flush using +INVLPGB. + +However, the problem is that that machine has misconfigured CPUID and +should not report the INVLPGB bit in the first place. So zap the +kernel's representation of the flag so that nothing gets confused. + + [ bp: Massage. ] + +Fixes: 767ae437a32d ("x86/mm: Add INVLPGB feature and Kconfig entry") +Signed-off-by: Mikhail Paulyshka +Signed-off-by: Borislav Petkov (AMD) +Cc: +Link: https://lore.kernel.org/r/1ebe845b-322b-4929-9093-b41074e9e939@mixaill.net +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/amd.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -979,6 +979,9 @@ static void init_amd_zen2(struct cpuinfo + msr_clear_bit(MSR_AMD64_CPUID_FN_7, 18); + pr_emerg("RDSEED is not reliable on this platform; disabling.\n"); + } ++ ++ /* Correct misconfigured CPUID on some clients. */ ++ clear_cpu_cap(c, X86_FEATURE_INVLPGB); + } + + static void init_amd_zen3(struct cpuinfo_x86 *c) diff --git a/queue-6.15/x86-mm-disable-hugetlb-page-table-sharing-on-32-bit.patch b/queue-6.15/x86-mm-disable-hugetlb-page-table-sharing-on-32-bit.patch new file mode 100644 index 0000000000..3c0bf6a086 --- /dev/null +++ b/queue-6.15/x86-mm-disable-hugetlb-page-table-sharing-on-32-bit.patch 
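Review bot: The new `clear_cpu_cap(c, X86_FEATURE_INVLPGB)` sits after the closing brace of the `c->x86_model == 0x47 && c->x86_stepping == 0x0` block, so it runs for every CPU that reaches init_amd_zen2(). The description names only Cyan Skillfish, and the comment `Correct misconfigured CPUID on some clients.` does not say that the clear is unconditional by design. If the intent is that no Zen2 part should advertise the feature, the comment should say so, for example `/* INVLPGB is not expected on Zen2; clear it unconditionally in case CPUID advertises it by mistake. */`. If the intent is narrower, the line belongs inside a model check. init_amd_zen2() begins outside the hunk.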
@@ -0,0 +1,55 @@ +From 76303ee8d54bff6d9a6d55997acd88a6c2ba63cf Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Wed, 2 Jul 2025 10:32:04 +0200 +Subject: x86/mm: Disable hugetlb page table sharing on 32-bit + +From: Jann Horn + +commit 76303ee8d54bff6d9a6d55997acd88a6c2ba63cf upstream. + +Only select ARCH_WANT_HUGE_PMD_SHARE on 64-bit x86. +Page table sharing requires at least three levels because it involves +shared references to PMD tables; 32-bit x86 has either two-level paging +(without PAE) or three-level paging (with PAE), but even with +three-level paging, having a dedicated PGD entry for hugetlb is only +barely possible (because the PGD only has four entries), and it seems +unlikely anyone's actually using PMD sharing on 32-bit. + +Having ARCH_WANT_HUGE_PMD_SHARE enabled on non-PAE 32-bit X86 (which +has 2-level paging) became particularly problematic after commit +59d9094df3d7 ("mm: hugetlb: independent PMD page table shared count"), +since that changes `struct ptdesc` such that the `pt_mm` (for PGDs) and +the `pt_share_count` (for PMDs) share the same union storage - and with +2-level paging, PMDs are PGDs. + +(For comparison, arm64 also gates ARCH_WANT_HUGE_PMD_SHARE on the +configuration of page tables such that it is never enabled with 2-level +paging.) 
+ +Closes: https://lore.kernel.org/r/srhpjxlqfna67blvma5frmy3aa@altlinux.org +Fixes: cfe28c5d63d8 ("x86: mm: Remove x86 version of huge_pmd_share.") +Reported-by: Vitaly Chikunov +Suggested-by: Dave Hansen +Signed-off-by: Jann Horn +Signed-off-by: Dave Hansen +Acked-by: Oscar Salvador +Acked-by: David Hildenbrand +Tested-by: Vitaly Chikunov +Cc:stable@vger.kernel.org +Link: https://lore.kernel.org/all/20250702-x86-2level-hugetlb-v2-1-1a98096edf92%40google.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/Kconfig ++++ b/arch/x86/Kconfig +@@ -146,7 +146,7 @@ config X86 + select ARCH_WANTS_DYNAMIC_TASK_STRUCT + select ARCH_WANTS_NO_INSTR + select ARCH_WANT_GENERAL_HUGETLB +- select ARCH_WANT_HUGE_PMD_SHARE ++ select ARCH_WANT_HUGE_PMD_SHARE if X86_64 + select ARCH_WANT_LD_ORPHAN_WARN + select ARCH_WANT_OPTIMIZE_DAX_VMEMMAP if X86_64 + select ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP if X86_64 diff --git a/queue-6.15/x86-rdrand-disable-rdseed-on-amd-cyan-skillfish.patch b/queue-6.15/x86-rdrand-disable-rdseed-on-amd-cyan-skillfish.patch new file mode 100644 index 0000000000..2b54cb8751 --- /dev/null +++ b/queue-6.15/x86-rdrand-disable-rdseed-on-amd-cyan-skillfish.patch 
@@ -0,0 +1,64 @@ +From 5b937a1ed64ebeba8876e398110a5790ad77407c Mon Sep 17 00:00:00 2001 +From: Mikhail Paulyshka +Date: Sat, 24 May 2025 17:53:19 +0300 +Subject: x86/rdrand: Disable RDSEED on AMD Cyan Skillfish + +From: Mikhail Paulyshka + +commit 5b937a1ed64ebeba8876e398110a5790ad77407c upstream. + +AMD Cyan Skillfish (Family 17h, Model 47h, Stepping 0h) has an error that +causes RDSEED to always return 0xffffffff, while RDRAND works correctly. + +Mask the RDSEED cap for this CPU so that both /proc/cpuinfo and direct CPUID +read report RDSEED as unavailable. + + [ bp: Move to amd.c, massage. ] + +Signed-off-by: Mikhail Paulyshka +Signed-off-by: Borislav Petkov (AMD) +Cc: +Link: https://lore.kernel.org/20250524145319.209075-1-me@mixaill.net +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/msr-index.h | 1 + + arch/x86/kernel/cpu/amd.c | 7 +++++++ + tools/arch/x86/include/asm/msr-index.h | 1 + + 3 files changed, 9 insertions(+) + +--- a/arch/x86/include/asm/msr-index.h ++++ b/arch/x86/include/asm/msr-index.h +@@ -624,6 +624,7 @@ + #define MSR_AMD64_OSVW_STATUS 0xc0010141 + #define MSR_AMD_PPIN_CTL 0xc00102f0 + #define MSR_AMD_PPIN 0xc00102f1 ++#define MSR_AMD64_CPUID_FN_7 0xc0011002 + #define MSR_AMD64_CPUID_FN_1 0xc0011004 + #define MSR_AMD64_LS_CFG 0xc0011020 + #define MSR_AMD64_DC_CFG 0xc0011022 +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -972,6 +972,13 @@ static void init_amd_zen2(struct cpuinfo + init_spectral_chicken(c); + fix_erratum_1386(c); + zen2_zenbleed_check(c); ++ ++ /* Disable RDSEED on AMD Cyan Skillfish because of an error. 
*/ ++ if (c->x86_model == 0x47 && c->x86_stepping == 0x0) { ++ clear_cpu_cap(c, X86_FEATURE_RDSEED); ++ msr_clear_bit(MSR_AMD64_CPUID_FN_7, 18); ++ pr_emerg("RDSEED is not reliable on this platform; disabling.\n"); ++ } + } + + static void init_amd_zen3(struct cpuinfo_x86 *c) +--- a/tools/arch/x86/include/asm/msr-index.h ++++ b/tools/arch/x86/include/asm/msr-index.h +@@ -616,6 +616,7 @@ + #define MSR_AMD64_OSVW_STATUS 0xc0010141 + #define MSR_AMD_PPIN_CTL 0xc00102f0 + #define MSR_AMD_PPIN 0xc00102f1 ++#define MSR_AMD64_CPUID_FN_7 0xc0011002 + #define MSR_AMD64_CPUID_FN_1 0xc0011004 + #define MSR_AMD64_LS_CFG 0xc0011020 + #define MSR_AMD64_DC_CFG 0xc0011022 -- 2.47.2
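Review bot: In the init_amd_zen2() hunk, `msr_clear_bit(MSR_AMD64_CPUID_FN_7, 18)` passes a bare `18` and ignores the return value. Nothing in the hunk says that 18 is the RDSEED bit, so I would add a comment such as `/* bit 18: RDSEED in the CPUID Fn7 override MSR */` or a named constant. If the MSR write does not take effect, a direct CPUID read would still advertise RDSEED, an instruction the description says always returns 0xffffffff, while the kernel capability is already cleared. A virtualised environment is one place that could happen, though that is an assumption on my part. Checking the result and logging when the bit could not be cleared would make that case visible. The `pr_emerg()` may also fire once per CPU if this init path runs on each of them. That cannot be confirmed from the hunk, because the function starts outside it.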