[rocky10_1] History Rebuild to kernel-6.12.0-124.27.1.el10_1 #818
Open: PlaidCat wants to merge 33 commits into rocky10_1 from rocky10_1_rebuild

jira KERNEL-452
Rebuild_History Non-Buildable kernel-6.12.0-124.27.1.el10_1
commit-author kuyo chang <[email protected]>
commit 421fc59

[Symptom]
The fair server mechanism, which is intended to prevent fair starvation when higher-priority tasks monopolize the CPU. Specifically, RT tasks on the runqueue may not be scheduled as expected.

[Analysis]
The log "sched: DL replenish lagged too much" triggered.

By memory dump of dl_server:

    curr = 0xFFFFFF80D6A0AC00 (
      dl_server = 0xFFFFFF83CD5B1470(
        dl_runtime = 0x02FAF080,
        dl_deadline = 0x3B9ACA00,
        dl_period = 0x3B9ACA00,
        dl_bw = 0xCCCC,
        dl_density = 0xCCCC,
        runtime = 0x02FAF080,
        deadline = 0x0000082031EB0E80,
        flags = 0x0,
        dl_throttled = 0x0,
        dl_yielded = 0x0,
        dl_non_contending = 0x0,
        dl_overrun = 0x0,
        dl_server = 0x1,
        dl_server_active = 0x1,
        dl_defer = 0x1,
        dl_defer_armed = 0x0,
        dl_defer_running = 0x1,
        dl_timer = (
          node = (
            expires = 0x000008199756E700),
          _softexpires = 0x000008199756E700,
          function = 0xFFFFFFDB9AF44D30 = dl_task_timer,
          base = 0xFFFFFF83CD5A12C0,
          state = 0x0,
          is_rel = 0x0,
          is_soft = 0x0,
    clock_update_flags = 0x4,
    clock = 0x000008204A496900,

- The timer expiration time (rq->curr->dl_server->dl_timer->expires) is already in the past, indicating the timer has expired.
- The timer state (rq->curr->dl_server->dl_timer->state) is 0.

[Suspected Root Cause]
The relevant code flow in the throttle path of update_curr_dl_se() as follows:

    dequeue_dl_entity(dl_se, 0);                // the DL entity is dequeued

    if (unlikely(is_dl_boosted(dl_se) || !start_dl_timer(dl_se))) {
        if (dl_server(dl_se))                   // timer registration fails
            enqueue_dl_entity(dl_se, ENQUEUE_REPLENISH);//enqueue immediately
        ...
    }

The failure of `start_dl_timer` is caused by attempting to register a timer with an expiration time that is already in the past. When this situation persists, the code repeatedly re-enqueues the DL entity without properly replenishing or restarting the timer, resulting in RT task may not be scheduled as expected.

[Proposed Solution]:
Instead of immediately re-enqueuing the DL entity on timer registration failure, this change ensures the DL entity is properly replenished and the timer is restarted, preventing RT potential starvation.

Fixes: 63ba842 ("sched/deadline: Introduce deadline servers")
Signed-off-by: kuyo chang <[email protected]>
Signed-off-by: Peter Zijlstra (Intel) <[email protected]>
Closes: https://lore.kernel.org/CAMuHMdXn4z1pioTtBGMfQM0jsLviqS2jwysaWXpoLxWYoGa82w@mail.gmail.com
Tested-by: Geert Uytterhoeven <[email protected]>
Tested-by: Jiri Slaby <[email protected]>
Tested-by: Diederik de Haas <[email protected]>
Link: https://lkml.kernel.org/r/[email protected]
(cherry picked from commit 421fc59)
Signed-off-by: Jonathan Maple <[email protected]>

jira KERNEL-452
cve CVE-2025-40176
Rebuild_History Non-Buildable kernel-6.12.0-124.27.1.el10_1
commit-author Sabrina Dubroca <[email protected]>
commit b8a6ff8

Async decryption calls tls_strp_msg_hold to create a clone of the input skb to hold references to the memory it uses. If we fail to allocate that clone, proceeding with async decryption can lead to various issues (UAF on the skb, writing into userspace memory after the recv() call has returned).

In this case, wait for all pending decryption requests.

Fixes: 84c61fe ("tls: rx: do not use the standard strparser")
Reported-by: Jann Horn <[email protected]>
Signed-off-by: Sabrina Dubroca <[email protected]>
Link: https://patch.msgid.link/b9fe61dcc07dab15da9b35cf4c7d86382a98caf2.1760432043.git.sd@queasysnail.net
Signed-off-by: Jakub Kicinski <[email protected]>
(cherry picked from commit b8a6ff8)
Signed-off-by: Jonathan Maple <[email protected]>

jira KERNEL-452
Rebuild_History Non-Buildable kernel-6.12.0-124.27.1.el10_1
commit-author Simon Trimmer <[email protected]>
commit f7690d0

These Lenovo Laptops have the DMICs connected to the host instead of the CS42L43 and so need the SOC_SDW_CODEC_MIC quirk.

Signed-off-by: Simon Trimmer <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Mark Brown <[email protected]>
(cherry picked from commit f7690d0)
Signed-off-by: Jonathan Maple <[email protected]>

jira KERNEL-452
Rebuild_History Non-Buildable kernel-6.12.0-124.27.1.el10_1
commit-author Ivan Vecera <[email protected]>
commit 259ede9

Besides the device host registers that are directly accessible, there are also hardware registers that can be accessed indirectly via specific host registers.

Add register definitions for accessing hardware registers and provide helper functions for working with them. Additionally, extend the number of pages in the regmap configuration to 256, as the host registers used for accessing hardware registers are located on page 255.

Reviewed-by: Przemek Kitszel <[email protected]>
Signed-off-by: Ivan Vecera <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
(cherry picked from commit 259ede9)
Signed-off-by: Jonathan Maple <[email protected]>

jira KERNEL-452
Rebuild_History Non-Buildable kernel-6.12.0-124.27.1.el10_1
commit-author Ivan Vecera <[email protected]>
commit 3639bd0

To implement the devlink device flash functionality, the driver needs to access both the device memory and the internal flash memory. The flash memory is accessed using a device-specific program (called the flash utility). This flash utility must be downloaded by the driver into the device memory and then executed by the device CPU. Once running, the flash utility provides a flash API to access the flash memory itself.

During this operation, the normal functionality provided by the standard firmware is not available. Therefore, the driver must ensure that DPLL callbacks and monitoring functions are not executed during the flash operation.

Add all necessary functions for downloading the utility to device memory, entering and exiting flash mode, and performing flash operations.

Reviewed-by: Przemek Kitszel <[email protected]>
Signed-off-by: Ivan Vecera <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
(cherry picked from commit 3639bd0)
Signed-off-by: Jonathan Maple <[email protected]>

jira KERNEL-452
Rebuild_History Non-Buildable kernel-6.12.0-124.27.1.el10_1
commit-author Ivan Vecera <[email protected]>
commit ca01740

Add functionality for loading firmware files provided by the vendor to be flashed into the device's internal flash memory. The firmware consists of several components, such as the firmware executable itself, chip-specific customizations, and configuration files.

The firmware file contains at least a flash utility, which is executed on the device side, and one or more flashable components. Each component has its own specific properties, such as the address where it should be loaded during flashing, one or more destination flash pages, and the flashing method that should be used.

Reviewed-by: Przemek Kitszel <[email protected]>
Signed-off-by: Ivan Vecera <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
(cherry picked from commit ca01740)
Signed-off-by: Jonathan Maple <[email protected]>

jira KERNEL-452
Rebuild_History Non-Buildable kernel-6.12.0-124.27.1.el10_1
commit-author Ivan Vecera <[email protected]>
commit a1e891f

Use the introduced functionality to read firmware files and flash their contents into the device's internal flash memory to implement the devlink flash update callback.

Sample output on EDS2 development board:

    # devlink -j dev info i2c/1-0070 | jq '.[][]["versions"]["running"]'
    {
      "fw": "6026"
    }
    # devlink dev flash i2c/1-0070 file firmware_fw2.hex
    [utility] Prepare flash mode
    [utility] Downloading image 100%
    [utility] Flash mode enabled
    [firmware1-part1] Downloading image 100%
    [firmware1-part1] Flashing image
    [firmware1-part2] Downloading image 100%
    [firmware1-part2] Flashing image
    [firmware1] Flashing done
    [firmware2] Downloading image 100%
    [firmware2] Flashing image 100%
    [firmware2] Flashing done
    [utility] Leaving flash mode
    Flashing done
    # devlink -j dev info i2c/1-0070 | jq '.[][]["versions"]["running"]'
    {
      "fw": "7006"
    }

Reviewed-by: Przemek Kitszel <[email protected]>
Signed-off-by: Ivan Vecera <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
(cherry picked from commit a1e891f)
Signed-off-by: Jonathan Maple <[email protected]>

jira KERNEL-452
Rebuild_History Non-Buildable kernel-6.12.0-124.27.1.el10_1
commit-author Dan Carpenter <[email protected]>
commit 347afa3

The zl3073x_devlink_flash_prepare() function calls zl3073x_fw_free() and the caller, zl3073x_devlink_flash_update(), also calls that same free function so it leads to a double free. Delete the extra free.

Fixes: a1e891f ("dpll: zl3073x: Implement devlink flash callback")
Signed-off-by: Dan Carpenter <[email protected]>
Reviewed-by: Simon Horman <[email protected]>
Reviewed-by: Ivan Vecera <[email protected]>
Reviewed-by: Vadim Fedorenko <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
(cherry picked from commit 347afa3)
Signed-off-by: Jonathan Maple <[email protected]>

jira KERNEL-452
Rebuild_History Non-Buildable kernel-6.12.0-124.27.1.el10_1
commit-author Ivan Vecera <[email protected]>
commit f3426ac

Newer firmware bundles contain a flash utility whose size exceeds the currently allowed limit. Increase the maximum allowed size to accommodate the newer utility version.

Without this patch:

    # devlink dev flash i2c/1-0070 file fw_nosplit_v3.hex
    Failed to load firmware
    Flashing failed
    Error: zl3073x: FW load failed: [utility] component is too big (11000 bytes)

Fixes: ca01740 ("dpll: zl3073x: Add firmware loading functionality")
Suggested-by: Prathosh Satish <[email protected]>
Signed-off-by: Ivan Vecera <[email protected]>
Reviewed-by: Vadim Fedorenko <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Paolo Abeni <[email protected]>
(cherry picked from commit f3426ac)
Signed-off-by: Jonathan Maple <[email protected]>

jira KERNEL-452
cve CVE-2025-39843
Rebuild_History Non-Buildable kernel-6.12.0-124.27.1.el10_1
commit-author yangshiguang <[email protected]>
commit 850470a

set_track_prepare() can incur lock recursion. The issue is that it is called from hrtimer_start_range_ns holding the per_cpu(hrtimer_bases)[n].lock, but when enabled CONFIG_DEBUG_OBJECTS_TIMERS, may wake up kswapd in set_track_prepare, and try to hold the per_cpu(hrtimer_bases)[n].lock.

Avoid deadlock caused by implicitly waking up kswapd by passing in allocation flags, which do not contain __GFP_KSWAPD_RECLAIM in the debug_objects_fill_pool() case. Inside stack depot they are processed by gfp_nested_mask(). Since ___slab_alloc() has preemption disabled, we mask out __GFP_DIRECT_RECLAIM from the flags there.

The oops looks something like:

    BUG: spinlock recursion on CPU#3, swapper/3/0
     lock: 0xffffff8a4bf29c80, .magic: dead4ead, .owner: swapper/3/0, .owner_cpu: 3
    Hardware name: Qualcomm Technologies, Inc. Popsicle based on SM8850 (DT)
    Call trace:
    spin_bug+0x0
    _raw_spin_lock_irqsave+0x80
    hrtimer_try_to_cancel+0x94
    task_contending+0x10c
    enqueue_dl_entity+0x2a4
    dl_server_start+0x74
    enqueue_task_fair+0x568
    enqueue_task+0xac
    do_activate_task+0x14c
    ttwu_do_activate+0xcc
    try_to_wake_up+0x6c8
    default_wake_function+0x20
    autoremove_wake_function+0x1c
    __wake_up+0xac
    wakeup_kswapd+0x19c
    wake_all_kswapds+0x78
    __alloc_pages_slowpath+0x1ac
    __alloc_pages_noprof+0x298
    stack_depot_save_flags+0x6b0
    stack_depot_save+0x14
    set_track_prepare+0x5c
    ___slab_alloc+0xccc
    __kmalloc_cache_noprof+0x470
    __set_page_owner+0x2bc
    post_alloc_hook[jt]+0x1b8
    prep_new_page+0x28
    get_page_from_freelist+0x1edc
    __alloc_pages_noprof+0x13c
    alloc_slab_page+0x244
    allocate_slab+0x7c
    ___slab_alloc+0x8e8
    kmem_cache_alloc_noprof+0x450
    debug_objects_fill_pool+0x22c
    debug_object_activate+0x40
    enqueue_hrtimer[jt]+0xdc
    hrtimer_start_range_ns+0x5f8
    ...

Signed-off-by: yangshiguang <[email protected]>
Fixes: 5cf909c ("mm/slub: use stackdepot to save stack trace in objects")
Cc: [email protected]
Signed-off-by: Vlastimil Babka <[email protected]>
(cherry picked from commit 850470a)
Signed-off-by: Jonathan Maple <[email protected]>

jira KERNEL-452
Rebuild_History Non-Buildable kernel-6.12.0-124.27.1.el10_1
commit-author Paulo Alcantara <[email protected]>
commit fac56c4

In very rare cases, DFS mounts could end up with SMB sessions without any IPC connections. These mounts are only possible when having unexpired cached DFS referrals, hence not requiring any IPC connections during the mount process.

Try to establish those missing IPC connections when refreshing DFS referrals. If the server is still rejecting it, then simply ignore and leave expired cached DFS referral for any potential DFS failovers.

Reported-by: Jay Shin <[email protected]>
Signed-off-by: Paulo Alcantara (Red Hat) <[email protected]>
Cc: David Howells <[email protected]>
Cc: [email protected]
Signed-off-by: Steve French <[email protected]>
(cherry picked from commit fac56c4)
Signed-off-by: Jonathan Maple <[email protected]>

jira KERNEL-452
cve CVE-2025-39966
Rebuild_History Non-Buildable kernel-6.12.0-124.27.1.el10_1
commit-author Jason Gunthorpe <[email protected]>
commit 4e034bf
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-6.12.0-124.27.1.el10_1/4e034bf0.failed

fput() doesn't actually call file_operations release() synchronously, it puts the file on a work queue and it will be released eventually.

This is normally fine, except for iommufd the file and the iommufd_object are tied together. The file has the object as its private_data and holds a users refcount, while the object is expected to remain alive as long as the file is.

When the allocation of a new object aborts before installing the file it will fput() the file and then go on to immediately kfree() the obj. This causes a UAF once the workqueue completes the fput() and tries to decrement the users refcount.

Fix this by putting the core code in charge of the file lifetime, and call __fput_sync() during abort to ensure that release() is called before kfree. __fput_sync() is a bit too tricky to open code in all the object implementations. Instead the objects tell the core code where the file pointer is and the core will take care of the life cycle.

If the object is successfully allocated then the file will hold a users refcount and the iommufd_object cannot be destroyed.

It is worth noting that close(); ioctl(IOMMU_DESTROY); doesn't have an issue because close() is already using a synchronous version of fput().

The UAF looks like this:

    BUG: KASAN: slab-use-after-free in iommufd_eventq_fops_release+0x45/0xc0 drivers/iommu/iommufd/eventq.c:376
    Write of size 4 at addr ffff888059c97804 by task syz.0.46/6164

    CPU: 0 UID: 0 PID: 6164 Comm: syz.0.46 Not tainted syzkaller #0 PREEMPT(full)
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
    Call Trace:
     <TASK>
     __dump_stack lib/dump_stack.c:94 [inline]
     dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
     print_address_description mm/kasan/report.c:378 [inline]
     print_report+0xcd/0x630 mm/kasan/report.c:482
     kasan_report+0xe0/0x110 mm/kasan/report.c:595
     check_region_inline mm/kasan/generic.c:183 [inline]
     kasan_check_range+0x100/0x1b0 mm/kasan/generic.c:189
     instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
     atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:400 [inline]
     __refcount_dec include/linux/refcount.h:455 [inline]
     refcount_dec include/linux/refcount.h:476 [inline]
     iommufd_eventq_fops_release+0x45/0xc0 drivers/iommu/iommufd/eventq.c:376
     __fput+0x402/0xb70 fs/file_table.c:468
     task_work_run+0x14d/0x240 kernel/task_work.c:227
     resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
     exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43
     exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
     syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
     syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
     do_syscall_64+0x41c/0x4c0 arch/x86/entry/syscall_64.c:100
     entry_SYSCALL_64_after_hwframe+0x77/0x7f

Link: https://patch.msgid.link/r/[email protected]
Cc: [email protected]
Fixes: 07838f7 ("iommufd: Add iommufd fault object")
Reviewed-by: Nicolin Chen <[email protected]>
Reviewed-by: Nirmoy Das <[email protected]>
Reviewed-by: Kevin Tian <[email protected]>
Tested-by: Nicolin Chen <[email protected]>
Reported-by: [email protected]
Closes: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jason Gunthorpe <[email protected]>
(cherry picked from commit 4e034bf)
Signed-off-by: Jonathan Maple <[email protected]>

# Conflicts:
#	drivers/iommu/iommufd/eventq.c
#	drivers/iommu/iommufd/main.c

jira KERNEL-452
cve CVE-2025-39840
Rebuild_History Non-Buildable kernel-6.12.0-124.27.1.el10_1
commit-author Stanislav Fort <[email protected]>
commit 4540f1d

When a watch on dir=/ is combined with an fsnotify event for a single-character name directly under / (e.g., creating /a), an out-of-bounds read can occur in audit_compare_dname_path().

The helper parent_len() returns 1 for "/". In audit_compare_dname_path(), when parentlen equals the full path length (1), the code sets p = path + 1 and pathlen = 1 - 1 = 0. The subsequent loop then dereferences p[pathlen - 1] (i.e., p[-1]), causing an out-of-bounds read.

Fix this by adding a pathlen > 0 check to the while loop condition to prevent the out-of-bounds access.

Cc: [email protected]
Fixes: e92eebb ("audit: fix suffixed '/' filename matching")
Reported-by: Stanislav Fort <[email protected]>
Suggested-by: Linus Torvalds <[email protected]>
Signed-off-by: Stanislav Fort <[email protected]>
[PM: subject tweak, sign-off email fixes]
Signed-off-by: Paul Moore <[email protected]>
(cherry picked from commit 4540f1d)
Signed-off-by: Jonathan Maple <[email protected]>
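
The loop arithmetic from the audit commit message above, as an added user-space model (not the kernel's code and not part of this pull request). The function name, the `with_fix` switch and the sample paths are constructed for illustration, and `parentlen` is passed in directly using the value the message gives for "/".

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Outcome of one simulated comparison. */
struct scan_result {
	int oob;      /* 1 if the loop asked for a byte before path[0] */
	long lowest;  /* lowest index into path[] the loop asked for; LONG_MAX if none */
	int differ;   /* 0 = dname matches the last path component, 1 = it does not */
};

/*
 * Model of the trailing-slash handling described in the commit message.
 * p is path + parentlen, so p[pathlen - 1] is path[parentlen + pathlen - 1].
 * Every read is index-checked first, so the model never reads out of
 * bounds itself; it only records that the unfixed loop would have.
 */
static struct scan_result compare_dname_path(const char *dname, const char *path,
					     long parentlen, int with_fix)
{
	struct scan_result r = { 0, LONG_MAX, 1 };
	long dlen = (long)strlen(dname);
	long pathlen = (long)strlen(path);

	if (pathlen < dlen || parentlen < 0 || parentlen > pathlen)
		return r;

	pathlen -= parentlen;

	/* Strip trailing slashes from the component that follows the parent. */
	for (;;) {
		long idx;

		if (with_fix && pathlen <= 0)   /* the added "pathlen > 0" condition */
			break;
		idx = parentlen + pathlen - 1;  /* index of p[pathlen - 1] in path[] */
		if (idx < r.lowest)
			r.lowest = idx;
		if (idx < 0) {                  /* read would land before the buffer */
			r.oob = 1;
			return r;
		}
		if (path[idx] != '/')
			break;
		pathlen--;
	}

	if (pathlen == dlen && memcmp(path + parentlen, dname, (size_t)dlen) == 0)
		r.differ = 0;
	return r;
}

int main(void)
{
	/* Constructed inputs: the dir=/ watch case, then two ordinary paths. */
	static const struct { const char *dname, *path; long parentlen; } cases[] = {
		{ "a", "/",   1 },
		{ "a", "/a",  1 },
		{ "a", "/a/", 1 },
	};
	size_t i;

	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		struct scan_result before = compare_dname_path(cases[i].dname,
				cases[i].path, cases[i].parentlen, 0);
		struct scan_result after = compare_dname_path(cases[i].dname,
				cases[i].path, cases[i].parentlen, 1);

		printf("path=%-4s unfixed: oob=%d  fixed: oob=%d differ=%d\n",
		       cases[i].path, before.oob, after.oob, after.differ);
	}
	return 0;
}
```
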

jira KERNEL-452
Rebuild_History Non-Buildable kernel-6.12.0-124.27.1.el10_1
commit-author Eric Dumazet <[email protected]>
commit 661cd8f

All callers of inet_getpeer_v4() and inet_getpeer_v6() want to create an inetpeer.

Signed-off-by: Eric Dumazet <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
(cherry picked from commit 661cd8f)
Signed-off-by: Jonathan Maple <[email protected]>

jira KERNEL-452
Rebuild_History Non-Buildable kernel-6.12.0-124.27.1.el10_1
commit-author Eric Dumazet <[email protected]>
commit 7a596a5

All callers of inet_getpeer() want to create an inetpeer.

Signed-off-by: Eric Dumazet <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
(cherry picked from commit 7a596a5)
Signed-off-by: Jonathan Maple <[email protected]>

jira KERNEL-452
Rebuild_History Non-Buildable kernel-6.12.0-124.27.1.el10_1
commit-author Eric Dumazet <[email protected]>
commit 50b362f

inet_putpeer() will be removed in the following patch, because we will no longer use refcounts.

Update inetpeer timestamp (p->dtime) at lookup time.

Signed-off-by: Eric Dumazet <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
(cherry picked from commit 50b362f)
Signed-off-by: Jonathan Maple <[email protected]>

jira KERNEL-452
Rebuild_History Non-Buildable kernel-6.12.0-124.27.1.el10_1
commit-author Eric Dumazet <[email protected]>
commit a853c60

All inet_getpeer() callers except ip4_frag_init() don't need to acquire a permanent refcount on the inetpeer. They can switch to full RCU protection.

Move the refcount_inc_not_zero() into ip4_frag_init(), so that all the other callers no longer have to perform a pair of expensive atomic operations on a possibly contended cache line.

inet_putpeer() no longer needs to be exported.

After this patch, my DUT can receive 8,400,000 UDP packets per second targeting closed ports, using 50% less cpu cycles than before.

Also change two calls to l3mdev_master_ifindex() by l3mdev_master_ifindex_rcu() (Ido ideas)

Fixes: 8c2bd38 ("icmp: change the order of rate limits")
Signed-off-by: Eric Dumazet <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
(cherry picked from commit a853c60)
Signed-off-by: Jonathan Maple <[email protected]>

jira KERNEL-452
cve CVE-2025-39806
Rebuild_History Non-Buildable kernel-6.12.0-124.27.1.el10_1
commit-author Qasim Ijaz <[email protected]>
commit 0379eb8

A malicious HID device can trigger a slab out-of-bounds during mt_report_fixup() by passing in report descriptor smaller than 607 bytes. mt_report_fixup() attempts to patch byte offset 607 of the descriptor with 0x25 by first checking if byte offset 607 is 0x15 however it lacks bounds checks to verify if the descriptor is big enough before conducting this check. Fix this bug by ensuring the descriptor size is at least 608 bytes before accessing it.

Below is the KASAN splat after the out of bounds access happens:

    [ 13.671954] ==================================================================
    [ 13.672667] BUG: KASAN: slab-out-of-bounds in mt_report_fixup+0x103/0x110
    [ 13.673297] Read of size 1 at addr ffff888103df39df by task kworker/0:1/10
    [ 13.673297]
    [ 13.673297] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0-00005-gec5d573d83f4-dirty #3
    [ 13.673297] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/04
    [ 13.673297] Call Trace:
    [ 13.673297] <TASK>
    [ 13.673297] dump_stack_lvl+0x5f/0x80
    [ 13.673297] print_report+0xd1/0x660
    [ 13.673297] kasan_report+0xe5/0x120
    [ 13.673297] __asan_report_load1_noabort+0x18/0x20
    [ 13.673297] mt_report_fixup+0x103/0x110
    [ 13.673297] hid_open_report+0x1ef/0x810
    [ 13.673297] mt_probe+0x422/0x960
    [ 13.673297] hid_device_probe+0x2e2/0x6f0
    [ 13.673297] really_probe+0x1c6/0x6b0
    [ 13.673297] __driver_probe_device+0x24f/0x310
    [ 13.673297] driver_probe_device+0x4e/0x220
    [ 13.673297] __device_attach_driver+0x169/0x320
    [ 13.673297] bus_for_each_drv+0x11d/0x1b0
    [ 13.673297] __device_attach+0x1b8/0x3e0
    [ 13.673297] device_initial_probe+0x12/0x20
    [ 13.673297] bus_probe_device+0x13d/0x180
    [ 13.673297] device_add+0xe3a/0x1670
    [ 13.673297] hid_add_device+0x31d/0xa40
    [...]

Fixes: c8000de ("HID: multitouch: Add support for GT7868Q")
Cc: [email protected]
Signed-off-by: Qasim Ijaz <[email protected]>
Reviewed-by: Jiri Slaby <[email protected]>
Signed-off-by: Jiri Kosina <[email protected]>
(cherry picked from commit 0379eb8)
Signed-off-by: Jonathan Maple <[email protected]>

jira KERNEL-452
Rebuild_History Non-Buildable kernel-6.12.0-124.27.1.el10_1
commit-author Mario Limonciello (AMD) <[email protected]>
commit 7d62beb

Dell systems utilize an EC-based touchpad emulation when the ACPI touchpad _DSM is not invoked. This emulation acts as a secondary master on the I2C bus, designed for scenarios where the I2C touchpad driver is absent, such as in BIOS menus. Typically, loading the i2c-hid module triggers the _DSM at initialization, disabling the EC-based emulation.

However, if the i2c-hid module is missing from the boot kernel used for hibernation snapshot restoration, the _DSM remains uncalled, resulting in dual masters on the I2C bus and subsequent arbitration errors. This issue arises when i2c-hid resides in the rootfs instead of the kernel or initramfs.

To address this, switch from using the SYSTEM_SLEEP_PM_OPS() macro to dedicated callbacks, introducing a specific callback for restoring the S4 image. This callback ensures the _DSM is invoked.

Signed-off-by: Mario Limonciello (AMD) <[email protected]>
Signed-off-by: Benjamin Tissoires <[email protected]>
(cherry picked from commit 7d62beb)
Signed-off-by: Jonathan Maple <[email protected]>

jira KERNEL-452
cve CVE-2025-40240
Rebuild_History Non-Buildable kernel-6.12.0-124.27.1.el10_1
commit-author Alexey Simakov <[email protected]>
commit 441f064

chunk->skb pointer is dereferenced in the if-block where it's supposed to be NULL only.

chunk->skb can only be NULL if chunk->head_skb is not. Check for frag_list instead and do it just before replacing chunk->skb. We're sure that otherwise chunk->skb is non-NULL because of outer if() condition.

Fixes: 90017ac ("sctp: Add GSO support")
Signed-off-by: Alexey Simakov <[email protected]>
Acked-by: Marcelo Ricardo Leitner <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
(cherry picked from commit 441f064)
Signed-off-by: Jonathan Maple <[email protected]>

…ith resolver

jira KERNEL-452
cve CVE-2025-39905
Rebuild_History Non-Buildable kernel-6.12.0-124.27.1.el10_1
commit-author Vladimir Oltean <[email protected]>
commit 0ba5b2f

Currently phylink_resolve() protects itself against concurrent phylink_bringup_phy() or phylink_disconnect_phy() calls which modify pl->phydev by relying on pl->state_mutex.

The problem is that in phylink_resolve(), pl->state_mutex is in a lock inversion state with pl->phydev->lock. So pl->phydev->lock needs to be acquired prior to pl->state_mutex. But that requires dereferencing pl->phydev in the first place, and without pl->state_mutex, that is racy.

Hence the reason for the extra lock. Currently it is redundant, but it will serve a functional purpose once mutex_lock(&phy->lock) will be moved outside of the mutex_lock(&pl->state_mutex) section.

Another alternative considered would have been to let phylink_resolve() acquire the rtnl_mutex, which is also held when phylink_bringup_phy() and phylink_disconnect_phy() are called. But since phylink_disconnect_phy() runs under rtnl_lock(), it would deadlock with phylink_resolve() when calling flush_work(&pl->resolve). Additionally, it would have been undesirable because it would have unnecessarily blocked many other call paths as well in the entire kernel, so the smaller-scoped lock was preferred.

Link: https://lore.kernel.org/netdev/[email protected]/
Signed-off-by: Vladimir Oltean <[email protected]>
Reviewed-by: Russell King (Oracle) <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
(cherry picked from commit 0ba5b2f)
Signed-off-by: Jonathan Maple <[email protected]>

jira KERNEL-452
cve CVE-2025-40277
Rebuild_History Non-Buildable kernel-6.12.0-124.27.1.el10_1
commit-author Ian Forbes <[email protected]>
commit 32b415a

This data originates from userspace and is used in buffer offset calculations which could potentially overflow causing an out-of-bounds access.

Fixes: 8ce75f8 ("drm/vmwgfx: Update device includes for DX device functionality")
Reported-by: Rohit Keshri <[email protected]>
Signed-off-by: Ian Forbes <[email protected]>
Reviewed-by: Maaz Mombasawala <[email protected]>
Signed-off-by: Zack Rusin <[email protected]>
Link: https://patch.msgid.link/[email protected]
(cherry picked from commit 32b415a)
Signed-off-by: Jonathan Maple <[email protected]>

…() call paths

jira KERNEL-452
cve CVE-2025-68287
Rebuild_History Non-Buildable kernel-6.12.0-124.27.1.el10_1
commit-author Manish Nagar <[email protected]>
commit e403768

This patch addresses a race condition caused by unsynchronized execution of multiple call paths invoking `dwc3_remove_requests()`, leading to premature freeing of USB requests and subsequent crashes.

Three distinct execution paths interact with `dwc3_remove_requests()`:

Path 1: Triggered via `dwc3_gadget_reset_interrupt()` during USB reset handling. The call stack includes:
- `dwc3_ep0_reset_state()`
- `dwc3_ep0_stall_and_restart()`
- `dwc3_ep0_out_start()`
- `dwc3_remove_requests()`
- `dwc3_gadget_del_and_unmap_request()`

Path 2: Also initiated from `dwc3_gadget_reset_interrupt()`, but through `dwc3_stop_active_transfers()`. The call stack includes:
- `dwc3_stop_active_transfers()`
- `dwc3_remove_requests()`
- `dwc3_gadget_del_and_unmap_request()`

Path 3: Occurs independently during `adb root` execution, which triggers USB function unbind and bind operations. The sequence includes:
- `gserial_disconnect()`
- `usb_ep_disable()`
- `dwc3_gadget_ep_disable()`
- `dwc3_remove_requests()` with `-ESHUTDOWN` status

Path 3 operates asynchronously and lacks synchronization with Paths 1 and 2. When Path 3 completes, it disables endpoints and frees 'out' requests. If Paths 1 or 2 are still processing these requests, accessing freed memory leads to a crash due to use-after-free conditions.

To fix this added check for request completion and skip processing if already completed and added the request status for ep0 while queue.

Fixes: 72246da ("usb: Introduce DesignWare USB3 DRD Driver")
Cc: stable <[email protected]>
Suggested-by: Thinh Nguyen <[email protected]>
Acked-by: Thinh Nguyen <[email protected]>
Signed-off-by: Manish Nagar <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
(cherry picked from commit e403768)
Signed-off-by: Jonathan Maple <[email protected]>

jira KERNEL-452
Rebuild_History Non-Buildable kernel-6.12.0-124.27.1.el10_1
commit-author Ruan Shiyang <[email protected]>
commit 337135e
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-6.12.0-124.27.1.el10_1/337135e6.failed

Goto-san reported confusing pgpromote statistics where the pgpromote_success count significantly exceeded pgpromote_candidate.

On a system with three nodes (nodes 0-1: DRAM 4GB, node 2: NVDIMM 4GB):

    # Enable demotion only
    echo 1 > /sys/kernel/mm/numa/demotion_enabled
    numactl -m 0-1 memhog -r200 3500M >/dev/null &
    pid=$!
    sleep 2
    numactl memhog -r100 2500M >/dev/null &
    sleep 10
    kill -9 $pid # terminate the 1st memhog
    # Enable promotion
    echo 2 > /proc/sys/kernel/numa_balancing

After a few seconds, we observed `pgpromote_candidate < pgpromote_success`

    $ grep -e pgpromote /proc/vmstat
    pgpromote_success 2579
    pgpromote_candidate 0

In this scenario, after terminating the first memhog, the conditions for pgdat_free_space_enough() are quickly met, and triggers promotion. However, these migrated pages are only counted for in PGPROMOTE_SUCCESS, not in PGPROMOTE_CANDIDATE.

To solve these confusing statistics, introduce PGPROMOTE_CANDIDATE_NRL to count the missed promotion pages. And also, not counting these pages into PGPROMOTE_CANDIDATE is to avoid changing the existing algorithm or performance of the promotion rate limit.

Link: https://lkml.kernel.org/r/[email protected]
Link: https://lkml.kernel.org/r/[email protected]
Fixes: c6833e1 ("memory tiering: rate limit NUMA migration throughput")
Co-developed-by: Li Zhijian <[email protected]>
Signed-off-by: Li Zhijian <[email protected]>
Signed-off-by: Ruan Shiyang <[email protected]>
Reported-by: Yasunori Gotou (Fujitsu) <[email protected]>
Suggested-by: Huang Ying <[email protected]>
Acked-by: Vlastimil Babka <[email protected]>
Reviewed-by: Huang Ying <[email protected]>
Cc: Ingo Molnar <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Juri Lelli <[email protected]>
Cc: Vincent Guittot <[email protected]>
Cc: Dietmar Eggemann <[email protected]>
Cc: Steven Rostedt <[email protected]>
Cc: Ben Segall <[email protected]>
Cc: Mel Gorman <[email protected]>
Cc: Valentin Schneider <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
(cherry picked from commit 337135e)
Signed-off-by: Jonathan Maple <[email protected]>

# Conflicts:
#	mm/vmstat.c
jira KERNEL-452
Rebuild_History Non-Buildable kernel-6.12.0-124.27.1.el10_1
commit-author Wander Lairson Costa <[email protected]>
commit dfd04ad

The kmem_cache_free tracepoint includes a "name" field, which allows for easy identification and filtering of specific kmem's. However, the kmem_cache_alloc tracepoint lacks this field, making it difficult to pair corresponding alloc and free events for analysis.

Add the "name" field to kmem_cache_alloc to enable consistent tracking and correlation of kmem alloc and free events.

Link: https://lkml.kernel.org/r/[email protected]
Signed-off-by: Wander Lairson Costa <[email protected]>
Cc: David Hildenbrand <[email protected]>
Cc: David Rientjes <[email protected]>
Cc: Martin Liu <[email protected]>
Cc: "Masami Hiramatsu (Google)" <[email protected]>
Cc: Mathieu Desnoyers <[email protected]>
Cc: Steven Rostedt <[email protected]>
Cc: Zi Yan <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
(cherry picked from commit dfd04ad)
Signed-off-by: Jonathan Maple <[email protected]>
…list

jira KERNEL-452
Rebuild_History Non-Buildable kernel-6.12.0-124.27.1.el10_1
commit-author Douglas Anderson <[email protected]>
commit 0c9fc6e

Qualcomm has confirmed that, much like Cortex A53 and A55, KRYO 2XX/3XX/4XX silver cores are unaffected by Spectre BHB. Add them to the safe list.

Fixes: 558c303 ("arm64: Mitigate spectre style branch history side channels")
Cc: [email protected]
Cc: Scott Bauer <[email protected]>
Signed-off-by: Douglas Anderson <[email protected]>
Acked-by: Trilok Soni <[email protected]>
Link: https://lore.kernel.org/r/20250107120555.v4.3.Iab8dbfb5c9b1e143e7a29f410bce5f9525a0ba32@changeid
Signed-off-by: Catalin Marinas <[email protected]>
(cherry picked from commit 0c9fc6e)
Signed-off-by: Jonathan Maple <[email protected]>
jira KERNEL-452
Rebuild_History Non-Buildable kernel-6.12.0-124.27.1.el10_1
commit-author Douglas Anderson <[email protected]>
commit a9b5bd8

From the TRM, MIDR_CORTEX_A76AE has a partnum of 0xDOE and an implementor of 0x41 (ARM). Add the values.

Cc: [email protected] # dependency of the next fix in the series
Signed-off-by: Douglas Anderson <[email protected]>
Link: https://lore.kernel.org/r/20250107120555.v4.4.I151f3b7ee323bcc3082179b8c60c3cd03308aa94@changeid
Signed-off-by: Catalin Marinas <[email protected]>
(cherry picked from commit a9b5bd8)
Signed-off-by: Jonathan Maple <[email protected]>
… lists

jira KERNEL-452
Rebuild_History Non-Buildable kernel-6.12.0-124.27.1.el10_1
commit-author Douglas Anderson <[email protected]>
commit a595138
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-6.12.0-124.27.1.el10_1/a5951389.failed

When comparing to the ARM list [1], it appears that several ARM cores were missing from the lists in spectre_bhb_loop_affected(). Add them.

NOTE: for some of these cores it may not matter since other ways of clearing the BHB may be used (like the CLRBHB instruction or ECBHB), but it still seems good to have all the info from ARM's whitepaper included.

[1] https://developer.arm.com/Arm%20Security%20Center/Spectre-BHB

Fixes: 558c303 ("arm64: Mitigate spectre style branch history side channels")
Cc: [email protected]
Signed-off-by: Douglas Anderson <[email protected]>
Reviewed-by: James Morse <[email protected]>
Link: https://lore.kernel.org/r/20250107120555.v4.5.I4a9a527e03f663040721c5401c41de587d015c82@changeid
Signed-off-by: Catalin Marinas <[email protected]>
(cherry picked from commit a595138)
Signed-off-by: Jonathan Maple <[email protected]>

# Conflicts:
#	arch/arm64/kernel/proton-pack.c
jira KERNEL-452
Rebuild_History Non-Buildable kernel-6.12.0-124.27.1.el10_1
commit-author Jinqian Yang <[email protected]>
commit e18c09b

The HIP09 processor is vulnerable to the Spectre-BHB (Branch History Buffer) attack, which can be exploited to leak information through branch prediction side channels. This commit adds the MIDR of HIP09 to the list for software mitigation.

Signed-off-by: Jinqian Yang <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Catalin Marinas <[email protected]>
(cherry picked from commit e18c09b)
Signed-off-by: Jonathan Maple <[email protected]>
jira KERNEL-452
Rebuild_History Non-Buildable kernel-6.12.0-124.27.1.el10_1
commit-author Will Deacon <[email protected]>
commit fee4d17
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-6.12.0-124.27.1.el10_1/fee4d171.failed

Commit a595138 ("arm64: errata: Add newer ARM cores to the spectre_bhb_loop_affected() lists") added some additional CPUs to the Spectre-BHB workaround, including some new arrays for designs that require new 'k' values for the workaround to be effective.

Unfortunately, the new arrays omitted the sentinel entry and so is_midr_in_range_list() will walk off the end when it doesn't find a match. With UBSAN enabled, this leads to a crash during boot when is_midr_in_range_list() is inlined (which was more common prior to c8c2647 ("arm64: Make _midr_in_range_list() an exported function")):

 | Internal error: aarch64 BRK: 00000000f2000001 [#1] PREEMPT SMP
 | pstate: 804000c5 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
 | pc : spectre_bhb_loop_affected+0x28/0x30
 | lr : is_spectre_bhb_affected+0x170/0x190
 | [...]
 | Call trace:
 | spectre_bhb_loop_affected+0x28/0x30
 | update_cpu_capabilities+0xc0/0x184
 | init_cpu_features+0x188/0x1a4
 | cpuinfo_store_boot_cpu+0x4c/0x60
 | smp_prepare_boot_cpu+0x38/0x54
 | start_kernel+0x8c/0x478
 | __primary_switched+0xc8/0xd4
 | Code: 6b09011f 54000061 52801080 d65f03c0 (d4200020)
 | ---[ end trace 0000000000000000 ]---
 | Kernel panic - not syncing: aarch64 BRK: Fatal exception

Add the missing sentinel entries.

Cc: Lee Jones <[email protected]>
Cc: James Morse <[email protected]>
Cc: Doug Anderson <[email protected]>
Cc: Shameer Kolothum <[email protected]>
Cc: <[email protected]>
Reported-by: Greg Kroah-Hartman <[email protected]>
Fixes: a595138 ("arm64: errata: Add newer ARM cores to the spectre_bhb_loop_affected() lists")
Signed-off-by: Will Deacon <[email protected]>
Reviewed-by: Lee Jones <[email protected]>
Reviewed-by: Douglas Anderson <[email protected]>
Reviewed-by: Greg Kroah-Hartman <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Catalin Marinas <[email protected]>
(cherry picked from commit fee4d17)
Signed-off-by: Jonathan Maple <[email protected]>

# Conflicts:
#	arch/arm64/kernel/proton-pack.c
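
The missing-sentinel failure described in the commit message above, as an added C example that is not code from this pull request or from the kernel tree. The struct is a simplified stand-in for the kernel's `struct midr_range`, the model values are constructed, and `has_sentinel()` and `in_list_bounded()` are hypothetical helpers showing how such a list can be audited and walked safely.

```c
#include <stdint.h>
#include <stdio.h>
/* Simplified stand-in for the kernel's struct midr_range (assumption). */
struct midr_range {
    uint32_t model;           /* 0 marks the end of a list */
    uint32_t rv_min, rv_max;  /* inclusive revision window */
};
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
/* Constructed model values, not real MIDR encodings. */
#define MODEL_A 0x4100d0a0u
#define MODEL_B 0x4100d0b0u

/* Correct: the trailing all-zero entry is the sentinel. */
static const struct midr_range terminated[] = {
    { MODEL_A, 0x0, 0xf }, { MODEL_B, 0x0, 0xf }, { 0, 0, 0 } };
/* Shape of the bug: no sentinel, so a sentinel-driven walk has no stop. */
static const struct midr_range unterminated[] = { { MODEL_A, 0x0, 0xf } };

/* Sentinel-driven walk; only safe on lists that end in a zero entry. */
int in_list(uint32_t model, uint32_t rev, const struct midr_range *r)
{
    for (; r->model; r++)
        if (r->model == model && rev >= r->rv_min && rev <= r->rv_max)
            return 1;
    return 0;
}

/* Hypothetical audit helper: is the last array element the sentinel? */
int has_sentinel(const struct midr_range *r, size_t n)
{
    return n > 0 && r[n - 1].model == 0;
}

/* Hypothetical bounded walk: stops at n even when the sentinel is missing. */
int in_list_bounded(uint32_t model, uint32_t rev,
                    const struct midr_range *r, size_t n)
{
    for (size_t i = 0; i < n && r[i].model; i++)
        if (r[i].model == model && rev >= r[i].rv_min && rev <= r[i].rv_max)
            return 1;
    return 0;
}

int main(void)
{
    printf("sentinel: %d %d\n", has_sentinel(terminated, ARRAY_SIZE(terminated)),
           has_sentinel(unterminated, ARRAY_SIZE(unterminated)));
    return !in_list(MODEL_B, 3, terminated);
}
```

Only a lookup that misses reaches the end of the array, which is why the unterminated list is never passed to `in_list()` here.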
jira KERNEL-452
Rebuild_History Non-Buildable kernel-6.12.0-124.27.1.el10_1
commit-author Kuninori Morimoto <[email protected]>
commit f38c2c3

Add cputype definitions for Cortex-A720AE. These will be used for errata detection in subsequent patches.

These values can be found in the Cortex-A720AE TRM:

https://developer.arm.com/documentation/102828/0001/

... in Table A-187

Signed-off-by: Kuninori Morimoto <[email protected]>
Signed-off-by: Will Deacon <[email protected]>
(cherry picked from commit f38c2c3)
Signed-off-by: Jonathan Maple <[email protected]>
jira KERNEL-452
Rebuild_History Non-Buildable kernel-6.12.0-124.27.1.el10_1
commit-author Kuninori Morimoto <[email protected]>
commit 3ba8d4a
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-6.12.0-124.27.1.el10_1/3ba8d4aa.failed

It is same as Cortex-A720.

Link: https://lore.kernel.org/all/[email protected]/
Signed-off-by: Kuninori Morimoto <[email protected]>
Signed-off-by: Will Deacon <[email protected]>
(cherry picked from commit 3ba8d4a)
Signed-off-by: Jonathan Maple <[email protected]>

# Conflicts:
#	arch/arm64/kernel/proton-pack.c
Rebuild_History BUILDABLE
Rebuilding Kernel from rpm changelog with Fuzz Limit: 87.50%
Number of commits in upstream range v6.12~1..kernel-mainline: 93416
Number of commits in rpm: 37
Number of commits matched with upstream: 32 (86.49%)
Number of commits in upstream but not in rpm: 93384
Number of commits NOT found in upstream: 5 (13.51%)

Rebuilding Kernel on Branch rocky10_1_rebuild_kernel-6.12.0-124.27.1.el10_1 for kernel-6.12.0-124.27.1.el10_1
Clean Cherry Picks: 27 (84.38%)
Empty Cherry Picks: 5 (15.62%)
_______________________________

Full Details Located here:
ciq/ciq_backports/kernel-6.12.0-124.27.1.el10_1/rebuild.details.txt

Includes:
* git commit header above
* Empty Commits with upstream SHA
* RPM ChangeLog Entries that could not be matched

Individual Empty Commit failures contained in the same containing directory.
The git message for empty commits will have the path for the failed commit.
File names are the first 8 characters of the upstream SHA
bmastbergen
approved these changes
Jan 17, 2026
Collaborator
bmastbergen
left a comment
🥌
src.rpm6.12.0-124git cherry-pickrpmbuild -bpfrom corresponding src.rpm.Checking Rebuild Commits for potentially missing commits:
kernel-6.12.0-124.27.1.el10_1
Build
KSelfTest