[rocky10_0] History Rebuild to kernel-6.12.0-55.27.1.el10_0

Documentation/admin-guide/kernel-parameters.txt

@@ -4665,7 +4665,7 @@
 				  '1' – force enabled
 				  'x' – unchanged
 				For example,
-				  pci=config_acs=10x
+				  pci=config_acs=10x@pci:0:0
 				would configure all devices that support
 				ACS to enable P2P Request Redirect, disable
 				Translation Blocking, and leave Source

Makefile.rhelver

@@ -12,7 +12,7 @@ RHEL_MINOR = 0
 #
 # Use this spot to avoid future merge conflicts.
 # Do not trim this comment.
-RHEL_RELEASE = 55.21.1
+RHEL_RELEASE = 55.27.1
 
 #
 # RHEL_REBASE_NUM

arch/powerpc/platforms/book3s/vas-api.c

@@ -485,6 +485,15 @@ static int coproc_mmap(struct file *fp, struct vm_area_struct *vma)
 		return -EINVAL;
 	}
 
+	/*
+	 * Map complete page to the paste address. So the user
+	 * space should pass 0ULL to the offset parameter.
+	 */
+	if (vma->vm_pgoff) {
+		pr_debug("Page offset unsupported to map paste address\n");
+		return -EINVAL;
+	}
+
 	/* Ensure instance has an open send window */
 	if (!txwin) {
 		pr_err("No send window open?\n");

arch/powerpc/platforms/powernv/memtrace.c

@@ -48,11 +48,15 @@ static ssize_t memtrace_read(struct file *filp, char __user *ubuf,
 static int memtrace_mmap(struct file *filp, struct vm_area_struct *vma)
 {
 	struct memtrace_entry *ent = filp->private_data;
+	unsigned long ent_nrpages = ent->size >> PAGE_SHIFT;
+	unsigned long vma_nrpages = vma_pages(vma);
 
-	if (ent->size < vma->vm_end - vma->vm_start)
+	/* The requested page offset should be within object's page count */
+	if (vma->vm_pgoff >= ent_nrpages)
 		return -EINVAL;
 
-	if (vma->vm_pgoff << PAGE_SHIFT >= ent->size)
+	/* The requested mapping range should remain within the bounds */
+	if (vma_nrpages > ent_nrpages - vma->vm_pgoff)
 		return -EINVAL;
 
 	vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot);

arch/x86/kernel/cpu/amd.c

@@ -798,6 +798,7 @@ static void init_amd_bd(struct cpuinfo_x86 *c)
 static const struct x86_cpu_desc erratum_1386_microcode[] = {
 	AMD_CPU_DESC(0x17,  0x1, 0x2, 0x0800126e),
 	AMD_CPU_DESC(0x17, 0x31, 0x0, 0x08301052),
+	{},
 };
 
 static void fix_erratum_1386(struct cpuinfo_x86 *c)

ciq/ciq_backports/kernel-6.12.0-55.22.1.el10_0/rebuild.details.txt

@@ -0,0 +1,19 @@
+Rebuild_History BUILDABLE
+Rebuilding Kernel from rpm changelog with Fuzz Limit: 87.50%
+Number of commits in upstream range v6.12~1..kernel-mainline: 52012
+Number of commits in rpm: 18
+Number of commits matched with upstream: 15 (83.33%)
+Number of commits in upstream but not in rpm: 51997
+Number of commits NOT found in upstream: 3 (16.67%)
+
+Rebuilding Kernel on Branch rocky10_0_rebuild_kernel-6.12.0-55.22.1.el10_0 for kernel-6.12.0-55.22.1.el10_0
+Clean Cherry Picks: 15 (100.00%)
+Empty Cherry Picks: 0 (0.00%)
+_______________________________
+
+__EMPTY COMMITS__________________________
+
+__CHANGES NOT IN UPSTREAM________________
+Porting to Rocky Linux 10, debranding and Rocky Linux branding'
+Add partial riscv64 support for build root'
+Provide basic VisionFive 2 support'

ciq/ciq_backports/kernel-6.12.0-55.24.1.el10_0/rebuild.details.txt

@@ -0,0 +1,19 @@
+Rebuild_History BUILDABLE
+Rebuilding Kernel from rpm changelog with Fuzz Limit: 87.50%
+Number of commits in upstream range v6.12~1..kernel-mainline: 52012
+Number of commits in rpm: 12
+Number of commits matched with upstream: 9 (75.00%)
+Number of commits in upstream but not in rpm: 52003
+Number of commits NOT found in upstream: 3 (25.00%)
+
+Rebuilding Kernel on Branch rocky10_0_rebuild_kernel-6.12.0-55.24.1.el10_0 for kernel-6.12.0-55.24.1.el10_0
+Clean Cherry Picks: 9 (100.00%)
+Empty Cherry Picks: 0 (0.00%)
+_______________________________
+
+__EMPTY COMMITS__________________________
+
+__CHANGES NOT IN UPSTREAM________________
+Porting to Rocky Linux 10, debranding and Rocky Linux branding'
+Add partial riscv64 support for build root'
+Provide basic VisionFive 2 support'

ciq/ciq_backports/kernel-6.12.0-55.25.1.el10_0/rebuild.details.txt

@@ -0,0 +1,22 @@
+Rebuild_History BUILDABLE
+Rebuilding Kernel from rpm changelog with Fuzz Limit: 87.50%
+Number of commits in upstream range v6.12~1..kernel-mainline: 52012
+Number of commits in rpm: 28
+Number of commits matched with upstream: 22 (78.57%)
+Number of commits in upstream but not in rpm: 51990
+Number of commits NOT found in upstream: 6 (21.43%)
+
+Rebuilding Kernel on Branch rocky10_0_rebuild_kernel-6.12.0-55.25.1.el10_0 for kernel-6.12.0-55.25.1.el10_0
+Clean Cherry Picks: 22 (100.00%)
+Empty Cherry Picks: 0 (0.00%)
+_______________________________
+
+__EMPTY COMMITS__________________________
+
+__CHANGES NOT IN UPSTREAM________________
+Porting to Rocky Linux 10, debranding and Rocky Linux branding'
+Add partial riscv64 support for build root'
+Provide basic VisionFive 2 support'
+usb: hub: Fix flushing of delayed work used for post resume purposes
+usb: hub: Fix flushing and scheduling of delayed work that tunes runtime pm
+usb: hub: fix detection of high tier USB3 devices behind suspended hubs

ciq/ciq_backports/kernel-6.12.0-55.27.1.el10_0/081056dc.failed

@@ -0,0 +1,247 @@
+mm/hugetlb: unshare page tables during VMA split, not before
+
+jira LE-3822
+cve CVE-2025-38084
+Rebuild_History Non-Buildable kernel-6.12.0-55.27.1.el10_0
+commit-author Jann Horn <[email protected]>
+commit 081056dc00a27bccb55ccc3c6f230a3d5fd3f7e0
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-6.12.0-55.27.1.el10_0/081056dc.failed
+
+Currently, __split_vma() triggers hugetlb page table unsharing through
+vm_ops->may_split().  This happens before the VMA lock and rmap locks are
+taken - which is too early, it allows racing VMA-locked page faults in our
+process and racing rmap walks from other processes to cause page tables to
+be shared again before we actually perform the split.
+
+Fix it by explicitly calling into the hugetlb unshare logic from
+__split_vma() in the same place where THP splitting also happens.  At that
+point, both the VMA and the rmap(s) are write-locked.
+
+An annoying detail is that we can now call into the helper
+hugetlb_unshare_pmds() from two different locking contexts:
+
+1. from hugetlb_split(), holding:
+    - mmap lock (exclusively)
+    - VMA lock
+    - file rmap lock (exclusively)
+2. hugetlb_unshare_all_pmds(), which I think is designed to be able to
+   call us with only the mmap lock held (in shared mode), but currently
+   only runs while holding mmap lock (exclusively) and VMA lock
+
+Backporting note:
+This commit fixes a racy protection that was introduced in commit
+b30c14cd6102 ("hugetlb: unshare some PMDs when splitting VMAs"); that
+commit claimed to fix an issue introduced in 5.13, but it should actually
+also go all the way back.
+
+[[email protected]: v2]
+  Link: https://lkml.kernel.org/r/[email protected]
+Link: https://lkml.kernel.org/r/[email protected]
+Link: https://lkml.kernel.org/r/[email protected]
+Fixes: 39dde65c9940 ("[PATCH] shared page table for hugetlb page")
+	Signed-off-by: Jann Horn <[email protected]>
+	Cc: Liam Howlett <[email protected]>
+	Reviewed-by: Lorenzo Stoakes <[email protected]>
+	Reviewed-by: Oscar Salvador <[email protected]>
+	Cc: Lorenzo Stoakes <[email protected]>
+	Cc: Vlastimil Babka <[email protected]>
+	Cc: <[email protected]>	[b30c14cd6102: hugetlb: unshare some PMDs when splitting VMAs]
+	Cc: <[email protected]>
+	Signed-off-by: Andrew Morton <[email protected]>
+(cherry picked from commit 081056dc00a27bccb55ccc3c6f230a3d5fd3f7e0)
+	Signed-off-by: Jonathan Maple <[email protected]>
+
+# Conflicts:
+#	include/linux/hugetlb.h
+#	mm/vma.c
+diff --cc include/linux/hugetlb.h
+index e4697539b665,42f374e828a2..000000000000
+--- a/include/linux/hugetlb.h
++++ b/include/linux/hugetlb.h
+@@@ -272,6 -278,8 +272,11 @@@ long hugetlb_change_protection(struct v
+  bool is_hugetlb_entry_migration(pte_t pte);
+  bool is_hugetlb_entry_hwpoisoned(pte_t pte);
+  void hugetlb_unshare_all_pmds(struct vm_area_struct *vma);
+++<<<<<<< HEAD
+++=======
++ void fixup_hugetlb_reservations(struct vm_area_struct *vma);
++ void hugetlb_split(struct vm_area_struct *vma, unsigned long addr);
+++>>>>>>> 081056dc00a2 (mm/hugetlb: unshare page tables during VMA split, not before)
+
+  #else /* !CONFIG_HUGETLB_PAGE */
+
+@@@ -465,6 -473,12 +470,15 @@@ static inline vm_fault_t hugetlb_fault(
+
+  static inline void hugetlb_unshare_all_pmds(struct vm_area_struct *vma) { }
+
+++<<<<<<< HEAD
+++=======
++ static inline void fixup_hugetlb_reservations(struct vm_area_struct *vma)
++ {
++ }
++ 
++ static inline void hugetlb_split(struct vm_area_struct *vma, unsigned long addr) {}
++ 
+++>>>>>>> 081056dc00a2 (mm/hugetlb: unshare page tables during VMA split, not before)
+  #endif /* !CONFIG_HUGETLB_PAGE */
+
+  #ifndef pgd_write
+diff --cc mm/vma.c
+index 7621384d64cf,7ebc9eb608f4..000000000000
+--- a/mm/vma.c
++++ b/mm/vma.c
+@@@ -416,7 -539,14 +416,18 @@@ static int __split_vma(struct vma_itera
+  	init_vma_prep(&vp, vma);
+  	vp.insert = new;
+  	vma_prepare(&vp);
+++<<<<<<< HEAD
+ +	vma_adjust_trans_huge(vma, vma->vm_start, addr, 0);
+++=======
++ 
++ 	/*
++ 	 * Get rid of huge pages and shared page tables straddling the split
++ 	 * boundary.
++ 	 */
++ 	vma_adjust_trans_huge(vma, vma->vm_start, addr, NULL);
++ 	if (is_vm_hugetlb_page(vma))
++ 		hugetlb_split(vma, addr);
+++>>>>>>> 081056dc00a2 (mm/hugetlb: unshare page tables during VMA split, not before)
+
+  	if (new_below) {
+  		vma->vm_start = addr;
+* Unmerged path include/linux/hugetlb.h
+diff --git a/mm/hugetlb.c b/mm/hugetlb.c
+index fefddd72918a..7fbf2283ec01 100644
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -87,7 +87,7 @@ static void hugetlb_vma_lock_free(struct vm_area_struct *vma);
+ static void hugetlb_vma_lock_alloc(struct vm_area_struct *vma);
+ static void __hugetlb_vma_unlock_write_free(struct vm_area_struct *vma);
+ static void hugetlb_unshare_pmds(struct vm_area_struct *vma,
+-		unsigned long start, unsigned long end);
++		unsigned long start, unsigned long end, bool take_locks);
+ static struct resv_map *vma_resv_map(struct vm_area_struct *vma);
+
+ static void hugetlb_free_folio(struct folio *folio)
+@@ -5093,26 +5093,40 @@ static int hugetlb_vm_op_split(struct vm_area_struct *vma, unsigned long addr)
+ {
+ 	if (addr & ~(huge_page_mask(hstate_vma(vma))))
+ 		return -EINVAL;
++	return 0;
++}
+
++void hugetlb_split(struct vm_area_struct *vma, unsigned long addr)
++{
+ 	/*
+ 	 * PMD sharing is only possible for PUD_SIZE-aligned address ranges
+ 	 * in HugeTLB VMAs. If we will lose PUD_SIZE alignment due to this
+ 	 * split, unshare PMDs in the PUD_SIZE interval surrounding addr now.
++	 * This function is called in the middle of a VMA split operation, with
++	 * MM, VMA and rmap all write-locked to prevent concurrent page table
++	 * walks (except hardware and gup_fast()).
+ 	 */
++	vma_assert_write_locked(vma);
++	i_mmap_assert_write_locked(vma->vm_file->f_mapping);
++
+ 	if (addr & ~PUD_MASK) {
+-		/*
+-		 * hugetlb_vm_op_split is called right before we attempt to
+-		 * split the VMA. We will need to unshare PMDs in the old and
+-		 * new VMAs, so let's unshare before we split.
+-		 */
+ 		unsigned long floor = addr & PUD_MASK;
+ 		unsigned long ceil = floor + PUD_SIZE;
+
+-		if (floor >= vma->vm_start && ceil <= vma->vm_end)
+-			hugetlb_unshare_pmds(vma, floor, ceil);
++		if (floor >= vma->vm_start && ceil <= vma->vm_end) {
++			/*
++			 * Locking:
++			 * Use take_locks=false here.
++			 * The file rmap lock is already held.
++			 * The hugetlb VMA lock can't be taken when we already
++			 * hold the file rmap lock, and we don't need it because
++			 * its purpose is to synchronize against concurrent page
++			 * table walks, which are not possible thanks to the
++			 * locks held by our caller.
++			 */
++			hugetlb_unshare_pmds(vma, floor, ceil, /* take_locks = */ false);
++		}
+ 	}
+-
+-	return 0;
+ }
+
+ static unsigned long hugetlb_vm_op_pagesize(struct vm_area_struct *vma)
+@@ -7497,9 +7511,16 @@ void move_hugetlb_state(struct folio *old_folio, struct folio *new_folio, int re
+ 	}
+ }
+
++/*
++ * If @take_locks is false, the caller must ensure that no concurrent page table
++ * access can happen (except for gup_fast() and hardware page walks).
++ * If @take_locks is true, we take the hugetlb VMA lock (to lock out things like
++ * concurrent page fault handling) and the file rmap lock.
++ */
+ static void hugetlb_unshare_pmds(struct vm_area_struct *vma,
+ 				   unsigned long start,
+-				   unsigned long end)
++				   unsigned long end,
++				   bool take_locks)
+ {
+ 	struct hstate *h = hstate_vma(vma);
+ 	unsigned long sz = huge_page_size(h);
+@@ -7523,8 +7544,12 @@ static void hugetlb_unshare_pmds(struct vm_area_struct *vma,
+ 	mmu_notifier_range_init(&range, MMU_NOTIFY_CLEAR, 0, mm,
+ 				start, end);
+ 	mmu_notifier_invalidate_range_start(&range);
+-	hugetlb_vma_lock_write(vma);
+-	i_mmap_lock_write(vma->vm_file->f_mapping);
++	if (take_locks) {
++		hugetlb_vma_lock_write(vma);
++		i_mmap_lock_write(vma->vm_file->f_mapping);
++	} else {
++		i_mmap_assert_write_locked(vma->vm_file->f_mapping);
++	}
+ 	for (address = start; address < end; address += PUD_SIZE) {
+ 		ptep = hugetlb_walk(vma, address, sz);
+ 		if (!ptep)
+@@ -7534,8 +7559,10 @@ static void hugetlb_unshare_pmds(struct vm_area_struct *vma,
+ 		spin_unlock(ptl);
+ 	}
+ 	flush_hugetlb_tlb_range(vma, start, end);
+-	i_mmap_unlock_write(vma->vm_file->f_mapping);
+-	hugetlb_vma_unlock_write(vma);
++	if (take_locks) {
++		i_mmap_unlock_write(vma->vm_file->f_mapping);
++		hugetlb_vma_unlock_write(vma);
++	}
+ 	/*
+ 	 * No need to call mmu_notifier_arch_invalidate_secondary_tlbs(), see
+ 	 * Documentation/mm/mmu_notifier.rst.
+@@ -7550,7 +7577,8 @@ static void hugetlb_unshare_pmds(struct vm_area_struct *vma,
+ void hugetlb_unshare_all_pmds(struct vm_area_struct *vma)
+ {
+ 	hugetlb_unshare_pmds(vma, ALIGN(vma->vm_start, PUD_SIZE),
+-			ALIGN_DOWN(vma->vm_end, PUD_SIZE));
++			ALIGN_DOWN(vma->vm_end, PUD_SIZE),
++			/* take_locks = */ true);
+ }
+
+ #ifdef CONFIG_CMA
+* Unmerged path mm/vma.c
+diff --git a/tools/testing/vma/vma_internal.h b/tools/testing/vma/vma_internal.h
+index c5b9da034511..1d5bbc8464f1 100644
+--- a/tools/testing/vma/vma_internal.h
++++ b/tools/testing/vma/vma_internal.h
+@@ -735,6 +735,8 @@ static inline void vma_adjust_trans_huge(struct vm_area_struct *vma,
+ 	(void)adjust_next;
+ }
+
++static inline void hugetlb_split(struct vm_area_struct *, unsigned long) {}
++
+ static inline void vma_iter_free(struct vma_iterator *vmi)
+ {
+ 	mas_destroy(&vmi->mas);