[rocky9_6] History Rebuild for kernel-5.14.0-570.30.1.el9_6

Makefile.rhelver

@@ -12,7 +12,7 @@ RHEL_MINOR = 6
 #
 # Use this spot to avoid future merge conflicts.
 # Do not trim this comment.
-RHEL_RELEASE = 570.28.1
+RHEL_RELEASE = 570.30.1
 
 #
 # ZSTREAM

ciq/ciq_backports/kernel-5.14.0-570.30.1.el9_6/3d9b8ac5.failed

@@ -0,0 +1,39 @@
+r8169: enable RTL8168H/RTL8168EP/RTL8168FP ASPM support
+
+jira LE-3666
+Rebuild_History Non-Buildable kernel-5.14.0-570.30.1.el9_6
+commit-author ChunHao Lin <[email protected]>
+commit 3d9b8ac5341269d31e59fd5d58d47266ac78bc32
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-5.14.0-570.30.1.el9_6/3d9b8ac5.failed
+
+This patch will enable RTL8168H/RTL8168EP/RTL8168FP ASPM support on
+the platforms that have tested with ASPM enabled.
+
+	Signed-off-by: ChunHao Lin <[email protected]>
+	Reviewed-by: Heiner Kallweit <[email protected]>
+Link: https://patch.msgid.link/[email protected]
+	Signed-off-by: Jakub Kicinski <[email protected]>
+(cherry picked from commit 3d9b8ac5341269d31e59fd5d58d47266ac78bc32)
+	Signed-off-by: Jonathan Maple <[email protected]>
+
+# Conflicts:
+#	drivers/net/ethernet/realtek/r8169_main.c
+diff --cc drivers/net/ethernet/realtek/r8169_main.c
+index a0ab75958a84,5c5e256fb9fa..000000000000
+--- a/drivers/net/ethernet/realtek/r8169_main.c
++++ b/drivers/net/ethernet/realtek/r8169_main.c
+@@@ -5508,7 -5398,7 +5508,11 @@@ done
+  /* register is set if system vendor successfully tested ASPM 1.2 */
+  static bool rtl_aspm_is_safe(struct rtl8169_private *tp)
+  {
+++<<<<<<< HEAD
+ +	if (tp->mac_version >= RTL_GIGA_MAC_VER_60 &&
+++=======
++ 	if (tp->mac_version >= RTL_GIGA_MAC_VER_46 &&
+++>>>>>>> 3d9b8ac53412 (r8169: enable RTL8168H/RTL8168EP/RTL8168FP ASPM support)
+  	    r8168_mac_ocp_read(tp, 0xc0b2) & 0xf)
+  		return true;
+
+* Unmerged path drivers/net/ethernet/realtek/r8169_main.c

ciq/ciq_backports/kernel-5.14.0-570.30.1.el9_6/be6e843f.failed

@@ -0,0 +1,106 @@
+mm/huge_memory: fix dereferencing invalid pmd migration entry
+
+jira LE-3666
+cve CVE-2025-37958
+Rebuild_History Non-Buildable kernel-5.14.0-570.30.1.el9_6
+commit-author Gavin Guo <[email protected]>
+commit be6e843fc51a584672dfd9c4a6a24c8cb81d5fb7
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-5.14.0-570.30.1.el9_6/be6e843f.failed
+
+When migrating a THP, concurrent access to the PMD migration entry during
+a deferred split scan can lead to an invalid address access, as
+illustrated below.  To prevent this invalid access, it is necessary to
+check the PMD migration entry and return early.  In this context, there is
+no need to use pmd_to_swp_entry and pfn_swap_entry_to_page to verify the
+equality of the target folio.  Since the PMD migration entry is locked, it
+cannot be served as the target.
+
+Mailing list discussion and explanation from Hugh Dickins: "An anon_vma
+lookup points to a location which may contain the folio of interest, but
+might instead contain another folio: and weeding out those other folios is
+precisely what the "folio != pmd_folio((*pmd)" check (and the "risk of
+replacing the wrong folio" comment a few lines above it) is for."
+
+BUG: unable to handle page fault for address: ffffea60001db008
+CPU: 0 UID: 0 PID: 2199114 Comm: tee Not tainted 6.14.0+ #4 NONE
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+RIP: 0010:split_huge_pmd_locked+0x3b5/0x2b60
+Call Trace:
+<TASK>
+try_to_migrate_one+0x28c/0x3730
+rmap_walk_anon+0x4f6/0x770
+unmap_folio+0x196/0x1f0
+split_huge_page_to_list_to_order+0x9f6/0x1560
+deferred_split_scan+0xac5/0x12a0
+shrinker_debugfs_scan_write+0x376/0x470
+full_proxy_write+0x15c/0x220
+vfs_write+0x2fc/0xcb0
+ksys_write+0x146/0x250
+do_syscall_64+0x6a/0x120
+entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+The bug is found by syzkaller on an internal kernel, then confirmed on
+upstream.
+
+Link: https://lkml.kernel.org/r/[email protected]
+Link: https://lore.kernel.org/all/[email protected]/
+Link: https://lore.kernel.org/all/[email protected]/
+Fixes: 84c3fc4e9c56 ("mm: thp: check pmd migration entry in common path")
+	Signed-off-by: Gavin Guo <[email protected]>
+	Acked-by: David Hildenbrand <[email protected]>
+	Acked-by: Hugh Dickins <[email protected]>
+	Acked-by: Zi Yan <[email protected]>
+	Reviewed-by: Gavin Shan <[email protected]>
+	Cc: Florent Revest <[email protected]>
+	Cc: Matthew Wilcox (Oracle) <[email protected]>
+	Cc: Miaohe Lin <[email protected]>
+	Cc: <[email protected]>
+	Signed-off-by: Andrew Morton <[email protected]>
+(cherry picked from commit be6e843fc51a584672dfd9c4a6a24c8cb81d5fb7)
+	Signed-off-by: Jonathan Maple <[email protected]>
+
+# Conflicts:
+#	mm/huge_memory.c
+diff --cc mm/huge_memory.c
+index c1cdbd21ddde,47d76d03ce30..000000000000
+--- a/mm/huge_memory.c
++++ b/mm/huge_memory.c
+@@@ -2279,6 -3072,32 +2279,35 @@@ static void __split_huge_pmd_locked(str
+  	pmd_populate(mm, pmd, pgtable);
+  }
+
+++<<<<<<< HEAD
+++=======
++ void split_huge_pmd_locked(struct vm_area_struct *vma, unsigned long address,
++ 			   pmd_t *pmd, bool freeze, struct folio *folio)
++ {
++ 	bool pmd_migration = is_pmd_migration_entry(*pmd);
++ 
++ 	VM_WARN_ON_ONCE(folio && !folio_test_pmd_mappable(folio));
++ 	VM_WARN_ON_ONCE(!IS_ALIGNED(address, HPAGE_PMD_SIZE));
++ 	VM_WARN_ON_ONCE(folio && !folio_test_locked(folio));
++ 	VM_BUG_ON(freeze && !folio);
++ 
++ 	/*
++ 	 * When the caller requests to set up a migration entry, we
++ 	 * require a folio to check the PMD against. Otherwise, there
++ 	 * is a risk of replacing the wrong folio.
++ 	 */
++ 	if (pmd_trans_huge(*pmd) || pmd_devmap(*pmd) || pmd_migration) {
++ 		/*
++ 		 * Do not apply pmd_folio() to a migration entry; and folio lock
++ 		 * guarantees that it must be of the wrong folio anyway.
++ 		 */
++ 		if (folio && (pmd_migration || folio != pmd_folio(*pmd)))
++ 			return;
++ 		__split_huge_pmd_locked(vma, pmd, address, freeze);
++ 	}
++ }
++ 
+++>>>>>>> be6e843fc51a (mm/huge_memory: fix dereferencing invalid pmd migration entry)
+  void __split_huge_pmd(struct vm_area_struct *vma, pmd_t *pmd,
+  		unsigned long address, bool freeze, struct folio *folio)
+  {
+* Unmerged path mm/huge_memory.c

ciq/ciq_backports/kernel-5.14.0-570.30.1.el9_6/ce2f26e7.failed

@@ -0,0 +1,175 @@
+ext4: avoid journaling sb update on error if journal is destroying
+
+jira LE-3666
+cve CVE-2025-22113
+Rebuild_History Non-Buildable kernel-5.14.0-570.30.1.el9_6
+commit-author Ojaswin Mujoo <[email protected]>
+commit ce2f26e73783b4a7c46a86e3af5b5c8de0971790
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-5.14.0-570.30.1.el9_6/ce2f26e7.failed
+
+Presently we always BUG_ON if trying to start a transaction on a journal marked
+with JBD2_UNMOUNT, since this should never happen. However, while ltp running
+stress tests, it was observed that in case of some error handling paths, it is
+possible for update_super_work to start a transaction after the journal is
+destroyed eg:
+
+(umount)
+ext4_kill_sb
+  kill_block_super
+    generic_shutdown_super
+      sync_filesystem /* commits all txns */
+      evict_inodes
+        /* might start a new txn */
+      ext4_put_super
+	flush_work(&sbi->s_sb_upd_work) /* flush the workqueue */
+        jbd2_journal_destroy
+          journal_kill_thread
+            journal->j_flags |= JBD2_UNMOUNT;
+          jbd2_journal_commit_transaction
+            jbd2_journal_get_descriptor_buffer
+              jbd2_journal_bmap
+                ext4_journal_bmap
+                  ext4_map_blocks
+                    ...
+                    ext4_inode_error
+                      ext4_handle_error
+                        schedule_work(&sbi->s_sb_upd_work)
+
+                                               /* work queue kicks in */
+                                               update_super_work
+                                                 jbd2_journal_start
+                                                   start_this_handle
+                                                     BUG_ON(journal->j_flags &
+                                                            JBD2_UNMOUNT)
+
+Hence, introduce a new mount flag to indicate journal is destroying and only do
+a journaled (and deferred) update of sb if this flag is not set. Otherwise, just
+fallback to an un-journaled commit.
+
+Further, in the journal destroy path, we have the following sequence:
+
+  1. Set mount flag indicating journal is destroying
+  2. force a commit and wait for it
+  3. flush pending sb updates
+
+This sequence is important as it ensures that, after this point, there is no sb
+update that might be journaled so it is safe to update the sb outside the
+journal. (To avoid race discussed in 2d01ddc86606)
+
+Also, we don't need a similar check in ext4_grp_locked_error since it is only
+called from mballoc and AFAICT it would be always valid to schedule work here.
+
+Fixes: 2d01ddc86606 ("ext4: save error info to sb through journal if available")
+	Reported-by: Mahesh Kumar <[email protected]>
+	Signed-off-by: Ojaswin Mujoo <[email protected]>
+	Reviewed-by: Jan Kara <[email protected]>
+Link: https://patch.msgid.link/9613c465d6ff00cd315602f99283d5f24018c3f7.1742279837.git.ojaswin@linux.ibm.com
+	Signed-off-by: Theodore Ts'o <[email protected]>
+(cherry picked from commit ce2f26e73783b4a7c46a86e3af5b5c8de0971790)
+	Signed-off-by: Jonathan Maple <[email protected]>
+
+# Conflicts:
+#	fs/ext4/ext4.h
+diff --cc fs/ext4/ext4.h
+index 3ded4c5738ad,797b5b3d69ba..000000000000
+--- a/fs/ext4/ext4.h
++++ b/fs/ext4/ext4.h
+@@@ -1833,8 -1824,8 +1833,13 @@@ static inline int ext4_valid_inum(struc
+   */
+  enum {
+  	EXT4_MF_MNTDIR_SAMPLED,
+++<<<<<<< HEAD
+ +	EXT4_MF_FS_ABORTED,	/* Fatal error detected */
+ +	EXT4_MF_FC_INELIGIBLE	/* Fast commit ineligible */
+++=======
++ 	EXT4_MF_FC_INELIGIBLE,	/* Fast commit ineligible */
++ 	EXT4_MF_JOURNAL_DESTROY	/* Journal is in process of destroying */
+++>>>>>>> ce2f26e73783 (ext4: avoid journaling sb update on error if journal is destroying)
+  };
+
+  static inline void ext4_set_mount_flag(struct super_block *sb, int bit)
+* Unmerged path fs/ext4/ext4.h
+diff --git a/fs/ext4/ext4_jbd2.h b/fs/ext4/ext4_jbd2.h
+index 930778e507cc..ada46189b086 100644
+--- a/fs/ext4/ext4_jbd2.h
++++ b/fs/ext4/ext4_jbd2.h
+@@ -521,6 +521,21 @@ static inline int ext4_journal_destroy(struct ext4_sb_info *sbi, journal_t *jour
+ {
+ 	int err = 0;
+
++	/*
++	 * At this point only two things can be operating on the journal.
++	 * JBD2 thread performing transaction commit and s_sb_upd_work
++	 * issuing sb update through the journal. Once we set
++	 * EXT4_JOURNAL_DESTROY, new ext4_handle_error() calls will not
++	 * queue s_sb_upd_work and ext4_force_commit() makes sure any
++	 * ext4_handle_error() calls from the running transaction commit are
++	 * finished. Hence no new s_sb_upd_work can be queued after we
++	 * flush it here.
++	 */
++	ext4_set_mount_flag(sbi->s_sb, EXT4_MF_JOURNAL_DESTROY);
++
++	ext4_force_commit(sbi->s_sb);
++	flush_work(&sbi->s_sb_upd_work);
++
+ 	err = jbd2_journal_destroy(journal);
+ 	sbi->s_journal = NULL;
+
+diff --git a/fs/ext4/super.c b/fs/ext4/super.c
+index d1b0b170401b..353682e75438 100644
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -720,9 +720,13 @@ static void ext4_handle_error(struct super_block *sb, bool force_ro, int error,
+ 		 * In case the fs should keep running, we need to writeout
+ 		 * superblock through the journal. Due to lock ordering
+ 		 * constraints, it may not be safe to do it right here so we
+-		 * defer superblock flushing to a workqueue.
++		 * defer superblock flushing to a workqueue. We just need to be
++		 * careful when the journal is already shutting down. If we get
++		 * here in that case, just update the sb directly as the last
++		 * transaction won't commit anyway.
+ 		 */
+-		if (continue_fs && journal)
++		if (continue_fs && journal &&
++		    !ext4_test_mount_flag(sb, EXT4_MF_JOURNAL_DESTROY))
+ 			schedule_work(&EXT4_SB(sb)->s_sb_upd_work);
+ 		else
+ 			ext4_commit_super(sb);
+@@ -1252,7 +1256,6 @@ static void ext4_put_super(struct super_block *sb)
+ 	ext4_unregister_li_request(sb);
+ 	ext4_quota_off_umount(sb);
+
+-	flush_work(&sbi->s_sb_upd_work);
+ 	destroy_workqueue(sbi->rsv_conversion_wq);
+ 	ext4_release_orphan_info(sb);
+
+@@ -1262,7 +1265,8 @@ static void ext4_put_super(struct super_block *sb)
+ 		if ((err < 0) && !aborted) {
+ 			ext4_abort(sb, -err, "Couldn't clean up the journal");
+ 		}
+-	}
++	} else
++		flush_work(&sbi->s_sb_upd_work);
+
+ 	ext4_es_unregister_shrinker(sbi);
+ 	timer_shutdown_sync(&sbi->s_err_report);
+@@ -4920,8 +4924,6 @@ static int ext4_load_and_init_journal(struct super_block *sb,
+ 	return 0;
+
+ out:
+-	/* flush s_sb_upd_work before destroying the journal. */
+-	flush_work(&sbi->s_sb_upd_work);
+ 	ext4_journal_destroy(sbi, sbi->s_journal);
+ 	return -EINVAL;
+ }
+@@ -5684,8 +5686,6 @@ failed_mount8: __maybe_unused
+ 	sbi->s_ea_block_cache = NULL;
+
+ 	if (sbi->s_journal) {
+-		/* flush s_sb_upd_work before journal destroy. */
+-		flush_work(&sbi->s_sb_upd_work);
+ 		ext4_journal_destroy(sbi, sbi->s_journal);
+ 	}
+ failed_mount3a:

ciq/ciq_backports/kernel-5.14.0-570.30.1.el9_6/rebuild.details.txt

@@ -0,0 +1,23 @@
+Rebuild_History BUILDABLE
+Rebuilding Kernel from rpm changelog with Fuzz Limit: 87.50%
+Number of commits in upstream range v5.14~1..kernel-mainline: 309912
+Number of commits in rpm: 22
+Number of commits matched with upstream: 18 (81.82%)
+Number of commits in upstream but not in rpm: 309894
+Number of commits NOT found in upstream: 4 (18.18%)
+
+Rebuilding Kernel on Branch rocky9_6_rebuild_kernel-5.14.0-570.30.1.el9_6 for kernel-5.14.0-570.30.1.el9_6
+Clean Cherry Picks: 15 (83.33%)
+Empty Cherry Picks: 3 (16.67%)
+_______________________________
+
+__EMPTY COMMITS__________________________
+be6e843fc51a584672dfd9c4a6a24c8cb81d5fb7 mm/huge_memory: fix dereferencing invalid pmd migration entry
+3d9b8ac5341269d31e59fd5d58d47266ac78bc32 r8169: enable RTL8168H/RTL8168EP/RTL8168FP ASPM support
+ce2f26e73783b4a7c46a86e3af5b5c8de0971790 ext4: avoid journaling sb update on error if journal is destroying
+
+__CHANGES NOT IN UPSTREAM________________
+Porting to Rocky Linux 9, debranding and Rocky branding'
+Ensure aarch64 kernel is not compressed'
+smb: client: fix regression with native SMB symlinks
+redhat/configs: remove automotive directory