[rocky10_1] History Rebuild through kernel-6.12.0-124.31.1.el10_1

Documentation/networking/devlink/devlink-params.rst

@@ -143,3 +143,7 @@ own name.
    * - ``clock_id``
      - u64
      - Clock ID used by the device for registering DPLL devices and pins.
+   * - ``max_mac_per_vf``
+     - u32
+     - Controls the maximum number of MAC address filters that can be assigned
+       to a Virtual Function (VF).

Documentation/networking/devlink/i40e.rst

@@ -7,6 +7,40 @@ i40e devlink support
 This document describes the devlink features implemented by the ``i40e``
 device driver.
 
+Parameters
+==========
+
+.. list-table:: Generic parameters implemented
+    :widths: 5 5 90
+
+    * - Name
+      - Mode
+      - Notes
+    * - ``max_mac_per_vf``
+      - runtime
+      - Controls the maximum number of MAC addresses a VF can use
+        on i40e devices.
+
+        By default (``0``), the driver enforces its internally calculated per-VF
+        MAC filter limit, which is based on the number of allocated VFS.
+
+        If set to a non-zero value, this parameter acts as a strict cap:
+        the driver will use the user-provided value instead of its internal
+        calculation.
+
+        **Important notes:**
+
+        - This value **must be set before enabling SR-IOV**.
+          Attempting to change it while SR-IOV is enabled will return an error.
+        - MAC filters are a **shared hardware resource** across all VFs.
+          Setting a high value may cause other VFs to be starved of filters.
+        - This value is a **Administrative policy**. The hardware may return
+          errors when its absolute limit is reached, regardless of the value
+          set here.
+
+        The default value is ``0`` (internal calculation is used).
+
+
 Info versions
 =============
 

Makefile.rhelver

@@ -12,7 +12,7 @@ RHEL_MINOR = 1
 #
 # Use this spot to avoid future merge conflicts.
 # Do not trim this comment.
-RHEL_RELEASE = 124.29.1
+RHEL_RELEASE = 124.31.1
 
 #
 # RHEL_REBASE_NUM

arch/arm64/kvm/sys_regs.c

@@ -1639,6 +1639,7 @@ static u64 __kvm_read_sanitised_id_reg(const struct kvm_vcpu *vcpu,
 		break;
 	case SYS_ID_AA64MMFR2_EL1:
 		val &= ~ID_AA64MMFR2_EL1_CCIDX_MASK;
+		val &= ~ID_AA64MMFR2_EL1_NV;
 		break;
 	case SYS_ID_AA64MMFR3_EL1:
 		val &= ID_AA64MMFR3_EL1_TCRX | ID_AA64MMFR3_EL1_S1POE |
@@ -2005,6 +2006,22 @@ static int set_id_aa64mmfr0_el1(struct kvm_vcpu *vcpu,
 	return set_id_reg(vcpu, rd, user_val);
 }
 
+static int set_id_aa64mmfr2_el1(struct kvm_vcpu *vcpu,
+				const struct sys_reg_desc *rd, u64 user_val)
+{
+	u64 hw_val = read_sanitised_ftr_reg(SYS_ID_AA64MMFR2_EL1);
+	u64 nv_mask = ID_AA64MMFR2_EL1_NV_MASK;
+
+	/*
+	 * We made the mistake to expose the now deprecated NV field,
+	 * so allow userspace to write it, but silently ignore it.
+	 */
+	if ((hw_val & nv_mask) == (user_val & nv_mask))
+		user_val &= ~nv_mask;
+
+	return set_id_reg(vcpu, rd, user_val);
+}
+
 static int set_ctr_el0(struct kvm_vcpu *vcpu,
 		       const struct sys_reg_desc *rd, u64 user_val)
 {
@@ -2890,7 +2907,8 @@ static const struct sys_reg_desc sys_reg_descs[] = {
 					ID_AA64MMFR1_EL1_XNX |
 					ID_AA64MMFR1_EL1_VH |
 					ID_AA64MMFR1_EL1_VMIDBits)),
-	ID_WRITABLE(ID_AA64MMFR2_EL1, ~(ID_AA64MMFR2_EL1_RES0 |
+	ID_FILTERED(ID_AA64MMFR2_EL1,
+		    id_aa64mmfr2_el1, ~(ID_AA64MMFR2_EL1_RES0 |
 					ID_AA64MMFR2_EL1_EVT |
 					ID_AA64MMFR2_EL1_FWB |
 					ID_AA64MMFR2_EL1_IDS |

arch/s390/Kconfig

@@ -142,7 +142,6 @@ config S390
 	select ARCH_WANT_IPC_PARSE_VERSION
 	select ARCH_WANT_KERNEL_PMD_MKWRITE
 	select ARCH_WANT_LD_ORPHAN_WARN
-	select ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP
 	select BUILDTIME_TABLE_SORT
 	select CLONE_BACKWARDS2
 	select DCACHE_WORD_ACCESS if !KMSAN

arch/s390/mm/hugetlbpage.c

@@ -15,6 +15,17 @@
 #include <linux/mman.h>
 #include <linux/sched/mm.h>
 #include <linux/security.h>
+#include <linux/jump_label.h>
+
+/*
+ * RHEL-only: Since the 'hugetlb_optimize_vmemmap_key' static key is part
+ * of the kABI, we need stub definitions to avoid breaking the build
+ * when CONFIG_ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP=n.
+ */
+#ifndef CONFIG_ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP
+DEFINE_STATIC_KEY_FALSE(hugetlb_optimize_vmemmap_key);
+EXPORT_SYMBOL(hugetlb_optimize_vmemmap_key);
+#endif
 
 /*
  * If the bit selected by single-bit bitmask "a" is set within "x", move

arch/x86/boot/compressed/kaslr.c

@@ -25,10 +25,6 @@
 #include "efi.h"
 
 #include <generated/compile.h>
-#include <linux/module.h>
-#include <linux/uts.h>
-#include <linux/utsname.h>
-#include <linux/ctype.h>
 #include <generated/utsversion.h>
 #include <generated/utsrelease.h>
 

arch/x86/kernel/alternative.c

@@ -2741,3 +2741,6 @@ void __ref text_poke_bp(void *addr, const void *opcode, size_t len, const void *
 	text_poke_loc_init(&tp, addr, opcode, len, emulate);
 	text_poke_bp_batch(&tp, 1);
 }
+
+struct alt_instr __kabi__alt_instr[0];
+EXPORT_SYMBOL_GPL(__kabi__alt_instr);

arch/x86/mm/init_64.c

@@ -967,9 +967,18 @@ int add_pages(int nid, unsigned long start_pfn, unsigned long nr_pages,
 	ret = __add_pages(nid, start_pfn, nr_pages, params);
 	WARN_ON_ONCE(ret);
 
-	/* update max_pfn, max_low_pfn and high_memory */
-	update_end_of_memory_vars(start_pfn << PAGE_SHIFT,
-				  nr_pages << PAGE_SHIFT);
+	/*
+	 * Special case: add_pages() is called by memremap_pages() for adding device
+	 * private pages. Do not bump up max_pfn in the device private path,
+	 * because max_pfn changes affect dma_addressing_limited().
+	 *
+	 * dma_addressing_limited() returning true when max_pfn is the device's
+	 * addressable memory can force device drivers to use bounce buffers
+	 * and impact their performance negatively:
+	 */
+	if (!params->pgmap)
+		/* update max_pfn, max_low_pfn and high_memory */
+		update_end_of_memory_vars(start_pfn << PAGE_SHIFT, nr_pages << PAGE_SHIFT);
 
 	return ret;
 }

arch/x86/mm/kaslr.c

@@ -113,8 +113,14 @@ void __init kernel_randomize_memory(void)
 	memory_tb = DIV_ROUND_UP(max_pfn << PAGE_SHIFT, 1UL << TB_SHIFT) +
 		CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING;
 
-	/* Adapt physical memory region size based on available memory */
-	if (memory_tb < kaslr_regions[0].size_tb)
+	/*
+	 * Adapt physical memory region size based on available memory,
+	 * except when CONFIG_PCI_P2PDMA is enabled. P2PDMA exposes the
+	 * device BAR space assuming the direct map space is large enough
+	 * for creating a ZONE_DEVICE mapping in the direct map corresponding
+	 * to the physical BAR address.
+	 */
+	if (!IS_ENABLED(CONFIG_PCI_P2PDMA) && (memory_tb < kaslr_regions[0].size_tb))
 		kaslr_regions[0].size_tb = memory_tb;
 
 	/*

ciq/ciq_backports/kernel-6.12.0-124.31.1.el10_1/11709573.failed

@@ -0,0 +1,65 @@
+ipv6: use RCU in ip6_output()
+
+jira KERNEL-572
+cve CVE-2025-40158
+Rebuild_History Non-Buildable kernel-6.12.0-124.31.1.el10_1
+commit-author Eric Dumazet <edumazet@google.com>
+commit 11709573cc4e48dc34c80fc7ab9ce5b159e29695
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-6.12.0-124.31.1.el10_1/11709573.failed
+
+Use RCU in ip6_output() in order to use dst_dev_rcu() to prevent
+possible UAF.
+
+We can remove rcu_read_lock()/rcu_read_unlock() pairs
+from ip6_finish_output2().
+
+Fixes: 4a6ce2b6f2ec ("net: introduce a new function dst_dev_put()")
+	Signed-off-by: Eric Dumazet <edumazet@google.com>
+	Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://patch.msgid.link/20250828195823.3958522-5-edumazet@google.com
+	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+(cherry picked from commit 11709573cc4e48dc34c80fc7ab9ce5b159e29695)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	net/ipv6/ip6_output.c
+diff --cc net/ipv6/ip6_output.c
+index 5a364b352115,9d64c13bab5e..000000000000
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@@ -60,7 -60,7 +60,11 @@@
+  static int ip6_finish_output2(struct net *net, struct sock *sk, struct sk_buff *skb)
+  {
+  	struct dst_entry *dst = skb_dst(skb);
+++<<<<<<< HEAD
+ +	struct net_device *dev = dst->dev;
+++=======
++ 	struct net_device *dev = dst_dev_rcu(dst);
+++>>>>>>> 11709573cc4e (ipv6: use RCU in ip6_output())
+  	struct inet6_dev *idev = ip6_dst_idev(dst);
+  	unsigned int hh_len = LL_RESERVED_SPACE(dev);
+  	const struct in6_addr *daddr, *nexthop;
+@@@ -232,10 -226,15 +230,20 @@@ static int ip6_finish_output(struct ne
+
+  int ip6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
+  {
+++<<<<<<< HEAD
+ +	struct net_device *dev = skb_dst(skb)->dev, *indev = skb->dev;
+ +	struct inet6_dev *idev = ip6_dst_idev(skb_dst(skb));
+++=======
++ 	struct dst_entry *dst = skb_dst(skb);
++ 	struct net_device *dev, *indev = skb->dev;
++ 	struct inet6_dev *idev;
++ 	int ret;
+++>>>>>>> 11709573cc4e (ipv6: use RCU in ip6_output())
+
+  	skb->protocol = htons(ETH_P_IPV6);
++ 	rcu_read_lock();
++ 	dev = dst_dev_rcu(dst);
++ 	idev = ip6_dst_idev(dst);
+  	skb->dev = dev;
+
+  	if (unlikely(!idev || READ_ONCE(idev->cnf.disable_ipv6))) {
+* Unmerged path net/ipv6/ip6_output.c

ciq/ciq_backports/kernel-6.12.0-124.31.1.el10_1/1dbf1d59.failed

@@ -0,0 +1,131 @@
+net: Add locking to protect skb->dev access in ip_output
+
+jira KERNEL-572
+Rebuild_History Non-Buildable kernel-6.12.0-124.31.1.el10_1
+commit-author Sharath Chandra Vurukala <quic_sharathv@quicinc.com>
+commit 1dbf1d590d10a6d1978e8184f8dfe20af22d680a
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-6.12.0-124.31.1.el10_1/1dbf1d59.failed
+
+In ip_output() skb->dev is updated from the skb_dst(skb)->dev
+this can become invalid when the interface is unregistered and freed,
+
+Introduced new skb_dst_dev_rcu() function to be used instead of
+skb_dst_dev() within rcu_locks in ip_output.This will ensure that
+all the skb's associated with the dev being deregistered will
+be transnmitted out first, before freeing the dev.
+
+Given that ip_output() is called within an rcu_read_lock()
+critical section or from a bottom-half context, it is safe to introduce
+an RCU read-side critical section within it.
+
+Multiple panic call stacks were observed when UL traffic was run
+in concurrency with device deregistration from different functions,
+pasting one sample for reference.
+
+[496733.627565][T13385] Call trace:
+[496733.627570][T13385] bpf_prog_ce7c9180c3b128ea_cgroupskb_egres+0x24c/0x7f0
+[496733.627581][T13385] __cgroup_bpf_run_filter_skb+0x128/0x498
+[496733.627595][T13385] ip_finish_output+0xa4/0xf4
+[496733.627605][T13385] ip_output+0x100/0x1a0
+[496733.627613][T13385] ip_send_skb+0x68/0x100
+[496733.627618][T13385] udp_send_skb+0x1c4/0x384
+[496733.627625][T13385] udp_sendmsg+0x7b0/0x898
+[496733.627631][T13385] inet_sendmsg+0x5c/0x7c
+[496733.627639][T13385] __sys_sendto+0x174/0x1e4
+[496733.627647][T13385] __arm64_sys_sendto+0x28/0x3c
+[496733.627653][T13385] invoke_syscall+0x58/0x11c
+[496733.627662][T13385] el0_svc_common+0x88/0xf4
+[496733.627669][T13385] do_el0_svc+0x2c/0xb0
+[496733.627676][T13385] el0_svc+0x2c/0xa4
+[496733.627683][T13385] el0t_64_sync_handler+0x68/0xb4
+[496733.627689][T13385] el0t_64_sync+0x1a4/0x1a8
+
+Changes in v3:
+- Replaced WARN_ON() with  WARN_ON_ONCE(), as suggested by Willem de Bruijn.
+- Dropped legacy lines mistakenly pulled in from an outdated branch.
+
+Changes in v2:
+- Addressed review comments from Eric Dumazet
+- Used READ_ONCE() to prevent potential load/store tearing
+- Added skb_dst_dev_rcu() and used along with rcu_read_lock() in ip_output
+
+	Signed-off-by: Sharath Chandra Vurukala <quic_sharathv@quicinc.com>
+	Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20250730105118.GA26100@hu-sharathv-hyd.qualcomm.com
+	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+(cherry picked from commit 1dbf1d590d10a6d1978e8184f8dfe20af22d680a)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	include/net/dst.h
+#	net/ipv4/ip_output.c
+diff --cc include/net/dst.h
+index 08647c99d79c,bab01363bb97..000000000000
+--- a/include/net/dst.h
++++ b/include/net/dst.h
+@@@ -561,6 -563,38 +561,41 @@@ static inline void skb_dst_update_pmtu_
+  		dst->ops->update_pmtu(dst, NULL, skb, mtu, false);
+  }
+
+++<<<<<<< HEAD
+++=======
++ static inline struct net_device *dst_dev(const struct dst_entry *dst)
++ {
++ 	return READ_ONCE(dst->dev);
++ }
++ 
++ static inline struct net_device *dst_dev_rcu(const struct dst_entry *dst)
++ {
++ 	/* In the future, use rcu_dereference(dst->dev) */
++ 	WARN_ON_ONCE(!rcu_read_lock_held());
++ 	return READ_ONCE(dst->dev);
++ }
++ 
++ static inline struct net_device *skb_dst_dev(const struct sk_buff *skb)
++ {
++ 	return dst_dev(skb_dst(skb));
++ }
++ 
++ static inline struct net_device *skb_dst_dev_rcu(const struct sk_buff *skb)
++ {
++ 	return dst_dev_rcu(skb_dst(skb));
++ }
++ 
++ static inline struct net *skb_dst_dev_net(const struct sk_buff *skb)
++ {
++ 	return dev_net(skb_dst_dev(skb));
++ }
++ 
++ static inline struct net *skb_dst_dev_net_rcu(const struct sk_buff *skb)
++ {
++ 	return dev_net_rcu(skb_dst_dev(skb));
++ }
++ 
+++>>>>>>> 1dbf1d590d10 (net: Add locking to protect skb->dev access in ip_output)
+  struct dst_entry *dst_blackhole_check(struct dst_entry *dst, u32 cookie);
+  void dst_blackhole_update_pmtu(struct dst_entry *dst, struct sock *sk,
+  			       struct sk_buff *skb, u32 mtu, bool confirm_neigh);
+diff --cc net/ipv4/ip_output.c
+index 0065b1996c94,84e7f8a2f50f..000000000000
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@@ -426,8 -425,11 +426,15 @@@ int ip_mc_output(struct net *net, struc
+
+  int ip_output(struct net *net, struct sock *sk, struct sk_buff *skb)
+  {
+++<<<<<<< HEAD
+ +	struct net_device *dev = skb_dst(skb)->dev, *indev = skb->dev;
+++=======
++ 	struct net_device *dev, *indev = skb->dev;
++ 	int ret_val;
+++>>>>>>> 1dbf1d590d10 (net: Add locking to protect skb->dev access in ip_output)
+
++ 	rcu_read_lock();
++ 	dev = skb_dst_dev_rcu(skb);
+  	skb->dev = dev;
+  	skb->protocol = htons(ETH_P_IP);
+
+* Unmerged path include/net/dst.h
+* Unmerged path net/ipv4/ip_output.c