jira LE-4613
cve CVE-2025-39727
Rebuild_History Non-Buildable kernel-6.12.0-55.41.1.el10_0
commit-author Kemeng Shi <shikemeng@huaweicloud.com>
commit 152c133

In setup_swap_map(), we only ensure badpages are in range (0, last_page].
As maxpages might be < last_page, setup_clusters() will encounter a buffer
overflow when a badpage is >= maxpages.

Only call inc_cluster_info_page() for badpage which is < maxpages to fix
the issue.

Link: https://lkml.kernel.org/r/20250522122554.12209-4-shikemeng@huaweicloud.com
Fixes: b843786 ("mm: swapfile: fix SSD detection with swapfile on btrfs")
	Signed-off-by: Kemeng Shi <shikemeng@huaweicloud.com>
	Reviewed-by: Baoquan He <bhe@redhat.com>
	Cc: Johannes Weiner <hannes@cmpxchg.org>
	Cc: Kairui Song <kasong@tencent.com>
	Cc: <stable@vger.kernel.org>
	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
(cherry picked from commit 152c133)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

jira LE-4613
cve CVE-2025-39718
Rebuild_History Non-Buildable kernel-6.12.0-55.41.1.el10_0
commit-author Will Deacon <will@kernel.org>
commit 0dab924

When receiving a vsock packet in the guest, only the virtqueue buffer
size is validated prior to virtio_vsock_skb_rx_put(). Unfortunately,
virtio_vsock_skb_rx_put() uses the length from the packet header as the
length argument to skb_put(), potentially resulting in SKB overflow if
the host has gone wonky.

Validate the length as advertised by the packet header before calling
virtio_vsock_skb_rx_put().

	Cc: <stable@vger.kernel.org>
Fixes: 71dc9ec ("virtio/vsock: replace virtio_vsock_pkt with sk_buff")
	Signed-off-by: Will Deacon <will@kernel.org>
Message-Id: <20250717090116.11987-3-will@kernel.org>
	Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
	Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
(cherry picked from commit 0dab924)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

jira LE-4613
cve CVE-2025-39697
Rebuild_History Non-Buildable kernel-6.12.0-55.41.1.el10_0
commit-author Trond Myklebust <trond.myklebust@hammerspace.com>
commit 76d2e38

After nfs_lock_and_join_requests() tests for whether the request is
still attached to the mapping, nothing prevents a call to
nfs_inode_remove_request() from succeeding until we actually lock the
page group.
The reason is that whoever called nfs_inode_remove_request() doesn't
necessarily have a lock on the page group head.

So in order to avoid races, let's take the page group lock earlier in
nfs_lock_and_join_requests(), and hold it across the removal of the
request in nfs_inode_remove_request().

	Reported-by: Jeff Layton <jlayton@kernel.org>
	Tested-by: Joe Quanaim <jdq@meta.com>
	Tested-by: Andrew Steffen <aksteffen@meta.com>
	Reviewed-by: Jeff Layton <jlayton@kernel.org>
Fixes: bd37d6f ("NFSv4: Convert nfs_lock_and_join_requests() to use nfs_page_find_head_request()")
	Cc: stable@vger.kernel.org
	Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
(cherry picked from commit 76d2e38)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

jira LE-4613
Rebuild_History Non-Buildable kernel-6.12.0-55.41.1.el10_0
commit-author Vadim Fedorenko <vadim.fedorenko@linux.dev>
commit 0452a2d

The gettimex64() doesn't modify values in timecounter, that's why there
is no need to update sequence counter. Reduce the contention on sequence
lock for multi-thread PHC reading use-case.

	Signed-off-by: Vadim Fedorenko <vadfed@meta.com>
	Reviewed-by: Rahul Rameshbabu <rrameshbabu@nvidia.com>
	Acked-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/20241014170103.2473580-1-vadfed@meta.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 0452a2d)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

jira LE-4613
Rebuild_History Non-Buildable kernel-6.12.0-55.41.1.el10_0
commit-author Vadim Fedorenko <vadim.fedorenko@linux.dev>
commit e61e6c4

The overflow_work is using system wq to do overflow checks and updates
for PHC device timecounter, which might be overhelmed by other tasks.
But there is dedicated kthread in PTP subsystem designed for such
things. This patch changes the work queue to proper align with PTP
subsystem and to avoid overloading system work queue.
The adjfine() function acts the same way as overflow check worker,
we can postpone ptp aux worker till the next overflow period after
adjfine() was called.

	Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
	Signed-off-by: Vadim Fedorenko <vadfed@meta.com>
	Acked-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/20250107104812.380225-1-vadfed@meta.com
	Signed-off-by: Paolo Abeni <pabeni@redhat.com>

(cherry picked from commit e61e6c4)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

jira LE-4613
Rebuild_History Non-Buildable kernel-6.12.0-55.41.1.el10_0
commit-author Jianbo Liu <jianbol@nvidia.com>
commit e2685ef

Management Real Time Clock Query (MRTCQ) register is used to query
hardware clock identity.

	Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
	Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
	Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/20250109204231.1809851-3-tariqt@nvidia.com
	Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
	Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
	Signed-off-by: Leon Romanovsky <leon@kernel.org>
(cherry picked from commit e2685ef)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

jira LE-4613
Rebuild_History Non-Buildable kernel-6.12.0-55.41.1.el10_0
commit-author Jianbo Liu <jianbol@nvidia.com>
commit e3ad54f

The PTP callback functions should not be used directly by internal
callers. Add helpers that can be used internally and externally.

	Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
	Reviewed-by: Carolina Jubran <cjubran@nvidia.com>
	Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
	Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
	Reviewed-by: Mateusz Polchlopek <mateusz.polchlopek@intel.com>
	Signed-off-by: Paolo Abeni <pabeni@redhat.com>

(cherry picked from commit e3ad54f)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

jira LE-4613
Rebuild_History Non-Buildable kernel-6.12.0-55.41.1.el10_0
commit-author Jianbo Liu <jianbol@nvidia.com>
commit 9f722fb

In later patch, the mlx5_clock will be allocated dynamically, its
address can be obtained from mlx5_core_dev struct, but mdev can't be
obtained from mlx5_clock because it can be shared by multiple
interfaces. So change the parameter for such internal functions, only
mdev is passed down from the callers.

	Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
	Reviewed-by: Carolina Jubran <cjubran@nvidia.com>
	Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
	Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
	Signed-off-by: Paolo Abeni <pabeni@redhat.com>

(cherry picked from commit 9f722fb)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

jira LE-4613
Rebuild_History Non-Buildable kernel-6.12.0-55.41.1.el10_0
commit-author Jianbo Liu <jianbol@nvidia.com>
commit ccb717a

Move hardware clock initialization and destruction to the functions,
which will be used for dynamically allocated clock. Such clock is
shared by all the devices if the queried clock identities are same.

The out_work is for PPS out event, which can't be triggered when clock
is shared, so INIT_WORK is not moved to the initialization function.
Besides, we still need to register notifier for each device.

	Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
	Reviewed-by: Carolina Jubran <cjubran@nvidia.com>
	Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
	Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
	Signed-off-by: Paolo Abeni <pabeni@redhat.com>

(cherry picked from commit ccb717a)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

jira LE-4613
Rebuild_History Non-Buildable kernel-6.12.0-55.41.1.el10_0
commit-author Jianbo Liu <jianbol@nvidia.com>
commit 355f58f

The mdev is calculated directly from mlx5_clock, as it's one of the
fields in mlx5_core_dev. Move to a function so it can be easily
changed in next patch.

	Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
	Reviewed-by: Carolina Jubran <cjubran@nvidia.com>
	Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
	Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
	Signed-off-by: Paolo Abeni <pabeni@redhat.com>

(cherry picked from commit 355f58f)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

jira LE-4613
Rebuild_History Non-Buildable kernel-6.12.0-55.41.1.el10_0
commit-author Jianbo Liu <jianbol@nvidia.com>
commit f9beaf4

Change clock member in mlx5_core_dev to a pointer, so it can point to
a clock shared by multiple functions in later patch.

For now, each function has its own clock, so mdev in mlx5_clock_priv
is the back pointer to the function. Later it points to one (normally
the first one) of the multiple functions sharing the same clock.

Change mlx5_init_clock() to return error if mlx5_clock is not
allocated. Besides, a null clock is defined and used when hardware
clock is not supported. So, the clock pointer is always pointing to
something valid.

	Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
	Reviewed-by: Carolina Jubran <cjubran@nvidia.com>
	Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
	Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
	Signed-off-by: Paolo Abeni <pabeni@redhat.com>

(cherry picked from commit f9beaf4)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

jira LE-4613
Rebuild_History Non-Buildable kernel-6.12.0-55.41.1.el10_0
commit-author Jianbo Liu <jianbol@nvidia.com>
commit 574998c

Add new devcom component for hardware clock. When it is running in
real time mode, the functions are grouped by the identify they query.

According to firmware document, the clock identify size is 64 bits, so
it's safe to memcpy to component key, as the key size is also 64 bits.

	Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
	Reviewed-by: Carolina Jubran <cjubran@nvidia.com>
	Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
	Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
	Signed-off-by: Paolo Abeni <pabeni@redhat.com>

(cherry picked from commit 574998c)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

jira LE-4613
Rebuild_History Non-Buildable kernel-6.12.0-55.41.1.el10_0
commit-author Jianbo Liu <jianbol@nvidia.com>
commit 79faf9d

The PPS notifier is currently in mlx5_clock, and mlx5_clock can be
shared in later patch, so the notifier should be registered for each
device to avoid any event miss. Besides, the out_work is scheduled by
PPS out event which is triggered only when the device is in free
running mode. So, both are moved to mlx5_core_dev's clock_state.

	Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
	Reviewed-by: Carolina Jubran <cjubran@nvidia.com>
	Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
	Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
	Signed-off-by: Paolo Abeni <pabeni@redhat.com>

(cherry picked from commit 79faf9d)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

jira LE-4613
Rebuild_History Non-Buildable kernel-6.12.0-55.41.1.el10_0
commit-author Jianbo Liu <jianbol@nvidia.com>
commit f538ffb

Currently, mlx5 driver exposes a PTP device for each network interface,
resulting in multiple device nodes representing the same underlying
PHC (PTP hardware clock). This causes problem if it is trying to
synchronize to itself. For instance, when ptp4l operates on multiple
interfaces following different masters, phc2sys attempts to
synchronize them in automatic mode.

PHC can be configured to work as free running mode or real time mode.
All functions can access it directly. In this patch, we create one PTP
device for each PHC when it's running in real time mode. All the
functions share the same PTP device if the clock identifies they query
are same, and they are already grouped by devcom in previous commit.
The first mdev in the peer list is chosen when sending
MTPPS/MTUTC/MTPPSE/MRTCQ to firmware. Since the function can be
unloaded at any time, we need to use a mutex lock to protect the mdev
pointer used in PTP and PPS callbacks. Besides, new one should be
picked from the peer list when the current is not available.

The clock info, which is used by IB, is shared by all the interfaces
using the same hardware clock.

	Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
	Reviewed-by: Carolina Jubran <cjubran@nvidia.com>
	Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
	Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
	Signed-off-by: Paolo Abeni <pabeni@redhat.com>

(cherry picked from commit f538ffb)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

jira LE-4613
Rebuild_History Non-Buildable kernel-6.12.0-55.41.1.el10_0
commit-author Jianbo Liu <jianbol@nvidia.com>
commit 39c1202

As a specific function (mdev) is chosen to send MTPPSE command to
firmware, the event is generated only on that function. When that
function is unloaded, the PPS event can't be forward to PTP device,
even when there are other functions in the group, and PTP device is
not destroyed. To resolve this problem, need to send MTPPSE again from
new function, and dis-arm the event on old function after that.

PPS events are handled by EQ notifier. The async EQs and notifiers are
destroyed in mlx5_eq_table_destroy() which is called before
mlx5_cleanup_clock(). During the period between
mlx5_eq_table_destroy() and mlx5_cleanup_clock(), the events can't be
handled. To avoid event loss, add mlx5_clock_unload() in mlx5_unload()
to arm the event on other available function, and mlx5_clock_load in
mlx5_load() for symmetry.

	Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
	Reviewed-by: Carolina Jubran <cjubran@nvidia.com>
	Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
	Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
	Signed-off-by: Paolo Abeni <pabeni@redhat.com>

(cherry picked from commit 39c1202)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

jira LE-4613
cve CVE-2025-39730
Rebuild_History Non-Buildable kernel-6.12.0-55.41.1.el10_0
commit-author Trond Myklebust <trond.myklebust@hammerspace.com>
commit ef93a68

The function needs to check the minimal filehandle length before it can
access the embedded filehandle.

	Reported-by: zhangjian <zhangjian496@huawei.com>
Fixes: 20fa190 ("nfs: add export operations")
	Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
(cherry picked from commit ef93a68)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

jira LE-4613
Rebuild_History Non-Buildable kernel-6.12.0-55.41.1.el10_0
commit-author Halil Pasic <pasic@linux.ibm.com>
commit 897e860

The s390x ISM device data sheet clearly states that only one
request-response sequence is allowable per ISM function at any point in
time.  Unfortunately as of today the s390/ism driver in Linux does not
honor that requirement. This patch aims to rectify that.

This problem was discovered based on Aliaksei's bug report which states
that for certain workloads the ISM functions end up entering error state
(with PEC 2 as seen from the logs) after a while and as a consequence
connections handled by the respective function break, and for future
connection requests the ISM device is not considered -- given it is in a
dysfunctional state. During further debugging PEC 3A was observed as
well.

A kernel message like
[ 1211.244319] zpci: 061a:00:00.0: Event 0x2 reports an error for PCI function 0x61a
is a reliable indicator of the stated function entering error state
with PEC 2. Let me also point out that a kernel message like
[ 1211.244325] zpci: 061a:00:00.0: The ism driver bound to the device does not support error recovery
is a reliable indicator that the ISM function won't be auto-recovered
because the ISM driver currently lacks support for it.

On a technical level, without this synchronization, commands (inputs to
the FW) may be partially or fully overwritten (corrupted) by another CPU
trying to issue commands on the same function. There is hard evidence that
this can lead to DMB token values being used as DMB IOVAs, leading to
PEC 2 PCI events indicating invalid DMA. But this is only one of the
failure modes imaginable. In theory even completely losing one command
and executing another one twice and then trying to interpret the outputs
as if the command we intended to execute was actually executed and not
the other one is also possible.  Frankly, I don't feel confident about
providing an exhaustive list of possible consequences.

Fixes: 684b89b ("s390/ism: add device driver for internal shared memory")
	Reported-by: Aliaksei Makarau <Aliaksei.Makarau@ibm.com>
	Tested-by: Mahanta Jambigi <mjambigi@linux.ibm.com>
	Tested-by: Aliaksei Makarau <Aliaksei.Makarau@ibm.com>
	Signed-off-by: Halil Pasic <pasic@linux.ibm.com>
	Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
	Signed-off-by: Alexandra Winter <wintera@linux.ibm.com>
	Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250722161817.1298473-1-wintera@linux.ibm.com
	Signed-off-by: Paolo Abeni <pabeni@redhat.com>

(cherry picked from commit 897e860)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

jira LE-4613
cve CVE-2024-56750
Rebuild_History Non-Buildable kernel-6.12.0-55.41.1.el10_0
commit-author Hongzhen Luo <hongzhen@linux.alibaba.com>
commit bae0854

Adjust sb->s_blocksize{,_bits} directly for file-backed
mounts when the fs block size is smaller than PAGE_SIZE.

Previously, EROFS used sb_set_blocksize(), which caused
a panic if bdev-backed mounts is not used.

Fixes: fb17675 ("erofs: add file-backed mount support")
	Signed-off-by: Hongzhen Luo <hongzhen@linux.alibaba.com>
Link: https://lore.kernel.org/r/20241015103836.3757438-1-hongzhen@linux.alibaba.com
	Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
(cherry picked from commit bae0854)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

jira LE-4613
cve CVE-2025-39751
Rebuild_History Non-Buildable kernel-6.12.0-55.41.1.el10_0
commit-author Lucy Thrun <lucy.thrun@digital-rabbithole.de>
commit a409c60

The 'sprintf' call in 'add_tuning_control' may exceed the 44-byte
buffer if either string argument is too long. This triggers a compiler
warning.
Replaced 'sprintf' with 'snprintf' to limit string lengths to prevent
overflow.

	Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202506100642.95jpuMY1-lkp@intel.com/
	Signed-off-by: Lucy Thrun <lucy.thrun@digital-rabbithole.de>
Link: https://patch.msgid.link/20250610175012.918-3-lucy.thrun@digital-rabbithole.de
	Signed-off-by: Takashi Iwai <tiwai@suse.de>
(cherry picked from commit a409c60)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

Rebuild_History BUILDABLE
Rebuilding Kernel from rpm changelog with Fuzz Limit: 87.50%
Number of commits in upstream range v6.12~1..kernel-mainline: 66177
Number of commits in rpm: 23
Number of commits matched with upstream: 20 (86.96%)
Number of commits in upstream but not in rpm: 66157
Number of commits NOT found in upstream: 3 (13.04%)

Rebuilding Kernel on Branch rocky10_0_rebuild_kernel-6.12.0-55.41.1.el10_0 for kernel-6.12.0-55.41.1.el10_0
Clean Cherry Picks: 20 (100.00%)
Empty Cherry Picks: 0 (0.00%)
_______________________________

Full Details Located here:
ciq/ciq_backports/kernel-6.12.0-55.41.1.el10_0/rebuild.details.txt

Includes:
* git commit header above
* Empty Commits with upstream SHA
* RPM ChangeLog Entries that could not be matched

Individual Empty Commit failures contained in the same containing directory.
The git message for empty commits will have the path for the failed commit.
File names are the first 8 characters of the upstream SHA