[rocky10_0] History Rebuild to kernel-6.12.0-55.32.1.el10_0 #588

PlaidCat · 2025-09-23T20:41:19Z

Download all unprocessed src.rpm
for each src,pm
- Find all commits in changelog up to last known tag ... in this case 6.12.0-55
- Re-play commits in reverse order (oldest in change log to newest) with git cherry-pick
- After replay replace ENTIRE code in branch with rpmbuild -bp from corresponding src.rpm.
- Tag Rebuild branch
Use New Local Build with prodman and test (note test results will be different than usual)

Checking Rebuild Commits for potentially missing commits:

kkernel-6.12.0-55.31.1.el10_0

[jmaple@devbox kernel-src-tree]$ cat ciq/ciq_backports/kernel-6.12.0-55.31.1.el10_0/rebuild.details.txt
Rebuild_History BUILDABLE
Rebuilding Kernel from rpm changelog with Fuzz Limit: 87.50%
Number of commits in upstream range v6.12~1..kernel-mainline: 66177
Number of commits in rpm: 22
Number of commits matched with upstream: 18 (81.82%)
Number of commits in upstream but not in rpm: 66159
Number of commits NOT found in upstream: 4 (18.18%)

Rebuilding Kernel on Branch rocky10_0_rebuild_kernel-6.12.0-55.31.1.el10_0 for kernel-6.12.0-55.31.1.el10_0
Clean Cherry Picks: 10 (55.56%)
Empty Cherry Picks: 3 (16.67%)
_______________________________

__EMPTY COMMITS__________________________
00817f0f1c45b007965f5676b9a2013bb39c7228 nvme-ioctl: fix leaked requests on mapping error
eada75467fca0b016b9b22212637c07216135c20 nvme/ioctl: don't warn on vectorized uring_cmd with fixed buffer
021ba7f1babd029e714d13a6bf2571b08af96d0f udmabuf: fix a buf size overflow issue during udmabuf creation

__CHANGES NOT IN UPSTREAM________________
Porting to Rocky Linux 10, debranding and Rocky Linux branding'
Add partial riscv64 support for build root'
Provide basic VisionFive 2 support'
Revert "cxl/acpi: Fix load failures due to single window creation failure"

kernel-6.12.0-55.32.1.el10_0

[jmaple@devbox kernel-src-tree]$ cat ciq/ciq_backports/kernel-6.12.0-55.32.1.el10_0/rebuild.details.txt
Rebuild_History BUILDABLE
Rebuilding Kernel from rpm changelog with Fuzz Limit: 87.50%
Number of commits in upstream range v6.12~1..kernel-mainline: 66177
Number of commits in rpm: 4
Number of commits matched with upstream: 1 (25.00%)
Number of commits in upstream but not in rpm: 66176
Number of commits NOT found in upstream: 3 (75.00%)

Rebuilding Kernel on Branch rocky10_0_rebuild_kernel-6.12.0-55.32.1.el10_0 for kernel-6.12.0-55.32.1.el10_0
Clean Cherry Picks: 1 (100.00%)
Empty Cherry Picks: 0 (0.00%)
_______________________________

__EMPTY COMMITS__________________________

__CHANGES NOT IN UPSTREAM________________
Porting to Rocky Linux 10, debranding and Rocky Linux branding'
Add partial riscv64 support for build root'
Provide basic VisionFive 2 support'

BUILD

[jmaple@devbox code]$ egrep -B 5 -A 5 "\[TIMER\]|^Starting Build" $(ls -t kbuild* | head -n1)
  CLEAN   scripts/mod
  CLEAN   scripts/selinux/genheaders
  CLEAN   scripts/selinux/mdp
  CLEAN   scripts
  CLEAN   include/config include/generated arch/x86/include/generated .config .config.old .version Module.symvers certs/signing_key.pem certs/x509.genkey
[TIMER]{MRPROPER}: 10s
x86_64 architecture detected, copying config
'configs/kernel-x86_64-rhel.config' -> '.config'
Setting Local Version for build
CONFIG_LOCALVERSION="-rocky10_0_rebuild-919393e21315"
Making olddefconfig
--
  HOSTCC  scripts/kconfig/util.o
  HOSTLD  scripts/kconfig/conf
#
# configuration written to .config
#
Starting Build
  GEN     arch/x86/include/generated/asm/orc_hash.h
  WRAP    arch/x86/include/generated/uapi/asm/bpf_perf_event.h
  WRAP    arch/x86/include/generated/uapi/asm/fcntl.h
  WRAP    arch/x86/include/generated/uapi/asm/errno.h
  WRAP    arch/x86/include/generated/uapi/asm/ioctl.h
--
  LD [M]  net/qrtr/qrtr.ko
  BTF [M] net/hsr/hsr.ko
  BTF [M] net/qrtr/qrtr.ko
  LD [M]  net/qrtr/qrtr-mhi.ko
  BTF [M] net/qrtr/qrtr-mhi.ko
[TIMER]{BUILD}: 2072s
Making Modules
  SYMLINK /lib/modules/6.12.0-rocky10_0_rebuild-919393e21315+/build
  INSTALL /lib/modules/6.12.0-rocky10_0_rebuild-919393e21315+/modules.order
  INSTALL /lib/modules/6.12.0-rocky10_0_rebuild-919393e21315+/modules.builtin
  INSTALL /lib/modules/6.12.0-rocky10_0_rebuild-919393e21315+/modules.builtin.modinfo
--
  STRIP   /lib/modules/6.12.0-rocky10_0_rebuild-919393e21315+/kernel/net/qrtr/qrtr-mhi.ko
  SIGN    /lib/modules/6.12.0-rocky10_0_rebuild-919393e21315+/kernel/net/qrtr/qrtr-mhi.ko
  SIGN    /lib/modules/6.12.0-rocky10_0_rebuild-919393e21315+/kernel/net/qrtr/qrtr.ko
  SIGN    /lib/modules/6.12.0-rocky10_0_rebuild-919393e21315+/kernel/net/hsr/hsr.ko
  DEPMOD  /lib/modules/6.12.0-rocky10_0_rebuild-919393e21315+
[TIMER]{MODULES}: 8s
Making Install
  INSTALL /boot
[TIMER]{INSTALL}: 15s
Checking kABI
kABI check passed
Setting Default Kernel to /boot/vmlinuz-6.12.0-rocky10_0_rebuild-919393e21315+ and Index to 2
Hopefully Grub2.0 took everything ... rebooting after time metrices
[TIMER]{MRPROPER}: 10s
[TIMER]{BUILD}: 2072s
[TIMER]{MODULES}: 8s
[TIMER]{INSTALL}: 15s
[TIMER]{TOTAL} 2110s
Rebooting in 10 seconds

KselfTest

[jmaple@devbox code]$ ls -rt kselftest.* | tail -n4 | while read line; do echo $line; grep '^ok ' $line | wc -l ; done
kselftest.6.12.0-jmaple_sig-cloud-10_6.12.0-55.27.1.el10_0-7f919518cf4+.log
498
kselftest.6.12.0-rocky10_0_rebuild-0b50c952cd24+.log
497
kselftest.6.12.0-jmaple_sig-cloud-10_6.12.0-55.30.1.el10_0-cdc6b6f80cf+.log
505
kselftest.6.12.0-rocky10_0_rebuild-919393e21315+.log
528

Notes the number have been all overt the place lately @kerneltoast introduced a new change to show the delta between successes.
In this case SKIP = OK 🤷

[jmaple@devbox code]$ grep ok <(diff -adU0 <(grep ^ok kselftest.6.12.0-rocky10_0_rebuild-0b50c952cd24+.log | sort -h) <(grep ^ok kselftest.6.12.0-rocky10_0_rebuild-919393e21315+.log | sort -h))
+ok 10 selftests: net/netfilter: conntrack_reverse_clash.sh # SKIP
+ok 11 selftests: net/netfilter: ipvs.sh # SKIP
+ok 12 selftests: net/netfilter: nf_conntrack_packetdrill.sh # SKIP
+ok 13 selftests: net/netfilter: nf_nat_edemux.sh # SKIP
+ok 14 selftests: net/netfilter: nft_audit.sh # SKIP
+ok 16 selftests: net/netfilter: nft_conntrack_helper.sh # SKIP
+ok 17 selftests: net/netfilter: nft_fib.sh # SKIP
+ok 19 selftests: net/netfilter: nft_meta.sh # SKIP
+ok 1 selftests: capabilities: test_execve
+ok 1 selftests: livepatch: test-livepatch.sh # SKIP
+ok 20 selftests: net/netfilter: nft_nat.sh # SKIP
+ok 21 selftests: net/netfilter: nft_nat_zones.sh # SKIP
+ok 22 selftests: net/netfilter: nft_queue.sh # SKIP
+ok 24 selftests: net/netfilter: nft_tproxy_tcp.sh # SKIP
+ok 25 selftests: net/netfilter: nft_tproxy_udp.sh # SKIP
+ok 26 selftests: net/netfilter: nft_zones_many.sh # SKIP
+ok 29 selftests: net/netfilter: xt_string.sh # SKIP
+ok 2 selftests: livepatch: test-callbacks.sh # SKIP
+ok 2 selftests: net/netfilter: br_netfilter.sh # SKIP
+ok 2 selftests: seccomp: seccomp_benchmark
+ok 3 selftests: livepatch: test-shadow-vars.sh # SKIP
+ok 3 selftests: memfd: run_hugetlbfs_test.sh # SKIP
+ok 3 selftests: net/netfilter: bridge_brouter.sh # SKIP
+ok 4 selftests: livepatch: test-state.sh # SKIP
+ok 5 selftests: livepatch: test-ftrace.sh # SKIP
+ok 6 selftests: livepatch: test-sysfs.sh # SKIP
+ok 6 selftests: net/netfilter: conntrack_ipip_mtu.sh # SKIP
+ok 7 selftests: livepatch: test-syscall.sh # SKIP
+ok 7 selftests: net/netfilter: conntrack_tcp_unreplied.sh # SKIP
+ok 8 selftests: net/netfilter: conntrack_sctp_collision.sh # SKIP
+ok 9 selftests: net/netfilter: conntrack_vrf.sh # SKIP

jira LE-4192 Rebuild_History Non-Buildable kernel-6.12.0-55.31.1.el10_0 commit-author Keith Busch <kbusch@kernel.org> commit 00817f0 Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-6.12.0-55.31.1.el10_0/00817f0f.failed All the callers assume nvme_map_user_request() frees the request on a failure. This wasn't happening on invalid metadata or io_uring command flags, so we've been leaking those requests. Fixes: 23fd22e ("nvme: wire up fixed buffer support for nvme passthrough") Fixes: 7c2fd76 ("nvme: fix metadata handling in nvme-passthrough") Reviewed-by: Damien Le Moal <dlemoal@kernel.org> Reviewed-by: Kanchan Joshi <joshi.k@samsung.com> Reviewed-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Keith Busch <kbusch@kernel.org> (cherry picked from commit 00817f0) Signed-off-by: Jonathan Maple <jmaple@ciq.com> # Conflicts: # drivers/nvme/host/ioctl.c

jira LE-4192 Rebuild_History Non-Buildable kernel-6.12.0-55.31.1.el10_0 commit-author Caleb Sander Mateos <csander@purestorage.com> commit eada754 Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-6.12.0-55.31.1.el10_0/eada7546.failed The vectorized io_uring NVMe passthru opcodes don't yet support fixed buffers. But since userspace can trigger this condition based on the io_uring SQE parameters, it shouldn't cause a kernel warning. Signed-off-by: Caleb Sander Mateos <csander@purestorage.com> Reviewed-by: Jens Axboe <axboe@kernel.dk> Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com> Reviewed-by: Christoph Hellwig <hch@lst.de> Fixes: 23fd22e ("nvme: wire up fixed buffer support for nvme passthrough") Signed-off-by: Keith Busch <kbusch@kernel.org> (cherry picked from commit eada754) Signed-off-by: Jonathan Maple <jmaple@ciq.com> # Conflicts: # drivers/nvme/host/ioctl.c

jira LE-4192 cve CVE-2025-38449 Rebuild_History Non-Buildable kernel-6.12.0-55.31.1.el10_0 commit-author Thomas Zimmermann <tzimmermann@suse.de> commit 5307dce A GEM handle can be released while the GEM buffer object is attached to a DRM framebuffer. This leads to the release of the dma-buf backing the buffer object, if any. [1] Trying to use the framebuffer in further mode-setting operations leads to a segmentation fault. Most easily happens with driver that use shadow planes for vmap-ing the dma-buf during a page flip. An example is shown below. [ 156.791968] ------------[ cut here ]------------ [ 156.796830] WARNING: CPU: 2 PID: 2255 at drivers/dma-buf/dma-buf.c:1527 dma_buf_vmap+0x224/0x430 [...] [ 156.942028] RIP: 0010:dma_buf_vmap+0x224/0x430 [ 157.043420] Call Trace: [ 157.045898] <TASK> [ 157.048030] ? show_trace_log_lvl+0x1af/0x2c0 [ 157.052436] ? show_trace_log_lvl+0x1af/0x2c0 [ 157.056836] ? show_trace_log_lvl+0x1af/0x2c0 [ 157.061253] ? drm_gem_shmem_vmap+0x74/0x710 [ 157.065567] ? dma_buf_vmap+0x224/0x430 [ 157.069446] ? __warn.cold+0x58/0xe4 [ 157.073061] ? dma_buf_vmap+0x224/0x430 [ 157.077111] ? report_bug+0x1dd/0x390 [ 157.080842] ? handle_bug+0x5e/0xa0 [ 157.084389] ? exc_invalid_op+0x14/0x50 [ 157.088291] ? asm_exc_invalid_op+0x16/0x20 [ 157.092548] ? dma_buf_vmap+0x224/0x430 [ 157.096663] ? dma_resv_get_singleton+0x6d/0x230 [ 157.101341] ? __pfx_dma_buf_vmap+0x10/0x10 [ 157.105588] ? __pfx_dma_resv_get_singleton+0x10/0x10 [ 157.110697] drm_gem_shmem_vmap+0x74/0x710 [ 157.114866] drm_gem_vmap+0xa9/0x1b0 [ 157.118763] drm_gem_vmap_unlocked+0x46/0xa0 [ 157.123086] drm_gem_fb_vmap+0xab/0x300 [ 157.126979] drm_atomic_helper_prepare_planes.part.0+0x487/0xb10 [ 157.133032] ? lockdep_init_map_type+0x19d/0x880 [ 157.137701] drm_atomic_helper_commit+0x13d/0x2e0 [ 157.142671] ? drm_atomic_nonblocking_commit+0xa0/0x180 [ 157.147988] drm_mode_atomic_ioctl+0x766/0xe40 [...] [ 157.346424] ---[ end trace 0000000000000000 ]--- Acquiring GEM handles for the framebuffer's GEM buffer objects prevents this from happening. The framebuffer's cleanup later puts the handle references. Commit 1a148af ("drm/gem-shmem: Use dma_buf from GEM object instance") triggers the segmentation fault easily by using the dma-buf field more widely. The underlying issue with reference counting has been present before. v2: - acquire the handle instead of the BO (Christian) - fix comment style (Christian) - drop the Fixes tag (Christian) - rename err_ gotos - add missing Link tag Suggested-by: Christian König <christian.koenig@amd.com> Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de> Link: https://elixir.bootlin.com/linux/v6.15/source/drivers/gpu/drm/drm_gem.c#L241 # [1] Cc: Thomas Zimmermann <tzimmermann@suse.de> Cc: Anusha Srivatsa <asrivats@redhat.com> Cc: Christian König <christian.koenig@amd.com> Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com> Cc: Maxime Ripard <mripard@kernel.org> Cc: Sumit Semwal <sumit.semwal@linaro.org> Cc: "Christian König" <christian.koenig@amd.com> Cc: linux-media@vger.kernel.org Cc: dri-devel@lists.freedesktop.org Cc: linaro-mm-sig@lists.linaro.org Cc: <stable@vger.kernel.org> Reviewed-by: Christian König <christian.koenig@amd.com> Link: https://lore.kernel.org/r/20250630084001.293053-1-tzimmermann@suse.de (cherry picked from commit 5307dce) Signed-off-by: Jonathan Maple <jmaple@ciq.com>

jira LE-4192 cve CVE-2025-38449 Rebuild_History Non-Buildable kernel-6.12.0-55.31.1.el10_0 commit-author Thomas Zimmermann <tzimmermann@suse.de> commit f6bfc9a Acquire GEM handles in drm_framebuffer_init() and release them in the corresponding drm_framebuffer_cleanup(). Ties the handle's lifetime to the framebuffer. Not all GEM buffer objects have GEM handles. If not set, no refcounting takes place. This is the case for some fbdev emulation. This is not a problem as these GEM objects do not use dma-bufs and drivers will not release them while fbdev emulation is running. Framebuffer flags keep a bit per color plane of which the framebuffer holds a GEM handle reference. As all drivers use drm_framebuffer_init(), they will now all hold dma-buf references as fixed in commit 5307dce ("drm/gem: Acquire references on GEM handles for framebuffers"). In the GEM framebuffer helpers, restore the original ref counting on buffer objects. As the helpers for handle refcounting are now no longer called from outside the DRM core, unexport the symbols. v3: - don't mix internal flags with mode flags (Christian) v2: - track framebuffer handle refs by flag - drop gma500 cleanup (Christian) Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de> Fixes: 5307dce ("drm/gem: Acquire references on GEM handles for framebuffers") Reported-by: Bert Karwatzki <spasswolf@web.de> Closes: https://lore.kernel.org/dri-devel/20250703115915.3096-1-spasswolf@web.de/ Tested-by: Bert Karwatzki <spasswolf@web.de> Tested-by: Mario Limonciello <superm1@kernel.org> Tested-by: Borislav Petkov (AMD) <bp@alien8.de> Cc: Thomas Zimmermann <tzimmermann@suse.de> Cc: Anusha Srivatsa <asrivats@redhat.com> Cc: Christian König <christian.koenig@amd.com> Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com> Cc: Maxime Ripard <mripard@kernel.org> Cc: Sumit Semwal <sumit.semwal@linaro.org> Cc: "Christian König" <christian.koenig@amd.com> Cc: linux-media@vger.kernel.org Cc: dri-devel@lists.freedesktop.org Cc: linaro-mm-sig@lists.linaro.org Cc: <stable@vger.kernel.org> Reviewed-by: Christian König <christian.koenig@amd.com> Link: https://lore.kernel.org/r/20250707131224.249496-1-tzimmermann@suse.de (cherry picked from commit f6bfc9a) Signed-off-by: Jonathan Maple <jmaple@ciq.com>

jira LE-4192 cve CVE-2025-37803 Rebuild_History Non-Buildable kernel-6.12.0-55.31.1.el10_0 commit-author Xiaogang Chen <xiaogang.chen@amd.com> commit 021ba7f Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-6.12.0-55.31.1.el10_0/021ba7f1.failed by casting size_limit_mb to u64 when calculate pglimit. Signed-off-by: Xiaogang Chen<Xiaogang.Chen@amd.com> Link: https://patchwork.freedesktop.org/patch/msgid/20250321164126.329638-1-xiaogang.chen@amd.com Signed-off-by: Christian König <christian.koenig@amd.com> (cherry picked from commit 021ba7f) Signed-off-by: Jonathan Maple <jmaple@ciq.com> # Conflicts: # drivers/dma-buf/udmabuf.c

jira LE-4192 cve CVE-2025-22097 Rebuild_History Non-Buildable kernel-6.12.0-55.31.1.el10_0 commit-author José Expósito <jose.exposito89@gmail.com> commit ed15511 If the driver initialization fails, the vkms_exit() function might access an uninitialized or freed default_config pointer and it might double free it. Fix both possible errors by initializing default_config only when the driver initialization succeeded. Reported-by: Louis Chauvet <louis.chauvet@bootlin.com> Closes: https://lore.kernel.org/all/Z5uDHcCmAwiTsGte@louis-chauvet-laptop/ Fixes: 2df7af9 ("drm/vkms: Add vkms_config type") Signed-off-by: José Expósito <jose.exposito89@gmail.com> Reviewed-by: Thomas Zimmermann <tzimmremann@suse.de> Reviewed-by: Louis Chauvet <louis.chauvet@bootlin.com> Link: https://patchwork.freedesktop.org/patch/msgid/20250212084912.3196-1-jose.exposito89@gmail.com Signed-off-by: Louis Chauvet <louis.chauvet@bootlin.com> (cherry picked from commit ed15511) Signed-off-by: Jonathan Maple <jmaple@ciq.com>

jira LE-4192 cve CVE-2025-38107 Rebuild_History Non-Buildable kernel-6.12.0-55.31.1.el10_0 commit-author Eric Dumazet <edumazet@google.com> commit d92adac Gerrard Tai reported a race condition in ETS, whenever SFQ perturb timer fires at the wrong time. The race is as follows: CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root | | [5]: lock root | [6]: rehash | [7]: qdisc_tree_reduce_backlog() | [4]: qdisc_put() This can be abused to underflow a parent's qlen. Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock. Fixes: b05972f ("net: sched: tbf: don't call qdisc_put() while holding tree lock") Reported-by: Gerrard Tai <gerrard.tai@starlabs.sg> Suggested-by: Gerrard Tai <gerrard.tai@starlabs.sg> Signed-off-by: Eric Dumazet <edumazet@google.com> Link: https://patch.msgid.link/20250611111515.1983366-5-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> (cherry picked from commit d92adac) Signed-off-by: Jonathan Maple <jmaple@ciq.com>

jira LE-4192 cve CVE-2025-38350 Rebuild_History Non-Buildable kernel-6.12.0-55.31.1.el10_0 commit-author Lion Ackermann <nnamrec@gmail.com> commit 103406b Certain classful qdiscs may invoke their classes' dequeue handler on an enqueue operation. This may unexpectedly empty the child qdisc and thus make an in-flight class passive via qlen_notify(). Most qdiscs do not expect such behaviour at this point in time and may re-activate the class eventually anyways which will lead to a use-after-free. The referenced fix commit attempted to fix this behavior for the HFSC case by moving the backlog accounting around, though this turned out to be incomplete since the parent's parent may run into the issue too. The following reproducer demonstrates this use-after-free: tc qdisc add dev lo root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo parent 1: classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1 tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0 tc qdisc add dev lo parent 2:1 handle 3: netem tc qdisc add dev lo parent 3:1 handle 4: blackhole echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 tc class delete dev lo classid 1:1 echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 Since backlog accounting issues leading to a use-after-frees on stale class pointers is a recurring pattern at this point, this patch takes a different approach. Instead of trying to fix the accounting, the patch ensures that qdisc_tree_reduce_backlog always calls qlen_notify when the child qdisc is empty. This solves the problem because deletion of qdiscs always involves a call to qdisc_reset() and / or qdisc_purge_queue() which ultimately resets its qlen to 0 thus causing the following qdisc_tree_reduce_backlog() to report to the parent. Note that this may call qlen_notify on passive classes multiple times. This is not a problem after the recent patch series that made all the classful qdiscs qlen_notify() handlers idempotent. Fixes: 3f98113 ("sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()") Signed-off-by: Lion Ackermann <nnamrec@gmail.com> Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com> Acked-by: Cong Wang <xiyou.wangcong@gmail.com> Acked-by: Jamal Hadi Salim <jhs@mojatatu.com> Link: https://patch.msgid.link/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> (cherry picked from commit 103406b) Signed-off-by: Jonathan Maple <jmaple@ciq.com>

jira LE-4192 cve CVE-2025-38350 Rebuild_History Non-Buildable kernel-6.12.0-55.31.1.el10_0 commit-author Davide Caratti <dcaratti@redhat.com> commit 87c6efc Shuang reported sch_ets test-case [1] crashing in ets_class_qlen_notify() after recent changes from Lion [2]. The problem is: in ets_qdisc_change() we purge unused DWRR queues; the value of 'q->nbands' is the new one, and the cleanup should be done with the old one. The problem is here since my first attempts to fix ets_qdisc_change(), but it surfaced again after the recent qdisc len accounting fixes. Fix it purging idle DWRR queues before assigning a new value of 'q->nbands', so that all purge operations find a consistent configuration: - old 'q->nbands' because it's needed by ets_class_find() - old 'q->nstrict' because it's needed by ets_class_is_strict() BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 62 UID: 0 PID: 39457 Comm: tc Kdump: loaded Not tainted 6.12.0-116.el10.x86_64 #1 PREEMPT(voluntary) Hardware name: Dell Inc. PowerEdge R640/06DKY5, BIOS 2.12.2 07/09/2021 RIP: 0010:__list_del_entry_valid_or_report+0x4/0x80 Code: ff 4c 39 c7 0f 84 39 19 8e ff b8 01 00 00 00 c3 cc cc cc cc 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa <48> 8b 17 48 8b 4f 08 48 85 d2 0f 84 56 19 8e ff 48 85 c9 0f 84 ab RSP: 0018:ffffba186009f400 EFLAGS: 00010202 RAX: 00000000000000d6 RBX: 0000000000000000 RCX: 0000000000000004 RDX: ffff9f0fa29b69c0 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffffffc12c2400 R08: 0000000000000008 R09: 0000000000000004 R10: ffffffffffffffff R11: 0000000000000004 R12: 0000000000000000 R13: ffff9f0f8cfe0000 R14: 0000000000100005 R15: 0000000000000000 FS: 00007f2154f37480(0000) GS:ffff9f269c1c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000001530be001 CR4: 00000000007726f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> ets_class_qlen_notify+0x65/0x90 [sch_ets] qdisc_tree_reduce_backlog+0x74/0x110 ets_qdisc_change+0x630/0xa40 [sch_ets] __tc_modify_qdisc.constprop.0+0x216/0x7f0 tc_modify_qdisc+0x7c/0x120 rtnetlink_rcv_msg+0x145/0x3f0 netlink_rcv_skb+0x53/0x100 netlink_unicast+0x245/0x390 netlink_sendmsg+0x21b/0x470 ____sys_sendmsg+0x39d/0x3d0 ___sys_sendmsg+0x9a/0xe0 __sys_sendmsg+0x7a/0xd0 do_syscall_64+0x7d/0x160 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f2155114084 Code: 89 02 b8 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 80 3d 25 f0 0c 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89 RSP: 002b:00007fff1fd7a988 EFLAGS: 00000202 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000560ec063e5e0 RCX: 00007f2155114084 RDX: 0000000000000000 RSI: 00007fff1fd7a9f0 RDI: 0000000000000003 RBP: 00007fff1fd7aa60 R08: 0000000000000010 R09: 000000000000003f R10: 0000560ee9b3a010 R11: 0000000000000202 R12: 00007fff1fd7aae0 R13: 000000006891ccde R14: 0000560ec063e5e0 R15: 00007fff1fd7aad0 </TASK> [1] https://lore.kernel.org/netdev/e08c7f4a6882f260011909a868311c6e9b54f3e4.1639153474.git.dcaratti@redhat.com/ [2] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/ Cc: stable@vger.kernel.org Fixes: 103406b ("net/sched: Always pass notifications when child class becomes empty") Fixes: c062f2a ("net/sched: sch_ets: don't remove idle classes from the round-robin list") Fixes: dcc68b4 ("net: sch_ets: Add a new Qdisc") Reported-by: Li Shuang <shuali@redhat.com> Closes: https://issues.redhat.com/browse/RHEL-108026 Reviewed-by: Petr Machata <petrm@nvidia.com> Co-developed-by: Ivan Vecera <ivecera@redhat.com> Signed-off-by: Ivan Vecera <ivecera@redhat.com> Signed-off-by: Davide Caratti <dcaratti@redhat.com> Link: https://patch.msgid.link/7928ff6d17db47a2ae7cc205c44777b1f1950545.1755016081.git.dcaratti@redhat.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> (cherry picked from commit 87c6efc) Signed-off-by: Jonathan Maple <jmaple@ciq.com>

jira LE-4192 Rebuild_History Non-Buildable kernel-6.12.0-55.31.1.el10_0 commit-author Huang Shijie <shijie@os.amperecomputing.com> commit 4423af8 When PLACE_LAG is enabled, from the relationship: vl_i = (W + w_i)*vl'_i / W we know that if vl'_i(se->vlag) is zero, the vl_i is zero too. So if se->vlag is zero, there is no need to waste cycles to do the calculation. Signed-off-by: Huang Shijie <shijie@os.amperecomputing.com> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Reviewed-by: Christoph Lameter (Ampere) <cl@linux.com> Link: https://lkml.kernel.org/r/20241001070021.10626-1-shijie@os.amperecomputing.com (cherry picked from commit 4423af8) Signed-off-by: Jonathan Maple <jmaple@ciq.com>

jira LE-4192 Rebuild_History Non-Buildable kernel-6.12.0-55.31.1.el10_0 commit-author Peter Zijlstra <peterz@infradead.org> commit 6d71a9c I noticed this in my traces today: turbostat-1222 [006] d..2. 311.935649: reweight_entity: (ffff888108f13e00-ffff88885ef38440-6) { weight: 1048576 avg_vruntime: 3184159639071 vruntime: 3184159640194 (-1123) deadline: 3184162621107 } -> { weight: 2 avg_vruntime: 3184177463330 vruntime: 3184748414495 (-570951165) deadline: 4747605329439 } turbostat-1222 [006] d..2. 311.935651: reweight_entity: (ffff888108f13e00-ffff88885ef38440-6) { weight: 2 avg_vruntime: 3184177463330 vruntime: 3184748414495 (-570951165) deadline: 4747605329439 } -> { weight: 1048576 avg_vruntime: 3184176414812 vruntime: 3184177464419 (-1049607) deadline: 3184180445332 } Which is a weight transition: 1048576 -> 2 -> 1048576. One would expect the lag to shoot out *AND* come back, notably: -1123*1048576/2 = -588775424 -588775424*2/1048576 = -1123 Except the trace shows it is all off. Worse, subsequent cycles shoot it out further and further. This made me have a very hard look at reweight_entity(), and specifically the ->on_rq case, which is more prominent with DELAY_DEQUEUE. And indeed, it is all sorts of broken. While the computation of the new lag is correct, the computation for the new vruntime, using the new lag is broken for it does not consider the logic set out in place_entity(). With the below patch, I now see things like: migration/12-55 [012] d..3. 309.006650: reweight_entity: (ffff8881e0e6f600-ffff88885f235f40-12) { weight: 977582 avg_vruntime: 4860513347366 vruntime: 4860513347908 (-542) deadline: 4860516552475 } -> { weight: 2 avg_vruntime: 4860528915984 vruntime: 4860793840706 (-264924722) deadline: 6427157349203 } migration/14-62 [014] d..3. 309.006698: reweight_entity: (ffff8881e0e6cc00-ffff88885f3b5f40-15) { weight: 2 avg_vruntime: 4874472992283 vruntime: 4939833828823 (-65360836540) deadline: 6316614641111 } -> { weight: 967149 avg_vruntime: 4874217684324 vruntime: 4874217688559 (-4235) deadline: 4874220535650 } Which isn't perfect yet, but much closer. Reported-by: Doug Smythies <dsmythies@telus.net> Reported-by: Ingo Molnar <mingo@kernel.org> Tested-by: Ingo Molnar <mingo@kernel.org> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Signed-off-by: Ingo Molnar <mingo@kernel.org> Fixes: eab03c2 ("sched/eevdf: Fix vruntime adjustment on reweight") Link: https://lore.kernel.org/r/20250109105959.GA2981@noisy.programming.kicks-ass.net (cherry picked from commit 6d71a9c) Signed-off-by: Jonathan Maple <jmaple@ciq.com>

jira LE-4192 Rebuild_History Non-Buildable kernel-6.12.0-55.31.1.el10_0 commit-author Peter Zijlstra <peterz@infradead.org> commit 66951e4 Normally dequeue_entities() will continue to dequeue an empty group entity; except DELAY_DEQUEUE changes things -- it retains empty entities such that they might continue to compete and burn off some lag. However, doing this results in update_cfs_group() re-computing the cgroup weight 'slice' for an empty group, which it (rightly) figures isn't much at all. This in turn means that the delayed entity is not competing at the expected weight. Worse, the very low weight causes its lag to be inflated, which combined with avg_vruntime() using scale_load_down(), leads to artifacts. As such, don't adjust the weight for empty group entities and let them compete at their original weight. Fixes: 152e11f ("sched/fair: Implement delayed dequeue") Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Link: https://lkml.kernel.org/r/20250110115720.GA17405@noisy.programming.kicks-ass.net (cherry picked from commit 66951e4) Signed-off-by: Jonathan Maple <jmaple@ciq.com>

jira LE-4192 Rebuild_History Non-Buildable kernel-6.12.0-55.31.1.el10_0 commit-author Peter Zijlstra <peterz@infradead.org> commit c70fc32 Mike reports that commit 6d71a9c ("sched/fair: Fix EEVDF entity placement bug causing scheduling lag") relies on commit 4423af8 ("sched/fair: optimize the PLACE_LAG when se->vlag is zero") to not trip a WARN in place_entity(). What happens is that the lag of the very last entity is 0 per definition -- the average of one element matches the value of that element. Therefore place_entity() will match the condition skipping the lag adjustment: if (sched_feat(PLACE_LAG) && cfs_rq->nr_queued && se->vlag) { Without the 'se->vlag' condition -- it will attempt to adjust the zero lag even though we're inserting into an empty tree. Notably, we should have failed the 'cfs_rq->nr_queued' condition, but don't because they didn't get updated. Additionally, move update_load_add() after placement() as is consistent with other place_entity() users -- this change is non-functional, place_entity() does not use cfs_rq->load. Fixes: 6d71a9c ("sched/fair: Fix EEVDF entity placement bug causing scheduling lag") Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Reported-by: Mike Galbraith <efault@gmx.de> Signed-off-by: "Peter Zijlstra (Intel)" <peterz@infradead.org> Signed-off-by: Mike Galbraith <efault@gmx.de> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/c216eb4ef0e0e0029c600aefc69d56681cee5581.camel@gmx.de (cherry picked from commit c70fc32) Signed-off-by: Jonathan Maple <jmaple@ciq.com>

Rebuild_History BUILDABLE Rebuilding Kernel from rpm changelog with Fuzz Limit: 87.50% Number of commits in upstream range v6.12~1..kernel-mainline: 66177 Number of commits in rpm: 22 Number of commits matched with upstream: 18 (81.82%) Number of commits in upstream but not in rpm: 66159 Number of commits NOT found in upstream: 4 (18.18%) Rebuilding Kernel on Branch rocky10_0_rebuild_kernel-6.12.0-55.31.1.el10_0 for kernel-6.12.0-55.31.1.el10_0 Clean Cherry Picks: 10 (55.56%) Empty Cherry Picks: 3 (16.67%) _______________________________ Full Details Located here: ciq/ciq_backports/kernel-6.12.0-55.31.1.el10_0/rebuild.details.txt Includes: * git commit header above * Empty Commits with upstream SHA * RPM ChangeLog Entries that could not be matched Individual Empty Commit failures contained in the same containing directory. The git message for empty commits will have the path for the failed commit. File names are the first 8 characters of the upstream SHA

…x_cpu_timer_del() jira LE-4192 cve CVE-2025-38352 Rebuild_History Non-Buildable kernel-6.12.0-55.32.1.el10_0 commit-author Oleg Nesterov <oleg@redhat.com> commit f90fff1 If an exiting non-autoreaping task has already passed exit_notify() and calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent or debugger right after unlock_task_sighand(). If a concurrent posix_cpu_timer_del() runs at that moment, it won't be able to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or lock_task_sighand() will fail. Add the tsk->exit_state check into run_posix_cpu_timers() to fix this. This fix is not needed if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, because exit_task_work() is called before exit_notify(). But the check still makes sense, task_work_add(&tsk->posix_cputimers_work.work) will fail anyway in this case. Cc: stable@vger.kernel.org Reported-by: Benoît Sevens <bsevens@google.com> Fixes: 0bdd2ed ("sched: run_posix_cpu_timers: Don't check ->exit_state, use lock_task_sighand()") Signed-off-by: Oleg Nesterov <oleg@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> (cherry picked from commit f90fff1) Signed-off-by: Jonathan Maple <jmaple@ciq.com>

Rebuild_History BUILDABLE Rebuilding Kernel from rpm changelog with Fuzz Limit: 87.50% Number of commits in upstream range v6.12~1..kernel-mainline: 66177 Number of commits in rpm: 4 Number of commits matched with upstream: 1 (25.00%) Number of commits in upstream but not in rpm: 66176 Number of commits NOT found in upstream: 3 (75.00%) Rebuilding Kernel on Branch rocky10_0_rebuild_kernel-6.12.0-55.32.1.el10_0 for kernel-6.12.0-55.32.1.el10_0 Clean Cherry Picks: 1 (100.00%) Empty Cherry Picks: 0 (0.00%) _______________________________ Full Details Located here: ciq/ciq_backports/kernel-6.12.0-55.32.1.el10_0/rebuild.details.txt Includes: * git commit header above * Empty Commits with upstream SHA * RPM ChangeLog Entries that could not be matched Individual Empty Commit failures contained in the same containing directory. The git message for empty commits will have the path for the failed commit. File names are the first 8 characters of the upstream SHA

bmastbergen

🥌

jdieter

LGTM

PlaidCat added 16 commits September 22, 2025 08:31

PlaidCat requested review from jdieter, kerneltoast, bmastbergen, thefossguy-ciq and shreeya-patel98 September 23, 2025 20:41

PlaidCat self-assigned this Sep 23, 2025

bmastbergen approved these changes Sep 23, 2025

View reviewed changes

jdieter approved these changes Sep 24, 2025

View reviewed changes

PlaidCat merged commit 919393e into rocky10_0 Sep 24, 2025
4 of 5 checks passed

PlaidCat deleted the rocky10_0_rebuild branch September 24, 2025 15:10

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[rocky10_0] History Rebuild to kernel-6.12.0-55.32.1.el10_0 #588

[rocky10_0] History Rebuild to kernel-6.12.0-55.32.1.el10_0 #588

Uh oh!

PlaidCat commented Sep 23, 2025

Uh oh!

bmastbergen left a comment

Uh oh!

jdieter left a comment

Uh oh!

Uh oh!

Uh oh!

[rocky10_0] History Rebuild to kernel-6.12.0-55.32.1.el10_0 #588

[rocky10_0] History Rebuild to kernel-6.12.0-55.32.1.el10_0 #588

Uh oh!

Conversation

PlaidCat commented Sep 23, 2025

Checking Rebuild Commits for potentially missing commits:

kkernel-6.12.0-55.31.1.el10_0

kernel-6.12.0-55.32.1.el10_0

BUILD

KselfTest

Uh oh!

bmastbergen left a comment

Choose a reason for hiding this comment

Uh oh!

jdieter left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!