From 7e878ba50089034208290102aa3aa37cd736de70 Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Tue, 27 Aug 2024 11:28:15 -0600 Subject: [PATCH] kernel-6.11.0-0.rc5.20240827git3e9bff3bbe13.44 * Tue Aug 27 2024 Fedora Kernel Team [6.11.0-0.rc5.3e9bff3bbe13.44] - Linux v6.11.0-0.rc5.3e9bff3bbe13 Resolves: RHEL-49398 Signed-off-by: Justin M. Forbes --- Makefile.rhelver | 2 +- Patchlist.changelog | 16 ++- kernel-aarch64-64k-debug-rhel.config | 5 +- kernel-aarch64-64k-rhel.config | 5 +- kernel-aarch64-debug-rhel.config | 5 +- kernel-aarch64-rhel.config | 5 +- kernel-aarch64-rt-debug-rhel.config | 5 +- kernel-aarch64-rt-rhel.config | 5 +- kernel-ppc64le-debug-rhel.config | 5 +- kernel-ppc64le-rhel.config | 5 +- kernel-s390x-debug-rhel.config | 5 +- kernel-s390x-rhel.config | 5 +- kernel-s390x-zfcpdump-rhel.config | 1 - kernel-x86_64-debug-rhel.config | 5 +- kernel-x86_64-rhel.config | 5 +- kernel-x86_64-rt-debug-rhel.config | 5 +- kernel-x86_64-rt-rhel.config | 5 +- kernel.changelog | 15 +- kernel.spec | 18 ++- patch-6.11-redhat.patch | 199 ++++++++++++++++++++------- sources | 6 +- 21 files changed, 221 insertions(+), 106 deletions(-) diff --git a/Makefile.rhelver b/Makefile.rhelver index 8ceb9d970..e266cc0cd 100644 --- a/Makefile.rhelver +++ b/Makefile.rhelver @@ -12,7 +12,7 @@ RHEL_MINOR = 99 # # Use this spot to avoid future merge conflicts. # Do not trim this comment. -RHEL_RELEASE = 43 +RHEL_RELEASE = 44 # # RHEL_REBASE_NUM diff --git a/Patchlist.changelog b/Patchlist.changelog index d1b85c3c6..e8c0861c0 100644 --- a/Patchlist.changelog +++ b/Patchlist.changelog 
@@ -1,9 +1,21 @@ -https://gitlab.com/cki-project/kernel-ark/-/commit/f0422a4f19781da4d37e9d95c8df8eae5db72d0c - f0422a4f19781da4d37e9d95c8df8eae5db72d0c Revert "pidfd: prevent creation of pidfds for kthreads" +https://gitlab.com/cki-project/kernel-ark/-/commit/b0c8e7622950ce4bd430980be9a93e56bda43672 + b0c8e7622950ce4bd430980be9a93e56bda43672 crypto: akcipher - Disable signing and decryption + +https://gitlab.com/cki-project/kernel-ark/-/commit/a09122a7a65c8e9f1a0982f6a9c768bf040f6df9 + a09122a7a65c8e9f1a0982f6a9c768bf040f6df9 crypto: dh - implement FIPS PCT + +https://gitlab.com/cki-project/kernel-ark/-/commit/a9c9a82dfe33e40861d7d0a13ae9fe50a5b49c12 + a9c9a82dfe33e40861d7d0a13ae9fe50a5b49c12 crypto: ecdh - disallow plain "ecdh" usage in FIPS mode + +https://gitlab.com/cki-project/kernel-ark/-/commit/135f5f0257aaf5fc358eb35665b88f78cfa9882d + 135f5f0257aaf5fc358eb35665b88f78cfa9882d crypto: seqiv - flag instantiations as FIPS compliant https://gitlab.com/cki-project/kernel-ark/-/commit/6425c2e128af3870617dd29da8110e7fa17b9ba9 6425c2e128af3870617dd29da8110e7fa17b9ba9 not upstream: Disable vdso getrandom when FIPS is enabled +https://gitlab.com/cki-project/kernel-ark/-/commit/ecb1311a2f2e5baf8cd394850d03d33e18c8ba41 + ecb1311a2f2e5baf8cd394850d03d33e18c8ba41 [kernel] bpf: set default value for bpf_jit_harden + https://gitlab.com/cki-project/kernel-ark/-/commit/6ae23a2899f457adcbd4e081dec7a49a62b5ec87 6ae23a2899f457adcbd4e081dec7a49a62b5ec87 Add support to rh_waived cmdline boot parameter diff --git a/kernel-aarch64-64k-debug-rhel.config b/kernel-aarch64-64k-debug-rhel.config index 5dffdd762..e7c30e7eb 100644 --- a/kernel-aarch64-64k-debug-rhel.config +++ b/kernel-aarch64-64k-debug-rhel.config @@ -2132,7 +2132,7 @@ CONFIG_FRONTSWAP=y CONFIG_FSCACHE_STATS=y CONFIG_FSCACHE=y CONFIG_FS_DAX=y -# CONFIG_FS_ENCRYPTION is not set +CONFIG_FS_ENCRYPTION=y # CONFIG_FSI is not set # CONFIG_FSL_BMAN_TEST is not set CONFIG_FSL_DPAA2_ETH_DCB=y 
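Review bot: The flip of `CONFIG_FS_ENCRYPTION` from unset to `=y` in this hunk has no matching entry in the changelog shown on this page, which lists only the PF_KEY config change. The same flip repeats in every other `*-rhel.config` section of this commit except `kernel-s390x-zfcpdump-rhel.config`. Because it builds fscrypt support into every RHEL variant, the changelog should carry its own line, for example `- redhat: configs: enable CONFIG_FS_ENCRYPTION in RHEL`, together with its tracking ticket. No companion option such as `CONFIG_FS_ENCRYPTION_INLINE_CRYPT` is visible in these hunks, so it is worth confirming that its value was chosen deliberately.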
@@ -4282,8 +4282,7 @@ CONFIG_NET_IPGRE_DEMUX=m CONFIG_NET_IPGRE=m CONFIG_NET_IPIP=m CONFIG_NET_IPVTI=m -CONFIG_NET_KEY=m -CONFIG_NET_KEY_MIGRATE=y +# CONFIG_NET_KEY is not set # CONFIG_NETKIT is not set CONFIG_NET_L3_MASTER_DEV=y CONFIG_NETLABEL=y diff --git a/kernel-aarch64-64k-rhel.config b/kernel-aarch64-64k-rhel.config index 407718e76..e3d9adab2 100644 --- a/kernel-aarch64-64k-rhel.config +++ b/kernel-aarch64-64k-rhel.config @@ -2116,7 +2116,7 @@ CONFIG_FRONTSWAP=y CONFIG_FSCACHE_STATS=y CONFIG_FSCACHE=y CONFIG_FS_DAX=y -# CONFIG_FS_ENCRYPTION is not set +CONFIG_FS_ENCRYPTION=y # CONFIG_FSI is not set # CONFIG_FSL_BMAN_TEST is not set CONFIG_FSL_DPAA2_ETH_DCB=y @@ -4261,8 +4261,7 @@ CONFIG_NET_IPGRE_DEMUX=m CONFIG_NET_IPGRE=m CONFIG_NET_IPIP=m CONFIG_NET_IPVTI=m -CONFIG_NET_KEY=m -CONFIG_NET_KEY_MIGRATE=y +# CONFIG_NET_KEY is not set # CONFIG_NETKIT is not set CONFIG_NET_L3_MASTER_DEV=y CONFIG_NETLABEL=y diff --git a/kernel-aarch64-debug-rhel.config b/kernel-aarch64-debug-rhel.config index 7ad1024ef..a5c83268c 100644 --- a/kernel-aarch64-debug-rhel.config +++ b/kernel-aarch64-debug-rhel.config @@ -2129,7 +2129,7 @@ CONFIG_FRONTSWAP=y CONFIG_FSCACHE_STATS=y CONFIG_FSCACHE=y CONFIG_FS_DAX=y -# CONFIG_FS_ENCRYPTION is not set +CONFIG_FS_ENCRYPTION=y # CONFIG_FSI is not set # CONFIG_FSL_BMAN_TEST is not set CONFIG_FSL_DPAA2_ETH_DCB=y @@ -4279,8 +4279,7 @@ CONFIG_NET_IPGRE_DEMUX=m CONFIG_NET_IPGRE=m CONFIG_NET_IPIP=m CONFIG_NET_IPVTI=m -CONFIG_NET_KEY=m -CONFIG_NET_KEY_MIGRATE=y +# CONFIG_NET_KEY is not set # CONFIG_NETKIT is not set CONFIG_NET_L3_MASTER_DEV=y CONFIG_NETLABEL=y diff --git a/kernel-aarch64-rhel.config b/kernel-aarch64-rhel.config index a26b31403..cb33a6578 100644 --- a/kernel-aarch64-rhel.config +++ b/kernel-aarch64-rhel.config 
@@ -2113,7 +2113,7 @@ CONFIG_FRONTSWAP=y CONFIG_FSCACHE_STATS=y CONFIG_FSCACHE=y CONFIG_FS_DAX=y -# CONFIG_FS_ENCRYPTION is not set +CONFIG_FS_ENCRYPTION=y # CONFIG_FSI is not set # CONFIG_FSL_BMAN_TEST is not set CONFIG_FSL_DPAA2_ETH_DCB=y @@ -4258,8 +4258,7 @@ CONFIG_NET_IPGRE_DEMUX=m CONFIG_NET_IPGRE=m CONFIG_NET_IPIP=m CONFIG_NET_IPVTI=m -CONFIG_NET_KEY=m -CONFIG_NET_KEY_MIGRATE=y +# CONFIG_NET_KEY is not set # CONFIG_NETKIT is not set CONFIG_NET_L3_MASTER_DEV=y CONFIG_NETLABEL=y diff --git a/kernel-aarch64-rt-debug-rhel.config b/kernel-aarch64-rt-debug-rhel.config index 2c2f7a9ea..4765f7809 100644 --- a/kernel-aarch64-rt-debug-rhel.config +++ b/kernel-aarch64-rt-debug-rhel.config @@ -2167,7 +2167,7 @@ CONFIG_FRONTSWAP=y CONFIG_FSCACHE_STATS=y CONFIG_FSCACHE=y CONFIG_FS_DAX=y -# CONFIG_FS_ENCRYPTION is not set +CONFIG_FS_ENCRYPTION=y # CONFIG_FSI is not set # CONFIG_FSL_BMAN_TEST is not set CONFIG_FSL_DPAA2_ETH_DCB=y @@ -4319,8 +4319,7 @@ CONFIG_NET_IPGRE_DEMUX=m CONFIG_NET_IPGRE=m CONFIG_NET_IPIP=m CONFIG_NET_IPVTI=m -CONFIG_NET_KEY=m -CONFIG_NET_KEY_MIGRATE=y +# CONFIG_NET_KEY is not set # CONFIG_NETKIT is not set CONFIG_NET_L3_MASTER_DEV=y CONFIG_NETLABEL=y diff --git a/kernel-aarch64-rt-rhel.config b/kernel-aarch64-rt-rhel.config index a55089b23..52b7cbc8f 100644 --- a/kernel-aarch64-rt-rhel.config +++ b/kernel-aarch64-rt-rhel.config @@ -2151,7 +2151,7 @@ CONFIG_FRONTSWAP=y CONFIG_FSCACHE_STATS=y CONFIG_FSCACHE=y CONFIG_FS_DAX=y -# CONFIG_FS_ENCRYPTION is not set +CONFIG_FS_ENCRYPTION=y # CONFIG_FSI is not set # CONFIG_FSL_BMAN_TEST is not set CONFIG_FSL_DPAA2_ETH_DCB=y @@ -4298,8 +4298,7 @@ CONFIG_NET_IPGRE_DEMUX=m CONFIG_NET_IPGRE=m CONFIG_NET_IPIP=m CONFIG_NET_IPVTI=m -CONFIG_NET_KEY=m -CONFIG_NET_KEY_MIGRATE=y +# CONFIG_NET_KEY is not set # CONFIG_NETKIT is not set CONFIG_NET_L3_MASTER_DEV=y CONFIG_NETLABEL=y diff --git a/kernel-ppc64le-debug-rhel.config b/kernel-ppc64le-debug-rhel.config index 0d42c2585..0a962b55b 100644 
--- a/kernel-ppc64le-debug-rhel.config +++ b/kernel-ppc64le-debug-rhel.config @@ -1883,7 +1883,7 @@ CONFIG_FRONTSWAP=y CONFIG_FSCACHE_STATS=y CONFIG_FSCACHE=y CONFIG_FS_DAX=y -# CONFIG_FS_ENCRYPTION is not set +CONFIG_FS_ENCRYPTION=y # CONFIG_FSI is not set # CONFIG_FSL_EDMA is not set # CONFIG_FSL_ENETC_IERB is not set @@ -3927,8 +3927,7 @@ CONFIG_NET_IPGRE_DEMUX=m CONFIG_NET_IPGRE=m CONFIG_NET_IPIP=m CONFIG_NET_IPVTI=m -CONFIG_NET_KEY=m -CONFIG_NET_KEY_MIGRATE=y +# CONFIG_NET_KEY is not set # CONFIG_NETKIT is not set CONFIG_NET_L3_MASTER_DEV=y CONFIG_NETLABEL=y diff --git a/kernel-ppc64le-rhel.config b/kernel-ppc64le-rhel.config index 66df18151..1c2552e61 100644 --- a/kernel-ppc64le-rhel.config +++ b/kernel-ppc64le-rhel.config @@ -1867,7 +1867,7 @@ CONFIG_FRONTSWAP=y CONFIG_FSCACHE_STATS=y CONFIG_FSCACHE=y CONFIG_FS_DAX=y -# CONFIG_FS_ENCRYPTION is not set +CONFIG_FS_ENCRYPTION=y # CONFIG_FSI is not set # CONFIG_FSL_EDMA is not set # CONFIG_FSL_ENETC_IERB is not set @@ -3907,8 +3907,7 @@ CONFIG_NET_IPGRE_DEMUX=m CONFIG_NET_IPGRE=m CONFIG_NET_IPIP=m CONFIG_NET_IPVTI=m -CONFIG_NET_KEY=m -CONFIG_NET_KEY_MIGRATE=y +# CONFIG_NET_KEY is not set # CONFIG_NETKIT is not set CONFIG_NET_L3_MASTER_DEV=y CONFIG_NETLABEL=y diff --git a/kernel-s390x-debug-rhel.config b/kernel-s390x-debug-rhel.config index 978e4aea3..ca50a4c19 100644 --- a/kernel-s390x-debug-rhel.config +++ b/kernel-s390x-debug-rhel.config @@ -1886,7 +1886,7 @@ CONFIG_FRONTSWAP=y CONFIG_FSCACHE_STATS=y CONFIG_FSCACHE=y CONFIG_FS_DAX=y -# CONFIG_FS_ENCRYPTION is not set +CONFIG_FS_ENCRYPTION=y # CONFIG_FSI is not set # CONFIG_FSL_EDMA is not set # CONFIG_FSL_ENETC_IERB is not set @@ -3907,8 +3907,7 @@ CONFIG_NET_IPGRE=m CONFIG_NET_IPIP=m CONFIG_NET_IPVTI=m # CONFIG_NETIUCV is not set -CONFIG_NET_KEY=m -CONFIG_NET_KEY_MIGRATE=y +# CONFIG_NET_KEY is not set # CONFIG_NETKIT is not set CONFIG_NET_L3_MASTER_DEV=y CONFIG_NETLABEL=y 
diff --git a/kernel-s390x-rhel.config b/kernel-s390x-rhel.config index dc17a5339..f94a92cf9 100644 --- a/kernel-s390x-rhel.config +++ b/kernel-s390x-rhel.config @@ -1870,7 +1870,7 @@ CONFIG_FRONTSWAP=y CONFIG_FSCACHE_STATS=y CONFIG_FSCACHE=y CONFIG_FS_DAX=y -# CONFIG_FS_ENCRYPTION is not set +CONFIG_FS_ENCRYPTION=y # CONFIG_FSI is not set # CONFIG_FSL_EDMA is not set # CONFIG_FSL_ENETC_IERB is not set @@ -3887,8 +3887,7 @@ CONFIG_NET_IPGRE=m CONFIG_NET_IPIP=m CONFIG_NET_IPVTI=m # CONFIG_NETIUCV is not set -CONFIG_NET_KEY=m -CONFIG_NET_KEY_MIGRATE=y +# CONFIG_NET_KEY is not set # CONFIG_NETKIT is not set CONFIG_NET_L3_MASTER_DEV=y CONFIG_NETLABEL=y diff --git a/kernel-s390x-zfcpdump-rhel.config b/kernel-s390x-zfcpdump-rhel.config index 83702e7ad..e99848246 100644 --- a/kernel-s390x-zfcpdump-rhel.config +++ b/kernel-s390x-zfcpdump-rhel.config @@ -3897,7 +3897,6 @@ CONFIG_NET_IPIP=m CONFIG_NET_IPVTI=m # CONFIG_NETIUCV is not set # CONFIG_NET_KEY is not set -CONFIG_NET_KEY_MIGRATE=y # CONFIG_NETKIT is not set CONFIG_NET_L3_MASTER_DEV=y CONFIG_NETLABEL=y diff --git a/kernel-x86_64-debug-rhel.config b/kernel-x86_64-debug-rhel.config index 8a8a6f504..038205fcf 100644 --- a/kernel-x86_64-debug-rhel.config +++ b/kernel-x86_64-debug-rhel.config @@ -2015,7 +2015,7 @@ CONFIG_FRONTSWAP=y CONFIG_FSCACHE_STATS=y CONFIG_FSCACHE=y CONFIG_FS_DAX=y -# CONFIG_FS_ENCRYPTION is not set +CONFIG_FS_ENCRYPTION=y # CONFIG_FSI is not set # CONFIG_FSL_EDMA is not set # CONFIG_FSL_ENETC_IERB is not set @@ -4144,8 +4144,7 @@ CONFIG_NET_IPGRE_DEMUX=m CONFIG_NET_IPGRE=m CONFIG_NET_IPIP=m CONFIG_NET_IPVTI=m -CONFIG_NET_KEY=m -CONFIG_NET_KEY_MIGRATE=y +# CONFIG_NET_KEY is not set # CONFIG_NETKIT is not set CONFIG_NET_L3_MASTER_DEV=y CONFIG_NETLABEL=y diff --git a/kernel-x86_64-rhel.config b/kernel-x86_64-rhel.config index 3225541b7..1098fd433 100644 --- a/kernel-x86_64-rhel.config +++ b/kernel-x86_64-rhel.config 
@@ -1999,7 +1999,7 @@ CONFIG_FRONTSWAP=y CONFIG_FSCACHE_STATS=y CONFIG_FSCACHE=y CONFIG_FS_DAX=y -# CONFIG_FS_ENCRYPTION is not set +CONFIG_FS_ENCRYPTION=y # CONFIG_FSI is not set # CONFIG_FSL_EDMA is not set # CONFIG_FSL_ENETC_IERB is not set @@ -4124,8 +4124,7 @@ CONFIG_NET_IPGRE_DEMUX=m CONFIG_NET_IPGRE=m CONFIG_NET_IPIP=m CONFIG_NET_IPVTI=m -CONFIG_NET_KEY=m -CONFIG_NET_KEY_MIGRATE=y +# CONFIG_NET_KEY is not set # CONFIG_NETKIT is not set CONFIG_NET_L3_MASTER_DEV=y CONFIG_NETLABEL=y diff --git a/kernel-x86_64-rt-debug-rhel.config b/kernel-x86_64-rt-debug-rhel.config index dd39a2550..c320ec322 100644 --- a/kernel-x86_64-rt-debug-rhel.config +++ b/kernel-x86_64-rt-debug-rhel.config @@ -2053,7 +2053,7 @@ CONFIG_FRONTSWAP=y CONFIG_FSCACHE_STATS=y CONFIG_FSCACHE=y CONFIG_FS_DAX=y -# CONFIG_FS_ENCRYPTION is not set +CONFIG_FS_ENCRYPTION=y # CONFIG_FSI is not set # CONFIG_FSL_EDMA is not set # CONFIG_FSL_ENETC_IERB is not set @@ -4184,8 +4184,7 @@ CONFIG_NET_IPGRE_DEMUX=m CONFIG_NET_IPGRE=m CONFIG_NET_IPIP=m CONFIG_NET_IPVTI=m -CONFIG_NET_KEY=m -CONFIG_NET_KEY_MIGRATE=y +# CONFIG_NET_KEY is not set # CONFIG_NETKIT is not set CONFIG_NET_L3_MASTER_DEV=y CONFIG_NETLABEL=y diff --git a/kernel-x86_64-rt-rhel.config b/kernel-x86_64-rt-rhel.config index 22cf53846..2b6528506 100644 --- a/kernel-x86_64-rt-rhel.config +++ b/kernel-x86_64-rt-rhel.config @@ -2037,7 +2037,7 @@ CONFIG_FRONTSWAP=y CONFIG_FSCACHE_STATS=y CONFIG_FSCACHE=y CONFIG_FS_DAX=y -# CONFIG_FS_ENCRYPTION is not set +CONFIG_FS_ENCRYPTION=y # CONFIG_FSI is not set # CONFIG_FSL_EDMA is not set # CONFIG_FSL_ENETC_IERB is not set @@ -4164,8 +4164,7 @@ CONFIG_NET_IPGRE_DEMUX=m CONFIG_NET_IPGRE=m CONFIG_NET_IPIP=m CONFIG_NET_IPVTI=m -CONFIG_NET_KEY=m -CONFIG_NET_KEY_MIGRATE=y +# CONFIG_NET_KEY is not set # CONFIG_NETKIT is not set CONFIG_NET_L3_MASTER_DEV=y CONFIG_NETLABEL=y diff --git a/kernel.changelog b/kernel.changelog index c586897c2..a181b762f 100644 --- a/kernel.changelog +++ b/kernel.changelog 
@@ -1,7 +1,16 @@ -* Sun Aug 25 2024 Fedora Kernel Team [6.11.0-0.rc5.43] -- Revert "pidfd: prevent creation of pidfds for kthreads" (Christian Brauner) +* Tue Aug 27 2024 Fedora Kernel Team [6.11.0-0.rc5.3e9bff3bbe13.44] +- Linux v6.11.0-0.rc5.3e9bff3bbe13 +Resolves: RHEL-49398 + +* Mon Aug 26 2024 Fedora Kernel Team [6.11.0-0.rc5.43] - Add weakdep support to the kernel spec (Justin M. Forbes) -Resolves: +- redhat: configs: disable PF_KEY in RHEL (Sabrina Dubroca) +- crypto: akcipher - Disable signing and decryption (Vladis Dronov) [RHEL-54183] {CVE-2023-6240} +- crypto: dh - implement FIPS PCT (Vladis Dronov) [RHEL-54183] +- crypto: ecdh - disallow plain "ecdh" usage in FIPS mode (Vladis Dronov) [RHEL-54183] +- crypto: seqiv - flag instantiations as FIPS compliant (Vladis Dronov) [RHEL-54183] +- [kernel] bpf: set default value for bpf_jit_harden (Artem Savkov) [RHEL-51896] +Resolves: RHEL-51896, RHEL-54183 * Sun Aug 25 2024 Fedora Kernel Team [6.11.0-0.rc5.42] - Linux v6.11.0-0.rc5 diff --git a/kernel.spec b/kernel.spec index 173b6c837..46f00cd82 100644 --- a/kernel.spec +++ b/kernel.spec @@ -163,13 +163,13 @@ Summary: The Linux kernel %define specrpmversion 6.11.0 %define specversion 6.11.0 %define patchversion 6.11 -%define pkgrelease 0.rc5.43 +%define pkgrelease 0.rc5.20240827git3e9bff3bbe13.44 %define kversion 6 -%define tarfile_release 6.11-rc5 +%define tarfile_release 6.11-rc5-15-g3e9bff3bbe13 # This is needed to do merge window version magic %define patchlevel 11 # This allows pkg_release to have configurable %%{?dist} tag -%define specrelease 0.rc5.43%{?buildid}%{?dist} +%define specrelease 0.rc5.20240827git3e9bff3bbe13.44%{?buildid}%{?dist} # This defines the kabi tarball version %define kabiversion 6.11.0 
@@ -4098,9 +4098,17 @@ fi\ # # %changelog -* Sun Aug 25 2024 Fedora Kernel Team [6.11.0-0.rc5.43] -- Revert "pidfd: prevent creation of pidfds for kthreads" (Christian Brauner) +* Tue Aug 27 2024 Fedora Kernel Team [6.11.0-0.rc5.3e9bff3bbe13.44] +- Linux v6.11.0-0.rc5.3e9bff3bbe13 + +* Mon Aug 26 2024 Fedora Kernel Team [6.11.0-0.rc5.43] - Add weakdep support to the kernel spec (Justin M. Forbes) +- redhat: configs: disable PF_KEY in RHEL (Sabrina Dubroca) +- crypto: akcipher - Disable signing and decryption (Vladis Dronov) [RHEL-54183] {CVE-2023-6240} +- crypto: dh - implement FIPS PCT (Vladis Dronov) [RHEL-54183] +- crypto: ecdh - disallow plain "ecdh" usage in FIPS mode (Vladis Dronov) [RHEL-54183] +- crypto: seqiv - flag instantiations as FIPS compliant (Vladis Dronov) [RHEL-54183] +- [kernel] bpf: set default value for bpf_jit_harden (Artem Savkov) [RHEL-51896] * Sun Aug 25 2024 Fedora Kernel Team [6.11.0-0.rc5.42] - Linux v6.11.0-0.rc5 diff --git a/patch-6.11-redhat.patch b/patch-6.11-redhat.patch index ff85ee030..92f63e173 100644 --- a/patch-6.11-redhat.patch +++ b/patch-6.11-redhat.patch @@ -11,8 +11,12 @@ arch/x86/kernel/cpu/common.c | 1 + arch/x86/kernel/setup.c | 98 +++- certs/extract-cert.c | 25 +- + crypto/akcipher.c | 6 +- + crypto/dh.c | 25 + crypto/drbg.c | 18 +- crypto/rng.c | 149 +++++- + crypto/seqiv.c | 15 +- + crypto/testmgr.c | 4 +- drivers/acpi/apei/hest.c | 8 + drivers/acpi/irq.c | 17 +- drivers/acpi/scan.c | 9 + @@ -48,7 +52,7 @@ fs/afs/main.c | 3 + fs/erofs/super.c | 9 + fs/ext4/super.c | 11 + - include/linux/crypto.h | 1 + + include/linux/crypto.h | 3 + include/linux/efi.h | 22 +- include/linux/kernel.h | 16 + include/linux/lsm_hook_defs.h | 2 + @@ -63,8 +67,8 @@ include/linux/security.h | 5 + init/main.c | 3 + kernel/Makefile | 1 + + kernel/bpf/core.c | 5 + kernel/bpf/syscall.c | 23 + - kernel/fork.c | 25 +- kernel/module/main.c | 13 + kernel/module/signing.c | 9 +- kernel/panic.c | 13 + 
@@ -79,7 +83,7 @@ security/lockdown/Kconfig | 13 + security/lockdown/lockdown.c | 1 + security/security.c | 12 + - 81 files changed, 2688 insertions(+), 280 deletions(-) + 85 files changed, 2734 insertions(+), 266 deletions(-) diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 09126bb8cc9f..ee2984e46c06 100644 @@ -501,6 +505,67 @@ index 70e9ec89d87d..f5fb74916cee 100644 } else { BIO *b; X509 *x509; +diff --git a/crypto/akcipher.c b/crypto/akcipher.c +index e0ff5f4dda6d..098a52ded759 100644 +--- a/crypto/akcipher.c ++++ b/crypto/akcipher.c +@@ -126,14 +126,12 @@ int crypto_register_akcipher(struct akcipher_alg *alg) + { + struct crypto_alg *base = &alg->base; + +- if (!alg->sign) +- alg->sign = akcipher_default_op; ++ alg->sign = akcipher_default_op; + if (!alg->verify) + alg->verify = akcipher_default_op; + if (!alg->encrypt) + alg->encrypt = akcipher_default_op; +- if (!alg->decrypt) +- alg->decrypt = akcipher_default_op; ++ alg->decrypt = akcipher_default_op; + if (!alg->set_priv_key) + alg->set_priv_key = akcipher_default_set_key; + +diff --git a/crypto/dh.c b/crypto/dh.c +index 68d11d66c0b5..6e3e515b2452 100644 +--- a/crypto/dh.c ++++ b/crypto/dh.c +@@ -227,10 +227,35 @@ static int dh_compute_value(struct kpp_request *req) + + /* SP800-56A rev 3 5.6.2.1.3 key check */ + } else { ++ MPI val_pct; ++ + if (dh_is_pubkey_valid(ctx, val)) { + ret = -EAGAIN; + goto err_free_val; + } ++ ++ /* ++ * SP800-56Arev3, 5.6.2.1.4: ("Owner Assurance ++ * of Pair-wise Consistency"): recompute the ++ * public key and check if the results match. ++ */ ++ val_pct = mpi_alloc(0); ++ if (!val_pct) { ++ ret = -ENOMEM; ++ goto err_free_val; ++ } ++ ++ ret = _compute_val(ctx, base, val_pct); ++ if (ret) { ++ mpi_free(val_pct); ++ goto err_free_val; ++ } ++ ++ if (mpi_cmp(val, val_pct) != 0) { ++ fips_fail_notify(); ++ panic("dh: pair-wise consistency test failed\n"); ++ } ++ mpi_free(val_pct); + } + } + 
diff --git a/crypto/drbg.c b/crypto/drbg.c index 3addce90930c..730b03de596a 100644 --- a/crypto/drbg.c @@ -775,6 +840,67 @@ index 9d8804e46422..5ccb0485ff4b 100644 + MODULE_LICENSE("GPL"); MODULE_DESCRIPTION("Random Number Generator"); +diff --git a/crypto/seqiv.c b/crypto/seqiv.c +index 17e11d51ddc3..9c136a3b6267 100644 +--- a/crypto/seqiv.c ++++ b/crypto/seqiv.c +@@ -132,6 +132,19 @@ static int seqiv_aead_decrypt(struct aead_request *req) + return crypto_aead_decrypt(subreq); + } + ++static int aead_init_seqiv(struct crypto_aead *aead) ++{ ++ int err; ++ ++ err = aead_init_geniv(aead); ++ if (err) ++ return err; ++ ++ crypto_aead_set_flags(aead, CRYPTO_TFM_FIPS_COMPLIANCE); ++ ++ return 0; ++} ++ + static int seqiv_aead_create(struct crypto_template *tmpl, struct rtattr **tb) + { + struct aead_instance *inst; +@@ -149,7 +162,7 @@ static int seqiv_aead_create(struct crypto_template *tmpl, struct rtattr **tb) + inst->alg.encrypt = seqiv_aead_encrypt; + inst->alg.decrypt = seqiv_aead_decrypt; + +- inst->alg.init = aead_init_geniv; ++ inst->alg.init = aead_init_seqiv; + inst->alg.exit = aead_exit_geniv; + + inst->alg.base.cra_ctxsize = sizeof(struct aead_geniv_ctx); +diff --git a/crypto/testmgr.c b/crypto/testmgr.c +index f02cb075bd68..669e306f1cb2 100644 +--- a/crypto/testmgr.c ++++ b/crypto/testmgr.c +@@ -4216,7 +4216,7 @@ static int test_akcipher_one(struct crypto_akcipher *tfm, + * Don't invoke (decrypt or sign) test which require a private key + * for vectors with only a public key. + */ +- if (vecs->public_key_vec) { ++ if (1 || vecs->public_key_vec) { + err = 0; + goto free_all; + } +@@ -5093,14 +5093,12 @@ static const struct alg_test_desc alg_test_descs[] = { + }, { + .alg = "ecdh-nist-p256", + .test = alg_test_kpp, +- .fips_allowed = 1, + .suite = { + .kpp = __VECS(ecdh_p256_tv_template) + } + }, { + .alg = "ecdh-nist-p384", + .test = alg_test_kpp, +- .fips_allowed = 1, + .suite = { + .kpp = __VECS(ecdh_p384_tv_template) + } 
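Review bot: In the `crypto/akcipher.c` part of this hunk, `crypto_register_akcipher()` now assigns `alg->sign = akcipher_default_op;` and `alg->decrypt = akcipher_default_op;` unconditionally, discarding any callback a driver supplied, and nothing in the code says why. The changelog on this page ties the change to CVE-2023-6240, so the reason belongs next to the assignments, e.g. `/* RHEL: private-key sign/decrypt are disabled for all akcipher algorithms (CVE-2023-6240); driver callbacks are overridden on purpose. */`. Unlike the `bpf_jit_harden` change in the same patch, it is not wrapped in `#ifdef CONFIG_RHEL_DIFFERENCES`, which would make the downstream-only behaviour explicit. The function body continues outside the hunk.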
diff --git a/drivers/acpi/apei/hest.c b/drivers/acpi/apei/hest.c index 20d757687e3d..90a13f20f052 100644 --- a/drivers/acpi/apei/hest.c @@ -2390,14 +2516,16 @@ index e72145c4ae5a..7522b976a836 100644 err = ext4_register_sysfs(sb); if (err) diff --git a/include/linux/crypto.h b/include/linux/crypto.h -index b164da5e129e..59021b8609a7 100644 +index b164da5e129e..cd78d16ee5d6 100644 --- a/include/linux/crypto.h +++ b/include/linux/crypto.h -@@ -133,6 +133,7 @@ +@@ -133,6 +133,9 @@ #define CRYPTO_TFM_REQ_FORBID_WEAK_KEYS 0x00000100 #define CRYPTO_TFM_REQ_MAY_SLEEP 0x00000200 #define CRYPTO_TFM_REQ_MAY_BACKLOG 0x00000400 +#define CRYPTO_TFM_REQ_NEED_RESEED 0x00000800 ++ ++#define CRYPTO_TFM_FIPS_COMPLIANCE 0x80000000 /* * Miscellaneous stuff. @@ -3281,6 +3409,23 @@ index 3c13240dfc9f..dc6723d84302 100644 obj-$(CONFIG_USERMODE_DRIVER) += usermode_driver.o obj-$(CONFIG_MULTIUSER) += groups.o obj-$(CONFIG_VHOST_TASK) += vhost_task.o +diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c +index 7ee62e38faf0..63817aceb71f 100644 +--- a/kernel/bpf/core.c ++++ b/kernel/bpf/core.c +@@ -566,7 +566,12 @@ void bpf_prog_kallsyms_del_all(struct bpf_prog *fp) + /* All BPF JIT sysctl knobs here. */ + int bpf_jit_enable __read_mostly = IS_BUILTIN(CONFIG_BPF_JIT_DEFAULT_ON); + int bpf_jit_kallsyms __read_mostly = IS_BUILTIN(CONFIG_BPF_JIT_DEFAULT_ON); ++#ifdef CONFIG_RHEL_DIFFERENCES ++/* RHEL-only: set it to 1 by default */ ++int bpf_jit_harden __read_mostly = 1; ++#else + int bpf_jit_harden __read_mostly; ++#endif /* CONFIG_RHEL_DIFFERENCES */ + long bpf_jit_limit __read_mostly; + long bpf_jit_limit_max __read_mostly; + diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index bf6c5f685ea2..649f2fccaddd 100644 --- a/kernel/bpf/syscall.c 
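Review bot: In `test_akcipher_one()` the condition `if (1 || vecs->public_key_vec)` makes the early `goto free_all` unconditional, so the private-key half of the akcipher self-test after it becomes dead code and the comment above the condition no longer describes what happens. State the intent instead of hiding it in a constant: either rewrite the comment as `/* RHEL: sign and decrypt are disabled in crypto_register_akcipher(), so skip the private-key tests for every vector. */` or write the guard as `if (IS_ENABLED(CONFIG_RHEL_DIFFERENCES) || vecs->public_key_vec) {`. The rest of the function lies outside the hunk.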
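Review bot: `CRYPTO_TFM_FIPS_COMPLIANCE` is added to `include/linux/crypto.h` without a comment, directly below the `CRYPTO_TFM_REQ_*` block, so a reader cannot tell who sets it or who reads it. The `crypto/seqiv.c` change in this patch sets it from `aead_init_seqiv()`, but the code that consumes the bit is not visible on this page. A one-line comment such as `/* RHEL: set by a transform's init routine (see seqiv) to mark the instantiation as FIPS compliant. */` would record that.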
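Review bot: The added comment `/* RHEL-only: set it to 1 by default */` in `kernel/bpf/core.c` restates the initializer without saying what the value means. With `bpf_jit_harden = 1` the hardening applies to unprivileged users only (2 would cover all users), and the knob stays adjustable through sysctl at runtime. A comment such as `/* RHEL-only: harden JIT output for unprivileged users by default; still adjustable via sysctl. */` records the scope of the default.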
@@ -3329,50 +3474,6 @@ index bf6c5f685ea2..649f2fccaddd 100644 *(int *)table->data = unpriv_enable; } -diff --git a/kernel/fork.c b/kernel/fork.c -index 18bdc87209d0..cc760491f201 100644 ---- a/kernel/fork.c -+++ b/kernel/fork.c -@@ -2053,23 +2053,10 @@ static int __pidfd_prepare(struct pid *pid, unsigned int flags, struct file **re - */ - int pidfd_prepare(struct pid *pid, unsigned int flags, struct file **ret) - { -- if (!pid) -- return -EINVAL; -- -- scoped_guard(rcu) { -- struct task_struct *tsk; -- -- if (flags & PIDFD_THREAD) -- tsk = pid_task(pid, PIDTYPE_PID); -- else -- tsk = pid_task(pid, PIDTYPE_TGID); -- if (!tsk) -- return -EINVAL; -+ bool thread = flags & PIDFD_THREAD; - -- /* Don't create pidfds for kernel threads for now. */ -- if (tsk->flags & PF_KTHREAD) -- return -EINVAL; -- } -+ if (!pid || !pid_has_task(pid, thread ? PIDTYPE_PID : PIDTYPE_TGID)) -+ return -EINVAL; - - return __pidfd_prepare(pid, flags, ret); - } -@@ -2416,12 +2403,6 @@ __latent_entropy struct task_struct *copy_process( - if (clone_flags & CLONE_PIDFD) { - int flags = (clone_flags & CLONE_THREAD) ? PIDFD_THREAD : 0; - -- /* Don't create pidfds for kernel threads for now. */ -- if (args->kthread) { -- retval = -EINVAL; -- goto bad_fork_free_pid; -- } -- - /* Note that no task has been attached to @pid yet. */ - retval = __pidfd_prepare(pid, flags, &pidfile); - if (retval < 0) diff --git a/kernel/module/main.c b/kernel/module/main.c index 71396e297499..29e469418075 100644 --- a/kernel/module/main.c diff --git a/sources b/sources index c44d714f7..644b6a04f 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@
-SHA512 (linux-6.11-rc5.tar.xz) = ff448b1f89c72e7f6b55049cd7cc090971b8fd138f37797ea75b2294aa47f6e625874b2bc5958d57f1c3535d3926374bafb15661e42dad34bb41692f0e0d016b
-SHA512 (kernel-abi-stablelists-6.11.0.tar.xz) = f1335e684c694ca921a702c6e13dc7cf6184294db2b8671161b6689d483722cd7c2970bb74df7c2da55b5f9c80e9144adf0a7d6f7b7225022b2f368ec821da50
-SHA512 (kernel-kabi-dw-6.11.0.tar.xz) = ccd65f0cbf5f967b6a49f1d8e596e065f389177bd496715d5dd2bb8b7b735dcdeb1d4eff1cf55a62d1aaa92bcf98c9a7bc4f931e0ec2c09eba63acd573581e04
+SHA512 (linux-6.11-rc5-15-g3e9bff3bbe13.tar.xz) = ae746f6c59c27274d79861d16a9cbea3db179eeda2b5979622f91a8e1c49cb8acc5149171d6e9d43878f7b0dc2b418dc8c3b39fa8c076bdb73616ed8dad92832
+SHA512 (kernel-abi-stablelists-6.11.0.tar.xz) = 2c203d38dc30d67f52015828f8754eac49964d3c1996d0b667b87aa7aff20ed2fa5fae19a90b253d488bb54d5f9bd8200ae305879b6b5b9d41acb98fefd8c1f4
+SHA512 (kernel-kabi-dw-6.11.0.tar.xz) = 115ed2d2d87324b30eb4c078719913a80b3992ba9e3ac9df4711712b3de12a8f46732a468e8a5acd1c86983426d5a09d1df94c5cda27575a08f3622f4d7e5bc9