From ec1d838ee0bbece09a12c4678080174a415c9849 Mon Sep 17 00:00:00 2001 From: Koichiro Iwao Date: Tue, 24 Jun 2025 16:36:15 +0900 Subject: [PATCH 1/9] Sync with a10, reintroduce initramfs (cherry picked from commit af6ad76c4b2ec498b43aaab9d8fb5a0c4acf6b37) --- SPECS/raspberrypi2.spec | 130 +++++++++++++++++++++++++++++++++------- 1 file changed, 108 insertions(+), 22 deletions(-) diff --git a/SPECS/raspberrypi2.spec b/SPECS/raspberrypi2.spec index 48d6b2e..5e538b2 100644 --- a/SPECS/raspberrypi2.spec +++ b/SPECS/raspberrypi2.spec @@ -11,7 +11,7 @@ ExclusiveArch: aarch64 %define local_version v8 %define bcmmodel 2711 -%define extra_version 1 +%define extra_version 2 # This originally implies Kernel 4.x for RPi 2 and is not appropriate now. # Be careful to change this not to disturb the seamless package update. @@ -21,6 +21,12 @@ ExclusiveArch: aarch64 %define kversion 6.12 %define patchlevel 25 +%if 0%{?rhel} >= 10 +%define pathfix %{__python3} %{_rpmconfigdir}/redhat/pathfix.py +%else +%define pathfix pathfix.py +%endif + # standard kernel %define with_up %{?_without_up: 0} %{?!_without_up: 1} # tools @@ -35,9 +41,9 @@ Version: %{kversion}.%{patchlevel} Release: %{version_tag}.%{local_version}.%{extra_version}%{?dist} Summary: Specific kernel and bootcode for Raspberry Pi -License: GPLv2 +License: GPL-2.0 WITH Linux-syscall-note URL: https://github.com/raspberrypi/linux -Source0: https://github.com/raspberrypi/linux/archive/refs/tags/stable_%{version_tag}.tar.gz +Source0: https://github.com/raspberrypi/linux/archive/stable_%{version_tag}.tar.gz Source1: https://github.com/raspberrypi/firmware/archive/refs/tags/%{firmware_tag}.tar.gz Patch100: config_2711.patch Patch101: config_2712.patch @@ -69,9 +75,10 @@ Specific kernel and bootcode for Raspberry Pi Group: System Environment/Kernel Summary: The Linux kernel Provides: kernel = %{version}-%{release} +Provides: kernel-core = %{version}-%{release} Provides: installonlypkg(kernel) -Requires: coreutils - +Requires: coreutils +Requires: dracut %description kernel%{?ksuffix} The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions @@ -88,11 +95,54 @@ Autoreq: no Requires(pre): findutils Requires: findutils Requires: perl-interpreter - %description kernel%{?ksuffix}-devel This package provides kernel headers and makefiles sufficient to build modules against the kernel package. +%if 0%{?rhel} >= 10 +%package kernel%{?ksuffix}-modules +Summary: Pseudo package for kernel modules +Group: System Environment/Kernel +Provides: installonlypkg(kernel-module) +Provides: kernel-modules = %{version}-%{release} +Provides: kernel-modules-uname-r = %{version}-%{release} +Obsoletes: kernel-modules < %{version}-%{release} +Requires: %{name}-kernel%{?ksuffix} = %{version}-%{release} +AutoReq: no +AutoProv: yes +%description kernel%{?ksuffix}-modules +This package provides pseudo dependency for the packages that depends on regular +kernel-modules packages. + +%package kernel%{?ksuffix}-modules-core +Summary: Pseudo package for core kernel modules +Group: System Environment/Kernel +Provides: installonlypkg(kernel-module) +Provides: kernel-modules-core = %{version}-%{release} +Provides: kernel-modules-core-uname-r = %{version}-%{release} +Obsoletes: kernel-modules-core < %{version}-%{release} +Requires: %{name}-kernel%{?ksuffix} = %{version}-%{release} +AutoReq: no +AutoProv: yes +%description kernel%{?ksuffix}-modules-core +This package provides pseudo dependency for the packages that depends on regular +kernel-modules-core packages. + +%package kernel%{?ksuffix}-modules-extra +Summary: Pseudo package for extra kernel modules +Group: System Environment/Kernel +Provides: kernel-modules-extra = %{version}-%{release} +Provides: kernel-modules-extra-uname-r = %{version}-%{release} +Provides: installonlypkg(kernel-module) +Obsoletes: kernel-modules-extra < %{version}-%{release} +Requires: %{name}-kernel%{?ksuffix} = %{version}-%{release} +AutoReq: no +AutoProv: yes +%description kernel%{?ksuffix}-modules-extra +This package provides pseudo dependency for the packages that depends on regular +kernel-modules-extra packages. +%endif + %if %{with_tools} %package kernel%{?ksuffix}-tools Summary: Assortment of tools for the Linux kernel @@ -152,7 +202,7 @@ Obsoletes: kernel-headers < %{version} Provides: kernel-headers = %{version}-%{release} Obsoletes: glibc-kernheaders < 3.0-46 Provides: glibc-kernheaders = 3.0-46 -Summary: Header files for the Linux kernel for use by glibc +Summary: Header files for the Linux kernel for use by glibc %description kernel%{?ksuffix}-headers Kernel-headers includes the C header files that specify the interface @@ -164,8 +214,8 @@ glibc package. %prep %setup -q -n linux-stable_%{version_tag} -%patch100 -p1 -%patch101 -p1 +%patch -P 100 -p1 +%patch -P 101 -p1 perl -p -i -e "s/^EXTRAVERSION.*/EXTRAVERSION = -%{release}/" Makefile perl -p -i -e "s/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=/" arch/%{Arch}/configs/bcm2711_defconfig perl -p -i -e "s/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=/" arch/%{Arch}/configs/bcm2712_defconfig @@ -176,9 +226,9 @@ perl -p -i -e "s/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=/" arch/%{Arch}/con # -p preserves timestamps # -n prevents creating ~backup files # -i specifies the interpreter for the shebang -pathfix.py -pni "%{__python3} %{py3_shbang_opts}" scripts/ -pathfix.py -pni "%{__python3} %{py3_shbang_opts}" scripts/diffconfig scripts/bloat-o-meter scripts/show_delta scripts/jobserver-exec -pathfix.py -pni "%{__python3} %{py3_shbang_opts}" tools/ tools/perf/scripts/python/*.py tools/kvm/kvm_stat/kvm_stat scripts/clang-tools/*.py +%{pathfix} -pni "%{__python3} %{py3_shbang_opts}" scripts/ +%{pathfix} -pni "%{__python3} %{py3_shbang_opts}" scripts/diffconfig scripts/bloat-o-meter scripts/show_delta scripts/jobserver-exec +%{pathfix} -pni "%{__python3} %{py3_shbang_opts}" tools/ tools/perf/scripts/python/*.py tools/kvm/kvm_stat/kvm_stat scripts/clang-tools/*.py %endif %build @@ -376,13 +426,19 @@ if [ -d /boot ]; then cp /usr/share/%{name}-kernel%{?ksuffix}/%{version}-%{release}/boot/overlays/*.dtb* /boot/overlays/ cp /usr/share/%{name}-kernel%{?ksuffix}/%{version}-%{release}/boot/overlays/README /boot/overlays/ cp /boot/config-kernel-%{version}-%{release}.inc /boot/config-kernel.inc + + /usr/bin/dracut --no-hostonly /boot/initramfs-%{version}-%{release}.img %{version}-%{release} + cp /boot/initramfs-%{version}-%{release}.img /boot/initramfs%{armtarget} fi %postun kernel%{?ksuffix} -if [ -f /boot/kernel%{armtarget}.img ];then +if [ -f /boot/kernel%{armtarget}.img ]; then #only restore kernel%{armtarget}.img if it exists, we may have moved to initramfs cp $(ls -1 /boot/kernel-*-*|sort -V|tail -1) /boot/kernel%{armtarget}.img fi +if [ -f /boot/initramfs%{armtarget} ]; then + cp $(ls -1 /boot/initramfs-*-*|sort -V| tail -1) /boot/initramfs%{armtarget} +fi cp $(ls -1d /usr/share/%{name}-kernel%{?ksuffix}/*-*/|sort -V|tail -1)/boot/*.dtb /boot/ cp $(ls -1d /usr/share/%{name}-kernel%{?ksuffix}/*-*/|sort -V|tail -1)/boot/overlays/*.dtb* /boot/overlays/ cp $(ls -1d /usr/share/%{name}-kernel%{?ksuffix}/*-*/|sort -V|tail -1)/boot/overlays/README /boot/overlays/ @@ -392,6 +448,20 @@ cp $(ls -1 /boot/config-kernel-*-*|sort -V|tail -1) /boot/config-kernel.inc %files kernel%{?ksuffix}-devel %defattr(-,root,root) /usr/src/kernels/%{version}-%{release} + +%if 0%{?rhel} >= 10 +%files kernel%{?ksuffix}-modules +# empty package +%defattr(-,root,root) + +%files kernel%{?ksuffix}-modules-core +# empty package +%defattr(-,root,root) + +%files kernel%{?ksuffix}-modules-extra +# empty package +%defattr(-,root,root) +%endif %endif %if %{with_tools} @@ -445,22 +515,38 @@ cp $(ls -1 /boot/config-kernel-*-*|sort -V|tail -1) /boot/config-kernel.inc %endif %changelog +* Mon Jun 23 2025 Koichiro Iwao - 6.12.25-20250428.v8.2 +- Reintroduce initramfs for XFS / LUKS + https://github.com/AlmaLinux/raspberry-pi/issues/65 + https://github.com/AlmaLinux/raspberry-pi/issues/86 + * Mon May 26 2025 Koichiro Iwao - 6.12.25-20250428.v8.1 -- Update kernel to 6.12.25 stable_20250428 +- Update kernel to v6.12.25 stable_20250428 - Update firmware to 1.20250430 - Regenerate patches -- Apply the consistent directory under /usr/share (fix missed cases) - -* Mon Apr 14 2025 Koichiro Iwao - 6.6.74-20250127.v8.2 -- Fixes to enable bootc -- Enable EROFS - Use the consistent directory under /usr/share with the package name +- Enable EROFS bootc container (contributed by Kevin Fox) +- Fixes to enable bootc (contributed by Kevin Fox) -* Thu Feb 20 2025 Koichiro Iwao - 6.6.74-20250127.v8.1 -- Update kernel to v6.6.74 stable_20250127 -- Update firmware to 1.20250127 +* Mon Jan 27 2025 Koichiro Iwao - 6.12.1-20241206.v8.2 +- Add pseudo subpackages for kernel modules to resolve dependency issue +- The main kernel package now provides kernel-core +- Convert license to SPDX expression - Remove dracut as initramfs is not needed (mentioned in 4.4.21-2) +* Wed Dec 25 2024 Koichiro Iwao - 6.12.1-20241206.v8.1 +- Update kernel to v6.12.1 rpi-6.12.y_20241206_2 +- Update firmware to 1.20241126 + +* Tue Nov 12 2024 Koichiro Iwao - 6.12.0-20241111.v8.1 +- Update kernel to v6.12.0-rc7 20241110 bf70ebd2 + +* Tue Nov 12 2024 Koichiro Iwao - 6.11.7-20241110.v8.1 +- Update kernel to v6.11.7 20241110 efda653d + +* Fri Nov 08 2024 Koichiro Iwao - 6.6.51-20241008.v8.2 +- Fix build for AL10 Kitten + * Mon Oct 21 2024 Koichiro Iwao - 6.6.51-20241008.v8.1 - Update kernel to version v6.6.51 stable_20241008 - Update firmware to 1.20241008 From e84683959cb6f2b3303b4874fc7c6816659afa28 Mon Sep 17 00:00:00 2001 From: Koichiro Iwao Date: Fri, 11 Jul 2025 10:12:42 +0900 Subject: [PATCH 2/9] Update kernel to v6.12.34 stable_20240702 (cherry picked from commit e1b954d5fba0e27b92b7956b26b4cbf75f11fe30) --- .raspberrypi2.metadata | 2 +- SPECS/raspberrypi2.spec | 9 ++++++--- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/.raspberrypi2.metadata b/.raspberrypi2.metadata index c972d5d..7fffdbf 100644 --- a/.raspberrypi2.metadata +++ b/.raspberrypi2.metadata @@ -1,2 +1,2 @@ 716cf8d994e7c3794489e9c33de8c77c466d2a46 SOURCES/1.20250430.tar.gz -37b6749bb055db30a8496f0bf60e14465304416e SOURCES/stable_20250428.tar.gz +4056ee652e15cec45f318082124f9ef6c2fa250e SOURCES/stable_20250702.tar.gz diff --git a/SPECS/raspberrypi2.spec b/SPECS/raspberrypi2.spec index 5e538b2..f1d69f0 100644 --- a/SPECS/raspberrypi2.spec +++ b/SPECS/raspberrypi2.spec @@ -1,5 +1,5 @@ %global firmware_tag 1.20250430 -%global version_tag 20250428 +%global version_tag 20250702 ExclusiveArch: aarch64 @@ -11,7 +11,7 @@ ExclusiveArch: aarch64 %define local_version v8 %define bcmmodel 2711 -%define extra_version 2 +%define extra_version 1 # This originally implies Kernel 4.x for RPi 2 and is not appropriate now. # Be careful to change this not to disturb the seamless package update. @@ -19,7 +19,7 @@ ExclusiveArch: aarch64 %define ksuffix 4 %define kversion 6.12 -%define patchlevel 25 +%define patchlevel 34 %if 0%{?rhel} >= 10 %define pathfix %{__python3} %{_rpmconfigdir}/redhat/pathfix.py @@ -515,6 +515,9 @@ cp $(ls -1 /boot/config-kernel-*-*|sort -V|tail -1) /boot/config-kernel.inc %endif %changelog +* Wed Jul 09 2025 Koichiro Iwao - 6.12.34-20250702.v8.1 +- Update kernel to v6.12.34 stable_20240702 + * Mon Jun 23 2025 Koichiro Iwao - 6.12.25-20250428.v8.2 - Reintroduce initramfs for XFS / LUKS https://github.com/AlmaLinux/raspberry-pi/issues/65 From b41dc0ae080379146bf2701f56ca2064273c0caa Mon Sep 17 00:00:00 2001 From: ryosuke-nakayama Date: Thu, 25 Sep 2025 14:10:55 +0900 Subject: [PATCH 3/9] Update firmware to 1.20250915 (cherry picked from commit 755dc489f9b669ddd12fecdf902abe0153ef71c4) --- SPECS/raspberrypi2.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/SPECS/raspberrypi2.spec b/SPECS/raspberrypi2.spec index f1d69f0..26846d0 100644 --- a/SPECS/raspberrypi2.spec +++ b/SPECS/raspberrypi2.spec @@ -1,4 +1,4 @@ -%global firmware_tag 1.20250430 +%global firmware_tag 1.20250915 %global version_tag 20250702 ExclusiveArch: aarch64 @@ -11,7 +11,7 @@ ExclusiveArch: aarch64 %define local_version v8 %define bcmmodel 2711 -%define extra_version 1 +%define extra_version 2 # This originally implies Kernel 4.x for RPi 2 and is not appropriate now. # Be careful to change this not to disturb the seamless package update. @@ -515,6 +515,9 @@ cp $(ls -1 /boot/config-kernel-*-*|sort -V|tail -1) /boot/config-kernel.inc %endif %changelog +* Wed Sep 24 2025 Ryosuke Nakayama - 6.12.34-20250702.v8.2 +- Update firmware to 1.20250915 + * Wed Jul 09 2025 Koichiro Iwao - 6.12.34-20250702.v8.1 - Update kernel to v6.12.34 stable_20240702 From 5e3770422f0e1d9e8da5cf9d6759e5c45d8bc62b Mon Sep 17 00:00:00 2001 From: Andrew Lukoshko Date: Thu, 2 Oct 2025 08:42:24 +0000 Subject: [PATCH 4/9] Update .raspberrypi2.metadata with new sources (cherry picked from commit e4f802b73bc107307709901978165ca414b2f17f) --- .raspberrypi2.metadata | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.raspberrypi2.metadata b/.raspberrypi2.metadata index 7fffdbf..564f126 100644 --- a/.raspberrypi2.metadata +++ b/.raspberrypi2.metadata @@ -1,2 +1,2 @@ -716cf8d994e7c3794489e9c33de8c77c466d2a46 SOURCES/1.20250430.tar.gz -4056ee652e15cec45f318082124f9ef6c2fa250e SOURCES/stable_20250702.tar.gz +4056ee652e15cec45f318082124f9ef6c2fa250e SOURCES/stable_20250702.tar.gz +be897efea93afd8c6ccc39a2667166f7398fc97a SOURCES/1.20250915.tar.gz From d745366d45cbfd855589863a98bb67ad4061224f Mon Sep 17 00:00:00 2001 From: Koichiro Iwao Date: Fri, 3 Oct 2025 14:10:10 +0900 Subject: [PATCH 5/9] Update kernel to v6.12.47 stable_20250916 (cherry picked from commit 7e3eb0e36b5e99a03b3e475b1f914093d2c63bdd) --- .raspberrypi2.metadata | 2 +- SPECS/raspberrypi2.spec | 21 +++++++++++++-------- 2 files changed, 14 insertions(+), 9 deletions(-) diff --git a/.raspberrypi2.metadata b/.raspberrypi2.metadata index 564f126..202cc02 100644 --- a/.raspberrypi2.metadata +++ b/.raspberrypi2.metadata @@ -1,2 +1,2 @@ -4056ee652e15cec45f318082124f9ef6c2fa250e SOURCES/stable_20250702.tar.gz +25cfd4609f553d2dfecf70664da814f5064c194b SOURCES/stable_20250916.tar.gz be897efea93afd8c6ccc39a2667166f7398fc97a SOURCES/1.20250915.tar.gz diff --git a/SPECS/raspberrypi2.spec b/SPECS/raspberrypi2.spec index 26846d0..b574701 100644 --- a/SPECS/raspberrypi2.spec +++ b/SPECS/raspberrypi2.spec @@ -1,5 +1,5 @@ %global firmware_tag 1.20250915 -%global version_tag 20250702 +%global version_tag 20250916 ExclusiveArch: aarch64 @@ -11,7 +11,7 @@ ExclusiveArch: aarch64 %define local_version v8 %define bcmmodel 2711 -%define extra_version 2 +%define extra_version 1 # This originally implies Kernel 4.x for RPi 2 and is not appropriate now. # Be careful to change this not to disturb the seamless package update. @@ -19,9 +19,9 @@ ExclusiveArch: aarch64 %define ksuffix 4 %define kversion 6.12 -%define patchlevel 34 +%define patchlevel 47 -%if 0%{?rhel} >= 10 +%if 0%{?rhel} >= 10 || 0%{?fedora} >= 40 %define pathfix %{__python3} %{_rpmconfigdir}/redhat/pathfix.py %else %define pathfix pathfix.py @@ -220,15 +220,16 @@ perl -p -i -e "s/^EXTRAVERSION.*/EXTRAVERSION = -%{release}/" Makefile perl -p -i -e "s/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=/" arch/%{Arch}/configs/bcm2711_defconfig perl -p -i -e "s/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=/" arch/%{Arch}/configs/bcm2712_defconfig -%if 0%{?rhel} >= 8 +%if 0%{?rhel} >= 8 || 0%{?fedora} >= 28 # Mangle /usr/bin/python shebangs to /usr/bin/python3 # Mangle all Python shebangs to be Python 3 explicitly # -p preserves timestamps # -n prevents creating ~backup files # -i specifies the interpreter for the shebang %{pathfix} -pni "%{__python3} %{py3_shbang_opts}" scripts/ -%{pathfix} -pni "%{__python3} %{py3_shbang_opts}" scripts/diffconfig scripts/bloat-o-meter scripts/show_delta scripts/jobserver-exec -%{pathfix} -pni "%{__python3} %{py3_shbang_opts}" tools/ tools/perf/scripts/python/*.py tools/kvm/kvm_stat/kvm_stat scripts/clang-tools/*.py +%{pathfix} -pni "%{__python3} %{py3_shbang_opts}" scripts/diffconfig scripts/bloat-o-meter scripts/show_delta \ + scripts/jobserver-exec scripts/dtc/dt-extract-compatibles +%{pathfix} -pni "%{__python3} %{py3_shbang_opts}" tools/ tools/kvm/kvm_stat/kvm_stat %endif %build @@ -515,6 +516,10 @@ cp $(ls -1 /boot/config-kernel-*-*|sort -V|tail -1) /boot/config-kernel.inc %endif %changelog +* Fri Oct 03 2025 Koichiro Iwao - 6.12.47-20250916.v8.1 +- Update kernel to v6.12.47 stable_20250916 +- Make it buildable on Fedora + * Wed Sep 24 2025 Ryosuke Nakayama - 6.12.34-20250702.v8.2 - Update firmware to 1.20250915 @@ -534,7 +539,7 @@ cp $(ls -1 /boot/config-kernel-*-*|sort -V|tail -1) /boot/config-kernel.inc - Enable EROFS bootc container (contributed by Kevin Fox) - Fixes to enable bootc (contributed by Kevin Fox) -* Mon Jan 27 2025 Koichiro Iwao - 6.12.1-20241206.v8.2 +* Mon Jan 27 2025 Koichiro Iwao - 6.12.1-20241206.v8.2 - Add pseudo subpackages for kernel modules to resolve dependency issue - The main kernel package now provides kernel-core - Convert license to SPDX expression From a4b12618a52a74d761a5383c5b2207c21f953c74 Mon Sep 17 00:00:00 2001 From: Koichiro Iwao Date: Mon, 2 Mar 2026 02:30:41 +0000 Subject: [PATCH 6/9] Add a pseudo subpackage -modules-extra-matched to resolve dependency issue (cherry picked from commit 52258891d45ecc8f3d68adb8982522da2f3db1c4) --- SPECS/raspberrypi2.spec | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/SPECS/raspberrypi2.spec b/SPECS/raspberrypi2.spec index b574701..5332e12 100644 --- a/SPECS/raspberrypi2.spec +++ b/SPECS/raspberrypi2.spec @@ -11,7 +11,7 @@ ExclusiveArch: aarch64 %define local_version v8 %define bcmmodel 2711 -%define extra_version 1 +%define extra_version 2 # This originally implies Kernel 4.x for RPi 2 and is not appropriate now. # Be careful to change this not to disturb the seamless package update. @@ -141,6 +141,20 @@ AutoProv: yes %description kernel%{?ksuffix}-modules-extra This package provides pseudo dependency for the packages that depends on regular kernel-modules-extra packages. + +%package kernel%{?ksuffix}-modules-extra-matched +Summary: Pseudo package for extra kernel modules +Group: System Environment/Kernel +Provides: kernel-modules-extra-matched = %{version}-%{release} +Provides: kernel-modules-extra-matched-uname-r = %{version}-%{release} +Provides: installonlypkg(kernel-module) +Obsoletes: kernel-modules-extra-matched < %{version}-%{release} +Requires: %{name}-kernel%{?ksuffix} = %{version}-%{release} +AutoReq: no +AutoProv: yes +%description kernel%{?ksuffix}-modules-extra-matched +This package provides pseudo dependency for the packages that depends on regular +kernel-modules-extra-matched packages. %endif %if %{with_tools} @@ -462,6 +476,10 @@ cp $(ls -1 /boot/config-kernel-*-*|sort -V|tail -1) /boot/config-kernel.inc %files kernel%{?ksuffix}-modules-extra # empty package %defattr(-,root,root) + +%files kernel%{?ksuffix}-modules-extra-matched +# empty package +%defattr(-,root,root) %endif %endif @@ -516,6 +534,9 @@ cp $(ls -1 /boot/config-kernel-*-*|sort -V|tail -1) /boot/config-kernel.inc %endif %changelog +* Mon Mar 02 2026 Koichiro Iwao - 6.12.47-20250916.v8.2 +- Add a pseudo subpackage -modules-extra-matched to resolve dependency issue + * Fri Oct 03 2025 Koichiro Iwao - 6.12.47-20250916.v8.1 - Update kernel to v6.12.47 stable_20250916 - Make it buildable on Fedora From d36a5552878c4aeed33706bf3d5213e9c8ce3e53 Mon Sep 17 00:00:00 2001 From: Koichiro Iwao Date: Thu, 30 Apr 2026 02:10:59 +0000 Subject: [PATCH 7/9] Apply fix for CVE-2026-31431 Copy Fail (cherry picked from commit b9bc6b4858457a33756e73befe627cb9c507b402) --- ...ead-Revert-to-operating-out-of-place.patch | 310 ++++++++++++++++++ SPECS/raspberrypi2.spec | 9 +- 2 files changed, 318 insertions(+), 1 deletion(-) create mode 100644 SOURCES/1100-crypto-algif_aead-Revert-to-operating-out-of-place.patch diff --git a/SOURCES/1100-crypto-algif_aead-Revert-to-operating-out-of-place.patch b/SOURCES/1100-crypto-algif_aead-Revert-to-operating-out-of-place.patch new file mode 100644 index 0000000..b50d4be --- /dev/null +++ b/SOURCES/1100-crypto-algif_aead-Revert-to-operating-out-of-place.patch @@ -0,0 +1,310 @@ +From a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5 Mon Sep 17 00:00:00 2001 +From: Herbert Xu +Date: Thu, 26 Mar 2026 15:30:20 +0900 +Subject: [PATCH] crypto: algif_aead - Revert to operating out-of-place + +This mostly reverts commit 72548b093ee3 except for the copying of +the associated data. + +There is no benefit in operating in-place in algif_aead since the +source and destination come from different mappings. Get rid of +all the complexity added for in-place operation and just copy the +AD directly. + +Backported to kernel-6.12.0-124.52.1.el10_1: this tree pre-dates upstream's +memcpy_sglist() helper, so the AAD copy keeps using +crypto_aead_copy_sgl(null_tfm, ...). The function signatures of +af_alg_count_tsgl() and af_alg_pull_tsgl() are reverted to drop the +offset parameters as in upstream. + +Fixes: 72548b093ee3 ("crypto: algif_aead - copy AAD from src to dst") +Reported-by: Taeyang Lee <0wn@theori.io> +Signed-off-by: Herbert Xu +--- +--- a/crypto/af_alg.c ++++ b/crypto/af_alg.c +@@ -635,15 +635,13 @@ + /** + * af_alg_count_tsgl - Count number of TX SG entries + * +- * The counting starts from the beginning of the SGL to @bytes. If +- * an @offset is provided, the counting of the SG entries starts at the @offset. ++ * The counting starts from the beginning of the SGL to @bytes. + * + * @sk: socket of connection to user space + * @bytes: Count the number of SG entries holding given number of bytes. +- * @offset: Start the counting of SG entries from the given offset. + * Return: Number of TX SG entries found given the constraints + */ +-unsigned int af_alg_count_tsgl(struct sock *sk, size_t bytes, size_t offset) ++unsigned int af_alg_count_tsgl(struct sock *sk, size_t bytes) + { + const struct alg_sock *ask = alg_sk(sk); + const struct af_alg_ctx *ctx = ask->private; +@@ -658,25 +656,11 @@ + const struct scatterlist *sg = sgl->sg; + + for (i = 0; i < sgl->cur; i++) { +- size_t bytes_count; +- +- /* Skip offset */ +- if (offset >= sg[i].length) { +- offset -= sg[i].length; +- bytes -= sg[i].length; +- continue; +- } +- +- bytes_count = sg[i].length - offset; +- +- offset = 0; + sgl_count++; +- +- /* If we have seen requested number of bytes, stop */ +- if (bytes_count >= bytes) ++ if (sg[i].length >= bytes) + return sgl_count; + +- bytes -= bytes_count; ++ bytes -= sg[i].length; + } + } + +@@ -688,19 +672,14 @@ + * af_alg_pull_tsgl - Release the specified buffers from TX SGL + * + * If @dst is non-null, reassign the pages to @dst. The caller must release +- * the pages. If @dst_offset is given only reassign the pages to @dst starting +- * at the @dst_offset (byte). The caller must ensure that @dst is large +- * enough (e.g. by using af_alg_count_tsgl with the same offset). ++ * the pages. + * + * @sk: socket of connection to user space + * @used: Number of bytes to pull from TX SGL + * @dst: If non-NULL, buffer is reassigned to dst SGL instead of releasing. The + * caller must release the buffers in dst. +- * @dst_offset: Reassign the TX SGL from given offset. All buffers before +- * reaching the offset is released. + */ +-void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst, +- size_t dst_offset) ++void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst) + { + struct alg_sock *ask = alg_sk(sk); + struct af_alg_ctx *ctx = ask->private; +@@ -725,18 +704,10 @@ + * SG entries in dst. + */ + if (dst) { +- if (dst_offset >= plen) { +- /* discard page before offset */ +- dst_offset -= plen; +- } else { +- /* reassign page to dst after offset */ +- get_page(page); +- sg_set_page(dst + j, page, +- plen - dst_offset, +- sg[i].offset + dst_offset); +- dst_offset = 0; +- j++; +- } ++ /* reassign page to dst after offset */ ++ get_page(page); ++ sg_set_page(dst + j, page, plen, sg[i].offset); ++ j++; + } + + sg[i].length -= plen; +--- a/crypto/algif_aead.c ++++ b/crypto/algif_aead.c +@@ -96,9 +96,8 @@ + struct aead_tfm *aeadc = pask->private; + struct crypto_aead *tfm = aeadc->aead; + struct crypto_sync_skcipher *null_tfm = aeadc->null_tfm; +- unsigned int i, as = crypto_aead_authsize(tfm); ++ unsigned int as = crypto_aead_authsize(tfm); + struct af_alg_async_req *areq; +- struct af_alg_tsgl *tsgl, *tmp; + struct scatterlist *rsgl_src, *tsgl_src = NULL; + int err = 0; + size_t used = 0; /* [in] TX bufs to be en/decrypted */ +@@ -178,23 +177,24 @@ + outlen -= less; + } + ++ /* ++ * Create a per request TX SGL for this request which tracks the ++ * SG entries from the global TX SGL. ++ */ + processed = used + ctx->aead_assoclen; +- list_for_each_entry_safe(tsgl, tmp, &ctx->tsgl_list, list) { +- for (i = 0; i < tsgl->cur; i++) { +- struct scatterlist *process_sg = tsgl->sg + i; +- +- if (!(process_sg->length) || !sg_page(process_sg)) +- continue; +- tsgl_src = process_sg; +- break; +- } +- if (tsgl_src) +- break; +- } +- if (processed && !tsgl_src) { +- err = -EFAULT; ++ areq->tsgl_entries = af_alg_count_tsgl(sk, processed); ++ if (!areq->tsgl_entries) ++ areq->tsgl_entries = 1; ++ areq->tsgl = sock_kmalloc(sk, array_size(sizeof(*areq->tsgl), ++ areq->tsgl_entries), ++ GFP_KERNEL); ++ if (!areq->tsgl) { ++ err = -ENOMEM; + goto free; + } ++ sg_init_table(areq->tsgl, areq->tsgl_entries); ++ af_alg_pull_tsgl(sk, processed, areq->tsgl); ++ tsgl_src = areq->tsgl; + + /* + * Copy of AAD from source to destination +@@ -203,83 +203,18 @@ + * when user space uses an in-place cipher operation, the kernel + * will copy the data as it does not see whether such in-place operation + * is initiated. +- * +- * To ensure efficiency, the following implementation ensure that the +- * ciphers are invoked to perform a crypto operation in-place. This +- * is achieved by memory management specified as follows. + */ + +- /* Use the RX SGL as source (and destination) for crypto op. */ ++ /* Use the RX SGL as destination for crypto op. */ + rsgl_src = areq->first_rsgl.sgl.sgt.sgl; + +- if (ctx->enc) { +- /* +- * Encryption operation - The in-place cipher operation is +- * achieved by the following operation: +- * +- * TX SGL: AAD || PT +- * | | +- * | copy | +- * v v +- * RX SGL: AAD || PT || Tag +- */ +- err = crypto_aead_copy_sgl(null_tfm, tsgl_src, +- areq->first_rsgl.sgl.sgt.sgl, +- processed); +- if (err) +- goto free; +- af_alg_pull_tsgl(sk, processed, NULL, 0); +- } else { +- /* +- * Decryption operation - To achieve an in-place cipher +- * operation, the following SGL structure is used: +- * +- * TX SGL: AAD || CT || Tag +- * | | ^ +- * | copy | | Create SGL link. +- * v v | +- * RX SGL: AAD || CT ----+ +- */ +- +- /* Copy AAD || CT to RX SGL buffer for in-place operation. */ +- err = crypto_aead_copy_sgl(null_tfm, tsgl_src, +- areq->first_rsgl.sgl.sgt.sgl, +- outlen); +- if (err) +- goto free; +- +- /* Create TX SGL for tag and chain it to RX SGL. */ +- areq->tsgl_entries = af_alg_count_tsgl(sk, processed, +- processed - as); +- if (!areq->tsgl_entries) +- areq->tsgl_entries = 1; +- areq->tsgl = sock_kmalloc(sk, array_size(sizeof(*areq->tsgl), +- areq->tsgl_entries), +- GFP_KERNEL); +- if (!areq->tsgl) { +- err = -ENOMEM; +- goto free; +- } +- sg_init_table(areq->tsgl, areq->tsgl_entries); +- +- /* Release TX SGL, except for tag data and reassign tag data. */ +- af_alg_pull_tsgl(sk, processed, areq->tsgl, processed - as); +- +- /* chain the areq TX SGL holding the tag with RX SGL */ +- if (usedpages) { +- /* RX SGL present */ +- struct af_alg_sgl *sgl_prev = &areq->last_rsgl->sgl; +- struct scatterlist *sg = sgl_prev->sgt.sgl; +- +- sg_unmark_end(sg + sgl_prev->sgt.nents - 1); +- sg_chain(sg, sgl_prev->sgt.nents + 1, areq->tsgl); +- } else +- /* no RX SGL present (e.g. authentication only) */ +- rsgl_src = areq->tsgl; +- } ++ err = crypto_aead_copy_sgl(null_tfm, tsgl_src, rsgl_src, ++ ctx->aead_assoclen); ++ if (err) ++ goto free; + + /* Initialize the crypto operation */ +- aead_request_set_crypt(&areq->cra_u.aead_req, rsgl_src, ++ aead_request_set_crypt(&areq->cra_u.aead_req, tsgl_src, + areq->first_rsgl.sgl.sgt.sgl, used, ctx->iv); + aead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen); + aead_request_set_tfm(&areq->cra_u.aead_req, tfm); +@@ -514,7 +449,7 @@ + struct crypto_aead *tfm = aeadc->aead; + unsigned int ivlen = crypto_aead_ivsize(tfm); + +- af_alg_pull_tsgl(sk, ctx->used, NULL, 0); ++ af_alg_pull_tsgl(sk, ctx->used, NULL); + sock_kzfree_s(sk, ctx->iv, ivlen); + sock_kfree_s(sk, ctx, ctx->len); + af_alg_release_parent(sk); +--- a/crypto/algif_skcipher.c ++++ b/crypto/algif_skcipher.c +@@ -138,7 +138,7 @@ + * Create a per request TX SGL for this request which tracks the + * SG entries from the global TX SGL. + */ +- areq->tsgl_entries = af_alg_count_tsgl(sk, len, 0); ++ areq->tsgl_entries = af_alg_count_tsgl(sk, len); + if (!areq->tsgl_entries) + areq->tsgl_entries = 1; + areq->tsgl = sock_kmalloc(sk, array_size(sizeof(*areq->tsgl), +@@ -149,7 +149,7 @@ + goto free; + } + sg_init_table(areq->tsgl, areq->tsgl_entries); +- af_alg_pull_tsgl(sk, len, areq->tsgl, 0); ++ af_alg_pull_tsgl(sk, len, areq->tsgl); + + /* Initialize the crypto operation */ + skcipher_request_set_tfm(&areq->cra_u.skcipher_req, tfm); +@@ -363,7 +363,7 @@ + struct alg_sock *pask = alg_sk(psk); + struct crypto_skcipher *tfm = pask->private; + +- af_alg_pull_tsgl(sk, ctx->used, NULL, 0); ++ af_alg_pull_tsgl(sk, ctx->used, NULL); + sock_kzfree_s(sk, ctx->iv, crypto_skcipher_ivsize(tfm)); + if (ctx->state) + sock_kzfree_s(sk, ctx->state, crypto_skcipher_statesize(tfm)); +--- a/include/crypto/if_alg.h ++++ b/include/crypto/if_alg.h +@@ -228,9 +228,8 @@ + return PAGE_SIZE <= af_alg_rcvbuf(sk); + } + +-unsigned int af_alg_count_tsgl(struct sock *sk, size_t bytes, size_t offset); +-void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst, +- size_t dst_offset); ++unsigned int af_alg_count_tsgl(struct sock *sk, size_t bytes); ++void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst); + void af_alg_wmem_wakeup(struct sock *sk); + int af_alg_wait_for_data(struct sock *sk, unsigned flags, unsigned min); + int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size, diff --git a/SPECS/raspberrypi2.spec b/SPECS/raspberrypi2.spec index 5332e12..bd30ce6 100644 --- a/SPECS/raspberrypi2.spec +++ b/SPECS/raspberrypi2.spec @@ -11,7 +11,7 @@ ExclusiveArch: aarch64 %define local_version v8 %define bcmmodel 2711 -%define extra_version 2 +%define extra_version 3 # This originally implies Kernel 4.x for RPi 2 and is not appropriate now. # Be careful to change this not to disturb the seamless package update. @@ -51,6 +51,9 @@ Patch101: config_2712.patch Source2000: cpupower.service Source2001: cpupower.config Source2002: kvm_stat.logrotate +# AlmaLinux patches +## CVE-2026-31431 +Patch1100: 1100-crypto-algif_aead-Revert-to-operating-out-of-place.patch BuildRequires: kmod, patch, bash, coreutils, tar BuildRequires: bzip2, xz, findutils, gzip, m4, perl, perl-Carp, make, diffutils, gawk @@ -230,6 +233,7 @@ glibc package. %setup -q -n linux-stable_%{version_tag} %patch -P 100 -p1 %patch -P 101 -p1 +%patch -P 1100 -p1 perl -p -i -e "s/^EXTRAVERSION.*/EXTRAVERSION = -%{release}/" Makefile perl -p -i -e "s/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=/" arch/%{Arch}/configs/bcm2711_defconfig perl -p -i -e "s/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=/" arch/%{Arch}/configs/bcm2712_defconfig @@ -534,6 +538,9 @@ cp $(ls -1 /boot/config-kernel-*-*|sort -V|tail -1) /boot/config-kernel.inc %endif %changelog +* Thu Apr 30 2026 Koichiro Iwao - 6.12.47-20250916.v8.3 +- Apply fix for CVE-2026-31431 Copy Fail + * Mon Mar 02 2026 Koichiro Iwao - 6.12.47-20250916.v8.2 - Add a pseudo subpackage -modules-extra-matched to resolve dependency issue From cb97468e797141ecdcbefcc55fa0db8615cd17d8 Mon Sep 17 00:00:00 2001 From: Koichiro Iwao Date: Thu, 30 Apr 2026 13:35:25 +0000 Subject: [PATCH 8/9] Update CVE-2026-31431 patch to include more upstream commits (cherry picked from commit f9abe6d6e4edf7155cb367d8dee976ecfe0945b3) --- ...VE-2026-31431-crypto-Copy-Fail-fixes.patch | 952 ++++++++++++++++++ ...ead-Revert-to-operating-out-of-place.patch | 310 ------ SPECS/raspberrypi2.spec | 7 +- 3 files changed, 957 insertions(+), 312 deletions(-) create mode 100644 SOURCES/1100-CVE-2026-31431-crypto-Copy-Fail-fixes.patch delete mode 100644 SOURCES/1100-crypto-algif_aead-Revert-to-operating-out-of-place.patch diff --git a/SOURCES/1100-CVE-2026-31431-crypto-Copy-Fail-fixes.patch b/SOURCES/1100-CVE-2026-31431-crypto-Copy-Fail-fixes.patch new file mode 100644 index 0000000..656decd --- /dev/null +++ b/SOURCES/1100-CVE-2026-31431-crypto-Copy-Fail-fixes.patch @@ -0,0 +1,952 @@ +From: AlmaLinux Backport +Subject: [PATCH] CVE-2026-31431 ("Copy Fail"): crypto AEAD/algif fixes from linux-6.12.y + +Combined backport addressing CVE-2026-31431 ("Copy Fail"), reported by +Taeyang Lee <0wn@theori.io>. Pulls one prerequisite (committed 2026-01-30 +to linux-6.12.y) plus eight 2026-04-30 stable fixes: + + 161bdc90fce2 crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec + 41c3aa511e6e crypto: scatterwalk - Backport memcpy_sglist() + 183137264401 crypto: algif_aead - use memcpy_sglist() instead of null skcipher + 8b88d99341f1 crypto: algif_aead - Revert to operating out-of-place + 46fdb39e8322 crypto: algif_aead - snapshot IV for async AEAD requests + 7bc058a9b82b crypto: authenc - use memcpy_sglist() instead of null skcipher + 89fe118b6470 crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption + 129f12934401 crypto: authencesn - Fix src offset when decrypting in-place + c8369a6d62f5 crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl + +161bdc90 is the prerequisite for 89fe118b6470 to apply. + +Signed-off-by: Andrew Lukoshko +--- +--- a/crypto/af_alg.c ++++ b/crypto/af_alg.c +@@ -635,15 +635,13 @@ + /** + * af_alg_count_tsgl - Count number of TX SG entries + * +- * The counting starts from the beginning of the SGL to @bytes. If +- * an @offset is provided, the counting of the SG entries starts at the @offset. ++ * The counting starts from the beginning of the SGL to @bytes. + * + * @sk: socket of connection to user space + * @bytes: Count the number of SG entries holding given number of bytes. +- * @offset: Start the counting of SG entries from the given offset. + * Return: Number of TX SG entries found given the constraints + */ +-unsigned int af_alg_count_tsgl(struct sock *sk, size_t bytes, size_t offset) ++unsigned int af_alg_count_tsgl(struct sock *sk, size_t bytes) + { + const struct alg_sock *ask = alg_sk(sk); + const struct af_alg_ctx *ctx = ask->private; +@@ -658,25 +656,11 @@ + const struct scatterlist *sg = sgl->sg; + + for (i = 0; i < sgl->cur; i++) { +- size_t bytes_count; +- +- /* Skip offset */ +- if (offset >= sg[i].length) { +- offset -= sg[i].length; +- bytes -= sg[i].length; +- continue; +- } +- +- bytes_count = sg[i].length - offset; +- +- offset = 0; + sgl_count++; +- +- /* If we have seen requested number of bytes, stop */ +- if (bytes_count >= bytes) ++ if (sg[i].length >= bytes) + return sgl_count; + +- bytes -= bytes_count; ++ bytes -= sg[i].length; + } + } + +@@ -688,19 +672,14 @@ + * af_alg_pull_tsgl - Release the specified buffers from TX SGL + * + * If @dst is non-null, reassign the pages to @dst. The caller must release +- * the pages. If @dst_offset is given only reassign the pages to @dst starting +- * at the @dst_offset (byte). The caller must ensure that @dst is large +- * enough (e.g. by using af_alg_count_tsgl with the same offset). ++ * the pages. + * + * @sk: socket of connection to user space + * @used: Number of bytes to pull from TX SGL + * @dst: If non-NULL, buffer is reassigned to dst SGL instead of releasing. The + * caller must release the buffers in dst. +- * @dst_offset: Reassign the TX SGL from given offset. All buffers before +- * reaching the offset is released. + */ +-void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst, +- size_t dst_offset) ++void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst) + { + struct alg_sock *ask = alg_sk(sk); + struct af_alg_ctx *ctx = ask->private; +@@ -724,19 +703,11 @@ + * Assumption: caller created af_alg_count_tsgl(len) + * SG entries in dst. + */ +- if (dst) { +- if (dst_offset >= plen) { +- /* discard page before offset */ +- dst_offset -= plen; +- } else { +- /* reassign page to dst after offset */ +- get_page(page); +- sg_set_page(dst + j, page, +- plen - dst_offset, +- sg[i].offset + dst_offset); +- dst_offset = 0; +- j++; +- } ++ if (dst && plen) { ++ /* reassign page to dst */ ++ get_page(page); ++ sg_set_page(dst + j, page, plen, sg[i].offset); ++ j++; + } + + sg[i].length -= plen; +--- a/crypto/algif_aead.c ++++ b/crypto/algif_aead.c +@@ -26,8 +26,6 @@ + #include + #include + #include +-#include +-#include + #include + #include + #include +@@ -36,19 +34,13 @@ + #include + #include + +-struct aead_tfm { +- struct crypto_aead *aead; +- struct crypto_sync_skcipher *null_tfm; +-}; +- + static inline bool aead_sufficient_data(struct sock *sk) + { + struct alg_sock *ask = alg_sk(sk); + struct sock *psk = ask->parent; + struct alg_sock *pask = alg_sk(psk); + struct af_alg_ctx *ctx = ask->private; +- struct aead_tfm *aeadc = pask->private; +- struct crypto_aead *tfm = aeadc->aead; ++ struct crypto_aead *tfm = pask->private; + unsigned int as = crypto_aead_authsize(tfm); + + /* +@@ -64,27 +56,12 @@ + struct alg_sock *ask = alg_sk(sk); + struct sock *psk = ask->parent; + struct alg_sock *pask = alg_sk(psk); +- struct aead_tfm *aeadc = pask->private; +- struct crypto_aead *tfm = aeadc->aead; ++ struct crypto_aead *tfm = pask->private; + unsigned int ivsize = crypto_aead_ivsize(tfm); + + return af_alg_sendmsg(sock, msg, size, ivsize); + } + +-static int crypto_aead_copy_sgl(struct crypto_sync_skcipher *null_tfm, +- struct scatterlist *src, +- struct scatterlist *dst, unsigned int len) +-{ +- SYNC_SKCIPHER_REQUEST_ON_STACK(skreq, null_tfm); +- +- skcipher_request_set_sync_tfm(skreq, null_tfm); +- skcipher_request_set_callback(skreq, CRYPTO_TFM_REQ_MAY_SLEEP, +- NULL, NULL); +- skcipher_request_set_crypt(skreq, src, dst, len, NULL); +- +- return crypto_skcipher_encrypt(skreq); +-} +- + static int _aead_recvmsg(struct socket *sock, struct msghdr *msg, + size_t ignored, int flags) + { +@@ -93,13 +70,12 @@ + struct sock *psk = ask->parent; + struct alg_sock *pask = alg_sk(psk); + struct af_alg_ctx *ctx = ask->private; +- struct aead_tfm *aeadc = pask->private; +- struct crypto_aead *tfm = aeadc->aead; +- struct crypto_sync_skcipher *null_tfm = aeadc->null_tfm; +- unsigned int i, as = crypto_aead_authsize(tfm); ++ struct crypto_aead *tfm = pask->private; ++ unsigned int as = crypto_aead_authsize(tfm); ++ unsigned int ivsize = crypto_aead_ivsize(tfm); + struct af_alg_async_req *areq; +- struct af_alg_tsgl *tsgl, *tmp; + struct scatterlist *rsgl_src, *tsgl_src = NULL; ++ void *iv; + int err = 0; + size_t used = 0; /* [in] TX bufs to be en/decrypted */ + size_t outlen = 0; /* [out] RX bufs produced by kernel */ +@@ -151,10 +127,14 @@ + + /* Allocate cipher request for current operation. */ + areq = af_alg_alloc_areq(sk, sizeof(struct af_alg_async_req) + +- crypto_aead_reqsize(tfm)); ++ crypto_aead_reqsize(tfm) + ivsize); + if (IS_ERR(areq)) + return PTR_ERR(areq); + ++ iv = (u8 *)aead_request_ctx(&areq->cra_u.aead_req) + ++ crypto_aead_reqsize(tfm); ++ memcpy(iv, ctx->iv, ivsize); ++ + /* convert iovecs of output buffers into RX SGL */ + err = af_alg_get_rsgl(sk, msg, flags, areq, outlen, &usedpages); + if (err) +@@ -178,23 +158,24 @@ + outlen -= less; + } + ++ /* ++ * Create a per request TX SGL for this request which tracks the ++ * SG entries from the global TX SGL. ++ */ + processed = used + ctx->aead_assoclen; +- list_for_each_entry_safe(tsgl, tmp, &ctx->tsgl_list, list) { +- for (i = 0; i < tsgl->cur; i++) { +- struct scatterlist *process_sg = tsgl->sg + i; +- +- if (!(process_sg->length) || !sg_page(process_sg)) +- continue; +- tsgl_src = process_sg; +- break; +- } +- if (tsgl_src) +- break; +- } +- if (processed && !tsgl_src) { +- err = -EFAULT; ++ areq->tsgl_entries = af_alg_count_tsgl(sk, processed); ++ if (!areq->tsgl_entries) ++ areq->tsgl_entries = 1; ++ areq->tsgl = sock_kmalloc(sk, array_size(sizeof(*areq->tsgl), ++ areq->tsgl_entries), ++ GFP_KERNEL); ++ if (!areq->tsgl) { ++ err = -ENOMEM; + goto free; + } ++ sg_init_table(areq->tsgl, areq->tsgl_entries); ++ af_alg_pull_tsgl(sk, processed, areq->tsgl); ++ tsgl_src = areq->tsgl; + + /* + * Copy of AAD from source to destination +@@ -203,84 +184,16 @@ + * when user space uses an in-place cipher operation, the kernel + * will copy the data as it does not see whether such in-place operation + * is initiated. +- * +- * To ensure efficiency, the following implementation ensure that the +- * ciphers are invoked to perform a crypto operation in-place. This +- * is achieved by memory management specified as follows. + */ + + /* Use the RX SGL as source (and destination) for crypto op. */ + rsgl_src = areq->first_rsgl.sgl.sgt.sgl; + +- if (ctx->enc) { +- /* +- * Encryption operation - The in-place cipher operation is +- * achieved by the following operation: +- * +- * TX SGL: AAD || PT +- * | | +- * | copy | +- * v v +- * RX SGL: AAD || PT || Tag +- */ +- err = crypto_aead_copy_sgl(null_tfm, tsgl_src, +- areq->first_rsgl.sgl.sgt.sgl, +- processed); +- if (err) +- goto free; +- af_alg_pull_tsgl(sk, processed, NULL, 0); +- } else { +- /* +- * Decryption operation - To achieve an in-place cipher +- * operation, the following SGL structure is used: +- * +- * TX SGL: AAD || CT || Tag +- * | | ^ +- * | copy | | Create SGL link. +- * v v | +- * RX SGL: AAD || CT ----+ +- */ +- +- /* Copy AAD || CT to RX SGL buffer for in-place operation. */ +- err = crypto_aead_copy_sgl(null_tfm, tsgl_src, +- areq->first_rsgl.sgl.sgt.sgl, +- outlen); +- if (err) +- goto free; +- +- /* Create TX SGL for tag and chain it to RX SGL. */ +- areq->tsgl_entries = af_alg_count_tsgl(sk, processed, +- processed - as); +- if (!areq->tsgl_entries) +- areq->tsgl_entries = 1; +- areq->tsgl = sock_kmalloc(sk, array_size(sizeof(*areq->tsgl), +- areq->tsgl_entries), +- GFP_KERNEL); +- if (!areq->tsgl) { +- err = -ENOMEM; +- goto free; +- } +- sg_init_table(areq->tsgl, areq->tsgl_entries); +- +- /* Release TX SGL, except for tag data and reassign tag data. */ +- af_alg_pull_tsgl(sk, processed, areq->tsgl, processed - as); +- +- /* chain the areq TX SGL holding the tag with RX SGL */ +- if (usedpages) { +- /* RX SGL present */ +- struct af_alg_sgl *sgl_prev = &areq->last_rsgl->sgl; +- struct scatterlist *sg = sgl_prev->sgt.sgl; +- +- sg_unmark_end(sg + sgl_prev->sgt.nents - 1); +- sg_chain(sg, sgl_prev->sgt.nents + 1, areq->tsgl); +- } else +- /* no RX SGL present (e.g. authentication only) */ +- rsgl_src = areq->tsgl; +- } ++ memcpy_sglist(rsgl_src, tsgl_src, ctx->aead_assoclen); + + /* Initialize the crypto operation */ +- aead_request_set_crypt(&areq->cra_u.aead_req, rsgl_src, +- areq->first_rsgl.sgl.sgt.sgl, used, ctx->iv); ++ aead_request_set_crypt(&areq->cra_u.aead_req, tsgl_src, ++ areq->first_rsgl.sgl.sgt.sgl, used, iv); + aead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen); + aead_request_set_tfm(&areq->cra_u.aead_req, tfm); + +@@ -379,7 +292,7 @@ + int err = 0; + struct sock *psk; + struct alg_sock *pask; +- struct aead_tfm *tfm; ++ struct crypto_aead *tfm; + struct sock *sk = sock->sk; + struct alg_sock *ask = alg_sk(sk); + +@@ -393,7 +306,7 @@ + + err = -ENOKEY; + lock_sock_nested(psk, SINGLE_DEPTH_NESTING); +- if (crypto_aead_get_flags(tfm->aead) & CRYPTO_TFM_NEED_KEY) ++ if (crypto_aead_get_flags(tfm) & CRYPTO_TFM_NEED_KEY) + goto unlock; + + atomic_dec(&pask->nokey_refcnt); +@@ -454,54 +367,22 @@ + + static void *aead_bind(const char *name, u32 type, u32 mask) + { +- struct aead_tfm *tfm; +- struct crypto_aead *aead; +- struct crypto_sync_skcipher *null_tfm; +- +- tfm = kzalloc(sizeof(*tfm), GFP_KERNEL); +- if (!tfm) +- return ERR_PTR(-ENOMEM); +- +- aead = crypto_alloc_aead(name, type, mask); +- if (IS_ERR(aead)) { +- kfree(tfm); +- return ERR_CAST(aead); +- } +- +- null_tfm = crypto_get_default_null_skcipher(); +- if (IS_ERR(null_tfm)) { +- crypto_free_aead(aead); +- kfree(tfm); +- return ERR_CAST(null_tfm); +- } +- +- tfm->aead = aead; +- tfm->null_tfm = null_tfm; +- +- return tfm; ++ return crypto_alloc_aead(name, type, mask); + } + + static void aead_release(void *private) + { +- struct aead_tfm *tfm = private; +- +- crypto_free_aead(tfm->aead); +- crypto_put_default_null_skcipher(); +- kfree(tfm); ++ crypto_free_aead(private); + } + + static int aead_setauthsize(void *private, unsigned int authsize) + { +- struct aead_tfm *tfm = private; +- +- return crypto_aead_setauthsize(tfm->aead, authsize); ++ return crypto_aead_setauthsize(private, authsize); + } + + static int aead_setkey(void *private, const u8 *key, unsigned int keylen) + { +- struct aead_tfm *tfm = private; +- +- return crypto_aead_setkey(tfm->aead, key, keylen); ++ return crypto_aead_setkey(private, key, keylen); + } + + static void aead_sock_destruct(struct sock *sk) +@@ -510,11 +391,10 @@ + struct af_alg_ctx *ctx = ask->private; + struct sock *psk = ask->parent; + struct alg_sock *pask = alg_sk(psk); +- struct aead_tfm *aeadc = pask->private; +- struct crypto_aead *tfm = aeadc->aead; ++ struct crypto_aead *tfm = pask->private; + unsigned int ivlen = crypto_aead_ivsize(tfm); + +- af_alg_pull_tsgl(sk, ctx->used, NULL, 0); ++ af_alg_pull_tsgl(sk, ctx->used, NULL); + sock_kzfree_s(sk, ctx->iv, ivlen); + sock_kfree_s(sk, ctx, ctx->len); + af_alg_release_parent(sk); +@@ -524,10 +404,9 @@ + { + struct af_alg_ctx *ctx; + struct alg_sock *ask = alg_sk(sk); +- struct aead_tfm *tfm = private; +- struct crypto_aead *aead = tfm->aead; ++ struct crypto_aead *tfm = private; + unsigned int len = sizeof(*ctx); +- unsigned int ivlen = crypto_aead_ivsize(aead); ++ unsigned int ivlen = crypto_aead_ivsize(tfm); + + ctx = sock_kmalloc(sk, len, GFP_KERNEL); + if (!ctx) +@@ -554,9 +433,9 @@ + + static int aead_accept_parent(void *private, struct sock *sk) + { +- struct aead_tfm *tfm = private; ++ struct crypto_aead *tfm = private; + +- if (crypto_aead_get_flags(tfm->aead) & CRYPTO_TFM_NEED_KEY) ++ if (crypto_aead_get_flags(tfm) & CRYPTO_TFM_NEED_KEY) + return -ENOKEY; + + return aead_accept_parent_nokey(private, sk); +--- a/crypto/algif_skcipher.c ++++ b/crypto/algif_skcipher.c +@@ -138,7 +138,7 @@ + * Create a per request TX SGL for this request which tracks the + * SG entries from the global TX SGL. + */ +- areq->tsgl_entries = af_alg_count_tsgl(sk, len, 0); ++ areq->tsgl_entries = af_alg_count_tsgl(sk, len); + if (!areq->tsgl_entries) + areq->tsgl_entries = 1; + areq->tsgl = sock_kmalloc(sk, array_size(sizeof(*areq->tsgl), +@@ -149,7 +149,7 @@ + goto free; + } + sg_init_table(areq->tsgl, areq->tsgl_entries); +- af_alg_pull_tsgl(sk, len, areq->tsgl, 0); ++ af_alg_pull_tsgl(sk, len, areq->tsgl); + + /* Initialize the crypto operation */ + skcipher_request_set_tfm(&areq->cra_u.skcipher_req, tfm); +@@ -363,7 +363,7 @@ + struct alg_sock *pask = alg_sk(psk); + struct crypto_skcipher *tfm = pask->private; + +- af_alg_pull_tsgl(sk, ctx->used, NULL, 0); ++ af_alg_pull_tsgl(sk, ctx->used, NULL); + sock_kzfree_s(sk, ctx->iv, crypto_skcipher_ivsize(tfm)); + if (ctx->state) + sock_kzfree_s(sk, ctx->state, crypto_skcipher_statesize(tfm)); +--- a/crypto/authenc.c ++++ b/crypto/authenc.c +@@ -9,7 +9,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -28,7 +27,6 @@ + struct crypto_authenc_ctx { + struct crypto_ahash *auth; + struct crypto_skcipher *enc; +- struct crypto_sync_skcipher *null; + }; + + struct authenc_request_ctx { +@@ -170,21 +168,6 @@ + authenc_request_complete(areq, err); + } + +-static int crypto_authenc_copy_assoc(struct aead_request *req) +-{ +- struct crypto_aead *authenc = crypto_aead_reqtfm(req); +- struct crypto_authenc_ctx *ctx = crypto_aead_ctx(authenc); +- SYNC_SKCIPHER_REQUEST_ON_STACK(skreq, ctx->null); +- +- skcipher_request_set_sync_tfm(skreq, ctx->null); +- skcipher_request_set_callback(skreq, aead_request_flags(req), +- NULL, NULL); +- skcipher_request_set_crypt(skreq, req->src, req->dst, req->assoclen, +- NULL); +- +- return crypto_skcipher_encrypt(skreq); +-} +- + static int crypto_authenc_encrypt(struct aead_request *req) + { + struct crypto_aead *authenc = crypto_aead_reqtfm(req); +@@ -203,10 +186,7 @@ + dst = src; + + if (req->src != req->dst) { +- err = crypto_authenc_copy_assoc(req); +- if (err) +- return err; +- ++ memcpy_sglist(req->dst, req->src, req->assoclen); + dst = scatterwalk_ffwd(areq_ctx->dst, req->dst, req->assoclen); + } + +@@ -303,7 +283,6 @@ + struct crypto_authenc_ctx *ctx = crypto_aead_ctx(tfm); + struct crypto_ahash *auth; + struct crypto_skcipher *enc; +- struct crypto_sync_skcipher *null; + int err; + + auth = crypto_spawn_ahash(&ictx->auth); +@@ -315,14 +294,8 @@ + if (IS_ERR(enc)) + goto err_free_ahash; + +- null = crypto_get_default_null_skcipher(); +- err = PTR_ERR(null); +- if (IS_ERR(null)) +- goto err_free_skcipher; +- + ctx->auth = auth; + ctx->enc = enc; +- ctx->null = null; + + crypto_aead_set_reqsize( + tfm, +@@ -336,8 +309,6 @@ + + return 0; + +-err_free_skcipher: +- crypto_free_skcipher(enc); + err_free_ahash: + crypto_free_ahash(auth); + return err; +@@ -349,7 +320,6 @@ + + crypto_free_ahash(ctx->auth); + crypto_free_skcipher(ctx->enc); +- crypto_put_default_null_skcipher(); + } + + static void crypto_authenc_free(struct aead_instance *inst) +--- a/crypto/authencesn.c ++++ b/crypto/authencesn.c +@@ -12,7 +12,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -31,7 +30,6 @@ + unsigned int reqoff; + struct crypto_ahash *auth; + struct crypto_skcipher *enc; +- struct crypto_sync_skcipher *null; + }; + + struct authenc_esn_request_ctx { +@@ -158,20 +156,6 @@ + authenc_esn_request_complete(areq, err); + } + +-static int crypto_authenc_esn_copy(struct aead_request *req, unsigned int len) +-{ +- struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req); +- struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn); +- SYNC_SKCIPHER_REQUEST_ON_STACK(skreq, ctx->null); +- +- skcipher_request_set_sync_tfm(skreq, ctx->null); +- skcipher_request_set_callback(skreq, aead_request_flags(req), +- NULL, NULL); +- skcipher_request_set_crypt(skreq, req->src, req->dst, len, NULL); +- +- return crypto_skcipher_encrypt(skreq); +-} +- + static int crypto_authenc_esn_encrypt(struct aead_request *req) + { + struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req); +@@ -185,15 +169,15 @@ + struct scatterlist *src, *dst; + int err; + ++ if (assoclen < 8) ++ return -EINVAL; ++ + sg_init_table(areq_ctx->src, 2); + src = scatterwalk_ffwd(areq_ctx->src, req->src, assoclen); + dst = src; + + if (req->src != req->dst) { +- err = crypto_authenc_esn_copy(req, assoclen); +- if (err) +- return err; +- ++ memcpy_sglist(req->dst, req->src, assoclen); + sg_init_table(areq_ctx->dst, 2); + dst = scatterwalk_ffwd(areq_ctx->dst, req->dst, assoclen); + } +@@ -223,6 +207,7 @@ + u8 *ohash = areq_ctx->tail; + unsigned int cryptlen = req->cryptlen - authsize; + unsigned int assoclen = req->assoclen; ++ struct scatterlist *src = req->src; + struct scatterlist *dst = req->dst; + u8 *ihash = ohash + crypto_ahash_digestsize(auth); + u32 tmp[2]; +@@ -230,23 +215,29 @@ + if (!authsize) + goto decrypt; + +- /* Move high-order bits of sequence number back. */ +- scatterwalk_map_and_copy(tmp, dst, 4, 4, 0); +- scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 0); +- scatterwalk_map_and_copy(tmp, dst, 0, 8, 1); ++ if (src == dst) { ++ /* Move high-order bits of sequence number back. */ ++ scatterwalk_map_and_copy(tmp, dst, 4, 4, 0); ++ scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 0); ++ scatterwalk_map_and_copy(tmp, dst, 0, 8, 1); ++ } else ++ memcpy_sglist(dst, src, assoclen); + + if (crypto_memneq(ihash, ohash, authsize)) + return -EBADMSG; + + decrypt: + +- sg_init_table(areq_ctx->dst, 2); + dst = scatterwalk_ffwd(areq_ctx->dst, dst, assoclen); ++ if (req->src == req->dst) ++ src = dst; ++ else ++ src = scatterwalk_ffwd(areq_ctx->src, src, assoclen); + + skcipher_request_set_tfm(skreq, ctx->enc); + skcipher_request_set_callback(skreq, flags, + req->base.complete, req->base.data); +- skcipher_request_set_crypt(skreq, dst, dst, cryptlen, req->iv); ++ skcipher_request_set_crypt(skreq, src, dst, cryptlen, req->iv); + + return crypto_skcipher_decrypt(skreq); + } +@@ -271,31 +262,36 @@ + unsigned int assoclen = req->assoclen; + unsigned int cryptlen = req->cryptlen; + u8 *ihash = ohash + crypto_ahash_digestsize(auth); ++ struct scatterlist *src = req->src; + struct scatterlist *dst = req->dst; + u32 tmp[2]; + int err; + +- cryptlen -= authsize; ++ if (assoclen < 8) ++ return -EINVAL; + +- if (req->src != dst) { +- err = crypto_authenc_esn_copy(req, assoclen + cryptlen); +- if (err) +- return err; +- } ++ if (!authsize) ++ goto tail; + ++ cryptlen -= authsize; + scatterwalk_map_and_copy(ihash, req->src, assoclen + cryptlen, + authsize, 0); + +- if (!authsize) +- goto tail; +- + /* Move high-order bits of sequence number to the end. */ +- scatterwalk_map_and_copy(tmp, dst, 0, 8, 0); +- scatterwalk_map_and_copy(tmp, dst, 4, 4, 1); +- scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 1); +- +- sg_init_table(areq_ctx->dst, 2); +- dst = scatterwalk_ffwd(areq_ctx->dst, dst, 4); ++ scatterwalk_map_and_copy(tmp, src, 0, 8, 0); ++ if (src == dst) { ++ scatterwalk_map_and_copy(tmp, dst, 4, 4, 1); ++ scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 1); ++ dst = scatterwalk_ffwd(areq_ctx->dst, dst, 4); ++ } else { ++ scatterwalk_map_and_copy(tmp, dst, 0, 4, 1); ++ scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen - 4, 4, 1); ++ ++ src = scatterwalk_ffwd(areq_ctx->src, src, 8); ++ dst = scatterwalk_ffwd(areq_ctx->dst, dst, 4); ++ memcpy_sglist(dst, src, assoclen + cryptlen - 8); ++ dst = req->dst; ++ } + + ahash_request_set_tfm(ahreq, auth); + ahash_request_set_crypt(ahreq, dst, ohash, assoclen + cryptlen); +@@ -317,7 +313,6 @@ + struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(tfm); + struct crypto_ahash *auth; + struct crypto_skcipher *enc; +- struct crypto_sync_skcipher *null; + int err; + + auth = crypto_spawn_ahash(&ictx->auth); +@@ -329,14 +324,8 @@ + if (IS_ERR(enc)) + goto err_free_ahash; + +- null = crypto_get_default_null_skcipher(); +- err = PTR_ERR(null); +- if (IS_ERR(null)) +- goto err_free_skcipher; +- + ctx->auth = auth; + ctx->enc = enc; +- ctx->null = null; + + ctx->reqoff = 2 * crypto_ahash_digestsize(auth); + +@@ -352,8 +341,6 @@ + + return 0; + +-err_free_skcipher: +- crypto_free_skcipher(enc); + err_free_ahash: + crypto_free_ahash(auth); + return err; +@@ -365,7 +352,6 @@ + + crypto_free_ahash(ctx->auth); + crypto_free_skcipher(ctx->enc); +- crypto_put_default_null_skcipher(); + } + + static void crypto_authenc_esn_free(struct aead_instance *inst) +--- a/crypto/scatterwalk.c ++++ b/crypto/scatterwalk.c +@@ -69,6 +69,100 @@ + } + EXPORT_SYMBOL_GPL(scatterwalk_map_and_copy); + ++/** ++ * memcpy_sglist() - Copy data from one scatterlist to another ++ * @dst: The destination scatterlist. Can be NULL if @nbytes == 0. ++ * @src: The source scatterlist. Can be NULL if @nbytes == 0. ++ * @nbytes: Number of bytes to copy ++ * ++ * The scatterlists can describe exactly the same memory, in which case this ++ * function is a no-op. No other overlaps are supported. ++ * ++ * Context: Any context ++ */ ++void memcpy_sglist(struct scatterlist *dst, struct scatterlist *src, ++ unsigned int nbytes) ++{ ++ unsigned int src_offset, dst_offset; ++ ++ if (unlikely(nbytes == 0)) /* in case src and/or dst is NULL */ ++ return; ++ ++ src_offset = src->offset; ++ dst_offset = dst->offset; ++ for (;;) { ++ /* Compute the length to copy this step. */ ++ unsigned int len = min3(src->offset + src->length - src_offset, ++ dst->offset + dst->length - dst_offset, ++ nbytes); ++ struct page *src_page = sg_page(src); ++ struct page *dst_page = sg_page(dst); ++ const void *src_virt; ++ void *dst_virt; ++ ++ if (IS_ENABLED(CONFIG_HIGHMEM)) { ++ /* HIGHMEM: we may have to actually map the pages. */ ++ const unsigned int src_oip = offset_in_page(src_offset); ++ const unsigned int dst_oip = offset_in_page(dst_offset); ++ const unsigned int limit = PAGE_SIZE; ++ ++ /* Further limit len to not cross a page boundary. */ ++ len = min3(len, limit - src_oip, limit - dst_oip); ++ ++ /* Compute the source and destination pages. */ ++ src_page += src_offset / PAGE_SIZE; ++ dst_page += dst_offset / PAGE_SIZE; ++ ++ if (src_page != dst_page) { ++ /* Copy between different pages. */ ++ memcpy_page(dst_page, dst_oip, ++ src_page, src_oip, len); ++ flush_dcache_page(dst_page); ++ } else if (src_oip != dst_oip) { ++ /* Copy between different parts of same page. */ ++ dst_virt = kmap_local_page(dst_page); ++ memcpy(dst_virt + dst_oip, dst_virt + src_oip, ++ len); ++ kunmap_local(dst_virt); ++ flush_dcache_page(dst_page); ++ } /* Else, it's the same memory. No action needed. */ ++ } else { ++ /* ++ * !HIGHMEM: no mapping needed. Just work in the linear ++ * buffer of each sg entry. Note that we can cross page ++ * boundaries, as they are not significant in this case. ++ */ ++ src_virt = page_address(src_page) + src_offset; ++ dst_virt = page_address(dst_page) + dst_offset; ++ if (src_virt != dst_virt) { ++ memcpy(dst_virt, src_virt, len); ++ if (ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE) ++ __scatterwalk_flush_dcache_pages( ++ dst_page, dst_offset, len); ++ } /* Else, it's the same memory. No action needed. */ ++ } ++ nbytes -= len; ++ if (nbytes == 0) /* No more to copy? */ ++ break; ++ ++ /* ++ * There's more to copy. Advance the offsets by the length ++ * copied this step, and advance the sg entries as needed. ++ */ ++ src_offset += len; ++ if (src_offset >= src->offset + src->length) { ++ src = sg_next(src); ++ src_offset = src->offset; ++ } ++ dst_offset += len; ++ if (dst_offset >= dst->offset + dst->length) { ++ dst = sg_next(dst); ++ dst_offset = dst->offset; ++ } ++ } ++} ++EXPORT_SYMBOL_GPL(memcpy_sglist); ++ + struct scatterlist *scatterwalk_ffwd(struct scatterlist dst[2], + struct scatterlist *src, + unsigned int len) +--- a/crypto/Kconfig ++++ b/crypto/Kconfig +@@ -222,7 +222,6 @@ + select CRYPTO_SKCIPHER + select CRYPTO_MANAGER + select CRYPTO_HASH +- select CRYPTO_NULL + help + Authenc: Combined mode wrapper for IPsec. + +@@ -1421,7 +1420,6 @@ + depends on NET + select CRYPTO_AEAD + select CRYPTO_SKCIPHER +- select CRYPTO_NULL + select CRYPTO_USER_API + help + Enable the userspace interface for AEAD cipher algorithms. +--- a/include/crypto/if_alg.h ++++ b/include/crypto/if_alg.h +@@ -228,9 +228,8 @@ + return PAGE_SIZE <= af_alg_rcvbuf(sk); + } + +-unsigned int af_alg_count_tsgl(struct sock *sk, size_t bytes, size_t offset); +-void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst, +- size_t dst_offset); ++unsigned int af_alg_count_tsgl(struct sock *sk, size_t bytes); ++void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst); + void af_alg_wmem_wakeup(struct sock *sk); + int af_alg_wait_for_data(struct sock *sk, unsigned flags, unsigned min); + int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size, +--- a/include/crypto/scatterwalk.h ++++ b/include/crypto/scatterwalk.h +@@ -83,6 +83,34 @@ + scatterwalk_start(walk, sg_next(walk->sg)); + } + ++/* ++ * Flush the dcache of any pages that overlap the region ++ * [offset, offset + nbytes) relative to base_page. ++ * ++ * This should be called only when ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE, to ensure ++ * that all relevant code (including the call to sg_page() in the caller, if ++ * applicable) gets fully optimized out when !ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE. ++ */ ++static inline void __scatterwalk_flush_dcache_pages(struct page *base_page, ++ unsigned int offset, ++ unsigned int nbytes) ++{ ++ unsigned int num_pages; ++ ++ base_page += offset / PAGE_SIZE; ++ offset %= PAGE_SIZE; ++ ++ /* ++ * This is an overflow-safe version of ++ * num_pages = DIV_ROUND_UP(offset + nbytes, PAGE_SIZE). ++ */ ++ num_pages = nbytes / PAGE_SIZE; ++ num_pages += DIV_ROUND_UP(offset + (nbytes % PAGE_SIZE), PAGE_SIZE); ++ ++ for (unsigned int i = 0; i < num_pages; i++) ++ flush_dcache_page(base_page + i); ++} ++ + static inline void scatterwalk_done(struct scatter_walk *walk, int out, + int more) + { +@@ -94,6 +122,9 @@ + void scatterwalk_copychunks(void *buf, struct scatter_walk *walk, + size_t nbytes, int out); + ++void memcpy_sglist(struct scatterlist *dst, struct scatterlist *src, ++ unsigned int nbytes); ++ + void scatterwalk_map_and_copy(void *buf, struct scatterlist *sg, + unsigned int start, unsigned int nbytes, int out); + diff --git a/SOURCES/1100-crypto-algif_aead-Revert-to-operating-out-of-place.patch b/SOURCES/1100-crypto-algif_aead-Revert-to-operating-out-of-place.patch deleted file mode 100644 index b50d4be..0000000 --- a/SOURCES/1100-crypto-algif_aead-Revert-to-operating-out-of-place.patch +++ /dev/null @@ -1,310 +0,0 @@ -From a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5 Mon Sep 17 00:00:00 2001 -From: Herbert Xu -Date: Thu, 26 Mar 2026 15:30:20 +0900 -Subject: [PATCH] crypto: algif_aead - Revert to operating out-of-place - -This mostly reverts commit 72548b093ee3 except for the copying of -the associated data. - -There is no benefit in operating in-place in algif_aead since the -source and destination come from different mappings. Get rid of -all the complexity added for in-place operation and just copy the -AD directly. - -Backported to kernel-6.12.0-124.52.1.el10_1: this tree pre-dates upstream's -memcpy_sglist() helper, so the AAD copy keeps using -crypto_aead_copy_sgl(null_tfm, ...). The function signatures of -af_alg_count_tsgl() and af_alg_pull_tsgl() are reverted to drop the -offset parameters as in upstream. - -Fixes: 72548b093ee3 ("crypto: algif_aead - copy AAD from src to dst") -Reported-by: Taeyang Lee <0wn@theori.io> -Signed-off-by: Herbert Xu ---- ---- a/crypto/af_alg.c -+++ b/crypto/af_alg.c -@@ -635,15 +635,13 @@ - /** - * af_alg_count_tsgl - Count number of TX SG entries - * -- * The counting starts from the beginning of the SGL to @bytes. If -- * an @offset is provided, the counting of the SG entries starts at the @offset. -+ * The counting starts from the beginning of the SGL to @bytes. - * - * @sk: socket of connection to user space - * @bytes: Count the number of SG entries holding given number of bytes. -- * @offset: Start the counting of SG entries from the given offset. - * Return: Number of TX SG entries found given the constraints - */ --unsigned int af_alg_count_tsgl(struct sock *sk, size_t bytes, size_t offset) -+unsigned int af_alg_count_tsgl(struct sock *sk, size_t bytes) - { - const struct alg_sock *ask = alg_sk(sk); - const struct af_alg_ctx *ctx = ask->private; -@@ -658,25 +656,11 @@ - const struct scatterlist *sg = sgl->sg; - - for (i = 0; i < sgl->cur; i++) { -- size_t bytes_count; -- -- /* Skip offset */ -- if (offset >= sg[i].length) { -- offset -= sg[i].length; -- bytes -= sg[i].length; -- continue; -- } -- -- bytes_count = sg[i].length - offset; -- -- offset = 0; - sgl_count++; -- -- /* If we have seen requested number of bytes, stop */ -- if (bytes_count >= bytes) -+ if (sg[i].length >= bytes) - return sgl_count; - -- bytes -= bytes_count; -+ bytes -= sg[i].length; - } - } - -@@ -688,19 +672,14 @@ - * af_alg_pull_tsgl - Release the specified buffers from TX SGL - * - * If @dst is non-null, reassign the pages to @dst. The caller must release -- * the pages. If @dst_offset is given only reassign the pages to @dst starting -- * at the @dst_offset (byte). The caller must ensure that @dst is large -- * enough (e.g. by using af_alg_count_tsgl with the same offset). -+ * the pages. - * - * @sk: socket of connection to user space - * @used: Number of bytes to pull from TX SGL - * @dst: If non-NULL, buffer is reassigned to dst SGL instead of releasing. The - * caller must release the buffers in dst. -- * @dst_offset: Reassign the TX SGL from given offset. All buffers before -- * reaching the offset is released. - */ --void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst, -- size_t dst_offset) -+void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst) - { - struct alg_sock *ask = alg_sk(sk); - struct af_alg_ctx *ctx = ask->private; -@@ -725,18 +704,10 @@ - * SG entries in dst. - */ - if (dst) { -- if (dst_offset >= plen) { -- /* discard page before offset */ -- dst_offset -= plen; -- } else { -- /* reassign page to dst after offset */ -- get_page(page); -- sg_set_page(dst + j, page, -- plen - dst_offset, -- sg[i].offset + dst_offset); -- dst_offset = 0; -- j++; -- } -+ /* reassign page to dst after offset */ -+ get_page(page); -+ sg_set_page(dst + j, page, plen, sg[i].offset); -+ j++; - } - - sg[i].length -= plen; ---- a/crypto/algif_aead.c -+++ b/crypto/algif_aead.c -@@ -96,9 +96,8 @@ - struct aead_tfm *aeadc = pask->private; - struct crypto_aead *tfm = aeadc->aead; - struct crypto_sync_skcipher *null_tfm = aeadc->null_tfm; -- unsigned int i, as = crypto_aead_authsize(tfm); -+ unsigned int as = crypto_aead_authsize(tfm); - struct af_alg_async_req *areq; -- struct af_alg_tsgl *tsgl, *tmp; - struct scatterlist *rsgl_src, *tsgl_src = NULL; - int err = 0; - size_t used = 0; /* [in] TX bufs to be en/decrypted */ -@@ -178,23 +177,24 @@ - outlen -= less; - } - -+ /* -+ * Create a per request TX SGL for this request which tracks the -+ * SG entries from the global TX SGL. -+ */ - processed = used + ctx->aead_assoclen; -- list_for_each_entry_safe(tsgl, tmp, &ctx->tsgl_list, list) { -- for (i = 0; i < tsgl->cur; i++) { -- struct scatterlist *process_sg = tsgl->sg + i; -- -- if (!(process_sg->length) || !sg_page(process_sg)) -- continue; -- tsgl_src = process_sg; -- break; -- } -- if (tsgl_src) -- break; -- } -- if (processed && !tsgl_src) { -- err = -EFAULT; -+ areq->tsgl_entries = af_alg_count_tsgl(sk, processed); -+ if (!areq->tsgl_entries) -+ areq->tsgl_entries = 1; -+ areq->tsgl = sock_kmalloc(sk, array_size(sizeof(*areq->tsgl), -+ areq->tsgl_entries), -+ GFP_KERNEL); -+ if (!areq->tsgl) { -+ err = -ENOMEM; - goto free; - } -+ sg_init_table(areq->tsgl, areq->tsgl_entries); -+ af_alg_pull_tsgl(sk, processed, areq->tsgl); -+ tsgl_src = areq->tsgl; - - /* - * Copy of AAD from source to destination -@@ -203,83 +203,18 @@ - * when user space uses an in-place cipher operation, the kernel - * will copy the data as it does not see whether such in-place operation - * is initiated. -- * -- * To ensure efficiency, the following implementation ensure that the -- * ciphers are invoked to perform a crypto operation in-place. This -- * is achieved by memory management specified as follows. - */ - -- /* Use the RX SGL as source (and destination) for crypto op. */ -+ /* Use the RX SGL as destination for crypto op. */ - rsgl_src = areq->first_rsgl.sgl.sgt.sgl; - -- if (ctx->enc) { -- /* -- * Encryption operation - The in-place cipher operation is -- * achieved by the following operation: -- * -- * TX SGL: AAD || PT -- * | | -- * | copy | -- * v v -- * RX SGL: AAD || PT || Tag -- */ -- err = crypto_aead_copy_sgl(null_tfm, tsgl_src, -- areq->first_rsgl.sgl.sgt.sgl, -- processed); -- if (err) -- goto free; -- af_alg_pull_tsgl(sk, processed, NULL, 0); -- } else { -- /* -- * Decryption operation - To achieve an in-place cipher -- * operation, the following SGL structure is used: -- * -- * TX SGL: AAD || CT || Tag -- * | | ^ -- * | copy | | Create SGL link. -- * v v | -- * RX SGL: AAD || CT ----+ -- */ -- -- /* Copy AAD || CT to RX SGL buffer for in-place operation. */ -- err = crypto_aead_copy_sgl(null_tfm, tsgl_src, -- areq->first_rsgl.sgl.sgt.sgl, -- outlen); -- if (err) -- goto free; -- -- /* Create TX SGL for tag and chain it to RX SGL. */ -- areq->tsgl_entries = af_alg_count_tsgl(sk, processed, -- processed - as); -- if (!areq->tsgl_entries) -- areq->tsgl_entries = 1; -- areq->tsgl = sock_kmalloc(sk, array_size(sizeof(*areq->tsgl), -- areq->tsgl_entries), -- GFP_KERNEL); -- if (!areq->tsgl) { -- err = -ENOMEM; -- goto free; -- } -- sg_init_table(areq->tsgl, areq->tsgl_entries); -- -- /* Release TX SGL, except for tag data and reassign tag data. */ -- af_alg_pull_tsgl(sk, processed, areq->tsgl, processed - as); -- -- /* chain the areq TX SGL holding the tag with RX SGL */ -- if (usedpages) { -- /* RX SGL present */ -- struct af_alg_sgl *sgl_prev = &areq->last_rsgl->sgl; -- struct scatterlist *sg = sgl_prev->sgt.sgl; -- -- sg_unmark_end(sg + sgl_prev->sgt.nents - 1); -- sg_chain(sg, sgl_prev->sgt.nents + 1, areq->tsgl); -- } else -- /* no RX SGL present (e.g. authentication only) */ -- rsgl_src = areq->tsgl; -- } -+ err = crypto_aead_copy_sgl(null_tfm, tsgl_src, rsgl_src, -+ ctx->aead_assoclen); -+ if (err) -+ goto free; - - /* Initialize the crypto operation */ -- aead_request_set_crypt(&areq->cra_u.aead_req, rsgl_src, -+ aead_request_set_crypt(&areq->cra_u.aead_req, tsgl_src, - areq->first_rsgl.sgl.sgt.sgl, used, ctx->iv); - aead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen); - aead_request_set_tfm(&areq->cra_u.aead_req, tfm); -@@ -514,7 +449,7 @@ - struct crypto_aead *tfm = aeadc->aead; - unsigned int ivlen = crypto_aead_ivsize(tfm); - -- af_alg_pull_tsgl(sk, ctx->used, NULL, 0); -+ af_alg_pull_tsgl(sk, ctx->used, NULL); - sock_kzfree_s(sk, ctx->iv, ivlen); - sock_kfree_s(sk, ctx, ctx->len); - af_alg_release_parent(sk); ---- a/crypto/algif_skcipher.c -+++ b/crypto/algif_skcipher.c -@@ -138,7 +138,7 @@ - * Create a per request TX SGL for this request which tracks the - * SG entries from the global TX SGL. - */ -- areq->tsgl_entries = af_alg_count_tsgl(sk, len, 0); -+ areq->tsgl_entries = af_alg_count_tsgl(sk, len); - if (!areq->tsgl_entries) - areq->tsgl_entries = 1; - areq->tsgl = sock_kmalloc(sk, array_size(sizeof(*areq->tsgl), -@@ -149,7 +149,7 @@ - goto free; - } - sg_init_table(areq->tsgl, areq->tsgl_entries); -- af_alg_pull_tsgl(sk, len, areq->tsgl, 0); -+ af_alg_pull_tsgl(sk, len, areq->tsgl); - - /* Initialize the crypto operation */ - skcipher_request_set_tfm(&areq->cra_u.skcipher_req, tfm); -@@ -363,7 +363,7 @@ - struct alg_sock *pask = alg_sk(psk); - struct crypto_skcipher *tfm = pask->private; - -- af_alg_pull_tsgl(sk, ctx->used, NULL, 0); -+ af_alg_pull_tsgl(sk, ctx->used, NULL); - sock_kzfree_s(sk, ctx->iv, crypto_skcipher_ivsize(tfm)); - if (ctx->state) - sock_kzfree_s(sk, ctx->state, crypto_skcipher_statesize(tfm)); ---- a/include/crypto/if_alg.h -+++ b/include/crypto/if_alg.h -@@ -228,9 +228,8 @@ - return PAGE_SIZE <= af_alg_rcvbuf(sk); - } - --unsigned int af_alg_count_tsgl(struct sock *sk, size_t bytes, size_t offset); --void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst, -- size_t dst_offset); -+unsigned int af_alg_count_tsgl(struct sock *sk, size_t bytes); -+void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst); - void af_alg_wmem_wakeup(struct sock *sk); - int af_alg_wait_for_data(struct sock *sk, unsigned flags, unsigned min); - int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size, diff --git a/SPECS/raspberrypi2.spec b/SPECS/raspberrypi2.spec index bd30ce6..2acf450 100644 --- a/SPECS/raspberrypi2.spec +++ b/SPECS/raspberrypi2.spec @@ -11,7 +11,7 @@ ExclusiveArch: aarch64 %define local_version v8 %define bcmmodel 2711 -%define extra_version 3 +%define extra_version 4 # This originally implies Kernel 4.x for RPi 2 and is not appropriate now. # Be careful to change this not to disturb the seamless package update. @@ -53,7 +53,7 @@ Source2001: cpupower.config Source2002: kvm_stat.logrotate # AlmaLinux patches ## CVE-2026-31431 -Patch1100: 1100-crypto-algif_aead-Revert-to-operating-out-of-place.patch +Patch1100: 1100-CVE-2026-31431-crypto-Copy-Fail-fixes.patch BuildRequires: kmod, patch, bash, coreutils, tar BuildRequires: bzip2, xz, findutils, gzip, m4, perl, perl-Carp, make, diffutils, gawk @@ -538,6 +538,9 @@ cp $(ls -1 /boot/config-kernel-*-*|sort -V|tail -1) /boot/config-kernel.inc %endif %changelog +* Thu Apr 30 2026 Koichiro Iwao - 6.12.47-20250916.v8.4 +- Update CVE-2026-31431 patch to include more upstream commits + * Thu Apr 30 2026 Koichiro Iwao - 6.12.47-20250916.v8.3 - Apply fix for CVE-2026-31431 Copy Fail From 786bdc4d7962b6b8779a21bb28890fd023f91d05 Mon Sep 17 00:00:00 2001 From: Koichiro Iwao Date: Fri, 8 May 2026 08:35:16 +0000 Subject: [PATCH 9/9] Apply Dirty Frag fixes (cherry picked from commit ea0ac154cff027ef3fa87729f5131cddf2fcb236) --- ...id-in-place-decrypt-shared-skb-frags.patch | 77 +++++++++++++++++++ .../1102-rxrpc-linearize-paged-frags.patch | 68 ++++++++++++++++ SPECS/raspberrypi2.spec | 11 ++- 3 files changed, 155 insertions(+), 1 deletion(-) create mode 100644 SOURCES/1101-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch create mode 100644 SOURCES/1102-rxrpc-linearize-paged-frags.patch diff --git a/SOURCES/1101-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch b/SOURCES/1101-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch new file mode 100644 index 0000000..0fe6a56 --- /dev/null +++ b/SOURCES/1101-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch @@ -0,0 +1,77 @@ +From: Andrew Lukoshko +Subject: [PATCH AlmaLinux 10] xfrm: esp: avoid in-place decrypt on shared skb frags + +Direct cherry-pick of upstream commit f4c50a4034e6 for AlmaLinux 10 +(6.12 kernel). + +Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no rejects) +against kernel-6.12.0-124.55.1.el10_1. + +ESP-in-UDP packets built from MSG_SPLICE_PAGES (pipe pages) look like +ordinary uncloned nonlinear skbs to ESP input, which takes the no-COW +fast path and decrypts in place over data that is not owned privately +by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG +matching TCP, and make ESP input fall back to skb_cow_data() when the +flag is present. + +Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible") +Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible") +Fixes: 7da0dde68486 ("ip, udp: Support MSG_SPLICE_PAGES") +Fixes: 6d8192bd69bb ("ip6, udp6: Support MSG_SPLICE_PAGES") +(cherry picked from commit f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4) +Signed-off-by: Andrew Lukoshko +--- + net/ipv4/esp4.c | 3 ++- + net/ipv4/ip_output.c | 2 ++ + net/ipv6/esp6.c | 3 ++- + net/ipv6/ip6_output.c | 2 ++ + 4 files changed, 8 insertions(+), 2 deletions(-) + +--- a/net/ipv4/esp4.c ++++ b/net/ipv4/esp4.c +@@ -908,7 +908,8 @@ + nfrags = 1; + + goto skip_cow; +- } else if (!skb_has_frag_list(skb)) { ++ } else if (!skb_has_frag_list(skb) && ++ !skb_has_shared_frag(skb)) { + nfrags = skb_shinfo(skb)->nr_frags; + nfrags++; + +--- a/net/ipv4/ip_output.c ++++ b/net/ipv4/ip_output.c +@@ -1236,6 +1236,8 @@ + if (err < 0) + goto error; + copy = err; ++ if (!(flags & MSG_NO_SHARED_FRAGS)) ++ skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG; + wmem_alloc_delta += copy; + } else if (!zc) { + int i = skb_shinfo(skb)->nr_frags; +--- a/net/ipv6/esp6.c ++++ b/net/ipv6/esp6.c +@@ -950,7 +950,8 @@ + nfrags = 1; + + goto skip_cow; +- } else if (!skb_has_frag_list(skb)) { ++ } else if (!skb_has_frag_list(skb) && ++ !skb_has_shared_frag(skb)) { + nfrags = skb_shinfo(skb)->nr_frags; + nfrags++; + +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -1769,6 +1769,8 @@ + if (err < 0) + goto error; + copy = err; ++ if (!(flags & MSG_NO_SHARED_FRAGS)) ++ skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG; + wmem_alloc_delta += copy; + } else if (!zc) { + int i = skb_shinfo(skb)->nr_frags; +-- +2.43.0 diff --git a/SOURCES/1102-rxrpc-linearize-paged-frags.patch b/SOURCES/1102-rxrpc-linearize-paged-frags.patch new file mode 100644 index 0000000..c57902b --- /dev/null +++ b/SOURCES/1102-rxrpc-linearize-paged-frags.patch @@ -0,0 +1,68 @@ +From: Andrew Lukoshko +Subject: [PATCH AlmaLinux 10] rxrpc: linearize incoming DATA packet when it has paged frags + +AlmaLinux-specific backport of the intent of the upstream rxrpc fix +posted at https://lore.kernel.org/all/afKV2zGR6rrelPC7@v4bel/ +(sibling to upstream commit f4c50a4034e6 in the ESP/xfrm subsystem). + +The upstream patch can not be cherry-picked against this 6.12 tree: +its target lines were introduced by upstream commit d0d5c0cd1e71 +("rxrpc: Use skb_unshare() rather than skb_cow_data()") which is not +present here. The age-equivalent code path on AlmaLinux 10 is the +centralized skb_unshare() in net/rxrpc/io_thread.c that is run for +every DATA packet with a non-zero securityIndex before in-place +decryption. + +skb_unshare() only handles cloned skbs. An skb that is non-cloned but +carries paged fragments (skb->data_len != 0) — e.g. pages attached via +udp_sendpage() / splice() / MSG_SPLICE_PAGES on a UDP socket carrying +rxrpc traffic — slips through and is decrypted in place over data the +skb does not own privately. With kernel-modules-partner installed +(rxrpc.ko enabled), this is exploitable. + +Replace the unconditional skb_unshare() with skb_copy() whenever the +skb is cloned OR carries paged fragments. skb_copy() always returns a +freshly allocated linear skb, so subsequent in-place decryption only +touches kernel-owned memory. The original skb is consumed explicitly +(skb_unshare did this internally via consume_skb()). + +Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no +rejects) against kernel-6.12.0-124.55.1.el10_1. + +Fixes: cac2661c53f3 ("rxrpc: Use skb_cow_data() in rxrpc_recvmsg_data()") +Signed-off-by: Andrew Lukoshko +--- + net/rxrpc/io_thread.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +--- a/net/rxrpc/io_thread.c ++++ b/net/rxrpc/io_thread.c +@@ -235,16 +235,18 @@ + * decryption. + */ + if (sp->hdr.securityIndex != 0) { +- skb = skb_unshare(skb, GFP_ATOMIC); +- if (!skb) { +- rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare_nomem); +- *_skb = NULL; +- return just_discard; +- } ++ if (skb_cloned(skb) || skb->data_len) { ++ struct sk_buff *nskb = skb_copy(skb, GFP_ATOMIC); ++ ++ if (!nskb) { ++ rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare_nomem); ++ return just_discard; ++ } + +- if (skb != *_skb) { + rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare); +- *_skb = skb; ++ consume_skb(*_skb); ++ *_skb = nskb; ++ skb = nskb; + rxrpc_new_skb(skb, rxrpc_skb_new_unshared); + sp = rxrpc_skb(skb); + } +-- +2.43.0 diff --git a/SPECS/raspberrypi2.spec b/SPECS/raspberrypi2.spec index 2acf450..0b875d0 100644 --- a/SPECS/raspberrypi2.spec +++ b/SPECS/raspberrypi2.spec @@ -11,7 +11,7 @@ ExclusiveArch: aarch64 %define local_version v8 %define bcmmodel 2711 -%define extra_version 4 +%define extra_version 5 # This originally implies Kernel 4.x for RPi 2 and is not appropriate now. # Be careful to change this not to disturb the seamless package update. @@ -54,6 +54,9 @@ Source2002: kvm_stat.logrotate # AlmaLinux patches ## CVE-2026-31431 Patch1100: 1100-CVE-2026-31431-crypto-Copy-Fail-fixes.patch +## Dirty Frag +Patch1101: 1101-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch +Patch1102: 1102-rxrpc-linearize-paged-frags.patch BuildRequires: kmod, patch, bash, coreutils, tar BuildRequires: bzip2, xz, findutils, gzip, m4, perl, perl-Carp, make, diffutils, gawk @@ -234,6 +237,8 @@ glibc package. %patch -P 100 -p1 %patch -P 101 -p1 %patch -P 1100 -p1 +%patch -P 1101 -p1 +%patch -P 1102 -p1 perl -p -i -e "s/^EXTRAVERSION.*/EXTRAVERSION = -%{release}/" Makefile perl -p -i -e "s/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=/" arch/%{Arch}/configs/bcm2711_defconfig perl -p -i -e "s/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=/" arch/%{Arch}/configs/bcm2712_defconfig @@ -538,6 +543,10 @@ cp $(ls -1 /boot/config-kernel-*-*|sort -V|tail -1) /boot/config-kernel.inc %endif %changelog +* Fri May 08 2026 Koichiro Iwao - 6.12.47-20250916.v8.5 +- rxrpc: linearize incoming DATA packet when it has paged frags +- xfrm: esp: avoid in-place decrypt on shared skb frags + * Thu Apr 30 2026 Koichiro Iwao - 6.12.47-20250916.v8.4 - Update CVE-2026-31431 patch to include more upstream commits