hpsa: bring back deprecated PCI ids #CFHack #CFHack2024

mptsas: bring back deprecated PCI ids #CFHack #CFHack2024 megaraid_sas: bring back deprecated PCI ids #CFHack #CFHack2024 qla2xxx: bring back deprecated PCI ids #CFHack #CFHack2024 qla4xxx: bring back deprecated PCI ids lpfc: bring back deprecated PCI ids be2iscsi: bring back deprecated PCI ids kernel/rh_messages.h: enable all disabled pci devices by moving to unmaintained Use AlmaLinux OS secure boot cert Debrand for AlmaLinux OS
2026-05-20 14:23:33 +00:00 · 2026-05-20 14:23:33 +00:00 · 04364fd819
commit 04364fd819
parent 053da2e7bb b311f615f4
5 changed files with 16 additions and 199 deletions
--- a/.gitignore
+++ b/.gitignore
@ -2,7 +2,7 @@ SOURCES/centossecureboot201.cer
 SOURCES/centossecurebootca2.cer
 SOURCES/kernel-abi-stablelists-4.18.0-553.tar.bz2
 SOURCES/kernel-kabi-dw-4.18.0-553.tar.bz2
-SOURCES/linux-4.18.0-553.124.1.el8_10.tar.xz
+SOURCES/linux-4.18.0-553.125.1.el8_10.tar.xz
 SOURCES/redhatsecureboot302.cer
 SOURCES/redhatsecureboot303.cer
 SOURCES/redhatsecureboot501.cer
--- a/.kernel.metadata
+++ b/.kernel.metadata
@ -1,8 +1,8 @@
 2ba40bf9138b48311e5aa1b737b7f0a8ad66066f SOURCES/centossecureboot201.cer
 bfdb3d7cffc43f579655af5155d50c08671d95e5 SOURCES/centossecurebootca2.cer
-fd1739a125daaa36c88c27d65c82982ea8c72e30 SOURCES/kernel-abi-stablelists-4.18.0-553.tar.bz2
+d9da29e9dcfe3f9a9d7e5109d7ee4039488bd80a SOURCES/kernel-abi-stablelists-4.18.0-553.tar.bz2
 2318474e4033305aa0461e29d5962ca0a5dc24cb SOURCES/kernel-kabi-dw-4.18.0-553.tar.bz2
-f423c7e25012fe223823503f126066d48577331b SOURCES/linux-4.18.0-553.124.1.el8_10.tar.xz
+4effeb41b8928930492898172c72e705fc7894e8 SOURCES/linux-4.18.0-553.125.1.el8_10.tar.xz
 13e5cd3f856b472fde80a4deb75f4c18dfb5b255 SOURCES/redhatsecureboot302.cer
 e89890ca0ded2f9058651cc5fa838b78db2e6cc2 SOURCES/redhatsecureboot303.cer
 ba0b760e594ff668ee72ae348adf3e49b97f75fb SOURCES/redhatsecureboot501.cer
--- a/SOURCES/1100-net-skbuff-propagate-shared-frag-marker.patch
+++ b/SOURCES/1100-net-skbuff-propagate-shared-frag-marker.patch
@ -1,119 +0,0 @@
-From: Eduard Abdullin <eabdullin@almalinux.org>
-Subject: [PATCH AlmaLinux 8] net: skbuff: propagate shared-frag marker through frag-transfer helpers
-
-Backport of upstream v3 patch posted at
-https://lore.kernel.org/all/agW4vC0r8QOUKtRT@v4bel/
-(sibling to upstream commit f4c50a4034e6 "xfrm: esp: avoid in-place
-decrypt on shared skb frags").
-
-Three frag-transfer helpers in net/core/skbuff.c
-(__pskb_copy_fclone(), skb_try_coalesce(), skb_shift()) and two
-helpers in the same file on AlmaLinux 8 (skb_gro_receive() and
-skb_gro_receive_list(), which upstream split out to net/core/gro.c
-in v5.19) fail to propagate the SKBFL_SHARED_FRAG bit (named
-SKBTX_SHARED_FRAG in 4.18) when moving frag descriptors from source
-to destination.  As a result, the destination skb keeps a reference
-to the same externally-owned or page-cache-backed pages while
-reporting skb_has_shared_frag() as false.
-
-The mismatch is harmful in any in-place writer that uses
-skb_has_shared_frag() to decide whether shared pages must be detoured
-through skb_cow_data().  ESP input is one such writer (esp4.c,
-esp6.c).  Combined with an nft 'dup to <local>' rule, an
-nf_dup_ipv4() / xt_TEE caller, or ESP-over-UDP with UDP GRO, this
-lets an unprivileged user write into the page cache of a root-owned
-read-only file via authencesn-ESN stray writes (CVE-2026-46300,
-"Fragnesia").
-
-Set SKBTX_SHARED_FRAG on the destination whenever frag descriptors
-were actually moved from the source.  skb_copy() and skb_copy_expand()
-share skb_copy_header() too but linearize all paged data into freshly
-allocated head storage and emerge with nr_frags == 0, so
-skb_has_shared_frag() returns false on its own; they need no change.
-
-The same omission exists in skb_gro_receive() and
-skb_gro_receive_list().  The former moves the incoming skb's frag
-descriptors into the accumulator's last sub-skb via two paths (a
-direct frag-move loop and the head_frag + memcpy path) plus a
-"merge:" fallback that chains the whole skb onto frag_list; the
-latter chains the incoming skb whole onto p's frag_list.  Downstream
-skb_segment() reads only skb_shinfo(p)->tx_flags, and
-skb_segment_list() reuses each sub-skb's shinfo as the nskb -- both
-p and lp must carry the marker.
-
-Tree adaptation:
-  * Upstream uses skb_shinfo()->flags and SKBFL_SHARED_FRAG (commit
-    06b4feb37e69, v5.16) and lives in net/core/gro.c (split off in
-    v5.19).  AlmaLinux 8 (4.18 kernel) still keeps skb_gro_receive()
-    and skb_gro_receive_list() in net/core/skbuff.c and uses the
-    original SKBTX_SHARED_FRAG bit in skb_shinfo()->tx_flags, which
-    is also what skb_has_shared_frag() consults here.  Translate the
-    new field/macro back to the legacy ones and target
-    net/core/skbuff.c for all five hunks.
-  * Upstream skb_shift() uses skb_len_add() helpers (v5.16+); AL 8
-    still has the open-coded `skb->len -= shiftlen; ...` block.  The
-    insertion point (right after both ip_summed assignments) is the
-    same.
-
-Fixes: cef401de7be8 ("net: fix possible wrong checksum generation")
-Fixes: f4c50a4034e6 ("xfrm: esp: avoid in-place decrypt on shared skb frags")
-Reported-by: Sultan Alsawaf <sultan@kerneltoast.com>
-Reported-by: William Bowling <vakzz@zellic.io>
-Reported-by: Hyunwoo Kim <imv4bel@gmail.com>
-Signed-off-by: Eduard Abdullin <eabdullin@almalinux.org>
---
- net/core/skbuff.c | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
-
--- a/net/core/skbuff.c
-+++ b/net/core/skbuff.c
-@@ -1807,6 +1807,7 @@ struct sk_buff *__pskb_copy_fclone(struct sk_buff *skb, int headroom,
- 			skb_frag_ref(skb, i);
- 		}
- 		skb_shinfo(n)->nr_frags = i;
-+		skb_shinfo(n)->tx_flags |= skb_shinfo(skb)->tx_flags & SKBTX_SHARED_FRAG;
- 	}
-
- 	if (skb_has_frag_list(skb)) {
-@@ -3586,6 +3587,8 @@ int skb_shift(struct sk_buff *tgt, struct sk_buff *skb, int shiftlen)
- 	tgt->ip_summed = CHECKSUM_PARTIAL;
- 	skb->ip_summed = CHECKSUM_PARTIAL;
-
-+	skb_shinfo(tgt)->tx_flags |= skb_shinfo(skb)->tx_flags & SKBTX_SHARED_FRAG;
-+
- 	/* Yak, is it really working this way? Some helper please? */
- 	skb->len -= shiftlen;
- 	skb->data_len -= shiftlen;
-@@ -4004,6 +4007,8 @@ int skb_gro_receive_list(struct sk_buff *p, struct sk_buff *skb)
- 	p->truesize += skb->truesize;
- 	p->len += skb->len;
-
-+	skb_shinfo(p)->tx_flags |= skb_shinfo(skb)->tx_flags & SKBTX_SHARED_FRAG;
-+
- 	NAPI_GRO_CB(skb)->same_flow = 1;
-
- 	return 0;
-@@ -4462,10 +4467,12 @@ int skb_gro_receive(struct sk_buff *p, struct sk_buff *skb)
- 	p->data_len += len;
- 	p->truesize += delta_truesize;
- 	p->len += len;
-+	skb_shinfo(p)->tx_flags |= skbinfo->tx_flags & SKBTX_SHARED_FRAG;
- 	if (lp != p) {
- 		lp->data_len += len;
- 		lp->truesize += delta_truesize;
- 		lp->len += len;
-+		skb_shinfo(lp)->tx_flags |= skbinfo->tx_flags & SKBTX_SHARED_FRAG;
- 	}
- 	NAPI_GRO_CB(skb)->same_flow = 1;
- 	return 0;
-@@ -5576,6 +5583,8 @@ bool skb_try_coalesce(struct sk_buff *to, struct sk_buff *from,
- 	       from_shinfo->frags,
- 	       from_shinfo->nr_frags * sizeof(skb_frag_t));
- 	to_shinfo->nr_frags += from_shinfo->nr_frags;
-+	if (from_shinfo->nr_frags)
-+		to_shinfo->tx_flags |= from_shinfo->tx_flags & SKBTX_SHARED_FRAG;
-
- 	if (!skb_cloned(from))
- 		from_shinfo->nr_frags = 0;
--
-2.43.0
--- a/SOURCES/1101-ptrace-require-cap-on-mm-less-task.patch
+++ b/SOURCES/1101-ptrace-require-cap-on-mm-less-task.patch
@ -1,55 +0,0 @@
-From: Andrew Lukoshko <alukoshko@almalinux.org>
-Subject: [PATCH AlmaLinux 8] ptrace: require CAP_SYS_PTRACE when task has no mm
-
-kABI-safe AlmaLinux backport of upstream commit 31e62c2ebbfd
-("ptrace: slightly saner 'get_dumpable()' logic") posted at
-https://github.com/torvalds/linux/commit/31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a
-
-The upstream fix adds a 'user_dumpable:1' bit to task_struct and
-caches the last dumpability in exit_mm() so __ptrace_may_access()
-can require CAP_SYS_PTRACE when the target has no mm (e.g. kernel
-threads or already-exited user tasks). That layout change to
-task_struct breaks kABI on RHEL/AlmaLinux 8 (the symtype
-signature of struct task_struct is referenced by stablelist exports
-such as set_cpus_allowed_ptr() and wake_up_process()), so we cannot
-import the field/exit_mm hunks as-is.
-
-Take the minimal kABI-safe slice instead: when task->mm == NULL,
-require CAP_SYS_PTRACE in init_user_ns unconditionally. This closes
-the Qualys Security Advisory hole -- mm-less targets no longer pass
-the dumpability check by default -- without touching task_struct or
-exit.c. The only behavioural delta versus upstream is that a user
-task that has already cleared its mm in exit_mm() (a dying/zombie
-task) now also requires CAP_SYS_PTRACE to attach, instead of being
-remembered as previously dumpable. Such targets are rarely ptraced
-in practice.
-
-Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no rejects)
-against kernel-4.18.0-553.124.1.el8_10.
-
-Reported-by: Qualys Security Advisory <qsa@qualys.com>
-Signed-off-by: Andrew Lukoshko <alukoshko@almalinux.org>
---
- kernel/ptrace.c | 11 +++++++----
- 1 file changed, 7 insertions(+), 4 deletions(-)
-
--- a/kernel/ptrace.c
-+++ b/kernel/ptrace.c
-@@ -351,8 +351,11 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
- 	smp_rmb();
- 	mm = task->mm;
-	if (mm &&
-	    ((get_dumpable(mm) != SUID_DUMP_USER) &&
-	     !ptrace_has_cap(mm->user_ns, mode)))
-	    return -EPERM;
-+	if (mm) {
-+		if ((get_dumpable(mm) != SUID_DUMP_USER) &&
-+		    !ptrace_has_cap(mm->user_ns, mode))
-+			return -EPERM;
-+	} else if (!ptrace_has_cap(&init_user_ns, mode)) {
-+		return -EPERM;
-+	}
- 
- 	return security_ptrace_access_check(task, mode);
--
-2.43.0
--- a/SPECS/kernel.spec
+++ b/SPECS/kernel.spec
@ -38,11 +38,10 @@
 # define buildid .local

 %define specversion 4.18.0
-%define pkgrelease 553.124.4.el8_10
-%define tarfile_release 553.124.1.el8_10
+%define pkgrelease 553.125.1.el8_10

 # allow pkg_release to have configurable %%{?dist} tag
-%define specrelease 553.124.4%{?dist}
+%define specrelease 553.125.1%{?dist}

 %define pkg_release %{specrelease}%{?buildid}

@ -436,7 +435,7 @@ BuildRequires: xmlto
 BuildRequires: asciidoc
 %endif

-Source0: linux-%{specversion}-%{tarfile_release}.tar.xz
+Source0: linux-%{specversion}-%{pkgrelease}.tar.xz

 Source9: x509.genkey

@ -539,8 +538,6 @@ Patch2005: 0005-Bring-back-deprecated-pci-ids-to-qla2xxx-driver.patch
 Patch2006: 0006-Bring-back-deprecated-pci-ids-to-lpfc-driver.patch
 Patch2007: 0007-Bring-back-deprecated-pci-ids-to-qla4xxx-driver.patch
 Patch2008: 0008-Bring-back-deprecated-pci-ids-to-be2iscsi-driver.patch
-Patch1100: 1100-net-skbuff-propagate-shared-frag-marker.patch
-Patch1101: 1101-ptrace-require-cap-on-mm-less-task.patch

 # END OF PATCH DEFINITIONS

@ -1099,9 +1096,9 @@ ApplyOptionalPatch()
  fi
 }

-%setup -q -n %{name}-%{specversion}-%{tarfile_release} -c
-cp -v %{SOURCE9000} linux-%{specversion}-%{tarfile_release}/certs/rhel.pem
-mv linux-%{specversion}-%{tarfile_release} linux-%{KVERREL}
+%setup -q -n %{name}-%{specversion}-%{pkgrelease} -c
+cp -v %{SOURCE9000} linux-%{specversion}-%{pkgrelease}/certs/rhel.pem
+mv linux-%{specversion}-%{pkgrelease} linux-%{KVERREL}

 cd linux-%{KVERREL}

@ -1118,8 +1115,6 @@ ApplyPatch 0005-Bring-back-deprecated-pci-ids-to-qla2xxx-driver.patch
 ApplyPatch 0006-Bring-back-deprecated-pci-ids-to-lpfc-driver.patch
 ApplyPatch 0007-Bring-back-deprecated-pci-ids-to-qla4xxx-driver.patch
 ApplyPatch 0008-Bring-back-deprecated-pci-ids-to-be2iscsi-driver.patch
-ApplyPatch 1100-net-skbuff-propagate-shared-frag-marker.patch
-ApplyPatch 1101-ptrace-require-cap-on-mm-less-task.patch

 # END OF PATCH APPLICATIONS

@ -2718,16 +2713,7 @@ fi
 #
 #
 %changelog
-* Fri May 15 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 4.18.0-553.124.4
- ptrace: require CAP_SYS_PTRACE when task has no mm (kABI-safe)
-
-* Thu May 14 2026 Eduard Abdullin <eabdullin@almalinux.org> - 4.18.0-553.124.3
- net: skbuff: propagate shared-frag marker through frag-transfer helpers
-
-* Wed May 13 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 4.18.0-553.124.2
- net: skbuff: propagate shared-frag marker through pskb_copy()
-
-* Tue May 12 2026 Andrei Lukoshko <alukoshko@almalinux.org> - 4.18.0-553.124.1
+* Wed May 20 2026 Andrei Lukoshko <alukoshko@almalinux.org> - 4.18.0-553.125.1
 - hpsa: bring back deprecated PCI ids #CFHack #CFHack2024
 - mptsas: bring back deprecated PCI ids #CFHack #CFHack2024
 - megaraid_sas: bring back deprecated PCI ids #CFHack #CFHack2024
@ -2738,10 +2724,15 @@ fi
 - kernel/rh_messages.h: enable all disabled pci devices by moving to
  unmaintained

-* Tue May 12 2026 Eduard Abdullin <eabdullin@almalinux.org> - 4.18.0-553.124.1
+* Wed May 20 2026 Eduard Abdullin <eabdullin@almalinux.org> - 4.18.0-553.125.1
 - Use AlmaLinux OS secure boot cert
 - Debrand for AlmaLinux OS

+* Mon May 18 2026 Denys Vlasenko <dvlasenk@redhat.com> [4.18.0-553.125.1.el8_10]
+- net: skbuff: propagate shared-frag marker through frag-transfer helpers (Sabrina Dubroca) [RHEL-176090] {CVE-2026-46300}
+- net: skbuff: preserve shared-frag marker during coalescing (Sabrina Dubroca) [RHEL-176090] {CVE-2026-46300}
+- ptrace: slightly saner 'get_dumpable()' logic (Rafael Aquini) [RHEL-176445] {CVE-2026-46333}
+
 * Mon May 11 2026 Denys Vlasenko <dvlasenk@redhat.com> [4.18.0-553.124.1.el8_10]
 - xfrm: esp: avoid in-place decrypt on shared skb frags (Sabrina Dubroca) [RHEL-174586] {CVE-2026-43284}