Debrand for AlmaLinux OS

Use AlmaLinux OS secure boot cert

Enable Btrfs support for all kernel variants

hpsa: bring back deprecated PCI ids #CFHack #CFHack2024

mptsas: bring back deprecated PCI ids #CFHack #CFHack2024

megaraid_sas: bring back deprecated PCI ids #CFHack #CFHack2024

qla2xxx: bring back deprecated PCI ids #CFHack #CFHack2024

qla4xxx: bring back deprecated PCI ids

lpfc: bring back deprecated PCI ids

be2iscsi: bring back deprecated PCI ids

kernel/rh_messages.h: enable all disabled pci devices by moving to unmaintained

.gitignore

@@ -1,7 +1,7 @@
 fedoraimaca.x509
-kernel-abi-stablelists-6.12.0-124.55.1.el10_1.tar.xz
-kernel-kabi-dw-6.12.0-124.55.1.el10_1.tar.xz
-linux-6.12.0-124.55.1.el10_1.tar.xz
+kernel-abi-stablelists-6.12.0-124.56.1.el10_1.tar.xz
+kernel-kabi-dw-6.12.0-124.56.1.el10_1.tar.xz
+linux-6.12.0-124.56.1.el10_1.tar.xz
 nvidiagpuoot001.x509
 olima1.x509
 olimaca1.x509

1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch

@@ -1,77 +0,0 @@
-From: Andrew Lukoshko <alukoshko@almalinux.org>
-Subject: [PATCH AlmaLinux 10] xfrm: esp: avoid in-place decrypt on shared skb frags
-
-Direct cherry-pick of upstream commit f4c50a4034e6 for AlmaLinux 10
-(6.12 kernel).
-
-Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no rejects)
-against kernel-6.12.0-124.55.1.el10_1.
-
-ESP-in-UDP packets built from MSG_SPLICE_PAGES (pipe pages) look like
-ordinary uncloned nonlinear skbs to ESP input, which takes the no-COW
-fast path and decrypts in place over data that is not owned privately
-by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG
-matching TCP, and make ESP input fall back to skb_cow_data() when the
-flag is present.
-
-Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
-Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
-Fixes: 7da0dde68486 ("ip, udp: Support MSG_SPLICE_PAGES")
-Fixes: 6d8192bd69bb ("ip6, udp6: Support MSG_SPLICE_PAGES")
-(cherry picked from commit f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4)
-Signed-off-by: Andrew Lukoshko <alukoshko@almalinux.org>
----
- net/ipv4/esp4.c       | 3 ++-
- net/ipv4/ip_output.c  | 2 ++
- net/ipv6/esp6.c       | 3 ++-
- net/ipv6/ip6_output.c | 2 ++
- 4 files changed, 8 insertions(+), 2 deletions(-)
-
---- a/net/ipv4/esp4.c
-+++ b/net/ipv4/esp4.c
-@@ -908,7 +908,8 @@
- 			nfrags = 1;
- 
- 			goto skip_cow;
--		} else if (!skb_has_frag_list(skb)) {
-+		} else if (!skb_has_frag_list(skb) &&
-+			   !skb_has_shared_frag(skb)) {
- 			nfrags = skb_shinfo(skb)->nr_frags;
- 			nfrags++;
- 
---- a/net/ipv4/ip_output.c
-+++ b/net/ipv4/ip_output.c
-@@ -1236,6 +1236,8 @@
- 			if (err < 0)
- 				goto error;
- 			copy = err;
-+			if (!(flags & MSG_NO_SHARED_FRAGS))
-+				skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
- 			wmem_alloc_delta += copy;
- 		} else if (!zc) {
- 			int i = skb_shinfo(skb)->nr_frags;
---- a/net/ipv6/esp6.c
-+++ b/net/ipv6/esp6.c
-@@ -950,7 +950,8 @@
- 			nfrags = 1;
- 
- 			goto skip_cow;
--		} else if (!skb_has_frag_list(skb)) {
-+		} else if (!skb_has_frag_list(skb) &&
-+			   !skb_has_shared_frag(skb)) {
- 			nfrags = skb_shinfo(skb)->nr_frags;
- 			nfrags++;
- 
---- a/net/ipv6/ip6_output.c
-+++ b/net/ipv6/ip6_output.c
-@@ -1769,6 +1769,8 @@
- 			if (err < 0)
- 				goto error;
- 			copy = err;
-+			if (!(flags & MSG_NO_SHARED_FRAGS))
-+				skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
- 			wmem_alloc_delta += copy;
- 		} else if (!zc) {
- 			int i = skb_shinfo(skb)->nr_frags;
---
-2.43.0

1101-rxrpc-linearize-paged-frags.patch

@@ -1,68 +0,0 @@
-From: Andrew Lukoshko <alukoshko@almalinux.org>
-Subject: [PATCH AlmaLinux 10] rxrpc: linearize incoming DATA packet when it has paged frags
-
-AlmaLinux-specific backport of the intent of the upstream rxrpc fix
-posted at https://lore.kernel.org/all/afKV2zGR6rrelPC7@v4bel/
-(sibling to upstream commit f4c50a4034e6 in the ESP/xfrm subsystem).
-
-The upstream patch can not be cherry-picked against this 6.12 tree:
-its target lines were introduced by upstream commit d0d5c0cd1e71
-("rxrpc: Use skb_unshare() rather than skb_cow_data()") which is not
-present here. The age-equivalent code path on AlmaLinux 10 is the
-centralized skb_unshare() in net/rxrpc/io_thread.c that is run for
-every DATA packet with a non-zero securityIndex before in-place
-decryption.
-
-skb_unshare() only handles cloned skbs. An skb that is non-cloned but
-carries paged fragments (skb->data_len != 0) — e.g. pages attached via
-udp_sendpage() / splice() / MSG_SPLICE_PAGES on a UDP socket carrying
-rxrpc traffic — slips through and is decrypted in place over data the
-skb does not own privately. With kernel-modules-partner installed
-(rxrpc.ko enabled), this is exploitable.
-
-Replace the unconditional skb_unshare() with skb_copy() whenever the
-skb is cloned OR carries paged fragments. skb_copy() always returns a
-freshly allocated linear skb, so subsequent in-place decryption only
-touches kernel-owned memory. The original skb is consumed explicitly
-(skb_unshare did this internally via consume_skb()).
-
-Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no
-rejects) against kernel-6.12.0-124.55.1.el10_1.
-
-Fixes: cac2661c53f3 ("rxrpc: Use skb_cow_data() in rxrpc_recvmsg_data()")
-Signed-off-by: Andrew Lukoshko <alukoshko@almalinux.org>
----
- net/rxrpc/io_thread.c | 18 ++++++++++--------
- 1 file changed, 10 insertions(+), 8 deletions(-)
-
---- a/net/rxrpc/io_thread.c
-+++ b/net/rxrpc/io_thread.c
-@@ -235,16 +235,18 @@
- 		 * decryption.
- 		 */
- 		if (sp->hdr.securityIndex != 0) {
--			skb = skb_unshare(skb, GFP_ATOMIC);
--			if (!skb) {
--				rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare_nomem);
--				*_skb = NULL;
--				return just_discard;
--			}
-+			if (skb_cloned(skb) || skb->data_len) {
-+				struct sk_buff *nskb = skb_copy(skb, GFP_ATOMIC);
-+
-+				if (!nskb) {
-+					rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare_nomem);
-+					return just_discard;
-+				}
- 
--			if (skb != *_skb) {
- 				rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare);
--				*_skb = skb;
-+				consume_skb(*_skb);
-+				*_skb = nskb;
-+				skb = nskb;
- 				rxrpc_new_skb(skb, rxrpc_skb_new_unshared);
- 				sp = rxrpc_skb(skb);
- 			}
---
-2.43.0

Makefile.rhelver

@@ -12,7 +12,7 @@ RHEL_MINOR = 1
 #
 # Use this spot to avoid future merge conflicts.
 # Do not trim this comment.
-RHEL_RELEASE = 124.55.1
+RHEL_RELEASE = 124.56.1
 
 #
 # RHEL_REBASE_NUM

kernel.changelog

@@ -1,3 +1,7 @@
+* Sat May 09 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-124.56.1.el10_1]
+- xfrm: esp: avoid in-place decrypt on shared skb frags (CKI Backport Bot) [RHEL-174548] {CVE-2026-43284}
+Resolves: RHEL-174548
+
 * Sat May 02 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-124.55.1.el10_1]
 - crypto: algif_aead - snapshot IV for async AEAD requests (Vladislav Dronov) [RHEL-172211]
 - crypto: algif_aead - Fix minimum RX size check for decryption (Vladislav Dronov) [RHEL-172211]

kernel.spec

@@ -176,15 +176,15 @@ Summary: The Linux kernel
 %define specrpmversion 6.12.0
 %define specversion 6.12.0
 %define patchversion 6.12
-%define pkgrelease 124.55.3
+%define pkgrelease 124.56.1
 %define kversion 6
-%define tarfile_release 6.12.0-124.55.1.el10_1
+%define tarfile_release 6.12.0-124.56.1.el10_1
 # This is needed to do merge window version magic
 %define patchlevel 12
 # This allows pkg_release to have configurable %%{?dist} tag
-%define specrelease 124.55.3%{?buildid}%{?dist}
+%define specrelease 124.56.1%{?buildid}%{?dist}
 # This defines the kabi tarball version
-%define kabiversion 6.12.0-124.55.1.el10_1
+%define kabiversion 6.12.0-124.56.1.el10_1
 
 # If this variable is set to 1, a bpf selftests build failure will cause a
 # fatal kernel package build error
@@ -1128,8 +1128,6 @@ Patch2007: 0007-Bring-back-deprecated-pci-ids-to-be2iscsi-driver.patch
 Patch2008: 0008-Bring-back-deprecated-pci-ids-to-megaraid_sas-driver.patch
 Patch2009: 0009-Bring-back-deprecated-pci-ids-to-mpt3sas-driver.patch
 Patch2010: 0010-Bring-back-deprecated-pci-ids-to-aacraid-driver.patch
-Patch1100: 1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch
-Patch1101: 1101-rxrpc-linearize-paged-frags.patch
 
 # END OF PATCH DEFINITIONS
 
@@ -1991,8 +1989,6 @@ ApplyPatch 0007-Bring-back-deprecated-pci-ids-to-be2iscsi-driver.patch
 ApplyPatch 0008-Bring-back-deprecated-pci-ids-to-megaraid_sas-driver.patch
 ApplyPatch 0009-Bring-back-deprecated-pci-ids-to-mpt3sas-driver.patch
 ApplyPatch 0010-Bring-back-deprecated-pci-ids-to-aacraid-driver.patch
-ApplyPatch 1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch
-ApplyPatch 1101-rxrpc-linearize-paged-frags.patch
 
 %{log_msg "End of patch applications"}
 # END OF PATCH APPLICATIONS
@@ -4381,20 +4377,14 @@ fi\
 #
 #
 %changelog
-* Thu May 07 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 6.12.0-124.55.3
-- rxrpc: linearize incoming DATA packet when it has paged frags
-
-* Thu May 07 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 6.12.0-124.55.2
-- xfrm: esp: avoid in-place decrypt on shared skb frags
-
-* Wed May 06 2026 Eduard Abdullin <eabdullin@almalinux.org> - 6.12.0-124.55.1
+* Wed May 13 2026 Eduard Abdullin <eabdullin@almalinux.org> - 6.12.0-124.56.1
 - Debrand for AlmaLinux OS
 - Use AlmaLinux OS secure boot cert
 
-* Wed May 06 2026 Neal Gompa <ngompa@almalinux.org> - 6.12.0-124.55.1
+* Wed May 13 2026 Neal Gompa <ngompa@almalinux.org> - 6.12.0-124.56.1
 - Enable Btrfs support for all kernel variants
 
-* Wed May 06 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 6.12.0-124.55.1
+* Wed May 13 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 6.12.0-124.56.1
 - hpsa: bring back deprecated PCI ids #CFHack #CFHack2024
 - mptsas: bring back deprecated PCI ids #CFHack #CFHack2024
 - megaraid_sas: bring back deprecated PCI ids #CFHack #CFHack2024
@@ -4405,6 +4395,9 @@ fi\
 - kernel/rh_messages.h: enable all disabled pci devices by moving to
   unmaintained
 
+* Sat May 09 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-124.56.1.el10_1]
+- xfrm: esp: avoid in-place decrypt on shared skb frags (CKI Backport Bot) [RHEL-174548] {CVE-2026-43284}
+
 * Sat May 02 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-124.55.1.el10_1]
 - crypto: algif_aead - snapshot IV for async AEAD requests (Vladislav Dronov) [RHEL-172211]
 - crypto: algif_aead - Fix minimum RX size check for decryption (Vladislav Dronov) [RHEL-172211]

sources

@@ -1,7 +1,7 @@
 SHA512 (fedoraimaca.x509) = e04809394f4472c17e86d7024dee34f03fb68e82a85502fd5b00535202c72e57626a8376b2cf991b7e1e46404aa5ab8d189ebf320e0dd37d49e7efbc925c7a2e
-SHA512 (kernel-abi-stablelists-6.12.0-124.55.1.el10_1.tar.xz) = bc9f892d7c338518905762f178bac555706d6629482589f6d29a16707fe65a7604fb705d9b37d2e2f587d4d4927b4774af3324172a3e92791302932bb1276d07
-SHA512 (kernel-kabi-dw-6.12.0-124.55.1.el10_1.tar.xz) = 1520a7381b4196646e93c388c7314240f1fc9944287ce90d1ea3b6afe16879548719c1ed09f5cca64ffc007ca17f8ac6c65612a8f972b138d8cda244030f49ab
-SHA512 (linux-6.12.0-124.55.1.el10_1.tar.xz) = 3e9c81009004ccc294f52270dd1405801aa496ed2526cb6497971086e23055869f2f47918bb1968369f038a0f24c18a4e6785065ebd56bbebf2d6d871afe6203
+SHA512 (kernel-abi-stablelists-6.12.0-124.56.1.el10_1.tar.xz) = ef6bfb858e1b5fcd14b5a45dbf1de5891fb2df15eb90f79f7fc09a8d7cef2dd20fe9014a1b6109382ba08b3f756513e0225c3cf62dfca1b1b280f36b99e63855
+SHA512 (kernel-kabi-dw-6.12.0-124.56.1.el10_1.tar.xz) = 5b48e2764dd6a3c940af371b2b7714d34cae6452765bd96f08add7cb9dfe9c6f2997e38d053ddec7ff54bc98e62e4adf5c74cf26c3d17c30051371522dea4f33
+SHA512 (linux-6.12.0-124.56.1.el10_1.tar.xz) = 4d15851de0020c3a79d3728f309d8c2bd7183f0da47366ed293cbdf09f421ec1bf9375e55b03faa9a7564c4a1d0d0504587cabef1c9139e6d676087270e6cde5
 SHA512 (nvidiagpuoot001.x509) = b42f836e1cfa07890cb6ca13de9c3950e306c9ec7686c4c09f050bb68869f5d82962b2cd5f3aa0eb7a0f3a3ae54e9c480eafbac5df53aa92c295ff511a8c59fe
 SHA512 (olima1.x509) = 123c26c1d698cc8523845c6e1103b9c72abf855acd225d37baf1f3388a47f912166d6d786fb367fe46de39e011b586ad7f3963aa2e8923da30a6ea9ae0d76ad3
 SHA512 (olimaca1.x509) = 3a779415fad29d6f7250ec97ab1f0a5eb62c351b724feee06b22e17f065bf74a558f32cc524d3222c4485635ae5b9cd5287855c94010fe743b51a4d954340c4c