diff --git a/.gitignore b/.gitignore index 187aa2514..b615045ee 100644 --- a/.gitignore +++ b/.gitignore @@ -1,7 +1,7 @@ fedoraimaca.x509 -kernel-abi-stablelists-6.12.0-124.55.1.el10_1.tar.xz -kernel-kabi-dw-6.12.0-124.55.1.el10_1.tar.xz -linux-6.12.0-124.55.1.el10_1.tar.xz +kernel-abi-stablelists-6.12.0-124.56.1.el10_1.tar.xz +kernel-kabi-dw-6.12.0-124.56.1.el10_1.tar.xz +linux-6.12.0-124.56.1.el10_1.tar.xz nvidiagpuoot001.x509 olima1.x509 olimaca1.x509 diff --git a/1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch b/1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch deleted file mode 100644 index 0fe6a5691..000000000 --- a/1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch +++ /dev/null @@ -1,77 +0,0 @@ -From: Andrew Lukoshko -Subject: [PATCH AlmaLinux 10] xfrm: esp: avoid in-place decrypt on shared skb frags - -Direct cherry-pick of upstream commit f4c50a4034e6 for AlmaLinux 10 -(6.12 kernel). - -Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no rejects) -against kernel-6.12.0-124.55.1.el10_1. - -ESP-in-UDP packets built from MSG_SPLICE_PAGES (pipe pages) look like -ordinary uncloned nonlinear skbs to ESP input, which takes the no-COW -fast path and decrypts in place over data that is not owned privately -by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG -matching TCP, and make ESP input fall back to skb_cow_data() when the -flag is present. - -Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible") -Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible") -Fixes: 7da0dde68486 ("ip, udp: Support MSG_SPLICE_PAGES") -Fixes: 6d8192bd69bb ("ip6, udp6: Support MSG_SPLICE_PAGES") -(cherry picked from commit f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4) -Signed-off-by: Andrew Lukoshko ---- - net/ipv4/esp4.c | 3 ++- - net/ipv4/ip_output.c | 2 ++ - net/ipv6/esp6.c | 3 ++- - net/ipv6/ip6_output.c | 2 ++ - 4 files changed, 8 insertions(+), 2 deletions(-) - ---- a/net/ipv4/esp4.c -+++ b/net/ipv4/esp4.c -@@ -908,7 +908,8 @@ - nfrags = 1; - - goto skip_cow; -- } else if (!skb_has_frag_list(skb)) { -+ } else if (!skb_has_frag_list(skb) && -+ !skb_has_shared_frag(skb)) { - nfrags = skb_shinfo(skb)->nr_frags; - nfrags++; - ---- a/net/ipv4/ip_output.c -+++ b/net/ipv4/ip_output.c -@@ -1236,6 +1236,8 @@ - if (err < 0) - goto error; - copy = err; -+ if (!(flags & MSG_NO_SHARED_FRAGS)) -+ skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG; - wmem_alloc_delta += copy; - } else if (!zc) { - int i = skb_shinfo(skb)->nr_frags; ---- a/net/ipv6/esp6.c -+++ b/net/ipv6/esp6.c -@@ -950,7 +950,8 @@ - nfrags = 1; - - goto skip_cow; -- } else if (!skb_has_frag_list(skb)) { -+ } else if (!skb_has_frag_list(skb) && -+ !skb_has_shared_frag(skb)) { - nfrags = skb_shinfo(skb)->nr_frags; - nfrags++; - ---- a/net/ipv6/ip6_output.c -+++ b/net/ipv6/ip6_output.c -@@ -1769,6 +1769,8 @@ - if (err < 0) - goto error; - copy = err; -+ if (!(flags & MSG_NO_SHARED_FRAGS)) -+ skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG; - wmem_alloc_delta += copy; - } else if (!zc) { - int i = skb_shinfo(skb)->nr_frags; --- -2.43.0 diff --git a/1101-rxrpc-linearize-paged-frags.patch b/1101-rxrpc-linearize-paged-frags.patch deleted file mode 100644 index c57902b48..000000000 --- a/1101-rxrpc-linearize-paged-frags.patch +++ /dev/null @@ -1,68 +0,0 @@ -From: Andrew Lukoshko -Subject: [PATCH AlmaLinux 10] rxrpc: linearize incoming DATA packet when it has paged frags - -AlmaLinux-specific backport of the intent of the upstream rxrpc fix -posted at https://lore.kernel.org/all/afKV2zGR6rrelPC7@v4bel/ -(sibling to upstream commit f4c50a4034e6 in the ESP/xfrm subsystem). - -The upstream patch can not be cherry-picked against this 6.12 tree: -its target lines were introduced by upstream commit d0d5c0cd1e71 -("rxrpc: Use skb_unshare() rather than skb_cow_data()") which is not -present here. The age-equivalent code path on AlmaLinux 10 is the -centralized skb_unshare() in net/rxrpc/io_thread.c that is run for -every DATA packet with a non-zero securityIndex before in-place -decryption. - -skb_unshare() only handles cloned skbs. An skb that is non-cloned but -carries paged fragments (skb->data_len != 0) — e.g. pages attached via -udp_sendpage() / splice() / MSG_SPLICE_PAGES on a UDP socket carrying -rxrpc traffic — slips through and is decrypted in place over data the -skb does not own privately. With kernel-modules-partner installed -(rxrpc.ko enabled), this is exploitable. - -Replace the unconditional skb_unshare() with skb_copy() whenever the -skb is cloned OR carries paged fragments. skb_copy() always returns a -freshly allocated linear skb, so subsequent in-place decryption only -touches kernel-owned memory. The original skb is consumed explicitly -(skb_unshare did this internally via consume_skb()). - -Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no -rejects) against kernel-6.12.0-124.55.1.el10_1. - -Fixes: cac2661c53f3 ("rxrpc: Use skb_cow_data() in rxrpc_recvmsg_data()") -Signed-off-by: Andrew Lukoshko ---- - net/rxrpc/io_thread.c | 18 ++++++++++-------- - 1 file changed, 10 insertions(+), 8 deletions(-) - ---- a/net/rxrpc/io_thread.c -+++ b/net/rxrpc/io_thread.c -@@ -235,16 +235,18 @@ - * decryption. - */ - if (sp->hdr.securityIndex != 0) { -- skb = skb_unshare(skb, GFP_ATOMIC); -- if (!skb) { -- rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare_nomem); -- *_skb = NULL; -- return just_discard; -- } -+ if (skb_cloned(skb) || skb->data_len) { -+ struct sk_buff *nskb = skb_copy(skb, GFP_ATOMIC); -+ -+ if (!nskb) { -+ rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare_nomem); -+ return just_discard; -+ } - -- if (skb != *_skb) { - rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare); -- *_skb = skb; -+ consume_skb(*_skb); -+ *_skb = nskb; -+ skb = nskb; - rxrpc_new_skb(skb, rxrpc_skb_new_unshared); - sp = rxrpc_skb(skb); - } --- -2.43.0 diff --git a/Makefile.rhelver b/Makefile.rhelver index 98ed3cfa0..7d6f487d2 100644 --- a/Makefile.rhelver +++ b/Makefile.rhelver @@ -12,7 +12,7 @@ RHEL_MINOR = 1 # # Use this spot to avoid future merge conflicts. # Do not trim this comment. -RHEL_RELEASE = 124.55.1 +RHEL_RELEASE = 124.56.1 # # RHEL_REBASE_NUM diff --git a/kernel.changelog b/kernel.changelog index c71c43baf..c367349a3 100644 --- a/kernel.changelog +++ b/kernel.changelog @@ -1,3 +1,7 @@ +* Sat May 09 2026 CKI KWF Bot [6.12.0-124.56.1.el10_1] +- xfrm: esp: avoid in-place decrypt on shared skb frags (CKI Backport Bot) [RHEL-174548] {CVE-2026-43284} +Resolves: RHEL-174548 + * Sat May 02 2026 CKI KWF Bot [6.12.0-124.55.1.el10_1] - crypto: algif_aead - snapshot IV for async AEAD requests (Vladislav Dronov) [RHEL-172211] - crypto: algif_aead - Fix minimum RX size check for decryption (Vladislav Dronov) [RHEL-172211] diff --git a/kernel.spec b/kernel.spec index 3a7611a60..3217e8de7 100644 --- a/kernel.spec +++ b/kernel.spec @@ -176,15 +176,15 @@ Summary: The Linux kernel %define specrpmversion 6.12.0 %define specversion 6.12.0 %define patchversion 6.12 -%define pkgrelease 124.55.3 +%define pkgrelease 124.56.1 %define kversion 6 -%define tarfile_release 6.12.0-124.55.1.el10_1 +%define tarfile_release 6.12.0-124.56.1.el10_1 # This is needed to do merge window version magic %define patchlevel 12 # This allows pkg_release to have configurable %%{?dist} tag -%define specrelease 124.55.3%{?buildid}%{?dist} +%define specrelease 124.56.1%{?buildid}%{?dist} # This defines the kabi tarball version -%define kabiversion 6.12.0-124.55.1.el10_1 +%define kabiversion 6.12.0-124.56.1.el10_1 # If this variable is set to 1, a bpf selftests build failure will cause a # fatal kernel package build error @@ -1128,8 +1128,6 @@ Patch2007: 0007-Bring-back-deprecated-pci-ids-to-be2iscsi-driver.patch Patch2008: 0008-Bring-back-deprecated-pci-ids-to-megaraid_sas-driver.patch Patch2009: 0009-Bring-back-deprecated-pci-ids-to-mpt3sas-driver.patch Patch2010: 0010-Bring-back-deprecated-pci-ids-to-aacraid-driver.patch -Patch1100: 1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch -Patch1101: 1101-rxrpc-linearize-paged-frags.patch # END OF PATCH DEFINITIONS @@ -1991,8 +1989,6 @@ ApplyPatch 0007-Bring-back-deprecated-pci-ids-to-be2iscsi-driver.patch ApplyPatch 0008-Bring-back-deprecated-pci-ids-to-megaraid_sas-driver.patch ApplyPatch 0009-Bring-back-deprecated-pci-ids-to-mpt3sas-driver.patch ApplyPatch 0010-Bring-back-deprecated-pci-ids-to-aacraid-driver.patch -ApplyPatch 1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch -ApplyPatch 1101-rxrpc-linearize-paged-frags.patch %{log_msg "End of patch applications"} # END OF PATCH APPLICATIONS @@ -4381,20 +4377,14 @@ fi\ # # %changelog -* Thu May 07 2026 Andrew Lukoshko - 6.12.0-124.55.3 -- rxrpc: linearize incoming DATA packet when it has paged frags - -* Thu May 07 2026 Andrew Lukoshko - 6.12.0-124.55.2 -- xfrm: esp: avoid in-place decrypt on shared skb frags - -* Wed May 06 2026 Eduard Abdullin - 6.12.0-124.55.1 +* Wed May 13 2026 Eduard Abdullin - 6.12.0-124.56.1 - Debrand for AlmaLinux OS - Use AlmaLinux OS secure boot cert -* Wed May 06 2026 Neal Gompa - 6.12.0-124.55.1 +* Wed May 13 2026 Neal Gompa - 6.12.0-124.56.1 - Enable Btrfs support for all kernel variants -* Wed May 06 2026 Andrew Lukoshko - 6.12.0-124.55.1 +* Wed May 13 2026 Andrew Lukoshko - 6.12.0-124.56.1 - hpsa: bring back deprecated PCI ids #CFHack #CFHack2024 - mptsas: bring back deprecated PCI ids #CFHack #CFHack2024 - megaraid_sas: bring back deprecated PCI ids #CFHack #CFHack2024 @@ -4405,6 +4395,9 @@ fi\ - kernel/rh_messages.h: enable all disabled pci devices by moving to unmaintained +* Sat May 09 2026 CKI KWF Bot [6.12.0-124.56.1.el10_1] +- xfrm: esp: avoid in-place decrypt on shared skb frags (CKI Backport Bot) [RHEL-174548] {CVE-2026-43284} + * Sat May 02 2026 CKI KWF Bot [6.12.0-124.55.1.el10_1] - crypto: algif_aead - snapshot IV for async AEAD requests (Vladislav Dronov) [RHEL-172211] - crypto: algif_aead - Fix minimum RX size check for decryption (Vladislav Dronov) [RHEL-172211] diff --git a/sources b/sources index 441e6bc59..bb4a3c137 100644 --- a/sources +++ b/sources @@ -1,7 +1,7 @@ SHA512 (fedoraimaca.x509) = e04809394f4472c17e86d7024dee34f03fb68e82a85502fd5b00535202c72e57626a8376b2cf991b7e1e46404aa5ab8d189ebf320e0dd37d49e7efbc925c7a2e -SHA512 (kernel-abi-stablelists-6.12.0-124.55.1.el10_1.tar.xz) = bc9f892d7c338518905762f178bac555706d6629482589f6d29a16707fe65a7604fb705d9b37d2e2f587d4d4927b4774af3324172a3e92791302932bb1276d07 -SHA512 (kernel-kabi-dw-6.12.0-124.55.1.el10_1.tar.xz) = 1520a7381b4196646e93c388c7314240f1fc9944287ce90d1ea3b6afe16879548719c1ed09f5cca64ffc007ca17f8ac6c65612a8f972b138d8cda244030f49ab -SHA512 (linux-6.12.0-124.55.1.el10_1.tar.xz) = 3e9c81009004ccc294f52270dd1405801aa496ed2526cb6497971086e23055869f2f47918bb1968369f038a0f24c18a4e6785065ebd56bbebf2d6d871afe6203 +SHA512 (kernel-abi-stablelists-6.12.0-124.56.1.el10_1.tar.xz) = ef6bfb858e1b5fcd14b5a45dbf1de5891fb2df15eb90f79f7fc09a8d7cef2dd20fe9014a1b6109382ba08b3f756513e0225c3cf62dfca1b1b280f36b99e63855 +SHA512 (kernel-kabi-dw-6.12.0-124.56.1.el10_1.tar.xz) = 5b48e2764dd6a3c940af371b2b7714d34cae6452765bd96f08add7cb9dfe9c6f2997e38d053ddec7ff54bc98e62e4adf5c74cf26c3d17c30051371522dea4f33 +SHA512 (linux-6.12.0-124.56.1.el10_1.tar.xz) = 4d15851de0020c3a79d3728f309d8c2bd7183f0da47366ed293cbdf09f421ec1bf9375e55b03faa9a7564c4a1d0d0504587cabef1c9139e6d676087270e6cde5 SHA512 (nvidiagpuoot001.x509) = b42f836e1cfa07890cb6ca13de9c3950e306c9ec7686c4c09f050bb68869f5d82962b2cd5f3aa0eb7a0f3a3ae54e9c480eafbac5df53aa92c295ff511a8c59fe SHA512 (olima1.x509) = 123c26c1d698cc8523845c6e1103b9c72abf855acd225d37baf1f3388a47f912166d6d786fb367fe46de39e011b586ad7f3963aa2e8923da30a6ea9ae0d76ad3 SHA512 (olimaca1.x509) = 3a779415fad29d6f7250ec97ab1f0a5eb62c351b724feee06b22e17f065bf74a558f32cc524d3222c4485635ae5b9cd5287855c94010fe743b51a4d954340c4c