hpsa: bring back deprecated PCI ids #CFHack #CFHack2024
mptsas: bring back deprecated PCI ids #CFHack #CFHack2024 megaraid_sas: bring back deprecated PCI ids #CFHack #CFHack2024 qla2xxx: bring back deprecated PCI ids #CFHack #CFHack2024 qla4xxx: bring back deprecated PCI ids lpfc: bring back deprecated PCI ids be2iscsi: bring back deprecated PCI ids kernel/rh_messages.h: enable all disabled pci devices by moving to unmaintained Use AlmaLinux OS secure boot cert Debrand for AlmaLinux OS
commit
13193e6166
2
.gitignore
vendored
2
.gitignore
vendored
@ -2,7 +2,7 @@ SOURCES/centossecureboot201.cer
|
||||
SOURCES/centossecurebootca2.cer
|
||||
SOURCES/kernel-abi-stablelists-4.18.0-553.tar.bz2
|
||||
SOURCES/kernel-kabi-dw-4.18.0-553.tar.bz2
|
||||
SOURCES/linux-4.18.0-553.126.1.el8_10.tar.xz
|
||||
SOURCES/linux-4.18.0-553.129.1.el8_10.tar.xz
|
||||
SOURCES/redhatsecureboot302.cer
|
||||
SOURCES/redhatsecureboot303.cer
|
||||
SOURCES/redhatsecureboot501.cer
|
||||
|
||||
@ -1,8 +1,8 @@
|
||||
2ba40bf9138b48311e5aa1b737b7f0a8ad66066f SOURCES/centossecureboot201.cer
|
||||
bfdb3d7cffc43f579655af5155d50c08671d95e5 SOURCES/centossecurebootca2.cer
|
||||
49a61800f679818fca986bfc9c514faa2b368ef2 SOURCES/kernel-abi-stablelists-4.18.0-553.tar.bz2
|
||||
a19619db377884811bec5a2de6ff19c3a78c23c8 SOURCES/kernel-kabi-dw-4.18.0-553.tar.bz2
|
||||
94908d687351961d0d28c1c3e0116eb95e7348e3 SOURCES/linux-4.18.0-553.126.1.el8_10.tar.xz
|
||||
58e959545555dbee3c2480b2a5a82de711c66e82 SOURCES/kernel-abi-stablelists-4.18.0-553.tar.bz2
|
||||
a9412293ca3fa02952c7aa91ac7089b13d017b6a SOURCES/kernel-kabi-dw-4.18.0-553.tar.bz2
|
||||
4d1d35f4fd8435065c2a9f77aa4be2c002893a82 SOURCES/linux-4.18.0-553.129.1.el8_10.tar.xz
|
||||
13e5cd3f856b472fde80a4deb75f4c18dfb5b255 SOURCES/redhatsecureboot302.cer
|
||||
e89890ca0ded2f9058651cc5fa838b78db2e6cc2 SOURCES/redhatsecureboot303.cer
|
||||
ba0b760e594ff668ee72ae348adf3e49b97f75fb SOURCES/redhatsecureboot501.cer
|
||||
|
||||
@ -1,66 +0,0 @@
|
||||
From 3da1fdf4efbc490041eb4f836bf596201203f8f2 Mon Sep 17 00:00:00 2001
|
||||
From: Asim Viladi Oglu Manizada <manizada@pm.me>
|
||||
Date: Sat, 16 May 2026 21:15:39 +0000
|
||||
Subject: smb: client: reject userspace cifs.spnego descriptions
|
||||
|
||||
cifs.spnego key descriptions contain authority-bearing fields such as
|
||||
pid, uid, creduid, and upcall_target that cifs.upcall treats as
|
||||
kernel-originating inputs. However, userspace can also create keys of
|
||||
this type through request_key(2) or add_key(2), allowing those fields to
|
||||
be supplied without CIFS origin.
|
||||
|
||||
Only accept cifs.spnego descriptions while CIFS is using its private
|
||||
spnego_cred to request the key.
|
||||
|
||||
Fixes: f1d662a7d5e5 ("[CIFS] Add upcall files for cifs to use spnego/kerberos")
|
||||
Assisted-by: avom-custom-harness:gpt-5.5-qwen3.6-mod-mix
|
||||
Reviewed-by: David Howells <dhowells@redhat.com>
|
||||
Signed-off-by: Asim Viladi Oglu Manizada <manizada@pm.me>
|
||||
Signed-off-by: Steve French <stfrench@microsoft.com>
|
||||
---
|
||||
fs/cifs/cifs_spnego.c | 16 ++++++++++++++++
|
||||
1 file changed, 16 insertions(+)
|
||||
|
||||
diff --git a/fs/cifs/cifs_spnego.c b/fs/cifs/cifs_spnego.c
|
||||
index 3a41bbada04c76..44c40727568042 100644
|
||||
--- a/fs/cifs/cifs_spnego.c
|
||||
+++ b/fs/cifs/cifs_spnego.c
|
||||
@@ -8,6 +8,7 @@
|
||||
*/
|
||||
|
||||
#include <linux/list.h>
|
||||
+#include <linux/cred.h>
|
||||
#include <linux/slab.h>
|
||||
#include <linux/string.h>
|
||||
#include <keys/user-type.h>
|
||||
@@ -40,12 +41,27 @@ cifs_spnego_key_destroy(struct key *key)
|
||||
kfree(key->payload.data[0]);
|
||||
}
|
||||
|
||||
+static int
|
||||
+cifs_spnego_key_vet_description(const char *description)
|
||||
+{
|
||||
+ /*
|
||||
+ * cifs.spnego descriptions are authority-bearing inputs to cifs.upcall.
|
||||
+ * They are only valid when produced by CIFS while using the private
|
||||
+ * spnego_cred installed below. Do not let userspace create this type
|
||||
+ * of key through request_key(2)/add_key(2), since the helper treats
|
||||
+ * pid/uid/creduid/upcall_target as kernel-originating fields.
|
||||
+ */
|
||||
+ if (current_cred() != spnego_cred)
|
||||
+ return -EPERM;
|
||||
+ return 0;
|
||||
+}
|
||||
|
||||
/*
|
||||
* keytype for CIFS spnego keys
|
||||
*/
|
||||
struct key_type cifs_spnego_key_type = {
|
||||
.name = "cifs.spnego",
|
||||
+ .vet_description = cifs_spnego_key_vet_description,
|
||||
.instantiate = cifs_spnego_key_instantiate,
|
||||
.destroy = cifs_spnego_key_destroy,
|
||||
.describe = user_describe,
|
||||
--
|
||||
cgit 1.3-korg
|
||||
|
||||
@ -38,11 +38,10 @@
|
||||
# define buildid .local
|
||||
|
||||
%define specversion 4.18.0
|
||||
%define pkgrelease 553.126.2.el8_10
|
||||
%define tarfile_release 553.126.1.el8_10
|
||||
%define pkgrelease 553.129.1.el8_10
|
||||
|
||||
# allow pkg_release to have configurable %%{?dist} tag
|
||||
%define specrelease 553.126.2%{?dist}
|
||||
%define specrelease 553.129.1%{?dist}
|
||||
|
||||
%define pkg_release %{specrelease}%{?buildid}
|
||||
|
||||
@ -436,7 +435,7 @@ BuildRequires: xmlto
|
||||
BuildRequires: asciidoc
|
||||
%endif
|
||||
|
||||
Source0: linux-%{specversion}-%{tarfile_release}.tar.xz
|
||||
Source0: linux-%{specversion}-%{pkgrelease}.tar.xz
|
||||
|
||||
Source9: x509.genkey
|
||||
|
||||
@ -531,8 +530,6 @@ Patch999999: linux-kernel-test.patch
|
||||
# AlmaLinux Patch
|
||||
Patch1000: debrand-single-cpu.patch
|
||||
Patch1002: debrand-rh-i686-cpu.patch
|
||||
Patch1100: 1100-smb-client-reject-userspace-cifs.spnego-descriptions.patch
|
||||
|
||||
Patch2001: 0001-Enable-all-disabled-pci-devices-by-moving-to-unmaint.patch
|
||||
Patch2002: 0002-Bring-back-deprecated-pci-ids-to-megaraid_sas-driver.patch
|
||||
Patch2003: 0003-Bring-back-deprecated-pci-ids-to-mptsas-mptspi-drive.patch
|
||||
@ -1099,9 +1096,9 @@ ApplyOptionalPatch()
|
||||
fi
|
||||
}
|
||||
|
||||
%setup -q -n %{name}-%{specversion}-%{tarfile_release} -c
|
||||
cp -v %{SOURCE9000} linux-%{specversion}-%{tarfile_release}/certs/rhel.pem
|
||||
mv linux-%{specversion}-%{tarfile_release} linux-%{KVERREL}
|
||||
%setup -q -n %{name}-%{specversion}-%{pkgrelease} -c
|
||||
cp -v %{SOURCE9000} linux-%{specversion}-%{pkgrelease}/certs/rhel.pem
|
||||
mv linux-%{specversion}-%{pkgrelease} linux-%{KVERREL}
|
||||
|
||||
cd linux-%{KVERREL}
|
||||
|
||||
@ -1110,7 +1107,6 @@ ApplyOptionalPatch linux-kernel-test.patch
|
||||
# Applying AlmaLinux Patch
|
||||
ApplyPatch debrand-single-cpu.patch
|
||||
ApplyPatch debrand-rh-i686-cpu.patch
|
||||
ApplyPatch 1100-smb-client-reject-userspace-cifs.spnego-descriptions.patch
|
||||
ApplyPatch 0001-Enable-all-disabled-pci-devices-by-moving-to-unmaint.patch
|
||||
ApplyPatch 0002-Bring-back-deprecated-pci-ids-to-megaraid_sas-driver.patch
|
||||
ApplyPatch 0003-Bring-back-deprecated-pci-ids-to-mptsas-mptspi-drive.patch
|
||||
@ -2717,11 +2713,7 @@ fi
|
||||
#
|
||||
#
|
||||
%changelog
|
||||
* Thu May 28 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 4.18.0-553.126.2
|
||||
- smb: client: reject userspace cifs.spnego descriptions (upstream commit
|
||||
3da1fdf4efbc)
|
||||
|
||||
* Thu May 28 2026 Andrei Lukoshko <alukoshko@almalinux.org> - 4.18.0-553.126.1
|
||||
* Thu Jun 04 2026 Andrei Lukoshko <alukoshko@almalinux.org> - 4.18.0-553.129.1
|
||||
- hpsa: bring back deprecated PCI ids #CFHack #CFHack2024
|
||||
- mptsas: bring back deprecated PCI ids #CFHack #CFHack2024
|
||||
- megaraid_sas: bring back deprecated PCI ids #CFHack #CFHack2024
|
||||
@ -2732,10 +2724,25 @@ fi
|
||||
- kernel/rh_messages.h: enable all disabled pci devices by moving to
|
||||
unmaintained
|
||||
|
||||
* Thu May 28 2026 Eduard Abdullin <eabdullin@almalinux.org> - 4.18.0-553.126.1
|
||||
* Thu Jun 04 2026 Eduard Abdullin <eabdullin@almalinux.org> - 4.18.0-553.129.1
|
||||
- Use AlmaLinux OS secure boot cert
|
||||
- Debrand for AlmaLinux OS
|
||||
|
||||
* Tue Jun 02 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [4.18.0-553.129.1.el8_10]
|
||||
- smb: client: reject userspace cifs.spnego descriptions (Paulo Alcantara) [RHEL-178938] {CVE-2026-46243}
|
||||
|
||||
* Fri May 29 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [4.18.0-553.128.1.el8_10]
|
||||
- smb: client: fix OOB reads parsing symlink error response (Paulo Alcantara) [RHEL-171465] {CVE-2026-31613}
|
||||
- geneve: Suppress list corruption splat in geneve_destroy_tunnels(). (Antoine Tenart) [RHEL-168961]
|
||||
- geneve: Fix use-after-free in geneve_find_dev(). (Antoine Tenart) [RHEL-168961] {CVE-2025-21858}
|
||||
- netfilter: nf_tables: release flowtable after rcu grace period on error (Florian Westphal) [RHEL-160514] {CVE-2026-23392}
|
||||
|
||||
* Wed May 27 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [4.18.0-553.127.1.el8_10]
|
||||
- smc: Fix use-after-free in tcp_write_timer_handler(). (Steve Best) [RHEL-167084] {CVE-2023-53781}
|
||||
- nbd: defer config unlock in nbd_genl_connect (CKI Backport Bot) [RHEL-166939] {CVE-2025-68366}
|
||||
- libceph: prevent potential out-of-bounds reads in handle_auth_done() (CKI Backport Bot) [RHEL-143892] {CVE-2026-22984}
|
||||
- libceph: replace overzealous BUG_ON in osdmap_apply_incremental() (CKI Backport Bot) [RHEL-143874] {CVE-2026-22990}
|
||||
|
||||
* Wed May 20 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [4.18.0-553.126.1.el8_10]
|
||||
- crypto: af_alg - Work around empty control messages without MSG_MORE (Thomas Huth) [RHEL-175772]
|
||||
- crypto: af_alg - Fix regression on empty requests (Thomas Huth) [RHEL-175772]
|
||||
|
||||
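Review bot: The %changelog no longer says what happened to the local cifs.spnego backport. Judging by the hunk counts, the 4.18.0-553.126.2 entry is removed together with `Patch1100` and its `ApplyPatch` line, and the AlmaLinux entries for 4.18.0-553.129.1 do not mention that the patch was retired. The only remaining trace is the inherited CKI line tagged [RHEL-178938] {CVE-2026-46243}. I would add a line under the Jun 04 AlmaLinux entry such as `- Drop 1100-smb-client-reject-userspace-cifs.spnego-descriptions.patch, included in 553.129.1 (CVE-2026-46243)` so anyone auditing the package for that CVE can see the fix was superseded rather than lost. Because the changelog text is the only evidence on this page, it is also worth confirming in the unpacked 553.129.1 tree that `cifs_spnego_key_type` in fs/cifs/cifs_spnego.c sets `.vet_description` before relying on the drop.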