Recreate RHEL 6.12.0-211.29.1 from CS10/upstream backports

This commit is contained in:
Andrew Lukoshko 2026-07-01 11:47:56 +00:00
parent 674503c679
commit 1cd3d0ece2
14 changed files with 1253 additions and 2 deletions

View File

@ -0,0 +1,110 @@
From a10f13521226dba6ce396abb8b1b91570f5b61ec Mon Sep 17 00:00:00 2001
From: Jaroslav Kysela <jkysela@redhat.com>
Date: Mon, 20 Apr 2026 14:32:13 +0200
Subject: [PATCH] ALSA: usb-audio: Add sanity check for OOB writes at silencing
JIRA: https://issues.redhat.com/browse/RHEL-168082
commit fba2105a157fffcf19825e4eea498346738c9948
Author: Takashi Iwai <tiwai@suse.de>
Date: Mon Feb 16 15:12:07 2026 +0100
ALSA: usb-audio: Add sanity check for OOB writes at silencing
At silencing the playback URB packets in the implicit fb mode before
the actual playback, we blindly assume that the received packets fit
with the buffer size. But when the setup in the capture stream
differs from the playback stream (e.g. due to the USB core limitation
of max packet size), such an inconsistency may lead to OOB writes to
the buffer, resulting in a crash.
For addressing it, add a sanity check of the transfer buffer size at
prepare_silent_urb(), and stop the data copy if the received data
overflows. Also, report back the transfer error properly from there,
too.
Note that this doesn't fix the root cause of the playback error
itself, but this merely covers the kernel Oops.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=221076
Link: https://patch.msgid.link/20260216141209.1849200-4-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <jkysela@redhat.com>
diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c
index 08cc2ee5707d..6e443f762de8 100644
--- a/sound/usb/endpoint.c
+++ b/sound/usb/endpoint.c
@@ -275,8 +275,8 @@ static inline bool has_tx_length_quirk(struct snd_usb_audio *chip)
return chip->quirk_flags & QUIRK_FLAG_TX_LENGTH;
}
-static void prepare_silent_urb(struct snd_usb_endpoint *ep,
- struct snd_urb_ctx *ctx)
+static int prepare_silent_urb(struct snd_usb_endpoint *ep,
+ struct snd_urb_ctx *ctx)
{
struct urb *urb = ctx->urb;
unsigned int offs = 0;
@@ -289,28 +289,34 @@ static void prepare_silent_urb(struct snd_usb_endpoint *ep,
extra = sizeof(packet_length);
for (i = 0; i < ctx->packets; ++i) {
- unsigned int offset;
- unsigned int length;
- int counts;
-
- counts = snd_usb_endpoint_next_packet_size(ep, ctx, i, 0);
- length = counts * ep->stride; /* number of silent bytes */
- offset = offs * ep->stride + extra * i;
- urb->iso_frame_desc[i].offset = offset;
+ int length;
+
+ length = snd_usb_endpoint_next_packet_size(ep, ctx, i, 0);
+ if (length < 0)
+ return length;
+ length *= ep->stride; /* number of silent bytes */
+ if (offs + length + extra > ctx->buffer_size)
+ break;
+ urb->iso_frame_desc[i].offset = offs;
urb->iso_frame_desc[i].length = length + extra;
if (extra) {
packet_length = cpu_to_le32(length);
- memcpy(urb->transfer_buffer + offset,
+ memcpy(urb->transfer_buffer + offs,
&packet_length, sizeof(packet_length));
+ offs += extra;
}
- memset(urb->transfer_buffer + offset + extra,
+ memset(urb->transfer_buffer + offs,
ep->silence_value, length);
- offs += counts;
+ offs += length;
}
- urb->number_of_packets = ctx->packets;
- urb->transfer_buffer_length = offs * ep->stride + ctx->packets * extra;
+ if (!offs)
+ return -EPIPE;
+
+ urb->number_of_packets = i;
+ urb->transfer_buffer_length = offs;
ctx->queued = 0;
+ return 0;
}
/*
@@ -332,8 +338,7 @@ static int prepare_outbound_urb(struct snd_usb_endpoint *ep,
if (data_subs && ep->prepare_data_urb)
return ep->prepare_data_urb(data_subs, urb, in_stream_lock);
/* no data provider, so send silence */
- prepare_silent_urb(ep, ctx);
- break;
+ return prepare_silent_urb(ep, ctx);
case SND_USB_ENDPOINT_TYPE_SYNC:
if (snd_usb_get_speed(ep->chip->dev) >= USB_SPEED_HIGH) {
--
2.50.1 (Apple Git-155)

View File

@ -0,0 +1,137 @@
From aef881da47f3c07173c5357b36a45fc4b754eb55 Mon Sep 17 00:00:00 2001
From: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
Date: Wed, 27 May 2026 17:21:48 +0000
Subject: [PATCH] ALSA: aloop: Fix peer runtime UAF during format-change stop
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
JIRA: https://redhat.atlassian.net/browse/RHEL-179311
CVE: CVE-2026-46090
Backported from tree(s): linux
commit e5c33cdc6f402eab8abd36ecf436b22c9d3a8aff
Author: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Date: Fri Apr 24 09:48:41 2026 -0300
ALSA: aloop: Fix peer runtime UAF during format-change stop
loopback_check_format() may stop the capture side when playback starts
with parameters that no longer match a running capture stream. Commit
826af7fa62e3 ("ALSA: aloop: Fix racy access at PCM trigger") moved
the peer lookup under cable->lock, but the actual snd_pcm_stop() still
runs after dropping that lock.
A concurrent close can clear the capture entry from cable->streams[] and
detach or free its runtime while the playback trigger path still holds a
stale peer substream pointer.
Keep a per-cable count of in-flight peer stops before dropping
cable->lock, and make free_cable() wait for those stops before
detaching the runtime. This preserves the existing behavior while
making the peer runtime lifetime explicit.
Reported-by: syzbot+8fa95c41eafbc9d2ff6f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8fa95c41eafbc9d2ff6f
Fixes: 597603d615d2 ("ALSA: introduce the snd-aloop module for the PCM loopback")
Cc: stable@vger.kernel.org
Suggested-by: Takashi Iwai <tiwai@suse.com>
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260424-alsa-aloop-peer-stop-uaf-v2-1-94e68101db8a@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
diff --git a/sound/drivers/aloop.c b/sound/drivers/aloop.c
index aa0d2fcb1a18..a37a1695f51c 100644
--- a/sound/drivers/aloop.c
+++ b/sound/drivers/aloop.c
@@ -99,6 +99,9 @@ struct loopback_ops {
struct loopback_cable {
spinlock_t lock;
struct loopback_pcm *streams[2];
+ /* in-flight peer stops running outside cable->lock */
+ atomic_t stop_count;
+ wait_queue_head_t stop_wait;
struct snd_pcm_hardware hw;
/* flags */
unsigned int valid;
@@ -366,8 +369,11 @@ static int loopback_check_format(struct loopback_cable *cable, int stream)
return 0;
if (stream == SNDRV_PCM_STREAM_CAPTURE)
return -EIO;
- else if (cruntime->state == SNDRV_PCM_STATE_RUNNING)
+ else if (cruntime->state == SNDRV_PCM_STATE_RUNNING) {
+ /* close must not free the peer runtime below */
+ atomic_inc(&cable->stop_count);
stop_capture = true;
+ }
}
setup = get_setup(dpcm_play);
@@ -396,8 +402,11 @@ static int loopback_check_format(struct loopback_cable *cable, int stream)
}
}
- if (stop_capture)
+ if (stop_capture) {
snd_pcm_stop(dpcm_capt->substream, SNDRV_PCM_STATE_DRAINING);
+ if (atomic_dec_and_test(&cable->stop_count))
+ wake_up(&cable->stop_wait);
+ }
return 0;
}
@@ -1049,23 +1058,29 @@ static void free_cable(struct snd_pcm_substream *substream)
struct loopback *loopback = substream->private_data;
int dev = get_cable_index(substream);
struct loopback_cable *cable;
+ struct loopback_pcm *dpcm;
+ bool other_alive;
cable = loopback->cables[substream->number][dev];
if (!cable)
return;
- if (cable->streams[!substream->stream]) {
- /* other stream is still alive */
- guard(spinlock_irq)(&cable->lock);
- cable->streams[substream->stream] = NULL;
- } else {
- struct loopback_pcm *dpcm = substream->runtime->private_data;
- if (cable->ops && cable->ops->close_cable && dpcm)
- cable->ops->close_cable(dpcm);
- /* free the cable */
- loopback->cables[substream->number][dev] = NULL;
- kfree(cable);
+ scoped_guard(spinlock_irq, &cable->lock) {
+ cable->streams[substream->stream] = NULL;
+ other_alive = cable->streams[!substream->stream];
}
+
+ /* Pair with the stop_count increment in loopback_check_format(). */
+ wait_event(cable->stop_wait, !atomic_read(&cable->stop_count));
+ if (other_alive)
+ return;
+
+ dpcm = substream->runtime->private_data;
+ if (cable->ops && cable->ops->close_cable && dpcm)
+ cable->ops->close_cable(dpcm);
+ /* free the cable */
+ loopback->cables[substream->number][dev] = NULL;
+ kfree(cable);
}
static int loopback_jiffies_timer_open(struct loopback_pcm *dpcm)
@@ -1260,6 +1275,8 @@ static int loopback_open(struct snd_pcm_substream *substream)
goto unlock;
}
spin_lock_init(&cable->lock);
+ atomic_set(&cable->stop_count, 0);
+ init_waitqueue_head(&cable->stop_wait);
cable->hw = loopback_pcm_hardware;
if (loopback->timer_source)
cable->ops = &loopback_snd_timer_ops;
--
2.50.1 (Apple Git-155)

View File

@ -0,0 +1,34 @@
From 45d25e3ec17900bf5a9d6876ff16ceee31c4c0e0 Mon Sep 17 00:00:00 2001
From: Jason Gunthorpe <jgg@nvidia.com>
Date: Tue, 28 Apr 2026 13:17:43 -0300
Subject: [PATCH] RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext()
error path
commit e38e86995df27f1f854063dab1f0c6a513db3faf upstream.
Sashiko points out that pvrdma_uar_free() is already called within
pvrdma_dealloc_ucontext(), so calling it before triggers a double free.
Cc: stable@vger.kernel.org
Fixes: 29c8d9eba550 ("IB: Add vmw_pvrdma driver")
Link: https://sashiko.dev/#/patchset/0-v1-e911b76a94d1%2B65d95-rdma_udata_rep_jgg%40nvidia.com?part=4
Link: https://patch.msgid.link/r/10-v1-41f3135e5565+9d2-rdma_ai_fixes1_jgg@nvidia.com
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.c b/drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.c
index 9f54aa90a35a..dde1910dd8b1 100644
--- a/drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.c
+++ b/drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.c
@@ -350,7 +350,7 @@ int pvrdma_alloc_ucontext(struct ib_ucontext *uctx, struct ib_udata *udata)
uresp.qp_tab_size = vdev->dsr->caps.max_qp;
ret = ib_copy_to_udata(udata, &uresp, sizeof(uresp));
if (ret) {
- pvrdma_uar_free(vdev, &context->uar);
+ /* pvrdma_dealloc_ucontext() also frees the UAR */
pvrdma_dealloc_ucontext(&context->ibucontext);
return -EFAULT;
}
--
2.50.1 (Apple Git-155)

View File

@ -0,0 +1,166 @@
From 93e4b63cd923391c972220739a5fcc7bc01a4cb7 Mon Sep 17 00:00:00 2001
From: Nilesh Javali <njavali@redhat.com>
Date: Thu, 19 Mar 2026 15:01:53 +0530
Subject: [PATCH] scsi: qla2xxx: Add support to report MPI FW state
JIRA: https://redhat.atlassian.net/browse/RHEL-157286
Upstream Status: git://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git
commit 0e124af675ebabddacfeb0958abd443265dddf13
Author: Nilesh Javali <njavali@marvell.com>
Date: Thu Mar 5 15:03:37 2026 +0530
scsi: qla2xxx: Add support to report MPI FW state
MPI firmware state was returned as 0. Get MPI FW state to proceed with
flash image validation.
A new sysfs node 'mpi_fw_state' is added to report MPI firmware state:
/sys/class/scsi_host/hostXX/mpi_fw_state
Fixes: d74181ca110e ("scsi: qla2xxx: Add bsg interface to support firmware img validation")
Signed-off-by: Nilesh Javali <njavali@marvell.com>
Link: https://patch.msgid.link/20260305093337.2007205-1-njavali@marvell.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Nilesh Javali <njavali@redhat.com>
diff --git a/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c
index 2e584a8bf66b..6a05ce195aa0 100644
--- a/drivers/scsi/qla2xxx/qla_attr.c
+++ b/drivers/scsi/qla2xxx/qla_attr.c
@@ -1638,7 +1638,7 @@ qla2x00_fw_state_show(struct device *dev, struct device_attribute *attr,
{
scsi_qla_host_t *vha = shost_priv(class_to_shost(dev));
int rval = QLA_FUNCTION_FAILED;
- uint16_t state[6];
+ uint16_t state[16];
uint32_t pstate;
if (IS_QLAFX00(vha->hw)) {
@@ -2402,6 +2402,63 @@ qla2x00_dport_diagnostics_show(struct device *dev,
vha->dport_data[0], vha->dport_data[1],
vha->dport_data[2], vha->dport_data[3]);
}
+
+static ssize_t
+qla2x00_mpi_fw_state_show(struct device *dev, struct device_attribute *attr,
+ char *buf)
+{
+ scsi_qla_host_t *vha = shost_priv(class_to_shost(dev));
+ int rval = QLA_FUNCTION_FAILED;
+ u16 state[16];
+ u16 mpi_state;
+ struct qla_hw_data *ha = vha->hw;
+
+ if (!(IS_QLA27XX(ha) || IS_QLA28XX(ha)))
+ return scnprintf(buf, PAGE_SIZE,
+ "MPI state reporting is not supported for this HBA.\n");
+
+ memset(state, 0, sizeof(state));
+
+ mutex_lock(&vha->hw->optrom_mutex);
+ if (qla2x00_chip_is_down(vha)) {
+ mutex_unlock(&vha->hw->optrom_mutex);
+ ql_dbg(ql_dbg_user, vha, 0x70df,
+ "ISP reset is in progress, failing mpi_fw_state.\n");
+ return -EBUSY;
+ } else if (vha->hw->flags.eeh_busy) {
+ mutex_unlock(&vha->hw->optrom_mutex);
+ ql_dbg(ql_dbg_user, vha, 0x70ea,
+ "HBA in PCI error state, failing mpi_fw_state.\n");
+ return -EBUSY;
+ }
+
+ rval = qla2x00_get_firmware_state(vha, state);
+ mutex_unlock(&vha->hw->optrom_mutex);
+ if (rval != QLA_SUCCESS) {
+ ql_dbg(ql_dbg_user, vha, 0x70eb,
+ "MB Command to retrieve MPI state failed (%d), failing mpi_fw_state.\n",
+ rval);
+ return -EIO;
+ }
+
+ mpi_state = state[11];
+
+ if (!(mpi_state & BIT_15))
+ return scnprintf(buf, PAGE_SIZE,
+ "MPI firmware state reporting is not supported by this firmware. (0x%02x)\n",
+ mpi_state);
+
+ if (!(mpi_state & BIT_8))
+ return scnprintf(buf, PAGE_SIZE,
+ "MPI firmware is disabled. (0x%02x)\n",
+ mpi_state);
+
+ return scnprintf(buf, PAGE_SIZE,
+ "MPI firmware is enabled, state is %s. (0x%02x)\n",
+ mpi_state & BIT_9 ? "active" : "inactive",
+ mpi_state);
+}
+
static DEVICE_ATTR(dport_diagnostics, 0444,
qla2x00_dport_diagnostics_show, NULL);
@@ -2469,6 +2526,8 @@ static DEVICE_ATTR(port_speed, 0644, qla2x00_port_speed_show,
qla2x00_port_speed_store);
static DEVICE_ATTR(port_no, 0444, qla2x00_port_no_show, NULL);
static DEVICE_ATTR(fw_attr, 0444, qla2x00_fw_attr_show, NULL);
+static DEVICE_ATTR(mpi_fw_state, 0444, qla2x00_mpi_fw_state_show, NULL);
+
static struct attribute *qla2x00_host_attrs[] = {
&dev_attr_driver_version.attr.attr,
@@ -2517,6 +2576,7 @@ static struct attribute *qla2x00_host_attrs[] = {
&dev_attr_qlini_mode.attr,
&dev_attr_ql2xiniexchg.attr,
&dev_attr_ql2xexchoffld.attr,
+ &dev_attr_mpi_fw_state.attr,
NULL,
};
diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
index 93ca7319bd6a..bee76b8d9e35 100644
--- a/drivers/scsi/qla2xxx/qla_init.c
+++ b/drivers/scsi/qla2xxx/qla_init.c
@@ -4916,7 +4916,7 @@ qla2x00_fw_ready(scsi_qla_host_t *vha)
unsigned long wtime, mtime, cs84xx_time;
uint16_t min_wait; /* Minimum wait time if loop is down */
uint16_t wait_time; /* Wait time if loop is coming ready */
- uint16_t state[6];
+ uint16_t state[16];
struct qla_hw_data *ha = vha->hw;
if (IS_QLAFX00(vha->hw))
diff --git a/drivers/scsi/qla2xxx/qla_mbx.c b/drivers/scsi/qla2xxx/qla_mbx.c
index d0f09f0a2459..e3ee26058901 100644
--- a/drivers/scsi/qla2xxx/qla_mbx.c
+++ b/drivers/scsi/qla2xxx/qla_mbx.c
@@ -2266,6 +2266,13 @@ qla2x00_get_firmware_state(scsi_qla_host_t *vha, uint16_t *states)
mcp->in_mb = MBX_6|MBX_5|MBX_4|MBX_3|MBX_2|MBX_1|MBX_0;
else
mcp->in_mb = MBX_1|MBX_0;
+
+ if (IS_QLA27XX(ha) || IS_QLA28XX(ha)) {
+ mcp->mb[12] = 0;
+ mcp->out_mb |= MBX_12;
+ mcp->in_mb |= MBX_12;
+ }
+
mcp->tov = MBX_TOV_SECONDS;
mcp->flags = 0;
rval = qla2x00_mailbox_command(vha, mcp);
@@ -2278,6 +2285,8 @@ qla2x00_get_firmware_state(scsi_qla_host_t *vha, uint16_t *states)
states[3] = mcp->mb[4];
states[4] = mcp->mb[5];
states[5] = mcp->mb[6]; /* DPORT status */
+ if (IS_QLA27XX(ha) || IS_QLA28XX(ha))
+ states[11] = mcp->mb[12]; /* MPI state. */
}
if (rval != QLA_SUCCESS) {
--
2.50.1 (Apple Git-155)

View File

@ -0,0 +1,46 @@
From 2f96df36f51ba409638b0111c4b1d7b30a88008c Mon Sep 17 00:00:00 2001
From: Vladislav Dronov <vdronov@redhat.com>
Date: Sun, 7 Jun 2026 23:23:19 +0200
Subject: [PATCH] crypto: tegra - remove unneeded crypto_engine_stop() call
JIRA: https://redhat.atlassian.net/browse/RHEL-176465
Upstream Status: merged into the upstream linux.git
commit 6ef46fec4171433fd9a3162b88ec2ce808676193
Author: Ovidiu Panait <ovidiu.panait.oss@gmail.com>
Date: Sun Oct 20 22:25:31 2024 +0300
crypto: tegra - remove unneeded crypto_engine_stop() call
The explicit crypto_engine_stop() call is not needed, as it is already
called internally by crypto_engine_exit().
Signed-off-by: Ovidiu Panait <ovidiu.panait.oss@gmail.com>
Acked-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Vladislav Dronov <vdronov@redhat.com>
diff --git a/drivers/crypto/tegra/tegra-se-main.c b/drivers/crypto/tegra/tegra-se-main.c
index db5890c7f098..15ed363d09c9 100644
--- a/drivers/crypto/tegra/tegra-se-main.c
+++ b/drivers/crypto/tegra/tegra-se-main.c
@@ -320,7 +320,6 @@ static int tegra_se_probe(struct platform_device *pdev)
ret = tegra_se_host1x_register(se);
if (ret) {
- crypto_engine_stop(se->engine);
crypto_engine_exit(se->engine);
return dev_err_probe(dev, ret, "failed to init host1x params\n");
}
@@ -332,7 +331,6 @@ static void tegra_se_remove(struct platform_device *pdev)
{
struct tegra_se *se = platform_get_drvdata(pdev);
- crypto_engine_stop(se->engine);
crypto_engine_exit(se->engine);
host1x_client_unregister(&se->client);
}
--
2.50.1 (Apple Git-155)

View File

@ -0,0 +1,131 @@
From 219a1eb51634836cdf22208c1b6589c3533f89fd Mon Sep 17 00:00:00 2001
From: Vladislav Dronov <vdronov@redhat.com>
Date: Sun, 7 Jun 2026 23:23:19 +0200
Subject: [PATCH] crypto: tegra - use API helpers to setup fallback request
JIRA: https://redhat.atlassian.net/browse/RHEL-176465
Upstream Status: merged into the upstream linux.git
commit c1024581ff2c34db4fdfe857b29f606e5117eb12
Author: Ovidiu Panait <ovidiu.panait.oss@gmail.com>
Date: Mon Apr 7 15:36:04 2025 +0300
crypto: tegra - use API helpers to setup fallback request
Rather than setting up the fallback request by hand, use
ahash_request_set_callback() and ahash_request_set_crypt() API helpers
to properly setup the new request.
Signed-off-by: Ovidiu Panait <ovidiu.panait.oss@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Vladislav Dronov <vdronov@redhat.com>
diff --git a/drivers/crypto/tegra/tegra-se-hash.c b/drivers/crypto/tegra/tegra-se-hash.c
index 90bf34eb3578..e3fe5911a324 100644
--- a/drivers/crypto/tegra/tegra-se-hash.c
+++ b/drivers/crypto/tegra/tegra-se-hash.c
@@ -118,8 +118,9 @@ static int tegra_sha_fallback_init(struct ahash_request *req)
struct tegra_sha_ctx *ctx = crypto_ahash_ctx(tfm);
ahash_request_set_tfm(&rctx->fallback_req, ctx->fallback_tfm);
- rctx->fallback_req.base.flags = req->base.flags &
- CRYPTO_TFM_REQ_MAY_SLEEP;
+ ahash_request_set_callback(&rctx->fallback_req,
+ req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP,
+ req->base.complete, req->base.data);
return crypto_ahash_init(&rctx->fallback_req);
}
@@ -131,10 +132,10 @@ static int tegra_sha_fallback_update(struct ahash_request *req)
struct tegra_sha_ctx *ctx = crypto_ahash_ctx(tfm);
ahash_request_set_tfm(&rctx->fallback_req, ctx->fallback_tfm);
- rctx->fallback_req.base.flags = req->base.flags &
- CRYPTO_TFM_REQ_MAY_SLEEP;
- rctx->fallback_req.nbytes = req->nbytes;
- rctx->fallback_req.src = req->src;
+ ahash_request_set_callback(&rctx->fallback_req,
+ req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP,
+ req->base.complete, req->base.data);
+ ahash_request_set_crypt(&rctx->fallback_req, req->src, NULL, req->nbytes);
return crypto_ahash_update(&rctx->fallback_req);
}
@@ -146,9 +147,10 @@ static int tegra_sha_fallback_final(struct ahash_request *req)
struct tegra_sha_ctx *ctx = crypto_ahash_ctx(tfm);
ahash_request_set_tfm(&rctx->fallback_req, ctx->fallback_tfm);
- rctx->fallback_req.base.flags = req->base.flags &
- CRYPTO_TFM_REQ_MAY_SLEEP;
- rctx->fallback_req.result = req->result;
+ ahash_request_set_callback(&rctx->fallback_req,
+ req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP,
+ req->base.complete, req->base.data);
+ ahash_request_set_crypt(&rctx->fallback_req, NULL, req->result, 0);
return crypto_ahash_final(&rctx->fallback_req);
}
@@ -160,12 +162,11 @@ static int tegra_sha_fallback_finup(struct ahash_request *req)
struct tegra_sha_ctx *ctx = crypto_ahash_ctx(tfm);
ahash_request_set_tfm(&rctx->fallback_req, ctx->fallback_tfm);
- rctx->fallback_req.base.flags = req->base.flags &
- CRYPTO_TFM_REQ_MAY_SLEEP;
-
- rctx->fallback_req.nbytes = req->nbytes;
- rctx->fallback_req.src = req->src;
- rctx->fallback_req.result = req->result;
+ ahash_request_set_callback(&rctx->fallback_req,
+ req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP,
+ req->base.complete, req->base.data);
+ ahash_request_set_crypt(&rctx->fallback_req, req->src, req->result,
+ req->nbytes);
return crypto_ahash_finup(&rctx->fallback_req);
}
@@ -177,12 +178,11 @@ static int tegra_sha_fallback_digest(struct ahash_request *req)
struct tegra_sha_ctx *ctx = crypto_ahash_ctx(tfm);
ahash_request_set_tfm(&rctx->fallback_req, ctx->fallback_tfm);
- rctx->fallback_req.base.flags = req->base.flags &
- CRYPTO_TFM_REQ_MAY_SLEEP;
-
- rctx->fallback_req.nbytes = req->nbytes;
- rctx->fallback_req.src = req->src;
- rctx->fallback_req.result = req->result;
+ ahash_request_set_callback(&rctx->fallback_req,
+ req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP,
+ req->base.complete, req->base.data);
+ ahash_request_set_crypt(&rctx->fallback_req, req->src, req->result,
+ req->nbytes);
return crypto_ahash_digest(&rctx->fallback_req);
}
@@ -194,8 +194,9 @@ static int tegra_sha_fallback_import(struct ahash_request *req, const void *in)
struct tegra_sha_ctx *ctx = crypto_ahash_ctx(tfm);
ahash_request_set_tfm(&rctx->fallback_req, ctx->fallback_tfm);
- rctx->fallback_req.base.flags = req->base.flags &
- CRYPTO_TFM_REQ_MAY_SLEEP;
+ ahash_request_set_callback(&rctx->fallback_req,
+ req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP,
+ req->base.complete, req->base.data);
return crypto_ahash_import(&rctx->fallback_req, in);
}
@@ -207,8 +208,9 @@ static int tegra_sha_fallback_export(struct ahash_request *req, void *out)
struct tegra_sha_ctx *ctx = crypto_ahash_ctx(tfm);
ahash_request_set_tfm(&rctx->fallback_req, ctx->fallback_tfm);
- rctx->fallback_req.base.flags = req->base.flags &
- CRYPTO_TFM_REQ_MAY_SLEEP;
+ ahash_request_set_callback(&rctx->fallback_req,
+ req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP,
+ req->base.complete, req->base.data);
return crypto_ahash_export(&rctx->fallback_req, out);
}
--
2.50.1 (Apple Git-155)

View File

@ -0,0 +1,46 @@
From d7e26cf1c6ec1ec012332f9b1ef126087c968d13 Mon Sep 17 00:00:00 2001
From: Vladislav Dronov <vdronov@redhat.com>
Date: Sun, 7 Jun 2026 23:23:19 +0200
Subject: [PATCH] crypto: tegra - Remove the use of dev_err_probe()
JIRA: https://redhat.atlassian.net/browse/RHEL-176465
Upstream Status: merged into the upstream linux.git
commit 8595bcb09b05a6c712c35f03ef701e7785895b51
Author: Liao Yuanhong <liaoyuanhong@vivo.com>
Date: Wed Aug 20 20:37:52 2025 +0800
crypto: tegra - Remove the use of dev_err_probe()
Logging messages that show some type of "out of memory" error are generally
unnecessary as there is a generic message and a stack dump done by the
memory subsystem. These messages generally increase kernel size without
much added value[1].
The dev_err_probe() doesn't do anything when error is '-ENOMEM'. Therefore,
remove the useless call to dev_err_probe(), and just return the value
instead.
[1]: https://lore.kernel.org/lkml/1402419340.30479.18.camel@joe-AO725/
Signed-off-by: Liao Yuanhong <liaoyuanhong@vivo.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Vladislav Dronov <vdronov@redhat.com>
diff --git a/drivers/crypto/tegra/tegra-se-main.c b/drivers/crypto/tegra/tegra-se-main.c
index 15ed363d09c9..4e7115b247e7 100644
--- a/drivers/crypto/tegra/tegra-se-main.c
+++ b/drivers/crypto/tegra/tegra-se-main.c
@@ -310,7 +310,7 @@ static int tegra_se_probe(struct platform_device *pdev)
se->engine = crypto_engine_alloc_init(dev, 0);
if (!se->engine)
- return dev_err_probe(dev, -ENOMEM, "failed to init crypto engine\n");
+ return -ENOMEM;
ret = crypto_engine_start(se->engine);
if (ret) {
--
2.50.1 (Apple Git-155)

View File

@ -0,0 +1,43 @@
From a1d28aa82ab3b030bc0df6b55781f5b0f6d621cc Mon Sep 17 00:00:00 2001
From: Vladislav Dronov <vdronov@redhat.com>
Date: Sun, 7 Jun 2026 23:23:19 +0200
Subject: [PATCH] crypto: tegra - Use int type to store negative error codes
JIRA: https://redhat.atlassian.net/browse/RHEL-176465
Upstream Status: merged into the upstream linux.git
commit a710a71cd8ad294937e03b352cd71deb7ad08700
Author: Qianfeng Rong <rongqianfeng@vivo.com>
Date: Wed Sep 3 21:25:37 2025 +0800
crypto: tegra - Use int type to store negative error codes
Change the 'ret' variable in tegra_sha_do_update() from unsigned int to
int, as it needs to store either negative error codes or zero returned
by tegra_se_host1x_submit().
No effect on runtime.
Signed-off-by: Qianfeng Rong <rongqianfeng@vivo.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Vladislav Dronov <vdronov@redhat.com>
diff --git a/drivers/crypto/tegra/tegra-se-hash.c b/drivers/crypto/tegra/tegra-se-hash.c
index e3fe5911a324..79f1e5c9b729 100644
--- a/drivers/crypto/tegra/tegra-se-hash.c
+++ b/drivers/crypto/tegra/tegra-se-hash.c
@@ -401,8 +401,9 @@ static int tegra_sha_do_update(struct ahash_request *req)
struct tegra_sha_ctx *ctx = crypto_ahash_ctx(crypto_ahash_reqtfm(req));
struct tegra_sha_reqctx *rctx = ahash_request_ctx(req);
struct tegra_se *se = ctx->se;
- unsigned int nblks, nresidue, size, ret;
+ unsigned int nblks, nresidue, size;
u32 *cpuvaddr = se->cmdbuf->addr;
+ int ret;
nresidue = (req->nbytes + rctx->residue.size) % rctx->blk_size;
nblks = (req->nbytes + rctx->residue.size) / rctx->blk_size;
--
2.50.1 (Apple Git-155)

View File

@ -0,0 +1,224 @@
From cc5bf4cbc38613252229691b5e3a5a4c5aea92af Mon Sep 17 00:00:00 2001
From: Vladislav Dronov <vdronov@redhat.com>
Date: Sun, 7 Jun 2026 23:23:19 +0200
Subject: [PATCH] crypto: tegra - Add missing CRYPTO_ALG_ASYNC
JIRA: https://redhat.atlassian.net/browse/RHEL-176465
Upstream Status: merged into the upstream linux.git
CVE: CVE-2026-31739
commit 4b56770d345524fc2acc143a2b85539cf7d74bc1
Author: Eric Biggers <ebiggers@kernel.org>
Date: Mon Mar 16 13:21:19 2026 -0700
crypto: tegra - Add missing CRYPTO_ALG_ASYNC
The tegra crypto driver failed to set the CRYPTO_ALG_ASYNC on its
asynchronous algorithms, causing the crypto API to select them for users
that request only synchronous algorithms. This causes crashes (at
least). Fix this by adding the flag like what the other drivers do.
Also remove the unnecessary CRYPTO_ALG_TYPE_* flags, since those just
get ignored and overridden by the registration function anyway.
Reported-by: Zorro Lang <zlang@redhat.com>
Closes: https://lore.kernel.org/r/20260314080937.pghb4aa7d4je3mhh@dell-per750-06-vm-08.rhts.eng.pek2.redhat.com
Fixes: 0880bb3b00c8 ("crypto: tegra - Add Tegra Security Engine driver")
Cc: stable@vger.kernel.org
Cc: Akhil R <akhilrajeev@nvidia.com>
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Vladislav Dronov <vdronov@redhat.com>
diff --git a/drivers/crypto/tegra/tegra-se-aes.c b/drivers/crypto/tegra/tegra-se-aes.c
index 8b91f00b9c31..30c78afe3dea 100644
--- a/drivers/crypto/tegra/tegra-se-aes.c
+++ b/drivers/crypto/tegra/tegra-se-aes.c
@@ -532,7 +532,7 @@ static struct tegra_se_alg tegra_aes_algs[] = {
.cra_name = "cbc(aes)",
.cra_driver_name = "cbc-aes-tegra",
.cra_priority = 500,
- .cra_flags = CRYPTO_ALG_TYPE_SKCIPHER | CRYPTO_ALG_ASYNC,
+ .cra_flags = CRYPTO_ALG_ASYNC,
.cra_blocksize = AES_BLOCK_SIZE,
.cra_ctxsize = sizeof(struct tegra_aes_ctx),
.cra_alignmask = 0xf,
@@ -553,7 +553,7 @@ static struct tegra_se_alg tegra_aes_algs[] = {
.cra_name = "ecb(aes)",
.cra_driver_name = "ecb-aes-tegra",
.cra_priority = 500,
- .cra_flags = CRYPTO_ALG_TYPE_SKCIPHER | CRYPTO_ALG_ASYNC,
+ .cra_flags = CRYPTO_ALG_ASYNC,
.cra_blocksize = AES_BLOCK_SIZE,
.cra_ctxsize = sizeof(struct tegra_aes_ctx),
.cra_alignmask = 0xf,
@@ -575,7 +575,7 @@ static struct tegra_se_alg tegra_aes_algs[] = {
.cra_name = "ctr(aes)",
.cra_driver_name = "ctr-aes-tegra",
.cra_priority = 500,
- .cra_flags = CRYPTO_ALG_TYPE_SKCIPHER | CRYPTO_ALG_ASYNC,
+ .cra_flags = CRYPTO_ALG_ASYNC,
.cra_blocksize = 1,
.cra_ctxsize = sizeof(struct tegra_aes_ctx),
.cra_alignmask = 0xf,
@@ -597,6 +597,7 @@ static struct tegra_se_alg tegra_aes_algs[] = {
.cra_name = "xts(aes)",
.cra_driver_name = "xts-aes-tegra",
.cra_priority = 500,
+ .cra_flags = CRYPTO_ALG_ASYNC,
.cra_blocksize = AES_BLOCK_SIZE,
.cra_ctxsize = sizeof(struct tegra_aes_ctx),
.cra_alignmask = (__alignof__(u64) - 1),
@@ -1931,6 +1932,7 @@ static struct tegra_se_alg tegra_aead_algs[] = {
.cra_name = "gcm(aes)",
.cra_driver_name = "gcm-aes-tegra",
.cra_priority = 500,
+ .cra_flags = CRYPTO_ALG_ASYNC,
.cra_blocksize = 1,
.cra_ctxsize = sizeof(struct tegra_aead_ctx),
.cra_alignmask = 0xf,
@@ -1953,6 +1955,7 @@ static struct tegra_se_alg tegra_aead_algs[] = {
.cra_name = "ccm(aes)",
.cra_driver_name = "ccm-aes-tegra",
.cra_priority = 500,
+ .cra_flags = CRYPTO_ALG_ASYNC,
.cra_blocksize = 1,
.cra_ctxsize = sizeof(struct tegra_aead_ctx),
.cra_alignmask = 0xf,
@@ -1980,7 +1983,7 @@ static struct tegra_se_alg tegra_cmac_algs[] = {
.cra_name = "cmac(aes)",
.cra_driver_name = "tegra-se-cmac",
.cra_priority = 300,
- .cra_flags = CRYPTO_ALG_TYPE_AHASH,
+ .cra_flags = CRYPTO_ALG_ASYNC,
.cra_blocksize = AES_BLOCK_SIZE,
.cra_ctxsize = sizeof(struct tegra_cmac_ctx),
.cra_alignmask = 0,
diff --git a/drivers/crypto/tegra/tegra-se-hash.c b/drivers/crypto/tegra/tegra-se-hash.c
index 79f1e5c9b729..23d549801612 100644
--- a/drivers/crypto/tegra/tegra-se-hash.c
+++ b/drivers/crypto/tegra/tegra-se-hash.c
@@ -764,7 +764,7 @@ static struct tegra_se_alg tegra_hash_algs[] = {
.cra_name = "sha1",
.cra_driver_name = "tegra-se-sha1",
.cra_priority = 300,
- .cra_flags = CRYPTO_ALG_TYPE_AHASH,
+ .cra_flags = CRYPTO_ALG_ASYNC,
.cra_blocksize = SHA1_BLOCK_SIZE,
.cra_ctxsize = sizeof(struct tegra_sha_ctx),
.cra_alignmask = 0,
@@ -789,7 +789,7 @@ static struct tegra_se_alg tegra_hash_algs[] = {
.cra_name = "sha224",
.cra_driver_name = "tegra-se-sha224",
.cra_priority = 300,
- .cra_flags = CRYPTO_ALG_TYPE_AHASH,
+ .cra_flags = CRYPTO_ALG_ASYNC,
.cra_blocksize = SHA224_BLOCK_SIZE,
.cra_ctxsize = sizeof(struct tegra_sha_ctx),
.cra_alignmask = 0,
@@ -814,7 +814,7 @@ static struct tegra_se_alg tegra_hash_algs[] = {
.cra_name = "sha256",
.cra_driver_name = "tegra-se-sha256",
.cra_priority = 300,
- .cra_flags = CRYPTO_ALG_TYPE_AHASH,
+ .cra_flags = CRYPTO_ALG_ASYNC,
.cra_blocksize = SHA256_BLOCK_SIZE,
.cra_ctxsize = sizeof(struct tegra_sha_ctx),
.cra_alignmask = 0,
@@ -839,7 +839,7 @@ static struct tegra_se_alg tegra_hash_algs[] = {
.cra_name = "sha384",
.cra_driver_name = "tegra-se-sha384",
.cra_priority = 300,
- .cra_flags = CRYPTO_ALG_TYPE_AHASH,
+ .cra_flags = CRYPTO_ALG_ASYNC,
.cra_blocksize = SHA384_BLOCK_SIZE,
.cra_ctxsize = sizeof(struct tegra_sha_ctx),
.cra_alignmask = 0,
@@ -864,7 +864,7 @@ static struct tegra_se_alg tegra_hash_algs[] = {
.cra_name = "sha512",
.cra_driver_name = "tegra-se-sha512",
.cra_priority = 300,
- .cra_flags = CRYPTO_ALG_TYPE_AHASH,
+ .cra_flags = CRYPTO_ALG_ASYNC,
.cra_blocksize = SHA512_BLOCK_SIZE,
.cra_ctxsize = sizeof(struct tegra_sha_ctx),
.cra_alignmask = 0,
@@ -889,7 +889,7 @@ static struct tegra_se_alg tegra_hash_algs[] = {
.cra_name = "sha3-224",
.cra_driver_name = "tegra-se-sha3-224",
.cra_priority = 300,
- .cra_flags = CRYPTO_ALG_TYPE_AHASH,
+ .cra_flags = CRYPTO_ALG_ASYNC,
.cra_blocksize = SHA3_224_BLOCK_SIZE,
.cra_ctxsize = sizeof(struct tegra_sha_ctx),
.cra_alignmask = 0,
@@ -914,7 +914,7 @@ static struct tegra_se_alg tegra_hash_algs[] = {
.cra_name = "sha3-256",
.cra_driver_name = "tegra-se-sha3-256",
.cra_priority = 300,
- .cra_flags = CRYPTO_ALG_TYPE_AHASH,
+ .cra_flags = CRYPTO_ALG_ASYNC,
.cra_blocksize = SHA3_256_BLOCK_SIZE,
.cra_ctxsize = sizeof(struct tegra_sha_ctx),
.cra_alignmask = 0,
@@ -939,7 +939,7 @@ static struct tegra_se_alg tegra_hash_algs[] = {
.cra_name = "sha3-384",
.cra_driver_name = "tegra-se-sha3-384",
.cra_priority = 300,
- .cra_flags = CRYPTO_ALG_TYPE_AHASH,
+ .cra_flags = CRYPTO_ALG_ASYNC,
.cra_blocksize = SHA3_384_BLOCK_SIZE,
.cra_ctxsize = sizeof(struct tegra_sha_ctx),
.cra_alignmask = 0,
@@ -964,7 +964,7 @@ static struct tegra_se_alg tegra_hash_algs[] = {
.cra_name = "sha3-512",
.cra_driver_name = "tegra-se-sha3-512",
.cra_priority = 300,
- .cra_flags = CRYPTO_ALG_TYPE_AHASH,
+ .cra_flags = CRYPTO_ALG_ASYNC,
.cra_blocksize = SHA3_512_BLOCK_SIZE,
.cra_ctxsize = sizeof(struct tegra_sha_ctx),
.cra_alignmask = 0,
@@ -991,7 +991,8 @@ static struct tegra_se_alg tegra_hash_algs[] = {
.cra_name = "hmac(sha224)",
.cra_driver_name = "tegra-se-hmac-sha224",
.cra_priority = 300,
- .cra_flags = CRYPTO_ALG_TYPE_AHASH | CRYPTO_ALG_NEED_FALLBACK,
+ .cra_flags = CRYPTO_ALG_ASYNC |
+ CRYPTO_ALG_NEED_FALLBACK,
.cra_blocksize = SHA224_BLOCK_SIZE,
.cra_ctxsize = sizeof(struct tegra_sha_ctx),
.cra_alignmask = 0,
@@ -1018,7 +1019,8 @@ static struct tegra_se_alg tegra_hash_algs[] = {
.cra_name = "hmac(sha256)",
.cra_driver_name = "tegra-se-hmac-sha256",
.cra_priority = 300,
- .cra_flags = CRYPTO_ALG_TYPE_AHASH | CRYPTO_ALG_NEED_FALLBACK,
+ .cra_flags = CRYPTO_ALG_ASYNC |
+ CRYPTO_ALG_NEED_FALLBACK,
.cra_blocksize = SHA256_BLOCK_SIZE,
.cra_ctxsize = sizeof(struct tegra_sha_ctx),
.cra_alignmask = 0,
@@ -1045,7 +1047,8 @@ static struct tegra_se_alg tegra_hash_algs[] = {
.cra_name = "hmac(sha384)",
.cra_driver_name = "tegra-se-hmac-sha384",
.cra_priority = 300,
- .cra_flags = CRYPTO_ALG_TYPE_AHASH | CRYPTO_ALG_NEED_FALLBACK,
+ .cra_flags = CRYPTO_ALG_ASYNC |
+ CRYPTO_ALG_NEED_FALLBACK,
.cra_blocksize = SHA384_BLOCK_SIZE,
.cra_ctxsize = sizeof(struct tegra_sha_ctx),
.cra_alignmask = 0,
@@ -1072,7 +1075,8 @@ static struct tegra_se_alg tegra_hash_algs[] = {
.cra_name = "hmac(sha512)",
.cra_driver_name = "tegra-se-hmac-sha512",
.cra_priority = 300,
- .cra_flags = CRYPTO_ALG_TYPE_AHASH | CRYPTO_ALG_NEED_FALLBACK,
+ .cra_flags = CRYPTO_ALG_ASYNC |
+ CRYPTO_ALG_NEED_FALLBACK,
.cra_blocksize = SHA512_BLOCK_SIZE,
.cra_ctxsize = sizeof(struct tegra_sha_ctx),
.cra_alignmask = 0,
--
2.50.1 (Apple Git-155)

View File

@ -0,0 +1,48 @@
From c5fe58117093d6c4612c61902602e27df0ebe69a Mon Sep 17 00:00:00 2001
From: Vladislav Dronov <vdronov@redhat.com>
Date: Sun, 7 Jun 2026 23:23:19 +0200
Subject: [PATCH] crypto: tegra - Don't touch bo refcount in host1x bo
pin/unpin
JIRA: https://redhat.atlassian.net/browse/RHEL-176465
Upstream Status: merged into the upstream linux.git
commit f8c9c57d750346abd213ffed2ae3cacb0268e9f1
Author: Mikko Perttunen <mperttunen@nvidia.com>
Date: Fri May 15 11:34:52 2026 +0900
crypto: tegra - Don't touch bo refcount in host1x bo pin/unpin
Since commit "gpu: host1x: Allow entries in BO caches to be freed",
host1x_bo_pin() and host1x_bo_unpin() handle the bo's refcount
themselves. .pin/.unpin callbacks should not adjust it.
Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Vladislav Dronov <vdronov@redhat.com>
diff --git a/drivers/crypto/tegra/tegra-se-main.c b/drivers/crypto/tegra/tegra-se-main.c
index 4e7115b247e7..f0b6c4f0548f 100644
--- a/drivers/crypto/tegra/tegra-se-main.c
+++ b/drivers/crypto/tegra/tegra-se-main.c
@@ -52,7 +52,7 @@ tegra_se_cmdbuf_pin(struct device *dev, struct host1x_bo *bo, enum dma_data_dire
return ERR_PTR(-ENOMEM);
kref_init(&map->ref);
- map->bo = host1x_bo_get(bo);
+ map->bo = bo;
map->direction = direction;
map->dev = dev;
@@ -93,7 +93,6 @@ static void tegra_se_cmdbuf_unpin(struct host1x_bo_mapping *map)
dma_unmap_sgtable(map->dev, map->sgt, map->direction, 0);
sg_free_table(map->sgt);
kfree(map->sgt);
- host1x_bo_put(map->bo);
kfree(map);
}
--
2.50.1 (Apple Git-155)

View File

@ -0,0 +1,127 @@
From 5a7dc49ebe22d776913e8fd4fd3c835d1ac57db8 Mon Sep 17 00:00:00 2001
From: Vladislav Dronov <vdronov@redhat.com>
Date: Sun, 7 Jun 2026 23:23:19 +0200
Subject: [PATCH] crypto: tegra - Fix dma_free_coherent size error
JIRA: https://redhat.atlassian.net/browse/RHEL-176465
Upstream Status: merged into herbert/crypto-2.6.git
commit 03215b8457784540acc741e6331e355b62c6c8ab
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date: Tue May 19 12:22:18 2026 +0800
crypto: tegra - Fix dma_free_coherent size error
When freeing a coherent DMA buffer, the size must match the value
that was used during the allocation.
Unfortunately the size field in the tegra driver gets overwritten
by this point so it no longer matches and creates a warning.
Fix this by saving a copy of the size on the stack.
Note that the ccm function actually mixes up the inbuf and outbuf
sizes, but it doesn't matter because the two sizes are actually
equal.
Fixes: 1cb328da4e8f ("crypto: tegra - Do not use fixed size buffers")
Reporeted-by: Patrick Talbert <ptalbert@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Reviewed-by: Vladislav Dronov <vdronov@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Vladislav Dronov <vdronov@redhat.com>
diff --git a/drivers/crypto/tegra/tegra-se-aes.c b/drivers/crypto/tegra/tegra-se-aes.c
index 30c78afe3dea..5086e7f140c3 100644
--- a/drivers/crypto/tegra/tegra-se-aes.c
+++ b/drivers/crypto/tegra/tegra-se-aes.c
@@ -1201,6 +1201,7 @@ static int tegra_ccm_do_one_req(struct crypto_engine *engine, void *areq)
struct crypto_aead *tfm = crypto_aead_reqtfm(req);
struct tegra_aead_ctx *ctx = crypto_aead_ctx(tfm);
struct tegra_se *se = ctx->se;
+ unsigned int bufsize;
int ret;
ret = tegra_ccm_crypt_init(req, se, rctx);
@@ -1210,14 +1211,15 @@ static int tegra_ccm_do_one_req(struct crypto_engine *engine, void *areq)
rctx->key_id = ctx->key_id;
/* Allocate buffers required */
- rctx->inbuf.size = rctx->assoclen + rctx->authsize + rctx->cryptlen + 100;
- rctx->inbuf.buf = dma_alloc_coherent(ctx->se->dev, rctx->inbuf.size,
+ bufsize = rctx->assoclen + rctx->authsize + rctx->cryptlen + 100;
+ rctx->inbuf.size = bufsize;
+ rctx->inbuf.buf = dma_alloc_coherent(ctx->se->dev, bufsize,
&rctx->inbuf.addr, GFP_KERNEL);
if (!rctx->inbuf.buf)
goto out_finalize;
- rctx->outbuf.size = rctx->assoclen + rctx->authsize + rctx->cryptlen + 100;
- rctx->outbuf.buf = dma_alloc_coherent(ctx->se->dev, rctx->outbuf.size,
+ rctx->outbuf.size = bufsize;
+ rctx->outbuf.buf = dma_alloc_coherent(ctx->se->dev, bufsize,
&rctx->outbuf.addr, GFP_KERNEL);
if (!rctx->outbuf.buf) {
ret = -ENOMEM;
@@ -1254,11 +1256,11 @@ static int tegra_ccm_do_one_req(struct crypto_engine *engine, void *areq)
}
out:
- dma_free_coherent(ctx->se->dev, rctx->inbuf.size,
+ dma_free_coherent(ctx->se->dev, bufsize,
rctx->outbuf.buf, rctx->outbuf.addr);
out_free_inbuf:
- dma_free_coherent(ctx->se->dev, rctx->outbuf.size,
+ dma_free_coherent(ctx->se->dev, bufsize,
rctx->inbuf.buf, rctx->inbuf.addr);
if (tegra_key_is_reserved(rctx->key_id))
@@ -1278,6 +1280,7 @@ static int tegra_gcm_do_one_req(struct crypto_engine *engine, void *areq)
struct crypto_aead *tfm = crypto_aead_reqtfm(req);
struct tegra_aead_ctx *ctx = crypto_aead_ctx(tfm);
struct tegra_aead_reqctx *rctx = aead_request_ctx(req);
+ unsigned int bufsize;
int ret;
rctx->src_sg = req->src;
@@ -1296,16 +1299,17 @@ static int tegra_gcm_do_one_req(struct crypto_engine *engine, void *areq)
rctx->key_id = ctx->key_id;
/* Allocate buffers required */
- rctx->inbuf.size = rctx->assoclen + rctx->authsize + rctx->cryptlen;
- rctx->inbuf.buf = dma_alloc_coherent(ctx->se->dev, rctx->inbuf.size,
+ bufsize = rctx->assoclen + rctx->authsize + rctx->cryptlen;
+ rctx->inbuf.size = bufsize;
+ rctx->inbuf.buf = dma_alloc_coherent(ctx->se->dev, bufsize,
&rctx->inbuf.addr, GFP_KERNEL);
if (!rctx->inbuf.buf) {
ret = -ENOMEM;
goto out_finalize;
}
- rctx->outbuf.size = rctx->assoclen + rctx->authsize + rctx->cryptlen;
- rctx->outbuf.buf = dma_alloc_coherent(ctx->se->dev, rctx->outbuf.size,
+ rctx->outbuf.size = bufsize;
+ rctx->outbuf.buf = dma_alloc_coherent(ctx->se->dev, bufsize,
&rctx->outbuf.addr, GFP_KERNEL);
if (!rctx->outbuf.buf) {
ret = -ENOMEM;
@@ -1342,11 +1346,11 @@ static int tegra_gcm_do_one_req(struct crypto_engine *engine, void *areq)
ret = tegra_gcm_do_verify(ctx->se, rctx);
out:
- dma_free_coherent(ctx->se->dev, rctx->outbuf.size,
+ dma_free_coherent(ctx->se->dev, bufsize,
rctx->outbuf.buf, rctx->outbuf.addr);
out_free_inbuf:
- dma_free_coherent(ctx->se->dev, rctx->inbuf.size,
+ dma_free_coherent(ctx->se->dev, bufsize,
rctx->inbuf.buf, rctx->inbuf.addr);
if (tegra_key_is_reserved(rctx->key_id))
--
2.50.1 (Apple Git-155)

View File

@ -0,0 +1,52 @@
From c6c84318cd97fe4fdbc511248e126bf2d5eaceba Mon Sep 17 00:00:00 2001
From: Vladislav Dronov <vdronov@redhat.com>
Date: Sun, 7 Jun 2026 23:23:19 +0200
Subject: [PATCH] crypto: tegra - Return ENOMEM when input buffer allocation
fails for ccm
JIRA: https://redhat.atlassian.net/browse/RHEL-176465
Upstream Status: merged into herbert/crypto-2.6.git
commit 690a5f9e5c972a580565ce544ed1627ccf1e84de
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date: Wed May 20 10:51:14 2026 +0800
crypto: tegra - Return ENOMEM when input buffer allocation fails for ccm
Ensure the ENOMEM error value is set when the input buffer allocation
fails in tegra_ccm_do_one_req.
Fixes: 1e245948ca0c ("crypto: tegra - finalize crypto req on error")
Reported-by: Vladislav Dronov <vdronov@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Reviewed-by: Vladislav Dronov <vdronov@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Vladislav Dronov <vdronov@redhat.com>
diff --git a/drivers/crypto/tegra/tegra-se-aes.c b/drivers/crypto/tegra/tegra-se-aes.c
index 5086e7f140c3..9094c03e991f 100644
--- a/drivers/crypto/tegra/tegra-se-aes.c
+++ b/drivers/crypto/tegra/tegra-se-aes.c
@@ -1215,16 +1215,15 @@ static int tegra_ccm_do_one_req(struct crypto_engine *engine, void *areq)
rctx->inbuf.size = bufsize;
rctx->inbuf.buf = dma_alloc_coherent(ctx->se->dev, bufsize,
&rctx->inbuf.addr, GFP_KERNEL);
+ ret = -ENOMEM;
if (!rctx->inbuf.buf)
goto out_finalize;
rctx->outbuf.size = bufsize;
rctx->outbuf.buf = dma_alloc_coherent(ctx->se->dev, bufsize,
&rctx->outbuf.addr, GFP_KERNEL);
- if (!rctx->outbuf.buf) {
- ret = -ENOMEM;
+ if (!rctx->outbuf.buf)
goto out_free_inbuf;
- }
if (!ctx->key_id) {
ret = tegra_key_submit_reserved_aes(ctx->se, ctx->key,
--
2.50.1 (Apple Git-155)

View File

@ -0,0 +1,41 @@
From bc2cf5935b4665172235341163315905197ae91d Mon Sep 17 00:00:00 2001
From: Junrui Luo <moonafterrain@outlook.com>
Date: Fri, 24 Apr 2026 13:51:02 +0800
Subject: [PATCH] RDMA/mlx5: Fix error path fall-through in
mlx5_ib_dev_res_srq_init()
commit c488df06bd552bb8b6e14fa0cfd5ad986c6e9525 upstream.
mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When
ib_create_srq() fails for s1, the error branch destroys s0 but falls
through and unconditionally assigns the freed s0 and the ERR_PTR s1 to
devr->s0 and devr->s1.
This leads to several problems: the lock-free fast path checks
"if (devr->s1) return 0;" and treats the ERR_PTR as already initialised;
users in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via
to_msrq(devr->s0)->msrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences
the ERR_PTR and double-frees s0 on teardown.
Fix by adding the same `goto unlock` in the s1 failure path.
Cc: stable@vger.kernel.org
Fixes: 5895e70f2e6e ("IB/mlx5: Allocate resources just before first QP/SRQ is created")
Link: https://patch.msgid.link/r/SYBPR01MB7881E1E0970268BD69C0BA75AF2B2@SYBPR01MB7881.ausprd01.prod.outlook.com
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c
index 4077815..082a7e9 100644
--- a/drivers/infiniband/hw/mlx5/main.c
+++ b/drivers/infiniband/hw/mlx5/main.c
@@ -3121,6 +3121,7 @@ int mlx5_ib_dev_res_srq_init(struct mlx5_ib_dev *dev)
"Couldn't create SRQ 1 for res init, err=%pe\n",
s1);
ib_destroy_srq(s0);
+ goto unlock;
}
devr->s0 = s0;

View File

@ -176,13 +176,13 @@ Summary: The Linux kernel
%define specrpmversion 6.12.0
%define specversion 6.12.0
%define patchversion 6.12
%define pkgrelease 211.28.2
%define pkgrelease 211.29.1
%define kversion 6
%define tarfile_release 6.12.0-211.7.1.el10_2
# This is needed to do merge window version magic
%define patchlevel 12
# This allows pkg_release to have configurable %%{?dist} tag
%define specrelease 211.28.2%{?buildid}%{?dist}
%define specrelease 211.29.1%{?buildid}%{?dist}
# This defines the kabi tarball version
%define kabiversion 6.12.0-211.7.1.el10_2
@ -1420,6 +1420,19 @@ Patch1382: 1382-tcp-fix-potential-race-in-tcp-v6-syn-recv-sock.patch
Patch1383: 1383-selinux-rhel-only-hotfix-for-execmem-regression.patch
Patch1384: 1384-ipv4-account-for-fraggap-on-the-paged-allocation-path.patch
Patch1385: 1385-ipv6-account-for-fraggap-on-the-paged-allocation-path.patch
Patch1386: 1386-alsa-usb-audio-add-sanity-check-for-oob-writes-at-silencing.patch
Patch1387: 1387-alsa-aloop-fix-peer-runtime-uaf-during-format-change-stop.patch
Patch1388: 1388-rdma-vmw-pvrdma-fix-double-free-on-pvrdma-alloc-ucontext-err.patch
Patch1389: 1389-scsi-qla2xxx-add-support-to-report-mpi-fw-state.patch
Patch1390: 1390-crypto-tegra-remove-unneeded-crypto-engine-stop-call.patch
Patch1391: 1391-crypto-tegra-use-api-helpers-to-setup-fallback-request.patch
Patch1392: 1392-crypto-tegra-remove-the-use-of-dev-err-probe.patch
Patch1393: 1393-crypto-tegra-use-int-type-to-store-negative-error-codes.patch
Patch1394: 1394-crypto-tegra-add-missing-crypto-alg-async.patch
Patch1395: 1395-crypto-tegra-don-t-touch-bo-refcount-in-host1x-bo-pin-unpin.patch
Patch1396: 1396-crypto-tegra-fix-dma-free-coherent-size-error.patch
Patch1397: 1397-crypto-tegra-return-enomem-when-input-buffer-allocation-fail.patch
Patch1398: 1398-rdma-mlx5-fix-error-path-fall-through-in-mlx5-ib-dev-res-srq.patch
# END OF PATCH DEFINITIONS
%description
@ -2562,6 +2575,19 @@ ApplyPatch 1382-tcp-fix-potential-race-in-tcp-v6-syn-recv-sock.patch
ApplyPatch 1383-selinux-rhel-only-hotfix-for-execmem-regression.patch
ApplyPatch 1384-ipv4-account-for-fraggap-on-the-paged-allocation-path.patch
ApplyPatch 1385-ipv6-account-for-fraggap-on-the-paged-allocation-path.patch
ApplyPatch 1386-alsa-usb-audio-add-sanity-check-for-oob-writes-at-silencing.patch
ApplyPatch 1387-alsa-aloop-fix-peer-runtime-uaf-during-format-change-stop.patch
ApplyPatch 1388-rdma-vmw-pvrdma-fix-double-free-on-pvrdma-alloc-ucontext-err.patch
ApplyPatch 1389-scsi-qla2xxx-add-support-to-report-mpi-fw-state.patch
ApplyPatch 1390-crypto-tegra-remove-unneeded-crypto-engine-stop-call.patch
ApplyPatch 1391-crypto-tegra-use-api-helpers-to-setup-fallback-request.patch
ApplyPatch 1392-crypto-tegra-remove-the-use-of-dev-err-probe.patch
ApplyPatch 1393-crypto-tegra-use-int-type-to-store-negative-error-codes.patch
ApplyPatch 1394-crypto-tegra-add-missing-crypto-alg-async.patch
ApplyPatch 1395-crypto-tegra-don-t-touch-bo-refcount-in-host1x-bo-pin-unpin.patch
ApplyPatch 1396-crypto-tegra-fix-dma-free-coherent-size-error.patch
ApplyPatch 1397-crypto-tegra-return-enomem-when-input-buffer-allocation-fail.patch
ApplyPatch 1398-rdma-mlx5-fix-error-path-fall-through-in-mlx5-ib-dev-res-srq.patch
# END OF PATCH APPLICATIONS
# Any further pre-build tree manipulations happen here.
@ -5066,6 +5092,26 @@ fi\
#
#
%changelog
* Wed Jul 01 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 6.12.0-211.29.1
- Recreate RHEL 6.12.0-211.29.1 from CentOS Stream 10 and upstream stable backports (1386-1398)
- Retain AlmaLinux ahead-of-RHEL fixes: CVE-2026-46316 (1374), ipv4/ipv6 fraggap (1384-1385)
- RHEL changelog for 211.29.1 follows:
* Mon Jun 29 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-211.29.1.el10_2]
- RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init() (CKI Backport Bot) [RHEL-180001] {CVE-2026-46176}
- crypto: tegra - Return ENOMEM when input buffer allocation fails for ccm (Vladislav Dronov) [RHEL-182759]
- crypto: tegra - Fix dma_free_coherent size error (Vladislav Dronov) [RHEL-182759]
- crypto: tegra - Don't touch bo refcount in host1x bo pin/unpin (Vladislav Dronov) [RHEL-182759]
- crypto: tegra - Add missing CRYPTO_ALG_ASYNC (Vladislav Dronov) [RHEL-182759] {CVE-2026-31739}
- crypto: tegra - Use int type to store negative error codes (Vladislav Dronov) [RHEL-182759]
- crypto: tegra - Remove the use of dev_err_probe() (Vladislav Dronov) [RHEL-182759]
- crypto: tegra - use API helpers to setup fallback request (Vladislav Dronov) [RHEL-182759]
- crypto: tegra - remove unneeded crypto_engine_stop() call (Vladislav Dronov) [RHEL-182759]
- scsi: qla2xxx: Add support to report MPI FW state (Ewan D. Milne) [RHEL-181887]
- RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path (CKI Backport Bot) [RHEL-179965] {CVE-2026-46189}
- ALSA: aloop: Fix peer runtime UAF during format-change stop (CKI Backport Bot) [RHEL-179317] {CVE-2026-46090}
- ALSA: usb-audio: Add sanity check for OOB writes at silencing (CKI Backport Bot) [RHEL-173937] {CVE-2026-43279}
* Tue Jun 30 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 6.12.0-211.28.2
- Add upstream ipv4/ipv6 fraggap paged-allocation fixes (1384-1385)
eca856950f7c ipv4: account for fraggap on the paged allocation path