From 1cd3d0ece267eb7bdd464b4acf3e8aa618931feb Mon Sep 17 00:00:00 2001 From: Andrew Lukoshko Date: Wed, 1 Jul 2026 11:47:56 +0000 Subject: [PATCH] Recreate RHEL 6.12.0-211.29.1 from CS10/upstream backports --- ...ty-check-for-oob-writes-at-silencing.patch | 110 +++++++++ ...untime-uaf-during-format-change-stop.patch | 137 +++++++++++ ...le-free-on-pvrdma-alloc-ucontext-err.patch | 34 +++ ...x-add-support-to-report-mpi-fw-state.patch | 166 +++++++++++++ ...ove-unneeded-crypto-engine-stop-call.patch | 46 ++++ ...pi-helpers-to-setup-fallback-request.patch | 131 ++++++++++ ...egra-remove-the-use-of-dev-err-probe.patch | 46 ++++ ...t-type-to-store-negative-error-codes.patch | 43 ++++ ...o-tegra-add-missing-crypto-alg-async.patch | 224 ++++++++++++++++++ ...h-bo-refcount-in-host1x-bo-pin-unpin.patch | 48 ++++ ...gra-fix-dma-free-coherent-size-error.patch | 127 ++++++++++ ...em-when-input-buffer-allocation-fail.patch | 52 ++++ ...-fall-through-in-mlx5-ib-dev-res-srq.patch | 41 ++++ kernel.spec | 50 +++- 14 files changed, 1253 insertions(+), 2 deletions(-) create mode 100644 1386-alsa-usb-audio-add-sanity-check-for-oob-writes-at-silencing.patch create mode 100644 1387-alsa-aloop-fix-peer-runtime-uaf-during-format-change-stop.patch create mode 100644 1388-rdma-vmw-pvrdma-fix-double-free-on-pvrdma-alloc-ucontext-err.patch create mode 100644 1389-scsi-qla2xxx-add-support-to-report-mpi-fw-state.patch create mode 100644 1390-crypto-tegra-remove-unneeded-crypto-engine-stop-call.patch create mode 100644 1391-crypto-tegra-use-api-helpers-to-setup-fallback-request.patch create mode 100644 1392-crypto-tegra-remove-the-use-of-dev-err-probe.patch create mode 100644 1393-crypto-tegra-use-int-type-to-store-negative-error-codes.patch create mode 100644 1394-crypto-tegra-add-missing-crypto-alg-async.patch create mode 100644 1395-crypto-tegra-don-t-touch-bo-refcount-in-host1x-bo-pin-unpin.patch create mode 100644 1396-crypto-tegra-fix-dma-free-coherent-size-error.patch create mode 100644 1397-crypto-tegra-return-enomem-when-input-buffer-allocation-fail.patch create mode 100644 1398-rdma-mlx5-fix-error-path-fall-through-in-mlx5-ib-dev-res-srq.patch diff --git a/1386-alsa-usb-audio-add-sanity-check-for-oob-writes-at-silencing.patch b/1386-alsa-usb-audio-add-sanity-check-for-oob-writes-at-silencing.patch new file mode 100644 index 000000000..f76dd5f19 --- /dev/null +++ b/1386-alsa-usb-audio-add-sanity-check-for-oob-writes-at-silencing.patch @@ -0,0 +1,110 @@ +From a10f13521226dba6ce396abb8b1b91570f5b61ec Mon Sep 17 00:00:00 2001 +From: Jaroslav Kysela +Date: Mon, 20 Apr 2026 14:32:13 +0200 +Subject: [PATCH] ALSA: usb-audio: Add sanity check for OOB writes at silencing + +JIRA: https://issues.redhat.com/browse/RHEL-168082 + +commit fba2105a157fffcf19825e4eea498346738c9948 +Author: Takashi Iwai +Date: Mon Feb 16 15:12:07 2026 +0100 + + ALSA: usb-audio: Add sanity check for OOB writes at silencing + + At silencing the playback URB packets in the implicit fb mode before + the actual playback, we blindly assume that the received packets fit + with the buffer size. But when the setup in the capture stream + differs from the playback stream (e.g. due to the USB core limitation + of max packet size), such an inconsistency may lead to OOB writes to + the buffer, resulting in a crash. + + For addressing it, add a sanity check of the transfer buffer size at + prepare_silent_urb(), and stop the data copy if the received data + overflows. Also, report back the transfer error properly from there, + too. + + Note that this doesn't fix the root cause of the playback error + itself, but this merely covers the kernel Oops. + + Link: https://bugzilla.kernel.org/show_bug.cgi?id=221076 + Link: https://patch.msgid.link/20260216141209.1849200-4-tiwai@suse.de + Signed-off-by: Takashi Iwai + +Signed-off-by: Jaroslav Kysela + +diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c +index 08cc2ee5707d..6e443f762de8 100644 +--- a/sound/usb/endpoint.c ++++ b/sound/usb/endpoint.c +@@ -275,8 +275,8 @@ static inline bool has_tx_length_quirk(struct snd_usb_audio *chip) + return chip->quirk_flags & QUIRK_FLAG_TX_LENGTH; + } + +-static void prepare_silent_urb(struct snd_usb_endpoint *ep, +- struct snd_urb_ctx *ctx) ++static int prepare_silent_urb(struct snd_usb_endpoint *ep, ++ struct snd_urb_ctx *ctx) + { + struct urb *urb = ctx->urb; + unsigned int offs = 0; +@@ -289,28 +289,34 @@ static void prepare_silent_urb(struct snd_usb_endpoint *ep, + extra = sizeof(packet_length); + + for (i = 0; i < ctx->packets; ++i) { +- unsigned int offset; +- unsigned int length; +- int counts; +- +- counts = snd_usb_endpoint_next_packet_size(ep, ctx, i, 0); +- length = counts * ep->stride; /* number of silent bytes */ +- offset = offs * ep->stride + extra * i; +- urb->iso_frame_desc[i].offset = offset; ++ int length; ++ ++ length = snd_usb_endpoint_next_packet_size(ep, ctx, i, 0); ++ if (length < 0) ++ return length; ++ length *= ep->stride; /* number of silent bytes */ ++ if (offs + length + extra > ctx->buffer_size) ++ break; ++ urb->iso_frame_desc[i].offset = offs; + urb->iso_frame_desc[i].length = length + extra; + if (extra) { + packet_length = cpu_to_le32(length); +- memcpy(urb->transfer_buffer + offset, ++ memcpy(urb->transfer_buffer + offs, + &packet_length, sizeof(packet_length)); ++ offs += extra; + } +- memset(urb->transfer_buffer + offset + extra, ++ memset(urb->transfer_buffer + offs, + ep->silence_value, length); +- offs += counts; ++ offs += length; + } + +- urb->number_of_packets = ctx->packets; +- urb->transfer_buffer_length = offs * ep->stride + ctx->packets * extra; ++ if (!offs) ++ return -EPIPE; ++ ++ urb->number_of_packets = i; ++ urb->transfer_buffer_length = offs; + ctx->queued = 0; ++ return 0; + } + + /* +@@ -332,8 +338,7 @@ static int prepare_outbound_urb(struct snd_usb_endpoint *ep, + if (data_subs && ep->prepare_data_urb) + return ep->prepare_data_urb(data_subs, urb, in_stream_lock); + /* no data provider, so send silence */ +- prepare_silent_urb(ep, ctx); +- break; ++ return prepare_silent_urb(ep, ctx); + + case SND_USB_ENDPOINT_TYPE_SYNC: + if (snd_usb_get_speed(ep->chip->dev) >= USB_SPEED_HIGH) { +-- +2.50.1 (Apple Git-155) + diff --git a/1387-alsa-aloop-fix-peer-runtime-uaf-during-format-change-stop.patch b/1387-alsa-aloop-fix-peer-runtime-uaf-during-format-change-stop.patch new file mode 100644 index 000000000..0ec10f33a --- /dev/null +++ b/1387-alsa-aloop-fix-peer-runtime-uaf-during-format-change-stop.patch @@ -0,0 +1,137 @@ +From aef881da47f3c07173c5357b36a45fc4b754eb55 Mon Sep 17 00:00:00 2001 +From: CKI Backport Bot +Date: Wed, 27 May 2026 17:21:48 +0000 +Subject: [PATCH] ALSA: aloop: Fix peer runtime UAF during format-change stop +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +JIRA: https://redhat.atlassian.net/browse/RHEL-179311 +CVE: CVE-2026-46090 +Backported from tree(s): linux + +commit e5c33cdc6f402eab8abd36ecf436b22c9d3a8aff +Author: Cássio Gabriel +Date: Fri Apr 24 09:48:41 2026 -0300 + + ALSA: aloop: Fix peer runtime UAF during format-change stop + + loopback_check_format() may stop the capture side when playback starts + with parameters that no longer match a running capture stream. Commit + 826af7fa62e3 ("ALSA: aloop: Fix racy access at PCM trigger") moved + the peer lookup under cable->lock, but the actual snd_pcm_stop() still + runs after dropping that lock. + + A concurrent close can clear the capture entry from cable->streams[] and + detach or free its runtime while the playback trigger path still holds a + stale peer substream pointer. + + Keep a per-cable count of in-flight peer stops before dropping + cable->lock, and make free_cable() wait for those stops before + detaching the runtime. This preserves the existing behavior while + making the peer runtime lifetime explicit. + + Reported-by: syzbot+8fa95c41eafbc9d2ff6f@syzkaller.appspotmail.com + Closes: https://syzkaller.appspot.com/bug?extid=8fa95c41eafbc9d2ff6f + Fixes: 597603d615d2 ("ALSA: introduce the snd-aloop module for the PCM loopback") + Cc: stable@vger.kernel.org + Suggested-by: Takashi Iwai + Signed-off-by: Cássio Gabriel + Link: https://patch.msgid.link/20260424-alsa-aloop-peer-stop-uaf-v2-1-94e68101db8a@gmail.com + Signed-off-by: Takashi Iwai + +Signed-off-by: CKI Backport Bot + +diff --git a/sound/drivers/aloop.c b/sound/drivers/aloop.c +index aa0d2fcb1a18..a37a1695f51c 100644 +--- a/sound/drivers/aloop.c ++++ b/sound/drivers/aloop.c +@@ -99,6 +99,9 @@ struct loopback_ops { + struct loopback_cable { + spinlock_t lock; + struct loopback_pcm *streams[2]; ++ /* in-flight peer stops running outside cable->lock */ ++ atomic_t stop_count; ++ wait_queue_head_t stop_wait; + struct snd_pcm_hardware hw; + /* flags */ + unsigned int valid; +@@ -366,8 +369,11 @@ static int loopback_check_format(struct loopback_cable *cable, int stream) + return 0; + if (stream == SNDRV_PCM_STREAM_CAPTURE) + return -EIO; +- else if (cruntime->state == SNDRV_PCM_STATE_RUNNING) ++ else if (cruntime->state == SNDRV_PCM_STATE_RUNNING) { ++ /* close must not free the peer runtime below */ ++ atomic_inc(&cable->stop_count); + stop_capture = true; ++ } + } + + setup = get_setup(dpcm_play); +@@ -396,8 +402,11 @@ static int loopback_check_format(struct loopback_cable *cable, int stream) + } + } + +- if (stop_capture) ++ if (stop_capture) { + snd_pcm_stop(dpcm_capt->substream, SNDRV_PCM_STATE_DRAINING); ++ if (atomic_dec_and_test(&cable->stop_count)) ++ wake_up(&cable->stop_wait); ++ } + + return 0; + } +@@ -1049,23 +1058,29 @@ static void free_cable(struct snd_pcm_substream *substream) + struct loopback *loopback = substream->private_data; + int dev = get_cable_index(substream); + struct loopback_cable *cable; ++ struct loopback_pcm *dpcm; ++ bool other_alive; + + cable = loopback->cables[substream->number][dev]; + if (!cable) + return; +- if (cable->streams[!substream->stream]) { +- /* other stream is still alive */ +- guard(spinlock_irq)(&cable->lock); +- cable->streams[substream->stream] = NULL; +- } else { +- struct loopback_pcm *dpcm = substream->runtime->private_data; + +- if (cable->ops && cable->ops->close_cable && dpcm) +- cable->ops->close_cable(dpcm); +- /* free the cable */ +- loopback->cables[substream->number][dev] = NULL; +- kfree(cable); ++ scoped_guard(spinlock_irq, &cable->lock) { ++ cable->streams[substream->stream] = NULL; ++ other_alive = cable->streams[!substream->stream]; + } ++ ++ /* Pair with the stop_count increment in loopback_check_format(). */ ++ wait_event(cable->stop_wait, !atomic_read(&cable->stop_count)); ++ if (other_alive) ++ return; ++ ++ dpcm = substream->runtime->private_data; ++ if (cable->ops && cable->ops->close_cable && dpcm) ++ cable->ops->close_cable(dpcm); ++ /* free the cable */ ++ loopback->cables[substream->number][dev] = NULL; ++ kfree(cable); + } + + static int loopback_jiffies_timer_open(struct loopback_pcm *dpcm) +@@ -1260,6 +1275,8 @@ static int loopback_open(struct snd_pcm_substream *substream) + goto unlock; + } + spin_lock_init(&cable->lock); ++ atomic_set(&cable->stop_count, 0); ++ init_waitqueue_head(&cable->stop_wait); + cable->hw = loopback_pcm_hardware; + if (loopback->timer_source) + cable->ops = &loopback_snd_timer_ops; +-- +2.50.1 (Apple Git-155) + diff --git a/1388-rdma-vmw-pvrdma-fix-double-free-on-pvrdma-alloc-ucontext-err.patch b/1388-rdma-vmw-pvrdma-fix-double-free-on-pvrdma-alloc-ucontext-err.patch new file mode 100644 index 000000000..8d54e15bc --- /dev/null +++ b/1388-rdma-vmw-pvrdma-fix-double-free-on-pvrdma-alloc-ucontext-err.patch @@ -0,0 +1,34 @@ +From 45d25e3ec17900bf5a9d6876ff16ceee31c4c0e0 Mon Sep 17 00:00:00 2001 +From: Jason Gunthorpe +Date: Tue, 28 Apr 2026 13:17:43 -0300 +Subject: [PATCH] RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() + error path + +commit e38e86995df27f1f854063dab1f0c6a513db3faf upstream. + +Sashiko points out that pvrdma_uar_free() is already called within +pvrdma_dealloc_ucontext(), so calling it before triggers a double free. + +Cc: stable@vger.kernel.org +Fixes: 29c8d9eba550 ("IB: Add vmw_pvrdma driver") +Link: https://sashiko.dev/#/patchset/0-v1-e911b76a94d1%2B65d95-rdma_udata_rep_jgg%40nvidia.com?part=4 +Link: https://patch.msgid.link/r/10-v1-41f3135e5565+9d2-rdma_ai_fixes1_jgg@nvidia.com +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +diff --git a/drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.c b/drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.c +index 9f54aa90a35a..dde1910dd8b1 100644 +--- a/drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.c ++++ b/drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.c +@@ -350,7 +350,7 @@ int pvrdma_alloc_ucontext(struct ib_ucontext *uctx, struct ib_udata *udata) + uresp.qp_tab_size = vdev->dsr->caps.max_qp; + ret = ib_copy_to_udata(udata, &uresp, sizeof(uresp)); + if (ret) { +- pvrdma_uar_free(vdev, &context->uar); ++ /* pvrdma_dealloc_ucontext() also frees the UAR */ + pvrdma_dealloc_ucontext(&context->ibucontext); + return -EFAULT; + } +-- +2.50.1 (Apple Git-155) + diff --git a/1389-scsi-qla2xxx-add-support-to-report-mpi-fw-state.patch b/1389-scsi-qla2xxx-add-support-to-report-mpi-fw-state.patch new file mode 100644 index 000000000..879961997 --- /dev/null +++ b/1389-scsi-qla2xxx-add-support-to-report-mpi-fw-state.patch @@ -0,0 +1,166 @@ +From 93e4b63cd923391c972220739a5fcc7bc01a4cb7 Mon Sep 17 00:00:00 2001 +From: Nilesh Javali +Date: Thu, 19 Mar 2026 15:01:53 +0530 +Subject: [PATCH] scsi: qla2xxx: Add support to report MPI FW state + +JIRA: https://redhat.atlassian.net/browse/RHEL-157286 + +Upstream Status: git://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git + +commit 0e124af675ebabddacfeb0958abd443265dddf13 +Author: Nilesh Javali +Date: Thu Mar 5 15:03:37 2026 +0530 + + scsi: qla2xxx: Add support to report MPI FW state + + MPI firmware state was returned as 0. Get MPI FW state to proceed with + flash image validation. + + A new sysfs node 'mpi_fw_state' is added to report MPI firmware state: + + /sys/class/scsi_host/hostXX/mpi_fw_state + + Fixes: d74181ca110e ("scsi: qla2xxx: Add bsg interface to support firmware img validation") + Signed-off-by: Nilesh Javali + Link: https://patch.msgid.link/20260305093337.2007205-1-njavali@marvell.com + Signed-off-by: Martin K. Petersen + +Signed-off-by: Nilesh Javali + +diff --git a/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c +index 2e584a8bf66b..6a05ce195aa0 100644 +--- a/drivers/scsi/qla2xxx/qla_attr.c ++++ b/drivers/scsi/qla2xxx/qla_attr.c +@@ -1638,7 +1638,7 @@ qla2x00_fw_state_show(struct device *dev, struct device_attribute *attr, + { + scsi_qla_host_t *vha = shost_priv(class_to_shost(dev)); + int rval = QLA_FUNCTION_FAILED; +- uint16_t state[6]; ++ uint16_t state[16]; + uint32_t pstate; + + if (IS_QLAFX00(vha->hw)) { +@@ -2402,6 +2402,63 @@ qla2x00_dport_diagnostics_show(struct device *dev, + vha->dport_data[0], vha->dport_data[1], + vha->dport_data[2], vha->dport_data[3]); + } ++ ++static ssize_t ++qla2x00_mpi_fw_state_show(struct device *dev, struct device_attribute *attr, ++ char *buf) ++{ ++ scsi_qla_host_t *vha = shost_priv(class_to_shost(dev)); ++ int rval = QLA_FUNCTION_FAILED; ++ u16 state[16]; ++ u16 mpi_state; ++ struct qla_hw_data *ha = vha->hw; ++ ++ if (!(IS_QLA27XX(ha) || IS_QLA28XX(ha))) ++ return scnprintf(buf, PAGE_SIZE, ++ "MPI state reporting is not supported for this HBA.\n"); ++ ++ memset(state, 0, sizeof(state)); ++ ++ mutex_lock(&vha->hw->optrom_mutex); ++ if (qla2x00_chip_is_down(vha)) { ++ mutex_unlock(&vha->hw->optrom_mutex); ++ ql_dbg(ql_dbg_user, vha, 0x70df, ++ "ISP reset is in progress, failing mpi_fw_state.\n"); ++ return -EBUSY; ++ } else if (vha->hw->flags.eeh_busy) { ++ mutex_unlock(&vha->hw->optrom_mutex); ++ ql_dbg(ql_dbg_user, vha, 0x70ea, ++ "HBA in PCI error state, failing mpi_fw_state.\n"); ++ return -EBUSY; ++ } ++ ++ rval = qla2x00_get_firmware_state(vha, state); ++ mutex_unlock(&vha->hw->optrom_mutex); ++ if (rval != QLA_SUCCESS) { ++ ql_dbg(ql_dbg_user, vha, 0x70eb, ++ "MB Command to retrieve MPI state failed (%d), failing mpi_fw_state.\n", ++ rval); ++ return -EIO; ++ } ++ ++ mpi_state = state[11]; ++ ++ if (!(mpi_state & BIT_15)) ++ return scnprintf(buf, PAGE_SIZE, ++ "MPI firmware state reporting is not supported by this firmware. (0x%02x)\n", ++ mpi_state); ++ ++ if (!(mpi_state & BIT_8)) ++ return scnprintf(buf, PAGE_SIZE, ++ "MPI firmware is disabled. (0x%02x)\n", ++ mpi_state); ++ ++ return scnprintf(buf, PAGE_SIZE, ++ "MPI firmware is enabled, state is %s. (0x%02x)\n", ++ mpi_state & BIT_9 ? "active" : "inactive", ++ mpi_state); ++} ++ + static DEVICE_ATTR(dport_diagnostics, 0444, + qla2x00_dport_diagnostics_show, NULL); + +@@ -2469,6 +2526,8 @@ static DEVICE_ATTR(port_speed, 0644, qla2x00_port_speed_show, + qla2x00_port_speed_store); + static DEVICE_ATTR(port_no, 0444, qla2x00_port_no_show, NULL); + static DEVICE_ATTR(fw_attr, 0444, qla2x00_fw_attr_show, NULL); ++static DEVICE_ATTR(mpi_fw_state, 0444, qla2x00_mpi_fw_state_show, NULL); ++ + + static struct attribute *qla2x00_host_attrs[] = { + &dev_attr_driver_version.attr.attr, +@@ -2517,6 +2576,7 @@ static struct attribute *qla2x00_host_attrs[] = { + &dev_attr_qlini_mode.attr, + &dev_attr_ql2xiniexchg.attr, + &dev_attr_ql2xexchoffld.attr, ++ &dev_attr_mpi_fw_state.attr, + NULL, + }; + +diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c +index 93ca7319bd6a..bee76b8d9e35 100644 +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -4916,7 +4916,7 @@ qla2x00_fw_ready(scsi_qla_host_t *vha) + unsigned long wtime, mtime, cs84xx_time; + uint16_t min_wait; /* Minimum wait time if loop is down */ + uint16_t wait_time; /* Wait time if loop is coming ready */ +- uint16_t state[6]; ++ uint16_t state[16]; + struct qla_hw_data *ha = vha->hw; + + if (IS_QLAFX00(vha->hw)) +diff --git a/drivers/scsi/qla2xxx/qla_mbx.c b/drivers/scsi/qla2xxx/qla_mbx.c +index d0f09f0a2459..e3ee26058901 100644 +--- a/drivers/scsi/qla2xxx/qla_mbx.c ++++ b/drivers/scsi/qla2xxx/qla_mbx.c +@@ -2266,6 +2266,13 @@ qla2x00_get_firmware_state(scsi_qla_host_t *vha, uint16_t *states) + mcp->in_mb = MBX_6|MBX_5|MBX_4|MBX_3|MBX_2|MBX_1|MBX_0; + else + mcp->in_mb = MBX_1|MBX_0; ++ ++ if (IS_QLA27XX(ha) || IS_QLA28XX(ha)) { ++ mcp->mb[12] = 0; ++ mcp->out_mb |= MBX_12; ++ mcp->in_mb |= MBX_12; ++ } ++ + mcp->tov = MBX_TOV_SECONDS; + mcp->flags = 0; + rval = qla2x00_mailbox_command(vha, mcp); +@@ -2278,6 +2285,8 @@ qla2x00_get_firmware_state(scsi_qla_host_t *vha, uint16_t *states) + states[3] = mcp->mb[4]; + states[4] = mcp->mb[5]; + states[5] = mcp->mb[6]; /* DPORT status */ ++ if (IS_QLA27XX(ha) || IS_QLA28XX(ha)) ++ states[11] = mcp->mb[12]; /* MPI state. */ + } + + if (rval != QLA_SUCCESS) { +-- +2.50.1 (Apple Git-155) + diff --git a/1390-crypto-tegra-remove-unneeded-crypto-engine-stop-call.patch b/1390-crypto-tegra-remove-unneeded-crypto-engine-stop-call.patch new file mode 100644 index 000000000..fca9e8400 --- /dev/null +++ b/1390-crypto-tegra-remove-unneeded-crypto-engine-stop-call.patch @@ -0,0 +1,46 @@ +From 2f96df36f51ba409638b0111c4b1d7b30a88008c Mon Sep 17 00:00:00 2001 +From: Vladislav Dronov +Date: Sun, 7 Jun 2026 23:23:19 +0200 +Subject: [PATCH] crypto: tegra - remove unneeded crypto_engine_stop() call + +JIRA: https://redhat.atlassian.net/browse/RHEL-176465 +Upstream Status: merged into the upstream linux.git + +commit 6ef46fec4171433fd9a3162b88ec2ce808676193 +Author: Ovidiu Panait +Date: Sun Oct 20 22:25:31 2024 +0300 + + crypto: tegra - remove unneeded crypto_engine_stop() call + + The explicit crypto_engine_stop() call is not needed, as it is already + called internally by crypto_engine_exit(). + + Signed-off-by: Ovidiu Panait + Acked-by: Thierry Reding + Signed-off-by: Herbert Xu + +Signed-off-by: Vladislav Dronov + +diff --git a/drivers/crypto/tegra/tegra-se-main.c b/drivers/crypto/tegra/tegra-se-main.c +index db5890c7f098..15ed363d09c9 100644 +--- a/drivers/crypto/tegra/tegra-se-main.c ++++ b/drivers/crypto/tegra/tegra-se-main.c +@@ -320,7 +320,6 @@ static int tegra_se_probe(struct platform_device *pdev) + + ret = tegra_se_host1x_register(se); + if (ret) { +- crypto_engine_stop(se->engine); + crypto_engine_exit(se->engine); + return dev_err_probe(dev, ret, "failed to init host1x params\n"); + } +@@ -332,7 +331,6 @@ static void tegra_se_remove(struct platform_device *pdev) + { + struct tegra_se *se = platform_get_drvdata(pdev); + +- crypto_engine_stop(se->engine); + crypto_engine_exit(se->engine); + host1x_client_unregister(&se->client); + } +-- +2.50.1 (Apple Git-155) + diff --git a/1391-crypto-tegra-use-api-helpers-to-setup-fallback-request.patch b/1391-crypto-tegra-use-api-helpers-to-setup-fallback-request.patch new file mode 100644 index 000000000..39ac125a7 --- /dev/null +++ b/1391-crypto-tegra-use-api-helpers-to-setup-fallback-request.patch @@ -0,0 +1,131 @@ +From 219a1eb51634836cdf22208c1b6589c3533f89fd Mon Sep 17 00:00:00 2001 +From: Vladislav Dronov +Date: Sun, 7 Jun 2026 23:23:19 +0200 +Subject: [PATCH] crypto: tegra - use API helpers to setup fallback request + +JIRA: https://redhat.atlassian.net/browse/RHEL-176465 +Upstream Status: merged into the upstream linux.git + +commit c1024581ff2c34db4fdfe857b29f606e5117eb12 +Author: Ovidiu Panait +Date: Mon Apr 7 15:36:04 2025 +0300 + + crypto: tegra - use API helpers to setup fallback request + + Rather than setting up the fallback request by hand, use + ahash_request_set_callback() and ahash_request_set_crypt() API helpers + to properly setup the new request. + + Signed-off-by: Ovidiu Panait + Signed-off-by: Herbert Xu + +Signed-off-by: Vladislav Dronov + +diff --git a/drivers/crypto/tegra/tegra-se-hash.c b/drivers/crypto/tegra/tegra-se-hash.c +index 90bf34eb3578..e3fe5911a324 100644 +--- a/drivers/crypto/tegra/tegra-se-hash.c ++++ b/drivers/crypto/tegra/tegra-se-hash.c +@@ -118,8 +118,9 @@ static int tegra_sha_fallback_init(struct ahash_request *req) + struct tegra_sha_ctx *ctx = crypto_ahash_ctx(tfm); + + ahash_request_set_tfm(&rctx->fallback_req, ctx->fallback_tfm); +- rctx->fallback_req.base.flags = req->base.flags & +- CRYPTO_TFM_REQ_MAY_SLEEP; ++ ahash_request_set_callback(&rctx->fallback_req, ++ req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP, ++ req->base.complete, req->base.data); + + return crypto_ahash_init(&rctx->fallback_req); + } +@@ -131,10 +132,10 @@ static int tegra_sha_fallback_update(struct ahash_request *req) + struct tegra_sha_ctx *ctx = crypto_ahash_ctx(tfm); + + ahash_request_set_tfm(&rctx->fallback_req, ctx->fallback_tfm); +- rctx->fallback_req.base.flags = req->base.flags & +- CRYPTO_TFM_REQ_MAY_SLEEP; +- rctx->fallback_req.nbytes = req->nbytes; +- rctx->fallback_req.src = req->src; ++ ahash_request_set_callback(&rctx->fallback_req, ++ req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP, ++ req->base.complete, req->base.data); ++ ahash_request_set_crypt(&rctx->fallback_req, req->src, NULL, req->nbytes); + + return crypto_ahash_update(&rctx->fallback_req); + } +@@ -146,9 +147,10 @@ static int tegra_sha_fallback_final(struct ahash_request *req) + struct tegra_sha_ctx *ctx = crypto_ahash_ctx(tfm); + + ahash_request_set_tfm(&rctx->fallback_req, ctx->fallback_tfm); +- rctx->fallback_req.base.flags = req->base.flags & +- CRYPTO_TFM_REQ_MAY_SLEEP; +- rctx->fallback_req.result = req->result; ++ ahash_request_set_callback(&rctx->fallback_req, ++ req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP, ++ req->base.complete, req->base.data); ++ ahash_request_set_crypt(&rctx->fallback_req, NULL, req->result, 0); + + return crypto_ahash_final(&rctx->fallback_req); + } +@@ -160,12 +162,11 @@ static int tegra_sha_fallback_finup(struct ahash_request *req) + struct tegra_sha_ctx *ctx = crypto_ahash_ctx(tfm); + + ahash_request_set_tfm(&rctx->fallback_req, ctx->fallback_tfm); +- rctx->fallback_req.base.flags = req->base.flags & +- CRYPTO_TFM_REQ_MAY_SLEEP; +- +- rctx->fallback_req.nbytes = req->nbytes; +- rctx->fallback_req.src = req->src; +- rctx->fallback_req.result = req->result; ++ ahash_request_set_callback(&rctx->fallback_req, ++ req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP, ++ req->base.complete, req->base.data); ++ ahash_request_set_crypt(&rctx->fallback_req, req->src, req->result, ++ req->nbytes); + + return crypto_ahash_finup(&rctx->fallback_req); + } +@@ -177,12 +178,11 @@ static int tegra_sha_fallback_digest(struct ahash_request *req) + struct tegra_sha_ctx *ctx = crypto_ahash_ctx(tfm); + + ahash_request_set_tfm(&rctx->fallback_req, ctx->fallback_tfm); +- rctx->fallback_req.base.flags = req->base.flags & +- CRYPTO_TFM_REQ_MAY_SLEEP; +- +- rctx->fallback_req.nbytes = req->nbytes; +- rctx->fallback_req.src = req->src; +- rctx->fallback_req.result = req->result; ++ ahash_request_set_callback(&rctx->fallback_req, ++ req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP, ++ req->base.complete, req->base.data); ++ ahash_request_set_crypt(&rctx->fallback_req, req->src, req->result, ++ req->nbytes); + + return crypto_ahash_digest(&rctx->fallback_req); + } +@@ -194,8 +194,9 @@ static int tegra_sha_fallback_import(struct ahash_request *req, const void *in) + struct tegra_sha_ctx *ctx = crypto_ahash_ctx(tfm); + + ahash_request_set_tfm(&rctx->fallback_req, ctx->fallback_tfm); +- rctx->fallback_req.base.flags = req->base.flags & +- CRYPTO_TFM_REQ_MAY_SLEEP; ++ ahash_request_set_callback(&rctx->fallback_req, ++ req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP, ++ req->base.complete, req->base.data); + + return crypto_ahash_import(&rctx->fallback_req, in); + } +@@ -207,8 +208,9 @@ static int tegra_sha_fallback_export(struct ahash_request *req, void *out) + struct tegra_sha_ctx *ctx = crypto_ahash_ctx(tfm); + + ahash_request_set_tfm(&rctx->fallback_req, ctx->fallback_tfm); +- rctx->fallback_req.base.flags = req->base.flags & +- CRYPTO_TFM_REQ_MAY_SLEEP; ++ ahash_request_set_callback(&rctx->fallback_req, ++ req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP, ++ req->base.complete, req->base.data); + + return crypto_ahash_export(&rctx->fallback_req, out); + } +-- +2.50.1 (Apple Git-155) + diff --git a/1392-crypto-tegra-remove-the-use-of-dev-err-probe.patch b/1392-crypto-tegra-remove-the-use-of-dev-err-probe.patch new file mode 100644 index 000000000..211ee6342 --- /dev/null +++ b/1392-crypto-tegra-remove-the-use-of-dev-err-probe.patch @@ -0,0 +1,46 @@ +From d7e26cf1c6ec1ec012332f9b1ef126087c968d13 Mon Sep 17 00:00:00 2001 +From: Vladislav Dronov +Date: Sun, 7 Jun 2026 23:23:19 +0200 +Subject: [PATCH] crypto: tegra - Remove the use of dev_err_probe() + +JIRA: https://redhat.atlassian.net/browse/RHEL-176465 +Upstream Status: merged into the upstream linux.git + +commit 8595bcb09b05a6c712c35f03ef701e7785895b51 +Author: Liao Yuanhong +Date: Wed Aug 20 20:37:52 2025 +0800 + + crypto: tegra - Remove the use of dev_err_probe() + + Logging messages that show some type of "out of memory" error are generally + unnecessary as there is a generic message and a stack dump done by the + memory subsystem. These messages generally increase kernel size without + much added value[1]. + + The dev_err_probe() doesn't do anything when error is '-ENOMEM'. Therefore, + remove the useless call to dev_err_probe(), and just return the value + instead. + + [1]: https://lore.kernel.org/lkml/1402419340.30479.18.camel@joe-AO725/ + + Signed-off-by: Liao Yuanhong + Signed-off-by: Herbert Xu + +Signed-off-by: Vladislav Dronov + +diff --git a/drivers/crypto/tegra/tegra-se-main.c b/drivers/crypto/tegra/tegra-se-main.c +index 15ed363d09c9..4e7115b247e7 100644 +--- a/drivers/crypto/tegra/tegra-se-main.c ++++ b/drivers/crypto/tegra/tegra-se-main.c +@@ -310,7 +310,7 @@ static int tegra_se_probe(struct platform_device *pdev) + + se->engine = crypto_engine_alloc_init(dev, 0); + if (!se->engine) +- return dev_err_probe(dev, -ENOMEM, "failed to init crypto engine\n"); ++ return -ENOMEM; + + ret = crypto_engine_start(se->engine); + if (ret) { +-- +2.50.1 (Apple Git-155) + diff --git a/1393-crypto-tegra-use-int-type-to-store-negative-error-codes.patch b/1393-crypto-tegra-use-int-type-to-store-negative-error-codes.patch new file mode 100644 index 000000000..a0f9250b7 --- /dev/null +++ b/1393-crypto-tegra-use-int-type-to-store-negative-error-codes.patch @@ -0,0 +1,43 @@ +From a1d28aa82ab3b030bc0df6b55781f5b0f6d621cc Mon Sep 17 00:00:00 2001 +From: Vladislav Dronov +Date: Sun, 7 Jun 2026 23:23:19 +0200 +Subject: [PATCH] crypto: tegra - Use int type to store negative error codes + +JIRA: https://redhat.atlassian.net/browse/RHEL-176465 +Upstream Status: merged into the upstream linux.git + +commit a710a71cd8ad294937e03b352cd71deb7ad08700 +Author: Qianfeng Rong +Date: Wed Sep 3 21:25:37 2025 +0800 + + crypto: tegra - Use int type to store negative error codes + + Change the 'ret' variable in tegra_sha_do_update() from unsigned int to + int, as it needs to store either negative error codes or zero returned + by tegra_se_host1x_submit(). + + No effect on runtime. + + Signed-off-by: Qianfeng Rong + Signed-off-by: Herbert Xu + +Signed-off-by: Vladislav Dronov + +diff --git a/drivers/crypto/tegra/tegra-se-hash.c b/drivers/crypto/tegra/tegra-se-hash.c +index e3fe5911a324..79f1e5c9b729 100644 +--- a/drivers/crypto/tegra/tegra-se-hash.c ++++ b/drivers/crypto/tegra/tegra-se-hash.c +@@ -401,8 +401,9 @@ static int tegra_sha_do_update(struct ahash_request *req) + struct tegra_sha_ctx *ctx = crypto_ahash_ctx(crypto_ahash_reqtfm(req)); + struct tegra_sha_reqctx *rctx = ahash_request_ctx(req); + struct tegra_se *se = ctx->se; +- unsigned int nblks, nresidue, size, ret; ++ unsigned int nblks, nresidue, size; + u32 *cpuvaddr = se->cmdbuf->addr; ++ int ret; + + nresidue = (req->nbytes + rctx->residue.size) % rctx->blk_size; + nblks = (req->nbytes + rctx->residue.size) / rctx->blk_size; +-- +2.50.1 (Apple Git-155) + diff --git a/1394-crypto-tegra-add-missing-crypto-alg-async.patch b/1394-crypto-tegra-add-missing-crypto-alg-async.patch new file mode 100644 index 000000000..33689f4d7 --- /dev/null +++ b/1394-crypto-tegra-add-missing-crypto-alg-async.patch @@ -0,0 +1,224 @@ +From cc5bf4cbc38613252229691b5e3a5a4c5aea92af Mon Sep 17 00:00:00 2001 +From: Vladislav Dronov +Date: Sun, 7 Jun 2026 23:23:19 +0200 +Subject: [PATCH] crypto: tegra - Add missing CRYPTO_ALG_ASYNC + +JIRA: https://redhat.atlassian.net/browse/RHEL-176465 +Upstream Status: merged into the upstream linux.git +CVE: CVE-2026-31739 + +commit 4b56770d345524fc2acc143a2b85539cf7d74bc1 +Author: Eric Biggers +Date: Mon Mar 16 13:21:19 2026 -0700 + + crypto: tegra - Add missing CRYPTO_ALG_ASYNC + + The tegra crypto driver failed to set the CRYPTO_ALG_ASYNC on its + asynchronous algorithms, causing the crypto API to select them for users + that request only synchronous algorithms. This causes crashes (at + least). Fix this by adding the flag like what the other drivers do. + Also remove the unnecessary CRYPTO_ALG_TYPE_* flags, since those just + get ignored and overridden by the registration function anyway. + + Reported-by: Zorro Lang + Closes: https://lore.kernel.org/r/20260314080937.pghb4aa7d4je3mhh@dell-per750-06-vm-08.rhts.eng.pek2.redhat.com + Fixes: 0880bb3b00c8 ("crypto: tegra - Add Tegra Security Engine driver") + Cc: stable@vger.kernel.org + Cc: Akhil R + Signed-off-by: Eric Biggers + Signed-off-by: Herbert Xu + +Signed-off-by: Vladislav Dronov + +diff --git a/drivers/crypto/tegra/tegra-se-aes.c b/drivers/crypto/tegra/tegra-se-aes.c +index 8b91f00b9c31..30c78afe3dea 100644 +--- a/drivers/crypto/tegra/tegra-se-aes.c ++++ b/drivers/crypto/tegra/tegra-se-aes.c +@@ -532,7 +532,7 @@ static struct tegra_se_alg tegra_aes_algs[] = { + .cra_name = "cbc(aes)", + .cra_driver_name = "cbc-aes-tegra", + .cra_priority = 500, +- .cra_flags = CRYPTO_ALG_TYPE_SKCIPHER | CRYPTO_ALG_ASYNC, ++ .cra_flags = CRYPTO_ALG_ASYNC, + .cra_blocksize = AES_BLOCK_SIZE, + .cra_ctxsize = sizeof(struct tegra_aes_ctx), + .cra_alignmask = 0xf, +@@ -553,7 +553,7 @@ static struct tegra_se_alg tegra_aes_algs[] = { + .cra_name = "ecb(aes)", + .cra_driver_name = "ecb-aes-tegra", + .cra_priority = 500, +- .cra_flags = CRYPTO_ALG_TYPE_SKCIPHER | CRYPTO_ALG_ASYNC, ++ .cra_flags = CRYPTO_ALG_ASYNC, + .cra_blocksize = AES_BLOCK_SIZE, + .cra_ctxsize = sizeof(struct tegra_aes_ctx), + .cra_alignmask = 0xf, +@@ -575,7 +575,7 @@ static struct tegra_se_alg tegra_aes_algs[] = { + .cra_name = "ctr(aes)", + .cra_driver_name = "ctr-aes-tegra", + .cra_priority = 500, +- .cra_flags = CRYPTO_ALG_TYPE_SKCIPHER | CRYPTO_ALG_ASYNC, ++ .cra_flags = CRYPTO_ALG_ASYNC, + .cra_blocksize = 1, + .cra_ctxsize = sizeof(struct tegra_aes_ctx), + .cra_alignmask = 0xf, +@@ -597,6 +597,7 @@ static struct tegra_se_alg tegra_aes_algs[] = { + .cra_name = "xts(aes)", + .cra_driver_name = "xts-aes-tegra", + .cra_priority = 500, ++ .cra_flags = CRYPTO_ALG_ASYNC, + .cra_blocksize = AES_BLOCK_SIZE, + .cra_ctxsize = sizeof(struct tegra_aes_ctx), + .cra_alignmask = (__alignof__(u64) - 1), +@@ -1931,6 +1932,7 @@ static struct tegra_se_alg tegra_aead_algs[] = { + .cra_name = "gcm(aes)", + .cra_driver_name = "gcm-aes-tegra", + .cra_priority = 500, ++ .cra_flags = CRYPTO_ALG_ASYNC, + .cra_blocksize = 1, + .cra_ctxsize = sizeof(struct tegra_aead_ctx), + .cra_alignmask = 0xf, +@@ -1953,6 +1955,7 @@ static struct tegra_se_alg tegra_aead_algs[] = { + .cra_name = "ccm(aes)", + .cra_driver_name = "ccm-aes-tegra", + .cra_priority = 500, ++ .cra_flags = CRYPTO_ALG_ASYNC, + .cra_blocksize = 1, + .cra_ctxsize = sizeof(struct tegra_aead_ctx), + .cra_alignmask = 0xf, +@@ -1980,7 +1983,7 @@ static struct tegra_se_alg tegra_cmac_algs[] = { + .cra_name = "cmac(aes)", + .cra_driver_name = "tegra-se-cmac", + .cra_priority = 300, +- .cra_flags = CRYPTO_ALG_TYPE_AHASH, ++ .cra_flags = CRYPTO_ALG_ASYNC, + .cra_blocksize = AES_BLOCK_SIZE, + .cra_ctxsize = sizeof(struct tegra_cmac_ctx), + .cra_alignmask = 0, +diff --git a/drivers/crypto/tegra/tegra-se-hash.c b/drivers/crypto/tegra/tegra-se-hash.c +index 79f1e5c9b729..23d549801612 100644 +--- a/drivers/crypto/tegra/tegra-se-hash.c ++++ b/drivers/crypto/tegra/tegra-se-hash.c +@@ -764,7 +764,7 @@ static struct tegra_se_alg tegra_hash_algs[] = { + .cra_name = "sha1", + .cra_driver_name = "tegra-se-sha1", + .cra_priority = 300, +- .cra_flags = CRYPTO_ALG_TYPE_AHASH, ++ .cra_flags = CRYPTO_ALG_ASYNC, + .cra_blocksize = SHA1_BLOCK_SIZE, + .cra_ctxsize = sizeof(struct tegra_sha_ctx), + .cra_alignmask = 0, +@@ -789,7 +789,7 @@ static struct tegra_se_alg tegra_hash_algs[] = { + .cra_name = "sha224", + .cra_driver_name = "tegra-se-sha224", + .cra_priority = 300, +- .cra_flags = CRYPTO_ALG_TYPE_AHASH, ++ .cra_flags = CRYPTO_ALG_ASYNC, + .cra_blocksize = SHA224_BLOCK_SIZE, + .cra_ctxsize = sizeof(struct tegra_sha_ctx), + .cra_alignmask = 0, +@@ -814,7 +814,7 @@ static struct tegra_se_alg tegra_hash_algs[] = { + .cra_name = "sha256", + .cra_driver_name = "tegra-se-sha256", + .cra_priority = 300, +- .cra_flags = CRYPTO_ALG_TYPE_AHASH, ++ .cra_flags = CRYPTO_ALG_ASYNC, + .cra_blocksize = SHA256_BLOCK_SIZE, + .cra_ctxsize = sizeof(struct tegra_sha_ctx), + .cra_alignmask = 0, +@@ -839,7 +839,7 @@ static struct tegra_se_alg tegra_hash_algs[] = { + .cra_name = "sha384", + .cra_driver_name = "tegra-se-sha384", + .cra_priority = 300, +- .cra_flags = CRYPTO_ALG_TYPE_AHASH, ++ .cra_flags = CRYPTO_ALG_ASYNC, + .cra_blocksize = SHA384_BLOCK_SIZE, + .cra_ctxsize = sizeof(struct tegra_sha_ctx), + .cra_alignmask = 0, +@@ -864,7 +864,7 @@ static struct tegra_se_alg tegra_hash_algs[] = { + .cra_name = "sha512", + .cra_driver_name = "tegra-se-sha512", + .cra_priority = 300, +- .cra_flags = CRYPTO_ALG_TYPE_AHASH, ++ .cra_flags = CRYPTO_ALG_ASYNC, + .cra_blocksize = SHA512_BLOCK_SIZE, + .cra_ctxsize = sizeof(struct tegra_sha_ctx), + .cra_alignmask = 0, +@@ -889,7 +889,7 @@ static struct tegra_se_alg tegra_hash_algs[] = { + .cra_name = "sha3-224", + .cra_driver_name = "tegra-se-sha3-224", + .cra_priority = 300, +- .cra_flags = CRYPTO_ALG_TYPE_AHASH, ++ .cra_flags = CRYPTO_ALG_ASYNC, + .cra_blocksize = SHA3_224_BLOCK_SIZE, + .cra_ctxsize = sizeof(struct tegra_sha_ctx), + .cra_alignmask = 0, +@@ -914,7 +914,7 @@ static struct tegra_se_alg tegra_hash_algs[] = { + .cra_name = "sha3-256", + .cra_driver_name = "tegra-se-sha3-256", + .cra_priority = 300, +- .cra_flags = CRYPTO_ALG_TYPE_AHASH, ++ .cra_flags = CRYPTO_ALG_ASYNC, + .cra_blocksize = SHA3_256_BLOCK_SIZE, + .cra_ctxsize = sizeof(struct tegra_sha_ctx), + .cra_alignmask = 0, +@@ -939,7 +939,7 @@ static struct tegra_se_alg tegra_hash_algs[] = { + .cra_name = "sha3-384", + .cra_driver_name = "tegra-se-sha3-384", + .cra_priority = 300, +- .cra_flags = CRYPTO_ALG_TYPE_AHASH, ++ .cra_flags = CRYPTO_ALG_ASYNC, + .cra_blocksize = SHA3_384_BLOCK_SIZE, + .cra_ctxsize = sizeof(struct tegra_sha_ctx), + .cra_alignmask = 0, +@@ -964,7 +964,7 @@ static struct tegra_se_alg tegra_hash_algs[] = { + .cra_name = "sha3-512", + .cra_driver_name = "tegra-se-sha3-512", + .cra_priority = 300, +- .cra_flags = CRYPTO_ALG_TYPE_AHASH, ++ .cra_flags = CRYPTO_ALG_ASYNC, + .cra_blocksize = SHA3_512_BLOCK_SIZE, + .cra_ctxsize = sizeof(struct tegra_sha_ctx), + .cra_alignmask = 0, +@@ -991,7 +991,8 @@ static struct tegra_se_alg tegra_hash_algs[] = { + .cra_name = "hmac(sha224)", + .cra_driver_name = "tegra-se-hmac-sha224", + .cra_priority = 300, +- .cra_flags = CRYPTO_ALG_TYPE_AHASH | CRYPTO_ALG_NEED_FALLBACK, ++ .cra_flags = CRYPTO_ALG_ASYNC | ++ CRYPTO_ALG_NEED_FALLBACK, + .cra_blocksize = SHA224_BLOCK_SIZE, + .cra_ctxsize = sizeof(struct tegra_sha_ctx), + .cra_alignmask = 0, +@@ -1018,7 +1019,8 @@ static struct tegra_se_alg tegra_hash_algs[] = { + .cra_name = "hmac(sha256)", + .cra_driver_name = "tegra-se-hmac-sha256", + .cra_priority = 300, +- .cra_flags = CRYPTO_ALG_TYPE_AHASH | CRYPTO_ALG_NEED_FALLBACK, ++ .cra_flags = CRYPTO_ALG_ASYNC | ++ CRYPTO_ALG_NEED_FALLBACK, + .cra_blocksize = SHA256_BLOCK_SIZE, + .cra_ctxsize = sizeof(struct tegra_sha_ctx), + .cra_alignmask = 0, +@@ -1045,7 +1047,8 @@ static struct tegra_se_alg tegra_hash_algs[] = { + .cra_name = "hmac(sha384)", + .cra_driver_name = "tegra-se-hmac-sha384", + .cra_priority = 300, +- .cra_flags = CRYPTO_ALG_TYPE_AHASH | CRYPTO_ALG_NEED_FALLBACK, ++ .cra_flags = CRYPTO_ALG_ASYNC | ++ CRYPTO_ALG_NEED_FALLBACK, + .cra_blocksize = SHA384_BLOCK_SIZE, + .cra_ctxsize = sizeof(struct tegra_sha_ctx), + .cra_alignmask = 0, +@@ -1072,7 +1075,8 @@ static struct tegra_se_alg tegra_hash_algs[] = { + .cra_name = "hmac(sha512)", + .cra_driver_name = "tegra-se-hmac-sha512", + .cra_priority = 300, +- .cra_flags = CRYPTO_ALG_TYPE_AHASH | CRYPTO_ALG_NEED_FALLBACK, ++ .cra_flags = CRYPTO_ALG_ASYNC | ++ CRYPTO_ALG_NEED_FALLBACK, + .cra_blocksize = SHA512_BLOCK_SIZE, + .cra_ctxsize = sizeof(struct tegra_sha_ctx), + .cra_alignmask = 0, +-- +2.50.1 (Apple Git-155) + diff --git a/1395-crypto-tegra-don-t-touch-bo-refcount-in-host1x-bo-pin-unpin.patch b/1395-crypto-tegra-don-t-touch-bo-refcount-in-host1x-bo-pin-unpin.patch new file mode 100644 index 000000000..4e670e226 --- /dev/null +++ b/1395-crypto-tegra-don-t-touch-bo-refcount-in-host1x-bo-pin-unpin.patch @@ -0,0 +1,48 @@ +From c5fe58117093d6c4612c61902602e27df0ebe69a Mon Sep 17 00:00:00 2001 +From: Vladislav Dronov +Date: Sun, 7 Jun 2026 23:23:19 +0200 +Subject: [PATCH] crypto: tegra - Don't touch bo refcount in host1x bo + pin/unpin + +JIRA: https://redhat.atlassian.net/browse/RHEL-176465 +Upstream Status: merged into the upstream linux.git + +commit f8c9c57d750346abd213ffed2ae3cacb0268e9f1 +Author: Mikko Perttunen +Date: Fri May 15 11:34:52 2026 +0900 + + crypto: tegra - Don't touch bo refcount in host1x bo pin/unpin + + Since commit "gpu: host1x: Allow entries in BO caches to be freed", + host1x_bo_pin() and host1x_bo_unpin() handle the bo's refcount + themselves. .pin/.unpin callbacks should not adjust it. + + Signed-off-by: Mikko Perttunen + Signed-off-by: Herbert Xu + +Signed-off-by: Vladislav Dronov + +diff --git a/drivers/crypto/tegra/tegra-se-main.c b/drivers/crypto/tegra/tegra-se-main.c +index 4e7115b247e7..f0b6c4f0548f 100644 +--- a/drivers/crypto/tegra/tegra-se-main.c ++++ b/drivers/crypto/tegra/tegra-se-main.c +@@ -52,7 +52,7 @@ tegra_se_cmdbuf_pin(struct device *dev, struct host1x_bo *bo, enum dma_data_dire + return ERR_PTR(-ENOMEM); + + kref_init(&map->ref); +- map->bo = host1x_bo_get(bo); ++ map->bo = bo; + map->direction = direction; + map->dev = dev; + +@@ -93,7 +93,6 @@ static void tegra_se_cmdbuf_unpin(struct host1x_bo_mapping *map) + dma_unmap_sgtable(map->dev, map->sgt, map->direction, 0); + sg_free_table(map->sgt); + kfree(map->sgt); +- host1x_bo_put(map->bo); + + kfree(map); + } +-- +2.50.1 (Apple Git-155) + diff --git a/1396-crypto-tegra-fix-dma-free-coherent-size-error.patch b/1396-crypto-tegra-fix-dma-free-coherent-size-error.patch new file mode 100644 index 000000000..ee0f2ec87 --- /dev/null +++ b/1396-crypto-tegra-fix-dma-free-coherent-size-error.patch @@ -0,0 +1,127 @@ +From 5a7dc49ebe22d776913e8fd4fd3c835d1ac57db8 Mon Sep 17 00:00:00 2001 +From: Vladislav Dronov +Date: Sun, 7 Jun 2026 23:23:19 +0200 +Subject: [PATCH] crypto: tegra - Fix dma_free_coherent size error + +JIRA: https://redhat.atlassian.net/browse/RHEL-176465 +Upstream Status: merged into herbert/crypto-2.6.git + +commit 03215b8457784540acc741e6331e355b62c6c8ab +Author: Herbert Xu +Date: Tue May 19 12:22:18 2026 +0800 + + crypto: tegra - Fix dma_free_coherent size error + + When freeing a coherent DMA buffer, the size must match the value + that was used during the allocation. + + Unfortunately the size field in the tegra driver gets overwritten + by this point so it no longer matches and creates a warning. + + Fix this by saving a copy of the size on the stack. + + Note that the ccm function actually mixes up the inbuf and outbuf + sizes, but it doesn't matter because the two sizes are actually + equal. + + Fixes: 1cb328da4e8f ("crypto: tegra - Do not use fixed size buffers") + Reporeted-by: Patrick Talbert + Signed-off-by: Herbert Xu + Reviewed-by: Vladislav Dronov + Signed-off-by: Herbert Xu + +Signed-off-by: Vladislav Dronov + +diff --git a/drivers/crypto/tegra/tegra-se-aes.c b/drivers/crypto/tegra/tegra-se-aes.c +index 30c78afe3dea..5086e7f140c3 100644 +--- a/drivers/crypto/tegra/tegra-se-aes.c ++++ b/drivers/crypto/tegra/tegra-se-aes.c +@@ -1201,6 +1201,7 @@ static int tegra_ccm_do_one_req(struct crypto_engine *engine, void *areq) + struct crypto_aead *tfm = crypto_aead_reqtfm(req); + struct tegra_aead_ctx *ctx = crypto_aead_ctx(tfm); + struct tegra_se *se = ctx->se; ++ unsigned int bufsize; + int ret; + + ret = tegra_ccm_crypt_init(req, se, rctx); +@@ -1210,14 +1211,15 @@ static int tegra_ccm_do_one_req(struct crypto_engine *engine, void *areq) + rctx->key_id = ctx->key_id; + + /* Allocate buffers required */ +- rctx->inbuf.size = rctx->assoclen + rctx->authsize + rctx->cryptlen + 100; +- rctx->inbuf.buf = dma_alloc_coherent(ctx->se->dev, rctx->inbuf.size, ++ bufsize = rctx->assoclen + rctx->authsize + rctx->cryptlen + 100; ++ rctx->inbuf.size = bufsize; ++ rctx->inbuf.buf = dma_alloc_coherent(ctx->se->dev, bufsize, + &rctx->inbuf.addr, GFP_KERNEL); + if (!rctx->inbuf.buf) + goto out_finalize; + +- rctx->outbuf.size = rctx->assoclen + rctx->authsize + rctx->cryptlen + 100; +- rctx->outbuf.buf = dma_alloc_coherent(ctx->se->dev, rctx->outbuf.size, ++ rctx->outbuf.size = bufsize; ++ rctx->outbuf.buf = dma_alloc_coherent(ctx->se->dev, bufsize, + &rctx->outbuf.addr, GFP_KERNEL); + if (!rctx->outbuf.buf) { + ret = -ENOMEM; +@@ -1254,11 +1256,11 @@ static int tegra_ccm_do_one_req(struct crypto_engine *engine, void *areq) + } + + out: +- dma_free_coherent(ctx->se->dev, rctx->inbuf.size, ++ dma_free_coherent(ctx->se->dev, bufsize, + rctx->outbuf.buf, rctx->outbuf.addr); + + out_free_inbuf: +- dma_free_coherent(ctx->se->dev, rctx->outbuf.size, ++ dma_free_coherent(ctx->se->dev, bufsize, + rctx->inbuf.buf, rctx->inbuf.addr); + + if (tegra_key_is_reserved(rctx->key_id)) +@@ -1278,6 +1280,7 @@ static int tegra_gcm_do_one_req(struct crypto_engine *engine, void *areq) + struct crypto_aead *tfm = crypto_aead_reqtfm(req); + struct tegra_aead_ctx *ctx = crypto_aead_ctx(tfm); + struct tegra_aead_reqctx *rctx = aead_request_ctx(req); ++ unsigned int bufsize; + int ret; + + rctx->src_sg = req->src; +@@ -1296,16 +1299,17 @@ static int tegra_gcm_do_one_req(struct crypto_engine *engine, void *areq) + rctx->key_id = ctx->key_id; + + /* Allocate buffers required */ +- rctx->inbuf.size = rctx->assoclen + rctx->authsize + rctx->cryptlen; +- rctx->inbuf.buf = dma_alloc_coherent(ctx->se->dev, rctx->inbuf.size, ++ bufsize = rctx->assoclen + rctx->authsize + rctx->cryptlen; ++ rctx->inbuf.size = bufsize; ++ rctx->inbuf.buf = dma_alloc_coherent(ctx->se->dev, bufsize, + &rctx->inbuf.addr, GFP_KERNEL); + if (!rctx->inbuf.buf) { + ret = -ENOMEM; + goto out_finalize; + } + +- rctx->outbuf.size = rctx->assoclen + rctx->authsize + rctx->cryptlen; +- rctx->outbuf.buf = dma_alloc_coherent(ctx->se->dev, rctx->outbuf.size, ++ rctx->outbuf.size = bufsize; ++ rctx->outbuf.buf = dma_alloc_coherent(ctx->se->dev, bufsize, + &rctx->outbuf.addr, GFP_KERNEL); + if (!rctx->outbuf.buf) { + ret = -ENOMEM; +@@ -1342,11 +1346,11 @@ static int tegra_gcm_do_one_req(struct crypto_engine *engine, void *areq) + ret = tegra_gcm_do_verify(ctx->se, rctx); + + out: +- dma_free_coherent(ctx->se->dev, rctx->outbuf.size, ++ dma_free_coherent(ctx->se->dev, bufsize, + rctx->outbuf.buf, rctx->outbuf.addr); + + out_free_inbuf: +- dma_free_coherent(ctx->se->dev, rctx->inbuf.size, ++ dma_free_coherent(ctx->se->dev, bufsize, + rctx->inbuf.buf, rctx->inbuf.addr); + + if (tegra_key_is_reserved(rctx->key_id)) +-- +2.50.1 (Apple Git-155) + diff --git a/1397-crypto-tegra-return-enomem-when-input-buffer-allocation-fail.patch b/1397-crypto-tegra-return-enomem-when-input-buffer-allocation-fail.patch new file mode 100644 index 000000000..f3ceb1e9c --- /dev/null +++ b/1397-crypto-tegra-return-enomem-when-input-buffer-allocation-fail.patch @@ -0,0 +1,52 @@ +From c6c84318cd97fe4fdbc511248e126bf2d5eaceba Mon Sep 17 00:00:00 2001 +From: Vladislav Dronov +Date: Sun, 7 Jun 2026 23:23:19 +0200 +Subject: [PATCH] crypto: tegra - Return ENOMEM when input buffer allocation + fails for ccm + +JIRA: https://redhat.atlassian.net/browse/RHEL-176465 +Upstream Status: merged into herbert/crypto-2.6.git + +commit 690a5f9e5c972a580565ce544ed1627ccf1e84de +Author: Herbert Xu +Date: Wed May 20 10:51:14 2026 +0800 + + crypto: tegra - Return ENOMEM when input buffer allocation fails for ccm + + Ensure the ENOMEM error value is set when the input buffer allocation + fails in tegra_ccm_do_one_req. + + Fixes: 1e245948ca0c ("crypto: tegra - finalize crypto req on error") + Reported-by: Vladislav Dronov + Signed-off-by: Herbert Xu + Reviewed-by: Vladislav Dronov + Signed-off-by: Herbert Xu + +Signed-off-by: Vladislav Dronov + +diff --git a/drivers/crypto/tegra/tegra-se-aes.c b/drivers/crypto/tegra/tegra-se-aes.c +index 5086e7f140c3..9094c03e991f 100644 +--- a/drivers/crypto/tegra/tegra-se-aes.c ++++ b/drivers/crypto/tegra/tegra-se-aes.c +@@ -1215,16 +1215,15 @@ static int tegra_ccm_do_one_req(struct crypto_engine *engine, void *areq) + rctx->inbuf.size = bufsize; + rctx->inbuf.buf = dma_alloc_coherent(ctx->se->dev, bufsize, + &rctx->inbuf.addr, GFP_KERNEL); ++ ret = -ENOMEM; + if (!rctx->inbuf.buf) + goto out_finalize; + + rctx->outbuf.size = bufsize; + rctx->outbuf.buf = dma_alloc_coherent(ctx->se->dev, bufsize, + &rctx->outbuf.addr, GFP_KERNEL); +- if (!rctx->outbuf.buf) { +- ret = -ENOMEM; ++ if (!rctx->outbuf.buf) + goto out_free_inbuf; +- } + + if (!ctx->key_id) { + ret = tegra_key_submit_reserved_aes(ctx->se, ctx->key, +-- +2.50.1 (Apple Git-155) + diff --git a/1398-rdma-mlx5-fix-error-path-fall-through-in-mlx5-ib-dev-res-srq.patch b/1398-rdma-mlx5-fix-error-path-fall-through-in-mlx5-ib-dev-res-srq.patch new file mode 100644 index 000000000..194bb8956 --- /dev/null +++ b/1398-rdma-mlx5-fix-error-path-fall-through-in-mlx5-ib-dev-res-srq.patch @@ -0,0 +1,41 @@ +From bc2cf5935b4665172235341163315905197ae91d Mon Sep 17 00:00:00 2001 +From: Junrui Luo +Date: Fri, 24 Apr 2026 13:51:02 +0800 +Subject: [PATCH] RDMA/mlx5: Fix error path fall-through in + mlx5_ib_dev_res_srq_init() + +commit c488df06bd552bb8b6e14fa0cfd5ad986c6e9525 upstream. + +mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When +ib_create_srq() fails for s1, the error branch destroys s0 but falls +through and unconditionally assigns the freed s0 and the ERR_PTR s1 to +devr->s0 and devr->s1. + +This leads to several problems: the lock-free fast path checks +"if (devr->s1) return 0;" and treats the ERR_PTR as already initialised; +users in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via +to_msrq(devr->s0)->msrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences +the ERR_PTR and double-frees s0 on teardown. + +Fix by adding the same `goto unlock` in the s1 failure path. + +Cc: stable@vger.kernel.org +Fixes: 5895e70f2e6e ("IB/mlx5: Allocate resources just before first QP/SRQ is created") +Link: https://patch.msgid.link/r/SYBPR01MB7881E1E0970268BD69C0BA75AF2B2@SYBPR01MB7881.ausprd01.prod.outlook.com +Reported-by: Yuhao Jiang +Signed-off-by: Junrui Luo +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c +index 4077815..082a7e9 100644 +--- a/drivers/infiniband/hw/mlx5/main.c ++++ b/drivers/infiniband/hw/mlx5/main.c +@@ -3121,6 +3121,7 @@ int mlx5_ib_dev_res_srq_init(struct mlx5_ib_dev *dev) + "Couldn't create SRQ 1 for res init, err=%pe\n", + s1); + ib_destroy_srq(s0); ++ goto unlock; + } + + devr->s0 = s0; diff --git a/kernel.spec b/kernel.spec index 5d4e3db9c..e3143da2b 100644 --- a/kernel.spec +++ b/kernel.spec @@ -176,13 +176,13 @@ Summary: The Linux kernel %define specrpmversion 6.12.0 %define specversion 6.12.0 %define patchversion 6.12 -%define pkgrelease 211.28.2 +%define pkgrelease 211.29.1 %define kversion 6 %define tarfile_release 6.12.0-211.7.1.el10_2 # This is needed to do merge window version magic %define patchlevel 12 # This allows pkg_release to have configurable %%{?dist} tag -%define specrelease 211.28.2%{?buildid}%{?dist} +%define specrelease 211.29.1%{?buildid}%{?dist} # This defines the kabi tarball version %define kabiversion 6.12.0-211.7.1.el10_2 @@ -1420,6 +1420,19 @@ Patch1382: 1382-tcp-fix-potential-race-in-tcp-v6-syn-recv-sock.patch Patch1383: 1383-selinux-rhel-only-hotfix-for-execmem-regression.patch Patch1384: 1384-ipv4-account-for-fraggap-on-the-paged-allocation-path.patch Patch1385: 1385-ipv6-account-for-fraggap-on-the-paged-allocation-path.patch +Patch1386: 1386-alsa-usb-audio-add-sanity-check-for-oob-writes-at-silencing.patch +Patch1387: 1387-alsa-aloop-fix-peer-runtime-uaf-during-format-change-stop.patch +Patch1388: 1388-rdma-vmw-pvrdma-fix-double-free-on-pvrdma-alloc-ucontext-err.patch +Patch1389: 1389-scsi-qla2xxx-add-support-to-report-mpi-fw-state.patch +Patch1390: 1390-crypto-tegra-remove-unneeded-crypto-engine-stop-call.patch +Patch1391: 1391-crypto-tegra-use-api-helpers-to-setup-fallback-request.patch +Patch1392: 1392-crypto-tegra-remove-the-use-of-dev-err-probe.patch +Patch1393: 1393-crypto-tegra-use-int-type-to-store-negative-error-codes.patch +Patch1394: 1394-crypto-tegra-add-missing-crypto-alg-async.patch +Patch1395: 1395-crypto-tegra-don-t-touch-bo-refcount-in-host1x-bo-pin-unpin.patch +Patch1396: 1396-crypto-tegra-fix-dma-free-coherent-size-error.patch +Patch1397: 1397-crypto-tegra-return-enomem-when-input-buffer-allocation-fail.patch +Patch1398: 1398-rdma-mlx5-fix-error-path-fall-through-in-mlx5-ib-dev-res-srq.patch # END OF PATCH DEFINITIONS %description @@ -2562,6 +2575,19 @@ ApplyPatch 1382-tcp-fix-potential-race-in-tcp-v6-syn-recv-sock.patch ApplyPatch 1383-selinux-rhel-only-hotfix-for-execmem-regression.patch ApplyPatch 1384-ipv4-account-for-fraggap-on-the-paged-allocation-path.patch ApplyPatch 1385-ipv6-account-for-fraggap-on-the-paged-allocation-path.patch +ApplyPatch 1386-alsa-usb-audio-add-sanity-check-for-oob-writes-at-silencing.patch +ApplyPatch 1387-alsa-aloop-fix-peer-runtime-uaf-during-format-change-stop.patch +ApplyPatch 1388-rdma-vmw-pvrdma-fix-double-free-on-pvrdma-alloc-ucontext-err.patch +ApplyPatch 1389-scsi-qla2xxx-add-support-to-report-mpi-fw-state.patch +ApplyPatch 1390-crypto-tegra-remove-unneeded-crypto-engine-stop-call.patch +ApplyPatch 1391-crypto-tegra-use-api-helpers-to-setup-fallback-request.patch +ApplyPatch 1392-crypto-tegra-remove-the-use-of-dev-err-probe.patch +ApplyPatch 1393-crypto-tegra-use-int-type-to-store-negative-error-codes.patch +ApplyPatch 1394-crypto-tegra-add-missing-crypto-alg-async.patch +ApplyPatch 1395-crypto-tegra-don-t-touch-bo-refcount-in-host1x-bo-pin-unpin.patch +ApplyPatch 1396-crypto-tegra-fix-dma-free-coherent-size-error.patch +ApplyPatch 1397-crypto-tegra-return-enomem-when-input-buffer-allocation-fail.patch +ApplyPatch 1398-rdma-mlx5-fix-error-path-fall-through-in-mlx5-ib-dev-res-srq.patch # END OF PATCH APPLICATIONS # Any further pre-build tree manipulations happen here. @@ -5066,6 +5092,26 @@ fi\ # # %changelog +* Wed Jul 01 2026 Andrew Lukoshko - 6.12.0-211.29.1 +- Recreate RHEL 6.12.0-211.29.1 from CentOS Stream 10 and upstream stable backports (1386-1398) +- Retain AlmaLinux ahead-of-RHEL fixes: CVE-2026-46316 (1374), ipv4/ipv6 fraggap (1384-1385) +- RHEL changelog for 211.29.1 follows: + +* Mon Jun 29 2026 CKI KWF Bot [6.12.0-211.29.1.el10_2] +- RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init() (CKI Backport Bot) [RHEL-180001] {CVE-2026-46176} +- crypto: tegra - Return ENOMEM when input buffer allocation fails for ccm (Vladislav Dronov) [RHEL-182759] +- crypto: tegra - Fix dma_free_coherent size error (Vladislav Dronov) [RHEL-182759] +- crypto: tegra - Don't touch bo refcount in host1x bo pin/unpin (Vladislav Dronov) [RHEL-182759] +- crypto: tegra - Add missing CRYPTO_ALG_ASYNC (Vladislav Dronov) [RHEL-182759] {CVE-2026-31739} +- crypto: tegra - Use int type to store negative error codes (Vladislav Dronov) [RHEL-182759] +- crypto: tegra - Remove the use of dev_err_probe() (Vladislav Dronov) [RHEL-182759] +- crypto: tegra - use API helpers to setup fallback request (Vladislav Dronov) [RHEL-182759] +- crypto: tegra - remove unneeded crypto_engine_stop() call (Vladislav Dronov) [RHEL-182759] +- scsi: qla2xxx: Add support to report MPI FW state (Ewan D. Milne) [RHEL-181887] +- RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path (CKI Backport Bot) [RHEL-179965] {CVE-2026-46189} +- ALSA: aloop: Fix peer runtime UAF during format-change stop (CKI Backport Bot) [RHEL-179317] {CVE-2026-46090} +- ALSA: usb-audio: Add sanity check for OOB writes at silencing (CKI Backport Bot) [RHEL-173937] {CVE-2026-43279} + * Tue Jun 30 2026 Andrew Lukoshko - 6.12.0-211.28.2 - Add upstream ipv4/ipv6 fraggap paged-allocation fixes (1384-1385) eca856950f7c ipv4: account for fraggap on the paged allocation path