diff --git a/1352-s390-ap-expose-ap-bindings-complete-count-counter-via-sysfs.patch b/1352-s390-ap-expose-ap-bindings-complete-count-counter-via-sysfs.patch
new file mode 100644
index 000000000..16f06a1d9
--- /dev/null
+++ b/1352-s390-ap-expose-ap-bindings-complete-count-counter-via-sysfs.patch
@@ -0,0 +1,66 @@
+From 274bd4477e9c0ac5f42dcc960f4841bc5d2e5171 Mon Sep 17 00:00:00 2001
+From: Mete Durlu
+Date: Fri, 13 Mar 2026 16:12:26 +0100
+Subject: [PATCH] s390/ap: Expose ap_bindings_complete_count counter via sysfs
+
+JIRA: https://issues.redhat.com/browse/RHEL-155896
+
+commit 51d921a613b1e89a47c2c262bbef1d7b0b032ac7
+Author: Harald Freudenberger
+Date: Fri Oct 17 16:51:52 2025 +0200
+
+ s390/ap: Expose ap_bindings_complete_count counter via sysfs
+
+ The AP bus udev event BINDINGS=complete is sent out when the
+ first time all devices detected by the AP bus scan have been
+ bound to device drivers. This is the ideal time to for example
+ change the AP bus masks apmask and aqmask to re-establish a
+ persistent change on the decision about which cards/domains
+ should be available for the host and which should go into the
+ pool for kvm guests.
+
+ However, if exactly this initial udev event is sent out early
+ in the boot process a udev rule may not have been established
+ yet and thus this event will never be recognized. To have
+ some indication about if the AP bus binding complete has
+ already happened, the internal ap_bindings_complete_count
+ counter is exposed via sysfs with this patch.
+
+ Suggested-by: Matthew Rosato
+ Signed-off-by: Harald Freudenberger
+ Tested-by: Matthew Rosato
+ Signed-off-by: Heiko Carstens
+
+Signed-off-by: Mete Durlu
+
+diff --git a/drivers/s390/crypto/ap_bus.c b/drivers/s390/crypto/ap_bus.c
+index 15f663e3343a..7345b8c179c7 100644
+--- a/drivers/s390/crypto/ap_bus.c
++++ b/drivers/s390/crypto/ap_bus.c
+@@ -1584,6 +1584,15 @@ static ssize_t bindings_show(const struct bus_type *bus, char *buf)
+
+ static BUS_ATTR_RO(bindings);
+
++static ssize_t bindings_complete_count_show(const struct bus_type *bus,
++ char *buf)
++{
++ return sysfs_emit(buf, "%llu\n",
++ atomic64_read(&ap_bindings_complete_count));
++}
++
++static BUS_ATTR_RO(bindings_complete_count);
++
+ static ssize_t features_show(const struct bus_type *bus, char *buf)
+ {
+ int n = 0;
+@@ -1624,6 +1633,7 @@ static struct attribute *ap_bus_attrs[] = {
+ &bus_attr_aqmask.attr,
+ &bus_attr_scans.attr,
+ &bus_attr_bindings.attr,
++ &bus_attr_bindings_complete_count.attr,
+ &bus_attr_features.attr,
+ NULL,
+ };
+--
+2.50.1 (Apple Git-155)
+
diff --git a/1353-rxrpc-fix-rxgk-token-loading-to-check-bounds.patch b/1353-rxrpc-fix-rxgk-token-loading-to-check-bounds.patch
new file mode 100644
index 000000000..9fbc7c4e7
--- /dev/null
+++ b/1353-rxrpc-fix-rxgk-token-loading-to-check-bounds.patch
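Review bot: bindings_complete_count_show() prints the s64 returned by atomic64_read() with "%llu", a signed/unsigned format mismatch that -Wformat-signedness would flag. The counter cannot go negative, so the output is correct, but an explicit cast makes the intent visible: `return sysfs_emit(buf, "%llu\n", (unsigned long long)atomic64_read(&ap_bindings_complete_count));`. Using "%lld" would match the type directly instead; the rest of ap_bus.c may already follow one convention, which this hunk does not show.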
@@ -0,0 +1,135 @@
+From f8d027e5525d00e6de81cebce1912c9e9d18de2a Mon Sep 17 00:00:00 2001
+From: CKI Backport Bot
+Date: Tue, 28 Apr 2026 11:23:37 +0000
+Subject: [PATCH] rxrpc: Fix RxGK token loading to check bounds
+
+JIRA: https://redhat.atlassian.net/browse/RHEL-171420
+CVE: CVE-2026-31641
+
+commit d179a868dd755b0cfcf7582e00943d702b9943b8
+Author: Oleh Konko
+Date: Wed Apr 8 13:12:33 2026 +0100
+
+ rxrpc: Fix RxGK token loading to check bounds
+
+ rxrpc_preparse_xdr_yfs_rxgk() reads the raw key length and ticket length
+ from the XDR token as u32 values and passes each through round_up(x, 4)
+ before using the rounded value for validation and allocation. When the raw
+ length is >= 0xfffffffd, round_up() wraps to 0, so the bounds check and
+ kzalloc both use 0 while the subsequent memcpy still copies the original
+ ~4 GiB value, producing a heap buffer overflow reachable from an
+ unprivileged add_key() call.
+
+ Fix this by:
+
+ (1) Rejecting raw key lengths above AFSTOKEN_GK_KEY_MAX and raw ticket
+ lengths above AFSTOKEN_GK_TOKEN_MAX before rounding, consistent with
+ the caps that the RxKAD path already enforces via AFSTOKEN_RK_TIX_MAX.
+
+ (2) Sizing the flexible-array allocation from the validated raw key
+ length via struct_size_t() instead of the rounded value.
+
+ (3) Caching the raw lengths so that the later field assignments and
+ memcpy calls do not re-read from the token, eliminating a class of
+ TOCTOU re-parse.
+
+ The control path (valid token with lengths within bounds) is unaffected.
+
+ Fixes: 0ca100ff4df6 ("rxrpc: Add YFS RxGK (GSSAPI) security class")
+ Signed-off-by: Oleh Konko
+ Signed-off-by: David Howells
+ Reviewed-by: Jeffrey Altman
+ cc: Marc Dionne
+ cc: Simon Horman
+ cc: linux-afs@lists.infradead.org
+ cc: stable@kernel.org
+ Link: https://patch.msgid.link/20260408121252.2249051-6-dhowells@redhat.com
+ Signed-off-by: Jakub Kicinski
+
+Signed-off-by: CKI Backport Bot
+
+diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c
+index 9fdc1f031c9d..6ff2c504dd41 100644
+--- a/net/rxrpc/key.c
++++ b/net/rxrpc/key.c
+@@ -13,6 +13,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -171,7 +172,7 @@ static int rxrpc_preparse_xdr_yfs_rxgk(struct key_preparsed_payload *prep,
+ size_t plen;
+ const __be32 *ticket, *key;
+ s64 tmp;
+- u32 tktlen, keylen;
++ size_t raw_keylen, raw_tktlen, keylen, tktlen;
+
+ _enter(",{%x,%x,%x,%x},%x",
+ ntohl(xdr[0]), ntohl(xdr[1]), ntohl(xdr[2]), ntohl(xdr[3]),
+@@ -181,18 +182,22 @@ static int rxrpc_preparse_xdr_yfs_rxgk(struct key_preparsed_payload *prep,
+ goto reject;
+
+ key = xdr + (6 * 2 + 1);
+- keylen = ntohl(key[-1]);
+- _debug("keylen: %x", keylen);
+- keylen = round_up(keylen, 4);
++ raw_keylen = ntohl(key[-1]);
++ _debug("keylen: %zx", raw_keylen);
++ if (raw_keylen > AFSTOKEN_GK_KEY_MAX)
++ goto reject;
++ keylen = round_up(raw_keylen, 4);
+ if ((6 * 2 + 2) * 4 + keylen > toklen)
+ goto reject;
+
+ ticket = xdr + (6 * 2 + 1 + (keylen / 4) + 1);
+- tktlen = ntohl(ticket[-1]);
+- _debug("tktlen: %x", tktlen);
+- tktlen = round_up(tktlen, 4);
++ raw_tktlen = ntohl(ticket[-1]);
++ _debug("tktlen: %zx", raw_tktlen);
++ if (raw_tktlen > AFSTOKEN_GK_TOKEN_MAX)
++ goto reject;
++ tktlen = round_up(raw_tktlen, 4);
+ if ((6 * 2 + 2) * 4 + keylen + tktlen != toklen) {
+- kleave(" = -EKEYREJECTED [%x!=%x, %x,%x]",
++ kleave(" = -EKEYREJECTED [%zx!=%x, %zx,%zx]",
+ (6 * 2 + 2) * 4 + keylen + tktlen, toklen,
+ keylen, tktlen);
+ goto reject;
+@@ -206,7 +211,7 @@ static int rxrpc_preparse_xdr_yfs_rxgk(struct key_preparsed_payload *prep,
+ if (!token)
+ goto nomem;
+
+- token->rxgk = kzalloc(sizeof(*token->rxgk) + keylen, GFP_KERNEL);
++ token->rxgk = kzalloc(struct_size_t(struct rxgk_key, _key, raw_keylen), GFP_KERNEL);
+ if (!token->rxgk)
+ goto nomem_token;
+
+@@ -221,9 +226,9 @@ static int rxrpc_preparse_xdr_yfs_rxgk(struct key_preparsed_payload *prep,
+ token->rxgk->enctype = tmp = xdr_dec64(xdr + 5 * 2);
+ if (tmp < 0 || tmp > UINT_MAX)
+ goto reject_token;
+- token->rxgk->key.len = ntohl(key[-1]);
++ token->rxgk->key.len = raw_keylen;
+ token->rxgk->key.data = token->rxgk->_key;
+- token->rxgk->ticket.len = ntohl(ticket[-1]);
++ token->rxgk->ticket.len = raw_tktlen;
+
+ if (token->rxgk->endtime != 0) {
+ expiry = rxrpc_s64_to_time64(token->rxgk->endtime);
+@@ -236,8 +241,7 @@ static int rxrpc_preparse_xdr_yfs_rxgk(struct key_preparsed_payload *prep,
+ memcpy(token->rxgk->key.data, key, token->rxgk->key.len);
+
+ /* Pad the ticket so that we can use it directly in XDR */
+- token->rxgk->ticket.data = kzalloc(round_up(token->rxgk->ticket.len, 4),
+- GFP_KERNEL);
++ token->rxgk->ticket.data = kzalloc(tktlen, GFP_KERNEL);
+ if (!token->rxgk->ticket.data)
+ goto nomem_yrxgk;
+ memcpy(token->rxgk->ticket.data, ticket, token->rxgk->ticket.len);
+--
+2.50.1 (Apple Git-155)
+
diff --git a/1354-xen-privcmd-fix-double-free-via-vma-splitting.patch b/1354-xen-privcmd-fix-double-free-via-vma-splitting.patch
new file mode 100644
index 000000000..9da1bf693
--- /dev/null
+++ b/1354-xen-privcmd-fix-double-free-via-vma-splitting.patch
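Review bot: The two new caps on raw_keylen and raw_tktlen are what keep round_up() from wrapping and the later memcpy sizes honest, but nothing at the check site says so; a comment above the first one, `/* Cap before round_up(): a raw length >= 0xfffffffd would round to 0 */`, would stop a future cleanup from moving or loosening it. The cached lengths are size_t and are assigned to `key.len` and `ticket.len`, whose field types are outside this hunk; please confirm they are at least as wide as AFSTOKEN_GK_KEY_MAX and AFSTOKEN_GK_TOKEN_MAX, otherwise the assignment narrows silently. The header name in the added `#include` line was lost in page extraction, so the include itself cannot be reviewed here. rxrpc_preparse_xdr_yfs_rxgk() begins and ends outside the hunk.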
@@ -0,0 +1,62 @@
+From 2894a351fe2ea8684919d36df3188b9a35e3926f Mon Sep 17 00:00:00 2001
+From: Juergen Gross
+Date: Fri, 10 Apr 2026 09:20:04 +0200
+Subject: [PATCH] xen/privcmd: fix double free via VMA splitting
+
+commit 24daca4fc07f3ff8cd0e3f629cd982187f48436a upstream.
+
+privcmd_vm_ops defines .close (privcmd_close), but neither .may_split
+nor .open. When userspace does a partial munmap() on a privcmd mapping,
+the kernel splits the VMA via __split_vma(). Since may_split is NULL,
+the split is allowed. vm_area_dup() copies vm_private_data (a pages
+array allocated in alloc_empty_pages()) into the new VMA without any
+fixup, because there is no .open callback.
+
+Both VMAs now point to the same pages array. When the unmapped portion
+is closed, privcmd_close() calls:
+ - xen_unmap_domain_gfn_range()
+ - xen_free_unpopulated_pages()
+ - kvfree(pages)
+
+The surviving VMA still holds the dangling pointer. When it is later
+destroyed, the same sequence runs again, which leads to a double free.
+
+Fix this issue by adding a .may_split callback denying the VMA split.
+
+This is XSA-487 / CVE-2026-31787
+
+Fixes: d71f513985c2 ("xen: privcmd: support autotranslated physmap guests.")
+Reported-by: Atharva Vartak
+Suggested-by: Atharva Vartak
+Signed-off-by: Juergen Gross
+Reviewed-by: Jan Beulich
+Signed-off-by: Greg Kroah-Hartman
+
+diff --git a/drivers/xen/privcmd.c b/drivers/xen/privcmd.c
+index d7d9d427e51a..115b54c3805b 100644
+--- a/drivers/xen/privcmd.c
++++ b/drivers/xen/privcmd.c
+@@ -1639,6 +1639,12 @@ static void privcmd_close(struct vm_area_struct *vma)
+ kvfree(pages);
+ }
+
++static int privcmd_may_split(struct vm_area_struct *area, unsigned long addr)
++{
++ /* Forbid splitting, avoids double free via privcmd_close(). */
++ return -EINVAL;
++}
++
+ static vm_fault_t privcmd_fault(struct vm_fault *vmf)
+ {
+ printk(KERN_DEBUG "privcmd_fault: vma=%p %lx-%lx, pgoff=%lx, uv=%p\n",
+@@ -1650,6 +1656,7 @@ static vm_fault_t privcmd_fault(struct vm_fault *vmf)
+
+ static const struct vm_operations_struct privcmd_vm_ops = {
+ .close = privcmd_close,
++ .may_split = privcmd_may_split,
+ .fault = privcmd_fault
+ };
+
+--
+2.50.1 (Apple Git-155)
+
diff --git a/1355-bluetooth-hci-sync-fix-stack-buffer-overflow-in-hci-le-big-c.patch b/1355-bluetooth-hci-sync-fix-stack-buffer-overflow-in-hci-le-big-c.patch
new file mode 100644
index 000000000..7d840c273
--- /dev/null
+++ b/1355-bluetooth-hci-sync-fix-stack-buffer-overflow-in-hci-le-big-c.patch
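Review bot: privcmd_may_split() denies every split, which as far as I can tell also changes the outcome of partial mprotect(), madvise() and mremap() on privcmd mappings (they reach the same __split_vma() path), not only the partial munmap() described in the log; the comment should record that so the new -EINVAL is not later mistaken for a regression. Something like `/* Forbid splitting: both halves would share vm_private_data and privcmd_close() would free it twice; partial munmap/mprotect/madvise now fail with -EINVAL. */` says both the why and the user-visible effect. The unused `area` and `addr` parameters are expected for a vm_operations_struct callback and need no change.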
@@ -0,0 +1,65 @@
+From 4bdf131363bf22e4cfb8dbaaf0cf38ae0e18dfe7 Mon Sep 17 00:00:00 2001
+From: David Marlin
+Date: Thu, 7 May 2026 18:01:01 -0500
+Subject: [PATCH] Bluetooth: hci_sync: fix stack buffer overflow in
+ hci_le_big_create_sync
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+JIRA: https://issues.redhat.com/browse/RHEL-172460
+
+JIRA: https://issues.redhat.com/browse/RHEL-172865
+CVE: CVE-2026-31772
+
+commit bc39a094730ce062fa034a529c93147c096cb488
+Author: hkbinbin
+Date: Tue Mar 31 05:39:16 2026 +0000
+
+ Bluetooth: hci_sync: fix stack buffer overflow in hci_le_big_create_sync
+
+ hci_le_big_create_sync() uses DEFINE_FLEX to allocate a
+ struct hci_cp_le_big_create_sync on the stack with room for 0x11 (17)
+ BIS entries. However, conn->num_bis can hold up to HCI_MAX_ISO_BIS (31)
+ entries — validated against ISO_MAX_NUM_BIS (0x1f) in the caller
+ hci_conn_big_create_sync(). When conn->num_bis is between 18 and 31,
+ the memcpy that copies conn->bis into cp->bis writes up to 14 bytes
+ past the stack buffer, corrupting adjacent stack memory.
+
+ This is trivially reproducible: binding an ISO socket with
+ bc_num_bis = ISO_MAX_NUM_BIS (31) and calling listen() will
+ eventually trigger hci_le_big_create_sync() from the HCI command
+ sync worker, causing a KASAN-detectable stack-out-of-bounds write:
+
+ BUG: KASAN: stack-out-of-bounds in hci_le_big_create_sync+0x256/0x3b0
+ Write of size 31 at addr ffffc90000487b48 by task kworker/u9:0/71
+
+ Fix this by changing the DEFINE_FLEX count from the incorrect 0x11 to
+ HCI_MAX_ISO_BIS, which matches the maximum number of BIS entries that
+ conn->bis can actually carry.
+
+ Fixes: 42ecf1947135 ("Bluetooth: ISO: Do not emit LE BIG Create Sync if previous is pending")
+ Cc: stable@vger.kernel.org
+ Signed-off-by: hkbinbin
+ Reviewed-by: Paul Menzel
+ Signed-off-by: Luiz Augusto von Dentz
+
+Signed-off-by: David Marlin
+
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index 092118b12e18..9096f6ba940b 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -7241,7 +7241,8 @@ static void create_big_complete(struct hci_dev *hdev, void *data, int err)
+
+ static int hci_le_big_create_sync(struct hci_dev *hdev, void *data)
+ {
+- DEFINE_FLEX(struct hci_cp_le_big_create_sync, cp, bis, num_bis, 0x11);
++ DEFINE_FLEX(struct hci_cp_le_big_create_sync, cp, bis, num_bis,
++ HCI_MAX_ISO_BIS);
+ struct hci_conn *conn = data;
+ struct bt_iso_qos *qos = &conn->iso_qos;
+ int err;
+--
+2.50.1 (Apple Git-155)
+
diff --git a/1356-buffer-overflow-in-drivers-xen-sys-hypervisor-c.patch b/1356-buffer-overflow-in-drivers-xen-sys-hypervisor-c.patch
new file mode 100644
index 000000000..4ec00005c
--- /dev/null
+++ b/1356-buffer-overflow-in-drivers-xen-sys-hypervisor-c.patch
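Review bot: The DEFINE_FLEX count is now HCI_MAX_ISO_BIS, but the memcpy that fills cp->bis (outside the hunk) still relies entirely on the caller having bounded conn->num_bis against ISO_MAX_NUM_BIS, and that coupling between the two limits is not recorded anywhere at the site of the fix. A comment on the new line, `/* conn->num_bis is checked against ISO_MAX_NUM_BIS by the caller; keep this bound in sync */`, or a compile-time guard in the function body such as `BUILD_BUG_ON(ISO_MAX_NUM_BIS > HCI_MAX_ISO_BIS);`, would make a future divergence of the two constants fail at build time rather than overflow the stack again. hci_le_big_create_sync() continues beyond the hunk.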
@@ -0,0 +1,63 @@
+From 5c5ff7c7bd15bb536f44b10b3fb5b8408f344d0a Mon Sep 17 00:00:00 2001
+From: Juergen Gross
+Date: Fri, 27 Mar 2026 14:13:38 +0100
+Subject: [PATCH] Buffer overflow in drivers/xen/sys-hypervisor.c
+
+commit 27fdbab4221b375de54bf91919798d88520c6e28 upstream.
+
+The build id returned by HYPERVISOR_xen_version(XENVER_build_id) is
+neither NUL terminated nor a string.
+
+The first causes a buffer overflow as sprintf in buildid_show will
+read and copy till it finds a NUL.
+
+00000000 f4 91 51 f4 dd 38 9e 9d 65 47 52 eb 10 71 db 50 |..Q..8..eGR..q.P|
+00000010 b9 a8 01 42 6f 2e 32 |...Bo.2|
+00000017
+
+So use a memcpy instead of sprintf to have the correct value:
+
+00000000 f4 91 51 f4 dd 00 9e 9d 65 47 52 eb 10 71 db 50 |..Q.....eGR..q.P|
+00000010 b9 a8 01 42 |...B|
+00000014
+
+(the above have a hack to embed a zero inside and check it's
+returned correctly).
+
+This is XSA-485 / CVE-2026-31786
+
+Fixes: 84b7625728ea ("xen: add sysfs node for hypervisor build id")
+Signed-off-by: Frediano Ziglio
+Reviewed-by: Juergen Gross
+Signed-off-by: Juergen Gross
+Signed-off-by: Greg Kroah-Hartman
+
+diff --git a/drivers/xen/sys-hypervisor.c b/drivers/xen/sys-hypervisor.c
+index 2f880374b463..c1a0ca1b1b5f 100644
+--- a/drivers/xen/sys-hypervisor.c
++++ b/drivers/xen/sys-hypervisor.c
+@@ -366,6 +366,8 @@ static ssize_t buildid_show(struct hyp_sysfs_attr *attr, char *buffer)
+ ret = sprintf(buffer, "");
+ return ret;
+ }
++ if (ret > PAGE_SIZE)
++ return -ENOSPC;
+
+ buildid = kmalloc(sizeof(*buildid) + ret, GFP_KERNEL);
+ if (!buildid)
+@@ -373,8 +375,10 @@ static ssize_t buildid_show(struct hyp_sysfs_attr *attr, char *buffer)
+
+ buildid->len = ret;
+ ret = HYPERVISOR_xen_version(XENVER_build_id, buildid);
+- if (ret > 0)
+- ret = sprintf(buffer, "%s", buildid->buf);
++ if (ret > 0) {
++ /* Build id is binary, not a string. */
++ memcpy(buffer, buildid->buf, ret);
++ }
+ kfree(buildid);
+
+ return ret;
+--
+2.50.1 (Apple Git-155)
+
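Review bot: The new memcpy copies `ret` bytes as reported by the second HYPERVISOR_xen_version() call, but only the first call's result was checked against PAGE_SIZE and used to size buildid->buf; if the second call ever reports a larger length than the first, the copy overruns both the allocation and the sysfs page. The hypervisor is expected to honour buildid->len, so this is hardening rather than a live bug, but it is cheap: `if (ret > buildid->len) ret = -EIO;` immediately after the second call, before the `if (ret > 0)` block. The added `ret > PAGE_SIZE` comparison mixes a signed ret with an unsigned PAGE_SIZE and is presumably safe only because the branch just above already returned for non-positive values; a short comment there would make that dependency explicit. buildid_show() begins before the hunk.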
diff --git a/1357-can-isotp-fix-tx-buf-use-after-free-in-isotp-sendmsg.patch b/1357-can-isotp-fix-tx-buf-use-after-free-in-isotp-sendmsg.patch
new file mode 100644
index 000000000..2dcb7832e
--- /dev/null
+++ b/1357-can-isotp-fix-tx-buf-use-after-free-in-isotp-sendmsg.patch
@@ -0,0 +1,91 @@
+From a3d5e28fb3f0f40b12dff60955e3961c64e679ff Mon Sep 17 00:00:00 2001
+From: CKI Backport Bot
+Date: Tue, 12 May 2026 14:05:16 +0000
+Subject: [PATCH] can: isotp: fix tx.buf use-after-free in isotp_sendmsg()
+
+JIRA: https://redhat.atlassian.net/browse/RHEL-175537
+CVE: CVE-2026-31474
+
+commit 424e95d62110cdbc8fd12b40918f37e408e35a92
+Author: Oliver Hartkopp
+Date: Thu Mar 19 16:47:45 2026 +0100
+
+ can: isotp: fix tx.buf use-after-free in isotp_sendmsg()
+
+ isotp_sendmsg() uses only cmpxchg() on so->tx.state to serialize access
+ to so->tx.buf. isotp_release() waits for ISOTP_IDLE via
+ wait_event_interruptible() and then calls kfree(so->tx.buf).
+
+ If a signal interrupts the wait_event_interruptible() inside close()
+ while tx.state is ISOTP_SENDING, the loop exits early and release
+ proceeds to force ISOTP_SHUTDOWN and continues to kfree(so->tx.buf)
+ while sendmsg may still be reading so->tx.buf for the final CAN frame
+ in isotp_fill_dataframe().
+
+ The so->tx.buf can be allocated once when the standard tx.buf length needs
+ to be extended. Move the kfree() of this potentially extended tx.buf to
+ sk_destruct time when either isotp_sendmsg() and isotp_release() are done.
+
+ Fixes: 96d1c81e6a04 ("can: isotp: add module parameter for maximum pdu size")
+ Cc: stable@vger.kernel.org
+ Reported-by: Ali Norouzi
+ Co-developed-by: Ali Norouzi
+ Signed-off-by: Ali Norouzi
+ Signed-off-by: Oliver Hartkopp
+ Link: https://patch.msgid.link/20260319-fix-can-gw-and-can-isotp-v2-2-c45d52c6d2d8@pengutronix.de
+ Signed-off-by: Marc Kleine-Budde
+
+Signed-off-by: CKI Backport Bot
+
+diff --git a/net/can/isotp.c b/net/can/isotp.c
+index 515ab62b0943..23efb4d79228 100644
+--- a/net/can/isotp.c
++++ b/net/can/isotp.c
+@@ -1230,12 +1230,6 @@ static int isotp_release(struct socket *sock)
+ so->ifindex = 0;
+ so->bound = 0;
+
+- if (so->rx.buf != so->rx.sbuf)
+- kfree(so->rx.buf);
+-
+- if (so->tx.buf != so->tx.sbuf)
+- kfree(so->tx.buf);
+-
+ sock_orphan(sk);
+ sock->sk = NULL;
+
+@@ -1603,6 +1597,21 @@ static int isotp_notifier(struct notifier_block *nb, unsigned long msg,
+ return NOTIFY_DONE;
+ }
+
++static void isotp_sock_destruct(struct sock *sk)
++{
++ struct isotp_sock *so = isotp_sk(sk);
++
++ /* do the standard CAN sock destruct work */
++ can_sock_destruct(sk);
++
++ /* free potential extended PDU buffers */
++ if (so->rx.buf != so->rx.sbuf)
++ kfree(so->rx.buf);
++
++ if (so->tx.buf != so->tx.sbuf)
++ kfree(so->tx.buf);
++}
++
+ static int isotp_init(struct sock *sk)
+ {
+ struct isotp_sock *so = isotp_sk(sk);
+@@ -1647,6 +1656,9 @@ static int isotp_init(struct sock *sk)
+ list_add_tail(&so->notifier, &isotp_notifier_list);
+ spin_unlock(&isotp_notifier_lock);
+
++ /* re-assign default can_sock_destruct() reference */
++ sk->sk_destruct = isotp_sock_destruct;
++
+ return 0;
+ }
+
+--
+2.50.1 (Apple Git-155)
+
diff --git a/1358-scsi-lpfc-fix-reusing-an-ndlp-that-is-marked-nlp-dropped-dur.patch b/1358-scsi-lpfc-fix-reusing-an-ndlp-that-is-marked-nlp-dropped-dur.patch
new file mode 100644
index 000000000..2f2beb85f
--- /dev/null
+++ b/1358-scsi-lpfc-fix-reusing-an-ndlp-that-is-marked-nlp-dropped-dur.patch
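Review bot: isotp_sock_destruct() becomes the sole owner of the extended rx/tx buffers, but nothing at the function states why freeing there is safe when freeing in isotp_release() was not; a header comment such as `/* Called once the last reference to sk is gone, i.e. after both isotp_sendmsg() and isotp_release() have finished, so rx.buf/tx.buf can no longer be in use. */` records the invariant the fix depends on. The `sk->sk_destruct` assignment in isotp_init() is placed after the notifier registration; since the buffers default to the inline sbuf ones this should not leak on an earlier init failure, but the part of isotp_init() between the two hunks is not visible, so please confirm no extended buffer can be allocated before that line. isotp_init()'s body is only partly shown.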
@@ -0,0 +1,126 @@
+From a1229adf21035776936072b77d724e9e79cdf813 Mon Sep 17 00:00:00 2001
+From: Paul Ely
+Date: Wed, 3 Dec 2025 20:18:59 -0500
+Subject: [PATCH] scsi: lpfc: Fix reusing an ndlp that is marked NLP_DROPPED
+ during FLOGI
+
+JIRA: https://issues.redhat.com/browse/RHEL-127898
+
+commit 07caedc6a3887938813727beafea40f07c497705
+Author: Justin Tee
+Date: Thu Nov 6 14:46:36 2025 -0800
+
+ scsi: lpfc: Fix reusing an ndlp that is marked NLP_DROPPED during FLOGI
+
+ It's possible for an unstable link to repeatedly bounce allowing a FLOGI
+ retry, but then bounce again forcing an abort of the FLOGI. Ensure that
+ the initial reference count on the FLOGI ndlp is restored in this faulty
+ link scenario.
+
+ Signed-off-by: Justin Tee
+ Link: https://patch.msgid.link/20251106224639.139176-8-justintee8345@gmail.com
+ Signed-off-by: Martin K. Petersen
+
+Signed-off-by: Paul Ely
+
+diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
+index f8df66009c35..ef6e4ee9b608 100644
+--- a/drivers/scsi/lpfc/lpfc_els.c
++++ b/drivers/scsi/lpfc/lpfc_els.c
+@@ -934,10 +934,15 @@ lpfc_cmpl_els_flogi(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb,
+ /* Check to see if link went down during discovery */
+ if (lpfc_els_chk_latt(vport)) {
+ /* One additional decrement on node reference count to
+- * trigger the release of the node
++ * trigger the release of the node. Make sure the ndlp
++ * is marked NLP_DROPPED.
+ */
+- if (!(ndlp->fc4_xpt_flags & SCSI_XPT_REGD))
++ if (!test_bit(NLP_IN_DEV_LOSS, &ndlp->nlp_flag) &&
++ !test_bit(NLP_DROPPED, &ndlp->nlp_flag) &&
++ !(ndlp->fc4_xpt_flags & SCSI_XPT_REGD)) {
++ set_bit(NLP_DROPPED, &ndlp->nlp_flag);
+ lpfc_nlp_put(ndlp);
++ }
+ goto out;
+ }
+
+@@ -995,9 +1000,10 @@ lpfc_cmpl_els_flogi(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb,
+ IOERR_LOOP_OPEN_FAILURE)))
+ lpfc_vlog_msg(vport, KERN_WARNING, LOG_ELS,
+ "2858 FLOGI Status:x%x/x%x TMO"
+- ":x%x Data x%lx x%x\n",
++ ":x%x Data x%lx x%x x%lx x%x\n",
+ ulp_status, ulp_word4, tmo,
+- phba->hba_flag, phba->fcf.fcf_flag);
++ phba->hba_flag, phba->fcf.fcf_flag,
++ ndlp->nlp_flag, ndlp->fc4_xpt_flags);
+
+ /* Check for retry */
+ if (lpfc_els_retry(phba, cmdiocb, rspiocb)) {
+@@ -1015,14 +1021,17 @@ lpfc_cmpl_els_flogi(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb,
+ * reference to trigger node release.
+ */
+ if (!test_bit(NLP_IN_DEV_LOSS, &ndlp->nlp_flag) &&
+- !(ndlp->fc4_xpt_flags & SCSI_XPT_REGD))
++ !test_bit(NLP_DROPPED, &ndlp->nlp_flag) &&
++ !(ndlp->fc4_xpt_flags & SCSI_XPT_REGD)) {
++ set_bit(NLP_DROPPED, &ndlp->nlp_flag);
+ lpfc_nlp_put(ndlp);
++ }
+
+ lpfc_printf_vlog(vport, KERN_WARNING, LOG_ELS,
+ "0150 FLOGI Status:x%x/x%x "
+- "xri x%x TMO:x%x refcnt %d\n",
++ "xri x%x iotag x%x TMO:x%x refcnt %d\n",
+ ulp_status, ulp_word4, cmdiocb->sli4_xritag,
+- tmo, kref_read(&ndlp->kref));
++ cmdiocb->iotag, tmo, kref_read(&ndlp->kref));
+
+ /* If this is not a loop open failure, bail out */
+ if (!(ulp_status == IOSTAT_LOCAL_REJECT &&
+@@ -1279,6 +1288,19 @@ lpfc_issue_els_flogi(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp,
+ uint32_t tmo, did;
+ int rc;
+
++ /* It's possible for lpfc to reissue a FLOGI on an ndlp that is marked
++ * NLP_DROPPED. This happens when the FLOGI completed with the XB bit
++ * set causing lpfc to reference the ndlp until the XRI_ABORTED CQE is
++ * issued. The time window for the XRI_ABORTED CQE can be as much as
++ * 2*2*RA_TOV allowing for ndlp reuse of this type when the link is
++ * cycling quickly. When true, restore the initial reference and remove
++ * the NLP_DROPPED flag as lpfc is retrying.
++ */
++ if (test_and_clear_bit(NLP_DROPPED, &ndlp->nlp_flag)) {
++ if (!lpfc_nlp_get(ndlp))
++ return 1;
++ }
++
+ cmdsize = (sizeof(uint32_t) + sizeof(struct serv_parm));
+ elsiocb = lpfc_prep_els_iocb(vport, 1, cmdsize, retry, ndlp,
+ ndlp->nlp_DID, ELS_CMD_FLOGI);
+diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c
+index 1510ed28f5a4..dcf78ea77a7d 100644
+--- a/drivers/scsi/lpfc/lpfc_hbadisc.c
++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c
+@@ -424,6 +424,7 @@ lpfc_check_nlp_post_devloss(struct lpfc_vport *vport,
+ struct lpfc_nodelist *ndlp)
+ {
+ if (test_and_clear_bit(NLP_IN_RECOV_POST_DEV_LOSS, &ndlp->save_flags)) {
++ clear_bit(NLP_DROPPED, &ndlp->nlp_flag);
+ lpfc_nlp_get(ndlp);
+ lpfc_printf_vlog(vport, KERN_INFO, LOG_DISCOVERY | LOG_NODE,
+ "8438 Devloss timeout reversed on DID x%x "
+@@ -566,7 +567,8 @@ lpfc_dev_loss_tmo_handler(struct lpfc_nodelist *ndlp)
+ return fcf_inuse;
+ }
+
+- lpfc_nlp_put(ndlp);
++ if (!test_and_set_bit(NLP_DROPPED, &ndlp->nlp_flag))
++ lpfc_nlp_put(ndlp);
+ return fcf_inuse;
+ }
+
+--
+2.50.1 (Apple Git-155)
+
diff --git a/1359-bluetooth-hci-event-fix-potential-uaf-in-ssp-passkey-handler.patch b/1359-bluetooth-hci-event-fix-potential-uaf-in-ssp-passkey-handler.patch
new file mode 100644
index 000000000..b28becf3d
--- /dev/null
+++ b/1359-bluetooth-hci-event-fix-potential-uaf-in-ssp-passkey-handler.patch
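Review bot: In lpfc_issue_els_flogi() the new block clears NLP_DROPPED with test_and_clear_bit() and then returns 1 when lpfc_nlp_get() fails, leaving the flag cleared on an ndlp the code had just treated as dropped; every other site in this patch pairs the flag and the reference count, so the asymmetry stands out. If lpfc_nlp_get() returning NULL can only mean the kref already reached zero and the node is being torn down, the cleared bit is harmless and a one-line comment on the `return 1` saying so is enough; if a live ndlp can reach that path, restore the flag first: `if (!lpfc_nlp_get(ndlp)) { set_bit(NLP_DROPPED, &ndlp->nlp_flag); return 1; }`. Which case applies depends on lpfc_nlp_get(), which is outside the hunk. The flag/put pairings in lpfc_cmpl_els_flogi() and lpfc_dev_loss_tmo_handler() look consistent with each other.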
@@ -0,0 +1,98 @@
+From 22386453397f34a0238d452c87184b741aaaee80 Mon Sep 17 00:00:00 2001
+From: David Marlin
+Date: Thu, 7 May 2026 18:01:01 -0500
+Subject: [PATCH] Bluetooth: hci_event: fix potential UAF in SSP passkey
+ handlers
+
+JIRA: https://issues.redhat.com/browse/RHEL-172460
+
+commit 85fa3512048793076eef658f66489112dcc91993
+Author: Shuvam Pandey
+Date: Thu Apr 9 00:32:30 2026 +0545
+
+ Bluetooth: hci_event: fix potential UAF in SSP passkey handlers
+
+ hci_conn lookup and field access must be covered by hdev lock in
+ hci_user_passkey_notify_evt() and hci_keypress_notify_evt(), otherwise
+ the connection can be freed concurrently.
+
+ Extend the hci_dev_lock critical section to cover all conn usage in both
+ handlers.
+
+ Keep the existing keypress notification behavior unchanged by routing
+ the early exits through a common unlock path.
+
+ Fixes: 92a25256f142 ("Bluetooth: mgmt: Implement support for passkey notification")
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Shuvam Pandey
+ Signed-off-by: Luiz Augusto von Dentz
+
+Signed-off-by: David Marlin
+
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index 3ebc5e6d45d9..6500f7a327f6 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -5498,9 +5498,11 @@ static void hci_user_passkey_notify_evt(struct hci_dev *hdev, void *data,
+
+ bt_dev_dbg(hdev, "");
+
++ hci_dev_lock(hdev);
++
+ conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
+ if (!conn)
+- return;
++ goto unlock;
+
+ conn->passkey_notify = __le32_to_cpu(ev->passkey);
+ conn->passkey_entered = 0;
+@@ -5509,6 +5511,9 @@ static void hci_user_passkey_notify_evt(struct hci_dev *hdev, void *data,
+ mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
+ conn->dst_type, conn->passkey_notify,
+ conn->passkey_entered);
++
++unlock:
++ hci_dev_unlock(hdev);
+ }
+
+ static void hci_keypress_notify_evt(struct hci_dev *hdev, void *data,
+@@ -5519,14 +5524,16 @@ static void hci_keypress_notify_evt(struct hci_dev *hdev, void *data,
+
+ bt_dev_dbg(hdev, "");
+
++ hci_dev_lock(hdev);
++
+ conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
+ if (!conn)
+- return;
++ goto unlock;
+
+ switch (ev->type) {
+ case HCI_KEYPRESS_STARTED:
+ conn->passkey_entered = 0;
+- return;
++ goto unlock;
+
+ case HCI_KEYPRESS_ENTERED:
+ conn->passkey_entered++;
+@@ -5541,13 +5548,16 @@ static void hci_keypress_notify_evt(struct hci_dev *hdev, void *data,
+ break;
+
+ case HCI_KEYPRESS_COMPLETED:
+- return;
++ goto unlock;
+ }
+
+ if (hci_dev_test_flag(hdev, HCI_MGMT))
+ mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
+ conn->dst_type, conn->passkey_notify,
+ conn->passkey_entered);
++
++unlock:
++ hci_dev_unlock(hdev);
+ }
+
+ static void hci_simple_pair_complete_evt(struct hci_dev *hdev, void *data,
+--
+2.50.1 (Apple Git-155)
+
diff --git a/1360-wifi-mac80211-use-safe-list-iteration-in-radar-detect-work.patch b/1360-wifi-mac80211-use-safe-list-iteration-in-radar-detect-work.patch
new file mode 100644
index 000000000..92e47eb59
--- /dev/null
+++ b/1360-wifi-mac80211-use-safe-list-iteration-in-radar-detect-work.patch
@@ -0,0 +1,39 @@
+From 887ece6c23b49d02a6678e7a8d5ad213d75883ce Mon Sep 17 00:00:00 2001
+From: Benjamin Berg
+Date: Tue, 5 May 2026 15:15:40 +0200
+Subject: [PATCH] wifi: mac80211: use safe list iteration in radar detect work
+
+commit ac8eb3e18f41e2cc8492cc1d358bcb786c850270 upstream.
+
+The call to ieee80211_dfs_cac_cancel can cause the iterated chanctx to
+be freed and removed from the list. Guard against this to avoid a
+slab-use-after-free error.
+
+Cc: stable@vger.kernel.org
+Fixes: bca8bc0399ac ("wifi: mac80211: handle ieee80211_radar_detected() for MLO")
+Signed-off-by: Benjamin Berg
+Link: https://patch.msgid.link/20260505151539.236d63a1b736.I35dbb9e96a2d4a480be208770fdd99ba3b817b79@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+diff --git a/net/mac80211/util.c b/net/mac80211/util.c
+index 77638e965726..5bb9e1d2479f 100644
+--- a/net/mac80211/util.c
++++ b/net/mac80211/util.c
+@@ -3504,11 +3504,11 @@ void ieee80211_dfs_radar_detected_work(struct wiphy *wiphy,
+ struct ieee80211_local *local =
+ container_of(work, struct ieee80211_local, radar_detected_work);
+ struct cfg80211_chan_def chandef;
+- struct ieee80211_chanctx *ctx;
++ struct ieee80211_chanctx *ctx, *tmp;
+
+ lockdep_assert_wiphy(local->hw.wiphy);
+
+- list_for_each_entry(ctx, &local->chanctx_list, list) {
++ list_for_each_entry_safe(ctx, tmp, &local->chanctx_list, list) {
+ if (ctx->replace_state == IEEE80211_CHANCTX_REPLACES_OTHER)
+ continue;
+
+--
+2.50.1 (Apple Git-155)
+
diff --git a/1361-wifi-mac80211-drop-stray-static-from-fast-rx-rx-result.patch b/1361-wifi-mac80211-drop-stray-static-from-fast-rx-rx-result.patch
new file mode 100644
index 000000000..b3defedde
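Review bot: list_for_each_entry_safe() only tolerates the current `ctx` being unlinked; if the ieee80211_dfs_cac_cancel() call in the loop body (outside the hunk) can also tear down other channel contexts, `tmp` may already point at freed memory on the next iteration and the slab-use-after-free just moves one entry over. If that cannot happen under the wiphy lock asserted above, a comment on the loop, `/* cac_cancel may free ctx itself, but never another list entry */`, documents why _safe is sufficient; otherwise the loop needs to restart from the list head after a cancel. ieee80211_dfs_radar_detected_work() continues beyond the hunk.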
--- /dev/null
+++ b/1361-wifi-mac80211-drop-stray-static-from-fast-rx-rx-result.patch
@@ -0,0 +1,41 @@
+From 1739fc31b4de06c5c78ce0741182770fb079091e Mon Sep 17 00:00:00 2001
+From: Catherine
+Date: Fri, 24 Apr 2026 21:14:36 +0800
+Subject: [PATCH] wifi: mac80211: drop stray 'static' from fast-RX rx_result
+
+commit 7a5b81e0c87a075afd572f659d8eb68c9c4cd2ba upstream.
+
+ieee80211_invoke_fast_rx() is documented as safe for parallel RX, but
+its per-invocation rx_result is declared static. Concurrent callers then
+share one instance and can overwrite each other's result between
+ieee80211_rx_mesh_data() and the switch on res.
+
+That can make a packet that was queued or consumed by
+ieee80211_rx_mesh_data() fall through into ieee80211_rx_8023(), or make
+a packet that should continue return as queued.
+
+Make res an automatic variable so each invocation keeps its own result.
+
+Fixes: 3468e1e0c639 ("wifi: mac80211: add mesh fast-rx support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Catherine
+Link: https://patch.msgid.link/20260424131435.83212-2-enderaoelyther@gmail.com
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
+index e4a3ce716f6b..590702838392 100644
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -4882,7 +4882,7 @@ static bool ieee80211_invoke_fast_rx(struct ieee80211_rx_data *rx,
+ struct sk_buff *skb = rx->skb;
+ struct ieee80211_hdr *hdr = (void *)skb->data;
+ struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
+- static ieee80211_rx_result res;
++ ieee80211_rx_result res;
+ int orig_len = skb->len;
+ int hdrlen = ieee80211_hdrlen(hdr->frame_control);
+ int snap_offs = hdrlen;
+--
+2.50.1 (Apple Git-155)
+
diff --git a/1362-wifi-mac80211-remove-station-if-connection-prep-fails.patch b/1362-wifi-mac80211-remove-station-if-connection-prep-fails.patch
new file mode 100644
index 000000000..11f664fd6
--- /dev/null
+++ b/1362-wifi-mac80211-remove-station-if-connection-prep-fails.patch 
@@ -0,0 +1,59 @@
+From afcbaed89cdc1a001b43270cbf5394bb4804270a Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Tue, 5 May 2026 15:15:34 +0200
+Subject: [PATCH] wifi: mac80211: remove station if connection prep fails
+
+commit 283fc9e44ff5b5ac967439b4951b80bd4299f4e4 upstream.
+
+If connection preparation fails for MLO connections, then the
+interface is completely reset to non-MLD. In this case, we must
+not keep the station since it's related to the link of the vif
+being removed. Delete an existing station. Any "new_sta" is
+already being removed, so that doesn't need changes.
+
+This fixes a use-after-free/double-free in debugfs if that's
+enabled, because a vif going from MLD (and to MLD, but that's
+not relevant here) recreates its entire debugfs.
+
+Cc: stable@vger.kernel.org
+Fixes: 81151ce462e5 ("wifi: mac80211: support MLO authentication/association with one link")
+Reviewed-by: Miriam Rachel Korenblit
+Link: https://patch.msgid.link/20260505151533.c4e52deb06ad.Iafe56cec7de8512626169496b134bce3a6c17010@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
+index f3138d1..11caa4e 100644
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -8890,7 +8890,7 @@ static int ieee80211_prep_connection(struct ieee80211_sub_if_data *sdata,
+ struct ieee80211_bss *bss = (void *)cbss->priv;
+ struct sta_info *new_sta = NULL;
+ struct ieee80211_link_data *link;
+- bool have_sta = false;
++ struct sta_info *have_sta = NULL;
+ bool mlo;
+ int err;
+ u16 new_links;
+@@ -8909,11 +8909,8 @@ static int ieee80211_prep_connection(struct ieee80211_sub_if_data *sdata,
+ mlo = false;
+ }
+
+- if (assoc) {
+- rcu_read_lock();
++ if (assoc)
+ have_sta = sta_info_get(sdata, ap_mld_addr);
+- rcu_read_unlock();
+- }
+
+ if (mlo && !have_sta &&
+ WARN_ON(sdata->vif.valid_links || sdata->vif.active_links))
+@@ -9072,6 +9069,8 @@ static int ieee80211_prep_connection(struct ieee80211_sub_if_data *sdata,
+ out_release_chan:
+ ieee80211_link_release_channel(link);
+ out_err:
++ if (mlo && have_sta)
++ WARN_ON(__sta_info_destroy(have_sta));
+ ieee80211_vif_set_links(sdata, 0, 0);
+ return err;
+ }
diff --git a/1363-bnxt-en-fix-rss-context-delete-logic.patch b/1363-bnxt-en-fix-rss-context-delete-logic.patch
new file mode 100644
index 000000000..77c242f22
--- /dev/null
+++ b/1363-bnxt-en-fix-rss-context-delete-logic.patch
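Review bot: `have_sta` is now a `struct sta_info *` returned by sta_info_get() with the surrounding rcu_read_lock()/rcu_read_unlock() removed, and it is dereferenced much later in `__sta_info_destroy(have_sta)` at out_err; that is only safe if the caller holds a lock that keeps the station alive for the whole function (presumably the wiphy lock, which the hunks do not show). A one-line comment at the assignment, `/* lifetime covered by the wiphy lock held by our caller, no RCU needed */`, would record that dependency. The destroy is also gated on `mlo`, so a failed non-MLO prep deliberately keeps the pre-existing station; that asymmetry matches the description but deserves a comment at the `if (mlo && have_sta)`. ieee80211_prep_connection() starts and continues outside the hunks.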
@@ -0,0 +1,72 @@
+From 6427dde01daa725ddd17ac84c033dba89b75011a Mon Sep 17 00:00:00 2001
+From: CKI Backport Bot
+Date: Fri, 29 May 2026 08:33:51 +0000
+Subject: [PATCH] bnxt_en: Fix RSS context delete logic
+
+JIRA: https://redhat.atlassian.net/browse/RHEL-180316
+CVE: CVE-2026-43260
+Backported from tree(s): linux
+
+commit e123d9302d223767bd910bfbcfe607bae909f8ac
+Author: Pavan Chebbi
+Date: Thu Feb 19 10:53:11 2026 -0800
+
+ bnxt_en: Fix RSS context delete logic
+
+ We need to free the corresponding RSS context VNIC
+ in FW everytime an RSS context is deleted in driver.
+ Commit 667ac333dbb7 added a check to delete the VNIC
+ in FW only when netif_running() is true to help delete
+ RSS contexts with interface down.
+
+ Having that condition will make the driver leak VNICs
+ in FW whenever close() happens with active RSS contexts.
+ On the subsequent open(), as part of RSS context restoration,
+ we will end up trying to create extra VNICs for which we
+ did not make any reservation. FW can fail this request,
+ thereby making us lose active RSS contexts.
+
+ Suppose an RSS context is deleted already and we try to
+ process a delete request again, then the HWRM functions
+ will check for validity of the request and they simply
+ return if the resource is already freed. So, even for
+ delete-when-down cases, netif_running() check is not
+ necessary.
+
+ Remove the netif_running() condition check when deleting
+ an RSS context.
+
+ Reported-by: Jakub Kicinski
+ Fixes: 667ac333dbb7 ("eth: bnxt: allow deleting RSS contexts when the device is down")
+ Reviewed-by: Andy Gospodarek
+ Signed-off-by: Pavan Chebbi
+ Signed-off-by: Michael Chan
+ Link: https://patch.msgid.link/20260219185313.2682148-2-michael.chan@broadcom.com
+ Signed-off-by: Jakub Kicinski
+
+Signed-off-by: CKI Backport Bot
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index d212468cf8aa..3a88c43cdf2b 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -10734,12 +10734,10 @@ void bnxt_del_one_rss_ctx(struct bnxt *bp, struct bnxt_rss_ctx *rss_ctx,
+ struct bnxt_ntuple_filter *ntp_fltr;
+ int i;
+
+- if (netif_running(bp->dev)) {
+- bnxt_hwrm_vnic_free_one(bp, &rss_ctx->vnic);
+- for (i = 0; i < BNXT_MAX_CTX_PER_VNIC; i++) {
+- if (vnic->fw_rss_cos_lb_ctx[i] != INVALID_HW_RING_ID)
+- bnxt_hwrm_vnic_ctx_free_one(bp, vnic, i);
+- }
++ bnxt_hwrm_vnic_free_one(bp, &rss_ctx->vnic);
++ for (i = 0; i < BNXT_MAX_CTX_PER_VNIC; i++) {
++ if (vnic->fw_rss_cos_lb_ctx[i] != INVALID_HW_RING_ID)
++ bnxt_hwrm_vnic_ctx_free_one(bp, vnic, i);
+ }
+ if (!all)
+ return;
+--
+2.50.1 (Apple Git-155)
+
diff --git a/1364-objtool-klp-fix-unexported-static-call-key-access-for-manual.patch b/1364-objtool-klp-fix-unexported-static-call-key-access-for-manual.patch
new file mode 100644
index 000000000..9e3a759e4
--- /dev/null
+++ b/1364-objtool-klp-fix-unexported-static-call-key-access-for-manual.patch
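Review bot: The HWRM frees now run even when the netdev is down, so the code depends on bnxt_hwrm_vnic_free_one() and bnxt_hwrm_vnic_ctx_free_one() tolerating an already-freed VNIC or context (the description says they validate the request and return); nothing in the hunk records that, and the next person who sees a firmware call issued with the interface down may re-add the guard this commit removes. A comment above the first free, `/* Always release in FW: the HWRM helpers are no-ops for already-freed resources, so this is safe with the device down. */`, would capture the invariant. bnxt_del_one_rss_ctx() starts and continues outside the hunk.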
@@ -0,0 +1,63 @@
+From 38c161cc88e827fd254aad30a0b7b19bbd85c014 Mon Sep 17 00:00:00 2001
+From: Yannick Cote
+Date: Fri, 15 May 2026 23:45:14 +0000
+Subject: [PATCH] objtool/klp: Fix unexported static call key access for
+ manually built livepatch modules
+
+JIRA: https://redhat.atlassian.net/browse/RHEL-152189
+
+commit f495054bd12e2abe5068e243bdf344b704c303c6
+Author: Josh Poimboeuf
+Date: Mon Feb 2 11:00:17 2026 -0800
+
+ objtool/klp: Fix unexported static call key access for manually built livepatch modules
+
+ Enabling CONFIG_MEM_ALLOC_PROFILING_DEBUG with CONFIG_SAMPLE_LIVEPATCH
+ results in the following error:
+
+ samples/livepatch/livepatch-shadow-fix1.o: error: objtool: static_call: can't find static_call_key symbol: __SCK__WARN_trap
+
+ This is caused an extra file->klp sanity check which was added by commit
+ 164c9201e1da ("objtool: Add base objtool support for livepatch
+ modules"). That check was intended to ensure that livepatch modules
+ built with klp-build always have full access to their static call keys.
+
+ However, it failed to account for the fact that manually built livepatch
+ modules (i.e., not built with klp-build) might need access to unexported
+ static call keys, for which read-only access is typically allowed for
+ modules.
+
+ While the livepatch-shadow-fix1 module doesn't explicitly use any static
+ calls, it does have a memory allocation, which can cause
+ CONFIG_MEM_ALLOC_PROFILING_DEBUG to insert a WARN() call. And WARN() is
+ now an unexported static call as of commit 860238af7a33 ("x86_64/bug:
+ Inline the UD1").
+
+ Fix it by removing the overzealous file->klp check, restoring the
+ original behavior for manually built livepatch modules.
+
+ Fixes: 164c9201e1da ("objtool: Add base objtool support for livepatch modules")
+ Reported-by: Arnd Bergmann
+ Acked-by: Song Liu
+ Tested-by: Arnd Bergmann
+ Link: https://patch.msgid.link/0bd3ae9a53c3d743417fe842b740a7720e2bcd1c.1770058775.git.jpoimboe@kernel.org
+ Signed-off-by: Josh Poimboeuf
+
+Signed-off-by: Yannick Cote
+
+diff --git a/tools/objtool/check.c b/tools/objtool/check.c
+index 55072399820d..e63670bab6c2 100644
+--- a/tools/objtool/check.c
++++ b/tools/objtool/check.c
+@@ -683,7 +683,7 @@ static int create_static_call_sections(struct objtool_file *file)
+
+ key_sym = find_symbol_by_name(file->elf, tmp);
+ if (!key_sym) {
+- if (!opts.module || file->klp) {
++ if (!opts.module) {
+ ERROR("static_call: can't find static_call_key symbol: %s", tmp);
+ return -1;
+ }
+--
+2.50.1 (Apple Git-155)
+
diff --git a/1365-rbd-eliminate-a-race-in-lock-dwork-draining-on-unmap.patch b/1365-rbd-eliminate-a-race-in-lock-dwork-draining-on-unmap.patch
new file mode 100644
index 000000000..330080775
--- /dev/null
+++ b/1365-rbd-eliminate-a-race-in-lock-dwork-draining-on-unmap.patch
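Review bot: Relaxing the condition to `if (!opts.module)` means a livepatch module built with klp-build also no longer fails when a static call key cannot be resolved, which was the guarantee the removed `file->klp` term existed to give; the hunk carries no signal that would distinguish the two build modes, so if that guarantee still matters it has to be enforced elsewhere. A comment on the condition, `/* Modules (livepatch included) may take read-only references to unexported keys; only a vmlinux build must resolve them here. */`, would explain why the module path is allowed to fall through. create_static_call_sections() starts and continues outside the hunk.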
@@ -0,0 +1,109 @@
+From 60728887dfafe77e619af7c32215ceccf1d342e3 Mon Sep 17 00:00:00 2001
+From: CKI Backport Bot
+Date: Thu, 28 May 2026 19:29:37 +0000
+Subject: [PATCH] rbd: eliminate a race in lock_dwork draining on unmap
+
+JIRA: https://redhat.atlassian.net/browse/RHEL-180187
+Backported from tree(s): linux
+
+commit 9fc75b71fdd38465c76c6f6a884cdd4ae3c72d90
+Author: Ilya Dryomov
+Date: Tue May 19 23:07:26 2026 +0200
+
+ rbd: eliminate a race in lock_dwork draining on unmap
+
+ Given how rbd_lock_add_request() and rbd_img_exclusive_lock() are
+ written, lock_dwork may be (re)queued more than it's actually needed:
+ for example in case a new I/O request comes in while we are in the
+ middle of rbd_acquire_lock() on behalf of another I/O request. This is
+ expected and with rbd_release_lock() preemptively canceling lock_dwork
+ is benign under normal operation.
+
+ A more problematic example is maybe_kick_acquire():
+
+ if (have_requests || delayed_work_pending(&rbd_dev->lock_dwork)) {
+ dout("%s rbd_dev %p kicking lock_dwork\n", __func__, rbd_dev);
+ mod_delayed_work(rbd_dev->task_wq, &rbd_dev->lock_dwork, 0);
+ }
+
+ It's not unrealistic for lock_dwork to get canceled right after
+ delayed_work_pending() returns true and for mod_delayed_work() to
+ requeue it right there anyway. This is a classic TOCTOU race.
+
+ When it comes to unmapping the image, there is an implicit assumption
+ of no self-initiated exclusive lock activity past the point of return
+ from rbd_dev_image_unlock() which unlocks the lock if it happens to be
+ held. This unlock is assumed to be final and lock_dwork (as well as
+ all other exclusive lock tasks, really) isn't expected to get queued
+ again. However, lock_dwork is canceled only in cancel_tasks_sync()
+ (i.e. later in the unmap sequence) and on top of that the cancellation
+ can get in effect nullified by maybe_kick_acquire(). This may result
+ in rbd_acquire_lock() executing after rbd_dev_device_release() and
+ rbd_dev_image_release() run and free and/or reset a bunch of things.
+ One of the possible failure modes then is a violated
+
+ rbd_assert(rbd_image_format_valid(rbd_dev->image_format));
+
+ in rbd_dev_header_info() which is called via rbd_dev_refresh() from
+ rbd_post_acquire_action().
+
+ Redo exclusive lock task draining to provide saner semantics and try
+ to meet the assumptions around rbd_dev_image_unlock().
+
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Ilya Dryomov
+ Reviewed-by: Viacheslav Dubeyko
+
+Signed-off-by: CKI Backport Bot
+
+diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
+index af0e21149dbc..6e57a51a71eb 100644
+--- a/drivers/block/rbd.c
++++ b/drivers/block/rbd.c
+@@ -4547,24 +4547,12 @@ static int rbd_register_watch(struct rbd_device *rbd_dev)
+ return ret;
+ }
+
+-static void cancel_tasks_sync(struct rbd_device *rbd_dev)
+-{
+- dout("%s rbd_dev %p\n", __func__, rbd_dev);
+-
+- cancel_work_sync(&rbd_dev->acquired_lock_work);
+- cancel_work_sync(&rbd_dev->released_lock_work);
+- cancel_delayed_work_sync(&rbd_dev->lock_dwork);
+- cancel_work_sync(&rbd_dev->unlock_work);
+-}
+-
+ /*
+ * header_rwsem must not be held to avoid a deadlock with
+ * rbd_dev_refresh() when flushing notifies.
+ */
+ static void rbd_unregister_watch(struct rbd_device *rbd_dev)
+ {
+- cancel_tasks_sync(rbd_dev);
+-
+ mutex_lock(&rbd_dev->watch_mutex);
+ if (rbd_dev->watch_state == RBD_WATCH_STATE_REGISTERED)
+ __rbd_unregister_watch(rbd_dev);
+@@ -6539,10 +6527,18 @@ static int rbd_add_parse_args(const char *buf,
+
+ static void rbd_dev_image_unlock(struct rbd_device *rbd_dev)
+ {
++ dout("%s rbd_dev %p\n", __func__, rbd_dev);
++
++ disable_delayed_work_sync(&rbd_dev->lock_dwork);
++ disable_work_sync(&rbd_dev->unlock_work);
++
+ down_write(&rbd_dev->lock_rwsem);
+ if (__rbd_is_lock_owner(rbd_dev))
+ __rbd_release_lock(rbd_dev);
+ up_write(&rbd_dev->lock_rwsem);
++
++ flush_work(&rbd_dev->acquired_lock_work);
++ flush_work(&rbd_dev->released_lock_work);
+ }
+
+ /*
+--
+2.50.1 (Apple Git-155)
+
diff --git a/1366-ibmveth-disable-gso-for-packets-with-small-mss.patch b/1366-ibmveth-disable-gso-for-packets-with-small-mss.patch
new file mode 100644
index 000000000..1e2a46218
--- /dev/null
+++ b/1366-ibmveth-disable-gso-for-packets-with-small-mss.patch
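Review bot: `disable_delayed_work_sync()` and `disable_work_sync()` in rbd_dev_image_unlock() have no matching enable, so after this call lock_dwork and unlock_work can never run again; that is correct only if rbd_dev_image_unlock() is reached solely on teardown paths, which the hunk does not show. acquired_lock_work and released_lock_work are only flushed, so a peer notification arriving after the flush can still queue them until the watch is unregistered; presumably that is harmless because the mod_delayed_work() in maybe_kick_acquire() cannot re-arm a disabled lock_dwork, but neither assumption is written down. A comment above the disables, `/* Final for this mapping: lock_dwork/unlock_work stay disabled; acquired/released work may still be queued by notifies but can no longer re-arm lock_dwork. */`, would record both.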
@@ -0,0 +1,107 @@
+From b38e69cdb077b6213147efc33e96ff2e15b5a947 Mon Sep 17 00:00:00 2001
+From: Mamatha Inamdar
+Date: Fri, 15 May 2026 06:11:36 -0400
+Subject: [PATCH] ibmveth: Disable GSO for packets with small MSS
+
+JIRA: https://issues.redhat.com/browse/RHEL-175521
+
+commit cc427d24ac6442ffdeafd157a63c7c5b73ed4de4
+Author: Mingming Cao
+Date: Fri Apr 24 09:29:17 2026 -0700
+
+ ibmveth: Disable GSO for packets with small MSS
+
+ Some physical adapters on Power systems do not support segmentation
+ offload when the MSS is less than 224 bytes. Attempting to send such
+ packets causes the adapter to freeze, stopping all traffic until
+ manually reset.
+
+ Implement ndo_features_check to disable GSO for packets with small MSS
+ values. The network stack will perform software segmentation instead.
+
+ The 224-byte minimum matches ibmvnic
+ commit ("ibmvnic: Enforce stronger sanity checks
+ on GSO packets")
+ which uses the same physical adapters in SEA configurations.
+
+ The issue occurs specifically when the hardware attempts to perform
+ segmentation (gso_segs > 1) with a small MSS. Single-segment GSO packets
+ (gso_segs == 1) do not trigger the problematic LSO code path and are
+ transmitted normally without segmentation.
+
+ Add an ndo_features_check callback to disable GSO when MSS < 224 bytes.
+ Also call vlan_features_check() to ensure proper handling of VLAN packets,
+ particularly QinQ (802.1ad) configurations where the hardware parser may
+ not support certain offload features.
+
+ Validated using iptables to force small MSS values. Without the fix,
+ the adapter freezes. With the fix, packets are segmented in software
+ and transmission succeeds. Comprehensive regression testing completedd
+ (MSS tests, performance, stability).
+
+ Fixes: 8641dd85799f ("ibmveth: Add support for TSO")
+ Cc: stable@vger.kernel.org
+ Reviewed-by: Brian King
+ Tested-by: Shaik Abdulla
+ Tested-by: Naveed Ahmed
+ Signed-off-by: Mingming Cao
+ Link: https://patch.msgid.link/20260424162917.65725-1-mmc@linux.ibm.com
+ Signed-off-by: Jakub Kicinski
+
+Signed-off-by: Mamatha Inamdar
+
+diff --git a/drivers/net/ethernet/ibm/ibmveth.c b/drivers/net/ethernet/ibm/ibmveth.c
+index 7f94e84d0955..02a95cf57bd0 100644
+--- a/drivers/net/ethernet/ibm/ibmveth.c
++++ b/drivers/net/ethernet/ibm/ibmveth.c
+@@ -1756,6 +1756,27 @@ static int ibmveth_set_mac_addr(struct net_device *dev, void *p)
+ return 0;
+ }
+
++static netdev_features_t ibmveth_features_check(struct sk_buff *skb,
++ struct net_device *dev,
++ netdev_features_t features)
++{
++ /* Some physical adapters do not support segmentation offload with
++ * MSS < 224. Disable GSO for such packets to avoid adapter freeze.
++ * Note: Single-segment packets (gso_segs == 1) don't need this check
++ * as they bypass the LSO path and are transmitted without segmentation.
++ */
++ if (skb_is_gso(skb)) {
++ if (skb_shinfo(skb)->gso_size < IBMVETH_MIN_LSO_MSS) {
++ netdev_warn_once(dev,
++ "MSS %u too small for LSO, disabling GSO\n",
++ skb_shinfo(skb)->gso_size);
++ features &= ~NETIF_F_GSO_MASK;
++ }
++ }
++
++ return vlan_features_check(skb, features);
++}
++
+ static const struct net_device_ops ibmveth_netdev_ops = {
+ .ndo_open = ibmveth_open,
+ .ndo_stop = ibmveth_close,
+@@ -1767,6 +1788,7 @@ static const struct net_device_ops ibmveth_netdev_ops = {
+ .ndo_set_features = ibmveth_set_features,
+ .ndo_validate_addr = eth_validate_addr,
+ .ndo_set_mac_address = ibmveth_set_mac_addr,
++ .ndo_features_check = ibmveth_features_check,
+ #ifdef CONFIG_NET_POLL_CONTROLLER
+ .ndo_poll_controller = ibmveth_poll_controller,
+ #endif
+diff --git a/drivers/net/ethernet/ibm/ibmveth.h b/drivers/net/ethernet/ibm/ibmveth.h
+index dc8aae1309f8..059ca498b2d0 100644
+--- a/drivers/net/ethernet/ibm/ibmveth.h
++++ b/drivers/net/ethernet/ibm/ibmveth.h
+@@ -37,6 +37,7 @@
+ #define IBMVETH_ILLAN_IPV4_TCP_CSUM 0x0000000000000002UL
+ #define IBMVETH_ILLAN_ACTIVE_TRUNK 0x0000000000000001UL
+
++#define IBMVETH_MIN_LSO_MSS 224 /* Minimum MSS for LSO */
+ /* hcall macros */
+ #define h_register_logical_lan(ua, buflst, rxq, fltlst, mac) \
+ plpar_hcall_norets(H_REGISTER_LOGICAL_LAN, ua, buflst, rxq, fltlst, mac)
+--
+2.50.1 (Apple Git-155)
+
diff --git a/1367-s390-mm-add-missing-secure-storage-access-fixups-for-donated.patch b/1367-s390-mm-add-missing-secure-storage-access-fixups-for-donated.patch
new file mode 100644
index 000000000..07060249a
--- /dev/null
+++ b/1367-s390-mm-add-missing-secure-storage-access-fixups-for-donated.patch
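Review bot: The comment in ibmveth_features_check() says single-segment packets (gso_segs == 1) "don't need this check", but the condition only looks at `gso_size`, so those packets also lose GSO when their MSS is small; that is harmless (the stack emits one segment) but the comment reads as if they were excluded. Either say so explicitly, e.g. `* Single-segment GSO packets take the same path; software GSO of one segment is harmless.`, or gate on gso_segs if that field is reliably populated for every skb reaching ndo_features_check, which I cannot confirm from the hunk. In the header hunk, `IBMVETH_MIN_LSO_MSS` is placed directly against the `/* hcall macros */` comment with no separating blank line.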
@@ -0,0 +1,69 @@
+From 9f9e1223ef56442c1767dfd2ae175a74d8b7d20a Mon Sep 17 00:00:00 2001
+From: Mete Durlu
+Date: Thu, 16 Apr 2026 18:13:59 +0200
+Subject: [PATCH] s390/mm: Add missing secure storage access fixups for donated
+ memory
+
+JIRA: https://redhat.atlassian.net/browse/RHEL-168792
+Conflicts: Minor change when accessing folio flags which
+were made a struct in 6.18 but are still an integer in 6.12
+
+commit b00be77302d7ec4ad0367bb236494fce7172b730
+Author: Janosch Frank
+Date: Wed Mar 4 10:18:37 2026 +0000
+
+ s390/mm: Add missing secure storage access fixups for donated memory
+
+ There are special cases where secure storage access exceptions happen
+ in a kernel context for pages that don't have the PG_arch_1 bit
+ set. That bit is set for non-exported guest secure storage (memory)
+ but is absent on storage donated to the Ultravisor since the kernel
+ isn't allowed to export donated pages.
+
+ Prior to this patch we would try to export the page by calling
+ arch_make_folio_accessible() which would instantly return since the
+ arch bit is absent signifying that the page was already exported and
+ no further action is necessary. This leads to secure storage access
+ exception loops which can never be resolved.
+
+ With this patch we unconditionally try to export and if that fails we
+ fixup.
+
+ Fixes: 084ea4d611a3 ("s390/mm: add (non)secure page access exceptions handlers")
+ Reported-by: Heiko Carstens
+ Suggested-by: Heiko Carstens
+ Reviewed-by: Claudio Imbrenda
+ Tested-by: Christian Borntraeger
+ Signed-off-by: Janosch Frank
+ Signed-off-by: Christian Borntraeger
+
+Signed-off-by: Janosch Frank
+Signed-off-by: Mete Durlu
+
+diff --git a/arch/s390/mm/fault.c b/arch/s390/mm/fault.c
+index d0cfbc4bdfd7..7dd16ff7efd0 100644
+--- a/arch/s390/mm/fault.c
++++ b/arch/s390/mm/fault.c
+@@ -428,10 +428,17 @@ void do_secure_storage_access(struct pt_regs *regs)
+ folio = phys_to_folio(addr);
+ if (unlikely(!folio_try_get(folio)))
+ return;
+- rc = arch_make_folio_accessible(folio);
++ rc = uv_convert_from_secure(folio_to_phys(folio));
++ if (!rc)
++ clear_bit(PG_arch_1, &folio->flags);
+ folio_put(folio);
++ /*
++ * There are some valid fixup types for kernel
++ * accesses to donated secure memory. zeropad is one
++ * of them.
++ */
+ if (rc)
+- BUG();
++ return handle_fault_error_nolock(regs, 0);
+ } else {
+ mm = current->mm;
+ mmap_read_lock(mm);
+--
+2.50.1 (Apple Git-155)
+
diff --git a/1368-mptcp-fix-slab-use-after-free-in-inet-lookup-established.patch b/1368-mptcp-fix-slab-use-after-free-in-inet-lookup-established.patch
new file mode 100644
index 000000000..39552a6df
--- /dev/null
+++ b/1368-mptcp-fix-slab-use-after-free-in-inet-lookup-established.patch
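Review bot: `return handle_fault_error_nolock(regs, 0);` returns the value of a call from do_secure_storage_access(), which the hunk header shows is `void`; if handle_fault_error_nolock() is void as well (presumably, given the BUG() it replaces), that is a constraint violation in ISO C that gcc only reports under -Wpedantic. `handle_fault_error_nolock(regs, 0); return;` is the strictly conforming spelling and reads the same. The Conflicts note already explains the `&folio->flags` form for this tree, so nothing further is needed there. do_secure_storage_access() starts and continues outside the hunk.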
@@ -0,0 +1,103 @@
+From eb9c6aeb512f877cf397deb1e4526f646c70e4a7 Mon Sep 17 00:00:00 2001
+From: Jiayuan Chen
+Date: Mon, 6 Apr 2026 11:15:10 +0800
+Subject: [PATCH] mptcp: fix slab-use-after-free in __inet_lookup_established
+
+commit 9b55b253907e7431210483519c5ad711a37dafa1 upstream.
+
+The ehash table lookups are lockless and rely on
+SLAB_TYPESAFE_BY_RCU to guarantee socket memory stability
+during RCU read-side critical sections. Both tcp_prot and
+tcpv6_prot have their slab caches created with this flag
+via proto_register().
+
+However, MPTCP's mptcp_subflow_init() copies tcpv6_prot into
+tcpv6_prot_override during inet_init() (fs_initcall, level 5),
+before inet6_init() (module_init/device_initcall, level 6) has
+called proto_register(&tcpv6_prot). At that point,
+tcpv6_prot.slab is still NULL, so tcpv6_prot_override.slab
+remains NULL permanently.
+
+This causes MPTCP v6 subflow child sockets to be allocated via
+kmalloc (falling into kmalloc-4k) instead of the TCPv6 slab
+cache. The kmalloc-4k cache lacks SLAB_TYPESAFE_BY_RCU, so
+when these sockets are freed without SOCK_RCU_FREE (which is
+cleared for child sockets by design), the memory can be
+immediately reused. Concurrent ehash lookups under
+rcu_read_lock can then access freed memory, triggering a
+slab-use-after-free in __inet_lookup_established.
+
+Fix this by splitting the IPv6-specific initialization out of
+mptcp_subflow_init() into a new mptcp_subflow_v6_init(), called
+from mptcp_proto_v6_init() before protocol registration. This
+ensures tcpv6_prot_override.slab correctly inherits the
+SLAB_TYPESAFE_BY_RCU slab cache.
+
+Fixes: b19bc2945b40 ("mptcp: implement delegated actions")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jiayuan Chen
+Reviewed-by: Matthieu Baerts (NGI0)
+Link: https://patch.msgid.link/20260406031512.189159-1-jiayuan.chen@linux.dev
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+
+diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
+index e682d52a06b7..1a223af18907 100644
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -4338,6 +4338,8 @@ int __init mptcp_proto_v6_init(void)
+ {
+ int err;
+
++ mptcp_subflow_v6_init();
++
+ mptcp_v6_prot = mptcp_prot;
+ strscpy(mptcp_v6_prot.name, "MPTCPv6", sizeof(mptcp_v6_prot.name));
+ mptcp_v6_prot.slab = NULL;
+diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h
+index 669991bbae75..391a8026cb48 100644
+--- a/net/mptcp/protocol.h
++++ b/net/mptcp/protocol.h
+@@ -821,6 +821,7 @@ static inline void mptcp_subflow_tcp_fallback(struct sock *sk,
+ void __init mptcp_proto_init(void);
+ #if IS_ENABLED(CONFIG_MPTCP_IPV6)
+ int __init mptcp_proto_v6_init(void);
++void __init mptcp_subflow_v6_init(void);
+ #endif
+
+ struct sock *mptcp_sk_clone_init(const struct sock *sk,
+diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c
+index 1618483b05e8..0f70f5360c6b 100644
+--- a/net/mptcp/subflow.c
++++ b/net/mptcp/subflow.c
+@@ -2147,7 +2147,15 @@ void __init mptcp_subflow_init(void)
+ tcp_prot_override.psock_update_sk_prot = NULL;
+ #endif
+
++ mptcp_diag_subflow_init(&subflow_ulp_ops);
++
++ if (tcp_register_ulp(&subflow_ulp_ops) != 0)
++ panic("MPTCP: failed to register subflows to ULP\n");
++}
++
+ #if IS_ENABLED(CONFIG_MPTCP_IPV6)
++void __init mptcp_subflow_v6_init(void)
++{
+ /* In struct mptcp_subflow_request_sock, we assume the TCP request sock
+ * structures for v4 and v6 have the same size. It should not changed in
+ * the future but better to make sure to be warned if it is no longer
+@@ -2186,10 +2194,5 @@ void __init mptcp_subflow_init(void)
+ /* Disable sockmap processing for subflows */
+ tcpv6_prot_override.psock_update_sk_prot = NULL;
+ #endif
+-#endif
+-
+- mptcp_diag_subflow_init(&subflow_ulp_ops);
+-
+- if (tcp_register_ulp(&subflow_ulp_ops) != 0)
+- panic("MPTCP: failed to register subflows to ULP\n");
+ }
++#endif
+--
+2.50.1 (Apple Git-155)
+
diff --git a/1369-watchdog-wdat-wdt-fix-acpi-table-leak-in-probe-function.patch b/1369-watchdog-wdat-wdt-fix-acpi-table-leak-in-probe-function.patch
new file mode 100644
index 000000000..0d4a0eb3b
--- /dev/null
+++ b/1369-watchdog-wdat-wdt-fix-acpi-table-leak-in-probe-function.patch
@@ -0,0 +1,164 @@
+From 1bc19c992fa29f855aacbc998609799d0570889a Mon Sep 17 00:00:00 2001
+From: David Arcari
+Date: Tue, 7 Apr 2026 08:14:39 -0400
+Subject: [PATCH] watchdog: wdat_wdt: Fix ACPI table leak in probe function
+
+JIRA: https://issues.redhat.com/browse/RHEL-164699
+
+commit 25c0b472eab8379683d4eef681185c104bed8ffd
+Author: Haotian Zhang
+Date: Thu Nov 13 10:30:32 2025 +0800
+
+ watchdog: wdat_wdt: Fix ACPI table leak in probe function
+
+ wdat_wdt_probe() calls acpi_get_table() to obtain the WDAT ACPI table but
+ never calls acpi_put_table() on any paths. This causes a permanent ACPI
+ table memory leak.
+
+ Add a single cleanup path which calls acpi_put_table() to ensure
+ the ACPI table is always released.
+
+ Fixes: 058dfc767008 ("ACPI / watchdog: Add support for WDAT hardware watchdog")
+ Suggested-by: Guenter Roeck
+ Signed-off-by: Haotian Zhang
+ Reviewed-by: Guenter Roeck
+ Signed-off-by: Guenter Roeck
+ 
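Review bot: mptcp_subflow_v6_init() is correct only if it runs after proto_register(&tcpv6_prot) has filled in `tcpv6_prot.slab`, because the copy into tcpv6_prot_override in the unchanged stretch between the two subflow.c hunks captures whatever is there at the time; the new call at the top of mptcp_proto_v6_init() satisfies that per the description, but nothing in the function itself states the ordering, so a later reorder could silently reintroduce the bug. A header comment on mptcp_subflow_v6_init(), `/* Must run after proto_register(&tcpv6_prot): tcpv6_prot_override inherits its SLAB_TYPESAFE_BY_RCU slab here. */`, would pin it. The body of mptcp_subflow_v6_init() between the two hunks is not shown.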
Signed-off-by: Wim Van Sebroeck
+
+(cherry picked from commit 25c0b472eab8379683d4eef681185c104bed8ffd)
+Assisted-by: Patchpal
+Signed-off-by: David Arcari
+
+diff --git a/drivers/watchdog/wdat_wdt.c b/drivers/watchdog/wdat_wdt.c
+index 650fdc7996e1..dd3c2d69c9df 100644
+--- a/drivers/watchdog/wdat_wdt.c
++++ b/drivers/watchdog/wdat_wdt.c
+@@ -326,19 +326,27 @@ static int wdat_wdt_probe(struct platform_device *pdev)
+ return -ENODEV;
+
+ wdat = devm_kzalloc(dev, sizeof(*wdat), GFP_KERNEL);
+- if (!wdat)
+- return -ENOMEM;
++ if (!wdat) {
++ ret = -ENOMEM;
++ goto out_put_table;
++ }
+
+ regs = devm_kcalloc(dev, pdev->num_resources, sizeof(*regs),
+ GFP_KERNEL);
+- if (!regs)
+- return -ENOMEM;
++ if (!regs) {
++ ret = -ENOMEM;
++ goto out_put_table;
++ }
+
+ /* WDAT specification wants to have >= 1ms period */
+- if (tbl->timer_period < 1)
+- return -EINVAL;
+- if (tbl->min_count > tbl->max_count)
+- return -EINVAL;
++ if (tbl->timer_period < 1) {
++ ret = -EINVAL;
++ goto out_put_table;
++ }
++ if (tbl->min_count > tbl->max_count) {
++ ret = -EINVAL;
++ goto out_put_table;
++ }
+
+ wdat->period = tbl->timer_period;
+ wdat->wdd.min_timeout = DIV_ROUND_UP(wdat->period * tbl->min_count, 1000);
+@@ -355,15 +363,20 @@ static int wdat_wdt_probe(struct platform_device *pdev)
+ res = &pdev->resource[i];
+ if (resource_type(res) == IORESOURCE_MEM) {
+ reg = devm_ioremap_resource(dev, res);
+- if (IS_ERR(reg))
+- return PTR_ERR(reg);
++ if (IS_ERR(reg)) {
++ ret = PTR_ERR(reg);
++ goto out_put_table;
++ }
+ } else if (resource_type(res) == IORESOURCE_IO) {
+ reg = devm_ioport_map(dev, res->start, 1);
+- if (!reg)
+- return -ENOMEM;
++ if (!reg) {
++ ret = -ENOMEM;
++ goto out_put_table;
++ }
+ } else {
+ dev_err(dev, "Unsupported resource\n");
+- return -EINVAL;
++ ret = -EINVAL;
++ goto out_put_table;
+ }
+
+ regs[i] = reg;
+@@ -385,8 +398,10 @@ static int wdat_wdt_probe(struct platform_device *pdev)
+ }
+
+ instr = devm_kzalloc(dev, sizeof(*instr), GFP_KERNEL);
+- if (!instr)
+- return -ENOMEM;
++ if (!instr) {
++ ret = -ENOMEM;
++ goto out_put_table;
++ }
+
+ INIT_LIST_HEAD(&instr->node);
+ instr->entry = entries[i];
+@@ -417,7 +432,8 @@ static int wdat_wdt_probe(struct platform_device *pdev)
+
+ if (!instr->reg) {
+ dev_err(dev, "I/O resource not found\n");
+- return -EINVAL;
++ ret = -EINVAL;
++ goto out_put_table;
+ }
+
+ instructions = wdat->instructions[action];
+@@ -425,8 +441,10 @@ static int wdat_wdt_probe(struct platform_device *pdev)
+ instructions = devm_kzalloc(dev,
+ sizeof(*instructions),
+ GFP_KERNEL);
+- if (!instructions)
+- return -ENOMEM;
++ if (!instructions) {
++ ret = -ENOMEM;
++ goto out_put_table;
++ }
+
+ INIT_LIST_HEAD(instructions);
+ wdat->instructions[action] = instructions;
+@@ -443,7 +461,7 @@ static int wdat_wdt_probe(struct platform_device *pdev)
+
+ ret = wdat_wdt_enable_reboot(wdat);
+ if (ret)
+- return ret;
++ goto out_put_table;
+
+ platform_set_drvdata(pdev, wdat);
+
+@@ -460,12 +478,16 @@ static int wdat_wdt_probe(struct platform_device *pdev)
+
+ ret = wdat_wdt_set_timeout(&wdat->wdd, timeout);
+ if (ret)
+- return ret;
++ goto out_put_table;
+
+ watchdog_set_nowayout(&wdat->wdd, nowayout);
+ watchdog_stop_on_reboot(&wdat->wdd);
+ watchdog_stop_on_unregister(&wdat->wdd);
+- return devm_watchdog_register_device(dev, &wdat->wdd);
++ ret = devm_watchdog_register_device(dev, &wdat->wdd);
++
++out_put_table:
++ acpi_put_table((struct acpi_table_header *)tbl);
++ return ret;
+ }
+
+ static int wdat_wdt_suspend_noirq(struct device *dev)
+--
+2.50.1 (Apple Git-155)
+
diff --git a/1370-net-mana-fix-use-after-free-in-add-adev-error-path.patch b/1370-net-mana-fix-use-after-free-in-add-adev-error-path.patch
new file mode 100644
index 000000000..8c265a91b
--- /dev/null
+++ b/1370-net-mana-fix-use-after-free-in-add-adev-error-path.patch
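Review bot: Once `acpi_put_table()` runs at out_put_table the WDAT table may be unmapped, so nothing reachable from `wdat` may keep a pointer into it; the hunks show `wdat->period = tbl->timer_period` copied by value and `instr->entry = entries[i]`, which is only safe if that is a struct copy rather than a pointer into the table (presumably so, but not visible here). A comment at the label, `/* tbl must not be referenced past this point; every consumer copied what it needs */`, makes the invariant explicit for future additions. The early `return -ENODEV` at the top of the first hunk presumably sits on the acpi_get_table() failure path just above, where no table is held, so bypassing the label there is correct. wdat_wdt_probe() starts outside the first hunk.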
@@ -0,0 +1,59 @@
+From 43f5b19fd190fea20d052bc84741b28031d5baa9 Mon Sep 17 00:00:00 2001
+From: Guangshuo Li
+Date: Tue, 31 Mar 2026 13:09:32 -0400
+Subject: [PATCH] net: mana: fix use-after-free in add_adev() error path
+
+[ Upstream commit c4ea7d8907cf72b259bf70bd8c2e791e1c4ff70f ]
+
+If auxiliary_device_add() fails, add_adev() jumps to add_fail and calls
+auxiliary_device_uninit(adev).
+
+The auxiliary device has its release callback set to adev_release(),
+which frees the containing struct mana_adev. Since adev is embedded in
+struct mana_adev, the subsequent fall-through to init_fail and access
+to adev->id may result in a use-after-free.
+
+Fix this by saving the allocated auxiliary device id in a local
+variable before calling auxiliary_device_add(), and use that saved id
+in the cleanup path after auxiliary_device_uninit().
+
+Fixes: a69839d4327d ("net: mana: Add support for auxiliary device")
+Cc: stable@vger.kernel.org
+Reviewed-by: Long Li
+Signed-off-by: Guangshuo Li
+Link: https://patch.msgid.link/20260323165730.945365-1-lgs201920130244@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+
+diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c b/drivers/net/ethernet/microsoft/mana/mana_en.c
+index 396b5f1..5276e2d 100644
+--- a/drivers/net/ethernet/microsoft/mana/mana_en.c
++++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
+@@ -3355,6 +3355,7 @@ static int add_adev(struct gdma_dev *gd, const char *name)
+ struct auxiliary_device *adev;
+ struct mana_adev *madev;
+ int ret;
++ int id;
+
+ madev = kzalloc(sizeof(*madev), GFP_KERNEL);
+ if (!madev)
+@@ -3364,7 +3365,8 @@ static int add_adev(struct gdma_dev *gd, const char *name)
+ ret = mana_adev_idx_alloc();
+ if (ret < 0)
+ goto idx_fail;
+- adev->id = ret;
++ id = ret;
++ adev->id = id;
+
+ adev->name = name;
+ adev->dev.parent = gd->gdma_context->dev;
+@@ -3390,7 +3392,7 @@ add_fail:
+ auxiliary_device_uninit(adev);
+
+ init_fail:
+- mana_adev_idx_free(adev->id);
++ mana_adev_idx_free(id);
+
+ idx_fail:
+ kfree(madev);
diff --git a/1371-crypto-caam-fix-overflow-on-long-hmac-keys.patch b/1371-crypto-caam-fix-overflow-on-long-hmac-keys.patch
new file mode 100644
index 000000000..945ea8408
--- /dev/null
+++ b/1371-crypto-caam-fix-overflow-on-long-hmac-keys.patch
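Review bot: Saving `id` fixes the adev->id read, but the same fall-through still reaches `kfree(madev)` at idx_fail after auxiliary_device_uninit() has dropped the device and, per the description, run adev_release() which frees the containing struct mana_adev; unless the stretch between the second and third hunks clears `madev` once ownership passes to the auxiliary device (upstream does `madev = NULL;` right after a successful auxiliary_device_init(), as far as I recall), that path is still a double free. Please confirm this tree has that assignment, or add it next to the auxiliary_device_init() call. add_adev() continues outside the hunks.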
@@ -0,0 +1,43 @@
+From c2fb4984fe09fc176fe4c12d5e3edf626df6511d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Horia=20Geant=C4=83?=
+Date: Tue, 17 Mar 2026 12:25:14 +0200
+Subject: [PATCH] crypto: caam - fix overflow on long hmac keys
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 80688afb9c35b3934ce2d6be9973758915e2e0ef ]
+
+When a key longer than block size is supplied, it is copied and then
+hashed into the real key. The memory allocated for the copy needs to
+be rounded to DMA cache alignment, as otherwise the hashed key may
+corrupt neighbouring memory.
+
+The copying is performed using kmemdup, however this leads to an overflow:
+reading more bytes (aligned_len - keylen) from the keylen source buffer.
+Fix this by replacing kmemdup with kmalloc, followed by memcpy.
+
+Fixes: 199354d7fb6e ("crypto: caam - Remove GFP_DMA and add DMA alignment padding")
+Signed-off-by: Horia Geantă
+Signed-off-by: Herbert Xu
+Signed-off-by: Sasha Levin
+
+diff --git a/drivers/crypto/caam/caamalg_qi2.c b/drivers/crypto/caam/caamalg_qi2.c
+index ece9f1e5a689..9ef8ee77c52a 100644
+--- a/drivers/crypto/caam/caamalg_qi2.c
++++ b/drivers/crypto/caam/caamalg_qi2.c
+@@ -3325,9 +3325,10 @@ static int ahash_setkey(struct crypto_ahash *ahash, const u8 *key,
+ if (aligned_len < keylen)
+ return -EOVERFLOW;
+
+- hashed_key = kmemdup(key, aligned_len, GFP_KERNEL);
++ hashed_key = kmalloc(aligned_len, GFP_KERNEL);
+ if (!hashed_key)
+ return -ENOMEM;
++ memcpy(hashed_key, key, keylen);
+ ret = hash_digest_key(ctx, &keylen, hashed_key, digestsize);
+ if (ret)
+ goto bad_free_key;
+--
+2.50.1 (Apple Git-155)
+
diff --git a/1372-exit-prevent-preemption-of-oopsing-task-dead-task.patch b/1372-exit-prevent-preemption-of-oopsing-task-dead-task.patch
new file mode 100644
index 000000000..79882282e
--- /dev/null
+++ b/1372-exit-prevent-preemption-of-oopsing-task-dead-task.patch
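Review bot: `memcpy(hashed_key, key, keylen)` leaves the `aligned_len - keylen` tail of the buffer uninitialized, which is fine as long as hash_digest_key() consumes only `keylen` bytes (it is handed `&keylen`) and the extra length exists purely for DMA alignment, as the description states; a short comment on the kmalloc line, `/* padding beyond keylen is for DMA alignment only and is never read */`, would stop a future reader from "fixing" it with kzalloc for no reason. Since hashed_key holds key material, the release at bad_free_key (outside the hunk) should be `kfree_sensitive(hashed_key)` rather than plain kfree(); worth confirming. ahash_setkey() starts and continues outside the hunk.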
@@ -0,0 +1,59 @@ +From e3a2695b21d64968b1ef7a928f88e2262ac2fb9b Mon Sep 17 00:00:00 2001 +From: CKI Backport Bot +Date: Thu, 28 May 2026 15:09:40 +0000 +Subject: [PATCH] exit: prevent preemption of oopsing TASK_DEAD task + +JIRA: https://redhat.atlassian.net/browse/RHEL-180014 +CVE: CVE-2026-46173 +Backported from tree(s): linux + +commit c1fa0bb633e4a6b11e83ffc57fa5abe8ebb87891 +Author: Jann Horn +Date: Mon May 11 08:55:11 2026 -0700 + + exit: prevent preemption of oopsing TASK_DEAD task + + When an already-exiting task oopses, make_task_dead() currently calls + do_task_dead() with preemption enabled. That is forbidden: + do_task_dead() calls __schedule(), which has a comment saying "WARNING: + must be called with preemption disabled!". + + If an oopsing task is preempted in do_task_dead(), between becoming + TASK_DEAD and entering the scheduler explicitly, bad things happen: + finish_task_switch() assumes that once the scheduler has switched away + from a TASK_DEAD task, the task can never run again and its stack is no + longer needed; but that assumption apparently doesn't hold if the dead + task was preempted (the SM_PREEMPT case). + + This means that the scheduler ends up repeatedly dropping references on + the dead task's stack, which can lead to use-after-free or double-free + of the entire task stack; in other words, two tasks can end up running + on the same stack, resulting in various kinds of memory corruption. + + (This does not just affect "recursively oopsing" tasks; it is enough to + oops once during task exit, for example in a file_operations::release + handler) + + Fixes: 7f80a2fd7db9 ("exit: Stop poorly open coding do_task_dead in make_task_dead") + Cc: stable@kernel.org + Signed-off-by: Jann Horn + Acked-by: Peter Zijlstra + 
Signed-off-by: Linus Torvalds + +Signed-off-by: CKI Backport Bot + +diff --git a/kernel/exit.c b/kernel/exit.c +index a310ea845726..4ccfdf5e2964 100644 +--- a/kernel/exit.c ++++ b/kernel/exit.c +@@ -1048,6 +1048,7 @@ void __noreturn make_task_dead(int signr) + futex_exit_recursive(tsk); + tsk->exit_state = EXIT_DEAD; + refcount_inc(&tsk->rcu_users); ++ preempt_disable(); + do_task_dead(); + } + +-- +2.50.1 (Apple Git-155) + diff --git a/1373-net-sched-fix-pedit-partial-cow-leading-to-page-cache-corrup.patch b/1373-net-sched-fix-pedit-partial-cow-leading-to-page-cache-corrup.patch new file mode 100644 index 000000000..cd363b591 --- /dev/null +++ b/1373-net-sched-fix-pedit-partial-cow-leading-to-page-cache-corrup.patch 
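Review bot: The added `preempt_disable();` in make_task_dead() carries no comment, and because nothing in the function re-enables preemption it reads as a stray call to anyone who has not read this commit message. A two-line comment above it, `/* do_task_dead() calls __schedule(), which must not be preempted: a preempted TASK_DEAD task can have its stack freed while still running. */`, keeps the reasoning from the log next to the code and makes clear the call is intentionally unbalanced because do_task_dead() does not return. The regular do_exit() path presumably performs the same preempt_disable() before its own do_task_dead() call; it is worth checking that ordering in this tree so the two exit paths stay consistent. make_task_dead() starts before the hunk.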
@@ -0,0 +1,220 @@ +From 2bec122b9fb91507a758ab5e3e5c4fbe7cb3f61b Mon Sep 17 00:00:00 2001 +From: Rajat Gupta +Date: Sun, 31 May 2026 08:32:21 -0400 +Subject: [PATCH] net/sched: fix pedit partial COW leading to page cache + corruption +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 899ee91156e57784090c5565e4f31bd7dbffbc5a ] + +tcf_pedit_act() computes the COW range for skb_ensure_writable() +once before the key loop using tcfp_off_max_hint, but the hint does +not account for the runtime header offset added by typed keys. This +can leave part of the write region un-COW'd. + +Fix by moving skb_ensure_writable() inside the per-key loop where +the actual write offset is known, and add overflow checking on the +offset arithmetic. For negative offsets (e.g. Ethernet header edits +at ingress), use skb_cow() to COW the headroom instead. Guard +offset_valid() against INT_MIN, where negation is undefined. + +Fixes: 8b796475fd78 ("net/sched: act_pedit: really ensure the skb is writable") +Reported-by: Yiming Qian +Reported-by: Keenan Dong +Reported-by: Han Guidong <2045gemini@gmail.com> +Reported-by: Zhang Cen +Reviewed-by: Han Guidong <2045gemini@gmail.com> +Tested-by: Han Guidong <2045gemini@gmail.com> +Reviewed-by: Davide Caratti +Tested-by: Davide Caratti +Reviewed-by: Toke Høiland-Jørgensen +Tested-by: Toke Høiland-Jørgensen +Reviewed-by: Victor Nogueira +Tested-by: Victor Nogueira +Acked-by: Jamal Hadi Salim +Signed-off-by: Rajat Gupta +Link: https://patch.msgid.link/20260531123221.48732-1-jhs@mojatatu.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin + +diff --git a/include/net/tc_act/tc_pedit.h b/include/net/tc_act/tc_pedit.h +index 83fe399..a26d4cd 100644 +--- a/include/net/tc_act/tc_pedit.h ++++ b/include/net/tc_act/tc_pedit.h +@@ -14,7 +14,6 @@ struct tcf_pedit_key_ex { + struct tcf_pedit_parms { + struct tc_pedit_key *tcfp_keys; + struct tcf_pedit_key_ex *tcfp_keys_ex; +- u32 
tcfp_off_max_hint; + unsigned char tcfp_nkeys; + unsigned char tcfp_flags; + struct rcu_head rcu; +diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c +index fc0a35a..fad1d9c 100644 +--- a/net/sched/act_pedit.c ++++ b/net/sched/act_pedit.c +@@ -16,6 +16,8 @@ + #include + #include + #include ++#include ++#include + #include + #include + #include +@@ -242,7 +244,6 @@ static int tcf_pedit_init(struct net *net, struct nlattr *nla, + goto out_free_ex; + } + +- nparms->tcfp_off_max_hint = 0; + nparms->tcfp_flags = parm->flags; + nparms->tcfp_nkeys = parm->nkeys; + +@@ -268,14 +269,6 @@ static int tcf_pedit_init(struct net *net, struct nlattr *nla, + BITS_PER_TYPE(int) - 1, + nparms->tcfp_keys[i].shift); + +- /* The AT option can read a single byte, we can bound the actual +- * value with uchar max. +- */ +- cur += (0xff & offmask) >> nparms->tcfp_keys[i].shift; +- +- /* Each key touches 4 bytes starting from the computed offset */ +- nparms->tcfp_off_max_hint = +- max(nparms->tcfp_off_max_hint, cur + 4); + } + + p = to_pedit(*a); +@@ -318,15 +311,12 @@ static void tcf_pedit_cleanup(struct tc_action *a) + call_rcu(&parms->rcu, tcf_pedit_cleanup_rcu); + } + +-static bool offset_valid(struct sk_buff *skb, int offset) ++static bool offset_valid(struct sk_buff *skb, int offset, int len) + { +- if (offset > 0 && offset > skb->len) +- return false; +- +- if (offset < 0 && -offset > skb_headroom(skb)) ++ if (offset < -(int)skb_headroom(skb)) + return false; + +- return true; ++ return offset <= (int)skb->len - len; + } + + static int pedit_l4_skb_offset(struct sk_buff *skb, int *hoffset, const int header_type) +@@ -393,18 +383,10 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb, + struct tcf_pedit_key_ex *tkey_ex; + struct tcf_pedit_parms *parms; + struct tc_pedit_key *tkey; +- u32 max_offset; + int i; + + parms = rcu_dereference_bh(p->parms); + +- max_offset = (skb_transport_header_was_set(skb) ? 
+- skb_transport_offset(skb) : +- skb_network_offset(skb)) + +- parms->tcfp_off_max_hint; +- if (skb_ensure_writable(skb, min(skb->len, max_offset))) +- goto done; +- + tcf_lastuse_update(&p->tcf_tm); + tcf_action_update_bstats(&p->common, skb); + +@@ -412,10 +394,11 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb, + tkey_ex = parms->tcfp_keys_ex; + + for (i = parms->tcfp_nkeys; i > 0; i--, tkey++) { ++ int write_offset, write_len; + int offset = tkey->off; + int hoffset = 0; +- u32 *ptr, hdata; +- u32 val; ++ u32 cur_val, val; ++ u32 *ptr; + int rc; + + if (tkey_ex) { +@@ -433,13 +416,15 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb, + + if (tkey->offmask) { + u8 *d, _d; ++ int at_offset; + +- if (!offset_valid(skb, hoffset + tkey->at)) { ++ if (check_add_overflow(hoffset, (int)tkey->at, &at_offset) || ++ !offset_valid(skb, at_offset, sizeof(_d))) { + pr_info_ratelimited("tc action pedit 'at' offset %d out of bounds\n", + hoffset + tkey->at); + goto bad; + } +- d = skb_header_pointer(skb, hoffset + tkey->at, ++ d = skb_header_pointer(skb, at_offset, + sizeof(_d), &_d); + if (!d) + goto bad; +@@ -451,31 +436,51 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb, + } + } + +- if (!offset_valid(skb, hoffset + offset)) { +- pr_info_ratelimited("tc action pedit offset %d out of bounds\n", hoffset + offset); ++ if (check_add_overflow(hoffset, offset, &write_offset)) { ++ pr_info_ratelimited("tc action pedit offset overflow\n"); + goto bad; + } + +- ptr = skb_header_pointer(skb, hoffset + offset, +- sizeof(hdata), &hdata); +- if (!ptr) ++ if (!offset_valid(skb, write_offset, sizeof(*ptr))) { ++ pr_info_ratelimited("tc action pedit offset %d out of bounds\n", ++ write_offset); + goto bad; ++ } ++ ++ if (write_offset < 0) { ++ if (skb_cow(skb, -write_offset)) ++ goto bad; ++ if (write_offset + (int)sizeof(*ptr) > 0) { ++ if (skb_ensure_writable(skb, ++ min_t(int, skb->len, ++ write_offset + (int)sizeof(*ptr)))) ++ goto bad; ++ } ++ } else { 
++ if (check_add_overflow(write_offset, (int)sizeof(*ptr), ++ &write_len)) ++ goto bad; ++ if (skb_ensure_writable(skb, min_t(int, skb->len, ++ write_len))) ++ goto bad; ++ } ++ ++ ptr = (u32 *)(skb->data + write_offset); ++ cur_val = get_unaligned(ptr); + /* just do it, baby */ + switch (cmd) { + case TCA_PEDIT_KEY_EX_CMD_SET: + val = tkey->val; + break; + case TCA_PEDIT_KEY_EX_CMD_ADD: +- val = (*ptr + tkey->val) & ~tkey->mask; ++ val = (cur_val + tkey->val) & ~tkey->mask; + break; + default: + pr_info_ratelimited("tc action pedit bad command (%d)\n", cmd); + goto bad; + } + +- *ptr = ((*ptr & tkey->mask) ^ val); +- if (ptr == &hdata) +- skb_store_bits(skb, hoffset + offset, ptr, 4); ++ put_unaligned((cur_val & tkey->mask) ^ val, ptr); + } + + goto done; diff --git a/kernel-x86_64-debug-rhel.config b/kernel-x86_64-debug-rhel.config index 405f6e3af..ac77779b5 100644 --- a/kernel-x86_64-debug-rhel.config +++ b/kernel-x86_64-debug-rhel.config @@ -7006,6 +7006,7 @@ CONFIG_SND_XEN_FRONTEND=m # CONFIG_SOFTLOCKUP_DETECTOR_INTR_STORM is not set CONFIG_SOFTLOCKUP_DETECTOR=y CONFIG_SOFT_WATCHDOG=m +# CONFIG_SOFT_WATCHDOG_PRETIMEOUT is not set CONFIG_SOLARIS_X86_PARTITION=y CONFIG_SONY_FF=y CONFIG_SONY_LAPTOP=m @@ -8235,10 +8236,14 @@ CONFIG_WAN=y # CONFIG_WARN_ALL_UNSEEDED_RANDOM is not set CONFIG_WATCHDOG_CORE=y CONFIG_WATCHDOG_HANDLE_BOOT_ENABLED=y -# CONFIG_WATCHDOG_HRTIMER_PRETIMEOUT is not set +CONFIG_WATCHDOG_HRTIMER_PRETIMEOUT=y # CONFIG_WATCHDOG_NOWAYOUT is not set CONFIG_WATCHDOG_OPEN_TIMEOUT=0 -# CONFIG_WATCHDOG_PRETIMEOUT_GOV is not set +# CONFIG_WATCHDOG_PRETIMEOUT_DEFAULT_GOV_NOOP is not set +CONFIG_WATCHDOG_PRETIMEOUT_DEFAULT_GOV_PANIC=y +# CONFIG_WATCHDOG_PRETIMEOUT_GOV_NOOP is not set +CONFIG_WATCHDOG_PRETIMEOUT_GOV_PANIC=y +CONFIG_WATCHDOG_PRETIMEOUT_GOV=y CONFIG_WATCHDOG_SYSFS=y CONFIG_WATCHDOG=y CONFIG_WATCH_QUEUE=y diff --git a/kernel-x86_64-rhel.config b/kernel-x86_64-rhel.config index 56090442b..217178f90 100644 --- a/kernel-x86_64-rhel.config 
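Review bot: In the `@@ -433,13 +416,15 @@` hunk the 'at' path folds a check_add_overflow() failure into the "out of bounds" message and re-evaluates the rejected sum `hoffset + tkey->at` just to print it, while the write path in the last hunk reports the overflow case separately with `pr_info_ratelimited("tc action pedit offset overflow\n");`; either splitting the 'at' check the same way, or printing `at_offset` (which the builtin behind check_add_overflow() still sets to the wrapped result), keeps the two branches consistent and avoids recomputing the overflowing expression. The rewritten offset_valid() in the `@@ -318,15 +311,12 @@` hunk changed its contract from "offset is in range" to "len bytes starting at offset fit", which deserves a line such as `/* [offset, offset + len) must lie within the headroom or the skb's data */` above it now that callers pass sizeof(_d) and sizeof(*ptr). The two `#include` lines added in the `@@ -16,6 +16,8 @@` hunk show no header name on this page; confirm the vendored file actually names the headers that provide check_add_overflow() and get_unaligned()/put_unaligned(). tcf_pedit_act() starts before and ends after the last hunk.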
+++ b/kernel-x86_64-rhel.config
@@ -6982,6 +6982,7 @@ CONFIG_SND_XEN_FRONTEND=m
 # CONFIG_SOFTLOCKUP_DETECTOR_INTR_STORM is not set
 CONFIG_SOFTLOCKUP_DETECTOR=y
 CONFIG_SOFT_WATCHDOG=m
+# CONFIG_SOFT_WATCHDOG_PRETIMEOUT is not set
 CONFIG_SOLARIS_X86_PARTITION=y
 CONFIG_SONY_FF=y
 CONFIG_SONY_LAPTOP=m
@@ -8211,10 +8212,14 @@ CONFIG_WAN=y
 # CONFIG_WARN_ALL_UNSEEDED_RANDOM is not set
 CONFIG_WATCHDOG_CORE=y
 CONFIG_WATCHDOG_HANDLE_BOOT_ENABLED=y
-# CONFIG_WATCHDOG_HRTIMER_PRETIMEOUT is not set
+CONFIG_WATCHDOG_HRTIMER_PRETIMEOUT=y
 # CONFIG_WATCHDOG_NOWAYOUT is not set
 CONFIG_WATCHDOG_OPEN_TIMEOUT=0
-# CONFIG_WATCHDOG_PRETIMEOUT_GOV is not set
+# CONFIG_WATCHDOG_PRETIMEOUT_DEFAULT_GOV_NOOP is not set
+CONFIG_WATCHDOG_PRETIMEOUT_DEFAULT_GOV_PANIC=y
+# CONFIG_WATCHDOG_PRETIMEOUT_GOV_NOOP is not set
+CONFIG_WATCHDOG_PRETIMEOUT_GOV_PANIC=y
+CONFIG_WATCHDOG_PRETIMEOUT_GOV=y
 CONFIG_WATCHDOG_SYSFS=y
 CONFIG_WATCHDOG=y
 CONFIG_WATCH_QUEUE=y
diff --git a/kernel-x86_64-rt-debug-rhel.config b/kernel-x86_64-rt-debug-rhel.config
index 823667e3e..0ad2c14fe 100644
--- a/kernel-x86_64-rt-debug-rhel.config
+++ b/kernel-x86_64-rt-debug-rhel.config
@@ -7054,6 +7054,7 @@ CONFIG_SND_XEN_FRONTEND=m
 # CONFIG_SOFTLOCKUP_DETECTOR_INTR_STORM is not set
 CONFIG_SOFTLOCKUP_DETECTOR=y
 CONFIG_SOFT_WATCHDOG=m
+# CONFIG_SOFT_WATCHDOG_PRETIMEOUT is not set
 CONFIG_SOLARIS_X86_PARTITION=y
 CONFIG_SONY_FF=y
 CONFIG_SONY_LAPTOP=m
@@ -8284,10 +8285,14 @@ CONFIG_WAN=y
 # CONFIG_WARN_ALL_UNSEEDED_RANDOM is not set
 CONFIG_WATCHDOG_CORE=y
 CONFIG_WATCHDOG_HANDLE_BOOT_ENABLED=y
-# CONFIG_WATCHDOG_HRTIMER_PRETIMEOUT is not set
+CONFIG_WATCHDOG_HRTIMER_PRETIMEOUT=y
 # CONFIG_WATCHDOG_NOWAYOUT is not set
 CONFIG_WATCHDOG_OPEN_TIMEOUT=0
-# CONFIG_WATCHDOG_PRETIMEOUT_GOV is not set
+# CONFIG_WATCHDOG_PRETIMEOUT_DEFAULT_GOV_NOOP is not set
+CONFIG_WATCHDOG_PRETIMEOUT_DEFAULT_GOV_PANIC=y
+# CONFIG_WATCHDOG_PRETIMEOUT_GOV_NOOP is not set
+CONFIG_WATCHDOG_PRETIMEOUT_GOV_PANIC=y
+CONFIG_WATCHDOG_PRETIMEOUT_GOV=y
 CONFIG_WATCHDOG_SYSFS=y
 CONFIG_WATCHDOG=y
 CONFIG_WATCH_QUEUE=y
diff --git a/kernel-x86_64-rt-rhel.config b/kernel-x86_64-rt-rhel.config
index d2be85697..5593efb6e 100644
--- a/kernel-x86_64-rt-rhel.config
+++ b/kernel-x86_64-rt-rhel.config
@@ -7030,6 +7030,7 @@ CONFIG_SND_XEN_FRONTEND=m
 # CONFIG_SOFTLOCKUP_DETECTOR_INTR_STORM is not set
 CONFIG_SOFTLOCKUP_DETECTOR=y
 CONFIG_SOFT_WATCHDOG=m
+# CONFIG_SOFT_WATCHDOG_PRETIMEOUT is not set
 CONFIG_SOLARIS_X86_PARTITION=y
 CONFIG_SONY_FF=y
 CONFIG_SONY_LAPTOP=m
@@ -8260,10 +8261,14 @@ CONFIG_WAN=y
 # CONFIG_WARN_ALL_UNSEEDED_RANDOM is not set
 CONFIG_WATCHDOG_CORE=y
 CONFIG_WATCHDOG_HANDLE_BOOT_ENABLED=y
-# CONFIG_WATCHDOG_HRTIMER_PRETIMEOUT is not set
+CONFIG_WATCHDOG_HRTIMER_PRETIMEOUT=y
 # CONFIG_WATCHDOG_NOWAYOUT is not set
 CONFIG_WATCHDOG_OPEN_TIMEOUT=0
-# CONFIG_WATCHDOG_PRETIMEOUT_GOV is not set
+# CONFIG_WATCHDOG_PRETIMEOUT_DEFAULT_GOV_NOOP is not set
+CONFIG_WATCHDOG_PRETIMEOUT_DEFAULT_GOV_PANIC=y
+# CONFIG_WATCHDOG_PRETIMEOUT_GOV_NOOP is not set
+CONFIG_WATCHDOG_PRETIMEOUT_GOV_PANIC=y
+CONFIG_WATCHDOG_PRETIMEOUT_GOV=y
 CONFIG_WATCHDOG_SYSFS=y
 CONFIG_WATCHDOG=y
 CONFIG_WATCH_QUEUE=y
diff --git a/kernel.spec b/kernel.spec
index ec559cb91..0ce032ae5 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -176,13 +176,13 @@ Summary: The Linux kernel %define specrpmversion 6.12.0 %define specversion 6.12.0 %define patchversion 6.12 -%define pkgrelease 211.22.1 +%define pkgrelease 211.26.1 %define kversion 6 %define tarfile_release 6.12.0-211.7.1.el10_2 # This is needed to do merge window version magic %define patchlevel 12 # This allows pkg_release to have configurable %%{?dist} tag -%define specrelease 211.22.1%{?buildid}%{?dist} +%define specrelease 211.26.1%{?buildid}%{?dist} # This defines the kabi tarball version %define kabiversion 6.12.0-211.7.1.el10_2 
@@ -1386,6 +1386,28 @@ Patch1348: 1348-ftrace-check-against-is-kernel-text-instead-of-kaslr-offset.patc
 Patch1349: 1349-scripts-sorttable-use-normal-sort-if-theres-no-relocs-in-the.patch
 Patch1350: 1350-scripts-sorttable-allow-matches-to-functions-before-function.patch
 Patch1351: 1351-scripts-sorttable-fix-endianness-handling-in-build-time-mcou.patch
+Patch1352: 1352-s390-ap-expose-ap-bindings-complete-count-counter-via-sysfs.patch
+Patch1353: 1353-rxrpc-fix-rxgk-token-loading-to-check-bounds.patch
+Patch1354: 1354-xen-privcmd-fix-double-free-via-vma-splitting.patch
+Patch1355: 1355-bluetooth-hci-sync-fix-stack-buffer-overflow-in-hci-le-big-c.patch
+Patch1356: 1356-buffer-overflow-in-drivers-xen-sys-hypervisor-c.patch
+Patch1357: 1357-can-isotp-fix-tx-buf-use-after-free-in-isotp-sendmsg.patch
+Patch1358: 1358-scsi-lpfc-fix-reusing-an-ndlp-that-is-marked-nlp-dropped-dur.patch
+Patch1359: 1359-bluetooth-hci-event-fix-potential-uaf-in-ssp-passkey-handler.patch
+Patch1360: 1360-wifi-mac80211-use-safe-list-iteration-in-radar-detect-work.patch
+Patch1361: 1361-wifi-mac80211-drop-stray-static-from-fast-rx-rx-result.patch
+Patch1362: 1362-wifi-mac80211-remove-station-if-connection-prep-fails.patch
+Patch1363: 1363-bnxt-en-fix-rss-context-delete-logic.patch
+Patch1364: 1364-objtool-klp-fix-unexported-static-call-key-access-for-manual.patch
+Patch1365: 1365-rbd-eliminate-a-race-in-lock-dwork-draining-on-unmap.patch
+Patch1366: 1366-ibmveth-disable-gso-for-packets-with-small-mss.patch
+Patch1367: 1367-s390-mm-add-missing-secure-storage-access-fixups-for-donated.patch
+Patch1368: 1368-mptcp-fix-slab-use-after-free-in-inet-lookup-established.patch
+Patch1369: 1369-watchdog-wdat-wdt-fix-acpi-table-leak-in-probe-function.patch
+Patch1370: 1370-net-mana-fix-use-after-free-in-add-adev-error-path.patch
+Patch1371: 1371-crypto-caam-fix-overflow-on-long-hmac-keys.patch
+Patch1372: 1372-exit-prevent-preemption-of-oopsing-task-dead-task.patch
+Patch1373: 
1373-net-sched-fix-pedit-partial-cow-leading-to-page-cache-corrup.patch # END OF PATCH DEFINITIONS %description 
@@ -2494,6 +2516,28 @@ ApplyPatch 1348-ftrace-check-against-is-kernel-text-instead-of-kaslr-offset.patc
 ApplyPatch 1349-scripts-sorttable-use-normal-sort-if-theres-no-relocs-in-the.patch
 ApplyPatch 1350-scripts-sorttable-allow-matches-to-functions-before-function.patch
 ApplyPatch 1351-scripts-sorttable-fix-endianness-handling-in-build-time-mcou.patch
+ApplyPatch 1352-s390-ap-expose-ap-bindings-complete-count-counter-via-sysfs.patch
+ApplyPatch 1353-rxrpc-fix-rxgk-token-loading-to-check-bounds.patch
+ApplyPatch 1354-xen-privcmd-fix-double-free-via-vma-splitting.patch
+ApplyPatch 1355-bluetooth-hci-sync-fix-stack-buffer-overflow-in-hci-le-big-c.patch
+ApplyPatch 1356-buffer-overflow-in-drivers-xen-sys-hypervisor-c.patch
+ApplyPatch 1357-can-isotp-fix-tx-buf-use-after-free-in-isotp-sendmsg.patch
+ApplyPatch 1358-scsi-lpfc-fix-reusing-an-ndlp-that-is-marked-nlp-dropped-dur.patch
+ApplyPatch 1359-bluetooth-hci-event-fix-potential-uaf-in-ssp-passkey-handler.patch
+ApplyPatch 1360-wifi-mac80211-use-safe-list-iteration-in-radar-detect-work.patch
+ApplyPatch 1361-wifi-mac80211-drop-stray-static-from-fast-rx-rx-result.patch
+ApplyPatch 1362-wifi-mac80211-remove-station-if-connection-prep-fails.patch
+ApplyPatch 1363-bnxt-en-fix-rss-context-delete-logic.patch
+ApplyPatch 1364-objtool-klp-fix-unexported-static-call-key-access-for-manual.patch
+ApplyPatch 1365-rbd-eliminate-a-race-in-lock-dwork-draining-on-unmap.patch
+ApplyPatch 1366-ibmveth-disable-gso-for-packets-with-small-mss.patch
+ApplyPatch 1367-s390-mm-add-missing-secure-storage-access-fixups-for-donated.patch
+ApplyPatch 1368-mptcp-fix-slab-use-after-free-in-inet-lookup-established.patch
+ApplyPatch 1369-watchdog-wdat-wdt-fix-acpi-table-leak-in-probe-function.patch
+ApplyPatch 1370-net-mana-fix-use-after-free-in-add-adev-error-path.patch
+ApplyPatch 1371-crypto-caam-fix-overflow-on-long-hmac-keys.patch
+ApplyPatch 1372-exit-prevent-preemption-of-oopsing-task-dead-task.patch
+ApplyPatch 
1373-net-sched-fix-pedit-partial-cow-leading-to-page-cache-corrup.patch # END OF PATCH APPLICATIONS # Any further pre-build tree manipulations happen here. 
@@ -4998,6 +5042,43 @@ fi\
 #
 #
 %changelog
+* Mon Jun 22 2026 Andrew Lukoshko - 6.12.0-211.26.1
+- Recreate RHEL 6.12.0-211.26.1 from CentOS Stream 10 and upstream stable backports (1352-1373)
+- Enable watchdog pretimeout panic functionality for x86 via kernel config (RHEL-182299)
+- RHEL changelog for 211.23.1..211.26.1 follows:
+
+* Thu Jun 18 2026 CKI KWF Bot [6.12.0-211.26.1.el10_2]
+- net/sched: fix pedit partial COW leading to page cache corruption (Ivan Vecera) [RHEL-177380] {CVE-2026-46331}
+- exit: prevent preemption of oopsing TASK_DEAD task (CKI Backport Bot) [RHEL-180009] {CVE-2026-46173}
+- crypto: caam - fix overflow on long hmac keys (CKI Backport Bot) [RHEL-179769] {CVE-2026-43330}
+- net: mana: fix use-after-free in add_adev() error path (CKI Backport Bot) [RHEL-172772] {CVE-2026-43056}
+
+* Wed Jun 17 2026 CKI KWF Bot [6.12.0-211.25.1.el10_2]
+- gitlab-ci: use rhel10.2 builder image (Michael Krausch-Hofmann)
+- redhat/configs: enable watchdog pretimout panic functionality for x86 (David Arcari) [RHEL-182299]
+- watchdog: wdat_wdt: Fix ACPI table leak in probe function (David Arcari) [RHEL-182299]
+- mptcp: fix slab-use-after-free in __inet_lookup_established (CKI Backport Bot) [RHEL-171510] {CVE-2026-31669}
+
+* Mon Jun 15 2026 CKI KWF Bot [6.12.0-211.24.1.el10_2]
+- s390/mm: Add missing secure storage access fixups for donated memory (Jan Polensky) [RHEL-183319]
+- ibmveth: Disable GSO for packets with small MSS (Mamatha Inamdar) [RHEL-179723]
+- rbd: eliminate a race in lock_dwork draining on unmap (CKI Backport Bot) [RHEL-183127]
+- objtool/klp: Fix unexported static call key access for manually built livepatch modules (Joe Lawrence) [RHEL-178495]
+- bnxt_en: Fix RSS context delete logic (CKI Backport Bot) [RHEL-180307] {CVE-2026-43260}
+- wifi: mac80211: remove station if connection prep fails (CKI Backport Bot) [RHEL-180126] {CVE-2026-46125}
+- wifi: mac80211: drop stray 'static' from fast-RX rx_result (CKI Backport Bot) [RHEL-180060] {CVE-2026-46152}
+- wifi: mac80211: use safe list iteration in radar detect work (CKI Backport Bot) [RHEL-180022] {CVE-2026-46166}
+- Bluetooth: hci_event: fix potential UAF in SSP passkey handlers (CKI Backport Bot) [RHEL-179358] {CVE-2026-46056}
+- scsi: lpfc: Fix reusing an ndlp that is marked NLP_DROPPED during FLOGI (Ewan D. Milne) [RHEL-171774]
+- can: isotp: fix tx.buf use-after-free in isotp_sendmsg() (CKI Backport Bot) [RHEL-175533] {CVE-2026-31474}
+- Buffer overflow in drivers/xen/sys-hypervisor.c (Vitaly Kuznetsov) [RHEL-172516] {CVE-2026-31786}
+- Bluetooth: hci_sync: fix stack buffer overflow in hci_le_big_create_sync (CKI Backport Bot) [RHEL-172862] {CVE-2026-31772}
+- xen/privcmd: fix double free via VMA splitting (CKI Backport Bot) [RHEL-172492] {CVE-2026-31787}
+- rxrpc: Fix RxGK token loading to check bounds (CKI Backport Bot) [RHEL-171419] {CVE-2026-31641}
+
+* Thu Jun 11 2026 CKI KWF Bot [6.12.0-211.23.1.el10_2]
+- s390/ap: Expose ap_bindings_complete_count counter via sysfs (Mircea Dragan) [RHEL-166047]
+
 * Wed Jun 11 2026 Andrew Lukoshko - 6.12.0-211.22.1
 - Recreate RHEL 6.12.0-211.22.1 from CentOS Stream 10 and upstream stable backports (1288-1352)
 - RHEL changelog for 211.21.1..211.22.1 follows: