From 4ce490ce487de191e62b02bd8ead4b3c410f26f3 Mon Sep 17 00:00:00 2001 From: Andrew Lukoshko Date: Mon, 13 Jul 2026 14:49:58 +0000 Subject: [PATCH] Recreate RHEL 5.14.0-687.25.1 from CS9/upstream backports - Drop AlmaLinux ahead-of-RHEL rtmutex remove_waiter() fixes (1756, 1757), superseded by RHEL's CVE-2026-43499 copies in 687.25.1 - Add RHEL 687.25.1 backports recreated from CS9/upstream (1761-1769), including the futex/requeue guard and its same-release revert (net zero, kept for changelog fidelity) --- ...tex-use-waiter-task-in-remove-waiter.patch | 90 --------- ...to-ccp-copy-iv-using-skcipher-ivsize.patch | 42 +++++ ...-in-skb-segment-list-for-gro-packets.patch | 100 ++++++++++ ...odname-and-modbuildid-initialization.patch | 77 ++++++++ ...llsyms-bpf-rename-bpf-address-lookup.patch | 175 ++++++++++++++++++ ...able-fdb-dst-snapshot-in-rcu-readers.patch | 171 +++++++++++++++++ ...-instead-of-current-in-remove-waiter.patch | 91 +++++++++ ...pointer-dereference-in-remove-waiter.patch | 42 +++++ ...-waiter-when-waiter-is-not-enqueued.patch} | 23 +-- ...ert-prevent-null-pointer-dereference.patch | 48 +++++ SPECS/kernel.spec | 43 ++++- 11 files changed, 788 insertions(+), 114 deletions(-) delete mode 100644 SOURCES/1756-rtmutex-use-waiter-task-in-remove-waiter.patch create mode 100644 SOURCES/1761-crypto-ccp-copy-iv-using-skcipher-ivsize.patch create mode 100644 SOURCES/1762-net-fix-memory-leak-in-skb-segment-list-for-gro-packets.patch create mode 100644 SOURCES/1763-kallsyms-clean-up-modname-and-modbuildid-initialization.patch create mode 100644 SOURCES/1764-kallsyms-bpf-rename-bpf-address-lookup.patch create mode 100644 SOURCES/1765-net-bridge-use-a-stable-fdb-dst-snapshot-in-rcu-readers.patch create mode 100644 SOURCES/1766-rtmutex-use-waiter-task-instead-of-current-in-remove-waiter.patch create mode 100644 SOURCES/1767-futex-requeue-prevent-null-pointer-dereference-in-remove-waiter.patch rename SOURCES/{1757-rtmutex-skip-remove-waiter-when-not-enqueued.patch => 1768-locking-rtmutex-skip-remove-waiter-when-waiter-is-not-enqueued.patch} (73%) create mode 100644 SOURCES/1769-futex-requeue-revert-prevent-null-pointer-dereference.patch diff --git a/SOURCES/1756-rtmutex-use-waiter-task-in-remove-waiter.patch b/SOURCES/1756-rtmutex-use-waiter-task-in-remove-waiter.patch deleted file mode 100644 index 87ed85eb4..000000000 --- a/SOURCES/1756-rtmutex-use-waiter-task-in-remove-waiter.patch +++ /dev/null @@ -1,90 +0,0 @@ -From 3bfdc63936dd4773109b7b8c280c0f3b5ae7d349 Mon Sep 17 00:00:00 2001 -From: Keenan Dong -Date: Wed, 8 Apr 2026 16:46:00 +0800 -Subject: [PATCH] rtmutex: Use waiter::task instead of current in - remove_waiter() - -remove_waiter() is used by the slowlock paths, but it is also used for -proxy-lock rollback in rt_mutex_start_proxy_lock() when invoked from -futex_requeue(). - -In the latter case waiter::task is not current, but remove_waiter() -operates on current for the dequeue operation. That results in several -problems: - - 1) the rbtree dequeue happens without waiter::task::pi_lock being held - - 2) the waiter task's pi_blocked_on state is not cleared, which leaves a - dangling pointer primed for UAF around. - - 3) rt_mutex_adjust_prio_chain() operates on the wrong top priority waiter - task - -Use waiter::task instead of current in all related operations in -remove_waiter() to cure those problems. - -[ tglx: Fixup rt_mutex_adjust_prio_chain(), add a comment and amend the - changelog ] - -Fixes: 8161239a8bcc ("rtmutex: Simplify PI algorithm and make highest prio task get lock") -Reported-by: Yuan Tan -Reported-by: Yifan Wu -Reported-by: Juefei Pu -Reported-by: Xin Liu -Signed-off-by: Keenan Dong -Signed-off-by: Thomas Gleixner -Cc: stable@vger.kernel.org - -[ AlmaLinux: adapted to a9 (5.14.0-687.5.1.el9_8). No functional change vs - upstream commit 3bfdc63936dd; only diff hunk offsets differ. The - scoped_guard(raw_spinlock, ...) form is used verbatim: it is available in - this tree via include/linux/cleanup.h and DEFINE_LOCK_GUARD_1(raw_spinlock, - ...) in include/linux/spinlock.h. ] ---- - kernel/locking/rtmutex.c | 13 ++++++++----- - 1 file changed, 8 insertions(+), 5 deletions(-) - -diff --git a/kernel/locking/rtmutex.c b/kernel/locking/rtmutex.c -index 1eb4f9499..e881d9548 100644 ---- a/kernel/locking/rtmutex.c -+++ b/kernel/locking/rtmutex.c -@@ -1534,20 +1534,23 @@ static bool rtmutex_spin_on_owner(struct rt_mutex_base *lock, - * - * Must be called with lock->wait_lock held and interrupts disabled. It must - * have just failed to try_to_take_rt_mutex(). -+ * -+ * When invoked from rt_mutex_start_proxy_lock() waiter::task != current ! - */ - static void __sched remove_waiter(struct rt_mutex_base *lock, - struct rt_mutex_waiter *waiter) - { - bool is_top_waiter = (waiter == rt_mutex_top_waiter(lock)); - struct task_struct *owner = rt_mutex_owner(lock); -+ struct task_struct *waiter_task = waiter->task; - struct rt_mutex_base *next_lock; - - lockdep_assert_held(&lock->wait_lock); - -- raw_spin_lock(¤t->pi_lock); -- rt_mutex_dequeue(lock, waiter); -- current->pi_blocked_on = NULL; -- raw_spin_unlock(¤t->pi_lock); -+ scoped_guard(raw_spinlock, &waiter_task->pi_lock) { -+ rt_mutex_dequeue(lock, waiter); -+ waiter_task->pi_blocked_on = NULL; -+ } - - /* - * Only update priority if the waiter was the highest priority -@@ -1583,7 +1586,7 @@ static void __sched remove_waiter(struct rt_mutex_base *lock, - raw_spin_unlock_irq(&lock->wait_lock); - - rt_mutex_adjust_prio_chain(owner, RT_MUTEX_MIN_CHAINWALK, lock, -- next_lock, NULL, current); -+ next_lock, NULL, waiter_task); - - raw_spin_lock_irq(&lock->wait_lock); - } --- -2.43.7 - diff --git a/SOURCES/1761-crypto-ccp-copy-iv-using-skcipher-ivsize.patch b/SOURCES/1761-crypto-ccp-copy-iv-using-skcipher-ivsize.patch new file mode 100644 index 000000000..141f714b7 --- /dev/null +++ b/SOURCES/1761-crypto-ccp-copy-iv-using-skcipher-ivsize.patch @@ -0,0 +1,42 @@ +From 798d409a8949f3f495f238549b86de2886b129bd Mon Sep 17 00:00:00 2001 +From: Paul Moses +Date: Wed, 1 Apr 2026 03:07:49 -0500 +Subject: [PATCH] crypto: ccp - copy IV using skcipher ivsize + +[ Upstream commit a7a1f3cdd64d8a165d9b8c9e9ad7fb46ac19dfc4 ] + +AF_ALG rfc3686-ctr-aes-ccp requests pass an 8-byte IV to the driver. + +ccp_aes_complete() restores AES_BLOCK_SIZE bytes into the caller's IV +buffer while RFC3686 skciphers expose an 8-byte IV, so the restore +overruns the provided buffer. + +Use crypto_skcipher_ivsize() to copy only the algorithm's IV length. + +Fixes: 2b789435d7f3 ("crypto: ccp - CCP AES crypto API support") +Signed-off-by: Paul Moses +Reviewed-by: Tom Lendacky +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin + +diff --git a/drivers/crypto/ccp/ccp-crypto-aes.c b/drivers/crypto/ccp/ccp-crypto-aes.c +index e6dcd8cedd53..b03ed5e83c3e 100644 +--- a/drivers/crypto/ccp/ccp-crypto-aes.c ++++ b/drivers/crypto/ccp/ccp-crypto-aes.c +@@ -28,8 +28,11 @@ static int ccp_aes_complete(struct crypto_async_request *async_req, int ret) + if (ret) + return ret; + +- if (ctx->u.aes.mode != CCP_AES_MODE_ECB) +- memcpy(req->iv, rctx->iv, AES_BLOCK_SIZE); ++ if (ctx->u.aes.mode != CCP_AES_MODE_ECB) { ++ size_t ivsize = crypto_skcipher_ivsize(crypto_skcipher_reqtfm(req)); ++ ++ memcpy(req->iv, rctx->iv, ivsize); ++ } + + return 0; + } +-- +2.50.1 (Apple Git-155) + diff --git a/SOURCES/1762-net-fix-memory-leak-in-skb-segment-list-for-gro-packets.patch b/SOURCES/1762-net-fix-memory-leak-in-skb-segment-list-for-gro-packets.patch new file mode 100644 index 000000000..705bdc95d --- /dev/null +++ b/SOURCES/1762-net-fix-memory-leak-in-skb-segment-list-for-gro-packets.patch @@ -0,0 +1,100 @@ +From 238e03d0466239410b72294b79494e43d4fabe77 Mon Sep 17 00:00:00 2001 +From: Mohammad Heib +Date: Sun, 4 Jan 2026 23:31:01 +0200 +Subject: [PATCH] net: fix memory leak in skb_segment_list for GRO packets + +When skb_segment_list() is called during packet forwarding, it handles +packets that were aggregated by the GRO engine. + +Historically, the segmentation logic in skb_segment_list assumes that +individual segments are split from a parent SKB and may need to carry +their own socket memory accounting. Accordingly, the code transfers +truesize from the parent to the newly created segments. + +Prior to commit ed4cccef64c1 ("gro: fix ownership transfer"), this +truesize subtraction in skb_segment_list() was valid because fragments +still carry a reference to the original socket. + +However, commit ed4cccef64c1 ("gro: fix ownership transfer") changed +this behavior by ensuring that fraglist entries are explicitly +orphaned (skb->sk = NULL) to prevent illegal orphaning later in the +stack. This change meant that the entire socket memory charge remained +with the head SKB, but the corresponding accounting logic in +skb_segment_list() was never updated. + +As a result, the current code unconditionally adds each fragment's +truesize to delta_truesize and subtracts it from the parent SKB. Since +the fragments are no longer charged to the socket, this subtraction +results in an effective under-count of memory when the head is freed. +This causes sk_wmem_alloc to remain non-zero, preventing socket +destruction and leading to a persistent memory leak. + +The leak can be observed via KMEMLEAK when tearing down the networking +environment: + +unreferenced object 0xffff8881e6eb9100 (size 2048): + comm "ping", pid 6720, jiffies 4295492526 + backtrace: + kmem_cache_alloc_noprof+0x5c6/0x800 + sk_prot_alloc+0x5b/0x220 + sk_alloc+0x35/0xa00 + inet6_create.part.0+0x303/0x10d0 + __sock_create+0x248/0x640 + __sys_socket+0x11b/0x1d0 + +Since skb_segment_list() is exclusively used for SKB_GSO_FRAGLIST +packets constructed by GRO, the truesize adjustment is removed. + +The call to skb_release_head_state() must be preserved. As documented in +commit cf673ed0e057 ("net: fix fraglist segmentation reference count +leak"), it is still required to correctly drop references to SKB +extensions that may be overwritten during __copy_skb_header(). + +Fixes: ed4cccef64c1 ("gro: fix ownership transfer") +Signed-off-by: Mohammad Heib +Reviewed-by: Willem de Bruijn +Link: https://patch.msgid.link/20260104213101.352887-1-mheib@redhat.com +Signed-off-by: Jakub Kicinski + +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index a00808f7be6a..a56133902c0d 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -4636,12 +4636,14 @@ struct sk_buff *skb_segment_list(struct sk_buff *skb, + { + struct sk_buff *list_skb = skb_shinfo(skb)->frag_list; + unsigned int tnl_hlen = skb_tnl_header_len(skb); +- unsigned int delta_truesize = 0; + unsigned int delta_len = 0; + struct sk_buff *tail = NULL; + struct sk_buff *nskb, *tmp; + int len_diff, err; + ++ /* Only skb_gro_receive_list generated skbs arrive here */ ++ DEBUG_NET_WARN_ON_ONCE(!(skb_shinfo(skb)->gso_type & SKB_GSO_FRAGLIST)); ++ + skb_push(skb, -skb_network_offset(skb) + offset); + + /* Ensure the head is writeable before touching the shared info */ +@@ -4655,8 +4657,9 @@ struct sk_buff *skb_segment_list(struct sk_buff *skb, + nskb = list_skb; + list_skb = list_skb->next; + ++ DEBUG_NET_WARN_ON_ONCE(nskb->sk); ++ + err = 0; +- delta_truesize += nskb->truesize; + if (skb_shared(nskb)) { + tmp = skb_clone(nskb, GFP_ATOMIC); + if (tmp) { +@@ -4699,7 +4702,6 @@ struct sk_buff *skb_segment_list(struct sk_buff *skb, + goto err_linearize; + } + +- skb->truesize = skb->truesize - delta_truesize; + skb->data_len = skb->data_len - delta_len; + skb->len = skb->len - delta_len; + +-- +2.50.1 (Apple Git-155) + diff --git a/SOURCES/1763-kallsyms-clean-up-modname-and-modbuildid-initialization.patch b/SOURCES/1763-kallsyms-clean-up-modname-and-modbuildid-initialization.patch new file mode 100644 index 000000000..f67ad55f9 --- /dev/null +++ b/SOURCES/1763-kallsyms-clean-up-modname-and-modbuildid-initialization.patch @@ -0,0 +1,77 @@ +From bba6d3303088d0f68a34859079a4656d6e86e164 Mon Sep 17 00:00:00 2001 +From: Anubhav Shelat +Date: Tue, 12 May 2026 12:55:02 -0400 +Subject: [PATCH] kallsyms: clean up modname and modbuildid initialization in + kallsyms_lookup_buildid() + +JIRA: https://issues.redhat.com/browse/RHEL-164306 + +upstream +======== +commit fda024fb64769e9d6b3916d013c78d6b189129f8 +Author: Petr Mladek +Date: Fri Nov 28 14:59:15 2025 +0100 + +description +=========== +The @modname and @modbuildid optional return parameters are set only when +the symbol is in a module. + +Always initialize them so that they do not need to be cleared when the +module is not in a module. It simplifies the logic and makes the code +even slightly more safe. + +Note that bpf_address_lookup() function will get updated in a separate +patch. + + Link: https://lkml.kernel.org/r/20251128135920.217303-3-pmladek@suse.com + Signed-off-by: Petr Mladek + Cc: Aaron Tomlin + Cc: Alexei Starovoitov + Cc: Daniel Borkman + Cc: Daniel Gomez + Cc: John Fastabend + Cc: Kees Cook + Cc: Luis Chamberalin + Cc: Marc Rutland + Cc: "Masami Hiramatsu (Google)" + Cc: Petr Pavlu + Cc: Sami Tolvanen + Cc: Steven Rostedt (Google) + Signed-off-by: Andrew Morton + +Signed-off-by: Anubhav Shelat + +diff --git a/kernel/kallsyms.c b/kernel/kallsyms.c +index 8deb399d45c7..859435335c6f 100644 +--- a/kernel/kallsyms.c ++++ b/kernel/kallsyms.c +@@ -403,6 +403,14 @@ static const char *kallsyms_lookup_buildid(unsigned long addr, + + namebuf[KSYM_NAME_LEN - 1] = 0; + namebuf[0] = 0; ++ /* ++ * Initialize the module-related return values. They are not set ++ * when the symbol is in vmlinux or it is a bpf address. ++ */ ++ if (modname) ++ *modname = NULL; ++ if (modbuildid) ++ *modbuildid = NULL; + + if (is_ksym_addr(addr)) { + unsigned long pos; +@@ -411,10 +419,6 @@ static const char *kallsyms_lookup_buildid(unsigned long addr, + /* Grab name */ + kallsyms_expand_symbol(get_symbol_offset(pos), + namebuf, KSYM_NAME_LEN); +- if (modname) +- *modname = NULL; +- if (modbuildid) +- *modbuildid = NULL; + + ret = namebuf; + goto found; +-- +2.50.1 (Apple Git-155) + diff --git a/SOURCES/1764-kallsyms-bpf-rename-bpf-address-lookup.patch b/SOURCES/1764-kallsyms-bpf-rename-bpf-address-lookup.patch new file mode 100644 index 000000000..9e2345165 --- /dev/null +++ b/SOURCES/1764-kallsyms-bpf-rename-bpf-address-lookup.patch @@ -0,0 +1,175 @@ +From f4175fcdb3d3d06d76caf08a7e6cb8f56da32f94 Mon Sep 17 00:00:00 2001 +From: Anubhav Shelat +Date: Tue, 12 May 2026 17:50:20 -0400 +Subject: [PATCH] kallsyms/bpf: rename __bpf_address_lookup() to + bpf_address_lookup() + +JIRA: https://issues.redhat.com/browse/RHEL-164306 + +Conflict: Code difference due to missing +7e1f4eb9a60d40dd17a97d9b76818682a024a127 (kallsyms: rework symbol lookup +return codes). + +upstream +======== +commit cd6735896d0343942cf3dafb48ce32eb79341990 +Author: Petr Mladek +Date: Fri Nov 28 14:59:18 2025 +0100 + +description +=========== + +bpf_address_lookup() has been used only in kallsyms_lookup_buildid(). It +was supposed to set @modname and @modbuildid when the symbol was in a +module. + +But it always just cleared @modname because BPF symbols were never in a +module. And it did not clear @modbuildid because the pointer was not +passed. + +The wrapper is no longer needed. Both @modname and @modbuildid are now +always initialized to NULL in kallsyms_lookup_buildid(). + +Remove the wrapper and rename __bpf_address_lookup() to +bpf_address_lookup() because this variant is used everywhere. + + [akpm@linux-foundation.org: fix loongarch] + Link: https://lkml.kernel.org/r/20251128135920.217303-6-pmladek@suse.com + Fixes: 9294523e3768 ("module: add printk formats to add module build ID to stacktraces") + Signed-off-by: Petr Mladek + Acked-by: Alexei Starovoitov + Cc: Aaron Tomlin + Cc: Daniel Borkman + Cc: Daniel Gomez + Cc: John Fastabend + Cc: Kees Cook + Cc: Luis Chamberalin + Cc: Marc Rutland + Cc: "Masami Hiramatsu (Google)" + Cc: Petr Pavlu + Cc: Sami Tolvanen + Cc: Steven Rostedt (Google) + Signed-off-by: Andrew Morton + +Signed-off-by: Anubhav Shelat + +diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c +index c2afc5533..0f32892f0 100644 +--- a/arch/arm64/net/bpf_jit_comp.c ++++ b/arch/arm64/net/bpf_jit_comp.c +@@ -2567,7 +2567,7 @@ int bpf_arch_text_poke(void *ip, enum bpf_text_poke_type poke_type, + u64 plt_target = 0ULL; + bool poking_bpf_entry; + +- if (!__bpf_address_lookup((unsigned long)ip, &size, &offset, namebuf)) ++ if (!bpf_address_lookup((unsigned long)ip, &size, &offset, namebuf)) + /* Only poking bpf text is supported. Since kernel function + * entry is set up by ftrace, we reply on ftrace to poke kernel + * functions. +diff --git a/arch/powerpc/net/bpf_jit_comp.c b/arch/powerpc/net/bpf_jit_comp.c +index b381ab8d1..325d494e2 100644 +--- a/arch/powerpc/net/bpf_jit_comp.c ++++ b/arch/powerpc/net/bpf_jit_comp.c +@@ -1096,7 +1096,7 @@ int bpf_arch_text_poke(void *ip, enum bpf_text_poke_type poke_type, + branch_flags = poke_type == BPF_MOD_CALL ? BRANCH_SET_LINK : 0; + + /* We currently only support poking bpf programs */ +- if (!__bpf_address_lookup(bpf_func, &size, &offset, name)) { ++ if (!bpf_address_lookup(bpf_func, &size, &offset, name)) { + pr_err("%s (0x%lx): kernel/modules are not supported\n", __func__, bpf_func); + return -EOPNOTSUPP; + } +diff --git a/include/linux/filter.h b/include/linux/filter.h +index c04fbf7f0..057626c3b 100644 +--- a/include/linux/filter.h ++++ b/include/linux/filter.h +@@ -1249,24 +1249,13 @@ static inline bool bpf_jit_kallsyms_enabled(void) + return false; + } + +-const char *__bpf_address_lookup(unsigned long addr, unsigned long *size, +- unsigned long *off, char *sym); ++const char *bpf_address_lookup(unsigned long addr, unsigned long *size, ++ unsigned long *off, char *sym); + bool is_bpf_text_address(unsigned long addr); + int bpf_get_kallsym(unsigned int symnum, unsigned long *value, char *type, + char *sym); + struct bpf_prog *bpf_prog_ksym_find(unsigned long addr); + +-static inline const char * +-bpf_address_lookup(unsigned long addr, unsigned long *size, +- unsigned long *off, char **modname, char *sym) +-{ +- const char *ret = __bpf_address_lookup(addr, size, off, sym); +- +- if (ret && modname) +- *modname = NULL; +- return ret; +-} +- + void bpf_prog_kallsyms_add(struct bpf_prog *fp); + void bpf_prog_kallsyms_del(struct bpf_prog *fp); + +@@ -1305,8 +1294,8 @@ static inline bool bpf_jit_kallsyms_enabled(void) + } + + static inline const char * +-__bpf_address_lookup(unsigned long addr, unsigned long *size, +- unsigned long *off, char *sym) ++bpf_address_lookup(unsigned long addr, unsigned long *size, ++ unsigned long *off, char *sym) + { + return NULL; + } +@@ -1327,13 +1316,6 @@ static inline struct bpf_prog *bpf_prog_ksym_find(unsigned long addr) + return NULL; + } + +-static inline const char * +-bpf_address_lookup(unsigned long addr, unsigned long *size, +- unsigned long *off, char **modname, char *sym) +-{ +- return NULL; +-} +- + static inline void bpf_prog_kallsyms_add(struct bpf_prog *fp) + { + } +diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c +index 07dda7c6a..5c07d9a7d 100644 +--- a/kernel/bpf/core.c ++++ b/kernel/bpf/core.c +@@ -742,8 +742,8 @@ static struct bpf_ksym *bpf_ksym_find(unsigned long addr) + return n ? container_of(n, struct bpf_ksym, tnode) : NULL; + } + +-const char *__bpf_address_lookup(unsigned long addr, unsigned long *size, +- unsigned long *off, char *sym) ++const char *bpf_address_lookup(unsigned long addr, unsigned long *size, ++ unsigned long *off, char *sym) + { + struct bpf_ksym *ksym; + char *ret = NULL; +diff --git a/kernel/kallsyms.c b/kernel/kallsyms.c +index 859435335..8ff04b11e 100644 +--- a/kernel/kallsyms.c ++++ b/kernel/kallsyms.c +@@ -391,7 +391,7 @@ int kallsyms_lookup_size_offset(unsigned long addr, unsigned long *symbolsize, + return 1; + } + return !!module_address_lookup(addr, symbolsize, offset, NULL, NULL, namebuf) || +- !!__bpf_address_lookup(addr, symbolsize, offset, namebuf); ++ !!bpf_address_lookup(addr, symbolsize, offset, namebuf); + } + + static const char *kallsyms_lookup_buildid(unsigned long addr, +@@ -428,8 +428,7 @@ static const char *kallsyms_lookup_buildid(unsigned long addr, + ret = module_address_lookup(addr, symbolsize, offset, + modname, modbuildid, namebuf); + if (!ret) +- ret = bpf_address_lookup(addr, symbolsize, +- offset, modname, namebuf); ++ ret = bpf_address_lookup(addr, symbolsize, offset, namebuf); + + if (!ret) + ret = ftrace_mod_address_lookup(addr, symbolsize, diff --git a/SOURCES/1765-net-bridge-use-a-stable-fdb-dst-snapshot-in-rcu-readers.patch b/SOURCES/1765-net-bridge-use-a-stable-fdb-dst-snapshot-in-rcu-readers.patch new file mode 100644 index 000000000..4672e2341 --- /dev/null +++ b/SOURCES/1765-net-bridge-use-a-stable-fdb-dst-snapshot-in-rcu-readers.patch @@ -0,0 +1,171 @@ +From a6ae4511c07b91f597e461406c6330f0d4ff810e Mon Sep 17 00:00:00 2001 +From: Zhengchuan Liang +Date: Mon, 4 May 2026 08:16:28 -0400 +Subject: [PATCH] net: bridge: use a stable FDB dst snapshot in RCU readers + +[ Upstream commit df4601653201de21b487c3e7fffd464790cab808 ] + +Local FDB entries can be rewritten in place by `fdb_delete_local()`, which +updates `f->dst` to another port or to `NULL` while keeping the entry +alive. Several bridge RCU readers inspect `f->dst`, including +`br_fdb_fillbuf()` through the `brforward_read()` sysfs path. + +These readers currently load `f->dst` multiple times and can therefore +observe inconsistent values across the check and later dereference. +In `br_fdb_fillbuf()`, this means a concurrent local-FDB update can change +`f->dst` after the NULL check and before the `port_no` dereference, +leading to a NULL-ptr-deref. + +Fix this by taking a single `READ_ONCE()` snapshot of `f->dst` in each +affected RCU reader and using that snapshot for the rest of the access +sequence. Also publish the in-place `f->dst` updates in `fdb_delete_local()` +with `WRITE_ONCE()` so the readers and writer use matching access patterns. + +Fixes: 960b589f86c7 ("bridge: Properly check if local fdb entry can be deleted in br_fdb_change_mac_address") +Cc: stable@kernel.org +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Tested-by: Ren Wei +Signed-off-by: Zhengchuan Liang +Signed-off-by: Ren Wei +Reviewed-by: Ido Schimmel +Acked-by: Nikolay Aleksandrov +Link: https://patch.msgid.link/6570fabb85ecadb8baaf019efe856f407711c7b9.1776043229.git.zcliangcn@gmail.com +Signed-off-by: Paolo Abeni +[ kept combined-flag check `(dst->flags & (BR_PROXYARP_WIFI | BR_NEIGH_SUPPRESS))` and `cb->args[2]` indexing instead of `br_is_neigh_suppress_enabled()` helper and `ctx->fdb_idx` ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman + +diff --git a/net/bridge/br_arp_nd_proxy.c b/net/bridge/br_arp_nd_proxy.c +index 1e2b51769..1f37b8cff 100644 +--- a/net/bridge/br_arp_nd_proxy.c ++++ b/net/bridge/br_arp_nd_proxy.c +@@ -202,11 +202,12 @@ void br_do_proxy_suppress_arp(struct sk_buff *skb, struct net_bridge *br, + + f = br_fdb_find_rcu(br, n->ha, vid); + if (f) { ++ const struct net_bridge_port *dst = READ_ONCE(f->dst); + bool replied = false; + + if ((p && (p->flags & BR_PROXYARP)) || +- (f->dst && (f->dst->flags & BR_PROXYARP_WIFI)) || +- br_is_neigh_suppress_enabled(f->dst, vid)) { ++ (dst && (dst->flags & BR_PROXYARP_WIFI)) || ++ br_is_neigh_suppress_enabled(dst, vid)) { + if (!vid) + br_arp_send(br, p, skb->dev, sip, tip, + sha, n->ha, sha, 0, 0); +@@ -466,9 +467,10 @@ void br_do_suppress_nd(struct sk_buff *skb, struct net_bridge *br, + + f = br_fdb_find_rcu(br, n->ha, vid); + if (f) { ++ const struct net_bridge_port *dst = READ_ONCE(f->dst); + bool replied = false; + +- if (br_is_neigh_suppress_enabled(f->dst, vid)) { ++ if (br_is_neigh_suppress_enabled(dst, vid)) { + if (vid != 0) + br_nd_send(br, p, skb, n, + skb->vlan_proto, +diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c +index 83483ea12..53abd9d9a 100644 +--- a/net/bridge/br_fdb.c ++++ b/net/bridge/br_fdb.c +@@ -243,6 +243,7 @@ struct net_device *br_fdb_find_port(const struct net_device *br_dev, + const unsigned char *addr, + __u16 vid) + { ++ const struct net_bridge_port *dst; + struct net_bridge_fdb_entry *f; + struct net_device *dev = NULL; + struct net_bridge *br; +@@ -255,8 +256,11 @@ struct net_device *br_fdb_find_port(const struct net_device *br_dev, + br = netdev_priv(br_dev); + rcu_read_lock(); + f = br_fdb_find_rcu(br, addr, vid); +- if (f && f->dst) +- dev = f->dst->dev; ++ if (f) { ++ dst = READ_ONCE(f->dst); ++ if (dst) ++ dev = dst->dev; ++ } + rcu_read_unlock(); + + return dev; +@@ -353,7 +357,7 @@ static void fdb_delete_local(struct net_bridge *br, + vg = nbp_vlan_group(op); + if (op != p && ether_addr_equal(op->dev->dev_addr, addr) && + (!vid || br_vlan_find(vg, vid))) { +- f->dst = op; ++ WRITE_ONCE(f->dst, op); + clear_bit(BR_FDB_ADDED_BY_USER, &f->flags); + return; + } +@@ -364,7 +368,7 @@ static void fdb_delete_local(struct net_bridge *br, + /* Maybe bridge device has same hw addr? */ + if (p && ether_addr_equal(br->dev->dev_addr, addr) && + (!vid || (v && br_vlan_should_use(v)))) { +- f->dst = NULL; ++ WRITE_ONCE(f->dst, NULL); + clear_bit(BR_FDB_ADDED_BY_USER, &f->flags); + return; + } +@@ -827,6 +831,7 @@ int br_fdb_test_addr(struct net_device *dev, unsigned char *addr) + int br_fdb_fillbuf(struct net_bridge *br, void *buf, + unsigned long maxnum, unsigned long skip) + { ++ const struct net_bridge_port *dst; + struct net_bridge_fdb_entry *f; + struct __fdb_entry *fe = buf; + int num = 0; +@@ -842,7 +847,8 @@ int br_fdb_fillbuf(struct net_bridge *br, void *buf, + continue; + + /* ignore pseudo entry for local MAC address */ +- if (!f->dst) ++ dst = READ_ONCE(f->dst); ++ if (!dst) + continue; + + if (skip) { +@@ -854,8 +860,8 @@ int br_fdb_fillbuf(struct net_bridge *br, void *buf, + memcpy(fe->mac_addr, f->key.addr.addr, ETH_ALEN); + + /* due to ABI compat need to split into hi/lo */ +- fe->port_no = f->dst->port_no; +- fe->port_hi = f->dst->port_no >> 8; ++ fe->port_no = dst->port_no; ++ fe->port_hi = dst->port_no >> 8; + + fe->is_local = test_bit(BR_FDB_LOCAL, &f->flags); + if (!test_bit(BR_FDB_STATIC, &f->flags)) +@@ -977,9 +983,11 @@ int br_fdb_dump(struct sk_buff *skb, + + rcu_read_lock(); + hlist_for_each_entry_rcu(f, &br->fdb_list, fdb_node) { ++ const struct net_bridge_port *dst = READ_ONCE(f->dst); ++ + if (*idx < cb->args[2]) + goto skip; +- if (filter_dev && (!f->dst || f->dst->dev != filter_dev)) { ++ if (filter_dev && (!dst || dst->dev != filter_dev)) { + if (filter_dev != dev) + goto skip; + /* !f->dst is a special case for bridge +@@ -987,10 +995,10 @@ int br_fdb_dump(struct sk_buff *skb, + * Therefore need a little more filtering + * we only want to dump the !f->dst case + */ +- if (f->dst) ++ if (dst) + goto skip; + } +- if (!filter_dev && f->dst) ++ if (!filter_dev && dst) + goto skip; + + err = fdb_fill_info(skb, br, f, diff --git a/SOURCES/1766-rtmutex-use-waiter-task-instead-of-current-in-remove-waiter.patch b/SOURCES/1766-rtmutex-use-waiter-task-instead-of-current-in-remove-waiter.patch new file mode 100644 index 000000000..5ca391956 --- /dev/null +++ b/SOURCES/1766-rtmutex-use-waiter-task-instead-of-current-in-remove-waiter.patch @@ -0,0 +1,91 @@ +From 4e5a31ae1fa995362e4a828f36369ea3e7b44cc1 Mon Sep 17 00:00:00 2001 +From: Waiman Long +Date: Tue, 28 Apr 2026 21:48:18 -0400 +Subject: [PATCH] rtmutex: Use waiter::task instead of current in + remove_waiter() + +JIRA: https://redhat.atlassian.net/browse/RHEL-171802 + +commit 3bfdc63936dd4773109b7b8c280c0f3b5ae7d349 +Author: Keenan Dong +Date: Wed, 8 Apr 2026 16:46:00 +0800 + + rtmutex: Use waiter::task instead of current in remove_waiter() + + remove_waiter() is used by the slowlock paths, but it is also used for + proxy-lock rollback in rt_mutex_start_proxy_lock() when invoked from + futex_requeue(). + + In the latter case waiter::task is not current, but remove_waiter() + operates on current for the dequeue operation. That results in several + problems: + + 1) the rbtree dequeue happens without waiter::task::pi_lock being held + + 2) the waiter task's pi_blocked_on state is not cleared, which leaves a + dangling pointer primed for UAF around. + + 3) rt_mutex_adjust_prio_chain() operates on the wrong top priority waiter + task + + Use waiter::task instead of current in all related operations in + remove_waiter() to cure those problems. + + [ tglx: Fixup rt_mutex_adjust_prio_chain(), add a comment and amend the + changelog ] + + Fixes: 8161239a8bcc ("rtmutex: Simplify PI algorithm and make highest prio task get lock") + Reported-by: Yuan Tan + Reported-by: Yifan Wu + Reported-by: Juefei Pu + Reported-by: Xin Liu + Signed-off-by: Keenan Dong + Signed-off-by: Thomas Gleixner + Cc: stable@vger.kernel.org + +Signed-off-by: Waiman Long + +diff --git a/kernel/locking/rtmutex.c b/kernel/locking/rtmutex.c +index 1eb4f949909c..e881d9548030 100644 +--- a/kernel/locking/rtmutex.c ++++ b/kernel/locking/rtmutex.c +@@ -1534,20 +1534,23 @@ static bool rtmutex_spin_on_owner(struct rt_mutex_base *lock, + * + * Must be called with lock->wait_lock held and interrupts disabled. It must + * have just failed to try_to_take_rt_mutex(). ++ * ++ * When invoked from rt_mutex_start_proxy_lock() waiter::task != current ! + */ + static void __sched remove_waiter(struct rt_mutex_base *lock, + struct rt_mutex_waiter *waiter) + { + bool is_top_waiter = (waiter == rt_mutex_top_waiter(lock)); + struct task_struct *owner = rt_mutex_owner(lock); ++ struct task_struct *waiter_task = waiter->task; + struct rt_mutex_base *next_lock; + + lockdep_assert_held(&lock->wait_lock); + +- raw_spin_lock(¤t->pi_lock); +- rt_mutex_dequeue(lock, waiter); +- current->pi_blocked_on = NULL; +- raw_spin_unlock(¤t->pi_lock); ++ scoped_guard(raw_spinlock, &waiter_task->pi_lock) { ++ rt_mutex_dequeue(lock, waiter); ++ waiter_task->pi_blocked_on = NULL; ++ } + + /* + * Only update priority if the waiter was the highest priority +@@ -1583,7 +1586,7 @@ static void __sched remove_waiter(struct rt_mutex_base *lock, + raw_spin_unlock_irq(&lock->wait_lock); + + rt_mutex_adjust_prio_chain(owner, RT_MUTEX_MIN_CHAINWALK, lock, +- next_lock, NULL, current); ++ next_lock, NULL, waiter_task); + + raw_spin_lock_irq(&lock->wait_lock); + } +-- +2.50.1 (Apple Git-155) + diff --git a/SOURCES/1767-futex-requeue-prevent-null-pointer-dereference-in-remove-waiter.patch b/SOURCES/1767-futex-requeue-prevent-null-pointer-dereference-in-remove-waiter.patch new file mode 100644 index 000000000..c8d3af944 --- /dev/null +++ b/SOURCES/1767-futex-requeue-prevent-null-pointer-dereference-in-remove-waiter.patch @@ -0,0 +1,42 @@ +From 74e144274af39935b0f410c0ee4d2b91c3730414 Mon Sep 17 00:00:00 2001 +From: Ji'an Zhou +Date: Tue, 2 Jun 2026 09:12:04 +0000 +Subject: [PATCH] futex/requeue: Prevent NULL pointer dereference in + remove_waiter() on self-deadlock + +When FUTEX_CMP_REQUEUE_PI requeues a non-top waiter that already owns the +target PI futex, task_blocks_on_rt_mutex() returns -EDEADLK before setting +waiter->task. + +The subsequent remove_waiter() in rt_mutex_start_proxy_lock() dereferences +the NULL waiter->task, causing a kernel crash. + +Add a self-deadlock check for non-top waiters before calling +rt_mutex_start_proxy_lock(), analogous to the top-waiter check in +futex_lock_pi_atomic(). + +Fixes: 3bfdc63936dd4773109b7b8c280c0f3b5ae7d349 ("rtmutex: Use waiter::task instead of current in remove_waiter()") +Signed-off-by: Ji'an Zhou +Signed-off-by: Thomas Gleixner +Cc: stable@vger.kernel.org + +diff --git a/kernel/futex/requeue.c b/kernel/futex/requeue.c +index b597cb3d17fc..1d99a84dc9ad 100644 +--- a/kernel/futex/requeue.c ++++ b/kernel/futex/requeue.c +@@ -643,6 +643,12 @@ int futex_requeue(u32 __user *uaddr1, unsigned int flags1, + continue; + } + ++ /* Self-deadlock: non-top waiter already owns the PI futex. */ ++ if (rt_mutex_owner(&pi_state->pi_mutex) == this->task) { ++ ret = -EDEADLK; ++ break; ++ } ++ + ret = rt_mutex_start_proxy_lock(&pi_state->pi_mutex, + this->rt_waiter, + this->task); +-- +2.50.1 (Apple Git-155) + diff --git a/SOURCES/1757-rtmutex-skip-remove-waiter-when-not-enqueued.patch b/SOURCES/1768-locking-rtmutex-skip-remove-waiter-when-waiter-is-not-enqueued.patch similarity index 73% rename from SOURCES/1757-rtmutex-skip-remove-waiter-when-not-enqueued.patch rename to SOURCES/1768-locking-rtmutex-skip-remove-waiter-when-waiter-is-not-enqueued.patch index 9959b05ad..5f8a34337 100644 --- a/SOURCES/1757-rtmutex-skip-remove-waiter-when-not-enqueued.patch +++ b/SOURCES/1768-locking-rtmutex-skip-remove-waiter-when-waiter-is-not-enqueued.patch @@ -32,24 +32,11 @@ Cc: stable@vger.kernel.org Closes: https://lore.kernel.org/all/69f114ac.050a0220.ac8b.0003.GAE@google.com/ Link: https://patch.msgid.link/20260507112913.1019537-1-dave@stgolabs.net -[ AlmaLinux: adapted to a9 (5.14.0-687.5.1.el9_8). No change vs upstream - commit 40a25d59e85b. Both hunks apply cleanly: kernel/locking/rtmutex.c - remove_waiter() (the waiter_task local comes from the earlier - "rtmutex: Use waiter::task ..." patch) and kernel/locking/rtmutex_api.c - rt_mutex_start_proxy_lock(). The "ret < 0" tightening is meaningful in this - tree: __rt_mutex_start_proxy_lock() returns 1 on try_to_take_rt_mutex() - success, so the prior "if (unlikely(ret))" wrongly invoked remove_waiter() - after acquiring the lock. ] ---- - kernel/locking/rtmutex.c | 3 +++ - kernel/locking/rtmutex_api.c | 2 +- - 2 files changed, 4 insertions(+), 1 deletion(-) - diff --git a/kernel/locking/rtmutex.c b/kernel/locking/rtmutex.c -index e881d9548..1cecc1092 100644 +index 4f386ea6c792..daeeeef973e2 100644 --- a/kernel/locking/rtmutex.c +++ b/kernel/locking/rtmutex.c -@@ -1547,6 +1547,9 @@ static void __sched remove_waiter(struct rt_mutex_base *lock, +@@ -1558,6 +1558,9 @@ static void __sched remove_waiter(struct rt_mutex_base *lock, lockdep_assert_held(&lock->wait_lock); @@ -60,10 +47,10 @@ index e881d9548..1cecc1092 100644 rt_mutex_dequeue(lock, waiter); waiter_task->pi_blocked_on = NULL; diff --git a/kernel/locking/rtmutex_api.c b/kernel/locking/rtmutex_api.c -index 6614ccdc1..341a540f6 100644 +index 124219aea46e..514fce7a4e0a 100644 --- a/kernel/locking/rtmutex_api.c +++ b/kernel/locking/rtmutex_api.c -@@ -347,7 +347,7 @@ int __sched rt_mutex_start_proxy_lock(struct rt_mutex_base *lock, +@@ -365,7 +365,7 @@ int __sched rt_mutex_start_proxy_lock(struct rt_mutex_base *lock, raw_spin_lock_irq(&lock->wait_lock); ret = __rt_mutex_start_proxy_lock(lock, waiter, task, &wake_q); @@ -73,5 +60,5 @@ index 6614ccdc1..341a540f6 100644 preempt_disable(); raw_spin_unlock_irq(&lock->wait_lock); -- -2.43.7 +2.50.1 (Apple Git-155) diff --git a/SOURCES/1769-futex-requeue-revert-prevent-null-pointer-dereference.patch b/SOURCES/1769-futex-requeue-revert-prevent-null-pointer-dereference.patch new file mode 100644 index 000000000..1aeddd19c --- /dev/null +++ b/SOURCES/1769-futex-requeue-revert-prevent-null-pointer-dereference.patch @@ -0,0 +1,48 @@ +From 39def6d250d370298f86c116f4ac60093cefadaa Mon Sep 17 00:00:00 2001 +From: Sebastian Andrzej Siewior +Date: Wed, 1 Jul 2026 15:11:50 +0200 +Subject: [PATCH] futex/requeue: Revert "Prevent NULL pointer dereference in + remove_waiter() on self-deadlock"" + +The commit cited below should not have been merged. It attemted to fix an +existing problem ansd thereby introduced new problems by keeping the +pi_state in state Q_REQUEUE_PI_IN_PROGRESS and leaking it. + +Based on the commit description the intention was to handle the case +when task_blocks_on_rt_mutex() returns -EDEADLK and the following +remove_waiter() dereferences the NULL pointer in waiter->task. + +That is already handled by Davidlohr in commit 40a25d59e85b3 +("locking/rtmutex: Skip remove_waiter() when waiter is not enqueued") and +requires no further acting. + +Revert the commit breaking the "waiter == owner" case again. + +Fixes: 74e144274af39 ("futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock") +Reported-by: Michael Bommarito +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20260701131150.0Ijhq4Dw@linutronix.de +Closes: https://lore.kernel.org/all/20260629020049.2082397-1-michael.bommarito@gmail.com + +diff --git a/kernel/futex/requeue.c b/kernel/futex/requeue.c +index 7384672916fb..79823ad13683 100644 +--- a/kernel/futex/requeue.c ++++ b/kernel/futex/requeue.c +@@ -645,12 +645,6 @@ int futex_requeue(u32 __user *uaddr1, unsigned int flags1, + continue; + } + +- /* Self-deadlock: non-top waiter already owns the PI futex. */ +- if (rt_mutex_owner(&pi_state->pi_mutex) == this->task) { +- ret = -EDEADLK; +- break; +- } +- + ret = rt_mutex_start_proxy_lock(&pi_state->pi_mutex, + this->rt_waiter, + this->task); +-- +2.50.1 (Apple Git-155) + diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec index 7c9cc471f..fde5a933a 100644 --- a/SPECS/kernel.spec +++ b/SPECS/kernel.spec @@ -176,13 +176,13 @@ Summary: The Linux kernel # define buildid .local %define specversion 5.14.0 %define patchversion 5.14 -%define pkgrelease 687.24.1 +%define pkgrelease 687.25.1 %define kversion 5 %define tarfile_release 5.14.0-687.5.1.el9_8 # This is needed to do merge window version magic %define patchlevel 14 # This allows pkg_release to have configurable %%{?dist} tag -%define specrelease 687.24.1%{?buildid}%{?dist} +%define specrelease 687.25.1%{?buildid}%{?dist} # This defines the kabi tarball version %define kabiversion 5.14.0-687.5.1.el9_8 @@ -1626,11 +1626,18 @@ Patch1752: 1752-eventpoll-drop-dead-bool-return-from-ep-remove-epi.patch Patch1753: 1753-eventpoll-drop-vestigial-epi-dying-flag.patch Patch1754: 1754-eventpoll-fix-integer-overflow-in-ep-loop-check-proc.patch Patch1755: 1755-eventpoll-refresh-epi-fget-ep-remove-file-comments.patch -Patch1756: 1756-rtmutex-use-waiter-task-in-remove-waiter.patch -Patch1757: 1757-rtmutex-skip-remove-waiter-when-not-enqueued.patch Patch1758: 1758-net-sched-ets-always-remove-class-from-active-list-before-deleting.patch Patch1759: 1759-kvm-x86-fix-shadow-paging-use-after-free-due-to-unexpected-gfn.patch Patch1760: 1760-kvm-x86-fix-shadow-paging-use-after-free-due-to-unexpected-role.patch +Patch1761: 1761-crypto-ccp-copy-iv-using-skcipher-ivsize.patch +Patch1762: 1762-net-fix-memory-leak-in-skb-segment-list-for-gro-packets.patch +Patch1763: 1763-kallsyms-clean-up-modname-and-modbuildid-initialization.patch +Patch1764: 1764-kallsyms-bpf-rename-bpf-address-lookup.patch +Patch1765: 1765-net-bridge-use-a-stable-fdb-dst-snapshot-in-rcu-readers.patch +Patch1766: 1766-rtmutex-use-waiter-task-instead-of-current-in-remove-waiter.patch +Patch1767: 1767-futex-requeue-prevent-null-pointer-dereference-in-remove-waiter.patch +Patch1768: 1768-locking-rtmutex-skip-remove-waiter-when-waiter-is-not-enqueued.patch +Patch1769: 1769-futex-requeue-revert-prevent-null-pointer-dereference.patch # END OF PATCH DEFINITIONS %description @@ -3024,11 +3031,18 @@ ApplyPatch 1752-eventpoll-drop-dead-bool-return-from-ep-remove-epi.patch ApplyPatch 1753-eventpoll-drop-vestigial-epi-dying-flag.patch ApplyPatch 1754-eventpoll-fix-integer-overflow-in-ep-loop-check-proc.patch ApplyPatch 1755-eventpoll-refresh-epi-fget-ep-remove-file-comments.patch -ApplyPatch 1756-rtmutex-use-waiter-task-in-remove-waiter.patch -ApplyPatch 1757-rtmutex-skip-remove-waiter-when-not-enqueued.patch ApplyPatch 1758-net-sched-ets-always-remove-class-from-active-list-before-deleting.patch ApplyPatch 1759-kvm-x86-fix-shadow-paging-use-after-free-due-to-unexpected-gfn.patch ApplyPatch 1760-kvm-x86-fix-shadow-paging-use-after-free-due-to-unexpected-role.patch +ApplyPatch 1761-crypto-ccp-copy-iv-using-skcipher-ivsize.patch +ApplyPatch 1762-net-fix-memory-leak-in-skb-segment-list-for-gro-packets.patch +ApplyPatch 1763-kallsyms-clean-up-modname-and-modbuildid-initialization.patch +ApplyPatch 1764-kallsyms-bpf-rename-bpf-address-lookup.patch +ApplyPatch 1765-net-bridge-use-a-stable-fdb-dst-snapshot-in-rcu-readers.patch +ApplyPatch 1766-rtmutex-use-waiter-task-instead-of-current-in-remove-waiter.patch +ApplyPatch 1767-futex-requeue-prevent-null-pointer-dereference-in-remove-waiter.patch +ApplyPatch 1768-locking-rtmutex-skip-remove-waiter-when-waiter-is-not-enqueued.patch +ApplyPatch 1769-futex-requeue-revert-prevent-null-pointer-dereference.patch # END OF PATCH APPLICATIONS # Any further pre-build tree manipulations happen here. @@ -5103,6 +5117,23 @@ fi # # %changelog +* Mon Jul 13 2026 Andrew Lukoshko - 5.14.0-687.25.1 +- Recreate RHEL 5.14.0-687.25.1 from CentOS Stream 9 and upstream stable backports (1761-1769) +- The AlmaLinux ahead-of-RHEL rtmutex remove_waiter() fixes for CVE-2026-43499 + (1756, 1757) are superseded by RHEL's copies and dropped +- RHEL changelog for 687.25.1 follows: + +* Thu Jul 09 2026 CKI KWF Bot [5.14.0-687.25.1.el9_8] +- futex/requeue: Revert "Prevent NULL pointer dereference in remove_waiter() on self-deadlock"" (Phil Auld) [RHEL-193245] {CVE-2026-53166} +- locking/rtmutex: Skip remove_waiter() when waiter is not enqueued (Phil Auld) [RHEL-193245] {CVE-2026-53166} +- futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock (Phil Auld) [RHEL-193151] {CVE-2026-43499} +- rtmutex: Use waiter::task instead of current in remove_waiter() (Phil Auld) [RHEL-193151] {CVE-2026-43499} +- net: bridge: use a stable FDB dst snapshot in RCU readers (Mohammad Heib) [RHEL-179330] {CVE-2026-46086} +- kallsyms/bpf: rename __bpf_address_lookup() to bpf_address_lookup() (Anubhav Shelat) [RHEL-183236] +- kallsyms: clean up modname and modbuildid initialization in kallsyms_lookup_buildid() (Anubhav Shelat) [RHEL-183236] +- net: fix memory leak in skb_segment_list for GRO packets (CKI Backport Bot) [RHEL-189959] {CVE-2026-22979} +- crypto: ccp - copy IV using skcipher ivsize (CKI Backport Bot) [RHEL-188459] {CVE-2026-53016} + * Thu Jul 09 2026 Andrew Lukoshko - 5.14.0-687.24.1 - Recreate RHEL 5.14.0-687.24.1 from upstream stable backports (1758-1760) - The AlmaLinux ahead-of-RHEL KVM x86 shadow paging fixes (1710, 1711) are