From 66a31f23e04ed2895f106f7ef92b301cb54607c2 Mon Sep 17 00:00:00 2001
From: Andrew Lukoshko
Date: Fri, 26 Jun 2026 14:48:55 +0000
Subject: [PATCH] Recreate RHEL 6.12.0-211.28.1 from CS10/upstream backports
---
...kb2-cb-in-ip6-err-gen-icmpv6-unreach.patch | 63 ++++
1376-rdma-mana-validate-rx-hash-key-len.patch | 36 ++
...en-icreq-handling-and-queue-teardown.patch | 107 ++++++
...sponse-authenticator-parser-oob-read.patch | 81 +++++
...list-corruption-by-removing-work-lis.patch | 208 ++++++++++++
...iggerable-warn-on-in-mana-ib-create-.patch | 40 +++
...xx-completely-fix-fcport-double-free.patch | 42 +++
...tential-race-in-tcp-v6-syn-recv-sock.patch | 307 ++++++++++++++++++
...l-only-hotfix-for-execmem-regression.patch | 131 ++++++++
kernel.spec | 40 ++-
10 files changed, 1053 insertions(+), 2 deletions(-)
create mode 100644 1375-ipv6-icmp-clear-skb2-cb-in-ip6-err-gen-icmpv6-unreach.patch
create mode 100644 1376-rdma-mana-validate-rx-hash-key-len.patch
create mode 100644 1377-nvmet-tcp-fix-race-between-icreq-handling-and-queue-teardown.patch
create mode 100644 1378-rxrpc-fix-response-authenticator-parser-oob-read.patch
create mode 100644 1379-rdma-iwcm-fix-workqueue-list-corruption-by-removing-work-lis.patch
create mode 100644 1380-rdma-mana-remove-user-triggerable-warn-on-in-mana-ib-create-.patch
create mode 100644 1381-scsi-qla2xxx-completely-fix-fcport-double-free.patch
create mode 100644 1382-tcp-fix-potential-race-in-tcp-v6-syn-recv-sock.patch
create mode 100644 1383-selinux-rhel-only-hotfix-for-execmem-regression.patch
diff --git a/1375-ipv6-icmp-clear-skb2-cb-in-ip6-err-gen-icmpv6-unreach.patch b/1375-ipv6-icmp-clear-skb2-cb-in-ip6-err-gen-icmpv6-unreach.patch
new file mode 100644
index 000000000..c2b0f3e18
--- /dev/null
+++ b/1375-ipv6-icmp-clear-skb2-cb-in-ip6-err-gen-icmpv6-unreach.patch
@@ -0,0 +1,63 @@
+From e41953e7d118e2702bcb217879c173d9d1d3cd4e Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Thu, 26 Mar 2026 20:26:08 +0000
+Subject: [PATCH] ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()
+
+[ Upstream commit 86ab3e55673a7a49a841838776f1ab18d23a67b5 ]
+
+Sashiko AI-review observed:
+
+ In ip6_err_gen_icmpv6_unreach(), the skb is an outer IPv4 ICMP error packet
+ where its cb contains an IPv4 inet_skb_parm. When skb is cloned into skb2
+ and passed to icmp6_send(), it uses IP6CB(skb2).
+
+ IP6CB interprets the IPv4 inet_skb_parm as an inet6_skb_parm. The cipso
+ offset in inet_skb_parm.opt directly overlaps with dsthao in inet6_skb_parm
+ at offset 18.
+
+ If an attacker sends a forged ICMPv4 error with a CIPSO IP option, dsthao
+ would be a non-zero offset. Inside icmp6_send(), mip6_addr_swap() is called
+ and uses ipv6_find_tlv(skb, opt->dsthao, IPV6_TLV_HAO).
+
+ This would scan the inner, attacker-controlled IPv6 packet starting at that
+ offset, potentially returning a fake TLV without checking if the remaining
+ packet length can hold the full 18-byte struct ipv6_destopt_hao.
+
+ Could mip6_addr_swap() then perform a 16-byte swap that extends past the end
+ of the packet data into skb_shared_info?
+
+ Should the cb array also be cleared in ip6_err_gen_icmpv6_unreach() and
+ ip6ip6_err() to prevent this?
+
+This patch implements the first suggestion.
+
+I am not sure if ip6ip6_err() needs to be changed.
+A separate patch would be better anyway.
+
+Fixes: ca15a078bd90 ("sit: generate icmpv6 error when receiving icmpv4 error")
+Reported-by: Ido Schimmel
+Closes: https://sashiko.dev/#/patchset/20260326155138.2429480-1-edumazet%40google.com
+Signed-off-by: Eric Dumazet
+Cc: Oskar Kjos
+Reviewed-by: Ido Schimmel
+Link: https://patch.msgid.link/20260326202608.2976021-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+
+diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
+index e43b49f1ddbb..387400829b20 100644
+--- a/net/ipv6/icmp.c
++++ b/net/ipv6/icmp.c
+@@ -681,6 +681,9 @@ int ip6_err_gen_icmpv6_unreach(struct sk_buff *skb, int nhs, int type,
+ if (!skb2)
+ return 1;
+
++ /* Remove debris left by IPv4 stack. */
++ memset(IP6CB(skb2), 0, sizeof(*IP6CB(skb2)));
++
+ skb_dst_drop(skb2);
+ skb_pull(skb2, nhs);
+ skb_reset_network_header(skb2);
+--
+2.50.1 (Apple Git-155)
+
diff --git a/1376-rdma-mana-validate-rx-hash-key-len.patch b/1376-rdma-mana-validate-rx-hash-key-len.patch
new file mode 100644
index 000000000..3767362ae
--- /dev/null
+++ b/1376-rdma-mana-validate-rx-hash-key-len.patch
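Review bot: The new memset zeroes the whole IP6CB(skb2) before skb2 reaches icmp6_send(), which is the right scope, but the one-line comment `/* Remove debris left by IPv4 stack. */` does not say why it matters; a reader of icmp.c alone cannot see the inet_skb_parm/inet6_skb_parm overlap described in the commit message. I would extend it to `/* skb2 still carries the IPv4 inet_skb_parm; IP6CB() would read it as an inet6_skb_parm (the cipso offset aliases dsthao), so clear it before icmp6_send() */`. The message explicitly leaves the analogous ip6ip6_err() path for a separate patch, so this backport set addresses only half of the report as written; worth tracking. The rest of ip6_err_gen_icmpv6_unreach() is outside the hunk.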
@@ -0,0 +1,36 @@
+From 11c1431d641e0e4e0529e96957995820600c7287 Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe
+Date: Tue, 28 Apr 2026 13:17:37 -0300
+Subject: [PATCH] RDMA/mana: Validate rx_hash_key_len
+
+commit 6dd2d4ad9c8429523b1c220c5132bd551c006425 upstream.
+
+Sashiko points out that rx_hash_key_len comes from a uAPI structure and is
+blindly passed to memcpy, allowing the userspace to trash kernel
+memory. Bounds check it so the memcpy cannot overflow.
+
+Cc: stable@vger.kernel.org
+Fixes: 0266a177631d ("RDMA/mana_ib: Add a driver for Microsoft Azure Network Adapter")
+Link: https://sashiko.dev/#/patchset/0-v2-1c49eeb88c48%2B91-rdma_udata_rep_jgg%40nvidia.com?part=1
+Link: https://patch.msgid.link/r/4-v1-41f3135e5565+9d2-rdma_ai_fixes1_jgg@nvidia.com
+Reviewed-by: Long Li
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+
+diff --git a/drivers/infiniband/hw/mana/qp.c b/drivers/infiniband/hw/mana/qp.c
+index 2741eec6f26f..f3394ded785c 100644
+--- a/drivers/infiniband/hw/mana/qp.c
++++ b/drivers/infiniband/hw/mana/qp.c
+@@ -21,6 +21,9 @@ static int mana_ib_cfg_vport_steering(struct mana_ib_dev *dev,
+
+ gc = mdev_to_gc(dev);
+
++ if (rx_hash_key_len > sizeof(req->hashkey))
++ return -EINVAL;
++
+ req_buf_size = struct_size(req, indir_tab, MANA_INDIRECT_TABLE_DEF_SIZE);
+ req = kzalloc(req_buf_size, GFP_KERNEL);
+ if (!req)
+--
+2.50.1 (Apple Git-155)
+
diff --git a/1377-nvmet-tcp-fix-race-between-icreq-handling-and-queue-teardown.patch b/1377-nvmet-tcp-fix-race-between-icreq-handling-and-queue-teardown.patch
new file mode 100644
index 000000000..b9e29e1b8
--- /dev/null
+++ b/1377-nvmet-tcp-fix-race-between-icreq-handling-and-queue-teardown.patch
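Review bot: The bounds check `if (rx_hash_key_len > sizeof(req->hashkey))` runs before `req` is allocated, which is correct only because sizeof does not evaluate its operand; a short comment should say so, otherwise a future reorder that touches `req` here dereferences NULL. I would write `/* rx_hash_key_len is user-supplied (uAPI); bound it before the memcpy into req->hashkey. sizeof is unevaluated, req is not allocated yet. */`. The check accepts any shorter key, including zero; whether the hardware requires a fixed-size hash key is not visible here, and the memcpy being protected is outside the hunk. mana_ib_cfg_vport_steering() starts and ends outside the hunk.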
@@ -0,0 +1,107 @@
+From 57d67f7ed0069067f1452835c7ec175e2a7f7631 Mon Sep 17 00:00:00 2001
+From: CKI Backport Bot
+Date: Thu, 28 May 2026 17:25:12 +0000
+Subject: [PATCH] nvmet-tcp: fix race between ICReq handling and queue teardown
+
+JIRA: https://redhat.atlassian.net/browse/RHEL-180107
+CVE: CVE-2026-46135
+Backported from tree(s): linux
+
+commit 5293a8882c549fab4a878bc76b0b6c951f980a61
+Author: Chaitanya Kulkarni
+Date: Wed Apr 8 00:51:31 2026 -0700
+
+ nvmet-tcp: fix race between ICReq handling and queue teardown
+
+ nvmet_tcp_handle_icreq() updates queue->state after sending an
+ Initialization Connection Response (ICResp), but it does so without
+ serializing against target-side queue teardown.
+
+ If an NVMe/TCP host sends an Initialization Connection Request
+ (ICReq) and immediately closes the connection, target-side teardown
+ may start in softirq context before io_work drains the already
+ buffered ICReq. In that case, nvmet_tcp_schedule_release_queue()
+ sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue
+ reference under state_lock.
+
+ If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can
+ still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the
+ DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and
+ allows a later socket state change to re-enter teardown and issue a
+ second kref_put() on an already released queue.
+
+ The ICResp send failure path has the same problem. If teardown has
+ already moved the queue to DISCONNECTING, a send error can still
+ overwrite the state with NVMET_TCP_Q_FAILED, again reopening the
+ window for a second teardown path to drop the queue reference.
+
+ Fix this by serializing both post-send state transitions with
+ state_lock and bailing out if teardown has already started.
+
+ Use -ESHUTDOWN as an internal sentinel for that bail-out path rather
+ than propagating it as a transport error like -ECONNRESET. Keep
+ nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before
+ honoring that sentinel so receive-side parsing stays quiesced until the
+ existing release path completes.
+
+ Fixes: c46a6465bac2 ("nvmet-tcp: add NVMe over TCP target driver")
+ Cc: stable@vger.kernel.org
+ Reported-by: Shivam Kumar
+ Tested-by: Shivam Kumar
+ Signed-off-by: Chaitanya Kulkarni
+ Signed-off-by: Keith Busch
+
+Signed-off-by: CKI Backport Bot
+
+diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c
+index 63ffbb853351..0442cb7d2b56 100644
+--- a/drivers/nvme/target/tcp.c
++++ b/drivers/nvme/target/tcp.c
+@@ -407,6 +407,19 @@ static void nvmet_tcp_fatal_error(struct nvmet_tcp_queue *queue)
+
+ static void nvmet_tcp_socket_error(struct nvmet_tcp_queue *queue, int status)
+ {
++ /*
++ * Keep rcv_state at RECV_ERR even for the internal -ESHUTDOWN path.
++ * nvmet_tcp_handle_icreq() can return -ESHUTDOWN after the ICReq has
++ * already been consumed and queue teardown has started.
++ *
++ * If nvmet_tcp_data_ready() or nvmet_tcp_write_space() queues
++ * nvmet_tcp_io_work() again before nvmet_tcp_release_queue_work()
++ * cancels it, the queue must not keep that old receive state.
++ * Otherwise the next nvmet_tcp_io_work() run can reach
++ * nvmet_tcp_done_recv_pdu() and try to handle the same ICReq again.
++ *
++ * That is why queue->rcv_state needs to be updated before we return.
++ */
+ queue->rcv_state = NVMET_TCP_RECV_ERR;
+ if (status == -EPIPE || status == -ECONNRESET)
+ kernel_sock_shutdown(queue->sock, SHUT_RDWR);
+@@ -923,11 +936,24 @@ static int nvmet_tcp_handle_icreq(struct nvmet_tcp_queue *queue)
+ iov.iov_len = sizeof(*icresp);
+ ret = kernel_sendmsg(queue->sock, &msg, &iov, 1, iov.iov_len);
+ if (ret < 0) {
++ spin_lock_bh(&queue->state_lock);
++ if (queue->state == NVMET_TCP_Q_DISCONNECTING) {
++ spin_unlock_bh(&queue->state_lock);
++ return -ESHUTDOWN;
++ }
+ queue->state = NVMET_TCP_Q_FAILED;
++ spin_unlock_bh(&queue->state_lock);
+ return ret; /* queue removal will cleanup */
+ }
+
++ spin_lock_bh(&queue->state_lock);
++ if (queue->state == NVMET_TCP_Q_DISCONNECTING) {
++ spin_unlock_bh(&queue->state_lock);
++ /* Tell nvmet_tcp_socket_error() teardown is in progress. */
++ return -ESHUTDOWN;
++ }
+ queue->state = NVMET_TCP_Q_LIVE;
++ spin_unlock_bh(&queue->state_lock);
+ nvmet_prepare_receive_pdu(queue);
+ return 0;
+ }
+--
+2.50.1 (Apple Git-155)
+
diff --git a/1378-rxrpc-fix-response-authenticator-parser-oob-read.patch b/1378-rxrpc-fix-response-authenticator-parser-oob-read.patch
new file mode 100644
index 000000000..0bb434f00
--- /dev/null
+++ b/1378-rxrpc-fix-response-authenticator-parser-oob-read.patch
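Review bot: The send-failure path in nvmet_tcp_handle_icreq() returns `-ESHUTDOWN` without the explanatory comment the success path carries, although it relies on the same convention that nvmet_tcp_socket_error() treats the value as an internal sentinel rather than a transport error. Mirror it with `/* Teardown already owns the queue; tell nvmet_tcp_socket_error() */` above the first `return -ESHUTDOWN;`, or factor the two locked state transitions into one small helper that takes the new state and reports whether DISCONNECTING was observed, so the check cannot drift between the paths. On that path the real kernel_sendmsg() error in `ret` is discarded; that reads as intentional because the release path owns the queue, but a word in the comment would make it explicit. Whether every caller of nvmet_tcp_handle_icreq() routes a negative return through nvmet_tcp_socket_error() is outside the hunk.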
@@ -0,0 +1,81 @@
+From 773433ec58bc8fd361d7c27607f00d18869322ab Mon Sep 17 00:00:00 2001
+From: CKI Backport Bot
+Date: Tue, 28 Apr 2026 11:53:43 +0000
+Subject: [PATCH] rxrpc: fix RESPONSE authenticator parser OOB read
+
+JIRA: https://redhat.atlassian.net/browse/RHEL-171457
+CVE: CVE-2026-31636
+
+commit 3e3138007887504ee9206d0bfb5acb062c600025
+Author: Keenan Dong
+Date: Wed Apr 8 13:12:40 2026 +0100
+
+ rxrpc: fix RESPONSE authenticator parser OOB read
+
+ rxgk_verify_authenticator() copies auth_len bytes into a temporary
+ buffer and then passes p + auth_len as the parser limit to
+ rxgk_do_verify_authenticator(). Since p is a __be32 *, that inflates the
+ parser end pointer by a factor of four and lets malformed RESPONSE
+ authenticators read past the kmalloc() buffer.
+
+ Decoded from the original latest-net reproduction logs with
+ scripts/decode_stacktrace.sh:
+
+ BUG: KASAN: slab-out-of-bounds in rxgk_verify_response()
+ Call Trace:
+ dump_stack_lvl() [lib/dump_stack.c:123]
+ print_report() [mm/kasan/report.c:379 mm/kasan/report.c:482]
+ kasan_report() [mm/kasan/report.c:597]
+ rxgk_verify_response()
+ [net/rxrpc/rxgk.c:1103 net/rxrpc/rxgk.c:1167
+ net/rxrpc/rxgk.c:1274]
+ rxrpc_process_connection()
+ [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364
+ net/rxrpc/conn_event.c:386]
+ process_one_work() [kernel/workqueue.c:3281]
+ worker_thread()
+ [kernel/workqueue.c:3353 kernel/workqueue.c:3440]
+ kthread() [kernel/kthread.c:436]
+ ret_from_fork() [arch/x86/kernel/process.c:164]
+
+ Allocated by task 54:
+ rxgk_verify_response()
+ [include/linux/slab.h:954 net/rxrpc/rxgk.c:1155
+ net/rxrpc/rxgk.c:1274]
+ rxrpc_process_connection()
+ [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364
+ net/rxrpc/conn_event.c:386]
+
+ Convert the byte count to __be32 units before constructing the parser
+ limit.
+
+ Fixes: 9d1d2b59341f ("rxrpc: rxgk: Implement the yfs-rxgk security class (GSSAPI)")
+ Signed-off-by: Keenan Dong
+ Signed-off-by: David Howells
+ cc: Marc Dionne
+ cc: Simon Horman
+ cc: Willy Tarreau
+ cc: linux-afs@lists.infradead.org
+ cc: stable@kernel.org
+ Link: https://patch.msgid.link/20260408121252.2249051-13-dhowells@redhat.com
+ Signed-off-by: Jakub Kicinski
+
+Signed-off-by: CKI Backport Bot
+
+diff --git a/net/rxrpc/rxgk.c b/net/rxrpc/rxgk.c
+index dce5a3d8a964..8d17b49e4f13 100644
+--- a/net/rxrpc/rxgk.c
++++ b/net/rxrpc/rxgk.c
+@@ -1164,7 +1164,8 @@ static int rxgk_verify_authenticator(struct rxrpc_connection *conn,
+ }
+
+ p = auth;
+- ret = rxgk_do_verify_authenticator(conn, krb5, skb, p, p + auth_len);
++ ret = rxgk_do_verify_authenticator(conn, krb5, skb, p,
++ p + auth_len / sizeof(*p));
+ error:
+ kfree(auth);
+ return ret;
+--
+2.50.1 (Apple Git-155)
+
diff --git a/1379-rdma-iwcm-fix-workqueue-list-corruption-by-removing-work-lis.patch b/1379-rdma-iwcm-fix-workqueue-list-corruption-by-removing-work-lis.patch
new file mode 100644
index 000000000..1e5f4f725
--- /dev/null
+++ b/1379-rdma-iwcm-fix-workqueue-list-corruption-by-removing-work-lis.patch
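Review bot: `p + auth_len / sizeof(*p)` removes the four-fold overrun, but the integer division silently drops any trailing bytes when auth_len is not a multiple of sizeof(__be32), and nothing in the hunk shows auth_len being checked for alignment; shrinking the bound is the safe direction, yet it deserves a comment so nobody "simplifies" it back. Suggested: `/* auth_len is in bytes and p is __be32 *; scale the limit (a trailing partial word is excluded) */` above the call. If rxgk_do_verify_authenticator() must see every byte, an alignment check belongs where auth_len is read, which is outside this hunk, as is the kmalloc() of `auth`.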
@@ -0,0 +1,208 @@
+From e14687fd732e40bafca7fc88be4be89a80e96d5e Mon Sep 17 00:00:00 2001
+From: Kamal Heib
+Date: Tue, 7 Apr 2026 21:43:30 -0400
+Subject: [PATCH] RDMA/iwcm: Fix workqueue list corruption by removing
+ work_list
+
+JIRA: https://redhat.atlassian.net/browse/RHEL-163515
+
+commit 7874eeacfa42177565c01d5198726671acf7adf2
+Author: Jacob Moroni
+Date: Mon Jan 12 02:00:06 2026 +0000
+
+ RDMA/iwcm: Fix workqueue list corruption by removing work_list
+
+ The commit e1168f0 ("RDMA/iwcm: Simplify cm_event_handler()")
+ changed the work submission logic to unconditionally call
+ queue_work() with the expectation that queue_work() would
+ have no effect if work was already pending. The problem is
+ that a free list of struct iwcm_work is used (for which
+ struct work_struct is embedded), so each call to queue_work()
+ is basically unique and therefore does indeed queue the work.
+
+ This causes a problem in the work handler which walks the work_list
+ until it's empty to process entries. This means that a single
+ run of the work handler could process item N+1 and release it
+ back to the free list while the actual workqueue entry is still
+ queued. It could then get reused (INIT_WORK...) and lead to
+ list corruption in the workqueue logic.
+
+ Fix this by just removing the work_list. The workqueue already
+ does this for us.
+
+ This fixes the following error that was observed when stress
+ testing with ucmatose on an Intel E830 in iWARP mode:
+
+ [ 151.465780] list_del corruption. next->prev should be ffff9f0915c69c08, but was ffff9f0a1116be08. (next=ffff9f0a15b11c08)
+ [ 151.466639] ------------[ cut here ]------------
+ [ 151.466986] kernel BUG at lib/list_debug.c:67!
+ [ 151.467349] Oops: invalid opcode: 0000 [#1] SMP NOPTI
+ [ 151.467753] CPU: 14 UID: 0 PID: 2306 Comm: kworker/u64:18 Not tainted 6.19.0-rc4+ #1 PREEMPT(voluntary)
+ [ 151.468466] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+ [ 151.469192] Workqueue: 0x0 (iw_cm_wq)
+ [ 151.469478] RIP: 0010:__list_del_entry_valid_or_report+0xf0/0x100
+ [ 151.469942] Code: c7 58 5f 4c b2 e8 10 50 aa ff 0f 0b 48 89 ef e8 36 57 cb ff 48 8b 55 08 48 89 e9 48 89 de 48 c7 c7 a8 5f 4c b2 e8 f0 4f aa ff <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 90 90 90 90 90 90
+ [ 151.471323] RSP: 0000:ffffb15644e7bd68 EFLAGS: 00010046
+ [ 151.471712] RAX: 000000000000006d RBX: ffff9f0915c69c08 RCX: 0000000000000027
+ [ 151.472243] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9f0a37d9c600
+ [ 151.472768] RBP: ffff9f0a15b11c08 R08: 0000000000000000 R09: c0000000ffff7fff
+ [ 151.473294] R10: 0000000000000001 R11: ffffb15644e7bba8 R12: ffff9f092339ee68
+ [ 151.473817] R13: ffff9f0900059c28 R14: ffff9f092339ee78 R15: 0000000000000000
+ [ 151.474344] FS: 0000000000000000(0000) GS:ffff9f0a847b5000(0000) knlGS:0000000000000000
+ [ 151.474934] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [ 151.475362] CR2: 0000559e233a9088 CR3: 000000020296b004 CR4: 0000000000770ef0
+ [ 151.475895] PKRU: 55555554
+ [ 151.476118] Call Trace:
+ [ 151.476331]
+ [ 151.476497] move_linked_works+0x49/0xa0
+ [ 151.476792] __pwq_activate_work.isra.46+0x2f/0xa0
+ [ 151.477151] pwq_dec_nr_in_flight+0x1e0/0x2f0
+ [ 151.477479] process_scheduled_works+0x1c8/0x410
+ [ 151.477823] worker_thread+0x125/0x260
+ [ 151.478108] ? __pfx_worker_thread+0x10/0x10
+ [ 151.478430] kthread+0xfe/0x240
+ [ 151.478671] ? __pfx_kthread+0x10/0x10
+ [ 151.478955] ? __pfx_kthread+0x10/0x10
+ [ 151.479240] ret_from_fork+0x208/0x270
+ [ 151.479523] ? __pfx_kthread+0x10/0x10
+ [ 151.479806] ret_from_fork_asm+0x1a/0x30
+ [ 151.480103]
+
+ Fixes: e1168f09b331 ("RDMA/iwcm: Simplify cm_event_handler()")
+ Signed-off-by: Jacob Moroni
+ Link: https://patch.msgid.link/20260112020006.1352438-1-jmoroni@google.com
+ Reviewed-by: Bart Van Assche
+ Signed-off-by: Leon Romanovsky
+
+Signed-off-by: Kamal Heib
+
+diff --git a/drivers/infiniband/core/iwcm.c b/drivers/infiniband/core/iwcm.c
+index 62410578dec3..eb942ab9c405 100644
+--- a/drivers/infiniband/core/iwcm.c
++++ b/drivers/infiniband/core/iwcm.c
+@@ -95,7 +95,6 @@ static struct workqueue_struct *iwcm_wq;
+ struct iwcm_work {
+ struct work_struct work;
+ struct iwcm_id_private *cm_id;
+- struct list_head list;
+ struct iw_cm_event event;
+ struct list_head free_list;
+ };
+@@ -178,7 +177,6 @@ static int alloc_work_entries(struct iwcm_id_private *cm_id_priv, int count)
+ return -ENOMEM;
+ }
+ work->cm_id = cm_id_priv;
+- INIT_LIST_HEAD(&work->list);
+ put_work(work);
+ }
+ return 0;
+@@ -213,7 +211,6 @@ static void free_cm_id(struct iwcm_id_private *cm_id_priv)
+ static bool iwcm_deref_id(struct iwcm_id_private *cm_id_priv)
+ {
+ if (refcount_dec_and_test(&cm_id_priv->refcount)) {
+- BUG_ON(!list_empty(&cm_id_priv->work_list));
+ free_cm_id(cm_id_priv);
+ return true;
+ }
+@@ -260,7 +257,6 @@ struct iw_cm_id *iw_create_cm_id(struct ib_device *device,
+ refcount_set(&cm_id_priv->refcount, 1);
+ init_waitqueue_head(&cm_id_priv->connect_wait);
+ init_completion(&cm_id_priv->destroy_comp);
+- INIT_LIST_HEAD(&cm_id_priv->work_list);
+ INIT_LIST_HEAD(&cm_id_priv->work_free_list);
+
+ return &cm_id_priv->id;
+@@ -1007,13 +1003,13 @@ static int process_event(struct iwcm_id_private *cm_id_priv,
+ }
+
+ /*
+- * Process events on the work_list for the cm_id. If the callback
+- * function requests that the cm_id be deleted, a flag is set in the
+- * cm_id flags to indicate that when the last reference is
+- * removed, the cm_id is to be destroyed. This is necessary to
+- * distinguish between an object that will be destroyed by the app
+- * thread asleep on the destroy_comp list vs. an object destroyed
+- * here synchronously when the last reference is removed.
++ * Process events for the cm_id. If the callback function requests
++ * that the cm_id be deleted, a flag is set in the cm_id flags to
++ * indicate that when the last reference is removed, the cm_id is
++ * to be destroyed. This is necessary to distinguish between an
++ * object that will be destroyed by the app thread asleep on the
++ * destroy_comp list vs. an object destroyed here synchronously
++ * when the last reference is removed.
+ */
+ static void cm_work_handler(struct work_struct *_work)
+ {
+@@ -1024,35 +1020,26 @@ static void cm_work_handler(struct work_struct *_work)
+ int ret = 0;
+
+ spin_lock_irqsave(&cm_id_priv->lock, flags);
+- while (!list_empty(&cm_id_priv->work_list)) {
+- work = list_first_entry(&cm_id_priv->work_list,
+- struct iwcm_work, list);
+- list_del_init(&work->list);
+- levent = work->event;
+- put_work(work);
+- spin_unlock_irqrestore(&cm_id_priv->lock, flags);
+-
+- if (!test_bit(IWCM_F_DROP_EVENTS, &cm_id_priv->flags)) {
+- ret = process_event(cm_id_priv, &levent);
+- if (ret) {
+- destroy_cm_id(&cm_id_priv->id);
+- WARN_ON_ONCE(iwcm_deref_id(cm_id_priv));
+- }
+- } else
+- pr_debug("dropping event %d\n", levent.event);
+- if (iwcm_deref_id(cm_id_priv))
+- return;
+- spin_lock_irqsave(&cm_id_priv->lock, flags);
+- }
++ levent = work->event;
++ put_work(work);
+ spin_unlock_irqrestore(&cm_id_priv->lock, flags);
++
++ if (!test_bit(IWCM_F_DROP_EVENTS, &cm_id_priv->flags)) {
++ ret = process_event(cm_id_priv, &levent);
++ if (ret) {
++ destroy_cm_id(&cm_id_priv->id);
++ WARN_ON_ONCE(iwcm_deref_id(cm_id_priv));
++ }
++ } else
++ pr_debug("dropping event %d\n", levent.event);
++ if (iwcm_deref_id(cm_id_priv))
++ return;
+ }
+
+ /*
+ * This function is called on interrupt context. Schedule events on
+ * the iwcm_wq thread to allow callback functions to downcall into
+- * the CM and/or block. Events are queued to a per-CM_ID
+- * work_list. If this is the first event on the work_list, the work
+- * element is also queued on the iwcm_wq thread.
++ * the CM and/or block.
+ *
+ * Each event holds a reference on the cm_id. Until the last posted
+ * event has been delivered and processed, the cm_id cannot be
+@@ -1094,7 +1081,6 @@ static int cm_event_handler(struct iw_cm_id *cm_id,
+ }
+
+ refcount_inc(&cm_id_priv->refcount);
+- list_add_tail(&work->list, &cm_id_priv->work_list);
+ queue_work(iwcm_wq, &work->work);
+ out:
+ spin_unlock_irqrestore(&cm_id_priv->lock, flags);
+diff --git a/drivers/infiniband/core/iwcm.h b/drivers/infiniband/core/iwcm.h
+index bf74639be128..b56fb12edece 100644
+--- a/drivers/infiniband/core/iwcm.h
++++ b/drivers/infiniband/core/iwcm.h
+@@ -50,7 +50,6 @@ struct iwcm_id_private {
+ struct ib_qp *qp;
+ struct completion destroy_comp;
+ wait_queue_head_t connect_wait;
+- struct list_head work_list;
+ spinlock_t lock;
+ refcount_t refcount;
+ struct list_head work_free_list;
+--
+2.50.1 (Apple Git-155)
+
diff --git a/1380-rdma-mana-remove-user-triggerable-warn-on-in-mana-ib-create-.patch b/1380-rdma-mana-remove-user-triggerable-warn-on-in-mana-ib-create-.patch
new file mode 100644
index 000000000..29adb1410
--- /dev/null
+++ b/1380-rdma-mana-remove-user-triggerable-warn-on-in-mana-ib-create-.patch
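Review bot: cm_work_handler() now handles exactly one event per work item, but the rewritten header comment still opens with `Process events for the cm_id.`; make it `Process a single event for the cm_id: each queued iwcm_work carries one event and the workqueue serializes them.` so the new contract is stated where the old loop used to be. The `levent = work->event; put_work(work);` order under the lock copies the event before the entry returns to the free list, which is what makes dropping work_list safe; a one-line `/* copy the event before put_work() recycles the entry */` would record why the copy precedes the release. The struct field removal in iwcm.h matches every remaining reference removed from iwcm.c in this hunk; cm_event_handler()'s body otherwise continues outside the hunk.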
@@ -0,0 +1,40 @@
+From 9cc0c6b1ba8cd5c55aef043e1384de0a8b4efa71 Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe
+Date: Sun, 17 May 2026 21:23:44 -0400
+Subject: [PATCH] RDMA/mana: Remove user triggerable WARN_ON() in
+ mana_ib_create_qp_rss()
+
+[ Upstream commit 159f2efabc89d3f931d38f2d35876535d4abf0a3 ]
+
+Sashiko points out that the user can specify WQs sharing the same CQ as a
+part of the uAPI and this will trigger the WARN_ON() then go on to corrupt
+the kernel.
+
+Just reject it outright and fail the QP creation.
+
+Cc: stable@vger.kernel.org
+Fixes: c15d7802a424 ("RDMA/mana_ib: Add CQ interrupt support for RAW QP")
+Link: https://sashiko.dev/#/patchset/0-v2-1c49eeb88c48%2B91-rdma_udata_rep_jgg%40nvidia.com?part=1
+Link: https://patch.msgid.link/r/5-v1-41f3135e5565+9d2-rdma_ai_fixes1_jgg@nvidia.com
+Reviewed-by: Long Li
+Signed-off-by: Jason Gunthorpe
+[ adjusted context ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+
+diff --git a/drivers/infiniband/hw/mana/cq.c b/drivers/infiniband/hw/mana/cq.c
+index 1becc87..e3c3c7e 100644
+--- a/drivers/infiniband/hw/mana/cq.c
++++ b/drivers/infiniband/hw/mana/cq.c
+@@ -140,8 +140,9 @@ int mana_ib_install_cq_cb(struct mana_ib_dev *mdev, struct mana_ib_cq *cq)
+
+ if (cq->queue.id >= gc->max_num_cqs)
+ return -EINVAL;
+- /* Create CQ table entry */
+- WARN_ON(gc->cq_table[cq->queue.id]);
++ /* Create CQ table entry, sharing a CQ between WQs is not supported */
++ if (gc->cq_table[cq->queue.id])
++ return -EINVAL;
+ if (cq->queue.kmem)
+ gdma_cq = cq->queue.kmem;
+ else
diff --git a/1381-scsi-qla2xxx-completely-fix-fcport-double-free.patch b/1381-scsi-qla2xxx-completely-fix-fcport-double-free.patch
new file mode 100644
index 000000000..c8cb92a93
--- /dev/null
+++ b/1381-scsi-qla2xxx-completely-fix-fcport-double-free.patch
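Review bot: Replacing WARN_ON() with `return -EINVAL` stops the user-triggerable splat, but the check on `gc->cq_table[cq->queue.id]` followed by the install is only race-free if the caller already holds whatever serializes cq_table writes, and no lock is visible in this hunk; if there is none, two concurrent creates can both pass the check and the second still overwrites the first (hedged, the locking may live in the caller). A caller that has already installed entries for earlier WQs now also needs an unwind on this error return; whether mana_ib_create_qp_rss() has one is outside the hunk, which ends before the install itself. A comment such as `/* caller must serialize cq_table updates; an occupied slot means two WQs name the same CQ */` would make the precondition visible at the check.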
@@ -0,0 +1,42 @@
+From c0b7da13a04bd70ef6070bfb9ea85f582294560a Mon Sep 17 00:00:00 2001
+From: Vladimir Riabchun
+Date: Tue, 10 Feb 2026 11:08:22 +0100
+Subject: [PATCH] scsi: qla2xxx: Completely fix fcport double free
+
+In qla24xx_els_dcmd_iocb() sp->free is set to qla2x00_els_dcmd_sp_free().
+When an error happens, this function is called by qla2x00_sp_release(),
+when kref_put() releases the first and the last reference.
+
+qla2x00_els_dcmd_sp_free() frees fcport by calling qla2x00_free_fcport().
+Doing it one more time after kref_put() is a bad idea.
+
+Fixes: 82f522ae0d97 ("scsi: qla2xxx: Fix double free of fcport")
+Fixes: 4895009c4bb7 ("scsi: qla2xxx: Prevent command send on chip reset")
+Signed-off-by: Vladimir Riabchun
+Signed-off-by: Farhat Abbas
+Link: https://patch.msgid.link/aYsDln9NFQQsPDgg@vova-pc
+Signed-off-by: Martin K. Petersen
+
+diff --git a/drivers/sc
si/qla2xxx/qla_iocb.c b/drivers/scsi/qla2xxx/qla_iocb.c
+index 9038f6723444..dbe3cd4e274c 100644
+--- a/drivers/scsi/qla2xxx/qla_iocb.c
++++ b/drivers/scsi/qla2xxx/qla_iocb.c
+@@ -2751,7 +2751,6 @@ qla24xx_els_dcmd_iocb(scsi_qla_host_t *vha, int els_opcode,
+ if (!elsio->u.els_logo.els_logo_pyld) {
+ /* ref: INIT */
+ kref_put(&sp->cmd_kref, qla2x00_sp_release);
+- qla2x00_free_fcport(fcport);
+ return QLA_FUNCTION_FAILED;
+ }
+
+@@ -2776,7 +2775,6 @@ qla24xx_els_dcmd_iocb(scsi_qla_host_t *vha, int els_opcode,
+ if (rval != QLA_SUCCESS) {
+ /* ref: INIT */
+ kref_put(&sp->cmd_kref, qla2x00_sp_release);
+- qla2x00_free_fcport(fcport);
+ return QLA_FUNCTION_FAILED;
+ }
+
+--
+2.50.1 (Apple Git-155)
+
diff --git a/1382-tcp-fix-potential-race-in-tcp-v6-syn-recv-sock.patch b/1382-tcp-fix-potential-race-in-tcp-v6-syn-recv-sock.patch
new file mode 100644
index 000000000..3c3eee7bd
--- /dev/null
+++ b/1382-tcp-fix-potential-race-in-tcp-v6-syn-recv-sock.patch
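Review bot: After the removal, `fcport` is still released on both error paths, just indirectly through `kref_put(&sp->cmd_kref, qla2x00_sp_release)` and the sp->free callback the commit message names; the bare `/* ref: INIT */` comment does not say so, and the next reader is likely to re-add the explicit free that caused the double free. I would change both comments to `/* ref: INIT -- qla2x00_sp_release() also frees fcport via sp->free */`. The same point applies to both hunks in qla_iocb.c; the rest of qla24xx_els_dcmd_iocb() is outside them, so whether fcport is touched after these returns cannot be checked here.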
@@ -0,0 +1,307 @@
+From 492819afce989204328bb5fd0e7a2fc82fdcb3ac Mon Sep 17 00:00:00 2001
+From: Paolo Abeni
+Date: Mon, 30 Mar 2026 19:24:36 +0200
+Subject: [PATCH] tcp: fix potential race in tcp_v6_syn_recv_sock()
+
+JIRA: https://issues.redhat.com/browse/RHEL-152718
+Conflicts: ipv6_fl_list still belongs to struct ipv6_pinfo, as rhel-10 \
+ lacks the upstream commit 1c17f4373d4d ("ipv6: Move ipv6_fl_list from \
+ ipv6_pinfo to inet_sock."). Adapt the tcp_v6_mapped_child_init() chunck
+ to init such field properly.
+
+Upstream commit:
+commit 858d2a4f67ff69e645a43487ef7ea7f28f06deae
+Author: Eric Dumazet
+Date: Tue Feb 17 16:12:05 2026 +0000
+
+ tcp: fix potential race in tcp_v6_syn_recv_sock()
+
+ Code in tcp_v6_syn_recv_sock() after the call to tcp_v4_syn_recv_sock()
+ is done too late.
+
+ After tcp_v4_syn_recv_sock(), the child socket is already visible
+ from TCP ehash table and other cpus might use it.
+
+ Since newinet->pinet6 is still pointing to the listener ipv6_pinfo
+ bad things can happen as syzbot found.
+
+ Move the problematic code in tcp_v6_mapped_child_init()
+ and call this new helper from tcp_v4_syn_recv_sock() before
+ the ehash insertion.
+
+ This allows the removal of one tcp_sync_mss(), since
+ tcp_v4_syn_recv_sock() will call it with the correct
+ context.
+
+ Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+ Reported-by: syzbot+937b5bbb6a815b3e5d0b@syzkaller.appspotmail.com
+ Closes: https://lore.kernel.org/netdev/69949275.050a0220.2eeac1.0145.GAE@google.com/
+ Signed-off-by: Eric Dumazet
+ Reviewed-by: Kuniyuki Iwashima
+ Link: https://patch.msgid.link/20260217161205.2079883-1-edumazet@google.com
+ Signed-off-by: Jakub Kicinski
+
+Signed-off-by: Paolo Abeni
+
+diff --git a/include/net/inet_connection_sock.h b/include/net/inet_connection_sock.h
+index 4dc8646..b607c8e 100644
+--- a/include/net/inet_connection_sock.h
++++ b/include/net/inet_connection_sock.h
+@@ -42,7 +42,9 @@ struct inet_connection_sock_af_ops {
+ struct request_sock *req,
+ struct dst_entry *dst,
+ struct request_sock *req_unhash,
+- bool *own_req);
++ bool *own_req,
++ void (*opt_child_init)(struct sock *newsk,
++ const struct sock *sk));
+ u16 net_header_len;
+ u16 sockaddr_len;
+ int (*setsockopt)(struct sock *sk, int level, int optname,
+diff --git a/include/net/tcp.h b/include/net/tcp.h
+index a910e50..6a472ed 100644
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -465,7 +465,9 @@ struct sock *tcp_v4_syn_recv_sock(const struct sock *sk, struct sk_buff *skb,
+ struct request_sock *req,
+ struct dst_entry *dst,
+ struct request_sock *req_unhash,
+- bool *own_req);
++ bool *own_req,
++ void (*opt_child_init)(struct sock *newsk,
++ const struct sock *sk));
+ int tcp_v4_do_rcv(struct sock *sk, struct sk_buff *skb);
+ int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len);
+ int tcp_connect(struct sock *sk);
+diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c
+index 1948d15..3976c82 100644
+--- a/net/ipv4/syncookies.c
++++ b/net/ipv4/syncookies.c
+@@ -202,7 +202,7 @@ struct sock *tcp_get_cookie_sock(struct sock *sk, struct sk_buff *skb,
+ bool own_req;
+
+ child = icsk->icsk_af_ops->syn_recv_sock(sk, skb, req, dst,
+- NULL, &own_req);
++ NULL, &own_req, NULL);
+ if (child) {
+ refcount_set(&req->rsk_refcnt, 1);
+ sock_rps_save_rxhash(child, skb);
+diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c
+index 8f3cbc2..9c1173f 100644
+--- a/net/ipv4/tcp_fastopen.c
++++ b/net/ipv4/tcp_fastopen.c
+@@ -247,7 +247,7 @@ static struct sock *tcp_fastopen_create_child(struct sock *sk,
+ bool own_req;
+
+ child = inet_csk(sk)->icsk_af_ops->syn_recv_sock(sk, skb, req, NULL,
+- NULL, &own_req);
++ NULL, &own_req, NULL);
+ if (!child)
+ return NULL;
+
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+index 7f2f7b9..6ff7aaa 100644
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -1739,7 +1739,9 @@ struct sock *tcp_v4_syn_recv_sock(const struct sock *sk, struct sk_buff *skb,
+ struct request_sock *req,
+ struct dst_entry *dst,
+ struct request_sock *req_unhash,
+- bool *own_req)
++ bool *own_req,
++ void (*opt_child_init)(struct sock *newsk,
++ const struct sock *sk))
+ {
+ struct inet_request_sock *ireq;
+ bool found_dup_sk = false;
+@@ -1795,6 +1797,10 @@ struct sock *tcp_v4_syn_recv_sock(const struct sock *sk, struct sk_buff *skb,
+ }
+ sk_setup_caps(newsk, dst);
+
++#if IS_ENABLED(CONFIG_IPV6)
++ if (opt_child_init)
++ opt_child_init(newsk, sk);
++#endif
+ tcp_ca_openreq_child(newsk, dst);
+
+ tcp_sync_mss(newsk, dst_mtu(dst));
+diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
+index 8ff8f5c..bc1393d 100644
+--- a/net/ipv4/tcp_minisocks.c
++++ b/net/ipv4/tcp_minisocks.c
+@@ -862,7 +862,7 @@ struct sock *tcp_check_req(struct sock *sk, struct sk_buff *skb,
+ * socket is created, wait for troubles.
+ */
+ child = inet_csk(sk)->icsk_af_ops->syn_recv_sock(sk, skb, req, NULL,
+- req, &own_req);
++ req, &own_req, NULL);
+ if (!child)
+ goto listen_overflow;
+
+diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
+index 66f08ab..15059ba 100644
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -1343,11 +1343,48 @@ static void tcp_v6_restore_cb(struct sk_buff *skb)
+ sizeof(struct inet6_skb_parm));
+ }
+
++/* Called from tcp_v4_syn_recv_sock() for v6_mapped children. */
++static void tcp_v6_mapped_child_init(struct sock *newsk, const struct sock *sk)
++{
++ struct inet_sock *newinet = inet_sk(newsk);
++ struct ipv6_pinfo *newnp;
++
++ newinet->pinet6 = newnp = tcp_inet6_sk(newsk);
++
++ memcpy(newnp, tcp_inet6_sk(sk), sizeof(struct ipv6_pinfo));
++
++ newnp->saddr = newsk->sk_v6_rcv_saddr;
++
++ inet_csk(newsk)->icsk_af_ops = &ipv6_mapped;
++ if (sk_is_mptcp(newsk))
++ mptcpv6_handle_mapped(newsk, true);
++ newsk->sk_backlog_rcv = tcp_v4_do_rcv;
++#if defined(CONFIG_TCP_MD5SIG) || defined(CONFIG_TCP_AO)
++ tcp_sk(newsk)->af_specific = &tcp_sock_ipv6_mapped_specific;
++#endif
++
++ newnp->ipv6_mc_list = NULL;
++ newnp->ipv6_ac_list = NULL;
++ newnp->ipv6_fl_list = NULL;
++ newnp->pktoptions = NULL;
++ newnp->opt = NULL;
++
++ /* tcp_v4_syn_recv_sock() has initialized newinet->mc_{index,ttl} */
++ newnp->mcast_oif = newinet->mc_index;
++ newnp->mcast_hops = newinet->mc_ttl;
++
++ newnp->rcv_flowinfo = 0;
++ if (inet6_test_bit(REPFLOW, sk))
++ newnp->flow_label = 0;
++}
++
+ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *skb,
+ struct request_sock *req,
+ struct dst_entry *dst,
+ struct request_sock *req_unhash,
+- bool *own_req)
++ bool *own_req,
++ void (*opt_child_init)(struct sock *newsk,
++ const struct sock *sk))
+ {
+ struct inet_request_sock *ireq;
+ struct ipv6_pinfo *newnp;
+@@ -1363,60 +1400,10 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *
+ #endif
+ struct flowi6 fl6;
+
+- if (skb->protocol == htons(ETH_P_IP)) {
+- /*
+- * v6 mapped
+- */
+-
+- newsk = tcp_v4_syn_recv_sock(sk, skb, req, dst,
+- req_unhash, own_req);
+-
+- if (!newsk)
+- return NULL;
+-
+- inet_sk(newsk)->pinet6 = tcp_inet6_sk(newsk);
+-
+- newnp = tcp_inet6_sk(newsk);
+- newtp = tcp_sk(newsk);
+-
+- memcpy(newnp, np, sizeof(struct ipv6_pinfo));
+-
+- newnp->saddr = newsk->sk_v6_rcv_saddr;
+-
+- inet_csk(newsk)->icsk_af_ops = &ipv6_mapped;
+- if (sk_is_mptcp(newsk))
+- mptcpv6_handle_mapped(newsk, true);
+- newsk->sk_backlog_rcv = tcp_v4_do_rcv;
+-#if defined(CONFIG_TCP_MD5SIG) || defined(CONFIG_TCP_AO)
+- newtp->af_specific = &tcp_sock_ipv6_mapped_specific;
+-#endif
+-
+- newnp->ipv6_mc_list = NULL;
+- newnp->ipv6_ac_list = NULL;
+- newnp->ipv6_fl_list = NULL;
+- newnp->pktoptions = NULL;
+- newnp->opt = NULL;
+- newnp->mcast_oif = inet_iif(skb);
+- newnp->mcast_hops = ip_hdr(skb)->ttl;
+- newnp->rcv_flowinfo = 0;
+- if (inet6_test_bit(REPFLOW, sk))
+- newnp->flow_label = 0;
+-
+- /*
+- * No need to charge this sock to the relevant IPv6 refcnt debug socks count
+- * here, tcp_create_openreq_child now does this for us, see the comment in
+- * that function for the gory details. -acme
+- */
+-
+- /* It is tricky place. Until this moment IPv4 tcp
+- worked with IPv6 icsk.icsk_af_ops.
+- Sync it now.
+- */
+- tcp_sync_mss(newsk, inet_csk(newsk)->icsk_pmtu_cookie);
+-
+- return newsk;
+- }
+-
++ if (skb->protocol == htons(ETH_P_IP))
++ return tcp_v4_syn_recv_sock(sk, skb, req, dst,
++ req_unhash, own_req,
++ tcp_v6_mapped_child_init);
+ ireq = inet_rsk(req);
+
+ if (sk_acceptq_is_full(sk))
+diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c
+index 69b531b..040a7f1 100644
+--- a/net/mptcp/subflow.c
++++ b/net/mptcp/subflow.c
+@@ -809,7 +809,9 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk,
+ struct request_sock *req,
+ struct dst_entry *dst,
+ struct request_sock *req_unhash,
+- bool *own_req)
++ bool *own_req,
++ void (*opt_child_init)(struct sock *newsk,
++ const struct sock *sk))
+ {
+ struct mptcp_subflow_context *listener = mptcp_subflow_ctx(sk);
+ struct mptcp_subflow_request_sock *subflow_req;
+@@ -856,7 +858,7 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk,
+
+ create_child:
+ child = listener->icsk_af_ops->syn_recv_sock(sk, skb, req, dst,
+- req_unhash, own_req);
++ req_unhash, own_req, opt_child_init);
+
+ if (child && *own_req) {
+ struct mptcp_subflow_context *ctx = mptcp_subflow_ctx(child);
+diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
+index 848db1a..1271644 100644
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -125,7 +125,9 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk,
+ struct request_sock *req,
+ struct dst_entry *dst,
+ struct request_sock *req_unhash,
+- bool *own_req)
++ bool *own_req,
++ void (*opt_child_init)(struct sock *newsk,
++ const struct sock *sk))
+ {
+ struct smc_sock *smc;
+ struct sock *child;
+@@ -143,7 +145,7 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk,
+
+ /* passthrough to original syn recv sock fct */
+ child = smc->ori_af_ops->syn_recv_sock(sk, skb, req, dst, req_unhash,
+- own_req);
++ own_req, opt_child_init);
+ /* child must not inherit smc or its ops */
+ if (child) {
+ rcu_assign_sk_user_data(child, NULL);
diff --git a/1383-selinux-rhel-only-hotfix-for-execmem-regression.patch b/1383-selinux-rhel-only-hotfix-for-execmem-regression.patch
new file mode 100644
index 000000000..2a6113c14
--- /dev/null
+++ b/1383-selinux-rhel-only-hotfix-for-execmem-regression.patch
@@ -0,0 +1,131 @@
+From 7afc16c3e0cf718250da44444c47d04836225bb4 Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek
+Date: Tue, 16 Jun 2026 10:06:13 +0200
+Subject: [PATCH] selinux: RHEL-only hotfix for execmem regression
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+JIRA: https://redhat.atlassian.net/browse/RHEL-185115
+Upstream Status: RHEL10-only
+
+As discovered by image-mode/CoreOS testing, the fixes for CVE-2026-46054
+caused a regression that results in unexpected execmem denials in
+specific scenarios involving overlayfs (or another stacked filesystem).
+
+Specifically in case of image mode / CoreOS there is often (always?) an
+overlayfs filesystem mounted during early boot (before SELinux policy is
+loaded), which means that overlayfs captures the kernel’s SELinux
+context as part of the mounter credentials, which are later used by
+overlayfs+SELinux to verify that file accesses through the overlay mount
+don’t give the mounter a way to access underlying files it otherwise
+wouldn’t have access to. This verification would normally pass, as the
+policy grants the kernel context almost unrestricted access to the
+filesystem. However, the new checks added to fix CVE-2026-46054
+erroneously include the execmem check for the mounter and in the policy
+kernel_t doesn’t have the execmem permission, so mmapping an overlay
+file with MAP_PRIVATE and PROT_WRITE|PROT_EXEC would now result in a
+SELinux denial.
+
+Fix this by passing a boolean through the helper functions that allows
+to distinguish the direct permission check from the mounter check and
+skipping the execmem check in the mounter case.
+
+This is a transient RHEL-only fix to allow the CVE fix to go through
+without breaking image mode/CoreOS deployments. Once an optimal solution
+is figured out and applied upstream, this commit will be reverted and
+replaced with the upstream fix (at least in Y-streams). I expect the
+upstream solution to be functionally equivalent, though probably
+cosmetically different.
+
+Signed-off-by: Ondrej Mosnacek
+
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index 853cf9cee2ec..2ad4a39f0ea8 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -3809,7 +3809,7 @@ static int default_noexec __ro_after_init;
+
+ static int __file_map_prot_check(const struct cred *cred,
+ const struct file *file, unsigned long prot,
+- bool shared, bool bf_user_file)
++ bool shared, bool mounter, bool bf_user_file)
+ {
+ struct inode *inode = NULL;
+ bool prot_exec = prot & PROT_EXEC;
+@@ -3823,7 +3823,7 @@ static int __file_map_prot_check(const struct cred *cred,
+ }
+
+ if (default_noexec && prot_exec &&
+- (!file || IS_PRIVATE(inode) || (!shared && prot_write))) {
++ (!file || IS_PRIVATE(inode) || (!shared && prot_write)) && !mounter) {
+ int rc;
+ u32 sid = cred_sid(cred);
+
+@@ -3853,9 +3853,9 @@ static int __file_map_prot_check(const struct cred *cred,
+
+ static inline int file_map_prot_check(const struct cred *cred,
+ const struct file *file,
+- unsigned long prot, bool shared)
++ unsigned long prot, bool shared, bool mounter)
+ {
+- return __file_map_prot_check(cred, file, prot, shared, false);
++ return __file_map_prot_check(cred, file, prot, shared, mounter, false);
+ }
+
+ static int selinux_mmap_addr(unsigned long addr)
+@@ -3872,7 +3872,7 @@ static int selinux_mmap_addr(unsigned long addr)
+ }
+
+ static int selinux_mmap_file_common(const struct cred *cred, struct file *file,
+- unsigned long prot, bool shared)
++ unsigned long prot, bool shared, bool mounter)
+ {
+ if (file) {
+ int rc;
+@@ -3885,7 +3885,7 @@ static int selinux_mmap_file_common(const struct cred *cred, struct file *file,
+ return rc;
+ }
+
+- return file_map_prot_check(cred, file, prot, shared);
++ return file_map_prot_check(cred, file, prot, shared, mounter);
+ }
+
+ static int selinux_mmap_file(struct file *file,
+@@ -3893,7 +3893,8 @@ static int selinux_mmap_file(struct file *file,
+ unsigned long prot, unsigned long flags)
+ {
+ return selinux_mmap_file_common(current_cred(), file, prot,
+- (flags & MAP_TYPE) == MAP_SHARED);
++ (flags & MAP_TYPE) == MAP_SHARED,
++ false);
+ }
+
+ /**
+@@ -3926,7 +3927,8 @@ static int selinux_mmap_backing_file(struct vm_area_struct *vma,
+ prot |= PROT_EXEC;
+
+ return selinux_mmap_file_common(backing_file->f_cred, backing_file,
+- prot, vma->vm_flags & VM_SHARED);
++ prot, vma->vm_flags & VM_SHARED,
++ true);
+ }
+
+ static int selinux_file_mprotect(struct vm_area_struct *vma,
+@@ -3987,11 +3989,11 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
+ }
+ }
+
+- rc = __file_map_prot_check(cred, file, prot, shared, backing_file);
++ rc = __file_map_prot_check(cred, file, prot, shared, false, backing_file);
+ if (rc)
+ return rc;
+ if (backing_file) {
+- rc = file_map_prot_check(file->f_cred, file, prot, shared);
++ rc = file_map_prot_check(file->f_cred, file, prot, shared, true);
+ if (rc)
+ return rc;
+ }
+-- 
+2.50.1 (Apple Git-155)
+
diff --git a/kernel.spec b/kernel.spec
index d68069115..9b16ff044 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -176,13 +176,13 @@ Summary: The Linux kernel
 %define specrpmversion 6.12.0
 %define specversion 6.12.0
 %define patchversion 6.12
-%define pkgrelease 211.26.1
+%define pkgrelease 211.28.1
 %define kversion 6
 %define tarfile_release 6.12.0-211.7.1.el10_2
 # This is needed to do merge window version magic
 %define patchlevel 12
 # This allows pkg_release to have configurable %%{?dist} tag
-%define specrelease 211.26.1%{?buildid}%{?dist}
+%define specrelease 211.28.1%{?buildid}%{?dist}
 # This defines the kabi tarball version
 %define kabiversion 6.12.0-211.7.1.el10_2
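Review bot: The new `mounter` parameter of `__file_map_prot_check()` carries no comment, yet its only effect — skipping the whole execmem/execstack/execheap block when true — is easy to lose among three adjacent bools (`shared, mounter, bf_user_file`) that every call site must keep in order. I would document it at the definition, e.g. `/* mounter: cred is the stacked-fs mounter's (backing_file->f_cred), not the caller's; the execmem-style checks are skipped here because the direct check on the caller's cred still enforces them. */`, which the mmap_file/mmap_backing_file/mprotect call sites in this patch appear to follow (`false` for the caller, `true` for the backing_file re-check). As a point of style, testing `!mounter` first in the condition would short-circuit before `IS_PRIVATE(inode)` is evaluated and makes the intent visible at a glance. The bodies of the changed functions extend beyond the quoted hunks of the embedded patch, so the remaining uses of `cred`/`inode` in that block were not visible for review.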
@@ -1409,6 +1409,15 @@ Patch1371: 1371-crypto-caam-fix-overflow-on-long-hmac-keys.patch
 Patch1372: 1372-exit-prevent-preemption-of-oopsing-task-dead-task.patch
 Patch1373: 1373-net-sched-fix-pedit-partial-cow-leading-to-page-cache-corrup.patch
 Patch1374: 1374-kvm-arm64-vgic-its-drop-translation-cache-ref-only-for-eras.patch
+Patch1375: 1375-ipv6-icmp-clear-skb2-cb-in-ip6-err-gen-icmpv6-unreach.patch
+Patch1376: 1376-rdma-mana-validate-rx-hash-key-len.patch
+Patch1377: 1377-nvmet-tcp-fix-race-between-icreq-handling-and-queue-teardown.patch
+Patch1378: 1378-rxrpc-fix-response-authenticator-parser-oob-read.patch
+Patch1379: 1379-rdma-iwcm-fix-workqueue-list-corruption-by-removing-work-lis.patch
+Patch1380: 1380-rdma-mana-remove-user-triggerable-warn-on-in-mana-ib-create-.patch
+Patch1381: 1381-scsi-qla2xxx-completely-fix-fcport-double-free.patch
+Patch1382: 1382-tcp-fix-potential-race-in-tcp-v6-syn-recv-sock.patch
+Patch1383: 1383-selinux-rhel-only-hotfix-for-execmem-regression.patch
 # END OF PATCH DEFINITIONS
 %description
@@ -2540,6 +2549,15 @@ ApplyPatch 1371-crypto-caam-fix-overflow-on-long-hmac-keys.patch
 ApplyPatch 1372-exit-prevent-preemption-of-oopsing-task-dead-task.patch
 ApplyPatch 1373-net-sched-fix-pedit-partial-cow-leading-to-page-cache-corrup.patch
 ApplyPatch 1374-kvm-arm64-vgic-its-drop-translation-cache-ref-only-for-eras.patch
+ApplyPatch 1375-ipv6-icmp-clear-skb2-cb-in-ip6-err-gen-icmpv6-unreach.patch
+ApplyPatch 1376-rdma-mana-validate-rx-hash-key-len.patch
+ApplyPatch 1377-nvmet-tcp-fix-race-between-icreq-handling-and-queue-teardown.patch
+ApplyPatch 1378-rxrpc-fix-response-authenticator-parser-oob-read.patch
+ApplyPatch 1379-rdma-iwcm-fix-workqueue-list-corruption-by-removing-work-lis.patch
+ApplyPatch 1380-rdma-mana-remove-user-triggerable-warn-on-in-mana-ib-create-.patch
+ApplyPatch 1381-scsi-qla2xxx-completely-fix-fcport-double-free.patch
+ApplyPatch 1382-tcp-fix-potential-race-in-tcp-v6-syn-recv-sock.patch
+ApplyPatch 1383-selinux-rhel-only-hotfix-for-execmem-regression.patch
 # END OF PATCH APPLICATIONS
 # Any further pre-build tree manipulations happen here.
@@ -5044,6 +5062,24 @@ fi\
 #
 #
 %changelog
+* Fri Jun 26 2026 Andrew Lukoshko - 6.12.0-211.28.1
+- Recreate RHEL 6.12.0-211.28.1 from CentOS Stream 10 and upstream stable backports (1375-1383)
+- Retain AlmaLinux ahead-of-RHEL fix for CVE-2026-46316 (1374)
+- RHEL changelog for 211.27.1..211.28.1 follows:
+
+* Thu Jun 25 2026 CKI KWF Bot [6.12.0-211.28.1.el10_2]
+- selinux: RHEL-only hotfix for execmem regression (Ondrej Mosnacek) [RHEL-185117]
+- tcp: fix potential race in tcp_v6_syn_recv_sock() (Paolo Abeni) [RHEL-174242] {CVE-2026-43198}
+- scsi: qla2xxx: Completely fix fcport double free (Ewan D. Milne) [RHEL-179755] {CVE-2026-43414}
+- RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss() (CKI Backport Bot) [RHEL-180155] {CVE-2026-46117}
+- RDMA/iwcm: Fix workqueue list corruption by removing work_list (CKI Backport Bot) [RHEL-179665] {CVE-2026-45898}
+- rxrpc: fix RESPONSE authenticator parser OOB read (CKI Backport Bot) [RHEL-171456] {CVE-2026-31636}
+
+* Mon Jun 22 2026 CKI KWF Bot [6.12.0-211.27.1.el10_2]
+- nvmet-tcp: fix race between ICReq handling and queue teardown (CKI Backport Bot) [RHEL-180106] {CVE-2026-46135}
+- RDMA/mana: Validate rx_hash_key_len (CKI Backport Bot) [RHEL-180090] {CVE-2026-46145}
+- ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach() (Guillaume Nault) [RHEL-172675] {CVE-2026-43038}
+
 * Tue Jun 23 2026 Andrew Lukoshko - 6.12.0-211.26.1
 - Add fix for CVE-2026-46316 (KVM arm64 vgic-its translation-cache use-after-free) ahead of RHEL (1374)