hpsa: bring back deprecated PCI ids #CFHack #CFHack2024

mptsas: bring back deprecated PCI ids #CFHack #CFHack2024

megaraid_sas: bring back deprecated PCI ids #CFHack #CFHack2024

qla2xxx: bring back deprecated PCI ids #CFHack #CFHack2024

qla4xxx: bring back deprecated PCI ids

lpfc: bring back deprecated PCI ids

be2iscsi: bring back deprecated PCI ids

kernel/rh_messages.h: enable all disabled pci devices by moving to unmaintained

Use AlmaLinux OS secure boot cert

Debrand for AlmaLinux OS
This commit is contained in:
Andrew Lukoshko 2026-07-07 20:34:49 +00:00 committed by root
commit 7ad90037a7
7 changed files with 45 additions and 422 deletions

2
.gitignore vendored
View File

@ -2,7 +2,7 @@ SOURCES/centossecureboot201.cer
SOURCES/centossecurebootca2.cer
SOURCES/kernel-abi-stablelists-4.18.0-553.tar.bz2
SOURCES/kernel-kabi-dw-4.18.0-553.tar.bz2
SOURCES/linux-4.18.0-553.139.1.el8_10.tar.xz
SOURCES/linux-4.18.0-553.140.1.el8_10.tar.xz
SOURCES/redhatsecureboot302.cer
SOURCES/redhatsecureboot303.cer
SOURCES/redhatsecureboot501.cer

View File

@ -1,8 +1,8 @@
2ba40bf9138b48311e5aa1b737b7f0a8ad66066f SOURCES/centossecureboot201.cer
bfdb3d7cffc43f579655af5155d50c08671d95e5 SOURCES/centossecurebootca2.cer
01f536d6c4d739d91dccb30d23ed66059f7b6863 SOURCES/kernel-abi-stablelists-4.18.0-553.tar.bz2
37a0c01e60bb7aa700be883e371fadf0f3043dba SOURCES/kernel-kabi-dw-4.18.0-553.tar.bz2
8025202b3e62117a3a5c189c12f8b9c103e68058 SOURCES/linux-4.18.0-553.139.1.el8_10.tar.xz
9a64909d26286a0785223215919f155eeb31bbbb SOURCES/kernel-abi-stablelists-4.18.0-553.tar.bz2
3f5da751289c90692af60f204c87e1e24f64f143 SOURCES/kernel-kabi-dw-4.18.0-553.tar.bz2
73b7cd18e6d1f7f0965a70bbb60bb49748dfad28 SOURCES/linux-4.18.0-553.140.1.el8_10.tar.xz
13e5cd3f856b472fde80a4deb75f4c18dfb5b255 SOURCES/redhatsecureboot302.cer
e89890ca0ded2f9058651cc5fa838b78db2e6cc2 SOURCES/redhatsecureboot303.cer
ba0b760e594ff668ee72ae348adf3e49b97f75fb SOURCES/redhatsecureboot501.cer

View File

@ -1,253 +0,0 @@
kpatch-cve: CVE-2026-46113
kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2026-46113
kpatch-cvss: 8.8
kpatch-description: KVM: x86: Fix shadow paging use-after-free due to unexpected GFN/role
kpatch-kernel: 4.18.0-553.139.1.el8_10
kpatch-patch-url: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0cb2af2ea66ad8ff195c156ea690f11216285bdf
From: KernelCare Security Team
Subject: [PATCH] KVM: x86: Fix shadow paging use-after-free due to unexpected GFN/role
CVE: CVE-2026-46113
Upstream Status: manually adapted, not a literal cherry-pick. This
combines the effect of two upstream fixes:
- commit 0cb2af2ea66a ("KVM: x86: Fix shadow paging use-after-free
due to unexpected GFN"), which is the fix CVE-2026-46113 refers to
- commit 81ccda30b4e8 ("KVM: x86: Fix shadow paging use-after-free
due to unexpected role"), a follow-up closing a second, related
hole in the same code path (found while hardening it after the
first fix)
Neither commit applies to this kernel: both are written against
upstream's post-refactor MMU (kvm_mmu_get_child_sp()/
kvm_mmu_get_shadow_page()/__link_shadow_page(), introduced by a large
prerequisite series -- e.g. "KVM: x86/mmu: Derive shadow MMU page role
from parent" and "KVM: x86/mmu: pull call to drop_large_spte() into
__link_shadow_page()" -- that this 4.18-based kernel does not carry).
This kernel still uses the older, pre-refactor shape: each of the
three "walk into an existing non-leaf SPTE or install a new one" call
sites (kvm_mmu_get_page()+link_shadow_page() in __direct_map() and in
both loops of FNAME(fetch)) independently does:
drop_large_spte(vcpu, it.sptep);
if (!is_shadow_present_pte(*it.sptep)) {
sp = kvm_mmu_get_page(...);
link_shadow_page(vcpu, it.sptep, sp);
}
i.e. if *it.sptep is already present (and not a large leaf,
already handled by drop_large_spte()), the walk just continues into
whatever child it already points to, without checking that the child
actually matches the gfn/role being walked to. This is exactly the
root cause both upstream commits describe: if the guest's page tables
are modified between VM entries (shadow paging) such that a PDE now
resolves to a different gfn, or to a translation requiring a
differently-shaped shadow page (e.g. a 2MB direct-mapped leaf split
into a 4KB indirect page table), the stale child is reused as-is.
When that stale child is later zapped, kvm_mmu_page_get_gfn() derives
the wrong gfn for its rmap entries (sp->gfn + index, or sp->gfn
itself, instead of the actual mapped gfn), so rmap_remove() cannot
find and remove them. If the memslot backing the old translation is
then dropped, the shadow page is freed while the stale rmap entry
survives; any later rmap walk over that gfn (dirty logging, MMU
notifier invalidation such as MADV_DONTNEED, ...) dereferences freed
memory.
Fix this at each of the three call sites by validating, before
falling through to "reuse the existing child", that the present
non-large SPTE actually points to a child with the expected gfn *and*
role (mirroring 81ccda30b4e8's role check on top of 0cb2af2ea66a's gfn
check). If it doesn't, the stale SPTE (and its subtree) is torn down
via mmu_page_zap_pte() + kvm_mmu_remote_flush_or_zap() -- the same
primitives upstream's __link_shadow_page() now uses -- before
installing the correct child. This preserves the existing fast path
(no hash-table lookup) for the common case where the already-linked
child is correct.
The role/gfn comparison itself is factored into two small helpers,
kvm_mmu_child_role() (the role computation already done at the top of
kvm_mmu_get_page(), extracted unchanged so both functions share it)
and shadow_page_role_matches().
Note on kernel commit a955cad84cda ("KVM: x86/mmu: Retry page fault if
root is invalidated by memslot update"): during upstream's stable
backport of 0cb2af2ea66a to 5.10.y/5.15.y, this turned out to be a
required prerequisite -- without it, testers hit WARN_ON regressions
in kvm_mmu_zap_all_fast()/kvm_mmu_zap_all() (see the "stable backports
for ..." thread on kvm@vger.kernel.org, message
20260630223723.83727-1-zcgao@amazon.com). This kernel already has the
equivalent logic (is_page_fault_stale()/is_obsolete_sp(), used in both
direct_page_fault() and FNAME(page_fault)), confirmed present before
writing this patch, so no separate prerequisite patch is needed here.
Reported-by: Hyunwoo Kim <imv4bel@gmail.com>
Reported-by: Alexander Bulekov <bkov@amazon.com>
Reported-by: Fred Griffoul <fgriffo@amazon.co.uk>
---
arch/x86/kvm/mmu/mmu.c | 72 ++++++++++++++++++++++++++++++++++-------
arch/x86/kvm/mmu/paging_tmpl.h | 40 ++++++++++++++++++++--
2 files changed, 96 insertions(+), 16 deletions(-)
diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c
index c4854dc02..696c3b4c6 100644
--- a/arch/x86/kvm/mmu/mmu.c
+++ b/arch/x86/kvm/mmu/mmu.c
@@ -2002,21 +2002,13 @@ static void clear_sp_write_flooding_count(u64 *spte)
__clear_sp_write_flooding_count(sptep_to_sp(spte));
}
-static struct kvm_mmu_page *kvm_mmu_get_page(struct kvm_vcpu *vcpu,
- gfn_t gfn,
- gva_t gaddr,
- unsigned level,
- int direct,
- unsigned int access)
+static union kvm_mmu_page_role kvm_mmu_child_role(struct kvm_vcpu *vcpu,
+ gva_t gaddr, unsigned level,
+ int direct,
+ unsigned int access)
{
- bool direct_mmu = vcpu->arch.mmu->direct_map;
union kvm_mmu_page_role role;
- struct hlist_head *sp_list;
unsigned quadrant;
- struct kvm_mmu_page *sp;
- int ret;
- int collisions = 0;
- LIST_HEAD(invalid_list);
role = vcpu->arch.mmu->mmu_role.base;
role.level = level;
@@ -2028,6 +2020,46 @@ static struct kvm_mmu_page *kvm_mmu_get_page(struct kvm_vcpu *vcpu,
role.quadrant = quadrant;
}
+ return role;
+}
+
+/*
+ * Returns true if @sptep already links to a present, non-large shadow page
+ * that matches @gfn and @role, i.e. it is safe to keep walking through the
+ * existing child instead of replacing it. The gfn of a direct shadow page
+ * only tracks its *first* mapping, so an intervening guest PTE change can
+ * leave a present SPTE pointing at a child that was allocated for a
+ * different gfn and/or role; blindly reusing it leads to a stale rmap entry
+ * (and eventually a use-after-free) once the mismatched child is zapped.
+ */
+static bool shadow_page_role_matches(u64 *sptep, gfn_t gfn,
+ union kvm_mmu_page_role role)
+{
+ struct kvm_mmu_page *child;
+
+ if (!is_shadow_present_pte(*sptep) || is_large_pte(*sptep))
+ return false;
+
+ child = to_shadow_page(*sptep & PT64_BASE_ADDR_MASK);
+ return child->gfn == gfn && child->role.word == role.word;
+}
+
+static struct kvm_mmu_page *kvm_mmu_get_page(struct kvm_vcpu *vcpu,
+ gfn_t gfn,
+ gva_t gaddr,
+ unsigned level,
+ int direct,
+ unsigned int access)
+{
+ bool direct_mmu = vcpu->arch.mmu->direct_map;
+ union kvm_mmu_page_role role = kvm_mmu_child_role(vcpu, gaddr, level,
+ direct, access);
+ struct hlist_head *sp_list;
+ struct kvm_mmu_page *sp;
+ int ret;
+ int collisions = 0;
+ LIST_HEAD(invalid_list);
+
sp_list = &vcpu->kvm->arch.mmu_page_hash[kvm_page_table_hashfn(gfn)];
for_each_valid_sp(vcpu->kvm, sp, sp_list) {
if (sp->gfn != gfn) {
@@ -2946,8 +2978,20 @@ static int __direct_map(struct kvm_vcpu *vcpu, struct kvm_page_fault *fault)
break;
drop_large_spte(vcpu, it.sptep);
- if (is_shadow_present_pte(*it.sptep))
- continue;
+ if (is_shadow_present_pte(*it.sptep)) {
+ union kvm_mmu_page_role role;
+ LIST_HEAD(invalid_list);
+
+ role = kvm_mmu_child_role(vcpu, it.addr, it.level - 1,
+ true, ACC_ALL);
+ if (shadow_page_role_matches(it.sptep, base_gfn, role))
+ continue;
+
+ mmu_page_zap_pte(vcpu->kvm, sptep_to_sp(it.sptep),
+ it.sptep, &invalid_list);
+ kvm_mmu_remote_flush_or_zap(vcpu->kvm, &invalid_list,
+ true);
+ }
sp = kvm_mmu_get_page(vcpu, base_gfn, it.addr,
it.level - 1, true, ACC_ALL);
diff --git a/arch/x86/kvm/mmu/paging_tmpl.h b/arch/x86/kvm/mmu/paging_tmpl.h
index 3b825e60a..911dbe698 100644
--- a/arch/x86/kvm/mmu/paging_tmpl.h
+++ b/arch/x86/kvm/mmu/paging_tmpl.h
@@ -676,10 +676,28 @@ static int FNAME(fetch)(struct kvm_vcpu *vcpu, struct kvm_page_fault *fault,
clear_sp_write_flooding_count(it.sptep);
drop_large_spte(vcpu, it.sptep);
+ table_gfn = gw->table_gfn[it.level - 2];
+ access = gw->pt_access[it.level - 2];
+
+ if (is_shadow_present_pte(*it.sptep)) {
+ union kvm_mmu_page_role role;
+ LIST_HEAD(invalid_list);
+
+ role = kvm_mmu_child_role(vcpu, fault->addr,
+ it.level - 1, false, access);
+ if (!shadow_page_role_matches(it.sptep, table_gfn,
+ role)) {
+ mmu_page_zap_pte(vcpu->kvm,
+ sptep_to_sp(it.sptep),
+ it.sptep, &invalid_list);
+ kvm_mmu_remote_flush_or_zap(vcpu->kvm,
+ &invalid_list,
+ true);
+ }
+ }
+
sp = NULL;
if (!is_shadow_present_pte(*it.sptep)) {
- table_gfn = gw->table_gfn[it.level - 2];
- access = gw->pt_access[it.level - 2];
sp = kvm_mmu_get_page(vcpu, table_gfn, fault->addr,
it.level-1, false, access);
/*
@@ -736,6 +754,24 @@ static int FNAME(fetch)(struct kvm_vcpu *vcpu, struct kvm_page_fault *fault,
drop_large_spte(vcpu, it.sptep);
+ if (is_shadow_present_pte(*it.sptep)) {
+ union kvm_mmu_page_role role;
+ LIST_HEAD(invalid_list);
+
+ role = kvm_mmu_child_role(vcpu, fault->addr,
+ it.level - 1, true,
+ direct_access);
+ if (!shadow_page_role_matches(it.sptep, base_gfn,
+ role)) {
+ mmu_page_zap_pte(vcpu->kvm,
+ sptep_to_sp(it.sptep),
+ it.sptep, &invalid_list);
+ kvm_mmu_remote_flush_or_zap(vcpu->kvm,
+ &invalid_list,
+ true);
+ }
+ }
+
if (!is_shadow_present_pte(*it.sptep)) {
sp = kvm_mmu_get_page(vcpu, base_gfn, fault->addr,
it.level - 1, true, direct_access);
--
2.39.2

View File

@ -1,134 +0,0 @@
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Fri, 26 Jun 2026 19:46:19 +0200
Subject: KVM: x86/mmu: Ensure hugepage is in by slot before checking max mapping level
From: Sean Christopherson <seanjc@google.com>
commit ef057cbf825e03b63f6edf5980f96abf3c53089d upstream.
When recovering hugepages in the shadow MMU, verify that the base gfn of
the shadow page is actually contained within the target memslot, *before*
querying the max mapping level given the shadow page's gfn. Failure to
pre-check the validity of the gfn can lead to an out-of-bounds access to
the slot's lpage_info (which typically manifests as a host #PF because the
lpage_info is vmalloc'd) if the guest creates a hugepage mapping (in its
PTEs) that extends "below" the bounds of a memslot.
When faulting in memory for a guest, and the size of the guest mapping is
greater than KVM's (current) max mapping, then KVM will create a "direct"
shadow page (direct in that there are no gPTEs to shadow, and so the target
gfn is a direct calculation given the base gfn of the shadow page). The
hugepage recovery flow looks for such direct shadow pages, as forcing 4KiB
mappings when dirty logging generates the guest > host mapping size case.
When the 4KiB restriction is lifted, then KVM can replace the shadow page
with a hugepage.
But if KVM originally used a smaller mapping than the guest because the
range of memory covered by the guest hugepage exceeds the bounds of a
memslot, then KVM will link a direct shadow page with a gfn that is outside
the bounds of the memslot being used to fault in memory. The rmap entry
added for the leaf mapping is correct and within bounds, but the gfn of the
leaf SPTE's parent shadow page will be out of bounds.
BUG: unable to handle page fault for address: ffffc90000806ffc
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 100000067 P4D 100000067 PUD 1002a7067 PMD 10612f067 PTE 0
Oops: Oops: 0000 [#1] SMP
CPU: 13 UID: 1000 PID: 757 Comm: mmu_stress_test Not tainted 7.1.0-rc1-48ce1e26eace-x86_pir_to_irr_comments-vm #341 PREEMPT
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
RIP: 0010:kvm_mmu_max_mapping_level+0x79/0x2b0 [kvm]
Call Trace:
<TASK>
kvm_mmu_recover_huge_pages+0x21b/0x320 [kvm]
kvm_set_memslot+0x1ee/0x590 [kvm]
kvm_set_memory_region.part.0+0x3a1/0x4d0 [kvm]
kvm_vm_ioctl+0x9bf/0x15d0 [kvm]
__x64_sys_ioctl+0x8a/0xd0
do_syscall_64+0xb7/0xbb0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7f21c0f1a9bf
</TASK>
Don't bother pre-checking the bounds of the potential hugepage, i.e. don't
check that e.g. sp->gfn + KVM_PAGES_PER_HPAGE(sp->role.level + 1) is also
within the memslot, as the checks performed by kvm_mmu_max_mapping_level()
are a superset of the basic bounds checks. I.e. pre-checking the full
range would be a dubious micro-optimization.
Fixes: 9eba50f8d7fc ("KVM: x86/mmu: Consult max mapping level when zapping collapsible SPTEs")
Cc: stable@vger.kernel.org
Cc: David Matlack <dmatlack@google.com>
Cc: James Houghton <jthoughton@google.com>
Cc: Alexander Bulekov <bkov@amazon.com>
Cc: Fred Griffoul <fgriffo@amazon.co.uk>
Cc: Alexander Graf <graf@amazon.de>
Cc: David Woodhouse <dwmw@amazon.co.uk>
Cc: Filippo Sironi <sironi@amazon.de>
Cc: Ivan Orlov <iorlov@amazon.co.uk>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
arch/x86/kvm/mmu/mmu.c | 19 +++++++++++++------
include/linux/kvm_host.h | 7 ++++++-
2 files changed, 19 insertions(+), 7 deletions(-)
diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c
index 9597112..12d3e1f 100644
--- a/arch/x86/kvm/mmu/mmu.c
+++ b/arch/x86/kvm/mmu/mmu.c
@@ -6045,13 +6045,20 @@ restart:
pfn = spte_to_pfn(*sptep);
/*
- * We cannot do huge page mapping for indirect shadow pages,
- * which are found on the last rmap (level = 1) when not using
- * tdp; such shadow pages are synced with the page table in
- * the guest, and the guest page table is using 4K page size
- * mapping if the indirect sp has level = 1.
+ * Direct shadow page can be replaced by a hugepage if the host
+ * mapping level allows it and the memslot maps all of the host
+ * hugepage. Note! If the memslot maps only part of the
+ * hugepage, sp->gfn may be below slot->base_gfn, and querying
+ * the max mapping level would cause an out-of-bounds lpage_info
+ * access. So the gfn bounds check *must* be done first.
+ *
+ * Indirect shadow pages are created when the guest page tables
+ * are using 4K pages. Since the host mapping is always
+ * constrained by the page size in the guest, indirect shadow
+ * pages are never collapsible.
*/
- if (sp->role.direct && !kvm_is_reserved_pfn(pfn) &&
+ if (sp->role.direct && is_gfn_in_memslot(slot, sp->gfn) &&
+ !kvm_is_reserved_pfn(pfn) &&
sp->role.level < kvm_mmu_max_mapping_level(kvm, slot, sp->gfn,
pfn, PG_LEVEL_NUM)) {
pte_list_remove(kvm, rmap_head, sptep);
diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
index eaebea6..c37570a 100644
--- a/include/linux/kvm_host.h
+++ b/include/linux/kvm_host.h
@@ -1378,6 +1378,11 @@ static inline struct rcuwait *kvm_arch_vcpu_get_wait(struct kvm_vcpu *vcpu)
#endif
}
+static inline bool is_gfn_in_memslot(const struct kvm_memory_slot *slot, gfn_t gfn)
+{
+ return gfn >= slot->base_gfn && gfn < slot->base_gfn + slot->npages;
+}
+
/*
* Wake a vCPU if necessary, but don't do any stats/metadata updates. Returns
* true if the vCPU was blocking and was awakened, false otherwise.
@@ -1464,7 +1469,7 @@ try_get_memslot(struct kvm_memory_slot *slot, gfn_t gfn)
if (!slot)
return NULL;
- if (gfn >= slot->base_gfn && gfn < slot->base_gfn + slot->npages)
+ if (is_gfn_in_memslot(slot, gfn))
return slot;
else
return NULL;
--
2.43.0

View File

@ -2532,6 +2532,7 @@ CONFIG_ARM64_CRYPTO=y
CONFIG_ARM64_E0PD=y
CONFIG_ARM64_ERRATUM_1024718=y
CONFIG_ARM64_ERRATUM_1542419=y
CONFIG_ARM64_ERRATUM_4118414=y
CONFIG_ARM64_ERRATUM_819472=y
CONFIG_ARM64_ERRATUM_824069=y
CONFIG_ARM64_ERRATUM_826319=y

View File

@ -2604,6 +2604,7 @@ CONFIG_ARM64_CRYPTO=y
CONFIG_ARM64_E0PD=y
CONFIG_ARM64_ERRATUM_1024718=y
CONFIG_ARM64_ERRATUM_1542419=y
CONFIG_ARM64_ERRATUM_4118414=y
CONFIG_ARM64_ERRATUM_819472=y
CONFIG_ARM64_ERRATUM_824069=y
CONFIG_ARM64_ERRATUM_826319=y

View File

@ -49,11 +49,10 @@
# define buildid .local
%define specversion 4.18.0
%define pkgrelease 553.139.4.el8_10
%define tarfile_release 553.139.1.el8_10
%define pkgrelease 553.140.1.el8_10
# allow pkg_release to have configurable %%{?dist} tag
%define specrelease 553.139.4%{?dist}
%define specrelease 553.140.1%{?dist}
%define pkg_release %{specrelease}%{?buildid}
@ -447,7 +446,7 @@ BuildRequires: xmlto
BuildRequires: asciidoc
%endif
Source0: linux-%{specversion}-%{tarfile_release}.tar.xz
Source0: linux-%{specversion}-%{pkgrelease}.tar.xz
Source9: x509.genkey
@ -552,10 +551,6 @@ Patch2006: 0006-Bring-back-deprecated-pci-ids-to-lpfc-driver.patch
Patch2007: 0007-Bring-back-deprecated-pci-ids-to-qla4xxx-driver.patch
Patch2008: 0008-Bring-back-deprecated-pci-ids-to-be2iscsi-driver.patch
# AlmaLinux ahead-of-RHEL security fixes
Patch1100: 1100-kvm-x86-fix-shadow-paging-use-after-free.patch
Patch1101: 1101-kvm-x86-mmu-ensure-hugepage-is-in-by-slot.patch
# END OF PATCH DEFINITIONS
BuildRoot: %{_tmppath}/%{name}-%{KVERREL}-root
@ -1113,9 +1108,9 @@ ApplyOptionalPatch()
fi
}
%setup -q -n %{name}-%{specversion}-%{tarfile_release} -c
cp -v %{SOURCE9000} linux-%{specversion}-%{tarfile_release}/certs/rhel.pem
mv linux-%{specversion}-%{tarfile_release} linux-%{KVERREL}
%setup -q -n %{name}-%{specversion}-%{pkgrelease} -c
cp -v %{SOURCE9000} linux-%{specversion}-%{pkgrelease}/certs/rhel.pem
mv linux-%{specversion}-%{pkgrelease} linux-%{KVERREL}
cd linux-%{KVERREL}
@ -1133,10 +1128,6 @@ ApplyPatch 0006-Bring-back-deprecated-pci-ids-to-lpfc-driver.patch
ApplyPatch 0007-Bring-back-deprecated-pci-ids-to-qla4xxx-driver.patch
ApplyPatch 0008-Bring-back-deprecated-pci-ids-to-be2iscsi-driver.patch
# AlmaLinux ahead-of-RHEL security fixes
ApplyPatch 1100-kvm-x86-fix-shadow-paging-use-after-free.patch
ApplyPatch 1101-kvm-x86-mmu-ensure-hugepage-is-in-by-slot.patch
# END OF PATCH APPLICATIONS
# Any further pre-build tree manipulations happen here.
@ -2738,21 +2729,7 @@ fi
#
#
%changelog
* Thu Jul 02 2026 Andrei Lukoshko <alukoshko@almalinux.org> - 4.18.0-553.139.4
- Ensure hugepage is in by slot before checking max mapping level in KVM
hugepage recovery, upstream ef057cbf825e (1101)
* Thu Jul 02 2026 Andrei Lukoshko <alukoshko@almalinux.org> - 4.18.0-553.139.3
- Replace CVE-2026-46113 backport patch series with a single combined
adaptation of upstream 0cb2af2ea66a and 81ccda30b4e8 (1100)
* Thu Jul 02 2026 Andrei Lukoshko <alukoshko@almalinux.org> - 4.18.0-553.139.2
- Fix CVE-2026-46113: KVM x86 shadow paging use-after-free due to unexpected
GFN, backported ahead of RHEL from the 5.15.y stable series with its
prerequisites and the follow-up unexpected-role and hugepage-recovery
fixes (1100-1107)
* Tue Jun 30 2026 Andrei Lukoshko <alukoshko@almalinux.org> - 4.18.0-553.139.1
* Tue Jul 07 2026 Andrei Lukoshko <alukoshko@almalinux.org> - 4.18.0-553.140.1
- hpsa: bring back deprecated PCI ids #CFHack #CFHack2024
- mptsas: bring back deprecated PCI ids #CFHack #CFHack2024
- megaraid_sas: bring back deprecated PCI ids #CFHack #CFHack2024
@ -2763,10 +2740,41 @@ fi
- kernel/rh_messages.h: enable all disabled pci devices by moving to
unmaintained
* Tue Jun 30 2026 Eduard Abdullin <eabdullin@almalinux.org> - 4.18.0-553.139.1
* Tue Jul 07 2026 Eduard Abdullin <eabdullin@almalinux.org> - 4.18.0-553.140.1
- Use AlmaLinux OS secure boot cert
- Debrand for AlmaLinux OS
* Thu Jul 02 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [4.18.0-553.140.1.el8_10]
- Enable workaround for ARM64 ERRATUM 4118414 (Mark Salter) [RHEL-183619] {CVE-2025-10263}
- arm64: errata: Mitigate TLBI errata on Microsoft Azure Cobalt 100 CPU (Mark Salter) [RHEL-183619] {CVE-2025-10263}
- arm64: errata: Mitigate TLBI errata on NVIDIA Olympus CPU (Mark Salter) [RHEL-183619] {CVE-2025-10263}
- arm64: errata: Mitigate TLBI errata on various Arm CPUs (Mark Salter) [RHEL-183619] {CVE-2025-10263}
- arm64: Add part number for Arm Cortex-A78AE (Mark Salter) [RHEL-183619] {CVE-2025-10263}
- arm64: Subscribe Microsoft Azure Cobalt 100 to ARM Neoverse N2 errata (Mark Salter) [RHEL-183619] {CVE-2025-10263}
- arm64: cputype: Add NVIDIA Olympus definitions (Mark Salter) [RHEL-183619] {CVE-2025-10263}
- arm64: cputype: Add C1-Premium definitions (Mark Salter) [RHEL-183619] {CVE-2025-10263}
- arm64: cputype: Add C1-Ultra definitions (Mark Salter) [RHEL-183619] {CVE-2025-10263}
- arm64: cputype: Add C1-Pro definitions (Mark Salter) [RHEL-183619] {CVE-2025-10263}
- arm64: cputype: Add Cortex-A720AE definitions (Mark Salter) [RHEL-183619] {CVE-2025-10263}
- arm64: cputype: Add Neoverse-N3 definitions (Mark Salter) [RHEL-183619] {CVE-2025-10263}
- arm64: cputype: Add Cortex-A725 definitions (Mark Salter) [RHEL-183619] {CVE-2025-10263}
- arm64: cputype: Add Cortex-A720 definitions (Mark Salter) [RHEL-183619] {CVE-2025-10263}
- arm64: Add Cortex-715 CPU part definition (Mark Salter) [RHEL-183619] {CVE-2025-10263}
- arm64: cputype: Add Neoverse-V3AE definitions (Mark Salter) [RHEL-183619] {CVE-2025-10263}
- arm64: cputype: Add MIDR_CORTEX_A76AE (Mark Salter) [RHEL-183619] {CVE-2025-10263}
- arm64: cputype: Add Cortex-X1C definitions (Mark Salter) [RHEL-183619] {CVE-2025-10263}
- arm64: cputype: Add Cortex-X925 definitions (Mark Salter) [RHEL-183619] {CVE-2025-10263}
- arm64: cputype: Add Cortex-X3 definitions (Mark Salter) [RHEL-183619] {CVE-2025-10263}
- arm64: cputype: Add Neoverse-V3 definitions (Mark Salter) [RHEL-183619] {CVE-2025-10263}
- arm64: cputype: Add Cortex-X4 definitions (Mark Salter) [RHEL-183619] {CVE-2025-10263}
- arm64: Add Neoverse-V2 part (Mark Salter) [RHEL-183619] {CVE-2025-10263}
- tcp: fix potential race in tcp_v6_syn_recv_sock() (Antoine Tenart) [RHEL-174237] {CVE-2026-43198}
- procfs: fix missing RCU protection when reading real_parent in do_task_stat() (CKI Backport Bot) [RHEL-181898] {CVE-2026-46259}
- drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs() (CKI Backport Bot) [RHEL-179907] {CVE-2026-46209}
- sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL (CKI Backport Bot) [RHEL-179857] {CVE-2026-46227}
- netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table() (CKI Backport Bot) [RHEL-179736] {CVE-2026-43450}
- vfs: validate inode i_link before use in get_link() (Ian Kent) [RHEL-152759]
* Mon Jun 29 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [4.18.0-553.139.1.el8_10]
- NFS: improve "Server wrote zero bytes" error (Olga Kornievskaia) [RHEL-147665]