hpsa: bring back deprecated PCI ids #CFHack #CFHack2024
mptsas: bring back deprecated PCI ids #CFHack #CFHack2024 megaraid_sas: bring back deprecated PCI ids #CFHack #CFHack2024 qla2xxx: bring back deprecated PCI ids #CFHack #CFHack2024 qla4xxx: bring back deprecated PCI ids lpfc: bring back deprecated PCI ids be2iscsi: bring back deprecated PCI ids kernel/rh_messages.h: enable all disabled pci devices by moving to unmaintained Use AlmaLinux OS secure boot cert Debrand for AlmaLinux OS
This commit is contained in:
commit
7ad90037a7
2
.gitignore
vendored
2
.gitignore
vendored
@ -2,7 +2,7 @@ SOURCES/centossecureboot201.cer
|
||||
SOURCES/centossecurebootca2.cer
|
||||
SOURCES/kernel-abi-stablelists-4.18.0-553.tar.bz2
|
||||
SOURCES/kernel-kabi-dw-4.18.0-553.tar.bz2
|
||||
SOURCES/linux-4.18.0-553.139.1.el8_10.tar.xz
|
||||
SOURCES/linux-4.18.0-553.140.1.el8_10.tar.xz
|
||||
SOURCES/redhatsecureboot302.cer
|
||||
SOURCES/redhatsecureboot303.cer
|
||||
SOURCES/redhatsecureboot501.cer
|
||||
|
||||
@ -1,8 +1,8 @@
|
||||
2ba40bf9138b48311e5aa1b737b7f0a8ad66066f SOURCES/centossecureboot201.cer
|
||||
bfdb3d7cffc43f579655af5155d50c08671d95e5 SOURCES/centossecurebootca2.cer
|
||||
01f536d6c4d739d91dccb30d23ed66059f7b6863 SOURCES/kernel-abi-stablelists-4.18.0-553.tar.bz2
|
||||
37a0c01e60bb7aa700be883e371fadf0f3043dba SOURCES/kernel-kabi-dw-4.18.0-553.tar.bz2
|
||||
8025202b3e62117a3a5c189c12f8b9c103e68058 SOURCES/linux-4.18.0-553.139.1.el8_10.tar.xz
|
||||
9a64909d26286a0785223215919f155eeb31bbbb SOURCES/kernel-abi-stablelists-4.18.0-553.tar.bz2
|
||||
3f5da751289c90692af60f204c87e1e24f64f143 SOURCES/kernel-kabi-dw-4.18.0-553.tar.bz2
|
||||
73b7cd18e6d1f7f0965a70bbb60bb49748dfad28 SOURCES/linux-4.18.0-553.140.1.el8_10.tar.xz
|
||||
13e5cd3f856b472fde80a4deb75f4c18dfb5b255 SOURCES/redhatsecureboot302.cer
|
||||
e89890ca0ded2f9058651cc5fa838b78db2e6cc2 SOURCES/redhatsecureboot303.cer
|
||||
ba0b760e594ff668ee72ae348adf3e49b97f75fb SOURCES/redhatsecureboot501.cer
|
||||
|
||||
@ -1,253 +0,0 @@
|
||||
kpatch-cve: CVE-2026-46113
|
||||
kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2026-46113
|
||||
kpatch-cvss: 8.8
|
||||
kpatch-description: KVM: x86: Fix shadow paging use-after-free due to unexpected GFN/role
|
||||
kpatch-kernel: 4.18.0-553.139.1.el8_10
|
||||
kpatch-patch-url: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0cb2af2ea66ad8ff195c156ea690f11216285bdf
|
||||
|
||||
From: KernelCare Security Team
|
||||
Subject: [PATCH] KVM: x86: Fix shadow paging use-after-free due to unexpected GFN/role
|
||||
|
||||
CVE: CVE-2026-46113
|
||||
|
||||
Upstream Status: manually adapted, not a literal cherry-pick. This
|
||||
combines the effect of two upstream fixes:
|
||||
- commit 0cb2af2ea66a ("KVM: x86: Fix shadow paging use-after-free
|
||||
due to unexpected GFN"), which is the fix CVE-2026-46113 refers to
|
||||
- commit 81ccda30b4e8 ("KVM: x86: Fix shadow paging use-after-free
|
||||
due to unexpected role"), a follow-up closing a second, related
|
||||
hole in the same code path (found while hardening it after the
|
||||
first fix)
|
||||
|
||||
Neither commit applies to this kernel: both are written against
|
||||
upstream's post-refactor MMU (kvm_mmu_get_child_sp()/
|
||||
kvm_mmu_get_shadow_page()/__link_shadow_page(), introduced by a large
|
||||
prerequisite series -- e.g. "KVM: x86/mmu: Derive shadow MMU page role
|
||||
from parent" and "KVM: x86/mmu: pull call to drop_large_spte() into
|
||||
__link_shadow_page()" -- that this 4.18-based kernel does not carry).
|
||||
This kernel still uses the older, pre-refactor shape: each of the
|
||||
three "walk into an existing non-leaf SPTE or install a new one" call
|
||||
sites (kvm_mmu_get_page()+link_shadow_page() in __direct_map() and in
|
||||
both loops of FNAME(fetch)) independently does:
|
||||
|
||||
drop_large_spte(vcpu, it.sptep);
|
||||
if (!is_shadow_present_pte(*it.sptep)) {
|
||||
sp = kvm_mmu_get_page(...);
|
||||
link_shadow_page(vcpu, it.sptep, sp);
|
||||
}
|
||||
|
||||
i.e. if *it.sptep is already present (and not a large leaf,
|
||||
already handled by drop_large_spte()), the walk just continues into
|
||||
whatever child it already points to, without checking that the child
|
||||
actually matches the gfn/role being walked to. This is exactly the
|
||||
root cause both upstream commits describe: if the guest's page tables
|
||||
are modified between VM entries (shadow paging) such that a PDE now
|
||||
resolves to a different gfn, or to a translation requiring a
|
||||
differently-shaped shadow page (e.g. a 2MB direct-mapped leaf split
|
||||
into a 4KB indirect page table), the stale child is reused as-is.
|
||||
When that stale child is later zapped, kvm_mmu_page_get_gfn() derives
|
||||
the wrong gfn for its rmap entries (sp->gfn + index, or sp->gfn
|
||||
itself, instead of the actual mapped gfn), so rmap_remove() cannot
|
||||
find and remove them. If the memslot backing the old translation is
|
||||
then dropped, the shadow page is freed while the stale rmap entry
|
||||
survives; any later rmap walk over that gfn (dirty logging, MMU
|
||||
notifier invalidation such as MADV_DONTNEED, ...) dereferences freed
|
||||
memory.
|
||||
|
||||
Fix this at each of the three call sites by validating, before
|
||||
falling through to "reuse the existing child", that the present
|
||||
non-large SPTE actually points to a child with the expected gfn *and*
|
||||
role (mirroring 81ccda30b4e8's role check on top of 0cb2af2ea66a's gfn
|
||||
check). If it doesn't, the stale SPTE (and its subtree) is torn down
|
||||
via mmu_page_zap_pte() + kvm_mmu_remote_flush_or_zap() -- the same
|
||||
primitives upstream's __link_shadow_page() now uses -- before
|
||||
installing the correct child. This preserves the existing fast path
|
||||
(no hash-table lookup) for the common case where the already-linked
|
||||
child is correct.
|
||||
|
||||
The role/gfn comparison itself is factored into two small helpers,
|
||||
kvm_mmu_child_role() (the role computation already done at the top of
|
||||
kvm_mmu_get_page(), extracted unchanged so both functions share it)
|
||||
and shadow_page_role_matches().
|
||||
|
||||
Note on kernel commit a955cad84cda ("KVM: x86/mmu: Retry page fault if
|
||||
root is invalidated by memslot update"): during upstream's stable
|
||||
backport of 0cb2af2ea66a to 5.10.y/5.15.y, this turned out to be a
|
||||
required prerequisite -- without it, testers hit WARN_ON regressions
|
||||
in kvm_mmu_zap_all_fast()/kvm_mmu_zap_all() (see the "stable backports
|
||||
for ..." thread on kvm@vger.kernel.org, message
|
||||
20260630223723.83727-1-zcgao@amazon.com). This kernel already has the
|
||||
equivalent logic (is_page_fault_stale()/is_obsolete_sp(), used in both
|
||||
direct_page_fault() and FNAME(page_fault)), confirmed present before
|
||||
writing this patch, so no separate prerequisite patch is needed here.
|
||||
|
||||
Reported-by: Hyunwoo Kim <imv4bel@gmail.com>
|
||||
Reported-by: Alexander Bulekov <bkov@amazon.com>
|
||||
Reported-by: Fred Griffoul <fgriffo@amazon.co.uk>
|
||||
---
|
||||
arch/x86/kvm/mmu/mmu.c | 72 ++++++++++++++++++++++++++++++++++-------
|
||||
arch/x86/kvm/mmu/paging_tmpl.h | 40 ++++++++++++++++++++--
|
||||
2 files changed, 96 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c
|
||||
index c4854dc02..696c3b4c6 100644
|
||||
--- a/arch/x86/kvm/mmu/mmu.c
|
||||
+++ b/arch/x86/kvm/mmu/mmu.c
|
||||
@@ -2002,21 +2002,13 @@ static void clear_sp_write_flooding_count(u64 *spte)
|
||||
__clear_sp_write_flooding_count(sptep_to_sp(spte));
|
||||
}
|
||||
|
||||
-static struct kvm_mmu_page *kvm_mmu_get_page(struct kvm_vcpu *vcpu,
|
||||
- gfn_t gfn,
|
||||
- gva_t gaddr,
|
||||
- unsigned level,
|
||||
- int direct,
|
||||
- unsigned int access)
|
||||
+static union kvm_mmu_page_role kvm_mmu_child_role(struct kvm_vcpu *vcpu,
|
||||
+ gva_t gaddr, unsigned level,
|
||||
+ int direct,
|
||||
+ unsigned int access)
|
||||
{
|
||||
- bool direct_mmu = vcpu->arch.mmu->direct_map;
|
||||
union kvm_mmu_page_role role;
|
||||
- struct hlist_head *sp_list;
|
||||
unsigned quadrant;
|
||||
- struct kvm_mmu_page *sp;
|
||||
- int ret;
|
||||
- int collisions = 0;
|
||||
- LIST_HEAD(invalid_list);
|
||||
|
||||
role = vcpu->arch.mmu->mmu_role.base;
|
||||
role.level = level;
|
||||
@@ -2028,6 +2020,46 @@ static struct kvm_mmu_page *kvm_mmu_get_page(struct kvm_vcpu *vcpu,
|
||||
role.quadrant = quadrant;
|
||||
}
|
||||
|
||||
+ return role;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Returns true if @sptep already links to a present, non-large shadow page
|
||||
+ * that matches @gfn and @role, i.e. it is safe to keep walking through the
|
||||
+ * existing child instead of replacing it. The gfn of a direct shadow page
|
||||
+ * only tracks its *first* mapping, so an intervening guest PTE change can
|
||||
+ * leave a present SPTE pointing at a child that was allocated for a
|
||||
+ * different gfn and/or role; blindly reusing it leads to a stale rmap entry
|
||||
+ * (and eventually a use-after-free) once the mismatched child is zapped.
|
||||
+ */
|
||||
+static bool shadow_page_role_matches(u64 *sptep, gfn_t gfn,
|
||||
+ union kvm_mmu_page_role role)
|
||||
+{
|
||||
+ struct kvm_mmu_page *child;
|
||||
+
|
||||
+ if (!is_shadow_present_pte(*sptep) || is_large_pte(*sptep))
|
||||
+ return false;
|
||||
+
|
||||
+ child = to_shadow_page(*sptep & PT64_BASE_ADDR_MASK);
|
||||
+ return child->gfn == gfn && child->role.word == role.word;
|
||||
+}
|
||||
+
|
||||
+static struct kvm_mmu_page *kvm_mmu_get_page(struct kvm_vcpu *vcpu,
|
||||
+ gfn_t gfn,
|
||||
+ gva_t gaddr,
|
||||
+ unsigned level,
|
||||
+ int direct,
|
||||
+ unsigned int access)
|
||||
+{
|
||||
+ bool direct_mmu = vcpu->arch.mmu->direct_map;
|
||||
+ union kvm_mmu_page_role role = kvm_mmu_child_role(vcpu, gaddr, level,
|
||||
+ direct, access);
|
||||
+ struct hlist_head *sp_list;
|
||||
+ struct kvm_mmu_page *sp;
|
||||
+ int ret;
|
||||
+ int collisions = 0;
|
||||
+ LIST_HEAD(invalid_list);
|
||||
+
|
||||
sp_list = &vcpu->kvm->arch.mmu_page_hash[kvm_page_table_hashfn(gfn)];
|
||||
for_each_valid_sp(vcpu->kvm, sp, sp_list) {
|
||||
if (sp->gfn != gfn) {
|
||||
@@ -2946,8 +2978,20 @@ static int __direct_map(struct kvm_vcpu *vcpu, struct kvm_page_fault *fault)
|
||||
break;
|
||||
|
||||
drop_large_spte(vcpu, it.sptep);
|
||||
- if (is_shadow_present_pte(*it.sptep))
|
||||
- continue;
|
||||
+ if (is_shadow_present_pte(*it.sptep)) {
|
||||
+ union kvm_mmu_page_role role;
|
||||
+ LIST_HEAD(invalid_list);
|
||||
+
|
||||
+ role = kvm_mmu_child_role(vcpu, it.addr, it.level - 1,
|
||||
+ true, ACC_ALL);
|
||||
+ if (shadow_page_role_matches(it.sptep, base_gfn, role))
|
||||
+ continue;
|
||||
+
|
||||
+ mmu_page_zap_pte(vcpu->kvm, sptep_to_sp(it.sptep),
|
||||
+ it.sptep, &invalid_list);
|
||||
+ kvm_mmu_remote_flush_or_zap(vcpu->kvm, &invalid_list,
|
||||
+ true);
|
||||
+ }
|
||||
|
||||
sp = kvm_mmu_get_page(vcpu, base_gfn, it.addr,
|
||||
it.level - 1, true, ACC_ALL);
|
||||
diff --git a/arch/x86/kvm/mmu/paging_tmpl.h b/arch/x86/kvm/mmu/paging_tmpl.h
|
||||
index 3b825e60a..911dbe698 100644
|
||||
--- a/arch/x86/kvm/mmu/paging_tmpl.h
|
||||
+++ b/arch/x86/kvm/mmu/paging_tmpl.h
|
||||
@@ -676,10 +676,28 @@ static int FNAME(fetch)(struct kvm_vcpu *vcpu, struct kvm_page_fault *fault,
|
||||
clear_sp_write_flooding_count(it.sptep);
|
||||
drop_large_spte(vcpu, it.sptep);
|
||||
|
||||
+ table_gfn = gw->table_gfn[it.level - 2];
|
||||
+ access = gw->pt_access[it.level - 2];
|
||||
+
|
||||
+ if (is_shadow_present_pte(*it.sptep)) {
|
||||
+ union kvm_mmu_page_role role;
|
||||
+ LIST_HEAD(invalid_list);
|
||||
+
|
||||
+ role = kvm_mmu_child_role(vcpu, fault->addr,
|
||||
+ it.level - 1, false, access);
|
||||
+ if (!shadow_page_role_matches(it.sptep, table_gfn,
|
||||
+ role)) {
|
||||
+ mmu_page_zap_pte(vcpu->kvm,
|
||||
+ sptep_to_sp(it.sptep),
|
||||
+ it.sptep, &invalid_list);
|
||||
+ kvm_mmu_remote_flush_or_zap(vcpu->kvm,
|
||||
+ &invalid_list,
|
||||
+ true);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
sp = NULL;
|
||||
if (!is_shadow_present_pte(*it.sptep)) {
|
||||
- table_gfn = gw->table_gfn[it.level - 2];
|
||||
- access = gw->pt_access[it.level - 2];
|
||||
sp = kvm_mmu_get_page(vcpu, table_gfn, fault->addr,
|
||||
it.level-1, false, access);
|
||||
/*
|
||||
@@ -736,6 +754,24 @@ static int FNAME(fetch)(struct kvm_vcpu *vcpu, struct kvm_page_fault *fault,
|
||||
|
||||
drop_large_spte(vcpu, it.sptep);
|
||||
|
||||
+ if (is_shadow_present_pte(*it.sptep)) {
|
||||
+ union kvm_mmu_page_role role;
|
||||
+ LIST_HEAD(invalid_list);
|
||||
+
|
||||
+ role = kvm_mmu_child_role(vcpu, fault->addr,
|
||||
+ it.level - 1, true,
|
||||
+ direct_access);
|
||||
+ if (!shadow_page_role_matches(it.sptep, base_gfn,
|
||||
+ role)) {
|
||||
+ mmu_page_zap_pte(vcpu->kvm,
|
||||
+ sptep_to_sp(it.sptep),
|
||||
+ it.sptep, &invalid_list);
|
||||
+ kvm_mmu_remote_flush_or_zap(vcpu->kvm,
|
||||
+ &invalid_list,
|
||||
+ true);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
if (!is_shadow_present_pte(*it.sptep)) {
|
||||
sp = kvm_mmu_get_page(vcpu, base_gfn, fault->addr,
|
||||
it.level - 1, true, direct_access);
|
||||
--
|
||||
2.39.2
|
||||
@ -1,134 +0,0 @@
|
||||
From: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Date: Fri, 26 Jun 2026 19:46:19 +0200
|
||||
Subject: KVM: x86/mmu: Ensure hugepage is in by slot before checking max mapping level
|
||||
|
||||
From: Sean Christopherson <seanjc@google.com>
|
||||
|
||||
commit ef057cbf825e03b63f6edf5980f96abf3c53089d upstream.
|
||||
|
||||
When recovering hugepages in the shadow MMU, verify that the base gfn of
|
||||
the shadow page is actually contained within the target memslot, *before*
|
||||
querying the max mapping level given the shadow page's gfn. Failure to
|
||||
pre-check the validity of the gfn can lead to an out-of-bounds access to
|
||||
the slot's lpage_info (which typically manifests as a host #PF because the
|
||||
lpage_info is vmalloc'd) if the guest creates a hugepage mapping (in its
|
||||
PTEs) that extends "below" the bounds of a memslot.
|
||||
|
||||
When faulting in memory for a guest, and the size of the guest mapping is
|
||||
greater than KVM's (current) max mapping, then KVM will create a "direct"
|
||||
shadow page (direct in that there are no gPTEs to shadow, and so the target
|
||||
gfn is a direct calculation given the base gfn of the shadow page). The
|
||||
hugepage recovery flow looks for such direct shadow pages, as forcing 4KiB
|
||||
mappings when dirty logging generates the guest > host mapping size case.
|
||||
When the 4KiB restriction is lifted, then KVM can replace the shadow page
|
||||
with a hugepage.
|
||||
|
||||
But if KVM originally used a smaller mapping than the guest because the
|
||||
range of memory covered by the guest hugepage exceeds the bounds of a
|
||||
memslot, then KVM will link a direct shadow page with a gfn that is outside
|
||||
the bounds of the memslot being used to fault in memory. The rmap entry
|
||||
added for the leaf mapping is correct and within bounds, but the gfn of the
|
||||
leaf SPTE's parent shadow page will be out of bounds.
|
||||
|
||||
BUG: unable to handle page fault for address: ffffc90000806ffc
|
||||
#PF: supervisor read access in kernel mode
|
||||
#PF: error_code(0x0000) - not-present page
|
||||
PGD 100000067 P4D 100000067 PUD 1002a7067 PMD 10612f067 PTE 0
|
||||
Oops: Oops: 0000 [#1] SMP
|
||||
CPU: 13 UID: 1000 PID: 757 Comm: mmu_stress_test Not tainted 7.1.0-rc1-48ce1e26eace-x86_pir_to_irr_comments-vm #341 PREEMPT
|
||||
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
|
||||
RIP: 0010:kvm_mmu_max_mapping_level+0x79/0x2b0 [kvm]
|
||||
Call Trace:
|
||||
<TASK>
|
||||
kvm_mmu_recover_huge_pages+0x21b/0x320 [kvm]
|
||||
kvm_set_memslot+0x1ee/0x590 [kvm]
|
||||
kvm_set_memory_region.part.0+0x3a1/0x4d0 [kvm]
|
||||
kvm_vm_ioctl+0x9bf/0x15d0 [kvm]
|
||||
__x64_sys_ioctl+0x8a/0xd0
|
||||
do_syscall_64+0xb7/0xbb0
|
||||
entry_SYSCALL_64_after_hwframe+0x4b/0x53
|
||||
RIP: 0033:0x7f21c0f1a9bf
|
||||
</TASK>
|
||||
|
||||
Don't bother pre-checking the bounds of the potential hugepage, i.e. don't
|
||||
check that e.g. sp->gfn + KVM_PAGES_PER_HPAGE(sp->role.level + 1) is also
|
||||
within the memslot, as the checks performed by kvm_mmu_max_mapping_level()
|
||||
are a superset of the basic bounds checks. I.e. pre-checking the full
|
||||
range would be a dubious micro-optimization.
|
||||
|
||||
Fixes: 9eba50f8d7fc ("KVM: x86/mmu: Consult max mapping level when zapping collapsible SPTEs")
|
||||
Cc: stable@vger.kernel.org
|
||||
Cc: David Matlack <dmatlack@google.com>
|
||||
Cc: James Houghton <jthoughton@google.com>
|
||||
Cc: Alexander Bulekov <bkov@amazon.com>
|
||||
Cc: Fred Griffoul <fgriffo@amazon.co.uk>
|
||||
Cc: Alexander Graf <graf@amazon.de>
|
||||
Cc: David Woodhouse <dwmw@amazon.co.uk>
|
||||
Cc: Filippo Sironi <sironi@amazon.de>
|
||||
Cc: Ivan Orlov <iorlov@amazon.co.uk>
|
||||
Signed-off-by: Sean Christopherson <seanjc@google.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
---
|
||||
arch/x86/kvm/mmu/mmu.c | 19 +++++++++++++------
|
||||
include/linux/kvm_host.h | 7 ++++++-
|
||||
2 files changed, 19 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c
|
||||
index 9597112..12d3e1f 100644
|
||||
--- a/arch/x86/kvm/mmu/mmu.c
|
||||
+++ b/arch/x86/kvm/mmu/mmu.c
|
||||
@@ -6045,13 +6045,20 @@ restart:
|
||||
pfn = spte_to_pfn(*sptep);
|
||||
|
||||
/*
|
||||
- * We cannot do huge page mapping for indirect shadow pages,
|
||||
- * which are found on the last rmap (level = 1) when not using
|
||||
- * tdp; such shadow pages are synced with the page table in
|
||||
- * the guest, and the guest page table is using 4K page size
|
||||
- * mapping if the indirect sp has level = 1.
|
||||
+ * Direct shadow page can be replaced by a hugepage if the host
|
||||
+ * mapping level allows it and the memslot maps all of the host
|
||||
+ * hugepage. Note! If the memslot maps only part of the
|
||||
+ * hugepage, sp->gfn may be below slot->base_gfn, and querying
|
||||
+ * the max mapping level would cause an out-of-bounds lpage_info
|
||||
+ * access. So the gfn bounds check *must* be done first.
|
||||
+ *
|
||||
+ * Indirect shadow pages are created when the guest page tables
|
||||
+ * are using 4K pages. Since the host mapping is always
|
||||
+ * constrained by the page size in the guest, indirect shadow
|
||||
+ * pages are never collapsible.
|
||||
*/
|
||||
- if (sp->role.direct && !kvm_is_reserved_pfn(pfn) &&
|
||||
+ if (sp->role.direct && is_gfn_in_memslot(slot, sp->gfn) &&
|
||||
+ !kvm_is_reserved_pfn(pfn) &&
|
||||
sp->role.level < kvm_mmu_max_mapping_level(kvm, slot, sp->gfn,
|
||||
pfn, PG_LEVEL_NUM)) {
|
||||
pte_list_remove(kvm, rmap_head, sptep);
|
||||
diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
|
||||
index eaebea6..c37570a 100644
|
||||
--- a/include/linux/kvm_host.h
|
||||
+++ b/include/linux/kvm_host.h
|
||||
@@ -1378,6 +1378,11 @@ static inline struct rcuwait *kvm_arch_vcpu_get_wait(struct kvm_vcpu *vcpu)
|
||||
#endif
|
||||
}
|
||||
|
||||
+static inline bool is_gfn_in_memslot(const struct kvm_memory_slot *slot, gfn_t gfn)
|
||||
+{
|
||||
+ return gfn >= slot->base_gfn && gfn < slot->base_gfn + slot->npages;
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* Wake a vCPU if necessary, but don't do any stats/metadata updates. Returns
|
||||
* true if the vCPU was blocking and was awakened, false otherwise.
|
||||
@@ -1464,7 +1469,7 @@ try_get_memslot(struct kvm_memory_slot *slot, gfn_t gfn)
|
||||
if (!slot)
|
||||
return NULL;
|
||||
|
||||
- if (gfn >= slot->base_gfn && gfn < slot->base_gfn + slot->npages)
|
||||
+ if (is_gfn_in_memslot(slot, gfn))
|
||||
return slot;
|
||||
else
|
||||
return NULL;
|
||||
--
|
||||
2.43.0
|
||||
|
||||
@ -2532,6 +2532,7 @@ CONFIG_ARM64_CRYPTO=y
|
||||
CONFIG_ARM64_E0PD=y
|
||||
CONFIG_ARM64_ERRATUM_1024718=y
|
||||
CONFIG_ARM64_ERRATUM_1542419=y
|
||||
CONFIG_ARM64_ERRATUM_4118414=y
|
||||
CONFIG_ARM64_ERRATUM_819472=y
|
||||
CONFIG_ARM64_ERRATUM_824069=y
|
||||
CONFIG_ARM64_ERRATUM_826319=y
|
||||
|
||||
@ -2604,6 +2604,7 @@ CONFIG_ARM64_CRYPTO=y
|
||||
CONFIG_ARM64_E0PD=y
|
||||
CONFIG_ARM64_ERRATUM_1024718=y
|
||||
CONFIG_ARM64_ERRATUM_1542419=y
|
||||
CONFIG_ARM64_ERRATUM_4118414=y
|
||||
CONFIG_ARM64_ERRATUM_819472=y
|
||||
CONFIG_ARM64_ERRATUM_824069=y
|
||||
CONFIG_ARM64_ERRATUM_826319=y
|
||||
|
||||
@ -49,11 +49,10 @@
|
||||
# define buildid .local
|
||||
|
||||
%define specversion 4.18.0
|
||||
%define pkgrelease 553.139.4.el8_10
|
||||
%define tarfile_release 553.139.1.el8_10
|
||||
%define pkgrelease 553.140.1.el8_10
|
||||
|
||||
# allow pkg_release to have configurable %%{?dist} tag
|
||||
%define specrelease 553.139.4%{?dist}
|
||||
%define specrelease 553.140.1%{?dist}
|
||||
|
||||
%define pkg_release %{specrelease}%{?buildid}
|
||||
|
||||
@ -447,7 +446,7 @@ BuildRequires: xmlto
|
||||
BuildRequires: asciidoc
|
||||
%endif
|
||||
|
||||
Source0: linux-%{specversion}-%{tarfile_release}.tar.xz
|
||||
Source0: linux-%{specversion}-%{pkgrelease}.tar.xz
|
||||
|
||||
Source9: x509.genkey
|
||||
|
||||
@ -552,10 +551,6 @@ Patch2006: 0006-Bring-back-deprecated-pci-ids-to-lpfc-driver.patch
|
||||
Patch2007: 0007-Bring-back-deprecated-pci-ids-to-qla4xxx-driver.patch
|
||||
Patch2008: 0008-Bring-back-deprecated-pci-ids-to-be2iscsi-driver.patch
|
||||
|
||||
# AlmaLinux ahead-of-RHEL security fixes
|
||||
Patch1100: 1100-kvm-x86-fix-shadow-paging-use-after-free.patch
|
||||
Patch1101: 1101-kvm-x86-mmu-ensure-hugepage-is-in-by-slot.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
BuildRoot: %{_tmppath}/%{name}-%{KVERREL}-root
|
||||
@ -1113,9 +1108,9 @@ ApplyOptionalPatch()
|
||||
fi
|
||||
}
|
||||
|
||||
%setup -q -n %{name}-%{specversion}-%{tarfile_release} -c
|
||||
cp -v %{SOURCE9000} linux-%{specversion}-%{tarfile_release}/certs/rhel.pem
|
||||
mv linux-%{specversion}-%{tarfile_release} linux-%{KVERREL}
|
||||
%setup -q -n %{name}-%{specversion}-%{pkgrelease} -c
|
||||
cp -v %{SOURCE9000} linux-%{specversion}-%{pkgrelease}/certs/rhel.pem
|
||||
mv linux-%{specversion}-%{pkgrelease} linux-%{KVERREL}
|
||||
|
||||
cd linux-%{KVERREL}
|
||||
|
||||
@ -1133,10 +1128,6 @@ ApplyPatch 0006-Bring-back-deprecated-pci-ids-to-lpfc-driver.patch
|
||||
ApplyPatch 0007-Bring-back-deprecated-pci-ids-to-qla4xxx-driver.patch
|
||||
ApplyPatch 0008-Bring-back-deprecated-pci-ids-to-be2iscsi-driver.patch
|
||||
|
||||
# AlmaLinux ahead-of-RHEL security fixes
|
||||
ApplyPatch 1100-kvm-x86-fix-shadow-paging-use-after-free.patch
|
||||
ApplyPatch 1101-kvm-x86-mmu-ensure-hugepage-is-in-by-slot.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
# Any further pre-build tree manipulations happen here.
|
||||
@ -2738,21 +2729,7 @@ fi
|
||||
#
|
||||
#
|
||||
%changelog
|
||||
* Thu Jul 02 2026 Andrei Lukoshko <alukoshko@almalinux.org> - 4.18.0-553.139.4
|
||||
- Ensure hugepage is in by slot before checking max mapping level in KVM
|
||||
hugepage recovery, upstream ef057cbf825e (1101)
|
||||
|
||||
* Thu Jul 02 2026 Andrei Lukoshko <alukoshko@almalinux.org> - 4.18.0-553.139.3
|
||||
- Replace CVE-2026-46113 backport patch series with a single combined
|
||||
adaptation of upstream 0cb2af2ea66a and 81ccda30b4e8 (1100)
|
||||
|
||||
* Thu Jul 02 2026 Andrei Lukoshko <alukoshko@almalinux.org> - 4.18.0-553.139.2
|
||||
- Fix CVE-2026-46113: KVM x86 shadow paging use-after-free due to unexpected
|
||||
GFN, backported ahead of RHEL from the 5.15.y stable series with its
|
||||
prerequisites and the follow-up unexpected-role and hugepage-recovery
|
||||
fixes (1100-1107)
|
||||
|
||||
* Tue Jun 30 2026 Andrei Lukoshko <alukoshko@almalinux.org> - 4.18.0-553.139.1
|
||||
* Tue Jul 07 2026 Andrei Lukoshko <alukoshko@almalinux.org> - 4.18.0-553.140.1
|
||||
- hpsa: bring back deprecated PCI ids #CFHack #CFHack2024
|
||||
- mptsas: bring back deprecated PCI ids #CFHack #CFHack2024
|
||||
- megaraid_sas: bring back deprecated PCI ids #CFHack #CFHack2024
|
||||
@ -2763,10 +2740,41 @@ fi
|
||||
- kernel/rh_messages.h: enable all disabled pci devices by moving to
|
||||
unmaintained
|
||||
|
||||
* Tue Jun 30 2026 Eduard Abdullin <eabdullin@almalinux.org> - 4.18.0-553.139.1
|
||||
* Tue Jul 07 2026 Eduard Abdullin <eabdullin@almalinux.org> - 4.18.0-553.140.1
|
||||
- Use AlmaLinux OS secure boot cert
|
||||
- Debrand for AlmaLinux OS
|
||||
|
||||
* Thu Jul 02 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [4.18.0-553.140.1.el8_10]
|
||||
- Enable workaround for ARM64 ERRATUM 4118414 (Mark Salter) [RHEL-183619] {CVE-2025-10263}
|
||||
- arm64: errata: Mitigate TLBI errata on Microsoft Azure Cobalt 100 CPU (Mark Salter) [RHEL-183619] {CVE-2025-10263}
|
||||
- arm64: errata: Mitigate TLBI errata on NVIDIA Olympus CPU (Mark Salter) [RHEL-183619] {CVE-2025-10263}
|
||||
- arm64: errata: Mitigate TLBI errata on various Arm CPUs (Mark Salter) [RHEL-183619] {CVE-2025-10263}
|
||||
- arm64: Add part number for Arm Cortex-A78AE (Mark Salter) [RHEL-183619] {CVE-2025-10263}
|
||||
- arm64: Subscribe Microsoft Azure Cobalt 100 to ARM Neoverse N2 errata (Mark Salter) [RHEL-183619] {CVE-2025-10263}
|
||||
- arm64: cputype: Add NVIDIA Olympus definitions (Mark Salter) [RHEL-183619] {CVE-2025-10263}
|
||||
- arm64: cputype: Add C1-Premium definitions (Mark Salter) [RHEL-183619] {CVE-2025-10263}
|
||||
- arm64: cputype: Add C1-Ultra definitions (Mark Salter) [RHEL-183619] {CVE-2025-10263}
|
||||
- arm64: cputype: Add C1-Pro definitions (Mark Salter) [RHEL-183619] {CVE-2025-10263}
|
||||
- arm64: cputype: Add Cortex-A720AE definitions (Mark Salter) [RHEL-183619] {CVE-2025-10263}
|
||||
- arm64: cputype: Add Neoverse-N3 definitions (Mark Salter) [RHEL-183619] {CVE-2025-10263}
|
||||
- arm64: cputype: Add Cortex-A725 definitions (Mark Salter) [RHEL-183619] {CVE-2025-10263}
|
||||
- arm64: cputype: Add Cortex-A720 definitions (Mark Salter) [RHEL-183619] {CVE-2025-10263}
|
||||
- arm64: Add Cortex-715 CPU part definition (Mark Salter) [RHEL-183619] {CVE-2025-10263}
|
||||
- arm64: cputype: Add Neoverse-V3AE definitions (Mark Salter) [RHEL-183619] {CVE-2025-10263}
|
||||
- arm64: cputype: Add MIDR_CORTEX_A76AE (Mark Salter) [RHEL-183619] {CVE-2025-10263}
|
||||
- arm64: cputype: Add Cortex-X1C definitions (Mark Salter) [RHEL-183619] {CVE-2025-10263}
|
||||
- arm64: cputype: Add Cortex-X925 definitions (Mark Salter) [RHEL-183619] {CVE-2025-10263}
|
||||
- arm64: cputype: Add Cortex-X3 definitions (Mark Salter) [RHEL-183619] {CVE-2025-10263}
|
||||
- arm64: cputype: Add Neoverse-V3 definitions (Mark Salter) [RHEL-183619] {CVE-2025-10263}
|
||||
- arm64: cputype: Add Cortex-X4 definitions (Mark Salter) [RHEL-183619] {CVE-2025-10263}
|
||||
- arm64: Add Neoverse-V2 part (Mark Salter) [RHEL-183619] {CVE-2025-10263}
|
||||
- tcp: fix potential race in tcp_v6_syn_recv_sock() (Antoine Tenart) [RHEL-174237] {CVE-2026-43198}
|
||||
- procfs: fix missing RCU protection when reading real_parent in do_task_stat() (CKI Backport Bot) [RHEL-181898] {CVE-2026-46259}
|
||||
- drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs() (CKI Backport Bot) [RHEL-179907] {CVE-2026-46209}
|
||||
- sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL (CKI Backport Bot) [RHEL-179857] {CVE-2026-46227}
|
||||
- netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table() (CKI Backport Bot) [RHEL-179736] {CVE-2026-43450}
|
||||
- vfs: validate inode i_link before use in get_link() (Ian Kent) [RHEL-152759]
|
||||
|
||||
* Mon Jun 29 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [4.18.0-553.139.1.el8_10]
|
||||
- NFS: improve "Server wrote zero bytes" error (Olga Kornievskaia) [RHEL-147665]
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user