From d590ae252862e317119afc2683d32fadcb11ef1e Mon Sep 17 00:00:00 2001 From: Andrew Lukoshko Date: Tue, 7 Jul 2026 14:26:20 +0000 Subject: [PATCH] Recreate RHEL 5.14.0-687.22.1 from CS9/upstream backports; keep ahead-of-RHEL CVE fixes --- ...veau-gsp-drop-warn-on-in-acpi-probes.patch | 55 +++++ ...sor-after-sctp-sendmsg-to-asoc-in-sc.patch | 83 +++++++ ...t-plane-dimension-calculation-in-drm.patch | 54 +++++ ...rotection-when-reading-real-parent-i.patch | 60 ++++++ ...ft-inner-fix-ipv6-inner-thoff-desync.patch | 59 +++++ ...arm64-cputype-add-c1-pro-definitions.patch | 42 ++++ ...4-cputype-add-c1-premium-definitions.patch | 44 ++++ ...m64-cputype-add-c1-ultra-definitions.patch | 44 ++++ ...putype-add-neoverse-v3ae-definitions.patch | 46 ++++ ...-apply-workarounds-for-neoverse-v3ae.patch | 62 ++++++ ...gate-tlbi-errata-on-various-arm-cpus.patch | 171 +++++++++++++++ ...te-tlbi-errata-on-nvidia-olympus-cpu.patch | 73 +++++++ ...lbi-errata-on-microsoft-azure-cobalt.patch | 55 +++++ ...utype-add-nvidia-olympus-definitions.patch | 35 +++ ...ation-mess-left-by-previous-backport.patch | 204 ++++++++++++++++++ ...-bounds-read-in-cifs-sanitize-prepat.patch | 45 ++++ ...troy-workqueue-on-service-rescan-pci.patch | 82 +++++++ ...-on-setup-error-to-prevent-double-de.patch | 33 +++ .../1732-net-gro-don-t-merge-zcopy-skbs.patch | 43 ++++ ...xfrm-state-lists-in-xfrm-state-delet.patch | 114 ++++++++++ ...f-by-8-bounds-check-in-check-wsl-eas.patch | 59 +++++ ...t-of-bounds-read-in-smb2-compound-op.patch | 70 ++++++ SOURCES/kernel-aarch64-64k-debug-rhel.config | 1 + SOURCES/kernel-aarch64-64k-rhel.config | 1 + SOURCES/kernel-aarch64-debug-rhel.config | 1 + SOURCES/kernel-aarch64-rhel.config | 1 + .../kernel-aarch64-rt-64k-debug-rhel.config | 1 + SOURCES/kernel-aarch64-rt-64k-rhel.config | 1 + SOURCES/kernel-aarch64-rt-debug-rhel.config | 1 + SOURCES/kernel-aarch64-rt-rhel.config | 1 + SPECS/kernel.spec | 85 +++++++- 31 files changed, 1624 insertions(+), 2 deletions(-) create mode 100644 SOURCES/1713-nouveau-gsp-drop-warn-on-in-acpi-probes.patch create mode 100644 SOURCES/1714-sctp-revalidate-list-cursor-after-sctp-sendmsg-to-asoc-in-sc.patch create mode 100644 SOURCES/1715-drm-gem-fix-inconsistent-plane-dimension-calculation-in-drm.patch create mode 100644 SOURCES/1716-procfs-fix-missing-rcu-protection-when-reading-real-parent-i.patch create mode 100644 SOURCES/1717-netfilter-nft-inner-fix-ipv6-inner-thoff-desync.patch create mode 100644 SOURCES/1719-arm64-cputype-add-c1-pro-definitions.patch create mode 100644 SOURCES/1720-arm64-cputype-add-c1-premium-definitions.patch create mode 100644 SOURCES/1721-arm64-cputype-add-c1-ultra-definitions.patch create mode 100644 SOURCES/1722-arm64-cputype-add-neoverse-v3ae-definitions.patch create mode 100644 SOURCES/1723-arm64-errata-apply-workarounds-for-neoverse-v3ae.patch create mode 100644 SOURCES/1724-arm64-errata-mitigate-tlbi-errata-on-various-arm-cpus.patch create mode 100644 SOURCES/1725-arm64-errata-mitigate-tlbi-errata-on-nvidia-olympus-cpu.patch create mode 100644 SOURCES/1726-arm64-errata-mitigate-tlbi-errata-on-microsoft-azure-cobalt.patch create mode 100644 SOURCES/1727-arm64-cputype-add-nvidia-olympus-definitions.patch create mode 100644 SOURCES/1728-clean-up-documentation-mess-left-by-previous-backport.patch create mode 100644 SOURCES/1729-fs-smb-client-fix-out-of-bounds-read-in-cifs-sanitize-prepat.patch create mode 100644 SOURCES/1730-net-mana-fix-double-destroy-workqueue-on-service-rescan-pci.patch create mode 100644 SOURCES/1731-net-mana-null-service-wq-on-setup-error-to-prevent-double-de.patch create mode 100644 SOURCES/1732-net-gro-don-t-merge-zcopy-skbs.patch create mode 100644 SOURCES/1733-xfrm-defensively-unhash-xfrm-state-lists-in-xfrm-state-delet.patch create mode 100644 SOURCES/1734-smb-client-fix-off-by-8-bounds-check-in-check-wsl-eas.patch create mode 100644 SOURCES/1735-smb-client-fix-out-of-bounds-read-in-smb2-compound-op.patch diff --git a/SOURCES/1713-nouveau-gsp-drop-warn-on-in-acpi-probes.patch b/SOURCES/1713-nouveau-gsp-drop-warn-on-in-acpi-probes.patch new file mode 100644 index 000000000..3a87b0159 --- /dev/null +++ b/SOURCES/1713-nouveau-gsp-drop-warn-on-in-acpi-probes.patch @@ -0,0 +1,55 @@ +From d1c991c860496d97044802ea54b30f20db468c1d Mon Sep 17 00:00:00 2001 +From: Dave Airlie +Date: Thu, 21 Nov 2024 11:46:01 +1000 +Subject: [PATCH] nouveau/gsp: drop WARN_ON in ACPI probes + +commit 9478c166c46934160135e197b049b5a05753f2ad upstream. + +These WARN_ONs seem to trigger a lot, and we don't seem to have a +plan to fix them, so just drop them, as they are most likely +harmless. + +Cc: stable@vger.kernel.org +Fixes: 176fdcbddfd2 ("drm/nouveau/gsp/r535: add support for booting GSP-RM") +Signed-off-by: Dave Airlie +Link: https://patch.msgid.link/20241121014601.229391-1-airlied@gmail.com +Signed-off-by: Danilo Krummrich +Signed-off-by: Greg Kroah-Hartman + +diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/gsp.c b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/gsp.c +index 7fb13434c..a575a8dbf 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/gsp.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/gsp.c +@@ -737,8 +737,8 @@ r535_gsp_acpi_caps(acpi_handle handle, CAPS_METHOD_DATA *caps) + if (!obj) + goto done; + +- if (WARN_ON(obj->type != ACPI_TYPE_BUFFER) || +- WARN_ON(obj->buffer.length != 4)) ++ if (obj->type != ACPI_TYPE_BUFFER || ++ obj->buffer.length != 4) + goto done; + + caps->status = 0; +@@ -773,8 +773,8 @@ r535_gsp_acpi_jt(acpi_handle handle, JT_METHOD_DATA *jt) + if (!obj) + goto done; + +- if (WARN_ON(obj->type != ACPI_TYPE_BUFFER) || +- WARN_ON(obj->buffer.length != 4)) ++ if (obj->type != ACPI_TYPE_BUFFER || ++ obj->buffer.length != 4) + goto done; + + jt->status = 0; +@@ -861,8 +861,8 @@ r535_gsp_acpi_dod(acpi_handle handle, DOD_METHOD_DATA *dod) + + _DOD = output.pointer; + +- if (WARN_ON(_DOD->type != ACPI_TYPE_PACKAGE) || +- WARN_ON(_DOD->package.count > ARRAY_SIZE(dod->acpiIdList))) ++ if (_DOD->type != ACPI_TYPE_PACKAGE || ++ _DOD->package.count > ARRAY_SIZE(dod->acpiIdList)) + return; + + for (int i = 0; i < _DOD->package.count; i++) { diff --git a/SOURCES/1714-sctp-revalidate-list-cursor-after-sctp-sendmsg-to-asoc-in-sc.patch b/SOURCES/1714-sctp-revalidate-list-cursor-after-sctp-sendmsg-to-asoc-in-sc.patch new file mode 100644 index 000000000..9ebed0768 --- /dev/null +++ b/SOURCES/1714-sctp-revalidate-list-cursor-after-sctp-sendmsg-to-asoc-in-sc.patch @@ -0,0 +1,83 @@ +From 00c03cd13c65e9e641347130541d9a58b57e6152 Mon Sep 17 00:00:00 2001 +From: CKI Backport Bot +Date: Thu, 28 May 2026 12:43:00 +0000 +Subject: [PATCH] sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in + SCTP_SENDALL + +JIRA: https://redhat.atlassian.net/browse/RHEL-179859 +CVE: CVE-2026-46227 +Backported from tree(s): linux + +commit abb5f36771cc4c05899b34000829a787572a8817 +Author: Ben Morris +Date: Thu May 7 17:14:55 2026 -0700 + + sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL + + The SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with + list_for_each_entry_safe(), which caches the next entry in @tmp before + the loop body runs. The body calls sctp_sendmsg_to_asoc(), which may + drop the socket lock inside sctp_wait_for_sndbuf(). + + While the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the + association cached in @tmp, migrating it to a new endpoint via + sctp_sock_migrate() (list_del_init() + list_add_tail() to + newep->asocs), and optionally close the new socket which frees the + association via kfree_rcu(). The cached @tmp can also be freed by a + network ABORT for that association, processed in softirq while the + lock is dropped. + + sctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock + via the "sk != asoc->base.sk" and "asoc->base.dead" checks, but nothing + revalidates @tmp. After a successful return, the iterator advances to + the stale @tmp, yielding either a use-after-free (if the peeled socket + was closed) or a list-walk onto the new endpoint's list head (type + confusion of &newep->asocs as a struct sctp_association *). + + Both are reachable from CapEff=0; the type-confusion path gives + controlled indirect call via the outqueue.sched->init_sid pointer. + + Fix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc() + returns. @asoc is known to still be on ep->asocs at that point: the + only callers that list_del an association from ep->asocs are + sctp_association_free() (which sets asoc->base.dead) and + sctp_assoc_migrate() (which changes asoc->base.sk), and + sctp_wait_for_sndbuf() checks both under the lock before any + successful return; a tripped check propagates as err < 0 and the loop + bails before the re-derive. + + The SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the + loop hits 'continue' before sctp_sendmsg_to_asoc() is ever called, so + the @tmp cached by list_for_each_entry_safe() still covers the + lock-held free that ba59fb027307 ("sctp: walk the list of asoc + safely") was added for. + + Fixes: 4910280503f3 ("sctp: add support for snd flag SCTP_SENDALL process in sendmsg") + Cc: stable@vger.kernel.org + Signed-off-by: Ben Morris + Acked-by: Xin Long + Link: https://patch.msgid.link/20260508001455.3137-1-joycathacker@gmail.com + Signed-off-by: Jakub Kicinski + +Signed-off-by: CKI Backport Bot + +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index f99382c11..43ad2cb7a 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -1988,6 +1988,15 @@ static int sctp_sendmsg(struct sock *sk, struct msghdr *msg, size_t msg_len) + goto out_unlock; + + iov_iter_revert(&msg->msg_iter, err); ++ ++ /* sctp_sendmsg_to_asoc() may have released the socket ++ * lock (sctp_wait_for_sndbuf), during which other ++ * associations on ep->asocs could have been peeled ++ * off or freed. @asoc itself is revalidated by the ++ * base.dead and base.sk checks in sctp_wait_for_sndbuf, ++ * so re-derive the cached cursor from it. ++ */ ++ tmp = list_next_entry(asoc, asocs); + } + + goto out_unlock; diff --git a/SOURCES/1715-drm-gem-fix-inconsistent-plane-dimension-calculation-in-drm.patch b/SOURCES/1715-drm-gem-fix-inconsistent-plane-dimension-calculation-in-drm.patch new file mode 100644 index 000000000..bcd6b4f30 --- /dev/null +++ b/SOURCES/1715-drm-gem-fix-inconsistent-plane-dimension-calculation-in-drm.patch @@ -0,0 +1,54 @@ +From adfc5ba4ef4dd2bca5969f40e8fc7b41fb3902ad Mon Sep 17 00:00:00 2001 +From: Ashutosh Desai +Date: Mon, 20 Apr 2026 01:36:37 +0000 +Subject: [PATCH] drm/gem: Fix inconsistent plane dimension calculation in + drm_gem_fb_init_with_funcs() + +commit 3d4c2268bd7243c3780fe32bf24ff876da272acf upstream. + +drm_gem_fb_init_with_funcs() computes sub-sampled plane dimensions +using plain integer division: + + unsigned int width = mode_cmd->width / (i ? info->hsub : 1); + unsigned int height = mode_cmd->height / (i ? info->vsub : 1); + +However, the ioctl-level framebuffer_check() in drm_framebuffer.c uses +drm_format_info_plane_width/height() which round up dimensions via +DIV_ROUND_UP(). This inconsistency corrupts the subsequent GEM object +size check for certain pixel format and dimension combinations. + +For example, with NV12 (vsub=2) and a 1-pixel-tall framebuffer the +GEM size validation path sees height=0 instead of height=1. The +expression (height - 1) then wraps to UINT_MAX as an unsigned int, +causing min_size to overflow and wrap back to a small value. A tiny +GEM object therefore passes the size guard, yet when the GPU accesses +the chroma plane it will read or write memory beyond the object's +bounds. + +Fix by replacing the open-coded divisions with drm_format_info_plane_width() +and drm_format_info_plane_height(), which use DIV_ROUND_UP() and match +the calculation already used in framebuffer_check(). + +Fixes: 4c3dbb2c312c ("drm: Add GEM backed framebuffer library") +Cc: stable@vger.kernel.org # v4.14+ +Reviewed-by: Thomas Zimmermann +Signed-off-by: Ashutosh Desai +Signed-off-by: Thomas Zimmermann +Link: https://patch.msgid.link/20260420013637.457751-1-ashutoshdesai993@gmail.com +Signed-off-by: Greg Kroah-Hartman + +diff --git a/drivers/gpu/drm/drm_gem_framebuffer_helper.c b/drivers/gpu/drm/drm_gem_framebuffer_helper.c +index 167be6f3c..219fa736c 100644 +--- a/drivers/gpu/drm/drm_gem_framebuffer_helper.c ++++ b/drivers/gpu/drm/drm_gem_framebuffer_helper.c +@@ -171,8 +171,8 @@ int drm_gem_fb_init_with_funcs(struct drm_device *dev, + } + + for (i = 0; i < info->num_planes; i++) { +- unsigned int width = mode_cmd->width / (i ? info->hsub : 1); +- unsigned int height = mode_cmd->height / (i ? info->vsub : 1); ++ unsigned int width = drm_format_info_plane_width(info, mode_cmd->width, i); ++ unsigned int height = drm_format_info_plane_height(info, mode_cmd->height, i); + unsigned int min_size; + + objs[i] = drm_gem_object_lookup(file, mode_cmd->handles[i]); diff --git a/SOURCES/1716-procfs-fix-missing-rcu-protection-when-reading-real-parent-i.patch b/SOURCES/1716-procfs-fix-missing-rcu-protection-when-reading-real-parent-i.patch new file mode 100644 index 000000000..a69c1742a --- /dev/null +++ b/SOURCES/1716-procfs-fix-missing-rcu-protection-when-reading-real-parent-i.patch @@ -0,0 +1,60 @@ +From d64340a9a54b2dfe5db7ba3d5649107eb9b4a5a5 Mon Sep 17 00:00:00 2001 +From: CKI Backport Bot +Date: Wed, 3 Jun 2026 18:59:39 +0000 +Subject: [PATCH] procfs: fix missing RCU protection when reading real_parent + in do_task_stat() + +JIRA: https://redhat.atlassian.net/browse/RHEL-181904 +CVE: CVE-2026-46259 +Backported from tree(s): linux + +commit 76149d53502cf17ef3ae454ff384551236fba867 +Author: Jinliang Zheng +Date: Wed Jan 28 16:30:07 2026 +0800 + + procfs: fix missing RCU protection when reading real_parent in do_task_stat() + + When reading /proc/[pid]/stat, do_task_stat() accesses task->real_parent + without proper RCU protection, which leads to: + + cpu 0 cpu 1 + ----- ----- + do_task_stat + var = task->real_parent + release_task + call_rcu(delayed_put_task_struct) + task_tgid_nr_ns(var) + rcu_read_lock <--- Too late to protect task->real_parent! + task_pid_ptr <--- UAF! + rcu_read_unlock + + This patch uses task_ppid_nr_ns() instead of task_tgid_nr_ns() to add + proper RCU protection for accessing task->real_parent. + + Link: https://lkml.kernel.org/r/20260128083007.3173016-1-alexjlzheng@tencent.com + Fixes: 06fffb1267c9 ("do_task_stat: don't take rcu_read_lock()") + Signed-off-by: Jinliang Zheng + Acked-by: Oleg Nesterov + Cc: David Hildenbrand + Cc: Ingo Molnar + Cc: Lorenzo Stoakes + Cc: Mateusz Guzik + Cc: ruippan + Cc: Usama Arif + Signed-off-by: Andrew Morton + +Signed-off-by: CKI Backport Bot + +diff --git a/fs/proc/array.c b/fs/proc/array.c +index 0e414fc4e..87798c51b 100644 +--- a/fs/proc/array.c ++++ b/fs/proc/array.c +@@ -539,7 +539,7 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, + } + + sid = task_session_nr_ns(task, ns); +- ppid = task_tgid_nr_ns(task->real_parent, ns); ++ ppid = task_ppid_nr_ns(task, ns); + pgid = task_pgrp_nr_ns(task, ns); + + unlock_task_sighand(task, &flags); diff --git a/SOURCES/1717-netfilter-nft-inner-fix-ipv6-inner-thoff-desync.patch b/SOURCES/1717-netfilter-nft-inner-fix-ipv6-inner-thoff-desync.patch new file mode 100644 index 000000000..b104af76a --- /dev/null +++ b/SOURCES/1717-netfilter-nft-inner-fix-ipv6-inner-thoff-desync.patch @@ -0,0 +1,59 @@ +From 73b5b9723557438d6c599146896627089504f03a Mon Sep 17 00:00:00 2001 +From: CKI Backport Bot +Date: Wed, 3 Jun 2026 21:42:17 +0000 +Subject: [PATCH] netfilter: nft_inner: Fix IPv6 inner_thoff desync +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +JIRA: https://redhat.atlassian.net/browse/RHEL-181932 +CVE: CVE-2026-46244 +Backported from tree(s): linux + +commit b6a91f68ebfed9c38e0e9150f58a9b85da07181c +Author: Yizhou Zhao +Date: Tue May 12 01:30:41 2026 +0800 + + netfilter: nft_inner: Fix IPv6 inner_thoff desync + + In nft_inner_parse_l2l3(), when processing inner IPv6 packets, + ipv6_find_hdr() correctly computes the transport header offset + traversing all extension headers, but the result is immediately + overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only + accounts for the IPv6 base header. This creates a desync between + inner_thoff (wrong — points to extension header start) and l4proto + (correct — e.g., IPPROTO_TCP), enabling transport header forgery + and potential firewall bypass. This issue affects stable versions + from Linux 6.2. + + For comparison, the normal (non-inner) IPv6 path correctly + preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite + ensures that ipv6_find_hdr()'s calculated transport header offset is + preserved, thereby fixing the desynchronization. + + Fixes: 3a07327d10a0 ("netfilter: nft_inner: support for inner tunnel header matching") + Cc: stable@vger.kernel.org + Reported-by: Yizhou Zhao + Reported-by: Yuxiang Yang + Reported-by: Xuewei Feng + Reported-by: Qi Li + Reported-by: Ke Xu + Assisted-by: GLM:5.1 Z.ai + Signed-off-by: Yizhou Zhao + Reviewed-by: Fernando Fernandez Mancera + Signed-off-by: Pablo Neira Ayuso + +Signed-off-by: CKI Backport Bot + +diff --git a/net/netfilter/nft_inner.c b/net/netfilter/nft_inner.c +index 817ab978d..5e6a1d370 100644 +--- a/net/netfilter/nft_inner.c ++++ b/net/netfilter/nft_inner.c +@@ -156,7 +156,6 @@ static int nft_inner_parse_l2l3(const struct nft_inner *priv, + return -1; + + if (fragoff == 0) { +- thoff = nhoff + sizeof(_ip6h); + ctx->flags |= NFT_PAYLOAD_CTX_INNER_TH; + ctx->inner_thoff = thoff; + ctx->l4proto = l4proto; diff --git a/SOURCES/1719-arm64-cputype-add-c1-pro-definitions.patch b/SOURCES/1719-arm64-cputype-add-c1-pro-definitions.patch new file mode 100644 index 000000000..52329cdae --- /dev/null +++ b/SOURCES/1719-arm64-cputype-add-c1-pro-definitions.patch @@ -0,0 +1,42 @@ +From ee5ce483d42809b6c9e5bb25c33601e54229128f Mon Sep 17 00:00:00 2001 +From: Catalin Marinas +Date: Tue, 21 Apr 2026 11:00:16 +0100 +Subject: [PATCH] arm64: cputype: Add C1-Pro definitions + +commit 2c99561016c591f4c3d5ad7d22a61b8726e79735 upstream. + +Add cputype definitions for C1-Pro. These will be used for errata +detection in subsequent patches. + +These values can be found in "Table A-303: MIDR_EL1 bit descriptions" in +issue 07 of the C1-Pro TRM: + + https://documentation-service.arm.com/static/6930126730f8f55a656570af + +Acked-by: Mark Rutland +Cc: Will Deacon +Cc: James Morse +Reviewed-by: Will Deacon +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman + +diff --git a/arch/arm64/include/asm/cputype.h b/arch/arm64/include/asm/cputype.h +index 751b78cd3..b0a90d6a4 100644 +--- a/arch/arm64/include/asm/cputype.h ++++ b/arch/arm64/include/asm/cputype.h +@@ -98,6 +98,7 @@ + #define ARM_CPU_PART_CORTEX_A725 0xD87 + #define ARM_CPU_PART_CORTEX_A720AE 0xD89 + #define ARM_CPU_PART_NEOVERSE_N3 0xD8E ++#define ARM_CPU_PART_C1_PRO 0xD8B + + #define APM_CPU_PART_XGENE 0x000 + #define APM_CPU_VAR_POTENZA 0x00 +@@ -185,6 +186,7 @@ + #define MIDR_CORTEX_A725 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A725) + #define MIDR_CORTEX_A720AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A720AE) + #define MIDR_NEOVERSE_N3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N3) ++#define MIDR_C1_PRO MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_PRO) + #define MIDR_THUNDERX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX) + #define MIDR_THUNDERX_81XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_81XX) + #define MIDR_THUNDERX_83XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_83XX) diff --git a/SOURCES/1720-arm64-cputype-add-c1-premium-definitions.patch b/SOURCES/1720-arm64-cputype-add-c1-premium-definitions.patch new file mode 100644 index 000000000..ce7aace14 --- /dev/null +++ b/SOURCES/1720-arm64-cputype-add-c1-premium-definitions.patch @@ -0,0 +1,44 @@ +From 521008bee0c5c6a1d7db31bc77f2b488b859958e Mon Sep 17 00:00:00 2001 +From: Mark Rutland +Date: Tue, 16 Jun 2026 06:23:04 +0100 +Subject: [PATCH] arm64: cputype: Add C1-Premium definitions + +commit d28413bfc5a255957241f1df5d7fd0c2cd74fe18 upstream. + +Add cputype definitions for C1-Premium. These will be used for errata +detection in subsequent patches. + +These values can be found in the C1-Premium TRM: + + https://developer.arm.com/documentation/109416/0100/ + +... in section A.5.1 ("MIDR_EL1, Main ID Register"). + +Signed-off-by: Mark Rutland +Cc: Catalin Marinas +Cc: Will Deacon +Signed-off-by: Will Deacon +[Mark: backport to v5.15.y] +Signed-off-by: Mark Rutland +Signed-off-by: Greg Kroah-Hartman + +diff --git a/arch/arm64/include/asm/cputype.h b/arch/arm64/include/asm/cputype.h +index b0a90d6a4..e075a0c96 100644 +--- a/arch/arm64/include/asm/cputype.h ++++ b/arch/arm64/include/asm/cputype.h +@@ -99,6 +99,7 @@ + #define ARM_CPU_PART_CORTEX_A720AE 0xD89 + #define ARM_CPU_PART_NEOVERSE_N3 0xD8E + #define ARM_CPU_PART_C1_PRO 0xD8B ++#define ARM_CPU_PART_C1_PREMIUM 0xD90 + + #define APM_CPU_PART_XGENE 0x000 + #define APM_CPU_VAR_POTENZA 0x00 +@@ -169,6 +170,7 @@ + #define MIDR_CORTEX_A78AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78AE) + #define MIDR_CORTEX_X1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X1) + #define MIDR_CORTEX_A510 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A510) ++#define MIDR_C1_PREMIUM MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_PREMIUM) + #define MIDR_CORTEX_X1C MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X1C) + #define MIDR_CORTEX_A520 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A520) + #define MIDR_CORTEX_A710 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A710) diff --git a/SOURCES/1721-arm64-cputype-add-c1-ultra-definitions.patch b/SOURCES/1721-arm64-cputype-add-c1-ultra-definitions.patch new file mode 100644 index 000000000..85baa2304 --- /dev/null +++ b/SOURCES/1721-arm64-cputype-add-c1-ultra-definitions.patch @@ -0,0 +1,44 @@ +From 6bb606b134779251805f07433df85d8bd874dcfc Mon Sep 17 00:00:00 2001 +From: Mark Rutland +Date: Tue, 16 Jun 2026 06:23:03 +0100 +Subject: [PATCH] arm64: cputype: Add C1-Ultra definitions + +commit 60349e64a6c65f9f0aa118af711b3c7e137f07ff upstream. + +Add cputype definitions for C1-Ultra. These will be used for errata +detection in subsequent patches. + +These values can be found in the C1-Ultra TRM: + + https://developer.arm.com/documentation/108014/0100/ + +... in section A.5.1 ("MIDR_EL1, Main ID Register"). + +Signed-off-by: Mark Rutland +Cc: Catalin Marinas +Cc: Will Deacon +Signed-off-by: Will Deacon +[Mark: backport to v5.15.y] +Signed-off-by: Mark Rutland +Signed-off-by: Greg Kroah-Hartman + +diff --git a/arch/arm64/include/asm/cputype.h b/arch/arm64/include/asm/cputype.h +index e075a0c96..0fe5fea9b 100644 +--- a/arch/arm64/include/asm/cputype.h ++++ b/arch/arm64/include/asm/cputype.h +@@ -97,6 +97,7 @@ + #define ARM_CPU_PART_CORTEX_X925 0xD85 + #define ARM_CPU_PART_CORTEX_A725 0xD87 + #define ARM_CPU_PART_CORTEX_A720AE 0xD89 ++#define ARM_CPU_PART_C1_ULTRA 0xD8C + #define ARM_CPU_PART_NEOVERSE_N3 0xD8E + #define ARM_CPU_PART_C1_PRO 0xD8B + #define ARM_CPU_PART_C1_PREMIUM 0xD90 +@@ -166,6 +167,7 @@ + #define MIDR_CORTEX_A77 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A77) + #define MIDR_CORTEX_A76AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A76AE) + #define MIDR_NEOVERSE_V1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V1) ++#define MIDR_C1_ULTRA MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_ULTRA) + #define MIDR_CORTEX_A78 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78) + #define MIDR_CORTEX_A78AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78AE) + #define MIDR_CORTEX_X1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X1) diff --git a/SOURCES/1722-arm64-cputype-add-neoverse-v3ae-definitions.patch b/SOURCES/1722-arm64-cputype-add-neoverse-v3ae-definitions.patch new file mode 100644 index 000000000..fd14dfffc --- /dev/null +++ b/SOURCES/1722-arm64-cputype-add-neoverse-v3ae-definitions.patch @@ -0,0 +1,46 @@ +From a6ef05314d5a8ab238088ae708843ec59b58b082 Mon Sep 17 00:00:00 2001 +From: Mark Rutland +Date: Fri, 19 Sep 2025 15:58:28 +0100 +Subject: [PATCH] arm64: cputype: Add Neoverse-V3AE definitions + +commit 3bbf004c4808e2c3241e5c1ad6cc102f38a03c39 upstream. + +Add cputype definitions for Neoverse-V3AE. These will be used for errata +detection in subsequent patches. + +These values can be found in the Neoverse-V3AE TRM: + + https://developer.arm.com/documentation/SDEN-2615521/9-0/ + +... in section A.6.1 ("MIDR_EL1, Main ID Register"). + +Signed-off-by: Mark Rutland +Cc: James Morse +Cc: Will Deacon +Cc: Catalin Marinas +Signed-off-by: Ryan Roberts +Signed-off-by: Will Deacon +[ Ryan: Trivial backport ] +Signed-off-by: Ryan Roberts +Signed-off-by: Greg Kroah-Hartman + +diff --git a/arch/arm64/include/asm/cputype.h b/arch/arm64/include/asm/cputype.h +index 0fe5fea9b..986bd0fc0 100644 +--- a/arch/arm64/include/asm/cputype.h ++++ b/arch/arm64/include/asm/cputype.h +@@ -93,6 +93,7 @@ + #define ARM_CPU_PART_NEOVERSE_V2 0xD4F + #define ARM_CPU_PART_CORTEX_A720 0xD81 + #define ARM_CPU_PART_CORTEX_X4 0xD82 ++#define ARM_CPU_PART_NEOVERSE_V3AE 0xD83 + #define ARM_CPU_PART_NEOVERSE_V3 0xD84 + #define ARM_CPU_PART_CORTEX_X925 0xD85 + #define ARM_CPU_PART_CORTEX_A725 0xD87 +@@ -185,6 +186,7 @@ + #define MIDR_NEOVERSE_V2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V2) + #define MIDR_CORTEX_A720 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A720) + #define MIDR_CORTEX_X4 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X4) ++#define MIDR_NEOVERSE_V3AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3AE) + #define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3) + #define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925) + #define MIDR_CORTEX_A725 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A725) diff --git a/SOURCES/1723-arm64-errata-apply-workarounds-for-neoverse-v3ae.patch b/SOURCES/1723-arm64-errata-apply-workarounds-for-neoverse-v3ae.patch new file mode 100644 index 000000000..acba4f75a --- /dev/null +++ b/SOURCES/1723-arm64-errata-apply-workarounds-for-neoverse-v3ae.patch @@ -0,0 +1,62 @@ +From dc9f91f849860591bf4b02c75e6407780cf2df69 Mon Sep 17 00:00:00 2001 +From: Mark Rutland +Date: Fri, 19 Sep 2025 15:58:29 +0100 +Subject: [PATCH] arm64: errata: Apply workarounds for Neoverse-V3AE + +commit 0c33aa1804d101c11ba1992504f17a42233f0e11 upstream. + +Neoverse-V3AE is also affected by erratum #3312417, as described in its +Software Developer Errata Notice (SDEN) document: + + Neoverse V3AE (MP172) SDEN v9.0, erratum 3312417 + https://developer.arm.com/documentation/SDEN-2615521/9-0/ + +Enable the workaround for Neoverse-V3AE, and document this. + +Signed-off-by: Mark Rutland +Cc: James Morse +Cc: Will Deacon +Cc: Catalin Marinas +Signed-off-by: Ryan Roberts +Signed-off-by: Will Deacon +[ Ryan: Trivial backport ] +Signed-off-by: Ryan Roberts +Signed-off-by: Greg Kroah-Hartman + +diff --git a/Documentation/arm64/silicon-errata.rst b/Documentation/arm64/silicon-errata.rst +index 29c8e3936..95227fbba 100644 +--- a/Documentation/arm64/silicon-errata.rst ++++ b/Documentation/arm64/silicon-errata.rst +@@ -160,6 +160,8 @@ stable kernels. + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A715 | #3456084 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Neoverse-V3AE | #3312417 | ARM64_ERRATUM_3194386 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A720 | #3456091 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A725 | #3456106 | ARM64_ERRATUM_3194386 | +diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig +index 60c6bfae4..903aec08c 100644 +--- a/arch/arm64/Kconfig ++++ b/arch/arm64/Kconfig +@@ -1106,6 +1106,7 @@ config ARM64_ERRATUM_3194386 + * ARM Neoverse-V1 erratum 3324341 + * ARM Neoverse V2 erratum 3324336 + * ARM Neoverse-V3 erratum 3312417 ++ * ARM Neoverse-V3AE erratum 3312417 + + On affected cores "MSR SSBS, #0" instructions may not affect + subsequent speculative instructions, which may permit unexepected +diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c +index e08910c40..f3c2d766c 100644 +--- a/arch/arm64/kernel/cpu_errata.c ++++ b/arch/arm64/kernel/cpu_errata.c +@@ -456,6 +456,7 @@ static const struct midr_range erratum_spec_ssbs_list[] = { + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1), + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V2), + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3), ++ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3AE), + {} + }; + #endif diff --git a/SOURCES/1724-arm64-errata-mitigate-tlbi-errata-on-various-arm-cpus.patch b/SOURCES/1724-arm64-errata-mitigate-tlbi-errata-on-various-arm-cpus.patch new file mode 100644 index 000000000..c7f1f592b --- /dev/null +++ b/SOURCES/1724-arm64-errata-mitigate-tlbi-errata-on-various-arm-cpus.patch @@ -0,0 +1,171 @@ +From 8364384ae82fbffdf8968abaac3455ed854da18d Mon Sep 17 00:00:00 2001 +From: Mark Rutland +Date: Tue, 16 Jun 2026 06:23:05 +0100 +Subject: [PATCH] arm64: errata: Mitigate TLBI errata on various Arm CPUs + +commit cfd391e74134db664feb499d43af286380b10ba8 upstream. + +A number of CPUs developed by Arm suffer from errata whereby a broadcast +TLBI;DSB sequence may complete before the global observation of writes +which are translated by an affected TLB entry. + +These errata ONLY affect the completion of memory accesses which have +been translated by an invalidated TLB entry, and these errata DO NOT +affect the actual invalidation of TLB entries. TLB entries are removed +correctly. + +This issue has been assigned CVE ID CVE-2025-10263. + +To mitigate this issue, Arm recommends that software follows any +affected TLBI;DSB sequence with an additional TLBI;DSB, which will +ensure that all memory write effects affected by the first TLBI have +been globally observed. The additional TLBI can use any operation that +is broadcast to affected CPUs, and the additional DSB can use any option +that is sufficient to complete the additional TLBI. + +The ARM64_WORKAROUND_REPEAT_TLBI workaround is sufficient to mitigate +the issue. Enable this workaround for affected CPUs, and update the +silicon errata documentation accordingly. + +Note that due to the manner in which Arm develops IP and tracks errata, +some CPUs share a common erratum number. + +Signed-off-by: Mark Rutland +Cc: Catalin Marinas +Cc: Will Deacon +Signed-off-by: Will Deacon +[Mark: backport to v5.15.y] +Signed-off-by: Mark Rutland +Signed-off-by: Greg Kroah-Hartman + +diff --git a/Documentation/arm64/silicon-errata.rst b/Documentation/arm64/silicon-errata.rst +index 95227fbba..3960a75ab 100644 +--- a/Documentation/arm64/silicon-errata.rst ++++ b/Documentation/arm64/silicon-errata.rst +@@ -158,6 +158,8 @@ stable kernels. + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A715 | #2645198 | ARM64_ERRATUM_2645198 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Cortex-A710 | #4193788 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A715 | #3456084 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Neoverse-V3AE | #3312417 | ARM64_ERRATUM_3194386 | +@@ -194,6 +196,8 @@ stable kernels. + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Neoverse-N1 | #3324349 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Neoverse-N1 | #4193800 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Neoverse-N2 | #2139208 | ARM64_ERRATUM_2139208 | + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Neoverse-N2 | #2067961 | ARM64_ERRATUM_2067961 | +diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig +index 903aec08c..030ccd4b3 100644 +--- a/arch/arm64/Kconfig ++++ b/arch/arm64/Kconfig +@@ -1120,6 +1120,54 @@ config ARM64_ERRATUM_3194386 + + If unsure, say Y. + ++config ARM64_ERRATUM_4193714 ++ bool "C1-Pro: 4193714: SME DVMSync early acknowledgement" ++ depends on ARM64_SME ++ default y ++ help ++ Enable workaround for C1-Pro acknowledging the DVMSync before ++ the SME memory accesses are complete. This will cause TLB ++ maintenance for processes using SME to also issue an IPI to ++ the affected CPUs. ++ ++ If unsure, say Y. ++ ++config ARM64_ERRATUM_4118414 ++ bool "Cortex-*/Neoverse-*/C1-*: Completion of affected memory accesses might not be guaranteed by completion of a TLBI" ++ default y ++ select ARM64_WORKAROUND_REPEAT_TLBI ++ help ++ This option adds a workaround for the following errata: ++ ++ * ARM C1-Premium erratum 4193780 ++ * ARM C1-Ultra erratum 4193780 ++ * ARM Cortex-A76 erratum 4193800 ++ * ARM Cortex-A76AE erratum 4193801 ++ * ARM Cortex-A77 erratum 4193798 ++ * ARM Cortex-A78 erratum 4193791 ++ * ARM Cortex-A78AE erratum 4193793 ++ * ARM Cortex-A78C erratum 4193794 ++ * ARM Cortex-A710 erratum 4193788 ++ * ARM Cortex-X1 erratum 4193791 ++ * ARM Cortex-X1C erratum 4193792 ++ * ARM Cortex-X2 erratum 4193788 ++ * ARM Cortex-X3 erratum 4193786 ++ * ARM Cortex-X4 erratum 4118414 ++ * ARM Cortex-X925 erratum 4193781 ++ * ARM Neoverse-N1 erratum 4193800 ++ * ARM Neoverse-N2 erratum 4193789 ++ * ARM Neoverse-V1 erratum 4193790 ++ * ARM Neoverse-V2 erratum 4193787 ++ * ARM Neoverse-V3 erratum 4193784 ++ * ARM Neoverse-V3AE erratum 4193784 ++ ++ On affected cores, some memory accesses might not be completed by ++ broadcast TLB invalidation. ++ ++ This issue is also known as CVE-2025-10263. ++ ++ If unsure, say Y. ++ + config CAVIUM_ERRATUM_22375 + bool "Cavium erratum 22375, 24313" + default y +diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c +index f3c2d766c..7010c152d 100644 +--- a/arch/arm64/kernel/cpu_errata.c ++++ b/arch/arm64/kernel/cpu_errata.c +@@ -225,7 +225,35 @@ static const struct arm64_cpu_capabilities arm64_repeat_tlbi_list[] = { + ERRATA_MIDR_RANGE(MIDR_CORTEX_A510, 0, 0, 1, 1), + }, + #endif +- {}, ++#ifdef CONFIG_ARM64_ERRATUM_4118414 ++ { ++ ERRATA_MIDR_RANGE_LIST(((const struct midr_range[]) { ++ MIDR_ALL_VERSIONS(MIDR_C1_PREMIUM), ++ MIDR_ALL_VERSIONS(MIDR_C1_ULTRA), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A76), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A76AE), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A77), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A78), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A78AE), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A78C), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A710), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_X1), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_X1C), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_X2), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_X3), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_X4), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_X925), ++ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1), ++ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2), ++ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1), ++ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V2), ++ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3), ++ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3AE), ++ {} ++ })), ++ }, ++#endif ++ {} + }; + #endif + +@@ -561,7 +589,7 @@ const struct arm64_cpu_capabilities arm64_errata[] = { + #endif + #ifdef CONFIG_ARM64_WORKAROUND_REPEAT_TLBI + { +- .desc = "Qualcomm erratum 1009, or ARM erratum 1286807, 2441009", ++ .desc = "Broken broadcast TLBI completion", + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + .type = ARM64_CPUCAP_LOCAL_CPU_ERRATUM, + .matches = cpucap_multi_entry_cap_matches, diff --git a/SOURCES/1725-arm64-errata-mitigate-tlbi-errata-on-nvidia-olympus-cpu.patch b/SOURCES/1725-arm64-errata-mitigate-tlbi-errata-on-nvidia-olympus-cpu.patch new file mode 100644 index 000000000..be35e3c3b --- /dev/null +++ b/SOURCES/1725-arm64-errata-mitigate-tlbi-errata-on-nvidia-olympus-cpu.patch @@ -0,0 +1,73 @@ +From f040e78cde73c9363beec35514ea0242725402ef Mon Sep 17 00:00:00 2001 +From: Shanker Donthineni +Date: Tue, 16 Jun 2026 06:23:06 +0100 +Subject: [PATCH] arm64: errata: Mitigate TLBI errata on NVIDIA Olympus CPU + +commit ec7216f92e4ebd485b1c6dc6aa3f6064b71a5768 upstream. + +NVIDIA Olympus cores are affected by the TLBI completion issue tracked as +CVE-2025-10263. The existing ARM64_ERRATUM_4118414 handling already uses +ARM64_WORKAROUND_REPEAT_TLBI to issue an additional broadcast TLBI;DSB +sequence and ensure affected memory write effects are globally observed. + +Add MIDR_NVIDIA_OLYMPUS to the repeat-TLBI match list so the same +mitigation is enabled on affected Olympus systems. Also document the +NVIDIA Olympus erratum in the arm64 silicon errata table and list it in +the Kconfig help text. + +Signed-off-by: Shanker Donthineni +Cc: Catalin Marinas +Cc: Will Deacon +Cc: Mark Rutland +Acked-by: Mark Rutland +Signed-off-by: Will Deacon +[Mark: backport to v5.15.y] +Signed-off-by: Shanker Donthineni +Signed-off-by: Greg Kroah-Hartman + +diff --git a/Documentation/arm64/silicon-errata.rst b/Documentation/arm64/silicon-errata.rst +index 3960a75ab..9307f17f0 100644 +--- a/Documentation/arm64/silicon-errata.rst ++++ b/Documentation/arm64/silicon-errata.rst +@@ -252,6 +252,8 @@ stable kernels. + +----------------+-----------------+-----------------+-----------------------------+ + | Cavium | ThunderX2 Core | #219 | CAVIUM_TX2_ERRATUM_219 | + +----------------+-----------------+-----------------+-----------------------------+ ++| NVIDIA | Olympus core | T410-OLY-1029 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + +----------------+-----------------+-----------------+-----------------------------+ + | Marvell | ARM-MMU-500 | #582743 | N/A | + +----------------+-----------------+-----------------+-----------------------------+ +diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig +index 030ccd4b3..da3eb91c3 100644 +--- a/arch/arm64/Kconfig ++++ b/arch/arm64/Kconfig +@@ -1133,7 +1133,7 @@ config ARM64_ERRATUM_4193714 + If unsure, say Y. + + config ARM64_ERRATUM_4118414 +- bool "Cortex-*/Neoverse-*/C1-*: Completion of affected memory accesses might not be guaranteed by completion of a TLBI" ++ bool "Various: Completion of affected memory accesses might not be guaranteed by completion of a TLBI" + default y + select ARM64_WORKAROUND_REPEAT_TLBI + help +@@ -1160,6 +1160,7 @@ config ARM64_ERRATUM_4118414 + * ARM Neoverse-V2 erratum 4193787 + * ARM Neoverse-V3 erratum 4193784 + * ARM Neoverse-V3AE erratum 4193784 ++ * NVIDIA Olympus erratum T410-OLY-1029 + + On affected cores, some memory accesses might not be completed by + broadcast TLB invalidation. +diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c +index 7010c152d..48f867d5d 100644 +--- a/arch/arm64/kernel/cpu_errata.c ++++ b/arch/arm64/kernel/cpu_errata.c +@@ -249,6 +249,7 @@ static const struct arm64_cpu_capabilities arm64_repeat_tlbi_list[] = { + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V2), + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3), + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3AE), ++ MIDR_ALL_VERSIONS(MIDR_NVIDIA_OLYMPUS), + {} + })), + }, diff --git a/SOURCES/1726-arm64-errata-mitigate-tlbi-errata-on-microsoft-azure-cobalt.patch b/SOURCES/1726-arm64-errata-mitigate-tlbi-errata-on-microsoft-azure-cobalt.patch new file mode 100644 index 000000000..f0a2fc329 --- /dev/null +++ b/SOURCES/1726-arm64-errata-mitigate-tlbi-errata-on-microsoft-azure-cobalt.patch @@ -0,0 +1,55 @@ +From 6a26fd2e6b6fccb15f1aeb2056a84f46cba08e52 Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Tue, 16 Jun 2026 06:23:07 +0100 +Subject: [PATCH] arm64: errata: Mitigate TLBI errata on Microsoft Azure Cobalt + 100 CPU + +commit 1940e70a8144bf75e6df26bf6f600862ea7f7ea1 upstream. + +Commit fb091ff39479 ("arm64: Subscribe Microsoft Azure Cobalt 100 to ARM +Neoverse N2 errata") states that Microsoft Azure Cobalt 100 CPU "is a +Microsoft implemented CPU based on r0p0 of the ARM Neoverse N2 CPU, and +therefore suffers from all the same errata.". + +So enable the workaround for the latest broadcast TLB invalidation bug +on these parts. + +Signed-off-by: Will Deacon +[Mark: backport to v5.15.y] +Signed-off-by: Mark Rutland +Signed-off-by: Greg Kroah-Hartman + +diff --git a/Documentation/arm64/silicon-errata.rst b/Documentation/arm64/silicon-errata.rst +index 9307f17f0..35be36ad8 100644 +--- a/Documentation/arm64/silicon-errata.rst ++++ b/Documentation/arm64/silicon-errata.rst +@@ -316,3 +316,5 @@ stable kernels. + +----------------+-----------------+-----------------+-----------------------------+ + | Microsoft | Azure Cobalt 100| #3324339 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| Microsoft | Azure Cobalt 100| #4193789 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ +diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig +index da3eb91c3..6f0d6c160 100644 +--- a/arch/arm64/Kconfig ++++ b/arch/arm64/Kconfig +@@ -1160,6 +1160,7 @@ config ARM64_ERRATUM_4118414 + * ARM Neoverse-V2 erratum 4193787 + * ARM Neoverse-V3 erratum 4193784 + * ARM Neoverse-V3AE erratum 4193784 ++ * Microsoft Azure Cobalt 100 4193789 + * NVIDIA Olympus erratum T410-OLY-1029 + + On affected cores, some memory accesses might not be completed by +diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c +index 48f867d5d..9b991fbba 100644 +--- a/arch/arm64/kernel/cpu_errata.c ++++ b/arch/arm64/kernel/cpu_errata.c +@@ -250,6 +250,7 @@ static const struct arm64_cpu_capabilities arm64_repeat_tlbi_list[] = { + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3), + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3AE), + MIDR_ALL_VERSIONS(MIDR_NVIDIA_OLYMPUS), ++ MIDR_ALL_VERSIONS(MIDR_MICROSOFT_AZURE_COBALT_100), + {} + })), + }, diff --git a/SOURCES/1727-arm64-cputype-add-nvidia-olympus-definitions.patch b/SOURCES/1727-arm64-cputype-add-nvidia-olympus-definitions.patch new file mode 100644 index 000000000..8f3686eb5 --- /dev/null +++ b/SOURCES/1727-arm64-cputype-add-nvidia-olympus-definitions.patch @@ -0,0 +1,35 @@ +From 401fbd171e5e9c3ff3023bf5756c51689281025f Mon Sep 17 00:00:00 2001 +From: Shanker Donthineni +Date: Tue, 16 Jun 2026 06:23:02 +0100 +Subject: [PATCH] arm64: cputype: Add NVIDIA Olympus definitions + +commit e185c8a0d84236d14af61faff8147c953a878a77 upstream. + +Add cpu part and model macro definitions for NVIDIA Olympus core. + +Signed-off-by: Shanker Donthineni +Signed-off-by: Will Deacon +[Mark: backport to v5.15.y] +Signed-off-by: Mark Rutland +Signed-off-by: Greg Kroah-Hartman + +diff --git a/arch/arm64/include/asm/cputype.h b/arch/arm64/include/asm/cputype.h +index 986bd0fc0..e779252ad 100644 +--- a/arch/arm64/include/asm/cputype.h ++++ b/arch/arm64/include/asm/cputype.h +@@ -132,6 +132,7 @@ + + #define NVIDIA_CPU_PART_DENVER 0x003 + #define NVIDIA_CPU_PART_CARMEL 0x004 ++#define NVIDIA_CPU_PART_OLYMPUS 0x010 + + #define FUJITSU_CPU_PART_A64FX 0x001 + +@@ -215,6 +216,7 @@ + #define MIDR_QCOM_KRYO_4XX_SILVER MIDR_CPU_MODEL(ARM_CPU_IMP_QCOM, QCOM_CPU_PART_KRYO_4XX_SILVER) + #define MIDR_NVIDIA_DENVER MIDR_CPU_MODEL(ARM_CPU_IMP_NVIDIA, NVIDIA_CPU_PART_DENVER) + #define MIDR_NVIDIA_CARMEL MIDR_CPU_MODEL(ARM_CPU_IMP_NVIDIA, NVIDIA_CPU_PART_CARMEL) ++#define MIDR_NVIDIA_OLYMPUS MIDR_CPU_MODEL(ARM_CPU_IMP_NVIDIA, NVIDIA_CPU_PART_OLYMPUS) + #define MIDR_FUJITSU_A64FX MIDR_CPU_MODEL(ARM_CPU_IMP_FUJITSU, FUJITSU_CPU_PART_A64FX) + #define MIDR_HISI_TSV110 MIDR_CPU_MODEL(ARM_CPU_IMP_HISI, HISI_CPU_PART_TSV110) + #define MIDR_HISI_HIP09 MIDR_CPU_MODEL(ARM_CPU_IMP_HISI, HISI_CPU_PART_HIP09) diff --git a/SOURCES/1728-clean-up-documentation-mess-left-by-previous-backport.patch b/SOURCES/1728-clean-up-documentation-mess-left-by-previous-backport.patch new file mode 100644 index 000000000..791f8862d --- /dev/null +++ b/SOURCES/1728-clean-up-documentation-mess-left-by-previous-backport.patch @@ -0,0 +1,204 @@ +From: Mark Salter +Date: Mon, 6 Jul 2026 00:00:00 +0000 +Subject: [PATCH] Clean up documentation mess left by previous backport + +RHEL-only reconciliation of arch/arm64 (silicon-errata.rst, Kconfig, +cpu_errata.c, cputype.h) after the CVE-2025-10263 TLBI errata backport, +to match RHEL 5.14.0-687.22.1.el9_8. No public upstream commit. + +CVE: CVE-2025-10263 +--- +diff --git a/Documentation/arm64/silicon-errata.rst b/Documentation/arm64/silicon-errata.rst +index 35be36ad8..d19ff3a69 100644 +--- a/Documentation/arm64/silicon-errata.rst ++++ b/Documentation/arm64/silicon-errata.rst +@@ -128,25 +128,27 @@ stable kernels. + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A76 | #3324349 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Cortex-A76 | #4193800 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Cortex-A76AE | #4193801 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A77 | #1491015 | N/A | + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A77 | #1508412 | ARM64_ERRATUM_1508412 | + +----------------+-----------------+-----------------+-----------------------------+ +-<<<<<<< HEAD:Documentation/arm64/silicon-errata.rst +-| ARM | Cortex-A510 | #2051678 | ARM64_ERRATUM_2051678 | ++| ARM | Cortex-A77 | #3324348 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ +-| ARM | Cortex-A510 | #2077057 | ARM64_ERRATUM_2077057 | ++| ARM | Cortex-A77 | #4193798 | ARM64_ERRATUM_4118414 | + +----------------+-----------------+-----------------+-----------------------------+ +-| ARM | Cortex-A510 | #2441009 | ARM64_ERRATUM_2441009 | ++| ARM | Cortex-A78 | #3324344 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ +-| ARM | Cortex-A510 | #2658417 | ARM64_ERRATUM_2658417 | +-======= +-| ARM | Cortex-A77 | #3324348 | ARM64_ERRATUM_3194386 | ++| ARM | Cortex-A78 | #4193791 | ARM64_ERRATUM_4118414 | + +----------------+-----------------+-----------------+-----------------------------+ +-| ARM | Cortex-A78 | #3324344 | ARM64_ERRATUM_3194386 | ++| ARM | Cortex-A78AE | #4193793 | ARM64_ERRATUM_4118414 | + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A78C | #3324346,3324347| ARM64_ERRATUM_3194386 | +->>>>>>> adeec61a4723 (arm64: errata: Expand speculative SSBS workaround (again)):Documentation/arch/arm64/silicon-errata.rst +++----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Cortex-A78C | #4193794 | ARM64_ERRATUM_4118414 | + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A710 | #2119858 | ARM64_ERRATUM_2119858 | + +----------------+-----------------+-----------------+-----------------------------+ +@@ -156,13 +158,11 @@ stable kernels. + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A710 | #3324338 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ +-| ARM | Cortex-A715 | #2645198 | ARM64_ERRATUM_2645198 | +-+----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A710 | #4193788 | ARM64_ERRATUM_4118414 | + +----------------+-----------------+-----------------+-----------------------------+ +-| ARM | Cortex-A715 | #3456084 | ARM64_ERRATUM_3194386 | ++| ARM | Cortex-A715 | #2645198 | ARM64_ERRATUM_2645198 | + +----------------+-----------------+-----------------+-----------------------------+ +-| ARM | Neoverse-V3AE | #3312417 | ARM64_ERRATUM_3194386 | ++| ARM | Cortex-A715 | #3456084 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A720 | #3456091 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ +@@ -172,20 +172,32 @@ stable kernels. + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-X1 | #3324344 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Cortex-X1 | #4193791 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-X1C | #3324346 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Cortex-X1C | #4193792 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-X2 | #2119858 | ARM64_ERRATUM_2119858 | + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-X2 | #2224489 | ARM64_ERRATUM_2224489 | + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-X2 | #3324338 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Cortex-X2 | #4193788 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-X3 | #3324335 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Cortex-X3 | #4193786 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-X4 | #3194386 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Cortex-X4 | #4118414 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-X925 | #3324334 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Cortex-X925 | #4193781 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Neoverse-N1 | #1188873,1418040| ARM64_ERRATUM_1418040 | + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Neoverse-N1 | #1349291 | N/A | +@@ -206,16 +218,32 @@ stable kernels. + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Neoverse-N2 | #3324339 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Neoverse-N2 | #4193789 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Neoverse-N3 | #3456111 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Neoverse-V1 | #1619801 | N/A | + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Neoverse-V1 | #3324341 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Neoverse-V1 | #4193790 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Neoverse-V2 | #3324336 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Neoverse-V2 | #4193787 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Neoverse-V3 | #3312417 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Neoverse-V3 | #4193784 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Neoverse-V3AE | #3312417 | ARM64_ERRATUM_3194386 | +++----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Neoverse-V3AE | #4193784 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ ++| ARM | C1-Premium | #4193780 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ ++| ARM | C1-Ultra | #4193780 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | MMU-500 | #841119,826419 | ARM_SMMU_MMU_500_CPRE_ERRATA| + | | | #562869,1047329 | | + +----------------+-----------------+-----------------+-----------------------------+ +@@ -252,14 +280,14 @@ stable kernels. + +----------------+-----------------+-----------------+-----------------------------+ + | Cavium | ThunderX2 Core | #219 | CAVIUM_TX2_ERRATUM_219 | + +----------------+-----------------+-----------------+-----------------------------+ +-| NVIDIA | Olympus core | T410-OLY-1029 | ARM64_ERRATUM_4118414 | +-+----------------+-----------------+-----------------+-----------------------------+ + +----------------+-----------------+-----------------+-----------------------------+ + | Marvell | ARM-MMU-500 | #582743 | N/A | + +----------------+-----------------+-----------------+-----------------------------+ + +----------------+-----------------+-----------------+-----------------------------+ + | NVIDIA | Carmel Core | N/A | NVIDIA_CARMEL_CNP_ERRATUM | + +----------------+-----------------+-----------------+-----------------------------+ ++| NVIDIA | Olympus core | T410-OLY-1029 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | NVIDIA | T241 GICv3/4.x | T241-FABRIC-4 | N/A | + +----------------+-----------------+-----------------+-----------------------------+ + +----------------+-----------------+-----------------+-----------------------------+ +diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig +index 6f0d6c160..1b77efe71 100644 +--- a/arch/arm64/Kconfig ++++ b/arch/arm64/Kconfig +@@ -1120,18 +1120,6 @@ config ARM64_ERRATUM_3194386 + + If unsure, say Y. + +-config ARM64_ERRATUM_4193714 +- bool "C1-Pro: 4193714: SME DVMSync early acknowledgement" +- depends on ARM64_SME +- default y +- help +- Enable workaround for C1-Pro acknowledging the DVMSync before +- the SME memory accesses are complete. This will cause TLB +- maintenance for processes using SME to also issue an IPI to +- the affected CPUs. +- +- If unsure, say Y. +- + config ARM64_ERRATUM_4118414 + bool "Various: Completion of affected memory accesses might not be guaranteed by completion of a TLBI" + default y +diff --git a/arch/arm64/include/asm/cputype.h b/arch/arm64/include/asm/cputype.h +index e779252ad..34440a3cb 100644 +--- a/arch/arm64/include/asm/cputype.h ++++ b/arch/arm64/include/asm/cputype.h +@@ -169,12 +169,10 @@ + #define MIDR_CORTEX_A77 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A77) + #define MIDR_CORTEX_A76AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A76AE) + #define MIDR_NEOVERSE_V1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V1) +-#define MIDR_C1_ULTRA MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_ULTRA) + #define MIDR_CORTEX_A78 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78) + #define MIDR_CORTEX_A78AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78AE) + #define MIDR_CORTEX_X1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X1) + #define MIDR_CORTEX_A510 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A510) +-#define MIDR_C1_PREMIUM MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_PREMIUM) + #define MIDR_CORTEX_X1C MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X1C) + #define MIDR_CORTEX_A520 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A520) + #define MIDR_CORTEX_A710 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A710) +@@ -192,8 +190,10 @@ + #define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925) + #define MIDR_CORTEX_A725 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A725) + #define MIDR_CORTEX_A720AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A720AE) ++#define MIDR_C1_ULTRA MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_ULTRA) + #define MIDR_NEOVERSE_N3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N3) + #define MIDR_C1_PRO MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_PRO) ++#define MIDR_C1_PREMIUM MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_PREMIUM) + #define MIDR_THUNDERX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX) + #define MIDR_THUNDERX_81XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_81XX) + #define MIDR_THUNDERX_83XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_83XX) +-- +2.43.0 + diff --git a/SOURCES/1729-fs-smb-client-fix-out-of-bounds-read-in-cifs-sanitize-prepat.patch b/SOURCES/1729-fs-smb-client-fix-out-of-bounds-read-in-cifs-sanitize-prepat.patch new file mode 100644 index 000000000..ced97fedd --- /dev/null +++ b/SOURCES/1729-fs-smb-client-fix-out-of-bounds-read-in-cifs-sanitize-prepat.patch @@ -0,0 +1,45 @@ +From 23372f29f9fdbdf360b9b8812d8bce59d6caf6ac Mon Sep 17 00:00:00 2001 +From: CKI Backport Bot +Date: Mon, 29 Jun 2026 08:46:34 +0000 +Subject: [PATCH] fs/smb/client: fix out-of-bounds read in + cifs_sanitize_prepath + +JIRA: https://redhat.atlassian.net/browse/RHEL-189496 +CVE: CVE-2026-43112 +Backported from tree(s): linux + +fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath + +When cifs_sanitize_prepath is called with an empty string or a string +containing only delimiters (e.g., "/"), the current logic attempts to +check *(cursor2 - 1) before cursor2 has advanced. This results in an +out-of-bounds read. + +This patch adds an early exit check after stripping prepended +delimiters. If no path content remains, the function returns NULL. + +The bug was identified via manual audit and verified using a +standalone test case compiled with AddressSanitizer, which +triggered a SEGV on affected inputs. + +Signed-off-by: Fredric Cover +Reviewed-by: Henrique Carvalho <[2]henrique.carvalho@suse.com> +Signed-off-by: Steve French +(cherry picked from commit 78ec5bf2f589ec7fd8f169394bfeca541b077317) +Signed-off-by: CKI Backport Bot + +diff --git a/fs/smb/client/fs_context.c b/fs/smb/client/fs_context.c +index 296a231e8..fdfe1508b 100644 +--- a/fs/smb/client/fs_context.c ++++ b/fs/smb/client/fs_context.c +@@ -587,6 +587,10 @@ char *cifs_sanitize_prepath(char *prepath, gfp_t gfp) + while (IS_DELIM(*cursor1)) + cursor1++; + ++ /* exit in case of only delimiters */ ++ if (!*cursor1) ++ return NULL; ++ + /* copy the first letter */ + *cursor2 = *cursor1; + diff --git a/SOURCES/1730-net-mana-fix-double-destroy-workqueue-on-service-rescan-pci.patch b/SOURCES/1730-net-mana-fix-double-destroy-workqueue-on-service-rescan-pci.patch new file mode 100644 index 000000000..34c2b2b2a --- /dev/null +++ b/SOURCES/1730-net-mana-fix-double-destroy-workqueue-on-service-rescan-pci.patch @@ -0,0 +1,82 @@ +From a9a7c3203fdc4d4a8d8a7a3b1ed05d2bb4c6e77e Mon Sep 17 00:00:00 2001 +From: Dipayaan Roy +Date: Tue, 24 Feb 2026 04:38:36 -0800 +Subject: [PATCH] net: mana: Fix double destroy_workqueue on service rescan PCI + path + +[ Upstream commit f975a0955276579e2176a134366ed586071c7c6a ] + +While testing corner cases in the driver, a use-after-free crash +was found on the service rescan PCI path. + +When mana_serv_reset() calls mana_gd_suspend(), mana_gd_cleanup() +destroys gc->service_wq. If the subsequent mana_gd_resume() fails +with -ETIMEDOUT or -EPROTO, the code falls through to +mana_serv_rescan() which triggers pci_stop_and_remove_bus_device(). +This invokes the PCI .remove callback (mana_gd_remove), which calls +mana_gd_cleanup() a second time, attempting to destroy the already- +freed workqueue. Fix this by NULL-checking gc->service_wq in +mana_gd_cleanup() and setting it to NULL after destruction. + +Call stack of issue for reference: +[Sat Feb 21 18:53:48 2026] Call Trace: +[Sat Feb 21 18:53:48 2026] +[Sat Feb 21 18:53:48 2026] mana_gd_cleanup+0x33/0x70 [mana] +[Sat Feb 21 18:53:48 2026] mana_gd_remove+0x3a/0xc0 [mana] +[Sat Feb 21 18:53:48 2026] pci_device_remove+0x41/0xb0 +[Sat Feb 21 18:53:48 2026] device_remove+0x46/0x70 +[Sat Feb 21 18:53:48 2026] device_release_driver_internal+0x1e3/0x250 +[Sat Feb 21 18:53:48 2026] device_release_driver+0x12/0x20 +[Sat Feb 21 18:53:48 2026] pci_stop_bus_device+0x6a/0x90 +[Sat Feb 21 18:53:48 2026] pci_stop_and_remove_bus_device+0x13/0x30 +[Sat Feb 21 18:53:48 2026] mana_do_service+0x180/0x290 [mana] +[Sat Feb 21 18:53:48 2026] mana_serv_func+0x24/0x50 [mana] +[Sat Feb 21 18:53:48 2026] process_one_work+0x190/0x3d0 +[Sat Feb 21 18:53:48 2026] worker_thread+0x16e/0x2e0 +[Sat Feb 21 18:53:48 2026] kthread+0xf7/0x130 +[Sat Feb 21 18:53:48 2026] ? __pfx_worker_thread+0x10/0x10 +[Sat Feb 21 18:53:48 2026] ? __pfx_kthread+0x10/0x10 +[Sat Feb 21 18:53:48 2026] ret_from_fork+0x269/0x350 +[Sat Feb 21 18:53:48 2026] ? __pfx_kthread+0x10/0x10 +[Sat Feb 21 18:53:48 2026] ret_from_fork_asm+0x1a/0x30 +[Sat Feb 21 18:53:48 2026] + +Fixes: 505cc26bcae0 ("net: mana: Add support for auxiliary device servicing events") +Reviewed-by: Haiyang Zhang +Signed-off-by: Dipayaan Roy +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/aZ2bzL64NagfyHpg@linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin + +diff --git a/drivers/net/ethernet/microsoft/mana/gdma_main.c b/drivers/net/ethernet/microsoft/mana/gdma_main.c +index 43c5b6efc..674df4782 100644 +--- a/drivers/net/ethernet/microsoft/mana/gdma_main.c ++++ b/drivers/net/ethernet/microsoft/mana/gdma_main.c +@@ -1947,7 +1947,10 @@ static void mana_gd_cleanup(struct pci_dev *pdev) + + mana_gd_remove_irqs(pdev); + +- destroy_workqueue(gc->service_wq); ++ if (gc->service_wq) { ++ destroy_workqueue(gc->service_wq); ++ gc->service_wq = NULL; ++ } + dev_dbg(&pdev->dev, "mana gdma cleanup successful\n"); + } + +diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c b/drivers/net/ethernet/microsoft/mana/mana_en.c +index a64ef3e22..a98227b5a 100644 +--- a/drivers/net/ethernet/microsoft/mana/mana_en.c ++++ b/drivers/net/ethernet/microsoft/mana/mana_en.c +@@ -3525,7 +3525,9 @@ void mana_rdma_remove(struct gdma_dev *gd) + } + + WRITE_ONCE(gd->rdma_teardown, true); +- flush_workqueue(gc->service_wq); ++ ++ if (gc->service_wq) ++ flush_workqueue(gc->service_wq); + + if (gd->adev) + remove_adev(gd); diff --git a/SOURCES/1731-net-mana-null-service-wq-on-setup-error-to-prevent-double-de.patch b/SOURCES/1731-net-mana-null-service-wq-on-setup-error-to-prevent-double-de.patch new file mode 100644 index 000000000..2d7155640 --- /dev/null +++ b/SOURCES/1731-net-mana-null-service-wq-on-setup-error-to-prevent-double-de.patch @@ -0,0 +1,33 @@ +From 6c92392602b451e3869f15ab685f8f650e942b13 Mon Sep 17 00:00:00 2001 +From: Shiraz Saleem +Date: Mon, 9 Mar 2026 10:24:43 -0700 +Subject: [PATCH] net/mana: Null service_wq on setup error to prevent double + destroy + +[ Upstream commit 87c2302813abc55c46485711a678e3c312b00666 ] + +In mana_gd_setup() error path, set gc->service_wq to NULL after +destroy_workqueue() to match the cleanup in mana_gd_cleanup(). +This prevents a use-after-free if the workqueue pointer is checked +after a failed setup. + +Fixes: f975a0955276 ("net: mana: Fix double destroy_workqueue on service rescan PCI path") +Signed-off-by: Shiraz Saleem +Signed-off-by: Konstantin Taranov +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20260309172443.688392-1-kotaranov@linux.microsoft.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin + +diff --git a/drivers/net/ethernet/microsoft/mana/gdma_main.c b/drivers/net/ethernet/microsoft/mana/gdma_main.c +index 674df4782..2e72838af 100644 +--- a/drivers/net/ethernet/microsoft/mana/gdma_main.c ++++ b/drivers/net/ethernet/microsoft/mana/gdma_main.c +@@ -1935,6 +1935,7 @@ static int mana_gd_setup(struct pci_dev *pdev) + mana_gd_remove_irqs(pdev); + free_workqueue: + destroy_workqueue(gc->service_wq); ++ gc->service_wq = NULL; + dev_err(&pdev->dev, "%s failed (error %d)\n", __func__, err); + return err; + } diff --git a/SOURCES/1732-net-gro-don-t-merge-zcopy-skbs.patch b/SOURCES/1732-net-gro-don-t-merge-zcopy-skbs.patch new file mode 100644 index 000000000..04ce9fcf7 --- /dev/null +++ b/SOURCES/1732-net-gro-don-t-merge-zcopy-skbs.patch @@ -0,0 +1,43 @@ +From 3c6cc9f2ca65b6dd61b1af75452dc0e1cd0aad8d Mon Sep 17 00:00:00 2001 +From: Sabrina Dubroca +Date: Wed, 20 May 2026 22:44:42 +0200 +Subject: [PATCH] net: gro: don't merge zcopy skbs + +[ Upstream commit 4db79a322db8c97f7b73b8a347395ef4d685eb40 ] + +skb_gro_receive() can currently copy frags between the source and GRO +skb, without checking the zerocopy status, and in particular the +SKBFL_MANAGED_FRAG_REFS flag. + +When SKBFL_MANAGED_FRAG_REFS is set, the skb doesn't hold a reference +on the pages in shinfo->frags. Appending those frags to another skb's +frags without fixing up the page refcount can lead to UAF. + +When either the last skb in the GRO chain (the one we would append +frags to) or the source skb is zerocopy, don't merge the skbs. + +Fixes: 753f1ca4e1e5 ("net: introduce managed frags infrastructure") +Reported-by: Huzaifa Sidhpurwala +Signed-off-by: Sabrina Dubroca +Reviewed-by: Willem de Bruijn +Link: https://patch.msgid.link/c3b7f906bbfcbdfd7b4fa9d6c18a438870df85be.1779307748.git.sd@queasysnail.net +Signed-off-by: Jakub Kicinski +[Salvatore Bonaccorso: Adjust for context in 6.1.y series without +e8d4d34df715 ("net: Add netif_get_gro_max_size helper for GRO")] +Signed-off-by: Salvatore Bonaccorso +Signed-off-by: Sasha Levin + +diff --git a/net/core/gro.c b/net/core/gro.c +index a1b6faeb2..de524b613 100644 +--- a/net/core/gro.c ++++ b/net/core/gro.c +@@ -113,6 +113,9 @@ int skb_gro_receive(struct sk_buff *p, struct sk_buff *skb) + if (p->pp_recycle != skb->pp_recycle) + return -ETOOMANYREFS; + ++ if (skb_zcopy(p) || skb_zcopy(skb)) ++ return -ETOOMANYREFS; ++ + /* pairs with WRITE_ONCE() in netif_set_gro(_ipv4)_max_size() */ + gro_max_size = p->protocol == htons(ETH_P_IPV6) ? + READ_ONCE(p->dev->gro_max_size) : diff --git a/SOURCES/1733-xfrm-defensively-unhash-xfrm-state-lists-in-xfrm-state-delet.patch b/SOURCES/1733-xfrm-defensively-unhash-xfrm-state-lists-in-xfrm-state-delet.patch new file mode 100644 index 000000000..c712bbb3c --- /dev/null +++ b/SOURCES/1733-xfrm-defensively-unhash-xfrm-state-lists-in-xfrm-state-delet.patch @@ -0,0 +1,114 @@ +From 3943fcad7694a7d0b15aeabe7d3cc2a2eb8e92e8 Mon Sep 17 00:00:00 2001 +From: Michal Kosiorek +Date: Wed, 13 May 2026 13:44:48 -0400 +Subject: [PATCH] xfrm: defensively unhash xfrm_state lists in + __xfrm_state_delete + +[ Upstream commit 14acf9652e5690de3c7486c6db5fb8dafd0a32a3 ] + +KASAN reproduces a slab-use-after-free in __xfrm_state_delete()'s +hlist_del_rcu calls under syzkaller load on linux-6.12.y stable +(reproduced on 6.12.47, also reachable via the same code path on +torvalds/master and on the ipsec tree). Nine unique signatures cluster +in the xfrm_state lifecycle, the load-bearing one being: + + BUG: KASAN: slab-use-after-free in __hlist_del include/linux/list.h:990 [inline] + BUG: KASAN: slab-use-after-free in hlist_del_rcu include/linux/rculist.h:516 [inline] + BUG: KASAN: slab-use-after-free in __xfrm_state_delete net/xfrm/xfrm_state.c + Write of size 8 at addr ffff8881198bcb70 by task kworker/u8:9/435 + + Workqueue: netns cleanup_net + Call Trace: + __hlist_del / hlist_del_rcu + __xfrm_state_delete + xfrm_state_delete + xfrm_state_flush + xfrm_state_fini + ops_exit_list + cleanup_net + +The other observed signatures hit the same slab object from +__xfrm_state_lookup, xfrm_alloc_spi, __xfrm_state_insert and an OOB +write variant of __xfrm_state_delete, all on the byseq/byspi +hash chains. + +__xfrm_state_delete() guards its byseq and byspi unhashes with +value-based predicates: + + if (x->km.seq) + hlist_del_rcu(&x->byseq); + if (x->id.spi) + hlist_del_rcu(&x->byspi); + +while everywhere else in the file (e.g. state_cache, state_cache_input) +the safer hlist_unhashed() check is used. xfrm_alloc_spi() sets +x->id.spi = newspi inside xfrm_state_lock and then immediately inserts +into byspi, but a path that observes x->id.spi != 0 outside of +xfrm_state_lock can still skip-or-hit the byspi unhash inconsistently +with whether x is actually on the list. The same holds for x->km.seq +versus byseq, and the bydst/bysrc unhashes have no predicate at all, +so a second __xfrm_state_delete() on the same object writes through +LIST_POISON pprev. + +The defensive change here: + + - Use hlist_del_init_rcu() instead of hlist_del_rcu() on bydst, + bysrc, byseq and byspi so a second deletion is a no-op rather + than a write through LIST_POISON pprev. The byseq/byspi nodes + are already initialised in xfrm_state_alloc(). + - Test hlist_unhashed() rather than the value predicate for + byseq/byspi, so the unhash decision tracks list state rather than + mutable scalar fields. + +Empirical verification: applied this patch on top of v6.12.47, rebuilt, +and re-ran the same syzkaller harness for 1h16m on a previously-crashy +configuration that produced ~100 hits each of slab-use-after-free +Read in xfrm_alloc_spi / Read in __xfrm_state_lookup / Write in +__xfrm_state_delete. After the patch, 7.1M execs across 32 VMs at +~1550 exec/sec produced zero xfrm_state UAF/OOB hits. /proc/slabinfo +confirms the xfrm_state slab is actively allocated and freed during +the run (~143 KiB resident), so the fuzzer is still exercising those +code paths -- they just no longer crash. + +Reproduction: + + - Linux 6.12.47 x86_64 + KASAN_GENERIC + KASAN_INLINE + KCOV + - syzkaller @ 746545b8b1e4c3a128db8652b340d3df90ce61db + - 32 QEMU/KVM VMs x 2 vCPU on AWS c5.metal bare metal + - 9 unique signatures collected in ~9h, all within xfrm_state + lifecycle + +Fixes: fe9f1d8779cb ("xfrm: add state hashtable keyed by seq") +Fixes: 7b4dc3600e48 ("[XFRM]: Do not add a state whose SPI is zero to the SPI hash.") +Reported-by: Michal Kosiorek +Tested-by: Michal Kosiorek +Cc: stable@vger.kernel.org +Signed-off-by: Michal Kosiorek +Signed-off-by: Steffen Klassert +[ dropped state_cache/state_cache_input unhash hunks and xfrm_nat_keepalive_state_updated() call ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman + +diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c +index 3f5b630f7..93a8144d4 100644 +--- a/net/xfrm/xfrm_state.c ++++ b/net/xfrm/xfrm_state.c +@@ -751,12 +751,12 @@ int __xfrm_state_delete(struct xfrm_state *x) + x->km.state = XFRM_STATE_DEAD; + spin_lock(&net->xfrm.xfrm_state_lock); + list_del(&x->km.all); +- hlist_del_rcu(&x->bydst); +- hlist_del_rcu(&x->bysrc); +- if (x->km.seq) +- hlist_del_rcu(&x->byseq); +- if (x->id.spi) +- hlist_del_rcu(&x->byspi); ++ hlist_del_init_rcu(&x->bydst); ++ hlist_del_init_rcu(&x->bysrc); ++ if (!hlist_unhashed(&x->byseq)) ++ hlist_del_init_rcu(&x->byseq); ++ if (!hlist_unhashed(&x->byspi)) ++ hlist_del_init_rcu(&x->byspi); + net->xfrm.state_num--; + spin_unlock(&net->xfrm.xfrm_state_lock); + diff --git a/SOURCES/1734-smb-client-fix-off-by-8-bounds-check-in-check-wsl-eas.patch b/SOURCES/1734-smb-client-fix-off-by-8-bounds-check-in-check-wsl-eas.patch new file mode 100644 index 000000000..e7b045333 --- /dev/null +++ b/SOURCES/1734-smb-client-fix-off-by-8-bounds-check-in-check-wsl-eas.patch @@ -0,0 +1,59 @@ +From de1e5c0a53783dc22cba5cd5b520d81dd1ca0613 Mon Sep 17 00:00:00 2001 +From: Paulo Alcantara +Date: Wed, 1 Jul 2026 15:14:30 -0300 +Subject: [PATCH] smb: client: fix off-by-8 bounds check in check_wsl_eas() + +JIRA: https://redhat.atlassian.net/browse/RHEL-180044 + +commit 3d8b9d06bd3ac4c6846f5498800b0f5f8062e53b +Author: Greg Kroah-Hartman +Date: Mon Apr 6 15:49:37 2026 +0200 + + smb: client: fix off-by-8 bounds check in check_wsl_eas() + + The bounds check uses (u8 *)ea + nlen + 1 + vlen as the end of the EA + name and value, but ea_data sits at offset sizeof(struct + smb2_file_full_ea_info) = 8 from ea, not at offset 0. The strncmp() + later reads ea->ea_data[0..nlen-1] and the value bytes follow at + ea_data[nlen+1..nlen+vlen], so the actual end is ea->ea_data + nlen + 1 + + vlen. Isn't pointer math fun? + + The earlier check (u8 *)ea > end - sizeof(*ea) only guarantees the + 8-byte header is in bounds, but since the last EA is placed within 8 + bytes of the end of the response, the name and value bytes are read past + the end of iov. + + Fix this mess all up by using ea->ea_data as the base for the bounds + check. + + An "untrusted" server can use this to leak up to 8 bytes of kernel heap + into the EA name comparison and influence which WSL xattr the data is + interpreted as. + + Cc: Ronnie Sahlberg + Cc: Shyam Prasad N + Cc: Tom Talpey + Cc: Bharath SM + Cc: linux-cifs@vger.kernel.org + Cc: samba-technical@lists.samba.org + Cc: stable + Assisted-by: gregkh_clanker_t1000 + Reviewed-by: Paulo Alcantara (Red Hat) + Signed-off-by: Greg Kroah-Hartman + Signed-off-by: Steve French + +Signed-off-by: Paulo Alcantara + +diff --git a/fs/smb/client/smb2inode.c b/fs/smb/client/smb2inode.c +index 47bff865c..7f4e27613 100644 +--- a/fs/smb/client/smb2inode.c ++++ b/fs/smb/client/smb2inode.c +@@ -124,7 +124,7 @@ static int check_wsl_eas(struct kvec *rsp_iov) + nlen = ea->ea_name_length; + vlen = le16_to_cpu(ea->ea_value_length); + if (nlen != SMB2_WSL_XATTR_NAME_LEN || +- (u8 *)ea + nlen + 1 + vlen > end) ++ (u8 *)ea->ea_data + nlen + 1 + vlen > end) + return -EINVAL; + + switch (vlen) { diff --git a/SOURCES/1735-smb-client-fix-out-of-bounds-read-in-smb2-compound-op.patch b/SOURCES/1735-smb-client-fix-out-of-bounds-read-in-smb2-compound-op.patch new file mode 100644 index 000000000..77a95c3b2 --- /dev/null +++ b/SOURCES/1735-smb-client-fix-out-of-bounds-read-in-smb2-compound-op.patch @@ -0,0 +1,70 @@ +From a26414c13d61ee7ad429dc66d9c3eea15f3bb0e8 Mon Sep 17 00:00:00 2001 +From: Paulo Alcantara +Date: Wed, 1 Jul 2026 15:14:45 -0300 +Subject: [PATCH] smb/client: fix out-of-bounds read in smb2_compound_op() + +JIRA: https://redhat.atlassian.net/browse/RHEL-180044 +CVE: CVE-2026-46155 + +commit 8d09328dfda089675e4c049f3f256064a1d1996b +Author: Zisen Ye +Date: Wed May 6 11:49:08 2026 +0800 + + smb/client: fix out-of-bounds read in smb2_compound_op() + + If a server sends a truncated response but a large OutputBufferLength, and + terminates the EA list early, check_wsl_eas() returns success without + validating that the entire OutputBufferLength fits within iov_len. + + Then smb2_compound_op() does: + memcpy(idata->wsl.eas, data[0], size[0]); + + Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], + memcpy can read beyond the end of the rsp_iov allocation and leak adjacent + kernel heap memory. + + Link: https://lore.kernel.org/linux-cifs/d998240c-aca9-420d-9dbd-f5ba24af19e0@chenxiaosong.com/ + Fixes: ea41367b2a60 ("smb: client: introduce SMB2_OP_QUERY_WSL_EA") + Cc: stable@vger.kernel.org + Signed-off-by: Zisen Ye + Reviewed-by: ChenXiaoSong + Signed-off-by: Steve French + +Signed-off-by: Paulo Alcantara + +diff --git a/fs/smb/client/smb2inode.c b/fs/smb/client/smb2inode.c +index 7f4e27613..f3c1ed362 100644 +--- a/fs/smb/client/smb2inode.c ++++ b/fs/smb/client/smb2inode.c +@@ -107,7 +107,7 @@ static int check_wsl_eas(struct kvec *rsp_iov) + u32 outlen, next; + u16 vlen; + u8 nlen; +- u8 *end; ++ u8 *ea_end, *iov_end; + + outlen = le32_to_cpu(rsp->OutputBufferLength); + if (outlen < SMB2_WSL_MIN_QUERY_EA_RESP_SIZE || +@@ -116,15 +116,19 @@ static int check_wsl_eas(struct kvec *rsp_iov) + + ea = (void *)((u8 *)rsp_iov->iov_base + + le16_to_cpu(rsp->OutputBufferOffset)); +- end = (u8 *)rsp_iov->iov_base + rsp_iov->iov_len; ++ ea_end = (u8 *)ea + outlen; ++ iov_end = (u8 *)rsp_iov->iov_base + rsp_iov->iov_len; ++ if (ea_end > iov_end) ++ return -EINVAL; ++ + for (;;) { +- if ((u8 *)ea > end - sizeof(*ea)) ++ if ((u8 *)ea > ea_end - sizeof(*ea)) + return -EINVAL; + + nlen = ea->ea_name_length; + vlen = le16_to_cpu(ea->ea_value_length); + if (nlen != SMB2_WSL_XATTR_NAME_LEN || +- (u8 *)ea->ea_data + nlen + 1 + vlen > end) ++ (u8 *)ea->ea_data + nlen + 1 + vlen > ea_end) + return -EINVAL; + + switch (vlen) { diff --git a/SOURCES/kernel-aarch64-64k-debug-rhel.config b/SOURCES/kernel-aarch64-64k-debug-rhel.config index 8e7b9c2cf..f2353f1fc 100644 --- a/SOURCES/kernel-aarch64-64k-debug-rhel.config +++ b/SOURCES/kernel-aarch64-64k-debug-rhel.config @@ -295,6 +295,7 @@ CONFIG_ARM64_ERRATUM_2658417=y CONFIG_ARM64_ERRATUM_2966298=y CONFIG_ARM64_ERRATUM_3117295=y CONFIG_ARM64_ERRATUM_3194386=y +CONFIG_ARM64_ERRATUM_4118414=y CONFIG_ARM64_ERRATUM_819472=y CONFIG_ARM64_ERRATUM_824069=y CONFIG_ARM64_ERRATUM_826319=y diff --git a/SOURCES/kernel-aarch64-64k-rhel.config b/SOURCES/kernel-aarch64-64k-rhel.config index 234d70089..7729f497a 100644 --- a/SOURCES/kernel-aarch64-64k-rhel.config +++ b/SOURCES/kernel-aarch64-64k-rhel.config @@ -295,6 +295,7 @@ CONFIG_ARM64_ERRATUM_2658417=y CONFIG_ARM64_ERRATUM_2966298=y CONFIG_ARM64_ERRATUM_3117295=y CONFIG_ARM64_ERRATUM_3194386=y +CONFIG_ARM64_ERRATUM_4118414=y CONFIG_ARM64_ERRATUM_819472=y CONFIG_ARM64_ERRATUM_824069=y CONFIG_ARM64_ERRATUM_826319=y diff --git a/SOURCES/kernel-aarch64-debug-rhel.config b/SOURCES/kernel-aarch64-debug-rhel.config index a00d91312..51a7d52bc 100644 --- a/SOURCES/kernel-aarch64-debug-rhel.config +++ b/SOURCES/kernel-aarch64-debug-rhel.config @@ -295,6 +295,7 @@ CONFIG_ARM64_ERRATUM_2658417=y CONFIG_ARM64_ERRATUM_2966298=y CONFIG_ARM64_ERRATUM_3117295=y CONFIG_ARM64_ERRATUM_3194386=y +CONFIG_ARM64_ERRATUM_4118414=y CONFIG_ARM64_ERRATUM_819472=y CONFIG_ARM64_ERRATUM_824069=y CONFIG_ARM64_ERRATUM_826319=y diff --git a/SOURCES/kernel-aarch64-rhel.config b/SOURCES/kernel-aarch64-rhel.config index fd281bf82..eb4999d7c 100644 --- a/SOURCES/kernel-aarch64-rhel.config +++ b/SOURCES/kernel-aarch64-rhel.config @@ -295,6 +295,7 @@ CONFIG_ARM64_ERRATUM_2658417=y CONFIG_ARM64_ERRATUM_2966298=y CONFIG_ARM64_ERRATUM_3117295=y CONFIG_ARM64_ERRATUM_3194386=y +CONFIG_ARM64_ERRATUM_4118414=y CONFIG_ARM64_ERRATUM_819472=y CONFIG_ARM64_ERRATUM_824069=y CONFIG_ARM64_ERRATUM_826319=y diff --git a/SOURCES/kernel-aarch64-rt-64k-debug-rhel.config b/SOURCES/kernel-aarch64-rt-64k-debug-rhel.config index 7dea06b03..fa4ea605d 100644 --- a/SOURCES/kernel-aarch64-rt-64k-debug-rhel.config +++ b/SOURCES/kernel-aarch64-rt-64k-debug-rhel.config @@ -300,6 +300,7 @@ CONFIG_ARM64_ERRATUM_2658417=y CONFIG_ARM64_ERRATUM_2966298=y CONFIG_ARM64_ERRATUM_3117295=y CONFIG_ARM64_ERRATUM_3194386=y +CONFIG_ARM64_ERRATUM_4118414=y CONFIG_ARM64_ERRATUM_819472=y CONFIG_ARM64_ERRATUM_824069=y CONFIG_ARM64_ERRATUM_826319=y diff --git a/SOURCES/kernel-aarch64-rt-64k-rhel.config b/SOURCES/kernel-aarch64-rt-64k-rhel.config index a16847174..1678cc2dc 100644 --- a/SOURCES/kernel-aarch64-rt-64k-rhel.config +++ b/SOURCES/kernel-aarch64-rt-64k-rhel.config @@ -300,6 +300,7 @@ CONFIG_ARM64_ERRATUM_2658417=y CONFIG_ARM64_ERRATUM_2966298=y CONFIG_ARM64_ERRATUM_3117295=y CONFIG_ARM64_ERRATUM_3194386=y +CONFIG_ARM64_ERRATUM_4118414=y CONFIG_ARM64_ERRATUM_819472=y CONFIG_ARM64_ERRATUM_824069=y CONFIG_ARM64_ERRATUM_826319=y diff --git a/SOURCES/kernel-aarch64-rt-debug-rhel.config b/SOURCES/kernel-aarch64-rt-debug-rhel.config index ae4db8156..e27e35af2 100644 --- a/SOURCES/kernel-aarch64-rt-debug-rhel.config +++ b/SOURCES/kernel-aarch64-rt-debug-rhel.config @@ -300,6 +300,7 @@ CONFIG_ARM64_ERRATUM_2658417=y CONFIG_ARM64_ERRATUM_2966298=y CONFIG_ARM64_ERRATUM_3117295=y CONFIG_ARM64_ERRATUM_3194386=y +CONFIG_ARM64_ERRATUM_4118414=y CONFIG_ARM64_ERRATUM_819472=y CONFIG_ARM64_ERRATUM_824069=y CONFIG_ARM64_ERRATUM_826319=y diff --git a/SOURCES/kernel-aarch64-rt-rhel.config b/SOURCES/kernel-aarch64-rt-rhel.config index 215a702c4..a25c512e4 100644 --- a/SOURCES/kernel-aarch64-rt-rhel.config +++ b/SOURCES/kernel-aarch64-rt-rhel.config @@ -300,6 +300,7 @@ CONFIG_ARM64_ERRATUM_2658417=y CONFIG_ARM64_ERRATUM_2966298=y CONFIG_ARM64_ERRATUM_3117295=y CONFIG_ARM64_ERRATUM_3194386=y +CONFIG_ARM64_ERRATUM_4118414=y CONFIG_ARM64_ERRATUM_819472=y CONFIG_ARM64_ERRATUM_824069=y CONFIG_ARM64_ERRATUM_826319=y diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec index 602b54dc2..7ee12a255 100644 --- a/SPECS/kernel.spec +++ b/SPECS/kernel.spec @@ -176,13 +176,13 @@ Summary: The Linux kernel # define buildid .local %define specversion 5.14.0 %define patchversion 5.14 -%define pkgrelease 687.20.3 +%define pkgrelease 687.22.1 %define kversion 5 %define tarfile_release 5.14.0-687.5.1.el9_8 # This is needed to do merge window version magic %define patchlevel 14 # This allows pkg_release to have configurable %%{?dist} tag -%define specrelease 687.20.3%{?buildid}%{?dist} +%define specrelease 687.22.1%{?buildid}%{?dist} # This defines the kabi tarball version %define kabiversion 5.14.0-687.5.1.el9_8 @@ -1590,6 +1590,28 @@ Patch1709: 1709-crypto-krb5-filter-out-async-aead-implementations-at-alloc.patch Patch1710: 1710-kvm-x86-fix-shadow-paging-use-after-free-due-to-unexpected-gfn.patch Patch1711: 1711-kvm-x86-fix-shadow-paging-use-after-free-due-to-unexpected-role.patch Patch1712: 1712-eventpoll-fix-ep-remove-struct-eventpoll-struct-file-uaf.patch +Patch1713: 1713-nouveau-gsp-drop-warn-on-in-acpi-probes.patch +Patch1714: 1714-sctp-revalidate-list-cursor-after-sctp-sendmsg-to-asoc-in-sc.patch +Patch1715: 1715-drm-gem-fix-inconsistent-plane-dimension-calculation-in-drm.patch +Patch1716: 1716-procfs-fix-missing-rcu-protection-when-reading-real-parent-i.patch +Patch1717: 1717-netfilter-nft-inner-fix-ipv6-inner-thoff-desync.patch +Patch1719: 1719-arm64-cputype-add-c1-pro-definitions.patch +Patch1720: 1720-arm64-cputype-add-c1-premium-definitions.patch +Patch1721: 1721-arm64-cputype-add-c1-ultra-definitions.patch +Patch1722: 1722-arm64-cputype-add-neoverse-v3ae-definitions.patch +Patch1723: 1723-arm64-errata-apply-workarounds-for-neoverse-v3ae.patch +Patch1724: 1724-arm64-errata-mitigate-tlbi-errata-on-various-arm-cpus.patch +Patch1725: 1725-arm64-errata-mitigate-tlbi-errata-on-nvidia-olympus-cpu.patch +Patch1726: 1726-arm64-errata-mitigate-tlbi-errata-on-microsoft-azure-cobalt.patch +Patch1727: 1727-arm64-cputype-add-nvidia-olympus-definitions.patch +Patch1728: 1728-clean-up-documentation-mess-left-by-previous-backport.patch +Patch1729: 1729-fs-smb-client-fix-out-of-bounds-read-in-cifs-sanitize-prepat.patch +Patch1730: 1730-net-mana-fix-double-destroy-workqueue-on-service-rescan-pci.patch +Patch1731: 1731-net-mana-null-service-wq-on-setup-error-to-prevent-double-de.patch +Patch1732: 1732-net-gro-don-t-merge-zcopy-skbs.patch +Patch1733: 1733-xfrm-defensively-unhash-xfrm-state-lists-in-xfrm-state-delet.patch +Patch1734: 1734-smb-client-fix-off-by-8-bounds-check-in-check-wsl-eas.patch +Patch1735: 1735-smb-client-fix-out-of-bounds-read-in-smb2-compound-op.patch # END OF PATCH DEFINITIONS %description @@ -2947,6 +2969,28 @@ ApplyPatch 1709-crypto-krb5-filter-out-async-aead-implementations-at-alloc.patch ApplyPatch 1710-kvm-x86-fix-shadow-paging-use-after-free-due-to-unexpected-gfn.patch ApplyPatch 1711-kvm-x86-fix-shadow-paging-use-after-free-due-to-unexpected-role.patch ApplyPatch 1712-eventpoll-fix-ep-remove-struct-eventpoll-struct-file-uaf.patch +ApplyPatch 1713-nouveau-gsp-drop-warn-on-in-acpi-probes.patch +ApplyPatch 1714-sctp-revalidate-list-cursor-after-sctp-sendmsg-to-asoc-in-sc.patch +ApplyPatch 1715-drm-gem-fix-inconsistent-plane-dimension-calculation-in-drm.patch +ApplyPatch 1716-procfs-fix-missing-rcu-protection-when-reading-real-parent-i.patch +ApplyPatch 1717-netfilter-nft-inner-fix-ipv6-inner-thoff-desync.patch +ApplyPatch 1719-arm64-cputype-add-c1-pro-definitions.patch +ApplyPatch 1720-arm64-cputype-add-c1-premium-definitions.patch +ApplyPatch 1721-arm64-cputype-add-c1-ultra-definitions.patch +ApplyPatch 1722-arm64-cputype-add-neoverse-v3ae-definitions.patch +ApplyPatch 1723-arm64-errata-apply-workarounds-for-neoverse-v3ae.patch +ApplyPatch 1724-arm64-errata-mitigate-tlbi-errata-on-various-arm-cpus.patch +ApplyPatch 1725-arm64-errata-mitigate-tlbi-errata-on-nvidia-olympus-cpu.patch +ApplyPatch 1726-arm64-errata-mitigate-tlbi-errata-on-microsoft-azure-cobalt.patch +ApplyPatch 1727-arm64-cputype-add-nvidia-olympus-definitions.patch +ApplyPatch 1728-clean-up-documentation-mess-left-by-previous-backport.patch +ApplyPatch 1729-fs-smb-client-fix-out-of-bounds-read-in-cifs-sanitize-prepat.patch +ApplyPatch 1730-net-mana-fix-double-destroy-workqueue-on-service-rescan-pci.patch +ApplyPatch 1731-net-mana-null-service-wq-on-setup-error-to-prevent-double-de.patch +ApplyPatch 1732-net-gro-don-t-merge-zcopy-skbs.patch +ApplyPatch 1733-xfrm-defensively-unhash-xfrm-state-lists-in-xfrm-state-delet.patch +ApplyPatch 1734-smb-client-fix-off-by-8-bounds-check-in-check-wsl-eas.patch +ApplyPatch 1735-smb-client-fix-out-of-bounds-read-in-smb2-compound-op.patch # END OF PATCH APPLICATIONS # Any further pre-build tree manipulations happen here. @@ -5021,6 +5065,43 @@ fi # # %changelog +* Mon Jul 07 2026 Andrew Lukoshko - 5.14.0-687.22.1 +- Recreate RHEL 5.14.0-687.22.1 from CentOS Stream 9 and upstream stable backports (1713-1735) +- Retain AlmaLinux ahead-of-RHEL fixes: KVM x86 shadow paging (1710-1711), eventpoll + ep_remove use-after-free CVE-2026-46242 (1712) +- RHEL 5.14.0-687.21.1 now also carries the vgic-its fix (CVE-2026-46316); the AlmaLinux + ahead-patch (1312) is retained and RHEL's duplicate copy omitted +- CONFIG_ARM64_ERRATUM_4118414 enabled for aarch64 (CVE-2025-10263) +- RHEL changelog for 687.21.1..687.22.1 follows: + +* Mon Jul 06 2026 CKI KWF Bot [5.14.0-687.22.1.el9_8] +- smb/client: fix out-of-bounds read in smb2_compound_op() (Paulo Alcantara) [RHEL-180041] {CVE-2026-46155} +- smb: client: fix off-by-8 bounds check in check_wsl_eas() (Paulo Alcantara) [RHEL-180041] +- xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete (Sabrina Dubroca) [RHEL-180176] {CVE-2026-46116} +- net: gro: don't merge zcopy skbs (Sabrina Dubroca) [RHEL-177878] {CVE-2026-46323} +- net/mana: Null service_wq on setup error to prevent double destroy (CKI Backport Bot) [RHEL-180271] {CVE-2026-43276} +- net: mana: Fix double destroy_workqueue on service rescan PCI path (CKI Backport Bot) [RHEL-180271] {CVE-2026-43276} + +* Thu Jul 02 2026 CKI KWF Bot [5.14.0-687.21.1.el9_8] +- fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath (CKI Backport Bot) [RHEL-189503] {CVE-2026-43112} +- Enable workaround for ARM64 ERRATUM 4118414 (Mark Salter) [RHEL-183625] {CVE-2025-10263} +- arm64: cputype: Add NVIDIA Olympus definitions (Mark Salter) [RHEL-183625] {CVE-2025-10263} +- arm64: errata: Mitigate TLBI errata on Microsoft Azure Cobalt 100 CPU (Mark Salter) [RHEL-183625] {CVE-2025-10263} +- arm64: errata: Mitigate TLBI errata on NVIDIA Olympus CPU (Mark Salter) [RHEL-183625] {CVE-2025-10263} +- arm64: errata: Mitigate TLBI errata on various Arm CPUs (Mark Salter) [RHEL-183625] {CVE-2025-10263} +- arm64: errata: Apply workarounds for Neoverse-V3AE (Mark Salter) [RHEL-183625] {CVE-2025-10263} +- arm64: cputype: Add Neoverse-V3AE definitions (Mark Salter) [RHEL-183625] {CVE-2025-10263} +- arm64: cputype: Add C1-Ultra definitions (Mark Salter) [RHEL-183625] {CVE-2025-10263} +- arm64: cputype: Add C1-Premium definitions (Mark Salter) [RHEL-183625] {CVE-2025-10263} +- arm64: cputype: Add C1-Pro definitions (Mark Salter) [RHEL-183625] {CVE-2025-10263} +- Clean up documentation mess left by previous backport (Mark Salter) [RHEL-183625] {CVE-2025-10263} +- KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry (CKI Backport Bot) [RHEL-183969] {CVE-2026-46316} +- netfilter: nft_inner: Fix IPv6 inner_thoff desync (CKI Backport Bot) [RHEL-181929] {CVE-2026-46244} +- procfs: fix missing RCU protection when reading real_parent in do_task_stat() (CKI Backport Bot) [RHEL-181907] {CVE-2026-46259} +- drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs() (CKI Backport Bot) [RHEL-179909] {CVE-2026-46209} +- sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL (CKI Backport Bot) [RHEL-179865] {CVE-2026-46227} +- nouveau/gsp: drop WARN_ON in ACPI probes (Lyude Paul) [RHEL-160966] + * Mon Jul 06 2026 Andrew Lukoshko - 5.14.0-687.20.3 - Fix CVE-2026-46242: eventpoll ep_remove struct eventpoll / struct file use-after-free, adapted from upstream a6dc643c6931 ahead of RHEL (1712)