Recreate RHEL 6.12.0-211.32.1 from upstream backports
- Drop AlmaLinux ahead-of-RHEL KVM x86 shadow paging fixes (1415, 1416), superseded by RHEL's copies in 211.32.1 - Add RHEL 211.32.1 backports recreated from upstream stable (1447-1450) - Keep the rtmutex remove_waiter() fixes (1445, 1446)
This commit is contained in:
parent
98fac998eb
commit
df2a0315c5
@ -0,0 +1,77 @@
|
||||
From 6187a172d6ed57d6b2c327836e4407c6456e639d Mon Sep 17 00:00:00 2001
|
||||
From: Ben Morris <bmorris@anthropic.com>
|
||||
Date: Thu, 7 May 2026 17:14:55 -0700
|
||||
Subject: [PATCH] sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in
|
||||
SCTP_SENDALL
|
||||
|
||||
commit abb5f36771cc4c05899b34000829a787572a8817 upstream.
|
||||
|
||||
The SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with
|
||||
list_for_each_entry_safe(), which caches the next entry in @tmp before
|
||||
the loop body runs. The body calls sctp_sendmsg_to_asoc(), which may
|
||||
drop the socket lock inside sctp_wait_for_sndbuf().
|
||||
|
||||
While the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the
|
||||
association cached in @tmp, migrating it to a new endpoint via
|
||||
sctp_sock_migrate() (list_del_init() + list_add_tail() to
|
||||
newep->asocs), and optionally close the new socket which frees the
|
||||
association via kfree_rcu(). The cached @tmp can also be freed by a
|
||||
network ABORT for that association, processed in softirq while the
|
||||
lock is dropped.
|
||||
|
||||
sctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock
|
||||
via the "sk != asoc->base.sk" and "asoc->base.dead" checks, but nothing
|
||||
revalidates @tmp. After a successful return, the iterator advances to
|
||||
the stale @tmp, yielding either a use-after-free (if the peeled socket
|
||||
was closed) or a list-walk onto the new endpoint's list head (type
|
||||
confusion of &newep->asocs as a struct sctp_association *).
|
||||
|
||||
Both are reachable from CapEff=0; the type-confusion path gives
|
||||
controlled indirect call via the outqueue.sched->init_sid pointer.
|
||||
|
||||
Fix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc()
|
||||
returns. @asoc is known to still be on ep->asocs at that point: the
|
||||
only callers that list_del an association from ep->asocs are
|
||||
sctp_association_free() (which sets asoc->base.dead) and
|
||||
sctp_assoc_migrate() (which changes asoc->base.sk), and
|
||||
sctp_wait_for_sndbuf() checks both under the lock before any
|
||||
successful return; a tripped check propagates as err < 0 and the loop
|
||||
bails before the re-derive.
|
||||
|
||||
The SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the
|
||||
loop hits 'continue' before sctp_sendmsg_to_asoc() is ever called, so
|
||||
the @tmp cached by list_for_each_entry_safe() still covers the
|
||||
lock-held free that ba59fb027307 ("sctp: walk the list of asoc
|
||||
safely") was added for.
|
||||
|
||||
Fixes: 4910280503f3 ("sctp: add support for snd flag SCTP_SENDALL process in sendmsg")
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Ben Morris <bmorris@anthropic.com>
|
||||
Acked-by: Xin Long <lucien.xin@gmail.com>
|
||||
Link: https://patch.msgid.link/20260508001455.3137-1-joycathacker@gmail.com
|
||||
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
|
||||
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
|
||||
index b6956b25b33d..c8038b4b67c7 100644
|
||||
--- a/net/sctp/socket.c
|
||||
+++ b/net/sctp/socket.c
|
||||
@@ -1986,6 +1986,15 @@ static int sctp_sendmsg(struct sock *sk, struct msghdr *msg, size_t msg_len)
|
||||
goto out_unlock;
|
||||
|
||||
iov_iter_revert(&msg->msg_iter, err);
|
||||
+
|
||||
+ /* sctp_sendmsg_to_asoc() may have released the socket
|
||||
+ * lock (sctp_wait_for_sndbuf), during which other
|
||||
+ * associations on ep->asocs could have been peeled
|
||||
+ * off or freed. @asoc itself is revalidated by the
|
||||
+ * base.dead and base.sk checks in sctp_wait_for_sndbuf,
|
||||
+ * so re-derive the cached cursor from it.
|
||||
+ */
|
||||
+ tmp = list_next_entry(asoc, asocs);
|
||||
}
|
||||
|
||||
goto out_unlock;
|
||||
--
|
||||
2.50.1 (Apple Git-155)
|
||||
|
||||
@ -0,0 +1,227 @@
|
||||
From 06bfb66a7c8b45e3fed01351a4b087410ae5ef39 Mon Sep 17 00:00:00 2001
|
||||
From: Jamal Hadi Salim <jhs@mojatatu.com>
|
||||
Date: Fri, 28 Nov 2025 10:19:19 -0500
|
||||
Subject: [PATCH] net/sched: ets: Always remove class from active list before
|
||||
deleting in ets_qdisc_change
|
||||
|
||||
[ Upstream commit ce052b9402e461a9aded599f5b47e76bc727f7de ]
|
||||
|
||||
zdi-disclosures@trendmicro.com says:
|
||||
|
||||
The vulnerability is a race condition between `ets_qdisc_dequeue` and
|
||||
`ets_qdisc_change`. It leads to UAF on `struct Qdisc` object.
|
||||
Attacker requires the capability to create new user and network namespace
|
||||
in order to trigger the bug.
|
||||
See my additional commentary at the end of the analysis.
|
||||
|
||||
Analysis:
|
||||
|
||||
static int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt,
|
||||
struct netlink_ext_ack *extack)
|
||||
{
|
||||
...
|
||||
|
||||
// (1) this lock is preventing .change handler (`ets_qdisc_change`)
|
||||
//to race with .dequeue handler (`ets_qdisc_dequeue`)
|
||||
sch_tree_lock(sch);
|
||||
|
||||
for (i = nbands; i < oldbands; i++) {
|
||||
if (i >= q->nstrict && q->classes[i].qdisc->q.qlen)
|
||||
list_del_init(&q->classes[i].alist);
|
||||
qdisc_purge_queue(q->classes[i].qdisc);
|
||||
}
|
||||
|
||||
WRITE_ONCE(q->nbands, nbands);
|
||||
for (i = nstrict; i < q->nstrict; i++) {
|
||||
if (q->classes[i].qdisc->q.qlen) {
|
||||
// (2) the class is added to the q->active
|
||||
list_add_tail(&q->classes[i].alist, &q->active);
|
||||
q->classes[i].deficit = quanta[i];
|
||||
}
|
||||
}
|
||||
WRITE_ONCE(q->nstrict, nstrict);
|
||||
memcpy(q->prio2band, priomap, sizeof(priomap));
|
||||
|
||||
for (i = 0; i < q->nbands; i++)
|
||||
WRITE_ONCE(q->classes[i].quantum, quanta[i]);
|
||||
|
||||
for (i = oldbands; i < q->nbands; i++) {
|
||||
q->classes[i].qdisc = queues[i];
|
||||
if (q->classes[i].qdisc != &noop_qdisc)
|
||||
qdisc_hash_add(q->classes[i].qdisc, true);
|
||||
}
|
||||
|
||||
// (3) the qdisc is unlocked, now dequeue can be called in parallel
|
||||
// to the rest of .change handler
|
||||
sch_tree_unlock(sch);
|
||||
|
||||
ets_offload_change(sch);
|
||||
for (i = q->nbands; i < oldbands; i++) {
|
||||
// (4) we're reducing the refcount for our class's qdisc and
|
||||
// freeing it
|
||||
qdisc_put(q->classes[i].qdisc);
|
||||
// (5) If we call .dequeue between (4) and (5), we will have
|
||||
// a strong UAF and we can control RIP
|
||||
q->classes[i].qdisc = NULL;
|
||||
WRITE_ONCE(q->classes[i].quantum, 0);
|
||||
q->classes[i].deficit = 0;
|
||||
gnet_stats_basic_sync_init(&q->classes[i].bstats);
|
||||
memset(&q->classes[i].qstats, 0, sizeof(q->classes[i].qstats));
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
Comment:
|
||||
This happens because some of the classes have their qdiscs assigned to
|
||||
NULL, but remain in the active list. This commit fixes this issue by always
|
||||
removing the class from the active list before deleting and freeing its
|
||||
associated qdisc
|
||||
|
||||
Reproducer Steps
|
||||
(trimmed version of what was sent by zdi-disclosures@trendmicro.com)
|
||||
|
||||
```
|
||||
DEV="${DEV:-lo}"
|
||||
ROOT_HANDLE="${ROOT_HANDLE:-1:}"
|
||||
BAND2_HANDLE="${BAND2_HANDLE:-20:}" # child under 1:2
|
||||
PING_BYTES="${PING_BYTES:-48}"
|
||||
PING_COUNT="${PING_COUNT:-200000}"
|
||||
PING_DST="${PING_DST:-127.0.0.1}"
|
||||
|
||||
SLOW_TBF_RATE="${SLOW_TBF_RATE:-8bit}"
|
||||
SLOW_TBF_BURST="${SLOW_TBF_BURST:-100b}"
|
||||
SLOW_TBF_LAT="${SLOW_TBF_LAT:-1s}"
|
||||
|
||||
cleanup() {
|
||||
tc qdisc del dev "$DEV" root 2>/dev/null
|
||||
}
|
||||
trap cleanup EXIT
|
||||
|
||||
ip link set "$DEV" up
|
||||
|
||||
tc qdisc del dev "$DEV" root 2>/dev/null || true
|
||||
|
||||
tc qdisc add dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 2
|
||||
|
||||
tc qdisc add dev "$DEV" parent 1:2 handle "$BAND2_HANDLE" \
|
||||
tbf rate "$SLOW_TBF_RATE" burst "$SLOW_TBF_BURST" latency "$SLOW_TBF_LAT"
|
||||
|
||||
tc filter add dev "$DEV" parent 1: protocol all prio 1 u32 match u32 0 0 flowid 1:2
|
||||
tc -s qdisc ls dev $DEV
|
||||
|
||||
ping -I "$DEV" -f -c "$PING_COUNT" -s "$PING_BYTES" -W 0.001 "$PING_DST" \
|
||||
>/dev/null 2>&1 &
|
||||
tc qdisc change dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 0
|
||||
tc qdisc change dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 2
|
||||
tc -s qdisc ls dev $DEV
|
||||
tc qdisc del dev "$DEV" parent 1:2 || true
|
||||
tc -s qdisc ls dev $DEV
|
||||
tc qdisc change dev "$DEV" root handle "$ROOT_HANDLE" ets bands 1 strict 1
|
||||
```
|
||||
|
||||
KASAN report
|
||||
```
|
||||
==================================================================
|
||||
BUG: KASAN: slab-use-after-free in ets_qdisc_dequeue+0x1071/0x11b0 kernel/net/sched/sch_ets.c:481
|
||||
Read of size 8 at addr ffff8880502fc018 by task ping/12308
|
||||
>
|
||||
CPU: 0 UID: 0 PID: 12308 Comm: ping Not tainted 6.18.0-rc4-dirty #1 PREEMPT(full)
|
||||
Hardware name: QEMU Ubuntu 25.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
|
||||
Call Trace:
|
||||
<IRQ>
|
||||
__dump_stack kernel/lib/dump_stack.c:94
|
||||
dump_stack_lvl+0x100/0x190 kernel/lib/dump_stack.c:120
|
||||
print_address_description kernel/mm/kasan/report.c:378
|
||||
print_report+0x156/0x4c9 kernel/mm/kasan/report.c:482
|
||||
kasan_report+0xdf/0x110 kernel/mm/kasan/report.c:595
|
||||
ets_qdisc_dequeue+0x1071/0x11b0 kernel/net/sched/sch_ets.c:481
|
||||
dequeue_skb kernel/net/sched/sch_generic.c:294
|
||||
qdisc_restart kernel/net/sched/sch_generic.c:399
|
||||
__qdisc_run+0x1c9/0x1b00 kernel/net/sched/sch_generic.c:417
|
||||
__dev_xmit_skb kernel/net/core/dev.c:4221
|
||||
__dev_queue_xmit+0x2848/0x4410 kernel/net/core/dev.c:4729
|
||||
dev_queue_xmit kernel/./include/linux/netdevice.h:3365
|
||||
[...]
|
||||
|
||||
Allocated by task 17115:
|
||||
kasan_save_stack+0x30/0x50 kernel/mm/kasan/common.c:56
|
||||
kasan_save_track+0x14/0x30 kernel/mm/kasan/common.c:77
|
||||
poison_kmalloc_redzone kernel/mm/kasan/common.c:400
|
||||
__kasan_kmalloc+0xaa/0xb0 kernel/mm/kasan/common.c:417
|
||||
kasan_kmalloc kernel/./include/linux/kasan.h:262
|
||||
__do_kmalloc_node kernel/mm/slub.c:5642
|
||||
__kmalloc_node_noprof+0x34e/0x990 kernel/mm/slub.c:5648
|
||||
kmalloc_node_noprof kernel/./include/linux/slab.h:987
|
||||
qdisc_alloc+0xb8/0xc30 kernel/net/sched/sch_generic.c:950
|
||||
qdisc_create_dflt+0x93/0x490 kernel/net/sched/sch_generic.c:1012
|
||||
ets_class_graft+0x4fd/0x800 kernel/net/sched/sch_ets.c:261
|
||||
qdisc_graft+0x3e4/0x1780 kernel/net/sched/sch_api.c:1196
|
||||
[...]
|
||||
|
||||
Freed by task 9905:
|
||||
kasan_save_stack+0x30/0x50 kernel/mm/kasan/common.c:56
|
||||
kasan_save_track+0x14/0x30 kernel/mm/kasan/common.c:77
|
||||
__kasan_save_free_info+0x3b/0x70 kernel/mm/kasan/generic.c:587
|
||||
kasan_save_free_info kernel/mm/kasan/kasan.h:406
|
||||
poison_slab_object kernel/mm/kasan/common.c:252
|
||||
__kasan_slab_free+0x5f/0x80 kernel/mm/kasan/common.c:284
|
||||
kasan_slab_free kernel/./include/linux/kasan.h:234
|
||||
slab_free_hook kernel/mm/slub.c:2539
|
||||
slab_free kernel/mm/slub.c:6630
|
||||
kfree+0x144/0x700 kernel/mm/slub.c:6837
|
||||
rcu_do_batch kernel/kernel/rcu/tree.c:2605
|
||||
rcu_core+0x7c0/0x1500 kernel/kernel/rcu/tree.c:2861
|
||||
handle_softirqs+0x1ea/0x8a0 kernel/kernel/softirq.c:622
|
||||
__do_softirq kernel/kernel/softirq.c:656
|
||||
[...]
|
||||
|
||||
Commentary:
|
||||
|
||||
1. Maher Azzouzi working with Trend Micro Zero Day Initiative was reported as
|
||||
the person who found the issue. I requested to get a proper email to add to the
|
||||
reported-by tag but got no response. For this reason i will credit the person
|
||||
i exchanged emails with i.e zdi-disclosures@trendmicro.com
|
||||
|
||||
2. Neither i nor Victor who did a much more thorough testing was able to
|
||||
reproduce a UAF with the PoC or other approaches we tried. We were both able to
|
||||
reproduce a null ptr deref. After exchange with zdi-disclosures@trendmicro.com
|
||||
they sent a small change to be made to the code to add an extra delay which
|
||||
was able to simulate the UAF. i.e, this:
|
||||
qdisc_put(q->classes[i].qdisc);
|
||||
mdelay(90);
|
||||
q->classes[i].qdisc = NULL;
|
||||
|
||||
I was informed by Thomas Gleixner(tglx@linutronix.de) that adding delays was
|
||||
acceptable approach for demonstrating the bug, quote:
|
||||
"Adding such delays is common exploit validation practice"
|
||||
The equivalent delay could happen "by virt scheduling the vCPU out, SMIs,
|
||||
NMIs, PREEMPT_RT enabled kernel"
|
||||
|
||||
3. I asked the OP to test and report back but got no response and after a
|
||||
few days gave up and proceeded to submit this fix.
|
||||
|
||||
Fixes: de6d25924c2a ("net/sched: sch_ets: don't peek at classes beyond 'nbands'")
|
||||
Reported-by: zdi-disclosures@trendmicro.com
|
||||
Tested-by: Victor Nogueira <victor@mojatatu.com>
|
||||
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
|
||||
Reviewed-by: Davide Caratti <dcaratti@redhat.com>
|
||||
Link: https://patch.msgid.link/20251128151919.576920-1-jhs@mojatatu.com
|
||||
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
|
||||
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||||
|
||||
diff --git a/net/sched/sch_ets.c b/net/sched/sch_ets.c
|
||||
index 82635dd2cfa5..ae46643e596d 100644
|
||||
--- a/net/sched/sch_ets.c
|
||||
+++ b/net/sched/sch_ets.c
|
||||
@@ -652,7 +652,7 @@ static int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt,
|
||||
sch_tree_lock(sch);
|
||||
|
||||
for (i = nbands; i < oldbands; i++) {
|
||||
- if (i >= q->nstrict && q->classes[i].qdisc->q.qlen)
|
||||
+ if (cl_is_active(&q->classes[i]))
|
||||
list_del_init(&q->classes[i].alist);
|
||||
qdisc_purge_queue(q->classes[i].qdisc);
|
||||
}
|
||||
--
|
||||
2.50.1 (Apple Git-155)
|
||||
|
||||
@ -1,9 +1,11 @@
|
||||
From 0cb2af2ea66ad8ff195c156ea690f11216285bdf Mon Sep 17 00:00:00 2001
|
||||
From 06c19c967b845b63172601fe459667d973b7e6b7 Mon Sep 17 00:00:00 2001
|
||||
From: Sean Christopherson <seanjc@google.com>
|
||||
Date: Wed, 15 Apr 2026 00:52:34 +0000
|
||||
Date: Tue, 5 May 2026 08:59:56 +0200
|
||||
Subject: [PATCH] KVM: x86: Fix shadow paging use-after-free due to unexpected
|
||||
GFN
|
||||
|
||||
commit 0cb2af2ea66ad8ff195c156ea690f11216285bdf upstream.
|
||||
|
||||
The shadow MMU computes GFNs for direct shadow pages using sp->gfn plus
|
||||
the SPTE index. This assumption breaks for shadow paging if the guest
|
||||
page tables are modified between VM entries (similar to commit
|
||||
@ -58,9 +60,10 @@ Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Sean Christopherson <seanjc@google.com>
|
||||
Link: https://patch.msgid.link/20260503201029.106481-1-pbonzini@redhat.com/
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||||
|
||||
diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c
|
||||
index 24fbc9ea502a..892246204435 100644
|
||||
index e82da76e1..274223ef0 100644
|
||||
--- a/arch/x86/kvm/mmu/mmu.c
|
||||
+++ b/arch/x86/kvm/mmu/mmu.c
|
||||
@@ -182,6 +182,8 @@ static struct kmem_cache *pte_list_desc_cache;
|
||||
@ -72,7 +75,7 @@ index 24fbc9ea502a..892246204435 100644
|
||||
|
||||
struct kvm_mmu_role_regs {
|
||||
const unsigned long cr0;
|
||||
@@ -1287,19 +1289,6 @@ static void drop_spte(struct kvm *kvm, u64 *sptep)
|
||||
@@ -1283,19 +1285,6 @@ static void drop_spte(struct kvm *kvm, u64 *sptep)
|
||||
rmap_remove(kvm, sptep);
|
||||
}
|
||||
|
||||
@ -92,7 +95,7 @@ index 24fbc9ea502a..892246204435 100644
|
||||
/*
|
||||
* Write-protect on the specified @sptep, @pt_protect indicates whether
|
||||
* spte write-protection is caused by protecting shadow page table.
|
||||
@@ -2466,7 +2455,8 @@ static struct kvm_mmu_page *kvm_mmu_get_child_sp(struct kvm_vcpu *vcpu,
|
||||
@@ -2462,7 +2451,8 @@ static struct kvm_mmu_page *kvm_mmu_get_child_sp(struct kvm_vcpu *vcpu,
|
||||
{
|
||||
union kvm_mmu_page_role role;
|
||||
|
||||
@ -102,7 +105,7 @@ index 24fbc9ea502a..892246204435 100644
|
||||
return ERR_PTR(-EEXIST);
|
||||
|
||||
role = kvm_mmu_child_role(sptep, direct, access);
|
||||
@@ -2544,13 +2534,16 @@ static void __link_shadow_page(struct kvm *kvm,
|
||||
@@ -2540,13 +2530,16 @@ static void __link_shadow_page(struct kvm *kvm,
|
||||
|
||||
BUILD_BUG_ON(VMX_EPT_WRITABLE_MASK != PT_WRITABLE_MASK);
|
||||
|
||||
@ -126,6 +129,3 @@ index 24fbc9ea502a..892246204435 100644
|
||||
|
||||
spte = make_nonleaf_spte(sp->spt, sp_ad_disabled(sp));
|
||||
|
||||
--
|
||||
2.50.1 (Apple Git-155)
|
||||
|
||||
@ -1,9 +1,11 @@
|
||||
From 81ccda30b4e83d8f5cc4fd50503c44e3a33abfeb Mon Sep 17 00:00:00 2001
|
||||
From 2ad3afa40ac6aa340dada122f9abfa46c0a6eb35 Mon Sep 17 00:00:00 2001
|
||||
From: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Date: Fri, 12 Jun 2026 22:18:12 +0200
|
||||
Date: Fri, 26 Jun 2026 13:24:04 +0200
|
||||
Subject: [PATCH] KVM: x86: Fix shadow paging use-after-free due to unexpected
|
||||
role
|
||||
|
||||
commit 81ccda30b4e83d8f5cc4fd50503c44e3a33abfeb upstream.
|
||||
|
||||
Commit 0cb2af2ea66ad ("KVM: x86: Fix shadow paging use-after-free due
|
||||
to unexpected GFN") fixed a shadow paging mismatch between stored and
|
||||
computed GFNs; the bug could be triggered by changing a PDE mapping from
|
||||
@ -34,12 +36,13 @@ use-after-free.
|
||||
Fixes: 2032a93d66fa ("KVM: MMU: Don't allocate gfns page for direct mmu pages")
|
||||
Reported-by: Hyunwoo Kim <imv4bel@gmail.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||||
|
||||
diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c
|
||||
index 9368a71336fe..c13b80fe3125 100644
|
||||
index 274223ef0..641589165 100644
|
||||
--- a/arch/x86/kvm/mmu/mmu.c
|
||||
+++ b/arch/x86/kvm/mmu/mmu.c
|
||||
@@ -2459,13 +2459,15 @@ static struct kvm_mmu_page *kvm_mmu_get_child_sp(struct kvm_vcpu *vcpu,
|
||||
@@ -2449,13 +2449,15 @@ static struct kvm_mmu_page *kvm_mmu_get_child_sp(struct kvm_vcpu *vcpu,
|
||||
u64 *sptep, gfn_t gfn,
|
||||
bool direct, unsigned int access)
|
||||
{
|
||||
@ -59,6 +62,3 @@ index 9368a71336fe..c13b80fe3125 100644
|
||||
return kvm_mmu_get_shadow_page(vcpu, gfn, role);
|
||||
}
|
||||
|
||||
--
|
||||
2.50.1 (Apple Git-155)
|
||||
|
||||
28
kernel.spec
28
kernel.spec
@ -176,13 +176,13 @@ Summary: The Linux kernel
|
||||
%define specrpmversion 6.12.0
|
||||
%define specversion 6.12.0
|
||||
%define patchversion 6.12
|
||||
%define pkgrelease 211.31.2
|
||||
%define pkgrelease 211.32.1
|
||||
%define kversion 6
|
||||
%define tarfile_release 6.12.0-211.7.1.el10_2
|
||||
# This is needed to do merge window version magic
|
||||
%define patchlevel 12
|
||||
# This allows pkg_release to have configurable %%{?dist} tag
|
||||
%define specrelease 211.31.2%{?buildid}%{?dist}
|
||||
%define specrelease 211.32.1%{?buildid}%{?dist}
|
||||
# This defines the kabi tarball version
|
||||
%define kabiversion 6.12.0-211.7.1.el10_2
|
||||
|
||||
@ -1449,8 +1449,6 @@ Patch1411: 1411-arm64-errata-mitigate-tlbi-errata-on-various-arm-cpus.patch
|
||||
Patch1412: 1412-arm64-errata-mitigate-tlbi-errata-on-nvidia-olympus-cpu.patch
|
||||
Patch1413: 1413-arm64-errata-mitigate-tlbi-errata-on-microsoft-azure-cobalt.patch
|
||||
Patch1414: 1414-fs-smb-client-fix-out-of-bounds-read-in-cifs-sanitize-prepa.patch
|
||||
Patch1415: 1415-kvm-x86-fix-shadow-paging-use-after-free-due-to-unexpected-gfn.patch
|
||||
Patch1416: 1416-kvm-x86-fix-shadow-paging-use-after-free-due-to-unexpected-role.patch
|
||||
Patch1421: 1421-net-page-pool-avoid-false-positive-warning-if-napi-was-never.patch
|
||||
Patch1422: 1422-net-mana-fix-double-destroy-workqueue-on-service-rescan-pci.patch
|
||||
Patch1423: 1423-net-mana-null-service-wq-on-setup-error-to-prevent-double-de.patch
|
||||
@ -1477,6 +1475,10 @@ Patch1443: 1443-eventpoll-fix-integer-overflow-in-ep-loop-check-proc.patch
|
||||
Patch1444: 1444-eventpoll-refresh-epi-fget-ep-remove-file-comments.patch
|
||||
Patch1445: 1445-rtmutex-use-waiter-task-in-remove-waiter.patch
|
||||
Patch1446: 1446-rtmutex-skip-remove-waiter-when-not-enqueued.patch
|
||||
Patch1447: 1447-sctp-revalidate-list-cursor-after-sctp-sendmsg-to-asoc-in-sctp-sendall.patch
|
||||
Patch1448: 1448-net-sched-ets-always-remove-class-from-active-list-before-deleting.patch
|
||||
Patch1449: 1449-kvm-x86-fix-shadow-paging-use-after-free-due-to-unexpected-gfn.patch
|
||||
Patch1450: 1450-kvm-x86-fix-shadow-paging-use-after-free-due-to-unexpected-role.patch
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%description
|
||||
@ -2648,8 +2650,6 @@ ApplyPatch 1411-arm64-errata-mitigate-tlbi-errata-on-various-arm-cpus.patch
|
||||
ApplyPatch 1412-arm64-errata-mitigate-tlbi-errata-on-nvidia-olympus-cpu.patch
|
||||
ApplyPatch 1413-arm64-errata-mitigate-tlbi-errata-on-microsoft-azure-cobalt.patch
|
||||
ApplyPatch 1414-fs-smb-client-fix-out-of-bounds-read-in-cifs-sanitize-prepa.patch
|
||||
ApplyPatch 1415-kvm-x86-fix-shadow-paging-use-after-free-due-to-unexpected-gfn.patch
|
||||
ApplyPatch 1416-kvm-x86-fix-shadow-paging-use-after-free-due-to-unexpected-role.patch
|
||||
ApplyPatch 1421-net-page-pool-avoid-false-positive-warning-if-napi-was-never.patch
|
||||
ApplyPatch 1422-net-mana-fix-double-destroy-workqueue-on-service-rescan-pci.patch
|
||||
ApplyPatch 1423-net-mana-null-service-wq-on-setup-error-to-prevent-double-de.patch
|
||||
@ -2676,6 +2676,10 @@ ApplyPatch 1443-eventpoll-fix-integer-overflow-in-ep-loop-check-proc.patch
|
||||
ApplyPatch 1444-eventpoll-refresh-epi-fget-ep-remove-file-comments.patch
|
||||
ApplyPatch 1445-rtmutex-use-waiter-task-in-remove-waiter.patch
|
||||
ApplyPatch 1446-rtmutex-skip-remove-waiter-when-not-enqueued.patch
|
||||
ApplyPatch 1447-sctp-revalidate-list-cursor-after-sctp-sendmsg-to-asoc-in-sctp-sendall.patch
|
||||
ApplyPatch 1448-net-sched-ets-always-remove-class-from-active-list-before-deleting.patch
|
||||
ApplyPatch 1449-kvm-x86-fix-shadow-paging-use-after-free-due-to-unexpected-gfn.patch
|
||||
ApplyPatch 1450-kvm-x86-fix-shadow-paging-use-after-free-due-to-unexpected-role.patch
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
# Any further pre-build tree manipulations happen here.
|
||||
@ -5180,6 +5184,18 @@ fi\
|
||||
#
|
||||
#
|
||||
%changelog
|
||||
* Thu Jul 09 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 6.12.0-211.32.1
|
||||
- Recreate RHEL 6.12.0-211.32.1 from upstream stable backports (1447-1450)
|
||||
- The AlmaLinux ahead-of-RHEL KVM x86 shadow paging fixes (1415, 1416) are
|
||||
superseded by RHEL's copies and dropped
|
||||
- RHEL changelog for 211.32.1 follows:
|
||||
|
||||
* Tue Jul 07 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-211.32.1.el10_2]
|
||||
- KVM: x86: Fix shadow paging use-after-free due to unexpected role (Paolo Bonzini) [RHEL-192407] {CVE-2026-53359}
|
||||
- KVM: x86: Fix shadow paging use-after-free due to unexpected GFN (CKI Backport Bot) [RHEL-186698] {CVE-2026-46113}
|
||||
- net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change (CKI Backport Bot) [RHEL-183007] {CVE-2025-71066}
|
||||
- sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL (CKI Backport Bot) [RHEL-179854] {CVE-2026-46227}
|
||||
|
||||
* Wed Jul 08 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 6.12.0-211.31.2
|
||||
- Bring back the rtmutex self-deadlock NULL pointer dereference fixes in
|
||||
remove_waiter() ahead of RHEL, upstream 3bfdc63936dd + 40a25d59e85b (1445, 1446)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user