diff --git a/1447-sctp-revalidate-list-cursor-after-sctp-sendmsg-to-asoc-in-sctp-sendall.patch b/1447-sctp-revalidate-list-cursor-after-sctp-sendmsg-to-asoc-in-sctp-sendall.patch new file mode 100644 index 000000000..46aa7ba93 --- /dev/null +++ b/1447-sctp-revalidate-list-cursor-after-sctp-sendmsg-to-asoc-in-sctp-sendall.patch @@ -0,0 +1,77 @@ +From 6187a172d6ed57d6b2c327836e4407c6456e639d Mon Sep 17 00:00:00 2001 +From: Ben Morris +Date: Thu, 7 May 2026 17:14:55 -0700 +Subject: [PATCH] sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in + SCTP_SENDALL + +commit abb5f36771cc4c05899b34000829a787572a8817 upstream. + +The SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with +list_for_each_entry_safe(), which caches the next entry in @tmp before +the loop body runs. The body calls sctp_sendmsg_to_asoc(), which may +drop the socket lock inside sctp_wait_for_sndbuf(). + +While the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the +association cached in @tmp, migrating it to a new endpoint via +sctp_sock_migrate() (list_del_init() + list_add_tail() to +newep->asocs), and optionally close the new socket which frees the +association via kfree_rcu(). The cached @tmp can also be freed by a +network ABORT for that association, processed in softirq while the +lock is dropped. + +sctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock +via the "sk != asoc->base.sk" and "asoc->base.dead" checks, but nothing +revalidates @tmp. After a successful return, the iterator advances to +the stale @tmp, yielding either a use-after-free (if the peeled socket +was closed) or a list-walk onto the new endpoint's list head (type +confusion of &newep->asocs as a struct sctp_association *). + +Both are reachable from CapEff=0; the type-confusion path gives +controlled indirect call via the outqueue.sched->init_sid pointer. + +Fix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc() +returns. @asoc is known to still be on ep->asocs at that point: the +only callers that list_del an association from ep->asocs are +sctp_association_free() (which sets asoc->base.dead) and +sctp_assoc_migrate() (which changes asoc->base.sk), and +sctp_wait_for_sndbuf() checks both under the lock before any +successful return; a tripped check propagates as err < 0 and the loop +bails before the re-derive. + +The SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the +loop hits 'continue' before sctp_sendmsg_to_asoc() is ever called, so +the @tmp cached by list_for_each_entry_safe() still covers the +lock-held free that ba59fb027307 ("sctp: walk the list of asoc +safely") was added for. + +Fixes: 4910280503f3 ("sctp: add support for snd flag SCTP_SENDALL process in sendmsg") +Cc: stable@vger.kernel.org +Signed-off-by: Ben Morris +Acked-by: Xin Long +Link: https://patch.msgid.link/20260508001455.3137-1-joycathacker@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman + +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index b6956b25b33d..c8038b4b67c7 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -1986,6 +1986,15 @@ static int sctp_sendmsg(struct sock *sk, struct msghdr *msg, size_t msg_len) + goto out_unlock; + + iov_iter_revert(&msg->msg_iter, err); ++ ++ /* sctp_sendmsg_to_asoc() may have released the socket ++ * lock (sctp_wait_for_sndbuf), during which other ++ * associations on ep->asocs could have been peeled ++ * off or freed. @asoc itself is revalidated by the ++ * base.dead and base.sk checks in sctp_wait_for_sndbuf, ++ * so re-derive the cached cursor from it. ++ */ ++ tmp = list_next_entry(asoc, asocs); + } + + goto out_unlock; +-- +2.50.1 (Apple Git-155) + diff --git a/1448-net-sched-ets-always-remove-class-from-active-list-before-deleting.patch b/1448-net-sched-ets-always-remove-class-from-active-list-before-deleting.patch new file mode 100644 index 000000000..11010b35a --- /dev/null +++ b/1448-net-sched-ets-always-remove-class-from-active-list-before-deleting.patch @@ -0,0 +1,227 @@ +From 06bfb66a7c8b45e3fed01351a4b087410ae5ef39 Mon Sep 17 00:00:00 2001 +From: Jamal Hadi Salim +Date: Fri, 28 Nov 2025 10:19:19 -0500 +Subject: [PATCH] net/sched: ets: Always remove class from active list before + deleting in ets_qdisc_change + +[ Upstream commit ce052b9402e461a9aded599f5b47e76bc727f7de ] + +zdi-disclosures@trendmicro.com says: + +The vulnerability is a race condition between `ets_qdisc_dequeue` and +`ets_qdisc_change`. It leads to UAF on `struct Qdisc` object. +Attacker requires the capability to create new user and network namespace +in order to trigger the bug. +See my additional commentary at the end of the analysis. + +Analysis: + +static int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt, + struct netlink_ext_ack *extack) +{ +... + + // (1) this lock is preventing .change handler (`ets_qdisc_change`) + //to race with .dequeue handler (`ets_qdisc_dequeue`) + sch_tree_lock(sch); + + for (i = nbands; i < oldbands; i++) { + if (i >= q->nstrict && q->classes[i].qdisc->q.qlen) + list_del_init(&q->classes[i].alist); + qdisc_purge_queue(q->classes[i].qdisc); + } + + WRITE_ONCE(q->nbands, nbands); + for (i = nstrict; i < q->nstrict; i++) { + if (q->classes[i].qdisc->q.qlen) { + // (2) the class is added to the q->active + list_add_tail(&q->classes[i].alist, &q->active); + q->classes[i].deficit = quanta[i]; + } + } + WRITE_ONCE(q->nstrict, nstrict); + memcpy(q->prio2band, priomap, sizeof(priomap)); + + for (i = 0; i < q->nbands; i++) + WRITE_ONCE(q->classes[i].quantum, quanta[i]); + + for (i = oldbands; i < q->nbands; i++) { + q->classes[i].qdisc = queues[i]; + if (q->classes[i].qdisc != &noop_qdisc) + qdisc_hash_add(q->classes[i].qdisc, true); + } + + // (3) the qdisc is unlocked, now dequeue can be called in parallel + // to the rest of .change handler + sch_tree_unlock(sch); + + ets_offload_change(sch); + for (i = q->nbands; i < oldbands; i++) { + // (4) we're reducing the refcount for our class's qdisc and + // freeing it + qdisc_put(q->classes[i].qdisc); + // (5) If we call .dequeue between (4) and (5), we will have + // a strong UAF and we can control RIP + q->classes[i].qdisc = NULL; + WRITE_ONCE(q->classes[i].quantum, 0); + q->classes[i].deficit = 0; + gnet_stats_basic_sync_init(&q->classes[i].bstats); + memset(&q->classes[i].qstats, 0, sizeof(q->classes[i].qstats)); + } + return 0; +} + +Comment: +This happens because some of the classes have their qdiscs assigned to +NULL, but remain in the active list. This commit fixes this issue by always +removing the class from the active list before deleting and freeing its +associated qdisc + +Reproducer Steps +(trimmed version of what was sent by zdi-disclosures@trendmicro.com) + +``` +DEV="${DEV:-lo}" +ROOT_HANDLE="${ROOT_HANDLE:-1:}" +BAND2_HANDLE="${BAND2_HANDLE:-20:}" # child under 1:2 +PING_BYTES="${PING_BYTES:-48}" +PING_COUNT="${PING_COUNT:-200000}" +PING_DST="${PING_DST:-127.0.0.1}" + +SLOW_TBF_RATE="${SLOW_TBF_RATE:-8bit}" +SLOW_TBF_BURST="${SLOW_TBF_BURST:-100b}" +SLOW_TBF_LAT="${SLOW_TBF_LAT:-1s}" + +cleanup() { + tc qdisc del dev "$DEV" root 2>/dev/null +} +trap cleanup EXIT + +ip link set "$DEV" up + +tc qdisc del dev "$DEV" root 2>/dev/null || true + +tc qdisc add dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 2 + +tc qdisc add dev "$DEV" parent 1:2 handle "$BAND2_HANDLE" \ + tbf rate "$SLOW_TBF_RATE" burst "$SLOW_TBF_BURST" latency "$SLOW_TBF_LAT" + +tc filter add dev "$DEV" parent 1: protocol all prio 1 u32 match u32 0 0 flowid 1:2 +tc -s qdisc ls dev $DEV + +ping -I "$DEV" -f -c "$PING_COUNT" -s "$PING_BYTES" -W 0.001 "$PING_DST" \ + >/dev/null 2>&1 & +tc qdisc change dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 0 +tc qdisc change dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 2 +tc -s qdisc ls dev $DEV +tc qdisc del dev "$DEV" parent 1:2 || true +tc -s qdisc ls dev $DEV +tc qdisc change dev "$DEV" root handle "$ROOT_HANDLE" ets bands 1 strict 1 +``` + +KASAN report +``` +================================================================== +BUG: KASAN: slab-use-after-free in ets_qdisc_dequeue+0x1071/0x11b0 kernel/net/sched/sch_ets.c:481 +Read of size 8 at addr ffff8880502fc018 by task ping/12308 +> +CPU: 0 UID: 0 PID: 12308 Comm: ping Not tainted 6.18.0-rc4-dirty #1 PREEMPT(full) +Hardware name: QEMU Ubuntu 25.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +Call Trace: + + __dump_stack kernel/lib/dump_stack.c:94 + dump_stack_lvl+0x100/0x190 kernel/lib/dump_stack.c:120 + print_address_description kernel/mm/kasan/report.c:378 + print_report+0x156/0x4c9 kernel/mm/kasan/report.c:482 + kasan_report+0xdf/0x110 kernel/mm/kasan/report.c:595 + ets_qdisc_dequeue+0x1071/0x11b0 kernel/net/sched/sch_ets.c:481 + dequeue_skb kernel/net/sched/sch_generic.c:294 + qdisc_restart kernel/net/sched/sch_generic.c:399 + __qdisc_run+0x1c9/0x1b00 kernel/net/sched/sch_generic.c:417 + __dev_xmit_skb kernel/net/core/dev.c:4221 + __dev_queue_xmit+0x2848/0x4410 kernel/net/core/dev.c:4729 + dev_queue_xmit kernel/./include/linux/netdevice.h:3365 +[...] + +Allocated by task 17115: + kasan_save_stack+0x30/0x50 kernel/mm/kasan/common.c:56 + kasan_save_track+0x14/0x30 kernel/mm/kasan/common.c:77 + poison_kmalloc_redzone kernel/mm/kasan/common.c:400 + __kasan_kmalloc+0xaa/0xb0 kernel/mm/kasan/common.c:417 + kasan_kmalloc kernel/./include/linux/kasan.h:262 + __do_kmalloc_node kernel/mm/slub.c:5642 + __kmalloc_node_noprof+0x34e/0x990 kernel/mm/slub.c:5648 + kmalloc_node_noprof kernel/./include/linux/slab.h:987 + qdisc_alloc+0xb8/0xc30 kernel/net/sched/sch_generic.c:950 + qdisc_create_dflt+0x93/0x490 kernel/net/sched/sch_generic.c:1012 + ets_class_graft+0x4fd/0x800 kernel/net/sched/sch_ets.c:261 + qdisc_graft+0x3e4/0x1780 kernel/net/sched/sch_api.c:1196 +[...] + +Freed by task 9905: + kasan_save_stack+0x30/0x50 kernel/mm/kasan/common.c:56 + kasan_save_track+0x14/0x30 kernel/mm/kasan/common.c:77 + __kasan_save_free_info+0x3b/0x70 kernel/mm/kasan/generic.c:587 + kasan_save_free_info kernel/mm/kasan/kasan.h:406 + poison_slab_object kernel/mm/kasan/common.c:252 + __kasan_slab_free+0x5f/0x80 kernel/mm/kasan/common.c:284 + kasan_slab_free kernel/./include/linux/kasan.h:234 + slab_free_hook kernel/mm/slub.c:2539 + slab_free kernel/mm/slub.c:6630 + kfree+0x144/0x700 kernel/mm/slub.c:6837 + rcu_do_batch kernel/kernel/rcu/tree.c:2605 + rcu_core+0x7c0/0x1500 kernel/kernel/rcu/tree.c:2861 + handle_softirqs+0x1ea/0x8a0 kernel/kernel/softirq.c:622 + __do_softirq kernel/kernel/softirq.c:656 +[...] + +Commentary: + +1. Maher Azzouzi working with Trend Micro Zero Day Initiative was reported as +the person who found the issue. I requested to get a proper email to add to the +reported-by tag but got no response. For this reason i will credit the person +i exchanged emails with i.e zdi-disclosures@trendmicro.com + +2. Neither i nor Victor who did a much more thorough testing was able to +reproduce a UAF with the PoC or other approaches we tried. We were both able to +reproduce a null ptr deref. After exchange with zdi-disclosures@trendmicro.com +they sent a small change to be made to the code to add an extra delay which +was able to simulate the UAF. i.e, this: + qdisc_put(q->classes[i].qdisc); + mdelay(90); + q->classes[i].qdisc = NULL; + +I was informed by Thomas Gleixner(tglx@linutronix.de) that adding delays was +acceptable approach for demonstrating the bug, quote: +"Adding such delays is common exploit validation practice" +The equivalent delay could happen "by virt scheduling the vCPU out, SMIs, +NMIs, PREEMPT_RT enabled kernel" + +3. I asked the OP to test and report back but got no response and after a +few days gave up and proceeded to submit this fix. + +Fixes: de6d25924c2a ("net/sched: sch_ets: don't peek at classes beyond 'nbands'") +Reported-by: zdi-disclosures@trendmicro.com +Tested-by: Victor Nogueira +Signed-off-by: Jamal Hadi Salim +Reviewed-by: Davide Caratti +Link: https://patch.msgid.link/20251128151919.576920-1-jhs@mojatatu.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin + +diff --git a/net/sched/sch_ets.c b/net/sched/sch_ets.c +index 82635dd2cfa5..ae46643e596d 100644 +--- a/net/sched/sch_ets.c ++++ b/net/sched/sch_ets.c +@@ -652,7 +652,7 @@ static int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt, + sch_tree_lock(sch); + + for (i = nbands; i < oldbands; i++) { +- if (i >= q->nstrict && q->classes[i].qdisc->q.qlen) ++ if (cl_is_active(&q->classes[i])) + list_del_init(&q->classes[i].alist); + qdisc_purge_queue(q->classes[i].qdisc); + } +-- +2.50.1 (Apple Git-155) + diff --git a/1415-kvm-x86-fix-shadow-paging-use-after-free-due-to-unexpected-gfn.patch b/1449-kvm-x86-fix-shadow-paging-use-after-free-due-to-unexpected-gfn.patch similarity index 91% rename from 1415-kvm-x86-fix-shadow-paging-use-after-free-due-to-unexpected-gfn.patch rename to 1449-kvm-x86-fix-shadow-paging-use-after-free-due-to-unexpected-gfn.patch index 2e9f22033..df33630b1 100644 --- a/1415-kvm-x86-fix-shadow-paging-use-after-free-due-to-unexpected-gfn.patch +++ b/1449-kvm-x86-fix-shadow-paging-use-after-free-due-to-unexpected-gfn.patch @@ -1,9 +1,11 @@ -From 0cb2af2ea66ad8ff195c156ea690f11216285bdf Mon Sep 17 00:00:00 2001 +From 06c19c967b845b63172601fe459667d973b7e6b7 Mon Sep 17 00:00:00 2001 From: Sean Christopherson -Date: Wed, 15 Apr 2026 00:52:34 +0000 +Date: Tue, 5 May 2026 08:59:56 +0200 Subject: [PATCH] KVM: x86: Fix shadow paging use-after-free due to unexpected GFN +commit 0cb2af2ea66ad8ff195c156ea690f11216285bdf upstream. + The shadow MMU computes GFNs for direct shadow pages using sp->gfn plus the SPTE index. This assumption breaks for shadow paging if the guest page tables are modified between VM entries (similar to commit @@ -58,9 +60,10 @@ Cc: stable@vger.kernel.org Signed-off-by: Sean Christopherson Link: https://patch.msgid.link/20260503201029.106481-1-pbonzini@redhat.com/ Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c -index 24fbc9ea502a..892246204435 100644 +index e82da76e1..274223ef0 100644 --- a/arch/x86/kvm/mmu/mmu.c +++ b/arch/x86/kvm/mmu/mmu.c @@ -182,6 +182,8 @@ static struct kmem_cache *pte_list_desc_cache; @@ -72,7 +75,7 @@ index 24fbc9ea502a..892246204435 100644 struct kvm_mmu_role_regs { const unsigned long cr0; -@@ -1287,19 +1289,6 @@ static void drop_spte(struct kvm *kvm, u64 *sptep) +@@ -1283,19 +1285,6 @@ static void drop_spte(struct kvm *kvm, u64 *sptep) rmap_remove(kvm, sptep); } @@ -92,7 +95,7 @@ index 24fbc9ea502a..892246204435 100644 /* * Write-protect on the specified @sptep, @pt_protect indicates whether * spte write-protection is caused by protecting shadow page table. -@@ -2466,7 +2455,8 @@ static struct kvm_mmu_page *kvm_mmu_get_child_sp(struct kvm_vcpu *vcpu, +@@ -2462,7 +2451,8 @@ static struct kvm_mmu_page *kvm_mmu_get_child_sp(struct kvm_vcpu *vcpu, { union kvm_mmu_page_role role; @@ -102,7 +105,7 @@ index 24fbc9ea502a..892246204435 100644 return ERR_PTR(-EEXIST); role = kvm_mmu_child_role(sptep, direct, access); -@@ -2544,13 +2534,16 @@ static void __link_shadow_page(struct kvm *kvm, +@@ -2540,13 +2530,16 @@ static void __link_shadow_page(struct kvm *kvm, BUILD_BUG_ON(VMX_EPT_WRITABLE_MASK != PT_WRITABLE_MASK); @@ -126,6 +129,3 @@ index 24fbc9ea502a..892246204435 100644 spte = make_nonleaf_spte(sp->spt, sp_ad_disabled(sp)); --- -2.50.1 (Apple Git-155) - diff --git a/1416-kvm-x86-fix-shadow-paging-use-after-free-due-to-unexpected-role.patch b/1450-kvm-x86-fix-shadow-paging-use-after-free-due-to-unexpected-role.patch similarity index 89% rename from 1416-kvm-x86-fix-shadow-paging-use-after-free-due-to-unexpected-role.patch rename to 1450-kvm-x86-fix-shadow-paging-use-after-free-due-to-unexpected-role.patch index d4dc38b3c..52375295b 100644 --- a/1416-kvm-x86-fix-shadow-paging-use-after-free-due-to-unexpected-role.patch +++ b/1450-kvm-x86-fix-shadow-paging-use-after-free-due-to-unexpected-role.patch @@ -1,9 +1,11 @@ -From 81ccda30b4e83d8f5cc4fd50503c44e3a33abfeb Mon Sep 17 00:00:00 2001 +From 2ad3afa40ac6aa340dada122f9abfa46c0a6eb35 Mon Sep 17 00:00:00 2001 From: Paolo Bonzini -Date: Fri, 12 Jun 2026 22:18:12 +0200 +Date: Fri, 26 Jun 2026 13:24:04 +0200 Subject: [PATCH] KVM: x86: Fix shadow paging use-after-free due to unexpected role +commit 81ccda30b4e83d8f5cc4fd50503c44e3a33abfeb upstream. + Commit 0cb2af2ea66ad ("KVM: x86: Fix shadow paging use-after-free due to unexpected GFN") fixed a shadow paging mismatch between stored and computed GFNs; the bug could be triggered by changing a PDE mapping from @@ -34,12 +36,13 @@ use-after-free. Fixes: 2032a93d66fa ("KVM: MMU: Don't allocate gfns page for direct mmu pages") Reported-by: Hyunwoo Kim Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c -index 9368a71336fe..c13b80fe3125 100644 +index 274223ef0..641589165 100644 --- a/arch/x86/kvm/mmu/mmu.c +++ b/arch/x86/kvm/mmu/mmu.c -@@ -2459,13 +2459,15 @@ static struct kvm_mmu_page *kvm_mmu_get_child_sp(struct kvm_vcpu *vcpu, +@@ -2449,13 +2449,15 @@ static struct kvm_mmu_page *kvm_mmu_get_child_sp(struct kvm_vcpu *vcpu, u64 *sptep, gfn_t gfn, bool direct, unsigned int access) { @@ -59,6 +62,3 @@ index 9368a71336fe..c13b80fe3125 100644 return kvm_mmu_get_shadow_page(vcpu, gfn, role); } --- -2.50.1 (Apple Git-155) - diff --git a/kernel.spec b/kernel.spec index bbce7a759..ec2204744 100644 --- a/kernel.spec +++ b/kernel.spec @@ -176,13 +176,13 @@ Summary: The Linux kernel %define specrpmversion 6.12.0 %define specversion 6.12.0 %define patchversion 6.12 -%define pkgrelease 211.31.2 +%define pkgrelease 211.32.1 %define kversion 6 %define tarfile_release 6.12.0-211.7.1.el10_2 # This is needed to do merge window version magic %define patchlevel 12 # This allows pkg_release to have configurable %%{?dist} tag -%define specrelease 211.31.2%{?buildid}%{?dist} +%define specrelease 211.32.1%{?buildid}%{?dist} # This defines the kabi tarball version %define kabiversion 6.12.0-211.7.1.el10_2 @@ -1449,8 +1449,6 @@ Patch1411: 1411-arm64-errata-mitigate-tlbi-errata-on-various-arm-cpus.patch Patch1412: 1412-arm64-errata-mitigate-tlbi-errata-on-nvidia-olympus-cpu.patch Patch1413: 1413-arm64-errata-mitigate-tlbi-errata-on-microsoft-azure-cobalt.patch Patch1414: 1414-fs-smb-client-fix-out-of-bounds-read-in-cifs-sanitize-prepa.patch -Patch1415: 1415-kvm-x86-fix-shadow-paging-use-after-free-due-to-unexpected-gfn.patch -Patch1416: 1416-kvm-x86-fix-shadow-paging-use-after-free-due-to-unexpected-role.patch Patch1421: 1421-net-page-pool-avoid-false-positive-warning-if-napi-was-never.patch Patch1422: 1422-net-mana-fix-double-destroy-workqueue-on-service-rescan-pci.patch Patch1423: 1423-net-mana-null-service-wq-on-setup-error-to-prevent-double-de.patch @@ -1477,6 +1475,10 @@ Patch1443: 1443-eventpoll-fix-integer-overflow-in-ep-loop-check-proc.patch Patch1444: 1444-eventpoll-refresh-epi-fget-ep-remove-file-comments.patch Patch1445: 1445-rtmutex-use-waiter-task-in-remove-waiter.patch Patch1446: 1446-rtmutex-skip-remove-waiter-when-not-enqueued.patch +Patch1447: 1447-sctp-revalidate-list-cursor-after-sctp-sendmsg-to-asoc-in-sctp-sendall.patch +Patch1448: 1448-net-sched-ets-always-remove-class-from-active-list-before-deleting.patch +Patch1449: 1449-kvm-x86-fix-shadow-paging-use-after-free-due-to-unexpected-gfn.patch +Patch1450: 1450-kvm-x86-fix-shadow-paging-use-after-free-due-to-unexpected-role.patch # END OF PATCH DEFINITIONS %description @@ -2648,8 +2650,6 @@ ApplyPatch 1411-arm64-errata-mitigate-tlbi-errata-on-various-arm-cpus.patch ApplyPatch 1412-arm64-errata-mitigate-tlbi-errata-on-nvidia-olympus-cpu.patch ApplyPatch 1413-arm64-errata-mitigate-tlbi-errata-on-microsoft-azure-cobalt.patch ApplyPatch 1414-fs-smb-client-fix-out-of-bounds-read-in-cifs-sanitize-prepa.patch -ApplyPatch 1415-kvm-x86-fix-shadow-paging-use-after-free-due-to-unexpected-gfn.patch -ApplyPatch 1416-kvm-x86-fix-shadow-paging-use-after-free-due-to-unexpected-role.patch ApplyPatch 1421-net-page-pool-avoid-false-positive-warning-if-napi-was-never.patch ApplyPatch 1422-net-mana-fix-double-destroy-workqueue-on-service-rescan-pci.patch ApplyPatch 1423-net-mana-null-service-wq-on-setup-error-to-prevent-double-de.patch @@ -2676,6 +2676,10 @@ ApplyPatch 1443-eventpoll-fix-integer-overflow-in-ep-loop-check-proc.patch ApplyPatch 1444-eventpoll-refresh-epi-fget-ep-remove-file-comments.patch ApplyPatch 1445-rtmutex-use-waiter-task-in-remove-waiter.patch ApplyPatch 1446-rtmutex-skip-remove-waiter-when-not-enqueued.patch +ApplyPatch 1447-sctp-revalidate-list-cursor-after-sctp-sendmsg-to-asoc-in-sctp-sendall.patch +ApplyPatch 1448-net-sched-ets-always-remove-class-from-active-list-before-deleting.patch +ApplyPatch 1449-kvm-x86-fix-shadow-paging-use-after-free-due-to-unexpected-gfn.patch +ApplyPatch 1450-kvm-x86-fix-shadow-paging-use-after-free-due-to-unexpected-role.patch # END OF PATCH APPLICATIONS # Any further pre-build tree manipulations happen here. @@ -5180,6 +5184,18 @@ fi\ # # %changelog +* Thu Jul 09 2026 Andrew Lukoshko - 6.12.0-211.32.1 +- Recreate RHEL 6.12.0-211.32.1 from upstream stable backports (1447-1450) +- The AlmaLinux ahead-of-RHEL KVM x86 shadow paging fixes (1415, 1416) are + superseded by RHEL's copies and dropped +- RHEL changelog for 211.32.1 follows: + +* Tue Jul 07 2026 CKI KWF Bot [6.12.0-211.32.1.el10_2] +- KVM: x86: Fix shadow paging use-after-free due to unexpected role (Paolo Bonzini) [RHEL-192407] {CVE-2026-53359} +- KVM: x86: Fix shadow paging use-after-free due to unexpected GFN (CKI Backport Bot) [RHEL-186698] {CVE-2026-46113} +- net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change (CKI Backport Bot) [RHEL-183007] {CVE-2025-71066} +- sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL (CKI Backport Bot) [RHEL-179854] {CVE-2026-46227} + * Wed Jul 08 2026 Andrew Lukoshko - 6.12.0-211.31.2 - Bring back the rtmutex self-deadlock NULL pointer dereference fixes in remove_waiter() ahead of RHEL, upstream 3bfdc63936dd + 40a25d59e85b (1445, 1446)