Recreate RHEL 6.12.0-211.30.1 from CS10/upstream backports
This commit is contained in:
parent
1cd3d0ece2
commit
fa067cacb0
186
1399-rxrpc-fix-potential-uaf-after-skb-unshare-failure.patch
Normal file
186
1399-rxrpc-fix-potential-uaf-after-skb-unshare-failure.patch
Normal file
@ -0,0 +1,186 @@
|
||||
From b8d88f6d6f316bb8cea7643117c5f075875b12df Mon Sep 17 00:00:00 2001
|
||||
From: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
|
||||
Date: Wed, 27 May 2026 21:45:04 +0000
|
||||
Subject: [PATCH] rxrpc: Fix potential UAF after skb_unshare() failure
|
||||
|
||||
JIRA: https://redhat.atlassian.net/browse/RHEL-179565
|
||||
CVE: CVE-2026-45998
|
||||
Backported from tree(s): linux
|
||||
|
||||
commit 1f2740150f904bfa60e4bad74d65add3ccb5e7f8
|
||||
Author: David Howells <dhowells@redhat.com>
|
||||
Date: Wed Apr 22 17:14:32 2026 +0100
|
||||
|
||||
rxrpc: Fix potential UAF after skb_unshare() failure
|
||||
|
||||
If skb_unshare() fails to unshare a packet due to allocation failure in
|
||||
rxrpc_input_packet(), the skb pointer in the parent (rxrpc_io_thread())
|
||||
will be NULL'd out. This will likely cause the call to
|
||||
trace_rxrpc_rx_done() to oops.
|
||||
|
||||
Fix this by moving the unsharing down to where rxrpc_input_call_event()
|
||||
calls rxrpc_input_call_packet(). There are a number of places prior to
|
||||
that where we ignore DATA packets for a variety of reasons (such as the
|
||||
call already being complete) for which an unshare is then avoided.
|
||||
|
||||
And with that, rxrpc_input_packet() doesn't need to take a pointer to the
|
||||
pointer to the packet, so change that to just a pointer.
|
||||
|
||||
Fixes: 2d1faf7a0ca3 ("rxrpc: Simplify skbuff accounting in receive path")
|
||||
Closes: https://sashiko.dev/#/patchset/20260408121252.2249051-1-dhowells%40redhat.com
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
cc: Marc Dionne <marc.dionne@auristor.com>
|
||||
cc: Jeffrey Altman <jaltman@auristor.com>
|
||||
cc: Simon Horman <horms@kernel.org>
|
||||
cc: linux-afs@lists.infradead.org
|
||||
cc: stable@kernel.org
|
||||
Link: https://patch.msgid.link/20260422161438.2593376-4-dhowells@redhat.com
|
||||
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
|
||||
|
||||
Signed-off-by: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
|
||||
|
||||
diff --git a/include/trace/events/rxrpc.h b/include/trace/events/rxrpc.h
|
||||
index de6f6d2..863956a 100644
|
||||
--- a/include/trace/events/rxrpc.h
|
||||
+++ b/include/trace/events/rxrpc.h
|
||||
@@ -161,8 +161,6 @@
|
||||
E_(rxrpc_call_poke_timer_now, "Timer-now")
|
||||
|
||||
#define rxrpc_skb_traces \
|
||||
- EM(rxrpc_skb_eaten_by_unshare, "ETN unshare ") \
|
||||
- EM(rxrpc_skb_eaten_by_unshare_nomem, "ETN unshar-nm") \
|
||||
EM(rxrpc_skb_get_call_rx, "GET call-rx ") \
|
||||
EM(rxrpc_skb_get_conn_secured, "GET conn-secd") \
|
||||
EM(rxrpc_skb_get_conn_work, "GET conn-work") \
|
||||
@@ -188,6 +186,7 @@
|
||||
EM(rxrpc_skb_put_purge, "PUT purge ") \
|
||||
EM(rxrpc_skb_put_purge_oob, "PUT purge-oob") \
|
||||
EM(rxrpc_skb_put_response, "PUT response ") \
|
||||
+ EM(rxrpc_skb_put_response_copy, "PUT resp-cpy ") \
|
||||
EM(rxrpc_skb_put_rotate, "PUT rotate ") \
|
||||
EM(rxrpc_skb_put_unknown, "PUT unknown ") \
|
||||
EM(rxrpc_skb_see_conn_work, "SEE conn-work") \
|
||||
@@ -196,6 +195,7 @@
|
||||
EM(rxrpc_skb_see_recvmsg_oob, "SEE recvm-oob") \
|
||||
EM(rxrpc_skb_see_reject, "SEE reject ") \
|
||||
EM(rxrpc_skb_see_rotate, "SEE rotate ") \
|
||||
+ EM(rxrpc_skb_see_unshare_nomem, "SEE unshar-nm") \
|
||||
E_(rxrpc_skb_see_version, "SEE version ")
|
||||
|
||||
#define rxrpc_local_traces \
|
||||
diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h
|
||||
index 5b7342d..2baa99b 100644
|
||||
--- a/net/rxrpc/ar-internal.h
|
||||
+++ b/net/rxrpc/ar-internal.h
|
||||
@@ -1479,7 +1479,6 @@ int rxrpc_server_keyring(struct rxrpc_sock *, sockptr_t, int);
|
||||
void rxrpc_kernel_data_consumed(struct rxrpc_call *, struct sk_buff *);
|
||||
void rxrpc_new_skb(struct sk_buff *, enum rxrpc_skb_trace);
|
||||
void rxrpc_see_skb(struct sk_buff *, enum rxrpc_skb_trace);
|
||||
-void rxrpc_eaten_skb(struct sk_buff *, enum rxrpc_skb_trace);
|
||||
void rxrpc_get_skb(struct sk_buff *, enum rxrpc_skb_trace);
|
||||
void rxrpc_free_skb(struct sk_buff *, enum rxrpc_skb_trace);
|
||||
void rxrpc_purge_queue(struct sk_buff_head *);
|
||||
diff --git a/net/rxrpc/call_event.c b/net/rxrpc/call_event.c
|
||||
index fec59d9..cc8f9df 100644
|
||||
--- a/net/rxrpc/call_event.c
|
||||
+++ b/net/rxrpc/call_event.c
|
||||
@@ -332,7 +332,24 @@ bool rxrpc_input_call_event(struct rxrpc_call *call)
|
||||
|
||||
saw_ack |= sp->hdr.type == RXRPC_PACKET_TYPE_ACK;
|
||||
|
||||
- rxrpc_input_call_packet(call, skb);
|
||||
+ if (sp->hdr.securityIndex != 0 &&
|
||||
+ skb_cloned(skb)) {
|
||||
+ /* Unshare the packet so that it can be
|
||||
+ * modified by in-place decryption.
|
||||
+ */
|
||||
+ struct sk_buff *nskb = skb_copy(skb, GFP_ATOMIC);
|
||||
+
|
||||
+ if (nskb) {
|
||||
+ rxrpc_new_skb(nskb, rxrpc_skb_new_unshared);
|
||||
+ rxrpc_input_call_packet(call, nskb);
|
||||
+ rxrpc_free_skb(nskb, rxrpc_skb_put_call_rx);
|
||||
+ } else {
|
||||
+ /* OOM - Drop the packet. */
|
||||
+ rxrpc_see_skb(skb, rxrpc_skb_see_unshare_nomem);
|
||||
+ }
|
||||
+ } else {
|
||||
+ rxrpc_input_call_packet(call, skb);
|
||||
+ }
|
||||
rxrpc_free_skb(skb, rxrpc_skb_put_call_rx);
|
||||
did_receive = true;
|
||||
}
|
||||
diff --git a/net/rxrpc/io_thread.c b/net/rxrpc/io_thread.c
|
||||
index e939ecf..6ff30af 100644
|
||||
--- a/net/rxrpc/io_thread.c
|
||||
+++ b/net/rxrpc/io_thread.c
|
||||
@@ -192,13 +192,12 @@ static bool rxrpc_extract_abort(struct sk_buff *skb)
|
||||
/*
|
||||
* Process packets received on the local endpoint
|
||||
*/
|
||||
-static bool rxrpc_input_packet(struct rxrpc_local *local, struct sk_buff **_skb)
|
||||
+static bool rxrpc_input_packet(struct rxrpc_local *local, struct sk_buff *skb)
|
||||
{
|
||||
struct rxrpc_connection *conn;
|
||||
struct sockaddr_rxrpc peer_srx;
|
||||
struct rxrpc_skb_priv *sp;
|
||||
struct rxrpc_peer *peer = NULL;
|
||||
- struct sk_buff *skb = *_skb;
|
||||
bool ret = false;
|
||||
|
||||
skb_pull(skb, sizeof(struct udphdr));
|
||||
@@ -244,25 +243,6 @@ static bool rxrpc_input_packet(struct rxrpc_local *local, struct sk_buff **_skb)
|
||||
return rxrpc_bad_message(skb, rxrpc_badmsg_zero_call);
|
||||
if (sp->hdr.seq == 0)
|
||||
return rxrpc_bad_message(skb, rxrpc_badmsg_zero_seq);
|
||||
-
|
||||
- /* Unshare the packet so that it can be modified for in-place
|
||||
- * decryption.
|
||||
- */
|
||||
- if (sp->hdr.securityIndex != 0) {
|
||||
- skb = skb_unshare(skb, GFP_ATOMIC);
|
||||
- if (!skb) {
|
||||
- rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare_nomem);
|
||||
- *_skb = NULL;
|
||||
- return just_discard;
|
||||
- }
|
||||
-
|
||||
- if (skb != *_skb) {
|
||||
- rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare);
|
||||
- *_skb = skb;
|
||||
- rxrpc_new_skb(skb, rxrpc_skb_new_unshared);
|
||||
- sp = rxrpc_skb(skb);
|
||||
- }
|
||||
- }
|
||||
break;
|
||||
|
||||
case RXRPC_PACKET_TYPE_CHALLENGE:
|
||||
@@ -493,7 +473,7 @@ int rxrpc_io_thread(void *data)
|
||||
switch (skb->mark) {
|
||||
case RXRPC_SKB_MARK_PACKET:
|
||||
skb->priority = 0;
|
||||
- if (!rxrpc_input_packet(local, &skb))
|
||||
+ if (!rxrpc_input_packet(local, skb))
|
||||
rxrpc_reject_packet(local, skb);
|
||||
trace_rxrpc_rx_done(skb->mark, skb->priority);
|
||||
rxrpc_free_skb(skb, rxrpc_skb_put_input);
|
||||
diff --git a/net/rxrpc/skbuff.c b/net/rxrpc/skbuff.c
|
||||
index 3bcd6ee..e2169d1 100644
|
||||
--- a/net/rxrpc/skbuff.c
|
||||
+++ b/net/rxrpc/skbuff.c
|
||||
@@ -46,15 +46,6 @@ void rxrpc_get_skb(struct sk_buff *skb, enum rxrpc_skb_trace why)
|
||||
skb_get(skb);
|
||||
}
|
||||
|
||||
-/*
|
||||
- * Note the dropping of a ref on a socket buffer by the core.
|
||||
- */
|
||||
-void rxrpc_eaten_skb(struct sk_buff *skb, enum rxrpc_skb_trace why)
|
||||
-{
|
||||
- int n = atomic_inc_return(&rxrpc_n_rx_skbs);
|
||||
- trace_rxrpc_skb(skb, 0, n, why);
|
||||
-}
|
||||
-
|
||||
/*
|
||||
* Note the destruction of a socket buffer.
|
||||
*/
|
||||
@ -0,0 +1,49 @@
|
||||
From 3598448f9c9742ef3e28f20e8050dacc046c9941 Mon Sep 17 00:00:00 2001
|
||||
From: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
|
||||
Date: Wed, 27 May 2026 21:45:06 +0000
|
||||
Subject: [PATCH] rxrpc: Fix rxrpc_input_call_event() to only unshare DATA
|
||||
packets
|
||||
|
||||
JIRA: https://redhat.atlassian.net/browse/RHEL-179565
|
||||
CVE: CVE-2026-45998
|
||||
Backported from tree(s): linux
|
||||
|
||||
commit 55b2984c96c37f909bbfe8851f13152693951382
|
||||
Author: David Howells <dhowells@redhat.com>
|
||||
Date: Thu Apr 23 21:09:06 2026 +0100
|
||||
|
||||
rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets
|
||||
|
||||
Fix rxrpc_input_call_event() to only unshare DATA packets and not ACK,
|
||||
ABORT, etc..
|
||||
|
||||
And with that, rxrpc_input_packet() doesn't need to take a pointer to the
|
||||
pointer to the packet, so change that to just a pointer.
|
||||
|
||||
Fixes: 1f2740150f90 ("rxrpc: Fix potential UAF after skb_unshare() failure")
|
||||
Closes: https://sashiko.dev/#/patchset/20260422161438.2593376-4-dhowells@redhat.com
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
cc: Marc Dionne <marc.dionne@auristor.com>
|
||||
cc: Jeffrey Altman <jaltman@auristor.com>
|
||||
cc: Simon Horman <horms@kernel.org>
|
||||
cc: linux-afs@lists.infradead.org
|
||||
cc: stable@kernel.org
|
||||
Link: https://patch.msgid.link/20260423200909.3049438-2-dhowells@redhat.com
|
||||
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
|
||||
|
||||
Signed-off-by: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
|
||||
|
||||
diff --git a/net/rxrpc/call_event.c b/net/rxrpc/call_event.c
|
||||
index cc8f9df..fdd6832 100644
|
||||
--- a/net/rxrpc/call_event.c
|
||||
+++ b/net/rxrpc/call_event.c
|
||||
@@ -332,7 +332,8 @@ bool rxrpc_input_call_event(struct rxrpc_call *call)
|
||||
|
||||
saw_ack |= sp->hdr.type == RXRPC_PACKET_TYPE_ACK;
|
||||
|
||||
- if (sp->hdr.securityIndex != 0 &&
|
||||
+ if (sp->hdr.type == RXRPC_PACKET_TYPE_DATA &&
|
||||
+ sp->hdr.securityIndex != 0 &&
|
||||
skb_cloned(skb)) {
|
||||
/* Unshare the packet so that it can be
|
||||
* modified by in-place decryption.
|
||||
@ -0,0 +1,63 @@
|
||||
From 97b8798760568e666030571c7fff4b2d93ce1f7b Mon Sep 17 00:00:00 2001
|
||||
From: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
|
||||
Date: Thu, 28 May 2026 13:34:21 +0000
|
||||
Subject: [PATCH] drm/gem: Fix inconsistent plane dimension calculation in
|
||||
drm_gem_fb_init_with_funcs()
|
||||
|
||||
JIRA: https://redhat.atlassian.net/browse/RHEL-179911
|
||||
CVE: CVE-2026-46209
|
||||
Backported from tree(s): linux
|
||||
|
||||
commit 3d4c2268bd7243c3780fe32bf24ff876da272acf
|
||||
Author: Ashutosh Desai <ashutoshdesai993@gmail.com>
|
||||
Date: Mon Apr 20 01:36:37 2026 +0000
|
||||
|
||||
drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()
|
||||
|
||||
drm_gem_fb_init_with_funcs() computes sub-sampled plane dimensions
|
||||
using plain integer division:
|
||||
|
||||
unsigned int width = mode_cmd->width / (i ? info->hsub : 1);
|
||||
unsigned int height = mode_cmd->height / (i ? info->vsub : 1);
|
||||
|
||||
However, the ioctl-level framebuffer_check() in drm_framebuffer.c uses
|
||||
drm_format_info_plane_width/height() which round up dimensions via
|
||||
DIV_ROUND_UP(). This inconsistency corrupts the subsequent GEM object
|
||||
size check for certain pixel format and dimension combinations.
|
||||
|
||||
For example, with NV12 (vsub=2) and a 1-pixel-tall framebuffer the
|
||||
GEM size validation path sees height=0 instead of height=1. The
|
||||
expression (height - 1) then wraps to UINT_MAX as an unsigned int,
|
||||
causing min_size to overflow and wrap back to a small value. A tiny
|
||||
GEM object therefore passes the size guard, yet when the GPU accesses
|
||||
the chroma plane it will read or write memory beyond the object's
|
||||
bounds.
|
||||
|
||||
Fix by replacing the open-coded divisions with drm_format_info_plane_width()
|
||||
and drm_format_info_plane_height(), which use DIV_ROUND_UP() and match
|
||||
the calculation already used in framebuffer_check().
|
||||
|
||||
Fixes: 4c3dbb2c312c ("drm: Add GEM backed framebuffer library")
|
||||
Cc: stable@vger.kernel.org # v4.14+
|
||||
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
|
||||
Signed-off-by: Ashutosh Desai <ashutoshdesai993@gmail.com>
|
||||
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
|
||||
Link: https://patch.msgid.link/20260420013637.457751-1-ashutoshdesai993@gmail.com
|
||||
|
||||
Signed-off-by: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
|
||||
|
||||
diff --git a/drivers/gpu/drm/drm_gem_framebuffer_helper.c b/drivers/gpu/drm/drm_gem_framebuffer_helper.c
|
||||
index 4bc89d3..daa5471 100644
|
||||
--- a/drivers/gpu/drm/drm_gem_framebuffer_helper.c
|
||||
+++ b/drivers/gpu/drm/drm_gem_framebuffer_helper.c
|
||||
@@ -171,8 +171,8 @@ int drm_gem_fb_init_with_funcs(struct drm_device *dev,
|
||||
}
|
||||
|
||||
for (i = 0; i < info->num_planes; i++) {
|
||||
- unsigned int width = mode_cmd->width / (i ? info->hsub : 1);
|
||||
- unsigned int height = mode_cmd->height / (i ? info->vsub : 1);
|
||||
+ unsigned int width = drm_format_info_plane_width(info, mode_cmd->width, i);
|
||||
+ unsigned int height = drm_format_info_plane_height(info, mode_cmd->height, i);
|
||||
unsigned int min_size;
|
||||
|
||||
objs[i] = drm_gem_object_lookup(file, mode_cmd->handles[i]);
|
||||
58
1402-netfilter-nft-inner-fix-ipv6-inner-thoff-desync.patch
Normal file
58
1402-netfilter-nft-inner-fix-ipv6-inner-thoff-desync.patch
Normal file
@ -0,0 +1,58 @@
|
||||
From f13fa4268ca4f296019b22954e6153e50f87350f Mon Sep 17 00:00:00 2001
|
||||
From: Florian Westphal <fwestpha@redhat.com>
|
||||
Date: Wed, 20 May 2026 11:48:57 +0200
|
||||
Subject: [PATCH] netfilter: nft_inner: Fix IPv6 inner_thoff desync
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
JIRA: https://redhat.atlassian.net/browse/RHEL-168848
|
||||
Upstream Status: commit b6a91f68ebfe
|
||||
|
||||
commit b6a91f68ebfed9c38e0e9150f58a9b85da07181c
|
||||
Author: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
|
||||
Date: Tue May 12 01:30:41 2026 +0800
|
||||
|
||||
netfilter: nft_inner: Fix IPv6 inner_thoff desync
|
||||
|
||||
In nft_inner_parse_l2l3(), when processing inner IPv6 packets,
|
||||
ipv6_find_hdr() correctly computes the transport header offset
|
||||
traversing all extension headers, but the result is immediately
|
||||
overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only
|
||||
accounts for the IPv6 base header. This creates a desync between
|
||||
inner_thoff (wrong — points to extension header start) and l4proto
|
||||
(correct — e.g., IPPROTO_TCP), enabling transport header forgery
|
||||
and potential firewall bypass. This issue affects stable versions
|
||||
from Linux 6.2.
|
||||
|
||||
For comparison, the normal (non-inner) IPv6 path correctly
|
||||
preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite
|
||||
ensures that ipv6_find_hdr()'s calculated transport header offset is
|
||||
preserved, thereby fixing the desynchronization.
|
||||
|
||||
Fixes: 3a07327d10a0 ("netfilter: nft_inner: support for inner tunnel header matching")
|
||||
Cc: stable@vger.kernel.org
|
||||
Reported-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
|
||||
Reported-by: Yuxiang Yang <yangyx22@mails.tsinghua.edu.cn>
|
||||
Reported-by: Xuewei Feng <fengxw06@126.com>
|
||||
Reported-by: Qi Li <qli01@tsinghua.edu.cn>
|
||||
Reported-by: Ke Xu <xuke@tsinghua.edu.cn>
|
||||
Assisted-by: GLM:5.1 Z.ai
|
||||
Signed-off-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
|
||||
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
|
||||
Signed-off-by: Florian Westphal <fwestpha@redhat.com>
|
||||
|
||||
diff --git a/net/netfilter/nft_inner.c b/net/netfilter/nft_inner.c
|
||||
index c4569d4..1b3e7a9 100644
|
||||
--- a/net/netfilter/nft_inner.c
|
||||
+++ b/net/netfilter/nft_inner.c
|
||||
@@ -163,7 +163,6 @@ static int nft_inner_parse_l2l3(const struct nft_inner *priv,
|
||||
return -1;
|
||||
|
||||
if (fragoff == 0) {
|
||||
- thoff = nhoff + sizeof(_ip6h);
|
||||
ctx->flags |= NFT_PAYLOAD_CTX_INNER_TH;
|
||||
ctx->inner_thoff = thoff;
|
||||
ctx->l4proto = l4proto;
|
||||
@ -0,0 +1,110 @@
|
||||
From 9a4895059bb6a8505098a9f75de187fd15631fc8 Mon Sep 17 00:00:00 2001
|
||||
From: Kean Ren <rh_king@163.com>
|
||||
Date: Thu, 11 Jun 2026 10:37:57 +0800
|
||||
Subject: [PATCH] ASoC: SDCA: fix NULL pointer dereference in
|
||||
sdca_dev_unregister_functions
|
||||
|
||||
[ Upstream commit e4c60a1d4b6ccc66aefb3789cd908d4f9482eefd ]
|
||||
|
||||
sdca_dev_unregister_functions() iterates over all SDCA function
|
||||
descriptors and calls sdca_dev_unregister() on each func_dev without
|
||||
checking for NULL. When a function registration has failed partway
|
||||
through, or the device cleanup races with probe deferral, func_dev
|
||||
entries may be NULL, leading to a kernel oops:
|
||||
|
||||
BUG: kernel NULL pointer dereference, address: 0000000000000040
|
||||
RIP: 0010:device_del+0x1e/0x3e0
|
||||
Call Trace:
|
||||
sdca_dev_unregister_functions+0x37/0x60 [snd_soc_sdca]
|
||||
release_nodes+0x35/0xb0
|
||||
devres_release_all+0x90/0x100
|
||||
device_unbind_cleanup+0xe/0x80
|
||||
device_release_driver_internal+0x1c1/0x200
|
||||
bus_remove_device+0xc6/0x130
|
||||
device_del+0x161/0x3e0
|
||||
device_unregister+0x17/0x60
|
||||
sdw_delete_slave+0xb6/0xd0 [soundwire_bus]
|
||||
sdw_bus_master_delete+0x1e/0x50 [soundwire_bus]
|
||||
...
|
||||
sof_probe_work+0x19/0x30 [snd_sof]
|
||||
|
||||
This was observed on a Lenovo ThinkPad X1 Carbon G14 (Panther Lake)
|
||||
with the SOF audio driver probe failing due to missing Panther Lake
|
||||
firmware, causing the subsequent cleanup of SoundWire devices to
|
||||
trigger the crash.
|
||||
|
||||
Fix this with three changes:
|
||||
|
||||
1) Add a NULL guard in sdca_dev_unregister() so that callers do not
|
||||
need to pre-validate the pointer (defense in depth).
|
||||
|
||||
2) In sdca_dev_unregister_functions(), skip NULL func_dev entries
|
||||
and clear func_dev to NULL after unregistration, making the
|
||||
function idempotent and safe against double-invocation.
|
||||
|
||||
3) In sdca_dev_register_functions(), roll back all previously
|
||||
registered functions when a later one fails, so the function
|
||||
array is never left in a partially-populated state.
|
||||
|
||||
Fixes: 4496d1c65bad ("ASoC: SDCA: add function devices")
|
||||
Signed-off-by: Kean Ren <rh_king@163.com>
|
||||
Reviewed-by: Charles Keepax <ckeepax@opensource.cirrus.com>
|
||||
Link: https://patch.msgid.link/20260611023757.1553960-1-rh_king@163.com
|
||||
Signed-off-by: Mark Brown <broonie@kernel.org>
|
||||
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||||
|
||||
diff --git a/sound/soc/sdca/sdca_function_device.c b/sound/soc/sdca/sdca_function_device.c
|
||||
index c6cc880..b206158 100644
|
||||
--- a/sound/soc/sdca/sdca_function_device.c
|
||||
+++ b/sound/soc/sdca/sdca_function_device.c
|
||||
@@ -82,6 +82,9 @@ static struct sdca_dev *sdca_dev_register(struct device *parent,
|
||||
|
||||
static void sdca_dev_unregister(struct sdca_dev *sdev)
|
||||
{
|
||||
+ if (!sdev)
|
||||
+ return;
|
||||
+
|
||||
auxiliary_device_delete(&sdev->auxdev);
|
||||
auxiliary_device_uninit(&sdev->auxdev);
|
||||
}
|
||||
@@ -90,14 +93,24 @@ int sdca_dev_register_functions(struct sdw_slave *slave)
|
||||
{
|
||||
struct sdca_device_data *sdca_data = &slave->sdca_data;
|
||||
int i;
|
||||
+ int ret;
|
||||
|
||||
for (i = 0; i < sdca_data->num_functions; i++) {
|
||||
struct sdca_dev *func_dev;
|
||||
|
||||
func_dev = sdca_dev_register(&slave->dev,
|
||||
&sdca_data->function[i]);
|
||||
- if (IS_ERR(func_dev))
|
||||
- return PTR_ERR(func_dev);
|
||||
+ if (IS_ERR(func_dev)) {
|
||||
+ ret = PTR_ERR(func_dev);
|
||||
+ /*
|
||||
+ * Unregister functions that were successfully
|
||||
+ * registered before this failure. This also
|
||||
+ * sets func_dev to NULL so the caller will not
|
||||
+ * try to unregister them again.
|
||||
+ */
|
||||
+ sdca_dev_unregister_functions(slave);
|
||||
+ return ret;
|
||||
+ }
|
||||
|
||||
sdca_data->function[i].func_dev = func_dev;
|
||||
}
|
||||
@@ -111,7 +124,12 @@ void sdca_dev_unregister_functions(struct sdw_slave *slave)
|
||||
struct sdca_device_data *sdca_data = &slave->sdca_data;
|
||||
int i;
|
||||
|
||||
- for (i = 0; i < sdca_data->num_functions; i++)
|
||||
+ for (i = 0; i < sdca_data->num_functions; i++) {
|
||||
+ if (!sdca_data->function[i].func_dev)
|
||||
+ continue;
|
||||
+
|
||||
sdca_dev_unregister(sdca_data->function[i].func_dev);
|
||||
+ sdca_data->function[i].func_dev = NULL;
|
||||
+ }
|
||||
}
|
||||
EXPORT_SYMBOL_NS(sdca_dev_unregister_functions, "SND_SOC_SDCA");
|
||||
@ -0,0 +1,42 @@
|
||||
From 48c0f60921a07b8020b0c90fc8082673e0e9cb59 Mon Sep 17 00:00:00 2001
|
||||
From: Ilya Dryomov <idryomov@redhat.com>
|
||||
Date: Thu, 4 Jun 2026 13:06:53 +0200
|
||||
Subject: [PATCH] crypto: testmgr - allow
|
||||
authenc(hmac(sha{256,384}),cts(cbc(aes))) in FIPS mode
|
||||
|
||||
JIRA: https://redhat.atlassian.net/browse/RHEL-182119
|
||||
Upstream Status: Posted https://lore.kernel.org/linux-crypto/20260603155008.736872-1-idryomov@gmail.com/
|
||||
|
||||
hmac(sha256), hmac(sha384) and cts(cbc(aes)) algorithms have been
|
||||
marked as FIPS allowed for years. Mark the respective authenc()
|
||||
constructions per RFC 8009 ("AES Encryption with HMAC-SHA2 for
|
||||
Kerberos 5") as such as well.
|
||||
|
||||
SP 800-57 Part 3 Rev. 1 from Jan 2015 [1] links the draft of what
|
||||
became RFC 8009 in Oct 2016 as approved in section 6.3 Procurement
|
||||
Guidance (item/recommendation 3).
|
||||
|
||||
[1] https://csrc.nist.gov/pubs/sp/800/57/pt3/r1/final
|
||||
|
||||
Signed-off-by: Ilya Dryomov <idryomov@redhat.com>
|
||||
|
||||
diff --git a/crypto/testmgr.c b/crypto/testmgr.c
|
||||
index 8330187..de1c9bc 100644
|
||||
--- a/crypto/testmgr.c
|
||||
+++ b/crypto/testmgr.c
|
||||
@@ -4451,6 +4451,7 @@ static const struct alg_test_desc alg_test_descs[] = {
|
||||
}, {
|
||||
.alg = "authenc(hmac(sha256),cts(cbc(aes)))",
|
||||
.test = alg_test_aead,
|
||||
+ .fips_allowed = 1,
|
||||
.suite = {
|
||||
.aead = __VECS(krb5_test_aes128_cts_hmac_sha256_128)
|
||||
}
|
||||
@@ -4477,6 +4478,7 @@ static const struct alg_test_desc alg_test_descs[] = {
|
||||
}, {
|
||||
.alg = "authenc(hmac(sha384),cts(cbc(aes)))",
|
||||
.test = alg_test_aead,
|
||||
+ .fips_allowed = 1,
|
||||
.suite = {
|
||||
.aead = __VECS(krb5_test_aes256_cts_hmac_sha384_192)
|
||||
}
|
||||
@ -0,0 +1,57 @@
|
||||
From d681e9e0ec7d613a8af38985083b59595930c5fb Mon Sep 17 00:00:00 2001
|
||||
From: Ilya Dryomov <idryomov@redhat.com>
|
||||
Date: Thu, 4 Jun 2026 13:24:21 +0200
|
||||
Subject: [PATCH] crypto: krb5enc - fix sleepable flag handling in encrypt
|
||||
dispatch
|
||||
|
||||
JIRA: https://redhat.atlassian.net/browse/RHEL-182119
|
||||
|
||||
commit 2ef3bac16fb5e9eee4fb1d722578a79b751ea58a
|
||||
Author: Wesley Atwell <atwellwea@gmail.com>
|
||||
Date: Mon Mar 9 00:26:24 2026 -0600
|
||||
|
||||
crypto: krb5enc - fix sleepable flag handling in encrypt dispatch
|
||||
|
||||
krb5enc_encrypt_ahash_done() continues encryption from an ahash
|
||||
completion callback by calling krb5enc_dispatch_encrypt().
|
||||
|
||||
That helper takes a flags argument for this continuation path, but it
|
||||
ignored that argument and reused aead_request_flags(req) when setting
|
||||
up the skcipher subrequest callback. This can incorrectly preserve
|
||||
CRYPTO_TFM_REQ_MAY_SLEEP when the encrypt step is started from callback
|
||||
context.
|
||||
|
||||
Preserve the original request flags but clear
|
||||
CRYPTO_TFM_REQ_MAY_SLEEP for the callback continuation path, and use
|
||||
the caller-supplied flags when setting up the skcipher subrequest.
|
||||
|
||||
Fixes: d1775a177f7f ("crypto: Add 'krb5enc' hash and cipher AEAD algorithm")
|
||||
Assisted-by: Codex:GPT-5
|
||||
Signed-off-by: Wesley Atwell <atwellwea@gmail.com>
|
||||
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
||||
|
||||
Signed-off-by: Ilya Dryomov <idryomov@redhat.com>
|
||||
|
||||
diff --git a/crypto/krb5enc.c b/crypto/krb5enc.c
|
||||
index d07769b..5bd5f42 100644
|
||||
--- a/crypto/krb5enc.c
|
||||
+++ b/crypto/krb5enc.c
|
||||
@@ -154,7 +154,7 @@ static int krb5enc_dispatch_encrypt(struct aead_request *req,
|
||||
dst = scatterwalk_ffwd(areq_ctx->dst, req->dst, req->assoclen);
|
||||
|
||||
skcipher_request_set_tfm(skreq, enc);
|
||||
- skcipher_request_set_callback(skreq, aead_request_flags(req),
|
||||
+ skcipher_request_set_callback(skreq, flags,
|
||||
krb5enc_encrypt_done, req);
|
||||
skcipher_request_set_crypt(skreq, src, dst, req->cryptlen, req->iv);
|
||||
|
||||
@@ -192,7 +192,8 @@ static void krb5enc_encrypt_ahash_done(void *data, int err)
|
||||
|
||||
krb5enc_insert_checksum(req, ahreq->result);
|
||||
|
||||
- err = krb5enc_dispatch_encrypt(req, 0);
|
||||
+ err = krb5enc_dispatch_encrypt(req,
|
||||
+ aead_request_flags(req) & ~CRYPTO_TFM_REQ_MAY_SLEEP);
|
||||
if (err != -EINPROGRESS)
|
||||
aead_request_complete(req, err);
|
||||
}
|
||||
@ -0,0 +1,164 @@
|
||||
From 55ecb8636f05d99e611b025ec58ad54350df0640 Mon Sep 17 00:00:00 2001
|
||||
From: Ilya Dryomov <idryomov@redhat.com>
|
||||
Date: Thu, 4 Jun 2026 13:24:35 +0200
|
||||
Subject: [PATCH] crypto: krb5enc - fix async decrypt skipping hash
|
||||
verification
|
||||
|
||||
JIRA: https://redhat.atlassian.net/browse/RHEL-182119
|
||||
|
||||
commit 3bfbf5f0a99c991769ec562721285df7ab69240b
|
||||
Author: Dudu Lu <phx0fer@gmail.com>
|
||||
Date: Mon Apr 20 12:40:27 2026 +0800
|
||||
|
||||
crypto: krb5enc - fix async decrypt skipping hash verification
|
||||
|
||||
krb5enc_dispatch_decrypt() sets req->base.complete as the skcipher
|
||||
callback, which is the caller's own completion handler. When the
|
||||
skcipher completes asynchronously, this signals "done" to the caller
|
||||
without executing krb5enc_dispatch_decrypt_hash(), completely bypassing
|
||||
the integrity verification (hash check).
|
||||
|
||||
Compare with the encrypt path which correctly uses
|
||||
krb5enc_encrypt_done as an intermediate callback to chain into the
|
||||
hash computation on async completion.
|
||||
|
||||
Fix by adding krb5enc_decrypt_done as an intermediate callback that
|
||||
chains into krb5enc_dispatch_decrypt_hash() upon async skcipher
|
||||
completion, matching the encrypt path's callback pattern.
|
||||
|
||||
Also fix EBUSY/EINPROGRESS handling throughout: remove
|
||||
krb5enc_request_complete() which incorrectly swallowed EINPROGRESS
|
||||
notifications that must be passed up to callers waiting on backlogged
|
||||
requests, and add missing EBUSY checks in krb5enc_encrypt_ahash_done
|
||||
for the dispatch_encrypt return value.
|
||||
|
||||
Fixes: d1775a177f7f ("crypto: Add 'krb5enc' hash and cipher AEAD algorithm")
|
||||
Signed-off-by: Dudu Lu <phx0fer@gmail.com>
|
||||
|
||||
Unset MAY_BACKLOG on the async completion path so the user won't
|
||||
see back-to-back EINPROGRESS notifications.
|
||||
|
||||
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
||||
|
||||
Signed-off-by: Ilya Dryomov <idryomov@redhat.com>
|
||||
|
||||
diff --git a/crypto/krb5enc.c b/crypto/krb5enc.c
|
||||
index 5bd5f42..3fecc14 100644
|
||||
--- a/crypto/krb5enc.c
|
||||
+++ b/crypto/krb5enc.c
|
||||
@@ -39,12 +39,6 @@ struct krb5enc_request_ctx {
|
||||
char tail[];
|
||||
};
|
||||
|
||||
-static void krb5enc_request_complete(struct aead_request *req, int err)
|
||||
-{
|
||||
- if (err != -EINPROGRESS)
|
||||
- aead_request_complete(req, err);
|
||||
-}
|
||||
-
|
||||
/**
|
||||
* crypto_krb5enc_extractkeys - Extract Ke and Ki keys from the key blob.
|
||||
* @keys: Where to put the key sizes and pointers
|
||||
@@ -127,7 +121,7 @@ static void krb5enc_encrypt_done(void *data, int err)
|
||||
{
|
||||
struct aead_request *req = data;
|
||||
|
||||
- krb5enc_request_complete(req, err);
|
||||
+ aead_request_complete(req, err);
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -188,14 +182,16 @@ static void krb5enc_encrypt_ahash_done(void *data, int err)
|
||||
struct ahash_request *ahreq = (void *)(areq_ctx->tail + ictx->reqoff);
|
||||
|
||||
if (err)
|
||||
- return krb5enc_request_complete(req, err);
|
||||
+ goto out;
|
||||
|
||||
krb5enc_insert_checksum(req, ahreq->result);
|
||||
|
||||
- err = krb5enc_dispatch_encrypt(req,
|
||||
- aead_request_flags(req) & ~CRYPTO_TFM_REQ_MAY_SLEEP);
|
||||
- if (err != -EINPROGRESS)
|
||||
- aead_request_complete(req, err);
|
||||
+ err = krb5enc_dispatch_encrypt(req, 0);
|
||||
+ if (err == -EINPROGRESS)
|
||||
+ return;
|
||||
+
|
||||
+out:
|
||||
+ aead_request_complete(req, err);
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -265,17 +261,16 @@ static void krb5enc_decrypt_hash_done(void *data, int err)
|
||||
{
|
||||
struct aead_request *req = data;
|
||||
|
||||
- if (err)
|
||||
- return krb5enc_request_complete(req, err);
|
||||
-
|
||||
- err = krb5enc_verify_hash(req);
|
||||
- krb5enc_request_complete(req, err);
|
||||
+ if (!err)
|
||||
+ err = krb5enc_verify_hash(req);
|
||||
+ aead_request_complete(req, err);
|
||||
}
|
||||
|
||||
/*
|
||||
* Dispatch the hashing of the plaintext after we've done the decryption.
|
||||
*/
|
||||
-static int krb5enc_dispatch_decrypt_hash(struct aead_request *req)
|
||||
+static int krb5enc_dispatch_decrypt_hash(struct aead_request *req,
|
||||
+ unsigned int flags)
|
||||
{
|
||||
struct crypto_aead *krb5enc = crypto_aead_reqtfm(req);
|
||||
struct aead_instance *inst = aead_alg_instance(krb5enc);
|
||||
@@ -291,7 +286,7 @@ static int krb5enc_dispatch_decrypt_hash(struct aead_request *req)
|
||||
ahash_request_set_tfm(ahreq, auth);
|
||||
ahash_request_set_crypt(ahreq, req->dst, hash,
|
||||
req->assoclen + req->cryptlen - authsize);
|
||||
- ahash_request_set_callback(ahreq, aead_request_flags(req),
|
||||
+ ahash_request_set_callback(ahreq, flags,
|
||||
krb5enc_decrypt_hash_done, req);
|
||||
|
||||
err = crypto_ahash_digest(ahreq);
|
||||
@@ -301,6 +296,21 @@ static int krb5enc_dispatch_decrypt_hash(struct aead_request *req)
|
||||
return krb5enc_verify_hash(req);
|
||||
}
|
||||
|
||||
+static void krb5enc_decrypt_done(void *data, int err)
|
||||
+{
|
||||
+ struct aead_request *req = data;
|
||||
+
|
||||
+ if (err)
|
||||
+ goto out;
|
||||
+
|
||||
+ err = krb5enc_dispatch_decrypt_hash(req, 0);
|
||||
+ if (err == -EINPROGRESS)
|
||||
+ return;
|
||||
+
|
||||
+out:
|
||||
+ aead_request_complete(req, err);
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* Dispatch the decryption of the ciphertext.
|
||||
*/
|
||||
@@ -324,7 +334,7 @@ static int krb5enc_dispatch_decrypt(struct aead_request *req)
|
||||
|
||||
skcipher_request_set_tfm(skreq, ctx->enc);
|
||||
skcipher_request_set_callback(skreq, aead_request_flags(req),
|
||||
- req->base.complete, req->base.data);
|
||||
+ krb5enc_decrypt_done, req);
|
||||
skcipher_request_set_crypt(skreq, src, dst,
|
||||
req->cryptlen - authsize, req->iv);
|
||||
|
||||
@@ -339,7 +349,7 @@ static int krb5enc_decrypt(struct aead_request *req)
|
||||
if (err < 0)
|
||||
return err;
|
||||
|
||||
- return krb5enc_dispatch_decrypt_hash(req);
|
||||
+ return krb5enc_dispatch_decrypt_hash(req, aead_request_flags(req));
|
||||
}
|
||||
|
||||
static int krb5enc_init_tfm(struct crypto_aead *tfm)
|
||||
@ -0,0 +1,59 @@
|
||||
From 91e2b13c3f9a470daee57990a7022cee6d8389d8 Mon Sep 17 00:00:00 2001
|
||||
From: Ilya Dryomov <idryomov@redhat.com>
|
||||
Date: Thu, 4 Jun 2026 13:24:44 +0200
|
||||
Subject: [PATCH] crypto: krb5 - filter out async aead implementations at alloc
|
||||
|
||||
JIRA: https://redhat.atlassian.net/browse/RHEL-182119
|
||||
Upstream Status: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
|
||||
|
||||
commit 6c9dddeb582fde005360f4fe02c760d45ca05fb5
|
||||
Author: Michael Bommarito <michael.bommarito@gmail.com>
|
||||
Date: Sun May 10 19:24:55 2026 -0400
|
||||
|
||||
crypto: krb5 - filter out async aead implementations at alloc
|
||||
|
||||
krb5_aead_encrypt(), krb5_aead_decrypt() in rfc3961_simplified.c and
|
||||
rfc8009_encrypt(), rfc8009_decrypt() in rfc8009_aes2.c set a NULL
|
||||
completion callback and treat any negative return from
|
||||
crypto_aead_{encrypt,decrypt}() as terminal, falling through to
|
||||
kfree_sensitive(buffer). When the encrypt_name resolves to an
|
||||
async AEAD instance the request returns -EINPROGRESS, the buffer
|
||||
is freed while the backend's worker still holds a pointer, and the
|
||||
worker dereferences the freed slab on completion.
|
||||
|
||||
KASAN report under UML+SLUB with a synthetic async aead backend
|
||||
bound to krb5->encrypt_name:
|
||||
|
||||
BUG: KASAN: slab-use-after-free in t5_stub_complete+0x7d/0xc7
|
||||
|
||||
The helpers were written synchronously, so filter the async
|
||||
instances out at allocation time instead of plumbing
|
||||
crypto_wait_req() through every call site.
|
||||
|
||||
Reachable via net/rxrpc/rxgk.c, fs/afs/cm_security.c and
|
||||
net/ceph/crypto.c on systems with an async AEAD provider bound to
|
||||
the krb5 enctype name.
|
||||
|
||||
Fixes: 00244da40f78 ("crypto/krb5: Implement the Kerberos5 rfc3961 encrypt and decrypt functions")
|
||||
Fixes: 6c3c0e86c2ac ("crypto/krb5: Implement the AES enctypes from rfc8009")
|
||||
Cc: stable@vger.kernel.org
|
||||
Suggested-by: Herbert Xu <herbert@gondor.apana.org.au>
|
||||
Assisted-by: Claude:claude-opus-4-7
|
||||
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
|
||||
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
||||
|
||||
Signed-off-by: Ilya Dryomov <idryomov@redhat.com>
|
||||
|
||||
diff --git a/crypto/krb5/krb5_api.c b/crypto/krb5/krb5_api.c
|
||||
index 23026d4..2b20284 100644
|
||||
--- a/crypto/krb5/krb5_api.c
|
||||
+++ b/crypto/krb5/krb5_api.c
|
||||
@@ -165,7 +165,7 @@ struct crypto_aead *krb5_prepare_encryption(const struct krb5_enctype *krb5,
|
||||
struct crypto_aead *ci = NULL;
|
||||
int ret = -ENOMEM;
|
||||
|
||||
- ci = crypto_alloc_aead(krb5->encrypt_name, 0, 0);
|
||||
+ ci = crypto_alloc_aead(krb5->encrypt_name, 0, CRYPTO_ALG_ASYNC);
|
||||
if (IS_ERR(ci)) {
|
||||
ret = PTR_ERR(ci);
|
||||
if (ret == -ENOENT)
|
||||
42
1408-arm64-cputype-add-c1-pro-definitions.patch
Normal file
42
1408-arm64-cputype-add-c1-pro-definitions.patch
Normal file
@ -0,0 +1,42 @@
|
||||
From ee5ce483d42809b6c9e5bb25c33601e54229128f Mon Sep 17 00:00:00 2001
|
||||
From: Catalin Marinas <catalin.marinas@arm.com>
|
||||
Date: Tue, 21 Apr 2026 11:00:16 +0100
|
||||
Subject: [PATCH] arm64: cputype: Add C1-Pro definitions
|
||||
|
||||
commit 2c99561016c591f4c3d5ad7d22a61b8726e79735 upstream.
|
||||
|
||||
Add cputype definitions for C1-Pro. These will be used for errata
|
||||
detection in subsequent patches.
|
||||
|
||||
These values can be found in "Table A-303: MIDR_EL1 bit descriptions" in
|
||||
issue 07 of the C1-Pro TRM:
|
||||
|
||||
https://documentation-service.arm.com/static/6930126730f8f55a656570af
|
||||
|
||||
Acked-by: Mark Rutland <mark.rutland@arm.com>
|
||||
Cc: Will Deacon <will@kernel.org>
|
||||
Cc: James Morse <james.morse@arm.com>
|
||||
Reviewed-by: Will Deacon <will@kernel.org>
|
||||
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
|
||||
diff --git a/arch/arm64/include/asm/cputype.h b/arch/arm64/include/asm/cputype.h
|
||||
index a580531..c2add67 100644
|
||||
--- a/arch/arm64/include/asm/cputype.h
|
||||
+++ b/arch/arm64/include/asm/cputype.h
|
||||
@@ -98,6 +98,7 @@
|
||||
#define ARM_CPU_PART_CORTEX_A725 0xD87
|
||||
#define ARM_CPU_PART_CORTEX_A720AE 0xD89
|
||||
#define ARM_CPU_PART_NEOVERSE_N3 0xD8E
|
||||
+#define ARM_CPU_PART_C1_PRO 0xD8B
|
||||
|
||||
#define APM_CPU_PART_XGENE 0x000
|
||||
#define APM_CPU_VAR_POTENZA 0x00
|
||||
@@ -188,6 +189,7 @@
|
||||
#define MIDR_CORTEX_A725 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A725)
|
||||
#define MIDR_CORTEX_A720AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A720AE)
|
||||
#define MIDR_NEOVERSE_N3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N3)
|
||||
+#define MIDR_C1_PRO MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_PRO)
|
||||
#define MIDR_THUNDERX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX)
|
||||
#define MIDR_THUNDERX_81XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_81XX)
|
||||
#define MIDR_THUNDERX_83XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_83XX)
|
||||
44
1409-arm64-cputype-add-c1-premium-definitions.patch
Normal file
44
1409-arm64-cputype-add-c1-premium-definitions.patch
Normal file
@ -0,0 +1,44 @@
|
||||
From 2125f57780e4d81424f47d9ec432ac733e9a2fb2 Mon Sep 17 00:00:00 2001
|
||||
From: Mark Rutland <mark.rutland@arm.com>
|
||||
Date: Tue, 16 Jun 2026 06:15:49 +0100
|
||||
Subject: [PATCH] arm64: cputype: Add C1-Premium definitions
|
||||
|
||||
commit d28413bfc5a255957241f1df5d7fd0c2cd74fe18 upstream.
|
||||
|
||||
Add cputype definitions for C1-Premium. These will be used for errata
|
||||
detection in subsequent patches.
|
||||
|
||||
These values can be found in the C1-Premium TRM:
|
||||
|
||||
https://developer.arm.com/documentation/109416/0100/
|
||||
|
||||
... in section A.5.1 ("MIDR_EL1, Main ID Register").
|
||||
|
||||
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
|
||||
Cc: Catalin Marinas <catalin.marinas@arm.com>
|
||||
Cc: Will Deacon <will@kernel.org>
|
||||
Signed-off-by: Will Deacon <will@kernel.org>
|
||||
[Mark: backport to v6.12.y]
|
||||
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
|
||||
diff --git a/arch/arm64/include/asm/cputype.h b/arch/arm64/include/asm/cputype.h
|
||||
index c2add67..4efa7c9 100644
|
||||
--- a/arch/arm64/include/asm/cputype.h
|
||||
+++ b/arch/arm64/include/asm/cputype.h
|
||||
@@ -99,6 +99,7 @@
|
||||
#define ARM_CPU_PART_CORTEX_A720AE 0xD89
|
||||
#define ARM_CPU_PART_NEOVERSE_N3 0xD8E
|
||||
#define ARM_CPU_PART_C1_PRO 0xD8B
|
||||
+#define ARM_CPU_PART_C1_PREMIUM 0xD90
|
||||
|
||||
#define APM_CPU_PART_XGENE 0x000
|
||||
#define APM_CPU_VAR_POTENZA 0x00
|
||||
@@ -189,6 +190,7 @@
|
||||
#define MIDR_CORTEX_A725 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A725)
|
||||
#define MIDR_CORTEX_A720AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A720AE)
|
||||
#define MIDR_NEOVERSE_N3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N3)
|
||||
+#define MIDR_C1_PREMIUM MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_PREMIUM)
|
||||
#define MIDR_C1_PRO MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_PRO)
|
||||
#define MIDR_THUNDERX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX)
|
||||
#define MIDR_THUNDERX_81XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_81XX)
|
||||
48
1410-arm64-cputype-add-c1-ultra-definitions.patch
Normal file
48
1410-arm64-cputype-add-c1-ultra-definitions.patch
Normal file
@ -0,0 +1,48 @@
|
||||
From cce1ef3711fd5a41144c4d7d6125f0b244982ca8 Mon Sep 17 00:00:00 2001
|
||||
From: Mark Rutland <mark.rutland@arm.com>
|
||||
Date: Tue, 16 Jun 2026 06:15:48 +0100
|
||||
Subject: [PATCH] arm64: cputype: Add C1-Ultra definitions
|
||||
|
||||
commit 60349e64a6c65f9f0aa118af711b3c7e137f07ff upstream.
|
||||
|
||||
Add cputype definitions for C1-Ultra. These will be used for errata
|
||||
detection in subsequent patches.
|
||||
|
||||
These values can be found in the C1-Ultra TRM:
|
||||
|
||||
https://developer.arm.com/documentation/108014/0100/
|
||||
|
||||
... in section A.5.1 ("MIDR_EL1, Main ID Register").
|
||||
|
||||
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
|
||||
Cc: Catalin Marinas <catalin.marinas@arm.com>
|
||||
Cc: Will Deacon <will@kernel.org>
|
||||
Signed-off-by: Will Deacon <will@kernel.org>
|
||||
[Mark: backport to v6.12.y]
|
||||
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
|
||||
diff --git a/arch/arm64/include/asm/cputype.h b/arch/arm64/include/asm/cputype.h
|
||||
index 4efa7c9..55565b7 100644
|
||||
--- a/arch/arm64/include/asm/cputype.h
|
||||
+++ b/arch/arm64/include/asm/cputype.h
|
||||
@@ -97,6 +97,7 @@
|
||||
#define ARM_CPU_PART_CORTEX_X925 0xD85
|
||||
#define ARM_CPU_PART_CORTEX_A725 0xD87
|
||||
#define ARM_CPU_PART_CORTEX_A720AE 0xD89
|
||||
+#define ARM_CPU_PART_C1_ULTRA 0xD8C
|
||||
#define ARM_CPU_PART_NEOVERSE_N3 0xD8E
|
||||
#define ARM_CPU_PART_C1_PRO 0xD8B
|
||||
#define ARM_CPU_PART_C1_PREMIUM 0xD90
|
||||
@@ -189,9 +190,10 @@
|
||||
#define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925)
|
||||
#define MIDR_CORTEX_A725 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A725)
|
||||
#define MIDR_CORTEX_A720AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A720AE)
|
||||
+#define MIDR_C1_ULTRA MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_ULTRA)
|
||||
#define MIDR_NEOVERSE_N3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N3)
|
||||
-#define MIDR_C1_PREMIUM MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_PREMIUM)
|
||||
#define MIDR_C1_PRO MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_PRO)
|
||||
+#define MIDR_C1_PREMIUM MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_PREMIUM)
|
||||
#define MIDR_THUNDERX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX)
|
||||
#define MIDR_THUNDERX_81XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_81XX)
|
||||
#define MIDR_THUNDERX_83XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_83XX)
|
||||
268
1411-arm64-errata-mitigate-tlbi-errata-on-various-arm-cpus.patch
Normal file
268
1411-arm64-errata-mitigate-tlbi-errata-on-various-arm-cpus.patch
Normal file
@ -0,0 +1,268 @@
|
||||
From 4e7c80742e6dada9f8b9ad63f3a49c03af07ecb8 Mon Sep 17 00:00:00 2001
|
||||
From: Mark Rutland <mark.rutland@arm.com>
|
||||
Date: Tue, 16 Jun 2026 06:15:50 +0100
|
||||
Subject: [PATCH] arm64: errata: Mitigate TLBI errata on various Arm CPUs
|
||||
|
||||
commit cfd391e74134db664feb499d43af286380b10ba8 upstream.
|
||||
|
||||
A number of CPUs developed by Arm suffer from errata whereby a broadcast
|
||||
TLBI;DSB sequence may complete before the global observation of writes
|
||||
which are translated by an affected TLB entry.
|
||||
|
||||
These errata ONLY affect the completion of memory accesses which have
|
||||
been translated by an invalidated TLB entry, and these errata DO NOT
|
||||
affect the actual invalidation of TLB entries. TLB entries are removed
|
||||
correctly.
|
||||
|
||||
This issue has been assigned CVE ID CVE-2025-10263.
|
||||
|
||||
To mitigate this issue, Arm recommends that software follows any
|
||||
affected TLBI;DSB sequence with an additional TLBI;DSB, which will
|
||||
ensure that all memory write effects affected by the first TLBI have
|
||||
been globally observed. The additional TLBI can use any operation that
|
||||
is broadcast to affected CPUs, and the additional DSB can use any option
|
||||
that is sufficient to complete the additional TLBI.
|
||||
|
||||
The ARM64_WORKAROUND_REPEAT_TLBI workaround is sufficient to mitigate
|
||||
the issue. Enable this workaround for affected CPUs, and update the
|
||||
silicon errata documentation accordingly.
|
||||
|
||||
Note that due to the manner in which Arm develops IP and tracks errata,
|
||||
some CPUs share a common erratum number.
|
||||
|
||||
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
|
||||
Cc: Catalin Marinas <catalin.marinas@arm.com>
|
||||
Cc: Will Deacon <will@kernel.org>
|
||||
Signed-off-by: Will Deacon <will@kernel.org>
|
||||
[Mark: backport to v6.12.y]
|
||||
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
|
||||
diff --git a/Documentation/arch/arm64/silicon-errata.rst b/Documentation/arch/arm64/silicon-errata.rst
|
||||
index a7ec570..e06d991 100644
|
||||
--- a/Documentation/arch/arm64/silicon-errata.rst
|
||||
+++ b/Documentation/arch/arm64/silicon-errata.rst
|
||||
@@ -128,16 +128,28 @@ stable kernels.
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
| ARM | Cortex-A76 | #3324349 | ARM64_ERRATUM_3194386 |
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
+| ARM | Cortex-A76 | #4193800 | ARM64_ERRATUM_4118414 |
|
||||
++----------------+-----------------+-----------------+-----------------------------+
|
||||
+| ARM | Cortex-A76AE | #4193801 | ARM64_ERRATUM_4118414 |
|
||||
++----------------+-----------------+-----------------+-----------------------------+
|
||||
| ARM | Cortex-A77 | #1491015 | N/A |
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
| ARM | Cortex-A77 | #1508412 | ARM64_ERRATUM_1508412 |
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
| ARM | Cortex-A77 | #3324348 | ARM64_ERRATUM_3194386 |
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
+| ARM | Cortex-A77 | #4193798 | ARM64_ERRATUM_4118414 |
|
||||
++----------------+-----------------+-----------------+-----------------------------+
|
||||
| ARM | Cortex-A78 | #3324344 | ARM64_ERRATUM_3194386 |
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
+| ARM | Cortex-A78 | #4193791 | ARM64_ERRATUM_4118414 |
|
||||
++----------------+-----------------+-----------------+-----------------------------+
|
||||
+| ARM | Cortex-A78AE | #4193793 | ARM64_ERRATUM_4118414 |
|
||||
++----------------+-----------------+-----------------+-----------------------------+
|
||||
| ARM | Cortex-A78C | #3324346,3324347| ARM64_ERRATUM_3194386 |
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
+| ARM | Cortex-A78C | #4193794 | ARM64_ERRATUM_4118414 |
|
||||
++----------------+-----------------+-----------------+-----------------------------+
|
||||
| ARM | Cortex-A710 | #2119858 | ARM64_ERRATUM_2119858 |
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
| ARM | Cortex-A710 | #2054223 | ARM64_ERRATUM_2054223 |
|
||||
@@ -146,6 +158,8 @@ stable kernels.
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
| ARM | Cortex-A710 | #3324338 | ARM64_ERRATUM_3194386 |
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
+| ARM | Cortex-A710 | #4193788 | ARM64_ERRATUM_4118414 |
|
||||
++----------------+-----------------+-----------------+-----------------------------+
|
||||
| ARM | Cortex-A715 | #2645198 | ARM64_ERRATUM_2645198 |
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
| ARM | Cortex-A715 | #3456084 | ARM64_ERRATUM_3194386 |
|
||||
@@ -158,20 +172,32 @@ stable kernels.
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
| ARM | Cortex-X1 | #3324344 | ARM64_ERRATUM_3194386 |
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
+| ARM | Cortex-X1 | #4193791 | ARM64_ERRATUM_4118414 |
|
||||
++----------------+-----------------+-----------------+-----------------------------+
|
||||
| ARM | Cortex-X1C | #3324346 | ARM64_ERRATUM_3194386 |
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
+| ARM | Cortex-X1C | #4193792 | ARM64_ERRATUM_4118414 |
|
||||
++----------------+-----------------+-----------------+-----------------------------+
|
||||
| ARM | Cortex-X2 | #2119858 | ARM64_ERRATUM_2119858 |
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
| ARM | Cortex-X2 | #2224489 | ARM64_ERRATUM_2224489 |
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
| ARM | Cortex-X2 | #3324338 | ARM64_ERRATUM_3194386 |
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
+| ARM | Cortex-X2 | #4193788 | ARM64_ERRATUM_4118414 |
|
||||
++----------------+-----------------+-----------------+-----------------------------+
|
||||
| ARM | Cortex-X3 | #3324335 | ARM64_ERRATUM_3194386 |
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
+| ARM | Cortex-X3 | #4193786 | ARM64_ERRATUM_4118414 |
|
||||
++----------------+-----------------+-----------------+-----------------------------+
|
||||
| ARM | Cortex-X4 | #3194386 | ARM64_ERRATUM_3194386 |
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
+| ARM | Cortex-X4 | #4118414 | ARM64_ERRATUM_4118414 |
|
||||
++----------------+-----------------+-----------------+-----------------------------+
|
||||
| ARM | Cortex-X925 | #3324334 | ARM64_ERRATUM_3194386 |
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
+| ARM | Cortex-X925 | #4193781 | ARM64_ERRATUM_4118414 |
|
||||
++----------------+-----------------+-----------------+-----------------------------+
|
||||
| ARM | Neoverse-N1 | #1188873,1418040| ARM64_ERRATUM_1418040 |
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
| ARM | Neoverse-N1 | #1349291 | N/A |
|
||||
@@ -182,6 +208,8 @@ stable kernels.
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
| ARM | Neoverse-N1 | #3324349 | ARM64_ERRATUM_3194386 |
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
+| ARM | Neoverse-N1 | #4193800 | ARM64_ERRATUM_4118414 |
|
||||
++----------------+-----------------+-----------------+-----------------------------+
|
||||
| ARM | Neoverse-N2 | #2139208 | ARM64_ERRATUM_2139208 |
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
| ARM | Neoverse-N2 | #2067961 | ARM64_ERRATUM_2067961 |
|
||||
@@ -190,18 +218,34 @@ stable kernels.
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
| ARM | Neoverse-N2 | #3324339 | ARM64_ERRATUM_3194386 |
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
+| ARM | Neoverse-N2 | #4193789 | ARM64_ERRATUM_4118414 |
|
||||
++----------------+-----------------+-----------------+-----------------------------+
|
||||
| ARM | Neoverse-N3 | #3456111 | ARM64_ERRATUM_3194386 |
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
| ARM | Neoverse-V1 | #1619801 | N/A |
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
| ARM | Neoverse-V1 | #3324341 | ARM64_ERRATUM_3194386 |
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
+| ARM | Neoverse-V1 | #4193790 | ARM64_ERRATUM_4118414 |
|
||||
++----------------+-----------------+-----------------+-----------------------------+
|
||||
| ARM | Neoverse-V2 | #3324336 | ARM64_ERRATUM_3194386 |
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
+| ARM | Neoverse-V2 | #4193787 | ARM64_ERRATUM_4118414 |
|
||||
++----------------+-----------------+-----------------+-----------------------------+
|
||||
| ARM | Neoverse-V3 | #3312417 | ARM64_ERRATUM_3194386 |
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
+| ARM | Neoverse-V3 | #4193784 | ARM64_ERRATUM_4118414 |
|
||||
++----------------+-----------------+-----------------+-----------------------------+
|
||||
| ARM | Neoverse-V3AE | #3312417 | ARM64_ERRATUM_3194386 |
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
+| ARM | Neoverse-V3AE | #4193784 | ARM64_ERRATUM_4118414 |
|
||||
++----------------+-----------------+-----------------+-----------------------------+
|
||||
+| ARM | C1-Premium | #4193780 | ARM64_ERRATUM_4118414 |
|
||||
++----------------+-----------------+-----------------+-----------------------------+
|
||||
+| ARM | C1-Pro | #4193714 | ARM64_ERRATUM_4193714 |
|
||||
++----------------+-----------------+-----------------+-----------------------------+
|
||||
+| ARM | C1-Ultra | #4193780 | ARM64_ERRATUM_4118414 |
|
||||
++----------------+-----------------+-----------------+-----------------------------+
|
||||
| ARM | MMU-500 | #841119,826419 | ARM_SMMU_MMU_500_CPRE_ERRATA|
|
||||
| | | #562869,1047329 | |
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
|
||||
index 7d2f7f2..6cdcc7a 100644
|
||||
--- a/arch/arm64/Kconfig
|
||||
+++ b/arch/arm64/Kconfig
|
||||
@@ -1155,6 +1155,54 @@ config ARM64_ERRATUM_3194386
|
||||
|
||||
If unsure, say Y.
|
||||
|
||||
+config ARM64_ERRATUM_4193714
|
||||
+ bool "C1-Pro: 4193714: SME DVMSync early acknowledgement"
|
||||
+ depends on ARM64_SME
|
||||
+ default y
|
||||
+ help
|
||||
+ Enable workaround for C1-Pro acknowledging the DVMSync before
|
||||
+ the SME memory accesses are complete. This will cause TLB
|
||||
+ maintenance for processes using SME to also issue an IPI to
|
||||
+ the affected CPUs.
|
||||
+
|
||||
+ If unsure, say Y.
|
||||
+
|
||||
+config ARM64_ERRATUM_4118414
|
||||
+ bool "Cortex-*/Neoverse-*/C1-*: Completion of affected memory accesses might not be guaranteed by completion of a TLBI"
|
||||
+ default y
|
||||
+ select ARM64_WORKAROUND_REPEAT_TLBI
|
||||
+ help
|
||||
+ This option adds a workaround for the following errata:
|
||||
+
|
||||
+ * ARM C1-Premium erratum 4193780
|
||||
+ * ARM C1-Ultra erratum 4193780
|
||||
+ * ARM Cortex-A76 erratum 4193800
|
||||
+ * ARM Cortex-A76AE erratum 4193801
|
||||
+ * ARM Cortex-A77 erratum 4193798
|
||||
+ * ARM Cortex-A78 erratum 4193791
|
||||
+ * ARM Cortex-A78AE erratum 4193793
|
||||
+ * ARM Cortex-A78C erratum 4193794
|
||||
+ * ARM Cortex-A710 erratum 4193788
|
||||
+ * ARM Cortex-X1 erratum 4193791
|
||||
+ * ARM Cortex-X1C erratum 4193792
|
||||
+ * ARM Cortex-X2 erratum 4193788
|
||||
+ * ARM Cortex-X3 erratum 4193786
|
||||
+ * ARM Cortex-X4 erratum 4118414
|
||||
+ * ARM Cortex-X925 erratum 4193781
|
||||
+ * ARM Neoverse-N1 erratum 4193800
|
||||
+ * ARM Neoverse-N2 erratum 4193789
|
||||
+ * ARM Neoverse-V1 erratum 4193790
|
||||
+ * ARM Neoverse-V2 erratum 4193787
|
||||
+ * ARM Neoverse-V3 erratum 4193784
|
||||
+ * ARM Neoverse-V3AE erratum 4193784
|
||||
+
|
||||
+ On affected cores, some memory accesses might not be completed by
|
||||
+ broadcast TLB invalidation.
|
||||
+
|
||||
+ This issue is also known as CVE-2025-10263.
|
||||
+
|
||||
+ If unsure, say Y.
|
||||
+
|
||||
config CAVIUM_ERRATUM_22375
|
||||
bool "Cavium erratum 22375, 24313"
|
||||
default y
|
||||
diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c
|
||||
index 46cd811..80a920d 100644
|
||||
--- a/arch/arm64/kernel/cpu_errata.c
|
||||
+++ b/arch/arm64/kernel/cpu_errata.c
|
||||
@@ -278,7 +278,35 @@ static const struct arm64_cpu_capabilities arm64_repeat_tlbi_list[] = {
|
||||
ERRATA_MIDR_RANGE(MIDR_CORTEX_A510, 0, 0, 1, 1),
|
||||
},
|
||||
#endif
|
||||
- {},
|
||||
+#ifdef CONFIG_ARM64_ERRATUM_4118414
|
||||
+ {
|
||||
+ ERRATA_MIDR_RANGE_LIST(((const struct midr_range[]) {
|
||||
+ MIDR_ALL_VERSIONS(MIDR_C1_PREMIUM),
|
||||
+ MIDR_ALL_VERSIONS(MIDR_C1_ULTRA),
|
||||
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A76),
|
||||
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A76AE),
|
||||
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A77),
|
||||
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A78),
|
||||
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A78AE),
|
||||
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A78C),
|
||||
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A710),
|
||||
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_X1),
|
||||
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_X1C),
|
||||
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_X2),
|
||||
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_X3),
|
||||
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_X4),
|
||||
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_X925),
|
||||
+ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1),
|
||||
+ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2),
|
||||
+ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1),
|
||||
+ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V2),
|
||||
+ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3),
|
||||
+ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3AE),
|
||||
+ {}
|
||||
+ })),
|
||||
+ },
|
||||
+#endif
|
||||
+ {}
|
||||
};
|
||||
#endif
|
||||
|
||||
@@ -614,7 +642,7 @@ const struct arm64_cpu_capabilities arm64_errata[] = {
|
||||
#endif
|
||||
#ifdef CONFIG_ARM64_WORKAROUND_REPEAT_TLBI
|
||||
{
|
||||
- .desc = "Qualcomm erratum 1009, or ARM erratum 1286807, 2441009",
|
||||
+ .desc = "Broken broadcast TLBI completion",
|
||||
.capability = ARM64_WORKAROUND_REPEAT_TLBI,
|
||||
.type = ARM64_CPUCAP_LOCAL_CPU_ERRATUM,
|
||||
.matches = cpucap_multi_entry_cap_matches,
|
||||
@ -0,0 +1,73 @@
|
||||
From fd0781fcbf4d867807bb3f9432f5582e5619f7df Mon Sep 17 00:00:00 2001
|
||||
From: Shanker Donthineni <sdonthineni@nvidia.com>
|
||||
Date: Tue, 16 Jun 2026 06:15:51 +0100
|
||||
Subject: [PATCH] arm64: errata: Mitigate TLBI errata on NVIDIA Olympus CPU
|
||||
|
||||
commit ec7216f92e4ebd485b1c6dc6aa3f6064b71a5768 upstream.
|
||||
|
||||
NVIDIA Olympus cores are affected by the TLBI completion issue tracked as
|
||||
CVE-2025-10263. The existing ARM64_ERRATUM_4118414 handling already uses
|
||||
ARM64_WORKAROUND_REPEAT_TLBI to issue an additional broadcast TLBI;DSB
|
||||
sequence and ensure affected memory write effects are globally observed.
|
||||
|
||||
Add MIDR_NVIDIA_OLYMPUS to the repeat-TLBI match list so the same
|
||||
mitigation is enabled on affected Olympus systems. Also document the
|
||||
NVIDIA Olympus erratum in the arm64 silicon errata table and list it in
|
||||
the Kconfig help text.
|
||||
|
||||
Signed-off-by: Shanker Donthineni <sdonthineni@nvidia.com>
|
||||
Cc: Catalin Marinas <catalin.marinas@arm.com>
|
||||
Cc: Will Deacon <will@kernel.org>
|
||||
Cc: Mark Rutland <mark.rutland@arm.com>
|
||||
Acked-by: Mark Rutland <mark.rutland@arm.com>
|
||||
Signed-off-by: Will Deacon <will@kernel.org>
|
||||
[Mark: backport to v6.12.y]
|
||||
Signed-off-by: Shanker Donthineni <sdonthineni@nvidia.com>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
|
||||
diff --git a/Documentation/arch/arm64/silicon-errata.rst b/Documentation/arch/arm64/silicon-errata.rst
|
||||
index e06d991..bf898b7 100644
|
||||
--- a/Documentation/arch/arm64/silicon-errata.rst
|
||||
+++ b/Documentation/arch/arm64/silicon-errata.rst
|
||||
@@ -288,6 +288,8 @@ stable kernels.
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
| NVIDIA | Carmel Core | N/A | NVIDIA_CARMEL_CNP_ERRATUM |
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
+| NVIDIA | Olympus core | T410-OLY-1029 | ARM64_ERRATUM_4118414 |
|
||||
++----------------+-----------------+-----------------+-----------------------------+
|
||||
| NVIDIA | T241 GICv3/4.x | T241-FABRIC-4 | N/A |
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
|
||||
index 6cdcc7a..6f7bbe2 100644
|
||||
--- a/arch/arm64/Kconfig
|
||||
+++ b/arch/arm64/Kconfig
|
||||
@@ -1168,7 +1168,7 @@ config ARM64_ERRATUM_4193714
|
||||
If unsure, say Y.
|
||||
|
||||
config ARM64_ERRATUM_4118414
|
||||
- bool "Cortex-*/Neoverse-*/C1-*: Completion of affected memory accesses might not be guaranteed by completion of a TLBI"
|
||||
+ bool "Various: Completion of affected memory accesses might not be guaranteed by completion of a TLBI"
|
||||
default y
|
||||
select ARM64_WORKAROUND_REPEAT_TLBI
|
||||
help
|
||||
@@ -1195,6 +1195,7 @@ config ARM64_ERRATUM_4118414
|
||||
* ARM Neoverse-V2 erratum 4193787
|
||||
* ARM Neoverse-V3 erratum 4193784
|
||||
* ARM Neoverse-V3AE erratum 4193784
|
||||
+ * NVIDIA Olympus erratum T410-OLY-1029
|
||||
|
||||
On affected cores, some memory accesses might not be completed by
|
||||
broadcast TLB invalidation.
|
||||
diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c
|
||||
index 80a920d..06d9a92 100644
|
||||
--- a/arch/arm64/kernel/cpu_errata.c
|
||||
+++ b/arch/arm64/kernel/cpu_errata.c
|
||||
@@ -302,6 +302,7 @@ static const struct arm64_cpu_capabilities arm64_repeat_tlbi_list[] = {
|
||||
MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V2),
|
||||
MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3),
|
||||
MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3AE),
|
||||
+ MIDR_ALL_VERSIONS(MIDR_NVIDIA_OLYMPUS),
|
||||
{}
|
||||
})),
|
||||
},
|
||||
@ -0,0 +1,107 @@
|
||||
From 2321cb9e80eaeedbc22ede60ee03404fe521cd56 Mon Sep 17 00:00:00 2001
|
||||
From: Will Deacon <will@kernel.org>
|
||||
Date: Tue, 16 Jun 2026 06:15:52 +0100
|
||||
Subject: [PATCH] arm64: errata: Mitigate TLBI errata on Microsoft Azure Cobalt
|
||||
100 CPU
|
||||
|
||||
commit 1940e70a8144bf75e6df26bf6f600862ea7f7ea1 upstream.
|
||||
|
||||
Commit fb091ff39479 ("arm64: Subscribe Microsoft Azure Cobalt 100 to ARM
|
||||
Neoverse N2 errata") states that Microsoft Azure Cobalt 100 CPU "is a
|
||||
Microsoft implemented CPU based on r0p0 of the ARM Neoverse N2 CPU, and
|
||||
therefore suffers from all the same errata.".
|
||||
|
||||
So enable the workaround for the latest broadcast TLB invalidation bug
|
||||
on these parts.
|
||||
|
||||
Signed-off-by: Will Deacon <will@kernel.org>
|
||||
[Mark: backport to v6.12.y]
|
||||
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
|
||||
diff --git a/Documentation/arch/arm64/silicon-errata.rst b/Documentation/arch/arm64/silicon-errata.rst
|
||||
index bf898b7..e9558e8 100644
|
||||
--- a/Documentation/arch/arm64/silicon-errata.rst
|
||||
+++ b/Documentation/arch/arm64/silicon-errata.rst
|
||||
@@ -131,7 +131,7 @@ stable kernels.
|
||||
| ARM | Cortex-A76 | #4193800 | ARM64_ERRATUM_4118414 |
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
| ARM | Cortex-A76AE | #4193801 | ARM64_ERRATUM_4118414 |
|
||||
-+----------------+-----------------+-----------------+-----------------------------+
|
||||
+++----------------+-----------------+-----------------+-----------------------------+
|
||||
| ARM | Cortex-A77 | #1491015 | N/A |
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
| ARM | Cortex-A77 | #1508412 | ARM64_ERRATUM_1508412 |
|
||||
@@ -195,7 +195,7 @@ stable kernels.
|
||||
| ARM | Cortex-X4 | #4118414 | ARM64_ERRATUM_4118414 |
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
| ARM | Cortex-X925 | #3324334 | ARM64_ERRATUM_3194386 |
|
||||
-+----------------+-----------------+-----------------+-----------------------------+
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
| ARM | Cortex-X925 | #4193781 | ARM64_ERRATUM_4118414 |
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
| ARM | Neoverse-N1 | #1188873,1418040| ARM64_ERRATUM_1418040 |
|
||||
@@ -237,13 +237,11 @@ stable kernels.
|
||||
| ARM | Neoverse-V3 | #4193784 | ARM64_ERRATUM_4118414 |
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
| ARM | Neoverse-V3AE | #3312417 | ARM64_ERRATUM_3194386 |
|
||||
-+----------------+-----------------+-----------------+-----------------------------+
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
| ARM | Neoverse-V3AE | #4193784 | ARM64_ERRATUM_4118414 |
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
| ARM | C1-Premium | #4193780 | ARM64_ERRATUM_4118414 |
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
-| ARM | C1-Pro | #4193714 | ARM64_ERRATUM_4193714 |
|
||||
-+----------------+-----------------+-----------------+-----------------------------+
|
||||
| ARM | C1-Ultra | #4193780 | ARM64_ERRATUM_4118414 |
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
| ARM | MMU-500 | #841119,826419 | ARM_SMMU_MMU_500_CPRE_ERRATA|
|
||||
@@ -351,3 +349,5 @@ stable kernels.
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
| Microsoft | Azure Cobalt 100| #3324339 | ARM64_ERRATUM_3194386 |
|
||||
+----------------+-----------------+-----------------+-----------------------------+
|
||||
+| Microsoft | Azure Cobalt 100| #4193789 | ARM64_ERRATUM_4118414 |
|
||||
++----------------+-----------------+-----------------+-----------------------------+
|
||||
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
|
||||
index 6f7bbe2..49506a7 100644
|
||||
--- a/arch/arm64/Kconfig
|
||||
+++ b/arch/arm64/Kconfig
|
||||
@@ -1155,18 +1155,6 @@ config ARM64_ERRATUM_3194386
|
||||
|
||||
If unsure, say Y.
|
||||
|
||||
-config ARM64_ERRATUM_4193714
|
||||
- bool "C1-Pro: 4193714: SME DVMSync early acknowledgement"
|
||||
- depends on ARM64_SME
|
||||
- default y
|
||||
- help
|
||||
- Enable workaround for C1-Pro acknowledging the DVMSync before
|
||||
- the SME memory accesses are complete. This will cause TLB
|
||||
- maintenance for processes using SME to also issue an IPI to
|
||||
- the affected CPUs.
|
||||
-
|
||||
- If unsure, say Y.
|
||||
-
|
||||
config ARM64_ERRATUM_4118414
|
||||
bool "Various: Completion of affected memory accesses might not be guaranteed by completion of a TLBI"
|
||||
default y
|
||||
@@ -1195,6 +1183,7 @@ config ARM64_ERRATUM_4118414
|
||||
* ARM Neoverse-V2 erratum 4193787
|
||||
* ARM Neoverse-V3 erratum 4193784
|
||||
* ARM Neoverse-V3AE erratum 4193784
|
||||
+ * Microsoft Azure Cobalt 100 4193789
|
||||
* NVIDIA Olympus erratum T410-OLY-1029
|
||||
|
||||
On affected cores, some memory accesses might not be completed by
|
||||
diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c
|
||||
index 06d9a92..72caeca 100644
|
||||
--- a/arch/arm64/kernel/cpu_errata.c
|
||||
+++ b/arch/arm64/kernel/cpu_errata.c
|
||||
@@ -303,6 +303,7 @@ static const struct arm64_cpu_capabilities arm64_repeat_tlbi_list[] = {
|
||||
MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3),
|
||||
MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3AE),
|
||||
MIDR_ALL_VERSIONS(MIDR_NVIDIA_OLYMPUS),
|
||||
+ MIDR_ALL_VERSIONS(MIDR_MICROSOFT_AZURE_COBALT_100),
|
||||
{}
|
||||
})),
|
||||
},
|
||||
@ -0,0 +1,40 @@
|
||||
From 2d29214448ec0f4e7e18bb1c14dd4a6c07f1c439 Mon Sep 17 00:00:00 2001
|
||||
From: Fredric Cover <FredTheDude@proton.me>
|
||||
Date: Mon, 30 Mar 2026 13:11:27 -0700
|
||||
Subject: [PATCH] fs/smb/client: fix out-of-bounds read in
|
||||
cifs_sanitize_prepath
|
||||
|
||||
[ Upstream commit 78ec5bf2f589ec7fd8f169394bfeca541b077317 ]
|
||||
|
||||
When cifs_sanitize_prepath is called with an empty string or a string
|
||||
containing only delimiters (e.g., "/"), the current logic attempts to
|
||||
check *(cursor2 - 1) before cursor2 has advanced. This results in an
|
||||
out-of-bounds read.
|
||||
|
||||
This patch adds an early exit check after stripping prepended
|
||||
delimiters. If no path content remains, the function returns NULL.
|
||||
|
||||
The bug was identified via manual audit and verified using a
|
||||
standalone test case compiled with AddressSanitizer, which
|
||||
triggered a SEGV on affected inputs.
|
||||
|
||||
Signed-off-by: Fredric Cover <FredTheDude@proton.me>
|
||||
Reviewed-by: Henrique Carvalho <[2]henrique.carvalho@suse.com>
|
||||
Signed-off-by: Steve French <stfrench@microsoft.com>
|
||||
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||||
|
||||
diff --git a/fs/smb/client/fs_context.c b/fs/smb/client/fs_context.c
|
||||
index c1a0363..287c847 100644
|
||||
--- a/fs/smb/client/fs_context.c
|
||||
+++ b/fs/smb/client/fs_context.c
|
||||
@@ -589,6 +589,10 @@ char *cifs_sanitize_prepath(char *prepath, gfp_t gfp)
|
||||
while (IS_DELIM(*cursor1))
|
||||
cursor1++;
|
||||
|
||||
+ /* exit in case of only delimiters */
|
||||
+ if (!*cursor1)
|
||||
+ return NULL;
|
||||
+
|
||||
/* copy the first letter */
|
||||
*cursor2 = *cursor1;
|
||||
|
||||
@ -364,6 +364,7 @@ CONFIG_ARM64_ERRATUM_2966298=y
|
||||
CONFIG_ARM64_ERRATUM_3117295=y
|
||||
CONFIG_ARM64_ERRATUM_3194386=y
|
||||
CONFIG_ARM64_ERRATUM_3312417=y
|
||||
CONFIG_ARM64_ERRATUM_4118414=y
|
||||
CONFIG_ARM64_ERRATUM_819472=y
|
||||
CONFIG_ARM64_ERRATUM_824069=y
|
||||
CONFIG_ARM64_ERRATUM_826319=y
|
||||
|
||||
@ -364,6 +364,7 @@ CONFIG_ARM64_ERRATUM_2966298=y
|
||||
CONFIG_ARM64_ERRATUM_3117295=y
|
||||
CONFIG_ARM64_ERRATUM_3194386=y
|
||||
CONFIG_ARM64_ERRATUM_3312417=y
|
||||
CONFIG_ARM64_ERRATUM_4118414=y
|
||||
CONFIG_ARM64_ERRATUM_819472=y
|
||||
CONFIG_ARM64_ERRATUM_824069=y
|
||||
CONFIG_ARM64_ERRATUM_826319=y
|
||||
|
||||
@ -364,6 +364,7 @@ CONFIG_ARM64_ERRATUM_2966298=y
|
||||
CONFIG_ARM64_ERRATUM_3117295=y
|
||||
CONFIG_ARM64_ERRATUM_3194386=y
|
||||
CONFIG_ARM64_ERRATUM_3312417=y
|
||||
CONFIG_ARM64_ERRATUM_4118414=y
|
||||
CONFIG_ARM64_ERRATUM_819472=y
|
||||
CONFIG_ARM64_ERRATUM_824069=y
|
||||
CONFIG_ARM64_ERRATUM_826319=y
|
||||
|
||||
@ -364,6 +364,7 @@ CONFIG_ARM64_ERRATUM_2966298=y
|
||||
CONFIG_ARM64_ERRATUM_3117295=y
|
||||
CONFIG_ARM64_ERRATUM_3194386=y
|
||||
CONFIG_ARM64_ERRATUM_3312417=y
|
||||
CONFIG_ARM64_ERRATUM_4118414=y
|
||||
CONFIG_ARM64_ERRATUM_819472=y
|
||||
CONFIG_ARM64_ERRATUM_824069=y
|
||||
CONFIG_ARM64_ERRATUM_826319=y
|
||||
|
||||
@ -364,6 +364,7 @@ CONFIG_ARM64_ERRATUM_2966298=y
|
||||
CONFIG_ARM64_ERRATUM_3117295=y
|
||||
CONFIG_ARM64_ERRATUM_3194386=y
|
||||
CONFIG_ARM64_ERRATUM_3312417=y
|
||||
CONFIG_ARM64_ERRATUM_4118414=y
|
||||
CONFIG_ARM64_ERRATUM_819472=y
|
||||
CONFIG_ARM64_ERRATUM_824069=y
|
||||
CONFIG_ARM64_ERRATUM_826319=y
|
||||
|
||||
@ -364,6 +364,7 @@ CONFIG_ARM64_ERRATUM_2966298=y
|
||||
CONFIG_ARM64_ERRATUM_3117295=y
|
||||
CONFIG_ARM64_ERRATUM_3194386=y
|
||||
CONFIG_ARM64_ERRATUM_3312417=y
|
||||
CONFIG_ARM64_ERRATUM_4118414=y
|
||||
CONFIG_ARM64_ERRATUM_819472=y
|
||||
CONFIG_ARM64_ERRATUM_824069=y
|
||||
CONFIG_ARM64_ERRATUM_826319=y
|
||||
|
||||
@ -364,6 +364,7 @@ CONFIG_ARM64_ERRATUM_2966298=y
|
||||
CONFIG_ARM64_ERRATUM_3117295=y
|
||||
CONFIG_ARM64_ERRATUM_3194386=y
|
||||
CONFIG_ARM64_ERRATUM_3312417=y
|
||||
CONFIG_ARM64_ERRATUM_4118414=y
|
||||
CONFIG_ARM64_ERRATUM_819472=y
|
||||
CONFIG_ARM64_ERRATUM_824069=y
|
||||
CONFIG_ARM64_ERRATUM_826319=y
|
||||
|
||||
@ -364,6 +364,7 @@ CONFIG_ARM64_ERRATUM_2966298=y
|
||||
CONFIG_ARM64_ERRATUM_3117295=y
|
||||
CONFIG_ARM64_ERRATUM_3194386=y
|
||||
CONFIG_ARM64_ERRATUM_3312417=y
|
||||
CONFIG_ARM64_ERRATUM_4118414=y
|
||||
CONFIG_ARM64_ERRATUM_819472=y
|
||||
CONFIG_ARM64_ERRATUM_824069=y
|
||||
CONFIG_ARM64_ERRATUM_826319=y
|
||||
|
||||
66
kernel.spec
66
kernel.spec
@ -176,13 +176,13 @@ Summary: The Linux kernel
|
||||
%define specrpmversion 6.12.0
|
||||
%define specversion 6.12.0
|
||||
%define patchversion 6.12
|
||||
%define pkgrelease 211.29.1
|
||||
%define pkgrelease 211.30.1
|
||||
%define kversion 6
|
||||
%define tarfile_release 6.12.0-211.7.1.el10_2
|
||||
# This is needed to do merge window version magic
|
||||
%define patchlevel 12
|
||||
# This allows pkg_release to have configurable %%{?dist} tag
|
||||
%define specrelease 211.29.1%{?buildid}%{?dist}
|
||||
%define specrelease 211.30.1%{?buildid}%{?dist}
|
||||
# This defines the kabi tarball version
|
||||
%define kabiversion 6.12.0-211.7.1.el10_2
|
||||
|
||||
@ -1433,6 +1433,22 @@ Patch1395: 1395-crypto-tegra-don-t-touch-bo-refcount-in-host1x-bo-pin-unpin.patc
|
||||
Patch1396: 1396-crypto-tegra-fix-dma-free-coherent-size-error.patch
|
||||
Patch1397: 1397-crypto-tegra-return-enomem-when-input-buffer-allocation-fail.patch
|
||||
Patch1398: 1398-rdma-mlx5-fix-error-path-fall-through-in-mlx5-ib-dev-res-srq.patch
|
||||
Patch1399: 1399-rxrpc-fix-potential-uaf-after-skb-unshare-failure.patch
|
||||
Patch1400: 1400-rxrpc-fix-rxrpc-input-call-event-to-only-unshare-data-packet.patch
|
||||
Patch1401: 1401-drm-gem-fix-inconsistent-plane-dimension-calculation-in-drm.patch
|
||||
Patch1402: 1402-netfilter-nft-inner-fix-ipv6-inner-thoff-desync.patch
|
||||
Patch1403: 1403-asoc-sdca-fix-null-pointer-dereference-in-sdca-dev-unregiste.patch
|
||||
Patch1404: 1404-crypto-testmgr-allow-authenc-hmac-sha-256-384-cts-cbc-aes-in.patch
|
||||
Patch1405: 1405-crypto-krb5enc-fix-sleepable-flag-handling-in-encrypt-dispat.patch
|
||||
Patch1406: 1406-crypto-krb5enc-fix-async-decrypt-skipping-hash-verification.patch
|
||||
Patch1407: 1407-crypto-krb5-filter-out-async-aead-implementations-at-alloc.patch
|
||||
Patch1408: 1408-arm64-cputype-add-c1-pro-definitions.patch
|
||||
Patch1409: 1409-arm64-cputype-add-c1-premium-definitions.patch
|
||||
Patch1410: 1410-arm64-cputype-add-c1-ultra-definitions.patch
|
||||
Patch1411: 1411-arm64-errata-mitigate-tlbi-errata-on-various-arm-cpus.patch
|
||||
Patch1412: 1412-arm64-errata-mitigate-tlbi-errata-on-nvidia-olympus-cpu.patch
|
||||
Patch1413: 1413-arm64-errata-mitigate-tlbi-errata-on-microsoft-azure-cobalt.patch
|
||||
Patch1414: 1414-fs-smb-client-fix-out-of-bounds-read-in-cifs-sanitize-prepa.patch
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%description
|
||||
@ -2588,6 +2604,22 @@ ApplyPatch 1395-crypto-tegra-don-t-touch-bo-refcount-in-host1x-bo-pin-unpin.patc
|
||||
ApplyPatch 1396-crypto-tegra-fix-dma-free-coherent-size-error.patch
|
||||
ApplyPatch 1397-crypto-tegra-return-enomem-when-input-buffer-allocation-fail.patch
|
||||
ApplyPatch 1398-rdma-mlx5-fix-error-path-fall-through-in-mlx5-ib-dev-res-srq.patch
|
||||
ApplyPatch 1399-rxrpc-fix-potential-uaf-after-skb-unshare-failure.patch
|
||||
ApplyPatch 1400-rxrpc-fix-rxrpc-input-call-event-to-only-unshare-data-packet.patch
|
||||
ApplyPatch 1401-drm-gem-fix-inconsistent-plane-dimension-calculation-in-drm.patch
|
||||
ApplyPatch 1402-netfilter-nft-inner-fix-ipv6-inner-thoff-desync.patch
|
||||
ApplyPatch 1403-asoc-sdca-fix-null-pointer-dereference-in-sdca-dev-unregiste.patch
|
||||
ApplyPatch 1404-crypto-testmgr-allow-authenc-hmac-sha-256-384-cts-cbc-aes-in.patch
|
||||
ApplyPatch 1405-crypto-krb5enc-fix-sleepable-flag-handling-in-encrypt-dispat.patch
|
||||
ApplyPatch 1406-crypto-krb5enc-fix-async-decrypt-skipping-hash-verification.patch
|
||||
ApplyPatch 1407-crypto-krb5-filter-out-async-aead-implementations-at-alloc.patch
|
||||
ApplyPatch 1408-arm64-cputype-add-c1-pro-definitions.patch
|
||||
ApplyPatch 1409-arm64-cputype-add-c1-premium-definitions.patch
|
||||
ApplyPatch 1410-arm64-cputype-add-c1-ultra-definitions.patch
|
||||
ApplyPatch 1411-arm64-errata-mitigate-tlbi-errata-on-various-arm-cpus.patch
|
||||
ApplyPatch 1412-arm64-errata-mitigate-tlbi-errata-on-nvidia-olympus-cpu.patch
|
||||
ApplyPatch 1413-arm64-errata-mitigate-tlbi-errata-on-microsoft-azure-cobalt.patch
|
||||
ApplyPatch 1414-fs-smb-client-fix-out-of-bounds-read-in-cifs-sanitize-prepa.patch
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
# Any further pre-build tree manipulations happen here.
|
||||
@ -5092,6 +5124,36 @@ fi\
|
||||
#
|
||||
#
|
||||
%changelog
|
||||
* Fri Jul 03 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 6.12.0-211.30.1
|
||||
- Recreate RHEL 6.12.0-211.30.1 from CentOS Stream 10 and upstream stable backports (1399-1414)
|
||||
- RHEL 6.12.0-211.30.1 now also carries the vgic-its (CVE-2026-46316) and ipv4/ipv6
|
||||
fraggap fixes AlmaLinux shipped ahead; the AlmaLinux patches (1374, 1384-1385) are
|
||||
retained and RHEL's duplicate copies omitted
|
||||
- CONFIG_ARM64_ERRATUM_4118414 enabled for aarch64 (CVE-2025-10263)
|
||||
- RHEL changelog for 211.30.1 follows:
|
||||
|
||||
* Wed Jul 01 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-211.30.1.el10_2]
|
||||
- ipv6: account for fraggap on the paged allocation path (Sabrina Dubroca) [RHEL-191349]
|
||||
- ipv4: account for fraggap on the paged allocation path (Sabrina Dubroca) [RHEL-191349]
|
||||
- fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath (CKI Backport Bot) [RHEL-189491] {CVE-2026-43112}
|
||||
- Enable workaround for ARM64 ERRATUM 4118414 (Mark Salter) [RHEL-183592] {CVE-2025-10263}
|
||||
- arm64: errata: Mitigate TLBI errata on Microsoft Azure Cobalt 100 CPU (Mark Salter) [RHEL-183592] {CVE-2025-10263}
|
||||
- arm64: errata: Mitigate TLBI errata on NVIDIA Olympus CPU (Mark Salter) [RHEL-183592] {CVE-2025-10263}
|
||||
- arm64: errata: Mitigate TLBI errata on various Arm CPUs (Mark Salter) [RHEL-183592] {CVE-2025-10263}
|
||||
- arm64: cputype: Add C1-Ultra definitions (Mark Salter) [RHEL-183592] {CVE-2025-10263}
|
||||
- arm64: cputype: Add C1-Premium definitions (Mark Salter) [RHEL-183592] {CVE-2025-10263}
|
||||
- arm64: cputype: Add C1-Pro definitions (Mark Salter) [RHEL-183592] {CVE-2025-10263}
|
||||
- crypto: krb5 - filter out async aead implementations at alloc (CKI Backport Bot) [RHEL-182537]
|
||||
- crypto: krb5enc - fix async decrypt skipping hash verification (CKI Backport Bot) [RHEL-182537]
|
||||
- crypto: krb5enc - fix sleepable flag handling in encrypt dispatch (CKI Backport Bot) [RHEL-182537]
|
||||
- crypto: testmgr - allow authenc(hmac(sha{256,384}),cts(cbc(aes))) in FIPS mode (CKI Backport Bot) [RHEL-182537]
|
||||
- ASoC: SDCA: fix NULL pointer dereference in sdca_dev_unregister_functions (CKI Backport Bot) [RHEL-185110]
|
||||
- KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry (CKI Backport Bot) [RHEL-183965] {CVE-2026-46316}
|
||||
- netfilter: nft_inner: Fix IPv6 inner_thoff desync (CKI Backport Bot) [RHEL-181936] {CVE-2026-46244}
|
||||
- drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs() (CKI Backport Bot) [RHEL-179912] {CVE-2026-46209}
|
||||
- rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets (CKI Backport Bot) [RHEL-179566] {CVE-2026-45998}
|
||||
- rxrpc: Fix potential UAF after skb_unshare() failure (CKI Backport Bot) [RHEL-179566] {CVE-2026-45998}
|
||||
|
||||
* Wed Jul 01 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 6.12.0-211.29.1
|
||||
- Recreate RHEL 6.12.0-211.29.1 from CentOS Stream 10 and upstream stable backports (1386-1398)
|
||||
- Retain AlmaLinux ahead-of-RHEL fixes: CVE-2026-46316 (1374), ipv4/ipv6 fraggap (1384-1385)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user