diff --git a/1399-rxrpc-fix-potential-uaf-after-skb-unshare-failure.patch b/1399-rxrpc-fix-potential-uaf-after-skb-unshare-failure.patch
new file mode 100644
index 000000000..4ffad7e70
--- /dev/null
+++ b/1399-rxrpc-fix-potential-uaf-after-skb-unshare-failure.patch
@@ -0,0 +1,186 @@
+From b8d88f6d6f316bb8cea7643117c5f075875b12df Mon Sep 17 00:00:00 2001
+From: CKI Backport Bot
+Date: Wed, 27 May 2026 21:45:04 +0000
+Subject: [PATCH] rxrpc: Fix potential UAF after skb_unshare() failure
+
+JIRA: https://redhat.atlassian.net/browse/RHEL-179565
+CVE: CVE-2026-45998
+Backported from tree(s): linux
+
+commit 1f2740150f904bfa60e4bad74d65add3ccb5e7f8
+Author: David Howells
+Date: Wed Apr 22 17:14:32 2026 +0100
+
+ rxrpc: Fix potential UAF after skb_unshare() failure
+
+ If skb_unshare() fails to unshare a packet due to allocation failure in
+ rxrpc_input_packet(), the skb pointer in the parent (rxrpc_io_thread())
+ will be NULL'd out. This will likely cause the call to
+ trace_rxrpc_rx_done() to oops.
+
+ Fix this by moving the unsharing down to where rxrpc_input_call_event()
+ calls rxrpc_input_call_packet(). There are a number of places prior to
+ that where we ignore DATA packets for a variety of reasons (such as the
+ call already being complete) for which an unshare is then avoided.
+
+ And with that, rxrpc_input_packet() doesn't need to take a pointer to the
+ pointer to the packet, so change that to just a pointer.
+
+ Fixes: 2d1faf7a0ca3 ("rxrpc: Simplify skbuff accounting in receive path")
+ Closes: https://sashiko.dev/#/patchset/20260408121252.2249051-1-dhowells%40redhat.com
+ Signed-off-by: David Howells
+ cc: Marc Dionne
+ cc: Jeffrey Altman
+ cc: Simon Horman
+ cc: linux-afs@lists.infradead.org
+ cc: stable@kernel.org
+ Link: https://patch.msgid.link/20260422161438.2593376-4-dhowells@redhat.com
+ Signed-off-by: Jakub Kicinski
+
+Signed-off-by: CKI Backport Bot
+
+diff --git a/include/trace/events/rxrpc.h b/include/trace/events/rxrpc.h
+index de6f6d2..863956a 100644
+--- a/include/trace/events/rxrpc.h
++++ b/include/trace/events/rxrpc.h
+@@ -161,8 +161,6 @@
+ E_(rxrpc_call_poke_timer_now, "Timer-now")
+
+ #define rxrpc_skb_traces \
+- EM(rxrpc_skb_eaten_by_unshare, "ETN unshare ") \
+- EM(rxrpc_skb_eaten_by_unshare_nomem, "ETN unshar-nm") \
+ EM(rxrpc_skb_get_call_rx, "GET call-rx ") \
+ EM(rxrpc_skb_get_conn_secured, "GET conn-secd") \
+ EM(rxrpc_skb_get_conn_work, "GET conn-work") \
+@@ -188,6 +186,7 @@
+ EM(rxrpc_skb_put_purge, "PUT purge ") \
+ EM(rxrpc_skb_put_purge_oob, "PUT purge-oob") \
+ EM(rxrpc_skb_put_response, "PUT response ") \
++ EM(rxrpc_skb_put_response_copy, "PUT resp-cpy ") \
+ EM(rxrpc_skb_put_rotate, "PUT rotate ") \
+ EM(rxrpc_skb_put_unknown, "PUT unknown ") \
+ EM(rxrpc_skb_see_conn_work, "SEE conn-work") \
+@@ -196,6 +195,7 @@
+ EM(rxrpc_skb_see_recvmsg_oob, "SEE recvm-oob") \
+ EM(rxrpc_skb_see_reject, "SEE reject ") \
+ EM(rxrpc_skb_see_rotate, "SEE rotate ") \
++ EM(rxrpc_skb_see_unshare_nomem, "SEE unshar-nm") \
+ E_(rxrpc_skb_see_version, "SEE version ")
+
+ #define rxrpc_local_traces \
+diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h
+index 5b7342d..2baa99b 100644
+--- a/net/rxrpc/ar-internal.h
++++ b/net/rxrpc/ar-internal.h
+@@ -1479,7 +1479,6 @@ int rxrpc_server_keyring(struct rxrpc_sock *, sockptr_t, int);
+ void rxrpc_kernel_data_consumed(struct rxrpc_call *, struct sk_buff *);
+ void rxrpc_new_skb(struct sk_buff *, enum rxrpc_skb_trace);
+ void rxrpc_see_skb(struct sk_buff *, enum rxrpc_skb_trace);
+-void rxrpc_eaten_skb(struct sk_buff *, enum rxrpc_skb_trace);
+ void rxrpc_get_skb(struct sk_buff *, enum rxrpc_skb_trace);
+ void rxrpc_free_skb(struct sk_buff *, enum rxrpc_skb_trace);
+ void rxrpc_purge_queue(struct sk_buff_head *);
+diff --git a/net/rxrpc/call_event.c b/net/rxrpc/call_event.c
+index fec59d9..cc8f9df 100644
+--- a/net/rxrpc/call_event.c
++++ b/net/rxrpc/call_event.c
+@@ -332,7 +332,24 @@ bool rxrpc_input_call_event(struct rxrpc_call *call)
+
+ saw_ack |= sp->hdr.type == RXRPC_PACKET_TYPE_ACK;
+
+- rxrpc_input_call_packet(call, skb);
++ if (sp->hdr.securityIndex != 0 &&
++ skb_cloned(skb)) {
++ /* Unshare the packet so that it can be
++ * modified by in-place decryption.
++ */
++ struct sk_buff *nskb = skb_copy(skb, GFP_ATOMIC);
++
++ if (nskb) {
++ rxrpc_new_skb(nskb, rxrpc_skb_new_unshared);
++ rxrpc_input_call_packet(call, nskb);
++ rxrpc_free_skb(nskb, rxrpc_skb_put_call_rx);
++ } else {
++ /* OOM - Drop the packet. */
++ rxrpc_see_skb(skb, rxrpc_skb_see_unshare_nomem);
++ }
++ } else {
++ rxrpc_input_call_packet(call, skb);
++ }
+ rxrpc_free_skb(skb, rxrpc_skb_put_call_rx);
+ did_receive = true;
+ }
+diff --git a/net/rxrpc/io_thread.c b/net/rxrpc/io_thread.c
+index e939ecf..6ff30af 100644
+--- a/net/rxrpc/io_thread.c
++++ b/net/rxrpc/io_thread.c
+@@ -192,13 +192,12 @@ static bool rxrpc_extract_abort(struct sk_buff *skb)
+ /*
+ * Process packets received on the local endpoint
+ */
+-static bool rxrpc_input_packet(struct rxrpc_local *local, struct sk_buff **_skb)
++static bool rxrpc_input_packet(struct rxrpc_local *local, struct sk_buff *skb)
+ {
+ struct rxrpc_connection *conn;
+ struct sockaddr_rxrpc peer_srx;
+ struct rxrpc_skb_priv *sp;
+ struct rxrpc_peer *peer = NULL;
+- struct sk_buff *skb = *_skb;
+ bool ret = false;
+
+ skb_pull(skb, sizeof(struct udphdr));
+@@ -244,25 +243,6 @@ static bool rxrpc_input_packet(struct rxrpc_local *local, struct sk_buff **_skb)
+ return rxrpc_bad_message(skb, rxrpc_badmsg_zero_call);
+ if (sp->hdr.seq == 0)
+ return rxrpc_bad_message(skb, rxrpc_badmsg_zero_seq);
+-
+- /* Unshare the packet so that it can be modified for in-place
+- * decryption.
+- */
+- if (sp->hdr.securityIndex != 0) {
+- skb = skb_unshare(skb, GFP_ATOMIC);
+- if (!skb) {
+- rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare_nomem);
+- *_skb = NULL;
+- return just_discard;
+- }
+-
+- if (skb != *_skb) {
+- rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare);
+- *_skb = skb;
+- rxrpc_new_skb(skb, rxrpc_skb_new_unshared);
+- sp = rxrpc_skb(skb);
+- }
+- }
+ break;
+
+ case RXRPC_PACKET_TYPE_CHALLENGE:
+@@ -493,7 +473,7 @@ int rxrpc_io_thread(void *data)
+ switch (skb->mark) {
+ case RXRPC_SKB_MARK_PACKET:
+ skb->priority = 0;
+- if (!rxrpc_input_packet(local, &skb))
++ if (!rxrpc_input_packet(local, skb))
+ rxrpc_reject_packet(local, skb);
+ trace_rxrpc_rx_done(skb->mark, skb->priority);
+ rxrpc_free_skb(skb, rxrpc_skb_put_input);
+diff --git a/net/rxrpc/skbuff.c b/net/rxrpc/skbuff.c
+index 3bcd6ee..e2169d1 100644
+--- a/net/rxrpc/skbuff.c
++++ b/net/rxrpc/skbuff.c
+@@ -46,15 +46,6 @@ void rxrpc_get_skb(struct sk_buff *skb, enum rxrpc_skb_trace why)
+ skb_get(skb);
+ }
+
+-/*
+- * Note the dropping of a ref on a socket buffer by the core.
+- */
+-void rxrpc_eaten_skb(struct sk_buff *skb, enum rxrpc_skb_trace why)
+-{
+- int n = atomic_inc_return(&rxrpc_n_rx_skbs);
+- trace_rxrpc_skb(skb, 0, n, why);
+-}
+-
+ /*
+ * Note the destruction of a socket buffer.
+ */
diff --git a/1400-rxrpc-fix-rxrpc-input-call-event-to-only-unshare-data-packet.patch b/1400-rxrpc-fix-rxrpc-input-call-event-to-only-unshare-data-packet.patch
new file mode 100644
index 000000000..ce2a0b342
--- /dev/null
+++ b/1400-rxrpc-fix-rxrpc-input-call-event-to-only-unshare-data-packet.patch
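Review bot: In the block added to rxrpc_input_call_event() (net/rxrpc/call_event.c in patch 1399), the allocation-failure branch records only `rxrpc_see_skb(skb, rxrpc_skb_see_unshare_nomem)` and then falls through to `did_receive = true;`, so a packet that was never handed to rxrpc_input_call_packet() still counts as received for whatever follows the loop. That code is outside the hunk, so the effect is unconfirmed; if it is intended, the comment should say so, e.g. `/* OOM - Drop the packet unprocessed; presumably the peer resends it. */`. Separately, the trace header gains `rxrpc_skb_put_response_copy`, which none of the visible hunks reference, so it is worth confirming that the backport target actually has a user for it.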
@@ -0,0 +1,49 @@
+From 3598448f9c9742ef3e28f20e8050dacc046c9941 Mon Sep 17 00:00:00 2001
+From: CKI Backport Bot
+Date: Wed, 27 May 2026 21:45:06 +0000
+Subject: [PATCH] rxrpc: Fix rxrpc_input_call_event() to only unshare DATA
+ packets
+
+JIRA: https://redhat.atlassian.net/browse/RHEL-179565
+CVE: CVE-2026-45998
+Backported from tree(s): linux
+
+commit 55b2984c96c37f909bbfe8851f13152693951382
+Author: David Howells
+Date: Thu Apr 23 21:09:06 2026 +0100
+
+ rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets
+
+ Fix rxrpc_input_call_event() to only unshare DATA packets and not ACK,
+ ABORT, etc..
+
+ And with that, rxrpc_input_packet() doesn't need to take a pointer to the
+ pointer to the packet, so change that to just a pointer.
+
+ Fixes: 1f2740150f90 ("rxrpc: Fix potential UAF after skb_unshare() failure")
+ Closes: https://sashiko.dev/#/patchset/20260422161438.2593376-4-dhowells@redhat.com
+ Signed-off-by: David Howells
+ cc: Marc Dionne
+ cc: Jeffrey Altman
+ cc: Simon Horman
+ cc: linux-afs@lists.infradead.org
+ cc: stable@kernel.org
+ Link: https://patch.msgid.link/20260423200909.3049438-2-dhowells@redhat.com
+ Signed-off-by: Jakub Kicinski
+
+Signed-off-by: CKI Backport Bot
+
+diff --git a/net/rxrpc/call_event.c b/net/rxrpc/call_event.c
+index cc8f9df..fdd6832 100644
+--- a/net/rxrpc/call_event.c
++++ b/net/rxrpc/call_event.c
+@@ -332,7 +332,8 @@ bool rxrpc_input_call_event(struct rxrpc_call *call)
+
+ saw_ack |= sp->hdr.type == RXRPC_PACKET_TYPE_ACK;
+
+- if (sp->hdr.securityIndex != 0 &&
++ if (sp->hdr.type == RXRPC_PACKET_TYPE_DATA &&
++ sp->hdr.securityIndex != 0 &&
+ skb_cloned(skb)) {
+ /* Unshare the packet so that it can be
+ * modified by in-place decryption.
diff --git a/1401-drm-gem-fix-inconsistent-plane-dimension-calculation-in-drm.patch b/1401-drm-gem-fix-inconsistent-plane-dimension-calculation-in-drm.patch
new file mode 100644
index 000000000..daf23ae64
--- /dev/null
+++ b/1401-drm-gem-fix-inconsistent-plane-dimension-calculation-in-drm.patch
@@ -0,0 +1,63 @@
+From 97b8798760568e666030571c7fff4b2d93ce1f7b Mon Sep 17 00:00:00 2001
+From: CKI Backport Bot
+Date: Thu, 28 May 2026 13:34:21 +0000
+Subject: [PATCH] drm/gem: Fix inconsistent plane dimension calculation in
+ drm_gem_fb_init_with_funcs()
+
+JIRA: https://redhat.atlassian.net/browse/RHEL-179911
+CVE: CVE-2026-46209
+Backported from tree(s): linux
+
+commit 3d4c2268bd7243c3780fe32bf24ff876da272acf
+Author: Ashutosh Desai
+Date: Mon Apr 20 01:36:37 2026 +0000
+
+ drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()
+
+ drm_gem_fb_init_with_funcs() computes sub-sampled plane dimensions
+ using plain integer division:
+
+ unsigned int width = mode_cmd->width / (i ? info->hsub : 1);
+ unsigned int height = mode_cmd->height / (i ? info->vsub : 1);
+
+ However, the ioctl-level framebuffer_check() in drm_framebuffer.c uses
+ drm_format_info_plane_width/height() which round up dimensions via
+ DIV_ROUND_UP(). This inconsistency corrupts the subsequent GEM object
+ size check for certain pixel format and dimension combinations.
+
+ For example, with NV12 (vsub=2) and a 1-pixel-tall framebuffer the
+ GEM size validation path sees height=0 instead of height=1. The
+ expression (height - 1) then wraps to UINT_MAX as an unsigned int,
+ causing min_size to overflow and wrap back to a small value. A tiny
+ GEM object therefore passes the size guard, yet when the GPU accesses
+ the chroma plane it will read or write memory beyond the object's
+ bounds.
+
+ Fix by replacing the open-coded divisions with drm_format_info_plane_width()
+ and drm_format_info_plane_height(), which use DIV_ROUND_UP() and match
+ the calculation already used in framebuffer_check().
+
+ Fixes: 4c3dbb2c312c ("drm: Add GEM backed framebuffer library")
+ Cc: stable@vger.kernel.org # v4.14+
+ Reviewed-by: Thomas Zimmermann
+ Signed-off-by: Ashutosh Desai
+ Signed-off-by: Thomas Zimmermann
+ Link: https://patch.msgid.link/20260420013637.457751-1-ashutoshdesai993@gmail.com
+
+Signed-off-by: CKI Backport Bot
+
+diff --git a/drivers/gpu/drm/drm_gem_framebuffer_helper.c b/drivers/gpu/drm/drm_gem_framebuffer_helper.c
+index 4bc89d3..daa5471 100644
+--- a/drivers/gpu/drm/drm_gem_framebuffer_helper.c
++++ b/drivers/gpu/drm/drm_gem_framebuffer_helper.c
+@@ -171,8 +171,8 @@ int drm_gem_fb_init_with_funcs(struct drm_device *dev,
+ }
+
+ for (i = 0; i < info->num_planes; i++) {
+- unsigned int width = mode_cmd->width / (i ? info->hsub : 1);
+- unsigned int height = mode_cmd->height / (i ? info->vsub : 1);
++ unsigned int width = drm_format_info_plane_width(info, mode_cmd->width, i);
++ unsigned int height = drm_format_info_plane_height(info, mode_cmd->height, i);
+ unsigned int min_size;
+
+ objs[i] = drm_gem_object_lookup(file, mode_cmd->handles[i]);
diff --git a/1402-netfilter-nft-inner-fix-ipv6-inner-thoff-desync.patch b/1402-netfilter-nft-inner-fix-ipv6-inner-thoff-desync.patch
new file mode 100644
index 000000000..fe79bfebb
--- /dev/null
+++ b/1402-netfilter-nft-inner-fix-ipv6-inner-thoff-desync.patch
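Review bot: The two changed lines in drm_gem_fb_init_with_funcs() remove the rounded-down-to-zero case, but the `(height - 1)` term that the commit message describes in the min_size computation would still wrap if a zero `mode_cmd->height` ever reached this loop. Both that computation and any earlier rejection of zero dimensions lie outside the hunk, so this helper appears to depend on framebuffer_check() having run first. Consider rejecting `!width || !height` through the function's existing error path right after the two assignments, or at least a comment such as `/* width/height are non-zero: rounded up, and zero sizes are rejected before this point */` once that has been confirmed.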
@@ -0,0 +1,58 @@
+From f13fa4268ca4f296019b22954e6153e50f87350f Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Wed, 20 May 2026 11:48:57 +0200
+Subject: [PATCH] netfilter: nft_inner: Fix IPv6 inner_thoff desync
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+JIRA: https://redhat.atlassian.net/browse/RHEL-168848
+Upstream Status: commit b6a91f68ebfe
+
+commit b6a91f68ebfed9c38e0e9150f58a9b85da07181c
+Author: Yizhou Zhao
+Date: Tue May 12 01:30:41 2026 +0800
+
+ netfilter: nft_inner: Fix IPv6 inner_thoff desync
+
+ In nft_inner_parse_l2l3(), when processing inner IPv6 packets,
+ ipv6_find_hdr() correctly computes the transport header offset
+ traversing all extension headers, but the result is immediately
+ overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only
+ accounts for the IPv6 base header. This creates a desync between
+ inner_thoff (wrong — points to extension header start) and l4proto
+ (correct — e.g., IPPROTO_TCP), enabling transport header forgery
+ and potential firewall bypass. This issue affects stable versions
+ from Linux 6.2.
+
+ For comparison, the normal (non-inner) IPv6 path correctly
+ preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite
+ ensures that ipv6_find_hdr()'s calculated transport header offset is
+ preserved, thereby fixing the desynchronization.
+
+ Fixes: 3a07327d10a0 ("netfilter: nft_inner: support for inner tunnel header matching")
+ Cc: stable@vger.kernel.org
+ Reported-by: Yizhou Zhao
+ Reported-by: Yuxiang Yang
+ Reported-by: Xuewei Feng
+ Reported-by: Qi Li
+ Reported-by: Ke Xu
+ Assisted-by: GLM:5.1 Z.ai
+ Signed-off-by: Yizhou Zhao
+ Reviewed-by: Fernando Fernandez Mancera
+ Signed-off-by: Pablo Neira Ayuso
+
+Signed-off-by: Florian Westphal
+
+diff --git a/net/netfilter/nft_inner.c b/net/netfilter/nft_inner.c
+index c4569d4..1b3e7a9 100644
+--- a/net/netfilter/nft_inner.c
++++ b/net/netfilter/nft_inner.c
+@@ -163,7 +163,6 @@ static int nft_inner_parse_l2l3(const struct nft_inner *priv,
+ return -1;
+
+ if (fragoff == 0) {
+- thoff = nhoff + sizeof(_ip6h);
+ ctx->flags |= NFT_PAYLOAD_CTX_INNER_TH;
+ ctx->inner_thoff = thoff;
+ ctx->l4proto = l4proto;
diff --git a/1403-asoc-sdca-fix-null-pointer-dereference-in-sdca-dev-unregiste.patch b/1403-asoc-sdca-fix-null-pointer-dereference-in-sdca-dev-unregiste.patch
new file mode 100644
index 000000000..4d85019a5
--- /dev/null
+++ b/1403-asoc-sdca-fix-null-pointer-dereference-in-sdca-dev-unregiste.patch
@@ -0,0 +1,110 @@
+From 9a4895059bb6a8505098a9f75de187fd15631fc8 Mon Sep 17 00:00:00 2001
+From: Kean Ren
+Date: Thu, 11 Jun 2026 10:37:57 +0800
+Subject: [PATCH] ASoC: SDCA: fix NULL pointer dereference in
+ sdca_dev_unregister_functions
+
+[ Upstream commit e4c60a1d4b6ccc66aefb3789cd908d4f9482eefd ]
+
+sdca_dev_unregister_functions() iterates over all SDCA function
+descriptors and calls sdca_dev_unregister() on each func_dev without
+checking for NULL. When a function registration has failed partway
+through, or the device cleanup races with probe deferral, func_dev
+entries may be NULL, leading to a kernel oops:
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000040
+ RIP: 0010:device_del+0x1e/0x3e0
+ Call Trace:
+ sdca_dev_unregister_functions+0x37/0x60 [snd_soc_sdca]
+ release_nodes+0x35/0xb0
+ devres_release_all+0x90/0x100
+ device_unbind_cleanup+0xe/0x80
+ device_release_driver_internal+0x1c1/0x200
+ bus_remove_device+0xc6/0x130
+ device_del+0x161/0x3e0
+ device_unregister+0x17/0x60
+ sdw_delete_slave+0xb6/0xd0 [soundwire_bus]
+ sdw_bus_master_delete+0x1e/0x50 [soundwire_bus]
+ ...
+ sof_probe_work+0x19/0x30 [snd_sof]
+
+This was observed on a Lenovo ThinkPad X1 Carbon G14 (Panther Lake)
+with the SOF audio driver probe failing due to missing Panther Lake
+firmware, causing the subsequent cleanup of SoundWire devices to
+trigger the crash.
+
+Fix this with three changes:
+
+1) Add a NULL guard in sdca_dev_unregister() so that callers do not
+ need to pre-validate the pointer (defense in depth).
+
+2) In sdca_dev_unregister_functions(), skip NULL func_dev entries
+ and clear func_dev to NULL after unregistration, making the
+ function idempotent and safe against double-invocation.
+
+3) In sdca_dev_register_functions(), roll back all previously
+ registered functions when a later one fails, so the function
+ array is never left in a partially-populated state.
+
+Fixes: 4496d1c65bad ("ASoC: SDCA: add function devices")
+Signed-off-by: Kean Ren
+Reviewed-by: Charles Keepax
+Link: https://patch.msgid.link/20260611023757.1553960-1-rh_king@163.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+
+diff --git a/sound/soc/sdca/sdca_function_device.c b/sound/soc/sdca/sdca_function_device.c
+index c6cc880..b206158 100644
+--- a/sound/soc/sdca/sdca_function_device.c
++++ b/sound/soc/sdca/sdca_function_device.c
+@@ -82,6 +82,9 @@ static struct sdca_dev *sdca_dev_register(struct device *parent,
+
+ static void sdca_dev_unregister(struct sdca_dev *sdev)
+ {
++ if (!sdev)
++ return;
++
+ auxiliary_device_delete(&sdev->auxdev);
+ auxiliary_device_uninit(&sdev->auxdev);
+ }
+@@ -90,14 +93,24 @@ int sdca_dev_register_functions(struct sdw_slave *slave)
+ {
+ struct sdca_device_data *sdca_data = &slave->sdca_data;
+ int i;
++ int ret;
+
+ for (i = 0; i < sdca_data->num_functions; i++) {
+ struct sdca_dev *func_dev;
+
+ func_dev = sdca_dev_register(&slave->dev,
+ &sdca_data->function[i]);
+- if (IS_ERR(func_dev))
+- return PTR_ERR(func_dev);
++ if (IS_ERR(func_dev)) {
++ ret = PTR_ERR(func_dev);
++ /*
++ * Unregister functions that were successfully
++ * registered before this failure. This also
++ * sets func_dev to NULL so the caller will not
++ * try to unregister them again.
++ */
++ sdca_dev_unregister_functions(slave);
++ return ret;
++ }
+
+ sdca_data->function[i].func_dev = func_dev;
+ }
+@@ -111,7 +124,12 @@ void sdca_dev_unregister_functions(struct sdw_slave *slave)
+ struct sdca_device_data *sdca_data = &slave->sdca_data;
+ int i;
+
+- for (i = 0; i < sdca_data->num_functions; i++)
++ for (i = 0; i < sdca_data->num_functions; i++) {
++ if (!sdca_data->function[i].func_dev)
++ continue;
++
+ sdca_dev_unregister(sdca_data->function[i].func_dev);
++ sdca_data->function[i].func_dev = NULL;
++ }
+ }
+ EXPORT_SYMBOL_NS(sdca_dev_unregister_functions, "SND_SOC_SDCA");
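Review bot: The rollback added to sdca_dev_register_functions() calls `sdca_dev_unregister_functions(slave)`, which walks all `num_functions` entries, so it is only safe if every `func_dev` slot that was never registered is already NULL. The hunks do not show how the function array is initialised; unwinding only what this call populated removes that dependency: `while (i--) { sdca_dev_unregister(sdca_data->function[i].func_dev); sdca_data->function[i].func_dev = NULL; }`. The check-then-clear in sdca_dev_unregister_functions() is also not serialised by anything visible here, so it makes a repeated call harmless but would not by itself close the cleanup versus probe-deferral race the commit message mentions.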
diff --git a/1404-crypto-testmgr-allow-authenc-hmac-sha-256-384-cts-cbc-aes-in.patch b/1404-crypto-testmgr-allow-authenc-hmac-sha-256-384-cts-cbc-aes-in.patch
new file mode 100644
index 000000000..d68ffb3a9
--- /dev/null
+++ b/1404-crypto-testmgr-allow-authenc-hmac-sha-256-384-cts-cbc-aes-in.patch
@@ -0,0 +1,42 @@
+From 48c0f60921a07b8020b0c90fc8082673e0e9cb59 Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov
+Date: Thu, 4 Jun 2026 13:06:53 +0200
+Subject: [PATCH] crypto: testmgr - allow
+ authenc(hmac(sha{256,384}),cts(cbc(aes))) in FIPS mode
+
+JIRA: https://redhat.atlassian.net/browse/RHEL-182119
+Upstream Status: Posted https://lore.kernel.org/linux-crypto/20260603155008.736872-1-idryomov@gmail.com/
+
+hmac(sha256), hmac(sha384) and cts(cbc(aes)) algorithms have been
+marked as FIPS allowed for years. Mark the respective authenc()
+constructions per RFC 8009 ("AES Encryption with HMAC-SHA2 for
+Kerberos 5") as such as well.
+
+SP 800-57 Part 3 Rev. 1 from Jan 2015 [1] links the draft of what
+became RFC 8009 in Oct 2016 as approved in section 6.3 Procurement
+Guidance (item/recommendation 3).
+
+[1] https://csrc.nist.gov/pubs/sp/800/57/pt3/r1/final
+
+Signed-off-by: Ilya Dryomov
+
+diff --git a/crypto/testmgr.c b/crypto/testmgr.c
+index 8330187..de1c9bc 100644
+--- a/crypto/testmgr.c
++++ b/crypto/testmgr.c
+@@ -4451,6 +4451,7 @@ static const struct alg_test_desc alg_test_descs[] = {
+ }, {
+ .alg = "authenc(hmac(sha256),cts(cbc(aes)))",
+ .test = alg_test_aead,
++ .fips_allowed = 1,
+ .suite = {
+ .aead = __VECS(krb5_test_aes128_cts_hmac_sha256_128)
+ }
+@@ -4477,6 +4478,7 @@ static const struct alg_test_desc alg_test_descs[] = {
+ }, {
+ .alg = "authenc(hmac(sha384),cts(cbc(aes)))",
+ .test = alg_test_aead,
++ .fips_allowed = 1,
+ .suite = {
+ .aead = __VECS(krb5_test_aes256_cts_hmac_sha384_192)
+ }
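Review bot: Both `.fips_allowed = 1` additions in alg_test_descs[] change which AEAD constructions are accepted in FIPS mode, yet the justification lives only in the patch description, and the header records the upstream status as posted rather than merged. A short comment above each entry would keep the rationale with the policy bit, e.g. `/* RFC 8009 Kerberos 5 enctype; see SP 800-57 Part 3 Rev. 1, section 6.3 */`. Because this is a downstream-only policy change for now, it should be re-checked against whatever form the upstream patch finally takes.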
diff --git a/1405-crypto-krb5enc-fix-sleepable-flag-handling-in-encrypt-dispat.patch b/1405-crypto-krb5enc-fix-sleepable-flag-handling-in-encrypt-dispat.patch
new file mode 100644
index 000000000..b8ca12aba
--- /dev/null
+++ b/1405-crypto-krb5enc-fix-sleepable-flag-handling-in-encrypt-dispat.patch
@@ -0,0 +1,57 @@
+From d681e9e0ec7d613a8af38985083b59595930c5fb Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov
+Date: Thu, 4 Jun 2026 13:24:21 +0200
+Subject: [PATCH] crypto: krb5enc - fix sleepable flag handling in encrypt
+ dispatch
+
+JIRA: https://redhat.atlassian.net/browse/RHEL-182119
+
+commit 2ef3bac16fb5e9eee4fb1d722578a79b751ea58a
+Author: Wesley Atwell
+Date: Mon Mar 9 00:26:24 2026 -0600
+
+ crypto: krb5enc - fix sleepable flag handling in encrypt dispatch
+
+ krb5enc_encrypt_ahash_done() continues encryption from an ahash
+ completion callback by calling krb5enc_dispatch_encrypt().
+
+ That helper takes a flags argument for this continuation path, but it
+ ignored that argument and reused aead_request_flags(req) when setting
+ up the skcipher subrequest callback. This can incorrectly preserve
+ CRYPTO_TFM_REQ_MAY_SLEEP when the encrypt step is started from callback
+ context.
+
+ Preserve the original request flags but clear
+ CRYPTO_TFM_REQ_MAY_SLEEP for the callback continuation path, and use
+ the caller-supplied flags when setting up the skcipher subrequest.
+
+ Fixes: d1775a177f7f ("crypto: Add 'krb5enc' hash and cipher AEAD algorithm")
+ Assisted-by: Codex:GPT-5
+ Signed-off-by: Wesley Atwell
+ Signed-off-by: Herbert Xu
+
+Signed-off-by: Ilya Dryomov
+
+diff --git a/crypto/krb5enc.c b/crypto/krb5enc.c
+index d07769b..5bd5f42 100644
+--- a/crypto/krb5enc.c
++++ b/crypto/krb5enc.c
+@@ -154,7 +154,7 @@ static int krb5enc_dispatch_encrypt(struct aead_request *req,
+ dst = scatterwalk_ffwd(areq_ctx->dst, req->dst, req->assoclen);
+
+ skcipher_request_set_tfm(skreq, enc);
+- skcipher_request_set_callback(skreq, aead_request_flags(req),
++ skcipher_request_set_callback(skreq, flags,
+ krb5enc_encrypt_done, req);
+ skcipher_request_set_crypt(skreq, src, dst, req->cryptlen, req->iv);
+
+@@ -192,7 +192,8 @@ static void krb5enc_encrypt_ahash_done(void *data, int err)
+
+ krb5enc_insert_checksum(req, ahreq->result);
+
+- err = krb5enc_dispatch_encrypt(req, 0);
++ err = krb5enc_dispatch_encrypt(req,
++ aead_request_flags(req) & ~CRYPTO_TFM_REQ_MAY_SLEEP);
+ if (err != -EINPROGRESS)
+ aead_request_complete(req, err);
+ }
diff --git a/1406-crypto-krb5enc-fix-async-decrypt-skipping-hash-verification.patch b/1406-crypto-krb5enc-fix-async-decrypt-skipping-hash-verification.patch
new file mode 100644
index 000000000..ff6f4cf17
--- /dev/null
+++ b/1406-crypto-krb5enc-fix-async-decrypt-skipping-hash-verification.patch
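Review bot: With `skcipher_request_set_callback(skreq, flags, ...)` in krb5enc_dispatch_encrypt() (patch 1405), every caller becomes responsible for the subrequest's flag set, and only the completion-callback caller is visible in this patch. The synchronous caller lies outside both hunks; confirm it passes `aead_request_flags(req)` rather than a constant, otherwise the first dispatch would lose the flags the original request carried. A comment on the parameter would make the contract explicit, e.g. `/* flags: request flags for the skcipher subrequest; must not include CRYPTO_TFM_REQ_MAY_SLEEP when called from a completion callback */`.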
@@ -0,0 +1,164 @@
+From 55ecb8636f05d99e611b025ec58ad54350df0640 Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov
+Date: Thu, 4 Jun 2026 13:24:35 +0200
+Subject: [PATCH] crypto: krb5enc - fix async decrypt skipping hash
+ verification
+
+JIRA: https://redhat.atlassian.net/browse/RHEL-182119
+
+commit 3bfbf5f0a99c991769ec562721285df7ab69240b
+Author: Dudu Lu
+Date: Mon Apr 20 12:40:27 2026 +0800
+
+ crypto: krb5enc - fix async decrypt skipping hash verification
+
+ krb5enc_dispatch_decrypt() sets req->base.complete as the skcipher
+ callback, which is the caller's own completion handler. When the
+ skcipher completes asynchronously, this signals "done" to the caller
+ without executing krb5enc_dispatch_decrypt_hash(), completely bypassing
+ the integrity verification (hash check).
+
+ Compare with the encrypt path which correctly uses
+ krb5enc_encrypt_done as an intermediate callback to chain into the
+ hash computation on async completion.
+
+ Fix by adding krb5enc_decrypt_done as an intermediate callback that
+ chains into krb5enc_dispatch_decrypt_hash() upon async skcipher
+ completion, matching the encrypt path's callback pattern.
+
+ Also fix EBUSY/EINPROGRESS handling throughout: remove
+ krb5enc_request_complete() which incorrectly swallowed EINPROGRESS
+ notifications that must be passed up to callers waiting on backlogged
+ requests, and add missing EBUSY checks in krb5enc_encrypt_ahash_done
+ for the dispatch_encrypt return value.
+
+ Fixes: d1775a177f7f ("crypto: Add 'krb5enc' hash and cipher AEAD algorithm")
+ Signed-off-by: Dudu Lu
+
+ Unset MAY_BACKLOG on the async completion path so the user won't
+ see back-to-back EINPROGRESS notifications.
+
+ Signed-off-by: Herbert Xu
+
+Signed-off-by: Ilya Dryomov
+
+diff --git a/crypto/krb5enc.c b/crypto/krb5enc.c
+index 5bd5f42..3fecc14 100644
+--- a/crypto/krb5enc.c
++++ b/crypto/krb5enc.c
+@@ -39,12 +39,6 @@ struct krb5enc_request_ctx {
+ char tail[];
+ };
+
+-static void krb5enc_request_complete(struct aead_request *req, int err)
+-{
+- if (err != -EINPROGRESS)
+- aead_request_complete(req, err);
+-}
+-
+ /**
+ * crypto_krb5enc_extractkeys - Extract Ke and Ki keys from the key blob.
+ * @keys: Where to put the key sizes and pointers
+@@ -127,7 +121,7 @@ static void krb5enc_encrypt_done(void *data, int err)
+ {
+ struct aead_request *req = data;
+
+- krb5enc_request_complete(req, err);
++ aead_request_complete(req, err);
+ }
+
+ /*
+@@ -188,14 +182,16 @@ static void krb5enc_encrypt_ahash_done(void *data, int err)
+ struct ahash_request *ahreq = (void *)(areq_ctx->tail + ictx->reqoff);
+
+ if (err)
+- return krb5enc_request_complete(req, err);
++ goto out;
+
+ krb5enc_insert_checksum(req, ahreq->result);
+
+- err = krb5enc_dispatch_encrypt(req,
+- aead_request_flags(req) & ~CRYPTO_TFM_REQ_MAY_SLEEP);
+- if (err != -EINPROGRESS)
+- aead_request_complete(req, err);
++ err = krb5enc_dispatch_encrypt(req, 0);
++ if (err == -EINPROGRESS)
++ return;
++
++out:
++ aead_request_complete(req, err);
+ }
+
+ /*
+@@ -265,17 +261,16 @@ static void krb5enc_decrypt_hash_done(void *data, int err)
+ {
+ struct aead_request *req = data;
+
+- if (err)
+- return krb5enc_request_complete(req, err);
+-
+- err = krb5enc_verify_hash(req);
+- krb5enc_request_complete(req, err);
++ if (!err)
++ err = krb5enc_verify_hash(req);
++ aead_request_complete(req, err);
+ }
+
+ /*
+ * Dispatch the hashing of the plaintext after we've done the decryption.
+ */
+-static int krb5enc_dispatch_decrypt_hash(struct aead_request *req)
++static int krb5enc_dispatch_decrypt_hash(struct aead_request *req,
++ unsigned int flags)
+ {
+ struct crypto_aead *krb5enc = crypto_aead_reqtfm(req);
+ struct aead_instance *inst = aead_alg_instance(krb5enc);
+@@ -291,7 +286,7 @@ static int krb5enc_dispatch_decrypt_hash(struct aead_request *req)
+ ahash_request_set_tfm(ahreq, auth);
+ ahash_request_set_crypt(ahreq, req->dst, hash,
+ req->assoclen + req->cryptlen - authsize);
+- ahash_request_set_callback(ahreq, aead_request_flags(req),
++ ahash_request_set_callback(ahreq, flags,
+ krb5enc_decrypt_hash_done, req);
+
+ err = crypto_ahash_digest(ahreq);
+@@ -301,6 +296,21 @@ static int krb5enc_dispatch_decrypt_hash(struct aead_request *req)
+ return krb5enc_verify_hash(req);
+ }
+
++static void krb5enc_decrypt_done(void *data, int err)
++{
++ struct aead_request *req = data;
++
++ if (err)
++ goto out;
++
++ err = krb5enc_dispatch_decrypt_hash(req, 0);
++ if (err == -EINPROGRESS)
++ return;
++
++out:
++ aead_request_complete(req, err);
++}
++
+ /*
+ * Dispatch the decryption of the ciphertext.
+ */
+@@ -324,7 +334,7 @@ static int krb5enc_dispatch_decrypt(struct aead_request *req)
+
+ skcipher_request_set_tfm(skreq, ctx->enc);
+ skcipher_request_set_callback(skreq, aead_request_flags(req),
+- req->base.complete, req->base.data);
++ krb5enc_decrypt_done, req);
+ skcipher_request_set_crypt(skreq, src, dst,
+ req->cryptlen - authsize, req->iv);
+
+@@ -339,7 +349,7 @@ static int krb5enc_decrypt(struct aead_request *req)
+ if (err < 0)
+ return err;
+
+- return krb5enc_dispatch_decrypt_hash(req);
++ return krb5enc_dispatch_decrypt_hash(req, aead_request_flags(req));
+ }
+
+ static int krb5enc_init_tfm(struct crypto_aead *tfm)
diff --git a/1407-crypto-krb5-filter-out-async-aead-implementations-at-alloc.patch b/1407-crypto-krb5-filter-out-async-aead-implementations-at-alloc.patch
new file mode 100644
index 000000000..f941935ce
--- /dev/null
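Review bot: krb5enc_decrypt_done() and the reworked krb5enc_encrypt_ahash_done() in patch 1406 complete the request on every return other than `-EINPROGRESS`, which is only correct because both pass `flags == 0` to the dispatch helper. If a later change passes flags that include CRYPTO_TFM_REQ_MAY_BACKLOG, `-EBUSY` would mean the subrequest was queued, and completing `req` at `out:` would hand it back to the caller while the backend still holds it. Record the invariant next to both calls, e.g. `/* flags == 0: no MAY_BACKLOG, so any return other than -EINPROGRESS is final */`. Since this callback is what keeps the checksum verification on the asynchronous decrypt path, a self-test that drives an asynchronous skcipher through krb5enc decryption with a corrupted checksum would guard against a regression.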
+++ b/1407-crypto-krb5-filter-out-async-aead-implementations-at-alloc.patch
@@ -0,0 +1,59 @@
+From 91e2b13c3f9a470daee57990a7022cee6d8389d8 Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov
+Date: Thu, 4 Jun 2026 13:24:44 +0200
+Subject: [PATCH] crypto: krb5 - filter out async aead implementations at alloc
+
+JIRA: https://redhat.atlassian.net/browse/RHEL-182119
+Upstream Status: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
+
+commit 6c9dddeb582fde005360f4fe02c760d45ca05fb5
+Author: Michael Bommarito
+Date: Sun May 10 19:24:55 2026 -0400
+
+ crypto: krb5 - filter out async aead implementations at alloc
+
+ krb5_aead_encrypt(), krb5_aead_decrypt() in rfc3961_simplified.c and
+ rfc8009_encrypt(), rfc8009_decrypt() in rfc8009_aes2.c set a NULL
+ completion callback and treat any negative return from
+ crypto_aead_{encrypt,decrypt}() as terminal, falling through to
+ kfree_sensitive(buffer). When the encrypt_name resolves to an
+ async AEAD instance the request returns -EINPROGRESS, the buffer
+ is freed while the backend's worker still holds a pointer, and the
+ worker dereferences the freed slab on completion.
+
+ KASAN report under UML+SLUB with a synthetic async aead backend
+ bound to krb5->encrypt_name:
+
+ BUG: KASAN: slab-use-after-free in t5_stub_complete+0x7d/0xc7
+
+ The helpers were written synchronously, so filter the async
+ instances out at allocation time instead of plumbing
+ crypto_wait_req() through every call site.
+
+ Reachable via net/rxrpc/rxgk.c, fs/afs/cm_security.c and
+ net/ceph/crypto.c on systems with an async AEAD provider bound to
+ the krb5 enctype name.
+
+ Fixes: 00244da40f78 ("crypto/krb5: Implement the Kerberos5 rfc3961 encrypt and decrypt functions")
+ Fixes: 6c3c0e86c2ac ("crypto/krb5: Implement the AES enctypes from rfc8009")
+ Cc: stable@vger.kernel.org
+ Suggested-by: Herbert Xu
+ Assisted-by: Claude:claude-opus-4-7
+ Signed-off-by: Michael Bommarito
+ Signed-off-by: Herbert Xu
+
+Signed-off-by: Ilya Dryomov
+
+diff --git a/crypto/krb5/krb5_api.c b/crypto/krb5/krb5_api.c
+index 23026d4..2b20284 100644
+--- a/crypto/krb5/krb5_api.c
++++ b/crypto/krb5/krb5_api.c
+@@ -165,7 +165,7 @@ struct crypto_aead *krb5_prepare_encryption(const struct krb5_enctype *krb5,
+ struct crypto_aead *ci = NULL;
+ int ret = -ENOMEM;
+
+- ci = crypto_alloc_aead(krb5->encrypt_name, 0, 0);
++ ci = crypto_alloc_aead(krb5->encrypt_name, 0, CRYPTO_ALG_ASYNC);
+ if (IS_ERR(ci)) {
+ ret = PTR_ERR(ci);
+ if (ret == -ENOENT)
diff --git a/1408-arm64-cputype-add-c1-pro-definitions.patch b/1408-arm64-cputype-add-c1-pro-definitions.patch
new file mode 100644
index 000000000..2be15e68d
--- /dev/null
+++ b/1408-arm64-cputype-add-c1-pro-definitions.patch
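Review bot: The `CRYPTO_ALG_ASYNC` mask added in krb5_prepare_encryption() (patch 1407) is the only thing that keeps the NULL-callback helpers named in the commit message from ever seeing `-EINPROGRESS`, and nothing at the call site says so. Add a comment such as `/* mask CRYPTO_ALG_ASYNC: synchronous AEADs only; the krb5 encrypt/decrypt helpers pass no completion callback */` so the mask is not dropped in a later cleanup. Only this one allocation is changed in the patch; if other krb5 transform allocations feed helpers written the same way they would need the same mask, which cannot be checked from this hunk.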
@@ -0,0 +1,42 @@ +From ee5ce483d42809b6c9e5bb25c33601e54229128f Mon Sep 17 00:00:00 2001 +From: Catalin Marinas +Date: Tue, 21 Apr 2026 11:00:16 +0100 +Subject: [PATCH] arm64: cputype: Add C1-Pro definitions + +commit 2c99561016c591f4c3d5ad7d22a61b8726e79735 upstream. + +Add cputype definitions for C1-Pro. These will be used for errata +detection in subsequent patches. + +These values can be found in "Table A-303: MIDR_EL1 bit descriptions" in +issue 07 of the C1-Pro TRM: + + https://documentation-service.arm.com/static/6930126730f8f55a656570af + +Acked-by: Mark Rutland +Cc: Will Deacon +Cc: James Morse +Reviewed-by: Will Deacon +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman + +diff --git a/arch/arm64/include/asm/cputype.h b/arch/arm64/include/asm/cputype.h +index a580531..c2add67 100644 +--- a/arch/arm64/include/asm/cputype.h ++++ b/arch/arm64/include/asm/cputype.h +@@ -98,6 +98,7 @@ + #define ARM_CPU_PART_CORTEX_A725 0xD87 + #define ARM_CPU_PART_CORTEX_A720AE 0xD89 + #define ARM_CPU_PART_NEOVERSE_N3 0xD8E ++#define ARM_CPU_PART_C1_PRO 0xD8B + + #define APM_CPU_PART_XGENE 0x000 + #define APM_CPU_VAR_POTENZA 0x00 +@@ -188,6 +189,7 @@ + #define MIDR_CORTEX_A725 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A725) + #define MIDR_CORTEX_A720AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A720AE) + #define MIDR_NEOVERSE_N3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N3) ++#define MIDR_C1_PRO MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_PRO) + #define MIDR_THUNDERX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX) + #define MIDR_THUNDERX_81XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_81XX) + #define MIDR_THUNDERX_83XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_83XX) diff --git a/1409-arm64-cputype-add-c1-premium-definitions.patch b/1409-arm64-cputype-add-c1-premium-definitions.patch new file mode 100644 index 000000000..33f2e5f00 --- /dev/null 
+++ b/1409-arm64-cputype-add-c1-premium-definitions.patch @@ -0,0 +1,44 @@ +From 2125f57780e4d81424f47d9ec432ac733e9a2fb2 Mon Sep 17 00:00:00 2001 +From: Mark Rutland +Date: Tue, 16 Jun 2026 06:15:49 +0100 +Subject: [PATCH] arm64: cputype: Add C1-Premium definitions + +commit d28413bfc5a255957241f1df5d7fd0c2cd74fe18 upstream. + +Add cputype definitions for C1-Premium. These will be used for errata +detection in subsequent patches. + +These values can be found in the C1-Premium TRM: + + https://developer.arm.com/documentation/109416/0100/ + +... in section A.5.1 ("MIDR_EL1, Main ID Register"). + +Signed-off-by: Mark Rutland +Cc: Catalin Marinas +Cc: Will Deacon +Signed-off-by: Will Deacon +[Mark: backport to v6.12.y] +Signed-off-by: Mark Rutland +Signed-off-by: Greg Kroah-Hartman + +diff --git a/arch/arm64/include/asm/cputype.h b/arch/arm64/include/asm/cputype.h +index c2add67..4efa7c9 100644 +--- a/arch/arm64/include/asm/cputype.h ++++ b/arch/arm64/include/asm/cputype.h +@@ -99,6 +99,7 @@ + #define ARM_CPU_PART_CORTEX_A720AE 0xD89 + #define ARM_CPU_PART_NEOVERSE_N3 0xD8E + #define ARM_CPU_PART_C1_PRO 0xD8B ++#define ARM_CPU_PART_C1_PREMIUM 0xD90 + + #define APM_CPU_PART_XGENE 0x000 + #define APM_CPU_VAR_POTENZA 0x00 +@@ -189,6 +190,7 @@ + #define MIDR_CORTEX_A725 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A725) + #define MIDR_CORTEX_A720AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A720AE) + #define MIDR_NEOVERSE_N3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N3) ++#define MIDR_C1_PREMIUM MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_PREMIUM) + #define MIDR_C1_PRO MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_PRO) + #define MIDR_THUNDERX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX) + #define MIDR_THUNDERX_81XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_81XX) 
diff --git a/1410-arm64-cputype-add-c1-ultra-definitions.patch b/1410-arm64-cputype-add-c1-ultra-definitions.patch
new file mode 100644
index 000000000..0965ea487
--- /dev/null
+++ b/1410-arm64-cputype-add-c1-ultra-definitions.patch
@@ -0,0 +1,48 @@ +From cce1ef3711fd5a41144c4d7d6125f0b244982ca8 Mon Sep 17 00:00:00 2001 +From: Mark Rutland +Date: Tue, 16 Jun 2026 06:15:48 +0100 +Subject: [PATCH] arm64: cputype: Add C1-Ultra definitions + +commit 60349e64a6c65f9f0aa118af711b3c7e137f07ff upstream. + +Add cputype definitions for C1-Ultra. These will be used for errata +detection in subsequent patches. + +These values can be found in the C1-Ultra TRM: + + https://developer.arm.com/documentation/108014/0100/ + +... in section A.5.1 ("MIDR_EL1, Main ID Register"). + +Signed-off-by: Mark Rutland +Cc: Catalin Marinas +Cc: Will Deacon +Signed-off-by: Will Deacon +[Mark: backport to v6.12.y] +Signed-off-by: Mark Rutland +Signed-off-by: Greg Kroah-Hartman + +diff --git a/arch/arm64/include/asm/cputype.h b/arch/arm64/include/asm/cputype.h +index 4efa7c9..55565b7 100644 +--- a/arch/arm64/include/asm/cputype.h ++++ b/arch/arm64/include/asm/cputype.h +@@ -97,6 +97,7 @@ + #define ARM_CPU_PART_CORTEX_X925 0xD85 + #define ARM_CPU_PART_CORTEX_A725 0xD87 + #define ARM_CPU_PART_CORTEX_A720AE 0xD89 ++#define ARM_CPU_PART_C1_ULTRA 0xD8C + #define ARM_CPU_PART_NEOVERSE_N3 0xD8E + #define ARM_CPU_PART_C1_PRO 0xD8B + #define ARM_CPU_PART_C1_PREMIUM 0xD90 +@@ -189,9 +190,10 @@ + #define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925) + #define MIDR_CORTEX_A725 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A725) + #define MIDR_CORTEX_A720AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A720AE) ++#define MIDR_C1_ULTRA MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_ULTRA) + #define MIDR_NEOVERSE_N3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N3) +-#define MIDR_C1_PREMIUM MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_PREMIUM) + #define MIDR_C1_PRO MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_PRO) ++#define MIDR_C1_PREMIUM MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_PREMIUM) + #define MIDR_THUNDERX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX) + 
#define MIDR_THUNDERX_81XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_81XX) + #define MIDR_THUNDERX_83XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_83XX) diff --git a/1411-arm64-errata-mitigate-tlbi-errata-on-various-arm-cpus.patch b/1411-arm64-errata-mitigate-tlbi-errata-on-various-arm-cpus.patch new file mode 100644 index 000000000..c16a4e443 --- /dev/null +++ b/1411-arm64-errata-mitigate-tlbi-errata-on-various-arm-cpus.patch 
@@ -0,0 +1,268 @@ +From 4e7c80742e6dada9f8b9ad63f3a49c03af07ecb8 Mon Sep 17 00:00:00 2001 +From: Mark Rutland +Date: Tue, 16 Jun 2026 06:15:50 +0100 +Subject: [PATCH] arm64: errata: Mitigate TLBI errata on various Arm CPUs + +commit cfd391e74134db664feb499d43af286380b10ba8 upstream. + +A number of CPUs developed by Arm suffer from errata whereby a broadcast +TLBI;DSB sequence may complete before the global observation of writes +which are translated by an affected TLB entry. + +These errata ONLY affect the completion of memory accesses which have +been translated by an invalidated TLB entry, and these errata DO NOT +affect the actual invalidation of TLB entries. TLB entries are removed +correctly. + +This issue has been assigned CVE ID CVE-2025-10263. + +To mitigate this issue, Arm recommends that software follows any +affected TLBI;DSB sequence with an additional TLBI;DSB, which will +ensure that all memory write effects affected by the first TLBI have +been globally observed. The additional TLBI can use any operation that +is broadcast to affected CPUs, and the additional DSB can use any option +that is sufficient to complete the additional TLBI. + +The ARM64_WORKAROUND_REPEAT_TLBI workaround is sufficient to mitigate +the issue. Enable this workaround for affected CPUs, and update the +silicon errata documentation accordingly. + +Note that due to the manner in which Arm develops IP and tracks errata, +some CPUs share a common erratum number. + +Signed-off-by: Mark Rutland +Cc: Catalin Marinas +Cc: Will Deacon +Signed-off-by: Will Deacon +[Mark: backport to v6.12.y] +Signed-off-by: Mark Rutland +Signed-off-by: Greg Kroah-Hartman + +diff --git a/Documentation/arch/arm64/silicon-errata.rst b/Documentation/arch/arm64/silicon-errata.rst +index a7ec570..e06d991 100644 +--- a/Documentation/arch/arm64/silicon-errata.rst ++++ b/Documentation/arch/arm64/silicon-errata.rst +@@ -128,16 +128,28 @@ stable kernels. 
+ +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A76 | #3324349 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Cortex-A76 | #4193800 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Cortex-A76AE | #4193801 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A77 | #1491015 | N/A | + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A77 | #1508412 | ARM64_ERRATUM_1508412 | + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A77 | #3324348 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Cortex-A77 | #4193798 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A78 | #3324344 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Cortex-A78 | #4193791 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Cortex-A78AE | #4193793 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A78C | #3324346,3324347| ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Cortex-A78C | #4193794 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A710 | #2119858 | ARM64_ERRATUM_2119858 | + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A710 | 
#2054223 | ARM64_ERRATUM_2054223 | +@@ -146,6 +158,8 @@ stable kernels. + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A710 | #3324338 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Cortex-A710 | #4193788 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A715 | #2645198 | ARM64_ERRATUM_2645198 | + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A715 | #3456084 | ARM64_ERRATUM_3194386 | +@@ -158,20 +172,32 @@ stable kernels. + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-X1 | #3324344 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Cortex-X1 | #4193791 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-X1C | #3324346 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Cortex-X1C | #4193792 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-X2 | #2119858 | ARM64_ERRATUM_2119858 | + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-X2 | #2224489 | ARM64_ERRATUM_2224489 | + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-X2 | #3324338 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Cortex-X2 | #4193788 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-X3 | #3324335 | ARM64_ERRATUM_3194386 | + 
+----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Cortex-X3 | #4193786 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-X4 | #3194386 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Cortex-X4 | #4118414 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-X925 | #3324334 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Cortex-X925 | #4193781 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Neoverse-N1 | #1188873,1418040| ARM64_ERRATUM_1418040 | + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Neoverse-N1 | #1349291 | N/A | +@@ -182,6 +208,8 @@ stable kernels. + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Neoverse-N1 | #3324349 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Neoverse-N1 | #4193800 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Neoverse-N2 | #2139208 | ARM64_ERRATUM_2139208 | + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Neoverse-N2 | #2067961 | ARM64_ERRATUM_2067961 | +@@ -190,18 +218,34 @@ stable kernels. 
+ +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Neoverse-N2 | #3324339 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Neoverse-N2 | #4193789 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Neoverse-N3 | #3456111 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Neoverse-V1 | #1619801 | N/A | + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Neoverse-V1 | #3324341 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Neoverse-V1 | #4193790 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Neoverse-V2 | #3324336 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Neoverse-V2 | #4193787 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Neoverse-V3 | #3312417 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Neoverse-V3 | #4193784 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Neoverse-V3AE | #3312417 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Neoverse-V3AE | #4193784 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ ++| ARM | C1-Premium | #4193780 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ ++| ARM | C1-Pro | #4193714 | 
ARM64_ERRATUM_4193714 | +++----------------+-----------------+-----------------+-----------------------------+ ++| ARM | C1-Ultra | #4193780 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | MMU-500 | #841119,826419 | ARM_SMMU_MMU_500_CPRE_ERRATA| + | | | #562869,1047329 | | + +----------------+-----------------+-----------------+-----------------------------+ +diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig +index 7d2f7f2..6cdcc7a 100644 +--- a/arch/arm64/Kconfig ++++ b/arch/arm64/Kconfig +@@ -1155,6 +1155,54 @@ config ARM64_ERRATUM_3194386 + + If unsure, say Y. + ++config ARM64_ERRATUM_4193714 ++ bool "C1-Pro: 4193714: SME DVMSync early acknowledgement" ++ depends on ARM64_SME ++ default y ++ help ++ Enable workaround for C1-Pro acknowledging the DVMSync before ++ the SME memory accesses are complete. This will cause TLB ++ maintenance for processes using SME to also issue an IPI to ++ the affected CPUs. ++ ++ If unsure, say Y. 
++ ++config ARM64_ERRATUM_4118414 ++ bool "Cortex-*/Neoverse-*/C1-*: Completion of affected memory accesses might not be guaranteed by completion of a TLBI" ++ default y ++ select ARM64_WORKAROUND_REPEAT_TLBI ++ help ++ This option adds a workaround for the following errata: ++ ++ * ARM C1-Premium erratum 4193780 ++ * ARM C1-Ultra erratum 4193780 ++ * ARM Cortex-A76 erratum 4193800 ++ * ARM Cortex-A76AE erratum 4193801 ++ * ARM Cortex-A77 erratum 4193798 ++ * ARM Cortex-A78 erratum 4193791 ++ * ARM Cortex-A78AE erratum 4193793 ++ * ARM Cortex-A78C erratum 4193794 ++ * ARM Cortex-A710 erratum 4193788 ++ * ARM Cortex-X1 erratum 4193791 ++ * ARM Cortex-X1C erratum 4193792 ++ * ARM Cortex-X2 erratum 4193788 ++ * ARM Cortex-X3 erratum 4193786 ++ * ARM Cortex-X4 erratum 4118414 ++ * ARM Cortex-X925 erratum 4193781 ++ * ARM Neoverse-N1 erratum 4193800 ++ * ARM Neoverse-N2 erratum 4193789 ++ * ARM Neoverse-V1 erratum 4193790 ++ * ARM Neoverse-V2 erratum 4193787 ++ * ARM Neoverse-V3 erratum 4193784 ++ * ARM Neoverse-V3AE erratum 4193784 ++ ++ On affected cores, some memory accesses might not be completed by ++ broadcast TLB invalidation. ++ ++ This issue is also known as CVE-2025-10263. ++ ++ If unsure, say Y. 
++ + config CAVIUM_ERRATUM_22375 + bool "Cavium erratum 22375, 24313" + default y +diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c +index 46cd811..80a920d 100644 +--- a/arch/arm64/kernel/cpu_errata.c ++++ b/arch/arm64/kernel/cpu_errata.c +@@ -278,7 +278,35 @@ static const struct arm64_cpu_capabilities arm64_repeat_tlbi_list[] = { + ERRATA_MIDR_RANGE(MIDR_CORTEX_A510, 0, 0, 1, 1), + }, + #endif +- {}, ++#ifdef CONFIG_ARM64_ERRATUM_4118414 ++ { ++ ERRATA_MIDR_RANGE_LIST(((const struct midr_range[]) { ++ MIDR_ALL_VERSIONS(MIDR_C1_PREMIUM), ++ MIDR_ALL_VERSIONS(MIDR_C1_ULTRA), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A76), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A76AE), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A77), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A78), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A78AE), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A78C), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A710), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_X1), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_X1C), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_X2), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_X3), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_X4), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_X925), ++ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1), ++ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2), ++ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1), ++ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V2), ++ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3), ++ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3AE), ++ {} ++ })), ++ }, ++#endif ++ {} + }; + #endif + +@@ -614,7 +642,7 @@ const struct arm64_cpu_capabilities arm64_errata[] = { + #endif + #ifdef CONFIG_ARM64_WORKAROUND_REPEAT_TLBI + { +- .desc = "Qualcomm erratum 1009, or ARM erratum 1286807, 2441009", ++ .desc = "Broken broadcast TLBI completion", + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + .type = ARM64_CPUCAP_LOCAL_CPU_ERRATUM, + .matches = cpucap_multi_entry_cap_matches, diff --git a/1412-arm64-errata-mitigate-tlbi-errata-on-nvidia-olympus-cpu.patch b/1412-arm64-errata-mitigate-tlbi-errata-on-nvidia-olympus-cpu.patch new file mode 100644 index 000000000..736a3d6a1 
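Review bot: The arch/arm64/Kconfig hunk adds `config ARM64_ERRATUM_4193714` (C1-Pro, SME DVMSync) with `default y`, and the silicon-errata.rst hunk adds a matching C1-Pro row, but the commit description covers only the TLBI erratum and nothing in the cpu_errata.c hunk tests `CONFIG_ARM64_ERRATUM_4193714`. As far as this patch shows, the symbol selects nothing and gates no code, so a build with it set to y would advertise a workaround that is not present. C1-Pro is also absent from the `CONFIG_ARM64_ERRATUM_4118414` MIDR list. This looks like a conflict-resolution leftover in the backport, so I would drop the `ARM64_ERRATUM_4193714` Kconfig entry and the C1-Pro table row from this patch instead of relying on the later Azure Cobalt 100 patch in the series to delete them. The `arm64_repeat_tlbi_list[]` and `arm64_errata[]` initialisers start and end outside the hunks.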
--- /dev/null
+++ b/1412-arm64-errata-mitigate-tlbi-errata-on-nvidia-olympus-cpu.patch
@@ -0,0 +1,73 @@ +From fd0781fcbf4d867807bb3f9432f5582e5619f7df Mon Sep 17 00:00:00 2001 +From: Shanker Donthineni +Date: Tue, 16 Jun 2026 06:15:51 +0100 +Subject: [PATCH] arm64: errata: Mitigate TLBI errata on NVIDIA Olympus CPU + +commit ec7216f92e4ebd485b1c6dc6aa3f6064b71a5768 upstream. + +NVIDIA Olympus cores are affected by the TLBI completion issue tracked as +CVE-2025-10263. The existing ARM64_ERRATUM_4118414 handling already uses +ARM64_WORKAROUND_REPEAT_TLBI to issue an additional broadcast TLBI;DSB +sequence and ensure affected memory write effects are globally observed. + +Add MIDR_NVIDIA_OLYMPUS to the repeat-TLBI match list so the same +mitigation is enabled on affected Olympus systems. Also document the +NVIDIA Olympus erratum in the arm64 silicon errata table and list it in +the Kconfig help text. + +Signed-off-by: Shanker Donthineni +Cc: Catalin Marinas +Cc: Will Deacon +Cc: Mark Rutland +Acked-by: Mark Rutland +Signed-off-by: Will Deacon +[Mark: backport to v6.12.y] +Signed-off-by: Shanker Donthineni +Signed-off-by: Greg Kroah-Hartman + +diff --git a/Documentation/arch/arm64/silicon-errata.rst b/Documentation/arch/arm64/silicon-errata.rst +index e06d991..bf898b7 100644 +--- a/Documentation/arch/arm64/silicon-errata.rst ++++ b/Documentation/arch/arm64/silicon-errata.rst +@@ -288,6 +288,8 @@ stable kernels. 
+ +----------------+-----------------+-----------------+-----------------------------+ + | NVIDIA | Carmel Core | N/A | NVIDIA_CARMEL_CNP_ERRATUM | + +----------------+-----------------+-----------------+-----------------------------+ ++| NVIDIA | Olympus core | T410-OLY-1029 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | NVIDIA | T241 GICv3/4.x | T241-FABRIC-4 | N/A | + +----------------+-----------------+-----------------+-----------------------------+ + +----------------+-----------------+-----------------+-----------------------------+ +diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig +index 6cdcc7a..6f7bbe2 100644 +--- a/arch/arm64/Kconfig ++++ b/arch/arm64/Kconfig +@@ -1168,7 +1168,7 @@ config ARM64_ERRATUM_4193714 + If unsure, say Y. + + config ARM64_ERRATUM_4118414 +- bool "Cortex-*/Neoverse-*/C1-*: Completion of affected memory accesses might not be guaranteed by completion of a TLBI" ++ bool "Various: Completion of affected memory accesses might not be guaranteed by completion of a TLBI" + default y + select ARM64_WORKAROUND_REPEAT_TLBI + help +@@ -1195,6 +1195,7 @@ config ARM64_ERRATUM_4118414 + * ARM Neoverse-V2 erratum 4193787 + * ARM Neoverse-V3 erratum 4193784 + * ARM Neoverse-V3AE erratum 4193784 ++ * NVIDIA Olympus erratum T410-OLY-1029 + + On affected cores, some memory accesses might not be completed by + broadcast TLB invalidation. +diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c +index 80a920d..06d9a92 100644 +--- a/arch/arm64/kernel/cpu_errata.c ++++ b/arch/arm64/kernel/cpu_errata.c +@@ -302,6 +302,7 @@ static const struct arm64_cpu_capabilities arm64_repeat_tlbi_list[] = { + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V2), + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3), + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3AE), ++ MIDR_ALL_VERSIONS(MIDR_NVIDIA_OLYMPUS), + {} + })), + }, 
diff --git a/1413-arm64-errata-mitigate-tlbi-errata-on-microsoft-azure-cobalt.patch b/1413-arm64-errata-mitigate-tlbi-errata-on-microsoft-azure-cobalt.patch
new file mode 100644
index 000000000..ed49d786f
--- /dev/null
+++ b/1413-arm64-errata-mitigate-tlbi-errata-on-microsoft-azure-cobalt.patch
@@ -0,0 +1,107 @@ +From 2321cb9e80eaeedbc22ede60ee03404fe521cd56 Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Tue, 16 Jun 2026 06:15:52 +0100 +Subject: [PATCH] arm64: errata: Mitigate TLBI errata on Microsoft Azure Cobalt + 100 CPU + +commit 1940e70a8144bf75e6df26bf6f600862ea7f7ea1 upstream. + +Commit fb091ff39479 ("arm64: Subscribe Microsoft Azure Cobalt 100 to ARM +Neoverse N2 errata") states that Microsoft Azure Cobalt 100 CPU "is a +Microsoft implemented CPU based on r0p0 of the ARM Neoverse N2 CPU, and +therefore suffers from all the same errata.". + +So enable the workaround for the latest broadcast TLB invalidation bug +on these parts. + +Signed-off-by: Will Deacon +[Mark: backport to v6.12.y] +Signed-off-by: Mark Rutland +Signed-off-by: Greg Kroah-Hartman + +diff --git a/Documentation/arch/arm64/silicon-errata.rst b/Documentation/arch/arm64/silicon-errata.rst +index bf898b7..e9558e8 100644 +--- a/Documentation/arch/arm64/silicon-errata.rst ++++ b/Documentation/arch/arm64/silicon-errata.rst +@@ -131,7 +131,7 @@ stable kernels. + | ARM | Cortex-A76 | #4193800 | ARM64_ERRATUM_4118414 | + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A76AE | #4193801 | ARM64_ERRATUM_4118414 | +-+----------------+-----------------+-----------------+-----------------------------+ ++++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A77 | #1491015 | N/A | + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A77 | #1508412 | ARM64_ERRATUM_1508412 | +@@ -195,7 +195,7 @@ stable kernels. 
+ | ARM | Cortex-X4 | #4118414 | ARM64_ERRATUM_4118414 | + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-X925 | #3324334 | ARM64_ERRATUM_3194386 | +-+----------------+-----------------+-----------------+-----------------------------+ ++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-X925 | #4193781 | ARM64_ERRATUM_4118414 | + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Neoverse-N1 | #1188873,1418040| ARM64_ERRATUM_1418040 | +@@ -237,13 +237,11 @@ stable kernels. + | ARM | Neoverse-V3 | #4193784 | ARM64_ERRATUM_4118414 | + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Neoverse-V3AE | #3312417 | ARM64_ERRATUM_3194386 | +-+----------------+-----------------+-----------------+-----------------------------+ ++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Neoverse-V3AE | #4193784 | ARM64_ERRATUM_4118414 | + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | C1-Premium | #4193780 | ARM64_ERRATUM_4118414 | + +----------------+-----------------+-----------------+-----------------------------+ +-| ARM | C1-Pro | #4193714 | ARM64_ERRATUM_4193714 | +-+----------------+-----------------+-----------------+-----------------------------+ + | ARM | C1-Ultra | #4193780 | ARM64_ERRATUM_4118414 | + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | MMU-500 | #841119,826419 | ARM_SMMU_MMU_500_CPRE_ERRATA| +@@ -351,3 +349,5 @@ stable kernels. 
+ +----------------+-----------------+-----------------+-----------------------------+ + | Microsoft | Azure Cobalt 100| #3324339 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| Microsoft | Azure Cobalt 100| #4193789 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ +diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig +index 6f7bbe2..49506a7 100644 +--- a/arch/arm64/Kconfig ++++ b/arch/arm64/Kconfig +@@ -1155,18 +1155,6 @@ config ARM64_ERRATUM_3194386 + + If unsure, say Y. + +-config ARM64_ERRATUM_4193714 +- bool "C1-Pro: 4193714: SME DVMSync early acknowledgement" +- depends on ARM64_SME +- default y +- help +- Enable workaround for C1-Pro acknowledging the DVMSync before +- the SME memory accesses are complete. This will cause TLB +- maintenance for processes using SME to also issue an IPI to +- the affected CPUs. +- +- If unsure, say Y. +- + config ARM64_ERRATUM_4118414 + bool "Various: Completion of affected memory accesses might not be guaranteed by completion of a TLBI" + default y +@@ -1195,6 +1183,7 @@ config ARM64_ERRATUM_4118414 + * ARM Neoverse-V2 erratum 4193787 + * ARM Neoverse-V3 erratum 4193784 + * ARM Neoverse-V3AE erratum 4193784 ++ * Microsoft Azure Cobalt 100 4193789 + * NVIDIA Olympus erratum T410-OLY-1029 + + On affected cores, some memory accesses might not be completed by +diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c +index 06d9a92..72caeca 100644 +--- a/arch/arm64/kernel/cpu_errata.c ++++ b/arch/arm64/kernel/cpu_errata.c +@@ -303,6 +303,7 @@ static const struct arm64_cpu_capabilities arm64_repeat_tlbi_list[] = { + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3), + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3AE), + MIDR_ALL_VERSIONS(MIDR_NVIDIA_OLYMPUS), ++ MIDR_ALL_VERSIONS(MIDR_MICROSOFT_AZURE_COBALT_100), + {} + })), + }, 
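Review bot: The silicon-errata.rst hunks replace three table border lines with what appear, as rendered here, to be malformed ones: the border after the Cortex-A76AE row gains a second leading `+`, and the borders after the Cortex-X925 and Neoverse-V3AE rows lose their leading `+`, which would break the RST grid table. The same patch also deletes the C1-Pro row and the whole `config ARM64_ERRATUM_4193714` entry from Kconfig, neither of which the description (enabling the workaround on Azure Cobalt 100) mentions. Both look like artefacts of resolving the backport against the earlier TLBI patch. The border lines should stay as unchanged `+----------------+…` context, and the 4193714 removal should either be folded into the patch that introduced it or be explained in the commit message. Separately, the new help line `* Microsoft Azure Cobalt 100 4193789` omits the word `erratum` that the neighbouring entries use.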
diff --git a/1414-fs-smb-client-fix-out-of-bounds-read-in-cifs-sanitize-prepa.patch b/1414-fs-smb-client-fix-out-of-bounds-read-in-cifs-sanitize-prepa.patch new file mode 100644 index 000000000..d42c7e7b9 --- /dev/null +++ b/1414-fs-smb-client-fix-out-of-bounds-read-in-cifs-sanitize-prepa.patch @@ -0,0 +1,40 @@ +From 2d29214448ec0f4e7e18bb1c14dd4a6c07f1c439 Mon Sep 17 00:00:00 2001 +From: Fredric Cover +Date: Mon, 30 Mar 2026 13:11:27 -0700 +Subject: [PATCH] fs/smb/client: fix out-of-bounds read in + cifs_sanitize_prepath + +[ Upstream commit 78ec5bf2f589ec7fd8f169394bfeca541b077317 ] + +When cifs_sanitize_prepath is called with an empty string or a string +containing only delimiters (e.g., "/"), the current logic attempts to +check *(cursor2 - 1) before cursor2 has advanced. This results in an +out-of-bounds read. + +This patch adds an early exit check after stripping prepended +delimiters. If no path content remains, the function returns NULL. + +The bug was identified via manual audit and verified using a +standalone test case compiled with AddressSanitizer, which +triggered a SEGV on affected inputs. + +Signed-off-by: Fredric Cover +Reviewed-by: Henrique Carvalho <[2]henrique.carvalho@suse.com> +Signed-off-by: Steve French +Signed-off-by: Sasha Levin + +diff --git a/fs/smb/client/fs_context.c b/fs/smb/client/fs_context.c +index c1a0363..287c847 100644 +--- a/fs/smb/client/fs_context.c ++++ b/fs/smb/client/fs_context.c +@@ -589,6 +589,10 @@ char *cifs_sanitize_prepath(char *prepath, gfp_t gfp) + while (IS_DELIM(*cursor1)) + cursor1++; + ++ /* exit in case of only delimiters */ ++ if (!*cursor1) ++ return NULL; ++ + /* copy the first letter */ + *cursor2 = *cursor1; + diff --git a/kernel-aarch64-64k-debug-rhel.config b/kernel-aarch64-64k-debug-rhel.config index ed16848fd..c3d04da0d 100644 --- a/kernel-aarch64-64k-debug-rhel.config +++ b/kernel-aarch64-64k-debug-rhel.config 
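Review bot: The early `return NULL;` added after the delimiter-skipping loop in cifs_sanitize_prepath() gives NULL a meaning that is not documented at the return site. The signature takes a `gfp_t`, so a caller may read NULL as an allocation failure and not as "no prefix path". I would extend the comment to `/* only delimiters (or empty): no prefix path, not an allocation failure */` and check that each caller treats NULL accordingly. The new path also returns without writing to the caller's buffer, so `prepath` keeps its delimiter-only contents. That is harmless only if callers do not reuse the buffer afterwards, which cannot be seen from here. The function body continues outside the hunk.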
@@ -364,6 +364,7 @@ CONFIG_ARM64_ERRATUM_2966298=y CONFIG_ARM64_ERRATUM_3117295=y CONFIG_ARM64_ERRATUM_3194386=y CONFIG_ARM64_ERRATUM_3312417=y +CONFIG_ARM64_ERRATUM_4118414=y CONFIG_ARM64_ERRATUM_819472=y CONFIG_ARM64_ERRATUM_824069=y CONFIG_ARM64_ERRATUM_826319=y diff --git a/kernel-aarch64-64k-rhel.config b/kernel-aarch64-64k-rhel.config index 2ab62b0bd..fd97f2e1e 100644 --- a/kernel-aarch64-64k-rhel.config +++ b/kernel-aarch64-64k-rhel.config @@ -364,6 +364,7 @@ CONFIG_ARM64_ERRATUM_2966298=y CONFIG_ARM64_ERRATUM_3117295=y CONFIG_ARM64_ERRATUM_3194386=y CONFIG_ARM64_ERRATUM_3312417=y +CONFIG_ARM64_ERRATUM_4118414=y CONFIG_ARM64_ERRATUM_819472=y CONFIG_ARM64_ERRATUM_824069=y CONFIG_ARM64_ERRATUM_826319=y diff --git a/kernel-aarch64-debug-rhel.config b/kernel-aarch64-debug-rhel.config index 34eae8781..711135f90 100644 --- a/kernel-aarch64-debug-rhel.config +++ b/kernel-aarch64-debug-rhel.config @@ -364,6 +364,7 @@ CONFIG_ARM64_ERRATUM_2966298=y CONFIG_ARM64_ERRATUM_3117295=y CONFIG_ARM64_ERRATUM_3194386=y CONFIG_ARM64_ERRATUM_3312417=y +CONFIG_ARM64_ERRATUM_4118414=y CONFIG_ARM64_ERRATUM_819472=y CONFIG_ARM64_ERRATUM_824069=y CONFIG_ARM64_ERRATUM_826319=y diff --git a/kernel-aarch64-rhel.config b/kernel-aarch64-rhel.config index 744bed3cf..f058db44d 100644 --- a/kernel-aarch64-rhel.config +++ b/kernel-aarch64-rhel.config @@ -364,6 +364,7 @@ CONFIG_ARM64_ERRATUM_2966298=y CONFIG_ARM64_ERRATUM_3117295=y CONFIG_ARM64_ERRATUM_3194386=y CONFIG_ARM64_ERRATUM_3312417=y +CONFIG_ARM64_ERRATUM_4118414=y CONFIG_ARM64_ERRATUM_819472=y CONFIG_ARM64_ERRATUM_824069=y CONFIG_ARM64_ERRATUM_826319=y diff --git a/kernel-aarch64-rt-64k-debug-rhel.config b/kernel-aarch64-rt-64k-debug-rhel.config index 707eabd95..027682b3f 100644 --- a/kernel-aarch64-rt-64k-debug-rhel.config +++ b/kernel-aarch64-rt-64k-debug-rhel.config 
@@ -364,6 +364,7 @@ CONFIG_ARM64_ERRATUM_2966298=y
 CONFIG_ARM64_ERRATUM_3117295=y
 CONFIG_ARM64_ERRATUM_3194386=y
 CONFIG_ARM64_ERRATUM_3312417=y
+CONFIG_ARM64_ERRATUM_4118414=y
 CONFIG_ARM64_ERRATUM_819472=y
 CONFIG_ARM64_ERRATUM_824069=y
 CONFIG_ARM64_ERRATUM_826319=y
diff --git a/kernel-aarch64-rt-64k-rhel.config b/kernel-aarch64-rt-64k-rhel.config
index d74ef0117..26f715829 100644
--- a/kernel-aarch64-rt-64k-rhel.config
+++ b/kernel-aarch64-rt-64k-rhel.config
@@ -364,6 +364,7 @@ CONFIG_ARM64_ERRATUM_2966298=y
 CONFIG_ARM64_ERRATUM_3117295=y
 CONFIG_ARM64_ERRATUM_3194386=y
 CONFIG_ARM64_ERRATUM_3312417=y
+CONFIG_ARM64_ERRATUM_4118414=y
 CONFIG_ARM64_ERRATUM_819472=y
 CONFIG_ARM64_ERRATUM_824069=y
 CONFIG_ARM64_ERRATUM_826319=y
diff --git a/kernel-aarch64-rt-debug-rhel.config b/kernel-aarch64-rt-debug-rhel.config
index 7d2ddd942..ce65e735e 100644
--- a/kernel-aarch64-rt-debug-rhel.config
+++ b/kernel-aarch64-rt-debug-rhel.config
@@ -364,6 +364,7 @@ CONFIG_ARM64_ERRATUM_2966298=y
 CONFIG_ARM64_ERRATUM_3117295=y
 CONFIG_ARM64_ERRATUM_3194386=y
 CONFIG_ARM64_ERRATUM_3312417=y
+CONFIG_ARM64_ERRATUM_4118414=y
 CONFIG_ARM64_ERRATUM_819472=y
 CONFIG_ARM64_ERRATUM_824069=y
 CONFIG_ARM64_ERRATUM_826319=y
diff --git a/kernel-aarch64-rt-rhel.config b/kernel-aarch64-rt-rhel.config
index 0f4309c11..61cce3368 100644
--- a/kernel-aarch64-rt-rhel.config
+++ b/kernel-aarch64-rt-rhel.config
@@ -364,6 +364,7 @@ CONFIG_ARM64_ERRATUM_2966298=y
 CONFIG_ARM64_ERRATUM_3117295=y
 CONFIG_ARM64_ERRATUM_3194386=y
 CONFIG_ARM64_ERRATUM_3312417=y
+CONFIG_ARM64_ERRATUM_4118414=y
 CONFIG_ARM64_ERRATUM_819472=y
 CONFIG_ARM64_ERRATUM_824069=y
 CONFIG_ARM64_ERRATUM_826319=y
diff --git a/kernel.spec b/kernel.spec
index e3143da2b..5cd53fce2 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -176,13 +176,13 @@ Summary: The Linux kernel %define specrpmversion 6.12.0 %define specversion 6.12.0 %define patchversion 6.12 -%define pkgrelease 211.29.1 +%define pkgrelease 211.30.1 %define kversion 6 %define tarfile_release 6.12.0-211.7.1.el10_2 # This is needed to do merge window version magic %define patchlevel 12 # This allows pkg_release to have configurable %%{?dist} tag -%define specrelease 211.29.1%{?buildid}%{?dist} +%define specrelease 211.30.1%{?buildid}%{?dist} # This defines the kabi tarball version %define kabiversion 6.12.0-211.7.1.el10_2 
@@ -1433,6 +1433,22 @@ Patch1395: 1395-crypto-tegra-don-t-touch-bo-refcount-in-host1x-bo-pin-unpin.patc Patch1396: 1396-crypto-tegra-fix-dma-free-coherent-size-error.patch Patch1397: 1397-crypto-tegra-return-enomem-when-input-buffer-allocation-fail.patch Patch1398: 1398-rdma-mlx5-fix-error-path-fall-through-in-mlx5-ib-dev-res-srq.patch +Patch1399: 1399-rxrpc-fix-potential-uaf-after-skb-unshare-failure.patch +Patch1400: 1400-rxrpc-fix-rxrpc-input-call-event-to-only-unshare-data-packet.patch +Patch1401: 1401-drm-gem-fix-inconsistent-plane-dimension-calculation-in-drm.patch +Patch1402: 1402-netfilter-nft-inner-fix-ipv6-inner-thoff-desync.patch +Patch1403: 1403-asoc-sdca-fix-null-pointer-dereference-in-sdca-dev-unregiste.patch +Patch1404: 1404-crypto-testmgr-allow-authenc-hmac-sha-256-384-cts-cbc-aes-in.patch +Patch1405: 1405-crypto-krb5enc-fix-sleepable-flag-handling-in-encrypt-dispat.patch +Patch1406: 1406-crypto-krb5enc-fix-async-decrypt-skipping-hash-verification.patch +Patch1407: 1407-crypto-krb5-filter-out-async-aead-implementations-at-alloc.patch +Patch1408: 1408-arm64-cputype-add-c1-pro-definitions.patch +Patch1409: 1409-arm64-cputype-add-c1-premium-definitions.patch +Patch1410: 1410-arm64-cputype-add-c1-ultra-definitions.patch +Patch1411: 1411-arm64-errata-mitigate-tlbi-errata-on-various-arm-cpus.patch +Patch1412: 1412-arm64-errata-mitigate-tlbi-errata-on-nvidia-olympus-cpu.patch +Patch1413: 1413-arm64-errata-mitigate-tlbi-errata-on-microsoft-azure-cobalt.patch +Patch1414: 1414-fs-smb-client-fix-out-of-bounds-read-in-cifs-sanitize-prepa.patch # END OF PATCH DEFINITIONS %description 
@@ -2588,6 +2604,22 @@ ApplyPatch 1395-crypto-tegra-don-t-touch-bo-refcount-in-host1x-bo-pin-unpin.patc ApplyPatch 1396-crypto-tegra-fix-dma-free-coherent-size-error.patch ApplyPatch 1397-crypto-tegra-return-enomem-when-input-buffer-allocation-fail.patch ApplyPatch 1398-rdma-mlx5-fix-error-path-fall-through-in-mlx5-ib-dev-res-srq.patch +ApplyPatch 1399-rxrpc-fix-potential-uaf-after-skb-unshare-failure.patch +ApplyPatch 1400-rxrpc-fix-rxrpc-input-call-event-to-only-unshare-data-packet.patch +ApplyPatch 1401-drm-gem-fix-inconsistent-plane-dimension-calculation-in-drm.patch +ApplyPatch 1402-netfilter-nft-inner-fix-ipv6-inner-thoff-desync.patch +ApplyPatch 1403-asoc-sdca-fix-null-pointer-dereference-in-sdca-dev-unregiste.patch +ApplyPatch 1404-crypto-testmgr-allow-authenc-hmac-sha-256-384-cts-cbc-aes-in.patch +ApplyPatch 1405-crypto-krb5enc-fix-sleepable-flag-handling-in-encrypt-dispat.patch +ApplyPatch 1406-crypto-krb5enc-fix-async-decrypt-skipping-hash-verification.patch +ApplyPatch 1407-crypto-krb5-filter-out-async-aead-implementations-at-alloc.patch +ApplyPatch 1408-arm64-cputype-add-c1-pro-definitions.patch +ApplyPatch 1409-arm64-cputype-add-c1-premium-definitions.patch +ApplyPatch 1410-arm64-cputype-add-c1-ultra-definitions.patch +ApplyPatch 1411-arm64-errata-mitigate-tlbi-errata-on-various-arm-cpus.patch +ApplyPatch 1412-arm64-errata-mitigate-tlbi-errata-on-nvidia-olympus-cpu.patch +ApplyPatch 1413-arm64-errata-mitigate-tlbi-errata-on-microsoft-azure-cobalt.patch +ApplyPatch 1414-fs-smb-client-fix-out-of-bounds-read-in-cifs-sanitize-prepa.patch # END OF PATCH APPLICATIONS # Any further pre-build tree manipulations happen here. 
@@ -5092,6 +5124,36 @@ fi\ # # %changelog +* Fri Jul 03 2026 Andrew Lukoshko - 6.12.0-211.30.1 +- Recreate RHEL 6.12.0-211.30.1 from CentOS Stream 10 and upstream stable backports (1399-1414) +- RHEL 6.12.0-211.30.1 now also carries the vgic-its (CVE-2026-46316) and ipv4/ipv6 + fraggap fixes AlmaLinux shipped ahead; the AlmaLinux patches (1374, 1384-1385) are + retained and RHEL's duplicate copies omitted +- CONFIG_ARM64_ERRATUM_4118414 enabled for aarch64 (CVE-2025-10263) +- RHEL changelog for 211.30.1 follows: + +* Wed Jul 01 2026 CKI KWF Bot [6.12.0-211.30.1.el10_2] +- ipv6: account for fraggap on the paged allocation path (Sabrina Dubroca) [RHEL-191349] +- ipv4: account for fraggap on the paged allocation path (Sabrina Dubroca) [RHEL-191349] +- fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath (CKI Backport Bot) [RHEL-189491] {CVE-2026-43112} +- Enable workaround for ARM64 ERRATUM 4118414 (Mark Salter) [RHEL-183592] {CVE-2025-10263} +- arm64: errata: Mitigate TLBI errata on Microsoft Azure Cobalt 100 CPU (Mark Salter) [RHEL-183592] {CVE-2025-10263} +- arm64: errata: Mitigate TLBI errata on NVIDIA Olympus CPU (Mark Salter) [RHEL-183592] {CVE-2025-10263} +- arm64: errata: Mitigate TLBI errata on various Arm CPUs (Mark Salter) [RHEL-183592] {CVE-2025-10263} +- arm64: cputype: Add C1-Ultra definitions (Mark Salter) [RHEL-183592] {CVE-2025-10263} +- arm64: cputype: Add C1-Premium definitions (Mark Salter) [RHEL-183592] {CVE-2025-10263} +- arm64: cputype: Add C1-Pro definitions (Mark Salter) [RHEL-183592] {CVE-2025-10263} +- crypto: krb5 - filter out async aead implementations at alloc (CKI Backport Bot) [RHEL-182537] +- crypto: krb5enc - fix async decrypt skipping hash verification (CKI Backport Bot) [RHEL-182537] +- crypto: krb5enc - fix sleepable flag handling in encrypt dispatch (CKI Backport Bot) [RHEL-182537] +- crypto: testmgr - allow authenc(hmac(sha{256,384}),cts(cbc(aes))) in FIPS mode (CKI Backport Bot) [RHEL-182537] +- ASoC: SDCA: fix NULL 
pointer dereference in sdca_dev_unregister_functions (CKI Backport Bot) [RHEL-185110] +- KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry (CKI Backport Bot) [RHEL-183965] {CVE-2026-46316} +- netfilter: nft_inner: Fix IPv6 inner_thoff desync (CKI Backport Bot) [RHEL-181936] {CVE-2026-46244} +- drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs() (CKI Backport Bot) [RHEL-179912] {CVE-2026-46209} +- rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets (CKI Backport Bot) [RHEL-179566] {CVE-2026-45998} +- rxrpc: Fix potential UAF after skb_unshare() failure (CKI Backport Bot) [RHEL-179566] {CVE-2026-45998} + * Wed Jul 01 2026 Andrew Lukoshko - 6.12.0-211.29.1 - Recreate RHEL 6.12.0-211.29.1 from CentOS Stream 10 and upstream stable backports (1386-1398) - Retain AlmaLinux ahead-of-RHEL fixes: CVE-2026-46316 (1374), ipv4/ipv6 fraggap (1384-1385)