Apply ssh-keysign-pwn fix

(cherry picked from commit 1b378ac076)
Apply Fragnesia fixes
2026-05-18 13:02:29 +00:00 · 2026-05-15 08:46:44 +00:00 · 2026-05-08 13:05:37 +00:00 · 2026-05-08 08:52:42 +00:00 · 2026-04-30 15:09:52 +00:00 · 2026-04-30 14:20:43 +00:00
14 changed files with 1807 additions and 262546 deletions
--- a/.raspberrypi2.metadata
+++ b/.raspberrypi2.metadata
@ -1,3 +1,2 @@
-62f4117436e8eaa59e4974300a4481174a4ef1af SOURCES/cb9500d6021e083a182ba168fe4424e3db2494cf.tar.gz
-30996d7c1c59ddbd495bd9eb37c8dfdb1a67c1c3 SOURCES/linux-6.1.tar.xz
-7fb75dae049c3687780b214931dca33820ebddc9 SOURCES/patch-6.1.31.xz
+25cfd4609f553d2dfecf70664da814f5064c194b SOURCES/stable_20250916.tar.gz
+be897efea93afd8c6ccc39a2667166f7398fc97a SOURCES/1.20250915.tar.gz
--- a/SOURCES/1100-CVE-2026-31431-crypto-Copy-Fail-fixes.patch
+++ b/SOURCES/1100-CVE-2026-31431-crypto-Copy-Fail-fixes.patch
@ -0,0 +1,952 @@
+From: AlmaLinux Backport <packager@almalinux.org>
+Subject: [PATCH] CVE-2026-31431 ("Copy Fail"): crypto AEAD/algif fixes from linux-6.12.y
+
+Combined backport addressing CVE-2026-31431 ("Copy Fail"), reported by
+Taeyang Lee <0wn@theori.io>. Pulls one prerequisite (committed 2026-01-30
+to linux-6.12.y) plus eight 2026-04-30 stable fixes:
+
+  161bdc90fce2 crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec
+  41c3aa511e6e crypto: scatterwalk - Backport memcpy_sglist()
+  183137264401 crypto: algif_aead - use memcpy_sglist() instead of null skcipher
+  8b88d99341f1 crypto: algif_aead - Revert to operating out-of-place
+  46fdb39e8322 crypto: algif_aead - snapshot IV for async AEAD requests
+  7bc058a9b82b crypto: authenc - use memcpy_sglist() instead of null skcipher
+  89fe118b6470 crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption
+  129f12934401 crypto: authencesn - Fix src offset when decrypting in-place
+  c8369a6d62f5 crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl
+
+161bdc90 is the prerequisite for 89fe118b6470 to apply.
+
+Signed-off-by: Andrew Lukoshko <alukoshko@almalinux.org>
+---
+--- a/crypto/af_alg.c
+++ b/crypto/af_alg.c
+@@ -635,15 +635,13 @@
+ /**
+  * af_alg_count_tsgl - Count number of TX SG entries
+  *
+- * The counting starts from the beginning of the SGL to @bytes. If
+- * an @offset is provided, the counting of the SG entries starts at the @offset.
+ * The counting starts from the beginning of the SGL to @bytes.
+  *
+  * @sk: socket of connection to user space
+  * @bytes: Count the number of SG entries holding given number of bytes.
+- * @offset: Start the counting of SG entries from the given offset.
+  * Return: Number of TX SG entries found given the constraints
+  */
+-unsigned int af_alg_count_tsgl(struct sock *sk, size_t bytes, size_t offset)
+unsigned int af_alg_count_tsgl(struct sock *sk, size_t bytes)
+ {
+ 	const struct alg_sock *ask = alg_sk(sk);
+ 	const struct af_alg_ctx *ctx = ask->private;
+@@ -658,25 +656,11 @@
+ 		const struct scatterlist *sg = sgl->sg;
+ 
+ 		for (i = 0; i < sgl->cur; i++) {
+-			size_t bytes_count;
+-
+-			/* Skip offset */
+-			if (offset >= sg[i].length) {
+-				offset -= sg[i].length;
+-				bytes -= sg[i].length;
+-				continue;
+-			}
+-
+-			bytes_count = sg[i].length - offset;
+-
+-			offset = 0;
+ 			sgl_count++;
+-
+-			/* If we have seen requested number of bytes, stop */
+-			if (bytes_count >= bytes)
+			if (sg[i].length >= bytes)
+ 				return sgl_count;
+ 
+-			bytes -= bytes_count;
+			bytes -= sg[i].length;
+ 		}
+ 	}
+ 
+@@ -688,19 +672,14 @@
+  * af_alg_pull_tsgl - Release the specified buffers from TX SGL
+  *
+  * If @dst is non-null, reassign the pages to @dst. The caller must release
+- * the pages. If @dst_offset is given only reassign the pages to @dst starting
+- * at the @dst_offset (byte). The caller must ensure that @dst is large
+- * enough (e.g. by using af_alg_count_tsgl with the same offset).
+ * the pages.
+  *
+  * @sk: socket of connection to user space
+  * @used: Number of bytes to pull from TX SGL
+  * @dst: If non-NULL, buffer is reassigned to dst SGL instead of releasing. The
+  *	 caller must release the buffers in dst.
+- * @dst_offset: Reassign the TX SGL from given offset. All buffers before
+- *	        reaching the offset is released.
+  */
+-void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst,
+-		      size_t dst_offset)
+void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst)
+ {
+ 	struct alg_sock *ask = alg_sk(sk);
+ 	struct af_alg_ctx *ctx = ask->private;
+@@ -724,19 +703,11 @@
+ 			 * Assumption: caller created af_alg_count_tsgl(len)
+ 			 * SG entries in dst.
+ 			 */
+-			if (dst) {
+-				if (dst_offset >= plen) {
+-					/* discard page before offset */
+-					dst_offset -= plen;
+-				} else {
+-					/* reassign page to dst after offset */
+-					get_page(page);
+-					sg_set_page(dst + j, page,
+-						    plen - dst_offset,
+-						    sg[i].offset + dst_offset);
+-					dst_offset = 0;
+-					j++;
+-				}
+			if (dst && plen) {
+				/* reassign page to dst */
+				get_page(page);
+				sg_set_page(dst + j, page, plen, sg[i].offset);
+				j++;
+ 			}
+ 
+ 			sg[i].length -= plen;
+--- a/crypto/algif_aead.c
+++ b/crypto/algif_aead.c
+@@ -26,8 +26,6 @@
+ #include <crypto/internal/aead.h>
+ #include <crypto/scatterwalk.h>
+ #include <crypto/if_alg.h>
+-#include <crypto/skcipher.h>
+-#include <crypto/null.h>
+ #include <linux/init.h>
+ #include <linux/list.h>
+ #include <linux/kernel.h>
+@@ -36,19 +34,13 @@
+ #include <linux/net.h>
+ #include <net/sock.h>
+ 
+-struct aead_tfm {
+-	struct crypto_aead *aead;
+-	struct crypto_sync_skcipher *null_tfm;
+-};
+-
+ static inline bool aead_sufficient_data(struct sock *sk)
+ {
+ 	struct alg_sock *ask = alg_sk(sk);
+ 	struct sock *psk = ask->parent;
+ 	struct alg_sock *pask = alg_sk(psk);
+ 	struct af_alg_ctx *ctx = ask->private;
+-	struct aead_tfm *aeadc = pask->private;
+-	struct crypto_aead *tfm = aeadc->aead;
+	struct crypto_aead *tfm = pask->private;
+ 	unsigned int as = crypto_aead_authsize(tfm);
+ 
+ 	/*
+@@ -64,27 +56,12 @@
+ 	struct alg_sock *ask = alg_sk(sk);
+ 	struct sock *psk = ask->parent;
+ 	struct alg_sock *pask = alg_sk(psk);
+-	struct aead_tfm *aeadc = pask->private;
+-	struct crypto_aead *tfm = aeadc->aead;
+	struct crypto_aead *tfm = pask->private;
+ 	unsigned int ivsize = crypto_aead_ivsize(tfm);
+ 
+ 	return af_alg_sendmsg(sock, msg, size, ivsize);
+ }
+ 
+-static int crypto_aead_copy_sgl(struct crypto_sync_skcipher *null_tfm,
+-				struct scatterlist *src,
+-				struct scatterlist *dst, unsigned int len)
+-{
+-	SYNC_SKCIPHER_REQUEST_ON_STACK(skreq, null_tfm);
+-
+-	skcipher_request_set_sync_tfm(skreq, null_tfm);
+-	skcipher_request_set_callback(skreq, CRYPTO_TFM_REQ_MAY_SLEEP,
+-				      NULL, NULL);
+-	skcipher_request_set_crypt(skreq, src, dst, len, NULL);
+-
+-	return crypto_skcipher_encrypt(skreq);
+-}
+-
+ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg,
+ 			 size_t ignored, int flags)
+ {
+@@ -93,13 +70,12 @@
+ 	struct sock *psk = ask->parent;
+ 	struct alg_sock *pask = alg_sk(psk);
+ 	struct af_alg_ctx *ctx = ask->private;
+-	struct aead_tfm *aeadc = pask->private;
+-	struct crypto_aead *tfm = aeadc->aead;
+-	struct crypto_sync_skcipher *null_tfm = aeadc->null_tfm;
+-	unsigned int i, as = crypto_aead_authsize(tfm);
+	struct crypto_aead *tfm = pask->private;
+	unsigned int as = crypto_aead_authsize(tfm);
+	unsigned int ivsize = crypto_aead_ivsize(tfm);
+ 	struct af_alg_async_req *areq;
+-	struct af_alg_tsgl *tsgl, *tmp;
+ 	struct scatterlist *rsgl_src, *tsgl_src = NULL;
+	void *iv;
+ 	int err = 0;
+ 	size_t used = 0;		/* [in]  TX bufs to be en/decrypted */
+ 	size_t outlen = 0;		/* [out] RX bufs produced by kernel */
+@@ -151,10 +127,14 @@
+ 
+ 	/* Allocate cipher request for current operation. */
+ 	areq = af_alg_alloc_areq(sk, sizeof(struct af_alg_async_req) +
+-				     crypto_aead_reqsize(tfm));
+				     crypto_aead_reqsize(tfm) + ivsize);
+ 	if (IS_ERR(areq))
+ 		return PTR_ERR(areq);
+ 
+	iv = (u8 *)aead_request_ctx(&areq->cra_u.aead_req) +
+	     crypto_aead_reqsize(tfm);
+	memcpy(iv, ctx->iv, ivsize);
+
+ 	/* convert iovecs of output buffers into RX SGL */
+ 	err = af_alg_get_rsgl(sk, msg, flags, areq, outlen, &usedpages);
+ 	if (err)
+@@ -178,23 +158,24 @@
+ 		outlen -= less;
+ 	}
+ 
+	/*
+	 * Create a per request TX SGL for this request which tracks the
+	 * SG entries from the global TX SGL.
+	 */
+ 	processed = used + ctx->aead_assoclen;
+-	list_for_each_entry_safe(tsgl, tmp, &ctx->tsgl_list, list) {
+-		for (i = 0; i < tsgl->cur; i++) {
+-			struct scatterlist *process_sg = tsgl->sg + i;
+-
+-			if (!(process_sg->length) || !sg_page(process_sg))
+-				continue;
+-			tsgl_src = process_sg;
+-			break;
+-		}
+-		if (tsgl_src)
+-			break;
+-	}
+-	if (processed && !tsgl_src) {
+-		err = -EFAULT;
+	areq->tsgl_entries = af_alg_count_tsgl(sk, processed);
+	if (!areq->tsgl_entries)
+		areq->tsgl_entries = 1;
+	areq->tsgl = sock_kmalloc(sk, array_size(sizeof(*areq->tsgl),
+					         areq->tsgl_entries),
+				  GFP_KERNEL);
+	if (!areq->tsgl) {
+		err = -ENOMEM;
+ 		goto free;
+ 	}
+	sg_init_table(areq->tsgl, areq->tsgl_entries);
+	af_alg_pull_tsgl(sk, processed, areq->tsgl);
+	tsgl_src = areq->tsgl;
+ 
+ 	/*
+ 	 * Copy of AAD from source to destination
+@@ -203,84 +184,16 @@
+ 	 * when user space uses an in-place cipher operation, the kernel
+ 	 * will copy the data as it does not see whether such in-place operation
+ 	 * is initiated.
+-	 *
+-	 * To ensure efficiency, the following implementation ensure that the
+-	 * ciphers are invoked to perform a crypto operation in-place. This
+-	 * is achieved by memory management specified as follows.
+ 	 */
+ 
+ 	/* Use the RX SGL as source (and destination) for crypto op. */
+ 	rsgl_src = areq->first_rsgl.sgl.sgt.sgl;
+ 
+-	if (ctx->enc) {
+-		/*
+-		 * Encryption operation - The in-place cipher operation is
+-		 * achieved by the following operation:
+-		 *
+-		 * TX SGL: AAD || PT
+-		 *	    |	   |
+-		 *	    | copy |
+-		 *	    v	   v
+-		 * RX SGL: AAD || PT || Tag
+-		 */
+-		err = crypto_aead_copy_sgl(null_tfm, tsgl_src,
+-					   areq->first_rsgl.sgl.sgt.sgl,
+-					   processed);
+-		if (err)
+-			goto free;
+-		af_alg_pull_tsgl(sk, processed, NULL, 0);
+-	} else {
+-		/*
+-		 * Decryption operation - To achieve an in-place cipher
+-		 * operation, the following  SGL structure is used:
+-		 *
+-		 * TX SGL: AAD || CT || Tag
+-		 *	    |	   |	 ^
+-		 *	    | copy |	 | Create SGL link.
+-		 *	    v	   v	 |
+-		 * RX SGL: AAD || CT ----+
+-		 */
+-
+-		 /* Copy AAD || CT to RX SGL buffer for in-place operation. */
+-		err = crypto_aead_copy_sgl(null_tfm, tsgl_src,
+-					   areq->first_rsgl.sgl.sgt.sgl,
+-					   outlen);
+-		if (err)
+-			goto free;
+-
+-		/* Create TX SGL for tag and chain it to RX SGL. */
+-		areq->tsgl_entries = af_alg_count_tsgl(sk, processed,
+-						       processed - as);
+-		if (!areq->tsgl_entries)
+-			areq->tsgl_entries = 1;
+-		areq->tsgl = sock_kmalloc(sk, array_size(sizeof(*areq->tsgl),
+-							 areq->tsgl_entries),
+-					  GFP_KERNEL);
+-		if (!areq->tsgl) {
+-			err = -ENOMEM;
+-			goto free;
+-		}
+-		sg_init_table(areq->tsgl, areq->tsgl_entries);
+-
+-		/* Release TX SGL, except for tag data and reassign tag data. */
+-		af_alg_pull_tsgl(sk, processed, areq->tsgl, processed - as);
+-
+-		/* chain the areq TX SGL holding the tag with RX SGL */
+-		if (usedpages) {
+-			/* RX SGL present */
+-			struct af_alg_sgl *sgl_prev = &areq->last_rsgl->sgl;
+-			struct scatterlist *sg = sgl_prev->sgt.sgl;
+-
+-			sg_unmark_end(sg + sgl_prev->sgt.nents - 1);
+-			sg_chain(sg, sgl_prev->sgt.nents + 1, areq->tsgl);
+-		} else
+-			/* no RX SGL present (e.g. authentication only) */
+-			rsgl_src = areq->tsgl;
+-	}
+	memcpy_sglist(rsgl_src, tsgl_src, ctx->aead_assoclen);
+ 
+ 	/* Initialize the crypto operation */
+-	aead_request_set_crypt(&areq->cra_u.aead_req, rsgl_src,
+-			       areq->first_rsgl.sgl.sgt.sgl, used, ctx->iv);
+	aead_request_set_crypt(&areq->cra_u.aead_req, tsgl_src,
+			       areq->first_rsgl.sgl.sgt.sgl, used, iv);
+ 	aead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen);
+ 	aead_request_set_tfm(&areq->cra_u.aead_req, tfm);
+ 
+@@ -379,7 +292,7 @@
+ 	int err = 0;
+ 	struct sock *psk;
+ 	struct alg_sock *pask;
+-	struct aead_tfm *tfm;
+	struct crypto_aead *tfm;
+ 	struct sock *sk = sock->sk;
+ 	struct alg_sock *ask = alg_sk(sk);
+ 
+@@ -393,7 +306,7 @@
+ 
+ 	err = -ENOKEY;
+ 	lock_sock_nested(psk, SINGLE_DEPTH_NESTING);
+-	if (crypto_aead_get_flags(tfm->aead) & CRYPTO_TFM_NEED_KEY)
+	if (crypto_aead_get_flags(tfm) & CRYPTO_TFM_NEED_KEY)
+ 		goto unlock;
+ 
+ 	atomic_dec(&pask->nokey_refcnt);
+@@ -454,54 +367,22 @@
+ 
+ static void *aead_bind(const char *name, u32 type, u32 mask)
+ {
+-	struct aead_tfm *tfm;
+-	struct crypto_aead *aead;
+-	struct crypto_sync_skcipher *null_tfm;
+-
+-	tfm = kzalloc(sizeof(*tfm), GFP_KERNEL);
+-	if (!tfm)
+-		return ERR_PTR(-ENOMEM);
+-
+-	aead = crypto_alloc_aead(name, type, mask);
+-	if (IS_ERR(aead)) {
+-		kfree(tfm);
+-		return ERR_CAST(aead);
+-	}
+-
+-	null_tfm = crypto_get_default_null_skcipher();
+-	if (IS_ERR(null_tfm)) {
+-		crypto_free_aead(aead);
+-		kfree(tfm);
+-		return ERR_CAST(null_tfm);
+-	}
+-
+-	tfm->aead = aead;
+-	tfm->null_tfm = null_tfm;
+-
+-	return tfm;
+	return crypto_alloc_aead(name, type, mask);
+ }
+ 
+ static void aead_release(void *private)
+ {
+-	struct aead_tfm *tfm = private;
+-
+-	crypto_free_aead(tfm->aead);
+-	crypto_put_default_null_skcipher();
+-	kfree(tfm);
+	crypto_free_aead(private);
+ }
+ 
+ static int aead_setauthsize(void *private, unsigned int authsize)
+ {
+-	struct aead_tfm *tfm = private;
+-
+-	return crypto_aead_setauthsize(tfm->aead, authsize);
+	return crypto_aead_setauthsize(private, authsize);
+ }
+ 
+ static int aead_setkey(void *private, const u8 *key, unsigned int keylen)
+ {
+-	struct aead_tfm *tfm = private;
+-
+-	return crypto_aead_setkey(tfm->aead, key, keylen);
+	return crypto_aead_setkey(private, key, keylen);
+ }
+ 
+ static void aead_sock_destruct(struct sock *sk)
+@@ -510,11 +391,10 @@
+ 	struct af_alg_ctx *ctx = ask->private;
+ 	struct sock *psk = ask->parent;
+ 	struct alg_sock *pask = alg_sk(psk);
+-	struct aead_tfm *aeadc = pask->private;
+-	struct crypto_aead *tfm = aeadc->aead;
+	struct crypto_aead *tfm = pask->private;
+ 	unsigned int ivlen = crypto_aead_ivsize(tfm);
+ 
+-	af_alg_pull_tsgl(sk, ctx->used, NULL, 0);
+	af_alg_pull_tsgl(sk, ctx->used, NULL);
+ 	sock_kzfree_s(sk, ctx->iv, ivlen);
+ 	sock_kfree_s(sk, ctx, ctx->len);
+ 	af_alg_release_parent(sk);
+@@ -524,10 +404,9 @@
+ {
+ 	struct af_alg_ctx *ctx;
+ 	struct alg_sock *ask = alg_sk(sk);
+-	struct aead_tfm *tfm = private;
+-	struct crypto_aead *aead = tfm->aead;
+	struct crypto_aead *tfm = private;
+ 	unsigned int len = sizeof(*ctx);
+-	unsigned int ivlen = crypto_aead_ivsize(aead);
+	unsigned int ivlen = crypto_aead_ivsize(tfm);
+ 
+ 	ctx = sock_kmalloc(sk, len, GFP_KERNEL);
+ 	if (!ctx)
+@@ -554,9 +433,9 @@
+ 
+ static int aead_accept_parent(void *private, struct sock *sk)
+ {
+-	struct aead_tfm *tfm = private;
+	struct crypto_aead *tfm = private;
+ 
+-	if (crypto_aead_get_flags(tfm->aead) & CRYPTO_TFM_NEED_KEY)
+	if (crypto_aead_get_flags(tfm) & CRYPTO_TFM_NEED_KEY)
+ 		return -ENOKEY;
+ 
+ 	return aead_accept_parent_nokey(private, sk);
+--- a/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
+@@ -138,7 +138,7 @@
+ 	 * Create a per request TX SGL for this request which tracks the
+ 	 * SG entries from the global TX SGL.
+ 	 */
+-	areq->tsgl_entries = af_alg_count_tsgl(sk, len, 0);
+	areq->tsgl_entries = af_alg_count_tsgl(sk, len);
+ 	if (!areq->tsgl_entries)
+ 		areq->tsgl_entries = 1;
+ 	areq->tsgl = sock_kmalloc(sk, array_size(sizeof(*areq->tsgl),
+@@ -149,7 +149,7 @@
+ 		goto free;
+ 	}
+ 	sg_init_table(areq->tsgl, areq->tsgl_entries);
+-	af_alg_pull_tsgl(sk, len, areq->tsgl, 0);
+	af_alg_pull_tsgl(sk, len, areq->tsgl);
+ 
+ 	/* Initialize the crypto operation */
+ 	skcipher_request_set_tfm(&areq->cra_u.skcipher_req, tfm);
+@@ -363,7 +363,7 @@
+ 	struct alg_sock *pask = alg_sk(psk);
+ 	struct crypto_skcipher *tfm = pask->private;
+ 
+-	af_alg_pull_tsgl(sk, ctx->used, NULL, 0);
+	af_alg_pull_tsgl(sk, ctx->used, NULL);
+ 	sock_kzfree_s(sk, ctx->iv, crypto_skcipher_ivsize(tfm));
+ 	if (ctx->state)
+ 		sock_kzfree_s(sk, ctx->state, crypto_skcipher_statesize(tfm));
+--- a/crypto/authenc.c
+++ b/crypto/authenc.c
+@@ -9,7 +9,6 @@
+ #include <crypto/internal/hash.h>
+ #include <crypto/internal/skcipher.h>
+ #include <crypto/authenc.h>
+-#include <crypto/null.h>
+ #include <crypto/scatterwalk.h>
+ #include <linux/err.h>
+ #include <linux/init.h>
+@@ -28,7 +27,6 @@
+ struct crypto_authenc_ctx {
+ 	struct crypto_ahash *auth;
+ 	struct crypto_skcipher *enc;
+-	struct crypto_sync_skcipher *null;
+ };
+ 
+ struct authenc_request_ctx {
+@@ -170,21 +168,6 @@
+ 	authenc_request_complete(areq, err);
+ }
+ 
+-static int crypto_authenc_copy_assoc(struct aead_request *req)
+-{
+-	struct crypto_aead *authenc = crypto_aead_reqtfm(req);
+-	struct crypto_authenc_ctx *ctx = crypto_aead_ctx(authenc);
+-	SYNC_SKCIPHER_REQUEST_ON_STACK(skreq, ctx->null);
+-
+-	skcipher_request_set_sync_tfm(skreq, ctx->null);
+-	skcipher_request_set_callback(skreq, aead_request_flags(req),
+-				      NULL, NULL);
+-	skcipher_request_set_crypt(skreq, req->src, req->dst, req->assoclen,
+-				   NULL);
+-
+-	return crypto_skcipher_encrypt(skreq);
+-}
+-
+ static int crypto_authenc_encrypt(struct aead_request *req)
+ {
+ 	struct crypto_aead *authenc = crypto_aead_reqtfm(req);
+@@ -203,10 +186,7 @@
+ 	dst = src;
+ 
+ 	if (req->src != req->dst) {
+-		err = crypto_authenc_copy_assoc(req);
+-		if (err)
+-			return err;
+-
+		memcpy_sglist(req->dst, req->src, req->assoclen);
+ 		dst = scatterwalk_ffwd(areq_ctx->dst, req->dst, req->assoclen);
+ 	}
+ 
+@@ -303,7 +283,6 @@
+ 	struct crypto_authenc_ctx *ctx = crypto_aead_ctx(tfm);
+ 	struct crypto_ahash *auth;
+ 	struct crypto_skcipher *enc;
+-	struct crypto_sync_skcipher *null;
+ 	int err;
+ 
+ 	auth = crypto_spawn_ahash(&ictx->auth);
+@@ -315,14 +294,8 @@
+ 	if (IS_ERR(enc))
+ 		goto err_free_ahash;
+ 
+-	null = crypto_get_default_null_skcipher();
+-	err = PTR_ERR(null);
+-	if (IS_ERR(null))
+-		goto err_free_skcipher;
+-
+ 	ctx->auth = auth;
+ 	ctx->enc = enc;
+-	ctx->null = null;
+ 
+ 	crypto_aead_set_reqsize(
+ 		tfm,
+@@ -336,8 +309,6 @@
+ 
+ 	return 0;
+ 
+-err_free_skcipher:
+-	crypto_free_skcipher(enc);
+ err_free_ahash:
+ 	crypto_free_ahash(auth);
+ 	return err;
+@@ -349,7 +320,6 @@
+ 
+ 	crypto_free_ahash(ctx->auth);
+ 	crypto_free_skcipher(ctx->enc);
+-	crypto_put_default_null_skcipher();
+ }
+ 
+ static void crypto_authenc_free(struct aead_instance *inst)
+--- a/crypto/authencesn.c
+++ b/crypto/authencesn.c
+@@ -12,7 +12,6 @@
+ #include <crypto/internal/hash.h>
+ #include <crypto/internal/skcipher.h>
+ #include <crypto/authenc.h>
+-#include <crypto/null.h>
+ #include <crypto/scatterwalk.h>
+ #include <linux/err.h>
+ #include <linux/init.h>
+@@ -31,7 +30,6 @@
+ 	unsigned int reqoff;
+ 	struct crypto_ahash *auth;
+ 	struct crypto_skcipher *enc;
+-	struct crypto_sync_skcipher *null;
+ };
+ 
+ struct authenc_esn_request_ctx {
+@@ -158,20 +156,6 @@
+ 	authenc_esn_request_complete(areq, err);
+ }
+ 
+-static int crypto_authenc_esn_copy(struct aead_request *req, unsigned int len)
+-{
+-	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
+-	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
+-	SYNC_SKCIPHER_REQUEST_ON_STACK(skreq, ctx->null);
+-
+-	skcipher_request_set_sync_tfm(skreq, ctx->null);
+-	skcipher_request_set_callback(skreq, aead_request_flags(req),
+-				      NULL, NULL);
+-	skcipher_request_set_crypt(skreq, req->src, req->dst, len, NULL);
+-
+-	return crypto_skcipher_encrypt(skreq);
+-}
+-
+ static int crypto_authenc_esn_encrypt(struct aead_request *req)
+ {
+ 	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
+@@ -185,15 +169,15 @@
+ 	struct scatterlist *src, *dst;
+ 	int err;
+ 
+	if (assoclen < 8)
+		return -EINVAL;
+
+ 	sg_init_table(areq_ctx->src, 2);
+ 	src = scatterwalk_ffwd(areq_ctx->src, req->src, assoclen);
+ 	dst = src;
+ 
+ 	if (req->src != req->dst) {
+-		err = crypto_authenc_esn_copy(req, assoclen);
+-		if (err)
+-			return err;
+-
+		memcpy_sglist(req->dst, req->src, assoclen);
+ 		sg_init_table(areq_ctx->dst, 2);
+ 		dst = scatterwalk_ffwd(areq_ctx->dst, req->dst, assoclen);
+ 	}
+@@ -223,6 +207,7 @@
+ 	u8 *ohash = areq_ctx->tail;
+ 	unsigned int cryptlen = req->cryptlen - authsize;
+ 	unsigned int assoclen = req->assoclen;
+	struct scatterlist *src = req->src;
+ 	struct scatterlist *dst = req->dst;
+ 	u8 *ihash = ohash + crypto_ahash_digestsize(auth);
+ 	u32 tmp[2];
+@@ -230,23 +215,29 @@
+ 	if (!authsize)
+ 		goto decrypt;
+ 
+-	/* Move high-order bits of sequence number back. */
+-	scatterwalk_map_and_copy(tmp, dst, 4, 4, 0);
+-	scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 0);
+-	scatterwalk_map_and_copy(tmp, dst, 0, 8, 1);
+	if (src == dst) {
+		/* Move high-order bits of sequence number back. */
+		scatterwalk_map_and_copy(tmp, dst, 4, 4, 0);
+		scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 0);
+		scatterwalk_map_and_copy(tmp, dst, 0, 8, 1);
+	} else
+		memcpy_sglist(dst, src, assoclen);
+ 
+ 	if (crypto_memneq(ihash, ohash, authsize))
+ 		return -EBADMSG;
+ 
+ decrypt:
+ 
+-	sg_init_table(areq_ctx->dst, 2);
+ 	dst = scatterwalk_ffwd(areq_ctx->dst, dst, assoclen);
+	if (req->src == req->dst)
+		src = dst;
+	else
+		src = scatterwalk_ffwd(areq_ctx->src, src, assoclen);
+ 
+ 	skcipher_request_set_tfm(skreq, ctx->enc);
+ 	skcipher_request_set_callback(skreq, flags,
+ 				      req->base.complete, req->base.data);
+-	skcipher_request_set_crypt(skreq, dst, dst, cryptlen, req->iv);
+	skcipher_request_set_crypt(skreq, src, dst, cryptlen, req->iv);
+ 
+ 	return crypto_skcipher_decrypt(skreq);
+ }
+@@ -271,31 +262,36 @@
+ 	unsigned int assoclen = req->assoclen;
+ 	unsigned int cryptlen = req->cryptlen;
+ 	u8 *ihash = ohash + crypto_ahash_digestsize(auth);
+	struct scatterlist *src = req->src;
+ 	struct scatterlist *dst = req->dst;
+ 	u32 tmp[2];
+ 	int err;
+ 
+-	cryptlen -= authsize;
+	if (assoclen < 8)
+		return -EINVAL;
+ 
+-	if (req->src != dst) {
+-		err = crypto_authenc_esn_copy(req, assoclen + cryptlen);
+-		if (err)
+-			return err;
+-	}
+	if (!authsize)
+		goto tail;
+ 
+	cryptlen -= authsize;
+ 	scatterwalk_map_and_copy(ihash, req->src, assoclen + cryptlen,
+ 				 authsize, 0);
+ 
+-	if (!authsize)
+-		goto tail;
+-
+ 	/* Move high-order bits of sequence number to the end. */
+-	scatterwalk_map_and_copy(tmp, dst, 0, 8, 0);
+-	scatterwalk_map_and_copy(tmp, dst, 4, 4, 1);
+-	scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 1);
+-
+-	sg_init_table(areq_ctx->dst, 2);
+-	dst = scatterwalk_ffwd(areq_ctx->dst, dst, 4);
+	scatterwalk_map_and_copy(tmp, src, 0, 8, 0);
+	if (src == dst) {
+		scatterwalk_map_and_copy(tmp, dst, 4, 4, 1);
+		scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 1);
+		dst = scatterwalk_ffwd(areq_ctx->dst, dst, 4);
+	} else {
+		scatterwalk_map_and_copy(tmp, dst, 0, 4, 1);
+		scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen - 4, 4, 1);
+
+		src = scatterwalk_ffwd(areq_ctx->src, src, 8);
+		dst = scatterwalk_ffwd(areq_ctx->dst, dst, 4);
+		memcpy_sglist(dst, src, assoclen + cryptlen - 8);
+		dst = req->dst;
+	}
+ 
+ 	ahash_request_set_tfm(ahreq, auth);
+ 	ahash_request_set_crypt(ahreq, dst, ohash, assoclen + cryptlen);
+@@ -317,7 +313,6 @@
+ 	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(tfm);
+ 	struct crypto_ahash *auth;
+ 	struct crypto_skcipher *enc;
+-	struct crypto_sync_skcipher *null;
+ 	int err;
+ 
+ 	auth = crypto_spawn_ahash(&ictx->auth);
+@@ -329,14 +324,8 @@
+ 	if (IS_ERR(enc))
+ 		goto err_free_ahash;
+ 
+-	null = crypto_get_default_null_skcipher();
+-	err = PTR_ERR(null);
+-	if (IS_ERR(null))
+-		goto err_free_skcipher;
+-
+ 	ctx->auth = auth;
+ 	ctx->enc = enc;
+-	ctx->null = null;
+ 
+ 	ctx->reqoff = 2 * crypto_ahash_digestsize(auth);
+ 
+@@ -352,8 +341,6 @@
+ 
+ 	return 0;
+ 
+-err_free_skcipher:
+-	crypto_free_skcipher(enc);
+ err_free_ahash:
+ 	crypto_free_ahash(auth);
+ 	return err;
+@@ -365,7 +352,6 @@
+ 
+ 	crypto_free_ahash(ctx->auth);
+ 	crypto_free_skcipher(ctx->enc);
+-	crypto_put_default_null_skcipher();
+ }
+ 
+ static void crypto_authenc_esn_free(struct aead_instance *inst)
+--- a/crypto/scatterwalk.c
+++ b/crypto/scatterwalk.c
+@@ -69,6 +69,100 @@
+ }
+ EXPORT_SYMBOL_GPL(scatterwalk_map_and_copy);
+ 
+/**
+ * memcpy_sglist() - Copy data from one scatterlist to another
+ * @dst: The destination scatterlist.  Can be NULL if @nbytes == 0.
+ * @src: The source scatterlist.  Can be NULL if @nbytes == 0.
+ * @nbytes: Number of bytes to copy
+ *
+ * The scatterlists can describe exactly the same memory, in which case this
+ * function is a no-op.  No other overlaps are supported.
+ *
+ * Context: Any context
+ */
+void memcpy_sglist(struct scatterlist *dst, struct scatterlist *src,
+		   unsigned int nbytes)
+{
+	unsigned int src_offset, dst_offset;
+
+	if (unlikely(nbytes == 0)) /* in case src and/or dst is NULL */
+		return;
+
+	src_offset = src->offset;
+	dst_offset = dst->offset;
+	for (;;) {
+		/* Compute the length to copy this step. */
+		unsigned int len = min3(src->offset + src->length - src_offset,
+					dst->offset + dst->length - dst_offset,
+					nbytes);
+		struct page *src_page = sg_page(src);
+		struct page *dst_page = sg_page(dst);
+		const void *src_virt;
+		void *dst_virt;
+
+		if (IS_ENABLED(CONFIG_HIGHMEM)) {
+			/* HIGHMEM: we may have to actually map the pages. */
+			const unsigned int src_oip = offset_in_page(src_offset);
+			const unsigned int dst_oip = offset_in_page(dst_offset);
+			const unsigned int limit = PAGE_SIZE;
+
+			/* Further limit len to not cross a page boundary. */
+			len = min3(len, limit - src_oip, limit - dst_oip);
+
+			/* Compute the source and destination pages. */
+			src_page += src_offset / PAGE_SIZE;
+			dst_page += dst_offset / PAGE_SIZE;
+
+			if (src_page != dst_page) {
+				/* Copy between different pages. */
+				memcpy_page(dst_page, dst_oip,
+					    src_page, src_oip, len);
+				flush_dcache_page(dst_page);
+			} else if (src_oip != dst_oip) {
+				/* Copy between different parts of same page. */
+				dst_virt = kmap_local_page(dst_page);
+				memcpy(dst_virt + dst_oip, dst_virt + src_oip,
+				       len);
+				kunmap_local(dst_virt);
+				flush_dcache_page(dst_page);
+			} /* Else, it's the same memory.  No action needed. */
+		} else {
+			/*
+			 * !HIGHMEM: no mapping needed.  Just work in the linear
+			 * buffer of each sg entry.  Note that we can cross page
+			 * boundaries, as they are not significant in this case.
+			 */
+			src_virt = page_address(src_page) + src_offset;
+			dst_virt = page_address(dst_page) + dst_offset;
+			if (src_virt != dst_virt) {
+				memcpy(dst_virt, src_virt, len);
+				if (ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE)
+					__scatterwalk_flush_dcache_pages(
+						dst_page, dst_offset, len);
+			} /* Else, it's the same memory.  No action needed. */
+		}
+		nbytes -= len;
+		if (nbytes == 0) /* No more to copy? */
+			break;
+
+		/*
+		 * There's more to copy.  Advance the offsets by the length
+		 * copied this step, and advance the sg entries as needed.
+		 */
+		src_offset += len;
+		if (src_offset >= src->offset + src->length) {
+			src = sg_next(src);
+			src_offset = src->offset;
+		}
+		dst_offset += len;
+		if (dst_offset >= dst->offset + dst->length) {
+			dst = sg_next(dst);
+			dst_offset = dst->offset;
+		}
+	}
+}
+EXPORT_SYMBOL_GPL(memcpy_sglist);
+
+ struct scatterlist *scatterwalk_ffwd(struct scatterlist dst[2],
+ 				     struct scatterlist *src,
+ 				     unsigned int len)
+--- a/crypto/Kconfig
+++ b/crypto/Kconfig
+@@ -222,7 +222,6 @@
+ 	select CRYPTO_SKCIPHER
+ 	select CRYPTO_MANAGER
+ 	select CRYPTO_HASH
+-	select CRYPTO_NULL
+ 	help
+ 	  Authenc: Combined mode wrapper for IPsec.
+ 
+@@ -1421,7 +1420,6 @@
+ 	depends on NET
+ 	select CRYPTO_AEAD
+ 	select CRYPTO_SKCIPHER
+-	select CRYPTO_NULL
+ 	select CRYPTO_USER_API
+ 	help
+ 	  Enable the userspace interface for AEAD cipher algorithms.
+--- a/include/crypto/if_alg.h
+++ b/include/crypto/if_alg.h
+@@ -228,9 +228,8 @@
+ 	return PAGE_SIZE <= af_alg_rcvbuf(sk);
+ }
+ 
+-unsigned int af_alg_count_tsgl(struct sock *sk, size_t bytes, size_t offset);
+-void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst,
+-		      size_t dst_offset);
+unsigned int af_alg_count_tsgl(struct sock *sk, size_t bytes);
+void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst);
+ void af_alg_wmem_wakeup(struct sock *sk);
+ int af_alg_wait_for_data(struct sock *sk, unsigned flags, unsigned min);
+ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size,
+--- a/include/crypto/scatterwalk.h
+++ b/include/crypto/scatterwalk.h
+@@ -83,6 +83,34 @@
+ 		scatterwalk_start(walk, sg_next(walk->sg));
+ }
+ 
+/*
+ * Flush the dcache of any pages that overlap the region
+ * [offset, offset + nbytes) relative to base_page.
+ *
+ * This should be called only when ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE, to ensure
+ * that all relevant code (including the call to sg_page() in the caller, if
+ * applicable) gets fully optimized out when !ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE.
+ */
+static inline void __scatterwalk_flush_dcache_pages(struct page *base_page,
+						    unsigned int offset,
+						    unsigned int nbytes)
+{
+	unsigned int num_pages;
+
+	base_page += offset / PAGE_SIZE;
+	offset %= PAGE_SIZE;
+
+	/*
+	 * This is an overflow-safe version of
+	 * num_pages = DIV_ROUND_UP(offset + nbytes, PAGE_SIZE).
+	 */
+	num_pages = nbytes / PAGE_SIZE;
+	num_pages += DIV_ROUND_UP(offset + (nbytes % PAGE_SIZE), PAGE_SIZE);
+
+	for (unsigned int i = 0; i < num_pages; i++)
+		flush_dcache_page(base_page + i);
+}
+
+ static inline void scatterwalk_done(struct scatter_walk *walk, int out,
+ 				    int more)
+ {
+@@ -94,6 +122,9 @@
+ void scatterwalk_copychunks(void *buf, struct scatter_walk *walk,
+ 			    size_t nbytes, int out);
+ 
+void memcpy_sglist(struct scatterlist *dst, struct scatterlist *src,
+		   unsigned int nbytes);
+
+ void scatterwalk_map_and_copy(void *buf, struct scatterlist *sg,
+ 			      unsigned int start, unsigned int nbytes, int out);
+ 
--- a/SOURCES/1101-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch
+++ b/SOURCES/1101-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch
@ -0,0 +1,77 @@
+From: Andrew Lukoshko <alukoshko@almalinux.org>
+Subject: [PATCH AlmaLinux 10] xfrm: esp: avoid in-place decrypt on shared skb frags
+
+Direct cherry-pick of upstream commit f4c50a4034e6 for AlmaLinux 10
+(6.12 kernel).
+
+Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no rejects)
+against kernel-6.12.0-124.55.1.el10_1.
+
+ESP-in-UDP packets built from MSG_SPLICE_PAGES (pipe pages) look like
+ordinary uncloned nonlinear skbs to ESP input, which takes the no-COW
+fast path and decrypts in place over data that is not owned privately
+by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG
+matching TCP, and make ESP input fall back to skb_cow_data() when the
+flag is present.
+
+Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
+Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
+Fixes: 7da0dde68486 ("ip, udp: Support MSG_SPLICE_PAGES")
+Fixes: 6d8192bd69bb ("ip6, udp6: Support MSG_SPLICE_PAGES")
+(cherry picked from commit f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4)
+Signed-off-by: Andrew Lukoshko <alukoshko@almalinux.org>
+---
+ net/ipv4/esp4.c       | 3 ++-
+ net/ipv4/ip_output.c  | 2 ++
+ net/ipv6/esp6.c       | 3 ++-
+ net/ipv6/ip6_output.c | 2 ++
+ 4 files changed, 8 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
+@@ -908,7 +908,8 @@
+ 			nfrags = 1;
+ 
+ 			goto skip_cow;
+-		} else if (!skb_has_frag_list(skb)) {
+		} else if (!skb_has_frag_list(skb) &&
+			   !skb_has_shared_frag(skb)) {
+ 			nfrags = skb_shinfo(skb)->nr_frags;
+ 			nfrags++;
+ 
+--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
+@@ -1236,6 +1236,8 @@
+ 			if (err < 0)
+ 				goto error;
+ 			copy = err;
+			if (!(flags & MSG_NO_SHARED_FRAGS))
+				skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
+ 			wmem_alloc_delta += copy;
+ 		} else if (!zc) {
+ 			int i = skb_shinfo(skb)->nr_frags;
+--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
+@@ -950,7 +950,8 @@
+ 			nfrags = 1;
+ 
+ 			goto skip_cow;
+-		} else if (!skb_has_frag_list(skb)) {
+		} else if (!skb_has_frag_list(skb) &&
+			   !skb_has_shared_frag(skb)) {
+ 			nfrags = skb_shinfo(skb)->nr_frags;
+ 			nfrags++;
+ 
+--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
+@@ -1769,6 +1769,8 @@
+ 			if (err < 0)
+ 				goto error;
+ 			copy = err;
+			if (!(flags & MSG_NO_SHARED_FRAGS))
+				skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
+ 			wmem_alloc_delta += copy;
+ 		} else if (!zc) {
+ 			int i = skb_shinfo(skb)->nr_frags;
+--
+2.43.0
--- a/SOURCES/1102-rxrpc-linearize-paged-frags.patch
+++ b/SOURCES/1102-rxrpc-linearize-paged-frags.patch
@ -0,0 +1,68 @@
+From: Andrew Lukoshko <alukoshko@almalinux.org>
+Subject: [PATCH AlmaLinux 10] rxrpc: linearize incoming DATA packet when it has paged frags
+
+AlmaLinux-specific backport of the intent of the upstream rxrpc fix
+posted at https://lore.kernel.org/all/afKV2zGR6rrelPC7@v4bel/
+(sibling to upstream commit f4c50a4034e6 in the ESP/xfrm subsystem).
+
+The upstream patch can not be cherry-picked against this 6.12 tree:
+its target lines were introduced by upstream commit d0d5c0cd1e71
+("rxrpc: Use skb_unshare() rather than skb_cow_data()") which is not
+present here. The age-equivalent code path on AlmaLinux 10 is the
+centralized skb_unshare() in net/rxrpc/io_thread.c that is run for
+every DATA packet with a non-zero securityIndex before in-place
+decryption.
+
+skb_unshare() only handles cloned skbs. An skb that is non-cloned but
+carries paged fragments (skb->data_len != 0) — e.g. pages attached via
+udp_sendpage() / splice() / MSG_SPLICE_PAGES on a UDP socket carrying
+rxrpc traffic — slips through and is decrypted in place over data the
+skb does not own privately. With kernel-modules-partner installed
+(rxrpc.ko enabled), this is exploitable.
+
+Replace the unconditional skb_unshare() with skb_copy() whenever the
+skb is cloned OR carries paged fragments. skb_copy() always returns a
+freshly allocated linear skb, so subsequent in-place decryption only
+touches kernel-owned memory. The original skb is consumed explicitly
+(skb_unshare did this internally via consume_skb()).
+
+Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no
+rejects) against kernel-6.12.0-124.55.1.el10_1.
+
+Fixes: cac2661c53f3 ("rxrpc: Use skb_cow_data() in rxrpc_recvmsg_data()")
+Signed-off-by: Andrew Lukoshko <alukoshko@almalinux.org>
+---
+ net/rxrpc/io_thread.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+--- a/net/rxrpc/io_thread.c
+++ b/net/rxrpc/io_thread.c
+@@ -235,16 +235,18 @@
+ 		 * decryption.
+ 		 */
+ 		if (sp->hdr.securityIndex != 0) {
+-			skb = skb_unshare(skb, GFP_ATOMIC);
+-			if (!skb) {
+-				rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare_nomem);
+-				*_skb = NULL;
+-				return just_discard;
+-			}
+			if (skb_cloned(skb) || skb->data_len) {
+				struct sk_buff *nskb = skb_copy(skb, GFP_ATOMIC);
+
+				if (!nskb) {
+					rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare_nomem);
+					return just_discard;
+				}
+ 
+-			if (skb != *_skb) {
+ 				rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare);
+-				*_skb = skb;
+				consume_skb(*_skb);
+				*_skb = nskb;
+				skb = nskb;
+ 				rxrpc_new_skb(skb, rxrpc_skb_new_unshared);
+ 				sp = rxrpc_skb(skb);
+ 			}
+--
+2.43.0
--- a/SOURCES/1103-net-skbuff-propagate-shared-frag-marker.patch
+++ b/SOURCES/1103-net-skbuff-propagate-shared-frag-marker.patch
@ -0,0 +1,64 @@
+From: Andrew Lukoshko <alukoshko@almalinux.org>
+Subject: [PATCH AlmaLinux 10] net: skbuff: propagate shared-frag marker through pskb_copy()
+
+Backport of upstream patch posted at
+https://lore.kernel.org/all/agRfuVOeMI5pbHhY@v4bel/
+(sibling to the xfrm/esp shared-frag fix upstream commit f4c50a4034e6,
+already merged into 6.12.0-124.56.1 via the c10s import).
+
+__pskb_copy_fclone() shallow-copies the source's frag descriptors and
+bumps each page's refcount via skb_frag_ref(), then defers the rest
+of the shinfo metadata to skb_copy_header().  That helper only carries
+over gso_{size,segs,type} and never touches skb_shinfo()->flags, so
+the destination skb keeps a reference to the same externally-owned or
+page-cache-backed pages while reporting skb_has_shared_frag() as
+false.
+
+The mismatch is harmful in any in-place writer that uses
+skb_has_shared_frag() to decide whether shared pages must be detoured
+through skb_cow_data().  ESP input is one such writer (esp4.c,
+esp6.c), and a single nft 'dup to <local>' rule -- or any other
+nf_dup_ipv4() / xt_TEE caller -- is enough to land a pskb_copy()'d
+skb in esp_input() with the marker stripped, letting an unprivileged
+user write into the page cache of a root-owned read-only file via
+authencesn-ESN stray writes.
+
+Set SKBFL_SHARED_FRAG on the destination whenever frag descriptors
+were actually moved from the source.  skb_copy() and skb_copy_expand()
+share skb_copy_header() too but linearize all paged data into freshly
+allocated head storage and emerge with nr_frags == 0, so
+skb_has_shared_frag() returns false on its own; they need no change.
+
+Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no rejects)
+against kernel-6.12.0-124.56.1.el10_1.
+
+Fixes: cef401de7be8 ("net: fix possible wrong checksum generation")
+Fixes: f4c50a4034e6 ("xfrm: esp: avoid in-place decrypt on shared skb frags")
+Reported-by: William Bowling <vakzz@zellic.io>
+Reported-by: Hyunwoo Kim <imv4bel@gmail.com>
+Signed-off-by: Andrew Lukoshko <alukoshko@almalinux.org>
+---
+ net/core/skbuff.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
+@@ -2123,6 +2123,7 @@ struct sk_buff *__pskb_copy_fclone(struct sk_buff *skb, int headroom,
+ 			skb_frag_ref(skb, i);
+ 		}
+ 		skb_shinfo(n)->nr_frags = i;
+		skb_shinfo(n)->flags |= skb_shinfo(skb)->flags & SKBFL_SHARED_FRAG;
+ 	}
+
+ 	if (skb_has_frag_list(skb)) {
+@@ -6028,6 +6029,8 @@ bool skb_try_coalesce(struct sk_buff *to, struct sk_buff *from,
+ 	       from_shinfo->frags,
+ 	       from_shinfo->nr_frags * sizeof(skb_frag_t));
+ 	to_shinfo->nr_frags += from_shinfo->nr_frags;
+	if (from_shinfo->nr_frags)
+		to_shinfo->flags |= from_shinfo->flags & SKBFL_SHARED_FRAG;
+
+ 	if (!skb_cloned(from))
+ 		from_shinfo->nr_frags = 0;
+--
+2.43.0
--- a/SOURCES/1104-ptrace-require-cap-on-mm-less-task.patch
+++ b/SOURCES/1104-ptrace-require-cap-on-mm-less-task.patch
@ -0,0 +1,55 @@
+From: Andrew Lukoshko <alukoshko@almalinux.org>
+Subject: [PATCH AlmaLinux 10] ptrace: require CAP_SYS_PTRACE when task has no mm
+
+kABI-safe AlmaLinux backport of upstream commit 31e62c2ebbfd
+("ptrace: slightly saner 'get_dumpable()' logic") posted at
+https://github.com/torvalds/linux/commit/31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a
+
+The upstream fix adds a 'user_dumpable:1' bit to task_struct and
+caches the last dumpability in exit_mm() so __ptrace_may_access()
+can require CAP_SYS_PTRACE when the target has no mm (e.g. kernel
+threads or already-exited user tasks). That layout change to
+task_struct breaks kABI on AlmaLinux 10 (the symtype
+signature of struct task_struct is referenced by hundreds of
+stablelist exports), so we cannot import the field/exit_mm hunks
+as-is.
+
+Take the minimal kABI-safe slice instead: when task->mm == NULL,
+require CAP_SYS_PTRACE in init_user_ns unconditionally. This closes
+the Qualys Security Advisory hole -- mm-less targets no longer pass
+the dumpability check by default -- without touching task_struct or
+exit.c. The only behavioural delta versus upstream is that a user
+task that has already cleared its mm in exit_mm() (a dying/zombie
+task) now also requires CAP_SYS_PTRACE to attach, instead of being
+remembered as previously dumpable. Such targets are rarely ptraced
+in practice.
+
+Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no rejects)
+against kernel-6.12.0-124.56.1.el10_1.
+
+Reported-by: Qualys Security Advisory <qsa@qualys.com>
+Signed-off-by: Andrew Lukoshko <alukoshko@almalinux.org>
+---
+ kernel/ptrace.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
+@@ -339,8 +339,11 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
+ 	smp_rmb();
+ 	mm = task->mm;
+-	if (mm &&
+-	    ((get_dumpable(mm) != SUID_DUMP_USER) &&
+-	     !ptrace_has_cap(mm->user_ns, mode)))
+-	    return -EPERM;
+	if (mm) {
+		if ((get_dumpable(mm) != SUID_DUMP_USER) &&
+		    !ptrace_has_cap(mm->user_ns, mode))
+			return -EPERM;
+	} else if (!ptrace_has_cap(&init_user_ns, mode)) {
+		return -EPERM;
+	}
+ 
+ 	return security_ptrace_access_check(task, mode);
+--
+2.43.0
--- a/SOURCES/bcm2711_selinux_config.patch
+++ b/SOURCES/bcm2711_selinux_config.patch
@ -1,118 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Pablo Greco <pgreco@centosproject.org>
-Date: Fri, 7 Aug 2020 02:59:05 +0000
-Subject: [PATCH 2/2] configs 2711
-
---
- arch/arm/configs/bcm2711_defconfig   | 35 +++++++++++++++++++++++++--
- arch/arm64/configs/bcm2711_defconfig | 36 ++++++++++++++++++++++++++--
- 2 files changed, 67 insertions(+), 4 deletions(-)
-
-diff --git a/arch/arm/configs/bcm2711_defconfig b/arch/arm/configs/bcm2711_defconfig
-index d31636c..28e0bbd 100644
--- a/arch/arm/configs/bcm2711_defconfig
-+++ b/arch/arm/configs/bcm2711_defconfig
-@@ -1556,8 +1556,6 @@ CONFIG_NLS_KOI8_R=m
- CONFIG_NLS_KOI8_U=m
- CONFIG_DLM=m
- CONFIG_SECURITY=y
-CONFIG_SECURITY_APPARMOR=y
-CONFIG_LSM=""
- CONFIG_CRYPTO_USER=m
- CONFIG_CRYPTO_CAST5=m
- CONFIG_CRYPTO_DES=y
-@@ -1595,3 +1593,38 @@ CONFIG_IRQSOFF_TRACER=y
- CONFIG_SCHED_TRACER=y
- CONFIG_BLK_DEV_IO_TRACE=y
- # CONFIG_UPROBE_EVENTS is not set
-+
-+# CentOS added
-+CONFIG_AUDIT=y
-+CONFIG_NETLABEL=y
-+CONFIG_NETFILTER_XT_TARGET_AUDIT=m
-+CONFIG_IP_NF_SECURITY=m
-+CONFIG_IP6_NF_SECURITY=m
-+CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y
-+CONFIG_NFSD_V4_SECURITY_LABEL=y
-+CONFIG_SECURITY_NETWORK=y
-+CONFIG_SECURITY_PATH=y
-+CONFIG_SECURITY_SELINUX=y
-+CONFIG_SECURITY_SELINUX_BOOTPARAM=y
-+CONFIG_SECURITY_SELINUX_DISABLE=y
-+CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
-+CONFIG_NET_TEAM=m
-+CONFIG_NET_TEAM_MODE_ACTIVEBACKUP=m
-+CONFIG_NET_TEAM_MODE_BROADCAST=m
-+CONFIG_NET_TEAM_MODE_LOADBALANCE=m
-+CONFIG_NET_TEAM_MODE_RANDOM=m
-+CONFIG_NET_TEAM_MODE_ROUNDROBIN=m
-+CONFIG_CRYPTO_BLAKE2S=m
-+CONFIG_CRYPTO_CURVE25519=m
-+CONFIG_CRYPTO_CURVE25519_NEON=m
-+CONFIG_CRYPTO_LIB_BLAKE2S=m
-+CONFIG_CRYPTO_LIB_CHACHA20POLY1305=m
-+CONFIG_CRYPTO_LIB_CHACHA=m
-+CONFIG_CRYPTO_LIB_CURVE25519=m
-+CONFIG_CRYPTO_LIB_POLY1305=m
-+CONFIG_CRYPTO_POLY1305_ARM=m
-+# CONFIG_WIREGUARD_DEBUG is not set
-+CONFIG_WIREGUARD=m
-+CONFIG_FW_LOADER_COMPRESS=y
-+CONFIG_FW_LOADER_COMPRESS_XZ=y
-+CONFIG_FW_LOADER_COMPRESS_ZSTD=y
-diff --git a/arch/arm64/configs/bcm2711_defconfig b/arch/arm64/configs/bcm2711_defconfig
-index 55e6082..b9acdbc 100644
--- a/arch/arm64/configs/bcm2711_defconfig
-+++ b/arch/arm64/configs/bcm2711_defconfig
-@@ -1573,8 +1573,6 @@ CONFIG_NLS_KOI8_R=m
- CONFIG_NLS_KOI8_U=m
- CONFIG_DLM=m
- CONFIG_SECURITY=y
-CONFIG_SECURITY_APPARMOR=y
-CONFIG_LSM=""
- CONFIG_CRYPTO_USER=m
- CONFIG_CRYPTO_CRYPTD=m
- CONFIG_CRYPTO_AES=m
-@@ -1614,3 +1612,39 @@ CONFIG_IRQSOFF_TRACER=y
- CONFIG_SCHED_TRACER=y
- CONFIG_BLK_DEV_IO_TRACE=y
- # CONFIG_UPROBE_EVENTS is not set
-+
-+# CentOS added
-+CONFIG_AUDIT=y
-+CONFIG_NETLABEL=y
-+CONFIG_NETFILTER_XT_TARGET_AUDIT=m
-+CONFIG_IP_NF_SECURITY=m
-+CONFIG_IP6_NF_SECURITY=m
-+CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y
-+CONFIG_NFSD_V4_SECURITY_LABEL=y
-+CONFIG_SECURITY_NETWORK=y
-+CONFIG_SECURITY_PATH=y
-+CONFIG_SECURITY_SELINUX=y
-+CONFIG_SECURITY_SELINUX_BOOTPARAM=y
-+CONFIG_SECURITY_SELINUX_DISABLE=y
-+CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
-+CONFIG_NET_TEAM=m
-+CONFIG_NET_TEAM_MODE_ACTIVEBACKUP=m
-+CONFIG_NET_TEAM_MODE_BROADCAST=m
-+CONFIG_NET_TEAM_MODE_LOADBALANCE=m
-+CONFIG_NET_TEAM_MODE_RANDOM=m
-+CONFIG_NET_TEAM_MODE_ROUNDROBIN=m
-+CONFIG_CRYPTO_BLAKE2S=m
-+CONFIG_CRYPTO_CURVE25519=m
-+CONFIG_CRYPTO_LIB_BLAKE2S=m
-+CONFIG_CRYPTO_LIB_CHACHA20POLY1305=m
-+CONFIG_CRYPTO_LIB_CHACHA=m
-+CONFIG_CRYPTO_LIB_CURVE25519=m
-+CONFIG_CRYPTO_LIB_POLY1305=m
-+CONFIG_CRYPTO_POLY1305_NEON=m
-+# CONFIG_EFI_CUSTOM_SSDT_OVERLAYS is not set
-+# CONFIG_WIREGUARD_DEBUG is not set
-+CONFIG_WIREGUARD=m
-+CONFIG_BLK_DEV_RBD=m
-+CONFIG_FW_LOADER_COMPRESS=y
-+CONFIG_FW_LOADER_COMPRESS_XZ=y
-+CONFIG_FW_LOADER_COMPRESS_ZSTD=y
-- 
-2.39.0
-
--- a/SOURCES/bcm2709_selinux_config.patch
+++ b/SOURCES/bcm2709_selinux_config.patch
@ -1,31 +1,34 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Pablo Greco <pgreco@centosproject.org>
-Date: Fri, 7 Aug 2020 02:59:05 +0000
-Subject: [PATCH 1/2] configs 2709
+From bdec30ca8e18bc7d9a5d25d7cd9ca7976aef8aa2 Mon Sep 17 00:00:00 2001
+From: Koichiro Iwao <meta@almalinux.org>
+Date: Mon, 19 May 2025 13:09:29 +0900
+Subject: [PATCH 1/2] Apply config patch for Raspberry Pi (BCM2711)

+The patch is originally provided by Pablo Greco <pgreco@centosproject.org>.
+
+Signed-off-by: Koichiro Iwao <meta@almalinux.org>
 ---
- arch/arm/configs/bcm2709_defconfig | 40 ++++++++++++++++++++++++++++--
- 1 file changed, 38 insertions(+), 2 deletions(-)
+ arch/arm64/configs/bcm2711_defconfig | 42 ++++++++++++++++++++++++++--
+ 1 file changed, 40 insertions(+), 2 deletions(-)

-diff --git a/arch/arm/configs/bcm2709_defconfig b/arch/arm/configs/bcm2709_defconfig
-index 4b1f46c..537c622 100644
--- a/arch/arm/configs/bcm2709_defconfig
-+++ b/arch/arm/configs/bcm2709_defconfig
-@@ -1530,8 +1530,6 @@ CONFIG_NLS_KOI8_R=m
- CONFIG_NLS_KOI8_U=m
- CONFIG_DLM=m
+diff --git a/arch/arm64/configs/bcm2711_defconfig b/arch/arm64/configs/bcm2711_defconfig
+index ce3e13572fb4..324800576e6a 100644
+--- a/arch/arm64/configs/bcm2711_defconfig
+++ b/arch/arm64/configs/bcm2711_defconfig
+@@ -1690,8 +1690,6 @@ CONFIG_DLM=m
+ CONFIG_UNICODE=m
+ CONFIG_KEY_DH_OPERATIONS=y
 CONFIG_SECURITY=y
 -CONFIG_SECURITY_APPARMOR=y
 -CONFIG_LSM=""
 CONFIG_CRYPTO_USER=m
- CONFIG_CRYPTO_CAST5=m
- CONFIG_CRYPTO_DES=y
-@@ -1569,3 +1567,38 @@ CONFIG_IRQSOFF_TRACER=y
- CONFIG_SCHED_TRACER=y
+ CONFIG_CRYPTO_CRYPTD=m
+ CONFIG_CRYPTO_AES=m
+@@ -1742,3 +1740,43 @@ CONFIG_SCHED_TRACER=y
 CONFIG_BLK_DEV_IO_TRACE=y
 # CONFIG_UPROBE_EVENTS is not set
+ # CONFIG_STRICT_DEVMEM is not set
 +
-+# CentOS added
+# CentOS/AlmaLinux added
 +CONFIG_AUDIT=y
 +CONFIG_NETLABEL=y
 +CONFIG_NETFILTER_XT_TARGET_AUDIT=m
@ -47,18 +50,23 @@ index 4b1f46c..537c622 100644
 +CONFIG_NET_TEAM_MODE_ROUNDROBIN=m
 +CONFIG_CRYPTO_BLAKE2S=m
 +CONFIG_CRYPTO_CURVE25519=m
-+CONFIG_CRYPTO_CURVE25519_NEON=m
 +CONFIG_CRYPTO_LIB_BLAKE2S=m
 +CONFIG_CRYPTO_LIB_CHACHA20POLY1305=m
 +CONFIG_CRYPTO_LIB_CHACHA=m
 +CONFIG_CRYPTO_LIB_CURVE25519=m
 +CONFIG_CRYPTO_LIB_POLY1305=m
-+CONFIG_CRYPTO_POLY1305_ARM=m
+CONFIG_CRYPTO_POLY1305_NEON=m
+# CONFIG_EFI_CUSTOM_SSDT_OVERLAYS is not set
 +# CONFIG_WIREGUARD_DEBUG is not set
 +CONFIG_WIREGUARD=m
+CONFIG_BLK_DEV_RBD=m
 +CONFIG_FW_LOADER_COMPRESS=y
 +CONFIG_FW_LOADER_COMPRESS_XZ=y
 +CONFIG_FW_LOADER_COMPRESS_ZSTD=y
+CONFIG_EROFS_FS=m
+CONFIG_EROFS_FS_XATTR=y
+CONFIG_EROFS_POSIX_ACL=y
+CONFIG_EROFS_FS_SECURITY=y
 -- 
-2.39.0
+2.49.0

--- a/SOURCES/config_2712.patch
+++ b/SOURCES/config_2712.patch
@ -0,0 +1,72 @@
+From c6064f14a8c32e3109ee83c736097e2ee03086ca Mon Sep 17 00:00:00 2001
+From: Koichiro Iwao <meta@almalinux.org>
+Date: Mon, 19 May 2025 13:10:35 +0900
+Subject: [PATCH 2/2] Apply config patch for Raspberry Pi (BCM2712)
+
+The patch is originally provided by Pablo Greco <pgreco@centosproject.org>.
+
+Signed-off-by: Koichiro Iwao <meta@almalinux.org>
+---
+ arch/arm64/configs/bcm2712_defconfig | 42 ++++++++++++++++++++++++++--
+ 1 file changed, 40 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/configs/bcm2712_defconfig b/arch/arm64/configs/bcm2712_defconfig
+index 9e2bda050f81..51afa99f75e3 100644
+--- a/arch/arm64/configs/bcm2712_defconfig
+++ b/arch/arm64/configs/bcm2712_defconfig
+@@ -1692,8 +1692,6 @@ CONFIG_DLM=m
+ CONFIG_UNICODE=m
+ CONFIG_KEY_DH_OPERATIONS=y
+ CONFIG_SECURITY=y
+-CONFIG_SECURITY_APPARMOR=y
+-CONFIG_LSM=""
+ CONFIG_CRYPTO_USER=m
+ CONFIG_CRYPTO_CRYPTD=m
+ CONFIG_CRYPTO_AES=m
+@@ -1744,3 +1742,43 @@ CONFIG_SCHED_TRACER=y
+ CONFIG_BLK_DEV_IO_TRACE=y
+ # CONFIG_UPROBE_EVENTS is not set
+ # CONFIG_STRICT_DEVMEM is not set
+
+# CentOS/AlmaLinux added
+CONFIG_AUDIT=y
+CONFIG_NETLABEL=y
+CONFIG_NETFILTER_XT_TARGET_AUDIT=m
+CONFIG_IP_NF_SECURITY=m
+CONFIG_IP6_NF_SECURITY=m
+CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y
+CONFIG_NFSD_V4_SECURITY_LABEL=y
+CONFIG_SECURITY_NETWORK=y
+CONFIG_SECURITY_PATH=y
+CONFIG_SECURITY_SELINUX=y
+CONFIG_SECURITY_SELINUX_BOOTPARAM=y
+CONFIG_SECURITY_SELINUX_DISABLE=y
+CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
+CONFIG_NET_TEAM=m
+CONFIG_NET_TEAM_MODE_ACTIVEBACKUP=m
+CONFIG_NET_TEAM_MODE_BROADCAST=m
+CONFIG_NET_TEAM_MODE_LOADBALANCE=m
+CONFIG_NET_TEAM_MODE_RANDOM=m
+CONFIG_NET_TEAM_MODE_ROUNDROBIN=m
+CONFIG_CRYPTO_BLAKE2S=m
+CONFIG_CRYPTO_CURVE25519=m
+CONFIG_CRYPTO_LIB_BLAKE2S=m
+CONFIG_CRYPTO_LIB_CHACHA20POLY1305=m
+CONFIG_CRYPTO_LIB_CHACHA=m
+CONFIG_CRYPTO_LIB_CURVE25519=m
+CONFIG_CRYPTO_LIB_POLY1305=m
+CONFIG_CRYPTO_POLY1305_NEON=m
+# CONFIG_EFI_CUSTOM_SSDT_OVERLAYS is not set
+# CONFIG_WIREGUARD_DEBUG is not set
+CONFIG_WIREGUARD=m
+CONFIG_BLK_DEV_RBD=m
+CONFIG_FW_LOADER_COMPRESS=y
+CONFIG_FW_LOADER_COMPRESS_XZ=y
+CONFIG_FW_LOADER_COMPRESS_ZSTD=y
+CONFIG_EROFS_FS=m
+CONFIG_EROFS_FS_XATTR=y
+CONFIG_EROFS_POSIX_ACL=y
+CONFIG_EROFS_FS_SECURITY=y
+-- 
+2.49.0
+
--- a/SOURCES/cpupower.config
+++ b/SOURCES/cpupower.config
@ -0,0 +1,3 @@
+# See 'cpupower help' and cpupower(1) for more info
+CPUPOWER_START_OPTS="frequency-set -g ondemand"
+CPUPOWER_STOP_OPTS="frequency-set -g powersave"
--- a/SOURCES/cpupower.service
+++ b/SOURCES/cpupower.service
@ -0,0 +1,13 @@
+[Unit]
+Description=Configure CPU power related settings
+After=syslog.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=/etc/sysconfig/cpupower
+ExecStart=/usr/bin/cpupower $CPUPOWER_START_OPTS
+ExecStop=/usr/bin/cpupower $CPUPOWER_STOP_OPTS
+
+[Install]
+WantedBy=multi-user.target
--- a/SOURCES/kvm_stat.logrotate
+++ b/SOURCES/kvm_stat.logrotate
@ -0,0 +1,11 @@
+/var/log/kvm_stat.csv {
+	size 10M
+	missingok
+	compress
+	maxage 30
+	rotate 5
+	nodateext
+	postrotate
+		/usr/bin/systemctl try-restart kvm_stat.service
+	endscript
+}
--- a/SOURCES/rpi-6.1.x.patch
+++ b/SOURCES/rpi-6.1.x.patch
--- a/SPECS/raspberrypi2.spec
+++ b/SPECS/raspberrypi2.spec
@ -1,71 +1,83 @@
-%global commit_firmware_long cb9500d6021e083a182ba168fe4424e3db2494cf
-%global commit_linux_long 4fc5a03ad1d2fb811d8652be67260312fa3125fc
+%global firmware_tag	1.20250915
+%global version_tag	20250916

-ExclusiveArch: aarch64 armv7hl
+ExclusiveArch: aarch64

 %undefine _debugsource_packages

-%ifarch aarch64
 %define Arch arm64
-%define build_image Image
+%define build_image Image.gz
 %define armtarget 8
-%define with_rpi4 1
-%else
-%define Arch arm
-%define build_image zImage
-%define armtarget 7
-%bcond_with rpi4
-%endif

-%if %{with rpi4}
-%ifarch aarch64
 %define local_version v8
-%else
-%define local_version v7l
-%endif
 %define bcmmodel 2711
+%define extra_version 6
+
+# This originally implies Kernel 4.x for RPi 2 and is not appropriate now.
+# Be careful to change this not to disturb the seamless package update.
+%define rpisuffix 2
 %define ksuffix 4
+
+%define kversion 6.12
+%define patchlevel 47
+
+%if 0%{?rhel} >= 10 || 0%{?fedora} >= 40
+%define pathfix %{__python3} %{_rpmconfigdir}/redhat/pathfix.py
 %else
-%define local_version v7
-%define bcmmodel 2709
+%define pathfix pathfix.py
 %endif
-%define extra_version 1

-%define kversion 6.1
-%define patchlevel 31
+# standard kernel
+%define with_up        %{?_without_up:        0} %{?!_without_up:        1}
+# tools
+%define with_tools     %{?_without_tools:     0} %{?!_without_tools:     1}
+# firmware
+%define with_firmware  %{?_without_firmware:  0} %{?!_without_firmware:  1}
+# kernel-headers
+%define with_headers   %{?_without_headers:   0} %{?!_without_headers:   1}

-Name:           raspberrypi2
+Name:           raspberrypi%{rpisuffix}
 Version:        %{kversion}.%{patchlevel}
-Release:        %{local_version}.%{extra_version}%{?dist}
+Release:        %{version_tag}.%{local_version}.%{extra_version}%{?dist}
 Summary:        Specific kernel and bootcode for Raspberry Pi

-License:        GPLv2
+License:        GPL-2.0 WITH Linux-syscall-note
 URL:            https://github.com/raspberrypi/linux
-Source0:        https://www.kernel.org/pub/linux/kernel/v6.x/linux-%{kversion}.tar.xz
-Source1:        https://github.com/raspberrypi/firmware/archive/%{commit_firmware_long}.tar.gz
-%if %{patchlevel} > 0
-Source2:        https://cdn.kernel.org/pub/linux/kernel/v6.x/patch-%{version}.xz
-%endif
-Source3:        rpi-6.1.x.patch
+Source0:        https://github.com/raspberrypi/linux/archive/stable_%{version_tag}.tar.gz
+Source1:        https://github.com/raspberrypi/firmware/archive/refs/tags/%{firmware_tag}.tar.gz
+Patch100:       config_2711.patch
+Patch101:       config_2712.patch
+# Sources for kernel-tools
+Source2000:    cpupower.service
+Source2001:    cpupower.config
+Source2002:    kvm_stat.logrotate
+# AlmaLinux patches
+## CVE-2026-31431: Copy Fail
+Patch1100:     1100-CVE-2026-31431-crypto-Copy-Fail-fixes.patch
+## CVE-2026-43284: Dirty Frag
+Patch1101:     1101-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch
+## CVE-2026-43500 Dirty Frag
+Patch1102:     1102-rxrpc-linearize-paged-frags.patch
+## CVE-2026-46300: Fragnesia
+Patch1103:     1103-net-skbuff-propagate-shared-frag-marker.patch 
+## CVE-2026-46333: ssh-keysign-pwn
+Patch1104:     1104-ptrace-require-cap-on-mm-less-task.patch

 BuildRequires: kmod, patch, bash, coreutils, tar
 BuildRequires: bzip2, xz, findutils, gzip, m4, perl, perl-Carp, make, diffutils, gawk
-BuildRequires: gcc, binutils, redhat-rpm-config, hmaccalc, git
+BuildRequires: gcc, binutils, redhat-rpm-config, hmaccalc
 BuildRequires: net-tools, hostname, bc
 BuildRequires: elfutils-devel zlib-devel binutils-devel newt-devel python3-devel perl(ExtUtils::Embed) bison flex xz-devel
 BuildRequires: audit-libs-devel
 BuildRequires: pciutils-devel gettext ncurses-devel
 BuildRequires: openssl-devel
-%if 0%{?rhel} == 7
-BuildRequires:  devtoolset-8-build
-BuildRequires:  devtoolset-8-binutils
-BuildRequires:  devtoolset-8-gcc
-BuildRequires:  devtoolset-8-make
+%if %{with_tools}
+# kernel-tools
+BuildRequires: asciidoc
+%endif
+%if %{with_headers}
+BuildRequires: rsync
 %endif
-
-# Compile with SELinux but disable per default
-Patch100:       bcm2709_selinux_config.patch
-Patch101:       bcm2711_selinux_config.patch

 %description
 Specific kernel and bootcode for Raspberry Pi
@ -74,31 +86,128 @@ Specific kernel and bootcode for Raspberry Pi
 Group:          System Environment/Kernel
 Summary:        The Linux kernel
 Provides:       kernel = %{version}-%{release}
-Requires:	coreutils
-#Requires:	dracut
-
+Provides:       kernel-core = %{version}-%{release}
+Provides:       installonlypkg(kernel)
+Requires:       coreutils
+Requires:       dracut
 %description kernel%{?ksuffix}
 The kernel package contains the Linux kernel (vmlinuz), the core of any
 Linux operating system.  The kernel handles the basic functions
 of the operating system: memory allocation, process allocation, device
 input and output, etc.

-
 %package kernel%{?ksuffix}-devel
 Group:          System Environment/Kernel
 Summary:        Development package for building kernel modules to match the kernel
 Provides:       kernel-devel = %{version}-%{release}
 Provides:       kernel-devel-uname-r = %{version}-%{release}
+Provides:       installonlypkg(kernel)
 Autoreq:        no
 Requires(pre):  findutils
 Requires:       findutils
 Requires:       perl-interpreter
-
 %description kernel%{?ksuffix}-devel
 This package provides kernel headers and makefiles sufficient to build modules
 against the kernel package.

+%if 0%{?rhel} >= 10
+%package kernel%{?ksuffix}-modules
+Summary:        Pseudo package for kernel modules
+Group:          System Environment/Kernel
+Provides:       installonlypkg(kernel-module)
+Provides:       kernel-modules = %{version}-%{release}
+Provides:       kernel-modules-uname-r = %{version}-%{release}
+Obsoletes:      kernel-modules < %{version}-%{release}
+Requires:       %{name}-kernel%{?ksuffix} = %{version}-%{release}
+AutoReq:        no
+AutoProv:       yes
+%description kernel%{?ksuffix}-modules
+This package provides pseudo dependency for the packages that depends on regular
+kernel-modules packages.

+%package kernel%{?ksuffix}-modules-core
+Summary:        Pseudo package for core kernel modules
+Group:          System Environment/Kernel
+Provides:       installonlypkg(kernel-module)
+Provides:       kernel-modules-core = %{version}-%{release}
+Provides:       kernel-modules-core-uname-r = %{version}-%{release}
+Obsoletes:      kernel-modules-core < %{version}-%{release}
+Requires:       %{name}-kernel%{?ksuffix} = %{version}-%{release}
+AutoReq:        no
+AutoProv:       yes
+%description kernel%{?ksuffix}-modules-core
+This package provides pseudo dependency for the packages that depends on regular
+kernel-modules-core packages.
+
+%package kernel%{?ksuffix}-modules-extra
+Summary:        Pseudo package for extra kernel modules
+Group:          System Environment/Kernel
+Provides:       kernel-modules-extra = %{version}-%{release}
+Provides:       kernel-modules-extra-uname-r = %{version}-%{release}
+Provides:       installonlypkg(kernel-module)
+Obsoletes:      kernel-modules-extra < %{version}-%{release}
+Requires:       %{name}-kernel%{?ksuffix} = %{version}-%{release}
+AutoReq:        no
+AutoProv:       yes
+%description kernel%{?ksuffix}-modules-extra
+This package provides pseudo dependency for the packages that depends on regular
+kernel-modules-extra packages.
+
+%package kernel%{?ksuffix}-modules-extra-matched
+Summary:        Pseudo package for extra kernel modules
+Group:          System Environment/Kernel
+Provides:       kernel-modules-extra-matched = %{version}-%{release}
+Provides:       kernel-modules-extra-matched-uname-r = %{version}-%{release}
+Provides:       installonlypkg(kernel-module)
+Obsoletes:      kernel-modules-extra-matched < %{version}-%{release}
+Requires:       %{name}-kernel%{?ksuffix} = %{version}-%{release}
+AutoReq:        no
+AutoProv:       yes
+%description kernel%{?ksuffix}-modules-extra-matched
+This package provides pseudo dependency for the packages that depends on regular
+kernel-modules-extra-matched packages.
+%endif
+
+%if %{with_tools}
+%package kernel%{?ksuffix}-tools
+Summary: Assortment of tools for the Linux kernel
+Provides:  cpupowerutils = 1:009-0.6.p1
+Obsoletes: cpupowerutils < 1:009-0.6.p1
+Provides:  cpufreq-utils = 1:009-0.6.p1
+Provides:  cpufrequtils = 1:009-0.6.p1
+Obsoletes: cpufreq-utils < 1:009-0.6.p1
+Obsoletes: cpufrequtils < 1:009-0.6.p1
+Obsoletes: cpuspeed < 1:1.5-16
+Requires: %{name}-kernel%{?ksuffix}-tools-libs = %{version}-%{release}
+Obsoletes: kernel-tools < %{version}
+Provides: kernel-tools = %{version}-%{release}
+%define __requires_exclude ^%{_bindir}/python
+%description kernel%{?ksuffix}-tools
+This package contains the tools/ directory from the kernel source
+and the supporting documentation.
+
+%package kernel%{?ksuffix}-tools-libs
+Summary: Libraries for the kernels-tools
+Obsoletes: kernel-tools-libs < %{version}
+Provides: kernel-tools-libs = %{version}-%{release}
+%description kernel%{?ksuffix}-tools-libs
+This package contains the libraries built from the tools/ directory
+from the kernel source.
+
+%package kernel%{?ksuffix}-tools-libs-devel
+Summary: Assortment of tools for the Linux kernel
+Requires: %{name}-kernel%{?ksuffix}-tools = %{version}-%{release}
+Provides:  cpupowerutils-devel = 1:009-0.6.p1
+Obsoletes: cpupowerutils-devel < 1:009-0.6.p1
+Requires: %{name}-kernel%{?ksuffix}-tools-libs = %{version}-%{release}
+Obsoletes: kernel-tools-libs-devel < %{version}
+Provides: kernel-tools-libs-devel = %{version}-%{release}
+%description kernel%{?ksuffix}-tools-libs-devel
+This package contains the development files for the tools/ directory from
+the kernel source.
+%endif
+
+%if %{with_firmware}
 %package firmware
 Summary:        GPU firmware for the Raspberry Pi computer
 License:        Redistributable, with restrictions; see LICENSE.broadcom
@ -110,70 +219,88 @@ Provides:        grubby=8.40-10
 %description firmware
 This package contains the GPU firmware for the Raspberry Pi BCM2835 SOC
 including the kernel bootloader.
+%endif

+%if %{with_headers}
+%package kernel%{?ksuffix}-headers
+Obsoletes: kernel-headers < %{version}
+Provides: kernel-headers = %{version}-%{release}
+Obsoletes: glibc-kernheaders < 3.0-46
+Provides: glibc-kernheaders = 3.0-46
+Summary: Header files for the Linux kernel for use by glibc
+
+%description kernel%{?ksuffix}-headers
+Kernel-headers includes the C header files that specify the interface
+between the Linux kernel and userspace libraries and programs.  The
+header files define structures and constants that are needed for
+building most standard programs and are also needed for rebuilding the
+glibc package.
+%endif

 %prep
-%if 0%{?rhel} == 7
-source scl_source enable devtoolset-8 || :
-%endif
-%setup -q -n linux-%{kversion}
-git init
-git config user.email "kernel-team@fedoraproject.org"
-git config user.name "Fedora Kernel Team"
-git config gc.auto 0
-git add .
-git commit -a -q -m "baseline"
-%if %{patchlevel} > 0
-xzcat %{SOURCE2} | patch -p1 -F1 -s
-git commit -a -q -m "%{version}"
-%endif
-git am %{SOURCE3}
-
-git am %{PATCH100}
-git am %{PATCH101}
-
+%setup -q -n linux-stable_%{version_tag}
+%patch -P 100 -p1
+%patch -P 101 -p1
+%patch -P 1100 -p1
+%patch -P 1101 -p1
+%patch -P 1102 -p1
+%patch -P 1103 -p1
+%patch -P 1104 -p1
 perl -p -i -e "s/^EXTRAVERSION.*/EXTRAVERSION = -%{release}/" Makefile
-perl -p -i -e "s/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=/" arch/%{Arch}/configs/bcm%{bcmmodel}_defconfig
+perl -p -i -e "s/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=/" arch/%{Arch}/configs/bcm2711_defconfig
+perl -p -i -e "s/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=/" arch/%{Arch}/configs/bcm2712_defconfig

-%if 0%{?rhel} >= 8
+%if 0%{?rhel} >= 8 || 0%{?fedora} >= 28
 # Mangle /usr/bin/python shebangs to /usr/bin/python3
 # Mangle all Python shebangs to be Python 3 explicitly
 # -p preserves timestamps
 # -n prevents creating ~backup files
 # -i specifies the interpreter for the shebang
-pathfix.py -pni "%{__python3} %{py3_shbang_opts}" scripts/
-pathfix.py -pni "%{__python3} %{py3_shbang_opts}" scripts/diffconfig scripts/bloat-o-meter scripts/show_delta scripts/jobserver-exec
-pathfix.py -pni "%{__python3} %{py3_shbang_opts}" tools/ tools/perf/scripts/python/*.py tools/kvm/kvm_stat/kvm_stat scripts/clang-tools/*.py
+%{pathfix} -pni "%{__python3} %{py3_shbang_opts}" scripts/
+%{pathfix} -pni "%{__python3} %{py3_shbang_opts}" scripts/diffconfig scripts/bloat-o-meter scripts/show_delta \
+                                                  scripts/jobserver-exec scripts/dtc/dt-extract-compatibles
+%{pathfix} -pni "%{__python3} %{py3_shbang_opts}" tools/ tools/kvm/kvm_stat/kvm_stat
 %endif

-# This Prevents scripts/setlocalversion from mucking with our version numbers.
-touch .scmversion
-git commit -a -q -m "modifs"
-
 %build
-%if 0%{?rhel} == 7
-source scl_source enable devtoolset-8 || :
-%endif
+# 16K page-size kernel optimized (bcmmodel=2712) for RPi 5 is not built at the moment
+# to support both RPi 4 and 5.
 export KERNEL=kernel%{armtarget}
 make bcm%{bcmmodel}_defconfig
+%if %{with_up}
 make %{?_smp_mflags} HOSTCFLAGS="%{?build_cflags}" HOSTLDFLAGS="%{?build_ldflags}" %{build_image} modules dtbs
+%endif
+
+# kernel-tools
+%if %{with_tools}
+make %{?_smp_mflags} -C tools/power/cpupower CPUFREQ_BENCH=false DEBUG=false
+pushd tools/thermal/tmon/
+make %{?_smp_mflags} HOSTCFLAGS="%{?build_cflags}" HOSTLDFLAGS="%{?build_ldflags}" 
+popd
+pushd tools/iio/
+make %{?_smp_mflags} HOSTCFLAGS="%{?build_cflags}" HOSTLDFLAGS="%{?build_ldflags}" 
+popd
+pushd tools/gpio/
+make %{?_smp_mflags} HOSTCFLAGS="%{?build_cflags}" HOSTLDFLAGS="%{?build_ldflags}" 
+popd
+pushd tools/mm/
+make %{?_smp_mflags} HOSTCFLAGS="%{?build_cflags}" HOSTLDFLAGS="%{?build_ldflags}" slabinfo page_owner_sort
+popd
+%endif

 %install
-%if 0%{?rhel} == 7
-source scl_source enable devtoolset-8 || :
-%endif
+%if %{with_up}
 # kernel
 mkdir -p %{buildroot}/boot/overlays/
-mkdir -p %{buildroot}/usr/share/%{name}-kernel/%{version}-%{release}/boot/overlays
+mkdir -p %{buildroot}/usr/share/%{name}-kernel%{?ksuffix}/%{version}-%{release}/boot/overlays
 cp -p -v COPYING %{buildroot}/boot/COPYING.linux-%{kversion}
+cp -p -v arch/%{Arch}/boot/dts/overlays/README %{buildroot}/usr/share/%{name}-kernel%{?ksuffix}/%{version}-%{release}/boot/overlays
 %ifarch aarch64
-cp -p -v arch/%{Arch}/boot/dts/broadcom/*.dtb %{buildroot}/usr/share/%{name}-kernel/%{version}-%{release}/boot
+cp -p -v arch/%{Arch}/boot/dts/broadcom/*.dtb %{buildroot}/usr/share/%{name}-kernel%{?ksuffix}/%{version}-%{release}/boot
 %else
-cp -p -v arch/%{Arch}/boot/dts/*.dtb %{buildroot}/usr/share/%{name}-kernel/%{version}-%{release}/boot
+cp -p -v arch/%{Arch}/boot/dts/*.dtb %{buildroot}/usr/share/%{name}-kernel%{?ksuffix}/%{version}-%{release}/boot
 %endif
-cp -p -v arch/%{Arch}/boot/dts/overlays/*.dtb* %{buildroot}/usr/share/%{name}-kernel/%{version}-%{release}/boot/overlays
-cp -p -v arch/%{Arch}/boot/dts/overlays/README %{buildroot}/usr/share/%{name}-kernel/%{version}-%{release}/boot/overlays
-#scripts/mkknlimg arch/%{Arch}/boot/zImage %{buildroot}/boot/kernel-%{version}-%{release}.img
+cp -p -v arch/%{Arch}/boot/dts/overlays/*.dtb* %{buildroot}/usr/share/%{name}-kernel%{?ksuffix}/%{version}-%{release}/boot/overlays
 cp -p -v arch/%{Arch}/boot/%{build_image} %{buildroot}/boot/kernel-%{version}-%{release}.img
 make INSTALL_MOD_PATH=%{buildroot} modules_install
 cat > %{buildroot}/boot/config-kernel-%{version}-%{release}.inc <<__EOF__
@ -220,30 +347,86 @@ touch -r %{buildroot}$DevelDir/Makefile %{buildroot}$DevelDir/include/linux/vers
 ln -T -s $DevelDir %{buildroot}/lib/modules/%{version}-%{release}/build --force
 ln -T -s build %{buildroot}/lib/modules/%{version}-%{release}/source --force

-# kernel-firmware
-#rm .config
-#make INSTALL_FW_PATH=%{buildroot}/lib/firmware firmware_install
+%endif

+%if %{with_firmware}
 # firmware
 #   precompiled GPU firmware and bootloader
 pushd %{buildroot}
-tar -xf %{_sourcedir}/%{commit_firmware_long}.tar.gz \
-    firmware-%{commit_firmware_long}/boot/start* \
-    firmware-%{commit_firmware_long}/boot/fixup* \
-    firmware-%{commit_firmware_long}/boot/LICENCE.broadcom \
-    firmware-%{commit_firmware_long}/boot/bootcode.bin \
+tar -xf %{_sourcedir}/%{firmware_tag}.tar.gz \
+    firmware-%{firmware_tag}/boot/start* \
+    firmware-%{firmware_tag}/boot/fixup* \
+    firmware-%{firmware_tag}/boot/LICENCE.broadcom \
+    firmware-%{firmware_tag}/boot/bootcode.bin \
    --strip-components=1
+%{__chmod} -x %{buildroot}/boot/start*.elf
 popd
+%endif

+%if %{with_tools}
+# kernel-tools
+make  -C tools/power/cpupower DESTDIR=$RPM_BUILD_ROOT libdir=%{_libdir} mandir=%{_mandir} CPUFREQ_BENCH=false install
+rm -f %{buildroot}%{_libdir}/*.{a,la}
+%find_lang cpupower
+
+install -D -m644 %{SOURCE2000} %{buildroot}%{_unitdir}/cpupower.service
+install -D -m644 %{SOURCE2001} %{buildroot}%{_sysconfdir}/sysconfig/cpupower
+pushd tools/thermal/tmon
+make INSTALL_ROOT=%{buildroot} install
+popd
+pushd tools/iio
+make DESTDIR=%{buildroot} install
+popd
+pushd tools/gpio
+make DESTDIR=%{buildroot} install
+popd
+install -m644 -D %{SOURCE2002} %{buildroot}%{_sysconfdir}/logrotate.d/kvm_stat
+pushd tools/kvm/kvm_stat
+%{__make} INSTALL_ROOT=%{buildroot} install-tools
+%{__make} INSTALL_ROOT=%{buildroot} install-man
+install -m644 -D kvm_stat.service %{buildroot}%{_unitdir}/kvm_stat.service
+popd
+pushd tools/mm/
+install -m755 slabinfo %{buildroot}%{_bindir}/slabinfo
+install -m755 page_owner_sort %{buildroot}%{_bindir}/page_owner_sort
+popd
+%endif
+
+%if %{with_headers}
+%{__make} ARCH=%{Arch} INSTALL_HDR_PATH=%{buildroot}/usr headers_install
+
+find %{buildroot}/usr/include \
+    \( -name .install -o -name .check -o \
+       -name ..install.cmd -o -name ..check.cmd \) -delete
+%endif
+
+%if %{with_tools}
+%post kernel%{?ksuffix}-tools
+%systemd_post cpupower.service
+
+%preun kernel%{?ksuffix}-tools
+%systemd_preun cpupower.service
+
+%postun kernel%{?ksuffix}-tools
+%systemd_postun cpupower.service
+
+%post kernel%{?ksuffix}-tools-libs
+/sbin/ldconfig
+
+%postun kernel%{?ksuffix}-tools-libs
+/sbin/ldconfig
+%endif
+
+%if %{with_up}
 %files kernel%{?ksuffix}
 %defattr(-,root,root,-)
 /lib/modules/%{version}-%{release}
-/usr/share/%{name}-kernel/%{version}-%{release}
-/usr/share/%{name}-kernel/%{version}-%{release}/boot
-/usr/share/%{name}-kernel/%{version}-%{release}/boot/*.dtb
+/usr/share/%{name}-kernel%{?ksuffix}/%{version}-%{release}
+/usr/share/%{name}-kernel%{?ksuffix}/%{version}-%{release}/boot
+/usr/share/%{name}-kernel%{?ksuffix}/%{version}-%{release}/boot/*.dtb
 /boot/config-%{version}-%{release}
 /boot/overlays/
-/usr/share/%{name}-kernel/%{version}-%{release}/boot/overlays/*
+/usr/share/%{name}-kernel%{?ksuffix}/%{version}-%{release}/boot/overlays/*
 %attr(0755,root,root) /boot/kernel-%{version}-%{release}.img
 %ghost /boot/initramfs-%{version}-%{release}.img
 /boot/config-kernel-%{version}-%{release}.inc
@ -251,25 +434,45 @@ popd


 %posttrans kernel%{?ksuffix}
-if [ -f /boot/kernel%{armtarget}.img ] || [ ! -f /boot/config-kernel.inc ];then
-    # if nothing exists, fall back to generating the file, but don't create it
-    # if we have moved to initramfs
-    cp /boot/kernel-%{version}-%{release}.img /boot/kernel%{armtarget}.img
+if [ -d /usr/lib/ostree-boot ]; then
+  mkdir -p /usr/lib/modules/%{version}-%{release}
+  pushd /usr/lib/ostree-boot
+  [ -e config-%{version}-%{release} ] && \
+    mv config-%{version}-%{release} /usr/lib/modules/%{version}-%{release}/
+  [ -e config-kernel-%{version}-%{release}.inc ] && \
+    mv config-kernel-%{version}-%{release}.inc /usr/lib/modules/%{version}-%{release}/
+  [ -e initramfs-%{version}-%{release}.img ] && \ 
+    mv initramfs-%{version}-%{release}.img /usr/lib/modules/%{version}-%{release}/initramfs
+  [ -e kernel-%{version}-%{release}.img ] && \
+    mv kernel-%{version}-%{release}.img /usr/lib/modules/%{version}-%{release}/vmlinuz
+  popd
+fi
+if [ -d /boot ]; then
+  if [ -f /boot/kernel%{armtarget}.img ] || [ ! -f /boot/config-kernel.inc ];then
+      # if nothing exists, fall back to generating the file, but don't create it
+      # if we have moved to initramfs
+      cp /boot/kernel-%{version}-%{release}.img /boot/kernel%{armtarget}.img
+  fi
+  cp /usr/share/%{name}-kernel%{?ksuffix}/%{version}-%{release}/boot/*.dtb /boot/
+  cp /usr/share/%{name}-kernel%{?ksuffix}/%{version}-%{release}/boot/overlays/*.dtb* /boot/overlays/
+  cp /usr/share/%{name}-kernel%{?ksuffix}/%{version}-%{release}/boot/overlays/README /boot/overlays/
+  cp /boot/config-kernel-%{version}-%{release}.inc /boot/config-kernel.inc
+
+  /usr/bin/dracut --no-hostonly /boot/initramfs-%{version}-%{release}.img %{version}-%{release}
+  cp /boot/initramfs-%{version}-%{release}.img /boot/initramfs%{armtarget}
 fi
-cp /usr/share/%{name}-kernel/%{version}-%{release}/boot/*.dtb /boot/
-cp /usr/share/%{name}-kernel/%{version}-%{release}/boot/overlays/*.dtb* /boot/overlays/
-cp /usr/share/%{name}-kernel/%{version}-%{release}/boot/overlays/README /boot/overlays/
-/usr/bin/dracut /boot/initramfs-%{version}-%{release}.img %{version}-%{release}
-cp /boot/config-kernel-%{version}-%{release}.inc /boot/config-kernel.inc

 %postun kernel%{?ksuffix}
-if [ -f /boot/kernel%{armtarget}.img ];then
+if [ -f /boot/kernel%{armtarget}.img ]; then
    #only restore kernel%{armtarget}.img if it exists, we may have moved to initramfs
    cp $(ls -1 /boot/kernel-*-*|sort -V|tail -1) /boot/kernel%{armtarget}.img
 fi
-cp $(ls -1d /usr/share/%{name}-kernel/*-*/|sort -V|tail -1)/boot/*.dtb /boot/
-cp $(ls -1d /usr/share/%{name}-kernel/*-*/|sort -V|tail -1)/boot/overlays/*.dtb* /boot/overlays/
-cp $(ls -1d /usr/share/%{name}-kernel/*-*/|sort -V|tail -1)/boot/overlays/README /boot/overlays/
+if [ -f /boot/initramfs%{armtarget} ]; then
+    cp $(ls -1 /boot/initramfs-*-*|sort -V| tail -1) /boot/initramfs%{armtarget}
+fi
+cp $(ls -1d /usr/share/%{name}-kernel%{?ksuffix}/*-*/|sort -V|tail -1)/boot/*.dtb /boot/
+cp $(ls -1d /usr/share/%{name}-kernel%{?ksuffix}/*-*/|sort -V|tail -1)/boot/overlays/*.dtb* /boot/overlays/
+cp $(ls -1d /usr/share/%{name}-kernel%{?ksuffix}/*-*/|sort -V|tail -1)/boot/overlays/README /boot/overlays/
 cp $(ls -1 /boot/config-kernel-*-*|sort -V|tail -1) /boot/config-kernel.inc


@ -277,20 +480,164 @@ cp $(ls -1 /boot/config-kernel-*-*|sort -V|tail -1) /boot/config-kernel.inc
 %defattr(-,root,root)
 /usr/src/kernels/%{version}-%{release}

+%if 0%{?rhel} >= 10
+%files kernel%{?ksuffix}-modules
+# empty package
+%defattr(-,root,root)

-#%files kernel-firmware
-#%defattr(-,root,root)
-#/lib/firmware/*
+%files kernel%{?ksuffix}-modules-core
+# empty package
+%defattr(-,root,root)

+%files kernel%{?ksuffix}-modules-extra
+# empty package
+%defattr(-,root,root)

+%files kernel%{?ksuffix}-modules-extra-matched
+# empty package
+%defattr(-,root,root)
+%endif
+%endif
+
+%if %{with_tools}
+%files kernel%{?ksuffix}-tools -f cpupower.lang
+%{_bindir}/cpupower
+%{_datadir}/bash-completion/completions/cpupower
+%{_unitdir}/cpupower.service
+%{_mandir}/man[1-8]/cpupower*
+%config(noreplace) %{_sysconfdir}/sysconfig/cpupower
+%{_bindir}/tmon
+%{_bindir}/iio_event_monitor
+%{_bindir}/iio_generic_buffer
+%{_bindir}/lsiio
+%{_bindir}/lsgpio
+%{_bindir}/gpio-hammer
+%{_bindir}/gpio-event-mon
+%{_bindir}/gpio-watch
+%{_mandir}/man1/kvm_stat*
+%{_bindir}/kvm_stat
+%{_unitdir}/kvm_stat.service
+%config(noreplace) %{_sysconfdir}/logrotate.d/kvm_stat
+%{_bindir}/page_owner_sort
+%{_bindir}/slabinfo
+
+%files kernel%{?ksuffix}-tools-libs
+%{_libdir}/libcpupower.so.1
+%{_libdir}/libcpupower.so.0.0.1
+
+%files kernel%{?ksuffix}-tools-libs-devel
+%{_libdir}/libcpupower.so
+%{_includedir}/cpufreq.h
+%{_includedir}/cpuidle.h
+%{_includedir}/powercap.h
+%endif
+
+%if %{with_firmware}
 %files firmware
 %defattr(-,root,root,-)
 /boot/bootcode.bin
 /boot/fixup*
 /boot/start*
 %doc /boot/LICENCE.broadcom
+%endif
+
+%if %{with_headers}
+%files kernel%{?ksuffix}-headers
+/usr/include/*
+%exclude %{_includedir}/cpufreq.h
+%exclude %{_includedir}/internal/
+%exclude %{_includedir}/perf/
+%endif

 %changelog
+* Thu May 14 2026 Koichiro Iwao <meta@almalinux.org> - 6.12.47-20250916.v8.6
+- net: skbuff: propagate shared-frag marker through pskb_copy() {CVE-2026-46300}
+- ptrace: require CAP_SYS_PTRACE when task has no mm {CVE-2026-46333}
+
+* Fri May 08 2026 Koichiro Iwao <meta@almalinux.org> - 6.12.47-20250916.v8.5
+- rxrpc: linearize incoming DATA packet when it has paged frags {CVE-2026-43500}
+- xfrm: esp: avoid in-place decrypt on shared skb frags {CVE-2026-43284}
+
+* Thu Apr 30 2026 Koichiro Iwao <meta@almalinux.org> - 6.12.47-20250916.v8.4
+- Update CVE-2026-31431 patch to include more upstream commits 
+
+* Thu Apr 30 2026 Koichiro Iwao <meta@almalinux.org> - 6.12.47-20250916.v8.3
+- Apply fix for CVE-2026-31431 Copy Fail
+
+* Mon Mar 02 2026 Koichiro Iwao <meta@almalinux.org> - 6.12.47-20250916.v8.2
+- Add a pseudo subpackage -modules-extra-matched to resolve dependency issue
+
+* Fri Oct 03 2025 Koichiro Iwao <meta@almalinux.org> - 6.12.47-20250916.v8.1
+- Update kernel to v6.12.47 stable_20250916
+- Make it buildable on Fedora
+
+* Wed Sep 24 2025 Ryosuke Nakayama <ryosuke_666@icloud.com> - 6.12.34-20250702.v8.2
+- Update firmware to 1.20250915
+
+* Wed Jul 09 2025 Koichiro Iwao <meta@almalinux.org> - 6.12.34-20250702.v8.1
+- Update kernel to v6.12.34 stable_20240702
+
+* Mon Jun 23 2025 Koichiro Iwao <meta@almalinux.org> - 6.12.25-20250428.v8.2
+- Reintroduce initramfs for XFS / LUKS
+  https://github.com/AlmaLinux/raspberry-pi/issues/65
+  https://github.com/AlmaLinux/raspberry-pi/issues/86 
+
+* Mon May 26 2025 Koichiro Iwao <meta@almalinux.org> - 6.12.25-20250428.v8.1
+- Update kernel to v6.12.25 stable_20250428
+- Update firmware to 1.20250430
+- Regenerate patches
+- Use the consistent directory under /usr/share with the package name
+- Enable EROFS bootc container (contributed by Kevin Fox)
+- Fixes to enable bootc (contributed by Kevin Fox)
+
+* Mon Jan 27 2025 Koichiro Iwao <meta@almalinux.org> - 6.12.1-20241206.v8.2
+- Add pseudo subpackages for kernel modules to resolve dependency issue
+- The main kernel package now provides kernel-core
+- Convert license to SPDX expression 
+- Remove dracut as initramfs is not needed (mentioned in 4.4.21-2)
+
+* Wed Dec 25 2024 Koichiro Iwao <meta@almalinux.org> - 6.12.1-20241206.v8.1
+- Update kernel to v6.12.1 rpi-6.12.y_20241206_2
+- Update firmware to 1.20241126
+
+* Tue Nov 12 2024 Koichiro Iwao <meta@almalinux.org> - 6.12.0-20241111.v8.1
+- Update kernel to v6.12.0-rc7 20241110 bf70ebd2
+
+* Tue Nov 12 2024 Koichiro Iwao <meta@almalinux.org> - 6.11.7-20241110.v8.1
+- Update kernel to v6.11.7 20241110 efda653d
+
+* Fri Nov 08 2024 Koichiro Iwao <meta@almalinux.org> - 6.6.51-20241008.v8.2
+- Fix build for AL10 Kitten
+
+* Mon Oct 21 2024 Koichiro Iwao <meta@almalinux.org> - 6.6.51-20241008.v8.1
+- Update kernel to version v6.6.51 stable_20241008
+- Update firmware to 1.20241008
+
+* Thu Sep 05 2024 Koichiro Iwao <meta@almalinux.org> - 6.6.31-20240529.v8.4
+- Add kernel-headers subpackage
+
+* Fri Aug 30 2024 Andrew Lukoshko <alukoshko@almalinux.org> - 6.6.31-20240529.v8.3
+- Fix kernel-tools dependencies
+
+* Thu Jun 20 2024 Koichiro Iwao <meta@almalinux.org> - 6.6.31-20240529.v8.2
+- Add kernel-tools to optimize CPU clock (cpupower.service)
+
+* Mon Jun 10 2024 Koichiro Iwao <meta@almalinux.org> - 6.6.31-20240529.v8.1
+- Update to v6.6.31 stable_20240529
+
+* Tue Jun 04 2024 Koichiro Iwao <meta@almalinux.org> - 6.6.28-20240423.v8.2
+- Add installonlypkg(kernel) to kernel and -devel subpackages 
+  Resolves: https://github.com/AlmaLinux/raspberry-pi/issues/39
+  See also: https://src.fedoraproject.org/rpms/kernel/c/aba3940
+
+* Thu May 30 2024 Koichiro Iwao <meta@almalinux.org> - 6.6.28-20240423.v8.1
+- Update to version v6.6.28
+- Support both Raspberry Pi 4 and 5
+- Refine package based on Linux for Raspberry Pi (raspberrypi/linux)
+- Generate gzip compressed kernel image
+- Drop armv7hl support
+- Drop EL7 support
+
 * Sun Jun 04 2023 Pablo Greco <pgreco@centosproject.org> - 6.1.31
 - Update to version v6.1.31
Author	SHA1	Message	Date
Koichiro Iwao	637232f87f	Apply ssh-keysign-pwn fix (cherry picked from commit `1b378ac076`)	2026-05-18 13:02:29 +00:00
Koichiro Iwao	b91ed68b31	Apply Fragnesia fixes (cherry picked from commit `527de344c7`)	2026-05-15 08:46:44 +00:00
Koichiro Iwao	7e436cbe54	Merge pull request 'Apply Dirty Frag fixes' (#37 ) from metalefty/raspberrypi:a9 into a9 Reviewed-on: #37	2026-05-08 13:05:37 +00:00
Koichiro Iwao	68486b4b3a	Apply Dirty Frag fixes (cherry picked from commit `ea0ac154cf`)	2026-05-08 08:52:42 +00:00
Koichiro Iwao	15cf77c3f3	Merge pull request 'Update CVE-2026-31431 patch to include more upstream commits' (#35 ) from metalefty/raspberrypi:a9 into a9 Reviewed-on: #35	2026-04-30 15:09:52 +00:00
Koichiro Iwao	8d26eb907e	Update CVE-2026-31431 patch to include more upstream commits (cherry picked from commit `f9abe6d6e4`)	2026-04-30 14:20:43 +00:00
Koichiro Iwao	0f9b8a0510	Merge pull request 'Sync with a10' (#33 ) from metalefty/raspberrypi:a9 into a9 Reviewed-on: #33	2026-04-30 08:09:18 +00:00
Koichiro Iwao	b4df67967b	Apply fix for CVE-2026-31431 Copy Fail (cherry picked from commit `b9bc6b4858`)	2026-04-30 02:56:09 +00:00
Koichiro Iwao	0f497a26a8	Add a pseudo subpackage -modules-extra-matched to resolve dependency issue (cherry picked from commit `52258891d4`)	2026-04-30 02:56:02 +00:00
Andrew Lukoshko	c215a95f3e	Merge pull request 'Sync with a10' (#30 ) from metalefty/raspberrypi:a9 into a9 Reviewed-on: #30	2025-10-07 08:25:14 +00:00
Koichiro Iwao	12da461068	Update kernel to v6.12.47 stable_20250916 (cherry picked from commit `7e3eb0e36b`)	2025-10-07 07:11:12 +00:00
Andrew Lukoshko	d4e40de57b	Update .raspberrypi2.metadata with new sources (cherry picked from commit `e4f802b73b`)	2025-10-07 07:11:12 +00:00
ryosuke-nakayama	9be423ad06	Update firmware to 1.20250915 (cherry picked from commit `755dc489f9`)	2025-10-07 07:11:12 +00:00
Andrew Lukoshko	9fa6c5ff1e	Merge pull request 'Update kernel to v6.12.34 stable_20240702' (#27 ) from metalefty/raspberrypi:a9 into a9 Reviewed-on: #27	2025-07-18 15:18:25 +00:00
Koichiro Iwao	5de771047f	Update kernel to v6.12.34 stable_20240702 (cherry picked from commit `e1b954d5fb`)	2025-07-17 13:43:06 +09:00
Andrew Lukoshko	33a18106a9	Merge pull request 'Sync with a10, reintroduce initramfs' (#25 ) from metalefty/raspberrypi:a9-initramfs into a9 Reviewed-on: #25	2025-06-30 12:03:16 +00:00
Koichiro Iwao	af6ad76c4b	Sync with a10, reintroduce initramfs	2025-06-24 16:36:15 +09:00
Andrew Lukoshko	0572266e92	Merge pull request 'Update to 6.12.25 stable_20250428' (#21 ) from metalefty/raspberrypi:a9 into a9 Reviewed-on: #21	2025-05-26 14:18:37 +00:00
Koichiro Iwao	6627c4c42b	Update to 6.12.25 stable_20250428	2025-05-26 22:52:02 +09:00
Andrew Lukoshko	eebe4c438d	Merge pull request 'Fixes to enable bootc' (#19 ) from metalefty/raspberrypi:a9-bootc into a9 Reviewed-on: #19	2025-05-19 09:18:57 +00:00
Koichiro Iwao	863a2f1858	Bump package version and update changelog	2025-05-19 18:11:20 +09:00
Koichiro Iwao	b560a57125	Add existence checks before moving bootc related files	2025-05-19 18:10:18 +09:00
Koichiro Iwao	0a27438f03	Fixes to enable bootc Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>	2025-04-03 13:30:05 +09:00
Koichiro Iwao	49f7d4205e	Enable EROFS	2025-04-01 15:56:09 +09:00
Koichiro Iwao	9820b4550a	Use the consistent directory under /usr/share with the package name	2025-03-28 17:52:28 +09:00
Andrew Lukoshko	a9965eae4e	Merge pull request 'Update to v6.6.74 stable_20250127' (#16 ) from metalefty/raspberrypi:a9 into a9 Reviewed-on: #16	2025-02-20 14:59:40 +00:00
Koichiro Iwao	0707826cc8	Update to v6.6.74 stable_20250127 While here, Remove dracut as initramfs is not needed.	2025-02-20 16:21:12 +09:00
Andrew Lukoshko	438247604a	Update sources metadata	2024-10-25 13:11:01 +00:00
Andrew Lukoshko	0c7ed5e275	Merge pull request 'Update to v6.6.51 stable_20241008' (#12 ) from metalefty/raspberrypi:a9 into a9 Reviewed-on: #12	2024-10-22 20:32:44 +00:00
Koichiro Iwao	629db978e7	Update to v6.6.51 stable_20241008	2024-10-21 05:41:18 +00:00
Andrew Lukoshko	c9fe821615	Merge pull request 'Add kernel-headers subpackage' (#9 ) from metalefty/raspberrypi:a9 into a9 Reviewed-on: #9	2024-09-24 13:37:29 +00:00
Koichiro Iwao	e0ac6af001	Add kernel-headers subpackage	2024-09-05 18:31:15 +09:00
Andrew Lukoshko	7922b49d1c	a9-kernel-tools-fix (#7 ) Reviewed-on: #7 Co-authored-by: Andrew Lukoshko <andrew.lukoshko@gmail.com> Co-committed-by: Andrew Lukoshko <andrew.lukoshko@gmail.com>	2024-09-04 09:10:30 +00:00
Andrew Lukoshko	0d7acfc5f7	Merge pull request 'Add kernel-tools to optimize CPU clock (cpupower.service)' (#5 ) from metalefty/raspberrypi:a9 into a9 Reviewed-on: #5	2024-06-24 11:58:09 +00:00
Koichiro Iwao	bf0795b47b	Add kernel-tools to optimize CPU clock (cpupower.service)	2024-06-21 06:07:31 +00:00
Andrew Lukoshko	fc957b49f9	Merge pull request 'Add installonlypkg(kernel) to kernel and -devel subpackages and update to v6.6.31' (#2 ) from metalefty/raspberrypi:a9 into a9 Reviewed-on: #2	2024-06-13 08:27:45 +00:00
Koichiro Iwao	176ca9d665	Update to v6.6.31 stable_20240529	2024-06-13 07:15:22 +00:00
Koichiro Iwao	5d99ce2b74	Add installonlypkg(kernel) to kernel and -devel subpackages Resolves: https://github.com/AlmaLinux/raspberry-pi/issues/39 See also: https://src.fedoraproject.org/rpms/kernel/c/aba3940	2024-06-04 09:12:46 +00:00
Andrew Lukoshko	1168a780ef	Merge pull request 'Update to 6.6.28 and Raspberry Pi 5 support' (#1 ) from metalefty/raspberrypi:a9 into a9 Reviewed-on: #1	2024-05-31 09:28:17 +00:00
Koichiro Iwao	063e282cb8	Update to 6.6.28 and Raspberry Pi 5 support	2024-05-30 08:17:30 +00:00