[rocky10_2] History Rebuild through kernel-6.12.0-211.20.1.el10_2#1315
Merged
Conversation
…d_iter et.al jira KERNEL-1122 cve CVE-2025-38653 Rebuild_History Non-Buildable kernel-6.12.0-211.20.1.el10_2 commit-author wangzijie <wangzijie1@honor.com> commit ff7ec8d Check pde->proc_ops->proc_lseek directly may cause UAF in rmmod scenario. It's a gap in proc_reg_open() after commit 654b33a("proc: fix UAF in proc_get_inode()"). Followed by AI Viro's suggestion, fix it in same manner. Link: https://lkml.kernel.org/r/20250607021353.1127963-1-wangzijie1@honor.com Fixes: 3f61631 ("take care to handle NULL ->proc_lseek()") Signed-off-by: wangzijie <wangzijie1@honor.com> Reviewed-by: Alexey Dobriyan <adobriyan@gmail.com> Cc: Alexei Starovoitov <ast@kernel.org> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: "Edgecombe, Rick P" <rick.p.edgecombe@intel.com> Cc: Kirill A. Shuemov <kirill.shutemov@linux.intel.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> (cherry picked from commit ff7ec8d) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1122 cve CVE-2025-38653 Rebuild_History Non-Buildable kernel-6.12.0-211.20.1.el10_2 commit-author wangzijie <wangzijie1@honor.com> commit 2ce3d28 To avoid potential UAF issues during module removal races, we use pde_set_flags() to save proc_ops flags in PDE itself before proc_register(), and then use pde_has_proc_*() helpers instead of directly dereferencing pde->proc_ops->*. However, the pde_set_flags() call was missing when creating net related proc files. This omission caused incorrect behavior which FMODE_LSEEK was being cleared inappropriately in proc_reg_open() for net proc files. Lars reported it in this link[1]. Fix this by ensuring pde_set_flags() is called when register proc entry, and add NULL check for proc_ops in pde_set_flags(). [wangzijie1@honor.com: stash pde->proc_ops in a local const variable, per Christian] Link: https://lkml.kernel.org/r/20250821105806.1453833-1-wangzijie1@honor.com Link: https://lkml.kernel.org/r/20250818123102.959595-1-wangzijie1@honor.com Link: https://lore.kernel.org/all/20250815195616.64497967@chagall.paradoxon.rec/ [1] Fixes: ff7ec8d ("proc: use the same treatment to check proc_lseek as ones for proc_read_iter et.al") Signed-off-by: wangzijie <wangzijie1@honor.com> Reported-by: Lars Wendler <polynomial-c@gmx.de> Tested-by: Stefano Brivio <sbrivio@redhat.com> Tested-by: Petr Vaněk <pv@excello.cz> Tested by: Lars Wendler <polynomial-c@gmx.de> Cc: Alexei Starovoitov <ast@kernel.org> Cc: Alexey Dobriyan <adobriyan@gmail.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: "Edgecombe, Rick P" <rick.p.edgecombe@intel.com> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Jiri Slaby <jirislaby@kernel.org> Cc: Kirill A. Shutemov <k.shutemov@gmail.com> Cc: wangzijie <wangzijie1@honor.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> (cherry picked from commit 2ce3d28) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1122 cve CVE-2025-38653 Rebuild_History Non-Buildable kernel-6.12.0-211.20.1.el10_2 commit-author wangzijie <wangzijie1@honor.com> commit 0ce9398 Commit 2ce3d28 ("proc: fix missing pde_set_flags() for net proc files") missed a key part in the definition of proc_dir_entry: union { const struct proc_ops *proc_ops; const struct file_operations *proc_dir_ops; }; So dereference of ->proc_ops assumes it is a proc_ops structure results in type confusion and make NULL check for 'proc_ops' not work for proc dir. Add !S_ISDIR(dp->mode) test before calling pde_set_flags() to fix it. Link: https://lkml.kernel.org/r/20250904135715.3972782-1-wangzijie1@honor.com Fixes: 2ce3d28 ("proc: fix missing pde_set_flags() for net proc files") Signed-off-by: wangzijie <wangzijie1@honor.com> Reported-by: Brad Spengler <spender@grsecurity.net> Closes: https://lore.kernel.org/all/20250903065758.3678537-1-wangzijie1@honor.com/ Cc: Alexey Dobriyan <adobriyan@gmail.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Christian Brauner <brauner@kernel.org> Cc: Jiri Slaby <jirislaby@kernel.org> Cc: Stefano Brivio <sbrivio@redhat.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> (cherry picked from commit 0ce9398) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1122 cve CVE-2025-68366 Rebuild_History Non-Buildable kernel-6.12.0-211.20.1.el10_2 commit-author Zheng Qixing <zhengqixing@huawei.com> commit 1649714 There is one use-after-free warning when running NBD_CMD_CONNECT and NBD_CLEAR_SOCK: nbd_genl_connect nbd_alloc_and_init_config // config_refs=1 nbd_start_device // config_refs=2 set NBD_RT_HAS_CONFIG_REF open nbd // config_refs=3 recv_work done // config_refs=2 NBD_CLEAR_SOCK // config_refs=1 close nbd // config_refs=0 refcount_inc -> uaf ------------[ cut here ]------------ refcount_t: addition on 0; use-after-free. WARNING: CPU: 24 PID: 1014 at lib/refcount.c:25 refcount_warn_saturate+0x12e/0x290 nbd_genl_connect+0x16d0/0x1ab0 genl_family_rcv_msg_doit+0x1f3/0x310 genl_rcv_msg+0x44a/0x790 The issue can be easily reproduced by adding a small delay before refcount_inc(&nbd->config_refs) in nbd_genl_connect(): mutex_unlock(&nbd->config_lock); if (!ret) { set_bit(NBD_RT_HAS_CONFIG_REF, &config->runtime_flags); + printk("before sleep\n"); + mdelay(5 * 1000); + printk("after sleep\n"); refcount_inc(&nbd->config_refs); nbd_connect_reply(info, nbd->index); } Fixes: e46c728 ("nbd: add a basic netlink interface") Signed-off-by: Zheng Qixing <zhengqixing@huawei.com> Reviewed-by: Yu Kuai <yukuai@fnnas.com> Signed-off-by: Jens Axboe <axboe@kernel.dk> (cherry picked from commit 1649714) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1122 Rebuild_History Non-Buildable kernel-6.12.0-211.20.1.el10_2 commit-author Herbert Xu <herbert@gondor.apana.org.au> commit 96feb73 When authenc is invoked with MAY_BACKLOG, it needs to pass EINPROGRESS notifications back up to the caller when the underlying algorithm returns EBUSY synchronously. However, if the EBUSY comes from the second part of an authenc call, i.e., it is asynchronous, both the EBUSY and the subsequent EINPROGRESS notification must not be passed to the caller. Implement this by passing a mask to the function that starts the second half of authenc and using it to determine whether EBUSY and EINPROGRESS should be passed to the caller. This was a deficiency in the original implementation of authenc because it was not expected to be used with MAY_BACKLOG. Reported-by: Ingo Franzki <ifranzki@linux.ibm.com> Reported-by: Mikulas Patocka <mpatocka@redhat.com> Fixes: 180ce7e ("crypto: authenc - Add EINPROGRESS check") Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> (cherry picked from commit 96feb73) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1122 Rebuild_History Non-Buildable kernel-6.12.0-211.20.1.el10_2 commit-author Ivan Vecera <ivecera@redhat.com> commit 4845f2f Replace the five per-variant zl3073x_chip_info structures and their exported symbol definitions with a single consolidated chip ID lookup table. The chip variant is now detected at runtime by reading the chip ID register from hardware and looking it up in the table, rather than being selected at compile time via the bus driver match data. Repurpose struct zl3073x_chip_info to hold a single chip ID, its channel count, and a flags field. Introduce enum zl3073x_flags with ZL3073X_FLAG_REF_PHASE_COMP_32 to replace the chip_id switch statement in zl3073x_dev_is_ref_phase_comp_32bit(). Store a pointer to the detected chip_info entry in struct zl3073x_dev for runtime access. This simplifies the bus drivers by removing per-variant .data and .driver_data references from the I2C/SPI match tables, and makes adding support for new chip variants a single-line table addition. Signed-off-by: Ivan Vecera <ivecera@redhat.com> Link: https://patch.msgid.link/20260227105300.710272-2-ivecera@redhat.com Reviewed-by: Simon Horman <horms@kernel.org> Signed-off-by: Paolo Abeni <pabeni@redhat.com> (cherry picked from commit 4845f2f) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1122 Rebuild_History Non-Buildable kernel-6.12.0-211.20.1.el10_2 commit-author Ivan Vecera <ivecera@redhat.com> commit 3a97e02 Some zl3073x chip variants (0x1Exx, 0x2Exx and 0x3FC4) provide a die temperature status register with 0.1 C resolution. Add a ZL3073X_FLAG_DIE_TEMP chip flag to identify these variants and implement zl3073x_dpll_temp_get() as the dpll_device_ops.temp_get callback. The register value is converted from 0.1 C units to millidegrees as expected by the DPLL subsystem. To support per-instance ops selection, copy the base dpll_device_ops into struct zl3073x_dpll and conditionally set .temp_get during device registration based on the chip flag. Signed-off-by: Ivan Vecera <ivecera@redhat.com> Link: https://patch.msgid.link/20260227105300.710272-3-ivecera@redhat.com Reviewed-by: Simon Horman <horms@kernel.org> Signed-off-by: Paolo Abeni <pabeni@redhat.com> (cherry picked from commit 3a97e02) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1122 Rebuild_History Non-Buildable kernel-6.12.0-211.20.1.el10_2 commit-author Ivan Vecera <ivecera@redhat.com> commit f327f5a Organize the zl3073x_out, zl3073x_ref, and zl3073x_synth structures using struct_group() to partition fields into semantic groups: * cfg: mutable configuration written to HW via state_set * inv: invariant fields set once during state_fetch * stat: read-only status This enables group-level operations in place of field-by-field copies: * state_set validates invariants haven't changed (WARN_ON + -EINVAL) * state_set short-circuits when cfg is unchanged * state_set copy entire groups in a single assignment instead of enumerating each field Add kernel doc for zl3073x_out_state_set and zl3073x_ref_state_set documenting the new invariant validation and short-circuit semantics. Remove forward declaration of zl3073x_synth_state_set(). Signed-off-by: Ivan Vecera <ivecera@redhat.com> Link: https://patch.msgid.link/20260315174224.399074-2-ivecera@redhat.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> (cherry picked from commit f327f5a) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1122 Rebuild_History Non-Buildable kernel-6.12.0-211.20.1.el10_2 commit-author Ivan Vecera <ivecera@redhat.com> commit 05ea2ab Extract the per-reference monitor status HW read into a dedicated zl3073x_ref_state_update() helper in the ref module. Rename zl3073x_dev_ref_status_update() to zl3073x_dev_ref_states_update() and use the new helper in it. Call it from zl3073x_ref_state_fetch() as well so that mon_status is initialized at device startup. This keeps direct register access and struct field writes behind the ref module's interface, consistent with the state management pattern used for other ref operations. Signed-off-by: Ivan Vecera <ivecera@redhat.com> Link: https://patch.msgid.link/20260315174224.399074-3-ivecera@redhat.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> (cherry picked from commit 05ea2ab) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1122 Rebuild_History Non-Buildable kernel-6.12.0-211.20.1.el10_2 commit-author Ivan Vecera <ivecera@redhat.com> commit 3032e95 Extract DPLL channel state management into a dedicated zl3073x_chan module, following the pattern already established by zl3073x_ref, zl3073x_out and zl3073x_synth. The new struct zl3073x_chan caches the raw mode_refsel register value in a cfg group with inline getters and setters to extract and update the bitfields. Three standard state management functions are provided: - zl3073x_chan_state_fetch: read the mode_refsel register from HW - zl3073x_chan_state_get: return cached channel state - zl3073x_chan_state_set: write changed state to HW, skip if unchanged The channel state array chan[ZL3073X_MAX_CHANNELS] is added to struct zl3073x_dev. Channel state is fetched as part of zl3073x_dev_state_fetch, using the chip-specific channel count. The refsel_mode and forced_ref fields are removed from struct zl3073x_dpll and all direct register accesses in dpll.c are replaced with the new chan state operations. Signed-off-by: Ivan Vecera <ivecera@redhat.com> Link: https://patch.msgid.link/20260315174224.399074-4-ivecera@redhat.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> (cherry picked from commit 3032e95) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1122 Rebuild_History Non-Buildable kernel-6.12.0-211.20.1.el10_2 commit-author Ivan Vecera <ivecera@redhat.com> commit 41bab55 Add mon_status and refsel_status fields to struct zl3073x_chan in a stat group to cache the 'dpll_mon_status' and 'dpll_refsel_status' registers. Add zl3073x_chan_lock_state_get(), zl3073x_chan_is_ho_ready(), zl3073x_chan_refsel_state_get() and zl3073x_chan_refsel_ref_get() inline helpers for reading cached state, and zl3073x_chan_state_update() for refreshing both registers from hardware. Call it from zl3073x_chan_state_fetch() as well so that channel status is initialized at device startup. Call zl3073x_dev_chan_states_update() from the periodic work to keep the cached state up to date and convert zl3073x_dpll_lock_status_get() and zl3073x_dpll_selected_ref_get() to use the cached state via the new helpers instead of direct register reads. Signed-off-by: Ivan Vecera <ivecera@redhat.com> Link: https://patch.msgid.link/20260315174224.399074-5-ivecera@redhat.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> (cherry picked from commit 41bab55) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1122 Rebuild_History Non-Buildable kernel-6.12.0-211.20.1.el10_2 commit-author Ivan Vecera <ivecera@redhat.com> commit f6b075b Cache the ZL_REG_DPLL_REF_PRIO registers in the zl3073x_chan cfg group. These mailbox-based registers store per-reference priority values (4 bits each, P/N packed) used for automatic reference selection. Add ref_prio[] array to struct zl3073x_chan and provide inline helpers zl3073x_chan_ref_prio_get(), zl3073x_chan_ref_prio_set(), and zl3073x_chan_ref_is_selectable() for nibble-level access and priority queries. Extend state_fetch and state_set with DPLL mailbox operations to read and write the priority registers. Replace the ad-hoc zl3073x_dpll_ref_prio_get/set functions in dpll.c with the cached state pattern, removing direct mailbox access from the DPLL layer. This also simplifies pin registration since reading priority from cached state cannot fail. Remove the pin->selectable flag from struct zl3073x_dpll_pin and derive the selectable state from the cached ref priority via zl3073x_chan_ref_is_selectable(), eliminating a redundant cache. Inline zl3073x_dpll_selected_ref_set() into zl3073x_dpll_input_pin_state_on_dpll_set(), unifying all manual and automatic mode paths to commit changes through a single zl3073x_chan_state_set() call at the end of the function. Move hardware limit constants from core.h to regs.h so that chan.h can reference ZL3073X_NUM_REFS for the ref_prio array size. Signed-off-by: Ivan Vecera <ivecera@redhat.com> Link: https://patch.msgid.link/20260315174224.399074-6-ivecera@redhat.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> (cherry picked from commit f6b075b) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1122 Rebuild_History Non-Buildable kernel-6.12.0-211.20.1.el10_2 commit-author Ivan Vecera <ivecera@redhat.com> commit acee049 The HW reports the currently selected reference in the dpll_refsel_status register regardless of the DPLL mode. Use this to delete zl3073x_dpll_selected_ref_get() and have callers read the register directly via the cached channel state. Simplify zl3073x_dpll_connected_ref_get() to check refsel_state for LOCK directly and return the reference index, changing the return type from int to u8. The redundant ref_is_status_ok check is removed since the DPLL cannot be in LOCK state with a failed reference. In zl3073x_dpll_mode_set(), replace the selected_ref_get() call with zl3073x_chan_refsel_ref_get() to read the currently selected reference directly from the cached channel state. Signed-off-by: Ivan Vecera <ivecera@redhat.com> Link: https://patch.msgid.link/20260315174224.399074-7-ivecera@redhat.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> (cherry picked from commit acee049) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1122 Rebuild_History Non-Buildable kernel-6.12.0-211.20.1.el10_2 commit-author Ivan Vecera <ivecera@redhat.com> commit 3fdea79 Add DPLL_A_FREQUENCY_MONITOR device attribute to allow control over the frequency monitor feature. The attribute uses the existing dpll_feature_state enum (enable/disable) and is present in both device-get reply and device-set request. Add DPLL_A_PIN_MEASURED_FREQUENCY pin attribute to expose the measured input frequency in millihertz (mHz). The attribute is present in the pin-get reply. Add DPLL_PIN_MEASURED_FREQUENCY_DIVIDER constant to allow userspace to extract integer and fractional parts. Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev> Signed-off-by: Ivan Vecera <ivecera@redhat.com> Link: https://patch.msgid.link/20260402184057.1890514-2-ivecera@redhat.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> (cherry picked from commit 3fdea79) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1122 Rebuild_History Non-Buildable kernel-6.12.0-211.20.1.el10_2 commit-author Ivan Vecera <ivecera@redhat.com> commit 15ed91a Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-6.12.0-211.20.1.el10_2/15ed91aa.failed Add new callback operations for a dpll device: - freq_monitor_get(..) - to obtain current state of frequency monitor feature from dpll device, - freq_monitor_set(..) - to allow feature configuration. Add new callback operation for a dpll pin: - measured_freq_get(..) - to obtain the measured frequency in mHz. Obtain the feature state value using the get callback and provide it to the user if the device driver implements callbacks. The measured_freq_get pin callback is only invoked when the frequency monitor is enabled. The freq_monitor_get device callback is required when measured_freq_get is provided by the driver. Execute the set callback upon user requests. Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev> Signed-off-by: Ivan Vecera <ivecera@redhat.com> Link: https://patch.msgid.link/20260402184057.1890514-3-ivecera@redhat.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> (cherry picked from commit 15ed91a) Signed-off-by: Jonathan Maple <jmaple@ciq.com> # Conflicts: # include/linux/dpll.h
jira KERNEL-1122 Rebuild_History Non-Buildable kernel-6.12.0-211.20.1.el10_2 commit-author Ivan Vecera <ivecera@redhat.com> commit bfc923b Extract common measurement latch logic from zl3073x_ref_ffo_update() into a new zl3073x_ref_freq_meas_latch() helper and add zl3073x_ref_freq_meas_update() that uses it to latch and read absolute input reference frequencies in Hz. Add meas_freq field to struct zl3073x_ref and the corresponding zl3073x_ref_meas_freq_get() accessor. The measured frequencies are updated periodically alongside the existing FFO measurements. Add freq_monitor boolean to struct zl3073x_dpll and implement the freq_monitor_set/get device callbacks to enable/disable frequency monitoring via the DPLL netlink interface. Implement measured_freq_get pin callback for input pins that returns the measured input frequency in mHz. Reviewed-by: Petr Oros <poros@redhat.com> Signed-off-by: Ivan Vecera <ivecera@redhat.com> Link: https://patch.msgid.link/20260402184057.1890514-4-ivecera@redhat.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> (cherry picked from commit bfc923b) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1122 Rebuild_History Non-Buildable kernel-6.12.0-211.20.1.el10_2 commit-author Ivan Vecera <ivecera@redhat.com> commit 3c8c397 Return -EOPNOTSUPP early in esync_get callbacks when esync is not supported instead of conditionally populating the range at the end. This simplifies the control flow by removing the finish label/goto in the output variant and the conditional range assignment in both input and output variants. Replace open-coded N-div signal format switch statements with zl3073x_out_is_ndiv() helper in esync_get, esync_set and frequency_set callbacks. Reviewed-by: Petr Oros <poros@redhat.com> Reviewed-by: Prathosh Satish <Prathosh.Satish@microchip.com> Signed-off-by: Ivan Vecera <ivecera@redhat.com> Link: https://patch.msgid.link/20260408102716.443099-2-ivecera@redhat.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> (cherry picked from commit 3c8c397) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1122 Rebuild_History Non-Buildable kernel-6.12.0-211.20.1.el10_2 commit-author Ivan Vecera <ivecera@redhat.com> commit 737cb61 Replace open-coded clear-and-set bitfield operations with FIELD_MODIFY(). Reviewed-by: Petr Oros <poros@redhat.com> Reviewed-by: Prathosh Satish <Prathosh.Satish@microchip.com> Signed-off-by: Ivan Vecera <ivecera@redhat.com> Link: https://patch.msgid.link/20260408102716.443099-3-ivecera@redhat.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> (cherry picked from commit 737cb61) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1122 Rebuild_History Non-Buildable kernel-6.12.0-211.20.1.el10_2 commit-author Ivan Vecera <ivecera@redhat.com> commit 63009eb Add ZL_REF_SYNC_CTRL_MODE_REFSYNC_PAIR and ZL_REF_SYNC_CTRL_PAIR register definitions. Add inline helpers to get and set the sync control mode and sync pair fields of the reference sync control register: zl3073x_ref_sync_mode_get/set() - ZL_REF_SYNC_CTRL_MODE field zl3073x_ref_sync_pair_get/set() - ZL_REF_SYNC_CTRL_PAIR field Add inline helpers to get and set the clock type field of the output mode register: zl3073x_out_clock_type_get/set() - ZL_OUTPUT_MODE_CLOCK_TYPE field Convert existing esync callbacks to use the new helpers. Reviewed-by: Petr Oros <poros@redhat.com> Reviewed-by: Prathosh Satish <Prathosh.Satish@microchip.com> Signed-off-by: Ivan Vecera <ivecera@redhat.com> Link: https://patch.msgid.link/20260408102716.443099-4-ivecera@redhat.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> (cherry picked from commit 63009eb) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1122 Rebuild_History Non-Buildable kernel-6.12.0-211.20.1.el10_2 commit-author Ivan Vecera <ivecera@redhat.com> commit 14f269a Add support for ref-sync pair registration using the 'ref-sync-sources' phandle property from device tree. A ref-sync pair consists of a clock reference and a low-frequency sync signal where the DPLL locks to the clock reference but phase-aligns to the sync reference. The implementation: - Stores fwnode handle in zl3073x_dpll_pin during pin registration - Adds ref_sync_get/set callbacks to read and write the sync control mode and pair registers - Validates ref-sync frequency constraints: sync signal must be 8 kHz or less, clock reference must be 1 kHz or more and higher than sync - Excludes sync source from automatic reference selection by setting its priority to NONE on connect; on disconnect the priority is left as NONE and the user must explicitly make the pin selectable again - Iterates ref-sync-sources phandles to register declared pairings via dpll_pin_ref_sync_pair_add() Reviewed-by: Petr Oros <poros@redhat.com> Reviewed-by: Prathosh Satish <Prathosh.Satish@microchip.com> Signed-off-by: Ivan Vecera <ivecera@redhat.com> Link: https://patch.msgid.link/20260408102716.443099-6-ivecera@redhat.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> (cherry picked from commit 14f269a) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1122 cve CVE-2026-31709 Rebuild_History Non-Buildable kernel-6.12.0-211.20.1.el10_2 commit-author Michael Bommarito <michael.bommarito@gmail.com> commit 0a8cf16 Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-6.12.0-211.20.1.el10_2/0a8cf165.failed build_sec_desc() and id_mode_to_cifs_acl() derive a DACL pointer from a server-supplied dacloffset and then use the incoming ACL to rebuild the chmod/chown security descriptor. The original fix only checked that the struct smb_acl header fits before reading dacl_ptr->size or dacl_ptr->num_aces. That avoids the immediate header-field OOB read, but the rewrite helpers still walk ACEs based on pdacl->num_aces with no structural validation of the incoming DACL body. A malicious server can return a truncated DACL that still contains a header, claims one or more ACEs, and then drive replace_sids_and_copy_aces() or set_chmod_dacl() past the validated extent while they compare or copy attacker-controlled ACEs. Factor the DACL structural checks into validate_dacl(), extend them to validate each ACE against the DACL bounds, and use the shared validator before the chmod/chown rebuild paths. parse_dacl() reuses the same validator so the read-side parser and write-side rewrite paths agree on what constitutes a well-formed incoming DACL. Fixes: bc3e9dd ("cifs: Change SIDs in ACEs while transferring file ownership.") Cc: stable@vger.kernel.org Assisted-by: Claude:claude-opus-4-6 Assisted-by: Codex:gpt-5-4 Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com> Signed-off-by: Steve French <stfrench@microsoft.com> (cherry picked from commit 0a8cf16) Signed-off-by: Jonathan Maple <jmaple@ciq.com> # Conflicts: # fs/smb/client/cifsacl.c
jira KERNEL-1122 Rebuild_History Non-Buildable kernel-6.12.0-211.20.1.el10_2 commit-author Michael Bommarito <michael.bommarito@gmail.com> commit 2757ad3 parse_dacl() treats an ACE SID matching sid_unix_NFS_mode as an NFS mode SID and reads sid.sub_auth[2] to recover the mode bits. That assumes the ACE carries three subauthorities, but compare_sids() only compares min(a, b) subauthorities. A malicious server can return an ACE with num_subauth = 2 and sub_auth[] = {88, 3}, which still matches sid_unix_NFS_mode and then drives the sub_auth[2] read four bytes past the end of the ACE. Require num_subauth >= 3 before treating the ACE as an NFS mode SID. This keeps the fix local to the special-SID mode path without changing compare_sids() semantics for the rest of cifsacl. Fixes: e2f8fbf ("cifs: get mode bits from special sid on stat") Cc: stable@vger.kernel.org Assisted-by: Claude:claude-opus-4-6 Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com> Signed-off-by: Steve French <stfrench@microsoft.com> (cherry picked from commit 2757ad3) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1122 Rebuild_History Non-Buildable kernel-6.12.0-211.20.1.el10_2 commit-author Michael Bommarito <michael.bommarito@gmail.com> commit a55a608 Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-6.12.0-211.20.1.el10_2/a55a6088.failed After validate_dacl() was factored out in commit 149822e5541c, the local end_of_dacl in parse_dacl() is only read by the dump_ace() call under #ifdef CONFIG_CIFS_DEBUG2. With CIFS_DEBUG2 off the variable is assigned but never used, which gcc -W=1 flags as -Wunused-but-set-variable. Remove the local and compute the end-of-dacl pointer inline at the single call site inside the existing CIFS_DEBUG2 guard. No functional change: when CIFS_DEBUG2 is enabled the argument value is identical to what the removed local carried; when CIFS_DEBUG2 is disabled the code was already dead. Reported-by: kernel test robot <lkp@intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202604220046.tGkRxVtS-lkp@intel.com/ Fixes: 149822e5541c ("smb: client: validate the whole DACL before rewriting it in cifsacl") Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com> Assisted-by: Claude:claude-opus-4-7 Signed-off-by: Steve French <stfrench@microsoft.com> (cherry picked from commit a55a608) Signed-off-by: Jonathan Maple <jmaple@ciq.com> # Conflicts: # fs/smb/client/cifsacl.c
jira KERNEL-1122 Rebuild_History Non-Buildable kernel-6.12.0-211.20.1.el10_2 commit-author Bjoern Doebel <doebel@amazon.de> commit 5e489c6 Commit 62e7dd0 ("smb: common: change the data type of num_aces to le16") split struct smb_acl's __le32 num_aces field into __le16 num_aces and __le16 reserved. The reserved field corresponds to Sbz2 in the MS-DTYP ACL wire format, which must be zero [1]. When building an ACL descriptor in build_sec_desc(), we are using a kmalloc()'ed descriptor buffer and writing the fields explicitly using le16() writes now. This never writes to the 2 byte reserved field, leaving it as uninitialized heap data. When the reserved field happens to contain non-zero slab garbage, Samba rejects the security descriptor with "ndr_pull_security_descriptor failed: Range Error", causing chmod to fail with EINVAL. Change kmalloc() to kzalloc() to ensure the entire buffer is zero-initialized. Fixes: 62e7dd0 ("smb: common: change the data type of num_aces to le16") Cc: stable@vger.kernel.org Signed-off-by: Bjoern Doebel <doebel@amazon.de> Assisted-by: Kiro:claude-opus-4.6 [1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/20233ed8-a6c6-4097-aafa-dd545ed24428 Signed-off-by: Steve French <stfrench@microsoft.com> (cherry picked from commit 5e489c6) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1122 Rebuild_History Non-Buildable kernel-6.12.0-211.20.1.el10_2 commit-author Michael Bommarito <michael.bommarito@gmail.com> commit f98b481 parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor. On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths. Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points. Fixes: bc3e9dd ("cifs: Change SIDs in ACEs while transferring file ownership.") Cc: stable@vger.kernel.org Assisted-by: Claude:claude-opus-4-6 Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com> Signed-off-by: Steve French <stfrench@microsoft.com> (cherry picked from commit f98b481) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1122 cve CVE-2026-43329 Rebuild_History Non-Buildable kernel-6.12.0-211.20.1.el10_2 commit-author Pablo Neira Ayuso <pablo@netfilter.org> commit 76522fc The maximum number of flowtable hardware offload actions in IPv6 is: * ethernet mangling (4 payload actions, 2 for each ethernet address) * SNAT (4 payload actions) * DNAT (4 payload actions) * Double VLAN (4 vlan actions, 2 for popping vlan, and 2 for pushing) for QinQ. * Redirect (1 action) Which makes 17, while the maximum is 16. But act_ct supports for tunnels actions too. Note that payload action operates at 32-bit word level, so mangling an IPv6 address takes 4 payload actions. Update flow_action_entry_next() calls to check for the maximum number of supported actions. While at it, rise the maximum number of actions per flow from 16 to 24 so this works fine with IPv6 setups. Fixes: c29f74e ("netfilter: nf_flow_table: hardware offload support") Reported-by: Hyunwoo Kim <imv4bel@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> (cherry picked from commit 76522fc) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1122 Rebuild_History Non-Buildable kernel-6.12.0-211.20.1.el10_2 commit-author Luiz Augusto von Dentz <luiz.von.dentz@intel.com> commit 33b2835 This adds PAST related commands (HCI_OP_LE_PAST, HCI_OP_LE_PAST_SET_INFO and HCI_OP_LE_PAST_PARAMS) and events (HCI_EV_LE_PAST_RECEIVED) along with handling of PAST sender and receiver features bits including new MGMG settings ( HCI_EV_LE_PAST_RECEIVED and MGMT_SETTING_PAST_RECEIVER) which userspace can use to determine if PAST is supported by the controller. Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> (cherry picked from commit 33b2835) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1122 Rebuild_History Non-Buildable kernel-6.12.0-211.20.1.el10_2 commit-author Luiz Augusto von Dentz <luiz.von.dentz@intel.com> commit d341370 Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-6.12.0-211.20.1.el10_2/d3413703.failed This makes it possible to bind to a different destination address after being connected (BT_CONNECTED, BT_CONNECT2) which then triggers PAST Sender proceedure to transfer the PA Sync to the destination address. Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> (cherry picked from commit d341370) Signed-off-by: Jonathan Maple <jmaple@ciq.com> # Conflicts: # net/bluetooth/iso.c
jira KERNEL-1122 Rebuild_History Non-Buildable kernel-6.12.0-211.20.1.el10_2 commit-author Luiz Augusto von Dentz <luiz.von.dentz@intel.com> commit a106e50 Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-6.12.0-211.20.1.el10_2/a106e50b.failed This adds support for emulating LL Extended Feature Set introduced in 6.0 that adds the following: Commands: - HCI_LE_Read_All_Local_Supported_Features(0x2087)(Feature:47,1) - HCI_LE_Read_All_Remote_Features(0x2088)(Feature:47,2) Events: - HCI_LE_Read_All_Remote_Features_Complete(0x2b)(Mask bit:42) Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> (cherry picked from commit a106e50) Signed-off-by: Jonathan Maple <jmaple@ciq.com> # Conflicts: # include/net/bluetooth/hci_sync.h # net/bluetooth/hci_sync.c
jira KERNEL-1122 Rebuild_History Non-Buildable kernel-6.12.0-211.20.1.el10_2 commit-author Luiz Augusto von Dentz <luiz.von.dentz@intel.com> commit 129d1ef Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-6.12.0-211.20.1.el10_2/129d1ef3.failed conn->le_{tx,rx}_phy is not actually a bitfield as it set by HCI_EV_LE_PHY_UPDATE_COMPLETE it is actually correspond to the current PHY in use not what is supported by the controller, so this introduces different fields (conn->le_{tx,rx}_def_phys) to track what PHYs are supported by the connection. Fixes: eab2404 ("Bluetooth: Add BT_PHY socket option") Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> (cherry picked from commit 129d1ef) Signed-off-by: Jonathan Maple <jmaple@ciq.com> # Conflicts: # net/bluetooth/hci_event.c
jira KERNEL-1122 Rebuild_History Non-Buildable kernel-6.12.0-211.20.1.el10_2 commit-author Luiz Augusto von Dentz <luiz.von.dentz@intel.com> commit 132c077 Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-6.12.0-211.20.1.el10_2/132c0779.failed This enables client to use setsockopt(BT_PHY) to set the connection packet type/PHY: Example setting BT_PHY_BR_1M_1SLOT: < HCI Command: Change Conne.. (0x01|0x000f) plen 4 Handle: 1 Address: 00:AA:01:01:00:00 (Intel Corporation) Packet type: 0x331e 2-DH1 may not be used 3-DH1 may not be used DM1 may be used DH1 may be used 2-DH3 may not be used 3-DH3 may not be used 2-DH5 may not be used 3-DH5 may not be used > HCI Event: Command Status (0x0f) plen 4 Change Connection Packet Type (0x01|0x000f) ncmd 1 Status: Success (0x00) > HCI Event: Connection Packet Typ.. (0x1d) plen 5 Status: Success (0x00) Handle: 1 Address: 00:AA:01:01:00:00 (Intel Corporation) Packet type: 0x331e 2-DH1 may not be used 3-DH1 may not be used DM1 may be used DH1 may be used 2-DH3 may not be used 3-DH3 may not be used 2-DH5 may not be used Example setting BT_PHY_LE_1M_TX and BT_PHY_LE_1M_RX: < HCI Command: LE Set PHY (0x08|0x0032) plen 7 Handle: 1 Address: 00:AA:01:01:00:00 (Intel Corporation) All PHYs preference: 0x00 TX PHYs preference: 0x01 LE 1M RX PHYs preference: 0x01 LE 1M PHY options preference: Reserved (0x0000) > HCI Event: Command Status (0x0f) plen 4 LE Set PHY (0x08|0x0032) ncmd 1 Status: Success (0x00) > HCI Event: LE Meta Event (0x3e) plen 6 LE PHY Update Complete (0x0c) Status: Success (0x00) Handle: 1 Address: 00:AA:01:01:00:00 (Intel Corporation) TX PHY: LE 1M (0x01) RX PHY: LE 1M (0x01) Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> (cherry picked from commit 132c077) Signed-off-by: Jonathan Maple <jmaple@ciq.com> # Conflicts: # include/net/bluetooth/hci_sync.h # net/bluetooth/hci_sync.c
jira KERNEL-1122 Rebuild_History Non-Buildable kernel-6.12.0-211.20.1.el10_2 commit-author Pauli Virtanen <pav@iki.fi> commit 2969554 Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-6.12.0-211.20.1.el10_2/2969554b.failed hci_cmd_sync_queue_once() needs to indicate whether a queue item was added, so caller can know if callbacks are called, so it can avoid leaking resources. Change the function to return -EEXIST if queue item already exists. Modify all callsites to handle that. Signed-off-by: Pauli Virtanen <pav@iki.fi> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> (cherry picked from commit 2969554) Signed-off-by: Jonathan Maple <jmaple@ciq.com> # Conflicts: # net/bluetooth/hci_sync.c
jira KERNEL-1122 Rebuild_History Non-Buildable kernel-6.12.0-211.20.1.el10_2 commit-author Pauli Virtanen <pav@iki.fi> commit aca3772 Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-6.12.0-211.20.1.el10_2/aca37720.failed When hci_cmd_sync_queue_once() returns with error, the destroy callback will not be called. Fix leaking references / memory on these failures. Signed-off-by: Pauli Virtanen <pav@iki.fi> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> (cherry picked from commit aca3772) Signed-off-by: Jonathan Maple <jmaple@ciq.com> # Conflicts: # net/bluetooth/hci_sync.c
jira KERNEL-1122 cve CVE-2026-43322 Rebuild_History Non-Buildable kernel-6.12.0-211.20.1.el10_2 commit-author Luiz Augusto von Dentz <luiz.von.dentz@intel.com> commit 035c250 Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-6.12.0-211.20.1.el10_2/035c2500.failed This fixes the following backtrace caused by hci_conn being freed before le_read_features_complete but after hci_le_read_remote_features_sync so hci_conn_del -> hci_cmd_sync_dequeue is not able to prevent it: ================================================================== BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline] BUG: KASAN: slab-use-after-free in atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1383 [inline] BUG: KASAN: slab-use-after-free in hci_conn_drop include/net/bluetooth/hci_core.h:1688 [inline] BUG: KASAN: slab-use-after-free in le_read_features_complete+0x5b/0x340 net/bluetooth/hci_sync.c:7344 Write of size 4 at addr ffff8880796b0010 by task kworker/u9:0/52 CPU: 0 UID: 0 PID: 52 Comm: kworker/u9:0 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Workqueue: hci0 hci_cmd_sync_work Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xcd/0x630 mm/kasan/report.c:482 kasan_report+0xe0/0x110 mm/kasan/report.c:595 check_region_inline mm/kasan/generic.c:194 [inline] kasan_check_range+0x100/0x1b0 mm/kasan/generic.c:200 instrument_atomic_read_write include/linux/instrumented.h:96 [inline] atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1383 [inline] hci_conn_drop include/net/bluetooth/hci_core.h:1688 [inline] le_read_features_complete+0x5b/0x340 net/bluetooth/hci_sync.c:7344 hci_cmd_sync_work+0x1ff/0x430 net/bluetooth/hci_sync.c:334 process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257 process_scheduled_works kernel/workqueue.c:3340 [inline] worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421 kthread+0x3c5/0x780 kernel/kthread.c:463 ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 </TASK> Allocated by task 5932: kasan_save_stack+0x33/0x60 mm/kasan/common.c:56 kasan_save_track+0x14/0x30 mm/kasan/common.c:77 poison_kmalloc_redzone mm/kasan/common.c:400 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:417 kmalloc_noprof include/linux/slab.h:957 [inline] kzalloc_noprof include/linux/slab.h:1094 [inline] __hci_conn_add+0xf8/0x1c70 net/bluetooth/hci_conn.c:963 hci_conn_add_unset+0x76/0x100 net/bluetooth/hci_conn.c:1084 le_conn_complete_evt+0x639/0x1f20 net/bluetooth/hci_event.c:5714 hci_le_enh_conn_complete_evt+0x23d/0x380 net/bluetooth/hci_event.c:5861 hci_le_meta_evt+0x357/0x5e0 net/bluetooth/hci_event.c:7408 hci_event_func net/bluetooth/hci_event.c:7716 [inline] hci_event_packet+0x685/0x11c0 net/bluetooth/hci_event.c:7773 hci_rx_work+0x2c9/0xeb0 net/bluetooth/hci_core.c:4076 process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257 process_scheduled_works kernel/workqueue.c:3340 [inline] worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421 kthread+0x3c5/0x780 kernel/kthread.c:463 ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 Freed by task 5932: kasan_save_stack+0x33/0x60 mm/kasan/common.c:56 kasan_save_track+0x14/0x30 mm/kasan/common.c:77 __kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:587 kasan_save_free_info mm/kasan/kasan.h:406 [inline] poison_slab_object mm/kasan/common.c:252 [inline] __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:284 kasan_slab_free include/linux/kasan.h:234 [inline] slab_free_hook mm/slub.c:2540 [inline] slab_free mm/slub.c:6663 [inline] kfree+0x2f8/0x6e0 mm/slub.c:6871 device_release+0xa4/0x240 drivers/base/core.c:2565 kobject_cleanup lib/kobject.c:689 [inline] kobject_release lib/kobject.c:720 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x1e7/0x590 lib/kobject.c:737 put_device drivers/base/core.c:3797 [inline] device_unregister+0x2f/0xc0 drivers/base/core.c:3920 hci_conn_del_sysfs+0xb4/0x180 net/bluetooth/hci_sysfs.c:79 hci_conn_cleanup net/bluetooth/hci_conn.c:173 [inline] hci_conn_del+0x657/0x1180 net/bluetooth/hci_conn.c:1234 hci_disconn_complete_evt+0x410/0xa00 net/bluetooth/hci_event.c:3451 hci_event_func net/bluetooth/hci_event.c:7719 [inline] hci_event_packet+0xa10/0x11c0 net/bluetooth/hci_event.c:7773 hci_rx_work+0x2c9/0xeb0 net/bluetooth/hci_core.c:4076 process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257 process_scheduled_works kernel/workqueue.c:3340 [inline] worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421 kthread+0x3c5/0x780 kernel/kthread.c:463 ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 The buggy address belongs to the object at ffff8880796b0000 which belongs to the cache kmalloc-8k of size 8192 The buggy address is located 16 bytes inside of freed 8192-byte region [ffff8880796b0000, ffff8880796b2000) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x796b0 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) page_type: f5(slab) raw: 00fff00000000040 ffff88813ff27280 0000000000000000 0000000000000001 raw: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000 head: 00fff00000000040 ffff88813ff27280 0000000000000000 0000000000000001 head: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000 head: 00fff00000000003 ffffea0001e5ac01 00000000ffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5657, tgid 5657 (dhcpcd-run-hook), ts 79819636908, free_ts 79814310558 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1af/0x220 mm/page_alloc.c:1845 prep_new_page mm/page_alloc.c:1853 [inline] get_page_from_freelist+0xd0b/0x31a0 mm/page_alloc.c:3879 __alloc_frozen_pages_noprof+0x25f/0x2440 mm/page_alloc.c:5183 alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2416 alloc_slab_page mm/slub.c:3075 [inline] allocate_slab mm/slub.c:3248 [inline] new_slab+0x2c3/0x430 mm/slub.c:3302 ___slab_alloc+0xe18/0x1c90 mm/slub.c:4651 __slab_alloc.constprop.0+0x63/0x110 mm/slub.c:4774 __slab_alloc_node mm/slub.c:4850 [inline] slab_alloc_node mm/slub.c:5246 [inline] __kmalloc_cache_noprof+0x477/0x800 mm/slub.c:5766 kmalloc_noprof include/linux/slab.h:957 [inline] kzalloc_noprof include/linux/slab.h:1094 [inline] tomoyo_print_bprm security/tomoyo/audit.c:26 [inline] tomoyo_init_log+0xc8a/0x2140 security/tomoyo/audit.c:264 tomoyo_supervisor+0x302/0x13b0 security/tomoyo/common.c:2198 tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline] tomoyo_env_perm+0x191/0x200 security/tomoyo/environ.c:63 tomoyo_environ security/tomoyo/domain.c:672 [inline] tomoyo_find_next_domain+0xec1/0x20b0 security/tomoyo/domain.c:888 tomoyo_bprm_check_security security/tomoyo/tomoyo.c:102 [inline] tomoyo_bprm_check_security+0x12d/0x1d0 security/tomoyo/tomoyo.c:92 security_bprm_check+0x1b9/0x1e0 security/security.c:794 search_binary_handler fs/exec.c:1659 [inline] exec_binprm fs/exec.c:1701 [inline] bprm_execve fs/exec.c:1753 [inline] bprm_execve+0x81e/0x1620 fs/exec.c:1729 do_execveat_common.isra.0+0x4a5/0x610 fs/exec.c:1859 page last free pid 5657 tgid 5657 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1394 [inline] __free_frozen_pages+0x7df/0x1160 mm/page_alloc.c:2901 discard_slab mm/slub.c:3346 [inline] __put_partials+0x130/0x170 mm/slub.c:3886 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x4c/0xf0 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:352 kasan_slab_alloc include/linux/kasan.h:252 [inline] slab_post_alloc_hook mm/slub.c:4948 [inline] slab_alloc_node mm/slub.c:5258 [inline] __kmalloc_cache_noprof+0x274/0x800 mm/slub.c:5766 kmalloc_noprof include/linux/slab.h:957 [inline] tomoyo_print_header security/tomoyo/audit.c:156 [inline] tomoyo_init_log+0x197/0x2140 security/tomoyo/audit.c:255 tomoyo_supervisor+0x302/0x13b0 security/tomoyo/common.c:2198 tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline] tomoyo_env_perm+0x191/0x200 security/tomoyo/environ.c:63 tomoyo_environ security/tomoyo/domain.c:672 [inline] tomoyo_find_next_domain+0xec1/0x20b0 security/tomoyo/domain.c:888 tomoyo_bprm_check_security security/tomoyo/tomoyo.c:102 [inline] tomoyo_bprm_check_security+0x12d/0x1d0 security/tomoyo/tomoyo.c:92 security_bprm_check+0x1b9/0x1e0 security/security.c:794 search_binary_handler fs/exec.c:1659 [inline] exec_binprm fs/exec.c:1701 [inline] bprm_execve fs/exec.c:1753 [inline] bprm_execve+0x81e/0x1620 fs/exec.c:1729 do_execveat_common.isra.0+0x4a5/0x610 fs/exec.c:1859 do_execve fs/exec.c:1933 [inline] __do_sys_execve fs/exec.c:2009 [inline] __se_sys_execve fs/exec.c:2004 [inline] __x64_sys_execve+0x8e/0xb0 fs/exec.c:2004 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94 Memory state around the buggy address: ffff8880796aff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8880796aff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8880796b0000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880796b0080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880796b0100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== Fixes: a106e50 ("Bluetooth: HCI: Add support for LL Extended Feature Set") Reported-by: syzbot+87badbb9094e008e0685@syzkaller.appspotmail.com Tested-by: syzbot+87badbb9094e008e0685@syzkaller.appspotmail.com Closes: https://syzbot.org/bug?extid=87badbb9094e008e0685 Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Signed-off-by: Pauli Virtanen <pav@iki.fi> (cherry picked from commit 035c250) Signed-off-by: Jonathan Maple <jmaple@ciq.com> # Conflicts: # net/bluetooth/hci_sync.c
jira KERNEL-1122 Rebuild_History Non-Buildable kernel-6.12.0-211.20.1.el10_2 commit-author Olga Kornievskaia <okorniev@redhat.com> commit 5248d84 It is possible to have a task get stuck on waiting on the NFS_LAYOUT_DRAIN in the following scenario 1. cpu a: waiter test NFS_LAYOUT_DRAIN (1) and plh_outstanding (1) 2. cpu b: atomic_dec_and_test() -> clear bit -> wake up 3. cpu c: sets NFS_LAYOUT_DRAIN again 4. cpu a: calls wait_on_bit() sleeps forever. To expand on this we have say 2 outstanding pnfs write IO that get ESTALE which causes both to call pnfs_destroy_layout() and set the NFS_LAYOUT_DRAIN bit but the 1st one doesn't call the pnfs_put_layout_hdr() yet (as that would prevent the 2nd ESTALE write from trying to call pnfs_destroy_layout()). If the 1st ESTALE write is the one that initially sets the NFS_LAYOUT_DRAIN so that new IO on this file initiates new LAYOUTGET. Another new write would find NFS_LAYOUT_DRAIN set and phl_outstanding>0 (step 1) and would wait_on_bit(). LAYOUTGET completes doing step 2. Now, the 2nd of ESTALE writes is calling pnfs_destory_layout() and set the NFS_LAYOUT_DRAIN bit (step 3). Finally, the waiting write wakes up to check the bit and goes back to sleep. The problem revolves around the fact that if NFS_LAYOUT_INVALID_STID was already set, it should not do the work of pnfs_mark_layout_stateid_invalid(), thus NFS_LAYOUT_DRAIN will not be set more than once for an invalid layout. Suggested-by: Trond Myklebust <trond.myklebust@hammerspace.com> Fixes: 880265c ("pNFS: Avoid a live lock condition in pnfs_update_layout()") Signed-off-by: Olga Kornievskaia <okorniev@redhat.com> Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com> (cherry picked from commit 5248d84) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1122 cve CVE-2026-31613 Rebuild_History Non-Buildable kernel-6.12.0-211.20.1.el10_2 commit-author Greg Kroah-Hartman <gregkh@linuxfoundation.org> commit 3df690b When a CREATE returns STATUS_STOPPED_ON_SYMLINK, smb2_check_message() returns success without any length validation, leaving the symlink parsers as the only defense against an untrusted server. symlink_data() walks SMB 3.1.1 error contexts with the loop test "p < end", but reads p->ErrorId at offset 4 and p->ErrorDataLength at offset 0. When the server-controlled ErrorDataLength advances p to within 1-7 bytes of end, the next iteration will read past it. When the matching context is found, sym->SymLinkErrorTag is read at offset 4 from p->ErrorContextData with no check that the symlink header itself fits. smb2_parse_symlink_response() then bounds-checks the substitute name using SMB2_SYMLINK_STRUCT_SIZE as the offset of PathBuffer from iov_base. That value is computed as sizeof(smb2_err_rsp) + sizeof(smb2_symlink_err_rsp), which is correct only when ErrorContextCount == 0. With at least one error context the symlink data sits 8 bytes deeper, and each skipped non-matching context shifts it further by 8 + ALIGN(ErrorDataLength, 8). The check is too short, allowing the substitute name read to run past iov_len. The out-of-bound heap bytes are UTF-16-decoded into the symlink target and returned to userspace via readlink(2). Fix this all up by making the loops test require the full context header to fit, rejecting sym if its header runs past end, and bound the substitute name against the actual position of sym->PathBuffer rather than a fixed offset. Because sub_offs and sub_len are 16bits, the pointer math will not overflow here with the new greater-than. Cc: Ronnie Sahlberg <ronniesahlberg@gmail.com> Cc: Shyam Prasad N <sprasad@microsoft.com> Cc: Tom Talpey <tom@talpey.com> Cc: Bharath SM <bharathsm@microsoft.com> Cc: linux-cifs@vger.kernel.org Cc: samba-technical@lists.samba.org Cc: stable <stable@kernel.org> Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.org> Assisted-by: gregkh_clanker_t1000 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Steve French <stfrench@microsoft.com> (cherry picked from commit 3df690b) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1122 Rebuild_History Non-Buildable kernel-6.12.0-211.20.1.el10_2 commit-author Peter Zijlstra <peterz@infradead.org> commit e636ffb The dl_server time accounting code is a little odd. The normal scheduler pattern is to update curr before doing something, such that the old state is fully accounted before changing state. Notably, the dl_server_timer() needs to propagate the current time accounting since the current task could be ran by dl_server and thus this can affect dl_se->runtime. Similarly for dl_server_start(). And since the (deferred) dl_server wants idle time accounted, rework sched_idle_class time accounting to be more like all the others. Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Link: https://patch.msgid.link/20251020141130.GJ3245006@noisy.programming.kicks-ass.net (cherry picked from commit e636ffb) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-1122 cve CVE-2026-46243 Rebuild_History Non-Buildable kernel-6.12.0-211.20.1.el10_2 commit-author Asim Viladi Oglu Manizada <manizada@pm.me> commit 3da1fdf cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin. Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key. Fixes: f1d662a ("[CIFS] Add upcall files for cifs to use spnego/kerberos") Assisted-by: avom-custom-harness:gpt-5.5-qwen3.6-mod-mix Reviewed-by: David Howells <dhowells@redhat.com> Signed-off-by: Asim Viladi Oglu Manizada <manizada@pm.me> Signed-off-by: Steve French <stfrench@microsoft.com> (cherry picked from commit 3da1fdf) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
Rebuild_History BUILDABLE Rebuilding Kernel from rpm changelog with Fuzz Limit: 87.50% Number of commits in upstream range v6.12~1..kernel-mainline: 123983 Number of commits in rpm: 45 Number of commits matched with upstream: 38 (84.44%) Number of commits in upstream but not in rpm: 123945 Number of commits NOT found in upstream: 7 (15.56%) Rebuilding Kernel on Branch rocky10_2_rebuild_kernel-6.12.0-211.20.1.el10_2 for kernel-6.12.0-211.20.1.el10_2 Clean Cherry Picks: 28 (73.68%) Empty Cherry Picks: 10 (26.32%) _______________________________ Full Details Located here: ciq/ciq_backports/kernel-6.12.0-211.20.1.el10_2/rebuild.details.txt Includes: * git commit header above * Empty Commits with upstream SHA * RPM ChangeLog Entries that could not be matched Individual Empty Commit failures contained in the same containing directory. The git message for empty commits will have the path for the failed commit. File names are the first 8 characters of the upstream SHA
shreeya-patel98
approved these changes
Jun 10, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This is an automated kernel history rebuild using cron and internal tooling. It follows the same process used for previous history rebuilds:
src.rpmpackagessrc.rpm:6.12.0-211)git cherry-pickrpmbuild -bpfor the correspondingsrc.rpmJIRA Tickets
Rebuild Splat Inspection
kernel-6.12.0-211.20.1.el10_2
BUILD
KSelfTests