diff --git a/SPECS/kernel-headers/kernel-headers.signatures.json b/SPECS/kernel-headers/kernel-headers.signatures.json index 7412256530..3859e27b5f 100644 --- a/SPECS/kernel-headers/kernel-headers.signatures.json +++ b/SPECS/kernel-headers/kernel-headers.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "linux-6.12.61.tar.gz": "7fb34abab0902a47ce1d47de58442e69e0e79d17f565b41fcb11249ea5b23801" + "linux-6.12.67.tar.gz": "b4c0b2ed9cd5002478c7c699d69eece548c84d7c7e1ad48cff61cd951424c745" } } diff --git a/SPECS/kernel-headers/kernel-headers.spec b/SPECS/kernel-headers/kernel-headers.spec index a2bb4afd4f..4c22487bc3 100644 --- a/SPECS/kernel-headers/kernel-headers.spec +++ b/SPECS/kernel-headers/kernel-headers.spec @@ -13,14 +13,14 @@ Summary: Linux API header files Name: kernel-headers -Version: 6.12.61 -Release: 2%{?dist} +Version: 6.12.67 +Release: 1%{?dist} License: GPLv2 Vendor: Intel Corporation Distribution: Edge Microvisor Toolkit Group: System Environment/Kernel URL: https://www.kernel.org/pub/linux/kernel -Source0: https://www.kernel.org/pub/linux/kernel/v6.x/linux-6.12.61.tar.gz +Source0: https://www.kernel.org/pub/linux/kernel/v6.x/linux-6.12.67.tar.gz # Historical name shipped by other distros Provides: glibc-kernheaders = %{version}-%{release} BuildArch: noarch @@ -41,7 +41,7 @@ cross-glibc package. %endif %prep -%setup -q -n linux-6.12.61 +%setup -q -n linux-6.12.67 %build make mrproper @@ -76,6 +76,10 @@ done %endif %changelog +* Thu Feb 05 2026 Lishan Liu - 6.12.67-1 +- Update kernel to 6.12.67-1 +- lts-v6.12.67-emt-cve-260128T180434Z + * Fri Jan 9 2026 Lishan Liu - 6.12.61-2 - Update kernel to 6.12.61-2 - lts-v6.12.61-emt-cve-260106T193826Z diff --git a/SPECS/kernel-rt/0075-drm-xe-gsc-mei-interrupt-top-half-should-be-in-irq-d.patch b/SPECS/kernel-rt/0075-drm-xe-gsc-mei-interrupt-top-half-should-be-in-irq-d.patch deleted file mode 100644 index 1f9977ab9f..0000000000 
--- a/SPECS/kernel-rt/0075-drm-xe-gsc-mei-interrupt-top-half-should-be-in-irq-d.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 28f4a8fd24ecc9f0d4a956fcdcec3126952e0326 Mon Sep 17 00:00:00 2001 -From: Junxiao Chang -Date: Wed, 2 Jul 2025 08:53:30 +0800 -Subject: [PATCH 75/76] drm/xe/gsc: mei interrupt top half should be in irq - disabled context - -MEI GSC interrupt comes from xe. It has top half and bottom half. -Top half is called from xe interrupt handler. It should be in irq -disabled context. - -With RT kernel, by default xe IRQ handler is in threaded IRQ. MEI GSC -top half might be in threaded IRQ context. generic_handle_irq_safe API -could be called from either IRQ or process context, it disables local -IRQ then calls MEI GSC interrupt top half. - -This change fixes B580 GPU boot hang issue with RT kernel. - -Signed-off-by: Junxiao Chang ---- - drivers/gpu/drm/xe/xe_heci_gsc.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/gpu/drm/xe/xe_heci_gsc.c b/drivers/gpu/drm/xe/xe_heci_gsc.c -index 65b2e147c4b92..894a6bd332853 100644 ---- a/drivers/gpu/drm/xe/xe_heci_gsc.c -+++ b/drivers/gpu/drm/xe/xe_heci_gsc.c -@@ -230,7 +230,7 @@ void xe_heci_gsc_irq_handler(struct xe_device *xe, u32 iir) - if (xe->heci_gsc.irq < 0) - return; - -- ret = generic_handle_irq(xe->heci_gsc.irq); -+ ret = generic_handle_irq_safe(xe->heci_gsc.irq); - if (ret) - drm_err_ratelimited(&xe->drm, "error handling GSC irq: %d\n", ret); - } -@@ -250,7 +250,7 @@ void xe_heci_csc_irq_handler(struct xe_device *xe, u32 iir) - if (xe->heci_gsc.irq < 0) - return; - -- ret = generic_handle_irq(xe->heci_gsc.irq); -+ ret = generic_handle_irq_safe(xe->heci_gsc.irq); - if (ret) - drm_err_ratelimited(&xe->drm, "error handling GSC irq: %d\n", ret); - } --- -2.43.0 - diff --git a/SPECS/kernel-rt/CVE-2025-22111.patch b/SPECS/kernel-rt/CVE-2025-22111.patch deleted file mode 100644 index 79e36106d6..0000000000 --- a/SPECS/kernel-rt/CVE-2025-22111.patch +++ /dev/null 
@@ -1,303 +0,0 @@ -From b4cafa219eeb0a97a52ee615f2e4c4f5afdd2d0b Mon Sep 17 00:00:00 2001 -From: Kuniyuki Iwashima -Date: Sun, 16 Mar 2025 12:28:37 -0700 -Subject: [PATCH] net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF. - -SIOCBRDELIF is passed to dev_ioctl() first and later forwarded to -br_ioctl_call(), which causes unnecessary RTNL dance and the splat -below [0] under RTNL pressure. - -Let's say Thread A is trying to detach a device from a bridge and -Thread B is trying to remove the bridge. - -In dev_ioctl(), Thread A bumps the bridge device's refcnt by -netdev_hold() and releases RTNL because the following br_ioctl_call() -also re-acquires RTNL. - -In the race window, Thread B could acquire RTNL and try to remove -the bridge device. Then, rtnl_unlock() by Thread B will release RTNL -and wait for netdev_put() by Thread A. - -Thread A, however, must hold RTNL after the unlock in dev_ifsioc(), -which may take long under RTNL pressure, resulting in the splat by -Thread B. - - Thread A (SIOCBRDELIF) Thread B (SIOCBRDELBR) - ---------------------- ---------------------- - sock_ioctl sock_ioctl - `- sock_do_ioctl `- br_ioctl_call - `- dev_ioctl `- br_ioctl_stub - |- rtnl_lock | - |- dev_ifsioc ' - ' |- dev = __dev_get_by_name(...) - |- netdev_hold(dev, ...) . - / |- rtnl_unlock ------. | - | |- br_ioctl_call `---> |- rtnl_lock - Race | | `- br_ioctl_stub |- br_del_bridge - Window | | | |- dev = __dev_get_by_name(...) - | | | May take long | `- br_dev_delete(dev, ...) - | | | under RTNL pressure | `- unregister_netdevice_queue(dev, ...) - | | | | `- rtnl_unlock - \ | |- rtnl_lock <-' `- netdev_run_todo - | |- ... `- netdev_run_todo - | `- rtnl_unlock |- __rtnl_unlock - | |- netdev_wait_allrefs_any - |- netdev_put(dev, ...) <----------------' - Wait refcnt decrement - and log splat below - -To avoid blocking SIOCBRDELBR unnecessarily, let's not call -dev_ioctl() for SIOCBRADDIF and SIOCBRDELIF. - -In the dev_ioctl() path, we do the following: - - 1. 
Copy struct ifreq by get_user_ifreq in sock_do_ioctl() - 2. Check CAP_NET_ADMIN in dev_ioctl() - 3. Call dev_load() in dev_ioctl() - 4. Fetch the master dev from ifr.ifr_name in dev_ifsioc() - -3. can be done by request_module() in br_ioctl_call(), so we move -1., 2., and 4. to br_ioctl_stub(). - -Note that 2. is also checked later in add_del_if(), but it's better -performed before RTNL. - -SIOCBRADDIF and SIOCBRDELIF have been processed in dev_ioctl() since -the pre-git era, and there seems to be no specific reason to process -them there. - -[0]: -unregister_netdevice: waiting for wpan3 to become free. Usage count = 2 -ref_tracker: wpan3@ffff8880662d8608 has 1/1 users at - __netdev_tracker_alloc include/linux/netdevice.h:4282 [inline] - netdev_hold include/linux/netdevice.h:4311 [inline] - dev_ifsioc+0xc6a/0x1160 net/core/dev_ioctl.c:624 - dev_ioctl+0x255/0x10c0 net/core/dev_ioctl.c:826 - sock_do_ioctl+0x1ca/0x260 net/socket.c:1213 - sock_ioctl+0x23a/0x6c0 net/socket.c:1318 - vfs_ioctl fs/ioctl.c:51 [inline] - __do_sys_ioctl fs/ioctl.c:906 [inline] - __se_sys_ioctl fs/ioctl.c:892 [inline] - __x64_sys_ioctl+0x1a4/0x210 fs/ioctl.c:892 - do_syscall_x64 arch/x86/entry/common.c:52 [inline] - do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83 - entry_SYSCALL_64_after_hwframe+0x77/0x7f - -Fixes: 893b19587534 ("net: bridge: fix ioctl locking") -Reported-by: syzkaller -Reported-by: yan kang -Reported-by: yue sun -Closes: https://lore.kernel.org/netdev/SY8P300MB0421225D54EB92762AE8F0F2A1D32@SY8P300MB0421.AUSP300.PROD.OUTLOOK.COM/ -Signed-off-by: Kuniyuki Iwashima -Acked-by: Stanislav Fomichev -Reviewed-by: Ido Schimmel -Acked-by: Nikolay Aleksandrov -Link: https://patch.msgid.link/20250316192851.19781-1-kuniyu@amazon.com -Signed-off-by: Paolo Abeni ---- - include/linux/if_bridge.h | 6 ++---- - net/bridge/br_ioctl.c | 36 +++++++++++++++++++++++++++++++++--- - net/bridge/br_private.h | 3 +-- - net/core/dev_ioctl.c | 16 ---------------- - net/socket.c | 19 +++++++++---------- 
- 5 files changed, 45 insertions(+), 35 deletions(-) - -diff --git a/include/linux/if_bridge.h b/include/linux/if_bridge.h -index 3ff96ae31bf6..c5fe3b2a53e8 100644 ---- a/include/linux/if_bridge.h -+++ b/include/linux/if_bridge.h -@@ -65,11 +65,9 @@ struct br_ip_list { - #define BR_DEFAULT_AGEING_TIME (300 * HZ) - - struct net_bridge; --void brioctl_set(int (*hook)(struct net *net, struct net_bridge *br, -- unsigned int cmd, struct ifreq *ifr, -+void brioctl_set(int (*hook)(struct net *net, unsigned int cmd, - void __user *uarg)); --int br_ioctl_call(struct net *net, struct net_bridge *br, unsigned int cmd, -- struct ifreq *ifr, void __user *uarg); -+int br_ioctl_call(struct net *net, unsigned int cmd, void __user *uarg); - - #if IS_ENABLED(CONFIG_BRIDGE) && IS_ENABLED(CONFIG_BRIDGE_IGMP_SNOOPING) - int br_multicast_list_adjacent(struct net_device *dev, -diff --git a/net/bridge/br_ioctl.c b/net/bridge/br_ioctl.c -index f213ed108361..6bc0a11f2ed3 100644 ---- a/net/bridge/br_ioctl.c -+++ b/net/bridge/br_ioctl.c -@@ -394,10 +394,26 @@ static int old_deviceless(struct net *net, void __user *data) - return -EOPNOTSUPP; - } - --int br_ioctl_stub(struct net *net, struct net_bridge *br, unsigned int cmd, -- struct ifreq *ifr, void __user *uarg) -+int br_ioctl_stub(struct net *net, unsigned int cmd, void __user *uarg) - { - int ret = -EOPNOTSUPP; -+ struct ifreq ifr; -+ -+ if (cmd == SIOCBRADDIF || cmd == SIOCBRDELIF) { -+ void __user *data; -+ char *colon; -+ -+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN)) -+ return -EPERM; -+ -+ if (get_user_ifreq(&ifr, &data, uarg)) -+ return -EFAULT; -+ -+ ifr.ifr_name[IFNAMSIZ - 1] = 0; -+ colon = strchr(ifr.ifr_name, ':'); -+ if (colon) -+ *colon = 0; -+ } - - rtnl_lock(); - -@@ -430,7 +446,21 @@ int br_ioctl_stub(struct net *net, struct net_bridge *br, unsigned int cmd, - break; - case SIOCBRADDIF: - case SIOCBRDELIF: -- ret = add_del_if(br, ifr->ifr_ifindex, cmd == SIOCBRADDIF); -+ { -+ struct net_device *dev; -+ -+ dev = 
__dev_get_by_name(net, ifr.ifr_name); -+ if (!dev || !netif_device_present(dev)) { -+ ret = -ENODEV; -+ break; -+ } -+ if (!netif_is_bridge_master(dev)) { -+ ret = -EOPNOTSUPP; -+ break; -+ } -+ -+ ret = add_del_if(netdev_priv(dev), ifr.ifr_ifindex, cmd == SIOCBRADDIF); -+ } - break; - } - -diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h -index 041f6e571a20..e6f880f4028d 100644 ---- a/net/bridge/br_private.h -+++ b/net/bridge/br_private.h -@@ -949,8 +949,7 @@ br_port_get_check_rtnl(const struct net_device *dev) - /* br_ioctl.c */ - int br_dev_siocdevprivate(struct net_device *dev, struct ifreq *rq, - void __user *data, int cmd); --int br_ioctl_stub(struct net *net, struct net_bridge *br, unsigned int cmd, -- struct ifreq *ifr, void __user *uarg); -+int br_ioctl_stub(struct net *net, unsigned int cmd, void __user *uarg); - - /* br_multicast.c */ - #ifdef CONFIG_BRIDGE_IGMP_SNOOPING -diff --git a/net/core/dev_ioctl.c b/net/core/dev_ioctl.c -index 473c437b6b53..81cd8df798c0 100644 ---- a/net/core/dev_ioctl.c -+++ b/net/core/dev_ioctl.c -@@ -514,7 +514,6 @@ static int dev_ifsioc(struct net *net, struct ifreq *ifr, void __user *data, - int err; - struct net_device *dev = __dev_get_by_name(net, ifr->ifr_name); - const struct net_device_ops *ops; -- netdevice_tracker dev_tracker; - - if (!dev) - return -ENODEV; -@@ -577,19 +576,6 @@ static int dev_ifsioc(struct net *net, struct ifreq *ifr, void __user *data, - case SIOCWANDEV: - return dev_siocwandev(dev, &ifr->ifr_settings); - -- case SIOCBRADDIF: -- case SIOCBRDELIF: -- if (!netif_device_present(dev)) -- return -ENODEV; -- if (!netif_is_bridge_master(dev)) -- return -EOPNOTSUPP; -- netdev_hold(dev, &dev_tracker, GFP_KERNEL); -- rtnl_unlock(); -- err = br_ioctl_call(net, netdev_priv(dev), cmd, ifr, NULL); -- netdev_put(dev, &dev_tracker); -- rtnl_lock(); -- return err; -- - case SIOCDEVPRIVATE ... 
SIOCDEVPRIVATE + 15: - return dev_siocdevprivate(dev, ifr, data, cmd); - -@@ -770,8 +756,6 @@ int dev_ioctl(struct net *net, unsigned int cmd, struct ifreq *ifr, - case SIOCBONDRELEASE: - case SIOCBONDSETHWADDR: - case SIOCBONDCHANGEACTIVE: -- case SIOCBRADDIF: -- case SIOCBRDELIF: - case SIOCSHWTSTAMP: - if (!ns_capable(net->user_ns, CAP_NET_ADMIN)) - return -EPERM; -diff --git a/net/socket.c b/net/socket.c -index 042451f01c65..a0f6f8b3376d 100644 ---- a/net/socket.c -+++ b/net/socket.c -@@ -1173,12 +1173,10 @@ static ssize_t sock_write_iter(struct kiocb *iocb, struct iov_iter *from) - */ - - static DEFINE_MUTEX(br_ioctl_mutex); --static int (*br_ioctl_hook)(struct net *net, struct net_bridge *br, -- unsigned int cmd, struct ifreq *ifr, -+static int (*br_ioctl_hook)(struct net *net, unsigned int cmd, - void __user *uarg); - --void brioctl_set(int (*hook)(struct net *net, struct net_bridge *br, -- unsigned int cmd, struct ifreq *ifr, -+void brioctl_set(int (*hook)(struct net *net, unsigned int cmd, - void __user *uarg)) - { - mutex_lock(&br_ioctl_mutex); -@@ -1187,8 +1185,7 @@ void brioctl_set(int (*hook)(struct net *net, struct net_bridge *br, - } - EXPORT_SYMBOL(brioctl_set); - --int br_ioctl_call(struct net *net, struct net_bridge *br, unsigned int cmd, -- struct ifreq *ifr, void __user *uarg) -+int br_ioctl_call(struct net *net, unsigned int cmd, void __user *uarg) - { - int err = -ENOPKG; - -@@ -1197,7 +1194,7 @@ int br_ioctl_call(struct net *net, struct net_bridge *br, unsigned int cmd, - - mutex_lock(&br_ioctl_mutex); - if (br_ioctl_hook) -- err = br_ioctl_hook(net, br, cmd, ifr, uarg); -+ err = br_ioctl_hook(net, cmd, uarg); - mutex_unlock(&br_ioctl_mutex); - - return err; -@@ -1297,7 +1294,9 @@ static long sock_ioctl(struct file *file, unsigned cmd, unsigned long arg) - case SIOCSIFBR: - case SIOCBRADDBR: - case SIOCBRDELBR: -- err = br_ioctl_call(net, NULL, cmd, NULL, argp); -+ case SIOCBRADDIF: -+ case SIOCBRDELIF: -+ err = br_ioctl_call(net, cmd, argp); 
- break; - case SIOCGIFVLAN: - case SIOCSIFVLAN: -@@ -3466,6 +3465,8 @@ static int compat_sock_ioctl_trans(struct file *file, struct socket *sock, - case SIOCGPGRP: - case SIOCBRADDBR: - case SIOCBRDELBR: -+ case SIOCBRADDIF: -+ case SIOCBRDELIF: - case SIOCGIFVLAN: - case SIOCSIFVLAN: - case SIOCGSKNS: -@@ -3505,8 +3506,6 @@ static int compat_sock_ioctl_trans(struct file *file, struct socket *sock, - case SIOCGIFPFLAGS: - case SIOCGIFTXQLEN: - case SIOCSIFTXQLEN: -- case SIOCBRADDIF: -- case SIOCBRDELIF: - case SIOCGIFNAME: - case SIOCSIFNAME: - case SIOCGMIIPHY: --- -2.25.1 - diff --git a/SPECS/kernel-rt/CVE-2025-38234.patch b/SPECS/kernel-rt/CVE-2025-38234.patch deleted file mode 100644 index 4f7a9ce581..0000000000 --- a/SPECS/kernel-rt/CVE-2025-38234.patch +++ /dev/null 
@@ -1,291 +0,0 @@ -From 393793ca4cecac391c5df793b7735b8782900650 Mon Sep 17 00:00:00 2001 -From: Harshit Agarwal -Date: Tue, 25 Feb 2025 18:05:53 +0000 -Subject: [PATCH 5/8] sched/rt: Fix race in push_rt_task -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Overview -======== -When a CPU chooses to call push_rt_task and picks a task to push to -another CPU's runqueue then it will call find_lock_lowest_rq method -which would take a double lock on both CPUs' runqueues. If one of the -locks aren't readily available, it may lead to dropping the current -runqueue lock and reacquiring both the locks at once. During this window -it is possible that the task is already migrated and is running on some -other CPU. These cases are already handled. However, if the task is -migrated and has already been executed and another CPU is now trying to -wake it up (ttwu) such that it is queued again on the runqeue -(on_rq is 1) and also if the task was run by the same CPU, then the -current checks will pass even though the task was migrated out and is no -longer in the pushable tasks list. - -Crashes -======= -This bug resulted in quite a few flavors of crashes triggering kernel -panics with various crash signatures such as assert failures, page -faults, null pointer dereferences, and queue corruption errors all -coming from scheduler itself. - -Some of the crashes: --> kernel BUG at kernel/sched/rt.c:1616! BUG_ON(idx >= MAX_RT_PRIO) - Call Trace: - ? __die_body+0x1a/0x60 - ? die+0x2a/0x50 - ? do_trap+0x85/0x100 - ? pick_next_task_rt+0x6e/0x1d0 - ? do_error_trap+0x64/0xa0 - ? pick_next_task_rt+0x6e/0x1d0 - ? exc_invalid_op+0x4c/0x60 - ? pick_next_task_rt+0x6e/0x1d0 - ? asm_exc_invalid_op+0x12/0x20 - ? pick_next_task_rt+0x6e/0x1d0 - __schedule+0x5cb/0x790 - ? 
update_ts_time_stats+0x55/0x70 - schedule_idle+0x1e/0x40 - do_idle+0x15e/0x200 - cpu_startup_entry+0x19/0x20 - start_secondary+0x117/0x160 - secondary_startup_64_no_verify+0xb0/0xbb - --> BUG: kernel NULL pointer dereference, address: 00000000000000c0 - Call Trace: - ? __die_body+0x1a/0x60 - ? no_context+0x183/0x350 - ? __warn+0x8a/0xe0 - ? exc_page_fault+0x3d6/0x520 - ? asm_exc_page_fault+0x1e/0x30 - ? pick_next_task_rt+0xb5/0x1d0 - ? pick_next_task_rt+0x8c/0x1d0 - __schedule+0x583/0x7e0 - ? update_ts_time_stats+0x55/0x70 - schedule_idle+0x1e/0x40 - do_idle+0x15e/0x200 - cpu_startup_entry+0x19/0x20 - start_secondary+0x117/0x160 - secondary_startup_64_no_verify+0xb0/0xbb - --> BUG: unable to handle page fault for address: ffff9464daea5900 - kernel BUG at kernel/sched/rt.c:1861! BUG_ON(rq->cpu != task_cpu(p)) - --> kernel BUG at kernel/sched/rt.c:1055! BUG_ON(!rq->nr_running) - Call Trace: - ? __die_body+0x1a/0x60 - ? die+0x2a/0x50 - ? do_trap+0x85/0x100 - ? dequeue_top_rt_rq+0xa2/0xb0 - ? do_error_trap+0x64/0xa0 - ? dequeue_top_rt_rq+0xa2/0xb0 - ? exc_invalid_op+0x4c/0x60 - ? dequeue_top_rt_rq+0xa2/0xb0 - ? asm_exc_invalid_op+0x12/0x20 - ? dequeue_top_rt_rq+0xa2/0xb0 - dequeue_rt_entity+0x1f/0x70 - dequeue_task_rt+0x2d/0x70 - __schedule+0x1a8/0x7e0 - ? blk_finish_plug+0x25/0x40 - schedule+0x3c/0xb0 - futex_wait_queue_me+0xb6/0x120 - futex_wait+0xd9/0x240 - do_futex+0x344/0xa90 - ? get_mm_exe_file+0x30/0x60 - ? audit_exe_compare+0x58/0x70 - ? audit_filter_rules.constprop.26+0x65e/0x1220 - __x64_sys_futex+0x148/0x1f0 - do_syscall_64+0x30/0x80 - entry_SYSCALL_64_after_hwframe+0x62/0xc7 - --> BUG: unable to handle page fault for address: ffff8cf3608bc2c0 - Call Trace: - ? __die_body+0x1a/0x60 - ? no_context+0x183/0x350 - ? spurious_kernel_fault+0x171/0x1c0 - ? exc_page_fault+0x3b6/0x520 - ? plist_check_list+0x15/0x40 - ? plist_check_list+0x2e/0x40 - ? asm_exc_page_fault+0x1e/0x30 - ? _cond_resched+0x15/0x30 - ? futex_wait_queue_me+0xc8/0x120 - ? 
futex_wait+0xd9/0x240 - ? try_to_wake_up+0x1b8/0x490 - ? futex_wake+0x78/0x160 - ? do_futex+0xcd/0xa90 - ? plist_check_list+0x15/0x40 - ? plist_check_list+0x2e/0x40 - ? plist_del+0x6a/0xd0 - ? plist_check_list+0x15/0x40 - ? plist_check_list+0x2e/0x40 - ? dequeue_pushable_task+0x20/0x70 - ? __schedule+0x382/0x7e0 - ? asm_sysvec_reschedule_ipi+0xa/0x20 - ? schedule+0x3c/0xb0 - ? exit_to_user_mode_prepare+0x9e/0x150 - ? irqentry_exit_to_user_mode+0x5/0x30 - ? asm_sysvec_reschedule_ipi+0x12/0x20 - -Above are some of the common examples of the crashes that were observed -due to this issue. - -Details -======= -Let's look at the following scenario to understand this race. - -1) CPU A enters push_rt_task - a) CPU A has chosen next_task = task p. - b) CPU A calls find_lock_lowest_rq(Task p, CPU Z’s rq). - c) CPU A identifies CPU X as a destination CPU (X < Z). - d) CPU A enters double_lock_balance(CPU Z’s rq, CPU X’s rq). - e) Since X is lower than Z, CPU A unlocks CPU Z’s rq. Someone else has - locked CPU X’s rq, and thus, CPU A must wait. - -2) At CPU Z - a) Previous task has completed execution and thus, CPU Z enters - schedule, locks its own rq after CPU A releases it. - b) CPU Z dequeues previous task and begins executing task p. - c) CPU Z unlocks its rq. - d) Task p yields the CPU (ex. by doing IO or waiting to acquire a - lock) which triggers the schedule function on CPU Z. - e) CPU Z enters schedule again, locks its own rq, and dequeues task p. - f) As part of dequeue, it sets p.on_rq = 0 and unlocks its rq. - -3) At CPU B - a) CPU B enters try_to_wake_up with input task p. - b) Since CPU Z dequeued task p, p.on_rq = 0, and CPU B updates - B.state = WAKING. - c) CPU B via select_task_rq determines CPU Y as the target CPU. - -4) The race - a) CPU A acquires CPU X’s lock and relocks CPU Z. - b) CPU A reads task p.cpu = Z and incorrectly concludes task p is - still on CPU Z. 
- c) CPU A failed to notice task p had been dequeued from CPU Z while - CPU A was waiting for locks in double_lock_balance. If CPU A knew - that task p had been dequeued, it would return NULL forcing - push_rt_task to give up the task p's migration. - d) CPU B updates task p.cpu = Y and calls ttwu_queue. - e) CPU B locks Ys rq. CPU B enqueues task p onto Y and sets task - p.on_rq = 1. - f) CPU B unlocks CPU Y, triggering memory synchronization. - g) CPU A reads task p.on_rq = 1, cementing its assumption that task p - has not migrated. - h) CPU A decides to migrate p to CPU X. - -This leads to A dequeuing p from Y's queue and various crashes down the -line. - -Solution -======== -The solution here is fairly simple. After obtaining the lock (at 4a), -the check is enhanced to make sure that the task is still at the head of -the pushable tasks list. If not, then it is anyway not suitable for -being pushed out. - -Testing -======= -The fix is tested on a cluster of 3 nodes, where the panics due to this -are hit every couple of days. A fix similar to this was deployed on such -cluster and was stable for more than 30 days. 
- -Co-developed-by: Jon Kohler -Signed-off-by: Jon Kohler -Co-developed-by: Gauri Patwardhan -Signed-off-by: Gauri Patwardhan -Co-developed-by: Rahul Chunduru -Signed-off-by: Rahul Chunduru -Signed-off-by: Harshit Agarwal -Signed-off-by: Peter Zijlstra (Intel) -Reviewed-by: "Steven Rostedt (Google)" -Reviewed-by: Phil Auld -Tested-by: Will Ton -Cc: stable@vger.kernel.org -Link: https://lore.kernel.org/r/20250225180553.167995-1-harshit@nutanix.com ---- - kernel/sched/rt.c | 52 +++++++++++++++++++++++------------------------ - 1 file changed, 25 insertions(+), 27 deletions(-) - -diff --git a/kernel/sched/rt.c b/kernel/sched/rt.c -index 172c588de542..f2190ec58cb8 100644 ---- a/kernel/sched/rt.c -+++ b/kernel/sched/rt.c -@@ -1895,6 +1895,26 @@ static int find_lowest_rq(struct task_struct *task) - return -1; - } - -+static struct task_struct *pick_next_pushable_task(struct rq *rq) -+{ -+ struct task_struct *p; -+ -+ if (!has_pushable_tasks(rq)) -+ return NULL; -+ -+ p = plist_first_entry(&rq->rt.pushable_tasks, -+ struct task_struct, pushable_tasks); -+ -+ BUG_ON(rq->cpu != task_cpu(p)); -+ BUG_ON(task_current(rq, p)); -+ BUG_ON(p->nr_cpus_allowed <= 1); -+ -+ BUG_ON(!task_on_rq_queued(p)); -+ BUG_ON(!rt_task(p)); -+ -+ return p; -+} -+ - /* Will lock the rq it finds */ - static struct rq *find_lock_lowest_rq(struct task_struct *task, struct rq *rq) - { -@@ -1925,18 +1945,16 @@ static struct rq *find_lock_lowest_rq(struct task_struct *task, struct rq *rq) - /* - * We had to unlock the run queue. In - * the mean time, task could have -- * migrated already or had its affinity changed. -- * Also make sure that it wasn't scheduled on its rq. -+ * migrated already or had its affinity changed, -+ * therefore check if the task is still at the -+ * head of the pushable tasks list. - * It is possible the task was scheduled, set - * "migrate_disabled" and then got preempted, so we must - * check the task migration disable flag here too. 
- */ -- if (unlikely(task_rq(task) != rq || -+ if (unlikely(is_migration_disabled(task) || - !cpumask_test_cpu(lowest_rq->cpu, &task->cpus_mask) || -- task_on_cpu(rq, task) || -- !rt_task(task) || -- is_migration_disabled(task) || -- !task_on_rq_queued(task))) { -+ task != pick_next_pushable_task(rq))) { - - double_unlock_balance(rq, lowest_rq); - lowest_rq = NULL; -@@ -1956,26 +1974,6 @@ static struct rq *find_lock_lowest_rq(struct task_struct *task, struct rq *rq) - return lowest_rq; - } - --static struct task_struct *pick_next_pushable_task(struct rq *rq) --{ -- struct task_struct *p; -- -- if (!has_pushable_tasks(rq)) -- return NULL; -- -- p = plist_first_entry(&rq->rt.pushable_tasks, -- struct task_struct, pushable_tasks); -- -- BUG_ON(rq->cpu != task_cpu(p)); -- BUG_ON(task_current(rq, p)); -- BUG_ON(p->nr_cpus_allowed <= 1); -- -- BUG_ON(!task_on_rq_queued(p)); -- BUG_ON(!rt_task(p)); -- -- return p; --} -- - /* - * If the current CPU has more than one RT task, see if the non - * running task can migrate over to a CPU that is running a task --- -2.43.0 - diff --git a/SPECS/kernel-rt/CVE-2025-38248.patch b/SPECS/kernel-rt/CVE-2025-38248.patch deleted file mode 100644 index 914db01bb0..0000000000 --- a/SPECS/kernel-rt/CVE-2025-38248.patch +++ /dev/null 
@@ -1,179 +0,0 @@ -From b070428858b063a6baff62509478c9429ff4bf23 Mon Sep 17 00:00:00 2001 -From: Ido Schimmel -Date: Thu, 19 Jun 2025 21:22:28 +0300 -Subject: [PATCH 4/8] bridge: mcast: Fix use-after-free during router port - configuration - -The bridge maintains a global list of ports behind which a multicast -router resides. The list is consulted during forwarding to ensure -multicast packets are forwarded to these ports even if the ports are not -member in the matching MDB entry. - -When per-VLAN multicast snooping is enabled, the per-port multicast -context is disabled on each port and the port is removed from the global -router port list: - - # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1 - # ip link add name dummy1 up master br1 type dummy - # ip link set dev dummy1 type bridge_slave mcast_router 2 - $ bridge -d mdb show | grep router - router ports on br1: dummy1 - # ip link set dev br1 type bridge mcast_vlan_snooping 1 - $ bridge -d mdb show | grep router - -However, the port can be re-added to the global list even when per-VLAN -multicast snooping is enabled: - - # ip link set dev dummy1 type bridge_slave mcast_router 0 - # ip link set dev dummy1 type bridge_slave mcast_router 2 - $ bridge -d mdb show | grep router - router ports on br1: dummy1 - -Since commit 4b30ae9adb04 ("net: bridge: mcast: re-implement -br_multicast_{enable, disable}_port functions"), when per-VLAN multicast -snooping is enabled, multicast disablement on a port will disable the -per-{port, VLAN} multicast contexts and not the per-port one. As a -result, a port will remain in the global router port list even after it -is deleted. 
This will lead to a use-after-free [1] when the list is -traversed (when adding a new port to the list, for example): - - # ip link del dev dummy1 - # ip link add name dummy2 up master br1 type dummy - # ip link set dev dummy2 type bridge_slave mcast_router 2 - -Similarly, stale entries can also be found in the per-VLAN router port -list. When per-VLAN multicast snooping is disabled, the per-{port, VLAN} -contexts are disabled on each port and the port is removed from the -per-VLAN router port list: - - # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1 mcast_vlan_snooping 1 - # ip link add name dummy1 up master br1 type dummy - # bridge vlan add vid 2 dev dummy1 - # bridge vlan global set vid 2 dev br1 mcast_snooping 1 - # bridge vlan set vid 2 dev dummy1 mcast_router 2 - $ bridge vlan global show dev br1 vid 2 | grep router - router ports: dummy1 - # ip link set dev br1 type bridge mcast_vlan_snooping 0 - $ bridge vlan global show dev br1 vid 2 | grep router - -However, the port can be re-added to the per-VLAN list even when -per-VLAN multicast snooping is disabled: - - # bridge vlan set vid 2 dev dummy1 mcast_router 0 - # bridge vlan set vid 2 dev dummy1 mcast_router 2 - $ bridge vlan global show dev br1 vid 2 | grep router - router ports: dummy1 - -When the VLAN is deleted from the port, the per-{port, VLAN} multicast -context will not be disabled since multicast snooping is not enabled -on the VLAN. As a result, the port will remain in the per-VLAN router -port list even after it is no longer member in the VLAN. This will lead -to a use-after-free [2] when the list is traversed (when adding a new -port to the list, for example): - - # ip link add name dummy2 up master br1 type dummy - # bridge vlan add vid 2 dev dummy2 - # bridge vlan del vid 2 dev dummy1 - # bridge vlan set vid 2 dev dummy2 mcast_router 2 - -Fix these issues by removing the port from the relevant (global or -per-VLAN) router port list in br_multicast_port_ctx_deinit(). 
The -function is invoked during port deletion with the per-port multicast -context and during VLAN deletion with the per-{port, VLAN} multicast -context. - -Note that deleting the multicast router timer is not enough as it only -takes care of the temporary multicast router states (1 or 3) and not the -permanent one (2). - -[1] -BUG: KASAN: slab-out-of-bounds in br_multicast_add_router.part.0+0x3f1/0x560 -Write of size 8 at addr ffff888004a67328 by task ip/384 -[...] -Call Trace: - - dump_stack_lvl+0x6f/0xa0 - print_address_description.constprop.0+0x6f/0x350 - print_report+0x108/0x205 - kasan_report+0xdf/0x110 - br_multicast_add_router.part.0+0x3f1/0x560 - br_multicast_set_port_router+0x74e/0xac0 - br_setport+0xa55/0x1870 - br_port_slave_changelink+0x95/0x120 - __rtnl_newlink+0x5e8/0xa40 - rtnl_newlink+0x627/0xb00 - rtnetlink_rcv_msg+0x6fb/0xb70 - netlink_rcv_skb+0x11f/0x350 - netlink_unicast+0x426/0x710 - netlink_sendmsg+0x75a/0xc20 - __sock_sendmsg+0xc1/0x150 - ____sys_sendmsg+0x5aa/0x7b0 - ___sys_sendmsg+0xfc/0x180 - __sys_sendmsg+0x124/0x1c0 - do_syscall_64+0xbb/0x360 - entry_SYSCALL_64_after_hwframe+0x4b/0x53 - -[2] -BUG: KASAN: slab-use-after-free in br_multicast_add_router.part.0+0x378/0x560 -Read of size 8 at addr ffff888009f00840 by task bridge/391 -[...] 
-Call Trace: - - dump_stack_lvl+0x6f/0xa0 - print_address_description.constprop.0+0x6f/0x350 - print_report+0x108/0x205 - kasan_report+0xdf/0x110 - br_multicast_add_router.part.0+0x378/0x560 - br_multicast_set_port_router+0x6f9/0xac0 - br_vlan_process_options+0x8b6/0x1430 - br_vlan_rtm_process_one+0x605/0xa30 - br_vlan_rtm_process+0x396/0x4c0 - rtnetlink_rcv_msg+0x2f7/0xb70 - netlink_rcv_skb+0x11f/0x350 - netlink_unicast+0x426/0x710 - netlink_sendmsg+0x75a/0xc20 - __sock_sendmsg+0xc1/0x150 - ____sys_sendmsg+0x5aa/0x7b0 - ___sys_sendmsg+0xfc/0x180 - __sys_sendmsg+0x124/0x1c0 - do_syscall_64+0xbb/0x360 - entry_SYSCALL_64_after_hwframe+0x4b/0x53 - -Fixes: 2796d846d74a ("net: bridge: vlan: convert mcast router global option to per-vlan entry") -Fixes: 4b30ae9adb04 ("net: bridge: mcast: re-implement br_multicast_{enable, disable}_port functions") -Reported-by: syzbot+7bfa4b72c6a5da128d32@syzkaller.appspotmail.com -Closes: https://lore.kernel.org/all/684c18bd.a00a0220.279073.000b.GAE@google.com/T/ -Signed-off-by: Ido Schimmel -Link: https://patch.msgid.link/20250619182228.1656906-1-idosch@nvidia.com -Signed-off-by: Jakub Kicinski ---- - net/bridge/br_multicast.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c -index 733ff6b758f6..025811965d58 100644 ---- a/net/bridge/br_multicast.c -+++ b/net/bridge/br_multicast.c -@@ -2014,10 +2014,19 @@ void br_multicast_port_ctx_init(struct net_bridge_port *port, - - void br_multicast_port_ctx_deinit(struct net_bridge_mcast_port *pmctx) - { -+ struct net_bridge *br = pmctx->port->br; -+ bool del = false; -+ - #if IS_ENABLED(CONFIG_IPV6) - del_timer_sync(&pmctx->ip6_mc_router_timer); - #endif - del_timer_sync(&pmctx->ip4_mc_router_timer); -+ -+ spin_lock_bh(&br->multicast_lock); -+ del |= br_ip6_multicast_rport_del(pmctx); -+ del |= br_ip4_multicast_rport_del(pmctx); -+ br_multicast_rport_del_notify(pmctx, del); -+ spin_unlock_bh(&br->multicast_lock); - } - - int 
br_multicast_add_port(struct net_bridge_port *port) --- -2.43.0 - diff --git a/SPECS/kernel-rt/CVE-2025-38591.patch b/SPECS/kernel-rt/CVE-2025-38591.patch deleted file mode 100644 index 41b4d40967..0000000000 --- a/SPECS/kernel-rt/CVE-2025-38591.patch +++ /dev/null 
@@ -1,165 +0,0 @@
-From a40bd4e44ba2ef84d7f780383dd811dc8bf2c025 Mon Sep 17 00:00:00 2001
-From: Paul Chaignon
-Date: Tue, 22 Jul 2025 16:32:32 +0200
-Subject: [PATCH 14/15] bpf: Reject narrower access to pointer ctx fields
-
-The following BPF program, simplified from a syzkaller repro, causes a
-kernel warning:
-
- r0 = *(u8 *)(r1 + 169);
- exit;
-
-With pointer field sk being at offset 168 in __sk_buff. This access is
-detected as a narrower read in bpf_skb_is_valid_access because it
-doesn't match offsetof(struct __sk_buff, sk). It is therefore allowed
-and later proceeds to bpf_convert_ctx_access. Note that for the
-"is_narrower_load" case in the convert_ctx_accesses(), the insn->off
-is aligned, so the cnt may not be 0 because it matches the
-offsetof(struct __sk_buff, sk) in the bpf_convert_ctx_access. However,
-the target_size stays 0 and the verifier errors with a kernel warning:
-
- verifier bug: error during ctx access conversion(1)
-
-This patch fixes that to return a proper "invalid bpf_context access
-off=X size=Y" error on the load instruction.
-
-The same issue affects multiple other fields in context structures that
-allow narrow access. Some other non-affected fields (for sk_msg,
-sk_lookup, and sockopt) were also changed to use bpf_ctx_range_ptr for
-consistency.
-
-Note this syzkaller crash was reported in the "Closes" link below, which
-used to be about a different bug, fixed in
-commit fce7bd8e385a ("bpf/verifier: Handle BPF_LOAD_ACQ instructions
-in insn_def_regno()"). Because syzbot somehow confused the two bugs,
-the new crash and repro didn't get reported to the mailing list.
-
-Fixes: f96da09473b52 ("bpf: simplify narrower ctx access")
-Fixes: 0df1a55afa832 ("bpf: Warn on internal verifier errors")
-Reported-by: syzbot+0ef84a7bdf5301d4cbec@syzkaller.appspotmail.com
-Closes: https://syzkaller.appspot.com/bug?extid=0ef84a7bdf5301d4cbec
-Signed-off-by: Paul Chaignon
-Signed-off-by: Martin KaFai Lau
-Acked-by: Eduard Zingerman
-Link: https://patch.msgid.link/3b8dcee67ff4296903351a974ddd9c4dca768b64.1753194596.git.paul.chaignon@gmail.com
----
- kernel/bpf/cgroup.c | 8 ++++----
- net/core/filter.c | 20 ++++++++++----------
- 2 files changed, 14 insertions(+), 14 deletions(-)
-
-diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
-index c0d606c40195..1ebf40badbf6 100644
---- a/kernel/bpf/cgroup.c
-+++ b/kernel/bpf/cgroup.c
-@@ -2418,22 +2418,22 @@ static bool cg_sockopt_is_valid_access(int off, int size,
- }
-
- switch (off) {
-- case offsetof(struct bpf_sockopt, sk):
-+ case bpf_ctx_range_ptr(struct bpf_sockopt, sk):
- if (size != sizeof(__u64))
- return false;
- info->reg_type = PTR_TO_SOCKET;
- break;
-- case offsetof(struct bpf_sockopt, optval):
-+ case bpf_ctx_range_ptr(struct bpf_sockopt, optval):
- if (size != sizeof(__u64))
- return false;
- info->reg_type = PTR_TO_PACKET;
- break;
-- case offsetof(struct bpf_sockopt, optval_end):
-+ case bpf_ctx_range_ptr(struct bpf_sockopt, optval_end):
- if (size != sizeof(__u64))
- return false;
- info->reg_type = PTR_TO_PACKET_END;
- break;
-- case offsetof(struct bpf_sockopt, retval):
-+ case bpf_ctx_range(struct bpf_sockopt, retval):
- if (size != size_default)
- return false;
- return prog->expected_attach_type == BPF_CGROUP_GETSOCKOPT;
-diff --git a/net/core/filter.c b/net/core/filter.c
-index 89ed625e1474..4bf298695bd1 100644
---- a/net/core/filter.c
-+++ b/net/core/filter.c
-@@ -8652,7 +8652,7 @@ static bool bpf_skb_is_valid_access(int off, int size, enum bpf_access_type type
- if (size != sizeof(__u64))
- return false;
- break;
-- case offsetof(struct __sk_buff, sk):
-+ case bpf_ctx_range_ptr(struct __sk_buff, sk):
- if (type == BPF_WRITE || size != sizeof(__u64))
- return false;
- info->reg_type = PTR_TO_SOCK_COMMON_OR_NULL;
-@@ -9229,7 +9229,7 @@ static bool sock_addr_is_valid_access(int off, int size,
- return false;
- }
- break;
-- case offsetof(struct bpf_sock_addr, sk):
-+ case bpf_ctx_range_ptr(struct bpf_sock_addr, sk):
- if (type != BPF_READ)
- return false;
- if (size != sizeof(__u64))
-@@ -9283,17 +9283,17 @@ static bool sock_ops_is_valid_access(int off, int size,
- if (size != sizeof(__u64))
- return false;
- break;
-- case offsetof(struct bpf_sock_ops, sk):
-+ case bpf_ctx_range_ptr(struct bpf_sock_ops, sk):
- if (size != sizeof(__u64))
- return false;
- info->reg_type = PTR_TO_SOCKET_OR_NULL;
- break;
-- case offsetof(struct bpf_sock_ops, skb_data):
-+ case bpf_ctx_range_ptr(struct bpf_sock_ops, skb_data):
- if (size != sizeof(__u64))
- return false;
- info->reg_type = PTR_TO_PACKET;
- break;
-- case offsetof(struct bpf_sock_ops, skb_data_end):
-+ case bpf_ctx_range_ptr(struct bpf_sock_ops, skb_data_end):
- if (size != sizeof(__u64))
- return false;
- info->reg_type = PTR_TO_PACKET_END;
-@@ -9302,7 +9302,7 @@ static bool sock_ops_is_valid_access(int off, int size,
- bpf_ctx_record_field_size(info, size_default);
- return bpf_ctx_narrow_access_ok(off, size,
- size_default);
-- case offsetof(struct bpf_sock_ops, skb_hwtstamp):
-+ case bpf_ctx_range(struct bpf_sock_ops, skb_hwtstamp):
- if (size != sizeof(__u64))
- return false;
- break;
-@@ -9372,17 +9372,17 @@ static bool sk_msg_is_valid_access(int off, int size,
- return false;
-
- switch (off) {
-- case offsetof(struct sk_msg_md, data):
-+ case bpf_ctx_range_ptr(struct sk_msg_md, data):
- info->reg_type = PTR_TO_PACKET;
- if (size != sizeof(__u64))
- return false;
- break;
-- case offsetof(struct sk_msg_md, data_end):
-+ case bpf_ctx_range_ptr(struct sk_msg_md, data_end):
- info->reg_type = PTR_TO_PACKET_END;
- if (size != sizeof(__u64))
- return false;
- break;
-- case offsetof(struct sk_msg_md, sk):
-+ case bpf_ctx_range_ptr(struct sk_msg_md, sk):
- if (size != sizeof(__u64))
- return false;
- info->reg_type = PTR_TO_SOCKET;
-@@ -11595,7 +11595,7 @@ static bool sk_lookup_is_valid_access(int off, int size,
- return false;
-
- switch (off) {
-- case offsetof(struct bpf_sk_lookup, sk):
-+ case bpf_ctx_range_ptr(struct bpf_sk_lookup, sk):
- info->reg_type = PTR_TO_SOCKET_OR_NULL;
- return size == sizeof(__u64);
-
---
-2.43.0
-
diff --git a/SPECS/kernel-rt/CVE-2025-40075-1.patch b/SPECS/kernel-rt/CVE-2025-40075-1.patch
deleted file mode 100644
index ebd905650d..0000000000
--- a/SPECS/kernel-rt/CVE-2025-40075-1.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 5713e8f87ebb86cf78123c967d2fdf6a1c1a04d3 Mon Sep 17 00:00:00 2001
-From: Eric Dumazet
-Date: Thu, 28 Aug 2025 19:58:21 +0000
-Subject: [PATCH 4/8] tcp_metrics: use dst_dev_net_rcu()
-
-Replace three dst_dev() with a lockdep enabled helper.
-
-Fixes: 4a6ce2b6f2ec ("net: introduce a new function dst_dev_put()")
-Signed-off-by: Eric Dumazet
-Reviewed-by: David Ahern
-Link: https://patch.msgid.link/20250828195823.3958522-7-edumazet@google.com
-Signed-off-by: Jakub Kicinski
----
- net/ipv4/tcp_metrics.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/net/ipv4/tcp_metrics.c b/net/ipv4/tcp_metrics.c
-index 03c068ea27b6..10e86f1008e9 100644
---- a/net/ipv4/tcp_metrics.c
-+++ b/net/ipv4/tcp_metrics.c
-@@ -170,7 +170,7 @@ static struct tcp_metrics_block *tcpm_new(struct dst_entry *dst,
- struct net *net;
-
- spin_lock_bh(&tcp_metrics_lock);
-- net = dev_net_rcu(dst_dev(dst));
-+ net = dst_dev_net_rcu(dst);
-
- /* While waiting for the spin-lock the cache might have been populated
- * with this entry and so we have to check again.
-@@ -273,7 +273,7 @@ static struct tcp_metrics_block *__tcp_get_metrics_req(struct request_sock *req,
- return NULL;
- }
-
-- net = dev_net_rcu(dst_dev(dst));
-+ net = dst_dev_net_rcu(dst);
- hash ^= net_hash_mix(net);
- hash = hash_32(hash, tcp_metrics_hash_log);
-
-@@ -318,7 +318,7 @@ static struct tcp_metrics_block *tcp_get_metrics(struct sock *sk,
- else
- return NULL;
-
-- net = dev_net_rcu(dst_dev(dst));
-+ net = dst_dev_net_rcu(dst);
- hash ^= net_hash_mix(net);
- hash = hash_32(hash, tcp_metrics_hash_log);
-
---
-2.34.1
-
diff --git a/SPECS/kernel-rt/CVE-2025-40075.patch b/SPECS/kernel-rt/CVE-2025-40075.patch
deleted file mode 100644
index 84376b1590..0000000000
--- a/SPECS/kernel-rt/CVE-2025-40075.patch
+++ /dev/null
@@ -1,105 +0,0 @@
-From 7649135be0cd3d9c9083b623f086573ae448589c Mon Sep 17 00:00:00 2001
-From: Eric Dumazet
-Date: Thu, 28 Aug 2025 19:58:16 +0000
-Subject: [PATCH 3/8] net: dst: introduce dst->dev_rcu
-
-Followup of commit 88fe14253e18 ("net: dst: add four helpers
-to annotate data-races around dst->dev").
-
-We want to gradually add explicit RCU protection to dst->dev,
-including lockdep support.
-
-Add an union to alias dst->dev_rcu and dst->dev.
-
-Add dst_dev_net_rcu() helper.
-
-Fixes: 4a6ce2b6f2ec ("net: introduce a new function dst_dev_put()")
-Signed-off-by: Eric Dumazet
-Reviewed-by: David Ahern
-Link: https://patch.msgid.link/20250828195823.3958522-2-edumazet@google.com
-Signed-off-by: Jakub Kicinski
----
- include/net/dst.h | 16 +++++++++++-----
- net/core/dst.c | 2 +-
- net/ipv4/route.c | 4 ++--
- 3 files changed, 14 insertions(+), 8 deletions(-)
-
-diff --git a/include/net/dst.h b/include/net/dst.h
-index e5c9ea188383..e7c1eb69570e 100644
---- a/include/net/dst.h
-+++ b/include/net/dst.h
-@@ -24,7 +24,10 @@
- struct sk_buff;
-
- struct dst_entry {
-- struct net_device *dev;
-+ union {
-+ struct net_device *dev;
-+ struct net_device __rcu *dev_rcu;
-+ };
- struct dst_ops *ops;
- unsigned long _metrics;
- unsigned long expires;
-@@ -568,9 +571,12 @@ static inline struct net_device *dst_dev(const struct dst_entry *dst)
-
- static inline struct net_device *dst_dev_rcu(const struct dst_entry *dst)
- {
-- /* In the future, use rcu_dereference(dst->dev) */
-- WARN_ON_ONCE(!rcu_read_lock_held());
-- return READ_ONCE(dst->dev);
-+ return rcu_dereference(dst->dev_rcu);
-+}
-+
-+static inline struct net *dst_dev_net_rcu(const struct dst_entry *dst)
-+{
-+ return dev_net_rcu(dst_dev_rcu(dst));
- }
-
- static inline struct net_device *skb_dst_dev(const struct sk_buff *skb)
-@@ -590,7 +596,7 @@ static inline struct net *skb_dst_dev_net(const struct sk_buff *skb)
-
- static inline struct net *skb_dst_dev_net_rcu(const struct sk_buff *skb)
- {
-- return dev_net_rcu(skb_dst_dev(skb));
-+ return dev_net_rcu(skb_dst_dev_rcu(skb));
- }
-
- struct dst_entry *dst_blackhole_check(struct dst_entry *dst, u32 cookie);
-diff --git a/net/core/dst.c b/net/core/dst.c
-index 9a0ddef8bee4..8dbb54148c03 100644
---- a/net/core/dst.c
-+++ b/net/core/dst.c
-@@ -150,7 +150,7 @@ void dst_dev_put(struct dst_entry *dst)
- dst->ops->ifdown(dst, dev);
- WRITE_ONCE(dst->input, dst_discard);
- WRITE_ONCE(dst->output, dst_discard_out);
-- WRITE_ONCE(dst->dev, blackhole_netdev);
-+ rcu_assign_pointer(dst->dev_rcu, blackhole_netdev);
- netdev_ref_replace(dev, blackhole_netdev, &dst->dev_tracker,
- GFP_ATOMIC);
- }
-diff --git a/net/ipv4/route.c b/net/ipv4/route.c
-index 96a01eb33653..8c54a3ecbddf 100644
---- a/net/ipv4/route.c
-+++ b/net/ipv4/route.c
-@@ -1025,7 +1025,7 @@ static void __ip_rt_update_pmtu(struct rtable *rt, struct flowi4 *fl4, u32 mtu)
- return;
-
- rcu_read_lock();
-- net = dev_net_rcu(dst_dev(dst));
-+ net = dst_dev_net_rcu(dst);
- if (mtu < net->ipv4.ip_rt_min_pmtu) {
- lock = true;
- mtu = min(old_mtu, net->ipv4.ip_rt_min_pmtu);
-@@ -1323,7 +1323,7 @@ static unsigned int ipv4_default_advmss(const struct dst_entry *dst)
- struct net *net;
-
- rcu_read_lock();
-- net = dev_net_rcu(dst_dev(dst));
-+ net = dst_dev_net_rcu(dst);
- advmss = max_t(unsigned int, ipv4_mtu(dst) - header_size,
- net->ipv4.ip_rt_min_advmss);
- rcu_read_unlock();
---
-2.34.1
-
diff --git a/SPECS/kernel-rt/CVE-2025-40135.patch b/SPECS/kernel-rt/CVE-2025-40135.patch
deleted file mode 100644
index b5abe69e31..0000000000
--- a/SPECS/kernel-rt/CVE-2025-40135.patch
+++ /dev/null
@@ -1,107 +0,0 @@
-From 18ea99d5d1722719ce866d5b0cf5dc64a73f5f33 Mon Sep 17 00:00:00 2001
-From: Eric Dumazet
-Date: Thu, 28 Aug 2025 19:58:18 +0000
-Subject: [PATCH 10/15] ipv6: use RCU in ip6_xmit()
-
-Use RCU in ip6_xmit() in order to use dst_dev_rcu() to prevent
-possible UAF.
-
-Fixes: 4a6ce2b6f2ec ("net: introduce a new function dst_dev_put()")
-Signed-off-by: Eric Dumazet
-Reviewed-by: David Ahern
-Link: https://patch.msgid.link/20250828195823.3958522-4-edumazet@google.com
-Signed-off-by: Jakub Kicinski
----
- net/ipv6/ip6_output.c | 35 +++++++++++++++++++++--------------
- 1 file changed, 21 insertions(+), 14 deletions(-)
-
-diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
-index dca8b17bc713..19af5dbbddd1 100644
---- a/net/ipv6/ip6_output.c
-+++ b/net/ipv6/ip6_output.c
-@@ -269,35 +269,36 @@ bool ip6_autoflowlabel(struct net *net, const struct sock *sk)
- int ip6_xmit(const struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6,
- __u32 mark, struct ipv6_txoptions *opt, int tclass, u32 priority)
- {
-- struct net *net = sock_net(sk);
- const struct ipv6_pinfo *np = inet6_sk(sk);
- struct in6_addr *first_hop = &fl6->daddr;
- struct dst_entry *dst = skb_dst(skb);
-- struct net_device *dev = dst->dev;
- struct inet6_dev *idev = ip6_dst_idev(dst);
- struct hop_jumbo_hdr *hop_jumbo;
- int hoplen = sizeof(*hop_jumbo);
-+ struct net *net = sock_net(sk);
- unsigned int head_room;
-+ struct net_device *dev;
- struct ipv6hdr *hdr;
- u8 proto = fl6->flowi6_proto;
- int seg_len = skb->len;
-- int hlimit = -1;
-+ int ret, hlimit = -1;
- u32 mtu;
-
-+ rcu_read_lock();
-+
-+ dev = dst_dev_rcu(dst);
- head_room = sizeof(struct ipv6hdr) + hoplen + LL_RESERVED_SPACE(dev);
- if (opt)
- head_room += opt->opt_nflen + opt->opt_flen;
-
- if (unlikely(head_room > skb_headroom(skb))) {
-- /* Make sure idev stays alive */
-- rcu_read_lock();
-+ /* idev stays alive while we hold rcu_read_lock(). */
- skb = skb_expand_head(skb, head_room);
- if (!skb) {
- IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS);
-- rcu_read_unlock();
-- return -ENOBUFS;
-+ ret = -ENOBUFS;
-+ goto unlock;
- }
-- rcu_read_unlock();
- }
-
- if (opt) {
-@@ -359,17 +360,21 @@ int ip6_xmit(const struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6,
- * skb to its handler for processing
- */
- skb = l3mdev_ip6_out((struct sock *)sk, skb);
-- if (unlikely(!skb))
-- return 0;
-+ if (unlikely(!skb)) {
-+ ret = 0;
-+ goto unlock;
-+ }
-
- /* hooks should never assume socket lock is held.
- * we promote our socket to non const
- */
-- return NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT,
-- net, (struct sock *)sk, skb, NULL, dev,
-- dst_output);
-+ ret = NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT,
-+ net, (struct sock *)sk, skb, NULL, dev,
-+ dst_output);
-+ goto unlock;
- }
-
-+ ret = -EMSGSIZE;
- skb->dev = dev;
- /* ipv6_local_error() does not require socket lock,
- * we promote our socket to non const
-@@ -378,7 +383,9 @@ int ip6_xmit(const struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6,
-
- IP6_INC_STATS(net, idev, IPSTATS_MIB_FRAGFAILS);
- kfree_skb(skb);
-- return -EMSGSIZE;
-+unlock:
-+ rcu_read_unlock();
-+ return ret;
- }
- EXPORT_SYMBOL(ip6_xmit);
-
---
-2.43.0
-
diff --git a/SPECS/kernel-rt/CVE-2025-40149.patch b/SPECS/kernel-rt/CVE-2025-40149.patch
deleted file mode 100644
index ad146854d5..0000000000
--- a/SPECS/kernel-rt/CVE-2025-40149.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From 1a26f422f57cca0823041c8e535aed7551b5a1b1 Mon Sep 17 00:00:00 2001
-From: Kuniyuki Iwashima
-Date: Tue, 16 Sep 2025 21:47:23 +0000
-Subject: [PATCH 06/15] tls: Use __sk_dst_get() and dst_dev_rcu() in
- get_netdev_for_sock().
-
-get_netdev_for_sock() is called during setsockopt(),
-so not under RCU.
-
-Using sk_dst_get(sk)->dev could trigger UAF.
-
-Let's use __sk_dst_get() and dst_dev_rcu().
-
-Note that the only ->ndo_sk_get_lower_dev() user is
-bond_sk_get_lower_dev(), which uses RCU.
-
-Fixes: e8f69799810c ("net/tls: Add generic NIC offload infrastructure")
-Signed-off-by: Kuniyuki Iwashima
-Reviewed-by: Eric Dumazet
-Reviewed-by: Sabrina Dubroca
-Link: https://patch.msgid.link/20250916214758.650211-6-kuniyu@google.com
-Signed-off-by: Jakub Kicinski
----
- net/tls/tls_device.c | 18 ++++++++++--------
- 1 file changed, 10 insertions(+), 8 deletions(-)
-
-diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c
-index dc063c2c7950..62e6b62559e2 100644
---- a/net/tls/tls_device.c
-+++ b/net/tls/tls_device.c
-@@ -123,17 +123,19 @@ static void tls_device_queue_ctx_destruction(struct tls_context *ctx)
- /* We assume that the socket is already connected */
- static struct net_device *get_netdev_for_sock(struct sock *sk)
- {
-- struct dst_entry *dst = sk_dst_get(sk);
-- struct net_device *netdev = NULL;
-+ struct net_device *dev, *lowest_dev = NULL;
-+ struct dst_entry *dst;
-
-- if (likely(dst)) {
-- netdev = netdev_sk_get_lowest_dev(dst->dev, sk);
-- dev_hold(netdev);
-+ rcu_read_lock();
-+ dst = __sk_dst_get(sk);
-+ dev = dst ? dst_dev_rcu(dst) : NULL;
-+ if (likely(dev)) {
-+ lowest_dev = netdev_sk_get_lowest_dev(dev, sk);
-+ dev_hold(lowest_dev);
- }
-+ rcu_read_unlock();
-
-- dst_release(dst);
--
-- return netdev;
-+ return lowest_dev;
- }
-
- static void destroy_record(struct tls_record_info *record)
---
-2.43.0
-
diff --git a/SPECS/kernel-rt/CVE-2025-40158.patch b/SPECS/kernel-rt/CVE-2025-40158.patch
deleted file mode 100644
index f6b64288db..0000000000
--- a/SPECS/kernel-rt/CVE-2025-40158.patch
+++ /dev/null
@@ -1,114 +0,0 @@
-From 675f47b6f5b933d55746c0c5cbf5db0316946ece Mon Sep 17 00:00:00 2001
-From: Eric Dumazet
-Date: Thu, 28 Aug 2025 19:58:19 +0000
-Subject: [PATCH 05/15] ipv6: use RCU in ip6_output()
-
-Use RCU in ip6_output() in order to use dst_dev_rcu() to prevent
-possible UAF.
-
-We can remove rcu_read_lock()/rcu_read_unlock() pairs
-from ip6_finish_output2().
-
-Fixes: 4a6ce2b6f2ec ("net: introduce a new function dst_dev_put()")
-Signed-off-by: Eric Dumazet
-Reviewed-by: David Ahern
-Link: https://patch.msgid.link/20250828195823.3958522-5-edumazet@google.com
-Signed-off-by: Jakub Kicinski
----
- net/ipv6/ip6_output.c | 30 ++++++++++++++++--------------
- 1 file changed, 16 insertions(+), 14 deletions(-)
-
-diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
-index f0e5431c2d46..dca8b17bc713 100644
---- a/net/ipv6/ip6_output.c
-+++ b/net/ipv6/ip6_output.c
-@@ -60,7 +60,7 @@
- static int ip6_finish_output2(struct net *net, struct sock *sk, struct sk_buff *skb)
- {
- struct dst_entry *dst = skb_dst(skb);
-- struct net_device *dev = dst->dev;
-+ struct net_device *dev = dst_dev_rcu(dst);
- struct inet6_dev *idev = ip6_dst_idev(dst);
- unsigned int hh_len = LL_RESERVED_SPACE(dev);
- const struct in6_addr *daddr, *nexthop;
-@@ -70,15 +70,12 @@ static int ip6_finish_output2(struct net *net, struct sock *sk, struct sk_buff *
-
- /* Be paranoid, rather than too clever. */
- if (unlikely(hh_len > skb_headroom(skb)) && dev->header_ops) {
-- /* Make sure idev stays alive */
-- rcu_read_lock();
-+ /* idev stays alive because we hold rcu_read_lock(). */
- skb = skb_expand_head(skb, hh_len);
- if (!skb) {
- IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS);
-- rcu_read_unlock();
- return -ENOMEM;
- }
-- rcu_read_unlock();
- }
-
- hdr = ipv6_hdr(skb);
-@@ -123,7 +120,6 @@ static int ip6_finish_output2(struct net *net, struct sock *sk, struct sk_buff *
-
- IP6_UPD_PO_STATS(net, idev, IPSTATS_MIB_OUT, skb->len);
-
-- rcu_read_lock();
- nexthop = rt6_nexthop(dst_rt6_info(dst), daddr);
- neigh = __ipv6_neigh_lookup_noref(dev, nexthop);
-
-@@ -131,7 +127,6 @@ static int ip6_finish_output2(struct net *net, struct sock *sk, struct sk_buff *
- if (unlikely(!neigh))
- neigh = __neigh_create(&nd_tbl, nexthop, dev, false);
- if (IS_ERR(neigh)) {
-- rcu_read_unlock();
- IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTNOROUTES);
- kfree_skb_reason(skb, SKB_DROP_REASON_NEIGH_CREATEFAIL);
- return -EINVAL;
-@@ -139,7 +134,6 @@ static int ip6_finish_output2(struct net *net, struct sock *sk, struct sk_buff *
- }
- sock_confirm_neigh(skb, neigh);
- ret = neigh_output(neigh, skb, false);
-- rcu_read_unlock();
- return ret;
- }
-
-@@ -232,22 +226,30 @@ static int ip6_finish_output(struct net *net, struct sock *sk, struct sk_buff *s
-
- int ip6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
- {
-- struct net_device *dev = skb_dst(skb)->dev, *indev = skb->dev;
-- struct inet6_dev *idev = ip6_dst_idev(skb_dst(skb));
-+ struct dst_entry *dst = skb_dst(skb);
-+ struct net_device *dev, *indev = skb->dev;
-+ struct inet6_dev *idev;
-+ int ret;
-
- skb->protocol = htons(ETH_P_IPV6);
-+ rcu_read_lock();
-+ dev = dst_dev_rcu(dst);
-+ idev = ip6_dst_idev(dst);
- skb->dev = dev;
-
- if (unlikely(!idev || READ_ONCE(idev->cnf.disable_ipv6))) {
- IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS);
-+ rcu_read_unlock();
- kfree_skb_reason(skb, SKB_DROP_REASON_IPV6DISABLED);
- return 0;
- }
-
-- return NF_HOOK_COND(NFPROTO_IPV6, NF_INET_POST_ROUTING,
-- net, sk, skb, indev, dev,
-- ip6_finish_output,
-- !(IP6CB(skb)->flags & IP6SKB_REROUTED));
-+ ret = NF_HOOK_COND(NFPROTO_IPV6, NF_INET_POST_ROUTING,
-+ net, sk, skb, indev, dev,
-+ ip6_finish_output,
-+ !(IP6CB(skb)->flags & IP6SKB_REROUTED));
-+ rcu_read_unlock();
-+ return ret;
- }
- EXPORT_SYMBOL(ip6_output);
-
---
-2.43.0
-
diff --git a/SPECS/kernel-rt/CVE-2025-40164.patch b/SPECS/kernel-rt/CVE-2025-40164.patch
deleted file mode 100644
index ebde4eed72..0000000000
--- a/SPECS/kernel-rt/CVE-2025-40164.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From 741d90c0ea551686d62fbe567448d37d8d100535 Mon Sep 17 00:00:00 2001
-From: Zqiang
-Date: Sat, 11 Oct 2025 15:05:18 +0800
-Subject: [PATCH 04/15] usbnet: Fix using smp_processor_id() in preemptible
- code warnings
-
-Syzbot reported the following warning:
-
-BUG: using smp_processor_id() in preemptible [00000000] code: dhcpcd/2879
-caller is usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331
-CPU: 1 UID: 0 PID: 2879 Comm: dhcpcd Not tainted 6.15.0-rc4-syzkaller-00098-g615dca38c2ea #0 PREEMPT(voluntary)
-Call Trace:
-
- __dump_stack lib/dump_stack.c:94 [inline]
- dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120
- check_preemption_disabled+0xd0/0xe0 lib/smp_processor_id.c:49
- usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331
- usbnet_resume_rx+0x4b/0x170 drivers/net/usb/usbnet.c:708
- usbnet_change_mtu+0x1be/0x220 drivers/net/usb/usbnet.c:417
- __dev_set_mtu net/core/dev.c:9443 [inline]
- netif_set_mtu_ext+0x369/0x5c0 net/core/dev.c:9496
- netif_set_mtu+0xb0/0x160 net/core/dev.c:9520
- dev_set_mtu+0xae/0x170 net/core/dev_api.c:247
- dev_ifsioc+0xa31/0x18d0 net/core/dev_ioctl.c:572
- dev_ioctl+0x223/0x10e0 net/core/dev_ioctl.c:821
- sock_do_ioctl+0x19d/0x280 net/socket.c:1204
- sock_ioctl+0x42f/0x6a0 net/socket.c:1311
- vfs_ioctl fs/ioctl.c:51 [inline]
- __do_sys_ioctl fs/ioctl.c:906 [inline]
- __se_sys_ioctl fs/ioctl.c:892 [inline]
- __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892
- do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
- do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
- entry_SYSCALL_64_after_hwframe+0x77/0x7f
-
-For historical and portability reasons, the netif_rx() is usually
-run in the softirq or interrupt context, this commit therefore add
-local_bh_disable/enable() protection in the usbnet_resume_rx().
-
-Fixes: 43daa96b166c ("usbnet: Stop RX Q on MTU change")
-Link: https://syzkaller.appspot.com/bug?id=81f55dfa587ee544baaaa5a359a060512228c1e1
-Suggested-by: Jakub Kicinski
-Signed-off-by: Zqiang
-Link: https://patch.msgid.link/20251011070518.7095-1-qiang.zhang@linux.dev
-Signed-off-by: Paolo Abeni
----
- drivers/net/usb/usbnet.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
-index 0ff7357c3c91..f1f61d85d949 100644
---- a/drivers/net/usb/usbnet.c
-+++ b/drivers/net/usb/usbnet.c
-@@ -702,6 +702,7 @@ void usbnet_resume_rx(struct usbnet *dev)
- struct sk_buff *skb;
- int num = 0;
-
-+ local_bh_disable();
- clear_bit(EVENT_RX_PAUSED, &dev->flags);
-
- while ((skb = skb_dequeue(&dev->rxq_pause)) != NULL) {
-@@ -710,6 +711,7 @@ void usbnet_resume_rx(struct usbnet *dev)
- }
-
- tasklet_schedule(&dev->bh);
-+ local_bh_enable();
-
- netif_dbg(dev, rx_status, dev->net,
- "paused rx queue disabled, %d skbs requeued\n", num);
---
-2.43.0
-
diff --git a/SPECS/kernel-rt/CVE-2025-40170.patch b/SPECS/kernel-rt/CVE-2025-40170.patch
deleted file mode 100644
index 84d3449594..0000000000
--- a/SPECS/kernel-rt/CVE-2025-40170.patch
+++ /dev/null
@@ -1,138 +0,0 @@
-From 9fd9125f380d8004b8418915725a459518c8501b Mon Sep 17 00:00:00 2001
-From: Eric Dumazet
-Date: Thu, 28 Aug 2025 19:58:20 +0000
-Subject: [PATCH 02/15] net: use dst_dev_rcu() in sk_setup_caps()
-
-Use RCU to protect accesses to dst->dev from sk_setup_caps()
-and sk_dst_gso_max_size().
-
-Also use dst_dev_rcu() in ip6_dst_mtu_maybe_forward(),
-and ip_dst_mtu_maybe_forward().
-
-ip4_dst_hoplimit() can use dst_dev_net_rcu().
-
-Fixes: 4a6ce2b6f2ec ("net: introduce a new function dst_dev_put()")
-Signed-off-by: Eric Dumazet
-Reviewed-by: David Ahern
-Link: https://patch.msgid.link/20250828195823.3958522-6-edumazet@google.com
-Signed-off-by: Jakub Kicinski
----
- include/net/ip.h | 6 ++++--
- include/net/ip6_route.h | 2 +-
- include/net/route.h | 2 +-
- net/core/sock.c | 16 ++++++++++------
- 4 files changed, 16 insertions(+), 10 deletions(-)
-
-diff --git a/include/net/ip.h b/include/net/ip.h
-index 5f0f1215d2f9..c65ca2765e29 100644
---- a/include/net/ip.h
-+++ b/include/net/ip.h
-@@ -470,12 +470,14 @@ static inline unsigned int ip_dst_mtu_maybe_forward(const struct dst_entry *dst,
- bool forwarding)
- {
- const struct rtable *rt = dst_rtable(dst);
-+ const struct net_device *dev;
- unsigned int mtu, res;
- struct net *net;
-
- rcu_read_lock();
-
-- net = dev_net_rcu(dst_dev(dst));
-+ dev = dst_dev_rcu(dst);
-+ net = dev_net_rcu(dev);
- if (READ_ONCE(net->ipv4.sysctl_ip_fwd_use_pmtu) ||
- ip_mtu_locked(dst) ||
- !forwarding) {
-@@ -489,7 +491,7 @@ static inline unsigned int ip_dst_mtu_maybe_forward(const struct dst_entry *dst,
- if (mtu)
- goto out;
-
-- mtu = READ_ONCE(dst_dev(dst)->mtu);
-+ mtu = READ_ONCE(dev->mtu);
-
- if (unlikely(ip_mtu_locked(dst))) {
- if (rt->rt_uses_gateway && mtu > 576)
-diff --git a/include/net/ip6_route.h b/include/net/ip6_route.h
-index 6dbdf60b342f..ede44cde7fe5 100644
---- a/include/net/ip6_route.h
-+++ b/include/net/ip6_route.h
-@@ -337,7 +337,7 @@ static inline unsigned int ip6_dst_mtu_maybe_forward(const struct dst_entry *dst
-
- mtu = IPV6_MIN_MTU;
- rcu_read_lock();
-- idev = __in6_dev_get(dst->dev);
-+ idev = __in6_dev_get(dst_dev_rcu(dst));
- if (idev)
- mtu = READ_ONCE(idev->cnf.mtu6);
- rcu_read_unlock();
-diff --git a/include/net/route.h b/include/net/route.h
-index 232b7bf55ba2..cbb4d5523062 100644
---- a/include/net/route.h
-+++ b/include/net/route.h
-@@ -369,7 +369,7 @@ static inline int ip4_dst_hoplimit(const struct dst_entry *dst)
- const struct net *net;
-
- rcu_read_lock();
-- net = dev_net_rcu(dst_dev(dst));
-+ net = dst_dev_net_rcu(dst);
- hoplimit = READ_ONCE(net->ipv4.sysctl_ip_default_ttl);
- rcu_read_unlock();
- }
-diff --git a/net/core/sock.c b/net/core/sock.c
-index 1781f3a642b4..97cc796a1d33 100644
---- a/net/core/sock.c
-+++ b/net/core/sock.c
-@@ -2524,7 +2524,7 @@ void sk_free_unlock_clone(struct sock *sk)
- }
- EXPORT_SYMBOL_GPL(sk_free_unlock_clone);
-
--static u32 sk_dst_gso_max_size(struct sock *sk, struct dst_entry *dst)
-+static u32 sk_dst_gso_max_size(struct sock *sk, const struct net_device *dev)
- {
- bool is_ipv6 = false;
- u32 max_size;
-@@ -2534,8 +2534,8 @@ static u32 sk_dst_gso_max_size(struct sock *sk, struct dst_entry *dst)
- !ipv6_addr_v4mapped(&sk->sk_v6_rcv_saddr));
- #endif
- /* pairs with the WRITE_ONCE() in netif_set_gso(_ipv4)_max_size() */
-- max_size = is_ipv6 ? READ_ONCE(dst_dev(dst)->gso_max_size) :
-- READ_ONCE(dst_dev(dst)->gso_ipv4_max_size);
-+ max_size = is_ipv6 ? READ_ONCE(dev->gso_max_size) :
-+ READ_ONCE(dev->gso_ipv4_max_size);
- if (max_size > GSO_LEGACY_MAX_SIZE && !sk_is_tcp(sk))
- max_size = GSO_LEGACY_MAX_SIZE;
-
-@@ -2544,9 +2544,12 @@ static u32 sk_dst_gso_max_size(struct sock *sk, struct dst_entry *dst)
-
- void sk_setup_caps(struct sock *sk, struct dst_entry *dst)
- {
-+ const struct net_device *dev;
- u32 max_segs = 1;
-
-- sk->sk_route_caps = dst_dev(dst)->features;
-+ rcu_read_lock();
-+ dev = dst_dev_rcu(dst);
-+ sk->sk_route_caps = dev->features;
- if (sk_is_tcp(sk)) {
- struct inet_connection_sock *icsk = inet_csk(sk);
-
-@@ -2562,13 +2565,14 @@ void sk_setup_caps(struct sock *sk, struct dst_entry *dst)
- sk->sk_route_caps &= ~NETIF_F_GSO_MASK;
- } else {
- sk->sk_route_caps |= NETIF_F_SG | NETIF_F_HW_CSUM;
-- sk->sk_gso_max_size = sk_dst_gso_max_size(sk, dst);
-+ sk->sk_gso_max_size = sk_dst_gso_max_size(sk, dev);
- /* pairs with the WRITE_ONCE() in netif_set_gso_max_segs() */
-- max_segs = max_t(u32, READ_ONCE(dst_dev(dst)->gso_max_segs), 1);
-+ max_segs = max_t(u32, READ_ONCE(dev->gso_max_segs), 1);
- }
- }
- sk->sk_gso_max_segs = max_segs;
- sk_dst_set(sk, dst);
-+ rcu_read_unlock();
- }
- EXPORT_SYMBOL_GPL(sk_setup_caps);
-
---
-2.43.0
-
diff --git a/SPECS/kernel-rt/CVE-2025-40215.patch b/SPECS/kernel-rt/CVE-2025-40215.patch
deleted file mode 100644
index 644a85a3e8..0000000000
--- a/SPECS/kernel-rt/CVE-2025-40215.patch
+++ /dev/null
@@ -1,191 +0,0 @@ -From 39992c2053e7eff318860d12ae26b2a57385a772 Mon Sep 17 00:00:00 2001 -From: Sabrina Dubroca -Date: Fri, 4 Jul 2025 16:54:33 +0200 -Subject: [PATCH] xfrm: delete x->tunnel as we delete x - -The ipcomp fallback tunnels currently get deleted (from the various -lists and hashtables) as the last user state that needed that fallback -is destroyed (not deleted). If a reference to that user state still -exists, the fallback state will remain on the hashtables/lists, -triggering the WARN in xfrm_state_fini. Because of those remaining -references, the fix in commit f75a2804da39 ("xfrm: destroy xfrm_state -synchronously on net exit path") is not complete. - -We recently fixed one such situation in TCP due to defered freeing of -skbs (commit 9b6412e6979f ("tcp: drop secpath at the same time as we -currently drop dst")). This can also happen due to IP reassembly: skbs -with a secpath remain on the reassembly queue until netns -destruction. If we can't guarantee that the queues are flushed by the -time xfrm_state_fini runs, there may still be references to a (user) -xfrm_state, preventing the timely deletion of the corresponding -fallback state. - -Instead of chasing each instance of skbs holding a secpath one by one, -this patch fixes the issue directly within xfrm, by deleting the -fallback state as soon as the last user state depending on it has been -deleted. Destruction will still happen when the final reference is -dropped. - -A separate lockdep class for the fallback state is required since -we're going to lock x->tunnel while x is locked. 
- -Fixes: 9d4139c76905 ("netns xfrm: per-netns xfrm_state_all list") -Signed-off-by: Sabrina Dubroca -Signed-off-by: Steffen Klassert ---- - include/net/xfrm.h | 1 - - net/ipv4/ipcomp.c | 2 ++ - net/ipv6/ipcomp6.c | 2 ++ - net/ipv6/xfrm6_tunnel.c | 2 +- - net/xfrm/xfrm_ipcomp.c | 1 - - net/xfrm/xfrm_state.c | 19 ++++++++----------- - 6 files changed, 13 insertions(+), 14 deletions(-) - -diff --git a/include/net/xfrm.h b/include/net/xfrm.h -index caaff61601a0..d51204041bf7 100644 ---- a/include/net/xfrm.h -+++ b/include/net/xfrm.h -@@ -424,7 +424,6 @@ int xfrm_input_register_afinfo(const struct xfrm_input_afinfo *afinfo); - int xfrm_input_unregister_afinfo(const struct xfrm_input_afinfo *afinfo); - - void xfrm_flush_gc(void); --void xfrm_state_delete_tunnel(struct xfrm_state *x); - - struct xfrm_type { - struct module *owner; -diff --git a/net/ipv4/ipcomp.c b/net/ipv4/ipcomp.c -index 5a4fb2539b08..9a45aed508d1 100644 ---- a/net/ipv4/ipcomp.c -+++ b/net/ipv4/ipcomp.c -@@ -54,6 +54,7 @@ static int ipcomp4_err(struct sk_buff *skb, u32 info) - } - - /* We always hold one tunnel user reference to indicate a tunnel */ -+static struct lock_class_key xfrm_state_lock_key; - static struct xfrm_state *ipcomp_tunnel_create(struct xfrm_state *x) - { - struct net *net = xs_net(x); -@@ -62,6 +63,7 @@ static struct xfrm_state *ipcomp_tunnel_create(struct xfrm_state *x) - t = xfrm_state_alloc(net); - if (!t) - goto out; -+ lockdep_set_class(&t->lock, &xfrm_state_lock_key); - - t->id.proto = IPPROTO_IPIP; - t->id.spi = x->props.saddr.a4; -diff --git a/net/ipv6/ipcomp6.c b/net/ipv6/ipcomp6.c -index 72d4858dec18..8607569de34f 100644 ---- a/net/ipv6/ipcomp6.c -+++ b/net/ipv6/ipcomp6.c -@@ -71,6 +71,7 @@ static int ipcomp6_err(struct sk_buff *skb, struct inet6_skb_parm *opt, - return 0; - } - -+static struct lock_class_key xfrm_state_lock_key; - static struct xfrm_state *ipcomp6_tunnel_create(struct xfrm_state *x) - { - struct net *net = xs_net(x); -@@ -79,6 +80,7 @@ static struct 
xfrm_state *ipcomp6_tunnel_create(struct xfrm_state *x) - t = xfrm_state_alloc(net); - if (!t) - goto out; -+ lockdep_set_class(&t->lock, &xfrm_state_lock_key); - - t->id.proto = IPPROTO_IPV6; - t->id.spi = xfrm6_tunnel_alloc_spi(net, (xfrm_address_t *)&x->props.saddr); -diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c -index bf140ef781c1..7fd8bc08e6eb 100644 ---- a/net/ipv6/xfrm6_tunnel.c -+++ b/net/ipv6/xfrm6_tunnel.c -@@ -334,8 +334,8 @@ static void __net_exit xfrm6_tunnel_net_exit(struct net *net) - struct xfrm6_tunnel_net *xfrm6_tn = xfrm6_tunnel_pernet(net); - unsigned int i; - -- xfrm_flush_gc(); - xfrm_state_flush(net, 0, false, true); -+ xfrm_flush_gc(); - - for (i = 0; i < XFRM6_TUNNEL_SPI_BYADDR_HSIZE; i++) - WARN_ON_ONCE(!hlist_empty(&xfrm6_tn->spi_byaddr[i])); -diff --git a/net/xfrm/xfrm_ipcomp.c b/net/xfrm/xfrm_ipcomp.c -index 9c0fa0e1786a..f2e70e918f11 100644 ---- a/net/xfrm/xfrm_ipcomp.c -+++ b/net/xfrm/xfrm_ipcomp.c -@@ -315,7 +315,6 @@ void ipcomp_destroy(struct xfrm_state *x) - struct ipcomp_data *ipcd = x->data; - if (!ipcd) - return; -- xfrm_state_delete_tunnel(x); - mutex_lock(&ipcomp_resource_mutex); - ipcomp_free_data(ipcd); - mutex_unlock(&ipcomp_resource_mutex); -diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c -index f8cb033f102e..e4500d481e26 100644 ---- a/net/xfrm/xfrm_state.c -+++ b/net/xfrm/xfrm_state.c -@@ -748,6 +748,7 @@ void __xfrm_state_destroy(struct xfrm_state *x, bool sync) - } - EXPORT_SYMBOL(__xfrm_state_destroy); - -+static void xfrm_state_delete_tunnel(struct xfrm_state *x); - int __xfrm_state_delete(struct xfrm_state *x) - { - struct net *net = xs_net(x); -@@ -775,6 +776,8 @@ int __xfrm_state_delete(struct xfrm_state *x) - - xfrm_dev_state_delete(x); - -+ xfrm_state_delete_tunnel(x); -+ - /* All xfrm_state objects are created by xfrm_state_alloc. - * The xfrm_state_alloc call gives a reference, and that - * is what we are dropping here. 
-@@ -878,10 +881,7 @@ int xfrm_state_flush(struct net *net, u8 proto, bool task_valid, bool sync) - err = xfrm_state_delete(x); - xfrm_audit_state_delete(x, err ? 0 : 1, - task_valid); -- if (sync) -- xfrm_state_put_sync(x); -- else -- xfrm_state_put(x); -+ xfrm_state_put(x); - if (!err) - cnt++; - -@@ -3008,20 +3008,17 @@ void xfrm_flush_gc(void) - } - EXPORT_SYMBOL(xfrm_flush_gc); - --/* Temporarily located here until net/xfrm/xfrm_tunnel.c is created */ --void xfrm_state_delete_tunnel(struct xfrm_state *x) -+static void xfrm_state_delete_tunnel(struct xfrm_state *x) - { - if (x->tunnel) { - struct xfrm_state *t = x->tunnel; - -- if (atomic_read(&t->tunnel_users) == 2) -+ if (atomic_dec_return(&t->tunnel_users) == 1) - xfrm_state_delete(t); -- atomic_dec(&t->tunnel_users); -- xfrm_state_put_sync(t); -+ xfrm_state_put(t); - x->tunnel = NULL; - } - } --EXPORT_SYMBOL(xfrm_state_delete_tunnel); - - u32 xfrm_state_mtu(struct xfrm_state *x, int mtu) - { -@@ -3221,8 +3218,8 @@ void xfrm_state_fini(struct net *net) - unsigned int sz; - - flush_work(&net->xfrm.state_hash_work); -- flush_work(&xfrm_state_gc_work); - xfrm_state_flush(net, 0, false, true); -+ flush_work(&xfrm_state_gc_work); - - WARN_ON(!list_empty(&net->xfrm.state_all)); - --- -2.43.0 - diff --git a/SPECS/kernel-rt/CVE-2025-40325.patch b/SPECS/kernel-rt/CVE-2025-40325.patch deleted file mode 100644 index 61d5a72e16..0000000000 --- a/SPECS/kernel-rt/CVE-2025-40325.patch +++ /dev/null 
@@ -1,40 +0,0 @@
-From 9918ef3a9010cb1b131fe3e7bbae19786b074ff5 Mon Sep 17 00:00:00 2001
-From: Xiao Ni
-Date: Thu, 6 Mar 2025 17:49:38 +0800
-Subject: [PATCH 01/27] md/raid10: wait barrier before returning discard
- request with REQ_NOWAIT
-
-raid10_handle_discard should wait barrier before returning a discard bio
-which has REQ_NOWAIT. And there is no need to print warning calltrace
-if a discard bio has REQ_NOWAIT flag. Quality engineer usually checks
-dmesg and reports error if dmesg has warning/error calltrace.
-
-Fixes: c9aa889b035f ("md: raid10 add nowait support")
-Signed-off-by: Xiao Ni
-Acked-by: Coly Li
-Link: https://lore.kernel.org/linux-raid/20250306094938.48952-1-xni@redhat.com
-Signed-off-by: Yu Kuai
----
- drivers/md/raid10.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
-index 5cdc599fcad3..8825457f6a70 100644
---- a/drivers/md/raid10.c
-+++ b/drivers/md/raid10.c
-@@ -1591,11 +1591,10 @@ static int raid10_handle_discard(struct mddev *mddev, struct bio *bio)
- if (test_bit(MD_RECOVERY_RESHAPE, &mddev->recovery))
- return -EAGAIN;
-
-- if (WARN_ON_ONCE(bio->bi_opf & REQ_NOWAIT)) {
-+ if (!wait_barrier(conf, bio->bi_opf & REQ_NOWAIT)) {
- bio_wouldblock_error(bio);
- return 0;
- }
-- wait_barrier(conf, false);
-
- /*
- * Check reshape again to avoid reshape happens after checking
---
-2.43.0
-
diff --git a/SPECS/kernel-rt/CVE-2025-68206.patch b/SPECS/kernel-rt/CVE-2025-68206.patch
deleted file mode 100644
index 55348ebbc6..0000000000
--- a/SPECS/kernel-rt/CVE-2025-68206.patch
+++ /dev/null
@@ -1,109 +0,0 @@ -From c43fb751a35eebdb90abf7217ed8d1096f25e27d Mon Sep 17 00:00:00 2001 -From: Andrii Melnychenko -Date: Fri, 24 Oct 2025 18:22:16 +0200 -Subject: [PATCH 42/45] netfilter: nft_ct: add seqadj extension for natted - connections - -Sequence adjustment may be required for FTP traffic with PASV/EPSV modes. -due to need to re-write packet payload (IP, port) on the ftp control -connection. This can require changes to the TCP length and expected -seq / ack_seq. - -The easiest way to reproduce this issue is with PASV mode. -Example ruleset: -table inet ftp_nat { - ct helper ftp_helper { - type "ftp" protocol tcp - l3proto inet - } - - chain prerouting { - type filter hook prerouting priority 0; policy accept; - tcp dport 21 ct state new ct helper set "ftp_helper" - } -} -table ip nat { - chain prerouting { - type nat hook prerouting priority -100; policy accept; - tcp dport 21 dnat ip prefix to ip daddr map { - 192.168.100.1 : 192.168.13.2/32 } - } - - chain postrouting { - type nat hook postrouting priority 100 ; policy accept; - tcp sport 21 snat ip prefix to ip saddr map { - 192.168.13.2 : 192.168.100.1/32 } - } -} - -Note that the ftp helper gets assigned *after* the dnat setup. - -The inverse (nat after helper assign) is handled by an existing -check in nf_nat_setup_info() and will not show the problem. - -Topoloy: - - +-------------------+ +----------------------------------+ - | FTP: 192.168.13.2 | <-> | NAT: 192.168.13.3, 192.168.100.1 | - +-------------------+ +----------------------------------+ - | - +-----------------------+ - | Client: 192.168.100.2 | - +-----------------------+ - -ftp nat changes do not work as expected in this case: -Connected to 192.168.100.1. -[..] -ftp> epsv -EPSV/EPRT on IPv4 off. -ftp> ls -227 Entering passive mode (192,168,100,1,209,129). -421 Service not available, remote server has closed connection. 
- -Kernel logs: -Missing nfct_seqadj_ext_add() setup call -WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41 -[..] - __nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat] - nf_nat_ftp+0x142/0x280 [nf_nat_ftp] - help+0x4d1/0x880 [nf_conntrack_ftp] - nf_confirm+0x122/0x2e0 [nf_conntrack] - nf_hook_slow+0x3c/0xb0 - .. - -Fix this by adding the required extension when a conntrack helper is assigned -to a connection that has a nat binding. - -Fixes: 1a64edf54f55 ("netfilter: nft_ct: add helper set support") -Signed-off-by: Andrii Melnychenko -Signed-off-by: Florian Westphal ---- - net/netfilter/nft_ct.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c -index a1b373b99f7b..58a6ad7ed7a4 100644 ---- a/net/netfilter/nft_ct.c -+++ b/net/netfilter/nft_ct.c -@@ -22,6 +22,7 @@ - #include - #include - #include -+#include - - struct nft_ct_helper_obj { - struct nf_conntrack_helper *helper4; -@@ -1173,6 +1174,10 @@ static void nft_ct_helper_obj_eval(struct nft_object *obj, - if (help) { - rcu_assign_pointer(help->helper, to_assign); - set_bit(IPS_HELPER_BIT, &ct->status); -+ -+ if ((ct->status & IPS_NAT_MASK) && !nfct_seqadj(ct)) -+ if (!nfct_seqadj_ext_add(ct)) -+ regs->verdict.code = NF_DROP; - } - } - --- -2.43.0 - diff --git a/SPECS/kernel-rt/CVE-2025-68254.patch b/SPECS/kernel-rt/CVE-2025-68254.patch deleted file mode 100644 index 21361a120e..0000000000 --- a/SPECS/kernel-rt/CVE-2025-68254.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From 16c1bc832b694b818117327950eccdbb0f5ab2f3 Mon Sep 17 00:00:00 2001 -From: Navaneeth K -Date: Thu, 20 Nov 2025 16:35:20 +0000 -Subject: [PATCH 41/45] staging: rtl8723bs: fix out-of-bounds read in OnBeacon - ESR IE parsing - -The Extended Supported Rates (ESR) IE handling in OnBeacon accessed -*(p + 1 + ielen) and *(p + 2 + ielen) without verifying that these -offsets lie within the received frame buffer. A malformed beacon with -an ESR IE positioned at the end of the buffer could cause an -out-of-bounds read, potentially triggering a kernel panic. - -Add a boundary check to ensure that the ESR IE body and the subsequent -bytes are within the limits of the frame before attempting to access -them. - -This prevents OOB reads caused by malformed beacon frames. - -Signed-off-by: Navaneeth K -Cc: stable -Signed-off-by: Greg Kroah-Hartman ---- - drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - -diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c -index c51e7e551300..2569b92e6a87 100644 ---- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c -+++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c -@@ -579,9 +579,11 @@ unsigned int OnBeacon(struct adapter *padapter, union recv_frame *precv_frame) - - p = rtw_get_ie(pframe + sizeof(struct ieee80211_hdr_3addr) + _BEACON_IE_OFFSET_, WLAN_EID_EXT_SUPP_RATES, &ielen, precv_frame->u.hdr.len - sizeof(struct ieee80211_hdr_3addr) - _BEACON_IE_OFFSET_); - if (p && ielen > 0) { -- if ((*(p + 1 + ielen) == 0x2D) && (*(p + 2 + ielen) != 0x2D)) -- /* Invalid value 0x2D is detected in Extended Supported Rates (ESR) IE. Try to fix the IE length to avoid failed Beacon parsing. */ -- *(p + 1) = ielen - 1; -+ if (p + 2 + ielen < pframe + len) { -+ if ((*(p + 1 + ielen) == 0x2D) && (*(p + 2 + ielen) != 0x2D)) -+ /* Invalid value 0x2D is detected in Extended Supported Rates (ESR) IE. 
Try to fix the IE length to avoid failed Beacon parsing. */ -+ *(p + 1) = ielen - 1; -+ } - } - - if (pmlmeext->sitesurvey_res.state == SCAN_PROCESS) { --- -2.43.0 - diff --git a/SPECS/kernel-rt/CVE-2025-68255.patch b/SPECS/kernel-rt/CVE-2025-68255.patch deleted file mode 100644 index 953a42a0f0..0000000000 --- a/SPECS/kernel-rt/CVE-2025-68255.patch +++ /dev/null 
@@ -1,51 +0,0 @@
-From 1b4a578275665dcf61b5dcfc8e2f20d501bc506d Mon Sep 17 00:00:00 2001
-From: Navaneeth K
-Date: Thu, 20 Nov 2025 16:33:08 +0000
-Subject: [PATCH 40/45] staging: rtl8723bs: fix stack buffer overflow in
- OnAssocReq IE parsing
-
-The Supported Rates IE length from an incoming Association Request frame
-was used directly as the memcpy() length when copying into a fixed-size
-16-byte stack buffer (supportRate). A malicious station can advertise an
-IE length larger than 16 bytes, causing a stack buffer overflow.
-
-Clamp ie_len to the buffer size before copying the Supported Rates IE,
-and correct the bounds check when merging Extended Supported Rates to
-prevent a second potential overflow.
-
-This prevents kernel stack corruption triggered by malformed association
-requests.
-
-Signed-off-by: Navaneeth K
-Cc: stable
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
-index 4d4bec47d187..c51e7e551300 100644
---- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
-+++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
-@@ -1033,6 +1033,9 @@ unsigned int OnAssocReq(struct adapter *padapter, union recv_frame *precv_frame)
- status = WLAN_STATUS_CHALLENGE_FAIL;
- goto OnAssocReqFail;
- } else {
-+ if (ie_len > sizeof(supportRate))
-+ ie_len = sizeof(supportRate);
-+
- memcpy(supportRate, p+2, ie_len);
- supportRateNum = ie_len;
-
-@@ -1040,7 +1043,7 @@ unsigned int OnAssocReq(struct adapter *padapter, union recv_frame *precv_frame)
- pkt_len - WLAN_HDR_A3_LEN - ie_offset);
- if (p) {
-
-- if (supportRateNum <= sizeof(supportRate)) {
-+ if (supportRateNum + ie_len <= sizeof(supportRate)) {
- memcpy(supportRate+supportRateNum, p+2, ie_len);
- supportRateNum += ie_len;
- }
---
-2.43.0
-
diff --git a/SPECS/kernel-rt/CVE-2025-68256.patch b/SPECS/kernel-rt/CVE-2025-68256.patch
deleted file mode 100644
index b6236c7ab9..0000000000
--- a/SPECS/kernel-rt/CVE-2025-68256.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 9a072e4b9f9fc9796decbdde3c61a1d26c4616ec Mon Sep 17 00:00:00 2001
-From: Navaneeth K
-Date: Thu, 20 Nov 2025 16:23:52 +0000
-Subject: [PATCH 39/45] staging: rtl8723bs: fix out-of-bounds read in
- rtw_get_ie() parser
-
-The Information Element (IE) parser rtw_get_ie() trusted the length
-byte of each IE without validating that the IE body (len bytes after
-the 2-byte header) fits inside the remaining frame buffer. A malformed
-frame can advertise an IE length larger than the available data, causing
-the parser to increment its pointer beyond the buffer end. This results
-in out-of-bounds reads or, depending on the pattern, an infinite loop.
-
-Fix by validating that (offset + 2 + len) does not exceed the limit
-before accepting the IE or advancing to the next element.
-
-This prevents OOB reads and ensures the parser terminates safely on
-malformed frames.
-
-Signed-off-by: Navaneeth K
-Cc: stable
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/staging/rtl8723bs/core/rtw_ieee80211.c | 14 ++++++++------
- 1 file changed, 8 insertions(+), 6 deletions(-)
-
-diff --git a/drivers/staging/rtl8723bs/core/rtw_ieee80211.c b/drivers/staging/rtl8723bs/core/rtw_ieee80211.c
-index 0ed420f3d096..5abe2fddc3d7 100644
---- a/drivers/staging/rtl8723bs/core/rtw_ieee80211.c
-+++ b/drivers/staging/rtl8723bs/core/rtw_ieee80211.c
-@@ -140,22 +140,24 @@ u8 *rtw_get_ie(u8 *pbuf, signed int index, signed int *len, signed int limit)
- signed int tmp, i;
- u8 *p;
-
-- if (limit < 1)
-+ if (limit < 2)
- return NULL;
-
- p = pbuf;
- i = 0;
- *len = 0;
-- while (1) {
-+ while (i + 2 <= limit) {
-+ tmp = *(p + 1);
-+ if (i + 2 + tmp > limit)
-+ break;
-+
- if (*p == index) {
-- *len = *(p + 1);
-+ *len = tmp;
- return p;
- }
-- tmp = *(p + 1);
-+
- p += (tmp + 2);
- i += (tmp + 2);
-- if (i >= limit)
-- break;
- }
- return NULL;
- }
---
-2.43.0
-
diff --git a/SPECS/kernel-rt/CVE-2025-68259.patch b/SPECS/kernel-rt/CVE-2025-68259.patch
deleted file mode 100644
index 0d95142d91..0000000000
--- a/SPECS/kernel-rt/CVE-2025-68259.patch
+++ /dev/null
@@ -1,203 +0,0 @@ -From fbde4b2683a4a878f0a3ead58b796f9d6aa9d228 Mon Sep 17 00:00:00 2001 -From: Omar Sandoval -Date: Tue, 4 Nov 2025 09:55:26 -0800 -Subject: [PATCH 38/45] KVM: SVM: Don't skip unrelated instruction if INT3/INTO - is replaced - -When re-injecting a soft interrupt from an INT3, INT0, or (select) INTn -instruction, discard the exception and retry the instruction if the code -stream is changed (e.g. by a different vCPU) between when the CPU -executes the instruction and when KVM decodes the instruction to get the -next RIP. - -As effectively predicted by commit 6ef88d6e36c2 ("KVM: SVM: Re-inject -INT3/INTO instead of retrying the instruction"), failure to verify that -the correct INTn instruction was decoded can effectively clobber guest -state due to decoding the wrong instruction and thus specifying the -wrong next RIP. - -The bug most often manifests as "Oops: int3" panics on static branch -checks in Linux guests. Enabling or disabling a static branch in Linux -uses the kernel's "text poke" code patching mechanism. To modify code -while other CPUs may be executing that code, Linux (temporarily) -replaces the first byte of the original instruction with an int3 (opcode -0xcc), then patches in the new code stream except for the first byte, -and finally replaces the int3 with the first byte of the new code -stream. If a CPU hits the int3, i.e. executes the code while it's being -modified, then the guest kernel must look up the RIP to determine how to -handle the #BP, e.g. by emulating the new instruction. If the RIP is -incorrect, then this lookup fails and the guest kernel panics. - -The bug reproduces almost instantly by hacking the guest kernel to -repeatedly check a static branch[1] while running a drgn script[2] on -the host to constantly swap out the memory containing the guest's TSS. 
- -[1]: https://gist.github.com/osandov/44d17c51c28c0ac998ea0334edf90b5a -[2]: https://gist.github.com/osandov/10e45e45afa29b11e0c7209247afc00b - -Fixes: 6ef88d6e36c2 ("KVM: SVM: Re-inject INT3/INTO instead of retrying the instruction") -Cc: stable@vger.kernel.org -Co-developed-by: Sean Christopherson -Signed-off-by: Omar Sandoval -Link: https://patch.msgid.link/1cc6dcdf36e3add7ee7c8d90ad58414eeb6c3d34.1762278762.git.osandov@fb.com -Signed-off-by: Sean Christopherson ---- - arch/x86/include/asm/kvm_host.h | 9 +++++++++ - arch/x86/kvm/svm/svm.c | 24 +++++++++++++----------- - arch/x86/kvm/x86.c | 21 +++++++++++++++++++++ - 3 files changed, 43 insertions(+), 11 deletions(-) - -diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h -index d27df86aa62c..c6c8c21106ef 100644 ---- a/arch/x86/include/asm/kvm_host.h -+++ b/arch/x86/include/asm/kvm_host.h -@@ -2059,6 +2059,11 @@ u64 vcpu_tsc_khz(struct kvm_vcpu *vcpu); - * the gfn, i.e. retrying the instruction will hit a - * !PRESENT fault, which results in a new shadow page - * and sends KVM back to square one. -+ * -+ * EMULTYPE_SKIP_SOFT_INT - Set in combination with EMULTYPE_SKIP to only skip -+ * an instruction if it could generate a given software -+ * interrupt, which must be encoded via -+ * EMULTYPE_SET_SOFT_INT_VECTOR(). 
- */ - #define EMULTYPE_NO_DECODE (1 << 0) - #define EMULTYPE_TRAP_UD (1 << 1) -@@ -2069,6 +2074,10 @@ u64 vcpu_tsc_khz(struct kvm_vcpu *vcpu); - #define EMULTYPE_PF (1 << 6) - #define EMULTYPE_COMPLETE_USER_EXIT (1 << 7) - #define EMULTYPE_WRITE_PF_TO_SP (1 << 8) -+#define EMULTYPE_SKIP_SOFT_INT (1 << 9) -+ -+#define EMULTYPE_SET_SOFT_INT_VECTOR(v) ((u32)((v) & 0xff) << 16) -+#define EMULTYPE_GET_SOFT_INT_VECTOR(e) (((e) >> 16) & 0xff) - - int kvm_emulate_instruction(struct kvm_vcpu *vcpu, int emulation_type); - int kvm_emulate_instruction_from_buffer(struct kvm_vcpu *vcpu, -diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c -index 71b32e64e801..63c578e03f29 100644 ---- a/arch/x86/kvm/svm/svm.c -+++ b/arch/x86/kvm/svm/svm.c -@@ -369,6 +369,7 @@ static void svm_set_interrupt_shadow(struct kvm_vcpu *vcpu, int mask) - } - - static int __svm_skip_emulated_instruction(struct kvm_vcpu *vcpu, -+ int emul_type, - bool commit_side_effects) - { - struct vcpu_svm *svm = to_svm(vcpu); -@@ -390,7 +391,7 @@ static int __svm_skip_emulated_instruction(struct kvm_vcpu *vcpu, - if (unlikely(!commit_side_effects)) - old_rflags = svm->vmcb->save.rflags; - -- if (!kvm_emulate_instruction(vcpu, EMULTYPE_SKIP)) -+ if (!kvm_emulate_instruction(vcpu, emul_type)) - return 0; - - if (unlikely(!commit_side_effects)) -@@ -408,11 +409,13 @@ static int __svm_skip_emulated_instruction(struct kvm_vcpu *vcpu, - - static int svm_skip_emulated_instruction(struct kvm_vcpu *vcpu) - { -- return __svm_skip_emulated_instruction(vcpu, true); -+ return __svm_skip_emulated_instruction(vcpu, EMULTYPE_SKIP, true); - } - --static int svm_update_soft_interrupt_rip(struct kvm_vcpu *vcpu) -+static int svm_update_soft_interrupt_rip(struct kvm_vcpu *vcpu, u8 vector) - { -+ const int emul_type = EMULTYPE_SKIP | EMULTYPE_SKIP_SOFT_INT | -+ EMULTYPE_SET_SOFT_INT_VECTOR(vector); - unsigned long rip, old_rip = kvm_rip_read(vcpu); - struct vcpu_svm *svm = to_svm(vcpu); - -@@ -428,7 +431,7 @@ static int 
svm_update_soft_interrupt_rip(struct kvm_vcpu *vcpu) - * in use, the skip must not commit any side effects such as clearing - * the interrupt shadow or RFLAGS.RF. - */ -- if (!__svm_skip_emulated_instruction(vcpu, !nrips)) -+ if (!__svm_skip_emulated_instruction(vcpu, emul_type, !nrips)) - return -EIO; - - rip = kvm_rip_read(vcpu); -@@ -464,7 +467,7 @@ static void svm_inject_exception(struct kvm_vcpu *vcpu) - kvm_deliver_exception_payload(vcpu, ex); - - if (kvm_exception_is_soft(ex->vector) && -- svm_update_soft_interrupt_rip(vcpu)) -+ svm_update_soft_interrupt_rip(vcpu, ex->vector)) - return; - - svm->vmcb->control.event_inj = ex->vector -@@ -3743,11 +3746,12 @@ static bool svm_set_vnmi_pending(struct kvm_vcpu *vcpu) - - static void svm_inject_irq(struct kvm_vcpu *vcpu, bool reinjected) - { -+ struct kvm_queued_interrupt *intr = &vcpu->arch.interrupt; - struct vcpu_svm *svm = to_svm(vcpu); - u32 type; - -- if (vcpu->arch.interrupt.soft) { -- if (svm_update_soft_interrupt_rip(vcpu)) -+ if (intr->soft) { -+ if (svm_update_soft_interrupt_rip(vcpu, intr->nr)) - return; - - type = SVM_EVTINJ_TYPE_SOFT; -@@ -3755,12 +3759,10 @@ static void svm_inject_irq(struct kvm_vcpu *vcpu, bool reinjected) - type = SVM_EVTINJ_TYPE_INTR; - } - -- trace_kvm_inj_virq(vcpu->arch.interrupt.nr, -- vcpu->arch.interrupt.soft, reinjected); -+ trace_kvm_inj_virq(intr->nr, intr->soft, reinjected); - ++vcpu->stat.irq_injections; - -- svm->vmcb->control.event_inj = vcpu->arch.interrupt.nr | -- SVM_EVTINJ_VALID | type; -+ svm->vmcb->control.event_inj = intr->nr | SVM_EVTINJ_VALID | type; - } - - void svm_complete_interrupt_delivery(struct kvm_vcpu *vcpu, int delivery_mode, -diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c -index 20f89bceaeae..c12d7e28243d 100644 ---- a/arch/x86/kvm/x86.c -+++ b/arch/x86/kvm/x86.c -@@ -9055,6 +9055,23 @@ static bool is_vmware_backdoor_opcode(struct x86_emulate_ctxt *ctxt) - return false; - } - -+static bool is_soft_int_instruction(struct x86_emulate_ctxt 
*ctxt, -+ int emulation_type) -+{ -+ u8 vector = EMULTYPE_GET_SOFT_INT_VECTOR(emulation_type); -+ -+ switch (ctxt->b) { -+ case 0xcc: -+ return vector == BP_VECTOR; -+ case 0xcd: -+ return vector == ctxt->src.val; -+ case 0xce: -+ return vector == OF_VECTOR; -+ default: -+ return false; -+ } -+} -+ - /* - * Decode an instruction for emulation. The caller is responsible for handling - * code breakpoints. Note, manually detecting code breakpoints is unnecessary -@@ -9156,6 +9173,10 @@ int x86_emulate_instruction(struct kvm_vcpu *vcpu, gpa_t cr2_or_gpa, - * injecting single-step #DBs. - */ - if (emulation_type & EMULTYPE_SKIP) { -+ if (emulation_type & EMULTYPE_SKIP_SOFT_INT && -+ !is_soft_int_instruction(ctxt, emulation_type)) -+ return 0; -+ - if (ctxt->mode != X86EMUL_MODE_PROT64) - ctxt->eip = (u32)ctxt->_eip; - else --- -2.43.0 - diff --git a/SPECS/kernel-rt/CVE-2025-68261.patch b/SPECS/kernel-rt/CVE-2025-68261.patch deleted file mode 100644 index 94822cb858..0000000000 --- a/SPECS/kernel-rt/CVE-2025-68261.patch +++ /dev/null 
@@ -1,89 +0,0 @@ -From f367893e3dc76dfdd688dd87661c554cb8116b87 Mon Sep 17 00:00:00 2001 -From: Alexey Nepomnyashih -Date: Tue, 4 Nov 2025 09:33:25 +0000 -Subject: [PATCH 31/45] ext4: add i_data_sem protection in - ext4_destroy_inline_data_nolock() - -Fix a race between inline data destruction and block mapping. - -The function ext4_destroy_inline_data_nolock() changes the inode data -layout by clearing EXT4_INODE_INLINE_DATA and setting EXT4_INODE_EXTENTS. -At the same time, another thread may execute ext4_map_blocks(), which -tests EXT4_INODE_EXTENTS to decide whether to call ext4_ext_map_blocks() -or ext4_ind_map_blocks(). - -Without i_data_sem protection, ext4_ind_map_blocks() may receive inode -with EXT4_INODE_EXTENTS flag and triggering assert. - -kernel BUG at fs/ext4/indirect.c:546! -EXT4-fs (loop2): unmounting filesystem. -invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI -Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 -RIP: 0010:ext4_ind_map_blocks.cold+0x2b/0x5a fs/ext4/indirect.c:546 - -Call Trace: - - ext4_map_blocks+0xb9b/0x16f0 fs/ext4/inode.c:681 - _ext4_get_block+0x242/0x590 fs/ext4/inode.c:822 - ext4_block_write_begin+0x48b/0x12c0 fs/ext4/inode.c:1124 - ext4_write_begin+0x598/0xef0 fs/ext4/inode.c:1255 - ext4_da_write_begin+0x21e/0x9c0 fs/ext4/inode.c:3000 - generic_perform_write+0x259/0x5d0 mm/filemap.c:3846 - ext4_buffered_write_iter+0x15b/0x470 fs/ext4/file.c:285 - ext4_file_write_iter+0x8e0/0x17f0 fs/ext4/file.c:679 - call_write_iter include/linux/fs.h:2271 [inline] - do_iter_readv_writev+0x212/0x3c0 fs/read_write.c:735 - do_iter_write+0x186/0x710 fs/read_write.c:861 - vfs_iter_write+0x70/0xa0 fs/read_write.c:902 - iter_file_splice_write+0x73b/0xc90 fs/splice.c:685 - do_splice_from fs/splice.c:763 [inline] - direct_splice_actor+0x10f/0x170 fs/splice.c:950 - splice_direct_to_actor+0x33a/0xa10 fs/splice.c:896 - do_splice_direct+0x1a9/0x280 fs/splice.c:1002 - do_sendfile+0xb13/0x12c0 fs/read_write.c:1255 - 
__do_sys_sendfile64 fs/read_write.c:1323 [inline] - __se_sys_sendfile64 fs/read_write.c:1309 [inline] - __x64_sys_sendfile64+0x1cf/0x210 fs/read_write.c:1309 - do_syscall_x64 arch/x86/entry/common.c:51 [inline] - do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81 - entry_SYSCALL_64_after_hwframe+0x6e/0xd8 - -Fixes: c755e251357a ("ext4: fix deadlock between inline_data and ext4_expand_extra_isize_ea()") -Cc: stable@vger.kernel.org # v4.11+ -Signed-off-by: Alexey Nepomnyashih -Message-ID: <20251104093326.697381-1-sdl@nppct.ru> -Signed-off-by: Theodore Ts'o ---- - fs/ext4/inline.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c -index 9fb5e0f172a7..b55a2164bc51 100644 ---- a/fs/ext4/inline.c -+++ b/fs/ext4/inline.c -@@ -441,9 +441,13 @@ static int ext4_destroy_inline_data_nolock(handle_t *handle, - if (!ei->i_inline_off) - return 0; - -+ down_write(&ei->i_data_sem); -+ - error = ext4_get_inode_loc(inode, &is.iloc); -- if (error) -+ if (error) { -+ up_write(&ei->i_data_sem); - return error; -+ } - - error = ext4_xattr_ibody_find(inode, &i, &is); - if (error) -@@ -482,6 +486,7 @@ static int ext4_destroy_inline_data_nolock(handle_t *handle, - brelse(is.iloc.bh); - if (error == -ENODATA) - error = 0; -+ up_write(&ei->i_data_sem); - return error; - } - --- -2.43.0 - diff --git a/SPECS/kernel-rt/CVE-2025-68263.patch b/SPECS/kernel-rt/CVE-2025-68263.patch deleted file mode 100644 index 9f23a2fd3b..0000000000 --- a/SPECS/kernel-rt/CVE-2025-68263.patch +++ /dev/null 
@@ -1,80 +0,0 @@
-From a9fa20ba33df3cb40398808b89a7ceacbcc718d4 Mon Sep 17 00:00:00 2001
-From: Qianchang Zhao
-Date: Wed, 26 Nov 2025 12:24:18 +0900
-Subject: [PATCH 32/45] ksmbd: ipc: fix use-after-free in ipc_msg_send_request
-
-ipc_msg_send_request() waits for a generic netlink reply using an
-ipc_msg_table_entry on the stack. The generic netlink handler
-(handle_generic_event()/handle_response()) fills entry->response under
-ipc_msg_table_lock, but ipc_msg_send_request() used to validate and free
-entry->response without holding the same lock.
-
-Under high concurrency this allows a race where handle_response() is
-copying data into entry->response while ipc_msg_send_request() has just
-freed it, leading to a slab-use-after-free reported by KASAN in
-handle_generic_event():
-
- BUG: KASAN: slab-use-after-free in handle_generic_event+0x3c4/0x5f0 [ksmbd]
- Write of size 12 at addr ffff888198ee6e20 by task pool/109349
- ...
- Freed by task:
- kvfree
- ipc_msg_send_request [ksmbd]
- ksmbd_rpc_open -> ksmbd_session_rpc_open [ksmbd]
-
-Fix by:
-- Taking ipc_msg_table_lock in ipc_msg_send_request() while validating
- entry->response, freeing it when invalid, and removing the entry from
- ipc_msg_table.
-- Returning the final entry->response pointer to the caller only after
- the hash entry is removed under the lock.
-- Returning NULL in the error path, preserving the original API
- semantics.
-
-This makes all accesses to entry->response consistent with
-handle_response(), which already updates and fills the response buffer
-under ipc_msg_table_lock, and closes the race that allowed the UAF.
-
-Cc: stable@vger.kernel.org
-Reported-by: Qianchang Zhao
-Reported-by: Zhitong Liu
-Signed-off-by: Qianchang Zhao
-Acked-by: Namjae Jeon
-Signed-off-by: Steve French
----
- fs/smb/server/transport_ipc.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/fs/smb/server/transport_ipc.c b/fs/smb/server/transport_ipc.c
-index ce5c50ac987c..52a71775b38e 100644
---- a/fs/smb/server/transport_ipc.c
-+++ b/fs/smb/server/transport_ipc.c
-@@ -553,12 +553,16 @@ static void *ipc_msg_send_request(struct ksmbd_ipc_msg *msg, unsigned int handle
- up_write(&ipc_msg_table_lock);
-
- ret = ipc_msg_send(msg);
-- if (ret)
-+ if (ret) {
-+ down_write(&ipc_msg_table_lock);
- goto out;
-+ }
-
- ret = wait_event_interruptible_timeout(entry.wait,
- entry.response != NULL,
- IPC_WAIT_TIMEOUT);
-+
-+ down_write(&ipc_msg_table_lock);
- if (entry.response) {
- ret = ipc_validate_msg(&entry);
- if (ret) {
-@@ -567,7 +571,6 @@ static void *ipc_msg_send_request(struct ksmbd_ipc_msg *msg, unsigned int handle
- }
- }
- out:
-- down_write(&ipc_msg_table_lock);
- hash_del(&entry.ipc_table_hlist);
- up_write(&ipc_msg_table_lock);
- return entry.response;
---
-2.43.0
-
diff --git a/SPECS/kernel-rt/CVE-2025-68264.patch b/SPECS/kernel-rt/CVE-2025-68264.patch
deleted file mode 100644
index a07b94601d..0000000000
--- a/SPECS/kernel-rt/CVE-2025-68264.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From 4dc41f5497bec7ddc8f4dd61f44834065115af20 Mon Sep 17 00:00:00 2001
-From: Deepanshu Kartikey
-Date: Mon, 20 Oct 2025 11:39:36 +0530
-Subject: [PATCH 33/45] ext4: refresh inline data size before write operations
-
-The cached ei->i_inline_size can become stale between the initial size
-check and when ext4_update_inline_data()/ext4_create_inline_data() use
-it. Although ext4_get_max_inline_size() reads the correct value at the
-time of the check, concurrent xattr operations can modify i_inline_size
-before ext4_write_lock_xattr() is acquired.
-
-This causes ext4_update_inline_data() and ext4_create_inline_data() to
-work with stale capacity values, leading to a BUG_ON() crash in
-ext4_write_inline_data():
-
- kernel BUG at fs/ext4/inline.c:1331!
- BUG_ON(pos + len > EXT4_I(inode)->i_inline_size);
-
-The race window:
-1. ext4_get_max_inline_size() reads i_inline_size = 60 (correct)
-2. Size check passes for 50-byte write
-3. [Another thread adds xattr, i_inline_size changes to 40]
-4. ext4_write_lock_xattr() acquires lock
-5. ext4_update_inline_data() uses stale i_inline_size = 60
-6. Attempts to write 50 bytes but only 40 bytes actually available
-7. BUG_ON() triggers
-
-Fix this by recalculating i_inline_size via ext4_find_inline_data_nolock()
-immediately after acquiring xattr_sem. This ensures ext4_update_inline_data()
-and ext4_create_inline_data() work with current values that are protected
-from concurrent modifications.
-
-This is similar to commit a54c4613dac1 ("ext4: fix race writing to an
-inline_data file while its xattrs are changing") which fixed i_inline_off
-staleness. This patch addresses the related i_inline_size staleness issue.
-
-Reported-by: syzbot+f3185be57d7e8dda32b8@syzkaller.appspotmail.com
-Link: https://syzkaller.appspot.com/bug?extid=f3185be57d7e8dda32b8
-Cc: stable@kernel.org
-Signed-off-by: Deepanshu Kartikey
-Message-ID: <20251020060936.474314-1-kartikey406@gmail.com>
-Signed-off-by: Theodore Ts'o
----
- fs/ext4/inline.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
-index b55a2164bc51..bb0e46130beb 100644
---- a/fs/ext4/inline.c
-+++ b/fs/ext4/inline.c
-@@ -413,7 +413,12 @@ static int ext4_prepare_inline_data(handle_t *handle, struct inode *inode,
- return -ENOSPC;
-
- ext4_write_lock_xattr(inode, &no_expand);
--
-+ /*
-+ * ei->i_inline_size may have changed since the initial check
-+ * if other xattrs were added. Recalculate to ensure
-+ * ext4_update_inline_data() validates against current capacity.
-+ */
-+ (void) ext4_find_inline_data_nolock(inode);
- if (ei->i_inline_off)
- ret = ext4_update_inline_data(handle, inode, len);
- else
---
-2.43.0
-
diff --git a/SPECS/kernel-rt/CVE-2025-68265.patch b/SPECS/kernel-rt/CVE-2025-68265.patch
deleted file mode 100644
index 5780fa1fad..0000000000
--- a/SPECS/kernel-rt/CVE-2025-68265.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-From 6aefffa086d02a1e805cb70981122297dae278b3 Mon Sep 17 00:00:00 2001
-From: Keith Busch
-Date: Tue, 4 Nov 2025 14:48:30 -0800
-Subject: [PATCH 34/45] nvme: fix admin request_queue lifetime
-
-The namespaces can access the controller's admin request_queue, and
-stale references on the namespaces may exist after tearing down the
-controller. Ensure the admin request_queue is active by moving the
-controller's 'put' to after all controller references have been released
-to ensure no one is can access the request_queue. This fixes a reported
-use-after-free bug:
-
- BUG: KASAN: slab-use-after-free in blk_queue_enter+0x41c/0x4a0
- Read of size 8 at addr ffff88c0a53819f8 by task nvme/3287
- CPU: 67 UID: 0 PID: 3287 Comm: nvme Tainted: G E 6.13.2-ga1582f1a031e #15
- Tainted: [E]=UNSIGNED_MODULE
- Hardware name: Jabil /EGS 2S MB1, BIOS 1.00 06/18/2025
- Call Trace:
-
- dump_stack_lvl+0x4f/0x60
- print_report+0xc4/0x620
- ? _raw_spin_lock_irqsave+0x70/0xb0
- ? _raw_read_unlock_irqrestore+0x30/0x30
- ? blk_queue_enter+0x41c/0x4a0
- kasan_report+0xab/0xe0
- ? blk_queue_enter+0x41c/0x4a0
- blk_queue_enter+0x41c/0x4a0
- ? __irq_work_queue_local+0x75/0x1d0
- ? blk_queue_start_drain+0x70/0x70
- ? irq_work_queue+0x18/0x20
- ? vprintk_emit.part.0+0x1cc/0x350
- ? wake_up_klogd_work_func+0x60/0x60
- blk_mq_alloc_request+0x2b7/0x6b0
- ? __blk_mq_alloc_requests+0x1060/0x1060
- ? __switch_to+0x5b7/0x1060
- nvme_submit_user_cmd+0xa9/0x330
- nvme_user_cmd.isra.0+0x240/0x3f0
- ? force_sigsegv+0xe0/0xe0
- ? nvme_user_cmd64+0x400/0x400
- ? vfs_fileattr_set+0x9b0/0x9b0
- ? cgroup_update_frozen_flag+0x24/0x1c0
- ? cgroup_leave_frozen+0x204/0x330
- ? nvme_ioctl+0x7c/0x2c0
- blkdev_ioctl+0x1a8/0x4d0
- ? blkdev_common_ioctl+0x1930/0x1930
- ? fdget+0x54/0x380
- __x64_sys_ioctl+0x129/0x190
- do_syscall_64+0x5b/0x160
- entry_SYSCALL_64_after_hwframe+0x4b/0x53
- RIP: 0033:0x7f765f703b0b
- Code: ff ff ff 85 c0 79 9b 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d dd 52 0f 00 f7 d8 64 89 01 48
- RSP: 002b:00007ffe2cefe808 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
- RAX: ffffffffffffffda RBX: 00007ffe2cefe860 RCX: 00007f765f703b0b
- RDX: 00007ffe2cefe860 RSI: 00000000c0484e41 RDI: 0000000000000003
- RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000000
- R10: 00007f765f611d50 R11: 0000000000000202 R12: 0000000000000003
- R13: 00000000c0484e41 R14: 0000000000000001 R15: 00007ffe2cefea60
-
-
-Reported-by: Casey Chen
-Reviewed-by: Christoph Hellwig
-Reviewed-by: Hannes Reinecke
-Reviewed-by: Ming Lei
-Reviewed-by: Chaitanya Kulkarni
-Signed-off-by: Keith Busch
----
- drivers/nvme/host/core.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
-index a3b9f8ea235f..a766290b1ee8 100644
---- a/drivers/nvme/host/core.c
-+++ b/drivers/nvme/host/core.c
-@@ -4645,7 +4645,6 @@ void nvme_remove_admin_tag_set(struct nvme_ctrl *ctrl)
- */
- nvme_stop_keep_alive(ctrl);
- blk_mq_destroy_queue(ctrl->admin_q);
-- blk_put_queue(ctrl->admin_q);
- if (ctrl->ops->flags & NVME_F_FABRICS) {
- blk_mq_destroy_queue(ctrl->fabrics_q);
- blk_put_queue(ctrl->fabrics_q);
-@@ -4790,6 +4789,8 @@ static void nvme_free_ctrl(struct device *dev)
- container_of(dev, struct nvme_ctrl, ctrl_device);
- struct nvme_subsystem *subsys = ctrl->subsys;
-
-+ if (ctrl->admin_q)
-+ blk_put_queue(ctrl->admin_q);
- if (!subsys || ctrl->instance != subsys->instance)
- ida_free(&nvme_instance_ida, ctrl->instance);
- nvme_free_cels(ctrl);
---
-2.43.0
-
diff --git a/SPECS/kernel-rt/CVE-2025-68336.patch b/SPECS/kernel-rt/CVE-2025-68336.patch
deleted file mode 100644
index c33925269c..0000000000
--- a/SPECS/kernel-rt/CVE-2025-68336.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From f04fb07e5331f910b2fbf9a8227ff6bd75b2b11a Mon Sep 17 00:00:00 2001
-From: Alexander Sverdlin
-Date: Fri, 19 Sep 2025 11:12:38 +0200
-Subject: [PATCH 37/45] locking/spinlock/debug: Fix data-race in
- do_raw_write_lock
-
-KCSAN reports:
-
-BUG: KCSAN: data-race in do_raw_write_lock / do_raw_write_lock
-
-write (marked) to 0xffff800009cf504c of 4 bytes by task 1102 on cpu 1:
- do_raw_write_lock+0x120/0x204
- _raw_write_lock_irq
- do_exit
- call_usermodehelper_exec_async
- ret_from_fork
-
-read to 0xffff800009cf504c of 4 bytes by task 1103 on cpu 0:
- do_raw_write_lock+0x88/0x204
- _raw_write_lock_irq
- do_exit
- call_usermodehelper_exec_async
- ret_from_fork
-
-value changed: 0xffffffff -> 0x00000001
-
-Reported by Kernel Concurrency Sanitizer on:
-CPU: 0 PID: 1103 Comm: kworker/u4:1 6.1.111
-
-Commit 1a365e822372 ("locking/spinlock/debug: Fix various data races") has
-adressed most of these races, but seems to be not consistent/not complete.
-
->From do_raw_write_lock() only debug_write_lock_after() part has been
-converted to WRITE_ONCE(), but not debug_write_lock_before() part.
-Do it now.
-
-Fixes: 1a365e822372 ("locking/spinlock/debug: Fix various data races")
-Reported-by: Adrian Freihofer
-Signed-off-by: Alexander Sverdlin
-Signed-off-by: Boqun Feng
-Signed-off-by: Peter Zijlstra (Intel)
-Reviewed-by: Paul E. McKenney
-Acked-by: Waiman Long
-Cc: stable@vger.kernel.org
----
- kernel/locking/spinlock_debug.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/kernel/locking/spinlock_debug.c b/kernel/locking/spinlock_debug.c
-index 87b03d2e41db..2338b3adfb55 100644
---- a/kernel/locking/spinlock_debug.c
-+++ b/kernel/locking/spinlock_debug.c
-@@ -184,8 +184,8 @@ void do_raw_read_unlock(rwlock_t *lock)
- static inline void debug_write_lock_before(rwlock_t *lock)
- {
- RWLOCK_BUG_ON(lock->magic != RWLOCK_MAGIC, lock, "bad magic");
-- RWLOCK_BUG_ON(lock->owner == current, lock, "recursion");
-- RWLOCK_BUG_ON(lock->owner_cpu == raw_smp_processor_id(),
-+ RWLOCK_BUG_ON(READ_ONCE(lock->owner) == current, lock, "recursion");
-+ RWLOCK_BUG_ON(READ_ONCE(lock->owner_cpu) == raw_smp_processor_id(),
- lock, "cpu recursion");
- }
-
---
-2.43.0
-
diff --git a/SPECS/kernel-rt/CVE-2025-68337.patch b/SPECS/kernel-rt/CVE-2025-68337.patch
deleted file mode 100644
index 1b37caccae..0000000000
--- a/SPECS/kernel-rt/CVE-2025-68337.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-From 67ef76dbc92035768b6ece6630bfb464b6205315 Mon Sep 17 00:00:00 2001
-From: Ye Bin
-Date: Sat, 25 Oct 2025 15:26:57 +0800
-Subject: [PATCH 23/45] jbd2: avoid bug_on in jbd2_journal_get_create_access()
- when file system corrupted
-
-There's issue when file system corrupted:
-------------[ cut here ]------------
-kernel BUG at fs/jbd2/transaction.c:1289!
-Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
-CPU: 5 UID: 0 PID: 2031 Comm: mkdir Not tainted 6.18.0-rc1-next
-RIP: 0010:jbd2_journal_get_create_access+0x3b6/0x4d0
-RSP: 0018:ffff888117aafa30 EFLAGS: 00010202
-RAX: 0000000000000000 RBX: ffff88811a86b000 RCX: ffffffff89a63534
-RDX: 1ffff110200ec602 RSI: 0000000000000004 RDI: ffff888100763010
-RBP: ffff888100763000 R08: 0000000000000001 R09: ffff888100763028
-R10: 0000000000000003 R11: 0000000000000000 R12: 0000000000000000
-R13: ffff88812c432000 R14: ffff88812c608000 R15: ffff888120bfc000
-CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
-CR2: 00007f91d6970c99 CR3: 00000001159c4000 CR4: 00000000000006f0
-Call Trace:
-
- __ext4_journal_get_create_access+0x42/0x170
- ext4_getblk+0x319/0x6f0
- ext4_bread+0x11/0x100
- ext4_append+0x1e6/0x4a0
- ext4_init_new_dir+0x145/0x1d0
- ext4_mkdir+0x326/0x920
- vfs_mkdir+0x45c/0x740
- do_mkdirat+0x234/0x2f0
- __x64_sys_mkdir+0xd6/0x120
- do_syscall_64+0x5f/0xfa0
- entry_SYSCALL_64_after_hwframe+0x76/0x7e
-
-The above issue occurs with us in errors=continue mode when accompanied by
-storage failures. There have been many inconsistencies in the file system
-data.
-In the case of file system data inconsistency, for example, if the block
-bitmap of a referenced block is not set, it can lead to the situation where
-a block being committed is allocated and used again. As a result, the
-following condition will not be satisfied then trigger BUG_ON. Of course,
-it is entirely possible to construct a problematic image that can trigger
-this BUG_ON through specific operations. In fact, I have constructed such
-an image and easily reproduced this issue.
-Therefore, J_ASSERT() holds true only under ideal conditions, but it may
-not necessarily be satisfied in exceptional scenarios. Using J_ASSERT()
-directly in abnormal situations would cause the system to crash, which is
-clearly not what we want. So here we directly trigger a JBD abort instead
-of immediately invoking BUG_ON.
-
-Fixes: 470decc613ab ("[PATCH] jbd2: initial copy of files from jbd")
-Signed-off-by: Ye Bin
-Reviewed-by: Jan Kara
-Message-ID: <20251025072657.307851-1-yebin@huaweicloud.com>
-Signed-off-by: Theodore Ts'o
-Cc: stable@kernel.org
----
- fs/jbd2/transaction.c | 19 ++++++++++++++-----
- 1 file changed, 14 insertions(+), 5 deletions(-)
-
-diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c
-index ae43920ce395..c50bec6e5405 100644
---- a/fs/jbd2/transaction.c
-+++ b/fs/jbd2/transaction.c
-@@ -1288,14 +1288,23 @@ int jbd2_journal_get_create_access(handle_t *handle, struct buffer_head *bh)
- * committing transaction's lists, but it HAS to be in Forget state in
- * that case: the transaction must have deleted the buffer for it to be
- * reused here.
-+ * In the case of file system data inconsistency, for example, if the
-+ * block bitmap of a referenced block is not set, it can lead to the
-+ * situation where a block being committed is allocated and used again.
-+ * As a result, the following condition will not be satisfied, so here
-+ * we directly trigger a JBD abort instead of immediately invoking
-+ * bugon.
- */
- spin_lock(&jh->b_state_lock);
-- J_ASSERT_JH(jh, (jh->b_transaction == transaction ||
-- jh->b_transaction == NULL ||
-- (jh->b_transaction == journal->j_committing_transaction &&
-- jh->b_jlist == BJ_Forget)));
-+ if (!(jh->b_transaction == transaction || jh->b_transaction == NULL ||
-+ (jh->b_transaction == journal->j_committing_transaction &&
-+ jh->b_jlist == BJ_Forget)) || jh->b_next_transaction != NULL) {
-+ err = -EROFS;
-+ spin_unlock(&jh->b_state_lock);
-+ jbd2_journal_abort(journal, err);
-+ goto out;
-+ }
-
-- J_ASSERT_JH(jh, jh->b_next_transaction == NULL);
- J_ASSERT_JH(jh, buffer_locked(jh2bh(jh)));
-
- if (jh->b_transaction == NULL) {
---
-2.43.0
-
diff --git a/SPECS/kernel-rt/CVE-2025-68345.patch b/SPECS/kernel-rt/CVE-2025-68345.patch
deleted file mode 100644
index b403a0ebde..0000000000
--- a/SPECS/kernel-rt/CVE-2025-68345.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From d5081978b1413ec030fd8d3f70bda55b1abdc3d2 Mon Sep 17 00:00:00 2001
-From: Denis Arefev
-Date: Tue, 2 Dec 2025 13:13:36 +0300
-Subject: [PATCH 24/45] ALSA: hda: cs35l41: Fix NULL pointer dereference in
- cs35l41_hda_read_acpi()
-
-The acpi_get_first_physical_node() function can return NULL, in which
-case the get_device() function also returns NULL, but this value is
-then dereferenced without checking,so add a check to prevent a crash.
-
-Found by Linux Verification Center (linuxtesting.org) with SVACE.
-
-Fixes: 7b2f3eb492da ("ALSA: hda: cs35l41: Add support for CS35L41 in HDA systems")
-Cc: stable@vger.kernel.org
-Signed-off-by: Denis Arefev
-Reviewed-by: Richard Fitzgerald
-Signed-off-by: Takashi Iwai
-Link: https://patch.msgid.link/20251202101338.11437-1-arefev@swemel.ru
----
- sound/pci/hda/cs35l41_hda.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/sound/pci/hda/cs35l41_hda.c b/sound/pci/hda/cs35l41_hda.c
-index d68bf7591d90..e115b9bd7ce3 100644
---- a/sound/pci/hda/cs35l41_hda.c
-+++ b/sound/pci/hda/cs35l41_hda.c
-@@ -1865,6 +1865,8 @@ static int cs35l41_hda_read_acpi(struct cs35l41_hda *cs35l41, const char *hid, i
-
- cs35l41->dacpi = adev;
- physdev = get_device(acpi_get_first_physical_node(adev));
-+ if (!physdev)
-+ return -ENODEV;
-
- sub = acpi_get_subsystem_id(ACPI_HANDLE(physdev));
- if (IS_ERR(sub))
---
-2.43.0
-
diff --git a/SPECS/kernel-rt/CVE-2025-68346.patch b/SPECS/kernel-rt/CVE-2025-68346.patch
deleted file mode 100644
index bb6987befc..0000000000
--- a/SPECS/kernel-rt/CVE-2025-68346.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 35eb53a983da639e00dfa708326d9dd0b0cfaad1 Mon Sep 17 00:00:00 2001
-From: Junrui Luo
-Date: Fri, 28 Nov 2025 12:06:31 +0800
-Subject: [PATCH 25/45] ALSA: dice: fix buffer overflow in
- detect_stream_formats()
-
-The function detect_stream_formats() reads the stream_count value directly
-from a FireWire device without validating it. This can lead to
-out-of-bounds writes when a malicious device provides a stream_count value
-greater than MAX_STREAMS.
-
-Fix by applying the same validation to both TX and RX stream counts in
-detect_stream_formats().
-
-Reported-by: Yuhao Jiang
-Reported-by: Junrui Luo
-Fixes: 58579c056c1c ("ALSA: dice: use extended protocol to detect available stream formats")
-Cc: stable@vger.kernel.org
-Reviewed-by: Takashi Sakamoto
-Signed-off-by: Junrui Luo
-Link: https://patch.msgid.link/SYBPR01MB7881B043FC68B4C0DA40B73DAFDCA@SYBPR01MB7881.ausprd01.prod.outlook.com
-Signed-off-by: Takashi Iwai
----
- sound/firewire/dice/dice-extension.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/sound/firewire/dice/dice-extension.c b/sound/firewire/dice/dice-extension.c
-index 02f4a8318e38..48bfb3ad93ce 100644
---- a/sound/firewire/dice/dice-extension.c
-+++ b/sound/firewire/dice/dice-extension.c
-@@ -116,7 +116,7 @@ static int detect_stream_formats(struct snd_dice *dice, u64 section_addr)
- break;
-
- base_offset += EXT_APP_STREAM_ENTRIES;
-- stream_count = be32_to_cpu(reg[0]);
-+ stream_count = min_t(unsigned int, be32_to_cpu(reg[0]), MAX_STREAMS);
- err = read_stream_entries(dice, section_addr, base_offset,
- stream_count, mode,
- dice->tx_pcm_chs,
-@@ -125,7 +125,7 @@ static int detect_stream_formats(struct snd_dice *dice, u64 section_addr)
- break;
-
- base_offset += stream_count * EXT_APP_STREAM_ENTRY_SIZE;
-- stream_count = be32_to_cpu(reg[1]);
-+ stream_count = min_t(unsigned int, be32_to_cpu(reg[1]), MAX_STREAMS);
- err = read_stream_entries(dice, section_addr, base_offset,
- stream_count,
- mode, dice->rx_pcm_chs,
---
-2.43.0
-
diff --git a/SPECS/kernel-rt/CVE-2025-68347.patch b/SPECS/kernel-rt/CVE-2025-68347.patch
deleted file mode 100644
index fa285cac61..0000000000
--- a/SPECS/kernel-rt/CVE-2025-68347.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From c009107b13a633f42c9275010a760a0f4b3a6d25 Mon Sep 17 00:00:00 2001
-From: Junrui Luo
-Date: Wed, 3 Dec 2025 12:27:03 +0800
-Subject: [PATCH 26/45] ALSA: firewire-motu: fix buffer overflow in hwdep read
- for DSP events
-
-The DSP event handling code in hwdep_read() could write more bytes to
-the user buffer than requested, when a user provides a buffer smaller
-than the event header size (8 bytes).
-
-Fix by using min_t() to clamp the copy size, This ensures we never copy
-more than the user requested.
-
-Reported-by: Yuhao Jiang
-Reported-by: Junrui Luo
-Fixes: 634ec0b2906e ("ALSA: firewire-motu: notify event for parameter change in register DSP model")
-Signed-off-by: Junrui Luo
-Link: https://patch.msgid.link/SYBPR01MB78810656377E79E58350D951AFD9A@SYBPR01MB7881.ausprd01.prod.outlook.com
-Signed-off-by: Takashi Iwai
----
- sound/firewire/motu/motu-hwdep.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/sound/firewire/motu/motu-hwdep.c b/sound/firewire/motu/motu-hwdep.c
-index a220ac0c8eb8..28885c8004ae 100644
---- a/sound/firewire/motu/motu-hwdep.c
-+++ b/sound/firewire/motu/motu-hwdep.c
-@@ -83,10 +83,11 @@ static long hwdep_read(struct snd_hwdep *hwdep, char __user *buf, long count,
- event.motu_register_dsp_change.type = SNDRV_FIREWIRE_EVENT_MOTU_REGISTER_DSP_CHANGE;
- event.motu_register_dsp_change.count =
- (consumed - sizeof(event.motu_register_dsp_change)) / 4;
-- if (copy_to_user(buf, &event, sizeof(event.motu_register_dsp_change)))
-+ if (copy_to_user(buf, &event,
-+ min_t(long, count, sizeof(event.motu_register_dsp_change))))
- return -EFAULT;
-
-- count = consumed;
-+ count = min_t(long, count, consumed);
- } else {
- spin_unlock_irq(&motu->lock);
-
---
-2.43.0
-
diff --git a/SPECS/kernel-rt/CVE-2025-68348.patch b/SPECS/kernel-rt/CVE-2025-68348.patch
deleted file mode 100644
index 93cdf48a82..0000000000
--- a/SPECS/kernel-rt/CVE-2025-68348.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 7575abdc01cb9eb49e136aac91d64e57c77ac3ad Mon Sep 17 00:00:00 2001
-From: Shaurya Rane
-Date: Thu, 4 Dec 2025 23:42:59 +0530
-Subject: [PATCH 27/45] block: fix memory leak in __blkdev_issue_zero_pages
-
-Move the fatal signal check before bio_alloc() to prevent a memory
-leak when BLKDEV_ZERO_KILLABLE is set and a fatal signal is pending.
-
-Previously, the bio was allocated before checking for a fatal signal.
-If a signal was pending, the code would break out of the loop without
-freeing or chaining the just-allocated bio, causing a memory leak.
-
-This matches the pattern already used in __blkdev_issue_write_zeroes()
-where the signal check precedes the allocation.
-
-Fixes: bf86bcdb4012 ("blk-lib: check for kill signal in ioctl BLKZEROOUT")
-Reported-by: syzbot+527a7e48a3d3d315d862@syzkaller.appspotmail.com
-Closes: https://syzkaller.appspot.com/bug?extid=527a7e48a3d3d315d862
-Signed-off-by: Shaurya Rane
-Reviewed-by: Keith Busch
-Tested-by: syzbot+527a7e48a3d3d315d862@syzkaller.appspotmail.com
-Signed-off-by: Jens Axboe
----
- block/blk-lib.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/block/blk-lib.c b/block/blk-lib.c
-index 4c9f20a689f7..8cb2987db786 100644
---- a/block/blk-lib.c
-+++ b/block/blk-lib.c
-@@ -200,13 +200,13 @@ static void __blkdev_issue_zero_pages(struct block_device *bdev,
- unsigned int nr_vecs = __blkdev_sectors_to_bio_pages(nr_sects);
- struct bio *bio;
-
-- bio = bio_alloc(bdev, nr_vecs, REQ_OP_WRITE, gfp_mask);
-- bio->bi_iter.bi_sector = sector;
--
- if ((flags & BLKDEV_ZERO_KILLABLE) &&
- fatal_signal_pending(current))
- break;
-
-+ bio = bio_alloc(bdev, nr_vecs, REQ_OP_WRITE, gfp_mask);
-+ bio->bi_iter.bi_sector = sector;
-+
- do {
- unsigned int len, added;
-
---
-2.43.0
-
diff --git a/SPECS/kernel-rt/CVE-2025-68349.patch b/SPECS/kernel-rt/CVE-2025-68349.patch
deleted file mode 100644
index 15987860e5..0000000000
--- a/SPECS/kernel-rt/CVE-2025-68349.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 4d64351a8725f3d7b6afaadbaee18204b97313ca Mon Sep 17 00:00:00 2001
-From: Jonathan Curley
-Date: Wed, 12 Nov 2025 18:02:42 +0000
-Subject: [PATCH 28/45] NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in
- pnfs_mark_layout_stateid_invalid
-
-Fixes a crash when layout is null during this call stack:
-
-write_inode
- -> nfs4_write_inode
- -> pnfs_layoutcommit_inode
-
-pnfs_set_layoutcommit relies on the lseg refcount to keep the layout
-around. Need to clear NFS_INO_LAYOUTCOMMIT otherwise we might attempt
-to reference a null layout.
-
-Fixes: fe1cf9469d7bc ("pNFS: Clear all layout segment state in pnfs_mark_layout_stateid_invalid")
-Signed-off-by: Jonathan Curley
-Signed-off-by: Trond Myklebust
----
- fs/nfs/pnfs.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c
-index 89d49dd3978f..7a742bcff687 100644
---- a/fs/nfs/pnfs.c
-+++ b/fs/nfs/pnfs.c
-@@ -466,6 +466,7 @@ pnfs_mark_layout_stateid_invalid(struct pnfs_layout_hdr *lo,
- struct pnfs_layout_segment *lseg, *next;
-
- set_bit(NFS_LAYOUT_INVALID_STID, &lo->plh_flags);
-+ clear_bit(NFS_INO_LAYOUTCOMMIT, &NFS_I(lo->plh_inode)->flags);
- list_for_each_entry_safe(lseg, next, &lo->plh_segs, pls_list)
- pnfs_clear_lseg_state(lseg, lseg_list);
- pnfs_clear_layoutreturn_info(lo);
---
-2.43.0
-
diff --git a/SPECS/kernel-rt/CVE-2025-68354.patch b/SPECS/kernel-rt/CVE-2025-68354.patch
deleted file mode 100644
index 6faa938a20..0000000000
--- a/SPECS/kernel-rt/CVE-2025-68354.patch
+++ /dev/null
@@ -1,103 +0,0 @@
-From 708fd3a48f6cafdce6c0c305a84bd3ceae9677b2 Mon Sep 17 00:00:00 2001
-From: sparkhuang
-Date: Thu, 27 Nov 2025 10:57:16 +0800
-Subject: [PATCH 12/45] regulator: core: Protect regulator_supply_alias_list
- with regulator_list_mutex
-
-regulator_supply_alias_list was accessed without any locking in
-regulator_supply_alias(), regulator_register_supply_alias(), and
-regulator_unregister_supply_alias(). Concurrent registration,
-unregistration and lookups can race, leading to:
-
-1 use-after-free if an alias entry is removed while being read,
-2 duplicate entries when two threads register the same alias,
-3 inconsistent alias mappings observed by consumers.
-
-Protect all traversals, insertions and deletions on
-regulator_supply_alias_list with the existing regulator_list_mutex.
-
-Fixes: a06ccd9c3785f ("regulator: core: Add ability to create a lookup alias for supply")
-Signed-off-by: sparkhuang
-Reviewed-by: Charles Keepax
-Link: https://patch.msgid.link/20251127025716.5440-1-huangshaobo3@xiaomi.com
-Signed-off-by: Mark Brown
----
- drivers/regulator/core.c | 32 ++++++++++++++++++++------------
- 1 file changed, 20 insertions(+), 12 deletions(-)
-
-diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
-index e7f2a8b65947..af0f5f8a3404 100644
---- a/drivers/regulator/core.c
-+++ b/drivers/regulator/core.c
-@@ -1909,6 +1909,7 @@ static void regulator_supply_alias(struct device **dev, const char **supply)
- {
- struct regulator_supply_alias *map;
-
-+ mutex_lock(®ulator_list_mutex);
- map = regulator_find_supply_alias(*dev, *supply);
- if (map) {
- dev_dbg(*dev, "Mapping supply %s to %s,%s\n",
-@@ -1917,6 +1918,7 @@ static void regulator_supply_alias(struct device **dev, const char **supply)
- *dev = map->alias_dev;
- *supply = map->alias_supply;
- }
-+ mutex_unlock(®ulator_list_mutex);
- }
-
- static int regulator_match(struct device *dev, const void *data)
-@@ -2437,22 +2439,26 @@ int regulator_register_supply_alias(struct device *dev, const char *id,
- const char *alias_id)
- {
- struct regulator_supply_alias *map;
-+ struct regulator_supply_alias *new_map;
-
-- map = regulator_find_supply_alias(dev, id);
-- if (map)
-- return -EEXIST;
--
-- map = kzalloc(sizeof(struct regulator_supply_alias), GFP_KERNEL);
-- if (!map)
-+ new_map = kzalloc(sizeof(struct regulator_supply_alias), GFP_KERNEL);
-+ if (!new_map)
- return -ENOMEM;
-
-- map->src_dev = dev;
-- map->src_supply = id;
-- map->alias_dev = alias_dev;
-- map->alias_supply = alias_id;
--
-- list_add(&map->list, ®ulator_supply_alias_list);
-+ mutex_lock(®ulator_list_mutex);
-+ map = regulator_find_supply_alias(dev, id);
-+ if (map) {
-+ mutex_unlock(®ulator_list_mutex);
-+ kfree(new_map);
-+ return -EEXIST;
-+ }
-
-+ new_map->src_dev = dev;
-+ new_map->src_supply = id;
-+ new_map->alias_dev = alias_dev;
-+ new_map->alias_supply = alias_id;
-+ list_add(&new_map->list, ®ulator_supply_alias_list);
-+ mutex_unlock(®ulator_list_mutex);
- pr_info("Adding alias for supply %s,%s -> %s,%s\n",
- id, dev_name(dev), alias_id, dev_name(alias_dev));
-
-@@ -2472,11 +2478,13 @@ void regulator_unregister_supply_alias(struct device *dev, const char *id)
- {
- struct regulator_supply_alias *map;
-
-+ mutex_lock(®ulator_list_mutex);
- map = regulator_find_supply_alias(dev, id);
- if (map) {
- list_del(&map->list);
- kfree(map);
- }
-+ mutex_unlock(®ulator_list_mutex);
- }
- EXPORT_SYMBOL_GPL(regulator_unregister_supply_alias);
-
---
-2.43.0
-
diff --git a/SPECS/kernel-rt/CVE-2025-68357.patch b/SPECS/kernel-rt/CVE-2025-68357.patch
deleted file mode 100644
index 8a512e5173..0000000000
--- a/SPECS/kernel-rt/CVE-2025-68357.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 0c2ef70b27af690b4f42c5cb96778c7cbc36fd45 Mon Sep 17 00:00:00 2001
-From: Christoph Hellwig
-Date: Mon, 24 Nov 2025 15:00:13 +0100
-Subject: [PATCH 13/45] iomap: allocate s_dio_done_wq for async reads as well
-
-Since commit 222f2c7c6d14 ("iomap: always run error completions in user
-context"), read error completions are deferred to s_dio_done_wq. This
-means the workqueue also needs to be allocated for async reads.
-
-Fixes: 222f2c7c6d14 ("iomap: always run error completions in user context")
-Reported-by: syzbot+a2b9a4ed0d61b1efb3f5@syzkaller.appspotmail.com
-Signed-off-by: Christoph Hellwig
-Link: https://patch.msgid.link/20251124140013.902853-1-hch@lst.de
-Tested-by: syzbot+a2b9a4ed0d61b1efb3f5@syzkaller.appspotmail.com
-Reviewed-by: Dave Chinner
-Reviewed-by: Darrick J. Wong
-Signed-off-by: Christian Brauner
----
- fs/iomap/direct-io.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/fs/iomap/direct-io.c b/fs/iomap/direct-io.c
-index f637aa0706a3..c984baccb079 100644
---- a/fs/iomap/direct-io.c
-+++ b/fs/iomap/direct-io.c
-@@ -663,12 +663,12 @@ __iomap_dio_rw(struct kiocb *iocb, struct iov_iter *iter,
- }
- goto out_free_dio;
- }
-+ }
-
-- if (!wait_for_completion && !inode->i_sb->s_dio_done_wq) {
-- ret = sb_init_dio_done_wq(inode->i_sb);
-- if (ret < 0)
-- goto out_free_dio;
-- }
-+ if (!wait_for_completion && !inode->i_sb->s_dio_done_wq) {
-+ ret = sb_init_dio_done_wq(inode->i_sb);
-+ if (ret < 0)
-+ goto out_free_dio;
- }
-
- inode_dio_begin(inode);
---
-2.43.0
-
diff --git a/SPECS/kernel-rt/CVE-2025-68363.patch b/SPECS/kernel-rt/CVE-2025-68363.patch
deleted file mode 100644
index 0113204c7f..0000000000
--- a/SPECS/kernel-rt/CVE-2025-68363.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From 9958effe805bd9a18ee4fedbb9aef913f5213a56 Mon Sep 17 00:00:00 2001
-From: Martin KaFai Lau
-Date: Wed, 12 Nov 2025 15:23:30 -0800
-Subject: [PATCH 17/45] bpf: Check skb->transport_header is set in
- bpf_skb_check_mtu
-
-The bpf_skb_check_mtu helper needs to use skb->transport_header when
-the BPF_MTU_CHK_SEGS flag is used:
-
- bpf_skb_check_mtu(skb, ifindex, &mtu_len, 0, BPF_MTU_CHK_SEGS)
-
-The transport_header is not always set. There is a WARN_ON_ONCE
-report when CONFIG_DEBUG_NET is enabled + skb->gso_size is set +
-bpf_prog_test_run is used:
-
-WARNING: CPU: 1 PID: 2216 at ./include/linux/skbuff.h:3071
- skb_gso_validate_network_len
- bpf_skb_check_mtu
- bpf_prog_3920e25740a41171_tc_chk_segs_flag # A test in the next patch
- bpf_test_run
- bpf_prog_test_run_skb
-
-For a normal ingress skb (not test_run), skb_reset_transport_header
-is performed but there is plan to avoid setting it as described in
-commit 2170a1f09148 ("net: no longer reset transport_header in __netif_receive_skb_core()").
-
-This patch fixes the bpf helper by checking
-skb_transport_header_was_set(). The check is done just before
-skb->transport_header is used, to avoid breaking the existing bpf prog.
-The WARN_ON_ONCE is limited to bpf_prog_test_run, so targeting bpf-next.
-
-Fixes: 34b2021cc616 ("bpf: Add BPF-helper for MTU checking")
-Cc: Jesper Dangaard Brouer
-Reported-by: Kaiyan Mei
-Reported-by: Yinhao Hu
-Signed-off-by: Martin KaFai Lau
-Link: https://lore.kernel.org/r/20251112232331.1566074-1-martin.lau@linux.dev
-Signed-off-by: Alexei Starovoitov
----
- net/core/filter.c | 9 ++++++---
- 1 file changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/net/core/filter.c b/net/core/filter.c
-index 3d0e31101c68..fd2129fe9db3 100644
---- a/net/core/filter.c
-+++ b/net/core/filter.c
-@@ -6360,9 +6360,12 @@ BPF_CALL_5(bpf_skb_check_mtu, struct sk_buff *, skb,
- */
- if (skb_is_gso(skb)) {
- ret = BPF_MTU_CHK_RET_SUCCESS;
-- if (flags & BPF_MTU_CHK_SEGS &&
-- !skb_gso_validate_network_len(skb, mtu))
-- ret = BPF_MTU_CHK_RET_SEGS_TOOBIG;
-+ if (flags & BPF_MTU_CHK_SEGS) {
-+ if (!skb_transport_header_was_set(skb))
-+ return -EINVAL;
-+ if (!skb_gso_validate_network_len(skb, mtu))
-+ ret = BPF_MTU_CHK_RET_SEGS_TOOBIG;
-+ }
- }
- out:
- *mtu_len = mtu;
---
-2.43.0
-
diff --git a/SPECS/kernel-rt/CVE-2025-68366.patch b/SPECS/kernel-rt/CVE-2025-68366.patch
deleted file mode 100644
index a98b3f9735..0000000000
--- a/SPECS/kernel-rt/CVE-2025-68366.patch
+++ /dev/null
@@ -1,67 +0,0 @@ -From 6acb73a408345df86f90f598557ac9d12ff2b14d Mon Sep 17 00:00:00 2001 -From: Zheng Qixing -Date: Mon, 10 Nov 2025 20:49:20 +0800 -Subject: [PATCH 18/45] nbd: defer config unlock in nbd_genl_connect - -There is one use-after-free warning when running NBD_CMD_CONNECT and -NBD_CLEAR_SOCK: - -nbd_genl_connect - nbd_alloc_and_init_config // config_refs=1 - nbd_start_device // config_refs=2 - set NBD_RT_HAS_CONFIG_REF open nbd // config_refs=3 - recv_work done // config_refs=2 - NBD_CLEAR_SOCK // config_refs=1 - close nbd // config_refs=0 - refcount_inc -> uaf - -------------[ cut here ]------------ -refcount_t: addition on 0; use-after-free. -WARNING: CPU: 24 PID: 1014 at lib/refcount.c:25 refcount_warn_saturate+0x12e/0x290 - nbd_genl_connect+0x16d0/0x1ab0 - genl_family_rcv_msg_doit+0x1f3/0x310 - genl_rcv_msg+0x44a/0x790 - -The issue can be easily reproduced by adding a small delay before -refcount_inc(&nbd->config_refs) in nbd_genl_connect(): - - mutex_unlock(&nbd->config_lock); - if (!ret) { - set_bit(NBD_RT_HAS_CONFIG_REF, &config->runtime_flags); -+ printk("before sleep\n"); -+ mdelay(5 * 1000); -+ printk("after sleep\n"); - refcount_inc(&nbd->config_refs); - nbd_connect_reply(info, nbd->index); - } - -Fixes: e46c7287b1c2 ("nbd: add a basic netlink interface") -Signed-off-by: Zheng Qixing -Reviewed-by: Yu Kuai -Signed-off-by: Jens Axboe ---- - drivers/block/nbd.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c -index deb298371a6a..dcb04bc88897 100644 ---- a/drivers/block/nbd.c -+++ b/drivers/block/nbd.c -@@ -2169,12 +2169,13 @@ static int nbd_genl_connect(struct sk_buff *skb, struct genl_info *info) - - ret = nbd_start_device(nbd); - out: -- mutex_unlock(&nbd->config_lock); - if (!ret) { - set_bit(NBD_RT_HAS_CONFIG_REF, &config->runtime_flags); - refcount_inc(&nbd->config_refs); - nbd_connect_reply(info, nbd->index); - } -+ mutex_unlock(&nbd->config_lock); -+ - nbd_config_put(nbd); 
- if (put_dev) - nbd_put(nbd); --- -2.43.0 - diff --git a/SPECS/kernel-rt/CVE-2025-68371.patch b/SPECS/kernel-rt/CVE-2025-68371.patch deleted file mode 100644 index 42567c6a19..0000000000 --- a/SPECS/kernel-rt/CVE-2025-68371.patch +++ /dev/null 
@@ -1,90 +0,0 @@ -From ea41b3b3b55169adfdec974a76c5c55a29731be9 Mon Sep 17 00:00:00 2001 -From: Mike McGowen -Date: Thu, 6 Nov 2025 10:38:20 -0600 -Subject: [PATCH 30/45] scsi: smartpqi: Fix device resources accessed after - device removal - -Correct possible race conditions during device removal. - -Previously, a scheduled work item to reset a LUN could still execute -after the device was removed, leading to use-after-free and other -resource access issues. - -This race condition occurs because the abort handler may schedule a LUN -reset concurrently with device removal via sdev_destroy(), leading to -use-after-free and improper access to freed resources. - - - Check in the device reset handler if the device is still present in - the controller's SCSI device list before running; if not, the reset - is skipped. - - - Cancel any pending TMF work that has not started in sdev_destroy(). - - - Ensure device freeing in sdev_destroy() is done while holding the - LUN reset mutex to avoid races with ongoing resets. - -Fixes: 2d80f4054f7f ("scsi: smartpqi: Update deleting a LUN via sysfs") -Reviewed-by: Scott Teel -Reviewed-by: Scott Benesh -Signed-off-by: Mike McGowen -Signed-off-by: Don Brace -Link: https://patch.msgid.link/20251106163823.786828-3-don.brace@microchip.com -Signed-off-by: Martin K. 
Petersen ---- - drivers/scsi/smartpqi/smartpqi_init.c | 19 +++++++++++++++++++ - 1 file changed, 19 insertions(+) - -diff --git a/drivers/scsi/smartpqi/smartpqi_init.c b/drivers/scsi/smartpqi/smartpqi_init.c -index c5a21e369e16..018f5428a07d 100644 ---- a/drivers/scsi/smartpqi/smartpqi_init.c -+++ b/drivers/scsi/smartpqi/smartpqi_init.c -@@ -6395,10 +6395,22 @@ static int pqi_device_reset(struct pqi_ctrl_info *ctrl_info, struct pqi_scsi_dev - - static int pqi_device_reset_handler(struct pqi_ctrl_info *ctrl_info, struct pqi_scsi_dev *device, u8 lun, struct scsi_cmnd *scmd, u8 scsi_opcode) - { -+ unsigned long flags; - int rc; - - mutex_lock(&ctrl_info->lun_reset_mutex); - -+ spin_lock_irqsave(&ctrl_info->scsi_device_list_lock, flags); -+ if (pqi_find_scsi_dev(ctrl_info, device->bus, device->target, device->lun) == NULL) { -+ dev_warn(&ctrl_info->pci_dev->dev, -+ "skipping reset of scsi %d:%d:%d:%u, device has been removed\n", -+ ctrl_info->scsi_host->host_no, device->bus, device->target, device->lun); -+ spin_unlock_irqrestore(&ctrl_info->scsi_device_list_lock, flags); -+ mutex_unlock(&ctrl_info->lun_reset_mutex); -+ return 0; -+ } -+ spin_unlock_irqrestore(&ctrl_info->scsi_device_list_lock, flags); -+ - dev_err(&ctrl_info->pci_dev->dev, - "resetting scsi %d:%d:%d:%u SCSI cmd at %p due to cmd opcode 0x%02x\n", - ctrl_info->scsi_host->host_no, device->bus, device->target, lun, scmd, scsi_opcode); -@@ -6578,7 +6590,9 @@ static void pqi_slave_destroy(struct scsi_device *sdev) - { - struct pqi_ctrl_info *ctrl_info; - struct pqi_scsi_dev *device; -+ struct pqi_tmf_work *tmf_work; - int mutex_acquired; -+ unsigned int lun; - unsigned long flags; - - ctrl_info = shost_to_hba(sdev->host); -@@ -6605,8 +6619,13 @@ static void pqi_slave_destroy(struct scsi_device *sdev) - - mutex_unlock(&ctrl_info->scan_mutex); - -+ for (lun = 0, tmf_work = device->tmf_work; lun < PQI_MAX_LUNS_PER_DEVICE; lun++, tmf_work++) -+ cancel_work_sync(&tmf_work->work_struct); -+ -+ 
mutex_lock(&ctrl_info->lun_reset_mutex); - pqi_dev_info(ctrl_info, "removed", device); - pqi_free_device(device); -+ mutex_unlock(&ctrl_info->lun_reset_mutex); - } - - static int pqi_getpciinfo_ioctl(struct pqi_ctrl_info *ctrl_info, void __user *arg) --- -2.43.0 - diff --git a/SPECS/kernel-rt/CVE-2025-68372.patch b/SPECS/kernel-rt/CVE-2025-68372.patch deleted file mode 100644 index 7ffc6026aa..0000000000 --- a/SPECS/kernel-rt/CVE-2025-68372.patch +++ /dev/null 
@@ -1,97 +0,0 @@ -From fccf2e01ee8619c9380fff3a52f543a620b78977 Mon Sep 17 00:00:00 2001 -From: Zheng Qixing -Date: Sat, 8 Nov 2025 15:02:02 +0800 -Subject: [PATCH 20/45] nbd: defer config put in recv_work - -There is one uaf issue in recv_work when running NBD_CLEAR_SOCK and -NBD_CMD_RECONFIGURE: - nbd_genl_connect // conf_ref=2 (connect and recv_work A) - nbd_open // conf_ref=3 - recv_work A done // conf_ref=2 - NBD_CLEAR_SOCK // conf_ref=1 - nbd_genl_reconfigure // conf_ref=2 (trigger recv_work B) - close nbd // conf_ref=1 - recv_work B - config_put // conf_ref=0 - atomic_dec(&config->recv_threads); -> UAF - -Or only running NBD_CLEAR_SOCK: - nbd_genl_connect // conf_ref=2 - nbd_open // conf_ref=3 - NBD_CLEAR_SOCK // conf_ref=2 - close nbd - nbd_release - config_put // conf_ref=1 - recv_work - config_put // conf_ref=0 - atomic_dec(&config->recv_threads); -> UAF - -Commit 87aac3a80af5 ("nbd: call nbd_config_put() before notifying the -waiter") moved nbd_config_put() to run before waking up the waiter in -recv_work, in order to ensure that nbd_start_device_ioctl() would not -be woken up while nbd->task_recv was still uncleared. - -However, in nbd_start_device_ioctl(), after being woken up it explicitly -calls flush_workqueue() to make sure all current works are finished. -Therefore, there is no need to move the config put ahead of the wakeup. - -Move nbd_config_put() to the end of recv_work, so that the reference is -held for the whole lifetime of the worker thread. This makes sure the -config cannot be freed while recv_work is still running, even if clear -+ reconfigure interleave. 
- -In addition, we don't need to worry about recv_work dropping the last -nbd_put (which causes deadlock): - -path A (netlink with NBD_CFLAG_DESTROY_ON_DISCONNECT): - connect // nbd_refs=1 (trigger recv_work) - open nbd // nbd_refs=2 - NBD_CLEAR_SOCK - close nbd - nbd_release - nbd_disconnect_and_put - flush_workqueue // recv_work done - nbd_config_put - nbd_put // nbd_refs=1 - nbd_put // nbd_refs=0 - queue_work - -path B (netlink without NBD_CFLAG_DESTROY_ON_DISCONNECT): - connect // nbd_refs=2 (trigger recv_work) - open nbd // nbd_refs=3 - NBD_CLEAR_SOCK // conf_refs=2 - close nbd - nbd_release - nbd_config_put // conf_refs=1 - nbd_put // nbd_refs=2 - recv_work done // conf_refs=0, nbd_refs=1 - rmmod // nbd_refs=0 - -Reported-by: syzbot+56fbf4c7ddf65e95c7cc@syzkaller.appspotmail.com -Closes: https://lore.kernel.org/all/6907edce.a70a0220.37351b.0014.GAE@google.com/T/ -Fixes: 87aac3a80af5 ("nbd: make the config put is called before the notifying the waiter") -Depends-on: e2daec488c57 ("nbd: Fix hungtask when nbd_config_put") -Signed-off-by: Zheng Qixing -Signed-off-by: Jens Axboe ---- - drivers/block/nbd.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c -index dcb04bc88897..958bd115a341 100644 ---- a/drivers/block/nbd.c -+++ b/drivers/block/nbd.c -@@ -963,9 +963,9 @@ static void recv_work(struct work_struct *work) - nbd_mark_nsock_dead(nbd, nsock, 1); - mutex_unlock(&nsock->tx_lock); - -- nbd_config_put(nbd); - atomic_dec(&config->recv_threads); - wake_up(&config->recv_wq); -+ nbd_config_put(nbd); - kfree(args); - } - --- -2.43.0 - diff --git a/SPECS/kernel-rt/CVE-2025-68374.patch b/SPECS/kernel-rt/CVE-2025-68374.patch deleted file mode 100644 index 372e884c0e..0000000000 --- a/SPECS/kernel-rt/CVE-2025-68374.patch +++ /dev/null 
@@ -1,109 +0,0 @@ -From 067d0664657083155b8635f7bd7675244969dc45 Mon Sep 17 00:00:00 2001 -From: Yun Zhou -Date: Wed, 15 Oct 2025 16:32:27 +0800 -Subject: [PATCH 21/45] md: fix rcu protection in md_wakeup_thread - -We attempted to use RCU to protect the pointer 'thread', but directly -passed the value when calling md_wakeup_thread(). This means that the -RCU pointer has been acquired before rcu_read_lock(), which renders -rcu_read_lock() ineffective and could lead to a use-after-free. - -Link: https://lore.kernel.org/linux-raid/20251015083227.1079009-1-yun.zhou@windriver.com -Fixes: 446931543982 ("md: protect md_thread with rcu") -Signed-off-by: Yun Zhou -Reviewed-by: Li Nan -Reviewed-by: Yu Kuai -Signed-off-by: Yu Kuai ---- - drivers/md/md.c | 14 ++++++-------- - drivers/md/md.h | 8 +++++++- - 2 files changed, 13 insertions(+), 9 deletions(-) - -diff --git a/drivers/md/md.c b/drivers/md/md.c -index 2df47aa4f2db..cb81c0c61746 100644 ---- a/drivers/md/md.c -+++ b/drivers/md/md.c -@@ -106,7 +106,7 @@ static int remove_and_add_spares(struct mddev *mddev, - struct md_rdev *this); - static void mddev_detach(struct mddev *mddev); - static void export_rdev(struct md_rdev *rdev, struct mddev *mddev); --static void md_wakeup_thread_directly(struct md_thread __rcu *thread); -+static void md_wakeup_thread_directly(struct md_thread __rcu **thread); - - /* - * Default number of read corrections we'll attempt on an rdev -@@ -4926,7 +4926,7 @@ static void stop_sync_thread(struct mddev *mddev, bool locked) - * Thread might be blocked waiting for metadata update which will now - * never happen - */ -- md_wakeup_thread_directly(mddev->sync_thread); -+ md_wakeup_thread_directly(&mddev->sync_thread); - if (work_pending(&mddev->sync_work)) - flush_work(&mddev->sync_work); - -@@ -8051,22 +8051,21 @@ static int md_thread(void *arg) - return 0; - } - --static void md_wakeup_thread_directly(struct md_thread __rcu *thread) -+static void md_wakeup_thread_directly(struct md_thread __rcu 
**thread) - { - struct md_thread *t; - - rcu_read_lock(); -- t = rcu_dereference(thread); -+ t = rcu_dereference(*thread); - if (t) - wake_up_process(t->tsk); - rcu_read_unlock(); - } - --void md_wakeup_thread(struct md_thread __rcu *thread) -+void __md_wakeup_thread(struct md_thread __rcu *thread) - { - struct md_thread *t; - -- rcu_read_lock(); - t = rcu_dereference(thread); - if (t) { - pr_debug("md: waking up MD thread %s.\n", t->tsk->comm); -@@ -8074,9 +8073,8 @@ void md_wakeup_thread(struct md_thread __rcu *thread) - if (wq_has_sleeper(&t->wqueue)) - wake_up(&t->wqueue); - } -- rcu_read_unlock(); - } --EXPORT_SYMBOL(md_wakeup_thread); -+EXPORT_SYMBOL(__md_wakeup_thread); - - struct md_thread *md_register_thread(void (*run) (struct md_thread *), - struct mddev *mddev, const char *name) -diff --git a/drivers/md/md.h b/drivers/md/md.h -index 8826dce9717d..20857b898462 100644 ---- a/drivers/md/md.h -+++ b/drivers/md/md.h -@@ -838,6 +838,12 @@ struct md_io_clone { - - #define THREAD_WAKEUP 0 - -+#define md_wakeup_thread(thread) do { \ -+ rcu_read_lock(); \ -+ __md_wakeup_thread(thread); \ -+ rcu_read_unlock(); \ -+} while (0) -+ - static inline void safe_put_page(struct page *p) - { - if (p) put_page(p); -@@ -855,7 +861,7 @@ extern struct md_thread *md_register_thread( - struct mddev *mddev, - const char *name); - extern void md_unregister_thread(struct mddev *mddev, struct md_thread __rcu **threadp); --extern void md_wakeup_thread(struct md_thread __rcu *thread); -+extern void __md_wakeup_thread(struct md_thread __rcu *thread); - extern void md_check_recovery(struct mddev *mddev); - extern void md_reap_sync_thread(struct mddev *mddev); - extern enum sync_action md_sync_action(struct mddev *mddev); --- -2.43.0 - diff --git a/SPECS/kernel-rt/CVE-2025-68378.patch b/SPECS/kernel-rt/CVE-2025-68378.patch deleted file mode 100644 index 93010531a5..0000000000 --- a/SPECS/kernel-rt/CVE-2025-68378.patch +++ /dev/null 
@@ -1,107 +0,0 @@ -From ce2cdaf02b160e95e7d280485140b5cb29df51b8 Mon Sep 17 00:00:00 2001 -From: Arnaud Lecomte -Date: Tue, 30 Dec 2025 01:21:18 -0800 -Subject: [PATCH 22/45] bpf: Fix stackmap overflow check in __bpf_get_stackid() - -Syzkaller reported a KASAN slab-out-of-bounds write in __bpf_get_stackid() -when copying stack trace data. The issue occurs when the perf trace - contains more stack entries than the stack map bucket can hold, - leading to an out-of-bounds write in the bucket's data array. - -Fixes: ee2a098851bf ("bpf: Adjust BPF stack helper functions to accommodate skip > 0") -Reported-by: syzbot+c9b724fbb41cf2538b7b@syzkaller.appspotmail.com -Signed-off-by: Arnaud Lecomte -Signed-off-by: Andrii Nakryiko -Acked-by: Yonghong Song -Acked-by: Song Liu -Link: https://lore.kernel.org/bpf/20251025192941.1500-1-contact@arnaud-lcm.com - -Closes: https://syzkaller.appspot.com/bug?extid=c9b724fbb41cf2538b7b ---- - kernel/bpf/stackmap.c | 37 ++++++++++++++++++++++++++++++------- - 1 file changed, 30 insertions(+), 7 deletions(-) - -diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c -index 3615c06b7dfa..891cdb562c3a 100644 ---- a/kernel/bpf/stackmap.c -+++ b/kernel/bpf/stackmap.c -@@ -42,6 +42,28 @@ static inline int stack_map_data_size(struct bpf_map *map) - sizeof(struct bpf_stack_build_id) : sizeof(u64); - } - -+/** -+ * stack_map_calculate_max_depth - Calculate maximum allowed stack trace depth -+ * @size: Size of the buffer/map value in bytes -+ * @elem_size: Size of each stack trace element -+ * @flags: BPF stack trace flags (BPF_F_USER_STACK, BPF_F_USER_BUILD_ID, ...) -+ * -+ * Return: Maximum number of stack trace entries that can be safely stored. 
-+ */ -+static u32 stack_map_calculate_max_depth(u32 size, u32 elem_size, u64 flags) -+{ -+ u32 skip = flags & BPF_F_SKIP_FIELD_MASK; -+ u32 max_depth; -+ u32 curr_sysctl_max_stack = READ_ONCE(sysctl_perf_event_max_stack); -+ -+ max_depth = size / elem_size; -+ max_depth += skip; -+ if (max_depth > curr_sysctl_max_stack) -+ return curr_sysctl_max_stack; -+ -+ return max_depth; -+} -+ - static int prealloc_elems_and_freelist(struct bpf_stack_map *smap) - { - u64 elem_size = sizeof(struct stack_map_bucket) + -@@ -229,8 +251,8 @@ static long __bpf_get_stackid(struct bpf_map *map, - { - struct bpf_stack_map *smap = container_of(map, struct bpf_stack_map, map); - struct stack_map_bucket *bucket, *new_bucket, *old_bucket; -+ u32 hash, id, trace_nr, trace_len, i, max_depth; - u32 skip = flags & BPF_F_SKIP_FIELD_MASK; -- u32 hash, id, trace_nr, trace_len, i; - bool user = flags & BPF_F_USER_STACK; - u64 *ips; - bool hash_matches; -@@ -239,7 +261,8 @@ static long __bpf_get_stackid(struct bpf_map *map, - /* skipping more than usable stack trace */ - return -EFAULT; - -- trace_nr = trace->nr - skip; -+ max_depth = stack_map_calculate_max_depth(map->value_size, stack_map_data_size(map), flags); -+ trace_nr = min_t(u32, trace->nr - skip, max_depth - skip); - trace_len = trace_nr * sizeof(u64); - ips = trace->ip + skip; - hash = jhash2((u32 *)ips, trace_len / sizeof(u32), 0); -@@ -371,15 +394,11 @@ BPF_CALL_3(bpf_get_stackid_pe, struct bpf_perf_event_data_kern *, ctx, - return -EFAULT; - - nr_kernel = count_kernel_ip(trace); -+ __u64 nr = trace->nr; /* save original */ - - if (kernel) { -- __u64 nr = trace->nr; -- - trace->nr = nr_kernel; - ret = __bpf_get_stackid(map, trace, flags); -- -- /* restore nr */ -- trace->nr = nr; - } else { /* user */ - u64 skip = flags & BPF_F_SKIP_FIELD_MASK; - -@@ -390,6 +409,10 @@ BPF_CALL_3(bpf_get_stackid_pe, struct bpf_perf_event_data_kern *, ctx, - flags = (flags & ~BPF_F_SKIP_FIELD_MASK) | skip; - ret = __bpf_get_stackid(map, trace, flags); 
- } -+ -+ /* restore nr */ -+ trace->nr = nr; -+ - return ret; - } - --- -2.43.0 - diff --git a/SPECS/kernel-rt/CVE-2025-68379.patch b/SPECS/kernel-rt/CVE-2025-68379.patch deleted file mode 100644 index 090304aec5..0000000000 --- a/SPECS/kernel-rt/CVE-2025-68379.patch +++ /dev/null 
@@ -1,90 +0,0 @@ -From ad8ec7c18be327eef543ea0a64218c8a256d8e48 Mon Sep 17 00:00:00 2001 -From: Zhu Yanjun -Date: Mon, 27 Oct 2025 14:52:03 -0700 -Subject: [PATCH 10/45] RDMA/rxe: Fix null deref on srq->rq.queue after resize - failure - -A NULL pointer dereference can occur in rxe_srq_chk_attr() when -ibv_modify_srq() is invoked twice in succession under certain error -conditions. The first call may fail in rxe_queue_resize(), which leads -rxe_srq_from_attr() to set srq->rq.queue = NULL. The second call then -triggers a crash (null deref) when accessing -srq->rq.queue->buf->index_mask. - -Call Trace: - -rxe_modify_srq+0x170/0x480 [rdma_rxe] -? __pfx_rxe_modify_srq+0x10/0x10 [rdma_rxe] -? uverbs_try_lock_object+0x4f/0xa0 [ib_uverbs] -? rdma_lookup_get_uobject+0x1f0/0x380 [ib_uverbs] -ib_uverbs_modify_srq+0x204/0x290 [ib_uverbs] -? __pfx_ib_uverbs_modify_srq+0x10/0x10 [ib_uverbs] -? tryinc_node_nr_active+0xe6/0x150 -? uverbs_fill_udata+0xed/0x4f0 [ib_uverbs] -ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x2c0/0x470 [ib_uverbs] -? __pfx_ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x10/0x10 [ib_uverbs] -? uverbs_fill_udata+0xed/0x4f0 [ib_uverbs] -ib_uverbs_run_method+0x55a/0x6e0 [ib_uverbs] -? __pfx_ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x10/0x10 [ib_uverbs] -ib_uverbs_cmd_verbs+0x54d/0x800 [ib_uverbs] -? __pfx_ib_uverbs_cmd_verbs+0x10/0x10 [ib_uverbs] -? __pfx___raw_spin_lock_irqsave+0x10/0x10 -? __pfx_do_vfs_ioctl+0x10/0x10 -? ioctl_has_perm.constprop.0.isra.0+0x2c7/0x4c0 -? __pfx_ioctl_has_perm.constprop.0.isra.0+0x10/0x10 -ib_uverbs_ioctl+0x13e/0x220 [ib_uverbs] -? __pfx_ib_uverbs_ioctl+0x10/0x10 [ib_uverbs] -__x64_sys_ioctl+0x138/0x1c0 -do_syscall_64+0x82/0x250 -? fdget_pos+0x58/0x4c0 -? ksys_write+0xf3/0x1c0 -? __pfx_ksys_write+0x10/0x10 -? do_syscall_64+0xc8/0x250 -? __pfx_vm_mmap_pgoff+0x10/0x10 -? fget+0x173/0x230 -? fput+0x2a/0x80 -? ksys_mmap_pgoff+0x224/0x4c0 -? do_syscall_64+0xc8/0x250 -? do_user_addr_fault+0x37b/0xfe0 -? 
clear_bhb_loop+0x50/0xa0 -? clear_bhb_loop+0x50/0xa0 -? clear_bhb_loop+0x50/0xa0 -entry_SYSCALL_64_after_hwframe+0x76/0x7e - -Fixes: 8700e3e7c485 ("Soft RoCE driver") -Tested-by: Liu Yi -Signed-off-by: Zhu Yanjun -Link: https://patch.msgid.link/20251027215203.1321-1-yanjun.zhu@linux.dev -Signed-off-by: Leon Romanovsky ---- - drivers/infiniband/sw/rxe/rxe_srq.c | 7 +------ - 1 file changed, 1 insertion(+), 6 deletions(-) - -diff --git a/drivers/infiniband/sw/rxe/rxe_srq.c b/drivers/infiniband/sw/rxe/rxe_srq.c -index 3661cb627d28..2a234f26ac10 100644 ---- a/drivers/infiniband/sw/rxe/rxe_srq.c -+++ b/drivers/infiniband/sw/rxe/rxe_srq.c -@@ -171,7 +171,7 @@ int rxe_srq_from_attr(struct rxe_dev *rxe, struct rxe_srq *srq, - udata, mi, &srq->rq.producer_lock, - &srq->rq.consumer_lock); - if (err) -- goto err_free; -+ return err; - - srq->rq.max_wr = attr->max_wr; - } -@@ -180,11 +180,6 @@ int rxe_srq_from_attr(struct rxe_dev *rxe, struct rxe_srq *srq, - srq->limit = attr->srq_limit; - - return 0; -- --err_free: -- rxe_queue_cleanup(q); -- srq->rq.queue = NULL; -- return err; - } - - void rxe_srq_cleanup(struct rxe_pool_elem *elem) --- -2.43.0 - diff --git a/SPECS/kernel-rt/CVE-2025-68724.patch b/SPECS/kernel-rt/CVE-2025-68724.patch deleted file mode 100644 index 31cc0f2e41..0000000000 --- a/SPECS/kernel-rt/CVE-2025-68724.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -From 21ca32cbb3c0dcdfe3b62e555a32f163e4882a76 Mon Sep 17 00:00:00 2001 -From: Thorsten Blum -Date: Mon, 13 Oct 2025 13:40:10 +0200 -Subject: [PATCH 14/45] crypto: asymmetric_keys - prevent overflow in - asymmetric_key_generate_id - -Use check_add_overflow() to guard against potential integer overflows -when adding the binary blob lengths and the size of an asymmetric_key_id -structure and return ERR_PTR(-EOVERFLOW) accordingly. This prevents a -possible buffer overflow when copying data from potentially malicious -X.509 certificate fields that can be arbitrarily large, such as ASN.1 -INTEGER serial numbers, issuer names, etc. - -Fixes: 7901c1a8effb ("KEYS: Implement binary asymmetric key ID handling") -Signed-off-by: Thorsten Blum -Reviewed-by: Lukas Wunner -Signed-off-by: Herbert Xu ---- - crypto/asymmetric_keys/asymmetric_type.c | 14 ++++++++++---- - 1 file changed, 10 insertions(+), 4 deletions(-) - -diff --git a/crypto/asymmetric_keys/asymmetric_type.c b/crypto/asymmetric_keys/asymmetric_type.c -index 43af5fa510c0..7859b0692b42 100644 ---- a/crypto/asymmetric_keys/asymmetric_type.c -+++ b/crypto/asymmetric_keys/asymmetric_type.c -@@ -11,6 +11,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -151,12 +152,17 @@ struct asymmetric_key_id *asymmetric_key_generate_id(const void *val_1, - size_t len_2) - { - struct asymmetric_key_id *kid; -- -- kid = kmalloc(sizeof(struct asymmetric_key_id) + len_1 + len_2, -- GFP_KERNEL); -+ size_t kid_sz; -+ size_t len; -+ -+ if (check_add_overflow(len_1, len_2, &len)) -+ return ERR_PTR(-EOVERFLOW); -+ if (check_add_overflow(sizeof(struct asymmetric_key_id), len, &kid_sz)) -+ return ERR_PTR(-EOVERFLOW); -+ kid = kmalloc(kid_sz, GFP_KERNEL); - if (!kid) - return ERR_PTR(-ENOMEM); -- kid->len = len_1 + len_2; -+ kid->len = len; - memcpy(kid->data, val_1, len_1); - memcpy(kid->data + len_1, val_2, len_2); - return kid; --- -2.43.0 - 
diff --git a/SPECS/kernel-rt/CVE-2025-68732.patch b/SPECS/kernel-rt/CVE-2025-68732.patch deleted file mode 100644 index 8ecc818668..0000000000 --- a/SPECS/kernel-rt/CVE-2025-68732.patch +++ /dev/null @@ -1,53 +0,0 @@ -From fc458c8c62d80bcdf944f82ca55c90f245b7b4f0 Mon Sep 17 00:00:00 2001 -From: Mainak Sen -Date: Mon, 7 Jul 2025 18:17:39 +0900 -Subject: [PATCH 11/45] gpu: host1x: Fix race in syncpt alloc/free - -Fix race condition between host1x_syncpt_alloc() -and host1x_syncpt_put() by using kref_put_mutex() -instead of kref_put() + manual mutex locking. - -This ensures no thread can acquire the -syncpt_mutex after the refcount drops to zero -but before syncpt_release acquires it. -This prevents races where syncpoints could -be allocated while still being cleaned up -from a previous release. - -Remove explicit mutex locking in syncpt_release -as kref_put_mutex() handles this atomically. - -Signed-off-by: Mainak Sen -Fixes: f5ba33fb9690 ("gpu: host1x: Reserve VBLANK syncpoints at initialization") -Signed-off-by: Mikko Perttunen -Signed-off-by: Thierry Reding -Link: https://lore.kernel.org/r/20250707-host1x-syncpt-race-fix-v1-1-28b0776e70bc@nvidia.com ---- - drivers/gpu/host1x/syncpt.c | 4 +--- - 1 file changed, 1 insertion(+), 3 deletions(-) - -diff --git a/drivers/gpu/host1x/syncpt.c b/drivers/gpu/host1x/syncpt.c -index f63d14a57a1d..acc7d82e0585 100644 ---- a/drivers/gpu/host1x/syncpt.c -+++ b/drivers/gpu/host1x/syncpt.c -@@ -345,8 +345,6 @@ static void syncpt_release(struct kref *ref) - - sp->locked = false; - -- mutex_lock(&sp->host->syncpt_mutex); -- - host1x_syncpt_base_free(sp->base); - kfree(sp->name); - sp->base = NULL; -@@ -369,7 +367,7 @@ void host1x_syncpt_put(struct host1x_syncpt *sp) - if (!sp) - return; - -- kref_put(&sp->ref, syncpt_release); -+ kref_put_mutex(&sp->ref, syncpt_release, &sp->host->syncpt_mutex); - } - EXPORT_SYMBOL(host1x_syncpt_put); - --- -2.43.0 - 
diff --git a/SPECS/kernel-rt/CVE-2025-68733.patch b/SPECS/kernel-rt/CVE-2025-68733.patch
deleted file mode 100644
index 0de373e72f..0000000000
--- a/SPECS/kernel-rt/CVE-2025-68733.patch
+++ /dev/null
@@ -1,96 +0,0 @@ -From a55c1fb9fbd38b4980901866f3b768208702a488 Mon Sep 17 00:00:00 2001 -From: Konstantin Andreev -Date: Tue, 17 Jun 2025 00:32:16 +0300 -Subject: [PATCH 07/45] smack: fix bug: unprivileged task can create labels - -If an unprivileged task is allowed to relabel itself -(/smack/relabel-self is not empty), -it can freely create new labels by writing their -names into own /proc/PID/attr/smack/current - -This occurs because do_setattr() imports -the provided label in advance, -before checking "relabel-self" list. - -This change ensures that the "relabel-self" list -is checked before importing the label. - -Fixes: 38416e53936e ("Smack: limited capability for changing process label") -Signed-off-by: Konstantin Andreev -Signed-off-by: Casey Schaufler ---- - security/smack/smack_lsm.c | 41 +++++++++++++++++++++++++------------- - 1 file changed, 27 insertions(+), 14 deletions(-) - -diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c -index 9e13fd392063..178de6e71f77 100644 ---- a/security/smack/smack_lsm.c -+++ b/security/smack/smack_lsm.c -@@ -3739,8 +3739,8 @@ static int do_setattr(u64 attr, void *value, size_t size) - struct task_smack *tsp = smack_cred(current_cred()); - struct cred *new; - struct smack_known *skp; -- struct smack_known_list_elem *sklep; -- int rc; -+ char *labelstr; -+ int rc = 0; - - if (!smack_privileged(CAP_MAC_ADMIN) && list_empty(&tsp->smk_relabel)) - return -EPERM; -@@ -3751,28 +3751,41 @@ static int do_setattr(u64 attr, void *value, size_t size) - if (attr != LSM_ATTR_CURRENT) - return -EOPNOTSUPP; - -- skp = smk_import_entry(value, size); -- if (IS_ERR(skp)) -- return PTR_ERR(skp); -+ labelstr = smk_parse_smack(value, size); -+ if (IS_ERR(labelstr)) -+ return PTR_ERR(labelstr); - - /* - * No process is ever allowed the web ("@") label - * and the star ("*") label. 
- */ -- if (skp == &smack_known_web || skp == &smack_known_star) -- return -EINVAL; -+ if (labelstr[1] == '\0' /* '@', '*' */) { -+ const char c = labelstr[0]; -+ -+ if (c == *smack_known_web.smk_known || -+ c == *smack_known_star.smk_known) { -+ rc = -EPERM; -+ goto free_labelstr; -+ } -+ } - - if (!smack_privileged(CAP_MAC_ADMIN)) { -- rc = -EPERM; -+ const struct smack_known_list_elem *sklep; - list_for_each_entry(sklep, &tsp->smk_relabel, list) -- if (sklep->smk_label == skp) { -- rc = 0; -- break; -- } -- if (rc) -- return rc; -+ if (strcmp(sklep->smk_label->smk_known, labelstr) == 0) -+ goto free_labelstr; -+ rc = -EPERM; - } - -+free_labelstr: -+ kfree(labelstr); -+ if (rc) -+ return -EPERM; -+ -+ skp = smk_import_entry(value, size); -+ if (IS_ERR(skp)) -+ return PTR_ERR(skp); -+ - new = prepare_creds(); - if (new == NULL) - return -ENOMEM; --- -2.43.0 - diff --git a/SPECS/kernel-rt/CVE-2025-68740.patch b/SPECS/kernel-rt/CVE-2025-68740.patch deleted file mode 100644 index 664cf64303..0000000000 --- a/SPECS/kernel-rt/CVE-2025-68740.patch +++ /dev/null 
@@ -1,70 +0,0 @@ -From e1638a14812cf194c0bd7368b45ac69ac09d2bc3 Mon Sep 17 00:00:00 2001 -From: Zhao Yipeng -Date: Thu, 20 Nov 2025 15:18:05 +0800 -Subject: [PATCH 08/45] ima: Handle error code returned by - ima_filter_rule_match() - -In ima_match_rules(), if ima_filter_rule_match() returns -ENOENT due to -the rule being NULL, the function incorrectly skips the 'if (!rc)' check -and sets 'result = true'. The LSM rule is considered a match, causing -extra files to be measured by IMA. - -This issue can be reproduced in the following scenario: -After unloading the SELinux policy module via 'semodule -d', if an IMA -measurement is triggered before ima_lsm_rules is updated, -in ima_match_rules(), the first call to ima_filter_rule_match() returns --ESTALE. This causes the code to enter the 'if (rc == -ESTALE && -!rule_reinitialized)' block, perform ima_lsm_copy_rule() and retry. In -ima_lsm_copy_rule(), since the SELinux module has been removed, the rule -becomes NULL, and the second call to ima_filter_rule_match() returns --ENOENT. This bypasses the 'if (!rc)' check and results in a false match. - -Call trace: - selinux_audit_rule_match+0x310/0x3b8 - security_audit_rule_match+0x60/0xa0 - ima_match_rules+0x2e4/0x4a0 - ima_match_policy+0x9c/0x1e8 - ima_get_action+0x48/0x60 - process_measurement+0xf8/0xa98 - ima_bprm_check+0x98/0xd8 - security_bprm_check+0x5c/0x78 - search_binary_handler+0x6c/0x318 - exec_binprm+0x58/0x1b8 - bprm_execve+0xb8/0x130 - do_execveat_common.isra.0+0x1a8/0x258 - __arm64_sys_execve+0x48/0x68 - invoke_syscall+0x50/0x128 - el0_svc_common.constprop.0+0xc8/0xf0 - do_el0_svc+0x24/0x38 - el0_svc+0x44/0x200 - el0t_64_sync_handler+0x100/0x130 - el0t_64_sync+0x3c8/0x3d0 - -Fix this by changing 'if (!rc)' to 'if (rc <= 0)' to ensure that error -codes like -ENOENT do not bypass the check and accidentally result in a -successful match. 
- -Fixes: 4af4662fa4a9d ("integrity: IMA policy") -Signed-off-by: Zhao Yipeng -Reviewed-by: Roberto Sassu -Signed-off-by: Mimi Zohar ---- - security/integrity/ima/ima_policy.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c -index 09da8e639239..11b3ea1099ba 100644 ---- a/security/integrity/ima/ima_policy.c -+++ b/security/integrity/ima/ima_policy.c -@@ -672,7 +672,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, - goto retry; - } - } -- if (!rc) { -+ if (rc <= 0) { - result = false; - goto out; - } --- -2.43.0 - diff --git a/SPECS/kernel-rt/CVE-2025-68741.patch b/SPECS/kernel-rt/CVE-2025-68741.patch deleted file mode 100644 index 4b9959d100..0000000000 --- a/SPECS/kernel-rt/CVE-2025-68741.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From 1305606afa33d05b0f3d0f1089ea7cb4aa7cb6ee Mon Sep 17 00:00:00 2001 -From: Zilin Guan -Date: Thu, 13 Nov 2025 15:12:46 +0000 -Subject: [PATCH 05/45] scsi: qla2xxx: Fix improper freeing of purex item - -In qla2xxx_process_purls_iocb(), an item is allocated via -qla27xx_copy_multiple_pkt(), which internally calls -qla24xx_alloc_purex_item(). - -The qla24xx_alloc_purex_item() function may return a pre-allocated item -from a per-adapter pool for small allocations, instead of dynamically -allocating memory with kzalloc(). - -An error handling path in qla2xxx_process_purls_iocb() incorrectly uses -kfree() to release the item. If the item was from the pre-allocated -pool, calling kfree() on it is a bug that can lead to memory corruption. - -Fix this by using the correct deallocation function, -qla24xx_free_purex_item(), which properly handles both dynamically -allocated and pre-allocated items. - -Fixes: 875386b98857 ("scsi: qla2xxx: Add Unsolicited LS Request and Response Support for NVMe") -Signed-off-by: Zilin Guan -Reviewed-by: Himanshu Madhani -Link: https://patch.msgid.link/20251113151246.762510-1-zilin@seu.edu.cn -Signed-off-by: Martin K. Petersen ---- - drivers/scsi/qla2xxx/qla_nvme.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/scsi/qla2xxx/qla_nvme.c b/drivers/scsi/qla2xxx/qla_nvme.c -index 316594aa40cc..42eb65a62f1f 100644 ---- a/drivers/scsi/qla2xxx/qla_nvme.c -+++ b/drivers/scsi/qla2xxx/qla_nvme.c -@@ -1292,7 +1292,7 @@ void qla2xxx_process_purls_iocb(void **pkt, struct rsp_que **rsp) - a.reason = FCNVME_RJT_RC_LOGIC; - a.explanation = FCNVME_RJT_EXP_NONE; - xmt_reject = true; -- kfree(item); -+ qla24xx_free_purex_item(item); - goto out; - } - --- -2.43.0 - diff --git a/SPECS/kernel-rt/CVE-2025-68742.patch b/SPECS/kernel-rt/CVE-2025-68742.patch deleted file mode 100644 index 2a1e92fa34..0000000000 --- a/SPECS/kernel-rt/CVE-2025-68742.patch +++ /dev/null 
@@ -1,87 +0,0 @@ -From d625c15cc3356906e709ce4f59cada3557e15e9e Mon Sep 17 00:00:00 2001 -From: Pu Lehui -Date: Sat, 15 Nov 2025 10:23:43 +0000 -Subject: [PATCH 04/45] bpf: Fix invalid prog->stats access when - update_effective_progs fails - -Syzkaller triggers an invalid memory access issue following fault -injection in update_effective_progs. The issue can be described as -follows: - -__cgroup_bpf_detach - update_effective_progs - compute_effective_progs - bpf_prog_array_alloc <-- fault inject - purge_effective_progs - /* change to dummy_bpf_prog */ - array->items[index] = &dummy_bpf_prog.prog - ----softirq start--- -__do_softirq - ... - __cgroup_bpf_run_filter_skb - __bpf_prog_run_save_cb - bpf_prog_run - stats = this_cpu_ptr(prog->stats) - /* invalid memory access */ - flags = u64_stats_update_begin_irqsave(&stats->syncp) ----softirq end--- - - static_branch_dec(&cgroup_bpf_enabled_key[atype]) - -The reason is that fault injection caused update_effective_progs to fail -and then changed the original prog into dummy_bpf_prog.prog in -purge_effective_progs. Then a softirq came, and accessing the members of -dummy_bpf_prog.prog in the softirq triggers invalid mem access. - -To fix it, skip updating stats when stats is NULL. 
- -Fixes: 492ecee892c2 ("bpf: enable program stats") -Signed-off-by: Pu Lehui -Link: https://lore.kernel.org/r/20251115102343.2200727-1-pulehui@huaweicloud.com -Signed-off-by: Alexei Starovoitov ---- - include/linux/filter.h | 12 +++++++----- - kernel/bpf/syscall.c | 3 +++ - 2 files changed, 10 insertions(+), 5 deletions(-) - -diff --git a/include/linux/filter.h b/include/linux/filter.h -index 9b6908291de7..a91f2babf425 100644 ---- a/include/linux/filter.h -+++ b/include/linux/filter.h -@@ -692,11 +692,13 @@ static __always_inline u32 __bpf_prog_run(const struct bpf_prog *prog, - ret = dfunc(ctx, prog->insnsi, prog->bpf_func); - - duration = sched_clock() - start; -- stats = this_cpu_ptr(prog->stats); -- flags = u64_stats_update_begin_irqsave(&stats->syncp); -- u64_stats_inc(&stats->cnt); -- u64_stats_add(&stats->nsecs, duration); -- u64_stats_update_end_irqrestore(&stats->syncp, flags); -+ if (likely(prog->stats)) { -+ stats = this_cpu_ptr(prog->stats); -+ flags = u64_stats_update_begin_irqsave(&stats->syncp); -+ u64_stats_inc(&stats->cnt); -+ u64_stats_add(&stats->nsecs, duration); -+ u64_stats_update_end_irqrestore(&stats->syncp, flags); -+ } - } else { - ret = dfunc(ctx, prog->insnsi, prog->bpf_func); - } -diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c -index ba4543e771a6..04c8755c0b95 100644 ---- a/kernel/bpf/syscall.c -+++ b/kernel/bpf/syscall.c -@@ -2281,6 +2281,9 @@ void notrace bpf_prog_inc_misses_counter(struct bpf_prog *prog) - struct bpf_prog_stats *stats; - unsigned int flags; - -+ if (unlikely(!prog->stats)) -+ return; -+ - stats = this_cpu_ptr(prog->stats); - flags = u64_stats_update_begin_irqsave(&stats->syncp); - u64_stats_inc(&stats->misses); --- -2.43.0 - diff --git a/SPECS/kernel-rt/CVE-2025-68744.patch b/SPECS/kernel-rt/CVE-2025-68744.patch deleted file mode 100644 index 67f2b96abf..0000000000 --- a/SPECS/kernel-rt/CVE-2025-68744.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From 2be35b43c19a1faf7ffda7c42b82b65bc0f80c36 Mon Sep 17 00:00:00 2001 -From: Leon Hwang -Date: Wed, 5 Nov 2025 23:14:06 +0800 -Subject: [PATCH 03/45] bpf: Free special fields when update [lru_,]percpu_hash - maps - -As [lru_,]percpu_hash maps support BPF_KPTR_{REF,PERCPU}, missing -calls to 'bpf_obj_free_fields()' in 'pcpu_copy_value()' could cause the -memory referenced by BPF_KPTR_{REF,PERCPU} fields to be held until the -map gets freed. - -Fix this by calling 'bpf_obj_free_fields()' after -'copy_map_value[,_long]()' in 'pcpu_copy_value()'. - -Fixes: 65334e64a493 ("bpf: Support kptrs in percpu hashmap and percpu LRU hashmap") -Signed-off-by: Leon Hwang -Acked-by: Yonghong Song -Link: https://lore.kernel.org/r/20251105151407.12723-2-leon.hwang@linux.dev -Signed-off-by: Alexei Starovoitov ---- - kernel/bpf/hashtab.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - -diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c -index 570e2f723144..26883a997e71 100644 ---- a/kernel/bpf/hashtab.c -+++ b/kernel/bpf/hashtab.c -@@ -961,15 +961,21 @@ static void free_htab_elem(struct bpf_htab *htab, struct htab_elem *l) - static void pcpu_copy_value(struct bpf_htab *htab, void __percpu *pptr, - void *value, bool onallcpus) - { -+ void *ptr; -+ - if (!onallcpus) { - /* copy true value_size bytes */ -- copy_map_value(&htab->map, this_cpu_ptr(pptr), value); -+ ptr = this_cpu_ptr(pptr); -+ copy_map_value(&htab->map, ptr, value); -+ bpf_obj_free_fields(htab->map.record, ptr); - } else { - u32 size = round_up(htab->map.value_size, 8); - int off = 0, cpu; - - for_each_possible_cpu(cpu) { -- copy_map_value_long(&htab->map, per_cpu_ptr(pptr, cpu), value + off); -+ ptr = per_cpu_ptr(pptr, cpu); -+ copy_map_value_long(&htab->map, ptr, value + off); -+ bpf_obj_free_fields(htab->map.record, ptr); - off += size; - } - } --- -2.43.0 - 
diff --git a/SPECS/kernel-rt/CVE-2025-68768.patch b/SPECS/kernel-rt/CVE-2025-68768.patch new file mode 100644 index 0000000000..65e4deb39f --- /dev/null +++ b/SPECS/kernel-rt/CVE-2025-68768.patch 
@@ -0,0 +1,200 @@ +From b0eb6cf20f1f2a8687d785ddc7daf969f8929b2c Mon Sep 17 00:00:00 2001 +From: Jakub Kicinski +Date: Sat, 6 Dec 2025 17:09:41 -0800 +Subject: [PATCH 9/9] inet: frags: flush pending skbs in fqdir_pre_exit() + +We have been seeing occasional deadlocks on pernet_ops_rwsem since +September in NIPA. The stuck task was usually modprobe (often loading +a driver like ipvlan), trying to take the lock as a Writer. +lockdep does not track readers for rwsems so the read wasn't obvious +from the reports. + +On closer inspection the Reader holding the lock was conntrack looping +forever in nf_conntrack_cleanup_net_list(). Based on past experience +with occasional NIPA crashes I looked thru the tests which run before +the crash and noticed that the crash follows ip_defrag.sh. An immediate +red flag. Scouring thru (de)fragmentation queues reveals skbs sitting +around, holding conntrack references. + +The problem is that since conntrack depends on nf_defrag_ipv6, +nf_defrag_ipv6 will load first. Since nf_defrag_ipv6 loads first its +netns exit hooks run _after_ conntrack's netns exit hook. + +Flush all fragment queue SKBs during fqdir_pre_exit() to release +conntrack references before conntrack cleanup runs. Also flush +the queues in timer expiry handlers when they discover fqdir->dead +is set, in case packet sneaks in while we're running the pre_exit +flush. + +The commit under Fixes is not exactly the culprit, but I think +previously the timer firing would eventually unblock the spinning +conntrack. 
+ +Fixes: d5dd88794a13 ("inet: fix various use-after-free in defrags units") +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20251207010942.1672972-4-kuba@kernel.org +Signed-off-by: Jakub Kicinski +--- + include/net/inet_frag.h | 15 +++---------- + include/net/ipv6_frag.h | 9 +++++--- + net/ipv4/inet_fragment.c | 46 ++++++++++++++++++++++++++++++++++++++++ + net/ipv4/ip_fragment.c | 12 ++++++----- + 4 files changed, 62 insertions(+), 20 deletions(-) + +diff --git a/include/net/inet_frag.h b/include/net/inet_frag.h +index 5af6eb14c5db..5287ceb9f0d7 100644 +--- a/include/net/inet_frag.h ++++ b/include/net/inet_frag.h +@@ -123,18 +123,7 @@ void inet_frags_fini(struct inet_frags *); + + int fqdir_init(struct fqdir **fqdirp, struct inet_frags *f, struct net *net); + +-static inline void fqdir_pre_exit(struct fqdir *fqdir) +-{ +- /* Prevent creation of new frags. +- * Pairs with READ_ONCE() in inet_frag_find(). +- */ +- WRITE_ONCE(fqdir->high_thresh, 0); +- +- /* Pairs with READ_ONCE() in inet_frag_kill(), ip_expire() +- * and ip6frag_expire_frag_queue(). +- */ +- WRITE_ONCE(fqdir->dead, true); +-} ++void fqdir_pre_exit(struct fqdir *fqdir); + void fqdir_exit(struct fqdir *fqdir); + + void inet_frag_kill(struct inet_frag_queue *q); +@@ -144,6 +133,8 @@ struct inet_frag_queue *inet_frag_find(struct fqdir *fqdir, void *key); + /* Free all skbs in the queue; return the sum of their truesizes. 
*/ + unsigned int inet_frag_rbtree_purge(struct rb_root *root, + enum skb_drop_reason reason); ++void inet_frag_queue_flush(struct inet_frag_queue *q, ++ enum skb_drop_reason reason); + + static inline void inet_frag_put(struct inet_frag_queue *q) + { +diff --git a/include/net/ipv6_frag.h b/include/net/ipv6_frag.h +index 7321ffe3a108..df61b98b5215 100644 +--- a/include/net/ipv6_frag.h ++++ b/include/net/ipv6_frag.h +@@ -68,9 +68,6 @@ ip6frag_expire_frag_queue(struct net *net, struct frag_queue *fq) + struct sk_buff *head; + + rcu_read_lock(); +- /* Paired with the WRITE_ONCE() in fqdir_pre_exit(). */ +- if (READ_ONCE(fq->q.fqdir->dead)) +- goto out_rcu_unlock; + spin_lock(&fq->q.lock); + + if (fq->q.flags & INET_FRAG_COMPLETE) +@@ -79,6 +76,12 @@ ip6frag_expire_frag_queue(struct net *net, struct frag_queue *fq) + fq->q.flags |= INET_FRAG_DROP; + inet_frag_kill(&fq->q); + ++ /* Paired with the WRITE_ONCE() in fqdir_pre_exit(). */ ++ if (READ_ONCE(fq->q.fqdir->dead)) { ++ inet_frag_queue_flush(&fq->q, 0); ++ goto out; ++ } ++ + dev = dev_get_by_index_rcu(net, fq->iif); + if (!dev) + goto out; +diff --git a/net/ipv4/inet_fragment.c b/net/ipv4/inet_fragment.c +index d179a2c84222..cbe006276028 100644 +--- a/net/ipv4/inet_fragment.c ++++ b/net/ipv4/inet_fragment.c +@@ -219,6 +219,41 @@ static int __init inet_frag_wq_init(void) + + pure_initcall(inet_frag_wq_init); + ++void fqdir_pre_exit(struct fqdir *fqdir) ++{ ++ struct inet_frag_queue *fq; ++ struct rhashtable_iter hti; ++ ++ /* Prevent creation of new frags. ++ * Pairs with READ_ONCE() in inet_frag_find(). ++ */ ++ WRITE_ONCE(fqdir->high_thresh, 0); ++ ++ /* Pairs with READ_ONCE() in inet_frag_kill(), ip_expire() ++ * and ip6frag_expire_frag_queue(). 
++ */ ++ WRITE_ONCE(fqdir->dead, true); ++ ++ rhashtable_walk_enter(&fqdir->rhashtable, &hti); ++ rhashtable_walk_start(&hti); ++ ++ while ((fq = rhashtable_walk_next(&hti))) { ++ if (IS_ERR(fq)) { ++ if (PTR_ERR(fq) != -EAGAIN) ++ break; ++ continue; ++ } ++ spin_lock_bh(&fq->lock); ++ if (!(fq->flags & INET_FRAG_COMPLETE)) ++ inet_frag_queue_flush(fq, 0); ++ spin_unlock_bh(&fq->lock); ++ } ++ ++ rhashtable_walk_stop(&hti); ++ rhashtable_walk_exit(&hti); ++} ++EXPORT_SYMBOL(fqdir_pre_exit); ++ + void fqdir_exit(struct fqdir *fqdir) + { + INIT_WORK(&fqdir->destroy_work, fqdir_work_fn); +@@ -287,6 +322,17 @@ unsigned int inet_frag_rbtree_purge(struct rb_root *root, + } + EXPORT_SYMBOL(inet_frag_rbtree_purge); + ++void inet_frag_queue_flush(struct inet_frag_queue *q, ++ enum skb_drop_reason reason) ++{ ++ unsigned int sum; ++ ++ reason = reason ?: SKB_DROP_REASON_FRAG_REASM_TIMEOUT; ++ sum = inet_frag_rbtree_purge(&q->rb_fragments, reason); ++ sub_frag_mem_limit(q->fqdir, sum); ++} ++EXPORT_SYMBOL(inet_frag_queue_flush); ++ + void inet_frag_destroy(struct inet_frag_queue *q) + { + unsigned int sum, sum_truesize = 0; +diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c +index 183856b0b740..13f7aaf79f03 100644 +--- a/net/ipv4/ip_fragment.c ++++ b/net/ipv4/ip_fragment.c +@@ -148,11 +148,6 @@ static void ip_expire(struct timer_list *t) + net = qp->q.fqdir->net; + + rcu_read_lock(); +- +- /* Paired with WRITE_ONCE() in fqdir_pre_exit(). */ +- if (READ_ONCE(qp->q.fqdir->dead)) +- goto out_rcu_unlock; +- + spin_lock(&qp->q.lock); + + if (qp->q.flags & INET_FRAG_COMPLETE) +@@ -160,6 +155,13 @@ static void ip_expire(struct timer_list *t) + + qp->q.flags |= INET_FRAG_DROP; + ipq_kill(qp); ++ ++ /* Paired with WRITE_ONCE() in fqdir_pre_exit(). */ ++ if (READ_ONCE(qp->q.fqdir->dead)) { ++ inet_frag_queue_flush(&qp->q, 0); ++ goto out; ++ } ++ + __IP_INC_STATS(net, IPSTATS_MIB_REASMFAILS); + __IP_INC_STATS(net, IPSTATS_MIB_REASMTIMEOUT); + +-- +2.43.0 + 
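Review bot: `inet_frag_queue_flush()` is exported without any comment stating its contract, and every new caller passes a bare `0` as the drop reason, which the helper quietly turns into `SKB_DROP_REASON_FRAG_REASM_TIMEOUT` via `reason = reason ?: ...`. Fragments purged by `fqdir_pre_exit()` during netns teardown are therefore reported to drop-reason tracing as reassembly timeouts, which can mislead anyone who watches those reasons to spot fragmentation abuse. I would add a kernel-doc block above the definition in net/ipv4/inet_fragment.c covering three things: the caller holds `q->lock` (as all three call sites in this patch do), a zero reason selects the timeout default, and the purged truesize is subtracted through `sub_frag_mem_limit()`. `ip_expire()` and `ip6frag_expire_frag_queue()` both extend outside their hunks.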
diff --git a/SPECS/kernel-rt/CVE-2025-68823.patch b/SPECS/kernel-rt/CVE-2025-68823.patch new file mode 100644 index 0000000000..3f644d17c5 --- /dev/null +++ b/SPECS/kernel-rt/CVE-2025-68823.patch 
@@ -0,0 +1,104 @@ +From e5245e86825a5c453b7a4330de35a2843a44d21c Mon Sep 17 00:00:00 2001 +From: Ming Lei +Date: Fri, 12 Dec 2025 22:34:15 +0800 +Subject: [PATCH 7/9] ublk: fix deadlock when reading partition table + +When one process(such as udev) opens ublk block device (e.g., to read +the partition table via bdev_open()), a deadlock[1] can occur: + +1. bdev_open() grabs disk->open_mutex +2. The process issues read I/O to ublk backend to read partition table +3. In __ublk_complete_rq(), blk_update_request() or blk_mq_end_request() + runs bio->bi_end_io() callbacks +4. If this triggers fput() on file descriptor of ublk block device, the + work may be deferred to current task's task work (see fput() implementation) +5. This eventually calls blkdev_release() from the same context +6. blkdev_release() tries to grab disk->open_mutex again +7. Deadlock: same task waiting for a mutex it already holds + +The fix is to run blk_update_request() and blk_mq_end_request() with bottom +halves disabled. This forces blkdev_release() to run in kernel work-queue +context instead of current task work context, and allows ublk server to make +forward progress, and avoids the deadlock. 
+ +Fixes: 71f28f3136af ("ublk_drv: add io_uring based userspace block driver") +Link: https://github.com/ublk-org/ublksrv/issues/170 [1] +Signed-off-by: Ming Lei +Reviewed-by: Caleb Sander Mateos +[axboe: rewrite comment in ublk] +Signed-off-by: Jens Axboe +--- + drivers/block/ublk_drv.c | 30 +++++++++++++++++++++++++++--- + 1 file changed, 27 insertions(+), 3 deletions(-) + +diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c +index b874cb84bad9..2d46383e8d26 100644 +--- a/drivers/block/ublk_drv.c ++++ b/drivers/block/ublk_drv.c +@@ -1020,6 +1020,13 @@ static inline bool ubq_daemon_is_dying(struct ublk_queue *ubq) + return ubq->ubq_daemon->flags & PF_EXITING; + } + ++static void ublk_end_request(struct request *req, blk_status_t error) ++{ ++ local_bh_disable(); ++ blk_mq_end_request(req, error); ++ local_bh_enable(); ++} ++ + /* todo: handle partial completion */ + static inline void __ublk_complete_rq(struct request *req) + { +@@ -1027,6 +1034,7 @@ static inline void __ublk_complete_rq(struct request *req) + struct ublk_io *io = &ubq->ios[req->tag]; + unsigned int unmapped_bytes; + blk_status_t res = BLK_STS_OK; ++ bool requeue; + + /* called from ublk_abort_queue() code path */ + if (io->flags & UBLK_IO_FLAG_ABORTED) { +@@ -1064,14 +1072,30 @@ static inline void __ublk_complete_rq(struct request *req) + if (unlikely(unmapped_bytes < io->res)) + io->res = unmapped_bytes; + +- if (blk_update_request(req, BLK_STS_OK, io->res)) ++ /* ++ * Run bio->bi_end_io() with softirqs disabled. If the final fput ++ * happens off this path, then that will prevent ublk's blkdev_release() ++ * from being called on current's task work, see fput() implementation. ++ * ++ * Otherwise, ublk server may not provide forward progress in case of ++ * reading the partition table from bdev_open() with disk->open_mutex ++ * held, and causes dead lock as we could already be holding ++ * disk->open_mutex here. 
++ * ++ * Preferably we would not be doing IO with a mutex held that is also ++ * used for release, but this work-around will suffice for now. ++ */ ++ local_bh_disable(); ++ requeue = blk_update_request(req, BLK_STS_OK, io->res); ++ local_bh_enable(); ++ if (requeue) + blk_mq_requeue_request(req, true); + else + __blk_mq_end_request(req, BLK_STS_OK); + + return; + exit: +- blk_mq_end_request(req, res); ++ ublk_end_request(req, res); + } + + static void ublk_complete_rq(struct kref *ref) +@@ -1149,7 +1173,7 @@ static inline void __ublk_abort_rq(struct ublk_queue *ubq, + if (ublk_nosrv_dev_should_queue_io(ubq->dev)) + blk_mq_requeue_request(rq, false); + else +- blk_mq_end_request(rq, BLK_STS_IOERR); ++ ublk_end_request(rq, BLK_STS_IOERR); + } + + static inline void __ublk_rq_task_work(struct request *req, +-- +2.43.0 + diff --git a/SPECS/kernel-rt/CVE-2025-71074.patch b/SPECS/kernel-rt/CVE-2025-71074.patch new file mode 100644 index 0000000000..7ffcae08b7 --- /dev/null +++ b/SPECS/kernel-rt/CVE-2025-71074.patch 
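Review bot: The new `ublk_end_request()` helper has no comment, so the reason it wraps `blk_mq_end_request()` in `local_bh_disable()`/`local_bh_enable()` can only be found in the long comment inside `__ublk_complete_rq()`. Someone later tidying the `exit:` path or `__ublk_abort_rq()` could swap it back to a direct `blk_mq_end_request()` call and reintroduce the `disk->open_mutex` deadlock the description explains. I would add above the helper: `/* End the request with BHs disabled so a final fput() is not run from current's task work; see __ublk_complete_rq(). */`. Both `__ublk_complete_rq()` and `__ublk_abort_rq()` begin or end outside their hunks.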
@@ -0,0 +1,137 @@ +From 60188d3e31ae3865f777f746d8ca751a1294f3e7 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Fri, 14 Nov 2025 02:18:22 -0500 +Subject: [PATCH 8/9] functionfs: fix the open/removal races + +ffs_epfile_open() can race with removal, ending up with file->private_data +pointing to freed object. + +There is a total count of opened files on functionfs (both ep0 and +dynamic ones) and when it hits zero, dynamic files get removed. +Unfortunately, that removal can happen while another thread is +in ffs_epfile_open(), but has not incremented the count yet. +In that case open will succeed, leaving us with UAF on any subsequent +read() or write(). + +The root cause is that ffs->opened is misused; atomic_dec_and_test() vs. +atomic_add_return() is not a good idea, when object remains visible all +along. + +To untangle that + * serialize openers on ffs->mutex (both for ep0 and for dynamic files) + * have dynamic ones use atomic_inc_not_zero() and fail if we had +zero ->opened; in that case the file we are opening is doomed. + * have the inodes of dynamic files marked on removal (from the +callback of simple_recursive_removal()) - clear ->i_private there. + * have open of dynamic ones verify they hadn't been already removed, +along with checking that state is FFS_ACTIVE. 
+ +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Al Viro +--- + drivers/usb/gadget/function/f_fs.c | 54 ++++++++++++++++++++++++------ + 1 file changed, 43 insertions(+), 11 deletions(-) + +diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c +index f7be1548cc18..00e00f451dbd 100644 +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -640,13 +640,22 @@ static ssize_t ffs_ep0_read(struct file *file, char __user *buf, + + static int ffs_ep0_open(struct inode *inode, struct file *file) + { +- struct ffs_data *ffs = inode->i_private; ++ struct ffs_data *ffs = inode->i_sb->s_fs_info; ++ int ret; + +- if (ffs->state == FFS_CLOSING) +- return -EBUSY; ++ /* Acquire mutex */ ++ ret = ffs_mutex_lock(&ffs->mutex, file->f_flags & O_NONBLOCK); ++ if (ret < 0) ++ return ret; + +- file->private_data = ffs; + ffs_data_opened(ffs); ++ if (ffs->state == FFS_CLOSING) { ++ ffs_data_closed(ffs); ++ mutex_unlock(&ffs->mutex); ++ return -EBUSY; ++ } ++ mutex_unlock(&ffs->mutex); ++ file->private_data = ffs; + + return stream_open(inode, file); + } +@@ -1197,14 +1206,33 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data) + static int + ffs_epfile_open(struct inode *inode, struct file *file) + { +- struct ffs_epfile *epfile = inode->i_private; ++ struct ffs_data *ffs = inode->i_sb->s_fs_info; ++ struct ffs_epfile *epfile; ++ int ret; + +- if (WARN_ON(epfile->ffs->state != FFS_ACTIVE)) ++ /* Acquire mutex */ ++ ret = ffs_mutex_lock(&ffs->mutex, file->f_flags & O_NONBLOCK); ++ if (ret < 0) ++ return ret; ++ ++ if (!atomic_inc_not_zero(&ffs->opened)) { ++ mutex_unlock(&ffs->mutex); ++ return -ENODEV; ++ } ++ /* ++ * we want the state to be FFS_ACTIVE; FFS_ACTIVE alone is ++ * not enough, though - we might have been through FFS_CLOSING ++ * and back to FFS_ACTIVE, with our file already removed. 
++ */ ++ epfile = smp_load_acquire(&inode->i_private); ++ if (unlikely(ffs->state != FFS_ACTIVE || !epfile)) { ++ mutex_unlock(&ffs->mutex); ++ ffs_data_closed(ffs); + return -ENODEV; ++ } ++ mutex_unlock(&ffs->mutex); + + file->private_data = epfile; +- ffs_data_opened(epfile->ffs); +- + return stream_open(inode, file); + } + +@@ -1342,7 +1370,7 @@ static void ffs_dmabuf_put(struct dma_buf_attachment *attach) + static int + ffs_epfile_release(struct inode *inode, struct file *file) + { +- struct ffs_epfile *epfile = inode->i_private; ++ struct ffs_epfile *epfile = file->private_data; + struct ffs_dmabuf_priv *priv, *tmp; + struct ffs_data *ffs = epfile->ffs; + +@@ -2362,6 +2390,11 @@ static int ffs_epfiles_create(struct ffs_data *ffs) + return 0; + } + ++static void clear_one(struct dentry *dentry) ++{ ++ smp_store_release(&dentry->d_inode->i_private, NULL); ++} ++ + static void ffs_epfiles_destroy(struct ffs_epfile *epfiles, unsigned count) + { + struct ffs_epfile *epfile = epfiles; +@@ -2369,8 +2402,7 @@ static void ffs_epfiles_destroy(struct ffs_epfile *epfiles, unsigned count) + for (; count; --count, ++epfile) { + BUG_ON(mutex_is_locked(&epfile->mutex)); + if (epfile->dentry) { +- d_delete(epfile->dentry); +- dput(epfile->dentry); ++ simple_recursive_removal(epfile->dentry, clear_one); + epfile->dentry = NULL; + } + } +-- +2.43.0 + diff --git a/SPECS/kernel-rt/CVE-2025-71161.patch b/SPECS/kernel-rt/CVE-2025-71161.patch new file mode 100644 index 0000000000..853bc5cb32 --- /dev/null +++ b/SPECS/kernel-rt/CVE-2025-71161.patch 
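Review bot: `clear_one()` and the `smp_load_acquire(&inode->i_private)` in `ffs_epfile_open()` form a release/acquire pair, but neither side says so and the callback's name gives no hint of what it clears. I would document it above the callback as `/* Mark the inode as removed; pairs with smp_load_acquire() in ffs_epfile_open(). */`. `ffs_epfile_release()` now reads `file->private_data` instead of `inode->i_private`, and a short `/* i_private may already be cleared by removal */` would stop that from being "simplified" back. The two `/* Acquire mutex */` comments only restate the call and could be dropped. The failure paths also differ: `ffs_ep0_open()` calls `ffs_data_closed()` before `mutex_unlock(&ffs->mutex)` and `ffs_epfile_open()` calls it after, so if that ordering is deliberate it deserves a one-line explanation.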
@@ -0,0 +1,76 @@ +From df13aca7214e72e11d9ca8abd849cf5ce379f89a Mon Sep 17 00:00:00 2001 +From: "LIOU, Mei Fan" +Date: Wed, 28 Jan 2026 20:43:52 -0800 +Subject: [PATCH 6/9] dm-verity: disable recursive forward error correction + +There are two problems with the recursive correction: + +1. It may cause denial-of-service. In fec_read_bufs, there is a loop that +has 253 iterations. For each iteration, we may call verity_hash_for_block +recursively. There is a limit of 4 nested recursions - that means that +there may be at most 253^4 (4 billion) iterations. Red Hat QE team +actually created an image that pushes dm-verity to this limit - and this +image just makes the udev-worker process get stuck in the 'D' state. + +2. It doesn't work. In fec_read_bufs we store data into the variable +"fio->bufs", but fio bufs is shared between recursive invocations, if +"verity_hash_for_block" invoked correction recursively, it would +overwrite partially filled fio->bufs. + +Signed-off-by: Mikulas Patocka +Reported-by: Guangwu Zhang +Reviewed-by: Sami Tolvanen +Reviewed-by: Eric Biggers +(cherry picked from commit d9f3e47d3fae0c101d9094bc956ed24e7a0ee801) +--- + drivers/md/dm-verity-fec.c | 4 +--- + drivers/md/dm-verity-fec.h | 3 --- + drivers/md/dm-verity-target.c | 2 +- + 3 files changed, 2 insertions(+), 7 deletions(-) + +diff --git a/drivers/md/dm-verity-fec.c b/drivers/md/dm-verity-fec.c +index 7d477ff6f26b..c55f454ff979 100644 +--- a/drivers/md/dm-verity-fec.c ++++ b/drivers/md/dm-verity-fec.c +@@ -424,10 +424,8 @@ int verity_fec_decode(struct dm_verity *v, struct dm_verity_io *io, + if (!verity_fec_is_enabled(v)) + return -EOPNOTSUPP; + +- if (fio->level >= DM_VERITY_FEC_MAX_RECURSION) { +- DMWARN_LIMIT("%s: FEC: recursion too deep", v->data_dev->name); ++ if (fio->level) + return -EIO; +- } + + fio->level++; + +diff --git a/drivers/md/dm-verity-fec.h b/drivers/md/dm-verity-fec.h +index 09123a612953..ec37e607cb3f 100644 +--- a/drivers/md/dm-verity-fec.h ++++ 
b/drivers/md/dm-verity-fec.h +@@ -23,9 +23,6 @@ + #define DM_VERITY_FEC_BUF_MAX \ + (1 << (PAGE_SHIFT - DM_VERITY_FEC_BUF_RS_BITS)) + +-/* maximum recursion level for verity_fec_decode */ +-#define DM_VERITY_FEC_MAX_RECURSION 4 +- + #define DM_VERITY_OPT_FEC_DEV "use_fec_from_device" + #define DM_VERITY_OPT_FEC_BLOCKS "fec_blocks" + #define DM_VERITY_OPT_FEC_START "fec_start" +diff --git a/drivers/md/dm-verity-target.c b/drivers/md/dm-verity-target.c +index ce0462e751a6..05101e8671db 100644 +--- a/drivers/md/dm-verity-target.c ++++ b/drivers/md/dm-verity-target.c +@@ -1774,7 +1774,7 @@ static struct target_type verity_target = { + .name = "verity", + /* Note: the LSMs depend on the singleton and immutable features */ + .features = DM_TARGET_SINGLETON | DM_TARGET_IMMUTABLE, +- .version = {1, 10, 0}, ++ .version = {1, 13, 0}, + .module = THIS_MODULE, + .ctr = verity_ctr, + .dtr = verity_dtr, +-- +2.43.0 + diff --git a/SPECS/kernel-rt/CVE-2026-22981.patch b/SPECS/kernel-rt/CVE-2026-22981.patch new file mode 100644 index 0000000000..190a1400e1 --- /dev/null +++ b/SPECS/kernel-rt/CVE-2026-22981.patch 
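Review bot: The new guard `if (fio->level) return -EIO;` in `verity_fec_decode()` replaces a named limit and a rate-limited warning with a bare test, and nothing at the site says why nested correction is now refused. I would add `/* No recursive FEC: fio->bufs is shared between nested calls, and nesting let a crafted image stall I/O. */` above it, since the reasoning otherwise lives only in the commit message. With `DMWARN_LIMIT` removed the refusal is also silent, so it is worth confirming that the resulting `-EIO` is still logged somewhere an operator will see it. Separately, `.version` jumps from `{1, 10, 0}` to `{1, 13, 0}`; if this tree lacks the changes behind the intermediate versions, userspace that keys features off the target version could assume support that is absent, so the backport should confirm the number. `verity_fec_decode()` continues outside the hunk.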
@@ -0,0 +1,269 @@ +From eb33176264cced7681a9913fed2894b4d8f5828c Mon Sep 17 00:00:00 2001 +From: Emil Tantilov +Date: Thu, 20 Nov 2025 16:12:15 -0800 +Subject: [PATCH 2/9] idpf: detach and close netdevs while handling a reset + +Protect the reset path from callbacks by setting the netdevs to detached +state and close any netdevs in UP state until the reset handling has +completed. During a reset, the driver will de-allocate resources for the +vport, and there is no guarantee that those will recover, which is why the +existing vport_ctrl_lock does not provide sufficient protection. + +idpf_detach_and_close() is called right before reset handling. If the +reset handling succeeds, the netdevs state is recovered via call to +idpf_attach_and_open(). If the reset handling fails the netdevs remain +down. The detach/down calls are protected with RTNL lock to avoid racing +with callbacks. On the recovery side the attach can be done without +holding the RTNL lock as there are no callbacks expected at that point, +due to detach/close always being done first in that flow. + +The previous logic restoring the netdevs state based on the +IDPF_VPORT_UP_REQUESTED flag in the init task is not needed anymore, hence +the removal of idpf_set_vport_state(). The IDPF_VPORT_UP_REQUESTED is +still being used to restore the state of the netdevs following the reset, +but has no use outside of the reset handling flow. + +idpf_init_hard_reset() is converted to void, since it was used as such and +there is no error handling being done based on its return value. 
+ +Before this change, invoking hard and soft resets simultaneously will +cause the driver to lose the vport state: +ip -br a + UP +echo 1 > /sys/class/net/ens801f0/device/reset& \ +ethtool -L ens801f0 combined 8 +ip -br a + DOWN +ip link set up +ip -br a + DOWN + +Also in case of a failure in the reset path, the netdev is left +exposed to external callbacks, while vport resources are not +initialized, leading to a crash on subsequent ifup/down: +[408471.398966] idpf 0000:83:00.0: HW reset detected +[408471.411744] idpf 0000:83:00.0: Device HW Reset initiated +[408472.277901] idpf 0000:83:00.0: The driver was unable to contact the device's firmware. Check that the FW is running. Driver state= 0x2 +[408508.125551] BUG: kernel NULL pointer dereference, address: 0000000000000078 +[408508.126112] #PF: supervisor read access in kernel mode +[408508.126687] #PF: error_code(0x0000) - not-present page +[408508.127256] PGD 2aae2f067 P4D 0 +[408508.127824] Oops: Oops: 0000 [#1] SMP NOPTI +... +[408508.130871] RIP: 0010:idpf_stop+0x39/0x70 [idpf] +... +[408508.139193] Call Trace: +[408508.139637] +[408508.140077] __dev_close_many+0xbb/0x260 +[408508.140533] __dev_change_flags+0x1cf/0x280 +[408508.140987] netif_change_flags+0x26/0x70 +[408508.141434] dev_change_flags+0x3d/0xb0 +[408508.141878] devinet_ioctl+0x460/0x890 +[408508.142321] inet_ioctl+0x18e/0x1d0 +[408508.142762] ? _copy_to_user+0x22/0x70 +[408508.143207] sock_do_ioctl+0x3d/0xe0 +[408508.143652] sock_ioctl+0x10e/0x330 +[408508.144091] ? 
find_held_lock+0x2b/0x80 +[408508.144537] __x64_sys_ioctl+0x96/0xe0 +[408508.144979] do_syscall_64+0x79/0x3d0 +[408508.145415] entry_SYSCALL_64_after_hwframe+0x76/0x7e +[408508.145860] RIP: 0033:0x7f3e0bb4caff + +Fixes: 0fe45467a104 ("idpf: add create vport and netdev configuration") +Signed-off-by: Emil Tantilov +Reviewed-by: Madhu Chittim +Tested-by: Samuel Salin +Signed-off-by: Tony Nguyen +--- + drivers/net/ethernet/intel/idpf/idpf_lib.c | 116 +++++++++++++-------- + 1 file changed, 71 insertions(+), 45 deletions(-) + +diff --git a/drivers/net/ethernet/intel/idpf/idpf_lib.c b/drivers/net/ethernet/intel/idpf/idpf_lib.c +index a0677b327783..bba7b06c8153 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_lib.c ++++ b/drivers/net/ethernet/intel/idpf/idpf_lib.c +@@ -693,6 +693,65 @@ static int idpf_init_mac_addr(struct idpf_vport *vport, + return 0; + } + ++static void idpf_detach_and_close(struct idpf_adapter *adapter) ++{ ++ int max_vports = adapter->max_vports; ++ ++ for (int i = 0; i < max_vports; i++) { ++ struct net_device *netdev = adapter->netdevs[i]; ++ ++ /* If the interface is in detached state, that means the ++ * previous reset was not handled successfully for this ++ * vport. ++ */ ++ if (!netif_device_present(netdev)) ++ continue; ++ ++ /* Hold RTNL to protect racing with callbacks */ ++ rtnl_lock(); ++ netif_device_detach(netdev); ++ if (netif_running(netdev)) { ++ set_bit(IDPF_VPORT_UP_REQUESTED, ++ adapter->vport_config[i]->flags); ++ dev_close(netdev); ++ } ++ rtnl_unlock(); ++ } ++} ++ ++static void idpf_attach_and_open(struct idpf_adapter *adapter) ++{ ++ int max_vports = adapter->max_vports; ++ ++ for (int i = 0; i < max_vports; i++) { ++ struct idpf_vport *vport = adapter->vports[i]; ++ struct idpf_vport_config *vport_config; ++ struct net_device *netdev; ++ ++ /* In case of a critical error in the init task, the vport ++ * will be freed. Only continue to restore the netdevs ++ * if the vport is allocated. 
++ */ ++ if (!vport) ++ continue; ++ ++ /* No need for RTNL on attach as this function is called ++ * following detach and dev_close(). We do take RTNL for ++ * dev_open() below as it can race with external callbacks ++ * following the call to netif_device_attach(). ++ */ ++ netdev = adapter->netdevs[i]; ++ netif_device_attach(netdev); ++ vport_config = adapter->vport_config[vport->idx]; ++ if (test_and_clear_bit(IDPF_VPORT_UP_REQUESTED, ++ vport_config->flags)) { ++ rtnl_lock(); ++ dev_open(netdev, NULL); ++ rtnl_unlock(); ++ } ++ } ++} ++ + /** + * idpf_cfg_netdev - Allocate, configure and register a netdev + * @vport: main vport structure +@@ -986,10 +1045,11 @@ static void idpf_vport_dealloc(struct idpf_vport *vport) + unsigned int i = vport->idx; + + idpf_deinit_mac_addr(vport); +- idpf_vport_stop(vport); + +- if (!test_bit(IDPF_HR_RESET_IN_PROG, adapter->flags)) ++ if (!test_bit(IDPF_HR_RESET_IN_PROG, adapter->flags)) { ++ idpf_vport_stop(vport); + idpf_decfg_netdev(vport); ++ } + if (test_bit(IDPF_REMOVE_IN_PROG, adapter->flags)) + idpf_del_all_mac_filters(vport); + +@@ -1467,7 +1527,6 @@ void idpf_init_task(struct work_struct *work) + struct idpf_vport_config *vport_config; + struct idpf_vport_max_q max_q; + struct idpf_adapter *adapter; +- struct idpf_netdev_priv *np; + struct idpf_vport *vport; + u16 num_default_vports; + struct pci_dev *pdev; +@@ -1524,12 +1583,6 @@ void idpf_init_task(struct work_struct *work) + if (idpf_cfg_netdev(vport)) + goto unwind_vports; + +- /* Once state is put into DOWN, driver is ready for dev_open */ +- np = netdev_priv(vport->netdev); +- np->state = __IDPF_VPORT_DOWN; +- if (test_and_clear_bit(IDPF_VPORT_UP_REQUESTED, vport_config->flags)) +- idpf_vport_open(vport); +- + /* Spawn and return 'idpf_init_task' work queue until all the + * default vports are created + */ +@@ -1696,27 +1749,6 @@ static int idpf_check_reset_complete(struct idpf_hw *hw, + return -EBUSY; + } + +-/** +- * idpf_set_vport_state - Set the vport state 
to be after the reset +- * @adapter: Driver specific private structure +- */ +-static void idpf_set_vport_state(struct idpf_adapter *adapter) +-{ +- u16 i; +- +- for (i = 0; i < adapter->max_vports; i++) { +- struct idpf_netdev_priv *np; +- +- if (!adapter->netdevs[i]) +- continue; +- +- np = netdev_priv(adapter->netdevs[i]); +- if (np->state == __IDPF_VPORT_UP) +- set_bit(IDPF_VPORT_UP_REQUESTED, +- adapter->vport_config[i]->flags); +- } +-} +- + /** + * idpf_init_hard_reset - Initiate a hardware reset + * @adapter: Driver specific private structure +@@ -1725,35 +1757,23 @@ static void idpf_set_vport_state(struct idpf_adapter *adapter) + * reallocate. Also reinitialize the mailbox. Return 0 on success, + * negative on failure. + */ +-static int idpf_init_hard_reset(struct idpf_adapter *adapter) ++static void idpf_init_hard_reset(struct idpf_adapter *adapter) + { + struct idpf_reg_ops *reg_ops = &adapter->dev_ops.reg_ops; + struct device *dev = &adapter->pdev->dev; +- struct net_device *netdev; + int err; +- u16 i; + ++ idpf_detach_and_close(adapter); + mutex_lock(&adapter->vport_ctrl_lock); + + dev_info(dev, "Device HW Reset initiated\n"); + +- /* Avoid TX hangs on reset */ +- for (i = 0; i < adapter->max_vports; i++) { +- netdev = adapter->netdevs[i]; +- if (!netdev) +- continue; +- +- netif_carrier_off(netdev); +- netif_tx_disable(netdev); +- } +- + /* Prepare for reset */ + if (test_and_clear_bit(IDPF_HR_DRV_LOAD, adapter->flags)) { + reg_ops->trigger_reset(adapter, IDPF_HR_DRV_LOAD); + } else if (test_and_clear_bit(IDPF_HR_FUNC_RESET, adapter->flags)) { + bool is_reset = idpf_is_reset_detected(adapter); + +- idpf_set_vport_state(adapter); + idpf_vc_core_deinit(adapter); + if (!is_reset) + reg_ops->trigger_reset(adapter, IDPF_HR_FUNC_RESET); +@@ -1800,7 +1820,13 @@ static int idpf_init_hard_reset(struct idpf_adapter *adapter) + unlock_mutex: + mutex_unlock(&adapter->vport_ctrl_lock); + +- return err; ++ /* Attempt to restore netdevs and initialize RDMA CORE AUX 
device, ++ * provided vc_core_init succeeded. It is still possible that ++ * vports are not allocated at this point if the init task failed. ++ */ ++ if (!err) { ++ idpf_attach_and_open(adapter); ++ } + } + + /** +-- +2.43.0 + diff --git a/SPECS/kernel-rt/CVE-2026-22985.patch b/SPECS/kernel-rt/CVE-2026-22985.patch new file mode 100644 index 0000000000..6023b558a9 --- /dev/null +++ b/SPECS/kernel-rt/CVE-2026-22985.patch 
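Review bot: `idpf_detach_and_close()` passes `adapter->netdevs[i]` straight to `netif_device_present()` with no NULL check, although the loops this patch removes from `idpf_init_hard_reset()` and `idpf_set_vport_state()` both skipped NULL entries, which suggests a slot can be empty. A reset that arrives before every vport has a netdev would then dereference NULL in the reset path, so the guard should read `if (!netdev || !netif_device_present(netdev)) continue;`. The kernel-doc above `idpf_init_hard_reset()` still says "Return 0 on success, negative on failure" although the function is now `void`. The result of `dev_open()` in `idpf_attach_and_open()` is also discarded, so a vport that fails to come back after a reset leaves no trace in the log.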
@@ -0,0 +1,255 @@
+From bf5c1e9b7788995bbf0491635b3c65f3de8f59c8 Mon Sep 17 00:00:00 2001
+From: Emil Tantilov
+Date: Tue, 25 Nov 2025 14:36:24 -0800
+Subject: [PATCH 3/9] idpf: convert vport state to bitmap
+
+Convert vport state to a bitmap and remove the DOWN state which is
+redundant in the existing logic. There are no functional changes aside
+from the use of bitwise operations when setting and checking the states.
+Removed the double underscore to be consistent with the naming of other
+bitmaps in the header and renamed current_state to vport_is_up to match
+the meaning of the new variable.
+
+Reviewed-by: Przemek Kitszel
+Reviewed-by: Aleksandr Loktionov
+Reviewed-by: Chittim Madhu
+Signed-off-by: Emil Tantilov
+Tested-by: Samuel Salin
+Signed-off-by: Tony Nguyen
+Link: https://patch.msgid.link/20251125223632.1857532-6-anthony.l.nguyen@intel.com
+Signed-off-by: Jakub Kicinski
+---
+ drivers/net/ethernet/intel/idpf/idpf.h | 12 +++++------
+ .../net/ethernet/intel/idpf/idpf_ethtool.c | 10 +++++-----
+ drivers/net/ethernet/intel/idpf/idpf_lib.c | 20 +++++++++----------
+ .../ethernet/intel/idpf/idpf_singleq_txrx.c | 2 +-
+ drivers/net/ethernet/intel/idpf/idpf_txrx.c | 2 +-
+ .../net/ethernet/intel/idpf/idpf_virtchnl.c | 4 ++--
+ 6 files changed, 24 insertions(+), 26 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/idpf/idpf.h b/drivers/net/ethernet/intel/idpf/idpf.h
+index f4d51c885f33..44db60611178 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf.h
++++ b/drivers/net/ethernet/intel/idpf/idpf.h
+@@ -126,14 +126,12 @@ enum idpf_cap_field {
+
+ /**
+ * enum idpf_vport_state - Current vport state
+- * @__IDPF_VPORT_DOWN: Vport is down
+- * @__IDPF_VPORT_UP: Vport is up
+- * @__IDPF_VPORT_STATE_LAST: Must be last, number of states
++ * @IDPF_VPORT_UP: Vport is up
++ * @IDPF_VPORT_STATE_NBITS: Must be last, number of states
+ */
+ enum idpf_vport_state {
+- __IDPF_VPORT_DOWN,
+- __IDPF_VPORT_UP,
+- __IDPF_VPORT_STATE_LAST,
++ IDPF_VPORT_UP,
++ IDPF_VPORT_STATE_NBITS
+ };
+
+ /**
+@@ -157,7 +155,7 @@ struct idpf_netdev_priv {
+ u16 vport_idx;
+ u16 max_tx_hdr_size;
+ u16 tx_max_bufs;
+- enum idpf_vport_state state;
++ DECLARE_BITMAP(state, IDPF_VPORT_STATE_NBITS);
+ struct rtnl_link_stats64 netstats;
+ spinlock_t stats_lock;
+ };
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_ethtool.c b/drivers/net/ethernet/intel/idpf/idpf_ethtool.c
+index f0f0ced0d95f..58e2894cbe54 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_ethtool.c
++++ b/drivers/net/ethernet/intel/idpf/idpf_ethtool.c
+@@ -98,7 +98,7 @@ static int idpf_get_rxfh(struct net_device *netdev,
+ }
+
+ rss_data = &adapter->vport_config[np->vport_idx]->user_config.rss_data;
+- if (np->state != __IDPF_VPORT_UP)
++ if (!test_bit(IDPF_VPORT_UP, np->state))
+ goto unlock_mutex;
+
+ rxfh->hfunc = ETH_RSS_HASH_TOP;
+@@ -148,7 +148,7 @@ static int idpf_set_rxfh(struct net_device *netdev,
+ }
+
+ rss_data = &adapter->vport_config[vport->idx]->user_config.rss_data;
+- if (np->state != __IDPF_VPORT_UP)
++ if (!test_bit(IDPF_VPORT_UP, np->state))
+ goto unlock_mutex;
+
+ if (rxfh->hfunc != ETH_RSS_HASH_NO_CHANGE &&
+@@ -879,7 +879,7 @@ static void idpf_get_ethtool_stats(struct net_device *netdev,
+ idpf_vport_ctrl_lock(netdev);
+ vport = idpf_netdev_to_vport(netdev);
+
+- if (np->state != __IDPF_VPORT_UP) {
++ if (!test_bit(IDPF_VPORT_UP, np->state)) {
+ idpf_vport_ctrl_unlock(netdev);
+
+ return;
+@@ -1031,7 +1031,7 @@ static int idpf_get_q_coalesce(struct net_device *netdev,
+ idpf_vport_ctrl_lock(netdev);
+ vport = idpf_netdev_to_vport(netdev);
+
+- if (np->state != __IDPF_VPORT_UP)
++ if (!test_bit(IDPF_VPORT_UP, np->state))
+ goto unlock_mutex;
+
+ if (q_num >= vport->num_rxq && q_num >= vport->num_txq) {
+@@ -1219,7 +1219,7 @@ static int idpf_set_coalesce(struct net_device *netdev,
+ idpf_vport_ctrl_lock(netdev);
+ vport = idpf_netdev_to_vport(netdev);
+
+- if (np->state != __IDPF_VPORT_UP)
++ if (!test_bit(IDPF_VPORT_UP, np->state))
+ goto unlock_mutex;
+
+ for (i = 0; i < vport->num_txq; i++) {
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_lib.c b/drivers/net/ethernet/intel/idpf/idpf_lib.c
+index bba7b06c8153..73efbfc773b6 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_lib.c
++++ b/drivers/net/ethernet/intel/idpf/idpf_lib.c
+@@ -483,7 +483,7 @@ static int idpf_del_mac_filter(struct idpf_vport *vport,
+ }
+ spin_unlock_bh(&vport_config->mac_filter_list_lock);
+
+- if (np->state == __IDPF_VPORT_UP) {
++ if (test_bit(IDPF_VPORT_UP, np->state)) {
+ int err;
+
+ err = idpf_add_del_mac_filters(vport, np, false, async);
+@@ -554,7 +554,7 @@ static int idpf_add_mac_filter(struct idpf_vport *vport,
+ if (err)
+ return err;
+
+- if (np->state == __IDPF_VPORT_UP)
++ if (test_bit(IDPF_VPORT_UP, np->state))
+ err = idpf_add_del_mac_filters(vport, np, true, async);
+
+ return err;
+@@ -909,7 +909,7 @@ static void idpf_vport_stop(struct idpf_vport *vport)
+ {
+ struct idpf_netdev_priv *np = netdev_priv(vport->netdev);
+
+- if (np->state <= __IDPF_VPORT_DOWN)
++ if (!test_bit(IDPF_VPORT_UP, np->state))
+ return;
+
+ netif_carrier_off(vport->netdev);
+@@ -932,7 +932,7 @@ static void idpf_vport_stop(struct idpf_vport *vport)
+ idpf_vport_intr_deinit(vport);
+ idpf_vport_queues_rel(vport);
+ idpf_vport_intr_rel(vport);
+- np->state = __IDPF_VPORT_DOWN;
++ clear_bit(IDPF_VPORT_UP, np->state);
+ }
+
+ /**
+@@ -1350,7 +1350,7 @@ static int idpf_up_complete(struct idpf_vport *vport)
+ netif_tx_start_all_queues(vport->netdev);
+ }
+
+- np->state = __IDPF_VPORT_UP;
++ set_bit(IDPF_VPORT_UP, np->state);
+
+ return 0;
+ }
+@@ -1395,7 +1395,7 @@ static int idpf_vport_open(struct idpf_vport *vport)
+ struct idpf_vport_config *vport_config;
+ int err;
+
+- if (np->state != __IDPF_VPORT_DOWN)
++ if (test_bit(IDPF_VPORT_UP, np->state))
+ return -EBUSY;
+
+ /* we do not allow interface up just yet */
+@@ -1869,7 +1869,7 @@ int idpf_initiate_soft_reset(struct idpf_vport *vport,
+ enum idpf_vport_reset_cause reset_cause)
+ {
+ struct idpf_netdev_priv *np = netdev_priv(vport->netdev);
+- enum idpf_vport_state current_state = np->state;
++ bool vport_is_up = test_bit(IDPF_VPORT_UP, np->state);
+ struct idpf_adapter *adapter = vport->adapter;
+ struct idpf_vport *new_vport;
+ int err;
+@@ -1917,7 +1917,7 @@ int idpf_initiate_soft_reset(struct idpf_vport *vport,
+ goto free_vport;
+ }
+
+- if (current_state <= __IDPF_VPORT_DOWN) {
++ if (!vport_is_up) {
+ idpf_send_delete_queues_msg(vport);
+ } else {
+ set_bit(IDPF_VPORT_DEL_QUEUES, vport->flags);
+@@ -1950,7 +1950,7 @@ int idpf_initiate_soft_reset(struct idpf_vport *vport,
+ if (err)
+ goto err_open;
+
+- if (current_state == __IDPF_VPORT_UP)
++ if (vport_is_up)
+ err = idpf_vport_open(vport);
+
+ kfree(new_vport);
+@@ -1962,7 +1962,7 @@ int idpf_initiate_soft_reset(struct idpf_vport *vport,
+ vport->num_rxq, vport->num_bufq);
+
+ err_open:
+- if (current_state == __IDPF_VPORT_UP)
++ if (vport_is_up)
+ idpf_vport_open(vport);
+
+ free_vport:
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_singleq_txrx.c b/drivers/net/ethernet/intel/idpf/idpf_singleq_txrx.c
+index ea0eec59a072..33f4e89d0c67 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_singleq_txrx.c
++++ b/drivers/net/ethernet/intel/idpf/idpf_singleq_txrx.c
+@@ -571,7 +571,7 @@ static bool idpf_tx_singleq_clean(struct idpf_tx_queue *tx_q, int napi_budget,
+ np = netdev_priv(tx_q->netdev);
+ nq = netdev_get_tx_queue(tx_q->netdev, tx_q->idx);
+
+- dont_wake = np->state != __IDPF_VPORT_UP ||
++ dont_wake = !test_bit(IDPF_VPORT_UP, np->state) ||
+ !netif_carrier_ok(tx_q->netdev);
+ __netif_txq_completed_wake(nq, ss.packets, ss.bytes,
+ IDPF_DESC_UNUSED(tx_q), IDPF_TX_WAKE_THRESH,
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_txrx.c b/drivers/net/ethernet/intel/idpf/idpf_txrx.c
+index 3ddf7b1e85ef..646f19e4d0fa 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.c
++++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.c
+@@ -1845,7 +1845,7 @@ static bool idpf_tx_clean_complq(struct idpf_compl_queue *complq, int budget,
+ /* Update BQL */
+ nq = netdev_get_tx_queue(tx_q->netdev, tx_q->idx);
+
+- dont_wake = !complq_ok || np->state != __IDPF_VPORT_UP ||
++ dont_wake = !complq_ok || !test_bit(IDPF_VPORT_UP, np->state) ||
+ !netif_carrier_ok(tx_q->netdev);
+ /* Check if the TXQ needs to and can be restarted */
+ __netif_txq_completed_wake(nq, tx_q->cleaned_pkts, tx_q->cleaned_bytes,
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c
+index d1f374da0098..5480b4aa567b 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c
++++ b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c
+@@ -148,7 +148,7 @@ static void idpf_handle_event_link(struct idpf_adapter *adapter,
+
+ vport->link_up = v2e->link_status;
+
+- if (np->state != __IDPF_VPORT_UP)
++ if (!test_bit(IDPF_VPORT_UP, np->state))
+ return;
+
+ if (vport->link_up) {
+@@ -2297,7 +2297,7 @@ int idpf_send_get_stats_msg(struct idpf_vport *vport)
+
+
+ /* Don't send get_stats message if the link is down */
+- if (np->state <= __IDPF_VPORT_DOWN)
++ if (!test_bit(IDPF_VPORT_UP, np->state))
+ return 0;
+
+ stats_msg.vport_id = cpu_to_le32(vport->vport_id);
+--
+2.43.0
+
diff --git a/SPECS/kernel-rt/CVE-2026-22985_2.patch b/SPECS/kernel-rt/CVE-2026-22985_2.patch
new file mode 100644
index 0000000000..f796740fbb
--- /dev/null
+++ b/SPECS/kernel-rt/CVE-2026-22985_2.patch
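Review bot: The kernel-doc on `enum idpf_vport_state` in the idpf.h hunk still calls `IDPF_VPORT_STATE_NBITS` the "number of states", but the enumerators are now bit positions in `np->state` and the last one sizes `DECLARE_BITMAP(state, IDPF_VPORT_STATE_NBITS)`. I would change that line to `* @IDPF_VPORT_STATE_NBITS: Must be last, number of bits in the state bitmap` and describe the enum as vport state bits rather than the current state. The `test_bit()` guards in `idpf_vport_open` and `idpf_vport_stop` are check-then-act sequences, so a one-line comment that they rely on the caller holding the vport control lock would help; the locking itself is outside these hunks.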
@@ -0,0 +1,400 @@
+From fdc6a5ca9d6a3cabc7d8bc4bd3f97a3a73f6f1a8 Mon Sep 17 00:00:00 2001
+From: Sreedevi Joshi
+Date: Mon, 24 Nov 2025 12:47:48 -0600
+Subject: [PATCH 4/9] idpf: Fix RSS LUT NULL pointer crash on early ethtool
+ operations
+
+The RSS LUT is not initialized until the interface comes up, causing
+the following NULL pointer crash when ethtool operations like rxhash on/off
+are performed before the interface is brought up for the first time.
+
+Move RSS LUT initialization from ndo_open to vport creation to ensure LUT
+is always available. This enables RSS configuration via ethtool before
+bringing the interface up. Simplify LUT management by maintaining all
+changes in the driver's soft copy and programming zeros to the indirection
+table when rxhash is disabled. Defer HW programming until the interface
+comes up if it is down during rxhash and LUT configuration changes.
+
+Steps to reproduce:
+** Load idpf driver; interfaces will be created
+ modprobe idpf
+** Before bringing the interfaces up, turn rxhash off
+ ethtool -K eth2 rxhash off
+
+[89408.371875] BUG: kernel NULL pointer dereference, address: 0000000000000000
+[89408.371908] #PF: supervisor read access in kernel mode
+[89408.371924] #PF: error_code(0x0000) - not-present page
+[89408.371940] PGD 0 P4D 0
+[89408.371953] Oops: Oops: 0000 [#1] SMP NOPTI
+
+[89408.372052] RIP: 0010:memcpy_orig+0x16/0x130
+[89408.372310] Call Trace:
+[89408.372317]
+[89408.372326] ? idpf_set_features+0xfc/0x180 [idpf]
+[89408.372363] __netdev_update_features+0x295/0xde0
+[89408.372384] ethnl_set_features+0x15e/0x460
+[89408.372406] genl_family_rcv_msg_doit+0x11f/0x180
+[89408.372429] genl_rcv_msg+0x1ad/0x2b0
+[89408.372446] ? __pfx_ethnl_set_features+0x10/0x10
+[89408.372465] ? __pfx_genl_rcv_msg+0x10/0x10
+[89408.372482] netlink_rcv_skb+0x58/0x100
+[89408.372502] genl_rcv+0x2c/0x50
+[89408.372516] netlink_unicast+0x289/0x3e0
+[89408.372533] netlink_sendmsg+0x215/0x440
+[89408.372551] __sys_sendto+0x234/0x240
+[89408.372571] __x64_sys_sendto+0x28/0x30
+[89408.372585] x64_sys_call+0x1909/0x1da0
+[89408.372604] do_syscall_64+0x7a/0xfa0
+[89408.373140] ? clear_bhb_loop+0x60/0xb0
+[89408.373647] entry_SYSCALL_64_after_hwframe+0x76/0x7e
+[89408.378887]
+
+
+Fixes: a251eee62133 ("idpf: add SRIOV support and other ndo_ops")
+Signed-off-by: Sreedevi Joshi
+Reviewed-by: Sridhar Samudrala
+Reviewed-by: Emil Tantilov
+Reviewed-by: Aleksandr Loktionov
+Reviewed-by: Paul Menzel
+Reviewed-by: Simon Horman
+Tested-by: Samuel Salin
+Signed-off-by: Tony Nguyen
+---
+ drivers/net/ethernet/intel/idpf/idpf.h | 2 -
+ drivers/net/ethernet/intel/idpf/idpf_lib.c | 94 +++++++++----------
+ drivers/net/ethernet/intel/idpf/idpf_txrx.c | 36 +++----
+ drivers/net/ethernet/intel/idpf/idpf_txrx.h | 4 +-
+ .../net/ethernet/intel/idpf/idpf_virtchnl.c | 9 +-
+ 5 files changed, 66 insertions(+), 79 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/idpf/idpf.h b/drivers/net/ethernet/intel/idpf/idpf.h
+index 44db60611178..7f0e642b703b 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf.h
++++ b/drivers/net/ethernet/intel/idpf/idpf.h
+@@ -359,14 +359,12 @@ enum idpf_user_flags {
+ * @rss_key: RSS hash key
+ * @rss_lut_size: Size of RSS lookup table
+ * @rss_lut: RSS lookup table
+- * @cached_lut: Used to restore previously init RSS lut
+ */
+ struct idpf_rss_data {
+ u16 rss_key_size;
+ u8 *rss_key;
+ u16 rss_lut_size;
+ u32 *rss_lut;
+- u32 *cached_lut;
+ };
+
+ /**
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_lib.c b/drivers/net/ethernet/intel/idpf/idpf_lib.c
+index 73efbfc773b6..958b9ac25a70 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_lib.c
++++ b/drivers/net/ethernet/intel/idpf/idpf_lib.c
+@@ -995,7 +995,7 @@ static void idpf_vport_rel(struct idpf_vport *vport)
+ u16 idx = vport->idx;
+
+ vport_config = adapter->vport_config[vport->idx];
+- idpf_deinit_rss(vport);
++ idpf_deinit_rss_lut(vport);
+ rss_data = &vport_config->user_config.rss_data;
+ kfree(rss_data->rss_key);
+ rss_data->rss_key = NULL;
+@@ -1144,6 +1144,7 @@ static struct idpf_vport *idpf_vport_alloc(struct idpf_adapter *adapter,
+ u16 idx = adapter->next_vport;
+ struct idpf_vport *vport;
+ u16 num_max_q;
++ int err;
+
+ if (idx == IDPF_NO_FREE_SLOT)
+ return NULL;
+@@ -1194,10 +1195,11 @@ static struct idpf_vport *idpf_vport_alloc(struct idpf_adapter *adapter,
+
+ idpf_vport_init(vport, max_q);
+
+- /* This alloc is done separate from the LUT because it's not strictly
+- * dependent on how many queues we have. If we change number of queues
+- * and soft reset we'll need a new LUT but the key can remain the same
+- * for as long as the vport exists.
++ /* LUT and key are both initialized here. Key is not strictly dependent
++ * on how many queues we have. If we change number of queues and soft
++ * reset is initiated, LUT will be freed and a new LUT will be allocated
++ * as per the updated number of queues during vport bringup. However,
++ * the key remains the same for as long as the vport exists.
+ */
+ rss_data = &adapter->vport_config[idx]->user_config.rss_data;
+ rss_data->rss_key = kzalloc(rss_data->rss_key_size, GFP_KERNEL);
+@@ -1207,6 +1209,11 @@ static struct idpf_vport *idpf_vport_alloc(struct idpf_adapter *adapter,
+ /* Initialize default rss key */
+ netdev_rss_key_fill((void *)rss_data->rss_key, rss_data->rss_key_size);
+
++ /* Initialize default rss LUT */
++ err = idpf_init_rss_lut(vport);
++ if (err)
++ goto free_rss_key;
++
+ /* fill vport slot in the adapter struct */
+ adapter->vports[idx] = vport;
+ adapter->vport_ids[idx] = idpf_get_vport_id(vport);
+@@ -1217,6 +1224,8 @@ static struct idpf_vport *idpf_vport_alloc(struct idpf_adapter *adapter,
+
+ return vport;
+
++free_rss_key:
++ kfree(rss_data->rss_key);
+ free_vector_idxs:
+ kfree(vport->q_vector_idxs);
+ free_vport:
+@@ -1393,6 +1402,7 @@ static int idpf_vport_open(struct idpf_vport *vport)
+ struct idpf_netdev_priv *np = netdev_priv(vport->netdev);
+ struct idpf_adapter *adapter = vport->adapter;
+ struct idpf_vport_config *vport_config;
++ struct idpf_rss_data *rss_data;
+ int err;
+
+ if (test_bit(IDPF_VPORT_UP, np->state))
+@@ -1475,12 +1485,21 @@ static int idpf_vport_open(struct idpf_vport *vport)
+ idpf_restore_features(vport);
+
+ vport_config = adapter->vport_config[vport->idx];
+- if (vport_config->user_config.rss_data.rss_lut)
+- err = idpf_config_rss(vport);
+- else
+- err = idpf_init_rss(vport);
++ rss_data = &vport_config->user_config.rss_data;
++
++ if (!rss_data->rss_lut) {
++ err = idpf_init_rss_lut(vport);
++ if (err) {
++ dev_err(&adapter->pdev->dev,
++ "Failed to initialize RSS LUT for vport %u: %d\n",
++ vport->vport_id, err);
++ goto disable_vport;
++ }
++ }
++
++ err = idpf_config_rss(vport);
+ if (err) {
+- dev_err(&adapter->pdev->dev, "Failed to initialize RSS for vport %u: %d\n",
++ dev_err(&adapter->pdev->dev, "Failed to configure RSS for vport %u: %d\n",
+ vport->vport_id, err);
+ goto disable_vport;
+ }
+@@ -1489,13 +1508,11 @@ static int idpf_vport_open(struct idpf_vport *vport)
+ if (err) {
+ dev_err(&adapter->pdev->dev, "Failed to complete interface up for vport %u: %d\n",
+ vport->vport_id, err);
+- goto deinit_rss;
++ goto disable_vport;
+ }
+
+ return 0;
+
+-deinit_rss:
+- idpf_deinit_rss(vport);
+ disable_vport:
+ idpf_send_disable_vport_msg(vport);
+ disable_queues:
+@@ -1924,7 +1941,7 @@ int idpf_initiate_soft_reset(struct idpf_vport *vport,
+ idpf_vport_stop(vport);
+ }
+
+- idpf_deinit_rss(vport);
++ idpf_deinit_rss_lut(vport);
+ /* We're passing in vport here because we need its wait_queue
+ * to send a message and it should be getting all the vport
+ * config data out of the adapter but we need to be careful not
+@@ -2090,40 +2107,6 @@ static void idpf_set_rx_mode(struct net_device *netdev)
+ dev_err(dev, "Failed to set promiscuous mode: %d\n", err);
+ }
+
+-/**
+- * idpf_vport_manage_rss_lut - disable/enable RSS
+- * @vport: the vport being changed
+- *
+- * In the event of disable request for RSS, this function will zero out RSS
+- * LUT, while in the event of enable request for RSS, it will reconfigure RSS
+- * LUT with the default LUT configuration.
+- */
+-static int idpf_vport_manage_rss_lut(struct idpf_vport *vport)
+-{
+- bool ena = idpf_is_feature_ena(vport, NETIF_F_RXHASH);
+- struct idpf_rss_data *rss_data;
+- u16 idx = vport->idx;
+- int lut_size;
+-
+- rss_data = &vport->adapter->vport_config[idx]->user_config.rss_data;
+- lut_size = rss_data->rss_lut_size * sizeof(u32);
+-
+- if (ena) {
+- /* This will contain the default or user configured LUT */
+- memcpy(rss_data->rss_lut, rss_data->cached_lut, lut_size);
+- } else {
+- /* Save a copy of the current LUT to be restored later if
+- * requested.
+- */
+- memcpy(rss_data->cached_lut, rss_data->rss_lut, lut_size);
+-
+- /* Zero out the current LUT to disable */
+- memset(rss_data->rss_lut, 0, lut_size);
+- }
+-
+- return idpf_config_rss(vport);
+-}
+-
+ /**
+ * idpf_set_features - set the netdev feature flags
+ * @netdev: ptr to the netdev being adjusted
+@@ -2149,10 +2132,19 @@ static int idpf_set_features(struct net_device *netdev,
+ }
+
+ if (changed & NETIF_F_RXHASH) {
++ struct idpf_netdev_priv *np = netdev_priv(netdev);
++
+ netdev->features ^= NETIF_F_RXHASH;
+- err = idpf_vport_manage_rss_lut(vport);
+- if (err)
+- goto unlock_mutex;
++
++ /* If the interface is not up when changing the rxhash, update
++ * to the HW is skipped. The updated LUT will be committed to
++ * the HW when the interface is brought up.
++ */
++ if (test_bit(IDPF_VPORT_UP, np->state)) {
++ err = idpf_config_rss(vport);
++ if (err)
++ goto unlock_mutex;
++ }
+ }
+
+ if (changed & NETIF_F_GRO_HW) {
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_txrx.c b/drivers/net/ethernet/intel/idpf/idpf_txrx.c
+index 646f19e4d0fa..3b2938aa15ab 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.c
++++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.c
+@@ -4068,57 +4068,47 @@ static void idpf_fill_dflt_rss_lut(struct idpf_vport *vport)
+
+ rss_data = &adapter->vport_config[vport->idx]->user_config.rss_data;
+
+- for (i = 0; i < rss_data->rss_lut_size; i++) {
++ for (i = 0; i < rss_data->rss_lut_size; i++)
+ rss_data->rss_lut[i] = i % num_active_rxq;
+- rss_data->cached_lut[i] = rss_data->rss_lut[i];
+- }
+ }
+
+ /**
+- * idpf_init_rss - Allocate and initialize RSS resources
++ * idpf_init_rss_lut - Allocate and initialize RSS LUT
+ * @vport: virtual port
+ *
+- * Return 0 on success, negative on failure
++ * Return: 0 on success, negative on failure
+ */
+-int idpf_init_rss(struct idpf_vport *vport)
++int idpf_init_rss_lut(struct idpf_vport *vport)
+ {
+ struct idpf_adapter *adapter = vport->adapter;
+ struct idpf_rss_data *rss_data;
+- u32 lut_size;
+
+ rss_data = &adapter->vport_config[vport->idx]->user_config.rss_data;
++ if (!rss_data->rss_lut) {
++ u32 lut_size;
+
+- lut_size = rss_data->rss_lut_size * sizeof(u32);
+- rss_data->rss_lut = kzalloc(lut_size, GFP_KERNEL);
+- if (!rss_data->rss_lut)
+- return -ENOMEM;
+-
+- rss_data->cached_lut = kzalloc(lut_size, GFP_KERNEL);
+- if (!rss_data->cached_lut) {
+- kfree(rss_data->rss_lut);
+- rss_data->rss_lut = NULL;
+-
+- return -ENOMEM;
++ lut_size = rss_data->rss_lut_size * sizeof(u32);
++ rss_data->rss_lut = kzalloc(lut_size, GFP_KERNEL);
++ if (!rss_data->rss_lut)
++ return -ENOMEM;
+ }
+
+ /* Fill the default RSS lut values */
+ idpf_fill_dflt_rss_lut(vport);
+
+- return idpf_config_rss(vport);
++ return 0;
+ }
+
+ /**
+- * idpf_deinit_rss - Release RSS resources
++ * idpf_deinit_rss_lut - Release RSS LUT
+ * @vport: virtual port
+ */
+-void idpf_deinit_rss(struct idpf_vport *vport)
++void idpf_deinit_rss_lut(struct idpf_vport *vport)
+ {
+ struct idpf_adapter *adapter = vport->adapter;
+ struct idpf_rss_data *rss_data;
+
+ rss_data = &adapter->vport_config[vport->idx]->user_config.rss_data;
+- kfree(rss_data->cached_lut);
+- rss_data->cached_lut = NULL;
+ kfree(rss_data->rss_lut);
+ rss_data->rss_lut = NULL;
+ }
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_txrx.h b/drivers/net/ethernet/intel/idpf/idpf_txrx.h
+index 5f8a9b9f5d5d..ddba70d4b8ee 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.h
++++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.h
+@@ -1018,8 +1018,8 @@ void idpf_vport_intr_deinit(struct idpf_vport *vport);
+ int idpf_vport_intr_init(struct idpf_vport *vport);
+ void idpf_vport_intr_ena(struct idpf_vport *vport);
+ int idpf_config_rss(struct idpf_vport *vport);
+-int idpf_init_rss(struct idpf_vport *vport);
+-void idpf_deinit_rss(struct idpf_vport *vport);
++int idpf_init_rss_lut(struct idpf_vport *vport);
++void idpf_deinit_rss_lut(struct idpf_vport *vport);
+ int idpf_rx_bufs_init_all(struct idpf_vport *vport);
+ void idpf_rx_add_frag(struct idpf_rx_buf *rx_buf, struct sk_buff *skb,
+ unsigned int size);
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c
+index 5480b4aa567b..ef13468851c1 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c
++++ b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c
+@@ -2341,6 +2341,10 @@ int idpf_send_get_stats_msg(struct idpf_vport *vport)
+ * @vport: virtual port data structure
+ * @get: flag to set or get rss look up table
+ *
++ * When rxhash is disabled, RSS LUT will be configured with zeros. If rxhash
++ * is enabled, the LUT values stored in driver's soft copy will be used to setup
++ * the HW.
++ *
+ * Returns 0 on success, negative on failure.
+ */
+ int idpf_send_get_set_rss_lut_msg(struct idpf_vport *vport, bool get)
+@@ -2351,10 +2355,12 @@ int idpf_send_get_set_rss_lut_msg(struct idpf_vport *vport, bool get)
+ struct idpf_rss_data *rss_data;
+ int buf_size, lut_buf_size;
+ ssize_t reply_sz;
++ bool rxhash_ena;
+ int i;
+
+ rss_data =
+ &vport->adapter->vport_config[vport->idx]->user_config.rss_data;
++ rxhash_ena = idpf_is_feature_ena(vport, NETIF_F_RXHASH);
+ buf_size = struct_size(rl, lut, rss_data->rss_lut_size);
+ rl = kzalloc(buf_size, GFP_KERNEL);
+ if (!rl)
+@@ -2376,7 +2382,8 @@ int idpf_send_get_set_rss_lut_msg(struct idpf_vport *vport, bool get)
+ } else {
+ rl->lut_entries = cpu_to_le16(rss_data->rss_lut_size);
+ for (i = 0; i < rss_data->rss_lut_size; i++)
+- rl->lut[i] = cpu_to_le32(rss_data->rss_lut[i]);
++ rl->lut[i] = rxhash_ena ?
++ cpu_to_le32(rss_data->rss_lut[i]) : 0;
+
+ xn_params.vc_op = VIRTCHNL2_OP_SET_RSS_LUT;
+ }
+--
+2.43.0
+
diff --git a/SPECS/kernel-rt/CVE-2026-22993.patch b/SPECS/kernel-rt/CVE-2026-22993.patch
new file mode 100644
index 0000000000..014b7d2979
--- /dev/null
+++ b/SPECS/kernel-rt/CVE-2026-22993.patch
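Review bot: The new `free_rss_key:` label in `idpf_vport_alloc` frees `rss_data->rss_key` but leaves the pointer set, and `rss_data` points into `adapter->vport_config[idx]->user_config`, not into the vport that is being torn down. `idpf_vport_rel` in the same patch clears the field after its `kfree`, so the error path should match it: `kfree(rss_data->rss_key); rss_data->rss_key = NULL;`. Whether anything reads or frees the stale pointer before the next allocation overwrites it is not visible in these hunks, but a later `kfree` of the same field would be a double free. The body of `idpf_vport_alloc` continues outside the hunk.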
@@ -0,0 +1,149 @@
+From ebdfe2d47169ed8db3b63b12c938cd4ee9f8fd99 Mon Sep 17 00:00:00 2001
+From: Sreedevi Joshi
+Date: Mon, 24 Nov 2025 12:47:50 -0600
+Subject: [PATCH 5/9] idpf: Fix RSS LUT NULL ptr issue after soft reset
+
+During soft reset, the RSS LUT is freed and not restored unless the
+interface is up. If an ethtool command that accesses the rss lut is
+attempted immediately after reset, it will result in NULL ptr
+dereference. Also, there is no need to reset the rss lut if the soft reset
+does not involve queue count change.
+
+After soft reset, set the RSS LUT to default values based on the updated
+queue count only if the reset was a result of a queue count change and
+the LUT was not configured by the user. In all other cases, don't touch
+the LUT.
+
+Steps to reproduce:
+
+** Bring the interface down (if up)
+ifconfig eth1 down
+
+** update the queue count (eg., 27->20)
+ethtool -L eth1 combined 20
+
+** display the RSS LUT
+ethtool -x eth1
+
+[82375.558338] BUG: kernel NULL pointer dereference, address: 0000000000000000
+[82375.558373] #PF: supervisor read access in kernel mode
+[82375.558391] #PF: error_code(0x0000) - not-present page
+[82375.558408] PGD 0 P4D 0
+[82375.558421] Oops: Oops: 0000 [#1] SMP NOPTI
+
+[82375.558516] RIP: 0010:idpf_get_rxfh+0x108/0x150 [idpf]
+[82375.558786] Call Trace:
+[82375.558793]
+[82375.558804] rss_prepare.isra.0+0x187/0x2a0
+[82375.558827] rss_prepare_data+0x3a/0x50
+[82375.558845] ethnl_default_doit+0x13d/0x3e0
+[82375.558863] genl_family_rcv_msg_doit+0x11f/0x180
+[82375.558886] genl_rcv_msg+0x1ad/0x2b0
+[82375.558902] ? __pfx_ethnl_default_doit+0x10/0x10
+[82375.558920] ? __pfx_genl_rcv_msg+0x10/0x10
+[82375.558937] netlink_rcv_skb+0x58/0x100
+[82375.558957] genl_rcv+0x2c/0x50
+[82375.558971] netlink_unicast+0x289/0x3e0
+[82375.558988] netlink_sendmsg+0x215/0x440
+[82375.559005] __sys_sendto+0x234/0x240
+[82375.559555] __x64_sys_sendto+0x28/0x30
+[82375.560068] x64_sys_call+0x1909/0x1da0
+[82375.560576] do_syscall_64+0x7a/0xfa0
+[82375.561076] ? clear_bhb_loop+0x60/0xb0
+[82375.561567] entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+
+Fixes: 02cbfba1add5 ("idpf: add ethtool callbacks")
+Signed-off-by: Sreedevi Joshi
+Reviewed-by: Aleksandr Loktionov
+Reviewed-by: Sridhar Samudrala
+Reviewed-by: Emil Tantilov
+Reviewed-by: Simon Horman
+Tested-by: Samuel Salin
+Signed-off-by: Tony Nguyen
+---
+ drivers/net/ethernet/intel/idpf/idpf_lib.c | 20 ++++----------------
+ drivers/net/ethernet/intel/idpf/idpf_txrx.c | 2 +-
+ drivers/net/ethernet/intel/idpf/idpf_txrx.h | 1 +
+ 3 files changed, 6 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_lib.c b/drivers/net/ethernet/intel/idpf/idpf_lib.c
+index 958b9ac25a70..d66745c9bd36 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_lib.c
++++ b/drivers/net/ethernet/intel/idpf/idpf_lib.c
+@@ -1401,8 +1401,6 @@ static int idpf_vport_open(struct idpf_vport *vport)
+ {
+ struct idpf_netdev_priv *np = netdev_priv(vport->netdev);
+ struct idpf_adapter *adapter = vport->adapter;
+- struct idpf_vport_config *vport_config;
+- struct idpf_rss_data *rss_data;
+ int err;
+
+ if (test_bit(IDPF_VPORT_UP, np->state))
+@@ -1484,19 +1482,6 @@ static int idpf_vport_open(struct idpf_vport *vport)
+
+ idpf_restore_features(vport);
+
+- vport_config = adapter->vport_config[vport->idx];
+- rss_data = &vport_config->user_config.rss_data;
+-
+- if (!rss_data->rss_lut) {
+- err = idpf_init_rss_lut(vport);
+- if (err) {
+- dev_err(&adapter->pdev->dev,
+- "Failed to initialize RSS LUT for vport %u: %d\n",
+- vport->vport_id, err);
+- goto disable_vport;
+- }
+- }
+-
+ err = idpf_config_rss(vport);
+ if (err) {
+ dev_err(&adapter->pdev->dev, "Failed to configure RSS for vport %u: %d\n",
+@@ -1941,7 +1926,6 @@ int idpf_initiate_soft_reset(struct idpf_vport *vport,
+ idpf_vport_stop(vport);
+ }
+
+- idpf_deinit_rss_lut(vport);
+ /* We're passing in vport here because we need its wait_queue
+ * to send a message and it should be getting all the vport
+ * config data out of the adapter but we need to be careful not
+@@ -1967,6 +1951,10 @@ int idpf_initiate_soft_reset(struct idpf_vport *vport,
+ if (err)
+ goto err_open;
+
++ if (reset_cause == IDPF_SR_Q_CHANGE &&
++ !netif_is_rxfh_configured(vport->netdev))
++ idpf_fill_dflt_rss_lut(vport);
++
+ if (vport_is_up)
+ err = idpf_vport_open(vport);
+
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_txrx.c b/drivers/net/ethernet/intel/idpf/idpf_txrx.c
+index 3b2938aa15ab..b0be89463323 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.c
++++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.c
+@@ -4059,7 +4059,7 @@ int idpf_config_rss(struct idpf_vport *vport)
+ * idpf_fill_dflt_rss_lut - Fill the indirection table with the default values
+ * @vport: virtual port structure
+ */
+-static void idpf_fill_dflt_rss_lut(struct idpf_vport *vport)
++void idpf_fill_dflt_rss_lut(struct idpf_vport *vport)
+ {
+ struct idpf_adapter *adapter = vport->adapter;
+ u16 num_active_rxq = vport->num_rxq;
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_txrx.h b/drivers/net/ethernet/intel/idpf/idpf_txrx.h
+index ddba70d4b8ee..a34c791c4608 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.h
++++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.h
+@@ -1017,6 +1017,7 @@ void idpf_vport_intr_update_itr_ena_irq(struct idpf_q_vector *q_vector);
+ void idpf_vport_intr_deinit(struct idpf_vport *vport);
+ int idpf_vport_intr_init(struct idpf_vport *vport);
+ void idpf_vport_intr_ena(struct idpf_vport *vport);
++void idpf_fill_dflt_rss_lut(struct idpf_vport *vport);
+ int idpf_config_rss(struct idpf_vport *vport);
+ int idpf_init_rss_lut(struct idpf_vport *vport);
+ void idpf_deinit_rss_lut(struct idpf_vport *vport);
+--
+2.43.0
+
diff --git a/SPECS/kernel-rt/CVE-2026-23004.patch b/SPECS/kernel-rt/CVE-2026-23004.patch
new file mode 100644
index 0000000000..dad2002768
--- /dev/null
+++ b/SPECS/kernel-rt/CVE-2026-23004.patch
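Review bot: `idpf_fill_dflt_rss_lut` is made non-static in the idpf_txrx.c hunk, but its kernel-doc does not say what a caller must guarantee. Its loop, shown in the previous patch of this series, stores `i % num_active_rxq` into `rss_data->rss_lut[i]` with no NULL check, and this patch also drops the fallback allocation from `idpf_vport_open`, so the table has to be the one allocated in `idpf_vport_alloc` and `vport->num_rxq` has to be non-zero. I would add a line to the comment such as `* Caller must ensure the RSS LUT is allocated and vport->num_rxq is non-zero.` The new call in `idpf_initiate_soft_reset` presumably runs under the vport control lock; that is not visible in the hunk.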
@@ -0,0 +1,264 @@
+From 9a99adb41d2400dc0b2a7cc027e04a745c82b42c Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Mon, 12 Jan 2026 10:38:25 +0000
+Subject: [PATCH 1/9] dst: fix races in rt6_uncached_list_del() and
+ rt_del_uncached_list()
+
+syzbot was able to crash the kernel in rt6_uncached_list_flush_dev()
+in an interesting way [1]
+
+Crash happens in list_del_init()/INIT_LIST_HEAD() while writing
+list->prev, while the prior write on list->next went well.
+
+static inline void INIT_LIST_HEAD(struct list_head *list)
+{
+ WRITE_ONCE(list->next, list); // This went well
+ WRITE_ONCE(list->prev, list); // Crash, @list has been freed.
+}
+
+Issue here is that rt6_uncached_list_del() did not attempt to lock
+ul->lock, as list_empty(&rt->dst.rt_uncached) returned
+true because the WRITE_ONCE(list->next, list) happened on the other CPU.
+
+We might use list_del_init_careful() and list_empty_careful(),
+or make sure rt6_uncached_list_del() always grabs the spinlock
+whenever rt->dst.rt_uncached_list has been set.
+
+A similar fix is neeed for IPv4.
+
+[1]
+
+ BUG: KASAN: slab-use-after-free in INIT_LIST_HEAD include/linux/list.h:46 [inline]
+ BUG: KASAN: slab-use-after-free in list_del_init include/linux/list.h:296 [inline]
+ BUG: KASAN: slab-use-after-free in rt6_uncached_list_flush_dev net/ipv6/route.c:191 [inline]
+ BUG: KASAN: slab-use-after-free in rt6_disable_ip+0x633/0x730 net/ipv6/route.c:5020
+Write of size 8 at addr ffff8880294cfa78 by task kworker/u8:14/3450
+
+CPU: 0 UID: 0 PID: 3450 Comm: kworker/u8:14 Tainted: G L syzkaller #0 PREEMPT_{RT,(full)}
+Tainted: [L]=SOFTLOCKUP
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
+Workqueue: netns cleanup_net
+Call Trace:
+
+ dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0xca/0x240 mm/kasan/report.c:482
+ kasan_report+0x118/0x150 mm/kasan/report.c:595
+ INIT_LIST_HEAD include/linux/list.h:46 [inline]
+ list_del_init include/linux/list.h:296 [inline]
+ rt6_uncached_list_flush_dev net/ipv6/route.c:191 [inline]
+ rt6_disable_ip+0x633/0x730 net/ipv6/route.c:5020
+ addrconf_ifdown+0x143/0x18a0 net/ipv6/addrconf.c:3853
+ addrconf_notify+0x1bc/0x1050 net/ipv6/addrconf.c:-1
+ notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85
+ call_netdevice_notifiers_extack net/core/dev.c:2268 [inline]
+ call_netdevice_notifiers net/core/dev.c:2282 [inline]
+ netif_close_many+0x29c/0x410 net/core/dev.c:1785
+ unregister_netdevice_many_notify+0xb50/0x2330 net/core/dev.c:12353
+ ops_exit_rtnl_list net/core/net_namespace.c:187 [inline]
+ ops_undo_list+0x3dc/0x990 net/core/net_namespace.c:248
+ cleanup_net+0x4de/0x7b0 net/core/net_namespace.c:696
+ process_one_work kernel/workqueue.c:3257 [inline]
+ process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
+ worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
+ kthread+0x711/0x8a0 kernel/kthread.c:463
+ ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
+
+
+Allocated by task 803:
+ kasan_save_stack mm/kasan/common.c:57 [inline]
+ kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
+ unpoison_slab_object mm/kasan/common.c:340 [inline]
+ __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366
+ kasan_slab_alloc include/linux/kasan.h:253 [inline]
+ slab_post_alloc_hook mm/slub.c:4953 [inline]
+ slab_alloc_node mm/slub.c:5263 [inline]
+ kmem_cache_alloc_noprof+0x18d/0x6c0 mm/slub.c:5270
+ dst_alloc+0x105/0x170 net/core/dst.c:89
+ ip6_dst_alloc net/ipv6/route.c:342 [inline]
+ icmp6_dst_alloc+0x75/0x460 net/ipv6/route.c:3333
+ mld_sendpack+0x683/0xe60 net/ipv6/mcast.c:1844
+ mld_send_cr net/ipv6/mcast.c:2154 [inline]
+ mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693
+ process_one_work kernel/workqueue.c:3257 [inline]
+ process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
+ worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
+ kthread+0x711/0x8a0 kernel/kthread.c:463
+ ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
+
+Freed by task 20:
+ kasan_save_stack mm/kasan/common.c:57 [inline]
+ kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
+ kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
+ poison_slab_object mm/kasan/common.c:253 [inline]
+ __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
+ kasan_slab_free include/linux/kasan.h:235 [inline]
+ slab_free_hook mm/slub.c:2540 [inline]
+ slab_free mm/slub.c:6670 [inline]
+ kmem_cache_free+0x18f/0x8d0 mm/slub.c:6781
+ dst_destroy+0x235/0x350 net/core/dst.c:121
+ rcu_do_batch kernel/rcu/tree.c:2605 [inline]
+ rcu_core kernel/rcu/tree.c:2857 [inline]
+ rcu_cpu_kthread+0xba5/0x1af0 kernel/rcu/tree.c:2945
+ smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160
+ kthread+0x711/0x8a0 kernel/kthread.c:463
+ ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
+
+Last potentially related work creation:
+ kasan_save_stack+0x3e/0x60 mm/kasan/common.c:57
+ kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:556
+ __call_rcu_common kernel/rcu/tree.c:3119 [inline]
+ call_rcu+0xee/0x890 kernel/rcu/tree.c:3239
+ refdst_drop include/net/dst.h:266 [inline]
+ skb_dst_drop include/net/dst.h:278 [inline]
+ skb_release_head_state+0x71/0x360 net/core/skbuff.c:1156
+ skb_release_all net/core/skbuff.c:1180 [inline]
+ __kfree_skb net/core/skbuff.c:1196 [inline]
+ sk_skb_reason_drop+0xe9/0x170 net/core/skbuff.c:1234
+ kfree_skb_reason include/linux/skbuff.h:1322 [inline]
+ tcf_kfree_skb_list include/net/sch_generic.h:1127 [inline]
+ __dev_xmit_skb net/core/dev.c:4260 [inline]
+ __dev_queue_xmit+0x26aa/0x3210 net/core/dev.c:4785
+ NF_HOOK_COND include/linux/netfilter.h:307 [inline]
+ ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247
+ NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318
+ mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855
+ mld_send_cr net/ipv6/mcast.c:2154 [inline]
+ mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693
+ process_one_work kernel/workqueue.c:3257 [inline]
+ process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
+ worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
+ kthread+0x711/0x8a0 kernel/kthread.c:463
+ ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
+
+The buggy address belongs to the object at ffff8880294cfa00
+ which belongs to the cache ip6_dst_cache of size 232
+The buggy address is located 120 bytes inside of
+ freed 232-byte region [ffff8880294cfa00, ffff8880294cfae8)
+
+The buggy address belongs to the physical page:
+page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x294cf
+memcg:ffff88803536b781
+flags: 0x80000000000000(node=0|zone=1)
+page_type: f5(slab)
+raw: 0080000000000000 ffff88802ff1c8c0 ffffea0000bf2bc0 dead000000000006
+raw: 0000000000000000 00000000800c000c 00000000f5000000 ffff88803536b781
+page dumped because: kasan: bad access detected
+page_owner tracks the page as allocated
+page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 9, tgid 9 (kworker/0:0), ts 91119585830, free_ts 91088628818
+ set_page_owner include/linux/page_owner.h:32 [inline]
+ post_alloc_hook+0x234/0x290 mm/page_alloc.c:1857
+ prep_new_page mm/page_alloc.c:1865 [inline]
+ get_page_from_freelist+0x28c0/0x2960 mm/page_alloc.c:3915
+ __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5210
+ alloc_pages_mpol+0xd1/0x380 mm/mempolicy.c:2486
+ alloc_slab_page mm/slub.c:3075 [inline]
+ allocate_slab+0x86/0x3b0 mm/slub.c:3248
+ new_slab mm/slub.c:3302 [inline]
+ ___slab_alloc+0xb10/0x13e0 mm/slub.c:4656
+ __slab_alloc+0xc6/0x1f0 mm/slub.c:4779
+ __slab_alloc_node mm/slub.c:4855 [inline]
+ slab_alloc_node mm/slub.c:5251 [inline]
+ kmem_cache_alloc_noprof+0x101/0x6c0 mm/slub.c:5270
+ dst_alloc+0x105/0x170 net/core/dst.c:89
+ ip6_dst_alloc net/ipv6/route.c:342 [inline]
+ icmp6_dst_alloc+0x75/0x460 net/ipv6/route.c:3333
+ mld_sendpack+0x683/0xe60 net/ipv6/mcast.c:1844
+ mld_send_cr net/ipv6/mcast.c:2154 [inline]
+ mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693
+ process_one_work kernel/workqueue.c:3257 [inline]
+ process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
+ worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
+ kthread+0x711/0x8a0 kernel/kthread.c:463
+ ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
+page last free pid 5859 tgid 5859 stack trace:
+ reset_page_owner include/linux/page_owner.h:25 [inline]
+ free_pages_prepare mm/page_alloc.c:1406 [inline]
+ __free_frozen_pages+0xfe1/0x1170 mm/page_alloc.c:2943
+ discard_slab mm/slub.c:3346 [inline]
+ __put_partials+0x149/0x170 mm/slub.c:3886
+ __slab_free+0x2af/0x330 mm/slub.c:5952
+ qlink_free mm/kasan/quarantine.c:163 [inline]
+ qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179
+ kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
+ __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350
+ kasan_slab_alloc include/linux/kasan.h:253 [inline]
+ slab_post_alloc_hook mm/slub.c:4953 [inline]
+ slab_alloc_node mm/slub.c:5263 [inline]
+ kmem_cache_alloc_noprof+0x18d/0x6c0 mm/slub.c:5270
+ getname_flags+0xb8/0x540 fs/namei.c:146
+ getname include/linux/fs.h:2498 [inline]
+ do_sys_openat2+0xbc/0x200 fs/open.c:1426
+ do_sys_open fs/open.c:1436 [inline]
+ __do_sys_openat fs/open.c:1452 [inline]
+ __se_sys_openat fs/open.c:1447 [inline]
+ __x64_sys_openat+0x138/0x170 fs/open.c:1447
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
+
+Fixes: 8d0b94afdca8 ("ipv6: Keep track of DST_NOCACHE routes in case of iface down/unregister")
+Fixes: 78df76a065ae ("ipv4: take rt_uncached_lock only if needed")
+Reported-by: syzbot+179fc225724092b8b2b2@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/6964cdf2.050a0220.eaf7.009d.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet
+Cc: Martin KaFai Lau
+Reviewed-by: David Ahern
+Link: https://patch.msgid.link/20260112103825.3810713-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+---
+ net/core/dst.c | 1 +
+ net/ipv4/route.c | 4 ++--
+ net/ipv6/route.c | 4 ++--
+ 3 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/net/core/dst.c b/net/core/dst.c
+index 8dbb54148c03..92aa81b2f331 100644
+--- a/net/core/dst.c
++++ b/net/core/dst.c
+@@ -68,6 +68,7 @@ void dst_init(struct dst_entry *dst, struct dst_ops *ops,
+ dst->lwtstate = NULL;
+ rcuref_init(&dst->__rcuref, 1);
+ INIT_LIST_HEAD(&dst->rt_uncached);
++ dst->rt_uncached_list = NULL;
+ dst->__use = 0;
+ dst->lastuse = jiffies;
+ dst->flags = flags;
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index 7579001d5b29..4dce0de6ab89 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -1533,9 +1533,9 @@ void rt_add_uncached_list(struct rtable *rt)
+
+ void rt_del_uncached_list(struct rtable *rt)
+ {
+- if (!list_empty(&rt->dst.rt_uncached)) {
+- struct uncached_list *ul = rt->dst.rt_uncached_list;
++ struct uncached_list *ul = rt->dst.rt_uncached_list;
+
++ if (ul) {
+ spin_lock_bh(&ul->lock);
+ list_del_init(&rt->dst.rt_uncached);
+ spin_unlock_bh(&ul->lock);
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index aeac45af3a22..8bcd5f38d94c 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -148,9 +148,9 @@ void rt6_uncached_list_add(struct rt6_info *rt)
+
+ void rt6_uncached_list_del(struct rt6_info *rt)
+ {
+- if (!list_empty(&rt->dst.rt_uncached)) {
+- struct uncached_list *ul = rt->dst.rt_uncached_list;
++ struct uncached_list *ul = rt->dst.rt_uncached_list;
+
++ if (ul) {
+ spin_lock_bh(&ul->lock);
+ list_del_init(&rt->dst.rt_uncached);
+ spin_unlock_bh(&ul->lock);
+--
+2.43.0
+
diff --git a/SPECS/kernel-rt/kernel-rt.signatures.json b/SPECS/kernel-rt/kernel-rt.signatures.json
index dcd553d09d..c336354e0a 100644
--- a/SPECS/kernel-rt/kernel-rt.signatures.json
+++ b/SPECS/kernel-rt/kernel-rt.signatures.json
@@ -5,6 +5,6 @@
 "cpupower": "d7518767bf2b1110d146a49c7d42e76b803f45eb8bd14d931aa6d0d346fae985",
 "cpupower.service": "b057fe9e5d0e8c36f485818286b80e3eba8ff66ff44797940e99b1fd5361bb98",
 "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f",
- "linux-6.12.61.tar.gz": "7fb34abab0902a47ce1d47de58442e69e0e79d17f565b41fcb11249ea5b23801"
+ "linux-6.12.67.tar.gz": "b4c0b2ed9cd5002478c7c699d69eece548c84d7c7e1ad48cff61cd951424c745"
 }
-}
+}
\ No newline at end of file
diff --git a/SPECS/kernel-rt/kernel-rt.spec b/SPECS/kernel-rt/kernel-rt.spec
index 586aa3aaac..56bfde404c 100644
--- a/SPECS/kernel-rt/kernel-rt.spec
+++ b/SPECS/kernel-rt/kernel-rt.spec
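Review bot: The new `if (ul)` test in `rt_del_uncached_list()` and `rt6_uncached_list_del()` has no comment saying why `list_empty(&rt->dst.rt_uncached)` must not be used as a lock-free shortcut, so a later clean-up could reintroduce the use-after-free described in the patch header. I would add above each test something like `/* Always take ul->lock once the route was added: list_empty() can already be true while another CPU is still inside list_del_init(). */`. The test also depends on the `dst->rt_uncached_list = NULL;` line added to `dst_init()`, which deserves a short `/* NULL until the dst is put on an uncached list */`; that the add path is what sets the pointer is inferred, since it is not shown here. Both function bodies continue past the patch's own context lines.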
@@ -1,13 +1,13 @@
 Summary: Preempt RT Linux Kernel
 Name: kernel-rt
-Version: 6.12.61
-Release: 2%{?dist}
+Version: 6.12.67
+Release: 1%{?dist}
 License: GPLv2
 Vendor: Intel Corporation
 Distribution: Edge Microvisor Toolkit
 Group: System Environment/Kernel
 URL: https://www.kernel.org/pub/linux/kernel
-Source0: https://www.kernel.org/pub/linux/kernel/v6.x/linux-6.12.61.tar.gz
+Source0: https://www.kernel.org/pub/linux/kernel/v6.x/linux-6.12.67.tar.gz
 Source1: config
 Source3: sha512hmac-openssl.sh
 Source4: emt-ca-20211013.pem
@@ -15,745 +15,637 @@ Source5: cpupower Source6: cpupower.service -# Intel not-upstreamed kernel features -# Series file for v6.12.61 linux kernel -# dcbeffaf66d03 Linux 6.12.61 +# Intel Kernel Patches +# Series file for v6.12.67 linux kernel +# abf529abd660d Linux 6.12.67 #sriov -Patch0: 0001-drm-i915-mtl-Add-C10-table-for-HDMI-Clock-25175.sriov -Patch1: 0002-drm-i915-mtl-Copy-c10-phy-pll-sw-state-from-master-t.sriov -Patch2: 0003-drm-i915-guc-Define-MAX_DWORDS-for-CTB-HXG-Message.sriov -Patch3: 0004-drm-i915-call-taint_for_CI-on-FLR-failure.sriov -Patch4: 0005-drm-i915-huc-load-HuC-via-non-POR-GSC-engine-flow.sriov -Patch5: 0006-drm-i915-SR-IOV-Enabling-and-Support.sriov -Patch6: 0007-Revert-drm-i915-move-platform_engine_mask-and-memory.sriov -Patch7: 0008-drm-i915-gt-Enable-the-early-register-to-working-win.sriov -Patch8: 0009-drm-i915-gt-Modify-the-adls-mocs-table-same-as-tgl-m.sriov -Patch9: 0010-drm-i915-Bypass-gem_set_tiling-and-gem_get_tiling.sriov -Patch10: 0011-drm-i915-enable-CCS-on-DG1-and-TGL-for-testing.sriov -Patch11: 0012-drm-i915-force-VF-using-v70-GuC-API.sriov -Patch12: 0013-drm-i915-fix-regression-on-sriov-vf-failures-due-to-.sriov -Patch13: 0014-drm-i915-add-null-pointer-protection-inside-intel_fb.sriov -Patch14: 0015-drm-i915-use-the-original-Wa_14010685332-for-PCH_ADP.sriov -Patch15: 0016-drm-i915-fix-bitmap-clear-API-region-start-issue.sriov -Patch16: 0017-drm-i915-iov-Expose-early-runtime-registers-for-MTL.sriov -Patch17: 0018-drm-i915-gt-fix-empty-workaround-list-access-issue.sriov -Patch18: 0019-drm-i915-mtl-Add-module-parameter-override-for-Wa_16.sriov -Patch19: 0020-drm-i915-mtl-Provide-user-the-option-to-disable-ccs.sriov -Patch20: 0021-drm-i915-mtl-Turn-on-Wa_16019325821-Wa_14019159160-b.sriov -Patch21: 0022-drm-i915-pf-Use-GPU-to-set-PTE-owner.sriov -Patch22: 0023-drm-i915-pf-Use-GPU-to-set-PTE-owner-on-platforms-wi.sriov -Patch23: 0024-drm-i915-access-ddc-pointer-only-if-it-is-available.sriov -Patch24: 
0025-drm-i915-guc-Upgrade-GuC-fw-version-to-70.20.0.sriov -Patch25: 0026-drm-i915-iov-Adding-runtime-reg-for-MTL-HuC-status.sriov -Patch26: 0027-drm-i915-guc-Upgrade-GuC-fw-version-to-70.29.2.sriov -Patch27: 0028-drm-i915-Re-add-enable_rc6-modparam.sriov -Patch28: 0032-drm-virtio-freeze-and-restore-hooks-to-support-suspe.sriov -Patch29: 0033-drm-virtio-save-and-restore-virtio_gpu_objects.sriov -Patch30: 0001-drm-virtio-Use-drm_gem_plane_helper_prepare_fb.patch -Patch31: 0034-drm-i915-pf-Introduce-i915_ggtt_save_ptes-and-i915_g.sriov -Patch32: 0035-drm-i915-iov-Introduce-VFs-shadow-copy-of-GGTT-on-PF.sriov -Patch33: 0036-drm-i915-iov-Shadow-GGTT-mock-selftestes.sriov -Patch34: 0037-drm-i915-gt-Don-t-support-GGTT-save-restore-via-BAR-.sriov -Patch35: 0038-drm-i915-pf-Add-helpers-for-saving-loading-GGTT-stat.sriov -Patch36: 0039-drm-i915-pf-Handle-VF-pause-complete-notification.sriov -Patch37: 0040-drm-i915-pf-Allow-to-save-restore-GuC-VF-state.sriov -Patch38: 0041-drm-i915-pf-Save-and-restore-VFs-state-during-S2idle.sriov -Patch39: 0042-drm-i915-pf-Skip-VF-save-restore-on-S2idle-S3-S4-if-.sriov -Patch40: 0043-drm-i915-pf-Start-use-shadow-GGTT-to-save-restore-du.sriov -Patch41: 0044-drm-i915-pf-Export-API-to-be-used-by-i915-vfio-pci.sriov -Patch42: 0045-drm-i915-iov-Flag-which-tells-whether-PAUSE-is-in-pr.sriov -Patch43: 0046-drm-i915-iov-Remember-run-state-on-suspend-and-resto.sriov -Patch44: 0047-drm-i915-pf-Pause-VF-before-restore-GuC-state-after-.sriov -Patch45: 0048-drm-i915-iov-fix-i915-sriov-build-issue.sriov -Patch46: 0001-drm-i915-CTB-TLB-invalidation-fix-on-VM.sriov -Patch47: 0002-vfio-i915-Add-vfio_pci-driver-for-Intel-graphics.sriov -Patch48: 0003-drm-i915-guc-Upgrade-GuC-fw-version-to-70.36.0.sriov -Patch49: 0001-drm-i915-Fix-logic-for-GUC-Process.sriov -Patch50: 0001-vfio-i915-Add-support-for-MMIO-save-restore.sriov -Patch51: 0002-drm-i915-SR-IOV-Save-Restore-Feature-support.sriov -Patch52: 0001-i915-Enable-w-a-16026508708.sriov -Patch53: 
0001-virtio-hookup-irq_get_affinity-callback.sriov -Patch54: 0002-virtio-break-and-reset-virtio-devices-on-device_shut.sriov -Patch55: 0003-virtgpu-don-t-reset-on-shutdown.sriov -Patch56: 0004-drm-virtio-implement-virtio_gpu_shutdown.sriov -Patch57: 0001-drm-virtio-Wait-until-the-control-and-cursor-queues-.sriov -Patch58: 0001-drm-i915-move-sriov-selftest-buffer-out-of-stack.sriov -Patch59: 0001-drm-i915-Do-not-advertise-about-CCS.sriov -Patch60: 0001-Revert-drm-i915-Do-not-advertise-about-CCS.sriov +Patch01001: 0001-drm-i915-mtl-Add-C10-table-for-HDMI-Clock-25175.sriov +Patch01002: 0002-drm-i915-mtl-Copy-c10-phy-pll-sw-state-from-master-t.sriov +Patch01003: 0003-drm-i915-guc-Define-MAX_DWORDS-for-CTB-HXG-Message.sriov +Patch01004: 0004-drm-i915-call-taint_for_CI-on-FLR-failure.sriov +Patch01005: 0005-drm-i915-huc-load-HuC-via-non-POR-GSC-engine-flow.sriov +Patch01006: 0006-drm-i915-SR-IOV-Enabling-and-Support.sriov +Patch01007: 0007-Revert-drm-i915-move-platform_engine_mask-and-memory.sriov +Patch01008: 0008-drm-i915-gt-Enable-the-early-register-to-working-win.sriov +Patch01009: 0009-drm-i915-gt-Modify-the-adls-mocs-table-same-as-tgl-m.sriov +Patch01010: 0010-drm-i915-Bypass-gem_set_tiling-and-gem_get_tiling.sriov +Patch01011: 0011-drm-i915-enable-CCS-on-DG1-and-TGL-for-testing.sriov +Patch01012: 0012-drm-i915-force-VF-using-v70-GuC-API.sriov +Patch01013: 0013-drm-i915-fix-regression-on-sriov-vf-failures-due-to-.sriov +Patch01014: 0014-drm-i915-add-null-pointer-protection-inside-intel_fb.sriov +Patch01015: 0015-drm-i915-use-the-original-Wa_14010685332-for-PCH_ADP.sriov +Patch01016: 0016-drm-i915-fix-bitmap-clear-API-region-start-issue.sriov +Patch01017: 0017-drm-i915-iov-Expose-early-runtime-registers-for-MTL.sriov +Patch01018: 0018-drm-i915-gt-fix-empty-workaround-list-access-issue.sriov +Patch01019: 0019-drm-i915-mtl-Add-module-parameter-override-for-Wa_16.sriov +Patch01020: 0020-drm-i915-mtl-Provide-user-the-option-to-disable-ccs.sriov +Patch01021: 
0021-drm-i915-mtl-Turn-on-Wa_16019325821-Wa_14019159160-b.sriov +Patch01022: 0022-drm-i915-pf-Use-GPU-to-set-PTE-owner.sriov +Patch01023: 0023-drm-i915-pf-Use-GPU-to-set-PTE-owner-on-platforms-wi.sriov +Patch01024: 0024-drm-i915-access-ddc-pointer-only-if-it-is-available.sriov +Patch01025: 0025-drm-i915-guc-Upgrade-GuC-fw-version-to-70.20.0.sriov +Patch01026: 0026-drm-i915-iov-Adding-runtime-reg-for-MTL-HuC-status.sriov +Patch01027: 0027-drm-i915-guc-Upgrade-GuC-fw-version-to-70.29.2.sriov +Patch01028: 0028-drm-i915-Re-add-enable_rc6-modparam.sriov +Patch01029: 0032-drm-virtio-freeze-and-restore-hooks-to-support-suspe.sriov +Patch01030: 0033-drm-virtio-save-and-restore-virtio_gpu_objects.sriov +Patch01031: 0001-drm-virtio-Use-drm_gem_plane_helper_prepare_fb.patch +Patch01032: 0034-drm-i915-pf-Introduce-i915_ggtt_save_ptes-and-i915_g.sriov +Patch01033: 0035-drm-i915-iov-Introduce-VFs-shadow-copy-of-GGTT-on-PF.sriov +Patch01034: 0036-drm-i915-iov-Shadow-GGTT-mock-selftestes.sriov +Patch01035: 0037-drm-i915-gt-Don-t-support-GGTT-save-restore-via-BAR-.sriov +Patch01036: 0038-drm-i915-pf-Add-helpers-for-saving-loading-GGTT-stat.sriov +Patch01037: 0039-drm-i915-pf-Handle-VF-pause-complete-notification.sriov +Patch01038: 0040-drm-i915-pf-Allow-to-save-restore-GuC-VF-state.sriov +Patch01039: 0041-drm-i915-pf-Save-and-restore-VFs-state-during-S2idle.sriov +Patch01040: 0042-drm-i915-pf-Skip-VF-save-restore-on-S2idle-S3-S4-if-.sriov +Patch01041: 0043-drm-i915-pf-Start-use-shadow-GGTT-to-save-restore-du.sriov +Patch01042: 0044-drm-i915-pf-Export-API-to-be-used-by-i915-vfio-pci.sriov +Patch01043: 0045-drm-i915-iov-Flag-which-tells-whether-PAUSE-is-in-pr.sriov +Patch01044: 0046-drm-i915-iov-Remember-run-state-on-suspend-and-resto.sriov +Patch01045: 0047-drm-i915-pf-Pause-VF-before-restore-GuC-state-after-.sriov +Patch01046: 0048-drm-i915-iov-fix-i915-sriov-build-issue.sriov +Patch01047: 0001-drm-i915-CTB-TLB-invalidation-fix-on-VM.sriov +Patch01048: 
0002-vfio-i915-Add-vfio_pci-driver-for-Intel-graphics.sriov +Patch01049: 0003-drm-i915-guc-Upgrade-GuC-fw-version-to-70.36.0.sriov +Patch01050: 0001-drm-i915-Fix-logic-for-GUC-Process.sriov +Patch01051: 0001-vfio-i915-Add-support-for-MMIO-save-restore.sriov +Patch01052: 0002-drm-i915-SR-IOV-Save-Restore-Feature-support.sriov +Patch01053: 0001-i915-Enable-w-a-16026508708.sriov +Patch01054: 0001-virtio-hookup-irq_get_affinity-callback.sriov +Patch01055: 0002-virtio-break-and-reset-virtio-devices-on-device_shut.sriov +Patch01056: 0003-virtgpu-don-t-reset-on-shutdown.sriov +Patch01057: 0004-drm-virtio-implement-virtio_gpu_shutdown.sriov +Patch01058: 0001-drm-virtio-Wait-until-the-control-and-cursor-queues-.sriov +Patch01059: 0001-drm-i915-move-sriov-selftest-buffer-out-of-stack.sriov +Patch01060: 0001-drm-i915-Do-not-advertise-about-CCS.sriov +Patch01061: 0001-Revert-drm-i915-Do-not-advertise-about-CCS.sriov #security -Patch61: 0001-mei-bus-add-api-to-query-capabilities-of-ME-clien.security -Patch62: 0002-mei-virtio-virtualization-frontend-driver.security -Patch63: 0003-INTEL_DII-mei-avoid-reset-if-fw-is-down.security -Patch64: 0004-INTEL_DII-FIXME-mei-iaf-add-iaf-Intel-Accelerator.security -Patch65: 0005-INTEL_DII-mei-add-check-for-offline-bit-in-every-.security -Patch66: 0006-INTEL_DII-mei-add-empty-handlers-for-ops-function.security -Patch67: 0007-INTEL_DII-mei-gsc-add-fields-to-support-force-wak.security -Patch68: 0008-INTEL_DII-mei-add-waitqueue-for-device-state-chan.security -Patch69: 0009-INTEL_DII-mei-add-force-wake-workaround-infra.security -Patch70: 0010-INTEL_DII-mei-add-force-wake-workaround-in-init.security -Patch71: 0011-INTEL_DII-mei-add-force-wake-workaround-on-sessio.security -Patch72: 0012-INTEL_DII-mei-add-force-wake-workaround-in-runtim.security -Patch73: 0013-INTEL_DII-mei-add-force-wake-workaround-in-resume.security -Patch74: 0014-INTEL_DII-mei-disable-immediate-enum-if-forcewake.security -Patch75: 
0015-INTEL_DII-mei-put-force-wake-in-error-flows.security -Patch76: 0016-INTEL_DII-mei-add-force-wake-callbacks-to-empty-h.security -Patch77: 0017-INTEL_DII-mei-optimize-force-wake-wait.security -Patch78: 0018-mei-me-apply-GSC-error-supression-to-systems-with.security -Patch79: 0019-INTEL_DII-mei-bus-fixup-disable-version-retrieval.security +Patch02001: 0001-mei-bus-add-api-to-query-capabilities-of-ME-clien.security +Patch02002: 0002-mei-virtio-virtualization-frontend-driver.security +Patch02003: 0003-INTEL_DII-mei-avoid-reset-if-fw-is-down.security +Patch02004: 0004-INTEL_DII-FIXME-mei-iaf-add-iaf-Intel-Accelerator.security +Patch02005: 0005-INTEL_DII-mei-add-check-for-offline-bit-in-every-.security +Patch02006: 0006-INTEL_DII-mei-add-empty-handlers-for-ops-function.security +Patch02007: 0007-INTEL_DII-mei-gsc-add-fields-to-support-force-wak.security +Patch02008: 0008-INTEL_DII-mei-add-waitqueue-for-device-state-chan.security +Patch02009: 0009-INTEL_DII-mei-add-force-wake-workaround-infra.security +Patch02010: 0010-INTEL_DII-mei-add-force-wake-workaround-in-init.security +Patch02011: 0011-INTEL_DII-mei-add-force-wake-workaround-on-sessio.security +Patch02012: 0012-INTEL_DII-mei-add-force-wake-workaround-in-runtim.security +Patch02013: 0013-INTEL_DII-mei-add-force-wake-workaround-in-resume.security +Patch02014: 0014-INTEL_DII-mei-disable-immediate-enum-if-forcewake.security +Patch02015: 0015-INTEL_DII-mei-put-force-wake-in-error-flows.security +Patch02016: 0016-INTEL_DII-mei-add-force-wake-callbacks-to-empty-h.security +Patch02017: 0017-INTEL_DII-mei-optimize-force-wake-wait.security +Patch02018: 0018-mei-me-apply-GSC-error-supression-to-systems-with.security +Patch02019: 0019-INTEL_DII-mei-bus-fixup-disable-version-retrieval.security #tgpio -Patch80: 0001-Revert-timekeeping-Add-function-to-convert-realtime-.tgpio -Patch81: 0002-Revert-x86-tsc-Remove-obsolete-ART-to-TSC-conversion.tgpio -Patch82: 0003-Revert-ice-ptp-Remove-convert_art_to_tsc.tgpio -Patch83: 
0004-Revert-ALSA-hda-Remove-convert_art_to_tsc.tgpio -Patch84: 0005-Revert-stmmac-intel-Remove-convert_art_to_tsc.tgpio -Patch85: 0006-Revert-igc-Remove-convert_art_ns_to_tsc.tgpio -Patch86: 0007-Revert-e1000e-Replace-convert_art_to_tsc.tgpio -Patch87: 0008-Revert-x86-tsc-Provide-ART-base-clock-information-fo.tgpio -Patch88: 0009-Revert-timekeeping-Provide-infrastructure-for-conver.tgpio -Patch89: 0010-drivers-ptp-Add-Enhanced-handling-of-reserve-fields.tgpio -Patch90: 0011-drivers-ptp-Add-PEROUT2-ioctl-frequency-adjustment-i.tgpio -Patch91: 0012-drivers-ptp-Add-user-space-input-polling-interface.tgpio -Patch92: 0013-x86-tsc-Add-TSC-support-functions-to-support-ART-dri.tgpio -Patch93: 0014-drivers-ptp-Add-support-for-PMC-Time-Aware-GPIO-Driv.tgpio -Patch94: 0015-x86-core-TSC-reliable-kernel-arg-prevents-DQ-of-TSC-.tgpio -Patch95: 0016-mfd-intel-ehl-gpio-Introduce-MFD-framework-to-PSE-GP.tgpio -Patch96: 0017-TGPIO-Calling-power-management-calls-without-enterin.tgpio -Patch97: 0018-TGPIO-Fix-PSE-TGPIO-PTP-driver-ioctls-fail.tgpio -Patch98: 0019-Kernel-Argument-Bypassing-ART-Detection.tgpio -Patch99: 0020-GPIO-Fix-for-PSE-GPIO-generating-only-one-event-as-i.tgpio -Patch100: 0021-Added-TGPIO-pin-check-before-input-event-read.tgpio -Patch101: 0022-Added-an-Example-to-adjust-frequency-for-output.tgpio -Patch102: 0023-ptp-tgpio-PSE-TGPIO-crosststamp-counttstamp.tgpio -Patch103: 0024-ptp-Fixed-read-issue-on-PHC-with-zero-n_pins.tgpio -Patch104: 0025-ptp-S-W-workaround-for-PMC-TGPIO-h-w-bug.tgpio -Patch105: 0026-ptp-Fix-for-PSE-TGPIO-Oneshot-output-and-counttstamp.tgpio -Patch106: 0027-ptp-Fix-for-PSE-TGPIO-frequency-Adjustment-issue.tgpio -Patch107: 0028-tgpio-Fix-compilation-errors-for-PSE-TGPIO.tgpio -Patch108: 0029-Added-single-shot-output-mode-support-for-TGPIO.tgpio -Patch109: 0030-Added-an-example-to-poll-for-edges.tgpio -Patch110: 0031-Added-support-to-get-TGPIO-System-Clock-Offset.tgpio -Patch111: 0032-Added-single-shot-output-mode-option-for-TGPIO-pin.tgpio 
-Patch112: 0033-selftests-ptp-Added-COMPV-GPIO-Input-Mode-for-TGPIO.tgpio -Patch113: 0034-ptp-Introduce-PTP_PINDESC_INPUTPOLL-for-Intel-PMC-TG.tgpio -Patch114: 0035-drivers-ptp-Add-COMPV-GPIO-Mode-for-PSE-TGPIO.tgpio -Patch115: 0036-net-ice-fix-braces-around-scalar-initializer.tgpio -Patch116: 0037-ptp-Add-PTP_EVENT_COUNTER_MODE-in-v1-valid-flags.tgpio -Patch117: 0038-ptp-Enable-preempt-if-it-is-disabled.tgpio -Patch118: 0039-ptp-Generate-sqaure-wave-on-PSE-TGPIO.tgpio -Patch119: 0040-ptp-tgpio-Add-an-edge-if-the-output-signal-ends-high.tgpio -Patch120: 0041-ptp-pmc-tgpio-Initialize-variable-to-zero.tgpio -Patch121: 0042-ptp-tgpio-Fix-return-type-of-remove-function-in-tgpi.tgpio -Patch122: 0043-net-mlx5-reuse-convert_art_ns_to_tsc-to-convert-ART-.tgpio +Patch03001: 0001-Revert-timekeeping-Add-function-to-convert-realtime-.tgpio +Patch03002: 0002-Revert-x86-tsc-Remove-obsolete-ART-to-TSC-conversion.tgpio +Patch03003: 0003-Revert-ice-ptp-Remove-convert_art_to_tsc.tgpio +Patch03004: 0004-Revert-ALSA-hda-Remove-convert_art_to_tsc.tgpio +Patch03005: 0005-Revert-stmmac-intel-Remove-convert_art_to_tsc.tgpio +Patch03006: 0006-Revert-igc-Remove-convert_art_ns_to_tsc.tgpio +Patch03007: 0007-Revert-e1000e-Replace-convert_art_to_tsc.tgpio +Patch03008: 0008-Revert-x86-tsc-Provide-ART-base-clock-information-fo.tgpio +Patch03009: 0009-Revert-timekeeping-Provide-infrastructure-for-conver.tgpio +Patch03010: 0010-drivers-ptp-Add-Enhanced-handling-of-reserve-fields.tgpio +Patch03011: 0011-drivers-ptp-Add-PEROUT2-ioctl-frequency-adjustment-i.tgpio +Patch03012: 0012-drivers-ptp-Add-user-space-input-polling-interface.tgpio +Patch03013: 0013-x86-tsc-Add-TSC-support-functions-to-support-ART-dri.tgpio +Patch03014: 0014-drivers-ptp-Add-support-for-PMC-Time-Aware-GPIO-Driv.tgpio +Patch03015: 0015-x86-core-TSC-reliable-kernel-arg-prevents-DQ-of-TSC-.tgpio +Patch03016: 0016-mfd-intel-ehl-gpio-Introduce-MFD-framework-to-PSE-GP.tgpio +Patch03017: 
0017-TGPIO-Calling-power-management-calls-without-enterin.tgpio +Patch03018: 0018-TGPIO-Fix-PSE-TGPIO-PTP-driver-ioctls-fail.tgpio +Patch03019: 0019-Kernel-Argument-Bypassing-ART-Detection.tgpio +Patch03020: 0020-GPIO-Fix-for-PSE-GPIO-generating-only-one-event-as-i.tgpio +Patch03021: 0021-Added-TGPIO-pin-check-before-input-event-read.tgpio +Patch03022: 0022-Added-an-Example-to-adjust-frequency-for-output.tgpio +Patch03023: 0023-ptp-tgpio-PSE-TGPIO-crosststamp-counttstamp.tgpio +Patch03024: 0024-ptp-Fixed-read-issue-on-PHC-with-zero-n_pins.tgpio +Patch03025: 0025-ptp-S-W-workaround-for-PMC-TGPIO-h-w-bug.tgpio +Patch03026: 0026-ptp-Fix-for-PSE-TGPIO-Oneshot-output-and-counttstamp.tgpio +Patch03027: 0027-ptp-Fix-for-PSE-TGPIO-frequency-Adjustment-issue.tgpio +Patch03028: 0028-tgpio-Fix-compilation-errors-for-PSE-TGPIO.tgpio +Patch03029: 0029-Added-single-shot-output-mode-support-for-TGPIO.tgpio +Patch03030: 0030-Added-an-example-to-poll-for-edges.tgpio +Patch03031: 0031-Added-support-to-get-TGPIO-System-Clock-Offset.tgpio +Patch03032: 0032-Added-single-shot-output-mode-option-for-TGPIO-pin.tgpio +Patch03033: 0033-selftests-ptp-Added-COMPV-GPIO-Input-Mode-for-TGPIO.tgpio +Patch03034: 0034-ptp-Introduce-PTP_PINDESC_INPUTPOLL-for-Intel-PMC-TG.tgpio +Patch03035: 0035-drivers-ptp-Add-COMPV-GPIO-Mode-for-PSE-TGPIO.tgpio +Patch03036: 0036-net-ice-fix-braces-around-scalar-initializer.tgpio +Patch03037: 0037-ptp-Add-PTP_EVENT_COUNTER_MODE-in-v1-valid-flags.tgpio +Patch03038: 0038-ptp-Enable-preempt-if-it-is-disabled.tgpio +Patch03039: 0039-ptp-Generate-sqaure-wave-on-PSE-TGPIO.tgpio +Patch03040: 0040-ptp-tgpio-Add-an-edge-if-the-output-signal-ends-high.tgpio +Patch03041: 0041-ptp-pmc-tgpio-Initialize-variable-to-zero.tgpio +Patch03042: 0042-ptp-tgpio-Fix-return-type-of-remove-function-in-tgpi.tgpio +Patch03043: 0043-net-mlx5-reuse-convert_art_ns_to_tsc-to-convert-ART-.tgpio #edac -Patch123: 0001-x86-mce-Add-MCACOD-code-for-generic-I-O-error.edac -Patch124: 
0002-EDAC-ieh-Add-I-O-device-EDAC-driver-for-Intel-CPUs-wi.edac -Patch125: 0003-EDAC-ieh-Add-I-O-device-EDAC-support-for-Intel-Tiger-.edac -Patch126: 0004-EDAC-igen6-Add-registration-APIs-for-In-Band-ECC-erro.edac -Patch127: 0005-EDAC-i10nm-Print-DRAM-rules-debug-purpose.edac -Patch128: 0006-EDAC-skx_common-skx-i10nm-Make-skx_register_mci-indep.edac -Patch129: 0007-EDAC-skx_common-Prepare-skx_get_edac_list.edac -Patch130: 0008-EDAC-skx_common-Prepare-skx_set_hi_lo.edac -Patch131: 0009-EDAC-igen6-Add-Intel-Pnther-Lake-H-SoCs-support.edac -Patch132: 0002-EDAC-ie31200-Add-Kaby-Lake-S-dual-core-host-bridge-ID.edac -Patch133: 0006-EDAC-ie31200-Fix-the-3rd-parameter-name-of-populate_d.edac -Patch134: 0007-EDAC-ie31200-Simplify-the-pci_device_id-table.edac -Patch135: 0008-EDAC-ie31200-Make-the-memory-controller-resources-con.edac -Patch136: 0009-EDAC-ie31200-Make-struct-dimm_data-contain-decoded-in.edac -Patch137: 0010-EDAC-ie31200-Fold-the-two-channel-loops-into-one-loop.edac -Patch138: 0011-EDAC-ie31200-Break-up-ie31200_probe1.edac -Patch139: 0012-EDAC-ie31200-Add-Intel-Raptor-Lake-S-SoCs-support.edac -Patch140: 0013-EDAC-ie31200-Switch-Raptor-Lake-S-to-interrupt-mode.edac -Patch141: 0001-EDAC-ie31200-Add-two-Intel-SoCs-for-EDAC-support.edac -Patch142: 0002-ie31200-EDAC-Add-Intel-Bartlett-Lake-S-SoCs-support.edac -Patch143: 0001-EDAC-igen6-Add-Intel-Amston-Lake-SoCs-support.edac -Patch144: 0002-EDAC-igen6-Add-additional-Intel-Amston-Lake-SoC-compu.edac -Patch145: 0001-EDAC-igen6-Initialize-edac_op_state-according-to-the-.edac -Patch146: 0002-EDAC-igen6-Add-polling-support.edac -Patch147: 0003-EDAC-igen6-Fix-the-flood-of-invalid-error-reports.edac -Patch148: 0004-EDAC-igen6-Constify-struct-res_config.edac -Patch149: 0005-EDAC-igen6-Skip-absent-memory-controllers.edac -Patch150: 0006-EDAC-igen6-Fix-NULL-pointer-dereference.edac +Patch04001: 0001-x86-mce-Add-MCACOD-code-for-generic-I-O-error.edac +Patch04002: 0002-EDAC-ieh-Add-I-O-device-EDAC-driver-for-Intel-CPUs-wi.edac 
+Patch04003: 0003-EDAC-ieh-Add-I-O-device-EDAC-support-for-Intel-Tiger-.edac
+Patch04004: 0004-EDAC-igen6-Add-registration-APIs-for-In-Band-ECC-erro.edac
+Patch04005: 0005-EDAC-i10nm-Print-DRAM-rules-debug-purpose.edac
+Patch04006: 0006-EDAC-skx_common-skx-i10nm-Make-skx_register_mci-indep.edac
+Patch04007: 0007-EDAC-skx_common-Prepare-skx_get_edac_list.edac
+Patch04008: 0008-EDAC-skx_common-Prepare-skx_set_hi_lo.edac
+Patch04009: 0009-EDAC-igen6-Add-Intel-Pnther-Lake-H-SoCs-support.edac
+Patch04010: 0002-EDAC-ie31200-Add-Kaby-Lake-S-dual-core-host-bridge-ID.edac
+Patch04011: 0006-EDAC-ie31200-Fix-the-3rd-parameter-name-of-populate_d.edac
+Patch04012: 0007-EDAC-ie31200-Simplify-the-pci_device_id-table.edac
+Patch04013: 0008-EDAC-ie31200-Make-the-memory-controller-resources-con.edac
+Patch04014: 0009-EDAC-ie31200-Make-struct-dimm_data-contain-decoded-in.edac
+Patch04015: 0010-EDAC-ie31200-Fold-the-two-channel-loops-into-one-loop.edac
+Patch04016: 0011-EDAC-ie31200-Break-up-ie31200_probe1.edac
+Patch04017: 0012-EDAC-ie31200-Add-Intel-Raptor-Lake-S-SoCs-support.edac
+Patch04018: 0013-EDAC-ie31200-Switch-Raptor-Lake-S-to-interrupt-mode.edac
+Patch04019: 0001-EDAC-ie31200-Add-two-Intel-SoCs-for-EDAC-support.edac
+Patch04020: 0002-ie31200-EDAC-Add-Intel-Bartlett-Lake-S-SoCs-support.edac
+Patch04021: 0001-EDAC-igen6-Add-Intel-Amston-Lake-SoCs-support.edac
+Patch04022: 0002-EDAC-igen6-Add-additional-Intel-Amston-Lake-SoC-compu.edac
+Patch04023: 0001-EDAC-igen6-Initialize-edac_op_state-according-to-the-.edac
+Patch04024: 0002-EDAC-igen6-Add-polling-support.edac
+Patch04025: 0003-EDAC-igen6-Fix-the-flood-of-invalid-error-reports.edac
+Patch04026: 0004-EDAC-igen6-Constify-struct-res_config.edac
+Patch04027: 0005-EDAC-igen6-Skip-absent-memory-controllers.edac
+Patch04028: 0006-EDAC-igen6-Fix-NULL-pointer-dereference.edac
 #tsn
-Patch151: 0001-net-pcs-xpcs-enable-xpcs-reset-skipping.tsn
-Patch152: 0002-net-stmmac-Bugfix-on-stmmac_interrupt-for-WOL.tsn
-Patch153: 0003-net-phy-increase-gpy-loopback-test-delay.tsn
-Patch154: 0004-net-stmmac-Resolve-poor-line-rate-after-switching-from.tsn
-Patch155: 0005-net-phy-dp83867-perform-restart-AN-after-modifying-AN-.tsn
-Patch156: 0006-stmmac-intel-Separate-ADL-N-and-RPL-P-device-ID-from-T.tsn
-Patch157: 0007-net-stmmac-Adjust-mac_capabilities-for-Intel-mGbE-2.5G.tsn
-Patch158: 0008-stmmac-intel-skip-xpcs-reset-for-2.5Gbps-on-Intel-Alde.tsn
-Patch159: 0009-net-stmmac-add-check-for-2.5G-mode-to-prevent-MAC-capa.tsn
-Patch160: 0010-stmmac-intel-Enable-PHY-WoL-in-ADL-N.tsn
-Patch161: 0011-net-phy-reconfigure-PHY-WoL-when-WoL-option-is-enabled.tsn
-Patch162: 0012-net-stmmac-fix-MAC-and-phylink-mismatch-issue-after-re.tsn
-Patch163: 0013-net-stmmac-restructure-Rx-Tx-hardware-timestamping-fun.tsn
-Patch164: 0014-net-stmmac-Add-per-packet-time-based-scheduling-for-XD.tsn
-Patch165: 0015-net-stmmac-introduce-AF_XDP-ZC-RX-HW-timestamps.tsn
-Patch166: 0016-net-stmmac-add-fsleep-in-HW-Rx-timestamp-checking-loop.tsn
-Patch167: 0017-net-stmmac-select-PCS-negotiation-mode-according-to-th.tsn
-Patch168: 0018-net-pcs-xpcs-re-initiate-clause-37-Auto-negotiation.tsn
-Patch169: 0019-arch-x86-Add-IPC-mailbox-accessor-function-and-add-SoC.tsn
-Patch170: 0020-net-stmmac-configure-SerDes-according-to-the-interface.tsn
-Patch171: 0021-stmmac-intel-interface-switching-support-for-intel-pla.tsn
-Patch172: 0022-net-stmmac-Set-mac_managed_pm-flag-from-stmmac-to-reso.tsn
-Patch173: 0023-net-phylink-Add-module_exit.tsn
-Patch174: 0024-net-stmmac-introduce-AF_XDP-ZC-TX-HW-timestamps.tsn
-Patch175: 0025-net-sched-taprio-fix-too-early-schedules-switching.tsn
-Patch176: 0026-net-sched-taprio-fix-cycle-time-adjustment-for-next-en.tsn
-Patch177: 0027-net-sched-taprio-fix-impacted-fields-value-during-cycl.tsn
-Patch178: 0028-net-sched-taprio-get-corrected-value-of-cycle_time-and.tsn
-Patch179: 0029-xsk-add-txtime-field-in-xdp_desc-struct.tsn
-Patch180: 0030-Revert-net-stmmac-silence-FPE-kernel-logs.tsn
-Patch181: 0031-Revert-net-stmmac-support-fp-parameter-of-tc-taprio.tsn
-Patch182: 0032-Revert-net-stmmac-support-fp-parameter-of-tc-mqprio.tsn
-Patch183: 0033-Revert-net-stmmac-configure-FPE-via-ethtool-mm.tsn
-Patch184: 0034-Revert-net-stmmac-refactor-FPE-verification-process.tsn
-Patch185: 0035-Revert-net-stmmac-drop-stmmac_fpe_handshake.tsn
-Patch186: 0036-Revert-net-stmmac-move-stmmac_fpe_cfg-to-stmmac_priv-d.tsn
-Patch187: 0037-net-stmmac-add-FPE-preempt-setting-for-TxQ-preemptible.tsn
-Patch188: 0038-taprio-Add-support-for-frame-preemption-offload.tsn
-Patch189: 0039-net-stmmac-set-initial-EEE-policy-configuration.tsn
-Patch190: 0040-net-phy-fix-phylib-s-dual-eee_enabled.tsn
-Patch191: 0041-net-phy-ensure-that-genphy_c45_an_config_eee_aneg-sees.tsn
-Patch192: 0042-net-phy-fix-phy_ethtool_set_eee-incorrectly-enabling-L.tsn
-Patch193: 0001-igc-Set-the-RX-packet-buffer-size-for-TSN-mode.tsn
-Patch194: 0002-igc-Only-dump-registers-if-configured-to-dump-HW-infor.tsn
-Patch195: 0003-ethtool-Add-support-for-configuring-frame-preemption.tsn
-Patch196: 0004-ethtool-Add-support-for-Frame-Preemption-verification.tsn
-Patch197: 0005-igc-Add-support-for-enabling-frame-preemption-via-etht.tsn
-Patch198: 0006-igc-Add-support-for-TC_SETUP_PREEMPT.tsn
-Patch199: 0007-igc-Add-support-for-setting-frame-preemption-configura.tsn
-Patch200: 0008-igc-Add-support-for-Frame-Preemption-verification.tsn
-Patch201: 0009-igc-Add-support-for-exposing-frame-preemption-stats-re.tsn
-Patch202: 0010-igc-Optimize-the-packet-buffer-utilization.tsn
-Patch203: 0011-igc-Add-support-for-enabling-all-packets-to-be-receive.tsn
-Patch204: 0012-igc-Add-support-for-DMA-timestamp-for-non-PTP-packets.tsn
-Patch205: 0013-bpf-add-btf-register-unregister-API.tsn
-Patch206: 0014-net-core-XDP-metadata-BTF-netlink-API.tsn
-Patch207: 0015-rtnetlink-Fix-unchecked-return-value-of-dev_xdp_query_.tsn
-Patch208: 0016-rtnetlink-Add-return-value-check.tsn
-Patch209: 0017-tools-bpf-Query-XDP-metadata-BTF-ID.tsn
-Patch210: 0018-tools-bpf-Add-xdp-set-command-for-md-btf.tsn
-Patch211: 0019-igc-Add-BTF-based-metadata-for-XDP.tsn
-Patch212: 0020-igc-Enable-HW-RX-Timestamp-for-AF_XDP-ZC.tsn
-Patch213: 0021-igc-Take-care-of-DMA-timestamp-rollover.tsn
-Patch214: 0022-igc-Add-SO_TXTIME-for-AF_XDP-ZC.tsn
-Patch215: 0023-igc-Reodering-the-empty-packet-buffers-and-descriptors.tsn
-Patch216: 0024-Revert-igc-Add-support-for-PTP-.getcyclesx64.tsn
-Patch217: 0025-core-Introduce-netdev_tc_map_to_queue_mask.tsn
-Patch218: 0026-taprio-Replace-tc_map_to_queue_mask.tsn
-Patch219: 0027-mqprio-Add-support-for-frame-preemption-offload.tsn
-Patch220: 0030-igc-Reduce-retry-count-to-a-more-reasonable-number.tsn
-Patch221: 0001-igc-Enable-HW-TX-Timestamp-for-AF_XDP-ZC.tsn
-Patch222: 0002-igc-Enable-trace-for-HW-TX-Timestamp-AF_XDP-ZC.tsn
-Patch223: 0003-igc-Remove-the-CONFIG_DEBUG_MISC-condition-for-trace.tsn
-Patch224: 0006-Revert-net-stmmac-set-initial-EEE-policy-configurati.tsn
-Patch225: 0001-net-phy-Set-eee_cfg.eee_enabled-according-to-PHY.tsn
-Patch226: 0001-Revert-net-stmmac-add-FPE-preempt-setting-for-TxQ-pree.tsn
-Patch227: 0002-Reapply-net-stmmac-move-stmmac_fpe_cfg-to-stmmac_priv-.tsn
-Patch228: 0003-Reapply-net-stmmac-drop-stmmac_fpe_handshake.tsn
-Patch229: 0004-Reapply-net-stmmac-refactor-FPE-verification-process.tsn
-Patch230: 0005-Reapply-net-stmmac-configure-FPE-via-ethtool-mm.tsn
-Patch231: 0006-Reapply-net-stmmac-support-fp-parameter-of-tc-mqprio.tsn
-Patch232: 0007-Reapply-net-stmmac-support-fp-parameter-of-tc-taprio.tsn
-Patch233: 0008-Reapply-net-stmmac-silence-FPE-kernel-logs.tsn
+Patch05001: 0001-net-pcs-xpcs-enable-xpcs-reset-skipping.tsn
+Patch05002: 0002-net-stmmac-Bugfix-on-stmmac_interrupt-for-WOL.tsn
+Patch05003: 0003-net-phy-increase-gpy-loopback-test-delay.tsn
+Patch05004: 0004-net-stmmac-Resolve-poor-line-rate-after-switching-from.tsn
+Patch05005: 0005-net-phy-dp83867-perform-restart-AN-after-modifying-AN-.tsn
+Patch05006: 0006-stmmac-intel-Separate-ADL-N-and-RPL-P-device-ID-from-T.tsn
+Patch05007: 0007-net-stmmac-Adjust-mac_capabilities-for-Intel-mGbE-2.5G.tsn
+Patch05008: 0008-stmmac-intel-skip-xpcs-reset-for-2.5Gbps-on-Intel-Alde.tsn
+Patch05009: 0009-net-stmmac-add-check-for-2.5G-mode-to-prevent-MAC-capa.tsn
+Patch05010: 0010-stmmac-intel-Enable-PHY-WoL-in-ADL-N.tsn
+Patch05011: 0011-net-phy-reconfigure-PHY-WoL-when-WoL-option-is-enabled.tsn
+Patch05012: 0012-net-stmmac-fix-MAC-and-phylink-mismatch-issue-after-re.tsn
+Patch05013: 0013-net-stmmac-restructure-Rx-Tx-hardware-timestamping-fun.tsn
+Patch05014: 0014-net-stmmac-Add-per-packet-time-based-scheduling-for-XD.tsn
+Patch05015: 0015-net-stmmac-introduce-AF_XDP-ZC-RX-HW-timestamps.tsn
+Patch05016: 0016-net-stmmac-add-fsleep-in-HW-Rx-timestamp-checking-loop.tsn
+Patch05017: 0017-net-stmmac-select-PCS-negotiation-mode-according-to-th.tsn
+Patch05018: 0018-net-pcs-xpcs-re-initiate-clause-37-Auto-negotiation.tsn
+Patch05019: 0019-arch-x86-Add-IPC-mailbox-accessor-function-and-add-SoC.tsn
+Patch05020: 0020-net-stmmac-configure-SerDes-according-to-the-interface.tsn
+Patch05021: 0021-stmmac-intel-interface-switching-support-for-intel-pla.tsn
+Patch05022: 0022-net-stmmac-Set-mac_managed_pm-flag-from-stmmac-to-reso.tsn
+Patch05023: 0023-net-phylink-Add-module_exit.tsn
+Patch05024: 0024-net-stmmac-introduce-AF_XDP-ZC-TX-HW-timestamps.tsn
+Patch05025: 0025-net-sched-taprio-fix-too-early-schedules-switching.tsn
+Patch05026: 0026-net-sched-taprio-fix-cycle-time-adjustment-for-next-en.tsn
+Patch05027: 0027-net-sched-taprio-fix-impacted-fields-value-during-cycl.tsn
+Patch05028: 0028-net-sched-taprio-get-corrected-value-of-cycle_time-and.tsn
+Patch05029: 0029-xsk-add-txtime-field-in-xdp_desc-struct.tsn
+Patch05030: 0030-Revert-net-stmmac-silence-FPE-kernel-logs.tsn
+Patch05031: 0031-Revert-net-stmmac-support-fp-parameter-of-tc-taprio.tsn
+Patch05032: 0032-Revert-net-stmmac-support-fp-parameter-of-tc-mqprio.tsn
+Patch05033: 0033-Revert-net-stmmac-configure-FPE-via-ethtool-mm.tsn
+Patch05034: 0034-Revert-net-stmmac-refactor-FPE-verification-process.tsn
+Patch05035: 0035-Revert-net-stmmac-drop-stmmac_fpe_handshake.tsn
+Patch05036: 0036-Revert-net-stmmac-move-stmmac_fpe_cfg-to-stmmac_priv-d.tsn
+Patch05037: 0037-net-stmmac-add-FPE-preempt-setting-for-TxQ-preemptible.tsn
+Patch05038: 0038-taprio-Add-support-for-frame-preemption-offload.tsn
+Patch05039: 0039-net-stmmac-set-initial-EEE-policy-configuration.tsn
+Patch05040: 0040-net-phy-fix-phylib-s-dual-eee_enabled.tsn
+Patch05041: 0041-net-phy-ensure-that-genphy_c45_an_config_eee_aneg-sees.tsn
+Patch05042: 0042-net-phy-fix-phy_ethtool_set_eee-incorrectly-enabling-L.tsn
+Patch05043: 0001-igc-Set-the-RX-packet-buffer-size-for-TSN-mode.tsn
+Patch05044: 0002-igc-Only-dump-registers-if-configured-to-dump-HW-infor.tsn
+Patch05045: 0003-ethtool-Add-support-for-configuring-frame-preemption.tsn
+Patch05046: 0004-ethtool-Add-support-for-Frame-Preemption-verification.tsn
+Patch05047: 0005-igc-Add-support-for-enabling-frame-preemption-via-etht.tsn
+Patch05048: 0006-igc-Add-support-for-TC_SETUP_PREEMPT.tsn
+Patch05049: 0007-igc-Add-support-for-setting-frame-preemption-configura.tsn
+Patch05050: 0008-igc-Add-support-for-Frame-Preemption-verification.tsn
+Patch05051: 0009-igc-Add-support-for-exposing-frame-preemption-stats-re.tsn
+Patch05052: 0010-igc-Optimize-the-packet-buffer-utilization.tsn
+Patch05053: 0011-igc-Add-support-for-enabling-all-packets-to-be-receive.tsn
+Patch05054: 0012-igc-Add-support-for-DMA-timestamp-for-non-PTP-packets.tsn
+Patch05055: 0013-bpf-add-btf-register-unregister-API.tsn
+Patch05056: 0014-net-core-XDP-metadata-BTF-netlink-API.tsn
+Patch05057: 0015-rtnetlink-Fix-unchecked-return-value-of-dev_xdp_query_.tsn
+Patch05058: 0016-rtnetlink-Add-return-value-check.tsn
+Patch05059: 0017-tools-bpf-Query-XDP-metadata-BTF-ID.tsn
+Patch05060: 0018-tools-bpf-Add-xdp-set-command-for-md-btf.tsn
+Patch05061: 0019-igc-Add-BTF-based-metadata-for-XDP.tsn
+Patch05062: 0020-igc-Enable-HW-RX-Timestamp-for-AF_XDP-ZC.tsn
+Patch05063: 0021-igc-Take-care-of-DMA-timestamp-rollover.tsn
+Patch05064: 0022-igc-Add-SO_TXTIME-for-AF_XDP-ZC.tsn
+Patch05065: 0023-igc-Reodering-the-empty-packet-buffers-and-descriptors.tsn
+Patch05066: 0024-Revert-igc-Add-support-for-PTP-.getcyclesx64.tsn
+Patch05067: 0025-core-Introduce-netdev_tc_map_to_queue_mask.tsn
+Patch05068: 0026-taprio-Replace-tc_map_to_queue_mask.tsn
+Patch05069: 0027-mqprio-Add-support-for-frame-preemption-offload.tsn
+Patch05070: 0030-igc-Reduce-retry-count-to-a-more-reasonable-number.tsn
+Patch05071: 0001-igc-Enable-HW-TX-Timestamp-for-AF_XDP-ZC.tsn
+Patch05072: 0002-igc-Enable-trace-for-HW-TX-Timestamp-AF_XDP-ZC.tsn
+Patch05073: 0003-igc-Remove-the-CONFIG_DEBUG_MISC-condition-for-trace.tsn
+Patch05074: 0006-Revert-net-stmmac-set-initial-EEE-policy-configurati.tsn
+Patch05075: 0001-net-phy-Set-eee_cfg.eee_enabled-according-to-PHY.tsn
+Patch05076: 0001-Revert-net-stmmac-add-FPE-preempt-setting-for-TxQ-pree.tsn
+Patch05077: 0002-Reapply-net-stmmac-move-stmmac_fpe_cfg-to-stmmac_priv-.tsn
+Patch05078: 0003-Reapply-net-stmmac-drop-stmmac_fpe_handshake.tsn
+Patch05079: 0004-Reapply-net-stmmac-refactor-FPE-verification-process.tsn
+Patch05080: 0005-Reapply-net-stmmac-configure-FPE-via-ethtool-mm.tsn
+Patch05081: 0006-Reapply-net-stmmac-support-fp-parameter-of-tc-mqprio.tsn
+Patch05082: 0007-Reapply-net-stmmac-support-fp-parameter-of-tc-taprio.tsn
+Patch05083: 0008-Reapply-net-stmmac-silence-FPE-kernel-logs.tsn
 #camera
-Patch234: 0001-media-intel-ipu6-remove-buttress-ish-structure.camera
-Patch235: 0001-media-i2c-Add-ar0234-camera-sensor-driver.camera
-Patch236: 0002-media-i2c-add-support-for-lt6911uxe.camera
-Patch237: 0003-INT3472-Support-LT6911UXE.camera
-Patch238: 0004-upstream-Use-module-parameter-to-set-isys-freq.camera
-Patch239: 0005-upstream-Use-module-parameter-to-set-psys-freq.camera
-Patch240: 0006-media-pci-Enable-ISYS-reset.camera
-Patch241: 0007-media-i2c-add-support-for-ar0234-and-lt6911uxe.camera
-Patch242: 0008-driver-media-i2c-remove-useless-header-file.camera
-Patch243: 0009-media-i2c-update-lt6911uxe-for-upstream-and-bug-fix.camera
-Patch244: 0010-media-i2c-add-support-for-lt6911uxc.camera
-Patch245: 0011-media-i2c-add-lt6911uxc-driver-and-enable-in-ipu-br.camera
-Patch246: 0012-media-pci-intel-psys-driver.camera
-Patch247: 0013-media-i2c-Remove-unused-variables-in-Lontium-driver.camera
-Patch248: 0001-media-intel-ipu6-remove-buttress-ish-structure-1.camera
-Patch249: 0002-media-pci-intel-include-psys-driver.camera
-Patch250: 0003-Revert-media-ipu6-use-the-IPU6-DMA-mapping-APIs-to-.camera
-Patch251: 0004-Revert-media-ipu6-remove-architecture-DMA-ops-depen.camera
-Patch252: 0005-Revert-media-ipu6-not-override-the-dma_ops-of-devic.camera
-Patch253: 0001-Reapply-media-ipu6-not-override-the-dma_ops-of-devi.camera
-Patch254: 0002-Reapply-media-ipu6-remove-architecture-DMA-ops-depe.camera
-Patch255: 0003-Reapply-media-ipu6-use-the-IPU6-DMA-mapping-APIs-to.camera
-Patch256: 0001-media-pci-update-IPU6-PSYS-driver.camera
-Patch257: 0002-media-i2c-update-lt6911uxc-driver-to-fix-COV-issue.camera
-Patch258: 0003-lt6911-2-pads-linked-to-ipu-2-ports-for-split-mode.camera
-Patch259: 0004-media-i2c-add-dv_timings-api-in-lt6911uxe.camera
-Patch260: 0005-media-intel-ipu6-use-vc1-dma-for-MTL-and-ARL.camera
-Patch261: 0006-media-i2c-some-changes-in-lt6911uxe.camera
-Patch262: 0001-Revert-media-intel-ipu6-use-vc1-dma-for-MTL-and-ARL.camera
-Patch263: 0002-media-i2c-update-format-in-irq-for-lt6911uxe.camera
-Patch264: 0003-media-i2c-remove-unused-func-in-lt6911uxe.camera
-Patch265: 0001-media-intel-ipu6-use-vc1-dma-for-MTL-and-ARL.camera
-Patch266: 0002-media-ipu-Dma-sync-at-buffer_prepare-callback-as-DM.camera
-Patch267: 0003-Support-IPU6-ISYS-FW-trace-dump-for-upstream-driver.camera
-Patch268: 0004-Support-IPU6-PSYS-FW-trace-dump-for-upstream-driver.camera
-Patch269: 0005-media-pci-The-order-of-return-buffers-should-be-FIF.camera
-Patch270: 0006-media-i2c-fix-power-on-issue-for-on-board-LT6911UXC.camera
-Patch271: 0007-media-i2c-fix-power-on-issue-for-on-board-LT6911UXE.camera
-Patch272: 0001-media-pci-Modify-enble-disable-stream-in-CSI2.camera
-Patch273: 0002-media-pci-Set-the-correct-SOF-for-different-stream.camera
-Patch274: 0003-media-pci-support-imx390-for-6.11.0-rc3.camera
-Patch275: 0004-i2c-media-fix-cov-issue.camera
-Patch276: 0005-mv-ipu-acpi-module-to-linux-drivers.camera
-Patch277: 0006-kernel-enable-VC-support-in-v4l2.camera
-Patch278: 0007-media-pci-intel-support-PDATA-in-Kconfig-Makefile.camera
-Patch279: 0008-media-pci-unregister-i2c-device-to-complete-ext_sub.camera
-Patch280: 0009-media-pci-align-params-for-non-MIPI-split-and-split.camera
-Patch281: 0010-media-pci-add-missing-if-for-PDATA.camera
-Patch282: 0011-media-platform-fix-allyesconfig-build-error.camera
-Patch283: 0012-media-pci-refine-PDATA-related-config.camera
-Patch284: 0013-kernel-align-ACPI-PDATA-and-ACPI-fwnode-build-for-E.camera
-Patch285: 0014-media-i2c-add-gmsl-isx031-support.camera
-Patch286: 0015-media-i2c-add-support-for-isx031-max9296.camera
-Patch287: 0016-fix-S4-issue-on-TWL.camera
-Patch288: 0017-code-changes-for-link-frequency-and-sensor-physical.camera
+Patch06001: 0001-media-intel-ipu6-remove-buttress-ish-structure.camera
+Patch06002: 0001-media-i2c-Add-ar0234-camera-sensor-driver.camera
+Patch06003: 0002-media-i2c-add-support-for-lt6911uxe.camera
+Patch06004: 0003-INT3472-Support-LT6911UXE.camera
+Patch06005: 0004-upstream-Use-module-parameter-to-set-isys-freq.camera
+Patch06006: 0005-upstream-Use-module-parameter-to-set-psys-freq.camera
+Patch06007: 0006-media-pci-Enable-ISYS-reset.camera
+Patch06008: 0007-media-i2c-add-support-for-ar0234-and-lt6911uxe.camera
+Patch06009: 0008-driver-media-i2c-remove-useless-header-file.camera
+Patch06010: 0009-media-i2c-update-lt6911uxe-for-upstream-and-bug-fix.camera
+Patch06011: 0010-media-i2c-add-support-for-lt6911uxc.camera
+Patch06012: 0011-media-i2c-add-lt6911uxc-driver-and-enable-in-ipu-br.camera
+Patch06013: 0012-media-pci-intel-psys-driver.camera
+Patch06014: 0013-media-i2c-Remove-unused-variables-in-Lontium-driver.camera
+Patch06015: 0001-media-intel-ipu6-remove-buttress-ish-structure-1.camera
+Patch06016: 0002-media-pci-intel-include-psys-driver.camera
+Patch06017: 0003-Revert-media-ipu6-use-the-IPU6-DMA-mapping-APIs-to-.camera
+Patch06018: 0004-Revert-media-ipu6-remove-architecture-DMA-ops-depen.camera
+Patch06019: 0005-Revert-media-ipu6-not-override-the-dma_ops-of-devic.camera
+Patch06020: 0001-Reapply-media-ipu6-not-override-the-dma_ops-of-devi.camera
+Patch06021: 0002-Reapply-media-ipu6-remove-architecture-DMA-ops-depe.camera
+Patch06022: 0003-Reapply-media-ipu6-use-the-IPU6-DMA-mapping-APIs-to.camera
+Patch06023: 0001-media-pci-update-IPU6-PSYS-driver.camera
+Patch06024: 0002-media-i2c-update-lt6911uxc-driver-to-fix-COV-issue.camera
+Patch06025: 0003-lt6911-2-pads-linked-to-ipu-2-ports-for-split-mode.camera
+Patch06026: 0004-media-i2c-add-dv_timings-api-in-lt6911uxe.camera
+Patch06027: 0005-media-intel-ipu6-use-vc1-dma-for-MTL-and-ARL.camera
+Patch06028: 0006-media-i2c-some-changes-in-lt6911uxe.camera
+Patch06029: 0001-Revert-media-intel-ipu6-use-vc1-dma-for-MTL-and-ARL.camera
+Patch06030: 0002-media-i2c-update-format-in-irq-for-lt6911uxe.camera
+Patch06031: 0003-media-i2c-remove-unused-func-in-lt6911uxe.camera
+Patch06032: 0001-media-intel-ipu6-use-vc1-dma-for-MTL-and-ARL.camera
+Patch06033: 0002-media-ipu-Dma-sync-at-buffer_prepare-callback-as-DM.camera
+Patch06034: 0003-Support-IPU6-ISYS-FW-trace-dump-for-upstream-driver.camera
+Patch06035: 0004-Support-IPU6-PSYS-FW-trace-dump-for-upstream-driver.camera
+Patch06036: 0005-media-pci-The-order-of-return-buffers-should-be-FIF.camera
+Patch06037: 0006-media-i2c-fix-power-on-issue-for-on-board-LT6911UXC.camera
+Patch06038: 0007-media-i2c-fix-power-on-issue-for-on-board-LT6911UXE.camera
+Patch06039: 0001-media-pci-Modify-enble-disable-stream-in-CSI2.camera
+Patch06040: 0002-media-pci-Set-the-correct-SOF-for-different-stream.camera
+Patch06041: 0003-media-pci-support-imx390-for-6.11.0-rc3.camera
+Patch06042: 0004-i2c-media-fix-cov-issue.camera
+Patch06043: 0005-mv-ipu-acpi-module-to-linux-drivers.camera
+Patch06044: 0006-kernel-enable-VC-support-in-v4l2.camera
+Patch06045: 0007-media-pci-intel-support-PDATA-in-Kconfig-Makefile.camera
+Patch06046: 0008-media-pci-unregister-i2c-device-to-complete-ext_sub.camera
+Patch06047: 0009-media-pci-align-params-for-non-MIPI-split-and-split.camera
+Patch06048: 0010-media-pci-add-missing-if-for-PDATA.camera
+Patch06049: 0011-media-platform-fix-allyesconfig-build-error.camera
+Patch06050: 0012-media-pci-refine-PDATA-related-config.camera
+Patch06051: 0013-kernel-align-ACPI-PDATA-and-ACPI-fwnode-build-for-E.camera
+Patch06052: 0014-media-i2c-add-gmsl-isx031-support.camera
+Patch06053: 0015-media-i2c-add-support-for-isx031-max9296.camera
+Patch06054: 0016-fix-S4-issue-on-TWL.camera
+Patch06055: 0017-code-changes-for-link-frequency-and-sensor-physical.camera
 #wwan
-Patch289: 0001-Revert-bus-mhi-host-pci_generic-add-support-for-sc828.wwan
-Patch290: 0002-wwan-add-SAHARA-device.wwan
-Patch291: 0003-bus-mhi-host-allow-SBL-as-initial-EE.wwan
-Patch292: 0004-drivers-bus-mhi-let-userspace-manage-xfp-fw-update-st.wwan
-Patch293: 0005-wwan-add-NMEA-type.wwan
-Patch294: 0006-drivers-bus-mhi-add-FN980-v2-support.wwan
-Patch295: 0007-drivers-bus-mhi-add-FN990-NMEA-and-DIAG-in-SBL-device.wwan
-Patch296: 0008-drivers-net-wwan-add-simple-DTR-driver.wwan
-Patch297: 0009-drivers-bus-mhi-host-fix-recovery-process-when-modem-.wwan
-Patch298: 0001-Revert-drivers-bus-mhi-host-fix-recovery-process-when.wwan
-Patch299: 0002-Revert-drivers-net-wwan-add-simple-DTR-driver.wwan
-Patch300: 0003-Revert-drivers-bus-mhi-add-FN990-NMEA-and-DIAG-in-SBL.wwan
-Patch301: 0004-Revert-drivers-bus-mhi-add-FN980-v2-support.wwan
-Patch302: 0005-Revert-wwan-add-NMEA-type.wwan
-Patch303: 0006-Revert-drivers-bus-mhi-let-userspace-manage-xfp-fw-up.wwan
-Patch304: 0007-Revert-bus-mhi-host-allow-SBL-as-initial-EE.wwan
-Patch305: 0008-Revert-wwan-add-SAHARA-device.wwan
-Patch306: 0009-Revert-Revert-bus-mhi-host-pci_generic-add-support-fo.wwan
+Patch07001: 0001-Revert-bus-mhi-host-pci_generic-add-support-for-sc828.wwan
+Patch07002: 0002-wwan-add-SAHARA-device.wwan
+Patch07003: 0003-bus-mhi-host-allow-SBL-as-initial-EE.wwan
+Patch07004: 0004-drivers-bus-mhi-let-userspace-manage-xfp-fw-update-st.wwan
+Patch07005: 0005-wwan-add-NMEA-type.wwan
+Patch07006: 0006-drivers-bus-mhi-add-FN980-v2-support.wwan
+Patch07007: 0007-drivers-bus-mhi-add-FN990-NMEA-and-DIAG-in-SBL-device.wwan
+Patch07008: 0008-drivers-net-wwan-add-simple-DTR-driver.wwan
+Patch07009: 0009-drivers-bus-mhi-host-fix-recovery-process-when-modem-.wwan
+Patch07010: 0001-Revert-drivers-bus-mhi-host-fix-recovery-process-when.wwan
+Patch07011: 0002-Revert-drivers-net-wwan-add-simple-DTR-driver.wwan
+Patch07012: 0003-Revert-drivers-bus-mhi-add-FN990-NMEA-and-DIAG-in-SBL.wwan
+Patch07013: 0004-Revert-drivers-bus-mhi-add-FN980-v2-support.wwan
+Patch07014: 0005-Revert-wwan-add-NMEA-type.wwan
+Patch07015: 0006-Revert-drivers-bus-mhi-let-userspace-manage-xfp-fw-up.wwan
+Patch07016: 0007-Revert-bus-mhi-host-allow-SBL-as-initial-EE.wwan
+Patch07017: 0008-Revert-wwan-add-SAHARA-device.wwan
+Patch07018: 0009-Revert-Revert-bus-mhi-host-pci_generic-add-support-fo.wwan
 #pmc_core
-Patch307: 0001-platform-x86-intel-pmc-Add-Arrow-Lake-U-H-support.pmc_core
-Patch308: 0002-platform-x86-intel-pmc-Add-Bartlett-Lake-support-to-.pmc_core
-Patch309: 0001-platform-x86-intel-pmc-Fix-Arrow-Lake-U-H-NPU-PCI.pmc_core
+Patch08001: 0001-platform-x86-intel-pmc-Add-Arrow-Lake-U-H-support.pmc_core
+Patch08002: 0002-platform-x86-intel-pmc-Add-Bartlett-Lake-support-to-.pmc_core
+Patch08003: 0001-platform-x86-intel-pmc-Fix-Arrow-Lake-U-H-NPU-PCI.pmc_core
 #lpss
-Patch310: 0001-Added-spi_set_cs-for-more-stable-r-w-operations-in-S.lpss
-Patch311: 0002-mtd-core-Don-t-fail-mtd_device_parse_register-if-OTP.lpss
-Patch312: 0003-spi-intel-pci-Add-support-for-Arrow-Lake-H-SPI-seria.lpss
-Patch313: 0004-spi-intel-Add-protected-and-locked-attributes.lpss
+Patch09001: 0001-Added-spi_set_cs-for-more-stable-r-w-operations-in-S.lpss
+Patch09002: 0002-mtd-core-Don-t-fail-mtd_device_parse_register-if-OTP.lpss
+Patch09003: 0003-spi-intel-pci-Add-support-for-Arrow-Lake-H-SPI-seria.lpss
+Patch09004: 0004-spi-intel-Add-protected-and-locked-attributes.lpss
 #preempt_rt patches backported
-Patch314: 0001-Revert-sched-core-Remove-the-unnecessary-need_resche.rt
-Patch315: 0001-hrtimer-Use-__raise_softirq_irqoff-to-raise-the-softirq.rt
-Patch316: 0002-timers-Use-__raise_softirq_irqoff-to-raise-the-softirq.rt
-Patch317: 0003-softirq-Use-a-dedicated-thread-for-timer-wakeups-on-PRE.rt
-Patch318: 0004-serial-8250-Switch-to-nbcon-console.rt
-Patch319: 0005-serial-8250-Revert-drop-lockdep-annotation-from-serial8.rt
-Patch320: 0006-locking-rt-Remove-one-__cond_lock-in-RT-s-spin_trylock_.rt
-Patch321: 0007-locking-rt-Add-sparse-annotation-for-RCU.rt
-Patch322: 0008-locking-rt-Annotate-unlock-followed-by-lock-for-sparse.rt
-Patch323: 0009-drm-i915-Use-preempt_disable-enable_rt-where-recommende.rt
-Patch324: 0010-drm-i915-Don-t-disable-interrupts-on-PREEMPT_RT-during-.rt
-Patch325: 0011-drm-i915-Don-t-check-for-atomic-context-on-PREEMPT_RT.rt
-Patch326: 0012-drm-i915-Disable-tracing-points-on-PREEMPT_RT.rt
-Patch327: 0013-drm-i915-gt-Use-spin_lock_irq-instead-of-local_irq_disa.rt
-Patch328: 0014-drm-i915-Drop-the-irqs_disabled-check.rt
-Patch329: 0015-drm-i915-guc-Consider-also-RCU-depth-in-busy-loop.rt
-Patch330: 0016-Revert-drm-i915-Depend-on-PREEMPT_RT.rt
-Patch331: 0017-sched-Add-TIF_NEED_RESCHED_LAZY-infrastructure.rt
-Patch332: 0018-sched-Add-Lazy-preemption-model.rt
-Patch333: 0019-sched-Enable-PREEMPT_DYNAMIC-for-PREEMPT_RT.rt
-Patch334: 0020-sched-x86-Enable-Lazy-preemption.rt
-Patch335: 0021-sched-Add-laziest-preempt-model.rt
-Patch336: 0022-sched-Fixup-the-IS_ENABLED-check-for-PREEMPT_LAZY.rt
-Patch337: 0023-tracing-Remove-TRACE_FLAG_IRQS_NOSUPPORT.rt
-Patch338: 0024-tracing-Record-task-flag-NEED_RESCHED_LAZY.rt
-Patch339: 0025-sysfs-Add-sys-kernel-realtime-entry.rt
-Patch340: 0001-serial-8250-enable-original-console-by-default.rt
-Patch341: 0001-kernel-trace-Add-DISALLOW_TRACE_PRINTK-make-option.rt
-Patch342: 0002-Revert-scripts-remove-bin2c.rt
-Patch343: 0003-extend-uio-driver-to-supports-msix.rt
-Patch344: 0004-virtio-add-VIRTIO_PMD-support.rt
-Patch345: 0005-virt-acrn-Introduce-interfaces-for-PIO-device.rt
-Patch346: 0006-Add-hypercall-to-access-MSR.rt
-Patch347: 0007-Revert-spi-Remove-unused-function-spi_busnum_to_master.rt
-Patch348: 0008-igc-add-CONFIG_IGC_TSN_TRACE-conditional-trace_printk-u.rt
-Patch349: 0009-stmmac_pci-add-CONFIG_STMMAC_TSN_TRACE-conditional-trac.rt
-Patch350: 0010-igb-prepare-for-AF_XDP-zero-copy-support.rt
-Patch351: 0011-igb-Introduce-XSK-data-structures-and-helpers.rt
-Patch352: 0012-igb-add-AF_XDP-zero-copy-Rx-support.rt
-Patch353: 0013-igb-add-AF_XDP-zero-copy-Tx-support.rt
-Patch354: 0014-igb-Add-BTF-based-metadata-for-XDP.rt
-Patch355: 0015-ANDROID-trace-power-add-trace_clock_set_parent.rt
-Patch356: 0016-ANDROID-trace-net-use-pK-for-kernel-pointers.rt
-Patch357: 0017-ANDROID-trace-add-non-hierarchical-function_graph-optio.rt
-Patch358: 0018-virtio-fix-VIRTIO_PMD-support.rt
-Patch359: 0019-drm-i915-add-i915-perf-event-capacity.rt
-Patch360: 0020-drm-xe-pm-allow-xe-with-CONFIG_PM.rt
+Patch09005: 0001-Revert-sched-core-Remove-the-unnecessary-need_resche.rt
+Patch09006: 0001-hrtimer-Use-__raise_softirq_irqoff-to-raise-the-softirq.rt
+Patch09007: 0002-timers-Use-__raise_softirq_irqoff-to-raise-the-softirq.rt
+Patch09008: 0003-softirq-Use-a-dedicated-thread-for-timer-wakeups-on-PRE.rt
+Patch09009: 0004-serial-8250-Switch-to-nbcon-console.rt
+Patch09010: 0005-serial-8250-Revert-drop-lockdep-annotation-from-serial8.rt
+Patch09011: 0006-locking-rt-Remove-one-__cond_lock-in-RT-s-spin_trylock_.rt
+Patch09012: 0007-locking-rt-Add-sparse-annotation-for-RCU.rt
+Patch09013: 0008-locking-rt-Annotate-unlock-followed-by-lock-for-sparse.rt
+Patch09014: 0009-drm-i915-Use-preempt_disable-enable_rt-where-recommende.rt
+Patch09015: 0010-drm-i915-Don-t-disable-interrupts-on-PREEMPT_RT-during-.rt
+Patch09016: 0011-drm-i915-Don-t-check-for-atomic-context-on-PREEMPT_RT.rt
+Patch09017: 0012-drm-i915-Disable-tracing-points-on-PREEMPT_RT.rt
+Patch09018: 0013-drm-i915-gt-Use-spin_lock_irq-instead-of-local_irq_disa.rt
+Patch09019: 0014-drm-i915-Drop-the-irqs_disabled-check.rt
+Patch09020: 0015-drm-i915-guc-Consider-also-RCU-depth-in-busy-loop.rt
+Patch09021: 0016-Revert-drm-i915-Depend-on-PREEMPT_RT.rt
+Patch09022: 0017-sched-Add-TIF_NEED_RESCHED_LAZY-infrastructure.rt
+Patch09023: 0018-sched-Add-Lazy-preemption-model.rt
+Patch09024: 0019-sched-Enable-PREEMPT_DYNAMIC-for-PREEMPT_RT.rt
+Patch09025: 0020-sched-x86-Enable-Lazy-preemption.rt
+Patch09026: 0021-sched-Add-laziest-preempt-model.rt
+Patch09027: 0022-sched-Fixup-the-IS_ENABLED-check-for-PREEMPT_LAZY.rt
+Patch09028: 0023-tracing-Remove-TRACE_FLAG_IRQS_NOSUPPORT.rt
+Patch09029: 0024-tracing-Record-task-flag-NEED_RESCHED_LAZY.rt
+Patch09030: 0025-sysfs-Add-sys-kernel-realtime-entry.rt
+Patch09031: 0001-serial-8250-enable-original-console-by-default.rt
+Patch09032: 0001-kernel-trace-Add-DISALLOW_TRACE_PRINTK-make-option.rt
+Patch09033: 0002-Revert-scripts-remove-bin2c.rt
+Patch09034: 0003-extend-uio-driver-to-supports-msix.rt
+Patch09035: 0004-virtio-add-VIRTIO_PMD-support.rt
+Patch09036: 0005-virt-acrn-Introduce-interfaces-for-PIO-device.rt
+Patch09037: 0006-Add-hypercall-to-access-MSR.rt
+Patch09038: 0007-Revert-spi-Remove-unused-function-spi_busnum_to_master.rt
+Patch09039: 0008-igc-add-CONFIG_IGC_TSN_TRACE-conditional-trace_printk-u.rt
+Patch09040: 0009-stmmac_pci-add-CONFIG_STMMAC_TSN_TRACE-conditional-trac.rt
+Patch09041: 0010-igb-prepare-for-AF_XDP-zero-copy-support.rt
+Patch09042: 0011-igb-Introduce-XSK-data-structures-and-helpers.rt
+Patch09043: 0012-igb-add-AF_XDP-zero-copy-Rx-support.rt
+Patch09044: 0013-igb-add-AF_XDP-zero-copy-Tx-support.rt
+Patch09045: 0014-igb-Add-BTF-based-metadata-for-XDP.rt
+Patch09046: 0015-ANDROID-trace-power-add-trace_clock_set_parent.rt
+Patch09047: 0016-ANDROID-trace-net-use-pK-for-kernel-pointers.rt
+Patch09048: 0017-ANDROID-trace-add-non-hierarchical-function_graph-optio.rt
+Patch09049: 0018-virtio-fix-VIRTIO_PMD-support.rt
+Patch09050: 0019-drm-i915-add-i915-perf-event-capacity.rt
+Patch09051: 0020-drm-xe-pm-allow-xe-with-CONFIG_PM.rt
 #drm
-Patch361: 0001-drm-i915-enable-guc-submission-for-ADLs-by-default.drm
-Patch362: 0001-drm-i915-disable-a-couple-of-RT-functions-if-RT-is-d.drm
-Patch363: 0001-drm-i915-disable-dGPU-support-with-RT-kernel.drm
-Patch364: 0001-i915-Update-GUC-to-v70.44.1-for-i915-platforms.drm
-Patch365: 0001-Revert-drm-i915-disable-dGPU-support-with-RT-kernel.drm
-Patch366: 0001-drm-i915-gt-Avoid-using-masked-workaround-for-CCS_MODE.drm
-Patch367: 0002-drm-i915-gt-Move-the-CCS-mode-variable-to-a-global-pos.drm
-Patch368: 0003-drm-i915-gt-Allow-the-creation-of-multi-mode-CCS-masks.drm
-Patch369: 0004-drm-i915-gt-Refactor-uabi-engine-class-instance-list-c.drm
-Patch370: 0005-drm-i915-gem-Mark-and-verify-UABI-engine-validity.drm
-Patch371: 0006-drm-i915-gt-Introduce-for_each_enabled_engine-and-appl.drm
-Patch372: 0007-drm-i915-gt-Manage-CCS-engine-creation-within-UABI-exp.drm
-Patch373: 0008-drm-i915-gt-Remove-cslices-mask-value-from-the-CCS-str.drm
-Patch374: 0009-drm-i915-gt-Expose-the-number-of-total-CCS-slices.drm
-Patch375: 0010-drm-i915-gt-Store-engine-related-sysfs-kobjects.drm
-Patch376: 0011-drm-i915-gt-Store-active-CCS-mask.drm
-Patch377: 0012-drm-i915-Protect-access-to-the-UABI-engines-list-with-.drm
-Patch378: 0013-drm-i915-gt-Isolate-single-sysfs-engine-file-creation.drm
-Patch379: 0014-drm-i915-gt-Implement-creation-and-removal-routines-fo.drm
-Patch380: 0015-drm-i915-gt-Allow-the-user-to-change-the-CCS-mode-thro.drm
-Patch381: 0016-drm-i915-gt-Refactor-CCS-mode-handling-and-improve-app.drm
-Patch382: 0017-drm-i915-no-waiting-for-page-flip-in-vpp-case.drm
-Patch383: 0001-Remove-unneeded-files.patch
-Patch384: 0001-i915-gt-Upgrade-GuC-70.44.1-70.49.4.drm
-Patch385: 0001-drm-i915-no-force-probe-needed-for-mtl-platform.drm
+Patch10001: 0001-drm-i915-enable-guc-submission-for-ADLs-by-default.drm
+Patch10002: 0001-drm-i915-disable-a-couple-of-RT-functions-if-RT-is-d.drm
+Patch10003: 0001-drm-i915-disable-dGPU-support-with-RT-kernel.drm
+Patch10004: 0001-i915-Update-GUC-to-v70.44.1-for-i915-platforms.drm
+Patch10005: 0001-Revert-drm-i915-disable-dGPU-support-with-RT-kernel.drm
+Patch10006: 0001-drm-i915-gt-Avoid-using-masked-workaround-for-CCS_MODE.drm
+Patch10007: 0002-drm-i915-gt-Move-the-CCS-mode-variable-to-a-global-pos.drm
+Patch10008: 0003-drm-i915-gt-Allow-the-creation-of-multi-mode-CCS-masks.drm
+Patch10009: 0004-drm-i915-gt-Refactor-uabi-engine-class-instance-list-c.drm
+Patch10010: 0005-drm-i915-gem-Mark-and-verify-UABI-engine-validity.drm
+Patch10011: 0006-drm-i915-gt-Introduce-for_each_enabled_engine-and-appl.drm
+Patch10012: 0007-drm-i915-gt-Manage-CCS-engine-creation-within-UABI-exp.drm
+Patch10013: 0008-drm-i915-gt-Remove-cslices-mask-value-from-the-CCS-str.drm
+Patch10014: 0009-drm-i915-gt-Expose-the-number-of-total-CCS-slices.drm
+Patch10015: 0010-drm-i915-gt-Store-engine-related-sysfs-kobjects.drm
+Patch10016: 0011-drm-i915-gt-Store-active-CCS-mask.drm
+Patch10017: 0012-drm-i915-Protect-access-to-the-UABI-engines-list-with-.drm
+Patch10018: 0013-drm-i915-gt-Isolate-single-sysfs-engine-file-creation.drm
+Patch10019: 0014-drm-i915-gt-Implement-creation-and-removal-routines-fo.drm
+Patch10020: 0015-drm-i915-gt-Allow-the-user-to-change-the-CCS-mode-thro.drm +Patch10021: 0016-drm-i915-gt-Refactor-CCS-mode-handling-and-improve-app.drm +Patch10022: 0017-drm-i915-no-waiting-for-page-flip-in-vpp-case.drm +Patch10023: 0001-Remove-unneeded-files.patch +Patch10024: 0001-i915-gt-Upgrade-GuC-70.44.1-70.49.4.drm +Patch10025: 0001-drm-i915-no-force-probe-needed-for-mtl-platform.drm #rapl -Patch386: 0001-powercap-intel_rapl-Add-support-for-Bartlett-Lake-pl.rapl +Patch11001: 0001-powercap-intel_rapl-Add-support-for-Bartlett-Lake-pl.rapl #misc -Patch387: 0001-Add-security.md-file.misc +Patch12001: 0001-Add-security.md-file.misc #iommu -Patch388: 0001-driver-core-add-a-faux-bus-for-use-when-a-simple-dev.iommu -Patch389: 0002-iommu-io-pgtable-arm-dynamically-allocate-selftest-d.iommu +Patch13001: 0001-driver-core-add-a-faux-bus-for-use-when-a-simple-dev.iommu +Patch13002: 0002-iommu-io-pgtable-arm-dynamically-allocate-selftest-d.iommu #emt-drm -Patch390: 0075-drm-xe-gsc-mei-interrupt-top-half-should-be-in-irq-d.patch #CVE-2025-21709 -Patch391: CVE-2025-21709.patch +Patch15001: CVE-2025-21709.patch #CVE-2025-21817 -Patch392: CVE-2025-21817.patch +Patch15002: CVE-2025-21817.patch #CVE-2025-22104 -Patch393: CVE-2025-22104.patch +Patch15003: CVE-2025-22104.patch #CVE-2025-22108 -Patch394: CVE-2025-22108.patch - -#CVE-2025-22111 -Patch395: CVE-2025-22111.patch +Patch15004: CVE-2025-22108.patch #CVE-2025-22116 -Patch396: CVE-2025-22116.patch +Patch15005: CVE-2025-22116.patch #CVE-2025-22117 -Patch397: CVE-2025-22117.patch +Patch15006: CVE-2025-22117.patch #CVE-2025-23131 -Patch398: CVE-2025-23131.patch +Patch15007: CVE-2025-23131.patch #CVE-2025-37746 -Patch399: CVE-2025-37746.patch -Patch400: CVE-2025-37746-1.patch +Patch15008: CVE-2025-37746.patch +Patch15009: CVE-2025-37746-1.patch #CVE-2025-37906 -Patch401: CVE-2025-37906.patch +Patch15010: CVE-2025-37906.patch #CVE-2025-38041 -Patch402: CVE-2025-38041.patch -Patch403: CVE-2025-38041-1.patch -Patch404: 
CVE-2025-38041-2.patch +Patch15011: CVE-2025-38041.patch +Patch15012: CVE-2025-38041-1.patch +Patch15013: CVE-2025-38041-2.patch #CVE-2025-38029 -Patch405: CVE-2025-38029.patch +Patch15014: CVE-2025-38029.patch #CVE-2025-38311 -Patch406: CVE-2025-38311.patch - -#CVE-2025-38248 -Patch407: CVE-2025-38248.patch - -#CVE-2025-38234 -Patch408: CVE-2025-38234.patch +Patch15015: CVE-2025-38311.patch #CVE-2025-38207 -Patch409: CVE-2025-38207.patch +Patch15016: CVE-2025-38207.patch #CVE-2025-38137 -Patch410: CVE-2025-38137.patch - -#CVE-2025-40325 -Patch411: CVE-2025-40325.patch +Patch15017: CVE-2025-38137.patch #CVE-2025-38284 -Patch412: CVE-2025-38284.patch -Patch413: CVE-2025-38284-1.patch -Patch414: CVE-2025-38284-2.patch +Patch15018: CVE-2025-38284.patch +Patch15019: CVE-2025-38284-1.patch +Patch15020: CVE-2025-38284-2.patch #CVE-2025-38199 -Patch415: CVE-2025-38199.patch +Patch15021: CVE-2025-38199.patch #CVE-2025-38140 -Patch416: CVE-2025-38140.patch +Patch15022: CVE-2025-38140.patch #CVE-2025-38132 -Patch417: CVE-2025-38132.patch -Patch418: CVE-2025-38132-1.patch +Patch15023: CVE-2025-38132.patch +Patch15024: CVE-2025-38132-1.patch #CVE-2025-37743 -Patch419: CVE-2025-37743.patch +Patch15025: CVE-2025-37743.patch #CVE-2025-23132 -Patch420: CVE-2025-23132.patch +Patch15026: CVE-2025-23132.patch #CVE-2025-22127 -Patch421: CVE-2025-22127.patch +Patch15027: CVE-2025-22127.patch #CVE-2025-22109 -Patch422: CVE-2025-22109.patch +Patch15028: CVE-2025-22109.patch #CVE-2025-21752 -Patch423: CVE-2025-21752.patch -Patch424: CVE-2025-21752-1.patch +Patch15029: CVE-2025-21752.patch +Patch15030: CVE-2025-21752-1.patch #CVE-2024-58095 -Patch425: CVE-2024-58095.patch +Patch15031: CVE-2024-58095.patch #CVE-2024-58094 -Patch426: CVE-2024-58094.patch +Patch15032: CVE-2024-58094.patch #CVE-2024-52560 -Patch427: CVE-2024-52560.patch -Patch428: CVE-2024-52560-1.patch +Patch15033: CVE-2024-52560.patch +Patch15034: CVE-2024-52560-1.patch #CVE-2025-38621 -Patch429: CVE-2025-38621.patch 
+Patch15035: CVE-2025-38621.patch #CVE-2025-38627 -Patch430: CVE-2025-38627.patch +Patch15036: CVE-2025-38627.patch #CVE-2025-39789 -Patch431: CVE-2025-39789.patch +Patch15037: CVE-2025-39789.patch #CVE-2025-39764 -Patch432: CVE-2025-39764.patch +Patch15038: CVE-2025-39764.patch #CVE-2025-39745 -Patch433: CVE-2025-39745.patch +Patch15039: CVE-2025-39745.patch #CVE-2025-39677 -Patch434: CVE-2025-39677.patch +Patch15040: CVE-2025-39677.patch #CVE-2025-39933 -Patch435: CVE-2025-39933.patch +Patch15041: CVE-2025-39933.patch #CVE-2025-39833 -Patch436: CVE-2025-39833.patch +Patch15042: CVE-2025-39833.patch #CVE-2025-39925 -Patch437: CVE-2025-39925.patch +Patch15043: CVE-2025-39925.patch #CVE-2025-39905 -Patch438: CVE-2025-39905.patch +Patch15044: CVE-2025-39905.patch #CVE-2025-39859 -Patch439: CVE-2025-39859.patch +Patch15045: CVE-2025-39859.patch #CVE-2025-39910 -Patch440: CVE-2025-39910.patch +Patch15046: CVE-2025-39910.patch #CVE-2025-40098 -Patch441: CVE-2025-40098.patch - -#CVE-2025-40075 -Patch442: CVE-2025-40075.patch -Patch443: CVE-2025-40075-1.patch +Patch15047: CVE-2025-40098.patch #CVE-2025-40074 -Patch444: CVE-2025-40074.patch +Patch15048: CVE-2025-40074.patch #CVE-2025-40064 -Patch445: CVE-2025-40064.patch +Patch15049: CVE-2025-40064.patch #CVE-2025-40086 -Patch446: CVE-2025-40086.patch -Patch447: CVE-2025-40086-1.patch +Patch15050: CVE-2025-40086.patch +Patch15051: CVE-2025-40086-1.patch #CVE-2025-40168 -Patch448: CVE-2025-40168.patch - -#CVE-2025-40170 -Patch449: CVE-2025-40170.patch - -#CVE-2025-40164 -Patch450: CVE-2025-40164.patch - -#CVE-2025-40158 -Patch451: CVE-2025-40158.patch - -#CVE-2025-40149 -Patch452: CVE-2025-40149.patch +Patch15052: CVE-2025-40168.patch #CVE-2025-40147 -Patch453: CVE-2025-40147.patch +Patch15053: CVE-2025-40147.patch #CVE-2025-40139 -Patch454: CVE-2025-40139.patch +Patch15054: CVE-2025-40139.patch #CVE-2025-40136 -Patch455: CVE-2025-40136.patch - -#CVE-2025-40135 -Patch456: CVE-2025-40135.patch +Patch15055: 
CVE-2025-40136.patch #CVE-2025-40130 -Patch457: CVE-2025-40130.patch +Patch15056: CVE-2025-40130.patch #CVE-2025-38656 -Patch458: CVE-2025-38656.patch -Patch459: CVE-2025-38656-2.patch - -#CVE-2025-38591 -Patch460: CVE-2025-38591.patch +Patch15057: CVE-2025-38656.patch +Patch15058: CVE-2025-38656-2.patch #CVE-2025-38584 -Patch461: CVE-2025-38584.patch - -#CVE-2025-40215 -Patch462: CVE-2025-40215.patch +Patch15059: CVE-2025-38584.patch #CVE-2025-68749 -Patch463: CVE-2025-68749.patch +Patch15060: CVE-2025-68749.patch #CVE-2025-68745 -Patch464: CVE-2025-68745.patch - -#CVE-2025-68744 -Patch465: CVE-2025-68744.patch - -#CVE-2025-68742 -Patch466: CVE-2025-68742.patch - -#CVE-2025-68741 -Patch467: CVE-2025-68741.patch +Patch15061: CVE-2025-68745.patch #CVE-2025-68736 -Patch468: CVE-2025-68736.patch - -#CVE-2025-68733 -Patch469: CVE-2025-68733.patch - -#CVE-2025-68740 -Patch470: CVE-2025-68740.patch +Patch15062: CVE-2025-68736.patch #CVE-2025-68725 -Patch471: CVE-2025-68725.patch - -#CVE-2025-68379 -Patch472: CVE-2025-68379.patch - -#CVE-2025-68732 -Patch473: CVE-2025-68732.patch - -#CVE-2025-68354 -Patch474: CVE-2025-68354.patch - -#CVE-2025-68357 -Patch475: CVE-2025-68357.patch - -#CVE-2025-68724 -Patch476: CVE-2025-68724.patch +Patch15063: CVE-2025-68725.patch #CVE-2025-68358 -Patch477: CVE-2025-68358.patch +Patch15064: CVE-2025-68358.patch #CVE-2025-68359 -Patch478: CVE-2025-68359.patch - -#CVE-2025-68363 -Patch479: CVE-2025-68363.patch - -#CVE-2025-68366 -Patch480: CVE-2025-68366.patch +Patch15065: CVE-2025-68359.patch #CVE-2025-68368 -Patch481: CVE-2025-68368.patch - -#CVE-2025-68372 -Patch482: CVE-2025-68372.patch - -#CVE-2025-68374 -Patch483: CVE-2025-68374.patch - -#CVE-2025-68378 -Patch484: CVE-2025-68378.patch - -#CVE-2025-68337 -Patch485: CVE-2025-68337.patch - -#CVE-2025-68345 -Patch486: CVE-2025-68345.patch - -#CVE-2025-68346 -Patch487: CVE-2025-68346.patch - -#CVE-2025-68347 -Patch488: CVE-2025-68347.patch - -#CVE-2025-68348 -Patch489: CVE-2025-68348.patch 
- -#CVE-2025-68349 -Patch490: CVE-2025-68349.patch +Patch15066: CVE-2025-68368.patch #CVE-2025-68353 -Patch491: CVE-2025-68353.patch - -#CVE-2025-68371 -Patch492: CVE-2025-68371.patch - -#CVE-2025-68261 -Patch493: CVE-2025-68261.patch +Patch15067: CVE-2025-68353.patch -#CVE-2025-68263 -Patch494: CVE-2025-68263.patch +#CVE-2025-68319 +Patch15068: CVE-2025-68319.patch -#CVE-2025-68264 -Patch495: CVE-2025-68264.patch +#CVE-2025-68333 +Patch15069: CVE-2025-68333.patch -#CVE-2025-68265 -Patch496: CVE-2025-68265.patch +#CVE-2025-68193 +Patch15070: CVE-2025-68193.patch -#CVE-2025-68319 -Patch497: CVE-2025-68319.patch +#CVE-2025-40355 +Patch15071: CVE-2025-40355.patch -#CVE-2025-68333 -Patch498: CVE-2025-68333.patch +#CVE-2025-40338 +Patch15072: CVE-2025-40338.patch -#CVE-2025-68336 -Patch499: CVE-2025-68336.patch +#CVE-2026-23004 +Patch15073: CVE-2026-23004.patch -#CVE-2025-68259 -Patch500: CVE-2025-68259.patch +#CVE-2026-22981 +Patch15074: CVE-2026-22981.patch -#CVE-2025-68256 -Patch501: CVE-2025-68256.patch +#CVE-2026-22985 +Patch15075: CVE-2026-22985.patch +Patch15076: CVE-2026-22985_2.patch -#CVE-2025-68255 -Patch502: CVE-2025-68255.patch +#CVE-2026-22993 +Patch15077: CVE-2026-22993.patch -#CVE-2025-68254 -Patch503: CVE-2025-68254.patch +#CVE-2025-71161 +Patch15078: CVE-2025-71161.patch -#CVE-2025-68206 -Patch504: CVE-2025-68206.patch +#CVE-2025-68823 +Patch15079: CVE-2025-68823.patch -#CVE-2025-68193 -Patch505: CVE-2025-68193.patch +#CVE-2025-71074 +Patch15080: CVE-2025-71074.patch -#CVE-2025-40355 -Patch506: CVE-2025-40355.patch +#CVE-2025-68768 +Patch15081: CVE-2025-68768.patch -#CVE-2025-40338 -Patch507: CVE-2025-40338.patch -# CVE Patches +# End of Patch Section %global security_hardening none %global sha512hmac bash %{_sourcedir}/sha512hmac-openssl.sh 
@@ -901,8 +793,8 @@ manipulation of eBPF programs and maps. %prep %define _default_patch_flags -p1 --fuzz=3 --force -%setup -q -n linux-6.12.61 -%autosetup -p1 -n linux-6.12.61 +%setup -q -n linux-6.12.67 +%autosetup -p1 -n linux-6.12.67 # %patch 0 -p1 make mrproper @@ -1174,6 +1066,10 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %{_sysconfdir}/bash_completion.d/bpftool %changelog +* Thu Feb 05 2026 Lishan Liu - 6.12.67-1 +- Update kernel to 6.12.67-1 +- lts-v6.12.67-emt-cve-260128T180434Z + * Fri Jan 9 2026 Lishan Liu - 6.12.61-2 - Update kernel to 6.12.61-2 - lts-v6.12.61-emt-cve-260106T193826Z diff --git a/SPECS/kernel-rt/series b/SPECS/kernel-rt/series index e5876384f2..7723f860a2 100644 --- a/SPECS/kernel-rt/series +++ b/SPECS/kernel-rt/series @@ -1,5 +1,5 @@ -# Series file for v6.12.61 linux kernel -# dcbeffaf66d03 Linux 6.12.61 +# Series file for v6.12.67 linux kernel +# abf529abd660d Linux 6.12.67 #sriov 0001-drm-i915-mtl-Add-C10-table-for-HDMI-Clock-25175.sriov 0002-drm-i915-mtl-Copy-c10-phy-pll-sw-state-from-master-t.sriov @@ -405,7 +405,6 @@ 0001-driver-core-add-a-faux-bus-for-use-when-a-simple-dev.iommu 0002-iommu-io-pgtable-arm-dynamically-allocate-selftest-d.iommu #emt-drm -0075-drm-xe-gsc-mei-interrupt-top-half-should-be-in-irq-d.patch #CVE-2025-21709 CVE-2025-21709.patch @@ -418,9 +417,6 @@ CVE-2025-22104.patch #CVE-2025-22108 CVE-2025-22108.patch -#CVE-2025-22111 -CVE-2025-22111.patch - #CVE-2025-22116 CVE-2025-22116.patch @@ -448,21 +444,12 @@ CVE-2025-38029.patch #CVE-2025-38311 CVE-2025-38311.patch -#CVE-2025-38248 -CVE-2025-38248.patch - -#CVE-2025-38234 -CVE-2025-38234.patch - #CVE-2025-38207 CVE-2025-38207.patch #CVE-2025-38137 CVE-2025-38137.patch -#CVE-2025-40325 -CVE-2025-40325.patch - #CVE-2025-38284 CVE-2025-38284.patch CVE-2025-38284-1.patch @@ -543,10 +530,6 @@ CVE-2025-39910.patch #CVE-2025-40098 CVE-2025-40098.patch -#CVE-2025-40075 -CVE-2025-40075.patch -CVE-2025-40075-1.patch - #CVE-2025-40074 CVE-2025-40074.patch 
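Review bot: In the `%prep` hunk (`@@ -901,8 +793,8 @@`), `%autosetup -p1 -n linux-6.12.67` now applies every carried backport to a new base while `_default_patch_flags` above it still passes `--fuzz=3 --force`, so a CVE patch whose context no longer matches 6.12.67 can be placed by `patch` with its context lines ignored instead of failing the build. For a rebase that carries this many security fixes I would tighten it to `%define _default_patch_flags -p1 --fuzz=0`, or at least check the `%prep` log for hunks reported as applied with fuzz before release. The preceding `%setup -q -n linux-6.12.67` also looks redundant, since `%autosetup` unpacks the source itself. The `%prep` section continues outside the hunk.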
@@ -560,18 +543,6 @@ CVE-2025-40086-1.patch #CVE-2025-40168 CVE-2025-40168.patch -#CVE-2025-40170 -CVE-2025-40170.patch - -#CVE-2025-40164 -CVE-2025-40164.patch - -#CVE-2025-40158 -CVE-2025-40158.patch - -#CVE-2025-40149 -CVE-2025-40149.patch - #CVE-2025-40147 CVE-2025-40147.patch @@ -581,9 +552,6 @@ CVE-2025-40139.patch #CVE-2025-40136 CVE-2025-40136.patch -#CVE-2025-40135 -CVE-2025-40135.patch - #CVE-2025-40130 CVE-2025-40130.patch 
@@ -591,141 +559,39 @@ CVE-2025-40130.patch CVE-2025-38656.patch CVE-2025-38656-2.patch -#CVE-2025-38591 -CVE-2025-38591.patch - #CVE-2025-38584 CVE-2025-38584.patch -#CVE-2025-40215 -CVE-2025-40215.patch - #CVE-2025-68749 CVE-2025-68749.patch #CVE-2025-68745 CVE-2025-68745.patch -#CVE-2025-68744 -CVE-2025-68744.patch - -#CVE-2025-68742 -CVE-2025-68742.patch - -#CVE-2025-68741 -CVE-2025-68741.patch - #CVE-2025-68736 CVE-2025-68736.patch -#CVE-2025-68733 -CVE-2025-68733.patch - -#CVE-2025-68740 -CVE-2025-68740.patch - #CVE-2025-68725 CVE-2025-68725.patch -#CVE-2025-68379 -CVE-2025-68379.patch - -#CVE-2025-68732 -CVE-2025-68732.patch - -#CVE-2025-68354 -CVE-2025-68354.patch - -#CVE-2025-68357 -CVE-2025-68357.patch - -#CVE-2025-68724 -CVE-2025-68724.patch - #CVE-2025-68358 CVE-2025-68358.patch #CVE-2025-68359 CVE-2025-68359.patch -#CVE-2025-68363 -CVE-2025-68363.patch - -#CVE-2025-68366 -CVE-2025-68366.patch - #CVE-2025-68368 CVE-2025-68368.patch -#CVE-2025-68372 -CVE-2025-68372.patch - -#CVE-2025-68374 -CVE-2025-68374.patch - -#CVE-2025-68378 -CVE-2025-68378.patch - -#CVE-2025-68337 -CVE-2025-68337.patch - -#CVE-2025-68345 -CVE-2025-68345.patch - -#CVE-2025-68346 -CVE-2025-68346.patch - -#CVE-2025-68347 -CVE-2025-68347.patch - -#CVE-2025-68348 -CVE-2025-68348.patch - -#CVE-2025-68349 -CVE-2025-68349.patch - #CVE-2025-68353 CVE-2025-68353.patch -#CVE-2025-68371 -CVE-2025-68371.patch - -#CVE-2025-68261 -CVE-2025-68261.patch - -#CVE-2025-68263 -CVE-2025-68263.patch - -#CVE-2025-68264 -CVE-2025-68264.patch - -#CVE-2025-68265 -CVE-2025-68265.patch - #CVE-2025-68319 CVE-2025-68319.patch #CVE-2025-68333 CVE-2025-68333.patch -#CVE-2025-68336 -CVE-2025-68336.patch - -#CVE-2025-68259 -CVE-2025-68259.patch - -#CVE-2025-68256 -CVE-2025-68256.patch - -#CVE-2025-68255 -CVE-2025-68255.patch - -#CVE-2025-68254 -CVE-2025-68254.patch - -#CVE-2025-68206 -CVE-2025-68206.patch - #CVE-2025-68193 CVE-2025-68193.patch 
@@ -735,3 +601,29 @@ CVE-2025-40355.patch #CVE-2025-40338 CVE-2025-40338.patch +#CVE-2026-23004 +CVE-2026-23004.patch + +#CVE-2026-22981 +CVE-2026-22981.patch + +#CVE-2026-22985 +CVE-2026-22985.patch +CVE-2026-22985_2.patch + +#CVE-2026-22993 +CVE-2026-22993.patch + +#CVE-2025-71161 +CVE-2025-71161.patch + +#CVE-2025-68823 +CVE-2025-68823.patch + +#CVE-2025-71074 +CVE-2025-71074.patch + +#CVE-2025-68768 +CVE-2025-68768.patch + + diff --git a/SPECS/kernel/0075-drm-xe-gsc-mei-interrupt-top-half-should-be-in-irq-d.patch b/SPECS/kernel/0075-drm-xe-gsc-mei-interrupt-top-half-should-be-in-irq-d.patch deleted file mode 100644 index 1f9977ab9f..0000000000 --- a/SPECS/kernel/0075-drm-xe-gsc-mei-interrupt-top-half-should-be-in-irq-d.patch +++ /dev/null 
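Review bot: `CVE-2026-22985_2.patch` in the `@@ -735,3 +601,29 @@` hunk of `SPECS/kernel-rt/series` departs from the suffix scheme the rest of the list uses for multi-part fixes (`CVE-2025-38284-1.patch`, `CVE-2025-38656-2.patch`), which makes the second part easy to miss when the list is audited against a CVE id. I would name it `CVE-2026-22985-1.patch` here and in the matching `Patch15076:` line of the spec. The hunk also adds two blank lines after `CVE-2025-68768.patch` at end of file; they can be dropped.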
@@ -1,47 +0,0 @@ -From 28f4a8fd24ecc9f0d4a956fcdcec3126952e0326 Mon Sep 17 00:00:00 2001 -From: Junxiao Chang -Date: Wed, 2 Jul 2025 08:53:30 +0800 -Subject: [PATCH 75/76] drm/xe/gsc: mei interrupt top half should be in irq - disabled context - -MEI GSC interrupt comes from xe. It has top half and bottom half. -Top half is called from xe interrupt handler. It should be in irq -disabled context. - -With RT kernel, by default xe IRQ handler is in threaded IRQ. MEI GSC -top half might be in threaded IRQ context. generic_handle_irq_safe API -could be called from either IRQ or process context, it disables local -IRQ then calls MEI GSC interrupt top half. - -This change fixes B580 GPU boot hang issue with RT kernel. - -Signed-off-by: Junxiao Chang ---- - drivers/gpu/drm/xe/xe_heci_gsc.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/gpu/drm/xe/xe_heci_gsc.c b/drivers/gpu/drm/xe/xe_heci_gsc.c -index 65b2e147c4b92..894a6bd332853 100644 ---- a/drivers/gpu/drm/xe/xe_heci_gsc.c -+++ b/drivers/gpu/drm/xe/xe_heci_gsc.c -@@ -230,7 +230,7 @@ void xe_heci_gsc_irq_handler(struct xe_device *xe, u32 iir) - if (xe->heci_gsc.irq < 0) - return; - -- ret = generic_handle_irq(xe->heci_gsc.irq); -+ ret = generic_handle_irq_safe(xe->heci_gsc.irq); - if (ret) - drm_err_ratelimited(&xe->drm, "error handling GSC irq: %d\n", ret); - } -@@ -250,7 +250,7 @@ void xe_heci_csc_irq_handler(struct xe_device *xe, u32 iir) - if (xe->heci_gsc.irq < 0) - return; - -- ret = generic_handle_irq(xe->heci_gsc.irq); -+ ret = generic_handle_irq_safe(xe->heci_gsc.irq); - if (ret) - drm_err_ratelimited(&xe->drm, "error handling GSC irq: %d\n", ret); - } --- -2.43.0 - diff --git a/SPECS/kernel/CVE-2025-22111.patch b/SPECS/kernel/CVE-2025-22111.patch deleted file mode 100644 index 79e36106d6..0000000000 --- a/SPECS/kernel/CVE-2025-22111.patch +++ /dev/null 
@@ -1,303 +0,0 @@ -From b4cafa219eeb0a97a52ee615f2e4c4f5afdd2d0b Mon Sep 17 00:00:00 2001 -From: Kuniyuki Iwashima -Date: Sun, 16 Mar 2025 12:28:37 -0700 -Subject: [PATCH] net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF. - -SIOCBRDELIF is passed to dev_ioctl() first and later forwarded to -br_ioctl_call(), which causes unnecessary RTNL dance and the splat -below [0] under RTNL pressure. - -Let's say Thread A is trying to detach a device from a bridge and -Thread B is trying to remove the bridge. - -In dev_ioctl(), Thread A bumps the bridge device's refcnt by -netdev_hold() and releases RTNL because the following br_ioctl_call() -also re-acquires RTNL. - -In the race window, Thread B could acquire RTNL and try to remove -the bridge device. Then, rtnl_unlock() by Thread B will release RTNL -and wait for netdev_put() by Thread A. - -Thread A, however, must hold RTNL after the unlock in dev_ifsioc(), -which may take long under RTNL pressure, resulting in the splat by -Thread B. - - Thread A (SIOCBRDELIF) Thread B (SIOCBRDELBR) - ---------------------- ---------------------- - sock_ioctl sock_ioctl - `- sock_do_ioctl `- br_ioctl_call - `- dev_ioctl `- br_ioctl_stub - |- rtnl_lock | - |- dev_ifsioc ' - ' |- dev = __dev_get_by_name(...) - |- netdev_hold(dev, ...) . - / |- rtnl_unlock ------. | - | |- br_ioctl_call `---> |- rtnl_lock - Race | | `- br_ioctl_stub |- br_del_bridge - Window | | | |- dev = __dev_get_by_name(...) - | | | May take long | `- br_dev_delete(dev, ...) - | | | under RTNL pressure | `- unregister_netdevice_queue(dev, ...) - | | | | `- rtnl_unlock - \ | |- rtnl_lock <-' `- netdev_run_todo - | |- ... `- netdev_run_todo - | `- rtnl_unlock |- __rtnl_unlock - | |- netdev_wait_allrefs_any - |- netdev_put(dev, ...) <----------------' - Wait refcnt decrement - and log splat below - -To avoid blocking SIOCBRDELBR unnecessarily, let's not call -dev_ioctl() for SIOCBRADDIF and SIOCBRDELIF. - -In the dev_ioctl() path, we do the following: - - 1. 
Copy struct ifreq by get_user_ifreq in sock_do_ioctl() - 2. Check CAP_NET_ADMIN in dev_ioctl() - 3. Call dev_load() in dev_ioctl() - 4. Fetch the master dev from ifr.ifr_name in dev_ifsioc() - -3. can be done by request_module() in br_ioctl_call(), so we move -1., 2., and 4. to br_ioctl_stub(). - -Note that 2. is also checked later in add_del_if(), but it's better -performed before RTNL. - -SIOCBRADDIF and SIOCBRDELIF have been processed in dev_ioctl() since -the pre-git era, and there seems to be no specific reason to process -them there. - -[0]: -unregister_netdevice: waiting for wpan3 to become free. Usage count = 2 -ref_tracker: wpan3@ffff8880662d8608 has 1/1 users at - __netdev_tracker_alloc include/linux/netdevice.h:4282 [inline] - netdev_hold include/linux/netdevice.h:4311 [inline] - dev_ifsioc+0xc6a/0x1160 net/core/dev_ioctl.c:624 - dev_ioctl+0x255/0x10c0 net/core/dev_ioctl.c:826 - sock_do_ioctl+0x1ca/0x260 net/socket.c:1213 - sock_ioctl+0x23a/0x6c0 net/socket.c:1318 - vfs_ioctl fs/ioctl.c:51 [inline] - __do_sys_ioctl fs/ioctl.c:906 [inline] - __se_sys_ioctl fs/ioctl.c:892 [inline] - __x64_sys_ioctl+0x1a4/0x210 fs/ioctl.c:892 - do_syscall_x64 arch/x86/entry/common.c:52 [inline] - do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83 - entry_SYSCALL_64_after_hwframe+0x77/0x7f - -Fixes: 893b19587534 ("net: bridge: fix ioctl locking") -Reported-by: syzkaller -Reported-by: yan kang -Reported-by: yue sun -Closes: https://lore.kernel.org/netdev/SY8P300MB0421225D54EB92762AE8F0F2A1D32@SY8P300MB0421.AUSP300.PROD.OUTLOOK.COM/ -Signed-off-by: Kuniyuki Iwashima -Acked-by: Stanislav Fomichev -Reviewed-by: Ido Schimmel -Acked-by: Nikolay Aleksandrov -Link: https://patch.msgid.link/20250316192851.19781-1-kuniyu@amazon.com -Signed-off-by: Paolo Abeni ---- - include/linux/if_bridge.h | 6 ++---- - net/bridge/br_ioctl.c | 36 +++++++++++++++++++++++++++++++++--- - net/bridge/br_private.h | 3 +-- - net/core/dev_ioctl.c | 16 ---------------- - net/socket.c | 19 +++++++++---------- 
- 5 files changed, 45 insertions(+), 35 deletions(-) - -diff --git a/include/linux/if_bridge.h b/include/linux/if_bridge.h -index 3ff96ae31bf6..c5fe3b2a53e8 100644 ---- a/include/linux/if_bridge.h -+++ b/include/linux/if_bridge.h -@@ -65,11 +65,9 @@ struct br_ip_list { - #define BR_DEFAULT_AGEING_TIME (300 * HZ) - - struct net_bridge; --void brioctl_set(int (*hook)(struct net *net, struct net_bridge *br, -- unsigned int cmd, struct ifreq *ifr, -+void brioctl_set(int (*hook)(struct net *net, unsigned int cmd, - void __user *uarg)); --int br_ioctl_call(struct net *net, struct net_bridge *br, unsigned int cmd, -- struct ifreq *ifr, void __user *uarg); -+int br_ioctl_call(struct net *net, unsigned int cmd, void __user *uarg); - - #if IS_ENABLED(CONFIG_BRIDGE) && IS_ENABLED(CONFIG_BRIDGE_IGMP_SNOOPING) - int br_multicast_list_adjacent(struct net_device *dev, -diff --git a/net/bridge/br_ioctl.c b/net/bridge/br_ioctl.c -index f213ed108361..6bc0a11f2ed3 100644 ---- a/net/bridge/br_ioctl.c -+++ b/net/bridge/br_ioctl.c -@@ -394,10 +394,26 @@ static int old_deviceless(struct net *net, void __user *data) - return -EOPNOTSUPP; - } - --int br_ioctl_stub(struct net *net, struct net_bridge *br, unsigned int cmd, -- struct ifreq *ifr, void __user *uarg) -+int br_ioctl_stub(struct net *net, unsigned int cmd, void __user *uarg) - { - int ret = -EOPNOTSUPP; -+ struct ifreq ifr; -+ -+ if (cmd == SIOCBRADDIF || cmd == SIOCBRDELIF) { -+ void __user *data; -+ char *colon; -+ -+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN)) -+ return -EPERM; -+ -+ if (get_user_ifreq(&ifr, &data, uarg)) -+ return -EFAULT; -+ -+ ifr.ifr_name[IFNAMSIZ - 1] = 0; -+ colon = strchr(ifr.ifr_name, ':'); -+ if (colon) -+ *colon = 0; -+ } - - rtnl_lock(); - -@@ -430,7 +446,21 @@ int br_ioctl_stub(struct net *net, struct net_bridge *br, unsigned int cmd, - break; - case SIOCBRADDIF: - case SIOCBRDELIF: -- ret = add_del_if(br, ifr->ifr_ifindex, cmd == SIOCBRADDIF); -+ { -+ struct net_device *dev; -+ -+ dev = 
__dev_get_by_name(net, ifr.ifr_name); -+ if (!dev || !netif_device_present(dev)) { -+ ret = -ENODEV; -+ break; -+ } -+ if (!netif_is_bridge_master(dev)) { -+ ret = -EOPNOTSUPP; -+ break; -+ } -+ -+ ret = add_del_if(netdev_priv(dev), ifr.ifr_ifindex, cmd == SIOCBRADDIF); -+ } - break; - } - -diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h -index 041f6e571a20..e6f880f4028d 100644 ---- a/net/bridge/br_private.h -+++ b/net/bridge/br_private.h -@@ -949,8 +949,7 @@ br_port_get_check_rtnl(const struct net_device *dev) - /* br_ioctl.c */ - int br_dev_siocdevprivate(struct net_device *dev, struct ifreq *rq, - void __user *data, int cmd); --int br_ioctl_stub(struct net *net, struct net_bridge *br, unsigned int cmd, -- struct ifreq *ifr, void __user *uarg); -+int br_ioctl_stub(struct net *net, unsigned int cmd, void __user *uarg); - - /* br_multicast.c */ - #ifdef CONFIG_BRIDGE_IGMP_SNOOPING -diff --git a/net/core/dev_ioctl.c b/net/core/dev_ioctl.c -index 473c437b6b53..81cd8df798c0 100644 ---- a/net/core/dev_ioctl.c -+++ b/net/core/dev_ioctl.c -@@ -514,7 +514,6 @@ static int dev_ifsioc(struct net *net, struct ifreq *ifr, void __user *data, - int err; - struct net_device *dev = __dev_get_by_name(net, ifr->ifr_name); - const struct net_device_ops *ops; -- netdevice_tracker dev_tracker; - - if (!dev) - return -ENODEV; -@@ -577,19 +576,6 @@ static int dev_ifsioc(struct net *net, struct ifreq *ifr, void __user *data, - case SIOCWANDEV: - return dev_siocwandev(dev, &ifr->ifr_settings); - -- case SIOCBRADDIF: -- case SIOCBRDELIF: -- if (!netif_device_present(dev)) -- return -ENODEV; -- if (!netif_is_bridge_master(dev)) -- return -EOPNOTSUPP; -- netdev_hold(dev, &dev_tracker, GFP_KERNEL); -- rtnl_unlock(); -- err = br_ioctl_call(net, netdev_priv(dev), cmd, ifr, NULL); -- netdev_put(dev, &dev_tracker); -- rtnl_lock(); -- return err; -- - case SIOCDEVPRIVATE ... 
SIOCDEVPRIVATE + 15: - return dev_siocdevprivate(dev, ifr, data, cmd); - -@@ -770,8 +756,6 @@ int dev_ioctl(struct net *net, unsigned int cmd, struct ifreq *ifr, - case SIOCBONDRELEASE: - case SIOCBONDSETHWADDR: - case SIOCBONDCHANGEACTIVE: -- case SIOCBRADDIF: -- case SIOCBRDELIF: - case SIOCSHWTSTAMP: - if (!ns_capable(net->user_ns, CAP_NET_ADMIN)) - return -EPERM; -diff --git a/net/socket.c b/net/socket.c -index 042451f01c65..a0f6f8b3376d 100644 ---- a/net/socket.c -+++ b/net/socket.c -@@ -1173,12 +1173,10 @@ static ssize_t sock_write_iter(struct kiocb *iocb, struct iov_iter *from) - */ - - static DEFINE_MUTEX(br_ioctl_mutex); --static int (*br_ioctl_hook)(struct net *net, struct net_bridge *br, -- unsigned int cmd, struct ifreq *ifr, -+static int (*br_ioctl_hook)(struct net *net, unsigned int cmd, - void __user *uarg); - --void brioctl_set(int (*hook)(struct net *net, struct net_bridge *br, -- unsigned int cmd, struct ifreq *ifr, -+void brioctl_set(int (*hook)(struct net *net, unsigned int cmd, - void __user *uarg)) - { - mutex_lock(&br_ioctl_mutex); -@@ -1187,8 +1185,7 @@ void brioctl_set(int (*hook)(struct net *net, struct net_bridge *br, - } - EXPORT_SYMBOL(brioctl_set); - --int br_ioctl_call(struct net *net, struct net_bridge *br, unsigned int cmd, -- struct ifreq *ifr, void __user *uarg) -+int br_ioctl_call(struct net *net, unsigned int cmd, void __user *uarg) - { - int err = -ENOPKG; - -@@ -1197,7 +1194,7 @@ int br_ioctl_call(struct net *net, struct net_bridge *br, unsigned int cmd, - - mutex_lock(&br_ioctl_mutex); - if (br_ioctl_hook) -- err = br_ioctl_hook(net, br, cmd, ifr, uarg); -+ err = br_ioctl_hook(net, cmd, uarg); - mutex_unlock(&br_ioctl_mutex); - - return err; -@@ -1297,7 +1294,9 @@ static long sock_ioctl(struct file *file, unsigned cmd, unsigned long arg) - case SIOCSIFBR: - case SIOCBRADDBR: - case SIOCBRDELBR: -- err = br_ioctl_call(net, NULL, cmd, NULL, argp); -+ case SIOCBRADDIF: -+ case SIOCBRDELIF: -+ err = br_ioctl_call(net, cmd, argp); 
- break; - case SIOCGIFVLAN: - case SIOCSIFVLAN: -@@ -3466,6 +3465,8 @@ static int compat_sock_ioctl_trans(struct file *file, struct socket *sock, - case SIOCGPGRP: - case SIOCBRADDBR: - case SIOCBRDELBR: -+ case SIOCBRADDIF: -+ case SIOCBRDELIF: - case SIOCGIFVLAN: - case SIOCSIFVLAN: - case SIOCGSKNS: -@@ -3505,8 +3506,6 @@ static int compat_sock_ioctl_trans(struct file *file, struct socket *sock, - case SIOCGIFPFLAGS: - case SIOCGIFTXQLEN: - case SIOCSIFTXQLEN: -- case SIOCBRADDIF: -- case SIOCBRDELIF: - case SIOCGIFNAME: - case SIOCSIFNAME: - case SIOCGMIIPHY: --- -2.25.1 - diff --git a/SPECS/kernel/CVE-2025-38234.patch b/SPECS/kernel/CVE-2025-38234.patch deleted file mode 100644 index 4f7a9ce581..0000000000 --- a/SPECS/kernel/CVE-2025-38234.patch +++ /dev/null 
@@ -1,291 +0,0 @@
-From 393793ca4cecac391c5df793b7735b8782900650 Mon Sep 17 00:00:00 2001
-From: Harshit Agarwal
-Date: Tue, 25 Feb 2025 18:05:53 +0000
-Subject: [PATCH 5/8] sched/rt: Fix race in push_rt_task
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Overview
-========
-When a CPU chooses to call push_rt_task and picks a task to push to
-another CPU's runqueue then it will call find_lock_lowest_rq method
-which would take a double lock on both CPUs' runqueues. If one of the
-locks aren't readily available, it may lead to dropping the current
-runqueue lock and reacquiring both the locks at once. During this window
-it is possible that the task is already migrated and is running on some
-other CPU. These cases are already handled. However, if the task is
-migrated and has already been executed and another CPU is now trying to
-wake it up (ttwu) such that it is queued again on the runqeue
-(on_rq is 1) and also if the task was run by the same CPU, then the
-current checks will pass even though the task was migrated out and is no
-longer in the pushable tasks list.
-
-Crashes
-=======
-This bug resulted in quite a few flavors of crashes triggering kernel
-panics with various crash signatures such as assert failures, page
-faults, null pointer dereferences, and queue corruption errors all
-coming from scheduler itself.
-
-Some of the crashes:
--> kernel BUG at kernel/sched/rt.c:1616! BUG_ON(idx >= MAX_RT_PRIO)
- Call Trace:
- ? __die_body+0x1a/0x60
- ? die+0x2a/0x50
- ? do_trap+0x85/0x100
- ? pick_next_task_rt+0x6e/0x1d0
- ? do_error_trap+0x64/0xa0
- ? pick_next_task_rt+0x6e/0x1d0
- ? exc_invalid_op+0x4c/0x60
- ? pick_next_task_rt+0x6e/0x1d0
- ? asm_exc_invalid_op+0x12/0x20
- ? pick_next_task_rt+0x6e/0x1d0
- __schedule+0x5cb/0x790
- ? update_ts_time_stats+0x55/0x70
- schedule_idle+0x1e/0x40
- do_idle+0x15e/0x200
- cpu_startup_entry+0x19/0x20
- start_secondary+0x117/0x160
- secondary_startup_64_no_verify+0xb0/0xbb
-
--> BUG: kernel NULL pointer dereference, address: 00000000000000c0
- Call Trace:
- ? __die_body+0x1a/0x60
- ? no_context+0x183/0x350
- ? __warn+0x8a/0xe0
- ? exc_page_fault+0x3d6/0x520
- ? asm_exc_page_fault+0x1e/0x30
- ? pick_next_task_rt+0xb5/0x1d0
- ? pick_next_task_rt+0x8c/0x1d0
- __schedule+0x583/0x7e0
- ? update_ts_time_stats+0x55/0x70
- schedule_idle+0x1e/0x40
- do_idle+0x15e/0x200
- cpu_startup_entry+0x19/0x20
- start_secondary+0x117/0x160
- secondary_startup_64_no_verify+0xb0/0xbb
-
--> BUG: unable to handle page fault for address: ffff9464daea5900
- kernel BUG at kernel/sched/rt.c:1861! BUG_ON(rq->cpu != task_cpu(p))
-
--> kernel BUG at kernel/sched/rt.c:1055! BUG_ON(!rq->nr_running)
- Call Trace:
- ? __die_body+0x1a/0x60
- ? die+0x2a/0x50
- ? do_trap+0x85/0x100
- ? dequeue_top_rt_rq+0xa2/0xb0
- ? do_error_trap+0x64/0xa0
- ? dequeue_top_rt_rq+0xa2/0xb0
- ? exc_invalid_op+0x4c/0x60
- ? dequeue_top_rt_rq+0xa2/0xb0
- ? asm_exc_invalid_op+0x12/0x20
- ? dequeue_top_rt_rq+0xa2/0xb0
- dequeue_rt_entity+0x1f/0x70
- dequeue_task_rt+0x2d/0x70
- __schedule+0x1a8/0x7e0
- ? blk_finish_plug+0x25/0x40
- schedule+0x3c/0xb0
- futex_wait_queue_me+0xb6/0x120
- futex_wait+0xd9/0x240
- do_futex+0x344/0xa90
- ? get_mm_exe_file+0x30/0x60
- ? audit_exe_compare+0x58/0x70
- ? audit_filter_rules.constprop.26+0x65e/0x1220
- __x64_sys_futex+0x148/0x1f0
- do_syscall_64+0x30/0x80
- entry_SYSCALL_64_after_hwframe+0x62/0xc7
-
--> BUG: unable to handle page fault for address: ffff8cf3608bc2c0
- Call Trace:
- ? __die_body+0x1a/0x60
- ? no_context+0x183/0x350
- ? spurious_kernel_fault+0x171/0x1c0
- ? exc_page_fault+0x3b6/0x520
- ? plist_check_list+0x15/0x40
- ? plist_check_list+0x2e/0x40
- ? asm_exc_page_fault+0x1e/0x30
- ? _cond_resched+0x15/0x30
- ? futex_wait_queue_me+0xc8/0x120
- ? futex_wait+0xd9/0x240
- ? try_to_wake_up+0x1b8/0x490
- ? futex_wake+0x78/0x160
- ? do_futex+0xcd/0xa90
- ? plist_check_list+0x15/0x40
- ? plist_check_list+0x2e/0x40
- ? plist_del+0x6a/0xd0
- ? plist_check_list+0x15/0x40
- ? plist_check_list+0x2e/0x40
- ? dequeue_pushable_task+0x20/0x70
- ? __schedule+0x382/0x7e0
- ? asm_sysvec_reschedule_ipi+0xa/0x20
- ? schedule+0x3c/0xb0
- ? exit_to_user_mode_prepare+0x9e/0x150
- ? irqentry_exit_to_user_mode+0x5/0x30
- ? asm_sysvec_reschedule_ipi+0x12/0x20
-
-Above are some of the common examples of the crashes that were observed
-due to this issue.
-
-Details
-=======
-Let's look at the following scenario to understand this race.
-
-1) CPU A enters push_rt_task
- a) CPU A has chosen next_task = task p.
- b) CPU A calls find_lock_lowest_rq(Task p, CPU Z’s rq).
- c) CPU A identifies CPU X as a destination CPU (X < Z).
- d) CPU A enters double_lock_balance(CPU Z’s rq, CPU X’s rq).
- e) Since X is lower than Z, CPU A unlocks CPU Z’s rq. Someone else has
- locked CPU X’s rq, and thus, CPU A must wait.
-
-2) At CPU Z
- a) Previous task has completed execution and thus, CPU Z enters
- schedule, locks its own rq after CPU A releases it.
- b) CPU Z dequeues previous task and begins executing task p.
- c) CPU Z unlocks its rq.
- d) Task p yields the CPU (ex. by doing IO or waiting to acquire a
- lock) which triggers the schedule function on CPU Z.
- e) CPU Z enters schedule again, locks its own rq, and dequeues task p.
- f) As part of dequeue, it sets p.on_rq = 0 and unlocks its rq.
-
-3) At CPU B
- a) CPU B enters try_to_wake_up with input task p.
- b) Since CPU Z dequeued task p, p.on_rq = 0, and CPU B updates
- B.state = WAKING.
- c) CPU B via select_task_rq determines CPU Y as the target CPU.
-
-4) The race
- a) CPU A acquires CPU X’s lock and relocks CPU Z.
- b) CPU A reads task p.cpu = Z and incorrectly concludes task p is
- still on CPU Z.
- c) CPU A failed to notice task p had been dequeued from CPU Z while
- CPU A was waiting for locks in double_lock_balance. If CPU A knew
- that task p had been dequeued, it would return NULL forcing
- push_rt_task to give up the task p's migration.
- d) CPU B updates task p.cpu = Y and calls ttwu_queue.
- e) CPU B locks Ys rq. CPU B enqueues task p onto Y and sets task
- p.on_rq = 1.
- f) CPU B unlocks CPU Y, triggering memory synchronization.
- g) CPU A reads task p.on_rq = 1, cementing its assumption that task p
- has not migrated.
- h) CPU A decides to migrate p to CPU X.
-
-This leads to A dequeuing p from Y's queue and various crashes down the
-line.
-
-Solution
-========
-The solution here is fairly simple. After obtaining the lock (at 4a),
-the check is enhanced to make sure that the task is still at the head of
-the pushable tasks list. If not, then it is anyway not suitable for
-being pushed out.
-
-Testing
-=======
-The fix is tested on a cluster of 3 nodes, where the panics due to this
-are hit every couple of days. A fix similar to this was deployed on such
-cluster and was stable for more than 30 days.
-
-Co-developed-by: Jon Kohler
-Signed-off-by: Jon Kohler
-Co-developed-by: Gauri Patwardhan
-Signed-off-by: Gauri Patwardhan
-Co-developed-by: Rahul Chunduru
-Signed-off-by: Rahul Chunduru
-Signed-off-by: Harshit Agarwal
-Signed-off-by: Peter Zijlstra (Intel)
-Reviewed-by: "Steven Rostedt (Google)"
-Reviewed-by: Phil Auld
-Tested-by: Will Ton
-Cc: stable@vger.kernel.org
-Link: https://lore.kernel.org/r/20250225180553.167995-1-harshit@nutanix.com
----
- kernel/sched/rt.c | 52 +++++++++++++++++++++++------------------------
- 1 file changed, 25 insertions(+), 27 deletions(-)
-
-diff --git a/kernel/sched/rt.c b/kernel/sched/rt.c
-index 172c588de542..f2190ec58cb8 100644
---- a/kernel/sched/rt.c
-+++ b/kernel/sched/rt.c
-@@ -1895,6 +1895,26 @@ static int find_lowest_rq(struct task_struct *task)
- return -1;
- }
-
-+static struct task_struct *pick_next_pushable_task(struct rq *rq)
-+{
-+ struct task_struct *p;
-+
-+ if (!has_pushable_tasks(rq))
-+ return NULL;
-+
-+ p = plist_first_entry(&rq->rt.pushable_tasks,
-+ struct task_struct, pushable_tasks);
-+
-+ BUG_ON(rq->cpu != task_cpu(p));
-+ BUG_ON(task_current(rq, p));
-+ BUG_ON(p->nr_cpus_allowed <= 1);
-+
-+ BUG_ON(!task_on_rq_queued(p));
-+ BUG_ON(!rt_task(p));
-+
-+ return p;
-+}
-+
- /* Will lock the rq it finds */
- static struct rq *find_lock_lowest_rq(struct task_struct *task, struct rq *rq)
- {
-@@ -1925,18 +1945,16 @@ static struct rq *find_lock_lowest_rq(struct task_struct *task, struct rq *rq)
- /*
- * We had to unlock the run queue. In
- * the mean time, task could have
-- * migrated already or had its affinity changed.
-- * Also make sure that it wasn't scheduled on its rq.
-+ * migrated already or had its affinity changed,
-+ * therefore check if the task is still at the
-+ * head of the pushable tasks list.
- * It is possible the task was scheduled, set
- * "migrate_disabled" and then got preempted, so we must
- * check the task migration disable flag here too.
- */
- if (unlikely(task_rq(task) != rq ||
-+ if (unlikely(is_migration_disabled(task) ||
- !cpumask_test_cpu(lowest_rq->cpu, &task->cpus_mask) ||
-- task_on_cpu(rq, task) ||
-- !rt_task(task) ||
-- is_migration_disabled(task) ||
-- !task_on_rq_queued(task))) {
-+ task != pick_next_pushable_task(rq))) {
-
- double_unlock_balance(rq, lowest_rq);
- lowest_rq = NULL;
-@@ -1956,26 +1974,6 @@ static struct rq *find_lock_lowest_rq(struct task_struct *task, struct rq *rq)
- return lowest_rq;
- }
-
--static struct task_struct *pick_next_pushable_task(struct rq *rq)
--{
-- struct task_struct *p;
--
-- if (!has_pushable_tasks(rq))
-- return NULL;
--
-- p = plist_first_entry(&rq->rt.pushable_tasks,
-- struct task_struct, pushable_tasks);
--
-- BUG_ON(rq->cpu != task_cpu(p));
-- BUG_ON(task_current(rq, p));
-- BUG_ON(p->nr_cpus_allowed <= 1);
--
-- BUG_ON(!task_on_rq_queued(p));
-- BUG_ON(!rt_task(p));
--
-- return p;
--}
--
- /*
- * If the current CPU has more than one RT task, see if the non
- * running task can migrate over to a CPU that is running a task
---
-2.43.0
-
diff --git a/SPECS/kernel/CVE-2025-38248.patch b/SPECS/kernel/CVE-2025-38248.patch
deleted file mode 100644
index 914db01bb0..0000000000
--- a/SPECS/kernel/CVE-2025-38248.patch
+++ /dev/null
@@ -1,179 +0,0 @@
-From b070428858b063a6baff62509478c9429ff4bf23 Mon Sep 17 00:00:00 2001
-From: Ido Schimmel
-Date: Thu, 19 Jun 2025 21:22:28 +0300
-Subject: [PATCH 4/8] bridge: mcast: Fix use-after-free during router port
- configuration
-
-The bridge maintains a global list of ports behind which a multicast
-router resides. The list is consulted during forwarding to ensure
-multicast packets are forwarded to these ports even if the ports are not
-member in the matching MDB entry.
-
-When per-VLAN multicast snooping is enabled, the per-port multicast
-context is disabled on each port and the port is removed from the global
-router port list:
-
- # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1
- # ip link add name dummy1 up master br1 type dummy
- # ip link set dev dummy1 type bridge_slave mcast_router 2
- $ bridge -d mdb show | grep router
- router ports on br1: dummy1
- # ip link set dev br1 type bridge mcast_vlan_snooping 1
- $ bridge -d mdb show | grep router
-
-However, the port can be re-added to the global list even when per-VLAN
-multicast snooping is enabled:
-
- # ip link set dev dummy1 type bridge_slave mcast_router 0
- # ip link set dev dummy1 type bridge_slave mcast_router 2
- $ bridge -d mdb show | grep router
- router ports on br1: dummy1
-
-Since commit 4b30ae9adb04 ("net: bridge: mcast: re-implement
-br_multicast_{enable, disable}_port functions"), when per-VLAN multicast
-snooping is enabled, multicast disablement on a port will disable the
-per-{port, VLAN} multicast contexts and not the per-port one. As a
-result, a port will remain in the global router port list even after it
-is deleted. This will lead to a use-after-free [1] when the list is
-traversed (when adding a new port to the list, for example):
-
- # ip link del dev dummy1
- # ip link add name dummy2 up master br1 type dummy
- # ip link set dev dummy2 type bridge_slave mcast_router 2
-
-Similarly, stale entries can also be found in the per-VLAN router port
-list. When per-VLAN multicast snooping is disabled, the per-{port, VLAN}
-contexts are disabled on each port and the port is removed from the
-per-VLAN router port list:
-
- # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1 mcast_vlan_snooping 1
- # ip link add name dummy1 up master br1 type dummy
- # bridge vlan add vid 2 dev dummy1
- # bridge vlan global set vid 2 dev br1 mcast_snooping 1
- # bridge vlan set vid 2 dev dummy1 mcast_router 2
- $ bridge vlan global show dev br1 vid 2 | grep router
- router ports: dummy1
- # ip link set dev br1 type bridge mcast_vlan_snooping 0
- $ bridge vlan global show dev br1 vid 2 | grep router
-
-However, the port can be re-added to the per-VLAN list even when
-per-VLAN multicast snooping is disabled:
-
- # bridge vlan set vid 2 dev dummy1 mcast_router 0
- # bridge vlan set vid 2 dev dummy1 mcast_router 2
- $ bridge vlan global show dev br1 vid 2 | grep router
- router ports: dummy1
-
-When the VLAN is deleted from the port, the per-{port, VLAN} multicast
-context will not be disabled since multicast snooping is not enabled
-on the VLAN. As a result, the port will remain in the per-VLAN router
-port list even after it is no longer member in the VLAN. This will lead
-to a use-after-free [2] when the list is traversed (when adding a new
-port to the list, for example):
-
- # ip link add name dummy2 up master br1 type dummy
- # bridge vlan add vid 2 dev dummy2
- # bridge vlan del vid 2 dev dummy1
- # bridge vlan set vid 2 dev dummy2 mcast_router 2
-
-Fix these issues by removing the port from the relevant (global or
-per-VLAN) router port list in br_multicast_port_ctx_deinit(). The
-function is invoked during port deletion with the per-port multicast
-context and during VLAN deletion with the per-{port, VLAN} multicast
-context.
-
-Note that deleting the multicast router timer is not enough as it only
-takes care of the temporary multicast router states (1 or 3) and not the
-permanent one (2).
-
-[1]
-BUG: KASAN: slab-out-of-bounds in br_multicast_add_router.part.0+0x3f1/0x560
-Write of size 8 at addr ffff888004a67328 by task ip/384
-[...]
-Call Trace:
-
- dump_stack_lvl+0x6f/0xa0
- print_address_description.constprop.0+0x6f/0x350
- print_report+0x108/0x205
- kasan_report+0xdf/0x110
- br_multicast_add_router.part.0+0x3f1/0x560
- br_multicast_set_port_router+0x74e/0xac0
- br_setport+0xa55/0x1870
- br_port_slave_changelink+0x95/0x120
- __rtnl_newlink+0x5e8/0xa40
- rtnl_newlink+0x627/0xb00
- rtnetlink_rcv_msg+0x6fb/0xb70
- netlink_rcv_skb+0x11f/0x350
- netlink_unicast+0x426/0x710
- netlink_sendmsg+0x75a/0xc20
- __sock_sendmsg+0xc1/0x150
- ____sys_sendmsg+0x5aa/0x7b0
- ___sys_sendmsg+0xfc/0x180
- __sys_sendmsg+0x124/0x1c0
- do_syscall_64+0xbb/0x360
- entry_SYSCALL_64_after_hwframe+0x4b/0x53
-
-[2]
-BUG: KASAN: slab-use-after-free in br_multicast_add_router.part.0+0x378/0x560
-Read of size 8 at addr ffff888009f00840 by task bridge/391
-[...]
-Call Trace:
-
- dump_stack_lvl+0x6f/0xa0
- print_address_description.constprop.0+0x6f/0x350
- print_report+0x108/0x205
- kasan_report+0xdf/0x110
- br_multicast_add_router.part.0+0x378/0x560
- br_multicast_set_port_router+0x6f9/0xac0
- br_vlan_process_options+0x8b6/0x1430
- br_vlan_rtm_process_one+0x605/0xa30
- br_vlan_rtm_process+0x396/0x4c0
- rtnetlink_rcv_msg+0x2f7/0xb70
- netlink_rcv_skb+0x11f/0x350
- netlink_unicast+0x426/0x710
- netlink_sendmsg+0x75a/0xc20
- __sock_sendmsg+0xc1/0x150
- ____sys_sendmsg+0x5aa/0x7b0
- ___sys_sendmsg+0xfc/0x180
- __sys_sendmsg+0x124/0x1c0
- do_syscall_64+0xbb/0x360
- entry_SYSCALL_64_after_hwframe+0x4b/0x53
-
-Fixes: 2796d846d74a ("net: bridge: vlan: convert mcast router global option to per-vlan entry")
-Fixes: 4b30ae9adb04 ("net: bridge: mcast: re-implement br_multicast_{enable, disable}_port functions")
-Reported-by: syzbot+7bfa4b72c6a5da128d32@syzkaller.appspotmail.com
-Closes: https://lore.kernel.org/all/684c18bd.a00a0220.279073.000b.GAE@google.com/T/
-Signed-off-by: Ido Schimmel
-Link: https://patch.msgid.link/20250619182228.1656906-1-idosch@nvidia.com
-Signed-off-by: Jakub Kicinski
----
- net/bridge/br_multicast.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
-index 733ff6b758f6..025811965d58 100644
---- a/net/bridge/br_multicast.c
-+++ b/net/bridge/br_multicast.c
-@@ -2014,10 +2014,19 @@ void br_multicast_port_ctx_init(struct net_bridge_port *port,
-
- void br_multicast_port_ctx_deinit(struct net_bridge_mcast_port *pmctx)
- {
-+ struct net_bridge *br = pmctx->port->br;
-+ bool del = false;
-+
- #if IS_ENABLED(CONFIG_IPV6)
- del_timer_sync(&pmctx->ip6_mc_router_timer);
- #endif
- del_timer_sync(&pmctx->ip4_mc_router_timer);
-+
-+ spin_lock_bh(&br->multicast_lock);
-+ del |= br_ip6_multicast_rport_del(pmctx);
-+ del |= br_ip4_multicast_rport_del(pmctx);
-+ br_multicast_rport_del_notify(pmctx, del);
-+ spin_unlock_bh(&br->multicast_lock);
- }
-
- int br_multicast_add_port(struct net_bridge_port *port)
---
-2.43.0
-
diff --git a/SPECS/kernel/CVE-2025-38591.patch b/SPECS/kernel/CVE-2025-38591.patch
deleted file mode 100644
index 41b4d40967..0000000000
--- a/SPECS/kernel/CVE-2025-38591.patch
+++ /dev/null
@@ -1,165 +0,0 @@
-From a40bd4e44ba2ef84d7f780383dd811dc8bf2c025 Mon Sep 17 00:00:00 2001
-From: Paul Chaignon
-Date: Tue, 22 Jul 2025 16:32:32 +0200
-Subject: [PATCH 14/15] bpf: Reject narrower access to pointer ctx fields
-
-The following BPF program, simplified from a syzkaller repro, causes a
-kernel warning:
-
- r0 = *(u8 *)(r1 + 169);
- exit;
-
-With pointer field sk being at offset 168 in __sk_buff. This access is
-detected as a narrower read in bpf_skb_is_valid_access because it
-doesn't match offsetof(struct __sk_buff, sk). It is therefore allowed
-and later proceeds to bpf_convert_ctx_access. Note that for the
-"is_narrower_load" case in the convert_ctx_accesses(), the insn->off
-is aligned, so the cnt may not be 0 because it matches the
-offsetof(struct __sk_buff, sk) in the bpf_convert_ctx_access. However,
-the target_size stays 0 and the verifier errors with a kernel warning:
-
- verifier bug: error during ctx access conversion(1)
-
-This patch fixes that to return a proper "invalid bpf_context access
-off=X size=Y" error on the load instruction.
-
-The same issue affects multiple other fields in context structures that
-allow narrow access. Some other non-affected fields (for sk_msg,
-sk_lookup, and sockopt) were also changed to use bpf_ctx_range_ptr for
-consistency.
-
-Note this syzkaller crash was reported in the "Closes" link below, which
-used to be about a different bug, fixed in
-commit fce7bd8e385a ("bpf/verifier: Handle BPF_LOAD_ACQ instructions
-in insn_def_regno()"). Because syzbot somehow confused the two bugs,
-the new crash and repro didn't get reported to the mailing list.
-
-Fixes: f96da09473b52 ("bpf: simplify narrower ctx access")
-Fixes: 0df1a55afa832 ("bpf: Warn on internal verifier errors")
-Reported-by: syzbot+0ef84a7bdf5301d4cbec@syzkaller.appspotmail.com
-Closes: https://syzkaller.appspot.com/bug?extid=0ef84a7bdf5301d4cbec
-Signed-off-by: Paul Chaignon
-Signed-off-by: Martin KaFai Lau
-Acked-by: Eduard Zingerman
-Link: https://patch.msgid.link/3b8dcee67ff4296903351a974ddd9c4dca768b64.1753194596.git.paul.chaignon@gmail.com
----
- kernel/bpf/cgroup.c | 8 ++++----
- net/core/filter.c | 20 ++++++++++----------
- 2 files changed, 14 insertions(+), 14 deletions(-)
-
-diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
-index c0d606c40195..1ebf40badbf6 100644
---- a/kernel/bpf/cgroup.c
-+++ b/kernel/bpf/cgroup.c
-@@ -2418,22 +2418,22 @@ static bool cg_sockopt_is_valid_access(int off, int size,
- }
-
- switch (off) {
-- case offsetof(struct bpf_sockopt, sk):
-+ case bpf_ctx_range_ptr(struct bpf_sockopt, sk):
- if (size != sizeof(__u64))
- return false;
- info->reg_type = PTR_TO_SOCKET;
- break;
-- case offsetof(struct bpf_sockopt, optval):
-+ case bpf_ctx_range_ptr(struct bpf_sockopt, optval):
- if (size != sizeof(__u64))
- return false;
- info->reg_type = PTR_TO_PACKET;
- break;
-- case offsetof(struct bpf_sockopt, optval_end):
-+ case bpf_ctx_range_ptr(struct bpf_sockopt, optval_end):
- if (size != sizeof(__u64))
- return false;
- info->reg_type = PTR_TO_PACKET_END;
- break;
-- case offsetof(struct bpf_sockopt, retval):
-+ case bpf_ctx_range(struct bpf_sockopt, retval):
- if (size != size_default)
- return false;
- return prog->expected_attach_type == BPF_CGROUP_GETSOCKOPT;
-diff --git a/net/core/filter.c b/net/core/filter.c
-index 89ed625e1474..4bf298695bd1 100644
---- a/net/core/filter.c
-+++ b/net/core/filter.c
-@@ -8652,7 +8652,7 @@ static bool bpf_skb_is_valid_access(int off, int size, enum bpf_access_type type
- if (size != sizeof(__u64))
- return false;
- break;
-- case offsetof(struct __sk_buff, sk):
-+ case bpf_ctx_range_ptr(struct __sk_buff, sk):
- if (type == BPF_WRITE || size != sizeof(__u64))
- return false;
- info->reg_type = PTR_TO_SOCK_COMMON_OR_NULL;
-@@ -9229,7 +9229,7 @@ static bool sock_addr_is_valid_access(int off, int size,
- return false;
- }
- break;
-- case offsetof(struct bpf_sock_addr, sk):
-+ case bpf_ctx_range_ptr(struct bpf_sock_addr, sk):
- if (type != BPF_READ)
- return false;
- if (size != sizeof(__u64))
-@@ -9283,17 +9283,17 @@ static bool sock_ops_is_valid_access(int off, int size,
- if (size != sizeof(__u64))
- return false;
- break;
-- case offsetof(struct bpf_sock_ops, sk):
-+ case bpf_ctx_range_ptr(struct bpf_sock_ops, sk):
- if (size != sizeof(__u64))
- return false;
- info->reg_type = PTR_TO_SOCKET_OR_NULL;
- break;
-- case offsetof(struct bpf_sock_ops, skb_data):
-+ case bpf_ctx_range_ptr(struct bpf_sock_ops, skb_data):
- if (size != sizeof(__u64))
- return false;
- info->reg_type = PTR_TO_PACKET;
- break;
-- case offsetof(struct bpf_sock_ops, skb_data_end):
-+ case bpf_ctx_range_ptr(struct bpf_sock_ops, skb_data_end):
- if (size != sizeof(__u64))
- return false;
- info->reg_type = PTR_TO_PACKET_END;
-@@ -9302,7 +9302,7 @@ static bool sock_ops_is_valid_access(int off, int size,
- bpf_ctx_record_field_size(info, size_default);
- return bpf_ctx_narrow_access_ok(off, size,
- size_default);
-- case offsetof(struct bpf_sock_ops, skb_hwtstamp):
-+ case bpf_ctx_range(struct bpf_sock_ops, skb_hwtstamp):
- if (size != sizeof(__u64))
- return false;
- break;
-@@ -9372,17 +9372,17 @@ static bool sk_msg_is_valid_access(int off, int size,
- return false;
-
- switch (off) {
-- case offsetof(struct sk_msg_md, data):
-+ case bpf_ctx_range_ptr(struct sk_msg_md, data):
- info->reg_type = PTR_TO_PACKET;
- if (size != sizeof(__u64))
- return false;
- break;
-- case offsetof(struct sk_msg_md, data_end):
-+ case bpf_ctx_range_ptr(struct sk_msg_md, data_end):
- info->reg_type = PTR_TO_PACKET_END;
- if (size != sizeof(__u64))
- return false;
- break;
-- case offsetof(struct sk_msg_md, sk):
-+ case bpf_ctx_range_ptr(struct sk_msg_md, sk):
- if (size != sizeof(__u64))
- return false;
- info->reg_type = PTR_TO_SOCKET;
-@@ -11595,7 +11595,7 @@ static bool sk_lookup_is_valid_access(int off, int size,
- return false;
-
- switch (off) {
-- case offsetof(struct bpf_sk_lookup, sk):
-+ case bpf_ctx_range_ptr(struct bpf_sk_lookup, sk):
- info->reg_type = PTR_TO_SOCKET_OR_NULL;
- return size == sizeof(__u64);
-
---
-2.43.0
-
diff --git a/SPECS/kernel/CVE-2025-40075-1.patch b/SPECS/kernel/CVE-2025-40075-1.patch
deleted file mode 100644
index ebd905650d..0000000000
--- a/SPECS/kernel/CVE-2025-40075-1.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 5713e8f87ebb86cf78123c967d2fdf6a1c1a04d3 Mon Sep 17 00:00:00 2001
-From: Eric Dumazet
-Date: Thu, 28 Aug 2025 19:58:21 +0000
-Subject: [PATCH 4/8] tcp_metrics: use dst_dev_net_rcu()
-
-Replace three dst_dev() with a lockdep enabled helper.
-
-Fixes: 4a6ce2b6f2ec ("net: introduce a new function dst_dev_put()")
-Signed-off-by: Eric Dumazet
-Reviewed-by: David Ahern
-Link: https://patch.msgid.link/20250828195823.3958522-7-edumazet@google.com
-Signed-off-by: Jakub Kicinski
----
- net/ipv4/tcp_metrics.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/net/ipv4/tcp_metrics.c b/net/ipv4/tcp_metrics.c
-index 03c068ea27b6..10e86f1008e9 100644
---- a/net/ipv4/tcp_metrics.c
-+++ b/net/ipv4/tcp_metrics.c
-@@ -170,7 +170,7 @@ static struct tcp_metrics_block *tcpm_new(struct dst_entry *dst,
- struct net *net;
-
- spin_lock_bh(&tcp_metrics_lock);
-- net = dev_net_rcu(dst_dev(dst));
-+ net = dst_dev_net_rcu(dst);
-
- /* While waiting for the spin-lock the cache might have been populated
- * with this entry and so we have to check again.
-@@ -273,7 +273,7 @@ static struct tcp_metrics_block *__tcp_get_metrics_req(struct request_sock *req,
- return NULL;
- }
-
-- net = dev_net_rcu(dst_dev(dst));
-+ net = dst_dev_net_rcu(dst);
- hash ^= net_hash_mix(net);
- hash = hash_32(hash, tcp_metrics_hash_log);
-
-@@ -318,7 +318,7 @@ static struct tcp_metrics_block *tcp_get_metrics(struct sock *sk,
- else
- return NULL;
-
-- net = dev_net_rcu(dst_dev(dst));
-+ net = dst_dev_net_rcu(dst);
- hash ^= net_hash_mix(net);
- hash = hash_32(hash, tcp_metrics_hash_log);
-
---
-2.34.1
-
diff --git a/SPECS/kernel/CVE-2025-40075.patch b/SPECS/kernel/CVE-2025-40075.patch
deleted file mode 100644
index 84376b1590..0000000000
--- a/SPECS/kernel/CVE-2025-40075.patch
+++ /dev/null
@@ -1,105 +0,0 @@
-From 7649135be0cd3d9c9083b623f086573ae448589c Mon Sep 17 00:00:00 2001
-From: Eric Dumazet
-Date: Thu, 28 Aug 2025 19:58:16 +0000
-Subject: [PATCH 3/8] net: dst: introduce dst->dev_rcu
-
-Followup of commit 88fe14253e18 ("net: dst: add four helpers
-to annotate data-races around dst->dev").
-
-We want to gradually add explicit RCU protection to dst->dev,
-including lockdep support.
-
-Add an union to alias dst->dev_rcu and dst->dev.
-
-Add dst_dev_net_rcu() helper.
-
-Fixes: 4a6ce2b6f2ec ("net: introduce a new function dst_dev_put()")
-Signed-off-by: Eric Dumazet
-Reviewed-by: David Ahern
-Link: https://patch.msgid.link/20250828195823.3958522-2-edumazet@google.com
-Signed-off-by: Jakub Kicinski
----
- include/net/dst.h | 16 +++++++++++-----
- net/core/dst.c | 2 +-
- net/ipv4/route.c | 4 ++--
- 3 files changed, 14 insertions(+), 8 deletions(-)
-
-diff --git a/include/net/dst.h b/include/net/dst.h
-index e5c9ea188383..e7c1eb69570e 100644
---- a/include/net/dst.h
-+++ b/include/net/dst.h
-@@ -24,7 +24,10 @@
- struct sk_buff;
-
- struct dst_entry {
-- struct net_device *dev;
-+ union {
-+ struct net_device *dev;
-+ struct net_device __rcu *dev_rcu;
-+ };
- struct dst_ops *ops;
- unsigned long _metrics;
- unsigned long expires;
-@@ -568,9 +571,12 @@ static inline struct net_device *dst_dev(const struct dst_entry *dst)
-
- static inline struct net_device *dst_dev_rcu(const struct dst_entry *dst)
- {
-- /* In the future, use rcu_dereference(dst->dev) */
-- WARN_ON_ONCE(!rcu_read_lock_held());
-- return READ_ONCE(dst->dev);
-+ return rcu_dereference(dst->dev_rcu);
-+}
-+
-+static inline struct net *dst_dev_net_rcu(const struct dst_entry *dst)
-+{
-+ return dev_net_rcu(dst_dev_rcu(dst));
- }
-
- static inline struct net_device *skb_dst_dev(const struct sk_buff *skb)
-@@ -590,7 +596,7 @@ static inline struct net *skb_dst_dev_net(const struct sk_buff *skb)
-
- static inline struct net *skb_dst_dev_net_rcu(const struct sk_buff *skb)
- {
-- return dev_net_rcu(skb_dst_dev(skb));
-+ return dev_net_rcu(skb_dst_dev_rcu(skb));
- }
-
- struct dst_entry *dst_blackhole_check(struct dst_entry *dst, u32 cookie);
-diff --git a/net/core/dst.c b/net/core/dst.c
-index 9a0ddef8bee4..8dbb54148c03 100644
---- a/net/core/dst.c
-+++ b/net/core/dst.c
-@@ -150,7 +150,7 @@ void dst_dev_put(struct dst_entry *dst)
- dst->ops->ifdown(dst, dev);
- WRITE_ONCE(dst->input, dst_discard);
- WRITE_ONCE(dst->output, dst_discard_out);
-- WRITE_ONCE(dst->dev, blackhole_netdev);
-+ rcu_assign_pointer(dst->dev_rcu, blackhole_netdev);
- netdev_ref_replace(dev, blackhole_netdev, &dst->dev_tracker,
- GFP_ATOMIC);
- }
-diff --git a/net/ipv4/route.c b/net/ipv4/route.c
-index 96a01eb33653..8c54a3ecbddf 100644
---- a/net/ipv4/route.c
-+++ b/net/ipv4/route.c
-@@ -1025,7 +1025,7 @@ static void __ip_rt_update_pmtu(struct rtable *rt, struct flowi4 *fl4, u32 mtu)
- return;
-
- rcu_read_lock();
-- net = dev_net_rcu(dst_dev(dst));
-+ net = dst_dev_net_rcu(dst);
- if (mtu < net->ipv4.ip_rt_min_pmtu) {
- lock = true;
- mtu = min(old_mtu, net->ipv4.ip_rt_min_pmtu);
-@@ -1323,7 +1323,7 @@ static unsigned int ipv4_default_advmss(const struct dst_entry *dst)
- struct net *net;
-
- rcu_read_lock();
-- net = dev_net_rcu(dst_dev(dst));
-+ net = dst_dev_net_rcu(dst);
- advmss = max_t(unsigned int, ipv4_mtu(dst) - header_size,
- net->ipv4.ip_rt_min_advmss);
- rcu_read_unlock();
---
-2.34.1
-
diff --git a/SPECS/kernel/CVE-2025-40135.patch b/SPECS/kernel/CVE-2025-40135.patch
deleted file mode 100644
index b5abe69e31..0000000000
--- a/SPECS/kernel/CVE-2025-40135.patch
+++ /dev/null
@@ -1,107 +0,0 @@
-From 18ea99d5d1722719ce866d5b0cf5dc64a73f5f33 Mon Sep 17 00:00:00 2001
-From: Eric Dumazet
-Date: Thu, 28 Aug 2025 19:58:18 +0000
-Subject: [PATCH 10/15] ipv6: use RCU in ip6_xmit()
-
-Use RCU in ip6_xmit() in order to use dst_dev_rcu() to prevent
-possible UAF.
-
-Fixes: 4a6ce2b6f2ec ("net: introduce a new function dst_dev_put()")
-Signed-off-by: Eric Dumazet
-Reviewed-by: David Ahern
-Link: https://patch.msgid.link/20250828195823.3958522-4-edumazet@google.com
-Signed-off-by: Jakub Kicinski
----
- net/ipv6/ip6_output.c | 35 +++++++++++++++++++++--------------
- 1 file changed, 21 insertions(+), 14 deletions(-)
-
-diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
-index dca8b17bc713..19af5dbbddd1 100644
---- a/net/ipv6/ip6_output.c
-+++ b/net/ipv6/ip6_output.c
-@@ -269,35 +269,36 @@ bool ip6_autoflowlabel(struct net *net, const struct sock *sk)
- int ip6_xmit(const struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6,
- __u32 mark, struct ipv6_txoptions *opt, int tclass, u32 priority)
- {
-- struct net *net = sock_net(sk);
- const struct ipv6_pinfo *np = inet6_sk(sk);
- struct in6_addr *first_hop = &fl6->daddr;
- struct dst_entry *dst = skb_dst(skb);
-- struct net_device *dev = dst->dev;
- struct inet6_dev *idev = ip6_dst_idev(dst);
- struct hop_jumbo_hdr *hop_jumbo;
- int hoplen = sizeof(*hop_jumbo);
-+ struct net *net = sock_net(sk);
- unsigned int head_room;
-+ struct net_device *dev;
- struct ipv6hdr *hdr;
- u8 proto = fl6->flowi6_proto;
- int seg_len = skb->len;
-- int hlimit = -1;
-+ int ret, hlimit = -1;
- u32 mtu;
-
-+ rcu_read_lock();
-+
-+ dev = dst_dev_rcu(dst);
- head_room = sizeof(struct ipv6hdr) + hoplen + LL_RESERVED_SPACE(dev);
- if (opt)
- head_room += opt->opt_nflen + opt->opt_flen;
-
- if (unlikely(head_room > skb_headroom(skb))) {
-- /* Make sure idev stays alive */
-- rcu_read_lock();
-+ /* idev stays alive while we hold rcu_read_lock(). */
- skb = skb_expand_head(skb, head_room);
- if (!skb) {
- IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS);
-- rcu_read_unlock();
-- return -ENOBUFS;
-+ ret = -ENOBUFS;
-+ goto unlock;
- }
-- rcu_read_unlock();
- }
-
- if (opt) {
-@@ -359,17 +360,21 @@ int ip6_xmit(const struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6,
- * skb to its handler for processing
- */
- skb = l3mdev_ip6_out((struct sock *)sk, skb);
-- if (unlikely(!skb))
-- return 0;
-+ if (unlikely(!skb)) {
-+ ret = 0;
-+ goto unlock;
-+ }
-
- /* hooks should never assume socket lock is held.
- * we promote our socket to non const
- */
-- return NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT,
-- net, (struct sock *)sk, skb, NULL, dev,
-- dst_output);
-+ ret = NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT,
-+ net, (struct sock *)sk, skb, NULL, dev,
-+ dst_output);
-+ goto unlock;
- }
-
-+ ret = -EMSGSIZE;
- skb->dev = dev;
- /* ipv6_local_error() does not require socket lock,
- * we promote our socket to non const
-@@ -378,7 +383,9 @@ int ip6_xmit(const struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6,
-
- IP6_INC_STATS(net, idev, IPSTATS_MIB_FRAGFAILS);
- kfree_skb(skb);
-- return -EMSGSIZE;
-+unlock:
-+ rcu_read_unlock();
-+ return ret;
- }
- EXPORT_SYMBOL(ip6_xmit);
-
---
-2.43.0
-
diff --git a/SPECS/kernel/CVE-2025-40149.patch b/SPECS/kernel/CVE-2025-40149.patch
deleted file mode 100644
index ad146854d5..0000000000
--- a/SPECS/kernel/CVE-2025-40149.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From 1a26f422f57cca0823041c8e535aed7551b5a1b1 Mon Sep 17 00:00:00 2001
-From: Kuniyuki Iwashima
-Date: Tue, 16 Sep 2025 21:47:23 +0000
-Subject: [PATCH 06/15] tls: Use __sk_dst_get() and dst_dev_rcu() in
- get_netdev_for_sock().
-
-get_netdev_for_sock() is called during setsockopt(),
-so not under RCU.
-
-Using sk_dst_get(sk)->dev could trigger UAF.
-
-Let's use __sk_dst_get() and dst_dev_rcu().
-
-Note that the only ->ndo_sk_get_lower_dev() user is
-bond_sk_get_lower_dev(), which uses RCU.
-
-Fixes: e8f69799810c ("net/tls: Add generic NIC offload infrastructure")
-Signed-off-by: Kuniyuki Iwashima
-Reviewed-by: Eric Dumazet
-Reviewed-by: Sabrina Dubroca
-Link: https://patch.msgid.link/20250916214758.650211-6-kuniyu@google.com
-Signed-off-by: Jakub Kicinski
----
- net/tls/tls_device.c | 18 ++++++++++--------
- 1 file changed, 10 insertions(+), 8 deletions(-)
-
-diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c
-index dc063c2c7950..62e6b62559e2 100644
---- a/net/tls/tls_device.c
-+++ b/net/tls/tls_device.c
-@@ -123,17 +123,19 @@ static void tls_device_queue_ctx_destruction(struct tls_context *ctx)
- /* We assume that the socket is already connected */
- static struct net_device *get_netdev_for_sock(struct sock *sk)
- {
-- struct dst_entry *dst = sk_dst_get(sk);
-- struct net_device *netdev = NULL;
-+ struct net_device *dev, *lowest_dev = NULL;
-+ struct dst_entry *dst;
-
-- if (likely(dst)) {
-- netdev = netdev_sk_get_lowest_dev(dst->dev, sk);
-- dev_hold(netdev);
-+ rcu_read_lock();
-+ dst = __sk_dst_get(sk);
-+ dev = dst ? dst_dev_rcu(dst) : NULL;
-+ if (likely(dev)) {
-+ lowest_dev = netdev_sk_get_lowest_dev(dev, sk);
-+ dev_hold(lowest_dev);
- }
-+ rcu_read_unlock();
-
-- dst_release(dst);
--
-- return netdev;
-+ return lowest_dev;
- }
-
- static void destroy_record(struct tls_record_info *record)
---
-2.43.0
-
diff --git a/SPECS/kernel/CVE-2025-40158.patch b/SPECS/kernel/CVE-2025-40158.patch
deleted file mode 100644
index f6b64288db..0000000000
--- a/SPECS/kernel/CVE-2025-40158.patch
+++ /dev/null
@@ -1,114 +0,0 @@
-From 675f47b6f5b933d55746c0c5cbf5db0316946ece Mon Sep 17 00:00:00 2001
-From: Eric Dumazet
-Date: Thu, 28 Aug 2025 19:58:19 +0000
-Subject: [PATCH 05/15] ipv6: use RCU in ip6_output()
-
-Use RCU in ip6_output() in order to use dst_dev_rcu() to prevent
-possible UAF.
-
-We can remove rcu_read_lock()/rcu_read_unlock() pairs
-from ip6_finish_output2().
-
-Fixes: 4a6ce2b6f2ec ("net: introduce a new function dst_dev_put()")
-Signed-off-by: Eric Dumazet
-Reviewed-by: David Ahern
-Link: https://patch.msgid.link/20250828195823.3958522-5-edumazet@google.com
-Signed-off-by: Jakub Kicinski
----
- net/ipv6/ip6_output.c | 30 ++++++++++++++++--------------
- 1 file changed, 16 insertions(+), 14 deletions(-)
-
-diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
-index f0e5431c2d46..dca8b17bc713 100644
---- a/net/ipv6/ip6_output.c
-+++ b/net/ipv6/ip6_output.c
-@@ -60,7 +60,7 @@
- static int ip6_finish_output2(struct net *net, struct sock *sk, struct sk_buff *skb)
- {
- struct dst_entry *dst = skb_dst(skb);
-- struct net_device *dev = dst->dev;
-+ struct net_device *dev = dst_dev_rcu(dst);
- struct inet6_dev *idev = ip6_dst_idev(dst);
- unsigned int hh_len = LL_RESERVED_SPACE(dev);
- const struct in6_addr *daddr, *nexthop;
-@@ -70,15 +70,12 @@ static int ip6_finish_output2(struct net *net, struct sock *sk, struct sk_buff *
-
- /* Be paranoid, rather than too clever. */
- if (unlikely(hh_len > skb_headroom(skb)) && dev->header_ops) {
-- /* Make sure idev stays alive */
-- rcu_read_lock();
-+ /* idev stays alive because we hold rcu_read_lock(). */
- skb = skb_expand_head(skb, hh_len);
- if (!skb) {
- IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS);
-- rcu_read_unlock();
- return -ENOMEM;
- }
-- rcu_read_unlock();
- }
-
- hdr = ipv6_hdr(skb);
-@@ -123,7 +120,6 @@ static int ip6_finish_output2(struct net *net, struct sock *sk, struct sk_buff *
-
- IP6_UPD_PO_STATS(net, idev, IPSTATS_MIB_OUT, skb->len);
-
-- rcu_read_lock();
- nexthop = rt6_nexthop(dst_rt6_info(dst), daddr);
- neigh = __ipv6_neigh_lookup_noref(dev, nexthop);
-
-@@ -131,7 +127,6 @@ static int ip6_finish_output2(struct net *net, struct sock *sk, struct sk_buff *
- if (unlikely(!neigh))
- neigh = __neigh_create(&nd_tbl, nexthop, dev, false);
- if (IS_ERR(neigh)) {
-- rcu_read_unlock();
- IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTNOROUTES);
- kfree_skb_reason(skb, SKB_DROP_REASON_NEIGH_CREATEFAIL);
- return -EINVAL;
-@@ -139,7 +134,6 @@ static int ip6_finish_output2(struct net *net, struct sock *sk, struct sk_buff *
- }
- sock_confirm_neigh(skb, neigh);
- ret = neigh_output(neigh, skb, false);
-- rcu_read_unlock();
- return ret;
- }
-
-@@ -232,22 +226,30 @@ static int ip6_finish_output(struct net *net, struct sock *sk, struct sk_buff *s
-
- int ip6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
- {
-- struct net_device *dev = skb_dst(skb)->dev, *indev = skb->dev;
-- struct inet6_dev *idev = ip6_dst_idev(skb_dst(skb));
-+ struct dst_entry *dst = skb_dst(skb);
-+ struct net_device *dev, *indev = skb->dev;
-+ struct inet6_dev *idev;
-+ int ret;
-
- skb->protocol = htons(ETH_P_IPV6);
-+ rcu_read_lock();
-+ dev = dst_dev_rcu(dst);
-+ idev = ip6_dst_idev(dst);
- skb->dev = dev;
-
- if (unlikely(!idev || READ_ONCE(idev->cnf.disable_ipv6))) {
- IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS);
-+ rcu_read_unlock();
- kfree_skb_reason(skb, SKB_DROP_REASON_IPV6DISABLED);
- return 0;
- }
-
-- return NF_HOOK_COND(NFPROTO_IPV6, NF_INET_POST_ROUTING,
-- net, sk, skb, indev, dev,
-- ip6_finish_output,
-- !(IP6CB(skb)->flags & IP6SKB_REROUTED));
-+ ret = NF_HOOK_COND(NFPROTO_IPV6, NF_INET_POST_ROUTING,
-+ net, sk, skb, indev, dev,
-+ ip6_finish_output,
-+ !(IP6CB(skb)->flags & IP6SKB_REROUTED));
-+ rcu_read_unlock();
-+ return ret;
- }
- EXPORT_SYMBOL(ip6_output);
-
---
-2.43.0
-
diff --git a/SPECS/kernel/CVE-2025-40164.patch b/SPECS/kernel/CVE-2025-40164.patch
deleted file mode 100644
index ebde4eed72..0000000000
--- a/SPECS/kernel/CVE-2025-40164.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From 741d90c0ea551686d62fbe567448d37d8d100535 Mon Sep 17 00:00:00 2001
-From: Zqiang
-Date: Sat, 11 Oct 2025 15:05:18 +0800
-Subject: [PATCH 04/15] usbnet: Fix using smp_processor_id() in preemptible
- code warnings
-
-Syzbot reported the following warning:
-
-BUG: using smp_processor_id() in preemptible [00000000] code: dhcpcd/2879
-caller is usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331
-CPU: 1 UID: 0 PID: 2879 Comm: dhcpcd Not tainted 6.15.0-rc4-syzkaller-00098-g615dca38c2ea #0 PREEMPT(voluntary)
-Call Trace:
-
- __dump_stack lib/dump_stack.c:94 [inline]
- dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120
- check_preemption_disabled+0xd0/0xe0 lib/smp_processor_id.c:49
- usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331
- usbnet_resume_rx+0x4b/0x170 drivers/net/usb/usbnet.c:708
- usbnet_change_mtu+0x1be/0x220 drivers/net/usb/usbnet.c:417
- __dev_set_mtu net/core/dev.c:9443 [inline]
- netif_set_mtu_ext+0x369/0x5c0 net/core/dev.c:9496
- netif_set_mtu+0xb0/0x160 net/core/dev.c:9520
- dev_set_mtu+0xae/0x170 net/core/dev_api.c:247
- dev_ifsioc+0xa31/0x18d0 net/core/dev_ioctl.c:572
- dev_ioctl+0x223/0x10e0 net/core/dev_ioctl.c:821
- sock_do_ioctl+0x19d/0x280 net/socket.c:1204
- sock_ioctl+0x42f/0x6a0 net/socket.c:1311
- vfs_ioctl fs/ioctl.c:51 [inline]
- __do_sys_ioctl fs/ioctl.c:906 [inline]
- __se_sys_ioctl fs/ioctl.c:892 [inline]
- __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892
- do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
- do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
- entry_SYSCALL_64_after_hwframe+0x77/0x7f
-
-For historical and portability reasons, the netif_rx() is usually
-run in the softirq or interrupt context, this commit therefore add
-local_bh_disable/enable() protection in the usbnet_resume_rx().
-
-Fixes: 43daa96b166c ("usbnet: Stop RX Q on MTU change")
-Link: https://syzkaller.appspot.com/bug?id=81f55dfa587ee544baaaa5a359a060512228c1e1
-Suggested-by: Jakub Kicinski
-Signed-off-by: Zqiang
-Link: https://patch.msgid.link/20251011070518.7095-1-qiang.zhang@linux.dev
-Signed-off-by: Paolo Abeni
----
- drivers/net/usb/usbnet.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
-index 0ff7357c3c91..f1f61d85d949 100644
---- a/drivers/net/usb/usbnet.c
-+++ b/drivers/net/usb/usbnet.c
-@@ -702,6 +702,7 @@ void usbnet_resume_rx(struct usbnet *dev)
- struct sk_buff *skb;
- int num = 0;
-
-+ local_bh_disable();
- clear_bit(EVENT_RX_PAUSED, &dev->flags);
-
- while ((skb = skb_dequeue(&dev->rxq_pause)) != NULL) {
-@@ -710,6 +711,7 @@ void usbnet_resume_rx(struct usbnet *dev)
- }
-
- tasklet_schedule(&dev->bh);
-+ local_bh_enable();
-
- netif_dbg(dev, rx_status, dev->net,
- "paused rx queue disabled, %d skbs requeued\n", num);
---
-2.43.0
-
diff --git a/SPECS/kernel/CVE-2025-40170.patch b/SPECS/kernel/CVE-2025-40170.patch
deleted file mode 100644
index 84d3449594..0000000000
--- a/SPECS/kernel/CVE-2025-40170.patch
+++ /dev/null
@@ -1,138 +0,0 @@
-From 9fd9125f380d8004b8418915725a459518c8501b Mon Sep 17 00:00:00 2001
-From: Eric Dumazet
-Date: Thu, 28 Aug 2025 19:58:20 +0000
-Subject: [PATCH 02/15] net: use dst_dev_rcu() in sk_setup_caps()
-
-Use RCU to protect accesses to dst->dev from sk_setup_caps()
-and sk_dst_gso_max_size().
-
-Also use dst_dev_rcu() in ip6_dst_mtu_maybe_forward(),
-and ip_dst_mtu_maybe_forward().
-
-ip4_dst_hoplimit() can use dst_dev_net_rcu().
-
-Fixes: 4a6ce2b6f2ec ("net: introduce a new function dst_dev_put()")
-Signed-off-by: Eric Dumazet
-Reviewed-by: David Ahern
-Link: https://patch.msgid.link/20250828195823.3958522-6-edumazet@google.com
-Signed-off-by: Jakub Kicinski
----
- include/net/ip.h | 6 ++++--
- include/net/ip6_route.h | 2 +-
- include/net/route.h | 2 +-
- net/core/sock.c | 16 ++++++++++------
- 4 files changed, 16 insertions(+), 10 deletions(-)
-
-diff --git a/include/net/ip.h b/include/net/ip.h
-index 5f0f1215d2f9..c65ca2765e29 100644
---- a/include/net/ip.h
-+++ b/include/net/ip.h
-@@ -470,12 +470,14 @@ static inline unsigned int ip_dst_mtu_maybe_forward(const struct dst_entry *dst,
- bool forwarding)
- {
- const struct rtable *rt = dst_rtable(dst);
-+ const struct net_device *dev;
- unsigned int mtu, res;
- struct net *net;
-
- rcu_read_lock();
-
-- net = dev_net_rcu(dst_dev(dst));
-+ dev = dst_dev_rcu(dst);
-+ net = dev_net_rcu(dev);
- if (READ_ONCE(net->ipv4.sysctl_ip_fwd_use_pmtu) ||
- ip_mtu_locked(dst) ||
- !forwarding) {
-@@ -489,7 +491,7 @@ static inline unsigned int ip_dst_mtu_maybe_forward(const struct dst_entry *dst,
- if (mtu)
- goto out;
-
-- mtu = READ_ONCE(dst_dev(dst)->mtu);
-+ mtu = READ_ONCE(dev->mtu);
-
- if (unlikely(ip_mtu_locked(dst))) {
- if (rt->rt_uses_gateway && mtu > 576)
-diff --git a/include/net/ip6_route.h b/include/net/ip6_route.h
-index 6dbdf60b342f..ede44cde7fe5 100644
---- a/include/net/ip6_route.h
-+++ b/include/net/ip6_route.h
-@@ -337,7 +337,7 @@ static inline unsigned int ip6_dst_mtu_maybe_forward(const struct dst_entry *dst
-
- mtu = IPV6_MIN_MTU;
- rcu_read_lock();
-- idev = __in6_dev_get(dst->dev);
-+ idev = __in6_dev_get(dst_dev_rcu(dst));
- if (idev)
- mtu = READ_ONCE(idev->cnf.mtu6);
- rcu_read_unlock();
-diff --git a/include/net/route.h b/include/net/route.h
-index 232b7bf55ba2..cbb4d5523062 100644
---- a/include/net/route.h
-+++ b/include/net/route.h
-@@ -369,7 +369,7 @@ static inline int ip4_dst_hoplimit(const struct dst_entry *dst)
- const struct net *net;
-
- rcu_read_lock();
-- net = dev_net_rcu(dst_dev(dst));
-+ net = dst_dev_net_rcu(dst);
- hoplimit = READ_ONCE(net->ipv4.sysctl_ip_default_ttl);
- rcu_read_unlock();
- }
-diff --git a/net/core/sock.c b/net/core/sock.c
-index 1781f3a642b4..97cc796a1d33 100644
---- a/net/core/sock.c
-+++ b/net/core/sock.c
-@@ -2524,7 +2524,7 @@ void sk_free_unlock_clone(struct sock *sk)
- }
- EXPORT_SYMBOL_GPL(sk_free_unlock_clone);
-
--static u32 sk_dst_gso_max_size(struct sock *sk, struct dst_entry *dst)
-+static u32 sk_dst_gso_max_size(struct sock *sk, const struct net_device *dev)
- {
- bool is_ipv6 = false;
- u32 max_size;
-@@ -2534,8 +2534,8 @@ static u32 sk_dst_gso_max_size(struct sock *sk, struct dst_entry *dst)
- !ipv6_addr_v4mapped(&sk->sk_v6_rcv_saddr));
- #endif
- /* pairs with the WRITE_ONCE() in netif_set_gso(_ipv4)_max_size() */
-- max_size = is_ipv6 ? READ_ONCE(dst_dev(dst)->gso_max_size) :
-- READ_ONCE(dst_dev(dst)->gso_ipv4_max_size);
-+ max_size = is_ipv6 ? READ_ONCE(dev->gso_max_size) :
-+ READ_ONCE(dev->gso_ipv4_max_size);
- if (max_size > GSO_LEGACY_MAX_SIZE && !sk_is_tcp(sk))
- max_size = GSO_LEGACY_MAX_SIZE;
-
-@@ -2544,9 +2544,12 @@ static u32 sk_dst_gso_max_size(struct sock *sk, struct dst_entry *dst)
-
- void sk_setup_caps(struct sock *sk, struct dst_entry *dst)
- {
-+ const struct net_device *dev;
- u32 max_segs = 1;
-
-- sk->sk_route_caps = dst_dev(dst)->features;
-+ rcu_read_lock();
-+ dev = dst_dev_rcu(dst);
-+ sk->sk_route_caps = dev->features;
- if (sk_is_tcp(sk)) {
- struct inet_connection_sock *icsk = inet_csk(sk);
-
-@@ -2562,13 +2565,14 @@ void sk_setup_caps(struct sock *sk, struct dst_entry *dst)
- sk->sk_route_caps &= ~NETIF_F_GSO_MASK;
- } else {
- sk->sk_route_caps |= NETIF_F_SG | NETIF_F_HW_CSUM;
-- sk->sk_gso_max_size = sk_dst_gso_max_size(sk, dst);
-+ sk->sk_gso_max_size = sk_dst_gso_max_size(sk, dev);
- /* pairs with the WRITE_ONCE() in netif_set_gso_max_segs() */
-- max_segs = max_t(u32, READ_ONCE(dst_dev(dst)->gso_max_segs), 1);
-+ max_segs = max_t(u32, READ_ONCE(dev->gso_max_segs), 1);
- }
- }
- sk->sk_gso_max_segs = max_segs;
- sk_dst_set(sk, dst);
-+ rcu_read_unlock();
- }
- EXPORT_SYMBOL_GPL(sk_setup_caps);
-
---
-2.43.0
-
diff --git a/SPECS/kernel/CVE-2025-40215.patch b/SPECS/kernel/CVE-2025-40215.patch
deleted file mode 100644
index 644a85a3e8..0000000000
--- a/SPECS/kernel/CVE-2025-40215.patch
+++ /dev/null
@@ -1,191 +0,0 @@
-From 39992c2053e7eff318860d12ae26b2a57385a772 Mon Sep 17 00:00:00 2001
-From: Sabrina Dubroca
-Date: Fri, 4 Jul 2025 16:54:33 +0200
-Subject: [PATCH] xfrm: delete x->tunnel as we delete x
-
-The ipcomp fallback tunnels currently get deleted (from the various
-lists and hashtables) as the last user state that needed that fallback
-is destroyed (not deleted). If a reference to that user state still
-exists, the fallback state will remain on the hashtables/lists,
-triggering the WARN in xfrm_state_fini. Because of those remaining
-references, the fix in commit f75a2804da39 ("xfrm: destroy xfrm_state
-synchronously on net exit path") is not complete.
-
-We recently fixed one such situation in TCP due to defered freeing of
-skbs (commit 9b6412e6979f ("tcp: drop secpath at the same time as we
-currently drop dst")). This can also happen due to IP reassembly: skbs
-with a secpath remain on the reassembly queue until netns
-destruction. If we can't guarantee that the queues are flushed by the
-time xfrm_state_fini runs, there may still be references to a (user)
-xfrm_state, preventing the timely deletion of the corresponding
-fallback state.
-
-Instead of chasing each instance of skbs holding a secpath one by one,
-this patch fixes the issue directly within xfrm, by deleting the
-fallback state as soon as the last user state depending on it has been
-deleted. Destruction will still happen when the final reference is
-dropped.
-
-A separate lockdep class for the fallback state is required since
-we're going to lock x->tunnel while x is locked.
-
-Fixes: 9d4139c76905 ("netns xfrm: per-netns xfrm_state_all list")
-Signed-off-by: Sabrina Dubroca
-Signed-off-by: Steffen Klassert
----
- include/net/xfrm.h | 1 -
- net/ipv4/ipcomp.c | 2 ++
- net/ipv6/ipcomp6.c | 2 ++
- net/ipv6/xfrm6_tunnel.c | 2 +-
- net/xfrm/xfrm_ipcomp.c | 1 -
- net/xfrm/xfrm_state.c | 19 ++++++++-----------
- 6 files changed, 13 insertions(+), 14 deletions(-)
-
-diff --git a/include/net/xfrm.h b/include/net/xfrm.h
-index caaff61601a0..d51204041bf7 100644
---- a/include/net/xfrm.h
-+++ b/include/net/xfrm.h
-@@ -424,7 +424,6 @@ int xfrm_input_register_afinfo(const struct xfrm_input_afinfo *afinfo);
- int xfrm_input_unregister_afinfo(const struct xfrm_input_afinfo *afinfo);
-
- void xfrm_flush_gc(void);
--void xfrm_state_delete_tunnel(struct xfrm_state *x);
-
- struct xfrm_type {
- struct module *owner;
-diff --git a/net/ipv4/ipcomp.c b/net/ipv4/ipcomp.c
-index 5a4fb2539b08..9a45aed508d1 100644
---- a/net/ipv4/ipcomp.c
-+++ b/net/ipv4/ipcomp.c
-@@ -54,6 +54,7 @@ static int ipcomp4_err(struct sk_buff *skb, u32 info)
- }
-
- /* We always hold one tunnel user reference to indicate a tunnel */
-+static struct lock_class_key xfrm_state_lock_key;
- static struct xfrm_state *ipcomp_tunnel_create(struct xfrm_state *x)
- {
- struct net *net = xs_net(x);
-@@ -62,6 +63,7 @@ static struct xfrm_state *ipcomp_tunnel_create(struct xfrm_state *x)
- t = xfrm_state_alloc(net);
- if (!t)
- goto out;
-+ lockdep_set_class(&t->lock, &xfrm_state_lock_key);
-
- t->id.proto = IPPROTO_IPIP;
- t->id.spi = x->props.saddr.a4;
-diff --git a/net/ipv6/ipcomp6.c b/net/ipv6/ipcomp6.c
-index 72d4858dec18..8607569de34f 100644
---- a/net/ipv6/ipcomp6.c
-+++ b/net/ipv6/ipcomp6.c
-@@ -71,6 +71,7 @@ static int ipcomp6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
- return 0;
- }
-
-+static struct lock_class_key xfrm_state_lock_key;
- static struct xfrm_state *ipcomp6_tunnel_create(struct xfrm_state *x)
- {
- struct net *net = xs_net(x);
-@@ -79,6 +80,7 @@ static struct xfrm_state *ipcomp6_tunnel_create(struct xfrm_state *x)
- t = xfrm_state_alloc(net);
- if (!t)
- goto out;
-+ lockdep_set_class(&t->lock, &xfrm_state_lock_key);
-
- t->id.proto = IPPROTO_IPV6;
- t->id.spi = xfrm6_tunnel_alloc_spi(net, (xfrm_address_t *)&x->props.saddr);
-diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c
-index bf140ef781c1..7fd8bc08e6eb 100644
---- a/net/ipv6/xfrm6_tunnel.c
-+++ b/net/ipv6/xfrm6_tunnel.c
-@@ -334,8 +334,8 @@ static void __net_exit xfrm6_tunnel_net_exit(struct net *net)
- struct xfrm6_tunnel_net *xfrm6_tn = xfrm6_tunnel_pernet(net);
- unsigned int i;
-
-- xfrm_flush_gc();
- xfrm_state_flush(net, 0, false, true);
-+ xfrm_flush_gc();
-
- for (i = 0; i < XFRM6_TUNNEL_SPI_BYADDR_HSIZE; i++)
- WARN_ON_ONCE(!hlist_empty(&xfrm6_tn->spi_byaddr[i]));
-diff --git a/net/xfrm/xfrm_ipcomp.c b/net/xfrm/xfrm_ipcomp.c
-index 9c0fa0e1786a..f2e70e918f11 100644
---- a/net/xfrm/xfrm_ipcomp.c
-+++ b/net/xfrm/xfrm_ipcomp.c
-@@ -315,7 +315,6 @@ void ipcomp_destroy(struct xfrm_state *x)
- struct ipcomp_data *ipcd = x->data;
- if (!ipcd)
- return;
-- xfrm_state_delete_tunnel(x);
- mutex_lock(&ipcomp_resource_mutex);
- ipcomp_free_data(ipcd);
- mutex_unlock(&ipcomp_resource_mutex);
-diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
-index f8cb033f102e..e4500d481e26 100644
---- a/net/xfrm/xfrm_state.c
-+++ b/net/xfrm/xfrm_state.c
-@@ -748,6 +748,7 @@ void __xfrm_state_destroy(struct xfrm_state *x, bool sync)
- }
- EXPORT_SYMBOL(__xfrm_state_destroy);
-
-+static void xfrm_state_delete_tunnel(struct xfrm_state *x);
- int __xfrm_state_delete(struct xfrm_state *x)
- {
- struct net *net = xs_net(x);
-@@ -775,6 +776,8 @@ int __xfrm_state_delete(struct xfrm_state *x)
-
- xfrm_dev_state_delete(x);
-
-+ xfrm_state_delete_tunnel(x);
-+
- /* All xfrm_state objects are created by xfrm_state_alloc.
- * The xfrm_state_alloc call gives a reference, and that
- * is what we are dropping here.
-@@ -878,10 +881,7 @@ int xfrm_state_flush(struct net *net, u8 proto, bool task_valid, bool sync)
- err = xfrm_state_delete(x);
- xfrm_audit_state_delete(x, err ? 0 : 1,
- task_valid);
-- if (sync)
-- xfrm_state_put_sync(x);
-- else
-- xfrm_state_put(x);
-+ xfrm_state_put(x);
- if (!err)
- cnt++;
-
-@@ -3008,20 +3008,17 @@ void xfrm_flush_gc(void)
- }
- EXPORT_SYMBOL(xfrm_flush_gc);
-
--/* Temporarily located here until net/xfrm/xfrm_tunnel.c is created */
--void xfrm_state_delete_tunnel(struct xfrm_state *x)
-+static void xfrm_state_delete_tunnel(struct xfrm_state *x)
- {
- if (x->tunnel) {
- struct xfrm_state *t = x->tunnel;
-
-- if (atomic_read(&t->tunnel_users) == 2)
-+ if (atomic_dec_return(&t->tunnel_users) == 1)
- xfrm_state_delete(t);
-- atomic_dec(&t->tunnel_users);
-- xfrm_state_put_sync(t);
-+ xfrm_state_put(t);
- x->tunnel = NULL;
- }
- }
--EXPORT_SYMBOL(xfrm_state_delete_tunnel);
-
- u32 xfrm_state_mtu(struct xfrm_state *x, int mtu)
- {
-@@ -3221,8 +3218,8 @@ void xfrm_state_fini(struct net *net)
- unsigned int sz;
-
- flush_work(&net->xfrm.state_hash_work);
-- flush_work(&xfrm_state_gc_work);
- xfrm_state_flush(net, 0, false, true);
-+ flush_work(&xfrm_state_gc_work);
-
- WARN_ON(!list_empty(&net->xfrm.state_all));
-
---
-2.43.0
-
diff --git a/SPECS/kernel/CVE-2025-40325.patch b/SPECS/kernel/CVE-2025-40325.patch
deleted file mode 100644
index 61d5a72e16..0000000000
--- a/SPECS/kernel/CVE-2025-40325.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 9918ef3a9010cb1b131fe3e7bbae19786b074ff5 Mon Sep 17 00:00:00 2001
-From: Xiao Ni
-Date: Thu, 6 Mar 2025 17:49:38 +0800
-Subject: [PATCH 01/27] md/raid10: wait barrier before returning discard
- request with REQ_NOWAIT
-
-raid10_handle_discard should wait barrier before returning a discard bio
-which has REQ_NOWAIT. And there is no need to print warning calltrace
-if a discard bio has REQ_NOWAIT flag. Quality engineer usually checks
-dmesg and reports error if dmesg has warning/error calltrace.
-
-Fixes: c9aa889b035f ("md: raid10 add nowait support")
-Signed-off-by: Xiao Ni
-Acked-by: Coly Li
-Link: https://lore.kernel.org/linux-raid/20250306094938.48952-1-xni@redhat.com
-Signed-off-by: Yu Kuai
----
- drivers/md/raid10.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
-index 5cdc599fcad3..8825457f6a70 100644
---- a/drivers/md/raid10.c
-+++ b/drivers/md/raid10.c
-@@ -1591,11 +1591,10 @@ static int raid10_handle_discard(struct mddev *mddev, struct bio *bio)
- if (test_bit(MD_RECOVERY_RESHAPE, &mddev->recovery))
- return -EAGAIN;
-
-- if (WARN_ON_ONCE(bio->bi_opf & REQ_NOWAIT)) {
-+ if (!wait_barrier(conf, bio->bi_opf & REQ_NOWAIT)) {
- bio_wouldblock_error(bio);
- return 0;
- }
-- wait_barrier(conf, false);
-
- /*
- * Check reshape again to avoid reshape happens after checking
---
-2.43.0
-
diff --git a/SPECS/kernel/CVE-2025-68206.patch b/SPECS/kernel/CVE-2025-68206.patch
deleted file mode 100644
index 55348ebbc6..0000000000
--- a/SPECS/kernel/CVE-2025-68206.patch
+++ /dev/null
@@ -1,109 +0,0 @@
-From c43fb751a35eebdb90abf7217ed8d1096f25e27d Mon Sep 17 00:00:00 2001
-From: Andrii Melnychenko
-Date: Fri, 24 Oct 2025 18:22:16 +0200
-Subject: [PATCH 42/45] netfilter: nft_ct: add seqadj extension for natted
- connections
-
-Sequence adjustment may be required for FTP traffic with PASV/EPSV modes.
-due to need to re-write packet payload (IP, port) on the ftp control
-connection. This can require changes to the TCP length and expected
-seq / ack_seq.
-
-The easiest way to reproduce this issue is with PASV mode.
-Example ruleset:
-table inet ftp_nat {
- ct helper ftp_helper {
- type "ftp" protocol tcp
- l3proto inet
- }
-
- chain prerouting {
- type filter hook prerouting priority 0; policy accept;
- tcp dport 21 ct state new ct helper set "ftp_helper"
- }
-}
-table ip nat {
- chain prerouting {
- type nat hook prerouting priority -100; policy accept;
- tcp dport 21 dnat ip prefix to ip daddr map {
- 192.168.100.1 : 192.168.13.2/32 }
- }
-
- chain postrouting {
- type nat hook postrouting priority 100 ; policy accept;
- tcp sport 21 snat ip prefix to ip saddr map {
- 192.168.13.2 : 192.168.100.1/32 }
- }
-}
-
-Note that the ftp helper gets assigned *after* the dnat setup.
-
-The inverse (nat after helper assign) is handled by an existing
-check in nf_nat_setup_info() and will not show the problem.
-
-Topoloy:
-
- +-------------------+ +----------------------------------+
- | FTP: 192.168.13.2 | <-> | NAT: 192.168.13.3, 192.168.100.1 |
- +-------------------+ +----------------------------------+
- |
- +-----------------------+
- | Client: 192.168.100.2 |
- +-----------------------+
-
-ftp nat changes do not work as expected in this case:
-Connected to 192.168.100.1.
-[..]
-ftp> epsv
-EPSV/EPRT on IPv4 off.
-ftp> ls
-227 Entering passive mode (192,168,100,1,209,129).
-421 Service not available, remote server has closed connection.
-
-Kernel logs:
-Missing nfct_seqadj_ext_add() setup call
-WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41
-[..]
- __nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat]
- nf_nat_ftp+0x142/0x280 [nf_nat_ftp]
- help+0x4d1/0x880 [nf_conntrack_ftp]
- nf_confirm+0x122/0x2e0 [nf_conntrack]
- nf_hook_slow+0x3c/0xb0
- ..
-
-Fix this by adding the required extension when a conntrack helper is assigned
-to a connection that has a nat binding.
-
-Fixes: 1a64edf54f55 ("netfilter: nft_ct: add helper set support")
-Signed-off-by: Andrii Melnychenko
-Signed-off-by: Florian Westphal
----
- net/netfilter/nft_ct.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
-index a1b373b99f7b..58a6ad7ed7a4 100644
---- a/net/netfilter/nft_ct.c
-+++ b/net/netfilter/nft_ct.c
-@@ -22,6 +22,7 @@
- #include
- #include
- #include
-+#include
-
- struct nft_ct_helper_obj {
- struct nf_conntrack_helper *helper4;
-@@ -1173,6 +1174,10 @@ static void nft_ct_helper_obj_eval(struct nft_object *obj,
- if (help) {
- rcu_assign_pointer(help->helper, to_assign);
- set_bit(IPS_HELPER_BIT, &ct->status);
-+
-+ if ((ct->status & IPS_NAT_MASK) && !nfct_seqadj(ct))
-+ if (!nfct_seqadj_ext_add(ct))
-+ regs->verdict.code = NF_DROP;
- }
- }
-
---
-2.43.0
-
diff --git a/SPECS/kernel/CVE-2025-68254.patch b/SPECS/kernel/CVE-2025-68254.patch
deleted file mode 100644
index 21361a120e..0000000000
--- a/SPECS/kernel/CVE-2025-68254.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 16c1bc832b694b818117327950eccdbb0f5ab2f3 Mon Sep 17 00:00:00 2001
-From: Navaneeth K
-Date: Thu, 20 Nov 2025 16:35:20 +0000
-Subject: [PATCH 41/45] staging: rtl8723bs: fix out-of-bounds read in OnBeacon
- ESR IE parsing
-
-The Extended Supported Rates (ESR) IE handling in OnBeacon accessed
-*(p + 1 + ielen) and *(p + 2 + ielen) without verifying that these
-offsets lie within the received frame buffer. A malformed beacon with
-an ESR IE positioned at the end of the buffer could cause an
-out-of-bounds read, potentially triggering a kernel panic.
-
-Add a boundary check to ensure that the ESR IE body and the subsequent
-bytes are within the limits of the frame before attempting to access
-them.
-
-This prevents OOB reads caused by malformed beacon frames.
-
-Signed-off-by: Navaneeth K
-Cc: stable
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
-index c51e7e551300..2569b92e6a87 100644
---- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
-+++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
-@@ -579,9 +579,11 @@ unsigned int OnBeacon(struct adapter *padapter, union recv_frame *precv_frame)
-
- p = rtw_get_ie(pframe + sizeof(struct ieee80211_hdr_3addr) + _BEACON_IE_OFFSET_, WLAN_EID_EXT_SUPP_RATES, &ielen, precv_frame->u.hdr.len - sizeof(struct ieee80211_hdr_3addr) - _BEACON_IE_OFFSET_);
- if (p && ielen > 0) {
-- if ((*(p + 1 + ielen) == 0x2D) && (*(p + 2 + ielen) != 0x2D))
-- /* Invalid value 0x2D is detected in Extended Supported Rates (ESR) IE. Try to fix the IE length to avoid failed Beacon parsing. */
-- *(p + 1) = ielen - 1;
-+ if (p + 2 + ielen < pframe + len) {
-+ if ((*(p + 1 + ielen) == 0x2D) && (*(p + 2 + ielen) != 0x2D))
-+ /* Invalid value 0x2D is detected in Extended Supported Rates (ESR) IE. Try to fix the IE length to avoid failed Beacon parsing. */
-+ *(p + 1) = ielen - 1;
-+ }
- }
-
- if (pmlmeext->sitesurvey_res.state == SCAN_PROCESS) {
---
-2.43.0
-
diff --git a/SPECS/kernel/CVE-2025-68255.patch b/SPECS/kernel/CVE-2025-68255.patch
deleted file mode 100644
index 953a42a0f0..0000000000
--- a/SPECS/kernel/CVE-2025-68255.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 1b4a578275665dcf61b5dcfc8e2f20d501bc506d Mon Sep 17 00:00:00 2001
-From: Navaneeth K
-Date: Thu, 20 Nov 2025 16:33:08 +0000
-Subject: [PATCH 40/45] staging: rtl8723bs: fix stack buffer overflow in
- OnAssocReq IE parsing
-
-The Supported Rates IE length from an incoming Association Request frame
-was used directly as the memcpy() length when copying into a fixed-size
-16-byte stack buffer (supportRate). A malicious station can advertise an
-IE length larger than 16 bytes, causing a stack buffer overflow.
-
-Clamp ie_len to the buffer size before copying the Supported Rates IE,
-and correct the bounds check when merging Extended Supported Rates to
-prevent a second potential overflow.
-
-This prevents kernel stack corruption triggered by malformed association
-requests.
-
-Signed-off-by: Navaneeth K
-Cc: stable
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
-index 4d4bec47d187..c51e7e551300 100644
---- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
-+++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
-@@ -1033,6 +1033,9 @@ unsigned int OnAssocReq(struct adapter *padapter, union recv_frame *precv_frame)
- status = WLAN_STATUS_CHALLENGE_FAIL;
- goto OnAssocReqFail;
- } else {
-+ if (ie_len > sizeof(supportRate))
-+ ie_len = sizeof(supportRate);
-+
- memcpy(supportRate, p+2, ie_len);
- supportRateNum = ie_len;
-
-@@ -1040,7 +1043,7 @@ unsigned int OnAssocReq(struct adapter *padapter, union recv_frame *precv_frame)
- pkt_len - WLAN_HDR_A3_LEN - ie_offset);
- if (p) {
-
-- if (supportRateNum <= sizeof(supportRate)) {
-+ if (supportRateNum + ie_len <= sizeof(supportRate)) {
- memcpy(supportRate+supportRateNum, p+2, ie_len);
- supportRateNum += ie_len;
- }
---
-2.43.0
-
diff --git a/SPECS/kernel/CVE-2025-68256.patch b/SPECS/kernel/CVE-2025-68256.patch
deleted file mode 100644
index b6236c7ab9..0000000000
--- a/SPECS/kernel/CVE-2025-68256.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 9a072e4b9f9fc9796decbdde3c61a1d26c4616ec Mon Sep 17 00:00:00 2001
-From: Navaneeth K
-Date: Thu, 20 Nov 2025 16:23:52 +0000
-Subject: [PATCH 39/45] staging: rtl8723bs: fix out-of-bounds read in
- rtw_get_ie() parser
-
-The Information Element (IE) parser rtw_get_ie() trusted the length
-byte of each IE without validating that the IE body (len bytes after
-the 2-byte header) fits inside the remaining frame buffer. A malformed
-frame can advertise an IE length larger than the available data, causing
-the parser to increment its pointer beyond the buffer end. This results
-in out-of-bounds reads or, depending on the pattern, an infinite loop.
-
-Fix by validating that (offset + 2 + len) does not exceed the limit
-before accepting the IE or advancing to the next element.
-
-This prevents OOB reads and ensures the parser terminates safely on
-malformed frames.
-
-Signed-off-by: Navaneeth K
-Cc: stable
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/staging/rtl8723bs/core/rtw_ieee80211.c | 14 ++++++++------
- 1 file changed, 8 insertions(+), 6 deletions(-)
-
-diff --git a/drivers/staging/rtl8723bs/core/rtw_ieee80211.c b/drivers/staging/rtl8723bs/core/rtw_ieee80211.c
-index 0ed420f3d096..5abe2fddc3d7 100644
---- a/drivers/staging/rtl8723bs/core/rtw_ieee80211.c
-+++ b/drivers/staging/rtl8723bs/core/rtw_ieee80211.c
-@@ -140,22 +140,24 @@ u8 *rtw_get_ie(u8 *pbuf, signed int index, signed int *len, signed int limit)
- signed int tmp, i;
- u8 *p;
-
-- if (limit < 1)
-+ if (limit < 2)
- return NULL;
-
- p = pbuf;
- i = 0;
- *len = 0;
-- while (1) {
-+ while (i + 2 <= limit) {
-+ tmp = *(p + 1);
-+ if (i + 2 + tmp > limit)
-+ break;
-+
- if (*p == index) {
-- *len = *(p + 1);
-+ *len = tmp;
- return p;
- }
-- tmp = *(p + 1);
-+
- p += (tmp + 2);
- i += (tmp + 2);
-- if (i >= limit)
-- break;
- }
- return NULL;
- }
---
-2.43.0
-
diff --git a/SPECS/kernel/CVE-2025-68259.patch b/SPECS/kernel/CVE-2025-68259.patch
deleted file mode 100644
index 0d95142d91..0000000000
--- a/SPECS/kernel/CVE-2025-68259.patch
+++ /dev/null
@@ -1,203 +0,0 @@
-From fbde4b2683a4a878f0a3ead58b796f9d6aa9d228 Mon Sep 17 00:00:00 2001
-From: Omar Sandoval
-Date: Tue, 4 Nov 2025 09:55:26 -0800
-Subject: [PATCH 38/45] KVM: SVM: Don't skip unrelated instruction if INT3/INTO
- is replaced
-
-When re-injecting a soft interrupt from an INT3, INT0, or (select) INTn
-instruction, discard the exception and retry the instruction if the code
-stream is changed (e.g. by a different vCPU) between when the CPU
-executes the instruction and when KVM decodes the instruction to get the
-next RIP.
-
-As effectively predicted by commit 6ef88d6e36c2 ("KVM: SVM: Re-inject
-INT3/INTO instead of retrying the instruction"), failure to verify that
-the correct INTn instruction was decoded can effectively clobber guest
-state due to decoding the wrong instruction and thus specifying the
-wrong next RIP.
-
-The bug most often manifests as "Oops: int3" panics on static branch
-checks in Linux guests. Enabling or disabling a static branch in Linux
-uses the kernel's "text poke" code patching mechanism. To modify code
-while other CPUs may be executing that code, Linux (temporarily)
-replaces the first byte of the original instruction with an int3 (opcode
-0xcc), then patches in the new code stream except for the first byte,
-and finally replaces the int3 with the first byte of the new code
-stream. If a CPU hits the int3, i.e. executes the code while it's being
-modified, then the guest kernel must look up the RIP to determine how to
-handle the #BP, e.g. by emulating the new instruction. If the RIP is
-incorrect, then this lookup fails and the guest kernel panics.
-
-The bug reproduces almost instantly by hacking the guest kernel to
-repeatedly check a static branch[1] while running a drgn script[2] on
-the host to constantly swap out the memory containing the guest's TSS.
-
-[1]: https://gist.github.com/osandov/44d17c51c28c0ac998ea0334edf90b5a
-[2]: https://gist.github.com/osandov/10e45e45afa29b11e0c7209247afc00b
-
-Fixes: 6ef88d6e36c2 ("KVM: SVM: Re-inject INT3/INTO instead of retrying the instruction")
-Cc: stable@vger.kernel.org
-Co-developed-by: Sean Christopherson
-Signed-off-by: Omar Sandoval
-Link: https://patch.msgid.link/1cc6dcdf36e3add7ee7c8d90ad58414eeb6c3d34.1762278762.git.osandov@fb.com
-Signed-off-by: Sean Christopherson
----
- arch/x86/include/asm/kvm_host.h | 9 +++++++++
- arch/x86/kvm/svm/svm.c | 24 +++++++++++++-----------
- arch/x86/kvm/x86.c | 21 +++++++++++++++++++++
- 3 files changed, 43 insertions(+), 11 deletions(-)
-
-diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
-index d27df86aa62c..c6c8c21106ef 100644
---- a/arch/x86/include/asm/kvm_host.h
-+++ b/arch/x86/include/asm/kvm_host.h
-@@ -2059,6 +2059,11 @@ u64 vcpu_tsc_khz(struct kvm_vcpu *vcpu);
- * the gfn, i.e. retrying the instruction will hit a
- * !PRESENT fault, which results in a new shadow page
- * and sends KVM back to square one.
-+ *
-+ * EMULTYPE_SKIP_SOFT_INT - Set in combination with EMULTYPE_SKIP to only skip
-+ * an instruction if it could generate a given software
-+ * interrupt, which must be encoded via
-+ * EMULTYPE_SET_SOFT_INT_VECTOR().
- */
- #define EMULTYPE_NO_DECODE (1 << 0)
- #define EMULTYPE_TRAP_UD (1 << 1)
-@@ -2069,6 +2074,10 @@ u64 vcpu_tsc_khz(struct kvm_vcpu *vcpu);
- #define EMULTYPE_PF (1 << 6)
- #define EMULTYPE_COMPLETE_USER_EXIT (1 << 7)
- #define EMULTYPE_WRITE_PF_TO_SP (1 << 8)
-+#define EMULTYPE_SKIP_SOFT_INT (1 << 9)
-+
-+#define EMULTYPE_SET_SOFT_INT_VECTOR(v) ((u32)((v) & 0xff) << 16)
-+#define EMULTYPE_GET_SOFT_INT_VECTOR(e) (((e) >> 16) & 0xff)
-
- int kvm_emulate_instruction(struct kvm_vcpu *vcpu, int emulation_type);
- int kvm_emulate_instruction_from_buffer(struct kvm_vcpu *vcpu,
-diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
-index 71b32e64e801..63c578e03f29 100644
---- a/arch/x86/kvm/svm/svm.c
-+++ b/arch/x86/kvm/svm/svm.c
-@@ -369,6 +369,7 @@ static void svm_set_interrupt_shadow(struct kvm_vcpu *vcpu, int mask)
- }
-
- static int __svm_skip_emulated_instruction(struct kvm_vcpu *vcpu,
-+ int emul_type,
- bool commit_side_effects)
- {
- struct vcpu_svm *svm = to_svm(vcpu);
-@@ -390,7 +391,7 @@ static int __svm_skip_emulated_instruction(struct kvm_vcpu *vcpu,
- if (unlikely(!commit_side_effects))
- old_rflags = svm->vmcb->save.rflags;
-
-- if (!kvm_emulate_instruction(vcpu, EMULTYPE_SKIP))
-+ if (!kvm_emulate_instruction(vcpu, emul_type))
- return 0;
-
- if (unlikely(!commit_side_effects))
-@@ -408,11 +409,13 @@ static int __svm_skip_emulated_instruction(struct kvm_vcpu *vcpu,
-
- static int svm_skip_emulated_instruction(struct kvm_vcpu *vcpu)
- {
-- return __svm_skip_emulated_instruction(vcpu, true);
-+ return __svm_skip_emulated_instruction(vcpu, EMULTYPE_SKIP, true);
- }
-
--static int svm_update_soft_interrupt_rip(struct kvm_vcpu *vcpu)
-+static int svm_update_soft_interrupt_rip(struct kvm_vcpu *vcpu, u8 vector)
- {
-+ const int emul_type = EMULTYPE_SKIP | EMULTYPE_SKIP_SOFT_INT |
-+ EMULTYPE_SET_SOFT_INT_VECTOR(vector);
- unsigned long rip, old_rip = kvm_rip_read(vcpu);
- struct vcpu_svm *svm = to_svm(vcpu);
-
-@@ -428,7 +431,7 @@ static int svm_update_soft_interrupt_rip(struct kvm_vcpu *vcpu)
- * in use, the skip must not commit any side effects such as clearing
- * the interrupt shadow or RFLAGS.RF.
- */
-- if (!__svm_skip_emulated_instruction(vcpu, !nrips))
-+ if (!__svm_skip_emulated_instruction(vcpu, emul_type, !nrips))
- return -EIO;
-
- rip = kvm_rip_read(vcpu);
-@@ -464,7 +467,7 @@ static void svm_inject_exception(struct kvm_vcpu *vcpu)
- kvm_deliver_exception_payload(vcpu, ex);
-
- if (kvm_exception_is_soft(ex->vector) &&
-- svm_update_soft_interrupt_rip(vcpu))
-+ svm_update_soft_interrupt_rip(vcpu, ex->vector))
- return;
-
- svm->vmcb->control.event_inj = ex->vector
-@@ -3743,11 +3746,12 @@ static bool svm_set_vnmi_pending(struct kvm_vcpu *vcpu)
-
- static void svm_inject_irq(struct kvm_vcpu *vcpu, bool reinjected)
- {
-+ struct kvm_queued_interrupt *intr = &vcpu->arch.interrupt;
- struct vcpu_svm *svm = to_svm(vcpu);
- u32 type;
-
-- if (vcpu->arch.interrupt.soft) {
-- if (svm_update_soft_interrupt_rip(vcpu))
-+ if (intr->soft) {
-+ if (svm_update_soft_interrupt_rip(vcpu, intr->nr))
- return;
-
- type = SVM_EVTINJ_TYPE_SOFT;
-@@ -3755,12 +3759,10 @@ static void svm_inject_irq(struct kvm_vcpu *vcpu, bool reinjected)
- type = SVM_EVTINJ_TYPE_INTR;
- }
-
-- trace_kvm_inj_virq(vcpu->arch.interrupt.nr,
-- vcpu->arch.interrupt.soft, reinjected);
-+ trace_kvm_inj_virq(intr->nr, intr->soft, reinjected);
- ++vcpu->stat.irq_injections;
-
-- svm->vmcb->control.event_inj = vcpu->arch.interrupt.nr |
-- SVM_EVTINJ_VALID | type;
-+ svm->vmcb->control.event_inj = intr->nr | SVM_EVTINJ_VALID | type;
- }
-
- void svm_complete_interrupt_delivery(struct kvm_vcpu *vcpu, int delivery_mode,
-diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index 20f89bceaeae..c12d7e28243d 100644
---- a/arch/x86/kvm/x86.c
-+++ b/arch/x86/kvm/x86.c
-@@ -9055,6 +9055,23 @@ static bool is_vmware_backdoor_opcode(struct x86_emulate_ctxt *ctxt)
- return false;
- }
-
-+static bool is_soft_int_instruction(struct x86_emulate_ctxt *ctxt,
-+ int emulation_type)
-+{
-+ u8 vector = EMULTYPE_GET_SOFT_INT_VECTOR(emulation_type);
-+
-+ switch (ctxt->b) {
-+ case 0xcc:
-+ return vector == BP_VECTOR;
-+ case 0xcd:
-+ return vector == ctxt->src.val;
-+ case 0xce:
-+ return vector == OF_VECTOR;
-+ default:
-+ return false;
-+ }
-+}
-+
- /*
- * Decode an instruction for emulation. The caller is responsible for handling
- * code breakpoints. Note, manually detecting code breakpoints is unnecessary
-@@ -9156,6 +9173,10 @@ int x86_emulate_instruction(struct kvm_vcpu *vcpu, gpa_t cr2_or_gpa,
- * injecting single-step #DBs.
- */
- if (emulation_type & EMULTYPE_SKIP) {
-+ if (emulation_type & EMULTYPE_SKIP_SOFT_INT &&
-+ !is_soft_int_instruction(ctxt, emulation_type))
-+ return 0;
-+
- if (ctxt->mode != X86EMUL_MODE_PROT64)
- ctxt->eip = (u32)ctxt->_eip;
- else
---
-2.43.0
-
diff --git a/SPECS/kernel/CVE-2025-68261.patch b/SPECS/kernel/CVE-2025-68261.patch
deleted file mode 100644
index 94822cb858..0000000000
--- a/SPECS/kernel/CVE-2025-68261.patch
+++ /dev/null
@@ -1,89 +0,0 @@
-From f367893e3dc76dfdd688dd87661c554cb8116b87 Mon Sep 17 00:00:00 2001
-From: Alexey Nepomnyashih
-Date: Tue, 4 Nov 2025 09:33:25 +0000
-Subject: [PATCH 31/45] ext4: add i_data_sem protection in
- ext4_destroy_inline_data_nolock()
-
-Fix a race between inline data destruction and block mapping.
-
-The function ext4_destroy_inline_data_nolock() changes the inode data
-layout by clearing EXT4_INODE_INLINE_DATA and setting EXT4_INODE_EXTENTS.
-At the same time, another thread may execute ext4_map_blocks(), which
-tests EXT4_INODE_EXTENTS to decide whether to call ext4_ext_map_blocks()
-or ext4_ind_map_blocks().
-
-Without i_data_sem protection, ext4_ind_map_blocks() may receive inode
-with EXT4_INODE_EXTENTS flag and triggering assert.
-
-kernel BUG at fs/ext4/indirect.c:546!
-EXT4-fs (loop2): unmounting filesystem.
-invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
-Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
-RIP: 0010:ext4_ind_map_blocks.cold+0x2b/0x5a fs/ext4/indirect.c:546
-
-Call Trace:
-
- ext4_map_blocks+0xb9b/0x16f0 fs/ext4/inode.c:681
- _ext4_get_block+0x242/0x590 fs/ext4/inode.c:822
- ext4_block_write_begin+0x48b/0x12c0 fs/ext4/inode.c:1124
- ext4_write_begin+0x598/0xef0 fs/ext4/inode.c:1255
- ext4_da_write_begin+0x21e/0x9c0 fs/ext4/inode.c:3000
- generic_perform_write+0x259/0x5d0 mm/filemap.c:3846
- ext4_buffered_write_iter+0x15b/0x470 fs/ext4/file.c:285
- ext4_file_write_iter+0x8e0/0x17f0 fs/ext4/file.c:679
- call_write_iter include/linux/fs.h:2271 [inline]
- do_iter_readv_writev+0x212/0x3c0 fs/read_write.c:735
- do_iter_write+0x186/0x710 fs/read_write.c:861
- vfs_iter_write+0x70/0xa0 fs/read_write.c:902
- iter_file_splice_write+0x73b/0xc90 fs/splice.c:685
- do_splice_from fs/splice.c:763 [inline]
- direct_splice_actor+0x10f/0x170 fs/splice.c:950
- splice_direct_to_actor+0x33a/0xa10 fs/splice.c:896
- do_splice_direct+0x1a9/0x280 fs/splice.c:1002
- do_sendfile+0xb13/0x12c0 fs/read_write.c:1255
- __do_sys_sendfile64 fs/read_write.c:1323 [inline]
- __se_sys_sendfile64 fs/read_write.c:1309 [inline]
- __x64_sys_sendfile64+0x1cf/0x210 fs/read_write.c:1309
- do_syscall_x64 arch/x86/entry/common.c:51 [inline]
- do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81
- entry_SYSCALL_64_after_hwframe+0x6e/0xd8
-
-Fixes: c755e251357a ("ext4: fix deadlock between inline_data and ext4_expand_extra_isize_ea()")
-Cc: stable@vger.kernel.org # v4.11+
-Signed-off-by: Alexey Nepomnyashih
-Message-ID: <20251104093326.697381-1-sdl@nppct.ru>
-Signed-off-by: Theodore Ts'o
----
- fs/ext4/inline.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
-index 9fb5e0f172a7..b55a2164bc51 100644
---- a/fs/ext4/inline.c
-+++ b/fs/ext4/inline.c
-@@ -441,9 +441,13 @@ static int ext4_destroy_inline_data_nolock(handle_t *handle,
- if (!ei->i_inline_off)
- return 0;
-
-+ down_write(&ei->i_data_sem);
-+
- error = ext4_get_inode_loc(inode, &is.iloc);
-- if (error)
-+ if (error) {
-+ up_write(&ei->i_data_sem);
- return error;
-+ }
-
- error = ext4_xattr_ibody_find(inode, &i, &is);
- if (error)
-@@ -482,6 +486,7 @@ static int ext4_destroy_inline_data_nolock(handle_t *handle,
- brelse(is.iloc.bh);
- if (error == -ENODATA)
- error = 0;
-+ up_write(&ei->i_data_sem);
- return error;
- }
-
---
-2.43.0
-
diff --git a/SPECS/kernel/CVE-2025-68263.patch b/SPECS/kernel/CVE-2025-68263.patch
deleted file mode 100644
index 9f23a2fd3b..0000000000
--- a/SPECS/kernel/CVE-2025-68263.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From a9fa20ba33df3cb40398808b89a7ceacbcc718d4 Mon Sep 17 00:00:00 2001
-From: Qianchang Zhao
-Date: Wed, 26 Nov 2025 12:24:18 +0900
-Subject: [PATCH 32/45] ksmbd: ipc: fix use-after-free in ipc_msg_send_request
-
-ipc_msg_send_request() waits for a generic netlink reply using an
-ipc_msg_table_entry on the stack. The generic netlink handler
-(handle_generic_event()/handle_response()) fills entry->response under
-ipc_msg_table_lock, but ipc_msg_send_request() used to validate and free
-entry->response without holding the same lock.
-
-Under high concurrency this allows a race where handle_response() is
-copying data into entry->response while ipc_msg_send_request() has just
-freed it, leading to a slab-use-after-free reported by KASAN in
-handle_generic_event():
-
- BUG: KASAN: slab-use-after-free in handle_generic_event+0x3c4/0x5f0 [ksmbd]
- Write of size 12 at addr ffff888198ee6e20 by task pool/109349
- ...
- Freed by task:
- kvfree
- ipc_msg_send_request [ksmbd]
- ksmbd_rpc_open -> ksmbd_session_rpc_open [ksmbd]
-
-Fix by:
-- Taking ipc_msg_table_lock in ipc_msg_send_request() while validating
- entry->response, freeing it when invalid, and removing the entry from
- ipc_msg_table.
-- Returning the final entry->response pointer to the caller only after
- the hash entry is removed under the lock.
-- Returning NULL in the error path, preserving the original API
- semantics.
-
-This makes all accesses to entry->response consistent with
-handle_response(), which already updates and fills the response buffer
-under ipc_msg_table_lock, and closes the race that allowed the UAF.
-
-Cc: stable@vger.kernel.org
-Reported-by: Qianchang Zhao
-Reported-by: Zhitong Liu
-Signed-off-by: Qianchang Zhao
-Acked-by: Namjae Jeon
-Signed-off-by: Steve French
----
- fs/smb/server/transport_ipc.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/fs/smb/server/transport_ipc.c b/fs/smb/server/transport_ipc.c
-index ce5c50ac987c..52a71775b38e 100644
---- a/fs/smb/server/transport_ipc.c
-+++ b/fs/smb/server/transport_ipc.c
-@@ -553,12 +553,16 @@ static void *ipc_msg_send_request(struct ksmbd_ipc_msg *msg, unsigned int handle
- up_write(&ipc_msg_table_lock);
-
- ret = ipc_msg_send(msg);
-- if (ret)
-+ if (ret) {
-+ down_write(&ipc_msg_table_lock);
- goto out;
-+ }
-
- ret = wait_event_interruptible_timeout(entry.wait,
- entry.response != NULL,
- IPC_WAIT_TIMEOUT);
-+
-+ down_write(&ipc_msg_table_lock);
- if (entry.response) {
- ret = ipc_validate_msg(&entry);
- if (ret) {
-@@ -567,7 +571,6 @@ static void *ipc_msg_send_request(struct ksmbd_ipc_msg *msg, unsigned int handle
- }
- }
- out:
-- down_write(&ipc_msg_table_lock);
- hash_del(&entry.ipc_table_hlist);
- up_write(&ipc_msg_table_lock);
- return entry.response;
---
-2.43.0
-
diff --git a/SPECS/kernel/CVE-2025-68264.patch b/SPECS/kernel/CVE-2025-68264.patch
deleted file mode 100644
index a07b94601d..0000000000
--- a/SPECS/kernel/CVE-2025-68264.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From 4dc41f5497bec7ddc8f4dd61f44834065115af20 Mon Sep 17 00:00:00 2001
-From: Deepanshu Kartikey
-Date: Mon, 20 Oct 2025 11:39:36 +0530
-Subject: [PATCH 33/45] ext4: refresh inline data size before write operations
-
-The cached ei->i_inline_size can become stale between the initial size
-check and when ext4_update_inline_data()/ext4_create_inline_data() use
-it. Although ext4_get_max_inline_size() reads the correct value at the
-time of the check, concurrent xattr operations can modify i_inline_size
-before ext4_write_lock_xattr() is acquired.
-
-This causes ext4_update_inline_data() and ext4_create_inline_data() to
-work with stale capacity values, leading to a BUG_ON() crash in
-ext4_write_inline_data():
-
- kernel BUG at fs/ext4/inline.c:1331!
- BUG_ON(pos + len > EXT4_I(inode)->i_inline_size);
-
-The race window:
-1. ext4_get_max_inline_size() reads i_inline_size = 60 (correct)
-2. Size check passes for 50-byte write
-3. [Another thread adds xattr, i_inline_size changes to 40]
-4. ext4_write_lock_xattr() acquires lock
-5. ext4_update_inline_data() uses stale i_inline_size = 60
-6. Attempts to write 50 bytes but only 40 bytes actually available
-7. BUG_ON() triggers
-
-Fix this by recalculating i_inline_size via ext4_find_inline_data_nolock()
-immediately after acquiring xattr_sem. This ensures ext4_update_inline_data()
-and ext4_create_inline_data() work with current values that are protected
-from concurrent modifications.
-
-This is similar to commit a54c4613dac1 ("ext4: fix race writing to an
-inline_data file while its xattrs are changing") which fixed i_inline_off
-staleness. This patch addresses the related i_inline_size staleness issue.
-
-Reported-by: syzbot+f3185be57d7e8dda32b8@syzkaller.appspotmail.com
-Link: https://syzkaller.appspot.com/bug?extid=f3185be57d7e8dda32b8
-Cc: stable@kernel.org
-Signed-off-by: Deepanshu Kartikey
-Message-ID: <20251020060936.474314-1-kartikey406@gmail.com>
-Signed-off-by: Theodore Ts'o
----
- fs/ext4/inline.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
-index b55a2164bc51..bb0e46130beb 100644
---- a/fs/ext4/inline.c
-+++ b/fs/ext4/inline.c
-@@ -413,7 +413,12 @@ static int ext4_prepare_inline_data(handle_t *handle, struct inode *inode,
- return -ENOSPC;
-
- ext4_write_lock_xattr(inode, &no_expand);
--
-+ /*
-+ * ei->i_inline_size may have changed since the initial check
-+ * if other xattrs were added. Recalculate to ensure
-+ * ext4_update_inline_data() validates against current capacity.
-+ */
-+ (void) ext4_find_inline_data_nolock(inode);
- if (ei->i_inline_off)
- ret = ext4_update_inline_data(handle, inode, len);
- else
---
-2.43.0
-
diff --git a/SPECS/kernel/CVE-2025-68265.patch b/SPECS/kernel/CVE-2025-68265.patch
deleted file mode 100644
index 5780fa1fad..0000000000
--- a/SPECS/kernel/CVE-2025-68265.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-From 6aefffa086d02a1e805cb70981122297dae278b3 Mon Sep 17 00:00:00 2001
-From: Keith Busch
-Date: Tue, 4 Nov 2025 14:48:30 -0800
-Subject: [PATCH 34/45] nvme: fix admin request_queue lifetime
-
-The namespaces can access the controller's admin request_queue, and
-stale references on the namespaces may exist after tearing down the
-controller. Ensure the admin request_queue is active by moving the
-controller's 'put' to after all controller references have been released
-to ensure no one is can access the request_queue. This fixes a reported
-use-after-free bug:
-
- BUG: KASAN: slab-use-after-free in blk_queue_enter+0x41c/0x4a0
- Read of size 8 at addr ffff88c0a53819f8 by task nvme/3287
- CPU: 67 UID: 0 PID: 3287 Comm: nvme Tainted: G E 6.13.2-ga1582f1a031e #15
- Tainted: [E]=UNSIGNED_MODULE
- Hardware name: Jabil /EGS 2S MB1, BIOS 1.00 06/18/2025
- Call Trace:
-
- dump_stack_lvl+0x4f/0x60
- print_report+0xc4/0x620
- ? _raw_spin_lock_irqsave+0x70/0xb0
- ? _raw_read_unlock_irqrestore+0x30/0x30
- ? blk_queue_enter+0x41c/0x4a0
- kasan_report+0xab/0xe0
- ? blk_queue_enter+0x41c/0x4a0
- blk_queue_enter+0x41c/0x4a0
- ? __irq_work_queue_local+0x75/0x1d0
- ? blk_queue_start_drain+0x70/0x70
- ? irq_work_queue+0x18/0x20
- ? vprintk_emit.part.0+0x1cc/0x350
- ? wake_up_klogd_work_func+0x60/0x60
- blk_mq_alloc_request+0x2b7/0x6b0
- ? __blk_mq_alloc_requests+0x1060/0x1060
- ? __switch_to+0x5b7/0x1060
- nvme_submit_user_cmd+0xa9/0x330
- nvme_user_cmd.isra.0+0x240/0x3f0
- ? force_sigsegv+0xe0/0xe0
- ? nvme_user_cmd64+0x400/0x400
- ? vfs_fileattr_set+0x9b0/0x9b0
- ? cgroup_update_frozen_flag+0x24/0x1c0
- ? cgroup_leave_frozen+0x204/0x330
- ? nvme_ioctl+0x7c/0x2c0
- blkdev_ioctl+0x1a8/0x4d0
- ? blkdev_common_ioctl+0x1930/0x1930
- ? fdget+0x54/0x380
- __x64_sys_ioctl+0x129/0x190
- do_syscall_64+0x5b/0x160
- entry_SYSCALL_64_after_hwframe+0x4b/0x53
- RIP: 0033:0x7f765f703b0b
- Code: ff ff ff 85 c0 79 9b 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d dd 52 0f 00 f7 d8 64 89 01 48
- RSP: 002b:00007ffe2cefe808 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
- RAX: ffffffffffffffda RBX: 00007ffe2cefe860 RCX: 00007f765f703b0b
- RDX: 00007ffe2cefe860 RSI: 00000000c0484e41 RDI: 0000000000000003
- RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000000
- R10: 00007f765f611d50 R11: 0000000000000202 R12: 0000000000000003
- R13: 00000000c0484e41 R14: 0000000000000001 R15: 00007ffe2cefea60
-
-
-Reported-by: Casey Chen
-Reviewed-by: Christoph Hellwig
-Reviewed-by: Hannes Reinecke
-Reviewed-by: Ming Lei
-Reviewed-by: Chaitanya Kulkarni
-Signed-off-by: Keith Busch
----
- drivers/nvme/host/core.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
-index a3b9f8ea235f..a766290b1ee8 100644
---- a/drivers/nvme/host/core.c
-+++ b/drivers/nvme/host/core.c
-@@ -4645,7 +4645,6 @@ void nvme_remove_admin_tag_set(struct nvme_ctrl *ctrl)
- */
- nvme_stop_keep_alive(ctrl);
- blk_mq_destroy_queue(ctrl->admin_q);
-- blk_put_queue(ctrl->admin_q);
- if (ctrl->ops->flags & NVME_F_FABRICS) {
- blk_mq_destroy_queue(ctrl->fabrics_q);
- blk_put_queue(ctrl->fabrics_q);
-@@ -4790,6 +4789,8 @@ static void nvme_free_ctrl(struct device *dev)
- container_of(dev, struct nvme_ctrl, ctrl_device);
- struct nvme_subsystem *subsys = ctrl->subsys;
-
-+ if (ctrl->admin_q)
-+ blk_put_queue(ctrl->admin_q);
- if (!subsys || ctrl->instance != subsys->instance)
- ida_free(&nvme_instance_ida, ctrl->instance);
- nvme_free_cels(ctrl);
---
-2.43.0
-
diff --git a/SPECS/kernel/CVE-2025-68336.patch b/SPECS/kernel/CVE-2025-68336.patch
deleted file mode 100644
index c33925269c..0000000000
--- a/SPECS/kernel/CVE-2025-68336.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From f04fb07e5331f910b2fbf9a8227ff6bd75b2b11a Mon Sep 17 00:00:00 2001
-From: Alexander Sverdlin
-Date: Fri, 19 Sep 2025 11:12:38 +0200
-Subject: [PATCH 37/45] locking/spinlock/debug: Fix data-race in
- do_raw_write_lock
-
-KCSAN reports:
-
-BUG: KCSAN: data-race in do_raw_write_lock / do_raw_write_lock
-
-write (marked) to 0xffff800009cf504c of 4 bytes by task 1102 on cpu 1:
- do_raw_write_lock+0x120/0x204
- _raw_write_lock_irq
- do_exit
- call_usermodehelper_exec_async
- ret_from_fork
-
-read to 0xffff800009cf504c of 4 bytes by task 1103 on cpu 0:
- do_raw_write_lock+0x88/0x204
- _raw_write_lock_irq
- do_exit
- call_usermodehelper_exec_async
- ret_from_fork
-
-value changed: 0xffffffff -> 0x00000001
-
-Reported by Kernel Concurrency Sanitizer on:
-CPU: 0 PID: 1103 Comm: kworker/u4:1 6.1.111
-
-Commit 1a365e822372 ("locking/spinlock/debug: Fix various data races") has
-adressed most of these races, but seems to be not consistent/not complete.
-
->From do_raw_write_lock() only debug_write_lock_after() part has been
-converted to WRITE_ONCE(), but not debug_write_lock_before() part.
-Do it now.
-
-Fixes: 1a365e822372 ("locking/spinlock/debug: Fix various data races")
-Reported-by: Adrian Freihofer
-Signed-off-by: Alexander Sverdlin
-Signed-off-by: Boqun Feng
-Signed-off-by: Peter Zijlstra (Intel)
-Reviewed-by: Paul E. McKenney
-Acked-by: Waiman Long
-Cc: stable@vger.kernel.org
----
- kernel/locking/spinlock_debug.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/kernel/locking/spinlock_debug.c b/kernel/locking/spinlock_debug.c
-index 87b03d2e41db..2338b3adfb55 100644
---- a/kernel/locking/spinlock_debug.c
-+++ b/kernel/locking/spinlock_debug.c
-@@ -184,8 +184,8 @@ void do_raw_read_unlock(rwlock_t *lock)
- static inline void debug_write_lock_before(rwlock_t *lock)
- {
- RWLOCK_BUG_ON(lock->magic != RWLOCK_MAGIC, lock, "bad magic");
-- RWLOCK_BUG_ON(lock->owner == current, lock, "recursion");
-- RWLOCK_BUG_ON(lock->owner_cpu == raw_smp_processor_id(),
-+ RWLOCK_BUG_ON(READ_ONCE(lock->owner) == current, lock, "recursion");
-+ RWLOCK_BUG_ON(READ_ONCE(lock->owner_cpu) == raw_smp_processor_id(),
- lock, "cpu recursion");
- }
-
---
-2.43.0
-
diff --git a/SPECS/kernel/CVE-2025-68337.patch b/SPECS/kernel/CVE-2025-68337.patch
deleted file mode 100644
index 1b37caccae..0000000000
--- a/SPECS/kernel/CVE-2025-68337.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-From 67ef76dbc92035768b6ece6630bfb464b6205315 Mon Sep 17 00:00:00 2001
-From: Ye Bin
-Date: Sat, 25 Oct 2025 15:26:57 +0800
-Subject: [PATCH 23/45] jbd2: avoid bug_on in jbd2_journal_get_create_access()
- when file system corrupted
-
-There's issue when file system corrupted:
-------------[ cut here ]------------
-kernel BUG at fs/jbd2/transaction.c:1289!
-Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
-CPU: 5 UID: 0 PID: 2031 Comm: mkdir Not tainted 6.18.0-rc1-next
-RIP: 0010:jbd2_journal_get_create_access+0x3b6/0x4d0
-RSP: 0018:ffff888117aafa30 EFLAGS: 00010202
-RAX: 0000000000000000 RBX: ffff88811a86b000 RCX: ffffffff89a63534
-RDX: 1ffff110200ec602 RSI: 0000000000000004 RDI: ffff888100763010
-RBP: ffff888100763000 R08: 0000000000000001 R09: ffff888100763028
-R10: 0000000000000003 R11: 0000000000000000 R12: 0000000000000000
-R13: ffff88812c432000 R14: ffff88812c608000 R15: ffff888120bfc000
-CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
-CR2: 00007f91d6970c99 CR3: 00000001159c4000 CR4: 00000000000006f0
-Call Trace:
-
- __ext4_journal_get_create_access+0x42/0x170
- ext4_getblk+0x319/0x6f0
- ext4_bread+0x11/0x100
- ext4_append+0x1e6/0x4a0
- ext4_init_new_dir+0x145/0x1d0
- ext4_mkdir+0x326/0x920
- vfs_mkdir+0x45c/0x740
- do_mkdirat+0x234/0x2f0
- __x64_sys_mkdir+0xd6/0x120
- do_syscall_64+0x5f/0xfa0
- entry_SYSCALL_64_after_hwframe+0x76/0x7e
-
-The above issue occurs with us in errors=continue mode when accompanied by
-storage failures. There have been many inconsistencies in the file system
-data.
-In the case of file system data inconsistency, for example, if the block
-bitmap of a referenced block is not set, it can lead to the situation where
-a block being committed is allocated and used again. As a result, the
-following condition will not be satisfied then trigger BUG_ON. Of course,
-it is entirely possible to construct a problematic image that can trigger
-this BUG_ON through specific operations. In fact, I have constructed such
-an image and easily reproduced this issue.
-Therefore, J_ASSERT() holds true only under ideal conditions, but it may
-not necessarily be satisfied in exceptional scenarios. Using J_ASSERT()
-directly in abnormal situations would cause the system to crash, which is
-clearly not what we want. So here we directly trigger a JBD abort instead
-of immediately invoking BUG_ON.
-
-Fixes: 470decc613ab ("[PATCH] jbd2: initial copy of files from jbd")
-Signed-off-by: Ye Bin
-Reviewed-by: Jan Kara
-Message-ID: <20251025072657.307851-1-yebin@huaweicloud.com>
-Signed-off-by: Theodore Ts'o
-Cc: stable@kernel.org
----
- fs/jbd2/transaction.c | 19 ++++++++++++++-----
- 1 file changed, 14 insertions(+), 5 deletions(-)
-
-diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c
-index ae43920ce395..c50bec6e5405 100644
---- a/fs/jbd2/transaction.c
-+++ b/fs/jbd2/transaction.c
-@@ -1288,14 +1288,23 @@ int jbd2_journal_get_create_access(handle_t *handle, struct buffer_head *bh)
- * committing transaction's lists, but it HAS to be in Forget state in
- * that case: the transaction must have deleted the buffer for it to be
- * reused here.
-+ * In the case of file system data inconsistency, for example, if the
-+ * block bitmap of a referenced block is not set, it can lead to the
-+ * situation where a block being committed is allocated and used again.
-+ * As a result, the following condition will not be satisfied, so here
-+ * we directly trigger a JBD abort instead of immediately invoking
-+ * bugon.
- */
- spin_lock(&jh->b_state_lock);
-- J_ASSERT_JH(jh, (jh->b_transaction == transaction ||
-- jh->b_transaction == NULL ||
-- (jh->b_transaction == journal->j_committing_transaction &&
-- jh->b_jlist == BJ_Forget)));
-+ if (!(jh->b_transaction == transaction || jh->b_transaction == NULL ||
-+ (jh->b_transaction == journal->j_committing_transaction &&
-+ jh->b_jlist == BJ_Forget)) || jh->b_next_transaction != NULL) {
-+ err = -EROFS;
-+ spin_unlock(&jh->b_state_lock);
-+ jbd2_journal_abort(journal, err);
-+ goto out;
-+ }
-
-- J_ASSERT_JH(jh, jh->b_next_transaction == NULL);
- J_ASSERT_JH(jh, buffer_locked(jh2bh(jh)));
-
- if (jh->b_transaction == NULL) {
---
-2.43.0
-
diff --git a/SPECS/kernel/CVE-2025-68345.patch b/SPECS/kernel/CVE-2025-68345.patch
deleted file mode 100644
index b403a0ebde..0000000000
--- a/SPECS/kernel/CVE-2025-68345.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From d5081978b1413ec030fd8d3f70bda55b1abdc3d2 Mon Sep 17 00:00:00 2001
-From: Denis Arefev
-Date: Tue, 2 Dec 2025 13:13:36 +0300
-Subject: [PATCH 24/45] ALSA: hda: cs35l41: Fix NULL pointer dereference in
- cs35l41_hda_read_acpi()
-
-The acpi_get_first_physical_node() function can return NULL, in which
-case the get_device() function also returns NULL, but this value is
-then dereferenced without checking,so add a check to prevent a crash.
-
-Found by Linux Verification Center (linuxtesting.org) with SVACE.
-
-Fixes: 7b2f3eb492da ("ALSA: hda: cs35l41: Add support for CS35L41 in HDA systems")
-Cc: stable@vger.kernel.org
-Signed-off-by: Denis Arefev
-Reviewed-by: Richard Fitzgerald
-Signed-off-by: Takashi Iwai
-Link: https://patch.msgid.link/20251202101338.11437-1-arefev@swemel.ru
----
- sound/pci/hda/cs35l41_hda.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/sound/pci/hda/cs35l41_hda.c b/sound/pci/hda/cs35l41_hda.c
-index d68bf7591d90..e115b9bd7ce3 100644
---- a/sound/pci/hda/cs35l41_hda.c
-+++ b/sound/pci/hda/cs35l41_hda.c
-@@ -1865,6 +1865,8 @@ static int cs35l41_hda_read_acpi(struct cs35l41_hda *cs35l41, const char *hid, i
-
- cs35l41->dacpi = adev;
- physdev = get_device(acpi_get_first_physical_node(adev));
-+ if (!physdev)
-+ return -ENODEV;
-
- sub = acpi_get_subsystem_id(ACPI_HANDLE(physdev));
- if (IS_ERR(sub))
---
-2.43.0
-
diff --git a/SPECS/kernel/CVE-2025-68346.patch b/SPECS/kernel/CVE-2025-68346.patch
deleted file mode 100644
index bb6987befc..0000000000
--- a/SPECS/kernel/CVE-2025-68346.patch
+++ /dev/null
@@ -1,51 +0,0 @@ -From 35eb53a983da639e00dfa708326d9dd0b0cfaad1 Mon Sep 17 00:00:00 2001 -From: Junrui Luo -Date: Fri, 28 Nov 2025 12:06:31 +0800 -Subject: [PATCH 25/45] ALSA: dice: fix buffer overflow in - detect_stream_formats() - -The function detect_stream_formats() reads the stream_count value directly -from a FireWire device without validating it. This can lead to -out-of-bounds writes when a malicious device provides a stream_count value -greater than MAX_STREAMS. - -Fix by applying the same validation to both TX and RX stream counts in -detect_stream_formats(). - -Reported-by: Yuhao Jiang -Reported-by: Junrui Luo -Fixes: 58579c056c1c ("ALSA: dice: use extended protocol to detect available stream formats") -Cc: stable@vger.kernel.org -Reviewed-by: Takashi Sakamoto -Signed-off-by: Junrui Luo -Link: https://patch.msgid.link/SYBPR01MB7881B043FC68B4C0DA40B73DAFDCA@SYBPR01MB7881.ausprd01.prod.outlook.com -Signed-off-by: Takashi Iwai ---- - sound/firewire/dice/dice-extension.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/sound/firewire/dice/dice-extension.c b/sound/firewire/dice/dice-extension.c -index 02f4a8318e38..48bfb3ad93ce 100644 ---- a/sound/firewire/dice/dice-extension.c -+++ b/sound/firewire/dice/dice-extension.c -@@ -116,7 +116,7 @@ static int detect_stream_formats(struct snd_dice *dice, u64 section_addr) - break; - - base_offset += EXT_APP_STREAM_ENTRIES; -- stream_count = be32_to_cpu(reg[0]); -+ stream_count = min_t(unsigned int, be32_to_cpu(reg[0]), MAX_STREAMS); - err = read_stream_entries(dice, section_addr, base_offset, - stream_count, mode, - dice->tx_pcm_chs, -@@ -125,7 +125,7 @@ static int detect_stream_formats(struct snd_dice *dice, u64 section_addr) - break; - - base_offset += stream_count * EXT_APP_STREAM_ENTRY_SIZE; -- stream_count = be32_to_cpu(reg[1]); -+ stream_count = min_t(unsigned int, be32_to_cpu(reg[1]), MAX_STREAMS); - err = read_stream_entries(dice, section_addr, base_offset, - stream_count, - mode, 
dice->rx_pcm_chs, --- -2.43.0 - diff --git a/SPECS/kernel/CVE-2025-68347.patch b/SPECS/kernel/CVE-2025-68347.patch deleted file mode 100644 index fa285cac61..0000000000 --- a/SPECS/kernel/CVE-2025-68347.patch +++ /dev/null @@ -1,44 +0,0 @@ -From c009107b13a633f42c9275010a760a0f4b3a6d25 Mon Sep 17 00:00:00 2001 -From: Junrui Luo -Date: Wed, 3 Dec 2025 12:27:03 +0800 -Subject: [PATCH 26/45] ALSA: firewire-motu: fix buffer overflow in hwdep read - for DSP events - -The DSP event handling code in hwdep_read() could write more bytes to -the user buffer than requested, when a user provides a buffer smaller -than the event header size (8 bytes). - -Fix by using min_t() to clamp the copy size, This ensures we never copy -more than the user requested. - -Reported-by: Yuhao Jiang -Reported-by: Junrui Luo -Fixes: 634ec0b2906e ("ALSA: firewire-motu: notify event for parameter change in register DSP model") -Signed-off-by: Junrui Luo -Link: https://patch.msgid.link/SYBPR01MB78810656377E79E58350D951AFD9A@SYBPR01MB7881.ausprd01.prod.outlook.com -Signed-off-by: Takashi Iwai ---- - sound/firewire/motu/motu-hwdep.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/sound/firewire/motu/motu-hwdep.c b/sound/firewire/motu/motu-hwdep.c -index a220ac0c8eb8..28885c8004ae 100644 ---- a/sound/firewire/motu/motu-hwdep.c -+++ b/sound/firewire/motu/motu-hwdep.c -@@ -83,10 +83,11 @@ static long hwdep_read(struct snd_hwdep *hwdep, char __user *buf, long count, - event.motu_register_dsp_change.type = SNDRV_FIREWIRE_EVENT_MOTU_REGISTER_DSP_CHANGE; - event.motu_register_dsp_change.count = - (consumed - sizeof(event.motu_register_dsp_change)) / 4; -- if (copy_to_user(buf, &event, sizeof(event.motu_register_dsp_change))) -+ if (copy_to_user(buf, &event, -+ min_t(long, count, sizeof(event.motu_register_dsp_change)))) - return -EFAULT; - -- count = consumed; -+ count = min_t(long, count, consumed); - } else { - spin_unlock_irq(&motu->lock); - --- -2.43.0 - 
diff --git a/SPECS/kernel/CVE-2025-68348.patch b/SPECS/kernel/CVE-2025-68348.patch
deleted file mode 100644
index 93cdf48a82..0000000000
--- a/SPECS/kernel/CVE-2025-68348.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 7575abdc01cb9eb49e136aac91d64e57c77ac3ad Mon Sep 17 00:00:00 2001
-From: Shaurya Rane
-Date: Thu, 4 Dec 2025 23:42:59 +0530
-Subject: [PATCH 27/45] block: fix memory leak in __blkdev_issue_zero_pages
-
-Move the fatal signal check before bio_alloc() to prevent a memory
-leak when BLKDEV_ZERO_KILLABLE is set and a fatal signal is pending.
-
-Previously, the bio was allocated before checking for a fatal signal.
-If a signal was pending, the code would break out of the loop without
-freeing or chaining the just-allocated bio, causing a memory leak.
-
-This matches the pattern already used in __blkdev_issue_write_zeroes()
-where the signal check precedes the allocation.
-
-Fixes: bf86bcdb4012 ("blk-lib: check for kill signal in ioctl BLKZEROOUT")
-Reported-by: syzbot+527a7e48a3d3d315d862@syzkaller.appspotmail.com
-Closes: https://syzkaller.appspot.com/bug?extid=527a7e48a3d3d315d862
-Signed-off-by: Shaurya Rane
-Reviewed-by: Keith Busch
-Tested-by: syzbot+527a7e48a3d3d315d862@syzkaller.appspotmail.com
-Signed-off-by: Jens Axboe
----
- block/blk-lib.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/block/blk-lib.c b/block/blk-lib.c
-index 4c9f20a689f7..8cb2987db786 100644
---- a/block/blk-lib.c
-+++ b/block/blk-lib.c
-@@ -200,13 +200,13 @@ static void __blkdev_issue_zero_pages(struct block_device *bdev,
- unsigned int nr_vecs = __blkdev_sectors_to_bio_pages(nr_sects);
- struct bio *bio;
-
-- bio = bio_alloc(bdev, nr_vecs, REQ_OP_WRITE, gfp_mask);
-- bio->bi_iter.bi_sector = sector;
--
- if ((flags & BLKDEV_ZERO_KILLABLE) &&
- fatal_signal_pending(current))
- break;
-
-+ bio = bio_alloc(bdev, nr_vecs, REQ_OP_WRITE, gfp_mask);
-+ bio->bi_iter.bi_sector = sector;
-+
- do {
- unsigned int len, added;
-
---
-2.43.0
-
diff --git a/SPECS/kernel/CVE-2025-68349.patch b/SPECS/kernel/CVE-2025-68349.patch
deleted file mode 100644
index 15987860e5..0000000000
--- a/SPECS/kernel/CVE-2025-68349.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 4d64351a8725f3d7b6afaadbaee18204b97313ca Mon Sep 17 00:00:00 2001
-From: Jonathan Curley
-Date: Wed, 12 Nov 2025 18:02:42 +0000
-Subject: [PATCH 28/45] NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in
- pnfs_mark_layout_stateid_invalid
-
-Fixes a crash when layout is null during this call stack:
-
-write_inode
- -> nfs4_write_inode
- -> pnfs_layoutcommit_inode
-
-pnfs_set_layoutcommit relies on the lseg refcount to keep the layout
-around. Need to clear NFS_INO_LAYOUTCOMMIT otherwise we might attempt
-to reference a null layout.
-
-Fixes: fe1cf9469d7bc ("pNFS: Clear all layout segment state in pnfs_mark_layout_stateid_invalid")
-Signed-off-by: Jonathan Curley
-Signed-off-by: Trond Myklebust
----
- fs/nfs/pnfs.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c
-index 89d49dd3978f..7a742bcff687 100644
---- a/fs/nfs/pnfs.c
-+++ b/fs/nfs/pnfs.c
-@@ -466,6 +466,7 @@ pnfs_mark_layout_stateid_invalid(struct pnfs_layout_hdr *lo,
- struct pnfs_layout_segment *lseg, *next;
-
- set_bit(NFS_LAYOUT_INVALID_STID, &lo->plh_flags);
-+ clear_bit(NFS_INO_LAYOUTCOMMIT, &NFS_I(lo->plh_inode)->flags);
- list_for_each_entry_safe(lseg, next, &lo->plh_segs, pls_list)
- pnfs_clear_lseg_state(lseg, lseg_list);
- pnfs_clear_layoutreturn_info(lo);
---
-2.43.0
-
diff --git a/SPECS/kernel/CVE-2025-68354.patch b/SPECS/kernel/CVE-2025-68354.patch
deleted file mode 100644
index 6faa938a20..0000000000
--- a/SPECS/kernel/CVE-2025-68354.patch
+++ /dev/null
@@ -1,103 +0,0 @@ -From 708fd3a48f6cafdce6c0c305a84bd3ceae9677b2 Mon Sep 17 00:00:00 2001 -From: sparkhuang -Date: Thu, 27 Nov 2025 10:57:16 +0800 -Subject: [PATCH 12/45] regulator: core: Protect regulator_supply_alias_list - with regulator_list_mutex - -regulator_supply_alias_list was accessed without any locking in -regulator_supply_alias(), regulator_register_supply_alias(), and -regulator_unregister_supply_alias(). Concurrent registration, -unregistration and lookups can race, leading to: - -1 use-after-free if an alias entry is removed while being read, -2 duplicate entries when two threads register the same alias, -3 inconsistent alias mappings observed by consumers. - -Protect all traversals, insertions and deletions on -regulator_supply_alias_list with the existing regulator_list_mutex. - -Fixes: a06ccd9c3785f ("regulator: core: Add ability to create a lookup alias for supply") -Signed-off-by: sparkhuang -Reviewed-by: Charles Keepax -Link: https://patch.msgid.link/20251127025716.5440-1-huangshaobo3@xiaomi.com -Signed-off-by: Mark Brown ---- - drivers/regulator/core.c | 32 ++++++++++++++++++++------------ - 1 file changed, 20 insertions(+), 12 deletions(-) - -diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c -index e7f2a8b65947..af0f5f8a3404 100644 ---- a/drivers/regulator/core.c -+++ b/drivers/regulator/core.c -@@ -1909,6 +1909,7 @@ static void regulator_supply_alias(struct device **dev, const char **supply) - { - struct regulator_supply_alias *map; - -+ mutex_lock(®ulator_list_mutex); - map = regulator_find_supply_alias(*dev, *supply); - if (map) { - dev_dbg(*dev, "Mapping supply %s to %s,%s\n", -@@ -1917,6 +1918,7 @@ static void regulator_supply_alias(struct device **dev, const char **supply) - *dev = map->alias_dev; - *supply = map->alias_supply; - } -+ mutex_unlock(®ulator_list_mutex); - } - - static int regulator_match(struct device *dev, const void *data) -@@ -2437,22 +2439,26 @@ int regulator_register_supply_alias(struct device *dev, 
const char *id, - const char *alias_id) - { - struct regulator_supply_alias *map; -+ struct regulator_supply_alias *new_map; - -- map = regulator_find_supply_alias(dev, id); -- if (map) -- return -EEXIST; -- -- map = kzalloc(sizeof(struct regulator_supply_alias), GFP_KERNEL); -- if (!map) -+ new_map = kzalloc(sizeof(struct regulator_supply_alias), GFP_KERNEL); -+ if (!new_map) - return -ENOMEM; - -- map->src_dev = dev; -- map->src_supply = id; -- map->alias_dev = alias_dev; -- map->alias_supply = alias_id; -- -- list_add(&map->list, ®ulator_supply_alias_list); -+ mutex_lock(®ulator_list_mutex); -+ map = regulator_find_supply_alias(dev, id); -+ if (map) { -+ mutex_unlock(®ulator_list_mutex); -+ kfree(new_map); -+ return -EEXIST; -+ } - -+ new_map->src_dev = dev; -+ new_map->src_supply = id; -+ new_map->alias_dev = alias_dev; -+ new_map->alias_supply = alias_id; -+ list_add(&new_map->list, ®ulator_supply_alias_list); -+ mutex_unlock(®ulator_list_mutex); - pr_info("Adding alias for supply %s,%s -> %s,%s\n", - id, dev_name(dev), alias_id, dev_name(alias_dev)); - -@@ -2472,11 +2478,13 @@ void regulator_unregister_supply_alias(struct device *dev, const char *id) - { - struct regulator_supply_alias *map; - -+ mutex_lock(®ulator_list_mutex); - map = regulator_find_supply_alias(dev, id); - if (map) { - list_del(&map->list); - kfree(map); - } -+ mutex_unlock(®ulator_list_mutex); - } - EXPORT_SYMBOL_GPL(regulator_unregister_supply_alias); - --- -2.43.0 - diff --git a/SPECS/kernel/CVE-2025-68357.patch b/SPECS/kernel/CVE-2025-68357.patch deleted file mode 100644 index 8a512e5173..0000000000 --- a/SPECS/kernel/CVE-2025-68357.patch +++ /dev/null 
@@ -1,46 +0,0 @@
-From 0c2ef70b27af690b4f42c5cb96778c7cbc36fd45 Mon Sep 17 00:00:00 2001
-From: Christoph Hellwig
-Date: Mon, 24 Nov 2025 15:00:13 +0100
-Subject: [PATCH 13/45] iomap: allocate s_dio_done_wq for async reads as well
-
-Since commit 222f2c7c6d14 ("iomap: always run error completions in user
-context"), read error completions are deferred to s_dio_done_wq. This
-means the workqueue also needs to be allocated for async reads.
-
-Fixes: 222f2c7c6d14 ("iomap: always run error completions in user context")
-Reported-by: syzbot+a2b9a4ed0d61b1efb3f5@syzkaller.appspotmail.com
-Signed-off-by: Christoph Hellwig
-Link: https://patch.msgid.link/20251124140013.902853-1-hch@lst.de
-Tested-by: syzbot+a2b9a4ed0d61b1efb3f5@syzkaller.appspotmail.com
-Reviewed-by: Dave Chinner
-Reviewed-by: Darrick J. Wong
-Signed-off-by: Christian Brauner
----
- fs/iomap/direct-io.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/fs/iomap/direct-io.c b/fs/iomap/direct-io.c
-index f637aa0706a3..c984baccb079 100644
---- a/fs/iomap/direct-io.c
-+++ b/fs/iomap/direct-io.c
-@@ -663,12 +663,12 @@ __iomap_dio_rw(struct kiocb *iocb, struct iov_iter *iter,
- }
- goto out_free_dio;
- }
-+ }
-
-- if (!wait_for_completion && !inode->i_sb->s_dio_done_wq) {
-- ret = sb_init_dio_done_wq(inode->i_sb);
-- if (ret < 0)
-- goto out_free_dio;
-- }
-+ if (!wait_for_completion && !inode->i_sb->s_dio_done_wq) {
-+ ret = sb_init_dio_done_wq(inode->i_sb);
-+ if (ret < 0)
-+ goto out_free_dio;
- }
-
- inode_dio_begin(inode);
---
-2.43.0
-
diff --git a/SPECS/kernel/CVE-2025-68363.patch b/SPECS/kernel/CVE-2025-68363.patch
deleted file mode 100644
index 0113204c7f..0000000000
--- a/SPECS/kernel/CVE-2025-68363.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From 9958effe805bd9a18ee4fedbb9aef913f5213a56 Mon Sep 17 00:00:00 2001
-From: Martin KaFai Lau
-Date: Wed, 12 Nov 2025 15:23:30 -0800
-Subject: [PATCH 17/45] bpf: Check skb->transport_header is set in
- bpf_skb_check_mtu
-
-The bpf_skb_check_mtu helper needs to use skb->transport_header when
-the BPF_MTU_CHK_SEGS flag is used:
-
- bpf_skb_check_mtu(skb, ifindex, &mtu_len, 0, BPF_MTU_CHK_SEGS)
-
-The transport_header is not always set. There is a WARN_ON_ONCE
-report when CONFIG_DEBUG_NET is enabled + skb->gso_size is set +
-bpf_prog_test_run is used:
-
-WARNING: CPU: 1 PID: 2216 at ./include/linux/skbuff.h:3071
- skb_gso_validate_network_len
- bpf_skb_check_mtu
- bpf_prog_3920e25740a41171_tc_chk_segs_flag # A test in the next patch
- bpf_test_run
- bpf_prog_test_run_skb
-
-For a normal ingress skb (not test_run), skb_reset_transport_header
-is performed but there is plan to avoid setting it as described in
-commit 2170a1f09148 ("net: no longer reset transport_header in __netif_receive_skb_core()").
-
-This patch fixes the bpf helper by checking
-skb_transport_header_was_set(). The check is done just before
-skb->transport_header is used, to avoid breaking the existing bpf prog.
-The WARN_ON_ONCE is limited to bpf_prog_test_run, so targeting bpf-next.
-
-Fixes: 34b2021cc616 ("bpf: Add BPF-helper for MTU checking")
-Cc: Jesper Dangaard Brouer
-Reported-by: Kaiyan Mei
-Reported-by: Yinhao Hu
-Signed-off-by: Martin KaFai Lau
-Link: https://lore.kernel.org/r/20251112232331.1566074-1-martin.lau@linux.dev
-Signed-off-by: Alexei Starovoitov
----
- net/core/filter.c | 9 ++++++---
- 1 file changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/net/core/filter.c b/net/core/filter.c
-index 3d0e31101c68..fd2129fe9db3 100644
---- a/net/core/filter.c
-+++ b/net/core/filter.c
-@@ -6360,9 +6360,12 @@ BPF_CALL_5(bpf_skb_check_mtu, struct sk_buff *, skb,
- */
- if (skb_is_gso(skb)) {
- ret = BPF_MTU_CHK_RET_SUCCESS;
-- if (flags & BPF_MTU_CHK_SEGS &&
-- !skb_gso_validate_network_len(skb, mtu))
-- ret = BPF_MTU_CHK_RET_SEGS_TOOBIG;
-+ if (flags & BPF_MTU_CHK_SEGS) {
-+ if (!skb_transport_header_was_set(skb))
-+ return -EINVAL;
-+ if (!skb_gso_validate_network_len(skb, mtu))
-+ ret = BPF_MTU_CHK_RET_SEGS_TOOBIG;
-+ }
- }
- out:
- *mtu_len = mtu;
---
-2.43.0
-
diff --git a/SPECS/kernel/CVE-2025-68366.patch b/SPECS/kernel/CVE-2025-68366.patch
deleted file mode 100644
index a98b3f9735..0000000000
--- a/SPECS/kernel/CVE-2025-68366.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From 6acb73a408345df86f90f598557ac9d12ff2b14d Mon Sep 17 00:00:00 2001
-From: Zheng Qixing
-Date: Mon, 10 Nov 2025 20:49:20 +0800
-Subject: [PATCH 18/45] nbd: defer config unlock in nbd_genl_connect
-
-There is one use-after-free warning when running NBD_CMD_CONNECT and
-NBD_CLEAR_SOCK:
-
-nbd_genl_connect
- nbd_alloc_and_init_config // config_refs=1
- nbd_start_device // config_refs=2
- set NBD_RT_HAS_CONFIG_REF open nbd // config_refs=3
- recv_work done // config_refs=2
- NBD_CLEAR_SOCK // config_refs=1
- close nbd // config_refs=0
- refcount_inc -> uaf
-
-------------[ cut here ]------------
-refcount_t: addition on 0; use-after-free.
-WARNING: CPU: 24 PID: 1014 at lib/refcount.c:25 refcount_warn_saturate+0x12e/0x290
- nbd_genl_connect+0x16d0/0x1ab0
- genl_family_rcv_msg_doit+0x1f3/0x310
- genl_rcv_msg+0x44a/0x790
-
-The issue can be easily reproduced by adding a small delay before
-refcount_inc(&nbd->config_refs) in nbd_genl_connect():
-
- mutex_unlock(&nbd->config_lock);
- if (!ret) {
- set_bit(NBD_RT_HAS_CONFIG_REF, &config->runtime_flags);
-+ printk("before sleep\n");
-+ mdelay(5 * 1000);
-+ printk("after sleep\n");
- refcount_inc(&nbd->config_refs);
- nbd_connect_reply(info, nbd->index);
- }
-
-Fixes: e46c7287b1c2 ("nbd: add a basic netlink interface")
-Signed-off-by: Zheng Qixing
-Reviewed-by: Yu Kuai
-Signed-off-by: Jens Axboe
----
- drivers/block/nbd.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
-index deb298371a6a..dcb04bc88897 100644
---- a/drivers/block/nbd.c
-+++ b/drivers/block/nbd.c
-@@ -2169,12 +2169,13 @@ static int nbd_genl_connect(struct sk_buff *skb, struct genl_info *info)
-
- ret = nbd_start_device(nbd);
- out:
-- mutex_unlock(&nbd->config_lock);
- if (!ret) {
- set_bit(NBD_RT_HAS_CONFIG_REF, &config->runtime_flags);
- refcount_inc(&nbd->config_refs);
- nbd_connect_reply(info, nbd->index);
- }
-+ mutex_unlock(&nbd->config_lock);
-+
- nbd_config_put(nbd);
- if (put_dev)
- nbd_put(nbd);
---
-2.43.0
-
diff --git a/SPECS/kernel/CVE-2025-68371.patch b/SPECS/kernel/CVE-2025-68371.patch
deleted file mode 100644
index 42567c6a19..0000000000
--- a/SPECS/kernel/CVE-2025-68371.patch
+++ /dev/null
@@ -1,90 +0,0 @@ -From ea41b3b3b55169adfdec974a76c5c55a29731be9 Mon Sep 17 00:00:00 2001 -From: Mike McGowen -Date: Thu, 6 Nov 2025 10:38:20 -0600 -Subject: [PATCH 30/45] scsi: smartpqi: Fix device resources accessed after - device removal - -Correct possible race conditions during device removal. - -Previously, a scheduled work item to reset a LUN could still execute -after the device was removed, leading to use-after-free and other -resource access issues. - -This race condition occurs because the abort handler may schedule a LUN -reset concurrently with device removal via sdev_destroy(), leading to -use-after-free and improper access to freed resources. - - - Check in the device reset handler if the device is still present in - the controller's SCSI device list before running; if not, the reset - is skipped. - - - Cancel any pending TMF work that has not started in sdev_destroy(). - - - Ensure device freeing in sdev_destroy() is done while holding the - LUN reset mutex to avoid races with ongoing resets. - -Fixes: 2d80f4054f7f ("scsi: smartpqi: Update deleting a LUN via sysfs") -Reviewed-by: Scott Teel -Reviewed-by: Scott Benesh -Signed-off-by: Mike McGowen -Signed-off-by: Don Brace -Link: https://patch.msgid.link/20251106163823.786828-3-don.brace@microchip.com -Signed-off-by: Martin K. 
Petersen ---- - drivers/scsi/smartpqi/smartpqi_init.c | 19 +++++++++++++++++++ - 1 file changed, 19 insertions(+) - -diff --git a/drivers/scsi/smartpqi/smartpqi_init.c b/drivers/scsi/smartpqi/smartpqi_init.c -index c5a21e369e16..018f5428a07d 100644 ---- a/drivers/scsi/smartpqi/smartpqi_init.c -+++ b/drivers/scsi/smartpqi/smartpqi_init.c -@@ -6395,10 +6395,22 @@ static int pqi_device_reset(struct pqi_ctrl_info *ctrl_info, struct pqi_scsi_dev - - static int pqi_device_reset_handler(struct pqi_ctrl_info *ctrl_info, struct pqi_scsi_dev *device, u8 lun, struct scsi_cmnd *scmd, u8 scsi_opcode) - { -+ unsigned long flags; - int rc; - - mutex_lock(&ctrl_info->lun_reset_mutex); - -+ spin_lock_irqsave(&ctrl_info->scsi_device_list_lock, flags); -+ if (pqi_find_scsi_dev(ctrl_info, device->bus, device->target, device->lun) == NULL) { -+ dev_warn(&ctrl_info->pci_dev->dev, -+ "skipping reset of scsi %d:%d:%d:%u, device has been removed\n", -+ ctrl_info->scsi_host->host_no, device->bus, device->target, device->lun); -+ spin_unlock_irqrestore(&ctrl_info->scsi_device_list_lock, flags); -+ mutex_unlock(&ctrl_info->lun_reset_mutex); -+ return 0; -+ } -+ spin_unlock_irqrestore(&ctrl_info->scsi_device_list_lock, flags); -+ - dev_err(&ctrl_info->pci_dev->dev, - "resetting scsi %d:%d:%d:%u SCSI cmd at %p due to cmd opcode 0x%02x\n", - ctrl_info->scsi_host->host_no, device->bus, device->target, lun, scmd, scsi_opcode); -@@ -6578,7 +6590,9 @@ static void pqi_slave_destroy(struct scsi_device *sdev) - { - struct pqi_ctrl_info *ctrl_info; - struct pqi_scsi_dev *device; -+ struct pqi_tmf_work *tmf_work; - int mutex_acquired; -+ unsigned int lun; - unsigned long flags; - - ctrl_info = shost_to_hba(sdev->host); -@@ -6605,8 +6619,13 @@ static void pqi_slave_destroy(struct scsi_device *sdev) - - mutex_unlock(&ctrl_info->scan_mutex); - -+ for (lun = 0, tmf_work = device->tmf_work; lun < PQI_MAX_LUNS_PER_DEVICE; lun++, tmf_work++) -+ cancel_work_sync(&tmf_work->work_struct); -+ -+ 
mutex_lock(&ctrl_info->lun_reset_mutex); - pqi_dev_info(ctrl_info, "removed", device); - pqi_free_device(device); -+ mutex_unlock(&ctrl_info->lun_reset_mutex); - } - - static int pqi_getpciinfo_ioctl(struct pqi_ctrl_info *ctrl_info, void __user *arg) --- -2.43.0 - diff --git a/SPECS/kernel/CVE-2025-68372.patch b/SPECS/kernel/CVE-2025-68372.patch deleted file mode 100644 index 7ffc6026aa..0000000000 --- a/SPECS/kernel/CVE-2025-68372.patch +++ /dev/null 
@@ -1,97 +0,0 @@
-From fccf2e01ee8619c9380fff3a52f543a620b78977 Mon Sep 17 00:00:00 2001
-From: Zheng Qixing
-Date: Sat, 8 Nov 2025 15:02:02 +0800
-Subject: [PATCH 20/45] nbd: defer config put in recv_work
-
-There is one uaf issue in recv_work when running NBD_CLEAR_SOCK and
-NBD_CMD_RECONFIGURE:
- nbd_genl_connect // conf_ref=2 (connect and recv_work A)
- nbd_open // conf_ref=3
- recv_work A done // conf_ref=2
- NBD_CLEAR_SOCK // conf_ref=1
- nbd_genl_reconfigure // conf_ref=2 (trigger recv_work B)
- close nbd // conf_ref=1
- recv_work B
- config_put // conf_ref=0
- atomic_dec(&config->recv_threads); -> UAF
-
-Or only running NBD_CLEAR_SOCK:
- nbd_genl_connect // conf_ref=2
- nbd_open // conf_ref=3
- NBD_CLEAR_SOCK // conf_ref=2
- close nbd
- nbd_release
- config_put // conf_ref=1
- recv_work
- config_put // conf_ref=0
- atomic_dec(&config->recv_threads); -> UAF
-
-Commit 87aac3a80af5 ("nbd: call nbd_config_put() before notifying the
-waiter") moved nbd_config_put() to run before waking up the waiter in
-recv_work, in order to ensure that nbd_start_device_ioctl() would not
-be woken up while nbd->task_recv was still uncleared.
-
-However, in nbd_start_device_ioctl(), after being woken up it explicitly
-calls flush_workqueue() to make sure all current works are finished.
-Therefore, there is no need to move the config put ahead of the wakeup.
-
-Move nbd_config_put() to the end of recv_work, so that the reference is
-held for the whole lifetime of the worker thread. This makes sure the
-config cannot be freed while recv_work is still running, even if clear
-+ reconfigure interleave.
-
-In addition, we don't need to worry about recv_work dropping the last
-nbd_put (which causes deadlock):
-
-path A (netlink with NBD_CFLAG_DESTROY_ON_DISCONNECT):
- connect // nbd_refs=1 (trigger recv_work)
- open nbd // nbd_refs=2
- NBD_CLEAR_SOCK
- close nbd
- nbd_release
- nbd_disconnect_and_put
- flush_workqueue // recv_work done
- nbd_config_put
- nbd_put // nbd_refs=1
- nbd_put // nbd_refs=0
- queue_work
-
-path B (netlink without NBD_CFLAG_DESTROY_ON_DISCONNECT):
- connect // nbd_refs=2 (trigger recv_work)
- open nbd // nbd_refs=3
- NBD_CLEAR_SOCK // conf_refs=2
- close nbd
- nbd_release
- nbd_config_put // conf_refs=1
- nbd_put // nbd_refs=2
- recv_work done // conf_refs=0, nbd_refs=1
- rmmod // nbd_refs=0
-
-Reported-by: syzbot+56fbf4c7ddf65e95c7cc@syzkaller.appspotmail.com
-Closes: https://lore.kernel.org/all/6907edce.a70a0220.37351b.0014.GAE@google.com/T/
-Fixes: 87aac3a80af5 ("nbd: make the config put is called before the notifying the waiter")
-Depends-on: e2daec488c57 ("nbd: Fix hungtask when nbd_config_put")
-Signed-off-by: Zheng Qixing
-Signed-off-by: Jens Axboe
----
- drivers/block/nbd.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
-index dcb04bc88897..958bd115a341 100644
---- a/drivers/block/nbd.c
-+++ b/drivers/block/nbd.c
-@@ -963,9 +963,9 @@ static void recv_work(struct work_struct *work)
- nbd_mark_nsock_dead(nbd, nsock, 1);
- mutex_unlock(&nsock->tx_lock);
-
-- nbd_config_put(nbd);
- atomic_dec(&config->recv_threads);
- wake_up(&config->recv_wq);
-+ nbd_config_put(nbd);
- kfree(args);
- }
-
---
-2.43.0
-
diff --git a/SPECS/kernel/CVE-2025-68374.patch b/SPECS/kernel/CVE-2025-68374.patch
deleted file mode 100644
index 372e884c0e..0000000000
--- a/SPECS/kernel/CVE-2025-68374.patch
+++ /dev/null
@@ -1,109 +0,0 @@ -From 067d0664657083155b8635f7bd7675244969dc45 Mon Sep 17 00:00:00 2001 -From: Yun Zhou -Date: Wed, 15 Oct 2025 16:32:27 +0800 -Subject: [PATCH 21/45] md: fix rcu protection in md_wakeup_thread - -We attempted to use RCU to protect the pointer 'thread', but directly -passed the value when calling md_wakeup_thread(). This means that the -RCU pointer has been acquired before rcu_read_lock(), which renders -rcu_read_lock() ineffective and could lead to a use-after-free. - -Link: https://lore.kernel.org/linux-raid/20251015083227.1079009-1-yun.zhou@windriver.com -Fixes: 446931543982 ("md: protect md_thread with rcu") -Signed-off-by: Yun Zhou -Reviewed-by: Li Nan -Reviewed-by: Yu Kuai -Signed-off-by: Yu Kuai ---- - drivers/md/md.c | 14 ++++++-------- - drivers/md/md.h | 8 +++++++- - 2 files changed, 13 insertions(+), 9 deletions(-) - -diff --git a/drivers/md/md.c b/drivers/md/md.c -index 2df47aa4f2db..cb81c0c61746 100644 ---- a/drivers/md/md.c -+++ b/drivers/md/md.c -@@ -106,7 +106,7 @@ static int remove_and_add_spares(struct mddev *mddev, - struct md_rdev *this); - static void mddev_detach(struct mddev *mddev); - static void export_rdev(struct md_rdev *rdev, struct mddev *mddev); --static void md_wakeup_thread_directly(struct md_thread __rcu *thread); -+static void md_wakeup_thread_directly(struct md_thread __rcu **thread); - - /* - * Default number of read corrections we'll attempt on an rdev -@@ -4926,7 +4926,7 @@ static void stop_sync_thread(struct mddev *mddev, bool locked) - * Thread might be blocked waiting for metadata update which will now - * never happen - */ -- md_wakeup_thread_directly(mddev->sync_thread); -+ md_wakeup_thread_directly(&mddev->sync_thread); - if (work_pending(&mddev->sync_work)) - flush_work(&mddev->sync_work); - -@@ -8051,22 +8051,21 @@ static int md_thread(void *arg) - return 0; - } - --static void md_wakeup_thread_directly(struct md_thread __rcu *thread) -+static void md_wakeup_thread_directly(struct md_thread __rcu 
**thread) - { - struct md_thread *t; - - rcu_read_lock(); -- t = rcu_dereference(thread); -+ t = rcu_dereference(*thread); - if (t) - wake_up_process(t->tsk); - rcu_read_unlock(); - } - --void md_wakeup_thread(struct md_thread __rcu *thread) -+void __md_wakeup_thread(struct md_thread __rcu *thread) - { - struct md_thread *t; - -- rcu_read_lock(); - t = rcu_dereference(thread); - if (t) { - pr_debug("md: waking up MD thread %s.\n", t->tsk->comm); -@@ -8074,9 +8073,8 @@ void md_wakeup_thread(struct md_thread __rcu *thread) - if (wq_has_sleeper(&t->wqueue)) - wake_up(&t->wqueue); - } -- rcu_read_unlock(); - } --EXPORT_SYMBOL(md_wakeup_thread); -+EXPORT_SYMBOL(__md_wakeup_thread); - - struct md_thread *md_register_thread(void (*run) (struct md_thread *), - struct mddev *mddev, const char *name) -diff --git a/drivers/md/md.h b/drivers/md/md.h -index 8826dce9717d..20857b898462 100644 ---- a/drivers/md/md.h -+++ b/drivers/md/md.h -@@ -838,6 +838,12 @@ struct md_io_clone { - - #define THREAD_WAKEUP 0 - -+#define md_wakeup_thread(thread) do { \ -+ rcu_read_lock(); \ -+ __md_wakeup_thread(thread); \ -+ rcu_read_unlock(); \ -+} while (0) -+ - static inline void safe_put_page(struct page *p) - { - if (p) put_page(p); -@@ -855,7 +861,7 @@ extern struct md_thread *md_register_thread( - struct mddev *mddev, - const char *name); - extern void md_unregister_thread(struct mddev *mddev, struct md_thread __rcu **threadp); --extern void md_wakeup_thread(struct md_thread __rcu *thread); -+extern void __md_wakeup_thread(struct md_thread __rcu *thread); - extern void md_check_recovery(struct mddev *mddev); - extern void md_reap_sync_thread(struct mddev *mddev); - extern enum sync_action md_sync_action(struct mddev *mddev); --- -2.43.0 - diff --git a/SPECS/kernel/CVE-2025-68378.patch b/SPECS/kernel/CVE-2025-68378.patch deleted file mode 100644 index 93010531a5..0000000000 --- a/SPECS/kernel/CVE-2025-68378.patch +++ /dev/null 
@@ -1,107 +0,0 @@ -From ce2cdaf02b160e95e7d280485140b5cb29df51b8 Mon Sep 17 00:00:00 2001 -From: Arnaud Lecomte -Date: Tue, 30 Dec 2025 01:21:18 -0800 -Subject: [PATCH 22/45] bpf: Fix stackmap overflow check in __bpf_get_stackid() - -Syzkaller reported a KASAN slab-out-of-bounds write in __bpf_get_stackid() -when copying stack trace data. The issue occurs when the perf trace - contains more stack entries than the stack map bucket can hold, - leading to an out-of-bounds write in the bucket's data array. - -Fixes: ee2a098851bf ("bpf: Adjust BPF stack helper functions to accommodate skip > 0") -Reported-by: syzbot+c9b724fbb41cf2538b7b@syzkaller.appspotmail.com -Signed-off-by: Arnaud Lecomte -Signed-off-by: Andrii Nakryiko -Acked-by: Yonghong Song -Acked-by: Song Liu -Link: https://lore.kernel.org/bpf/20251025192941.1500-1-contact@arnaud-lcm.com - -Closes: https://syzkaller.appspot.com/bug?extid=c9b724fbb41cf2538b7b ---- - kernel/bpf/stackmap.c | 37 ++++++++++++++++++++++++++++++------- - 1 file changed, 30 insertions(+), 7 deletions(-) - -diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c -index 3615c06b7dfa..891cdb562c3a 100644 ---- a/kernel/bpf/stackmap.c -+++ b/kernel/bpf/stackmap.c -@@ -42,6 +42,28 @@ static inline int stack_map_data_size(struct bpf_map *map) - sizeof(struct bpf_stack_build_id) : sizeof(u64); - } - -+/** -+ * stack_map_calculate_max_depth - Calculate maximum allowed stack trace depth -+ * @size: Size of the buffer/map value in bytes -+ * @elem_size: Size of each stack trace element -+ * @flags: BPF stack trace flags (BPF_F_USER_STACK, BPF_F_USER_BUILD_ID, ...) -+ * -+ * Return: Maximum number of stack trace entries that can be safely stored. 
-+ */ -+static u32 stack_map_calculate_max_depth(u32 size, u32 elem_size, u64 flags) -+{ -+ u32 skip = flags & BPF_F_SKIP_FIELD_MASK; -+ u32 max_depth; -+ u32 curr_sysctl_max_stack = READ_ONCE(sysctl_perf_event_max_stack); -+ -+ max_depth = size / elem_size; -+ max_depth += skip; -+ if (max_depth > curr_sysctl_max_stack) -+ return curr_sysctl_max_stack; -+ -+ return max_depth; -+} -+ - static int prealloc_elems_and_freelist(struct bpf_stack_map *smap) - { - u64 elem_size = sizeof(struct stack_map_bucket) + -@@ -229,8 +251,8 @@ static long __bpf_get_stackid(struct bpf_map *map, - { - struct bpf_stack_map *smap = container_of(map, struct bpf_stack_map, map); - struct stack_map_bucket *bucket, *new_bucket, *old_bucket; -+ u32 hash, id, trace_nr, trace_len, i, max_depth; - u32 skip = flags & BPF_F_SKIP_FIELD_MASK; -- u32 hash, id, trace_nr, trace_len, i; - bool user = flags & BPF_F_USER_STACK; - u64 *ips; - bool hash_matches; -@@ -239,7 +261,8 @@ static long __bpf_get_stackid(struct bpf_map *map, - /* skipping more than usable stack trace */ - return -EFAULT; - -- trace_nr = trace->nr - skip; -+ max_depth = stack_map_calculate_max_depth(map->value_size, stack_map_data_size(map), flags); -+ trace_nr = min_t(u32, trace->nr - skip, max_depth - skip); - trace_len = trace_nr * sizeof(u64); - ips = trace->ip + skip; - hash = jhash2((u32 *)ips, trace_len / sizeof(u32), 0); -@@ -371,15 +394,11 @@ BPF_CALL_3(bpf_get_stackid_pe, struct bpf_perf_event_data_kern *, ctx, - return -EFAULT; - - nr_kernel = count_kernel_ip(trace); -+ __u64 nr = trace->nr; /* save original */ - - if (kernel) { -- __u64 nr = trace->nr; -- - trace->nr = nr_kernel; - ret = __bpf_get_stackid(map, trace, flags); -- -- /* restore nr */ -- trace->nr = nr; - } else { /* user */ - u64 skip = flags & BPF_F_SKIP_FIELD_MASK; - -@@ -390,6 +409,10 @@ BPF_CALL_3(bpf_get_stackid_pe, struct bpf_perf_event_data_kern *, ctx, - flags = (flags & ~BPF_F_SKIP_FIELD_MASK) | skip; - ret = __bpf_get_stackid(map, trace, flags); 
- } -+ -+ /* restore nr */ -+ trace->nr = nr; -+ - return ret; - } - --- -2.43.0 - diff --git a/SPECS/kernel/CVE-2025-68379.patch b/SPECS/kernel/CVE-2025-68379.patch deleted file mode 100644 index 090304aec5..0000000000 --- a/SPECS/kernel/CVE-2025-68379.patch +++ /dev/null 
@@ -1,90 +0,0 @@ -From ad8ec7c18be327eef543ea0a64218c8a256d8e48 Mon Sep 17 00:00:00 2001 -From: Zhu Yanjun -Date: Mon, 27 Oct 2025 14:52:03 -0700 -Subject: [PATCH 10/45] RDMA/rxe: Fix null deref on srq->rq.queue after resize - failure - -A NULL pointer dereference can occur in rxe_srq_chk_attr() when -ibv_modify_srq() is invoked twice in succession under certain error -conditions. The first call may fail in rxe_queue_resize(), which leads -rxe_srq_from_attr() to set srq->rq.queue = NULL. The second call then -triggers a crash (null deref) when accessing -srq->rq.queue->buf->index_mask. - -Call Trace: - -rxe_modify_srq+0x170/0x480 [rdma_rxe] -? __pfx_rxe_modify_srq+0x10/0x10 [rdma_rxe] -? uverbs_try_lock_object+0x4f/0xa0 [ib_uverbs] -? rdma_lookup_get_uobject+0x1f0/0x380 [ib_uverbs] -ib_uverbs_modify_srq+0x204/0x290 [ib_uverbs] -? __pfx_ib_uverbs_modify_srq+0x10/0x10 [ib_uverbs] -? tryinc_node_nr_active+0xe6/0x150 -? uverbs_fill_udata+0xed/0x4f0 [ib_uverbs] -ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x2c0/0x470 [ib_uverbs] -? __pfx_ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x10/0x10 [ib_uverbs] -? uverbs_fill_udata+0xed/0x4f0 [ib_uverbs] -ib_uverbs_run_method+0x55a/0x6e0 [ib_uverbs] -? __pfx_ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x10/0x10 [ib_uverbs] -ib_uverbs_cmd_verbs+0x54d/0x800 [ib_uverbs] -? __pfx_ib_uverbs_cmd_verbs+0x10/0x10 [ib_uverbs] -? __pfx___raw_spin_lock_irqsave+0x10/0x10 -? __pfx_do_vfs_ioctl+0x10/0x10 -? ioctl_has_perm.constprop.0.isra.0+0x2c7/0x4c0 -? __pfx_ioctl_has_perm.constprop.0.isra.0+0x10/0x10 -ib_uverbs_ioctl+0x13e/0x220 [ib_uverbs] -? __pfx_ib_uverbs_ioctl+0x10/0x10 [ib_uverbs] -__x64_sys_ioctl+0x138/0x1c0 -do_syscall_64+0x82/0x250 -? fdget_pos+0x58/0x4c0 -? ksys_write+0xf3/0x1c0 -? __pfx_ksys_write+0x10/0x10 -? do_syscall_64+0xc8/0x250 -? __pfx_vm_mmap_pgoff+0x10/0x10 -? fget+0x173/0x230 -? fput+0x2a/0x80 -? ksys_mmap_pgoff+0x224/0x4c0 -? do_syscall_64+0xc8/0x250 -? do_user_addr_fault+0x37b/0xfe0 -? 
clear_bhb_loop+0x50/0xa0 -? clear_bhb_loop+0x50/0xa0 -? clear_bhb_loop+0x50/0xa0 -entry_SYSCALL_64_after_hwframe+0x76/0x7e - -Fixes: 8700e3e7c485 ("Soft RoCE driver") -Tested-by: Liu Yi -Signed-off-by: Zhu Yanjun -Link: https://patch.msgid.link/20251027215203.1321-1-yanjun.zhu@linux.dev -Signed-off-by: Leon Romanovsky ---- - drivers/infiniband/sw/rxe/rxe_srq.c | 7 +------ - 1 file changed, 1 insertion(+), 6 deletions(-) - -diff --git a/drivers/infiniband/sw/rxe/rxe_srq.c b/drivers/infiniband/sw/rxe/rxe_srq.c -index 3661cb627d28..2a234f26ac10 100644 ---- a/drivers/infiniband/sw/rxe/rxe_srq.c -+++ b/drivers/infiniband/sw/rxe/rxe_srq.c -@@ -171,7 +171,7 @@ int rxe_srq_from_attr(struct rxe_dev *rxe, struct rxe_srq *srq, - udata, mi, &srq->rq.producer_lock, - &srq->rq.consumer_lock); - if (err) -- goto err_free; -+ return err; - - srq->rq.max_wr = attr->max_wr; - } -@@ -180,11 +180,6 @@ int rxe_srq_from_attr(struct rxe_dev *rxe, struct rxe_srq *srq, - srq->limit = attr->srq_limit; - - return 0; -- --err_free: -- rxe_queue_cleanup(q); -- srq->rq.queue = NULL; -- return err; - } - - void rxe_srq_cleanup(struct rxe_pool_elem *elem) --- -2.43.0 - diff --git a/SPECS/kernel/CVE-2025-68724.patch b/SPECS/kernel/CVE-2025-68724.patch deleted file mode 100644 index 31cc0f2e41..0000000000 --- a/SPECS/kernel/CVE-2025-68724.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -From 21ca32cbb3c0dcdfe3b62e555a32f163e4882a76 Mon Sep 17 00:00:00 2001 -From: Thorsten Blum -Date: Mon, 13 Oct 2025 13:40:10 +0200 -Subject: [PATCH 14/45] crypto: asymmetric_keys - prevent overflow in - asymmetric_key_generate_id - -Use check_add_overflow() to guard against potential integer overflows -when adding the binary blob lengths and the size of an asymmetric_key_id -structure and return ERR_PTR(-EOVERFLOW) accordingly. This prevents a -possible buffer overflow when copying data from potentially malicious -X.509 certificate fields that can be arbitrarily large, such as ASN.1 -INTEGER serial numbers, issuer names, etc. - -Fixes: 7901c1a8effb ("KEYS: Implement binary asymmetric key ID handling") -Signed-off-by: Thorsten Blum -Reviewed-by: Lukas Wunner -Signed-off-by: Herbert Xu ---- - crypto/asymmetric_keys/asymmetric_type.c | 14 ++++++++++---- - 1 file changed, 10 insertions(+), 4 deletions(-) - -diff --git a/crypto/asymmetric_keys/asymmetric_type.c b/crypto/asymmetric_keys/asymmetric_type.c -index 43af5fa510c0..7859b0692b42 100644 ---- a/crypto/asymmetric_keys/asymmetric_type.c -+++ b/crypto/asymmetric_keys/asymmetric_type.c -@@ -11,6 +11,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -151,12 +152,17 @@ struct asymmetric_key_id *asymmetric_key_generate_id(const void *val_1, - size_t len_2) - { - struct asymmetric_key_id *kid; -- -- kid = kmalloc(sizeof(struct asymmetric_key_id) + len_1 + len_2, -- GFP_KERNEL); -+ size_t kid_sz; -+ size_t len; -+ -+ if (check_add_overflow(len_1, len_2, &len)) -+ return ERR_PTR(-EOVERFLOW); -+ if (check_add_overflow(sizeof(struct asymmetric_key_id), len, &kid_sz)) -+ return ERR_PTR(-EOVERFLOW); -+ kid = kmalloc(kid_sz, GFP_KERNEL); - if (!kid) - return ERR_PTR(-ENOMEM); -- kid->len = len_1 + len_2; -+ kid->len = len; - memcpy(kid->data, val_1, len_1); - memcpy(kid->data + len_1, val_2, len_2); - return kid; --- -2.43.0 - 
diff --git a/SPECS/kernel/CVE-2025-68732.patch b/SPECS/kernel/CVE-2025-68732.patch deleted file mode 100644 index 8ecc818668..0000000000 --- a/SPECS/kernel/CVE-2025-68732.patch +++ /dev/null @@ -1,53 +0,0 @@ -From fc458c8c62d80bcdf944f82ca55c90f245b7b4f0 Mon Sep 17 00:00:00 2001 -From: Mainak Sen -Date: Mon, 7 Jul 2025 18:17:39 +0900 -Subject: [PATCH 11/45] gpu: host1x: Fix race in syncpt alloc/free - -Fix race condition between host1x_syncpt_alloc() -and host1x_syncpt_put() by using kref_put_mutex() -instead of kref_put() + manual mutex locking. - -This ensures no thread can acquire the -syncpt_mutex after the refcount drops to zero -but before syncpt_release acquires it. -This prevents races where syncpoints could -be allocated while still being cleaned up -from a previous release. - -Remove explicit mutex locking in syncpt_release -as kref_put_mutex() handles this atomically. - -Signed-off-by: Mainak Sen -Fixes: f5ba33fb9690 ("gpu: host1x: Reserve VBLANK syncpoints at initialization") -Signed-off-by: Mikko Perttunen -Signed-off-by: Thierry Reding -Link: https://lore.kernel.org/r/20250707-host1x-syncpt-race-fix-v1-1-28b0776e70bc@nvidia.com ---- - drivers/gpu/host1x/syncpt.c | 4 +--- - 1 file changed, 1 insertion(+), 3 deletions(-) - -diff --git a/drivers/gpu/host1x/syncpt.c b/drivers/gpu/host1x/syncpt.c -index f63d14a57a1d..acc7d82e0585 100644 ---- a/drivers/gpu/host1x/syncpt.c -+++ b/drivers/gpu/host1x/syncpt.c -@@ -345,8 +345,6 @@ static void syncpt_release(struct kref *ref) - - sp->locked = false; - -- mutex_lock(&sp->host->syncpt_mutex); -- - host1x_syncpt_base_free(sp->base); - kfree(sp->name); - sp->base = NULL; -@@ -369,7 +367,7 @@ void host1x_syncpt_put(struct host1x_syncpt *sp) - if (!sp) - return; - -- kref_put(&sp->ref, syncpt_release); -+ kref_put_mutex(&sp->ref, syncpt_release, &sp->host->syncpt_mutex); - } - EXPORT_SYMBOL(host1x_syncpt_put); - --- -2.43.0 - 
diff --git a/SPECS/kernel/CVE-2025-68733.patch b/SPECS/kernel/CVE-2025-68733.patch
deleted file mode 100644
index 0de373e72f..0000000000
--- a/SPECS/kernel/CVE-2025-68733.patch
+++ /dev/null
@@ -1,96 +0,0 @@ -From a55c1fb9fbd38b4980901866f3b768208702a488 Mon Sep 17 00:00:00 2001 -From: Konstantin Andreev -Date: Tue, 17 Jun 2025 00:32:16 +0300 -Subject: [PATCH 07/45] smack: fix bug: unprivileged task can create labels - -If an unprivileged task is allowed to relabel itself -(/smack/relabel-self is not empty), -it can freely create new labels by writing their -names into own /proc/PID/attr/smack/current - -This occurs because do_setattr() imports -the provided label in advance, -before checking "relabel-self" list. - -This change ensures that the "relabel-self" list -is checked before importing the label. - -Fixes: 38416e53936e ("Smack: limited capability for changing process label") -Signed-off-by: Konstantin Andreev -Signed-off-by: Casey Schaufler ---- - security/smack/smack_lsm.c | 41 +++++++++++++++++++++++++------------- - 1 file changed, 27 insertions(+), 14 deletions(-) - -diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c -index 9e13fd392063..178de6e71f77 100644 ---- a/security/smack/smack_lsm.c -+++ b/security/smack/smack_lsm.c -@@ -3739,8 +3739,8 @@ static int do_setattr(u64 attr, void *value, size_t size) - struct task_smack *tsp = smack_cred(current_cred()); - struct cred *new; - struct smack_known *skp; -- struct smack_known_list_elem *sklep; -- int rc; -+ char *labelstr; -+ int rc = 0; - - if (!smack_privileged(CAP_MAC_ADMIN) && list_empty(&tsp->smk_relabel)) - return -EPERM; -@@ -3751,28 +3751,41 @@ static int do_setattr(u64 attr, void *value, size_t size) - if (attr != LSM_ATTR_CURRENT) - return -EOPNOTSUPP; - -- skp = smk_import_entry(value, size); -- if (IS_ERR(skp)) -- return PTR_ERR(skp); -+ labelstr = smk_parse_smack(value, size); -+ if (IS_ERR(labelstr)) -+ return PTR_ERR(labelstr); - - /* - * No process is ever allowed the web ("@") label - * and the star ("*") label. 
- */ -- if (skp == &smack_known_web || skp == &smack_known_star) -- return -EINVAL; -+ if (labelstr[1] == '\0' /* '@', '*' */) { -+ const char c = labelstr[0]; -+ -+ if (c == *smack_known_web.smk_known || -+ c == *smack_known_star.smk_known) { -+ rc = -EPERM; -+ goto free_labelstr; -+ } -+ } - - if (!smack_privileged(CAP_MAC_ADMIN)) { -- rc = -EPERM; -+ const struct smack_known_list_elem *sklep; - list_for_each_entry(sklep, &tsp->smk_relabel, list) -- if (sklep->smk_label == skp) { -- rc = 0; -- break; -- } -- if (rc) -- return rc; -+ if (strcmp(sklep->smk_label->smk_known, labelstr) == 0) -+ goto free_labelstr; -+ rc = -EPERM; - } - -+free_labelstr: -+ kfree(labelstr); -+ if (rc) -+ return -EPERM; -+ -+ skp = smk_import_entry(value, size); -+ if (IS_ERR(skp)) -+ return PTR_ERR(skp); -+ - new = prepare_creds(); - if (new == NULL) - return -ENOMEM; --- -2.43.0 - diff --git a/SPECS/kernel/CVE-2025-68740.patch b/SPECS/kernel/CVE-2025-68740.patch deleted file mode 100644 index 664cf64303..0000000000 --- a/SPECS/kernel/CVE-2025-68740.patch +++ /dev/null 
@@ -1,70 +0,0 @@ -From e1638a14812cf194c0bd7368b45ac69ac09d2bc3 Mon Sep 17 00:00:00 2001 -From: Zhao Yipeng -Date: Thu, 20 Nov 2025 15:18:05 +0800 -Subject: [PATCH 08/45] ima: Handle error code returned by - ima_filter_rule_match() - -In ima_match_rules(), if ima_filter_rule_match() returns -ENOENT due to -the rule being NULL, the function incorrectly skips the 'if (!rc)' check -and sets 'result = true'. The LSM rule is considered a match, causing -extra files to be measured by IMA. - -This issue can be reproduced in the following scenario: -After unloading the SELinux policy module via 'semodule -d', if an IMA -measurement is triggered before ima_lsm_rules is updated, -in ima_match_rules(), the first call to ima_filter_rule_match() returns --ESTALE. This causes the code to enter the 'if (rc == -ESTALE && -!rule_reinitialized)' block, perform ima_lsm_copy_rule() and retry. In -ima_lsm_copy_rule(), since the SELinux module has been removed, the rule -becomes NULL, and the second call to ima_filter_rule_match() returns --ENOENT. This bypasses the 'if (!rc)' check and results in a false match. - -Call trace: - selinux_audit_rule_match+0x310/0x3b8 - security_audit_rule_match+0x60/0xa0 - ima_match_rules+0x2e4/0x4a0 - ima_match_policy+0x9c/0x1e8 - ima_get_action+0x48/0x60 - process_measurement+0xf8/0xa98 - ima_bprm_check+0x98/0xd8 - security_bprm_check+0x5c/0x78 - search_binary_handler+0x6c/0x318 - exec_binprm+0x58/0x1b8 - bprm_execve+0xb8/0x130 - do_execveat_common.isra.0+0x1a8/0x258 - __arm64_sys_execve+0x48/0x68 - invoke_syscall+0x50/0x128 - el0_svc_common.constprop.0+0xc8/0xf0 - do_el0_svc+0x24/0x38 - el0_svc+0x44/0x200 - el0t_64_sync_handler+0x100/0x130 - el0t_64_sync+0x3c8/0x3d0 - -Fix this by changing 'if (!rc)' to 'if (rc <= 0)' to ensure that error -codes like -ENOENT do not bypass the check and accidentally result in a -successful match. 
- -Fixes: 4af4662fa4a9d ("integrity: IMA policy") -Signed-off-by: Zhao Yipeng -Reviewed-by: Roberto Sassu -Signed-off-by: Mimi Zohar ---- - security/integrity/ima/ima_policy.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c -index 09da8e639239..11b3ea1099ba 100644 ---- a/security/integrity/ima/ima_policy.c -+++ b/security/integrity/ima/ima_policy.c -@@ -672,7 +672,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, - goto retry; - } - } -- if (!rc) { -+ if (rc <= 0) { - result = false; - goto out; - } --- -2.43.0 - diff --git a/SPECS/kernel/CVE-2025-68741.patch b/SPECS/kernel/CVE-2025-68741.patch deleted file mode 100644 index 4b9959d100..0000000000 --- a/SPECS/kernel/CVE-2025-68741.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From 1305606afa33d05b0f3d0f1089ea7cb4aa7cb6ee Mon Sep 17 00:00:00 2001 -From: Zilin Guan -Date: Thu, 13 Nov 2025 15:12:46 +0000 -Subject: [PATCH 05/45] scsi: qla2xxx: Fix improper freeing of purex item - -In qla2xxx_process_purls_iocb(), an item is allocated via -qla27xx_copy_multiple_pkt(), which internally calls -qla24xx_alloc_purex_item(). - -The qla24xx_alloc_purex_item() function may return a pre-allocated item -from a per-adapter pool for small allocations, instead of dynamically -allocating memory with kzalloc(). - -An error handling path in qla2xxx_process_purls_iocb() incorrectly uses -kfree() to release the item. If the item was from the pre-allocated -pool, calling kfree() on it is a bug that can lead to memory corruption. - -Fix this by using the correct deallocation function, -qla24xx_free_purex_item(), which properly handles both dynamically -allocated and pre-allocated items. - -Fixes: 875386b98857 ("scsi: qla2xxx: Add Unsolicited LS Request and Response Support for NVMe") -Signed-off-by: Zilin Guan -Reviewed-by: Himanshu Madhani -Link: https://patch.msgid.link/20251113151246.762510-1-zilin@seu.edu.cn -Signed-off-by: Martin K. Petersen ---- - drivers/scsi/qla2xxx/qla_nvme.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/scsi/qla2xxx/qla_nvme.c b/drivers/scsi/qla2xxx/qla_nvme.c -index 316594aa40cc..42eb65a62f1f 100644 ---- a/drivers/scsi/qla2xxx/qla_nvme.c -+++ b/drivers/scsi/qla2xxx/qla_nvme.c -@@ -1292,7 +1292,7 @@ void qla2xxx_process_purls_iocb(void **pkt, struct rsp_que **rsp) - a.reason = FCNVME_RJT_RC_LOGIC; - a.explanation = FCNVME_RJT_EXP_NONE; - xmt_reject = true; -- kfree(item); -+ qla24xx_free_purex_item(item); - goto out; - } - --- -2.43.0 - diff --git a/SPECS/kernel/CVE-2025-68742.patch b/SPECS/kernel/CVE-2025-68742.patch deleted file mode 100644 index 2a1e92fa34..0000000000 --- a/SPECS/kernel/CVE-2025-68742.patch +++ /dev/null 
@@ -1,87 +0,0 @@ -From d625c15cc3356906e709ce4f59cada3557e15e9e Mon Sep 17 00:00:00 2001 -From: Pu Lehui -Date: Sat, 15 Nov 2025 10:23:43 +0000 -Subject: [PATCH 04/45] bpf: Fix invalid prog->stats access when - update_effective_progs fails - -Syzkaller triggers an invalid memory access issue following fault -injection in update_effective_progs. The issue can be described as -follows: - -__cgroup_bpf_detach - update_effective_progs - compute_effective_progs - bpf_prog_array_alloc <-- fault inject - purge_effective_progs - /* change to dummy_bpf_prog */ - array->items[index] = &dummy_bpf_prog.prog - ----softirq start--- -__do_softirq - ... - __cgroup_bpf_run_filter_skb - __bpf_prog_run_save_cb - bpf_prog_run - stats = this_cpu_ptr(prog->stats) - /* invalid memory access */ - flags = u64_stats_update_begin_irqsave(&stats->syncp) ----softirq end--- - - static_branch_dec(&cgroup_bpf_enabled_key[atype]) - -The reason is that fault injection caused update_effective_progs to fail -and then changed the original prog into dummy_bpf_prog.prog in -purge_effective_progs. Then a softirq came, and accessing the members of -dummy_bpf_prog.prog in the softirq triggers invalid mem access. - -To fix it, skip updating stats when stats is NULL. 
- -Fixes: 492ecee892c2 ("bpf: enable program stats") -Signed-off-by: Pu Lehui -Link: https://lore.kernel.org/r/20251115102343.2200727-1-pulehui@huaweicloud.com -Signed-off-by: Alexei Starovoitov ---- - include/linux/filter.h | 12 +++++++----- - kernel/bpf/syscall.c | 3 +++ - 2 files changed, 10 insertions(+), 5 deletions(-) - -diff --git a/include/linux/filter.h b/include/linux/filter.h -index 9b6908291de7..a91f2babf425 100644 ---- a/include/linux/filter.h -+++ b/include/linux/filter.h -@@ -692,11 +692,13 @@ static __always_inline u32 __bpf_prog_run(const struct bpf_prog *prog, - ret = dfunc(ctx, prog->insnsi, prog->bpf_func); - - duration = sched_clock() - start; -- stats = this_cpu_ptr(prog->stats); -- flags = u64_stats_update_begin_irqsave(&stats->syncp); -- u64_stats_inc(&stats->cnt); -- u64_stats_add(&stats->nsecs, duration); -- u64_stats_update_end_irqrestore(&stats->syncp, flags); -+ if (likely(prog->stats)) { -+ stats = this_cpu_ptr(prog->stats); -+ flags = u64_stats_update_begin_irqsave(&stats->syncp); -+ u64_stats_inc(&stats->cnt); -+ u64_stats_add(&stats->nsecs, duration); -+ u64_stats_update_end_irqrestore(&stats->syncp, flags); -+ } - } else { - ret = dfunc(ctx, prog->insnsi, prog->bpf_func); - } -diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c -index ba4543e771a6..04c8755c0b95 100644 ---- a/kernel/bpf/syscall.c -+++ b/kernel/bpf/syscall.c -@@ -2281,6 +2281,9 @@ void notrace bpf_prog_inc_misses_counter(struct bpf_prog *prog) - struct bpf_prog_stats *stats; - unsigned int flags; - -+ if (unlikely(!prog->stats)) -+ return; -+ - stats = this_cpu_ptr(prog->stats); - flags = u64_stats_update_begin_irqsave(&stats->syncp); - u64_stats_inc(&stats->misses); --- -2.43.0 - diff --git a/SPECS/kernel/CVE-2025-68744.patch b/SPECS/kernel/CVE-2025-68744.patch deleted file mode 100644 index 67f2b96abf..0000000000 --- a/SPECS/kernel/CVE-2025-68744.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From 2be35b43c19a1faf7ffda7c42b82b65bc0f80c36 Mon Sep 17 00:00:00 2001 -From: Leon Hwang -Date: Wed, 5 Nov 2025 23:14:06 +0800 -Subject: [PATCH 03/45] bpf: Free special fields when update [lru_,]percpu_hash - maps - -As [lru_,]percpu_hash maps support BPF_KPTR_{REF,PERCPU}, missing -calls to 'bpf_obj_free_fields()' in 'pcpu_copy_value()' could cause the -memory referenced by BPF_KPTR_{REF,PERCPU} fields to be held until the -map gets freed. - -Fix this by calling 'bpf_obj_free_fields()' after -'copy_map_value[,_long]()' in 'pcpu_copy_value()'. - -Fixes: 65334e64a493 ("bpf: Support kptrs in percpu hashmap and percpu LRU hashmap") -Signed-off-by: Leon Hwang -Acked-by: Yonghong Song -Link: https://lore.kernel.org/r/20251105151407.12723-2-leon.hwang@linux.dev -Signed-off-by: Alexei Starovoitov ---- - kernel/bpf/hashtab.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - -diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c -index 570e2f723144..26883a997e71 100644 ---- a/kernel/bpf/hashtab.c -+++ b/kernel/bpf/hashtab.c -@@ -961,15 +961,21 @@ static void free_htab_elem(struct bpf_htab *htab, struct htab_elem *l) - static void pcpu_copy_value(struct bpf_htab *htab, void __percpu *pptr, - void *value, bool onallcpus) - { -+ void *ptr; -+ - if (!onallcpus) { - /* copy true value_size bytes */ -- copy_map_value(&htab->map, this_cpu_ptr(pptr), value); -+ ptr = this_cpu_ptr(pptr); -+ copy_map_value(&htab->map, ptr, value); -+ bpf_obj_free_fields(htab->map.record, ptr); - } else { - u32 size = round_up(htab->map.value_size, 8); - int off = 0, cpu; - - for_each_possible_cpu(cpu) { -- copy_map_value_long(&htab->map, per_cpu_ptr(pptr, cpu), value + off); -+ ptr = per_cpu_ptr(pptr, cpu); -+ copy_map_value_long(&htab->map, ptr, value + off); -+ bpf_obj_free_fields(htab->map.record, ptr); - off += size; - } - } --- -2.43.0 - 
diff --git a/SPECS/kernel/CVE-2025-68768.patch b/SPECS/kernel/CVE-2025-68768.patch
new file mode 100644
index 0000000000..65e4deb39f
--- /dev/null
+++ b/SPECS/kernel/CVE-2025-68768.patch
@@ -0,0 +1,200 @@ +From b0eb6cf20f1f2a8687d785ddc7daf969f8929b2c Mon Sep 17 00:00:00 2001 +From: Jakub Kicinski +Date: Sat, 6 Dec 2025 17:09:41 -0800 +Subject: [PATCH 9/9] inet: frags: flush pending skbs in fqdir_pre_exit() + +We have been seeing occasional deadlocks on pernet_ops_rwsem since +September in NIPA. The stuck task was usually modprobe (often loading +a driver like ipvlan), trying to take the lock as a Writer. +lockdep does not track readers for rwsems so the read wasn't obvious +from the reports. + +On closer inspection the Reader holding the lock was conntrack looping +forever in nf_conntrack_cleanup_net_list(). Based on past experience +with occasional NIPA crashes I looked thru the tests which run before +the crash and noticed that the crash follows ip_defrag.sh. An immediate +red flag. Scouring thru (de)fragmentation queues reveals skbs sitting +around, holding conntrack references. + +The problem is that since conntrack depends on nf_defrag_ipv6, +nf_defrag_ipv6 will load first. Since nf_defrag_ipv6 loads first its +netns exit hooks run _after_ conntrack's netns exit hook. + +Flush all fragment queue SKBs during fqdir_pre_exit() to release +conntrack references before conntrack cleanup runs. Also flush +the queues in timer expiry handlers when they discover fqdir->dead +is set, in case packet sneaks in while we're running the pre_exit +flush. + +The commit under Fixes is not exactly the culprit, but I think +previously the timer firing would eventually unblock the spinning +conntrack. 
+ +Fixes: d5dd88794a13 ("inet: fix various use-after-free in defrags units") +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20251207010942.1672972-4-kuba@kernel.org +Signed-off-by: Jakub Kicinski +--- + include/net/inet_frag.h | 15 +++---------- + include/net/ipv6_frag.h | 9 +++++--- + net/ipv4/inet_fragment.c | 46 ++++++++++++++++++++++++++++++++++++++++ + net/ipv4/ip_fragment.c | 12 ++++++----- + 4 files changed, 62 insertions(+), 20 deletions(-) + +diff --git a/include/net/inet_frag.h b/include/net/inet_frag.h +index 5af6eb14c5db..5287ceb9f0d7 100644 +--- a/include/net/inet_frag.h ++++ b/include/net/inet_frag.h +@@ -123,18 +123,7 @@ void inet_frags_fini(struct inet_frags *); + + int fqdir_init(struct fqdir **fqdirp, struct inet_frags *f, struct net *net); + +-static inline void fqdir_pre_exit(struct fqdir *fqdir) +-{ +- /* Prevent creation of new frags. +- * Pairs with READ_ONCE() in inet_frag_find(). +- */ +- WRITE_ONCE(fqdir->high_thresh, 0); +- +- /* Pairs with READ_ONCE() in inet_frag_kill(), ip_expire() +- * and ip6frag_expire_frag_queue(). +- */ +- WRITE_ONCE(fqdir->dead, true); +-} ++void fqdir_pre_exit(struct fqdir *fqdir); + void fqdir_exit(struct fqdir *fqdir); + + void inet_frag_kill(struct inet_frag_queue *q); +@@ -144,6 +133,8 @@ struct inet_frag_queue *inet_frag_find(struct fqdir *fqdir, void *key); + /* Free all skbs in the queue; return the sum of their truesizes. 
*/ + unsigned int inet_frag_rbtree_purge(struct rb_root *root, + enum skb_drop_reason reason); ++void inet_frag_queue_flush(struct inet_frag_queue *q, ++ enum skb_drop_reason reason); + + static inline void inet_frag_put(struct inet_frag_queue *q) + { +diff --git a/include/net/ipv6_frag.h b/include/net/ipv6_frag.h +index 7321ffe3a108..df61b98b5215 100644 +--- a/include/net/ipv6_frag.h ++++ b/include/net/ipv6_frag.h +@@ -68,9 +68,6 @@ ip6frag_expire_frag_queue(struct net *net, struct frag_queue *fq) + struct sk_buff *head; + + rcu_read_lock(); +- /* Paired with the WRITE_ONCE() in fqdir_pre_exit(). */ +- if (READ_ONCE(fq->q.fqdir->dead)) +- goto out_rcu_unlock; + spin_lock(&fq->q.lock); + + if (fq->q.flags & INET_FRAG_COMPLETE) +@@ -79,6 +76,12 @@ ip6frag_expire_frag_queue(struct net *net, struct frag_queue *fq) + fq->q.flags |= INET_FRAG_DROP; + inet_frag_kill(&fq->q); + ++ /* Paired with the WRITE_ONCE() in fqdir_pre_exit(). */ ++ if (READ_ONCE(fq->q.fqdir->dead)) { ++ inet_frag_queue_flush(&fq->q, 0); ++ goto out; ++ } ++ + dev = dev_get_by_index_rcu(net, fq->iif); + if (!dev) + goto out; +diff --git a/net/ipv4/inet_fragment.c b/net/ipv4/inet_fragment.c +index d179a2c84222..cbe006276028 100644 +--- a/net/ipv4/inet_fragment.c ++++ b/net/ipv4/inet_fragment.c +@@ -219,6 +219,41 @@ static int __init inet_frag_wq_init(void) + + pure_initcall(inet_frag_wq_init); + ++void fqdir_pre_exit(struct fqdir *fqdir) ++{ ++ struct inet_frag_queue *fq; ++ struct rhashtable_iter hti; ++ ++ /* Prevent creation of new frags. ++ * Pairs with READ_ONCE() in inet_frag_find(). ++ */ ++ WRITE_ONCE(fqdir->high_thresh, 0); ++ ++ /* Pairs with READ_ONCE() in inet_frag_kill(), ip_expire() ++ * and ip6frag_expire_frag_queue(). 
++ */ ++ WRITE_ONCE(fqdir->dead, true); ++ ++ rhashtable_walk_enter(&fqdir->rhashtable, &hti); ++ rhashtable_walk_start(&hti); ++ ++ while ((fq = rhashtable_walk_next(&hti))) { ++ if (IS_ERR(fq)) { ++ if (PTR_ERR(fq) != -EAGAIN) ++ break; ++ continue; ++ } ++ spin_lock_bh(&fq->lock); ++ if (!(fq->flags & INET_FRAG_COMPLETE)) ++ inet_frag_queue_flush(fq, 0); ++ spin_unlock_bh(&fq->lock); ++ } ++ ++ rhashtable_walk_stop(&hti); ++ rhashtable_walk_exit(&hti); ++} ++EXPORT_SYMBOL(fqdir_pre_exit); ++ + void fqdir_exit(struct fqdir *fqdir) + { + INIT_WORK(&fqdir->destroy_work, fqdir_work_fn); +@@ -287,6 +322,17 @@ unsigned int inet_frag_rbtree_purge(struct rb_root *root, + } + EXPORT_SYMBOL(inet_frag_rbtree_purge); + ++void inet_frag_queue_flush(struct inet_frag_queue *q, ++ enum skb_drop_reason reason) ++{ ++ unsigned int sum; ++ ++ reason = reason ?: SKB_DROP_REASON_FRAG_REASM_TIMEOUT; ++ sum = inet_frag_rbtree_purge(&q->rb_fragments, reason); ++ sub_frag_mem_limit(q->fqdir, sum); ++} ++EXPORT_SYMBOL(inet_frag_queue_flush); ++ + void inet_frag_destroy(struct inet_frag_queue *q) + { + unsigned int sum, sum_truesize = 0; +diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c +index 183856b0b740..13f7aaf79f03 100644 +--- a/net/ipv4/ip_fragment.c ++++ b/net/ipv4/ip_fragment.c +@@ -148,11 +148,6 @@ static void ip_expire(struct timer_list *t) + net = qp->q.fqdir->net; + + rcu_read_lock(); +- +- /* Paired with WRITE_ONCE() in fqdir_pre_exit(). */ +- if (READ_ONCE(qp->q.fqdir->dead)) +- goto out_rcu_unlock; +- + spin_lock(&qp->q.lock); + + if (qp->q.flags & INET_FRAG_COMPLETE) +@@ -160,6 +155,13 @@ static void ip_expire(struct timer_list *t) + + qp->q.flags |= INET_FRAG_DROP; + ipq_kill(qp); ++ ++ /* Paired with WRITE_ONCE() in fqdir_pre_exit(). */ ++ if (READ_ONCE(qp->q.fqdir->dead)) { ++ inet_frag_queue_flush(&qp->q, 0); ++ goto out; ++ } ++ + __IP_INC_STATS(net, IPSTATS_MIB_REASMFAILS); + __IP_INC_STATS(net, IPSTATS_MIB_REASMTIMEOUT); + +-- +2.43.0 + 
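Review bot: The new exported helper `inet_frag_queue_flush()` in net/ipv4/inet_fragment.c (added by CVE-2025-68768.patch) carries no comment on its locking contract or on what a zero `reason` means. All three call sites this patch adds (`fqdir_pre_exit()`, `ip_expire()` and `ip6frag_expire_frag_queue()`) appear to call it with the queue lock held. Each passes a literal `0`, which the helper maps to `SKB_DROP_REASON_FRAG_REASM_TIMEOUT`, so skbs flushed at netns teardown are reported under the reassembly-timeout drop reason. I would add a header comment such as `/* Caller holds q->lock. A zero reason is reported as SKB_DROP_REASON_FRAG_REASM_TIMEOUT. */`, so that someone reading drop-reason traces or adding another caller does not have to infer either point from the call sites.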
diff --git a/SPECS/kernel/CVE-2025-68823.patch b/SPECS/kernel/CVE-2025-68823.patch
new file mode 100644
index 0000000000..3f644d17c5
--- /dev/null
+++ b/SPECS/kernel/CVE-2025-68823.patch
@@ -0,0 +1,104 @@ +From e5245e86825a5c453b7a4330de35a2843a44d21c Mon Sep 17 00:00:00 2001 +From: Ming Lei +Date: Fri, 12 Dec 2025 22:34:15 +0800 +Subject: [PATCH 7/9] ublk: fix deadlock when reading partition table + +When one process(such as udev) opens ublk block device (e.g., to read +the partition table via bdev_open()), a deadlock[1] can occur: + +1. bdev_open() grabs disk->open_mutex +2. The process issues read I/O to ublk backend to read partition table +3. In __ublk_complete_rq(), blk_update_request() or blk_mq_end_request() + runs bio->bi_end_io() callbacks +4. If this triggers fput() on file descriptor of ublk block device, the + work may be deferred to current task's task work (see fput() implementation) +5. This eventually calls blkdev_release() from the same context +6. blkdev_release() tries to grab disk->open_mutex again +7. Deadlock: same task waiting for a mutex it already holds + +The fix is to run blk_update_request() and blk_mq_end_request() with bottom +halves disabled. This forces blkdev_release() to run in kernel work-queue +context instead of current task work context, and allows ublk server to make +forward progress, and avoids the deadlock. 
+ +Fixes: 71f28f3136af ("ublk_drv: add io_uring based userspace block driver") +Link: https://github.com/ublk-org/ublksrv/issues/170 [1] +Signed-off-by: Ming Lei +Reviewed-by: Caleb Sander Mateos +[axboe: rewrite comment in ublk] +Signed-off-by: Jens Axboe +--- + drivers/block/ublk_drv.c | 30 +++++++++++++++++++++++++++--- + 1 file changed, 27 insertions(+), 3 deletions(-) + +diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c +index b874cb84bad9..2d46383e8d26 100644 +--- a/drivers/block/ublk_drv.c ++++ b/drivers/block/ublk_drv.c +@@ -1020,6 +1020,13 @@ static inline bool ubq_daemon_is_dying(struct ublk_queue *ubq) + return ubq->ubq_daemon->flags & PF_EXITING; + } + ++static void ublk_end_request(struct request *req, blk_status_t error) ++{ ++ local_bh_disable(); ++ blk_mq_end_request(req, error); ++ local_bh_enable(); ++} ++ + /* todo: handle partial completion */ + static inline void __ublk_complete_rq(struct request *req) + { +@@ -1027,6 +1034,7 @@ static inline void __ublk_complete_rq(struct request *req) + struct ublk_io *io = &ubq->ios[req->tag]; + unsigned int unmapped_bytes; + blk_status_t res = BLK_STS_OK; ++ bool requeue; + + /* called from ublk_abort_queue() code path */ + if (io->flags & UBLK_IO_FLAG_ABORTED) { +@@ -1064,14 +1072,30 @@ static inline void __ublk_complete_rq(struct request *req) + if (unlikely(unmapped_bytes < io->res)) + io->res = unmapped_bytes; + +- if (blk_update_request(req, BLK_STS_OK, io->res)) ++ /* ++ * Run bio->bi_end_io() with softirqs disabled. If the final fput ++ * happens off this path, then that will prevent ublk's blkdev_release() ++ * from being called on current's task work, see fput() implementation. ++ * ++ * Otherwise, ublk server may not provide forward progress in case of ++ * reading the partition table from bdev_open() with disk->open_mutex ++ * held, and causes dead lock as we could already be holding ++ * disk->open_mutex here. 
++ * ++ * Preferably we would not be doing IO with a mutex held that is also ++ * used for release, but this work-around will suffice for now. ++ */ ++ local_bh_disable(); ++ requeue = blk_update_request(req, BLK_STS_OK, io->res); ++ local_bh_enable(); ++ if (requeue) + blk_mq_requeue_request(req, true); + else + __blk_mq_end_request(req, BLK_STS_OK); + + return; + exit: +- blk_mq_end_request(req, res); ++ ublk_end_request(req, res); + } + + static void ublk_complete_rq(struct kref *ref) +@@ -1149,7 +1173,7 @@ static inline void __ublk_abort_rq(struct ublk_queue *ubq, + if (ublk_nosrv_dev_should_queue_io(ubq->dev)) + blk_mq_requeue_request(rq, false); + else +- blk_mq_end_request(rq, BLK_STS_IOERR); ++ ublk_end_request(rq, BLK_STS_IOERR); + } + + static inline void __ublk_rq_task_work(struct request *req, +-- +2.43.0 + diff --git a/SPECS/kernel/CVE-2025-71074.patch b/SPECS/kernel/CVE-2025-71074.patch new file mode 100644 index 0000000000..7ffcae08b7 --- /dev/null +++ b/SPECS/kernel/CVE-2025-71074.patch 
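Review bot: In CVE-2025-68823.patch, the new `ublk_end_request()` helper in drivers/block/ublk_drv.c wraps `blk_mq_end_request()` in `local_bh_disable()`/`local_bh_enable()` without saying why; the explanation sits only in the comment inside `__ublk_complete_rq()`. A reader who meets the helper at the `exit:` label or in `__ublk_abort_rq()` could take the BH toggle for leftover code and remove it, which would bring back the disk->open_mutex deadlock the commit message describes. I would put a short comment on the helper, for example `/* End the request with BH disabled so a final fput() is not run from current's task work; see __ublk_complete_rq(). */`. The bodies of `__ublk_complete_rq()` and `__ublk_abort_rq()` extend beyond the inner hunks shown in the patch.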
@@ -0,0 +1,137 @@ +From 60188d3e31ae3865f777f746d8ca751a1294f3e7 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Fri, 14 Nov 2025 02:18:22 -0500 +Subject: [PATCH 8/9] functionfs: fix the open/removal races + +ffs_epfile_open() can race with removal, ending up with file->private_data +pointing to freed object. + +There is a total count of opened files on functionfs (both ep0 and +dynamic ones) and when it hits zero, dynamic files get removed. +Unfortunately, that removal can happen while another thread is +in ffs_epfile_open(), but has not incremented the count yet. +In that case open will succeed, leaving us with UAF on any subsequent +read() or write(). + +The root cause is that ffs->opened is misused; atomic_dec_and_test() vs. +atomic_add_return() is not a good idea, when object remains visible all +along. + +To untangle that + * serialize openers on ffs->mutex (both for ep0 and for dynamic files) + * have dynamic ones use atomic_inc_not_zero() and fail if we had +zero ->opened; in that case the file we are opening is doomed. + * have the inodes of dynamic files marked on removal (from the +callback of simple_recursive_removal()) - clear ->i_private there. + * have open of dynamic ones verify they hadn't been already removed, +along with checking that state is FFS_ACTIVE. 
+ +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Al Viro +--- + drivers/usb/gadget/function/f_fs.c | 54 ++++++++++++++++++++++++------ + 1 file changed, 43 insertions(+), 11 deletions(-) + +diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c +index f7be1548cc18..00e00f451dbd 100644 +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -640,13 +640,22 @@ static ssize_t ffs_ep0_read(struct file *file, char __user *buf, + + static int ffs_ep0_open(struct inode *inode, struct file *file) + { +- struct ffs_data *ffs = inode->i_private; ++ struct ffs_data *ffs = inode->i_sb->s_fs_info; ++ int ret; + +- if (ffs->state == FFS_CLOSING) +- return -EBUSY; ++ /* Acquire mutex */ ++ ret = ffs_mutex_lock(&ffs->mutex, file->f_flags & O_NONBLOCK); ++ if (ret < 0) ++ return ret; + +- file->private_data = ffs; + ffs_data_opened(ffs); ++ if (ffs->state == FFS_CLOSING) { ++ ffs_data_closed(ffs); ++ mutex_unlock(&ffs->mutex); ++ return -EBUSY; ++ } ++ mutex_unlock(&ffs->mutex); ++ file->private_data = ffs; + + return stream_open(inode, file); + } +@@ -1197,14 +1206,33 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data) + static int + ffs_epfile_open(struct inode *inode, struct file *file) + { +- struct ffs_epfile *epfile = inode->i_private; ++ struct ffs_data *ffs = inode->i_sb->s_fs_info; ++ struct ffs_epfile *epfile; ++ int ret; + +- if (WARN_ON(epfile->ffs->state != FFS_ACTIVE)) ++ /* Acquire mutex */ ++ ret = ffs_mutex_lock(&ffs->mutex, file->f_flags & O_NONBLOCK); ++ if (ret < 0) ++ return ret; ++ ++ if (!atomic_inc_not_zero(&ffs->opened)) { ++ mutex_unlock(&ffs->mutex); ++ return -ENODEV; ++ } ++ /* ++ * we want the state to be FFS_ACTIVE; FFS_ACTIVE alone is ++ * not enough, though - we might have been through FFS_CLOSING ++ * and back to FFS_ACTIVE, with our file already removed. 
++ */ ++ epfile = smp_load_acquire(&inode->i_private); ++ if (unlikely(ffs->state != FFS_ACTIVE || !epfile)) { ++ mutex_unlock(&ffs->mutex); ++ ffs_data_closed(ffs); + return -ENODEV; ++ } ++ mutex_unlock(&ffs->mutex); + + file->private_data = epfile; +- ffs_data_opened(epfile->ffs); +- + return stream_open(inode, file); + } + +@@ -1342,7 +1370,7 @@ static void ffs_dmabuf_put(struct dma_buf_attachment *attach) + static int + ffs_epfile_release(struct inode *inode, struct file *file) + { +- struct ffs_epfile *epfile = inode->i_private; ++ struct ffs_epfile *epfile = file->private_data; + struct ffs_dmabuf_priv *priv, *tmp; + struct ffs_data *ffs = epfile->ffs; + +@@ -2362,6 +2390,11 @@ static int ffs_epfiles_create(struct ffs_data *ffs) + return 0; + } + ++static void clear_one(struct dentry *dentry) ++{ ++ smp_store_release(&dentry->d_inode->i_private, NULL); ++} ++ + static void ffs_epfiles_destroy(struct ffs_epfile *epfiles, unsigned count) + { + struct ffs_epfile *epfile = epfiles; +@@ -2369,8 +2402,7 @@ static void ffs_epfiles_destroy(struct ffs_epfile *epfiles, unsigned count) + for (; count; --count, ++epfile) { + BUG_ON(mutex_is_locked(&epfile->mutex)); + if (epfile->dentry) { +- d_delete(epfile->dentry); +- dput(epfile->dentry); ++ simple_recursive_removal(epfile->dentry, clear_one); + epfile->dentry = NULL; + } + } +-- +2.43.0 + diff --git a/SPECS/kernel/CVE-2025-71161.patch b/SPECS/kernel/CVE-2025-71161.patch new file mode 100644 index 0000000000..853bc5cb32 --- /dev/null +++ b/SPECS/kernel/CVE-2025-71161.patch 
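Review bot: The two error paths added here drop the open count in a different order relative to `ffs->mutex`: `ffs_ep0_open()` calls `ffs_data_closed(ffs)` before `mutex_unlock(&ffs->mutex)`, while `ffs_epfile_open()` unlocks first and then calls `ffs_data_closed(ffs)`. `ffs_data_closed()` is not shown in this patch, so I cannot tell whether releasing the last reference under the mutex is intended; if the difference is deliberate it needs a comment at the ep0 site, otherwise the ep0 path should follow the epfile order. The `/* Acquire mutex */` comments only restate the call; something like `/* serialize openers against removal of the dynamic files */` would record why the lock is taken. Separately, this backport carries no upstream commit reference, unlike CVE-2025-71161.patch with its `(cherry picked from commit …)` line, which makes it harder to audit against its source.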
@@ -0,0 +1,76 @@ +From df13aca7214e72e11d9ca8abd849cf5ce379f89a Mon Sep 17 00:00:00 2001 +From: "LIOU, Mei Fan" +Date: Wed, 28 Jan 2026 20:43:52 -0800 +Subject: [PATCH 6/9] dm-verity: disable recursive forward error correction + +There are two problems with the recursive correction: + +1. It may cause denial-of-service. In fec_read_bufs, there is a loop that +has 253 iterations. For each iteration, we may call verity_hash_for_block +recursively. There is a limit of 4 nested recursions - that means that +there may be at most 253^4 (4 billion) iterations. Red Hat QE team +actually created an image that pushes dm-verity to this limit - and this +image just makes the udev-worker process get stuck in the 'D' state. + +2. It doesn't work. In fec_read_bufs we store data into the variable +"fio->bufs", but fio bufs is shared between recursive invocations, if +"verity_hash_for_block" invoked correction recursively, it would +overwrite partially filled fio->bufs. + +Signed-off-by: Mikulas Patocka +Reported-by: Guangwu Zhang +Reviewed-by: Sami Tolvanen +Reviewed-by: Eric Biggers +(cherry picked from commit d9f3e47d3fae0c101d9094bc956ed24e7a0ee801) +--- + drivers/md/dm-verity-fec.c | 4 +--- + drivers/md/dm-verity-fec.h | 3 --- + drivers/md/dm-verity-target.c | 2 +- + 3 files changed, 2 insertions(+), 7 deletions(-) + +diff --git a/drivers/md/dm-verity-fec.c b/drivers/md/dm-verity-fec.c +index 7d477ff6f26b..c55f454ff979 100644 +--- a/drivers/md/dm-verity-fec.c ++++ b/drivers/md/dm-verity-fec.c +@@ -424,10 +424,8 @@ int verity_fec_decode(struct dm_verity *v, struct dm_verity_io *io, + if (!verity_fec_is_enabled(v)) + return -EOPNOTSUPP; + +- if (fio->level >= DM_VERITY_FEC_MAX_RECURSION) { +- DMWARN_LIMIT("%s: FEC: recursion too deep", v->data_dev->name); ++ if (fio->level) + return -EIO; +- } + + fio->level++; + +diff --git a/drivers/md/dm-verity-fec.h b/drivers/md/dm-verity-fec.h +index 09123a612953..ec37e607cb3f 100644 +--- a/drivers/md/dm-verity-fec.h ++++ 
b/drivers/md/dm-verity-fec.h +@@ -23,9 +23,6 @@ + #define DM_VERITY_FEC_BUF_MAX \ + (1 << (PAGE_SHIFT - DM_VERITY_FEC_BUF_RS_BITS)) + +-/* maximum recursion level for verity_fec_decode */ +-#define DM_VERITY_FEC_MAX_RECURSION 4 +- + #define DM_VERITY_OPT_FEC_DEV "use_fec_from_device" + #define DM_VERITY_OPT_FEC_BLOCKS "fec_blocks" + #define DM_VERITY_OPT_FEC_START "fec_start" +diff --git a/drivers/md/dm-verity-target.c b/drivers/md/dm-verity-target.c +index ce0462e751a6..05101e8671db 100644 +--- a/drivers/md/dm-verity-target.c ++++ b/drivers/md/dm-verity-target.c +@@ -1774,7 +1774,7 @@ static struct target_type verity_target = { + .name = "verity", + /* Note: the LSMs depend on the singleton and immutable features */ + .features = DM_TARGET_SINGLETON | DM_TARGET_IMMUTABLE, +- .version = {1, 10, 0}, ++ .version = {1, 13, 0}, + .module = THIS_MODULE, + .ctr = verity_ctr, + .dtr = verity_dtr, +-- +2.43.0 + diff --git a/SPECS/kernel/CVE-2026-22981.patch b/SPECS/kernel/CVE-2026-22981.patch new file mode 100644 index 0000000000..190a1400e1 --- /dev/null +++ b/SPECS/kernel/CVE-2026-22981.patch 
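Review bot: The `.version` change in dm-verity-target.c jumps from `{1, 10, 0}` straight to `{1, 13, 0}`, so this kernel would report a target version two steps beyond what the tree had, while the patch itself only disables recursive FEC. Userspace that keys feature detection on the dm-verity target version could presumably assume changes that are not present here; please confirm the intermediate versions' changes are already in this tree, or keep a version that reflects only this fix. In `verity_fec_decode()` the new `if (fio->level) return -EIO;` also removes the rate-limited warning, so a refused nested correction is now silent; a comment such as `/* recursive FEC is disabled: refuse when a decode is already in progress on this io */` would explain the bare check. Both `verity_fec_decode()` and the `verity_target` initializer continue outside the quoted hunks.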
@@ -0,0 +1,269 @@ +From eb33176264cced7681a9913fed2894b4d8f5828c Mon Sep 17 00:00:00 2001 +From: Emil Tantilov +Date: Thu, 20 Nov 2025 16:12:15 -0800 +Subject: [PATCH 2/9] idpf: detach and close netdevs while handling a reset + +Protect the reset path from callbacks by setting the netdevs to detached +state and close any netdevs in UP state until the reset handling has +completed. During a reset, the driver will de-allocate resources for the +vport, and there is no guarantee that those will recover, which is why the +existing vport_ctrl_lock does not provide sufficient protection. + +idpf_detach_and_close() is called right before reset handling. If the +reset handling succeeds, the netdevs state is recovered via call to +idpf_attach_and_open(). If the reset handling fails the netdevs remain +down. The detach/down calls are protected with RTNL lock to avoid racing +with callbacks. On the recovery side the attach can be done without +holding the RTNL lock as there are no callbacks expected at that point, +due to detach/close always being done first in that flow. + +The previous logic restoring the netdevs state based on the +IDPF_VPORT_UP_REQUESTED flag in the init task is not needed anymore, hence +the removal of idpf_set_vport_state(). The IDPF_VPORT_UP_REQUESTED is +still being used to restore the state of the netdevs following the reset, +but has no use outside of the reset handling flow. + +idpf_init_hard_reset() is converted to void, since it was used as such and +there is no error handling being done based on its return value. 
+ +Before this change, invoking hard and soft resets simultaneously will +cause the driver to lose the vport state: +ip -br a + UP +echo 1 > /sys/class/net/ens801f0/device/reset& \ +ethtool -L ens801f0 combined 8 +ip -br a + DOWN +ip link set up +ip -br a + DOWN + +Also in case of a failure in the reset path, the netdev is left +exposed to external callbacks, while vport resources are not +initialized, leading to a crash on subsequent ifup/down: +[408471.398966] idpf 0000:83:00.0: HW reset detected +[408471.411744] idpf 0000:83:00.0: Device HW Reset initiated +[408472.277901] idpf 0000:83:00.0: The driver was unable to contact the device's firmware. Check that the FW is running. Driver state= 0x2 +[408508.125551] BUG: kernel NULL pointer dereference, address: 0000000000000078 +[408508.126112] #PF: supervisor read access in kernel mode +[408508.126687] #PF: error_code(0x0000) - not-present page +[408508.127256] PGD 2aae2f067 P4D 0 +[408508.127824] Oops: Oops: 0000 [#1] SMP NOPTI +... +[408508.130871] RIP: 0010:idpf_stop+0x39/0x70 [idpf] +... +[408508.139193] Call Trace: +[408508.139637] +[408508.140077] __dev_close_many+0xbb/0x260 +[408508.140533] __dev_change_flags+0x1cf/0x280 +[408508.140987] netif_change_flags+0x26/0x70 +[408508.141434] dev_change_flags+0x3d/0xb0 +[408508.141878] devinet_ioctl+0x460/0x890 +[408508.142321] inet_ioctl+0x18e/0x1d0 +[408508.142762] ? _copy_to_user+0x22/0x70 +[408508.143207] sock_do_ioctl+0x3d/0xe0 +[408508.143652] sock_ioctl+0x10e/0x330 +[408508.144091] ? 
find_held_lock+0x2b/0x80 +[408508.144537] __x64_sys_ioctl+0x96/0xe0 +[408508.144979] do_syscall_64+0x79/0x3d0 +[408508.145415] entry_SYSCALL_64_after_hwframe+0x76/0x7e +[408508.145860] RIP: 0033:0x7f3e0bb4caff + +Fixes: 0fe45467a104 ("idpf: add create vport and netdev configuration") +Signed-off-by: Emil Tantilov +Reviewed-by: Madhu Chittim +Tested-by: Samuel Salin +Signed-off-by: Tony Nguyen +--- + drivers/net/ethernet/intel/idpf/idpf_lib.c | 116 +++++++++++++-------- + 1 file changed, 71 insertions(+), 45 deletions(-) + +diff --git a/drivers/net/ethernet/intel/idpf/idpf_lib.c b/drivers/net/ethernet/intel/idpf/idpf_lib.c +index a0677b327783..bba7b06c8153 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_lib.c ++++ b/drivers/net/ethernet/intel/idpf/idpf_lib.c +@@ -693,6 +693,65 @@ static int idpf_init_mac_addr(struct idpf_vport *vport, + return 0; + } + ++static void idpf_detach_and_close(struct idpf_adapter *adapter) ++{ ++ int max_vports = adapter->max_vports; ++ ++ for (int i = 0; i < max_vports; i++) { ++ struct net_device *netdev = adapter->netdevs[i]; ++ ++ /* If the interface is in detached state, that means the ++ * previous reset was not handled successfully for this ++ * vport. ++ */ ++ if (!netif_device_present(netdev)) ++ continue; ++ ++ /* Hold RTNL to protect racing with callbacks */ ++ rtnl_lock(); ++ netif_device_detach(netdev); ++ if (netif_running(netdev)) { ++ set_bit(IDPF_VPORT_UP_REQUESTED, ++ adapter->vport_config[i]->flags); ++ dev_close(netdev); ++ } ++ rtnl_unlock(); ++ } ++} ++ ++static void idpf_attach_and_open(struct idpf_adapter *adapter) ++{ ++ int max_vports = adapter->max_vports; ++ ++ for (int i = 0; i < max_vports; i++) { ++ struct idpf_vport *vport = adapter->vports[i]; ++ struct idpf_vport_config *vport_config; ++ struct net_device *netdev; ++ ++ /* In case of a critical error in the init task, the vport ++ * will be freed. Only continue to restore the netdevs ++ * if the vport is allocated. 
++ */ ++ if (!vport) ++ continue; ++ ++ /* No need for RTNL on attach as this function is called ++ * following detach and dev_close(). We do take RTNL for ++ * dev_open() below as it can race with external callbacks ++ * following the call to netif_device_attach(). ++ */ ++ netdev = adapter->netdevs[i]; ++ netif_device_attach(netdev); ++ vport_config = adapter->vport_config[vport->idx]; ++ if (test_and_clear_bit(IDPF_VPORT_UP_REQUESTED, ++ vport_config->flags)) { ++ rtnl_lock(); ++ dev_open(netdev, NULL); ++ rtnl_unlock(); ++ } ++ } ++} ++ + /** + * idpf_cfg_netdev - Allocate, configure and register a netdev + * @vport: main vport structure +@@ -986,10 +1045,11 @@ static void idpf_vport_dealloc(struct idpf_vport *vport) + unsigned int i = vport->idx; + + idpf_deinit_mac_addr(vport); +- idpf_vport_stop(vport); + +- if (!test_bit(IDPF_HR_RESET_IN_PROG, adapter->flags)) ++ if (!test_bit(IDPF_HR_RESET_IN_PROG, adapter->flags)) { ++ idpf_vport_stop(vport); + idpf_decfg_netdev(vport); ++ } + if (test_bit(IDPF_REMOVE_IN_PROG, adapter->flags)) + idpf_del_all_mac_filters(vport); + +@@ -1467,7 +1527,6 @@ void idpf_init_task(struct work_struct *work) + struct idpf_vport_config *vport_config; + struct idpf_vport_max_q max_q; + struct idpf_adapter *adapter; +- struct idpf_netdev_priv *np; + struct idpf_vport *vport; + u16 num_default_vports; + struct pci_dev *pdev; +@@ -1524,12 +1583,6 @@ void idpf_init_task(struct work_struct *work) + if (idpf_cfg_netdev(vport)) + goto unwind_vports; + +- /* Once state is put into DOWN, driver is ready for dev_open */ +- np = netdev_priv(vport->netdev); +- np->state = __IDPF_VPORT_DOWN; +- if (test_and_clear_bit(IDPF_VPORT_UP_REQUESTED, vport_config->flags)) +- idpf_vport_open(vport); +- + /* Spawn and return 'idpf_init_task' work queue until all the + * default vports are created + */ +@@ -1696,27 +1749,6 @@ static int idpf_check_reset_complete(struct idpf_hw *hw, + return -EBUSY; + } + +-/** +- * idpf_set_vport_state - Set the vport state 
to be after the reset +- * @adapter: Driver specific private structure +- */ +-static void idpf_set_vport_state(struct idpf_adapter *adapter) +-{ +- u16 i; +- +- for (i = 0; i < adapter->max_vports; i++) { +- struct idpf_netdev_priv *np; +- +- if (!adapter->netdevs[i]) +- continue; +- +- np = netdev_priv(adapter->netdevs[i]); +- if (np->state == __IDPF_VPORT_UP) +- set_bit(IDPF_VPORT_UP_REQUESTED, +- adapter->vport_config[i]->flags); +- } +-} +- + /** + * idpf_init_hard_reset - Initiate a hardware reset + * @adapter: Driver specific private structure +@@ -1725,35 +1757,23 @@ static void idpf_set_vport_state(struct idpf_adapter *adapter) + * reallocate. Also reinitialize the mailbox. Return 0 on success, + * negative on failure. + */ +-static int idpf_init_hard_reset(struct idpf_adapter *adapter) ++static void idpf_init_hard_reset(struct idpf_adapter *adapter) + { + struct idpf_reg_ops *reg_ops = &adapter->dev_ops.reg_ops; + struct device *dev = &adapter->pdev->dev; +- struct net_device *netdev; + int err; +- u16 i; + ++ idpf_detach_and_close(adapter); + mutex_lock(&adapter->vport_ctrl_lock); + + dev_info(dev, "Device HW Reset initiated\n"); + +- /* Avoid TX hangs on reset */ +- for (i = 0; i < adapter->max_vports; i++) { +- netdev = adapter->netdevs[i]; +- if (!netdev) +- continue; +- +- netif_carrier_off(netdev); +- netif_tx_disable(netdev); +- } +- + /* Prepare for reset */ + if (test_and_clear_bit(IDPF_HR_DRV_LOAD, adapter->flags)) { + reg_ops->trigger_reset(adapter, IDPF_HR_DRV_LOAD); + } else if (test_and_clear_bit(IDPF_HR_FUNC_RESET, adapter->flags)) { + bool is_reset = idpf_is_reset_detected(adapter); + +- idpf_set_vport_state(adapter); + idpf_vc_core_deinit(adapter); + if (!is_reset) + reg_ops->trigger_reset(adapter, IDPF_HR_FUNC_RESET); +@@ -1800,7 +1820,13 @@ static int idpf_init_hard_reset(struct idpf_adapter *adapter) + unlock_mutex: + mutex_unlock(&adapter->vport_ctrl_lock); + +- return err; ++ /* Attempt to restore netdevs and initialize RDMA CORE AUX 
device, ++ * provided vc_core_init succeeded. It is still possible that ++ * vports are not allocated at this point if the init task failed. ++ */ ++ if (!err) { ++ idpf_attach_and_open(adapter); ++ } + } + + /** +-- +2.43.0 + diff --git a/SPECS/kernel/CVE-2026-22985.patch b/SPECS/kernel/CVE-2026-22985.patch new file mode 100644 index 0000000000..6023b558a9 --- /dev/null +++ b/SPECS/kernel/CVE-2026-22985.patch 
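Review bot: `idpf_detach_and_close()` passes `adapter->netdevs[i]` to `netif_device_present()` without a NULL check, although both loops this patch removes (`idpf_set_vport_state()` and the TX-disable loop in `idpf_init_hard_reset()`) skipped empty slots with `if (!netdev) continue;`. If a slot below `max_vports` can be unpopulated, as the removed checks suggest, the reset path would dereference NULL; the guard should read `if (!netdev || !netif_device_present(netdev)) continue;`, and the `adapter->vport_config[i]->flags` access in the same loop relies on the same assumption. `idpf_attach_and_open()` ignores the return value of `dev_open()`, so a failed reopen after reset is not reported. The kernel-doc above `idpf_init_hard_reset()` still says "Return 0 on success, negative on failure" although the function is now `void`.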
@@ -0,0 +1,255 @@ +From bf5c1e9b7788995bbf0491635b3c65f3de8f59c8 Mon Sep 17 00:00:00 2001 +From: Emil Tantilov +Date: Tue, 25 Nov 2025 14:36:24 -0800 +Subject: [PATCH 3/9] idpf: convert vport state to bitmap + +Convert vport state to a bitmap and remove the DOWN state which is +redundant in the existing logic. There are no functional changes aside +from the use of bitwise operations when setting and checking the states. +Removed the double underscore to be consistent with the naming of other +bitmaps in the header and renamed current_state to vport_is_up to match +the meaning of the new variable. + +Reviewed-by: Przemek Kitszel +Reviewed-by: Aleksandr Loktionov +Reviewed-by: Chittim Madhu +Signed-off-by: Emil Tantilov +Tested-by: Samuel Salin +Signed-off-by: Tony Nguyen +Link: https://patch.msgid.link/20251125223632.1857532-6-anthony.l.nguyen@intel.com +Signed-off-by: Jakub Kicinski +--- + drivers/net/ethernet/intel/idpf/idpf.h | 12 +++++------ + .../net/ethernet/intel/idpf/idpf_ethtool.c | 10 +++++----- + drivers/net/ethernet/intel/idpf/idpf_lib.c | 20 +++++++++---------- + .../ethernet/intel/idpf/idpf_singleq_txrx.c | 2 +- + drivers/net/ethernet/intel/idpf/idpf_txrx.c | 2 +- + .../net/ethernet/intel/idpf/idpf_virtchnl.c | 4 ++-- + 6 files changed, 24 insertions(+), 26 deletions(-) + +diff --git a/drivers/net/ethernet/intel/idpf/idpf.h b/drivers/net/ethernet/intel/idpf/idpf.h +index f4d51c885f33..44db60611178 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf.h ++++ b/drivers/net/ethernet/intel/idpf/idpf.h +@@ -126,14 +126,12 @@ enum idpf_cap_field { + + /** + * enum idpf_vport_state - Current vport state +- * @__IDPF_VPORT_DOWN: Vport is down +- * @__IDPF_VPORT_UP: Vport is up +- * @__IDPF_VPORT_STATE_LAST: Must be last, number of states ++ * @IDPF_VPORT_UP: Vport is up ++ * @IDPF_VPORT_STATE_NBITS: Must be last, number of states + */ + enum idpf_vport_state { +- __IDPF_VPORT_DOWN, +- __IDPF_VPORT_UP, +- __IDPF_VPORT_STATE_LAST, ++ IDPF_VPORT_UP, ++ 
IDPF_VPORT_STATE_NBITS + }; + + /** +@@ -157,7 +155,7 @@ struct idpf_netdev_priv { + u16 vport_idx; + u16 max_tx_hdr_size; + u16 tx_max_bufs; +- enum idpf_vport_state state; ++ DECLARE_BITMAP(state, IDPF_VPORT_STATE_NBITS); + struct rtnl_link_stats64 netstats; + spinlock_t stats_lock; + }; +diff --git a/drivers/net/ethernet/intel/idpf/idpf_ethtool.c b/drivers/net/ethernet/intel/idpf/idpf_ethtool.c +index f0f0ced0d95f..58e2894cbe54 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_ethtool.c ++++ b/drivers/net/ethernet/intel/idpf/idpf_ethtool.c +@@ -98,7 +98,7 @@ static int idpf_get_rxfh(struct net_device *netdev, + } + + rss_data = &adapter->vport_config[np->vport_idx]->user_config.rss_data; +- if (np->state != __IDPF_VPORT_UP) ++ if (!test_bit(IDPF_VPORT_UP, np->state)) + goto unlock_mutex; + + rxfh->hfunc = ETH_RSS_HASH_TOP; +@@ -148,7 +148,7 @@ static int idpf_set_rxfh(struct net_device *netdev, + } + + rss_data = &adapter->vport_config[vport->idx]->user_config.rss_data; +- if (np->state != __IDPF_VPORT_UP) ++ if (!test_bit(IDPF_VPORT_UP, np->state)) + goto unlock_mutex; + + if (rxfh->hfunc != ETH_RSS_HASH_NO_CHANGE && +@@ -879,7 +879,7 @@ static void idpf_get_ethtool_stats(struct net_device *netdev, + idpf_vport_ctrl_lock(netdev); + vport = idpf_netdev_to_vport(netdev); + +- if (np->state != __IDPF_VPORT_UP) { ++ if (!test_bit(IDPF_VPORT_UP, np->state)) { + idpf_vport_ctrl_unlock(netdev); + + return; +@@ -1031,7 +1031,7 @@ static int idpf_get_q_coalesce(struct net_device *netdev, + idpf_vport_ctrl_lock(netdev); + vport = idpf_netdev_to_vport(netdev); + +- if (np->state != __IDPF_VPORT_UP) ++ if (!test_bit(IDPF_VPORT_UP, np->state)) + goto unlock_mutex; + + if (q_num >= vport->num_rxq && q_num >= vport->num_txq) { +@@ -1219,7 +1219,7 @@ static int idpf_set_coalesce(struct net_device *netdev, + idpf_vport_ctrl_lock(netdev); + vport = idpf_netdev_to_vport(netdev); + +- if (np->state != __IDPF_VPORT_UP) ++ if (!test_bit(IDPF_VPORT_UP, np->state)) + goto 
unlock_mutex; + + for (i = 0; i < vport->num_txq; i++) { +diff --git a/drivers/net/ethernet/intel/idpf/idpf_lib.c b/drivers/net/ethernet/intel/idpf/idpf_lib.c +index bba7b06c8153..73efbfc773b6 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_lib.c ++++ b/drivers/net/ethernet/intel/idpf/idpf_lib.c +@@ -483,7 +483,7 @@ static int idpf_del_mac_filter(struct idpf_vport *vport, + } + spin_unlock_bh(&vport_config->mac_filter_list_lock); + +- if (np->state == __IDPF_VPORT_UP) { ++ if (test_bit(IDPF_VPORT_UP, np->state)) { + int err; + + err = idpf_add_del_mac_filters(vport, np, false, async); +@@ -554,7 +554,7 @@ static int idpf_add_mac_filter(struct idpf_vport *vport, + if (err) + return err; + +- if (np->state == __IDPF_VPORT_UP) ++ if (test_bit(IDPF_VPORT_UP, np->state)) + err = idpf_add_del_mac_filters(vport, np, true, async); + + return err; +@@ -909,7 +909,7 @@ static void idpf_vport_stop(struct idpf_vport *vport) + { + struct idpf_netdev_priv *np = netdev_priv(vport->netdev); + +- if (np->state <= __IDPF_VPORT_DOWN) ++ if (!test_bit(IDPF_VPORT_UP, np->state)) + return; + + netif_carrier_off(vport->netdev); +@@ -932,7 +932,7 @@ static void idpf_vport_stop(struct idpf_vport *vport) + idpf_vport_intr_deinit(vport); + idpf_vport_queues_rel(vport); + idpf_vport_intr_rel(vport); +- np->state = __IDPF_VPORT_DOWN; ++ clear_bit(IDPF_VPORT_UP, np->state); + } + + /** +@@ -1350,7 +1350,7 @@ static int idpf_up_complete(struct idpf_vport *vport) + netif_tx_start_all_queues(vport->netdev); + } + +- np->state = __IDPF_VPORT_UP; ++ set_bit(IDPF_VPORT_UP, np->state); + + return 0; + } +@@ -1395,7 +1395,7 @@ static int idpf_vport_open(struct idpf_vport *vport) + struct idpf_vport_config *vport_config; + int err; + +- if (np->state != __IDPF_VPORT_DOWN) ++ if (test_bit(IDPF_VPORT_UP, np->state)) + return -EBUSY; + + /* we do not allow interface up just yet */ +@@ -1869,7 +1869,7 @@ int idpf_initiate_soft_reset(struct idpf_vport *vport, + enum idpf_vport_reset_cause reset_cause) + { 
+ struct idpf_netdev_priv *np = netdev_priv(vport->netdev); +- enum idpf_vport_state current_state = np->state; ++ bool vport_is_up = test_bit(IDPF_VPORT_UP, np->state); + struct idpf_adapter *adapter = vport->adapter; + struct idpf_vport *new_vport; + int err; +@@ -1917,7 +1917,7 @@ int idpf_initiate_soft_reset(struct idpf_vport *vport, + goto free_vport; + } + +- if (current_state <= __IDPF_VPORT_DOWN) { ++ if (!vport_is_up) { + idpf_send_delete_queues_msg(vport); + } else { + set_bit(IDPF_VPORT_DEL_QUEUES, vport->flags); +@@ -1950,7 +1950,7 @@ int idpf_initiate_soft_reset(struct idpf_vport *vport, + if (err) + goto err_open; + +- if (current_state == __IDPF_VPORT_UP) ++ if (vport_is_up) + err = idpf_vport_open(vport); + + kfree(new_vport); +@@ -1962,7 +1962,7 @@ int idpf_initiate_soft_reset(struct idpf_vport *vport, + vport->num_rxq, vport->num_bufq); + + err_open: +- if (current_state == __IDPF_VPORT_UP) ++ if (vport_is_up) + idpf_vport_open(vport); + + free_vport: +diff --git a/drivers/net/ethernet/intel/idpf/idpf_singleq_txrx.c b/drivers/net/ethernet/intel/idpf/idpf_singleq_txrx.c +index ea0eec59a072..33f4e89d0c67 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_singleq_txrx.c ++++ b/drivers/net/ethernet/intel/idpf/idpf_singleq_txrx.c +@@ -571,7 +571,7 @@ static bool idpf_tx_singleq_clean(struct idpf_tx_queue *tx_q, int napi_budget, + np = netdev_priv(tx_q->netdev); + nq = netdev_get_tx_queue(tx_q->netdev, tx_q->idx); + +- dont_wake = np->state != __IDPF_VPORT_UP || ++ dont_wake = !test_bit(IDPF_VPORT_UP, np->state) || + !netif_carrier_ok(tx_q->netdev); + __netif_txq_completed_wake(nq, ss.packets, ss.bytes, + IDPF_DESC_UNUSED(tx_q), IDPF_TX_WAKE_THRESH, +diff --git a/drivers/net/ethernet/intel/idpf/idpf_txrx.c b/drivers/net/ethernet/intel/idpf/idpf_txrx.c +index 3ddf7b1e85ef..646f19e4d0fa 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.c ++++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.c +@@ -1845,7 +1845,7 @@ static bool idpf_tx_clean_complq(struct 
idpf_compl_queue *complq, int budget, + /* Update BQL */ + nq = netdev_get_tx_queue(tx_q->netdev, tx_q->idx); + +- dont_wake = !complq_ok || np->state != __IDPF_VPORT_UP || ++ dont_wake = !complq_ok || !test_bit(IDPF_VPORT_UP, np->state) || + !netif_carrier_ok(tx_q->netdev); + /* Check if the TXQ needs to and can be restarted */ + __netif_txq_completed_wake(nq, tx_q->cleaned_pkts, tx_q->cleaned_bytes, +diff --git a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c +index d1f374da0098..5480b4aa567b 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c ++++ b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c +@@ -148,7 +148,7 @@ static void idpf_handle_event_link(struct idpf_adapter *adapter, + + vport->link_up = v2e->link_status; + +- if (np->state != __IDPF_VPORT_UP) ++ if (!test_bit(IDPF_VPORT_UP, np->state)) + return; + + if (vport->link_up) { +@@ -2297,7 +2297,7 @@ int idpf_send_get_stats_msg(struct idpf_vport *vport) + + + /* Don't send get_stats message if the link is down */ +- if (np->state <= __IDPF_VPORT_DOWN) ++ if (!test_bit(IDPF_VPORT_UP, np->state)) + return 0; + + stats_msg.vport_id = cpu_to_le32(vport->vport_id); +-- +2.43.0 + diff --git a/SPECS/kernel/CVE-2026-22985_2.patch b/SPECS/kernel/CVE-2026-22985_2.patch new file mode 100644 index 0000000000..f796740fbb --- /dev/null +++ b/SPECS/kernel/CVE-2026-22985_2.patch 
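Review bot: The header of CVE-2026-22985.patch does not say that it is a prerequisite refactor rather than the fix itself: its description states "no functional changes", and CVE-2026-22985_2.patch appears to depend on it through `test_bit(IDPF_VPORT_UP, np->state)`. Recording that dependency in the patch header or the spec would let an auditor map each file to the change that addresses the CVE. In idpf.h the kernel-doc for the last enumerator still reads "number of states" while the value now sizes `DECLARE_BITMAP(state, IDPF_VPORT_STATE_NBITS)`; I would write `@IDPF_VPORT_STATE_NBITS: Must be last, number of state bits`.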
@@ -0,0 +1,400 @@ +From fdc6a5ca9d6a3cabc7d8bc4bd3f97a3a73f6f1a8 Mon Sep 17 00:00:00 2001 +From: Sreedevi Joshi +Date: Mon, 24 Nov 2025 12:47:48 -0600 +Subject: [PATCH 4/9] idpf: Fix RSS LUT NULL pointer crash on early ethtool + operations + +The RSS LUT is not initialized until the interface comes up, causing +the following NULL pointer crash when ethtool operations like rxhash on/off +are performed before the interface is brought up for the first time. + +Move RSS LUT initialization from ndo_open to vport creation to ensure LUT +is always available. This enables RSS configuration via ethtool before +bringing the interface up. Simplify LUT management by maintaining all +changes in the driver's soft copy and programming zeros to the indirection +table when rxhash is disabled. Defer HW programming until the interface +comes up if it is down during rxhash and LUT configuration changes. + +Steps to reproduce: +** Load idpf driver; interfaces will be created + modprobe idpf +** Before bringing the interfaces up, turn rxhash off + ethtool -K eth2 rxhash off + +[89408.371875] BUG: kernel NULL pointer dereference, address: 0000000000000000 +[89408.371908] #PF: supervisor read access in kernel mode +[89408.371924] #PF: error_code(0x0000) - not-present page +[89408.371940] PGD 0 P4D 0 +[89408.371953] Oops: Oops: 0000 [#1] SMP NOPTI + +[89408.372052] RIP: 0010:memcpy_orig+0x16/0x130 +[89408.372310] Call Trace: +[89408.372317] +[89408.372326] ? idpf_set_features+0xfc/0x180 [idpf] +[89408.372363] __netdev_update_features+0x295/0xde0 +[89408.372384] ethnl_set_features+0x15e/0x460 +[89408.372406] genl_family_rcv_msg_doit+0x11f/0x180 +[89408.372429] genl_rcv_msg+0x1ad/0x2b0 +[89408.372446] ? __pfx_ethnl_set_features+0x10/0x10 +[89408.372465] ? 
__pfx_genl_rcv_msg+0x10/0x10 +[89408.372482] netlink_rcv_skb+0x58/0x100 +[89408.372502] genl_rcv+0x2c/0x50 +[89408.372516] netlink_unicast+0x289/0x3e0 +[89408.372533] netlink_sendmsg+0x215/0x440 +[89408.372551] __sys_sendto+0x234/0x240 +[89408.372571] __x64_sys_sendto+0x28/0x30 +[89408.372585] x64_sys_call+0x1909/0x1da0 +[89408.372604] do_syscall_64+0x7a/0xfa0 +[89408.373140] ? clear_bhb_loop+0x60/0xb0 +[89408.373647] entry_SYSCALL_64_after_hwframe+0x76/0x7e +[89408.378887] + + +Fixes: a251eee62133 ("idpf: add SRIOV support and other ndo_ops") +Signed-off-by: Sreedevi Joshi +Reviewed-by: Sridhar Samudrala +Reviewed-by: Emil Tantilov +Reviewed-by: Aleksandr Loktionov +Reviewed-by: Paul Menzel +Reviewed-by: Simon Horman +Tested-by: Samuel Salin +Signed-off-by: Tony Nguyen +--- + drivers/net/ethernet/intel/idpf/idpf.h | 2 - + drivers/net/ethernet/intel/idpf/idpf_lib.c | 94 +++++++++---------- + drivers/net/ethernet/intel/idpf/idpf_txrx.c | 36 +++---- + drivers/net/ethernet/intel/idpf/idpf_txrx.h | 4 +- + .../net/ethernet/intel/idpf/idpf_virtchnl.c | 9 +- + 5 files changed, 66 insertions(+), 79 deletions(-) + +diff --git a/drivers/net/ethernet/intel/idpf/idpf.h b/drivers/net/ethernet/intel/idpf/idpf.h +index 44db60611178..7f0e642b703b 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf.h ++++ b/drivers/net/ethernet/intel/idpf/idpf.h +@@ -359,14 +359,12 @@ enum idpf_user_flags { + * @rss_key: RSS hash key + * @rss_lut_size: Size of RSS lookup table + * @rss_lut: RSS lookup table +- * @cached_lut: Used to restore previously init RSS lut + */ + struct idpf_rss_data { + u16 rss_key_size; + u8 *rss_key; + u16 rss_lut_size; + u32 *rss_lut; +- u32 *cached_lut; + }; + + /** +diff --git a/drivers/net/ethernet/intel/idpf/idpf_lib.c b/drivers/net/ethernet/intel/idpf/idpf_lib.c +index 73efbfc773b6..958b9ac25a70 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_lib.c ++++ b/drivers/net/ethernet/intel/idpf/idpf_lib.c +@@ -995,7 +995,7 @@ static void idpf_vport_rel(struct idpf_vport 
*vport)
+ u16 idx = vport->idx;
+
+ vport_config = adapter->vport_config[vport->idx];
+- idpf_deinit_rss(vport);
++ idpf_deinit_rss_lut(vport);
+ rss_data = &vport_config->user_config.rss_data;
+ kfree(rss_data->rss_key);
+ rss_data->rss_key = NULL;
+@@ -1144,6 +1144,7 @@ static struct idpf_vport *idpf_vport_alloc(struct idpf_adapter *adapter,
+ u16 idx = adapter->next_vport;
+ struct idpf_vport *vport;
+ u16 num_max_q;
++ int err;
+
+ if (idx == IDPF_NO_FREE_SLOT)
+ return NULL;
+@@ -1194,10 +1195,11 @@ static struct idpf_vport *idpf_vport_alloc(struct idpf_adapter *adapter,
+
+ idpf_vport_init(vport, max_q);
+
+- /* This alloc is done separate from the LUT because it's not strictly
+- * dependent on how many queues we have. If we change number of queues
+- * and soft reset we'll need a new LUT but the key can remain the same
+- * for as long as the vport exists.
++ /* LUT and key are both initialized here. Key is not strictly dependent
++ * on how many queues we have. If we change number of queues and soft
++ * reset is initiated, LUT will be freed and a new LUT will be allocated
++ * as per the updated number of queues during vport bringup. However,
++ * the key remains the same for as long as the vport exists.
+ */
+ rss_data = &adapter->vport_config[idx]->user_config.rss_data;
+ rss_data->rss_key = kzalloc(rss_data->rss_key_size, GFP_KERNEL);
+@@ -1207,6 +1209,11 @@ static struct idpf_vport *idpf_vport_alloc(struct idpf_adapter *adapter,
+ /* Initialize default rss key */
+ netdev_rss_key_fill((void *)rss_data->rss_key, rss_data->rss_key_size);
+
++ /* Initialize default rss LUT */
++ err = idpf_init_rss_lut(vport);
++ if (err)
++ goto free_rss_key;
++
+ /* fill vport slot in the adapter struct */
+ adapter->vports[idx] = vport;
+ adapter->vport_ids[idx] = idpf_get_vport_id(vport);
+@@ -1217,6 +1224,8 @@ static struct idpf_vport *idpf_vport_alloc(struct idpf_adapter *adapter,
+
+ return vport;
+
++free_rss_key:
++ kfree(rss_data->rss_key);
+ free_vector_idxs:
+ kfree(vport->q_vector_idxs);
+ free_vport:
+@@ -1393,6 +1402,7 @@ static int idpf_vport_open(struct idpf_vport *vport)
+ struct idpf_netdev_priv *np = netdev_priv(vport->netdev);
+ struct idpf_adapter *adapter = vport->adapter;
+ struct idpf_vport_config *vport_config;
++ struct idpf_rss_data *rss_data;
+ int err;
+
+ if (test_bit(IDPF_VPORT_UP, np->state))
+@@ -1475,12 +1485,21 @@ static int idpf_vport_open(struct idpf_vport *vport)
+ idpf_restore_features(vport);
+
+ vport_config = adapter->vport_config[vport->idx];
+- if (vport_config->user_config.rss_data.rss_lut)
+- err = idpf_config_rss(vport);
+- else
+- err = idpf_init_rss(vport);
++ rss_data = &vport_config->user_config.rss_data;
++
++ if (!rss_data->rss_lut) {
++ err = idpf_init_rss_lut(vport);
++ if (err) {
++ dev_err(&adapter->pdev->dev,
++ "Failed to initialize RSS LUT for vport %u: %d\n",
++ vport->vport_id, err);
++ goto disable_vport;
++ }
++ }
++
++ err = idpf_config_rss(vport);
+ if (err) {
+- dev_err(&adapter->pdev->dev, "Failed to initialize RSS for vport %u: %d\n",
++ dev_err(&adapter->pdev->dev, "Failed to configure RSS for vport %u: %d\n",
+ vport->vport_id, err);
+ goto disable_vport;
+ }
+@@ -1489,13 +1508,11 @@ static int idpf_vport_open(struct idpf_vport *vport)
+ if (err) {
+ dev_err(&adapter->pdev->dev, "Failed to complete interface up for vport %u: %d\n",
+ vport->vport_id, err);
+- goto deinit_rss;
++ goto disable_vport;
+ }
+
+ return 0;
+
+-deinit_rss:
+- idpf_deinit_rss(vport);
+ disable_vport:
+ idpf_send_disable_vport_msg(vport);
+ disable_queues:
+@@ -1924,7 +1941,7 @@ int idpf_initiate_soft_reset(struct idpf_vport *vport,
+ idpf_vport_stop(vport);
+ }
+
+- idpf_deinit_rss(vport);
++ idpf_deinit_rss_lut(vport);
+ /* We're passing in vport here because we need its wait_queue
+ * to send a message and it should be getting all the vport
+ * config data out of the adapter but we need to be careful not
+@@ -2090,40 +2107,6 @@ static void idpf_set_rx_mode(struct net_device *netdev)
+ dev_err(dev, "Failed to set promiscuous mode: %d\n", err);
+ }
+
+-/**
+- * idpf_vport_manage_rss_lut - disable/enable RSS
+- * @vport: the vport being changed
+- *
+- * In the event of disable request for RSS, this function will zero out RSS
+- * LUT, while in the event of enable request for RSS, it will reconfigure RSS
+- * LUT with the default LUT configuration.
+- */
+-static int idpf_vport_manage_rss_lut(struct idpf_vport *vport)
+-{
+- bool ena = idpf_is_feature_ena(vport, NETIF_F_RXHASH);
+- struct idpf_rss_data *rss_data;
+- u16 idx = vport->idx;
+- int lut_size;
+-
+- rss_data = &vport->adapter->vport_config[idx]->user_config.rss_data;
+- lut_size = rss_data->rss_lut_size * sizeof(u32);
+-
+- if (ena) {
+- /* This will contain the default or user configured LUT */
+- memcpy(rss_data->rss_lut, rss_data->cached_lut, lut_size);
+- } else {
+- /* Save a copy of the current LUT to be restored later if
+- * requested.
+- */
+- memcpy(rss_data->cached_lut, rss_data->rss_lut, lut_size);
+-
+- /* Zero out the current LUT to disable */
+- memset(rss_data->rss_lut, 0, lut_size);
+- }
+-
+- return idpf_config_rss(vport);
+-}
+-
+ /**
+ * idpf_set_features - set the netdev feature flags
+ * @netdev: ptr to the netdev being adjusted
+@@ -2149,10 +2132,19 @@ static int idpf_set_features(struct net_device *netdev,
+ }
+
+ if (changed & NETIF_F_RXHASH) {
++ struct idpf_netdev_priv *np = netdev_priv(netdev);
++
+ netdev->features ^= NETIF_F_RXHASH;
+- err = idpf_vport_manage_rss_lut(vport);
+- if (err)
+- goto unlock_mutex;
++
++ /* If the interface is not up when changing the rxhash, update
++ * to the HW is skipped. The updated LUT will be committed to
++ * the HW when the interface is brought up.
++ */
++ if (test_bit(IDPF_VPORT_UP, np->state)) {
++ err = idpf_config_rss(vport);
++ if (err)
++ goto unlock_mutex;
++ }
+ }
+
+ if (changed & NETIF_F_GRO_HW) {
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_txrx.c b/drivers/net/ethernet/intel/idpf/idpf_txrx.c
+index 646f19e4d0fa..3b2938aa15ab 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.c
++++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.c
+@@ -4068,57 +4068,47 @@ static void idpf_fill_dflt_rss_lut(struct idpf_vport *vport)
+
+ rss_data = &adapter->vport_config[vport->idx]->user_config.rss_data;
+
+- for (i = 0; i < rss_data->rss_lut_size; i++) {
++ for (i = 0; i < rss_data->rss_lut_size; i++)
+ rss_data->rss_lut[i] = i % num_active_rxq;
+- rss_data->cached_lut[i] = rss_data->rss_lut[i];
+- }
+ }
+
+ /**
+- * idpf_init_rss - Allocate and initialize RSS resources
++ * idpf_init_rss_lut - Allocate and initialize RSS LUT
+ * @vport: virtual port
+ *
+- * Return 0 on success, negative on failure
++ * Return: 0 on success, negative on failure
+ */
+-int idpf_init_rss(struct idpf_vport *vport)
++int idpf_init_rss_lut(struct idpf_vport *vport)
+ {
+ struct idpf_adapter *adapter = vport->adapter;
+ struct idpf_rss_data *rss_data;
+- u32 lut_size;
+
+ rss_data = &adapter->vport_config[vport->idx]->user_config.rss_data;
++ if (!rss_data->rss_lut) {
++ u32 lut_size;
+
+- lut_size = rss_data->rss_lut_size * sizeof(u32);
+- rss_data->rss_lut = kzalloc(lut_size, GFP_KERNEL);
+- if (!rss_data->rss_lut)
+- return -ENOMEM;
+-
+- rss_data->cached_lut = kzalloc(lut_size, GFP_KERNEL);
+- if (!rss_data->cached_lut) {
+- kfree(rss_data->rss_lut);
+- rss_data->rss_lut = NULL;
+-
+- return -ENOMEM;
++ lut_size = rss_data->rss_lut_size * sizeof(u32);
++ rss_data->rss_lut = kzalloc(lut_size, GFP_KERNEL);
++ if (!rss_data->rss_lut)
++ return -ENOMEM;
+ }
+
+ /* Fill the default RSS lut values */
+ idpf_fill_dflt_rss_lut(vport);
+
+- return idpf_config_rss(vport);
++ return 0;
+ }
+
+ /**
+- * idpf_deinit_rss - Release RSS resources
++ * idpf_deinit_rss_lut - Release RSS LUT
+ * @vport: virtual port
+ */
+-void idpf_deinit_rss(struct idpf_vport *vport)
++void idpf_deinit_rss_lut(struct idpf_vport *vport)
+ {
+ struct idpf_adapter *adapter = vport->adapter;
+ struct idpf_rss_data *rss_data;
+
+ rss_data = &adapter->vport_config[vport->idx]->user_config.rss_data;
+- kfree(rss_data->cached_lut);
+- rss_data->cached_lut = NULL;
+ kfree(rss_data->rss_lut);
+ rss_data->rss_lut = NULL;
+ }
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_txrx.h b/drivers/net/ethernet/intel/idpf/idpf_txrx.h
+index 5f8a9b9f5d5d..ddba70d4b8ee 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.h
++++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.h
+@@ -1018,8 +1018,8 @@ void idpf_vport_intr_deinit(struct idpf_vport *vport);
+ int idpf_vport_intr_init(struct idpf_vport *vport);
+ void idpf_vport_intr_ena(struct idpf_vport *vport);
+ int idpf_config_rss(struct idpf_vport *vport);
+-int idpf_init_rss(struct idpf_vport *vport);
+-void idpf_deinit_rss(struct idpf_vport *vport);
++int idpf_init_rss_lut(struct idpf_vport *vport);
++void idpf_deinit_rss_lut(struct idpf_vport *vport);
+ int idpf_rx_bufs_init_all(struct idpf_vport *vport);
+ void idpf_rx_add_frag(struct idpf_rx_buf *rx_buf, struct sk_buff *skb,
+ unsigned int size);
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c
+index 5480b4aa567b..ef13468851c1 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c
++++ b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c
+@@ -2341,6 +2341,10 @@ int idpf_send_get_stats_msg(struct idpf_vport *vport)
+ * @vport: virtual port data structure
+ * @get: flag to set or get rss look up table
+ *
++ * When rxhash is disabled, RSS LUT will be configured with zeros. If rxhash
++ * is enabled, the LUT values stored in driver's soft copy will be used to setup
++ * the HW.
++ *
+ * Returns 0 on success, negative on failure.
+ */
+ int idpf_send_get_set_rss_lut_msg(struct idpf_vport *vport, bool get)
+@@ -2351,10 +2355,12 @@ int idpf_send_get_set_rss_lut_msg(struct idpf_vport *vport, bool get)
+ struct idpf_rss_data *rss_data;
+ int buf_size, lut_buf_size;
+ ssize_t reply_sz;
++ bool rxhash_ena;
+ int i;
+
+ rss_data =
+ &vport->adapter->vport_config[vport->idx]->user_config.rss_data;
++ rxhash_ena = idpf_is_feature_ena(vport, NETIF_F_RXHASH);
+ buf_size = struct_size(rl, lut, rss_data->rss_lut_size);
+ rl = kzalloc(buf_size, GFP_KERNEL);
+ if (!rl)
+@@ -2376,7 +2382,8 @@ int idpf_send_get_set_rss_lut_msg(struct idpf_vport *vport, bool get)
+ } else {
+ rl->lut_entries = cpu_to_le16(rss_data->rss_lut_size);
+ for (i = 0; i < rss_data->rss_lut_size; i++)
+- rl->lut[i] = cpu_to_le32(rss_data->rss_lut[i]);
++ rl->lut[i] = rxhash_ena ?
++ cpu_to_le32(rss_data->rss_lut[i]) : 0;
+
+ xn_params.vc_op = VIRTCHNL2_OP_SET_RSS_LUT;
+ }
+--
+2.43.0
+
diff --git a/SPECS/kernel/CVE-2026-22993.patch b/SPECS/kernel/CVE-2026-22993.patch
new file mode 100644
index 0000000000..014b7d2979
--- /dev/null
+++ b/SPECS/kernel/CVE-2026-22993.patch
@@ -0,0 +1,149 @@
+From ebdfe2d47169ed8db3b63b12c938cd4ee9f8fd99 Mon Sep 17 00:00:00 2001
+From: Sreedevi Joshi
+Date: Mon, 24 Nov 2025 12:47:50 -0600
+Subject: [PATCH 5/9] idpf: Fix RSS LUT NULL ptr issue after soft reset
+
+During soft reset, the RSS LUT is freed and not restored unless the
+interface is up. If an ethtool command that accesses the rss lut is
+attempted immediately after reset, it will result in NULL ptr
+dereference. Also, there is no need to reset the rss lut if the soft reset
+does not involve queue count change.
+
+After soft reset, set the RSS LUT to default values based on the updated
+queue count only if the reset was a result of a queue count change and
+the LUT was not configured by the user. In all other cases, don't touch
+the LUT.
+
+Steps to reproduce:
+
+** Bring the interface down (if up)
+ifconfig eth1 down
+
+** update the queue count (eg., 27->20)
+ethtool -L eth1 combined 20
+
+** display the RSS LUT
+ethtool -x eth1
+
+[82375.558338] BUG: kernel NULL pointer dereference, address: 0000000000000000
+[82375.558373] #PF: supervisor read access in kernel mode
+[82375.558391] #PF: error_code(0x0000) - not-present page
+[82375.558408] PGD 0 P4D 0
+[82375.558421] Oops: Oops: 0000 [#1] SMP NOPTI
+
+[82375.558516] RIP: 0010:idpf_get_rxfh+0x108/0x150 [idpf]
+[82375.558786] Call Trace:
+[82375.558793]
+[82375.558804] rss_prepare.isra.0+0x187/0x2a0
+[82375.558827] rss_prepare_data+0x3a/0x50
+[82375.558845] ethnl_default_doit+0x13d/0x3e0
+[82375.558863] genl_family_rcv_msg_doit+0x11f/0x180
+[82375.558886] genl_rcv_msg+0x1ad/0x2b0
+[82375.558902] ? __pfx_ethnl_default_doit+0x10/0x10
+[82375.558920] ? __pfx_genl_rcv_msg+0x10/0x10
+[82375.558937] netlink_rcv_skb+0x58/0x100
+[82375.558957] genl_rcv+0x2c/0x50
+[82375.558971] netlink_unicast+0x289/0x3e0
+[82375.558988] netlink_sendmsg+0x215/0x440
+[82375.559005] __sys_sendto+0x234/0x240
+[82375.559555] __x64_sys_sendto+0x28/0x30
+[82375.560068] x64_sys_call+0x1909/0x1da0
+[82375.560576] do_syscall_64+0x7a/0xfa0
+[82375.561076] ? clear_bhb_loop+0x60/0xb0
+[82375.561567] entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+
+Fixes: 02cbfba1add5 ("idpf: add ethtool callbacks")
+Signed-off-by: Sreedevi Joshi
+Reviewed-by: Aleksandr Loktionov
+Reviewed-by: Sridhar Samudrala
+Reviewed-by: Emil Tantilov
+Reviewed-by: Simon Horman
+Tested-by: Samuel Salin
+Signed-off-by: Tony Nguyen
+---
+ drivers/net/ethernet/intel/idpf/idpf_lib.c | 20 ++++----------------
+ drivers/net/ethernet/intel/idpf/idpf_txrx.c | 2 +-
+ drivers/net/ethernet/intel/idpf/idpf_txrx.h | 1 +
+ 3 files changed, 6 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_lib.c b/drivers/net/ethernet/intel/idpf/idpf_lib.c
+index 958b9ac25a70..d66745c9bd36 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_lib.c
++++ b/drivers/net/ethernet/intel/idpf/idpf_lib.c
+@@ -1401,8 +1401,6 @@ static int idpf_vport_open(struct idpf_vport *vport)
+ {
+ struct idpf_netdev_priv *np = netdev_priv(vport->netdev);
+ struct idpf_adapter *adapter = vport->adapter;
+- struct idpf_vport_config *vport_config;
+- struct idpf_rss_data *rss_data;
+ int err;
+
+ if (test_bit(IDPF_VPORT_UP, np->state))
+@@ -1484,19 +1482,6 @@ static int idpf_vport_open(struct idpf_vport *vport)
+
+ idpf_restore_features(vport);
+
+- vport_config = adapter->vport_config[vport->idx];
+- rss_data = &vport_config->user_config.rss_data;
+-
+- if (!rss_data->rss_lut) {
+- err = idpf_init_rss_lut(vport);
+- if (err) {
+- dev_err(&adapter->pdev->dev,
+- "Failed to initialize RSS LUT for vport %u: %d\n",
+- vport->vport_id, err);
+- goto disable_vport;
+- }
+- }
+-
+ err = idpf_config_rss(vport);
+ if (err) {
+ dev_err(&adapter->pdev->dev, "Failed to configure RSS for vport %u: %d\n",
+@@ -1941,7 +1926,6 @@ int idpf_initiate_soft_reset(struct idpf_vport *vport,
+ idpf_vport_stop(vport);
+ }
+
+- idpf_deinit_rss_lut(vport);
+ /* We're passing in vport here because we need its wait_queue
+ * to send a message and it should be getting all the vport
+ * config data out of the adapter but we need to be careful not
+@@ -1967,6 +1951,10 @@ int idpf_initiate_soft_reset(struct idpf_vport *vport,
+ if (err)
+ goto err_open;
+
++ if (reset_cause == IDPF_SR_Q_CHANGE &&
++ !netif_is_rxfh_configured(vport->netdev))
++ idpf_fill_dflt_rss_lut(vport);
++
+ if (vport_is_up)
+ err = idpf_vport_open(vport);
+
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_txrx.c b/drivers/net/ethernet/intel/idpf/idpf_txrx.c
+index 3b2938aa15ab..b0be89463323 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.c
++++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.c
+@@ -4059,7 +4059,7 @@ int idpf_config_rss(struct idpf_vport *vport)
+ * idpf_fill_dflt_rss_lut - Fill the indirection table with the default values
+ * @vport: virtual port structure
+ */
+-static void idpf_fill_dflt_rss_lut(struct idpf_vport *vport)
++void idpf_fill_dflt_rss_lut(struct idpf_vport *vport)
+ {
+ struct idpf_adapter *adapter = vport->adapter;
+ u16 num_active_rxq = vport->num_rxq;
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_txrx.h b/drivers/net/ethernet/intel/idpf/idpf_txrx.h
+index ddba70d4b8ee..a34c791c4608 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.h
++++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.h
+@@ -1017,6 +1017,7 @@ void idpf_vport_intr_update_itr_ena_irq(struct idpf_q_vector *q_vector);
+ void idpf_vport_intr_deinit(struct idpf_vport *vport);
+ int idpf_vport_intr_init(struct idpf_vport *vport);
+ void idpf_vport_intr_ena(struct idpf_vport *vport);
++void idpf_fill_dflt_rss_lut(struct idpf_vport *vport);
+ int idpf_config_rss(struct idpf_vport *vport);
+ int idpf_init_rss_lut(struct idpf_vport *vport);
+ void idpf_deinit_rss_lut(struct idpf_vport *vport);
+--
+2.43.0
+
diff --git a/SPECS/kernel/CVE-2026-23004.patch b/SPECS/kernel/CVE-2026-23004.patch
new file mode 100644
index 0000000000..dad2002768
--- /dev/null
+++ b/SPECS/kernel/CVE-2026-23004.patch
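Review bot: `idpf_fill_dflt_rss_lut()` is made non-static in idpf_txrx.c and is now called from `idpf_initiate_soft_reset()`, but nothing in it or at the new call site checks that `rss_data->rss_lut` is allocated, while the same patch deletes the `if (!rss_data->rss_lut)` fallback from `idpf_vport_open()`. The fix therefore relies on the LUT having been allocated once in `idpf_vport_alloc()` and never freed while the vport exists, which is established by the companion RSS LUT patch earlier on this page rather than by this one, so the two have to be applied together and in that order. I would state that precondition in the helper's kernel-doc, for example ` * The LUT must already be allocated; idpf_vport_alloc() sets it up.`. The helper also computes `i % num_active_rxq` from `vport->num_rxq`; whether that count can be zero on the interface-down path described in the commit message is not visible here and is worth confirming. The bodies of the functions touched in idpf_lib.c and idpf_txrx.c extend beyond their hunks.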
@@ -0,0 +1,264 @@
+From 9a99adb41d2400dc0b2a7cc027e04a745c82b42c Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Mon, 12 Jan 2026 10:38:25 +0000
+Subject: [PATCH 1/9] dst: fix races in rt6_uncached_list_del() and
+ rt_del_uncached_list()
+
+syzbot was able to crash the kernel in rt6_uncached_list_flush_dev()
+in an interesting way [1]
+
+Crash happens in list_del_init()/INIT_LIST_HEAD() while writing
+list->prev, while the prior write on list->next went well.
+
+static inline void INIT_LIST_HEAD(struct list_head *list)
+{
+ WRITE_ONCE(list->next, list); // This went well
+ WRITE_ONCE(list->prev, list); // Crash, @list has been freed.
+}
+
+Issue here is that rt6_uncached_list_del() did not attempt to lock
+ul->lock, as list_empty(&rt->dst.rt_uncached) returned
+true because the WRITE_ONCE(list->next, list) happened on the other CPU.
+
+We might use list_del_init_careful() and list_empty_careful(),
+or make sure rt6_uncached_list_del() always grabs the spinlock
+whenever rt->dst.rt_uncached_list has been set.
+
+A similar fix is neeed for IPv4.
+
+[1]
+
+ BUG: KASAN: slab-use-after-free in INIT_LIST_HEAD include/linux/list.h:46 [inline]
+ BUG: KASAN: slab-use-after-free in list_del_init include/linux/list.h:296 [inline]
+ BUG: KASAN: slab-use-after-free in rt6_uncached_list_flush_dev net/ipv6/route.c:191 [inline]
+ BUG: KASAN: slab-use-after-free in rt6_disable_ip+0x633/0x730 net/ipv6/route.c:5020
+Write of size 8 at addr ffff8880294cfa78 by task kworker/u8:14/3450
+
+CPU: 0 UID: 0 PID: 3450 Comm: kworker/u8:14 Tainted: G L syzkaller #0 PREEMPT_{RT,(full)}
+Tainted: [L]=SOFTLOCKUP
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
+Workqueue: netns cleanup_net
+Call Trace:
+
+ dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0xca/0x240 mm/kasan/report.c:482
+ kasan_report+0x118/0x150 mm/kasan/report.c:595
+ INIT_LIST_HEAD include/linux/list.h:46 [inline]
+ list_del_init include/linux/list.h:296 [inline]
+ rt6_uncached_list_flush_dev net/ipv6/route.c:191 [inline]
+ rt6_disable_ip+0x633/0x730 net/ipv6/route.c:5020
+ addrconf_ifdown+0x143/0x18a0 net/ipv6/addrconf.c:3853
+ addrconf_notify+0x1bc/0x1050 net/ipv6/addrconf.c:-1
+ notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85
+ call_netdevice_notifiers_extack net/core/dev.c:2268 [inline]
+ call_netdevice_notifiers net/core/dev.c:2282 [inline]
+ netif_close_many+0x29c/0x410 net/core/dev.c:1785
+ unregister_netdevice_many_notify+0xb50/0x2330 net/core/dev.c:12353
+ ops_exit_rtnl_list net/core/net_namespace.c:187 [inline]
+ ops_undo_list+0x3dc/0x990 net/core/net_namespace.c:248
+ cleanup_net+0x4de/0x7b0 net/core/net_namespace.c:696
+ process_one_work kernel/workqueue.c:3257 [inline]
+ process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
+ worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
+ kthread+0x711/0x8a0 kernel/kthread.c:463
+ ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
+
+
+Allocated by task 803:
+ kasan_save_stack mm/kasan/common.c:57 [inline]
+ kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
+ unpoison_slab_object mm/kasan/common.c:340 [inline]
+ __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366
+ kasan_slab_alloc include/linux/kasan.h:253 [inline]
+ slab_post_alloc_hook mm/slub.c:4953 [inline]
+ slab_alloc_node mm/slub.c:5263 [inline]
+ kmem_cache_alloc_noprof+0x18d/0x6c0 mm/slub.c:5270
+ dst_alloc+0x105/0x170 net/core/dst.c:89
+ ip6_dst_alloc net/ipv6/route.c:342 [inline]
+ icmp6_dst_alloc+0x75/0x460 net/ipv6/route.c:3333
+ mld_sendpack+0x683/0xe60 net/ipv6/mcast.c:1844
+ mld_send_cr net/ipv6/mcast.c:2154 [inline]
+ mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693
+ process_one_work kernel/workqueue.c:3257 [inline]
+ process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
+ worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
+ kthread+0x711/0x8a0 kernel/kthread.c:463
+ ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
+
+Freed by task 20:
+ kasan_save_stack mm/kasan/common.c:57 [inline]
+ kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
+ kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
+ poison_slab_object mm/kasan/common.c:253 [inline]
+ __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
+ kasan_slab_free include/linux/kasan.h:235 [inline]
+ slab_free_hook mm/slub.c:2540 [inline]
+ slab_free mm/slub.c:6670 [inline]
+ kmem_cache_free+0x18f/0x8d0 mm/slub.c:6781
+ dst_destroy+0x235/0x350 net/core/dst.c:121
+ rcu_do_batch kernel/rcu/tree.c:2605 [inline]
+ rcu_core kernel/rcu/tree.c:2857 [inline]
+ rcu_cpu_kthread+0xba5/0x1af0 kernel/rcu/tree.c:2945
+ smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160
+ kthread+0x711/0x8a0 kernel/kthread.c:463
+ ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
+
+Last potentially related work creation:
+ kasan_save_stack+0x3e/0x60 mm/kasan/common.c:57
+ kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:556
+ __call_rcu_common kernel/rcu/tree.c:3119 [inline]
+ call_rcu+0xee/0x890 kernel/rcu/tree.c:3239
+ refdst_drop include/net/dst.h:266 [inline]
+ skb_dst_drop include/net/dst.h:278 [inline]
+ skb_release_head_state+0x71/0x360 net/core/skbuff.c:1156
+ skb_release_all net/core/skbuff.c:1180 [inline]
+ __kfree_skb net/core/skbuff.c:1196 [inline]
+ sk_skb_reason_drop+0xe9/0x170 net/core/skbuff.c:1234
+ kfree_skb_reason include/linux/skbuff.h:1322 [inline]
+ tcf_kfree_skb_list include/net/sch_generic.h:1127 [inline]
+ __dev_xmit_skb net/core/dev.c:4260 [inline]
+ __dev_queue_xmit+0x26aa/0x3210 net/core/dev.c:4785
+ NF_HOOK_COND include/linux/netfilter.h:307 [inline]
+ ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247
+ NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318
+ mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855
+ mld_send_cr net/ipv6/mcast.c:2154 [inline]
+ mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693
+ process_one_work kernel/workqueue.c:3257 [inline]
+ process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
+ worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
+ kthread+0x711/0x8a0 kernel/kthread.c:463
+ ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
+
+The buggy address belongs to the object at ffff8880294cfa00
+ which belongs to the cache ip6_dst_cache of size 232
+The buggy address is located 120 bytes inside of
+ freed 232-byte region [ffff8880294cfa00, ffff8880294cfae8)
+
+The buggy address belongs to the physical page:
+page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x294cf
+memcg:ffff88803536b781
+flags: 0x80000000000000(node=0|zone=1)
+page_type: f5(slab)
+raw: 0080000000000000 ffff88802ff1c8c0 ffffea0000bf2bc0 dead000000000006
+raw: 0000000000000000 00000000800c000c 00000000f5000000 ffff88803536b781
+page dumped because: kasan: bad access detected
+page_owner tracks the page as allocated
+page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 9, tgid 9 (kworker/0:0), ts 91119585830, free_ts 91088628818
+ set_page_owner include/linux/page_owner.h:32 [inline]
+ post_alloc_hook+0x234/0x290 mm/page_alloc.c:1857
+ prep_new_page mm/page_alloc.c:1865 [inline]
+ get_page_from_freelist+0x28c0/0x2960 mm/page_alloc.c:3915
+ __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5210
+ alloc_pages_mpol+0xd1/0x380 mm/mempolicy.c:2486
+ alloc_slab_page mm/slub.c:3075 [inline]
+ allocate_slab+0x86/0x3b0 mm/slub.c:3248
+ new_slab mm/slub.c:3302 [inline]
+ ___slab_alloc+0xb10/0x13e0 mm/slub.c:4656
+ __slab_alloc+0xc6/0x1f0 mm/slub.c:4779
+ __slab_alloc_node mm/slub.c:4855 [inline]
+ slab_alloc_node mm/slub.c:5251 [inline]
+ kmem_cache_alloc_noprof+0x101/0x6c0 mm/slub.c:5270
+ dst_alloc+0x105/0x170 net/core/dst.c:89
+ ip6_dst_alloc net/ipv6/route.c:342 [inline]
+ icmp6_dst_alloc+0x75/0x460 net/ipv6/route.c:3333
+ mld_sendpack+0x683/0xe60 net/ipv6/mcast.c:1844
+ mld_send_cr net/ipv6/mcast.c:2154 [inline]
+ mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693
+ process_one_work kernel/workqueue.c:3257 [inline]
+ process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
+ worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
+ kthread+0x711/0x8a0 kernel/kthread.c:463
+ ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
+page last free pid 5859 tgid 5859 stack trace:
+ reset_page_owner include/linux/page_owner.h:25 [inline]
+ free_pages_prepare mm/page_alloc.c:1406 [inline]
+ __free_frozen_pages+0xfe1/0x1170 mm/page_alloc.c:2943
+ discard_slab mm/slub.c:3346 [inline]
+ __put_partials+0x149/0x170 mm/slub.c:3886
+ __slab_free+0x2af/0x330 mm/slub.c:5952
+ qlink_free mm/kasan/quarantine.c:163 [inline]
+ qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179
+ kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
+ __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350
+ kasan_slab_alloc include/linux/kasan.h:253 [inline]
+ slab_post_alloc_hook mm/slub.c:4953 [inline]
+ slab_alloc_node mm/slub.c:5263 [inline]
+ kmem_cache_alloc_noprof+0x18d/0x6c0 mm/slub.c:5270
+ getname_flags+0xb8/0x540 fs/namei.c:146
+ getname include/linux/fs.h:2498 [inline]
+ do_sys_openat2+0xbc/0x200 fs/open.c:1426
+ do_sys_open fs/open.c:1436 [inline]
+ __do_sys_openat fs/open.c:1452 [inline]
+ __se_sys_openat fs/open.c:1447 [inline]
+ __x64_sys_openat+0x138/0x170 fs/open.c:1447
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
+
+Fixes: 8d0b94afdca8 ("ipv6: Keep track of DST_NOCACHE routes in case of iface down/unregister")
+Fixes: 78df76a065ae ("ipv4: take rt_uncached_lock only if needed")
+Reported-by: syzbot+179fc225724092b8b2b2@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/6964cdf2.050a0220.eaf7.009d.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet
+Cc: Martin KaFai Lau
+Reviewed-by: David Ahern
+Link: https://patch.msgid.link/20260112103825.3810713-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+---
+ net/core/dst.c | 1 +
+ net/ipv4/route.c | 4 ++--
+ net/ipv6/route.c | 4 ++--
+ 3 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/net/core/dst.c b/net/core/dst.c
+index 8dbb54148c03..92aa81b2f331 100644
+--- a/net/core/dst.c
++++ b/net/core/dst.c
+@@ -68,6 +68,7 @@ void dst_init(struct dst_entry *dst, struct dst_ops *ops,
+ dst->lwtstate = NULL;
+ rcuref_init(&dst->__rcuref, 1);
+ INIT_LIST_HEAD(&dst->rt_uncached);
++ dst->rt_uncached_list = NULL;
+ dst->__use = 0;
+ dst->lastuse = jiffies;
+ dst->flags = flags;
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index 7579001d5b29..4dce0de6ab89 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -1533,9 +1533,9 @@ void rt_add_uncached_list(struct rtable *rt)
+
+ void rt_del_uncached_list(struct rtable *rt)
+ {
+- if (!list_empty(&rt->dst.rt_uncached)) {
+- struct uncached_list *ul = rt->dst.rt_uncached_list;
++
struct uncached_list *ul = rt->dst.rt_uncached_list; + ++ if (ul) { + spin_lock_bh(&ul->lock); + list_del_init(&rt->dst.rt_uncached); + spin_unlock_bh(&ul->lock); +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index aeac45af3a22..8bcd5f38d94c 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -148,9 +148,9 @@ void rt6_uncached_list_add(struct rt6_info *rt) + + void rt6_uncached_list_del(struct rt6_info *rt) + { +- if (!list_empty(&rt->dst.rt_uncached)) { +- struct uncached_list *ul = rt->dst.rt_uncached_list; ++ struct uncached_list *ul = rt->dst.rt_uncached_list; + ++ if (ul) { + spin_lock_bh(&ul->lock); + list_del_init(&rt->dst.rt_uncached); + spin_unlock_bh(&ul->lock); +-- +2.43.0 + diff --git a/SPECS/kernel/kernel-uki.spec b/SPECS/kernel/kernel-uki.spec index 224f2e3f58..dce29e6abd 100644 --- a/SPECS/kernel/kernel-uki.spec +++ b/SPECS/kernel/kernel-uki.spec @@ -12,8 +12,8 @@ Summary: Unified Kernel Image Name: kernel-uki -Version: 6.12.61 -Release: 2%{?dist} +Version: 6.12.67 +Release: 1%{?dist} License: GPLv2 Vendor: Intel Corporation Distribution: Edge Microvisor Toolkit @@ -70,6 +70,10 @@ cp %{buildroot}/boot/vmlinuz-uki-%{kernelver}.efi %{buildroot}/boot/efi/EFI/Linu /boot/efi/EFI/Linux/vmlinuz-uki-%{kernelver}.efi %changelog +* Thu Feb 05 2026 Lishan Liu - 6.12.67-1 +- Update kernel to 6.12.67-1 +- lts-v6.12.67-emt-cve-260128T180434Z + * Fri Jan 9 2026 Lishan Liu - 6.12.61-2 - Update kernel to 6.12.61-2 - lts-v6.12.61-emt-cve-260106T193826Z diff --git a/SPECS/kernel/kernel.signatures.json b/SPECS/kernel/kernel.signatures.json index 8c4b46ffba..afb938fbe2 100644 --- a/SPECS/kernel/kernel.signatures.json +++ b/SPECS/kernel/kernel.signatures.json 
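Review bot: Neither `rt_del_uncached_list()` nor `rt6_uncached_list_del()` records why the guard is now `if (ul)` instead of `list_empty()`, and that reasoning is the whole fix, so it belongs next to the test in both hunks. Something like `/* Test rt_uncached_list, not list_empty(): a concurrent list_del_init() makes the entry look empty before its ->prev write lands. */` would keep a later cleanup from restoring the lockless check. The guard is only sound if every dst_entry reaches it with the pointer either NULL or valid, which the added `dst->rt_uncached_list = NULL;` in `dst_init()` provides for entries set up there; whether any dst is initialised on another path is not visible in these hunks. Both delete functions continue past the end of their hunks.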
@@ -5,6 +5,6 @@ "cpupower": "d7518767bf2b1110d146a49c7d42e76b803f45eb8bd14d931aa6d0d346fae985", "cpupower.service": "b057fe9e5d0e8c36f485818286b80e3eba8ff66ff44797940e99b1fd5361bb98", "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f", - "linux-6.12.61.tar.gz": "7fb34abab0902a47ce1d47de58442e69e0e79d17f565b41fcb11249ea5b23801" + "linux-6.12.67.tar.gz": "b4c0b2ed9cd5002478c7c699d69eece548c84d7c7e1ad48cff61cd951424c745" } -} +} \ No newline at end of file diff --git a/SPECS/kernel/kernel.spec b/SPECS/kernel/kernel.spec index 431784d874..2c64e1ffb4 100644 --- a/SPECS/kernel/kernel.spec +++ b/SPECS/kernel/kernel.spec @@ -1,13 +1,13 @@ Summary: Linux Kernel Name: kernel -Version: 6.12.61 -Release: 2%{?dist} +Version: 6.12.67 +Release: 1%{?dist} License: GPLv2 Vendor: Intel Corporation Distribution: Edge Microvisor Toolkit Group: System Environment/Kernel URL: https://www.kernel.org/pub/linux/kernel -Source0: https://www.kernel.org/pub/linux/kernel/v6.x/linux-6.12.61.tar.gz +Source0: https://www.kernel.org/pub/linux/kernel/v6.x/linux-6.12.67.tar.gz Source1: config Source3: sha512hmac-openssl.sh Source4: emt-ca-20211013.pem 
@@ -15,745 +15,637 @@ Source5: cpupower Source6: cpupower.service -# Intel not-upstreamed kernel features -# Series file for v6.12.61 linux kernel -# dcbeffaf66d03 Linux 6.12.61 +# Intel Kernel Patches +# Series file for v6.12.67 linux kernel +# abf529abd660d Linux 6.12.67 #sriov -Patch0: 0001-drm-i915-mtl-Add-C10-table-for-HDMI-Clock-25175.sriov -Patch1: 0002-drm-i915-mtl-Copy-c10-phy-pll-sw-state-from-master-t.sriov -Patch2: 0003-drm-i915-guc-Define-MAX_DWORDS-for-CTB-HXG-Message.sriov -Patch3: 0004-drm-i915-call-taint_for_CI-on-FLR-failure.sriov -Patch4: 0005-drm-i915-huc-load-HuC-via-non-POR-GSC-engine-flow.sriov -Patch5: 0006-drm-i915-SR-IOV-Enabling-and-Support.sriov -Patch6: 0007-Revert-drm-i915-move-platform_engine_mask-and-memory.sriov -Patch7: 0008-drm-i915-gt-Enable-the-early-register-to-working-win.sriov -Patch8: 0009-drm-i915-gt-Modify-the-adls-mocs-table-same-as-tgl-m.sriov -Patch9: 0010-drm-i915-Bypass-gem_set_tiling-and-gem_get_tiling.sriov -Patch10: 0011-drm-i915-enable-CCS-on-DG1-and-TGL-for-testing.sriov -Patch11: 0012-drm-i915-force-VF-using-v70-GuC-API.sriov -Patch12: 0013-drm-i915-fix-regression-on-sriov-vf-failures-due-to-.sriov -Patch13: 0014-drm-i915-add-null-pointer-protection-inside-intel_fb.sriov -Patch14: 0015-drm-i915-use-the-original-Wa_14010685332-for-PCH_ADP.sriov -Patch15: 0016-drm-i915-fix-bitmap-clear-API-region-start-issue.sriov -Patch16: 0017-drm-i915-iov-Expose-early-runtime-registers-for-MTL.sriov -Patch17: 0018-drm-i915-gt-fix-empty-workaround-list-access-issue.sriov -Patch18: 0019-drm-i915-mtl-Add-module-parameter-override-for-Wa_16.sriov -Patch19: 0020-drm-i915-mtl-Provide-user-the-option-to-disable-ccs.sriov -Patch20: 0021-drm-i915-mtl-Turn-on-Wa_16019325821-Wa_14019159160-b.sriov -Patch21: 0022-drm-i915-pf-Use-GPU-to-set-PTE-owner.sriov -Patch22: 0023-drm-i915-pf-Use-GPU-to-set-PTE-owner-on-platforms-wi.sriov -Patch23: 0024-drm-i915-access-ddc-pointer-only-if-it-is-available.sriov -Patch24: 
0025-drm-i915-guc-Upgrade-GuC-fw-version-to-70.20.0.sriov -Patch25: 0026-drm-i915-iov-Adding-runtime-reg-for-MTL-HuC-status.sriov -Patch26: 0027-drm-i915-guc-Upgrade-GuC-fw-version-to-70.29.2.sriov -Patch27: 0028-drm-i915-Re-add-enable_rc6-modparam.sriov -Patch28: 0032-drm-virtio-freeze-and-restore-hooks-to-support-suspe.sriov -Patch29: 0033-drm-virtio-save-and-restore-virtio_gpu_objects.sriov -Patch30: 0001-drm-virtio-Use-drm_gem_plane_helper_prepare_fb.patch -Patch31: 0034-drm-i915-pf-Introduce-i915_ggtt_save_ptes-and-i915_g.sriov -Patch32: 0035-drm-i915-iov-Introduce-VFs-shadow-copy-of-GGTT-on-PF.sriov -Patch33: 0036-drm-i915-iov-Shadow-GGTT-mock-selftestes.sriov -Patch34: 0037-drm-i915-gt-Don-t-support-GGTT-save-restore-via-BAR-.sriov -Patch35: 0038-drm-i915-pf-Add-helpers-for-saving-loading-GGTT-stat.sriov -Patch36: 0039-drm-i915-pf-Handle-VF-pause-complete-notification.sriov -Patch37: 0040-drm-i915-pf-Allow-to-save-restore-GuC-VF-state.sriov -Patch38: 0041-drm-i915-pf-Save-and-restore-VFs-state-during-S2idle.sriov -Patch39: 0042-drm-i915-pf-Skip-VF-save-restore-on-S2idle-S3-S4-if-.sriov -Patch40: 0043-drm-i915-pf-Start-use-shadow-GGTT-to-save-restore-du.sriov -Patch41: 0044-drm-i915-pf-Export-API-to-be-used-by-i915-vfio-pci.sriov -Patch42: 0045-drm-i915-iov-Flag-which-tells-whether-PAUSE-is-in-pr.sriov -Patch43: 0046-drm-i915-iov-Remember-run-state-on-suspend-and-resto.sriov -Patch44: 0047-drm-i915-pf-Pause-VF-before-restore-GuC-state-after-.sriov -Patch45: 0048-drm-i915-iov-fix-i915-sriov-build-issue.sriov -Patch46: 0001-drm-i915-CTB-TLB-invalidation-fix-on-VM.sriov -Patch47: 0002-vfio-i915-Add-vfio_pci-driver-for-Intel-graphics.sriov -Patch48: 0003-drm-i915-guc-Upgrade-GuC-fw-version-to-70.36.0.sriov -Patch49: 0001-drm-i915-Fix-logic-for-GUC-Process.sriov -Patch50: 0001-vfio-i915-Add-support-for-MMIO-save-restore.sriov -Patch51: 0002-drm-i915-SR-IOV-Save-Restore-Feature-support.sriov -Patch52: 0001-i915-Enable-w-a-16026508708.sriov -Patch53: 
0001-virtio-hookup-irq_get_affinity-callback.sriov -Patch54: 0002-virtio-break-and-reset-virtio-devices-on-device_shut.sriov -Patch55: 0003-virtgpu-don-t-reset-on-shutdown.sriov -Patch56: 0004-drm-virtio-implement-virtio_gpu_shutdown.sriov -Patch57: 0001-drm-virtio-Wait-until-the-control-and-cursor-queues-.sriov -Patch58: 0001-drm-i915-move-sriov-selftest-buffer-out-of-stack.sriov -Patch59: 0001-drm-i915-Do-not-advertise-about-CCS.sriov -Patch60: 0001-Revert-drm-i915-Do-not-advertise-about-CCS.sriov +Patch01001: 0001-drm-i915-mtl-Add-C10-table-for-HDMI-Clock-25175.sriov +Patch01002: 0002-drm-i915-mtl-Copy-c10-phy-pll-sw-state-from-master-t.sriov +Patch01003: 0003-drm-i915-guc-Define-MAX_DWORDS-for-CTB-HXG-Message.sriov +Patch01004: 0004-drm-i915-call-taint_for_CI-on-FLR-failure.sriov +Patch01005: 0005-drm-i915-huc-load-HuC-via-non-POR-GSC-engine-flow.sriov +Patch01006: 0006-drm-i915-SR-IOV-Enabling-and-Support.sriov +Patch01007: 0007-Revert-drm-i915-move-platform_engine_mask-and-memory.sriov +Patch01008: 0008-drm-i915-gt-Enable-the-early-register-to-working-win.sriov +Patch01009: 0009-drm-i915-gt-Modify-the-adls-mocs-table-same-as-tgl-m.sriov +Patch01010: 0010-drm-i915-Bypass-gem_set_tiling-and-gem_get_tiling.sriov +Patch01011: 0011-drm-i915-enable-CCS-on-DG1-and-TGL-for-testing.sriov +Patch01012: 0012-drm-i915-force-VF-using-v70-GuC-API.sriov +Patch01013: 0013-drm-i915-fix-regression-on-sriov-vf-failures-due-to-.sriov +Patch01014: 0014-drm-i915-add-null-pointer-protection-inside-intel_fb.sriov +Patch01015: 0015-drm-i915-use-the-original-Wa_14010685332-for-PCH_ADP.sriov +Patch01016: 0016-drm-i915-fix-bitmap-clear-API-region-start-issue.sriov +Patch01017: 0017-drm-i915-iov-Expose-early-runtime-registers-for-MTL.sriov +Patch01018: 0018-drm-i915-gt-fix-empty-workaround-list-access-issue.sriov +Patch01019: 0019-drm-i915-mtl-Add-module-parameter-override-for-Wa_16.sriov +Patch01020: 0020-drm-i915-mtl-Provide-user-the-option-to-disable-ccs.sriov +Patch01021: 
0021-drm-i915-mtl-Turn-on-Wa_16019325821-Wa_14019159160-b.sriov +Patch01022: 0022-drm-i915-pf-Use-GPU-to-set-PTE-owner.sriov +Patch01023: 0023-drm-i915-pf-Use-GPU-to-set-PTE-owner-on-platforms-wi.sriov +Patch01024: 0024-drm-i915-access-ddc-pointer-only-if-it-is-available.sriov +Patch01025: 0025-drm-i915-guc-Upgrade-GuC-fw-version-to-70.20.0.sriov +Patch01026: 0026-drm-i915-iov-Adding-runtime-reg-for-MTL-HuC-status.sriov +Patch01027: 0027-drm-i915-guc-Upgrade-GuC-fw-version-to-70.29.2.sriov +Patch01028: 0028-drm-i915-Re-add-enable_rc6-modparam.sriov +Patch01029: 0032-drm-virtio-freeze-and-restore-hooks-to-support-suspe.sriov +Patch01030: 0033-drm-virtio-save-and-restore-virtio_gpu_objects.sriov +Patch01031: 0001-drm-virtio-Use-drm_gem_plane_helper_prepare_fb.patch +Patch01032: 0034-drm-i915-pf-Introduce-i915_ggtt_save_ptes-and-i915_g.sriov +Patch01033: 0035-drm-i915-iov-Introduce-VFs-shadow-copy-of-GGTT-on-PF.sriov +Patch01034: 0036-drm-i915-iov-Shadow-GGTT-mock-selftestes.sriov +Patch01035: 0037-drm-i915-gt-Don-t-support-GGTT-save-restore-via-BAR-.sriov +Patch01036: 0038-drm-i915-pf-Add-helpers-for-saving-loading-GGTT-stat.sriov +Patch01037: 0039-drm-i915-pf-Handle-VF-pause-complete-notification.sriov +Patch01038: 0040-drm-i915-pf-Allow-to-save-restore-GuC-VF-state.sriov +Patch01039: 0041-drm-i915-pf-Save-and-restore-VFs-state-during-S2idle.sriov +Patch01040: 0042-drm-i915-pf-Skip-VF-save-restore-on-S2idle-S3-S4-if-.sriov +Patch01041: 0043-drm-i915-pf-Start-use-shadow-GGTT-to-save-restore-du.sriov +Patch01042: 0044-drm-i915-pf-Export-API-to-be-used-by-i915-vfio-pci.sriov +Patch01043: 0045-drm-i915-iov-Flag-which-tells-whether-PAUSE-is-in-pr.sriov +Patch01044: 0046-drm-i915-iov-Remember-run-state-on-suspend-and-resto.sriov +Patch01045: 0047-drm-i915-pf-Pause-VF-before-restore-GuC-state-after-.sriov +Patch01046: 0048-drm-i915-iov-fix-i915-sriov-build-issue.sriov +Patch01047: 0001-drm-i915-CTB-TLB-invalidation-fix-on-VM.sriov +Patch01048: 
0002-vfio-i915-Add-vfio_pci-driver-for-Intel-graphics.sriov +Patch01049: 0003-drm-i915-guc-Upgrade-GuC-fw-version-to-70.36.0.sriov +Patch01050: 0001-drm-i915-Fix-logic-for-GUC-Process.sriov +Patch01051: 0001-vfio-i915-Add-support-for-MMIO-save-restore.sriov +Patch01052: 0002-drm-i915-SR-IOV-Save-Restore-Feature-support.sriov +Patch01053: 0001-i915-Enable-w-a-16026508708.sriov +Patch01054: 0001-virtio-hookup-irq_get_affinity-callback.sriov +Patch01055: 0002-virtio-break-and-reset-virtio-devices-on-device_shut.sriov +Patch01056: 0003-virtgpu-don-t-reset-on-shutdown.sriov +Patch01057: 0004-drm-virtio-implement-virtio_gpu_shutdown.sriov +Patch01058: 0001-drm-virtio-Wait-until-the-control-and-cursor-queues-.sriov +Patch01059: 0001-drm-i915-move-sriov-selftest-buffer-out-of-stack.sriov +Patch01060: 0001-drm-i915-Do-not-advertise-about-CCS.sriov +Patch01061: 0001-Revert-drm-i915-Do-not-advertise-about-CCS.sriov #security -Patch61: 0001-mei-bus-add-api-to-query-capabilities-of-ME-clien.security -Patch62: 0002-mei-virtio-virtualization-frontend-driver.security -Patch63: 0003-INTEL_DII-mei-avoid-reset-if-fw-is-down.security -Patch64: 0004-INTEL_DII-FIXME-mei-iaf-add-iaf-Intel-Accelerator.security -Patch65: 0005-INTEL_DII-mei-add-check-for-offline-bit-in-every-.security -Patch66: 0006-INTEL_DII-mei-add-empty-handlers-for-ops-function.security -Patch67: 0007-INTEL_DII-mei-gsc-add-fields-to-support-force-wak.security -Patch68: 0008-INTEL_DII-mei-add-waitqueue-for-device-state-chan.security -Patch69: 0009-INTEL_DII-mei-add-force-wake-workaround-infra.security -Patch70: 0010-INTEL_DII-mei-add-force-wake-workaround-in-init.security -Patch71: 0011-INTEL_DII-mei-add-force-wake-workaround-on-sessio.security -Patch72: 0012-INTEL_DII-mei-add-force-wake-workaround-in-runtim.security -Patch73: 0013-INTEL_DII-mei-add-force-wake-workaround-in-resume.security -Patch74: 0014-INTEL_DII-mei-disable-immediate-enum-if-forcewake.security -Patch75: 
0015-INTEL_DII-mei-put-force-wake-in-error-flows.security -Patch76: 0016-INTEL_DII-mei-add-force-wake-callbacks-to-empty-h.security -Patch77: 0017-INTEL_DII-mei-optimize-force-wake-wait.security -Patch78: 0018-mei-me-apply-GSC-error-supression-to-systems-with.security -Patch79: 0019-INTEL_DII-mei-bus-fixup-disable-version-retrieval.security +Patch02001: 0001-mei-bus-add-api-to-query-capabilities-of-ME-clien.security +Patch02002: 0002-mei-virtio-virtualization-frontend-driver.security +Patch02003: 0003-INTEL_DII-mei-avoid-reset-if-fw-is-down.security +Patch02004: 0004-INTEL_DII-FIXME-mei-iaf-add-iaf-Intel-Accelerator.security +Patch02005: 0005-INTEL_DII-mei-add-check-for-offline-bit-in-every-.security +Patch02006: 0006-INTEL_DII-mei-add-empty-handlers-for-ops-function.security +Patch02007: 0007-INTEL_DII-mei-gsc-add-fields-to-support-force-wak.security +Patch02008: 0008-INTEL_DII-mei-add-waitqueue-for-device-state-chan.security +Patch02009: 0009-INTEL_DII-mei-add-force-wake-workaround-infra.security +Patch02010: 0010-INTEL_DII-mei-add-force-wake-workaround-in-init.security +Patch02011: 0011-INTEL_DII-mei-add-force-wake-workaround-on-sessio.security +Patch02012: 0012-INTEL_DII-mei-add-force-wake-workaround-in-runtim.security +Patch02013: 0013-INTEL_DII-mei-add-force-wake-workaround-in-resume.security +Patch02014: 0014-INTEL_DII-mei-disable-immediate-enum-if-forcewake.security +Patch02015: 0015-INTEL_DII-mei-put-force-wake-in-error-flows.security +Patch02016: 0016-INTEL_DII-mei-add-force-wake-callbacks-to-empty-h.security +Patch02017: 0017-INTEL_DII-mei-optimize-force-wake-wait.security +Patch02018: 0018-mei-me-apply-GSC-error-supression-to-systems-with.security +Patch02019: 0019-INTEL_DII-mei-bus-fixup-disable-version-retrieval.security #tgpio -Patch80: 0001-Revert-timekeeping-Add-function-to-convert-realtime-.tgpio -Patch81: 0002-Revert-x86-tsc-Remove-obsolete-ART-to-TSC-conversion.tgpio -Patch82: 0003-Revert-ice-ptp-Remove-convert_art_to_tsc.tgpio -Patch83: 
0004-Revert-ALSA-hda-Remove-convert_art_to_tsc.tgpio -Patch84: 0005-Revert-stmmac-intel-Remove-convert_art_to_tsc.tgpio -Patch85: 0006-Revert-igc-Remove-convert_art_ns_to_tsc.tgpio -Patch86: 0007-Revert-e1000e-Replace-convert_art_to_tsc.tgpio -Patch87: 0008-Revert-x86-tsc-Provide-ART-base-clock-information-fo.tgpio -Patch88: 0009-Revert-timekeeping-Provide-infrastructure-for-conver.tgpio -Patch89: 0010-drivers-ptp-Add-Enhanced-handling-of-reserve-fields.tgpio -Patch90: 0011-drivers-ptp-Add-PEROUT2-ioctl-frequency-adjustment-i.tgpio -Patch91: 0012-drivers-ptp-Add-user-space-input-polling-interface.tgpio -Patch92: 0013-x86-tsc-Add-TSC-support-functions-to-support-ART-dri.tgpio -Patch93: 0014-drivers-ptp-Add-support-for-PMC-Time-Aware-GPIO-Driv.tgpio -Patch94: 0015-x86-core-TSC-reliable-kernel-arg-prevents-DQ-of-TSC-.tgpio -Patch95: 0016-mfd-intel-ehl-gpio-Introduce-MFD-framework-to-PSE-GP.tgpio -Patch96: 0017-TGPIO-Calling-power-management-calls-without-enterin.tgpio -Patch97: 0018-TGPIO-Fix-PSE-TGPIO-PTP-driver-ioctls-fail.tgpio -Patch98: 0019-Kernel-Argument-Bypassing-ART-Detection.tgpio -Patch99: 0020-GPIO-Fix-for-PSE-GPIO-generating-only-one-event-as-i.tgpio -Patch100: 0021-Added-TGPIO-pin-check-before-input-event-read.tgpio -Patch101: 0022-Added-an-Example-to-adjust-frequency-for-output.tgpio -Patch102: 0023-ptp-tgpio-PSE-TGPIO-crosststamp-counttstamp.tgpio -Patch103: 0024-ptp-Fixed-read-issue-on-PHC-with-zero-n_pins.tgpio -Patch104: 0025-ptp-S-W-workaround-for-PMC-TGPIO-h-w-bug.tgpio -Patch105: 0026-ptp-Fix-for-PSE-TGPIO-Oneshot-output-and-counttstamp.tgpio -Patch106: 0027-ptp-Fix-for-PSE-TGPIO-frequency-Adjustment-issue.tgpio -Patch107: 0028-tgpio-Fix-compilation-errors-for-PSE-TGPIO.tgpio -Patch108: 0029-Added-single-shot-output-mode-support-for-TGPIO.tgpio -Patch109: 0030-Added-an-example-to-poll-for-edges.tgpio -Patch110: 0031-Added-support-to-get-TGPIO-System-Clock-Offset.tgpio -Patch111: 0032-Added-single-shot-output-mode-option-for-TGPIO-pin.tgpio 
-Patch112: 0033-selftests-ptp-Added-COMPV-GPIO-Input-Mode-for-TGPIO.tgpio -Patch113: 0034-ptp-Introduce-PTP_PINDESC_INPUTPOLL-for-Intel-PMC-TG.tgpio -Patch114: 0035-drivers-ptp-Add-COMPV-GPIO-Mode-for-PSE-TGPIO.tgpio -Patch115: 0036-net-ice-fix-braces-around-scalar-initializer.tgpio -Patch116: 0037-ptp-Add-PTP_EVENT_COUNTER_MODE-in-v1-valid-flags.tgpio -Patch117: 0038-ptp-Enable-preempt-if-it-is-disabled.tgpio -Patch118: 0039-ptp-Generate-sqaure-wave-on-PSE-TGPIO.tgpio -Patch119: 0040-ptp-tgpio-Add-an-edge-if-the-output-signal-ends-high.tgpio -Patch120: 0041-ptp-pmc-tgpio-Initialize-variable-to-zero.tgpio -Patch121: 0042-ptp-tgpio-Fix-return-type-of-remove-function-in-tgpi.tgpio -Patch122: 0043-net-mlx5-reuse-convert_art_ns_to_tsc-to-convert-ART-.tgpio +Patch03001: 0001-Revert-timekeeping-Add-function-to-convert-realtime-.tgpio +Patch03002: 0002-Revert-x86-tsc-Remove-obsolete-ART-to-TSC-conversion.tgpio +Patch03003: 0003-Revert-ice-ptp-Remove-convert_art_to_tsc.tgpio +Patch03004: 0004-Revert-ALSA-hda-Remove-convert_art_to_tsc.tgpio +Patch03005: 0005-Revert-stmmac-intel-Remove-convert_art_to_tsc.tgpio +Patch03006: 0006-Revert-igc-Remove-convert_art_ns_to_tsc.tgpio +Patch03007: 0007-Revert-e1000e-Replace-convert_art_to_tsc.tgpio +Patch03008: 0008-Revert-x86-tsc-Provide-ART-base-clock-information-fo.tgpio +Patch03009: 0009-Revert-timekeeping-Provide-infrastructure-for-conver.tgpio +Patch03010: 0010-drivers-ptp-Add-Enhanced-handling-of-reserve-fields.tgpio +Patch03011: 0011-drivers-ptp-Add-PEROUT2-ioctl-frequency-adjustment-i.tgpio +Patch03012: 0012-drivers-ptp-Add-user-space-input-polling-interface.tgpio +Patch03013: 0013-x86-tsc-Add-TSC-support-functions-to-support-ART-dri.tgpio +Patch03014: 0014-drivers-ptp-Add-support-for-PMC-Time-Aware-GPIO-Driv.tgpio +Patch03015: 0015-x86-core-TSC-reliable-kernel-arg-prevents-DQ-of-TSC-.tgpio +Patch03016: 0016-mfd-intel-ehl-gpio-Introduce-MFD-framework-to-PSE-GP.tgpio +Patch03017: 
0017-TGPIO-Calling-power-management-calls-without-enterin.tgpio +Patch03018: 0018-TGPIO-Fix-PSE-TGPIO-PTP-driver-ioctls-fail.tgpio +Patch03019: 0019-Kernel-Argument-Bypassing-ART-Detection.tgpio +Patch03020: 0020-GPIO-Fix-for-PSE-GPIO-generating-only-one-event-as-i.tgpio +Patch03021: 0021-Added-TGPIO-pin-check-before-input-event-read.tgpio +Patch03022: 0022-Added-an-Example-to-adjust-frequency-for-output.tgpio +Patch03023: 0023-ptp-tgpio-PSE-TGPIO-crosststamp-counttstamp.tgpio +Patch03024: 0024-ptp-Fixed-read-issue-on-PHC-with-zero-n_pins.tgpio +Patch03025: 0025-ptp-S-W-workaround-for-PMC-TGPIO-h-w-bug.tgpio +Patch03026: 0026-ptp-Fix-for-PSE-TGPIO-Oneshot-output-and-counttstamp.tgpio +Patch03027: 0027-ptp-Fix-for-PSE-TGPIO-frequency-Adjustment-issue.tgpio +Patch03028: 0028-tgpio-Fix-compilation-errors-for-PSE-TGPIO.tgpio +Patch03029: 0029-Added-single-shot-output-mode-support-for-TGPIO.tgpio +Patch03030: 0030-Added-an-example-to-poll-for-edges.tgpio +Patch03031: 0031-Added-support-to-get-TGPIO-System-Clock-Offset.tgpio +Patch03032: 0032-Added-single-shot-output-mode-option-for-TGPIO-pin.tgpio +Patch03033: 0033-selftests-ptp-Added-COMPV-GPIO-Input-Mode-for-TGPIO.tgpio +Patch03034: 0034-ptp-Introduce-PTP_PINDESC_INPUTPOLL-for-Intel-PMC-TG.tgpio +Patch03035: 0035-drivers-ptp-Add-COMPV-GPIO-Mode-for-PSE-TGPIO.tgpio +Patch03036: 0036-net-ice-fix-braces-around-scalar-initializer.tgpio +Patch03037: 0037-ptp-Add-PTP_EVENT_COUNTER_MODE-in-v1-valid-flags.tgpio +Patch03038: 0038-ptp-Enable-preempt-if-it-is-disabled.tgpio +Patch03039: 0039-ptp-Generate-sqaure-wave-on-PSE-TGPIO.tgpio +Patch03040: 0040-ptp-tgpio-Add-an-edge-if-the-output-signal-ends-high.tgpio +Patch03041: 0041-ptp-pmc-tgpio-Initialize-variable-to-zero.tgpio +Patch03042: 0042-ptp-tgpio-Fix-return-type-of-remove-function-in-tgpi.tgpio +Patch03043: 0043-net-mlx5-reuse-convert_art_ns_to_tsc-to-convert-ART-.tgpio #edac -Patch123: 0001-x86-mce-Add-MCACOD-code-for-generic-I-O-error.edac -Patch124: 
0002-EDAC-ieh-Add-I-O-device-EDAC-driver-for-Intel-CPUs-wi.edac -Patch125: 0003-EDAC-ieh-Add-I-O-device-EDAC-support-for-Intel-Tiger-.edac -Patch126: 0004-EDAC-igen6-Add-registration-APIs-for-In-Band-ECC-erro.edac -Patch127: 0005-EDAC-i10nm-Print-DRAM-rules-debug-purpose.edac -Patch128: 0006-EDAC-skx_common-skx-i10nm-Make-skx_register_mci-indep.edac -Patch129: 0007-EDAC-skx_common-Prepare-skx_get_edac_list.edac -Patch130: 0008-EDAC-skx_common-Prepare-skx_set_hi_lo.edac -Patch131: 0009-EDAC-igen6-Add-Intel-Pnther-Lake-H-SoCs-support.edac -Patch132: 0002-EDAC-ie31200-Add-Kaby-Lake-S-dual-core-host-bridge-ID.edac -Patch133: 0006-EDAC-ie31200-Fix-the-3rd-parameter-name-of-populate_d.edac -Patch134: 0007-EDAC-ie31200-Simplify-the-pci_device_id-table.edac -Patch135: 0008-EDAC-ie31200-Make-the-memory-controller-resources-con.edac -Patch136: 0009-EDAC-ie31200-Make-struct-dimm_data-contain-decoded-in.edac -Patch137: 0010-EDAC-ie31200-Fold-the-two-channel-loops-into-one-loop.edac -Patch138: 0011-EDAC-ie31200-Break-up-ie31200_probe1.edac -Patch139: 0012-EDAC-ie31200-Add-Intel-Raptor-Lake-S-SoCs-support.edac -Patch140: 0013-EDAC-ie31200-Switch-Raptor-Lake-S-to-interrupt-mode.edac -Patch141: 0001-EDAC-ie31200-Add-two-Intel-SoCs-for-EDAC-support.edac -Patch142: 0002-ie31200-EDAC-Add-Intel-Bartlett-Lake-S-SoCs-support.edac -Patch143: 0001-EDAC-igen6-Add-Intel-Amston-Lake-SoCs-support.edac -Patch144: 0002-EDAC-igen6-Add-additional-Intel-Amston-Lake-SoC-compu.edac -Patch145: 0001-EDAC-igen6-Initialize-edac_op_state-according-to-the-.edac -Patch146: 0002-EDAC-igen6-Add-polling-support.edac -Patch147: 0003-EDAC-igen6-Fix-the-flood-of-invalid-error-reports.edac -Patch148: 0004-EDAC-igen6-Constify-struct-res_config.edac -Patch149: 0005-EDAC-igen6-Skip-absent-memory-controllers.edac -Patch150: 0006-EDAC-igen6-Fix-NULL-pointer-dereference.edac +Patch04001: 0001-x86-mce-Add-MCACOD-code-for-generic-I-O-error.edac +Patch04002: 0002-EDAC-ieh-Add-I-O-device-EDAC-driver-for-Intel-CPUs-wi.edac 
+Patch04003: 0003-EDAC-ieh-Add-I-O-device-EDAC-support-for-Intel-Tiger-.edac +Patch04004: 0004-EDAC-igen6-Add-registration-APIs-for-In-Band-ECC-erro.edac +Patch04005: 0005-EDAC-i10nm-Print-DRAM-rules-debug-purpose.edac +Patch04006: 0006-EDAC-skx_common-skx-i10nm-Make-skx_register_mci-indep.edac +Patch04007: 0007-EDAC-skx_common-Prepare-skx_get_edac_list.edac +Patch04008: 0008-EDAC-skx_common-Prepare-skx_set_hi_lo.edac +Patch04009: 0009-EDAC-igen6-Add-Intel-Pnther-Lake-H-SoCs-support.edac +Patch04010: 0002-EDAC-ie31200-Add-Kaby-Lake-S-dual-core-host-bridge-ID.edac +Patch04011: 0006-EDAC-ie31200-Fix-the-3rd-parameter-name-of-populate_d.edac +Patch04012: 0007-EDAC-ie31200-Simplify-the-pci_device_id-table.edac +Patch04013: 0008-EDAC-ie31200-Make-the-memory-controller-resources-con.edac +Patch04014: 0009-EDAC-ie31200-Make-struct-dimm_data-contain-decoded-in.edac +Patch04015: 0010-EDAC-ie31200-Fold-the-two-channel-loops-into-one-loop.edac +Patch04016: 0011-EDAC-ie31200-Break-up-ie31200_probe1.edac +Patch04017: 0012-EDAC-ie31200-Add-Intel-Raptor-Lake-S-SoCs-support.edac +Patch04018: 0013-EDAC-ie31200-Switch-Raptor-Lake-S-to-interrupt-mode.edac +Patch04019: 0001-EDAC-ie31200-Add-two-Intel-SoCs-for-EDAC-support.edac +Patch04020: 0002-ie31200-EDAC-Add-Intel-Bartlett-Lake-S-SoCs-support.edac +Patch04021: 0001-EDAC-igen6-Add-Intel-Amston-Lake-SoCs-support.edac +Patch04022: 0002-EDAC-igen6-Add-additional-Intel-Amston-Lake-SoC-compu.edac +Patch04023: 0001-EDAC-igen6-Initialize-edac_op_state-according-to-the-.edac +Patch04024: 0002-EDAC-igen6-Add-polling-support.edac +Patch04025: 0003-EDAC-igen6-Fix-the-flood-of-invalid-error-reports.edac +Patch04026: 0004-EDAC-igen6-Constify-struct-res_config.edac +Patch04027: 0005-EDAC-igen6-Skip-absent-memory-controllers.edac +Patch04028: 0006-EDAC-igen6-Fix-NULL-pointer-dereference.edac #tsn -Patch151: 0001-net-pcs-xpcs-enable-xpcs-reset-skipping.tsn -Patch152: 0002-net-stmmac-Bugfix-on-stmmac_interrupt-for-WOL.tsn -Patch153: 
0003-net-phy-increase-gpy-loopback-test-delay.tsn -Patch154: 0004-net-stmmac-Resolve-poor-line-rate-after-switching-from.tsn -Patch155: 0005-net-phy-dp83867-perform-restart-AN-after-modifying-AN-.tsn -Patch156: 0006-stmmac-intel-Separate-ADL-N-and-RPL-P-device-ID-from-T.tsn -Patch157: 0007-net-stmmac-Adjust-mac_capabilities-for-Intel-mGbE-2.5G.tsn -Patch158: 0008-stmmac-intel-skip-xpcs-reset-for-2.5Gbps-on-Intel-Alde.tsn -Patch159: 0009-net-stmmac-add-check-for-2.5G-mode-to-prevent-MAC-capa.tsn -Patch160: 0010-stmmac-intel-Enable-PHY-WoL-in-ADL-N.tsn -Patch161: 0011-net-phy-reconfigure-PHY-WoL-when-WoL-option-is-enabled.tsn -Patch162: 0012-net-stmmac-fix-MAC-and-phylink-mismatch-issue-after-re.tsn -Patch163: 0013-net-stmmac-restructure-Rx-Tx-hardware-timestamping-fun.tsn -Patch164: 0014-net-stmmac-Add-per-packet-time-based-scheduling-for-XD.tsn -Patch165: 0015-net-stmmac-introduce-AF_XDP-ZC-RX-HW-timestamps.tsn -Patch166: 0016-net-stmmac-add-fsleep-in-HW-Rx-timestamp-checking-loop.tsn -Patch167: 0017-net-stmmac-select-PCS-negotiation-mode-according-to-th.tsn -Patch168: 0018-net-pcs-xpcs-re-initiate-clause-37-Auto-negotiation.tsn -Patch169: 0019-arch-x86-Add-IPC-mailbox-accessor-function-and-add-SoC.tsn -Patch170: 0020-net-stmmac-configure-SerDes-according-to-the-interface.tsn -Patch171: 0021-stmmac-intel-interface-switching-support-for-intel-pla.tsn -Patch172: 0022-net-stmmac-Set-mac_managed_pm-flag-from-stmmac-to-reso.tsn -Patch173: 0023-net-phylink-Add-module_exit.tsn -Patch174: 0024-net-stmmac-introduce-AF_XDP-ZC-TX-HW-timestamps.tsn -Patch175: 0025-net-sched-taprio-fix-too-early-schedules-switching.tsn -Patch176: 0026-net-sched-taprio-fix-cycle-time-adjustment-for-next-en.tsn -Patch177: 0027-net-sched-taprio-fix-impacted-fields-value-during-cycl.tsn -Patch178: 0028-net-sched-taprio-get-corrected-value-of-cycle_time-and.tsn -Patch179: 0029-xsk-add-txtime-field-in-xdp_desc-struct.tsn -Patch180: 0030-Revert-net-stmmac-silence-FPE-kernel-logs.tsn -Patch181: 
0031-Revert-net-stmmac-support-fp-parameter-of-tc-taprio.tsn -Patch182: 0032-Revert-net-stmmac-support-fp-parameter-of-tc-mqprio.tsn -Patch183: 0033-Revert-net-stmmac-configure-FPE-via-ethtool-mm.tsn -Patch184: 0034-Revert-net-stmmac-refactor-FPE-verification-process.tsn -Patch185: 0035-Revert-net-stmmac-drop-stmmac_fpe_handshake.tsn -Patch186: 0036-Revert-net-stmmac-move-stmmac_fpe_cfg-to-stmmac_priv-d.tsn -Patch187: 0037-net-stmmac-add-FPE-preempt-setting-for-TxQ-preemptible.tsn -Patch188: 0038-taprio-Add-support-for-frame-preemption-offload.tsn -Patch189: 0039-net-stmmac-set-initial-EEE-policy-configuration.tsn -Patch190: 0040-net-phy-fix-phylib-s-dual-eee_enabled.tsn -Patch191: 0041-net-phy-ensure-that-genphy_c45_an_config_eee_aneg-sees.tsn -Patch192: 0042-net-phy-fix-phy_ethtool_set_eee-incorrectly-enabling-L.tsn -Patch193: 0001-igc-Set-the-RX-packet-buffer-size-for-TSN-mode.tsn -Patch194: 0002-igc-Only-dump-registers-if-configured-to-dump-HW-infor.tsn -Patch195: 0003-ethtool-Add-support-for-configuring-frame-preemption.tsn -Patch196: 0004-ethtool-Add-support-for-Frame-Preemption-verification.tsn -Patch197: 0005-igc-Add-support-for-enabling-frame-preemption-via-etht.tsn -Patch198: 0006-igc-Add-support-for-TC_SETUP_PREEMPT.tsn -Patch199: 0007-igc-Add-support-for-setting-frame-preemption-configura.tsn -Patch200: 0008-igc-Add-support-for-Frame-Preemption-verification.tsn -Patch201: 0009-igc-Add-support-for-exposing-frame-preemption-stats-re.tsn -Patch202: 0010-igc-Optimize-the-packet-buffer-utilization.tsn -Patch203: 0011-igc-Add-support-for-enabling-all-packets-to-be-receive.tsn -Patch204: 0012-igc-Add-support-for-DMA-timestamp-for-non-PTP-packets.tsn -Patch205: 0013-bpf-add-btf-register-unregister-API.tsn -Patch206: 0014-net-core-XDP-metadata-BTF-netlink-API.tsn -Patch207: 0015-rtnetlink-Fix-unchecked-return-value-of-dev_xdp_query_.tsn -Patch208: 0016-rtnetlink-Add-return-value-check.tsn -Patch209: 0017-tools-bpf-Query-XDP-metadata-BTF-ID.tsn -Patch210: 
0018-tools-bpf-Add-xdp-set-command-for-md-btf.tsn -Patch211: 0019-igc-Add-BTF-based-metadata-for-XDP.tsn -Patch212: 0020-igc-Enable-HW-RX-Timestamp-for-AF_XDP-ZC.tsn -Patch213: 0021-igc-Take-care-of-DMA-timestamp-rollover.tsn -Patch214: 0022-igc-Add-SO_TXTIME-for-AF_XDP-ZC.tsn -Patch215: 0023-igc-Reodering-the-empty-packet-buffers-and-descriptors.tsn -Patch216: 0024-Revert-igc-Add-support-for-PTP-.getcyclesx64.tsn -Patch217: 0025-core-Introduce-netdev_tc_map_to_queue_mask.tsn -Patch218: 0026-taprio-Replace-tc_map_to_queue_mask.tsn -Patch219: 0027-mqprio-Add-support-for-frame-preemption-offload.tsn -Patch220: 0030-igc-Reduce-retry-count-to-a-more-reasonable-number.tsn -Patch221: 0001-igc-Enable-HW-TX-Timestamp-for-AF_XDP-ZC.tsn -Patch222: 0002-igc-Enable-trace-for-HW-TX-Timestamp-AF_XDP-ZC.tsn -Patch223: 0003-igc-Remove-the-CONFIG_DEBUG_MISC-condition-for-trace.tsn -Patch224: 0006-Revert-net-stmmac-set-initial-EEE-policy-configurati.tsn -Patch225: 0001-net-phy-Set-eee_cfg.eee_enabled-according-to-PHY.tsn -Patch226: 0001-Revert-net-stmmac-add-FPE-preempt-setting-for-TxQ-pree.tsn -Patch227: 0002-Reapply-net-stmmac-move-stmmac_fpe_cfg-to-stmmac_priv-.tsn -Patch228: 0003-Reapply-net-stmmac-drop-stmmac_fpe_handshake.tsn -Patch229: 0004-Reapply-net-stmmac-refactor-FPE-verification-process.tsn -Patch230: 0005-Reapply-net-stmmac-configure-FPE-via-ethtool-mm.tsn -Patch231: 0006-Reapply-net-stmmac-support-fp-parameter-of-tc-mqprio.tsn -Patch232: 0007-Reapply-net-stmmac-support-fp-parameter-of-tc-taprio.tsn -Patch233: 0008-Reapply-net-stmmac-silence-FPE-kernel-logs.tsn +Patch05001: 0001-net-pcs-xpcs-enable-xpcs-reset-skipping.tsn +Patch05002: 0002-net-stmmac-Bugfix-on-stmmac_interrupt-for-WOL.tsn +Patch05003: 0003-net-phy-increase-gpy-loopback-test-delay.tsn +Patch05004: 0004-net-stmmac-Resolve-poor-line-rate-after-switching-from.tsn +Patch05005: 0005-net-phy-dp83867-perform-restart-AN-after-modifying-AN-.tsn +Patch05006: 
0006-stmmac-intel-Separate-ADL-N-and-RPL-P-device-ID-from-T.tsn +Patch05007: 0007-net-stmmac-Adjust-mac_capabilities-for-Intel-mGbE-2.5G.tsn +Patch05008: 0008-stmmac-intel-skip-xpcs-reset-for-2.5Gbps-on-Intel-Alde.tsn +Patch05009: 0009-net-stmmac-add-check-for-2.5G-mode-to-prevent-MAC-capa.tsn +Patch05010: 0010-stmmac-intel-Enable-PHY-WoL-in-ADL-N.tsn +Patch05011: 0011-net-phy-reconfigure-PHY-WoL-when-WoL-option-is-enabled.tsn +Patch05012: 0012-net-stmmac-fix-MAC-and-phylink-mismatch-issue-after-re.tsn +Patch05013: 0013-net-stmmac-restructure-Rx-Tx-hardware-timestamping-fun.tsn +Patch05014: 0014-net-stmmac-Add-per-packet-time-based-scheduling-for-XD.tsn +Patch05015: 0015-net-stmmac-introduce-AF_XDP-ZC-RX-HW-timestamps.tsn +Patch05016: 0016-net-stmmac-add-fsleep-in-HW-Rx-timestamp-checking-loop.tsn +Patch05017: 0017-net-stmmac-select-PCS-negotiation-mode-according-to-th.tsn +Patch05018: 0018-net-pcs-xpcs-re-initiate-clause-37-Auto-negotiation.tsn +Patch05019: 0019-arch-x86-Add-IPC-mailbox-accessor-function-and-add-SoC.tsn +Patch05020: 0020-net-stmmac-configure-SerDes-according-to-the-interface.tsn +Patch05021: 0021-stmmac-intel-interface-switching-support-for-intel-pla.tsn +Patch05022: 0022-net-stmmac-Set-mac_managed_pm-flag-from-stmmac-to-reso.tsn +Patch05023: 0023-net-phylink-Add-module_exit.tsn +Patch05024: 0024-net-stmmac-introduce-AF_XDP-ZC-TX-HW-timestamps.tsn +Patch05025: 0025-net-sched-taprio-fix-too-early-schedules-switching.tsn +Patch05026: 0026-net-sched-taprio-fix-cycle-time-adjustment-for-next-en.tsn +Patch05027: 0027-net-sched-taprio-fix-impacted-fields-value-during-cycl.tsn +Patch05028: 0028-net-sched-taprio-get-corrected-value-of-cycle_time-and.tsn +Patch05029: 0029-xsk-add-txtime-field-in-xdp_desc-struct.tsn +Patch05030: 0030-Revert-net-stmmac-silence-FPE-kernel-logs.tsn +Patch05031: 0031-Revert-net-stmmac-support-fp-parameter-of-tc-taprio.tsn +Patch05032: 0032-Revert-net-stmmac-support-fp-parameter-of-tc-mqprio.tsn +Patch05033: 
0033-Revert-net-stmmac-configure-FPE-via-ethtool-mm.tsn +Patch05034: 0034-Revert-net-stmmac-refactor-FPE-verification-process.tsn +Patch05035: 0035-Revert-net-stmmac-drop-stmmac_fpe_handshake.tsn +Patch05036: 0036-Revert-net-stmmac-move-stmmac_fpe_cfg-to-stmmac_priv-d.tsn +Patch05037: 0037-net-stmmac-add-FPE-preempt-setting-for-TxQ-preemptible.tsn +Patch05038: 0038-taprio-Add-support-for-frame-preemption-offload.tsn +Patch05039: 0039-net-stmmac-set-initial-EEE-policy-configuration.tsn +Patch05040: 0040-net-phy-fix-phylib-s-dual-eee_enabled.tsn +Patch05041: 0041-net-phy-ensure-that-genphy_c45_an_config_eee_aneg-sees.tsn +Patch05042: 0042-net-phy-fix-phy_ethtool_set_eee-incorrectly-enabling-L.tsn +Patch05043: 0001-igc-Set-the-RX-packet-buffer-size-for-TSN-mode.tsn +Patch05044: 0002-igc-Only-dump-registers-if-configured-to-dump-HW-infor.tsn +Patch05045: 0003-ethtool-Add-support-for-configuring-frame-preemption.tsn +Patch05046: 0004-ethtool-Add-support-for-Frame-Preemption-verification.tsn +Patch05047: 0005-igc-Add-support-for-enabling-frame-preemption-via-etht.tsn +Patch05048: 0006-igc-Add-support-for-TC_SETUP_PREEMPT.tsn +Patch05049: 0007-igc-Add-support-for-setting-frame-preemption-configura.tsn +Patch05050: 0008-igc-Add-support-for-Frame-Preemption-verification.tsn +Patch05051: 0009-igc-Add-support-for-exposing-frame-preemption-stats-re.tsn +Patch05052: 0010-igc-Optimize-the-packet-buffer-utilization.tsn +Patch05053: 0011-igc-Add-support-for-enabling-all-packets-to-be-receive.tsn +Patch05054: 0012-igc-Add-support-for-DMA-timestamp-for-non-PTP-packets.tsn +Patch05055: 0013-bpf-add-btf-register-unregister-API.tsn +Patch05056: 0014-net-core-XDP-metadata-BTF-netlink-API.tsn +Patch05057: 0015-rtnetlink-Fix-unchecked-return-value-of-dev_xdp_query_.tsn +Patch05058: 0016-rtnetlink-Add-return-value-check.tsn +Patch05059: 0017-tools-bpf-Query-XDP-metadata-BTF-ID.tsn +Patch05060: 0018-tools-bpf-Add-xdp-set-command-for-md-btf.tsn +Patch05061: 
0019-igc-Add-BTF-based-metadata-for-XDP.tsn +Patch05062: 0020-igc-Enable-HW-RX-Timestamp-for-AF_XDP-ZC.tsn +Patch05063: 0021-igc-Take-care-of-DMA-timestamp-rollover.tsn +Patch05064: 0022-igc-Add-SO_TXTIME-for-AF_XDP-ZC.tsn +Patch05065: 0023-igc-Reodering-the-empty-packet-buffers-and-descriptors.tsn +Patch05066: 0024-Revert-igc-Add-support-for-PTP-.getcyclesx64.tsn +Patch05067: 0025-core-Introduce-netdev_tc_map_to_queue_mask.tsn +Patch05068: 0026-taprio-Replace-tc_map_to_queue_mask.tsn +Patch05069: 0027-mqprio-Add-support-for-frame-preemption-offload.tsn +Patch05070: 0030-igc-Reduce-retry-count-to-a-more-reasonable-number.tsn +Patch05071: 0001-igc-Enable-HW-TX-Timestamp-for-AF_XDP-ZC.tsn +Patch05072: 0002-igc-Enable-trace-for-HW-TX-Timestamp-AF_XDP-ZC.tsn +Patch05073: 0003-igc-Remove-the-CONFIG_DEBUG_MISC-condition-for-trace.tsn +Patch05074: 0006-Revert-net-stmmac-set-initial-EEE-policy-configurati.tsn +Patch05075: 0001-net-phy-Set-eee_cfg.eee_enabled-according-to-PHY.tsn +Patch05076: 0001-Revert-net-stmmac-add-FPE-preempt-setting-for-TxQ-pree.tsn +Patch05077: 0002-Reapply-net-stmmac-move-stmmac_fpe_cfg-to-stmmac_priv-.tsn +Patch05078: 0003-Reapply-net-stmmac-drop-stmmac_fpe_handshake.tsn +Patch05079: 0004-Reapply-net-stmmac-refactor-FPE-verification-process.tsn +Patch05080: 0005-Reapply-net-stmmac-configure-FPE-via-ethtool-mm.tsn +Patch05081: 0006-Reapply-net-stmmac-support-fp-parameter-of-tc-mqprio.tsn +Patch05082: 0007-Reapply-net-stmmac-support-fp-parameter-of-tc-taprio.tsn +Patch05083: 0008-Reapply-net-stmmac-silence-FPE-kernel-logs.tsn #camera -Patch234: 0001-media-intel-ipu6-remove-buttress-ish-structure.camera -Patch235: 0001-media-i2c-Add-ar0234-camera-sensor-driver.camera -Patch236: 0002-media-i2c-add-support-for-lt6911uxe.camera -Patch237: 0003-INT3472-Support-LT6911UXE.camera -Patch238: 0004-upstream-Use-module-parameter-to-set-isys-freq.camera -Patch239: 0005-upstream-Use-module-parameter-to-set-psys-freq.camera -Patch240: 
0006-media-pci-Enable-ISYS-reset.camera -Patch241: 0007-media-i2c-add-support-for-ar0234-and-lt6911uxe.camera -Patch242: 0008-driver-media-i2c-remove-useless-header-file.camera -Patch243: 0009-media-i2c-update-lt6911uxe-for-upstream-and-bug-fix.camera -Patch244: 0010-media-i2c-add-support-for-lt6911uxc.camera -Patch245: 0011-media-i2c-add-lt6911uxc-driver-and-enable-in-ipu-br.camera -Patch246: 0012-media-pci-intel-psys-driver.camera -Patch247: 0013-media-i2c-Remove-unused-variables-in-Lontium-driver.camera -Patch248: 0001-media-intel-ipu6-remove-buttress-ish-structure-1.camera -Patch249: 0002-media-pci-intel-include-psys-driver.camera -Patch250: 0003-Revert-media-ipu6-use-the-IPU6-DMA-mapping-APIs-to-.camera -Patch251: 0004-Revert-media-ipu6-remove-architecture-DMA-ops-depen.camera -Patch252: 0005-Revert-media-ipu6-not-override-the-dma_ops-of-devic.camera -Patch253: 0001-Reapply-media-ipu6-not-override-the-dma_ops-of-devi.camera -Patch254: 0002-Reapply-media-ipu6-remove-architecture-DMA-ops-depe.camera -Patch255: 0003-Reapply-media-ipu6-use-the-IPU6-DMA-mapping-APIs-to.camera -Patch256: 0001-media-pci-update-IPU6-PSYS-driver.camera -Patch257: 0002-media-i2c-update-lt6911uxc-driver-to-fix-COV-issue.camera -Patch258: 0003-lt6911-2-pads-linked-to-ipu-2-ports-for-split-mode.camera -Patch259: 0004-media-i2c-add-dv_timings-api-in-lt6911uxe.camera -Patch260: 0005-media-intel-ipu6-use-vc1-dma-for-MTL-and-ARL.camera -Patch261: 0006-media-i2c-some-changes-in-lt6911uxe.camera -Patch262: 0001-Revert-media-intel-ipu6-use-vc1-dma-for-MTL-and-ARL.camera -Patch263: 0002-media-i2c-update-format-in-irq-for-lt6911uxe.camera -Patch264: 0003-media-i2c-remove-unused-func-in-lt6911uxe.camera -Patch265: 0001-media-intel-ipu6-use-vc1-dma-for-MTL-and-ARL.camera -Patch266: 0002-media-ipu-Dma-sync-at-buffer_prepare-callback-as-DM.camera -Patch267: 0003-Support-IPU6-ISYS-FW-trace-dump-for-upstream-driver.camera -Patch268: 0004-Support-IPU6-PSYS-FW-trace-dump-for-upstream-driver.camera 
-Patch269: 0005-media-pci-The-order-of-return-buffers-should-be-FIF.camera -Patch270: 0006-media-i2c-fix-power-on-issue-for-on-board-LT6911UXC.camera -Patch271: 0007-media-i2c-fix-power-on-issue-for-on-board-LT6911UXE.camera -Patch272: 0001-media-pci-Modify-enble-disable-stream-in-CSI2.camera -Patch273: 0002-media-pci-Set-the-correct-SOF-for-different-stream.camera -Patch274: 0003-media-pci-support-imx390-for-6.11.0-rc3.camera -Patch275: 0004-i2c-media-fix-cov-issue.camera -Patch276: 0005-mv-ipu-acpi-module-to-linux-drivers.camera -Patch277: 0006-kernel-enable-VC-support-in-v4l2.camera -Patch278: 0007-media-pci-intel-support-PDATA-in-Kconfig-Makefile.camera -Patch279: 0008-media-pci-unregister-i2c-device-to-complete-ext_sub.camera -Patch280: 0009-media-pci-align-params-for-non-MIPI-split-and-split.camera -Patch281: 0010-media-pci-add-missing-if-for-PDATA.camera -Patch282: 0011-media-platform-fix-allyesconfig-build-error.camera -Patch283: 0012-media-pci-refine-PDATA-related-config.camera -Patch284: 0013-kernel-align-ACPI-PDATA-and-ACPI-fwnode-build-for-E.camera -Patch285: 0014-media-i2c-add-gmsl-isx031-support.camera -Patch286: 0015-media-i2c-add-support-for-isx031-max9296.camera -Patch287: 0016-fix-S4-issue-on-TWL.camera -Patch288: 0017-code-changes-for-link-frequency-and-sensor-physical.camera +Patch06001: 0001-media-intel-ipu6-remove-buttress-ish-structure.camera +Patch06002: 0001-media-i2c-Add-ar0234-camera-sensor-driver.camera +Patch06003: 0002-media-i2c-add-support-for-lt6911uxe.camera +Patch06004: 0003-INT3472-Support-LT6911UXE.camera +Patch06005: 0004-upstream-Use-module-parameter-to-set-isys-freq.camera +Patch06006: 0005-upstream-Use-module-parameter-to-set-psys-freq.camera +Patch06007: 0006-media-pci-Enable-ISYS-reset.camera +Patch06008: 0007-media-i2c-add-support-for-ar0234-and-lt6911uxe.camera +Patch06009: 0008-driver-media-i2c-remove-useless-header-file.camera +Patch06010: 0009-media-i2c-update-lt6911uxe-for-upstream-and-bug-fix.camera +Patch06011: 
0010-media-i2c-add-support-for-lt6911uxc.camera +Patch06012: 0011-media-i2c-add-lt6911uxc-driver-and-enable-in-ipu-br.camera +Patch06013: 0012-media-pci-intel-psys-driver.camera +Patch06014: 0013-media-i2c-Remove-unused-variables-in-Lontium-driver.camera +Patch06015: 0001-media-intel-ipu6-remove-buttress-ish-structure-1.camera +Patch06016: 0002-media-pci-intel-include-psys-driver.camera +Patch06017: 0003-Revert-media-ipu6-use-the-IPU6-DMA-mapping-APIs-to-.camera +Patch06018: 0004-Revert-media-ipu6-remove-architecture-DMA-ops-depen.camera +Patch06019: 0005-Revert-media-ipu6-not-override-the-dma_ops-of-devic.camera +Patch06020: 0001-Reapply-media-ipu6-not-override-the-dma_ops-of-devi.camera +Patch06021: 0002-Reapply-media-ipu6-remove-architecture-DMA-ops-depe.camera +Patch06022: 0003-Reapply-media-ipu6-use-the-IPU6-DMA-mapping-APIs-to.camera +Patch06023: 0001-media-pci-update-IPU6-PSYS-driver.camera +Patch06024: 0002-media-i2c-update-lt6911uxc-driver-to-fix-COV-issue.camera +Patch06025: 0003-lt6911-2-pads-linked-to-ipu-2-ports-for-split-mode.camera +Patch06026: 0004-media-i2c-add-dv_timings-api-in-lt6911uxe.camera +Patch06027: 0005-media-intel-ipu6-use-vc1-dma-for-MTL-and-ARL.camera +Patch06028: 0006-media-i2c-some-changes-in-lt6911uxe.camera +Patch06029: 0001-Revert-media-intel-ipu6-use-vc1-dma-for-MTL-and-ARL.camera +Patch06030: 0002-media-i2c-update-format-in-irq-for-lt6911uxe.camera +Patch06031: 0003-media-i2c-remove-unused-func-in-lt6911uxe.camera +Patch06032: 0001-media-intel-ipu6-use-vc1-dma-for-MTL-and-ARL.camera +Patch06033: 0002-media-ipu-Dma-sync-at-buffer_prepare-callback-as-DM.camera +Patch06034: 0003-Support-IPU6-ISYS-FW-trace-dump-for-upstream-driver.camera +Patch06035: 0004-Support-IPU6-PSYS-FW-trace-dump-for-upstream-driver.camera +Patch06036: 0005-media-pci-The-order-of-return-buffers-should-be-FIF.camera +Patch06037: 0006-media-i2c-fix-power-on-issue-for-on-board-LT6911UXC.camera +Patch06038: 
0007-media-i2c-fix-power-on-issue-for-on-board-LT6911UXE.camera +Patch06039: 0001-media-pci-Modify-enble-disable-stream-in-CSI2.camera +Patch06040: 0002-media-pci-Set-the-correct-SOF-for-different-stream.camera +Patch06041: 0003-media-pci-support-imx390-for-6.11.0-rc3.camera +Patch06042: 0004-i2c-media-fix-cov-issue.camera +Patch06043: 0005-mv-ipu-acpi-module-to-linux-drivers.camera +Patch06044: 0006-kernel-enable-VC-support-in-v4l2.camera +Patch06045: 0007-media-pci-intel-support-PDATA-in-Kconfig-Makefile.camera +Patch06046: 0008-media-pci-unregister-i2c-device-to-complete-ext_sub.camera +Patch06047: 0009-media-pci-align-params-for-non-MIPI-split-and-split.camera +Patch06048: 0010-media-pci-add-missing-if-for-PDATA.camera +Patch06049: 0011-media-platform-fix-allyesconfig-build-error.camera +Patch06050: 0012-media-pci-refine-PDATA-related-config.camera +Patch06051: 0013-kernel-align-ACPI-PDATA-and-ACPI-fwnode-build-for-E.camera +Patch06052: 0014-media-i2c-add-gmsl-isx031-support.camera +Patch06053: 0015-media-i2c-add-support-for-isx031-max9296.camera +Patch06054: 0016-fix-S4-issue-on-TWL.camera +Patch06055: 0017-code-changes-for-link-frequency-and-sensor-physical.camera #wwan -Patch289: 0001-Revert-bus-mhi-host-pci_generic-add-support-for-sc828.wwan -Patch290: 0002-wwan-add-SAHARA-device.wwan -Patch291: 0003-bus-mhi-host-allow-SBL-as-initial-EE.wwan -Patch292: 0004-drivers-bus-mhi-let-userspace-manage-xfp-fw-update-st.wwan -Patch293: 0005-wwan-add-NMEA-type.wwan -Patch294: 0006-drivers-bus-mhi-add-FN980-v2-support.wwan -Patch295: 0007-drivers-bus-mhi-add-FN990-NMEA-and-DIAG-in-SBL-device.wwan -Patch296: 0008-drivers-net-wwan-add-simple-DTR-driver.wwan -Patch297: 0009-drivers-bus-mhi-host-fix-recovery-process-when-modem-.wwan -Patch298: 0001-Revert-drivers-bus-mhi-host-fix-recovery-process-when.wwan -Patch299: 0002-Revert-drivers-net-wwan-add-simple-DTR-driver.wwan -Patch300: 0003-Revert-drivers-bus-mhi-add-FN990-NMEA-and-DIAG-in-SBL.wwan -Patch301: 
0004-Revert-drivers-bus-mhi-add-FN980-v2-support.wwan -Patch302: 0005-Revert-wwan-add-NMEA-type.wwan -Patch303: 0006-Revert-drivers-bus-mhi-let-userspace-manage-xfp-fw-up.wwan -Patch304: 0007-Revert-bus-mhi-host-allow-SBL-as-initial-EE.wwan -Patch305: 0008-Revert-wwan-add-SAHARA-device.wwan -Patch306: 0009-Revert-Revert-bus-mhi-host-pci_generic-add-support-fo.wwan +Patch07001: 0001-Revert-bus-mhi-host-pci_generic-add-support-for-sc828.wwan +Patch07002: 0002-wwan-add-SAHARA-device.wwan +Patch07003: 0003-bus-mhi-host-allow-SBL-as-initial-EE.wwan +Patch07004: 0004-drivers-bus-mhi-let-userspace-manage-xfp-fw-update-st.wwan +Patch07005: 0005-wwan-add-NMEA-type.wwan +Patch07006: 0006-drivers-bus-mhi-add-FN980-v2-support.wwan +Patch07007: 0007-drivers-bus-mhi-add-FN990-NMEA-and-DIAG-in-SBL-device.wwan +Patch07008: 0008-drivers-net-wwan-add-simple-DTR-driver.wwan +Patch07009: 0009-drivers-bus-mhi-host-fix-recovery-process-when-modem-.wwan +Patch07010: 0001-Revert-drivers-bus-mhi-host-fix-recovery-process-when.wwan +Patch07011: 0002-Revert-drivers-net-wwan-add-simple-DTR-driver.wwan +Patch07012: 0003-Revert-drivers-bus-mhi-add-FN990-NMEA-and-DIAG-in-SBL.wwan +Patch07013: 0004-Revert-drivers-bus-mhi-add-FN980-v2-support.wwan +Patch07014: 0005-Revert-wwan-add-NMEA-type.wwan +Patch07015: 0006-Revert-drivers-bus-mhi-let-userspace-manage-xfp-fw-up.wwan +Patch07016: 0007-Revert-bus-mhi-host-allow-SBL-as-initial-EE.wwan +Patch07017: 0008-Revert-wwan-add-SAHARA-device.wwan +Patch07018: 0009-Revert-Revert-bus-mhi-host-pci_generic-add-support-fo.wwan #pmc_core -Patch307: 0001-platform-x86-intel-pmc-Add-Arrow-Lake-U-H-support.pmc_core -Patch308: 0002-platform-x86-intel-pmc-Add-Bartlett-Lake-support-to-.pmc_core -Patch309: 0001-platform-x86-intel-pmc-Fix-Arrow-Lake-U-H-NPU-PCI.pmc_core +Patch08001: 0001-platform-x86-intel-pmc-Add-Arrow-Lake-U-H-support.pmc_core +Patch08002: 0002-platform-x86-intel-pmc-Add-Bartlett-Lake-support-to-.pmc_core +Patch08003: 
0001-platform-x86-intel-pmc-Fix-Arrow-Lake-U-H-NPU-PCI.pmc_core #lpss -Patch310: 0001-Added-spi_set_cs-for-more-stable-r-w-operations-in-S.lpss -Patch311: 0002-mtd-core-Don-t-fail-mtd_device_parse_register-if-OTP.lpss -Patch312: 0003-spi-intel-pci-Add-support-for-Arrow-Lake-H-SPI-seria.lpss -Patch313: 0004-spi-intel-Add-protected-and-locked-attributes.lpss +Patch09001: 0001-Added-spi_set_cs-for-more-stable-r-w-operations-in-S.lpss +Patch09002: 0002-mtd-core-Don-t-fail-mtd_device_parse_register-if-OTP.lpss +Patch09003: 0003-spi-intel-pci-Add-support-for-Arrow-Lake-H-SPI-seria.lpss +Patch09004: 0004-spi-intel-Add-protected-and-locked-attributes.lpss #preempt_rt patches backported -Patch314: 0001-Revert-sched-core-Remove-the-unnecessary-need_resche.rt -Patch315: 0001-hrtimer-Use-__raise_softirq_irqoff-to-raise-the-softirq.rt -Patch316: 0002-timers-Use-__raise_softirq_irqoff-to-raise-the-softirq.rt -Patch317: 0003-softirq-Use-a-dedicated-thread-for-timer-wakeups-on-PRE.rt -Patch318: 0004-serial-8250-Switch-to-nbcon-console.rt -Patch319: 0005-serial-8250-Revert-drop-lockdep-annotation-from-serial8.rt -Patch320: 0006-locking-rt-Remove-one-__cond_lock-in-RT-s-spin_trylock_.rt -Patch321: 0007-locking-rt-Add-sparse-annotation-for-RCU.rt -Patch322: 0008-locking-rt-Annotate-unlock-followed-by-lock-for-sparse.rt -Patch323: 0009-drm-i915-Use-preempt_disable-enable_rt-where-recommende.rt -Patch324: 0010-drm-i915-Don-t-disable-interrupts-on-PREEMPT_RT-during-.rt -Patch325: 0011-drm-i915-Don-t-check-for-atomic-context-on-PREEMPT_RT.rt -Patch326: 0012-drm-i915-Disable-tracing-points-on-PREEMPT_RT.rt -Patch327: 0013-drm-i915-gt-Use-spin_lock_irq-instead-of-local_irq_disa.rt -Patch328: 0014-drm-i915-Drop-the-irqs_disabled-check.rt -Patch329: 0015-drm-i915-guc-Consider-also-RCU-depth-in-busy-loop.rt -Patch330: 0016-Revert-drm-i915-Depend-on-PREEMPT_RT.rt -Patch331: 0017-sched-Add-TIF_NEED_RESCHED_LAZY-infrastructure.rt -Patch332: 0018-sched-Add-Lazy-preemption-model.rt -Patch333: 
0019-sched-Enable-PREEMPT_DYNAMIC-for-PREEMPT_RT.rt -Patch334: 0020-sched-x86-Enable-Lazy-preemption.rt -Patch335: 0021-sched-Add-laziest-preempt-model.rt -Patch336: 0022-sched-Fixup-the-IS_ENABLED-check-for-PREEMPT_LAZY.rt -Patch337: 0023-tracing-Remove-TRACE_FLAG_IRQS_NOSUPPORT.rt -Patch338: 0024-tracing-Record-task-flag-NEED_RESCHED_LAZY.rt -Patch339: 0025-sysfs-Add-sys-kernel-realtime-entry.rt -Patch340: 0001-serial-8250-enable-original-console-by-default.rt -Patch341: 0001-kernel-trace-Add-DISALLOW_TRACE_PRINTK-make-option.rt -Patch342: 0002-Revert-scripts-remove-bin2c.rt -Patch343: 0003-extend-uio-driver-to-supports-msix.rt -Patch344: 0004-virtio-add-VIRTIO_PMD-support.rt -Patch345: 0005-virt-acrn-Introduce-interfaces-for-PIO-device.rt -Patch346: 0006-Add-hypercall-to-access-MSR.rt -Patch347: 0007-Revert-spi-Remove-unused-function-spi_busnum_to_master.rt -Patch348: 0008-igc-add-CONFIG_IGC_TSN_TRACE-conditional-trace_printk-u.rt -Patch349: 0009-stmmac_pci-add-CONFIG_STMMAC_TSN_TRACE-conditional-trac.rt -Patch350: 0010-igb-prepare-for-AF_XDP-zero-copy-support.rt -Patch351: 0011-igb-Introduce-XSK-data-structures-and-helpers.rt -Patch352: 0012-igb-add-AF_XDP-zero-copy-Rx-support.rt -Patch353: 0013-igb-add-AF_XDP-zero-copy-Tx-support.rt -Patch354: 0014-igb-Add-BTF-based-metadata-for-XDP.rt -Patch355: 0015-ANDROID-trace-power-add-trace_clock_set_parent.rt -Patch356: 0016-ANDROID-trace-net-use-pK-for-kernel-pointers.rt -Patch357: 0017-ANDROID-trace-add-non-hierarchical-function_graph-optio.rt -Patch358: 0018-virtio-fix-VIRTIO_PMD-support.rt -Patch359: 0019-drm-i915-add-i915-perf-event-capacity.rt -Patch360: 0020-drm-xe-pm-allow-xe-with-CONFIG_PM.rt +Patch09005: 0001-Revert-sched-core-Remove-the-unnecessary-need_resche.rt +Patch09006: 0001-hrtimer-Use-__raise_softirq_irqoff-to-raise-the-softirq.rt +Patch09007: 0002-timers-Use-__raise_softirq_irqoff-to-raise-the-softirq.rt +Patch09008: 0003-softirq-Use-a-dedicated-thread-for-timer-wakeups-on-PRE.rt +Patch09009: 
0004-serial-8250-Switch-to-nbcon-console.rt +Patch09010: 0005-serial-8250-Revert-drop-lockdep-annotation-from-serial8.rt +Patch09011: 0006-locking-rt-Remove-one-__cond_lock-in-RT-s-spin_trylock_.rt +Patch09012: 0007-locking-rt-Add-sparse-annotation-for-RCU.rt +Patch09013: 0008-locking-rt-Annotate-unlock-followed-by-lock-for-sparse.rt +Patch09014: 0009-drm-i915-Use-preempt_disable-enable_rt-where-recommende.rt +Patch09015: 0010-drm-i915-Don-t-disable-interrupts-on-PREEMPT_RT-during-.rt +Patch09016: 0011-drm-i915-Don-t-check-for-atomic-context-on-PREEMPT_RT.rt +Patch09017: 0012-drm-i915-Disable-tracing-points-on-PREEMPT_RT.rt +Patch09018: 0013-drm-i915-gt-Use-spin_lock_irq-instead-of-local_irq_disa.rt +Patch09019: 0014-drm-i915-Drop-the-irqs_disabled-check.rt +Patch09020: 0015-drm-i915-guc-Consider-also-RCU-depth-in-busy-loop.rt +Patch09021: 0016-Revert-drm-i915-Depend-on-PREEMPT_RT.rt +Patch09022: 0017-sched-Add-TIF_NEED_RESCHED_LAZY-infrastructure.rt +Patch09023: 0018-sched-Add-Lazy-preemption-model.rt +Patch09024: 0019-sched-Enable-PREEMPT_DYNAMIC-for-PREEMPT_RT.rt +Patch09025: 0020-sched-x86-Enable-Lazy-preemption.rt +Patch09026: 0021-sched-Add-laziest-preempt-model.rt +Patch09027: 0022-sched-Fixup-the-IS_ENABLED-check-for-PREEMPT_LAZY.rt +Patch09028: 0023-tracing-Remove-TRACE_FLAG_IRQS_NOSUPPORT.rt +Patch09029: 0024-tracing-Record-task-flag-NEED_RESCHED_LAZY.rt +Patch09030: 0025-sysfs-Add-sys-kernel-realtime-entry.rt +Patch09031: 0001-serial-8250-enable-original-console-by-default.rt +Patch09032: 0001-kernel-trace-Add-DISALLOW_TRACE_PRINTK-make-option.rt +Patch09033: 0002-Revert-scripts-remove-bin2c.rt +Patch09034: 0003-extend-uio-driver-to-supports-msix.rt +Patch09035: 0004-virtio-add-VIRTIO_PMD-support.rt +Patch09036: 0005-virt-acrn-Introduce-interfaces-for-PIO-device.rt +Patch09037: 0006-Add-hypercall-to-access-MSR.rt +Patch09038: 0007-Revert-spi-Remove-unused-function-spi_busnum_to_master.rt +Patch09039: 
0008-igc-add-CONFIG_IGC_TSN_TRACE-conditional-trace_printk-u.rt +Patch09040: 0009-stmmac_pci-add-CONFIG_STMMAC_TSN_TRACE-conditional-trac.rt +Patch09041: 0010-igb-prepare-for-AF_XDP-zero-copy-support.rt +Patch09042: 0011-igb-Introduce-XSK-data-structures-and-helpers.rt +Patch09043: 0012-igb-add-AF_XDP-zero-copy-Rx-support.rt +Patch09044: 0013-igb-add-AF_XDP-zero-copy-Tx-support.rt +Patch09045: 0014-igb-Add-BTF-based-metadata-for-XDP.rt +Patch09046: 0015-ANDROID-trace-power-add-trace_clock_set_parent.rt +Patch09047: 0016-ANDROID-trace-net-use-pK-for-kernel-pointers.rt +Patch09048: 0017-ANDROID-trace-add-non-hierarchical-function_graph-optio.rt +Patch09049: 0018-virtio-fix-VIRTIO_PMD-support.rt +Patch09050: 0019-drm-i915-add-i915-perf-event-capacity.rt +Patch09051: 0020-drm-xe-pm-allow-xe-with-CONFIG_PM.rt #drm -Patch361: 0001-drm-i915-enable-guc-submission-for-ADLs-by-default.drm -Patch362: 0001-drm-i915-disable-a-couple-of-RT-functions-if-RT-is-d.drm -Patch363: 0001-drm-i915-disable-dGPU-support-with-RT-kernel.drm -Patch364: 0001-i915-Update-GUC-to-v70.44.1-for-i915-platforms.drm -Patch365: 0001-Revert-drm-i915-disable-dGPU-support-with-RT-kernel.drm -Patch366: 0001-drm-i915-gt-Avoid-using-masked-workaround-for-CCS_MODE.drm -Patch367: 0002-drm-i915-gt-Move-the-CCS-mode-variable-to-a-global-pos.drm -Patch368: 0003-drm-i915-gt-Allow-the-creation-of-multi-mode-CCS-masks.drm -Patch369: 0004-drm-i915-gt-Refactor-uabi-engine-class-instance-list-c.drm -Patch370: 0005-drm-i915-gem-Mark-and-verify-UABI-engine-validity.drm -Patch371: 0006-drm-i915-gt-Introduce-for_each_enabled_engine-and-appl.drm -Patch372: 0007-drm-i915-gt-Manage-CCS-engine-creation-within-UABI-exp.drm -Patch373: 0008-drm-i915-gt-Remove-cslices-mask-value-from-the-CCS-str.drm -Patch374: 0009-drm-i915-gt-Expose-the-number-of-total-CCS-slices.drm -Patch375: 0010-drm-i915-gt-Store-engine-related-sysfs-kobjects.drm -Patch376: 0011-drm-i915-gt-Store-active-CCS-mask.drm -Patch377: 
0012-drm-i915-Protect-access-to-the-UABI-engines-list-with-.drm -Patch378: 0013-drm-i915-gt-Isolate-single-sysfs-engine-file-creation.drm -Patch379: 0014-drm-i915-gt-Implement-creation-and-removal-routines-fo.drm -Patch380: 0015-drm-i915-gt-Allow-the-user-to-change-the-CCS-mode-thro.drm -Patch381: 0016-drm-i915-gt-Refactor-CCS-mode-handling-and-improve-app.drm -Patch382: 0017-drm-i915-no-waiting-for-page-flip-in-vpp-case.drm -Patch383: 0001-Remove-unneeded-files.patch -Patch384: 0001-i915-gt-Upgrade-GuC-70.44.1-70.49.4.drm -Patch385: 0001-drm-i915-no-force-probe-needed-for-mtl-platform.drm +Patch10001: 0001-drm-i915-enable-guc-submission-for-ADLs-by-default.drm +Patch10002: 0001-drm-i915-disable-a-couple-of-RT-functions-if-RT-is-d.drm +Patch10003: 0001-drm-i915-disable-dGPU-support-with-RT-kernel.drm +Patch10004: 0001-i915-Update-GUC-to-v70.44.1-for-i915-platforms.drm +Patch10005: 0001-Revert-drm-i915-disable-dGPU-support-with-RT-kernel.drm +Patch10006: 0001-drm-i915-gt-Avoid-using-masked-workaround-for-CCS_MODE.drm +Patch10007: 0002-drm-i915-gt-Move-the-CCS-mode-variable-to-a-global-pos.drm +Patch10008: 0003-drm-i915-gt-Allow-the-creation-of-multi-mode-CCS-masks.drm +Patch10009: 0004-drm-i915-gt-Refactor-uabi-engine-class-instance-list-c.drm +Patch10010: 0005-drm-i915-gem-Mark-and-verify-UABI-engine-validity.drm +Patch10011: 0006-drm-i915-gt-Introduce-for_each_enabled_engine-and-appl.drm +Patch10012: 0007-drm-i915-gt-Manage-CCS-engine-creation-within-UABI-exp.drm +Patch10013: 0008-drm-i915-gt-Remove-cslices-mask-value-from-the-CCS-str.drm +Patch10014: 0009-drm-i915-gt-Expose-the-number-of-total-CCS-slices.drm +Patch10015: 0010-drm-i915-gt-Store-engine-related-sysfs-kobjects.drm +Patch10016: 0011-drm-i915-gt-Store-active-CCS-mask.drm +Patch10017: 0012-drm-i915-Protect-access-to-the-UABI-engines-list-with-.drm +Patch10018: 0013-drm-i915-gt-Isolate-single-sysfs-engine-file-creation.drm +Patch10019: 0014-drm-i915-gt-Implement-creation-and-removal-routines-fo.drm 
+Patch10020: 0015-drm-i915-gt-Allow-the-user-to-change-the-CCS-mode-thro.drm +Patch10021: 0016-drm-i915-gt-Refactor-CCS-mode-handling-and-improve-app.drm +Patch10022: 0017-drm-i915-no-waiting-for-page-flip-in-vpp-case.drm +Patch10023: 0001-Remove-unneeded-files.patch +Patch10024: 0001-i915-gt-Upgrade-GuC-70.44.1-70.49.4.drm +Patch10025: 0001-drm-i915-no-force-probe-needed-for-mtl-platform.drm #rapl -Patch386: 0001-powercap-intel_rapl-Add-support-for-Bartlett-Lake-pl.rapl +Patch11001: 0001-powercap-intel_rapl-Add-support-for-Bartlett-Lake-pl.rapl #misc -Patch387: 0001-Add-security.md-file.misc +Patch12001: 0001-Add-security.md-file.misc #iommu -Patch388: 0001-driver-core-add-a-faux-bus-for-use-when-a-simple-dev.iommu -Patch389: 0002-iommu-io-pgtable-arm-dynamically-allocate-selftest-d.iommu +Patch13001: 0001-driver-core-add-a-faux-bus-for-use-when-a-simple-dev.iommu +Patch13002: 0002-iommu-io-pgtable-arm-dynamically-allocate-selftest-d.iommu #emt-drm -Patch390: 0075-drm-xe-gsc-mei-interrupt-top-half-should-be-in-irq-d.patch #CVE-2025-21709 -Patch391: CVE-2025-21709.patch +Patch15001: CVE-2025-21709.patch #CVE-2025-21817 -Patch392: CVE-2025-21817.patch +Patch15002: CVE-2025-21817.patch #CVE-2025-22104 -Patch393: CVE-2025-22104.patch +Patch15003: CVE-2025-22104.patch #CVE-2025-22108 -Patch394: CVE-2025-22108.patch - -#CVE-2025-22111 -Patch395: CVE-2025-22111.patch +Patch15004: CVE-2025-22108.patch #CVE-2025-22116 -Patch396: CVE-2025-22116.patch +Patch15005: CVE-2025-22116.patch #CVE-2025-22117 -Patch397: CVE-2025-22117.patch +Patch15006: CVE-2025-22117.patch #CVE-2025-23131 -Patch398: CVE-2025-23131.patch +Patch15007: CVE-2025-23131.patch #CVE-2025-37746 -Patch399: CVE-2025-37746.patch -Patch400: CVE-2025-37746-1.patch +Patch15008: CVE-2025-37746.patch +Patch15009: CVE-2025-37746-1.patch #CVE-2025-37906 -Patch401: CVE-2025-37906.patch +Patch15010: CVE-2025-37906.patch #CVE-2025-38041 -Patch402: CVE-2025-38041.patch -Patch403: CVE-2025-38041-1.patch -Patch404: 
CVE-2025-38041-2.patch +Patch15011: CVE-2025-38041.patch +Patch15012: CVE-2025-38041-1.patch +Patch15013: CVE-2025-38041-2.patch #CVE-2025-38029 -Patch405: CVE-2025-38029.patch +Patch15014: CVE-2025-38029.patch #CVE-2025-38311 -Patch406: CVE-2025-38311.patch - -#CVE-2025-38248 -Patch407: CVE-2025-38248.patch - -#CVE-2025-38234 -Patch408: CVE-2025-38234.patch +Patch15015: CVE-2025-38311.patch #CVE-2025-38207 -Patch409: CVE-2025-38207.patch +Patch15016: CVE-2025-38207.patch #CVE-2025-38137 -Patch410: CVE-2025-38137.patch - -#CVE-2025-40325 -Patch411: CVE-2025-40325.patch +Patch15017: CVE-2025-38137.patch #CVE-2025-38284 -Patch412: CVE-2025-38284.patch -Patch413: CVE-2025-38284-1.patch -Patch414: CVE-2025-38284-2.patch +Patch15018: CVE-2025-38284.patch +Patch15019: CVE-2025-38284-1.patch +Patch15020: CVE-2025-38284-2.patch #CVE-2025-38199 -Patch415: CVE-2025-38199.patch +Patch15021: CVE-2025-38199.patch #CVE-2025-38140 -Patch416: CVE-2025-38140.patch +Patch15022: CVE-2025-38140.patch #CVE-2025-38132 -Patch417: CVE-2025-38132.patch -Patch418: CVE-2025-38132-1.patch +Patch15023: CVE-2025-38132.patch +Patch15024: CVE-2025-38132-1.patch #CVE-2025-37743 -Patch419: CVE-2025-37743.patch +Patch15025: CVE-2025-37743.patch #CVE-2025-23132 -Patch420: CVE-2025-23132.patch +Patch15026: CVE-2025-23132.patch #CVE-2025-22127 -Patch421: CVE-2025-22127.patch +Patch15027: CVE-2025-22127.patch #CVE-2025-22109 -Patch422: CVE-2025-22109.patch +Patch15028: CVE-2025-22109.patch #CVE-2025-21752 -Patch423: CVE-2025-21752.patch -Patch424: CVE-2025-21752-1.patch +Patch15029: CVE-2025-21752.patch +Patch15030: CVE-2025-21752-1.patch #CVE-2024-58095 -Patch425: CVE-2024-58095.patch +Patch15031: CVE-2024-58095.patch #CVE-2024-58094 -Patch426: CVE-2024-58094.patch +Patch15032: CVE-2024-58094.patch #CVE-2024-52560 -Patch427: CVE-2024-52560.patch -Patch428: CVE-2024-52560-1.patch +Patch15033: CVE-2024-52560.patch +Patch15034: CVE-2024-52560-1.patch #CVE-2025-38621 -Patch429: CVE-2025-38621.patch 
+Patch15035: CVE-2025-38621.patch #CVE-2025-38627 -Patch430: CVE-2025-38627.patch +Patch15036: CVE-2025-38627.patch #CVE-2025-39789 -Patch431: CVE-2025-39789.patch +Patch15037: CVE-2025-39789.patch #CVE-2025-39764 -Patch432: CVE-2025-39764.patch +Patch15038: CVE-2025-39764.patch #CVE-2025-39745 -Patch433: CVE-2025-39745.patch +Patch15039: CVE-2025-39745.patch #CVE-2025-39677 -Patch434: CVE-2025-39677.patch +Patch15040: CVE-2025-39677.patch #CVE-2025-39933 -Patch435: CVE-2025-39933.patch +Patch15041: CVE-2025-39933.patch #CVE-2025-39833 -Patch436: CVE-2025-39833.patch +Patch15042: CVE-2025-39833.patch #CVE-2025-39925 -Patch437: CVE-2025-39925.patch +Patch15043: CVE-2025-39925.patch #CVE-2025-39905 -Patch438: CVE-2025-39905.patch +Patch15044: CVE-2025-39905.patch #CVE-2025-39859 -Patch439: CVE-2025-39859.patch +Patch15045: CVE-2025-39859.patch #CVE-2025-39910 -Patch440: CVE-2025-39910.patch +Patch15046: CVE-2025-39910.patch #CVE-2025-40098 -Patch441: CVE-2025-40098.patch - -#CVE-2025-40075 -Patch442: CVE-2025-40075.patch -Patch443: CVE-2025-40075-1.patch +Patch15047: CVE-2025-40098.patch #CVE-2025-40074 -Patch444: CVE-2025-40074.patch +Patch15048: CVE-2025-40074.patch #CVE-2025-40064 -Patch445: CVE-2025-40064.patch +Patch15049: CVE-2025-40064.patch #CVE-2025-40086 -Patch446: CVE-2025-40086.patch -Patch447: CVE-2025-40086-1.patch +Patch15050: CVE-2025-40086.patch +Patch15051: CVE-2025-40086-1.patch #CVE-2025-40168 -Patch448: CVE-2025-40168.patch - -#CVE-2025-40170 -Patch449: CVE-2025-40170.patch - -#CVE-2025-40164 -Patch450: CVE-2025-40164.patch - -#CVE-2025-40158 -Patch451: CVE-2025-40158.patch - -#CVE-2025-40149 -Patch452: CVE-2025-40149.patch +Patch15052: CVE-2025-40168.patch #CVE-2025-40147 -Patch453: CVE-2025-40147.patch +Patch15053: CVE-2025-40147.patch #CVE-2025-40139 -Patch454: CVE-2025-40139.patch +Patch15054: CVE-2025-40139.patch #CVE-2025-40136 -Patch455: CVE-2025-40136.patch - -#CVE-2025-40135 -Patch456: CVE-2025-40135.patch +Patch15055: 
CVE-2025-40136.patch #CVE-2025-40130 -Patch457: CVE-2025-40130.patch +Patch15056: CVE-2025-40130.patch #CVE-2025-38656 -Patch458: CVE-2025-38656.patch -Patch459: CVE-2025-38656-2.patch - -#CVE-2025-38591 -Patch460: CVE-2025-38591.patch +Patch15057: CVE-2025-38656.patch +Patch15058: CVE-2025-38656-2.patch #CVE-2025-38584 -Patch461: CVE-2025-38584.patch - -#CVE-2025-40215 -Patch462: CVE-2025-40215.patch +Patch15059: CVE-2025-38584.patch #CVE-2025-68749 -Patch463: CVE-2025-68749.patch +Patch15060: CVE-2025-68749.patch #CVE-2025-68745 -Patch464: CVE-2025-68745.patch - -#CVE-2025-68744 -Patch465: CVE-2025-68744.patch - -#CVE-2025-68742 -Patch466: CVE-2025-68742.patch - -#CVE-2025-68741 -Patch467: CVE-2025-68741.patch +Patch15061: CVE-2025-68745.patch #CVE-2025-68736 -Patch468: CVE-2025-68736.patch - -#CVE-2025-68733 -Patch469: CVE-2025-68733.patch - -#CVE-2025-68740 -Patch470: CVE-2025-68740.patch +Patch15062: CVE-2025-68736.patch #CVE-2025-68725 -Patch471: CVE-2025-68725.patch - -#CVE-2025-68379 -Patch472: CVE-2025-68379.patch - -#CVE-2025-68732 -Patch473: CVE-2025-68732.patch - -#CVE-2025-68354 -Patch474: CVE-2025-68354.patch - -#CVE-2025-68357 -Patch475: CVE-2025-68357.patch - -#CVE-2025-68724 -Patch476: CVE-2025-68724.patch +Patch15063: CVE-2025-68725.patch #CVE-2025-68358 -Patch477: CVE-2025-68358.patch +Patch15064: CVE-2025-68358.patch #CVE-2025-68359 -Patch478: CVE-2025-68359.patch - -#CVE-2025-68363 -Patch479: CVE-2025-68363.patch - -#CVE-2025-68366 -Patch480: CVE-2025-68366.patch +Patch15065: CVE-2025-68359.patch #CVE-2025-68368 -Patch481: CVE-2025-68368.patch - -#CVE-2025-68372 -Patch482: CVE-2025-68372.patch - -#CVE-2025-68374 -Patch483: CVE-2025-68374.patch - -#CVE-2025-68378 -Patch484: CVE-2025-68378.patch - -#CVE-2025-68337 -Patch485: CVE-2025-68337.patch - -#CVE-2025-68345 -Patch486: CVE-2025-68345.patch - -#CVE-2025-68346 -Patch487: CVE-2025-68346.patch - -#CVE-2025-68347 -Patch488: CVE-2025-68347.patch - -#CVE-2025-68348 -Patch489: CVE-2025-68348.patch 
- -#CVE-2025-68349 -Patch490: CVE-2025-68349.patch +Patch15066: CVE-2025-68368.patch #CVE-2025-68353 -Patch491: CVE-2025-68353.patch - -#CVE-2025-68371 -Patch492: CVE-2025-68371.patch - -#CVE-2025-68261 -Patch493: CVE-2025-68261.patch +Patch15067: CVE-2025-68353.patch -#CVE-2025-68263 -Patch494: CVE-2025-68263.patch +#CVE-2025-68319 +Patch15068: CVE-2025-68319.patch -#CVE-2025-68264 -Patch495: CVE-2025-68264.patch +#CVE-2025-68333 +Patch15069: CVE-2025-68333.patch -#CVE-2025-68265 -Patch496: CVE-2025-68265.patch +#CVE-2025-68193 +Patch15070: CVE-2025-68193.patch -#CVE-2025-68319 -Patch497: CVE-2025-68319.patch +#CVE-2025-40355 +Patch15071: CVE-2025-40355.patch -#CVE-2025-68333 -Patch498: CVE-2025-68333.patch +#CVE-2025-40338 +Patch15072: CVE-2025-40338.patch -#CVE-2025-68336 -Patch499: CVE-2025-68336.patch +#CVE-2026-23004 +Patch15073: CVE-2026-23004.patch -#CVE-2025-68259 -Patch500: CVE-2025-68259.patch +#CVE-2026-22981 +Patch15074: CVE-2026-22981.patch -#CVE-2025-68256 -Patch501: CVE-2025-68256.patch +#CVE-2026-22985 +Patch15075: CVE-2026-22985.patch +Patch15076: CVE-2026-22985_2.patch -#CVE-2025-68255 -Patch502: CVE-2025-68255.patch +#CVE-2026-22993 +Patch15077: CVE-2026-22993.patch -#CVE-2025-68254 -Patch503: CVE-2025-68254.patch +#CVE-2025-71161 +Patch15078: CVE-2025-71161.patch -#CVE-2025-68206 -Patch504: CVE-2025-68206.patch +#CVE-2025-68823 +Patch15079: CVE-2025-68823.patch -#CVE-2025-68193 -Patch505: CVE-2025-68193.patch +#CVE-2025-71074 +Patch15080: CVE-2025-71074.patch -#CVE-2025-40355 -Patch506: CVE-2025-40355.patch +#CVE-2025-68768 +Patch15081: CVE-2025-68768.patch -#CVE-2025-40338 -Patch507: CVE-2025-40338.patch -# CVE Patches +# End of Patch Section %global security_hardening none %global sha512hmac bash %{_sourcedir}/sha512hmac-openssl.sh 
@@ -902,8 +794,8 @@ manipulation of eBPF programs and maps. %prep %define _default_patch_flags -p1 --fuzz=3 --force -%setup -q -n linux-6.12.61 -%autosetup -p1 -n linux-6.12.61 +%setup -q -n linux-6.12.67 +%autosetup -p1 -n linux-6.12.67 # %patch 0 -p1 make mrproper @@ -1149,6 +1041,10 @@ echo "initrd of kernel %{uname_r} removed" >&2 %{_sysconfdir}/bash_completion.d/bpftool %changelog +* Thu Feb 05 2026 Lishan Liu - 6.12.67-1 +- Update kernel to 6.12.67-1 +- lts-v6.12.67-emt-cve-260128T180434Z + * Fri Jan 9 2026 Lishan Liu - 6.12.61-2 - Update kernel to 6.12.61-2 - lts-v6.12.61-emt-cve-260106T193826Z diff --git a/SPECS/kernel/series b/SPECS/kernel/series index e5876384f2..7723f860a2 100644 --- a/SPECS/kernel/series +++ b/SPECS/kernel/series @@ -1,5 +1,5 @@ -# Series file for v6.12.61 linux kernel -# dcbeffaf66d03 Linux 6.12.61 +# Series file for v6.12.67 linux kernel +# abf529abd660d Linux 6.12.67 #sriov 0001-drm-i915-mtl-Add-C10-table-for-HDMI-Clock-25175.sriov 0002-drm-i915-mtl-Copy-c10-phy-pll-sw-state-from-master-t.sriov @@ -405,7 +405,6 @@ 0001-driver-core-add-a-faux-bus-for-use-when-a-simple-dev.iommu 0002-iommu-io-pgtable-arm-dynamically-allocate-selftest-d.iommu #emt-drm -0075-drm-xe-gsc-mei-interrupt-top-half-should-be-in-irq-d.patch #CVE-2025-21709 CVE-2025-21709.patch @@ -418,9 +417,6 @@ CVE-2025-22104.patch #CVE-2025-22108 CVE-2025-22108.patch -#CVE-2025-22111 -CVE-2025-22111.patch - #CVE-2025-22116 CVE-2025-22116.patch @@ -448,21 +444,12 @@ CVE-2025-38029.patch #CVE-2025-38311 CVE-2025-38311.patch -#CVE-2025-38248 -CVE-2025-38248.patch - -#CVE-2025-38234 -CVE-2025-38234.patch - #CVE-2025-38207 CVE-2025-38207.patch #CVE-2025-38137 CVE-2025-38137.patch -#CVE-2025-40325 -CVE-2025-40325.patch - #CVE-2025-38284 CVE-2025-38284.patch CVE-2025-38284-1.patch @@ -543,10 +530,6 @@ CVE-2025-39910.patch #CVE-2025-40098 CVE-2025-40098.patch -#CVE-2025-40075 -CVE-2025-40075.patch -CVE-2025-40075-1.patch - #CVE-2025-40074 CVE-2025-40074.patch 
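Review bot: In the `%prep` hunk (`@@ -902,8 +794,8 @@`) the patch stack is now applied to `linux-6.12.67` while the context line `%define _default_patch_flags -p1 --fuzz=3 --force` stays in effect, so a retained backport whose surrounding code changed between 6.12.61 and 6.12.67 can still apply without failing the build. Fuzz 3 lets a hunk land with up to three context lines ignored, and `--force` skips the reversed-or-already-applied prompt, so a clean build does not show that each retained CVE fix landed where intended or is still needed on the new base. I would confirm the retained patches apply with zero fuzz against the new tree, for example with a one-off build using `%define _default_patch_flags -p1 --fuzz=0`, and record the result in the pull request. Separately, `%setup -q -n linux-6.12.67` followed by `%autosetup -p1 -n linux-6.12.67` appears to unpack the tarball twice; presumably only the `%autosetup` line is needed.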
@@ -560,18 +543,6 @@ CVE-2025-40086-1.patch #CVE-2025-40168 CVE-2025-40168.patch -#CVE-2025-40170 -CVE-2025-40170.patch - -#CVE-2025-40164 -CVE-2025-40164.patch - -#CVE-2025-40158 -CVE-2025-40158.patch - -#CVE-2025-40149 -CVE-2025-40149.patch - #CVE-2025-40147 CVE-2025-40147.patch @@ -581,9 +552,6 @@ CVE-2025-40139.patch #CVE-2025-40136 CVE-2025-40136.patch -#CVE-2025-40135 -CVE-2025-40135.patch - #CVE-2025-40130 CVE-2025-40130.patch 
@@ -591,141 +559,39 @@ CVE-2025-40130.patch CVE-2025-38656.patch CVE-2025-38656-2.patch -#CVE-2025-38591 -CVE-2025-38591.patch - #CVE-2025-38584 CVE-2025-38584.patch -#CVE-2025-40215 -CVE-2025-40215.patch - #CVE-2025-68749 CVE-2025-68749.patch #CVE-2025-68745 CVE-2025-68745.patch -#CVE-2025-68744 -CVE-2025-68744.patch - -#CVE-2025-68742 -CVE-2025-68742.patch - -#CVE-2025-68741 -CVE-2025-68741.patch - #CVE-2025-68736 CVE-2025-68736.patch -#CVE-2025-68733 -CVE-2025-68733.patch - -#CVE-2025-68740 -CVE-2025-68740.patch - #CVE-2025-68725 CVE-2025-68725.patch -#CVE-2025-68379 -CVE-2025-68379.patch - -#CVE-2025-68732 -CVE-2025-68732.patch - -#CVE-2025-68354 -CVE-2025-68354.patch - -#CVE-2025-68357 -CVE-2025-68357.patch - -#CVE-2025-68724 -CVE-2025-68724.patch - #CVE-2025-68358 CVE-2025-68358.patch #CVE-2025-68359 CVE-2025-68359.patch -#CVE-2025-68363 -CVE-2025-68363.patch - -#CVE-2025-68366 -CVE-2025-68366.patch - #CVE-2025-68368 CVE-2025-68368.patch -#CVE-2025-68372 -CVE-2025-68372.patch - -#CVE-2025-68374 -CVE-2025-68374.patch - -#CVE-2025-68378 -CVE-2025-68378.patch - -#CVE-2025-68337 -CVE-2025-68337.patch - -#CVE-2025-68345 -CVE-2025-68345.patch - -#CVE-2025-68346 -CVE-2025-68346.patch - -#CVE-2025-68347 -CVE-2025-68347.patch - -#CVE-2025-68348 -CVE-2025-68348.patch - -#CVE-2025-68349 -CVE-2025-68349.patch - #CVE-2025-68353 CVE-2025-68353.patch -#CVE-2025-68371 -CVE-2025-68371.patch - -#CVE-2025-68261 -CVE-2025-68261.patch - -#CVE-2025-68263 -CVE-2025-68263.patch - -#CVE-2025-68264 -CVE-2025-68264.patch - -#CVE-2025-68265 -CVE-2025-68265.patch - #CVE-2025-68319 CVE-2025-68319.patch #CVE-2025-68333 CVE-2025-68333.patch -#CVE-2025-68336 -CVE-2025-68336.patch - -#CVE-2025-68259 -CVE-2025-68259.patch - -#CVE-2025-68256 -CVE-2025-68256.patch - -#CVE-2025-68255 -CVE-2025-68255.patch - -#CVE-2025-68254 -CVE-2025-68254.patch - -#CVE-2025-68206 -CVE-2025-68206.patch - #CVE-2025-68193 CVE-2025-68193.patch 
@@ -735,3 +601,29 @@ CVE-2025-40355.patch
 #CVE-2025-40338
 CVE-2025-40338.patch
+#CVE-2026-23004
+CVE-2026-23004.patch
+
+#CVE-2026-22981
+CVE-2026-22981.patch
+
+#CVE-2026-22985
+CVE-2026-22985.patch
+CVE-2026-22985_2.patch
+
+#CVE-2026-22993
+CVE-2026-22993.patch
+
+#CVE-2025-71161
+CVE-2025-71161.patch
+
+#CVE-2025-68823
+CVE-2025-68823.patch
+
+#CVE-2025-71074
+CVE-2025-71074.patch
+
+#CVE-2025-68768
+CVE-2025-68768.patch
+
+
diff --git a/SPECS/nvidia-data-center-driver/nvidia-data-center-driver.spec b/SPECS/nvidia-data-center-driver/nvidia-data-center-driver.spec
index f4f770e14e..e6baa176a4 100644
--- a/SPECS/nvidia-data-center-driver/nvidia-data-center-driver.spec
+++ b/SPECS/nvidia-data-center-driver/nvidia-data-center-driver.spec
@@ -10,7 +10,7 @@
 Summary: nvidia gpu driver kernel module for data center devices
 Name: nvidia-data-center-driver
 Version: 570.133.20
-Release: 15%{?dist}
+Release: 16%{?dist}
 License: Public Domain
 Source0: https://us.download.nvidia.com/tesla/%{version}/NVIDIA-Linux-x86_64-%{version}.run
 Vendor: Intel Corporation
@@ -51,6 +51,9 @@ make INSTALL_MOD_PATH=%{buildroot} modules_install
 /sbin/depmod -a
 %changelog
+* Thu Feb 05 2026 Lishan Liu - 570.133.20-16
+- Bump release to rebuild
+
 * Fri Jan 9 2026 Lishan Liu - 570.133.20-15
 - Bump release to rebuild
diff --git a/cgmanifest.json b/cgmanifest.json
index 4c3c715b26..e433dd47fb 100644
--- a/cgmanifest.json
+++ b/cgmanifest.json
@@ -8481,8 +8481,8 @@
 "type": "other",
 "other": {
 "name": "kernel",
-"version": "6.12.61",
-"downloadUrl": "https://www.kernel.org/pub/linux/kernel/v6.x/linux-6.12.61.tar.gz"
+"version": "6.12.67",
+"downloadUrl": "https://www.kernel.org/pub/linux/kernel/v6.x/linux-6.12.67.tar.gz"
 }
 }
 },
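Review bot: In the patch-list hunk `@@ -735,3 +601,29 @@`, the second patch for CVE-2026-22985 is added as `CVE-2026-22985_2.patch`, while the multi-part entries visible elsewhere in this list use a hyphen suffix (`CVE-2025-38656-2.patch`, `CVE-2025-40086-1.patch`). If any script or audit tooling maps patch file names to CVE ids by pattern, the underscore form may be missed, so I would name it `CVE-2026-22985-2.patch` (the patch file itself is added outside this hunk and would need the same rename). The hunk also ends with two added blank lines; one is enough.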
@@ -8511,8 +8511,8 @@
 "type": "other",
 "other": {
 "name": "kernel-headers",
-"version": "6.12.61",
-"downloadUrl": "https://www.kernel.org/pub/linux/kernel/v6.x/linux-6.12.61.tar.gz"
+"version": "6.12.67",
+"downloadUrl": "https://www.kernel.org/pub/linux/kernel/v6.x/linux-6.12.67.tar.gz"
 }
 }
 },
@@ -8551,8 +8551,8 @@
 "type": "other",
 "other": {
 "name": "kernel-rt",
-"version": "6.12.61",
-"downloadUrl": "https://www.kernel.org/pub/linux/kernel/v6.x/linux-6.12.61.tar.gz"
+"version": "6.12.67",
+"downloadUrl": "https://www.kernel.org/pub/linux/kernel/v6.x/linux-6.12.67.tar.gz"
 }
 }
 },
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
index 6eae151da2..c3ed0b94da 100644
--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -1,5 +1,5 @@
 filesystem-1.1-21.emt3.x86_64.rpm
-kernel-headers-6.12.61-2.emt3.noarch.rpm
+kernel-headers-6.12.67-1.emt3.noarch.rpm
 glibc-2.38-12.emt3.x86_64.rpm
 glibc-devel-2.38-12.emt3.x86_64.rpm
 glibc-i18n-2.38-12.emt3.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index ca40834053..e18b025fd5 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -150,8 +150,8 @@ intltool-0.51.0-7.emt3.noarch.rpm
 itstool-2.0.7-1.emt3.noarch.rpm
 kbd-2.2.0-2.emt3.x86_64.rpm
 kbd-debuginfo-2.2.0-2.emt3.x86_64.rpm
-kernel-cross-headers-6.12.61-2.emt3.noarch.rpm
-kernel-headers-6.12.61-2.emt3.noarch.rpm
+kernel-cross-headers-6.12.67-1.emt3.noarch.rpm
+kernel-headers-6.12.67-1.emt3.noarch.rpm
 kmod-30-1.emt3.x86_64.rpm
 kmod-debuginfo-30-1.emt3.x86_64.rpm
 kmod-devel-30-1.emt3.x86_64.rpm
diff --git a/toolkit/scripts/toolchain/container/Dockerfile b/toolkit/scripts/toolchain/container/Dockerfile
index 001021df57..87aaca7504 100644
--- a/toolkit/scripts/toolchain/container/Dockerfile
+++ b/toolkit/scripts/toolchain/container/Dockerfile
@@ -63,7 +63,7 @@ RUN wget -nv --no-clobber --timeout=30 --continue --input-file=$LFS/tools/toolch
 # Disable downloading from remote sources by default. The 'toolchain-local-wget-list' generated for the above line will download from $(SOURCE_URL)
 # The 'toolchain-remote-wget-list' is still available and can be used as an alternate to $(SOURCE_URL) if desired.
 #RUN wget -nv --no-clobber --timeout=30 --continue --input-file=$LFS/tools/toolchain-remote-wget-list --directory-prefix=$LFS/sources; exit 0
-RUN wget -nv --no-clobber --timeout=30 --continue https://github.com/intel/linux-intel-lts/archive/refs/tags/lts-v6.12.61-emt-260106T193826Z -O lts-v6.12.61-emt-260106T193826Z --directory-prefix=$LFS/sources; exit 0
+RUN wget -nv --no-clobber --timeout=30 --continue https://github.com/intel/linux-intel-lts/archive/refs/tags/lts-v6.12.67-emt-260128T180434Z -O lts-v6.12.67-emt-260128T180434Z --directory-prefix=$LFS/sources; exit 0
 USER root
 RUN mkdir -pv $LFS/{etc,var} $LFS/usr/{bin,lib,sbin} && \
diff --git a/toolkit/scripts/toolchain/container/toolchain-sha256sums b/toolkit/scripts/toolchain/container/toolchain-sha256sums
index 50826ebfb1..b0516e7161 100644
--- a/toolkit/scripts/toolchain/container/toolchain-sha256sums
+++ b/toolkit/scripts/toolchain/container/toolchain-sha256sums
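Review bot: The new `RUN wget … lts-v6.12.67-emt-260128T180434Z …; exit 0` line in the Dockerfile hunk (`@@ -63,7 +63,7 @@`) points the build at a different remote archive, yet the trailing `; exit 0` lets the layer succeed when the download fails or is truncated, and nothing in this hunk checks the file's digest. The `toolchain-sha256sums` entry changed by the same commit is keyed on `linux-6.12.67.tar.gz`, not on the `-O lts-v6.12.67-emt-260128T180434Z` name, so unless a step outside the hunk renames and verifies the archive, it is fetched unpinned from a tag reference that can be moved. I would add a comment stating where the digest is checked, e.g. `# verified against toolchain-sha256sums in <step> after rename to linux-6.12.67.tar.gz`, or make the layer fail on a mismatch. As far as I know wget ignores `--directory-prefix` when `-O` is given, so the output location is worth confirming as well.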
@@ -28,7 +28,7 @@ a3c2b80201b89e68616f4ad30bc66aee4927c3ce50e33929ca819d5c43538898 gmp-6.3.0.tar.
 1db2aedde89d0dea42b16d9528f894c8d15dae4e190b59aecc78f5a951276eab grep-3.11.tar.xz
 6b9757f592b7518b4902eb6af7e54570bdccba37a871fddb2d30ae3863511c13 groff-1.23.0.tar.gz
 7454eb6935db17c6655576c2e1b0fabefd38b4d0936e0f87f48cd062ce91a057 gzip-1.13.tar.xz
-7fb34abab0902a47ce1d47de58442e69e0e79d17f565b41fcb11249ea5b23801 linux-6.12.61.tar.gz
+b4c0b2ed9cd5002478c7c699d69eece548c84d7c7e1ad48cff61cd951424c745 linux-6.12.67.tar.gz
 5d24e40819768f74daf846b99837fc53a3a9dcdf3ce1c2003fe0596db850f0f0 libarchive-3.7.1.tar.gz
 f311f8f3dad84699d0566d1d6f7ec943a9298b28f714cae3c931dfd57492d7eb libcap-2.69.tar.xz
 b8b45194989022a79ec1317f64a2a75b1551b2a55bea06f67704cb2a2e4690b0 libpipeline-1.5.7.tar.gz
diff --git a/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh b/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh
index a8f7955c4d..5506b2d486 100755
--- a/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh
+++ b/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh
@@ -86,9 +86,9 @@ rm -rf gcc-13.2.0
 touch $LFS/logs/temptoolchain/status_gcc_pass1_complete
-KERNEL_VERSION="6.12.61"
+KERNEL_VERSION="6.12.67"
 echo Linux-${KERNEL_VERSION} API Headers
-tar xf linux-6.12.61.tar.gz
+tar xf linux-6.12.67.tar.gz
 pushd linux-${KERNEL_VERSION}
 make mrproper
 make headers