This project is mirrored from https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10.git.
Pull mirroring updated .
- Mar 21, 2025
-
-
Julio Faracco authored
Signed-off-by:Julio Faracco <jfaracco@redhat.com>
-
Julio Faracco authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/446 JIRA: https://issues.redhat.com/browse/RHEL-81378 CVE: CVE-2024-57988 ``` commit b88655bc6593c6a7fdc1248b212d17e581c4334e Author: Charles Han <hanchunchao@inspur.com> Date: Fri Dec 27 17:20:46 2024 +0800 Bluetooth: btbcm: Fix NULL deref in btbcm_get_board_name() devm_kstrdup() can return a NULL pointer on failure,but this returned value in btbcm_get_board_name() is not checked. Add NULL check in btbcm_get_board_name(), to handle kernel NULL pointer dereference error. Fixes: f9183eaa ("Bluetooth: btbcm: Use devm_kstrdup()") Signed-off-by:
Charles Han <hanchunchao@inspur.com> Signed-off-by:
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>```> Signed-off-by:
CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com> --- <small>Created 2025-02-27 18:35 UTC by backporter - [KWF FAQ](https://red.ht/kernel_workflow_doc) - [Slack #team-kernel-workflow](https://redhat-internal.slack.com/archives/C04LRUPMJQ5) - [Source](https://gitlab.com/cki-project/kernel-workflow/-/blob/main/webhook/utils/backporter.py) - [Documentation](https://gitlab.com/cki-project/kernel-workflow/-/blob/main/docs/README.backporter.md) - [Report an issue](https://gitlab.com/cki-project/kernel-workflow/-/issues/new?issue%5Btitle%5D=backporter%20webhook%20issue)</small > Approved-by:
Bastien Nocera <bnocera@redhat.com> Approved-by:
José Ignacio Tornos Martínez <jtornosm@redhat.com> Approved-by:
CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Merged-by:
-
Julio Faracco authored
Merge: CVE-2024-58013: Bluetooth: MGMT: Fix slab-use-after-free Read in mgmt_remove_adv_monitor_sync MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/476 JIRA: https://issues.redhat.com/browse/RHEL-81510 CVE: CVE-2024-58013 ``` commit 26fbd3494a7dd26269cb0817c289267dbcfdec06 Author: Mazin Al Haddad <mazin@getstate.dev> Date: Tue Dec 24 05:06:16 2024 +0300 Bluetooth: MGMT: Fix slab-use-after-free Read in mgmt_remove_adv_monitor_sync This fixes the following crash: ================================================================== BUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_sync+0x3a/0xd0 net/bluetooth/mgmt.c:5543 Read of size 8 at addr ffff88814128f898 by task kworker/u9:4/5961 CPU: 1 UID: 0 PID: 5961 Comm: kworker/u9:4 Not tainted 6.12.0-syzkaller-10684-gf1cd565ce577 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: hci0 hci_cmd_sync_work Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 mgmt_remove_adv_monitor_sync+0x3a/0xd0 net/bluetooth/mgmt.c:5543 hci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:332 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> Allocated by task 16026: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4314 kmalloc_noprof include/linux/slab.h:901 [inline] kzalloc_noprof include/linux/slab.h:1037 [inline] mgmt_pending_new+0x65/0x250 net/bluetooth/mgmt_util.c:269 mgmt_pending_add+0x36/0x120 net/bluetooth/mgmt_util.c:296 remove_adv_monitor+0x102/0x1b0 net/bluetooth/mgmt.c:5568 hci_mgmt_cmd+0xc47/0x11d0 net/bluetooth/hci_sock.c:1712 hci_sock_sendmsg+0x7b8/0x11c0 net/bluetooth/hci_sock.c:1832 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:726 sock_write_iter+0x2d7/0x3f0 net/socket.c:1147 new_sync_write fs/read_write.c:586 [inline] vfs_write+0xaeb/0xd30 fs/read_write.c:679 ksys_write+0x18f/0x2b0 fs/read_write.c:731 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 16022: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2338 [inline] slab_free mm/slub.c:4598 [inline] kfree+0x196/0x420 mm/slub.c:4746 mgmt_pending_foreach+0xd1/0x130 net/bluetooth/mgmt_util.c:259 __mgmt_power_off+0x183/0x430 net/bluetooth/mgmt.c:9550 hci_dev_close_sync+0x6c4/0x11c0 net/bluetooth/hci_sync.c:5208 hci_dev_do_close net/bluetooth/hci_core.c:483 [inline] hci_dev_close+0x112/0x210 net/bluetooth/hci_core.c:508 sock_do_ioctl+0x158/0x460 net/socket.c:1209 sock_ioctl+0x626/0x8e0 net/socket.c:1328 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Reported-by:
<syzbot+479aff51bb361ef5aa18@syzkaller.appspotmail.com> Closes: https://syzkaller.appspot.com/bug?extid=479aff51bb361ef5aa18 Tested-by:
Mazin Al Haddad <mazin@getstate.dev> Signed-off-by:
-
Julio Faracco authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/408 JIRA: https://issues.redhat.com/browse/RHEL-77888 CVE: CVE-2025-21652 ``` commit cb358ff94154774d031159b018adf45e17673941 Author: Kuniyuki Iwashima <kuniyu@amazon.com> Date: Mon Jan 6 16:19:11 2025 +0900 ipvlan: Fix use-after-free in ipvlan_get_iflink(). syzbot presented an use-after-free report [0] regarding ipvlan and linkwatch. ipvlan does not hold a refcnt of the lower device unlike vlan and macvlan. If the linkwatch work is triggered for the ipvlan dev, the lower dev might have already been freed, resulting in UAF of ipvlan->phy_dev in ipvlan_get_iflink(). We can delay the lower dev unregistration like vlan and macvlan by holding the lower dev's refcnt in dev->netdev_ops->ndo_init() and releasing it in dev->priv_destructor(). Jakub pointed out calling .ndo_XXX after unregister_netdevice() has returned is error prone and suggested [1] addressing this UAF in the core by taking commit 750e51603395 ("net: avoid potential UAF in default_operstate()") further. Let's assume unregistering devices DOWN and use RCU protection in default_operstate() not to race with the device unregistration. [0]: BUG: KASAN: slab-use-after-free in ipvlan_get_iflink+0x84/0x88 drivers/net/ipvlan/ipvlan_main.c:353 Read of size 4 at addr ffff0000d768c0e0 by task kworker/u8:35/6944 CPU: 0 UID: 0 PID: 6944 Comm: kworker/u8:35 Not tainted 6.13.0-rc2-g9bc5c9515b48 #12 4c3cb9e8b4565456f6a355f312ff91f4f29b3c47 Hardware name: linux,dummy-virt (DT) Workqueue: events_unbound linkwatch_event Call trace: show_stack+0x38/0x50 arch/arm64/kernel/stacktrace.c:484 (C) __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0xbc/0x108 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x16c/0x6f0 mm/kasan/report.c:489 kasan_report+0xc0/0x120 mm/kasan/report.c:602 __asan_report_load4_noabort+0x20/0x30 mm/kasan/report_generic.c:380 ipvlan_get_iflink+0x84/0x88 drivers/net/ipvlan/ipvlan_main.c:353 dev_get_iflink+0x7c/0xd8 net/core/dev.c:674 default_operstate net/core/link_watch.c:45 [inline] rfc2863_policy+0x144/0x360 net/core/link_watch.c:72 linkwatch_do_dev+0x60/0x228 net/core/link_watch.c:175 __linkwatch_run_queue+0x2f4/0x5b8 net/core/link_watch.c:239 linkwatch_event+0x64/0xa8 net/core/link_watch.c:282 process_one_work+0x700/0x1398 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x8c4/0xe10 kernel/workqueue.c:3391 kthread+0x2b0/0x360 kernel/kthread.c:389 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:862 Allocated by task 9303: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x30/0x68 mm/kasan/common.c:68 kasan_save_alloc_info+0x44/0x58 mm/kasan/generic.c:568 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x84/0xa0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4283 [inline] __kmalloc_node_noprof+0x2a0/0x560 mm/slub.c:4289 __kvmalloc_node_noprof+0x9c/0x230 mm/util.c:650 alloc_netdev_mqs+0xb4/0x1118 net/core/dev.c:11209 rtnl_create_link+0x2b8/0xb60 net/core/rtnetlink.c:3595 rtnl_newlink_create+0x19c/0x868 net/core/rtnetlink.c:3771 __rtnl_newlink net/core/rtnetlink.c:3896 [inline] rtnl_newlink+0x122c/0x15c0 net/core/rtnetlink.c:4011 rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6901 netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2542 rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6928 netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline] netlink_unicast+0x618/0x838 net/netlink/af_netlink.c:1347 netlink_sendmsg+0x5fc/0x8b0 net/netlink/af_netlink.c:1891 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg net/socket.c:726 [inline] __sys_sendto+0x2ec/0x438 net/socket.c:2197 __do_sys_sendto net/socket.c:2204 [inline] __se_sys_sendto net/socket.c:2200 [inline] __arm64_sys_sendto+0xe4/0x110 net/socket.c:2200 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x90/0x278 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x13c/0x250 arch/arm64/kernel/syscall.c:132 do_el0_svc+0x54/0x70 arch/arm64/kernel/syscall.c:151 el0_svc+0x4c/0xa8 arch/arm64/kernel/entry-common.c:744 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:762 el0t_64_sync+0x198/0x1a0 arch/arm64/kernel/entry.S:600 Freed by task 10200: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x30/0x68 mm/kasan/common.c:68 kasan_save_free_info+0x58/0x70 mm/kasan/generic.c:582 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x48/0x68 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2338 [inline] slab_free mm/slub.c:4598 [inline] kfree+0x140/0x420 mm/slub.c:4746 kvfree+0x4c/0x68 mm/util.c:693 netdev_release+0x94/0xc8 net/core/net-sysfs.c:2034 device_release+0x98/0x1c0 kobject_cleanup lib/kobject.c:689 [inline] kobject_release lib/kobject.c:720 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x2b0/0x438 lib/kobject.c:737 netdev_run_todo+0xdd8/0xf48 net/core/dev.c:10924 rtnl_unlock net/core/rtnetlink.c:152 [inline] rtnl_net_unlock net/core/rtnetlink.c:209 [inline] rtnl_dellink+0x484/0x680 net/core/rtnetlink.c:3526 rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6901 netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2542 rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6928 netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline] netlink_unicast+0x618/0x838 net/netlink/af_netlink.c:1347 netlink_sendmsg+0x5fc/0x8b0 net/netlink/af_netlink.c:1891 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg net/socket.c:726 [inline] ____sys_sendmsg+0x410/0x708 net/socket.c:2583 ___sys_sendmsg+0x178/0x1d8 net/socket.c:2637 __sys_sendmsg net/socket.c:2669 [inline] __do_sys_sendmsg net/socket.c:2674 [inline] __se_sys_sendmsg net/socket.c:2672 [inline] __arm64_sys_sendmsg+0x12c/0x1c8 net/socket.c:2672 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x90/0x278 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x13c/0x250 arch/arm64/kernel/syscall.c:132 do_el0_svc+0x54/0x70 arch/arm64/kernel/syscall.c:151 el0_svc+0x4c/0xa8 arch/arm64/kernel/entry-common.c:744 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:762 el0t_64_sync+0x198/0x1a0 arch/arm64/kernel/entry.S:600 The buggy address belongs to the object at ffff0000d768c000 which belongs to the cache kmalloc-cg-4k of size 4096 The buggy address is located 224 bytes inside of freed 4096-byte region [ffff0000d768c000, ffff0000d768d000) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x117688 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 memcg:ffff0000c77ef981 flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) page_type: f5(slab) raw: 0bfffe0000000040 ffff0000c000f500 dead000000000100 dead000000000122 raw: 0000000000000000 0000000000040004 00000001f5000000 ffff0000c77ef981 head: 0bfffe0000000040 ffff0000c000f500 dead000000000100 dead000000000122 head: 0000000000000000 0000000000040004 00000001f5000000 ffff0000c77ef981 head: 0bfffe0000000003 fffffdffc35da201 ffffffffffffffff 0000000000000000 head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff0000d768bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff0000d768c000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff0000d768c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff0000d768c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff0000d768c180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb Fixes: 8c55face ("net: linkwatch: only report IF_OPER_LOWERLAYERDOWN if iflink is actually down") Reported-by:
syzkaller <syzkaller@googlegroups.com> Suggested-by:
Jakub Kicinski <kuba@kernel.org> Link: https://lore.kernel.org/netdev/20250102174400.085fd8ac@kernel.org/ [1] Signed-off-by:
Kuniyuki Iwashima <kuniyu@amazon.com> Link: https://patch.msgid.link/20250106071911.64355-1-kuniyu@amazon.com Signed-off-by:
Jakub Kicinski <kuba@kernel.org>```> Signed-off-by:
Davide Caratti <dcaratti@redhat.com> Approved-by:
Xin Long <lxin@redhat.com> Approved-by:
-
Julio Faracco authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/503 JIRA: https://issues.redhat.com/browse/RHEL-81435 CVE: CVE-2025-21742 JIRA: https://issues.redhat.com/browse/RHEL-81349 CVE: CVE-2025-21743 JIRA: https://issues.redhat.com/browse/RHEL-81565 CVE: CVE-2025-21741 Some CVEs for ipheth driver. All the commits here are part of the same series and are interrelated. Signed-off-by:
Desnes Nunes <desnesn@redhat.com> Approved-by:
Michal Schmidt <mschmidt@redhat.com> Approved-by:
Corinna Vinschen <vinschen@redhat.com> Approved-by:
mheib <mheib@redhat.com> Approved-by:
-
Julio Faracco authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/468 JIRA: https://issues.redhat.com/browse/RHEL-81475 CVE: CVE-2025-21786 ``` commit e76946110137703c16423baf6ee177b751a34b7e Author: Lai Jiangshan <jiangshan.ljs@antgroup.com> Date: Thu Jan 23 16:25:35 2025 +0800 workqueue: Put the pwq after detaching the rescuer from the pool The commit 68f83057("workqueue: Reap workers via kthread_stop() and remove detach_completion") adds code to reap the normal workers but mistakenly does not handle the rescuer and also removes the code waiting for the rescuer in put_unbound_pool(), which caused a use-after-free bug reported by Cheung Wall. To avoid the use-after-free bug, the pool’s reference must be held until the detachment is complete. Therefore, move the code that puts the pwq after detaching the rescuer from the pool. Reported-by:
cheung wall <zzqq0103.hey@gmail.com> Cc: cheung wall <zzqq0103.hey@gmail.com> Link: https://lore.kernel.org/lkml/CAKHoSAvP3iQW+GwmKzWjEAOoPvzeWeoMO0Gz7Pp3_4kxt-RMoA@mail.gmail.com/ Fixes: 68f83057("workqueue: Reap workers via kthread_stop() and remove detach_completion") Signed-off-by:
Lai Jiangshan <jiangshan.ljs@antgroup.com> Signed-off-by:
Tejun Heo <tj@kernel.org>```> Signed-off-by:
Waiman Long <longman@redhat.com> Approved-by:
Phil Auld <pauld@redhat.com> Approved-by:
-
Julio Faracco authored
Merge: CVE-2025-21826: netfilter: nf_tables: reject mismatching sum of field_len with set key length MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/532 JIRA: https://issues.redhat.com/browse/RHEL-82492 CVE: CVE-2025-21826 ``` commit 1b9335a8000fb70742f7db10af314104b6ace220 Author: Pablo Neira Ayuso <pablo@netfilter.org> Date: Tue Jan 28 12:26:33 2025 +0100 netfilter: nf_tables: reject mismatching sum of field_len with set key length The field length description provides the length of each separated key field in the concatenation, each field gets rounded up to 32-bits to calculate the pipapo rule width from pipapo_init(). The set key length provides the total size of the key aligned to 32-bits. Register-based arithmetics still allows for combining mismatching set key length and field length description, eg. set key length 10 and field description [ 5, 4 ] leading to pipapo width of 12. Cc: stable@vger.kernel.org Fixes: 3ce67e37 ("netfilter: nf_tables: do not allow mismatch field size and set key length") Reported-by:
Noam Rathaus <noamr@ssd-disclosure.com> Reviewed-by:
Florian Westphal <fw@strlen.de> Signed-off-by:
Pablo Neira Ayuso <pablo@netfilter.org>```> Signed-off-by:
Florian Westphal <fwestpha@redhat.com> Approved-by:
-
Julio Faracco authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/305 JIRA: https://issues.redhat.com/browse/RHEL-77232 CVE: CVE-2025-21680 ``` pktgen: Avoid out-of-bounds access in get_imix_entries Passing a sufficient amount of imix entries leads to invalid access to the pkt_dev->imix_entries array because of the incorrect boundary check. UBSAN: array-index-out-of-bounds in net/core/pktgen.c:874:24 index 20 is out of range for type 'imix_pkt [20]' CPU: 2 PID: 1210 Comm: bash Not tainted 6.10.0-rc1 #121 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) Call Trace: <TASK> dump_stack_lvl lib/dump_stack.c:117 __ubsan_handle_out_of_bounds lib/ubsan.c:429 get_imix_entries net/core/pktgen.c:874 pktgen_if_write net/core/pktgen.c:1063 pde_write fs/proc/inode.c:334 proc_reg_write fs/proc/inode.c:346 vfs_write fs/read_write.c:593 ksys_write fs/read_write.c:644 do_syscall_64 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe arch/x86/entry/entry_64.S:130 Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 52a62f86 ("pktgen: Parse internet mix (imix) input") Signed-off-by:
Artem Chernyshev <artem.chernyshev@red-soft.ru> [ fp: allow to fill the array completely; minor changelog cleanup ] Signed-off-by:
Fedor Pchelkin <pchelkin@ispras.ru> Signed-off-by:
David S. Miller <davem@davemloft.net> (cherry picked from commit 76201b5979768500bca362871db66d77cb4c225e) ``` Signed-off-by:
Antoine Tenart <atenart@redhat.com> Approved-by:
-
Julio Faracco authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/440 JIRA: https://issues.redhat.com/browse/RHEL-81271 CVE: CVE-2024-57987 ``` commit 3c15082f3567032d196e8760753373332508c2ca Author: Max Chou <max.chou@realtek.com> Date: Tue Dec 31 14:57:19 2024 +0800 Bluetooth: btrtl: check for NULL in btrtl_setup_realtek() If insert an USB dongle which chip is not maintained in ic_id_table, it will hit the NULL point accessed. Add a null point check to avoid the Kernel Oops. Fixes: b39910bb ("Bluetooth: Populate hci_set_hw_info for Intel and Realtek") Reviewed-by:
Alex Lu <alex_lu@realsil.com.cn> Signed-off-by:
Max Chou <max.chou@realtek.com> Signed-off-by:
-
- Mar 19, 2025
-
-
Julio Faracco authored
Signed-off-by: -
Julio Faracco authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/539 JIRA: https://issues.redhat.com/browse/RHEL-82479 CVE: CVE-2024-58075 commit 15589bda46830695a3261518bb7627afac61f519 Author: Chen Ridong <chenridong@huawei.com> Date: Mon Nov 11 01:28:27 2024 +0000 crypto: tegra - do not transfer req when tegra init fails The tegra_cmac_init or tegra_sha_init function may return an error when memory is exhausted. It should not transfer the request when they return an error. Fixes: 0880bb3b ("crypto: tegra - Add Tegra Security Engine driver") Signed-off-by:
Chen Ridong <chenridong@huawei.com> Acked-by:
Akhil R <akhilrajeev@nvidia.com> Acked-by:
Thierry Reding <treding@nvidia.com> Signed-off-by:
Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by:
Herbert Xu <herbert.xu@redhat.com> Approved-by:
Tony Camuso <tcamuso@redhat.com> Approved-by:
Vladis Dronov <vdronov@redhat.com> Approved-by:
-
Julio Faracco authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/505 JIRA: https://issues.redhat.com/browse/RHEL-81295 CVE: CVE-2025-21795 Signed-off-by:
Olga Kornievskaia <okorniev@redhat.com> Approved-by:
Benjamin Coddington <bcodding@redhat.com> Approved-by:
Scott Mayhew <smayhew@redhat.com> Approved-by:
-
Julio Faracco authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/247 JIRA: https://issues.redhat.com/browse/RHEL-76329 CVE: CVE-2024-53241 Signed-off-by:
Vitaly Kuznetsov <vkuznets@redhat.com> Approved-by:
David Arcari <darcari@redhat.com> Approved-by:
Lenny Szubowicz <lszubowi@redhat.com> Approved-by:
Joe Lawrence <joe.lawrence@redhat.com> Approved-by:
-
Julio Faracco authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/562 Fix data corruption issue in hyperV storvsc driver JIRA: https://issues.redhat.com/browse/RHEL-82461 Signed-off-by:
Cathy Avery <cavery@redhat.com> Approved-by:
Maxim Levitsky <mlevitsk@redhat.com> Approved-by:
Ewan D. Milne <emilne@redhat.com> Approved-by:
-
Julio Faracco authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/367 JIRA: https://issues.redhat.com/browse/RHEL-78669 MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/367 This MR can greatly improve the performance of the RT debug kernels. It can also slightly improve the performance of the non-RT debug kernels. It does so by enabling the CONFIG_KASAN_INLINE kernel config option for the RT debug kernel which replace many of the external KASAN function calls to inline codes which increase the size of the debug kernel but reduce the execution time. The second change is to disable KASAN instrumentation in the lockdep code which is another heavy performance hit in the debug kernel. As listed in the commit log of patch 2, these two changes can more than double the performance of the RT debug kernel. Signed-off-by:
Herton R. Krzesinski <herton@redhat.com> Approved-by:
Clark Williams <williams@redhat.com> Approved-by:
Rafael Aquini <raquini@redhat.com> Approved-by:
-
Julio Faracco authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/521 JIRA: https://issues.redhat.com/browse/RHEL-62933 JIRA: https://issues.redhat.com/browse/RHEL-79456 Signed-off-by:
Ming Lei <ming.lei@redhat.com> Approved-by:
Xiao Ni <xni@redhat.com> Approved-by:
Maurizio Lombardi <mlombard@redhat.com> Approved-by:
-
Julio Faracco authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/535 ``` JIRA: https://issues.redhat.com/browse/RHEL-81557 CVE: CVE-2024-58006 Signed-off-by:
Myron Stowe <mstowe@redhat.com> ``` Approved-by:
John W. Linville <linville@redhat.com> Approved-by:
Steve Best <sbest@redhat.com> Approved-by:
-
Julio Faracco authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/567 JIRA: https://issues.redhat.com/browse/RHEL-83186 Upstream Status: all mainline in kernel-ark.git Conflicts: patch applied manually as rhel-10 has no def_variants.yaml for fedora Tested: boot-tested only Signed-off-by:
Jan Stancek <jstancek@redhat.com> Approved-by:
-
Julio Faracco authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/386 JIRA: https://issues.redhat.com/browse/RHEL-78928 CVE: CVE-2024-53147 ``` commit 184fa506e392eb78364d9283c961217ff2c0617b Author: Yuezhang Mo <Yuezhang.Mo@sony.com> Date: Mon Oct 28 11:23:36 2024 +0800 exfat: fix out-of-bounds access of directory entries In the case of the directory size is greater than or equal to the cluster size, if start_clu becomes an EOF cluster(an invalid cluster) due to file system corruption, then the directory entry where ei->hint_femp.eidx hint is outside the directory, resulting in an out-of-bounds access, which may cause further file system corruption. This commit adds a check for start_clu, if it is an invalid cluster, the file or directory will be treated as empty. Cc: stable@vger.kernel.org Signed-off-by:
Yuezhang Mo <Yuezhang.Mo@sony.com> Co-developed-by:
Namjae Jeon <linkinjeon@kernel.org> Signed-off-by:
Namjae Jeon <linkinjeon@kernel.org>```> Signed-off-by:
Pavel Reichl <preichl@redhat.com> Approved-by:
Carlos Maiolino <cmaiolino@redhat.com> Approved-by:
Andrey Albershteyn <aalbersh@redhat.com> Approved-by:
-
Julio Faracco authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/355 Description: ============ This patch set updates the RDMA core and RDMA ULPs to upstream kernel v6.13. Upstream: ========= Linus's master tree. Issues: ======= JIRA: https://issues.redhat.com/browse/RHEL-77879 Brew: ===== https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=66571797 Signed-off-by:
Kamal Heib <kheib@redhat.com> Approved-by:
-
Julio Faracco authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/546 ``` This series updates RHEL9's PCI subsystem with content from upstream v6.13 - Related post v6.13 (v6.14) Fixes 7ca288760007 PCI: rockchip-ep: Fix error code in rockchip_pcie_ep fd46bc0e0bb3 PCI: rockchip: Add missing fields descriptions for s Merge tag 'pci-v6.13-fixes-3' of git://git.kernel.org/pub/scm https://lkml.org/lkml/2025/1/14/1378 commit 7f5b6a8ec18e3add4c74682f60b90c31bdf849f2 Merge: c3812b15000c 15b8968dcb90 1 file changed, 16 insertions(+), 9 deletions(-) Merge tag 'pci-v6.13-fixes-2' of git://git.kernel.org/pub/scm/l https://lkml.org/lkml/2024/12/21/??? commit a99b4a369a5495dbb625e1dfb5cd7a5ff6ba4bd5 Merge: 78b1346123bb 774c71c52aa4 Merge tag 'pci-v6.13-fixes-1' of git://git.kernel.org/pub/scm/l https://lkml.org/lkml/2024/11/30/474 commit 0cb71708c5816569f8addd5c6f33cb9679e73b5b Merge: 8a6a03ad5b04 5c8418cf4025 1 file changed, 7 insertions(+), 2 deletions(-) Merge tag 'pci-v6.13-changes' of git://git.kernel.org/pub/scm/../git/pci/pci https://lkml.org/lkml/2024/11/25/1200 commit 1746db26f85e4f4b3dd11d7b55f4eff4b0423884 Merge: 1dc707e647bc 10099266dec8 134 files changed, 4173 insertions(+), 1164 deletions(-) There were a number back-ports with conflicts, most were due to out-of-order backporting (with respect to upstream), or patches that were based on old content (i.e., not accounting for recent updates) and so incurred the same conflict as encountered upstream. All such occurrences are noted in the back-port's commit message with the same changes that occurred upstream being made in the back-port to keep things in sync. Of special note: This MR renames a module from pci-pwrctl-pwrseq.ko to pci-pwrctrl-pwrseq.ko. This is done in upstream commit 3f925cd62874 "PCI/pwrctrl: Rename pwrctrl functions and structures", specifically, the last hunk of drivers/pci/pwrctrl/pci-pwrctrl-pwrseq.c. The name change should not impact the customer's ability to use this module. JIRA: https://issues.redhat.com/browse/RHEL-74285 CVE: CVE-2024-56745 CVE: CVE-2024-53152 CVE: CVE-2024-53153 CVE: CVE-2024-57809 CVE: CVE-2024-56561 CVE: CVE-2024-56689 CVE: CVE-2024-53194 Omitted-fix: 1390a33b3d04 Omitted-fix: 1b1bb7b29b10 Omitted-fix: 86a5f32ed881 Signed-off-by:
Eder Zulian <ezulian@redhat.com> Approved-by:
Jarod Wilson <jarod@redhat.com> Approved-by:
Enric Balletbo i Serra <eballetbo@redhat.com> Approved-by:
Brian Masney <bmasney@redhat.com> Approved-by:
-
- Mar 18, 2025
-
-
Julio Faracco authored
Signed-off-by: -
Julio Faracco authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/251 JIRA: https://issues.redhat.com/browse/RHEL-73781 Tested: by HPE Signed-off-by:
Aristeu Rozanski <arozansk@redhat.com> Approved-by:
-
Julio Faracco authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/403 JIRA: https://issues.redhat.com/browse/RHEL-77929 commit e129fdc599093457648eccf981d672fade55a9c8 Author: Phil Auld <pauld@redhat.com> Date: Tue Jan 14 14:05:25 2025 -0500 Documentation/sysctl: Add timer_migration to kernel.rst There is no mention of timer_migration in the docs. Add a short description. Signed-off-by:
Jonathan Corbet <corbet@lwn.net> Link: https://lore.kernel.org/r/20250114190525.169022-1-pauld@redhat.com Signed-off-by:
-
Julio Faracco authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/461 JIRA: https://issues.redhat.com/browse/RHEL-81442 CVE: CVE-2024-58012 ``` commit 569922b82ca660f8b24e705f6cf674e6b1f99cc7 Author: Bard Liao <yung-chuan.liao@linux.intel.com> Date: Tue Dec 3 18:48:53 2024 +0800 ASoC: SOF: Intel: hda-dai: Ensure DAI widget is valid during params Each cpu DAI should associate with a widget. However, the topology might not create the right number of DAI widgets for aggregated amps. And it will cause NULL pointer deference. Check that the DAI widget associated with the CPU DAI is valid to prevent NULL pointer deference due to missing DAI widgets in topologies with aggregated amps. Signed-off-by:
Bard Liao <yung-chuan.liao@linux.intel.com> Reviewed-by:
Ranjani Sridharan <ranjani.sridharan@linux.intel.com> Reviewed-by:
Péter Ujfalusi <peter.ujfalusi@linux.intel.com> Reviewed-by:
Liam Girdwood <liam.r.girdwood@intel.com> Link: https://patch.msgid.link/20241203104853.56956-1-yung-chuan.liao@linux.intel.com Signed-off-by:
Mark Brown <broonie@kernel.org>```> Signed-off-by:
Jaroslav Kysela <jkysela@redhat.com> Approved-by:
-
Julio Faracco authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/201 JIRA: https://issues.redhat.com/browse/RHEL-73050 Tested: by me Signed-off-by:
Jiri Dluhos <jdluhos@redhat.com> Approved-by:
-
Julio Faracco authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/552 # Merge Request Required Information JIRA: https://issues.redhat.com/browse/RHEL-74339 ## Summary of Changes ## Approved Development Ticket(s) All submissions to CentOS Stream must reference a ticket in [Red Hat Jira](https://issues.redhat.com/). <details><summary>Click for formatting instructions</summary> Please follow the CentOS Stream [contribution documentation](https://docs.centos.org/en-US/stream-contrib/quickstart/ ) for how to file this ticket and have it approved. List tickets each on their own line of this description using the format "Resolves: RHEL-76229", "Related: RHEL-76229" or "Reverts: RHEL-76229", as appropriate. </details> Signed-off-by:
Jakub Brnak <jbrnak@redhat.com> Approved-by:
Michael Petlan <mpetlan@redhat.com> Approved-by:
ashelat <ashelat@redhat.com> Approved-by:
-
Julio Faracco authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/579 JIRA: https://issues.redhat.com/browse/RHEL-79766 This reverts commit a5c6bc59 (Revert "selftests/mm: remove local __NR_* definitions") Signed-off-by:
Li Wang <liwang@redhat.com> Approved-by:
Nico Pache <npache@redhat.com> Approved-by:
-
Jan Stancek authored
JIRA: INTERNAL Upstream Status: RHEL only Don't bring in changes from Makefile.rhelver and 10.0 KABI. Signed-off-by:
-
- Mar 17, 2025
-
-
Jan Stancek authored
Signed-off-by: -
Jan Stancek authored
MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-10/-/merge_requests/40 JIRA: https://issues.redhat.com/browse/RHEL-38582 Upstream Status: RHEL only For Intel NPU user mode driver, we need the Intel VPU kernel mode driver in the kernel. This is only available on x86_66. Signed-off-by:
Fabien Dupont <fdupont@redhat.com> Signed-off-by:
Karol Herbst <kherbst@redhat.com> Approved-by:
David Airlie <airlied@redhat.com> Approved-by:
Jocelyn Falempe <jfalempe@redhat.com> Approved-by:
-
Jan Stancek authored
MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-10/-/merge_requests/15 JIRA: https://issues.redhat.com/browse/RHEL-80226 commit 875d742cf5327c93cba1f11e12b08d3cce7a88d2 Author: Radu Rendec <rrendec@redhat.com> Date: Thu Feb 6 12:44:20 2025 -0500 arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array The loop that detects/populates cache information already has a bounds check on the array size but does not account for cache levels with separate data/instructions cache. Fix this by incrementing the index for any populated leaf (instead of any populated level). Fixes: 5d425c18 ("arm64: kernel: add support for cpu cache information") Signed-off-by:
Radu Rendec <rrendec@redhat.com> Link: https://lore.kernel.org/r/20250206174420.2178724-1-rrendec@redhat.com Signed-off-by:
Will Deacon <will@kernel.org> Signed-off-by:
Mark Salter <msalter@redhat.com> Approved-by:
Eric Chanudet <echanude@redhat.com> Approved-by:
Mark Langsdorf <mlangsdo@redhat.com> Approved-by:
-
Jan Stancek authored
MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-10/-/merge_requests/45 JIRA: https://issues.redhat.com/browse/RHEL-82677 - smb: client: fix chmod(2) regression with ATTR_READONLY (Paulo Alcantara) [[RHEL-82677](https://issues.redhat.com/browse/RHEL-82677) [RHEL-80534](ttps://issues.redhat.com/browse/RHEL-80534) ] Y-Commit: ff607656 Signed-off-by:
Jay Shin <jaeshin@redhat.com> Approved-by:
Paulo Alcantara <paalcant@redhat.com> Approved-by:
-
Jan Stancek authored
MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-10/-/merge_requests/48 JIRA: https://issues.redhat.com/browse/RHEL-79881 Upstream Status: RHEL only Symbol checksums taken from 6.12.0-55.4.1.el10_0. Signed-off-by:
Čestmír Kalina <ckalina@redhat.com> Approved-by:
-
- Mar 14, 2025
-
-
Jan Stancek authored
Signed-off-by: -
Jan Stancek authored
MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-10/-/merge_requests/47 JIRA: https://issues.redhat.com/browse/RHEL-77295 CVE: CVE-2024-57927 commit 86ad1a58f6a9453f49e06ef957a40a8dac00a13f Author: David Howells <dhowells@redhat.com> Date: Fri Dec 13 13:50:04 2024 +0000 nfs: Fix oops in nfs_netfs_init_request() when copying to cache When netfslib wants to copy some data that has just been read on behalf of nfs, it creates a new write request and calls nfs_netfs_init_request() to initialise it, but with a NULL file pointer. This causes nfs_file_open_context() to oops - however, we don't actually need the nfs context as we're only going to write to the cache. Fix this by just returning if we aren't given a file pointer and emit a warning if the request was for something other than copy-to-cache. Further, fix nfs_netfs_free_request() so that it doesn't try to free the context if the pointer is NULL. Fixes: ee4cdf7b ("netfs: Speed up buffered reading") Reported-by:
Max Kellermann <max.kellermann@ionos.com> Closes: https://lore.kernel.org/r/CAKPOu+9DyMbKLhyJb7aMLDTb=Fh0T8Teb9sjuf_pze+XWT1VaQ@mail.gmail.com/ Signed-off-by:
David Howells <dhowells@redhat.com> Link: https://lore.kernel.org/r/20241213135013.2964079-5-dhowells@redhat.com cc: Trond Myklebust <trondmy@kernel.org> cc: Anna Schumaker <anna@kernel.org> cc: Dave Wysochanski <dwysocha@redhat.com> cc: Jeff Layton <jlayton@kernel.org> cc: linux-nfs@vger.kernel.org cc: netfs@lists.linux.dev cc: linux-fsdevel@vger.kernel.org Signed-off-by:
Christian Brauner <brauner@kernel.org> Signed-off-by:
Steve Dickson <steved@redhat.com> Approved-by:
-
Jan Stancek authored
MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-10/-/merge_requests/51 JIRA: https://issues.redhat.com/browse/RHEL-80112 Upstream Status: all mainline in kernel-ark.git Conflicts: see individual patches Tested: boot-tested only Signed-off-by:
Marcelo Ricardo Leitner <mleitner@redhat.com> Approved-by:
-
Jan Stancek authored
MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-10/-/merge_requests/19 JIRA: https://issues.redhat.com/browse/RHEL-79087 Fix suspend/resume scenario for mt7925 device. Tested with mt7925 device and rtcwake command. Signed-off-by:
Izabela Bakollari <ibakolla@redhat.com> Approved-by:
-
Jan Stancek authored
MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-10/-/merge_requests/25 JIRA: https://issues.redhat.com/browse/RHEL-80281 Upstream Status: RHEL-only nouveau GSP support relies on FW_CACHE for suspend/resume support to work properly. This is on in Fedora (and now kernel-ark), and reduces the chance of a divergence between fedora testing a feature and RHEL. Without this change nouveau fails to suspend because it tries to read a firmware file that is read earlier but the disk is suspended. This will eventually be enforced upstream by a select in nouveau's Kconfig, just hasn't landed yet. Signed-off-by:
-
- Mar 13, 2025
-
-
Julio Faracco authored
Signed-off-by:
-
