From 9e67fbb375b9388616d82a8cf6320a08a4d2642d Mon Sep 17 00:00:00 2001 From: Jonathan Maple Date: Fri, 20 Feb 2026 12:32:57 -0500 Subject: [PATCH 1/9] Bluetooth: ISO: Fix possible UAF on iso_conn_free jira KERNEL-640 cve CVE-2025-40141 Rebuild_History Non-Buildable kernel-6.12.0-124.38.1.el10_1 commit-author Luiz Augusto von Dentz commit 9950f095d6c875dbe0c9ebfcf972ec88fdf26fc8 This attempt to fix similar issue to sco_conn_free where if the conn->sk is not set to NULL may lead to UAF on iso_conn_free. Fixes: ccf74f2390d6 ("Bluetooth: Add BTPROTO_ISO socket type") Signed-off-by: Luiz Augusto von Dentz (cherry picked from commit 9950f095d6c875dbe0c9ebfcf972ec88fdf26fc8) Signed-off-by: Jonathan Maple --- net/bluetooth/iso.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c index 2819cda616bce..5987f8ad95ac2 100644 --- a/net/bluetooth/iso.c +++ b/net/bluetooth/iso.c @@ -746,6 +746,13 @@ static void iso_sock_kill(struct sock *sk) BT_DBG("sk %p state %d", sk, sk->sk_state); + /* Sock is dead, so set conn->sk to NULL to avoid possible UAF */ + if (iso_pi(sk)->conn) { + iso_conn_lock(iso_pi(sk)->conn); + iso_pi(sk)->conn->sk = NULL; + iso_conn_unlock(iso_pi(sk)->conn); + } + /* Kill poor orphan */ bt_sock_unlink(&iso_sk_list, sk); sock_set_flag(sk, SOCK_DEAD); From 33a0a93f79b3f22b9e432f358ca81f6c82f36e15 Mon Sep 17 00:00:00 2001 From: Jonathan Maple Date: Fri, 20 Feb 2026 12:32:58 -0500 Subject: [PATCH 2/9] ALSA: usb-audio: Fix potential overflow of PCM transfer buffer jira KERNEL-640 cve CVE-2025-40269 Rebuild_History Non-Buildable kernel-6.12.0-124.38.1.el10_1 commit-author Takashi Iwai commit 05a1fc5efdd8560f34a3af39c9cf1e1526cc3ddf The PCM stream data in USB-audio driver is transferred over USB URB packet buffers, and each packet size is determined dynamically. The packet sizes are limited by some factors such as wMaxPacketSize USB descriptor. OTOH, in the current code, the actually used packet sizes are determined only by the rate and the PPS, which may be bigger than the size limit above. This results in a buffer overflow, as reported by syzbot. Basically when the limit is smaller than the calculated packet size, it implies that something is wrong, most likely a weird USB descriptor. So the best option would be just to return an error at the parameter setup time before doing any further operations. This patch introduces such a sanity check, and returns -EINVAL when the packet size is greater than maxpacksize. The comparison with ep->packsize[1] alone should suffice since it's always equal or greater than ep->packsize[0]. Reported-by: syzbot+bfd77469c8966de076f7@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=bfd77469c8966de076f7 Link: https://lore.kernel.org/690b6b46.050a0220.3d0d33.0054.GAE@google.com Cc: Lizhi Xu Cc: Link: https://patch.msgid.link/20251109091211.12739-1-tiwai@suse.de Signed-off-by: Takashi Iwai (cherry picked from commit 05a1fc5efdd8560f34a3af39c9cf1e1526cc3ddf) Signed-off-by: Jonathan Maple --- sound/usb/endpoint.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c index f36ec98da4601..7238f65cbcfff 100644 --- a/sound/usb/endpoint.c +++ b/sound/usb/endpoint.c @@ -1386,6 +1386,11 @@ int snd_usb_endpoint_set_params(struct snd_usb_audio *chip, ep->sample_rem = ep->cur_rate % ep->pps; ep->packsize[0] = ep->cur_rate / ep->pps; ep->packsize[1] = (ep->cur_rate + (ep->pps - 1)) / ep->pps; + if (ep->packsize[1] > ep->maxpacksize) { + usb_audio_dbg(chip, "Too small maxpacksize %u for rate %u / pps %u\n", + ep->maxpacksize, ep->cur_rate, ep->pps); + return -EINVAL; + } /* calculate the frequency in 16.16 format */ ep->freqm = ep->freqn; From d13eeacfd575cb35168aa12e0d76506969fa9d3e Mon Sep 17 00:00:00 2001 From: Jonathan Maple Date: Fri, 20 Feb 2026 12:32:58 -0500 Subject: [PATCH 3/9] erofs: avoid using multiple devices with different type jira KERNEL-640 cve CVE-2025-38172 Rebuild_History Non-Buildable kernel-6.12.0-124.38.1.el10_1 commit-author Sheng Yong commit 9748f2f54f66743ac77275c34886a9f890e18409 For multiple devices, both primary and extra devices should be the same type. `erofs_init_device` has already guaranteed that if the primary is a file-backed device, extra devices should also be regular files. However, if the primary is a block device while the extra device is a file-backed device, `erofs_init_device` will get an ENOTBLK, which is not treated as an error in `erofs_fc_get_tree`, and that leads to an UAF: erofs_fc_get_tree get_tree_bdev_flags(erofs_fc_fill_super) erofs_read_superblock erofs_init_device // sbi->dif0 is not inited yet, // return -ENOTBLK deactivate_locked_super free(sbi) if (err is -ENOTBLK) sbi->dif0.file = filp_open() // sbi UAF So if -ENOTBLK is hitted in `erofs_init_device`, it means the primary device must be a block device, and the extra device is not a block device. The error can be converted to -EINVAL. Fixes: fb176750266a ("erofs: add file-backed mount support") Signed-off-by: Sheng Yong Reviewed-by: Gao Xiang Reviewed-by: Hongbo Li Link: https://lore.kernel.org/r/20250515014837.3315886-1-shengyong1@xiaomi.com Signed-off-by: Gao Xiang (cherry picked from commit 9748f2f54f66743ac77275c34886a9f890e18409) Signed-off-by: Jonathan Maple --- fs/erofs/super.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fs/erofs/super.c b/fs/erofs/super.c index 2dd7d819572f4..c36a0eb70cddd 100644 --- a/fs/erofs/super.c +++ b/fs/erofs/super.c @@ -188,8 +188,11 @@ static int erofs_init_device(struct erofs_buf *buf, struct super_block *sb, filp_open(dif->path, O_RDONLY | O_LARGEFILE, 0) : bdev_file_open_by_path(dif->path, BLK_OPEN_READ, sb->s_type, NULL); - if (IS_ERR(file)) + if (IS_ERR(file)) { + if (file == ERR_PTR(-ENOTBLK)) + return -EINVAL; return PTR_ERR(file); + } if (!erofs_is_fileio_mode(sbi)) { dif->dax_dev = fs_dax_get_by_bdev(file_bdev(file), From 8b68db7eef561ca0fe445f443df37df302a0f147 Mon Sep 17 00:00:00 2001 From: Jonathan Maple Date: Fri, 20 Feb 2026 12:32:58 -0500 Subject: [PATCH 4/9] ntb_hw_switchtec: Fix shift-out-of-bounds in switchtec_ntb_mw_set_trans jira KERNEL-640 cve CVE-2023-53034 Rebuild_History Non-Buildable kernel-6.12.0-124.38.1.el10_1 commit-author Yajun Deng commit de203da734fae00e75be50220ba5391e7beecdf9 There is a kernel API ntb_mw_clear_trans() would pass 0 to both addr and size. This would make xlate_pos negative. [ 23.734156] switchtec switchtec0: MW 0: part 0 addr 0x0000000000000000 size 0x0000000000000000 [ 23.734158] ================================================================================ [ 23.734172] UBSAN: shift-out-of-bounds in drivers/ntb/hw/mscc/ntb_hw_switchtec.c:293:7 [ 23.734418] shift exponent -1 is negative Ensuring xlate_pos is a positive or zero before BIT. Fixes: 1e2fd202f859 ("ntb_hw_switchtec: Check for alignment of the buffer in mw_set_trans()") Signed-off-by: Yajun Deng Reviewed-by: Logan Gunthorpe Signed-off-by: Jon Mason (cherry picked from commit de203da734fae00e75be50220ba5391e7beecdf9) Signed-off-by: Jonathan Maple --- drivers/ntb/hw/mscc/ntb_hw_switchtec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/ntb/hw/mscc/ntb_hw_switchtec.c b/drivers/ntb/hw/mscc/ntb_hw_switchtec.c index ad1786be2554b..f851397b65d6e 100644 --- a/drivers/ntb/hw/mscc/ntb_hw_switchtec.c +++ b/drivers/ntb/hw/mscc/ntb_hw_switchtec.c @@ -288,7 +288,7 @@ static int switchtec_ntb_mw_set_trans(struct ntb_dev *ntb, int pidx, int widx, if (size != 0 && xlate_pos < 12) return -EINVAL; - if (!IS_ALIGNED(addr, BIT_ULL(xlate_pos))) { + if (xlate_pos >= 0 && !IS_ALIGNED(addr, BIT_ULL(xlate_pos))) { /* * In certain circumstances we can get a buffer that is * not aligned to its size. (Most of the time From 03b1a385c96e66be97e27f79b6de1313122bdfef Mon Sep 17 00:00:00 2001 From: Jonathan Maple Date: Fri, 20 Feb 2026 12:32:59 -0500 Subject: [PATCH 5/9] NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid jira KERNEL-640 cve CVE-2025-68349 Rebuild_History Non-Buildable kernel-6.12.0-124.38.1.el10_1 commit-author Jonathan Curley commit e0f8058f2cb56de0b7572f51cd563ca5debce746 Fixes a crash when layout is null during this call stack: write_inode -> nfs4_write_inode -> pnfs_layoutcommit_inode pnfs_set_layoutcommit relies on the lseg refcount to keep the layout around. Need to clear NFS_INO_LAYOUTCOMMIT otherwise we might attempt to reference a null layout. Fixes: fe1cf9469d7bc ("pNFS: Clear all layout segment state in pnfs_mark_layout_stateid_invalid") Signed-off-by: Jonathan Curley Signed-off-by: Trond Myklebust (cherry picked from commit e0f8058f2cb56de0b7572f51cd563ca5debce746) Signed-off-by: Jonathan Maple --- fs/nfs/pnfs.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c index 1a7ec68bde153..2599ebe19c4d1 100644 --- a/fs/nfs/pnfs.c +++ b/fs/nfs/pnfs.c @@ -466,6 +466,7 @@ pnfs_mark_layout_stateid_invalid(struct pnfs_layout_hdr *lo, struct pnfs_layout_segment *lseg, *next; set_bit(NFS_LAYOUT_INVALID_STID, &lo->plh_flags); + clear_bit(NFS_INO_LAYOUTCOMMIT, &NFS_I(lo->plh_inode)->flags); list_for_each_entry_safe(lseg, next, &lo->plh_segs, pls_list) pnfs_clear_lseg_state(lseg, lseg_list); pnfs_clear_layoutreturn_info(lo); From 3f2ec7c4ca8f3e9c5f207743ed6d1677f604a088 Mon Sep 17 00:00:00 2001 From: Jonathan Maple Date: Fri, 20 Feb 2026 12:32:59 -0500 Subject: [PATCH 6/9] smc: Fix use-after-free in __pnet_find_base_ndev(). jira KERNEL-640 cve CVE-2025-40064 Rebuild_History Non-Buildable kernel-6.12.0-124.38.1.el10_1 commit-author Kuniyuki Iwashima commit 3d3466878afd8d43ec0ca2facfbc7f03e40d0f79 syzbot reported use-after-free of net_device in __pnet_find_base_ndev(), which was called during connect(). [0] smc_pnet_find_ism_resource() fetches sk_dst_get(sk)->dev and passes down to pnet_find_base_ndev(), where RTNL is held. Then, UAF happened at __pnet_find_base_ndev() when the dev is first used. This means dev had already been freed before acquiring RTNL in pnet_find_base_ndev(). While dev is going away, dst->dev could be swapped with blackhole_netdev, and the dev's refcnt by dst will be released. We must hold dev's refcnt before calling smc_pnet_find_ism_resource(). Also, smc_pnet_find_roce_resource() has the same problem. Let's use __sk_dst_get() and dst_dev_rcu() in the two functions. [0]: BUG: KASAN: use-after-free in __pnet_find_base_ndev+0x1b1/0x1c0 net/smc/smc_pnet.c:926 Read of size 1 at addr ffff888036bac33a by task syz.0.3632/18609 CPU: 1 UID: 0 PID: 18609 Comm: syz.0.3632 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 Call Trace: dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 __pnet_find_base_ndev+0x1b1/0x1c0 net/smc/smc_pnet.c:926 pnet_find_base_ndev net/smc/smc_pnet.c:946 [inline] smc_pnet_find_ism_by_pnetid net/smc/smc_pnet.c:1103 [inline] smc_pnet_find_ism_resource+0xef/0x390 net/smc/smc_pnet.c:1154 smc_find_ism_device net/smc/af_smc.c:1030 [inline] smc_find_proposal_devices net/smc/af_smc.c:1115 [inline] __smc_connect+0x372/0x1890 net/smc/af_smc.c:1545 smc_connect+0x877/0xd90 net/smc/af_smc.c:1715 __sys_connect_file net/socket.c:2086 [inline] __sys_connect+0x313/0x440 net/socket.c:2105 __do_sys_connect net/socket.c:2111 [inline] __se_sys_connect net/socket.c:2108 [inline] __x64_sys_connect+0x7a/0x90 net/socket.c:2108 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f47cbf8eba9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f47ccdb1038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 00007f47cc1d5fa0 RCX: 00007f47cbf8eba9 RDX: 0000000000000010 RSI: 0000200000000280 RDI: 000000000000000b RBP: 00007f47cc011e19 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f47cc1d6038 R14: 00007f47cc1d5fa0 R15: 00007ffc512f8aa8 The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888036bacd00 pfn:0x36bac flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 ffffea0001243d08 ffff8880b863fdc0 0000000000000000 raw: ffff888036bacd00 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 2, migratetype Unmovable, gfp_mask 0x446dc0(GFP_KERNEL_ACCOUNT|__GFP_ZERO|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_COMP), pid 16741, tgid 16741 (syz-executor), ts 343313197788, free_ts 380670750466 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851 prep_new_page mm/page_alloc.c:1859 [inline] get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416 ___kmalloc_large_node+0x5f/0x1b0 mm/slub.c:4317 __kmalloc_large_node_noprof+0x18/0x90 mm/slub.c:4348 __do_kmalloc_node mm/slub.c:4364 [inline] __kvmalloc_node_noprof+0x6d/0x5f0 mm/slub.c:5067 alloc_netdev_mqs+0xa3/0x11b0 net/core/dev.c:11812 tun_set_iff+0x532/0xef0 drivers/net/tun.c:2775 __tun_chr_ioctl+0x788/0x1df0 drivers/net/tun.c:3085 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:598 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:584 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 18610 tgid 18608 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1395 [inline] __free_frozen_pages+0xbc4/0xd30 mm/page_alloc.c:2895 free_large_kmalloc+0x13a/0x1f0 mm/slub.c:4820 device_release+0x99/0x1c0 drivers/base/core.c:-1 kobject_cleanup lib/kobject.c:689 [inline] kobject_release lib/kobject.c:720 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x22b/0x480 lib/kobject.c:737 netdev_run_todo+0xd2e/0xea0 net/core/dev.c:11513 rtnl_unlock net/core/rtnetlink.c:157 [inline] rtnl_net_unlock include/linux/rtnetlink.h:135 [inline] rtnl_dellink+0x537/0x710 net/core/rtnetlink.c:3563 rtnetlink_rcv_msg+0x7cc/0xb70 net/core/rtnetlink.c:6946 netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1346 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896 sock_sendmsg_nosec net/socket.c:714 [inline] __sock_sendmsg+0x219/0x270 net/socket.c:729 ____sys_sendmsg+0x505/0x830 net/socket.c:2614 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668 __sys_sendmsg net/socket.c:2700 [inline] __do_sys_sendmsg net/socket.c:2705 [inline] __se_sys_sendmsg net/socket.c:2703 [inline] __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2703 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Memory state around the buggy address: ffff888036bac200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888036bac280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff888036bac300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff888036bac380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888036bac400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Fixes: 0afff91c6f5e ("net/smc: add pnetid support") Fixes: 1619f770589a ("net/smc: add pnetid support for SMC-D and ISM") Reported-by: syzbot+ea28e9d85be2f327b6c6@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/68c237c7.050a0220.3c6139.0036.GAE@google.com/ Signed-off-by: Kuniyuki Iwashima Reviewed-by: Eric Dumazet Link: https://patch.msgid.link/20250916214758.650211-2-kuniyu@google.com Signed-off-by: Jakub Kicinski (cherry picked from commit 3d3466878afd8d43ec0ca2facfbc7f03e40d0f79) Signed-off-by: Jonathan Maple --- net/smc/smc_pnet.c | 43 ++++++++++++++++++++++--------------------- 1 file changed, 22 insertions(+), 21 deletions(-) diff --git a/net/smc/smc_pnet.c b/net/smc/smc_pnet.c index 716808f374a8d..b1a35ffb7dcc7 100644 --- a/net/smc/smc_pnet.c +++ b/net/smc/smc_pnet.c @@ -1124,37 +1124,38 @@ static void smc_pnet_find_ism_by_pnetid(struct net_device *ndev, */ void smc_pnet_find_roce_resource(struct sock *sk, struct smc_init_info *ini) { - struct dst_entry *dst = sk_dst_get(sk); - - if (!dst) - goto out; - if (!dst->dev) - goto out_rel; + struct net_device *dev; + struct dst_entry *dst; - smc_pnet_find_roce_by_pnetid(dst->dev, ini); + rcu_read_lock(); + dst = __sk_dst_get(sk); + dev = dst ? dst_dev_rcu(dst) : NULL; + dev_hold(dev); + rcu_read_unlock(); -out_rel: - dst_release(dst); -out: - return; + if (dev) { + smc_pnet_find_roce_by_pnetid(dev, ini); + dev_put(dev); + } } void smc_pnet_find_ism_resource(struct sock *sk, struct smc_init_info *ini) { - struct dst_entry *dst = sk_dst_get(sk); + struct net_device *dev; + struct dst_entry *dst; ini->ism_dev[0] = NULL; - if (!dst) - goto out; - if (!dst->dev) - goto out_rel; - smc_pnet_find_ism_by_pnetid(dst->dev, ini); + rcu_read_lock(); + dst = __sk_dst_get(sk); + dev = dst ? dst_dev_rcu(dst) : NULL; + dev_hold(dev); + rcu_read_unlock(); -out_rel: - dst_release(dst); -out: - return; + if (dev) { + smc_pnet_find_ism_by_pnetid(dev, ini); + dev_put(dev); + } } /* Lookup and apply a pnet table entry to the given ib device. From 7ee5971ef736d3975c5a05eee2b199613da77933 Mon Sep 17 00:00:00 2001 From: Jonathan Maple Date: Fri, 20 Feb 2026 12:32:59 -0500 Subject: [PATCH 7/9] bpf: Do not audit capability check in do_jit() jira KERNEL-640 Rebuild_History Non-Buildable kernel-6.12.0-124.38.1.el10_1 commit-author Ondrej Mosnacek commit 881a9c9cb7856b24e390fad9f59acfd73b98b3b2 The failure of this check only results in a security mitigation being applied, slightly affecting performance of the compiled BPF program. It doesn't result in a failed syscall, an thus auditing a failed LSM permission check for it is unwanted. For example with SELinux, it causes a denial to be reported for confined processes running as root, which tends to be flagged as a problem to be fixed in the policy. Yet dontauditing or allowing CAP_SYS_ADMIN to the domain may not be desirable, as it would allow/silence also other checks - either going against the principle of least privilege or making debugging potentially harder. Fix it by changing it from capable() to ns_capable_noaudit(), which instructs the LSMs to not audit the resulting denials. Link: https://bugzilla.redhat.com/show_bug.cgi?id=2369326 Fixes: d4e89d212d40 ("x86/bpf: Call branch history clearing sequence on exit") Signed-off-by: Ondrej Mosnacek Reviewed-by: Paul Moore Link: https://lore.kernel.org/r/20251021122758.2659513-1-omosnace@redhat.com Signed-off-by: Alexei Starovoitov (cherry picked from commit 881a9c9cb7856b24e390fad9f59acfd73b98b3b2) Signed-off-by: Jonathan Maple --- arch/x86/net/bpf_jit_comp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c index d12cd8fcc54b7..30d4538af7837 100644 --- a/arch/x86/net/bpf_jit_comp.c +++ b/arch/x86/net/bpf_jit_comp.c @@ -2515,7 +2515,7 @@ st: if (is_imm8(insn->off)) /* Update cleanup_addr */ ctx->cleanup_addr = proglen; if (bpf_prog_was_classic(bpf_prog) && - !capable(CAP_SYS_ADMIN)) { + !ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN)) { u8 *ip = image + addrs[i - 1]; if (emit_spectre_bhb_barrier(&prog, ip, bpf_prog)) From a70acc550cdd0d933d7af71d7cd5ce0bf4de616c Mon Sep 17 00:00:00 2001 From: Jonathan Maple Date: Fri, 20 Feb 2026 12:32:59 -0500 Subject: [PATCH 8/9] i40e: avoid redundant VF link state updates jira KERNEL-640 Rebuild_History Non-Buildable kernel-6.12.0-124.38.1.el10_1 commit-author Jay Vosburgh commit a7ae783da0b919550e260aebfca1c6ef030b99a4 Multiple sources can request VF link state changes with identical parameters. For example, OpenStack Neutron may request to set the VF link state to IFLA_VF_LINK_STATE_AUTO during every initialization or user can issue: `ip link set vf 0 state auto` multiple times. Currently, the i40e driver processes each of these requests, even if the requested state is the same as the current one. This leads to unnecessary VF resets and can cause performance degradation or instability in the VF driver, particularly in environment using Data Plane Development Kit (DPDK). With this patch i40e will skip VF link state change requests when the desired link state matches the current configuration. This prevents unnecessary VF resets and reduces PF-VF communication overhead. To reproduce the problem run following command multiple times on the same interface: 'ip link set vf 0 state auto' Every time command is executed, PF driver will trigger VF reset. Co-developed-by: Robert Malz Signed-off-by: Robert Malz Signed-off-by: Jay Vosburgh Reviewed-by: Aleksandr Loktionov Tested-by: Rafal Romanowski Signed-off-by: Tony Nguyen (cherry picked from commit a7ae783da0b919550e260aebfca1c6ef030b99a4) Signed-off-by: Jonathan Maple --- drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c index 950549649995b..5d2c53b7e5b5b 100644 --- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c @@ -4803,6 +4803,7 @@ int i40e_ndo_set_vf_link_state(struct net_device *netdev, int vf_id, int link) unsigned long q_map; struct i40e_vf *vf; int abs_vf_id; + int old_link; int ret = 0; int tmp; @@ -4821,6 +4822,17 @@ int i40e_ndo_set_vf_link_state(struct net_device *netdev, int vf_id, int link) vf = &pf->vf[vf_id]; abs_vf_id = vf->vf_id + hw->func_caps.vf_base_id; + /* skip VF link state change if requested state is already set */ + if (!vf->link_forced) + old_link = IFLA_VF_LINK_STATE_AUTO; + else if (vf->link_up) + old_link = IFLA_VF_LINK_STATE_ENABLE; + else + old_link = IFLA_VF_LINK_STATE_DISABLE; + + if (link == old_link) + goto error_out; + pfe.event = VIRTCHNL_EVENT_LINK_CHANGE; pfe.severity = PF_EVENT_SEVERITY_INFO; From d6ba498d5a6bdf8cb673fc5279aedb517ace99f7 Mon Sep 17 00:00:00 2001 From: Jonathan Maple Date: Fri, 20 Feb 2026 12:33:13 -0500 Subject: [PATCH 9/9] Rebuild rocky10_1 with kernel-6.12.0-124.38.1.el10_1 Rebuild_History BUILDABLE Rebuilding Kernel from rpm changelog with Fuzz Limit: 87.50% Number of commits in upstream range v6.12~1..kernel-mainline: 93416 Number of commits in rpm: 13 Number of commits matched with upstream: 8 (61.54%) Number of commits in upstream but not in rpm: 93408 Number of commits NOT found in upstream: 5 (38.46%) Rebuilding Kernel on Branch rocky10_1_rebuild_kernel-6.12.0-124.38.1.el10_1 for kernel-6.12.0-124.38.1.el10_1 Clean Cherry Picks: 8 (100.00%) Empty Cherry Picks: 0 (0.00%) _______________________________ Full Details Located here: ciq/ciq_backports/kernel-6.12.0-124.38.1.el10_1/rebuild.details.txt Includes: * git commit header above * Empty Commits with upstream SHA * RPM ChangeLog Entries that could not be matched Individual Empty Commit failures contained in the same containing directory. The git message for empty commits will have the path for the failed commit. File names are the first 8 characters of the upstream SHA --- ...1.el10_1 => COPYING-6.12.0-124.38.1.el10_1 | 0 Makefile.rhelver | 2 +- .../rebuild.details.txt | 21 +++++++++++++++++++ .../kernel-6.12.0-aarch64-64k-debug.config | 2 +- configs/kernel-6.12.0-aarch64-64k.config | 2 +- configs/kernel-6.12.0-aarch64-debug.config | 2 +- .../kernel-6.12.0-aarch64-rt-64k-debug.config | 2 +- configs/kernel-6.12.0-aarch64-rt-64k.config | 2 +- configs/kernel-6.12.0-aarch64-rt-debug.config | 2 +- configs/kernel-6.12.0-aarch64-rt.config | 2 +- configs/kernel-6.12.0-aarch64.config | 2 +- configs/kernel-6.12.0-ppc64le-debug.config | 2 +- configs/kernel-6.12.0-ppc64le.config | 2 +- configs/kernel-6.12.0-s390x-debug.config | 2 +- configs/kernel-6.12.0-s390x-zfcpdump.config | 2 +- configs/kernel-6.12.0-s390x.config | 2 +- configs/kernel-6.12.0-x86_64-debug.config | 2 +- configs/kernel-6.12.0-x86_64-rt-debug.config | 2 +- configs/kernel-6.12.0-x86_64-rt.config | 2 +- configs/kernel-6.12.0-x86_64.config | 2 +- configs/kernel-aarch64-64k-debug-rhel.config | 2 +- configs/kernel-aarch64-64k-rhel.config | 2 +- configs/kernel-aarch64-debug-rhel.config | 2 +- configs/kernel-aarch64-rhel.config | 2 +- .../kernel-aarch64-rt-64k-debug-rhel.config | 2 +- configs/kernel-aarch64-rt-64k-rhel.config | 2 +- configs/kernel-aarch64-rt-debug-rhel.config | 2 +- configs/kernel-aarch64-rt-rhel.config | 2 +- configs/kernel-ppc64le-debug-rhel.config | 2 +- configs/kernel-ppc64le-rhel.config | 2 +- configs/kernel-s390x-debug-rhel.config | 2 +- configs/kernel-s390x-rhel.config | 2 +- configs/kernel-s390x-zfcpdump-rhel.config | 2 +- configs/kernel-x86_64-debug-rhel.config | 2 +- configs/kernel-x86_64-rhel.config | 2 +- configs/kernel-x86_64-rt-debug-rhel.config | 2 +- configs/kernel-x86_64-rt-rhel.config | 2 +- drivers/nvme/target/tcp.c | 12 +++++++++++ drivers/scsi/storvsc_drv.c | 3 ++- .../generic/CONFIG_CRYPTO_JITTERENTROPY_OSR | 1 + .../generic/CONFIG_CRYPTO_JITTERENTROPY_OSR | 2 +- redhat/kernel.changelog-10.1 | 19 +++++++++++++++++ uki-addons.sbat | 4 ++-- uki.sbat | 4 ++-- 44 files changed, 95 insertions(+), 41 deletions(-) rename COPYING-6.12.0-124.35.1.el10_1 => COPYING-6.12.0-124.38.1.el10_1 (100%) create mode 100644 ciq/ciq_backports/kernel-6.12.0-124.38.1.el10_1/rebuild.details.txt create mode 100644 redhat/configs/rhel/automotive/generic/CONFIG_CRYPTO_JITTERENTROPY_OSR diff --git a/COPYING-6.12.0-124.35.1.el10_1 b/COPYING-6.12.0-124.38.1.el10_1 similarity index 100% rename from COPYING-6.12.0-124.35.1.el10_1 rename to COPYING-6.12.0-124.38.1.el10_1 diff --git a/Makefile.rhelver b/Makefile.rhelver index f4fc763e3bbd1..69a8a50466346 100644 --- a/Makefile.rhelver +++ b/Makefile.rhelver @@ -12,7 +12,7 @@ RHEL_MINOR = 1 # # Use this spot to avoid future merge conflicts. # Do not trim this comment. -RHEL_RELEASE = 124.35.1 +RHEL_RELEASE = 124.38.1 # # RHEL_REBASE_NUM diff --git a/ciq/ciq_backports/kernel-6.12.0-124.38.1.el10_1/rebuild.details.txt b/ciq/ciq_backports/kernel-6.12.0-124.38.1.el10_1/rebuild.details.txt new file mode 100644 index 0000000000000..2117599d7fe6d --- /dev/null +++ b/ciq/ciq_backports/kernel-6.12.0-124.38.1.el10_1/rebuild.details.txt @@ -0,0 +1,21 @@ +Rebuild_History BUILDABLE +Rebuilding Kernel from rpm changelog with Fuzz Limit: 87.50% +Number of commits in upstream range v6.12~1..kernel-mainline: 93416 +Number of commits in rpm: 13 +Number of commits matched with upstream: 8 (61.54%) +Number of commits in upstream but not in rpm: 93408 +Number of commits NOT found in upstream: 5 (38.46%) + +Rebuilding Kernel on Branch rocky10_1_rebuild_kernel-6.12.0-124.38.1.el10_1 for kernel-6.12.0-124.38.1.el10_1 +Clean Cherry Picks: 8 (100.00%) +Empty Cherry Picks: 0 (0.00%) +_______________________________ + +__EMPTY COMMITS__________________________ + +__CHANGES NOT IN UPSTREAM________________ +Add partial riscv64 support for build root' +Provide basic VisionFive 2 support' +Patch MMU for riscv64' +scsi: storvsc: Process unsupported MODE_SENSE_10 +nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec diff --git a/configs/kernel-6.12.0-aarch64-64k-debug.config b/configs/kernel-6.12.0-aarch64-64k-debug.config index 89c63ec931d57..c8a69da8830bf 100644 --- a/configs/kernel-6.12.0-aarch64-64k-debug.config +++ b/configs/kernel-6.12.0-aarch64-64k-debug.config @@ -8343,7 +8343,7 @@ CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_2=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_8192 is not set CONFIG_CRYPTO_JITTERENTROPY_MEMORY_BLOCKS=64 CONFIG_CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE=32 -CONFIG_CRYPTO_JITTERENTROPY_OSR=1 +CONFIG_CRYPTO_JITTERENTROPY_OSR=3 # CONFIG_CRYPTO_JITTERENTROPY_TESTINTERFACE is not set CONFIG_CRYPTO_KDF800108_CTR=y # end of Random number generation diff --git a/configs/kernel-6.12.0-aarch64-64k.config b/configs/kernel-6.12.0-aarch64-64k.config index 2c31913a36ffd..20f440bccae04 100644 --- a/configs/kernel-6.12.0-aarch64-64k.config +++ b/configs/kernel-6.12.0-aarch64-64k.config @@ -8320,7 +8320,7 @@ CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_2=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_8192 is not set CONFIG_CRYPTO_JITTERENTROPY_MEMORY_BLOCKS=64 CONFIG_CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE=32 -CONFIG_CRYPTO_JITTERENTROPY_OSR=1 +CONFIG_CRYPTO_JITTERENTROPY_OSR=3 # CONFIG_CRYPTO_JITTERENTROPY_TESTINTERFACE is not set CONFIG_CRYPTO_KDF800108_CTR=y # end of Random number generation diff --git a/configs/kernel-6.12.0-aarch64-debug.config b/configs/kernel-6.12.0-aarch64-debug.config index 897ec5ee1ca2a..7fa8b8fe3ab15 100644 --- a/configs/kernel-6.12.0-aarch64-debug.config +++ b/configs/kernel-6.12.0-aarch64-debug.config @@ -8350,7 +8350,7 @@ CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_2=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_8192 is not set CONFIG_CRYPTO_JITTERENTROPY_MEMORY_BLOCKS=64 CONFIG_CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE=32 -CONFIG_CRYPTO_JITTERENTROPY_OSR=1 +CONFIG_CRYPTO_JITTERENTROPY_OSR=3 # CONFIG_CRYPTO_JITTERENTROPY_TESTINTERFACE is not set CONFIG_CRYPTO_KDF800108_CTR=y # end of Random number generation diff --git a/configs/kernel-6.12.0-aarch64-rt-64k-debug.config b/configs/kernel-6.12.0-aarch64-rt-64k-debug.config index f9a446a620d3b..cd3cca38f32bd 100644 --- a/configs/kernel-6.12.0-aarch64-rt-64k-debug.config +++ b/configs/kernel-6.12.0-aarch64-rt-64k-debug.config @@ -8325,7 +8325,7 @@ CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_2=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_8192 is not set CONFIG_CRYPTO_JITTERENTROPY_MEMORY_BLOCKS=64 CONFIG_CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE=32 -CONFIG_CRYPTO_JITTERENTROPY_OSR=1 +CONFIG_CRYPTO_JITTERENTROPY_OSR=3 # CONFIG_CRYPTO_JITTERENTROPY_TESTINTERFACE is not set CONFIG_CRYPTO_KDF800108_CTR=y # end of Random number generation diff --git a/configs/kernel-6.12.0-aarch64-rt-64k.config b/configs/kernel-6.12.0-aarch64-rt-64k.config index da134a98df4b9..99ce3355c6ae9 100644 --- a/configs/kernel-6.12.0-aarch64-rt-64k.config +++ b/configs/kernel-6.12.0-aarch64-rt-64k.config @@ -8302,7 +8302,7 @@ CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_2=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_8192 is not set CONFIG_CRYPTO_JITTERENTROPY_MEMORY_BLOCKS=64 CONFIG_CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE=32 -CONFIG_CRYPTO_JITTERENTROPY_OSR=1 +CONFIG_CRYPTO_JITTERENTROPY_OSR=3 # CONFIG_CRYPTO_JITTERENTROPY_TESTINTERFACE is not set CONFIG_CRYPTO_KDF800108_CTR=y # end of Random number generation diff --git a/configs/kernel-6.12.0-aarch64-rt-debug.config b/configs/kernel-6.12.0-aarch64-rt-debug.config index a54e5e6e98e19..7338b135c4ffe 100644 --- a/configs/kernel-6.12.0-aarch64-rt-debug.config +++ b/configs/kernel-6.12.0-aarch64-rt-debug.config @@ -8331,7 +8331,7 @@ CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_2=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_8192 is not set CONFIG_CRYPTO_JITTERENTROPY_MEMORY_BLOCKS=64 CONFIG_CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE=32 -CONFIG_CRYPTO_JITTERENTROPY_OSR=1 +CONFIG_CRYPTO_JITTERENTROPY_OSR=3 # CONFIG_CRYPTO_JITTERENTROPY_TESTINTERFACE is not set CONFIG_CRYPTO_KDF800108_CTR=y # end of Random number generation diff --git a/configs/kernel-6.12.0-aarch64-rt.config b/configs/kernel-6.12.0-aarch64-rt.config index 1cd5fe06c54cf..05fd53241b7df 100644 --- a/configs/kernel-6.12.0-aarch64-rt.config +++ b/configs/kernel-6.12.0-aarch64-rt.config @@ -8308,7 +8308,7 @@ CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_2=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_8192 is not set CONFIG_CRYPTO_JITTERENTROPY_MEMORY_BLOCKS=64 CONFIG_CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE=32 -CONFIG_CRYPTO_JITTERENTROPY_OSR=1 +CONFIG_CRYPTO_JITTERENTROPY_OSR=3 # CONFIG_CRYPTO_JITTERENTROPY_TESTINTERFACE is not set CONFIG_CRYPTO_KDF800108_CTR=y # end of Random number generation diff --git a/configs/kernel-6.12.0-aarch64.config b/configs/kernel-6.12.0-aarch64.config index d128a41b44560..3077e8a17f0be 100644 --- a/configs/kernel-6.12.0-aarch64.config +++ b/configs/kernel-6.12.0-aarch64.config @@ -8327,7 +8327,7 @@ CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_2=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_8192 is not set CONFIG_CRYPTO_JITTERENTROPY_MEMORY_BLOCKS=64 CONFIG_CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE=32 -CONFIG_CRYPTO_JITTERENTROPY_OSR=1 +CONFIG_CRYPTO_JITTERENTROPY_OSR=3 # CONFIG_CRYPTO_JITTERENTROPY_TESTINTERFACE is not set CONFIG_CRYPTO_KDF800108_CTR=y # end of Random number generation diff --git a/configs/kernel-6.12.0-ppc64le-debug.config b/configs/kernel-6.12.0-ppc64le-debug.config index ccfa3eca8218d..479f66a704df5 100644 --- a/configs/kernel-6.12.0-ppc64le-debug.config +++ b/configs/kernel-6.12.0-ppc64le-debug.config @@ -6604,7 +6604,7 @@ CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_2=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_8192 is not set CONFIG_CRYPTO_JITTERENTROPY_MEMORY_BLOCKS=64 CONFIG_CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE=32 -CONFIG_CRYPTO_JITTERENTROPY_OSR=1 +CONFIG_CRYPTO_JITTERENTROPY_OSR=3 # CONFIG_CRYPTO_JITTERENTROPY_TESTINTERFACE is not set CONFIG_CRYPTO_KDF800108_CTR=y # end of Random number generation diff --git a/configs/kernel-6.12.0-ppc64le.config b/configs/kernel-6.12.0-ppc64le.config index bd9863680037a..b247bca03800c 100644 --- a/configs/kernel-6.12.0-ppc64le.config +++ b/configs/kernel-6.12.0-ppc64le.config @@ -6600,7 +6600,7 @@ CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_2=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_8192 is not set CONFIG_CRYPTO_JITTERENTROPY_MEMORY_BLOCKS=64 CONFIG_CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE=32 -CONFIG_CRYPTO_JITTERENTROPY_OSR=1 +CONFIG_CRYPTO_JITTERENTROPY_OSR=3 # CONFIG_CRYPTO_JITTERENTROPY_TESTINTERFACE is not set CONFIG_CRYPTO_KDF800108_CTR=y # end of Random number generation diff --git a/configs/kernel-6.12.0-s390x-debug.config b/configs/kernel-6.12.0-s390x-debug.config index f84080c298096..966fe68dba071 100644 --- a/configs/kernel-6.12.0-s390x-debug.config +++ b/configs/kernel-6.12.0-s390x-debug.config @@ -3758,7 +3758,7 @@ CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_2=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_8192 is not set CONFIG_CRYPTO_JITTERENTROPY_MEMORY_BLOCKS=64 CONFIG_CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE=32 -CONFIG_CRYPTO_JITTERENTROPY_OSR=1 +CONFIG_CRYPTO_JITTERENTROPY_OSR=3 # CONFIG_CRYPTO_JITTERENTROPY_TESTINTERFACE is not set CONFIG_CRYPTO_KDF800108_CTR=y # end of Random number generation diff --git a/configs/kernel-6.12.0-s390x-zfcpdump.config b/configs/kernel-6.12.0-s390x-zfcpdump.config index c65275e81257d..a06e1a49bd260 100644 --- a/configs/kernel-6.12.0-s390x-zfcpdump.config +++ b/configs/kernel-6.12.0-s390x-zfcpdump.config @@ -1605,7 +1605,7 @@ CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_2=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_8192 is not set CONFIG_CRYPTO_JITTERENTROPY_MEMORY_BLOCKS=64 CONFIG_CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE=32 -CONFIG_CRYPTO_JITTERENTROPY_OSR=1 +CONFIG_CRYPTO_JITTERENTROPY_OSR=3 # CONFIG_CRYPTO_JITTERENTROPY_TESTINTERFACE is not set # end of Random number generation diff --git a/configs/kernel-6.12.0-s390x.config b/configs/kernel-6.12.0-s390x.config index d61c6b9108897..09571f50e9012 100644 --- a/configs/kernel-6.12.0-s390x.config +++ b/configs/kernel-6.12.0-s390x.config @@ -3783,7 +3783,7 @@ CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_2=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_8192 is not set CONFIG_CRYPTO_JITTERENTROPY_MEMORY_BLOCKS=64 CONFIG_CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE=32 -CONFIG_CRYPTO_JITTERENTROPY_OSR=1 +CONFIG_CRYPTO_JITTERENTROPY_OSR=3 # CONFIG_CRYPTO_JITTERENTROPY_TESTINTERFACE is not set CONFIG_CRYPTO_KDF800108_CTR=y # end of Random number generation diff --git a/configs/kernel-6.12.0-x86_64-debug.config b/configs/kernel-6.12.0-x86_64-debug.config index 94d09a557b775..b08ef88800255 100644 --- a/configs/kernel-6.12.0-x86_64-debug.config +++ b/configs/kernel-6.12.0-x86_64-debug.config @@ -9108,7 +9108,7 @@ CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_2=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_8192 is not set CONFIG_CRYPTO_JITTERENTROPY_MEMORY_BLOCKS=64 CONFIG_CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE=32 -CONFIG_CRYPTO_JITTERENTROPY_OSR=1 +CONFIG_CRYPTO_JITTERENTROPY_OSR=3 # CONFIG_CRYPTO_JITTERENTROPY_TESTINTERFACE is not set CONFIG_CRYPTO_KDF800108_CTR=y # end of Random number generation diff --git a/configs/kernel-6.12.0-x86_64-rt-debug.config b/configs/kernel-6.12.0-x86_64-rt-debug.config index ebf9dd7915a3b..93663804cc0cf 100644 --- a/configs/kernel-6.12.0-x86_64-rt-debug.config +++ b/configs/kernel-6.12.0-x86_64-rt-debug.config @@ -9089,7 +9089,7 @@ CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_2=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_8192 is not set CONFIG_CRYPTO_JITTERENTROPY_MEMORY_BLOCKS=64 CONFIG_CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE=32 -CONFIG_CRYPTO_JITTERENTROPY_OSR=1 +CONFIG_CRYPTO_JITTERENTROPY_OSR=3 # CONFIG_CRYPTO_JITTERENTROPY_TESTINTERFACE is not set CONFIG_CRYPTO_KDF800108_CTR=y # end of Random number generation diff --git a/configs/kernel-6.12.0-x86_64-rt.config b/configs/kernel-6.12.0-x86_64-rt.config index ce4a536a71663..bc526efab6aa4 100644 --- a/configs/kernel-6.12.0-x86_64-rt.config +++ b/configs/kernel-6.12.0-x86_64-rt.config @@ -9060,7 +9060,7 @@ CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_2=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_8192 is not set CONFIG_CRYPTO_JITTERENTROPY_MEMORY_BLOCKS=64 CONFIG_CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE=32 -CONFIG_CRYPTO_JITTERENTROPY_OSR=1 +CONFIG_CRYPTO_JITTERENTROPY_OSR=3 # CONFIG_CRYPTO_JITTERENTROPY_TESTINTERFACE is not set CONFIG_CRYPTO_KDF800108_CTR=y # end of Random number generation diff --git a/configs/kernel-6.12.0-x86_64.config b/configs/kernel-6.12.0-x86_64.config index 00afa86d9d1ea..8b65d83131b12 100644 --- a/configs/kernel-6.12.0-x86_64.config +++ b/configs/kernel-6.12.0-x86_64.config @@ -9079,7 +9079,7 @@ CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_2=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_8192 is not set CONFIG_CRYPTO_JITTERENTROPY_MEMORY_BLOCKS=64 CONFIG_CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE=32 -CONFIG_CRYPTO_JITTERENTROPY_OSR=1 +CONFIG_CRYPTO_JITTERENTROPY_OSR=3 # CONFIG_CRYPTO_JITTERENTROPY_TESTINTERFACE is not set CONFIG_CRYPTO_KDF800108_CTR=y # end of Random number generation diff --git a/configs/kernel-aarch64-64k-debug-rhel.config b/configs/kernel-aarch64-64k-debug-rhel.config index 66d4cde860a25..8102a74535237 100644 --- a/configs/kernel-aarch64-64k-debug-rhel.config +++ b/configs/kernel-aarch64-64k-debug-rhel.config @@ -1281,7 +1281,7 @@ CONFIG_CRYPTO_HW=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_128 is not set CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_2=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_8192 is not set -CONFIG_CRYPTO_JITTERENTROPY_OSR=1 +CONFIG_CRYPTO_JITTERENTROPY_OSR=3 # CONFIG_CRYPTO_JITTERENTROPY_TESTINTERFACE is not set # CONFIG_CRYPTO_KEYWRAP is not set CONFIG_CRYPTO_LIB_AESCFB=y diff --git a/configs/kernel-aarch64-64k-rhel.config b/configs/kernel-aarch64-64k-rhel.config index d9c8093459ff3..624af66475982 100644 --- a/configs/kernel-aarch64-64k-rhel.config +++ b/configs/kernel-aarch64-64k-rhel.config @@ -1281,7 +1281,7 @@ CONFIG_CRYPTO_HW=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_128 is not set CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_2=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_8192 is not set -CONFIG_CRYPTO_JITTERENTROPY_OSR=1 +CONFIG_CRYPTO_JITTERENTROPY_OSR=3 # CONFIG_CRYPTO_JITTERENTROPY_TESTINTERFACE is not set # CONFIG_CRYPTO_KEYWRAP is not set CONFIG_CRYPTO_LIB_AESCFB=y diff --git a/configs/kernel-aarch64-debug-rhel.config b/configs/kernel-aarch64-debug-rhel.config index 6f1501878857b..26f6efa033e7c 100644 --- a/configs/kernel-aarch64-debug-rhel.config +++ b/configs/kernel-aarch64-debug-rhel.config @@ -1279,7 +1279,7 @@ CONFIG_CRYPTO_HW=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_128 is not set CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_2=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_8192 is not set -CONFIG_CRYPTO_JITTERENTROPY_OSR=1 +CONFIG_CRYPTO_JITTERENTROPY_OSR=3 # CONFIG_CRYPTO_JITTERENTROPY_TESTINTERFACE is not set # CONFIG_CRYPTO_KEYWRAP is not set CONFIG_CRYPTO_LIB_AESCFB=y diff --git a/configs/kernel-aarch64-rhel.config b/configs/kernel-aarch64-rhel.config index 342bdc049339c..98d952eee1e52 100644 --- a/configs/kernel-aarch64-rhel.config +++ b/configs/kernel-aarch64-rhel.config @@ -1279,7 +1279,7 @@ CONFIG_CRYPTO_HW=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_128 is not set CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_2=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_8192 is not set -CONFIG_CRYPTO_JITTERENTROPY_OSR=1 +CONFIG_CRYPTO_JITTERENTROPY_OSR=3 # CONFIG_CRYPTO_JITTERENTROPY_TESTINTERFACE is not set # CONFIG_CRYPTO_KEYWRAP is not set CONFIG_CRYPTO_LIB_AESCFB=y diff --git a/configs/kernel-aarch64-rt-64k-debug-rhel.config b/configs/kernel-aarch64-rt-64k-debug-rhel.config index 011f04d13ca3a..ee576390ddb34 100644 --- a/configs/kernel-aarch64-rt-64k-debug-rhel.config +++ b/configs/kernel-aarch64-rt-64k-debug-rhel.config @@ -1282,7 +1282,7 @@ CONFIG_CRYPTO_HW=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_128 is not set CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_2=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_8192 is not set -CONFIG_CRYPTO_JITTERENTROPY_OSR=1 +CONFIG_CRYPTO_JITTERENTROPY_OSR=3 # CONFIG_CRYPTO_JITTERENTROPY_TESTINTERFACE is not set # CONFIG_CRYPTO_KEYWRAP is not set CONFIG_CRYPTO_LIB_AESCFB=y diff --git a/configs/kernel-aarch64-rt-64k-rhel.config b/configs/kernel-aarch64-rt-64k-rhel.config index 5354322b12432..98bf11bc2842f 100644 --- a/configs/kernel-aarch64-rt-64k-rhel.config +++ b/configs/kernel-aarch64-rt-64k-rhel.config @@ -1282,7 +1282,7 @@ CONFIG_CRYPTO_HW=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_128 is not set CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_2=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_8192 is not set -CONFIG_CRYPTO_JITTERENTROPY_OSR=1 +CONFIG_CRYPTO_JITTERENTROPY_OSR=3 # CONFIG_CRYPTO_JITTERENTROPY_TESTINTERFACE is not set # CONFIG_CRYPTO_KEYWRAP is not set CONFIG_CRYPTO_LIB_AESCFB=y diff --git a/configs/kernel-aarch64-rt-debug-rhel.config b/configs/kernel-aarch64-rt-debug-rhel.config index 6900b1706f0e7..fe7be237e1a2d 100644 --- a/configs/kernel-aarch64-rt-debug-rhel.config +++ b/configs/kernel-aarch64-rt-debug-rhel.config @@ -1280,7 +1280,7 @@ CONFIG_CRYPTO_HW=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_128 is not set CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_2=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_8192 is not set -CONFIG_CRYPTO_JITTERENTROPY_OSR=1 +CONFIG_CRYPTO_JITTERENTROPY_OSR=3 # CONFIG_CRYPTO_JITTERENTROPY_TESTINTERFACE is not set # CONFIG_CRYPTO_KEYWRAP is not set CONFIG_CRYPTO_LIB_AESCFB=y diff --git a/configs/kernel-aarch64-rt-rhel.config b/configs/kernel-aarch64-rt-rhel.config index 89fa1e7420f7a..02ed4abae517e 100644 --- a/configs/kernel-aarch64-rt-rhel.config +++ b/configs/kernel-aarch64-rt-rhel.config @@ -1280,7 +1280,7 @@ CONFIG_CRYPTO_HW=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_128 is not set CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_2=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_8192 is not set -CONFIG_CRYPTO_JITTERENTROPY_OSR=1 +CONFIG_CRYPTO_JITTERENTROPY_OSR=3 # CONFIG_CRYPTO_JITTERENTROPY_TESTINTERFACE is not set # CONFIG_CRYPTO_KEYWRAP is not set CONFIG_CRYPTO_LIB_AESCFB=y diff --git a/configs/kernel-ppc64le-debug-rhel.config b/configs/kernel-ppc64le-debug-rhel.config index 9d47362150fec..ee08f1b918b9c 100644 --- a/configs/kernel-ppc64le-debug-rhel.config +++ b/configs/kernel-ppc64le-debug-rhel.config @@ -1044,7 +1044,7 @@ CONFIG_CRYPTO_HW=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_128 is not set CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_2=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_8192 is not set -CONFIG_CRYPTO_JITTERENTROPY_OSR=1 +CONFIG_CRYPTO_JITTERENTROPY_OSR=3 # CONFIG_CRYPTO_JITTERENTROPY_TESTINTERFACE is not set # CONFIG_CRYPTO_KEYWRAP is not set CONFIG_CRYPTO_LIB_AESCFB=y diff --git a/configs/kernel-ppc64le-rhel.config b/configs/kernel-ppc64le-rhel.config index e9cfa0da25ec5..0e621e5485dca 100644 --- a/configs/kernel-ppc64le-rhel.config +++ b/configs/kernel-ppc64le-rhel.config @@ -1044,7 +1044,7 @@ CONFIG_CRYPTO_HW=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_128 is not set CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_2=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_8192 is not set -CONFIG_CRYPTO_JITTERENTROPY_OSR=1 +CONFIG_CRYPTO_JITTERENTROPY_OSR=3 # CONFIG_CRYPTO_JITTERENTROPY_TESTINTERFACE is not set # CONFIG_CRYPTO_KEYWRAP is not set CONFIG_CRYPTO_LIB_AESCFB=y diff --git a/configs/kernel-s390x-debug-rhel.config b/configs/kernel-s390x-debug-rhel.config index 990fdf4d84254..1372799094bb4 100644 --- a/configs/kernel-s390x-debug-rhel.config +++ b/configs/kernel-s390x-debug-rhel.config @@ -1040,7 +1040,7 @@ CONFIG_CRYPTO_HW=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_128 is not set CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_2=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_8192 is not set -CONFIG_CRYPTO_JITTERENTROPY_OSR=1 +CONFIG_CRYPTO_JITTERENTROPY_OSR=3 # CONFIG_CRYPTO_JITTERENTROPY_TESTINTERFACE is not set # CONFIG_CRYPTO_KEYWRAP is not set CONFIG_CRYPTO_LIB_AESCFB=y diff --git a/configs/kernel-s390x-rhel.config b/configs/kernel-s390x-rhel.config index c1f48b25757a4..24050a6538059 100644 --- a/configs/kernel-s390x-rhel.config +++ b/configs/kernel-s390x-rhel.config @@ -1040,7 +1040,7 @@ CONFIG_CRYPTO_HW=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_128 is not set CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_2=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_8192 is not set -CONFIG_CRYPTO_JITTERENTROPY_OSR=1 +CONFIG_CRYPTO_JITTERENTROPY_OSR=3 # CONFIG_CRYPTO_JITTERENTROPY_TESTINTERFACE is not set # CONFIG_CRYPTO_KEYWRAP is not set CONFIG_CRYPTO_LIB_AESCFB=y diff --git a/configs/kernel-s390x-zfcpdump-rhel.config b/configs/kernel-s390x-zfcpdump-rhel.config index 942dc2af1de29..77787d89b9ac6 100644 --- a/configs/kernel-s390x-zfcpdump-rhel.config +++ b/configs/kernel-s390x-zfcpdump-rhel.config @@ -1041,7 +1041,7 @@ CONFIG_CRYPTO_HW=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_128 is not set CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_2=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_8192 is not set -CONFIG_CRYPTO_JITTERENTROPY_OSR=1 +CONFIG_CRYPTO_JITTERENTROPY_OSR=3 # CONFIG_CRYPTO_JITTERENTROPY_TESTINTERFACE is not set # CONFIG_CRYPTO_KEYWRAP is not set CONFIG_CRYPTO_LIB_AESCFB=y diff --git a/configs/kernel-x86_64-debug-rhel.config b/configs/kernel-x86_64-debug-rhel.config index 90aa81e1cf42b..bd2b7d10ac763 100644 --- a/configs/kernel-x86_64-debug-rhel.config +++ b/configs/kernel-x86_64-debug-rhel.config @@ -1098,7 +1098,7 @@ CONFIG_CRYPTO_HW=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_128 is not set CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_2=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_8192 is not set -CONFIG_CRYPTO_JITTERENTROPY_OSR=1 +CONFIG_CRYPTO_JITTERENTROPY_OSR=3 # CONFIG_CRYPTO_JITTERENTROPY_TESTINTERFACE is not set # CONFIG_CRYPTO_KEYWRAP is not set CONFIG_CRYPTO_LIB_AESCFB=y diff --git a/configs/kernel-x86_64-rhel.config b/configs/kernel-x86_64-rhel.config index 9222b710f1a94..30a71006a92ae 100644 --- a/configs/kernel-x86_64-rhel.config +++ b/configs/kernel-x86_64-rhel.config @@ -1098,7 +1098,7 @@ CONFIG_CRYPTO_HW=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_128 is not set CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_2=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_8192 is not set -CONFIG_CRYPTO_JITTERENTROPY_OSR=1 +CONFIG_CRYPTO_JITTERENTROPY_OSR=3 # CONFIG_CRYPTO_JITTERENTROPY_TESTINTERFACE is not set # CONFIG_CRYPTO_KEYWRAP is not set CONFIG_CRYPTO_LIB_AESCFB=y diff --git a/configs/kernel-x86_64-rt-debug-rhel.config b/configs/kernel-x86_64-rt-debug-rhel.config index f37673fe537c6..46b79632c28f0 100644 --- a/configs/kernel-x86_64-rt-debug-rhel.config +++ b/configs/kernel-x86_64-rt-debug-rhel.config @@ -1099,7 +1099,7 @@ CONFIG_CRYPTO_HW=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_128 is not set CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_2=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_8192 is not set -CONFIG_CRYPTO_JITTERENTROPY_OSR=1 +CONFIG_CRYPTO_JITTERENTROPY_OSR=3 # CONFIG_CRYPTO_JITTERENTROPY_TESTINTERFACE is not set # CONFIG_CRYPTO_KEYWRAP is not set CONFIG_CRYPTO_LIB_AESCFB=y diff --git a/configs/kernel-x86_64-rt-rhel.config b/configs/kernel-x86_64-rt-rhel.config index f9c6ef8459fe5..47e2c83df6a98 100644 --- a/configs/kernel-x86_64-rt-rhel.config +++ b/configs/kernel-x86_64-rt-rhel.config @@ -1099,7 +1099,7 @@ CONFIG_CRYPTO_HW=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_128 is not set CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_2=y # CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_8192 is not set -CONFIG_CRYPTO_JITTERENTROPY_OSR=1 +CONFIG_CRYPTO_JITTERENTROPY_OSR=3 # CONFIG_CRYPTO_JITTERENTROPY_TESTINTERFACE is not set # CONFIG_CRYPTO_KEYWRAP is not set CONFIG_CRYPTO_LIB_AESCFB=y diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c index 259ad77c03c50..09634957f3741 100644 --- a/drivers/nvme/target/tcp.c +++ b/drivers/nvme/target/tcp.c @@ -1021,6 +1021,18 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue) pr_err("H2CData PDU len %u is invalid\n", cmd->pdu_len); goto err_proto; } + /* + * Ensure command data structures are initialized. We must check both + * cmd->req.sg and cmd->iov because they can have different NULL states: + * - Uninitialized commands: both NULL + * - READ commands: cmd->req.sg allocated, cmd->iov NULL + * - WRITE commands: both allocated + */ + if (unlikely(!cmd->req.sg || !cmd->iov)) { + pr_err("queue %d: H2CData PDU received for invalid command state (ttag %u)\n", + queue->idx, data->ttag); + goto err_proto; + } cmd->pdu_recv = 0; nvmet_tcp_build_pdu_iovec(cmd); queue->cmd = cmd; diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c index 3284f52ab1fec..f772753a391b4 100644 --- a/drivers/scsi/storvsc_drv.c +++ b/drivers/scsi/storvsc_drv.c @@ -1144,7 +1144,7 @@ static void storvsc_on_io_completion(struct storvsc_device *stor_device, * The current SCSI handling on the host side does * not correctly handle: * INQUIRY command with page code parameter set to 0x80 - * MODE_SENSE command with cmd[2] == 0x1c + * MODE_SENSE and MODE_SENSE_10 command with cmd[2] == 0x1c * MAINTENANCE_IN is not supported by HyperV FC passthrough * * Setup srb and scsi status so this won't be fatal. @@ -1154,6 +1154,7 @@ static void storvsc_on_io_completion(struct storvsc_device *stor_device, if ((stor_pkt->vm_srb.cdb[0] == INQUIRY) || (stor_pkt->vm_srb.cdb[0] == MODE_SENSE) || + (stor_pkt->vm_srb.cdb[0] == MODE_SENSE_10) || (stor_pkt->vm_srb.cdb[0] == MAINTENANCE_IN && hv_dev_is_fc(device))) { vstor_packet->vm_srb.scsi_status = 0; diff --git a/redhat/configs/rhel/automotive/generic/CONFIG_CRYPTO_JITTERENTROPY_OSR b/redhat/configs/rhel/automotive/generic/CONFIG_CRYPTO_JITTERENTROPY_OSR new file mode 100644 index 0000000000000..b413a5719d7a6 --- /dev/null +++ b/redhat/configs/rhel/automotive/generic/CONFIG_CRYPTO_JITTERENTROPY_OSR @@ -0,0 +1 @@ +CONFIG_CRYPTO_JITTERENTROPY_OSR=1 diff --git a/redhat/configs/rhel/generic/CONFIG_CRYPTO_JITTERENTROPY_OSR b/redhat/configs/rhel/generic/CONFIG_CRYPTO_JITTERENTROPY_OSR index b413a5719d7a6..f89858c2a1d9c 100644 --- a/redhat/configs/rhel/generic/CONFIG_CRYPTO_JITTERENTROPY_OSR +++ b/redhat/configs/rhel/generic/CONFIG_CRYPTO_JITTERENTROPY_OSR @@ -1 +1 @@ -CONFIG_CRYPTO_JITTERENTROPY_OSR=1 +CONFIG_CRYPTO_JITTERENTROPY_OSR=3 diff --git a/redhat/kernel.changelog-10.1 b/redhat/kernel.changelog-10.1 index 0fdd00f5a88cf..5c75ebdd76d7a 100644 --- a/redhat/kernel.changelog-10.1 +++ b/redhat/kernel.changelog-10.1 @@ -1,3 +1,22 @@ +* Sat Feb 07 2026 CKI KWF Bot [6.12.0-124.38.1.el10_1] +- scsi: storvsc: Process unsupported MODE_SENSE_10 (Li Tian) [RHEL-147288] +- nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec (CKI Backport Bot) [RHEL-144335] {CVE-2026-22998} +Resolves: RHEL-144335, RHEL-147288 + +* Thu Feb 05 2026 CKI KWF Bot [6.12.0-124.37.1.el10_1] +- i40e: avoid redundant VF link state updates (CKI Backport Bot) [RHEL-141876] +- bpf: Do not audit capability check in do_jit() (Jay Shin) [RHEL-135138] +- smc: Fix use-after-free in __pnet_find_base_ndev(). (Mete Durlu) [RHEL-126896] {CVE-2025-40064} +Resolves: RHEL-126896, RHEL-135138, RHEL-140874, RHEL-141876 + +* Tue Feb 03 2026 CKI KWF Bot [6.12.0-124.36.1.el10_1] +- NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid (CKI Backport Bot) [RHEL-140263] {CVE-2025-68349} +- ntb_hw_switchtec: Fix shift-out-of-bounds in switchtec_ntb_mw_set_trans (Myron Stowe) [RHEL-132908] {CVE-2023-53034} +- erofs: avoid using multiple devices with different type (CKI Backport Bot) [RHEL-137977] {CVE-2025-38172} +- ALSA: usb-audio: Fix potential overflow of PCM transfer buffer (CKI Backport Bot) [RHEL-136912] {CVE-2025-40269} +- Bluetooth: ISO: Fix possible UAF on iso_conn_free (CKI Backport Bot) [RHEL-128899] {CVE-2025-40141} +Resolves: RHEL-128899, RHEL-132908, RHEL-136912, RHEL-137977, RHEL-140263 + * Sat Jan 31 2026 CKI KWF Bot [6.12.0-124.35.1.el10_1] - ice: Fix kernel panic due to page refcount underflow (CKI Backport Bot) [RHEL-139734] - mptcp: Use __sk_dst_get() and dst_dev_rcu() in mptcp_active_enable(). (Davide Caratti) [RHEL-129044] {CVE-2025-40133} diff --git a/uki-addons.sbat b/uki-addons.sbat index 165fbe9806569..e99647fd39482 100644 --- a/uki-addons.sbat +++ b/uki-addons.sbat @@ -1,3 +1,3 @@ sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md -kernel-uki-virt-addons.rhel,1,Red Hat,kernel-uki-virt-addons,6.12.0-124.35.1.el10_1.x86_64,mailto:secalert@redhat.com -kernel-uki-virt-addons.rocky,1,RESF,kernel-uki-virt-addons,6.12.0-124.35.1.el10_1.x86_64,mailto:security@rockylinux.org +kernel-uki-virt-addons.rhel,1,Red Hat,kernel-uki-virt-addons,6.12.0-124.38.1.el10_1.x86_64,mailto:secalert@redhat.com +kernel-uki-virt-addons.rocky,1,RESF,kernel-uki-virt-addons,6.12.0-124.38.1.el10_1.x86_64,mailto:security@rockylinux.org diff --git a/uki.sbat b/uki.sbat index 250adf363dc7c..1031a5d630b74 100644 --- a/uki.sbat +++ b/uki.sbat @@ -1,3 +1,3 @@ sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md -kernel-uki-virt.rhel,1,Red Hat,kernel-uki-virt,6.12.0-124.35.1.el10_1.x86_64,mailto:secalert@redhat.com -kernel-uki-virt.rocky,1,RESF,kernel-uki-virt,6.12.0-124.35.1.el10_1.x86_64,mailto:security@rockylinux.org +kernel-uki-virt.rhel,1,Red Hat,kernel-uki-virt,6.12.0-124.38.1.el10_1.x86_64,mailto:secalert@redhat.com +kernel-uki-virt.rocky,1,RESF,kernel-uki-virt,6.12.0-124.38.1.el10_1.x86_64,mailto:security@rockylinux.org