[rocky10_2] History Rebuild through kernel-6.12.0-211.18.1.el10_2

Makefile.rhelver

@@ -12,7 +12,7 @@ RHEL_MINOR = 2
 #
 # Use this spot to avoid future merge conflicts.
 # Do not trim this comment.
-RHEL_RELEASE = 211.16.1
+RHEL_RELEASE = 211.18.1
 
 #
 # RHEL_REBASE_NUM

ciq/ciq_backports/kernel-6.12.0-211.18.1.el10_2/19bbfe7b.failed

@@ -0,0 +1,170 @@
+fs: add S_ANON_INODE
+
+jira KERNEL-1088
+Rebuild_History Non-Buildable kernel-6.12.0-211.18.1.el10_2
+commit-author Christian Brauner <brauner@kernel.org>
+commit 19bbfe7b5fcc04d8711e8e1352acc77c1a5c3955
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-6.12.0-211.18.1.el10_2/19bbfe7b.failed
+
+This makes it easy to detect proper anonymous inodes and to ensure that
+we can detect them in codepaths such as readahead().
+
+Readahead on anonymous inodes didn't work because they didn't have a
+proper mode. Now that they have we need to retain EINVAL being returned
+otherwise LTP will fail.
+
+We also need to ensure that ioctls aren't simply fired like they are for
+regular files so things like inotify inodes continue to correctly call
+their own ioctl handlers as in [1].
+
+	Reported-by: Xilin Wu <sophon@radxa.com>
+Link: https://lore.kernel.org/3A9139D5CD543962+89831381-31b9-4392-87ec-a84a5b3507d8@radxa.com [1]
+Link: https://lore.kernel.org/7a1a7076-ff6b-4cb0-94e7-7218a0a44028@sirena.org.uk
+	Signed-off-by: Christian Brauner <brauner@kernel.org>
+(cherry picked from commit 19bbfe7b5fcc04d8711e8e1352acc77c1a5c3955)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	mm/readahead.c
+diff --cc mm/readahead.c
+index 2dbe5993b6aa,20d36d6b055e..000000000000
+--- a/mm/readahead.c
++++ b/mm/readahead.c
+@@@ -678,29 -690,34 +678,55 @@@ EXPORT_SYMBOL_GPL(page_cache_async_ra)
+
+  ssize_t ksys_readahead(int fd, loff_t offset, size_t count)
+  {
+++<<<<<<< HEAD
+ +	ssize_t ret;
+ +	struct fd f;
+ +
+ +	ret = -EBADF;
+ +	f = fdget(fd);
+ +	if (!fd_file(f) || !(fd_file(f)->f_mode & FMODE_READ))
+ +		goto out;
+++=======
++ 	struct file *file;
++ 	const struct inode *inode;
++ 
++ 	CLASS(fd, f)(fd);
++ 	if (fd_empty(f))
++ 		return -EBADF;
++ 
++ 	file = fd_file(f);
++ 	if (!(file->f_mode & FMODE_READ))
++ 		return -EBADF;
+++>>>>>>> 19bbfe7b5fcc (fs: add S_ANON_INODE)
+
+  	/*
+  	 * The readahead() syscall is intended to run only on files
+  	 * that can execute readahead. If readahead is not possible
+  	 * on this file, then we must return -EINVAL.
+  	 */
+++<<<<<<< HEAD
+ +	ret = -EINVAL;
+ +	if (!fd_file(f)->f_mapping || !fd_file(f)->f_mapping->a_ops ||
+ +	    (!S_ISREG(file_inode(fd_file(f))->i_mode) &&
+ +	    !S_ISBLK(file_inode(fd_file(f))->i_mode)))
+ +		goto out;
+++=======
++ 	if (!file->f_mapping)
++ 		return -EINVAL;
++ 	if (!file->f_mapping->a_ops)
++ 		return -EINVAL;
++ 
++ 	inode = file_inode(file);
++ 	if (!S_ISREG(inode->i_mode) && !S_ISBLK(inode->i_mode))
++ 		return -EINVAL;
++ 	if (IS_ANON_FILE(inode))
++ 		return -EINVAL;
+++>>>>>>> 19bbfe7b5fcc (fs: add S_ANON_INODE)
+
+ -	return vfs_fadvise(fd_file(f), offset, count, POSIX_FADV_WILLNEED);
+ +	ret = vfs_fadvise(fd_file(f), offset, count, POSIX_FADV_WILLNEED);
+ +out:
+ +	fdput(f);
+ +	return ret;
+  }
+
+  SYSCALL_DEFINE3(readahead, int, fd, loff_t, offset, size_t, count)
+diff --git a/fs/ioctl.c b/fs/ioctl.c
+index 6e0c954388d4..4dbd5627af8f 100644
+--- a/fs/ioctl.c
++++ b/fs/ioctl.c
+@@ -822,7 +822,8 @@ static int do_vfs_ioctl(struct file *filp, unsigned int fd,
+ 		return ioctl_fioasync(fd, filp, argp);
+
+ 	case FIOQSIZE:
+-		if (S_ISDIR(inode->i_mode) || S_ISREG(inode->i_mode) ||
++		if (S_ISDIR(inode->i_mode) ||
++		    (S_ISREG(inode->i_mode) && !IS_ANON_FILE(inode)) ||
+ 		    S_ISLNK(inode->i_mode)) {
+ 			loff_t res = inode_get_bytes(inode);
+ 			return copy_to_user(argp, &res, sizeof(res)) ?
+@@ -857,7 +858,7 @@ static int do_vfs_ioctl(struct file *filp, unsigned int fd,
+ 		return ioctl_file_dedupe_range(filp, argp);
+
+ 	case FIONREAD:
+-		if (!S_ISREG(inode->i_mode))
++		if (!S_ISREG(inode->i_mode) || IS_ANON_FILE(inode))
+ 			return vfs_ioctl(filp, cmd, arg);
+
+ 		return put_user(i_size_read(inode) - filp->f_pos,
+@@ -882,7 +883,7 @@ static int do_vfs_ioctl(struct file *filp, unsigned int fd,
+ 		return ioctl_get_fs_sysfs_path(filp, argp);
+
+ 	default:
+-		if (S_ISREG(inode->i_mode))
++		if (S_ISREG(inode->i_mode) && !IS_ANON_FILE(inode))
+ 			return file_ioctl(filp, cmd, argp);
+ 		break;
+ 	}
+diff --git a/fs/libfs.c b/fs/libfs.c
+index 7fd661bb935f..df9a2f4472f7 100644
+--- a/fs/libfs.c
++++ b/fs/libfs.c
+@@ -1654,7 +1654,7 @@ struct inode *alloc_anon_inode(struct super_block *s)
+ 	inode->i_mode = S_IRUSR | S_IWUSR;
+ 	inode->i_uid = current_fsuid();
+ 	inode->i_gid = current_fsgid();
+-	inode->i_flags |= S_PRIVATE;
++	inode->i_flags |= S_PRIVATE | S_ANON_INODE;
+ 	simple_inode_init_ts(inode);
+ 	return inode;
+ }
+diff --git a/fs/pidfs.c b/fs/pidfs.c
+index d6c0ed79ea24..7e10fac8e623 100644
+--- a/fs/pidfs.c
++++ b/fs/pidfs.c
+@@ -804,7 +804,7 @@ static int pidfs_init_inode(struct inode *inode, void *data)
+ 	const struct pid *pid = data;
+
+ 	inode->i_private = data;
+-	inode->i_flags |= S_PRIVATE;
++	inode->i_flags |= S_PRIVATE | S_ANON_INODE;
+ 	inode->i_mode |= S_IRWXU;
+ 	inode->i_op = &pidfs_inode_operations;
+ 	inode->i_fop = &pidfs_file_operations;
+diff --git a/include/linux/fs.h b/include/linux/fs.h
+index 106b644cee85..af426a3bd89c 100644
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -2319,6 +2319,7 @@ struct super_operations {
+ #define S_CASEFOLD	(1 << 15) /* Casefolded file */
+ #define S_VERITY	(1 << 16) /* Verity file (using fs/verity/) */
+ #define S_KERNEL_FILE	(1 << 17) /* File is in use by the kernel (eg. fs/cachefiles) */
++#define S_ANON_INODE	(1 << 19) /* Inode is an anonymous inode */
+
+ /*
+  * Note that nosuid etc flags are inode-specific: setting some file-system
+@@ -2375,6 +2376,7 @@ static inline bool sb_rdonly(const struct super_block *sb) { return sb->s_flags
+
+ #define IS_WHITEOUT(inode)	(S_ISCHR(inode->i_mode) && \
+ 				 (inode)->i_rdev == WHITEOUT_DEV)
++#define IS_ANON_FILE(inode)	((inode)->i_flags & S_ANON_INODE)
+
+ static inline bool HAS_UNMAPPED_ID(struct mnt_idmap *idmap,
+ 				   struct inode *inode)
+* Unmerged path mm/readahead.c

ciq/ciq_backports/kernel-6.12.0-211.18.1.el10_2/22bdf3d6.failed

@@ -0,0 +1,133 @@
+anon_inode: explicitly block ->setattr()
+
+jira KERNEL-1088
+Rebuild_History Non-Buildable kernel-6.12.0-211.18.1.el10_2
+commit-author Christian Brauner <brauner@kernel.org>
+commit 22bdf3d6581af6d06ed8a46c6835648421cca0ea
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-6.12.0-211.18.1.el10_2/22bdf3d6.failed
+
+It is currently possible to change the mode and owner of the single
+anonymous inode in the kernel:
+
+int main(int argc, char *argv[])
+{
+        int ret, sfd;
+        sigset_t mask;
+        struct signalfd_siginfo fdsi;
+
+        sigemptyset(&mask);
+        sigaddset(&mask, SIGINT);
+        sigaddset(&mask, SIGQUIT);
+
+        ret = sigprocmask(SIG_BLOCK, &mask, NULL);
+        if (ret < 0)
+                _exit(1);
+
+        sfd = signalfd(-1, &mask, 0);
+        if (sfd < 0)
+                _exit(2);
+
+        ret = fchown(sfd, 5555, 5555);
+        if (ret < 0)
+                _exit(3);
+
+        ret = fchmod(sfd, 0777);
+        if (ret < 0)
+                _exit(3);
+
+        _exit(4);
+}
+
+This is a bug. It's not really a meaningful one because anonymous inodes
+don't really figure into path lookup and they cannot be reopened via
+/proc/<pid>/fd/<nr> and can't be used for lookup itself. So they can
+only ever serve as direct references.
+
+But it is still completely bogus to allow the mode and ownership or any
+of the properties of the anonymous inode to be changed. Block this!
+
+Link: https://lore.kernel.org/20250407-work-anon_inode-v1-3-53a44c20d44e@kernel.org
+	Reviewed-by: Jeff Layton <jlayton@kernel.org>
+	Cc: stable@vger.kernel.org # all LTS kernels
+	Signed-off-by: Christian Brauner <brauner@kernel.org>
+(cherry picked from commit 22bdf3d6581af6d06ed8a46c6835648421cca0ea)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	fs/anon_inodes.c
+#	fs/internal.h
+diff --cc fs/anon_inodes.c
+index 5a070be69922,cb51a90bece0..000000000000
+--- a/fs/anon_inodes.c
++++ b/fs/anon_inodes.c
+@@@ -28,6 -30,45 +28,48 @@@ static struct vfsmount *anon_inode_mnt 
+  static struct inode *anon_inode_inode __ro_after_init;
+
+  /*
+++<<<<<<< HEAD
+++=======
++  * User space expects anonymous inodes to have no file type in st_mode.
++  *
++  * In particular, 'lsof' has this legacy logic:
++  *
++  *	type = s->st_mode & S_IFMT;
++  *	switch (type) {
++  *	  ...
++  *	case 0:
++  *		if (!strcmp(p, "anon_inode"))
++  *			Lf->ntype = Ntype = N_ANON_INODE;
++  *
++  * to detect our old anon_inode logic.
++  *
++  * Rather than mess with our internal sane inode data, just fix it
++  * up here in getattr() by masking off the format bits.
++  */
++ int anon_inode_getattr(struct mnt_idmap *idmap, const struct path *path,
++ 		       struct kstat *stat, u32 request_mask,
++ 		       unsigned int query_flags)
++ {
++ 	struct inode *inode = d_inode(path->dentry);
++ 
++ 	generic_fillattr(&nop_mnt_idmap, request_mask, inode, stat);
++ 	stat->mode &= ~S_IFMT;
++ 	return 0;
++ }
++ 
++ int anon_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
++ 		       struct iattr *attr)
++ {
++ 	return -EOPNOTSUPP;
++ }
++ 
++ static const struct inode_operations anon_inode_operations = {
++ 	.getattr = anon_inode_getattr,
++ 	.setattr = anon_inode_setattr,
++ };
++ 
++ /*
+++>>>>>>> 22bdf3d6581a (anon_inode: explicitly block ->setattr())
+   * anon_inodefs_dname() is called from d_path().
+   */
+  static char *anon_inodefs_dname(struct dentry *dentry, char *buffer, int buflen)
+diff --cc fs/internal.h
+index b555366c7974,f545400ce607..000000000000
+--- a/fs/internal.h
++++ b/fs/internal.h
+@@@ -338,3 -341,10 +338,13 @@@ static inline bool path_mounted(const s
+  	return path->mnt->mnt_root == path->dentry;
+  }
+  void file_f_owner_release(struct file *file);
+++<<<<<<< HEAD
+++=======
++ bool file_seek_cur_needs_f_lock(struct file *file);
++ int statmount_mnt_idmap(struct mnt_idmap *idmap, struct seq_file *seq, bool uid_map);
++ int anon_inode_getattr(struct mnt_idmap *idmap, const struct path *path,
++ 		       struct kstat *stat, u32 request_mask,
++ 		       unsigned int query_flags);
++ int anon_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
++ 		       struct iattr *attr);
+++>>>>>>> 22bdf3d6581a (anon_inode: explicitly block ->setattr())
+* Unmerged path fs/anon_inodes.c
+* Unmerged path fs/internal.h

ciq/ciq_backports/kernel-6.12.0-211.18.1.el10_2/ac1ea219.failed

@@ -0,0 +1,70 @@
+mm/page_alloc: clear page->private in free_pages_prepare()
+
+jira KERNEL-1088
+cve CVE-2026-43303
+Rebuild_History Non-Buildable kernel-6.12.0-211.18.1.el10_2
+commit-author Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
+commit ac1ea219590c09572ed5992dc233bbf7bb70fef9
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-6.12.0-211.18.1.el10_2/ac1ea219.failed
+
+Several subsystems (slub, shmem, ttm, etc.) use page->private but don't
+clear it before freeing pages.  When these pages are later allocated as
+high-order pages and split via split_page(), tail pages retain stale
+page->private values.
+
+This causes a use-after-free in the swap subsystem.  The swap code uses
+page->private to track swap count continuations, assuming freshly
+allocated pages have page->private == 0.  When stale values are present,
+swap_count_continued() incorrectly assumes the continuation list is valid
+and iterates over uninitialized page->lru containing LIST_POISON values,
+causing a crash:
+
+  KASAN: maybe wild-memory-access in range [0xdead000000000100-0xdead000000000107]
+  RIP: 0010:__do_sys_swapoff+0x1151/0x1860
+
+Fix this by clearing page->private in free_pages_prepare(), ensuring all
+freed pages have clean state regardless of previous use.
+
+Link: https://lkml.kernel.org/r/20260207173615.146159-1-mikhail.v.gavrilov@gmail.com
+Fixes: 3b8000ae185c ("mm/vmalloc: huge vmalloc backing pages should be split rather than compound")
+	Signed-off-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
+	Suggested-by: Zi Yan <ziy@nvidia.com>
+	Acked-by: Zi Yan <ziy@nvidia.com>
+	Acked-by: David Hildenbrand (Arm) <david@kernel.org>
+	Reviewed-by: Vlastimil Babka <vbabka@suse.cz>
+	Cc: Brendan Jackman <jackmanb@google.com>
+	Cc: Chris Li <chrisl@kernel.org>
+	Cc: Hugh Dickins <hughd@google.com>
+	Cc: Johannes Weiner <hannes@cmpxchg.org>
+	Cc: Kairui Song <ryncsn@gmail.com>
+	Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
+	Cc: Michal Hocko <mhocko@suse.com>
+	Cc: Nicholas Piggin <npiggin@gmail.com>
+	Cc: Suren Baghdasaryan <surenb@google.com>
+	Cc: <stable@vger.kernel.org>
+	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+(cherry picked from commit ac1ea219590c09572ed5992dc233bbf7bb70fef9)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	mm/page_alloc.c
+diff --cc mm/page_alloc.c
+index 373e0e4bb3d2,77dcec36946f..000000000000
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@@ -1134,7 -1428,8 +1134,12 @@@ __always_inline bool free_pages_prepare
+  	}
+
+  	page_cpupid_reset_last(page);
+++<<<<<<< HEAD
+ +	page->flags &= ~PAGE_FLAGS_CHECK_AT_PREP;
+++=======
++ 	page->flags.f &= ~PAGE_FLAGS_CHECK_AT_PREP;
++ 	page->private = 0;
+++>>>>>>> ac1ea219590c (mm/page_alloc: clear page->private in free_pages_prepare())
+  	reset_page_owner(page, order);
+  	page_table_check_free(page, order);
+  	pgalloc_tag_sub(page, 1 << order);
+* Unmerged path mm/page_alloc.c