[rocky9_8] History Rebuild through kernel-5.14.0-687.12.1.el9_8

Makefile.rhelver

@@ -12,7 +12,7 @@ RHEL_MINOR = 8
 #
 # Use this spot to avoid future merge conflicts.
 # Do not trim this comment.
-RHEL_RELEASE = 687.10.1
+RHEL_RELEASE = 687.12.1
 
 #
 # ZSTREAM

arch/s390/pci/pci_event.c

@@ -187,7 +187,7 @@ static pci_ers_result_t zpci_event_attempt_error_recovery(struct pci_dev *pdev)
 	 * is unbound or probed and that userspace can't access its
 	 * configuration space while we perform recovery.
 	 */
-	pci_dev_lock(pdev);
+	device_lock(&pdev->dev);
 	if (pdev->error_state == pci_channel_io_perm_failure) {
 		ers_res = PCI_ERS_RESULT_DISCONNECT;
 		goto out_unlock;
@@ -254,7 +254,7 @@ static pci_ers_result_t zpci_event_attempt_error_recovery(struct pci_dev *pdev)
 	if (driver->err_handler->resume)
 		driver->err_handler->resume(pdev);
 out_unlock:
-	pci_dev_unlock(pdev);
+	device_unlock(&pdev->dev);
 	zpci_report_status(zdev, "recovery", status_str);
 
 	return ers_res;

arch/x86/mm/init_64.c

@@ -32,6 +32,7 @@
 #include <linux/memremap.h>
 #include <linux/nmi.h>
 #include <linux/gfp.h>
+#include <linux/iommu.h>
 #include <linux/kcore.h>
 #include <linux/bootmem_info.h>
 
@@ -1017,6 +1018,9 @@ static void __meminit free_pagetable(struct page *page, int order)
 	unsigned long magic;
 	unsigned int nr_pages = 1 << order;
 
+	/* Flush IOMMU paging structure caches before freeing PT page */
+	iommu_sva_invalidate_kva_range(PAGE_OFFSET, TLB_FLUSH_ALL);
+
 	/* bootmem page has reserved flag */
 	if (PageReserved(page)) {
 		__ClearPageReserved(page);

arch/x86/mm/pat/set_memory.c

@@ -21,6 +21,7 @@
 #include <linux/kernel.h>
 #include <linux/cc_platform.h>
 #include <linux/set_memory.h>
+#include <linux/iommu.h>
 
 #include <asm/e820/api.h>
 #include <asm/processor.h>
@@ -1204,6 +1205,8 @@ static bool try_to_free_pte_page(pte_t *pte)
 		if (!pte_none(pte[i]))
 			return false;
 
+	/* Flush IOMMU paging structure caches before freeing PT page */
+	iommu_sva_invalidate_kva_range(PAGE_OFFSET, TLB_FLUSH_ALL);
 	free_page((unsigned long)pte);
 	return true;
 }
@@ -1216,6 +1219,8 @@ static bool try_to_free_pmd_page(pmd_t *pmd)
 		if (!pmd_none(pmd[i]))
 			return false;
 
+	/* Flush IOMMU paging structure caches before freeing PT page */
+	iommu_sva_invalidate_kva_range(PAGE_OFFSET, TLB_FLUSH_ALL);
 	free_page((unsigned long)pmd);
 	return true;
 }

arch/x86/mm/pgtable.c

@@ -2,6 +2,7 @@
 #include <linux/mm.h>
 #include <linux/gfp.h>
 #include <linux/hugetlb.h>
+#include <linux/iommu.h>
 #include <asm/pgalloc.h>
 #include <asm/tlb.h>
 #include <asm/fixmap.h>
@@ -832,6 +833,9 @@ int pud_free_pmd_page(pud_t *pud, unsigned long addr)
 	/* INVLPG to clear all paging-structure caches */
 	flush_tlb_kernel_range(addr, addr + PAGE_SIZE-1);
 
+	/* Flush IOMMU paging structure caches before freeing PT pages */
+	iommu_sva_invalidate_kva_range(PAGE_OFFSET, TLB_FLUSH_ALL);
+
 	for (i = 0; i < PTRS_PER_PMD; i++) {
 		if (!pmd_none(pmd_sv[i])) {
 			pte = (pte_t *)pmd_page_vaddr(pmd_sv[i]);
@@ -865,6 +869,8 @@ int pmd_free_pte_page(pmd_t *pmd, unsigned long addr)
 	/* INVLPG to clear all paging-structure caches */
 	flush_tlb_kernel_range(addr, addr + PAGE_SIZE-1);
 
+	/* Flush IOMMU paging structure caches before freeing PT page */
+	iommu_sva_invalidate_kva_range(PAGE_OFFSET, TLB_FLUSH_ALL);
 	free_page((unsigned long)pte);
 
 	return 1;

ciq/ciq_backports/kernel-5.14.0-687.10.1.el9_8.0.1/rebuild.details.txt

@@ -0,0 +1,17 @@
+Rebuild_History BUILDABLE
+Rebuilding Kernel from rpm changelog with Fuzz Limit: 87.50%
+Number of commits in upstream range v5.14~1..kernel-mainline: 382157
+Number of commits in rpm: 1
+Number of commits matched with upstream: 0 (0.00%)
+Number of commits in upstream but not in rpm: 382157
+Number of commits NOT found in upstream: 1 (100.00%)
+
+Rebuilding Kernel on Branch rocky9_8_rebuild_kernel-5.14.0-687.10.1.el9_8.0.1 for kernel-5.14.0-687.10.1.el9_8.0.1
+Clean Cherry Picks: 0 (0.00%)
+Empty Cherry Picks: 0 (0.00%)
+_______________________________
+
+__EMPTY COMMITS__________________________
+
+__CHANGES NOT IN UPSTREAM________________
+Bump release for rebuild with updated rocky-sb-certs'

ciq/ciq_backports/kernel-5.14.0-687.12.1.el9_8/0a8cf165.failed

@@ -0,0 +1,65 @@
+smb: client: validate the whole DACL before rewriting it in cifsacl
+
+jira KERNEL-1100
+cve CVE-2026-31709
+Rebuild_History Non-Buildable kernel-5.14.0-687.12.1.el9_8
+commit-author Michael Bommarito <michael.bommarito@gmail.com>
+commit 0a8cf165566ba55a39fd0f4de172119dd646d39a
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-5.14.0-687.12.1.el9_8/0a8cf165.failed
+
+build_sec_desc() and id_mode_to_cifs_acl() derive a DACL pointer from a
+server-supplied dacloffset and then use the incoming ACL to rebuild the
+chmod/chown security descriptor.
+
+The original fix only checked that the struct smb_acl header fits before
+reading dacl_ptr->size or dacl_ptr->num_aces.  That avoids the immediate
+header-field OOB read, but the rewrite helpers still walk ACEs based on
+pdacl->num_aces with no structural validation of the incoming DACL body.
+
+A malicious server can return a truncated DACL that still contains a
+header, claims one or more ACEs, and then drive
+replace_sids_and_copy_aces() or set_chmod_dacl() past the validated
+extent while they compare or copy attacker-controlled ACEs.
+
+Factor the DACL structural checks into validate_dacl(), extend them to
+validate each ACE against the DACL bounds, and use the shared validator
+before the chmod/chown rebuild paths.  parse_dacl() reuses the same
+validator so the read-side parser and write-side rewrite paths agree on
+what constitutes a well-formed incoming DACL.
+
+Fixes: bc3e9dd9d104 ("cifs: Change SIDs in ACEs while transferring file ownership.")
+	Cc: stable@vger.kernel.org
+Assisted-by: Claude:claude-opus-4-6
+Assisted-by: Codex:gpt-5-4
+	Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
+	Signed-off-by: Steve French <stfrench@microsoft.com>
+(cherry picked from commit 0a8cf165566ba55a39fd0f4de172119dd646d39a)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	fs/smb/client/cifsacl.c
+diff --cc fs/smb/client/cifsacl.c
+index 345d788b1cb2,cb4060ba5e31..000000000000
+--- a/fs/smb/client/cifsacl.c
++++ b/fs/smb/client/cifsacl.c
+@@@ -799,13 -868,7 +867,17 @@@ static void parse_dacl(struct smb_acl *
+  	if (num_aces > 0) {
+  		umode_t denied_mode = 0;
+
+++<<<<<<< HEAD
+ +		if (num_aces > (le16_to_cpu(pdacl->size) - sizeof(struct smb_acl)) /
+ +				(offsetof(struct smb_ace, sid) +
+ +				 offsetof(struct smb_sid, sub_auth) + sizeof(__le16)))
+ +			return;
+ +
+ +		ppace = kmalloc_array(num_aces, sizeof(struct smb_ace *),
+ +				      GFP_KERNEL);
+++=======
++ 		ppace = kmalloc_objs(struct smb_ace *, num_aces);
+++>>>>>>> 0a8cf165566b (smb: client: validate the whole DACL before rewriting it in cifsacl)
+  		if (!ppace)
+  			return;
+
+* Unmerged path fs/smb/client/cifsacl.c

ciq/ciq_backports/kernel-5.14.0-687.12.1.el9_8/31e62c2e.failed

@@ -0,0 +1,65 @@
+ptrace: slightly saner 'get_dumpable()' logic
+
+jira KERNEL-1100
+cve CVE-2026-46333
+Rebuild_History Non-Buildable kernel-5.14.0-687.12.1.el9_8
+commit-author Linus Torvalds <torvalds@linux-foundation.org>
+commit 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-5.14.0-687.12.1.el9_8/31e62c2e.failed
+
+The 'dumpability' of a task is fundamentally about the memory image of
+the task - the concept comes from whether it can core dump or not - and
+makes no sense when you don't have an associated mm.
+
+And almost all users do in fact use it only for the case where the task
+has a mm pointer.
+
+But we have one odd special case: ptrace_may_access() uses 'dumpable' to
+check various other things entirely independently of the MM (typically
+explicitly using flags like PTRACE_MODE_READ_FSCREDS).  Including for
+threads that no longer have a VM (and maybe never did, like most kernel
+threads).
+
+It's not what this flag was designed for, but it is what it is.
+
+The ptrace code does check that the uid/gid matches, so you do have to
+be uid-0 to see kernel thread details, but this means that the
+traditional "drop capabilities" model doesn't make any difference for
+this all.
+
+Make it all make a *bit* more sense by saying that if you don't have a
+MM pointer, we'll use a cached "last dumpability" flag if the thread
+ever had a MM (it will be zero for kernel threads since it is never
+set), and require a proper CAP_SYS_PTRACE capability to override.
+
+	Reported-by: Qualys Security Advisory <qsa@qualys.com>
+	Cc: Oleg Nesterov <oleg@redhat.com>
+	Cc: Kees Cook <kees@kernel.org>
+	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+(cherry picked from commit 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	include/linux/sched.h
+diff --cc include/linux/sched.h
+index 0ecc26623bf8,ee06cba5c6f5..000000000000
+--- a/include/linux/sched.h
++++ b/include/linux/sched.h
+@@@ -962,7 -1002,10 +962,14 @@@ struct task_struct 
+  	unsigned			sched_rt_mutex:1;
+  #endif
+
+++<<<<<<< HEAD
+ +	/* Bit to tell LSMs we're in execve(): */
+++=======
++ 	/* Save user-dumpable when mm goes away */
++ 	unsigned			user_dumpable:1;
++ 
++ 	/* Bit to tell TOMOYO we're in execve(): */
+++>>>>>>> 31e62c2ebbfd (ptrace: slightly saner 'get_dumpable()' logic)
+  	unsigned			in_execve:1;
+  	unsigned			in_iowait:1;
+  #ifndef TIF_RESTORE_SIGMASK
+* Unmerged path include/linux/sched.h