[rocky8_10] History Rebuild through kernel-4.18.0-553.123.1.el8_10

Makefile.rhelver

@@ -12,7 +12,7 @@ RHEL_MINOR = 10
 #
 # Use this spot to avoid future merge conflicts.
 # Do not trim this comment.
-RHEL_RELEASE = 553.120.1
+RHEL_RELEASE = 553.123.1
 
 #
 # ZSTREAM

arch/x86/kvm/mmu/mmu.c

@@ -2643,11 +2643,6 @@ static int mmu_set_spte(struct kvm_vcpu *vcpu, struct kvm_memory_slot *slot,
 	pgprintk("%s: spte %llx write_fault %d gfn %llx\n", __func__,
 		 *sptep, write_fault, gfn);
 
-	if (unlikely(is_noslot_pfn(pfn))) {
-		mark_mmio_spte(vcpu, sptep, gfn, pte_access);
-		return RET_PF_EMULATE;
-	}
-
 	if (is_shadow_present_pte(*sptep)) {
 		/*
 		 * If we overwrite a PTE page pointer with a 2MB PMD, unlink
@@ -2669,6 +2664,14 @@ static int mmu_set_spte(struct kvm_vcpu *vcpu, struct kvm_memory_slot *slot,
 			was_rmapped = 1;
 	}
 
+	if (unlikely(is_noslot_pfn(pfn))) {
+		mark_mmio_spte(vcpu, sptep, gfn, pte_access);
+		if (flush)
+			kvm_flush_remote_tlbs_with_address(vcpu->kvm, gfn,
+							   KVM_PAGES_PER_HPAGE(level));
+		return RET_PF_EMULATE;
+	}
+
 	wrprot = make_spte(vcpu, sp, slot, pte_access, gfn, pfn, *sptep, prefetch,
 			   true, host_writable, &spte);
 

ciq/ciq_backports/kernel-4.18.0-553.123.1.el8_10/1f48ad3b.failed

@@ -0,0 +1,42 @@
+crypto: authencesn - Fix src offset when decrypting in-place
+
+jira KERNEL-949
+Rebuild_History Non-Buildable kernel-4.18.0-553.123.1.el8_10
+commit-author Herbert Xu <herbert@gondor.apana.org.au>
+commit 1f48ad3b19a9dfc947868edda0bb8e48e5b5a8fa
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-4.18.0-553.123.1.el8_10/1f48ad3b.failed
+
+The src SG list offset wasn't set properly when decrypting in-place,
+fix it.
+
+	Reported-by: Wolfgang Walter <linux@stwm.de>
+Fixes: e02494114ebf ("crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption")
+	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+(cherry picked from commit 1f48ad3b19a9dfc947868edda0bb8e48e5b5a8fa)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	crypto/authencesn.c
+diff --cc crypto/authencesn.c
+index a7c345f88223,af3d584e584f..000000000000
+--- a/crypto/authencesn.c
++++ b/crypto/authencesn.c
+@@@ -265,8 -228,11 +265,15 @@@ static int crypto_authenc_esn_decrypt_t
+
+  decrypt:
+
+++<<<<<<< HEAD
+ +	sg_init_table(areq_ctx->dst, 2);
+++=======
+++>>>>>>> 1f48ad3b19a9 (crypto: authencesn - Fix src offset when decrypting in-place)
+  	dst = scatterwalk_ffwd(areq_ctx->dst, dst, assoclen);
++ 	if (req->src == req->dst)
++ 		src = dst;
++ 	else
++ 		src = scatterwalk_ffwd(areq_ctx->src, src, assoclen);
+
+  	skcipher_request_set_tfm(skreq, ctx->enc);
+  	skcipher_request_set_callback(skreq, flags,
+* Unmerged path crypto/authencesn.c

ciq/ciq_backports/kernel-4.18.0-553.123.1.el8_10/31d00156.failed

@@ -0,0 +1,60 @@
+crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl
+
+jira KERNEL-949
+Rebuild_History Non-Buildable kernel-4.18.0-553.123.1.el8_10
+commit-author Herbert Xu <herbert@gondor.apana.org.au>
+commit 31d00156e50ecad37f2cb6cbf04aaa9a260505ef
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-4.18.0-553.123.1.el8_10/31d00156.failed
+
+When page reassignment was added to af_alg_pull_tsgl the original
+loop wasn't updated so it may try to reassign one more page than
+necessary.
+
+Add the check to the reassignment so that this does not happen.
+
+Also update the comment which still refers to the obsolete offset
+argument.
+
+	Reported-by: syzbot+d23888375c2737c17ba5@syzkaller.appspotmail.com
+Fixes: e870456d8e7c ("crypto: algif_skcipher - overhaul memory management")
+	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+(cherry picked from commit 31d00156e50ecad37f2cb6cbf04aaa9a260505ef)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	crypto/af_alg.c
+diff --cc crypto/af_alg.c
+index 84cc5ed24ff3,dd0e5be4d8c0..000000000000
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@@ -615,19 -705,11 +615,27 @@@ void af_alg_pull_tsgl(struct sock *sk, 
+  			 * Assumption: caller created af_alg_count_tsgl(len)
+  			 * SG entries in dst.
+  			 */
+++<<<<<<< HEAD
+ +			if (dst) {
+ +				if (dst_offset >= plen) {
+ +					/* discard page before offset */
+ +					dst_offset -= plen;
+ +				} else {
+ +					/* reassign page to dst after offset */
+ +					get_page(page);
+ +					sg_set_page(dst + j, page,
+ +						    plen - dst_offset,
+ +						    sg[i].offset + dst_offset);
+ +					dst_offset = 0;
+ +					j++;
+ +				}
+++=======
++ 			if (dst && plen) {
++ 				/* reassign page to dst */
++ 				get_page(page);
++ 				sg_set_page(dst + j, page, plen, sg[i].offset);
++ 				j++;
+++>>>>>>> 31d00156e50e (crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl)
+  			}
+
+  			sg[i].length -= plen;
+* Unmerged path crypto/af_alg.c

ciq/ciq_backports/kernel-4.18.0-553.123.1.el8_10/3cd39bc3.failed

@@ -0,0 +1,78 @@
+kernel.h: Move ARRAY_SIZE() to a separate header
+
+jira KERNEL-949
+cve CVE-2025-40252
+Rebuild_History Non-Buildable kernel-4.18.0-553.123.1.el8_10
+commit-author Alejandro Colomar <alx@kernel.org>
+commit 3cd39bc3b11b8d34b7d7c961a35fdfd18b0ebf75
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-4.18.0-553.123.1.el8_10/3cd39bc3.failed
+
+Touching files so used for the kernel,
+forces 'make' to recompile most of the kernel.
+
+Having those definitions in more granular files
+helps avoid recompiling so much of the kernel.
+
+	Signed-off-by: Alejandro Colomar <alx@kernel.org>
+	Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+	Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20230817143352.132583-2-lucas.segarra.fernandez@intel.com
+[andy: reduced to cover only string.h for now]
+	Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+(cherry picked from commit 3cd39bc3b11b8d34b7d7c961a35fdfd18b0ebf75)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	include/linux/kernel.h
+diff --cc include/linux/kernel.h
+index f448aa985302,d9ad21058eed..000000000000
+--- a/include/linux/kernel.h
++++ b/include/linux/kernel.h
+@@@ -2,7 -2,18 +2,13 @@@
+  #ifndef _LINUX_KERNEL_H
+  #define _LINUX_KERNEL_H
+
+++<<<<<<< HEAD
+ +#include <stdarg.h>
+++=======
++ #include <linux/stdarg.h>
++ #include <linux/align.h>
++ #include <linux/array_size.h>
+++>>>>>>> 3cd39bc3b11b (kernel.h: Move ARRAY_SIZE() to a separate header)
+  #include <linux/limits.h>
+  #include <linux/linkage.h>
+  #include <linux/stddef.h>
+diff --git a/include/linux/array_size.h b/include/linux/array_size.h
+new file mode 100644
+index 000000000000..06d7d83196ca
+--- /dev/null
++++ b/include/linux/array_size.h
+@@ -0,0 +1,13 @@
++/* SPDX-License-Identifier: GPL-2.0 */
++#ifndef _LINUX_ARRAY_SIZE_H
++#define _LINUX_ARRAY_SIZE_H
++
++#include <linux/compiler.h>
++
++/**
++ * ARRAY_SIZE - get the number of elements in array @arr
++ * @arr: array to be sized
++ */
++#define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]) + __must_be_array(arr))
++
++#endif  /* _LINUX_ARRAY_SIZE_H */
+* Unmerged path include/linux/kernel.h
+diff --git a/include/linux/string.h b/include/linux/string.h
+index 9e56d276594f..8cdbf52f5aaf 100644
+--- a/include/linux/string.h
++++ b/include/linux/string.h
+@@ -2,6 +2,7 @@
+ #ifndef _LINUX_STRING_H_
+ #define _LINUX_STRING_H_
+
++#include <linux/array_size.h>
+ #include <linux/compiler.h>	/* for inline */
+ #include <linux/types.h>	/* for size_t */
+ #include <linux/stddef.h>	/* for NULL */

ciq/ciq_backports/kernel-4.18.0-553.123.1.el8_10/5133b61a.failed

@@ -0,0 +1,118 @@
+nfsd: fix heap overflow in NFSv4.0 LOCK replay cache
+
+jira KERNEL-949
+cve CVE-2026-31402
+Rebuild_History Non-Buildable kernel-4.18.0-553.123.1.el8_10
+commit-author Jeff Layton <jlayton@kernel.org>
+commit 5133b61aaf437e5f25b1b396b14242a6bb0508e2
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-4.18.0-553.123.1.el8_10/5133b61a.failed
+
+The NFSv4.0 replay cache uses a fixed 112-byte inline buffer
+(rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses.
+This size was calculated based on OPEN responses and does not account
+for LOCK denied responses, which include the conflicting lock owner as
+a variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT).
+
+When a LOCK operation is denied due to a conflict with an existing lock
+that has a large owner, nfsd4_encode_operation() copies the full encoded
+response into the undersized replay buffer via read_bytes_from_xdr_buf()
+with no bounds check. This results in a slab-out-of-bounds write of up
+to 944 bytes past the end of the buffer, corrupting adjacent heap memory.
+
+This can be triggered remotely by an unauthenticated attacker with two
+cooperating NFSv4.0 clients: one sets a lock with a large owner string,
+then the other requests a conflicting lock to provoke the denial.
+
+We could fix this by increasing NFSD4_REPLAY_ISIZE to allow for a full
+opaque, but that would increase the size of every stateowner, when most
+lockowners are not that large.
+
+Instead, fix this by checking the encoded response length against
+NFSD4_REPLAY_ISIZE before copying into the replay buffer. If the
+response is too large, set rp_buflen to 0 to skip caching the replay
+payload. The status is still cached, and the client already received the
+correct response on the original request.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+	Cc: stable@kernel.org
+	Reported-by: Nicholas Carlini <npc@anthropic.com>
+	Tested-by: Nicholas Carlini <npc@anthropic.com>
+	Signed-off-by: Jeff Layton <jlayton@kernel.org>
+	Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+(cherry picked from commit 5133b61aaf437e5f25b1b396b14242a6bb0508e2)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	fs/nfsd/nfs4xdr.c
+diff --cc fs/nfsd/nfs4xdr.c
+index 857457f42c9d,fa16b34fae50..000000000000
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@@ -5115,19 -6276,25 +5115,29 @@@ nfsd4_encode_operation(struct nfsd4_com
+  		 * bug if we had to do this on a non-idempotent op:
+  		 */
+  		warn_on_nonidempotent_op(op);
+ -		xdr_truncate_encode(xdr, op_status_offset + XDR_UNIT);
+ -	} else if (so) {
+ -		int len = xdr->buf->len - (op_status_offset + XDR_UNIT);
+ +		xdr_truncate_encode(xdr, post_err_offset);
+ +	}
+ +	if (so) {
+ +		int len = xdr->buf->len - post_err_offset;
+
+  		so->so_replay.rp_status = op->status;
+++<<<<<<< HEAD
+ +		so->so_replay.rp_buflen = len;
+ +		read_bytes_from_xdr_buf(xdr->buf, post_err_offset,
+++=======
++ 		if (len <= NFSD4_REPLAY_ISIZE) {
++ 			so->so_replay.rp_buflen = len;
++ 			read_bytes_from_xdr_buf(xdr->buf,
++ 						op_status_offset + XDR_UNIT,
+++>>>>>>> 5133b61aaf43 (nfsd: fix heap overflow in NFSv4.0 LOCK replay cache)
+  						so->so_replay.rp_buf, len);
++ 		} else {
++ 			so->so_replay.rp_buflen = 0;
++ 		}
+  	}
+  status:
+ -	op->status = nfsd4_map_status(op->status,
+ -				      resp->cstate.minorversion);
+ -	write_bytes_to_xdr_buf(xdr->buf, op_status_offset,
+ -			       &op->status, XDR_UNIT);
+ +	/* Note that op->status is already in network byte order: */
+ +	write_bytes_to_xdr_buf(xdr->buf, post_err_offset - 4, &op->status, 4);
+  release:
+  	if (opdesc && opdesc->op_release)
+  		opdesc->op_release(&op->u);
+* Unmerged path fs/nfsd/nfs4xdr.c
+diff --git a/fs/nfsd/state.h b/fs/nfsd/state.h
+index fe32ee1b3c89..f8164fbe16da 100644
+--- a/fs/nfsd/state.h
++++ b/fs/nfsd/state.h
+@@ -379,11 +379,18 @@ struct nfs4_client_reclaim {
+ 	struct xdr_netobj	cr_princhash;
+ };
+
+-/* A reasonable value for REPLAY_ISIZE was estimated as follows:  
+- * The OPEN response, typically the largest, requires 
+- *   4(status) + 8(stateid) + 20(changeinfo) + 4(rflags) +  8(verifier) + 
+- *   4(deleg. type) + 8(deleg. stateid) + 4(deleg. recall flag) + 
+- *   20(deleg. space limit) + ~32(deleg. ace) = 112 bytes 
++/*
++ * REPLAY_ISIZE is sized for an OPEN response with delegation:
++ *   4(status) + 8(stateid) + 20(changeinfo) + 4(rflags) +
++ *   8(verifier) + 4(deleg. type) + 8(deleg. stateid) +
++ *   4(deleg. recall flag) + 20(deleg. space limit) +
++ *   ~32(deleg. ace) = 112 bytes
++ *
++ * Some responses can exceed this. A LOCK denial includes the conflicting
++ * lock owner, which can be up to 1024 bytes (NFS4_OPAQUE_LIMIT). Responses
++ * larger than REPLAY_ISIZE are not cached in rp_ibuf; only rp_status is
++ * saved. Enlarging this constant increases the size of every
++ * nfs4_stateowner.
+  */
+
+ #define NFSD4_REPLAY_ISIZE       112