diff --git a/COPYING-6.12.0-124.31.1.el10_1 b/COPYING-6.12.0-124.35.1.el10_1 similarity index 100% rename from COPYING-6.12.0-124.31.1.el10_1 rename to COPYING-6.12.0-124.35.1.el10_1 diff --git a/Documentation/networking/bonding.rst b/Documentation/networking/bonding.rst index 7c8d22d686824..7d86e6a0862cb 100644 --- a/Documentation/networking/bonding.rst +++ b/Documentation/networking/bonding.rst @@ -562,6 +562,12 @@ lacp_rate The default is slow. +broadcast_neighbor + + Option specifying whether to broadcast ARP/ND packets to all + active slaves. This option has no effect in modes other than + 802.3ad mode. The default is off (0). + max_bonds Specifies the number of bonding devices to create for this diff --git a/Makefile.rhelver b/Makefile.rhelver index e4427791af80a..f4fc763e3bbd1 100644 --- a/Makefile.rhelver +++ b/Makefile.rhelver @@ -12,7 +12,7 @@ RHEL_MINOR = 1 # # Use this spot to avoid future merge conflicts. # Do not trim this comment. -RHEL_RELEASE = 124.31.1 +RHEL_RELEASE = 124.35.1 # # RHEL_REBASE_NUM diff --git a/ciq/ciq_backports/kernel-6.12.0-124.35.1.el10_1/41b70df5.failed b/ciq/ciq_backports/kernel-6.12.0-124.35.1.el10_1/41b70df5.failed new file mode 100644 index 0000000000000..77a572a5d81f0 --- /dev/null +++ b/ciq/ciq_backports/kernel-6.12.0-124.35.1.el10_1/41b70df5.failed @@ -0,0 +1,56 @@ +io_uring/net: commit partial buffers on retry + +jira KERNEL-602 +cve CVE-2025-38730 +Rebuild_History Non-Buildable kernel-6.12.0-124.35.1.el10_1 +commit-author Jens Axboe +commit 41b70df5b38bc80967d2e0ed55cc3c3896bba781 +Empty-Commit: Cherry-Pick Conflicts during history rebuild. +Will be included in final tarball splat. Ref for failed cherry-pick at: +ciq/ciq_backports/kernel-6.12.0-124.35.1.el10_1/41b70df5.failed + +Ring provided buffers are potentially only valid within the single +execution context in which they were acquired. io_uring deals with this +and invalidates them on retry. But on the networking side, if +MSG_WAITALL is set, or if the socket is of the streaming type and too +little was processed, then it will hang on to the buffer rather than +recycle or commit it. This is problematic for two reasons: + +1) If someone unregisters the provided buffer ring before a later retry, + then the req->buf_list will no longer be valid. + +2) If multiple sockers are using the same buffer group, then multiple + receives can consume the same memory. This can cause data corruption + in the application, as either receive could land in the same + userspace buffer. + +Fix this by disallowing partial retries from pinning a provided buffer +across multiple executions, if ring provided buffers are used. + + Cc: stable@vger.kernel.org + Reported-by: pt x +Fixes: c56e022c0a27 ("io_uring: add support for user mapped provided buffer ring") + Signed-off-by: Jens Axboe +(cherry picked from commit 41b70df5b38bc80967d2e0ed55cc3c3896bba781) + Signed-off-by: Jonathan Maple + +# Conflicts: +# io_uring/net.c +diff --cc io_uring/net.c +index 18507658a921,d69f2afa4f7a..000000000000 +--- a/io_uring/net.c ++++ b/io_uring/net.c +@@@ -1037,8 -1078,7 +1044,12 @@@ retry_multishot + } + if (ret > 0 && io_net_retry(sock, flags)) { + sr->done_io += ret; +++<<<<<<< HEAD + + req->flags |= REQ_F_BL_NO_RECYCLE; + + return -EAGAIN; +++======= ++ return io_net_kbuf_recyle(req, kmsg, ret); +++>>>>>>> 41b70df5b38b (io_uring/net: commit partial buffers on retry) + } + if (ret == -ERESTARTSYS) + ret = -EINTR; +* Unmerged path io_uring/net.c diff --git a/ciq/ciq_backports/kernel-6.12.0-124.35.1.el10_1/f57e53ea.failed b/ciq/ciq_backports/kernel-6.12.0-124.35.1.el10_1/f57e53ea.failed new file mode 100644 index 0000000000000..715ea873cc74d --- /dev/null +++ b/ciq/ciq_backports/kernel-6.12.0-124.35.1.el10_1/f57e53ea.failed @@ -0,0 +1,113 @@ +smb: client: let recv_done verify data_offset, data_length and remaining_data_length + +jira KERNEL-602 +cve CVE-2025-39933 +Rebuild_History Non-Buildable kernel-6.12.0-124.35.1.el10_1 +commit-author Stefan Metzmacher +commit f57e53ea252363234f86674db475839e5b87102e +Empty-Commit: Cherry-Pick Conflicts during history rebuild. +Will be included in final tarball splat. Ref for failed cherry-pick at: +ciq/ciq_backports/kernel-6.12.0-124.35.1.el10_1/f57e53ea.failed + +This is inspired by the related server fixes. + + Cc: Tom Talpey + Cc: Long Li + Cc: linux-cifs@vger.kernel.org + Cc: samba-technical@lists.samba.org + Reviewed-by: Namjae Jeon +Fixes: f198186aa9bb ("CIFS: SMBD: Establish SMB Direct connection") + Signed-off-by: Stefan Metzmacher + Signed-off-by: Steve French +(cherry picked from commit f57e53ea252363234f86674db475839e5b87102e) + Signed-off-by: Jonathan Maple + +# Conflicts: +# fs/smb/client/smbdirect.c +diff --cc fs/smb/client/smbdirect.c +index 754e94a0e07f,dafa3ed4a630..000000000000 +--- a/fs/smb/client/smbdirect.c ++++ b/fs/smb/client/smbdirect.c +@@@ -454,13 -450,18 +454,25 @@@ static void smbd_post_send_credits(stru + static void recv_done(struct ib_cq *cq, struct ib_wc *wc) + { + struct smbdirect_data_transfer *data_transfer; +++<<<<<<< HEAD + + struct smbd_response *response = + + container_of(wc->wr_cqe, struct smbd_response, cqe); + + struct smbd_connection *info = response->info; + + int data_length = 0; +++======= ++ struct smbdirect_recv_io *response = ++ container_of(wc->wr_cqe, struct smbdirect_recv_io, cqe); ++ struct smbdirect_socket *sc = response->socket; ++ struct smbdirect_socket_parameters *sp = &sc->parameters; ++ struct smbd_connection *info = ++ container_of(sc, struct smbd_connection, socket); ++ u32 data_offset = 0; ++ u32 data_length = 0; ++ u32 remaining_data_length = 0; +++>>>>>>> f57e53ea2523 (smb: client: let recv_done verify data_offset, data_length and remaining_data_length) + + log_rdma_recv(INFO, "response=0x%p type=%d wc status=%d wc opcode %d byte_len=%d pkey_index=%u\n", + - response, sc->recv_io.expected, wc->status, wc->opcode, + + response, response->type, wc->status, wc->opcode, + wc->byte_len, wc->pkey_index); + + if (wc->status != IB_WC_SUCCESS || wc->opcode != IB_WC_RECV) { +@@@ -476,27 -476,39 +488,47 @@@ + response->sge.length, + DMA_FROM_DEVICE); + + - switch (sc->recv_io.expected) { + + switch (response->type) { + /* SMBD negotiation response */ + - case SMBDIRECT_EXPECT_NEGOTIATE_REP: + - dump_smbdirect_negotiate_resp(smbdirect_recv_io_payload(response)); + - sc->recv_io.reassembly.full_packet_received = true; + + case SMBD_NEGOTIATE_RESP: + + dump_smbdirect_negotiate_resp(smbd_response_payload(response)); + + info->full_packet_received = true; + info->negotiate_done = + process_negotiation_response(response, wc->byte_len); + - put_receive_buffer(info, response); + complete(&info->negotiate_completion); + - return; + + break; + + /* SMBD data transfer packet */ +++<<<<<<< HEAD + + case SMBD_TRANSFER_DATA: + + data_transfer = smbd_response_payload(response); +++======= ++ case SMBDIRECT_EXPECT_DATA_TRANSFER: ++ data_transfer = smbdirect_recv_io_payload(response); ++ ++ if (wc->byte_len < ++ offsetof(struct smbdirect_data_transfer, padding)) ++ goto error; ++ ++ remaining_data_length = le32_to_cpu(data_transfer->remaining_data_length); ++ data_offset = le32_to_cpu(data_transfer->data_offset); +++>>>>>>> f57e53ea2523 (smb: client: let recv_done verify data_offset, data_length and remaining_data_length) + data_length = le32_to_cpu(data_transfer->data_length); ++ if (wc->byte_len < data_offset || ++ (u64)wc->byte_len < (u64)data_offset + data_length) ++ goto error; ++ ++ if (remaining_data_length > sp->max_fragmented_recv_size || ++ data_length > sp->max_fragmented_recv_size || ++ (u64)remaining_data_length + (u64)data_length > (u64)sp->max_fragmented_recv_size) ++ goto error; + + + /* + + * If this is a packet with data playload place the data in + + * reassembly queue and wake up the reading thread + + */ + if (data_length) { + - if (sc->recv_io.reassembly.full_packet_received) + + if (info->full_packet_received) + response->first_segment = true; + + if (le32_to_cpu(data_transfer->remaining_data_length)) +* Unmerged path fs/smb/client/smbdirect.c diff --git a/ciq/ciq_backports/kernel-6.12.0-124.35.1.el10_1/rebuild.details.txt b/ciq/ciq_backports/kernel-6.12.0-124.35.1.el10_1/rebuild.details.txt new file mode 100644 index 0000000000000..e669dda856fed --- /dev/null +++ b/ciq/ciq_backports/kernel-6.12.0-124.35.1.el10_1/rebuild.details.txt @@ -0,0 +1,23 @@ +Rebuild_History BUILDABLE +Rebuilding Kernel from rpm changelog with Fuzz Limit: 87.50% +Number of commits in upstream range v6.12~1..kernel-mainline: 93416 +Number of commits in rpm: 20 +Number of commits matched with upstream: 15 (75.00%) +Number of commits in upstream but not in rpm: 93401 +Number of commits NOT found in upstream: 5 (25.00%) + +Rebuilding Kernel on Branch rocky10_1_rebuild_kernel-6.12.0-124.35.1.el10_1 for kernel-6.12.0-124.35.1.el10_1 +Clean Cherry Picks: 13 (86.67%) +Empty Cherry Picks: 2 (13.33%) +_______________________________ + +__EMPTY COMMITS__________________________ +f57e53ea252363234f86674db475839e5b87102e smb: client: let recv_done verify data_offset, data_length and remaining_data_length +41b70df5b38bc80967d2e0ed55cc3c3896bba781 io_uring/net: commit partial buffers on retry + +__CHANGES NOT IN UPSTREAM________________ +Add partial riscv64 support for build root' +Provide basic VisionFive 2 support' +Patch MMU for riscv64' +ice: Fix kernel panic due to page refcount underflow +ice: prevent NULL deref in ice_lag_move_new_vf_nodes() diff --git a/configs/kernel-6.12.0-aarch64-64k-debug.config b/configs/kernel-6.12.0-aarch64-64k-debug.config index 976f7ddcc1fa1..89c63ec931d57 100644 --- a/configs/kernel-6.12.0-aarch64-64k-debug.config +++ b/configs/kernel-6.12.0-aarch64-64k-debug.config @@ -12,8 +12,8 @@ CONFIG_AS_VERSION=25000 CONFIG_LD_IS_BFD=y CONFIG_LD_VERSION=25000 CONFIG_LLD_VERSION=0 -CONFIG_RUSTC_VERSION=0 -CONFIG_RUSTC_LLVM_VERSION=0 +CONFIG_RUSTC_VERSION=107600 +CONFIG_RUSTC_LLVM_VERSION=170006 CONFIG_CC_CAN_LINK=y CONFIG_CC_CAN_LINK_STATIC=y CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y diff --git a/configs/kernel-6.12.0-aarch64-64k.config b/configs/kernel-6.12.0-aarch64-64k.config index fc1423961a733..2c31913a36ffd 100644 --- a/configs/kernel-6.12.0-aarch64-64k.config +++ b/configs/kernel-6.12.0-aarch64-64k.config @@ -12,8 +12,8 @@ CONFIG_AS_VERSION=25000 CONFIG_LD_IS_BFD=y CONFIG_LD_VERSION=25000 CONFIG_LLD_VERSION=0 -CONFIG_RUSTC_VERSION=0 -CONFIG_RUSTC_LLVM_VERSION=0 +CONFIG_RUSTC_VERSION=107600 +CONFIG_RUSTC_LLVM_VERSION=170006 CONFIG_CC_CAN_LINK=y CONFIG_CC_CAN_LINK_STATIC=y CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y diff --git a/configs/kernel-6.12.0-aarch64-debug.config b/configs/kernel-6.12.0-aarch64-debug.config index eba77102fc2a5..897ec5ee1ca2a 100644 --- a/configs/kernel-6.12.0-aarch64-debug.config +++ b/configs/kernel-6.12.0-aarch64-debug.config @@ -12,8 +12,8 @@ CONFIG_AS_VERSION=25000 CONFIG_LD_IS_BFD=y CONFIG_LD_VERSION=25000 CONFIG_LLD_VERSION=0 -CONFIG_RUSTC_VERSION=0 -CONFIG_RUSTC_LLVM_VERSION=0 +CONFIG_RUSTC_VERSION=107600 +CONFIG_RUSTC_LLVM_VERSION=170006 CONFIG_CC_CAN_LINK=y CONFIG_CC_CAN_LINK_STATIC=y CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y diff --git a/configs/kernel-6.12.0-aarch64-rt-64k-debug.config b/configs/kernel-6.12.0-aarch64-rt-64k-debug.config index 36a9ea924e736..f9a446a620d3b 100644 --- a/configs/kernel-6.12.0-aarch64-rt-64k-debug.config +++ b/configs/kernel-6.12.0-aarch64-rt-64k-debug.config @@ -12,8 +12,8 @@ CONFIG_AS_VERSION=25000 CONFIG_LD_IS_BFD=y CONFIG_LD_VERSION=25000 CONFIG_LLD_VERSION=0 -CONFIG_RUSTC_VERSION=0 -CONFIG_RUSTC_LLVM_VERSION=0 +CONFIG_RUSTC_VERSION=107600 +CONFIG_RUSTC_LLVM_VERSION=170006 CONFIG_CC_CAN_LINK=y CONFIG_CC_CAN_LINK_STATIC=y CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y diff --git a/configs/kernel-6.12.0-aarch64-rt-64k.config b/configs/kernel-6.12.0-aarch64-rt-64k.config index a94f969fd853d..da134a98df4b9 100644 --- a/configs/kernel-6.12.0-aarch64-rt-64k.config +++ b/configs/kernel-6.12.0-aarch64-rt-64k.config @@ -12,8 +12,8 @@ CONFIG_AS_VERSION=25000 CONFIG_LD_IS_BFD=y CONFIG_LD_VERSION=25000 CONFIG_LLD_VERSION=0 -CONFIG_RUSTC_VERSION=0 -CONFIG_RUSTC_LLVM_VERSION=0 +CONFIG_RUSTC_VERSION=107600 +CONFIG_RUSTC_LLVM_VERSION=170006 CONFIG_CC_CAN_LINK=y CONFIG_CC_CAN_LINK_STATIC=y CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y diff --git a/configs/kernel-6.12.0-aarch64-rt-debug.config b/configs/kernel-6.12.0-aarch64-rt-debug.config index a8003d73aed0e..a54e5e6e98e19 100644 --- a/configs/kernel-6.12.0-aarch64-rt-debug.config +++ b/configs/kernel-6.12.0-aarch64-rt-debug.config @@ -12,8 +12,8 @@ CONFIG_AS_VERSION=25000 CONFIG_LD_IS_BFD=y CONFIG_LD_VERSION=25000 CONFIG_LLD_VERSION=0 -CONFIG_RUSTC_VERSION=0 -CONFIG_RUSTC_LLVM_VERSION=0 +CONFIG_RUSTC_VERSION=107600 +CONFIG_RUSTC_LLVM_VERSION=170006 CONFIG_CC_CAN_LINK=y CONFIG_CC_CAN_LINK_STATIC=y CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y diff --git a/configs/kernel-6.12.0-aarch64-rt.config b/configs/kernel-6.12.0-aarch64-rt.config index dc5ad05892136..1cd5fe06c54cf 100644 --- a/configs/kernel-6.12.0-aarch64-rt.config +++ b/configs/kernel-6.12.0-aarch64-rt.config @@ -12,8 +12,8 @@ CONFIG_AS_VERSION=25000 CONFIG_LD_IS_BFD=y CONFIG_LD_VERSION=25000 CONFIG_LLD_VERSION=0 -CONFIG_RUSTC_VERSION=0 -CONFIG_RUSTC_LLVM_VERSION=0 +CONFIG_RUSTC_VERSION=107600 +CONFIG_RUSTC_LLVM_VERSION=170006 CONFIG_CC_CAN_LINK=y CONFIG_CC_CAN_LINK_STATIC=y CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y diff --git a/configs/kernel-6.12.0-aarch64.config b/configs/kernel-6.12.0-aarch64.config index 2d579b0dbaeef..d128a41b44560 100644 --- a/configs/kernel-6.12.0-aarch64.config +++ b/configs/kernel-6.12.0-aarch64.config @@ -12,8 +12,8 @@ CONFIG_AS_VERSION=25000 CONFIG_LD_IS_BFD=y CONFIG_LD_VERSION=25000 CONFIG_LLD_VERSION=0 -CONFIG_RUSTC_VERSION=0 -CONFIG_RUSTC_LLVM_VERSION=0 +CONFIG_RUSTC_VERSION=107600 +CONFIG_RUSTC_LLVM_VERSION=170006 CONFIG_CC_CAN_LINK=y CONFIG_CC_CAN_LINK_STATIC=y CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y diff --git a/configs/kernel-6.12.0-ppc64le-debug.config b/configs/kernel-6.12.0-ppc64le-debug.config index ce940a7303a4f..ccfa3eca8218d 100644 --- a/configs/kernel-6.12.0-ppc64le-debug.config +++ b/configs/kernel-6.12.0-ppc64le-debug.config @@ -12,8 +12,8 @@ CONFIG_AS_VERSION=25000 CONFIG_LD_IS_BFD=y CONFIG_LD_VERSION=25000 CONFIG_LLD_VERSION=0 -CONFIG_RUSTC_VERSION=0 -CONFIG_RUSTC_LLVM_VERSION=0 +CONFIG_RUSTC_VERSION=107600 +CONFIG_RUSTC_LLVM_VERSION=170006 CONFIG_CC_CAN_LINK=y CONFIG_CC_CAN_LINK_STATIC=y CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y diff --git a/configs/kernel-6.12.0-ppc64le.config b/configs/kernel-6.12.0-ppc64le.config index ec814991e2f15..bd9863680037a 100644 --- a/configs/kernel-6.12.0-ppc64le.config +++ b/configs/kernel-6.12.0-ppc64le.config @@ -12,8 +12,8 @@ CONFIG_AS_VERSION=25000 CONFIG_LD_IS_BFD=y CONFIG_LD_VERSION=25000 CONFIG_LLD_VERSION=0 -CONFIG_RUSTC_VERSION=0 -CONFIG_RUSTC_LLVM_VERSION=0 +CONFIG_RUSTC_VERSION=107600 +CONFIG_RUSTC_LLVM_VERSION=170006 CONFIG_CC_CAN_LINK=y CONFIG_CC_CAN_LINK_STATIC=y CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y diff --git a/configs/kernel-6.12.0-riscv64-debug.config b/configs/kernel-6.12.0-riscv64-debug.config index f674761392764..7e32eee0b294c 100644 --- a/configs/kernel-6.12.0-riscv64-debug.config +++ b/configs/kernel-6.12.0-riscv64-debug.config @@ -12,8 +12,8 @@ CONFIG_AS_VERSION=25000 CONFIG_LD_IS_BFD=y CONFIG_LD_VERSION=25000 CONFIG_LLD_VERSION=0 -CONFIG_RUSTC_VERSION=0 -CONFIG_RUSTC_LLVM_VERSION=0 +CONFIG_RUSTC_VERSION=107600 +CONFIG_RUSTC_LLVM_VERSION=170006 CONFIG_CC_CAN_LINK=y CONFIG_CC_CAN_LINK_STATIC=y CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y diff --git a/configs/kernel-6.12.0-riscv64.config b/configs/kernel-6.12.0-riscv64.config index 71b88b3cf4fd4..48594fde160c2 100644 --- a/configs/kernel-6.12.0-riscv64.config +++ b/configs/kernel-6.12.0-riscv64.config @@ -12,8 +12,8 @@ CONFIG_AS_VERSION=25000 CONFIG_LD_IS_BFD=y CONFIG_LD_VERSION=25000 CONFIG_LLD_VERSION=0 -CONFIG_RUSTC_VERSION=0 -CONFIG_RUSTC_LLVM_VERSION=0 +CONFIG_RUSTC_VERSION=107600 +CONFIG_RUSTC_LLVM_VERSION=170006 CONFIG_CC_CAN_LINK=y CONFIG_CC_CAN_LINK_STATIC=y CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y diff --git a/configs/kernel-6.12.0-s390x-debug.config b/configs/kernel-6.12.0-s390x-debug.config index d3d4295cf6585..f84080c298096 100644 --- a/configs/kernel-6.12.0-s390x-debug.config +++ b/configs/kernel-6.12.0-s390x-debug.config @@ -12,8 +12,8 @@ CONFIG_AS_VERSION=25000 CONFIG_LD_IS_BFD=y CONFIG_LD_VERSION=25000 CONFIG_LLD_VERSION=0 -CONFIG_RUSTC_VERSION=0 -CONFIG_RUSTC_LLVM_VERSION=0 +CONFIG_RUSTC_VERSION=107600 +CONFIG_RUSTC_LLVM_VERSION=170006 CONFIG_CC_CAN_LINK=y CONFIG_CC_CAN_LINK_STATIC=y CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y diff --git a/configs/kernel-6.12.0-s390x-zfcpdump.config b/configs/kernel-6.12.0-s390x-zfcpdump.config index effc3271fcd5d..c65275e81257d 100644 --- a/configs/kernel-6.12.0-s390x-zfcpdump.config +++ b/configs/kernel-6.12.0-s390x-zfcpdump.config @@ -12,8 +12,8 @@ CONFIG_AS_VERSION=25000 CONFIG_LD_IS_BFD=y CONFIG_LD_VERSION=25000 CONFIG_LLD_VERSION=0 -CONFIG_RUSTC_VERSION=0 -CONFIG_RUSTC_LLVM_VERSION=0 +CONFIG_RUSTC_VERSION=107600 +CONFIG_RUSTC_LLVM_VERSION=170006 CONFIG_CC_CAN_LINK=y CONFIG_CC_CAN_LINK_STATIC=y CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y diff --git a/configs/kernel-6.12.0-s390x.config b/configs/kernel-6.12.0-s390x.config index d37af0a3b5589..d61c6b9108897 100644 --- a/configs/kernel-6.12.0-s390x.config +++ b/configs/kernel-6.12.0-s390x.config @@ -12,8 +12,8 @@ CONFIG_AS_VERSION=25000 CONFIG_LD_IS_BFD=y CONFIG_LD_VERSION=25000 CONFIG_LLD_VERSION=0 -CONFIG_RUSTC_VERSION=0 -CONFIG_RUSTC_LLVM_VERSION=0 +CONFIG_RUSTC_VERSION=107600 +CONFIG_RUSTC_LLVM_VERSION=170006 CONFIG_CC_CAN_LINK=y CONFIG_CC_CAN_LINK_STATIC=y CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y diff --git a/configs/kernel-6.12.0-x86_64-debug.config b/configs/kernel-6.12.0-x86_64-debug.config index fa3044c4ab3ba..94d09a557b775 100644 --- a/configs/kernel-6.12.0-x86_64-debug.config +++ b/configs/kernel-6.12.0-x86_64-debug.config @@ -12,8 +12,8 @@ CONFIG_AS_VERSION=25000 CONFIG_LD_IS_BFD=y CONFIG_LD_VERSION=25000 CONFIG_LLD_VERSION=0 -CONFIG_RUSTC_VERSION=0 -CONFIG_RUSTC_LLVM_VERSION=0 +CONFIG_RUSTC_VERSION=107600 +CONFIG_RUSTC_LLVM_VERSION=170006 CONFIG_CC_CAN_LINK=y CONFIG_CC_CAN_LINK_STATIC=y CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y diff --git a/configs/kernel-6.12.0-x86_64-rt-debug.config b/configs/kernel-6.12.0-x86_64-rt-debug.config index 4df603849d15e..ebf9dd7915a3b 100644 --- a/configs/kernel-6.12.0-x86_64-rt-debug.config +++ b/configs/kernel-6.12.0-x86_64-rt-debug.config @@ -12,8 +12,8 @@ CONFIG_AS_VERSION=25000 CONFIG_LD_IS_BFD=y CONFIG_LD_VERSION=25000 CONFIG_LLD_VERSION=0 -CONFIG_RUSTC_VERSION=0 -CONFIG_RUSTC_LLVM_VERSION=0 +CONFIG_RUSTC_VERSION=107600 +CONFIG_RUSTC_LLVM_VERSION=170006 CONFIG_CC_CAN_LINK=y CONFIG_CC_CAN_LINK_STATIC=y CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y diff --git a/configs/kernel-6.12.0-x86_64-rt.config b/configs/kernel-6.12.0-x86_64-rt.config index b01bf080db1b3..ce4a536a71663 100644 --- a/configs/kernel-6.12.0-x86_64-rt.config +++ b/configs/kernel-6.12.0-x86_64-rt.config @@ -12,8 +12,8 @@ CONFIG_AS_VERSION=25000 CONFIG_LD_IS_BFD=y CONFIG_LD_VERSION=25000 CONFIG_LLD_VERSION=0 -CONFIG_RUSTC_VERSION=0 -CONFIG_RUSTC_LLVM_VERSION=0 +CONFIG_RUSTC_VERSION=107600 +CONFIG_RUSTC_LLVM_VERSION=170006 CONFIG_CC_CAN_LINK=y CONFIG_CC_CAN_LINK_STATIC=y CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y diff --git a/configs/kernel-6.12.0-x86_64.config b/configs/kernel-6.12.0-x86_64.config index c3fa4c155bd38..00afa86d9d1ea 100644 --- a/configs/kernel-6.12.0-x86_64.config +++ b/configs/kernel-6.12.0-x86_64.config @@ -12,8 +12,8 @@ CONFIG_AS_VERSION=25000 CONFIG_LD_IS_BFD=y CONFIG_LD_VERSION=25000 CONFIG_LLD_VERSION=0 -CONFIG_RUSTC_VERSION=0 -CONFIG_RUSTC_LLVM_VERSION=0 +CONFIG_RUSTC_VERSION=107600 +CONFIG_RUSTC_LLVM_VERSION=170006 CONFIG_CC_CAN_LINK=y CONFIG_CC_CAN_LINK_STATIC=y CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c index 8aacbe40ec017..483671421a68d 100644 --- a/drivers/net/bonding/bond_main.c +++ b/drivers/net/bonding/bond_main.c @@ -211,6 +211,8 @@ atomic_t netpoll_block_tx = ATOMIC_INIT(0); unsigned int bond_net_id __read_mostly; +DEFINE_STATIC_KEY_FALSE(bond_bcast_neigh_enabled); + static const struct flow_dissector_key flow_keys_bonding_keys[] = { { .key_id = FLOW_DISSECTOR_KEY_CONTROL, @@ -2364,7 +2366,9 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev, unblock_netpoll_tx(); } - if (bond_mode_can_use_xmit_hash(bond)) + /* broadcast mode uses the all_slaves to loop through slaves. */ + if (bond_mode_can_use_xmit_hash(bond) || + BOND_MODE(bond) == BOND_MODE_BROADCAST) bond_update_slave_arr(bond, NULL); if (!slave_dev->netdev_ops->ndo_bpf || @@ -2540,7 +2544,8 @@ static int __bond_release_one(struct net_device *bond_dev, bond_upper_dev_unlink(bond, slave); - if (bond_mode_can_use_xmit_hash(bond)) + if (bond_mode_can_use_xmit_hash(bond) || + BOND_MODE(bond) == BOND_MODE_BROADCAST) bond_update_slave_arr(bond, slave); slave_info(bond_dev, slave_dev, "Releasing %s interface\n", @@ -4450,6 +4455,9 @@ static int bond_open(struct net_device *bond_dev) bond_for_each_slave(bond, slave, iter) dev_mc_add(slave->dev, lacpdu_mcast_addr); + + if (bond->params.broadcast_neighbor) + static_branch_inc(&bond_bcast_neigh_enabled); } if (bond_mode_can_use_xmit_hash(bond)) @@ -4469,6 +4477,10 @@ static int bond_close(struct net_device *bond_dev) bond_alb_deinitialize(bond); bond->recv_probe = NULL; + if (BOND_MODE(bond) == BOND_MODE_8023AD && + bond->params.broadcast_neighbor) + static_branch_dec(&bond_bcast_neigh_enabled); + if (bond_uses_primary(bond)) { rcu_read_lock(); slave = rcu_dereference(bond->curr_active_slave); @@ -5305,6 +5317,37 @@ static struct slave *bond_xdp_xmit_3ad_xor_slave_get(struct bonding *bond, return slaves->arr[hash % count]; } +static bool bond_should_broadcast_neighbor(struct sk_buff *skb, + struct net_device *dev) +{ + struct bonding *bond = netdev_priv(dev); + struct { + struct ipv6hdr ip6; + struct icmp6hdr icmp6; + } *combined, _combined; + + if (!static_branch_unlikely(&bond_bcast_neigh_enabled)) + return false; + + if (!bond->params.broadcast_neighbor) + return false; + + if (skb->protocol == htons(ETH_P_ARP)) + return true; + + if (skb->protocol == htons(ETH_P_IPV6)) { + combined = skb_header_pointer(skb, skb_mac_header_len(skb), + sizeof(_combined), + &_combined); + if (combined && combined->ip6.nexthdr == NEXTHDR_ICMP && + (combined->icmp6.icmp6_type == NDISC_NEIGHBOUR_SOLICITATION || + combined->icmp6.icmp6_type == NDISC_NEIGHBOUR_ADVERTISEMENT)) + return true; + } + + return false; +} + /* Use this Xmit function for 3AD as well as XOR modes. The current * usable slave array is formed in the control path. The xmit function * just calculates hash and sends the packet out. @@ -5324,17 +5367,27 @@ static netdev_tx_t bond_3ad_xor_xmit(struct sk_buff *skb, return bond_tx_drop(dev, skb); } -/* in broadcast mode, we send everything to all usable interfaces. */ +/* in broadcast mode, we send everything to all or usable slave interfaces. + * under rcu_read_lock when this function is called. + */ static netdev_tx_t bond_xmit_broadcast(struct sk_buff *skb, - struct net_device *bond_dev) + struct net_device *bond_dev, + bool all_slaves) { struct bonding *bond = netdev_priv(bond_dev); - struct slave *slave = NULL; - struct list_head *iter; + struct bond_up_slave *slaves; bool xmit_suc = false; bool skb_used = false; + int slaves_count, i; - bond_for_each_slave_rcu(bond, slave, iter) { + if (all_slaves) + slaves = rcu_dereference(bond->all_slaves); + else + slaves = rcu_dereference(bond->usable_slaves); + + slaves_count = slaves ? READ_ONCE(slaves->count) : 0; + for (i = 0; i < slaves_count; i++) { + struct slave *slave = slaves->arr[i]; struct sk_buff *skb2; if (!(bond_slave_is_up(slave) && slave->link == BOND_LINK_UP)) @@ -5572,10 +5625,13 @@ static netdev_tx_t __bond_start_xmit(struct sk_buff *skb, struct net_device *dev case BOND_MODE_ACTIVEBACKUP: return bond_xmit_activebackup(skb, dev); case BOND_MODE_8023AD: + if (bond_should_broadcast_neighbor(skb, dev)) + return bond_xmit_broadcast(skb, dev, false); + fallthrough; case BOND_MODE_XOR: return bond_3ad_xor_xmit(skb, dev); case BOND_MODE_BROADCAST: - return bond_xmit_broadcast(skb, dev); + return bond_xmit_broadcast(skb, dev, true); case BOND_MODE_ALB: return bond_alb_xmit(skb, dev); case BOND_MODE_TLB: @@ -6451,6 +6507,7 @@ static int __init bond_check_params(struct bond_params *params) eth_zero_addr(params->ad_actor_system); params->ad_user_port_key = ad_user_port_key; params->coupled_control = 1; + params->broadcast_neighbor = 0; if (packets_per_slave > 0) { params->reciprocal_packets_per_slave = reciprocal_value(packets_per_slave); diff --git a/drivers/net/bonding/bond_netlink.c b/drivers/net/bonding/bond_netlink.c index 2a6a424806aa6..b057d89942dc2 100644 --- a/drivers/net/bonding/bond_netlink.c +++ b/drivers/net/bonding/bond_netlink.c @@ -124,6 +124,7 @@ static const struct nla_policy bond_policy[IFLA_BOND_MAX + 1] = { [IFLA_BOND_MISSED_MAX] = { .type = NLA_U8 }, [IFLA_BOND_NS_IP6_TARGET] = { .type = NLA_NESTED }, [IFLA_BOND_COUPLED_CONTROL] = { .type = NLA_U8 }, + [IFLA_BOND_BROADCAST_NEIGH] = { .type = NLA_U8 }, }; static const struct nla_policy bond_slave_policy[IFLA_BOND_SLAVE_MAX + 1] = { @@ -561,6 +562,16 @@ static int bond_changelink(struct net_device *bond_dev, struct nlattr *tb[], return err; } + if (data[IFLA_BOND_BROADCAST_NEIGH]) { + int broadcast_neigh = nla_get_u8(data[IFLA_BOND_BROADCAST_NEIGH]); + + bond_opt_initval(&newval, broadcast_neigh); + err = __bond_opt_set(bond, BOND_OPT_BROADCAST_NEIGH, &newval, + data[IFLA_BOND_BROADCAST_NEIGH], extack); + if (err) + return err; + } + return 0; } @@ -628,6 +639,7 @@ static size_t bond_get_size(const struct net_device *bond_dev) nla_total_size(sizeof(struct nlattr)) + nla_total_size(sizeof(struct in6_addr)) * BOND_MAX_NS_TARGETS + nla_total_size(sizeof(u8)) + /* IFLA_BOND_COUPLED_CONTROL */ + nla_total_size(sizeof(u8)) + /* IFLA_BOND_BROADCAST_NEIGH */ 0; } @@ -791,6 +803,10 @@ static int bond_fill_info(struct sk_buff *skb, bond->params.coupled_control)) goto nla_put_failure; + if (nla_put_u8(skb, IFLA_BOND_BROADCAST_NEIGH, + bond->params.broadcast_neighbor)) + goto nla_put_failure; + if (BOND_MODE(bond) == BOND_MODE_8023AD) { struct ad_info info; diff --git a/drivers/net/bonding/bond_options.c b/drivers/net/bonding/bond_options.c index 91893c29b8995..1d639a3be6bac 100644 --- a/drivers/net/bonding/bond_options.c +++ b/drivers/net/bonding/bond_options.c @@ -87,6 +87,8 @@ static int bond_option_missed_max_set(struct bonding *bond, const struct bond_opt_value *newval); static int bond_option_coupled_control_set(struct bonding *bond, const struct bond_opt_value *newval); +static int bond_option_broadcast_neigh_set(struct bonding *bond, + const struct bond_opt_value *newval); static const struct bond_opt_value bond_mode_tbl[] = { { "balance-rr", BOND_MODE_ROUNDROBIN, BOND_VALFLAG_DEFAULT}, @@ -240,6 +242,12 @@ static const struct bond_opt_value bond_coupled_control_tbl[] = { { NULL, -1, 0}, }; +static const struct bond_opt_value bond_broadcast_neigh_tbl[] = { + { "off", 0, BOND_VALFLAG_DEFAULT}, + { "on", 1, 0}, + { NULL, -1, 0} +}; + static const struct bond_option bond_opts[BOND_OPT_LAST] = { [BOND_OPT_MODE] = { .id = BOND_OPT_MODE, @@ -513,6 +521,14 @@ static const struct bond_option bond_opts[BOND_OPT_LAST] = { .flags = BOND_OPTFLAG_IFDOWN, .values = bond_coupled_control_tbl, .set = bond_option_coupled_control_set, + }, + [BOND_OPT_BROADCAST_NEIGH] = { + .id = BOND_OPT_BROADCAST_NEIGH, + .name = "broadcast_neighbor", + .desc = "Broadcast neighbor packets to all active slaves", + .unsuppmodes = BOND_MODE_ALL_EX(BIT(BOND_MODE_8023AD)), + .values = bond_broadcast_neigh_tbl, + .set = bond_option_broadcast_neigh_set, } }; @@ -894,6 +910,13 @@ static int bond_option_mode_set(struct bonding *bond, bond->params.arp_validate = BOND_ARP_VALIDATE_NONE; bond->params.mode = newval->value; + /* When changing mode, the bond device is down, we may reduce + * the bond_bcast_neigh_enabled in bond_close() if broadcast_neighbor + * enabled in 8023ad mode. Therefore, only clear broadcast_neighbor + * to 0. + */ + bond->params.broadcast_neighbor = 0; + if (bond->dev->reg_state == NETREG_REGISTERED) { bool update = false; @@ -1840,3 +1863,22 @@ static int bond_option_coupled_control_set(struct bonding *bond, bond->params.coupled_control = newval->value; return 0; } + +static int bond_option_broadcast_neigh_set(struct bonding *bond, + const struct bond_opt_value *newval) +{ + if (bond->params.broadcast_neighbor == newval->value) + return 0; + + bond->params.broadcast_neighbor = newval->value; + if (bond->dev->flags & IFF_UP) { + if (bond->params.broadcast_neighbor) + static_branch_inc(&bond_bcast_neigh_enabled); + else + static_branch_dec(&bond_bcast_neigh_enabled); + } + + netdev_dbg(bond->dev, "Setting broadcast_neighbor to %s (%llu)\n", + newval->string, newval->value); + return 0; +} diff --git a/drivers/net/ethernet/intel/ice/ice_lag.c b/drivers/net/ethernet/intel/ice/ice_lag.c index 2410aee59fb2d..1b3b1776e8fbc 100644 --- a/drivers/net/ethernet/intel/ice/ice_lag.c +++ b/drivers/net/ethernet/intel/ice/ice_lag.c @@ -704,7 +704,7 @@ void ice_lag_move_new_vf_nodes(struct ice_vf *vf) lag = pf->lag; mutex_lock(&pf->lag_mutex); - if (!lag->bonded) + if (!lag || !lag->bonded) goto new_vf_unlock; pri_port = pf->hw.port_info->lport; diff --git a/drivers/net/ethernet/intel/ice/ice_txrx.c b/drivers/net/ethernet/intel/ice/ice_txrx.c index 72de666acc362..1cfb9b52ac189 100644 --- a/drivers/net/ethernet/intel/ice/ice_txrx.c +++ b/drivers/net/ethernet/intel/ice/ice_txrx.c @@ -919,8 +919,10 @@ ice_get_rx_buf(struct ice_rx_ring *rx_ring, const unsigned int size, rx_buf = &rx_ring->rx_buf[ntc]; prefetchw(rx_buf->page); - if (!size) + if (!size) { + rx_buf->pagecnt_bias--; return rx_buf; + } /* we are reusing so sync this buffer for CPU use */ dma_sync_single_range_for_cpu(rx_ring->dev, rx_buf->dma, rx_buf->page_offset, size, diff --git a/drivers/video/fbdev/core/bitblit.c b/drivers/video/fbdev/core/bitblit.c index 3ff1b2a8659e8..525c1b4c60fc2 100644 --- a/drivers/video/fbdev/core/bitblit.c +++ b/drivers/video/fbdev/core/bitblit.c @@ -80,12 +80,16 @@ static inline void bit_putcs_aligned(struct vc_data *vc, struct fb_info *info, struct fb_image *image, u8 *buf, u8 *dst) { u16 charmask = vc->vc_hi_font_mask ? 0x1ff : 0xff; + unsigned int charcnt = vc->vc_font.charcount; u32 idx = vc->vc_font.width >> 3; u8 *src; while (cnt--) { - src = vc->vc_font.data + (scr_readw(s++)& - charmask)*cellsize; + u16 ch = scr_readw(s++) & charmask; + + if (ch >= charcnt) + ch = 0; + src = vc->vc_font.data + (unsigned int)ch * cellsize; if (attr) { update_attr(buf, src, attr, vc); @@ -113,14 +117,18 @@ static inline void bit_putcs_unaligned(struct vc_data *vc, u8 *dst) { u16 charmask = vc->vc_hi_font_mask ? 0x1ff : 0xff; + unsigned int charcnt = vc->vc_font.charcount; u32 shift_low = 0, mod = vc->vc_font.width % 8; u32 shift_high = 8; u32 idx = vc->vc_font.width >> 3; u8 *src; while (cnt--) { - src = vc->vc_font.data + (scr_readw(s++)& - charmask)*cellsize; + u16 ch = scr_readw(s++) & charmask; + + if (ch >= charcnt) + ch = 0; + src = vc->vc_font.data + (unsigned int)ch * cellsize; if (attr) { update_attr(buf, src, attr, vc); @@ -161,6 +169,11 @@ static void bit_putcs(struct vc_data *vc, struct fb_info *info, image.height = vc->vc_font.height; image.depth = 1; + if (image.dy >= info->var.yres) + return; + + image.height = min(image.height, info->var.yres - image.dy); + if (attribute) { buf = kmalloc(cellsize, GFP_ATOMIC); if (!buf) @@ -174,6 +187,18 @@ static void bit_putcs(struct vc_data *vc, struct fb_info *info, cnt = count; image.width = vc->vc_font.width * cnt; + + if (image.dx >= info->var.xres) + break; + + if (image.dx + image.width > info->var.xres) { + image.width = info->var.xres - image.dx; + cnt = image.width / vc->vc_font.width; + if (cnt == 0) + break; + image.width = cnt * vc->vc_font.width; + } + pitch = DIV_ROUND_UP(image.width, 8) + scan_align; pitch &= ~scan_align; size = pitch * image.height + buf_align; diff --git a/fs/exec.c b/fs/exec.c index da51ca70489ac..2c6e61139ac78 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1190,16 +1190,16 @@ static int unshare_sighand(struct task_struct *me) } /* - * These functions flushes out all traces of the currently running executable - * so that a new one can be started + * This is unlocked -- the string will always be NUL-terminated, but + * may show overlapping contents if racing concurrent reads. */ - void __set_task_comm(struct task_struct *tsk, const char *buf, bool exec) { - task_lock(tsk); + size_t len = min(strlen(buf), sizeof(tsk->comm) - 1); + trace_task_rename(tsk, buf); - strscpy_pad(tsk->comm, buf, sizeof(tsk->comm)); - task_unlock(tsk); + memcpy(tsk->comm, buf, len); + memset(&tsk->comm[len], 0, sizeof(tsk->comm) - len); perf_event_comm(tsk, exec); } diff --git a/fs/smb/client/smbdirect.c b/fs/smb/client/smbdirect.c index 754e94a0e07f5..6947b89247ebc 100644 --- a/fs/smb/client/smbdirect.c +++ b/fs/smb/client/smbdirect.c @@ -457,7 +457,11 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc) struct smbd_response *response = container_of(wc->wr_cqe, struct smbd_response, cqe); struct smbd_connection *info = response->info; - int data_length = 0; + struct smbdirect_socket *sc = &info->socket; + struct smbdirect_socket_parameters *sp = &sc->parameters; + u32 data_offset = 0; + u32 data_length = 0; + u32 remaining_data_length = 0; log_rdma_recv(INFO, "response=0x%p type=%d wc status=%d wc opcode %d byte_len=%d pkey_index=%u\n", response, response->type, wc->status, wc->opcode, @@ -489,7 +493,22 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc) /* SMBD data transfer packet */ case SMBD_TRANSFER_DATA: data_transfer = smbd_response_payload(response); + + if (wc->byte_len < + offsetof(struct smbdirect_data_transfer, padding)) + goto error; + + remaining_data_length = le32_to_cpu(data_transfer->remaining_data_length); + data_offset = le32_to_cpu(data_transfer->data_offset); data_length = le32_to_cpu(data_transfer->data_length); + if (wc->byte_len < data_offset || + (u64)wc->byte_len < (u64)data_offset + data_length) + goto error; + + if (remaining_data_length > sp->max_fragmented_recv_size || + data_length > sp->max_fragmented_recv_size || + (u64)remaining_data_length + (u64)data_length > (u64)sp->max_fragmented_recv_size) + goto error; /* * If this is a packet with data playload place the data in diff --git a/fs/squashfs/super.c b/fs/squashfs/super.c index 22e812808e5cf..494d21777ed00 100644 --- a/fs/squashfs/super.c +++ b/fs/squashfs/super.c @@ -187,10 +187,15 @@ static int squashfs_fill_super(struct super_block *sb, struct fs_context *fc) unsigned short flags; unsigned int fragments; u64 lookup_table_start, xattr_id_table_start, next_table; - int err; + int err, devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE); TRACE("Entered squashfs_fill_superblock\n"); + if (!devblksize) { + errorf(fc, "squashfs: unable to set blocksize\n"); + return -EINVAL; + } + sb->s_fs_info = kzalloc(sizeof(*msblk), GFP_KERNEL); if (sb->s_fs_info == NULL) { ERROR("Failed to allocate squashfs_sb_info\n"); @@ -201,7 +206,7 @@ static int squashfs_fill_super(struct super_block *sb, struct fs_context *fc) msblk->panic_on_errors = (opts->errors == Opt_errors_panic); - msblk->devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE); + msblk->devblksize = devblksize; msblk->devblksize_log2 = ffz(~msblk->devblksize); mutex_init(&msblk->meta_index_mutex); diff --git a/include/linux/sched.h b/include/linux/sched.h index 88aa76e84f246..5f5986b0ea56d 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -1992,11 +1992,10 @@ static inline void kick_process(struct task_struct *tsk) { } #endif extern void __set_task_comm(struct task_struct *tsk, const char *from, bool exec); - -static inline void set_task_comm(struct task_struct *tsk, const char *from) -{ - __set_task_comm(tsk, from, false); -} +#define set_task_comm(tsk, from) ({ \ + BUILD_BUG_ON(sizeof(from) != TASK_COMM_LEN); \ + __set_task_comm(tsk, from, false); \ +}) /* * - Why not use task_lock()? diff --git a/include/net/bond_options.h b/include/net/bond_options.h index 18687ccf06383..022b122a9fb61 100644 --- a/include/net/bond_options.h +++ b/include/net/bond_options.h @@ -77,6 +77,7 @@ enum { BOND_OPT_NS_TARGETS, BOND_OPT_PRIO, BOND_OPT_COUPLED_CONTROL, + BOND_OPT_BROADCAST_NEIGH, BOND_OPT_LAST }; diff --git a/include/net/bonding.h b/include/net/bonding.h index 95f67b308c19a..e06f0d63b2c17 100644 --- a/include/net/bonding.h +++ b/include/net/bonding.h @@ -115,6 +115,8 @@ static inline int is_netpoll_tx_blocked(struct net_device *dev) #define is_netpoll_tx_blocked(dev) (0) #endif +DECLARE_STATIC_KEY_FALSE(bond_bcast_neigh_enabled); + struct bond_params { int mode; int xmit_policy; @@ -149,6 +151,7 @@ struct bond_params { struct in6_addr ns_targets[BOND_MAX_NS_TARGETS]; #endif int coupled_control; + int broadcast_neighbor; /* 2 bytes of padding : see ether_addr_equal_64bits() */ u8 ad_actor_system[ETH_ALEN + 2]; diff --git a/include/uapi/linux/if_link.h b/include/uapi/linux/if_link.h index 506ba9c80e83a..90c5628c14a3b 100644 --- a/include/uapi/linux/if_link.h +++ b/include/uapi/linux/if_link.h @@ -1509,6 +1509,7 @@ enum { IFLA_BOND_MISSED_MAX, IFLA_BOND_NS_IP6_TARGET, IFLA_BOND_COUPLED_CONTROL, + IFLA_BOND_BROADCAST_NEIGH, __IFLA_BOND_MAX, }; diff --git a/io_uring/io-wq.c b/io_uring/io-wq.c index a38f36b680604..5d0928f37471e 100644 --- a/io_uring/io-wq.c +++ b/io_uring/io-wq.c @@ -634,7 +634,7 @@ static int io_wq_worker(void *data) struct io_wq_acct *acct = io_wq_get_acct(worker); struct io_wq *wq = worker->wq; bool exit_mask = false, last_timeout = false; - char buf[TASK_COMM_LEN]; + char buf[TASK_COMM_LEN] = {}; set_mask_bits(&worker->flags, 0, BIT(IO_WORKER_F_UP) | BIT(IO_WORKER_F_RUNNING)); diff --git a/io_uring/net.c b/io_uring/net.c index 18507658a921d..5275428cfc3d8 100644 --- a/io_uring/net.c +++ b/io_uring/net.c @@ -488,6 +488,15 @@ static int io_bundle_nbufs(struct io_async_msghdr *kmsg, int ret) return nbufs; } +static int io_net_kbuf_recyle(struct io_kiocb *req, + struct io_async_msghdr *kmsg, int len) +{ + req->flags |= REQ_F_BL_NO_RECYCLE; + if (req->flags & REQ_F_BUFFERS_COMMIT) + io_kbuf_commit(req, req->buf_list, len, io_bundle_nbufs(kmsg, len)); + return -EAGAIN; +} + static inline bool io_send_finish(struct io_kiocb *req, int *ret, struct io_async_msghdr *kmsg, unsigned issue_flags) @@ -556,8 +565,7 @@ int io_sendmsg(struct io_kiocb *req, unsigned int issue_flags) kmsg->msg.msg_controllen = 0; kmsg->msg.msg_control = NULL; sr->done_io += ret; - req->flags |= REQ_F_BL_NO_RECYCLE; - return -EAGAIN; + return io_net_kbuf_recyle(req, kmsg, ret); } if (ret == -ERESTARTSYS) ret = -EINTR; @@ -654,8 +662,7 @@ int io_send(struct io_kiocb *req, unsigned int issue_flags) sr->len -= ret; sr->buf += ret; sr->done_io += ret; - req->flags |= REQ_F_BL_NO_RECYCLE; - return -EAGAIN; + return io_net_kbuf_recyle(req, kmsg, ret); } if (ret == -ERESTARTSYS) ret = -EINTR; @@ -1037,8 +1044,7 @@ int io_recvmsg(struct io_kiocb *req, unsigned int issue_flags) } if (ret > 0 && io_net_retry(sock, flags)) { sr->done_io += ret; - req->flags |= REQ_F_BL_NO_RECYCLE; - return -EAGAIN; + return io_net_kbuf_recyle(req, kmsg, ret); } if (ret == -ERESTARTSYS) ret = -EINTR; @@ -1177,8 +1183,7 @@ int io_recv(struct io_kiocb *req, unsigned int issue_flags) sr->len -= ret; sr->buf += ret; sr->done_io += ret; - req->flags |= REQ_F_BL_NO_RECYCLE; - return -EAGAIN; + return io_net_kbuf_recyle(req, kmsg, ret); } if (ret == -ERESTARTSYS) ret = -EINTR; @@ -1406,8 +1411,7 @@ int io_send_zc(struct io_kiocb *req, unsigned int issue_flags) zc->len -= ret; zc->buf += ret; zc->done_io += ret; - req->flags |= REQ_F_BL_NO_RECYCLE; - return -EAGAIN; + return io_net_kbuf_recyle(req, kmsg, ret); } if (ret == -ERESTARTSYS) ret = -EINTR; @@ -1466,8 +1470,7 @@ int io_sendmsg_zc(struct io_kiocb *req, unsigned int issue_flags) if (ret > 0 && io_net_retry(sock, flags)) { sr->done_io += ret; - req->flags |= REQ_F_BL_NO_RECYCLE; - return -EAGAIN; + return io_net_kbuf_recyle(req, kmsg, ret); } if (ret == -ERESTARTSYS) ret = -EINTR; diff --git a/io_uring/sqpoll.c b/io_uring/sqpoll.c index a791dd476abbb..fa61685df1bed 100644 --- a/io_uring/sqpoll.c +++ b/io_uring/sqpoll.c @@ -271,7 +271,7 @@ static int io_sq_thread(void *data) struct io_ring_ctx *ctx; struct rusage start; unsigned long timeout = 0; - char buf[TASK_COMM_LEN]; + char buf[TASK_COMM_LEN] = {}; DEFINE_WAIT(wait); /* offload context creation failed, just exit */ diff --git a/kernel/kthread.c b/kernel/kthread.c index df4f2838394d2..ed586b9e31c85 100644 --- a/kernel/kthread.c +++ b/kernel/kthread.c @@ -817,10 +817,11 @@ EXPORT_SYMBOL(kthread_stop_put); int kthreadd(void *unused) { + static const char comm[TASK_COMM_LEN] = "kthreadd"; struct task_struct *tsk = current; /* Setup a clean context for our children to inherit. */ - set_task_comm(tsk, "kthreadd"); + set_task_comm(tsk, comm); ignore_signals(tsk); set_cpus_allowed_ptr(tsk, housekeeping_cpumask(HK_TYPE_KTHREAD)); set_mems_allowed(node_states[N_MEMORY]); diff --git a/lib/buildid.c b/lib/buildid.c index c4b0f376fb341..a80592ddafd18 100644 --- a/lib/buildid.c +++ b/lib/buildid.c @@ -5,6 +5,7 @@ #include #include #include +#include #include #define BUILD_ID 3 @@ -65,20 +66,9 @@ static int freader_get_folio(struct freader *r, loff_t file_off) freader_put_folio(r); - /* reject secretmem folios created with memfd_secret() */ - if (secretmem_mapping(r->file->f_mapping)) - return -EFAULT; - + /* only use page cache lookup - fail if not already cached */ r->folio = filemap_get_folio(r->file->f_mapping, file_off >> PAGE_SHIFT); - /* if sleeping is allowed, wait for the page, if necessary */ - if (r->may_fault && (IS_ERR(r->folio) || !folio_test_uptodate(r->folio))) { - filemap_invalidate_lock_shared(r->file->f_mapping); - r->folio = read_cache_folio(r->file->f_mapping, file_off >> PAGE_SHIFT, - NULL, r->file); - filemap_invalidate_unlock_shared(r->file->f_mapping); - } - if (IS_ERR(r->folio) || !folio_test_uptodate(r->folio)) { if (!IS_ERR(r->folio)) folio_put(r->folio); @@ -116,6 +106,24 @@ static const void *freader_fetch(struct freader *r, loff_t file_off, size_t sz) return r->data + file_off; } + /* reject secretmem folios created with memfd_secret() */ + if (secretmem_mapping(r->file->f_mapping)) { + r->err = -EFAULT; + return NULL; + } + + /* use __kernel_read() for sleepable context */ + if (r->may_fault) { + ssize_t ret; + + ret = __kernel_read(r->file, r->buf, sz, &file_off); + if (ret != sz) { + r->err = (ret < 0) ? ret : -EIO; + return NULL; + } + return r->buf; + } + /* fetch or reuse folio for given file offset */ r->err = freader_get_folio(r, file_off); if (r->err) diff --git a/net/mptcp/ctrl.c b/net/mptcp/ctrl.c index bdcc4136e92ef..c70e8a780a7fd 100644 --- a/net/mptcp/ctrl.c +++ b/net/mptcp/ctrl.c @@ -381,10 +381,15 @@ void mptcp_active_enable(struct sock *sk) struct mptcp_pernet *pernet = mptcp_get_pernet(sock_net(sk)); if (atomic_read(&pernet->active_disable_times)) { - struct dst_entry *dst = sk_dst_get(sk); + struct net_device *dev; + struct dst_entry *dst; - if (dst && dst->dev && (dst->dev->flags & IFF_LOOPBACK)) + rcu_read_lock(); + dst = __sk_dst_get(sk); + dev = dst ? dst_dev_rcu(dst) : NULL; + if (dev && (dev->flags & IFF_LOOPBACK)) atomic_set(&pernet->active_disable_times, 0); + rcu_read_unlock(); } } diff --git a/net/sunrpc/xprtrdma/svc_rdma_rw.c b/net/sunrpc/xprtrdma/svc_rdma_rw.c index 661b3fe2779f0..945fbb374331c 100644 --- a/net/sunrpc/xprtrdma/svc_rdma_rw.c +++ b/net/sunrpc/xprtrdma/svc_rdma_rw.c @@ -848,7 +848,7 @@ static int svc_rdma_copy_inline_range(struct svc_rqst *rqstp, head->rc_page_count++; dst = page_address(rqstp->rq_pages[head->rc_curpage]); - memcpy(dst + head->rc_curpage, src + offset, page_len); + memcpy((unsigned char *)dst + head->rc_pageoff, src + offset, page_len); head->rc_readbytes += page_len; head->rc_pageoff += page_len; diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c index b370070194fa4..7eccd6708d664 100644 --- a/net/vmw_vsock/vmci_transport.c +++ b/net/vmw_vsock/vmci_transport.c @@ -119,6 +119,8 @@ vmci_transport_packet_init(struct vmci_transport_packet *pkt, u16 proto, struct vmci_handle handle) { + memset(pkt, 0, sizeof(*pkt)); + /* We register the stream control handler as an any cid handle so we * must always send from a source address of VMADDR_CID_ANY */ @@ -131,8 +133,6 @@ vmci_transport_packet_init(struct vmci_transport_packet *pkt, pkt->type = type; pkt->src_port = src->svm_port; pkt->dst_port = dst->svm_port; - memset(&pkt->proto, 0, sizeof(pkt->proto)); - memset(&pkt->_reserved2, 0, sizeof(pkt->_reserved2)); switch (pkt->type) { case VMCI_TRANSPORT_PACKET_TYPE_INVALID: diff --git a/redhat/kernel.changelog-10.1 b/redhat/kernel.changelog-10.1 index f0e60c613d7e4..0fdd00f5a88cf 100644 --- a/redhat/kernel.changelog-10.1 +++ b/redhat/kernel.changelog-10.1 @@ -1,3 +1,32 @@ +* Sat Jan 31 2026 CKI KWF Bot [6.12.0-124.35.1.el10_1] +- ice: Fix kernel panic due to page refcount underflow (CKI Backport Bot) [RHEL-139734] +- mptcp: Use __sk_dst_get() and dst_dev_rcu() in mptcp_active_enable(). (Davide Caratti) [RHEL-129044] {CVE-2025-40133} +- mptcp: Call dst_release() in mptcp_active_enable(). (Davide Caratti) [RHEL-129044] +- vsock/vmci: Clear the vmci transport packet properly when initializing it (CKI Backport Bot) [RHEL-137703] {CVE-2025-38403} +Resolves: RHEL-129044, RHEL-137703, RHEL-139734 + +* Thu Jan 29 2026 CKI KWF Bot [6.12.0-124.34.1.el10_1] +- ice: prevent NULL deref in ice_lag_move_new_vf_nodes() (Michal Schmidt) [RHEL-143255] +- svcrdma: use rc_pageoff for memcpy byte offset (CKI Backport Bot) [RHEL-142793] {CVE-2025-68811} +- exec: Make sure task->comm is always NUL-terminated (Luiz Capitulino) [RHEL-141711] +- lib/buildid: use __kernel_read() for sleepable context (Waiman Long) [RHEL-141229] +- net: bonding: update the slave array for broadcast mode (Hangbin Liu) [RHEL-138325] +- net: bonding: add broadcast_neighbor netlink option (Hangbin Liu) [RHEL-138325] +- net: bonding: add broadcast_neighbor option for 802.3ad (Hangbin Liu) [RHEL-138325] +Resolves: RHEL-138325, RHEL-141229, RHEL-141711, RHEL-142793, RHEL-143255 + +* Tue Jan 27 2026 Julio Faracco [6.12.0-124.33.1.el10_1] +- io_uring/net: commit partial buffers on retry (Jeff Moyer) [RHEL-137333] {CVE-2025-38730} +- smb: client: let recv_done verify data_offset, data_length and remaining_data_length (Paulo Alcantara) [RHEL-131394] {CVE-2025-39933} +Resolves: RHEL-131394, RHEL-137333 + +* Sat Jan 24 2026 CKI KWF Bot [6.12.0-124.32.1.el10_1] +- squashfs: fix memory leak in squashfs_fill_super (Abhi Das) [RHEL-138024] {CVE-2025-38415} +- Squashfs: check return result of sb_min_blocksize (CKI Backport Bot) [RHEL-138024] {CVE-2025-38415} +- fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds (CKI Backport Bot) [RHEL-137686] {CVE-2025-40304} +- fbdev: bitblit: bound-check glyph index in bit_putcs* (CKI Backport Bot) [RHEL-136945] {CVE-2025-40322} +Resolves: RHEL-136945, RHEL-137686, RHEL-138024 + * Thu Jan 22 2026 CKI KWF Bot [6.12.0-124.31.1.el10_1] - i40e: support generic devlink param "max_mac_per_vf" (Mohammad Heib) [RHEL-121647] - devlink: Add new "max_mac_per_vf" generic device param (Mohammad Heib) [RHEL-121647] @@ -19,6 +48,7 @@ - RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device" problem (CKI Backport Bot) [RHEL-134363] {CVE-2025-38022} - uprobes: Fix race in uprobe_free_utask (Jay Shin) [RHEL-133456] - ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping (CKI Backport Bot) [RHEL-129115] {CVE-2025-40154} +- kabi: stabilize struct alt_instr (Čestmír Kalina) [RHEL-122759] Resolves: RHEL-121647, RHEL-122759, RHEL-126599, RHEL-129115, RHEL-129452, RHEL-133336, RHEL-133456, RHEL-134363, RHEL-134763, RHEL-136289 * Wed Jan 21 2026 CKI KWF Bot [6.12.0-124.30.1.el10_1] diff --git a/uki-addons.sbat b/uki-addons.sbat index 6a50af964495e..165fbe9806569 100644 --- a/uki-addons.sbat +++ b/uki-addons.sbat @@ -1,3 +1,3 @@ sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md -kernel-uki-virt-addons.rhel,1,Red Hat,kernel-uki-virt-addons,6.12.0-124.31.1.el10_1.x86_64,mailto:secalert@redhat.com -kernel-uki-virt-addons.rocky,1,RESF,kernel-uki-virt-addons,6.12.0-124.31.1.el10_1.x86_64,mailto:security@rockylinux.org +kernel-uki-virt-addons.rhel,1,Red Hat,kernel-uki-virt-addons,6.12.0-124.35.1.el10_1.x86_64,mailto:secalert@redhat.com +kernel-uki-virt-addons.rocky,1,RESF,kernel-uki-virt-addons,6.12.0-124.35.1.el10_1.x86_64,mailto:security@rockylinux.org diff --git a/uki.sbat b/uki.sbat index a3f2d6af4cd48..250adf363dc7c 100644 --- a/uki.sbat +++ b/uki.sbat @@ -1,3 +1,3 @@ sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md -kernel-uki-virt.rhel,1,Red Hat,kernel-uki-virt,6.12.0-124.31.1.el10_1.x86_64,mailto:secalert@redhat.com -kernel-uki-virt.rocky,1,RESF,kernel-uki-virt,6.12.0-124.31.1.el10_1.x86_64,mailto:security@rockylinux.org +kernel-uki-virt.rhel,1,Red Hat,kernel-uki-virt,6.12.0-124.35.1.el10_1.x86_64,mailto:secalert@redhat.com +kernel-uki-virt.rocky,1,RESF,kernel-uki-virt,6.12.0-124.35.1.el10_1.x86_64,mailto:security@rockylinux.org