[rocky9_7] History Rebuild through kernel-5.14.0-611.16.1.el9_7

Makefile.rhelver

@@ -12,7 +12,7 @@ RHEL_MINOR = 7
 #
 # Use this spot to avoid future merge conflicts.
 # Do not trim this comment.
-RHEL_RELEASE = 611.13.1
+RHEL_RELEASE = 611.16.1
 
 #
 # ZSTREAM

arch/x86/kvm/svm/sev.c

@@ -2903,6 +2903,7 @@ void __init sev_set_cpu_caps(void)
 void __init sev_hardware_setup(void)
 {
 	unsigned int eax, ebx, ecx, edx, sev_asid_count, sev_es_asid_count;
+	struct sev_platform_init_args init_args = {0};
 	bool sev_snp_supported = false;
 	bool sev_es_supported = false;
 	bool sev_supported = false;
@@ -3019,6 +3020,15 @@ void __init sev_hardware_setup(void)
 	sev_supported_vmsa_features = 0;
 	if (sev_es_debug_swap_enabled)
 		sev_supported_vmsa_features |= SVM_SEV_FEAT_DEBUG_SWAP;
+
+	if (!sev_enabled)
+		return;
+
+	/*
+	 * Do both SNP and SEV initialization at KVM module load.
+	 */
+	init_args.probe = true;
+	sev_platform_init(&init_args);
 }
 
 void sev_hardware_unsetup(void)
@@ -3034,6 +3044,8 @@ void sev_hardware_unsetup(void)
 
 	misc_cg_set_capacity(MISC_CG_RES_SEV, 0);
 	misc_cg_set_capacity(MISC_CG_RES_SEV_ES, 0);
+
+	sev_platform_shutdown();
 }
 
 int sev_cpu_init(struct svm_cpu_data *sd)

ciq/ciq_backports/kernel-5.14.0-611.16.1.el9_7/4e034bf0.failed

@@ -0,0 +1,146 @@
+iommufd: Fix race during abort for file descriptors
+
+jira KERNEL-393
+cve CVE-2025-39966
+Rebuild_History Non-Buildable kernel-5.14.0-611.16.1.el9_7
+commit-author Jason Gunthorpe <jgg@ziepe.ca>
+commit 4e034bf045b12852a24d5d33f2451850818ba0c1
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-5.14.0-611.16.1.el9_7/4e034bf0.failed
+
+fput() doesn't actually call file_operations release() synchronously, it
+puts the file on a work queue and it will be released eventually.
+
+This is normally fine, except for iommufd the file and the iommufd_object
+are tied to gether. The file has the object as it's private_data and holds
+a users refcount, while the object is expected to remain alive as long as
+the file is.
+
+When the allocation of a new object aborts before installing the file it
+will fput() the file and then go on to immediately kfree() the obj. This
+causes a UAF once the workqueue completes the fput() and tries to
+decrement the users refcount.
+
+Fix this by putting the core code in charge of the file lifetime, and call
+__fput_sync() during abort to ensure that release() is called before
+kfree. __fput_sync() is a bit too tricky to open code in all the object
+implementations. Instead the objects tell the core code where the file
+pointer is and the core will take care of the life cycle.
+
+If the object is successfully allocated then the file will hold a users
+refcount and the iommufd_object cannot be destroyed.
+
+It is worth noting that close(); ioctl(IOMMU_DESTROY); doesn't have an
+issue because close() is already using a synchronous version of fput().
+
+The UAF looks like this:
+
+    BUG: KASAN: slab-use-after-free in iommufd_eventq_fops_release+0x45/0xc0 drivers/iommu/iommufd/eventq.c:376
+    Write of size 4 at addr ffff888059c97804 by task syz.0.46/6164
+
+    CPU: 0 UID: 0 PID: 6164 Comm: syz.0.46 Not tainted syzkaller #0 PREEMPT(full)
+    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
+    Call Trace:
+     <TASK>
+     __dump_stack lib/dump_stack.c:94 [inline]
+     dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
+     print_address_description mm/kasan/report.c:378 [inline]
+     print_report+0xcd/0x630 mm/kasan/report.c:482
+     kasan_report+0xe0/0x110 mm/kasan/report.c:595
+     check_region_inline mm/kasan/generic.c:183 [inline]
+     kasan_check_range+0x100/0x1b0 mm/kasan/generic.c:189
+     instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
+     atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:400 [inline]
+     __refcount_dec include/linux/refcount.h:455 [inline]
+     refcount_dec include/linux/refcount.h:476 [inline]
+     iommufd_eventq_fops_release+0x45/0xc0 drivers/iommu/iommufd/eventq.c:376
+     __fput+0x402/0xb70 fs/file_table.c:468
+     task_work_run+0x14d/0x240 kernel/task_work.c:227
+     resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
+     exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43
+     exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
+     syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
+     syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
+     do_syscall_64+0x41c/0x4c0 arch/x86/entry/syscall_64.c:100
+     entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Link: https://patch.msgid.link/r/1-v1-02cd136829df+31-iommufd_syz_fput_jgg@nvidia.com
+	Cc: stable@vger.kernel.org
+Fixes: 07838f7fd529 ("iommufd: Add iommufd fault object")
+	Reviewed-by: Nicolin Chen <nicolinc@nvidia.com>
+	Reviewed-by: Nirmoy Das <nirmoyd@nvidia.com>
+	Reviewed-by: Kevin Tian <kevin.tian@intel.com>
+	Tested-by: Nicolin Chen <nicolinc@nvidia.com>
+	Reported-by: syzbot+80620e2d0d0a33b09f93@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/r/68c8583d.050a0220.2ff435.03a2.GAE@google.com
+	Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+(cherry picked from commit 4e034bf045b12852a24d5d33f2451850818ba0c1)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	drivers/iommu/iommufd/eventq.c
+#	drivers/iommu/iommufd/main.c
+diff --cc drivers/iommu/iommufd/main.c
+index ee750fc5ae80,88be2e157245..000000000000
+--- a/drivers/iommu/iommufd/main.c
++++ b/drivers/iommu/iommufd/main.c
+@@@ -23,6 -23,8 +23,11 @@@
+  #include "iommufd_test.h"
+
+  struct iommufd_object_ops {
+++<<<<<<< HEAD
+++=======
++ 	size_t file_offset;
++ 	void (*pre_destroy)(struct iommufd_object *obj);
+++>>>>>>> 4e034bf045b1 (iommufd: Fix race during abort for file descriptors)
+  	void (*destroy)(struct iommufd_object *obj);
+  	void (*abort)(struct iommufd_object *obj);
+  };
+@@@ -479,8 -678,14 +504,14 @@@ void iommufd_ctx_put(struct iommufd_ct
+  {
+  	fput(ictx->file);
+  }
+ -EXPORT_SYMBOL_NS_GPL(iommufd_ctx_put, "IOMMUFD");
+ +EXPORT_SYMBOL_NS_GPL(iommufd_ctx_put, IOMMUFD);
+
++ #define IOMMUFD_FILE_OFFSET(_struct, _filep, _obj)                           \
++ 	.file_offset = (offsetof(_struct, _filep) +                          \
++ 			BUILD_BUG_ON_ZERO(!__same_type(                      \
++ 				struct file *, ((_struct *)NULL)->_filep)) + \
++ 			BUILD_BUG_ON_ZERO(offsetof(_struct, _obj)))
++ 
+  static const struct iommufd_object_ops iommufd_object_ops[] = {
+  	[IOMMUFD_OBJ_ACCESS] = {
+  		.destroy = iommufd_access_destroy_object,
+@@@ -490,7 -696,11 +521,8 @@@
+  	},
+  	[IOMMUFD_OBJ_FAULT] = {
+  		.destroy = iommufd_fault_destroy,
++ 		IOMMUFD_FILE_OFFSET(struct iommufd_fault, common.filep, common.obj),
+  	},
+ -	[IOMMUFD_OBJ_HW_QUEUE] = {
+ -		.destroy = iommufd_hw_queue_destroy,
+ -	},
+  	[IOMMUFD_OBJ_HWPT_PAGING] = {
+  		.destroy = iommufd_hwpt_paging_destroy,
+  		.abort = iommufd_hwpt_paging_abort,
+@@@ -504,6 -714,12 +536,15 @@@
+  	},
+  	[IOMMUFD_OBJ_VDEVICE] = {
+  		.destroy = iommufd_vdevice_destroy,
+++<<<<<<< HEAD
+++=======
++ 		.abort = iommufd_vdevice_abort,
++ 	},
++ 	[IOMMUFD_OBJ_VEVENTQ] = {
++ 		.destroy = iommufd_veventq_destroy,
++ 		.abort = iommufd_veventq_abort,
++ 		IOMMUFD_FILE_OFFSET(struct iommufd_veventq, common.filep, common.obj),
+++>>>>>>> 4e034bf045b1 (iommufd: Fix race during abort for file descriptors)
+  	},
+  	[IOMMUFD_OBJ_VIOMMU] = {
+  		.destroy = iommufd_viommu_destroy,
+* Unmerged path drivers/iommu/iommufd/eventq.c
+* Unmerged path drivers/iommu/iommufd/eventq.c
+* Unmerged path drivers/iommu/iommufd/main.c

ciq/ciq_backports/kernel-5.14.0-611.16.1.el9_7/c28f922c.failed

@@ -0,0 +1,89 @@
+clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns
+
+jira KERNEL-393
+cve CVE-2025-38499
+Rebuild_History Non-Buildable kernel-5.14.0-611.16.1.el9_7
+Rebuild_CHGLOG: - CVE-2025-38499 kernel: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (Abhi Das) [RHEL-129261] {CVE-2025-38499}
+Rebuild_FUZZ: 87.43%
+commit-author Al Viro <viro@zeniv.linux.org.uk>
+commit c28f922c9dcee0e4876a2c095939d77fe7e15116
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-5.14.0-611.16.1.el9_7/c28f922c.failed
+
+What we want is to verify there is that clone won't expose something
+hidden by a mount we wouldn't be able to undo.  "Wouldn't be able to undo"
+may be a result of MNT_LOCKED on a child, but it may also come from
+lacking admin rights in the userns of the namespace mount belongs to.
+
+clone_private_mnt() checks the former, but not the latter.
+
+There's a number of rather confusing CAP_SYS_ADMIN checks in various
+userns during the mount, especially with the new mount API; they serve
+different purposes and in case of clone_private_mnt() they usually,
+but not always end up covering the missing check mentioned above.
+
+	Reviewed-by: Christian Brauner <brauner@kernel.org>
+	Reported-by: "Orlando, Noah" <Noah.Orlando@deshaw.com>
+Fixes: 427215d85e8d ("ovl: prevent private clone if bind mount is not allowed")
+	Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+(cherry picked from commit c28f922c9dcee0e4876a2c095939d77fe7e15116)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	fs/namespace.c
+diff --cc fs/namespace.c
+index 9801f4051b3a,1c54c16c7bab..000000000000
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@@ -1971,21 -2488,37 +1971,33 @@@ struct vfsmount *clone_private_mount(co
+  	struct mount *old_mnt = real_mount(path->mnt);
+  	struct mount *new_mnt;
+
+ -	guard(rwsem_read)(&namespace_sem);
+ -
+ +	down_read(&namespace_sem);
+  	if (IS_MNT_UNBINDABLE(old_mnt))
+ -		return ERR_PTR(-EINVAL);
+ +		goto invalid;
+
+ -	/*
+ -	 * Make sure the source mount is acceptable.
+ -	 * Anything mounted in our mount namespace is allowed.
+ -	 * Otherwise, it must be the root of an anonymous mount
+ -	 * namespace, and we need to make sure no namespace
+ -	 * loops get created.
+ -	 */
+ -	if (!check_mnt(old_mnt)) {
+ -		if (!is_mounted(&old_mnt->mnt) ||
+ -			!is_anon_ns(old_mnt->mnt_ns) ||
+ -			mnt_has_parent(old_mnt))
+ -			return ERR_PTR(-EINVAL);
+ +	if (!check_mnt(old_mnt))
+ +		goto invalid;
+
+++<<<<<<< HEAD
+ +	if (has_locked_children(old_mnt, path->dentry))
+ +		goto invalid;
+++=======
++ 		if (!check_for_nsfs_mounts(old_mnt))
++ 			return ERR_PTR(-EINVAL);
++ 	}
++ 
++         if (!ns_capable(old_mnt->mnt_ns->user_ns, CAP_SYS_ADMIN))
++ 		return ERR_PTR(-EPERM);
++ 
++ 	if (__has_locked_children(old_mnt, path->dentry))
++ 		return ERR_PTR(-EINVAL);
+++>>>>>>> c28f922c9dce (clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns)
+
+  	new_mnt = clone_mnt(old_mnt, path->dentry, CL_PRIVATE);
+ +	up_read(&namespace_sem);
+ +
+  	if (IS_ERR(new_mnt))
+ -		return ERR_PTR(-EINVAL);
+ +		return ERR_CAST(new_mnt);
+
+  	/* Longterm mount to be removed by kern_unmount*() */
+  	new_mnt->mnt_ns = MNT_NS_INTERNAL;
+* Unmerged path fs/namespace.c

ciq/ciq_backports/kernel-5.14.0-611.16.1.el9_7/rebuild.details.txt

@@ -0,0 +1,22 @@
+Rebuild_History BUILDABLE
+Rebuilding Kernel from rpm changelog with Fuzz Limit: 87.50%
+Number of commits in upstream range v5.14~1..kernel-mainline: 337791
+Number of commits in rpm: 20
+Number of commits matched with upstream: 16 (80.00%)
+Number of commits in upstream but not in rpm: 337775
+Number of commits NOT found in upstream: 4 (20.00%)
+
+Rebuilding Kernel on Branch rocky9_7_rebuild_kernel-5.14.0-611.16.1.el9_7 for kernel-5.14.0-611.16.1.el9_7
+Clean Cherry Picks: 14 (87.50%)
+Empty Cherry Picks: 2 (12.50%)
+_______________________________
+
+__EMPTY COMMITS__________________________
+4e034bf045b12852a24d5d33f2451850818ba0c1 iommufd: Fix race during abort for file descriptors
+c28f922c9dcee0e4876a2c095939d77fe7e15116 clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns
+
+__CHANGES NOT IN UPSTREAM________________
+Porting to Rocky Linux 9, debranding and Rocky branding'
+Ensure aarch64 kernel is not compressed'
+scsi: lpfc: avoid crashing in lpfc_nlp_get() if lpfc_nodelist was freed
+scsi: lpfc: Fix reusing an ndlp that is marked NLP_DROPPED during FLOGI