Bump kernel base from v6.1 to v6.1.170 #37
Merged
Pull in ~170 stable releases of security and bug fixes accumulated since the original v6.1 (December 2022) tag. Notable: the build was missing every linux-6.1.y backport, including a long backlog of CVE fixes unrelated to AF_ALG.

Introduces KERNEL_VERSION (defaulting to 6.1.170) as the actual git tag to clone, while KERNEL_BRANCH (6.1) continues to identify the patches/ and config/ subdirectories — so future stable bumps only need a single value change.

Notes on CVE-2026-31431 ("Copy Fail", algif_aead): the upstream fix (mainline a664bf3d603d) is currently in stable-review for 6.1.y (Eric Biggers' [PATCH 6.1 0/9] AF_ALG fixes, lore 20260430062731) and not yet in any 6.1.y release. This kernel build is unaffected in practice because CONFIG_CRYPTO_USER_API_AEAD (and the rest of CONFIG_CRYPTO_USER_API_*) is already =n in both arch configs, so the algif_aead module is never compiled in. Re-bump to 6.1.171+ once the series lands upstream.

Change-type: patch
Signed-off-by: Kyle Harding <kyle@balena.io>
aethernet
approved these changes
Apr 30, 2026
Summary
- v6.1 (Dec 2022) to v6.1.170, picking up ~170 stable releases worth of accumulated security and bug fixes.
- KERNEL_VERSION arg/variable (defaulting to 6.1.170) so future stable bumps require a single value change while KERNEL_BRANCH=6.1 continues to identify the patches/ / config/ subdirectories.
- torvalds/linux to gregkh/linux — torvalds/linux only carries mainline tags, so it has v6.1 (which worked by coincidence) but not any v6.1.y point release. The previous setup was effectively pinned to the .0 release with no path to picking up stable patches.

Context — CVE-2026-31431 ("Copy Fail" / algif_aead)
This work was kicked off by CVE-2026-31431, an unprivileged-LPE / container-escape primitive in crypto/algif_aead.c. Investigation found:
- linux-6.1.y release. Mainline fix is a664bf3d603d (in 7.0); stable fixes are in 6.18.22 and 6.19.12. Eric Biggers posted a 9-patch backport for 6.1.y on 2026-04-30 (lore) — it was in stable-review at the time of this PR and expected in 6.1.171+.
- # CONFIG_CRYPTO_USER_API_AEAD is not set (along with the rest of CONFIG_CRYPTO_USER_API_* and CONFIG_CRYPTO_AUTHENC), so the entire AF_ALG userspace surface is unbuilt — there is no algif_aead module/built-in in the produced vmlinux.

Verification
- git ls-remote confirms v6.1.170 resolves to 02d4d51a937120cc924e3df214b1ff271234f020 on gregkh/linux (and the canonical kernel.org stable/linux.git).
- patches/6.1/0001-UBUNTU-SAUCE-... and 0002-HACK-... patches still apply cleanly to kernel/sys.c at v6.1.170 (verified via git apply --check against a temp checkout).
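
The "unaffected in practice" conclusion above depends on every CONFIG_CRYPTO_USER_API* option staying unset in the arch configs. The following is an added example, not part of this PR or the repository, showing a shell check that turns that condition into a pass/fail gate. The function names and both sample config files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a kernel config for the AF_ALG userspace API surface.
# File contents below are constructed samples, not the project's real configs.

# Print every CONFIG_CRYPTO_USER_API* option that is built in (=y) or modular
# (=m). "# CONFIG_X is not set" lines are comments and never match.
# Exit status: 0 if at least one option is enabled, 1 if none are.
af_alg_enabled() {
    awk -F= '/^CONFIG_CRYPTO_USER_API(_[A-Z0-9_]+)?=[ym]$/ {
        printf "%s %s\n", $1, ($2 == "y" ? "built-in" : "module"); found = 1
    } END { exit !found }' "$1"
}

# Gate for CI: succeed only when the AF_ALG userspace API is not built at all.
check_config() {
    if hits=$(af_alg_enabled "$1"); then
        printf 'FAIL %s: AF_ALG userspace API enabled\n%s\n' "$1" "$hits"
        return 1
    fi
    printf 'OK   %s: no CONFIG_CRYPTO_USER_API* option enabled\n' "$1"
}

# Write two constructed configs: one matching the state the PR describes,
# one with the algif_* interfaces switched on.
write_samples() {
    cat > "$1/hardened.config" <<'EOF'
CONFIG_CRYPTO=y
# CONFIG_CRYPTO_AUTHENC is not set
# CONFIG_CRYPTO_USER_API_HASH is not set
# CONFIG_CRYPTO_USER_API_SKCIPHER is not set
# CONFIG_CRYPTO_USER_API_RNG is not set
# CONFIG_CRYPTO_USER_API_AEAD is not set
EOF
    cat > "$1/exposed.config" <<'EOF'
CONFIG_CRYPTO=y
CONFIG_CRYPTO_USER_API=m
CONFIG_CRYPTO_USER_API_HASH=y
CONFIG_CRYPTO_USER_API_AEAD=m
# CONFIG_CRYPTO_USER_API_RNG is not set
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
check_config "$demo_dir/hardened.config" || true
check_config "$demo_dir/exposed.config" || true
rm -rf "$demo_dir"
```

Running check_config against each arch config during the build makes a later config change that re-enables the interface fail visibly, independent of which stable release is pinned.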