Skip to content

[RLC-10] Rebase Custom Changes to rlc-10/6.12.0-211.30.1.el10_2#1424

Open
PlaidCat wants to merge 17 commits into
rlc-10/6.12.0-211.30.1.el10_2from
jmaple_rlc-10/6.12.0-211.30.1.el10_2
Open

[RLC-10] Rebase Custom Changes to rlc-10/6.12.0-211.30.1.el10_2#1424
PlaidCat wants to merge 17 commits into
rlc-10/6.12.0-211.30.1.el10_2from
jmaple_rlc-10/6.12.0-211.30.1.el10_2

Conversation

@PlaidCat

@PlaidCat PlaidCat commented Jul 10, 2026

Copy link
Copy Markdown
Collaborator

https://ciqinc.atlassian.net/browse/KERNEL-1266

Update process (This kernel CentOS base for 6.12.0-211.30.1.el10_2)

  • Rolling Release Rebase Process
  • Create rlc-10/6.12.0-211.30.1.el10_2 branch from rocky10_2
  • Cherry-pick all code from previous branch rlc-10/6.12.0-211.26.1.el10_2 into new branch (skipping unneeded code)
    • Fix conflicts as they arise
  • Build and Test

Rebase Log

[jmaple@devbox code]$ cat RR.rlc-10.20260709_131625.log
Already on 'rlc-10/6.12.0-211.26.1.el10_2'
Already on 'jmaple_rlc-10/6.12.0-211.30.1.el10_2'
[rolling release update] Rolling Product:  rlc-10
[rolling release update] Checking out branch:  rlc-10/6.12.0-211.26.1.el10_2
[rolling release update] Gathering all the RESF kernel Tags
[rolling release update] Found 7 RESF kernel tags
[rolling release update] Checking out branch:  rocky10_2
[rolling release update] Gathering all the RESF kernel Tags
[rolling release update] Found 10 RESF kernel tags
[rolling release update] Common tag sha:  b'9b071f21cf07'
"9b071f21cf07aa476aba543d4e8b70a7cc323d6b Rebuild rocky10_2 with kernel-6.12.0-211.26.1.el10_2"
[rolling release update] Checking for FIPS protected changes between the common tag and HEAD
[rolling release update] Checking for FIPS protected changes
[rolling release update] Getting SHAS 9b071f21cf07..HEAD
[rolling release update] Number of commits to check:  44
[rolling release update] Checking modifications of shas
[rolling release update] Checked 4 of 44 commits
[rolling release update] Checked 8 of 44 commits
[rolling release update] Checked commit b'ce6d8b524734d9b42d82de53eab05b1b3baf0b48' touched 1 FIPS protected files
  - b'crypto/'
[rolling release update] Checked 12 of 44 commits
[rolling release update] Checked commit b'936068c02a7ec1723dd828813bfb60df40150dcf' touched 1 FIPS protected files
  - b'crypto/'
[rolling release update] Checked commit b'ff418aa0fff146fa508b33acbff5ad87cc78d49b' touched 1 FIPS protected files
  - b'crypto/'
[rolling release update] Checked commit b'0d9000cc8fbfdeda78a97705e692870a76c5a614' touched 1 FIPS protected files
  - b'crypto/'
[rolling release update] Checked 16 of 44 commits
[rolling release update] Checked 20 of 44 commits
[rolling release update] Checked commit b'0e7619f7d8a0724b08f078885062219f9c84aa6d' touched 1 FIPS protected files
  - b'drivers/crypto/'
[rolling release update] Checked 24 of 44 commits
[rolling release update] Checked commit b'91df04d8359cfd4e60a6e52a43e7a0c46d86b93b' touched 1 FIPS protected files
  - b'drivers/crypto/'
[rolling release update] Checked commit b'dd36bb8acc66ec80cb0f7738e0bf57209335731d' touched 1 FIPS protected files
  - b'drivers/crypto/'
[rolling release update] Checked commit b'c9acf51c31184cc8d90621b2341e0c0e0501f6c7' touched 1 FIPS protected files
  - b'drivers/crypto/'
[rolling release update] Checked commit b'31f64e73ec19829585a92adf67348b9ed9b25a0c' touched 1 FIPS protected files
  - b'drivers/crypto/'
[rolling release update] Checked 28 of 44 commits
[rolling release update] Checked commit b'0da6dc429445e5ee499b15ba7d9c9b43824fb2eb' touched 1 FIPS protected files
  - b'drivers/crypto/'
[rolling release update] Checked commit b'b2a7c54571d03c10fbe850e878888206e6878222' touched 1 FIPS protected files
  - b'drivers/crypto/'
[rolling release update] Checked commit b'e62dbdddd898f70ccf771c72f634f2fc4054d59e' touched 1 FIPS protected files
  - b'drivers/crypto/'
[rolling release update] Checked 32 of 44 commits
[rolling release update] Checked 36 of 44 commits
[rolling release update] Checked 40 of 44 commits
[rolling release update] Checked 44 of 44 commits
[rolling release update] 12 of 44 commits have FIPS protected changes
[rolling release update] Checking out old rolling branch:  rlc-10/6.12.0-211.26.1.el10_2
[rolling release update] Finding the CIQ Kernel and Associated Upstream commits between the last resf tag and HEAD
[rolling release update] Getting SHAS 9b071f21cf07..HEAD
WARNING: - already in upstream_commits
WARNING: - already in upstream_commits
WARNING: - already in upstream_commits
WARNING: - already in upstream_commits
WARNING: - already in upstream_commits
[rolling release update] Last RESF tag sha:  b'9b071f21cf07'
[rolling release update] Total commits in old branch: 26
[rolling release update] Checking out new base branch:  rocky10_2
[rolling release update] Finding the kernel version for the new rolling release
[rolling release update] New Branch to create: rlc-10/6.12.0-211.30.1.el10_2
[rolling release update] Creating new branch: rlc-10/6.12.0-211.30.1.el10_2
[rolling release update] Creating new branch for PR:  jmaple_rlc-10/6.12.0-211.30.1.el10_2
[rolling release update] Creating Map of all new commits from last rolling release fork
[rolling release update] Total commits in new branch: 43
[rolling release update] Checking if any of the commits from the old rolling release are already present in the new base branch
- Old commit 6131f53b6c20 backported upstream 2c99561016c5
  Already in new base as c8980e9dbd29: arm64: cputype: Add C1-Pro definitions
- Old commit 4daab754999c backported upstream 13031fb6b835
  Already in new base as e978acc58cd1: KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry
- Old commit 7e85d943cdc4 backported upstream 55b2984c96c3
  Already in new base as 5c4833c51b29: rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets
- Old commit d28321f3c823 backported upstream 1f2740150f90
  Already in new base as 419088d8bb73: rxrpc: Fix potential UAF after skb_unshare() failure
[rolling release update] Found 4 duplicate commits to remove
[rolling release update] Removing duplicate commits:
  - 6131f53b6c208648f3b283a105a137d1579df128 arm64: cputype: Add C1-Pro definitions
  - 4daab754999c54bbda6d91cc672aaca53a09405f KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry
  - 7e85d943cdc4177a389a6b39d2b0a9105fe40028 rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets
  - d28321f3c82367417153e008eba019466934f488 rxrpc: Fix potential UAF after skb_unshare() failure
[rolling release update] Applying 22 remaining commits to the new branch
  [1/22] b60458581c9a github actions: Add kernelCI for rlc-10
  [2/22] aaadbfbf4785 github actions: Use trigger for kernelCI
  [3/22] 84c4d6854bfb github actions: Pin Checkout action to v6.0.2
  [4/22] a6e665630af8 github actions: set make to `nproc` rather than hardcoded
  [5/22] 8ed39e72e3fe tools: hv: Enable debug logs for hv_kvp_daemon
  [6/22] 2a6230577e7e dcache: export shrink_dentry_list() and add new helper d_dispose_if_unused()
  [7/22] af2316372f40 fuse: don't truncate cached, mutated symlink
  [8/22] c71c5279e663 fuse: add more control over cache invalidation behaviour
  [9/22] 709afb7ba848 fuse: fix possibly missing fuse_copy_finish() call in fuse_notify()
  [10/22] c082869ac14b fs: fuse: add dev id to /dev/fuse fdinfo
  [11/22] ca665f09a8be fuse: respect FOPEN_KEEP_CACHE on opendir
  [12/22] 24fade73d5ec rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
  [13/22] 2df427b013da net: gro: don't merge zcopy skbs
  [14/22] a19a3ed58576 KVM: arm64: Reassign nested_mmus array behind mmu_lock
  [15/22] 1b43b8a7613c KVM: arm64: Take the SRCU lock for page table walks in fault injection and AT emulation
  [16/22] 81781fc774e5 arm64: cputype: Add C1-Ultra definitions
[rolling release update] ERROR: Failed to cherry-pick commit 81781fc774e5706915ea3afbedabd5e5ec16befc
The previous cherry-pick is now empty, possibly due to conflict resolution.
If you wish to commit it anyway, use:

    git commit --allow-empty

Otherwise, please use 'git cherry-pick --skip'

[rolling release update] ========================================
[rolling release update] INTERACTIVE MODE: Merge conflict detected
[rolling release update] ========================================
[rolling release update] Please resolve or skip the merge conflict manually.
[rolling release update] To resolve:
[rolling release update]   1. Fix merge conflicts in the working directory
[rolling release update]   2. Stage resolved files: git add <files>
[rolling release update]   3. Complete cherry-pick: git cherry-pick --continue
[rolling release update]      (or commit manually if needed)
[rolling release update] To skip:
[rolling release update]   1. To skip this commit: git cherry-pick --skip
[rolling release update] When done:
[rolling release update]   Return here and press Enter to continue
[rolling release update] ========================================
[rolling release update] Press Enter when resolved (or type "stop"/"abort" to exit): [rolling release update] Cherry-pick resolved successfully, continuing...
  [17/22] a4cb31af3da6 arm64: cputype: Add C1-Premium definitions
[rolling release update] ERROR: Failed to cherry-pick commit a4cb31af3da6910d84e78f0b9d05751bfd04a998
The previous cherry-pick is now empty, possibly due to conflict resolution.
If you wish to commit it anyway, use:

    git commit --allow-empty

Otherwise, please use 'git cherry-pick --skip'

[rolling release update] ========================================
[rolling release update] INTERACTIVE MODE: Merge conflict detected
[rolling release update] ========================================
[rolling release update] Please resolve or skip the merge conflict manually.
[rolling release update] To resolve:
[rolling release update]   1. Fix merge conflicts in the working directory
[rolling release update]   2. Stage resolved files: git add <files>
[rolling release update]   3. Complete cherry-pick: git cherry-pick --continue
[rolling release update]      (or commit manually if needed)
[rolling release update] To skip:
[rolling release update]   1. To skip this commit: git cherry-pick --skip
[rolling release update] When done:
[rolling release update]   Return here and press Enter to continue
[rolling release update] ========================================
[rolling release update] Press Enter when resolved (or type "stop"/"abort" to exit): [rolling release update] Cherry-pick resolved successfully, continuing...
  [18/22] d0a8cedfae36 arm64: errata: Mitigate TLBI errata on various Arm CPUs
[rolling release update] ERROR: Failed to cherry-pick commit d0a8cedfae36f2c8391ab9ebaa9cef86ecaf8f30
error: could not apply d0a8cedfae36... arm64: errata: Mitigate TLBI errata on various Arm CPUs
hint: After resolving the conflicts, mark them with
hint: "git add/rm <pathspec>", then run
hint: "git cherry-pick --continue".
hint: You can instead skip this commit with "git cherry-pick --skip".
hint: To abort and get back to the state before "git cherry-pick",
hint: run "git cherry-pick --abort".
hint: Disable this message with "git config set advice.mergeConflict false"

[rolling release update] ========================================
[rolling release update] INTERACTIVE MODE: Merge conflict detected
[rolling release update] ========================================
[rolling release update] Please resolve or skip the merge conflict manually.
[rolling release update] To resolve:
[rolling release update]   1. Fix merge conflicts in the working directory
[rolling release update]   2. Stage resolved files: git add <files>
[rolling release update]   3. Complete cherry-pick: git cherry-pick --continue
[rolling release update]      (or commit manually if needed)
[rolling release update] To skip:
[rolling release update]   1. To skip this commit: git cherry-pick --skip
[rolling release update] When done:
[rolling release update]   Return here and press Enter to continue
[rolling release update] ========================================
[rolling release update] Press Enter when resolved (or type "stop"/"abort" to exit): [rolling release update] Cherry-pick resolved successfully, continuing...
  [19/22] 26b6fd9389e5 arm64: errata: Mitigate TLBI errata on NVIDIA Olympus CPU
[rolling release update] ERROR: Failed to cherry-pick commit 26b6fd9389e5c385646133f92cb652877b8368d1
error: could not apply 26b6fd9389e5... arm64: errata: Mitigate TLBI errata on NVIDIA Olympus CPU
hint: After resolving the conflicts, mark them with
hint: "git add/rm <pathspec>", then run
hint: "git cherry-pick --continue".
hint: You can instead skip this commit with "git cherry-pick --skip".
hint: To abort and get back to the state before "git cherry-pick",
hint: run "git cherry-pick --abort".
hint: Disable this message with "git config set advice.mergeConflict false"

[rolling release update] ========================================
[rolling release update] INTERACTIVE MODE: Merge conflict detected
[rolling release update] ========================================
[rolling release update] Please resolve or skip the merge conflict manually.
[rolling release update] To resolve:
[rolling release update]   1. Fix merge conflicts in the working directory
[rolling release update]   2. Stage resolved files: git add <files>
[rolling release update]   3. Complete cherry-pick: git cherry-pick --continue
[rolling release update]      (or commit manually if needed)
[rolling release update] To skip:
[rolling release update]   1. To skip this commit: git cherry-pick --skip
[rolling release update] When done:
[rolling release update]   Return here and press Enter to continue
[rolling release update] ========================================
[rolling release update] Press Enter when resolved (or type "stop"/"abort" to exit): [rolling release update] Cherry-pick resolved successfully, continuing...
  [20/22] 679af58bb510 arm64: errata: Mitigate TLBI errata on Microsoft Azure Cobalt 100 CPU
[rolling release update] ERROR: Failed to cherry-pick commit 679af58bb510d0c5cafaa31c8ef1db9092c4685d
The previous cherry-pick is now empty, possibly due to conflict resolution.
If you wish to commit it anyway, use:

    git commit --allow-empty

Otherwise, please use 'git cherry-pick --skip'

[rolling release update] ========================================
[rolling release update] INTERACTIVE MODE: Merge conflict detected
[rolling release update] ========================================
[rolling release update] Please resolve or skip the merge conflict manually.
[rolling release update] To resolve:
[rolling release update]   1. Fix merge conflicts in the working directory
[rolling release update]   2. Stage resolved files: git add <files>
[rolling release update]   3. Complete cherry-pick: git cherry-pick --continue
[rolling release update]      (or commit manually if needed)
[rolling release update] To skip:
[rolling release update]   1. To skip this commit: git cherry-pick --skip
[rolling release update] When done:
[rolling release update]   Return here and press Enter to continue
[rolling release update] ========================================
[rolling release update] Press Enter when resolved (or type "stop"/"abort" to exit): [rolling release update] Cherry-pick resolved successfully, continuing...
  [21/22] 4edef17836e2 KVM: x86: Fix shadow paging use-after-free due to unexpected GFN
  [22/22] 3940b13c7828 KVM: x86: Fix shadow paging use-after-free due to unexpected role
[rolling release update] Successfully applied all 22 commits

BUILD

$ egrep -B 5 -A 5 "\[TIMER\]|^Starting Build" $(ls -t kbuild* | head -n1)
/mnt/code/kernel-src-tree-build
Running make mrproper...
  CLEAN   scripts/basic
  CLEAN   scripts/kconfig
  CLEAN   include/config include/generated
[TIMER]{MRPROPER}: 6s
x86_64 architecture detected, copying config
'configs/kernel-x86_64-rhel.config' -> '.config'
Setting Local Version for build
CONFIG_LOCALVERSION="-rocky10_2_rebuild-4b56adaf67e7"
Making olddefconfig
--
  HOSTCC  scripts/kconfig/util.o
  HOSTLD  scripts/kconfig/conf
#
# configuration written to .config
#
Starting Build
  GEN     arch/x86/include/generated/asm/orc_hash.h
  WRAP    arch/x86/include/generated/uapi/asm/bpf_perf_event.h
  WRAP    arch/x86/include/generated/uapi/asm/errno.h
  UPD     include/generated/uapi/linux/version.h
  WRAP    arch/x86/include/generated/uapi/asm/fcntl.h
--
  BTF [M] net/hsr/hsr.ko
  LD [M]  virt/lib/irqbypass.ko
  BTF [M] net/qrtr/qrtr.ko
  BTF [M] net/qrtr/qrtr-mhi.ko
  BTF [M] virt/lib/irqbypass.ko
[TIMER]{BUILD}: 2300s
Making Modules
  SYMLINK /lib/modules/6.12.0-rocky10_2_rebuild-4b56adaf67e7+/build
  INSTALL /lib/modules/6.12.0-rocky10_2_rebuild-4b56adaf67e7+/modules.order
  INSTALL /lib/modules/6.12.0-rocky10_2_rebuild-4b56adaf67e7+/modules.builtin
  INSTALL /lib/modules/6.12.0-rocky10_2_rebuild-4b56adaf67e7+/modules.builtin.modinfo
--
  STRIP   /lib/modules/6.12.0-rocky10_2_rebuild-4b56adaf67e7+/kernel/virt/lib/irqbypass.ko
  SIGN    /lib/modules/6.12.0-rocky10_2_rebuild-4b56adaf67e7+/kernel/net/qrtr/qrtr.ko
  SIGN    /lib/modules/6.12.0-rocky10_2_rebuild-4b56adaf67e7+/kernel/net/qrtr/qrtr-mhi.ko
  SIGN    /lib/modules/6.12.0-rocky10_2_rebuild-4b56adaf67e7+/kernel/virt/lib/irqbypass.ko
  DEPMOD  /lib/modules/6.12.0-rocky10_2_rebuild-4b56adaf67e7+
[TIMER]{MODULES}: 12s
Making Install
  INSTALL /boot
[TIMER]{INSTALL}: 17s
Checking kABI
kABI check passed
Setting Default Kernel to /boot/vmlinuz-6.12.0-rocky10_2_rebuild-4b56adaf67e7+ and Index to 2
Hopefully Grub2.0 took everything ... rebooting after time metrices
[TIMER]{MRPROPER}: 6s
[TIMER]{BUILD}: 2300s
[TIMER]{MODULES}: 12s
[TIMER]{INSTALL}: 17s
[TIMER]{TOTAL} 2340s
Rebooting in 10 seconds

KSelfTest

$ ./kernel-tools/kernel_auto_rebuild/get_kselftest_diff.sh
selftest-6.12.0-jmaple_rlc-10_6.12.0-211.20.1.el10_2-5865fafefaee+-1.log: 491 passed
selftest-6.12.0-jmaple_rlc-10_6.12.0-211.22.1.el10_2-05335323b6dd+-1.log: 490 passed
selftest-6.12.0-jmaple_rlc-10_6.12.0-211.26.1.el10_2-9a3695773e60+-1.log: 491 passed
selftest-6.12.0-jmaple_rlc-10_6.12.0-211.30.1.el10_2-ddb3d41be8db+-1.log: 491 passed

Before: selftest-6.12.0-jmaple_rlc-10_6.12.0-211.26.1.el10_2-9a3695773e60+-1.log
After: selftest-6.12.0-jmaple_rlc-10_6.12.0-211.30.1.el10_2-ddb3d41be8db+-1.log
Diff:
+ok 14 selftests: net: bind_wildcard
-ok 4 selftests: cgroup: test_freezer

roxanan1996 and others added 17 commits July 9, 2026 13:17
Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
jira LE-3207
feature tools_hv
commit-author Shradha Gupta <shradhagupta@linux.microsoft.com>
commit a9c0b33

Allow the KVP daemon to log the KVP updates triggered in the VM
with a new debug flag(-d).
When the daemon is started with this flag, it logs updates and debug
information in syslog with loglevel LOG_DEBUG. This information comes
in handy for debugging issues where the key-value pairs for certain
pools show mismatch/incorrect values.
The distro-vendors can further consume these changes and modify the
respective service files to redirect the logs to specific files as
needed.

	Signed-off-by: Shradha Gupta <shradhagupta@linux.microsoft.com>
	Reviewed-by: Naman Jain <namjain@linux.microsoft.com>
	Reviewed-by: Dexuan Cui <decui@microsoft.com>
Link: https://lore.kernel.org/r/1744715978-8185-1-git-send-email-shradhagupta@linux.microsoft.com
	Signed-off-by: Wei Liu <wei.liu@kernel.org>
Message-ID: <1744715978-8185-1-git-send-email-shradhagupta@linux.microsoft.com>
(cherry picked from commit a9c0b33)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
…nused()

jira SECO-468
commit-author Luis Henriques <luis@igalia.com>
commit 395b955

Add and export a new helper d_dispose_if_unused() which is simply a wrapper
around to_shrink_list(), to add an entry to a dispose list if it's not used
anymore.

Also export shrink_dentry_list() to kill all dentries in a dispose list.

	Suggested-by: Miklos Szeredi <miklos@szeredi.hu>
	Signed-off-by: Luis Henriques <luis@igalia.com>
	Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
(cherry picked from commit 395b955)
	Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
jira SECO-478
RFBugFix: FUSE
commit-author Miklos Szeredi <mszeredi@redhat.com>
commit b4c173d

Fuse allows the value of a symlink to change and this property is exploited
by some filesystems (e.g. CVMFS).

It has been observed, that sometimes after changing the symlink contents,
the value is truncated to the old size.

This is caused by fuse_getattr() racing with fuse_reverse_inval_inode().
fuse_reverse_inval_inode() updates the fuse_inode's attr_version, which
results in fuse_change_attributes() exiting before updating the cached
attributes

This is okay, as the cached attributes remain invalid and the next call to
fuse_change_attributes() will likely update the inode with the correct
values.

The reason this causes problems is that cached symlinks will be
returned through page_get_link(), which truncates the symlink to
inode->i_size.  This is correct for filesystems that don't mutate
symlinks, but in this case it causes bad behavior.

The solution is to just remove this truncation.  This can cause a
regression in a filesystem that relies on supplying a symlink larger than
the file size, but this is unlikely.  If that happens we'd need to make
this behavior conditional.

	Reported-by: Laura Promberger <laura.promberger@cern.ch>
	Tested-by: Sam Lewis <samclewis@google.com>
	Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Link: https://lore.kernel.org/r/20250220100258.793363-1-mszeredi@redhat.com
	Reviewed-by: Bernd Schubert <bschubert@ddn.com>
	Signed-off-by: Christian Brauner <brauner@kernel.org>
(cherry picked from commit b4c173d)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira SECO-478
RFBugFix: FUSE
commit-author Luis Henriques <luis@igalia.com>
commit 2396356
upstream-diff | conflict in fs/fuse/dir.c due to missing this piece:
       d701902 - fuse: return correct dentry for ->mkdir
       Which is a part of a larger changeset here that we're not going to
       take: https://lore.kernel.org/all/20250227013949.536172-1-neilb@suse.de/
       | Additionally this bumps the Kernel FUSE API minor version from 41
       to 44.  The interface into via fuse3 currently in Rocky 10.1 is
       limited to API 38 anyways at 3.16.2.
       | There is a build conflict due to a major rewrite of the d_revalidate
       calls which now includes the parent directory being passed.
       5be1fa8 Pass parent directory inode and expected name to ->d_revalidate()
       In this case we can use the dentry->i_sb because we only need the
       superblock for get_fuse_conn_super().

Currently userspace is able to notify the kernel to invalidate the cache
for an inode.  This means that, if all the inodes in a filesystem need to
be invalidated, then userspace needs to iterate through all of them and do
this kernel notification separately.

This patch adds the concept of 'epoch': each fuse connection will have the
current epoch initialized and every new dentry will have it's d_time set to
the current epoch value.  A new operation will then allow userspace to
increment the epoch value.  Every time a dentry is d_revalidate()'ed, it's
epoch is compared with the current connection epoch and invalidated if it's
value is different.

	Signed-off-by: Luis Henriques <luis@igalia.com>
	Tested-by: Laura Promberger <laura.promberger@cern.ch>
	Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
(cherry picked from commit 2396356)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

build fix: fuse: add more control over cache invalidation behaviour
jira SECO-478
BUGFIX: FUSE
commit-author Miklos Szeredi <mszeredi@redhat.com>
commit 0b563aa

In case of FUSE_NOTIFY_RESEND and FUSE_NOTIFY_INC_EPOCH fuse_copy_finish()
isn't called.

Fix by always calling fuse_copy_finish() after fuse_notify().  It's a no-op
if called a second time.

Fixes: 760eac7 ("fuse: Introduce a new notification type for resend pending requests")
Fixes: 2396356 ("fuse: add more control over cache invalidation behaviour")
	Cc: <stable@vger.kernel.org> # v6.9
	Reviewed-by: Joanne Koong <joannelkoong@gmail.com>
	Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
(cherry picked from commit 0b563aa)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira SECO-511
commit-author Chen Linxuan <chenlinxuan@uniontech.com>
commit f092229
upstream-diff | There were conflicts seen while applying
this patch due to the following missing commit :-
786412a ("fuse: enable fuse-over-io-uring")

This commit add fuse connection device id to
fdinfo of opened /dev/fuse files.

Related discussions can be found at links below.

Link: https://lore.kernel.org/all/CAJfpegvEYUgEbpATpQx8NqVR33Mv-VK96C+gbTag1CEUeBqvnA@mail.gmail.com/
	Signed-off-by: Chen Linxuan <chenlinxuan@uniontech.com>
	Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
(cherry picked from commit f092229)
	Signed-off-by: Shreeya Patel <spatel@ciq.com>
jira SECO-518
commit-author Amir Goldstein <amir73il@gmail.com>
commit 03f275a

The re-factoring of fuse_dir_open() missed the need to invalidate
directory inode page cache with open flag FOPEN_KEEP_CACHE.

Fixes: 7de64d5 ("fuse: break up fuse_open_common()")
	Reported-by: Prince Kumar <princer@google.com>
Closes: https://lore.kernel.org/linux-fsdevel/CAEW=TRr7CYb4LtsvQPLj-zx5Y+EYBmGfM24SuzwyDoGVNoKm7w@mail.gmail.com/
	Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Link: https://lore.kernel.org/r/20250101130037.96680-1-amir73il@gmail.com
	Reviewed-by: Bernd Schubert <bernd.schubert@fastmail.fm>
	Signed-off-by: Christian Brauner <brauner@kernel.org>
(cherry picked from commit 03f275a)
	Signed-off-by: Shreeya Patel <spatel@ciq.com>
cve CVE-2026-43500
commit-author Hyunwoo Kim <imv4bel@gmail.com>
commit -
commit-source https://lore.kernel.org/all/af2kdW2F1gJ9U-Gg@v4bel
upstream-diff |
        The conn_event.c hunk is dropped entirely. Upstream wraps the
        conn->security->verify_response() call inside a new
        rxrpc_verify_response() function that copies non-linear skbs before
        in-place decryption. This kernel doesn't have that wrapper; the
        security op is called directly from rxrpc_process_event(), so there
        is no call site to patch. Additionally, the rxkad_verify_response()
        implementation in this tree already pulls the response and ticket
        out via skb_copy_bits() into kmalloc'd local buffers and decrypts
        those buffers (not the skb backing pages), so the RESPONSE-packet
        vector that v3 closes upstream is not reachable here. The
        call_event.c hunk applies as-is.

The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE
handler in rxrpc_verify_response() copy the skb to a linear one before
calling into the security ops only when skb_cloned() is true.  An skb
that is not cloned but still carries externally-owned paged fragments
(e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via
__ip_append_data, or a chained skb_has_frag_list()) falls through to
the in-place decryption path, which binds the frag pages directly into
the AEAD/skcipher SGL via skb_to_sgvec().

Extend the gate to also unshare when skb_has_frag_list() or
skb_has_shared_frag() is true.  This catches the splice-loopback vector
and other externally-shared frag sources while preserving the
zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC
page_pool RX, GRO).  The OOM/trace handling already in place is reused.

Fixes: d0d5c0c ("rxrpc: Use skb_unshare() rather than skb_cow_data()")
	Cc: stable@vger.kernel.org
	Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
(cherry picked from commit 544687651fe57721c5e4e76380ed8ef8fdfdc98b)
	Signed-off-by: Shreeya Patel <spatel@ciq.com>
cve CVE-Pending
commit-author Sabrina Dubroca <sd@queasysnail.net>
commit 4db79a3

skb_gro_receive() can currently copy frags between the source and GRO
skb, without checking the zerocopy status, and in particular the
SKBFL_MANAGED_FRAG_REFS flag.

When SKBFL_MANAGED_FRAG_REFS is set, the skb doesn't hold a reference
on the pages in shinfo->frags. Appending those frags to another skb's
frags without fixing up the page refcount can lead to UAF.

When either the last skb in the GRO chain (the one we would append
frags to) or the source skb is zerocopy, don't merge the skbs.

Fixes: 753f1ca ("net: introduce managed frags infrastructure")
Reported-by: Huzaifa Sidhpurwala <huzaifas@redhat.com>
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/c3b7f906bbfcbdfd7b4fa9d6c18a438870df85be.1779307748.git.sd@queasysnail.net
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Shreeya Patel <spatel@ciq.com>
cve CVE-2026-46317
commit-author Hyunwoo Kim <imv4bel@gmail.com>
commit 7054335

kvm->arch.nested_mmus[] is walked under kvm->mmu_lock, including from the
MMU notifier path (kvm_unmap_gfn_range() -> kvm_nested_s2_unmap()), which
can run at any time. kvm_vcpu_init_nested() reallocates the array and frees
the old buffer while holding only kvm->arch.config_lock, so such a walker
can reference the freed array.

Allocate the new array outside of mmu_lock, as the allocation can sleep.
Under the lock, copy the existing entries, fix up the back pointers and
reassign the array. Free the old buffer after dropping the lock, as
kvfree() can sleep as well.

Fixes: 4f128f8 ("KVM: arm64: nv: Support multiple nested Stage-2 mmu structures")
	Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
	Reviewed-by: Oliver Upton <oupton@kernel.org>
Link: https://patch.msgid.link/aiKIVVeIr1aAB1yp@v4bel
	Signed-off-by: Marc Zyngier <maz@kernel.org>
	Cc: stable@vger,kernel.org
(cherry picked from commit 7054335)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
…n and AT emulation

bugfix aarch64 kvm
commit-author Hyunwoo Kim <imv4bel@gmail.com>
commit f2ca45b

walk_s1() and kvm_walk_nested_s2() expect to be called while holding
kvm->srcu to guard against memslot changes. While this is generally
the case, __kvm_at_s12() and __kvm_find_s1_desc_level() call into the
respective walkers without taking kvm->srcu.

Fix by acquiring kvm->srcu prior to the table walk in both instances.

	Cc: stable@vger.kernel.org
Fixes: 50f77dc ("KVM: arm64: Populate level on S1PTW SEA injection")
Fixes: be04ceb ("KVM: arm64: nv: Add emulation of AT S12E{0,1}{R,W}")
	Suggested-by: Oliver Upton <oupton@kernel.org>
	Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
	Reviewed-by: Oliver Upton <oupton@kernel.org>
Link: https://patch.msgid.link/aiAZfdeyanIvP8SD@v4bel
	Signed-off-by: Marc Zyngier <maz@kernel.org>
(cherry picked from commit f2ca45b)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
cve CVE-2026-46113
commit-author Sean Christopherson <seanjc@google.com>
commit 0cb2af2

The shadow MMU computes GFNs for direct shadow pages using sp->gfn plus
the SPTE index. This assumption breaks for shadow paging if the guest
page tables are modified between VM entries (similar to commit
aad885e, "KVM: x86/mmu: Drop/zap existing present SPTE even
when creating an MMIO SPTE", 2026-03-27).  The flow is as follows:

- a PDE is installed for a 2MB mapping, and a page in that area is
  accessed.  KVM creates a kvm_mmu_page consisting of 512 4KB pages;
  the kvm_mmu_page is marked by FNAME(fetch) as direct-mapped because
  the guest's mapping is a huge page (and thus contiguous).

- the PDE mapping is changed from outside the guest.

- the guest accesses another page in the same 2MB area.  KVM installs
  a new leaf SPTE and rmap entry; the SPTE uses the "correct" GFN
  (i.e. based on the new mapping, as changed in the previous step) but
  that GFN is outside of the [sp->gfn, sp->gfn + 511] range; therefore
  the rmap entry cannot be found and removed when the kvm_mmu_page
  is zapped.

- the memslot that covers the first 2MB mapping is deleted, and the
  kvm_mmu_page for the now-invalid GPA is zapped.  However, rmap_remove()
  only looks at the [sp->gfn, sp->gfn + 511] range established in step 1,
  and fails to find the rmap entry that was recorded by step 3.

- any operation that causes an rmap walk for the same page accessed
  by step 3 then walks a stale rmap and dereferences a freed kvm_mmu_page.
  This includes dirty logging or MMU notifier invalidations (e.g., from
  MADV_DONTNEED).

The underlying issue is that KVM's walking of shadow PTEs assumes that
if a SPTE is present when KVM wants to install a non-leaf SPTE, then the
existing kvm_mmu_page must be for the correct gfn.  Because the only way
for the gfn to be wrong is if KVM messed up and failed to zap a SPTE...
which shouldn't happen, but *actually* only happens in response to a
guest write.

That bug dates back literally forever, as even the first version of KVM
assumes that the GFN matches and walks into the "wrong" shadow page.
However, that was only an imprecision until 2032a93 ("KVM: MMU:
Don't allocate gfns page for direct mmu pages") came along.

Fix it by checking for a target gfn mismatch and zapping the existing
SPTE.  That way the old SP and rmap entries are gone, KVM installs
the rmap in the right location, and everyone is happy.

Fixes: 2032a93 ("KVM: MMU: Don't allocate gfns page for direct mmu pages")
Fixes: 6aa8b73 ("kvm: userspace interface")
Reported-by: Alexander Bulekov <bkov@amazon.com>
Reported-by: Fred Griffoul <fgriffo@amazon.co.uk>
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Link: https://patch.msgid.link/20260503201029.106481-1-pbonzini@redhat.com/
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 0cb2af2)
Signed-off-by: Shreeya Patel <spatel@ciq.com>
cve CVE-2026-53359
commit-author Paolo Bonzini <pbonzini@redhat.com>
commit 81ccda3

Commit 0cb2af2 ("KVM: x86: Fix shadow paging use-after-free due
to unexpected GFN") fixed a shadow paging mismatch between stored and
computed GFNs; the bug could be triggered by changing a PDE mapping from
outside the guest, and then deleting a memslot.  The rmap_remove()
call would miss entries created after the PDE change because the GFN
of the leaf SPTE does not match the GFN of the struct kvm_mmu_page.

A similar hole however remains if the modified PDE points to a non-leaf
page.  In this case the gfn can be made to match, but the role does not
match: the original large 2MB page creates a kvm_mmu_page with direct=1,
while the new 4KB needs a kvm_mmu_page with direct=0.  However,
kvm_mmu_get_child_sp() does not compare the role, and therefore reuses
the page.

The next step is installing a leaf (4KB) SPTE on the new path which
records an rmap entry under the gfn resolved by the walk.  But when
that child is zapped its parent kvm_mmu_page has direct=1 and
kvm_mmu_page_get_gfn() computes the gfn for the 4KB page as
sp->gfn + index instead of using sp->shadowed_translation[] (or sp->gfns[]
in older kernels).  It therefore fails to remove the recorded entry.

When the memslot is dropped the shadow page is freed but the rmap
entry survives, as in the scenario that was already fixed.  Code that
later walks that gfn (dirty logging, MMU notifier invalidation, and
so on) dereferences an sptep that lies in the freed page, causing the
use-after-free.

Fixes: 2032a93 ("KVM: MMU: Don't allocate gfns page for direct mmu pages")
Reported-by: Hyunwoo Kim <imv4bel@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 81ccda3)
Signed-off-by: Shreeya Patel <spatel@ciq.com>

@bmastbergen bmastbergen left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🥌

@bmastbergen bmastbergen requested a review from a team July 10, 2026 19:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

8 participants