[rocky8_10] History Rebuild through kernel-4.18.0-553.100.1.el8_10

Makefile.rhelver

@@ -12,7 +12,7 @@ RHEL_MINOR = 10
 #
 # Use this spot to avoid future merge conflicts.
 # Do not trim this comment.
-RHEL_RELEASE = 553.97.1
+RHEL_RELEASE = 553.100.1
 
 #
 # ZSTREAM

ciq/ciq_backports/kernel-4.18.0-553.100.1.el8_10/895b4c0c.failed

@@ -0,0 +1,126 @@
+fs/proc: fix uaf in proc_readdir_de()
+
+jira KERNEL-579
+cve CVE-2025-40271
+Rebuild_History Non-Buildable kernel-4.18.0-553.100.1.el8_10
+commit-author Wei Yang <albinwyang@tencent.com>
+commit 895b4c0c79b092d732544011c3cecaf7322c36a1
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-4.18.0-553.100.1.el8_10/895b4c0c.failed
+
+Pde is erased from subdir rbtree through rb_erase(), but not set the node
+to EMPTY, which may result in uaf access.  We should use RB_CLEAR_NODE()
+set the erased node to EMPTY, then pde_subdir_next() will return NULL to
+avoid uaf access.
+
+We found an uaf issue while using stress-ng testing, need to run testcase
+getdent and tun in the same time.  The steps of the issue is as follows:
+
+1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current
+   pde is tun3;
+
+2) in the [time windows] unregister netdevice tun3 and tun2, and erase
+   them from rbtree.  erase tun3 first, and then erase tun2.  the
+   pde(tun2) will be released to slab;
+
+3) continue to getdent process, then pde_subdir_next() will return
+   pde(tun2) which is released, it will case uaf access.
+
+CPU 0                                      |    CPU 1
+-------------------------------------------------------------------------
+traverse dir /proc/pid/net/dev_snmp6/      |   unregister_netdevice(tun->dev)   //tun3 tun2
+sys_getdents64()                           |
+  iterate_dir()                            |
+    proc_readdir()                         |
+      proc_readdir_de()                    |     snmp6_unregister_dev()
+        pde_get(de);                       |       proc_remove()
+        read_unlock(&proc_subdir_lock);    |         remove_proc_subtree()
+                                           |           write_lock(&proc_subdir_lock);
+        [time window]                      |           rb_erase(&root->subdir_node, &parent->subdir);
+                                           |           write_unlock(&proc_subdir_lock);
+        read_lock(&proc_subdir_lock);      |
+        next = pde_subdir_next(de);        |
+        pde_put(de);                       |
+        de = next;    //UAF                |
+
+rbtree of dev_snmp6
+                        |
+                    pde(tun3)
+                     /    \
+                  NULL  pde(tun2)
+
+Link: https://lkml.kernel.org/r/20251025024233.158363-1-albin_yang@163.com
+	Signed-off-by: Wei Yang <albinwyang@tencent.com>
+	Cc: Al Viro <viro@zeniv.linux.org.uk>
+	Cc: Christian Brauner <brauner@kernel.org>
+	Cc: wangzijie <wangzijie1@honor.com>
+	Cc: Alexey Dobriyan <adobriyan@gmail.com>
+	Cc: <stable@vger.kernel.org>
+	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+(cherry picked from commit 895b4c0c79b092d732544011c3cecaf7322c36a1)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	fs/proc/generic.c
+diff --cc fs/proc/generic.c
+index 5ee78ffa628a,501889856461..000000000000
+--- a/fs/proc/generic.c
++++ b/fs/proc/generic.c
+@@@ -665,8 -721,16 +671,21 @@@ void remove_proc_entry(const char *name
+  	len = strlen(fn);
+
+  	de = pde_subdir_find(parent, fn, len);
+++<<<<<<< HEAD
+ +	if (de)
+ +		rb_erase(&de->subdir_node, &parent->subdir);
+++=======
++ 	if (de) {
++ 		if (unlikely(pde_is_permanent(de))) {
++ 			WARN(1, "removing permanent /proc entry '%s'", de->name);
++ 			de = NULL;
++ 		} else {
++ 			pde_erase(de, parent);
++ 			if (S_ISDIR(de->mode))
++ 				parent->nlink--;
++ 		}
++ 	}
+++>>>>>>> 895b4c0c79b0 (fs/proc: fix uaf in proc_readdir_de())
+  	write_unlock(&proc_subdir_lock);
+  	if (!de) {
+  		WARN(1, "name '%s'\n", name);
+@@@ -703,13 -764,25 +722,33 @@@ int remove_proc_subtree(const char *nam
+  		write_unlock(&proc_subdir_lock);
+  		return -ENOENT;
+  	}
+++<<<<<<< HEAD
+ +	rb_erase(&root->subdir_node, &parent->subdir);
+++=======
++ 	if (unlikely(pde_is_permanent(root))) {
++ 		write_unlock(&proc_subdir_lock);
++ 		WARN(1, "removing permanent /proc entry '%s/%s'",
++ 			root->parent->name, root->name);
++ 		return -EINVAL;
++ 	}
++ 	pde_erase(root, parent);
+++>>>>>>> 895b4c0c79b0 (fs/proc: fix uaf in proc_readdir_de())
+
+  	de = root;
+  	while (1) {
+  		next = pde_subdir_first(de);
+  		if (next) {
+++<<<<<<< HEAD
+ +			rb_erase(&next->subdir_node, &de->subdir);
+++=======
++ 			if (unlikely(pde_is_permanent(next))) {
++ 				write_unlock(&proc_subdir_lock);
++ 				WARN(1, "removing permanent /proc entry '%s/%s'",
++ 					next->parent->name, next->name);
++ 				return -EINVAL;
++ 			}
++ 			pde_erase(next, de);
+++>>>>>>> 895b4c0c79b0 (fs/proc: fix uaf in proc_readdir_de())
+  			de = next;
+  			continue;
+  		}
+* Unmerged path fs/proc/generic.c

ciq/ciq_backports/kernel-4.18.0-553.100.1.el8_10/b64700d4.failed

@@ -0,0 +1,77 @@
+squashfs: fix memory leak in squashfs_fill_super
+
+jira KERNEL-579
+cve CVE-2025-38415
+Rebuild_History Non-Buildable kernel-4.18.0-553.100.1.el8_10
+commit-author Phillip Lougher <phillip@squashfs.org.uk>
+commit b64700d41bdc4e9f82f1346c15a3678ebb91a89c
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-4.18.0-553.100.1.el8_10/b64700d4.failed
+
+If sb_min_blocksize returns 0, squashfs_fill_super exits without freeing
+allocated memory (sb->s_fs_info).
+
+Fix this by moving the call to sb_min_blocksize to before memory is
+allocated.
+
+Link: https://lkml.kernel.org/r/20250811223740.110392-1-phillip@squashfs.org.uk
+Fixes: 734aa85390ea ("Squashfs: check return result of sb_min_blocksize")
+	Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
+	Reported-by: Scott GUO <scottzhguo@tencent.com>
+Closes: https://lore.kernel.org/all/20250811061921.3807353-1-scott_gzh@163.com
+	Cc: <stable@vger.kernel.org>
+	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+(cherry picked from commit b64700d41bdc4e9f82f1346c15a3678ebb91a89c)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	fs/squashfs/super.c
+diff --cc fs/squashfs/super.c
+index 7e1a090738a6,4465cf05603a..000000000000
+--- a/fs/squashfs/super.c
++++ b/fs/squashfs/super.c
+@@@ -110,18 -191,9 +110,24 @@@ static int squashfs_fill_super(struct s
+
+  	TRACE("Entered squashfs_fill_superblock\n");
+
+++<<<<<<< HEAD
+ +	/*
+ +	 * squashfs provides 'backing_dev_info' in order to disable read-ahead. For
+ +	 * squashfs, I/O is not deferred, it is done immediately in readpage,
+ +	 * which means the user would always have to wait their own I/O. So the effect
+ +	 * of readahead is very weak for squashfs. squashfs_bdi_init will set
+ +	 * sb->s_bdi->ra_pages and sb->s_bdi->io_pages to 0 and close readahead for
+ +	 * squashfs.
+ +	 */
+ +	err = squashfs_bdi_init(sb);
+ +	if (err) {
+ +		errorf(fc, "squashfs init bdi failed");
+ +		return err;
+++=======
++ 	if (!devblksize) {
++ 		errorf(fc, "squashfs: unable to set blocksize\n");
++ 		return -EINVAL;
+++>>>>>>> b64700d41bdc (squashfs: fix memory leak in squashfs_fill_super)
+  	}
+
+  	sb->s_fs_info = kzalloc(sizeof(*msblk), GFP_KERNEL);
+@@@ -130,13 -202,11 +136,8 @@@
+  		return -ENOMEM;
+  	}
+  	msblk = sb->s_fs_info;
+ -	msblk->thread_ops = opts->thread_ops;
+ -
+ -	msblk->panic_on_errors = (opts->errors == Opt_errors_panic);
+
+- 	msblk->devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE);
+- 	if (!msblk->devblksize) {
+- 		errorf(fc, "squashfs: unable to set blocksize\n");
+- 		return -EINVAL;
+- 	}
+- 
++ 	msblk->devblksize = devblksize;
+  	msblk->devblksize_log2 = ffz(~msblk->devblksize);
+
+  	mutex_init(&msblk->meta_index_mutex);
+* Unmerged path fs/squashfs/super.c

ciq/ciq_backports/kernel-4.18.0-553.100.1.el8_10/d0706bfd.failed

@@ -0,0 +1,126 @@
+RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device" problem
+
+jira KERNEL-579
+cve CVE-2025-38022
+Rebuild_History Non-Buildable kernel-4.18.0-553.100.1.el8_10
+commit-author Zhu Yanjun <yanjun.zhu@linux.dev>
+commit d0706bfd3ee40923c001c6827b786a309e2a8713
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-4.18.0-553.100.1.el8_10/d0706bfd.failed
+
+Call Trace:
+
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:408 [inline]
+ print_report+0xc3/0x670 mm/kasan/report.c:521
+ kasan_report+0xe0/0x110 mm/kasan/report.c:634
+ strlen+0x93/0xa0 lib/string.c:420
+ __fortify_strlen include/linux/fortify-string.h:268 [inline]
+ get_kobj_path_length lib/kobject.c:118 [inline]
+ kobject_get_path+0x3f/0x2a0 lib/kobject.c:158
+ kobject_uevent_env+0x289/0x1870 lib/kobject_uevent.c:545
+ ib_register_device drivers/infiniband/core/device.c:1472 [inline]
+ ib_register_device+0x8cf/0xe00 drivers/infiniband/core/device.c:1393
+ rxe_register_device+0x275/0x320 drivers/infiniband/sw/rxe/rxe_verbs.c:1552
+ rxe_net_add+0x8e/0xe0 drivers/infiniband/sw/rxe/rxe_net.c:550
+ rxe_newlink+0x70/0x190 drivers/infiniband/sw/rxe/rxe.c:225
+ nldev_newlink+0x3a3/0x680 drivers/infiniband/core/nldev.c:1796
+ rdma_nl_rcv_msg+0x387/0x6e0 drivers/infiniband/core/netlink.c:195
+ rdma_nl_rcv_skb.constprop.0.isra.0+0x2e5/0x450
+ netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
+ netlink_unicast+0x53a/0x7f0 net/netlink/af_netlink.c:1339
+ netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1883
+ sock_sendmsg_nosec net/socket.c:712 [inline]
+ __sock_sendmsg net/socket.c:727 [inline]
+ ____sys_sendmsg+0xa95/0xc70 net/socket.c:2566
+ ___sys_sendmsg+0x134/0x1d0 net/socket.c:2620
+ __sys_sendmsg+0x16d/0x220 net/socket.c:2652
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+This problem is similar to the problem that the
+commit 1d6a9e7449e2 ("RDMA/core: Fix use-after-free when rename device name")
+fixes.
+
+The root cause is: the function ib_device_rename() renames the name with
+lock. But in the function kobject_uevent(), this name is accessed without
+lock protection at the same time.
+
+The solution is to add the lock protection when this name is accessed in
+the function kobject_uevent().
+
+Fixes: 779e0bf47632 ("RDMA/core: Do not indicate device ready when device enablement fails")
+Link: https://patch.msgid.link/r/20250506151008.75701-1-yanjun.zhu@linux.dev
+	Reported-by: syzbot+e2ce9e275ecc70a30b72@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=e2ce9e275ecc70a30b72
+	Signed-off-by: Zhu Yanjun <yanjun.zhu@linux.dev>
+	Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+(cherry picked from commit d0706bfd3ee40923c001c6827b786a309e2a8713)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	drivers/infiniband/core/device.c
+diff --cc drivers/infiniband/core/device.c
+index 830c60d82fe5,d4263385850a..000000000000
+--- a/drivers/infiniband/core/device.c
++++ b/drivers/infiniband/core/device.c
+@@@ -1345,6 -1344,37 +1345,40 @@@ static void prevent_dealloc_device(stru
+  {
+  }
+
+++<<<<<<< HEAD
+++=======
++ static void ib_device_notify_register(struct ib_device *device)
++ {
++ 	struct net_device *netdev;
++ 	u32 port;
++ 	int ret;
++ 
++ 	down_read(&devices_rwsem);
++ 
++ 	/* Mark for userspace that device is ready */
++ 	kobject_uevent(&device->dev.kobj, KOBJ_ADD);
++ 
++ 	ret = rdma_nl_notify_event(device, 0, RDMA_REGISTER_EVENT);
++ 	if (ret)
++ 		goto out;
++ 
++ 	rdma_for_each_port(device, port) {
++ 		netdev = ib_device_get_netdev(device, port);
++ 		if (!netdev)
++ 			continue;
++ 
++ 		ret = rdma_nl_notify_event(device, port,
++ 					   RDMA_NETDEV_ATTACH_EVENT);
++ 		dev_put(netdev);
++ 		if (ret)
++ 			goto out;
++ 	}
++ 
++ out:
++ 	up_read(&devices_rwsem);
++ }
++ 
+++>>>>>>> d0706bfd3ee4 (RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device" problem)
+  /**
+   * ib_register_device - Register an IB device with IB core
+   * @device: Device to register
+@@@ -1441,8 -1471,9 +1475,14 @@@ int ib_register_device(struct ib_devic
+  		return ret;
+  	}
+  	dev_set_uevent_suppress(&device->dev, false);
+++<<<<<<< HEAD
+ +	/* Mark for userspace that device is ready */
+ +	kobject_uevent(&device->dev.kobj, KOBJ_ADD);
+++=======
++ 
++ 	ib_device_notify_register(device);
++ 
+++>>>>>>> d0706bfd3ee4 (RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device" problem)
+  	ib_device_put(device);
+
+  	return 0;
+* Unmerged path drivers/infiniband/core/device.c

ciq/ciq_backports/kernel-4.18.0-553.100.1.el8_10/d519f350.failed

@@ -0,0 +1,43 @@
+tcp: minor optimization in tcp_add_backlog()
+
+jira KERNEL-579
+cve CVE-2022-50865
+Rebuild_History Non-Buildable kernel-4.18.0-553.100.1.el8_10
+commit-author Eric Dumazet <edumazet@google.com>
+commit d519f350967a60b85a574ad8aeac43f2b4384746
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-4.18.0-553.100.1.el8_10/d519f350.failed
+
+If packet is going to be coalesced, sk_sndbuf/sk_rcvbuf values
+are not used. Defer their access to the point we need them.
+
+	Signed-off-by: Eric Dumazet <edumazet@google.com>
+	Signed-off-by: David S. Miller <davem@davemloft.net>
+(cherry picked from commit d519f350967a60b85a574ad8aeac43f2b4384746)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	net/ipv4/tcp_ipv4.c
+diff --cc net/ipv4/tcp_ipv4.c
+index 6e5d755f14b4,82a9e1b75405..000000000000
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@@ -1654,11 -1798,9 +1654,15 @@@ int tcp_v4_early_demux(struct sk_buff *
+  	return 0;
+  }
+
+ -bool tcp_add_backlog(struct sock *sk, struct sk_buff *skb)
+ +bool tcp_add_backlog(struct sock *sk, struct sk_buff *skb,
+ +		     enum skb_drop_reason *reason)
+  {
+++<<<<<<< HEAD
+ +	u32 limit = sk->sk_rcvbuf + sk->sk_sndbuf;
+ +	u32 tail_gso_size, tail_gso_segs;
+++=======
++ 	u32 limit, tail_gso_size, tail_gso_segs;
+++>>>>>>> d519f350967a (tcp: minor optimization in tcp_add_backlog())
+  	struct skb_shared_info *shinfo;
+  	const struct tcphdr *th;
+  	struct tcphdr *thtail;
+* Unmerged path net/ipv4/tcp_ipv4.c