[rocky9_5] History Rebuild to kernel-5.14.0-503.40.1.el9_5

Makefile.rhelver

@@ -12,7 +12,7 @@ RHEL_MINOR = 5
 #
 # Use this spot to avoid future merge conflicts.
 # Do not trim this comment.
-RHEL_RELEASE = 503.38.1
+RHEL_RELEASE = 503.40.1
 
 #
 # ZSTREAM

arch/x86/virt/svm/sev.c

@@ -190,6 +190,8 @@ static void __init __snp_fixup_e820_tables(u64 pa)
 		e820__range_update(pa, PMD_SIZE, E820_TYPE_RAM, E820_TYPE_RESERVED);
 		e820__range_update_table(e820_table_kexec, pa, PMD_SIZE, E820_TYPE_RAM, E820_TYPE_RESERVED);
 		e820__range_update_table(e820_table_firmware, pa, PMD_SIZE, E820_TYPE_RAM, E820_TYPE_RESERVED);
+		if (!memblock_is_region_reserved(pa, PMD_SIZE))
+			memblock_reserve(pa, PMD_SIZE);
 	}
 }
 

ciq/ciq_backports/kernel-5.14.0-503.40.1.el9_5/ad95bab0.failed

@@ -0,0 +1,101 @@
+nvme-tcp: fix potential memory corruption in nvme_tcp_recv_pdu()
+
+jira LE-2974
+cve CVE-2025-21927
+Rebuild_History Non-Buildable kernel-5.14.0-503.40.1.el9_5
+commit-author Maurizio Lombardi <[email protected]>
+commit ad95bab0cd28ed77c2c0d0b6e76e03e031391064
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-5.14.0-503.40.1.el9_5/ad95bab0.failed
+
+nvme_tcp_recv_pdu() doesn't check the validity of the header length.
+When header digests are enabled, a target might send a packet with an
+invalid header length (e.g. 255), causing nvme_tcp_verify_hdgst()
+to access memory outside the allocated area and cause memory corruptions
+by overwriting it with the calculated digest.
+
+Fix this by rejecting packets with an unexpected header length.
+
+Fixes: 3f2304f8c6d6 ("nvme-tcp: add NVMe over TCP host driver")
+	Signed-off-by: Maurizio Lombardi <[email protected]>
+	Reviewed-by: Sagi Grimberg <[email protected]>
+	Signed-off-by: Keith Busch <[email protected]>
+(cherry picked from commit ad95bab0cd28ed77c2c0d0b6e76e03e031391064)
+	Signed-off-by: Jonathan Maple <[email protected]>
+
+# Conflicts:
+#	drivers/nvme/host/tcp.c
+diff --cc drivers/nvme/host/tcp.c
+index 12d3a23bd4c1,23f11527d29d..000000000000
+--- a/drivers/nvme/host/tcp.c
++++ b/drivers/nvme/host/tcp.c
+@@@ -205,7 -217,34 +205,38 @@@ static inline int nvme_tcp_queue_id(str
+  	return queue - queue->ctrl->queues;
+  }
+
+++<<<<<<< HEAD
+ +static inline bool nvme_tcp_tls(struct nvme_ctrl *ctrl)
+++=======
++ static inline bool nvme_tcp_recv_pdu_supported(enum nvme_tcp_pdu_type type)
++ {
++ 	switch (type) {
++ 	case nvme_tcp_c2h_term:
++ 	case nvme_tcp_c2h_data:
++ 	case nvme_tcp_r2t:
++ 	case nvme_tcp_rsp:
++ 		return true;
++ 	default:
++ 		return false;
++ 	}
++ }
++ 
++ /*
++  * Check if the queue is TLS encrypted
++  */
++ static inline bool nvme_tcp_queue_tls(struct nvme_tcp_queue *queue)
++ {
++ 	if (!IS_ENABLED(CONFIG_NVME_TCP_TLS))
++ 		return 0;
++ 
++ 	return queue->tls_enabled;
++ }
++ 
++ /*
++  * Check if TLS is configured for the controller.
++  */
++ static inline bool nvme_tcp_tls_configured(struct nvme_ctrl *ctrl)
+++>>>>>>> ad95bab0cd28 (nvme-tcp: fix potential memory corruption in nvme_tcp_recv_pdu())
+  {
+  	if (!IS_ENABLED(CONFIG_NVME_TCP_TLS))
+  		return 0;
+@@@ -758,6 -831,25 +789,28 @@@ static int nvme_tcp_recv_pdu(struct nvm
+  		return 0;
+
+  	hdr = queue->pdu;
+++<<<<<<< HEAD
+++=======
++ 	if (unlikely(hdr->hlen != sizeof(struct nvme_tcp_rsp_pdu))) {
++ 		if (!nvme_tcp_recv_pdu_supported(hdr->type))
++ 			goto unsupported_pdu;
++ 
++ 		dev_err(queue->ctrl->ctrl.device,
++ 			"pdu type %d has unexpected header length (%d)\n",
++ 			hdr->type, hdr->hlen);
++ 		return -EPROTO;
++ 	}
++ 
++ 	if (unlikely(hdr->type == nvme_tcp_c2h_term)) {
++ 		/*
++ 		 * C2HTermReq never includes Header or Data digests.
++ 		 * Skip the checks.
++ 		 */
++ 		nvme_tcp_handle_c2h_term(queue, (void *)queue->pdu);
++ 		return -EINVAL;
++ 	}
++ 
+++>>>>>>> ad95bab0cd28 (nvme-tcp: fix potential memory corruption in nvme_tcp_recv_pdu())
+  	if (queue->hdr_digest) {
+  		ret = nvme_tcp_verify_hdgst(queue, queue->pdu, hdr->hlen);
+  		if (unlikely(ret))
+* Unmerged path drivers/nvme/host/tcp.c

ciq/ciq_backports/kernel-5.14.0-503.40.1.el9_5/cbd070a4.failed

@@ -0,0 +1,63 @@
+ipvs: properly dereference pe in ip_vs_add_service
+
+jira LE-2974
+cve CVE-2024-42322
+Rebuild_History Non-Buildable kernel-5.14.0-503.40.1.el9_5
+commit-author Chen Hanxiao <[email protected]>
+commit cbd070a4ae62f119058973f6d2c984e325bce6e7
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-5.14.0-503.40.1.el9_5/cbd070a4.failed
+
+Use pe directly to resolve sparse warning:
+
+  net/netfilter/ipvs/ip_vs_ctl.c:1471:27: warning: dereference of noderef expression
+
+Fixes: 39b972231536 ("ipvs: handle connections started by real-servers")
+	Signed-off-by: Chen Hanxiao <[email protected]>
+	Acked-by: Julian Anastasov <[email protected]>
+	Acked-by: Simon Horman <[email protected]>
+	Signed-off-by: Pablo Neira Ayuso <[email protected]>
+(cherry picked from commit cbd070a4ae62f119058973f6d2c984e325bce6e7)
+	Signed-off-by: Jonathan Maple <[email protected]>
+
+# Conflicts:
+#	net/netfilter/ipvs/ip_vs_ctl.c
+diff --cc net/netfilter/ipvs/ip_vs_ctl.c
+index 6907e6ad10ad,706c2b52a1ac..000000000000
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@@ -1383,19 -1455,21 +1383,31 @@@ ip_vs_add_service(struct netns_ipvs *ip
+  		sched = NULL;
+  	}
+
+++<<<<<<< HEAD
+ +	/* Bind the ct retriever */
+ +	RCU_INIT_POINTER(svc->pe, pe);
+ +	pe = NULL;
+++=======
++ 	ret = ip_vs_start_estimator(ipvs, &svc->stats);
++ 	if (ret < 0)
++ 		goto out_err;
+++>>>>>>> cbd070a4ae62 (ipvs: properly dereference pe in ip_vs_add_service)
+
+  	/* Update the virtual service counters */
+  	if (svc->port == FTPPORT)
+  		atomic_inc(&ipvs->ftpsvc_counter);
+  	else if (svc->port == 0)
+  		atomic_inc(&ipvs->nullsvc_counter);
+- 	if (svc->pe && svc->pe->conn_out)
++ 	if (pe && pe->conn_out)
+  		atomic_inc(&ipvs->conn_out_counter);
+
+++<<<<<<< HEAD
+ +	ip_vs_start_estimator(ipvs, &svc->stats);
+++=======
++ 	/* Bind the ct retriever */
++ 	RCU_INIT_POINTER(svc->pe, pe);
++ 	pe = NULL;
+++>>>>>>> cbd070a4ae62 (ipvs: properly dereference pe in ip_vs_add_service)
+
+  	/* Count only IPv4 services for old get/setsockopt interface */
+  	if (svc->af == AF_INET)
+* Unmerged path net/netfilter/ipvs/ip_vs_ctl.c

ciq/ciq_backports/kernel-5.14.0-503.40.1.el9_5/rebuild.details.txt

@@ -0,0 +1,20 @@
+Rebuild_History BUILDABLE
+Rebuilding Kernel from rpm changelog with Fuzz Limit: 87.50%
+Number of commits in upstream range v5.14~1..kernel-mainline: 296055
+Number of commits in rpm: 26
+Number of commits matched with upstream: 24 (92.31%)
+Number of commits in upstream but not in rpm: 296031
+Number of commits NOT found in upstream: 2 (7.69%)
+
+Rebuilding Kernel on Branch rocky9_5_rebuild_kernel-5.14.0-503.40.1.el9_5 for kernel-5.14.0-503.40.1.el9_5
+Clean Cherry Picks: 22 (91.67%)
+Empty Cherry Picks: 2 (8.33%)
+_______________________________
+
+__EMPTY COMMITS__________________________
+cbd070a4ae62f119058973f6d2c984e325bce6e7 ipvs: properly dereference pe in ip_vs_add_service
+ad95bab0cd28ed77c2c0d0b6e76e03e031391064 nvme-tcp: fix potential memory corruption in nvme_tcp_recv_pdu()
+
+__CHANGES NOT IN UPSTREAM________________
+Porting to Rocky Linux 9, debranding and Rocky branding'
+Ensure aarch64 kernel is not compressed'