Update kernel to 6.12.23 base (#43)

Co-authored-by: sys_oak <sys_oak@intel.com>

Author: renjiaox

SPECS/kernel-headers/kernel-headers.signatures.json

@@ -1,5 +1,5 @@
 {
   "Signatures": {
-    "lts-v6.12.20-edge-250324T192946Z.tar.gz": "6aa265c2e640ffc060ac0e4fb0dd3363913053a7e306be2e269b5432045d7255"
+    "lts-v6.12.23-emt-250415T094615Z.tar.gz": "752b4275dcc3d0a457802f57f5462fe1e0837730f3752292016beeacbf631021"
   }
 }

SPECS/kernel-headers/kernel-headers.spec

@@ -13,14 +13,14 @@
 
 Summary:        Linux API header files
 Name:           kernel-headers
-Version:        6.12.20
+Version:        6.12.23
 Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Intel Corporation
 Distribution:   Edge Microvisor Toolkit
 Group:          System Environment/Kernel
 URL:            https://github.com/intel/linux-intel-lts
-Source0:        https://github.com/intel/linux-intel-lts/archive/refs/tags/lts-v6.12.20-edge-250324T192946Z.tar.gz
+Source0:        https://github.com/intel/linux-intel-lts/archive/refs/tags/lts-v6.12.23-emt-250415T094615Z.tar.gz
 # Historical name shipped by other distros
 Provides:       glibc-kernheaders = %{version}-%{release}
 BuildArch:      noarch
@@ -41,7 +41,7 @@ cross-glibc package.
 %endif
 
 %prep
-%setup -q -n lts-v6.12.20-edge-250324T192946Z
+%setup -q -n lts-v6.12.23-emt-250415T094615Z
 
 %build
 make mrproper
@@ -76,6 +76,9 @@ done
 %endif
 
 %changelog
+* Mon Apr 21 2025 Ren Jiaojiao <jiaojiaox.ren@intel.com> - 6.12.23-1
+- Update kernel to 6.12.23
+
 * Thu Mar 27 2025 Ren Jiaojiao <jiaojiaox.ren@intel.com> - 6.12.20-1
 - Update kernel to 6.12.20
 

SPECS/kernel-rt/CVE-2025-21884-1.patch

@@ -0,0 +1,252 @@
+From 7eed89daad561d34ad3b65b2f6e73c99eed0f090 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 20 Feb 2025 13:18:54 +0000
+Subject: [PATCH 2/2] net: better track kernel sockets lifetime
+
+While kernel sockets are dismantled during pernet_operations->exit(),
+their freeing can be delayed by any tx packets still held in qdisc
+or device queues, due to skb_set_owner_w() prior calls.
+
+This then trigger the following warning from ref_tracker_dir_exit() [1]
+
+To fix this, make sure that kernel sockets own a reference on net->passive.
+
+Add sk_net_refcnt_upgrade() helper, used whenever a kernel socket
+is converted to a refcounted one.
+
+[1]
+
+[  136.263918][   T35] ref_tracker: net notrefcnt@ffff8880638f01e0 has 1/2 users at
+[  136.263918][   T35]      sk_alloc+0x2b3/0x370
+[  136.263918][   T35]      inet6_create+0x6ce/0x10f0
+[  136.263918][   T35]      __sock_create+0x4c0/0xa30
+[  136.263918][   T35]      inet_ctl_sock_create+0xc2/0x250
+[  136.263918][   T35]      igmp6_net_init+0x39/0x390
+[  136.263918][   T35]      ops_init+0x31e/0x590
+[  136.263918][   T35]      setup_net+0x287/0x9e0
+[  136.263918][   T35]      copy_net_ns+0x33f/0x570
+[  136.263918][   T35]      create_new_namespaces+0x425/0x7b0
+[  136.263918][   T35]      unshare_nsproxy_namespaces+0x124/0x180
+[  136.263918][   T35]      ksys_unshare+0x57d/0xa70
+[  136.263918][   T35]      __x64_sys_unshare+0x38/0x40
+[  136.263918][   T35]      do_syscall_64+0xf3/0x230
+[  136.263918][   T35]      entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[  136.263918][   T35]
+[  136.343488][   T35] ref_tracker: net notrefcnt@ffff8880638f01e0 has 1/2 users at
+[  136.343488][   T35]      sk_alloc+0x2b3/0x370
+[  136.343488][   T35]      inet6_create+0x6ce/0x10f0
+[  136.343488][   T35]      __sock_create+0x4c0/0xa30
+[  136.343488][   T35]      inet_ctl_sock_create+0xc2/0x250
+[  136.343488][   T35]      ndisc_net_init+0xa7/0x2b0
+[  136.343488][   T35]      ops_init+0x31e/0x590
+[  136.343488][   T35]      setup_net+0x287/0x9e0
+[  136.343488][   T35]      copy_net_ns+0x33f/0x570
+[  136.343488][   T35]      create_new_namespaces+0x425/0x7b0
+[  136.343488][   T35]      unshare_nsproxy_namespaces+0x124/0x180
+[  136.343488][   T35]      ksys_unshare+0x57d/0xa70
+[  136.343488][   T35]      __x64_sys_unshare+0x38/0x40
+[  136.343488][   T35]      do_syscall_64+0xf3/0x230
+[  136.343488][   T35]      entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: 0cafd77dcd03 ("net: add a refcount tracker for kernel sockets")
+Reported-by: syzbot+30a19e01a97420719891@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/67b72aeb.050a0220.14d86d.0283.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Link: https://patch.msgid.link/20250220131854.4048077-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+---
+ include/net/sock.h       |  1 +
+ net/core/sock.c          | 27 ++++++++++++++++++++++-----
+ net/mptcp/subflow.c      |  5 +----
+ net/netlink/af_netlink.c | 10 ----------
+ net/rds/tcp.c            |  8 ++------
+ net/smc/af_smc.c         |  5 +----
+ net/sunrpc/svcsock.c     |  5 +----
+ net/sunrpc/xprtsock.c    |  8 ++------
+ 8 files changed, 30 insertions(+), 39 deletions(-)
+
+diff --git a/include/net/sock.h b/include/net/sock.h
+index fa055cf1785e..0c8dc587a8ff 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -1744,6 +1744,7 @@ static inline bool sock_allow_reclassification(const struct sock *csk)
+ struct sock *sk_alloc(struct net *net, int family, gfp_t priority,
+ 		      struct proto *prot, int kern);
+ void sk_free(struct sock *sk);
++void sk_net_refcnt_upgrade(struct sock *sk);
+ void sk_destruct(struct sock *sk);
+ struct sock *sk_clone_lock(const struct sock *sk, const gfp_t priority);
+ void sk_free_unlock_clone(struct sock *sk);
+diff --git a/net/core/sock.c b/net/core/sock.c
+index a83f64a1d96a..822642bcb81a 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -2238,6 +2238,7 @@ struct sock *sk_alloc(struct net *net, int family, gfp_t priority,
+ 			get_net_track(net, &sk->ns_tracker, priority);
+ 			sock_inuse_add(net, 1);
+ 		} else {
++			net_passive_inc(net);
+ 			__netns_tracker_alloc(net, &sk->ns_tracker,
+ 					      false, priority);
+ 		}
+@@ -2262,6 +2263,7 @@ EXPORT_SYMBOL(sk_alloc);
+ static void __sk_destruct(struct rcu_head *head)
+ {
+ 	struct sock *sk = container_of(head, struct sock, sk_rcu);
++	struct net *net = sock_net(sk);
+ 	struct sk_filter *filter;
+ 
+ 	if (sk->sk_destruct)
+@@ -2293,14 +2295,28 @@ static void __sk_destruct(struct rcu_head *head)
+ 	put_cred(sk->sk_peer_cred);
+ 	put_pid(sk->sk_peer_pid);
+ 
+-	if (likely(sk->sk_net_refcnt))
+-		put_net_track(sock_net(sk), &sk->ns_tracker);
+-	else
+-		__netns_tracker_free(sock_net(sk), &sk->ns_tracker, false);
+-
++	if (likely(sk->sk_net_refcnt)) {
++		put_net_track(net, &sk->ns_tracker);
++	} else {
++		__netns_tracker_free(net, &sk->ns_tracker, false);
++		net_passive_dec(net);
++	}
+ 	sk_prot_free(sk->sk_prot_creator, sk);
+ }
+ 
++void sk_net_refcnt_upgrade(struct sock *sk)
++{
++	struct net *net = sock_net(sk);
++
++	WARN_ON_ONCE(sk->sk_net_refcnt);
++	__netns_tracker_free(net, &sk->ns_tracker, false);
++	net_passive_dec(net);
++	sk->sk_net_refcnt = 1;
++	get_net_track(net, &sk->ns_tracker, GFP_KERNEL);
++	sock_inuse_add(net, 1);
++}
++EXPORT_SYMBOL_GPL(sk_net_refcnt_upgrade);
++
+ void sk_destruct(struct sock *sk)
+ {
+ 	bool use_call_rcu = sock_flag(sk, SOCK_RCU_FREE);
+@@ -2397,6 +2413,7 @@ struct sock *sk_clone_lock(const struct sock *sk, const gfp_t priority)
+ 		 * is not properly dismantling its kernel sockets at netns
+ 		 * destroy time.
+ 		 */
++		net_passive_inc(sock_net(newsk));
+ 		__netns_tracker_alloc(sock_net(newsk), &newsk->ns_tracker,
+ 				      false, priority);
+ 	}
+diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c
+index b56bbee7312c..4a49b7749b07 100644
+--- a/net/mptcp/subflow.c
++++ b/net/mptcp/subflow.c
+@@ -1755,10 +1755,7 @@ int mptcp_subflow_create_socket(struct sock *sk, unsigned short family,
+ 	 * needs it.
+ 	 * Update ns_tracker to current stack trace and refcounted tracker.
+ 	 */
+-	__netns_tracker_free(net, &sf->sk->ns_tracker, false);
+-	sf->sk->sk_net_refcnt = 1;
+-	get_net_track(net, &sf->sk->ns_tracker, GFP_KERNEL);
+-	sock_inuse_add(net, 1);
++	sk_net_refcnt_upgrade(sf->sk);
+ 	err = tcp_set_ulp(sf->sk, "mptcp");
+ 	if (err)
+ 		goto err_free;
+diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
+index 775d707ec708..f26e6be94d84 100644
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -795,16 +795,6 @@ static int netlink_release(struct socket *sock)
+ 
+ 	sock_prot_inuse_add(sock_net(sk), &netlink_proto, -1);
+ 
+-	/* Because struct net might disappear soon, do not keep a pointer. */
+-	if (!sk->sk_net_refcnt && sock_net(sk) != &init_net) {
+-		__netns_tracker_free(sock_net(sk), &sk->ns_tracker, false);
+-		/* Because of deferred_put_nlk_sk and use of work queue,
+-		 * it is possible  netns will be freed before this socket.
+-		 */
+-		sock_net_set(sk, &init_net);
+-		__netns_tracker_alloc(&init_net, &sk->ns_tracker,
+-				      false, GFP_KERNEL);
+-	}
+ 	call_rcu(&nlk->rcu, deferred_put_nlk_sk);
+ 	return 0;
+ }
+diff --git a/net/rds/tcp.c b/net/rds/tcp.c
+index 0581c53e6517..3cc2f303bf78 100644
+--- a/net/rds/tcp.c
++++ b/net/rds/tcp.c
+@@ -504,12 +504,8 @@ bool rds_tcp_tune(struct socket *sock)
+ 			release_sock(sk);
+ 			return false;
+ 		}
+-		/* Update ns_tracker to current stack trace and refcounted tracker */
+-		__netns_tracker_free(net, &sk->ns_tracker, false);
+-
+-		sk->sk_net_refcnt = 1;
+-		netns_tracker_alloc(net, &sk->ns_tracker, GFP_KERNEL);
+-		sock_inuse_add(net, 1);
++		sk_net_refcnt_upgrade(sk);
++		put_net(net);
+ 	}
+ 	rtn = net_generic(net, rds_tcp_netid);
+ 	if (rtn->sndbuf_size > 0) {
+diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
+index ebc41a7b13db..ba834cefb177 100644
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -3334,10 +3334,7 @@ int smc_create_clcsk(struct net *net, struct sock *sk, int family)
+ 	 * which need net ref.
+ 	 */
+ 	sk = smc->clcsock->sk;
+-	__netns_tracker_free(net, &sk->ns_tracker, false);
+-	sk->sk_net_refcnt = 1;
+-	get_net_track(net, &sk->ns_tracker, GFP_KERNEL);
+-	sock_inuse_add(net, 1);
++	sk_net_refcnt_upgrade(sk);
+ 	return 0;
+ }
+ 
+diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c
+index 3bfbb789c4be..780a54548372 100644
+--- a/net/sunrpc/svcsock.c
++++ b/net/sunrpc/svcsock.c
+@@ -1541,10 +1541,7 @@ static struct svc_xprt *svc_create_socket(struct svc_serv *serv,
+ 	newlen = error;
+ 
+ 	if (protocol == IPPROTO_TCP) {
+-		__netns_tracker_free(net, &sock->sk->ns_tracker, false);
+-		sock->sk->sk_net_refcnt = 1;
+-		get_net_track(net, &sock->sk->ns_tracker, GFP_KERNEL);
+-		sock_inuse_add(net, 1);
++		sk_net_refcnt_upgrade(sock->sk);
+ 		if ((error = kernel_listen(sock, 64)) < 0)
+ 			goto bummer;
+ 	}
+diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c
+index 171ad4e2523f..e077f5718e8b 100644
+--- a/net/sunrpc/xprtsock.c
++++ b/net/sunrpc/xprtsock.c
+@@ -1940,12 +1940,8 @@ static struct socket *xs_create_sock(struct rpc_xprt *xprt,
+ 		goto out;
+ 	}
+ 
+-	if (protocol == IPPROTO_TCP) {
+-		__netns_tracker_free(xprt->xprt_net, &sock->sk->ns_tracker, false);
+-		sock->sk->sk_net_refcnt = 1;
+-		get_net_track(xprt->xprt_net, &sock->sk->ns_tracker, GFP_KERNEL);
+-		sock_inuse_add(xprt->xprt_net, 1);
+-	}
++	if (protocol == IPPROTO_TCP)
++		sk_net_refcnt_upgrade(sock->sk);
+ 
+ 	filp = sock_alloc_file(sock, O_NONBLOCK, NULL);
+ 	if (IS_ERR(filp))
+-- 
+2.25.1
+

SPECS/kernel-rt/CVE-2025-21884.patch

@@ -0,0 +1,97 @@
+From 607f4553ebb61d02df25a2628a9b06d49b83b332 Mon Sep 17 00:00:00 2001
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+Date: Mon, 17 Feb 2025 11:11:27 -0800
+Subject: [PATCH 1/2] net: Add net_passive_inc() and net_passive_dec().
+
+net_drop_ns() is NULL when CONFIG_NET_NS is disabled.
+
+The next patch introduces a function that increments
+and decrements net->passive.
+
+As a prep, let's rename and export net_free() to
+net_passive_dec() and add net_passive_inc().
+
+Suggested-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/netdev/CANn89i+oUCt2VGvrbrweniTendZFEh+nwS=uonc004-aPkWy-Q@mail.gmail.com/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20250217191129.19967-2-kuniyu@amazon.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+---
+ include/net/net_namespace.h | 10 ++++++++++
+ net/core/net_namespace.c    |  8 ++++----
+ 2 files changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
+index da93873df4db..2cd9b1715632 100644
+--- a/include/net/net_namespace.h
++++ b/include/net/net_namespace.h
+@@ -291,6 +291,7 @@ static inline int check_net(const struct net *net)
+ }
+ 
+ void net_drop_ns(void *);
++void net_passive_dec(struct net *net);
+ 
+ #else
+ 
+@@ -320,8 +321,17 @@ static inline int check_net(const struct net *net)
+ }
+ 
+ #define net_drop_ns NULL
++
++static inline void net_passive_dec(struct net *net)
++{
++	refcount_dec(&net->passive);
++}
+ #endif
+ 
++static inline void net_passive_inc(struct net *net)
++{
++	refcount_inc(&net->passive);
++}
+ 
+ static inline void __netns_tracker_alloc(struct net *net,
+ 					 netns_tracker *tracker,
+diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
+index 70fea7c1a4b0..ee3c1b37d06c 100644
+--- a/net/core/net_namespace.c
++++ b/net/core/net_namespace.c
+@@ -458,7 +458,7 @@ static void net_complete_free(void)
+ 
+ }
+ 
+-static void net_free(struct net *net)
++void net_passive_dec(struct net *net)
+ {
+ 	if (refcount_dec_and_test(&net->passive)) {
+ 		kfree(rcu_access_pointer(net->gen));
+@@ -476,7 +476,7 @@ void net_drop_ns(void *p)
+ 	struct net *net = (struct net *)p;
+ 
+ 	if (net)
+-		net_free(net);
++		net_passive_dec(net);
+ }
+ 
+ struct net *copy_net_ns(unsigned long flags,
+@@ -517,7 +517,7 @@ struct net *copy_net_ns(unsigned long flags,
+ 		key_remove_domain(net->key_domain);
+ #endif
+ 		put_user_ns(user_ns);
+-		net_free(net);
++		net_passive_dec(net);
+ dec_ucounts:
+ 		dec_net_namespaces(ucounts);
+ 		return ERR_PTR(rv);
+@@ -662,7 +662,7 @@ static void cleanup_net(struct work_struct *work)
+ 		key_remove_domain(net->key_domain);
+ #endif
+ 		put_user_ns(net->user_ns);
+-		net_free(net);
++		net_passive_dec(net);
+ 	}
+ }
+ 
+-- 
+2.25.1
+

SPECS/kernel-rt/CVE-2025-21949.nopatch

@@ -0,0 +1 @@
+LoongArc, no need fix. The file(s) affected by this issue are: arch/loongarch/mm/mmap.c