[rocky9_6] History Rebuild for kernel-5.14.0-570.21.1.el9_6 & kernel-5.14.0-570.22.1.el9_6

Makefile.rhelver

@@ -12,7 +12,7 @@ RHEL_MINOR = 6
 #
 # Use this spot to avoid future merge conflicts.
 # Do not trim this comment.
-RHEL_RELEASE = 570.19.1
+RHEL_RELEASE = 570.22.1
 
 #
 # ZSTREAM

ciq/ciq_backports/kernel-5.14.0-570.21.1.el9_6/rebuild.details.txt

@@ -0,0 +1,18 @@
+Rebuild_History BUILDABLE
+Rebuilding Kernel from rpm changelog with Fuzz Limit: 87.50%
+Number of commits in upstream range v5.14~1..kernel-mainline: 309912
+Number of commits in rpm: 8
+Number of commits matched with upstream: 6 (75.00%)
+Number of commits in upstream but not in rpm: 309906
+Number of commits NOT found in upstream: 2 (25.00%)
+
+Rebuilding Kernel on Branch rocky9_6_rebuild_kernel-5.14.0-570.21.1.el9_6 for kernel-5.14.0-570.21.1.el9_6
+Clean Cherry Picks: 6 (100.00%)
+Empty Cherry Picks: 0 (0.00%)
+_______________________________
+
+__EMPTY COMMITS__________________________
+
+__CHANGES NOT IN UPSTREAM________________
+Porting to Rocky Linux 9, debranding and Rocky branding'
+Ensure aarch64 kernel is not compressed'

ciq/ciq_backports/kernel-5.14.0-570.22.1.el9_6/5a6ac3f4.failed

@@ -0,0 +1,110 @@
+media: v4l2-mediabus: Drop legacy V4L2_MBUS_CSI2_CHANNEL_* flags
+
+jira LE-3262
+Rebuild_History Non-Buildable kernel-5.14.0-570.22.1.el9_6
+commit-author Laurent Pinchart <[email protected]>
+commit 5a6ac3f4b46fd86d13e1d8ab4a55e4d89f3ab400
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-5.14.0-570.22.1.el9_6/5a6ac3f4.failed
+
+The V4L2_MBUS_CSI2_CHANNEL_* flags are a legacy API. Only
+V4L2_MBUS_CSI2_CHANNEL_0 is used, set in a single driver, and never
+read. Drop those flags. Virtual channel information should be conveyed
+through frame descriptors instead.
+
+	Signed-off-by: Laurent Pinchart <[email protected]>
+	Signed-off-by: Sakari Ailus <[email protected]>
+	Signed-off-by: Mauro Carvalho Chehab <[email protected]>
+(cherry picked from commit 5a6ac3f4b46fd86d13e1d8ab4a55e4d89f3ab400)
+	Signed-off-by: Jonathan Maple <[email protected]>
+
+# Conflicts:
+#	drivers/media/i2c/adv7180.c
+#	include/media/v4l2-mediabus.h
+diff --cc drivers/media/i2c/adv7180.c
+index 811619651329,3ff37a550810..000000000000
+--- a/drivers/media/i2c/adv7180.c
++++ b/drivers/media/i2c/adv7180.c
+@@@ -768,8 -784,8 +768,13 @@@ static int adv7180_get_mbus_config(stru
+
+  	if (state->chip_info->flags & ADV7180_FLAG_MIPI_CSI2) {
+  		cfg->type = V4L2_MBUS_CSI2_DPHY;
+++<<<<<<< HEAD
+ +		cfg->flags = V4L2_MBUS_CSI2_1_LANE |
+ +				V4L2_MBUS_CSI2_CHANNEL_0 |
+++=======
++ 		cfg->bus.mipi_csi2.num_data_lanes = 1;
++ 		cfg->bus.mipi_csi2.flags =
+++>>>>>>> 5a6ac3f4b46f (media: v4l2-mediabus: Drop legacy V4L2_MBUS_CSI2_CHANNEL_* flags)
+  				V4L2_MBUS_CSI2_CONTINUOUS_CLOCK;
+  	} else {
+  		/*
+diff --cc include/media/v4l2-mediabus.h
+index b77871485306,c6626a22b394..000000000000
+--- a/include/media/v4l2-mediabus.h
++++ b/include/media/v4l2-mediabus.h
+@@@ -76,10 -71,54 +71,61 @@@
+  #define V4L2_MBUS_CSI2_CONTINUOUS_CLOCK		BIT(8)
+  #define V4L2_MBUS_CSI2_NONCONTINUOUS_CLOCK	BIT(9)
+
+++<<<<<<< HEAD
+ +#define V4L2_MBUS_CSI2_CHANNELS		(V4L2_MBUS_CSI2_CHANNEL_0 | \
+ +					 V4L2_MBUS_CSI2_CHANNEL_1 | \
+ +					 V4L2_MBUS_CSI2_CHANNEL_2 | \
+ +					 V4L2_MBUS_CSI2_CHANNEL_3)
+++=======
++ #define V4L2_MBUS_CSI2_MAX_DATA_LANES		8
++ 
++ /**
++  * struct v4l2_mbus_config_mipi_csi2 - MIPI CSI-2 data bus configuration
++  * @flags: media bus (V4L2_MBUS_*) flags
++  * @data_lanes: an array of physical data lane indexes
++  * @clock_lane: physical lane index of the clock lane
++  * @num_data_lanes: number of data lanes
++  * @lane_polarities: polarity of the lanes. The order is the same of
++  *		   the physical lanes.
++  */
++ struct v4l2_mbus_config_mipi_csi2 {
++ 	unsigned int flags;
++ 	unsigned char data_lanes[V4L2_MBUS_CSI2_MAX_DATA_LANES];
++ 	unsigned char clock_lane;
++ 	unsigned char num_data_lanes;
++ 	bool lane_polarities[1 + V4L2_MBUS_CSI2_MAX_DATA_LANES];
++ };
++ 
++ /**
++  * struct v4l2_mbus_config_parallel - parallel data bus configuration
++  * @flags: media bus (V4L2_MBUS_*) flags
++  * @bus_width: bus width in bits
++  * @data_shift: data shift in bits
++  */
++ struct v4l2_mbus_config_parallel {
++ 	unsigned int flags;
++ 	unsigned char bus_width;
++ 	unsigned char data_shift;
++ };
++ 
++ /**
++  * struct v4l2_mbus_config_mipi_csi1 - CSI-1/CCP2 data bus configuration
++  * @clock_inv: polarity of clock/strobe signal
++  *	       false - not inverted, true - inverted
++  * @strobe: false - data/clock, true - data/strobe
++  * @lane_polarity: the polarities of the clock (index 0) and data lanes
++  *		   index (1)
++  * @data_lane: the number of the data lane
++  * @clock_lane: the number of the clock lane
++  */
++ struct v4l2_mbus_config_mipi_csi1 {
++ 	unsigned char clock_inv:1;
++ 	unsigned char strobe:1;
++ 	bool lane_polarity[2];
++ 	unsigned char data_lane;
++ 	unsigned char clock_lane;
++ };
+++>>>>>>> 5a6ac3f4b46f (media: v4l2-mediabus: Drop legacy V4L2_MBUS_CSI2_CHANNEL_* flags)
+
+  /**
+   * enum v4l2_mbus_type - media bus type
+* Unmerged path drivers/media/i2c/adv7180.c
+* Unmerged path include/media/v4l2-mediabus.h

ciq/ciq_backports/kernel-5.14.0-570.22.1.el9_6/654b33ad.failed

@@ -0,0 +1,193 @@
+proc: fix UAF in proc_get_inode()
+
+jira LE-3262
+cve CVE-2025-21999
+Rebuild_History Non-Buildable kernel-5.14.0-570.22.1.el9_6
+commit-author Ye Bin <[email protected]>
+commit 654b33ada4ab5e926cd9c570196fefa7bec7c1df
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-5.14.0-570.22.1.el9_6/654b33ad.failed
+
+Fix race between rmmod and /proc/XXX's inode instantiation.
+
+The bug is that pde->proc_ops don't belong to /proc, it belongs to a
+module, therefore dereferencing it after /proc entry has been registered
+is a bug unless use_pde/unuse_pde() pair has been used.
+
+use_pde/unuse_pde can be avoided (2 atomic ops!) because pde->proc_ops
+never changes so information necessary for inode instantiation can be
+saved _before_ proc_register() in PDE itself and used later, avoiding
+pde->proc_ops->...  dereference.
+
+      rmmod                         lookup
+sys_delete_module
+                         proc_lookup_de
+			   pde_get(de);
+			   proc_get_inode(dir->i_sb, de);
+  mod->exit()
+    proc_remove
+      remove_proc_subtree
+       proc_entry_rundown(de);
+  free_module(mod);
+
+                               if (S_ISREG(inode->i_mode))
+	                         if (de->proc_ops->proc_read_iter)
+                           --> As module is already freed, will trigger UAF
+
+BUG: unable to handle page fault for address: fffffbfff80a702b
+PGD 817fc4067 P4D 817fc4067 PUD 817fc0067 PMD 102ef4067 PTE 0
+Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI
+CPU: 26 UID: 0 PID: 2667 Comm: ls Tainted: G
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
+RIP: 0010:proc_get_inode+0x302/0x6e0
+RSP: 0018:ffff88811c837998 EFLAGS: 00010a06
+RAX: dffffc0000000000 RBX: ffffffffc0538140 RCX: 0000000000000007
+RDX: 1ffffffff80a702b RSI: 0000000000000001 RDI: ffffffffc0538158
+RBP: ffff8881299a6000 R08: 0000000067bbe1e5 R09: 1ffff11023906f20
+R10: ffffffffb560ca07 R11: ffffffffb2b43a58 R12: ffff888105bb78f0
+R13: ffff888100518048 R14: ffff8881299a6004 R15: 0000000000000001
+FS:  00007f95b9686840(0000) GS:ffff8883af100000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: fffffbfff80a702b CR3: 0000000117dd2000 CR4: 00000000000006f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ proc_lookup_de+0x11f/0x2e0
+ __lookup_slow+0x188/0x350
+ walk_component+0x2ab/0x4f0
+ path_lookupat+0x120/0x660
+ filename_lookup+0x1ce/0x560
+ vfs_statx+0xac/0x150
+ __do_sys_newstat+0x96/0x110
+ do_syscall_64+0x5f/0x170
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+[[email protected]: don't do 2 atomic ops on the common path]
+Link: https://lkml.kernel.org/r/3d25ded0-1739-447e-812b-e34da7990dcf@p183
+Fixes: 778f3dd5a13c ("Fix procfs compat_ioctl regression")
+	Signed-off-by: Ye Bin <[email protected]>
+	Signed-off-by: Alexey Dobriyan <[email protected]>
+	Cc: Al Viro <[email protected]>
+	Cc: David S. Miller <[email protected]>
+	Cc: <[email protected]>
+	Signed-off-by: Andrew Morton <[email protected]>
+(cherry picked from commit 654b33ada4ab5e926cd9c570196fefa7bec7c1df)
+	Signed-off-by: Jonathan Maple <[email protected]>
+
+# Conflicts:
+#	fs/proc/internal.h
+diff --cc fs/proc/internal.h
+index 92bb5d4ce5a3,77a517f91821..000000000000
+--- a/fs/proc/internal.h
++++ b/fs/proc/internal.h
+@@@ -79,6 -80,25 +79,28 @@@ static inline bool pde_is_permanent(con
+  	return pde->flags & PROC_ENTRY_PERMANENT;
+  }
+
+++<<<<<<< HEAD
+++=======
++ static inline void pde_make_permanent(struct proc_dir_entry *pde)
++ {
++ 	pde->flags |= PROC_ENTRY_PERMANENT;
++ }
++ 
++ static inline bool pde_has_proc_read_iter(const struct proc_dir_entry *pde)
++ {
++ 	return pde->flags & PROC_ENTRY_proc_read_iter;
++ }
++ 
++ static inline bool pde_has_proc_compat_ioctl(const struct proc_dir_entry *pde)
++ {
++ #ifdef CONFIG_COMPAT
++ 	return pde->flags & PROC_ENTRY_proc_compat_ioctl;
++ #else
++ 	return false;
++ #endif
++ }
++ 
+++>>>>>>> 654b33ada4ab (proc: fix UAF in proc_get_inode())
+  extern struct kmem_cache *proc_dir_entry_cache;
+  void pde_free(struct proc_dir_entry *pde);
+
+diff --git a/fs/proc/generic.c b/fs/proc/generic.c
+index 8379593fa4bb..1edf53be9bdb 100644
+--- a/fs/proc/generic.c
++++ b/fs/proc/generic.c
+@@ -558,10 +558,16 @@ struct proc_dir_entry *proc_create_reg(const char *name, umode_t mode,
+ 	return p;
+ }
+
+-static inline void pde_set_flags(struct proc_dir_entry *pde)
++static void pde_set_flags(struct proc_dir_entry *pde)
+ {
+ 	if (pde->proc_ops->proc_flags & PROC_ENTRY_PERMANENT)
+ 		pde->flags |= PROC_ENTRY_PERMANENT;
++	if (pde->proc_ops->proc_read_iter)
++		pde->flags |= PROC_ENTRY_proc_read_iter;
++#ifdef CONFIG_COMPAT
++	if (pde->proc_ops->proc_compat_ioctl)
++		pde->flags |= PROC_ENTRY_proc_compat_ioctl;
++#endif
+ }
+
+ struct proc_dir_entry *proc_create_data(const char *name, umode_t mode,
+@@ -625,6 +631,7 @@ struct proc_dir_entry *proc_create_seq_private(const char *name, umode_t mode,
+ 	p->proc_ops = &proc_seq_ops;
+ 	p->seq_ops = ops;
+ 	p->state_size = state_size;
++	pde_set_flags(p);
+ 	return proc_register(parent, p);
+ }
+ EXPORT_SYMBOL(proc_create_seq_private);
+@@ -655,6 +662,7 @@ struct proc_dir_entry *proc_create_single_data(const char *name, umode_t mode,
+ 		return NULL;
+ 	p->proc_ops = &proc_single_ops;
+ 	p->single_show = show;
++	pde_set_flags(p);
+ 	return proc_register(parent, p);
+ }
+ EXPORT_SYMBOL(proc_create_single_data);
+diff --git a/fs/proc/inode.c b/fs/proc/inode.c
+index e2174a8bf617..68d99cea93b2 100644
+--- a/fs/proc/inode.c
++++ b/fs/proc/inode.c
+@@ -674,13 +674,13 @@ struct inode *proc_get_inode(struct super_block *sb, struct proc_dir_entry *de)
+
+ 	if (S_ISREG(inode->i_mode)) {
+ 		inode->i_op = de->proc_iops;
+-		if (de->proc_ops->proc_read_iter)
++		if (pde_has_proc_read_iter(de))
+ 			inode->i_fop = &proc_iter_file_ops;
+ 		else
+ 			inode->i_fop = &proc_reg_file_ops;
+ #ifdef CONFIG_COMPAT
+-		if (de->proc_ops->proc_compat_ioctl) {
+-			if (de->proc_ops->proc_read_iter)
++		if (pde_has_proc_compat_ioctl(de)) {
++			if (pde_has_proc_read_iter(de))
+ 				inode->i_fop = &proc_iter_file_ops_compat;
+ 			else
+ 				inode->i_fop = &proc_reg_file_ops_compat;
+* Unmerged path fs/proc/internal.h
+diff --git a/include/linux/proc_fs.h b/include/linux/proc_fs.h
+index 12bf96916c8b..6f7b89b520d6 100644
+--- a/include/linux/proc_fs.h
++++ b/include/linux/proc_fs.h
+@@ -20,10 +20,13 @@ enum {
+ 	 * If in doubt, ignore this flag.
+ 	 */
+ #ifdef MODULE
+-	PROC_ENTRY_PERMANENT = 0U,
++	PROC_ENTRY_PERMANENT		= 0U,
+ #else
+-	PROC_ENTRY_PERMANENT = 1U << 0,
++	PROC_ENTRY_PERMANENT		= 1U << 0,
+ #endif
++
++	PROC_ENTRY_proc_read_iter	= 1U << 1,
++	PROC_ENTRY_proc_compat_ioctl	= 1U << 2,
+ };
+
+ struct proc_ops {