[rocky10_1] History Rebuild to kernel-6.12.0-124.21.1.el10_1

Makefile.rhelver

@@ -12,7 +12,7 @@ RHEL_MINOR = 1
 #
 # Use this spot to avoid future merge conflicts.
 # Do not trim this comment.
-RHEL_RELEASE = 124.20.1
+RHEL_RELEASE = 124.21.1
 
 #
 # RHEL_REBASE_NUM

ciq/ciq_backports/kernel-6.12.0-124.21.1.el10_1/c28f922c.failed

@@ -0,0 +1,89 @@
+clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns
+
+jira KERNEL-386
+cve CVE-2025-38499
+Rebuild_History Non-Buildable kernel-6.12.0-124.21.1.el10_1
+Rebuild_CHGLOG: - CVE-2025-38499 kernel: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (Abhi Das) [RHEL-129282] {CVE-2025-38499}
+Rebuild_FUZZ: 87.43%
+commit-author Al Viro <viro@zeniv.linux.org.uk>
+commit c28f922c9dcee0e4876a2c095939d77fe7e15116
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-6.12.0-124.21.1.el10_1/c28f922c.failed
+
+What we want is to verify there is that clone won't expose something
+hidden by a mount we wouldn't be able to undo.  "Wouldn't be able to undo"
+may be a result of MNT_LOCKED on a child, but it may also come from
+lacking admin rights in the userns of the namespace mount belongs to.
+
+clone_private_mnt() checks the former, but not the latter.
+
+There's a number of rather confusing CAP_SYS_ADMIN checks in various
+userns during the mount, especially with the new mount API; they serve
+different purposes and in case of clone_private_mnt() they usually,
+but not always end up covering the missing check mentioned above.
+
+	Reviewed-by: Christian Brauner <brauner@kernel.org>
+	Reported-by: "Orlando, Noah" <Noah.Orlando@deshaw.com>
+Fixes: 427215d85e8d ("ovl: prevent private clone if bind mount is not allowed")
+	Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+(cherry picked from commit c28f922c9dcee0e4876a2c095939d77fe7e15116)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	fs/namespace.c
+diff --cc fs/namespace.c
+index da767032a0a1,1c54c16c7bab..000000000000
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@@ -2254,21 -2488,37 +2254,33 @@@ struct vfsmount *clone_private_mount(co
+  	struct mount *old_mnt = real_mount(path->mnt);
+  	struct mount *new_mnt;
+
+ -	guard(rwsem_read)(&namespace_sem);
+ -
+ +	down_read(&namespace_sem);
+  	if (IS_MNT_UNBINDABLE(old_mnt))
+ -		return ERR_PTR(-EINVAL);
+ +		goto invalid;
+
+ -	/*
+ -	 * Make sure the source mount is acceptable.
+ -	 * Anything mounted in our mount namespace is allowed.
+ -	 * Otherwise, it must be the root of an anonymous mount
+ -	 * namespace, and we need to make sure no namespace
+ -	 * loops get created.
+ -	 */
+ -	if (!check_mnt(old_mnt)) {
+ -		if (!is_mounted(&old_mnt->mnt) ||
+ -			!is_anon_ns(old_mnt->mnt_ns) ||
+ -			mnt_has_parent(old_mnt))
+ -			return ERR_PTR(-EINVAL);
+ +	if (!check_mnt(old_mnt))
+ +		goto invalid;
+
+++<<<<<<< HEAD
+ +	if (has_locked_children(old_mnt, path->dentry))
+ +		goto invalid;
+++=======
++ 		if (!check_for_nsfs_mounts(old_mnt))
++ 			return ERR_PTR(-EINVAL);
++ 	}
++ 
++         if (!ns_capable(old_mnt->mnt_ns->user_ns, CAP_SYS_ADMIN))
++ 		return ERR_PTR(-EPERM);
++ 
++ 	if (__has_locked_children(old_mnt, path->dentry))
++ 		return ERR_PTR(-EINVAL);
+++>>>>>>> c28f922c9dce (clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns)
+
+  	new_mnt = clone_mnt(old_mnt, path->dentry, CL_PRIVATE);
+ +	up_read(&namespace_sem);
+ +
+  	if (IS_ERR(new_mnt))
+ -		return ERR_PTR(-EINVAL);
+ +		return ERR_CAST(new_mnt);
+
+  	/* Longterm mount to be removed by kern_unmount*() */
+  	new_mnt->mnt_ns = MNT_NS_INTERNAL;
+* Unmerged path fs/namespace.c

ciq/ciq_backports/kernel-6.12.0-124.21.1.el10_1/rebuild.details.txt

@@ -0,0 +1,20 @@
+Rebuild_History BUILDABLE
+Rebuilding Kernel from rpm changelog with Fuzz Limit: 87.50%
+Number of commits in upstream range v6.12~1..kernel-mainline: 79692
+Number of commits in rpm: 5
+Number of commits matched with upstream: 2 (40.00%)
+Number of commits in upstream but not in rpm: 79690
+Number of commits NOT found in upstream: 3 (60.00%)
+
+Rebuilding Kernel on Branch rocky10_1_rebuild_kernel-6.12.0-124.21.1.el10_1 for kernel-6.12.0-124.21.1.el10_1
+Clean Cherry Picks: 1 (50.00%)
+Empty Cherry Picks: 1 (50.00%)
+_______________________________
+
+__EMPTY COMMITS__________________________
+c28f922c9dcee0e4876a2c095939d77fe7e15116 clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns
+
+__CHANGES NOT IN UPSTREAM________________
+Porting to Rocky Linux 10, debranding and Rocky Linux branding'
+Add partial riscv64 support for build root'
+Provide basic VisionFive 2 support'

configs/kernel-6.12.0-aarch64-64k-debug.config

@@ -12,8 +12,8 @@ CONFIG_AS_VERSION=25000
 CONFIG_LD_IS_BFD=y
 CONFIG_LD_VERSION=25000
 CONFIG_LLD_VERSION=0
-CONFIG_RUSTC_VERSION=0
-CONFIG_RUSTC_LLVM_VERSION=0
+CONFIG_RUSTC_VERSION=107600
+CONFIG_RUSTC_LLVM_VERSION=170006
 CONFIG_CC_CAN_LINK=y
 CONFIG_CC_CAN_LINK_STATIC=y
 CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y

configs/kernel-6.12.0-aarch64-64k.config

@@ -12,8 +12,8 @@ CONFIG_AS_VERSION=25000
 CONFIG_LD_IS_BFD=y
 CONFIG_LD_VERSION=25000
 CONFIG_LLD_VERSION=0
-CONFIG_RUSTC_VERSION=0
-CONFIG_RUSTC_LLVM_VERSION=0
+CONFIG_RUSTC_VERSION=107600
+CONFIG_RUSTC_LLVM_VERSION=170006
 CONFIG_CC_CAN_LINK=y
 CONFIG_CC_CAN_LINK_STATIC=y
 CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y

configs/kernel-6.12.0-aarch64-debug.config

@@ -12,8 +12,8 @@ CONFIG_AS_VERSION=25000
 CONFIG_LD_IS_BFD=y
 CONFIG_LD_VERSION=25000
 CONFIG_LLD_VERSION=0
-CONFIG_RUSTC_VERSION=0
-CONFIG_RUSTC_LLVM_VERSION=0
+CONFIG_RUSTC_VERSION=107600
+CONFIG_RUSTC_LLVM_VERSION=170006
 CONFIG_CC_CAN_LINK=y
 CONFIG_CC_CAN_LINK_STATIC=y
 CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y

configs/kernel-6.12.0-aarch64-rt-64k-debug.config

@@ -12,8 +12,8 @@ CONFIG_AS_VERSION=25000
 CONFIG_LD_IS_BFD=y
 CONFIG_LD_VERSION=25000
 CONFIG_LLD_VERSION=0
-CONFIG_RUSTC_VERSION=0
-CONFIG_RUSTC_LLVM_VERSION=0
+CONFIG_RUSTC_VERSION=107600
+CONFIG_RUSTC_LLVM_VERSION=170006
 CONFIG_CC_CAN_LINK=y
 CONFIG_CC_CAN_LINK_STATIC=y
 CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y

configs/kernel-6.12.0-aarch64-rt-64k.config

@@ -12,8 +12,8 @@ CONFIG_AS_VERSION=25000
 CONFIG_LD_IS_BFD=y
 CONFIG_LD_VERSION=25000
 CONFIG_LLD_VERSION=0
-CONFIG_RUSTC_VERSION=0
-CONFIG_RUSTC_LLVM_VERSION=0
+CONFIG_RUSTC_VERSION=107600
+CONFIG_RUSTC_LLVM_VERSION=170006
 CONFIG_CC_CAN_LINK=y
 CONFIG_CC_CAN_LINK_STATIC=y
 CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y

configs/kernel-6.12.0-aarch64-rt-debug.config

@@ -12,8 +12,8 @@ CONFIG_AS_VERSION=25000
 CONFIG_LD_IS_BFD=y
 CONFIG_LD_VERSION=25000
 CONFIG_LLD_VERSION=0
-CONFIG_RUSTC_VERSION=0
-CONFIG_RUSTC_LLVM_VERSION=0
+CONFIG_RUSTC_VERSION=107600
+CONFIG_RUSTC_LLVM_VERSION=170006
 CONFIG_CC_CAN_LINK=y
 CONFIG_CC_CAN_LINK_STATIC=y
 CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y

configs/kernel-6.12.0-aarch64-rt.config

@@ -12,8 +12,8 @@ CONFIG_AS_VERSION=25000
 CONFIG_LD_IS_BFD=y
 CONFIG_LD_VERSION=25000
 CONFIG_LLD_VERSION=0
-CONFIG_RUSTC_VERSION=0
-CONFIG_RUSTC_LLVM_VERSION=0
+CONFIG_RUSTC_VERSION=107600
+CONFIG_RUSTC_LLVM_VERSION=170006
 CONFIG_CC_CAN_LINK=y
 CONFIG_CC_CAN_LINK_STATIC=y
 CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y

configs/kernel-6.12.0-aarch64.config

@@ -12,8 +12,8 @@ CONFIG_AS_VERSION=25000
 CONFIG_LD_IS_BFD=y
 CONFIG_LD_VERSION=25000
 CONFIG_LLD_VERSION=0
-CONFIG_RUSTC_VERSION=0
-CONFIG_RUSTC_LLVM_VERSION=0
+CONFIG_RUSTC_VERSION=107600
+CONFIG_RUSTC_LLVM_VERSION=170006
 CONFIG_CC_CAN_LINK=y
 CONFIG_CC_CAN_LINK_STATIC=y
 CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y

configs/kernel-6.12.0-ppc64le-debug.config

@@ -12,8 +12,8 @@ CONFIG_AS_VERSION=25000
 CONFIG_LD_IS_BFD=y
 CONFIG_LD_VERSION=25000
 CONFIG_LLD_VERSION=0
-CONFIG_RUSTC_VERSION=0
-CONFIG_RUSTC_LLVM_VERSION=0
+CONFIG_RUSTC_VERSION=107600
+CONFIG_RUSTC_LLVM_VERSION=170006
 CONFIG_CC_CAN_LINK=y
 CONFIG_CC_CAN_LINK_STATIC=y
 CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y

configs/kernel-6.12.0-ppc64le.config

@@ -12,8 +12,8 @@ CONFIG_AS_VERSION=25000
 CONFIG_LD_IS_BFD=y
 CONFIG_LD_VERSION=25000
 CONFIG_LLD_VERSION=0
-CONFIG_RUSTC_VERSION=0
-CONFIG_RUSTC_LLVM_VERSION=0
+CONFIG_RUSTC_VERSION=107600
+CONFIG_RUSTC_LLVM_VERSION=170006
 CONFIG_CC_CAN_LINK=y
 CONFIG_CC_CAN_LINK_STATIC=y
 CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y

configs/kernel-6.12.0-riscv64-debug.config

@@ -12,8 +12,8 @@ CONFIG_AS_VERSION=25000
 CONFIG_LD_IS_BFD=y
 CONFIG_LD_VERSION=25000
 CONFIG_LLD_VERSION=0
-CONFIG_RUSTC_VERSION=0
-CONFIG_RUSTC_LLVM_VERSION=0
+CONFIG_RUSTC_VERSION=107600
+CONFIG_RUSTC_LLVM_VERSION=170006
 CONFIG_CC_CAN_LINK=y
 CONFIG_CC_CAN_LINK_STATIC=y
 CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y

configs/kernel-6.12.0-riscv64.config

@@ -12,8 +12,8 @@ CONFIG_AS_VERSION=25000
 CONFIG_LD_IS_BFD=y
 CONFIG_LD_VERSION=25000
 CONFIG_LLD_VERSION=0
-CONFIG_RUSTC_VERSION=0
-CONFIG_RUSTC_LLVM_VERSION=0
+CONFIG_RUSTC_VERSION=107600
+CONFIG_RUSTC_LLVM_VERSION=170006
 CONFIG_CC_CAN_LINK=y
 CONFIG_CC_CAN_LINK_STATIC=y
 CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y

configs/kernel-6.12.0-s390x-debug.config

@@ -12,8 +12,8 @@ CONFIG_AS_VERSION=25000
 CONFIG_LD_IS_BFD=y
 CONFIG_LD_VERSION=25000
 CONFIG_LLD_VERSION=0
-CONFIG_RUSTC_VERSION=0
-CONFIG_RUSTC_LLVM_VERSION=0
+CONFIG_RUSTC_VERSION=107600
+CONFIG_RUSTC_LLVM_VERSION=170006
 CONFIG_CC_CAN_LINK=y
 CONFIG_CC_CAN_LINK_STATIC=y
 CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y

configs/kernel-6.12.0-s390x-zfcpdump.config

@@ -12,8 +12,8 @@ CONFIG_AS_VERSION=25000
 CONFIG_LD_IS_BFD=y
 CONFIG_LD_VERSION=25000
 CONFIG_LLD_VERSION=0
-CONFIG_RUSTC_VERSION=0
-CONFIG_RUSTC_LLVM_VERSION=0
+CONFIG_RUSTC_VERSION=107600
+CONFIG_RUSTC_LLVM_VERSION=170006
 CONFIG_CC_CAN_LINK=y
 CONFIG_CC_CAN_LINK_STATIC=y
 CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y

configs/kernel-6.12.0-s390x.config

@@ -12,8 +12,8 @@ CONFIG_AS_VERSION=25000
 CONFIG_LD_IS_BFD=y
 CONFIG_LD_VERSION=25000
 CONFIG_LLD_VERSION=0
-CONFIG_RUSTC_VERSION=0
-CONFIG_RUSTC_LLVM_VERSION=0
+CONFIG_RUSTC_VERSION=107600
+CONFIG_RUSTC_LLVM_VERSION=170006
 CONFIG_CC_CAN_LINK=y
 CONFIG_CC_CAN_LINK_STATIC=y
 CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y

configs/kernel-6.12.0-x86_64-debug.config

@@ -12,8 +12,8 @@ CONFIG_AS_VERSION=25000
 CONFIG_LD_IS_BFD=y
 CONFIG_LD_VERSION=25000
 CONFIG_LLD_VERSION=0
-CONFIG_RUSTC_VERSION=0
-CONFIG_RUSTC_LLVM_VERSION=0
+CONFIG_RUSTC_VERSION=107600
+CONFIG_RUSTC_LLVM_VERSION=170006
 CONFIG_CC_CAN_LINK=y
 CONFIG_CC_CAN_LINK_STATIC=y
 CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y

configs/kernel-6.12.0-x86_64-rt-debug.config

@@ -12,8 +12,8 @@ CONFIG_AS_VERSION=25000
 CONFIG_LD_IS_BFD=y
 CONFIG_LD_VERSION=25000
 CONFIG_LLD_VERSION=0
-CONFIG_RUSTC_VERSION=0
-CONFIG_RUSTC_LLVM_VERSION=0
+CONFIG_RUSTC_VERSION=107600
+CONFIG_RUSTC_LLVM_VERSION=170006
 CONFIG_CC_CAN_LINK=y
 CONFIG_CC_CAN_LINK_STATIC=y
 CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y

configs/kernel-6.12.0-x86_64-rt.config

@@ -12,8 +12,8 @@ CONFIG_AS_VERSION=25000
 CONFIG_LD_IS_BFD=y
 CONFIG_LD_VERSION=25000
 CONFIG_LLD_VERSION=0
-CONFIG_RUSTC_VERSION=0
-CONFIG_RUSTC_LLVM_VERSION=0
+CONFIG_RUSTC_VERSION=107600
+CONFIG_RUSTC_LLVM_VERSION=170006
 CONFIG_CC_CAN_LINK=y
 CONFIG_CC_CAN_LINK_STATIC=y
 CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y

configs/kernel-6.12.0-x86_64.config

@@ -12,8 +12,8 @@ CONFIG_AS_VERSION=25000
 CONFIG_LD_IS_BFD=y
 CONFIG_LD_VERSION=25000
 CONFIG_LLD_VERSION=0
-CONFIG_RUSTC_VERSION=0
-CONFIG_RUSTC_LLVM_VERSION=0
+CONFIG_RUSTC_VERSION=107600
+CONFIG_RUSTC_LLVM_VERSION=170006
 CONFIG_CC_CAN_LINK=y
 CONFIG_CC_CAN_LINK_STATIC=y
 CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y

drivers/net/tun.c

@@ -1932,6 +1932,9 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
 				local_bh_enable();
 				goto unlock_frags;
 			}
+
+			if (frags && skb != tfile->napi.skb)
+				tfile->napi.skb = skb;
 		}
 		rcu_read_unlock();
 		local_bh_enable();

fs/namespace.c

@@ -2261,6 +2261,11 @@ struct vfsmount *clone_private_mount(const struct path *path)
 	if (!check_mnt(old_mnt))
 		goto invalid;
 
+	if (!ns_capable(old_mnt->mnt_ns->user_ns, CAP_SYS_ADMIN)) {
+		up_read(&namespace_sem);
+		return ERR_PTR(-EPERM);
+	}
+
 	if (has_locked_children(old_mnt, path->dentry))
 		goto invalid;
 

redhat/kernel.changelog-10.1

@@ -1,3 +1,8 @@
+* Thu Dec 04 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-124.21.1.el10_1]
+- CVE-2025-38499 kernel: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (Abhi Das) [RHEL-129282] {CVE-2025-38499}
+- net: tun: Update napi->skb after XDP process (CKI Backport Bot) [RHEL-122247] {CVE-2025-39984}
+Resolves: RHEL-122247, RHEL-129282
+
 * Tue Dec 02 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-124.20.1.el10_1]
 - iommu/vt-d: Disallow dirty tracking if incoherent page walk (CKI Backport Bot) [RHEL-125482] {CVE-2025-40058}
 - net/mlx5: fs, fix UAF in flow counter release (Michal Schmidt) [RHEL-124432] {CVE-2025-39979}

uki-addons.sbat

@@ -1,3 +1,3 @@
 sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
-kernel-uki-virt-addons.rhel,1,Red Hat,kernel-uki-virt-addons,6.12.0-124.20.1.el10_1.x86_64,mailto:secalert@redhat.com
-kernel-uki-virt-addons.rocky,1,RESF,kernel-uki-virt-addons,6.12.0-124.20.1.el10_1.x86_64,mailto:security@rockylinux.org
+kernel-uki-virt-addons.rhel,1,Red Hat,kernel-uki-virt-addons,6.12.0-124.21.1.el10_1.x86_64,mailto:secalert@redhat.com
+kernel-uki-virt-addons.rocky,1,RESF,kernel-uki-virt-addons,6.12.0-124.21.1.el10_1.x86_64,mailto:security@rockylinux.org

uki.sbat

@@ -1,3 +1,3 @@
 sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
-kernel-uki-virt.rhel,1,Red Hat,kernel-uki-virt,6.12.0-124.20.1.el10_1.x86_64,mailto:secalert@redhat.com
-kernel-uki-virt.rocky,1,RESF,kernel-uki-virt,6.12.0-124.20.1.el10_1.x86_64,mailto:security@rockylinux.org
+kernel-uki-virt.rhel,1,Red Hat,kernel-uki-virt,6.12.0-124.21.1.el10_1.x86_64,mailto:secalert@redhat.com
+kernel-uki-virt.rocky,1,RESF,kernel-uki-virt,6.12.0-124.21.1.el10_1.x86_64,mailto:security@rockylinux.org