[rocky8_10] History Rebuild through kernel-4.18.0-553.104.1.el8_10

Makefile.rhelver

@@ -12,7 +12,7 @@ RHEL_MINOR = 10
 #
 # Use this spot to avoid future merge conflicts.
 # Do not trim this comment.
-RHEL_RELEASE = 553.100.1
+RHEL_RELEASE = 553.104.1
 
 #
 # ZSTREAM

ciq/ciq_backports/kernel-4.18.0-553.104.1.el8_10/071d8012.failed

@@ -0,0 +1,82 @@
+ipv4: use RCU protection in ip_dst_mtu_maybe_forward()
+
+jira KERNEL-609
+Rebuild_History Non-Buildable kernel-4.18.0-553.104.1.el8_10
+commit-author Eric Dumazet <edumazet@google.com>
+commit 071d8012869b6af352acca346ade13e7be90a49f
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-4.18.0-553.104.1.el8_10/071d8012.failed
+
+ip_dst_mtu_maybe_forward() must use RCU protection to make
+sure the net structure it reads does not disappear.
+
+Fixes: f87c10a8aa1e8 ("ipv4: introduce ip_dst_mtu_maybe_forward and protect forwarding path against pmtu spoofing")
+	Signed-off-by: Eric Dumazet <edumazet@google.com>
+	Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Link: https://patch.msgid.link/20250205155120.1676781-4-edumazet@google.com
+	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+(cherry picked from commit 071d8012869b6af352acca346ade13e7be90a49f)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	include/net/ip.h
+diff --cc include/net/ip.h
+index 7b302d367b31,ba7b43447775..000000000000
+--- a/include/net/ip.h
++++ b/include/net/ip.h
+@@@ -394,14 -470,41 +394,48 @@@ static inline bool ip_sk_ignore_df(cons
+  static inline unsigned int ip_dst_mtu_maybe_forward(const struct dst_entry *dst,
+  						    bool forwarding)
+  {
+++<<<<<<< HEAD
+ +	struct net *net = dev_net(dst->dev);
+ +
+ +	if (net->ipv4.sysctl_ip_fwd_use_pmtu ||
+++=======
++ 	const struct rtable *rt = dst_rtable(dst);
++ 	unsigned int mtu, res;
++ 	struct net *net;
++ 
++ 	rcu_read_lock();
++ 
++ 	net = dev_net_rcu(dst->dev);
++ 	if (READ_ONCE(net->ipv4.sysctl_ip_fwd_use_pmtu) ||
+++>>>>>>> 071d8012869b (ipv4: use RCU protection in ip_dst_mtu_maybe_forward())
+  	    ip_mtu_locked(dst) ||
+ -	    !forwarding) {
+ -		mtu = rt->rt_pmtu;
+ -		if (mtu && time_before(jiffies, rt->dst.expires))
+ -			goto out;
+ -	}
+ +	    !forwarding)
+ +		return dst_mtu(dst);
+
+++<<<<<<< HEAD
+ +	return min(READ_ONCE(dst->dev->mtu), IP_MAX_MTU);
+++=======
++ 	/* 'forwarding = true' case should always honour route mtu */
++ 	mtu = dst_metric_raw(dst, RTAX_MTU);
++ 	if (mtu)
++ 		goto out;
++ 
++ 	mtu = READ_ONCE(dst->dev->mtu);
++ 
++ 	if (unlikely(ip_mtu_locked(dst))) {
++ 		if (rt->rt_uses_gateway && mtu > 576)
++ 			mtu = 576;
++ 	}
++ 
++ out:
++ 	mtu = min_t(unsigned int, mtu, IP_MAX_MTU);
++ 
++ 	res = mtu - lwtunnel_headroom(dst->lwtstate, mtu);
++ 
++ 	rcu_read_unlock();
++ 
++ 	return res;
+++>>>>>>> 071d8012869b (ipv4: use RCU protection in ip_dst_mtu_maybe_forward())
+  }
+
+  static inline unsigned int ip_skb_dst_mtu(struct sock *sk,
+* Unmerged path include/net/ip.h

ciq/ciq_backports/kernel-4.18.0-553.104.1.el8_10/11709573.failed

@@ -0,0 +1,166 @@
+ipv6: use RCU in ip6_output()
+
+jira KERNEL-609
+cve CVE-2025-40158
+Rebuild_History Non-Buildable kernel-4.18.0-553.104.1.el8_10
+commit-author Eric Dumazet <edumazet@google.com>
+commit 11709573cc4e48dc34c80fc7ab9ce5b159e29695
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-4.18.0-553.104.1.el8_10/11709573.failed
+
+Use RCU in ip6_output() in order to use dst_dev_rcu() to prevent
+possible UAF.
+
+We can remove rcu_read_lock()/rcu_read_unlock() pairs
+from ip6_finish_output2().
+
+Fixes: 4a6ce2b6f2ec ("net: introduce a new function dst_dev_put()")
+	Signed-off-by: Eric Dumazet <edumazet@google.com>
+	Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://patch.msgid.link/20250828195823.3958522-5-edumazet@google.com
+	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+(cherry picked from commit 11709573cc4e48dc34c80fc7ab9ce5b159e29695)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	net/ipv6/ip6_output.c
+diff --cc net/ipv6/ip6_output.c
+index f4f534042ec2,9d64c13bab5e..000000000000
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@@ -63,14 -60,27 +63,34 @@@
+  static int ip6_finish_output2(struct net *net, struct sock *sk, struct sk_buff *skb)
+  {
+  	struct dst_entry *dst = skb_dst(skb);
+++<<<<<<< HEAD
+ +	struct net_device *dev = dst->dev;
+ +	const struct in6_addr *nexthop;
+ +	struct neighbour *neigh;
+ +	int ret;
+ +
+ +	if (ipv6_addr_is_multicast(&ipv6_hdr(skb)->daddr)) {
+ +		struct inet6_dev *idev = ip6_dst_idev(skb_dst(skb));
+++=======
++ 	struct net_device *dev = dst_dev_rcu(dst);
++ 	struct inet6_dev *idev = ip6_dst_idev(dst);
++ 	unsigned int hh_len = LL_RESERVED_SPACE(dev);
++ 	const struct in6_addr *daddr, *nexthop;
++ 	struct ipv6hdr *hdr;
++ 	struct neighbour *neigh;
++ 	int ret;
++ 
++ 	/* Be paranoid, rather than too clever. */
++ 	if (unlikely(hh_len > skb_headroom(skb)) && dev->header_ops) {
++ 		/* idev stays alive because we hold rcu_read_lock(). */
++ 		skb = skb_expand_head(skb, hh_len);
++ 		if (!skb) {
++ 			IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS);
++ 			return -ENOMEM;
++ 		}
++ 	}
+++>>>>>>> 11709573cc4e (ipv6: use RCU in ip6_output())
+
+ -	hdr = ipv6_hdr(skb);
+ -	daddr = &hdr->daddr;
+ -	if (ipv6_addr_is_multicast(daddr)) {
+  		if (!(dev->flags & IFF_LOOPBACK) && sk_mc_loop(sk) &&
+  		    ((mroute6_is_socket(net, skb) &&
+  		     !(IP6CB(skb)->flags & IP6SKB_FORWARDED)) ||
+@@@ -111,22 -118,23 +131,42 @@@
+  			return res;
+  	}
+
+++<<<<<<< HEAD
+ +	rcu_read_lock_bh();
+ +	nexthop = rt6_nexthop((struct rt6_info *)dst, &ipv6_hdr(skb)->daddr);
+ +	neigh = __ipv6_neigh_lookup_noref(dst->dev, nexthop);
+ +	if (unlikely(!neigh))
+ +		neigh = __neigh_create(&nd_tbl, nexthop, dst->dev, false);
+ +	if (!IS_ERR(neigh)) {
+ +		sock_confirm_neigh(skb, neigh);
+ +		ret = neigh_output(neigh, skb);
+ +		rcu_read_unlock_bh();
+ +		return ret;
+ +	}
+ +	rcu_read_unlock_bh();
+ +
+ +	IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES);
+ +	kfree_skb_reason(skb, SKB_DROP_REASON_NEIGH_CREATEFAIL);
+ +	return -EINVAL;
+++=======
++ 	IP6_UPD_PO_STATS(net, idev, IPSTATS_MIB_OUT, skb->len);
++ 
++ 	nexthop = rt6_nexthop(dst_rt6_info(dst), daddr);
++ 	neigh = __ipv6_neigh_lookup_noref(dev, nexthop);
++ 
++ 	if (IS_ERR_OR_NULL(neigh)) {
++ 		if (unlikely(!neigh))
++ 			neigh = __neigh_create(&nd_tbl, nexthop, dev, false);
++ 		if (IS_ERR(neigh)) {
++ 			IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTNOROUTES);
++ 			kfree_skb_reason(skb, SKB_DROP_REASON_NEIGH_CREATEFAIL);
++ 			return -EINVAL;
++ 		}
++ 	}
++ 	sock_confirm_neigh(skb, neigh);
++ 	ret = neigh_output(neigh, skb, false);
++ 	return ret;
+++>>>>>>> 11709573cc4e (ipv6: use RCU in ip6_output())
+  }
+
+  static int
+@@@ -210,30 -226,38 +250,43 @@@ static int ip6_finish_output(struct ne
+
+  int ip6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
+  {
+++<<<<<<< HEAD
+ +	struct net_device *dev = skb_dst(skb)->dev, *indev = skb->dev;
+ +	struct inet6_dev *idev = ip6_dst_idev(skb_dst(skb));
+++=======
++ 	struct dst_entry *dst = skb_dst(skb);
++ 	struct net_device *dev, *indev = skb->dev;
++ 	struct inet6_dev *idev;
++ 	int ret;
+++>>>>>>> 11709573cc4e (ipv6: use RCU in ip6_output())
+
+  	skb->protocol = htons(ETH_P_IPV6);
++ 	rcu_read_lock();
++ 	dev = dst_dev_rcu(dst);
++ 	idev = ip6_dst_idev(dst);
+  	skb->dev = dev;
+
+ -	if (unlikely(!idev || READ_ONCE(idev->cnf.disable_ipv6))) {
+ +	if (unlikely(!idev || idev->cnf.disable_ipv6)) {
+  		IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS);
++ 		rcu_read_unlock();
+  		kfree_skb_reason(skb, SKB_DROP_REASON_IPV6DISABLED);
+  		return 0;
+  	}
+
+- 	return NF_HOOK_COND(NFPROTO_IPV6, NF_INET_POST_ROUTING,
+- 			    net, sk, skb, indev, dev,
+- 			    ip6_finish_output,
+- 			    !(IP6CB(skb)->flags & IP6SKB_REROUTED));
++ 	ret = NF_HOOK_COND(NFPROTO_IPV6, NF_INET_POST_ROUTING,
++ 			   net, sk, skb, indev, dev,
++ 			   ip6_finish_output,
++ 			   !(IP6CB(skb)->flags & IP6SKB_REROUTED));
++ 	rcu_read_unlock();
++ 	return ret;
+  }
+ -EXPORT_SYMBOL(ip6_output);
+
+ -bool ip6_autoflowlabel(struct net *net, const struct sock *sk)
+ +bool ip6_autoflowlabel(struct net *net, const struct ipv6_pinfo *np)
+  {
+ -	if (!inet6_test_bit(AUTOFLOWLABEL_SET, sk))
+ +	if (!np->autoflowlabel_set)
+  		return ip6_default_np_autolabel(net);
+ -	return inet6_test_bit(AUTOFLOWLABEL, sk);
+ +	else
+ +		return np->autoflowlabel;
+  }
+
+  /*
+* Unmerged path net/ipv6/ip6_output.c

ciq/ciq_backports/kernel-4.18.0-553.104.1.el8_10/13951219.failed

@@ -0,0 +1,104 @@
+ipv4: use RCU protection in __ip_rt_update_pmtu()
+
+jira KERNEL-609
+cve CVE-2025-21766
+Rebuild_History Non-Buildable kernel-4.18.0-553.104.1.el8_10
+commit-author Eric Dumazet <edumazet@google.com>
+commit 139512191bd06f1b496117c76372b2ce372c9a41
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-4.18.0-553.104.1.el8_10/13951219.failed
+
+__ip_rt_update_pmtu() must use RCU protection to make
+sure the net structure it reads does not disappear.
+
+Fixes: 2fbc6e89b2f1 ("ipv4: Update exception handling for multipath routes via same device")
+Fixes: 1de6b15a434c ("Namespaceify min_pmtu sysctl")
+	Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20250205155120.1676781-8-edumazet@google.com
+	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+(cherry picked from commit 139512191bd06f1b496117c76372b2ce372c9a41)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	net/ipv4/route.c
+diff --cc net/ipv4/route.c
+index 60932d85f568,753704f75b2c..000000000000
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@@ -1035,10 -1008,10 +1035,17 @@@ out:	kfree_skb_reason(skb, reason)
+  static void __ip_rt_update_pmtu(struct rtable *rt, struct flowi4 *fl4, u32 mtu)
+  {
+  	struct dst_entry *dst = &rt->dst;
+++<<<<<<< HEAD
+ +	struct net *net = dev_net(dst->dev);
+ +	u32 old_mtu = ipv4_mtu(dst);
+ +	struct fib_result res;
+ +	bool lock = false;
+++=======
++ 	struct fib_result res;
++ 	bool lock = false;
++ 	struct net *net;
++ 	u32 old_mtu;
+++>>>>>>> 139512191bd0 (ipv4: use RCU protection in __ip_rt_update_pmtu())
+
+  	if (ip_mtu_locked(dst))
+  		return;
+@@@ -1046,24 -1019,39 +1053,53 @@@
+  	if (old_mtu < mtu)
+  		return;
+
+++<<<<<<< HEAD
+ +	if (mtu < ip_rt_min_pmtu) {
+++=======
++ 	rcu_read_lock();
++ 	net = dev_net_rcu(dst->dev);
++ 	if (mtu < net->ipv4.ip_rt_min_pmtu) {
+++>>>>>>> 139512191bd0 (ipv4: use RCU protection in __ip_rt_update_pmtu())
+  		lock = true;
+ -		mtu = min(old_mtu, net->ipv4.ip_rt_min_pmtu);
+ +		mtu = min(old_mtu, ip_rt_min_pmtu);
+  	}
+
+  	if (rt->rt_pmtu == mtu && !lock &&
+++<<<<<<< HEAD
+ +	    time_before(jiffies, dst->expires - ip_rt_mtu_expires / 2))
+ +		return;
+++=======
++ 	    time_before(jiffies, dst->expires - net->ipv4.ip_rt_mtu_expires / 2))
++ 		goto out;
+++>>>>>>> 139512191bd0 (ipv4: use RCU protection in __ip_rt_update_pmtu())
+
+- 	rcu_read_lock();
+  	if (fib_lookup(net, fl4, &res, 0) == 0) {
+ -		struct fib_nh_common *nhc;
+ +		struct fib_nh *nh;
+
+  		fib_select_path(net, &res, fl4, NULL);
+++<<<<<<< HEAD
+ +		nh = &FIB_RES_NH(res);
+ +		update_or_create_fnhe(nh, fl4->daddr, 0, mtu, lock,
+ +				      jiffies + ip_rt_mtu_expires);
+++=======
++ #ifdef CONFIG_IP_ROUTE_MULTIPATH
++ 		if (fib_info_num_path(res.fi) > 1) {
++ 			int nhsel;
++ 
++ 			for (nhsel = 0; nhsel < fib_info_num_path(res.fi); nhsel++) {
++ 				nhc = fib_info_nhc(res.fi, nhsel);
++ 				update_or_create_fnhe(nhc, fl4->daddr, 0, mtu, lock,
++ 						      jiffies + net->ipv4.ip_rt_mtu_expires);
++ 			}
++ 			goto out;
++ 		}
++ #endif /* CONFIG_IP_ROUTE_MULTIPATH */
++ 		nhc = FIB_RES_NHC(res);
++ 		update_or_create_fnhe(nhc, fl4->daddr, 0, mtu, lock,
++ 				      jiffies + net->ipv4.ip_rt_mtu_expires);
+++>>>>>>> 139512191bd0 (ipv4: use RCU protection in __ip_rt_update_pmtu())
+  	}
++ out:
+  	rcu_read_unlock();
+  }
+
+* Unmerged path net/ipv4/route.c