[rocky10_2] History Rebuild through kernel-6.12.0-211.22.1.el10_2

Makefile.rhelver

@@ -12,7 +12,7 @@ RHEL_MINOR = 2
 #
 # Use this spot to avoid future merge conflicts.
 # Do not trim this comment.
-RHEL_RELEASE = 211.20.1
+RHEL_RELEASE = 211.22.1
 
 #
 # RHEL_REBASE_NUM

arch/arm64/Kconfig

@@ -219,6 +219,7 @@ config ARM64
 		if DYNAMIC_FTRACE_WITH_ARGS
 	select HAVE_SAMPLE_FTRACE_DIRECT
 	select HAVE_SAMPLE_FTRACE_DIRECT_MULTI
+	select HAVE_BUILDTIME_MCOUNT_SORT
 	select HAVE_EFFICIENT_UNALIGNED_ACCESS
 	select HAVE_GUP_FAST
 	select HAVE_FTRACE_MCOUNT_RECORD

arch/s390/pci/pci_event.c

@@ -187,7 +187,7 @@ static pci_ers_result_t zpci_event_attempt_error_recovery(struct pci_dev *pdev)
 	 * is unbound or probed and that userspace can't access its
 	 * configuration space while we perform recovery.
 	 */
-	pci_dev_lock(pdev);
+	device_lock(&pdev->dev);
 	if (pdev->error_state == pci_channel_io_perm_failure) {
 		ers_res = PCI_ERS_RESULT_DISCONNECT;
 		goto out_unlock;
@@ -254,7 +254,7 @@ static pci_ers_result_t zpci_event_attempt_error_recovery(struct pci_dev *pdev)
 	if (driver->err_handler->resume)
 		driver->err_handler->resume(pdev);
 out_unlock:
-	pci_dev_unlock(pdev);
+	device_unlock(&pdev->dev);
 	zpci_report_status(zdev, "recovery", status_str);
 
 	return ers_res;

ciq/ciq_backports/kernel-6.12.0-211.22.1.el10_2/24a9c589.failed

@@ -0,0 +1,28 @@
+lsm: rename/rework append_ordered_lsm() into lsm_order_append()
+
+jira KERNEL-1156
+cve CVE-2026-46054
+Rebuild_History Non-Buildable kernel-6.12.0-211.22.1.el10_2
+commit-author Paul Moore <paul@paul-moore.com>
+commit 24a9c58978ee368cbd796a03cb6e8ade6e0b6f5f
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-6.12.0-211.22.1.el10_2/24a9c589.failed
+
+Rename append_ordered_lsm() to lsm_order_append() to better match
+convention and do some rework.  The rework includes moving the
+LSM_FLAG_EXCLUSIVE logic from lsm_prepare() to lsm_order_append()
+in order to consolidate the individual LSM append/activation code,
+and adding logic to skip appending explicitly disabled LSMs to the
+active LSM list.
+
+	Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
+	Reviewed-by: John Johansen <john.johhansen@canonical.com>
+	Signed-off-by: Paul Moore <paul@paul-moore.com>
+(cherry picked from commit 24a9c58978ee368cbd796a03cb6e8ade6e0b6f5f)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	security/lsm_init.c
+* Unmerged path security/lsm_init.c
+* Unmerged path security/lsm_init.c

ciq/ciq_backports/kernel-6.12.0-211.22.1.el10_2/250898ca.failed

@@ -0,0 +1,109 @@
+lsm: rework lsm_active_cnt and lsm_idlist[]
+
+jira KERNEL-1156
+cve CVE-2026-46054
+Rebuild_History Non-Buildable kernel-6.12.0-211.22.1.el10_2
+commit-author Paul Moore <paul@paul-moore.com>
+commit 250898ca335f337bc032a9693dc0a30a1cb85825
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-6.12.0-211.22.1.el10_2/250898ca.failed
+
+Move the LSM active count and lsm_id list declarations out of a header
+that is visible across the kernel and into a header that is limited to
+the LSM framework.  This not only helps keep the include/linux headers
+smaller and cleaner, it helps prevent misuse of these variables.
+
+	Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
+	Reviewed-by: John Johansen <john.johhansen@canonical.com>
+	Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
+	Signed-off-by: Paul Moore <paul@paul-moore.com>
+(cherry picked from commit 250898ca335f337bc032a9693dc0a30a1cb85825)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	security/lsm.h
+#	security/lsm_init.c
+#	security/security.c
+diff --cc security/security.c
+index fb106d16f2ba,b4eec4f00730..000000000000
+--- a/security/security.c
++++ b/security/security.c
+@@@ -91,21 -73,32 +91,28 @@@ const char *const lockdown_reasons[LOCK
+  	[LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality",
+  };
+
+++<<<<<<< HEAD
+ +static struct kmem_cache *lsm_file_cache;
+ +static struct kmem_cache *lsm_inode_cache;
+++=======
++ unsigned int lsm_active_cnt __ro_after_init;
++ const struct lsm_id *lsm_idlist[MAX_LSM_COUNT];
++ 
++ struct lsm_blob_sizes blob_sizes;
+++>>>>>>> 250898ca335f (lsm: rework lsm_active_cnt and lsm_idlist[])
+
+ -struct kmem_cache *lsm_file_cache;
+ -struct kmem_cache *lsm_inode_cache;
+ +char *lsm_names;
+ +static struct lsm_blob_sizes blob_sizes __ro_after_init;
+
+ -#define SECURITY_HOOK_ACTIVE_KEY(HOOK, IDX) security_hook_active_##HOOK##_##IDX
+ +/* Boot-time LSM user choice */
+ +static __initdata const char *chosen_lsm_order;
+ +static __initdata const char *chosen_major_lsm;
+
+ -/*
+ - * Identifier for the LSM static calls.
+ - * HOOK is an LSM hook as defined in linux/lsm_hookdefs.h
+ - * IDX is the index of the static call. 0 <= NUM < MAX_LSM_COUNT
+ - */
+ -#define LSM_STATIC_CALL(HOOK, IDX) lsm_static_call_##HOOK##_##IDX
+ +static __initconst const char *const builtin_lsm_order = CONFIG_LSM;
+
+ -/*
+ - * Call the macro M for each LSM hook MAX_LSM_COUNT times.
+ - */
+ -#define LSM_LOOP_UNROLL(M, ...) 		\
+ -do {						\
+ -	UNROLL(MAX_LSM_COUNT, M, __VA_ARGS__)	\
+ -} while (0)
+ -
+ -#define LSM_DEFINE_UNROLL(M, ...) UNROLL(MAX_LSM_COUNT, M, __VA_ARGS__)
+ +/* Ordered list of LSMs to initialize. */
+ +static __initdata struct lsm_info *ordered_lsms[MAX_LSM_COUNT + 1];
+ +static __initdata struct lsm_info *exclusive;
+
+  #ifdef CONFIG_HAVE_STATIC_CALL
+  #define LSM_HOOK_TRAMP(NAME, NUM) \
+* Unmerged path security/lsm.h
+* Unmerged path security/lsm_init.c
+diff --git a/include/linux/security.h b/include/linux/security.h
+index 90b2a5a1b400..d884589ef37d 100644
+--- a/include/linux/security.h
++++ b/include/linux/security.h
+@@ -153,8 +153,6 @@ enum lockdown_reason {
+ };
+
+ extern const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1];
+-extern u32 lsm_active_cnt;
+-extern const struct lsm_id *lsm_idlist[];
+
+ /* These functions are in security/commoncap.c */
+ extern int cap_capable(const struct cred *cred, struct user_namespace *ns,
+* Unmerged path security/lsm.h
+* Unmerged path security/lsm_init.c
+diff --git a/security/lsm_syscalls.c b/security/lsm_syscalls.c
+index 8440948a690c..5648b1f0ce9c 100644
+--- a/security/lsm_syscalls.c
++++ b/security/lsm_syscalls.c
+@@ -17,6 +17,8 @@
+ #include <linux/lsm_hooks.h>
+ #include <uapi/linux/lsm.h>
+
++#include "lsm.h"
++
+ /**
+  * lsm_name_to_attr - map an LSM attribute name to its ID
+  * @name: name of the attribute
+* Unmerged path security/security.c

ciq/ciq_backports/kernel-6.12.0-211.22.1.el10_2/27be5600.failed

@@ -0,0 +1,27 @@
+lsm: cleanup initialize_lsm() and rename to lsm_init_single()
+
+jira KERNEL-1156
+cve CVE-2026-46054
+Rebuild_History Non-Buildable kernel-6.12.0-211.22.1.el10_2
+commit-author Paul Moore <paul@paul-moore.com>
+commit 27be5600fe852c52d5b70f4ac9406879b39c864e
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-6.12.0-211.22.1.el10_2/27be5600.failed
+
+Rename initialize_lsm() to be more consistent with the rest of the LSM
+initialization changes and rework the function itself to better fit
+with the "exit on fail" coding pattern.
+
+	Reviewed-by: Kees Cook <kees@kernel.org>
+	Reviewed-by: John Johansen <john.johansen@canonical.com>
+	Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
+	Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
+	Signed-off-by: Paul Moore <paul@paul-moore.com>
+(cherry picked from commit 27be5600fe852c52d5b70f4ac9406879b39c864e)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	security/lsm_init.c
+* Unmerged path security/lsm_init.c
+* Unmerged path security/lsm_init.c

ciq/ciq_backports/kernel-6.12.0-211.22.1.el10_2/291271e6.failed

@@ -0,0 +1,75 @@
+lsm: cleanup the LSM blob size code
+
+jira KERNEL-1156
+cve CVE-2026-46054
+Rebuild_History Non-Buildable kernel-6.12.0-211.22.1.el10_2
+commit-author Paul Moore <paul@paul-moore.com>
+commit 291271e691740003021cf5b48fa7cf7e3371eaa7
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-6.12.0-211.22.1.el10_2/291271e6.failed
+
+Convert the lsm_blob_size fields to unsigned integers as there is no
+current need for them to be negative, change "lsm_set_blob_size()" to
+"lsm_blob_size_update()" to better reflect reality, and perform some
+other minor cleanups to the associated code.
+
+	Reviewed-by: Kees Cook <kees@kernel.org>
+	Reviewed-by: John Johansen <john.johansen@canonical.com>
+	Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
+	Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
+	Signed-off-by: Paul Moore <paul@paul-moore.com>
+(cherry picked from commit 291271e691740003021cf5b48fa7cf7e3371eaa7)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	include/linux/lsm_hooks.h
+#	security/lsm_init.c
+diff --cc include/linux/lsm_hooks.h
+index 090d1d3e19fe,86e457aa8809..000000000000
+--- a/include/linux/lsm_hooks.h
++++ b/include/linux/lsm_hooks.h
+@@@ -102,20 -102,23 +102,40 @@@ struct security_hook_list 
+   * Security blob size or offset data.
+   */
+  struct lsm_blob_sizes {
+++<<<<<<< HEAD
+ +	int lbs_cred;
+ +	int lbs_file;
+ +	int lbs_ib;
+ +	int lbs_inode;
+ +	int lbs_sock;
+ +	int lbs_superblock;
+ +	int lbs_ipc;
+ +	int lbs_key;
+ +	int lbs_msg_msg;
+ +	int lbs_perf_event;
+ +	int lbs_task;
+ +	int lbs_xattr_count; /* number of xattr slots in new_xattrs array */
+ +	int lbs_tun_dev;
+ +	int lbs_bdev;
+++=======
++ 	unsigned int lbs_cred;
++ 	unsigned int lbs_file;
++ 	unsigned int lbs_ib;
++ 	unsigned int lbs_inode;
++ 	unsigned int lbs_sock;
++ 	unsigned int lbs_superblock;
++ 	unsigned int lbs_ipc;
++ 	unsigned int lbs_key;
++ 	unsigned int lbs_msg_msg;
++ 	unsigned int lbs_perf_event;
++ 	unsigned int lbs_task;
++ 	unsigned int lbs_xattr_count; /* num xattr slots in new_xattrs array */
++ 	unsigned int lbs_tun_dev;
++ 	unsigned int lbs_bdev;
++ 	unsigned int lbs_bpf_map;
++ 	unsigned int lbs_bpf_prog;
++ 	unsigned int lbs_bpf_token;
+++>>>>>>> 291271e69174 (lsm: cleanup the LSM blob size code)
+  };
+
+  /*
+* Unmerged path security/lsm_init.c
+* Unmerged path include/linux/lsm_hooks.h
+* Unmerged path security/lsm_init.c

ciq/ciq_backports/kernel-6.12.0-211.22.1.el10_2/2d671726.failed

@@ -0,0 +1,26 @@
+lsm: rework the LSM enable/disable setter/getter functions
+
+jira KERNEL-1156
+cve CVE-2026-46054
+Rebuild_History Non-Buildable kernel-6.12.0-211.22.1.el10_2
+commit-author Paul Moore <paul@paul-moore.com>
+commit 2d67172612fd9df2c4d08533515ef483cb526dd9
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-6.12.0-211.22.1.el10_2/2d671726.failed
+
+In addition to style changes, rename set_enabled() to lsm_enabled_set()
+and is_enabled() to lsm_is_enabled() to better fit within the LSM
+initialization code.
+
+	Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
+	Reviewed-by: John Johansen <john.johhansen@canonical.com>
+	Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
+	Signed-off-by: Paul Moore <paul@paul-moore.com>
+(cherry picked from commit 2d67172612fd9df2c4d08533515ef483cb526dd9)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	security/lsm_init.c
+* Unmerged path security/lsm_init.c
+* Unmerged path security/lsm_init.c

ciq/ciq_backports/kernel-6.12.0-211.22.1.el10_2/37f788f6.failed

@@ -0,0 +1,27 @@
+lsm: introduce looping macros for the initialization code
+
+jira KERNEL-1156
+cve CVE-2026-46054
+Rebuild_History Non-Buildable kernel-6.12.0-211.22.1.el10_2
+commit-author Paul Moore <paul@paul-moore.com>
+commit 37f788f65528611f4482e2135d11ca34afb25828
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-6.12.0-211.22.1.el10_2/37f788f6.failed
+
+There are three common for loop patterns in the LSM initialization code
+to loop through the ordered LSM list and the registered "early" LSMs.
+This patch implements these loop patterns as macros to help simplify the
+code and reduce the chance for errors.
+
+	Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
+	Reviewed-by: John Johansen <john.johhansen@canonical.com>
+	Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
+	Signed-off-by: Paul Moore <paul@paul-moore.com>
+(cherry picked from commit 37f788f65528611f4482e2135d11ca34afb25828)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	security/lsm_init.c
+* Unmerged path security/lsm_init.c
+* Unmerged path security/lsm_init.c

ciq/ciq_backports/kernel-6.12.0-211.22.1.el10_2/45070533.failed

@@ -0,0 +1,25 @@
+lsm: add/tweak function header comment blocks in lsm_init.c
+
+jira KERNEL-1156
+cve CVE-2026-46054
+Rebuild_History Non-Buildable kernel-6.12.0-211.22.1.el10_2
+commit-author Paul Moore <paul@paul-moore.com>
+commit 450705334f698990804b470437f3014cee979486
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-6.12.0-211.22.1.el10_2/45070533.failed
+
+Add function header comments for lsm_static_call_init() and
+early_security_init(), tweak the existing comment block for
+security_add_hooks().
+
+	Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
+	Reviewed-by: John Johansen <john.johhansen@canonical.com>
+	Signed-off-by: Paul Moore <paul@paul-moore.com>
+(cherry picked from commit 450705334f698990804b470437f3014cee979486)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	security/lsm_init.c
+* Unmerged path security/lsm_init.c
+* Unmerged path security/lsm_init.c

ciq/ciq_backports/kernel-6.12.0-211.22.1.el10_2/45a41d13.failed

@@ -0,0 +1,25 @@
+lsm: fold lsm_init_ordered() into security_init()
+
+jira KERNEL-1156
+cve CVE-2026-46054
+Rebuild_History Non-Buildable kernel-6.12.0-211.22.1.el10_2
+commit-author Paul Moore <paul@paul-moore.com>
+commit 45a41d1394aa2ed0305f0560f93bb87be7192481
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-6.12.0-211.22.1.el10_2/45a41d13.failed
+
+With only security_init() calling lsm_init_ordered, it makes little
+sense to keep lsm_init_ordered() as a standalone function.  Fold
+lsm_init_ordered() into security_init().
+
+	Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
+	Reviewed-by: John Johansen <john.johhansen@canonical.com>
+	Signed-off-by: Paul Moore <paul@paul-moore.com>
+(cherry picked from commit 45a41d1394aa2ed0305f0560f93bb87be7192481)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	security/lsm_init.c
+* Unmerged path security/lsm_init.c
+* Unmerged path security/lsm_init.c