[rocky8_10] History Rebuild through kernel-4.18.0-553.105.1.el8_10 #901

Open

PlaidCat wants to merge 21 commits into rocky8_10 from rocky8_10_rebuild

@PlaidCat PlaidCat commented Feb 20, 2026

This is an automated kernel history rebuild using cron and internal tooling. It follows the same process used for previous history rebuilds:

  • Download all unprocessed src.rpm packages
  • For each src.rpm:
    • Identify all commits in the changelog up to the last known tag (4.18.0-553)
    • Replay commits in chronological order (oldest to newest in the changelog) using git cherry-pick
    • Replace the code in the branch with the output of rpmbuild -bp for the corresponding src.rpm
    • Tag the rebuild branch

JIRA Tickets

Rebuild Splat Inspection

kernel-4.18.0-553.105.1.el8_10

$ cat ciq/ciq_backports/kernel-4.18.0-553.105.1.el8_10/rebuild.details.txt
Rebuild_History BUILDABLE
Rebuilding Kernel from rpm changelog with Fuzz Limit: 87.50%
Number of commits in upstream range v4.18~1..kernel-mainline: 594898
Number of commits in rpm: 26
Number of commits matched with upstream: 20 (76.92%)
Number of commits in upstream but not in rpm: 594878
Number of commits NOT found in upstream: 6 (23.08%)

Rebuilding Kernel on Branch rocky8_10_rebuild_kernel-4.18.0-553.105.1.el8_10 for kernel-4.18.0-553.105.1.el8_10
Clean Cherry Picks: 15 (75.00%)
Empty Cherry Picks: 5 (25.00%)
_______________________________

__EMPTY COMMITS__________________________
1a942de092c0b96216864fedcb4d8822ce3fc12e Bluetooth: Move hci_abort_conn to hci_conn.c
b62e72200eaad523f08d8319bba50fc652e032a8 Bluetooth: Fix printing errors if LE Connection times out
a13f316e90fdb1fb6df6582e845aa9b3270f3581 Bluetooth: hci_conn: Consolidate code for aborting connections
5af1f84ed13a416297ab9ced7537f4d5ae7f329a Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync
94d9ba9f9888b748d4abd2aa1547af56ae85f772 Bluetooth: hci_sync: Fix UAF in hci_disconnect_all_sync

__CHANGES NOT IN UPSTREAM________________
Adding prod certs and changed cert date to 20210620
Adding Rocky secure boot certs
Fixing vmlinuz removal
Fixing UEFI CA path
Porting to 8.10, debranding and Rocky branding
Fixing pesign_key_name values

BUILD

$ grep -E -B 5 -A 5 "\[TIMER\]|^Starting Build" $(ls -t kbuild* | head -n1)
/mnt/code/kernel-src-tree-build
Running make mrproper...
  CLEAN   scripts/basic
  CLEAN   scripts/kconfig
[TIMER]{MRPROPER}: 5s
x86_64 architecture detected, copying config
'configs/kernel-x86_64.config' -> '.config'
Setting Local Version for build
CONFIG_LOCALVERSION="-rocky8_10_rebuild-e91c91081883"
Making olddefconfig
--
  HOSTLD  scripts/kconfig/conf
scripts/kconfig/conf  --olddefconfig Kconfig
#
# configuration written to .config
#
Starting Build
scripts/kconfig/conf  --syncconfig Kconfig
  SYSTBL  arch/x86/include/generated/asm/syscalls_32.h
  SYSHDR  arch/x86/include/generated/asm/unistd_32_ia32.h
  SYSHDR  arch/x86/include/generated/asm/unistd_64_x32.h
  SYSTBL  arch/x86/include/generated/asm/syscalls_64.h
--
  LD [M]  sound/usb/usx2y/snd-usb-usx2y.ko
  LD [M]  sound/virtio/virtio_snd.ko
  LD [M]  sound/x86/snd-hdmi-lpe-audio.ko
  LD [M]  sound/xen/snd_xen_front.ko
  LD [M]  virt/lib/irqbypass.ko
[TIMER]{BUILD}: 1488s
Making Modules
  INSTALL arch/x86/crypto/blowfish-x86_64.ko
  INSTALL arch/x86/crypto/camellia-aesni-avx-x86_64.ko
  INSTALL arch/x86/crypto/camellia-aesni-avx2.ko
  INSTALL arch/x86/crypto/camellia-x86_64.ko
--
  INSTALL sound/virtio/virtio_snd.ko
  INSTALL sound/x86/snd-hdmi-lpe-audio.ko
  INSTALL sound/xen/snd_xen_front.ko
  INSTALL virt/lib/irqbypass.ko
  DEPMOD  4.18.0-rocky8_10_rebuild-e91c91081883+
[TIMER]{MODULES}: 13s
Making Install
sh ./arch/x86/boot/install.sh 4.18.0-rocky8_10_rebuild-e91c91081883+ arch/x86/boot/bzImage \
	System.map "/boot"
[TIMER]{INSTALL}: 21s
Checking kABI
kABI check passed
Setting Default Kernel to /boot/vmlinuz-4.18.0-rocky8_10_rebuild-e91c91081883+ and Index to 0
Hopefully Grub2.0 took everything ... rebooting after time metrices
[TIMER]{MRPROPER}: 5s
[TIMER]{BUILD}: 1488s
[TIMER]{MODULES}: 13s
[TIMER]{INSTALL}: 21s
[TIMER]{TOTAL} 1532s
Rebooting in 10 seconds

KSelfTests

$ get_kselftest_diff.sh
ls: cannot access 'selftest-*': No such file or directory
kselftest.4.18.0-rocky8_10_rebuild-6bb44a4d2944+.log
207
kselftest.4.18.0-jmaple_rlc-8_4.18.0-553.100.1.el8_10-23296d1f787c+-1.log
259
kselftest.4.18.0-jmaple_rlc-8_4.18.0-553.104.1.el8_10-11d1dd1201c6+-1.log
259
kselftest.4.18.0-rocky8_10_rebuild-e91c91081883+.log
207
Before: kselftest.4.18.0-jmaple_rlc-8_4.18.0-553.104.1.el8_10-11d1dd1201c6+-1.log
After: kselftest.4.18.0-rocky8_10_rebuild-e91c91081883+.log
Diff:
-ok 10 selftests: net: netdevice.sh
+ok 10 selftests: net: netdevice.sh # SKIP
-ok 10 selftests: x86: test_vdso_64
-ok 11 selftests: x86: test_vsyscall_64
-ok 12 selftests: net: xfrm_policy.sh
-ok 12 selftests: x86: mov_ss_trap_64
+ok 12 selftests: net: xfrm_policy.sh # SKIP
-ok 13 selftests: net: fib_tests.sh
+ok 13 selftests: net: fib_tests.sh # SKIP
-ok 13 selftests: x86: fsgsbase_restore_64
-ok 14 selftests: net: fib-onlink-tests.sh
-ok 14 selftests: x86: sigaltstack_64
-ok 15 selftests: net: pmtu.sh
-ok 15 selftests: x86: fsgsbase_64
-ok 16 selftests: net: udpgso.sh
-ok 16 selftests: x86: sysret_rip_64
-ok 17 selftests: net: ip_defrag.sh
-ok 17 selftests: x86: corrupt_xstate_header_64
-ok 18 selftests: net: udpgso_bench.sh # SKIP
+ok 19 selftests: net: fib_rule_tests.sh # SKIP
-ok 1 selftests: capabilities: test_execve
-ok 1 selftests: cpu-hotplug: cpu-on-off-test.sh
+ok 1 selftests: cpufreq: main.sh # SKIP
+ok 1 selftests: cpu-hotplug: cpu-on-off-test.sh # SKIP
-ok 1 selftests: intel_pstate: run.sh
-ok 1 selftests: ipc: msgque
+ok 1 selftests: intel_pstate: run.sh # SKIP
+ok 1 selftests: ipc: msgque # SKIP
-ok 1 selftests: livepatch: test-livepatch.sh
+ok 1 selftests: livepatch: test-livepatch.sh # SKIP
-ok 1 selftests: memory-hotplug: mem-on-off-test.sh
-ok 1 selftests: mm: run_vmtests.sh # SKIP
+ok 1 selftests: memory-hotplug: mem-on-off-test.sh # SKIP
-ok 1 selftests: mqueue: mq_open_tests
-ok 1 selftests: netfilter: nft_trans_stress.sh
-ok 1 selftests: net: reuseport_bpf
-ok 1 selftests: size: get_size
-ok 1 selftests: tc-testing: tdc.sh
-ok 1 selftests: timens: timens
+ok 1 selftests: timens: timens # SKIP
-ok 1 selftests: x86: single_step_syscall_64
-ok 1 selftests: zram: zram.sh
+ok 1 selftests: zram: zram.sh # SKIP
-ok 21 selftests: net: psock_snd.sh
-ok 22 selftests: net: udpgro_bench.sh
-ok 23 selftests: net: udpgro.sh
-ok 25 selftests: net: test_vxlan_fdb_changelink.sh
-ok 27 selftests: net: ipv6_flowlabel.sh
+ok 28 selftests: net: fcnal-test.sh # SKIP
-ok 29 selftests: net: l2tp.sh
-ok 2 selftests: fpu: run_test_fpu.sh # SKIP
-ok 2 selftests: livepatch: test-callbacks.sh
+ok 2 selftests: livepatch: test-callbacks.sh # SKIP
-ok 2 selftests: memfd: run_fuse_test.sh
-ok 2 selftests: mqueue: mq_perf_tests
-ok 2 selftests: netfilter: nft_nat.sh
-ok 2 selftests: timens: timerfd
+ok 2 selftests: timens: timerfd # SKIP
-ok 2 selftests: x86: sysret_ss_attrs_64
-ok 31 selftests: net: icmp_redirect.sh
-ok 34 selftests: net: vrf-xfrm-tests.sh
-ok 35 selftests: net: rxtimestamp.sh
-ok 38 selftests: net: bareudp.sh
+ok 38 selftests: net: bareudp.sh # SKIP
-ok 39 selftests: net: udpgro_fwd.sh
-ok 3 selftests: lib: prime_numbers.sh
-ok 3 selftests: livepatch: test-shadow-vars.sh
-ok 3 selftests: memfd: run_hugetlbfs_test.sh
-ok 3 selftests: netfilter: conntrack_icmp_related.sh
+ok 3 selftests: lib: prime_numbers.sh # SKIP
+ok 3 selftests: livepatch: test-shadow-vars.sh # SKIP
+ok 3 selftests: memfd: run_hugetlbfs_test.sh # SKIP
-ok 3 selftests: net: reuseport_bpf_numa
-ok 3 selftests: timens: timer
-ok 3 selftests: x86: syscall_nt_64
+ok 3 selftests: timens: timer # SKIP
-ok 40 selftests: net: veth.sh
-ok 41 selftests: net: gro.sh
-ok 42 selftests: net: gre_gso.sh
+ok 42 selftests: net: gre_gso.sh # SKIP
-ok 43 selftests: net: rps_default_mask.sh
-ok 4 selftests: livepatch: test-state.sh
+ok 4 selftests: livepatch: test-state.sh # SKIP
-ok 4 selftests: timens: clock_nanosleep
-ok 4 selftests: x86: test_mremap_vdso_64
+ok 4 selftests: timens: clock_nanosleep # SKIP
-ok 5 selftests: livepatch: test-ftrace.sh
-ok 5 selftests: netfilter: ipvs.sh
+ok 5 selftests: livepatch: test-ftrace.sh # SKIP
-ok 5 selftests: timens: procfs
+ok 5 selftests: timens: procfs # SKIP
-ok 5 selftests: x86: check_initial_reg_state_64
-ok 6 selftests: netfilter: nft_queue.sh
-ok 6 selftests: timens: exec
-ok 6 selftests: x86: sigreturn_64
+ok 6 selftests: timens: exec # SKIP
-ok 7 selftests: netfilter: nft_meta.sh
-ok 7 selftests: timens: vfork_exec
-ok 7 selftests: x86: iopl_64
+ok 7 selftests: timens: vfork_exec # SKIP
-ok 8 selftests: netfilter: conntrack_tcp_unreplied.sh
-ok 8 selftests: net: run_afpackettests
+ok 8 selftests: net: run_afpackettests # SKIP
-ok 8 selftests: x86: mpx-mini-test_64
-ok 9 selftests: netfilter: rpath.sh
-ok 9 selftests: net: test_bpf.sh
-ok 9 selftests: timers: rtcpie
-ok 9 selftests: x86: ioperm_64
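Review bot: this kselftest diff is not a like-for-like comparison and should not be read as a clean result yet: the After log (kselftest.4.18.0-rocky8_10_rebuild-e91c91081883+.log) has 207 lines against 259 in the 553.104.1 baseline, and whole collections (x86, netfilter, capabilities, mqueue, timers, size, tc-testing, several net scripts) appear only as "-ok" lines with no "+" counterpart, while others flip from "ok" to "ok ... # SKIP". That pattern points to selftest binaries or scripts missing on the rebuild host rather than a kernel regression, and the "ls: cannot access 'selftest-*'" error from get_kselftest_diff.sh suggests the same environment gap. Suggest rerunning the selftests on the rebuild kernel with the same selftest tree and host setup used for the 553.104.1 log before signing off on the diff.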

jira KERNEL-647
cve CVE-2025-40168
Rebuild_History Non-Buildable kernel-4.18.0-553.105.1.el8_10
commit-author Kuniyuki Iwashima <kuniyu@google.com>
commit 235f810

smc_clc_prfx_match() is called from smc_listen_work() and
not under RCU nor RTNL.

Using sk_dst_get(sk)->dev could trigger UAF.

Let's use __sk_dst_get() and dst_dev_rcu().

Note that the returned value of smc_clc_prfx_match() is not
used in the caller.

Fixes: a046d57 ("smc: CLC handshake (incl. preparation steps)")
	Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
	Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20250916214758.650211-4-kuniyu@google.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 235f810)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-647
Rebuild_History Non-Buildable kernel-4.18.0-553.105.1.el8_10
commit-author Bob Peterson <rpeterso@redhat.com>
commit c8ed1b3

In gfs2_file_buffered_write(), we currently jump from the second call of
function should_fault_in_pages() to above the first call, so
should_fault_in_pages() is getting called twice in a row, causing it to
accidentally fall back to single-page writes rather than trying the more
efficient multi-page writes first.

Fix that by moving the retry label to the correct place, behind the
first call to should_fault_in_pages().

Fixes: e1fa9ea ("gfs2: Stop using glock holder auto-demotion for now")
	Signed-off-by: Bob Peterson <rpeterso@redhat.com>
	Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
(cherry picked from commit c8ed1b3)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-647
cve CVE-2025-40304
Rebuild_History Non-Buildable kernel-4.18.0-553.105.1.el8_10
commit-author Albin Babu Varghese <albinbabuvarghese20@gmail.com>
commit 3637d34

Add bounds checking to prevent writes past framebuffer boundaries when
rendering text near screen edges. Return early if the Y position is off-screen
and clip image height to screen boundary. Break from the rendering loop if the
X position is off-screen. When clipping image width to fit the screen, update
the character count to match the clipped width to prevent buffer size
mismatches.

Without the character count update, bit_putcs_aligned and bit_putcs_unaligned
receive mismatched parameters where the buffer is allocated for the clipped
width but cnt reflects the original larger count, causing out-of-bounds writes.

	Reported-by: syzbot+48b0652a95834717f190@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=48b0652a95834717f190
	Suggested-by: Helge Deller <deller@gmx.de>
	Tested-by: syzbot+48b0652a95834717f190@syzkaller.appspotmail.com
	Signed-off-by: Albin Babu Varghese <albinbabuvarghese20@gmail.com>
	Signed-off-by: Helge Deller <deller@gmx.de>
(cherry picked from commit 3637d34)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
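The clipping logic that commit message describes, modelled in user space as an added illustration (this is not the kernel's bitblit code and is not part of this PR): SCREEN_W, SCREEN_H, FONT_W, FONT_H, putcs_model and render_text are constructed names, and out-of-bounds writes are counted rather than performed so the before/after behaviour can be observed safely.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed screen and font geometry for this model (not the kernel's values). */
#define SCREEN_W 64
#define SCREEN_H 16
#define FONT_W    8
#define FONT_H    8

/* Glyph buffer that counts out-of-bounds writes instead of performing them. */
struct glyph_buf {
    uint8_t *data;
    size_t   size;
    size_t   oob_writes;
};

static void buf_put(struct glyph_buf *b, size_t off, uint8_t v)
{
    if (off >= b->size) {
        b->oob_writes++;        /* would have written past the allocation */
        return;
    }
    b->data[off] = v;
}

/*
 * Stand-in for bit_putcs_aligned()/bit_putcs_unaligned(): paints cnt glyphs,
 * FONT_W pixels each, one byte per pixel, with a row stride derived from cnt.
 * It trusts cnt, which is why cnt must agree with the buffer's width.
 */
static void putcs_model(struct glyph_buf *b, unsigned cnt, unsigned height)
{
    size_t stride = (size_t)cnt * FONT_W;

    for (unsigned y = 0; y < height; y++)
        for (size_t px = 0; px < stride; px++)
            buf_put(b, y * stride + px, 0xff);
}

/*
 * Model of the bit_putcs() clipping described in the commit message.
 * fixed == 0 keeps the defect (width clipped, cnt untouched); fixed == 1
 * recomputes cnt from the clipped width and draws nothing if no glyph fits.
 * Returns the number of out-of-bounds writes; *drawn_cnt gets glyphs painted.
 */
static size_t render_text(unsigned cnt, unsigned xpos, unsigned ypos,
                          int fixed, unsigned *drawn_cnt)
{
    unsigned image_w = cnt * FONT_W;
    unsigned image_h = FONT_H;
    struct glyph_buf b = { NULL, 0, 0 };

    *drawn_cnt = 0;
    if (ypos >= SCREEN_H)                 /* Y off-screen: return early */
        return 0;
    if (ypos + image_h > SCREEN_H)        /* clip height to the screen */
        image_h = SCREEN_H - ypos;
    if (xpos >= SCREEN_W)                 /* X off-screen: break out of the loop */
        return 0;
    if (xpos + image_w > SCREEN_W) {      /* clip width to the screen */
        image_w = SCREEN_W - xpos;
        if (fixed) {
            cnt = image_w / FONT_W;       /* the fix: cnt follows the clipped width */
            if (cnt == 0)
                return 0;
        }
    }

    b.size = (size_t)image_w * image_h;   /* allocation follows the clipped width */
    b.data = calloc(b.size, 1);
    if (!b.data)
        return 0;
    putcs_model(&b, cnt, image_h);
    free(b.data);
    *drawn_cnt = cnt;
    return b.oob_writes;
}

int main(void)
{
    unsigned drawn;
    size_t oob;

    /* Four glyphs starting 16 pixels from the right edge: only two fit. */
    oob = render_text(4, 48, 0, 0, &drawn);
    printf("before fix: drew %u glyphs, %zu out-of-bounds writes\n", drawn, oob);
    oob = render_text(4, 48, 0, 1, &drawn);
    printf("after fix:  drew %u glyphs, %zu out-of-bounds writes\n", drawn, oob);
    return 0;
}
```

With the defect, the painter keeps writing four glyphs into a buffer sized for two, so half of its writes land past the allocation; with cnt recomputed from the clipped width every write stays inside it.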
jira KERNEL-647
cve CVE-2023-53762
Rebuild_History Non-Buildable kernel-4.18.0-553.105.1.el8_10
commit-author Soenke Huster <soenke.huster@eknoes.de>
commit 3afee21

This event is just specified for SCO and eSCO link types.
On the reception of a HCI_Synchronous_Connection_Complete for a BDADDR
of an existing LE connection, LE link type and a status that triggers the
second case of the packet processing a NULL pointer dereference happens,
as conn->link is NULL.

	Signed-off-by: Soenke Huster <soenke.huster@eknoes.de>
	Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
(cherry picked from commit 3afee21)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-647
cve CVE-2023-53762
Rebuild_History Non-Buildable kernel-4.18.0-553.105.1.el8_10
commit-author Soenke Huster <soenke.huster@eknoes.de>
commit d5ebaa7

When one of the three connection complete events is received multiple
times for the same handle, the device is registered multiple times which
leads to memory corruptions. Therefore, consequent events for a single
connection are ignored.

The conn->state can hold different values, therefore HCI_CONN_HANDLE_UNSET
is introduced to identify new connections. To make sure the events do not
contain this or another invalid handle HCI_CONN_HANDLE_MAX and checks
are introduced.

Buglink: https://bugzilla.kernel.org/show_bug.cgi?id=215497
	Signed-off-by: Soenke Huster <soenke.huster@eknoes.de>
	Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
(cherry picked from commit d5ebaa7)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-647
cve CVE-2023-53762
Rebuild_History Non-Buildable kernel-4.18.0-553.105.1.el8_10
commit-author Tom Rix <trix@redhat.com>
commit 8cd3c55

clang static analysis reports this problem
hci_sync.c:4428:2: warning: Undefined or garbage value
  returned to caller
        return err;
        ^~~~~~~~~~

If there are no connections this function is a noop but
err is never set and a false error could be reported.
Return 0 as other hci_* functions do.

Fixes: 182ee45 ("Bluetooth: hci_sync: Rework hci_suspend_notifier")
	Signed-off-by: Tom Rix <trix@redhat.com>
	Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
(cherry picked from commit 8cd3c55)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-647
cve CVE-2023-53762
Rebuild_History Non-Buildable kernel-4.18.0-553.105.1.el8_10
commit-author Niels Dossche <dossche.niels@gmail.com>
commit 9fa6b4c

hci_le_conn_failed function's documentation says that the caller must
hold hdev->lock. The only callsite that does not hold that lock is
hci_le_conn_failed. The other 3 callsites hold the hdev->lock very
locally. The solution is to hold the lock during the call to
hci_le_conn_failed.

Fixes: 3c85775 ("Bluetooth: Add directed advertising support through connect()")
	Signed-off-by: Niels Dossche <dossche.niels@gmail.com>
	Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
(cherry picked from commit 9fa6b4c)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-647
cve CVE-2023-53762
Rebuild_History Non-Buildable kernel-4.18.0-553.105.1.el8_10
commit-author Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
commit c86cc5a

Commit d5ebaa7 introduces checks for handle range
(e.g. HCI_CONN_HANDLE_MAX) but controllers like Intel AX200 don't seem
to respect the valid range in case of error status:

> HCI Event: Connect Complete (0x03) plen 11
        Status: Page Timeout (0x04)
        Handle: 65535
        Address: 94:DB:56:XX:XX:XX (Sony Home Entertainment&
	Sound Products Inc)
        Link type: ACL (0x01)
        Encryption: Disabled (0x00)
[1644965.827560] Bluetooth: hci0: Ignoring HCI_Connection_Complete for invalid handle

Because of it, it is impossible to cleanup the connections properly since
the stack would attempt to cancel the connection which is no longer in
progress, causing the following trace:

< HCI Command: Create Connection Cancel (0x01|0x0008) plen 6
        Address: 94:DB:56:XX:XX:XX (Sony Home Entertainment&
	Sound Products Inc)
= bluetoothd: src/profile.c:record_cb() Unable to get Hands-Free Voice
	gateway SDP record: Connection timed out
> HCI Event: Command Complete (0x0e) plen 10
      Create Connection Cancel (0x01|0x0008) ncmd 1
        Status: Unknown Connection Identifier (0x02)
        Address: 94:DB:56:XX:XX:XX (Sony Home Entertainment&
	Sound Products Inc)
< HCI Command: Create Connection Cancel (0x01|0x0008) plen 6
        Address: 94:DB:56:XX:XX:XX (Sony Home Entertainment&
	Sound Products Inc)

Fixes: d5ebaa7 ("Bluetooth: hci_event: Ignore multiple conn complete events")
	Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
	Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
(cherry picked from commit c86cc5a)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-647
cve CVE-2023-53762
Rebuild_History Non-Buildable kernel-4.18.0-553.105.1.el8_10
commit-author Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
commit 9b3628d

This attempts to cleanup the hci_conn if it cannot be aborted as
otherwise it would likely result in having the controller and host
stack out of sync with respect to connection handle.

	Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
	Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
(cherry picked from commit 9b3628d)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-647
cve CVE-2023-53762
Rebuild_History Non-Buildable kernel-4.18.0-553.105.1.el8_10
commit-author Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
commit c9f73a2

The handling of connection failures shall be handled by the request
completion callback as already done by hci_cs_le_create_conn, also make
sure to use hci_conn_failed instead of hci_le_conn_failed as the latter
doesn't actually call hci_conn_del to cleanup.

Link: bluez/bluez#340
Fixes: 8e8b92e ("Bluetooth: hci_sync: Add hci_le_create_conn_sync")
	Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
	Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
(cherry picked from commit c9f73a2)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-647
cve CVE-2023-53762
Rebuild_History Non-Buildable kernel-4.18.0-553.105.1.el8_10
commit-author Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
commit 1f7435c

This fixes using hci_conn_abort instead of using hci_conn_abort_sync.

	Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
(cherry picked from commit 1f7435c)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-647
cve CVE-2023-53762
Rebuild_History Non-Buildable kernel-4.18.0-553.105.1.el8_10
commit-author Brian Gix <brian.gix@intel.com>
commit 1a942de
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-4.18.0-553.105.1.el8_10/1a942de0.failed

hci_abort_conn() is a wrapper around a number of DISCONNECT and
CREATE_CONN_CANCEL commands that was being invoked from hci_request
request queues, which are now deprecated. There are two versions:
hci_abort_conn() which can be invoked from the hci_event thread, and
hci_abort_conn_sync() which can be invoked within a hci_sync cmd chain.

	Signed-off-by: Brian Gix <brian.gix@intel.com>
	Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
(cherry picked from commit 1a942de)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

# Conflicts:
#	net/bluetooth/hci_request.c
#	net/bluetooth/hci_request.h
jira KERNEL-647
cve CVE-2023-53762
Rebuild_History Non-Buildable kernel-4.18.0-553.105.1.el8_10
commit-author Zhengping Jiang <jiangzp@google.com>
commit b828854

When disconnecting all devices, hci_conn_failed is used to cleanup
hci_conn object when the hci_conn object cannot be aborted.
The function hci_conn_failed requires the caller holds hdev->lock.

Fixes: 9b3628d ("Bluetooth: hci_sync: Cleanup hci_conn if it cannot be aborted")
	Signed-off-by: Zhengping Jiang <jiangzp@google.com>
	Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
(cherry picked from commit b828854)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-647
cve CVE-2023-53762
Rebuild_History Non-Buildable kernel-4.18.0-553.105.1.el8_10
commit-author Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
commit 19cf60b

hci_connect_le_scan_cleanup shall always be invoked to cleanup the
states and re-enable passive scanning if necessary, otherwise it may
cause the pending action to stay active causing multiple attempts to
connect.

Fixes: 9b3628d ("Bluetooth: hci_sync: Cleanup hci_conn if it cannot be aborted")
	Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
(cherry picked from commit 19cf60b)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-647
cve CVE-2023-53762
Rebuild_History Non-Buildable kernel-4.18.0-553.105.1.el8_10
commit-author Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
commit b62e722
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-4.18.0-553.105.1.el8_10/b62e7220.failed

This fixes errors like below when LE Connection times out since that
is actually not a controller error:

 Bluetooth: hci0: Opcode 0x200d failed: -110
 Bluetooth: hci0: request failed to create LE connection: err -110

Instead the code shall properly detect if -ETIMEDOUT is returned and
send HCI_OP_LE_CREATE_CONN_CANCEL to give up on the connection.

Link: bluez/bluez#340
Fixes: 8e8b92e ("Bluetooth: hci_sync: Add hci_le_create_conn_sync")
	Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
(cherry picked from commit b62e722)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

# Conflicts:
#	net/bluetooth/hci_conn.c
#	net/bluetooth/hci_sync.c
jira KERNEL-647
cve CVE-2023-53762
Rebuild_History Non-Buildable kernel-4.18.0-553.105.1.el8_10
commit-author Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
commit a13f316
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-4.18.0-553.105.1.el8_10/a13f316e.failed

This consolidates code for aborting connections using
hci_cmd_sync_queue so it is synchronized with other threads, but
because of the fact that some commands may block the cmd_sync_queue
while waiting specific events this attempt to cancel those requests by
using hci_cmd_sync_cancel.

	Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
(cherry picked from commit a13f316)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

# Conflicts:
#	net/bluetooth/hci_conn.c
#	net/bluetooth/hci_sync.c
jira KERNEL-647
cve CVE-2023-53762
Rebuild_History Non-Buildable kernel-4.18.0-553.105.1.el8_10
commit-author Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
commit 5af1f84
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-4.18.0-553.105.1.el8_10/5af1f84e.failed

Connections may be cleaned up while waiting for the commands to complete so
this attempts to check if the connection handle remains valid in case of
errors that would lead to call hci_conn_failed:

BUG: KASAN: slab-use-after-free in hci_conn_failed+0x1f/0x160
Read of size 8 at addr ffff888001376958 by task kworker/u3:0/52

CPU: 0 PID: 52 Comm: kworker/u3:0 Not tainted
6.5.0-rc1-00527-g2dfe76d58d3a #5615
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
1.16.2-1.fc38 04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
 <TASK>
 dump_stack_lvl+0x1d/0x70
 print_report+0xce/0x620
 ? __virt_addr_valid+0xd4/0x150
 ? hci_conn_failed+0x1f/0x160
 kasan_report+0xd1/0x100
 ? hci_conn_failed+0x1f/0x160
 hci_conn_failed+0x1f/0x160
 hci_abort_conn_sync+0x237/0x360

	Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
(cherry picked from commit 5af1f84)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

# Conflicts:
#	net/bluetooth/hci_sync.c
jira KERNEL-647
cve CVE-2023-53762
Rebuild_History Non-Buildable kernel-4.18.0-553.105.1.el8_10
commit-author Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
commit 94d9ba9
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-4.18.0-553.105.1.el8_10/94d9ba9f.failed

Use-after-free can occur in hci_disconnect_all_sync if a connection is
deleted by concurrent processing of a controller event.

To prevent this the code now tries to iterate over the list backwards
to ensure the links are cleaned up before their parents, also it no longer
relies on a cursor, instead it always uses the last element since
hci_abort_conn_sync is guaranteed to call hci_conn_del.

UAF crash log:
==================================================================
BUG: KASAN: slab-use-after-free in hci_set_powered_sync
(net/bluetooth/hci_sync.c:5424) [bluetooth]
Read of size 8 at addr ffff888009d9c000 by task kworker/u9:0/124

CPU: 0 PID: 124 Comm: kworker/u9:0 Tainted: G        W
6.5.0-rc1+ #10
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
1.16.2-1.fc38 04/01/2014
Workqueue: hci0 hci_cmd_sync_work [bluetooth]
Call Trace:
 <TASK>
 dump_stack_lvl+0x5b/0x90
 print_report+0xcf/0x670
 ? __virt_addr_valid+0xdd/0x160
 ? hci_set_powered_sync+0x2c9/0x4a0 [bluetooth]
 kasan_report+0xa6/0xe0
 ? hci_set_powered_sync+0x2c9/0x4a0 [bluetooth]
 ? __pfx_set_powered_sync+0x10/0x10 [bluetooth]
 hci_set_powered_sync+0x2c9/0x4a0 [bluetooth]
 ? __pfx_hci_set_powered_sync+0x10/0x10 [bluetooth]
 ? __pfx_lock_release+0x10/0x10
 ? __pfx_set_powered_sync+0x10/0x10 [bluetooth]
 hci_cmd_sync_work+0x137/0x220 [bluetooth]
 process_one_work+0x526/0x9d0
 ? __pfx_process_one_work+0x10/0x10
 ? __pfx_do_raw_spin_lock+0x10/0x10
 ? mark_held_locks+0x1a/0x90
 worker_thread+0x92/0x630
 ? __pfx_worker_thread+0x10/0x10
 kthread+0x196/0x1e0
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x2c/0x50
 </TASK>

Allocated by task 1782:
 kasan_save_stack+0x33/0x60
 kasan_set_track+0x25/0x30
 __kasan_kmalloc+0x8f/0xa0
 hci_conn_add+0xa5/0xa80 [bluetooth]
 hci_bind_cis+0x881/0x9b0 [bluetooth]
 iso_connect_cis+0x121/0x520 [bluetooth]
 iso_sock_connect+0x3f6/0x790 [bluetooth]
 __sys_connect+0x109/0x130
 __x64_sys_connect+0x40/0x50
 do_syscall_64+0x60/0x90
 entry_SYSCALL_64_after_hwframe+0x6e/0xd8

Freed by task 695:
 kasan_save_stack+0x33/0x60
 kasan_set_track+0x25/0x30
 kasan_save_free_info+0x2b/0x50
 __kasan_slab_free+0x10a/0x180
 __kmem_cache_free+0x14d/0x2e0
 device_release+0x5d/0xf0
 kobject_put+0xdf/0x270
 hci_disconn_complete_evt+0x274/0x3a0 [bluetooth]
 hci_event_packet+0x579/0x7e0 [bluetooth]
 hci_rx_work+0x287/0xaa0 [bluetooth]
 process_one_work+0x526/0x9d0
 worker_thread+0x92/0x630
 kthread+0x196/0x1e0
 ret_from_fork+0x2c/0x50
==================================================================

Fixes: 182ee45 ("Bluetooth: hci_sync: Rework hci_suspend_notifier")
	Signed-off-by: Pauli Virtanen <pav@iki.fi>
	Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
(cherry picked from commit 94d9ba9)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

# Conflicts:
#	net/bluetooth/hci_sync.c
jira KERNEL-647
cve CVE-2023-53762
Rebuild_History Non-Buildable kernel-4.18.0-553.105.1.el8_10
commit-author Archie Pusaka <apusaka@chromium.org>
commit 5356266

To prevent multiple conn complete events, we shouldn't look up the
conn with hci_lookup_le_connect, since it requires the state to be
BT_CONNECT. By the time the duplicate event is processed, the state
might have changed, so we end up processing the new event anyway.

Change the lookup function to hci_conn_hash_lookup_ba.

Fixes: d5ebaa7 ("Bluetooth: hci_event: Ignore multiple conn complete events")
	Signed-off-by: Archie Pusaka <apusaka@chromium.org>
	Reviewed-by: Sonny Sasaka <sonnysasaka@chromium.org>
	Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
(cherry picked from commit 5356266)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-647
Rebuild_History Non-Buildable kernel-4.18.0-553.105.1.el8_10
commit-author Sven Schnelle <svens@linux.ibm.com>
commit b1aa01d

With z16 a new flag 'search boot program' was introduced for
list-directed IPL (SCSI, NVMe, ECKD DASD). If this flag is set,
e.g. via selecting the "Automatic" value for the "Boot program
selector" control on an HMC load panel, it is copied to the reipl
structure from the initial ipl structure. When a user now sets a
boot prog via sysfs, the flag is not cleared and the bootloader
will again automatically select the boot program, ignoring user
configuration.

To avoid that, clear the SBP flag when a bootprog sysfs file is
written.

	Cc: stable@vger.kernel.org
	Reviewed-by: Peter Oberparleiter <oberpar@linux.ibm.com>
	Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
	Signed-off-by: Sven Schnelle <svens@linux.ibm.com>
	Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
(cherry picked from commit b1aa01d)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
Rebuild_History BUILDABLE
Rebuilding Kernel from rpm changelog with Fuzz Limit: 87.50%
Number of commits in upstream range v4.18~1..kernel-mainline: 594898
Number of commits in rpm: 26
Number of commits matched with upstream: 20 (76.92%)
Number of commits in upstream but not in rpm: 594878
Number of commits NOT found in upstream: 6 (23.08%)

Rebuilding Kernel on Branch rocky8_10_rebuild_kernel-4.18.0-553.105.1.el8_10 for kernel-4.18.0-553.105.1.el8_10
Clean Cherry Picks: 15 (75.00%)
Empty Cherry Picks: 5 (25.00%)
_______________________________

Full Details Located here:
ciq/ciq_backports/kernel-4.18.0-553.105.1.el8_10/rebuild.details.txt

Includes:
* git commit header above
* Empty Commits with upstream SHA
* RPM ChangeLog Entries that could not be matched

Individual Empty Commit failures contained in the same containing directory.
The git message for empty commits will have the path for the failed commit.
File names are the first 8 characters of the upstream SHA
@PlaidCat PlaidCat self-assigned this Feb 20, 2026
@PlaidCat PlaidCat requested review from a team February 20, 2026 11:46
@bmastbergen bmastbergen left a comment

🥌

@PlaidCat PlaidCat requested review from a team February 20, 2026 16:16