diff --git a/prepare_source b/prepare_source
index c144eaa..0d27f27 100755
--- a/prepare_source
+++ b/prepare_source
@@ -1,5 +1,5 @@
 pkg=linux
-version_orig=6.18.33
+version_orig=6.18.35
 version="$version_orig-1"
 (
diff --git a/upstream_patches/CVE-2026-31688.patch b/upstream_patches/CVE-2026-31688.patch
new file mode 100644
index 0000000..7e7f5ba
--- /dev/null
+++ b/upstream_patches/CVE-2026-31688.patch
@@ -0,0 +1,48 @@
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=dc23806a7c47ec5f1293aba407fb69519f976ee0
+--- a/drivers/base/base.h
++++ b/drivers/base/base.h
+@@ -166,9 +166,18 @@ void device_set_deferred_probe_reason(const struct device *dev, struct va_format
+ static inline int driver_match_device(const struct device_driver *drv,
+ struct device *dev)
+ {
++ device_lock_assert(dev);
++
+ return drv->bus->match ? drv->bus->match(dev, drv) : 1;
+ }
+
++static inline int driver_match_device_locked(const struct device_driver *drv,
++ struct device *dev)
++{
++ guard(device)(dev);
++ return driver_match_device(drv, dev);
++}
++
+ static inline void dev_sync_state(struct device *dev)
+ {
+ if (dev->bus->sync_state)
+diff --git a/drivers/base/bus.c b/drivers/base/bus.c
+index 2653670f962f..2b039aa2da74 100644
+--- a/drivers/base/bus.c
++++ b/drivers/base/bus.c
+@@ -263,7 +263,7 @@ static ssize_t bind_store(struct device_driver *drv, const char *buf,
+ int err = -ENODEV;
+
+ dev = bus_find_device_by_name(bus, NULL, buf);
+- if (dev && driver_match_device(drv, dev)) {
++ if (dev && driver_match_device_locked(drv, dev)) {
+ err = device_driver_attach(drv, dev);
+ if (!err) {
+ /* success */
+diff --git a/drivers/base/dd.c b/drivers/base/dd.c
+index 2c3a610f52a7..04087a4961ef 100644
+--- a/drivers/base/dd.c
++++ b/drivers/base/dd.c
+@@ -1250,7 +1250,7 @@ static int __driver_attach(struct device *dev, void *data)
+ * is an error.
+ */
+
+- ret = driver_match_device(drv, dev);
++ ret = driver_match_device_locked(drv, dev);
+ if (ret == 0) {
+ /* no match */
+ return 0;
diff --git a/upstream_patches/CVE-2026-43009.patch b/upstream_patches/CVE-2026-43009.patch
new file mode 100644
index 0000000..c1ed38d
--- /dev/null
+++ b/upstream_patches/CVE-2026-43009.patch
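Review bot: In upstream_patches/CVE-2026-31688.patch, `device_lock_assert(dev)` in `driver_match_device()` is a lockdep assertion, so on a build without lockdep it compiles to nothing and a caller that was not converted would still run the bus `match()` callback unlocked with no warning. Only `bind_store()` and `__driver_attach()` are switched to `driver_match_device_locked()` here, and both functions continue outside their hunks. It is worth checking the 6.18.35 tree for any remaining `driver_match_device(` call sites and booting a lockdep-enabled build once. I would also add a contract comment above the helper, e.g. `/* Caller must hold device_lock(dev); use driver_match_device_locked() otherwise. */`. The patch file carries only an `Origin:` line, so a one-line subject naming the upstream change would make later audits of this backport easier.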
@@ -0,0 +1,45 @@
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=7ffbe45b1d227e24659998a91cfd4c27af457e71
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -610,6 +610,13 @@ static bool is_atomic_load_insn(const struct bpf_insn *insn)
+ insn->imm == BPF_LOAD_ACQ;
+ }
+
++static bool is_atomic_fetch_insn(const struct bpf_insn *insn)
++{
++ return BPF_CLASS(insn->code) == BPF_STX &&
++ BPF_MODE(insn->code) == BPF_ATOMIC &&
++ (insn->imm & BPF_FETCH);
++}
++
+ static int __get_spi(s32 off)
+ {
+ return (-off - 1) / BPF_REG_SIZE;
+@@ -4322,10 +4329,24 @@ static int backtrack_insn(struct bpf_verifier_env *env, int idx, int subseq_idx,
+ * dreg still needs precision before this insn
+ */
+ }
+- } else if (class == BPF_LDX || is_atomic_load_insn(insn)) {
+- if (!bt_is_reg_set(bt, dreg))
++ } else if (class == BPF_LDX ||
++ is_atomic_load_insn(insn) ||
++ is_atomic_fetch_insn(insn)) {
++ u32 load_reg = dreg;
++
++ /*
++ * Atomic fetch operation writes the old value into
++ * a register (sreg or r0) and if it was tracked for
++ * precision, propagate to the stack slot like we do
++ * in regular ldx.
++ */
++ if (is_atomic_fetch_insn(insn))
++ load_reg = insn->imm == BPF_CMPXCHG ?
++ BPF_REG_0 : sreg;
++
++ if (!bt_is_reg_set(bt, load_reg))
+ return 0;
+- bt_clear_reg(bt, dreg);
++ bt_clear_reg(bt, load_reg);
+
+ /* scalars can only be spilled into stack w/o losing precision.
+ * Load from any other memory can be zero extended.
diff --git a/upstream_patches/series b/upstream_patches/series
index 0c1b65a..bb2bf16 100644
--- a/upstream_patches/series
+++ b/upstream_patches/series
@@ -3,3 +3,5 @@
 0003-implement-FIPS-PCT-for-ECDH.patch
 0004-flag-instantiations-as-FIPS_compliant.patch
 0005-disable-xxhash64.patch
+CVE-2026-31688.patch
+CVE-2026-43009.patch
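Review bot: In upstream_patches/CVE-2026-43009.patch, `is_atomic_fetch_insn()` has no comment saying that it is meant to cover exchange and compare-exchange as well as the fetch-and-op forms, which only holds because `BPF_XCHG` and `BPF_CMPXCHG` include the `BPF_FETCH` bit in `imm`. A short comment such as `/* true for any atomic op that writes the old value back to a register, including BPF_XCHG and BPF_CMPXCHG */` would keep the `insn->imm == BPF_CMPXCHG ? BPF_REG_0 : sreg` selection further down readable. `backtrack_insn()` continues past the hunk, so the stack-slot propagation that the new comment refers to cannot be checked from here. Since this changes verifier precision tracking, the backport should be validated by running the BPF verifier selftests against the patched 6.18.35 build.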