From f561feb556e4d94b6ecdad0af27cb90bb76bdcf5 Mon Sep 17 00:00:00 2001 From: Saikrishna Arcot Date: Tue, 7 Jul 2026 23:42:03 -0700 Subject: [PATCH 1/2] Remove upstreamed patches, and remove old patch directory Signed-off-by: Saikrishna Arcot --- patch/kconfig-exclusions | 70 ----- patch/kconfig-force-inclusions | 3 - patch/kconfig-inclusions | 254 ------------------ patch/kconfig-secure-boot-exclusions | 20 -- patch/kconfig-secure-boot-inclusions | 18 -- ...-Update-cache-properties-for-marvell.patch | 88 ------ ...ell-Add-NAND-flash-controller-to-AC5.patch | 52 ---- ...arm64-dts-ac5-add-mmc-node-and-clock.patch | 84 ------ ...on-Add-ac5-support-via-bounce-buffer.patch | 109 -------- .../0007-usb-ehci-Add-support-for-ac5.patch | 38 --- ...nk-state-exit-during-switch-upstream.patch | 79 ------ ...o-hwmon-pmbus_core-pec-support-check.patch | 47 ---- patches-sonic/cisco-x86-gpio-config.patch | 40 --- patches-sonic/series | 11 - 14 files changed, 913 deletions(-) delete mode 100644 patch/kconfig-exclusions delete mode 100644 patch/kconfig-force-inclusions delete mode 100644 patch/kconfig-inclusions delete mode 100644 patch/kconfig-secure-boot-exclusions delete mode 100644 patch/kconfig-secure-boot-inclusions delete mode 100644 patches-sonic/0002-arm64-dts-Update-cache-properties-for-marvell.patch delete mode 100644 patches-sonic/0003-arm64-dts-marvell-Add-NAND-flash-controller-to-AC5.patch delete mode 100644 patches-sonic/0004-arm64-dts-ac5-add-mmc-node-and-clock.patch delete mode 100644 patches-sonic/0006-mmc-xenon-Add-ac5-support-via-bounce-buffer.patch delete mode 100644 patches-sonic/0007-usb-ehci-Add-support-for-ac5.patch delete mode 100644 patches-sonic/PCI-ASPM-Fix-link-state-exit-during-switch-upstream.patch delete mode 100644 patches-sonic/cisco-hwmon-pmbus_core-pec-support-check.patch delete mode 100644 patches-sonic/cisco-x86-gpio-config.patch diff --git a/patch/kconfig-exclusions b/patch/kconfig-exclusions deleted file mode 100644 index 756b4ab08..000000000 --- a/patch/kconfig-exclusions +++ /dev/null @@ -1,70 +0,0 @@ -[common] -# Unset STRICT_DEVMEM according to Broadcom's requirement and for CENTEC arm64 arch -CONFIG_STRICT_DEVMEM -# Unset classid and priority network cgroups due to conflict between cgroups v1 and v2 -CONFIG_CGROUP_NET_CLASSID -CONFIG_NET_CLS_CGROUP -CONFIG_NETFILTER_XT_MATCH_CGROUP -CONFIG_CGROUP_NET_PRIO -# Unset to enable UBIFS on flash -CONFIG_MTD_SPI_NOR_USE_4K_SECTORS -###-> mellanox_common-start -###-> mellanox_common-end -CONFIG_DRM -CONFIG_VIDEO_DEV -CONFIG_MEDIA_SUPPORT -CONFIG_MEDIA_CONTROLLER -CONFIG_DVB_CORE -CONFIG_MEDIA_TUNER -CONFIG_MEDIA_ATTACH - -[amd64] -CONFIG_AMD_MEM_ENCRYPT -# Unset X86_PAT according to Broadcom's requirement -CONFIG_X86_PAT -CONFIG_MLXSW_PCI -###-> mellanox_amd64-start -###-> mellanox_amd64-end - -[arm64] -CONFIG_SQUASHFS_DECOMP_MULTI_PERCPU - -[marvell-prestera-arm64] -CONFIG_UBIFS_FS_ZSTD -CONFIG_CRYPTO_DEV_SAFEXCEL - -[pensando] -CONFIG_ARM64_VA_BITS_48 - -[armhf] - -[marvell-prestera-armhf] -CONFIG_ARCH_VIRT -CONFIG_ARCH_BCM -CONFIG_ARCH_EXYNOS -CONFIG_ARCH_HIGHBANK -CONFIG_ARCH_MXC -CONFIG_ARCH_MESON -CONFIG_ARCH_OMAP3 -CONFIG_ARCH_OMAP4 -CONFIG_SOC_OMAP5 -CONFIG_SOC_AM33XX -CONFIG_SOC_DRA7XX -CONFIG_ARCH_ROCKCHIP -CONFIG_ARCH_SOCFPGA -CONFIG_ARCH_SUNXI -CONFIG_ARCH_TEGRA -CONFIG_ARCH_VEXPRESS -CONFIG_ARCH_WM8850 -CONFIG_FW_CFG_SYSFS -CONFIG_VORTEX -CONFIG_NTP_PPS -CONFIG_SENSORS_MAX6620 -CONFIG_SND_LX6464ES -CONFIG_EFI -CONFIG_LOCK_DOWN_KERNEL -CONFIG_SECONDARY_TRUSTED_KEYRING -CONFIG_SYSTEM_BLACKLIST_KEYRING - -[mellanox-arm64] - diff --git a/patch/kconfig-force-inclusions b/patch/kconfig-force-inclusions deleted file mode 100644 index e14876637..000000000 --- a/patch/kconfig-force-inclusions +++ /dev/null @@ -1,3 +0,0 @@ -[arm64] -CONFIG_COMPAT_VDSO=y -CONFIG_THUMB2_COMPAT_VDSO=y diff --git a/patch/kconfig-inclusions b/patch/kconfig-inclusions deleted file mode 100644 index 11b64f57d..000000000 --- a/patch/kconfig-inclusions +++ /dev/null @@ -1,254 +0,0 @@ -[common] -CONFIG_LOG_BUF_SHIFT=20 -CONFIG_RTC_INTF_DEV_UIE_EMUL=y -###-> mellanox_common-start -###-> mellanox_common-end - -[amd64] -CONFIG_SATA_MOBILE_LPM_POLICY=1 -# For Arista -CONFIG_I2C_MUX_PCA9541=m -CONFIG_SENSORS_MAX6697=m -#CONFIG_SENSORS_DPS1900=m # TODO: enable once the DPS1900 patch is re-enabled -CONFIG_PCI_REASSIGN_PREF_MEM=y -# For cig-cs6436 -CONFIG_SERIAL_8250_LPSS=m -# SFF_8436 -CONFIG_EEPROM_SFF_8436=m -# For Dell S6000 -CONFIG_SENSORS_MAX6620=m -CONFIG_PMBUS=m -CONFIG_SENSORS_PMBUS=m -#CONFIG_SENSORS_DNI_DPS460=m # TODO: enable once the DPS460 patch is re-enabled -CONFIG_I2C_MUX_GPIO=m -CONFIG_GPIO_SYSFS=y -CONFIG_GPIO_SCH=m -# For Dell Z9100 -CONFIG_I2C_MUX_PCA954x=m -# For Ingrasys S9100 -CONFIG_I2C_GPIO=m -CONFIG_GPIO_PCA953X=m -# For Inventec d7032 -CONFIG_GPIO_ICH=m -# For mitac ly1200 -CONFIG_SENSORS_MAX31790=m -# For optoe -CONFIG_EEPROM_OPTOE=m -###-> mellanox_amd64-start -CONFIG_X86_AMD_PLATFORM_DEVICE=y -CONFIG_MCTP=y -CONFIG_DMI_SYSFS=y -CONFIG_OF=y -CONFIG_EEPROM_AT24=m -CONFIG_AMD_XGBE=m -CONFIG_IGB=m -CONFIG_MLXSW_CORE=m -CONFIG_MARVELL_PHY=m -CONFIG_MARVELL_10G_PHY=m -CONFIG_SERIAL_8250_DW=y -CONFIG_HW_RANDOM_AMD=m -CONFIG_I2C_CHARDEV=m -CONFIG_I2C_MUX=m -CONFIG_I2C_SMBUS=m -CONFIG_I2C_I801=m -CONFIG_I2C_DESIGNWARE_PCI=m -CONFIG_I2C_MLXCPLD=m -CONFIG_I2C_SLAVE=y -CONFIG_PINCTRL=y -CONFIG_GPIOLIB=y -CONFIG_SENSORS_K10TEMP=m -CONFIG_SENSORS_DRIVETEMP=m -CONFIG_SENSORS_CORETEMP=m -CONFIG_SENSORS_JC42=m -CONFIG_SENSORS_POWR1220=m -CONFIG_SENSORS_LM75=m -CONFIG_SENSORS_EMC1403=m -CONFIG_SENSORS_EMC2305=m -CONFIG_SENSORS_STTS751=m -CONFIG_SENSORS_TMP102=m -CONFIG_SENSORS_TMP421=m -CONFIG_THERMAL_NETLINK=y -CONFIG_INTEL_PCH_THERMAL=m -CONFIG_WATCHDOG_SYSFS=y -CONFIG_LPC_ICH=m -CONFIG_MFD_INTEL_LPSS_PCI=y -CONFIG_LEDS_MLXREG=m -CONFIG_LEDS_TRIGGER_TIMER=m -CONFIG_DW_DMAC_PCI=y -CONFIG_MELLANOX_PLATFORM=y -CONFIG_MLX_PLATFORM=m -CONFIG_NET_DEVLINK=y -CONFIG_I2C_MUX_REG=m -CONFIG_I2C_MUX_MLXCPLD=m -CONFIG_REGMAP_I2C=m -CONFIG_IIO_SYSFS_TRIGGER=m -CONFIG_NVME_HWMON=y -CONFIG_MLXSW_CORE_HWMON=y -CONFIG_MLXSW_I2C=m -CONFIG_MLXSW_MINIMAL=m -CONFIG_MLXSW_CORE_THERMAL=n -CONFIG_MLXREG_HOTPLUG=m -CONFIG_MLXREG_IO=m -CONFIG_MLX_WDT=m -CONFIG_MLXREG_LC=m -#CONFIG_MLXREG_DPU=m -CONFIG_SENSORS_MLXREG_FAN=m -CONFIG_GPIO_GENERIC=m -CONFIG_MAX1363=m -CONFIG_SENSORS_TPS53679=m -CONFIG_SENSORS_XDPE122=m -CONFIG_SENSORS_MP2975=m -#CONFIG_SENSORS_MP2855=m -CONFIG_SENSORS_MP2888=m -CONFIG_SENSORS_MP2891=m -CONFIG_CPU_THERMAL=y -CONFIG_IGB_HWMON=y -CONFIG_MFD_CORE=y -CONFIG_MFD_INTEL_LPSS=y -CONFIG_TI_ADS1015=m -CONFIG_PINCTRL_INTEL=y -CONFIG_PINCTRL_CANNONLAKE=m -CONFIG_PINCTRL_DENVERTON=m -CONFIG_NVSW_SN2201=m -CONFIG_I2C_DESIGNWARE_PLATFORM=m -CONFIG_I2C_DESIGNWARE_BAYTRAIL=y -CONFIG_I2C_DESIGNWARE_CORE=m -CONFIG_SPI_PXA2XX=m -CONFIG_SENSORS_XDPE152=m -CONFIG_SENSORS_IIO_HWMON=m -CONFIG_SENSORS_LM25066=m -CONFIG_SENSORS_UCD9000=m -CONFIG_SENSORS_UCD9200=m -CONFIG_THERMAL_OF=y -CONFIG_MCTP_FLOWS=y -CONFIG_MCTP_TRANSPORT_I2C=m -CONFIG_I2C_SLAVE_EEPROM=m -#CONFIG_I2C_ASF=m -CONFIG_SPI_AMD=m -CONFIG_PINCTRL_AMD=y -CONFIG_EDAC_AMD64=m -CONFIG_AMD_XGBE_DCB=y -CONFIG_SENSORS_ISL68137=m -###-> mellanox_amd64-end -# For Cisco 8000 -CONFIG_PHYLIB=m -CONFIG_OF_GPIO=y -CONFIG_OF_MDIO=m -CONFIG_MDIO_BUS_MUX_GPIO=m -CONFIG_MDIO_BUS_MUX=m -CONFIG_REGMAP_MMIO=y -CONFIG_TI_TLC4541=m -CONFIG_SENSORS_LTC2978=m -CONFIG_SENSORS_LTC2945=m -CONFIG_SENSORS_TPS40422=m -CONFIG_SENSORS_ADM1275=m -CONFIG_SPI_INTEL_PLATFORM=m -CONFIG_SPI_INTEL=m -# For pensando -CONFIG_IONIC=m -# For AMD Ryzen Embedded processors -CONFIG_PCI_ENDPOINT=y -CONFIG_PCIE_DW=y -CONFIG_PCIE_DW_HOST=y -CONFIG_PCIE_DW_EP=y -CONFIG_PCIE_DW_PLAT=y -CONFIG_PCIE_DW_PLAT_HOST=y -CONFIG_PCIE_DW_PLAT_EP=y -# For Micas -CONFIG_MDIO_BITBANG=m -CONFIG_MDIO_GPIO=m -CONFIG_SPI_GPIO=m -CONFIG_SENSORS_INA3221=m -# For Nokia -CONFIG_RTC_DRV_DS1307=m -CONFIG_SENSORS_TMP464=m -CONFIG_RTC_DRV_PCF85363=m -# For Nexthop -CONFIG_PCI_STUB=y -CONFIG_SENSORS_ADM1266=m - -[arm64] -# For enabling SDEI -CONFIG_ARM_SDE_INTERFACE=y -# For Marvell -CONFIG_EEPROM_SFF_8436=m -CONFIG_EEPROM_OPTOE=m -CONFIG_I2C_MUX_GPIO=m -CONFIG_MTD_RAW_NAND=m -CONFIG_MTD_NAND_ECC_SW_BCH=y -CONFIG_MTD_NAND_MARVELL=m -CONFIG_SENSORS_EMC2305=m -CONFIG_PHY_MVEBU_CP110_COMPHY=y -CONFIG_SPI_ORION=m -CONFIG_ARM_SMC_WATCHDOG=m -# For pensando -CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y -CONFIG_DEVTMPFS_MOUNT=y -CONFIG_EMBEDDED=y -CONFIG_GENERIC_IRQ_DEBUGFS=y -CONFIG_GPIO_DWAPB=m -CONFIG_IP_PNP=y -CONFIG_IP_PNP_BOOTP=y -CONFIG_IP_PNP_DHCP=y -CONFIG_IRQSOFF_TRACER=y -CONFIG_KALLSYMS_ALL=y -CONFIG_TRACER_SNAPSHOT_PER_CPU_SWAP=y -CONFIG_SCHED_TRACER=y -CONFIG_MEMTEST=y -CONFIG_MMC_DEBUG=y -CONFIG_MMC_SDHCI_CADENCE=m -CONFIG_PMBUS=m -CONFIG_SENSORS_PMBUS=m -CONFIG_SENSORS_LTC2978=m -CONFIG_SENSORS_TPS53679=m -CONFIG_RTC_DRV_PCF85363=m -CONFIG_RTC_CLASS=y -CONFIG_SPI_CADENCE_QUADSPI=m -CONFIG_SPI_DESIGNWARE=m -CONFIG_SPI_DW_MMIO=m -CONFIG_SQUASHFS_DECOMP_MULTI=y -CONFIG_PREEMPTIRQ_TRACEPOINTS=y -CONFIG_RING_BUFFER_ALLOW_SWAP=y -CONFIG_KEXEC_FILE=y - -[marvell-prestera-arm64] - -[pensando] -CONFIG_ARCH_PENSANDO=y -CONFIG_ARCH_PENSANDO_ELBA_SOC=y -CONFIG_PENSANDO_SOC_PENFW=y -CONFIG_EDAC_ELBA=y -CONFIG_IRQ_PENSANDO=y -CONFIG_MFD_PENSANDO_ELBASR=y -CONFIG_RESET_ELBASR=y -CONFIG_UIO_PCIEMAC=m -CONFIG_UIO_PENMSI1=m -CONFIG_UIO_PENGIC=m -CONFIG_UIO_PENMSI=m -CONFIG_ARM64_VA_BITS_39=y -CONFIG_COMMON_CLK_CS2000_CP=y -CONFIG_I2C_RD1173=y -CONFIG_CONTEXT_TRACKING=y -CONFIG_NO_HZ_FULL=y -CONFIG_RCU_NOCB_CPU=y -CONFIG_VIRT_CPU_ACCOUNTING=y -CONFIG_VIRT_CPU_ACCOUNTING_GEN=y -CONFIG_RTC_DRV_ELBA_CPLD=y - -[armhf] -CONFIG_EEPROM_SFF_8436=m -CONFIG_EEPROM_OPTOE=m -CONFIG_I2C_MUX_GPIO=m - -[marvell-prestera-armhf] -CONFIG_MTD_CMDLINE_PARTS=y -CONFIG_MTD_OF_PARTS=y - -[nvidia-bluefield] -CONFIG_MMC_DW=y -CONFIG_MMC_DW_PLTFM=y -CONFIG_MMC_DW_BLUEFIELD=y -CONFIG_EFIVAR_FS=y - -[mellanox-arm64] - diff --git a/patch/kconfig-secure-boot-exclusions b/patch/kconfig-secure-boot-exclusions deleted file mode 100644 index 68fb8c58f..000000000 --- a/patch/kconfig-secure-boot-exclusions +++ /dev/null @@ -1,20 +0,0 @@ -[common] - -[amd64] -CONFIG_MODULE_SIG_SHA256 -# For mellanox -CONFIG_SECURITY_LOCKDOWN_LSM -CONFIG_SECURITY_LOCKDOWN_LSM_EARLY -CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE -CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT - -[arm64] -CONFIG_MODULE_SIG_SHA256 -# For mellanox -CONFIG_SECURITY_LOCKDOWN_LSM -CONFIG_SECURITY_LOCKDOWN_LSM_EARLY -CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE -CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT - -[armhf] - diff --git a/patch/kconfig-secure-boot-inclusions b/patch/kconfig-secure-boot-inclusions deleted file mode 100644 index cfd9e900c..000000000 --- a/patch/kconfig-secure-boot-inclusions +++ /dev/null @@ -1,18 +0,0 @@ -[common] - -[amd64] -CONFIG_SYSTEM_TRUSTED_KEYS="debian/certs/debian-uefi-certs.pem" -CONFIG_MODULE_SIG_HASH="sha512" -CONFIG_MODULE_SIG_SHA512=y -CONFIG_KEXEC_SIG_FORCE=y -CONFIG_MODULE_SIG_FORCE=y - -[arm64] -CONFIG_SYSTEM_TRUSTED_KEYS="debian/certs/debian-uefi-certs.pem" -CONFIG_MODULE_SIG_HASH="sha512" -CONFIG_MODULE_SIG_SHA512=y -CONFIG_KEXEC_SIG=y -CONFIG_MODULE_SIG_FORCE=y - -[armhf] - diff --git a/patches-sonic/0002-arm64-dts-Update-cache-properties-for-marvell.patch b/patches-sonic/0002-arm64-dts-Update-cache-properties-for-marvell.patch deleted file mode 100644 index 4d6c1bb20..000000000 --- a/patches-sonic/0002-arm64-dts-Update-cache-properties-for-marvell.patch +++ /dev/null @@ -1,88 +0,0 @@ -From: Pierre Gondois -Date: Mon, 31 Oct 2022 10:20:16 +0100 -arm64: dts: Update cache properties for marvell - -The DeviceTree Specification v0.3 specifies that the cache node -'compatible' and 'cache-level' properties are 'required'. Cf. -s3.8 Multi-level and Shared Cache Nodes - -The recently added init_of_cache_level() function checks -these properties. Add them if missing. - -Signed-off-by: Pierre Gondois -Reviewed-by: Chris Packham -Signed-off-by: Gregory CLEMENT ---- - arch/arm64/boot/dts/marvell/ac5-98dx25xx.dtsi | 1 + - arch/arm64/boot/dts/marvell/armada-ap806-dual.dtsi | 1 + - arch/arm64/boot/dts/marvell/armada-ap806-quad.dtsi | 2 ++ - arch/arm64/boot/dts/marvell/armada-ap807-quad.dtsi | 2 ++ - 4 files changed, 6 insertions(+) - -diff --git a/arch/arm64/boot/dts/marvell/ac5-98dx25xx.dtsi b/arch/arm64/boot/dts/marvell/ac5-98dx25xx.dtsi -index 44ed6f963..7308f7b6b 100644 ---- a/arch/arm64/boot/dts/marvell/ac5-98dx25xx.dtsi -+++ b/arch/arm64/boot/dts/marvell/ac5-98dx25xx.dtsi -@@ -49,6 +49,7 @@ cpu1: cpu@1 { - - l2: l2-cache { - compatible = "cache"; -+ cache-level = <2>; - }; - }; - -diff --git a/arch/arm64/boot/dts/marvell/armada-ap806-dual.dtsi b/arch/arm64/boot/dts/marvell/armada-ap806-dual.dtsi -index fcab5173f..990f70303 100644 ---- a/arch/arm64/boot/dts/marvell/armada-ap806-dual.dtsi -+++ b/arch/arm64/boot/dts/marvell/armada-ap806-dual.dtsi -@@ -51,6 +51,7 @@ l2: l2-cache { - cache-size = <0x80000>; - cache-line-size = <64>; - cache-sets = <512>; -+ cache-level = <2>; - }; - }; - -diff --git a/arch/arm64/boot/dts/marvell/armada-ap806-quad.dtsi b/arch/arm64/boot/dts/marvell/armada-ap806-quad.dtsi -index 3db427122..a7b8e001c 100644 ---- a/arch/arm64/boot/dts/marvell/armada-ap806-quad.dtsi -+++ b/arch/arm64/boot/dts/marvell/armada-ap806-quad.dtsi -@@ -81,6 +81,7 @@ l2_0: l2-cache0 { - cache-size = <0x80000>; - cache-line-size = <64>; - cache-sets = <512>; -+ cache-level = <2>; - }; - - l2_1: l2-cache1 { -@@ -88,6 +89,7 @@ l2_1: l2-cache1 { - cache-size = <0x80000>; - cache-line-size = <64>; - cache-sets = <512>; -+ cache-level = <2>; - }; - }; - }; -diff --git a/arch/arm64/boot/dts/marvell/armada-ap807-quad.dtsi b/arch/arm64/boot/dts/marvell/armada-ap807-quad.dtsi -index 68782f161..7740098fd 100644 ---- a/arch/arm64/boot/dts/marvell/armada-ap807-quad.dtsi -+++ b/arch/arm64/boot/dts/marvell/armada-ap807-quad.dtsi -@@ -81,6 +81,7 @@ l2_0: l2-cache0 { - cache-size = <0x80000>; - cache-line-size = <64>; - cache-sets = <512>; -+ cache-level = <2>; - }; - - l2_1: l2-cache1 { -@@ -88,6 +89,7 @@ l2_1: l2-cache1 { - cache-size = <0x80000>; - cache-line-size = <64>; - cache-sets = <512>; -+ cache-level = <2>; - }; - }; - }; --- -2.25.1 - diff --git a/patches-sonic/0003-arm64-dts-marvell-Add-NAND-flash-controller-to-AC5.patch b/patches-sonic/0003-arm64-dts-marvell-Add-NAND-flash-controller-to-AC5.patch deleted file mode 100644 index b19946b94..000000000 --- a/patches-sonic/0003-arm64-dts-marvell-Add-NAND-flash-controller-to-AC5.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 58fe732052196777112fdba536fb9db5cdd42ec6 Mon Sep 17 00:00:00 2001 -From: Chris Packham -Date: Mon, 3 Jul 2023 15:50:43 +1200 -Subject: arm64: dts: marvell: Add NAND flash controller to AC5 - -The AC5/AC5X SoC has a NAND flash controller (NFC). Add this to -the base SoC dtsi file as a disabled node. The NFC integration -on the AC5/AC5X only supports SDR timing modes up to 3 so requires a -dedicated compatible property so this limitation can be enforced. - -Signed-off-by: Chris Packham -Signed-off-by: Gregory CLEMENT ---- - arch/arm64/boot/dts/marvell/ac5-98dx25xx.dtsi | 16 ++++++++++++++++ - 1 file changed, 16 insertions(+) - -diff --git a/arch/arm64/boot/dts/marvell/ac5-98dx25xx.dtsi b/arch/arm64/boot/dts/marvell/ac5-98dx25xx.dtsi -index 67c4688546b8..62d03ffa9485 100644 ---- a/arch/arm64/boot/dts/marvell/ac5-98dx25xx.dtsi -+++ b/arch/arm64/boot/dts/marvell/ac5-98dx25xx.dtsi -@@ -297,6 +297,16 @@ spi1: spi@805a8000 { - status = "disabled"; - }; - -+ nand: nand-controller@805b0000 { -+ compatible = "marvell,ac5-nand-controller"; -+ reg = <0x0 0x805b0000 0x0 0x00000054>; -+ #address-cells = <0x1>; -+ #size-cells = <0x0>; -+ interrupts = ; -+ clocks = <&nand_clock>; -+ status = "disabled"; -+ }; -+ - gic: interrupt-controller@80600000 { - compatible = "arm,gic-v3"; - #interrupt-cells = <3>; -@@ -319,5 +329,11 @@ spi_clock: spi-clock { - #clock-cells = <0>; - clock-frequency = <200000000>; - }; -+ -+ nand_clock: nand-clock { -+ compatible = "fixed-clock"; -+ #clock-cells = <0>; -+ clock-frequency = <400000000>; -+ }; - }; - }; --- -2.25.1 - diff --git a/patches-sonic/0004-arm64-dts-ac5-add-mmc-node-and-clock.patch b/patches-sonic/0004-arm64-dts-ac5-add-mmc-node-and-clock.patch deleted file mode 100644 index dddb78a76..000000000 --- a/patches-sonic/0004-arm64-dts-ac5-add-mmc-node-and-clock.patch +++ /dev/null @@ -1,84 +0,0 @@ -From cd40be983803830da19cb492b250abccf71ace7d Mon Sep 17 00:00:00 2001 -From: Elad Nachman -Date: Wed, 3 Jan 2024 19:28:03 +0200 -Subject: arm64: dts: ac5: add mmc node and clock - -Add mmc and mmc clock nodes to ac5 and ac5x device tree files - -Signed-off-by: Elad Nachman -Signed-off-by: Gregory CLEMENT ---- - arch/arm64/boot/dts/marvell/ac5-98dx25xx.dtsi | 31 ++++++++++++++++++- - .../boot/dts/marvell/ac5-98dx35xx-rd.dts | 4 +++ - 2 files changed, 34 insertions(+), 1 deletion(-) - -diff --git a/arch/arm64/boot/dts/marvell/ac5-98dx25xx.dtsi b/arch/arm64/boot/dts/marvell/ac5-98dx25xx.dtsi -index b5e042b8e929..5591939e057b 100644 ---- a/arch/arm64/boot/dts/marvell/ac5-98dx25xx.dtsi -+++ b/arch/arm64/boot/dts/marvell/ac5-98dx25xx.dtsi -@@ -77,7 +77,6 @@ soc { - #address-cells = <2>; - #size-cells = <2>; - ranges; -- dma-ranges; - - internal-regs@7f000000 { - #address-cells = <1>; -@@ -204,6 +203,30 @@ gpio1: gpio@18140 { - }; - }; - -+ mmc_dma: bus@80500000 { -+ compatible = "simple-bus"; -+ ranges; -+ #address-cells = <0x2>; -+ #size-cells = <0x2>; -+ reg = <0x0 0x80500000 0x0 0x100000>; -+ dma-ranges = <0x0 0x0 0x2 0x0 0x0 0x80000000>; -+ dma-coherent; -+ -+ sdhci: mmc@805c0000 { -+ compatible = "marvell,ac5-sdhci", -+ "marvell,armada-ap806-sdhci"; -+ reg = <0x0 0x805c0000 0x0 0x1000>; -+ interrupts = ; -+ clocks = <&emmc_clock>, <&cnm_clock>; -+ clock-names = "core", "axi"; -+ bus-width = <8>; -+ non-removable; -+ mmc-ddr-1_8v; -+ mmc-hs200-1_8v; -+ mmc-hs400-1_8v; -+ }; -+ }; -+ - /* - * Dedicated section for devices behind 32bit controllers so we - * can configure specific DMA mapping for them -@@ -335,5 +358,11 @@ nand_clock: nand-clock { - #clock-cells = <0>; - clock-frequency = <400000000>; - }; -+ -+ emmc_clock: emmc-clock { -+ compatible = "fixed-clock"; -+ #clock-cells = <0>; -+ clock-frequency = <400000000>; -+ }; - }; - }; -diff --git a/arch/arm64/boot/dts/marvell/ac5-98dx35xx-rd.dts b/arch/arm64/boot/dts/marvell/ac5-98dx35xx-rd.dts -index f0ebdb84eec9..0c973d7a215a 100644 ---- a/arch/arm64/boot/dts/marvell/ac5-98dx35xx-rd.dts -+++ b/arch/arm64/boot/dts/marvell/ac5-98dx35xx-rd.dts -@@ -99,3 +99,7 @@ parition@2 { - }; - }; - }; -+ -+&sdhci { -+ status = "okay"; -+}; --- -2.25.1 - diff --git a/patches-sonic/0006-mmc-xenon-Add-ac5-support-via-bounce-buffer.patch b/patches-sonic/0006-mmc-xenon-Add-ac5-support-via-bounce-buffer.patch deleted file mode 100644 index 83e4e7793..000000000 --- a/patches-sonic/0006-mmc-xenon-Add-ac5-support-via-bounce-buffer.patch +++ /dev/null @@ -1,109 +0,0 @@ -From 5d40213347480e3ab903d5438dbd0d6b0110e6b8 Mon Sep 17 00:00:00 2001 -From: Elad Nachman -Date: Thu, 4 Jan 2024 19:30:33 +0200 -Subject: mmc: xenon: Add ac5 support via bounce buffer - -AC5/X/IM SOCs has a variant of the Xenon eMMC controller, -in which only 31-bit of addressing pass from the controller -on the AXI bus. -Since we cannot guarantee that only buffers from the first 2GB -of memory will reach the driver, the driver is configured for -SDMA mode, without 64-bit mode, overriding the DMA mask to 34-bit -to support the DDR memory mapping, which starts at offset 8GB. - -Signed-off-by: Elad Nachman -Acked-by: Adrian Hunter -Link: https://lore.kernel.org/r/20240104173033.2836110-1-enachman@marvell.com -Signed-off-by: Ulf Hansson ---- - drivers/mmc/host/sdhci-xenon.c | 31 +++++++++++++++++++++++++++++++ - drivers/mmc/host/sdhci-xenon.h | 3 ++- - 2 files changed, 33 insertions(+), 1 deletion(-) - -diff --git a/drivers/mmc/host/sdhci-xenon.c b/drivers/mmc/host/sdhci-xenon.c -index 25ba7aecc3be..0e52867f6e91 100644 ---- a/drivers/mmc/host/sdhci-xenon.c -+++ b/drivers/mmc/host/sdhci-xenon.c -@@ -18,6 +18,8 @@ - #include - #include - #include -+#include -+#include - - #include "sdhci-pltfm.h" - #include "sdhci-xenon.h" -@@ -422,6 +424,7 @@ static int xenon_probe_params(struct platform_device *pdev) - struct xenon_priv *priv = sdhci_pltfm_priv(pltfm_host); - u32 sdhc_id, nr_sdhc; - u32 tuning_count; -+ struct sysinfo si; - - /* Disable HS200 on Armada AP806 */ - if (priv->hw_version == XENON_AP806) -@@ -450,6 +453,23 @@ static int xenon_probe_params(struct platform_device *pdev) - } - priv->tuning_count = tuning_count; - -+ /* -+ * AC5/X/IM HW has only 31-bits passed in the crossbar switch. -+ * If we have more than 2GB of memory, this means we might pass -+ * memory pointers which are above 2GB and which cannot be properly -+ * represented. In this case, disable ADMA, 64-bit DMA and allow only SDMA. -+ * This effectively will enable bounce buffer quirk in the -+ * generic SDHCI driver, which will make sure DMA is only done -+ * from supported memory regions: -+ */ -+ if (priv->hw_version == XENON_AC5) { -+ si_meminfo(&si); -+ if (si.totalram * si.mem_unit > SZ_2G) { -+ host->quirks |= SDHCI_QUIRK_BROKEN_ADMA; -+ host->quirks2 |= SDHCI_QUIRK2_BROKEN_64_BIT_DMA; -+ } -+ } -+ - return xenon_phy_parse_params(dev, host); - } - -@@ -562,6 +582,16 @@ static int xenon_probe(struct platform_device *pdev) - goto remove_sdhc; - - pm_runtime_put_autosuspend(&pdev->dev); -+ /* -+ * If we previously detected AC5 with over 2GB of memory, -+ * then we disable ADMA and 64-bit DMA. -+ * This means generic SDHCI driver has set the DMA mask to -+ * 32-bit. Since DDR starts at 0x2_0000_0000, we must use -+ * 34-bit DMA mask to access this DDR memory: -+ */ -+ if (priv->hw_version == XENON_AC5 && -+ host->quirks2 & SDHCI_QUIRK2_BROKEN_64_BIT_DMA) -+ dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(34)); - - return 0; - -@@ -680,6 +710,7 @@ static const struct of_device_id sdhci_xenon_dt_ids[] = { - { .compatible = "marvell,armada-ap807-sdhci", .data = (void *)XENON_AP807}, - { .compatible = "marvell,armada-cp110-sdhci", .data = (void *)XENON_CP110}, - { .compatible = "marvell,armada-3700-sdhci", .data = (void *)XENON_A3700}, -+ { .compatible = "marvell,ac5-sdhci", .data = (void *)XENON_AC5}, - {} - }; - MODULE_DEVICE_TABLE(of, sdhci_xenon_dt_ids); -diff --git a/drivers/mmc/host/sdhci-xenon.h b/drivers/mmc/host/sdhci-xenon.h -index 3e9c6c908a79..0460d97aad26 100644 ---- a/drivers/mmc/host/sdhci-xenon.h -+++ b/drivers/mmc/host/sdhci-xenon.h -@@ -57,7 +57,8 @@ enum xenon_variant { - XENON_A3700, - XENON_AP806, - XENON_AP807, -- XENON_CP110 -+ XENON_CP110, -+ XENON_AC5 - }; - - struct xenon_priv { --- -2.25.1 - diff --git a/patches-sonic/0007-usb-ehci-Add-support-for-ac5.patch b/patches-sonic/0007-usb-ehci-Add-support-for-ac5.patch deleted file mode 100644 index 48dfaf832..000000000 --- a/patches-sonic/0007-usb-ehci-Add-support-for-ac5.patch +++ /dev/null @@ -1,38 +0,0 @@ -From: Pavan Naregundi -Date: Mon, 13 Mar 2023 10:01:51 +0000 -usb: ehci: Add support for ac5 - -Add a new compatible string for 98DX25xx SoCs. -Change DMA bit mask to 64-bit addressing. - -Signed-off-by: Yuval Shaia -Tested-by: Raz Adashi -Reviewed-by: Raz Adashi ---- - drivers/usb/host/ehci-orion.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/drivers/usb/host/ehci-orion.c b/drivers/usb/host/ehci-orion.c -index 3626758b3..488a2ba86 100644 ---- a/drivers/usb/host/ehci-orion.c -+++ b/drivers/usb/host/ehci-orion.c -@@ -232,7 +232,7 @@ static int ehci_orion_drv_probe(struct platform_device *pdev) - * set. Since shared usb code relies on it, set it here for - * now. Once we have dma capability bindings this can go away. - */ -- err = dma_coerce_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(32)); -+ err = dma_coerce_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(64)); - if (err) - goto err; - -@@ -341,6 +341,7 @@ static int ehci_orion_drv_remove(struct platform_device *pdev) - static const struct of_device_id ehci_orion_dt_ids[] = { - { .compatible = "marvell,orion-ehci", }, - { .compatible = "marvell,armada-3700-ehci", }, -+ { .compatible = "marvell,ac5-ehci", }, - {}, - }; - MODULE_DEVICE_TABLE(of, ehci_orion_dt_ids); --- -2.25.1 - diff --git a/patches-sonic/PCI-ASPM-Fix-link-state-exit-during-switch-upstream.patch b/patches-sonic/PCI-ASPM-Fix-link-state-exit-during-switch-upstream.patch deleted file mode 100644 index 1b2cb4d8c..000000000 --- a/patches-sonic/PCI-ASPM-Fix-link-state-exit-during-switch-upstream.patch +++ /dev/null @@ -1,79 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Daniel Stodden -Date: Sun, 22 Dec 2024 19:39:08 -0800 -Subject: [PATCH] PCI/ASPM: Fix link state exit during switch upstream function - removal -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -[ Upstream commit cbf937dcadfd571a434f8074d057b32cd14fbea5 ] - -Before 456d8aa37d0f ("PCI/ASPM: Disable ASPM on MFD function removal to -avoid use-after-free"), we would free the ASPM link only after the last -function on the bus pertaining to the given link was removed. - -That was too late. If function 0 is removed before sibling function, -link->downstream would point to free'd memory after. - -After above change, we freed the ASPM parent link state upon any function -removal on the bus pertaining to a given link. - -That is too early. If the link is to a PCIe switch with MFD on the upstream -port, then removing functions other than 0 first would free a link which -still remains parent_link to the remaining downstream ports. - -The resulting GPFs are especially frequent during hot-unplug, because -pciehp removes devices on the link bus in reverse order. - -On that switch, function 0 is the virtual P2P bridge to the internal bus. -Free exactly when function 0 is removed -- before the parent link is -obsolete, but after all subordinate links are gone. - -Link: https://lore.kernel.org/r/e12898835f25234561c9d7de4435590d957b85d9.1734924854.git.dns@arista.com -Fixes: 456d8aa37d0f ("PCI/ASPM: Disable ASPM on MFD function removal to avoid use-after-free") -Signed-off-by: Daniel Stodden -Signed-off-by: Bjorn Helgaas -[kwilczynski: commit log] -Signed-off-by: Krzysztof Wilczyński ---- - drivers/pci/pcie/aspm.c | 17 +++++++++-------- - 1 file changed, 9 insertions(+), 8 deletions(-) - -diff --git a/drivers/pci/pcie/aspm.c b/drivers/pci/pcie/aspm.c -index cf4acea6610d..20ec2a4aae65 100644 ---- a/drivers/pci/pcie/aspm.c -+++ b/drivers/pci/pcie/aspm.c -@@ -1031,16 +1031,16 @@ void pcie_aspm_exit_link_state(struct pci_dev *pdev) - parent_link = link->parent; - - /* -- * link->downstream is a pointer to the pci_dev of function 0. If -- * we remove that function, the pci_dev is about to be deallocated, -- * so we can't use link->downstream again. Free the link state to -- * avoid this. -+ * Free the parent link state, no later than function 0 (i.e. -+ * link->downstream) being removed. - * -- * If we're removing a non-0 function, it's possible we could -- * retain the link state, but PCIe r6.0, sec 7.5.3.7, recommends -- * programming the same ASPM Control value for all functions of -- * multi-function devices, so disable ASPM for all of them. -+ * Do not free the link state any earlier. If function 0 is a -+ * switch upstream port, this link state is parent_link to all -+ * subordinate ones. - */ -+ if (pdev != link->downstream) -+ goto out; -+ - pcie_config_aspm_link(link, 0); - list_del(&link->sibling); - free_link_state(link); -@@ -1051,6 +1051,7 @@ void pcie_aspm_exit_link_state(struct pci_dev *pdev) - pcie_config_aspm_path(parent_link); - } - -+ out: - mutex_unlock(&aspm_lock); - up_read(&pci_bus_sem); - } diff --git a/patches-sonic/cisco-hwmon-pmbus_core-pec-support-check.patch b/patches-sonic/cisco-hwmon-pmbus_core-pec-support-check.patch deleted file mode 100644 index bd6d5cedd..000000000 --- a/patches-sonic/cisco-hwmon-pmbus_core-pec-support-check.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 8451736f488d2e24da57a6d6d8a3880bd023812b Mon Sep 17 00:00:00 2001 -From: Madhava Reddy Siddareddygari -Date: Tue, 9 Nov 2021 10:54:31 -0800 -Subject: [PATCH] hwmon: (pmbus_core) Check adapter PEC support - -Currently, for Packet Error Checking (PEC) only the controller -is checked for support. This causes problems on the cisco-8000 -platform where a SMBUS transaction errors are observed. This is -because PEC has to be enabled only if both controller and -adapter supports it. - -Added code to check PEC capability for adapter and enable it -only if both controller and adapter supports PEC. - -This patch was applied to Linux 5.14 in commit -4e5418f787ec56d7fe3c6efee486b8f508c58baf -(hwmon: (pmbus_core) Check adapter PEC support). - -Signed-off-by: Madhava Reddy Siddareddygari ---- - drivers/hwmon/pmbus/pmbus_core.c | 10 ++++++---- - 1 file changed, 6 insertions(+), 4 deletions(-) - -diff --git a/drivers/hwmon/pmbus/pmbus_core.c b/drivers/hwmon/pmbus/pmbus_core.c -index 192442b3b..634615324 100644 ---- a/drivers/hwmon/pmbus/pmbus_core.c -+++ b/drivers/hwmon/pmbus/pmbus_core.c -@@ -2203,10 +2203,12 @@ static int pmbus_init_common(struct i2c_client *client, struct pmbus_data *data, - data->has_status_word = true; - } - -- /* Enable PEC if the controller supports it */ -- ret = i2c_smbus_read_byte_data(client, PMBUS_CAPABILITY); -- if (ret >= 0 && (ret & PB_CAPABILITY_ERROR_CHECK)) -- client->flags |= I2C_CLIENT_PEC; -+ /* Enable PEC if the controller and bus support it */ -+ if (i2c_check_functionality(client->adapter, I2C_FUNC_SMBUS_PEC)) { -+ ret = i2c_smbus_read_byte_data(client, PMBUS_CAPABILITY); -+ if (ret >= 0 && (ret & PB_CAPABILITY_ERROR_CHECK)) -+ client->flags |= I2C_CLIENT_PEC; -+ } - - /* - * Check if the chip is write protected. If it is, we can not clear --- -2.25.1 - diff --git a/patches-sonic/cisco-x86-gpio-config.patch b/patches-sonic/cisco-x86-gpio-config.patch deleted file mode 100644 index 5df46b7b1..000000000 --- a/patches-sonic/cisco-x86-gpio-config.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 7106f3961be1dc0d921efe5c719ada6096307227 Mon Sep 17 00:00:00 2001 -From: Madhava Reddy Siddareddygari -Date: Tue, 10 Aug 2021 12:51:47 -0700 -Subject: [PATCH] x86/Kconfig: Introduce ARCH_NR_GPIO - -The x86 platform did not allow configuring the maximum number of GPIOs -supported, although the ARM platform did. For cisco-8000 platform, -each FPGA gpio IP block can support 1K pins. Distributed chassis with -Route Processor and Fabric cards can have 10 such IP blocks, along with -additional pins through i2c gpio extenders. - -This patch supports configurable number of GPIO's at kernel config time -similar to ARM platform. - -Signed-off-by: Madhava Reddy Siddareddygari ---- - arch/x86/Kconfig | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index d2453b251..e894cd71d 100644 ---- a/arch/x86/Kconfig -+++ b/arch/x86/Kconfig -@@ -342,6 +342,11 @@ config SCHED_MC_PRIO - - config ARCH_NR_GPIO - int -+ prompt "Maximum number of GPIO's" - default 1024 if X86_64 - default 512 -+ help -+ Maximum number of GPIOs in the system. -+ -+ If unsure, leave the default value. - - config ARCH_SUSPEND_POSSIBLE - def_bool y --- -2.26.2 - diff --git a/patches-sonic/series b/patches-sonic/series index 89bdcd183..dd8a7127b 100644 --- a/patches-sonic/series +++ b/patches-sonic/series @@ -148,11 +148,9 @@ driver-i2c-smbus-add-disable_spd-module-parameter.patch # Cisco patches for 5.10 kernel cisco-mtd-part.patch cisco-mdio-mux-support-acpi.patch -#cisco-x86-gpio-config.patch # Deprecated, GPIOs are effectively unlimited cisco-acpi-spi-nor.patch cisco-Enable-static-memory-reservation-for-OIRable-PCIe-de.patch cisco-npu-disable-other-bars.patch -#cisco-hwmon-pmbus_core-pec-support-check.patch # Upstreamed 0001-regmap-i2c-add-SMBus-byte-word-reg16-bus-for-adapter.patch 0002-regmap-i2c-fix-sparse-warning-in-regmap_smbus_word_w.patch @@ -162,12 +160,7 @@ cisco-npu-disable-other-bars.patch # # Marvell platform patches for 6.1 kernel 0001-armhf_secondary_boot_online.patch -#0002-arm64-dts-Update-cache-properties-for-marvell.patch # Upstreamed -#0003-arm64-dts-marvell-Add-NAND-flash-controller-to-AC5.patch # Upstreamed -#0004-arm64-dts-ac5-add-mmc-node-and-clock.patch # Upstreamed 0005-dts-ac5-marvell-Add-switching-watchdog-node.patch -#0006-mmc-xenon-Add-ac5-support-via-bounce-buffer.patch # Upstreamed -#0007-usb-ehci-Add-support-for-ac5.patch # Upstreamed but no 64-bit, so the next 0007 0007-usb-ehci-Add-support-for-ac5-with-DMA-mask-64-bit.patch 0008-mv6xxx-Fix-i2c-lock-due-to-arb-loss.patch 0009-dt-bindings-marvell-Add-ARMADA-7K-properties.patch @@ -241,10 +234,6 @@ driver-tty-serial-8250-add-support-for-fintek-F81214E.patch # Linux upstream pen 0015-i2c-xiic-use-numbered-adapter-registration.patch 0016-i2c-xiic-skip-input-clock-setup-on-non-OF-systems.patch -# Fix to avoid kernel panic on Kernel 6.1.94 -# https://github.com/sonic-net/sonic-buildimage/issues/20901 -#PCI-ASPM-Fix-link-state-exit-during-switch-upstream.patch # Upstreamed - # 0001-PCI-AER-Simplify-pci_print_aer.patch 0002-PCI-AER-Update-statistics-before-ratelimiting.patch From 134a7d884049056f7f0175961f45fe87cf8ff444 Mon Sep 17 00:00:00 2001 From: Saikrishna Arcot Date: Wed, 8 Jul 2026 14:02:40 -0700 Subject: [PATCH 2/2] Update to Linux 6.12.94 Aspeed patches are disabled as of right now. Signed-off-by: Saikrishna Arcot --- Makefile | 2 +- ...sdhci-cadence-Add-CN10K-eMMC-support.patch | 16 +- ...e-vxlan-Protocol-field-in-bridge-fdb.patch | 2 +- ...ware-Support-stuck-SDA-line-recovery.patch | 2 +- ...-Call-platform-handler-for-do_serror.patch | 6 +- ...e-DFA-start-states-are-in-bounds-in-.patch | 56 -- ...mor-fix-memory-leak-in-verify_header.patch | 40 - ...-recursive-profile-removal-with-iter.patch | 86 --- ...it-the-number-of-levels-of-policy-na.patch | 52 -- ...e-effect-bug-in-match_char-macro-usa.patch | 124 --- ...sing-bounds-check-on-DEFAULT-table-i.patch | 92 --- ...ble-free-of-ns_name-in-aa_replace_pr.patch | 48 -- ...rivileged-local-user-can-do-privileg.patch | 187 ----- ...x-differential-encoding-verification.patch | 92 --- ...rmor-fix-race-on-rawdata-dereference.patch | 446 ----------- ...e-between-freeing-data-and-fs-access.patch | 717 ------------------ patches-sonic/series | 52 +- 17 files changed, 38 insertions(+), 1982 deletions(-) delete mode 100644 patches-sonic/qsa-2026-apparmor/0001-apparmor-validate-DFA-start-states-are-in-bounds-in-.patch delete mode 100644 patches-sonic/qsa-2026-apparmor/0002-apparmor-fix-memory-leak-in-verify_header.patch delete mode 100644 patches-sonic/qsa-2026-apparmor/0003-apparmor-replace-recursive-profile-removal-with-iter.patch delete mode 100644 patches-sonic/qsa-2026-apparmor/0004-apparmor-fix-limit-the-number-of-levels-of-policy-na.patch delete mode 100644 patches-sonic/qsa-2026-apparmor/0005-apparmor-fix-side-effect-bug-in-match_char-macro-usa.patch delete mode 100644 patches-sonic/qsa-2026-apparmor/0006-apparmor-fix-missing-bounds-check-on-DEFAULT-table-i.patch delete mode 100644 patches-sonic/qsa-2026-apparmor/0007-apparmor-Fix-double-free-of-ns_name-in-aa_replace_pr.patch delete mode 100644 patches-sonic/qsa-2026-apparmor/0008-apparmor-fix-unprivileged-local-user-can-do-privileg.patch delete mode 100644 patches-sonic/qsa-2026-apparmor/0009-apparmor-fix-differential-encoding-verification.patch delete mode 100644 patches-sonic/qsa-2026-apparmor/0010-apparmor-fix-race-on-rawdata-dereference.patch delete mode 100644 patches-sonic/qsa-2026-apparmor/0011-apparmor-fix-race-between-freeing-data-and-fs-access.patch diff --git a/Makefile b/Makefile index 2c4cc7609..0b8f3fce3 100644 --- a/Makefile +++ b/Makefile @@ -2,7 +2,7 @@ SHELL = /bin/bash .SHELLFLAGS += -ex -KERNEL_VERSION ?= 6.12.41 +KERNEL_VERSION ?= 6.12.94 KERNEL_ABISUFFIX ?= +deb13 KERNEL_SUBVERSION ?= 1 KERNEL_FEATURESET ?= sonic diff --git a/patches-sonic/0001-mmc-sdhci-cadence-Add-CN10K-eMMC-support.patch b/patches-sonic/0001-mmc-sdhci-cadence-Add-CN10K-eMMC-support.patch index aa878442f..bfdef2dc6 100644 --- a/patches-sonic/0001-mmc-sdhci-cadence-Add-CN10K-eMMC-support.patch +++ b/patches-sonic/0001-mmc-sdhci-cadence-Add-CN10K-eMMC-support.patch @@ -2470,7 +2470,7 @@ index be1505e8c536..87022bc6d941 100644 }; static const struct sdhci_cdns_drv_data sdhci_elba_drv_data = { -@@ -431,12 +2281,32 @@ static const struct sdhci_cdns_drv_data sdhci_elba_drv_data = { +@@ -431,19 +2281,40 @@ static const struct sdhci_cdns_drv_data sdhci_elba_drv_data = { .pltfm_data = { .ops = &sdhci_elba_ops, }, @@ -2494,6 +2494,14 @@ index be1505e8c536..87022bc6d941 100644 + .cdns_data = &sdhci_cdns_sd4_data, }; + static const struct sdhci_cdns_drv_data sdhci_eyeq_drv_data = { + .pltfm_data = { + .ops = &sdhci_cdns_ops, + .quirks2 = SDHCI_QUIRK2_PRESET_VALUE_BROKEN, + }, ++ .cdns_data = NULL, + }; + -static const struct sdhci_cdns_drv_data sdhci_cdns_drv_data = { +static const struct sdhci_cdns_drv_data sdhci_cdns_sd6_drv_data = { + .init = sdhci_cdns_sd6_phy_probe, @@ -2698,9 +2706,9 @@ index be1505e8c536..87022bc6d941 100644 return ret; } -@@ -595,7 +2549,14 @@ static const struct of_device_id sdhci_cdns_match[] = { - .compatible = "amd,pensando-elba-sd4hc", - .data = &sdhci_elba_drv_data, +@@ -606,7 +2549,14 @@ static const struct of_device_id sdhci_cdns_match[] = { + .compatible = "mobileye,eyeq-sd4hc", + .data = &sdhci_eyeq_drv_data, }, - { .compatible = "cdns,sd4hc" }, + { diff --git a/patches-sonic/0002-net-bridge-vxlan-Protocol-field-in-bridge-fdb.patch b/patches-sonic/0002-net-bridge-vxlan-Protocol-field-in-bridge-fdb.patch index 22bfe9744..f49434b8c 100644 --- a/patches-sonic/0002-net-bridge-vxlan-Protocol-field-in-bridge-fdb.patch +++ b/patches-sonic/0002-net-bridge-vxlan-Protocol-field-in-bridge-fdb.patch @@ -217,7 +217,7 @@ index ffb0b61..7e08ae3 100644 hash_index = fdb_head_index(vxlan, addr, src_vni); spin_lock_bh(&vxlan->hash_lock[hash_index]); + if (protocol != RTPROT_UNSPEC) { -+ f = vxlan_find_mac(vxlan, addr, src_vni); ++ f = vxlan_find_mac_tx(vxlan, addr, src_vni); + if (!f || f->protocol != protocol) { + err = -ENOENT; + goto out; diff --git a/patches-sonic/0003-i2c-designware-Support-stuck-SDA-line-recovery.patch b/patches-sonic/0003-i2c-designware-Support-stuck-SDA-line-recovery.patch index 550f39abc..dc71eec8a 100644 --- a/patches-sonic/0003-i2c-designware-Support-stuck-SDA-line-recovery.patch +++ b/patches-sonic/0003-i2c-designware-Support-stuck-SDA-line-recovery.patch @@ -42,9 +42,9 @@ index 2d32896..59d1eba 100644 #define DW_IC_CLR_RESTART_DET 0xa8 +#define DW_IC_SCL_STUCK_AT_LOW 0xac +#define DW_IC_SDA_STUCK_AT_LOW 0xb0 + #define DW_IC_SMBUS_INTR_MASK 0xcc #define DW_IC_COMP_PARAM_1 0xf4 #define DW_IC_COMP_VERSION 0xf8 - #define DW_IC_SDA_HOLD_MIN_VERS 0x3131312A /* "111*" == v1.11* */ @@ -98,6 +100,7 @@ #define DW_IC_INTR_GEN_CALL BIT(11) #define DW_IC_INTR_RESTART_DET BIT(12) diff --git a/patches-sonic/0005-arm64-traps-Call-platform-handler-for-do_serror.patch b/patches-sonic/0005-arm64-traps-Call-platform-handler-for-do_serror.patch index 9dbe58b22..77d9790c5 100644 --- a/patches-sonic/0005-arm64-traps-Call-platform-handler-for-do_serror.patch +++ b/patches-sonic/0005-arm64-traps-Call-platform-handler-for-do_serror.patch @@ -18,9 +18,9 @@ index 82cf1f8..1b22756 100644 --- a/arch/arm64/include/asm/traps.h +++ b/arch/arm64/include/asm/traps.h @@ -28,7 +28,7 @@ - void arm64_force_sig_fault_pkey(unsigned long far, const char *str, int pkey); - void arm64_force_sig_mceerr(int code, unsigned long far, short lsb, const char *str); - void arm64_force_sig_ptrace_errno_trap(int errno, unsigned long far, const char *str); + int reserved_fault_brk_handler(struct pt_regs *regs, unsigned long esr); + int kasan_brk_handler(struct pt_regs *regs, unsigned long esr); + int ubsan_brk_handler(struct pt_regs *regs, unsigned long esr); - +int platform_serror(struct pt_regs *regs, unsigned int esr); int early_brk64(unsigned long addr, unsigned long esr, struct pt_regs *regs); diff --git a/patches-sonic/qsa-2026-apparmor/0001-apparmor-validate-DFA-start-states-are-in-bounds-in-.patch b/patches-sonic/qsa-2026-apparmor/0001-apparmor-validate-DFA-start-states-are-in-bounds-in-.patch deleted file mode 100644 index 3447056fa..000000000 --- a/patches-sonic/qsa-2026-apparmor/0001-apparmor-validate-DFA-start-states-are-in-bounds-in-.patch +++ /dev/null @@ -1,56 +0,0 @@ -From 0bc5b34e913eadcd3bcc51e4d365bf35f81b5c1f Mon Sep 17 00:00:00 2001 -From: Massimiliano Pellizzer -Date: Thu, 15 Jan 2026 15:30:50 +0100 -Subject: [PATCH 01/11] apparmor: validate DFA start states are in bounds in - unpack_pdb - -Start states are read from untrusted data and used as indexes into the -DFA state tables. The aa_dfa_next() function call in unpack_pdb() will -access dfa->tables[YYTD_ID_BASE][start], and if the start state exceeds -the number of states in the DFA, this results in an out-of-bound read. - -================================================================== - BUG: KASAN: slab-out-of-bounds in aa_dfa_next+0x2a1/0x360 - Read of size 4 at addr ffff88811956fb90 by task su/1097 - ... - -Reject policies with out-of-bounds start states during unpacking -to prevent the issue. - -Fixes: ad5ff3db53c6 ("AppArmor: Add ability to load extended policy") -Reported-by: Qualys Security Advisory -Tested-by: Salvatore Bonaccorso -Reviewed-by: Georgia Garcia -Reviewed-by: Cengiz Can -Signed-off-by: Massimiliano Pellizzer -Signed-off-by: John Johansen ---- - security/apparmor/policy_unpack.c | 12 +++++++++++- - 1 file changed, 11 insertions(+), 1 deletion(-) - -diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c -index 3483c595f999..e472442274d1 100644 ---- a/security/apparmor/policy_unpack.c -+++ b/security/apparmor/policy_unpack.c -@@ -760,7 +760,17 @@ static int unpack_pdb(struct aa_ext *e, struct aa_policydb **policy, - if (!aa_unpack_u32(e, &pdb->start[AA_CLASS_FILE], "dfa_start")) { - /* default start state for xmatch and file dfa */ - pdb->start[AA_CLASS_FILE] = DFA_START; -- } /* setup class index */ -+ } -+ -+ size_t state_count = pdb->dfa->tables[YYTD_ID_BASE]->td_lolen; -+ -+ if (pdb->start[0] >= state_count || -+ pdb->start[AA_CLASS_FILE] >= state_count) { -+ *info = "invalid dfa start state"; -+ goto fail; -+ } -+ -+ /* setup class index */ - for (i = AA_CLASS_FILE + 1; i <= AA_CLASS_LAST; i++) { - pdb->start[i] = aa_dfa_next(pdb->dfa, pdb->start[0], - i); --- -2.53.0 - diff --git a/patches-sonic/qsa-2026-apparmor/0002-apparmor-fix-memory-leak-in-verify_header.patch b/patches-sonic/qsa-2026-apparmor/0002-apparmor-fix-memory-leak-in-verify_header.patch deleted file mode 100644 index a7986efbc..000000000 --- a/patches-sonic/qsa-2026-apparmor/0002-apparmor-fix-memory-leak-in-verify_header.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 66ecb6689b1ee73fd2ecf7aea226ef21d72163cd Mon Sep 17 00:00:00 2001 -From: Massimiliano Pellizzer -Date: Tue, 20 Jan 2026 15:24:04 +0100 -Subject: [PATCH 02/11] apparmor: fix memory leak in verify_header - -The function sets `*ns = NULL` on every call, leaking the namespace -string allocated in previous iterations when multiple profiles are -unpacked. This also breaks namespace consistency checking since *ns -is always NULL when the comparison is made. - -Remove the incorrect assignment. -The caller (aa_unpack) initializes *ns to NULL once before the loop, -which is sufficient. - -Fixes: dd51c8485763 ("apparmor: provide base for multiple profiles to be replaced at once") -Reported-by: Qualys Security Advisory -Tested-by: Salvatore Bonaccorso -Reviewed-by: Georgia Garcia -Reviewed-by: Cengiz Can -Signed-off-by: Massimiliano Pellizzer -Signed-off-by: John Johansen ---- - security/apparmor/policy_unpack.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c -index e472442274d1..0232fc29a234 100644 ---- a/security/apparmor/policy_unpack.c -+++ b/security/apparmor/policy_unpack.c -@@ -1140,7 +1140,6 @@ static int verify_header(struct aa_ext *e, int required, const char **ns) - { - int error = -EPROTONOSUPPORT; - const char *name = NULL; -- *ns = NULL; - - /* get the interface version */ - if (!aa_unpack_u32(e, &e->version, "version")) { --- -2.53.0 - diff --git a/patches-sonic/qsa-2026-apparmor/0003-apparmor-replace-recursive-profile-removal-with-iter.patch b/patches-sonic/qsa-2026-apparmor/0003-apparmor-replace-recursive-profile-removal-with-iter.patch deleted file mode 100644 index 26a038e22..000000000 --- a/patches-sonic/qsa-2026-apparmor/0003-apparmor-replace-recursive-profile-removal-with-iter.patch +++ /dev/null @@ -1,86 +0,0 @@ -From 83417f15ea8253d96e6636fbb1c1cf95c0e6b6af Mon Sep 17 00:00:00 2001 -From: Massimiliano Pellizzer -Date: Tue, 13 Jan 2026 09:09:43 +0100 -Subject: [PATCH 03/11] apparmor: replace recursive profile removal with - iterative approach - -The profile removal code uses recursion when removing nested profiles, -which can lead to kernel stack exhaustion and system crashes. - -Reproducer: - $ pf='a'; for ((i=0; i<1024; i++)); do - echo -e "profile $pf { \n }" | apparmor_parser -K -a; - pf="$pf//x"; - done - $ echo -n a > /sys/kernel/security/apparmor/.remove - -Replace the recursive __aa_profile_list_release() approach with an -iterative approach in __remove_profile(). The function repeatedly -finds and removes leaf profiles until the entire subtree is removed, -maintaining the same removal semantic without recursion. - -Fixes: c88d4c7b049e ("AppArmor: core policy routines") -Reported-by: Qualys Security Advisory -Tested-by: Salvatore Bonaccorso -Reviewed-by: Georgia Garcia -Reviewed-by: Cengiz Can -Signed-off-by: Massimiliano Pellizzer -Signed-off-by: John Johansen ---- - security/apparmor/policy.c | 30 +++++++++++++++++++++++++++--- - 1 file changed, 27 insertions(+), 3 deletions(-) - -diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c -index 105706abf281..f6869ea00d1d 100644 ---- a/security/apparmor/policy.c -+++ b/security/apparmor/policy.c -@@ -184,19 +184,43 @@ static void __list_remove_profile(struct aa_profile *profile) - } - - /** -- * __remove_profile - remove old profile, and children -- * @profile: profile to be replaced (NOT NULL) -+ * __remove_profile - remove profile, and children -+ * @profile: profile to be removed (NOT NULL) - * - * Requires: namespace list lock be held, or list not be shared - */ - static void __remove_profile(struct aa_profile *profile) - { -+ struct aa_profile *curr, *to_remove; -+ - AA_BUG(!profile); - AA_BUG(!profile->ns); - AA_BUG(!mutex_is_locked(&profile->ns->lock)); - - /* release any children lists first */ -- __aa_profile_list_release(&profile->base.profiles); -+ if (!list_empty(&profile->base.profiles)) { -+ curr = list_first_entry(&profile->base.profiles, struct aa_profile, base.list); -+ -+ while (curr != profile) { -+ -+ while (!list_empty(&curr->base.profiles)) -+ curr = list_first_entry(&curr->base.profiles, -+ struct aa_profile, base.list); -+ -+ to_remove = curr; -+ if (!list_is_last(&to_remove->base.list, -+ &aa_deref_parent(curr)->base.profiles)) -+ curr = list_next_entry(to_remove, base.list); -+ else -+ curr = aa_deref_parent(curr); -+ -+ /* released by free_profile */ -+ aa_label_remove(&to_remove->label); -+ __aafs_profile_rmdir(to_remove); -+ __list_remove_profile(to_remove); -+ } -+ } -+ - /* released by free_profile */ - aa_label_remove(&profile->label); - __aafs_profile_rmdir(profile); --- -2.53.0 - diff --git a/patches-sonic/qsa-2026-apparmor/0004-apparmor-fix-limit-the-number-of-levels-of-policy-na.patch b/patches-sonic/qsa-2026-apparmor/0004-apparmor-fix-limit-the-number-of-levels-of-policy-na.patch deleted file mode 100644 index a506aa58f..000000000 --- a/patches-sonic/qsa-2026-apparmor/0004-apparmor-fix-limit-the-number-of-levels-of-policy-na.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 4fd74536d8c7e2fc69dc58907a2b082e393cfff4 Mon Sep 17 00:00:00 2001 -From: John Johansen -Date: Tue, 3 Mar 2026 11:08:02 -0800 -Subject: [PATCH 04/11] apparmor: fix: limit the number of levels of policy - namespaces - -Currently the number of policy namespaces is not bounded relying on -the user namespace limit. However policy namespaces aren't strictly -tied to user namespaces and it is possible to create them and nest -them arbitrarily deep which can be used to exhaust system resource. - -Hard cap policy namespaces to the same depth as user namespaces. - -Fixes: c88d4c7b049e8 ("AppArmor: core policy routines") -Reported-by: Qualys Security Advisory -Reviewed-by: Ryan Lee -Reviewed-by: Cengiz Can -Signed-off-by: John Johansen ---- - security/apparmor/include/policy_ns.h | 2 ++ - security/apparmor/policy_ns.c | 2 ++ - 2 files changed, 4 insertions(+) - -diff --git a/security/apparmor/include/policy_ns.h b/security/apparmor/include/policy_ns.h -index d646070fd966..cc6e84151812 100644 ---- a/security/apparmor/include/policy_ns.h -+++ b/security/apparmor/include/policy_ns.h -@@ -18,6 +18,8 @@ - #include "label.h" - #include "policy.h" - -+/* Match max depth of user namespaces */ -+#define MAX_NS_DEPTH 32 - - /* struct aa_ns_acct - accounting of profiles in namespace - * @max_size: maximum space allowed for all profiles in namespace -diff --git a/security/apparmor/policy_ns.c b/security/apparmor/policy_ns.c -index 1f02cfe1d974..06c0bde97a63 100644 ---- a/security/apparmor/policy_ns.c -+++ b/security/apparmor/policy_ns.c -@@ -223,6 +223,8 @@ static struct aa_ns *__aa_create_ns(struct aa_ns *parent, const char *name, - AA_BUG(!name); - AA_BUG(!mutex_is_locked(&parent->lock)); - -+ if (parent->level > MAX_NS_DEPTH) -+ return ERR_PTR(-ENOSPC); - ns = alloc_ns(parent->base.hname, name); - if (!ns) - return ERR_PTR(-ENOMEM); --- -2.53.0 - diff --git a/patches-sonic/qsa-2026-apparmor/0005-apparmor-fix-side-effect-bug-in-match_char-macro-usa.patch b/patches-sonic/qsa-2026-apparmor/0005-apparmor-fix-side-effect-bug-in-match_char-macro-usa.patch deleted file mode 100644 index df6b18709..000000000 --- a/patches-sonic/qsa-2026-apparmor/0005-apparmor-fix-side-effect-bug-in-match_char-macro-usa.patch +++ /dev/null @@ -1,124 +0,0 @@ -From 05302d7b0886b14de3d0e91a1b0c332f9ea0d292 Mon Sep 17 00:00:00 2001 -From: Massimiliano Pellizzer -Date: Thu, 29 Jan 2026 17:08:25 +0100 -Subject: [PATCH 05/11] apparmor: fix side-effect bug in match_char() macro - usage - -The match_char() macro evaluates its character parameter multiple -times when traversing differential encoding chains. When invoked -with *str++, the string pointer advances on each iteration of the -inner do-while loop, causing the DFA to check different characters -at each iteration and therefore skip input characters. -This results in out-of-bounds reads when the pointer advances past -the input buffer boundary. - -[ 94.984676] ================================================================== -[ 94.985301] BUG: KASAN: slab-out-of-bounds in aa_dfa_match+0x5ae/0x760 -[ 94.985655] Read of size 1 at addr ffff888100342000 by task file/976 - -[ 94.986319] CPU: 7 UID: 1000 PID: 976 Comm: file Not tainted 6.19.0-rc7-next-20260127 #1 PREEMPT(lazy) -[ 94.986322] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 -[ 94.986329] Call Trace: -[ 94.986341] -[ 94.986347] dump_stack_lvl+0x5e/0x80 -[ 94.986374] print_report+0xc8/0x270 -[ 94.986384] ? aa_dfa_match+0x5ae/0x760 -[ 94.986388] kasan_report+0x118/0x150 -[ 94.986401] ? aa_dfa_match+0x5ae/0x760 -[ 94.986405] aa_dfa_match+0x5ae/0x760 -[ 94.986408] __aa_path_perm+0x131/0x400 -[ 94.986418] aa_path_perm+0x219/0x2f0 -[ 94.986424] apparmor_file_open+0x345/0x570 -[ 94.986431] security_file_open+0x5c/0x140 -[ 94.986442] do_dentry_open+0x2f6/0x1120 -[ 94.986450] vfs_open+0x38/0x2b0 -[ 94.986453] ? may_open+0x1e2/0x2b0 -[ 94.986466] path_openat+0x231b/0x2b30 -[ 94.986469] ? __x64_sys_openat+0xf8/0x130 -[ 94.986477] do_file_open+0x19d/0x360 -[ 94.986487] do_sys_openat2+0x98/0x100 -[ 94.986491] __x64_sys_openat+0xf8/0x130 -[ 94.986499] do_syscall_64+0x8e/0x660 -[ 94.986515] ? count_memcg_events+0x15f/0x3c0 -[ 94.986526] ? srso_alias_return_thunk+0x5/0xfbef5 -[ 94.986540] ? handle_mm_fault+0x1639/0x1ef0 -[ 94.986551] ? vma_start_read+0xf0/0x320 -[ 94.986558] ? srso_alias_return_thunk+0x5/0xfbef5 -[ 94.986561] ? srso_alias_return_thunk+0x5/0xfbef5 -[ 94.986563] ? fpregs_assert_state_consistent+0x50/0xe0 -[ 94.986572] ? srso_alias_return_thunk+0x5/0xfbef5 -[ 94.986574] ? arch_exit_to_user_mode_prepare+0x9/0xb0 -[ 94.986587] ? srso_alias_return_thunk+0x5/0xfbef5 -[ 94.986588] ? irqentry_exit+0x3c/0x590 -[ 94.986595] entry_SYSCALL_64_after_hwframe+0x76/0x7e -[ 94.986597] RIP: 0033:0x7fda4a79c3ea - -Fix by extracting the character value before invoking match_char, -ensuring single evaluation per outer loop. - -Fixes: 074c1cd798cb ("apparmor: dfa move character match into a macro") -Reported-by: Qualys Security Advisory -Tested-by: Salvatore Bonaccorso -Reviewed-by: Georgia Garcia -Reviewed-by: Cengiz Can -Signed-off-by: Massimiliano Pellizzer -Signed-off-by: John Johansen ---- - security/apparmor/match.c | 30 ++++++++++++++++++++---------- - 1 file changed, 20 insertions(+), 10 deletions(-) - -diff --git a/security/apparmor/match.c b/security/apparmor/match.c -index 12e036f8ce0f..5fbfdd75afb5 100644 ---- a/security/apparmor/match.c -+++ b/security/apparmor/match.c -@@ -408,13 +408,18 @@ aa_state_t aa_dfa_match_len(struct aa_dfa *dfa, aa_state_t start, - if (dfa->tables[YYTD_ID_EC]) { - /* Equivalence class table defined */ - u8 *equiv = EQUIV_TABLE(dfa); -- for (; len; len--) -- match_char(state, def, base, next, check, -- equiv[(u8) *str++]); -+ for (; len; len--) { -+ u8 c = equiv[(u8) *str]; -+ -+ match_char(state, def, base, next, check, c); -+ str++; -+ } - } else { - /* default is direct to next state */ -- for (; len; len--) -- match_char(state, def, base, next, check, (u8) *str++); -+ for (; len; len--) { -+ match_char(state, def, base, next, check, (u8) *str); -+ str++; -+ } - } - - return state; -@@ -448,13 +453,18 @@ aa_state_t aa_dfa_match(struct aa_dfa *dfa, aa_state_t start, const char *str) - /* Equivalence class table defined */ - u8 *equiv = EQUIV_TABLE(dfa); - /* default is direct to next state */ -- while (*str) -- match_char(state, def, base, next, check, -- equiv[(u8) *str++]); -+ while (*str) { -+ u8 c = equiv[(u8) *str]; -+ -+ match_char(state, def, base, next, check, c); -+ str++; -+ } - } else { - /* default is direct to next state */ -- while (*str) -- match_char(state, def, base, next, check, (u8) *str++); -+ while (*str) { -+ match_char(state, def, base, next, check, (u8) *str); -+ str++; -+ } - } - - return state; --- -2.53.0 - diff --git a/patches-sonic/qsa-2026-apparmor/0006-apparmor-fix-missing-bounds-check-on-DEFAULT-table-i.patch b/patches-sonic/qsa-2026-apparmor/0006-apparmor-fix-missing-bounds-check-on-DEFAULT-table-i.patch deleted file mode 100644 index 9ba69881d..000000000 --- a/patches-sonic/qsa-2026-apparmor/0006-apparmor-fix-missing-bounds-check-on-DEFAULT-table-i.patch +++ /dev/null @@ -1,92 +0,0 @@ -From 32ef9e21844645607f4d24203cede23e1a76ceec Mon Sep 17 00:00:00 2001 -From: Massimiliano Pellizzer -Date: Thu, 29 Jan 2026 16:51:11 +0100 -Subject: [PATCH 06/11] apparmor: fix missing bounds check on DEFAULT table in - verify_dfa() - -The verify_dfa() function only checks DEFAULT_TABLE bounds when the state -is not differentially encoded. - -When the verification loop traverses the differential encoding chain, -it reads k = DEFAULT_TABLE[j] and uses k as an array index without -validation. A malformed DFA with DEFAULT_TABLE[j] >= state_count, -therefore, causes both out-of-bounds reads and writes. - -[ 57.179855] ================================================================== -[ 57.180549] BUG: KASAN: slab-out-of-bounds in verify_dfa+0x59a/0x660 -[ 57.180904] Read of size 4 at addr ffff888100eadec4 by task su/993 - -[ 57.181554] CPU: 1 UID: 0 PID: 993 Comm: su Not tainted 6.19.0-rc7-next-20260127 #1 PREEMPT(lazy) -[ 57.181558] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 -[ 57.181563] Call Trace: -[ 57.181572] -[ 57.181577] dump_stack_lvl+0x5e/0x80 -[ 57.181596] print_report+0xc8/0x270 -[ 57.181605] ? verify_dfa+0x59a/0x660 -[ 57.181608] kasan_report+0x118/0x150 -[ 57.181620] ? verify_dfa+0x59a/0x660 -[ 57.181623] verify_dfa+0x59a/0x660 -[ 57.181627] aa_dfa_unpack+0x1610/0x1740 -[ 57.181629] ? __kmalloc_cache_noprof+0x1d0/0x470 -[ 57.181640] unpack_pdb+0x86d/0x46b0 -[ 57.181647] ? srso_alias_return_thunk+0x5/0xfbef5 -[ 57.181653] ? srso_alias_return_thunk+0x5/0xfbef5 -[ 57.181656] ? aa_unpack_nameX+0x1a8/0x300 -[ 57.181659] aa_unpack+0x20b0/0x4c30 -[ 57.181662] ? srso_alias_return_thunk+0x5/0xfbef5 -[ 57.181664] ? stack_depot_save_flags+0x33/0x700 -[ 57.181681] ? kasan_save_track+0x4f/0x80 -[ 57.181683] ? kasan_save_track+0x3e/0x80 -[ 57.181686] ? __kasan_kmalloc+0x93/0xb0 -[ 57.181688] ? __kvmalloc_node_noprof+0x44a/0x780 -[ 57.181693] ? aa_simple_write_to_buffer+0x54/0x130 -[ 57.181697] ? policy_update+0x154/0x330 -[ 57.181704] aa_replace_profiles+0x15a/0x1dd0 -[ 57.181707] ? srso_alias_return_thunk+0x5/0xfbef5 -[ 57.181710] ? __kvmalloc_node_noprof+0x44a/0x780 -[ 57.181712] ? aa_loaddata_alloc+0x77/0x140 -[ 57.181715] ? srso_alias_return_thunk+0x5/0xfbef5 -[ 57.181717] ? _copy_from_user+0x2a/0x70 -[ 57.181730] policy_update+0x17a/0x330 -[ 57.181733] profile_replace+0x153/0x1a0 -[ 57.181735] ? rw_verify_area+0x93/0x2d0 -[ 57.181740] vfs_write+0x235/0xab0 -[ 57.181745] ksys_write+0xb0/0x170 -[ 57.181748] do_syscall_64+0x8e/0x660 -[ 57.181762] entry_SYSCALL_64_after_hwframe+0x76/0x7e -[ 57.181765] RIP: 0033:0x7f6192792eb2 - -Remove the MATCH_FLAG_DIFF_ENCODE condition to validate all DEFAULT_TABLE -entries unconditionally. - -Fixes: 031dcc8f4e84 ("apparmor: dfa add support for state differential encoding") -Reported-by: Qualys Security Advisory -Tested-by: Salvatore Bonaccorso -Reviewed-by: Georgia Garcia -Reviewed-by: Cengiz Can -Signed-off-by: Massimiliano Pellizzer -Signed-off-by: John Johansen ---- - security/apparmor/match.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/security/apparmor/match.c b/security/apparmor/match.c -index 5fbfdd75afb5..98cf3b1f1649 100644 ---- a/security/apparmor/match.c -+++ b/security/apparmor/match.c -@@ -160,9 +160,10 @@ static int verify_dfa(struct aa_dfa *dfa) - if (state_count == 0) - goto out; - for (i = 0; i < state_count; i++) { -- if (!(BASE_TABLE(dfa)[i] & MATCH_FLAG_DIFF_ENCODE) && -- (DEFAULT_TABLE(dfa)[i] >= state_count)) -+ if (DEFAULT_TABLE(dfa)[i] >= state_count) { -+ pr_err("AppArmor DFA default state out of bounds"); - goto out; -+ } - if (BASE_TABLE(dfa)[i] & MATCH_FLAGS_INVALID) { - pr_err("AppArmor DFA state with invalid match flags"); - goto out; --- -2.53.0 - diff --git a/patches-sonic/qsa-2026-apparmor/0007-apparmor-Fix-double-free-of-ns_name-in-aa_replace_pr.patch b/patches-sonic/qsa-2026-apparmor/0007-apparmor-Fix-double-free-of-ns_name-in-aa_replace_pr.patch deleted file mode 100644 index f87545d8b..000000000 --- a/patches-sonic/qsa-2026-apparmor/0007-apparmor-Fix-double-free-of-ns_name-in-aa_replace_pr.patch +++ /dev/null @@ -1,48 +0,0 @@ -From 93eb370bd91e1f3f9eaa53a1a8fa910903febeed Mon Sep 17 00:00:00 2001 -From: John Johansen -Date: Wed, 10 Sep 2025 06:22:17 -0700 -Subject: [PATCH 07/11] apparmor: Fix double free of ns_name in - aa_replace_profiles() - -if ns_name is NULL after -1071 error = aa_unpack(udata, &lh, &ns_name); - -and if ent->ns_name contains an ns_name in -1089 } else if (ent->ns_name) { - -then ns_name is assigned the ent->ns_name -1095 ns_name = ent->ns_name; - -however ent->ns_name is freed at -1262 aa_load_ent_free(ent); - -and then again when freeing ns_name at -1270 kfree(ns_name); - -Fix this by NULLing out ent->ns_name after it is transferred to ns_name - -Fixes: 04dc715e24d08 ("apparmor: audit policy ns specified in policy load") -Reported-by: Qualys Security Advisory -Tested-by: Salvatore Bonaccorso -Reviewed-by: Georgia Garcia -Reviewed-by: Cengiz Can -Signed-off-by: John Johansen ---- - security/apparmor/policy.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c -index f6869ea00d1d..9a4e29cdd8c0 100644 ---- a/security/apparmor/policy.c -+++ b/security/apparmor/policy.c -@@ -1118,6 +1118,7 @@ ssize_t aa_replace_profiles(struct aa_ns *policy_ns, struct aa_label *label, - goto fail; - } - ns_name = ent->ns_name; -+ ent->ns_name = NULL; - } else - count++; - } --- -2.53.0 - diff --git a/patches-sonic/qsa-2026-apparmor/0008-apparmor-fix-unprivileged-local-user-can-do-privileg.patch b/patches-sonic/qsa-2026-apparmor/0008-apparmor-fix-unprivileged-local-user-can-do-privileg.patch deleted file mode 100644 index eb300c4ed..000000000 --- a/patches-sonic/qsa-2026-apparmor/0008-apparmor-fix-unprivileged-local-user-can-do-privileg.patch +++ /dev/null @@ -1,187 +0,0 @@ -From 1e21c55c0b49ec1e88dd519f5d44695feb2adad9 Mon Sep 17 00:00:00 2001 -From: John Johansen -Date: Fri, 7 Nov 2025 08:36:04 -0800 -Subject: [PATCH 08/11] apparmor: fix unprivileged local user can do privileged - policy management - -An unprivileged local user can load, replace, and remove profiles by -opening the apparmorfs interfaces, via a confused deputy attack, by -passing the opened fd to a privileged process, and getting the -privileged process to write to the interface. - -This does require a privileged target that can be manipulated to do -the write for the unprivileged process, but once such access is -achieved full policy management is possible and all the possible -implications that implies: removing confinement, DoS of system or -target applications by denying all execution, by-passing the -unprivileged user namespace restriction, to exploiting kernel bugs for -a local privilege escalation. - -The policy management interface can not have its permissions simply -changed from 0666 to 0600 because non-root processes need to be able -to load policy to different policy namespaces. - -Instead ensure the task writing the interface has privileges that -are a subset of the task that opened the interface. This is already -done via policy for confined processes, but unconfined can delegate -access to the opened fd, by-passing the usual policy check. - -Fixes: c88d4c7b049e8 ("AppArmor: core policy routines") -Reported-by: Qualys Security Advisory -Tested-by: Salvatore Bonaccorso -Reviewed-by: Georgia Garcia -Reviewed-by: Cengiz Can -Signed-off-by: John Johansen ---- - security/apparmor/apparmorfs.c | 16 ++++++++------ - security/apparmor/include/policy.h | 2 +- - security/apparmor/policy.c | 34 +++++++++++++++++++++++++++++- - 3 files changed, 43 insertions(+), 9 deletions(-) - -diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c -index 01b923d97a44..c708f0bfe594 100644 ---- a/security/apparmor/apparmorfs.c -+++ b/security/apparmor/apparmorfs.c -@@ -412,7 +412,8 @@ static struct aa_loaddata *aa_simple_write_to_buffer(const char __user *userbuf, - } - - static ssize_t policy_update(u32 mask, const char __user *buf, size_t size, -- loff_t *pos, struct aa_ns *ns) -+ loff_t *pos, struct aa_ns *ns, -+ const struct cred *ocred) - { - struct aa_loaddata *data; - struct aa_label *label; -@@ -423,7 +424,7 @@ static ssize_t policy_update(u32 mask, const char __user *buf, size_t size, - /* high level check about policy management - fine grained in - * below after unpack - */ -- error = aa_may_manage_policy(current_cred(), label, ns, mask); -+ error = aa_may_manage_policy(current_cred(), label, ns, ocred, mask); - if (error) - goto end_section; - -@@ -444,7 +445,8 @@ static ssize_t profile_load(struct file *f, const char __user *buf, size_t size, - loff_t *pos) - { - struct aa_ns *ns = aa_get_ns(f->f_inode->i_private); -- int error = policy_update(AA_MAY_LOAD_POLICY, buf, size, pos, ns); -+ int error = policy_update(AA_MAY_LOAD_POLICY, buf, size, pos, ns, -+ f->f_cred); - - aa_put_ns(ns); - -@@ -462,7 +464,7 @@ static ssize_t profile_replace(struct file *f, const char __user *buf, - { - struct aa_ns *ns = aa_get_ns(f->f_inode->i_private); - int error = policy_update(AA_MAY_LOAD_POLICY | AA_MAY_REPLACE_POLICY, -- buf, size, pos, ns); -+ buf, size, pos, ns, f->f_cred); - aa_put_ns(ns); - - return error; -@@ -487,7 +489,7 @@ static ssize_t profile_remove(struct file *f, const char __user *buf, - * below after unpack - */ - error = aa_may_manage_policy(current_cred(), label, ns, -- AA_MAY_REMOVE_POLICY); -+ f->f_cred, AA_MAY_REMOVE_POLICY); - if (error) - goto out; - -@@ -1804,7 +1806,7 @@ static int ns_mkdir_op(struct mnt_idmap *idmap, struct inode *dir, - int error; - - label = begin_current_label_crit_section(); -- error = aa_may_manage_policy(current_cred(), label, NULL, -+ error = aa_may_manage_policy(current_cred(), label, NULL, NULL, - AA_MAY_LOAD_POLICY); - end_current_label_crit_section(label); - if (error) -@@ -1854,7 +1856,7 @@ static int ns_rmdir_op(struct inode *dir, struct dentry *dentry) - int error; - - label = begin_current_label_crit_section(); -- error = aa_may_manage_policy(current_cred(), label, NULL, -+ error = aa_may_manage_policy(current_cred(), label, NULL, NULL, - AA_MAY_LOAD_POLICY); - end_current_label_crit_section(label); - if (error) -diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h -index 75088cc310b6..b8c35972883c 100644 ---- a/security/apparmor/include/policy.h -+++ b/security/apparmor/include/policy.h -@@ -393,7 +393,7 @@ bool aa_policy_admin_capable(const struct cred *subj_cred, - struct aa_label *label, struct aa_ns *ns); - int aa_may_manage_policy(const struct cred *subj_cred, - struct aa_label *label, struct aa_ns *ns, -- u32 mask); -+ const struct cred *ocred, u32 mask); - bool aa_current_policy_view_capable(struct aa_ns *ns); - bool aa_current_policy_admin_capable(struct aa_ns *ns); - -diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c -index 9a4e29cdd8c0..29f1cfd75090 100644 ---- a/security/apparmor/policy.c -+++ b/security/apparmor/policy.c -@@ -894,17 +894,44 @@ bool aa_current_policy_admin_capable(struct aa_ns *ns) - return res; - } - -+static bool is_subset_of_obj_privilege(const struct cred *cred, -+ struct aa_label *label, -+ const struct cred *ocred) -+{ -+ if (cred == ocred) -+ return true; -+ -+ if (!aa_label_is_subset(label, cred_label(ocred))) -+ return false; -+ /* don't allow crossing userns for now */ -+ if (cred->user_ns != ocred->user_ns) -+ return false; -+ if (!cap_issubset(cred->cap_inheritable, ocred->cap_inheritable)) -+ return false; -+ if (!cap_issubset(cred->cap_permitted, ocred->cap_permitted)) -+ return false; -+ if (!cap_issubset(cred->cap_effective, ocred->cap_effective)) -+ return false; -+ if (!cap_issubset(cred->cap_bset, ocred->cap_bset)) -+ return false; -+ if (!cap_issubset(cred->cap_ambient, ocred->cap_ambient)) -+ return false; -+ return true; -+} -+ -+ - /** - * aa_may_manage_policy - can the current task manage policy - * @subj_cred: subjects cred - * @label: label to check if it can manage policy - * @ns: namespace being managed by @label (may be NULL if @label's ns) -+ * @ocred: object cred if request is coming from an open object - * @mask: contains the policy manipulation operation being done - * - * Returns: 0 if the task is allowed to manipulate policy else error - */ - int aa_may_manage_policy(const struct cred *subj_cred, struct aa_label *label, -- struct aa_ns *ns, u32 mask) -+ struct aa_ns *ns, const struct cred *ocred, u32 mask) - { - const char *op; - -@@ -920,6 +947,11 @@ int aa_may_manage_policy(const struct cred *subj_cred, struct aa_label *label, - return audit_policy(label, op, NULL, NULL, "policy_locked", - -EACCES); - -+ if (ocred && !is_subset_of_obj_privilege(subj_cred, label, ocred)) -+ return audit_policy(label, op, NULL, NULL, -+ "not privileged for target profile", -+ -EACCES); -+ - if (!aa_policy_admin_capable(subj_cred, label, ns)) - return audit_policy(label, op, NULL, NULL, "not policy admin", - -EACCES); --- -2.53.0 - diff --git a/patches-sonic/qsa-2026-apparmor/0009-apparmor-fix-differential-encoding-verification.patch b/patches-sonic/qsa-2026-apparmor/0009-apparmor-fix-differential-encoding-verification.patch deleted file mode 100644 index 9266e2bb6..000000000 --- a/patches-sonic/qsa-2026-apparmor/0009-apparmor-fix-differential-encoding-verification.patch +++ /dev/null @@ -1,92 +0,0 @@ -From 4bf3bc43e05ddcf84032d415861308ac5c895732 Mon Sep 17 00:00:00 2001 -From: John Johansen -Date: Fri, 17 Oct 2025 01:53:00 -0700 -Subject: [PATCH 09/11] apparmor: fix differential encoding verification - -Differential encoding allows loops to be created if it is abused. To -prevent this the unpack should verify that a diff-encode chain -terminates. - -Unfortunately the differential encode verification had two bugs. - -1. it conflated states that had gone through check and already been - marked, with states that were currently being checked and marked. - This means that loops in the current chain being verified are treated - as a chain that has already been verified. - -2. the order bailout on already checked states compared current chain - check iterators j,k instead of using the outer loop iterator i. - Meaning a step backwards in states in the current chain verification - was being mistaken for moving to an already verified state. - -Move to a double mark scheme where already verified states get a -different mark, than the current chain being kept. This enables us -to also drop the backwards verification check that was the cause of -the second error as any already verified state is already marked. - -Fixes: 031dcc8f4e84 ("apparmor: dfa add support for state differential encoding") -Reported-by: Qualys Security Advisory -Tested-by: Salvatore Bonaccorso -Reviewed-by: Georgia Garcia -Reviewed-by: Cengiz Can -Signed-off-by: John Johansen ---- - security/apparmor/include/match.h | 1 + - security/apparmor/match.c | 23 +++++++++++++++++++---- - 2 files changed, 20 insertions(+), 4 deletions(-) - -diff --git a/security/apparmor/include/match.h b/security/apparmor/include/match.h -index ae31a8a631fc..a86f74b59360 100644 ---- a/security/apparmor/include/match.h -+++ b/security/apparmor/include/match.h -@@ -181,6 +181,7 @@ static inline void aa_put_dfa(struct aa_dfa *dfa) - #define MATCH_FLAG_DIFF_ENCODE 0x80000000 - #define MARK_DIFF_ENCODE 0x40000000 - #define MATCH_FLAG_OOB_TRANSITION 0x20000000 -+#define MARK_DIFF_ENCODE_VERIFIED 0x10000000 - #define MATCH_FLAGS_MASK 0xff000000 - #define MATCH_FLAGS_VALID (MATCH_FLAG_DIFF_ENCODE | MATCH_FLAG_OOB_TRANSITION) - #define MATCH_FLAGS_INVALID (MATCH_FLAGS_MASK & ~MATCH_FLAGS_VALID) -diff --git a/security/apparmor/match.c b/security/apparmor/match.c -index 98cf3b1f1649..a37a5649802b 100644 ---- a/security/apparmor/match.c -+++ b/security/apparmor/match.c -@@ -202,16 +202,31 @@ static int verify_dfa(struct aa_dfa *dfa) - size_t j, k; - - for (j = i; -- (BASE_TABLE(dfa)[j] & MATCH_FLAG_DIFF_ENCODE) && -- !(BASE_TABLE(dfa)[j] & MARK_DIFF_ENCODE); -+ ((BASE_TABLE(dfa)[j] & MATCH_FLAG_DIFF_ENCODE) && -+ !(BASE_TABLE(dfa)[j] & MARK_DIFF_ENCODE_VERIFIED)); - j = k) { -+ if (BASE_TABLE(dfa)[j] & MARK_DIFF_ENCODE) -+ /* loop in current chain */ -+ goto out; - k = DEFAULT_TABLE(dfa)[j]; - if (j == k) -+ /* self loop */ - goto out; -- if (k < j) -- break; /* already verified */ - BASE_TABLE(dfa)[j] |= MARK_DIFF_ENCODE; - } -+ /* move mark to verified */ -+ for (j = i; -+ (BASE_TABLE(dfa)[j] & MATCH_FLAG_DIFF_ENCODE); -+ j = k) { -+ k = DEFAULT_TABLE(dfa)[j]; -+ if (j < i) -+ /* jumps to state/chain that has been -+ * verified -+ */ -+ break; -+ BASE_TABLE(dfa)[j] &= ~MARK_DIFF_ENCODE; -+ BASE_TABLE(dfa)[j] |= MARK_DIFF_ENCODE_VERIFIED; -+ } - } - error = 0; - --- -2.53.0 - diff --git a/patches-sonic/qsa-2026-apparmor/0010-apparmor-fix-race-on-rawdata-dereference.patch b/patches-sonic/qsa-2026-apparmor/0010-apparmor-fix-race-on-rawdata-dereference.patch deleted file mode 100644 index 00a52913a..000000000 --- a/patches-sonic/qsa-2026-apparmor/0010-apparmor-fix-race-on-rawdata-dereference.patch +++ /dev/null @@ -1,446 +0,0 @@ -From c88a5ec7c46387ceab1f9d550c035a76faf0f3d1 Mon Sep 17 00:00:00 2001 -From: John Johansen -Date: Tue, 24 Feb 2026 10:20:02 -0800 -Subject: [PATCH 10/11] apparmor: fix race on rawdata dereference -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -There is a race condition that leads to a use-after-free situation: -because the rawdata inodes are not refcounted, an attacker can start -open()ing one of the rawdata files, and at the same time remove the -last reference to this rawdata (by removing the corresponding profile, -for example), which frees its struct aa_loaddata; as a result, when -seq_rawdata_open() is reached, i_private is a dangling pointer and -freed memory is accessed. - -The rawdata inodes weren't refcounted to avoid a circular refcount and -were supposed to be held by the profile rawdata reference. However -during profile removal there is a window where the vfs and profile -destruction race, resulting in the use after free. - -Fix this by moving to a double refcount scheme. Where the profile -refcount on rawdata is used to break the circular dependency. Allowing -for freeing of the rawdata once all inode references to the rawdata -are put. - -Fixes: 5d5182cae401 ("apparmor: move to per loaddata files, instead of replicating in profiles") -Reported-by: Qualys Security Advisory -Reviewed-by: Georgia Garcia -Reviewed-by: Maxime Bélair -Reviewed-by: Cengiz Can -Tested-by: Salvatore Bonaccorso -Signed-off-by: John Johansen ---- - security/apparmor/apparmorfs.c | 35 ++++++----- - security/apparmor/include/policy_unpack.h | 71 ++++++++++++++--------- - security/apparmor/policy.c | 12 ++-- - security/apparmor/policy_unpack.c | 32 +++++++--- - 4 files changed, 93 insertions(+), 57 deletions(-) - -diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c -index c708f0bfe594..45f44978537e 100644 ---- a/security/apparmor/apparmorfs.c -+++ b/security/apparmor/apparmorfs.c -@@ -79,7 +79,7 @@ static void rawdata_f_data_free(struct rawdata_f_data *private) - if (!private) - return; - -- aa_put_loaddata(private->loaddata); -+ aa_put_i_loaddata(private->loaddata); - kvfree(private); - } - -@@ -404,7 +404,8 @@ static struct aa_loaddata *aa_simple_write_to_buffer(const char __user *userbuf, - - data->size = copy_size; - if (copy_from_user(data->data, userbuf, copy_size)) { -- aa_put_loaddata(data); -+ /* trigger free - don't need to put pcount */ -+ aa_put_i_loaddata(data); - return ERR_PTR(-EFAULT); - } - -@@ -432,7 +433,10 @@ static ssize_t policy_update(u32 mask, const char __user *buf, size_t size, - error = PTR_ERR(data); - if (!IS_ERR(data)) { - error = aa_replace_profiles(ns, label, mask, data); -- aa_put_loaddata(data); -+ /* put pcount, which will put count and free if no -+ * profiles referencing it. -+ */ -+ aa_put_profile_loaddata(data); - } - end_section: - end_current_label_crit_section(label); -@@ -503,7 +507,7 @@ static ssize_t profile_remove(struct file *f, const char __user *buf, - if (!IS_ERR(data)) { - data->data[size] = 0; - error = aa_remove_profiles(ns, label, data->data, size); -- aa_put_loaddata(data); -+ aa_put_profile_loaddata(data); - } - out: - end_current_label_crit_section(label); -@@ -1242,18 +1246,17 @@ static const struct file_operations seq_rawdata_ ##NAME ##_fops = { \ - static int seq_rawdata_open(struct inode *inode, struct file *file, - int (*show)(struct seq_file *, void *)) - { -- struct aa_loaddata *data = __aa_get_loaddata(inode->i_private); -+ struct aa_loaddata *data = aa_get_i_loaddata(inode->i_private); - int error; - - if (!data) -- /* lost race this ent is being reaped */ - return -ENOENT; - - error = single_open(file, show, data); - if (error) { - AA_BUG(file->private_data && - ((struct seq_file *)file->private_data)->private); -- aa_put_loaddata(data); -+ aa_put_i_loaddata(data); - } - - return error; -@@ -1264,7 +1267,7 @@ static int seq_rawdata_release(struct inode *inode, struct file *file) - struct seq_file *seq = (struct seq_file *) file->private_data; - - if (seq) -- aa_put_loaddata(seq->private); -+ aa_put_i_loaddata(seq->private); - - return single_release(inode, file); - } -@@ -1376,9 +1379,8 @@ static int rawdata_open(struct inode *inode, struct file *file) - if (!aa_current_policy_view_capable(NULL)) - return -EACCES; - -- loaddata = __aa_get_loaddata(inode->i_private); -+ loaddata = aa_get_i_loaddata(inode->i_private); - if (!loaddata) -- /* lost race: this entry is being reaped */ - return -ENOENT; - - private = rawdata_f_data_alloc(loaddata->size); -@@ -1403,7 +1405,7 @@ static int rawdata_open(struct inode *inode, struct file *file) - return error; - - fail_private_alloc: -- aa_put_loaddata(loaddata); -+ aa_put_i_loaddata(loaddata); - return error; - } - -@@ -1420,9 +1422,9 @@ static void remove_rawdata_dents(struct aa_loaddata *rawdata) - - for (i = 0; i < AAFS_LOADDATA_NDENTS; i++) { - if (!IS_ERR_OR_NULL(rawdata->dents[i])) { -- /* no refcounts on i_private */ - aafs_remove(rawdata->dents[i]); - rawdata->dents[i] = NULL; -+ aa_put_i_loaddata(rawdata); - } - } - } -@@ -1461,18 +1463,21 @@ int __aa_fs_create_rawdata(struct aa_ns *ns, struct aa_loaddata *rawdata) - if (IS_ERR(dir)) - /* ->name freed when rawdata freed */ - return PTR_ERR(dir); -+ aa_get_i_loaddata(rawdata); - rawdata->dents[AAFS_LOADDATA_DIR] = dir; - - dent = aafs_create_file("abi", S_IFREG | 0444, dir, rawdata, - &seq_rawdata_abi_fops); - if (IS_ERR(dent)) - goto fail; -+ aa_get_i_loaddata(rawdata); - rawdata->dents[AAFS_LOADDATA_ABI] = dent; - - dent = aafs_create_file("revision", S_IFREG | 0444, dir, rawdata, - &seq_rawdata_revision_fops); - if (IS_ERR(dent)) - goto fail; -+ aa_get_i_loaddata(rawdata); - rawdata->dents[AAFS_LOADDATA_REVISION] = dent; - - if (aa_g_hash_policy) { -@@ -1480,6 +1485,7 @@ int __aa_fs_create_rawdata(struct aa_ns *ns, struct aa_loaddata *rawdata) - rawdata, &seq_rawdata_hash_fops); - if (IS_ERR(dent)) - goto fail; -+ aa_get_i_loaddata(rawdata); - rawdata->dents[AAFS_LOADDATA_HASH] = dent; - } - -@@ -1488,24 +1494,25 @@ int __aa_fs_create_rawdata(struct aa_ns *ns, struct aa_loaddata *rawdata) - &seq_rawdata_compressed_size_fops); - if (IS_ERR(dent)) - goto fail; -+ aa_get_i_loaddata(rawdata); - rawdata->dents[AAFS_LOADDATA_COMPRESSED_SIZE] = dent; - - dent = aafs_create_file("raw_data", S_IFREG | 0444, - dir, rawdata, &rawdata_fops); - if (IS_ERR(dent)) - goto fail; -+ aa_get_i_loaddata(rawdata); - rawdata->dents[AAFS_LOADDATA_DATA] = dent; - d_inode(dent)->i_size = rawdata->size; - - rawdata->ns = aa_get_ns(ns); - list_add(&rawdata->list, &ns->rawdata_list); -- /* no refcount on inode rawdata */ - - return 0; - - fail: - remove_rawdata_dents(rawdata); -- -+ aa_put_i_loaddata(rawdata); - return PTR_ERR(dent); - } - #endif /* CONFIG_SECURITY_APPARMOR_EXPORT_BINARY */ -diff --git a/security/apparmor/include/policy_unpack.h b/security/apparmor/include/policy_unpack.h -index a6f4611ee50c..4f800fbb805a 100644 ---- a/security/apparmor/include/policy_unpack.h -+++ b/security/apparmor/include/policy_unpack.h -@@ -87,17 +87,29 @@ struct aa_ext { - u32 version; - }; - --/* -- * struct aa_loaddata - buffer of policy raw_data set -+/* struct aa_loaddata - buffer of policy raw_data set -+ * @count: inode/filesystem refcount - use aa_get_i_loaddata() -+ * @pcount: profile refcount - use aa_get_profile_loaddata() -+ * @list: list the loaddata is on -+ * @work: used to do a delayed cleanup -+ * @dents: refs to dents created in aafs -+ * @ns: the namespace this loaddata was loaded into -+ * @name: -+ * @size: the size of the data that was loaded -+ * @compressed_size: the size of the data when it is compressed -+ * @revision: unique revision count that this data was loaded as -+ * @abi: the abi number the loaddata uses -+ * @hash: a hash of the loaddata, used to help dedup data - * -- * there is no loaddata ref for being on ns list, nor a ref from -- * d_inode(@dentry) when grab a ref from these, @ns->lock must be held -- * && __aa_get_loaddata() needs to be used, and the return value -- * checked, if NULL the loaddata is already being reaped and should be -- * considered dead. -+ * There is no loaddata ref for being on ns->rawdata_list, so -+ * @ns->lock must be held when walking the list. Dentries and -+ * inode opens hold refs on @count; profiles hold refs on @pcount. -+ * When the last @pcount drops, do_ploaddata_rmfs() removes the -+ * fs entries and drops the associated @count ref. - */ - struct aa_loaddata { - struct kref count; -+ struct kref pcount; - struct list_head list; - struct work_struct work; - struct dentry *dents[AAFS_LOADDATA_NDENTS]; -@@ -119,52 +131,55 @@ struct aa_loaddata { - int aa_unpack(struct aa_loaddata *udata, struct list_head *lh, const char **ns); - - /** -- * __aa_get_loaddata - get a reference count to uncounted data reference -+ * aa_get_loaddata - get a reference count from a counted data reference - * @data: reference to get a count on - * -- * Returns: pointer to reference OR NULL if race is lost and reference is -- * being repeated. -- * Requires: @data->ns->lock held, and the return code MUST be checked -- * -- * Use only from inode->i_private and @data->list found references -+ * Returns: pointer to reference -+ * Requires: @data to have a valid reference count on it. It is a bug -+ * if the race to reap can be encountered when it is used. - */ - static inline struct aa_loaddata * --__aa_get_loaddata(struct aa_loaddata *data) -+aa_get_i_loaddata(struct aa_loaddata *data) - { -- if (data && kref_get_unless_zero(&(data->count))) -- return data; - -- return NULL; -+ if (data) -+ kref_get(&(data->count)); -+ return data; - } - -+ - /** -- * aa_get_loaddata - get a reference count from a counted data reference -+ * aa_get_profile_loaddata - get a profile reference count on loaddata - * @data: reference to get a count on - * -- * Returns: point to reference -- * Requires: @data to have a valid reference count on it. It is a bug -- * if the race to reap can be encountered when it is used. -+ * Returns: pointer to reference -+ * Requires: @data to have a valid reference count on it. - */ - static inline struct aa_loaddata * --aa_get_loaddata(struct aa_loaddata *data) -+aa_get_profile_loaddata(struct aa_loaddata *data) - { -- struct aa_loaddata *tmp = __aa_get_loaddata(data); -- -- AA_BUG(data && !tmp); -- -- return tmp; -+ if (data) -+ kref_get(&(data->pcount)); -+ return data; - } - - void __aa_loaddata_update(struct aa_loaddata *data, long revision); - bool aa_rawdata_eq(struct aa_loaddata *l, struct aa_loaddata *r); - void aa_loaddata_kref(struct kref *kref); -+void aa_ploaddata_kref(struct kref *kref); - struct aa_loaddata *aa_loaddata_alloc(size_t size); --static inline void aa_put_loaddata(struct aa_loaddata *data) -+static inline void aa_put_i_loaddata(struct aa_loaddata *data) - { - if (data) - kref_put(&data->count, aa_loaddata_kref); - } - -+static inline void aa_put_profile_loaddata(struct aa_loaddata *data) -+{ -+ if (data) -+ kref_put(&data->pcount, aa_ploaddata_kref); -+} -+ - #if IS_ENABLED(CONFIG_KUNIT) - bool aa_inbounds(struct aa_ext *e, size_t size); - size_t aa_unpack_u16_chunk(struct aa_ext *e, char **chunk); -diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c -index 29f1cfd75090..b5ae0314b384 100644 ---- a/security/apparmor/policy.c -+++ b/security/apparmor/policy.c -@@ -338,7 +338,7 @@ void aa_free_profile(struct aa_profile *profile) - } - - kfree_sensitive(profile->hash); -- aa_put_loaddata(profile->rawdata); -+ aa_put_profile_loaddata(profile->rawdata); - aa_label_destroy(&profile->label); - - kfree_sensitive(profile); -@@ -1123,7 +1123,7 @@ ssize_t aa_replace_profiles(struct aa_ns *policy_ns, struct aa_label *label, - LIST_HEAD(lh); - - op = mask & AA_MAY_REPLACE_POLICY ? OP_PROF_REPL : OP_PROF_LOAD; -- aa_get_loaddata(udata); -+ aa_get_profile_loaddata(udata); - /* released below */ - error = aa_unpack(udata, &lh, &ns_name); - if (error) -@@ -1175,10 +1175,10 @@ ssize_t aa_replace_profiles(struct aa_ns *policy_ns, struct aa_label *label, - if (aa_rawdata_eq(rawdata_ent, udata)) { - struct aa_loaddata *tmp; - -- tmp = __aa_get_loaddata(rawdata_ent); -+ tmp = aa_get_profile_loaddata(rawdata_ent); - /* check we didn't fail the race */ - if (tmp) { -- aa_put_loaddata(udata); -+ aa_put_profile_loaddata(udata); - udata = tmp; - break; - } -@@ -1191,7 +1191,7 @@ ssize_t aa_replace_profiles(struct aa_ns *policy_ns, struct aa_label *label, - struct aa_profile *p; - - if (aa_g_export_binary) -- ent->new->rawdata = aa_get_loaddata(udata); -+ ent->new->rawdata = aa_get_profile_loaddata(udata); - error = __lookup_replace(ns, ent->new->base.hname, - !(mask & AA_MAY_REPLACE_POLICY), - &ent->old, &info); -@@ -1324,7 +1324,7 @@ ssize_t aa_replace_profiles(struct aa_ns *policy_ns, struct aa_label *label, - - out: - aa_put_ns(ns); -- aa_put_loaddata(udata); -+ aa_put_profile_loaddata(udata); - kfree(ns_name); - - if (error) -diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c -index 0232fc29a234..36175b99914b 100644 ---- a/security/apparmor/policy_unpack.c -+++ b/security/apparmor/policy_unpack.c -@@ -108,34 +108,47 @@ bool aa_rawdata_eq(struct aa_loaddata *l, struct aa_loaddata *r) - return memcmp(l->data, r->data, r->compressed_size ?: r->size) == 0; - } - -+static void do_loaddata_free(struct aa_loaddata *d) -+{ -+ kfree_sensitive(d->hash); -+ kfree_sensitive(d->name); -+ kvfree(d->data); -+ kfree_sensitive(d); -+} -+ -+void aa_loaddata_kref(struct kref *kref) -+{ -+ struct aa_loaddata *d = container_of(kref, struct aa_loaddata, count); -+ -+ do_loaddata_free(d); -+} -+ - /* - * need to take the ns mutex lock which is NOT safe most places that - * put_loaddata is called, so we have to delay freeing it - */ --static void do_loaddata_free(struct work_struct *work) -+static void do_ploaddata_rmfs(struct work_struct *work) - { - struct aa_loaddata *d = container_of(work, struct aa_loaddata, work); - struct aa_ns *ns = aa_get_ns(d->ns); - - if (ns) { - mutex_lock_nested(&ns->lock, ns->level); -+ /* remove fs ref to loaddata */ - __aa_fs_remove_rawdata(d); - mutex_unlock(&ns->lock); - aa_put_ns(ns); - } -- -- kfree_sensitive(d->hash); -- kfree_sensitive(d->name); -- kvfree(d->data); -- kfree_sensitive(d); -+ /* called by dropping last pcount, so drop its associated icount */ -+ aa_put_i_loaddata(d); - } - --void aa_loaddata_kref(struct kref *kref) -+void aa_ploaddata_kref(struct kref *kref) - { -- struct aa_loaddata *d = container_of(kref, struct aa_loaddata, count); -+ struct aa_loaddata *d = container_of(kref, struct aa_loaddata, pcount); - - if (d) { -- INIT_WORK(&d->work, do_loaddata_free); -+ INIT_WORK(&d->work, do_ploaddata_rmfs); - schedule_work(&d->work); - } - } -@@ -153,6 +166,7 @@ struct aa_loaddata *aa_loaddata_alloc(size_t size) - return ERR_PTR(-ENOMEM); - } - kref_init(&d->count); -+ kref_init(&d->pcount); - INIT_LIST_HEAD(&d->list); - - return d; --- -2.53.0 - diff --git a/patches-sonic/qsa-2026-apparmor/0011-apparmor-fix-race-between-freeing-data-and-fs-access.patch b/patches-sonic/qsa-2026-apparmor/0011-apparmor-fix-race-between-freeing-data-and-fs-access.patch deleted file mode 100644 index d82fa012e..000000000 --- a/patches-sonic/qsa-2026-apparmor/0011-apparmor-fix-race-between-freeing-data-and-fs-access.patch +++ /dev/null @@ -1,717 +0,0 @@ -From 070021c421ed59f4886aad6a3e80f636227d62e5 Mon Sep 17 00:00:00 2001 -From: John Johansen -Date: Sun, 1 Mar 2026 16:10:51 -0800 -Subject: [PATCH 11/11] apparmor: fix race between freeing data and fs - accessing it -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -AppArmor was putting the reference to i_private data on its end after -removing the original entry from the file system. However the inode -can and does live beyond that point and it is possible that some of -the fs call back functions will be invoked after the reference has -been put, which results in a race between freeing the data and -accessing it through the fs. - -While the rawdata/loaddata is the most likely candidate to fail the -race, as it has the fewest references. If properly crafted it might be -possible to trigger a race for the other types stored in i_private. - -Fix this by moving the put of i_private referenced data to the correct -place which is during inode eviction. - -Fixes: c961ee5f21b20 ("apparmor: convert from securityfs to apparmorfs for policy ns files") -Reported-by: Qualys Security Advisory -Reviewed-by: Georgia Garcia -Reviewed-by: Maxime Bélair -Reviewed-by: Cengiz Can -Signed-off-by: John Johansen ---- - security/apparmor/apparmorfs.c | 194 +++++++++++++--------- - security/apparmor/include/label.h | 16 +- - security/apparmor/include/lib.h | 12 ++ - security/apparmor/include/policy.h | 8 +- - security/apparmor/include/policy_unpack.h | 6 +- - security/apparmor/label.c | 12 +- - security/apparmor/policy_unpack.c | 6 +- - 7 files changed, 153 insertions(+), 101 deletions(-) - -diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c -index 45f44978537e..c70e1daad21a 100644 ---- a/security/apparmor/apparmorfs.c -+++ b/security/apparmor/apparmorfs.c -@@ -32,6 +32,7 @@ - #include "include/crypto.h" - #include "include/ipc.h" - #include "include/label.h" -+#include "include/lib.h" - #include "include/policy.h" - #include "include/policy_ns.h" - #include "include/resource.h" -@@ -62,6 +63,7 @@ - * securityfs and apparmorfs filesystems. - */ - -+#define IREF_POISON 101 - - /* - * support fns -@@ -153,6 +155,71 @@ static int aafs_show_path(struct seq_file *seq, struct dentry *dentry) - return 0; - } - -+static struct aa_ns *get_ns_common_ref(struct aa_common_ref *ref) -+{ -+ if (ref) { -+ struct aa_label *reflabel = container_of(ref, struct aa_label, -+ count); -+ return aa_get_ns(labels_ns(reflabel)); -+ } -+ -+ return NULL; -+} -+ -+static struct aa_proxy *get_proxy_common_ref(struct aa_common_ref *ref) -+{ -+ if (ref) -+ return aa_get_proxy(container_of(ref, struct aa_proxy, count)); -+ -+ return NULL; -+} -+ -+static struct aa_loaddata *get_loaddata_common_ref(struct aa_common_ref *ref) -+{ -+ if (ref) -+ return aa_get_i_loaddata(container_of(ref, struct aa_loaddata, -+ count)); -+ return NULL; -+} -+ -+static void aa_put_common_ref(struct aa_common_ref *ref) -+{ -+ if (!ref) -+ return; -+ -+ switch (ref->reftype) { -+ case REF_RAWDATA: -+ aa_put_i_loaddata(container_of(ref, struct aa_loaddata, -+ count)); -+ break; -+ case REF_PROXY: -+ aa_put_proxy(container_of(ref, struct aa_proxy, -+ count)); -+ break; -+ case REF_NS: -+ /* ns count is held on its unconfined label */ -+ aa_put_ns(labels_ns(container_of(ref, struct aa_label, count))); -+ break; -+ default: -+ AA_BUG(true, "unknown refcount type"); -+ break; -+ } -+} -+ -+static void aa_get_common_ref(struct aa_common_ref *ref) -+{ -+ kref_get(&ref->count); -+} -+ -+static void aafs_evict(struct inode *inode) -+{ -+ struct aa_common_ref *ref = inode->i_private; -+ -+ clear_inode(inode); -+ aa_put_common_ref(ref); -+ inode->i_private = (void *) IREF_POISON; -+} -+ - static void aafs_free_inode(struct inode *inode) - { - if (S_ISLNK(inode->i_mode)) -@@ -162,6 +229,7 @@ static void aafs_free_inode(struct inode *inode) - - static const struct super_operations aafs_super_ops = { - .statfs = simple_statfs, -+ .evict_inode = aafs_evict, - .free_inode = aafs_free_inode, - .show_path = aafs_show_path, - }; -@@ -262,7 +330,8 @@ static int __aafs_setup_d_inode(struct inode *dir, struct dentry *dentry, - * aafs_remove(). Will return ERR_PTR on failure. - */ - static struct dentry *aafs_create(const char *name, umode_t mode, -- struct dentry *parent, void *data, void *link, -+ struct dentry *parent, -+ struct aa_common_ref *data, void *link, - const struct file_operations *fops, - const struct inode_operations *iops) - { -@@ -299,6 +368,9 @@ static struct dentry *aafs_create(const char *name, umode_t mode, - goto fail_dentry; - inode_unlock(dir); - -+ if (data) -+ aa_get_common_ref(data); -+ - return dentry; - - fail_dentry: -@@ -323,7 +395,8 @@ static struct dentry *aafs_create(const char *name, umode_t mode, - * see aafs_create - */ - static struct dentry *aafs_create_file(const char *name, umode_t mode, -- struct dentry *parent, void *data, -+ struct dentry *parent, -+ struct aa_common_ref *data, - const struct file_operations *fops) - { - return aafs_create(name, mode, parent, data, NULL, fops, NULL); -@@ -448,7 +521,7 @@ static ssize_t policy_update(u32 mask, const char __user *buf, size_t size, - static ssize_t profile_load(struct file *f, const char __user *buf, size_t size, - loff_t *pos) - { -- struct aa_ns *ns = aa_get_ns(f->f_inode->i_private); -+ struct aa_ns *ns = get_ns_common_ref(f->f_inode->i_private); - int error = policy_update(AA_MAY_LOAD_POLICY, buf, size, pos, ns, - f->f_cred); - -@@ -466,7 +539,7 @@ static const struct file_operations aa_fs_profile_load = { - static ssize_t profile_replace(struct file *f, const char __user *buf, - size_t size, loff_t *pos) - { -- struct aa_ns *ns = aa_get_ns(f->f_inode->i_private); -+ struct aa_ns *ns = get_ns_common_ref(f->f_inode->i_private); - int error = policy_update(AA_MAY_LOAD_POLICY | AA_MAY_REPLACE_POLICY, - buf, size, pos, ns, f->f_cred); - aa_put_ns(ns); -@@ -486,7 +559,7 @@ static ssize_t profile_remove(struct file *f, const char __user *buf, - struct aa_loaddata *data; - struct aa_label *label; - ssize_t error; -- struct aa_ns *ns = aa_get_ns(f->f_inode->i_private); -+ struct aa_ns *ns = get_ns_common_ref(f->f_inode->i_private); - - label = begin_current_label_crit_section(); - /* high level check about policy management - fine grained in -@@ -576,7 +649,7 @@ static int ns_revision_open(struct inode *inode, struct file *file) - if (!rev) - return -ENOMEM; - -- rev->ns = aa_get_ns(inode->i_private); -+ rev->ns = get_ns_common_ref(inode->i_private); - if (!rev->ns) - rev->ns = aa_get_current_ns(); - file->private_data = rev; -@@ -1054,7 +1127,7 @@ static const struct file_operations seq_profile_ ##NAME ##_fops = { \ - static int seq_profile_open(struct inode *inode, struct file *file, - int (*show)(struct seq_file *, void *)) - { -- struct aa_proxy *proxy = aa_get_proxy(inode->i_private); -+ struct aa_proxy *proxy = get_proxy_common_ref(inode->i_private); - int error = single_open(file, show, proxy); - - if (error) { -@@ -1246,7 +1319,7 @@ static const struct file_operations seq_rawdata_ ##NAME ##_fops = { \ - static int seq_rawdata_open(struct inode *inode, struct file *file, - int (*show)(struct seq_file *, void *)) - { -- struct aa_loaddata *data = aa_get_i_loaddata(inode->i_private); -+ struct aa_loaddata *data = get_loaddata_common_ref(inode->i_private); - int error; - - if (!data) -@@ -1379,7 +1452,7 @@ static int rawdata_open(struct inode *inode, struct file *file) - if (!aa_current_policy_view_capable(NULL)) - return -EACCES; - -- loaddata = aa_get_i_loaddata(inode->i_private); -+ loaddata = get_loaddata_common_ref(inode->i_private); - if (!loaddata) - return -ENOENT; - -@@ -1424,7 +1497,6 @@ static void remove_rawdata_dents(struct aa_loaddata *rawdata) - if (!IS_ERR_OR_NULL(rawdata->dents[i])) { - aafs_remove(rawdata->dents[i]); - rawdata->dents[i] = NULL; -- aa_put_i_loaddata(rawdata); - } - } - } -@@ -1463,45 +1535,41 @@ int __aa_fs_create_rawdata(struct aa_ns *ns, struct aa_loaddata *rawdata) - if (IS_ERR(dir)) - /* ->name freed when rawdata freed */ - return PTR_ERR(dir); -- aa_get_i_loaddata(rawdata); - rawdata->dents[AAFS_LOADDATA_DIR] = dir; - -- dent = aafs_create_file("abi", S_IFREG | 0444, dir, rawdata, -+ dent = aafs_create_file("abi", S_IFREG | 0444, dir, &rawdata->count, - &seq_rawdata_abi_fops); - if (IS_ERR(dent)) - goto fail; -- aa_get_i_loaddata(rawdata); - rawdata->dents[AAFS_LOADDATA_ABI] = dent; - -- dent = aafs_create_file("revision", S_IFREG | 0444, dir, rawdata, -- &seq_rawdata_revision_fops); -+ dent = aafs_create_file("revision", S_IFREG | 0444, dir, -+ &rawdata->count, -+ &seq_rawdata_revision_fops); - if (IS_ERR(dent)) - goto fail; -- aa_get_i_loaddata(rawdata); - rawdata->dents[AAFS_LOADDATA_REVISION] = dent; - - if (aa_g_hash_policy) { - dent = aafs_create_file("sha256", S_IFREG | 0444, dir, -- rawdata, &seq_rawdata_hash_fops); -+ &rawdata->count, -+ &seq_rawdata_hash_fops); - if (IS_ERR(dent)) - goto fail; -- aa_get_i_loaddata(rawdata); - rawdata->dents[AAFS_LOADDATA_HASH] = dent; - } - - dent = aafs_create_file("compressed_size", S_IFREG | 0444, dir, -- rawdata, -+ &rawdata->count, - &seq_rawdata_compressed_size_fops); - if (IS_ERR(dent)) - goto fail; -- aa_get_i_loaddata(rawdata); - rawdata->dents[AAFS_LOADDATA_COMPRESSED_SIZE] = dent; - -- dent = aafs_create_file("raw_data", S_IFREG | 0444, -- dir, rawdata, &rawdata_fops); -+ dent = aafs_create_file("raw_data", S_IFREG | 0444, dir, -+ &rawdata->count, &rawdata_fops); - if (IS_ERR(dent)) - goto fail; -- aa_get_i_loaddata(rawdata); - rawdata->dents[AAFS_LOADDATA_DATA] = dent; - d_inode(dent)->i_size = rawdata->size; - -@@ -1512,7 +1580,6 @@ int __aa_fs_create_rawdata(struct aa_ns *ns, struct aa_loaddata *rawdata) - - fail: - remove_rawdata_dents(rawdata); -- aa_put_i_loaddata(rawdata); - return PTR_ERR(dent); - } - #endif /* CONFIG_SECURITY_APPARMOR_EXPORT_BINARY */ -@@ -1536,13 +1603,10 @@ void __aafs_profile_rmdir(struct aa_profile *profile) - __aafs_profile_rmdir(child); - - for (i = AAFS_PROF_SIZEOF - 1; i >= 0; --i) { -- struct aa_proxy *proxy; - if (!profile->dents[i]) - continue; - -- proxy = d_inode(profile->dents[i])->i_private; - aafs_remove(profile->dents[i]); -- aa_put_proxy(proxy); - profile->dents[i] = NULL; - } - } -@@ -1576,14 +1640,7 @@ static struct dentry *create_profile_file(struct dentry *dir, const char *name, - struct aa_profile *profile, - const struct file_operations *fops) - { -- struct aa_proxy *proxy = aa_get_proxy(profile->label.proxy); -- struct dentry *dent; -- -- dent = aafs_create_file(name, S_IFREG | 0444, dir, proxy, fops); -- if (IS_ERR(dent)) -- aa_put_proxy(proxy); -- -- return dent; -+ return aafs_create_file(name, S_IFREG | 0444, dir, &profile->label.proxy->count, fops); - } - - #ifdef CONFIG_SECURITY_APPARMOR_EXPORT_BINARY -@@ -1629,7 +1686,8 @@ static const char *rawdata_get_link_base(struct dentry *dentry, - struct delayed_call *done, - const char *name) - { -- struct aa_proxy *proxy = inode->i_private; -+ struct aa_common_ref *ref = inode->i_private; -+ struct aa_proxy *proxy = container_of(ref, struct aa_proxy, count); - struct aa_label *label; - struct aa_profile *profile; - char *target; -@@ -1762,27 +1820,24 @@ int __aafs_profile_mkdir(struct aa_profile *profile, struct dentry *parent) - if (profile->rawdata) { - if (aa_g_hash_policy) { - dent = aafs_create("raw_sha256", S_IFLNK | 0444, dir, -- profile->label.proxy, NULL, NULL, -- &rawdata_link_sha256_iops); -+ &profile->label.proxy->count, NULL, -+ NULL, &rawdata_link_sha256_iops); - if (IS_ERR(dent)) - goto fail; -- aa_get_proxy(profile->label.proxy); - profile->dents[AAFS_PROF_RAW_HASH] = dent; - } - dent = aafs_create("raw_abi", S_IFLNK | 0444, dir, -- profile->label.proxy, NULL, NULL, -+ &profile->label.proxy->count, NULL, NULL, - &rawdata_link_abi_iops); - if (IS_ERR(dent)) - goto fail; -- aa_get_proxy(profile->label.proxy); - profile->dents[AAFS_PROF_RAW_ABI] = dent; - - dent = aafs_create("raw_data", S_IFLNK | 0444, dir, -- profile->label.proxy, NULL, NULL, -+ &profile->label.proxy->count, NULL, NULL, - &rawdata_link_data_iops); - if (IS_ERR(dent)) - goto fail; -- aa_get_proxy(profile->label.proxy); - profile->dents[AAFS_PROF_RAW_DATA] = dent; - } - #endif /*CONFIG_SECURITY_APPARMOR_EXPORT_BINARY */ -@@ -1819,7 +1874,7 @@ static int ns_mkdir_op(struct mnt_idmap *idmap, struct inode *dir, - if (error) - return error; - -- parent = aa_get_ns(dir->i_private); -+ parent = get_ns_common_ref(dir->i_private); - AA_BUG(d_inode(ns_subns_dir(parent)) != dir); - - /* we have to unlock and then relock to get locking order right -@@ -1869,7 +1924,7 @@ static int ns_rmdir_op(struct inode *dir, struct dentry *dentry) - if (error) - return error; - -- parent = aa_get_ns(dir->i_private); -+ parent = get_ns_common_ref(dir->i_private); - /* rmdir calls the generic securityfs functions to remove files - * from the apparmor dir. It is up to the apparmor ns locking - * to avoid races. -@@ -1939,27 +1994,6 @@ void __aafs_ns_rmdir(struct aa_ns *ns) - - __aa_fs_list_remove_rawdata(ns); - -- if (ns_subns_dir(ns)) { -- sub = d_inode(ns_subns_dir(ns))->i_private; -- aa_put_ns(sub); -- } -- if (ns_subload(ns)) { -- sub = d_inode(ns_subload(ns))->i_private; -- aa_put_ns(sub); -- } -- if (ns_subreplace(ns)) { -- sub = d_inode(ns_subreplace(ns))->i_private; -- aa_put_ns(sub); -- } -- if (ns_subremove(ns)) { -- sub = d_inode(ns_subremove(ns))->i_private; -- aa_put_ns(sub); -- } -- if (ns_subrevision(ns)) { -- sub = d_inode(ns_subrevision(ns))->i_private; -- aa_put_ns(sub); -- } -- - for (i = AAFS_NS_SIZEOF - 1; i >= 0; --i) { - aafs_remove(ns->dents[i]); - ns->dents[i] = NULL; -@@ -1984,40 +2018,40 @@ static int __aafs_ns_mkdir_entries(struct aa_ns *ns, struct dentry *dir) - return PTR_ERR(dent); - ns_subdata_dir(ns) = dent; - -- dent = aafs_create_file("revision", 0444, dir, ns, -+ dent = aafs_create_file("revision", 0444, dir, -+ &ns->unconfined->label.count, - &aa_fs_ns_revision_fops); - if (IS_ERR(dent)) - return PTR_ERR(dent); -- aa_get_ns(ns); - ns_subrevision(ns) = dent; - -- dent = aafs_create_file(".load", 0640, dir, ns, -- &aa_fs_profile_load); -+ dent = aafs_create_file(".load", 0640, dir, -+ &ns->unconfined->label.count, -+ &aa_fs_profile_load); - if (IS_ERR(dent)) - return PTR_ERR(dent); -- aa_get_ns(ns); - ns_subload(ns) = dent; - -- dent = aafs_create_file(".replace", 0640, dir, ns, -- &aa_fs_profile_replace); -+ dent = aafs_create_file(".replace", 0640, dir, -+ &ns->unconfined->label.count, -+ &aa_fs_profile_replace); - if (IS_ERR(dent)) - return PTR_ERR(dent); -- aa_get_ns(ns); - ns_subreplace(ns) = dent; - -- dent = aafs_create_file(".remove", 0640, dir, ns, -- &aa_fs_profile_remove); -+ dent = aafs_create_file(".remove", 0640, dir, -+ &ns->unconfined->label.count, -+ &aa_fs_profile_remove); - if (IS_ERR(dent)) - return PTR_ERR(dent); -- aa_get_ns(ns); - ns_subremove(ns) = dent; - - /* use create_dentry so we can supply private data */ -- dent = aafs_create("namespaces", S_IFDIR | 0755, dir, ns, NULL, NULL, -- &ns_dir_inode_operations); -+ dent = aafs_create("namespaces", S_IFDIR | 0755, dir, -+ &ns->unconfined->label.count, -+ NULL, NULL, &ns_dir_inode_operations); - if (IS_ERR(dent)) - return PTR_ERR(dent); -- aa_get_ns(ns); - ns_subns_dir(ns) = dent; - - return 0; -diff --git a/security/apparmor/include/label.h b/security/apparmor/include/label.h -index 2a72e6b17d68..5aca0f612f8f 100644 ---- a/security/apparmor/include/label.h -+++ b/security/apparmor/include/label.h -@@ -101,7 +101,7 @@ enum label_flags { - - struct aa_label; - struct aa_proxy { -- struct kref count; -+ struct aa_common_ref count; - struct aa_label __rcu *label; - }; - -@@ -121,7 +121,7 @@ struct label_it { - * @ent: set of profiles for label, actual size determined by @size - */ - struct aa_label { -- struct kref count; -+ struct aa_common_ref count; - struct rb_node node; - struct rcu_head rcu; - struct aa_proxy *proxy; -@@ -373,7 +373,7 @@ int aa_label_match(struct aa_profile *profile, struct aa_ruleset *rules, - */ - static inline struct aa_label *__aa_get_label(struct aa_label *l) - { -- if (l && kref_get_unless_zero(&l->count)) -+ if (l && kref_get_unless_zero(&l->count.count)) - return l; - - return NULL; -@@ -382,7 +382,7 @@ static inline struct aa_label *__aa_get_label(struct aa_label *l) - static inline struct aa_label *aa_get_label(struct aa_label *l) - { - if (l) -- kref_get(&(l->count)); -+ kref_get(&(l->count.count)); - - return l; - } -@@ -402,7 +402,7 @@ static inline struct aa_label *aa_get_label_rcu(struct aa_label __rcu **l) - rcu_read_lock(); - do { - c = rcu_dereference(*l); -- } while (c && !kref_get_unless_zero(&c->count)); -+ } while (c && !kref_get_unless_zero(&c->count.count)); - rcu_read_unlock(); - - return c; -@@ -442,7 +442,7 @@ static inline struct aa_label *aa_get_newest_label(struct aa_label *l) - static inline void aa_put_label(struct aa_label *l) - { - if (l) -- kref_put(&l->count, aa_label_kref); -+ kref_put(&l->count.count, aa_label_kref); - } - - -@@ -452,7 +452,7 @@ void aa_proxy_kref(struct kref *kref); - static inline struct aa_proxy *aa_get_proxy(struct aa_proxy *proxy) - { - if (proxy) -- kref_get(&(proxy->count)); -+ kref_get(&(proxy->count.count)); - - return proxy; - } -@@ -460,7 +460,7 @@ static inline struct aa_proxy *aa_get_proxy(struct aa_proxy *proxy) - static inline void aa_put_proxy(struct aa_proxy *proxy) - { - if (proxy) -- kref_put(&proxy->count, aa_proxy_kref); -+ kref_put(&proxy->count.count, aa_proxy_kref); - } - - void __aa_proxy_redirect(struct aa_label *orig, struct aa_label *new); -diff --git a/security/apparmor/include/lib.h b/security/apparmor/include/lib.h -index 1ec00113a056..e76470c8b84c 100644 ---- a/security/apparmor/include/lib.h -+++ b/security/apparmor/include/lib.h -@@ -71,6 +71,18 @@ void aa_info_message(const char *str); - /* Security blob offsets */ - extern struct lsm_blob_sizes apparmor_blob_sizes; - -+enum reftype { -+ REF_NS, -+ REF_PROXY, -+ REF_RAWDATA, -+}; -+ -+/* common reference count used by data the shows up in aafs */ -+struct aa_common_ref { -+ struct kref count; -+ enum reftype reftype; -+}; -+ - /** - * aa_strneq - compare null terminated @str to a non null terminated substring - * @str: a null terminated string -diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h -index b8c35972883c..dbd6af6034f1 100644 ---- a/security/apparmor/include/policy.h -+++ b/security/apparmor/include/policy.h -@@ -329,7 +329,7 @@ static inline aa_state_t ANY_RULE_MEDIATES(struct list_head *head, - static inline struct aa_profile *aa_get_profile(struct aa_profile *p) - { - if (p) -- kref_get(&(p->label.count)); -+ kref_get(&(p->label.count.count)); - - return p; - } -@@ -343,7 +343,7 @@ static inline struct aa_profile *aa_get_profile(struct aa_profile *p) - */ - static inline struct aa_profile *aa_get_profile_not0(struct aa_profile *p) - { -- if (p && kref_get_unless_zero(&p->label.count)) -+ if (p && kref_get_unless_zero(&p->label.count.count)) - return p; - - return NULL; -@@ -363,7 +363,7 @@ static inline struct aa_profile *aa_get_profile_rcu(struct aa_profile __rcu **p) - rcu_read_lock(); - do { - c = rcu_dereference(*p); -- } while (c && !kref_get_unless_zero(&c->label.count)); -+ } while (c && !kref_get_unless_zero(&c->label.count.count)); - rcu_read_unlock(); - - return c; -@@ -376,7 +376,7 @@ static inline struct aa_profile *aa_get_profile_rcu(struct aa_profile __rcu **p) - static inline void aa_put_profile(struct aa_profile *p) - { - if (p) -- kref_put(&p->label.count, aa_label_kref); -+ kref_put(&p->label.count.count, aa_label_kref); - } - - static inline int AUDIT_MODE(struct aa_profile *profile) -diff --git a/security/apparmor/include/policy_unpack.h b/security/apparmor/include/policy_unpack.h -index 4f800fbb805a..e5a95dc4da1f 100644 ---- a/security/apparmor/include/policy_unpack.h -+++ b/security/apparmor/include/policy_unpack.h -@@ -108,7 +108,7 @@ struct aa_ext { - * fs entries and drops the associated @count ref. - */ - struct aa_loaddata { -- struct kref count; -+ struct aa_common_ref count; - struct kref pcount; - struct list_head list; - struct work_struct work; -@@ -143,7 +143,7 @@ aa_get_i_loaddata(struct aa_loaddata *data) - { - - if (data) -- kref_get(&(data->count)); -+ kref_get(&(data->count.count)); - return data; - } - -@@ -171,7 +171,7 @@ struct aa_loaddata *aa_loaddata_alloc(size_t size); - static inline void aa_put_i_loaddata(struct aa_loaddata *data) - { - if (data) -- kref_put(&data->count, aa_loaddata_kref); -+ kref_put(&data->count.count, aa_loaddata_kref); - } - - static inline void aa_put_profile_loaddata(struct aa_loaddata *data) -diff --git a/security/apparmor/label.c b/security/apparmor/label.c -index c71e4615dd46..e8e5baaf05fa 100644 ---- a/security/apparmor/label.c -+++ b/security/apparmor/label.c -@@ -52,7 +52,8 @@ static void free_proxy(struct aa_proxy *proxy) - - void aa_proxy_kref(struct kref *kref) - { -- struct aa_proxy *proxy = container_of(kref, struct aa_proxy, count); -+ struct aa_proxy *proxy = container_of(kref, struct aa_proxy, -+ count.count); - - free_proxy(proxy); - } -@@ -63,7 +64,8 @@ struct aa_proxy *aa_alloc_proxy(struct aa_label *label, gfp_t gfp) - - new = kzalloc(sizeof(struct aa_proxy), gfp); - if (new) { -- kref_init(&new->count); -+ kref_init(&new->count.count); -+ new->count.reftype = REF_PROXY; - rcu_assign_pointer(new->label, aa_get_label(label)); - } - return new; -@@ -371,7 +373,8 @@ static void label_free_rcu(struct rcu_head *head) - - void aa_label_kref(struct kref *kref) - { -- struct aa_label *label = container_of(kref, struct aa_label, count); -+ struct aa_label *label = container_of(kref, struct aa_label, -+ count.count); - struct aa_ns *ns = labels_ns(label); - - if (!ns) { -@@ -408,7 +411,8 @@ bool aa_label_init(struct aa_label *label, int size, gfp_t gfp) - - label->size = size; /* doesn't include null */ - label->vec[size] = NULL; /* null terminate */ -- kref_init(&label->count); -+ kref_init(&label->count.count); -+ label->count.reftype = REF_NS; /* for aafs purposes */ - RB_CLEAR_NODE(&label->node); - - return true; -diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c -index 36175b99914b..b14ead4075ae 100644 ---- a/security/apparmor/policy_unpack.c -+++ b/security/apparmor/policy_unpack.c -@@ -118,7 +118,8 @@ static void do_loaddata_free(struct aa_loaddata *d) - - void aa_loaddata_kref(struct kref *kref) - { -- struct aa_loaddata *d = container_of(kref, struct aa_loaddata, count); -+ struct aa_loaddata *d = container_of(kref, struct aa_loaddata, -+ count.count); - - do_loaddata_free(d); - } -@@ -165,7 +166,8 @@ struct aa_loaddata *aa_loaddata_alloc(size_t size) - kfree(d); - return ERR_PTR(-ENOMEM); - } -- kref_init(&d->count); -+ kref_init(&d->count.count); -+ d->count.reftype = REF_RAWDATA; - kref_init(&d->pcount); - INIT_LIST_HEAD(&d->list); - --- -2.53.0 - diff --git a/patches-sonic/series b/patches-sonic/series index dd8a7127b..c7005fe99 100644 --- a/patches-sonic/series +++ b/patches-sonic/series @@ -98,7 +98,7 @@ driver-i2c-smbus-add-disable_spd-module-parameter.patch 0027-platform-mellanox-mlx-platform-Change-register-name.patch 0028-platform-mellanox-mlxreg-dpu-Add-initial-support-for.patch 0029-platform-mellanox-Introduce-support-of-Nvidia-smart-.patch -0030-hwmon-mlxreg-fan-Separate-methods-of-fan-setting-com.patch +#0030-hwmon-mlxreg-fan-Separate-methods-of-fan-setting-com.patch 0031-platform-mellanox-indicate-deferred-I2C-bus-creation.patch 0032-platform_data-mlxreg-Add-capability-bit-and-mask-fie.patch 0033-platform-mellanox-mlxreg-hotplug-Add-support-for-new.patch @@ -115,7 +115,7 @@ driver-i2c-smbus-add-disable_spd-module-parameter.patch 0044-platform_data-mlxreg-Add-non-sticky-bit-indication-f.patch 0045-platform-mellanox-mlxreg-hotplug-Add-handling-of-non.patch 0046-platform-mellanox-nvsw-bmc-Add-system-control-and-mo.patch -0047-hwmon-mlxreg-fan-Prevent-fans-from-getting-stuck-at-.patch +#0047-hwmon-mlxreg-fan-Prevent-fans-from-getting-stuck-at-.patch 0052-platform-mellanox-Introduce-support-for-switches-equ.patch 0053-platform-mellanox-mlx-platform-Add-support-for-new-X.patch 0054-i2c-asf-Introduce-MCTP-support-over-ASF-controller.patch @@ -206,7 +206,7 @@ cisco-npu-disable-other-bars.patch 0027-pcie-if-hotplug-enabled-do-immediate-reset-on-panic.patch # amd sfh hid -0001-amd_sfh_hid_client_init_log_no_error_for_EOPNOTSUPP.patch +#0001-amd_sfh_hid_client_init_log_no_error_for_EOPNOTSUPP.patch # Security patch #0001-Change-the-system.map-file-permission-only-readable-.patch @@ -222,7 +222,7 @@ cisco-npu-disable-other-bars.patch 0004-xilinx-spi-platform_get_irq_optional.patch 0005-xilinx-spi-use-device-property.patch driver-tty-serial-8250-add-support-for-fintek-F81214E.patch # Linux upstream pending -0001-PM-runtime-Add-new-devm-functions.patch +#0001-PM-runtime-Add-new-devm-functions.patch 0007-i2c-xiic-Relocate-xiic_i2c_runtime_suspend-and-xiic_.patch 0008-i2c-xiic-Add-atomic-transfer-support.patch 0009-i2c-i2c-xiic-Replace-dev_err-with-dev_err_probe-in-p.patch @@ -248,18 +248,6 @@ driver-tty-serial-8250-add-support-for-fintek-F81214E.patch # Linux upstream pen 0011-PCI-AER-Fix-NULL-pointer-access-by-aer_info.patch 0012-PCI-AER-Avoid-NULL-pointer-dereference-in-aer_rateli.patch -# QID-45097: Crackarmor fixes -qsa-2026-apparmor/0001-apparmor-validate-DFA-start-states-are-in-bounds-in-.patch -qsa-2026-apparmor/0002-apparmor-fix-memory-leak-in-verify_header.patch -qsa-2026-apparmor/0003-apparmor-replace-recursive-profile-removal-with-iter.patch -qsa-2026-apparmor/0004-apparmor-fix-limit-the-number-of-levels-of-policy-na.patch -qsa-2026-apparmor/0005-apparmor-fix-side-effect-bug-in-match_char-macro-usa.patch -qsa-2026-apparmor/0006-apparmor-fix-missing-bounds-check-on-DEFAULT-table-i.patch -qsa-2026-apparmor/0007-apparmor-Fix-double-free-of-ns_name-in-aa_replace_pr.patch -qsa-2026-apparmor/0008-apparmor-fix-unprivileged-local-user-can-do-privileg.patch -qsa-2026-apparmor/0009-apparmor-fix-differential-encoding-verification.patch -qsa-2026-apparmor/0010-apparmor-fix-race-on-rawdata-dereference.patch -qsa-2026-apparmor/0011-apparmor-fix-race-between-freeing-data-and-fs-access.patch # Patches for EVPN MH 0001-vxlan-bridge-Add-NDA_FLAGS_EXT-support-with-NTF_EXT_.patch 0002-net-bridge-vxlan-Protocol-field-in-bridge-fdb.patch @@ -272,25 +260,25 @@ qsa-2026-apparmor/0011-apparmor-fix-race-between-freeing-data-and-fs-access.patc # ############################################################ ###-> aspeed -aspeed-ast2700-support.patch -mmc-sdhci-of-aspeed-Improve-CMD6-timing_v6.18.patch -mmc-sdhci-of-aspeed-Optimize-tuning-mechanism_v6.12.patch -nexthop-b27-dts.patch -0001-Add-device-tree-for-Nokia-BMC-H6-128-platform.patch -arista_goldfinch-dts.patch -0001-DTS-Aspeed-Nvidia-spc6-a1-bmc-dts.patch -0002-DTS-Aspeed-Nvidia-spc6-bmc-dts.patch -micas-m2-w6950-128oc-dts.patch +#aspeed-ast2700-support.patch +#mmc-sdhci-of-aspeed-Improve-CMD6-timing_v6.18.patch +#mmc-sdhci-of-aspeed-Optimize-tuning-mechanism_v6.12.patch +#nexthop-b27-dts.patch +#0001-Add-device-tree-for-Nokia-BMC-H6-128-platform.patch +#arista_goldfinch-dts.patch +#0001-DTS-Aspeed-Nvidia-spc6-a1-bmc-dts.patch +#0002-DTS-Aspeed-Nvidia-spc6-bmc-dts.patch +#micas-m2-w6950-128oc-dts.patch ###-> aspeed-end ###-> nvidia_aspeed_bmc-start -0001-mctp-driver-net-Extend-MCTP-support.patch -0002-mctp-aspeed-IRoT-Add-initial-support.patch -0003-mctp-driver-net-Add-global-APIs-for-MCTP.patch -0004-mctp-driver-net-Fix-MCTP-over-VDM-PCIe.patch -0005-mctp-driver-net-Fix-MCTP-over-USB.patch -0006-jtag-Add-JTAG-core-headers-GPIO-mux-and-locking-support.patch -0007-JTAG-Aspeed-Fix-kernel-configuration.patch +#0001-mctp-driver-net-Extend-MCTP-support.patch +#0002-mctp-aspeed-IRoT-Add-initial-support.patch +#0003-mctp-driver-net-Add-global-APIs-for-MCTP.patch +#0004-mctp-driver-net-Fix-MCTP-over-VDM-PCIe.patch +#0005-mctp-driver-net-Fix-MCTP-over-USB.patch +#0006-jtag-Add-JTAG-core-headers-GPIO-mux-and-locking-support.patch +#0007-JTAG-Aspeed-Fix-kernel-configuration.patch ###-> nvidia_aspeed_bmc-end #