Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package kernel-source-longterm for
openSUSE:Factory checked in at 2026-05-04 12:49:16
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/kernel-source-longterm (Old)
and /work/SRC/openSUSE:Factory/.kernel-source-longterm.new.30200 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "kernel-source-longterm"
Mon May 4 12:49:16 2026 rev:123 rq:1350327 version:6.18.26
Changes:
--------
--- /work/SRC/openSUSE:Factory/kernel-source-longterm/kernel-longterm.changes
2026-04-29 19:18:01.093510166 +0200
+++
/work/SRC/openSUSE:Factory/.kernel-source-longterm.new.30200/kernel-longterm.changes
2026-05-04 12:50:15.161415401 +0200
@@ -1,0 +2,8 @@
+Thu Apr 30 13:07:03 CEST 2026 - [email protected]
+
+- Linux 6.18.26 (bsc#1258210).
+- Buffer overflow in drivers/xen/sys-hypervisor.c (bsc#1258210).
+- xen/privcmd: fix double free via VMA splitting (bsc#1258210).
+- commit f326d63
+
+-------------------------------------------------------------------
@@ -636,0 +645,12 @@
+Thu Apr 16 13:10:09 CEST 2026 - [email protected]
+
+- check-for-config-changes: Exclude CC_MS_EXTENSIONS
+- commit c04d7e7
+
+-------------------------------------------------------------------
+Mon Apr 13 10:48:47 CEST 2026 - [email protected]
+
+- check-for-config-changes: Exclude HAVE_CFI_ICALL_NORMALIZE_INTEGERS{,_RUSTC}
+- commit ba5597d
+
+-------------------------------------------------------------------
@@ -5804,0 +5825,8 @@
+
+-------------------------------------------------------------------
+Mon Feb 23 17:50:45 CET 2026 - [email protected]
+
+- rpm/check-for-config-changes: add OPENSSL_SUPPORTS_ to IGNORED_CONFIGS_RE
+ Config option OPENSSL_SUPPORTS_ML_DSA was introduced by mainline commit
+ 0ad9a71933e7 ("modsign: Enable ML-DSA module signing") in 7.0-rc1
+- commit 21b4616
kernel-source-longterm.changes: same change
kernel-syms-longterm.changes: same change
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ kernel-longterm.spec ++++++
--- /var/tmp/diff_new_pack.41ffxQ/_old 2026-05-04 12:50:19.809606785 +0200
+++ /var/tmp/diff_new_pack.41ffxQ/_new 2026-05-04 12:50:19.809606785 +0200
@@ -18,8 +18,8 @@
%define srcversion 6.18
-%define patchversion 6.18.25
-%define git_commit a985b332b9dc481dc98ac4298253d4442bfc3951
+%define patchversion 6.18.26
+%define git_commit d1ddab13835f7415b5ddbeaf5839f9509ebc33f9
%define variant -longterm%{nil}
%define compress_modules zstd
%define compress_vmlinux xz
@@ -40,9 +40,9 @@
%(chmod +x
%_sourcedir/{guards,apply-patches,check-for-config-changes,group-source-files.pl,split-modules,modversions,kabi.pl,arch-symbols,check-module-license,splitflist,mergedep,moddep,modflist,kernel-subpackage-build})
Name: kernel-longterm
-Version: 6.18.25
+Version: 6.18.26
%if 0%{?is_kotd}
-Release: <RELEASE>.ga985b33
+Release: <RELEASE>.gd1ddab1
%else
Release: 0
%endif
++++++ kernel-source-longterm.spec ++++++
--- /var/tmp/diff_new_pack.41ffxQ/_old 2026-05-04 12:50:19.905610738 +0200
+++ /var/tmp/diff_new_pack.41ffxQ/_new 2026-05-04 12:50:19.909610902 +0200
@@ -17,8 +17,8 @@
%define srcversion 6.18
-%define patchversion 6.18.25
-%define git_commit a985b332b9dc481dc98ac4298253d4442bfc3951
+%define patchversion 6.18.26
+%define git_commit d1ddab13835f7415b5ddbeaf5839f9509ebc33f9
%define variant -longterm%{nil}
%define gcc_package gcc
%define gcc_compiler gcc
@@ -28,9 +28,9 @@
%(chmod +x
%_sourcedir/{guards,apply-patches,check-for-config-changes,group-source-files.pl,split-modules,modversions,kabi.pl,arch-symbols,check-module-license,splitflist,mergedep,moddep,modflist,kernel-subpackage-build})
Name: kernel-source-longterm
-Version: 6.18.25
+Version: 6.18.26
%if 0%{?is_kotd}
-Release: <RELEASE>.ga985b33
+Release: <RELEASE>.gd1ddab1
%else
Release: 0
%endif
++++++ kernel-syms-longterm.spec ++++++
--- /var/tmp/diff_new_pack.41ffxQ/_old 2026-05-04 12:50:19.989614197 +0200
+++ /var/tmp/diff_new_pack.41ffxQ/_new 2026-05-04 12:50:19.989614197 +0200
@@ -16,15 +16,15 @@
#
-%define git_commit a985b332b9dc481dc98ac4298253d4442bfc3951
+%define git_commit d1ddab13835f7415b5ddbeaf5839f9509ebc33f9
%define variant -longterm%{nil}
%include %_sourcedir/kernel-spec-macros
Name: kernel-syms-longterm
-Version: 6.18.25
+Version: 6.18.26
%if 0%{?is_kotd}
-Release: <RELEASE>.ga985b33
+Release: <RELEASE>.gd1ddab1
%else
Release: 0
%endif
++++++ _scmsync.obsinfo ++++++
--- /var/tmp/diff_new_pack.41ffxQ/_old 2026-05-04 12:50:20.189622432 +0200
+++ /var/tmp/diff_new_pack.41ffxQ/_new 2026-05-04 12:50:20.193622596 +0200
@@ -1,6 +1,6 @@
-mtime: 1777356320
-commit: de3e4ee1e64d473a4ceea48c6d89a6abe80545156a932d16de7c100aaa49fd61
+mtime: 1777615590
+commit: 68a2eb87805a67b58ec9a7cee2e4c8eca213dafba3c7e51c80d012bfa600947b
url: https://src.opensuse.org/kernelbugs/kernel-source-longterm
-revision: de3e4ee1e64d473a4ceea48c6d89a6abe80545156a932d16de7c100aaa49fd61
+revision: 68a2eb87805a67b58ec9a7cee2e4c8eca213dafba3c7e51c80d012bfa600947b
trackingbranch: Kernel/slowroll
++++++ build.specials.obscpio ++++++
++++++ build.specials.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/.gitignore new/.gitignore
--- old/.gitignore 1970-01-01 01:00:00.000000000 +0100
+++ new/.gitignore 2026-05-01 08:06:30.000000000 +0200
@@ -0,0 +1 @@
+.osc
++++++ check-for-config-changes ++++++
--- /var/tmp/diff_new_pack.41ffxQ/_old 2026-05-04 12:50:20.441632807 +0200
+++ /var/tmp/diff_new_pack.41ffxQ/_new 2026-05-04 12:50:20.445632973 +0200
@@ -17,6 +17,7 @@
'CC_IS_\(CLANG\|GCC\)'
'CC_HAS_[A-Z_]*'
'CC_HAVE_[A-Z_]*'
+ 'CC_MS_EXTENSIONS'
'CC_VERSION_TEXT'
'CLANG_VERSION'
'DRM_MSM_VALIDATE_XML'
@@ -29,6 +30,7 @@
'G*CC[0-9]*_NO_[A-Z_]*'
'HAS_LTO_CLANG'
'HAVE_[A-Z]*_COMPILER'
+ 'HAVE_CFI_ICALL_NORMALIZE_[A-Z_]*'
'HAVE_RUST'
'HAVE_SHADOW_CALL_STACK'
'LD_CAN_[A-Z_]*'
@@ -36,6 +38,7 @@
'LD_VERSION'
'LLD_VERSION'
'OBJTOOL'
+ 'OPENSSL_SUPPORTS_[A-Z0-9_]*'
'PAHOLE_HAS_[A-Z0-9_]*'
'PAHOLE_VERSION'
'RISCV_ISA_[A-Z_]*'
++++++ patches.kernel.org.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/patches.kernel.org/6.18.26-001-xen-privcmd-fix-double-free-via-VMA-splitting.patch
new/patches.kernel.org/6.18.26-001-xen-privcmd-fix-double-free-via-VMA-splitting.patch
---
old/patches.kernel.org/6.18.26-001-xen-privcmd-fix-double-free-via-VMA-splitting.patch
1970-01-01 01:00:00.000000000 +0100
+++
new/patches.kernel.org/6.18.26-001-xen-privcmd-fix-double-free-via-VMA-splitting.patch
2026-04-30 13:07:08.000000000 +0200
@@ -0,0 +1,68 @@
+From: Juergen Gross <[email protected]>
+Date: Fri, 10 Apr 2026 09:20:04 +0200
+Subject: [PATCH] xen/privcmd: fix double free via VMA splitting
+References: bsc#1258210
+Patch-mainline: 6.18.26
+Git-commit: 24daca4fc07f3ff8cd0e3f629cd982187f48436a
+
+commit 24daca4fc07f3ff8cd0e3f629cd982187f48436a upstream.
+
+privcmd_vm_ops defines .close (privcmd_close), but neither .may_split
+nor .open. When userspace does a partial munmap() on a privcmd mapping,
+the kernel splits the VMA via __split_vma(). Since may_split is NULL,
+the split is allowed. vm_area_dup() copies vm_private_data (a pages
+array allocated in alloc_empty_pages()) into the new VMA without any
+fixup, because there is no .open callback.
+
+Both VMAs now point to the same pages array. When the unmapped portion
+is closed, privcmd_close() calls:
+ - xen_unmap_domain_gfn_range()
+ - xen_free_unpopulated_pages()
+ - kvfree(pages)
+
+The surviving VMA still holds the dangling pointer. When it is later
+destroyed, the same sequence runs again, which leads to a double free.
+
+Fix this issue by adding a .may_split callback denying the VMA split.
+
+This is XSA-487 / CVE-2026-31787
+
+Fixes: d71f513985c2 ("xen: privcmd: support autotranslated physmap guests.")
+Reported-by: Atharva Vartak <[email protected]>
+Suggested-by: Atharva Vartak <[email protected]>
+Signed-off-by: Juergen Gross <[email protected]>
+Reviewed-by: Jan Beulich <[email protected]>
+Signed-off-by: Greg Kroah-Hartman <[email protected]>
+Signed-off-by: Robert Frohl <[email protected]>
+---
+ drivers/xen/privcmd.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/xen/privcmd.c b/drivers/xen/privcmd.c
+index cbc62f0df11b..f37d8d212c06 100644
+--- a/drivers/xen/privcmd.c
++++ b/drivers/xen/privcmd.c
+@@ -1619,6 +1619,12 @@ static void privcmd_close(struct vm_area_struct *vma)
+ kvfree(pages);
+ }
+
++static int privcmd_may_split(struct vm_area_struct *area, unsigned long addr)
++{
++ /* Forbid splitting, avoids double free via privcmd_close(). */
++ return -EINVAL;
++}
++
+ static vm_fault_t privcmd_fault(struct vm_fault *vmf)
+ {
+ printk(KERN_DEBUG "privcmd_fault: vma=%p %lx-%lx, pgoff=%lx, uv=%p\n",
+@@ -1630,6 +1636,7 @@ static vm_fault_t privcmd_fault(struct vm_fault *vmf)
+
+ static const struct vm_operations_struct privcmd_vm_ops = {
+ .close = privcmd_close,
++ .may_split = privcmd_may_split,
+ .fault = privcmd_fault
+ };
+
+--
+2.53.0
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/patches.kernel.org/6.18.26-002-Buffer-overflow-in-drivers-xen-sys-hypervisor.patch
new/patches.kernel.org/6.18.26-002-Buffer-overflow-in-drivers-xen-sys-hypervisor.patch
---
old/patches.kernel.org/6.18.26-002-Buffer-overflow-in-drivers-xen-sys-hypervisor.patch
1970-01-01 01:00:00.000000000 +0100
+++
new/patches.kernel.org/6.18.26-002-Buffer-overflow-in-drivers-xen-sys-hypervisor.patch
2026-04-30 13:07:08.000000000 +0200
@@ -0,0 +1,69 @@
+From: Juergen Gross <[email protected]>
+Date: Fri, 27 Mar 2026 14:13:38 +0100
+Subject: [PATCH] Buffer overflow in drivers/xen/sys-hypervisor.c
+References: bsc#1258210
+Patch-mainline: 6.18.26
+Git-commit: 27fdbab4221b375de54bf91919798d88520c6e28
+
+commit 27fdbab4221b375de54bf91919798d88520c6e28 upstream.
+
+The build id returned by HYPERVISOR_xen_version(XENVER_build_id) is
+neither NUL terminated nor a string.
+
+The first causes a buffer overflow as sprintf in buildid_show will
+read and copy till it finds a NUL.
+
+00000000 f4 91 51 f4 dd 38 9e 9d 65 47 52 eb 10 71 db 50 |..Q..8..eGR..q.P|
+00000010 b9 a8 01 42 6f 2e 32 |...Bo.2|
+00000017
+
+So use a memcpy instead of sprintf to have the correct value:
+
+00000000 f4 91 51 f4 dd 00 9e 9d 65 47 52 eb 10 71 db 50 |..Q.....eGR..q.P|
+00000010 b9 a8 01 42 |...B|
+00000014
+
+(the above have a hack to embed a zero inside and check it's
+returned correctly).
+
+This is XSA-485 / CVE-2026-31786
+
+Fixes: 84b7625728ea ("xen: add sysfs node for hypervisor build id")
+Signed-off-by: Frediano Ziglio <[email protected]>
+Reviewed-by: Juergen Gross <[email protected]>
+Signed-off-by: Juergen Gross <[email protected]>
+Signed-off-by: Greg Kroah-Hartman <[email protected]>
+Signed-off-by: Robert Frohl <[email protected]>
+---
+ drivers/xen/sys-hypervisor.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/xen/sys-hypervisor.c b/drivers/xen/sys-hypervisor.c
+index 2f880374b463..c1a0ca1b1b5f 100644
+--- a/drivers/xen/sys-hypervisor.c
++++ b/drivers/xen/sys-hypervisor.c
+@@ -366,6 +366,8 @@ static ssize_t buildid_show(struct hyp_sysfs_attr *attr,
char *buffer)
+ ret = sprintf(buffer, "<denied>");
+ return ret;
+ }
++ if (ret > PAGE_SIZE)
++ return -ENOSPC;
+
+ buildid = kmalloc(sizeof(*buildid) + ret, GFP_KERNEL);
+ if (!buildid)
+@@ -373,8 +375,10 @@ static ssize_t buildid_show(struct hyp_sysfs_attr *attr,
char *buffer)
+
+ buildid->len = ret;
+ ret = HYPERVISOR_xen_version(XENVER_build_id, buildid);
+- if (ret > 0)
+- ret = sprintf(buffer, "%s", buildid->buf);
++ if (ret > 0) {
++ /* Build id is binary, not a string. */
++ memcpy(buffer, buildid->buf, ret);
++ }
+ kfree(buildid);
+
+ return ret;
+--
+2.53.0
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/patches.kernel.org/6.18.26-003-Linux-6.18.26.patch
new/patches.kernel.org/6.18.26-003-Linux-6.18.26.patch
--- old/patches.kernel.org/6.18.26-003-Linux-6.18.26.patch 1970-01-01
01:00:00.000000000 +0100
+++ new/patches.kernel.org/6.18.26-003-Linux-6.18.26.patch 2026-04-30
13:07:08.000000000 +0200
@@ -0,0 +1,29 @@
+From: Greg Kroah-Hartman <[email protected]>
+Date: Thu, 30 Apr 2026 11:13:53 +0200
+Subject: [PATCH] Linux 6.18.26
+References: bsc#1258210
+Patch-mainline: 6.18.26
+Git-commit: 1fe06068166d4fc16722201f267b1fe19efad639
+
+Signed-off-by: Greg Kroah-Hartman <[email protected]>
+Signed-off-by: Robert Frohl <[email protected]>
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index c8343ec96a09..f1b9b5849b79 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,7 +1,7 @@
+ # SPDX-License-Identifier: GPL-2.0
+ VERSION = 6
+ PATCHLEVEL = 18
+-SUBLEVEL = 25
++SUBLEVEL = 26
+ EXTRAVERSION =
+ NAME = Baby Opossum Posse
+
+--
+2.53.0
+
++++++ series.conf ++++++
--- /var/tmp/diff_new_pack.41ffxQ/_old 2026-05-04 12:50:30.934064820 +0200
+++ /var/tmp/diff_new_pack.41ffxQ/_new 2026-05-04 12:50:30.954065644 +0200
@@ -5634,6 +5634,9 @@
patches.kernel.org/6.18.25-054-crypto-ccp-Don-t-attempt-to-copy-ID-to-usersp.patch
patches.kernel.org/6.18.25-055-rxrpc-Fix-missing-validation-of-ticket-length.patch
patches.kernel.org/6.18.25-056-Linux-6.18.25.patch
+
patches.kernel.org/6.18.26-001-xen-privcmd-fix-double-free-via-VMA-splitting.patch
+
patches.kernel.org/6.18.26-002-Buffer-overflow-in-drivers-xen-sys-hypervisor.patch
+ patches.kernel.org/6.18.26-003-Linux-6.18.26.patch
########################################################
# Build fixes that apply to the vanilla kernel too.
++++++ source-timestamp ++++++
--- /var/tmp/diff_new_pack.41ffxQ/_old 2026-05-04 12:50:31.098071574 +0200
+++ /var/tmp/diff_new_pack.41ffxQ/_new 2026-05-04 12:50:31.106071903 +0200
@@ -1,4 +1,4 @@
-2026-04-28 01:26:06 +0000
-GIT Revision: a985b332b9dc481dc98ac4298253d4442bfc3951
+2026-04-30 11:53:29 +0000
+GIT Revision: d1ddab13835f7415b5ddbeaf5839f9509ebc33f9
GIT Branch: slowroll
