42 changes: 25 additions & 17 deletions README.md
Expand Up @@ -8,11 +8,11 @@ Fork of `torvalds/linux` with CI-built RPMs carrying VR/XR patches.

## Current State

As of 2026-04-25:
As of 2026-05-09:

| Area | Status | Notes |
| --- | --- | --- |
| Release artifacts | Proven | Latest public release ships generic and RT RPMs. |
| Release artifacts | Proven, next candidate building | `v6.19.5-xr10` is the latest published secured lab release with generic and RT RPMs. `v6.19.5-xr11` is the current merged build candidate for the expanded Dirty Frag RxRPC RXGK route. |
| `honey` rollout | Proven (generic) | `honey` is persistently defaulted to the generic XR kernel lane. |
| `honey` RT boot | Reboot-valid, gated | RT boot and `/sys/kernel/realtime=1` verification succeeded; Dell's repeated host packet is cautionary, so regular use still needs downstream deadline evidence. |
| `yoga` rollout | Proven one-time generic boot | Generic XR RPM install and one-time boot succeeded; stock Rocky remains the persistent fallback. |
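Review bot: the new "Release artifacts" row mixes two different states, "next candidate building" in the Status cell and "current merged build candidate" in the Notes cell, without saying whether any `v6.19.5-xr11` artifacts exist yet. Since the table's other rows use evidence words ("Proven", "Reboot-valid, gated"), state the xr11 evidence level explicitly, e.g. "source merged, artifacts not yet published", and link the build run or the gating criteria so a reader does not take "merged" to mean "released".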
Expand Down Expand Up @@ -84,8 +84,8 @@ The real RPM release lane remains [`build-kernel.yml`](.github/workflows/build-k
| `bigscreen-beyond-edid.patch` | EDID non-desktop quirk for Beyond (BIG/0x1234 + 0x5095) |
| `cve-2026-31431-algif-aead.patch` | CVE-2026-31431 stable `6.19.y` security backport, applied automatically for vulnerable 6.19.x bases |
| `dirtyfrag-esp-shared-frag.patch` | CVE-2026-43284 Dirty Frag ESP page-cache write hardening, applied automatically for supported vulnerable bases |
| `dirtyfrag-rxrpc-linearize.patch` | Reserved CVE-2026-43500 Dirty Frag RxRPC RXKAD in-place decrypt hardening, applied automatically for supported vulnerable bases |
| `dirtyfrag-rxrpc-rxgk-linearize.patch` | Reserved CVE-2026-43500 Dirty Frag RxRPC RXGK in-place decrypt hardening, applied automatically for supported RXGK-capable vulnerable bases |
| `dirtyfrag-rxrpc-linearize.patch` | CVE-2026-43500 Dirty Frag RxRPC RXKAD in-place decrypt hardening, applied automatically for supported vulnerable bases |
| `dirtyfrag-rxrpc-rxgk-linearize.patch` | CVE-2026-43500 Dirty Frag RxRPC RXGK in-place decrypt hardening, applied automatically for supported RXGK-capable vulnerable bases |
| `patch-6.19.3-rt1.patch` | PREEMPT_RT real-time scheduling (RT variant only, downloaded from kernel.org) |

XR carry patches are maintained in this repository under [`xr/patches`](xr/patches).
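Review bot: dropping "Reserved" from the two `CVE-2026-43500` rows in this table is inconsistent with the CVE table further down, which still says "NVD/CVE.org are not public here" for the same identifier. Either cite the public record that justifies the change or keep a qualifier on these rows; the patch table and the CVE table should describe the identifier's status the same way.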
Expand Down Expand Up @@ -277,7 +277,7 @@ Other vulnerable or unknown bases are refused unless
`LINUX_XR_ALLOW_CVE_2026_31431=1` is set for explicit validation.

The Dirty Frag gate tracks `CVE-2026-43284` for the ESP shared-frag fix and
the separate reserved `CVE-2026-43500` RxRPC in-place decrypt sinks.
the separate `CVE-2026-43500` RxRPC in-place decrypt sinks.
Supported vulnerable bases apply
[`xr/security/dirtyfrag-esp-shared-frag.patch`](xr/security/dirtyfrag-esp-shared-frag.patch)
and/or
Expand All @@ -290,7 +290,7 @@ as needed. Unsupported vulnerable or unknown bases are refused unless
For a no-build check of the active route:

```bash
./xr/scripts/build-rpm.sh --kernel-version 6.19.5 --xr-release 10 --security-preflight-only
./xr/scripts/build-rpm.sh --kernel-version 6.19.5 --xr-release 11 --security-preflight-only
```

For a read-only check of a running host:
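Review bot: bumping the literal `--xr-release 10` to `11` means this example now describes a candidate that the same document says is not yet published or boot-validated, and it will drift again at xr12. Consider either stating that the value is the in-flight candidate, or writing the example with a placeholder for the current release number (for example a shell variable) and pointing at where the current value is defined, so the documented command does not go stale on every release.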
Expand All @@ -313,9 +313,9 @@ adding, dropping, or upstreaming a repo-managed CVE or public security backport.

| CVE | Public name | linux-xr status | Repo links | External references |
| --- | --- | --- | --- | --- |
| CVE-2026-31431 | Copy Fail / `algif_aead` AF_ALG local privilege escalation | Patched in `v6.19.5-xr9` and carried forward in `v6.19.5-xr10` by applying the stable `6.19.y` backport on top of the vulnerable `6.19.5` base; fixed natively by upstream affected-range floors such as `6.19.12+`, `6.18.22+`, `6.12.85+`, `6.6.137+`, `6.1.170+`, `5.15.204+`, `5.10.254+`, and `7.0+` bases | [`xr/security/cve-2026-31431-algif-aead.patch`](xr/security/cve-2026-31431-algif-aead.patch), [`xr/scripts/build-rpm.sh`](xr/scripts/build-rpm.sh), [`xr/scripts/check-cve-2026-31431-live.sh`](xr/scripts/check-cve-2026-31431-live.sh), [`v6.19.5-xr10`](https://github.com/tinyland-inc/linux-xr/releases/tag/v6.19.5-xr10) | [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-31431), [Red Hat RHSB-2026-02](https://access.redhat.com/security/vulnerabilities/RHSB-2026-02), [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-31431), [Copy Fail](https://copy.fail/) |
| CVE-2026-43284 | Dirty Frag / ESP page-cache write | `v6.19.5-xr10` carries the repo-managed ESP backport on the vulnerable `6.19.5` base. Published fixed floors include `5.10.255+`, `5.15.205+`, `6.1.171+`, `6.6.138+`, `6.12.87+`, `6.18.28+`, and `7.0.5+`; EOL `6.19.x` stays conservative and uses the repo backport. | [`xr/security/dirtyfrag-esp-shared-frag.patch`](xr/security/dirtyfrag-esp-shared-frag.patch), [`xr/scripts/build-rpm.sh`](xr/scripts/build-rpm.sh), [`v6.19.5-xr10`](https://github.com/tinyland-inc/linux-xr/releases/tag/v6.19.5-xr10) | [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-43284), [CVE record](https://www.cve.org/CVERecord?id=CVE-2026-43284), [Dirty Frag](https://github.com/Jesssullivan/dirtyfrag), [ESP netdev fix f4c50a4034e6](https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=f4c50a4034e6) |
| CVE-2026-43500 (reserved) | Dirty Frag / RxRPC page-cache write | `v6.19.5-xr10` carried the first repo-managed RxRPC RXKAD linearize/COW hardening on the vulnerable `6.19.5` base. Current linux-xr main also requires the RXGK linearize/COW backport for `6.18.x`, `6.19.x`, and `7.0.x` bases that include RXGK. As of the 2026-05-09 linux-xr check, Debian tracks fixed package builds but NVD/CVE.org are not public here and no kernel.org upstream fixed floor is recorded in the gate, so supported `6.12.x`, `6.18.x`, `6.19.x`, and `7.0.x` bases rely on the linux-xr backport route until proven otherwise. | [`xr/security/dirtyfrag-rxrpc-linearize.patch`](xr/security/dirtyfrag-rxrpc-linearize.patch), [`xr/security/dirtyfrag-rxrpc-rxgk-linearize.patch`](xr/security/dirtyfrag-rxrpc-rxgk-linearize.patch), [`xr/scripts/build-rpm.sh`](xr/scripts/build-rpm.sh), [`v6.19.5-xr10`](https://github.com/tinyland-inc/linux-xr/releases/tag/v6.19.5-xr10) | [Dirty Frag](https://github.com/Jesssullivan/dirtyfrag), [Debian CVE tracker](https://security-tracker.debian.org/tracker/CVE-2026-43500), [RxRPC patch route](https://lore.kernel.org/all/afKV2zGR6rrelPC7@v4bel/) |
| CVE-2026-31431 | Copy Fail / `algif_aead` AF_ALG local privilege escalation | Patched in `v6.19.5-xr9` and carried forward in `v6.19.5-xr10`; the merged `v6.19.5-xr11` build route keeps the same stable `6.19.y` backport on top of the vulnerable `6.19.5` base. Fixed natively by upstream affected-range floors such as `6.19.12+`, `6.18.22+`, `6.12.85+`, `6.6.137+`, `6.1.170+`, `5.15.204+`, `5.10.254+`, and `7.0+` bases. | [`xr/security/cve-2026-31431-algif-aead.patch`](xr/security/cve-2026-31431-algif-aead.patch), [`xr/scripts/build-rpm.sh`](xr/scripts/build-rpm.sh), [`xr/scripts/check-cve-2026-31431-live.sh`](xr/scripts/check-cve-2026-31431-live.sh), [`v6.19.5-xr10`](https://github.com/tinyland-inc/linux-xr/releases/tag/v6.19.5-xr10), [`xr11` build run](https://github.com/tinyland-inc/linux-xr/actions/runs/25609434372) | [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-31431), [Red Hat RHSB-2026-02](https://access.redhat.com/security/vulnerabilities/RHSB-2026-02), [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-31431), [Copy Fail](https://copy.fail/) |
| CVE-2026-43284 | Dirty Frag / ESP page-cache write | `v6.19.5-xr10` carries the repo-managed ESP backport on the vulnerable `6.19.5` base, and the merged `v6.19.5-xr11` build route keeps it. Published fixed floors include `5.10.255+`, `5.15.205+`, `6.1.171+`, `6.6.138+`, `6.12.87+`, `6.18.28+`, and `7.0.5+`; EOL `6.19.x` stays conservative and uses the repo backport. | [`xr/security/dirtyfrag-esp-shared-frag.patch`](xr/security/dirtyfrag-esp-shared-frag.patch), [`xr/scripts/build-rpm.sh`](xr/scripts/build-rpm.sh), [`v6.19.5-xr10`](https://github.com/tinyland-inc/linux-xr/releases/tag/v6.19.5-xr10), [`xr11` build run](https://github.com/tinyland-inc/linux-xr/actions/runs/25609434372) | [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-43284), [CVE record](https://www.cve.org/CVERecord?id=CVE-2026-43284), [Dirty Frag](https://github.com/Jesssullivan/dirtyfrag), [ESP netdev fix f4c50a4034e6](https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=f4c50a4034e6) |
| CVE-2026-43500 | Dirty Frag / RxRPC page-cache write | `v6.19.5-xr10` carried the first repo-managed RxRPC RXKAD linearize/COW hardening on the vulnerable `6.19.5` base. Current `xr/main` also carries the RXGK linearize/COW backport for `6.18.x`, `6.19.x`, and `7.0.x` bases that include RXGK; `v6.19.5-xr11` is the first merged build candidate expected to publish RXKAD plus RXGK coverage. As of the 2026-05-09 linux-xr check, Debian tracks fixed package builds but NVD/CVE.org are not public here and no kernel.org upstream fixed floor is recorded in the gate, so supported `6.12.x`, `6.18.x`, `6.19.x`, and `7.0.x` bases rely on the linux-xr backport route until proven otherwise. | [`xr/security/dirtyfrag-rxrpc-linearize.patch`](xr/security/dirtyfrag-rxrpc-linearize.patch), [`xr/security/dirtyfrag-rxrpc-rxgk-linearize.patch`](xr/security/dirtyfrag-rxrpc-rxgk-linearize.patch), [`xr/scripts/build-rpm.sh`](xr/scripts/build-rpm.sh), [`v6.19.5-xr10`](https://github.com/tinyland-inc/linux-xr/releases/tag/v6.19.5-xr10), [`xr11` build run](https://github.com/tinyland-inc/linux-xr/actions/runs/25609434372) | [Dirty Frag](https://github.com/Jesssullivan/dirtyfrag), [Debian CVE tracker](https://security-tracker.debian.org/tracker/CVE-2026-43500), [RxRPC patch route](https://lore.kernel.org/all/afKV2zGR6rrelPC7@v4bel/) |

## SELinux and Security Config

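Review bot: all three rows now link `xr11` via a GitHub Actions run URL (`actions/runs/25609434372`) in the "Repo links" column, next to release-tag links for `xr10`. Actions run pages and their logs are not durable release artifacts, so once `v6.19.5-xr11` is published the link should be replaced with the release tag like the `xr10` entry; until then, label it as a build run rather than a release. In the `CVE-2026-43500` row, "expected to publish RXKAD plus RXGK coverage" is a forecast in a status column; mark it as pending until artifacts exist.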
Expand Down Expand Up @@ -347,7 +347,7 @@ As of 2026-05-09, the latest published secured linux-xr lab release is
[`v6.19.5-xr10`](https://github.com/tinyland-inc/linux-xr/releases/tag/v6.19.5-xr10).
It keeps the `6.19.5` lab base but carries repo-managed
[`CVE-2026-31431`](#known-patched-cves-and-security-backports),
`CVE-2026-43284` Dirty Frag ESP, and reserved-`CVE-2026-43500` Dirty Frag
`CVE-2026-43284` Dirty Frag ESP, and `CVE-2026-43500` Dirty Frag
RxRPC backports. The generic `xr10` runtime is boot-proven on
`mbp-13` and `honey`; RT artifacts are published but remain gated on explicit
RT host validation. Kernel.org now lists
Expand All @@ -357,6 +357,13 @@ should not become the long-lived lab target. Issue
lab line to a selected maintained stable or longterm base and triaging all
carry patches.

The current merged build candidate is
[`v6.19.5-xr11`](https://github.com/tinyland-inc/linux-xr/actions/runs/25609434372)
from `xr/main` commit `3b55106d`. It keeps the `6.19.5` compatibility base,
adds the Dirty Frag RxRPC RXGK backport alongside the existing RXKAD route, and
should supersede `xr10` for lab rollout only after generic and RT artifacts are
uploaded and the target hosts boot the exact `6.19.5-11.xr.el10` kernel.

Current ingestion checkpoint:

- Generic `6.19.14` is a viable EOL compatibility proof target: the XR carry
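Review bot: the supersede criteria in the new paragraph ("generic and RT artifacts are uploaded and the target hosts boot the exact `6.19.5-11.xr.el10` kernel") prove that the artifact installed and booted, not that the RxRPC RXGK hardening is present in the running kernel. Since the document already describes a read-only check of a running host, add that check (and the security preflight) to the criteria so `xr11` is not promoted on boot evidence alone.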
Expand All @@ -366,11 +373,12 @@ Current ingestion checkpoint:
- Generic `6.18.28` longterm and `7.0.5` stable are maintained-base candidates:
the XR carry patches dry-run cleanly against both tarballs. Both have
`CVE-2026-43284` ESP fixed natively and still use the repo-managed
reserved-`CVE-2026-43500` RxRPC route until an upstream fixed floor is proven.
`CVE-2026-43500` RxRPC route until an upstream fixed floor is proven.
- Generic `6.12.87` has `CVE-2026-43284` ESP fixed natively and now has a
repo-managed reserved-`CVE-2026-43500` RxRPC route. It remains a fallback
candidate, but its real RPM proof is blocked on a zero-fuzz DSC carry conflict
found in `%prep`.
repo-managed `CVE-2026-43500` RxRPC route. It remains a fallback candidate,
but its next real RPM proof must preserve the Rocky/systemd
`CONFIG_FW_LOADER_USER_HELPER=n` boot contract while allowing newer hardening
symbols that do not exist in `6.12.y` to be absent rather than disabled.
- RT `7.0.1-rt2` and `6.19.3-rt1` pass the bounded carry/security preflights;
RT `6.18.13-rt4` still fails the CVE-2026-31431 gate. Keep RT promotion
separate from the generic SOTA target until a same-base RT patchset or local
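Review bot: the `6.12.87` bullet removes the previous blocker ("zero-fuzz DSC carry conflict found in `%prep`") without saying whether it was resolved; if it was, say so and link the evidence, otherwise it should stay in the checkpoint alongside the new constraint. The replacement text also introduces a policy ("allowing newer hardening symbols that do not exist in `6.12.y` to be absent rather than disabled") that the build check must implement by distinguishing a missing Kconfig symbol from one set to `n`; name or reference the list of symbols this applies to so the exception cannot silently widen.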
Expand All @@ -388,9 +396,9 @@ Current ingestion checkpoint:

| Patch/workstream | Upstream status | Next action |
|-------|----------------|-----|
| CVE-2026-31431 / Copy Fail / `algif_aead` | Fixed upstream in `7.0` and stable affected-range floors including `6.19.12`, `6.18.22`, `6.12.85`, `6.6.137`, `6.1.170`, `5.15.204`, and `5.10.254`; `v6.19.5-xr10` carries the `6.19.y` backport on the current `6.19.5` lab base | Keep fleet rollout on `xr10`, then rebase the generic lane to a maintained target such as `7.0.5` stable or `6.18.28` longterm under issue #37. Treat stock 6.12-class hosts as exposed to Dirty Frag RxRPC unless a vendor backport, mitigation, or linux-xr route is proven and installed. |
| CVE-2026-43284 / Dirty Frag ESP page-cache write | ESP shared-frag fix is in netdev/net commit `f4c50a4034e6` and published in stable floors including `6.12.87`, `6.18.28`, and `7.0.5`; the EOL `6.19.5` lab base remains protected by the repo backport | Keep `v6.19.5-xr10` as the current secured lab release, stop treating fixed maintained bases as needing the ESP backport, and keep `6.12.87` as a fallback candidate only after an RPM proof succeeds. |
| CVE-2026-43500 / Dirty Frag RxRPC page-cache write | Debian now tracks the reserved CVE and carries an `skb->data_len` RxRPC fix, but no NVD/CVE.org record or kernel.org upstream fixed floor is visible from the 2026-05-09 linux-xr check; linux-xr carries RXKAD and RXGK linearize/COW backports until that upstream floor is proven | Keep carrying RxRPC on source-sync candidates until upstream/vendor fixed floors are proven. |
| CVE-2026-31431 / Copy Fail / `algif_aead` | Fixed upstream in `7.0` and stable affected-range floors including `6.19.12`, `6.18.22`, `6.12.85`, `6.6.137`, `6.1.170`, `5.15.204`, and `5.10.254`; `v6.19.5-xr10` carries the `6.19.y` backport on the current `6.19.5` lab base, and the merged `xr11` candidate keeps it | Keep fleet rollout on `xr10` until `xr11` artifacts pass and host boot evidence exists, then rebase the generic lane to a maintained target such as `7.0.5` stable or `6.18.28` longterm under issue #37. Treat stock 6.12-class hosts as exposed to Dirty Frag RxRPC unless a vendor backport, mitigation, or linux-xr route is proven and installed. |
| CVE-2026-43284 / Dirty Frag ESP page-cache write | ESP shared-frag fix is in netdev/net commit `f4c50a4034e6` and published in stable floors including `6.12.87`, `6.18.28`, and `7.0.5`; the EOL `6.19.5` lab base remains protected by the repo backport | Keep `v6.19.5-xr10` as the latest published secured lab release until `xr11` artifacts pass, stop treating fixed maintained bases as needing the ESP backport, and keep `6.12.87` as a fallback candidate only after an RPM proof succeeds. |
| CVE-2026-43500 / Dirty Frag RxRPC page-cache write | Debian now tracks the CVE and carries an `skb->data_len` RxRPC fix, but no NVD/CVE.org record or kernel.org upstream fixed floor is visible from the 2026-05-09 linux-xr check; linux-xr carries RXKAD and RXGK linearize/COW backports until that upstream floor is proven | Publish and boot-validate `xr11` for the EOL `6.19.5` lab line, and keep carrying RxRPC on source-sync candidates until upstream/vendor fixed floors are proven. |
| VESA DisplayID DSC BPP parser / amdgpu handling | In-flight upstream series; not present in current upstream checkout | Track Bolyukin v7 fixed-DSC-BPP series and drop this part when it lands. |
| QP table + RC offset adjustments | Local carry; not submitted as a standalone upstream series | Split from the DisplayID parser carry using `xr/patches/0007-vesa-dsc-bpp.map.md` and decide whether this is evidence-backed upstream material or host-only risk. |
| EDID non-desktop quirk for `BIG/0x1234` and `BIG/0x5095` | Absent from current upstream checkout | Follow `xr/patches/bigscreen-beyond-edid.route.md`: local `BIG/0x1234` evidence now proves `non-desktop=1`; next regenerate an upstream/drm-misc topic patch and send via the DRM route. |
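Review bot: the `CVE-2026-31431` row's "Next action" cell still ends with "Treat stock 6.12-class hosts as exposed to Dirty Frag RxRPC unless a vendor backport, mitigation, or linux-xr route is proven and installed", which is guidance about `CVE-2026-43500`, not `CVE-2026-31431`. Move that sentence to the `CVE-2026-43500` row, which was edited in this hunk and is where a reader looking for the RxRPC posture will check.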
4 changes: 2 additions & 2 deletions xr/security/README.md
Expand Up @@ -11,8 +11,8 @@ feature carry; use `xr/patches/` for that path.
| --- | --- | --- |
| `cve-2026-31431-algif-aead.patch` | Linux stable `6.19.y` commit `ce42ee423e58`, backporting mainline `a664bf3d603d` | Applied automatically for vulnerable `6.19.x` bases before RT and XR carry patches |
| `dirtyfrag-esp-shared-frag.patch` | `CVE-2026-43284` Dirty Frag ESP mitigation from netdev/net commit `f4c50a4034e6` | Applied automatically for supported vulnerable `6.18.x`, `6.19.x`, and pre-`7.0.5` `7.0.x` bases before RT and XR carry patches; fixed maintained bases such as `6.12.87`, `6.18.28`, and `7.0.5` do not need this backport |
| `dirtyfrag-rxrpc-linearize.patch` | Reserved `CVE-2026-43500` linux-xr RXKAD backport adapted from the public Dirty Frag RxRPC patch route | Applied automatically for supported vulnerable `6.12.x`, `6.18.x`, `6.19.x`, and `7.0.x` bases before RT and XR carry patches until an upstream fixed floor is published and proven |
| `dirtyfrag-rxrpc-rxgk-linearize.patch` | Reserved `CVE-2026-43500` linux-xr RXGK backport for DATA/RESPONSE in-place decrypt paths | Applied automatically with the RXKAD backport for supported vulnerable `6.18.x`, `6.19.x`, and `7.0.x` bases that carry RXGK until an upstream fixed floor is published and proven |
| `dirtyfrag-rxrpc-linearize.patch` | `CVE-2026-43500` linux-xr RXKAD backport adapted from the public Dirty Frag RxRPC patch route; Debian now tracks fixed package builds, but this repo has not yet recorded a kernel.org fixed floor | Applied automatically for supported vulnerable `6.12.x`, `6.18.x`, `6.19.x`, and `7.0.x` bases before RT and XR carry patches until an upstream fixed floor is published and proven |
| `dirtyfrag-rxrpc-rxgk-linearize.patch` | `CVE-2026-43500` linux-xr RXGK backport for DATA/RESPONSE in-place decrypt paths; `v6.19.5-xr11` is the first merged build candidate expected to publish RXKAD plus RXGK coverage on the EOL `6.19.5` lab base | Applied automatically with the RXKAD backport for supported vulnerable `6.18.x`, `6.19.x`, and `7.0.x` bases that carry RXGK until an upstream fixed floor is published and proven |

Other affected kernel lines remain guarded by `xr/scripts/build-rpm.sh`, but do
not have repo-managed backports here. Use a fixed upstream floor, vendor-fixed
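Review bot: the `dirtyfrag-rxrpc-rxgk-linearize.patch` row now puts release-status narrative ("`v6.19.5-xr11` is the first merged build candidate expected to publish ...") in the provenance column, where the `dirtyfrag-rxrpc-linearize.patch` row records the source it was adapted from. Keep this column to provenance (which public patch route or commit the RXGK backport derives from, as the RXKAD row does) and leave release tracking to the main README's CVE table, so this file does not need editing on every release.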