Skip to content

[ciqlts9_2] Multiple patches tested (7 commits)#1125

Merged
roxanan1996 merged 7 commits into
ciqlts9_2from
{ciq_kernel_automation}_ciqlts9_2
Apr 21, 2026
Merged

[ciqlts9_2] Multiple patches tested (7 commits)#1125
roxanan1996 merged 7 commits into
ciqlts9_2from
{ciq_kernel_automation}_ciqlts9_2

Conversation

@ciq-kernel-automation

Copy link
Copy Markdown

Summary

This PR has been automatically created after successful completion of all CI stages.

Commit Message(s)

KVM: SVM: Flush pages under kvm->lock to fix UAF in svm_register_enc_region()

jira VULN-47177
cve CVE-2024-35791
commit-author Sean Christopherson <seanjc@google.com>
commit 5ef1d8c1ddbf696e47b226e11888eaf8d9e8e807
ipv6: fix potential "struct net" leak in inet6_rtm_getaddr()

jira VULN-42852
cve CVE-2024-27417
commit-author Eric Dumazet <edumazet@google.com>
commit 10bfd453da64a057bcfd1a49fb6b271c48653cdb
Bluetooth: Avoid potential use-after-free in hci_error_reset

jira VULN-3101
cve CVE-2024-26801
commit-author Ying Hsu <yinghsu@chromium.org>
commit 2449007d3f73b2842c9734f45f0aadb522daf592
NFSv4.2: fix nfs4_listxattr kernel BUG at mm/usercopy.c:102

jira VULN-4877
cve CVE-2024-26870
commit-author Jorge Mora <jmora1300@gmail.com>
commit 251a658bbfceafb4d58c76b77682c8bf7bcfad65
vt: fix unicode buffer corruption when deleting characters

jira VULN-5074
cve CVE-2024-35823
commit-author Nicolas Pitre <nico@fluxnic.net>
commit 1581dafaf0d34bc9c428a794a22110d7046d186d
net: ice: Fix potential NULL pointer dereference in ice_bridge_setlink()

jira VULN-37073
cve CVE-2024-26855
commit-author Rand Deeb <rand.sec96@gmail.com>
commit 06e456a05d669ca30b224b8ed962421770c1496c
mac802154: fix llsec key resources release in mac802154_llsec_key_del

jira VULN-4938
cve CVE-2024-26961
commit-author Fedor Pchelkin <pchelkin@ispras.ru>
commit e8a1e58345cf40b7b272e08ac7b32328b2543e40

Test Results

✅ Build Stage

Architecture Build Time Total Time
x86_64 24m 33s 25m 28s
aarch64 12m 27s 13m 0s

✅ Boot Verification

✅ Kernel Selftests

Architecture Passed Failed Compared Against Status
x86_64 173 25 ciqlts9_2 ✅ No regressions
aarch64 139 29 ciqlts9_2 ✅ No regressions

✅ LTP Results

Architecture Passed Failed Compared Against Status
x86_64 1321 81 ciqlts9_2 ⚠️ No baseline available
aarch64 1291 83 ciqlts9_2 ⚠️ No baseline available

🤖 This PR was automatically generated by GitHub Actions
Run ID: 24659720144

CIQ Kernel Automation added 7 commits April 20, 2026 11:44
…region()

jira VULN-47177
cve CVE-2024-35791
commit-author Sean Christopherson <seanjc@google.com>
commit 5ef1d8c

Do the cache flush of converted pages in svm_register_enc_region() before
dropping kvm->lock to fix use-after-free issues where region and/or its
array of pages could be freed by a different task, e.g. if userspace has
__unregister_enc_region_locked() already queued up for the region.

Note, the "obvious" alternative of using local variables doesn't fully
resolve the bug, as region->pages is also dynamically allocated.  I.e. the
region structure itself would be fine, but region->pages could be freed.

Flushing multiple pages under kvm->lock is unfortunate, but the entire
flow is a rare slow path, and the manual flush is only needed on CPUs that
lack coherency for encrypted memory.

Fixes: 19a23da ("Fix unsynchronized access to sev members through svm_register_enc_region")
	Reported-by: Gabe Kirkpatrick <gkirkpatrick@google.com>
	Cc: Josh Eads <josheads@google.com>
	Cc: Peter Gonda <pgonda@google.com>
	Cc: stable@vger.kernel.org
	Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20240217013430.2079561-1-seanjc@google.com>
	Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 5ef1d8c)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-42852
cve CVE-2024-27417
commit-author Eric Dumazet <edumazet@google.com>
commit 10bfd45

It seems that if userspace provides a correct IFA_TARGET_NETNSID value
but no IFA_ADDRESS and IFA_LOCAL attributes, inet6_rtm_getaddr()
returns -EINVAL with an elevated "struct net" refcount.

Fixes: 6ecf4c3 ("ipv6: enable IFA_TARGET_NETNSID for RTM_GETADDR")
	Signed-off-by: Eric Dumazet <edumazet@google.com>
	Cc: Christian Brauner <brauner@kernel.org>
	Cc: David Ahern <dsahern@kernel.org>
	Reviewed-by: David Ahern <dsahern@kernel.org>
	Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 10bfd45)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-3101
cve CVE-2024-26801
commit-author Ying Hsu <yinghsu@chromium.org>
commit 2449007

While handling the HCI_EV_HARDWARE_ERROR event, if the underlying
BT controller is not responding, the GPIO reset mechanism would
free the hci_dev and lead to a use-after-free in hci_error_reset.

Here's the call trace observed on a ChromeOS device with Intel AX201:
   queue_work_on+0x3e/0x6c
   __hci_cmd_sync_sk+0x2ee/0x4c0 [bluetooth <HASH:3b4a6>]
   ? init_wait_entry+0x31/0x31
   __hci_cmd_sync+0x16/0x20 [bluetooth <HASH:3b4a 6>]
   hci_error_reset+0x4f/0xa4 [bluetooth <HASH:3b4a 6>]
   process_one_work+0x1d8/0x33f
   worker_thread+0x21b/0x373
   kthread+0x13a/0x152
   ? pr_cont_work+0x54/0x54
   ? kthread_blkcg+0x31/0x31
    ret_from_fork+0x1f/0x30

This patch holds the reference count on the hci_dev while processing
a HCI_EV_HARDWARE_ERROR event to avoid potential crash.

Fixes: c7741d1 ("Bluetooth: Perform a power cycle when receiving hardware error event")
	Signed-off-by: Ying Hsu <yinghsu@chromium.org>
	Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
(cherry picked from commit 2449007)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-4877
cve CVE-2024-26870
commit-author Jorge Mora <jmora1300@gmail.com>
commit 251a658

A call to listxattr() with a buffer size = 0 returns the actual
size of the buffer needed for a subsequent call. When size > 0,
nfs4_listxattr() does not return an error because either
generic_listxattr() or nfs4_listxattr_nfs4_label() consumes
exactly all the bytes then size is 0 when calling
nfs4_listxattr_nfs4_user() which then triggers the following
kernel BUG:

  [   99.403778] kernel BUG at mm/usercopy.c:102!
  [   99.404063] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
  [   99.408463] CPU: 0 PID: 3310 Comm: python3 Not tainted 6.6.0-61.fc40.aarch64 #1
  [   99.415827] Call trace:
  [   99.415985]  usercopy_abort+0x70/0xa0
  [   99.416227]  __check_heap_object+0x134/0x158
  [   99.416505]  check_heap_object+0x150/0x188
  [   99.416696]  __check_object_size.part.0+0x78/0x168
  [   99.416886]  __check_object_size+0x28/0x40
  [   99.417078]  listxattr+0x8c/0x120
  [   99.417252]  path_listxattr+0x78/0xe0
  [   99.417476]  __arm64_sys_listxattr+0x28/0x40
  [   99.417723]  invoke_syscall+0x78/0x100
  [   99.417929]  el0_svc_common.constprop.0+0x48/0xf0
  [   99.418186]  do_el0_svc+0x24/0x38
  [   99.418376]  el0_svc+0x3c/0x110
  [   99.418554]  el0t_64_sync_handler+0x120/0x130
  [   99.418788]  el0t_64_sync+0x194/0x198
  [   99.418994] Code: aa0003e3 d000a3e0 91310000 97f49bdb (d4210000)

Issue is reproduced when generic_listxattr() returns 'system.nfs4_acl',
thus calling lisxattr() with size = 16 will trigger the bug.

Add check on nfs4_listxattr() to return ERANGE error when it is
called with size > 0 and the return value is greater than size.

Fixes: 012a211 ("NFSv4.2: hook in the user extended attribute handlers")
	Signed-off-by: Jorge Mora <mora@netapp.com>
	Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
	Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
(cherry picked from commit 251a658)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-5074
cve CVE-2024-35823
commit-author Nicolas Pitre <nico@fluxnic.net>
commit 1581daf

This is the same issue that was fixed for the VGA text buffer in commit
39cdb68 ("vt: fix memory overlapping when deleting chars in the
buffer"). The cure is also the same i.e. replace memcpy() with memmove()
due to the overlaping buffers.

	Signed-off-by: Nicolas Pitre <nico@fluxnic.net>
Fixes: 81732c3 ("tty vt: Fix line garbage in virtual console on command line edition")
	Cc: stable <stable@kernel.org>
Link: https://lore.kernel.org/r/sn184on2-3p0q-0qrq-0218-895349s4753o@syhkavp.arg
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 1581daf)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-37073
cve CVE-2024-26855
commit-author Rand Deeb <rand.sec96@gmail.com>
commit 06e456a

The function ice_bridge_setlink() may encounter a NULL pointer dereference
if nlmsg_find_attr() returns NULL and br_spec is dereferenced subsequently
in nla_for_each_nested(). To address this issue, add a check to ensure that
br_spec is not NULL before proceeding with the nested attribute iteration.

Fixes: b1edc14 ("ice: Implement ice_bridge_getlink and ice_bridge_setlink")
	Signed-off-by: Rand Deeb <rand.sec96@gmail.com>
	Reviewed-by: Simon Horman <horms@kernel.org>
	Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
(cherry picked from commit 06e456a)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-4938
cve CVE-2024-26961
commit-author Fedor Pchelkin <pchelkin@ispras.ru>
commit e8a1e58

mac802154_llsec_key_del() can free resources of a key directly without
following the RCU rules for waiting before the end of a grace period. This
may lead to use-after-free in case llsec_lookup_key() is traversing the
list of keys in parallel with a key deletion:

refcount_t: addition on 0; use-after-free.
WARNING: CPU: 4 PID: 16000 at lib/refcount.c:25 refcount_warn_saturate+0x162/0x2a0
Modules linked in:
CPU: 4 PID: 16000 Comm: wpan-ping Not tainted 6.7.0 #19
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:refcount_warn_saturate+0x162/0x2a0
Call Trace:
 <TASK>
 llsec_lookup_key.isra.0+0x890/0x9e0
 mac802154_llsec_encrypt+0x30c/0x9c0
 ieee802154_subif_start_xmit+0x24/0x1e0
 dev_hard_start_xmit+0x13e/0x690
 sch_direct_xmit+0x2ae/0xbc0
 __dev_queue_xmit+0x11dd/0x3c20
 dgram_sendmsg+0x90b/0xd60
 __sys_sendto+0x466/0x4c0
 __x64_sys_sendto+0xe0/0x1c0
 do_syscall_64+0x45/0xf0
 entry_SYSCALL_64_after_hwframe+0x6e/0x76

Also, ieee802154_llsec_key_entry structures are not freed by
mac802154_llsec_key_del():

unreferenced object 0xffff8880613b6980 (size 64):
  comm "iwpan", pid 2176, jiffies 4294761134 (age 60.475s)
  hex dump (first 32 bytes):
    78 0d 8f 18 80 88 ff ff 22 01 00 00 00 00 ad de  x.......".......
    00 00 00 00 00 00 00 00 03 00 cd ab 00 00 00 00  ................
  backtrace:
    [<ffffffff81dcfa62>] __kmem_cache_alloc_node+0x1e2/0x2d0
    [<ffffffff81c43865>] kmalloc_trace+0x25/0xc0
    [<ffffffff88968b09>] mac802154_llsec_key_add+0xac9/0xcf0
    [<ffffffff8896e41a>] ieee802154_add_llsec_key+0x5a/0x80
    [<ffffffff8892adc6>] nl802154_add_llsec_key+0x426/0x5b0
    [<ffffffff86ff293e>] genl_family_rcv_msg_doit+0x1fe/0x2f0
    [<ffffffff86ff46d1>] genl_rcv_msg+0x531/0x7d0
    [<ffffffff86fee7a9>] netlink_rcv_skb+0x169/0x440
    [<ffffffff86ff1d88>] genl_rcv+0x28/0x40
    [<ffffffff86fec15c>] netlink_unicast+0x53c/0x820
    [<ffffffff86fecd8b>] netlink_sendmsg+0x93b/0xe60
    [<ffffffff86b91b35>] ____sys_sendmsg+0xac5/0xca0
    [<ffffffff86b9c3dd>] ___sys_sendmsg+0x11d/0x1c0
    [<ffffffff86b9c65a>] __sys_sendmsg+0xfa/0x1d0
    [<ffffffff88eadbf5>] do_syscall_64+0x45/0xf0
    [<ffffffff890000ea>] entry_SYSCALL_64_after_hwframe+0x6e/0x76

Handle the proper resource release in the RCU callback function
mac802154_llsec_key_del_rcu().

Note that if llsec_lookup_key() finds a key, it gets a refcount via
llsec_key_get() and locally copies key id from key_entry (which is a
list element). So it's safe to call llsec_key_put() and free the list
entry after the RCU grace period elapses.

Found by Linux Verification Center (linuxtesting.org).

Fixes: 5d637d5 ("mac802154: add llsec structures and mutators")
	Cc: stable@vger.kernel.org
	Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
	Acked-by: Alexander Aring <aahringo@redhat.com>
Message-ID: <20240228163840.6667-1-pchelkin@ispras.ru>
	Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
(cherry picked from commit e8a1e58)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
@ciq-kernel-automation ciq-kernel-automation Bot added the created-by-kernelci Tag PRs that were automatically created when a user branch was pushed to the repo (kernelCI) label Apr 20, 2026
@github-actions

Copy link
Copy Markdown

🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/24668752094

@github-actions

Copy link
Copy Markdown

🔍 Interdiff Analysis

  • ⚠️ PR commit ec508c9e0b8 (vt: fix unicode buffer corruption when deleting characters) → upstream 1581dafaf0d3
    Differences found:
================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -378,4 +378,4 @@
-		char32_t *ln = uniscr->lines[vc->state.y];
+		u32 *ln = vc->vc_uni_lines[vc->state.y];
 		unsigned int x = vc->state.x, cols = vc->vc_cols;
 
 		memcpy(&ln[x], &ln[x + nr], (cols - x - nr) * sizeof(*ln));

This is an automated interdiff check for backported commits.

@github-actions

Copy link
Copy Markdown

Validation checks completed successfully View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/24668752094

@bmastbergen bmastbergen self-requested a review April 20, 2026 19:19

@bmastbergen bmastbergen left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🥌

@bmastbergen bmastbergen requested a review from a team April 20, 2026 19:20
@PlaidCat

Copy link
Copy Markdown
Collaborator

🔍 Interdiff Analysis

* ⚠️ PR commit `ec508c9e0b8 (vt: fix unicode buffer corruption when deleting characters)` → upstream `1581dafaf0d3`
  **Differences found:**
================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -378,4 +378,4 @@
-		char32_t *ln = uniscr->lines[vc->state.y];
+		u32 *ln = vc->vc_uni_lines[vc->state.y];
 		unsigned int x = vc->state.x, cols = vc->vc_cols;
 
 		memcpy(&ln[x], &ln[x + nr], (cols - x - nr) * sizeof(*ln));

This is an automated interdiff check for backported commits.

Delta of code context diffs that impact the changed code:
tty: vt: remove char32_t typedef
0c8414a
and
tty: vt: remove struct uni_screen
feb36ab

@PlaidCat PlaidCat left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:shipit:

@roxanan1996 roxanan1996 merged commit 913dd3a into ciqlts9_2 Apr 21, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

created-by-kernelci Tag PRs that were automatically created when a user branch was pushed to the repo (kernelCI)

Development

Successfully merging this pull request may close these issues.

3 participants