Skip to content

[ciqlts9_4] Multiple patches tested (8 commits)#1149

Merged
PlaidCat merged 8 commits into
ciqlts9_4from
{ciq_kernel_automation}_ciqlts9_4
Apr 27, 2026
Merged

[ciqlts9_4] Multiple patches tested (8 commits)#1149
PlaidCat merged 8 commits into
ciqlts9_4from
{ciq_kernel_automation}_ciqlts9_4

Conversation

@ciq-kernel-automation

Copy link
Copy Markdown

Summary

This PR has been automatically created after successful completion of all CI stages.

Commit Message(s)

hwmon: (w83791d) Fix NULL pointer dereference by removing unnecessary structure field

jira VULN-63616
cve CVE-2021-47386
commit-author Nadezda Lutovinova <lutovinova@ispras.ru>
commit 943c15ac1b84d378da26bba41c83c67e16499ac4
hwmon: (w83793) Fix NULL pointer dereference by removing unnecessary structure field

jira VULN-63633
cve CVE-2021-47384
commit-author Nadezda Lutovinova <lutovinova@ispras.ru>
commit dd4d747ef05addab887dc8ff0d6ab9860bbcd783
nvmem: Fix shift-out-of-bound (UBSAN) with byte size cells

jira VULN-63539
cve CVE-2021-47497
commit-author Stephen Boyd <swboyd@chromium.org>
commit 5d388fa01fa6eb310ac023a363a6cb216d9d8fe9
tty: tty_buffer: Fix the softlockup issue in flush_to_ldisc

jira VULN-64290
cve CVE-2021-47185
commit-author Guanghui Feng <guanghuifeng@linux.alibaba.com>
commit 3968ddcf05fb4b9409cd1859feb06a5b0550a1c1
serial: core: fix transmit-buffer reset and memleak

jira VULN-63270
cve CVE-2021-47527
commit-author Johan Hovold <johan@kernel.org>
commit 00de977f9e0aa9760d9a79d1e41ff780f74e3424
asix: fix uninit-value in asix_mdio_read()

jira VULN-64167
cve CVE-2021-47101
commit-author Pavel Skripkin <paskripkin@gmail.com>
commit 8035b1a2a37a29d8c717ef84fca8fe7278bc9f03
um: Fix out-of-bounds read in LDT setup

jira VULN-51244
cve CVE-2022-49395
commit-author Vincent Whitchurch <vincent.whitchurch@axis.com>
commit 2a4a62a14be1947fa945c5c11ebf67326381a568
net/usb: kalmia: Don't pass act_len in usb_bulk_msg error path

jira VULN-35526
cve CVE-2023-52703
commit-author Miko Larsson <mikoxyzzz@gmail.com>
commit c68f345b7c425b38656e1791a0486769a8797016

Test Results

✅ Build Stage

Architecture Build Time Total Time
x86_64 27m 53s 28m 52s
aarch64 21m 10s 21m 57s

✅ Boot Verification

✅ Kernel Selftests

Architecture Passed Failed Compared Against Status
x86_64 188 29 ciqlts9_4 ⚠️ No baseline available
aarch64 144 31 ciqlts9_4 ⚠️ No baseline available

✅ LTP Results

Architecture Passed Failed Compared Against Status
x86_64 1329 81 ciqlts9_4 ⚠️ No baseline available
aarch64 1300 82 ciqlts9_4 ⚠️ No baseline available

🤖 This PR was automatically generated by GitHub Actions
Run ID: 24981633002

CIQ Kernel Automation added 8 commits April 27, 2026 07:08
… structure field

jira VULN-63616
cve CVE-2021-47386
commit-author Nadezda Lutovinova <lutovinova@ispras.ru>
commit 943c15a

If driver read val value sufficient for
(val & 0x08) && (!(val & 0x80)) && ((val & 0x7) == ((val >> 4) & 0x7))
from device then Null pointer dereference occurs.
(It is possible if tmp = 0b0xyz1xyz, where same literals mean same numbers)
Also lm75[] does not serve a purpose anymore after switching to
devm_i2c_new_dummy_device() in w83791d_detect_subclients().

The patch fixes possible NULL pointer dereference by removing lm75[].

Found by Linux Driver Verification project (linuxtesting.org).

	Cc: stable@vger.kernel.org
	Signed-off-by: Nadezda Lutovinova <lutovinova@ispras.ru>
Link: https://lore.kernel.org/r/20210921155153.28098-1-lutovinova@ispras.ru
[groeck: Dropped unnecessary continuation lines, fixed multi-line alignment]
	Signed-off-by: Guenter Roeck <linux@roeck-us.net>
(cherry picked from commit 943c15a)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
…structure field

jira VULN-63633
cve CVE-2021-47384
commit-author Nadezda Lutovinova <lutovinova@ispras.ru>
commit dd4d747

If driver read tmp value sufficient for
(tmp & 0x08) && (!(tmp & 0x80)) && ((tmp & 0x7) == ((tmp >> 4) & 0x7))
from device then Null pointer dereference occurs.
(It is possible if tmp = 0b0xyz1xyz, where same literals mean same numbers)
Also lm75[] does not serve a purpose anymore after switching to
devm_i2c_new_dummy_device() in w83791d_detect_subclients().

The patch fixes possible NULL pointer dereference by removing lm75[].

Found by Linux Driver Verification project (linuxtesting.org).

	Cc: stable@vger.kernel.org
	Signed-off-by: Nadezda Lutovinova <lutovinova@ispras.ru>
Link: https://lore.kernel.org/r/20210921155153.28098-3-lutovinova@ispras.ru
[groeck: Dropped unnecessary continuation lines, fixed multi-line alignments]
	Signed-off-by: Guenter Roeck <linux@roeck-us.net>
(cherry picked from commit dd4d747)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-63539
cve CVE-2021-47497
commit-author Stephen Boyd <swboyd@chromium.org>
commit 5d388fa

If a cell has 'nbits' equal to a multiple of BITS_PER_BYTE the logic

 *p &= GENMASK((cell->nbits%BITS_PER_BYTE) - 1, 0);

will become undefined behavior because nbits modulo BITS_PER_BYTE is 0, and we
subtract one from that making a large number that is then shifted more than the
number of bits that fit into an unsigned long.

UBSAN reports this problem:

 UBSAN: shift-out-of-bounds in drivers/nvmem/core.c:1386:8
 shift exponent 64 is too large for 64-bit type 'unsigned long'
 CPU: 6 PID: 7 Comm: kworker/u16:0 Not tainted 5.15.0-rc3+ #9
 Hardware name: Google Lazor (rev3+) with KB Backlight (DT)
 Workqueue: events_unbound deferred_probe_work_func
 Call trace:
  dump_backtrace+0x0/0x170
  show_stack+0x24/0x30
  dump_stack_lvl+0x64/0x7c
  dump_stack+0x18/0x38
  ubsan_epilogue+0x10/0x54
  __ubsan_handle_shift_out_of_bounds+0x180/0x194
  __nvmem_cell_read+0x1ec/0x21c
  nvmem_cell_read+0x58/0x94
  nvmem_cell_read_variable_common+0x4c/0xb0
  nvmem_cell_read_variable_le_u32+0x40/0x100
  a6xx_gpu_init+0x170/0x2f4
  adreno_bind+0x174/0x284
  component_bind_all+0xf0/0x264
  msm_drm_bind+0x1d8/0x7a0
  try_to_bring_up_master+0x164/0x1ac
  __component_add+0xbc/0x13c
  component_add+0x20/0x2c
  dp_display_probe+0x340/0x384
  platform_probe+0xc0/0x100
  really_probe+0x110/0x304
  __driver_probe_device+0xb8/0x120
  driver_probe_device+0x4c/0xfc
  __device_attach_driver+0xb0/0x128
  bus_for_each_drv+0x90/0xdc
  __device_attach+0xc8/0x174
  device_initial_probe+0x20/0x2c
  bus_probe_device+0x40/0xa4
  deferred_probe_work_func+0x7c/0xb8
  process_one_work+0x128/0x21c
  process_scheduled_works+0x40/0x54
  worker_thread+0x1ec/0x2a8
  kthread+0x138/0x158
  ret_from_fork+0x10/0x20

Fix it by making sure there are any bits to mask out.

Fixes: 69aba79 ("nvmem: Add a simple NVMEM framework for consumers")
	Cc: Douglas Anderson <dianders@chromium.org>
	Cc: stable@vger.kernel.org
	Signed-off-by: Stephen Boyd <swboyd@chromium.org>
	Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Link: https://lore.kernel.org/r/20211013124511.18726-1-srinivas.kandagatla@linaro.org
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 5d388fa)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-64290
cve CVE-2021-47185
commit-author Guanghui Feng <guanghuifeng@linux.alibaba.com>
commit 3968ddc

When running ltp testcase(ltp/testcases/kernel/pty/pty04.c) with arm64, there is a soft lockup,
which look like this one:

  Workqueue: events_unbound flush_to_ldisc
  Call trace:
   dump_backtrace+0x0/0x1ec
   show_stack+0x24/0x30
   dump_stack+0xd0/0x128
   panic+0x15c/0x374
   watchdog_timer_fn+0x2b8/0x304
   __run_hrtimer+0x88/0x2c0
   __hrtimer_run_queues+0xa4/0x120
   hrtimer_interrupt+0xfc/0x270
   arch_timer_handler_phys+0x40/0x50
   handle_percpu_devid_irq+0x94/0x220
   __handle_domain_irq+0x88/0xf0
   gic_handle_irq+0x84/0xfc
   el1_irq+0xc8/0x180
   slip_unesc+0x80/0x214 [slip]
   tty_ldisc_receive_buf+0x64/0x80
   tty_port_default_receive_buf+0x50/0x90
   flush_to_ldisc+0xbc/0x110
   process_one_work+0x1d4/0x4b0
   worker_thread+0x180/0x430
   kthread+0x11c/0x120

In the testcase pty04, The first process call the write syscall to send
data to the pty master. At the same time, the workqueue will do the
flush_to_ldisc to pop data in a loop until there is no more data left.
When the sender and workqueue running in different core, the sender sends
data fastly in full time which will result in workqueue doing work in loop
for a long time and occuring softlockup in flush_to_ldisc with kernel
configured without preempt. So I add need_resched check and cond_resched
in the flush_to_ldisc loop to avoid it.

	Signed-off-by: Guanghui Feng <guanghuifeng@linux.alibaba.com>
Link: https://lore.kernel.org/r/1633961304-24759-1-git-send-email-guanghuifeng@linux.alibaba.com
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 3968ddc)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-63270
cve CVE-2021-47527
commit-author Johan Hovold <johan@kernel.org>
commit 00de977

Commit 761ed4a ("tty: serial_core: convert uart_close to use
tty_port_close") converted serial core to use tty_port_close() but
failed to notice that the transmit buffer still needs to be freed on
final close.

Not freeing the transmit buffer means that the buffer is no longer
cleared on next open so that any ioctl() waiting for the buffer to drain
might wait indefinitely (e.g. on termios changes) or that stale data can
end up being transmitted in case tx is restarted.

Furthermore, the buffer of any port that has been opened would leak on
driver unbind.

Note that the port lock is held when clearing the buffer pointer due to
the ldisc race worked around by commit a5ba1d9 ("uart: fix race
between uart_put_char() and uart_shutdown()").

Also note that the tty-port shutdown() callback is not called for
console ports so it is not strictly necessary to free the buffer page
after releasing the lock (cf. d724021 ("tty/serial: do not free
trasnmit buffer page under port lock")).

Link: https://lore.kernel.org/r/319321886d97c456203d5c6a576a5480d07c3478.1635781688.git.baruch@tkos.co.il
Fixes: 761ed4a ("tty: serial_core: convert uart_close to use tty_port_close")
	Cc: stable@vger.kernel.org      # 4.9
	Cc: Rob Herring <robh@kernel.org>
	Reported-by: Baruch Siach <baruch@tkos.co.il>
	Tested-by: Baruch Siach <baruch@tkos.co.il>
	Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20211108085431.12637-1-johan@kernel.org
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 00de977)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-64167
cve CVE-2021-47101
commit-author Pavel Skripkin <paskripkin@gmail.com>
commit 8035b1a

asix_read_cmd() may read less than sizeof(smsr) bytes and in this case
smsr will be uninitialized.

Fail log:
BUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline]
BUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497
BUG: KMSAN: uninit-value in asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497
 asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline]
 asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497
 asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497

Fixes: d9fe64e ("net: asix: Add in_pm parameter")
Reported-and-tested-by: syzbot+f44badb06036334e867a@syzkaller.appspotmail.com
	Reviewed-by: Andrew Lunn <andrew@lunn.ch>
	Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Link: https://lore.kernel.org/r/8966e3b514edf39857dd93603fc79ec02e000a75.1640117288.git.paskripkin@gmail.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 8035b1a)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-51244
cve CVE-2022-49395
commit-author Vincent Whitchurch <vincent.whitchurch@axis.com>
commit 2a4a62a

syscall_stub_data() expects the data_count parameter to be the number of
longs, not bytes.

 ==================================================================
 BUG: KASAN: stack-out-of-bounds in syscall_stub_data+0x70/0xe0
 Read of size 128 at addr 000000006411f6f0 by task swapper/1

 CPU: 0 PID: 1 Comm: swapper Not tainted 5.18.0+ #18
 Call Trace:
  show_stack.cold+0x166/0x2a7
  __dump_stack+0x3a/0x43
  dump_stack_lvl+0x1f/0x27
  print_report.cold+0xdb/0xf81
  kasan_report+0x119/0x1f0
  kasan_check_range+0x3a3/0x440
  memcpy+0x52/0x140
  syscall_stub_data+0x70/0xe0
  write_ldt_entry+0xac/0x190
  init_new_ldt+0x515/0x960
  init_new_context+0x2c4/0x4d0
  mm_init.constprop.0+0x5ed/0x760
  mm_alloc+0x118/0x170
  0x60033f48
  do_one_initcall+0x1d7/0x860
  0x60003e7b
  kernel_init+0x6e/0x3d4
  new_thread_handler+0x1e7/0x2c0

 The buggy address belongs to stack of task swapper/1
  and is located at offset 64 in frame:
  init_new_ldt+0x0/0x960

 This frame has 2 objects:
  [32, 40) 'addr'
  [64, 80) 'desc'
 ==================================================================

Fixes: 858259c ("uml: maintain own LDT entries")
	Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
	Cc: stable@vger.kernel.org
	Signed-off-by: Richard Weinberger <richard@nod.at>
(cherry picked from commit 2a4a62a)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-35526
cve CVE-2023-52703
commit-author Miko Larsson <mikoxyzzz@gmail.com>
commit c68f345

syzbot reported that act_len in kalmia_send_init_packet() is
uninitialized when passing it to the first usb_bulk_msg error path. Jiri
Pirko noted that it's pointless to pass it in the error path, and that
the value that would be printed in the second error path would be the
value of act_len from the first call to usb_bulk_msg.[1]

With this in mind, let's just not pass act_len to the usb_bulk_msg error
paths.

1: https://lore.kernel.org/lkml/Y9pY61y1nwTuzMOa@nanopsycho/

Fixes: d402612 ("net/usb: Add Samsung Kalmia driver for Samsung GT-B3730")
Reported-and-tested-by: syzbot+cd80c5ef5121bfe85b55@syzkaller.appspotmail.com
	Signed-off-by: Miko Larsson <mikoxyzzz@gmail.com>
	Reviewed-by: Alexander Duyck <alexanderduyck@fb.com>
	Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit c68f345)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
@ciq-kernel-automation ciq-kernel-automation Bot added the created-by-kernelci Tag PRs that were automatically created when a user branch was pushed to the repo (kernelCI) label Apr 27, 2026
@github-actions

Copy link
Copy Markdown

🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/24990418840

@github-actions

Copy link
Copy Markdown

🔍 Interdiff Analysis

  • ⚠️ PR commit 4265b5d1ff3 (hwmon: (w83791d) Fix NULL pointer dereference by removing unnecessary structure field) → upstream 943c15ac1b84
    Differences found:
================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/drivers/hwmon/w83791d.c
+++ b/drivers/hwmon/w83791d.c
@@ -270,4 +270,4 @@
-	bool valid;			/* true if following fields are valid */
+	char valid;			/* !=0 if following fields are valid */
 	unsigned long last_updated;	/* In jiffies */
 
 	/* array of 2 pointers to subclients */
  • ⚠️ PR commit c27c1dd0912 (hwmon: (w83793) Fix NULL pointer dereference by removing unnecessary structure field) → upstream dd4d747ef05a
    Differences found:
================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/drivers/hwmon/w83793.c
+++ b/drivers/hwmon/w83793.c
@@ -205,4 +205,4 @@
 	struct i2c_client *lm75[2];
 	struct device *hwmon_dev;
 	struct mutex update_lock;
-	bool valid;			/* true if following fields are valid */
+	char valid;			/* !=0 if following fields are valid */

This is an automated interdiff check for backported commits.

@github-actions

Copy link
Copy Markdown

Validation checks completed successfully View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/24990418840

@shreeya-patel98 shreeya-patel98 requested a review from a team April 27, 2026 14:36

@PlaidCat PlaidCat left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:shipit:

@PlaidCat PlaidCat merged commit 5dbc71a into ciqlts9_4 Apr 27, 2026
7 checks passed
@PlaidCat PlaidCat deleted the {ciq_kernel_automation}_ciqlts9_4 branch April 27, 2026 14:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

created-by-kernelci Tag PRs that were automatically created when a user branch was pushed to the repo (kernelCI)

Development

Successfully merging this pull request may close these issues.

2 participants