Skip to content

[ciqlts8_6] Multiple patches tested (10 commits)#1151

Merged
roxanan1996 merged 10 commits into
ciqlts8_6from
{ciq_kernel_automation}_ciqlts8_6
Apr 29, 2026
Merged

[ciqlts8_6] Multiple patches tested (10 commits)#1151
roxanan1996 merged 10 commits into
ciqlts8_6from
{ciq_kernel_automation}_ciqlts8_6

Conversation

@ciq-kernel-automation

@ciq-kernel-automation ciq-kernel-automation Bot commented Apr 27, 2026

Copy link
Copy Markdown

Summary

This PR has been automatically created after successful completion of all CI stages.

Commit Message(s)

cifs: Return correct error code from smb2_get_enc_key

jira VULN-61636
cve CVE-2021-46960
commit-author Paul Aurich <paul@darkrain42.org>
commit 83728cbf366e334301091d5b808add468ab46b27
mISDN: fix possible use-after-free in HFC_cleanup()

jira VULN-61254
cve CVE-2021-47356
commit-author Zou Wei <zou_wei@huawei.com>
commit 009fc857c5f6fda81f2f7dd851b2d54193a8e733
mISDN: hfcpci: Fix use-after-free bug in hfcpci_softirq

jira VULN-61254
cve-bf CVE-2021-47356
commit-author Duoming Zhou <duoming@zju.edu.cn>
commit 175302f6b79ebbb207c2d58d6d3e679465de23b0
mISDN: hfcpci: Fix warning when deleting uninitialized timer

jira VULN-155209
cve CVE-2025-39833
commit-author Vladimir Riabchun <ferr.lambarginio@gmail.com>
commit 97766512a9951b9fd6fc97f1b93211642bb0b220
cxgb4: avoid accessing registers when clearing filters

jira VULN-62707
cve CVE-2021-47138
commit-author Raju Rangoju <rajur@chelsio.com>
commit 88c380df84fbd03f9b137c2b9d0a44b9f2f553b0
virtio-net: Add validation for used length

jira VULN-63928
cve CVE-2021-47352
commit-author Xie Yongji <xieyongji@bytedance.com>
commit ad993a95c508417acdeb15244109e009e50d8758
net: ti: fix UAF in tlan_remove_one

jira VULN-63850
cve CVE-2021-47310
commit-author Pavel Skripkin <paskripkin@gmail.com>
commit 0336f8ffece62f882ab3012820965a786a983f70
net: qcom/emac: fix UAF in emac_remove

jira VULN-63828
cve CVE-2021-47311
commit-author Pavel Skripkin <paskripkin@gmail.com>
commit ad297cd2db8953e2202970e9504cab247b6c7cb4
net/sched: act_skbmod: Skip non-Ethernet packets

jira VULN-135922
cve CVE-2021-47293
commit-author Peilin Ye <peilin.ye@bytedance.com>
commit 727d6a8b7ef3d25080fad228b2c4a1d4da5999c6
hwmon: (mlxreg-fan) Return non-zero value when fan current state is enforced from sysfs

jira VULN-63645
cve CVE-2021-47393
commit-author Vadim Pasternak <vadimp@nvidia.com>
commit e6fab7af6ba1bc77c78713a83876f60ca7a4a064

Test Results

✅ Build Stage

Architecture Build Time Total Time
x86_64 23m 44s 24m 42s
aarch64 9m 35s 10m 13s

✅ Boot Verification

✅ Kernel Selftests

Architecture Passed Failed Compared Against Status
x86_64 108 31 ciqlts8_6 ✅ No regressions
aarch64 66 21 ciqlts8_6 ✅ No regressions

✅ LTP Results

Architecture Passed Failed Compared Against Status
x86_64 1455 14 ciqlts8_6 ✅ No regressions
aarch64 1425 14 ciqlts8_6 ✅ No regressions

x86_64 newly passing:

  • binfmt_misc01 (PASS)
  • binfmt_misc02 (PASS)
  • cap_bounds (PASS)
  • check_keepcaps01 (PASS)
  • check_keepcaps02 (PASS)
  • check_keepcaps03 (PASS)
  • cve-2022-0185 (PASS)
  • cve-2022-4378 (PASS)
  • dio01 (PASS)
  • dio02 (PASS)
  • dio03 (PASS)
  • dio04 (PASS)
  • dio05 (PASS)
  • dio06 (PASS)
  • dio07 (PASS)
  • dio08 (PASS)
  • dio09 (PASS)
  • dio10 (PASS)
  • dio11 (PASS)
  • dio12 (PASS)
  • dio13 (PASS)
  • dio14 (PASS)
  • dio15 (PASS)
  • dio16 (PASS)
  • dio17 (PASS)
  • dio18 (PASS)
  • dio19 (PASS)
  • dio20 (PASS)
  • dio21 (PASS)
  • dio22 (PASS)
  • dio23 (PASS)
  • dio24 (PASS)
  • dio25 (PASS)
  • dio26 (PASS)
  • dio27 (PASS)
  • dio28 (PASS)
  • dio29 (PASS)
  • dio30 (PASS)
  • filecaps (PASS)
  • fs_di (PASS)
  • fs_fill (FAIL)
  • fs_inod01 (PASS)
  • fs_perms01 (PASS)
  • fs_perms02 (PASS)
  • fs_perms03 (PASS)
  • fs_perms04 (PASS)
  • fs_perms05 (PASS)
  • fs_perms06 (PASS)
  • fs_perms07 (PASS)
  • fs_perms08 (PASS)
  • fs_perms09 (PASS)
  • fs_perms10 (PASS)
  • fs_perms11 (PASS)
  • fs_perms12 (PASS)
  • fs_perms13 (PASS)
  • fs_perms14 (PASS)
  • fs_perms15 (PASS)
  • fs_perms16 (PASS)
  • fs_perms17 (PASS)
  • fs_perms18 (PASS)
  • fs_racer (PASS)
  • ftest01 (PASS)
  • ftest02 (PASS)
  • ftest03 (PASS)
  • ftest04 (PASS)
  • ftest05 (PASS)
  • ftest06 (PASS)
  • ftest07 (PASS)
  • ftest08 (PASS)
  • gf01 (PASS)
  • gf02 (PASS)
  • gf03 (PASS)
  • gf04 (PASS)
  • gf05 (PASS)
  • gf06 (PASS)
  • gf07 (PASS)
  • gf08 (PASS)
  • gf09 (PASS)
  • gf10 (PASS)
  • gf11 (PASS)
  • gf12 (PASS)
  • gf13 (PASS)
  • gf14 (PASS)
  • gf15 (PASS)
  • gf16 (PASS)
  • gf17 (PASS)
  • gf18 (PASS)
  • gf19 (PASS)
  • gf20 (PASS)
  • gf21 (PASS)
  • gf22 (PASS)
  • gf23 (PASS)
  • gf24 (PASS)
  • gf25 (PASS)
  • gf26 (PASS)
  • gf27 (PASS)
  • gf28 (PASS)
  • gf29 (PASS)
  • gf30 (PASS)
  • inode01 (PASS)
  • inode02 (PASS)
  • iogen01 (PASS)
  • isofs (CONF)
  • lftest01 (PASS)
  • linker01 (PASS)
  • openfile01 (PASS)
  • proc01 (PASS)
  • quota_remount_test01 (CONF)
  • read_all_dev (PASS)
  • read_all_proc (PASS)
  • read_all_sys (PASS)
  • rwtest01 (PASS)
  • rwtest02 (PASS)
  • rwtest03 (PASS)
  • rwtest04 (PASS)
  • rwtest05 (PASS)
  • squashfs01 (CONF)
  • stream01 (PASS)
  • stream02 (PASS)
  • stream03 (PASS)
  • stream04 (PASS)
  • stream05 (PASS)
  • writetest01 (PASS)
    aarch64 newly passing:
  • binfmt_misc01 (PASS)
  • binfmt_misc02 (PASS)
  • cap_bounds (PASS)
  • check_keepcaps01 (PASS)
  • check_keepcaps02 (PASS)
  • check_keepcaps03 (PASS)
  • dio01 (PASS)
  • dio02 (PASS)
  • dio03 (PASS)
  • dio04 (PASS)
  • dio05 (PASS)
  • dio06 (PASS)
  • dio07 (PASS)
  • dio08 (PASS)
  • dio09 (PASS)
  • dio10 (PASS)
  • dio11 (PASS)
  • dio12 (PASS)
  • dio13 (PASS)
  • dio14 (PASS)
  • dio15 (PASS)
  • dio16 (PASS)
  • dio17 (PASS)
  • dio18 (PASS)
  • dio19 (PASS)
  • dio20 (PASS)
  • dio21 (PASS)
  • dio22 (PASS)
  • dio23 (PASS)
  • dio24 (PASS)
  • dio25 (PASS)
  • dio26 (PASS)
  • dio27 (PASS)
  • dio28 (PASS)
  • dio29 (PASS)
  • dio30 (PASS)
  • filecaps (PASS)
  • fs_di (PASS)
  • fs_fill (PASS)
  • fs_inod01 (PASS)
  • fs_perms01 (PASS)
  • fs_perms02 (PASS)
  • fs_perms03 (PASS)
  • fs_perms04 (PASS)
  • fs_perms05 (PASS)
  • fs_perms06 (PASS)
  • fs_perms07 (PASS)
  • fs_perms08 (PASS)
  • fs_perms09 (PASS)
  • fs_perms10 (PASS)
  • fs_perms11 (PASS)
  • fs_perms12 (PASS)
  • fs_perms13 (PASS)
  • fs_perms14 (PASS)
  • fs_perms15 (PASS)
  • fs_perms16 (PASS)
  • fs_perms17 (PASS)
  • fs_perms18 (PASS)
  • fs_racer (PASS)
  • ftest01 (PASS)
  • ftest02 (PASS)
  • ftest03 (PASS)
  • ftest04 (PASS)
  • ftest05 (PASS)
  • ftest06 (PASS)
  • ftest07 (PASS)
  • ftest08 (PASS)
  • gf01 (PASS)
  • gf02 (PASS)
  • gf03 (PASS)
  • gf04 (PASS)
  • gf05 (PASS)
  • gf06 (PASS)
  • gf07 (PASS)
  • gf08 (PASS)
  • gf09 (PASS)
  • gf10 (PASS)
  • gf11 (PASS)
  • gf12 (PASS)
  • gf13 (PASS)
  • gf14 (PASS)
  • gf15 (PASS)
  • gf16 (PASS)
  • gf17 (PASS)
  • gf18 (PASS)
  • gf19 (PASS)
  • gf20 (PASS)
  • gf21 (PASS)
  • gf22 (PASS)
  • gf23 (PASS)
  • gf24 (PASS)
  • gf25 (PASS)
  • gf26 (PASS)
  • gf27 (PASS)
  • gf28 (PASS)
  • gf29 (PASS)
  • gf30 (PASS)
  • inode01 (PASS)
  • inode02 (PASS)
  • iogen01 (PASS)
  • isofs (CONF)
  • lftest01 (PASS)
  • linker01 (PASS)
  • openfile01 (PASS)
  • proc01 (PASS)
  • quota_remount_test01 (CONF)
  • read_all_dev (PASS)
  • read_all_proc (PASS)
  • read_all_sys (PASS)
  • rwtest01 (PASS)
  • rwtest02 (PASS)
  • rwtest03 (PASS)
  • rwtest04 (PASS)
  • rwtest05 (PASS)
  • squashfs01 (CONF)
  • stream01 (PASS)
  • stream02 (PASS)
  • stream03 (PASS)
  • stream04 (PASS)
  • stream05 (PASS)
  • writetest01 (PASS)
  • af_alg04 (FAIL -> PASS)
  • mmap16 (FAIL -> PASS)

🤖 This PR was automatically generated by GitHub Actions
Run ID: 25106193576

CIQ Kernel Automation added 3 commits April 27, 2026 07:10
jira VULN-61636
cve CVE-2021-46960
commit-author Paul Aurich <paul@darkrain42.org>
commit 83728cb

Avoid a warning if the error percolates back up:

[440700.376476] CIFS VFS: \\otters.example.com crypt_message: Could not get encryption key
[440700.386947] ------------[ cut here ]------------
[440700.386948] err = 1
[440700.386977] WARNING: CPU: 11 PID: 2733 at /build/linux-hwe-5.4-p6lk6L/linux-hwe-5.4-5.4.0/lib/errseq.c:74 errseq_set+0x5c/0x70
...
[440700.397304] CPU: 11 PID: 2733 Comm: tar Tainted: G           OE     5.4.0-70-generic #78~18.04.1-Ubuntu
...
[440700.397334] Call Trace:
[440700.397346]  __filemap_set_wb_err+0x1a/0x70
[440700.397419]  cifs_writepages+0x9c7/0xb30 [cifs]
[440700.397426]  do_writepages+0x4b/0xe0
[440700.397444]  __filemap_fdatawrite_range+0xcb/0x100
[440700.397455]  filemap_write_and_wait+0x42/0xa0
[440700.397486]  cifs_setattr+0x68b/0xf30 [cifs]
[440700.397493]  notify_change+0x358/0x4a0
[440700.397500]  utimes_common+0xe9/0x1c0
[440700.397510]  do_utimes+0xc5/0x150
[440700.397520]  __x64_sys_utimensat+0x88/0xd0

Fixes: 61cfac6 ("CIFS: Fix possible use after free in demultiplex thread")
	Signed-off-by: Paul Aurich <paul@darkrain42.org>
CC: stable@vger.kernel.org
	Signed-off-by: Steve French <stfrench@microsoft.com>
(cherry picked from commit 83728cb)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-61254
cve CVE-2021-47356
commit-author Zou Wei <zou_wei@huawei.com>
commit 009fc85

This module's remove path calls del_timer(). However, that function
does not wait until the timer handler finishes. This means that the
timer handler may still be running after the driver's remove function
has finished, which would result in a use-after-free.

Fix by calling del_timer_sync(), which makes sure the timer handler
has finished, and unable to re-schedule itself.

	Reported-by: Hulk Robot <hulkci@huawei.com>
	Signed-off-by: Zou Wei <zou_wei@huawei.com>
	Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 009fc85)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-61254
cve-bf CVE-2021-47356
commit-author Duoming Zhou <duoming@zju.edu.cn>
commit 175302f

The function hfcpci_softirq() is a timer handler. If it
is running, the timer_pending() will return 0 and the
del_timer_sync() in HFC_cleanup() will not be executed.
As a result, the use-after-free bug will happen. The
process is shown below:

    (cleanup routine)          |        (timer handler)
HFC_cleanup()                  | hfcpci_softirq()
 if (timer_pending(&hfc_tl))   |
   del_timer_sync()            |
 ...                           | ...
 pci_unregister_driver(hc)     |
  driver_unregister            |  driver_for_each_device
   bus_remove_driver           |   _hfcpci_softirq
    driver_detach              |   ...
     put_device(dev) //[1]FREE |
                               |    dev_get_drvdata(dev) //[2]USE

The device is deallocated is position [1] and used in
position [2].

Fix by removing the "timer_pending" check in HFC_cleanup(),
which makes sure that the hfcpci_softirq() have finished
before the resource is deallocated.

Fixes: 009fc85 ("mISDN: fix possible use-after-free in HFC_cleanup()")
	Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
	Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 175302f)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
@ciq-kernel-automation ciq-kernel-automation Bot added the created-by-kernelci Tag PRs that were automatically created when a user branch was pushed to the repo (kernelCI) label Apr 27, 2026
@github-actions

Copy link
Copy Markdown

🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/24992234905

@github-actions

Copy link
Copy Markdown

🔍 Upstream Linux Kernel Commit Check

  • ⚠️ PR commit c2c6c338c92e (mISDN: hfcpci: Fix warning when deleting uninitialized timer) does not reference a CVE but
    upstream commit 97766512a995 is associated with CVE-2025-39833

This is an automated message from the kernel commit checker workflow.

@github-actions

Copy link
Copy Markdown

🔍 Interdiff Analysis

  • ⚠️ PR commit c0be44ecbdad (virtio-net: Add validation for used length) → upstream ad993a95c508
    Differences found:
================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/drivers/net/virtio_net.c
+++ b/drivers/net/virtio_net.c
@@ -952,3 +1022,3 @@
 	head_skb = page_to_skb(vi, rq, page, offset, len, truesize, !xdp_prog,
-			       metasize);
+			       metasize, !!headroom);
 	curr_skb = head_skb;

This is an automated interdiff check for backported commits.

@github-actions

Copy link
Copy Markdown

Validation checks completed successfully View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/24992234905

@shreeya-patel98

Copy link
Copy Markdown
Collaborator

Last test was merged 3 days ago for 8.6, but comparison isn't able to find any results as it was I think modified by Roxana to fix any issues with the patches. We need to fix this in future.

@shreeya-patel98 shreeya-patel98 requested review from a team and shreeya-patel98 April 27, 2026 14:40
@shreeya-patel98

Copy link
Copy Markdown
Collaborator

🔍 Upstream Linux Kernel Commit Check

  • ⚠️ PR commit c2c6c338c92e (mISDN: hfcpci: Fix warning when deleting uninitialized timer) does not reference a CVE but
    upstream commit 97766512a995 is associated with CVE-2025-39833

This is an automated message from the kernel commit checker workflow.

See this :- #1150 (comment)

@roxanan1996

Copy link
Copy Markdown
Contributor

🔍 Upstream Linux Kernel Commit Check

  • ⚠️ PR commit c2c6c338c92e (mISDN: hfcpci: Fix warning when deleting uninitialized timer) does not reference a CVE but
    upstream commit 97766512a995 is associated with CVE-2025-39833

This is an automated message from the kernel commit checker workflow.

See this :- #1150 (comment)

See this #1150 (comment)

CIQ Kernel Automation added 7 commits April 29, 2026 13:20
jira VULN-155209
cve CVE-2025-39833
commit-author Vladimir Riabchun <ferr.lambarginio@gmail.com>
commit 9776651

With CONFIG_DEBUG_OBJECTS_TIMERS unloading hfcpci module leads
to the following splat:

[  250.215892] ODEBUG: assert_init not available (active state 0) object: ffffffffc01a3dc0 object type: timer_list hint: 0x0
[  250.217520] WARNING: CPU: 0 PID: 233 at lib/debugobjects.c:612 debug_print_object+0x1b6/0x2c0
[  250.218775] Modules linked in: hfcpci(-) mISDN_core
[  250.219537] CPU: 0 UID: 0 PID: 233 Comm: rmmod Not tainted 6.17.0-rc2-g6f713187ac98 #2 PREEMPT(voluntary)
[  250.220940] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  250.222377] RIP: 0010:debug_print_object+0x1b6/0x2c0
[  250.223131] Code: fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 75 4f 41 56 48 8b 14 dd a0 4e 01 9f 48 89 ee 48 c7 c7 20 46 01 9f e8 cb 84d
[  250.225805] RSP: 0018:ffff888015ea7c08 EFLAGS: 00010286
[  250.226608] RAX: 0000000000000000 RBX: 0000000000000005 RCX: ffffffff9be93a95
[  250.227708] RDX: 1ffff1100d945138 RSI: 0000000000000008 RDI: ffff88806ca289c0
[  250.228993] RBP: ffffffff9f014a00 R08: 0000000000000001 R09: ffffed1002bd4f39
[  250.230043] R10: ffff888015ea79cf R11: 0000000000000001 R12: 0000000000000001
[  250.231185] R13: ffffffff9eea0520 R14: 0000000000000000 R15: ffff888015ea7cc8
[  250.232454] FS:  00007f3208f01540(0000) GS:ffff8880caf5a000(0000) knlGS:0000000000000000
[  250.233851] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  250.234856] CR2: 00007f32090a7421 CR3: 0000000004d63000 CR4: 00000000000006f0
[  250.236117] Call Trace:
[  250.236599]  <TASK>
[  250.236967]  ? trace_irq_enable.constprop.0+0xd4/0x130
[  250.237920]  debug_object_assert_init+0x1f6/0x310
[  250.238762]  ? __pfx_debug_object_assert_init+0x10/0x10
[  250.239658]  ? __lock_acquire+0xdea/0x1c70
[  250.240369]  __try_to_del_timer_sync+0x69/0x140
[  250.241172]  ? __pfx___try_to_del_timer_sync+0x10/0x10
[  250.242058]  ? __timer_delete_sync+0xc6/0x120
[  250.242842]  ? lock_acquire+0x30/0x80
[  250.243474]  ? __timer_delete_sync+0xc6/0x120
[  250.244262]  __timer_delete_sync+0x98/0x120
[  250.245015]  HFC_cleanup+0x10/0x20 [hfcpci]
[  250.245704]  __do_sys_delete_module+0x348/0x510
[  250.246461]  ? __pfx___do_sys_delete_module+0x10/0x10
[  250.247338]  do_syscall_64+0xc1/0x360
[  250.247924]  entry_SYSCALL_64_after_hwframe+0x77/0x7f

Fix this by initializing hfc_tl timer with DEFINE_TIMER macro.
Also, use mod_timer instead of manual timeout update.

Fixes: 87c5fa1 ("mISDN: Add different different timer settings for hfc-pci")
Fixes: 175302f ("mISDN: hfcpci: Fix use-after-free bug in hfcpci_softirq")
	Signed-off-by: Vladimir Riabchun <ferr.lambarginio@gmail.com>
Link: https://patch.msgid.link/aKiy2D_LiWpQ5kXq@vova-pc
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 9776651)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-62707
cve CVE-2021-47138
commit-author Raju Rangoju <rajur@chelsio.com>
commit 88c380d

Hardware register having the server TID base can contain
invalid values when adapter is in bad state (for example,
due to AER fatal error). Reading these invalid values in the
register can lead to out-of-bound memory access. So, fix
by using the saved server TID base when clearing filters.

Fixes: b1a7936 ("cxgb4: Delete all hash and TCAM filters before resource cleanup")
	Signed-off-by: Raju Rangoju <rajur@chelsio.com>
	Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 88c380d)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-63928
cve CVE-2021-47352
commit-author Xie Yongji <xieyongji@bytedance.com>
commit ad993a9

This adds validation for used length (might come
from an untrusted device) to avoid data corruption
or loss.

	Signed-off-by: Xie Yongji <xieyongji@bytedance.com>
	Acked-by: Jason Wang <jasowang@redhat.com>
Link: https://lore.kernel.org/r/20210531135852.113-1-xieyongji@bytedance.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit ad993a9)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-63850
cve CVE-2021-47310
commit-author Pavel Skripkin <paskripkin@gmail.com>
commit 0336f8f

priv is netdev private data and it cannot be
used after free_netdev() call. Using priv after free_netdev()
can cause UAF bug. Fix it by moving free_netdev() at the end of the
function.

Fixes: 1e0a8b1 ("tlan: cancel work at remove path")
	Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
	Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 0336f8f)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-63828
cve CVE-2021-47311
commit-author Pavel Skripkin <paskripkin@gmail.com>
commit ad297cd

adpt is netdev private data and it cannot be
used after free_netdev() call. Using adpt after free_netdev()
can cause UAF bug. Fix it by moving free_netdev() at the end of the
function.

Fixes: 54e19bc ("net: qcom/emac: do not use devm on internal phy pdev")
	Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
	Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit ad297cd)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-135922
cve CVE-2021-47293
commit-author Peilin Ye <peilin.ye@bytedance.com>
commit 727d6a8

Currently tcf_skbmod_act() assumes that packets use Ethernet as their L2
protocol, which is not always the case.  As an example, for CAN devices:

	$ ip link add dev vcan0 type vcan
	$ ip link set up vcan0
	$ tc qdisc add dev vcan0 root handle 1: htb
	$ tc filter add dev vcan0 parent 1: protocol ip prio 10 \
		matchall action skbmod swap mac

Doing the above silently corrupts all the packets.  Do not perform skbmod
actions for non-Ethernet packets.

Fixes: 86da71b ("net_sched: Introduce skbmod action")
	Reviewed-by: Cong Wang <cong.wang@bytedance.com>
	Signed-off-by: Peilin Ye <peilin.ye@bytedance.com>
	Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 727d6a8)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
…nforced from sysfs

jira VULN-63645
cve CVE-2021-47393
commit-author Vadim Pasternak <vadimp@nvidia.com>
commit e6fab7a

Fan speed minimum can be enforced from sysfs. For example, setting
current fan speed to 20 is used to enforce fan speed to be at 100%
speed, 19 - to be not below 90% speed, etcetera. This feature provides
ability to limit fan speed according to some system wise
considerations, like absence of some replaceable units or high system
ambient temperature.

Request for changing fan minimum speed is configuration request and can
be set only through 'sysfs' write procedure. In this situation value of
argument 'state' is above nominal fan speed maximum.

Return non-zero code in this case to avoid
thermal_cooling_device_stats_update() call, because in this case
statistics update violates thermal statistics table range.
The issues is observed in case kernel is configured with option
CONFIG_THERMAL_STATISTICS.

Here is the trace from KASAN:
[  159.506659] BUG: KASAN: slab-out-of-bounds in thermal_cooling_device_stats_update+0x7d/0xb0
[  159.516016] Read of size 4 at addr ffff888116163840 by task hw-management.s/7444
[  159.545625] Call Trace:
[  159.548366]  dump_stack+0x92/0xc1
[  159.552084]  ? thermal_cooling_device_stats_update+0x7d/0xb0
[  159.635869]  thermal_zone_device_update+0x345/0x780
[  159.688711]  thermal_zone_device_set_mode+0x7d/0xc0
[  159.694174]  mlxsw_thermal_modules_init+0x48f/0x590 [mlxsw_core]
[  159.700972]  ? mlxsw_thermal_set_cur_state+0x5a0/0x5a0 [mlxsw_core]
[  159.731827]  mlxsw_thermal_init+0x763/0x880 [mlxsw_core]
[  160.070233] RIP: 0033:0x7fd995909970
[  160.074239] Code: 73 01 c3 48 8b 0d 28 d5 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 99 2d 2c 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ..
[  160.095242] RSP: 002b:00007fff54f5d938 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[  160.103722] RAX: ffffffffffffffda RBX: 0000000000000013 RCX: 00007fd995909970
[  160.111710] RDX: 0000000000000013 RSI: 0000000001906008 RDI: 0000000000000001
[  160.119699] RBP: 0000000001906008 R08: 00007fd995bc9760 R09: 00007fd996210700
[  160.127687] R10: 0000000000000073 R11: 0000000000000246 R12: 0000000000000013
[  160.135673] R13: 0000000000000001 R14: 00007fd995bc8600 R15: 0000000000000013
[  160.143671]
[  160.145338] Allocated by task 2924:
[  160.149242]  kasan_save_stack+0x19/0x40
[  160.153541]  __kasan_kmalloc+0x7f/0xa0
[  160.157743]  __kmalloc+0x1a2/0x2b0
[  160.161552]  thermal_cooling_device_setup_sysfs+0xf9/0x1a0
[  160.167687]  __thermal_cooling_device_register+0x1b5/0x500
[  160.173833]  devm_thermal_of_cooling_device_register+0x60/0xa0
[  160.180356]  mlxreg_fan_probe+0x474/0x5e0 [mlxreg_fan]
[  160.248140]
[  160.249807] The buggy address belongs to the object at ffff888116163400
[  160.249807]  which belongs to the cache kmalloc-1k of size 1024
[  160.263814] The buggy address is located 64 bytes to the right of
[  160.263814]  1024-byte region [ffff888116163400, ffff888116163800)
[  160.277536] The buggy address belongs to the page:
[  160.282898] page:0000000012275840 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888116167000 pfn:0x116160
[  160.294872] head:0000000012275840 order:3 compound_mapcount:0 compound_pincount:0
[  160.303251] flags: 0x200000000010200(slab|head|node=0|zone=2)
[  160.309694] raw: 0200000000010200 ffffea00046f7208 ffffea0004928208 ffff88810004dbc0
[  160.318367] raw: ffff888116167000 00000000000a0006 00000001ffffffff 0000000000000000
[  160.327033] page dumped because: kasan: bad access detected
[  160.333270]
[  160.334937] Memory state around the buggy address:
[  160.356469] >ffff888116163800: fc ..

Fixes: 65afb4c ("hwmon: (mlxreg-fan) Add support for Mellanox FAN driver")
	Signed-off-by: Vadim Pasternak <vadimp@nvidia.com>
Link: https://lore.kernel.org/r/20210916183151.869427-1-vadimp@nvidia.com
	Signed-off-by: Guenter Roeck <linux@roeck-us.net>
(cherry picked from commit e6fab7a)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
@roxanan1996 roxanan1996 force-pushed the {ciq_kernel_automation}_ciqlts8_6 branch from aa845cf to a7049f4 Compare April 29, 2026 11:26
@roxanan1996

Copy link
Copy Markdown
Contributor

Last test was merged 3 days ago for 8.6, but comparison isn't able to find any results as it was I think modified by Roxana to fix any issues with the patches. We need to fix this in future.

@shreeya-patel98 I haven't touched anything related to that lately. But let me know if I should look into that

@roxanan1996

Copy link
Copy Markdown
Contributor

🔍 Upstream Linux Kernel Commit Check

  • ⚠️ PR commit c2c6c338c92e (mISDN: hfcpci: Fix warning when deleting uninitialized timer) does not reference a CVE but
    upstream commit 97766512a995 is associated with CVE-2025-39833

This is an automated message from the kernel commit checker workflow.

See this :- #1150 (comment)

See this #1150 (comment)

Solved now.

@github-actions

Copy link
Copy Markdown

🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/25106637200

@github-actions

Copy link
Copy Markdown

🔍 Interdiff Analysis

  • ⚠️ PR commit d44ad15c11db (virtio-net: Add validation for used length) → upstream ad993a95c508
    Differences found:
================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/drivers/net/virtio_net.c
+++ b/drivers/net/virtio_net.c
@@ -952,3 +1022,3 @@
 	head_skb = page_to_skb(vi, rq, page, offset, len, truesize, !xdp_prog,
-			       metasize);
+			       metasize, !!headroom);
 	curr_skb = head_skb;

This is an automated interdiff check for backported commits.

@github-actions

Copy link
Copy Markdown

Validation checks completed successfully View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/25106637200

@bmastbergen bmastbergen self-requested a review April 29, 2026 14:59

@bmastbergen bmastbergen left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🥌

@roxanan1996 roxanan1996 merged commit ee5a26c into ciqlts8_6 Apr 29, 2026
4 of 5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

created-by-kernelci Tag PRs that were automatically created when a user branch was pushed to the repo (kernelCI)

Development

Successfully merging this pull request may close these issues.

3 participants