Skip to content

[ciqlts9_2] Multiple patches tested (9 commits)#1365

Merged
roxanan1996 merged 9 commits into
ciqlts9_2from
{ciq_kernel_automation}_ciqlts9_2
Jun 23, 2026
Merged

[ciqlts9_2] Multiple patches tested (9 commits)#1365
roxanan1996 merged 9 commits into
ciqlts9_2from
{ciq_kernel_automation}_ciqlts9_2

Conversation

@ciq-kernel-automation

Copy link
Copy Markdown

Summary

This PR has been automatically created after successful completion of all CI stages.

Commit Message(s)

netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get()

jira VULN-37860
cve CVE-2024-35898
commit-author Ziyang Xuan <william.xuanziyang@huawei.com>
commit 24225011d81b471acc0e1e315b7d9905459a6304
scsi: qla2xxx: Fix off by one in qla_edif_app_getstats()

jira VULN-5287
cve CVE-2024-36025
commit-author Dan Carpenter <dan.carpenter@linaro.org>
commit 4406e4176f47177f5e51b4cc7e6a7a2ff3dbfbbd
drm/client: Fully protect modes[] with dev->mode_config.mutex

jira VULN-38014
cve CVE-2024-35950
commit-author Ville Syrjälä <ville.syrjala@linux.intel.com>
commit 3eadd887dbac1df8f25f701e5d404d1b90fd0fea
ipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr

jira VULN-38062
cve CVE-2024-35969
commit-author Jiri Benc <jbenc@redhat.com>
commit 7633c4da919ad51164acbf1aa322cc1a3ead6129
net/mlx5: Properly link new fs rules into the tree

jira VULN-3105
cve CVE-2024-35960
commit-author Cosmin Ratiu <cratiu@nvidia.com>
commit 7c6782ad4911cbee874e85630226ed389ff2e453
net: ena: Fix incorrect descriptor free behavior

jira VULN-38028
cve CVE-2024-35958
commit-author David Arinzon <darinzon@amazon.com>
commit bf02d9fe00632d22fa91d34749c7aacf397b6cde
netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()

jira VULN-4970
cve CVE-2024-27020
commit-author Ziyang Xuan <william.xuanziyang@huawei.com>
commit f969eb84ce482331a991079ab7a5c4dc3b7f89bf
netfilter: flowtable: validate pppoe header

jira VULN-37637
cve CVE-2024-27016
commit-author Pablo Neira Ayuso <pablo@netfilter.org>
commit 87b3593bed1868b2d9fe096c01bcdf0ea86cbebf
netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto()

jira VULN-80080
cve CVE-2025-38441
commit-author Eric Dumazet <edumazet@google.com>
commit 18cdb3d982da8976b28d57691eb256ec5688fad2

Test Results

✅ Build Stage

Architecture Build Time Total Time
x86_64 24m 30s 25m 25s
aarch64 12m 41s 13m 13s

✅ Boot Verification

✅ Kernel Selftests

Architecture Passed Failed Compared Against Status
x86_64 173 25 ciqlts9_2 ✅ No regressions
aarch64 141 27 ciqlts9_2 ✅ No regressions

✅ LTP Results

Architecture Passed Failed Compared Against Status
x86_64 1439 81 ciqlts9_2 ✅ No regressions
aarch64 1408 84 ciqlts9_2 ❌ 1 regressions

aarch64 regressions:

  • fcntl14 (PASS -> FAIL)

🤖 This PR was automatically generated by GitHub Actions
Run ID: 27939822742

CIQ Kernel Automation added 9 commits June 22, 2026 08:19
…_get()

jira VULN-37860
cve CVE-2024-35898
commit-author Ziyang Xuan <william.xuanziyang@huawei.com>
commit 2422501

nft_unregister_flowtable_type() within nf_flow_inet_module_exit() can
concurrent with __nft_flowtable_type_get() within nf_tables_newflowtable().
And thhere is not any protection when iterate over nf_tables_flowtables
list in __nft_flowtable_type_get(). Therefore, there is pertential
data-race of nf_tables_flowtables list entry.

Use list_for_each_entry_rcu() to iterate over nf_tables_flowtables list
in __nft_flowtable_type_get(), and use rcu_read_lock() in the caller
nft_flowtable_type_get() to protect the entire type query process.

Fixes: 3b49e2e ("netfilter: nf_tables: add flow table netlink frontend")
	Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 2422501)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-5287
cve CVE-2024-36025
commit-author Dan Carpenter <dan.carpenter@linaro.org>
commit 4406e41

The app_reply->elem[] array is allocated earlier in this function and it
has app_req.num_ports elements.  Thus this > comparison needs to be >= to
prevent memory corruption.

Fixes: 7878f22 ("scsi: qla2xxx: edif: Add getfcinfo and statistic bsgs")
	Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://lore.kernel.org/r/5c125b2f-92dd-412b-9b6f-fc3a3207bd60@moroto.mountain
	Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
	Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
(cherry picked from commit 4406e41)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-38014
cve CVE-2024-35950
commit-author Ville Syrjälä <ville.syrjala@linux.intel.com>
commit 3eadd88

The modes[] array contains pointers to modes on the connectors'
mode lists, which are protected by dev->mode_config.mutex.
Thus we need to extend modes[] the same protection or by the
time we use it the elements may already be pointing to
freed/reused memory.

	Cc: stable@vger.kernel.org
Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/10583
	Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240404203336.10454-2-ville.syrjala@linux.intel.com
	Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
	Reviewed-by: Jani Nikula <jani.nikula@intel.com>
	Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
(cherry picked from commit 3eadd88)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-38062
cve CVE-2024-35969
commit-author Jiri Benc <jbenc@redhat.com>
commit 7633c4d

Although ipv6_get_ifaddr walks inet6_addr_lst under the RCU lock, it
still means hlist_for_each_entry_rcu can return an item that got removed
from the list. The memory itself of such item is not freed thanks to RCU
but nothing guarantees the actual content of the memory is sane.

In particular, the reference count can be zero. This can happen if
ipv6_del_addr is called in parallel. ipv6_del_addr removes the entry
from inet6_addr_lst (hlist_del_init_rcu(&ifp->addr_lst)) and drops all
references (__in6_ifa_put(ifp) + in6_ifa_put(ifp)). With bad enough
timing, this can happen:

1. In ipv6_get_ifaddr, hlist_for_each_entry_rcu returns an entry.

2. Then, the whole ipv6_del_addr is executed for the given entry. The
   reference count drops to zero and kfree_rcu is scheduled.

3. ipv6_get_ifaddr continues and tries to increments the reference count
   (in6_ifa_hold).

4. The rcu is unlocked and the entry is freed.

5. The freed entry is returned.

Prevent increasing of the reference count in such case. The name
in6_ifa_hold_safe is chosen to mimic the existing fib6_info_hold_safe.

[   41.506330] refcount_t: addition on 0; use-after-free.
[   41.506760] WARNING: CPU: 0 PID: 595 at lib/refcount.c:25 refcount_warn_saturate+0xa5/0x130
[   41.507413] Modules linked in: veth bridge stp llc
[   41.507821] CPU: 0 PID: 595 Comm: python3 Not tainted 6.9.0-rc2.main-00208-g49563be82afa #14
[   41.508479] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
[   41.509163] RIP: 0010:refcount_warn_saturate+0xa5/0x130
[   41.509586] Code: ad ff 90 0f 0b 90 90 c3 cc cc cc cc 80 3d c0 30 ad 01 00 75 a0 c6 05 b7 30 ad 01 01 90 48 c7 c7 38 cc 7a 8c e8 cc 18 ad ff 90 <0f> 0b 90 90 c3 cc cc cc cc 80 3d 98 30 ad 01 00 0f 85 75 ff ff ff
[   41.510956] RSP: 0018:ffffbda3c026baf0 EFLAGS: 00010282
[   41.511368] RAX: 0000000000000000 RBX: ffff9e9c46914800 RCX: 0000000000000000
[   41.511910] RDX: ffff9e9c7ec29c00 RSI: ffff9e9c7ec1c900 RDI: ffff9e9c7ec1c900
[   41.512445] RBP: ffff9e9c43660c9c R08: 0000000000009ffb R09: 00000000ffffdfff
[   41.512998] R10: 00000000ffffdfff R11: ffffffff8ca58a40 R12: ffff9e9c4339a000
[   41.513534] R13: 0000000000000001 R14: ffff9e9c438a0000 R15: ffffbda3c026bb48
[   41.514086] FS:  00007fbc4cda1740(0000) GS:ffff9e9c7ec00000(0000) knlGS:0000000000000000
[   41.514726] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   41.515176] CR2: 000056233b337d88 CR3: 000000000376e006 CR4: 0000000000370ef0
[   41.515713] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   41.516252] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   41.516799] Call Trace:
[   41.517037]  <TASK>
[   41.517249]  ? __warn+0x7b/0x120
[   41.517535]  ? refcount_warn_saturate+0xa5/0x130
[   41.517923]  ? report_bug+0x164/0x190
[   41.518240]  ? handle_bug+0x3d/0x70
[   41.518541]  ? exc_invalid_op+0x17/0x70
[   41.520972]  ? asm_exc_invalid_op+0x1a/0x20
[   41.521325]  ? refcount_warn_saturate+0xa5/0x130
[   41.521708]  ipv6_get_ifaddr+0xda/0xe0
[   41.522035]  inet6_rtm_getaddr+0x342/0x3f0
[   41.522376]  ? __pfx_inet6_rtm_getaddr+0x10/0x10
[   41.522758]  rtnetlink_rcv_msg+0x334/0x3d0
[   41.523102]  ? netlink_unicast+0x30f/0x390
[   41.523445]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[   41.523832]  netlink_rcv_skb+0x53/0x100
[   41.524157]  netlink_unicast+0x23b/0x390
[   41.524484]  netlink_sendmsg+0x1f2/0x440
[   41.524826]  __sys_sendto+0x1d8/0x1f0
[   41.525145]  __x64_sys_sendto+0x1f/0x30
[   41.525467]  do_syscall_64+0xa5/0x1b0
[   41.525794]  entry_SYSCALL_64_after_hwframe+0x72/0x7a
[   41.526213] RIP: 0033:0x7fbc4cfcea9a
[   41.526528] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
[   41.527942] RSP: 002b:00007ffcf54012a8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[   41.528593] RAX: ffffffffffffffda RBX: 00007ffcf5401368 RCX: 00007fbc4cfcea9a
[   41.529173] RDX: 000000000000002c RSI: 00007fbc4b9d9bd0 RDI: 0000000000000005
[   41.529786] RBP: 00007fbc4bafb040 R08: 00007ffcf54013e0 R09: 000000000000000c
[   41.530375] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   41.530977] R13: ffffffffc4653600 R14: 0000000000000001 R15: 00007fbc4ca85d1b
[   41.531573]  </TASK>

Fixes: 5c578ae ("IPv6: convert addrconf hash list to RCU")
	Reviewed-by: Eric Dumazet <edumazet@google.com>
	Reviewed-by: David Ahern <dsahern@kernel.org>
	Signed-off-by: Jiri Benc <jbenc@redhat.com>
Link: https://lore.kernel.org/r/8ab821e36073a4a406c50ec83c9e8dc586c539e4.1712585809.git.jbenc@redhat.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 7633c4d)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-3105
cve CVE-2024-35960
commit-author Cosmin Ratiu <cratiu@nvidia.com>
commit 7c6782a

Previously, add_rule_fg would only add newly created rules from the
handle into the tree when they had a refcount of 1. On the other hand,
create_flow_handle tries hard to find and reference already existing
identical rules instead of creating new ones.

These two behaviors can result in a situation where create_flow_handle
1) creates a new rule and references it, then
2) in a subsequent step during the same handle creation references it
   again,
resulting in a rule with a refcount of 2 that is not linked into the
tree, will have a NULL parent and root and will result in a crash when
the flow group is deleted because del_sw_hw_rule, invoked on rule
deletion, assumes node->parent is != NULL.

This happened in the wild, due to another bug related to incorrect
handling of duplicate pkt_reformat ids, which lead to the code in
create_flow_handle incorrectly referencing a just-added rule in the same
flow handle, resulting in the problem described above. Full details are
at [1].

This patch changes add_rule_fg to add new rules without parents into
the tree, properly initializing them and avoiding the crash. This makes
it more consistent with how rules are added to an FTE in
create_flow_handle.

Fixes: 74491de ("net/mlx5: Add multi dest support")
Link: https://lore.kernel.org/netdev/ea5264d6-6b55-4449-a602-214c6f509c1e@163.com/T/#u [1]
	Signed-off-by: Cosmin Ratiu <cratiu@nvidia.com>
	Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
	Reviewed-by: Mark Bloch <mbloch@nvidia.com>
	Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
	Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://lore.kernel.org/r/20240409190820.227554-5-tariqt@nvidia.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 7c6782a)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-38028
cve CVE-2024-35958
commit-author David Arinzon <darinzon@amazon.com>
commit bf02d9f

ENA has two types of TX queues:
- queues which only process TX packets arriving from the network stack
- queues which only process TX packets forwarded to it by XDP_REDIRECT
  or XDP_TX instructions

The ena_free_tx_bufs() cycles through all descriptors in a TX queue
and unmaps + frees every descriptor that hasn't been acknowledged yet
by the device (uncompleted TX transactions).
The function assumes that the processed TX queue is necessarily from
the first category listed above and ends up using napi_consume_skb()
for descriptors belonging to an XDP specific queue.

This patch solves a bug in which, in case of a VF reset, the
descriptors aren't freed correctly, leading to crashes.

Fixes: 548c494 ("net: ena: Implement XDP_TX action")
	Signed-off-by: Shay Agroskin <shayagr@amazon.com>
	Signed-off-by: David Arinzon <darinzon@amazon.com>
	Reviewed-by: Shannon Nelson <shannon.nelson@amd.com>
	Signed-off-by: Paolo Abeni <pabeni@redhat.com>
(cherry picked from commit bf02d9f)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-4970
cve CVE-2024-27020
commit-author Ziyang Xuan <william.xuanziyang@huawei.com>
commit f969eb8

nft_unregister_expr() can concurrent with __nft_expr_type_get(),
and there is not any protection when iterate over nf_tables_expressions
list in __nft_expr_type_get(). Therefore, there is potential data-race
of nf_tables_expressions list entry.

Use list_for_each_entry_rcu() to iterate over nf_tables_expressions
list in __nft_expr_type_get(), and use rcu_read_lock() in the caller
nft_expr_type_get() to protect the entire type query process.

Fixes: ef1f7df ("netfilter: nf_tables: expression ops overloading")
	Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit f969eb8)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-37637
cve CVE-2024-27016
commit-author Pablo Neira Ayuso <pablo@netfilter.org>
commit 87b3593

Ensure there is sufficient room to access the protocol field of the
PPPoe header. Validate it once before the flowtable lookup, then use a
helper function to access protocol field.

	Reported-by: syzbot+b6f07e1c07ef40199081@syzkaller.appspotmail.com
Fixes: 72efd58 ("netfilter: flowtable: add pppoe support")
	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 87b3593)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
…oto()

jira VULN-80080
cve CVE-2025-38441
commit-author Eric Dumazet <edumazet@google.com>
commit 18cdb3d

syzbot found a potential access to uninit-value in nf_flow_pppoe_proto()

Blamed commit forgot the Ethernet header.

BUG: KMSAN: uninit-value in nf_flow_offload_inet_hook+0x7e4/0x940 net/netfilter/nf_flow_table_inet.c:27
  nf_flow_offload_inet_hook+0x7e4/0x940 net/netfilter/nf_flow_table_inet.c:27
  nf_hook_entry_hookfn include/linux/netfilter.h:157 [inline]
  nf_hook_slow+0xe1/0x3d0 net/netfilter/core.c:623
  nf_hook_ingress include/linux/netfilter_netdev.h:34 [inline]
  nf_ingress net/core/dev.c:5742 [inline]
  __netif_receive_skb_core+0x4aff/0x70c0 net/core/dev.c:5837
  __netif_receive_skb_one_core net/core/dev.c:5975 [inline]
  __netif_receive_skb+0xcc/0xac0 net/core/dev.c:6090
  netif_receive_skb_internal net/core/dev.c:6176 [inline]
  netif_receive_skb+0x57/0x630 net/core/dev.c:6235
  tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485
  tun_get_user+0x4ee0/0x6b40 drivers/net/tun.c:1938
  tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1984
  new_sync_write fs/read_write.c:593 [inline]
  vfs_write+0xb4b/0x1580 fs/read_write.c:686
  ksys_write fs/read_write.c:738 [inline]
  __do_sys_write fs/read_write.c:749 [inline]

	Reported-by: syzbot+bf6ed459397e307c3ad2@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/686bc073.a00a0220.c7b3.0086.GAE@google.com/T/#u
Fixes: 87b3593 ("netfilter: flowtable: validate pppoe header")
	Signed-off-by: Eric Dumazet <edumazet@google.com>
	Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Link: https://patch.msgid.link/20250707124517.614489-1-edumazet@google.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 18cdb3d)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
@ciq-kernel-automation ciq-kernel-automation Bot added the created-by-kernelci Tag PRs that were automatically created when a user branch was pushed to the repo (kernelCI) label Jun 22, 2026
@github-actions

Copy link
Copy Markdown

🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/27954496319

@github-actions

Copy link
Copy Markdown

Validation checks completed successfully View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/27954496319

@roxanan1996 roxanan1996 requested a review from a team June 22, 2026 13:44

@bmastbergen bmastbergen left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🥌

@roxanan1996 roxanan1996 merged commit 4f58c44 into ciqlts9_2 Jun 23, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

created-by-kernelci Tag PRs that were automatically created when a user branch was pushed to the repo (kernelCI)

Development

Successfully merging this pull request may close these issues.

2 participants