@roxanan1996 roxanan1996 commented Nov 9, 2025

DESCRIPTION

Commits

Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put

jira VULN-155016
cve-pre CVE-2023-53305
commit-author Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
commit d0be8347c623e0ac4202a1d4e0373882821f56b0
Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm regression

jira VULN-155016
cve-pre CVE-2023-53305
commit-author Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
commit 332f1795ca202489c665a75e62e18ff6284de077
Bluetooth: L2CAP: Fix build errors in some archs

jira VULN-155016
cve-pre CVE-2023-53305
commit-author Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
commit fc5ae5b44eb26db973a6d4cfa0f75fe0650a95c6
Bluetooth: L2CAP: Fix use-after-free

jira VULN-155016
cve CVE-2023-53305
commit-author Zhengping Jiang <jiangzp@google.com>
commit f752a0b334bb95fe9b42ecb511e0864e2768046f
net_sched: hfsc: Fix a UAF vulnerability in class handling

jira VULN-67695
cve CVE-2025-37797
commit-author Cong Wang <xiyou.wangcong@gmail.com>
commit 3df275ef0a6ae181e8428a6589ef5d5231e58b5c
net_sched: ets: Fix double list add in class with netem as child qdisc

jira VULN-73369
cve CVE-2025-37914
commit-author Victor Nogueira <victor@mojatatu.com>
commit 1a6d0c00fa07972384b0c308c72db091d49988b6
wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds

jira VULN-71883
cve CVE-2025-38159
commit-author Alexey Kodanev <aleksei.kodanev@bell-sw.com>
commit 4c2c372de2e108319236203cce6de44d70ae15cd
i40e: fix MMIO write access to an invalid page in i40e_clear_hw

jira VULN-72059
cve CVE-2025-38200
commit-author Kyungwook Boo <bookyungwook@gmail.com>
commit 015bac5daca978448f2671478c553ce1f300c21e
scsi: lpfc: Use memcpy() for BIOS version

jira VULN-72453
cve CVE-2025-38332
commit-author Daniel Wagner <wagi@kernel.org>
commit ae82eaf4aeea060bb736c3e20c0568b67c701d7d
tipc: Fix use-after-free in tipc_conn_close().

jira VULN-80314
cve CVE-2025-38464
commit-author Kuniyuki Iwashima <kuniyu@google.com>
commit 667eeab4999e981c96b447a4df5f20bdf5c26f13

TESTING

BUILD

> grep -E -B 5 -A 5 '\[TIMER\]|^Starting Build' /home/rnicolescu/ciq/kernels/lts-8.6/kernel-build-after.log
  CLEAN   include/config usr/include include/generated arch/x86/include/generated
  CLEAN   .config .config.old .version Module.symvers
+ [[ 0 -ne 0 ]]
++ date +%s
+ END_MRPROPER=1762537513
+ echo '[TIMER]{MRPROPER}: 6s'
[TIMER]{MRPROPER}: 6s
++ uname -m
+ ARCH=x86_64
+ '[' x86_64 == x86_64 ']'
++ uname -r
++ cut -d - -f1
--
# configuration written to .config
#
++ date +%s
+ START_BUILD=1762537516
+ echo 'Starting Build'
Starting Build
++ nproc
+ make -j12
scripts/kconfig/conf  --syncconfig Kconfig
  SYSTBL  arch/x86/include/generated/asm/syscalls_32.h
  SYSHDR  arch/x86/include/generated/asm/unistd_32_ia32.h
--
  LD [M]  sound/xen/snd_xen_front.ko
  LD [M]  virt/lib/irqbypass.ko
+ '[' 0 -ne 0 ']'
++ date +%s
+ END_BUILD=1762538933
+ echo '[TIMER]{BUILD}: 1417s'
[TIMER]{BUILD}: 1417s
+ echo 'Making Modules'
Making Modules
++ date +%s
+ START_MODULES=1762538933
++ nproc
--
  INSTALL virt/lib/irqbypass.ko
  DEPMOD  4.18.0-rnicolescu_ciqlts8_6-f956b303284a+
+ '[' 0 -ne 0 ']'
++ date +%s
+ END_MODULES=1762538942
+ echo '[TIMER]{MODULES}: 9s'
[TIMER]{MODULES}: 9s
+ echo 'Making Install'
Making Install
++ date +%s
+ START_INSTALL=1762538942
+ sudo make install
sh ./arch/x86/boot/install.sh 4.18.0-rnicolescu_ciqlts8_6-f956b303284a+ arch/x86/boot/bzImage \
	System.map "/boot"
+ '[' 0 -ne 0 ']'
++ date +%s
+ END_INSTALL=1762538974
+ echo '[TIMER]{INSTALL}: 32s'
[TIMER]{INSTALL}: 32s
+ '[' 0 -eq 1 ']'
+ echo 'Checking kABI'
Checking kABI
+ ../kernel-dist-git/SOURCES/check-kabi -k ../kernel-dist-git/SOURCES/Module.kabi_x86_64 -s Module.symvers
+ '[' 0 -ne 0 ']'
--
+ echo 'Hopefully Grub2.0 took everything ... rebooting after time metrices'
Hopefully Grub2.0 took everything ... rebooting after time metrices
++ date +%s
+ END=1762538977
+ DIFF=1470
+ echo '[TIMER]{MRPROPER}: 6s'
[TIMER]{MRPROPER}: 6s
+ echo '[TIMER]{BUILD}: 1417s'
[TIMER]{BUILD}: 1417s
+ echo '[TIMER]{MODULES}: 9s'
[TIMER]{MODULES}: 9s
+ echo '[TIMER]{INSTALL}: 32s'
[TIMER]{INSTALL}: 32s
+ echo '[TIMER]{TOTAL} 1470s'
[TIMER]{TOTAL} 1470s
+ '[' 0 -ne 1 ']'
+ echo 'Rebooting in 10 seconds'
Rebooting in 10 seconds
+ sleep 10
+ sudo reboot

kernel-build-before.log
kernel-build-after.log

Kselftests

> /home/rnicolescu/ciq/kernel-tools/kselftest-diff.sh /home/rnicolescu/ciq/kernels/lts-8.6
/home/rnicolescu/ciq/kernels/lts-8.6/kselftest-before.log
192
/home/rnicolescu/ciq/kernels/lts-8.6/kselftest-after.log
212
Before: /home/rnicolescu/ciq/kernels/lts-8.6/kselftest-before.log
After: /home/rnicolescu/ciq/kernels/lts-8.6/kselftest-after.log
Diff:
+ok 10 selftests: x86: protection_keys_64
+ok 11 selftests: x86: test_vdso_64
+ok 12 selftests: x86: test_vsyscall_64
+ok 13 selftests: x86: mov_ss_trap_64
+ok 14 selftests: x86: fsgsbase_restore_64
+ok 15 selftests: x86: sigaltstack_64
+ok 16 selftests: x86: fsgsbase_64
+ok 17 selftests: x86: sysret_rip_64
+ok 18 selftests: x86: corrupt_xstate_header_64
+ok 1 selftests: size: get_size
+ok 1 selftests: tc-testing: tdc.sh
+ok 1 selftests: x86: single_step_syscall_64
+ok 2 selftests: x86: sysret_ss_attrs_64
+ok 3 selftests: x86: syscall_nt_64
+ok 4 selftests: x86: test_mremap_vdso_64
+ok 5 selftests: x86: check_initial_reg_state_64
+ok 6 selftests: x86: sigreturn_64
+ok 7 selftests: x86: iopl_64
+ok 8 selftests: x86: mpx-mini-test_64
+ok 9 selftests: x86: ioperm_64

kselftest-before.log
kselftest-after.log

Check_kernel_commits including interdiff

> python3 /home/rnicolescu/ciq/kernel-src-tree-tools/check_kernel_commits.py --repo /home/rnicolescu/ciq/kernels/lts-8.6/kernel-src-tree --pr_branch {rnicolescu}_ciqlts8_6 --base_branch origin/ciqlts8_6
[FIXES] PR commit e03af711ad14 (Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm
        regression) references upstream commit 332f1795ca20, which has Fixes
        tags:

    b840304fb46c Bluetooth: L2CAP: Fix build errors in some archs (Luiz Augusto von Dentz)

Note

The above error is because the fix
Bluetooth: L2CAP: Fix build errors in some archs (Luiz Augusto von Dentz)
is present in 2 commits that appear in full history, even though they are identical. Only commit

fc5ae5b44eb2 (Bluetooth: L2CAP: Fix build errors in some archs (Luiz Augusto von Dentz))

is actually present in the main line.
Investigating for a fix.

jira VULN-155016
cve-pre CVE-2023-53305
commit-author Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
commit d0be834

This fixes the following trace which is caused by hci_rx_work starting up
*after* the final channel reference has been put() during sock_close() but
*before* the references to the channel have been destroyed, so instead
the code now relies on kref_get_unless_zero/l2cap_chan_hold_unless_zero to
prevent referencing a channel that is about to be destroyed.

  refcount_t: increment on 0; use-after-free.
  BUG: KASAN: use-after-free in refcount_dec_and_test+0x20/0xd0
  Read of size 4 at addr ffffffc114f5bf18 by task kworker/u17:14/705

  CPU: 4 PID: 705 Comm: kworker/u17:14 Tainted: G S      W
  4.14.234-00003-g1fb6d0bd49a4-dirty #28
  Hardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150
  Google Inc. MSM sm8150 Flame DVT (DT)
  Workqueue: hci0 hci_rx_work
  Call trace:
   dump_backtrace+0x0/0x378
   show_stack+0x20/0x2c
   dump_stack+0x124/0x148
   print_address_description+0x80/0x2e8
   __kasan_report+0x168/0x188
   kasan_report+0x10/0x18
   __asan_load4+0x84/0x8c
   refcount_dec_and_test+0x20/0xd0
   l2cap_chan_put+0x48/0x12c
   l2cap_recv_frame+0x4770/0x6550
   l2cap_recv_acldata+0x44c/0x7a4
   hci_acldata_packet+0x100/0x188
   hci_rx_work+0x178/0x23c
   process_one_work+0x35c/0x95c
   worker_thread+0x4cc/0x960
   kthread+0x1a8/0x1c4
   ret_from_fork+0x10/0x18

	Cc: stable@kernel.org
	Reported-by: Lee Jones <lee.jones@linaro.org>
	Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
	Tested-by: Lee Jones <lee.jones@linaro.org>
	Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
(cherry picked from commit d0be834)
	Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
jira VULN-155016
cve-pre CVE-2023-53305
commit-author Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
commit 332f179

The patch d0be834: "Bluetooth: L2CAP: Fix use-after-free caused
by l2cap_chan_put" from Jul 21, 2022, leads to the following Smatch
static checker warning:

        net/bluetooth/l2cap_core.c:1977 l2cap_global_chan_by_psm()
        error: we previously assumed 'c' could be null (see line 1996)

Fixes: d0be834 ("Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put")
	Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
	Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
(cherry picked from commit 332f179)
	Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
jira VULN-155016
cve-pre CVE-2023-53305
commit-author Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
commit fc5ae5b

This attempts to fix the following errors:

In function 'memcmp',
    inlined from 'bacmp' at ./include/net/bluetooth/bluetooth.h:347:9,
    inlined from 'l2cap_global_chan_by_psm' at
    net/bluetooth/l2cap_core.c:2003:15:
./include/linux/fortify-string.h:44:33: error: '__builtin_memcmp'
specified bound 6 exceeds source size 0 [-Werror=stringop-overread]
   44 | #define __underlying_memcmp     __builtin_memcmp
      |                                 ^
./include/linux/fortify-string.h:420:16: note: in expansion of macro
'__underlying_memcmp'
  420 |         return __underlying_memcmp(p, q, size);
      |                ^~~~~~~~~~~~~~~~~~~
In function 'memcmp',
    inlined from 'bacmp' at ./include/net/bluetooth/bluetooth.h:347:9,
    inlined from 'l2cap_global_chan_by_psm' at
    net/bluetooth/l2cap_core.c:2004:15:
./include/linux/fortify-string.h:44:33: error: '__builtin_memcmp'
specified bound 6 exceeds source size 0 [-Werror=stringop-overread]
   44 | #define __underlying_memcmp     __builtin_memcmp
      |                                 ^
./include/linux/fortify-string.h:420:16: note: in expansion of macro
'__underlying_memcmp'
  420 |         return __underlying_memcmp(p, q, size);
      |                ^~~~~~~~~~~~~~~~~~~

Fixes: 332f179 ("Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm regression")
	Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
(cherry picked from commit fc5ae5b)
	Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
jira VULN-155016
cve CVE-2023-53305
commit-author Zhengping Jiang <jiangzp@google.com>
commit f752a0b

Fix potential use-after-free in l2cap_le_command_rej.

	Signed-off-by: Zhengping Jiang <jiangzp@google.com>
	Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit f752a0b)
	Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
jira VULN-67695
cve CVE-2025-37797
commit-author Cong Wang <xiyou.wangcong@gmail.com>
commit 3df275e

This patch fixes a Use-After-Free vulnerability in the HFSC qdisc class
handling. The issue occurs due to a time-of-check/time-of-use condition
in hfsc_change_class() when working with certain child qdiscs like netem
or codel.

The vulnerability works as follows:
1. hfsc_change_class() checks if a class has packets (q.qlen != 0)
2. It then calls qdisc_peek_len(), which for certain qdiscs (e.g.,
   codel, netem) might drop packets and empty the queue
3. The code continues assuming the queue is still non-empty, adding
   the class to vttree
4. This breaks HFSC scheduler assumptions that only non-empty classes
   are in vttree
5. Later, when the class is destroyed, this can lead to a Use-After-Free

The fix adds a second queue length check after qdisc_peek_len() to verify
the queue wasn't emptied.

Fixes: 21f4d5c ("net_sched/hfsc: fix curve activation in hfsc_change_class()")
	Reported-by: Gerrard Tai <gerrard.tai@starlabs.sg>
	Reviewed-by: Konstantin Khlebnikov <koct9i@gmail.com>
	Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
	Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20250417184732.943057-2-xiyou.wangcong@gmail.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 3df275e)
	Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
jira VULN-73369
cve CVE-2025-37914
commit-author Victor Nogueira <victor@mojatatu.com>
commit 1a6d0c0

As described in Gerrard's report [1], there are use cases where a netem
child qdisc will make the parent qdisc's enqueue callback reentrant.
In the case of ets, there won't be a UAF, but the code will add the same
classifier to the list twice, which will cause memory corruption.

In addition to checking for qlen being zero, this patch checks whether
the class was already added to the active_list (cl_is_active) before
doing the addition to cater for the reentrant case.

[1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/

Fixes: 37d9cf1 ("sched: Fix detection of empty queues in child qdiscs")
	Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
	Signed-off-by: Victor Nogueira <victor@mojatatu.com>
Link: https://patch.msgid.link/20250425220710.3964791-4-victor@mojatatu.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 1a6d0c0)
	Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
jira VULN-71883
cve CVE-2025-38159
commit-author Alexey Kodanev <aleksei.kodanev@bell-sw.com>
commit 4c2c372

Set the size to 6 instead of 2, since the 'para' array is passed to
'rtw_fw_bt_wifi_control(rtwdev, para[0], &para[1])', which reads
5 bytes:

void rtw_fw_bt_wifi_control(struct rtw_dev *rtwdev, u8 op_code, u8 *data)
{
    ...
    SET_BT_WIFI_CONTROL_DATA1(h2c_pkt, *data);
    SET_BT_WIFI_CONTROL_DATA2(h2c_pkt, *(data + 1));
    ...
    SET_BT_WIFI_CONTROL_DATA5(h2c_pkt, *(data + 4));

Detected using the static analysis tool - Svace.
Fixes: 4136214 ("rtw88: add BT co-existence support")
	Signed-off-by: Alexey Kodanev <aleksei.kodanev@bell-sw.com>
	Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20250513121304.124141-1-aleksei.kodanev@bell-sw.com
(cherry picked from commit 4c2c372)
	Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
jira VULN-72059
cve CVE-2025-38200
commit-author Kyungwook Boo <bookyungwook@gmail.com>
commit 015bac5

When the device sends a specific input, an integer underflow can occur, leading
to MMIO write access to an invalid page.

Prevent the integer underflow by changing the type of related variables.

	Signed-off-by: Kyungwook Boo <bookyungwook@gmail.com>
Link: https://lore.kernel.org/lkml/ffc91764-1142-4ba2-91b6-8c773f6f7095@gmail.com/T/
	Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
	Reviewed-by: Simon Horman <horms@kernel.org>
	Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
	Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
	Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
(cherry picked from commit 015bac5)
	Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
jira VULN-72453
cve CVE-2025-38332
commit-author Daniel Wagner <wagi@kernel.org>
commit ae82eaf

The strlcat() with FORTIFY support is triggering a panic because it
thinks the target buffer will overflow although the correct target
buffer size is passed in.

Anyway, instead of memset() with 0 followed by a strlcat(), just use
memcpy() and ensure that the resulting buffer is NULL terminated.

BIOSVersion is only used for the lpfc_printf_log() which expects a
properly terminated string.

	Signed-off-by: Daniel Wagner <wagi@kernel.org>
Link: https://lore.kernel.org/r/20250409-fix-lpfc-bios-str-v1-1-05dac9e51e13@kernel.org
	Reviewed-by: Justin Tee <justin.tee@broadcom.com>
	Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
(cherry picked from commit ae82eaf)
	Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
jira VULN-80314
cve CVE-2025-38464
commit-author Kuniyuki Iwashima <kuniyu@google.com>
commit 667eeab

syzbot reported a null-ptr-deref in tipc_conn_close() during netns
dismantle. [0]

tipc_topsrv_stop() iterates tipc_net(net)->topsrv->conn_idr and calls
tipc_conn_close() for each tipc_conn.

The problem is that tipc_conn_close() is called after releasing the
IDR lock.

At the same time, there might be tipc_conn_recv_work() running and it
could call tipc_conn_close() for the same tipc_conn and release its
last ->kref.

Once we release the IDR lock in tipc_topsrv_stop(), there is no
guarantee that the tipc_conn is alive.

Let's hold the ref before releasing the lock and put the ref after
tipc_conn_close() in tipc_topsrv_stop().

[0]:
BUG: KASAN: use-after-free in tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165
Read of size 8 at addr ffff888099305a08 by task kworker/u4:3/435

CPU: 0 PID: 435 Comm: kworker/u4:3 Not tainted 4.19.204-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
 kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
 kasan_report mm/kasan/report.c:412 [inline]
 __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
 tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165
 tipc_topsrv_stop net/tipc/topsrv.c:701 [inline]
 tipc_topsrv_exit_net+0x27b/0x5c0 net/tipc/topsrv.c:722
 ops_exit_list+0xa5/0x150 net/core/net_namespace.c:153
 cleanup_net+0x3b4/0x8b0 net/core/net_namespace.c:553
 process_one_work+0x864/0x1570 kernel/workqueue.c:2153
 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
 kthread+0x33f/0x460 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

Allocated by task 23:
 kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625
 kmalloc include/linux/slab.h:515 [inline]
 kzalloc include/linux/slab.h:709 [inline]
 tipc_conn_alloc+0x43/0x4f0 net/tipc/topsrv.c:192
 tipc_topsrv_accept+0x1b5/0x280 net/tipc/topsrv.c:470
 process_one_work+0x864/0x1570 kernel/workqueue.c:2153
 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
 kthread+0x33f/0x460 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

Freed by task 23:
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xcc/0x210 mm/slab.c:3822
 tipc_conn_kref_release net/tipc/topsrv.c:150 [inline]
 kref_put include/linux/kref.h:70 [inline]
 conn_put+0x2cd/0x3a0 net/tipc/topsrv.c:155
 process_one_work+0x864/0x1570 kernel/workqueue.c:2153
 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
 kthread+0x33f/0x460 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

The buggy address belongs to the object at ffff888099305a00
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 8 bytes inside of
 512-byte region [ffff888099305a00, ffff888099305c00)
The buggy address belongs to the page:
page:ffffea000264c140 count:1 mapcount:0 mapping:ffff88813bff0940 index:0x0
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffffea00028b6b88 ffffea0002cd2b08 ffff88813bff0940
raw: 0000000000000000 ffff888099305000 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888099305900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888099305980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888099305a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff888099305a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888099305b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

Fixes: c5fa7b3 ("tipc: introduce new TIPC server infrastructure")
	Reported-by: syzbot+d333febcf8f4bc5f6110@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=27169a847a70550d17be
	Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
	Reviewed-by: Tung Nguyen <tung.quang.nguyen@est.tech>
Link: https://patch.msgid.link/20250702014350.692213-1-kuniyu@google.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 667eeab)
	Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
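Added illustration, not code from this PR or from the kernel: a constructed C model of the refcount race the first L2CAP commit message describes, showing why an unconditional hold on a channel whose final reference was already put during sock_close() is a use-after-free, and how a kref_get_unless_zero-style hold lets the rx path bail out instead. The struct chan and chan_hold/chan_put names are stand-ins for the kernel's l2cap_chan helpers, and the "freed" flag simulates the free so the outcome can be observed rather than crash.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>

/* Constructed stand-in for struct l2cap_chan: a refcount plus a "freed"
 * flag so a use-after-free can be observed instead of crashing. */
struct chan {
    atomic_int kref;
    bool freed;
};

/* Unconditional hold, the pattern the fix moves away from: on a count of 0
 * it simply goes to 1 ("refcount_t: increment on 0; use-after-free"). */
static void chan_hold(struct chan *c)
{
    atomic_fetch_add(&c->kref, 1);
}

/* Mirrors kref_get_unless_zero(): take a reference only while the count is
 * still positive. A 0 means the final put already ran and the object is
 * being destroyed, so the caller must not touch it at all. */
static struct chan *chan_hold_unless_zero(struct chan *c)
{
    int old = atomic_load(&c->kref);
    do {
        if (old == 0)
            return NULL;
    } while (!atomic_compare_exchange_weak(&c->kref, &old, old + 1));
    return c;
}

/* Drop a reference; the last put "frees" the object. Freeing is simulated
 * with a flag so the demo can report the bug rather than crash. */
static void chan_put(struct chan *c)
{
    if (atomic_fetch_sub(&c->kref, 1) == 1)
        c->freed = true;
}

/* Simulated ordering from the KASAN trace: sock_close() has put the final
 * reference before hci_rx_work() looks the channel up. Returns true when
 * the rx path goes on to use a channel that was already destroyed. */
static bool rx_after_close(bool use_unless_zero)
{
    struct chan *c = calloc(1, sizeof(*c));
    bool uaf;

    atomic_store(&c->kref, 1);   /* the socket's reference */
    chan_put(c);                 /* sock_close(): final ref gone, destroyed */

    if (use_unless_zero) {
        struct chan *held = chan_hold_unless_zero(c);
        uaf = held != NULL;      /* NULL: rx path correctly bails out */
        if (held)
            chan_put(held);
    } else {
        chan_hold(c);            /* 0 -> 1 on a dead object */
        uaf = c->freed;          /* every later access is a use-after-free */
        chan_put(c);
    }
    free(c);
    return uaf;
}
```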

github-actions bot commented Nov 9, 2025

🔍 Upstream Linux Kernel Commit Check

  • ⚠️ PR commit e03af711ad14 (Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm regression) references upstream commit
    332f1795ca20 which has been referenced by a Fixes: tag in the upstream
    Linux kernel:
    b840304fb46c Bluetooth: L2CAP: Fix build errors in some archs (Luiz Augusto von Dentz)

This is an automated message from the kernel commit checker workflow.

@PlaidCat PlaidCat requested a review from a team November 11, 2025 00:00
@PlaidCat PlaidCat left a comment

:shipit:

@PlaidCat PlaidCat requested a review from a team November 11, 2025 00:15
@roxanan1996 roxanan1996 merged commit f956b30 into ciqlts8_6 Nov 11, 2025
3 checks passed