[LTS 9.2] CVE-2024-26923, CVE-2024-35937, CVE-2024-58002 #704

pvts-mat · 2025-11-17T21:19:11Z

[LTS 9.2]
CVE-2024-26923 VULN-8201
CVE-2024-35937 VULN-5183
CVE-2024-58002 VULN-53464

Commits

CVE-2024-26923

5514900:

af_unix: fix lockdep positive in sk_diag_dump_icons()

jira VULN-8201
cve-pre CVE-2024-26923
commit-author Eric Dumazet <edumazet@google.com>
commit 4d322dce82a1d44f8c83f0f54f95dd1b8dcf46c9

7127fb9:

af_unix: Fix garbage collector racing against connect()

jira VULN-8201
cve CVE-2024-26923
commit-author Michal Luczaj <mhal@rbox.co>
commit 47d8ac011fe1c9251070e1bd64cb10b48193ec51
upstream-diff No actual difference from the upstream patch, but required
  manual conflicts resolution due to differences in neighbouring code
  (`inflight_refs')

e7f6aee:

af_unix: Suppress false-positive lockdep splat for spin_lock() in __unix_gc().

jira VULN-8201
cve-bf CVE-2024-26923
commit-author Kuniyuki Iwashima <kuniyu@amazon.com>
commit 1971d13ffa84a551d29a81fdf5b5ec5be166ac83

The 4d322dc commit is not so much a prerequisite for the cve fix as it is for its bugfix 1971d13. Same solution can be found in linux-5.15.y, although mixed with fixes for other CVEs (CVE-2024-26750, CVE-2024-26780, CVE-2024-36972, CVE-2024-26676, all CVSS 5.5).

$ git --no-pager log --oneline -n 11  linux-5.15.y  -- net/unix/garbage.c include/net/af_unix.h include/linux/unix_diag.h net/unix/diag.c

d34d3b3f92249706af9ad1bbb075cd224ea59758 af_unix: Annotate data-race of sk->sk_shutdown in sk_diag_fill().  
bdb5e4fbad58434dc2ef048a2c20ed9df7f471f3 af_unix: Use skb_queue_len_lockless() in sk_diag_show_rqlen().
69e797f63468cf40ac81fbd619f19efabd1263e7 af_unix: Annotate data-races around sk->sk_state in UNIX_DIAG.
2e29ff824b47a22f5c2531f957f55de2db65af6c af_unix: Suppress false-positive lockdep splat for spin_lock() in __unix_gc().   <--
e76c2678228f6aec74b305ae30c9374cc2f28a51 af_unix: Fix garbage collector racing against connect()                          <--
37120fa8d92a43f538ff6b7646948a55cdbad266 af_unix: Do not use atomic ops for unix_sk(sk)->inflight.
8a029ee1e392f41ae799c0848aed133082963567 af_unix: Annotate data-race of gc_in_progress in wait_for_unix_gc().
6c480d0f131862645d172ca9e25dc152b1a5c3a6 af_unix: Drop oob_skb ref before purging queue in GC.
36f7371de977f805750748e80279be7e370df85c af_unix: Fix task hung while purging oob_skb in GC.
4fe505c63aa3273135a57597fda761e9aecc7668 af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC.
c8f6b3b864cb876e9ee21666a391c9ee290682ac af_unix: fix lockdep positive in sk_diag_dump_icons()                            <--

CVE-2024-35937

132eaaa:

wifi: cfg80211: check A-MSDU format more carefully

jira VULN-5183
cve CVE-2024-35937
commit-author Johannes Berg <johannes.berg@intel.com>
commit 9ad7974856926129f190ffbe3beea78460b3b7cc
upstream-diff |
  1. All changes to the `ieee80211_is_valid_amsdu' function were discarded
     because it's missing from `ciqlts9_2'.
  2. Changes to `ieee80211_amsdu_to_8023s' were adapted to account for the
     missing 986e43b19ae9176093da35e0a844e65c8bf9ede7 from `ciqlts9_2'
     history: the `copy_len > remaining' condition was changed to
     `sizeof(eth) > remaining', as `sizeof(eth)' is the only possible
     value `copy_len' could have assumed in `ciqlts9_2' if it was
     introduced without backporting 986e43b (pointless).

CVE-2024-58002

Neutral code refactor, makes next next picks clean:

b00b1a4:

media: uvcvideo: Refactor iterators

jira VULN-53464
cve-pre CVE-2024-58002
commit-author Ricardo Ribalda <ribalda@chromium.org>
commit 64627daf0c5f7838111f52bbbd1a597cb5d6871a

CVE-lacking fix of the same culprit commit e5225c8, which additionally makes the next pick clean.

068e994:

media: uvcvideo: Only save async fh if success

jira VULN-53464
cve-pre CVE-2024-58002
commit-author Ricardo Ribalda <ribalda@chromium.org>
commit d9fecd096f67a4469536e040a8a10bbfb665918b

The fix proper for CVE-2024-58002:

052793b:

media: uvcvideo: Remove dangling pointers

jira VULN-53464
cve CVE-2024-58002
commit-author Ricardo Ribalda <ribalda@chromium.org>
commit 221cd51efe4565501a3dbf04cc011b537dcce7fb
upstream-diff `guard(mutex)' construct replaced with older locking
  scheme because `ciqlts9_2' lacks
  54da6a0924311c7cf5015533991e44fb8eb12773. This commit is actually a
  direct cherry pick of the 5.15 stable backport
  117f7a2975baa4b7d702d3f4830d5a4ebd0c6d50.

Additional CVE-lacking fixes exist for e5225c8: 04d3398 and 619d9b7. Both were backported to stable 5.15 (14810fb and 8e62139). Omitted in the PR to keep it focused.

kABI check: passed

$ DEBUG=1 CVE=CVE-batch-11 ./ninja.sh _kabi_check_kernel__x86_64--test--ciqlts9_2-CVE-batch-11

[0/1] kabi_check_kernel	Check ABI of kernel [ciqlts9_2-CVE-batch-11]	_kabi_check_kernel__x86_64--test--ciqlts9_2-CVE-batch-11
++ uname -m
+ python3 /data/src/ctrliq-github-haskell/kernel-dist-git-el-9.2/SOURCES/check-kabi -k /data/src/ctrliq-github-haskell/kernel-dist-git-el-9.2/SOURCES/Module.kabi_x86_64 -s vms/x86_64--build--ciqlts9_2/build_files/kernel-src-tree-ciqlts9_2-CVE-batch-11/Module.symvers
kABI check passed
+ touch state/kernels/ciqlts9_2-CVE-batch-11/x86_64/kabi_checked

Boot test: passed

boot-test.log

Kselftests: passed relative

Reference

kselftests–ciqlts9_2–run1.log

Patch

kselftests–ciqlts9_2-CVE-batch-11–run1.log
kselftests–ciqlts9_2-CVE-batch-11–run2.log

Comparison

The tests results for the reference and the patch are the same.

$ ktests.xsh diff kselftests*.log

Column    File
--------  --------------------------------------------
Status0   kselftests--ciqlts9_2--run1.log
Status1   kselftests--ciqlts9_2-CVE-batch-11--run1.log
Status2   kselftests--ciqlts9_2-CVE-batch-11--run2.log

TestCase                                               Status0  Status1  Status2  Summary
bpf:test_bpftool.sh                                    pass     pass     pass     same
bpf:test_bpftool_build.sh                              pass     pass     pass     same
bpf:test_bpftool_metadata.sh                           pass     pass     pass     same
bpf:test_cgroup_storage                                pass     pass     pass     same
bpf:test_doc_build.sh                                  pass     pass     pass     same
bpf:test_flow_dissector.sh                             fail     fail     fail     same
bpf:test_lirc_mode2.sh                                 pass     pass     pass     same
bpf:test_lpm_map                                       pass     pass     pass     same
bpf:test_lru_map                                       pass     pass     pass     same
bpf:test_lwt_ip_encap.sh                               pass     pass     pass     same
bpf:test_lwt_seg6local.sh                              pass     pass     pass     same
bpf:test_offload.py                                    fail     fail     fail     same
bpf:test_sock                                          pass     pass     pass     same
bpf:test_sock_addr.sh                                  pass     pass     pass     same
bpf:test_sysctl                                        pass     pass     pass     same
bpf:test_tag                                           pass     pass     pass     same
bpf:test_tc_edt.sh                                     pass     pass     pass     same
bpf:test_tc_tunnel.sh                                  fail     fail     fail     same
bpf:test_tcp_check_syncookie.sh                        pass     pass     pass     same
bpf:test_tcpnotify_user                                pass     pass     pass     same
bpf:test_tunnel.sh                                     fail     fail     fail     same
bpf:test_verifier                                      fail     fail     fail     same
bpf:test_xdp_meta.sh                                   pass     pass     pass     same
bpf:test_xdp_redirect.sh                               pass     pass     pass     same
bpf:test_xdp_redirect_multi.sh                         pass     pass     pass     same
bpf:test_xdp_veth.sh                                   pass     pass     pass     same
bpf:test_xdp_vlan_mode_generic.sh                      pass     pass     pass     same
bpf:test_xdp_vlan_mode_native.sh                       pass     pass     pass     same
bpf:test_xdping.sh                                     pass     pass     pass     same
breakpoints:breakpoint_test                            pass     pass     pass     same
capabilities:test_execve                               pass     pass     pass     same
cgroup:test_core                                       fail     fail     fail     same
cgroup:test_cpuset_prs.sh                              pass     pass     pass     same
cgroup:test_kill                                       pass     pass     pass     same
cgroup:test_kmem                                       pass     pass     pass     same
cgroup:test_stress.sh                                  fail     fail     fail     same
clone3:clone3                                          pass     pass     pass     same
clone3:clone3_cap_checkpoint_restore                   pass     pass     pass     same
clone3:clone3_clear_sighand                            pass     pass     pass     same
clone3:clone3_set_tid                                  pass     pass     pass     same
core:close_range_test                                  pass     pass     pass     same
cpu-hotplug:cpu-on-off-test.sh                         pass     pass     pass     same
cpufreq:main.sh                                        fail     fail     fail     same
drivers/dma-buf:udmabuf                                pass     pass     pass     same
drivers/net/bonding:bond-arp-interval-causes-panic.sh  pass     pass     pass     same
drivers/net/bonding:bond-break-lacpdu-tx.sh            pass     pass     pass     same
drivers/net/bonding:bond-lladdr-target.sh              pass     pass     pass     same
drivers/net/bonding:dev_addr_lists.sh                  pass     pass     pass     same
drivers/net/bonding:mode-1-recovery-updelay.sh         pass     pass     pass     same
drivers/net/bonding:mode-2-recovery-updelay.sh         pass     pass     pass     same
drivers/net/team:dev_addr_lists.sh                     pass     pass     pass     same
filesystems/binderfs:binderfs_test                     fail     fail     fail     same
firmware:fw_run_tests.sh                               skip     skip     skip     same
fpu:run_test_fpu.sh                                    skip     skip     skip     same
fpu:test_fpu                                           pass     pass     pass     same
ftrace:ftracetest                                      fail     fail     fail     same
futex:run.sh                                           pass     pass     pass     same
gpio:gpio-mockup.sh                                    fail     fail     fail     same
intel_pstate:run.sh                                    pass     pass     pass     same
ipc:msgque                                             pass     pass     pass     same
ir:ir_loopback.sh                                      skip     skip     skip     same
kcmp:kcmp_test                                         pass     pass     pass     same
kexec:test_kexec_file_load.sh                          skip     skip     skip     same
kexec:test_kexec_load.sh                               skip     skip     skip     same
kvm:access_tracking_perf_test                          pass     pass     pass     same
kvm:amx_test                                           fail     fail     fail     same
kvm:cpuid_test                                         fail     fail     fail     same
kvm:cr4_cpuid_sync_test                                fail     fail     fail     same
kvm:debug_regs                                         fail     fail     fail     same
kvm:demand_paging_test                                 pass     pass     pass     same
kvm:dirty_log_perf_test                                pass     pass     pass     same
kvm:dirty_log_test                                     fail     fail     fail     same
kvm:emulator_error_test                                fail     fail     fail     same
kvm:evmcs_test                                         fail     fail     fail     same
kvm:fix_hypercall_test                                 fail     fail     fail     same
kvm:get_msr_index_features                             fail     fail     fail     same
kvm:hardware_disable_test                              pass     pass     pass     same
kvm:hyperv_clock                                       fail     fail     fail     same
kvm:hyperv_cpuid                                       fail     fail     fail     same
kvm:hyperv_features                                    fail     fail     fail     same
kvm:hyperv_svm_test                                    fail     fail     fail     same
kvm:kvm_binary_stats_test                              pass     pass     pass     same
kvm:kvm_clock_test                                     fail     fail     fail     same
kvm:kvm_create_max_vcpus                               pass     pass     pass     same
kvm:kvm_page_table_test                                pass     pass     pass     same
kvm:kvm_pv_test                                        fail     fail     fail     same
kvm:max_guest_memory_test                              pass     pass     pass     same
kvm:max_vcpuid_cap_test                                fail     fail     fail     same
kvm:memslot_modification_stress_test                   pass     pass     pass     same
kvm:memslot_perf_test                                  pass     pass     pass     same
kvm:mmio_warning_test                                  fail     fail     fail     same
kvm:monitor_mwait_test                                 fail     fail     fail     same
kvm:nx_huge_pages_test.sh                              fail     fail     fail     same
kvm:platform_info_test                                 fail     fail     fail     same
kvm:pmu_event_filter_test                              fail     fail     fail     same
kvm:rseq_test                                          fail     fail     fail     same
kvm:set_boot_cpu_id                                    fail     fail     fail     same
kvm:set_memory_region_test                             pass     pass     pass     same
kvm:set_sregs_test                                     fail     fail     fail     same
kvm:sev_migrate_tests                                  fail     fail     fail     same
kvm:smm_test                                           fail     fail     fail     same
kvm:state_test                                         fail     fail     fail     same
kvm:steal_time                                         pass     pass     pass     same
kvm:svm_int_ctl_test                                   fail     fail     fail     same
kvm:svm_nested_soft_inject_test                        fail     fail     fail     same
kvm:svm_vmcall_test                                    fail     fail     fail     same
kvm:sync_regs_test                                     fail     fail     fail     same
kvm:system_counter_offset_test                         pass     pass     pass     same
kvm:triple_fault_event_test                            fail     fail     fail     same
kvm:tsc_msrs_test                                      fail     fail     fail     same
kvm:tsc_scaling_sync                                   fail     fail     fail     same
kvm:ucna_injection_test                                fail     fail     fail     same
kvm:userspace_io_test                                  fail     fail     fail     same
kvm:userspace_msr_exit_test                            fail     fail     fail     same
kvm:vmx_apic_access_test                               fail     fail     fail     same
kvm:vmx_close_while_nested_test                        fail     fail     fail     same
kvm:vmx_dirty_log_test                                 fail     fail     fail     same
kvm:vmx_exception_with_invalid_guest_state             fail     fail     fail     same
kvm:vmx_invalid_nested_guest_state                     fail     fail     fail     same
kvm:vmx_msrs_test                                      fail     fail     fail     same
kvm:vmx_nested_tsc_scaling_test                        fail     fail     fail     same
kvm:vmx_pmu_caps_test                                  fail     fail     fail     same
kvm:vmx_preemption_timer_test                          fail     fail     fail     same
kvm:vmx_set_nested_state_test                          fail     fail     fail     same
kvm:vmx_tsc_adjust_test                                fail     fail     fail     same
kvm:xapic_ipi_test                                     fail     fail     fail     same
kvm:xapic_state_test                                   fail     fail     fail     same
kvm:xen_shinfo_test                                    fail     fail     fail     same
kvm:xen_vmcall_test                                    fail     fail     fail     same
kvm:xss_msr_test                                       fail     fail     fail     same
landlock:base_test                                     fail     fail     fail     same
landlock:fs_test                                       fail     fail     fail     same
landlock:ptrace_test                                   fail     fail     fail     same
lib:bitmap.sh                                          skip     skip     skip     same
lib:prime_numbers.sh                                   skip     skip     skip     same
lib:printf.sh                                          skip     skip     skip     same
lib:scanf.sh                                           skip     skip     skip     same
lib:strscpy.sh                                         skip     skip     skip     same
livepatch:test-callbacks.sh                            skip     skip     skip     same
livepatch:test-ftrace.sh                               skip     skip     skip     same
livepatch:test-livepatch.sh                            skip     skip     skip     same
livepatch:test-shadow-vars.sh                          skip     skip     skip     same
livepatch:test-state.sh                                skip     skip     skip     same
membarrier:membarrier_test_multi_thread                pass     pass     pass     same
membarrier:membarrier_test_single_thread               pass     pass     pass     same
memfd:memfd_test                                       pass     pass     pass     same
memfd:run_fuse_test.sh                                 pass     pass     pass     same
memfd:run_hugetlbfs_test.sh                            pass     pass     pass     same
memory-hotplug:mem-on-off-test.sh                      pass     pass     pass     same
mincore:mincore_selftest                               fail     fail     fail     same
mount:run_nosymfollow.sh                               pass     pass     pass     same
mount:run_unprivileged_remount.sh                      pass     pass     pass     same
mqueue:mq_open_tests                                   pass     pass     pass     same
mqueue:mq_perf_tests                                   pass     pass     pass     same
nci:nci_dev                                            fail     fail     fail     same
net/forwarding:bridge_locked_port.sh                   pass     pass     pass     same
net/forwarding:bridge_mld.sh                           fail     fail     fail     same
net/forwarding:bridge_port_isolation.sh                pass     pass     pass     same
net/forwarding:bridge_sticky_fdb.sh                    pass     pass     pass     same
net/forwarding:bridge_vlan_aware.sh                    fail     fail     fail     same
net/forwarding:bridge_vlan_mcast.sh                    fail     fail     fail     same
net/forwarding:bridge_vlan_unaware.sh                  pass     pass     pass     same
net/forwarding:custom_multipath_hash.sh                fail     fail     fail     same
net/forwarding:ethtool.sh                              fail     fail     fail     same
net/forwarding:ethtool_extended_state.sh               fail     fail     fail     same
net/forwarding:gre_custom_multipath_hash.sh            fail     fail     fail     same
net/forwarding:gre_inner_v4_multipath.sh               fail     fail     fail     same
net/forwarding:gre_multipath.sh                        fail     fail     fail     same
net/forwarding:gre_multipath_nh.sh                     fail     fail     fail     same
net/forwarding:gre_multipath_nh_res.sh                 fail     fail     fail     same
net/forwarding:hw_stats_l3.sh                          fail     fail     fail     same
net/forwarding:hw_stats_l3_gre.sh                      fail     fail     fail     same
net/forwarding:ip6_forward_instats_vrf.sh              fail     fail     fail     same
net/forwarding:ip6gre_custom_multipath_hash.sh         fail     fail     fail     same
net/forwarding:ip6gre_flat.sh                          pass     pass     pass     same
net/forwarding:ip6gre_flat_key.sh                      pass     pass     pass     same
net/forwarding:ip6gre_flat_keys.sh                     pass     pass     pass     same
net/forwarding:ip6gre_hier.sh                          pass     pass     pass     same
net/forwarding:ip6gre_hier_key.sh                      pass     pass     pass     same
net/forwarding:ip6gre_hier_keys.sh                     pass     pass     pass     same
net/forwarding:ip6gre_inner_v4_multipath.sh            fail     fail     fail     same
net/forwarding:ip6gre_inner_v6_multipath.sh            fail     fail     fail     same
net/forwarding:ipip_flat_gre.sh                        pass     pass     pass     same
net/forwarding:ipip_flat_gre_key.sh                    pass     pass     pass     same
net/forwarding:ipip_flat_gre_keys.sh                   pass     pass     pass     same
net/forwarding:ipip_hier_gre.sh                        pass     pass     pass     same
net/forwarding:ipip_hier_gre_key.sh                    pass     pass     pass     same
net/forwarding:loopback.sh                             skip     skip     skip     same
net/forwarding:mirror_gre.sh                           fail     fail     fail     same
net/forwarding:mirror_gre_bound.sh                     pass     pass     pass     same
net/forwarding:mirror_gre_bridge_1d.sh                 pass     pass     pass     same
net/forwarding:mirror_gre_bridge_1q.sh                 pass     pass     pass     same
net/forwarding:mirror_gre_bridge_1q_lag.sh             pass     pass     pass     same
net/forwarding:mirror_gre_changes.sh                   fail     fail     fail     same
net/forwarding:mirror_gre_flower.sh                    fail     fail     fail     same
net/forwarding:mirror_gre_lag_lacp.sh                  pass     pass     pass     same
net/forwarding:mirror_gre_neigh.sh                     pass     pass     pass     same
net/forwarding:mirror_gre_nh.sh                        pass     pass     pass     same
net/forwarding:mirror_gre_vlan.sh                      pass     pass     pass     same
net/forwarding:mirror_vlan.sh                          pass     pass     pass     same
net/forwarding:pedit_dsfield.sh                        pass     pass     pass     same
net/forwarding:pedit_ip.sh                             pass     pass     pass     same
net/forwarding:pedit_l4port.sh                         pass     pass     pass     same
net/forwarding:q_in_vni_ipv6.sh                        pass     pass     pass     same
net/forwarding:router.sh                               skip     skip     skip     same
net/forwarding:router_bridge.sh                        pass     pass     pass     same
net/forwarding:router_bridge_vlan.sh                   pass     pass     pass     same
net/forwarding:router_broadcast.sh                     pass     pass     pass     same
net/forwarding:router_mpath_nh.sh                      fail     fail     fail     same
net/forwarding:router_mpath_nh_res.sh                  fail     fail     fail     same
net/forwarding:router_multicast.sh                     skip     skip     skip     same
net/forwarding:router_multipath.sh                     fail     fail     fail     same
net/forwarding:router_nh.sh                            pass     pass     pass     same
net/forwarding:router_vid_1.sh                         pass     pass     pass     same
net/forwarding:skbedit_priority.sh                     pass     pass     pass     same
net/forwarding:tc_chains.sh                            pass     pass     pass     same
net/forwarding:tc_flower.sh                            pass     pass     pass     same
net/forwarding:tc_flower_router.sh                     pass     pass     pass     same
net/forwarding:tc_mpls_l2vpn.sh                        pass     pass     pass     same
net/forwarding:tc_shblocks.sh                          pass     pass     pass     same
net/forwarding:tc_vlan_modify.sh                       pass     pass     pass     same
net/forwarding:vxlan_asymmetric.sh                     pass     pass     pass     same
net/forwarding:vxlan_asymmetric_ipv6.sh                pass     pass     pass     same
net/forwarding:vxlan_bridge_1d.sh                      fail     fail     fail     same
net/forwarding:vxlan_bridge_1d_port_8472.sh            pass     pass     pass     same
net/forwarding:vxlan_bridge_1d_port_8472_ipv6.sh       fail     fail     fail     same
net/forwarding:vxlan_bridge_1q.sh                      fail     fail     fail     same
net/forwarding:vxlan_bridge_1q_ipv6.sh                 fail     fail     fail     same
net/forwarding:vxlan_bridge_1q_port_8472.sh            pass     pass     pass     same
net/forwarding:vxlan_bridge_1q_port_8472_ipv6.sh       fail     fail     fail     same
net/forwarding:vxlan_symmetric.sh                      pass     pass     pass     same
net/forwarding:vxlan_symmetric_ipv6.sh                 pass     pass     pass     same
net/mptcp:diag.sh                                      pass     pass     pass     same
net/mptcp:mptcp_connect.sh                             pass     pass     pass     same
net/mptcp:mptcp_sockopt.sh                             pass     pass     pass     same
net/mptcp:pm_netlink.sh                                pass     pass     pass     same
net:altnames.sh                                        pass     pass     pass     same
net:bareudp.sh                                         pass     pass     pass     same
net:cmsg_so_mark.sh                                    pass     pass     pass     same
net:devlink_port_split.py                              skip     skip     skip     same
net:drop_monitor_tests.sh                              skip     skip     skip     same
net:fcnal-test.sh                                      skip     skip     skip     same
net:fib-onlink-tests.sh                                pass     pass     pass     same
net:fib_nexthop_multiprefix.sh                         pass     pass     pass     same
net:fib_rule_tests.sh                                  pass     pass     pass     same
net:fib_tests.sh                                       fail     fail     fail     same
net:fin_ack_lat.sh                                     pass     pass     pass     same
net:gre_gso.sh                                         pass     pass     pass     same
net:icmp.sh                                            fail     fail     fail     same
net:icmp_redirect.sh                                   pass     pass     pass     same
net:ip6_gre_headroom.sh                                pass     pass     pass     same
net:ipv6_flowlabel.sh                                  pass     pass     pass     same
net:l2tp.sh                                            pass     pass     pass     same
net:msg_zerocopy.sh                                    pass     pass     pass     same
net:netdevice.sh                                       pass     pass     pass     same
net:pmtu.sh                                            pass     pass     pass     same
net:psock_snd.sh                                       pass     pass     pass     same
net:reuseaddr_conflict                                 pass     pass     pass     same
net:reuseaddr_ports_exhausted.sh                       pass     pass     pass     same
net:reuseport_bpf                                      pass     pass     pass     same
net:reuseport_bpf_cpu                                  pass     pass     pass     same
net:reuseport_bpf_numa                                 pass     pass     pass     same
net:reuseport_dualstack                                pass     pass     pass     same
net:route_localnet.sh                                  pass     pass     pass     same
net:rps_default_mask.sh                                fail     fail     fail     same
net:rtnetlink.sh                                       skip     skip     skip     same
net:run_afpackettests                                  pass     pass     pass     same
net:run_netsocktests                                   pass     pass     pass     same
net:rxtimestamp.sh                                     pass     pass     pass     same
net:so_txtime.sh                                       pass     pass     pass     same
net:stress_reuseport_listen.sh                         pass     pass     pass     same
net:tcp_fastopen_backup_key.sh                         pass     pass     pass     same
net:test_blackhole_dev.sh                              fail     fail     fail     same
net:test_bpf.sh                                        pass     pass     pass     same
net:test_vxlan_fdb_changelink.sh                       pass     pass     pass     same
net:test_vxlan_under_vrf.sh                            pass     pass     pass     same
net:tls                                                pass     pass     pass     same
net:traceroute.sh                                      pass     pass     pass     same
net:udpgro.sh                                          fail     fail     fail     same
net:udpgro_bench.sh                                    fail     fail     fail     same
net:udpgso.sh                                          pass     pass     pass     same
net:unicast_extensions.sh                              pass     pass     pass     same
net:veth.sh                                            fail     fail     fail     same
net:vrf-xfrm-tests.sh                                  pass     pass     pass     same
net:vrf_route_leaking.sh                               fail     fail     fail     same
net:vrf_strict_mode_test.sh                            pass     pass     pass     same
netfilter:bridge_brouter.sh                            skip     skip     skip     same
netfilter:conntrack_icmp_related.sh                    fail     fail     fail     same
netfilter:conntrack_tcp_unreplied.sh                   pass     pass     pass     same
netfilter:conntrack_vrf.sh                             pass     pass     pass     same
netfilter:ipvs.sh                                      pass     pass     pass     same
netfilter:nf_nat_edemux.sh                             fail     fail     fail     same
netfilter:nft_concat_range.sh                          fail     fail     fail     same
netfilter:nft_conntrack_helper.sh                      skip     skip     skip     same
netfilter:nft_fib.sh                                   skip     skip     skip     same
netfilter:nft_flowtable.sh                             fail     fail     fail     same
netfilter:nft_meta.sh                                  pass     pass     pass     same
netfilter:nft_nat.sh                                   skip     skip     skip     same
netfilter:nft_queue.sh                                 skip     skip     skip     same
netfilter:rpath.sh                                     pass     pass     pass     same
nsfs:owner                                             pass     pass     pass     same
nsfs:pidns                                             pass     pass     pass     same
openat2:openat2_test                                   fail     fail     fail     same
openat2:rename_attack_test                             pass     pass     pass     same
openat2:resolve_test                                   fail     fail     fail     same
pid_namespace:regression_enomem                        pass     pass     pass     same
pidfd:pidfd_fdinfo_test                                pass     pass     pass     same
pidfd:pidfd_getfd_test                                 pass     pass     pass     same
pidfd:pidfd_open_test                                  pass     pass     pass     same
pidfd:pidfd_poll_test                                  pass     pass     pass     same
pidfd:pidfd_setns_test                                 pass     pass     pass     same
pidfd:pidfd_test                                       pass     pass     pass     same
pidfd:pidfd_wait                                       pass     pass     pass     same
proc:fd-001-lookup                                     pass     pass     pass     same
proc:fd-002-posix-eq                                   pass     pass     pass     same
proc:fd-003-kthread                                    pass     pass     pass     same
proc:proc-fsconfig-hidepid                             pass     pass     pass     same
proc:proc-loadavg-001                                  pass     pass     pass     same
proc:proc-multiple-procfs                              pass     pass     pass     same
proc:proc-self-map-files-001                           pass     pass     pass     same
proc:proc-self-map-files-002                           pass     pass     pass     same
proc:proc-self-syscall                                 pass     pass     pass     same
proc:proc-self-wchan                                   pass     pass     pass     same
proc:proc-subset-pid                                   pass     pass     pass     same
proc:proc-uptime-002                                   pass     pass     pass     same
proc:read                                              pass     pass     pass     same
proc:self                                              pass     pass     pass     same
proc:setns-dcache                                      pass     pass     pass     same
proc:setns-sysvipc                                     pass     pass     pass     same
proc:thread-self                                       pass     pass     pass     same
pstore:pstore_post_reboot_tests                        skip     skip     skip     same
pstore:pstore_tests                                    fail     fail     fail     same
ptrace:get_syscall_info                                pass     pass     pass     same
ptrace:peeksiginfo                                     pass     pass     pass     same
ptrace:vmaccess                                        fail     fail     fail     same
rlimits:rlimits-per-userns                             pass     pass     pass     same
rseq:basic_percpu_ops_test                             pass     pass     pass     same
rseq:basic_test                                        pass     pass     pass     same
rseq:param_test                                        pass     pass     pass     same
rseq:param_test_benchmark                              pass     pass     pass     same
rseq:param_test_compare_twice                          pass     pass     pass     same
rseq:run_param_test.sh                                 pass     pass     pass     same
seccomp:seccomp_benchmark                              pass     pass     pass     same
seccomp:seccomp_bpf                                    pass     pass     pass     same
sgx:test_sgx                                           fail     fail     fail     same
sigaltstack:sas                                        pass     pass     pass     same
size:get_size                                          pass     pass     pass     same
splice:default_file_splice_read.sh                     pass     pass     pass     same
splice:short_splice_read.sh                            fail     fail     fail     same
static_keys:test_static_keys.sh                        skip     skip     skip     same
syscall_user_dispatch:sud_benchmark                    pass     pass     pass     same
syscall_user_dispatch:sud_test                         pass     pass     pass     same
tc-testing:tdc.sh                                      fail     fail     fail     same
tdx:tdx_guest_test                                     fail     fail     fail     same
timens:clock_nanosleep                                 pass     pass     pass     same
timens:exec                                            pass     pass     pass     same
timens:futex                                           pass     pass     pass     same
timens:procfs                                          pass     pass     pass     same
timens:timens                                          pass     pass     pass     same
timens:timer                                           pass     pass     pass     same
timens:timerfd                                         pass     pass     pass     same
timens:vfork_exec                                      pass     pass     pass     same
timers:inconsistency-check                             pass     pass     pass     same
timers:mqueue-lat                                      pass     pass     pass     same
timers:nanosleep                                       pass     pass     pass     same
timers:nsleep-lat                                      pass     pass     pass     same
timers:posix_timers                                    pass     pass     pass     same
timers:rtcpie                                          pass     pass     pass     same
timers:set-timer-lat                                   pass     pass     pass     same
timers:threadtest                                      pass     pass     pass     same
tmpfs:bug-link-o-tmpfile                               pass     pass     pass     same
tpm2:test_smoke.sh                                     skip     skip     skip     same
tpm2:test_space.sh                                     skip     skip     skip     same
vDSO:vdso_standalone_test_x86                          pass     pass     pass     same
vDSO:vdso_test_abi                                     pass     pass     pass     same
vDSO:vdso_test_clock_getres                            pass     pass     pass     same
vDSO:vdso_test_correctness                             pass     pass     pass     same
vDSO:vdso_test_getcpu                                  pass     pass     pass     same
vDSO:vdso_test_gettimeofday                            pass     pass     pass     same
vm:run_vmtests.sh                                      skip     skip     skip     same
x86:amx_64                                             fail     fail     fail     same
x86:check_initial_reg_state_64                         pass     pass     pass     same
x86:corrupt_xstate_header_64                           pass     pass     pass     same
x86:fsgsbase_64                                        pass     pass     pass     same
x86:fsgsbase_restore_64                                pass     pass     pass     same
x86:ioperm_64                                          pass     pass     pass     same
x86:iopl_64                                            pass     pass     pass     same
x86:mov_ss_trap_64                                     pass     pass     pass     same
x86:sigaltstack_64                                     pass     pass     pass     same
x86:sigreturn_64                                       pass     pass     pass     same
x86:single_step_syscall_64                             pass     pass     pass     same
x86:syscall_arg_fault_64                               pass     pass     pass     same
x86:syscall_nt_64                                      pass     pass     pass     same
x86:syscall_numbering_64                               pass     pass     pass     same
x86:sysret_rip_64                                      pass     pass     pass     same
x86:sysret_ss_attrs_64                                 pass     pass     pass     same
x86:test_mremap_vdso_64                                pass     pass     pass     same
x86:test_vsyscall_64                                   pass     pass     pass     same
zram:zram.sh                                           pass     pass     pass     same

jira VULN-8201 cve-pre CVE-2024-26923 commit-author Eric Dumazet <edumazet@google.com> commit 4d322dc syzbot reported a lockdep splat [1]. Blamed commit hinted about the possible lockdep violation, and code used unix_state_lock_nested() in an attempt to silence lockdep. It is not sufficient, because unix_state_lock_nested() is already used from unix_state_double_lock(). We need to use a separate subclass. This patch adds a distinct enumeration to make things more explicit. Also use swap() in unix_state_double_lock() as a clean up. v2: add a missing inline keyword to unix_state_lock_nested() [1] WARNING: possible circular locking dependency detected 6.8.0-rc1-syzkaller-00356-g8a696a29c690 #0 Not tainted syz-executor.1/2542 is trying to acquire lock: ffff88808b5df9e8 (rlock-AF_UNIX){+.+.}-{2:2}, at: skb_queue_tail+0x36/0x120 net/core/skbuff.c:3863 but task is already holding lock: ffff88808b5dfe70 (&u->lock/1){+.+.}-{2:2}, at: unix_dgram_sendmsg+0xfc7/0x2200 net/unix/af_unix.c:2089 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> ctrliq#1 (&u->lock/1){+.+.}-{2:2}: lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754 _raw_spin_lock_nested+0x31/0x40 kernel/locking/spinlock.c:378 sk_diag_dump_icons net/unix/diag.c:87 [inline] sk_diag_fill+0x6ea/0xfe0 net/unix/diag.c:157 sk_diag_dump net/unix/diag.c:196 [inline] unix_diag_dump+0x3e9/0x630 net/unix/diag.c:220 netlink_dump+0x5c1/0xcd0 net/netlink/af_netlink.c:2264 __netlink_dump_start+0x5d7/0x780 net/netlink/af_netlink.c:2370 netlink_dump_start include/linux/netlink.h:338 [inline] unix_diag_handler_dump+0x1c3/0x8f0 net/unix/diag.c:319 sock_diag_rcv_msg+0xe3/0x400 netlink_rcv_skb+0x1df/0x430 net/netlink/af_netlink.c:2543 sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:280 netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline] netlink_unicast+0x7e6/0x980 net/netlink/af_netlink.c:1367 netlink_sendmsg+0xa37/0xd70 net/netlink/af_netlink.c:1908 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] sock_write_iter+0x39a/0x520 net/socket.c:1160 call_write_iter include/linux/fs.h:2085 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0xa74/0xca0 fs/read_write.c:590 ksys_write+0x1a0/0x2c0 fs/read_write.c:643 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b -> #0 (rlock-AF_UNIX){+.+.}-{2:2}: check_prev_add kernel/locking/lockdep.c:3134 [inline] check_prevs_add kernel/locking/lockdep.c:3253 [inline] validate_chain+0x1909/0x5ab0 kernel/locking/lockdep.c:3869 __lock_acquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137 lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162 skb_queue_tail+0x36/0x120 net/core/skbuff.c:3863 unix_dgram_sendmsg+0x15d9/0x2200 net/unix/af_unix.c:2112 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] ____sys_sendmsg+0x592/0x890 net/socket.c:2584 ___sys_sendmsg net/socket.c:2638 [inline] __sys_sendmmsg+0x3b2/0x730 net/socket.c:2724 __do_sys_sendmmsg net/socket.c:2753 [inline] __se_sys_sendmmsg net/socket.c:2750 [inline] __x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2750 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&u->lock/1); lock(rlock-AF_UNIX); lock(&u->lock/1); lock(rlock-AF_UNIX); *** DEADLOCK *** 1 lock held by syz-executor.1/2542: #0: ffff88808b5dfe70 (&u->lock/1){+.+.}-{2:2}, at: unix_dgram_sendmsg+0xfc7/0x2200 net/unix/af_unix.c:2089 stack backtrace: CPU: 1 PID: 2542 Comm: syz-executor.1 Not tainted 6.8.0-rc1-syzkaller-00356-g8a696a29c690 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106 check_noncircular+0x366/0x490 kernel/locking/lockdep.c:2187 check_prev_add kernel/locking/lockdep.c:3134 [inline] check_prevs_add kernel/locking/lockdep.c:3253 [inline] validate_chain+0x1909/0x5ab0 kernel/locking/lockdep.c:3869 __lock_acquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137 lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162 skb_queue_tail+0x36/0x120 net/core/skbuff.c:3863 unix_dgram_sendmsg+0x15d9/0x2200 net/unix/af_unix.c:2112 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] ____sys_sendmsg+0x592/0x890 net/socket.c:2584 ___sys_sendmsg net/socket.c:2638 [inline] __sys_sendmmsg+0x3b2/0x730 net/socket.c:2724 __do_sys_sendmmsg net/socket.c:2753 [inline] __se_sys_sendmmsg net/socket.c:2750 [inline] __x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2750 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b RIP: 0033:0x7f26d887cda9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f26d95a60c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 RAX: ffffffffffffffda RBX: 00007f26d89abf80 RCX: 00007f26d887cda9 RDX: 000000000000003e RSI: 00000000200bd000 RDI: 0000000000000004 RBP: 00007f26d88c947a R08: 0000000000000000 R09: 0000000000000000 R10: 00000000000008c0 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007f26d89abf80 R15: 00007ffcfe081a68 Fixes: 2aac7a2 ("unix_diag: Pending connections IDs NLA") Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com> Link: https://lore.kernel.org/r/20240130184235.1620738-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> (cherry picked from commit 4d322dc) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>

jira VULN-8201 cve CVE-2024-26923 commit-author Michal Luczaj <mhal@rbox.co> commit 47d8ac0 upstream-diff No actual difference from the upstream patch, but required manual conflicts resolution due to differences in neighbouring code (`inflight_refs') Garbage collector does not take into account the risk of embryo getting enqueued during the garbage collection. If such embryo has a peer that carries SCM_RIGHTS, two consecutive passes of scan_children() may see a different set of children. Leading to an incorrectly elevated inflight count, and then a dangling pointer within the gc_inflight_list. sockets are AF_UNIX/SOCK_STREAM S is an unconnected socket L is a listening in-flight socket bound to addr, not in fdtable V's fd will be passed via sendmsg(), gets inflight count bumped connect(S, addr) sendmsg(S, [V]); close(V) __unix_gc() ---------------- ------------------------- ----------- NS = unix_create1() skb1 = sock_wmalloc(NS) L = unix_find_other(addr) unix_state_lock(L) unix_peer(S) = NS // V count=1 inflight=0 NS = unix_peer(S) skb2 = sock_alloc() skb_queue_tail(NS, skb2[V]) // V became in-flight // V count=2 inflight=1 close(V) // V count=1 inflight=1 // GC candidate condition met for u in gc_inflight_list: if (total_refs == inflight_refs) add u to gc_candidates // gc_candidates={L, V} for u in gc_candidates: scan_children(u, dec_inflight) // embryo (skb1) was not // reachable from L yet, so V's // inflight remains unchanged __skb_queue_tail(L, skb1) unix_state_unlock(L) for u in gc_candidates: if (u.inflight) scan_children(u, inc_inflight_move_tail) // V count=1 inflight=2 (!) If there is a GC-candidate listening socket, lock/unlock its state. This makes GC wait until the end of any ongoing connect() to that socket. After flipping the lock, a possibly SCM-laden embryo is already enqueued. And if there is another embryo coming, it can not possibly carry SCM_RIGHTS. At this point, unix_inflight() can not happen because unix_gc_lock is already taken. Inflight graph remains unaffected. Fixes: 1fd05ba ("[AF_UNIX]: Rewrite garbage collector, fixes race.") Signed-off-by: Michal Luczaj <mhal@rbox.co> Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com> Link: https://lore.kernel.org/r/20240409201047.1032217-1-mhal@rbox.co Signed-off-by: Paolo Abeni <pabeni@redhat.com> (cherry picked from commit 47d8ac0) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>

…nix_gc(). jira VULN-8201 cve-bf CVE-2024-26923 commit-author Kuniyuki Iwashima <kuniyu@amazon.com> commit 1971d13 syzbot reported a lockdep splat regarding unix_gc_lock and unix_state_lock(). One is called from recvmsg() for a connected socket, and another is called from GC for TCP_LISTEN socket. So, the splat is false-positive. Let's add a dedicated lock class for the latter to suppress the splat. Note that this change is not necessary for net-next.git as the issue is only applied to the old GC impl. [0]: WARNING: possible circular locking dependency detected 6.9.0-rc5-syzkaller-00007-g4d2008430ce8 #0 Not tainted ----------------------------------------------------- kworker/u8:1/11 is trying to acquire lock: ffff88807cea4e70 (&u->lock){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline] ffff88807cea4e70 (&u->lock){+.+.}-{2:2}, at: __unix_gc+0x40e/0xf70 net/unix/garbage.c:302 but task is already holding lock: ffffffff8f6ab638 (unix_gc_lock){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline] ffffffff8f6ab638 (unix_gc_lock){+.+.}-{2:2}, at: __unix_gc+0x117/0xf70 net/unix/garbage.c:261 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> ctrliq#1 (unix_gc_lock){+.+.}-{2:2}: lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline] _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154 spin_lock include/linux/spinlock.h:351 [inline] unix_notinflight+0x13d/0x390 net/unix/garbage.c:140 unix_detach_fds net/unix/af_unix.c:1819 [inline] unix_destruct_scm+0x221/0x350 net/unix/af_unix.c:1876 skb_release_head_state+0x100/0x250 net/core/skbuff.c:1188 skb_release_all net/core/skbuff.c:1200 [inline] __kfree_skb net/core/skbuff.c:1216 [inline] kfree_skb_reason+0x16d/0x3b0 net/core/skbuff.c:1252 kfree_skb include/linux/skbuff.h:1262 [inline] manage_oob net/unix/af_unix.c:2672 [inline] unix_stream_read_generic+0x1125/0x2700 net/unix/af_unix.c:2749 unix_stream_splice_read+0x239/0x320 net/unix/af_unix.c:2981 do_splice_read fs/splice.c:985 [inline] splice_file_to_pipe+0x299/0x500 fs/splice.c:1295 do_splice+0xf2d/0x1880 fs/splice.c:1379 __do_splice fs/splice.c:1436 [inline] __do_sys_splice fs/splice.c:1652 [inline] __se_sys_splice+0x331/0x4a0 fs/splice.c:1634 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #0 (&u->lock){+.+.}-{2:2}: check_prev_add kernel/locking/lockdep.c:3134 [inline] check_prevs_add kernel/locking/lockdep.c:3253 [inline] validate_chain+0x18cb/0x58e0 kernel/locking/lockdep.c:3869 __lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline] _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154 spin_lock include/linux/spinlock.h:351 [inline] __unix_gc+0x40e/0xf70 net/unix/garbage.c:302 process_one_work kernel/workqueue.c:3254 [inline] process_scheduled_works+0xa10/0x17c0 kernel/workqueue.c:3335 worker_thread+0x86d/0xd70 kernel/workqueue.c:3416 kthread+0x2f0/0x390 kernel/kthread.c:388 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(unix_gc_lock); lock(&u->lock); lock(unix_gc_lock); lock(&u->lock); *** DEADLOCK *** 3 locks held by kworker/u8:1/11: #0: ffff888015089148 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3229 [inline] #0: ffff888015089148 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_scheduled_works+0x8e0/0x17c0 kernel/workqueue.c:3335 ctrliq#1: ffffc90000107d00 (unix_gc_work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3230 [inline] ctrliq#1: ffffc90000107d00 (unix_gc_work){+.+.}-{0:0}, at: process_scheduled_works+0x91b/0x17c0 kernel/workqueue.c:3335 ctrliq#2: ffffffff8f6ab638 (unix_gc_lock){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline] ctrliq#2: ffffffff8f6ab638 (unix_gc_lock){+.+.}-{2:2}, at: __unix_gc+0x117/0xf70 net/unix/garbage.c:261 stack backtrace: CPU: 0 PID: 11 Comm: kworker/u8:1 Not tainted 6.9.0-rc5-syzkaller-00007-g4d2008430ce8 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Workqueue: events_unbound __unix_gc Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2187 check_prev_add kernel/locking/lockdep.c:3134 [inline] check_prevs_add kernel/locking/lockdep.c:3253 [inline] validate_chain+0x18cb/0x58e0 kernel/locking/lockdep.c:3869 __lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline] _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154 spin_lock include/linux/spinlock.h:351 [inline] __unix_gc+0x40e/0xf70 net/unix/garbage.c:302 process_one_work kernel/workqueue.c:3254 [inline] process_scheduled_works+0xa10/0x17c0 kernel/workqueue.c:3335 worker_thread+0x86d/0xd70 kernel/workqueue.c:3416 kthread+0x2f0/0x390 kernel/kthread.c:388 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> Fixes: 47d8ac0 ("af_unix: Fix garbage collector racing against connect()") Reported-and-tested-by: syzbot+fa379358c28cc87cc307@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=fa379358c28cc87cc307 Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com> Link: https://lore.kernel.org/r/20240424170443.9832-1-kuniyu@amazon.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> (cherry picked from commit 1971d13) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>

roxanan1996

LGTM

roxanan1996 · 2025-11-19T14:35:35Z

@kerneltoast can you double check interdiff for this commit?

[DIFF] PR commit 9e850e6600d0 (wifi: cfg80211: check A-MSDU format more carefully) → upstream 9ad797485692
Differences found:

  diff -u b/net/wireless/util.c b/net/wireless/util.c
  --- b/net/wireless/util.c
  +++ b/net/wireless/util.c
  @@ -754,22 +754,0 @@
  -
  -bool ieee80211_is_valid_amsdu(struct sk_buff *skb, u8 mesh_hdr)
  -{
  -     int offset = 0, remaining, subframe_len, padding;
  -
  -     for (offset = 0; offset < skb->len; offset += subframe_len + padding) {
  -             struct {
  -                 __be16 len;
  -                 u8 mesh_flags;
  -             } hdr;
  -             u16 len;
  -
  -             if (skb_copy_bits(skb, offset + 2 * ETH_ALEN, &hdr, sizeof(hdr)) < 0)
  -                     return false;
  -
  -                                                   mesh_hdr);
  -             subframe_len = sizeof(struct ethhdr) + len;
  -             padding = (4 - subframe_len) & 0x3;
  -             remaining = skb->len - offset;
  -
  -             if (subframe_len > remaining)
  -                     return false;
  @@ -757,10 +757,10 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
        struct sk_buff *frame = NULL;
        u16 ethertype;
        u8 *payload;
  -     int offset = 0, remaining;
  +     int offset = 0;
        struct ethhdr eth;
        bool reuse_frag = skb->head_frag && !skb_has_frag_list(skb);
        bool reuse_skb = false;
        bool last = false;

        while (!last) {
  @@ -763,8 +763,9 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
        bool reuse_skb = false;
        bool last = false;

        while (!last) {
  +             int remaining = skb->len - offset;
                unsigned int subframe_len;
                int len;
                u8 padding;

  @@ -767,10 +768,13 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
                unsigned int subframe_len;
                int len;
                u8 padding;

  +             if (sizeof(eth) > remaining)
  +                     goto purge;
  +
                skb_copy_bits(skb, offset, &eth, sizeof(eth));
                len = ntohs(eth.h_proto);
                subframe_len = sizeof(struct ethhdr) + len;
                padding = (4 - subframe_len) & 0x3;

                /* the last MSDU has no padding */
  @@ -776,7 +754,4 @@
  -{
  -     unsigned int hlen = ALIGN(extra_headroom, 4);
        struct sk_buff *frame = NULL;
  +     u16 ethertype;
  +     u8 *payload;
        int offset = 0, remaining;
  -     struct {
  -             struct ethhdr eth;
  -             uint8_t flags;
  @@ -783,13 +758,16 @@
  -             copy_len = sizeof(hdr);
  +     struct ethhdr eth;
  +     bool reuse_frag = skb->head_frag && !skb_has_frag_list(skb);
  +     bool reuse_skb = false;
  +     bool last = false;

        while (!last) {
                unsigned int subframe_len;
  -             int len, mesh_len = 0;
  +             int len;
                u8 padding;

  -             skb_copy_bits(skb, offset, &hdr, copy_len);
  -             if (iftype == NL80211_IFTYPE_MESH_POINT)
  -                     mesh_len = __ieee80211_get_mesh_hdrlen(hdr.flags);
  +             skb_copy_bits(skb, offset, &eth, sizeof(eth));
  +             len = ntohs(eth.h_proto);
  +             subframe_len = sizeof(struct ethhdr) + len;
                padding = (4 - subframe_len) & 0x3;

                /* the last MSDU has no padding */
  @@ -791,7 +791,7 @@ INTERDIFF: rejected hunk from patch2, cannot diff context

   bool ieee80211_is_valid_amsdu(struct sk_buff *skb, u8 mesh_hdr)
   {
  -     int offset = 0, remaining, subframe_len, padding;
  +     int offset = 0, subframe_len, padding;

        for (offset = 0; offset < skb->len; offset += subframe_len + padding) {
                struct {
  @@ -794,9 +794,10 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
        int offset = 0, remaining, subframe_len, padding;

        for (offset = 0; offset < skb->len; offset += subframe_len + padding) {
  +             int remaining = skb->len - offset;
                struct {
                    __be16 len;
                    u8 mesh_flags;
                } hdr;
                u16 len;

  @@ -800,6 +801,9 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
                } hdr;
                u16 len;

  +             if (sizeof(hdr) > remaining)
  +                     return false;
  +
                if (skb_copy_bits(skb, offset + 2 * ETH_ALEN, &hdr, sizeof(hdr)) < 0)
                        return false;

  @@ -824,7 +827,7 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
   {
        unsigned int hlen = ALIGN(extra_headroom, 4);
        struct sk_buff *frame = NULL;
  -     int offset = 0, remaining;
  +     int offset = 0;
        struct {
                struct ethhdr eth;
                uint8_t flags;
  @@ -838,7 +841,8 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
                copy_len = sizeof(hdr);

        while (!last) {
  +             int remaining = skb->len - offset;
                unsigned int subframe_len;
                int len, mesh_len = 0;
                u8 padding;

  @@ -842,6 +846,9 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
                int len, mesh_len = 0;
                u8 padding;

  +             if (copy_len > remaining)
  +                     goto purge;
  +
                skb_copy_bits(skb, offset, &hdr, copy_len);
                if (iftype == NL80211_IFTYPE_MESH_POINT)
                        mesh_len = __ieee80211_get_mesh_hdrlen(hdr.flags);
  @@ -851,7 +858,6 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
                padding = (4 - subframe_len) & 0x3;

                /* the last MSDU has no padding */
  -             remaining = skb->len - offset;
                if (subframe_len > remaining)
                        goto purge;
                /* mitigate A-MSDU aggregation injection attacks */

It looks weird.

PlaidCat

but waiting on response from kerneltoat

roxanan1996 · 2025-11-21T08:38:21Z

but waiting on response from kerneltoat

The commit looked ok, I double checked. I just signaled that interdiff does not work as intented, I believe.

kerneltoast · 2025-12-01T23:52:31Z

@roxanan1996 Sorry for the late reply, this got lost in my inbox. 😞

That first hunk of just a bunch of minus lines was conclusively fixed in my last interdiff update ("Fixed remaining edge cases where spurious added or deleted code blocks would appear in the output due to rejected hunks"). I do see some other little issues here with the latest version of interdiff; did you notice any other issues besides that first hunk?

kerneltoast

Huh, why is the git commit author for wifi: cfg80211: check A-MSDU format more carefully set to Johannes Berg <johannes.berg@intel.com> instead of Marcin Wcisło <marcin.wcislo@conclusive.pl>? The commit date appears to have incorrectly been copied from the upstream commit too.

pvts-mat · 2025-12-02T19:45:43Z

Huh, why is the git commit author for wifi: cfg80211: check A-MSDU format more carefully set to `Johannes Berg johannes.berg@intel.com` instead of `Marcin Wcisło marcin.wcislo@conclusive.pl`? The commit date appears to have incorrectly been copied from the upstream commit too.

This is how git cherry-pick without the -n option behaves. It's actually normal for the backports to have the author different than commiter, from what I see, and it's the -n behavior striking as odd (it's not even mentioned in the manual). Not to look much further, the 5.15 backport of media: uvcvideo: Remove dangling pointers:

$ git log --color --pretty=fuller -n 1 117f7a2975baa4b7d702d3f4830d5a4ebd0c6d50 | head -n 5

commit 117f7a2975baa4b7d702d3f4830d5a4ebd0c6d50
Author:     Ricardo Ribalda <ribalda@chromium.org>
AuthorDate: Tue Dec 3 21:20:10 2024 +0000
Commit:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>
CommitDate: Thu Mar 13 12:51:12 2025 +0100

Is this required to have author = commiter @PlaidCat?

PlaidCat · 2025-12-02T22:33:47Z

Huh, why is the git commit author for wifi: cfg80211: check A-MSDU format more carefully set to Johannes Berg [johannes.berg@intel.com](mailto:johannes.berg@intel.com) instead of Marcin Wcisło [marcin.wcislo@conclusive.pl](mailto:marcin.wcislo@conclusive.pl)? The commit date appears to have incorrectly been copied from the upstream commit too.

This is how git cherry-pick without the -n option behaves. It's actually normal for the backports to have the author different than commiter, from what I see, and it's the -n behavior striking as odd (it's not even mentioned in the manual). Not to look much further, the 5.15 backport of media: uvcvideo: Remove dangling pointers:
$ git log --color --pretty=fuller -n 1 117f7a2975baa4b7d702d3f4830d5a4ebd0c6d50 | head -n 5
commit 117f7a2975baa4b7d702d3f4830d5a4ebd0c6d50
Author:     Ricardo Ribalda <ribalda@chromium.org>
AuthorDate: Tue Dec 3 21:20:10 2024 +0000
Commit:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>
CommitDate: Thu Mar 13 12:51:12 2025 +0100
Is this required to have author = commiter @PlaidCat?

You're right this is NOT how upstream does this for sure.

we've always used -nsx for cherry-picks because thats how redhat has done it and a red hat engineer was the one that helped form the original structure.
This is why we also always have the attribution to the original author as well in the header

See RedHat Changes
https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/commit/332b710963b2cb59339623de28a303886fcdf5ae

commit 332b710963b2cb59339623de28a303886fcdf5ae
Author: Mamatha Inamdar <minamdar@redhat.com>
Date:   Fri Nov 28 04:35:39 2025 -0500

    powerpc/pseries/htmdump: Add documentation for H_HTM debugfs interface

    JIRA: https://issues.redhat.com/browse/RHEL-52755

    commit ab1456c5aa7a63d5145547fc644bd4580dd253f2
    Author: Athira Rajeev <atrajeev@linux.ibm.com>
    Date:   Sun Apr 20 23:38:44 2025 +0530

        powerpc/pseries/htmdump: Add documentation for H_HTM debugfs interface

        Documentation for HTM (Hardware Trace Macro) debugfs interface
        and how it can be used to configure/control the HTM operations.

        Signed-off-by: Athira Rajeev <atrajeev@linux.ibm.com>
        Tested-by: Venkat Rao Bagalkote <venkat88@linux.ibm.com>
        Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
        Link: https://patch.msgid.link/20250420180844.53128-10-atrajeev@linux.ibm.com

    Signed-off-by: Mamatha Inamdar <minamdar@redhat.com>

Its buried in the wiki text so maybe not the most obvious that if you use cherry pick it should be using cherry-pick -nsx to make ourselves the author with -n = no commit so when you commit its who ever is at the keyboard,

We have tooling that uses git cherry-pick -nsx underneath, which will create the engineer doing the backport the author of the commit. We made this decision so that if someone adds any watcher and e-mailer program from the original authors from getting slammed we're restricting that to the participants in this kernel source tree.

I didn't catch this on initial review so I would appreciate it you're set to the author

pvts-mat · 2025-12-02T22:53:08Z

Its buried in the wiki text so maybe not the most obvious that if you use cherry pick it should be using cherry-pick -nsx to make ourselves the author with -n = no commit so when you commit its who ever is at the keyboard,

We have tooling that uses git cherry-pick -nsx underneath, which will create the engineer doing the backport the author of the commit. We made this decision so that if someone adds any watcher and e-mailer program from the original authors from getting slammed we're restricting that to the participants in this kernel source tree.

I remember this -nsx stuff, I just thought the -n part was merely a workflow suggestion, but it says explicitly about the commit authorship. Sorry for trouble, let me fix that real quick.

Just to be sure - is it ok to have different author date and commit date? I sometimes raw cherry pick (without -nsx) my own commits when juggling alternative solutions and the resulting commit has the same author and commiter, all the required metadata, but the times of creation and commiting may differ.

jira VULN-5183 cve CVE-2024-35937 commit-author Johannes Berg <johannes.berg@intel.com> commit 9ad7974 upstream-diff | 1. All changes to the `ieee80211_is_valid_amsdu' function were discarded because it's missing from `ciqlts9_2'. 2. Changes to `ieee80211_amsdu_to_8023s' were adapted to account for the missing 986e43b from `ciqlts9_2' history: the `copy_len > remaining' condition was changed to `sizeof(eth) > remaining', as `sizeof(eth)' is the only possible value `copy_len' could have assumed in `ciqlts9_2' if it was introduced without backporting 986e43b (pointless). If it looks like there's another subframe in the A-MSDU but the header isn't fully there, we can end up reading data out of bounds, only to discard later. Make this a bit more careful and check if the subframe header can even be present. Reported-by: syzbot+d050d437fe47d479d210@syzkaller.appspotmail.com Link: https://msgid.link/20240226203405.a731e2c95e38.I82ce7d8c0cc8970ce29d0a39fdc07f1ffc425be4@changeid Signed-off-by: Johannes Berg <johannes.berg@intel.com> (cherry picked from commit 9ad7974) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>

jira VULN-53464 cve-pre CVE-2024-58002 commit-author Ricardo Ribalda <ribalda@chromium.org> commit 64627da Avoid using the iterators after the list_for_each() constructs. This patch should be a NOP, but makes cocci, happier: drivers/media/usb/uvc/uvc_ctrl.c:1861:44-50: ERROR: invalid reference to the index variable of the iterator on line 1850 drivers/media/usb/uvc/uvc_ctrl.c:2195:17-23: ERROR: invalid reference to the index variable of the iterator on line 2179 Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Ricardo Ribalda <ribalda@chromium.org> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> (cherry picked from commit 64627da) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>

jira VULN-53464 cve-pre CVE-2024-58002 commit-author Ricardo Ribalda <ribalda@chromium.org> commit d9fecd0 Now we keep a reference to the active fh for any call to uvc_ctrl_set, regardless if it is an actual set or if it is a just a try or if the device refused the operation. We should only keep the file handle if the device actually accepted applying the operation. Cc: stable@vger.kernel.org Fixes: e5225c8 ("media: uvcvideo: Send a control event when a Control Change interrupt arrives") Suggested-by: Hans de Goede <hdegoede@redhat.com> Reviewed-by: Hans de Goede <hdegoede@redhat.com> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Ricardo Ribalda <ribalda@chromium.org> Link: https://lore.kernel.org/r/20241203-uvc-fix-async-v6-1-26c867231118@chromium.org Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org> (cherry picked from commit d9fecd0) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>

jira VULN-53464 cve CVE-2024-58002 commit-author Ricardo Ribalda <ribalda@chromium.org> commit 221cd51 upstream-diff `guard(mutex)' construct replaced with older locking scheme because `ciqlts9_2' lacks 54da6a0. This commit is actually a direct cherry pick of the 5.15 stable backport 117f7a2. When an async control is written, we copy a pointer to the file handle that started the operation. That pointer will be used when the device is done. Which could be anytime in the future. If the user closes that file descriptor, its structure will be freed, and there will be one dangling pointer per pending async control, that the driver will try to use. Clean all the dangling pointers during release(). To avoid adding a performance penalty in the most common case (no async operation), a counter has been introduced with some logic to make sure that it is properly handled. Cc: stable@vger.kernel.org Fixes: e5225c8 ("media: uvcvideo: Send a control event when a Control Change interrupt arrives") Reviewed-by: Hans de Goede <hdegoede@redhat.com> Signed-off-by: Ricardo Ribalda <ribalda@chromium.org> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Link: https://lore.kernel.org/r/20241203-uvc-fix-async-v6-3-26c867231118@chromium.org Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org> (cherry picked from commit 221cd51) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>

kerneltoast · 2025-12-03T04:01:35Z

Its buried in the wiki text so maybe not the most obvious that if you use cherry pick it should be using cherry-pick -nsx to make ourselves the author with -n = no commit so when you commit its who ever is at the keyboard,

We have tooling that uses git cherry-pick -nsx underneath, which will create the engineer doing the backport the author of the commit. We made this decision so that if someone adds any watcher and e-mailer program from the original authors from getting slammed we're restricting that to the participants in this kernel source tree.

I remember this -nsx stuff, I just thought the -n part was merely a workflow suggestion, but it says explicitly about the commit authorship. Sorry for trouble, let me fix that real quick.

Just to be sure - is it ok to have different author date and commit date? I sometimes raw cherry pick (without -nsx) my own commits when juggling alternative solutions and the resulting commit has the same author and commiter, all the required metadata, but the times of creation and commiting may differ.

You're not using ciq-cherry-pick.py?

PlaidCat · 2025-12-03T14:22:52Z

Its buried in the wiki text so maybe not the most obvious that if you use cherry pick it should be using cherry-pick -nsx to make ourselves the author with -n = no commit so when you commit its who ever is at the keyboard,

We have tooling that uses git cherry-pick -nsx underneath, which will create the engineer doing the backport the author of the commit. We made this decision so that if someone adds any watcher and e-mailer program from the original authors from getting slammed we're restricting that to the participants in this kernel source tree.

I remember this -nsx stuff, I just thought the -n part was merely a workflow suggestion, but it says explicitly about the commit authorship. Sorry for trouble, let me fix that real quick.
Just to be sure - is it ok to have different author date and commit date? I sometimes raw cherry pick (without -nsx) my own commits when juggling alternative solutions and the resulting commit has the same author and commiter, all the required metadata, but the times of creation and commiting may differ.

You're not using ciq-cherry-pick.py?

Oh he does but there are some edge conditions with using CentOS-streams we're not yet handling. He did the git workspace / worktree changes to ciq-cherry-pick

PlaidCat · 2025-12-04T15:59:29Z

Its buried in the wiki text so maybe not the most obvious that if you use cherry pick it should be using cherry-pick -nsx to make ourselves the author with -n = no commit so when you commit its who ever is at the keyboard,

We have tooling that uses git cherry-pick -nsx underneath, which will create the engineer doing the backport the author of the commit. We made this decision so that if someone adds any watcher and e-mailer program from the original authors from getting slammed we're restricting that to the participants in this kernel source tree.

I remember this -nsx stuff, I just thought the -n part was merely a workflow suggestion, but it says explicitly about the commit authorship. Sorry for trouble, let me fix that real quick.

Just to be sure - is it ok to have different author date and commit date? I sometimes raw cherry pick (without -nsx) my own commits when juggling alternative solutions and the resulting commit has the same author and commiter, all the required metadata, but the times of creation and commiting may differ.

I missed this, because the date of the commit is going to be changed due to the date WE introduce it to our franken kernels its fine a know issue discrepancy.

@kerneltoast , @pvts-mat has resolved the comment and request change, do you mind reevaluating or dropping your block so we can merge?

kerneltoast

🚢

pvts-mat added 3 commits November 13, 2025 23:59

pvts-mat marked this pull request as ready for review November 18, 2025 17:19

roxanan1996 approved these changes Nov 19, 2025

View reviewed changes

PlaidCat approved these changes Nov 20, 2025

View reviewed changes

kerneltoast requested changes Dec 2, 2025

View reviewed changes

pvts-mat added 4 commits December 3, 2025 00:01

pvts-mat force-pushed the ciqlts9_2-CVE-batch-11 branch from 052793b to ba109c8 Compare December 2, 2025 23:04

pvts-mat requested a review from kerneltoast December 2, 2025 23:09

kerneltoast approved these changes Dec 5, 2025

View reviewed changes

PlaidCat merged commit 0d11dcf into ctrliq:ciqlts9_2 Dec 5, 2025
2 of 3 checks passed

[LTS 9.2] CVE-2024-26923, CVE-2024-35937, CVE-2024-58002 #704

[LTS 9.2] CVE-2024-26923, CVE-2024-35937, CVE-2024-58002 #704

Uh oh!

Conversation

pvts-mat commented Nov 17, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Commits

CVE-2024-26923

CVE-2024-35937

CVE-2024-58002

kABI check: passed

Boot test: passed

Kselftests: passed relative

Reference

Patch

Comparison

Uh oh!

roxanan1996 left a comment

Choose a reason for hiding this comment

Uh oh!

roxanan1996 commented Nov 19, 2025

Uh oh!

PlaidCat left a comment

Choose a reason for hiding this comment

Uh oh!

roxanan1996 commented Nov 21, 2025

Uh oh!

kerneltoast commented Dec 1, 2025

Uh oh!

kerneltoast left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

pvts-mat commented Dec 2, 2025

Uh oh!

PlaidCat commented Dec 2, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

pvts-mat commented Dec 2, 2025

Uh oh!

kerneltoast commented Dec 3, 2025

Uh oh!

PlaidCat commented Dec 3, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

PlaidCat commented Dec 4, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

kerneltoast left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

4 participants

pvts-mat commented Nov 17, 2025 •

edited

Loading

kerneltoast left a comment •

edited

Loading

PlaidCat commented Dec 2, 2025 •

edited

Loading

PlaidCat commented Dec 3, 2025 •

edited

Loading

PlaidCat commented Dec 4, 2025 •

edited

Loading