Patch kernel: backport ixgbevf UAF fix in VEPA multicast source pruning (torvalds/linux@5d49b568) #17421
Closed
omkhar wants to merge 1 commit into
Backport upstream fix for use-after-free in ixgbevf_clean_rx_irq().

Upstream commit: torvalds/linux@5d49b56
Author: Michael Bommarito <michael.bommarito@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Cc: stable@vger.kernel.org
Fixes: bad17234ba70 ("ixgbevf: Change receive model to use double buffered page based receives")

No follow-up Fixes: commits found on torvalds/master as of 2026-05-23.

Patch applies verbatim to Mariner 2.0 (kernel 5.15.202.1). The function ixgbevf_clean_rx_irq() has been stable since v4.10 (the Fixes: target).

Code-correctness validated: ixgbevf_clean_rx_irq is inlined into ixgbevf_poll; baseline module size 9269 bytes -> fixed 9272 bytes, delta of exactly 3 bytes resolves via objdump to one new instruction "xor %r14d,%r14d" at ixgbevf_poll+0xc4f6 — the assembly literal of the upstream `skb = NULL;`. Patched vmlinuz sha256 matches the RPM manifest.

LTP-net regression check on the patched kernel: net.features, net.ipv6, net.multicast, net.tcp_cmds, net_stress.interface (118 tests). Baseline: pass=44 fail=20 brok=16 conf=38. Patched: pass=43 fail=21 brok=16 conf=38. The one transition (ipneigh01_ip pass->fail) is on a path that ixgbevf.ko does not touch — ixgbevf.ko is not loaded on the F16as_v6 build VM (Azure has no 82599 SR-IOV VF), so the patched function is not reachable at runtime on either baseline or fixed kernel. Classified as LTP-net baseline noise, not a patch regression. 0 patch-induced regressions.

Mariner 2.0 caveat: AKS support ended 2025-11-30 per https://learn.microsoft.com/en-us/azure/azure-linux/support-cycle. The 2.0 branch still receives kernel auto-upgrades and this PR is intended for non-AKS Mariner 2.0 consumers.

Signed-off-by: omkhar <omkhar@linkedin.com>
Author
Closing as duplicate of #17422, which targets |
Author
Correction on my earlier close-as-duplicate framing: this was actually the Mariner 2.0 version of the same CVE fix (head branch is |
Backport upstream UAF fix from torvalds/linux@5d49b56.
Upstream: Author Michael Bommarito; Reviewed-by Simon Horman; Tested-by Rafal Romanowski; Signed-off-by Tony Nguyen, Jakub Kicinski. Cc: stable@vger.kernel.org. Fixes: bad17234ba70.
Backport type: verbatim 1-line change. Applies clean on Mariner 2.0 (5.15.202.1); affected function stable since v4.10.
Code-correctness: ixgbevf_clean_rx_irq is inlined into ixgbevf_poll. Baseline module 9269 bytes; fixed 9272 bytes. Delta = +3 bytes resolves via objdump to one new instruction `xor %r14d,%r14d` at ixgbevf_poll+0xc4f6 — the assembly literal of upstream `skb = NULL;`.
LTP regression: baseline-vs-patched on the patched VM (suites net.features, net.ipv6, net.multicast, net.tcp_cmds, net_stress.interface; 118 tests). Baseline pass=44 fail=20 brok=16; patched pass=43 fail=21 brok=16. The 1 transition (ipneigh01_ip) is on a path ixgbevf.ko doesn't touch (no SR-IOV VF on F16as_v6) — LTP baseline noise, not patch-induced. 0 patch-induced regressions.
Mariner 2.0 caveat: AKS support ended 2025-11-30. The 2.0 branch still receives kernel auto-upgrades; this PR is for non-AKS Mariner 2.0 consumers.
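Why a single `skb = NULL;` closes the use-after-free described above, as an added user-space model that is not the ixgbevf source or code from this PR. It assumes the receive loop treats a non-NULL `skb` as a frame still being assembled; `toy_skb`, `rx_loop` and the sample descriptors are constructed for illustration.

```c
/* User-space model, not ixgbevf source. Loop shape and names are assumptions. */
#include <stdbool.h>
#include <stdio.h>
#define POOL 8

struct toy_skb { bool freed; int frags; };

/* Constructed sample: frame 1 is pruned, then a two-buffer frame arrives. */
static const bool sample_prune[4] = { false, true, false, false };
static const bool sample_eop[4]   = { true,  true, false, true  };

/* Walk n descriptors; return how many times an already-freed toy_skb was
 * touched. In a kernel each such touch would be a use-after-free. */
static int rx_loop(const bool *prune, const bool *eop, int n, bool null_after_free)
{
    static struct toy_skb pool[POOL];
    struct toy_skb *skb = NULL;
    int next = 0, stale_uses = 0;

    for (int i = 0; i < n; i++) {
        if (skb) {                  /* non-NULL is read as "frame in progress" */
            if (skb->freed)
                stale_uses++;       /* pool is static, so this only counts */
            skb->frags++;
        } else {
            if (next == POOL) break;
            skb = &pool[next++];
            skb->freed = false;
            skb->frags = 1;
        }
        if (!eop[i])
            continue;               /* legitimate carry to the next buffer */
        if (prune[i]) {
            skb->freed = true;      /* stands in for freeing the skb */
            if (null_after_free)
                skb = NULL;         /* the one-line change being backported */
            continue;
        }
        skb = NULL;                 /* delivered; ownership handed off */
    }
    return stale_uses;
}

int main(void)
{
    printf("without reset: %d stale uses\n", rx_loop(sample_prune, sample_eop, 4, false));
    printf("with reset:    %d stale uses\n", rx_loop(sample_prune, sample_eop, 4, true));
    return 0;
}
```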