Patch kernel: backport ixgbevf UAF fix in VEPA multicast source pruning (torvalds/linux@5d49b568)

[omkhar]

Backport upstream UAF fix from torvalds/linux@5d49b56.

Upstream: Author Michael Bommarito; Reviewed-by Simon Horman; Tested-by Rafal Romanowski; Signed-off-by Tony Nguyen, Jakub Kicinski. Cc: stable@vger.kernel.org.

Backport type: verbatim 1-line change. Patch applies clean on AzureLinux 3.0 (6.6.139.1).

Code-correctness: New instruction movq $0x0,-0xd0(%rbp) at offset +0x2111 in ixgbevf_poll — literal assembly of skb = NULL;. ixgbevf.ko .text +16 bytes (alignment).

LTP regression: net.ipv6_lib + net.multicast baseline-vs-patched. 0 patch-induced regressions.

[omkhar]

Closing per the OOT policy I committed to on #17414 (comment): I only ask for OOT carry when there is a public PoC achieving LPE/RCE on a stock kernel, or active-in-the-wild signal. This backport is technically sound (verbatim upstream apply, LTP clean, Cc: stable@vger.kernel.org upstream) but no public PoC was demonstrated against a stock 3.0 kernel, so it does not clear that bar.

The upstream fix carries Cc: stable@vger.kernel.org so it will land in linux-6.6.y on the normal stable cadence; AUTOPATCHER on 3.0-dev empirically picks up 6.6.y stable within ~1–3 weeks. Not worth the OOT spec churn and eventual revert PR.

Happy to reopen if a public PoC surfaces or if the Mariner / 3.0 kernel team disagrees with the bar.