Skip to content

[ciqlts9_6] Multiple patches tested (5 commits)#1134

Merged
PlaidCat merged 5 commits into
ciqlts9_6from
{rnicolescu}_ciqlts9_6
Apr 24, 2026
Merged

[ciqlts9_6] Multiple patches tested (5 commits)#1134
PlaidCat merged 5 commits into
ciqlts9_6from
{rnicolescu}_ciqlts9_6

Conversation

@ciq-kernel-automation

Copy link
Copy Markdown

Summary

This PR has been automatically created after successful completion of all CI stages.

Commit Message(s)

mm/damon/sysfs: cleanup attrs subdirs on context dir setup failure

jira VULN-176248
cve CVE-2026-23144
commit-author SeongJae Park <sj@kernel.org>
commit 9814cc832b88bd040fc2a1817c2b5469d0f7e862
scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count()

jira VULN-176315
cve CVE-2026-23193
commit-author Maurizio Lombardi <mlombard@redhat.com>
commit 84dc6037390b8607c5551047d3970336cb51ba9a
net: add skb_header_pointer_careful() helper

jira VULN-176131
cve-pre CVE-2026-23204
commit-author Eric Dumazet <edumazet@google.com>
commit 13e00fdc9236bd4d0bff4109d2983171fbcb74c4
upstream-diff |
	Adjusted context because skb_pointer_if_linear does not exist.
	Introduced in 6f5a630d7c57c ("bpf, net: Introduce skb_pointer_if_linear().")
net/sched: cls_u32: use skb_header_pointer_careful()

jira VULN-176131
cve CVE-2026-23204
commit-author Eric Dumazet <edumazet@google.com>
commit cabd1a976375780dabab888784e356f574bbaed8
netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()

jira VULN-176074
cve CVE-2026-23111
commit-author Andrew Fasano <andrew.fasano@nist.gov>
commit f41c5d151078c5348271ffaf8e7410d96f2d82f8

Test Results

✅ Build Stage

Architecture Build Time Total Time
x86_64 35m 1s 36m 9s
aarch64 19m 17s 19m 57s

✅ Boot Verification

✅ Kernel Selftests

Architecture Passed Failed Compared Against Status
x86_64 206 43 ciqlts9_6 ⚠️ No baseline available
aarch64 155 44 ciqlts9_6 ⚠️ No baseline available

✅ LTP Results

Architecture Passed Failed Compared Against Status
x86_64 N/A N/A ciqlts9_6 ⚠️ No baseline available
aarch64 N/A N/A ciqlts9_6 ⚠️ No baseline available

🤖 This PR was automatically generated by GitHub Actions
Run ID: 24839497063

CIQ Kernel Automation and others added 5 commits April 23, 2026 12:34
jira VULN-176248
cve CVE-2026-23144
commit-author SeongJae Park <sj@kernel.org>
commit 9814cc8

When a context DAMON sysfs directory setup is failed after setup of attrs/
directory, subdirectories of attrs/ directory are not cleaned up.  As a
result, DAMON sysfs interface is nearly broken until the system reboots,
and the memory for the unremoved directory is leaked.

Cleanup the directories under such failures.

Link: https://lkml.kernel.org/r/20251225023043.18579-3-sj@kernel.org
Fixes: c951cd3 ("mm/damon: implement a minimal stub for sysfs-based DAMON interface")
	Signed-off-by: SeongJae Park <sj@kernel.org>
	Cc: chongjiapeng <jiapeng.chong@linux.alibaba.com>
	Cc: <stable@vger.kernel.org> # 5.18.x
	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
(cherry picked from commit 9814cc8)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
…ount()

jira VULN-176315
cve CVE-2026-23193
commit-author Maurizio Lombardi <mlombard@redhat.com>
commit 84dc603

In iscsit_dec_session_usage_count(), the function calls complete() while
holding the sess->session_usage_lock. Similar to the connection usage count
logic, the waiter signaled by complete() (e.g., in the session release
path) may wake up and free the iscsit_session structure immediately.

This creates a race condition where the current thread may attempt to
execute spin_unlock_bh() on a session structure that has already been
deallocated, resulting in a KASAN slab-use-after-free.

To resolve this, release the session_usage_lock before calling complete()
to ensure all dereferences of the sess pointer are finished before the
waiter is allowed to proceed with deallocation.

	Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
	Reported-by: Zhaojuan Guo <zguo@redhat.com>
	Reviewed-by: Mike Christie <michael.christie@oracle.com>
Link: https://patch.msgid.link/20260112165352.138606-3-mlombard@redhat.com
	Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
(cherry picked from commit 84dc603)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-176131
cve-pre CVE-2026-23204
commit-author Eric Dumazet <edumazet@google.com>
commit 13e00fd
upstream-diff |
	Adjusted context because skb_pointer_if_linear does not exist.
	Introduced in 6f5a630 ("bpf, net: Introduce skb_pointer_if_linear().")

This variant of skb_header_pointer() should be used in contexts
where @offset argument is user-controlled and could be negative.

Negative offsets are supported, as long as the zone starts
between skb->head and skb->data.

	Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260128141539.3404400-2-edumazet@google.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 13e00fd)
	Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
jira VULN-176131
cve CVE-2026-23204
commit-author Eric Dumazet <edumazet@google.com>
commit cabd1a9

skb_header_pointer() does not fully validate negative @offset values.

Use skb_header_pointer_careful() instead.

GangMin Kim provided a report and a repro fooling u32_classify():

BUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0
net/sched/cls_u32.c:221

Fixes: fbc2e7d ("cls_u32: use skb_header_pointer() to dereference data safely")
	Reported-by: GangMin Kim <km.kim1503@gmail.com>
Closes: https://lore.kernel.org/netdev/CANn89iJkyUZ=mAzLzC4GdcAgLuPnUoivdLaOs6B9rq5_erj76w@mail.gmail.com/T/
	Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260128141539.3404400-3-edumazet@google.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit cabd1a9)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
…activate()

jira VULN-176074
cve CVE-2026-23111
commit-author Andrew Fasano <andrew.fasano@nist.gov>
commit f41c5d1

nft_map_catchall_activate() has an inverted element activity check
compared to its non-catchall counterpart nft_mapelem_activate() and
compared to what is logically required.

nft_map_catchall_activate() is called from the abort path to re-activate
catchall map elements that were deactivated during a failed transaction.
It should skip elements that are already active (they don't need
re-activation) and process elements that are inactive (they need to be
restored). Instead, the current code does the opposite: it skips inactive
elements and processes active ones.

Compare the non-catchall activate callback, which is correct:

  nft_mapelem_activate():
    if (nft_set_elem_active(ext, iter->genmask))
        return 0;   /* skip active, process inactive */

With the buggy catchall version:

  nft_map_catchall_activate():
    if (!nft_set_elem_active(ext, genmask))
        continue;   /* skip inactive, process active */

The consequence is that when a DELSET operation is aborted,
nft_setelem_data_activate() is never called for the catchall element.
For NFT_GOTO verdict elements, this means nft_data_hold() is never
called to restore the chain->use reference count. Each abort cycle
permanently decrements chain->use. Once chain->use reaches zero,
DELCHAIN succeeds and frees the chain while catchall verdict elements
still reference it, resulting in a use-after-free.

This is exploitable for local privilege escalation from an unprivileged
user via user namespaces + nftables on distributions that enable
CONFIG_USER_NS and CONFIG_NF_TABLES.

Fix by removing the negation so the check matches nft_mapelem_activate():
skip active elements, process inactive ones.

Fixes: 628bd3e ("netfilter: nf_tables: drop map element references from preparation phase")
	Signed-off-by: Andrew Fasano <andrew.fasano@nist.gov>
	Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit f41c5d1)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
@ciq-kernel-automation ciq-kernel-automation Bot added the created-by-kernelci Tag PRs that were automatically created when a user branch was pushed to the repo (kernelCI) label Apr 23, 2026
@github-actions

Copy link
Copy Markdown

🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/24848476061

@github-actions

Copy link
Copy Markdown

🔍 Interdiff Analysis

  • ⚠️ PR commit da3995734a1 (net: add skb_header_pointer_careful() helper) → upstream 13e00fdc9236
    Differences found:
################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -4301,6 +4301,18 @@
 				    skb_headlen(skb), buffer);
 }
 
+/* Variant of skb_header_pointer() where @offset is user-controlled
+ * and potentially negative.
+ */
+static inline void * __must_check
+skb_header_pointer_careful(const struct sk_buff *skb, int offset,
+			   int len, void *buffer)
+{
+	if (unlikely(offset < 0 && -offset > skb_headroom(skb)))
+		return NULL;
+	return skb_header_pointer(skb, offset, len, buffer);
+}
+
 static inline void * __must_check
 skb_pointer_if_linear(const struct sk_buff *skb, int offset, int len)
 {

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -4023,6 +4023,6 @@
 				    skb_headlen(skb), buffer);
 }
 
-/**
- *	skb_needs_linearize - check if we need to linearize a given skb
- *			      depending on the given device features.
+static inline void * __must_check
+skb_pointer_if_linear(const struct sk_buff *skb, int offset, int len)
+{

This is an automated interdiff check for backported commits.

@github-actions

Copy link
Copy Markdown

Validation checks completed successfully View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/24848476061

@PlaidCat PlaidCat left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:shipit:

@PlaidCat PlaidCat requested a review from a team April 23, 2026 23:02

@bmastbergen bmastbergen left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🥌

@PlaidCat PlaidCat merged commit bb9afc2 into ciqlts9_6 Apr 24, 2026
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

created-by-kernelci Tag PRs that were automatically created when a user branch was pushed to the repo (kernelCI)

Development

Successfully merging this pull request may close these issues.

3 participants