Skip to content

[ciqlts9_6] Multiple patches tested (8 commits)#1152

Merged
roxanan1996 merged 8 commits into
ciqlts9_6from
{ciq_kernel_automation}_ciqlts9_6
Apr 29, 2026
Merged

[ciqlts9_6] Multiple patches tested (8 commits)#1152
roxanan1996 merged 8 commits into
ciqlts9_6from
{ciq_kernel_automation}_ciqlts9_6

Conversation

@ciq-kernel-automation

Copy link
Copy Markdown

Summary

This PR has been automatically created after successful completion of all CI stages.

Commit Message(s)

crypto: pcrypt - Call crypto layer directly when padata_do_parallel() return -EBUSY

jira VULN-166865
cve CVE-2024-56690
commit-author Yi Yang <yiyang13@huawei.com>
commit 662f2f13e66d3883b9238b0b96b17886179e60e2
scsi: mpi3mr: Synchronous access b/w reset and tm thread for reply queue

jira VULN-162605
cve CVE-2025-37861
commit-author Ranjan Kumar <ranjan.kumar@broadcom.com>
commit f195fc060c738d303a21fae146dbf85e1595fb4c
NFSD: fix hang in nfsd4_shutdown_callback

jira VULN-162091
cve CVE-2025-21795
commit-author Dai Ngo <dai.ngo@oracle.com>
commit 036ac2778f7b28885814c6fbc07e156ad1624d03
usb: xhci: Fix isochronous Ring Underrun/Overrun event handling

jira VULN-162623
cve CVE-2025-37882
commit-author Michal Pecio <michal.pecio@gmail.com>
commit 906dec15b9b321b546fd31a3c99ffc13724c7af4
ntb_hw_switchtec: Fix shift-out-of-bounds in switchtec_ntb_mw_set_trans

jira VULN-164393
cve CVE-2023-53034
commit-author Yajun Deng <yajun.deng@linux.dev>
commit de203da734fae00e75be50220ba5391e7beecdf9
drm/xe: Use local fence in error path of xe_migrate_clear

jira VULN-162597
cve CVE-2025-37869
commit-author Matthew Brost <matthew.brost@intel.com>
commit 20659d3150f1a2a258a173fe011013178ff2a197
net: openvswitch: fix nested key length validation in the set() action

jira VULN-162463
cve CVE-2025-37789
commit-author Ilya Maximets <i.maximets@ovn.org>
commit 65d91192aa66f05710cfddf6a14b5a25ee554dba
irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode()

jira VULN-162593
cve CVE-2025-37819
commit-author Suzuki K Poulose <suzuki.poulose@arm.com>
commit 3318dc299b072a0511d6dfd8367f3304fb6d9827

Test Results

✅ Build Stage

Architecture Build Time Total Time
x86_64 32m 35s 33m 29s
aarch64 25m 6s 26m 0s

✅ Boot Verification

✅ Kernel Selftests

Architecture Passed Failed Compared Against Status
x86_64 206 43 ciqlts9_6 ⚠️ No baseline available
aarch64 149 50 ciqlts9_6 ⚠️ No baseline available

✅ LTP Results

Architecture Passed Failed Compared Against Status
x86_64 1335 82 ciqlts9_6 ⚠️ No baseline available
aarch64 1308 83 ciqlts9_6 ⚠️ No baseline available

🤖 This PR was automatically generated by GitHub Actions
Run ID: 24981642616

CIQ Kernel Automation added 8 commits April 27, 2026 07:09
… return -EBUSY

jira VULN-166865
cve CVE-2024-56690
commit-author Yi Yang <yiyang13@huawei.com>
commit 662f2f1

Since commit 8f4f68e ("crypto: pcrypt - Fix hungtask for
PADATA_RESET"), the pcrypt encryption and decryption operations return
-EAGAIN when the CPU goes online or offline. In alg_test(), a WARN is
generated when pcrypt_aead_decrypt() or pcrypt_aead_encrypt() returns
-EAGAIN, the unnecessary panic will occur when panic_on_warn set 1.
Fix this issue by calling crypto layer directly without parallelization
in that case.

Fixes: 8f4f68e ("crypto: pcrypt - Fix hungtask for PADATA_RESET")
	Signed-off-by: Yi Yang <yiyang13@huawei.com>
	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit 662f2f1)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-162605
cve CVE-2025-37861
commit-author Ranjan Kumar <ranjan.kumar@broadcom.com>
commit f195fc0

When the task management thread processes reply queues while the reset
thread resets them, the task management thread accesses an invalid queue ID
(0xFFFF), set by the reset thread, which points to unallocated memory,
causing a crash.

Add flag 'io_admin_reset_sync' to synchronize access between the reset,
I/O, and admin threads. Before a reset, the reset handler sets this flag to
block I/O and admin processing threads. If any thread bypasses the initial
check, the reset thread waits up to 10 seconds for processing to finish. If
the wait exceeds 10 seconds, the controller is marked as unrecoverable.

	Signed-off-by: Sumit Saxena <sumit.saxena@broadcom.com>
	Signed-off-by: Ranjan Kumar <ranjan.kumar@broadcom.com>
Link: https://lore.kernel.org/r/20250129100850.25430-4-ranjan.kumar@broadcom.com
	Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
(cherry picked from commit f195fc0)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-162091
cve CVE-2025-21795
commit-author Dai Ngo <dai.ngo@oracle.com>
commit 036ac27

If nfs4_client is in courtesy state then there is no point to send
the callback. This causes nfsd4_shutdown_callback to hang since
cl_cb_inflight is not 0. This hang lasts about 15 minutes until TCP
notifies NFSD that the connection was dropped.

This patch modifies nfsd4_run_cb_work to skip the RPC call if
nfs4_client is in courtesy state.

	Signed-off-by: Dai Ngo <dai.ngo@oracle.com>
Fixes: 66af257 ("NFSD: add courteous server support for thread with only delegation")
	Cc: stable@vger.kernel.org
	Reviewed-by: Jeff Layton <jlayton@kernel.org>
	Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
(cherry picked from commit 036ac27)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-162623
cve CVE-2025-37882
commit-author Michal Pecio <michal.pecio@gmail.com>
commit 906dec1

The TRB pointer of these events points at enqueue at the time of error
occurrence on xHCI 1.1+ HCs or it's NULL on older ones. By the time we
are handling the event, a new TD may be queued at this ring position.

I can trigger this race by rising interrupt moderation to increase IRQ
handling delay. Similar delay may occur naturally due to system load.

If this ever happens after a Missed Service Error, missed TDs will be
skipped and the new TD processed as if it matched the event. It could
be given back prematurely, risking data loss or buffer UAF by the xHC.

Don't complete TDs on xrun events and don't warn if queued TDs don't
match the event's TRB pointer, which can be NULL or a link/no-op TRB.
Don't warn if there are no queued TDs at all.

Now that it's safe, also handle xrun events if the skip flag is clear.
This ensures completion of any TD stuck in 'error mid TD' state right
before the xrun event, which could happen if a driver submits a finite
number of URBs to a buggy HC and then an error occurs on the last TD.

	Signed-off-by: Michal Pecio <michal.pecio@gmail.com>
	Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20250306144954.3507700-6-mathias.nyman@linux.intel.com
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 906dec1)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-164393
cve CVE-2023-53034
commit-author Yajun Deng <yajun.deng@linux.dev>
commit de203da

There is a kernel API ntb_mw_clear_trans() would pass 0 to both addr and
size. This would make xlate_pos negative.

[   23.734156] switchtec switchtec0: MW 0: part 0 addr 0x0000000000000000 size 0x0000000000000000
[   23.734158] ================================================================================
[   23.734172] UBSAN: shift-out-of-bounds in drivers/ntb/hw/mscc/ntb_hw_switchtec.c:293:7
[   23.734418] shift exponent -1 is negative

Ensuring xlate_pos is a positive or zero before BIT.

Fixes: 1e2fd20 ("ntb_hw_switchtec: Check for alignment of the buffer in mw_set_trans()")
	Signed-off-by: Yajun Deng <yajun.deng@linux.dev>
	Reviewed-by: Logan Gunthorpe <logang@deltatee.com>
	Signed-off-by: Jon Mason <jdmason@kudzu.us>
(cherry picked from commit de203da)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-162597
cve CVE-2025-37869
commit-author Matthew Brost <matthew.brost@intel.com>
commit 20659d3

The intent of the error path in xe_migrate_clear is to wait on locally
generated fence and then return. The code is waiting on m->fence which
could be the local fence but this is only stable under the job mutex
leading to a possible UAF. Fix code to wait on local fence.

Fixes: dd08ebf ("drm/xe: Introduce a new DRM driver for Intel GPUs")
	Cc: stable@vger.kernel.org
	Signed-off-by: Matthew Brost <matthew.brost@intel.com>
	Reviewed-by: Matthew Auld <matthew.auld@intel.com>
Link: https://lore.kernel.org/r/20250311182915.3606291-1-matthew.brost@intel.com
(cherry picked from commit 762b7e9)
	Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
(cherry picked from commit 20659d3)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-162463
cve CVE-2025-37789
commit-author Ilya Maximets <i.maximets@ovn.org>
commit 65d9119

It's not safe to access nla_len(ovs_key) if the data is smaller than
the netlink header.  Check that the attribute is OK first.

Fixes: ccb1352 ("net: Add Open vSwitch kernel components.")
	Reported-by: syzbot+b07a9da40df1576b8048@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=b07a9da40df1576b8048
	Tested-by: syzbot+b07a9da40df1576b8048@syzkaller.appspotmail.com
	Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
	Reviewed-by: Eelco Chaudron <echaudro@redhat.com>
	Acked-by: Aaron Conole <aconole@redhat.com>
Link: https://patch.msgid.link/20250412104052.2073688-1-i.maximets@ovn.org
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 65d9119)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-162593
cve CVE-2025-37819
commit-author Suzuki K Poulose <suzuki.poulose@arm.com>
commit 3318dc2

With ACPI in place, gicv2m_get_fwnode() is registered with the pci
subsystem as pci_msi_get_fwnode_cb(), which may get invoked at runtime
during a PCI host bridge probe. But, the call back is wrongly marked as
__init, causing it to be freed, while being registered with the PCI
subsystem and could trigger:

 Unable to handle kernel paging request at virtual address ffff8000816c0400
  gicv2m_get_fwnode+0x0/0x58 (P)
  pci_set_bus_msi_domain+0x74/0x88
  pci_register_host_bridge+0x194/0x548

This is easily reproducible on a Juno board with ACPI boot.

Retain the function for later use.

Fixes: 0644b3d ("irqchip/gic-v2m: acpi: Introducing GICv2m ACPI support")
	Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
	Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
	Signed-off-by: Ingo Molnar <mingo@kernel.org>
	Reviewed-by: Marc Zyngier <maz@kernel.org>
	Cc: stable@vger.kernel.org
(cherry picked from commit 3318dc2)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
@ciq-kernel-automation ciq-kernel-automation Bot added the created-by-kernelci Tag PRs that were automatically created when a user branch was pushed to the repo (kernelCI) label Apr 27, 2026
@github-actions

Copy link
Copy Markdown

🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/24993247886

@github-actions

Copy link
Copy Markdown

Validation checks completed successfully View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/24993247886

@shreeya-patel98 shreeya-patel98 requested a review from a team April 27, 2026 14:40
@roxanan1996 roxanan1996 merged commit 1ec6863 into ciqlts9_6 Apr 29, 2026
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

created-by-kernelci Tag PRs that were automatically created when a user branch was pushed to the repo (kernelCI)

Development

Successfully merging this pull request may close these issues.

2 participants