Skip to content

[ciqcbr7_9] Multiple patches tested (4 commits)#1183

Merged
roxanan1996 merged 4 commits into
ciqcbr7_9from
{rnicolescu}_ciqcbr7_9
May 7, 2026
Merged

[ciqcbr7_9] Multiple patches tested (4 commits)#1183
roxanan1996 merged 4 commits into
ciqcbr7_9from
{rnicolescu}_ciqcbr7_9

Conversation

@ciq-kernel-automation

Copy link
Copy Markdown

Summary

This PR has been automatically created after successful completion of all CI stages.

Commit Message(s)

scsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count()

jira VULN-176433
cve CVE-2026-23216
commit-author Maurizio Lombardi <mlombard@redhat.com>
commit 9411a89e9e7135cc459178fa77a3f1d6191ae903
net/sched: Enforce that teql can only be used as root qdisc

jira VULN-175587
cve CVE-2026-23074
commit-author Jamal Hadi Salim <jhs@mojatatu.com>
commit 50da4b9d07a7a463e2cfb738f3ad4cff6b2c9c3b
net: add skb_header_pointer_careful() helper

jira VULN-176126
cve-pre CVE-2026-23204
commit-author Eric Dumazet <edumazet@google.com>
commit 13e00fdc9236bd4d0bff4109d2983171fbcb74c4
upstream-diff |
	Adjusted context because skb_pointer_if_linear does not exist.
	Introduced in 6f5a630d7c57c ("bpf, net: Introduce skb_pointer_if_linear().")
net/sched: cls_u32: use skb_header_pointer_careful()

jira VULN-176126
cve CVE-2026-23204
commit-author Eric Dumazet <edumazet@google.com>
commit cabd1a976375780dabab888784e356f574bbaed8

Test Results

✅ Build Stage

  • Status: Passed (x86_64)

  • Build Time: 13m 7s

  • Total Time: 14m 11s

  • View build logs

✅ Boot Verification


🤖 This PR was automatically generated by GitHub Actions
Run ID: 25426180213

jira VULN-176433
cve CVE-2026-23216
commit-author Maurizio Lombardi <mlombard@redhat.com>
commit 9411a89

In iscsit_dec_conn_usage_count(), the function calls complete() while
holding the conn->conn_usage_lock. As soon as complete() is invoked, the
waiter (such as iscsit_close_connection()) may wake up and proceed to free
the iscsit_conn structure.

If the waiter frees the memory before the current thread reaches
spin_unlock_bh(), it results in a KASAN slab-use-after-free as the function
attempts to release a lock within the already-freed connection structure.

Fix this by releasing the spinlock before calling complete().

	Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
	Reported-by: Zhaojuan Guo <zguo@redhat.com>
	Reviewed-by: Mike Christie <michael.christie@oracle.com>
Link: https://patch.msgid.link/20260112165352.138606-2-mlombard@redhat.com
	Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
(cherry picked from commit 9411a89)
	Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
jira VULN-175587
cve CVE-2026-23074
commit-author Jamal Hadi Salim <jhs@mojatatu.com>
commit 50da4b9

Design intent of teql is that it is only supposed to be used as root qdisc.
We need to check for that constraint.

Although not important, I will describe the scenario that unearthed this
issue for the curious.

GangMin Kim <km.kim1503@gmail.com> managed to concot a scenario as follows:

ROOT qdisc 1:0 (QFQ)
  ├── class 1:1 (weight=15, lmax=16384) netem with delay 6.4s
  └── class 1:2 (weight=1, lmax=1514) teql

GangMin sends a packet which is enqueued to 1:1 (netem).
Any invocation of dequeue by QFQ from this class will not return a packet
until after 6.4s. In the meantime, a second packet is sent and it lands on
1:2. teql's enqueue will return success and this will activate class 1:2.
Main issue is that teql only updates the parent visible qlen (sch->q.qlen)
at dequeue. Since QFQ will only call dequeue if peek succeeds (and teql's
peek always returns NULL), dequeue will never be called and thus the qlen
will remain as 0. With that in mind, when GangMin updates 1:2's lmax value,
the qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc's
qlen was not incremented, qfq fails to deactivate the class, but still
frees its pointers from the aggregate. So when the first packet is
rescheduled after 6.4 seconds (netem's delay), a dangling pointer is
accessed causing GangMin's causing a UAF.

Fixes: 1da177e ("Linux-2.6.12-rc2")
	Reported-by: GangMin Kim <km.kim1503@gmail.com>
	Tested-by: Victor Nogueira <victor@mojatatu.com>
	Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20260114160243.913069-2-jhs@mojatatu.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 50da4b9)
	Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
jira VULN-176126
cve-pre CVE-2026-23204
commit-author Eric Dumazet <edumazet@google.com>
commit 13e00fd
upstream-diff |
	Adjusted context because skb_pointer_if_linear does not exist.
	Introduced in 6f5a630 ("bpf, net: Introduce skb_pointer_if_linear().")

This variant of skb_header_pointer() should be used in contexts
where @offset argument is user-controlled and could be negative.

Negative offsets are supported, as long as the zone starts
between skb->head and skb->data.

	Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260128141539.3404400-2-edumazet@google.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 13e00fd)
	Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
jira VULN-176126
cve CVE-2026-23204
commit-author Eric Dumazet <edumazet@google.com>
commit cabd1a9

skb_header_pointer() does not fully validate negative @offset values.

Use skb_header_pointer_careful() instead.

GangMin Kim provided a report and a repro fooling u32_classify():

BUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0
net/sched/cls_u32.c:221

Fixes: fbc2e7d ("cls_u32: use skb_header_pointer() to dereference data safely")
	Reported-by: GangMin Kim <km.kim1503@gmail.com>
Closes: https://lore.kernel.org/netdev/CANn89iJkyUZ=mAzLzC4GdcAgLuPnUoivdLaOs6B9rq5_erj76w@mail.gmail.com/T/
	Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260128141539.3404400-3-edumazet@google.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit cabd1a9)
	Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
@ciq-kernel-automation ciq-kernel-automation Bot added the created-by-kernelci Tag PRs that were automatically created when a user branch was pushed to the repo (kernelCI) label May 6, 2026
@github-actions

github-actions Bot commented May 6, 2026

Copy link
Copy Markdown

🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/25427866655

@github-actions

github-actions Bot commented May 6, 2026

Copy link
Copy Markdown

🔍 Interdiff Analysis

  • ⚠️ PR commit 357557a6f909 (net: add skb_header_pointer_careful() helper) → upstream 13e00fdc9236
    Differences found:
################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -4301,6 +4301,18 @@
 				    skb_headlen(skb), buffer);
 }
 
+/* Variant of skb_header_pointer() where @offset is user-controlled
+ * and potentially negative.
+ */
+static inline void * __must_check
+skb_header_pointer_careful(const struct sk_buff *skb, int offset,
+			   int len, void *buffer)
+{
+	if (unlikely(offset < 0 && -offset > skb_headroom(skb)))
+		return NULL;
+	return skb_header_pointer(skb, offset, len, buffer);
+}
+
 static inline void * __must_check
 skb_pointer_if_linear(const struct sk_buff *skb, int offset, int len)
 {

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -3268,6 +3268,6 @@
 				    skb_headlen(skb), buffer);
 }
 
-/**
- *	skb_needs_linearize - check if we need to linearize a given skb
- *			      depending on the given device features.
+static inline void * __must_check
+skb_pointer_if_linear(const struct sk_buff *skb, int offset, int len)
+{

This is an automated interdiff check for backported commits.

@github-actions

github-actions Bot commented May 6, 2026

Copy link
Copy Markdown

Validation checks completed successfully View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/25427866655

Comment thread net/sched/sch_teql.c
@roxanan1996 roxanan1996 requested a review from a team May 6, 2026 13:31

@bmastbergen bmastbergen left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🥌

@roxanan1996 roxanan1996 merged commit 67fda58 into ciqcbr7_9 May 7, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

created-by-kernelci Tag PRs that were automatically created when a user branch was pushed to the repo (kernelCI)

Development

Successfully merging this pull request may close these issues.

4 participants