Skip to content

[ciqlts9_4] Multiple patches tested (9 commits)#1304

Merged
shreeya-patel98 merged 9 commits into
ciqlts9_4from
{ciq_kernel_automation}_ciqlts9_4
Jun 9, 2026
Merged

[ciqlts9_4] Multiple patches tested (9 commits)#1304
shreeya-patel98 merged 9 commits into
ciqlts9_4from
{ciq_kernel_automation}_ciqlts9_4

Conversation

@ciq-kernel-automation

Copy link
Copy Markdown

Summary

This PR has been automatically created after successful completion of all CI stages.

Commit Message(s)

net/mlx5e: fix a double-free in arfs_create_groups

jira VULN-42962
cve CVE-2024-35835
commit-author Zhipeng Lu <alexious@zju.edu.cn>
commit 3c6d5189246f590e4e1f167991558bdb72a4738b
HID: i2c-hid-of: fix NULL-deref on failed power up

jira VULN-36624
cve CVE-2024-26717
commit-author Johan Hovold <johan+linaro@kernel.org>
commit 00aab7dcb2267f2aef59447602f34501efe1a07f
xhci: process isoc TD properly when there was a transaction error mid TD.

jira VULN-42729
cve-pre CVE-2024-26659
commit-author Mathias Nyman <mathias.nyman@linux.intel.com>
commit 5372c65e1311a16351ef03dd096ff576e6477674
xhci: handle isoc Babble and Buffer Overrun events properly

jira VULN-42729
cve CVE-2024-26659
commit-author Michal Pecio <michal.pecio@gmail.com>
commit 7c4650ded49e5b88929ecbbb631efb8b0838e811
x86/fpu: Stop relying on userspace for info to fault in xsave buffer

jira VULN-42554
cve CVE-2024-26603
commit-author Andrei Vagin <avagin@google.com>
commit d877550eaf2dc9090d782864c96939397a3c6835
drm/vmwgfx: Fix the lifetime of the bo cursor memory

jira VULN-47230
cve CVE-2024-35810
commit-author Zack Rusin <zack.rusin@broadcom.com>
commit 9a9e8a7159ca09af9b1a300a6c8e8b6ff7501c76
RDMA/mlx5: Fix fortify source warning while accessing Eth segment

jira VULN-37265
cve CVE-2024-26907
commit-author Leon Romanovsky <leon@kernel.org>
commit 4d5e86a56615cc387d21c629f9af8fb0e958d350
nvme-fc: do not wait in vain when unloading module

jira VULN-37041
cve CVE-2024-26846
commit-author Daniel Wagner <dwagner@suse.de>
commit 70fbfc47a392b98e5f8dba70c6efc6839205c982
VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()

jira VULN-37990
cve CVE-2024-35944
commit-author Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
commit 19b070fefd0d024af3daa7329cbc0d00de5302ec

Test Results

✅ Build Stage

Architecture Build Time Total Time
x86_64 27m 47s 28m 39s
aarch64 15m 46s 16m 22s

✅ Boot Verification

✅ Kernel Selftests

Architecture Passed Failed Compared Against Status
x86_64 189 28 ciqlts9_4 ⚠️ No baseline available
aarch64 144 31 ciqlts9_4 ⚠️ No baseline available

✅ LTP Results

Architecture Passed Failed Compared Against Status
x86_64 1447 81 ciqlts9_4 ⚠️ No baseline available
aarch64 1418 82 ciqlts9_4 ⚠️ No baseline available

🤖 This PR was automatically generated by GitHub Actions
Run ID: 27133838638

CIQ Kernel Automation and others added 9 commits June 8, 2026 07:48
jira VULN-42962
cve CVE-2024-35835
commit-author Zhipeng Lu <alexious@zju.edu.cn>
commit 3c6d518

When `in` allocated by kvzalloc fails, arfs_create_groups will free
ft->g and return an error. However, arfs_create_table, the only caller of
arfs_create_groups, will hold this error and call to
mlx5e_destroy_flow_table, in which the ft->g will be freed again.

Fixes: 1cabe6b ("net/mlx5e: Create aRFS flow tables")
	Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
	Reviewed-by: Simon Horman <horms@kernel.org>
	Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
(cherry picked from commit 3c6d518)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-36624
cve CVE-2024-26717
commit-author Johan Hovold <johan+linaro@kernel.org>
commit 00aab7d

A while back the I2C HID implementation was split in an ACPI and OF
part, but the new OF driver never initialises the client pointer which
is dereferenced on power-up failures.

Fixes: b33752c ("HID: i2c-hid: Reorganize so ACPI and OF are separate modules")
	Cc: stable@vger.kernel.org      # 5.12
	Cc: Douglas Anderson <dianders@chromium.org>
	Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
	Reviewed-by: Douglas Anderson <dianders@chromium.org>
	Signed-off-by: Jiri Kosina <jkosina@suse.com>
(cherry picked from commit 00aab7d)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
… TD.

jira VULN-42729
cve-pre CVE-2024-26659
commit-author Mathias Nyman <mathias.nyman@linux.intel.com>
commit 5372c65

The last TRB of a isoc TD might not trigger an event if there was
an error event for a TRB mid TD. This is seen on a NEC Corporation
uPD720200 USB 3.0 Host

After an error mid a multi-TRB TD the xHC should according to xhci 4.9.1
generate events for passed TRBs with IOC flag set if it proceeds to the
next TD. This event is either a copy of the original error, or a
"success" transfer event.

If that event is missing then the driver and xHC host get out of sync as
the driver is still expecting a transfer event for that first TD, while
xHC host is already sending events for the next TD in the list.
This leads to
"Transfer event TRB DMA ptr not part of current TD" messages.

As a solution we tag the isoc TDs that get error events mid TD.
If an event doesn't match the first TD, then check if the tag is
set, and event points to the next TD.
In that case give back the fist TD and process the next TD normally

Make sure TD status and transferred length stay valid in both cases
with and without final TD completion event.

	Reported-by: Michał Pecio <michal.pecio@gmail.com>
Closes: https://lore.kernel.org/linux-usb/20240112235205.1259f60c@foxbook/
	Tested-by: Michał Pecio <michal.pecio@gmail.com>
	Cc: stable@vger.kernel.org
	Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20240125152737.2983959-4-mathias.nyman@linux.intel.com
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 5372c65)
	Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
jira VULN-42729
cve CVE-2024-26659
commit-author Michal Pecio <michal.pecio@gmail.com>
commit 7c4650d

xHCI 4.9 explicitly forbids assuming that the xHC has released its
ownership of a multi-TRB TD when it reports an error on one of the
early TRBs. Yet the driver makes such assumption and releases the TD,
allowing the remaining TRBs to be freed or overwritten by new TDs.

The xHC should also report completion of the final TRB due to its IOC
flag being set by us, regardless of prior errors. This event cannot
be recognized if the TD has already been freed earlier, resulting in
"Transfer event TRB DMA ptr not part of current TD" error message.

Fix this by reusing the logic for processing isoc Transaction Errors.
This also handles hosts which fail to report the final completion.

Fix transfer length reporting on Babble errors. They may be caused by
device malfunction, no guarantee that the buffer has been filled.

	Signed-off-by: Michal Pecio <michal.pecio@gmail.com>
	Cc: stable@vger.kernel.org
	Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20240125152737.2983959-5-mathias.nyman@linux.intel.com
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 7c4650d)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-42554
cve CVE-2024-26603
commit-author Andrei Vagin <avagin@google.com>
commit d877550

Before this change, the expected size of the user space buffer was
taken from fx_sw->xstate_size. fx_sw->xstate_size can be changed
from user-space, so it is possible construct a sigreturn frame where:

 * fx_sw->xstate_size is smaller than the size required by valid bits in
   fx_sw->xfeatures.
 * user-space unmaps parts of the sigrame fpu buffer so that not all of
   the buffer required by xrstor is accessible.

In this case, xrstor tries to restore and accesses the unmapped area
which results in a fault. But fault_in_readable succeeds because buf +
fx_sw->xstate_size is within the still mapped area, so it goes back and
tries xrstor again. It will spin in this loop forever.

Instead, fault in the maximum size which can be touched by XRSTOR (taken
from fpstate->user_size).

[ dhansen: tweak subject / changelog ]

Fixes: fcb3635 ("x86/fpu/signal: Handle #PF in the direct restore path")
	Reported-by: Konstantin Bogomolov <bogomolov@google.com>
	Suggested-by: Thomas Gleixner <tglx@linutronix.de>
	Signed-off-by: Andrei Vagin <avagin@google.com>
	Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
	Cc:stable@vger.kernel.org
Link: https://lore.kernel.org/all/20240130063603.3392627-1-avagin%40google.com
(cherry picked from commit d877550)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-47230
cve CVE-2024-35810
commit-author Zack Rusin <zack.rusin@broadcom.com>
commit 9a9e8a7

The cleanup can be dispatched while the atomic update is still active,
which means that the memory acquired in the atomic update needs to
not be invalidated by the cleanup. The buffer objects in vmw_plane_state
instead of using the builtin map_and_cache were trying to handle
the lifetime of the mapped memory themselves, leading to crashes.

Use the map_and_cache instead of trying to manage the lifetime of the
buffer objects held by the vmw_plane_state.

Fixes kernel oops'es in IGT's kms_cursor_legacy forked-bo.

	Signed-off-by: Zack Rusin <zack.rusin@broadcom.com>
Fixes: bb6780a ("drm/vmwgfx: Diff cursors when using cmds")
	Cc: <stable@vger.kernel.org> # v6.2+
	Reviewed-by: Martin Krastev <martin.krastev@broadcom.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240126200804.732454-6-zack.rusin@broadcom.com
(cherry picked from commit 9a9e8a7)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-37265
cve CVE-2024-26907
commit-author Leon Romanovsky <leon@kernel.org>
commit 4d5e86a

 ------------[ cut here ]------------
 memcpy: detected field-spanning write (size 56) of single field "eseg->inline_hdr.start" at /var/lib/dkms/mlnx-ofed-kernel/5.8/build/drivers/infiniband/hw/mlx5/wr.c:131 (size 2)
 WARNING: CPU: 0 PID: 293779 at /var/lib/dkms/mlnx-ofed-kernel/5.8/build/drivers/infiniband/hw/mlx5/wr.c:131 mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]
 Modules linked in: 8021q garp mrp stp llc rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) ib_uverbs(OE) ib_core(OE) mlx5_core(OE) pci_hyperv_intf mlxdevm(OE) mlx_compat(OE) tls mlxfw(OE) psample nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink mst_pciconf(OE) knem(OE) vfio_pci vfio_pci_core vfio_iommu_type1 vfio iommufd irqbypass cuse nfsv3 nfs fscache netfs xfrm_user xfrm_algo ipmi_devintf ipmi_msghandler binfmt_misc crct10dif_pclmul crc32_pclmul polyval_clmulni polyval_generic ghash_clmulni_intel sha512_ssse3 snd_pcsp aesni_intel crypto_simd cryptd snd_pcm snd_timer joydev snd soundcore input_leds serio_raw evbug nfsd auth_rpcgss nfs_acl lockd grace sch_fq_codel sunrpc drm efi_pstore ip_tables x_tables autofs4 psmouse virtio_net net_failover failover floppy
  [last unloaded: mlx_compat(OE)]
 CPU: 0 PID: 293779 Comm: ssh Tainted: G           OE      6.2.0-32-generic #32~22.04.1-Ubuntu
 Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
 RIP: 0010:mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]
 Code: 0c 01 00 a8 01 75 25 48 8b 75 a0 b9 02 00 00 00 48 c7 c2 10 5b fd c0 48 c7 c7 80 5b fd c0 c6 05 57 0c 03 00 01 e8 95 4d 93 da <0f> 0b 44 8b 4d b0 4c 8b 45 c8 48 8b 4d c0 e9 49 fb ff ff 41 0f b7
 RSP: 0018:ffffb5b48478b570 EFLAGS: 00010046
 RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
 RBP: ffffb5b48478b628 R08: 0000000000000000 R09: 0000000000000000
 R10: 0000000000000000 R11: 0000000000000000 R12: ffffb5b48478b5e8
 R13: ffff963a3c609b5e R14: ffff9639c3fbd800 R15: ffffb5b480475a80
 FS:  00007fc03b444c80(0000) GS:ffff963a3dc00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000556f46bdf000 CR3: 0000000006ac6003 CR4: 00000000003706f0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 Call Trace:
  <TASK>
  ? show_regs+0x72/0x90
  ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]
  ? __warn+0x8d/0x160
  ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]
  ? report_bug+0x1bb/0x1d0
  ? handle_bug+0x46/0x90
  ? exc_invalid_op+0x19/0x80
  ? asm_exc_invalid_op+0x1b/0x20
  ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]
  mlx5_ib_post_send_nodrain+0xb/0x20 [mlx5_ib]
  ipoib_send+0x2ec/0x770 [ib_ipoib]
  ipoib_start_xmit+0x5a0/0x770 [ib_ipoib]
  dev_hard_start_xmit+0x8e/0x1e0
  ? validate_xmit_skb_list+0x4d/0x80
  sch_direct_xmit+0x116/0x3a0
  __dev_xmit_skb+0x1fd/0x580
  __dev_queue_xmit+0x284/0x6b0
  ? _raw_spin_unlock_irq+0xe/0x50
  ? __flush_work.isra.0+0x20d/0x370
  ? push_pseudo_header+0x17/0x40 [ib_ipoib]
  neigh_connected_output+0xcd/0x110
  ip_finish_output2+0x179/0x480
  ? __smp_call_single_queue+0x61/0xa0
  __ip_finish_output+0xc3/0x190
  ip_finish_output+0x2e/0xf0
  ip_output+0x78/0x110
  ? __pfx_ip_finish_output+0x10/0x10
  ip_local_out+0x64/0x70
  __ip_queue_xmit+0x18a/0x460
  ip_queue_xmit+0x15/0x30
  __tcp_transmit_skb+0x914/0x9c0
  tcp_write_xmit+0x334/0x8d0
  tcp_push_one+0x3c/0x60
  tcp_sendmsg_locked+0x2e1/0xac0
  tcp_sendmsg+0x2d/0x50
  inet_sendmsg+0x43/0x90
  sock_sendmsg+0x68/0x80
  sock_write_iter+0x93/0x100
  vfs_write+0x326/0x3c0
  ksys_write+0xbd/0xf0
  ? do_syscall_64+0x69/0x90
  __x64_sys_write+0x19/0x30
  do_syscall_64+0x59/0x90
  ? do_user_addr_fault+0x1d0/0x640
  ? exit_to_user_mode_prepare+0x3b/0xd0
  ? irqentry_exit_to_user_mode+0x9/0x20
  ? irqentry_exit+0x43/0x50
  ? exc_page_fault+0x92/0x1b0
  entry_SYSCALL_64_after_hwframe+0x72/0xdc
 RIP: 0033:0x7fc03ad14a37
 Code: 10 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24
 RSP: 002b:00007ffdf8697fe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
 RAX: ffffffffffffffda RBX: 0000000000008024 RCX: 00007fc03ad14a37
 RDX: 0000000000008024 RSI: 0000556f46bd8270 RDI: 0000000000000003
 RBP: 0000556f46bb1800 R08: 0000000000007fe3 R09: 0000000000000000
 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002
 R13: 0000556f46bc66b0 R14: 000000000000000a R15: 0000556f46bb2f50
  </TASK>
 ---[ end trace 0000000000000000 ]---

Link: https://lore.kernel.org/r/8228ad34bd1a25047586270f7b1fb4ddcd046282.1706433934.git.leon@kernel.org
	Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
(cherry picked from commit 4d5e86a)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-37041
cve CVE-2024-26846
commit-author Daniel Wagner <dwagner@suse.de>
commit 70fbfc4

The module exit path has race between deleting all controllers and
freeing 'left over IDs'. To prevent double free a synchronization
between nvme_delete_ctrl and ida_destroy has been added by the initial
commit.

There is some logic around trying to prevent from hanging forever in
wait_for_completion, though it does not handling all cases. E.g.
blktests is able to reproduce the situation where the module unload
hangs forever.

If we completely rely on the cleanup code executed from the
nvme_delete_ctrl path, all IDs will be freed eventually. This makes
calling ida_destroy unnecessary. We only have to ensure that all
nvme_delete_ctrl code has been executed before we leave
nvme_fc_exit_module. This is done by flushing the nvme_delete_wq
workqueue.

While at it, remove the unused nvme_fc_wq workqueue too.

	Reviewed-by: Christoph Hellwig <hch@lst.de>
	Reviewed-by: Hannes Reinecke <hare@suse.de>
	Signed-off-by: Daniel Wagner <dwagner@suse.de>
	Signed-off-by: Keith Busch <kbusch@kernel.org>
(cherry picked from commit 70fbfc4)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-37990
cve CVE-2024-35944
commit-author Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
commit 19b070f

Syzkaller hit 'WARNING in dg_dispatch_as_host' bug.

memcpy: detected field-spanning write (size 56) of single field "&dg_info->msg"
at drivers/misc/vmw_vmci/vmci_datagram.c:237 (size 24)

WARNING: CPU: 0 PID: 1555 at drivers/misc/vmw_vmci/vmci_datagram.c:237
dg_dispatch_as_host+0x88e/0xa60 drivers/misc/vmw_vmci/vmci_datagram.c:237

Some code commentry, based on my understanding:

544 #define VMCI_DG_SIZE(_dg) (VMCI_DG_HEADERSIZE + (size_t)(_dg)->payload_size)
/// This is 24 + payload_size

memcpy(&dg_info->msg, dg, dg_size);
	Destination = dg_info->msg ---> this is a 24 byte
					structure(struct vmci_datagram)
	Source = dg --> this is a 24 byte structure (struct vmci_datagram)
	Size = dg_size = 24 + payload_size

{payload_size = 56-24 =32} -- Syzkaller managed to set payload_size to 32.

 35 struct delayed_datagram_info {
 36         struct datagram_entry *entry;
 37         struct work_struct work;
 38         bool in_dg_host_queue;
 39         /* msg and msg_payload must be together. */
 40         struct vmci_datagram msg;
 41         u8 msg_payload[];
 42 };

So those extra bytes of payload are copied into msg_payload[], a run time
warning is seen while fuzzing with Syzkaller.

One possible way to fix the warning is to split the memcpy() into
two parts -- one -- direct assignment of msg and second taking care of payload.

Gustavo quoted:
"Under FORTIFY_SOURCE we should not copy data across multiple members
in a structure."

	Reported-by: syzkaller <syzkaller@googlegroups.com>
	Suggested-by: Vegard Nossum <vegard.nossum@oracle.com>
	Suggested-by: Gustavo A. R. Silva <gustavoars@kernel.org>
	Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
	Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
	Reviewed-by: Kees Cook <keescook@chromium.org>
	Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://lore.kernel.org/r/20240105164001.2129796-2-harshit.m.mogalapalli@oracle.com
	Signed-off-by: Kees Cook <keescook@chromium.org>
(cherry picked from commit 19b070f)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
@ciq-kernel-automation ciq-kernel-automation Bot added the created-by-kernelci Tag PRs that were automatically created when a user branch was pushed to the repo (kernelCI) label Jun 8, 2026
@github-actions

github-actions Bot commented Jun 8, 2026

Copy link
Copy Markdown

🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/27146097997

@github-actions

github-actions Bot commented Jun 8, 2026

Copy link
Copy Markdown

Validation checks completed successfully View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/27146097997

@PlaidCat PlaidCat requested a review from a team June 8, 2026 18:29

@PlaidCat PlaidCat left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:shipit:

@PlaidCat PlaidCat requested a review from a team June 8, 2026 18:36
@shreeya-patel98 shreeya-patel98 merged commit 7eb2893 into ciqlts9_4 Jun 9, 2026
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

created-by-kernelci Tag PRs that were automatically created when a user branch was pushed to the repo (kernelCI)

Development

Successfully merging this pull request may close these issues.

3 participants