Skip to content

[ciqlts9_6] Multiple patches tested (8 commits)#1346

Merged
roxanan1996 merged 8 commits into
ciqlts9_6from
{ciq_kernel_automation}_ciqlts9_6
Jun 16, 2026
Merged

[ciqlts9_6] Multiple patches tested (8 commits)#1346
roxanan1996 merged 8 commits into
ciqlts9_6from
{ciq_kernel_automation}_ciqlts9_6

Conversation

@ciq-kernel-automation

Copy link
Copy Markdown

Summary

This PR has been automatically created after successful completion of all CI stages.

Commit Message(s)

crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id

jira VULN-171988
cve CVE-2025-68724
commit-author Thorsten Blum <thorsten.blum@linux.dev>
commit df0845cf447ae1556c3440b8b155de0926cbaa56
iommu: disable SVA when CONFIG_X86 is set

jira VULN-174373
cve CVE-2025-71089
commit-author Lu Baolu <baolu.lu@linux.intel.com>
commit 72f98ef9a4be30d2a60136dd6faee376f780d06c
libceph: make decode_pool() more resilient against corrupted osdmaps

jira VULN-174160
cve CVE-2025-71116
commit-author Ilya Dryomov <idryomov@gmail.com>
commit 8c738512714e8c0aa18f8a10c072d5b01c83db39
libceph: prevent potential out-of-bounds reads in handle_auth_done()

jira VULN-174770
cve CVE-2026-22984
commit-author ziming zhang <ezrakiez@gmail.com>
commit 818156caffbf55cb4d368f9c3cac64e458fb49c9
libceph: replace overzealous BUG_ON in osdmap_apply_incremental()

jira VULN-174790
cve CVE-2026-22990
commit-author Ilya Dryomov <idryomov@gmail.com>
commit e00c3f71b5cf75681dbd74ee3f982a99cb690c2b
scsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count()

jira VULN-176438
cve CVE-2026-23216
commit-author Maurizio Lombardi <mlombard@redhat.com>
commit 9411a89e9e7135cc459178fa77a3f1d6191ae903
netfilter: xt_tcpmss: check remaining length before reading optlen

jira VULN-184559
cve CVE-2026-43190
commit-author Florian Westphal <fw@strlen.de>
commit 735ee8582da3d239eb0c7a53adca61b79fb228b3
netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()

jira VULN-179958
cve CVE-2026-23455
commit-author Jenny Guanni Qu <qguanni@gmail.com>
commit f173d0f4c0f689173f8cdac79991043a4a89bf66

Test Results

✅ Build Stage

Architecture Build Time Total Time
x86_64 32m 52s 33m 56s
aarch64 18m 24s 19m 6s

✅ Boot Verification

✅ Kernel Selftests

Architecture Passed Failed Compared Against Status
x86_64 206 43 ciqlts9_6 ✅ No regressions
aarch64 154 45 ciqlts9_6 ✅ No regressions

✅ LTP Results

Architecture Passed Failed Compared Against Status
x86_64 1452 83 ciqlts9_6 ❌ 1 regressions
aarch64 1426 83 ciqlts9_6 ✅ No regressions

x86_64 regressions:

  • futex_wake02 (PASS -> FAIL)

🤖 This PR was automatically generated by GitHub Actions
Run ID: 27533032228

CIQ Kernel Automation added 8 commits June 15, 2026 08:05
jira VULN-171988
cve CVE-2025-68724
commit-author Thorsten Blum <thorsten.blum@linux.dev>
commit df0845c

Use check_add_overflow() to guard against potential integer overflows
when adding the binary blob lengths and the size of an asymmetric_key_id
structure and return ERR_PTR(-EOVERFLOW) accordingly. This prevents a
possible buffer overflow when copying data from potentially malicious
X.509 certificate fields that can be arbitrarily large, such as ASN.1
INTEGER serial numbers, issuer names, etc.

Fixes: 7901c1a ("KEYS: Implement binary asymmetric key ID handling")
	Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
	Reviewed-by: Lukas Wunner <lukas@wunner.de>
	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit df0845c)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-174373
cve CVE-2025-71089
commit-author Lu Baolu <baolu.lu@linux.intel.com>
commit 72f98ef

Patch series "Fix stale IOTLB entries for kernel address space", v7.

This proposes a fix for a security vulnerability related to IOMMU Shared
Virtual Addressing (SVA).  In an SVA context, an IOMMU can cache kernel
page table entries.  When a kernel page table page is freed and
reallocated for another purpose, the IOMMU might still hold stale,
incorrect entries.  This can be exploited to cause a use-after-free or
write-after-free condition, potentially leading to privilege escalation or
data corruption.

This solution introduces a deferred freeing mechanism for kernel page
table pages, which provides a safe window to notify the IOMMU to
invalidate its caches before the page is reused.

This patch (of 8):

In the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware
shares and walks the CPU's page tables.  The x86 architecture maps the
kernel's virtual address space into the upper portion of every process's
page table.  Consequently, in an SVA context, the IOMMU hardware can walk
and cache kernel page table entries.

The Linux kernel currently lacks a notification mechanism for kernel page
table changes, specifically when page table pages are freed and reused.
The IOMMU driver is only notified of changes to user virtual address
mappings.  This can cause the IOMMU's internal caches to retain stale
entries for kernel VA.

Use-After-Free (UAF) and Write-After-Free (WAF) conditions arise when
kernel page table pages are freed and later reallocated.  The IOMMU could
misinterpret the new data as valid page table entries.  The IOMMU might
then walk into attacker-controlled memory, leading to arbitrary physical
memory DMA access or privilege escalation.  This is also a
Write-After-Free issue, as the IOMMU will potentially continue to write
Accessed and Dirty bits to the freed memory while attempting to walk the
stale page tables.

Currently, SVA contexts are unprivileged and cannot access kernel
mappings.  However, the IOMMU will still walk kernel-only page tables all
the way down to the leaf entries, where it realizes the mapping is for the
kernel and errors out.  This means the IOMMU still caches these
intermediate page table entries, making the described vulnerability a real
concern.

Disable SVA on x86 architecture until the IOMMU can receive notification
to flush the paging cache before freeing the CPU kernel page table pages.

Link: https://lkml.kernel.org/r/20251022082635.2462433-1-baolu.lu@linux.intel.com
Link: https://lkml.kernel.org/r/20251022082635.2462433-2-baolu.lu@linux.intel.com
Fixes: 26b25a2 ("iommu: Bind process address spaces to devices")
	Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
	Suggested-by: Jason Gunthorpe <jgg@nvidia.com>
	Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
	Cc: Alistair Popple <apopple@nvidia.com>
	Cc: Andy Lutomirski <luto@kernel.org>
	Cc: Borislav Betkov <bp@alien8.de>
	Cc: Dave Hansen <dave.hansen@intel.com>
	Cc: David Hildenbrand <david@redhat.com>
	Cc: Ingo Molnar <mingo@redhat.com>
	Cc: Jann Horn <jannh@google.com>
	Cc: Jean-Philippe Brucker <jean-philippe@linaro.org>
	Cc: Joerg Roedel <joro@8bytes.org>
	Cc: Kevin Tian <kevin.tian@intel.com>
	Cc: Liam Howlett <liam.howlett@oracle.com>
	Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
	Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
	Cc: Michal Hocko <mhocko@kernel.org>
	Cc: Mike Rapoport <rppt@kernel.org>
	Cc: Peter Zijlstra <peterz@infradead.org>
	Cc: Robin Murohy <robin.murphy@arm.com>
	Cc: Thomas Gleinxer <tglx@linutronix.de>
	Cc: "Uladzislau Rezki (Sony)" <urezki@gmail.com>
	Cc: Vasant Hegde <vasant.hegde@amd.com>
	Cc: Vinicius Costa Gomes <vinicius.gomes@intel.com>
	Cc: Vlastimil Babka <vbabka@suse.cz>
	Cc: Will Deacon <will@kernel.org>
	Cc: Yi Lai <yi1.lai@intel.com>
	Cc: <stable@vger.kernel.org>
	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
(cherry picked from commit 72f98ef)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-174160
cve CVE-2025-71116
commit-author Ilya Dryomov <idryomov@gmail.com>
commit 8c73851

If the osdmap is (maliciously) corrupted such that the encoded length
of ceph_pg_pool envelope is less than what is expected for a particular
encoding version, out-of-bounds reads may ensue because the only bounds
check that is there is based on that length value.

This patch adds explicit bounds checks for each field that is decoded
or skipped.

	Cc: stable@vger.kernel.org
	Reported-by: ziming zhang <ezrakiez@gmail.com>
	Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
	Reviewed-by: Xiubo Li <xiubli@redhat.com>
	Tested-by: ziming zhang <ezrakiez@gmail.com>
(cherry picked from commit 8c73851)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-174770
cve CVE-2026-22984
commit-author ziming zhang <ezrakiez@gmail.com>
commit 818156c

Perform an explicit bounds check on payload_len to avoid a possible
out-of-bounds access in the callout.

[ idryomov: changelog ]

	Cc: stable@vger.kernel.org
	Signed-off-by: ziming zhang <ezrakiez@gmail.com>
	Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
	Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
(cherry picked from commit 818156c)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-174790
cve CVE-2026-22990
commit-author Ilya Dryomov <idryomov@gmail.com>
commit e00c3f7

If the osdmap is (maliciously) corrupted such that the incremental
osdmap epoch is different from what is expected, there is no need to
BUG.  Instead, just declare the incremental osdmap to be invalid.

	Cc: stable@vger.kernel.org
	Reported-by: ziming zhang <ezrakiez@gmail.com>
	Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
(cherry picked from commit e00c3f7)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-176438
cve CVE-2026-23216
commit-author Maurizio Lombardi <mlombard@redhat.com>
commit 9411a89

In iscsit_dec_conn_usage_count(), the function calls complete() while
holding the conn->conn_usage_lock. As soon as complete() is invoked, the
waiter (such as iscsit_close_connection()) may wake up and proceed to free
the iscsit_conn structure.

If the waiter frees the memory before the current thread reaches
spin_unlock_bh(), it results in a KASAN slab-use-after-free as the function
attempts to release a lock within the already-freed connection structure.

Fix this by releasing the spinlock before calling complete().

	Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
	Reported-by: Zhaojuan Guo <zguo@redhat.com>
	Reviewed-by: Mike Christie <michael.christie@oracle.com>
Link: https://patch.msgid.link/20260112165352.138606-2-mlombard@redhat.com
	Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
(cherry picked from commit 9411a89)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-184559
cve CVE-2026-43190
commit-author Florian Westphal <fw@strlen.de>
commit 735ee85

Quoting reporter:
  In net/netfilter/xt_tcpmss.c (lines 53-68), the TCP option parser reads
 op[i+1] directly without validating the remaining option length.

  If the last byte of the option field is not EOL/NOP (0/1), the code attempts
  to index op[i+1]. In the case where i + 1 == optlen, this causes an
  out-of-bounds read, accessing memory past the optlen boundary
  (either reading beyond the stack buffer _opt or the
  following payload).

	Reported-by: sungzii <sungzii@pm.me>
	Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit 735ee85)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-179958
cve CVE-2026-23455
commit-author Jenny Guanni Qu <qguanni@gmail.com>
commit f173d0f

In DecodeQ931(), the UserUserIE code path reads a 16-bit length from
the packet, then decrements it by 1 to skip the protocol discriminator
byte before passing it to DecodeH323_UserInformation(). If the encoded
length is 0, the decrement wraps to -1, which is then passed as a
large value to the decoder, leading to an out-of-bounds read.

Add a check to ensure len is positive after the decrement.

Fixes: 5e35941 ("[NETFILTER]: Add H.323 conntrack/NAT helper")
	Reported-by: Klaudia Kloc <klaudia@vidocsecurity.com>
	Reported-by: Dawid Moczadło <dawid@vidocsecurity.com>
	Tested-by: Jenny Guanni Qu <qguanni@gmail.com>
	Signed-off-by: Jenny Guanni Qu <qguanni@gmail.com>
	Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit f173d0f)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
@ciq-kernel-automation ciq-kernel-automation Bot added the created-by-kernelci Tag PRs that were automatically created when a user branch was pushed to the repo (kernelCI) label Jun 15, 2026
@github-actions

Copy link
Copy Markdown

🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/27545636291

@github-actions

Copy link
Copy Markdown

Validation checks completed successfully View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/27545636291

@PlaidCat PlaidCat left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:shipit:

@PlaidCat PlaidCat requested a review from a team June 15, 2026 15:47
@roxanan1996 roxanan1996 merged commit 5776c0e into ciqlts9_6 Jun 16, 2026
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

created-by-kernelci Tag PRs that were automatically created when a user branch was pushed to the repo (kernelCI)

Development

Successfully merging this pull request may close these issues.

2 participants