Skip to content

[ciqlts8_6] Multiple patches tested (8 commits)#1347

Merged
roxanan1996 merged 8 commits into
ciqlts8_6from
{ciq_kernel_automation}_ciqlts8_6
Jun 16, 2026
Merged

[ciqlts8_6] Multiple patches tested (8 commits)#1347
roxanan1996 merged 8 commits into
ciqlts8_6from
{ciq_kernel_automation}_ciqlts8_6

Conversation

@ciq-kernel-automation

Copy link
Copy Markdown

Summary

This PR has been automatically created after successful completion of all CI stages.

Commit Message(s)

net:emac/emac-mac: Fix a use after free in emac_mac_tx_buf_send

jira VULN-84
cve CVE-2021-47013
commit-author Lv Yunlong <lyl2019@mail.ustc.edu.cn>
commit 6d72e7c767acbbdd44ebc7d89c6690b405b32b57
net: core: reject skb_copy(_expand) for fraglist GSO skbs

jira VULN-5378
cve CVE-2024-36929
commit-author Felix Fietkau <nbd@nbd.name>
commit d091e579b864fa790dd6a0cd537a22c383126681
rtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation

jira VULN-5266
cve CVE-2024-36017
commit-author Roded Zats <rzats@paloaltonetworks.com>
commit 1aec77b2bb2ed1db0f5efc61c4c1ca3813307489
af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg

jira VULN-5495
cve CVE-2024-38596
commit-author Breno Leitao <leitao@debian.org>
commit 540bf24fba16b88c1b3b9353927204b4f1074e25
net/mlx5: Discard command completions in internal error

jira VULN-5471
cve CVE-2024-38555
commit-author Akiva Goldberger <agoldberger@nvidia.com>
commit db9b31aa9bc56ff0d15b78f7e827d61c4a096e40
tls: fix missing memory barrier in tls_init

jira VULN-5306
cve CVE-2024-36489
commit-author Dae R. Jeong <threeearcat@gmail.com>
commit 91e61dd7a0af660408e87372d8330ceb218be302
r8169: Fix possible ring buffer corruption on fragmented Tx packets.

jira VULN-43369
cve CVE-2024-38586
commit-author Ken Milmore <ken.milmore@gmail.com>
commit c71e3a5cffd5309d7f84444df03d5b72600cc417
netfilter: tproxy: bail out if IP has been disabled on the device

jira VULN-5290
cve CVE-2024-36270
commit-author Florian Westphal <fw@strlen.de>
commit 21a673bddc8fd4873c370caf9ae70ffc6d47e8d3

Test Results

✅ Build Stage

Architecture Build Time Total Time
x86_64 22m 56s 23m 50s
aarch64 9m 30s 10m 8s

✅ Boot Verification

✅ Kernel Selftests

Architecture Passed Failed Compared Against Status
x86_64 108 31 ciqlts8_6 ✅ No regressions
aarch64 65 22 ciqlts8_6 ✅ No regressions

✅ LTP Results

Architecture Passed Failed Compared Against Status
x86_64 1437 13 ciqlts8_6 ✅ No regressions
aarch64 1425 14 ciqlts8_6 ✅ No regressions

🤖 This PR was automatically generated by GitHub Actions
Run ID: 27533613031

CIQ Kernel Automation added 8 commits June 15, 2026 08:03
jira VULN-84
cve CVE-2021-47013
commit-author Lv Yunlong <lyl2019@mail.ustc.edu.cn>
commit 6d72e7c

In emac_mac_tx_buf_send, it calls emac_tx_fill_tpd(..,skb,..).
If some error happens in emac_tx_fill_tpd(), the skb will be freed via
dev_kfree_skb(skb) in error branch of emac_tx_fill_tpd().
But the freed skb is still used via skb->len by netdev_sent_queue(,skb->len).

As i observed that emac_tx_fill_tpd() haven't modified the value of skb->len,
thus my patch assigns skb->len to 'len' before the possible free and
use 'len' instead of skb->len later.

Fixes: b9b17de ("net: emac: emac gigabit ethernet controller driver")
	Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
	Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 6d72e7c)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-5378
cve CVE-2024-36929
commit-author Felix Fietkau <nbd@nbd.name>
commit d091e57

SKB_GSO_FRAGLIST skbs must not be linearized, otherwise they become
invalid. Return NULL if such an skb is passed to skb_copy or
skb_copy_expand, in order to prevent a crash on a potential later
call to skb_gso_segment.

Fixes: 3a1296a ("net: Support GRO/GSO fraglist chaining.")
	Signed-off-by: Felix Fietkau <nbd@nbd.name>
	Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit d091e57)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-5266
cve CVE-2024-36017
commit-author Roded Zats <rzats@paloaltonetworks.com>
commit 1aec77b

Each attribute inside a nested IFLA_VF_VLAN_LIST is assumed to be a
struct ifla_vf_vlan_info so the size of such attribute needs to be at least
of sizeof(struct ifla_vf_vlan_info) which is 14 bytes.
The current size validation in do_setvfinfo is against NLA_HDRLEN (4 bytes)
which is less than sizeof(struct ifla_vf_vlan_info) so this validation
is not enough and a too small attribute might be cast to a
struct ifla_vf_vlan_info, this might result in an out of bands
read access when accessing the saved (casted) entry in ivvl.

Fixes: 79aab09 ("net: Update API for VF vlan protocol 802.1ad support")
	Signed-off-by: Roded Zats <rzats@paloaltonetworks.com>
	Reviewed-by: Donald Hunter <donald.hunter@gmail.com>
Link: https://lore.kernel.org/r/20240502155751.75705-1-rzats@paloaltonetworks.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 1aec77b)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-5495
cve CVE-2024-38596
commit-author Breno Leitao <leitao@debian.org>
commit 540bf24

A data-race condition has been identified in af_unix. In one data path,
the write function unix_release_sock() atomically writes to
sk->sk_shutdown using WRITE_ONCE. However, on the reader side,
unix_stream_sendmsg() does not read it atomically. Consequently, this
issue is causing the following KCSAN splat to occur:

	BUG: KCSAN: data-race in unix_release_sock / unix_stream_sendmsg

	write (marked) to 0xffff88867256ddbb of 1 bytes by task 7270 on cpu 28:
	unix_release_sock (net/unix/af_unix.c:640)
	unix_release (net/unix/af_unix.c:1050)
	sock_close (net/socket.c:659 net/socket.c:1421)
	__fput (fs/file_table.c:422)
	__fput_sync (fs/file_table.c:508)
	__se_sys_close (fs/open.c:1559 fs/open.c:1541)
	__x64_sys_close (fs/open.c:1541)
	x64_sys_call (arch/x86/entry/syscall_64.c:33)
	do_syscall_64 (arch/x86/entry/common.c:?)
	entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

	read to 0xffff88867256ddbb of 1 bytes by task 989 on cpu 14:
	unix_stream_sendmsg (net/unix/af_unix.c:2273)
	__sock_sendmsg (net/socket.c:730 net/socket.c:745)
	____sys_sendmsg (net/socket.c:2584)
	__sys_sendmmsg (net/socket.c:2638 net/socket.c:2724)
	__x64_sys_sendmmsg (net/socket.c:2753 net/socket.c:2750 net/socket.c:2750)
	x64_sys_call (arch/x86/entry/syscall_64.c:33)
	do_syscall_64 (arch/x86/entry/common.c:?)
	entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

	value changed: 0x01 -> 0x03

The line numbers are related to commit dd5a440 ("Linux 6.9-rc7").

Commit e1d09c2 ("af_unix: Fix data races around sk->sk_shutdown.")
addressed a comparable issue in the past regarding sk->sk_shutdown.
However, it overlooked resolving this particular data path.
This patch only offending unix_stream_sendmsg() function, since the
other reads seem to be protected by unix_state_lock() as discussed in
Link: https://lore.kernel.org/all/20240508173324.53565-1-kuniyu@amazon.com/

Fixes: 1da177e ("Linux-2.6.12-rc2")
	Signed-off-by: Breno Leitao <leitao@debian.org>
	Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://lore.kernel.org/r/20240509081459.2807828-1-leitao@debian.org
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 540bf24)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-5471
cve CVE-2024-38555
commit-author Akiva Goldberger <agoldberger@nvidia.com>
commit db9b31a

Fix use after free when FW completion arrives while device is in
internal error state. Avoid calling completion handler in this case,
since the device will flush the command interface and trigger all
completions manually.

Kernel log:
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
...
RIP: 0010:refcount_warn_saturate+0xd8/0xe0
...
Call Trace:
<IRQ>
? __warn+0x79/0x120
? refcount_warn_saturate+0xd8/0xe0
? report_bug+0x17c/0x190
? handle_bug+0x3c/0x60
? exc_invalid_op+0x14/0x70
? asm_exc_invalid_op+0x16/0x20
? refcount_warn_saturate+0xd8/0xe0
cmd_ent_put+0x13b/0x160 [mlx5_core]
mlx5_cmd_comp_handler+0x5f9/0x670 [mlx5_core]
cmd_comp_notifier+0x1f/0x30 [mlx5_core]
notifier_call_chain+0x35/0xb0
atomic_notifier_call_chain+0x16/0x20
mlx5_eq_async_int+0xf6/0x290 [mlx5_core]
notifier_call_chain+0x35/0xb0
atomic_notifier_call_chain+0x16/0x20
irq_int_handler+0x19/0x30 [mlx5_core]
__handle_irq_event_percpu+0x4b/0x160
handle_irq_event+0x2e/0x80
handle_edge_irq+0x98/0x230
__common_interrupt+0x3b/0xa0
common_interrupt+0x7b/0xa0
</IRQ>
<TASK>
asm_common_interrupt+0x22/0x40

Fixes: 51d138c ("net/mlx5: Fix health error state handling")
	Signed-off-by: Akiva Goldberger <agoldberger@nvidia.com>
	Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
	Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://lore.kernel.org/r/20240509112951.590184-6-tariqt@nvidia.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit db9b31a)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-5306
cve CVE-2024-36489
commit-author Dae R. Jeong <threeearcat@gmail.com>
commit 91e61dd

In tls_init(), a write memory barrier is missing, and store-store
reordering may cause NULL dereference in tls_{setsockopt,getsockopt}.

CPU0                               CPU1
-----                              -----
// In tls_init()
// In tls_ctx_create()
ctx = kzalloc()
ctx->sk_proto = READ_ONCE(sk->sk_prot) -(1)

// In update_sk_prot()
WRITE_ONCE(sk->sk_prot, tls_prots)     -(2)

                                   // In sock_common_setsockopt()
                                   READ_ONCE(sk->sk_prot)->setsockopt()

                                   // In tls_{setsockopt,getsockopt}()
                                   ctx->sk_proto->setsockopt()    -(3)

In the above scenario, when (1) and (2) are reordered, (3) can observe
the NULL value of ctx->sk_proto, causing NULL dereference.

To fix it, we rely on rcu_assign_pointer() which implies the release
barrier semantic. By moving rcu_assign_pointer() after ctx->sk_proto is
initialized, we can ensure that ctx->sk_proto are visible when
changing sk->sk_prot.

Fixes: d5bee73 ("net/tls: Annotate access to sk_prot with READ_ONCE/WRITE_ONCE")
	Signed-off-by: Yewon Choi <woni9911@gmail.com>
	Signed-off-by: Dae R. Jeong <threeearcat@gmail.com>
Link: https://lore.kernel.org/netdev/ZU4OJG56g2V9z_H7@dragonet/T/
Link: https://lore.kernel.org/r/Zkx4vjSFp0mfpjQ2@libra05
	Signed-off-by: Paolo Abeni <pabeni@redhat.com>
(cherry picked from commit 91e61dd)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-43369
cve CVE-2024-38586
commit-author Ken Milmore <ken.milmore@gmail.com>
commit c71e3a5

An issue was found on the RTL8125b when transmitting small fragmented
packets, whereby invalid entries were inserted into the transmit ring
buffer, subsequently leading to calls to dma_unmap_single() with a null
address.

This was caused by rtl8169_start_xmit() not noticing changes to nr_frags
which may occur when small packets are padded (to work around hardware
quirks) in rtl8169_tso_csum_v2().

To fix this, postpone inspecting nr_frags until after any padding has been
applied.

Fixes: 9020845 ("r8169: improve rtl8169_start_xmit")
	Cc: stable@vger.kernel.org
	Signed-off-by: Ken Milmore <ken.milmore@gmail.com>
	Reviewed-by: Heiner Kallweit <hkallweit1@gmail.com>
Link: https://lore.kernel.org/r/27ead18b-c23d-4f49-a020-1fc482c5ac95@gmail.com
	Signed-off-by: Paolo Abeni <pabeni@redhat.com>
(cherry picked from commit c71e3a5)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-5290
cve CVE-2024-36270
commit-author Florian Westphal <fw@strlen.de>
commit 21a673b

syzbot reports:
general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
[..]
RIP: 0010:nf_tproxy_laddr4+0xb7/0x340 net/ipv4/netfilter/nf_tproxy_ipv4.c:62
Call Trace:
 nft_tproxy_eval_v4 net/netfilter/nft_tproxy.c:56 [inline]
 nft_tproxy_eval+0xa9a/0x1a00 net/netfilter/nft_tproxy.c:168

__in_dev_get_rcu() can return NULL, so check for this.

Reported-and-tested-by: syzbot+b94a6818504ea90d7661@syzkaller.appspotmail.com
Fixes: cc6eb43 ("tproxy: use the interface primary IP address as a default value for --on-ip")
	Signed-off-by: Florian Westphal <fw@strlen.de>
	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 21a673b)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
@ciq-kernel-automation ciq-kernel-automation Bot added the created-by-kernelci Tag PRs that were automatically created when a user branch was pushed to the repo (kernelCI) label Jun 15, 2026
@github-actions

Copy link
Copy Markdown

🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/27546228982

@github-actions

Copy link
Copy Markdown

Validation checks completed successfully View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/27546228982

@PlaidCat PlaidCat left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:shipit:

@PlaidCat PlaidCat requested a review from a team June 15, 2026 15:10
@roxanan1996 roxanan1996 merged commit 8301c5d into ciqlts8_6 Jun 16, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

created-by-kernelci Tag PRs that were automatically created when a user branch was pushed to the repo (kernelCI)

Development

Successfully merging this pull request may close these issues.

2 participants