Skip to content

[ciqlts9_2] CVE-2026-46331#1392

Merged
bmastbergen merged 10 commits into
ciqlts9_2from
{rnicolescu}_ciqlts9_2
Jun 29, 2026
Merged

[ciqlts9_2] CVE-2026-46331#1392
bmastbergen merged 10 commits into
ciqlts9_2from
{rnicolescu}_ciqlts9_2

Conversation

@ciq-kernel-automation

Copy link
Copy Markdown

Summary

This PR has been automatically created after successful completion of all CI stages.

Commit Message(s)

net/sched: act_pedit: use NLA_POLICY for parsing 'ex' keys

jira VULN-188480
cve-pre CVE-2026-46331
commit-author Rajat Gupta <rajat.gupta@oss.qualcomm.com>
commit 5036034572b79daa6d6600338e8e8229e2a44b09
net/sched: transition act_pedit to rcu and percpu stats

jira VULN-188480
cve-pre CVE-2026-46331
commit-author Rajat Gupta <rajat.gupta@oss.qualcomm.com>
commit 52cf89f78c01bf39973f3e70d366921d70faff7a
net/sched: simplify tcf_pedit_act

jira VULN-188480
cve-pre CVE-2026-46331
commit-author Rajat Gupta <rajat.gupta@oss.qualcomm.com>
commit 95b069382351826c0ae37938070aa82dbeaf288d
net/sched: act_pedit: remove extra check for key type

jira VULN-188480
cve-pre CVE-2026-46331
commit-author Rajat Gupta <rajat.gupta@oss.qualcomm.com>
commit 577140180ba28d0d37bc898c7bd6702c83aa106f
net/sched: act_pedit: check static offsets a priori

jira VULN-188480
cve-pre CVE-2026-46331
commit-author Rajat Gupta <rajat.gupta@oss.qualcomm.com>
commit e1201bc781c28766720e78a5e099ffa568be4d74
net/sched: act_pedit: rate limit datapath messages

jira VULN-188480
cve-pre CVE-2026-46331
commit-author Rajat Gupta <rajat.gupta@oss.qualcomm.com>
commit e3c9673e2f6e1b3aa4bb87c570336e10f364c28a
net/sched: act_pedit: Parse L3 Header for L4 offset

jira VULN-188480
cve-pre CVE-2026-46331
commit-author Rajat Gupta <rajat.gupta@oss.qualcomm.com>
commit 6c02568fd1ae53099b4ab86365c5be1ff15f586b
net/sched: act_pedit: free pedit keys on bail from offset check

jira VULN-188480
cve-pre CVE-2026-46331
commit-author Rajat Gupta <rajat.gupta@oss.qualcomm.com>
commit 1b483d9f5805c7e3d628d4995e97f4311fcb82eb
net/sched: act_pedit: fix action bind logic

jira VULN-188480
cve-pre CVE-2026-46331
commit-author Rajat Gupta <rajat.gupta@oss.qualcomm.com>
commit e9e42292ea76a8358b0c02ffd530d78e133a1b73
net/sched: fix pedit partial COW leading to page cache corruption

jira VULN-188480
cve CVE-2026-46331
commit-author Rajat Gupta <rajat.gupta@oss.qualcomm.com>
commit 899ee91156e57784090c5565e4f31bd7dbffbc5a
upstream-diff |
	rename include file from linux/unaligned.h to asm/unaligned.h

Test Results

✅ Build Stage

Architecture Build Time Total Time
x86_64 24m 51s 25m 43s
aarch64 13m 6s 13m 39s

✅ Boot Verification

✅ Kernel Selftests

Architecture Passed Failed Compared Against Status
x86_64 173 25 ciqlts9_2 ✅ No regressions
aarch64 140 28 ciqlts9_2 ✅ No regressions

✅ LTP Results

Architecture Passed Failed Compared Against Status
x86_64 1439 81 ciqlts9_2 ✅ No regressions
aarch64 1404 88 ciqlts9_2 ❌ 3 regressions

aarch64 regressions:

  • fork14 (PASS -> FAIL)
  • futex_cmp_requeue01 (PASS -> FAIL)
  • mmap16 (PASS -> FAIL)

🤖 This PR was automatically generated by GitHub Actions
Run ID: 28365777097

tammela and others added 10 commits June 29, 2026 12:23
jira VULN-188480
cve-pre CVE-2026-46331
commit-author Rajat Gupta <rajat.gupta@oss.qualcomm.com>
commit 5036034

Transform two checks in the 'ex' key parsing into netlink policies
removing extra if checks.

	Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
	Reviewed-by: Simon Horman <simon.horman@corigine.com>
	Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 5036034)
    	Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
jira VULN-188480
cve-pre CVE-2026-46331
commit-author Rajat Gupta <rajat.gupta@oss.qualcomm.com>
commit 52cf89f

The software pedit action didn't get the same love as some of the
other actions and it's still using spinlocks and shared stats in the
datapath.
Transition the action to rcu and percpu stats as this improves the
action's performance dramatically on multiple cpu deployments.

	Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
	Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
	Reviewed-by: Simon Horman <simon.horman@corigine.com>
	Signed-off-by: Paolo Abeni <pabeni@redhat.com>
(cherry picked from commit 52cf89f)
	Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
jira VULN-188480
cve-pre CVE-2026-46331
commit-author Rajat Gupta <rajat.gupta@oss.qualcomm.com>
commit 95b0693

Remove the check for a negative number of keys as
this cannot ever happen

	Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
	Reviewed-by: Simon Horman <simon.horman@corigine.com>
	Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
	Signed-off-by: Paolo Abeni <pabeni@redhat.com>
(cherry picked from commit 95b0693)
	Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
jira VULN-188480
cve-pre CVE-2026-46331
commit-author Rajat Gupta <rajat.gupta@oss.qualcomm.com>
commit 5771401

The netlink parsing already validates the key 'htype'.
Remove the datapath check as it's redundant.

	Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
	Reviewed-by: Simon Horman <simon.horman@corigine.com>
	Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
	Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 5771401)
	Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
jira VULN-188480
cve-pre CVE-2026-46331
commit-author Rajat Gupta <rajat.gupta@oss.qualcomm.com>
commit e1201bc

Static key offsets should always be on 32 bit boundaries. Validate them on
create/update time for static offsets and move the datapath validation
for runtime offsets only.

iproute2 already errors out if a given offset and data size cannot be
packed to a 32 bit boundary. This change will make sure users which
create/update pedit instances directly via netlink also error out,
instead of finding out when packets are traversing.

	Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
	Reviewed-by: Simon Horman <simon.horman@corigine.com>
	Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
	Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit e1201bc)
	Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
jira VULN-188480
cve-pre CVE-2026-46331
commit-author Rajat Gupta <rajat.gupta@oss.qualcomm.com>
commit e3c9673

Unbounded info messages in the pedit datapath can flood the printk
ring buffer quite easily depending on the action created.
As these messages are informational, usually printing some, not all,
is enough to bring attention to the real issue.

	Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
	Reviewed-by: Simon Horman <simon.horman@corigine.com>
	Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
	Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit e3c9673)
	Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
jira VULN-188480
cve-pre CVE-2026-46331
commit-author Rajat Gupta <rajat.gupta@oss.qualcomm.com>
commit 6c02568

Instead of relying on skb->transport_header being set correctly, opt
instead to parse the L3 header length out of the L3 headers for both
IPv4/IPv6 when the Extended Layer Op for tcp/udp is used. This fixes a
bug if GRO is disabled, when GRO is disabled skb->transport_header is
set by __netif_receive_skb_core() to point to the L3 header, it's later
fixed by the upper protocol layers, but act_pedit will receive the SKB
before the fixups are completed. The existing behavior causes the
following to edit the L3 header if GRO is disabled instead of the UDP
header:

    tc filter add dev eth0 ingress protocol ip flower ip_proto udp \
 dst_ip 192.168.1.3 action pedit ex munge udp set dport 18053

Also re-introduce a rate-limited warning if we were unable to extract
the header offset when using the 'ex' interface.

Fixes: 71d0ed7 ("net/act_pedit: Support using offset relative to
the conventional network headers")
	Signed-off-by: Max Tottenham <mtottenh@akamai.com>
	Reviewed-by: Josh Hunt <johunt@akamai.com>
	Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202305261541.N165u9TZ-lkp@intel.com/
	Reviewed-by: Pedro Tammela <pctammela@mojatatu.com>
	Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 6c02568)
	Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
jira VULN-188480
cve-pre CVE-2026-46331
commit-author Rajat Gupta <rajat.gupta@oss.qualcomm.com>
commit 1b483d9

Ido Schimmel reports a memleak on a syzkaller instance:
   BUG: memory leak
   unreferenced object 0xffff88803d45e400 (size 1024):
     comm "syz-executor292", pid 563, jiffies 4295025223 (age 51.781s)
     hex dump (first 32 bytes):
       28 bd 70 00 fb db df 25 02 00 14 1f ff 02 00 02  (.p....%........
       00 32 00 00 1f 00 00 00 ac 14 14 3e 08 00 07 00  .2.........>....
     backtrace:
       [<ffffffff81bd0f2c>] kmemleak_alloc_recursive include/linux/kmemleak.h:42 [inline]
       [<ffffffff81bd0f2c>] slab_post_alloc_hook mm/slab.h:772 [inline]
       [<ffffffff81bd0f2c>] slab_alloc_node mm/slub.c:3452 [inline]
       [<ffffffff81bd0f2c>] __kmem_cache_alloc_node+0x25c/0x320 mm/slub.c:3491
       [<ffffffff81a865d9>] __do_kmalloc_node mm/slab_common.c:966 [inline]
       [<ffffffff81a865d9>] __kmalloc+0x59/0x1a0 mm/slab_common.c:980
       [<ffffffff83aa85c3>] kmalloc include/linux/slab.h:584 [inline]
       [<ffffffff83aa85c3>] tcf_pedit_init+0x793/0x1ae0 net/sched/act_pedit.c:245
       [<ffffffff83a90623>] tcf_action_init_1+0x453/0x6e0 net/sched/act_api.c:1394
       [<ffffffff83a90e58>] tcf_action_init+0x5a8/0x950 net/sched/act_api.c:1459
       [<ffffffff83a96258>] tcf_action_add+0x118/0x4e0 net/sched/act_api.c:1985
       [<ffffffff83a96997>] tc_ctl_action+0x377/0x490 net/sched/act_api.c:2044
       [<ffffffff83920a8d>] rtnetlink_rcv_msg+0x46d/0xd70 net/core/rtnetlink.c:6395
       [<ffffffff83b24305>] netlink_rcv_skb+0x185/0x490 net/netlink/af_netlink.c:2575
       [<ffffffff83901806>] rtnetlink_rcv+0x26/0x30 net/core/rtnetlink.c:6413
       [<ffffffff83b21cae>] netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
       [<ffffffff83b21cae>] netlink_unicast+0x5be/0x8a0 net/netlink/af_netlink.c:1365
       [<ffffffff83b2293f>] netlink_sendmsg+0x9af/0xed0 net/netlink/af_netlink.c:1942
       [<ffffffff8380c39f>] sock_sendmsg_nosec net/socket.c:724 [inline]
       [<ffffffff8380c39f>] sock_sendmsg net/socket.c:747 [inline]
       [<ffffffff8380c39f>] ____sys_sendmsg+0x3ef/0xaa0 net/socket.c:2503
       [<ffffffff838156d2>] ___sys_sendmsg+0x122/0x1c0 net/socket.c:2557
       [<ffffffff8381594f>] __sys_sendmsg+0x11f/0x200 net/socket.c:2586
       [<ffffffff83815ab0>] __do_sys_sendmsg net/socket.c:2595 [inline]
       [<ffffffff83815ab0>] __se_sys_sendmsg net/socket.c:2593 [inline]
       [<ffffffff83815ab0>] __x64_sys_sendmsg+0x80/0xc0 net/socket.c:2593

The recently added static offset check missed a free to the key buffer when
bailing out on error.

Fixes: e1201bc ("net/sched: act_pedit: check static offsets a priori")
	Reported-by: Ido Schimmel <idosch@idosch.org>
	Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
	Reviewed-by: Ido Schimmel <idosch@nvidia.com>
	Tested-by: Ido Schimmel <idosch@nvidia.com>
Link: https://lore.kernel.org/r/20230425144725.669262-1-pctammela@mojatatu.com
	Signed-off-by: Paolo Abeni <pabeni@redhat.com>
(cherry picked from commit 1b483d9)
	Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
jira VULN-188480
cve-pre CVE-2026-46331
commit-author Rajat Gupta <rajat.gupta@oss.qualcomm.com>
commit e9e4229

The TC architecture allows filters and actions to be created independently.
In filters the user can reference action objects using:
tc action add action pedit ... index 1
tc filter add ... action pedit index 1

In the current code for act_pedit this is broken as it checks netlink
attributes for create/update before actually checking if we are binding to an
existing action.

tdc results:
1..69
ok 1 319a - Add pedit action that mangles IP TTL
ok 2 7e67 - Replace pedit action with invalid goto chain
ok 3 377e - Add pedit action with RAW_OP offset u32
ok 4 a0ca - Add pedit action with RAW_OP offset u32 (INVALID)
ok 5 dd8a - Add pedit action with RAW_OP offset u16 u16
ok 6 53db - Add pedit action with RAW_OP offset u16 (INVALID)
ok 7 5c7e - Add pedit action with RAW_OP offset u8 add value
ok 8 2893 - Add pedit action with RAW_OP offset u8 quad
ok 9 3a07 - Add pedit action with RAW_OP offset u8-u16-u8
ok 10 ab0f - Add pedit action with RAW_OP offset u16-u8-u8
ok 11 9d12 - Add pedit action with RAW_OP offset u32 set u16 clear u8 invert
ok 12 ebfa - Add pedit action with RAW_OP offset overflow u32 (INVALID)
ok 13 f512 - Add pedit action with RAW_OP offset u16 at offmask shift set
ok 14 c2cb - Add pedit action with RAW_OP offset u32 retain value
ok 15 1762 - Add pedit action with RAW_OP offset u8 clear value
ok 16 bcee - Add pedit action with RAW_OP offset u8 retain value
ok 17 e89f - Add pedit action with RAW_OP offset u16 retain value
ok 18 c282 - Add pedit action with RAW_OP offset u32 clear value
ok 19 c422 - Add pedit action with RAW_OP offset u16 invert value
ok 20 d3d3 - Add pedit action with RAW_OP offset u32 invert value
ok 21 57e5 - Add pedit action with RAW_OP offset u8 preserve value
ok 22 99e0 - Add pedit action with RAW_OP offset u16 preserve value
ok 23 1892 - Add pedit action with RAW_OP offset u32 preserve value
ok 24 4b60 - Add pedit action with RAW_OP negative offset u16/u32 set value
ok 25 a5a7 - Add pedit action with LAYERED_OP eth set src
ok 26 86d4 - Add pedit action with LAYERED_OP eth set src & dst
ok 27 f8a9 - Add pedit action with LAYERED_OP eth set dst
ok 28 c715 - Add pedit action with LAYERED_OP eth set src (INVALID)
ok 29 8131 - Add pedit action with LAYERED_OP eth set dst (INVALID)
ok 30 ba22 - Add pedit action with LAYERED_OP eth type set/clear sequence
ok 31 dec4 - Add pedit action with LAYERED_OP eth set type (INVALID)
ok 32 ab06 - Add pedit action with LAYERED_OP eth add type
ok 33 918d - Add pedit action with LAYERED_OP eth invert src
ok 34 a8d4 - Add pedit action with LAYERED_OP eth invert dst
ok 35 ee13 - Add pedit action with LAYERED_OP eth invert type
ok 36 7588 - Add pedit action with LAYERED_OP ip set src
ok 37 0fa7 - Add pedit action with LAYERED_OP ip set dst
ok 38 5810 - Add pedit action with LAYERED_OP ip set src & dst
ok 39 1092 - Add pedit action with LAYERED_OP ip set ihl & dsfield
ok 40 02d8 - Add pedit action with LAYERED_OP ip set ttl & protocol
ok 41 3e2d - Add pedit action with LAYERED_OP ip set ttl (INVALID)
ok 42 31ae - Add pedit action with LAYERED_OP ip ttl clear/set
ok 43 486f - Add pedit action with LAYERED_OP ip set duplicate fields
ok 44 e790 - Add pedit action with LAYERED_OP ip set ce, df, mf, firstfrag, nofrag fields
ok 45 cc8a - Add pedit action with LAYERED_OP ip set tos
ok 46 7a17 - Add pedit action with LAYERED_OP ip set precedence
ok 47 c3b6 - Add pedit action with LAYERED_OP ip add tos
ok 48 43d3 - Add pedit action with LAYERED_OP ip add precedence
ok 49 438e - Add pedit action with LAYERED_OP ip clear tos
ok 50 6b1b - Add pedit action with LAYERED_OP ip clear precedence
ok 51 824a - Add pedit action with LAYERED_OP ip invert tos
ok 52 106f - Add pedit action with LAYERED_OP ip invert precedence
ok 53 6829 - Add pedit action with LAYERED_OP beyond ip set dport & sport
ok 54 afd8 - Add pedit action with LAYERED_OP beyond ip set icmp_type & icmp_code
ok 55 3143 - Add pedit action with LAYERED_OP beyond ip set dport (INVALID)
ok 56 815c - Add pedit action with LAYERED_OP ip6 set src
ok 57 4dae - Add pedit action with LAYERED_OP ip6 set dst
ok 58 fc1f - Add pedit action with LAYERED_OP ip6 set src & dst
ok 59 6d34 - Add pedit action with LAYERED_OP ip6 dst retain value (INVALID)
ok 60 94bb - Add pedit action with LAYERED_OP ip6 traffic_class
ok 61 6f5e - Add pedit action with LAYERED_OP ip6 flow_lbl
ok 62 6795 - Add pedit action with LAYERED_OP ip6 set payload_len, nexthdr, hoplimit
ok 63 1442 - Add pedit action with LAYERED_OP tcp set dport & sport
ok 64 b7ac - Add pedit action with LAYERED_OP tcp sport set (INVALID)
ok 65 cfcc - Add pedit action with LAYERED_OP tcp flags set
ok 66 3bc4 - Add pedit action with LAYERED_OP tcp set dport, sport & flags fields
ok 67 f1c8 - Add pedit action with LAYERED_OP udp set dport & sport
ok 68 d784 - Add pedit action with mixed RAW/LAYERED_OP #1
ok 69 70ca - Add pedit action with mixed RAW/LAYERED_OP #2

Fixes: 71d0ed7 ("net/act_pedit: Support using offset relative to the conventional network headers")
Fixes: f67169f ("net/sched: act_pedit: fix WARN() in the traffic path")
	Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
	Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
	Reviewed-by: Simon Horman <simon.horman@corigine.com>
	Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit e9e4229)
	Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
jira VULN-188480
cve CVE-2026-46331
commit-author Rajat Gupta <rajat.gupta@oss.qualcomm.com>
commit 899ee91
upstream-diff |
	rename include file from linux/unaligned.h to asm/unaligned.h

tcf_pedit_act() computes the COW range for skb_ensure_writable()
once before the key loop using tcfp_off_max_hint, but the hint does
not account for the runtime header offset added by typed keys. This
can leave part of the write region un-COW'd.

Fix by moving skb_ensure_writable() inside the per-key loop where
the actual write offset is known, and add overflow checking on the
offset arithmetic. For negative offsets (e.g. Ethernet header edits
at ingress), use skb_cow() to COW the headroom instead. Guard
offset_valid() against INT_MIN, where negation is undefined.

Fixes: 8b79647 ("net/sched: act_pedit: really ensure the skb is writable")
	Reported-by: Yiming Qian <yimingqian591@gmail.com>
	Reported-by: Keenan Dong <keenanat2000@gmail.com>
	Reported-by: Han Guidong <2045gemini@gmail.com>
	Reported-by: Zhang Cen <rollkingzzc@gmail.com>
	Reviewed-by: Han Guidong <2045gemini@gmail.com>
	Tested-by: Han Guidong <2045gemini@gmail.com>
	Reviewed-by: Davide Caratti <dcaratti@redhat.com>
	Tested-by: Davide Caratti <dcaratti@redhat.com>
	Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
	Tested-by: Toke Høiland-Jørgensen <toke@redhat.com>
	Reviewed-by: Victor Nogueira <victor@mojatatu.com>
	Tested-by: Victor Nogueira <victor@mojatatu.com>
	Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
	Signed-off-by: Rajat Gupta <rajat.gupta@oss.qualcomm.com>
Link: https://patch.msgid.link/20260531123221.48732-1-jhs@mojatatu.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 899ee91)
	Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
@ciq-kernel-automation ciq-kernel-automation Bot added the created-by-kernelci Tag PRs that were automatically created when a user branch was pushed to the repo (kernelCI) label Jun 29, 2026
@github-actions

Copy link
Copy Markdown

🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/28387001467

@github-actions

Copy link
Copy Markdown

🔍 Interdiff Analysis

  • ⚠️ PR commit 96215551dc9 (net/sched: transition act_pedit to rcu and percpu stats) → upstream 52cf89f78c01
    Differences found:
================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/net/sched/act_pedit.c
+++ b/net/sched/act_pedit.c
@@ -134,5 +139,5 @@
 {
-	struct tc_action_net *tn = net_generic(net, pedit_net_id);
+	struct tc_action_net *tn = net_generic(net, act_pedit_ops.net_id);
 	bool bind = flags & TCA_ACT_FLAGS_BIND;
 	struct nlattr *tb[TCA_PEDIT_MAX + 1];
 	struct tcf_chain *goto_ch = NULL;
@@ -316,4 +321,4 @@
-			 struct tcf_result *res)
+				    struct tcf_result *res)
 {
 	struct tcf_pedit *p = to_pedit(a);
 	u32 max_offset;
  • ⚠️ PR commit 41ffc6bd54d (net/sched: simplify tcf_pedit_act) → upstream 95b069382351
    Differences found:
================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/net/sched/act_pedit.c
+++ b/net/sched/act_pedit.c
@@ -337,5 +337,5 @@
-static int tcf_pedit_act(struct sk_buff *skb, const struct tc_action *a,
-			 struct tcf_result *res)
+				    const struct tc_action *a,
+				    struct tcf_result *res)
 {
 	struct tcf_pedit *p = to_pedit(a);
 	struct tcf_pedit_parms *parms;
  • ⚠️ PR commit dc9730f2e66 (net/sched: act_pedit: remove extra check for key type) → upstream 577140180ba2
    Differences found:
================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/net/sched/act_pedit.c
+++ b/net/sched/act_pedit.c
@@ -337,4 +358,4 @@
 	return ret;
 }
 
-static int tcf_pedit_act(struct sk_buff *skb, const struct tc_action *a,
+TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
  • ⚠️ PR commit b4a3e8e7c94 (net/sched: act_pedit: Parse L3 Header for L4 offset) → upstream 6c02568fd1ae
    Differences found:
================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/net/sched/act_pedit.c
+++ b/net/sched/act_pedit.c
@@ -336,4 +351,4 @@
 	}
 }
 
-static int tcf_pedit_act(struct sk_buff *skb, const struct tc_action *a,
+TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
  • ⚠️ PR commit 4ad01aef87f (net/sched: fix pedit partial COW leading to page cache corruption) → upstream 899ee91156e5
    Differences found:
================================================================================
*    DELTA DIFFERENCES - code changes that differ between the patches          *
================================================================================

--- b/net/sched/act_pedit.c
+++ b/net/sched/act_pedit.c
@@ -17,7 +17,7 @@
 #include <linux/ipv6.h>
 #include <linux/slab.h>
 #include <linux/overflow.h>
-#include <asm/unaligned.h>
+#include <linux/unaligned.h>
 #include <net/ipv6.h>
 #include <net/netlink.h>
 #include <net/pkt_sched.h>

################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/include/net/tc_act/tc_pedit.h
+++ b/include/net/tc_act/tc_pedit.h
@@ -15,7 +15,6 @@
 	struct tc_pedit_key	*tcfp_keys;
 	struct tcf_pedit_key_ex	*tcfp_keys_ex;
 	int action;
-	u32 tcfp_off_max_hint;
 	unsigned char tcfp_nkeys;
 	unsigned char tcfp_flags;
 	struct rcu_head rcu;

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/include/net/tc_act/tc_pedit.h
+++ b/include/net/tc_act/tc_pedit.h
@@ -12,5 +11,6 @@
 	struct tc_pedit_key	*tcfp_keys;
 	struct tcf_pedit_key_ex	*tcfp_keys_ex;
+	int action;
 	u32 tcfp_off_max_hint;
 	unsigned char tcfp_nkeys;
 	unsigned char tcfp_flags;

This is an automated interdiff check for backported commits.

@github-actions

Copy link
Copy Markdown

Validation checks completed successfully View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/28387001467

@roxanan1996 roxanan1996 changed the title [ciqlts9_2] Multiple patches tested (10 commits) [ciqlts9_2] CVE-2026-46331 Jun 29, 2026
@bmastbergen bmastbergen self-requested a review June 29, 2026 18:39

@bmastbergen bmastbergen left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🥌

@bmastbergen bmastbergen requested a review from a team June 29, 2026 18:40

@PlaidCat PlaidCat left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:shipit:

@bmastbergen bmastbergen merged commit c51650a into ciqlts9_2 Jun 29, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

created-by-kernelci Tag PRs that were automatically created when a user branch was pushed to the repo (kernelCI)

Development

Successfully merging this pull request may close these issues.

4 participants