Skip to content

[ciqlts8_6] Multiple patches tested (8 commits)#1401

Open
ciq-kernel-automation[bot] wants to merge 8 commits into
ciqlts8_6from
{ciq_kernel_automation}_ciqlts8_6
Open

[ciqlts8_6] Multiple patches tested (8 commits)#1401
ciq-kernel-automation[bot] wants to merge 8 commits into
ciqlts8_6from
{ciq_kernel_automation}_ciqlts8_6

Conversation

@ciq-kernel-automation

@ciq-kernel-automation ciq-kernel-automation Bot commented Jul 6, 2026

Copy link
Copy Markdown

Summary

This PR has been automatically created after successful completion of all CI stages.

Commit Message(s)

sch_hfsc: make hfsc_qlen_notify() idempotent

jira VULN-71944
cve CVE-2025-38177
commit-author Cong Wang <xiyou.wangcong@gmail.com>
commit 51eb3b65544c9efd6a1026889ee5fb5aa62da3bb
net/sched: sch_hfsc: Don't make class passive twice

jira VULN-71944
cve-bf CVE-2025-38177
commit-author Victor Nogueira <victor@mojatatu.com>
commit 90b662ea25f5e83bb3b8ccec5b93ced810b92fb8
libceph: make decode_pool() more resilient against corrupted osdmaps

jira VULN-174154
cve CVE-2025-71116
commit-author Ilya Dryomov <idryomov@gmail.com>
commit 8c738512714e8c0aa18f8a10c072d5b01c83db39
libceph: prevent potential out-of-bounds reads in handle_auth_done()

jira VULN-174766
cve CVE-2026-22984
commit-author ziming zhang <ezrakiez@gmail.com>
commit 818156caffbf55cb4d368f9c3cac64e458fb49c9
libceph: replace overzealous BUG_ON in osdmap_apply_incremental()

jira VULN-174786
cve CVE-2026-22990
commit-author Ilya Dryomov <idryomov@gmail.com>
commit e00c3f71b5cf75681dbd74ee3f982a99cb690c2b
RDMA/rxe: Fix double free in rxe_srq_from_init

jira VULN-186064
cve CVE-2026-45852
commit-author Jiasheng Jiang <jiashengjiangcool@gmail.com>
commit 0beefd0e15d962f497aad750b2d5e9c3570b66d1
upstream-diff Based on the 5.10 stable backport. Upstream moves both
  srq->rq.queue and init->attr.max_wr assignments; this kernel never had
  init->attr.max_wr in rxe_srq_from_init(), so only the queue pointer
  assignment is moved.
netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()

jira VULN-179954
cve CVE-2026-23455
commit-author Jenny Guanni Qu <qguanni@gmail.com>
commit f173d0f4c0f689173f8cdac79991043a4a89bf66
sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL

jira VULN-186965
cve CVE-2026-46227
commit-author Ben Morris <bmorris@anthropic.com>
commit abb5f36771cc4c05899b34000829a787572a8817

Test Results

✅ Build Stage

Architecture Build Time Total Time
x86_64 22m 12s 23m 8s
aarch64 9m 58s 10m 40s

✅ Boot Verification

✅ Kernel Selftests

Architecture Passed Failed Compared Against Status
x86_64 108 31 ciqlts8_6 ✅ No regressions
aarch64 66 21 ciqlts8_6 ✅ No regressions

✅ LTP Results

Architecture Passed Failed Compared Against Status
x86_64 1440 13 ciqlts8_6 ✅ No regressions
aarch64 1425 14 ciqlts8_6 ✅ No regressions

x86_64 newly passing:

  • cap_bounds (PASS)
  • check_keepcaps01 (PASS)
  • check_keepcaps02 (PASS)
  • check_keepcaps03 (PASS)
  • dio19 (PASS)
  • dio20 (PASS)
  • dio21 (PASS)
  • dio22 (PASS)
  • dio23 (PASS)
  • dio24 (PASS)
  • dio25 (PASS)
  • dio26 (PASS)
  • dio27 (PASS)
  • dio28 (PASS)
  • dio29 (PASS)
  • dio30 (PASS)
  • filecaps (PASS)
  • fs_perms01 (PASS)
  • fs_perms02 (PASS)

🤖 This PR was automatically generated by GitHub Actions
Run ID: 28800908621

CIQ Kernel Automation added 5 commits July 6, 2026 07:54
jira VULN-71944
cve CVE-2025-38177
commit-author Cong Wang <xiyou.wangcong@gmail.com>
commit 51eb3b6

hfsc_qlen_notify() is not idempotent either and not friendly
to its callers, like fq_codel_dequeue(). Let's make it idempotent
to ease qdisc_tree_reduce_backlog() callers' life:

1. update_vf() decreases cl->cl_nactive, so we can check whether it is
non-zero before calling it.

2. eltree_remove() always removes RB node cl->el_node, but we can use
   RB_EMPTY_NODE() + RB_CLEAR_NODE() to make it safe.

	Reported-by: Gerrard Tai <gerrard.tai@starlabs.sg>
	Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
	Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250403211033.166059-4-xiyou.wangcong@gmail.com
	Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
	Signed-off-by: Paolo Abeni <pabeni@redhat.com>
(cherry picked from commit 51eb3b6)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-71944
cve-bf CVE-2025-38177
commit-author Victor Nogueira <victor@mojatatu.com>
commit 90b662e

update_vf() is called from two places for the same class during a single
dequeue when the class's child qdisc (e.g. codel/fq_codel) drops its last
packets while dequeuing:

1. The child calls qdisc_tree_reduce_backlog(), which, now that the child
   is empty, invokes hfsc_qlen_notify() -> update_vf(cl, 0, 0) and turns
   the class passive (cl_nactive is decremented up the hierarchy).

2. hfsc_dequeue() then calls update_vf(cl, qdisc_pkt_len(skb), cur_time)
   to charge the dequeued bytes.

On the second call the class is already passive, but its child qdisc is
still empty, so update_vf() arms go_passive again:

      if (cl->qdisc->q.qlen == 0 && cl->cl_flags & HFSC_FSC)
              go_passive = 1;

The leaf is then skipped by the cl_nactive == 0 check inside the loop,
which does not clear go_passive, so the stale go_passive propagates to the
parent and decrements its cl_nactive a second time. A parent that still
has other active children is driven to cl_nactive == 0 and removed from
the vttree, even though those siblings are still backlogged. They are
never dequeued again and the qdisc stalls.

Fix this by only arming go_passive when the class is actually active, so an
already-passive class no longer triggers a second passive transition. The
byte accounting (cl->cl_total += len) still runs for every ancestor, so
dequeued bytes continue to be counted exactly once.

Fixes: 51eb3b6 ("sch_hfsc: make hfsc_qlen_notify() idempotent")
	Reported-by: Anirudh Gupta <anirudhrudr@gmail.com>
Closes: https://lore.kernel.org/netdev/CAN2cbVe79oj0O9==m4+4x3v+O+qzRagA=2=wkrp9i9=CqYvyZA@mail.gmail.com/
	Tested-by: Anirudh Gupta <anirudhrudr@gmail.com>
	Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
	Signed-off-by: Victor Nogueira <victor@mojatatu.com>
Link: https://patch.msgid.link/20260610132824.3027549-1-victor@mojatatu.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 90b662e)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-174154
cve CVE-2025-71116
commit-author Ilya Dryomov <idryomov@gmail.com>
commit 8c73851

If the osdmap is (maliciously) corrupted such that the encoded length
of ceph_pg_pool envelope is less than what is expected for a particular
encoding version, out-of-bounds reads may ensue because the only bounds
check that is there is based on that length value.

This patch adds explicit bounds checks for each field that is decoded
or skipped.

	Cc: stable@vger.kernel.org
	Reported-by: ziming zhang <ezrakiez@gmail.com>
	Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
	Reviewed-by: Xiubo Li <xiubli@redhat.com>
	Tested-by: ziming zhang <ezrakiez@gmail.com>
(cherry picked from commit 8c73851)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-174766
cve CVE-2026-22984
commit-author ziming zhang <ezrakiez@gmail.com>
commit 818156c

Perform an explicit bounds check on payload_len to avoid a possible
out-of-bounds access in the callout.

[ idryomov: changelog ]

	Cc: stable@vger.kernel.org
	Signed-off-by: ziming zhang <ezrakiez@gmail.com>
	Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
	Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
(cherry picked from commit 818156c)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-174786
cve CVE-2026-22990
commit-author Ilya Dryomov <idryomov@gmail.com>
commit e00c3f7

If the osdmap is (maliciously) corrupted such that the incremental
osdmap epoch is different from what is expected, there is no need to
BUG.  Instead, just declare the incremental osdmap to be invalid.

	Cc: stable@vger.kernel.org
	Reported-by: ziming zhang <ezrakiez@gmail.com>
	Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
(cherry picked from commit e00c3f7)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
@ciq-kernel-automation ciq-kernel-automation Bot added the created-by-kernelci Tag PRs that were automatically created when a user branch was pushed to the repo (kernelCI) label Jul 6, 2026
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/28790592545

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

🔍 Interdiff Analysis

  • ⚠️ PR commit e27f438fe9cd (RDMA/rxe: Fix double free in rxe_srq_from_init) → upstream 0beefd0e15d9
    Differences found:
################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/drivers/infiniband/sw/rxe/rxe_srq.c
+++ b/drivers/infiniband/sw/rxe/rxe_srq.c
@@ -77,9 +77,6 @@
 		goto err_free;
 	}
 
-	srq->rq.queue = q;
-	init->attr.max_wr = srq->rq.max_wr;
-
 	if (uresp) {
 		if (copy_to_user(&uresp->srq_num, &srq->srq_num,
 				 sizeof(uresp->srq_num))) {

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/drivers/infiniband/sw/rxe/rxe_srq.c
+++ b/drivers/infiniband/sw/rxe/rxe_srq.c
@@ -77,3 +86,2 @@
 	return 0;
-}

This is an automated interdiff check for backported commits.

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

Validation checks completed successfully View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/28790592545

CIQ Kernel Automation added 3 commits July 6, 2026 10:52
jira VULN-186064
cve CVE-2026-45852
commit-author Jiasheng Jiang <jiashengjiangcool@gmail.com>
commit 0beefd0
upstream-diff Based on the 5.10 stable backport. Upstream moves both
  srq->rq.queue and init->attr.max_wr assignments; this kernel never had
  init->attr.max_wr in rxe_srq_from_init(), so only the queue pointer
  assignment is moved.

In rxe_srq_from_init(), the queue pointer 'q' is assigned to
'srq->rq.queue' before copying the SRQ number to user space.
If copy_to_user() fails, the function calls rxe_queue_cleanup()
to free the queue, but leaves the now-invalid pointer in
'srq->rq.queue'.

The caller of rxe_srq_from_init() (rxe_create_srq) eventually
calls rxe_srq_cleanup() upon receiving the error, which triggers
a second rxe_queue_cleanup() on the same memory, leading to a
double free.

The call trace looks like this:
   kmem_cache_free+0x.../0x...
   rxe_queue_cleanup+0x1a/0x30 [rdma_rxe]
   rxe_srq_cleanup+0x42/0x60 [rdma_rxe]
   rxe_elem_release+0x31/0x70 [rdma_rxe]
   rxe_create_srq+0x12b/0x1a0 [rdma_rxe]
   ib_create_srq_user+0x9a/0x150 [ib_core]

Fix this by moving 'srq->rq.queue = q' after copy_to_user.

Fixes: aae0484 ("IB/rxe: avoid srq memory leak")
	Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Link: https://patch.msgid.link/20260112015412.29458-1-jiashengjiangcool@gmail.com
	Reviewed-by: Zhu Yanjun <yanjun.Zhu@linux.dev>
	Signed-off-by: Leon Romanovsky <leon@kernel.org>
(cherry picked from commit 0beefd0)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-179954
cve CVE-2026-23455
commit-author Jenny Guanni Qu <qguanni@gmail.com>
commit f173d0f

In DecodeQ931(), the UserUserIE code path reads a 16-bit length from
the packet, then decrements it by 1 to skip the protocol discriminator
byte before passing it to DecodeH323_UserInformation(). If the encoded
length is 0, the decrement wraps to -1, which is then passed as a
large value to the decoder, leading to an out-of-bounds read.

Add a check to ensure len is positive after the decrement.

Fixes: 5e35941 ("[NETFILTER]: Add H.323 conntrack/NAT helper")
	Reported-by: Klaudia Kloc <klaudia@vidocsecurity.com>
	Reported-by: Dawid Moczadło <dawid@vidocsecurity.com>
	Tested-by: Jenny Guanni Qu <qguanni@gmail.com>
	Signed-off-by: Jenny Guanni Qu <qguanni@gmail.com>
	Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit f173d0f)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
…DALL

jira VULN-186965
cve CVE-2026-46227
commit-author Ben Morris <bmorris@anthropic.com>
commit abb5f36

The SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with
list_for_each_entry_safe(), which caches the next entry in @tmp before
the loop body runs.  The body calls sctp_sendmsg_to_asoc(), which may
drop the socket lock inside sctp_wait_for_sndbuf().

While the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the
association cached in @tmp, migrating it to a new endpoint via
sctp_sock_migrate() (list_del_init() + list_add_tail() to
newep->asocs), and optionally close the new socket which frees the
association via kfree_rcu().  The cached @tmp can also be freed by a
network ABORT for that association, processed in softirq while the
lock is dropped.

sctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock
via the "sk != asoc->base.sk" and "asoc->base.dead" checks, but nothing
revalidates @tmp.  After a successful return, the iterator advances to
the stale @tmp, yielding either a use-after-free (if the peeled socket
was closed) or a list-walk onto the new endpoint's list head (type
confusion of &newep->asocs as a struct sctp_association *).

Both are reachable from CapEff=0; the type-confusion path gives
controlled indirect call via the outqueue.sched->init_sid pointer.

Fix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc()
returns.  @asoc is known to still be on ep->asocs at that point: the
only callers that list_del an association from ep->asocs are
sctp_association_free() (which sets asoc->base.dead) and
sctp_assoc_migrate() (which changes asoc->base.sk), and
sctp_wait_for_sndbuf() checks both under the lock before any
successful return; a tripped check propagates as err < 0 and the loop
bails before the re-derive.

The SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the
loop hits 'continue' before sctp_sendmsg_to_asoc() is ever called, so
the @tmp cached by list_for_each_entry_safe() still covers the
lock-held free that ba59fb0 ("sctp: walk the list of asoc
safely") was added for.

Fixes: 4910280 ("sctp: add support for snd flag SCTP_SENDALL process in sendmsg")
	Cc: stable@vger.kernel.org
	Signed-off-by: Ben Morris <bmorris@anthropic.com>
	Acked-by: Xin Long <lucien.xin@gmail.com>
Link: https://patch.msgid.link/20260508001455.3137-1-joycathacker@gmail.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit abb5f36)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
@bmastbergen bmastbergen force-pushed the {ciq_kernel_automation}_ciqlts8_6 branch from 9c2d55f to 377837f Compare July 6, 2026 14:55
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/28801610794

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

🔍 Interdiff Analysis

  • ⚠️ PR commit 1313c476cbc9 (RDMA/rxe: Fix double free in rxe_srq_from_init) → upstream 0beefd0e15d9
    Differences found:
================================================================================
*    DELTA DIFFERENCES - code changes that differ between the patches          *
================================================================================

--- b/drivers/infiniband/sw/rxe/rxe_srq.c
+++ b/drivers/infiniband/sw/rxe/rxe_srq.c
@@ -101,6 +101,8 @@
 		return -ENOMEM;
 	}
 
+	srq->rq.queue = q;
+
 	err = do_mmap_info(rxe, uresp ? &uresp->mi : NULL, udata, q->buf,
 			   q->buf_size, &q->ip);
 	if (err) {
@@ -118,6 +120,7 @@
 	}
 
 	srq->rq.queue = q;
+	init->attr.max_wr = srq->rq.max_wr;
 
 	return 0;
 }

################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/drivers/infiniband/sw/rxe/rxe_srq.c
+++ b/drivers/infiniband/sw/rxe/rxe_srq.c
@@ -77,9 +77,6 @@
 		goto err_free;
 	}
 
-	srq->rq.queue = q;
-	init->attr.max_wr = srq->rq.max_wr;
-
 	if (uresp) {
 		if (copy_to_user(&uresp->srq_num, &srq->srq_num,
 				 sizeof(uresp->srq_num))) {

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/drivers/infiniband/sw/rxe/rxe_srq.c
+++ b/drivers/infiniband/sw/rxe/rxe_srq.c
@@ -74,5 +74,5 @@
-		return -ENOMEM;
+		goto err_free;
 	}
 
 	srq->rq.queue = q;
 
@@ -85,3 +85,2 @@
 	return 0;
-}

This is an automated interdiff check for backported commits.

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

Validation checks completed successfully View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/28801610794

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

created-by-kernelci Tag PRs that were automatically created when a user branch was pushed to the repo (kernelCI)

Development

Successfully merging this pull request may close these issues.

0 participants