Skip to content

[ciqlts9_6] Multiple patches tested (8 commits)#1403

Open
ciq-kernel-automation[bot] wants to merge 8 commits into
ciqlts9_6from
{ciq_kernel_automation}_ciqlts9_6
Open

[ciqlts9_6] Multiple patches tested (8 commits)#1403
ciq-kernel-automation[bot] wants to merge 8 commits into
ciqlts9_6from
{ciq_kernel_automation}_ciqlts9_6

Conversation

@ciq-kernel-automation

Copy link
Copy Markdown

Summary

This PR has been automatically created after successful completion of all CI stages.

Commit Message(s)

netfilter: conntrack: clamp maximum hashtable size to INT_MAX

jira VULN-161930
cve CVE-2025-21648
commit-author Pablo Neira Ayuso <pablo@netfilter.org>
commit b541ba7d1f5a5b7b3e2e22dc9e40e18a7d6dbc13
RDMA/rxe: Fix double free in rxe_srq_from_init

jira VULN-186068
cve CVE-2026-45852
commit-author Jiasheng Jiang <jiashengjiangcool@gmail.com>
commit 0beefd0e15d962f497aad750b2d5e9c3570b66d1
ALSA: aloop: Fix racy access at PCM trigger

jira VULN-176124
cve CVE-2026-23191
commit-author Takashi Iwai <tiwai@suse.de>
commit 826af7fa62e347464b1b4e0ba2fe19a92438084f
RDMA/umem: Fix double dma_buf_unpin in failure path

jira VULN-184380
cve CVE-2026-43128
commit-author Jacob Moroni <jmoroni@google.com>
commit 104016eb671e19709721c1b0048dd912dc2e96be
scsi: qla2xxx: Completely fix fcport double free

jira VULN-185060
cve CVE-2026-43414
commit-author Vladimir Riabchun <ferr.lambarginio@gmail.com>
commit c0b7da13a04bd70ef6070bfb9ea85f582294560a
netfilter: flowtable: strictly check for maximum number of actions

jira VULN-185476
cve CVE-2026-43329
commit-author Pablo Neira Ayuso <pablo@netfilter.org>
commit 76522fcdbc3a02b568f5d957f7e66fc194abb893
netfilter: nf_conntrack_helper: pass helper to expect cleanup

jira VULN-183691
cve CVE-2026-43027
commit-author Qi Tang <tpluszz77@gmail.com>
commit a242a9ae58aa46ff7dae51ce64150a93957abe65
RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()

jira VULN-190445
cve CVE-2026-46176
commit-author Junrui Luo <moonafterrain@outlook.com>
commit c488df06bd552bb8b6e14fa0cfd5ad986c6e9525

Test Results

✅ Build Stage

Architecture Build Time Total Time
x86_64 32m 52s 33m 59s
aarch64 25m 44s 26m 48s

✅ Boot Verification

✅ Kernel Selftests

Architecture Passed Failed Compared Against Status
x86_64 207 42 ciqlts9_6 ⚠️ No baseline available
aarch64 152 47 ciqlts9_6 ⚠️ No baseline available

✅ LTP Results

Architecture Passed Failed Compared Against Status
x86_64 1453 82 ciqlts9_6 ⚠️ No baseline available
aarch64 1421 88 ciqlts9_6 ⚠️ No baseline available

🤖 This PR was automatically generated by GitHub Actions
Run ID: 28776364171

CIQ Kernel Automation added 8 commits July 6, 2026 07:40
jira VULN-161930
cve CVE-2025-21648
commit-author Pablo Neira Ayuso <pablo@netfilter.org>
commit b541ba7

Use INT_MAX as maximum size for the conntrack hashtable. Otherwise, it
is possible to hit WARN_ON_ONCE in __kvmalloc_node_noprof() when
resizing hashtable because __GFP_NOWARN is unset. See:

  0708a0a ("mm: Consider __GFP_NOWARN flag for oversized kvmalloc() calls")

Note: hashtable resize is only possible from init_netns.

Fixes: 9cc1c73 ("netfilter: conntrack: avoid integer overflow when resizing")
	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit b541ba7)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-186068
cve CVE-2026-45852
commit-author Jiasheng Jiang <jiashengjiangcool@gmail.com>
commit 0beefd0

In rxe_srq_from_init(), the queue pointer 'q' is assigned to
'srq->rq.queue' before copying the SRQ number to user space.
If copy_to_user() fails, the function calls rxe_queue_cleanup()
to free the queue, but leaves the now-invalid pointer in
'srq->rq.queue'.

The caller of rxe_srq_from_init() (rxe_create_srq) eventually
calls rxe_srq_cleanup() upon receiving the error, which triggers
a second rxe_queue_cleanup() on the same memory, leading to a
double free.

The call trace looks like this:
   kmem_cache_free+0x.../0x...
   rxe_queue_cleanup+0x1a/0x30 [rdma_rxe]
   rxe_srq_cleanup+0x42/0x60 [rdma_rxe]
   rxe_elem_release+0x31/0x70 [rdma_rxe]
   rxe_create_srq+0x12b/0x1a0 [rdma_rxe]
   ib_create_srq_user+0x9a/0x150 [ib_core]

Fix this by moving 'srq->rq.queue = q' after copy_to_user.

Fixes: aae0484 ("IB/rxe: avoid srq memory leak")
	Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Link: https://patch.msgid.link/20260112015412.29458-1-jiashengjiangcool@gmail.com
	Reviewed-by: Zhu Yanjun <yanjun.Zhu@linux.dev>
	Signed-off-by: Leon Romanovsky <leon@kernel.org>
(cherry picked from commit 0beefd0)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-176124
cve CVE-2026-23191
commit-author Takashi Iwai <tiwai@suse.de>
commit 826af7f

The PCM trigger callback of aloop driver tries to check the PCM state
and stop the stream of the tied substream in the corresponding cable.
Since both check and stop operations are performed outside the cable
lock, this may result in UAF when a program attempts to trigger
frequently while opening/closing the tied stream, as spotted by
fuzzers.

For addressing the UAF, this patch changes two things:
- It covers the most of code in loopback_check_format() with
  cable->lock spinlock, and add the proper NULL checks.  This avoids
  already some racy accesses.
- In addition, now we try to check the state of the capture PCM stream
  that may be stopped in this function, which was the major pain point
  leading to UAF.

	Reported-by: syzbot+5f8f3acdee1ec7a7ef7b@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/69783ba1.050a0220.c9109.0011.GAE@google.com
	Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20260203141003.116584-1-tiwai@suse.de
	Signed-off-by: Takashi Iwai <tiwai@suse.de>
(cherry picked from commit 826af7f)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-184380
cve CVE-2026-43128
commit-author Jacob Moroni <jmoroni@google.com>
commit 104016e

In ib_umem_dmabuf_get_pinned_with_dma_device(), the call to
ib_umem_dmabuf_map_pages() can fail. If this occurs, the dmabuf
is immediately unpinned but the umem_dmabuf->pinned flag is still
set. Then, when ib_umem_release() is called, it calls
ib_umem_dmabuf_revoke() which will call dma_buf_unpin() again.

Fix this by removing the immediate unpin upon failure and just let
the ib_umem_release/revoke path handle it. This also ensures the
proper unmap-unpin unwind ordering if the dmabuf_map_pages call
happened to fail due to dma_resv_wait_timeout (and therefore has
a non-NULL umem_dmabuf->sgt).

Fixes: 1e4df4a ("RDMA/umem: Allow pinned dmabuf umem usage")
	Signed-off-by: Jacob Moroni <jmoroni@google.com>
Link: https://patch.msgid.link/20260224234153.1207849-1-jmoroni@google.com
	Signed-off-by: Leon Romanovsky <leon@kernel.org>
(cherry picked from commit 104016e)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-185060
cve CVE-2026-43414
commit-author Vladimir Riabchun <ferr.lambarginio@gmail.com>
commit c0b7da1

In qla24xx_els_dcmd_iocb() sp->free is set to qla2x00_els_dcmd_sp_free().
When an error happens, this function is called by qla2x00_sp_release(),
when kref_put() releases the first and the last reference.

qla2x00_els_dcmd_sp_free() frees fcport by calling qla2x00_free_fcport().
Doing it one more time after kref_put() is a bad idea.

Fixes: 82f522a ("scsi: qla2xxx: Fix double free of fcport")
Fixes: 4895009 ("scsi: qla2xxx: Prevent command send on chip reset")
	Signed-off-by: Vladimir Riabchun <ferr.lambarginio@gmail.com>
	Signed-off-by: Farhat Abbas <fabbas@cloudlinux.com>
Link: https://patch.msgid.link/aYsDln9NFQQsPDgg@vova-pc
	Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
(cherry picked from commit c0b7da1)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-185476
cve CVE-2026-43329
commit-author Pablo Neira Ayuso <pablo@netfilter.org>
commit 76522fc

The maximum number of flowtable hardware offload actions in IPv6 is:

* ethernet mangling (4 payload actions, 2 for each ethernet address)
* SNAT (4 payload actions)
* DNAT (4 payload actions)
* Double VLAN (4 vlan actions, 2 for popping vlan, and 2 for pushing)
  for QinQ.
* Redirect (1 action)

Which makes 17, while the maximum is 16. But act_ct supports for tunnels
actions too. Note that payload action operates at 32-bit word level, so
mangling an IPv6 address takes 4 payload actions.

Update flow_action_entry_next() calls to check for the maximum number of
supported actions.

While at it, rise the maximum number of actions per flow from 16 to 24
so this works fine with IPv6 setups.

Fixes: c29f74e ("netfilter: nf_flow_table: hardware offload support")
	Reported-by: Hyunwoo Kim <imv4bel@gmail.com>
	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 76522fc)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-183691
cve CVE-2026-43027
commit-author Qi Tang <tpluszz77@gmail.com>
commit a242a9a

nf_conntrack_helper_unregister() calls nf_ct_expect_iterate_destroy()
to remove expectations belonging to the helper being unregistered.
However, it passes NULL instead of the helper pointer as the data
argument, so expect_iter_me() never matches any expectation and all
of them survive the cleanup.

After unregister returns, nfnl_cthelper_del() frees the helper
object immediately.  Subsequent expectation dumps or packet-driven
init_conntrack() calls then dereference the freed exp->helper,
causing a use-after-free.

Pass the actual helper pointer so expectations referencing it are
properly destroyed before the helper object is freed.

  BUG: KASAN: slab-use-after-free in string+0x38f/0x430
  Read of size 1 at addr ffff888003b14d20 by task poc/103
  Call Trace:
   string+0x38f/0x430
   vsnprintf+0x3cc/0x1170
   seq_printf+0x17a/0x240
   exp_seq_show+0x2e5/0x560
   seq_read_iter+0x419/0x1280
   proc_reg_read+0x1ac/0x270
   vfs_read+0x179/0x930
   ksys_read+0xef/0x1c0
  Freed by task 103:
  The buggy address is located 32 bytes inside of
   freed 192-byte region [ffff888003b14d00, ffff888003b14dc0)

Fixes: ac7b848 ("netfilter: expect: add and use nf_ct_expect_iterate helpers")
	Signed-off-by: Qi Tang <tpluszz77@gmail.com>
	Reviewed-by: Phil Sutter <phil@nwl.cc>
	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit a242a9a)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-190445
cve CVE-2026-46176
commit-author Junrui Luo <moonafterrain@outlook.com>
commit c488df0

mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When
ib_create_srq() fails for s1, the error branch destroys s0 but falls
through and unconditionally assigns the freed s0 and the ERR_PTR s1 to
devr->s0 and devr->s1.

This leads to several problems: the lock-free fast path checks
"if (devr->s1) return 0;" and treats the ERR_PTR as already initialised;
users in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via
to_msrq(devr->s0)->msrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences
the ERR_PTR and double-frees s0 on teardown.

Fix by adding the same `goto unlock` in the s1 failure path.

	Cc: stable@vger.kernel.org
Fixes: 5895e70 ("IB/mlx5: Allocate resources just before first QP/SRQ is created")
Link: https://patch.msgid.link/r/SYBPR01MB7881E1E0970268BD69C0BA75AF2B2@SYBPR01MB7881.ausprd01.prod.outlook.com
	Reported-by: Yuhao Jiang <danisjiang@gmail.com>
	Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
	Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
(cherry picked from commit c488df0)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
@ciq-kernel-automation ciq-kernel-automation Bot added the created-by-kernelci Tag PRs that were automatically created when a user branch was pushed to the repo (kernelCI) label Jul 6, 2026
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/28796634035

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

🔍 Interdiff Analysis

  • ⚠️ PR commit 7ed0f27d4b6 (netfilter: nf_conntrack_helper: pass helper to expect cleanup) → upstream a242a9ae58aa
    Differences found:
================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/net/netfilter/nf_conntrack_helper.c
+++ b/net/netfilter/nf_conntrack_helper.c
@@ -412,7 +412,7 @@
 	 */
 	synchronize_rcu();
 
 	nf_ct_expect_iterate_destroy(expect_iter_me, NULL);
 	nf_ct_iterate_destroy(unhelp, me);
-}
-EXPORT_SYMBOL_GPL(nf_conntrack_helper_unregister);
+
+	/* nf_ct_iterate_destroy() does an unconditional synchronize_rcu() as

This is an automated interdiff check for backported commits.

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

Validation checks completed successfully View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/28796634035

@bmastbergen bmastbergen self-requested a review July 6, 2026 18:27

@bmastbergen bmastbergen left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🥌

@bmastbergen bmastbergen requested a review from a team July 6, 2026 18:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

created-by-kernelci Tag PRs that were automatically created when a user branch was pushed to the repo (kernelCI)

Development

Successfully merging this pull request may close these issues.

1 participant