Skip to content

[ciqlts9_6] Multiple patches tested (4 commits)#1415

Open
ciq-kernel-automation[bot] wants to merge 4 commits into
ciqlts9_6from
{rnicolescu}_ciqlts9_6
Open

[ciqlts9_6] Multiple patches tested (4 commits)#1415
ciq-kernel-automation[bot] wants to merge 4 commits into
ciqlts9_6from
{rnicolescu}_ciqlts9_6

Conversation

@ciq-kernel-automation

Copy link
Copy Markdown

Summary

This PR has been automatically created after successful completion of all CI stages.

Commit Message(s)

RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()

jira VULN-187925
cve CVE-2026-46181
commit-author Jason Gunthorpe <jgg@ziepe.ca>
commit c9341307ea16b9395c2e4c9c94d8499d91fe31d0
upstream-diff |
	refcount_set_release() does not exist.
	Instead of backporting the wrapper, atomic_set_release() was used
	directly on the underlying aromic_t.
sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL

jira VULN-186969
cve CVE-2026-46227
commit-author Ben Morris <bmorris@anthropic.com>
commit abb5f36771cc4c05899b34000829a787572a8817
exit: prevent preemption of oopsing TASK_DEAD task

jira VULN-187125
cve CVE-2026-46173
commit-author Jann Horn <jannh@google.com>
commit c1fa0bb633e4a6b11e83ffc57fa5abe8ebb87891
netfilter: nft_inner: Fix IPv6 inner_thoff desync

jira VULN-186973
cve CVE-2026-46244
commit-author Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
commit b6a91f68ebfed9c38e0e9150f58a9b85da07181c

Test Results

✅ Build Stage

Architecture Build Time Total Time
x86_64 33m 3s 34m 0s
aarch64 18m 29s 19m 11s

✅ Boot Verification

✅ Kernel Selftests

Architecture Passed Failed Compared Against Status
x86_64 206 43 ciqlts9_6 ✅ No regressions
aarch64 151 48 ciqlts9_6 ✅ No regressions

✅ LTP Results

Architecture Passed Failed Compared Against Status
x86_64 1453 82 ciqlts9_6 ✅ No regressions
aarch64 1426 83 ciqlts9_6 ✅ No regressions

x86_64 newly passing:

  • futex_wake04 (FAIL -> PASS)

🤖 This PR was automatically generated by GitHub Actions
Run ID: 28932587133

CIQ Kernel Automation added 4 commits July 8, 2026 11:32
jira VULN-187925
cve CVE-2026-46181
commit-author Jason Gunthorpe <jgg@ziepe.ca>
commit c934130
upstream-diff |
	refcount_set_release() does not exist.
	Instead of backporting the wrapper, atomic_set_release() was used
	directly on the underlying aromic_t.

Sashiko points out the radix_tree itself is RCU safe, but nothing ever
frees the mlx4_srq struct with RCU, and it isn't even accessed within the
RCU critical section. It also will crash if an event is delivered before
the srq object is finished initializing.

Use the spinlock since it isn't easy to make RCU work, use
refcount_inc_not_zero() to protect against partially initialized objects,
and order the refcount_set() to be after the srq is fully initialized.

	Cc: stable@vger.kernel.org
Fixes: 30353bf ("net/mlx4_core: Use RCU to perform radix tree lookup for SRQ")
Link: https://sashiko.dev/#/patchset/0-v2-1c49eeb88c48%2B91-rdma_udata_rep_jgg%40nvidia.com?part=5
Link: https://patch.msgid.link/r/12-v1-41f3135e5565+9d2-rdma_ai_fixes1_jgg@nvidia.com
	Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
(cherry picked from commit c934130)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
	Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
…DALL

jira VULN-186969
cve CVE-2026-46227
commit-author Ben Morris <bmorris@anthropic.com>
commit abb5f36

The SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with
list_for_each_entry_safe(), which caches the next entry in @tmp before
the loop body runs.  The body calls sctp_sendmsg_to_asoc(), which may
drop the socket lock inside sctp_wait_for_sndbuf().

While the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the
association cached in @tmp, migrating it to a new endpoint via
sctp_sock_migrate() (list_del_init() + list_add_tail() to
newep->asocs), and optionally close the new socket which frees the
association via kfree_rcu().  The cached @tmp can also be freed by a
network ABORT for that association, processed in softirq while the
lock is dropped.

sctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock
via the "sk != asoc->base.sk" and "asoc->base.dead" checks, but nothing
revalidates @tmp.  After a successful return, the iterator advances to
the stale @tmp, yielding either a use-after-free (if the peeled socket
was closed) or a list-walk onto the new endpoint's list head (type
confusion of &newep->asocs as a struct sctp_association *).

Both are reachable from CapEff=0; the type-confusion path gives
controlled indirect call via the outqueue.sched->init_sid pointer.

Fix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc()
returns.  @asoc is known to still be on ep->asocs at that point: the
only callers that list_del an association from ep->asocs are
sctp_association_free() (which sets asoc->base.dead) and
sctp_assoc_migrate() (which changes asoc->base.sk), and
sctp_wait_for_sndbuf() checks both under the lock before any
successful return; a tripped check propagates as err < 0 and the loop
bails before the re-derive.

The SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the
loop hits 'continue' before sctp_sendmsg_to_asoc() is ever called, so
the @tmp cached by list_for_each_entry_safe() still covers the
lock-held free that ba59fb0 ("sctp: walk the list of asoc
safely") was added for.

Fixes: 4910280 ("sctp: add support for snd flag SCTP_SENDALL process in sendmsg")
	Cc: stable@vger.kernel.org
	Signed-off-by: Ben Morris <bmorris@anthropic.com>
	Acked-by: Xin Long <lucien.xin@gmail.com>
Link: https://patch.msgid.link/20260508001455.3137-1-joycathacker@gmail.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit abb5f36)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-187125
cve CVE-2026-46173
commit-author Jann Horn <jannh@google.com>
commit c1fa0bb

When an already-exiting task oopses, make_task_dead() currently calls
do_task_dead() with preemption enabled.  That is forbidden:
do_task_dead() calls __schedule(), which has a comment saying "WARNING:
must be called with preemption disabled!".

If an oopsing task is preempted in do_task_dead(), between becoming
TASK_DEAD and entering the scheduler explicitly, bad things happen:
finish_task_switch() assumes that once the scheduler has switched away
from a TASK_DEAD task, the task can never run again and its stack is no
longer needed; but that assumption apparently doesn't hold if the dead
task was preempted (the SM_PREEMPT case).

This means that the scheduler ends up repeatedly dropping references on
the dead task's stack, which can lead to use-after-free or double-free
of the entire task stack; in other words, two tasks can end up running
on the same stack, resulting in various kinds of memory corruption.

(This does not just affect "recursively oopsing" tasks; it is enough to
oops once during task exit, for example in a file_operations::release
handler)

Fixes: 7f80a2f ("exit: Stop poorly open coding do_task_dead in make_task_dead")
	Cc: stable@kernel.org
	Signed-off-by: Jann Horn <jannh@google.com>
	Acked-by: Peter Zijlstra <peterz@infradead.org>
	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit c1fa0bb)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-186973
cve CVE-2026-46244
commit-author Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
commit b6a91f6

In nft_inner_parse_l2l3(), when processing inner IPv6 packets,
ipv6_find_hdr() correctly computes the transport header offset
traversing all extension headers, but the result is immediately
overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only
accounts for the IPv6 base header. This creates a desync between
inner_thoff (wrong — points to extension header start) and l4proto
(correct — e.g., IPPROTO_TCP), enabling transport header forgery
and potential firewall bypass. This issue affects stable versions
from Linux 6.2.

For comparison, the normal (non-inner) IPv6 path correctly
preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite
ensures that ipv6_find_hdr()'s calculated transport header offset is
preserved, thereby fixing the desynchronization.

Fixes: 3a07327 ("netfilter: nft_inner: support for inner tunnel header matching")
	Cc: stable@vger.kernel.org
	Reported-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
	Reported-by: Yuxiang Yang <yangyx22@mails.tsinghua.edu.cn>
	Reported-by: Xuewei Feng <fengxw06@126.com>
	Reported-by: Qi Li <qli01@tsinghua.edu.cn>
	Reported-by: Ke Xu <xuke@tsinghua.edu.cn>
Assisted-by: GLM:5.1 Z.ai
	Signed-off-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
	Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit b6a91f6)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
@ciq-kernel-automation ciq-kernel-automation Bot added the created-by-kernelci Tag PRs that were automatically created when a user branch was pushed to the repo (kernelCI) label Jul 8, 2026
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown

🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/28947270076

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown

🔍 Interdiff Analysis

  • ⚠️ PR commit 30b4e2e4c4c (RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()) → upstream c9341307ea16
    Differences found:
================================================================================
*    DELTA DIFFERENCES - code changes that differ between the patches          *
================================================================================

--- b/drivers/net/ethernet/mellanox/mlx4/srq.c
+++ b/drivers/net/ethernet/mellanox/mlx4/srq.c
@@ -205,7 +205,7 @@
 		goto err_radix;
 
 	init_completion(&srq->free);
-	atomic_set_release(&srq->refcount.refs, 1);
+	refcount_set_release(&srq->refcount, 1);
 
 	return 0;

This is an automated interdiff check for backported commits.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown

Validation checks completed successfully View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/28947270076

@bmastbergen bmastbergen left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🥌

@bmastbergen bmastbergen requested a review from a team July 8, 2026 15:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

created-by-kernelci Tag PRs that were automatically created when a user branch was pushed to the repo (kernelCI)

Development

Successfully merging this pull request may close these issues.

1 participant