Skip to content

[ciqlts9_2] Multiple patches tested (8 commits)#1416

Open
ciq-kernel-automation[bot] wants to merge 8 commits into
ciqlts9_2from
{rnicolescu}_ciqlts9_2
Open

[ciqlts9_2] Multiple patches tested (8 commits)#1416
ciq-kernel-automation[bot] wants to merge 8 commits into
ciqlts9_2from
{rnicolescu}_ciqlts9_2

Conversation

@ciq-kernel-automation

Copy link
Copy Markdown

Summary

This PR has been automatically created after successful completion of all CI stages.

Commit Message(s)

RDMA/umem: Fix double dma_buf_unpin in failure path

jira VULN-184378
cve CVE-2026-43128
commit-author Jacob Moroni <jmoroni@google.com>
commit 104016eb671e19709721c1b0048dd912dc2e96be
Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout

jira VULN-65614
cve CVE-2024-27398
commit-author Duoming Zhou <duoming@zju.edu.cn>
commit 483bc08181827fc475643272ffb69c533007e546
Bluetooth: SCO: Fix UAF on sco_sock_timeout

jira VULN-8628
cve CVE-2024-50125
commit-author Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
commit 1bf4470a3939c678fb822073e9ea77a0560bc6bb
upstream-diff |
	Adjusted context in include/net/bluetooth/bluetooth.h due to missing
	bt_sock_alloc().
Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold

jira VULN-180255
cve CVE-2026-31408
commit-author Hyunwoo Kim <imv4bel@gmail.com>
commit 598dbba9919c5e36c54fe1709b557d64120cb94b
netfilter: flowtable: strictly check for maximum number of actions

jira VULN-185474
cve CVE-2026-43329
commit-author Pablo Neira Ayuso <pablo@netfilter.org>
commit 76522fcdbc3a02b568f5d957f7e66fc194abb893
RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()

jira VULN-187923
cve CVE-2026-46181
commit-author Jason Gunthorpe <jgg@ziepe.ca>
commit c9341307ea16b9395c2e4c9c94d8499d91fe31d0
upstream-diff |
        refcount_set_release() does not exist.
        Instead of backporting the wrapper, atomic_set_release() was used
        directly on the underlying aromic_t.
RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path

jira VULN-188154
cve CVE-2026-46189
commit-author Jason Gunthorpe <jgg@ziepe.ca>
commit e38e86995df27f1f854063dab1f0c6a513db3faf
exit: prevent preemption of oopsing TASK_DEAD task

jira VULN-187123
cve CVE-2026-46173
commit-author Jann Horn <jannh@google.com>
commit c1fa0bb633e4a6b11e83ffc57fa5abe8ebb87891

Test Results

✅ Build Stage

Architecture Build Time Total Time
x86_64 23m 1s 23m 51s
aarch64 12m 55s 13m 30s

✅ Boot Verification

✅ Kernel Selftests

Architecture Passed Failed Compared Against Status
x86_64 173 25 ciqlts9_2 ✅ No regressions
aarch64 141 27 ciqlts9_2 ✅ No regressions

✅ LTP Results

Architecture Passed Failed Compared Against Status
x86_64 1439 81 ciqlts9_2 ✅ No regressions
aarch64 1409 83 ciqlts9_2 ✅ No regressions

aarch64 newly passing:

  • fcntl14_64 (FAIL -> PASS)

🤖 This PR was automatically generated by GitHub Actions
Run ID: 28935462447

CIQ Kernel Automation and others added 8 commits July 8, 2026 07:22
jira VULN-184378
cve CVE-2026-43128
commit-author Jacob Moroni <jmoroni@google.com>
commit 104016e

In ib_umem_dmabuf_get_pinned_with_dma_device(), the call to
ib_umem_dmabuf_map_pages() can fail. If this occurs, the dmabuf
is immediately unpinned but the umem_dmabuf->pinned flag is still
set. Then, when ib_umem_release() is called, it calls
ib_umem_dmabuf_revoke() which will call dma_buf_unpin() again.

Fix this by removing the immediate unpin upon failure and just let
the ib_umem_release/revoke path handle it. This also ensures the
proper unmap-unpin unwind ordering if the dmabuf_map_pages call
happened to fail due to dma_resv_wait_timeout (and therefore has
a non-NULL umem_dmabuf->sgt).

Fixes: 1e4df4a ("RDMA/umem: Allow pinned dmabuf umem usage")
	Signed-off-by: Jacob Moroni <jmoroni@google.com>
Link: https://patch.msgid.link/20260224234153.1207849-1-jmoroni@google.com
	Signed-off-by: Leon Romanovsky <leon@kernel.org>
(cherry picked from commit 104016e)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-65614
cve CVE-2024-27398
commit-author Duoming Zhou <duoming@zju.edu.cn>
commit 483bc08

When the sco connection is established and then, the sco socket
is releasing, timeout_work will be scheduled to judge whether
the sco disconnection is timeout. The sock will be deallocated
later, but it is dereferenced again in sco_sock_timeout. As a
result, the use-after-free bugs will happen. The root cause is
shown below:

    Cleanup Thread               |      Worker Thread
sco_sock_release                 |
  sco_sock_close                 |
    __sco_sock_close             |
      sco_sock_set_timer         |
        schedule_delayed_work    |
  sco_sock_kill                  |    (wait a time)
    sock_put(sk) //FREE          |  sco_sock_timeout
                                 |    sock_hold(sk) //USE

The KASAN report triggered by POC is shown below:

[   95.890016] ==================================================================
[   95.890496] BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x5e/0x1c0
[   95.890755] Write of size 4 at addr ffff88800c388080 by task kworker/0:0/7
...
[   95.890755] Workqueue: events sco_sock_timeout
[   95.890755] Call Trace:
[   95.890755]  <TASK>
[   95.890755]  dump_stack_lvl+0x45/0x110
[   95.890755]  print_address_description+0x78/0x390
[   95.890755]  print_report+0x11b/0x250
[   95.890755]  ? __virt_addr_valid+0xbe/0xf0
[   95.890755]  ? sco_sock_timeout+0x5e/0x1c0
[   95.890755]  kasan_report+0x139/0x170
[   95.890755]  ? update_load_avg+0xe5/0x9f0
[   95.890755]  ? sco_sock_timeout+0x5e/0x1c0
[   95.890755]  kasan_check_range+0x2c3/0x2e0
[   95.890755]  sco_sock_timeout+0x5e/0x1c0
[   95.890755]  process_one_work+0x561/0xc50
[   95.890755]  worker_thread+0xab2/0x13c0
[   95.890755]  ? pr_cont_work+0x490/0x490
[   95.890755]  kthread+0x279/0x300
[   95.890755]  ? pr_cont_work+0x490/0x490
[   95.890755]  ? kthread_blkcg+0xa0/0xa0
[   95.890755]  ret_from_fork+0x34/0x60
[   95.890755]  ? kthread_blkcg+0xa0/0xa0
[   95.890755]  ret_from_fork_asm+0x11/0x20
[   95.890755]  </TASK>
[   95.890755]
[   95.890755] Allocated by task 506:
[   95.890755]  kasan_save_track+0x3f/0x70
[   95.890755]  __kasan_kmalloc+0x86/0x90
[   95.890755]  __kmalloc+0x17f/0x360
[   95.890755]  sk_prot_alloc+0xe1/0x1a0
[   95.890755]  sk_alloc+0x31/0x4e0
[   95.890755]  bt_sock_alloc+0x2b/0x2a0
[   95.890755]  sco_sock_create+0xad/0x320
[   95.890755]  bt_sock_create+0x145/0x320
[   95.890755]  __sock_create+0x2e1/0x650
[   95.890755]  __sys_socket+0xd0/0x280
[   95.890755]  __x64_sys_socket+0x75/0x80
[   95.890755]  do_syscall_64+0xc4/0x1b0
[   95.890755]  entry_SYSCALL_64_after_hwframe+0x67/0x6f
[   95.890755]
[   95.890755] Freed by task 506:
[   95.890755]  kasan_save_track+0x3f/0x70
[   95.890755]  kasan_save_free_info+0x40/0x50
[   95.890755]  poison_slab_object+0x118/0x180
[   95.890755]  __kasan_slab_free+0x12/0x30
[   95.890755]  kfree+0xb2/0x240
[   95.890755]  __sk_destruct+0x317/0x410
[   95.890755]  sco_sock_release+0x232/0x280
[   95.890755]  sock_close+0xb2/0x210
[   95.890755]  __fput+0x37f/0x770
[   95.890755]  task_work_run+0x1ae/0x210
[   95.890755]  get_signal+0xe17/0xf70
[   95.890755]  arch_do_signal_or_restart+0x3f/0x520
[   95.890755]  syscall_exit_to_user_mode+0x55/0x120
[   95.890755]  do_syscall_64+0xd1/0x1b0
[   95.890755]  entry_SYSCALL_64_after_hwframe+0x67/0x6f
[   95.890755]
[   95.890755] The buggy address belongs to the object at ffff88800c388000
[   95.890755]  which belongs to the cache kmalloc-1k of size 1024
[   95.890755] The buggy address is located 128 bytes inside of
[   95.890755]  freed 1024-byte region [ffff88800c388000, ffff88800c388400)
[   95.890755]
[   95.890755] The buggy address belongs to the physical page:
[   95.890755] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800c38a800 pfn:0xc388
[   95.890755] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   95.890755] anon flags: 0x100000000000840(slab|head|node=0|zone=1)
[   95.890755] page_type: 0xffffffff()
[   95.890755] raw: 0100000000000840 ffff888006842dc0 0000000000000000 0000000000000001
[   95.890755] raw: ffff88800c38a800 000000000010000a 00000001ffffffff 0000000000000000
[   95.890755] head: 0100000000000840 ffff888006842dc0 0000000000000000 0000000000000001
[   95.890755] head: ffff88800c38a800 000000000010000a 00000001ffffffff 0000000000000000
[   95.890755] head: 0100000000000003 ffffea000030e201 ffffea000030e248 00000000ffffffff
[   95.890755] head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
[   95.890755] page dumped because: kasan: bad access detected
[   95.890755]
[   95.890755] Memory state around the buggy address:
[   95.890755]  ffff88800c387f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   95.890755]  ffff88800c388000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   95.890755] >ffff88800c388080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   95.890755]                    ^
[   95.890755]  ffff88800c388100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   95.890755]  ffff88800c388180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   95.890755] ==================================================================

Fix this problem by adding a check protected by sco_conn_lock to judget
whether the conn->hcon is null. Because the conn->hcon will be set to null,
when the sock is releasing.

Fixes: ba316be ("Bluetooth: schedule SCO timeouts with delayed_work")
	Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
	Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
(cherry picked from commit 483bc08)
	Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
jira VULN-8628
cve CVE-2024-50125
commit-author Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
commit 1bf4470
upstream-diff |
	Adjusted context in include/net/bluetooth/bluetooth.h due to missing
	bt_sock_alloc().

conn->sk maybe have been unlinked/freed while waiting for sco_conn_lock
so this checks if the conn->sk is still valid by checking if it part of
sco_sk_list.

	Reported-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com
	Tested-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
Fixes: ba316be ("Bluetooth: schedule SCO timeouts with delayed_work")
	Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
(cherry picked from commit 1bf4470)
	Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
… sock_hold

jira VULN-180255
cve CVE-2026-31408
commit-author Hyunwoo Kim <imv4bel@gmail.com>
commit 598dbba

sco_recv_frame() reads conn->sk under sco_conn_lock() but immediately
releases the lock without holding a reference to the socket. A concurrent
close() can free the socket between the lock release and the subsequent
sk->sk_state access, resulting in a use-after-free.

Other functions in the same file (sco_sock_timeout(), sco_conn_del())
correctly use sco_sock_hold() to safely hold a reference under the lock.

Fix by using sco_sock_hold() to take a reference before releasing the
lock, and adding sock_put() on all exit paths.

Fixes: 1da177e ("Linux-2.6.12-rc2")
	Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
	Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
(cherry picked from commit 598dbba)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-185474
cve CVE-2026-43329
commit-author Pablo Neira Ayuso <pablo@netfilter.org>
commit 76522fc

The maximum number of flowtable hardware offload actions in IPv6 is:

* ethernet mangling (4 payload actions, 2 for each ethernet address)
* SNAT (4 payload actions)
* DNAT (4 payload actions)
* Double VLAN (4 vlan actions, 2 for popping vlan, and 2 for pushing)
  for QinQ.
* Redirect (1 action)

Which makes 17, while the maximum is 16. But act_ct supports for tunnels
actions too. Note that payload action operates at 32-bit word level, so
mangling an IPv6 address takes 4 payload actions.

Update flow_action_entry_next() calls to check for the maximum number of
supported actions.

While at it, rise the maximum number of actions per flow from 16 to 24
so this works fine with IPv6 setups.

Fixes: c29f74e ("netfilter: nf_flow_table: hardware offload support")
	Reported-by: Hyunwoo Kim <imv4bel@gmail.com>
	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 76522fc)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-187923
cve CVE-2026-46181
commit-author Jason Gunthorpe <jgg@ziepe.ca>
commit c934130
upstream-diff |
        refcount_set_release() does not exist.
        Instead of backporting the wrapper, atomic_set_release() was used
        directly on the underlying aromic_t.

Sashiko points out the radix_tree itself is RCU safe, but nothing ever
frees the mlx4_srq struct with RCU, and it isn't even accessed within the
RCU critical section. It also will crash if an event is delivered before
the srq object is finished initializing.

Use the spinlock since it isn't easy to make RCU work, use
refcount_inc_not_zero() to protect against partially initialized objects,
and order the refcount_set() to be after the srq is fully initialized.

	Cc: stable@vger.kernel.org
Fixes: 30353bf ("net/mlx4_core: Use RCU to perform radix tree lookup for SRQ")
Link: https://sashiko.dev/#/patchset/0-v2-1c49eeb88c48%2B91-rdma_udata_rep_jgg%40nvidia.com?part=5
Link: https://patch.msgid.link/r/12-v1-41f3135e5565+9d2-rdma_ai_fixes1_jgg@nvidia.com
	Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
(cherry picked from commit c934130)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
	Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
jira VULN-188154
cve CVE-2026-46189
commit-author Jason Gunthorpe <jgg@ziepe.ca>
commit e38e869

Sashiko points out that pvrdma_uar_free() is already called within
pvrdma_dealloc_ucontext(), so calling it before triggers a double free.

	Cc: stable@vger.kernel.org
Fixes: 29c8d9e ("IB: Add vmw_pvrdma driver")
Link: https://sashiko.dev/#/patchset/0-v1-e911b76a94d1%2B65d95-rdma_udata_rep_jgg%40nvidia.com?part=4
Link: https://patch.msgid.link/r/10-v1-41f3135e5565+9d2-rdma_ai_fixes1_jgg@nvidia.com
	Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
(cherry picked from commit e38e869)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-187123
cve CVE-2026-46173
commit-author Jann Horn <jannh@google.com>
commit c1fa0bb

When an already-exiting task oopses, make_task_dead() currently calls
do_task_dead() with preemption enabled.  That is forbidden:
do_task_dead() calls __schedule(), which has a comment saying "WARNING:
must be called with preemption disabled!".

If an oopsing task is preempted in do_task_dead(), between becoming
TASK_DEAD and entering the scheduler explicitly, bad things happen:
finish_task_switch() assumes that once the scheduler has switched away
from a TASK_DEAD task, the task can never run again and its stack is no
longer needed; but that assumption apparently doesn't hold if the dead
task was preempted (the SM_PREEMPT case).

This means that the scheduler ends up repeatedly dropping references on
the dead task's stack, which can lead to use-after-free or double-free
of the entire task stack; in other words, two tasks can end up running
on the same stack, resulting in various kinds of memory corruption.

(This does not just affect "recursively oopsing" tasks; it is enough to
oops once during task exit, for example in a file_operations::release
handler)

Fixes: 7f80a2f ("exit: Stop poorly open coding do_task_dead in make_task_dead")
	Cc: stable@kernel.org
	Signed-off-by: Jann Horn <jannh@google.com>
	Acked-by: Peter Zijlstra <peterz@infradead.org>
	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit c1fa0bb)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
@ciq-kernel-automation ciq-kernel-automation Bot added the created-by-kernelci Tag PRs that were automatically created when a user branch was pushed to the repo (kernelCI) label Jul 8, 2026
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown

🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/28951716090

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown

🔍 Interdiff Analysis

  • ⚠️ PR commit 520e82924fc (Bluetooth: SCO: Fix UAF on sco_sock_timeout) → upstream 1bf4470a3939
    Differences found:
################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/include/net/bluetooth/bluetooth.h
+++ b/include/net/bluetooth/bluetooth.h
@@ -403,6 +403,7 @@
 void bt_sock_unregister(int proto);
 void bt_sock_link(struct bt_sock_list *l, struct sock *s);
 void bt_sock_unlink(struct bt_sock_list *l, struct sock *s);
+bool bt_sock_linked(struct bt_sock_list *l, struct sock *s);
 struct sock *bt_sock_alloc(struct net *net, struct socket *sock,
 			   struct proto *prot, int proto, gfp_t prio, int kern);
 int  bt_sock_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/include/net/bluetooth/bluetooth.h
+++ b/include/net/bluetooth/bluetooth.h
@@ -380,2 +380,4 @@
 void bt_sock_unlink(struct bt_sock_list *l, struct sock *s);
+struct sock *bt_sock_alloc(struct net *net, struct socket *sock,
+			   struct proto *prot, int proto, gfp_t prio, int kern);
 int  bt_sock_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
--- b/net/bluetooth/af_bluetooth.c
+++ b/net/bluetooth/af_bluetooth.c
@@ -153,6 +153,6 @@
 }
 EXPORT_SYMBOL(bt_sock_unlink);
 
 void bt_accept_enqueue(struct sock *parent, struct sock *sk, bool bh)
 {
-	BT_DBG("parent %p, sk %p", parent, sk);
+	const struct cred *old_cred;
  • ⚠️ PR commit 31a54a4ab10 (RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()) → upstream c9341307ea16
    Differences found:
================================================================================
*    DELTA DIFFERENCES - code changes that differ between the patches          *
================================================================================

--- b/drivers/net/ethernet/mellanox/mlx4/srq.c
+++ b/drivers/net/ethernet/mellanox/mlx4/srq.c
@@ -205,7 +205,7 @@
 		goto err_radix;
 
 	init_completion(&srq->free);
-	atomic_set_release(&srq->refcount.refs, 1);
+	refcount_set_release(&srq->refcount, 1);
 
 	return 0;

This is an automated interdiff check for backported commits.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown

Validation checks completed successfully View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/28951716090

@roxanan1996 roxanan1996 force-pushed the {rnicolescu}_ciqlts9_2 branch 2 times, most recently from 5d45c17 to 1fcd25b Compare July 9, 2026 15:56
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/29031574144

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

🔍 Upstream Linux Kernel Commit Check

  • ⚠️ PR commit 337d3077208 (locking: Introduce __cleanup() based infrastructure) references upstream commit
    54da6a092431 which has been referenced by a Fixes: tag in the upstream
    Linux kernel:
    cd7eb8f83fc mm/slab: make __free(kfree) accept error pointers (Dan Carpenter) (CVE-2024-36890)
  • ⚠️ PR commit e78344ba931 (eventpoll: don't decrement ep refcount while still holding the ep mutex) does not reference a CVE but
    upstream commit 8c2e52ebbe88 is associated with CVE-2025-38349

  • ⚠️ PR commit 9d21a959f5e (rtmutex: Use waiter::task instead of current in remove_waiter()) references upstream commit
    3bfdc63936dd which has been referenced by a Fixes: tag in the upstream
    Linux kernel:

    74e144274af futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock (Ji'an Zhou) (CVE-2026-53166)
  • ⚠️ PR commit 5d45c176c23 (locking/rtmutex: Skip remove_waiter() when waiter is not enqueued) does not reference a CVE but
    upstream commit 40a25d59e85b is associated with CVE-2026-53163

This is an automated message from the kernel commit checker workflow.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

🔍 Interdiff Analysis

  • ⚠️ PR commit c1656112476 (epoll: use refcount to reduce ep_mutex contention) → upstream 58c9b016e128
    Differences found:
################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -771,6 +809,8 @@
 	call_rcu(&epi->rcu, epi_rcu_free);
 
 	percpu_counter_dec(&ep->user->epoll_watches);
+	return ep_refcount_dec_and_test(ep);
+}
 
 	return 0;
 }

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -723,6 +732,6 @@
 	call_rcu(&epi->rcu, epi_rcu_free);
 
-	atomic_long_dec(&ep->user->epoll_watches);
+	percpu_counter_dec(&ep->user->epoll_watches);
 
 	return 0;
 }
@@ -735,7 +744,7 @@
 
 	/* We need to release all tasks waiting for these file */
 	if (waitqueue_active(&ep->poll_wait))
-		ep_poll_safewake(ep, NULL);
+		ep_poll_safewake(ep, NULL, 0);
 
 	/*
 	 * We need to lock this because we could be hit by
  • ⚠️ PR commit 337d3077208 (locking: Introduce __cleanup() based infrastructure) → upstream 54da6a092431
    Differences found:
================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/include/linux/compiler_attributes.h
+++ b/include/linux/compiler_attributes.h
@@ -66,5 +66,5 @@
  */
-#define __cold                          __attribute__((__cold__))
+#define __assume_aligned(a, ...)        __attribute__((__assume_aligned__(a, ## __VA_ARGS__)))
 
 /*
  * Note the long name.
--- b/include/linux/percpu.h
+++ b/include/linux/percpu.h
@@ -124,5 +124,5 @@
-extern void __percpu *__alloc_percpu_gfp(size_t size, size_t align, gfp_t gfp);
-extern void __percpu *__alloc_percpu(size_t size, size_t align);
+extern void __percpu *__alloc_percpu_gfp(size_t size, size_t align, gfp_t gfp) __alloc_size(1);
+extern void __percpu *__alloc_percpu(size_t size, size_t align) __alloc_size(1);
 extern void free_percpu(void __percpu *__pdata);
 extern phys_addr_t per_cpu_ptr_to_phys(void *addr);
 
--- b/include/linux/rcupdate.h
+++ b/include/linux/rcupdate.h
@@ -29,4 +29,4 @@
 #include <linux/lockdep.h>
 #include <asm/processor.h>
 #include <linux/cpumask.h>
-
+#include <linux/context_tracking_irq.h>

================================================================================
*    ONLY IN PATCH2 - files not modified by patch1                             *
================================================================================

--- a/include/linux/preempt.h
+++ b/include/linux/preempt.h
@@ -8,6 +8,7 @@
  */
 
 #include <linux/linkage.h>
+#include <linux/cleanup.h>
 #include <linux/list.h>
 
 /*
@@ -463,4 +464,8 @@ static __always_inline void preempt_enable_nested(void)
 		preempt_enable();
 }
 
+DEFINE_LOCK_GUARD_0(preempt, preempt_disable(), preempt_enable())
+DEFINE_LOCK_GUARD_0(preempt_notrace, preempt_disable_notrace(), preempt_enable_notrace())
+DEFINE_LOCK_GUARD_0(migrate, migrate_disable(), migrate_enable())
+
 #endif /* __LINUX_PREEMPT_H */
  • ⚠️ PR commit a1f8a6cde0f (file: add fput() cleanup helper) → upstream 257b1c2c78c2
    Differences found:
================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/include/linux/file.h
+++ b/include/linux/file.h
@@ -92,6 +92,6 @@
 
 DEFINE_CLASS(get_unused_fd, int, if (_T >= 0) put_unused_fd(_T),
 	     get_unused_fd_flags(flags), unsigned flags)
 
-extern void fd_install(unsigned int fd, struct file *file);
-
+/*
+ * take_fd() will take care to set @fd to -EBADF ensuring that
  • ⚠️ PR commit e78344ba931 (eventpoll: don't decrement ep refcount while still holding the ep mutex) → upstream 8c2e52ebbe88
    Differences found:
################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -828,7 +828,7 @@
 	kfree_rcu(epi, rcu);
 
 	percpu_counter_dec(&ep->user->epoll_watches);
-	return ep_refcount_dec_and_test(ep);
+	return true;
 }
 
 /*

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -760,5 +761,5 @@
 
-	atomic_long_dec(&ep->user->epoll_watches);
+	percpu_counter_dec(&ep->user->epoll_watches);
 	return ep_refcount_dec_and_test(ep);
 }
  • ⚠️ PR commit 99dd29e429d (eventpoll: move epi_fget() up) → upstream 86e87059e6d1
    Differences found:
================================================================================
*    DELTA DIFFERENCES - code changes that differ between the patches          *
================================================================================

--- b/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -724,7 +724,7 @@
 	struct file *file;
 
 	file = epi->ffd.file;
-	if (!atomic_long_inc_not_zero(&file->f_count))
+	if (!file_ref_get(&file->f_ref))
 		file = NULL;
 	return file;
 }

################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -1046,34 +1074,6 @@
 	return res;
 }
 
-/*
- * The ffd.file pointer may be in the process of being torn down due to
- * being closed, but we may not have finished eventpoll_release() yet.
- *
- * Normally, even with the atomic_long_inc_not_zero, the file may have
- * been free'd and then gotten re-allocated to something else (since
- * files are not RCU-delayed, they are SLAB_TYPESAFE_BY_RCU).
- *
- * But for epoll, users hold the ep->mtx mutex, and as such any file in
- * the process of being free'd will block in eventpoll_release_file()
- * and thus the underlying file allocation will not be free'd, and the
- * file re-use cannot happen.
- *
- * For the same reason we can avoid a rcu_read_lock() around the
- * operation - 'ffd.file' cannot go away even if the refcount has
- * reached zero (but we must still not call out to ->poll() functions
- * etc).
- */
-static struct file *epi_fget(const struct epitem *epi)
-{
-	struct file *file;
-
-	file = epi->ffd.file;
-	if (!file_ref_get(&file->f_ref))
-		file = NULL;
-	return file;
-}
-
 /*
  * Differs from ep_eventpoll_poll() in that internal callers already have
  * the ep->mtx so we need to start from depth=1, such that mutex_lock_nested()
  • ⚠️ PR commit 9d21a959f5e (rtmutex: Use waiter::task instead of current in remove_waiter()) → upstream 3bfdc63936dd
    Differences found:
================================================================================
*    DELTA DIFFERENCES - code changes that differ between the patches          *
================================================================================

--- b/kernel/locking/rtmutex.c
+++ b/kernel/locking/rtmutex.c
@@ -1487,10 +1487,10 @@
 
 	lockdep_assert_held(&lock->wait_lock);
 
-	raw_spin_lock(&waiter_task->pi_lock);
-	rt_mutex_dequeue(lock, waiter);
-	waiter_task->pi_blocked_on = NULL;
-	raw_spin_unlock(&waiter_task->pi_lock);
+	scoped_guard(raw_spinlock, &waiter_task->pi_lock) {
+		rt_mutex_dequeue(lock, waiter);
+		waiter_task->pi_blocked_on = NULL;
+	}
 
 	/*
 	 * Only update priority if the waiter was the highest priority
  • ⚠️ PR commit 5d45c176c23 (locking/rtmutex: Skip remove_waiter() when waiter is not enqueued) → upstream 40a25d59e85b
    Differences found:
################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/kernel/locking/rtmutex.c
+++ b/kernel/locking/rtmutex.c
@@ -1558,6 +1558,9 @@
 
 	lockdep_assert_held(&lock->wait_lock);
 
+	if (!waiter_task) /* never enqueued */
+		return;
+
 	scoped_guard(raw_spinlock, &waiter_task->pi_lock) {
 		rt_mutex_dequeue(lock, waiter);
 		waiter_task->pi_blocked_on = NULL;
--- b/kernel/locking/rtmutex_api.c
+++ b/kernel/locking/rtmutex_api.c
@@ -365,7 +365,7 @@
 
 	raw_spin_lock_irq(&lock->wait_lock);
 	ret = __rt_mutex_start_proxy_lock(lock, waiter, task, &wake_q);
-	if (unlikely(ret))
+	if (unlikely(ret < 0))
 		remove_waiter(lock, waiter);
 	preempt_disable();
 	raw_spin_unlock_irq(&lock->wait_lock);

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/kernel/locking/rtmutex.c
+++ b/kernel/locking/rtmutex.c
@@ -1484,6 +1484,6 @@
 
 	lockdep_assert_held(&lock->wait_lock);
 
-	raw_spin_lock(&waiter_task->pi_lock);
-	rt_mutex_dequeue(lock, waiter);
-	waiter_task->pi_blocked_on = NULL;
+	scoped_guard(raw_spinlock, &waiter_task->pi_lock) {
+		rt_mutex_dequeue(lock, waiter);
+		waiter_task->pi_blocked_on = NULL;
--- b/kernel/locking/rtmutex_api.c
+++ b/kernel/locking/rtmutex_api.c
@@ -342,5 +342,6 @@
 	raw_spin_lock_irq(&lock->wait_lock);
-	ret = __rt_mutex_start_proxy_lock(lock, waiter, task);
+	ret = __rt_mutex_start_proxy_lock(lock, waiter, task, &wake_q);
 	if (unlikely(ret))
 		remove_waiter(lock, waiter);
+	preempt_disable();
 	raw_spin_unlock_irq(&lock->wait_lock);

This is an automated interdiff check for backported commits.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

Validation checks completed successfully View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/29031574144

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/29032132656

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

🔍 Interdiff Analysis

  • ⚠️ PR commit 520e82924fc (Bluetooth: SCO: Fix UAF on sco_sock_timeout) → upstream 1bf4470a3939
    Differences found:
################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/include/net/bluetooth/bluetooth.h
+++ b/include/net/bluetooth/bluetooth.h
@@ -403,6 +403,7 @@
 void bt_sock_unregister(int proto);
 void bt_sock_link(struct bt_sock_list *l, struct sock *s);
 void bt_sock_unlink(struct bt_sock_list *l, struct sock *s);
+bool bt_sock_linked(struct bt_sock_list *l, struct sock *s);
 struct sock *bt_sock_alloc(struct net *net, struct socket *sock,
 			   struct proto *prot, int proto, gfp_t prio, int kern);
 int  bt_sock_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/include/net/bluetooth/bluetooth.h
+++ b/include/net/bluetooth/bluetooth.h
@@ -380,2 +380,4 @@
 void bt_sock_unlink(struct bt_sock_list *l, struct sock *s);
+struct sock *bt_sock_alloc(struct net *net, struct socket *sock,
+			   struct proto *prot, int proto, gfp_t prio, int kern);
 int  bt_sock_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
--- b/net/bluetooth/af_bluetooth.c
+++ b/net/bluetooth/af_bluetooth.c
@@ -153,6 +153,6 @@
 }
 EXPORT_SYMBOL(bt_sock_unlink);
 
 void bt_accept_enqueue(struct sock *parent, struct sock *sk, bool bh)
 {
-	BT_DBG("parent %p, sk %p", parent, sk);
+	const struct cred *old_cred;
  • ⚠️ PR commit 31a54a4ab10 (RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()) → upstream c9341307ea16
    Differences found:
================================================================================
*    DELTA DIFFERENCES - code changes that differ between the patches          *
================================================================================

--- b/drivers/net/ethernet/mellanox/mlx4/srq.c
+++ b/drivers/net/ethernet/mellanox/mlx4/srq.c
@@ -205,7 +205,7 @@
 		goto err_radix;
 
 	init_completion(&srq->free);
-	atomic_set_release(&srq->refcount.refs, 1);
+	refcount_set_release(&srq->refcount, 1);
 
 	return 0;

This is an automated interdiff check for backported commits.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

Validation checks completed successfully View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/29032132656

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

created-by-kernelci Tag PRs that were automatically created when a user branch was pushed to the repo (kernelCI)

Development

Successfully merging this pull request may close these issues.

1 participant