Skip to content

[ciqlts9_6] Multiple patches tested (12 commits)#1419

Open
ciq-kernel-automation[bot] wants to merge 12 commits into
ciqlts9_6from
{shreeya_epoll_ipv6}_ciqlts9_6
Open

[ciqlts9_6] Multiple patches tested (12 commits)#1419
ciq-kernel-automation[bot] wants to merge 12 commits into
ciqlts9_6from
{shreeya_epoll_ipv6}_ciqlts9_6

Conversation

@ciq-kernel-automation

@ciq-kernel-automation ciq-kernel-automation Bot commented Jul 9, 2026

Copy link
Copy Markdown

Summary

This PR has been automatically created after successful completion of all CI stages.

Commit Message(s)

epoll: annotate racy check

jira VULN-186882
cve-pre CVE-2026-46242
commit-author Christian Brauner <brauner@kernel.org>
commit 6474353a5e3d0b2cf610153cea0c61f576a36d0a
eventpoll: use hlist_is_singular_node() in __ep_remove()

jira VULN-186882
cve-pre CVE-2026-46242
commit-author Christian Brauner <brauner@kernel.org>
commit 3d9fd0abc94d8cd430cc7cd7d37ce5e5aae2cd2b
eventpoll: split __ep_remove()

jira VULN-186882
cve-pre CVE-2026-46242
commit-author Christian Brauner <brauner@kernel.org>
commit 0f7bdfd413000985de09fc39eb9efa1e091a3ce0
eventpoll: kill __ep_remove()

jira VULN-186882
cve-pre CVE-2026-46242
commit-author Christian Brauner <brauner@kernel.org>
commit e9e5cd40d7c403e19f21d0f7b8b8ba3a76b58330
eventpoll: drop vestigial __ prefix from ep_remove_{file,epi}()

jira VULN-186882
cve-pre CVE-2026-46242
commit-author Christian Brauner <brauner@kernel.org>
commit 0feaf644f7180c4a91b6b405a881afbfd958f1cf
eventpoll: rename ep_remove_safe() back to ep_remove()

jira VULN-186882
cve-pre CVE-2026-46242
commit-author Christian Brauner <brauner@kernel.org>
commit 0bade234723e40e4937be912e105785d6a51464e
eventpoll: move epi_fget() up

jira VULN-186882
cve-pre CVE-2026-46242
commit-author Christian Brauner <brauner@kernel.org>
commit 86e87059e6d1fd5115a31949726450ed03c1073b
upstream-diff |
	Pure code motion, no functional change intended (matches upstream's
	own commit message). Kept this tree's existing epi_fget() body
	using atomic_long_inc_not_zero(&file->f_count) instead of upstream's
	file_ref_get(&file->f_ref); the file_ref_t/file_ref_get() API comes
	from a separate, unrelated whole-VFS struct file refcounting rework
	(commit 90ee6ed776c06 "fs: port files to file_ref", 2024-10-07) that
	is not present on this branch and is out of scope for this CVE fix.
	Both mechanisms provide the identical "pin the file, fail if it's
	already at zero refs" semantics the upcoming ep_remove() UAF fix
	depends on, so this substitution preserves the security property
	unchanged.
eventpoll: fix ep_remove struct eventpoll / struct file UAF

jira VULN-186882
cve CVE-2026-46242
commit-author Christian Brauner <brauner@kernel.org>
commit a6dc643c69311677c574a0f17a3f4d66a5f3744b
file: add fput() cleanup helper

jira VULN-186882
cve-pre CVE-2026-46242
commit-author Christian Brauner <brauner@kernel.org>
commit 257b1c2c78c25643526609dee0c15f1544eb3252
eventpoll: defer struct eventpoll free to RCU grace period

jira VULN-184228
cve CVE-2026-43074
commit-author Nicholas Carlini <nicholas@carlini.com>
commit 07712db80857d5d09ae08f3df85a708ecfc3b61f
rtmutex: Use waiter::task instead of current in remove_waiter()

jira VULN-191596
cve CVE-2026-43499
commit-author Keenan Dong <keenanat2000@gmail.com>
commit 3bfdc63936dd4773109b7b8c280c0f3b5ae7d349
locking/rtmutex: Skip remove_waiter() when waiter is not enqueued

jira VULN-190210
cve CVE-2026-53163
commit-author Davidlohr Bueso <dave@stgolabs.net>
commit 40a25d59e85b3c8709ac2424d44f65610467871e
upstream-diff |
	The functional change is identical to upstream: the
	remove_waiter() call in rt_mutex_start_proxy_lock() is gated on
	"ret < 0" instead of "ret" so it is skipped on the ret==1
	(lock acquired) path. Context differs: this tree's
	__rt_mutex_start_proxy_lock() has no @wake_q parameter and no
	preempt_disable() around the wait_lock release (both from later,
	unrelated reworks not present here), so only the surrounding
	context was adjusted; the patched line matches upstream verbatim.
	The kernel/locking/rtmutex.c hunk (the !waiter_task guard) applied
	cleanly.

Test Results

✅ Build Stage

Architecture Build Time Total Time
x86_64 33m 3s 34m 1s
aarch64 18m 57s 19m 46s

✅ Boot Verification

✅ Kernel Selftests

Architecture Passed Failed Compared Against Status
x86_64 207 42 ciqlts9_6 ✅ No regressions
aarch64 154 45 ciqlts9_6 ✅ No regressions

✅ LTP Results

Architecture Passed Failed Compared Against Status
x86_64 1453 82 ciqlts9_6 ✅ No regressions
aarch64 1426 83 ciqlts9_6 ✅ No regressions

🤖 This PR was automatically generated by GitHub Actions
Run ID: 29070816909

brauner and others added 12 commits July 9, 2026 09:14
jira VULN-186882
cve-pre CVE-2026-46242
commit-author Christian Brauner <brauner@kernel.org>
commit 6474353

Epoll relies on a racy fastpath check during __fput() in
eventpoll_release() to avoid the hit of pointlessly acquiring a
semaphore. Annotate that race by using WRITE_ONCE() and READ_ONCE().

Link: https://lore.kernel.org/r/66edfb3c.050a0220.3195df.001a.GAE@google.com
Link: https://lore.kernel.org/r/20240925-fungieren-anbauen-79b334b00542@brauner
Reviewed-by: Jan Kara <jack@suse.cz>
Reported-by: syzbot+3b6b32dc50537a49bb4a@syzkaller.appspotmail.com
Signed-off-by: Christian Brauner <brauner@kernel.org>

(cherry picked from commit 6474353)
Signed-off-by: Shreeya Patel <spatel@ciq.com>
jira VULN-186882
cve-pre CVE-2026-46242
commit-author Christian Brauner <brauner@kernel.org>
commit 3d9fd0a

Replace the open-coded "epi is the only entry in file->f_ep" check
with hlist_is_singular_node(). Same semantics, and the helper avoids
the head-cacheline access in the common false case.

Link: https://patch.msgid.link/20260423-work-epoll-uaf-v1-1-2470f9eec0f5@kernel.org
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>

(cherry picked from commit 3d9fd0a)
Signed-off-by: Shreeya Patel <spatel@ciq.com>
jira VULN-186882
cve-pre CVE-2026-46242
commit-author Christian Brauner <brauner@kernel.org>
commit 0f7bdfd

Split __ep_remove() to delineate file removal from epoll item removal.

Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Link: https://patch.msgid.link/20260423-work-epoll-uaf-v1-2-2470f9eec0f5@kernel.org
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>

(cherry picked from commit 0f7bdfd)
Signed-off-by: Shreeya Patel <spatel@ciq.com>
jira VULN-186882
cve-pre CVE-2026-46242
commit-author Christian Brauner <brauner@kernel.org>
commit e9e5cd4

Remove the boolean conditional in __ep_remove() and restructure the code
so the check for racing with eventpoll_release_file() are only done in
the ep_remove_safe() path where they belong.

Link: https://patch.msgid.link/20260423-work-epoll-uaf-v1-3-2470f9eec0f5@kernel.org
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>

(cherry picked from commit e9e5cd4)
Signed-off-by: Shreeya Patel <spatel@ciq.com>
jira VULN-186882
cve-pre CVE-2026-46242
commit-author Christian Brauner <brauner@kernel.org>
commit 0feaf64

With __ep_remove() gone, the double-underscore on __ep_remove_file()
and __ep_remove_epi() no longer contrasts with a __-less parent and
just reads as noise. Rename both to ep_remove_file() and
ep_remove_epi(). No functional change.

Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>

(cherry picked from commit 0feaf64)
Signed-off-by: Shreeya Patel <spatel@ciq.com>
jira VULN-186882
cve-pre CVE-2026-46242
commit-author Christian Brauner <brauner@kernel.org>
commit 0bade23

The current name is just confusing and doesn't clarify anything.

Link: https://patch.msgid.link/20260423-work-epoll-uaf-v1-4-2470f9eec0f5@kernel.org
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>

(cherry picked from commit 0bade23)
Signed-off-by: Shreeya Patel <spatel@ciq.com>
jira VULN-186882
cve-pre CVE-2026-46242
commit-author Christian Brauner <brauner@kernel.org>
commit 86e8705
upstream-diff |
	Pure code motion, no functional change intended (matches upstream's
	own commit message). Kept this tree's existing epi_fget() body
	using atomic_long_inc_not_zero(&file->f_count) instead of upstream's
	file_ref_get(&file->f_ref); the file_ref_t/file_ref_get() API comes
	from a separate, unrelated whole-VFS struct file refcounting rework
	(commit 90ee6ed "fs: port files to file_ref", 2024-10-07) that
	is not present on this branch and is out of scope for this CVE fix.
	Both mechanisms provide the identical "pin the file, fail if it's
	already at zero refs" semantics the upcoming ep_remove() UAF fix
	depends on, so this substitution preserves the security property
	unchanged.

We'll need it when removing files so move it up. No functional change.

Link: https://patch.msgid.link/20260423-work-epoll-uaf-v1-5-2470f9eec0f5@kernel.org
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>

(cherry picked from commit 86e8705)
Signed-off-by: Shreeya Patel <spatel@ciq.com>
jira VULN-186882
cve CVE-2026-46242
commit-author Christian Brauner <brauner@kernel.org>
commit a6dc643

ep_remove() (via ep_remove_file()) cleared file->f_ep under
file->f_lock but then kept using @file inside the critical section
(is_file_epoll(), hlist_del_rcu() through the head, spin_unlock).
A concurrent __fput() taking the eventpoll_release() fastpath in
that window observed the transient NULL, skipped
eventpoll_release_file() and ran to f_op->release / file_free().

For the epoll-watches-epoll case, f_op->release is
ep_eventpoll_release() -> ep_clear_and_put() -> ep_free(), which
kfree()s the watched struct eventpoll. Its embedded ->refs
hlist_head is exactly where epi->fllink.pprev points, so the
subsequent hlist_del_rcu()'s "*pprev = next" scribbles into freed
kmalloc-192 memory.

In addition, struct file is SLAB_TYPESAFE_BY_RCU, so the slot
backing @file could be recycled by alloc_empty_file() --
reinitializing f_lock and f_ep -- while ep_remove() is still
nominally inside that lock. The upshot is an attacker-controllable
kmem_cache_free() against the wrong slab cache.

Pin @file via epi_fget() at the top of ep_remove() and gate the
critical section on the pin succeeding. With the pin held @file
cannot reach refcount zero, which holds __fput() off and
transitively keeps the watched struct eventpoll alive across the
hlist_del_rcu() and the f_lock use, closing both UAFs.

If the pin fails @file has already reached refcount zero and its
__fput() is in flight. Because we bailed before clearing f_ep,
that path takes the eventpoll_release() slow path into
eventpoll_release_file() and blocks on ep->mtx until the waiter
side's ep_clear_and_put() drops it. The bailed epi's share of
ep->refcount stays intact, so the trailing ep_refcount_dec_and_test()
in ep_clear_and_put() cannot free the eventpoll out from under
eventpoll_release_file(); the orphaned epi is then cleaned up
there.

A successful pin also proves we are not racing
eventpoll_release_file() on this epi, so drop the now-redundant
re-check of epi->dying under f_lock. The cheap lockless
READ_ONCE(epi->dying) fast-path bailout stays.

Fixes: 58c9b01 ("epoll: use refcount to reduce ep_mutex contention")
Reported-by: Jaeyoung Chung <jjy600901@snu.ac.kr>
Link: https://patch.msgid.link/20260423-work-epoll-uaf-v1-6-2470f9eec0f5@kernel.org
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>

(cherry picked from commit a6dc643)
Signed-off-by: Shreeya Patel <spatel@ciq.com>
jira VULN-186882
cve-pre CVE-2026-46242
commit-author Christian Brauner <brauner@kernel.org>
commit 257b1c2

Add a simple helper to put a file reference.

Link: https://lore.kernel.org/r/20240719-work-mount-namespace-v1-4-834113cab0d2@kernel.org
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>

(cherry picked from commit 257b1c2)
Signed-off-by: Shreeya Patel <spatel@ciq.com>
jira VULN-184228
cve CVE-2026-43074
commit-author Nicholas Carlini <nicholas@carlini.com>
commit 07712db

In certain situations, ep_free() in eventpoll.c will kfree the epi->ep
eventpoll struct while it still being used by another concurrent thread.
Defer the kfree() to an RCU callback to prevent UAF.

Fixes: f2e467a ("eventpoll: Fix semi-unbounded recursion")
Signed-off-by: Nicholas Carlini <nicholas@carlini.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>

(cherry picked from commit 07712db)
Signed-off-by: Shreeya Patel <spatel@ciq.com>
jira VULN-191596
cve CVE-2026-43499
commit-author Keenan Dong <keenanat2000@gmail.com>
commit 3bfdc63

remove_waiter() is used by the slowlock paths, but it is also used for
proxy-lock rollback in rt_mutex_start_proxy_lock() when invoked from
futex_requeue().

In the latter case waiter::task is not current, but remove_waiter()
operates on current for the dequeue operation. That results in several
problems:

  1) the rbtree dequeue happens without waiter::task::pi_lock being held

  2) the waiter task's pi_blocked_on state is not cleared, which leaves a
     dangling pointer primed for UAF around.

  3) rt_mutex_adjust_prio_chain() operates on the wrong top priority waiter
     task

Use waiter::task instead of current in all related operations in
remove_waiter() to cure those problems.

[ tglx: Fixup rt_mutex_adjust_prio_chain(), add a comment and amend the
  	changelog ]

Fixes: 8161239 ("rtmutex: Simplify PI algorithm and make highest prio task get lock")
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Keenan Dong <keenanat2000@gmail.com>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Cc: stable@vger.kernel.org

(cherry picked from commit 3bfdc63)
Signed-off-by: Shreeya Patel <spatel@ciq.com>
jira VULN-190210
cve CVE-2026-53163
commit-author Davidlohr Bueso <dave@stgolabs.net>
commit 40a25d5
upstream-diff |
	The functional change is identical to upstream: the
	remove_waiter() call in rt_mutex_start_proxy_lock() is gated on
	"ret < 0" instead of "ret" so it is skipped on the ret==1
	(lock acquired) path. Context differs: this tree's
	__rt_mutex_start_proxy_lock() has no @wake_q parameter and no
	preempt_disable() around the wait_lock release (both from later,
	unrelated reworks not present here), so only the surrounding
	context was adjusted; the patched line matches upstream verbatim.
	The kernel/locking/rtmutex.c hunk (the !waiter_task guard) applied
	cleanly.

syzbot triggered the following splat in remove_waiter() via
FUTEX_CMP_REQUEUE_PI:

  KASAN: null-ptr-deref in range [0x0000000000000a88-0x0000000000000a8f]
   class_raw_spinlock_constructor
   remove_waiter+0x159/0x1200 kernel/locking/rtmutex.c:1561
   rt_mutex_start_proxy_lock+0x103/0x120
   futex_requeue+0x10e4/0x20d0
   __x64_sys_futex+0x34f/0x4d0

task_blocks_on_rt_mutex() does not arm the waiter upon deadlock detection,
leaving waiter->task nil, where 3bfdc63 ("rtmutex: Use waiter::task instead
of current in remove_waiter()") made this fatal.

Furthermore, rt_mutex_start_proxy_lock() should not be calling into remove_waiter()
upon a successfully grabbing the rtmutex. 1a1fb98 ("futex: Handle early deadlock
return correctly"), moved the remove_waiter() out of __rt_mutex_start_proxy_lock()
(where 'ret' was only ever 0 or < 0) into the wrapper. Tighten this check to
account for try_to_take_rt_mutex().

Fixes: 3bfdc63 ("rtmutex: Use waiter::task instead of current in remove_waiter()")
Reported-by: syzbot+78147abe6c524f183ee9@syzkaller.appspotmail.com
Signed-off-by: Davidlohr Bueso <dave@stgolabs.net>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Cc: stable@vger.kernel.org
Closes: https://lore.kernel.org/all/69f114ac.050a0220.ac8b.0003.GAE@google.com/
Link: https://patch.msgid.link/20260507112913.1019537-1-dave@stgolabs.net

(cherry picked from commit 40a25d5)
Signed-off-by: Shreeya Patel <spatel@ciq.com>
@ciq-kernel-automation ciq-kernel-automation Bot added the created-by-kernelci Tag PRs that were automatically created when a user branch was pushed to the repo (kernelCI) label Jul 9, 2026
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/29024096320

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

🔍 Upstream Linux Kernel Commit Check

  • ⚠️ PR commit 80771aacd3c (rtmutex: Use waiter::task instead of current in remove_waiter()) references upstream commit
    3bfdc63936dd which has been referenced by a Fixes: tag in the upstream
    Linux kernel:
    74e144274af futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock (Ji'an Zhou) (CVE-2026-53166)
  • ⚠️ PR commit 4ddb645e49c (locking/rtmutex: Skip remove_waiter() when waiter is not enqueued) does not reference a CVE but
    upstream commit 40a25d59e85b is associated with CVE-2026-53163

This is an automated message from the kernel commit checker workflow.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

🔍 Interdiff Analysis

  • ⚠️ PR commit 6c6cb9263db (eventpoll: move epi_fget() up) → upstream 86e87059e6d1
    Differences found:
================================================================================
*    DELTA DIFFERENCES - code changes that differ between the patches          *
================================================================================

--- b/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -734,7 +734,7 @@
 	struct file *file;
 
 	file = epi->ffd.file;
-	if (!atomic_long_inc_not_zero(&file->f_count))
+	if (!file_ref_get(&file->f_ref))
 		file = NULL;
 	return file;
 }
@@ -912,4 +912,32 @@
 
 /*
+ * The ffd.file pointer may be in the process of being torn down due to
+ * being closed, but we may not have finished eventpoll_release() yet.
+ *
+ * Normally, even with the atomic_long_inc_not_zero, the file may have
+ * been free'd and then gotten re-allocated to something else (since
+ * files are not RCU-delayed, they are SLAB_TYPESAFE_BY_RCU).
+ *
+ * But for epoll, users hold the ep->mtx mutex, and as such any file in
+ * the process of being free'd will block in eventpoll_release_file()
+ * and thus the underlying file allocation will not be free'd, and the
+ * file re-use cannot happen.
+ *
+ * For the same reason we can avoid a rcu_read_lock() around the
+ * operation - 'ffd.file' cannot go away even if the refcount has
+ * reached zero (but we must still not call out to ->poll() functions
+ * etc).
+ */
+static struct file *epi_fget(const struct epitem *epi)
+{
+	struct file *file;
+
+	file = epi->ffd.file;
+	if (!atomic_long_inc_not_zero(&file->f_count))
+		file = NULL;
+	return file;
+}
+
+/*
  * Differs from ep_eventpoll_poll() in that internal callers already have
  * the ep->mtx so we need to start from depth=1, such that mutex_lock_nested()

################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -1046,34 +1074,6 @@
 	return res;
 }
 
-/*
- * The ffd.file pointer may be in the process of being torn down due to
- * being closed, but we may not have finished eventpoll_release() yet.
- *
- * Normally, even with the atomic_long_inc_not_zero, the file may have
- * been free'd and then gotten re-allocated to something else (since
- * files are not RCU-delayed, they are SLAB_TYPESAFE_BY_RCU).
- *
- * But for epoll, users hold the ep->mtx mutex, and as such any file in
- * the process of being free'd will block in eventpoll_release_file()
- * and thus the underlying file allocation will not be free'd, and the
- * file re-use cannot happen.
- *
- * For the same reason we can avoid a rcu_read_lock() around the
- * operation - 'ffd.file' cannot go away even if the refcount has
- * reached zero (but we must still not call out to ->poll() functions
- * etc).
- */
-static struct file *epi_fget(const struct epitem *epi)
-{
-	struct file *file;
-
-	file = epi->ffd.file;
-	if (!file_ref_get(&file->f_ref))
-		file = NULL;
-	return file;
-}
-
 /*
  * Differs from ep_eventpoll_poll() in that internal callers already have
  * the ep->mtx so we need to start from depth=1, such that mutex_lock_nested()
  • ⚠️ PR commit b39ec69c5db (file: add fput() cleanup helper) → upstream 257b1c2c78c2
    Differences found:
================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/include/linux/file.h
+++ b/include/linux/file.h
@@ -93,6 +93,6 @@
 
 DEFINE_CLASS(get_unused_fd, int, if (_T >= 0) put_unused_fd(_T),
 	     get_unused_fd_flags(flags), unsigned flags)
 
-extern void fd_install(unsigned int fd, struct file *file);
-
+/*
+ * take_fd() will take care to set @fd to -EBADF ensuring that
  • ⚠️ PR commit 4ddb645e49c (locking/rtmutex: Skip remove_waiter() when waiter is not enqueued) → upstream 40a25d59e85b
    Differences found:
################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/kernel/locking/rtmutex_api.c
+++ b/kernel/locking/rtmutex_api.c
@@ -365,7 +365,7 @@
 
 	raw_spin_lock_irq(&lock->wait_lock);
 	ret = __rt_mutex_start_proxy_lock(lock, waiter, task, &wake_q);
-	if (unlikely(ret))
+	if (unlikely(ret < 0))
 		remove_waiter(lock, waiter);
 	preempt_disable();
 	raw_spin_unlock_irq(&lock->wait_lock);

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/kernel/locking/rtmutex_api.c
+++ b/kernel/locking/rtmutex_api.c
@@ -342,5 +342,6 @@
 	raw_spin_lock_irq(&lock->wait_lock);
-	ret = __rt_mutex_start_proxy_lock(lock, waiter, task);
+	ret = __rt_mutex_start_proxy_lock(lock, waiter, task, &wake_q);
 	if (unlikely(ret))
 		remove_waiter(lock, waiter);
+	preempt_disable();
 	raw_spin_unlock_irq(&lock->wait_lock);

This is an automated interdiff check for backported commits.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

Validation checks completed with issues View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/29024096320

@roxanan1996

roxanan1996 commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

🔍 Upstream Linux Kernel Commit Check

* ⚠️ PR commit `80771aacd3c (rtmutex: Use waiter::task instead of current in remove_waiter())` references upstream commit
  `3bfdc63936dd` which has been referenced by a `Fixes:` tag in the upstream
  Linux kernel:
    74e144274af futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock (Ji'an Zhou) (CVE-2026-53166)

This is fine because it is later reverted as it introduced issues and the problem it tries to fix it is already fix by
4ddb645.

. Check this discussion in stable for 5.15 https://lore.kernel.org/all/CAPw-QwdiQnbxiwrivx8HthquyQef4herojq15ozy2JgWa8sAAA@mail.gmail.com/
Check where it was reverted and why https://lore.kernel.org/all/178302354241.3843924.17363437869359149725.tip-bot2@tip-bot2/. So all good here.

* ⚠️ PR commit `4ddb645e49c (locking/rtmutex: Skip remove_waiter() when waiter is not enqueued)` does not reference a CVE but
  upstream commit `40a25d59e85b` is associated with `CVE-2026-53163`

This should be fixed. Use VULN-190210.

This is an automated message from the kernel commit checker workflow.

@github-actions

Copy link
Copy Markdown

🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/29069648434

@github-actions

Copy link
Copy Markdown

🔍 Upstream Linux Kernel Commit Check

  • ⚠️ PR commit daa7f7eee43 (rtmutex: Use waiter::task instead of current in remove_waiter()) references upstream commit
    3bfdc63936dd which has been referenced by a Fixes: tag in the upstream
    Linux kernel:
    74e144274af futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock (Ji'an Zhou) (CVE-2026-53166)
  • ⚠️ PR commit b4218c03641 (locking/rtmutex: Skip remove_waiter() when waiter is not enqueued) does not reference a CVE but
    upstream commit 40a25d59e85b is associated with CVE-2026-53163

This is an automated message from the kernel commit checker workflow.

@github-actions

Copy link
Copy Markdown

🔍 Interdiff Analysis

  • ⚠️ PR commit 3ccf8879e9f (eventpoll: move epi_fget() up) → upstream 86e87059e6d1
    Differences found:
================================================================================
*    DELTA DIFFERENCES - code changes that differ between the patches          *
================================================================================

--- b/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -734,7 +734,7 @@
 	struct file *file;
 
 	file = epi->ffd.file;
-	if (!atomic_long_inc_not_zero(&file->f_count))
+	if (!file_ref_get(&file->f_ref))
 		file = NULL;
 	return file;
 }
@@ -912,4 +912,32 @@
 
 /*
+ * The ffd.file pointer may be in the process of being torn down due to
+ * being closed, but we may not have finished eventpoll_release() yet.
+ *
+ * Normally, even with the atomic_long_inc_not_zero, the file may have
+ * been free'd and then gotten re-allocated to something else (since
+ * files are not RCU-delayed, they are SLAB_TYPESAFE_BY_RCU).
+ *
+ * But for epoll, users hold the ep->mtx mutex, and as such any file in
+ * the process of being free'd will block in eventpoll_release_file()
+ * and thus the underlying file allocation will not be free'd, and the
+ * file re-use cannot happen.
+ *
+ * For the same reason we can avoid a rcu_read_lock() around the
+ * operation - 'ffd.file' cannot go away even if the refcount has
+ * reached zero (but we must still not call out to ->poll() functions
+ * etc).
+ */
+static struct file *epi_fget(const struct epitem *epi)
+{
+	struct file *file;
+
+	file = epi->ffd.file;
+	if (!atomic_long_inc_not_zero(&file->f_count))
+		file = NULL;
+	return file;
+}
+
+/*
  * Differs from ep_eventpoll_poll() in that internal callers already have
  * the ep->mtx so we need to start from depth=1, such that mutex_lock_nested()

################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -1046,34 +1074,6 @@
 	return res;
 }
 
-/*
- * The ffd.file pointer may be in the process of being torn down due to
- * being closed, but we may not have finished eventpoll_release() yet.
- *
- * Normally, even with the atomic_long_inc_not_zero, the file may have
- * been free'd and then gotten re-allocated to something else (since
- * files are not RCU-delayed, they are SLAB_TYPESAFE_BY_RCU).
- *
- * But for epoll, users hold the ep->mtx mutex, and as such any file in
- * the process of being free'd will block in eventpoll_release_file()
- * and thus the underlying file allocation will not be free'd, and the
- * file re-use cannot happen.
- *
- * For the same reason we can avoid a rcu_read_lock() around the
- * operation - 'ffd.file' cannot go away even if the refcount has
- * reached zero (but we must still not call out to ->poll() functions
- * etc).
- */
-static struct file *epi_fget(const struct epitem *epi)
-{
-	struct file *file;
-
-	file = epi->ffd.file;
-	if (!file_ref_get(&file->f_ref))
-		file = NULL;
-	return file;
-}
-
 /*
  * Differs from ep_eventpoll_poll() in that internal callers already have
  * the ep->mtx so we need to start from depth=1, such that mutex_lock_nested()
  • ⚠️ PR commit 8e2f93865ac (file: add fput() cleanup helper) → upstream 257b1c2c78c2
    Differences found:
================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/include/linux/file.h
+++ b/include/linux/file.h
@@ -93,6 +93,6 @@
 
 DEFINE_CLASS(get_unused_fd, int, if (_T >= 0) put_unused_fd(_T),
 	     get_unused_fd_flags(flags), unsigned flags)
 
-extern void fd_install(unsigned int fd, struct file *file);
-
+/*
+ * take_fd() will take care to set @fd to -EBADF ensuring that
  • ⚠️ PR commit b4218c03641 (locking/rtmutex: Skip remove_waiter() when waiter is not enqueued) → upstream 40a25d59e85b
    Differences found:
################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/kernel/locking/rtmutex_api.c
+++ b/kernel/locking/rtmutex_api.c
@@ -365,7 +365,7 @@
 
 	raw_spin_lock_irq(&lock->wait_lock);
 	ret = __rt_mutex_start_proxy_lock(lock, waiter, task, &wake_q);
-	if (unlikely(ret))
+	if (unlikely(ret < 0))
 		remove_waiter(lock, waiter);
 	preempt_disable();
 	raw_spin_unlock_irq(&lock->wait_lock);

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/kernel/locking/rtmutex_api.c
+++ b/kernel/locking/rtmutex_api.c
@@ -342,5 +342,6 @@
 	raw_spin_lock_irq(&lock->wait_lock);
-	ret = __rt_mutex_start_proxy_lock(lock, waiter, task);
+	ret = __rt_mutex_start_proxy_lock(lock, waiter, task, &wake_q);
 	if (unlikely(ret))
 		remove_waiter(lock, waiter);
+	preempt_disable();
 	raw_spin_unlock_irq(&lock->wait_lock);

This is an automated interdiff check for backported commits.

@github-actions

Copy link
Copy Markdown

JIRA PR Check Results

12 commit(s) with issues found:

Commit b4218c036417

Summary: locking/rtmutex: Skip remove_waiter() when waiter is not enqueued

❌ Errors:

  • VULN-191596: Status is 'To Do', expected 'In Progress'

⚠️ Warnings:

  • VULN-191596: No time logged - please log time manually

Commit daa7f7eee43b

Summary: rtmutex: Use waiter::task instead of current in remove_waiter()

❌ Errors:

  • VULN-191596: Status is 'To Do', expected 'In Progress'

⚠️ Warnings:

  • VULN-191596: No time logged - please log time manually

Commit 48757f9bbdd3

Summary: eventpoll: defer struct eventpoll free to RCU grace period

❌ Errors:

  • VULN-184228: Status is 'To Do', expected 'In Progress'

⚠️ Warnings:

  • VULN-184228: No time logged - please log time manually

Commit 8e2f93865ac6

Summary: file: add fput() cleanup helper

❌ Errors:

  • VULN-186882: Status is 'To Do', expected 'In Progress'

⚠️ Warnings:

  • VULN-186882: No time logged - please log time manually

Commit b85bd139d2bd

Summary: eventpoll: fix ep_remove struct eventpoll / struct file UAF

❌ Errors:

  • VULN-186882: Status is 'To Do', expected 'In Progress'

⚠️ Warnings:

  • VULN-186882: No time logged - please log time manually

Commit 3ccf8879e9f1

Summary: eventpoll: move epi_fget() up

❌ Errors:

  • VULN-186882: Status is 'To Do', expected 'In Progress'

⚠️ Warnings:

  • VULN-186882: No time logged - please log time manually

Commit a03ffebe41c4

Summary: eventpoll: rename ep_remove_safe() back to ep_remove()

❌ Errors:

  • VULN-186882: Status is 'To Do', expected 'In Progress'

⚠️ Warnings:

  • VULN-186882: No time logged - please log time manually

Commit c033557d3207

Summary: eventpoll: drop vestigial __ prefix from ep_remove_{file,epi}()

❌ Errors:

  • VULN-186882: Status is 'To Do', expected 'In Progress'

⚠️ Warnings:

  • VULN-186882: No time logged - please log time manually

Commit 8aacc68220fb

Summary: eventpoll: kill __ep_remove()

❌ Errors:

  • VULN-186882: Status is 'To Do', expected 'In Progress'

⚠️ Warnings:

  • VULN-186882: No time logged - please log time manually

Commit fa2f1b8ab294

Summary: eventpoll: split __ep_remove()

❌ Errors:

  • VULN-186882: Status is 'To Do', expected 'In Progress'

⚠️ Warnings:

  • VULN-186882: No time logged - please log time manually

Commit e91991ce6fae

Summary: eventpoll: use hlist_is_singular_node() in __ep_remove()

❌ Errors:

  • VULN-186882: Status is 'To Do', expected 'In Progress'

⚠️ Warnings:

  • VULN-186882: No time logged - please log time manually

Commit 787b8d9f6016

Summary: epoll: annotate racy check

❌ Errors:

  • VULN-186882: Status is 'To Do', expected 'In Progress'

⚠️ Warnings:

  • VULN-186882: No time logged - please log time manually

Summary: Checked 12 commit(s) total.

@github-actions

Copy link
Copy Markdown

Validation checks completed with issues View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/29069648434

@kerneltoast kerneltoast left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I populated the missing VULNs in each commit message. The backports look correct to me. 🚢

@kerneltoast kerneltoast force-pushed the {shreeya_epoll_ipv6}_ciqlts9_6 branch from b4218c0 to 131f5a2 Compare July 10, 2026 05:11
@github-actions

Copy link
Copy Markdown

🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/29071160457

@github-actions

Copy link
Copy Markdown

🔍 Upstream Linux Kernel Commit Check

  • ⚠️ PR commit daa7f7eee43 (rtmutex: Use waiter::task instead of current in remove_waiter()) references upstream commit
    3bfdc63936dd which has been referenced by a Fixes: tag in the upstream
    Linux kernel:
    74e144274af futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock (Ji'an Zhou) (CVE-2026-53166)

This is an automated message from the kernel commit checker workflow.

@github-actions

Copy link
Copy Markdown

🔍 Interdiff Analysis

  • ⚠️ PR commit 3ccf8879e9f (eventpoll: move epi_fget() up) → upstream 86e87059e6d1
    Differences found:
================================================================================
*    DELTA DIFFERENCES - code changes that differ between the patches          *
================================================================================

--- b/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -734,7 +734,7 @@
 	struct file *file;
 
 	file = epi->ffd.file;
-	if (!atomic_long_inc_not_zero(&file->f_count))
+	if (!file_ref_get(&file->f_ref))
 		file = NULL;
 	return file;
 }
@@ -912,4 +912,32 @@
 
 /*
+ * The ffd.file pointer may be in the process of being torn down due to
+ * being closed, but we may not have finished eventpoll_release() yet.
+ *
+ * Normally, even with the atomic_long_inc_not_zero, the file may have
+ * been free'd and then gotten re-allocated to something else (since
+ * files are not RCU-delayed, they are SLAB_TYPESAFE_BY_RCU).
+ *
+ * But for epoll, users hold the ep->mtx mutex, and as such any file in
+ * the process of being free'd will block in eventpoll_release_file()
+ * and thus the underlying file allocation will not be free'd, and the
+ * file re-use cannot happen.
+ *
+ * For the same reason we can avoid a rcu_read_lock() around the
+ * operation - 'ffd.file' cannot go away even if the refcount has
+ * reached zero (but we must still not call out to ->poll() functions
+ * etc).
+ */
+static struct file *epi_fget(const struct epitem *epi)
+{
+	struct file *file;
+
+	file = epi->ffd.file;
+	if (!atomic_long_inc_not_zero(&file->f_count))
+		file = NULL;
+	return file;
+}
+
+/*
  * Differs from ep_eventpoll_poll() in that internal callers already have
  * the ep->mtx so we need to start from depth=1, such that mutex_lock_nested()

################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -1046,34 +1074,6 @@
 	return res;
 }
 
-/*
- * The ffd.file pointer may be in the process of being torn down due to
- * being closed, but we may not have finished eventpoll_release() yet.
- *
- * Normally, even with the atomic_long_inc_not_zero, the file may have
- * been free'd and then gotten re-allocated to something else (since
- * files are not RCU-delayed, they are SLAB_TYPESAFE_BY_RCU).
- *
- * But for epoll, users hold the ep->mtx mutex, and as such any file in
- * the process of being free'd will block in eventpoll_release_file()
- * and thus the underlying file allocation will not be free'd, and the
- * file re-use cannot happen.
- *
- * For the same reason we can avoid a rcu_read_lock() around the
- * operation - 'ffd.file' cannot go away even if the refcount has
- * reached zero (but we must still not call out to ->poll() functions
- * etc).
- */
-static struct file *epi_fget(const struct epitem *epi)
-{
-	struct file *file;
-
-	file = epi->ffd.file;
-	if (!file_ref_get(&file->f_ref))
-		file = NULL;
-	return file;
-}
-
 /*
  * Differs from ep_eventpoll_poll() in that internal callers already have
  * the ep->mtx so we need to start from depth=1, such that mutex_lock_nested()
  • ⚠️ PR commit 8e2f93865ac (file: add fput() cleanup helper) → upstream 257b1c2c78c2
    Differences found:
================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/include/linux/file.h
+++ b/include/linux/file.h
@@ -93,6 +93,6 @@
 
 DEFINE_CLASS(get_unused_fd, int, if (_T >= 0) put_unused_fd(_T),
 	     get_unused_fd_flags(flags), unsigned flags)
 
-extern void fd_install(unsigned int fd, struct file *file);
-
+/*
+ * take_fd() will take care to set @fd to -EBADF ensuring that
  • ⚠️ PR commit 131f5a24924 (locking/rtmutex: Skip remove_waiter() when waiter is not enqueued) → upstream 40a25d59e85b
    Differences found:
################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/kernel/locking/rtmutex_api.c
+++ b/kernel/locking/rtmutex_api.c
@@ -365,7 +365,7 @@
 
 	raw_spin_lock_irq(&lock->wait_lock);
 	ret = __rt_mutex_start_proxy_lock(lock, waiter, task, &wake_q);
-	if (unlikely(ret))
+	if (unlikely(ret < 0))
 		remove_waiter(lock, waiter);
 	preempt_disable();
 	raw_spin_unlock_irq(&lock->wait_lock);

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/kernel/locking/rtmutex_api.c
+++ b/kernel/locking/rtmutex_api.c
@@ -342,5 +342,6 @@
 	raw_spin_lock_irq(&lock->wait_lock);
-	ret = __rt_mutex_start_proxy_lock(lock, waiter, task);
+	ret = __rt_mutex_start_proxy_lock(lock, waiter, task, &wake_q);
 	if (unlikely(ret))
 		remove_waiter(lock, waiter);
+	preempt_disable();
 	raw_spin_unlock_irq(&lock->wait_lock);

This is an automated interdiff check for backported commits.

@github-actions

Copy link
Copy Markdown

JIRA PR Check Results

12 commit(s) with issues found:

Commit 131f5a24924f

Summary: locking/rtmutex: Skip remove_waiter() when waiter is not enqueued

❌ Errors:

  • VULN-190210: Status is 'To Do', expected 'In Progress'

⚠️ Warnings:

  • VULN-190210: No time logged - please log time manually

Commit daa7f7eee43b

Summary: rtmutex: Use waiter::task instead of current in remove_waiter()

❌ Errors:

  • VULN-191596: Status is 'To Do', expected 'In Progress'

⚠️ Warnings:

  • VULN-191596: No time logged - please log time manually

Commit 48757f9bbdd3

Summary: eventpoll: defer struct eventpoll free to RCU grace period

❌ Errors:

  • VULN-184228: Status is 'To Do', expected 'In Progress'

⚠️ Warnings:

  • VULN-184228: No time logged - please log time manually

Commit 8e2f93865ac6

Summary: file: add fput() cleanup helper

❌ Errors:

  • VULN-186882: Status is 'To Do', expected 'In Progress'

⚠️ Warnings:

  • VULN-186882: No time logged - please log time manually

Commit b85bd139d2bd

Summary: eventpoll: fix ep_remove struct eventpoll / struct file UAF

❌ Errors:

  • VULN-186882: Status is 'To Do', expected 'In Progress'

⚠️ Warnings:

  • VULN-186882: No time logged - please log time manually

Commit 3ccf8879e9f1

Summary: eventpoll: move epi_fget() up

❌ Errors:

  • VULN-186882: Status is 'To Do', expected 'In Progress'

⚠️ Warnings:

  • VULN-186882: No time logged - please log time manually

Commit a03ffebe41c4

Summary: eventpoll: rename ep_remove_safe() back to ep_remove()

❌ Errors:

  • VULN-186882: Status is 'To Do', expected 'In Progress'

⚠️ Warnings:

  • VULN-186882: No time logged - please log time manually

Commit c033557d3207

Summary: eventpoll: drop vestigial __ prefix from ep_remove_{file,epi}()

❌ Errors:

  • VULN-186882: Status is 'To Do', expected 'In Progress'

⚠️ Warnings:

  • VULN-186882: No time logged - please log time manually

Commit 8aacc68220fb

Summary: eventpoll: kill __ep_remove()

❌ Errors:

  • VULN-186882: Status is 'To Do', expected 'In Progress'

⚠️ Warnings:

  • VULN-186882: No time logged - please log time manually

Commit fa2f1b8ab294

Summary: eventpoll: split __ep_remove()

❌ Errors:

  • VULN-186882: Status is 'To Do', expected 'In Progress'

⚠️ Warnings:

  • VULN-186882: No time logged - please log time manually

Commit e91991ce6fae

Summary: eventpoll: use hlist_is_singular_node() in __ep_remove()

❌ Errors:

  • VULN-186882: Status is 'To Do', expected 'In Progress'

⚠️ Warnings:

  • VULN-186882: No time logged - please log time manually

Commit 787b8d9f6016

Summary: epoll: annotate racy check

❌ Errors:

  • VULN-186882: Status is 'To Do', expected 'In Progress'

⚠️ Warnings:

  • VULN-186882: No time logged - please log time manually

Summary: Checked 12 commit(s) total.

@github-actions

Copy link
Copy Markdown

Validation checks completed with issues View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/29071160457

@kerneltoast kerneltoast left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Force pushed one more time to also fix the CVE tag for the follow-on fix for GhostLock since it got its own CVE (CVE-2026-53163). 🚢

@shreeya-patel98 shreeya-patel98 left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

created-by-kernelci Tag PRs that were automatically created when a user branch was pushed to the repo (kernelCI)

Development

Successfully merging this pull request may close these issues.

6 participants