Skip to content

[rlc-9/5.14.0-687.17.1.el9_8] Multiple patches tested (11 commits)#1420

Open
ciq-kernel-automation[bot] wants to merge 11 commits into
rlc-9/5.14.0-687.17.1.el9_8from
{shreeya_epoll_ipv6}_rlc-9/5.14.0-687.17.1.el9_8
Open

[rlc-9/5.14.0-687.17.1.el9_8] Multiple patches tested (11 commits)#1420
ciq-kernel-automation[bot] wants to merge 11 commits into
rlc-9/5.14.0-687.17.1.el9_8from
{shreeya_epoll_ipv6}_rlc-9/5.14.0-687.17.1.el9_8

Conversation

@ciq-kernel-automation

Copy link
Copy Markdown

Summary

This PR has been automatically created after successful completion of all CI stages.

Commit Message(s)

epoll: annotate racy check

cve-pre CVE-2026-46242
commit-author Christian Brauner <brauner@kernel.org>
commit 6474353a5e3d0b2cf610153cea0c61f576a36d0a
eventpoll: use hlist_is_singular_node() in __ep_remove()

cve-pre CVE-2026-46242
commit-author Christian Brauner <brauner@kernel.org>
commit 3d9fd0abc94d8cd430cc7cd7d37ce5e5aae2cd2b
eventpoll: split __ep_remove()

cve-pre CVE-2026-46242
commit-author Christian Brauner <brauner@kernel.org>
commit 0f7bdfd413000985de09fc39eb9efa1e091a3ce0
eventpoll: kill __ep_remove()

cve-pre CVE-2026-46242
commit-author Christian Brauner <brauner@kernel.org>
commit e9e5cd40d7c403e19f21d0f7b8b8ba3a76b58330
eventpoll: drop vestigial __ prefix from ep_remove_{file,epi}()

cve-pre CVE-2026-46242
commit-author Christian Brauner <brauner@kernel.org>
commit 0feaf644f7180c4a91b6b405a881afbfd958f1cf
eventpoll: rename ep_remove_safe() back to ep_remove()

cve-pre CVE-2026-46242
commit-author Christian Brauner <brauner@kernel.org>
commit 0bade234723e40e4937be912e105785d6a51464e
eventpoll: move epi_fget() up

cve-pre CVE-2026-46242
commit-author Christian Brauner <brauner@kernel.org>
commit 86e87059e6d1fd5115a31949726450ed03c1073b
upstream-diff |
	Pure code motion, no functional change intended (matches upstream's
	own commit message). Kept this tree's existing epi_fget() body
	using atomic_long_inc_not_zero(&file->f_count) instead of upstream's
	file_ref_get(&file->f_ref); the file_ref_t/file_ref_get() API comes
	from a separate, unrelated whole-VFS struct file refcounting rework
	(commit 90ee6ed776c06 "fs: port files to file_ref", 2024-10-07) that
	is not present on this branch and is out of scope for this CVE fix.
	Both mechanisms provide the identical "pin the file, fail if it's
	already at zero refs" semantics the upcoming ep_remove() UAF fix
	depends on, so this substitution preserves the security property
	unchanged.
eventpoll: fix ep_remove struct eventpoll / struct file UAF

cve CVE-2026-46242
commit-author Christian Brauner <brauner@kernel.org>
commit a6dc643c69311677c574a0f17a3f4d66a5f3744b
eventpoll: defer struct eventpoll free to RCU grace period

cve CVE-2026-43074
commit-author Nicholas Carlini <nicholas@carlini.com>
commit 07712db80857d5d09ae08f3df85a708ecfc3b61f
rtmutex: Use waiter::task instead of current in remove_waiter()

cve CVE-2026-43499
commit-author Keenan Dong <keenanat2000@gmail.com>
commit 3bfdc63936dd4773109b7b8c280c0f3b5ae7d349
locking/rtmutex: Skip remove_waiter() when waiter is not enqueued

cve-pre CVE-2026-43499
commit-author Davidlohr Bueso <dave@stgolabs.net>
commit 40a25d59e85b3c8709ac2424d44f65610467871e

Test Results

✅ Build Stage

Architecture Build Time Total Time
x86_64 34m 1s 34m 57s
aarch64 20m 4s 20m 53s

✅ Boot Verification

✅ Kernel Selftests

Architecture Passed Failed Compared Against Status
x86_64 206 49 rlc-9/5.14.0-687.17.1.el9_8 ✅ No regressions
aarch64 154 49 rlc-9/5.14.0-687.17.1.el9_8 ✅ No regressions

✅ LTP Results

Architecture Passed Failed Compared Against Status
x86_64 1456 81 rlc-9/5.14.0-687.17.1.el9_8 ✅ No regressions
aarch64 1429 82 rlc-9/5.14.0-687.17.1.el9_8 ✅ No regressions

🤖 This PR was automatically generated by GitHub Actions
Run ID: 29009863403

brauner and others added 11 commits July 9, 2026 09:30
cve-pre CVE-2026-46242
commit-author Christian Brauner <brauner@kernel.org>
commit 6474353

Epoll relies on a racy fastpath check during __fput() in
eventpoll_release() to avoid the hit of pointlessly acquiring a
semaphore. Annotate that race by using WRITE_ONCE() and READ_ONCE().

Link: https://lore.kernel.org/r/66edfb3c.050a0220.3195df.001a.GAE@google.com
Link: https://lore.kernel.org/r/20240925-fungieren-anbauen-79b334b00542@brauner
Reviewed-by: Jan Kara <jack@suse.cz>
Reported-by: syzbot+3b6b32dc50537a49bb4a@syzkaller.appspotmail.com
Signed-off-by: Christian Brauner <brauner@kernel.org>

(cherry picked from commit 6474353)
Signed-off-by: Shreeya Patel <spatel@ciq.com>
cve-pre CVE-2026-46242
commit-author Christian Brauner <brauner@kernel.org>
commit 3d9fd0a

Replace the open-coded "epi is the only entry in file->f_ep" check
with hlist_is_singular_node(). Same semantics, and the helper avoids
the head-cacheline access in the common false case.

Link: https://patch.msgid.link/20260423-work-epoll-uaf-v1-1-2470f9eec0f5@kernel.org
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>

(cherry picked from commit 3d9fd0a)
Signed-off-by: Shreeya Patel <spatel@ciq.com>
cve-pre CVE-2026-46242
commit-author Christian Brauner <brauner@kernel.org>
commit 0f7bdfd

Split __ep_remove() to delineate file removal from epoll item removal.

Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Link: https://patch.msgid.link/20260423-work-epoll-uaf-v1-2-2470f9eec0f5@kernel.org
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>

(cherry picked from commit 0f7bdfd)
Signed-off-by: Shreeya Patel <spatel@ciq.com>
cve-pre CVE-2026-46242
commit-author Christian Brauner <brauner@kernel.org>
commit e9e5cd4

Remove the boolean conditional in __ep_remove() and restructure the code
so the check for racing with eventpoll_release_file() are only done in
the ep_remove_safe() path where they belong.

Link: https://patch.msgid.link/20260423-work-epoll-uaf-v1-3-2470f9eec0f5@kernel.org
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>

(cherry picked from commit e9e5cd4)
Signed-off-by: Shreeya Patel <spatel@ciq.com>
cve-pre CVE-2026-46242
commit-author Christian Brauner <brauner@kernel.org>
commit 0feaf64

With __ep_remove() gone, the double-underscore on __ep_remove_file()
and __ep_remove_epi() no longer contrasts with a __-less parent and
just reads as noise. Rename both to ep_remove_file() and
ep_remove_epi(). No functional change.

Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>

(cherry picked from commit 0feaf64)
Signed-off-by: Shreeya Patel <spatel@ciq.com>
cve-pre CVE-2026-46242
commit-author Christian Brauner <brauner@kernel.org>
commit 0bade23

The current name is just confusing and doesn't clarify anything.

Link: https://patch.msgid.link/20260423-work-epoll-uaf-v1-4-2470f9eec0f5@kernel.org
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>

(cherry picked from commit 0bade23)
Signed-off-by: Shreeya Patel <spatel@ciq.com>
cve-pre CVE-2026-46242
commit-author Christian Brauner <brauner@kernel.org>
commit 86e8705
upstream-diff |
	Pure code motion, no functional change intended (matches upstream's
	own commit message). Kept this tree's existing epi_fget() body
	using atomic_long_inc_not_zero(&file->f_count) instead of upstream's
	file_ref_get(&file->f_ref); the file_ref_t/file_ref_get() API comes
	from a separate, unrelated whole-VFS struct file refcounting rework
	(commit 90ee6ed "fs: port files to file_ref", 2024-10-07) that
	is not present on this branch and is out of scope for this CVE fix.
	Both mechanisms provide the identical "pin the file, fail if it's
	already at zero refs" semantics the upcoming ep_remove() UAF fix
	depends on, so this substitution preserves the security property
	unchanged.

We'll need it when removing files so move it up. No functional change.

Link: https://patch.msgid.link/20260423-work-epoll-uaf-v1-5-2470f9eec0f5@kernel.org
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>

(cherry picked from commit 86e8705)
Signed-off-by: Shreeya Patel <spatel@ciq.com>
cve CVE-2026-46242
commit-author Christian Brauner <brauner@kernel.org>
commit a6dc643

ep_remove() (via ep_remove_file()) cleared file->f_ep under
file->f_lock but then kept using @file inside the critical section
(is_file_epoll(), hlist_del_rcu() through the head, spin_unlock).
A concurrent __fput() taking the eventpoll_release() fastpath in
that window observed the transient NULL, skipped
eventpoll_release_file() and ran to f_op->release / file_free().

For the epoll-watches-epoll case, f_op->release is
ep_eventpoll_release() -> ep_clear_and_put() -> ep_free(), which
kfree()s the watched struct eventpoll. Its embedded ->refs
hlist_head is exactly where epi->fllink.pprev points, so the
subsequent hlist_del_rcu()'s "*pprev = next" scribbles into freed
kmalloc-192 memory.

In addition, struct file is SLAB_TYPESAFE_BY_RCU, so the slot
backing @file could be recycled by alloc_empty_file() --
reinitializing f_lock and f_ep -- while ep_remove() is still
nominally inside that lock. The upshot is an attacker-controllable
kmem_cache_free() against the wrong slab cache.

Pin @file via epi_fget() at the top of ep_remove() and gate the
critical section on the pin succeeding. With the pin held @file
cannot reach refcount zero, which holds __fput() off and
transitively keeps the watched struct eventpoll alive across the
hlist_del_rcu() and the f_lock use, closing both UAFs.

If the pin fails @file has already reached refcount zero and its
__fput() is in flight. Because we bailed before clearing f_ep,
that path takes the eventpoll_release() slow path into
eventpoll_release_file() and blocks on ep->mtx until the waiter
side's ep_clear_and_put() drops it. The bailed epi's share of
ep->refcount stays intact, so the trailing ep_refcount_dec_and_test()
in ep_clear_and_put() cannot free the eventpoll out from under
eventpoll_release_file(); the orphaned epi is then cleaned up
there.

A successful pin also proves we are not racing
eventpoll_release_file() on this epi, so drop the now-redundant
re-check of epi->dying under f_lock. The cheap lockless
READ_ONCE(epi->dying) fast-path bailout stays.

Fixes: 58c9b01 ("epoll: use refcount to reduce ep_mutex contention")
Reported-by: Jaeyoung Chung <jjy600901@snu.ac.kr>
Link: https://patch.msgid.link/20260423-work-epoll-uaf-v1-6-2470f9eec0f5@kernel.org
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>

(cherry picked from commit a6dc643)
Signed-off-by: Shreeya Patel <spatel@ciq.com>
cve CVE-2026-43074
commit-author Nicholas Carlini <nicholas@carlini.com>
commit 07712db

In certain situations, ep_free() in eventpoll.c will kfree the epi->ep
eventpoll struct while it still being used by another concurrent thread.
Defer the kfree() to an RCU callback to prevent UAF.

Fixes: f2e467a ("eventpoll: Fix semi-unbounded recursion")
Signed-off-by: Nicholas Carlini <nicholas@carlini.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>

(cherry picked from commit 07712db)
Signed-off-by: Shreeya Patel <spatel@ciq.com>
cve CVE-2026-43499
commit-author Keenan Dong <keenanat2000@gmail.com>
commit 3bfdc63

remove_waiter() is used by the slowlock paths, but it is also used for
proxy-lock rollback in rt_mutex_start_proxy_lock() when invoked from
futex_requeue().

In the latter case waiter::task is not current, but remove_waiter()
operates on current for the dequeue operation. That results in several
problems:

  1) the rbtree dequeue happens without waiter::task::pi_lock being held

  2) the waiter task's pi_blocked_on state is not cleared, which leaves a
     dangling pointer primed for UAF around.

  3) rt_mutex_adjust_prio_chain() operates on the wrong top priority waiter
     task

Use waiter::task instead of current in all related operations in
remove_waiter() to cure those problems.

[ tglx: Fixup rt_mutex_adjust_prio_chain(), add a comment and amend the
  	changelog ]

Fixes: 8161239 ("rtmutex: Simplify PI algorithm and make highest prio task get lock")
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Keenan Dong <keenanat2000@gmail.com>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Cc: stable@vger.kernel.org

(cherry picked from commit 3bfdc63)
Signed-off-by: Shreeya Patel <spatel@ciq.com>
cve-pre CVE-2026-43499
commit-author Davidlohr Bueso <dave@stgolabs.net>
commit 40a25d5

syzbot triggered the following splat in remove_waiter() via
FUTEX_CMP_REQUEUE_PI:

  KASAN: null-ptr-deref in range [0x0000000000000a88-0x0000000000000a8f]
   class_raw_spinlock_constructor
   remove_waiter+0x159/0x1200 kernel/locking/rtmutex.c:1561
   rt_mutex_start_proxy_lock+0x103/0x120
   futex_requeue+0x10e4/0x20d0
   __x64_sys_futex+0x34f/0x4d0

task_blocks_on_rt_mutex() does not arm the waiter upon deadlock detection,
leaving waiter->task nil, where 3bfdc63 ("rtmutex: Use waiter::task instead
of current in remove_waiter()") made this fatal.

Furthermore, rt_mutex_start_proxy_lock() should not be calling into remove_waiter()
upon a successfully grabbing the rtmutex. 1a1fb98 ("futex: Handle early deadlock
return correctly"), moved the remove_waiter() out of __rt_mutex_start_proxy_lock()
(where 'ret' was only ever 0 or < 0) into the wrapper. Tighten this check to
account for try_to_take_rt_mutex().

Fixes: 3bfdc63 ("rtmutex: Use waiter::task instead of current in remove_waiter()")
Reported-by: syzbot+78147abe6c524f183ee9@syzkaller.appspotmail.com
Signed-off-by: Davidlohr Bueso <dave@stgolabs.net>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Cc: stable@vger.kernel.org
Closes: https://lore.kernel.org/all/69f114ac.050a0220.ac8b.0003.GAE@google.com/
Link: https://patch.msgid.link/20260507112913.1019537-1-dave@stgolabs.net

(cherry picked from commit 40a25d5)
Signed-off-by: Shreeya Patel <spatel@ciq.com>
@ciq-kernel-automation ciq-kernel-automation Bot added the created-by-kernelci Tag PRs that were automatically created when a user branch was pushed to the repo (kernelCI) label Jul 9, 2026
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/29025264866

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

🔍 Upstream Linux Kernel Commit Check

  • ⚠️ PR commit 62a8e2ce66d (rtmutex: Use waiter::task instead of current in remove_waiter()) references upstream commit
    3bfdc63936dd which has been referenced by a Fixes: tag in the upstream
    Linux kernel:
    74e144274af futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock (Ji'an Zhou) (CVE-2026-53166)
  • ⚠️ PR commit 4ca99aa0825 (locking/rtmutex: Skip remove_waiter() when waiter is not enqueued) does not reference a CVE but
    upstream commit 40a25d59e85b is associated with CVE-2026-53163

This is an automated message from the kernel commit checker workflow.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

🔍 Interdiff Analysis

  • ⚠️ PR commit 01f695a2ea2 (eventpoll: move epi_fget() up) → upstream 86e87059e6d1
    Differences found:
================================================================================
*    DELTA DIFFERENCES - code changes that differ between the patches          *
================================================================================

--- b/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -734,7 +734,7 @@
 	struct file *file;
 
 	file = epi->ffd.file;
-	if (!atomic_long_inc_not_zero(&file->f_count))
+	if (!file_ref_get(&file->f_ref))
 		file = NULL;
 	return file;
 }
@@ -912,4 +912,32 @@
 
 /*
+ * The ffd.file pointer may be in the process of being torn down due to
+ * being closed, but we may not have finished eventpoll_release() yet.
+ *
+ * Normally, even with the atomic_long_inc_not_zero, the file may have
+ * been free'd and then gotten re-allocated to something else (since
+ * files are not RCU-delayed, they are SLAB_TYPESAFE_BY_RCU).
+ *
+ * But for epoll, users hold the ep->mtx mutex, and as such any file in
+ * the process of being free'd will block in eventpoll_release_file()
+ * and thus the underlying file allocation will not be free'd, and the
+ * file re-use cannot happen.
+ *
+ * For the same reason we can avoid a rcu_read_lock() around the
+ * operation - 'ffd.file' cannot go away even if the refcount has
+ * reached zero (but we must still not call out to ->poll() functions
+ * etc).
+ */
+static struct file *epi_fget(const struct epitem *epi)
+{
+	struct file *file;
+
+	file = epi->ffd.file;
+	if (!atomic_long_inc_not_zero(&file->f_count))
+		file = NULL;
+	return file;
+}
+
+/*
  * Differs from ep_eventpoll_poll() in that internal callers already have
  * the ep->mtx so we need to start from depth=1, such that mutex_lock_nested()

################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -1046,34 +1074,6 @@
 	return res;
 }
 
-/*
- * The ffd.file pointer may be in the process of being torn down due to
- * being closed, but we may not have finished eventpoll_release() yet.
- *
- * Normally, even with the atomic_long_inc_not_zero, the file may have
- * been free'd and then gotten re-allocated to something else (since
- * files are not RCU-delayed, they are SLAB_TYPESAFE_BY_RCU).
- *
- * But for epoll, users hold the ep->mtx mutex, and as such any file in
- * the process of being free'd will block in eventpoll_release_file()
- * and thus the underlying file allocation will not be free'd, and the
- * file re-use cannot happen.
- *
- * For the same reason we can avoid a rcu_read_lock() around the
- * operation - 'ffd.file' cannot go away even if the refcount has
- * reached zero (but we must still not call out to ->poll() functions
- * etc).
- */
-static struct file *epi_fget(const struct epitem *epi)
-{
-	struct file *file;
-
-	file = epi->ffd.file;
-	if (!file_ref_get(&file->f_ref))
-		file = NULL;
-	return file;
-}
-
 /*
  * Differs from ep_eventpoll_poll() in that internal callers already have
  * the ep->mtx so we need to start from depth=1, such that mutex_lock_nested()

This is an automated interdiff check for backported commits.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

Validation checks completed successfully View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/29025264866

@roxanan1996

Copy link
Copy Markdown
Contributor

🔍 Upstream Linux Kernel Commit Check

* ⚠️ PR commit `62a8e2ce66d (rtmutex: Use waiter::task instead of current in remove_waiter())` references upstream commit
  `3bfdc63936dd` which has been referenced by a `Fixes:` tag in the upstream
  Linux kernel:
    74e144274af futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock (Ji'an Zhou) (CVE-2026-53166)
* ⚠️ PR commit `4ca99aa0825 (locking/rtmutex: Skip remove_waiter() when waiter is not enqueued)` does not reference a CVE but
  upstream commit `40a25d59e85b` is associated with `CVE-2026-53163`

This is an automated message from the kernel commit checker workflow.

Same as here #1419 (comment)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

created-by-kernelci Tag PRs that were automatically created when a user branch was pushed to the repo (kernelCI)

Development

Successfully merging this pull request may close these issues.

4 participants