From 2dd2826e38e62681e923bb47e232223e36a2bb28 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcin=20Wcis=C5=82o?= Date: Fri, 25 Jul 2025 20:15:54 +0200 Subject: [PATCH 01/16] netfilter: nf_tables: Reject tables of unsupported family MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit jira VULN-8164 cve CVE-2023-6040 commit-author Phil Sutter commit f1082dd31fe461d482d69da2a8eccfeb7bf07ac2 An nftables family is merely a hollow container, its family just a number and such not reliant on compile-time options other than nftables support itself. Add an artificial check so attempts at using a family the kernel can't support fail as early as possible. This helps user space detect kernels which lack e.g. NFPROTO_INET. Signed-off-by: Phil Sutter Signed-off-by: Pablo Neira Ayuso (cherry picked from commit f1082dd31fe461d482d69da2a8eccfeb7bf07ac2) Signed-off-by: Marcin Wcisło --- net/netfilter/nf_tables_api.c | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 015f13c824667..88dd8669336d0 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -1164,6 +1164,30 @@ static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg, return strcmp(obj->key.name, k->name); } +static bool nft_supported_family(u8 family) +{ + return false +#ifdef CONFIG_NF_TABLES_INET + || family == NFPROTO_INET +#endif +#ifdef CONFIG_NF_TABLES_IPV4 + || family == NFPROTO_IPV4 +#endif +#ifdef CONFIG_NF_TABLES_ARP + || family == NFPROTO_ARP +#endif +#ifdef CONFIG_NF_TABLES_NETDEV + || family == NFPROTO_NETDEV +#endif +#if IS_ENABLED(CONFIG_NF_TABLES_BRIDGE) + || family == NFPROTO_BRIDGE +#endif +#ifdef CONFIG_NF_TABLES_IPV6 + || family == NFPROTO_IPV6 +#endif + ; +} + static int nf_tables_newtable(struct sk_buff *skb, const struct nfnl_info *info, const struct nlattr * const nla[]) { @@ -1178,6 +1202,9 @@ static int nf_tables_newtable(struct sk_buff *skb, const struct nfnl_info *info, u32 flags = 0; int err; + if (!nft_supported_family(family)) + return -EOPNOTSUPP; + lockdep_assert_held(&nft_net->commit_mutex); attr = nla[NFTA_TABLE_NAME]; table = nft_table_lookup(net, attr, family, genmask, From ae5e1287b56664b486629f67c451248db34dd7d1 Mon Sep 17 00:00:00 2001 From: Anmol Jain Date: Wed, 30 Jul 2025 10:01:43 +0000 Subject: [PATCH 02/16] netfilter: nf_tables: skip bound chain on rule flush jira VULN-6585 cve CVE-2023-3777 commit-author Pablo Neira Ayuso commit 6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8 Skip bound chain when flushing table rules, the rule that owns this chain releases these objects. Otherwise, the following warning is triggered: WARNING: CPU: 2 PID: 1217 at net/netfilter/nf_tables_api.c:2013 nf_tables_chain_destroy+0x1f7/0x210 [nf_tables] CPU: 2 PID: 1217 Comm: chain-flush Not tainted 6.1.39 #1 RIP: 0010:nf_tables_chain_destroy+0x1f7/0x210 [nf_tables] Fixes: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING") Reported-by: Kevin Rich Signed-off-by: Pablo Neira Ayuso Signed-off-by: Florian Westphal (cherry picked from commit 6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8) Signed-off-by: Anmol Jain --- net/netfilter/nf_tables_api.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 88dd8669336d0..5264437d3b89b 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -3756,6 +3756,8 @@ static int nf_tables_delrule(struct sk_buff *skb, const struct nfnl_info *info, list_for_each_entry(chain, &table->chains, list) { if (!nft_is_active_next(net, chain)) continue; + if (nft_chain_is_bound(chain)) + continue; ctx.chain = chain; err = nft_delrule_by_chain(&ctx); From d60bfb4a58c42651642a751e0bf30f4f6c88a69c Mon Sep 17 00:00:00 2001 From: Anmol Jain Date: Wed, 30 Jul 2025 10:57:33 +0000 Subject: [PATCH 03/16] Bluetooth: Fix double free in hci_conn_cleanup jira VULN-334 cve CVE-2023-28464 commit-author ZhengHan Wang commit a85fb91e3d728bdfc80833167e8162cce8bc7004 syzbot reports a slab use-after-free in hci_conn_hash_flush [1]. After releasing an object using hci_conn_del_sysfs in the hci_conn_cleanup function, releasing the same object again using the hci_dev_put and hci_conn_put functions causes a double free. Here's a simplified flow: hci_conn_del_sysfs: hci_dev_put put_device kobject_put kref_put kobject_release kobject_cleanup kfree_const kfree(name) hci_dev_put: ... kfree(name) hci_conn_put: put_device ... kfree(name) This patch drop the hci_dev_put and hci_conn_put function call in hci_conn_cleanup function, because the object is freed in hci_conn_del_sysfs function. This patch also fixes the refcounting in hci_conn_add_sysfs() and hci_conn_del_sysfs() to take into account device_add() failures. This fixes CVE-2023-28464. Link: https://syzkaller.appspot.com/bug?id=1bb51491ca5df96a5f724899d1dbb87afda61419 [1] Signed-off-by: ZhengHan Wang Co-developed-by: Luiz Augusto von Dentz Signed-off-by: Luiz Augusto von Dentz (cherry picked from commit a85fb91e3d728bdfc80833167e8162cce8bc7004) Signed-off-by: Anmol Jain --- net/bluetooth/hci_conn.c | 6 ++---- net/bluetooth/hci_sysfs.c | 23 ++++++++++++----------- 2 files changed, 14 insertions(+), 15 deletions(-) diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c index f26ed278d9e3c..21af5d43803ca 100644 --- a/net/bluetooth/hci_conn.c +++ b/net/bluetooth/hci_conn.c @@ -144,13 +144,11 @@ static void hci_conn_cleanup(struct hci_conn *conn) hdev->notify(hdev, HCI_NOTIFY_CONN_DEL); } - hci_conn_del_sysfs(conn); - debugfs_remove_recursive(conn->debugfs); - hci_dev_put(hdev); + hci_conn_del_sysfs(conn); - hci_conn_put(conn); + hci_dev_put(hdev); } static void le_scan_cleanup(struct work_struct *work) diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c index 4e3e0451b08c1..a3c942da5220f 100644 --- a/net/bluetooth/hci_sysfs.c +++ b/net/bluetooth/hci_sysfs.c @@ -33,7 +33,7 @@ void hci_conn_init_sysfs(struct hci_conn *conn) { struct hci_dev *hdev = conn->hdev; - BT_DBG("conn %p", conn); + bt_dev_dbg(hdev, "conn %p", conn); conn->dev.type = &bt_link; conn->dev.class = bt_class; @@ -46,24 +46,27 @@ void hci_conn_add_sysfs(struct hci_conn *conn) { struct hci_dev *hdev = conn->hdev; - BT_DBG("conn %p", conn); + bt_dev_dbg(hdev, "conn %p", conn); dev_set_name(&conn->dev, "%s:%d", hdev->name, conn->handle); - if (device_add(&conn->dev) < 0) { + if (device_add(&conn->dev) < 0) bt_dev_err(hdev, "failed to register connection device"); - return; - } - - hci_dev_hold(hdev); } void hci_conn_del_sysfs(struct hci_conn *conn) { struct hci_dev *hdev = conn->hdev; - if (!device_is_registered(&conn->dev)) + bt_dev_dbg(hdev, "conn %p", conn); + + if (!device_is_registered(&conn->dev)) { + /* If device_add() has *not* succeeded, use *only* put_device() + * to drop the reference count. + */ + put_device(&conn->dev); return; + } while (1) { struct device *dev; @@ -75,9 +78,7 @@ void hci_conn_del_sysfs(struct hci_conn *conn) put_device(dev); } - device_del(&conn->dev); - - hci_dev_put(hdev); + device_unregister(&conn->dev); } static void bt_host_release(struct device *dev) From 839a41ce2e9cdb03532764ec83d33d0a206ef1da Mon Sep 17 00:00:00 2001 From: Shreeya Patel Date: Mon, 21 Jul 2025 12:00:46 +0000 Subject: [PATCH 04/16] perf: Disallow mis-matched inherited group reads jira VULN-6760 cve CVE-2023-5717 commit-author Peter Zijlstra commit 32671e3799ca2e4590773fd0e63aaa4229e50c06 upstream-diff This patch causes kABI breakage due to a change in the struct perf_event layout after adding the group_generation field. Hence, to preserve kABI compatibility, use RH_KABI_EXTEND macro to safely append the new field without affecting the existing layout. Also, add an upstream patch 28a6c6e ("perf/core: Fix potential NULL deref") which fixes a NULL pointer deref issue in the existing CVE fix. Because group consistency is non-atomic between parent (filedesc) and children (inherited) events, it is possible for PERF_FORMAT_GROUP read() to try and sum non-matching counter groups -- with non-sensical results. Add group_generation to distinguish the case where a parent group removes and adds an event and thus has the same number, but a different configuration of events as inherited groups. This became a problem when commit fa8c269353d5 ("perf/core: Invert perf_read_group() loops") flipped the order of child_list and sibling_list. Previously it would iterate the group (sibling_list) first, and for each sibling traverse the child_list. In this order, only the group composition of the parent is relevant. By flipping the order the group composition of the child (inherited) events becomes an issue and the mis-match in group composition becomes evident. That said; even prior to this commit, while reading of a group that is not equally inherited was not broken, it still made no sense. (Ab)use ECHILD as error return to indicate issues with child process group composition. Fixes: fa8c269353d5 ("perf/core: Invert perf_read_group() loops") Reported-by: Budimir Markovic Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/20231018115654.GK33217@noisy.programming.kicks-ass.net (cherry picked from commit 32671e3799ca2e4590773fd0e63aaa4229e50c06) Signed-off-by: Shreeya Patel --- include/linux/perf_event.h | 3 +++ kernel/events/core.c | 39 ++++++++++++++++++++++++++++++++------ 2 files changed, 36 insertions(+), 6 deletions(-) diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h index c2a7d2e1607da..111e5e0b3dcaa 100644 --- a/include/linux/perf_event.h +++ b/include/linux/perf_event.h @@ -61,6 +61,7 @@ struct perf_guest_info_callbacks { #include #include #include +#include #include struct perf_callchain_entry { @@ -803,6 +804,8 @@ struct perf_event { void *security; #endif struct list_head sb_list; + + RH_KABI_EXTEND(unsigned int group_generation) #endif /* CONFIG_PERF_EVENTS */ }; diff --git a/kernel/events/core.c b/kernel/events/core.c index bad8fb7cd8139..ab9a0a79128bb 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -1956,6 +1956,7 @@ static void perf_group_attach(struct perf_event *event) list_add_tail(&event->sibling_list, &group_leader->sibling_list); group_leader->nr_siblings++; + group_leader->group_generation++; perf_event__header_size(group_leader); @@ -2150,6 +2151,7 @@ static void perf_group_detach(struct perf_event *event) if (leader != event) { list_del_init(&event->sibling_list); event->group_leader->nr_siblings--; + event->group_leader->group_generation++; goto out; } @@ -5239,7 +5241,7 @@ static int __perf_read_group_add(struct perf_event *leader, u64 read_format, u64 *values) { struct perf_event_context *ctx = leader->ctx; - struct perf_event *sub; + struct perf_event *sub, *parent; unsigned long flags; int n = 1; /* skip @nr */ int ret; @@ -5249,6 +5251,33 @@ static int __perf_read_group_add(struct perf_event *leader, return ret; raw_spin_lock_irqsave(&ctx->lock, flags); + /* + * Verify the grouping between the parent and child (inherited) + * events is still in tact. + * + * Specifically: + * - leader->ctx->lock pins leader->sibling_list + * - parent->child_mutex pins parent->child_list + * - parent->ctx->mutex pins parent->sibling_list + * + * Because parent->ctx != leader->ctx (and child_list nests inside + * ctx->mutex), group destruction is not atomic between children, also + * see perf_event_release_kernel(). Additionally, parent can grow the + * group. + * + * Therefore it is possible to have parent and child groups in a + * different configuration and summing over such a beast makes no sense + * what so ever. + * + * Reject this. + */ + parent = leader->parent; + if (parent && + (parent->group_generation != leader->group_generation || + parent->nr_siblings != leader->nr_siblings)) { + ret = -ECHILD; + goto unlock; + } /* * Since we co-schedule groups, {enabled,running} times of siblings @@ -5282,8 +5311,9 @@ static int __perf_read_group_add(struct perf_event *leader, values[n++] = atomic64_read(&sub->lost_samples); } +unlock: raw_spin_unlock_irqrestore(&ctx->lock, flags); - return 0; + return ret; } static int perf_read_group(struct perf_event *event, @@ -5302,10 +5332,6 @@ static int perf_read_group(struct perf_event *event, values[0] = 1 + leader->nr_siblings; - /* - * By locking the child_mutex of the leader we effectively - * lock the child list of all siblings.. XXX explain how. - */ mutex_lock(&leader->child_mutex); ret = __perf_read_group_add(leader, read_format, values); @@ -13117,6 +13143,7 @@ static int inherit_group(struct perf_event *parent_event, !perf_get_aux_event(child_ctr, leader)) return -EINVAL; } + leader->group_generation = parent_event->group_generation; return 0; } From aaf8ba2afa979e958981739ebc2f9897cf6ea267 Mon Sep 17 00:00:00 2001 From: Shreeya Patel Date: Thu, 31 Jul 2025 15:49:39 +0000 Subject: [PATCH 05/16] perf/core: Fix potential NULL deref jira VULN-6760 cve-bf CVE-2023-5717 commit-author Peter Zijlstra commit a71ef31485bb51b846e8db8b3a35e432cc15afb5 Smatch is awesome. Fixes: 32671e3799ca ("perf: Disallow mis-matched inherited group reads") Reported-by: Dan Carpenter Signed-off-by: Peter Zijlstra (Intel) Signed-off-by: Ingo Molnar (cherry picked from commit a71ef31485bb51b846e8db8b3a35e432cc15afb5) Signed-off-by: Shreeya Patel --- kernel/events/core.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kernel/events/core.c b/kernel/events/core.c index ab9a0a79128bb..a273b8a17c0f9 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -13143,7 +13143,8 @@ static int inherit_group(struct perf_event *parent_event, !perf_get_aux_event(child_ctr, leader)) return -EINVAL; } - leader->group_generation = parent_event->group_generation; + if (leader) + leader->group_generation = parent_event->group_generation; return 0; } From 04479cb17e7c12aefea5b972c694f986aadb169b Mon Sep 17 00:00:00 2001 From: Brett Mastbergen Date: Wed, 30 Jul 2025 14:13:13 -0400 Subject: [PATCH 06/16] net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done jira VULN-70868 cve CVE-2025-38052 commit-author Wang Liang commit e279024617134c94fd3e37470156534d5f2b3472 Syzbot reported a slab-use-after-free with the following call trace: ================================================================== BUG: KASAN: slab-use-after-free in tipc_aead_encrypt_done+0x4bd/0x510 net/tipc/crypto.c:840 Read of size 8 at addr ffff88807a733000 by task kworker/1:0/25 Call Trace: kasan_report+0xd9/0x110 mm/kasan/report.c:601 tipc_aead_encrypt_done+0x4bd/0x510 net/tipc/crypto.c:840 crypto_request_complete include/crypto/algapi.h:266 aead_request_complete include/crypto/internal/aead.h:85 cryptd_aead_crypt+0x3b8/0x750 crypto/cryptd.c:772 crypto_request_complete include/crypto/algapi.h:266 cryptd_queue_worker+0x131/0x200 crypto/cryptd.c:181 process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231 Allocated by task 8355: kzalloc_noprof include/linux/slab.h:778 tipc_crypto_start+0xcc/0x9e0 net/tipc/crypto.c:1466 tipc_init_net+0x2dd/0x430 net/tipc/core.c:72 ops_init+0xb9/0x650 net/core/net_namespace.c:139 setup_net+0x435/0xb40 net/core/net_namespace.c:343 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110 unshare_nsproxy_namespaces+0xc0/0x1f0 kernel/nsproxy.c:228 ksys_unshare+0x419/0x970 kernel/fork.c:3323 __do_sys_unshare kernel/fork.c:3394 Freed by task 63: kfree+0x12a/0x3b0 mm/slub.c:4557 tipc_crypto_stop+0x23c/0x500 net/tipc/crypto.c:1539 tipc_exit_net+0x8c/0x110 net/tipc/core.c:119 ops_exit_list+0xb0/0x180 net/core/net_namespace.c:173 cleanup_net+0x5b7/0xbf0 net/core/net_namespace.c:640 process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231 After freed the tipc_crypto tx by delete namespace, tipc_aead_encrypt_done may still visit it in cryptd_queue_worker workqueue. I reproduce this issue by: ip netns add ns1 ip link add veth1 type veth peer name veth2 ip link set veth1 netns ns1 ip netns exec ns1 tipc bearer enable media eth dev veth1 ip netns exec ns1 tipc node set key this_is_a_master_key master ip netns exec ns1 tipc bearer disable media eth dev veth1 ip netns del ns1 The key of reproduction is that, simd_aead_encrypt is interrupted, leading to crypto_simd_usable() return false. Thus, the cryptd_queue_worker is triggered, and the tipc_crypto tx will be visited. tipc_disc_timeout tipc_bearer_xmit_skb tipc_crypto_xmit tipc_aead_encrypt crypto_aead_encrypt // encrypt() simd_aead_encrypt // crypto_simd_usable() is false child = &ctx->cryptd_tfm->base; simd_aead_encrypt crypto_aead_encrypt // encrypt() cryptd_aead_encrypt_enqueue cryptd_aead_enqueue cryptd_enqueue_request // trigger cryptd_queue_worker queue_work_on(smp_processor_id(), cryptd_wq, &cpu_queue->work) Fix this by holding net reference count before encrypt. Reported-by: syzbot+55c12726619ff85ce1f6@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=55c12726619ff85ce1f6 Fixes: fc1b6d6de220 ("tipc: introduce TIPC encryption & authentication") Signed-off-by: Wang Liang Link: https://patch.msgid.link/20250520101404.1341730-1-wangliang74@huawei.com Signed-off-by: Paolo Abeni (cherry picked from commit e279024617134c94fd3e37470156534d5f2b3472) Signed-off-by: Brett Mastbergen --- net/tipc/crypto.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c index d67440de011e7..6857638dfa392 100644 --- a/net/tipc/crypto.c +++ b/net/tipc/crypto.c @@ -817,12 +817,16 @@ static int tipc_aead_encrypt(struct tipc_aead *aead, struct sk_buff *skb, goto exit; } + /* Get net to avoid freed tipc_crypto when delete namespace */ + get_net(aead->crypto->net); + /* Now, do encrypt */ rc = crypto_aead_encrypt(req); if (rc == -EINPROGRESS || rc == -EBUSY) return rc; tipc_bearer_put(b); + put_net(aead->crypto->net); exit: kfree(ctx); @@ -860,6 +864,7 @@ static void tipc_aead_encrypt_done(struct crypto_async_request *base, int err) kfree(tx_ctx); tipc_bearer_put(b); tipc_aead_put(aead); + put_net(net); } /** From 3a5f59a61dbdf9e71ceb4534a8d939a0c883e13a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcin=20Wcis=C5=82o?= Date: Thu, 24 Jul 2025 23:49:04 +0200 Subject: [PATCH 07/16] KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit jira VULN-8190 cve CVE-2024-26598 commit-author Oliver Upton commit ad362fe07fecf0aba839ff2cc59a3617bd42c33f There is a potential UAF scenario in the case of an LPI translation cache hit racing with an operation that invalidates the cache, such as a DISCARD ITS command. The root of the problem is that vgic_its_check_cache() does not elevate the refcount on the vgic_irq before dropping the lock that serializes refcount changes. Have vgic_its_check_cache() raise the refcount on the returned vgic_irq and add the corresponding decrement after queueing the interrupt. Cc: stable@vger.kernel.org Signed-off-by: Oliver Upton Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20240104183233.3560639-1-oliver.upton@linux.dev (cherry picked from commit ad362fe07fecf0aba839ff2cc59a3617bd42c33f) Signed-off-by: Marcin Wcisło --- arch/arm64/kvm/vgic/vgic-its.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/arch/arm64/kvm/vgic/vgic-its.c b/arch/arm64/kvm/vgic/vgic-its.c index a4dff86d39f0a..72436c8641a8e 100644 --- a/arch/arm64/kvm/vgic/vgic-its.c +++ b/arch/arm64/kvm/vgic/vgic-its.c @@ -584,7 +584,11 @@ static struct vgic_irq *vgic_its_check_cache(struct kvm *kvm, phys_addr_t db, unsigned long flags; raw_spin_lock_irqsave(&dist->lpi_list_lock, flags); + irq = __vgic_its_check_cache(dist, db, devid, eventid); + if (irq) + vgic_get_irq_kref(irq); + raw_spin_unlock_irqrestore(&dist->lpi_list_lock, flags); return irq; @@ -763,6 +767,7 @@ int vgic_its_inject_cached_translation(struct kvm *kvm, struct kvm_msi *msi) raw_spin_lock_irqsave(&irq->irq_lock, flags); irq->pending_latch = true; vgic_queue_irq_unlock(kvm, irq, flags); + vgic_put_irq(kvm, irq); return 0; } From bd7c69d35f696a1e303f205b608d7efc392fc5a2 Mon Sep 17 00:00:00 2001 From: Anmol Jain Date: Wed, 6 Aug 2025 11:13:34 +0000 Subject: [PATCH 08/16] NFSD: fix use-after-free in nfsd4_ssc_setup_dul() jira VULN-8056 cve CVE-2023-1652 commit-author Xingyuan Mo commit e6cf91b7b47ff82b624bdfe2fdcde32bb52e71dd If signal_pending() returns true, schedule_timeout() will not be executed, causing the waiting task to remain in the wait queue. Fixed by adding a call to finish_wait(), which ensures that the waiting task will always be removed from the wait queue. Fixes: f4e44b393389 ("NFSD: delay unmount source's export after inter-server copy completed.") Signed-off-by: Xingyuan Mo Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever (cherry picked from commit e6cf91b7b47ff82b624bdfe2fdcde32bb52e71dd) Signed-off-by: Anmol Jain --- fs/nfsd/nfs4proc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c index b7647fe1fcfba..1666ac21987e2 100644 --- a/fs/nfsd/nfs4proc.c +++ b/fs/nfsd/nfs4proc.c @@ -1328,6 +1328,7 @@ static __be32 nfsd4_ssc_setup_dul(struct nfsd_net *nn, char *ipaddr, /* allow 20secs for mount/unmount for now - revisit */ if (signal_pending(current) || (schedule_timeout(20*HZ) == 0)) { + finish_wait(&nn->nfsd_ssc_waitq, &wait); kfree(work); return nfserr_eagain; } From 831a84d891150e75a409366280c8676542aad4be Mon Sep 17 00:00:00 2001 From: Anmol Jain Date: Thu, 7 Aug 2025 17:48:31 +0000 Subject: [PATCH 09/16] net: inet: do not leave a dangling sk pointer in inet_create() jira VULN-41185 cve CVE-2024-56601 commit-author Ignat Korchagin commit 9365fa510c6f82e3aa550a09d0c5c6b44dbc78ff sock_init_data() attaches the allocated sk object to the provided sock object. If inet_create() fails later, the sk object is freed, but the sock object retains the dangling pointer, which may create use-after-free later. Clear the sk pointer in the sock object on error. Signed-off-by: Ignat Korchagin Reviewed-by: Kuniyuki Iwashima Reviewed-by: Eric Dumazet Link: https://patch.msgid.link/20241014153808.51894-7-ignat@cloudflare.com Signed-off-by: Jakub Kicinski (cherry picked from commit 9365fa510c6f82e3aa550a09d0c5c6b44dbc78ff) Signed-off-by: Anmol Jain --- net/ipv4/af_inet.c | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c index ef59a735f6314..cc3ccfbcaf2d1 100644 --- a/net/ipv4/af_inet.c +++ b/net/ipv4/af_inet.c @@ -367,32 +367,30 @@ static int inet_create(struct net *net, struct socket *sock, int protocol, inet->inet_sport = htons(inet->inet_num); /* Add to protocol hash chains. */ err = sk->sk_prot->hash(sk); - if (err) { - sk_common_release(sk); - goto out; - } + if (err) + goto out_sk_release; } if (sk->sk_prot->init) { err = sk->sk_prot->init(sk); - if (err) { - sk_common_release(sk); - goto out; - } + if (err) + goto out_sk_release; } if (!kern) { err = BPF_CGROUP_RUN_PROG_INET_SOCK(sk); - if (err) { - sk_common_release(sk); - goto out; - } + if (err) + goto out_sk_release; } out: return err; out_rcu_unlock: rcu_read_unlock(); goto out; +out_sk_release: + sk_common_release(sk); + sock->sk = NULL; + goto out; } From fb6c158b3371db7d601108ae3a0c47b79bb0de28 Mon Sep 17 00:00:00 2001 From: Brett Mastbergen Date: Fri, 1 Aug 2025 11:21:02 -0400 Subject: [PATCH 10/16] switch to ubuntu latest --- .github/workflows/build-check_x86_64.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-check_x86_64.yml b/.github/workflows/build-check_x86_64.yml index 182d25d8d76f0..0b17e4187c619 100644 --- a/.github/workflows/build-check_x86_64.yml +++ b/.github/workflows/build-check_x86_64.yml @@ -8,7 +8,7 @@ on: jobs: kernel-build-job: runs-on: - labels: kernel-build + labels: ubuntu-latest container: image: rockylinux:9 env: From c9e6951d8c0291c0cf53769313d853665f0b6ee9 Mon Sep 17 00:00:00 2001 From: Brett Mastbergen Date: Fri, 1 Aug 2025 11:22:11 -0400 Subject: [PATCH 11/16] 4 cpu --- .github/workflows/build-check_x86_64.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-check_x86_64.yml b/.github/workflows/build-check_x86_64.yml index 0b17e4187c619..790d053328bf6 100644 --- a/.github/workflows/build-check_x86_64.yml +++ b/.github/workflows/build-check_x86_64.yml @@ -15,7 +15,7 @@ jobs: ROCKY_ENV: rocky9 ports: - 80 - options: --cpus 8 + options: --cpus 4 steps: - name: Install tools and Libraries run: | From 24baf67562472cd7ade3b30b88678048068994fe Mon Sep 17 00:00:00 2001 From: Brett Mastbergen Date: Fri, 1 Aug 2025 10:55:26 -0400 Subject: [PATCH 12/16] kabi check WIP --- .github/workflows/build-check_x86_64.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.github/workflows/build-check_x86_64.yml b/.github/workflows/build-check_x86_64.yml index 790d053328bf6..427a01590d573 100644 --- a/.github/workflows/build-check_x86_64.yml +++ b/.github/workflows/build-check_x86_64.yml @@ -32,3 +32,13 @@ jobs: cp configs/kernel-x86_64-rhel.config .config make ARCH=x86_64 CROSS_COMPILE=./scripts/dummy-tools/ olddefconfig make -j8 + - name: Check kabi + run: | + git clone --branch r9 --single-branch https://git.rockylinux.org/staging/rpms/kernel.git kernel-dist-git + git -C kernel-dist-git reset --hard imports/r9/kernel-5.14.0-284.30.1.el9_2 + KABI_CHECK=$(./kernel-dist-git/SOURCES/check-kabi -k ./kernel-dist-git/SOURCES/Module.kabi_x86_64 -s Module.symvers) + if [ $? -ne 0 ]; then + echo "Error: kABI check failed" + exit 1 + fi + echo "kABI check passed" From 77d95ba4754811f37609f1b84d2cbfde6f68bf7b Mon Sep 17 00:00:00 2001 From: Brett Mastbergen Date: Fri, 1 Aug 2025 16:08:16 -0400 Subject: [PATCH 13/16] Break the kabi --- include/linux/perf_event.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h index 111e5e0b3dcaa..b391f0d14402a 100644 --- a/include/linux/perf_event.h +++ b/include/linux/perf_event.h @@ -691,6 +691,7 @@ struct perf_event { int event_caps; /* The cumulative AND of all event_caps for events in this group. */ int group_caps; + unsigned int group_generation; struct perf_event *group_leader; struct pmu *pmu; @@ -805,7 +806,6 @@ struct perf_event { #endif struct list_head sb_list; - RH_KABI_EXTEND(unsigned int group_generation) #endif /* CONFIG_PERF_EVENTS */ }; From b877a9910cbd60330040dffd7223b8f7c91c54dc Mon Sep 17 00:00:00 2001 From: Brett Mastbergen Date: Mon, 11 Aug 2025 14:41:57 -0400 Subject: [PATCH 14/16] echo kabi check output on failure --- .github/workflows/build-check_x86_64.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build-check_x86_64.yml b/.github/workflows/build-check_x86_64.yml index 427a01590d573..56dce050c013d 100644 --- a/.github/workflows/build-check_x86_64.yml +++ b/.github/workflows/build-check_x86_64.yml @@ -38,6 +38,7 @@ jobs: git -C kernel-dist-git reset --hard imports/r9/kernel-5.14.0-284.30.1.el9_2 KABI_CHECK=$(./kernel-dist-git/SOURCES/check-kabi -k ./kernel-dist-git/SOURCES/Module.kabi_x86_64 -s Module.symvers) if [ $? -ne 0 ]; then + echo ${KABI_CHECK} echo "Error: kABI check failed" exit 1 fi From 1402bacf1fd1cf105faf354627a61ee59a66abfa Mon Sep 17 00:00:00 2001 From: Brett Mastbergen Date: Mon, 11 Aug 2025 16:02:08 -0400 Subject: [PATCH 15/16] simplify --- .github/workflows/build-check_x86_64.yml | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/.github/workflows/build-check_x86_64.yml b/.github/workflows/build-check_x86_64.yml index 56dce050c013d..885afe9d90952 100644 --- a/.github/workflows/build-check_x86_64.yml +++ b/.github/workflows/build-check_x86_64.yml @@ -36,10 +36,4 @@ jobs: run: | git clone --branch r9 --single-branch https://git.rockylinux.org/staging/rpms/kernel.git kernel-dist-git git -C kernel-dist-git reset --hard imports/r9/kernel-5.14.0-284.30.1.el9_2 - KABI_CHECK=$(./kernel-dist-git/SOURCES/check-kabi -k ./kernel-dist-git/SOURCES/Module.kabi_x86_64 -s Module.symvers) - if [ $? -ne 0 ]; then - echo ${KABI_CHECK} - echo "Error: kABI check failed" - exit 1 - fi - echo "kABI check passed" + ./kernel-dist-git/SOURCES/check-kabi -k ./kernel-dist-git/SOURCES/Module.kabi_x86_64 -s Module.symvers From d174af9e4c7d3456f2db9c150bf7e5296b145ae7 Mon Sep 17 00:00:00 2001 From: Brett Mastbergen Date: Mon, 11 Aug 2025 17:01:31 -0400 Subject: [PATCH 16/16] Revert "Break the kabi" This reverts commit 77d95ba4754811f37609f1b84d2cbfde6f68bf7b. --- include/linux/perf_event.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h index b391f0d14402a..111e5e0b3dcaa 100644 --- a/include/linux/perf_event.h +++ b/include/linux/perf_event.h @@ -691,7 +691,6 @@ struct perf_event { int event_caps; /* The cumulative AND of all event_caps for events in this group. */ int group_caps; - unsigned int group_generation; struct perf_event *group_leader; struct pmu *pmu; @@ -806,6 +805,7 @@ struct perf_event { #endif struct list_head sb_list; + RH_KABI_EXTEND(unsigned int group_generation) #endif /* CONFIG_PERF_EVENTS */ };