[LTS 9.4] CVE-2024-41049, CVE-2024-42301, CVE-2024-46858, CVE-2025-21727, CVE-2025-21887 #531

pvts-mat · 2025-08-27T15:55:33Z

[LTS 9.4]
CVE-2024-41049 VULN-8260
CVE-2024-42301 VULN-38861
CVE-2024-46858 VULN-8359
CVE-2025-21727 VULN-53766
CVE-2025-21887 VULN-55376

Commits

CVE-2024-41049

601e597:

filelock: fix potential use-after-free in posix_lock_inode

jira VULN-8260
cve CVE-2024-41049
commit-author Jeff Layton <[email protected]>
commit 1b3ec4f7c03d4b07bad70697d7e2f4088d2cfe92

CVE-2024-42301

525ab66:

dev/parport: fix the array out-of-bounds risk

jira VULN-38861
cve CVE-2024-42301
commit-author tuhaowen <[email protected]>
commit ab11dac93d2d568d151b1918d7b84c2d02bacbd5

a18f0a2:

parport: Proper fix for array out-of-bounds access

jira VULN-38861
cve-bf CVE-2024-42301
commit-author Takashi Iwai <[email protected]>
commit 02ac3a9ef3a18b58d8f3ea2b6e46de657bf6c4f9

CVE-2024-46858

d8648a4:

mptcp: pm: Fix uaf in __timer_delete_sync

jira VULN-8359
cve CVE-2024-46858
commit-author Edward Adam Davis <[email protected]>
commit b4cd80b0338945a94972ac3ed54f8338d2da2076

CVE-2025-21727

e5e164b:

padata: fix UAF in padata_reorder

jira VULN-53766
cve CVE-2025-21727
commit-author Chen Ridong <[email protected]>
commit e01780ea4661172734118d2a5f41bc9720765668

CVE-2025-21887

731f0b5:

ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up

jira VULN-55376
cve CVE-2025-21887
commit-author Vasiliy Kovalev <[email protected]>
commit c84e125fff2615b4d9c259e762596134eddd2f27

kABI check: passed

DEBUG=1 CVE=CVE-batch-1 ./ninja.sh _kabi_checked__x86_64--test--ciqlts9_4-CVE-batch-1

[0/1] Check ABI of kernel [ciqlts9_4-CVE-batch-1]
++ uname -m
+ python3 /data/src/ctrliq-github/kernel-dist-git-el-9.4/SOURCES/check-kabi -k /data/src/ctrliq-github/kernel-dist-git-el-9.4/SOURCES/Module.kabi_x86_64 -s vms/x86_64--build--ciqlts9_4/build_files/kernel-src-tree-ciqlts9_4-CVE-batch-1/Module.symvers
kABI check passed
+ touch state/kernels/ciqlts9_4-CVE-batch-1/x86_64/kabi_checked

Boot test: passed

boot-test.log

Kselftests: passed relative

Reference

kselftests–ciqlts9_4–run1.log

Patch

kselftests–ciqlts9_4-CVE-batch-1–run1.log
kselftests–ciqlts9_4-CVE-batch-1–run2.log

Comparison

The results for the reference kernel and patch are the same.

$ ktests.xsh diff  kselftests*.log

Column    File
--------  -------------------------------------------
Status0   kselftests--ciqlts9_4--run1.log
Status1   kselftests--ciqlts9_4-CVE-batch-1--run1.log
Status2   kselftests--ciqlts9_4-CVE-batch-1--run2.log

TestCase                                               Status0  Status1  Status2  Summary
bpf:test_cgroup_storage                                pass     pass     pass     same
bpf:test_lpm_map                                       pass     pass     pass     same
bpf:test_lru_map                                       pass     pass     pass     same
bpf:test_sock                                          pass     pass     pass     same
bpf:test_sysctl                                        pass     pass     pass     same
bpf:test_tag                                           pass     pass     pass     same
bpf:test_tcpnotify_user                                pass     pass     pass     same
bpf:test_verifier                                      fail     fail     fail     same
breakpoints:breakpoint_test                            pass     pass     pass     same
capabilities:test_execve                               pass     pass     pass     same
clone3:clone3                                          pass     pass     pass     same
clone3:clone3_cap_checkpoint_restore                   pass     pass     pass     same
clone3:clone3_clear_sighand                            pass     pass     pass     same
clone3:clone3_set_tid                                  pass     pass     pass     same
cpu-hotplug:cpu-on-off-test.sh                         pass     pass     pass     same
cpufreq:main.sh                                        fail     fail     fail     same
drivers/dma-buf:udmabuf                                pass     pass     pass     same
drivers/net/bonding:bond-arp-interval-causes-panic.sh  pass     pass     pass     same
drivers/net/bonding:bond-break-lacpdu-tx.sh            fail     fail     fail     same
drivers/net/bonding:bond-eth-type-change.sh            pass     pass     pass     same
drivers/net/bonding:bond-lladdr-target.sh              pass     pass     pass     same
drivers/net/bonding:bond_options.sh                    fail     fail     fail     same
drivers/net/bonding:dev_addr_lists.sh                  pass     pass     pass     same
drivers/net/bonding:mode-1-recovery-updelay.sh         pass     pass     pass     same
drivers/net/bonding:mode-2-recovery-updelay.sh         pass     pass     pass     same
drivers/net/team:dev_addr_lists.sh                     pass     pass     pass     same
exec:binfmt_script                                     pass     pass     pass     same
exec:execveat                                          pass     pass     pass     same
exec:load_address_16777216                             fail     fail     fail     same
exec:load_address_2097152                              pass     pass     pass     same
exec:load_address_4096                                 pass     pass     pass     same
exec:non-regular                                       fail     fail     fail     same
exec:recursion-depth                                   pass     pass     pass     same
filesystems/binderfs:binderfs_test                     fail     fail     fail     same
filesystems/epoll:epoll_wakeup_test                    pass     pass     pass     same
firmware:fw_run_tests.sh                               skip     skip     skip     same
fpu:run_test_fpu.sh                                    skip     skip     skip     same
fpu:test_fpu                                           pass     pass     pass     same
ftrace:ftracetest                                      fail     fail     fail     same
futex:run.sh                                           pass     pass     pass     same
gpio:gpio-mockup.sh                                    fail     fail     fail     same
intel_pstate:run.sh                                    pass     pass     pass     same
iommu:iommufd                                          fail     fail     fail     same
iommu:iommufd_fail_nth                                 pass     pass     pass     same
ipc:msgque                                             pass     pass     pass     same
ir:ir_loopback.sh                                      skip     skip     skip     same
kcmp:kcmp_test                                         pass     pass     pass     same
kexec:test_kexec_file_load.sh                          skip     skip     skip     same
kexec:test_kexec_load.sh                               skip     skip     skip     same
kvm:access_tracking_perf_test                          pass     pass     pass     same
kvm:amx_test                                           fail     fail     fail     same
kvm:cpuid_test                                         fail     fail     fail     same
kvm:cr4_cpuid_sync_test                                fail     fail     fail     same
kvm:debug_regs                                         fail     fail     fail     same
kvm:demand_paging_test                                 pass     pass     pass     same
kvm:dirty_log_page_splitting_test                      fail     fail     fail     same
kvm:dirty_log_perf_test                                pass     pass     pass     same
kvm:dirty_log_test                                     fail     fail     fail     same
kvm:exit_on_emulation_failure_test                     fail     fail     fail     same
kvm:fix_hypercall_test                                 fail     fail     fail     same
kvm:get_msr_index_features                             fail     fail     fail     same
kvm:guest_memfd_test                                   pass     pass     pass     same
kvm:guest_print_test                                   pass     pass     pass     same
kvm:hardware_disable_test                              pass     pass     pass     same
kvm:hyperv_clock                                       fail     fail     fail     same
kvm:hyperv_cpuid                                       fail     fail     fail     same
kvm:hyperv_evmcs                                       fail     fail     fail     same
kvm:hyperv_extended_hypercalls                         fail     fail     fail     same
kvm:hyperv_features                                    fail     fail     fail     same
kvm:hyperv_ipi                                         fail     fail     fail     same
kvm:hyperv_svm_test                                    fail     fail     fail     same
kvm:hyperv_tlb_flush                                   fail     fail     fail     same
kvm:kvm_binary_stats_test                              pass     pass     pass     same
kvm:kvm_clock_test                                     fail     fail     fail     same
kvm:kvm_create_max_vcpus                               pass     pass     pass     same
kvm:kvm_page_table_test                                pass     pass     pass     same
kvm:kvm_pv_test                                        fail     fail     fail     same
kvm:max_guest_memory_test                              pass     pass     pass     same
kvm:max_vcpuid_cap_test                                fail     fail     fail     same
kvm:memslot_modification_stress_test                   pass     pass     pass     same
kvm:memslot_perf_test                                  pass     pass     pass     same
kvm:mmio_warning_test                                  fail     fail     fail     same
kvm:monitor_mwait_test                                 fail     fail     fail     same
kvm:nested_exceptions_test                             fail     fail     fail     same
kvm:nx_huge_pages_test.sh                              fail     fail     fail     same
kvm:platform_info_test                                 fail     fail     fail     same
kvm:pmu_event_filter_test                              fail     fail     fail     same
kvm:private_mem_conversions_test                       fail     fail     fail     same
kvm:private_mem_kvm_exits_test                         fail     fail     fail     same
kvm:recalc_apic_map_test                               fail     fail     fail     same
kvm:rseq_test                                          fail     fail     fail     same
kvm:set_boot_cpu_id                                    fail     fail     fail     same
kvm:set_memory_region_test                             pass     pass     pass     same
kvm:set_sregs_test                                     fail     fail     fail     same
kvm:sev_migrate_tests                                  fail     fail     fail     same
kvm:smaller_maxphyaddr_emulation_test                  fail     fail     fail     same
kvm:smm_test                                           fail     fail     fail     same
kvm:state_test                                         fail     fail     fail     same
kvm:steal_time                                         pass     pass     pass     same
kvm:svm_int_ctl_test                                   fail     fail     fail     same
kvm:svm_nested_shutdown_test                           fail     fail     fail     same
kvm:svm_nested_soft_inject_test                        fail     fail     fail     same
kvm:svm_vmcall_test                                    fail     fail     fail     same
kvm:sync_regs_test                                     fail     fail     fail     same
kvm:system_counter_offset_test                         pass     pass     pass     same
kvm:triple_fault_event_test                            fail     fail     fail     same
kvm:tsc_msrs_test                                      fail     fail     fail     same
kvm:tsc_scaling_sync                                   fail     fail     fail     same
kvm:ucna_injection_test                                fail     fail     fail     same
kvm:userspace_io_test                                  fail     fail     fail     same
kvm:userspace_msr_exit_test                            fail     fail     fail     same
kvm:vmx_apic_access_test                               fail     fail     fail     same
kvm:vmx_close_while_nested_test                        fail     fail     fail     same
kvm:vmx_dirty_log_test                                 fail     fail     fail     same
kvm:vmx_exception_with_invalid_guest_state             fail     fail     fail     same
kvm:vmx_invalid_nested_guest_state                     fail     fail     fail     same
kvm:vmx_msrs_test                                      fail     fail     fail     same
kvm:vmx_nested_tsc_scaling_test                        fail     fail     fail     same
kvm:vmx_pmu_caps_test                                  fail     fail     fail     same
kvm:vmx_preemption_timer_test                          fail     fail     fail     same
kvm:vmx_set_nested_state_test                          fail     fail     fail     same
kvm:vmx_tsc_adjust_test                                fail     fail     fail     same
kvm:xapic_ipi_test                                     fail     fail     fail     same
kvm:xapic_state_test                                   fail     fail     fail     same
kvm:xcr0_cpuid_test                                    fail     fail     fail     same
kvm:xen_shinfo_test                                    fail     fail     fail     same
kvm:xen_vmcall_test                                    fail     fail     fail     same
kvm:xss_msr_test                                       fail     fail     fail     same
landlock:base_test                                     fail     fail     fail     same
landlock:fs_test                                       fail     fail     fail     same
landlock:ptrace_test                                   fail     fail     fail     same
lib:bitmap.sh                                          skip     skip     skip     same
lib:prime_numbers.sh                                   pass     pass     pass     same
lib:printf.sh                                          skip     skip     skip     same
lib:scanf.sh                                           skip     skip     skip     same
lib:strscpy.sh                                         skip     skip     skip     same
livepatch:test-callbacks.sh                            pass     pass     pass     same
livepatch:test-ftrace.sh                               pass     pass     pass     same
livepatch:test-livepatch.sh                            pass     pass     pass     same
livepatch:test-shadow-vars.sh                          pass     pass     pass     same
livepatch:test-state.sh                                pass     pass     pass     same
livepatch:test-sysfs.sh                                pass     pass     pass     same
membarrier:membarrier_test_multi_thread                pass     pass     pass     same
membarrier:membarrier_test_single_thread               pass     pass     pass     same
memfd:memfd_test                                       pass     pass     pass     same
memfd:run_fuse_test.sh                                 pass     pass     pass     same
memfd:run_hugetlbfs_test.sh                            pass     pass     pass     same
memory-hotplug:mem-on-off-test.sh                      pass     pass     pass     same
mincore:mincore_selftest                               fail     fail     fail     same
mount:run_nosymfollow.sh                               pass     pass     pass     same
mount:run_unprivileged_remount.sh                      pass     pass     pass     same
mqueue:mq_open_tests                                   pass     pass     pass     same
mqueue:mq_perf_tests                                   pass     pass     pass     same
nci:nci_dev                                            fail     fail     fail     same
net/forwarding:bridge_locked_port.sh                   pass     pass     pass     same
net/forwarding:bridge_mdb.sh                           skip     skip     skip     same
net/forwarding:bridge_mdb_host.sh                      pass     pass     pass     same
net/forwarding:bridge_mdb_max.sh                       skip     skip     skip     same
net/forwarding:bridge_mdb_port_down.sh                 pass     pass     pass     same
net/forwarding:bridge_mld.sh                           pass     pass     pass     same
net/forwarding:bridge_port_isolation.sh                pass     pass     pass     same
net/forwarding:bridge_sticky_fdb.sh                    pass     pass     pass     same
net/forwarding:bridge_vlan_aware.sh                    pass     pass     pass     same
net/forwarding:bridge_vlan_mcast.sh                    pass     pass     pass     same
net/forwarding:bridge_vlan_unaware.sh                  pass     pass     pass     same
net/forwarding:custom_multipath_hash.sh                fail     fail     fail     same
net/forwarding:ethtool.sh                              skip     skip     skip     same
net/forwarding:ethtool_extended_state.sh               skip     skip     skip     same
net/forwarding:gre_custom_multipath_hash.sh            fail     fail     fail     same
net/forwarding:gre_inner_v4_multipath.sh               pass     pass     pass     same
net/forwarding:gre_multipath.sh                        pass     pass     pass     same
net/forwarding:gre_multipath_nh.sh                     fail     fail     fail     same
net/forwarding:gre_multipath_nh_res.sh                 fail     fail     fail     same
net/forwarding:hw_stats_l3.sh                          skip     skip     skip     same
net/forwarding:hw_stats_l3_gre.sh                      skip     skip     skip     same
net/forwarding:ip6_forward_instats_vrf.sh              skip     skip     skip     same
net/forwarding:ip6gre_custom_multipath_hash.sh         fail     fail     fail     same
net/forwarding:ip6gre_flat.sh                          pass     pass     pass     same
net/forwarding:ip6gre_flat_key.sh                      pass     pass     pass     same
net/forwarding:ip6gre_flat_keys.sh                     pass     pass     pass     same
net/forwarding:ip6gre_hier.sh                          pass     pass     pass     same
net/forwarding:ip6gre_hier_key.sh                      pass     pass     pass     same
net/forwarding:ip6gre_hier_keys.sh                     pass     pass     pass     same
net/forwarding:ip6gre_inner_v4_multipath.sh            pass     pass     pass     same
net/forwarding:ipip_flat_gre.sh                        pass     pass     pass     same
net/forwarding:ipip_flat_gre_key.sh                    pass     pass     pass     same
net/forwarding:ipip_flat_gre_keys.sh                   pass     pass     pass     same
net/forwarding:ipip_hier_gre.sh                        pass     pass     pass     same
net/forwarding:ipip_hier_gre_key.sh                    pass     pass     pass     same
net/forwarding:local_termination.sh                    skip     skip     skip     same
net/forwarding:loopback.sh                             skip     skip     skip     same
net/forwarding:mirror_gre.sh                           pass     pass     pass     same
net/forwarding:mirror_gre_bound.sh                     pass     pass     pass     same
net/forwarding:mirror_gre_bridge_1d.sh                 pass     pass     pass     same
net/forwarding:mirror_gre_bridge_1q.sh                 pass     pass     pass     same
net/forwarding:mirror_gre_bridge_1q_lag.sh             pass     pass     pass     same
net/forwarding:mirror_gre_changes.sh                   pass     pass     pass     same
net/forwarding:mirror_gre_flower.sh                    pass     pass     pass     same
net/forwarding:mirror_gre_lag_lacp.sh                  pass     pass     pass     same
net/forwarding:mirror_gre_neigh.sh                     pass     pass     pass     same
net/forwarding:mirror_gre_nh.sh                        pass     pass     pass     same
net/forwarding:mirror_gre_vlan.sh                      pass     pass     pass     same
net/forwarding:mirror_vlan.sh                          pass     pass     pass     same
net/forwarding:no_forwarding.sh                        pass     pass     pass     same
net/forwarding:pedit_dsfield.sh                        pass     pass     pass     same
net/forwarding:pedit_ip.sh                             pass     pass     pass     same
net/forwarding:pedit_l4port.sh                         pass     pass     pass     same
net/forwarding:q_in_vni_ipv6.sh                        pass     pass     pass     same
net/forwarding:router.sh                               skip     skip     skip     same
net/forwarding:router_bridge.sh                        pass     pass     pass     same
net/forwarding:router_bridge_1d.sh                     pass     pass     pass     same
net/forwarding:router_bridge_pvid_vlan_upper.sh        pass     pass     pass     same
net/forwarding:router_bridge_vlan.sh                   pass     pass     pass     same
net/forwarding:router_bridge_vlan_upper.sh             pass     pass     pass     same
net/forwarding:router_bridge_vlan_upper_pvid.sh        pass     pass     pass     same
net/forwarding:router_broadcast.sh                     pass     pass     pass     same
net/forwarding:router_mpath_nh.sh                      fail     fail     fail     same
net/forwarding:router_mpath_nh_res.sh                  pass     pass     pass     same
net/forwarding:router_multicast.sh                     skip     skip     skip     same
net/forwarding:router_multipath.sh                     fail     fail     fail     same
net/forwarding:router_nh.sh                            pass     pass     pass     same
net/forwarding:router_vid_1.sh                         pass     pass     pass     same
net/forwarding:skbedit_priority.sh                     pass     pass     pass     same
net/forwarding:tc_chains.sh                            pass     pass     pass     same
net/forwarding:tc_flower.sh                            pass     pass     pass     same
net/forwarding:tc_flower_cfm.sh                        fail     fail     fail     same
net/forwarding:tc_flower_l2_miss.sh                    fail     fail     fail     same
net/forwarding:tc_flower_router.sh                     pass     pass     pass     same
net/forwarding:tc_mpls_l2vpn.sh                        pass     pass     pass     same
net/forwarding:tc_shblocks.sh                          pass     pass     pass     same
net/forwarding:tc_tunnel_key.sh                        skip     skip     skip     same
net/forwarding:tc_vlan_modify.sh                       pass     pass     pass     same
net/forwarding:vxlan_asymmetric.sh                     pass     pass     pass     same
net/forwarding:vxlan_asymmetric_ipv6.sh                pass     pass     pass     same
net/forwarding:vxlan_bridge_1d.sh                      pass     pass     pass     same
net/forwarding:vxlan_bridge_1d_port_8472.sh            pass     pass     pass     same
net/forwarding:vxlan_bridge_1d_port_8472_ipv6.sh       pass     pass     pass     same
net/forwarding:vxlan_bridge_1q.sh                      pass     pass     pass     same
net/forwarding:vxlan_bridge_1q_ipv6.sh                 pass     pass     pass     same
net/forwarding:vxlan_bridge_1q_port_8472.sh            pass     pass     pass     same
net/forwarding:vxlan_bridge_1q_port_8472_ipv6.sh       pass     pass     pass     same
net/forwarding:vxlan_symmetric.sh                      pass     pass     pass     same
net/forwarding:vxlan_symmetric_ipv6.sh                 pass     pass     pass     same
net/hsr:hsr_ping.sh                                    fail     fail     fail     same
net/mptcp:diag.sh                                      pass     pass     pass     same
net/mptcp:mptcp_connect.sh                             pass     pass     pass     same
net/mptcp:mptcp_sockopt.sh                             pass     pass     pass     same
net/mptcp:pm_netlink.sh                                pass     pass     pass     same
net:altnames.sh                                        pass     pass     pass     same
net:bareudp.sh                                         pass     pass     pass     same
net:big_tcp.sh                                         skip     skip     skip     same
net:cmsg_so_mark.sh                                    pass     pass     pass     same
net:devlink_port_split.py                              skip     skip     skip     same
net:drop_monitor_tests.sh                              skip     skip     skip     same
net:fcnal-test.sh                                      skip     skip     skip     same
net:fib-onlink-tests.sh                                pass     pass     pass     same
net:fib_nexthop_multiprefix.sh                         pass     pass     pass     same
net:fib_nexthop_nongw.sh                               pass     pass     pass     same
net:fib_rule_tests.sh                                  pass     pass     pass     same
net:fib_tests.sh                                       fail     fail     fail     same
net:fin_ack_lat.sh                                     pass     pass     pass     same
net:gre_gso.sh                                         skip     skip     skip     same
net:icmp.sh                                            fail     fail     fail     same
net:icmp_redirect.sh                                   pass     pass     pass     same
net:io_uring_zerocopy_tx.sh                            fail     fail     fail     same
net:ip6_gre_headroom.sh                                pass     pass     pass     same
net:ipv6_flowlabel.sh                                  pass     pass     pass     same
net:l2_tos_ttl_inherit.sh                              skip     skip     skip     same
net:l2tp.sh                                            pass     pass     pass     same
net:msg_zerocopy.sh                                    pass     pass     pass     same
net:netdevice.sh                                       pass     pass     pass     same
net:pmtu.sh                                            fail     fail     fail     same
net:psock_snd.sh                                       pass     pass     pass     same
net:reuseaddr_ports_exhausted.sh                       pass     pass     pass     same
net:reuseport_bpf                                      pass     pass     pass     same
net:reuseport_bpf_cpu                                  pass     pass     pass     same
net:reuseport_bpf_numa                                 pass     pass     pass     same
net:reuseport_dualstack                                pass     pass     pass     same
net:route_localnet.sh                                  pass     pass     pass     same
net:rps_default_mask.sh                                pass     pass     pass     same
net:rtnetlink.sh                                       skip     skip     skip     same
net:run_afpackettests                                  pass     pass     pass     same
net:run_netsocktests                                   pass     pass     pass     same
net:rxtimestamp.sh                                     pass     pass     pass     same
net:so_txtime.sh                                       pass     pass     pass     same
net:srv6_end_next_csid_l3vpn_test.sh                   pass     pass     pass     same
net:srv6_hencap_red_l3vpn_test.sh                      pass     pass     pass     same
net:srv6_hl2encap_red_l2vpn_test.sh                    pass     pass     pass     same
net:stress_reuseport_listen.sh                         pass     pass     pass     same
net:tcp_fastopen_backup_key.sh                         pass     pass     pass     same
net:test_blackhole_dev.sh                              fail     fail     fail     same
net:test_bpf.sh                                        pass     pass     pass     same
net:test_bridge_neigh_suppress.sh                      skip     skip     skip     same
net:test_vxlan_fdb_changelink.sh                       pass     pass     pass     same
net:test_vxlan_under_vrf.sh                            pass     pass     pass     same
net:tls                                                pass     pass     pass     same
net:traceroute.sh                                      pass     pass     pass     same
net:udpgro.sh                                          fail     fail     fail     same
net:udpgro_bench.sh                                    fail     fail     fail     same
net:udpgso.sh                                          pass     pass     pass     same
net:unicast_extensions.sh                              pass     pass     pass     same
net:veth.sh                                            fail     fail     fail     same
net:vrf-xfrm-tests.sh                                  pass     pass     pass     same
net:vrf_route_leaking.sh                               pass     pass     pass     same
net:vrf_strict_mode_test.sh                            pass     pass     pass     same
netfilter:bridge_brouter.sh                            skip     skip     skip     same
netfilter:conntrack_icmp_related.sh                    fail     fail     fail     same
netfilter:conntrack_tcp_unreplied.sh                   fail     fail     fail     same
netfilter:conntrack_vrf.sh                             skip     skip     skip     same
netfilter:ipip-conntrack-mtu.sh                        skip     skip     skip     same
netfilter:ipvs.sh                                      skip     skip     skip     same
netfilter:nf_nat_edemux.sh                             skip     skip     skip     same
netfilter:nft_audit.sh                                 fail     fail     fail     same
netfilter:nft_concat_range.sh                          fail     fail     fail     same
netfilter:nft_conntrack_helper.sh                      skip     skip     skip     same
netfilter:nft_fib.sh                                   skip     skip     skip     same
netfilter:nft_flowtable.sh                             fail     fail     fail     same
netfilter:nft_meta.sh                                  pass     pass     pass     same
netfilter:nft_nat.sh                                   skip     skip     skip     same
netfilter:nft_queue.sh                                 skip     skip     skip     same
netfilter:rpath.sh                                     pass     pass     pass     same
nsfs:owner                                             pass     pass     pass     same
nsfs:pidns                                             pass     pass     pass     same
pid_namespace:regression_enomem                        pass     pass     pass     same
pidfd:pidfd_fdinfo_test                                pass     pass     pass     same
pidfd:pidfd_getfd_test                                 pass     pass     pass     same
pidfd:pidfd_open_test                                  pass     pass     pass     same
pidfd:pidfd_poll_test                                  pass     pass     pass     same
pidfd:pidfd_setns_test                                 pass     pass     pass     same
pidfd:pidfd_test                                       pass     pass     pass     same
pidfd:pidfd_wait                                       pass     pass     pass     same
proc:fd-001-lookup                                     pass     pass     pass     same
proc:fd-002-posix-eq                                   pass     pass     pass     same
proc:fd-003-kthread                                    pass     pass     pass     same
proc:proc-fsconfig-hidepid                             pass     pass     pass     same
proc:proc-loadavg-001                                  pass     pass     pass     same
proc:proc-multiple-procfs                              pass     pass     pass     same
proc:proc-self-map-files-001                           pass     pass     pass     same
proc:proc-self-map-files-002                           pass     pass     pass     same
proc:proc-self-syscall                                 pass     pass     pass     same
proc:proc-self-wchan                                   pass     pass     pass     same
proc:proc-subset-pid                                   pass     pass     pass     same
proc:proc-uptime-002                                   pass     pass     pass     same
proc:read                                              pass     pass     pass     same
proc:self                                              pass     pass     pass     same
proc:setns-dcache                                      pass     pass     pass     same
proc:setns-sysvipc                                     pass     pass     pass     same
proc:thread-self                                       pass     pass     pass     same
pstore:pstore_post_reboot_tests                        skip     skip     skip     same
pstore:pstore_tests                                    fail     fail     fail     same
ptrace:get_syscall_info                                pass     pass     pass     same
ptrace:peeksiginfo                                     pass     pass     pass     same
ptrace:vmaccess                                        fail     fail     fail     same
rlimits:rlimits-per-userns                             pass     pass     pass     same
rseq:basic_percpu_ops_test                             pass     pass     pass     same
rseq:basic_test                                        pass     pass     pass     same
rseq:param_test                                        pass     pass     pass     same
rseq:param_test_benchmark                              pass     pass     pass     same
rseq:param_test_compare_twice                          pass     pass     pass     same
rseq:run_param_test.sh                                 pass     pass     pass     same
seccomp:seccomp_benchmark                              pass     pass     pass     same
seccomp:seccomp_bpf                                    pass     pass     pass     same
sgx:test_sgx                                           fail     fail     fail     same
sigaltstack:sas                                        pass     pass     pass     same
size:get_size                                          pass     pass     pass     same
splice:default_file_splice_read.sh                     pass     pass     pass     same
splice:short_splice_read.sh                            fail     fail     fail     same
static_keys:test_static_keys.sh                        skip     skip     skip     same
syscall_user_dispatch:sud_benchmark                    pass     pass     pass     same
syscall_user_dispatch:sud_test                         pass     pass     pass     same
tc-testing:tdc.sh                                      fail     fail     fail     same
tdx:tdx_guest_test                                     fail     fail     fail     same
timens:clock_nanosleep                                 pass     pass     pass     same
timens:exec                                            pass     pass     pass     same
timens:futex                                           pass     pass     pass     same
timens:procfs                                          pass     pass     pass     same
timens:timens                                          pass     pass     pass     same
timens:timer                                           pass     pass     pass     same
timens:timerfd                                         pass     pass     pass     same
timens:vfork_exec                                      pass     pass     pass     same
timers:inconsistency-check                             pass     pass     pass     same
timers:mqueue-lat                                      pass     pass     pass     same
timers:nanosleep                                       pass     pass     pass     same
timers:nsleep-lat                                      pass     pass     pass     same
timers:posix_timers                                    pass     pass     pass     same
timers:raw_skew                                        pass     pass     pass     same
timers:rtcpie                                          pass     pass     pass     same
timers:set-timer-lat                                   pass     pass     pass     same
timers:threadtest                                      pass     pass     pass     same
tmpfs:bug-link-o-tmpfile                               pass     pass     pass     same
tpm2:test_smoke.sh                                     skip     skip     skip     same
tpm2:test_space.sh                                     skip     skip     skip     same
tty:tty_tstamp_update                                  skip     skip     skip     same
vDSO:vdso_standalone_test_x86                          pass     pass     pass     same
vDSO:vdso_test_abi                                     pass     pass     pass     same
vDSO:vdso_test_clock_getres                            pass     pass     pass     same
vDSO:vdso_test_correctness                             pass     pass     pass     same
vDSO:vdso_test_getcpu                                  pass     pass     pass     same
vDSO:vdso_test_gettimeofday                            pass     pass     pass     same
x86:amx_64                                             fail     fail     fail     same
x86:check_initial_reg_state_64                         pass     pass     pass     same
x86:corrupt_xstate_header_64                           fail     fail     fail     same
x86:fsgsbase_64                                        fail     fail     fail     same
x86:fsgsbase_restore_64                                fail     fail     fail     same
x86:ioperm_64                                          pass     pass     pass     same
x86:iopl_64                                            pass     pass     pass     same
x86:lam_64                                             fail     fail     fail     same
x86:mov_ss_trap_64                                     fail     fail     fail     same
x86:sigaltstack_64                                     fail     fail     fail     same
x86:sigreturn_64                                       fail     fail     fail     same
x86:single_step_syscall_64                             fail     fail     fail     same
x86:syscall_arg_fault_64                               fail     fail     fail     same
x86:syscall_nt_64                                      pass     pass     pass     same
x86:syscall_numbering_64                               fail     fail     fail     same
x86:sysret_rip_64                                      fail     fail     fail     same
x86:sysret_ss_attrs_64                                 pass     pass     pass     same
x86:test_mremap_vdso_64                                pass     pass     pass     same
x86:test_vsyscall_64                                   pass     pass     pass     same
zram:zram.sh                                           pass     pass     pass     same

jira VULN-8260 cve CVE-2024-41049 commit-author Jeff Layton <[email protected]> commit 1b3ec4f Light Hsieh reported a KASAN UAF warning in trace_posix_lock_inode(). The request pointer had been changed earlier to point to a lock entry that was added to the inode's list. However, before the tracepoint could fire, another task raced in and freed that lock. Fix this by moving the tracepoint inside the spinlock, which should ensure that this doesn't happen. Fixes: 74f6f59 ("locks: fix KASAN: use-after-free in trace_event_raw_event_filelock_lock") Link: https://lore.kernel.org/linux-fsdevel/[email protected]/ Reported-by: Light Hsieh (謝明燈) <[email protected]> Signed-off-by: Jeff Layton <[email protected]> Link: https://lore.kernel.org/r/[email protected] Reviewed-by: Alexander Aring <[email protected]> Signed-off-by: Christian Brauner <[email protected]> (cherry picked from commit 1b3ec4f) Signed-off-by: Marcin Wcisło <[email protected]>

jira VULN-38861 cve CVE-2024-42301 commit-author tuhaowen <[email protected]> commit ab11dac Fixed array out-of-bounds issues caused by sprintf by replacing it with snprintf for safer data copying, ensuring the destination buffer is not overflowed. Below is the stack trace I encountered during the actual issue: [ 66.575408s] [pid:5118,cpu4,QThread,4]Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: do_hardware_base_addr+0xcc/0xd0 [parport] [ 66.575408s] [pid:5118,cpu4,QThread,5]CPU: 4 PID: 5118 Comm: QThread Tainted: G S W O 5.10.97-arm64-desktop #7100.57021.2 [ 66.575439s] [pid:5118,cpu4,QThread,6]TGID: 5087 Comm: EFileApp [ 66.575439s] [pid:5118,cpu4,QThread,7]Hardware name: HUAWEI HUAWEI QingYun PGUX-W515x-B081/SP1PANGUXM, BIOS 1.00.07 04/29/2024 [ 66.575439s] [pid:5118,cpu4,QThread,8]Call trace: [ 66.575469s] [pid:5118,cpu4,QThread,9] dump_backtrace+0x0/0x1c0 [ 66.575469s] [pid:5118,cpu4,QThread,0] show_stack+0x14/0x20 [ 66.575469s] [pid:5118,cpu4,QThread,1] dump_stack+0xd4/0x10c [ 66.575500s] [pid:5118,cpu4,QThread,2] panic+0x1d8/0x3bc [ 66.575500s] [pid:5118,cpu4,QThread,3] __stack_chk_fail+0x2c/0x38 [ 66.575500s] [pid:5118,cpu4,QThread,4] do_hardware_base_addr+0xcc/0xd0 [parport] Signed-off-by: tuhaowen <[email protected]> Cc: stable <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Greg Kroah-Hartman <[email protected]> (cherry picked from commit ab11dac) Signed-off-by: Marcin Wcisło <[email protected]>

jira VULN-38861 cve-bf CVE-2024-42301 commit-author Takashi Iwai <[email protected]> commit 02ac3a9 The recent fix for array out-of-bounds accesses replaced sprintf() calls blindly with snprintf(). However, since snprintf() returns the would-be-printed size, not the actually output size, the length calculation can still go over the given limit. Use scnprintf() instead of snprintf(), which returns the actually output letters, for addressing the potential out-of-bounds access properly. Fixes: ab11dac ("dev/parport: fix the array out-of-bounds risk") Cc: [email protected] Signed-off-by: Takashi Iwai <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Greg Kroah-Hartman <[email protected]> (cherry picked from commit 02ac3a9) Signed-off-by: Marcin Wcisło <[email protected]>

jira VULN-8359 cve CVE-2024-46858 commit-author Edward Adam Davis <[email protected]> commit b4cd80b There are two paths to access mptcp_pm_del_add_timer, result in a race condition: CPU1 CPU2 ==== ==== net_rx_action napi_poll netlink_sendmsg __napi_poll netlink_unicast process_backlog netlink_unicast_kernel __netif_receive_skb genl_rcv __netif_receive_skb_one_core netlink_rcv_skb NF_HOOK genl_rcv_msg ip_local_deliver_finish genl_family_rcv_msg ip_protocol_deliver_rcu genl_family_rcv_msg_doit tcp_v4_rcv mptcp_pm_nl_flush_addrs_doit tcp_v4_do_rcv mptcp_nl_remove_addrs_list tcp_rcv_established mptcp_pm_remove_addrs_and_subflows tcp_data_queue remove_anno_list_by_saddr mptcp_incoming_options mptcp_pm_del_add_timer mptcp_pm_del_add_timer kfree(entry) In remove_anno_list_by_saddr(running on CPU2), after leaving the critical zone protected by "pm.lock", the entry will be released, which leads to the occurrence of uaf in the mptcp_pm_del_add_timer(running on CPU1). Keeping a reference to add_timer inside the lock, and calling sk_stop_timer_sync() with this reference, instead of "entry->add_timer". Move list_del(&entry->list) to mptcp_pm_del_add_timer and inside the pm lock, do not directly access any members of the entry outside the pm lock, which can avoid similar "entry->x" uaf. Fixes: 00cfd77 ("mptcp: retransmit ADD_ADDR when timeout") Cc: [email protected] Reported-and-tested-by: [email protected] Closes: https://syzkaller.appspot.com/bug?extid=f3a31fb909db9b2a5c4d Signed-off-by: Matthieu Baerts (NGI0) <[email protected]> Signed-off-by: Edward Adam Davis <[email protected]> Acked-by: Paolo Abeni <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Jakub Kicinski <[email protected]> (cherry picked from commit b4cd80b) Signed-off-by: Marcin Wcisło <[email protected]>

jira VULN-53766 cve CVE-2025-21727 commit-author Chen Ridong <[email protected]> commit e01780e A bug was found when run ltp test: BUG: KASAN: slab-use-after-free in padata_find_next+0x29/0x1a0 Read of size 4 at addr ffff88bbfe003524 by task kworker/u113:2/3039206 CPU: 0 PID: 3039206 Comm: kworker/u113:2 Kdump: loaded Not tainted 6.6.0+ Workqueue: pdecrypt_parallel padata_parallel_worker Call Trace: <TASK> dump_stack_lvl+0x32/0x50 print_address_description.constprop.0+0x6b/0x3d0 print_report+0xdd/0x2c0 kasan_report+0xa5/0xd0 padata_find_next+0x29/0x1a0 padata_reorder+0x131/0x220 padata_parallel_worker+0x3d/0xc0 process_one_work+0x2ec/0x5a0 If 'mdelay(10)' is added before calling 'padata_find_next' in the 'padata_reorder' function, this issue could be reproduced easily with ltp test (pcrypt_aead01). This can be explained as bellow: pcrypt_aead_encrypt ... padata_do_parallel refcount_inc(&pd->refcnt); // add refcnt ... padata_do_serial padata_reorder // pd while (1) { padata_find_next(pd, true); // using pd queue_work_on ... padata_serial_worker crypto_del_alg padata_put_pd_cnt // sub refcnt padata_free_shell padata_put_pd(ps->pd); // pd is freed // loop again, but pd is freed // call padata_find_next, UAF } In the padata_reorder function, when it loops in 'while', if the alg is deleted, the refcnt may be decreased to 0 before entering 'padata_find_next', which leads to UAF. As mentioned in [1], do_serial is supposed to be called with BHs disabled and always happen under RCU protection, to address this issue, add synchronize_rcu() in 'padata_free_shell' wait for all _do_serial calls to finish. [1] https://lore.kernel.org/all/[email protected]/ [2] https://lore.kernel.org/linux-kernel/jfjz5d7zwbytztackem7ibzalm5lnxldi2eofeiczqmqs2m7o6@fq426cwnjtkm/ Fixes: b128a30 ("padata: allocate workqueue internally") Signed-off-by: Chen Ridong <[email protected]> Signed-off-by: Qu Zicheng <[email protected]> Acked-by: Daniel Jordan <[email protected]> Signed-off-by: Herbert Xu <[email protected]> (cherry picked from commit e01780e) Signed-off-by: Marcin Wcisło <[email protected]>

jira VULN-55376 cve CVE-2025-21887 commit-author Vasiliy Kovalev <[email protected]> commit c84e125 The issue was caused by dput(upper) being called before ovl_dentry_update_reval(), while upper->d_flags was still accessed in ovl_dentry_remote(). Move dput(upper) after its last use to prevent use-after-free. BUG: KASAN: slab-use-after-free in ovl_dentry_remote fs/overlayfs/util.c:162 [inline] BUG: KASAN: slab-use-after-free in ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc3/0x620 mm/kasan/report.c:488 kasan_report+0xd9/0x110 mm/kasan/report.c:601 ovl_dentry_remote fs/overlayfs/util.c:162 [inline] ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167 ovl_link_up fs/overlayfs/copy_up.c:610 [inline] ovl_copy_up_one+0x2105/0x3490 fs/overlayfs/copy_up.c:1170 ovl_copy_up_flags+0x18d/0x200 fs/overlayfs/copy_up.c:1223 ovl_rename+0x39e/0x18c0 fs/overlayfs/dir.c:1136 vfs_rename+0xf84/0x20a0 fs/namei.c:4893 ... </TASK> Fixes: b07d5cc ("ovl: update of dentry revalidate flags after copy up") Reported-by: [email protected] Closes: https://syzkaller.appspot.com/bug?extid=316db8a1191938280eb6 Signed-off-by: Vasiliy Kovalev <[email protected]> Link: https://lore.kernel.org/r/[email protected] Reviewed-by: Amir Goldstein <[email protected]> Signed-off-by: Christian Brauner <[email protected]> (cherry picked from commit c84e125) Signed-off-by: Marcin Wcisło <[email protected]>

thefossguy-ciq

🚤

pvts-mat added 6 commits August 26, 2025 00:05

bmastbergen requested review from PlaidCat, bmastbergen, kerneltoast, shreeya-patel98 and thefossguy-ciq August 27, 2025 20:34

thefossguy-ciq approved these changes Aug 28, 2025

View reviewed changes

Kemotaha approved these changes Aug 29, 2025

View reviewed changes

shreeya-patel98 approved these changes Sep 1, 2025

View reviewed changes

bmastbergen merged commit 72caef5 into ctrliq:ciqlts9_4 Sep 2, 2025
4 of 5 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[LTS 9.4] CVE-2024-41049, CVE-2024-42301, CVE-2024-46858, CVE-2025-21727, CVE-2025-21887 #531

[LTS 9.4] CVE-2024-41049, CVE-2024-42301, CVE-2024-46858, CVE-2025-21727, CVE-2025-21887 #531

pvts-mat commented Aug 27, 2025

Uh oh!

thefossguy-ciq left a comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

5 participants

[LTS 9.4] CVE-2024-41049, CVE-2024-42301, CVE-2024-46858, CVE-2025-21727, CVE-2025-21887 #531

[LTS 9.4] CVE-2024-41049, CVE-2024-42301, CVE-2024-46858, CVE-2025-21727, CVE-2025-21887 #531

Conversation

pvts-mat commented Aug 27, 2025

Commits

CVE-2024-41049

CVE-2024-42301

CVE-2024-46858

CVE-2025-21727

CVE-2025-21887

kABI check: passed

Boot test: passed

Kselftests: passed relative

Reference

Patch

Comparison

Uh oh!

thefossguy-ciq left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

5 participants