[LTS 9.2] netfilter: CVE-2024-27397, CVE-2024-57947, CVE-2025-38120 #803
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
PlaidCat
previously approved these changes
Jan 14, 2026
Collaborator
PlaidCat
left a comment
PlaidCat
left a comment
There was a problem hiding this comment.
These look fine will you also make sure this is updated to the latest 9.2 head
pvts-mat
force-pushed
the
ciqlts9_2-CVE-batch-16
branch
from
5fc0e7e to
e269437
Compare
|
🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/21003894885 |
🔍 Interdiff Analysis
diff -u b/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
--- b/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -1687,6 +1687,4 @@
return net_generic(net, nf_tables_net_id);
}
-#define __NFT_REDUCE_READONLY 1UL
-#define NFT_REDUCE_READONLY (void *)__NFT_REDUCE_READONLY
-
+#endif /* _NET_NF_TABLES_H */
@@ -1699,2 +1706,7 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
+static inline u64 nft_net_tstamp(const struct net *net)
+{
+ return nft_pernet(net)->tstamp;
+}
+
#endif /* _NET_NF_TABLES_H */
@@ -1798,6 +1805,11 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
return net_generic(net, nf_tables_net_id);
}
+static inline u64 nft_net_tstamp(const struct net *net)
+{
+ return nft_pernet(net)->tstamp;
+}
+
#define __NFT_REDUCE_READONLY 1UL
#define NFT_REDUCE_READONLY (void *)__NFT_REDUCE_READONLY
diff -u b/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
--- b/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -9199,7 +9199,7 @@
u64 tstamp = nft_net_tstamp(gc->net);
const struct nft_set *set = gc->set;
struct nft_elem_priv *elem_priv;
- struct nft_set_ext *ext;
+ struct nft_set_elem elem;
list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
ext = nft_set_elem_ext(set, catchall->elem);
diff -u b/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
--- b/net/netfilter/nft_set_pipapo.c
+++ b/net/netfilter/nft_set_pipapo.c
@@ -1566,4 +1566,4 @@
-{
+ struct nft_set *set = (struct nft_set *) _set;
struct nft_pipapo *priv = nft_set_priv(set);
struct net *net = read_pnet(&set->net);
u64 tstamp = nft_net_tstamp(net);
diff -u b/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c
--- b/net/netfilter/nft_set_rbtree.c
+++ b/net/netfilter/nft_set_rbtree.c
@@ -576,7 +576,18446744073709551607 @@
- rbe_end = rbe;
- continue;
- }
- if (!nft_set_elem_expired(&rbe->ext))
- continue;
-
- gc = nft_trans_gc_queue_sync(gc, GFP_KERNEL);
@@ -626,6 +628,8 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
{
struct nft_rbtree *priv = nft_set_priv(set);
struct nft_rbtree_elem *rbe, *rbe_end = NULL;
+ struct net *net = read_pnet(&set->net);
+ u64 tstamp = nft_net_tstamp(net);
struct rb_node *node, *next;
struct nft_trans_gc *gc;
struct net *net;
@@ -628,7 +632,6 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
struct nft_rbtree_elem *rbe, *rbe_end = NULL;
struct rb_node *node, *next;
struct nft_trans_gc *gc;
- struct net *net;
set = nft_set_container_of(priv);
net = read_pnet(&set->net);
@@ -650,7 +653,7 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
rbe_end = rbe;
continue;
}
- if (!nft_set_elem_expired(&rbe->ext))
+ if (!__nft_set_elem_expired(&rbe->ext, tstamp))
continue;
gc = nft_trans_gc_queue_sync(gc, GFP_KERNEL);
diff -u b/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
--- b/net/netfilter/nft_set_pipapo.c
+++ b/net/netfilter/nft_set_pipapo.c
@@ -411,4 +411,4 @@
- struct nft_pipapo_scratch *scratch;
+ struct nft_pipapo *priv = nft_set_priv(set);
unsigned long *res_map, *fill_map;
u8 genmask = nft_genmask_cur(net);
const struct nft_pipapo_match *m;
diff -u b/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c
--- b/net/netfilter/nft_set_pipapo_avx2.c
+++ b/net/netfilter/nft_set_pipapo_avx2.c
@@ -1061,3 +1061,3 @@
{
- unsigned long bsize = f->bsize;
+ unsigned long *lt = f->lt, bsize = f->bsize;
int i, ret = -1, b;
@@ -1133,8 +1146,6 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
struct nft_pipapo_scratch *scratch;
u8 genmask = nft_genmask_cur(net);
const u8 *rp = (const u8 *)key;
- struct nft_pipapo_match *m;
- struct nft_pipapo_field *f;
unsigned long *res, *fill;
bool map_index;
int i, ret = 0;
@@ -1133,11 +1133,11 @@
struct nft_pipapo *priv = nft_set_priv(set);
- struct nft_pipapo_scratch *scratch;
+ unsigned long *res, *fill, *scratch;
u8 genmask = nft_genmask_cur(net);
const struct nft_pipapo_match *m;
const struct nft_pipapo_field *f;
const u8 *rp = (const u8 *)key;
struct nft_pipapo_match *m;
struct nft_pipapo_field *f;
- unsigned long *res, *fill;
bool map_index;
int i, ret = 0;
+
@@ -1138,8 +1151,6 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
unsigned long *res, *fill, *scratch;
u8 genmask = nft_genmask_cur(net);
const u8 *rp = (const u8 *)key;
- struct nft_pipapo_match *m;
- struct nft_pipapo_field *f;
bool map_index;
int i, ret = 0;
diff -u b/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
--- b/net/netfilter/nft_set_pipapo.c
+++ b/net/netfilter/nft_set_pipapo.c
@@ -429,5 +429,5 @@
- res_map = scratch->map + (map_index ? m->bsize_max : 0);
- fill_map = scratch->map + (map_index ? 0 : m->bsize_max);
+ res_map = *raw_cpu_ptr(m->scratch) + (map_index ? m->bsize_max : 0);
+ fill_map = *raw_cpu_ptr(m->scratch) + (map_index ? 0 : m->bsize_max);
pipapo_resmap_init(m, res_map);
diff -u b/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c
--- b/net/netfilter/nft_set_pipapo_avx2.c
+++ b/net/netfilter/nft_set_pipapo_avx2.c
@@ -1060,7 +1060,7 @@
const struct nft_pipapo_field *f,
int offset, const u8 *pkt,
bool first, bool last)
- int i, ret = -1, b;
+ lt += offset * NFT_PIPAPO_LONGS_PER_M256;
if (first)
pipapo_resmap_init(mdata, map);
diff -u b/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c
--- b/net/netfilter/nft_set_pipapo_avx2.c
+++ b/net/netfilter/nft_set_pipapo_avx2.c
@@ -1182,5 +1182,5 @@
- res = scratch->map + (map_index ? m->bsize_max : 0);
- fill = scratch->map + (map_index ? 0 : m->bsize_max);
+ res = scratch + (map_index ? m->bsize_max : 0);
+ fill = scratch + (map_index ? 0 : m->bsize_max);
pipapo_resmap_init_avx2(m, res);This is an automated interdiff check for backported commits. |
JIRA PR Check Results5 commit(s) with issues found: Commit
|
|
✅ Validation checks completed successfully View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/21003894885 |
Collaborator
I didn't see any issues with this because of the noted execptions in the commit. |
Collaborator
|
There are apparently conflicts can you address these and push an update |
jira VULN-7048 cve-pre CVE-2024-27397 commit-author Pablo Neira Ayuso <[email protected]> commit d111692 This allows to remove an expired element which is not possible in other existing set backends, this is more noticeable if gc-interval is high so expired elements remain in the tree. On-demand gc also does not help in this case, because this is delete element path. Return NULL if element has expired. Fixes: 8d8540c ("netfilter: nft_set_rbtree: add timeout support") Signed-off-by: Pablo Neira Ayuso <[email protected]> Signed-off-by: Florian Westphal <[email protected]> (cherry picked from commit d111692) Signed-off-by: Marcin Wcisło <[email protected]>
jira VULN-7048 cve CVE-2024-27397 commit-author Pablo Neira Ayuso <[email protected]> commit 7395dfa upstream-diff Omitted changes in `nft_rbtree_gc()' in net/netfilter/nft_set_rbtree.c. Function `nft_rbtree_gc()' was changed from async to sync in 7d259f0 ("nft_set_rbtree: prefer sync gc to async worker"), which was not backported to ciqlts9_2 and `nft_rbtree_gc()' remains asynchronous in this version. The upstream fix 7395dfa left checking current time as it was in the async garbage collectors: "Then, there is async gc which also needs to check the current time since it runs asynchronously from a workqueue." Similar situation occurred in linux-5.15.y and the fix backported as 0d40e8c omits changes in `nft_rbtree_gc()' as well. Add a timestamp field at the beginning of the transaction, store it in the nftables per-netns area. Update set backend .insert, .deactivate and sync gc path to use the timestamp, this avoids that an element expires while control plane transaction is still unfinished. .lookup and .update, which are used from packet path, still use the current time to check if the element has expired. And .get path and dump also since this runs lockless under rcu read size lock. Then, there is async gc which also needs to check the current time since it runs asynchronously from a workqueue. Fixes: c3e1b00 ("netfilter: nf_tables: add set element timeout support") Signed-off-by: Pablo Neira Ayuso <[email protected]> (cherry picked from commit 7395dfa) Signed-off-by: Marcin Wcisło <[email protected]>
jira VULN-42212 cve-pre CVE-2024-57947 commit-author Florian Westphal <[email protected]> commit f04df57 upstream-diff Context conflicts resolution in `nft_pipapo_avx2_lookup()'. No actual diff. Those get called from packet path, content must not be modified. No functional changes intended. Reviewed-by: Stefano Brivio <[email protected]> Signed-off-by: Florian Westphal <[email protected]> (cherry picked from commit f04df57) Signed-off-by: Marcin Wcisło <[email protected]>
jira VULN-42212 cve CVE-2024-57947 commit-author Florian Westphal <[email protected]> commit 791a615 The initial buffer has to be inited to all-ones, but it must restrict it to the size of the first field, not the total field size. After each round in the map search step, the result and the fill map are swapped, so if we have a set where f->bsize of the first element is smaller than m->bsize_max, those one-bits are leaked into future rounds result map. This makes pipapo find an incorrect matching results for sets where first field size is not the largest. Followup patch adds a test case to nft_concat_range.sh selftest script. Thanks to Stefano Brivio for pointing out that we need to zero out the remainder explicitly, only correcting memset() argument isn't enough. Fixes: 3c4287f ("nf_tables: Add set type for arbitrary concatenation of ranges") Reported-by: Yi Chen <[email protected]> Cc: Stefano Brivio <[email protected]> Signed-off-by: Florian Westphal <[email protected]> Reviewed-by: Stefano Brivio <[email protected]> Signed-off-by: Pablo Neira Ayuso <[email protected]> (cherry picked from commit 791a615) Signed-off-by: Marcin Wcisło <[email protected]>
jira VULN-71797 cve CVE-2025-38120 commit-author Florian Westphal <[email protected]> commit ea77c39 If the first field doesn't cover the entire start map, then we must zero out the remainder, else we leak those bits into the next match round map. The early fix was incomplete and did only fix up the generic C implementation. A followup patch adds a test case to nft_concat_range.sh. Fixes: 791a615 ("netfilter: nf_set_pipapo: fix initial map fill") Signed-off-by: Florian Westphal <[email protected]> Reviewed-by: Stefano Brivio <[email protected]> Signed-off-by: Pablo Neira Ayuso <[email protected]> (cherry picked from commit ea77c39) Signed-off-by: Marcin Wcisło <[email protected]>
pvts-mat
force-pushed
the
ciqlts9_2-CVE-batch-16
branch
from
e269437 to
420b004
Compare
Contributor
Author
|
🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/21048295033 |
🔍 Interdiff Analysis
diff -u b/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
--- b/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -1701,6 +1701,4 @@
return net_generic(net, nf_tables_net_id);
}
-#define __NFT_REDUCE_READONLY 1UL
-#define NFT_REDUCE_READONLY (void *)__NFT_REDUCE_READONLY
-
+#endif /* _NET_NF_TABLES_H */
@@ -1713,2 +1720,7 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
+static inline u64 nft_net_tstamp(const struct net *net)
+{
+ return nft_pernet(net)->tstamp;
+}
+
#endif /* _NET_NF_TABLES_H */
@@ -1798,6 +1805,11 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
return net_generic(net, nf_tables_net_id);
}
+static inline u64 nft_net_tstamp(const struct net *net)
+{
+ return nft_pernet(net)->tstamp;
+}
+
#define __NFT_REDUCE_READONLY 1UL
#define NFT_REDUCE_READONLY (void *)__NFT_REDUCE_READONLY
diff -u b/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
--- b/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -9236,7 +9236,7 @@
u64 tstamp = nft_net_tstamp(gc->net);
const struct nft_set *set = gc->set;
struct nft_elem_priv *elem_priv;
- struct nft_set_ext *ext;
+ struct nft_set_elem elem;
list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
ext = nft_set_elem_ext(set, catchall->elem);
diff -u b/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
--- b/net/netfilter/nft_set_pipapo.c
+++ b/net/netfilter/nft_set_pipapo.c
@@ -1566,4 +1566,4 @@
-{
+ struct nft_set *set = (struct nft_set *) _set;
struct nft_pipapo *priv = nft_set_priv(set);
struct net *net = read_pnet(&set->net);
u64 tstamp = nft_net_tstamp(net);
diff -u b/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c
--- b/net/netfilter/nft_set_rbtree.c
+++ b/net/netfilter/nft_set_rbtree.c
@@ -576,7 +576,18446744073709551607 @@
- rbe_end = rbe;
- continue;
- }
- if (!nft_set_elem_expired(&rbe->ext))
- continue;
-
- gc = nft_trans_gc_queue_sync(gc, GFP_KERNEL);
@@ -626,6 +628,8 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
{
struct nft_rbtree *priv = nft_set_priv(set);
struct nft_rbtree_elem *rbe, *rbe_end = NULL;
+ struct net *net = read_pnet(&set->net);
+ u64 tstamp = nft_net_tstamp(net);
struct rb_node *node, *next;
struct nft_trans_gc *gc;
struct net *net;
@@ -628,7 +632,6 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
struct nft_rbtree_elem *rbe, *rbe_end = NULL;
struct rb_node *node, *next;
struct nft_trans_gc *gc;
- struct net *net;
set = nft_set_container_of(priv);
net = read_pnet(&set->net);
@@ -650,7 +653,7 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
rbe_end = rbe;
continue;
}
- if (!nft_set_elem_expired(&rbe->ext))
+ if (!__nft_set_elem_expired(&rbe->ext, tstamp))
continue;
gc = nft_trans_gc_queue_sync(gc, GFP_KERNEL);
diff -u b/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
--- b/net/netfilter/nft_set_pipapo.c
+++ b/net/netfilter/nft_set_pipapo.c
@@ -411,4 +411,4 @@
- struct nft_pipapo_scratch *scratch;
+ struct nft_pipapo *priv = nft_set_priv(set);
unsigned long *res_map, *fill_map;
u8 genmask = nft_genmask_cur(net);
const struct nft_pipapo_match *m;
@@ -2024,8 +2024,8 @@
+ struct nft_set_iter *iter)
{
struct nft_pipapo *priv = nft_set_priv(set);
- struct net *net = read_pnet(&set->net);
struct nft_pipapo_match *m;
struct nft_pipapo_field *f;
int i, r;
- rcu_read_lock();
+ WARN_ON_ONCE(iter->type != NFT_ITER_READ &&
@@ -2027,8 +2029,8 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
struct nft_set_iter *iter)
{
struct nft_pipapo *priv = nft_set_priv(set);
- struct nft_pipapo_match *m;
- struct nft_pipapo_field *f;
+ const struct nft_pipapo_match *m;
+ const struct nft_pipapo_field *f;
int i, r;
WARN_ON_ONCE(iter->type != NFT_ITER_READ &&
@@ -2041,8 +2043,8 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
{
struct nft_pipapo *priv = nft_set_priv(set);
struct net *net = read_pnet(&set->net);
- struct nft_pipapo_match *m;
- struct nft_pipapo_field *f;
+ const struct nft_pipapo_match *m;
+ const struct nft_pipapo_field *f;
int i, r;
rcu_read_lock();
diff -u b/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c
--- b/net/netfilter/nft_set_pipapo_avx2.c
+++ b/net/netfilter/nft_set_pipapo_avx2.c
@@ -1061,3 +1061,3 @@
{
- unsigned long bsize = f->bsize;
+ unsigned long *lt = f->lt, bsize = f->bsize;
int i, ret = -1, b;
@@ -1133,8 +1146,6 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
struct nft_pipapo_scratch *scratch;
u8 genmask = nft_genmask_cur(net);
const u8 *rp = (const u8 *)key;
- struct nft_pipapo_match *m;
- struct nft_pipapo_field *f;
unsigned long *res, *fill;
bool map_index;
int i, ret = 0;
@@ -1133,11 +1133,11 @@
struct nft_pipapo *priv = nft_set_priv(set);
- struct nft_pipapo_scratch *scratch;
+ unsigned long *res, *fill, *scratch;
u8 genmask = nft_genmask_cur(net);
const struct nft_pipapo_match *m;
const struct nft_pipapo_field *f;
const u8 *rp = (const u8 *)key;
struct nft_pipapo_match *m;
struct nft_pipapo_field *f;
- unsigned long *res, *fill;
bool map_index;
int i, ret = 0;
+
@@ -1138,8 +1151,6 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
unsigned long *res, *fill, *scratch;
u8 genmask = nft_genmask_cur(net);
const u8 *rp = (const u8 *)key;
- struct nft_pipapo_match *m;
- struct nft_pipapo_field *f;
bool map_index;
int i, ret = 0;
diff -u b/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
--- b/net/netfilter/nft_set_pipapo.c
+++ b/net/netfilter/nft_set_pipapo.c
@@ -429,5 +429,5 @@
- res_map = scratch->map + (map_index ? m->bsize_max : 0);
- fill_map = scratch->map + (map_index ? 0 : m->bsize_max);
+ res_map = *raw_cpu_ptr(m->scratch) + (map_index ? m->bsize_max : 0);
+ fill_map = *raw_cpu_ptr(m->scratch) + (map_index ? 0 : m->bsize_max);
pipapo_resmap_init(m, res_map);
diff -u b/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c
--- b/net/netfilter/nft_set_pipapo_avx2.c
+++ b/net/netfilter/nft_set_pipapo_avx2.c
@@ -1060,7 +1060,7 @@
const struct nft_pipapo_field *f,
int offset, const u8 *pkt,
bool first, bool last)
- int i, ret = -1, b;
+ lt += offset * NFT_PIPAPO_LONGS_PER_M256;
if (first)
pipapo_resmap_init(mdata, map);
diff -u b/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c
--- b/net/netfilter/nft_set_pipapo_avx2.c
+++ b/net/netfilter/nft_set_pipapo_avx2.c
@@ -1182,5 +1182,5 @@
- res = scratch->map + (map_index ? m->bsize_max : 0);
- fill = scratch->map + (map_index ? 0 : m->bsize_max);
+ res = scratch + (map_index ? m->bsize_max : 0);
+ fill = scratch + (map_index ? 0 : m->bsize_max);
pipapo_resmap_init_avx2(m, res);This is an automated interdiff check for backported commits. |
JIRA PR Check Results5 commit(s) with issues found: Commit
|
|
✅ Validation checks completed successfully View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/21048295033 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
[LTS 9.2]
CVE-2024-27397 VULN-7048
CVE-2024-57947 VULN-42212
CVE-2025-38120 VULN-71797
Commits
CVE-2024-27397
The fix for CVE-2024-27397 got "unlocked" after merging #668 where most of the prerequisites fell into place. A small prereq
netfilter: nft_set_rbtree: .deactivate fails if element has expiredwas pulled in to further reduce conflicts. The remaining modifications required are explained in theupstream-diffbelow.CVE-2024-57947 (+ CVE-2025-38120)
The prerequisite f04df57
netfilter: nft_set_pipapo: constify lookup fn args where possiblewasn't strictly necessary, but it's functionally neutral and it helped avoid petty conflicts when backporting the main fix 791a615netfilter: nf_set_pipapo: fix initial map fill. The follow-up ea77c39netfilter: nf_set_pipapo_avx2: fix initial map fillis actually a bugfix for CVE-2024-57947, but it has its own CVE-2025-38120 assigned so it was used in place ofcve-bftag.kABI check: passed
Boot test: passed
boot-test.log
Kselftests: passed
Reference
kselftests–ciqlts9_2–run1.log
kselftests–ciqlts9_2–run2.log
Patch
kselftests–ciqlts9_2-CVE-batch-16–run1.log
kselftests–ciqlts9_2-CVE-batch-16–run2.log
kselftests–ciqlts9_2-CVE-batch-16–run3.log
kselftests–ciqlts9_2-CVE-batch-16–run4.log
kselftests–ciqlts9_2-CVE-batch-16–run5.log
Comparison
The tests results for the reference and the patch are the same.