@pvts-mat pvts-mat commented Sep 5, 2025

[LTS 9.4]
CVE-2025-22004 VULN-56268
CVE-2025-21867 VULN-55841
CVE-2025-22104 VULN-65341
CVE-2025-23150 VULN-66675
CVE-2025-37738 VULN-66827
CVE-2025-37797 VULN-67701
CVE-2025-38079 VULN-70980
CVE-2025-38086 VULN-71595
CVE-2025-38087 VULN-71604
CVE-2025-38177 VULN-71950

Commits

CVE-2025-22004

e33e408

net: atm: fix use after free in lec_send()

jira VULN-56268
cve CVE-2025-22004
commit-author Dan Carpenter <[email protected]>
commit f3009d0d6ab78053117f8857b921a8237f4d17b3

CVE-2025-21867

a72207c

bpf, test_run: Fix use-after-free issue in eth_skb_pkt_type()

jira VULN-55841
cve CVE-2025-21867
commit-author Shigeru Yoshida <[email protected]>
commit 6b3d638ca897e099fa99bd6d02189d3176f80a47

CVE-2025-22104

8a3d21e

ibmvnic: Use kernel helpers for hex dumps

jira VULN-65341
cve CVE-2025-22104
commit-author Nick Child <[email protected]>
commit d93a6caab5d7d9b5ce034d75b1e1e993338e3852

The affected file drivers/net/ethernet/ibm/ibmvnic.c requires CONFIG_IBMVNIC to be included in the build

obj-$(CONFIG_IBMVNIC) += ibmvnic.o

so the bug applies to the ppc64le arch only

grep 'CONFIG_IBMVNIC\b' configs/*.config

configs/kernel-ppc64le-debug-rhel.config:CONFIG_IBMVNIC=m
configs/kernel-ppc64le-rhel.config:CONFIG_IBMVNIC=m

No ppc64le machine was available for testing, so the patch is effectively untested.

CVE-2025-23150

615e315

ext4: fix off-by-one error in do_split

jira VULN-66675
cve CVE-2025-23150
commit-author Artem Sadovnikov <[email protected]>
commit 94824ac9a8aaf2fb3c54b4bdde842db80ffa555d

CVE-2025-37738

10c59a2

ext4: ignore xattrs past end

jira VULN-66827
cve CVE-2025-37738
commit-author Bhupesh <[email protected]>
commit c8e008b60492cf6fd31ef127aea6d02fd3d314cd

CVE-2025-37797

3585df1

net_sched: hfsc: Fix a UAF vulnerability in class handling

jira VULN-67701
cve CVE-2025-37797
commit-author Cong Wang <[email protected]>
commit 3df275ef0a6ae181e8428a6589ef5d5231e58b5c

Note that there is also CVE-2025-37823 connected with this one. It's the very next commit (6ccbda4) in net/sched/sch_hfsc.c's history:

net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too

Similarly to the previous patch, we need to safe guard hfsc_dequeue()
too. But for this one, we don't have a reliable reproducer.

For reference, the "previous patch", aka this one:

net_sched: hfsc: Fix a UAF vulnerability in class handling

This patch fixes a Use-After-Free vulnerability in the HFSC qdisc class
handling. The issue occurs due to a time-of-check/time-of-use condition
in hfsc_change_class() when working with certain child qdiscs like netem
or codel.

It's also related to CVE-2025-37890 (next²), to CVE-2025-38001 (which is CVE-2025-37890's bugfix) and to CVE-2025-38350 (through CVE-2025-38001's prereq:

                             Git tag "Fixes"
         .--------(but not in advisory of CVE-2025-37890)----------------. 
        /          (in advisory of CVE-2025-38001 though)                 \
       /                                                                   v
ac9fe7dd ------Enhances-----> 141d3439 ----    Git tag "Fixes"    --------> 37d9cf1a   CVE-2025-37890
       \                                   CVE-2025-37890 advisory          ^          CVE-2025-38001
        \                                                                  /
         '-----Conflicts-without------.                                   /
                                       \                                 / 
                                        \                               /  
                 Git tag "Fixes"         v                             /   
103406b3  ---  (actually enhances)  ---> 3f981138 ---Git tag "Fixes"--/--> 12d0ad3b    CVE-2025-38350
       \     CVE-2025-38350 advisory                                 /     ^
        \                                                           /     / 
         '----------------- Actual fix of -------------------------------' 

), although those have been addressed already for LTS 9.4 (fixed, fixed and blocked, respectively (although the last one should probably be no more as CVE-2025-38350 was fixed by RH on September 2, 2025)). Next is CVE-2025-38177, coincidentally being addressed in this PR as well. Finally (hopefully), there is also CVE-2025-38684, which is a fix of the CVE-2025-38350 fix. RH hasn't emitted the patch for it yet, though. See the map of net/sched/sch_hfsc.c's recent history for a summary:

kernel-mainline                                                                                     linux-5.15.y          
--------------------------------------------------------------------------------------------------  ----------------------
dd831ac82 2025-07-10 net/sched: sch_qfq: Fix null-deref in agg_dequeue
ac9fe7dd8 2025-05-28 net_sched: hfsc: Address reentrant enqueue adding class to eltree twice        ~ 2c928b3a0 2025-06-04    <- CVE-2025-37890, CVE-2025-38001
3f9811381 2025-05-22 sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()            ~ 89c301e92 2025-06-04    <- CVE-2025-38350
141d34391 2025-04-28 net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc    ~ e3e949a39 2025-05-09    <- CVE-2025-37890
6ccbda44e 2025-04-23 net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too                     ~ da7936518 2025-05-02    <- CVE-2025-37823
3df275ef0 2025-04-23 net_sched: hfsc: Fix a UAF vulnerability in class handling                     ~ fcc8ede66 2025-05-02    <- CVE-2025-37797
51eb3b655 2025-04-08 sch_hfsc: make hfsc_qlen_notify() idempotent                                                             <- CVE-2025-38177

All of the CVEs mentioned are CVSS ≥ 7.

CVE-2025-38079

25c9b30

crypto: algif_hash - fix double free in hash_accept

jira VULN-70980
cve CVE-2025-38079
commit-author Ivan Pravdin <[email protected]>
commit b2df03ed4052e97126267e8c13ad4204ea6ba9b6

CVE-2025-38086

40afb02

net: ch9200: fix uninitialised access during mii_nway_restart

jira VULN-71595
cve CVE-2025-38086
commit-author Qasim Ijaz <[email protected]>
commit 9ad0452c0277b816a435433cca601304cfac7c21

CVE-2025-38087

1f1c17e

net/sched: fix use-after-free in taprio_dev_notifier

jira VULN-71604
cve CVE-2025-38087
commit-author Hyunwoo Kim <[email protected]>
commit b160766e26d4e2e2d6fe2294e0b02f92baefcec5

CVE-2025-38177

23141b0

sch_hfsc: make hfsc_qlen_notify() idempotent

jira VULN-71950
cve CVE-2025-38177
commit-author Cong Wang <[email protected]>
commit 51eb3b65544c9efd6a1026889ee5fb5aa62da3bb

See related CVE-2025-37797 for context.

kABI check: passed

DEBUG=1 CVE=CVE-batch-2 ./ninja.sh _kabi_checked__x86_64--test--ciqlts9_4-CVE-batch-2

[0/1] Check ABI of kernel [ciqlts9_4-CVE-batch-2]
++ uname -m
+ python3 /data/src/ctrliq-github/kernel-dist-git-el-9.4/SOURCES/check-kabi -k /data/src/ctrliq-github/kernel-dist-git-el-9.4/SOURCES/Module.kabi_x86_64 -s vms/x86_64--build--ciqlts9_4/build_files/kernel-src-tree-ciqlts9_4-CVE-batch-2/Module.symvers
kABI check passed
+ touch state/kernels/ciqlts9_4-CVE-batch-2/x86_64/kabi_checked

Boot test: passed

boot-test.log

Kselftests: passed relative

Reference

kselftests--ciqlts9_4--run1.log

Patch

kselftests--ciqlts9_4-CVE-batch-2--run1.log
kselftests--ciqlts9_4-CVE-batch-2--run2.log
kselftests--ciqlts9_4-CVE-batch-2--run3.log
kselftests--ciqlts9_4-CVE-batch-2--run4.log

Comparison

The test results for the reference and patched kernel are the same.

Column    File
--------  -------------------------------------------
Status0   kselftests--ciqlts9_4--run1.log
Status1   kselftests--ciqlts9_4-CVE-batch-2--run1.log
Status2   kselftests--ciqlts9_4-CVE-batch-2--run2.log
Status3   kselftests--ciqlts9_4-CVE-batch-2--run3.log
Status4   kselftests--ciqlts9_4-CVE-batch-2--run4.log

TestCase                                               Status0  Status1  Status2  Status3  Status4  Summary
bpf:test_cgroup_storage                                pass     pass     pass     pass     pass     same
bpf:test_lpm_map                                       pass     pass     pass     pass     pass     same
bpf:test_lru_map                                       pass     pass     pass     pass     pass     same
bpf:test_sock                                          pass     pass     pass     pass     pass     same
bpf:test_sysctl                                        pass     pass     pass     pass     pass     same
bpf:test_tag                                           pass     pass     pass     pass     pass     same
bpf:test_tcpnotify_user                                pass     pass     pass     pass     pass     same
bpf:test_verifier                                      fail     fail     fail     fail     fail     same
breakpoints:breakpoint_test                            pass     pass     pass     pass     pass     same
capabilities:test_execve                               pass     pass     pass     pass     pass     same
clone3:clone3                                          pass     pass     pass     pass     pass     same
clone3:clone3_cap_checkpoint_restore                   pass     pass     pass     pass     pass     same
clone3:clone3_clear_sighand                            pass     pass     pass     pass     pass     same
clone3:clone3_set_tid                                  pass     pass     pass     pass     pass     same
cpu-hotplug:cpu-on-off-test.sh                         pass     pass     pass     pass     pass     same
cpufreq:main.sh                                        fail     fail     fail     fail     fail     same
drivers/dma-buf:udmabuf                                pass     pass     pass     pass     pass     same
drivers/net/bonding:bond-arp-interval-causes-panic.sh  pass     pass     pass     pass     pass     same
drivers/net/bonding:bond-break-lacpdu-tx.sh            fail     fail     fail     fail     fail     same
drivers/net/bonding:bond-eth-type-change.sh            pass     pass     pass     pass     pass     same
drivers/net/bonding:bond-lladdr-target.sh              pass     pass     pass     pass     pass     same
drivers/net/bonding:bond_options.sh                    fail     fail     fail     fail     fail     same
drivers/net/bonding:dev_addr_lists.sh                  pass     pass     pass     pass     pass     same
drivers/net/bonding:mode-1-recovery-updelay.sh         pass     pass     pass     pass     pass     same
drivers/net/bonding:mode-2-recovery-updelay.sh         pass     pass     pass     pass     pass     same
drivers/net/team:dev_addr_lists.sh                     pass     pass     pass     pass     pass     same
exec:binfmt_script                                     pass     pass     pass     pass     pass     same
exec:execveat                                          pass     pass     pass     pass     pass     same
exec:load_address_16777216                             fail     fail     fail     fail     fail     same
exec:load_address_2097152                              pass     pass     pass     pass     pass     same
exec:load_address_4096                                 pass     pass     pass     pass     pass     same
exec:non-regular                                       fail     fail     fail     fail     fail     same
exec:recursion-depth                                   pass     pass     pass     pass     pass     same
filesystems/binderfs:binderfs_test                     fail     fail     fail     fail     fail     same
filesystems/epoll:epoll_wakeup_test                    pass     pass     pass     pass     pass     same
firmware:fw_run_tests.sh                               skip     skip     skip     skip     skip     same
fpu:run_test_fpu.sh                                    skip     skip     skip     skip     skip     same
fpu:test_fpu                                           pass     pass     pass     pass     pass     same
ftrace:ftracetest                                      fail     fail     fail     fail     fail     same
futex:run.sh                                           pass     pass     pass     pass     pass     same
gpio:gpio-mockup.sh                                    fail     fail     fail     fail     fail     same
intel_pstate:run.sh                                    pass     pass     pass     pass     pass     same
iommu:iommufd                                          fail     fail     fail     fail     fail     same
iommu:iommufd_fail_nth                                 pass     pass     pass     pass     pass     same
ipc:msgque                                             pass     pass     pass     pass     pass     same
ir:ir_loopback.sh                                      skip     skip     skip     skip     skip     same
kcmp:kcmp_test                                         pass     pass     pass     pass     pass     same
kexec:test_kexec_file_load.sh                          skip     skip     skip     skip     skip     same
kexec:test_kexec_load.sh                               skip     skip     skip     skip     skip     same
kvm:access_tracking_perf_test                          pass     pass     pass     pass     pass     same
kvm:amx_test                                           fail     fail     fail     fail     fail     same
kvm:cpuid_test                                         fail     fail     fail     fail     fail     same
kvm:cr4_cpuid_sync_test                                fail     fail     fail     fail     fail     same
kvm:debug_regs                                         fail     fail     fail     fail     fail     same
kvm:demand_paging_test                                 pass     pass     pass     pass     pass     same
kvm:dirty_log_page_splitting_test                      fail     fail     fail     fail     fail     same
kvm:dirty_log_perf_test                                pass     pass     pass     pass     pass     same
kvm:dirty_log_test                                     fail     fail     fail     fail     fail     same
kvm:exit_on_emulation_failure_test                     fail     fail     fail     fail     fail     same
kvm:fix_hypercall_test                                 fail     fail     fail     fail     fail     same
kvm:get_msr_index_features                             fail     fail     fail     fail     fail     same
kvm:guest_memfd_test                                   pass     pass     pass     pass     pass     same
kvm:guest_print_test                                   pass     pass     pass     pass     pass     same
kvm:hardware_disable_test                              pass     pass     pass     pass     pass     same
kvm:hyperv_clock                                       fail     fail     fail     fail     fail     same
kvm:hyperv_cpuid                                       fail     fail     fail     fail     fail     same
kvm:hyperv_evmcs                                       fail     fail     fail     fail     fail     same
kvm:hyperv_extended_hypercalls                         fail     fail     fail     fail     fail     same
kvm:hyperv_features                                    fail     fail     fail     fail     fail     same
kvm:hyperv_ipi                                         fail     fail     fail     fail     fail     same
kvm:hyperv_svm_test                                    fail     fail     fail     fail     fail     same
kvm:hyperv_tlb_flush                                   fail     fail     fail     fail     fail     same
kvm:kvm_binary_stats_test                              pass     pass     pass     pass     pass     same
kvm:kvm_clock_test                                     fail     fail     fail     fail     fail     same
kvm:kvm_create_max_vcpus                               pass     pass     pass     pass     pass     same
kvm:kvm_page_table_test                                pass     pass     pass     pass     pass     same
kvm:kvm_pv_test                                        fail     fail     fail     fail     fail     same
kvm:max_guest_memory_test                              pass     pass     pass     pass     pass     same
kvm:max_vcpuid_cap_test                                fail     fail     fail     fail     fail     same
kvm:memslot_modification_stress_test                   pass     pass     pass     pass     pass     same
kvm:memslot_perf_test                                  pass     pass     pass     pass     pass     same
kvm:mmio_warning_test                                  fail     fail     fail     fail     fail     same
kvm:monitor_mwait_test                                 fail     fail     fail     fail     fail     same
kvm:nested_exceptions_test                             fail     fail     fail     fail     fail     same
kvm:nx_huge_pages_test.sh                              fail     fail     fail     fail     fail     same
kvm:platform_info_test                                 fail     fail     fail     fail     fail     same
kvm:pmu_event_filter_test                              fail     fail     fail     fail     fail     same
kvm:private_mem_conversions_test                       fail     fail     fail     fail     fail     same
kvm:private_mem_kvm_exits_test                         fail     fail     fail     fail     fail     same
kvm:recalc_apic_map_test                               fail     fail     fail     fail     fail     same
kvm:rseq_test                                          fail     fail     fail     fail     fail     same
kvm:set_boot_cpu_id                                    fail     fail     fail     fail     fail     same
kvm:set_memory_region_test                             pass     pass     pass     pass     pass     same
kvm:set_sregs_test                                     fail     fail     fail     fail     fail     same
kvm:sev_migrate_tests                                  fail     fail     fail     fail     fail     same
kvm:smaller_maxphyaddr_emulation_test                  fail     fail     fail     fail     fail     same
kvm:smm_test                                           fail     fail     fail     fail     fail     same
kvm:state_test                                         fail     fail     fail     fail     fail     same
kvm:steal_time                                         pass     pass     pass     pass     pass     same
kvm:svm_int_ctl_test                                   fail     fail     fail     fail     fail     same
kvm:svm_nested_shutdown_test                           fail     fail     fail     fail     fail     same
kvm:svm_nested_soft_inject_test                        fail     fail     fail     fail     fail     same
kvm:svm_vmcall_test                                    fail     fail     fail     fail     fail     same
kvm:sync_regs_test                                     fail     fail     fail     fail     fail     same
kvm:system_counter_offset_test                         pass     pass     pass     pass     pass     same
kvm:triple_fault_event_test                            fail     fail     fail     fail     fail     same
kvm:tsc_msrs_test                                      fail     fail     fail     fail     fail     same
kvm:tsc_scaling_sync                                   fail     fail     fail     fail     fail     same
kvm:ucna_injection_test                                fail     fail     fail     fail     fail     same
kvm:userspace_io_test                                  fail     fail     fail     fail     fail     same
kvm:userspace_msr_exit_test                            fail     fail     fail     fail     fail     same
kvm:vmx_apic_access_test                               fail     fail     fail     fail     fail     same
kvm:vmx_close_while_nested_test                        fail     fail     fail     fail     fail     same
kvm:vmx_dirty_log_test                                 fail     fail     fail     fail     fail     same
kvm:vmx_exception_with_invalid_guest_state             fail     fail     fail     fail     fail     same
kvm:vmx_invalid_nested_guest_state                     fail     fail     fail     fail     fail     same
kvm:vmx_msrs_test                                      fail     fail     fail     fail     fail     same
kvm:vmx_nested_tsc_scaling_test                        fail     fail     fail     fail     fail     same
kvm:vmx_pmu_caps_test                                  fail     fail     fail     fail     fail     same
kvm:vmx_preemption_timer_test                          fail     fail     fail     fail     fail     same
kvm:vmx_set_nested_state_test                          fail     fail     fail     fail     fail     same
kvm:vmx_tsc_adjust_test                                fail     fail     fail     fail     fail     same
kvm:xapic_ipi_test                                     fail     fail     fail     fail     fail     same
kvm:xapic_state_test                                   fail     fail     fail     fail     fail     same
kvm:xcr0_cpuid_test                                    fail     fail     fail     fail     fail     same
kvm:xen_shinfo_test                                    fail     fail     fail     fail     fail     same
kvm:xen_vmcall_test                                    fail     fail     fail     fail     fail     same
kvm:xss_msr_test                                       fail     fail     fail     fail     fail     same
landlock:base_test                                     fail     fail     fail     fail     fail     same
landlock:fs_test                                       fail     fail     fail     fail     fail     same
landlock:ptrace_test                                   fail     fail     fail     fail     fail     same
lib:bitmap.sh                                          skip     skip     skip     skip     skip     same
lib:prime_numbers.sh                                   pass     pass     pass     pass     pass     same
lib:printf.sh                                          skip     skip     skip     skip     skip     same
lib:scanf.sh                                           skip     skip     skip     skip     skip     same
lib:strscpy.sh                                         skip     skip     skip     skip     skip     same
livepatch:test-callbacks.sh                            pass     pass     pass     pass     pass     same
livepatch:test-ftrace.sh                               pass     pass     pass     pass     pass     same
livepatch:test-livepatch.sh                            pass     pass     pass     pass     pass     same
livepatch:test-shadow-vars.sh                          pass     pass     pass     pass     pass     same
livepatch:test-state.sh                                pass     pass     pass     pass     pass     same
livepatch:test-sysfs.sh                                pass     pass     pass     pass     pass     same
membarrier:membarrier_test_multi_thread                pass     pass     pass     pass     pass     same
membarrier:membarrier_test_single_thread               pass     pass     pass     pass     pass     same
memfd:memfd_test                                       pass     pass     pass     pass     pass     same
memfd:run_fuse_test.sh                                 pass     pass     pass     pass     pass     same
memfd:run_hugetlbfs_test.sh                            pass     pass     pass     pass     pass     same
memory-hotplug:mem-on-off-test.sh                      pass     pass     pass     pass     pass     same
mincore:mincore_selftest                               fail     fail     fail     fail     fail     same
mount:run_nosymfollow.sh                               pass     pass     pass     pass     pass     same
mount:run_unprivileged_remount.sh                      pass     pass     pass     pass     pass     same
mqueue:mq_open_tests                                   pass     pass     pass     pass     pass     same
mqueue:mq_perf_tests                                   pass     pass     pass     pass     pass     same
nci:nci_dev                                            fail     fail     fail     fail     fail     same
net/forwarding:bridge_locked_port.sh                   pass     pass     pass     pass     pass     same
net/forwarding:bridge_mdb.sh                           skip     skip     skip     skip     skip     same
net/forwarding:bridge_mdb_host.sh                      pass     pass     pass     pass     pass     same
net/forwarding:bridge_mdb_max.sh                       skip     skip     skip     skip     skip     same
net/forwarding:bridge_mdb_port_down.sh                 pass     pass     pass     pass     pass     same
net/forwarding:bridge_mld.sh                           pass     pass     pass     pass     pass     same
net/forwarding:bridge_port_isolation.sh                pass     pass     pass     pass     pass     same
net/forwarding:bridge_sticky_fdb.sh                    pass     pass     pass     pass     pass     same
net/forwarding:bridge_vlan_aware.sh                    pass     pass     pass     pass     pass     same
net/forwarding:bridge_vlan_mcast.sh                    pass     pass     pass     pass     pass     same
net/forwarding:bridge_vlan_unaware.sh                  pass     pass     pass     pass     pass     same
net/forwarding:custom_multipath_hash.sh                fail     fail     fail     fail     fail     same
net/forwarding:ethtool.sh                              skip     skip     skip     skip     skip     same
net/forwarding:ethtool_extended_state.sh               skip     skip     skip     skip     skip     same
net/forwarding:gre_custom_multipath_hash.sh            fail     fail     fail     fail     fail     same
net/forwarding:gre_inner_v4_multipath.sh               pass     pass     pass     pass     pass     same
net/forwarding:gre_multipath.sh                        pass     pass     pass     pass     pass     same
net/forwarding:gre_multipath_nh.sh                     fail     fail     fail     fail     fail     same
net/forwarding:gre_multipath_nh_res.sh                 fail     fail     fail     fail     fail     same
net/forwarding:hw_stats_l3.sh                          skip     skip     skip     skip     skip     same
net/forwarding:hw_stats_l3_gre.sh                      skip     skip     skip     skip     skip     same
net/forwarding:ip6_forward_instats_vrf.sh              skip     skip     skip     skip     skip     same
net/forwarding:ip6gre_custom_multipath_hash.sh         fail     fail     fail     fail     fail     same
net/forwarding:ip6gre_flat.sh                          pass     pass     pass     pass     pass     same
net/forwarding:ip6gre_flat_key.sh                      pass     pass     pass     pass     pass     same
net/forwarding:ip6gre_flat_keys.sh                     pass     pass     pass     pass     pass     same
net/forwarding:ip6gre_hier.sh                          pass     pass     pass     pass     pass     same
net/forwarding:ip6gre_hier_key.sh                      pass     pass     pass     pass     pass     same
net/forwarding:ip6gre_hier_keys.sh                     pass     pass     pass     pass     pass     same
net/forwarding:ip6gre_inner_v4_multipath.sh            pass     pass     pass     pass     pass     same
net/forwarding:ipip_flat_gre.sh                        pass     pass     pass     pass     pass     same
net/forwarding:ipip_flat_gre_key.sh                    pass     pass     pass     pass     pass     same
net/forwarding:ipip_flat_gre_keys.sh                   pass     pass     pass     pass     pass     same
net/forwarding:ipip_hier_gre.sh                        pass     pass     pass     pass     pass     same
net/forwarding:ipip_hier_gre_key.sh                    pass     pass     pass     pass     pass     same
net/forwarding:local_termination.sh                    skip     skip     skip     skip     skip     same
net/forwarding:loopback.sh                             skip     skip     skip     skip     skip     same
net/forwarding:mirror_gre.sh                           pass     pass     pass     pass     pass     same
net/forwarding:mirror_gre_bound.sh                     pass     pass     pass     pass     pass     same
net/forwarding:mirror_gre_bridge_1d.sh                 pass     pass     pass     pass     pass     same
net/forwarding:mirror_gre_bridge_1q.sh                 pass     pass     pass     pass     pass     same
net/forwarding:mirror_gre_bridge_1q_lag.sh             pass     pass     pass     pass     pass     same
net/forwarding:mirror_gre_changes.sh                   pass     pass     pass     pass     pass     same
net/forwarding:mirror_gre_flower.sh                    pass     pass     pass     pass     pass     same
net/forwarding:mirror_gre_lag_lacp.sh                  pass     pass     pass     pass     pass     same
net/forwarding:mirror_gre_neigh.sh                     pass     pass     pass     pass     pass     same
net/forwarding:mirror_gre_nh.sh                        pass     pass     pass     pass     pass     same
net/forwarding:mirror_gre_vlan.sh                      pass     pass     pass     pass     pass     same
net/forwarding:mirror_vlan.sh                          pass     pass     pass     pass     pass     same
net/forwarding:no_forwarding.sh                        pass     pass     pass     pass     pass     same
net/forwarding:pedit_dsfield.sh                        pass     pass     pass     pass     pass     same
net/forwarding:pedit_ip.sh                             pass     pass     pass     pass     pass     same
net/forwarding:pedit_l4port.sh                         pass     pass     pass     pass     pass     same
net/forwarding:q_in_vni_ipv6.sh                        pass     pass     pass     pass     pass     same
net/forwarding:router.sh                               skip     skip     skip     skip     skip     same
net/forwarding:router_bridge.sh                        pass     pass     pass     pass     pass     same
net/forwarding:router_bridge_1d.sh                     pass     pass     pass     pass     pass     same
net/forwarding:router_bridge_pvid_vlan_upper.sh        pass     pass     pass     pass     pass     same
net/forwarding:router_bridge_vlan.sh                   pass     pass     pass     pass     pass     same
net/forwarding:router_bridge_vlan_upper.sh             pass     pass     pass     pass     pass     same
net/forwarding:router_bridge_vlan_upper_pvid.sh        pass     pass     pass     pass     pass     same
net/forwarding:router_broadcast.sh                     pass     pass     pass     pass     pass     same
net/forwarding:router_mpath_nh.sh                      fail     fail     fail     fail     fail     same
net/forwarding:router_mpath_nh_res.sh                  pass     pass     pass     pass     pass     same
net/forwarding:router_multicast.sh                     skip     skip     skip     skip     skip     same
net/forwarding:router_multipath.sh                     fail     fail     fail     fail     fail     same
net/forwarding:router_nh.sh                            pass     pass     pass     pass     pass     same
net/forwarding:router_vid_1.sh                         pass     pass     pass     pass     pass     same
net/forwarding:skbedit_priority.sh                     pass     pass     pass     pass     pass     same
net/forwarding:tc_chains.sh                            pass     pass     pass     pass     pass     same
net/forwarding:tc_flower.sh                            pass     pass     pass     pass     pass     same
net/forwarding:tc_flower_cfm.sh                        fail     fail     fail     fail     fail     same
net/forwarding:tc_flower_l2_miss.sh                    fail     fail     fail     fail     fail     same
net/forwarding:tc_flower_router.sh                     pass     pass     pass     pass     pass     same
net/forwarding:tc_mpls_l2vpn.sh                        pass     pass     pass     pass     pass     same
net/forwarding:tc_shblocks.sh                          pass     pass     pass     pass     pass     same
net/forwarding:tc_tunnel_key.sh                        skip     skip     skip     skip     skip     same
net/forwarding:tc_vlan_modify.sh                       pass     pass     pass     pass     pass     same
net/forwarding:vxlan_asymmetric.sh                     pass     pass     pass     pass     pass     same
net/forwarding:vxlan_asymmetric_ipv6.sh                pass     pass     pass     pass     pass     same
net/forwarding:vxlan_bridge_1d.sh                      pass     pass     pass     pass     pass     same
net/forwarding:vxlan_bridge_1d_port_8472.sh            pass     pass     pass     pass     pass     same
net/forwarding:vxlan_bridge_1d_port_8472_ipv6.sh       pass     pass     pass     pass     pass     same
net/forwarding:vxlan_bridge_1q.sh                      pass     pass     pass     pass     pass     same
net/forwarding:vxlan_bridge_1q_ipv6.sh                 pass     pass     pass     pass     pass     same
net/forwarding:vxlan_bridge_1q_port_8472.sh            pass     pass     pass     pass     pass     same
net/forwarding:vxlan_bridge_1q_port_8472_ipv6.sh       pass     pass     pass     pass     pass     same
net/forwarding:vxlan_symmetric.sh                      pass     pass     pass     pass     pass     same
net/forwarding:vxlan_symmetric_ipv6.sh                 pass     pass     pass     pass     pass     same
net/hsr:hsr_ping.sh                                    fail     fail     fail     fail     fail     same
net/mptcp:diag.sh                                      pass     pass     pass     pass     pass     same
net/mptcp:mptcp_connect.sh                             pass     pass     pass     pass     pass     same
net/mptcp:mptcp_sockopt.sh                             pass     pass     pass     pass     pass     same
net/mptcp:pm_netlink.sh                                pass     pass     pass     pass     pass     same
net:altnames.sh                                        pass     pass     pass     pass     pass     same
net:bareudp.sh                                         pass     pass     pass     pass     pass     same
net:big_tcp.sh                                         skip     skip     skip     skip     skip     same
net:cmsg_so_mark.sh                                    pass     pass     pass     pass     pass     same
net:devlink_port_split.py                              skip     skip     skip     skip     skip     same
net:drop_monitor_tests.sh                              skip     skip     skip     skip     skip     same
net:fcnal-test.sh                                      skip     skip     skip     skip     skip     same
net:fib-onlink-tests.sh                                pass     pass     pass     pass     pass     same
net:fib_nexthop_multiprefix.sh                         pass     pass     pass     pass     pass     same
net:fib_nexthop_nongw.sh                               pass     pass     pass     pass     pass     same
net:fib_rule_tests.sh                                  pass     pass     pass     pass     pass     same
net:fib_tests.sh                                       fail     fail     fail     fail     fail     same
net:fin_ack_lat.sh                                     pass     pass     pass     pass     pass     same
net:gre_gso.sh                                         skip     skip     skip     skip     skip     same
net:icmp.sh                                            fail     fail     fail     fail     fail     same
net:icmp_redirect.sh                                   pass     pass     pass     pass     pass     same
net:io_uring_zerocopy_tx.sh                            fail     fail     fail     fail     fail     same
net:ip6_gre_headroom.sh                                pass     pass     pass     pass     pass     same
net:ipv6_flowlabel.sh                                  pass     pass     pass     pass     pass     same
net:l2_tos_ttl_inherit.sh                              skip     skip     skip     skip     skip     same
net:l2tp.sh                                            pass     pass     pass     pass     pass     same
net:msg_zerocopy.sh                                    pass     pass     pass     pass     pass     same
net:netdevice.sh                                       pass     pass     pass     pass     pass     same
net:pmtu.sh                                            fail     fail     fail     fail     fail     same
net:psock_snd.sh                                       pass     pass     pass     pass     pass     same
net:reuseaddr_ports_exhausted.sh                       pass     pass     pass     pass     pass     same
net:reuseport_bpf                                      pass     pass     pass     pass     pass     same
net:reuseport_bpf_cpu                                  pass     pass     pass     pass     pass     same
net:reuseport_bpf_numa                                 pass     pass     pass     pass     pass     same
net:reuseport_dualstack                                pass     pass     pass     pass     pass     same
net:route_localnet.sh                                  pass     pass     pass     pass     pass     same
net:rps_default_mask.sh                                pass     pass     pass     pass     pass     same
net:rtnetlink.sh                                       skip     skip     skip     skip     skip     same
net:run_afpackettests                                  pass     pass     pass     pass     pass     same
net:run_netsocktests                                   pass     pass     pass     pass     pass     same
net:rxtimestamp.sh                                     pass     pass     pass     pass     pass     same
net:so_txtime.sh                                       pass     pass     pass     pass     pass     same
net:srv6_end_next_csid_l3vpn_test.sh                   pass     pass     pass     pass     pass     same
net:srv6_hencap_red_l3vpn_test.sh                      pass     pass     pass     pass     pass     same
net:srv6_hl2encap_red_l2vpn_test.sh                    pass     pass     pass     pass     pass     same
net:stress_reuseport_listen.sh                         pass     pass     pass     pass     pass     same
net:tcp_fastopen_backup_key.sh                         pass     pass     pass     pass     pass     same
net:test_blackhole_dev.sh                              fail     fail     fail     fail     fail     same
net:test_bpf.sh                                        pass     pass     pass     pass     pass     same
net:test_bridge_neigh_suppress.sh                      skip     skip     skip     skip     skip     same
net:test_vxlan_fdb_changelink.sh                       pass     pass     pass     pass     pass     same
net:test_vxlan_under_vrf.sh                            pass     pass     pass     pass     pass     same
net:tls                                                pass     pass     pass     pass     pass     same
net:traceroute.sh                                      pass     pass     pass     pass     pass     same
net:udpgro.sh                                          fail     fail     fail     fail     fail     same
net:udpgro_bench.sh                                    fail     fail     fail     fail     fail     same
net:udpgso.sh                                          pass     pass     pass     pass     pass     same
net:unicast_extensions.sh                              pass     pass     pass     pass     pass     same
net:veth.sh                                            fail     fail     fail     fail     fail     same
net:vrf-xfrm-tests.sh                                  pass     pass     pass     pass     pass     same
net:vrf_route_leaking.sh                               pass     pass     pass     pass     pass     same
net:vrf_strict_mode_test.sh                            pass     pass     pass     pass     pass     same
netfilter:bridge_brouter.sh                            skip     skip     skip     skip     skip     same
netfilter:conntrack_icmp_related.sh                    fail     fail     fail     fail     fail     same
netfilter:conntrack_tcp_unreplied.sh                   fail     fail     fail     fail     fail     same
netfilter:conntrack_vrf.sh                             skip     skip     skip     skip     skip     same
netfilter:ipip-conntrack-mtu.sh                        skip     skip     skip     skip     skip     same
netfilter:ipvs.sh                                      skip     skip     skip     skip     skip     same
netfilter:nf_nat_edemux.sh                             skip     skip     skip     skip     skip     same
netfilter:nft_audit.sh                                 fail     fail     fail     fail     fail     same
netfilter:nft_concat_range.sh                          fail     fail     fail     fail     fail     same
netfilter:nft_conntrack_helper.sh                      skip     skip     skip     skip     skip     same
netfilter:nft_fib.sh                                   skip     skip     skip     skip     skip     same
netfilter:nft_flowtable.sh                             fail     fail     fail     fail     fail     same
netfilter:nft_meta.sh                                  pass     pass     pass     pass     pass     same
netfilter:nft_nat.sh                                   skip     skip     skip     skip     skip     same
netfilter:nft_queue.sh                                 skip     skip     skip     skip     skip     same
netfilter:rpath.sh                                     pass     pass     pass     pass     pass     same
nsfs:owner                                             pass     pass     pass     pass     pass     same
nsfs:pidns                                             pass     pass     pass     pass     pass     same
pid_namespace:regression_enomem                        pass     pass     pass     pass     pass     same
pidfd:pidfd_fdinfo_test                                pass     pass     pass     pass     pass     same
pidfd:pidfd_getfd_test                                 pass     pass     pass     pass     pass     same
pidfd:pidfd_open_test                                  pass     pass     pass     pass     pass     same
pidfd:pidfd_poll_test                                  pass     pass     pass     pass     pass     same
pidfd:pidfd_setns_test                                 pass     pass     pass     pass     pass     same
pidfd:pidfd_test                                       pass     pass     pass     pass     pass     same
pidfd:pidfd_wait                                       pass     pass     pass     pass     pass     same
proc:fd-001-lookup                                     pass     pass     pass     pass     pass     same
proc:fd-002-posix-eq                                   pass     pass     pass     pass     pass     same
proc:fd-003-kthread                                    pass     pass     pass     pass     pass     same
proc:proc-fsconfig-hidepid                             pass     pass     pass     pass     pass     same
proc:proc-loadavg-001                                  pass     pass     pass     pass     pass     same
proc:proc-multiple-procfs                              pass     pass     pass     pass     pass     same
proc:proc-self-map-files-001                           pass     pass     pass     pass     pass     same
proc:proc-self-map-files-002                           pass     pass     pass     pass     pass     same
proc:proc-self-syscall                                 pass     pass     pass     pass     pass     same
proc:proc-self-wchan                                   pass     pass     pass     pass     pass     same
proc:proc-subset-pid                                   pass     pass     pass     pass     pass     same
proc:proc-uptime-002                                   pass     pass     pass     pass     pass     same
proc:read                                              pass     pass     pass     pass     pass     same
proc:self                                              pass     pass     pass     pass     pass     same
proc:setns-dcache                                      pass     pass     pass     pass     pass     same
proc:setns-sysvipc                                     pass     pass     pass     pass     pass     same
proc:thread-self                                       pass     pass     pass     pass     pass     same
pstore:pstore_post_reboot_tests                        skip     skip     skip     skip     skip     same
pstore:pstore_tests                                    fail     fail     fail     fail     fail     same
ptrace:get_syscall_info                                pass     pass     pass     pass     pass     same
ptrace:peeksiginfo                                     pass     pass     pass     pass     pass     same
ptrace:vmaccess                                        fail     fail     fail     fail     fail     same
rlimits:rlimits-per-userns                             pass     pass     pass     pass     pass     same
rseq:basic_percpu_ops_test                             pass     pass     pass     pass     pass     same
rseq:basic_test                                        pass     pass     pass     pass     pass     same
rseq:param_test                                        pass     pass     pass     pass     pass     same
rseq:param_test_benchmark                              pass     pass     pass     pass     pass     same
rseq:param_test_compare_twice                          pass     pass     pass     pass     pass     same
rseq:run_param_test.sh                                 pass     pass     pass     pass     pass     same
seccomp:seccomp_benchmark                              pass     pass     pass     pass     pass     same
seccomp:seccomp_bpf                                    pass     pass     pass     pass     pass     same
sgx:test_sgx                                           fail     fail     fail     fail     fail     same
sigaltstack:sas                                        pass     pass     pass     pass     pass     same
size:get_size                                          pass     pass     pass     pass     pass     same
splice:default_file_splice_read.sh                     pass     pass     pass     pass     pass     same
splice:short_splice_read.sh                            fail     fail     fail     fail     fail     same
static_keys:test_static_keys.sh                        skip     skip     skip     skip     skip     same
syscall_user_dispatch:sud_benchmark                    pass     pass     pass     pass     pass     same
syscall_user_dispatch:sud_test                         pass     pass     pass     pass     pass     same
tc-testing:tdc.sh                                      fail     fail     fail     fail     fail     same
tdx:tdx_guest_test                                     fail     fail     fail     fail     fail     same
timens:clock_nanosleep                                 pass     pass     pass     pass     pass     same
timens:exec                                            pass     pass     pass     pass     pass     same
timens:futex                                           pass     pass     pass     pass     pass     same
timens:procfs                                          pass     pass     pass     pass     pass     same
timens:timens                                          pass     pass     pass     pass     pass     same
timens:timer                                           pass     pass     pass     pass     pass     same
timens:timerfd                                         pass     pass     pass     pass     pass     same
timens:vfork_exec                                      pass     pass     pass     pass     pass     same
timers:inconsistency-check                             pass     pass     pass     pass     pass     same
timers:mqueue-lat                                      pass     pass     pass     pass     pass     same
timers:nanosleep                                       pass     pass     pass     pass     pass     same
timers:nsleep-lat                                      pass     pass     pass     pass     pass     same
timers:posix_timers                                    pass     pass     pass     pass     pass     same
timers:raw_skew                                        pass     pass     pass     pass     pass     same
timers:rtcpie                                          pass     pass     pass     pass     pass     same
timers:set-timer-lat                                   pass     pass     pass     pass     pass     same
timers:threadtest                                      pass     pass     pass     pass     pass     same
tmpfs:bug-link-o-tmpfile                               pass     pass     pass     pass     pass     same
tpm2:test_smoke.sh                                     skip     skip     skip     skip     skip     same
tpm2:test_space.sh                                     skip     skip     skip     skip     skip     same
tty:tty_tstamp_update                                  skip     skip     skip     skip     skip     same
vDSO:vdso_standalone_test_x86                          pass     pass     pass     pass     pass     same
vDSO:vdso_test_abi                                     pass     pass     pass     pass     pass     same
vDSO:vdso_test_clock_getres                            pass     pass     pass     pass     pass     same
vDSO:vdso_test_correctness                             pass     pass     pass     pass     pass     same
vDSO:vdso_test_getcpu                                  pass     pass     pass     pass     pass     same
vDSO:vdso_test_gettimeofday                            pass     pass     pass     pass     pass     same
x86:amx_64                                             fail     fail     fail     fail     fail     same
x86:check_initial_reg_state_64                         pass     pass     pass     pass     pass     same
x86:corrupt_xstate_header_64                           fail     fail     fail     fail     fail     same
x86:fsgsbase_64                                        fail     fail     fail     fail     fail     same
x86:fsgsbase_restore_64                                fail     fail     fail     fail     fail     same
x86:ioperm_64                                          pass     pass     pass     pass     pass     same
x86:iopl_64                                            pass     pass     pass     pass     pass     same
x86:lam_64                                             fail     fail     fail     fail     fail     same
x86:mov_ss_trap_64                                     fail     fail     fail     fail     fail     same
x86:sigaltstack_64                                     fail     fail     fail     fail     fail     same
x86:sigreturn_64                                       fail     fail     fail     fail     fail     same
x86:single_step_syscall_64                             fail     fail     fail     fail     fail     same
x86:syscall_arg_fault_64                               fail     fail     fail     fail     fail     same
x86:syscall_nt_64                                      pass     pass     pass     pass     pass     same
x86:syscall_numbering_64                               fail     fail     fail     fail     fail     same
x86:sysret_rip_64                                      fail     fail     fail     fail     fail     same
x86:sysret_ss_attrs_64                                 pass     pass     pass     pass     pass     same
x86:test_mremap_vdso_64                                pass     pass     pass     pass     pass     same
x86:test_vsyscall_64                                   pass     pass     pass     pass     pass     same
zram:zram.sh                                           pass     pass     pass     pass     pass     same

jira VULN-56268
cve CVE-2025-22004
commit-author Dan Carpenter <[email protected]>
commit f3009d0

The ->send() operation frees skb so save the length before calling
->send() to avoid a use after free.

Fixes: 1da177e ("Linux-2.6.12-rc2")
	Signed-off-by: Dan Carpenter <[email protected]>
	Reviewed-by: Simon Horman <[email protected]>
Link: https://patch.msgid.link/[email protected]
	Signed-off-by: Paolo Abeni <[email protected]>

(cherry picked from commit f3009d0)
	Signed-off-by: Marcin Wcisło <[email protected]>
jira VULN-55841
cve CVE-2025-21867
commit-author Shigeru Yoshida <[email protected]>
commit 6b3d638

KMSAN reported a use-after-free issue in eth_skb_pkt_type()[1]. The
cause of the issue was that eth_skb_pkt_type() accessed skb's data
that didn't contain an Ethernet header. This occurs when
bpf_prog_test_run_xdp() passes an invalid value as the user_data
argument to bpf_test_init().

Fix this by returning an error when user_data is less than ETH_HLEN in
bpf_test_init(). Additionally, remove the check for "if (user_size >
size)" as it is unnecessary.

[1]
BUG: KMSAN: use-after-free in eth_skb_pkt_type include/linux/etherdevice.h:627 [inline]
BUG: KMSAN: use-after-free in eth_type_trans+0x4ee/0x980 net/ethernet/eth.c:165
 eth_skb_pkt_type include/linux/etherdevice.h:627 [inline]
 eth_type_trans+0x4ee/0x980 net/ethernet/eth.c:165
 __xdp_build_skb_from_frame+0x5a8/0xa50 net/core/xdp.c:635
 xdp_recv_frames net/bpf/test_run.c:272 [inline]
 xdp_test_run_batch net/bpf/test_run.c:361 [inline]
 bpf_test_run_xdp_live+0x2954/0x3330 net/bpf/test_run.c:390
 bpf_prog_test_run_xdp+0x148e/0x1b10 net/bpf/test_run.c:1318
 bpf_prog_test_run+0x5b7/0xa30 kernel/bpf/syscall.c:4371
 __sys_bpf+0x6a6/0xe20 kernel/bpf/syscall.c:5777
 __do_sys_bpf kernel/bpf/syscall.c:5866 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5864 [inline]
 __x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:5864
 x64_sys_call+0x2ea0/0x3d90 arch/x86/include/generated/asm/syscalls_64.h:322
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xd9/0x1d0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 free_pages_prepare mm/page_alloc.c:1056 [inline]
 free_unref_page+0x156/0x1320 mm/page_alloc.c:2657
 __free_pages+0xa3/0x1b0 mm/page_alloc.c:4838
 bpf_ringbuf_free kernel/bpf/ringbuf.c:226 [inline]
 ringbuf_map_free+0xff/0x1e0 kernel/bpf/ringbuf.c:235
 bpf_map_free kernel/bpf/syscall.c:838 [inline]
 bpf_map_free_deferred+0x17c/0x310 kernel/bpf/syscall.c:862
 process_one_work kernel/workqueue.c:3229 [inline]
 process_scheduled_works+0xa2b/0x1b60 kernel/workqueue.c:3310
 worker_thread+0xedf/0x1550 kernel/workqueue.c:3391
 kthread+0x535/0x6b0 kernel/kthread.c:389
 ret_from_fork+0x6e/0x90 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

CPU: 1 UID: 0 PID: 17276 Comm: syz.1.16450 Not tainted 6.12.0-05490-g9bb88c659673 #8
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014

Fixes: be3d72a ("bpf: move user_size out of bpf_test_init")
	Reported-by: syzkaller <[email protected]>
	Suggested-by: Martin KaFai Lau <[email protected]>
	Signed-off-by: Shigeru Yoshida <[email protected]>
	Signed-off-by: Martin KaFai Lau <[email protected]>
	Acked-by: Stanislav Fomichev <[email protected]>
	Acked-by: Daniel Borkmann <[email protected]>
Link: https://patch.msgid.link/[email protected]
	Signed-off-by: Alexei Starovoitov <[email protected]>
(cherry picked from commit 6b3d638)
	Signed-off-by: Marcin Wcisło <[email protected]>
jira VULN-65341
cve CVE-2025-22104
commit-author Nick Child <[email protected]>
commit d93a6ca

Previously, when the driver was printing hex dumps, the buffer was cast
to an 8 byte long and printed using string formatters. If the buffer
size was not a multiple of 8 then a read buffer overflow was possible.

Therefore, create a new ibmvnic function that loops over a buffer and
calls hex_dump_to_buffer instead.

This patch addresses KASAN reports like the one below:
  ibmvnic 30000003 env3: Login Buffer:
  ibmvnic 30000003 env3: 01000000af000000
  <...>
  ibmvnic 30000003 env3: 2e6d62692e736261
  ibmvnic 30000003 env3: 65050003006d6f63
  ==================================================================
  BUG: KASAN: slab-out-of-bounds in ibmvnic_login+0xacc/0xffc [ibmvnic]
  Read of size 8 at addr c0000001331a9aa8 by task ip/17681
  <...>
  Allocated by task 17681:
  <...>
  ibmvnic_login+0x2f0/0xffc [ibmvnic]
  ibmvnic_open+0x148/0x308 [ibmvnic]
  __dev_open+0x1ac/0x304
  <...>
  The buggy address is located 168 bytes inside of
                allocated 175-byte region [c0000001331a9a00, c0000001331a9aaf)
  <...>
  =================================================================
  ibmvnic 30000003 env3: 000000000033766e

Fixes: 032c5e8 ("Driver for IBM System i/p VNIC protocol")
	Signed-off-by: Nick Child <[email protected]>
	Reviewed-by: Dave Marquardt <[email protected]>
	Reviewed-by: Simon Horman <[email protected]>
Link: https://patch.msgid.link/[email protected]
	Signed-off-by: Jakub Kicinski <[email protected]>
(cherry picked from commit d93a6ca)
	Signed-off-by: Marcin Wcisło <[email protected]>
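
The over-read described in the ibmvnic commit message above, as an added userspace example (not the driver's code and not part of the original commit). It models a dump that walks a byte buffer in 8-byte words beside a row-by-row dump that never reads past `len`. The rounded-up word count, the 16-byte row size and all function names are assumptions of this example; the 175-byte buffer is constructed to match the region size in the KASAN report.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define WORD_SZ 8   /* the old dump printed one 8-byte long per line */
#define ROW_SZ  16  /* bytes per line in the bounded dump (assumed value) */

/* Model of the word-wise dump: the buffer is treated as an array of 8-byte
 * longs and the word count is rounded up (assumption). Returns how many
 * bytes beyond a len-byte buffer the last word read covers. Nothing is
 * dereferenced here, so the model is safe to run. */
size_t wordwise_overread(size_t len)
{
    if (len == 0)
        return 0;
    size_t words = (len - 1) / WORD_SZ + 1;
    return words * WORD_SZ - len;
}

/* Offset at which the last 8-byte read of the word-wise dump starts. */
size_t wordwise_last_read_offset(size_t len)
{
    return len == 0 ? 0 : ((len - 1) / WORD_SZ) * WORD_SZ;
}

/* Format one row byte by byte. Reads at most `remaining` source bytes and
 * writes at most `outsz` output bytes. Returns source bytes consumed. */
size_t hex_row(const unsigned char *src, size_t remaining,
               char *out, size_t outsz)
{
    size_t n = remaining < ROW_SZ ? remaining : ROW_SZ;
    size_t pos = 0, i;

    if (outsz == 0)
        return 0;
    out[0] = '\0';
    /* each byte needs two hex digits plus room for the terminating NUL */
    for (i = 0; i < n && pos + 3 <= outsz; i++)
        pos += (size_t)snprintf(out + pos, outsz - pos, "%02x", src[i]);
    return i;
}

/* Dump the whole buffer row by row. Returns the total number of source
 * bytes read; `row` holds the last formatted line on return. */
size_t bounded_hex_dump(const unsigned char *buf, size_t len,
                        char *row, size_t rowsz)
{
    size_t done = 0;

    while (done < len) {
        size_t n = hex_row(buf + done, len - done, row, rowsz);
        if (n == 0)
            break; /* output buffer too small for even one byte */
        printf("%s\n", row);
        done += n;
    }
    return done;
}

int main(void)
{
    unsigned char buf[175]; /* constructed sample buffer */
    char row[2 * ROW_SZ + 1];

    for (size_t i = 0; i < sizeof(buf); i++)
        buf[i] = (unsigned char)i;

    printf("word-wise: last read at offset %zu, %zu byte(s) past the end\n",
           wordwise_last_read_offset(sizeof(buf)),
           wordwise_overread(sizeof(buf)));
    printf("bounded:   %zu of %zu bytes read\n",
           bounded_hex_dump(buf, sizeof(buf), row, sizeof(row)),
           sizeof(buf));
    return 0;
}
```

For a 175-byte buffer the model puts the last word read at offset 168, the same offset the KASAN report gives for the 8-byte read.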
jira VULN-66675
cve CVE-2025-23150
commit-author Artem Sadovnikov <[email protected]>
commit 94824ac

Syzkaller detected a use-after-free issue in ext4_insert_dentry that was
caused by out-of-bounds access due to incorrect splitting in do_split.

BUG: KASAN: use-after-free in ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109
Write of size 251 at addr ffff888074572f14 by task syz-executor335/5847

CPU: 0 UID: 0 PID: 5847 Comm: syz-executor335 Not tainted 6.12.0-rc6-syzkaller-00318-ga9cda7c0ffed #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
 __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106
 ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109
 add_dirent_to_buf+0x3d9/0x750 fs/ext4/namei.c:2154
 make_indexed_dir+0xf98/0x1600 fs/ext4/namei.c:2351
 ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2455
 ext4_add_nondir+0x8d/0x290 fs/ext4/namei.c:2796
 ext4_symlink+0x920/0xb50 fs/ext4/namei.c:3431
 vfs_symlink+0x137/0x2e0 fs/namei.c:4615
 do_symlinkat+0x222/0x3a0 fs/namei.c:4641
 __do_sys_symlink fs/namei.c:4662 [inline]
 __se_sys_symlink fs/namei.c:4660 [inline]
 __x64_sys_symlink+0x7a/0x90 fs/namei.c:4660
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
 </TASK>

The following loop is located right above the 'if' statement.

for (i = count-1; i >= 0; i--) {
	/* is more than half of this entry in 2nd half of the block? */
	if (size + map[i].size/2 > blocksize/2)
		break;
	size += map[i].size;
	move++;
}

'i' in this case could go down to -1, in which case the sum of active entries
wouldn't exceed half the block size, but the previous behaviour would also do
a split in half if the sum would exceed at the very last block, which in the
case of having too many long name files in a single block could lead to
out-of-bounds access and a following use-after-free.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

	Cc: [email protected]
Fixes: 5872331 ("ext4: fix potential negative array index in do_split()")
	Signed-off-by: Artem Sadovnikov <[email protected]>
	Reviewed-by: Jan Kara <[email protected]>
Link: https://patch.msgid.link/[email protected]
	Signed-off-by: Theodore Ts'o <[email protected]>
(cherry picked from commit 94824ac)
	Signed-off-by: Marcin Wcisło <[email protected]>
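
The off-by-one described in the ext4 commit message above, as an added userspace example (not the kernel's code and not part of the original commit). The loop is the one quoted in the message; the `if` after it is not quoted on the page, so the two conditions compared here (`i > 0` before, `i >= 0` after) are this example's assumption, as are the function names, the 1024-byte block and the constructed entry sizes (264 bytes for a long-name entry, 12 for a short one).

```c
#include <stdio.h>

struct map_entry { unsigned size; };  /* only the field the loop reads */

enum variant { SPLIT_OLD, SPLIT_NEW };

/* Constructed directory block: three long-name entries followed by three
 * short ones, in hash order. 828 of 1024 bytes are used, so one more
 * 264-byte entry does not fit and the block has to be split. */
static const struct map_entry SAMPLE[] = {
    {264}, {264}, {264}, {12}, {12}, {12}
};
enum { SAMPLE_COUNT = 6, BLOCKSIZE = 1024, NEW_ENTRY = 264 };

/* Pick the map index at which the block is split. */
int choose_split(const struct map_entry *map, int count,
                 unsigned blocksize, enum variant v)
{
    unsigned size = 0;
    int move = 0, i;

    for (i = count - 1; i >= 0; i--) {
        /* is more than half of this entry in 2nd half of the block? */
        if (size + map[i].size / 2 > blocksize / 2)
            break;
        size += map[i].size;
        move++;
    }
    /* i == -1: every entry fit into half a block, so split by count.
     * i >= 0:  the loop stopped at entry i, so split by size.
     * The old test (assumed: i > 0) treats a stop at i == 0 like i == -1. */
    int stopped = (v == SPLIT_OLD) ? (i > 0) : (i >= 0);
    return stopped ? count - move : count / 2;
}

/* Bytes left in the first block when entries [0, split) stay behind and
 * entries [split, count) move to the new block. */
int free_in_first_block(const struct map_entry *map, int split,
                        unsigned blocksize)
{
    unsigned used = 0;

    for (int i = 0; i < split; i++)
        used += map[i].size;
    return (int)blocksize - (int)used;
}

int main(void)
{
    int old_split = choose_split(SAMPLE, SAMPLE_COUNT, BLOCKSIZE, SPLIT_OLD);
    int new_split = choose_split(SAMPLE, SAMPLE_COUNT, BLOCKSIZE, SPLIT_NEW);
    int old_free = free_in_first_block(SAMPLE, old_split, BLOCKSIZE);
    int new_free = free_in_first_block(SAMPLE, new_split, BLOCKSIZE);

    printf("old: split=%d, first block has %d bytes free (%s)\n",
           old_split, old_free,
           old_free >= NEW_ENTRY ? "new entry fits" : "new entry does NOT fit");
    printf("new: split=%d, first block has %d bytes free (%s)\n",
           new_split, new_free,
           new_free >= NEW_ENTRY ? "new entry fits" : "new entry does NOT fit");
    return 0;
}
```

With the sample block the loop stops at `i == 0`. The old condition falls back to `count/2` and leaves all three long names in the first block, so a further long-name entry hashed into that block no longer fits.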
jira VULN-66827
cve CVE-2025-37738
commit-author Bhupesh <[email protected]>
commit c8e008b

Once inside 'ext4_xattr_inode_dec_ref_all' we should
ignore xattrs entries past the 'end' entry.

This fixes the following KASAN reported issue:

==================================================================
BUG: KASAN: slab-use-after-free in ext4_xattr_inode_dec_ref_all+0xb8c/0xe90
Read of size 4 at addr ffff888012c120c4 by task repro/2065

CPU: 1 UID: 0 PID: 2065 Comm: repro Not tainted 6.13.0-rc2+ #11
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x1fd/0x300
 ? tcp_gro_dev_warn+0x260/0x260
 ? _printk+0xc0/0x100
 ? read_lock_is_recursive+0x10/0x10
 ? irq_work_queue+0x72/0xf0
 ? __virt_addr_valid+0x17b/0x4b0
 print_address_description+0x78/0x390
 print_report+0x107/0x1f0
 ? __virt_addr_valid+0x17b/0x4b0
 ? __virt_addr_valid+0x3ff/0x4b0
 ? __phys_addr+0xb5/0x160
 ? ext4_xattr_inode_dec_ref_all+0xb8c/0xe90
 kasan_report+0xcc/0x100
 ? ext4_xattr_inode_dec_ref_all+0xb8c/0xe90
 ext4_xattr_inode_dec_ref_all+0xb8c/0xe90
 ? ext4_xattr_delete_inode+0xd30/0xd30
 ? __ext4_journal_ensure_credits+0x5f0/0x5f0
 ? __ext4_journal_ensure_credits+0x2b/0x5f0
 ? inode_update_timestamps+0x410/0x410
 ext4_xattr_delete_inode+0xb64/0xd30
 ? ext4_truncate+0xb70/0xdc0
 ? ext4_expand_extra_isize_ea+0x1d20/0x1d20
 ? __ext4_mark_inode_dirty+0x670/0x670
 ? ext4_journal_check_start+0x16f/0x240
 ? ext4_inode_is_fast_symlink+0x2f2/0x3a0
 ext4_evict_inode+0xc8c/0xff0
 ? ext4_inode_is_fast_symlink+0x3a0/0x3a0
 ? do_raw_spin_unlock+0x53/0x8a0
 ? ext4_inode_is_fast_symlink+0x3a0/0x3a0
 evict+0x4ac/0x950
 ? proc_nr_inodes+0x310/0x310
 ? trace_ext4_drop_inode+0xa2/0x220
 ? _raw_spin_unlock+0x1a/0x30
 ? iput+0x4cb/0x7e0
 do_unlinkat+0x495/0x7c0
 ? try_break_deleg+0x120/0x120
 ? 0xffffffff81000000
 ? __check_object_size+0x15a/0x210
 ? strncpy_from_user+0x13e/0x250
 ? getname_flags+0x1dc/0x530
 __x64_sys_unlinkat+0xc8/0xf0
 do_syscall_64+0x65/0x110
 entry_SYSCALL_64_after_hwframe+0x67/0x6f
RIP: 0033:0x434ffd
Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 8
RSP: 002b:00007ffc50fa7b28 EFLAGS: 00000246 ORIG_RAX: 0000000000000107
RAX: ffffffffffffffda RBX: 00007ffc50fa7e18 RCX: 0000000000434ffd
RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000005
RBP: 00007ffc50fa7be0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffc50fa7e08 R14: 00000000004bbf30 R15: 0000000000000001
 </TASK>

The buggy address belongs to the object at ffff888012c12000
 which belongs to the cache filp of size 360
The buggy address is located 196 bytes inside of
 freed 360-byte region [ffff888012c12000, ffff888012c12168)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12c12
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x40(head|node=0|zone=0)
page_type: f5(slab)
raw: 0000000000000040 ffff888000ad7640 ffffea0000497a00 dead000000000004
raw: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000
head: 0000000000000040 ffff888000ad7640 ffffea0000497a00 dead000000000004
head: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000
head: 0000000000000001 ffffea00004b0481 ffffffffffffffff 0000000000000000
head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888012c11f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888012c12000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff888012c12080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff888012c12100: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
 ffff888012c12180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

	Reported-by: [email protected]
Closes: https://syzkaller.appspot.com/bug?extid=b244bda78289b00204ed
	Suggested-by: Thadeu Lima de Souza Cascardo <[email protected]>
	Signed-off-by: Bhupesh <[email protected]>
Link: https://patch.msgid.link/[email protected]
	Signed-off-by: Theodore Ts'o <[email protected]>
(cherry picked from commit c8e008b)
	Signed-off-by: Marcin Wcisło <[email protected]>
jira VULN-67701
cve CVE-2025-37797
commit-author Cong Wang <[email protected]>
commit 3df275e

This patch fixes a Use-After-Free vulnerability in the HFSC qdisc class
handling. The issue occurs due to a time-of-check/time-of-use condition
in hfsc_change_class() when working with certain child qdiscs like netem
or codel.

The vulnerability works as follows:
1. hfsc_change_class() checks if a class has packets (q.qlen != 0)
2. It then calls qdisc_peek_len(), which for certain qdiscs (e.g.,
   codel, netem) might drop packets and empty the queue
3. The code continues assuming the queue is still non-empty, adding
   the class to vttree
4. This breaks HFSC scheduler assumptions that only non-empty classes
   are in vttree
5. Later, when the class is destroyed, this can lead to a Use-After-Free

The fix adds a second queue length check after qdisc_peek_len() to verify
the queue wasn't emptied.

Fixes: 21f4d5c ("net_sched/hfsc: fix curve activation in hfsc_change_class()")
	Reported-by: Gerrard Tai <[email protected]>
	Reviewed-by: Konstantin Khlebnikov <[email protected]>
	Signed-off-by: Cong Wang <[email protected]>
	Reviewed-by: Jamal Hadi Salim <[email protected]>
Link: https://patch.msgid.link/[email protected]
	Signed-off-by: Jakub Kicinski <[email protected]>
(cherry picked from commit 3df275e)
	Signed-off-by: Marcin Wcisło <[email protected]>
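The check/peek/use sequence described in the CVE-2025-37797 commit message above, as an added user-space model (not the kernel's code and not part of the original commit). The structures, `peek_len()`, `change_class()` and the `recheck` switch are hypothetical names chosen for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical miniature of a child qdisc: peeking first drops expired
 * packets, the side effect the commit message attributes to codel/netem. */
struct pkt { int len; bool expired; };
struct child_q { struct pkt pkts[4]; int head, qlen; };
struct hfsc_class { struct child_q q; bool in_vttree; };

static int peek_len(struct child_q *q)
{
    while (q->qlen && q->pkts[q->head].expired) {
        q->head++;
        q->qlen--;
    }
    return q->qlen ? q->pkts[q->head].len : 0;
}

/* recheck=false models the code before the fix, recheck=true after it. */
static void change_class(struct hfsc_class *cl, bool recheck)
{
    if (cl->q.qlen != 0) {                  /* time of check */
        int len = peek_len(&cl->q);         /* may empty the queue */

        if (recheck && cl->q.qlen == 0)     /* the added second check */
            return;
        (void)len;                          /* unused in this model */
        cl->in_vttree = true;               /* time of use */
    }
}

/* Scheduler assumption from the commit message: only non-empty classes
 * are in vttree. Returns whether it still holds after change_class(). */
static bool invariant_after_change(bool all_expired, bool recheck)
{
    struct hfsc_class cl = { .q = { .qlen = 2 } };

    cl.q.pkts[0] = (struct pkt){ 100, all_expired };  /* constructed packets */
    cl.q.pkts[1] = (struct pkt){ 200, all_expired };
    change_class(&cl, recheck);
    return !cl.in_vttree || cl.q.qlen > 0;
}

int main(void)
{
    printf("before fix: %d, after fix: %d\n",
           invariant_after_change(true, false), invariant_after_change(true, true));
    return 0;
}
```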
jira VULN-70980
cve CVE-2025-38079
commit-author Ivan Pravdin <[email protected]>
commit b2df03e

If accept(2) is called on socket type algif_hash with
MSG_MORE flag set and crypto_ahash_import fails,
sk2 is freed. However, it is also freed in af_alg_release,
leading to slab-use-after-free error.

Fixes: fe869cd ("crypto: algif_hash - User-space interface for hash operations")
	Cc: <[email protected]>
	Signed-off-by: Ivan Pravdin <[email protected]>
	Signed-off-by: Herbert Xu <[email protected]>
(cherry picked from commit b2df03e)
	Signed-off-by: Marcin Wcisło <[email protected]>
jira VULN-71595
cve CVE-2025-38086
commit-author Qasim Ijaz <[email protected]>
commit 9ad0452

In mii_nway_restart() the code attempts to call
mii->mdio_read which is ch9200_mdio_read(). ch9200_mdio_read()
utilises a local buffer called "buff", which is initialised
with control_read(). However "buff" is conditionally
initialised inside control_read():

        if (err == size) {
                memcpy(data, buf, size);
        }

If the condition of "err == size" is not met, then
"buff" remains uninitialised. Once this happens the
uninitialised "buff" is accessed and returned during
ch9200_mdio_read():

        return (buff[0] | buff[1] << 8);

The problem stems from the fact that ch9200_mdio_read()
ignores the return value of control_read(), leading to
uninit-access of "buff".

To fix this we should check the return value of
control_read() and return early on error.

	Reported-by: syzbot <[email protected]>
Closes: https://syzkaller.appspot.com/bug?extid=3361c2d6f78a3e0892f9
	Tested-by: syzbot <[email protected]>
Fixes: 4a476bd ("usbnet: New driver for QinHeng CH9200 devices")
	Cc: [email protected]
	Signed-off-by: Qasim Ijaz <[email protected]>
Link: https://patch.msgid.link/[email protected]
	Signed-off-by: Jakub Kicinski <[email protected]>
(cherry picked from commit 9ad0452)
	Signed-off-by: Marcin Wcisło <[email protected]>
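The ignored-return-value pattern from the CVE-2025-38086 commit message above, as an added user-space model with the unchecked and checked callers side by side (not the driver's code). The `avail` parameter, the 0x1234 register value, the 0xAA fill standing in for stale stack bytes, and the mapping of a short read to -EINVAL are assumptions of this model.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Model of control_read(): `avail` is the constructed outcome of the USB
 * transfer (bytes delivered, or negative for a failed transfer). */
static int control_read(void *data, int size, int avail)
{
    static const unsigned char buf[2] = { 0x34, 0x12 };  /* register 0x1234 */
    int err = avail < 0 ? -EIO : (avail < size ? avail : size);

    if (err == size)
        memcpy(data, buf, (size_t)size);  /* data written only on a full read */
    else if (err >= 0)
        err = -EINVAL;                    /* short read (model assumption) */
    return err;
}

/* Before: return value ignored. The 0xAA fill is a constructed stand-in for
 * stale stack bytes, so the model stays free of undefined behaviour. */
static int mdio_read_unchecked(int avail)
{
    unsigned char buff[2];

    memset(buff, 0xAA, sizeof(buff));
    control_read(buff, 2, avail);
    return buff[0] | buff[1] << 8;
}

/* After: return early on error, as the commit message describes. */
static int mdio_read_checked(int avail)
{
    unsigned char buff[2];
    int ret = control_read(buff, 2, avail);

    return ret < 0 ? ret : (buff[0] | buff[1] << 8);
}

int main(void)
{
    /* avail = 1 models a short transfer */
    printf("unchecked: 0x%x  checked: %d\n",
           (unsigned)mdio_read_unchecked(1), mdio_read_checked(1));
    return 0;
}
```

On a short or failed transfer the unchecked caller hands back a value that looks like a valid register read, which is why the failure is silent without a sanitizer.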
jira VULN-71604
cve CVE-2025-38087
commit-author Hyunwoo Kim <[email protected]>
commit b160766

Since taprio’s taprio_dev_notifier() isn’t protected by an
RCU read-side critical section, a race with advance_sched()
can lead to a use-after-free.

Adding rcu_read_lock() inside taprio_dev_notifier() prevents this.

Fixes: fed87cc ("net/sched: taprio: automatically calculate queueMaxSDU based on TC gate durations")
	Cc: [email protected]
	Signed-off-by: Hyunwoo Kim <[email protected]>
	Reviewed-by: Simon Horman <[email protected]>
	Reviewed-by: Eric Dumazet <[email protected]>
Link: https://patch.msgid.link/aEzIYYxt0is9upYG@v4bel-B760M-AORUS-ELITE-AX
	Signed-off-by: Jakub Kicinski <[email protected]>
(cherry picked from commit b160766)
	Signed-off-by: Marcin Wcisło <[email protected]>
jira VULN-71950
cve CVE-2025-38177
commit-author Cong Wang <[email protected]>
commit 51eb3b6

hfsc_qlen_notify() is not idempotent either and not friendly
to its callers, like fq_codel_dequeue(). Let's make it idempotent
to ease qdisc_tree_reduce_backlog() callers' life:

1. update_vf() decreases cl->cl_nactive, so we can check whether it is
non-zero before calling it.

2. eltree_remove() always removes RB node cl->el_node, but we can use
   RB_EMPTY_NODE() + RB_CLEAR_NODE() to make it safe.

	Reported-by: Gerrard Tai <[email protected]>
	Signed-off-by: Cong Wang <[email protected]>
	Reviewed-by: Simon Horman <[email protected]>
Link: https://patch.msgid.link/[email protected]
	Acked-by: Jamal Hadi Salim <[email protected]>
	Signed-off-by: Paolo Abeni <[email protected]>
(cherry picked from commit 51eb3b6)
	Signed-off-by: Marcin Wcisło <[email protected]>
@PlaidCat
Collaborator

PlaidCat commented Sep 5, 2025

Do you want me to provide you a VULN for CVE GHSA-gr82-7xxj-rqx8? It might be worth doing even though Red Hat has not fixed it yet.

@pvts-mat
Contributor Author

pvts-mat commented Sep 5, 2025

> Do you want me to provide you a VULN for CVE GHSA-gr82-7xxj-rqx8? It might be worth doing even though Red Hat has not fixed it yet.

Sure

@pvts-mat
Contributor Author

pvts-mat commented Sep 5, 2025

> Do you want me to provide you a VULN for CVE GHSA-gr82-7xxj-rqx8? It might be worth doing even though Red Hat has not fixed it yet.

RH did fix this one though (the CVE-2025-37823) - see https://access.redhat.com/errata/RHSA-2025:15011 - although only recently, admittedly, just like CVE-2025-38350. You meant CVE-2025-38684? This one is still hanging on RH's pegboard https://access.redhat.com/security/cve/cve-2025-38684. Even github doesn't recognize it yet (notice no auto-linking). CVE.org does though: https://www.cve.org/CVERecord?id=CVE-2025-38684. Looks like it was published yesterday.

@PlaidCat
Collaborator

PlaidCat commented Sep 5, 2025

CVE-2025-37823

https://access.redhat.com/errata/RHSA-2025:15011

This is just for 9.6; no EUSs have been fixed yet, and 9.6 is not under EUS yet.

just like cve-2025-38350

Yes, those have been resolved this week (go to page 2, you'll see the specific versions).
https://access.redhat.com/security/cve/cve-2025-38350

We'll need to dig into this again.

Collaborator

@PlaidCat PlaidCat left a comment


:shipit:

Collaborator

@bmastbergen bmastbergen left a comment


🥌

@PlaidCat PlaidCat merged commit 3713f88 into ctrliq:ciqlts9_4 Sep 8, 2025
4 of 8 checks passed