
Conversation

@bmastbergen
Collaborator

Commits

    nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()

    jira VULN-162275
    cve CVE-2025-38724
    commit-author Jeff Layton <[email protected]>
    commit 908e4ead7f757504d8b345452730636e298cbf68
    wifi: cfg80211: fix use-after-free in cmp_bss()

    jira VULN-162351
    cve CVE-2025-39864
    commit-author Dmitry Antipov <[email protected]>
    commit 26e84445f02ce6b2fe5f3e0e28ff7add77f35e08
    mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory

    jira VULN-161584
    cve CVE-2025-39883
    commit-author Miaohe Lin <[email protected]>
    commit d613f53c83ec47089c4e25859d5e8e0359f6f8da
    e1000e: fix heap overflow in e1000_set_eeprom

    jira VULN-161576
    cve CVE-2025-39898
    commit-author Vitaly Lifshits <[email protected]>
    commit 90fb7db49c6dbac961c6b8ebfd741141ffbc8545
    wifi: mt76: fix linked list corruption

    jira VULN-161567
    cve CVE-2025-39918
    commit-author Felix Fietkau <[email protected]>
    commit 49fba87205bec14a0f6bd997635bf3968408161e
    tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect().

    jira VULN-161840
    cve CVE-2025-39955
    commit-author Kuniyuki Iwashima <[email protected]>
    commit 45c8a6cc2bcd780e634a6ba8e46bffbdf1fc5c01
    i40e: fix idx validation in config queues msg

    jira VULN-161968
    cve CVE-2025-39971
    commit-author Lukasz Czapnik <[email protected]>
    commit f1ad24c5abe1eaef69158bac1405a74b3c365115
    io_uring/waitid: always prune wait queue entry in io_waitid_wait()

    jira VULN-162139
    cve CVE-2025-40047
    commit-author Jens Axboe <[email protected]>
    commit 2f8229d53d984c6a05b71ac9e9583d4354e3b91f
    tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().

    jira VULN-162657
    cve CVE-2025-40186
    commit-author Kuniyuki Iwashima <[email protected]>
    commit 2e7cbbbe3d61c63606994b7ff73c72537afe2e1c

Build Log

/home/brett/kernel-src-tree
Running make mrproper...
[TIMER]{MRPROPER}: 13s
x86_64 architecture detected, copying config
'configs/kernel-x86_64-rhel.config' -> '.config'
Setting Local Version for build
CONFIG_LOCALVERSION="-bmastbergen_ciqlts9_6_many-vulns-2025-12-16-90c9656a2"
Making olddefconfig
--
  HOSTCC  scripts/kconfig/util.o
  HOSTLD  scripts/kconfig/conf
#
# configuration written to .config
#
Starting Build
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_32.h
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_x32.h
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_64.h
  SYSHDR  arch/x86/include/generated/asm/unistd_32_ia32.h
  SYSTBL  arch/x86/include/generated/asm/syscalls_32.h
--
  BTF [M] sound/virtio/virtio_snd.ko
  BTF [M] sound/x86/snd-hdmi-lpe-audio.ko
  LD [M]  sound/xen/snd_xen_front.ko
  BTF [M] sound/usb/usx2y/snd-usb-usx2y.ko
  BTF [M] sound/xen/snd_xen_front.ko
[TIMER]{BUILD}: 2783s
Making Modules
  INSTALL /lib/modules/5.14.0-bmastbergen_ciqlts9_6_many-vulns-2025-12-16-90c9656a2+/kernel/arch/x86/crypto/blake2s-x86_64.ko
  INSTALL /lib/modules/5.14.0-bmastbergen_ciqlts9_6_many-vulns-2025-12-16-90c9656a2+/kernel/arch/x86/crypto/blowfish-x86_64.ko
  INSTALL /lib/modules/5.14.0-bmastbergen_ciqlts9_6_many-vulns-2025-12-16-90c9656a2+/kernel/arch/x86/crypto/camellia-aesni-avx-x86_64.ko
  INSTALL /lib/modules/5.14.0-bmastbergen_ciqlts9_6_many-vulns-2025-12-16-90c9656a2+/kernel/arch/x86/crypto/camellia-aesni-avx2.ko
--
  SIGN    /lib/modules/5.14.0-bmastbergen_ciqlts9_6_many-vulns-2025-12-16-90c9656a2+/kernel/sound/x86/snd-hdmi-lpe-audio.ko
  INSTALL /lib/modules/5.14.0-bmastbergen_ciqlts9_6_many-vulns-2025-12-16-90c9656a2+/kernel/sound/xen/snd_xen_front.ko
  STRIP   /lib/modules/5.14.0-bmastbergen_ciqlts9_6_many-vulns-2025-12-16-90c9656a2+/kernel/sound/xen/snd_xen_front.ko
  SIGN    /lib/modules/5.14.0-bmastbergen_ciqlts9_6_many-vulns-2025-12-16-90c9656a2+/kernel/sound/xen/snd_xen_front.ko
  DEPMOD  /lib/modules/5.14.0-bmastbergen_ciqlts9_6_many-vulns-2025-12-16-90c9656a2+
[TIMER]{MODULES}: 21s
Making Install
sh ./arch/x86/boot/install.sh 5.14.0-bmastbergen_ciqlts9_6_many-vulns-2025-12-16-90c9656a2+ \
	arch/x86/boot/bzImage System.map "/boot"
[TIMER]{INSTALL}: 128s
Checking kABI
kABI check passed
Setting Default Kernel to /boot/vmlinuz-5.14.0-bmastbergen_ciqlts9_6_many-vulns-2025-12-16-90c9656a2+ and Index to 0
Hopefully Grub2.0 took everything ... rebooting after time metrices
[TIMER]{MRPROPER}: 13s
[TIMER]{BUILD}: 2783s
[TIMER]{MODULES}: 21s
[TIMER]{INSTALL}: 128s
[TIMER]{TOTAL} 2967s
Rebooting in 10 seconds

Testing

selftest-5.14.0-570.58.1.el9_6.x86_64-1.log

selftest-5.14.0-bmastbergen_ciqlts9_6_many-vulns-2025-12-16-90c9656a2+-1.log

brett@lycia ~/ciq/many-96-vulns-2025-12-16/kselftest-logs
 % grep ^ok selftest-5.14.0-570.58.1.el9_6.x86_64-1.log | wc -l
385
brett@lycia ~/ciq/many-96-vulns-2025-12-16/kselftest-logs
 % grep ^ok selftest-5.14.0-bmastbergen_ciqlts9_6_many-vulns-2025-12-16-90c9656a2+-1.log | wc -l
392
brett@lycia ~/ciq/many-96-vulns-2025-12-16/kselftest-logs
 % grep ok <(diff -adU0 <(grep ^ok selftest-5.14.0-570.58.1.el9_6.x86_64-1.log | sort -h) <(grep ^ok selftest-5.14.0-bmastbergen_ciqlts9_6_many-vulns-2025-12-16-90c9656a2+-1.log | sort -h))

+ok 10 selftests: netfilter: nft_queue.sh
+ok 10 selftests: net: test_bpf.sh
-ok 1 selftests: livepatch: test-livepatch.sh # SKIP
+ok 1 selftests: livepatch: test-livepatch.sh
+ok 1 selftests: netfilter: nft_trans_stress.sh
-ok 1 selftests: zram: zram.sh # SKIP
+ok 1 selftests: zram: zram.sh
-ok 2 selftests: livepatch: test-callbacks.sh # SKIP
+ok 2 selftests: livepatch: test-callbacks.sh
+ok 33 selftests: net: l2tp.sh
-ok 3 selftests: livepatch: test-shadow-vars.sh # SKIP
+ok 3 selftests: livepatch: test-shadow-vars.sh
+ok 48 selftests: net: drop_monitor_tests.sh
-ok 4 selftests: livepatch: test-state.sh # SKIP
+ok 4 selftests: livepatch: test-state.sh
+ok 54 selftests: net: gro.sh
+ok 58 selftests: net: nl_netdev.py
-ok 5 selftests: livepatch: test-ftrace.sh # SKIP
+ok 5 selftests: livepatch: test-ftrace.sh
-ok 6 selftests: livepatch: test-sysfs.sh # SKIP
+ok 6 selftests: livepatch: test-sysfs.sh
-ok 7 selftests: livepatch: test-syscall.sh # SKIP
+ok 7 selftests: livepatch: test-syscall.sh
brett@lycia ~/ciq/many-96-vulns-2025-12-16/kselftest-logs
 %

jira VULN-162275
cve CVE-2025-38724
commit-author Jeff Layton <[email protected]>
commit 908e4ea

Lei Lu recently reported that nfsd4_setclientid_confirm() did not check
the return value from get_client_locked(). A SETCLIENTID_CONFIRM could
race with a confirmed client expiring and fail to get a reference. That
could later lead to a UAF.

Fix this by getting a reference early in the case where there is an
extant confirmed client. If that fails then treat it as if there were no
confirmed client found at all.

In the case where the unconfirmed client is expiring, just fail and
return the result from get_client_locked().

Reported-by: lei lu <[email protected]>
Closes: https://lore.kernel.org/linux-nfs/CAEBF3_b=UvqzNKdnfD_52L05Mqrqui9vZ2eFamgAbV0WG+FNWQ@mail.gmail.com/
Fixes: d20c11d ("nfsd: Protect session creation and client confirm using client_lock")
Cc: [email protected]
Signed-off-by: Jeff Layton <[email protected]>
Signed-off-by: Chuck Lever <[email protected]>
(cherry picked from commit 908e4ea)
Signed-off-by: Brett Mastbergen <[email protected]>
jira VULN-162351
cve CVE-2025-39864
commit-author Dmitry Antipov <[email protected]>
commit 26e8444

Following bss_free() quirk introduced in commit 776b358
("cfg80211: track hidden SSID networks properly"), adjust
cfg80211_update_known_bss() to free the last beacon frame
elements only if they're not shared via the corresponding
'hidden_beacon_bss' pointer.

Reported-by: [email protected]
Closes: https://syzkaller.appspot.com/bug?extid=30754ca335e6fb7e3092
Fixes: 3ab8227 ("cfg80211: refactor cfg80211_bss_update")
Signed-off-by: Dmitry Antipov <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Johannes Berg <[email protected]>
(cherry picked from commit 26e8444)
Signed-off-by: Brett Mastbergen <[email protected]>

jira VULN-161584
cve CVE-2025-39883
commit-author Miaohe Lin <[email protected]>
commit d613f53

When I did memory failure tests, the panic below occurred:

page dumped because: VM_BUG_ON_PAGE(PagePoisoned(page))
kernel BUG at include/linux/page-flags.h:616!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
CPU: 3 PID: 720 Comm: bash Not tainted 6.10.0-rc1-00195-g148743902568 #40
RIP: 0010:unpoison_memory+0x2f3/0x590
RSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246
RAX: 0000000000000037 RBX: 0000000000000009 RCX: ffff9be25fcdc9c8
RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff9be25fcdc9c0
RBP: 0000000000300000 R08: ffffffffb4956f88 R09: 0000000000009ffb
R10: 0000000000000284 R11: ffffffffb4926fa0 R12: ffffe6b00c000000
R13: ffff9bdb453dfd00 R14: 0000000000000000 R15: fffffffffffffffe
FS:  00007f08f04e4740(0000) GS:ffff9be25fcc0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000564787a30410 CR3: 000000010d4e2000 CR4: 00000000000006f0
Call Trace:
 <TASK>
 unpoison_memory+0x2f3/0x590
 simple_attr_write_xsigned.constprop.0.isra.0+0xb3/0x110
 debugfs_attr_write+0x42/0x60
 full_proxy_write+0x5b/0x80
 vfs_write+0xd5/0x540
 ksys_write+0x64/0xe0
 do_syscall_64+0xb9/0x1d0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f08f0314887
RSP: 002b:00007ffece710078 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000009 RCX: 00007f08f0314887
RDX: 0000000000000009 RSI: 0000564787a30410 RDI: 0000000000000001
RBP: 0000564787a30410 R08: 000000000000fefe R09: 000000007fffffff
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000009
R13: 00007f08f041b780 R14: 00007f08f0417600 R15: 00007f08f0416a00
 </TASK>
Modules linked in: hwpoison_inject
---[ end trace 0000000000000000 ]---
RIP: 0010:unpoison_memory+0x2f3/0x590
RSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246
RAX: 0000000000000037 RBX: 0000000000000009 RCX: ffff9be25fcdc9c8
RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff9be25fcdc9c0
RBP: 0000000000300000 R08: ffffffffb4956f88 R09: 0000000000009ffb
R10: 0000000000000284 R11: ffffffffb4926fa0 R12: ffffe6b00c000000
R13: ffff9bdb453dfd00 R14: 0000000000000000 R15: fffffffffffffffe
FS:  00007f08f04e4740(0000) GS:ffff9be25fcc0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000564787a30410 CR3: 000000010d4e2000 CR4: 00000000000006f0
Kernel panic - not syncing: Fatal exception
Kernel Offset: 0x31c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
---[ end Kernel panic - not syncing: Fatal exception ]---

The root cause is that unpoison_memory() tries to check the PG_HWPoison
flags of an uninitialized page.  So VM_BUG_ON_PAGE(PagePoisoned(page)) is
triggered.  This can be reproduced by below steps:

1. Offline memory block:

 echo offline > /sys/devices/system/memory/memory12/state

2. Get offlined memory pfn:

 page-types -b n -rlN

3. Write pfn to unpoison-pfn:

 echo <pfn> > /sys/kernel/debug/hwpoison/unpoison-pfn

This scenario can be identified by pfn_to_online_page() returning NULL.
And ZONE_DEVICE pages are never expected, so we can simply fail if
pfn_to_online_page() == NULL to fix the bug.

Link: https://lkml.kernel.org/r/[email protected]
Fixes: f1dd2cd ("mm, memory_hotplug: do not associate hotadded memory to zones until online")
Signed-off-by: Miaohe Lin <[email protected]>
Suggested-by: David Hildenbrand <[email protected]>
Acked-by: David Hildenbrand <[email protected]>
Cc: Naoya Horiguchi <[email protected]>
Cc: <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
(cherry picked from commit d613f53)
Signed-off-by: Brett Mastbergen <[email protected]>
jira VULN-161576
cve CVE-2025-39898
commit-author Vitaly Lifshits <[email protected]>
commit 90fb7db

Fix a possible heap overflow in e1000_set_eeprom function by adding
input validation for the requested length of the change in the EEPROM.
In addition, change the variable type from int to size_t for better
code practices and rearrange declarations to RCT.

Cc: [email protected]
Fixes: bc7f75f ("[E1000E]: New pci-express e1000 driver (currently for ICH9 devices only)")
Co-developed-by: Mikael Wessel <[email protected]>
Signed-off-by: Mikael Wessel <[email protected]>
Signed-off-by: Vitaly Lifshits <[email protected]>
Tested-by: Mor Bar-Gabay <[email protected]>
Signed-off-by: Tony Nguyen <[email protected]>
(cherry picked from commit 90fb7db)
Signed-off-by: Brett Mastbergen <[email protected]>
jira VULN-161567
cve CVE-2025-39918
commit-author Felix Fietkau <[email protected]>
commit 49fba87

Never leave scheduled wcid entries on the temporary on-stack list

Fixes: 0b3be9d ("wifi: mt76: add separate tx scheduling queue for off-channel tx")
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Felix Fietkau <[email protected]>
(cherry picked from commit 49fba87)
Signed-off-by: Brett Mastbergen <[email protected]>
jira VULN-161840
cve CVE-2025-39955
commit-author Kuniyuki Iwashima <[email protected]>
commit 45c8a6c

syzbot reported the splat below where a socket had tcp_sk(sk)->fastopen_rsk
in the TCP_ESTABLISHED state. [0]

syzbot reused the server-side TCP Fast Open socket as a new client before
the TFO socket completes 3WHS:

  1. accept()
  2. connect(AF_UNSPEC)
  3. connect() to another destination

As of accept(), sk->sk_state is TCP_SYN_RECV, and tcp_disconnect() changes
it to TCP_CLOSE and makes connect() possible, which restarts timers.

Since tcp_disconnect() forgot to clear tcp_sk(sk)->fastopen_rsk, the
retransmit timer triggered the warning and the intended packet was not
retransmitted.

Let's call reqsk_fastopen_remove() in tcp_disconnect().

[0]:
WARNING: CPU: 2 PID: 0 at net/ipv4/tcp_timer.c:542 tcp_retransmit_timer (net/ipv4/tcp_timer.c:542 (discriminator 7))
Modules linked in:
CPU: 2 UID: 0 PID: 0 Comm: swapper/2 Not tainted 6.17.0-rc5-g201825fb4278 #62 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:tcp_retransmit_timer (net/ipv4/tcp_timer.c:542 (discriminator 7))
Code: 41 55 41 54 55 53 48 8b af b8 08 00 00 48 89 fb 48 85 ed 0f 84 55 01 00 00 0f b6 47 12 3c 03 74 0c 0f b6 47 12 3c 04 74 04 90 <0f> 0b 90 48 8b 85 c0 00 00 00 48 89 ef 48 8b 40 30 e8 6a 4f 06 3e
RSP: 0018:ffffc900002f8d40 EFLAGS: 00010293
RAX: 0000000000000002 RBX: ffff888106911400 RCX: 0000000000000017
RDX: 0000000002517619 RSI: ffffffff83764080 RDI: ffff888106911400
RBP: ffff888106d5c000 R08: 0000000000000001 R09: ffffc900002f8de8
R10: 00000000000000c2 R11: ffffc900002f8ff8 R12: ffff888106911540
R13: ffff888106911480 R14: ffff888106911840 R15: ffffc900002f8de0
FS:  0000000000000000(0000) GS:ffff88907b768000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8044d69d90 CR3: 0000000002c30003 CR4: 0000000000370ef0
Call Trace:
 <IRQ>
 tcp_write_timer (net/ipv4/tcp_timer.c:738)
 call_timer_fn (kernel/time/timer.c:1747)
 __run_timers (kernel/time/timer.c:1799 kernel/time/timer.c:2372)
 timer_expire_remote (kernel/time/timer.c:2385 kernel/time/timer.c:2376 kernel/time/timer.c:2135)
 tmigr_handle_remote_up (kernel/time/timer_migration.c:944 kernel/time/timer_migration.c:1035)
 __walk_groups.isra.0 (kernel/time/timer_migration.c:533 (discriminator 1))
 tmigr_handle_remote (kernel/time/timer_migration.c:1096)
 handle_softirqs (./arch/x86/include/asm/jump_label.h:36 ./include/trace/events/irq.h:142 kernel/softirq.c:580)
 irq_exit_rcu (kernel/softirq.c:614 kernel/softirq.c:453 kernel/softirq.c:680 kernel/softirq.c:696)
 sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1050 (discriminator 35) arch/x86/kernel/apic/apic.c:1050 (discriminator 35))
 </IRQ>

Fixes: 8336886 ("tcp: TCP Fast Open Server - support TFO listeners")
Reported-by: syzkaller <[email protected]>
Signed-off-by: Kuniyuki Iwashima <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
(cherry picked from commit 45c8a6c)
Signed-off-by: Brett Mastbergen <[email protected]>
jira VULN-161968
cve CVE-2025-39971
commit-author Lukasz Czapnik <[email protected]>
commit f1ad24c

Ensure idx is within range of active/initialized TCs when iterating over
vf->ch[idx] in i40e_vc_config_queues_msg().

Fixes: c27eac4 ("i40e: Enable ADq and create queue channel/s on VF")
Cc: [email protected]
Signed-off-by: Lukasz Czapnik <[email protected]>
Reviewed-by: Aleksandr Loktionov <[email protected]>
Signed-off-by: Przemek Kitszel <[email protected]>
Reviewed-by: Simon Horman <[email protected]>
Tested-by: Kamakshi Nellore <[email protected]> (A Contingent Worker at Intel)
Signed-off-by: Tony Nguyen <[email protected]>
(cherry picked from commit f1ad24c)
Signed-off-by: Brett Mastbergen <[email protected]>
jira VULN-162139
cve CVE-2025-40047
commit-author Jens Axboe <[email protected]>
commit 2f8229d

For a successful return, always remove our entry from the wait queue
entry list. Previously this was skipped if a cancelation was in
progress, but this can race with another invocation of the wait queue
entry callback.

Cc: [email protected]
Fixes: f31ecf6 ("io_uring: add IORING_OP_WAITID support")
Reported-by: [email protected]
Tested-by: [email protected]
Link: https://lore.kernel.org/io-uring/[email protected]/
Signed-off-by: Jens Axboe <[email protected]>
(cherry picked from commit 2f8229d)
Signed-off-by: Brett Mastbergen <[email protected]>
jira VULN-162657
cve CVE-2025-40186
commit-author Kuniyuki Iwashima <[email protected]>
commit 2e7cbbb

syzbot reported the splat below in tcp_conn_request(). [0]

If a listener is close()d while a TFO socket is being processed in
tcp_conn_request(), inet_csk_reqsk_queue_add() does not set reqsk->sk
and calls inet_child_forget(), which calls tcp_disconnect() for the
TFO socket.

After the cited commit, tcp_disconnect() calls reqsk_fastopen_remove(),
where reqsk_put() is called due to !reqsk->sk.

Then, reqsk_fastopen_remove() in tcp_conn_request() decrements the
last req->rsk_refcnt and frees reqsk, and __reqsk_free() at the
drop_and_free label causes the refcount underflow for the listener
and double-free of the reqsk.

Let's remove reqsk_fastopen_remove() in tcp_conn_request().

Note that other callers make sure tp->fastopen_rsk is not NULL.

[0]:
refcount_t: underflow; use-after-free.
WARNING: CPU: 12 PID: 5563 at lib/refcount.c:28 refcount_warn_saturate (lib/refcount.c:28)
Modules linked in:
CPU: 12 UID: 0 PID: 5563 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:refcount_warn_saturate (lib/refcount.c:28)
Code: ab e8 8e b4 98 ff 0f 0b c3 cc cc cc cc cc 80 3d a4 e4 d6 01 00 75 9c c6 05 9b e4 d6 01 01 48 c7 c7 e8 df fb ab e8 6a b4 98 ff <0f> 0b e9 03 5b 76 00 cc 80 3d 7d e4 d6 01 00 0f 85 74 ff ff ff c6
RSP: 0018:ffffa79fc0304a98 EFLAGS: 00010246
RAX: d83af4db1c6b3900 RBX: ffff9f65c7a69020 RCX: d83af4db1c6b3900
RDX: 0000000000000000 RSI: 00000000ffff7fff RDI: ffffffffac78a280
RBP: 000000009d781b60 R08: 0000000000007fff R09: ffffffffac6ca280
R10: 0000000000017ffd R11: 0000000000000004 R12: ffff9f65c7b4f100
R13: ffff9f65c7d23c00 R14: ffff9f65c7d26000 R15: ffff9f65c7a64ef8
FS:  00007f9f962176c0(0000) GS:ffff9f65fcf00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000000180 CR3: 000000000dbbe006 CR4: 0000000000372ef0
Call Trace:
 <IRQ>
 tcp_conn_request (./include/linux/refcount.h:400 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/net/sock.h:1965 ./include/net/request_sock.h:131 net/ipv4/tcp_input.c:7301)
 tcp_rcv_state_process (net/ipv4/tcp_input.c:6708)
 tcp_v6_do_rcv (net/ipv6/tcp_ipv6.c:1670)
 tcp_v6_rcv (net/ipv6/tcp_ipv6.c:1906)
 ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:438)
 ip6_input (net/ipv6/ip6_input.c:500)
 ipv6_rcv (net/ipv6/ip6_input.c:311)
 __netif_receive_skb (net/core/dev.c:6104)
 process_backlog (net/core/dev.c:6456)
 __napi_poll (net/core/dev.c:7506)
 net_rx_action (net/core/dev.c:7569 net/core/dev.c:7696)
 handle_softirqs (kernel/softirq.c:579)
 do_softirq (kernel/softirq.c:480)
 </IRQ>

Fixes: 45c8a6c ("tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect().")
Reported-by: syzkaller <[email protected]>
Signed-off-by: Kuniyuki Iwashima <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
(cherry picked from commit 2e7cbbb)
Signed-off-by: Brett Mastbergen <[email protected]>
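An added example for the e1000e fix quoted above (CVE-2025-39898); this is not code from the kernel tree or from this PR. The commit message says the heap overflow came from not validating the requested EEPROM length and that the fix also moved the arithmetic to size_t. The hypothetical device size, buffer, request struct and function names below are assumptions for the example; it puts the check shape that wraps beside the one that cannot, and only lets the writer touch the buffer once both ends of the request are bounded.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NVM_WORD_SIZE 64u                   /* hypothetical part: 64 16-bit words */
#define NVM_MAX_LEN   (NVM_WORD_SIZE * 2u)  /* so max_len is a 128-byte image */

/* The two caller-controlled fields an ethtool-style EEPROM request carries.
 * This is a stand-in for the example, not the real uapi struct. */
struct eeprom_req {
    uint32_t offset;
    uint32_t len;
};

/* Stand-in for the driver's kmalloc(max_len) scratch copy of the NVM. */
static uint8_t nvm_shadow[NVM_MAX_LEN];

/* Check shape to avoid: offset and len are both 32-bit and caller-chosen,
 * so offset + len wraps in uint32_t and an enormous len passes as in range. */
int eeprom_range_check_naive(uint32_t offset, uint32_t len)
{
    return (offset + len > NVM_MAX_LEN) ? -EINVAL : 0;
}

/* Hardened check: reject a zero-length request up front (an
 * "offset + len - 1" last-byte computation would underflow on it), then
 * compare in a form that cannot overflow, with the arithmetic in size_t. */
int eeprom_range_check(uint32_t offset, uint32_t len)
{
    size_t max_len = NVM_MAX_LEN;

    if (len == 0)
        return -EINVAL;
    if (offset >= max_len || len > max_len - offset)
        return -EINVAL;
    return 0;
}

/* Byte copy into the shadow buffer; nothing touches memory until the
 * range check has bounded both the first and the last byte of the request. */
int eeprom_write(const struct eeprom_req *req, const uint8_t *data)
{
    int ret = eeprom_range_check(req->offset, req->len);

    if (ret)
        return ret;
    memcpy(nvm_shadow + req->offset, data, req->len);
    return 0;
}

/* Read back one byte of the shadow image (0 if out of range). */
uint8_t nvm_byte(size_t i)
{
    return i < NVM_MAX_LEN ? nvm_shadow[i] : 0;
}
```

The case to try is offset 127 with len 0xFFFFFFFF: the 32-bit sum in the naive check wraps to 126 and the request is accepted, while the hardened comparison sees len greater than the one byte that remains and rejects it. The same shape (check the offset first, then compare len against the space left) is what a reviewer should look for in any ioctl path that takes an offset and length from userspace.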
@github-actions

🔍 Interdiff Analysis

  • ⚠️ PR commit 3947ded18be (tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect().) → upstream 45c8a6cc2bcd
    Differences found:
diff -u b/net/ipv4/tcp.c b/net/ipv4/tcp.c
--- b/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -3275,3 +3275,3 @@
 	tcp_free_fastopen_req(tp);
-	inet_clear_bit(DEFER_CONNECT, sk);
+	inet->defer_connect = 0;
 	tp->fastopen_client_fail = 0;
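Review bot: The only divergence from upstream 45c8a6cc2bcd in this hunk is the accessor for the defer_connect flag: upstream clears it with inet_clear_bit(DEFER_CONNECT, sk), the backport writes inet->defer_connect = 0. That is the expected adaptation for a tree that still keeps defer_connect as a plain inet_sock member instead of an inet_flags bit, and the two lines are semantically equivalent. The unchanged context does not show where `inet` is bound, so confirm in the PR diff that it is inet_sk(sk) inside tcp_disconnect() and that the rest of the upstream commit applied without further differences.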

This is an automated interdiff check for backported commits.

@github-actions

JIRA PR Check Results

9 commit(s) with issues found:

Commit

Summary: tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().

❌ Errors:

  • VULN-162657: LTS product 'lts-9.6' not found in release_map

Commit

Summary: io_uring/waitid: always prune wait queue entry in io_waitid_wait()

❌ Errors:

  • VULN-162139: LTS product 'lts-9.6' not found in release_map

Commit

Summary: i40e: fix idx validation in config queues msg

❌ Errors:

  • VULN-161968: LTS product 'lts-9.6' not found in release_map

Commit

Summary: tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect().

❌ Errors:

  • VULN-161840: LTS product 'lts-9.6' not found in release_map

Commit

Summary: wifi: mt76: fix linked list corruption

❌ Errors:

  • VULN-161567: LTS product 'lts-9.6' not found in release_map

Commit

Summary: e1000e: fix heap overflow in e1000_set_eeprom

❌ Errors:

  • VULN-161576: LTS product 'lts-9.6' not found in release_map

Commit

Summary: mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory

❌ Errors:

  • VULN-161584: LTS product 'lts-9.6' not found in release_map

Commit

Summary: wifi: cfg80211: fix use-after-free in cmp_bss()

❌ Errors:

  • VULN-162351: LTS product 'lts-9.6' not found in release_map

Commit

Summary: nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()

❌ Errors:

  • VULN-162275: LTS product 'lts-9.6' not found in release_map

Summary: Checked 9 commit(s) total.

@bmastbergen bmastbergen requested a review from a team December 18, 2025 16:23
@bmastbergen
Collaborator Author

Will rerun the validation workflow when this PR gets merged: ctrliq/kernel-src-tree-tools#51

