[LTS 9.4] CVE-2025-22058, CVE-2025-38250, CVE-2025-38556, CVE-2025-38566 #815

pvts-mat · 2026-01-15T19:37:42Z

[LTS 9.4]
CVE-2025-22058 VULN-65245
CVE-2025-38250 VULN-72348
CVE-2025-38556 VULN-131260
CVE-2025-38566 VULN-131158

Commits

CVE-2025-22058

net: forward_alloc_get depends on CONFIG_MPTCP

jira VULN-65245
cve-pre CVE-2025-22058
commit-author Eric Dumazet <edumazet@google.com>
commit 6c302e799a0d4be1362f505453b714fe05d91f2a

net: annotate data-races around sk->sk_forward_alloc

jira VULN-65245
cve-pre CVE-2025-22058
commit-author Eric Dumazet <edumazet@google.com>
commit 5e6300e7b3a4ab5b72a82079753868e91fbf9efc
upstream-diff |
  Accounted for missing 5e6300e7b3a4ab5b72a82079753868e91fbf9efc:
  1. Resolved context conflicts in `mptcp_destroy_common()'
  2. Skipped changes in `mptcp_forward_alloc_get()' - READ_ONCE on
  `sk->sk_forward_alloc' already present

udp: Fix memory accounting leak.

jira VULN-65245
cve CVE-2025-22058
commit-author Kuniyuki Iwashima <kuniyu@amazon.com>
commit df207de9d9e7a4d92f8567e2c539d9c8c12fd99d

CVE-2025-38250

Bluetooth: hci_core: Fix use-after-free in vhci_flush()

jira VULN-72348
cve CVE-2025-38250
commit-author Kuniyuki Iwashima <kuniyu@google.com>
commit 1d6123102e9fbedc8d25bf4731da6d513173e49e
upstream-diff Used ciqlts9_2 backport
  7695f98ce700c12791a899fc0129949686a131af for the actual (clean)
  cherry-pick

CVE-2025-38556

HID: core: Harden s32ton() against conversion to 0 bits

jira VULN-131260
cve CVE-2025-38556
commit-author Alan Stern <stern@rowland.harvard.edu>
commit a6b87bfc2ab5bccb7ad953693c85d9062aef3fdd
upstream-diff Used ciqlts9_2 backport
  60a9b74a81c975beab9804d473cba47b6f0960ad for the actual (clean)
  cherry-pick

CVE-2025-38566

The bug source 5e052dd can't be found in ciqlts9_4 literally, but it was backported as 38481bd, so the issue applies.

sunrpc: fix handling of server side tls alerts

jira VULN-131158
cve CVE-2025-38566
commit-author Olga Kornievskaia <okorniev@redhat.com>
commit bee47cb026e762841f3faece47b51f985e215edb
upstream-diff Context conflicts - accounted for the missing commit
  de4eda9de2d957ef2d6a8365a01e26a435e958cb

kABI check: passed

[1/2] kabi_check_kernel	Check ABI of kernel [ciqlts9_4-CVE-batch-17]	_kabi_check_kernel__x86_64--test--ciqlts9_4-CVE-batch-17
++ uname -m
+ python3 /data/src/ctrliq-github-haskell/kernel-dist-git-el-9.4/SOURCES/check-kabi -k /data/src/ctrliq-github-haskell/kernel-dist-git-el-9.4/SOURCES/Module.kabi_x86_64 -s vms/x86_64--build--ciqlts9_4/build_files/kernel-src-tree-ciqlts9_4-CVE-batch-17/Module.symvers
kABI check passed
+ touch state/kernels/ciqlts9_4-CVE-batch-17/x86_64/kabi_checked

Boot test: passed

boot-test.log

Kselftests: passed relative

Reference

kselftests–ciqlts9_4–run1.log

Patch

kselftests–ciqlts9_4-CVE-batch-17–run1.log
kselftests–ciqlts9_4-CVE-batch-17–run2.log
kselftests–ciqlts9_4-CVE-batch-17–run3.log

Comparison

The tests results for the reference and the patch are the same.

$ ktests.xsh diff  kselftests*.log

Column    File
--------  --------------------------------------------
Status0   kselftests--ciqlts9_4--run1.log
Status1   kselftests--ciqlts9_4-CVE-batch-17--run1.log
Status2   kselftests--ciqlts9_4-CVE-batch-17--run2.log
Status3   kselftests--ciqlts9_4-CVE-batch-17--run3.log

TestCase                                               Status0  Status1  Status2  Status3  Summary
bpf:get_cgroup_id_user                                 pass     pass     pass     pass     same
bpf:test_cgroup_storage                                pass     pass     pass     pass     same
bpf:test_dev_cgroup                                    pass     pass     pass     pass     same
bpf:test_lpm_map                                       pass     pass     pass     pass     same
bpf:test_lru_map                                       pass     pass     pass     pass     same
bpf:test_sock                                          pass     pass     pass     pass     same
bpf:test_sysctl                                        pass     pass     pass     pass     same
bpf:test_tag                                           pass     pass     pass     pass     same
bpf:test_tcpnotify_user                                pass     pass     pass     pass     same
bpf:test_verifier                                      fail     fail     fail     fail     same
breakpoints:breakpoint_test                            pass     pass     pass     pass     same
capabilities:test_execve                               pass     pass     pass     pass     same
clone3:clone3                                          pass     pass     pass     pass     same
clone3:clone3_cap_checkpoint_restore                   pass     pass     pass     pass     same
clone3:clone3_clear_sighand                            pass     pass     pass     pass     same
clone3:clone3_set_tid                                  pass     pass     pass     pass     same
cpu-hotplug:cpu-on-off-test.sh                         pass     pass     pass     pass     same
cpufreq:main.sh                                        fail     fail     fail     fail     same
drivers/dma-buf:udmabuf                                pass     pass     pass     pass     same
drivers/net/bonding:bond-arp-interval-causes-panic.sh  pass     pass     pass     pass     same
drivers/net/bonding:bond-break-lacpdu-tx.sh            fail     fail     fail     fail     same
drivers/net/bonding:bond-eth-type-change.sh            pass     pass     pass     pass     same
drivers/net/bonding:bond-lladdr-target.sh              pass     pass     pass     pass     same
drivers/net/bonding:bond_options.sh                    fail     fail     fail     fail     same
drivers/net/bonding:dev_addr_lists.sh                  pass     pass     pass     pass     same
drivers/net/bonding:mode-1-recovery-updelay.sh         pass     pass     pass     pass     same
drivers/net/bonding:mode-2-recovery-updelay.sh         pass     pass     pass     pass     same
drivers/net/team:dev_addr_lists.sh                     pass     pass     pass     pass     same
exec:binfmt_script                                     pass     pass     pass     pass     same
exec:execveat                                          pass     pass     pass     pass     same
exec:load_address_16777216                             fail     fail     fail     fail     same
exec:load_address_2097152                              pass     pass     pass     pass     same
exec:load_address_4096                                 pass     pass     pass     pass     same
exec:non-regular                                       fail     fail     fail     fail     same
exec:recursion-depth                                   pass     pass     pass     pass     same
filesystems/binderfs:binderfs_test                     fail     fail     fail     fail     same
filesystems/epoll:epoll_wakeup_test                    pass     pass     pass     pass     same
firmware:fw_run_tests.sh                               skip     skip     skip     skip     same
fpu:run_test_fpu.sh                                    skip     skip     skip     skip     same
fpu:test_fpu                                           pass     pass     pass     pass     same
ftrace:ftracetest                                      fail     fail     fail     fail     same
futex:run.sh                                           pass     pass     pass     pass     same
gpio:gpio-mockup.sh                                    fail     fail     fail     fail     same
intel_pstate:run.sh                                    pass     pass     pass     pass     same
iommu:iommufd                                          fail     fail     fail     fail     same
iommu:iommufd_fail_nth                                 pass     pass     pass     pass     same
ipc:msgque                                             pass     pass     pass     pass     same
ir:ir_loopback.sh                                      skip     skip     skip     skip     same
kcmp:kcmp_test                                         pass     pass     pass     pass     same
kexec:test_kexec_file_load.sh                          skip     skip     skip     skip     same
kexec:test_kexec_load.sh                               skip     skip     skip     skip     same
kvm:access_tracking_perf_test                          pass     pass     pass     pass     same
kvm:amx_test                                           fail     fail     fail     fail     same
kvm:cpuid_test                                         fail     fail     fail     fail     same
kvm:cr4_cpuid_sync_test                                fail     fail     fail     fail     same
kvm:debug_regs                                         fail     fail     fail     fail     same
kvm:demand_paging_test                                 pass     pass     pass     pass     same
kvm:dirty_log_page_splitting_test                      fail     fail     fail     fail     same
kvm:dirty_log_perf_test                                pass     pass     pass     pass     same
kvm:dirty_log_test                                     fail     fail     fail     fail     same
kvm:exit_on_emulation_failure_test                     fail     fail     fail     fail     same
kvm:fix_hypercall_test                                 fail     fail     fail     fail     same
kvm:get_msr_index_features                             fail     fail     fail     fail     same
kvm:guest_memfd_test                                   pass     pass     pass     pass     same
kvm:guest_print_test                                   pass     pass     pass     pass     same
kvm:hardware_disable_test                              pass     pass     pass     pass     same
kvm:hyperv_clock                                       fail     fail     fail     fail     same
kvm:hyperv_cpuid                                       fail     fail     fail     fail     same
kvm:hyperv_evmcs                                       fail     fail     fail     fail     same
kvm:hyperv_extended_hypercalls                         fail     fail     fail     fail     same
kvm:hyperv_features                                    fail     fail     fail     fail     same
kvm:hyperv_ipi                                         fail     fail     fail     fail     same
kvm:hyperv_svm_test                                    fail     fail     fail     fail     same
kvm:hyperv_tlb_flush                                   fail     fail     fail     fail     same
kvm:kvm_binary_stats_test                              pass     pass     pass     pass     same
kvm:kvm_clock_test                                     fail     fail     fail     fail     same
kvm:kvm_create_max_vcpus                               pass     pass     pass     pass     same
kvm:kvm_page_table_test                                pass     pass     pass     pass     same
kvm:kvm_pv_test                                        fail     fail     fail     fail     same
kvm:max_guest_memory_test                              pass     pass     pass     pass     same
kvm:max_vcpuid_cap_test                                fail     fail     fail     fail     same
kvm:memslot_modification_stress_test                   pass     pass     pass     pass     same
kvm:memslot_perf_test                                  pass     pass     pass     pass     same
kvm:mmio_warning_test                                  fail     fail     fail     fail     same
kvm:monitor_mwait_test                                 fail     fail     fail     fail     same
kvm:nested_exceptions_test                             fail     fail     fail     fail     same
kvm:nx_huge_pages_test.sh                              fail     fail     fail     fail     same
kvm:platform_info_test                                 fail     fail     fail     fail     same
kvm:pmu_event_filter_test                              fail     fail     fail     fail     same
kvm:private_mem_conversions_test                       fail     fail     fail     fail     same
kvm:private_mem_kvm_exits_test                         fail     fail     fail     fail     same
kvm:recalc_apic_map_test                               fail     fail     fail     fail     same
kvm:rseq_test                                          fail     fail     fail     fail     same
kvm:set_boot_cpu_id                                    fail     fail     fail     fail     same
kvm:set_memory_region_test                             pass     pass     pass     pass     same
kvm:set_sregs_test                                     fail     fail     fail     fail     same
kvm:sev_migrate_tests                                  fail     fail     fail     fail     same
kvm:smaller_maxphyaddr_emulation_test                  fail     fail     fail     fail     same
kvm:smm_test                                           fail     fail     fail     fail     same
kvm:state_test                                         fail     fail     fail     fail     same
kvm:steal_time                                         pass     pass     pass     pass     same
kvm:svm_int_ctl_test                                   fail     fail     fail     fail     same
kvm:svm_nested_shutdown_test                           fail     fail     fail     fail     same
kvm:svm_nested_soft_inject_test                        fail     fail     fail     fail     same
kvm:svm_vmcall_test                                    fail     fail     fail     fail     same
kvm:sync_regs_test                                     fail     fail     fail     fail     same
kvm:system_counter_offset_test                         pass     pass     pass     pass     same
kvm:triple_fault_event_test                            fail     fail     fail     fail     same
kvm:tsc_msrs_test                                      fail     fail     fail     fail     same
kvm:tsc_scaling_sync                                   fail     fail     fail     fail     same
kvm:ucna_injection_test                                fail     fail     fail     fail     same
kvm:userspace_io_test                                  fail     fail     fail     fail     same
kvm:userspace_msr_exit_test                            fail     fail     fail     fail     same
kvm:vmx_apic_access_test                               fail     fail     fail     fail     same
kvm:vmx_close_while_nested_test                        fail     fail     fail     fail     same
kvm:vmx_dirty_log_test                                 fail     fail     fail     fail     same
kvm:vmx_exception_with_invalid_guest_state             fail     fail     fail     fail     same
kvm:vmx_invalid_nested_guest_state                     fail     fail     fail     fail     same
kvm:vmx_msrs_test                                      fail     fail     fail     fail     same
kvm:vmx_nested_tsc_scaling_test                        fail     fail     fail     fail     same
kvm:vmx_pmu_caps_test                                  fail     fail     fail     fail     same
kvm:vmx_preemption_timer_test                          fail     fail     fail     fail     same
kvm:vmx_set_nested_state_test                          fail     fail     fail     fail     same
kvm:vmx_tsc_adjust_test                                fail     fail     fail     fail     same
kvm:xapic_ipi_test                                     fail     fail     fail     fail     same
kvm:xapic_state_test                                   fail     fail     fail     fail     same
kvm:xcr0_cpuid_test                                    fail     fail     fail     fail     same
kvm:xen_shinfo_test                                    fail     fail     fail     fail     same
kvm:xen_vmcall_test                                    fail     fail     fail     fail     same
kvm:xss_msr_test                                       fail     fail     fail     fail     same
landlock:base_test                                     fail     fail     fail     fail     same
landlock:fs_test                                       fail     fail     fail     fail     same
landlock:ptrace_test                                   fail     fail     fail     fail     same
lib:bitmap.sh                                          skip     skip     skip     skip     same
lib:prime_numbers.sh                                   pass     pass     pass     pass     same
lib:printf.sh                                          skip     skip     skip     skip     same
lib:scanf.sh                                           skip     skip     skip     skip     same
lib:strscpy.sh                                         skip     skip     skip     skip     same
livepatch:test-callbacks.sh                            pass     pass     pass     pass     same
livepatch:test-ftrace.sh                               pass     pass     pass     pass     same
livepatch:test-livepatch.sh                            pass     pass     pass     pass     same
livepatch:test-shadow-vars.sh                          pass     pass     pass     pass     same
livepatch:test-state.sh                                pass     pass     pass     pass     same
livepatch:test-sysfs.sh                                pass     pass     pass     pass     same
membarrier:membarrier_test_multi_thread                pass     pass     pass     pass     same
membarrier:membarrier_test_single_thread               pass     pass     pass     pass     same
memfd:memfd_test                                       pass     pass     pass     pass     same
memfd:run_fuse_test.sh                                 pass     pass     pass     pass     same
memfd:run_hugetlbfs_test.sh                            pass     pass     pass     pass     same
memory-hotplug:mem-on-off-test.sh                      pass     pass     pass     pass     same
mincore:mincore_selftest                               fail     fail     fail     fail     same
mount:run_nosymfollow.sh                               pass     pass     pass     pass     same
mount:run_unprivileged_remount.sh                      pass     pass     pass     pass     same
mqueue:mq_open_tests                                   pass     pass     pass     pass     same
mqueue:mq_perf_tests                                   pass     pass     pass     pass     same
nci:nci_dev                                            fail     fail     fail     fail     same
net/forwarding:bridge_locked_port.sh                   pass     pass     pass     pass     same
net/forwarding:bridge_mdb.sh                           skip     skip     skip     skip     same
net/forwarding:bridge_mdb_host.sh                      pass     pass     pass     pass     same
net/forwarding:bridge_mdb_max.sh                       skip     skip     skip     skip     same
net/forwarding:bridge_mdb_port_down.sh                 pass     pass     pass     pass     same
net/forwarding:bridge_mld.sh                           pass     pass     pass     pass     same
net/forwarding:bridge_port_isolation.sh                pass     pass     pass     pass     same
net/forwarding:bridge_sticky_fdb.sh                    pass     pass     pass     pass     same
net/forwarding:bridge_vlan_aware.sh                    pass     pass     pass     pass     same
net/forwarding:bridge_vlan_mcast.sh                    pass     pass     pass     pass     same
net/forwarding:bridge_vlan_unaware.sh                  pass     pass     pass     pass     same
net/forwarding:custom_multipath_hash.sh                fail     fail     fail     fail     same
net/forwarding:ethtool.sh                              skip     skip     skip     skip     same
net/forwarding:ethtool_extended_state.sh               skip     skip     skip     skip     same
net/forwarding:gre_custom_multipath_hash.sh            fail     fail     fail     fail     same
net/forwarding:gre_inner_v4_multipath.sh               pass     pass     pass     pass     same
net/forwarding:gre_multipath.sh                        pass     pass     pass     pass     same
net/forwarding:gre_multipath_nh.sh                     fail     fail     fail     fail     same
net/forwarding:gre_multipath_nh_res.sh                 fail     fail     fail     fail     same
net/forwarding:hw_stats_l3.sh                          skip     skip     skip     skip     same
net/forwarding:hw_stats_l3_gre.sh                      skip     skip     skip     skip     same
net/forwarding:ip6_forward_instats_vrf.sh              skip     skip     skip     skip     same
net/forwarding:ip6gre_custom_multipath_hash.sh         fail     fail     fail     fail     same
net/forwarding:ip6gre_flat.sh                          pass     pass     pass     pass     same
net/forwarding:ip6gre_flat_key.sh                      pass     pass     pass     pass     same
net/forwarding:ip6gre_flat_keys.sh                     pass     pass     pass     pass     same
net/forwarding:ip6gre_hier.sh                          pass     pass     pass     pass     same
net/forwarding:ip6gre_hier_key.sh                      pass     pass     pass     pass     same
net/forwarding:ip6gre_hier_keys.sh                     pass     pass     pass     pass     same
net/forwarding:ip6gre_inner_v4_multipath.sh            pass     pass     pass     pass     same
net/forwarding:ipip_flat_gre.sh                        pass     pass     pass     pass     same
net/forwarding:ipip_flat_gre_key.sh                    pass     pass     pass     pass     same
net/forwarding:ipip_flat_gre_keys.sh                   pass     pass     pass     pass     same
net/forwarding:ipip_hier_gre.sh                        pass     pass     pass     pass     same
net/forwarding:ipip_hier_gre_key.sh                    pass     pass     pass     pass     same
net/forwarding:local_termination.sh                    skip     skip     skip     skip     same
net/forwarding:loopback.sh                             skip     skip     skip     skip     same
net/forwarding:mirror_gre.sh                           pass     pass     pass     pass     same
net/forwarding:mirror_gre_bound.sh                     pass     pass     pass     pass     same
net/forwarding:mirror_gre_bridge_1d.sh                 pass     pass     pass     pass     same
net/forwarding:mirror_gre_bridge_1q.sh                 pass     pass     pass     pass     same
net/forwarding:mirror_gre_bridge_1q_lag.sh             pass     pass     pass     pass     same
net/forwarding:mirror_gre_changes.sh                   pass     pass     pass     pass     same
net/forwarding:mirror_gre_flower.sh                    pass     pass     pass     pass     same
net/forwarding:mirror_gre_lag_lacp.sh                  pass     pass     pass     pass     same
net/forwarding:mirror_gre_neigh.sh                     pass     pass     pass     pass     same
net/forwarding:mirror_gre_nh.sh                        pass     pass     pass     pass     same
net/forwarding:mirror_gre_vlan.sh                      pass     pass     pass     pass     same
net/forwarding:mirror_vlan.sh                          pass     pass     pass     pass     same
net/forwarding:no_forwarding.sh                        pass     pass     pass     pass     same
net/forwarding:pedit_dsfield.sh                        pass     pass     pass     pass     same
net/forwarding:pedit_ip.sh                             pass     pass     pass     pass     same
net/forwarding:pedit_l4port.sh                         pass     pass     pass     pass     same
net/forwarding:q_in_vni_ipv6.sh                        pass     pass     pass     pass     same
net/forwarding:router.sh                               skip     skip     skip     skip     same
net/forwarding:router_bridge.sh                        pass     pass     pass     pass     same
net/forwarding:router_bridge_1d.sh                     pass     pass     pass     pass     same
net/forwarding:router_bridge_pvid_vlan_upper.sh        pass     pass     pass     pass     same
net/forwarding:router_bridge_vlan.sh                   pass     pass     pass     pass     same
net/forwarding:router_bridge_vlan_upper.sh             pass     pass     pass     pass     same
net/forwarding:router_bridge_vlan_upper_pvid.sh        pass     pass     pass     pass     same
net/forwarding:router_broadcast.sh                     pass     pass     pass     pass     same
net/forwarding:router_mpath_nh.sh                      fail     fail     fail     fail     same
net/forwarding:router_mpath_nh_res.sh                  pass     pass     pass     pass     same
net/forwarding:router_multicast.sh                     skip     skip     skip     skip     same
net/forwarding:router_multipath.sh                     fail     fail     fail     fail     same
net/forwarding:router_nh.sh                            pass     pass     pass     pass     same
net/forwarding:router_vid_1.sh                         pass     pass     pass     pass     same
net/forwarding:skbedit_priority.sh                     pass     pass     pass     pass     same
net/forwarding:tc_chains.sh                            pass     pass     pass     pass     same
net/forwarding:tc_flower.sh                            pass     pass     pass     pass     same
net/forwarding:tc_flower_cfm.sh                        fail     fail     fail     fail     same
net/forwarding:tc_flower_l2_miss.sh                    fail     fail     fail     fail     same
net/forwarding:tc_flower_router.sh                     pass     pass     pass     pass     same
net/forwarding:tc_mpls_l2vpn.sh                        pass     pass     pass     pass     same
net/forwarding:tc_shblocks.sh                          pass     pass     pass     pass     same
net/forwarding:tc_tunnel_key.sh                        skip     skip     skip     skip     same
net/forwarding:tc_vlan_modify.sh                       pass     pass     pass     pass     same
net/forwarding:vxlan_asymmetric.sh                     pass     pass     pass     pass     same
net/forwarding:vxlan_asymmetric_ipv6.sh                pass     pass     pass     pass     same
net/forwarding:vxlan_bridge_1d.sh                      pass     pass     pass     pass     same
net/forwarding:vxlan_bridge_1d_port_8472.sh            pass     pass     pass     pass     same
net/forwarding:vxlan_bridge_1d_port_8472_ipv6.sh       pass     pass     pass     pass     same
net/forwarding:vxlan_bridge_1q.sh                      pass     pass     pass     pass     same
net/forwarding:vxlan_bridge_1q_ipv6.sh                 pass     pass     pass     pass     same
net/forwarding:vxlan_bridge_1q_port_8472.sh            pass     pass     pass     pass     same
net/forwarding:vxlan_bridge_1q_port_8472_ipv6.sh       pass     pass     pass     pass     same
net/forwarding:vxlan_symmetric.sh                      pass     pass     pass     pass     same
net/forwarding:vxlan_symmetric_ipv6.sh                 pass     pass     pass     pass     same
net/hsr:hsr_ping.sh                                    fail     fail     fail     fail     same
net/mptcp:diag.sh                                      pass     pass     pass     pass     same
net/mptcp:mptcp_connect.sh                             pass     pass     pass     pass     same
net/mptcp:mptcp_sockopt.sh                             pass     pass     pass     pass     same
net/mptcp:pm_netlink.sh                                pass     pass     pass     pass     same
net:altnames.sh                                        pass     pass     pass     pass     same
net:bareudp.sh                                         pass     pass     pass     pass     same
net:big_tcp.sh                                         skip     skip     skip     skip     same
net:cmsg_so_mark.sh                                    pass     pass     pass     pass     same
net:devlink_port_split.py                              skip     skip     skip     skip     same
net:drop_monitor_tests.sh                              skip     skip     skip     skip     same
net:fcnal-test.sh                                      skip     skip     skip     skip     same
net:fib-onlink-tests.sh                                pass     pass     pass     pass     same
net:fib_nexthop_multiprefix.sh                         pass     pass     pass     pass     same
net:fib_nexthop_nongw.sh                               pass     pass     pass     pass     same
net:fib_rule_tests.sh                                  pass     pass     pass     pass     same
net:fib_tests.sh                                       fail     fail     fail     fail     same
net:fin_ack_lat.sh                                     pass     pass     pass     pass     same
net:gre_gso.sh                                         pass     pass     pass     pass     same
net:icmp.sh                                            fail     fail     fail     fail     same
net:icmp_redirect.sh                                   pass     pass     pass     pass     same
net:io_uring_zerocopy_tx.sh                            fail     fail     fail     fail     same
net:ip6_gre_headroom.sh                                pass     pass     pass     pass     same
net:ipv6_flowlabel.sh                                  pass     pass     pass     pass     same
net:l2_tos_ttl_inherit.sh                              skip     skip     skip     skip     same
net:l2tp.sh                                            pass     pass     pass     pass     same
net:msg_zerocopy.sh                                    pass     pass     pass     pass     same
net:netdevice.sh                                       pass     pass     pass     pass     same
net:pmtu.sh                                            fail     fail     fail     fail     same
net:psock_snd.sh                                       pass     pass     pass     pass     same
net:reuseaddr_conflict                                 pass     pass     pass     pass     same
net:reuseaddr_ports_exhausted.sh                       pass     pass     pass     pass     same
net:reuseport_bpf                                      pass     pass     pass     pass     same
net:reuseport_bpf_cpu                                  pass     pass     pass     pass     same
net:reuseport_bpf_numa                                 pass     pass     pass     pass     same
net:reuseport_dualstack                                pass     pass     pass     pass     same
net:route_localnet.sh                                  pass     pass     pass     pass     same
net:rps_default_mask.sh                                pass     pass     pass     pass     same
net:rtnetlink.sh                                       skip     skip     skip     skip     same
net:run_afpackettests                                  pass     pass     pass     pass     same
net:run_netsocktests                                   pass     pass     pass     pass     same
net:rxtimestamp.sh                                     pass     pass     pass     pass     same
net:so_txtime.sh                                       pass     pass     pass     pass     same
net:srv6_end_next_csid_l3vpn_test.sh                   pass     pass     pass     pass     same
net:srv6_hencap_red_l3vpn_test.sh                      pass     pass     pass     pass     same
net:srv6_hl2encap_red_l2vpn_test.sh                    pass     pass     pass     pass     same
net:stress_reuseport_listen.sh                         pass     pass     pass     pass     same
net:tcp_fastopen_backup_key.sh                         pass     pass     pass     pass     same
net:test_blackhole_dev.sh                              fail     fail     fail     fail     same
net:test_bpf.sh                                        pass     pass     pass     pass     same
net:test_bridge_neigh_suppress.sh                      skip     skip     skip     skip     same
net:test_vxlan_fdb_changelink.sh                       pass     pass     pass     pass     same
net:test_vxlan_under_vrf.sh                            pass     pass     pass     pass     same
net:tls                                                pass     pass     pass     pass     same
net:traceroute.sh                                      pass     pass     pass     pass     same
net:udpgro.sh                                          fail     fail     fail     fail     same
net:udpgro_bench.sh                                    fail     fail     fail     fail     same
net:udpgso.sh                                          pass     pass     pass     pass     same
net:unicast_extensions.sh                              pass     pass     pass     pass     same
net:veth.sh                                            fail     fail     fail     fail     same
net:vrf-xfrm-tests.sh                                  pass     pass     pass     pass     same
net:vrf_route_leaking.sh                               pass     pass     pass     pass     same
net:vrf_strict_mode_test.sh                            pass     pass     pass     pass     same
netfilter:bridge_brouter.sh                            skip     skip     skip     skip     same
netfilter:conntrack_icmp_related.sh                    fail     fail     fail     fail     same
netfilter:conntrack_tcp_unreplied.sh                   pass     pass     pass     pass     same
netfilter:conntrack_vrf.sh                             pass     pass     pass     pass     same
netfilter:ipvs.sh                                      pass     pass     pass     pass     same
netfilter:nf_nat_edemux.sh                             fail     fail     fail     fail     same
netfilter:nft_audit.sh                                 fail     fail     fail     fail     same
netfilter:nft_concat_range.sh                          fail     fail     fail     fail     same
netfilter:nft_conntrack_helper.sh                      skip     skip     skip     skip     same
netfilter:nft_fib.sh                                   skip     skip     skip     skip     same
netfilter:nft_flowtable.sh                             fail     fail     fail     fail     same
netfilter:nft_meta.sh                                  pass     pass     pass     pass     same
netfilter:nft_nat.sh                                   skip     skip     skip     skip     same
netfilter:nft_queue.sh                                 skip     skip     skip     skip     same
netfilter:rpath.sh                                     pass     pass     pass     pass     same
nsfs:owner                                             pass     pass     pass     pass     same
nsfs:pidns                                             pass     pass     pass     pass     same
pid_namespace:regression_enomem                        pass     pass     pass     pass     same
pidfd:pidfd_fdinfo_test                                pass     pass     pass     pass     same
pidfd:pidfd_getfd_test                                 pass     pass     pass     pass     same
pidfd:pidfd_open_test                                  pass     pass     pass     pass     same
pidfd:pidfd_poll_test                                  pass     pass     pass     pass     same
pidfd:pidfd_setns_test                                 pass     pass     pass     pass     same
pidfd:pidfd_test                                       pass     pass     pass     pass     same
pidfd:pidfd_wait                                       pass     pass     pass     pass     same
proc:fd-001-lookup                                     pass     pass     pass     pass     same
proc:fd-002-posix-eq                                   pass     pass     pass     pass     same
proc:fd-003-kthread                                    pass     pass     pass     pass     same
proc:proc-fsconfig-hidepid                             pass     pass     pass     pass     same
proc:proc-loadavg-001                                  pass     pass     pass     pass     same
proc:proc-multiple-procfs                              pass     pass     pass     pass     same
proc:proc-self-map-files-001                           pass     pass     pass     pass     same
proc:proc-self-map-files-002                           pass     pass     pass     pass     same
proc:proc-self-syscall                                 pass     pass     pass     pass     same
proc:proc-self-wchan                                   pass     pass     pass     pass     same
proc:proc-subset-pid                                   pass     pass     pass     pass     same
proc:proc-uptime-002                                   pass     pass     pass     pass     same
proc:read                                              pass     pass     pass     pass     same
proc:self                                              pass     pass     pass     pass     same
proc:setns-dcache                                      pass     pass     pass     pass     same
proc:setns-sysvipc                                     pass     pass     pass     pass     same
proc:thread-self                                       pass     pass     pass     pass     same
pstore:pstore_post_reboot_tests                        skip     skip     skip     skip     same
pstore:pstore_tests                                    fail     fail     fail     fail     same
ptrace:get_syscall_info                                pass     pass     pass     pass     same
ptrace:peeksiginfo                                     pass     pass     pass     pass     same
ptrace:vmaccess                                        fail     fail     fail     fail     same
rlimits:rlimits-per-userns                             pass     pass     pass     pass     same
rseq:basic_percpu_ops_test                             pass     pass     pass     pass     same
rseq:basic_test                                        pass     pass     pass     pass     same
rseq:param_test                                        pass     pass     pass     pass     same
rseq:param_test_benchmark                              pass     pass     pass     pass     same
rseq:param_test_compare_twice                          pass     pass     pass     pass     same
rseq:run_param_test.sh                                 pass     pass     pass     pass     same
seccomp:seccomp_benchmark                              pass     pass     pass     pass     same
seccomp:seccomp_bpf                                    pass     pass     pass     pass     same
sgx:test_sgx                                           fail     fail     fail     fail     same
sigaltstack:sas                                        pass     pass     pass     pass     same
size:get_size                                          pass     pass     pass     pass     same
splice:default_file_splice_read.sh                     pass     pass     pass     pass     same
splice:short_splice_read.sh                            fail     fail     fail     fail     same
static_keys:test_static_keys.sh                        skip     skip     skip     skip     same
syscall_user_dispatch:sud_benchmark                    pass     pass     pass     pass     same
syscall_user_dispatch:sud_test                         pass     pass     pass     pass     same
tc-testing:tdc.sh                                      fail     fail     fail     fail     same
tdx:tdx_guest_test                                     fail     fail     fail     fail     same
timens:clock_nanosleep                                 pass     pass     pass     pass     same
timens:exec                                            pass     pass     pass     pass     same
timens:futex                                           pass     pass     pass     pass     same
timens:procfs                                          pass     pass     pass     pass     same
timens:timens                                          pass     pass     pass     pass     same
timens:timer                                           pass     pass     pass     pass     same
timens:timerfd                                         pass     pass     pass     pass     same
timens:vfork_exec                                      pass     pass     pass     pass     same
timers:inconsistency-check                             pass     pass     pass     pass     same
timers:mqueue-lat                                      pass     pass     pass     pass     same
timers:nanosleep                                       pass     pass     pass     pass     same
timers:nsleep-lat                                      pass     pass     pass     pass     same
timers:posix_timers                                    pass     pass     pass     pass     same
timers:rtcpie                                          pass     pass     pass     pass     same
timers:set-timer-lat                                   pass     pass     pass     pass     same
timers:threadtest                                      pass     pass     pass     pass     same
tmpfs:bug-link-o-tmpfile                               pass     pass     pass     pass     same
tpm2:test_smoke.sh                                     skip     skip     skip     skip     same
tpm2:test_space.sh                                     skip     skip     skip     skip     same
tty:tty_tstamp_update                                  skip     skip     skip     skip     same
vDSO:vdso_standalone_test_x86                          pass     pass     pass     pass     same
vDSO:vdso_test_abi                                     pass     pass     pass     pass     same
vDSO:vdso_test_clock_getres                            pass     pass     pass     pass     same
vDSO:vdso_test_correctness                             pass     pass     pass     pass     same
vDSO:vdso_test_getcpu                                  pass     pass     pass     pass     same
vDSO:vdso_test_gettimeofday                            pass     pass     pass     pass     same
x86:amx_64                                             fail     fail     fail     fail     same
x86:check_initial_reg_state_64                         fail     fail     fail     fail     same
x86:corrupt_xstate_header_64                           fail     fail     fail     fail     same
x86:fsgsbase_64                                        fail     fail     fail     fail     same
x86:fsgsbase_restore_64                                fail     fail     fail     fail     same
x86:ioperm_64                                          fail     fail     fail     fail     same
x86:iopl_64                                            fail     fail     fail     fail     same
x86:lam_64                                             fail     fail     fail     fail     same
x86:mov_ss_trap_64                                     fail     fail     fail     fail     same
x86:sigaltstack_64                                     fail     fail     fail     fail     same
x86:sigreturn_64                                       fail     fail     fail     fail     same
x86:single_step_syscall_64                             fail     fail     fail     fail     same
x86:syscall_arg_fault_64                               fail     fail     fail     fail     same
x86:syscall_nt_64                                      fail     fail     fail     fail     same
x86:syscall_numbering_64                               fail     fail     fail     fail     same
x86:sysret_rip_64                                      fail     fail     fail     fail     same
x86:sysret_ss_attrs_64                                 fail     fail     fail     fail     same
x86:test_mremap_vdso_64                                fail     fail     fail     fail     same
x86:test_vsyscall_64                                   fail     fail     fail     fail     same
zram:zram.sh                                           pass     pass     pass     pass     same

jira VULN-65245 cve-pre CVE-2025-22058 commit-author Eric Dumazet <edumazet@google.com> commit 6c302e7 (struct proto)->sk_forward_alloc is currently only used by MPTCP. Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> (cherry picked from commit 6c302e7) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>

jira VULN-65245 cve-pre CVE-2025-22058 commit-author Eric Dumazet <edumazet@google.com> commit 5e6300e upstream-diff | Accounted for missing 5e6300e: 1. Resolved context conflicts in `mptcp_destroy_common()' 2. Skipped changes in `mptcp_forward_alloc_get()' - READ_ONCE on `sk->sk_forward_alloc' already present Every time sk->sk_forward_alloc is read locklessly, add a READ_ONCE(). Add sk_forward_alloc_add() helper to centralize updates, to reduce number of WRITE_ONCE(). Fixes: 1da177e ("Linux-2.6.12-rc2") Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> (cherry picked from commit 5e6300e) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>

jira VULN-65245 cve CVE-2025-22058 commit-author Kuniyuki Iwashima <kuniyu@amazon.com> commit df207de Matt Dowling reported a weird UDP memory usage issue. Under normal operation, the UDP memory usage reported in /proc/net/sockstat remains close to zero. However, it occasionally spiked to 524,288 pages and never dropped. Moreover, the value doubled when the application was terminated. Finally, it caused intermittent packet drops. We can reproduce the issue with the script below [0]: 1. /proc/net/sockstat reports 0 pages # cat /proc/net/sockstat | grep UDP: UDP: inuse 1 mem 0 2. Run the script till the report reaches 524,288 # python3 test.py & sleep 5 # cat /proc/net/sockstat | grep UDP: UDP: inuse 3 mem 524288 <-- (INT_MAX + 1) >> PAGE_SHIFT 3. Kill the socket and confirm the number never drops # pkill python3 && sleep 5 # cat /proc/net/sockstat | grep UDP: UDP: inuse 1 mem 524288 4. (necessary since v6.0) Trigger proto_memory_pcpu_drain() # python3 test.py & sleep 1 && pkill python3 5. The number doubles # cat /proc/net/sockstat | grep UDP: UDP: inuse 1 mem 1048577 The application set INT_MAX to SO_RCVBUF, which triggered an integer overflow in udp_rmem_release(). When a socket is close()d, udp_destruct_common() purges its receive queue and sums up skb->truesize in the queue. This total is calculated and stored in a local unsigned integer variable. The total size is then passed to udp_rmem_release() to adjust memory accounting. However, because the function takes a signed integer argument, the total size can wrap around, causing an overflow. Then, the released amount is calculated as follows: 1) Add size to sk->sk_forward_alloc. 2) Round down sk->sk_forward_alloc to the nearest lower multiple of PAGE_SIZE and assign it to amount. 3) Subtract amount from sk->sk_forward_alloc. 4) Pass amount >> PAGE_SHIFT to __sk_mem_reduce_allocated(). When the issue occurred, the total in udp_destruct_common() was 2147484480 (INT_MAX + 833), which was cast to -2147482816 in udp_rmem_release(). At 1) sk->sk_forward_alloc is changed from 3264 to -2147479552, and 2) sets -2147479552 to amount. 3) reverts the wraparound, so we don't see a warning in inet_sock_destruct(). However, udp_memory_allocated ends up doubling at 4). Since commit 3cd3399 ("net: implement per-cpu reserves for memory_allocated"), memory usage no longer doubles immediately after a socket is close()d because __sk_mem_reduce_allocated() caches the amount in udp_memory_per_cpu_fw_alloc. However, the next time a UDP socket receives a packet, the subtraction takes effect, causing UDP memory usage to double. This issue makes further memory allocation fail once the socket's sk->sk_rmem_alloc exceeds net.ipv4.udp_rmem_min, resulting in packet drops. To prevent this issue, let's use unsigned int for the calculation and call sk_forward_alloc_add() only once for the small delta. Note that first_packet_length() also potentially has the same problem. [0]: from socket import * SO_RCVBUFFORCE = 33 INT_MAX = (2 ** 31) - 1 s = socket(AF_INET, SOCK_DGRAM) s.bind(('', 0)) s.setsockopt(SOL_SOCKET, SO_RCVBUFFORCE, INT_MAX) c = socket(AF_INET, SOCK_DGRAM) c.connect(s.getsockname()) data = b'a' * 100 while True: c.send(data) Fixes: f970bd9 ("udp: implement memory accounting helpers") Reported-by: Matt Dowling <madowlin@amazon.com> Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com> Reviewed-by: Willem de Bruijn <willemb@google.com> Link: https://patch.msgid.link/20250401184501.67377-3-kuniyu@amazon.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> (cherry picked from commit df207de) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>

jira VULN-72348 cve CVE-2025-38250 commit-author Kuniyuki Iwashima <kuniyu@google.com> commit 1d61231 upstream-diff Used ciqlts9_2 backport 7695f98 for the actual (clean) cherry-pick syzbot reported use-after-free in vhci_flush() without repro. [0] From the splat, a thread close()d a vhci file descriptor while its device was being used by iotcl() on another thread. Once the last fd refcnt is released, vhci_release() calls hci_unregister_dev(), hci_free_dev(), and kfree() for struct vhci_data, which is set to hci_dev->dev->driver_data. The problem is that there is no synchronisation after unlinking hdev from hci_dev_list in hci_unregister_dev(). There might be another thread still accessing the hdev which was fetched before the unlink operation. We can use SRCU for such synchronisation. Let's run hci_dev_reset() under SRCU and wait for its completion in hci_unregister_dev(). Another option would be to restore hci_dev->destruct(), which was removed in commit 587ae08 ("Bluetooth: Remove unused hci-destruct cb"). However, this would not be a good solution, as we should not run hci_unregister_dev() while there are in-flight ioctl() requests, which could lead to another data-race KCSAN splat. Note that other drivers seem to have the same problem, for exmaple, virtbt_remove(). [0]: BUG: KASAN: slab-use-after-free in skb_queue_empty_lockless include/linux/skbuff.h:1891 [inline] BUG: KASAN: slab-use-after-free in skb_queue_purge_reason+0x99/0x360 net/core/skbuff.c:3937 Read of size 8 at addr ffff88807cb8d858 by task syz.1.219/6718 CPU: 1 UID: 0 PID: 6718 Comm: syz.1.219 Not tainted 6.16.0-rc1-syzkaller-00196-g08207f42d3ff #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xd2/0x2b0 mm/kasan/report.c:521 kasan_report+0x118/0x150 mm/kasan/report.c:634 skb_queue_empty_lockless include/linux/skbuff.h:1891 [inline] skb_queue_purge_reason+0x99/0x360 net/core/skbuff.c:3937 skb_queue_purge include/linux/skbuff.h:3368 [inline] vhci_flush+0x44/0x50 drivers/bluetooth/hci_vhci.c:69 hci_dev_do_reset net/bluetooth/hci_core.c:552 [inline] hci_dev_reset+0x420/0x5c0 net/bluetooth/hci_core.c:592 sock_do_ioctl+0xd9/0x300 net/socket.c:1190 sock_ioctl+0x576/0x790 net/socket.c:1311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fcf5b98e929 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fcf5c7b9038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007fcf5bbb6160 RCX: 00007fcf5b98e929 RDX: 0000000000000000 RSI: 00000000400448cb RDI: 0000000000000009 RBP: 00007fcf5ba10b39 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007fcf5bbb6160 R15: 00007ffd6353d528 </TASK> Allocated by task 6535: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4359 kmalloc_noprof include/linux/slab.h:905 [inline] kzalloc_noprof include/linux/slab.h:1039 [inline] vhci_open+0x57/0x360 drivers/bluetooth/hci_vhci.c:635 misc_open+0x2bc/0x330 drivers/char/misc.c:161 chrdev_open+0x4c9/0x5e0 fs/char_dev.c:414 do_dentry_open+0xdf0/0x1970 fs/open.c:964 vfs_open+0x3b/0x340 fs/open.c:1094 do_open fs/namei.c:3887 [inline] path_openat+0x2ee5/0x3830 fs/namei.c:4046 do_filp_open+0x1fa/0x410 fs/namei.c:4073 do_sys_openat2+0x121/0x1c0 fs/open.c:1437 do_sys_open fs/open.c:1452 [inline] __do_sys_openat fs/open.c:1468 [inline] __se_sys_openat fs/open.c:1463 [inline] __x64_sys_openat+0x138/0x170 fs/open.c:1463 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 6535: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2381 [inline] slab_free mm/slub.c:4643 [inline] kfree+0x18e/0x440 mm/slub.c:4842 vhci_release+0xbc/0xd0 drivers/bluetooth/hci_vhci.c:671 __fput+0x44c/0xa70 fs/file_table.c:465 task_work_run+0x1d1/0x260 kernel/task_work.c:227 exit_task_work include/linux/task_work.h:40 [inline] do_exit+0x6ad/0x22e0 kernel/exit.c:955 do_group_exit+0x21c/0x2d0 kernel/exit.c:1104 __do_sys_exit_group kernel/exit.c:1115 [inline] __se_sys_exit_group kernel/exit.c:1113 [inline] __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1113 x64_sys_call+0x21ba/0x21c0 arch/x86/include/generated/asm/syscalls_64.h:232 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff88807cb8d800 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 88 bytes inside of freed 1024-byte region [ffff88807cb8d800, ffff88807cb8dc00) Fixes: bf18c71 ("Bluetooth: vhci: Free driver_data on file release") Reported-by: syzbot+2faa4825e556199361f9@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=f62d64848fc4c7c30cd6 Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com> Acked-by: Paul Menzel <pmenzel@molgen.mpg.de> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> (cherry picked from commit 7695f98) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>

jira VULN-131260 cve CVE-2025-38556 commit-author Alan Stern <stern@rowland.harvard.edu> commit a6b87bf upstream-diff Used ciqlts9_2 backport 60a9b74 for the actual (clean) cherry-pick Testing by the syzbot fuzzer showed that the HID core gets a shift-out-of-bounds exception when it tries to convert a 32-bit quantity to a 0-bit quantity. Ideally this should never occur, but there are buggy devices and some might have a report field with size set to zero; we shouldn't reject the report or the device just because of that. Instead, harden the s32ton() routine so that it returns a reasonable result instead of crashing when it is called with the number of bits set to 0 -- the same as what snto32() does. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Reported-by: syzbot+b63d677d63bcac06cf90@syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-usb/68753a08.050a0220.33d347.0008.GAE@google.com/ Tested-by: syzbot+b63d677d63bcac06cf90@syzkaller.appspotmail.com Fixes: dde5845 ("[PATCH] Generic HID layer - code split") Cc: stable@vger.kernel.org Link: https://patch.msgid.link/613a66cd-4309-4bce-a4f7-2905f9bce0c9@rowland.harvard.edu Signed-off-by: Benjamin Tissoires <bentiss@kernel.org> (cherry picked from commit 60a9b74) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>

jira VULN-131158 cve CVE-2025-38566 commit-author Olga Kornievskaia <okorniev@redhat.com> commit bee47cb upstream-diff Context conflicts - accounted for the missing commit de4eda9 Scott Mayhew discovered a security exploit in NFS over TLS in tls_alert_recv() due to its assumption it can read data from the msg iterator's kvec.. kTLS implementation splits TLS non-data record payload between the control message buffer (which includes the type such as TLS aler or TLS cipher change) and the rest of the payload (say TLS alert's level/description) which goes into the msg payload buffer. This patch proposes to rework how control messages are setup and used by sock_recvmsg(). If no control message structure is setup, kTLS layer will read and process TLS data record types. As soon as it encounters a TLS control message, it would return an error. At that point, NFS can setup a kvec backed msg buffer and read in the control message such as a TLS alert. Msg iterator can advance the kvec pointer as a part of the copy process thus we need to revert the iterator before calling into the tls_alert_recv. Reported-by: Scott Mayhew <smayhew@redhat.com> Fixes: 5e052dd ("SUNRPC: Recognize control messages in server-side TCP socket code") Suggested-by: Trond Myklebust <trondmy@hammerspace.com> Cc: stable@vger.kernel.org Signed-off-by: Olga Kornievskaia <okorniev@redhat.com> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> (cherry picked from commit bee47cb) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>

pvts-mat added 6 commits January 13, 2026 00:48

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[LTS 9.4] CVE-2025-22058, CVE-2025-38250, CVE-2025-38556, CVE-2025-38566 #815

[LTS 9.4] CVE-2025-22058, CVE-2025-38250, CVE-2025-38556, CVE-2025-38566 #815

Uh oh!

pvts-mat commented Jan 15, 2026

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

1 participant

[LTS 9.4] CVE-2025-22058, CVE-2025-38250, CVE-2025-38556, CVE-2025-38566 #815

Are you sure you want to change the base?

[LTS 9.4] CVE-2025-22058, CVE-2025-38250, CVE-2025-38556, CVE-2025-38566 #815

Uh oh!

Conversation

pvts-mat commented Jan 15, 2026

Commits

CVE-2025-22058

CVE-2025-38250

CVE-2025-38556

CVE-2025-38566

kABI check: passed

Boot test: passed

Kselftests: passed relative

Reference

Patch

Comparison

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

1 participant