Recreate RHEL 5.14.0-687.25.1 from CS9/upstream backports
- Drop AlmaLinux ahead-of-RHEL rtmutex remove_waiter() fixes (1756, 1757), superseded by RHEL's CVE-2026-43499 copies in 687.25.1 - Add RHEL 687.25.1 backports recreated from CS9/upstream (1761-1769), including the futex/requeue guard and its same-release revert (net zero, kept for changelog fidelity)
This commit is contained in:
parent
ae889222a0
commit
4ce490ce48
@ -1,90 +0,0 @@
|
||||
From 3bfdc63936dd4773109b7b8c280c0f3b5ae7d349 Mon Sep 17 00:00:00 2001
|
||||
From: Keenan Dong <keenanat2000@gmail.com>
|
||||
Date: Wed, 8 Apr 2026 16:46:00 +0800
|
||||
Subject: [PATCH] rtmutex: Use waiter::task instead of current in
|
||||
remove_waiter()
|
||||
|
||||
remove_waiter() is used by the slowlock paths, but it is also used for
|
||||
proxy-lock rollback in rt_mutex_start_proxy_lock() when invoked from
|
||||
futex_requeue().
|
||||
|
||||
In the latter case waiter::task is not current, but remove_waiter()
|
||||
operates on current for the dequeue operation. That results in several
|
||||
problems:
|
||||
|
||||
1) the rbtree dequeue happens without waiter::task::pi_lock being held
|
||||
|
||||
2) the waiter task's pi_blocked_on state is not cleared, which leaves a
|
||||
dangling pointer primed for UAF around.
|
||||
|
||||
3) rt_mutex_adjust_prio_chain() operates on the wrong top priority waiter
|
||||
task
|
||||
|
||||
Use waiter::task instead of current in all related operations in
|
||||
remove_waiter() to cure those problems.
|
||||
|
||||
[ tglx: Fixup rt_mutex_adjust_prio_chain(), add a comment and amend the
|
||||
changelog ]
|
||||
|
||||
Fixes: 8161239a8bcc ("rtmutex: Simplify PI algorithm and make highest prio task get lock")
|
||||
Reported-by: Yuan Tan <yuantan098@gmail.com>
|
||||
Reported-by: Yifan Wu <yifanwucs@gmail.com>
|
||||
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
|
||||
Reported-by: Xin Liu <bird@lzu.edu.cn>
|
||||
Signed-off-by: Keenan Dong <keenanat2000@gmail.com>
|
||||
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
|
||||
Cc: stable@vger.kernel.org
|
||||
|
||||
[ AlmaLinux: adapted to a9 (5.14.0-687.5.1.el9_8). No functional change vs
|
||||
upstream commit 3bfdc63936dd; only diff hunk offsets differ. The
|
||||
scoped_guard(raw_spinlock, ...) form is used verbatim: it is available in
|
||||
this tree via include/linux/cleanup.h and DEFINE_LOCK_GUARD_1(raw_spinlock,
|
||||
...) in include/linux/spinlock.h. ]
|
||||
---
|
||||
kernel/locking/rtmutex.c | 13 ++++++++-----
|
||||
1 file changed, 8 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/kernel/locking/rtmutex.c b/kernel/locking/rtmutex.c
|
||||
index 1eb4f9499..e881d9548 100644
|
||||
--- a/kernel/locking/rtmutex.c
|
||||
+++ b/kernel/locking/rtmutex.c
|
||||
@@ -1534,20 +1534,23 @@ static bool rtmutex_spin_on_owner(struct rt_mutex_base *lock,
|
||||
*
|
||||
* Must be called with lock->wait_lock held and interrupts disabled. It must
|
||||
* have just failed to try_to_take_rt_mutex().
|
||||
+ *
|
||||
+ * When invoked from rt_mutex_start_proxy_lock() waiter::task != current !
|
||||
*/
|
||||
static void __sched remove_waiter(struct rt_mutex_base *lock,
|
||||
struct rt_mutex_waiter *waiter)
|
||||
{
|
||||
bool is_top_waiter = (waiter == rt_mutex_top_waiter(lock));
|
||||
struct task_struct *owner = rt_mutex_owner(lock);
|
||||
+ struct task_struct *waiter_task = waiter->task;
|
||||
struct rt_mutex_base *next_lock;
|
||||
|
||||
lockdep_assert_held(&lock->wait_lock);
|
||||
|
||||
- raw_spin_lock(¤t->pi_lock);
|
||||
- rt_mutex_dequeue(lock, waiter);
|
||||
- current->pi_blocked_on = NULL;
|
||||
- raw_spin_unlock(¤t->pi_lock);
|
||||
+ scoped_guard(raw_spinlock, &waiter_task->pi_lock) {
|
||||
+ rt_mutex_dequeue(lock, waiter);
|
||||
+ waiter_task->pi_blocked_on = NULL;
|
||||
+ }
|
||||
|
||||
/*
|
||||
* Only update priority if the waiter was the highest priority
|
||||
@@ -1583,7 +1586,7 @@ static void __sched remove_waiter(struct rt_mutex_base *lock,
|
||||
raw_spin_unlock_irq(&lock->wait_lock);
|
||||
|
||||
rt_mutex_adjust_prio_chain(owner, RT_MUTEX_MIN_CHAINWALK, lock,
|
||||
- next_lock, NULL, current);
|
||||
+ next_lock, NULL, waiter_task);
|
||||
|
||||
raw_spin_lock_irq(&lock->wait_lock);
|
||||
}
|
||||
--
|
||||
2.43.7
|
||||
|
||||
42
SOURCES/1761-crypto-ccp-copy-iv-using-skcipher-ivsize.patch
Normal file
42
SOURCES/1761-crypto-ccp-copy-iv-using-skcipher-ivsize.patch
Normal file
@ -0,0 +1,42 @@
|
||||
From 798d409a8949f3f495f238549b86de2886b129bd Mon Sep 17 00:00:00 2001
|
||||
From: Paul Moses <p@1g4.org>
|
||||
Date: Wed, 1 Apr 2026 03:07:49 -0500
|
||||
Subject: [PATCH] crypto: ccp - copy IV using skcipher ivsize
|
||||
|
||||
[ Upstream commit a7a1f3cdd64d8a165d9b8c9e9ad7fb46ac19dfc4 ]
|
||||
|
||||
AF_ALG rfc3686-ctr-aes-ccp requests pass an 8-byte IV to the driver.
|
||||
|
||||
ccp_aes_complete() restores AES_BLOCK_SIZE bytes into the caller's IV
|
||||
buffer while RFC3686 skciphers expose an 8-byte IV, so the restore
|
||||
overruns the provided buffer.
|
||||
|
||||
Use crypto_skcipher_ivsize() to copy only the algorithm's IV length.
|
||||
|
||||
Fixes: 2b789435d7f3 ("crypto: ccp - CCP AES crypto API support")
|
||||
Signed-off-by: Paul Moses <p@1g4.org>
|
||||
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
|
||||
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
||||
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||||
|
||||
diff --git a/drivers/crypto/ccp/ccp-crypto-aes.c b/drivers/crypto/ccp/ccp-crypto-aes.c
|
||||
index e6dcd8cedd53..b03ed5e83c3e 100644
|
||||
--- a/drivers/crypto/ccp/ccp-crypto-aes.c
|
||||
+++ b/drivers/crypto/ccp/ccp-crypto-aes.c
|
||||
@@ -28,8 +28,11 @@ static int ccp_aes_complete(struct crypto_async_request *async_req, int ret)
|
||||
if (ret)
|
||||
return ret;
|
||||
|
||||
- if (ctx->u.aes.mode != CCP_AES_MODE_ECB)
|
||||
- memcpy(req->iv, rctx->iv, AES_BLOCK_SIZE);
|
||||
+ if (ctx->u.aes.mode != CCP_AES_MODE_ECB) {
|
||||
+ size_t ivsize = crypto_skcipher_ivsize(crypto_skcipher_reqtfm(req));
|
||||
+
|
||||
+ memcpy(req->iv, rctx->iv, ivsize);
|
||||
+ }
|
||||
|
||||
return 0;
|
||||
}
|
||||
--
|
||||
2.50.1 (Apple Git-155)
|
||||
|
||||
@ -0,0 +1,100 @@
|
||||
From 238e03d0466239410b72294b79494e43d4fabe77 Mon Sep 17 00:00:00 2001
|
||||
From: Mohammad Heib <mheib@redhat.com>
|
||||
Date: Sun, 4 Jan 2026 23:31:01 +0200
|
||||
Subject: [PATCH] net: fix memory leak in skb_segment_list for GRO packets
|
||||
|
||||
When skb_segment_list() is called during packet forwarding, it handles
|
||||
packets that were aggregated by the GRO engine.
|
||||
|
||||
Historically, the segmentation logic in skb_segment_list assumes that
|
||||
individual segments are split from a parent SKB and may need to carry
|
||||
their own socket memory accounting. Accordingly, the code transfers
|
||||
truesize from the parent to the newly created segments.
|
||||
|
||||
Prior to commit ed4cccef64c1 ("gro: fix ownership transfer"), this
|
||||
truesize subtraction in skb_segment_list() was valid because fragments
|
||||
still carry a reference to the original socket.
|
||||
|
||||
However, commit ed4cccef64c1 ("gro: fix ownership transfer") changed
|
||||
this behavior by ensuring that fraglist entries are explicitly
|
||||
orphaned (skb->sk = NULL) to prevent illegal orphaning later in the
|
||||
stack. This change meant that the entire socket memory charge remained
|
||||
with the head SKB, but the corresponding accounting logic in
|
||||
skb_segment_list() was never updated.
|
||||
|
||||
As a result, the current code unconditionally adds each fragment's
|
||||
truesize to delta_truesize and subtracts it from the parent SKB. Since
|
||||
the fragments are no longer charged to the socket, this subtraction
|
||||
results in an effective under-count of memory when the head is freed.
|
||||
This causes sk_wmem_alloc to remain non-zero, preventing socket
|
||||
destruction and leading to a persistent memory leak.
|
||||
|
||||
The leak can be observed via KMEMLEAK when tearing down the networking
|
||||
environment:
|
||||
|
||||
unreferenced object 0xffff8881e6eb9100 (size 2048):
|
||||
comm "ping", pid 6720, jiffies 4295492526
|
||||
backtrace:
|
||||
kmem_cache_alloc_noprof+0x5c6/0x800
|
||||
sk_prot_alloc+0x5b/0x220
|
||||
sk_alloc+0x35/0xa00
|
||||
inet6_create.part.0+0x303/0x10d0
|
||||
__sock_create+0x248/0x640
|
||||
__sys_socket+0x11b/0x1d0
|
||||
|
||||
Since skb_segment_list() is exclusively used for SKB_GSO_FRAGLIST
|
||||
packets constructed by GRO, the truesize adjustment is removed.
|
||||
|
||||
The call to skb_release_head_state() must be preserved. As documented in
|
||||
commit cf673ed0e057 ("net: fix fraglist segmentation reference count
|
||||
leak"), it is still required to correctly drop references to SKB
|
||||
extensions that may be overwritten during __copy_skb_header().
|
||||
|
||||
Fixes: ed4cccef64c1 ("gro: fix ownership transfer")
|
||||
Signed-off-by: Mohammad Heib <mheib@redhat.com>
|
||||
Reviewed-by: Willem de Bruijn <willemb@google.com>
|
||||
Link: https://patch.msgid.link/20260104213101.352887-1-mheib@redhat.com
|
||||
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
|
||||
|
||||
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
|
||||
index a00808f7be6a..a56133902c0d 100644
|
||||
--- a/net/core/skbuff.c
|
||||
+++ b/net/core/skbuff.c
|
||||
@@ -4636,12 +4636,14 @@ struct sk_buff *skb_segment_list(struct sk_buff *skb,
|
||||
{
|
||||
struct sk_buff *list_skb = skb_shinfo(skb)->frag_list;
|
||||
unsigned int tnl_hlen = skb_tnl_header_len(skb);
|
||||
- unsigned int delta_truesize = 0;
|
||||
unsigned int delta_len = 0;
|
||||
struct sk_buff *tail = NULL;
|
||||
struct sk_buff *nskb, *tmp;
|
||||
int len_diff, err;
|
||||
|
||||
+ /* Only skb_gro_receive_list generated skbs arrive here */
|
||||
+ DEBUG_NET_WARN_ON_ONCE(!(skb_shinfo(skb)->gso_type & SKB_GSO_FRAGLIST));
|
||||
+
|
||||
skb_push(skb, -skb_network_offset(skb) + offset);
|
||||
|
||||
/* Ensure the head is writeable before touching the shared info */
|
||||
@@ -4655,8 +4657,9 @@ struct sk_buff *skb_segment_list(struct sk_buff *skb,
|
||||
nskb = list_skb;
|
||||
list_skb = list_skb->next;
|
||||
|
||||
+ DEBUG_NET_WARN_ON_ONCE(nskb->sk);
|
||||
+
|
||||
err = 0;
|
||||
- delta_truesize += nskb->truesize;
|
||||
if (skb_shared(nskb)) {
|
||||
tmp = skb_clone(nskb, GFP_ATOMIC);
|
||||
if (tmp) {
|
||||
@@ -4699,7 +4702,6 @@ struct sk_buff *skb_segment_list(struct sk_buff *skb,
|
||||
goto err_linearize;
|
||||
}
|
||||
|
||||
- skb->truesize = skb->truesize - delta_truesize;
|
||||
skb->data_len = skb->data_len - delta_len;
|
||||
skb->len = skb->len - delta_len;
|
||||
|
||||
--
|
||||
2.50.1 (Apple Git-155)
|
||||
|
||||
@ -0,0 +1,77 @@
|
||||
From bba6d3303088d0f68a34859079a4656d6e86e164 Mon Sep 17 00:00:00 2001
|
||||
From: Anubhav Shelat <ashelat@redhat.com>
|
||||
Date: Tue, 12 May 2026 12:55:02 -0400
|
||||
Subject: [PATCH] kallsyms: clean up modname and modbuildid initialization in
|
||||
kallsyms_lookup_buildid()
|
||||
|
||||
JIRA: https://issues.redhat.com/browse/RHEL-164306
|
||||
|
||||
upstream
|
||||
========
|
||||
commit fda024fb64769e9d6b3916d013c78d6b189129f8
|
||||
Author: Petr Mladek <pmladek@suse.com>
|
||||
Date: Fri Nov 28 14:59:15 2025 +0100
|
||||
|
||||
description
|
||||
===========
|
||||
The @modname and @modbuildid optional return parameters are set only when
|
||||
the symbol is in a module.
|
||||
|
||||
Always initialize them so that they do not need to be cleared when the
|
||||
module is not in a module. It simplifies the logic and makes the code
|
||||
even slightly more safe.
|
||||
|
||||
Note that bpf_address_lookup() function will get updated in a separate
|
||||
patch.
|
||||
|
||||
Link: https://lkml.kernel.org/r/20251128135920.217303-3-pmladek@suse.com
|
||||
Signed-off-by: Petr Mladek <pmladek@suse.com>
|
||||
Cc: Aaron Tomlin <atomlin@atomlin.com>
|
||||
Cc: Alexei Starovoitov <ast@kernel.org>
|
||||
Cc: Daniel Borkman <daniel@iogearbox.net>
|
||||
Cc: Daniel Gomez <da.gomez@samsung.com>
|
||||
Cc: John Fastabend <john.fastabend@gmail.com>
|
||||
Cc: Kees Cook <kees@kernel.org>
|
||||
Cc: Luis Chamberalin <mcgrof@kernel.org>
|
||||
Cc: Marc Rutland <mark.rutland@arm.com>
|
||||
Cc: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
|
||||
Cc: Petr Pavlu <petr.pavlu@suse.com>
|
||||
Cc: Sami Tolvanen <samitolvanen@google.com>
|
||||
Cc: Steven Rostedt (Google) <rostedt@goodmis.org>
|
||||
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
|
||||
|
||||
Signed-off-by: Anubhav Shelat <ashelat@redhat.com>
|
||||
|
||||
diff --git a/kernel/kallsyms.c b/kernel/kallsyms.c
|
||||
index 8deb399d45c7..859435335c6f 100644
|
||||
--- a/kernel/kallsyms.c
|
||||
+++ b/kernel/kallsyms.c
|
||||
@@ -403,6 +403,14 @@ static const char *kallsyms_lookup_buildid(unsigned long addr,
|
||||
|
||||
namebuf[KSYM_NAME_LEN - 1] = 0;
|
||||
namebuf[0] = 0;
|
||||
+ /*
|
||||
+ * Initialize the module-related return values. They are not set
|
||||
+ * when the symbol is in vmlinux or it is a bpf address.
|
||||
+ */
|
||||
+ if (modname)
|
||||
+ *modname = NULL;
|
||||
+ if (modbuildid)
|
||||
+ *modbuildid = NULL;
|
||||
|
||||
if (is_ksym_addr(addr)) {
|
||||
unsigned long pos;
|
||||
@@ -411,10 +419,6 @@ static const char *kallsyms_lookup_buildid(unsigned long addr,
|
||||
/* Grab name */
|
||||
kallsyms_expand_symbol(get_symbol_offset(pos),
|
||||
namebuf, KSYM_NAME_LEN);
|
||||
- if (modname)
|
||||
- *modname = NULL;
|
||||
- if (modbuildid)
|
||||
- *modbuildid = NULL;
|
||||
|
||||
ret = namebuf;
|
||||
goto found;
|
||||
--
|
||||
2.50.1 (Apple Git-155)
|
||||
|
||||
175
SOURCES/1764-kallsyms-bpf-rename-bpf-address-lookup.patch
Normal file
175
SOURCES/1764-kallsyms-bpf-rename-bpf-address-lookup.patch
Normal file
@ -0,0 +1,175 @@
|
||||
From f4175fcdb3d3d06d76caf08a7e6cb8f56da32f94 Mon Sep 17 00:00:00 2001
|
||||
From: Anubhav Shelat <ashelat@redhat.com>
|
||||
Date: Tue, 12 May 2026 17:50:20 -0400
|
||||
Subject: [PATCH] kallsyms/bpf: rename __bpf_address_lookup() to
|
||||
bpf_address_lookup()
|
||||
|
||||
JIRA: https://issues.redhat.com/browse/RHEL-164306
|
||||
|
||||
Conflict: Code difference due to missing
|
||||
7e1f4eb9a60d40dd17a97d9b76818682a024a127 (kallsyms: rework symbol lookup
|
||||
return codes).
|
||||
|
||||
upstream
|
||||
========
|
||||
commit cd6735896d0343942cf3dafb48ce32eb79341990
|
||||
Author: Petr Mladek <pmladek@suse.com>
|
||||
Date: Fri Nov 28 14:59:18 2025 +0100
|
||||
|
||||
description
|
||||
===========
|
||||
|
||||
bpf_address_lookup() has been used only in kallsyms_lookup_buildid(). It
|
||||
was supposed to set @modname and @modbuildid when the symbol was in a
|
||||
module.
|
||||
|
||||
But it always just cleared @modname because BPF symbols were never in a
|
||||
module. And it did not clear @modbuildid because the pointer was not
|
||||
passed.
|
||||
|
||||
The wrapper is no longer needed. Both @modname and @modbuildid are now
|
||||
always initialized to NULL in kallsyms_lookup_buildid().
|
||||
|
||||
Remove the wrapper and rename __bpf_address_lookup() to
|
||||
bpf_address_lookup() because this variant is used everywhere.
|
||||
|
||||
[akpm@linux-foundation.org: fix loongarch]
|
||||
Link: https://lkml.kernel.org/r/20251128135920.217303-6-pmladek@suse.com
|
||||
Fixes: 9294523e3768 ("module: add printk formats to add module build ID to stacktraces")
|
||||
Signed-off-by: Petr Mladek <pmladek@suse.com>
|
||||
Acked-by: Alexei Starovoitov <ast@kernel.org>
|
||||
Cc: Aaron Tomlin <atomlin@atomlin.com>
|
||||
Cc: Daniel Borkman <daniel@iogearbox.net>
|
||||
Cc: Daniel Gomez <da.gomez@samsung.com>
|
||||
Cc: John Fastabend <john.fastabend@gmail.com>
|
||||
Cc: Kees Cook <kees@kernel.org>
|
||||
Cc: Luis Chamberalin <mcgrof@kernel.org>
|
||||
Cc: Marc Rutland <mark.rutland@arm.com>
|
||||
Cc: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
|
||||
Cc: Petr Pavlu <petr.pavlu@suse.com>
|
||||
Cc: Sami Tolvanen <samitolvanen@google.com>
|
||||
Cc: Steven Rostedt (Google) <rostedt@goodmis.org>
|
||||
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
|
||||
|
||||
Signed-off-by: Anubhav Shelat <ashelat@redhat.com>
|
||||
|
||||
diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c
|
||||
index c2afc5533..0f32892f0 100644
|
||||
--- a/arch/arm64/net/bpf_jit_comp.c
|
||||
+++ b/arch/arm64/net/bpf_jit_comp.c
|
||||
@@ -2567,7 +2567,7 @@ int bpf_arch_text_poke(void *ip, enum bpf_text_poke_type poke_type,
|
||||
u64 plt_target = 0ULL;
|
||||
bool poking_bpf_entry;
|
||||
|
||||
- if (!__bpf_address_lookup((unsigned long)ip, &size, &offset, namebuf))
|
||||
+ if (!bpf_address_lookup((unsigned long)ip, &size, &offset, namebuf))
|
||||
/* Only poking bpf text is supported. Since kernel function
|
||||
* entry is set up by ftrace, we reply on ftrace to poke kernel
|
||||
* functions.
|
||||
diff --git a/arch/powerpc/net/bpf_jit_comp.c b/arch/powerpc/net/bpf_jit_comp.c
|
||||
index b381ab8d1..325d494e2 100644
|
||||
--- a/arch/powerpc/net/bpf_jit_comp.c
|
||||
+++ b/arch/powerpc/net/bpf_jit_comp.c
|
||||
@@ -1096,7 +1096,7 @@ int bpf_arch_text_poke(void *ip, enum bpf_text_poke_type poke_type,
|
||||
branch_flags = poke_type == BPF_MOD_CALL ? BRANCH_SET_LINK : 0;
|
||||
|
||||
/* We currently only support poking bpf programs */
|
||||
- if (!__bpf_address_lookup(bpf_func, &size, &offset, name)) {
|
||||
+ if (!bpf_address_lookup(bpf_func, &size, &offset, name)) {
|
||||
pr_err("%s (0x%lx): kernel/modules are not supported\n", __func__, bpf_func);
|
||||
return -EOPNOTSUPP;
|
||||
}
|
||||
diff --git a/include/linux/filter.h b/include/linux/filter.h
|
||||
index c04fbf7f0..057626c3b 100644
|
||||
--- a/include/linux/filter.h
|
||||
+++ b/include/linux/filter.h
|
||||
@@ -1249,24 +1249,13 @@ static inline bool bpf_jit_kallsyms_enabled(void)
|
||||
return false;
|
||||
}
|
||||
|
||||
-const char *__bpf_address_lookup(unsigned long addr, unsigned long *size,
|
||||
- unsigned long *off, char *sym);
|
||||
+const char *bpf_address_lookup(unsigned long addr, unsigned long *size,
|
||||
+ unsigned long *off, char *sym);
|
||||
bool is_bpf_text_address(unsigned long addr);
|
||||
int bpf_get_kallsym(unsigned int symnum, unsigned long *value, char *type,
|
||||
char *sym);
|
||||
struct bpf_prog *bpf_prog_ksym_find(unsigned long addr);
|
||||
|
||||
-static inline const char *
|
||||
-bpf_address_lookup(unsigned long addr, unsigned long *size,
|
||||
- unsigned long *off, char **modname, char *sym)
|
||||
-{
|
||||
- const char *ret = __bpf_address_lookup(addr, size, off, sym);
|
||||
-
|
||||
- if (ret && modname)
|
||||
- *modname = NULL;
|
||||
- return ret;
|
||||
-}
|
||||
-
|
||||
void bpf_prog_kallsyms_add(struct bpf_prog *fp);
|
||||
void bpf_prog_kallsyms_del(struct bpf_prog *fp);
|
||||
|
||||
@@ -1305,8 +1294,8 @@ static inline bool bpf_jit_kallsyms_enabled(void)
|
||||
}
|
||||
|
||||
static inline const char *
|
||||
-__bpf_address_lookup(unsigned long addr, unsigned long *size,
|
||||
- unsigned long *off, char *sym)
|
||||
+bpf_address_lookup(unsigned long addr, unsigned long *size,
|
||||
+ unsigned long *off, char *sym)
|
||||
{
|
||||
return NULL;
|
||||
}
|
||||
@@ -1327,13 +1316,6 @@ static inline struct bpf_prog *bpf_prog_ksym_find(unsigned long addr)
|
||||
return NULL;
|
||||
}
|
||||
|
||||
-static inline const char *
|
||||
-bpf_address_lookup(unsigned long addr, unsigned long *size,
|
||||
- unsigned long *off, char **modname, char *sym)
|
||||
-{
|
||||
- return NULL;
|
||||
-}
|
||||
-
|
||||
static inline void bpf_prog_kallsyms_add(struct bpf_prog *fp)
|
||||
{
|
||||
}
|
||||
diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
|
||||
index 07dda7c6a..5c07d9a7d 100644
|
||||
--- a/kernel/bpf/core.c
|
||||
+++ b/kernel/bpf/core.c
|
||||
@@ -742,8 +742,8 @@ static struct bpf_ksym *bpf_ksym_find(unsigned long addr)
|
||||
return n ? container_of(n, struct bpf_ksym, tnode) : NULL;
|
||||
}
|
||||
|
||||
-const char *__bpf_address_lookup(unsigned long addr, unsigned long *size,
|
||||
- unsigned long *off, char *sym)
|
||||
+const char *bpf_address_lookup(unsigned long addr, unsigned long *size,
|
||||
+ unsigned long *off, char *sym)
|
||||
{
|
||||
struct bpf_ksym *ksym;
|
||||
char *ret = NULL;
|
||||
diff --git a/kernel/kallsyms.c b/kernel/kallsyms.c
|
||||
index 859435335..8ff04b11e 100644
|
||||
--- a/kernel/kallsyms.c
|
||||
+++ b/kernel/kallsyms.c
|
||||
@@ -391,7 +391,7 @@ int kallsyms_lookup_size_offset(unsigned long addr, unsigned long *symbolsize,
|
||||
return 1;
|
||||
}
|
||||
return !!module_address_lookup(addr, symbolsize, offset, NULL, NULL, namebuf) ||
|
||||
- !!__bpf_address_lookup(addr, symbolsize, offset, namebuf);
|
||||
+ !!bpf_address_lookup(addr, symbolsize, offset, namebuf);
|
||||
}
|
||||
|
||||
static const char *kallsyms_lookup_buildid(unsigned long addr,
|
||||
@@ -428,8 +428,7 @@ static const char *kallsyms_lookup_buildid(unsigned long addr,
|
||||
ret = module_address_lookup(addr, symbolsize, offset,
|
||||
modname, modbuildid, namebuf);
|
||||
if (!ret)
|
||||
- ret = bpf_address_lookup(addr, symbolsize,
|
||||
- offset, modname, namebuf);
|
||||
+ ret = bpf_address_lookup(addr, symbolsize, offset, namebuf);
|
||||
|
||||
if (!ret)
|
||||
ret = ftrace_mod_address_lookup(addr, symbolsize,
|
||||
@ -0,0 +1,171 @@
|
||||
From a6ae4511c07b91f597e461406c6330f0d4ff810e Mon Sep 17 00:00:00 2001
|
||||
From: Zhengchuan Liang <zcliangcn@gmail.com>
|
||||
Date: Mon, 4 May 2026 08:16:28 -0400
|
||||
Subject: [PATCH] net: bridge: use a stable FDB dst snapshot in RCU readers
|
||||
|
||||
[ Upstream commit df4601653201de21b487c3e7fffd464790cab808 ]
|
||||
|
||||
Local FDB entries can be rewritten in place by `fdb_delete_local()`, which
|
||||
updates `f->dst` to another port or to `NULL` while keeping the entry
|
||||
alive. Several bridge RCU readers inspect `f->dst`, including
|
||||
`br_fdb_fillbuf()` through the `brforward_read()` sysfs path.
|
||||
|
||||
These readers currently load `f->dst` multiple times and can therefore
|
||||
observe inconsistent values across the check and later dereference.
|
||||
In `br_fdb_fillbuf()`, this means a concurrent local-FDB update can change
|
||||
`f->dst` after the NULL check and before the `port_no` dereference,
|
||||
leading to a NULL-ptr-deref.
|
||||
|
||||
Fix this by taking a single `READ_ONCE()` snapshot of `f->dst` in each
|
||||
affected RCU reader and using that snapshot for the rest of the access
|
||||
sequence. Also publish the in-place `f->dst` updates in `fdb_delete_local()`
|
||||
with `WRITE_ONCE()` so the readers and writer use matching access patterns.
|
||||
|
||||
Fixes: 960b589f86c7 ("bridge: Properly check if local fdb entry can be deleted in br_fdb_change_mac_address")
|
||||
Cc: stable@kernel.org
|
||||
Reported-by: Yifan Wu <yifanwucs@gmail.com>
|
||||
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
|
||||
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
|
||||
Signed-off-by: Yuan Tan <yuantan098@gmail.com>
|
||||
Suggested-by: Xin Liu <bird@lzu.edu.cn>
|
||||
Tested-by: Ren Wei <enjou1224z@gmail.com>
|
||||
Signed-off-by: Zhengchuan Liang <zcliangcn@gmail.com>
|
||||
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
|
||||
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
|
||||
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
|
||||
Link: https://patch.msgid.link/6570fabb85ecadb8baaf019efe856f407711c7b9.1776043229.git.zcliangcn@gmail.com
|
||||
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
|
||||
[ kept combined-flag check `(dst->flags & (BR_PROXYARP_WIFI | BR_NEIGH_SUPPRESS))` and `cb->args[2]` indexing instead of `br_is_neigh_suppress_enabled()` helper and `ctx->fdb_idx` ]
|
||||
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
|
||||
diff --git a/net/bridge/br_arp_nd_proxy.c b/net/bridge/br_arp_nd_proxy.c
|
||||
index 1e2b51769..1f37b8cff 100644
|
||||
--- a/net/bridge/br_arp_nd_proxy.c
|
||||
+++ b/net/bridge/br_arp_nd_proxy.c
|
||||
@@ -202,11 +202,12 @@ void br_do_proxy_suppress_arp(struct sk_buff *skb, struct net_bridge *br,
|
||||
|
||||
f = br_fdb_find_rcu(br, n->ha, vid);
|
||||
if (f) {
|
||||
+ const struct net_bridge_port *dst = READ_ONCE(f->dst);
|
||||
bool replied = false;
|
||||
|
||||
if ((p && (p->flags & BR_PROXYARP)) ||
|
||||
- (f->dst && (f->dst->flags & BR_PROXYARP_WIFI)) ||
|
||||
- br_is_neigh_suppress_enabled(f->dst, vid)) {
|
||||
+ (dst && (dst->flags & BR_PROXYARP_WIFI)) ||
|
||||
+ br_is_neigh_suppress_enabled(dst, vid)) {
|
||||
if (!vid)
|
||||
br_arp_send(br, p, skb->dev, sip, tip,
|
||||
sha, n->ha, sha, 0, 0);
|
||||
@@ -466,9 +467,10 @@ void br_do_suppress_nd(struct sk_buff *skb, struct net_bridge *br,
|
||||
|
||||
f = br_fdb_find_rcu(br, n->ha, vid);
|
||||
if (f) {
|
||||
+ const struct net_bridge_port *dst = READ_ONCE(f->dst);
|
||||
bool replied = false;
|
||||
|
||||
- if (br_is_neigh_suppress_enabled(f->dst, vid)) {
|
||||
+ if (br_is_neigh_suppress_enabled(dst, vid)) {
|
||||
if (vid != 0)
|
||||
br_nd_send(br, p, skb, n,
|
||||
skb->vlan_proto,
|
||||
diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
|
||||
index 83483ea12..53abd9d9a 100644
|
||||
--- a/net/bridge/br_fdb.c
|
||||
+++ b/net/bridge/br_fdb.c
|
||||
@@ -243,6 +243,7 @@ struct net_device *br_fdb_find_port(const struct net_device *br_dev,
|
||||
const unsigned char *addr,
|
||||
__u16 vid)
|
||||
{
|
||||
+ const struct net_bridge_port *dst;
|
||||
struct net_bridge_fdb_entry *f;
|
||||
struct net_device *dev = NULL;
|
||||
struct net_bridge *br;
|
||||
@@ -255,8 +256,11 @@ struct net_device *br_fdb_find_port(const struct net_device *br_dev,
|
||||
br = netdev_priv(br_dev);
|
||||
rcu_read_lock();
|
||||
f = br_fdb_find_rcu(br, addr, vid);
|
||||
- if (f && f->dst)
|
||||
- dev = f->dst->dev;
|
||||
+ if (f) {
|
||||
+ dst = READ_ONCE(f->dst);
|
||||
+ if (dst)
|
||||
+ dev = dst->dev;
|
||||
+ }
|
||||
rcu_read_unlock();
|
||||
|
||||
return dev;
|
||||
@@ -353,7 +357,7 @@ static void fdb_delete_local(struct net_bridge *br,
|
||||
vg = nbp_vlan_group(op);
|
||||
if (op != p && ether_addr_equal(op->dev->dev_addr, addr) &&
|
||||
(!vid || br_vlan_find(vg, vid))) {
|
||||
- f->dst = op;
|
||||
+ WRITE_ONCE(f->dst, op);
|
||||
clear_bit(BR_FDB_ADDED_BY_USER, &f->flags);
|
||||
return;
|
||||
}
|
||||
@@ -364,7 +368,7 @@ static void fdb_delete_local(struct net_bridge *br,
|
||||
/* Maybe bridge device has same hw addr? */
|
||||
if (p && ether_addr_equal(br->dev->dev_addr, addr) &&
|
||||
(!vid || (v && br_vlan_should_use(v)))) {
|
||||
- f->dst = NULL;
|
||||
+ WRITE_ONCE(f->dst, NULL);
|
||||
clear_bit(BR_FDB_ADDED_BY_USER, &f->flags);
|
||||
return;
|
||||
}
|
||||
@@ -827,6 +831,7 @@ int br_fdb_test_addr(struct net_device *dev, unsigned char *addr)
|
||||
int br_fdb_fillbuf(struct net_bridge *br, void *buf,
|
||||
unsigned long maxnum, unsigned long skip)
|
||||
{
|
||||
+ const struct net_bridge_port *dst;
|
||||
struct net_bridge_fdb_entry *f;
|
||||
struct __fdb_entry *fe = buf;
|
||||
int num = 0;
|
||||
@@ -842,7 +847,8 @@ int br_fdb_fillbuf(struct net_bridge *br, void *buf,
|
||||
continue;
|
||||
|
||||
/* ignore pseudo entry for local MAC address */
|
||||
- if (!f->dst)
|
||||
+ dst = READ_ONCE(f->dst);
|
||||
+ if (!dst)
|
||||
continue;
|
||||
|
||||
if (skip) {
|
||||
@@ -854,8 +860,8 @@ int br_fdb_fillbuf(struct net_bridge *br, void *buf,
|
||||
memcpy(fe->mac_addr, f->key.addr.addr, ETH_ALEN);
|
||||
|
||||
/* due to ABI compat need to split into hi/lo */
|
||||
- fe->port_no = f->dst->port_no;
|
||||
- fe->port_hi = f->dst->port_no >> 8;
|
||||
+ fe->port_no = dst->port_no;
|
||||
+ fe->port_hi = dst->port_no >> 8;
|
||||
|
||||
fe->is_local = test_bit(BR_FDB_LOCAL, &f->flags);
|
||||
if (!test_bit(BR_FDB_STATIC, &f->flags))
|
||||
@@ -977,9 +983,11 @@ int br_fdb_dump(struct sk_buff *skb,
|
||||
|
||||
rcu_read_lock();
|
||||
hlist_for_each_entry_rcu(f, &br->fdb_list, fdb_node) {
|
||||
+ const struct net_bridge_port *dst = READ_ONCE(f->dst);
|
||||
+
|
||||
if (*idx < cb->args[2])
|
||||
goto skip;
|
||||
- if (filter_dev && (!f->dst || f->dst->dev != filter_dev)) {
|
||||
+ if (filter_dev && (!dst || dst->dev != filter_dev)) {
|
||||
if (filter_dev != dev)
|
||||
goto skip;
|
||||
/* !f->dst is a special case for bridge
|
||||
@@ -987,10 +995,10 @@ int br_fdb_dump(struct sk_buff *skb,
|
||||
* Therefore need a little more filtering
|
||||
* we only want to dump the !f->dst case
|
||||
*/
|
||||
- if (f->dst)
|
||||
+ if (dst)
|
||||
goto skip;
|
||||
}
|
||||
- if (!filter_dev && f->dst)
|
||||
+ if (!filter_dev && dst)
|
||||
goto skip;
|
||||
|
||||
err = fdb_fill_info(skb, br, f,
|
||||
@ -0,0 +1,91 @@
|
||||
From 4e5a31ae1fa995362e4a828f36369ea3e7b44cc1 Mon Sep 17 00:00:00 2001
|
||||
From: Waiman Long <longman@redhat.com>
|
||||
Date: Tue, 28 Apr 2026 21:48:18 -0400
|
||||
Subject: [PATCH] rtmutex: Use waiter::task instead of current in
|
||||
remove_waiter()
|
||||
|
||||
JIRA: https://redhat.atlassian.net/browse/RHEL-171802
|
||||
|
||||
commit 3bfdc63936dd4773109b7b8c280c0f3b5ae7d349
|
||||
Author: Keenan Dong <keenanat2000@gmail.com>
|
||||
Date: Wed, 8 Apr 2026 16:46:00 +0800
|
||||
|
||||
rtmutex: Use waiter::task instead of current in remove_waiter()
|
||||
|
||||
remove_waiter() is used by the slowlock paths, but it is also used for
|
||||
proxy-lock rollback in rt_mutex_start_proxy_lock() when invoked from
|
||||
futex_requeue().
|
||||
|
||||
In the latter case waiter::task is not current, but remove_waiter()
|
||||
operates on current for the dequeue operation. That results in several
|
||||
problems:
|
||||
|
||||
1) the rbtree dequeue happens without waiter::task::pi_lock being held
|
||||
|
||||
2) the waiter task's pi_blocked_on state is not cleared, which leaves a
|
||||
dangling pointer primed for UAF around.
|
||||
|
||||
3) rt_mutex_adjust_prio_chain() operates on the wrong top priority waiter
|
||||
task
|
||||
|
||||
Use waiter::task instead of current in all related operations in
|
||||
remove_waiter() to cure those problems.
|
||||
|
||||
[ tglx: Fixup rt_mutex_adjust_prio_chain(), add a comment and amend the
|
||||
changelog ]
|
||||
|
||||
Fixes: 8161239a8bcc ("rtmutex: Simplify PI algorithm and make highest prio task get lock")
|
||||
Reported-by: Yuan Tan <yuantan098@gmail.com>
|
||||
Reported-by: Yifan Wu <yifanwucs@gmail.com>
|
||||
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
|
||||
Reported-by: Xin Liu <bird@lzu.edu.cn>
|
||||
Signed-off-by: Keenan Dong <keenanat2000@gmail.com>
|
||||
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
|
||||
Cc: stable@vger.kernel.org
|
||||
|
||||
Signed-off-by: Waiman Long <longman@redhat.com>
|
||||
|
||||
diff --git a/kernel/locking/rtmutex.c b/kernel/locking/rtmutex.c
|
||||
index 1eb4f949909c..e881d9548030 100644
|
||||
--- a/kernel/locking/rtmutex.c
|
||||
+++ b/kernel/locking/rtmutex.c
|
||||
@@ -1534,20 +1534,23 @@ static bool rtmutex_spin_on_owner(struct rt_mutex_base *lock,
|
||||
*
|
||||
* Must be called with lock->wait_lock held and interrupts disabled. It must
|
||||
* have just failed to try_to_take_rt_mutex().
|
||||
+ *
|
||||
+ * When invoked from rt_mutex_start_proxy_lock() waiter::task != current !
|
||||
*/
|
||||
static void __sched remove_waiter(struct rt_mutex_base *lock,
|
||||
struct rt_mutex_waiter *waiter)
|
||||
{
|
||||
bool is_top_waiter = (waiter == rt_mutex_top_waiter(lock));
|
||||
struct task_struct *owner = rt_mutex_owner(lock);
|
||||
+ struct task_struct *waiter_task = waiter->task;
|
||||
struct rt_mutex_base *next_lock;
|
||||
|
||||
lockdep_assert_held(&lock->wait_lock);
|
||||
|
||||
- raw_spin_lock(¤t->pi_lock);
|
||||
- rt_mutex_dequeue(lock, waiter);
|
||||
- current->pi_blocked_on = NULL;
|
||||
- raw_spin_unlock(¤t->pi_lock);
|
||||
+ scoped_guard(raw_spinlock, &waiter_task->pi_lock) {
|
||||
+ rt_mutex_dequeue(lock, waiter);
|
||||
+ waiter_task->pi_blocked_on = NULL;
|
||||
+ }
|
||||
|
||||
/*
|
||||
* Only update priority if the waiter was the highest priority
|
||||
@@ -1583,7 +1586,7 @@ static void __sched remove_waiter(struct rt_mutex_base *lock,
|
||||
raw_spin_unlock_irq(&lock->wait_lock);
|
||||
|
||||
rt_mutex_adjust_prio_chain(owner, RT_MUTEX_MIN_CHAINWALK, lock,
|
||||
- next_lock, NULL, current);
|
||||
+ next_lock, NULL, waiter_task);
|
||||
|
||||
raw_spin_lock_irq(&lock->wait_lock);
|
||||
}
|
||||
--
|
||||
2.50.1 (Apple Git-155)
|
||||
|
||||
@ -0,0 +1,42 @@
|
||||
From 74e144274af39935b0f410c0ee4d2b91c3730414 Mon Sep 17 00:00:00 2001
|
||||
From: Ji'an Zhou <eilaimemedsnaimel@gmail.com>
|
||||
Date: Tue, 2 Jun 2026 09:12:04 +0000
|
||||
Subject: [PATCH] futex/requeue: Prevent NULL pointer dereference in
|
||||
remove_waiter() on self-deadlock
|
||||
|
||||
When FUTEX_CMP_REQUEUE_PI requeues a non-top waiter that already owns the
|
||||
target PI futex, task_blocks_on_rt_mutex() returns -EDEADLK before setting
|
||||
waiter->task.
|
||||
|
||||
The subsequent remove_waiter() in rt_mutex_start_proxy_lock() dereferences
|
||||
the NULL waiter->task, causing a kernel crash.
|
||||
|
||||
Add a self-deadlock check for non-top waiters before calling
|
||||
rt_mutex_start_proxy_lock(), analogous to the top-waiter check in
|
||||
futex_lock_pi_atomic().
|
||||
|
||||
Fixes: 3bfdc63936dd4773109b7b8c280c0f3b5ae7d349 ("rtmutex: Use waiter::task instead of current in remove_waiter()")
|
||||
Signed-off-by: Ji'an Zhou <eilaimemedsnaimel@gmail.com>
|
||||
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
|
||||
Cc: stable@vger.kernel.org
|
||||
|
||||
diff --git a/kernel/futex/requeue.c b/kernel/futex/requeue.c
|
||||
index b597cb3d17fc..1d99a84dc9ad 100644
|
||||
--- a/kernel/futex/requeue.c
|
||||
+++ b/kernel/futex/requeue.c
|
||||
@@ -643,6 +643,12 @@ int futex_requeue(u32 __user *uaddr1, unsigned int flags1,
|
||||
continue;
|
||||
}
|
||||
|
||||
+ /* Self-deadlock: non-top waiter already owns the PI futex. */
|
||||
+ if (rt_mutex_owner(&pi_state->pi_mutex) == this->task) {
|
||||
+ ret = -EDEADLK;
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
ret = rt_mutex_start_proxy_lock(&pi_state->pi_mutex,
|
||||
this->rt_waiter,
|
||||
this->task);
|
||||
--
|
||||
2.50.1 (Apple Git-155)
|
||||
|
||||
@ -32,24 +32,11 @@ Cc: stable@vger.kernel.org
|
||||
Closes: https://lore.kernel.org/all/69f114ac.050a0220.ac8b.0003.GAE@google.com/
|
||||
Link: https://patch.msgid.link/20260507112913.1019537-1-dave@stgolabs.net
|
||||
|
||||
[ AlmaLinux: adapted to a9 (5.14.0-687.5.1.el9_8). No change vs upstream
|
||||
commit 40a25d59e85b. Both hunks apply cleanly: kernel/locking/rtmutex.c
|
||||
remove_waiter() (the waiter_task local comes from the earlier
|
||||
"rtmutex: Use waiter::task ..." patch) and kernel/locking/rtmutex_api.c
|
||||
rt_mutex_start_proxy_lock(). The "ret < 0" tightening is meaningful in this
|
||||
tree: __rt_mutex_start_proxy_lock() returns 1 on try_to_take_rt_mutex()
|
||||
success, so the prior "if (unlikely(ret))" wrongly invoked remove_waiter()
|
||||
after acquiring the lock. ]
|
||||
---
|
||||
kernel/locking/rtmutex.c | 3 +++
|
||||
kernel/locking/rtmutex_api.c | 2 +-
|
||||
2 files changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/kernel/locking/rtmutex.c b/kernel/locking/rtmutex.c
|
||||
index e881d9548..1cecc1092 100644
|
||||
index 4f386ea6c792..daeeeef973e2 100644
|
||||
--- a/kernel/locking/rtmutex.c
|
||||
+++ b/kernel/locking/rtmutex.c
|
||||
@@ -1547,6 +1547,9 @@ static void __sched remove_waiter(struct rt_mutex_base *lock,
|
||||
@@ -1558,6 +1558,9 @@ static void __sched remove_waiter(struct rt_mutex_base *lock,
|
||||
|
||||
lockdep_assert_held(&lock->wait_lock);
|
||||
|
||||
@ -60,10 +47,10 @@ index e881d9548..1cecc1092 100644
|
||||
rt_mutex_dequeue(lock, waiter);
|
||||
waiter_task->pi_blocked_on = NULL;
|
||||
diff --git a/kernel/locking/rtmutex_api.c b/kernel/locking/rtmutex_api.c
|
||||
index 6614ccdc1..341a540f6 100644
|
||||
index 124219aea46e..514fce7a4e0a 100644
|
||||
--- a/kernel/locking/rtmutex_api.c
|
||||
+++ b/kernel/locking/rtmutex_api.c
|
||||
@@ -347,7 +347,7 @@ int __sched rt_mutex_start_proxy_lock(struct rt_mutex_base *lock,
|
||||
@@ -365,7 +365,7 @@ int __sched rt_mutex_start_proxy_lock(struct rt_mutex_base *lock,
|
||||
|
||||
raw_spin_lock_irq(&lock->wait_lock);
|
||||
ret = __rt_mutex_start_proxy_lock(lock, waiter, task, &wake_q);
|
||||
@ -73,5 +60,5 @@ index 6614ccdc1..341a540f6 100644
|
||||
preempt_disable();
|
||||
raw_spin_unlock_irq(&lock->wait_lock);
|
||||
--
|
||||
2.43.7
|
||||
2.50.1 (Apple Git-155)
|
||||
|
||||
@ -0,0 +1,48 @@
|
||||
From 39def6d250d370298f86c116f4ac60093cefadaa Mon Sep 17 00:00:00 2001
|
||||
From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
|
||||
Date: Wed, 1 Jul 2026 15:11:50 +0200
|
||||
Subject: [PATCH] futex/requeue: Revert "Prevent NULL pointer dereference in
|
||||
remove_waiter() on self-deadlock""
|
||||
|
||||
The commit cited below should not have been merged. It attemted to fix an
|
||||
existing problem ansd thereby introduced new problems by keeping the
|
||||
pi_state in state Q_REQUEUE_PI_IN_PROGRESS and leaking it.
|
||||
|
||||
Based on the commit description the intention was to handle the case
|
||||
when task_blocks_on_rt_mutex() returns -EDEADLK and the following
|
||||
remove_waiter() dereferences the NULL pointer in waiter->task.
|
||||
|
||||
That is already handled by Davidlohr in commit 40a25d59e85b3
|
||||
("locking/rtmutex: Skip remove_waiter() when waiter is not enqueued") and
|
||||
requires no further acting.
|
||||
|
||||
Revert the commit breaking the "waiter == owner" case again.
|
||||
|
||||
Fixes: 74e144274af39 ("futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock")
|
||||
Reported-by: Michael Bommarito <michael.bommarito@gmail.com>
|
||||
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
|
||||
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
|
||||
Cc: stable@vger.kernel.org
|
||||
Link: https://patch.msgid.link/20260701131150.0Ijhq4Dw@linutronix.de
|
||||
Closes: https://lore.kernel.org/all/20260629020049.2082397-1-michael.bommarito@gmail.com
|
||||
|
||||
diff --git a/kernel/futex/requeue.c b/kernel/futex/requeue.c
|
||||
index 7384672916fb..79823ad13683 100644
|
||||
--- a/kernel/futex/requeue.c
|
||||
+++ b/kernel/futex/requeue.c
|
||||
@@ -645,12 +645,6 @@ int futex_requeue(u32 __user *uaddr1, unsigned int flags1,
|
||||
continue;
|
||||
}
|
||||
|
||||
- /* Self-deadlock: non-top waiter already owns the PI futex. */
|
||||
- if (rt_mutex_owner(&pi_state->pi_mutex) == this->task) {
|
||||
- ret = -EDEADLK;
|
||||
- break;
|
||||
- }
|
||||
-
|
||||
ret = rt_mutex_start_proxy_lock(&pi_state->pi_mutex,
|
||||
this->rt_waiter,
|
||||
this->task);
|
||||
--
|
||||
2.50.1 (Apple Git-155)
|
||||
|
||||
@ -176,13 +176,13 @@ Summary: The Linux kernel
|
||||
# define buildid .local
|
||||
%define specversion 5.14.0
|
||||
%define patchversion 5.14
|
||||
%define pkgrelease 687.24.1
|
||||
%define pkgrelease 687.25.1
|
||||
%define kversion 5
|
||||
%define tarfile_release 5.14.0-687.5.1.el9_8
|
||||
# This is needed to do merge window version magic
|
||||
%define patchlevel 14
|
||||
# This allows pkg_release to have configurable %%{?dist} tag
|
||||
%define specrelease 687.24.1%{?buildid}%{?dist}
|
||||
%define specrelease 687.25.1%{?buildid}%{?dist}
|
||||
# This defines the kabi tarball version
|
||||
%define kabiversion 5.14.0-687.5.1.el9_8
|
||||
|
||||
@ -1626,11 +1626,18 @@ Patch1752: 1752-eventpoll-drop-dead-bool-return-from-ep-remove-epi.patch
|
||||
Patch1753: 1753-eventpoll-drop-vestigial-epi-dying-flag.patch
|
||||
Patch1754: 1754-eventpoll-fix-integer-overflow-in-ep-loop-check-proc.patch
|
||||
Patch1755: 1755-eventpoll-refresh-epi-fget-ep-remove-file-comments.patch
|
||||
Patch1756: 1756-rtmutex-use-waiter-task-in-remove-waiter.patch
|
||||
Patch1757: 1757-rtmutex-skip-remove-waiter-when-not-enqueued.patch
|
||||
Patch1758: 1758-net-sched-ets-always-remove-class-from-active-list-before-deleting.patch
|
||||
Patch1759: 1759-kvm-x86-fix-shadow-paging-use-after-free-due-to-unexpected-gfn.patch
|
||||
Patch1760: 1760-kvm-x86-fix-shadow-paging-use-after-free-due-to-unexpected-role.patch
|
||||
Patch1761: 1761-crypto-ccp-copy-iv-using-skcipher-ivsize.patch
|
||||
Patch1762: 1762-net-fix-memory-leak-in-skb-segment-list-for-gro-packets.patch
|
||||
Patch1763: 1763-kallsyms-clean-up-modname-and-modbuildid-initialization.patch
|
||||
Patch1764: 1764-kallsyms-bpf-rename-bpf-address-lookup.patch
|
||||
Patch1765: 1765-net-bridge-use-a-stable-fdb-dst-snapshot-in-rcu-readers.patch
|
||||
Patch1766: 1766-rtmutex-use-waiter-task-instead-of-current-in-remove-waiter.patch
|
||||
Patch1767: 1767-futex-requeue-prevent-null-pointer-dereference-in-remove-waiter.patch
|
||||
Patch1768: 1768-locking-rtmutex-skip-remove-waiter-when-waiter-is-not-enqueued.patch
|
||||
Patch1769: 1769-futex-requeue-revert-prevent-null-pointer-dereference.patch
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%description
|
||||
@ -3024,11 +3031,18 @@ ApplyPatch 1752-eventpoll-drop-dead-bool-return-from-ep-remove-epi.patch
|
||||
ApplyPatch 1753-eventpoll-drop-vestigial-epi-dying-flag.patch
|
||||
ApplyPatch 1754-eventpoll-fix-integer-overflow-in-ep-loop-check-proc.patch
|
||||
ApplyPatch 1755-eventpoll-refresh-epi-fget-ep-remove-file-comments.patch
|
||||
ApplyPatch 1756-rtmutex-use-waiter-task-in-remove-waiter.patch
|
||||
ApplyPatch 1757-rtmutex-skip-remove-waiter-when-not-enqueued.patch
|
||||
ApplyPatch 1758-net-sched-ets-always-remove-class-from-active-list-before-deleting.patch
|
||||
ApplyPatch 1759-kvm-x86-fix-shadow-paging-use-after-free-due-to-unexpected-gfn.patch
|
||||
ApplyPatch 1760-kvm-x86-fix-shadow-paging-use-after-free-due-to-unexpected-role.patch
|
||||
ApplyPatch 1761-crypto-ccp-copy-iv-using-skcipher-ivsize.patch
|
||||
ApplyPatch 1762-net-fix-memory-leak-in-skb-segment-list-for-gro-packets.patch
|
||||
ApplyPatch 1763-kallsyms-clean-up-modname-and-modbuildid-initialization.patch
|
||||
ApplyPatch 1764-kallsyms-bpf-rename-bpf-address-lookup.patch
|
||||
ApplyPatch 1765-net-bridge-use-a-stable-fdb-dst-snapshot-in-rcu-readers.patch
|
||||
ApplyPatch 1766-rtmutex-use-waiter-task-instead-of-current-in-remove-waiter.patch
|
||||
ApplyPatch 1767-futex-requeue-prevent-null-pointer-dereference-in-remove-waiter.patch
|
||||
ApplyPatch 1768-locking-rtmutex-skip-remove-waiter-when-waiter-is-not-enqueued.patch
|
||||
ApplyPatch 1769-futex-requeue-revert-prevent-null-pointer-dereference.patch
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
# Any further pre-build tree manipulations happen here.
|
||||
@ -5103,6 +5117,23 @@ fi
|
||||
#
|
||||
#
|
||||
%changelog
|
||||
* Mon Jul 13 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 5.14.0-687.25.1
|
||||
- Recreate RHEL 5.14.0-687.25.1 from CentOS Stream 9 and upstream stable backports (1761-1769)
|
||||
- The AlmaLinux ahead-of-RHEL rtmutex remove_waiter() fixes for CVE-2026-43499
|
||||
(1756, 1757) are superseded by RHEL's copies and dropped
|
||||
- RHEL changelog for 687.25.1 follows:
|
||||
|
||||
* Thu Jul 09 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-687.25.1.el9_8]
|
||||
- futex/requeue: Revert "Prevent NULL pointer dereference in remove_waiter() on self-deadlock"" (Phil Auld) [RHEL-193245] {CVE-2026-53166}
|
||||
- locking/rtmutex: Skip remove_waiter() when waiter is not enqueued (Phil Auld) [RHEL-193245] {CVE-2026-53166}
|
||||
- futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock (Phil Auld) [RHEL-193151] {CVE-2026-43499}
|
||||
- rtmutex: Use waiter::task instead of current in remove_waiter() (Phil Auld) [RHEL-193151] {CVE-2026-43499}
|
||||
- net: bridge: use a stable FDB dst snapshot in RCU readers (Mohammad Heib) [RHEL-179330] {CVE-2026-46086}
|
||||
- kallsyms/bpf: rename __bpf_address_lookup() to bpf_address_lookup() (Anubhav Shelat) [RHEL-183236]
|
||||
- kallsyms: clean up modname and modbuildid initialization in kallsyms_lookup_buildid() (Anubhav Shelat) [RHEL-183236]
|
||||
- net: fix memory leak in skb_segment_list for GRO packets (CKI Backport Bot) [RHEL-189959] {CVE-2026-22979}
|
||||
- crypto: ccp - copy IV using skcipher ivsize (CKI Backport Bot) [RHEL-188459] {CVE-2026-53016}
|
||||
|
||||
* Thu Jul 09 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 5.14.0-687.24.1
|
||||
- Recreate RHEL 5.14.0-687.24.1 from upstream stable backports (1758-1760)
|
||||
- The AlmaLinux ahead-of-RHEL KVM x86 shadow paging fixes (1710, 1711) are
|
||||
|
||||
Loading…
Reference in New Issue
Block a user