Recreate RHEL 5.14.0-687.25.1 from CS9/upstream backports

- Drop AlmaLinux ahead-of-RHEL rtmutex remove_waiter() fixes (1756, 1757),
  superseded by RHEL's CVE-2026-43499 copies in 687.25.1
- Add RHEL 687.25.1 backports recreated from CS9/upstream (1761-1769),
  including the futex/requeue guard and its same-release revert (net zero,
  kept for changelog fidelity)
This commit is contained in:
Andrew Lukoshko 2026-07-13 14:49:58 +00:00
parent ae889222a0
commit 4ce490ce48
11 changed files with 788 additions and 114 deletions

View File

@ -1,90 +0,0 @@
From 3bfdc63936dd4773109b7b8c280c0f3b5ae7d349 Mon Sep 17 00:00:00 2001
From: Keenan Dong <keenanat2000@gmail.com>
Date: Wed, 8 Apr 2026 16:46:00 +0800
Subject: [PATCH] rtmutex: Use waiter::task instead of current in
remove_waiter()
remove_waiter() is used by the slowlock paths, but it is also used for
proxy-lock rollback in rt_mutex_start_proxy_lock() when invoked from
futex_requeue().
In the latter case waiter::task is not current, but remove_waiter()
operates on current for the dequeue operation. That results in several
problems:
1) the rbtree dequeue happens without waiter::task::pi_lock being held
2) the waiter task's pi_blocked_on state is not cleared, which leaves a
dangling pointer primed for UAF around.
3) rt_mutex_adjust_prio_chain() operates on the wrong top priority waiter
task
Use waiter::task instead of current in all related operations in
remove_waiter() to cure those problems.
[ tglx: Fixup rt_mutex_adjust_prio_chain(), add a comment and amend the
changelog ]
Fixes: 8161239a8bcc ("rtmutex: Simplify PI algorithm and make highest prio task get lock")
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Keenan Dong <keenanat2000@gmail.com>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Cc: stable@vger.kernel.org
[ AlmaLinux: adapted to a9 (5.14.0-687.5.1.el9_8). No functional change vs
upstream commit 3bfdc63936dd; only diff hunk offsets differ. The
scoped_guard(raw_spinlock, ...) form is used verbatim: it is available in
this tree via include/linux/cleanup.h and DEFINE_LOCK_GUARD_1(raw_spinlock,
...) in include/linux/spinlock.h. ]
---
kernel/locking/rtmutex.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/kernel/locking/rtmutex.c b/kernel/locking/rtmutex.c
index 1eb4f9499..e881d9548 100644
--- a/kernel/locking/rtmutex.c
+++ b/kernel/locking/rtmutex.c
@@ -1534,20 +1534,23 @@ static bool rtmutex_spin_on_owner(struct rt_mutex_base *lock,
*
* Must be called with lock->wait_lock held and interrupts disabled. It must
* have just failed to try_to_take_rt_mutex().
+ *
+ * When invoked from rt_mutex_start_proxy_lock() waiter::task != current !
*/
static void __sched remove_waiter(struct rt_mutex_base *lock,
struct rt_mutex_waiter *waiter)
{
bool is_top_waiter = (waiter == rt_mutex_top_waiter(lock));
struct task_struct *owner = rt_mutex_owner(lock);
+ struct task_struct *waiter_task = waiter->task;
struct rt_mutex_base *next_lock;
lockdep_assert_held(&lock->wait_lock);
- raw_spin_lock(&current->pi_lock);
- rt_mutex_dequeue(lock, waiter);
- current->pi_blocked_on = NULL;
- raw_spin_unlock(&current->pi_lock);
+ scoped_guard(raw_spinlock, &waiter_task->pi_lock) {
+ rt_mutex_dequeue(lock, waiter);
+ waiter_task->pi_blocked_on = NULL;
+ }
/*
* Only update priority if the waiter was the highest priority
@@ -1583,7 +1586,7 @@ static void __sched remove_waiter(struct rt_mutex_base *lock,
raw_spin_unlock_irq(&lock->wait_lock);
rt_mutex_adjust_prio_chain(owner, RT_MUTEX_MIN_CHAINWALK, lock,
- next_lock, NULL, current);
+ next_lock, NULL, waiter_task);
raw_spin_lock_irq(&lock->wait_lock);
}
--
2.43.7

View File

@ -0,0 +1,42 @@
From 798d409a8949f3f495f238549b86de2886b129bd Mon Sep 17 00:00:00 2001
From: Paul Moses <p@1g4.org>
Date: Wed, 1 Apr 2026 03:07:49 -0500
Subject: [PATCH] crypto: ccp - copy IV using skcipher ivsize
[ Upstream commit a7a1f3cdd64d8a165d9b8c9e9ad7fb46ac19dfc4 ]
AF_ALG rfc3686-ctr-aes-ccp requests pass an 8-byte IV to the driver.
ccp_aes_complete() restores AES_BLOCK_SIZE bytes into the caller's IV
buffer while RFC3686 skciphers expose an 8-byte IV, so the restore
overruns the provided buffer.
Use crypto_skcipher_ivsize() to copy only the algorithm's IV length.
Fixes: 2b789435d7f3 ("crypto: ccp - CCP AES crypto API support")
Signed-off-by: Paul Moses <p@1g4.org>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
diff --git a/drivers/crypto/ccp/ccp-crypto-aes.c b/drivers/crypto/ccp/ccp-crypto-aes.c
index e6dcd8cedd53..b03ed5e83c3e 100644
--- a/drivers/crypto/ccp/ccp-crypto-aes.c
+++ b/drivers/crypto/ccp/ccp-crypto-aes.c
@@ -28,8 +28,11 @@ static int ccp_aes_complete(struct crypto_async_request *async_req, int ret)
if (ret)
return ret;
- if (ctx->u.aes.mode != CCP_AES_MODE_ECB)
- memcpy(req->iv, rctx->iv, AES_BLOCK_SIZE);
+ if (ctx->u.aes.mode != CCP_AES_MODE_ECB) {
+ size_t ivsize = crypto_skcipher_ivsize(crypto_skcipher_reqtfm(req));
+
+ memcpy(req->iv, rctx->iv, ivsize);
+ }
return 0;
}
--
2.50.1 (Apple Git-155)

View File

@ -0,0 +1,100 @@
From 238e03d0466239410b72294b79494e43d4fabe77 Mon Sep 17 00:00:00 2001
From: Mohammad Heib <mheib@redhat.com>
Date: Sun, 4 Jan 2026 23:31:01 +0200
Subject: [PATCH] net: fix memory leak in skb_segment_list for GRO packets
When skb_segment_list() is called during packet forwarding, it handles
packets that were aggregated by the GRO engine.
Historically, the segmentation logic in skb_segment_list assumes that
individual segments are split from a parent SKB and may need to carry
their own socket memory accounting. Accordingly, the code transfers
truesize from the parent to the newly created segments.
Prior to commit ed4cccef64c1 ("gro: fix ownership transfer"), this
truesize subtraction in skb_segment_list() was valid because fragments
still carry a reference to the original socket.
However, commit ed4cccef64c1 ("gro: fix ownership transfer") changed
this behavior by ensuring that fraglist entries are explicitly
orphaned (skb->sk = NULL) to prevent illegal orphaning later in the
stack. This change meant that the entire socket memory charge remained
with the head SKB, but the corresponding accounting logic in
skb_segment_list() was never updated.
As a result, the current code unconditionally adds each fragment's
truesize to delta_truesize and subtracts it from the parent SKB. Since
the fragments are no longer charged to the socket, this subtraction
results in an effective under-count of memory when the head is freed.
This causes sk_wmem_alloc to remain non-zero, preventing socket
destruction and leading to a persistent memory leak.
The leak can be observed via KMEMLEAK when tearing down the networking
environment:
unreferenced object 0xffff8881e6eb9100 (size 2048):
comm "ping", pid 6720, jiffies 4295492526
backtrace:
kmem_cache_alloc_noprof+0x5c6/0x800
sk_prot_alloc+0x5b/0x220
sk_alloc+0x35/0xa00
inet6_create.part.0+0x303/0x10d0
__sock_create+0x248/0x640
__sys_socket+0x11b/0x1d0
Since skb_segment_list() is exclusively used for SKB_GSO_FRAGLIST
packets constructed by GRO, the truesize adjustment is removed.
The call to skb_release_head_state() must be preserved. As documented in
commit cf673ed0e057 ("net: fix fraglist segmentation reference count
leak"), it is still required to correctly drop references to SKB
extensions that may be overwritten during __copy_skb_header().
Fixes: ed4cccef64c1 ("gro: fix ownership transfer")
Signed-off-by: Mohammad Heib <mheib@redhat.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20260104213101.352887-1-mheib@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index a00808f7be6a..a56133902c0d 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -4636,12 +4636,14 @@ struct sk_buff *skb_segment_list(struct sk_buff *skb,
{
struct sk_buff *list_skb = skb_shinfo(skb)->frag_list;
unsigned int tnl_hlen = skb_tnl_header_len(skb);
- unsigned int delta_truesize = 0;
unsigned int delta_len = 0;
struct sk_buff *tail = NULL;
struct sk_buff *nskb, *tmp;
int len_diff, err;
+ /* Only skb_gro_receive_list generated skbs arrive here */
+ DEBUG_NET_WARN_ON_ONCE(!(skb_shinfo(skb)->gso_type & SKB_GSO_FRAGLIST));
+
skb_push(skb, -skb_network_offset(skb) + offset);
/* Ensure the head is writeable before touching the shared info */
@@ -4655,8 +4657,9 @@ struct sk_buff *skb_segment_list(struct sk_buff *skb,
nskb = list_skb;
list_skb = list_skb->next;
+ DEBUG_NET_WARN_ON_ONCE(nskb->sk);
+
err = 0;
- delta_truesize += nskb->truesize;
if (skb_shared(nskb)) {
tmp = skb_clone(nskb, GFP_ATOMIC);
if (tmp) {
@@ -4699,7 +4702,6 @@ struct sk_buff *skb_segment_list(struct sk_buff *skb,
goto err_linearize;
}
- skb->truesize = skb->truesize - delta_truesize;
skb->data_len = skb->data_len - delta_len;
skb->len = skb->len - delta_len;
--
2.50.1 (Apple Git-155)

View File

@ -0,0 +1,77 @@
From bba6d3303088d0f68a34859079a4656d6e86e164 Mon Sep 17 00:00:00 2001
From: Anubhav Shelat <ashelat@redhat.com>
Date: Tue, 12 May 2026 12:55:02 -0400
Subject: [PATCH] kallsyms: clean up modname and modbuildid initialization in
kallsyms_lookup_buildid()
JIRA: https://issues.redhat.com/browse/RHEL-164306
upstream
========
commit fda024fb64769e9d6b3916d013c78d6b189129f8
Author: Petr Mladek <pmladek@suse.com>
Date: Fri Nov 28 14:59:15 2025 +0100
description
===========
The @modname and @modbuildid optional return parameters are set only when
the symbol is in a module.
Always initialize them so that they do not need to be cleared when the
module is not in a module. It simplifies the logic and makes the code
even slightly more safe.
Note that bpf_address_lookup() function will get updated in a separate
patch.
Link: https://lkml.kernel.org/r/20251128135920.217303-3-pmladek@suse.com
Signed-off-by: Petr Mladek <pmladek@suse.com>
Cc: Aaron Tomlin <atomlin@atomlin.com>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Daniel Borkman <daniel@iogearbox.net>
Cc: Daniel Gomez <da.gomez@samsung.com>
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: Kees Cook <kees@kernel.org>
Cc: Luis Chamberalin <mcgrof@kernel.org>
Cc: Marc Rutland <mark.rutland@arm.com>
Cc: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
Cc: Petr Pavlu <petr.pavlu@suse.com>
Cc: Sami Tolvanen <samitolvanen@google.com>
Cc: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Anubhav Shelat <ashelat@redhat.com>
diff --git a/kernel/kallsyms.c b/kernel/kallsyms.c
index 8deb399d45c7..859435335c6f 100644
--- a/kernel/kallsyms.c
+++ b/kernel/kallsyms.c
@@ -403,6 +403,14 @@ static const char *kallsyms_lookup_buildid(unsigned long addr,
namebuf[KSYM_NAME_LEN - 1] = 0;
namebuf[0] = 0;
+ /*
+ * Initialize the module-related return values. They are not set
+ * when the symbol is in vmlinux or it is a bpf address.
+ */
+ if (modname)
+ *modname = NULL;
+ if (modbuildid)
+ *modbuildid = NULL;
if (is_ksym_addr(addr)) {
unsigned long pos;
@@ -411,10 +419,6 @@ static const char *kallsyms_lookup_buildid(unsigned long addr,
/* Grab name */
kallsyms_expand_symbol(get_symbol_offset(pos),
namebuf, KSYM_NAME_LEN);
- if (modname)
- *modname = NULL;
- if (modbuildid)
- *modbuildid = NULL;
ret = namebuf;
goto found;
--
2.50.1 (Apple Git-155)

View File

@ -0,0 +1,175 @@
From f4175fcdb3d3d06d76caf08a7e6cb8f56da32f94 Mon Sep 17 00:00:00 2001
From: Anubhav Shelat <ashelat@redhat.com>
Date: Tue, 12 May 2026 17:50:20 -0400
Subject: [PATCH] kallsyms/bpf: rename __bpf_address_lookup() to
bpf_address_lookup()
JIRA: https://issues.redhat.com/browse/RHEL-164306
Conflict: Code difference due to missing
7e1f4eb9a60d40dd17a97d9b76818682a024a127 (kallsyms: rework symbol lookup
return codes).
upstream
========
commit cd6735896d0343942cf3dafb48ce32eb79341990
Author: Petr Mladek <pmladek@suse.com>
Date: Fri Nov 28 14:59:18 2025 +0100
description
===========
bpf_address_lookup() has been used only in kallsyms_lookup_buildid(). It
was supposed to set @modname and @modbuildid when the symbol was in a
module.
But it always just cleared @modname because BPF symbols were never in a
module. And it did not clear @modbuildid because the pointer was not
passed.
The wrapper is no longer needed. Both @modname and @modbuildid are now
always initialized to NULL in kallsyms_lookup_buildid().
Remove the wrapper and rename __bpf_address_lookup() to
bpf_address_lookup() because this variant is used everywhere.
[akpm@linux-foundation.org: fix loongarch]
Link: https://lkml.kernel.org/r/20251128135920.217303-6-pmladek@suse.com
Fixes: 9294523e3768 ("module: add printk formats to add module build ID to stacktraces")
Signed-off-by: Petr Mladek <pmladek@suse.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Cc: Aaron Tomlin <atomlin@atomlin.com>
Cc: Daniel Borkman <daniel@iogearbox.net>
Cc: Daniel Gomez <da.gomez@samsung.com>
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: Kees Cook <kees@kernel.org>
Cc: Luis Chamberalin <mcgrof@kernel.org>
Cc: Marc Rutland <mark.rutland@arm.com>
Cc: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
Cc: Petr Pavlu <petr.pavlu@suse.com>
Cc: Sami Tolvanen <samitolvanen@google.com>
Cc: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Anubhav Shelat <ashelat@redhat.com>
diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c
index c2afc5533..0f32892f0 100644
--- a/arch/arm64/net/bpf_jit_comp.c
+++ b/arch/arm64/net/bpf_jit_comp.c
@@ -2567,7 +2567,7 @@ int bpf_arch_text_poke(void *ip, enum bpf_text_poke_type poke_type,
u64 plt_target = 0ULL;
bool poking_bpf_entry;
- if (!__bpf_address_lookup((unsigned long)ip, &size, &offset, namebuf))
+ if (!bpf_address_lookup((unsigned long)ip, &size, &offset, namebuf))
/* Only poking bpf text is supported. Since kernel function
* entry is set up by ftrace, we reply on ftrace to poke kernel
* functions.
diff --git a/arch/powerpc/net/bpf_jit_comp.c b/arch/powerpc/net/bpf_jit_comp.c
index b381ab8d1..325d494e2 100644
--- a/arch/powerpc/net/bpf_jit_comp.c
+++ b/arch/powerpc/net/bpf_jit_comp.c
@@ -1096,7 +1096,7 @@ int bpf_arch_text_poke(void *ip, enum bpf_text_poke_type poke_type,
branch_flags = poke_type == BPF_MOD_CALL ? BRANCH_SET_LINK : 0;
/* We currently only support poking bpf programs */
- if (!__bpf_address_lookup(bpf_func, &size, &offset, name)) {
+ if (!bpf_address_lookup(bpf_func, &size, &offset, name)) {
pr_err("%s (0x%lx): kernel/modules are not supported\n", __func__, bpf_func);
return -EOPNOTSUPP;
}
diff --git a/include/linux/filter.h b/include/linux/filter.h
index c04fbf7f0..057626c3b 100644
--- a/include/linux/filter.h
+++ b/include/linux/filter.h
@@ -1249,24 +1249,13 @@ static inline bool bpf_jit_kallsyms_enabled(void)
return false;
}
-const char *__bpf_address_lookup(unsigned long addr, unsigned long *size,
- unsigned long *off, char *sym);
+const char *bpf_address_lookup(unsigned long addr, unsigned long *size,
+ unsigned long *off, char *sym);
bool is_bpf_text_address(unsigned long addr);
int bpf_get_kallsym(unsigned int symnum, unsigned long *value, char *type,
char *sym);
struct bpf_prog *bpf_prog_ksym_find(unsigned long addr);
-static inline const char *
-bpf_address_lookup(unsigned long addr, unsigned long *size,
- unsigned long *off, char **modname, char *sym)
-{
- const char *ret = __bpf_address_lookup(addr, size, off, sym);
-
- if (ret && modname)
- *modname = NULL;
- return ret;
-}
-
void bpf_prog_kallsyms_add(struct bpf_prog *fp);
void bpf_prog_kallsyms_del(struct bpf_prog *fp);
@@ -1305,8 +1294,8 @@ static inline bool bpf_jit_kallsyms_enabled(void)
}
static inline const char *
-__bpf_address_lookup(unsigned long addr, unsigned long *size,
- unsigned long *off, char *sym)
+bpf_address_lookup(unsigned long addr, unsigned long *size,
+ unsigned long *off, char *sym)
{
return NULL;
}
@@ -1327,13 +1316,6 @@ static inline struct bpf_prog *bpf_prog_ksym_find(unsigned long addr)
return NULL;
}
-static inline const char *
-bpf_address_lookup(unsigned long addr, unsigned long *size,
- unsigned long *off, char **modname, char *sym)
-{
- return NULL;
-}
-
static inline void bpf_prog_kallsyms_add(struct bpf_prog *fp)
{
}
diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
index 07dda7c6a..5c07d9a7d 100644
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -742,8 +742,8 @@ static struct bpf_ksym *bpf_ksym_find(unsigned long addr)
return n ? container_of(n, struct bpf_ksym, tnode) : NULL;
}
-const char *__bpf_address_lookup(unsigned long addr, unsigned long *size,
- unsigned long *off, char *sym)
+const char *bpf_address_lookup(unsigned long addr, unsigned long *size,
+ unsigned long *off, char *sym)
{
struct bpf_ksym *ksym;
char *ret = NULL;
diff --git a/kernel/kallsyms.c b/kernel/kallsyms.c
index 859435335..8ff04b11e 100644
--- a/kernel/kallsyms.c
+++ b/kernel/kallsyms.c
@@ -391,7 +391,7 @@ int kallsyms_lookup_size_offset(unsigned long addr, unsigned long *symbolsize,
return 1;
}
return !!module_address_lookup(addr, symbolsize, offset, NULL, NULL, namebuf) ||
- !!__bpf_address_lookup(addr, symbolsize, offset, namebuf);
+ !!bpf_address_lookup(addr, symbolsize, offset, namebuf);
}
static const char *kallsyms_lookup_buildid(unsigned long addr,
@@ -428,8 +428,7 @@ static const char *kallsyms_lookup_buildid(unsigned long addr,
ret = module_address_lookup(addr, symbolsize, offset,
modname, modbuildid, namebuf);
if (!ret)
- ret = bpf_address_lookup(addr, symbolsize,
- offset, modname, namebuf);
+ ret = bpf_address_lookup(addr, symbolsize, offset, namebuf);
if (!ret)
ret = ftrace_mod_address_lookup(addr, symbolsize,

View File

@ -0,0 +1,171 @@
From a6ae4511c07b91f597e461406c6330f0d4ff810e Mon Sep 17 00:00:00 2001
From: Zhengchuan Liang <zcliangcn@gmail.com>
Date: Mon, 4 May 2026 08:16:28 -0400
Subject: [PATCH] net: bridge: use a stable FDB dst snapshot in RCU readers
[ Upstream commit df4601653201de21b487c3e7fffd464790cab808 ]
Local FDB entries can be rewritten in place by `fdb_delete_local()`, which
updates `f->dst` to another port or to `NULL` while keeping the entry
alive. Several bridge RCU readers inspect `f->dst`, including
`br_fdb_fillbuf()` through the `brforward_read()` sysfs path.
These readers currently load `f->dst` multiple times and can therefore
observe inconsistent values across the check and later dereference.
In `br_fdb_fillbuf()`, this means a concurrent local-FDB update can change
`f->dst` after the NULL check and before the `port_no` dereference,
leading to a NULL-ptr-deref.
Fix this by taking a single `READ_ONCE()` snapshot of `f->dst` in each
affected RCU reader and using that snapshot for the rest of the access
sequence. Also publish the in-place `f->dst` updates in `fdb_delete_local()`
with `WRITE_ONCE()` so the readers and writer use matching access patterns.
Fixes: 960b589f86c7 ("bridge: Properly check if local fdb entry can be deleted in br_fdb_change_mac_address")
Cc: stable@kernel.org
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Yuan Tan <yuantan098@gmail.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Tested-by: Ren Wei <enjou1224z@gmail.com>
Signed-off-by: Zhengchuan Liang <zcliangcn@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Link: https://patch.msgid.link/6570fabb85ecadb8baaf019efe856f407711c7b9.1776043229.git.zcliangcn@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
[ kept combined-flag check `(dst->flags & (BR_PROXYARP_WIFI | BR_NEIGH_SUPPRESS))` and `cb->args[2]` indexing instead of `br_is_neigh_suppress_enabled()` helper and `ctx->fdb_idx` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/net/bridge/br_arp_nd_proxy.c b/net/bridge/br_arp_nd_proxy.c
index 1e2b51769..1f37b8cff 100644
--- a/net/bridge/br_arp_nd_proxy.c
+++ b/net/bridge/br_arp_nd_proxy.c
@@ -202,11 +202,12 @@ void br_do_proxy_suppress_arp(struct sk_buff *skb, struct net_bridge *br,
f = br_fdb_find_rcu(br, n->ha, vid);
if (f) {
+ const struct net_bridge_port *dst = READ_ONCE(f->dst);
bool replied = false;
if ((p && (p->flags & BR_PROXYARP)) ||
- (f->dst && (f->dst->flags & BR_PROXYARP_WIFI)) ||
- br_is_neigh_suppress_enabled(f->dst, vid)) {
+ (dst && (dst->flags & BR_PROXYARP_WIFI)) ||
+ br_is_neigh_suppress_enabled(dst, vid)) {
if (!vid)
br_arp_send(br, p, skb->dev, sip, tip,
sha, n->ha, sha, 0, 0);
@@ -466,9 +467,10 @@ void br_do_suppress_nd(struct sk_buff *skb, struct net_bridge *br,
f = br_fdb_find_rcu(br, n->ha, vid);
if (f) {
+ const struct net_bridge_port *dst = READ_ONCE(f->dst);
bool replied = false;
- if (br_is_neigh_suppress_enabled(f->dst, vid)) {
+ if (br_is_neigh_suppress_enabled(dst, vid)) {
if (vid != 0)
br_nd_send(br, p, skb, n,
skb->vlan_proto,
diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
index 83483ea12..53abd9d9a 100644
--- a/net/bridge/br_fdb.c
+++ b/net/bridge/br_fdb.c
@@ -243,6 +243,7 @@ struct net_device *br_fdb_find_port(const struct net_device *br_dev,
const unsigned char *addr,
__u16 vid)
{
+ const struct net_bridge_port *dst;
struct net_bridge_fdb_entry *f;
struct net_device *dev = NULL;
struct net_bridge *br;
@@ -255,8 +256,11 @@ struct net_device *br_fdb_find_port(const struct net_device *br_dev,
br = netdev_priv(br_dev);
rcu_read_lock();
f = br_fdb_find_rcu(br, addr, vid);
- if (f && f->dst)
- dev = f->dst->dev;
+ if (f) {
+ dst = READ_ONCE(f->dst);
+ if (dst)
+ dev = dst->dev;
+ }
rcu_read_unlock();
return dev;
@@ -353,7 +357,7 @@ static void fdb_delete_local(struct net_bridge *br,
vg = nbp_vlan_group(op);
if (op != p && ether_addr_equal(op->dev->dev_addr, addr) &&
(!vid || br_vlan_find(vg, vid))) {
- f->dst = op;
+ WRITE_ONCE(f->dst, op);
clear_bit(BR_FDB_ADDED_BY_USER, &f->flags);
return;
}
@@ -364,7 +368,7 @@ static void fdb_delete_local(struct net_bridge *br,
/* Maybe bridge device has same hw addr? */
if (p && ether_addr_equal(br->dev->dev_addr, addr) &&
(!vid || (v && br_vlan_should_use(v)))) {
- f->dst = NULL;
+ WRITE_ONCE(f->dst, NULL);
clear_bit(BR_FDB_ADDED_BY_USER, &f->flags);
return;
}
@@ -827,6 +831,7 @@ int br_fdb_test_addr(struct net_device *dev, unsigned char *addr)
int br_fdb_fillbuf(struct net_bridge *br, void *buf,
unsigned long maxnum, unsigned long skip)
{
+ const struct net_bridge_port *dst;
struct net_bridge_fdb_entry *f;
struct __fdb_entry *fe = buf;
int num = 0;
@@ -842,7 +847,8 @@ int br_fdb_fillbuf(struct net_bridge *br, void *buf,
continue;
/* ignore pseudo entry for local MAC address */
- if (!f->dst)
+ dst = READ_ONCE(f->dst);
+ if (!dst)
continue;
if (skip) {
@@ -854,8 +860,8 @@ int br_fdb_fillbuf(struct net_bridge *br, void *buf,
memcpy(fe->mac_addr, f->key.addr.addr, ETH_ALEN);
/* due to ABI compat need to split into hi/lo */
- fe->port_no = f->dst->port_no;
- fe->port_hi = f->dst->port_no >> 8;
+ fe->port_no = dst->port_no;
+ fe->port_hi = dst->port_no >> 8;
fe->is_local = test_bit(BR_FDB_LOCAL, &f->flags);
if (!test_bit(BR_FDB_STATIC, &f->flags))
@@ -977,9 +983,11 @@ int br_fdb_dump(struct sk_buff *skb,
rcu_read_lock();
hlist_for_each_entry_rcu(f, &br->fdb_list, fdb_node) {
+ const struct net_bridge_port *dst = READ_ONCE(f->dst);
+
if (*idx < cb->args[2])
goto skip;
- if (filter_dev && (!f->dst || f->dst->dev != filter_dev)) {
+ if (filter_dev && (!dst || dst->dev != filter_dev)) {
if (filter_dev != dev)
goto skip;
/* !f->dst is a special case for bridge
@@ -987,10 +995,10 @@ int br_fdb_dump(struct sk_buff *skb,
* Therefore need a little more filtering
* we only want to dump the !f->dst case
*/
- if (f->dst)
+ if (dst)
goto skip;
}
- if (!filter_dev && f->dst)
+ if (!filter_dev && dst)
goto skip;
err = fdb_fill_info(skb, br, f,

View File

@ -0,0 +1,91 @@
From 4e5a31ae1fa995362e4a828f36369ea3e7b44cc1 Mon Sep 17 00:00:00 2001
From: Waiman Long <longman@redhat.com>
Date: Tue, 28 Apr 2026 21:48:18 -0400
Subject: [PATCH] rtmutex: Use waiter::task instead of current in
remove_waiter()
JIRA: https://redhat.atlassian.net/browse/RHEL-171802
commit 3bfdc63936dd4773109b7b8c280c0f3b5ae7d349
Author: Keenan Dong <keenanat2000@gmail.com>
Date: Wed, 8 Apr 2026 16:46:00 +0800
rtmutex: Use waiter::task instead of current in remove_waiter()
remove_waiter() is used by the slowlock paths, but it is also used for
proxy-lock rollback in rt_mutex_start_proxy_lock() when invoked from
futex_requeue().
In the latter case waiter::task is not current, but remove_waiter()
operates on current for the dequeue operation. That results in several
problems:
1) the rbtree dequeue happens without waiter::task::pi_lock being held
2) the waiter task's pi_blocked_on state is not cleared, which leaves a
dangling pointer primed for UAF around.
3) rt_mutex_adjust_prio_chain() operates on the wrong top priority waiter
task
Use waiter::task instead of current in all related operations in
remove_waiter() to cure those problems.
[ tglx: Fixup rt_mutex_adjust_prio_chain(), add a comment and amend the
changelog ]
Fixes: 8161239a8bcc ("rtmutex: Simplify PI algorithm and make highest prio task get lock")
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Keenan Dong <keenanat2000@gmail.com>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Waiman Long <longman@redhat.com>
diff --git a/kernel/locking/rtmutex.c b/kernel/locking/rtmutex.c
index 1eb4f949909c..e881d9548030 100644
--- a/kernel/locking/rtmutex.c
+++ b/kernel/locking/rtmutex.c
@@ -1534,20 +1534,23 @@ static bool rtmutex_spin_on_owner(struct rt_mutex_base *lock,
*
* Must be called with lock->wait_lock held and interrupts disabled. It must
* have just failed to try_to_take_rt_mutex().
+ *
+ * When invoked from rt_mutex_start_proxy_lock() waiter::task != current !
*/
static void __sched remove_waiter(struct rt_mutex_base *lock,
struct rt_mutex_waiter *waiter)
{
bool is_top_waiter = (waiter == rt_mutex_top_waiter(lock));
struct task_struct *owner = rt_mutex_owner(lock);
+ struct task_struct *waiter_task = waiter->task;
struct rt_mutex_base *next_lock;
lockdep_assert_held(&lock->wait_lock);
- raw_spin_lock(&current->pi_lock);
- rt_mutex_dequeue(lock, waiter);
- current->pi_blocked_on = NULL;
- raw_spin_unlock(&current->pi_lock);
+ scoped_guard(raw_spinlock, &waiter_task->pi_lock) {
+ rt_mutex_dequeue(lock, waiter);
+ waiter_task->pi_blocked_on = NULL;
+ }
/*
* Only update priority if the waiter was the highest priority
@@ -1583,7 +1586,7 @@ static void __sched remove_waiter(struct rt_mutex_base *lock,
raw_spin_unlock_irq(&lock->wait_lock);
rt_mutex_adjust_prio_chain(owner, RT_MUTEX_MIN_CHAINWALK, lock,
- next_lock, NULL, current);
+ next_lock, NULL, waiter_task);
raw_spin_lock_irq(&lock->wait_lock);
}
--
2.50.1 (Apple Git-155)

View File

@ -0,0 +1,42 @@
From 74e144274af39935b0f410c0ee4d2b91c3730414 Mon Sep 17 00:00:00 2001
From: Ji'an Zhou <eilaimemedsnaimel@gmail.com>
Date: Tue, 2 Jun 2026 09:12:04 +0000
Subject: [PATCH] futex/requeue: Prevent NULL pointer dereference in
remove_waiter() on self-deadlock
When FUTEX_CMP_REQUEUE_PI requeues a non-top waiter that already owns the
target PI futex, task_blocks_on_rt_mutex() returns -EDEADLK before setting
waiter->task.
The subsequent remove_waiter() in rt_mutex_start_proxy_lock() dereferences
the NULL waiter->task, causing a kernel crash.
Add a self-deadlock check for non-top waiters before calling
rt_mutex_start_proxy_lock(), analogous to the top-waiter check in
futex_lock_pi_atomic().
Fixes: 3bfdc63936dd4773109b7b8c280c0f3b5ae7d349 ("rtmutex: Use waiter::task instead of current in remove_waiter()")
Signed-off-by: Ji'an Zhou <eilaimemedsnaimel@gmail.com>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Cc: stable@vger.kernel.org
diff --git a/kernel/futex/requeue.c b/kernel/futex/requeue.c
index b597cb3d17fc..1d99a84dc9ad 100644
--- a/kernel/futex/requeue.c
+++ b/kernel/futex/requeue.c
@@ -643,6 +643,12 @@ int futex_requeue(u32 __user *uaddr1, unsigned int flags1,
continue;
}
+ /* Self-deadlock: non-top waiter already owns the PI futex. */
+ if (rt_mutex_owner(&pi_state->pi_mutex) == this->task) {
+ ret = -EDEADLK;
+ break;
+ }
+
ret = rt_mutex_start_proxy_lock(&pi_state->pi_mutex,
this->rt_waiter,
this->task);
--
2.50.1 (Apple Git-155)

View File

@ -32,24 +32,11 @@ Cc: stable@vger.kernel.org
Closes: https://lore.kernel.org/all/69f114ac.050a0220.ac8b.0003.GAE@google.com/
Link: https://patch.msgid.link/20260507112913.1019537-1-dave@stgolabs.net
[ AlmaLinux: adapted to a9 (5.14.0-687.5.1.el9_8). No change vs upstream
commit 40a25d59e85b. Both hunks apply cleanly: kernel/locking/rtmutex.c
remove_waiter() (the waiter_task local comes from the earlier
"rtmutex: Use waiter::task ..." patch) and kernel/locking/rtmutex_api.c
rt_mutex_start_proxy_lock(). The "ret < 0" tightening is meaningful in this
tree: __rt_mutex_start_proxy_lock() returns 1 on try_to_take_rt_mutex()
success, so the prior "if (unlikely(ret))" wrongly invoked remove_waiter()
after acquiring the lock. ]
---
kernel/locking/rtmutex.c | 3 +++
kernel/locking/rtmutex_api.c | 2 +-
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/kernel/locking/rtmutex.c b/kernel/locking/rtmutex.c
index e881d9548..1cecc1092 100644
index 4f386ea6c792..daeeeef973e2 100644
--- a/kernel/locking/rtmutex.c
+++ b/kernel/locking/rtmutex.c
@@ -1547,6 +1547,9 @@ static void __sched remove_waiter(struct rt_mutex_base *lock,
@@ -1558,6 +1558,9 @@ static void __sched remove_waiter(struct rt_mutex_base *lock,
lockdep_assert_held(&lock->wait_lock);
@ -60,10 +47,10 @@ index e881d9548..1cecc1092 100644
rt_mutex_dequeue(lock, waiter);
waiter_task->pi_blocked_on = NULL;
diff --git a/kernel/locking/rtmutex_api.c b/kernel/locking/rtmutex_api.c
index 6614ccdc1..341a540f6 100644
index 124219aea46e..514fce7a4e0a 100644
--- a/kernel/locking/rtmutex_api.c
+++ b/kernel/locking/rtmutex_api.c
@@ -347,7 +347,7 @@ int __sched rt_mutex_start_proxy_lock(struct rt_mutex_base *lock,
@@ -365,7 +365,7 @@ int __sched rt_mutex_start_proxy_lock(struct rt_mutex_base *lock,
raw_spin_lock_irq(&lock->wait_lock);
ret = __rt_mutex_start_proxy_lock(lock, waiter, task, &wake_q);
@ -73,5 +60,5 @@ index 6614ccdc1..341a540f6 100644
preempt_disable();
raw_spin_unlock_irq(&lock->wait_lock);
--
2.43.7
2.50.1 (Apple Git-155)

View File

@ -0,0 +1,48 @@
From 39def6d250d370298f86c116f4ac60093cefadaa Mon Sep 17 00:00:00 2001
From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Date: Wed, 1 Jul 2026 15:11:50 +0200
Subject: [PATCH] futex/requeue: Revert "Prevent NULL pointer dereference in
remove_waiter() on self-deadlock""
The commit cited below should not have been merged. It attemted to fix an
existing problem ansd thereby introduced new problems by keeping the
pi_state in state Q_REQUEUE_PI_IN_PROGRESS and leaking it.
Based on the commit description the intention was to handle the case
when task_blocks_on_rt_mutex() returns -EDEADLK and the following
remove_waiter() dereferences the NULL pointer in waiter->task.
That is already handled by Davidlohr in commit 40a25d59e85b3
("locking/rtmutex: Skip remove_waiter() when waiter is not enqueued") and
requires no further acting.
Revert the commit breaking the "waiter == owner" case again.
Fixes: 74e144274af39 ("futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock")
Reported-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260701131150.0Ijhq4Dw@linutronix.de
Closes: https://lore.kernel.org/all/20260629020049.2082397-1-michael.bommarito@gmail.com
diff --git a/kernel/futex/requeue.c b/kernel/futex/requeue.c
index 7384672916fb..79823ad13683 100644
--- a/kernel/futex/requeue.c
+++ b/kernel/futex/requeue.c
@@ -645,12 +645,6 @@ int futex_requeue(u32 __user *uaddr1, unsigned int flags1,
continue;
}
- /* Self-deadlock: non-top waiter already owns the PI futex. */
- if (rt_mutex_owner(&pi_state->pi_mutex) == this->task) {
- ret = -EDEADLK;
- break;
- }
-
ret = rt_mutex_start_proxy_lock(&pi_state->pi_mutex,
this->rt_waiter,
this->task);
--
2.50.1 (Apple Git-155)

View File

@ -176,13 +176,13 @@ Summary: The Linux kernel
# define buildid .local
%define specversion 5.14.0
%define patchversion 5.14
%define pkgrelease 687.24.1
%define pkgrelease 687.25.1
%define kversion 5
%define tarfile_release 5.14.0-687.5.1.el9_8
# This is needed to do merge window version magic
%define patchlevel 14
# This allows pkg_release to have configurable %%{?dist} tag
%define specrelease 687.24.1%{?buildid}%{?dist}
%define specrelease 687.25.1%{?buildid}%{?dist}
# This defines the kabi tarball version
%define kabiversion 5.14.0-687.5.1.el9_8
@ -1626,11 +1626,18 @@ Patch1752: 1752-eventpoll-drop-dead-bool-return-from-ep-remove-epi.patch
Patch1753: 1753-eventpoll-drop-vestigial-epi-dying-flag.patch
Patch1754: 1754-eventpoll-fix-integer-overflow-in-ep-loop-check-proc.patch
Patch1755: 1755-eventpoll-refresh-epi-fget-ep-remove-file-comments.patch
Patch1756: 1756-rtmutex-use-waiter-task-in-remove-waiter.patch
Patch1757: 1757-rtmutex-skip-remove-waiter-when-not-enqueued.patch
Patch1758: 1758-net-sched-ets-always-remove-class-from-active-list-before-deleting.patch
Patch1759: 1759-kvm-x86-fix-shadow-paging-use-after-free-due-to-unexpected-gfn.patch
Patch1760: 1760-kvm-x86-fix-shadow-paging-use-after-free-due-to-unexpected-role.patch
Patch1761: 1761-crypto-ccp-copy-iv-using-skcipher-ivsize.patch
Patch1762: 1762-net-fix-memory-leak-in-skb-segment-list-for-gro-packets.patch
Patch1763: 1763-kallsyms-clean-up-modname-and-modbuildid-initialization.patch
Patch1764: 1764-kallsyms-bpf-rename-bpf-address-lookup.patch
Patch1765: 1765-net-bridge-use-a-stable-fdb-dst-snapshot-in-rcu-readers.patch
Patch1766: 1766-rtmutex-use-waiter-task-instead-of-current-in-remove-waiter.patch
Patch1767: 1767-futex-requeue-prevent-null-pointer-dereference-in-remove-waiter.patch
Patch1768: 1768-locking-rtmutex-skip-remove-waiter-when-waiter-is-not-enqueued.patch
Patch1769: 1769-futex-requeue-revert-prevent-null-pointer-dereference.patch
# END OF PATCH DEFINITIONS
%description
@ -3024,11 +3031,18 @@ ApplyPatch 1752-eventpoll-drop-dead-bool-return-from-ep-remove-epi.patch
ApplyPatch 1753-eventpoll-drop-vestigial-epi-dying-flag.patch
ApplyPatch 1754-eventpoll-fix-integer-overflow-in-ep-loop-check-proc.patch
ApplyPatch 1755-eventpoll-refresh-epi-fget-ep-remove-file-comments.patch
ApplyPatch 1756-rtmutex-use-waiter-task-in-remove-waiter.patch
ApplyPatch 1757-rtmutex-skip-remove-waiter-when-not-enqueued.patch
ApplyPatch 1758-net-sched-ets-always-remove-class-from-active-list-before-deleting.patch
ApplyPatch 1759-kvm-x86-fix-shadow-paging-use-after-free-due-to-unexpected-gfn.patch
ApplyPatch 1760-kvm-x86-fix-shadow-paging-use-after-free-due-to-unexpected-role.patch
ApplyPatch 1761-crypto-ccp-copy-iv-using-skcipher-ivsize.patch
ApplyPatch 1762-net-fix-memory-leak-in-skb-segment-list-for-gro-packets.patch
ApplyPatch 1763-kallsyms-clean-up-modname-and-modbuildid-initialization.patch
ApplyPatch 1764-kallsyms-bpf-rename-bpf-address-lookup.patch
ApplyPatch 1765-net-bridge-use-a-stable-fdb-dst-snapshot-in-rcu-readers.patch
ApplyPatch 1766-rtmutex-use-waiter-task-instead-of-current-in-remove-waiter.patch
ApplyPatch 1767-futex-requeue-prevent-null-pointer-dereference-in-remove-waiter.patch
ApplyPatch 1768-locking-rtmutex-skip-remove-waiter-when-waiter-is-not-enqueued.patch
ApplyPatch 1769-futex-requeue-revert-prevent-null-pointer-dereference.patch
# END OF PATCH APPLICATIONS
# Any further pre-build tree manipulations happen here.
@ -5103,6 +5117,23 @@ fi
#
#
%changelog
* Mon Jul 13 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 5.14.0-687.25.1
- Recreate RHEL 5.14.0-687.25.1 from CentOS Stream 9 and upstream stable backports (1761-1769)
- The AlmaLinux ahead-of-RHEL rtmutex remove_waiter() fixes for CVE-2026-43499
(1756, 1757) are superseded by RHEL's copies and dropped
- RHEL changelog for 687.25.1 follows:
* Thu Jul 09 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-687.25.1.el9_8]
- futex/requeue: Revert "Prevent NULL pointer dereference in remove_waiter() on self-deadlock"" (Phil Auld) [RHEL-193245] {CVE-2026-53166}
- locking/rtmutex: Skip remove_waiter() when waiter is not enqueued (Phil Auld) [RHEL-193245] {CVE-2026-53166}
- futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock (Phil Auld) [RHEL-193151] {CVE-2026-43499}
- rtmutex: Use waiter::task instead of current in remove_waiter() (Phil Auld) [RHEL-193151] {CVE-2026-43499}
- net: bridge: use a stable FDB dst snapshot in RCU readers (Mohammad Heib) [RHEL-179330] {CVE-2026-46086}
- kallsyms/bpf: rename __bpf_address_lookup() to bpf_address_lookup() (Anubhav Shelat) [RHEL-183236]
- kallsyms: clean up modname and modbuildid initialization in kallsyms_lookup_buildid() (Anubhav Shelat) [RHEL-183236]
- net: fix memory leak in skb_segment_list for GRO packets (CKI Backport Bot) [RHEL-189959] {CVE-2026-22979}
- crypto: ccp - copy IV using skcipher ivsize (CKI Backport Bot) [RHEL-188459] {CVE-2026-53016}
* Thu Jul 09 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 5.14.0-687.24.1
- Recreate RHEL 5.14.0-687.24.1 from upstream stable backports (1758-1760)
- The AlmaLinux ahead-of-RHEL KVM x86 shadow paging fixes (1710, 1711) are