@pvts-mat pvts-mat commented Sep 19, 2025

[LTS 8.6]
CVE-2022-1055 VULN-3152
CVE-2023-1989 VULN-3967
CVE-2023-1252 VULN-3964
CVE-2023-1118 VULN-3963
CVE-2022-3640 VULN-3949

Commits

CVE-2022-1055

457dff8:

net: sched: fix use-after-free in tc_new_tfilter()

jira VULN-3152
cve CVE-2022-1055
commit-author Eric Dumazet <edumazet@google.com>
commit 04c2a47ffb13c29778e2a14e414ad4cb5a5db4b5

Cherry-picking the fix resulted in conflicts because of the 04c2a47 commit expecting flags = 0; to be around:

++<<<<<<< HEAD
++=======
+ 	q = NULL;
+ 	chain = NULL;
+ 	flags = 0;
++>>>>>>> 04c2a47ff (net: sched: fix use-after-free in tc_new_tfilter())
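Review bot: the resolution drops the upstream `flags = 0;` reset without the commit message recording why that is safe; it is worth stating explicitly that the LTS 8.6 tc_new_tfilter() has no `flags` local at all (695176b never having been backported), so there is no stale flags value to clear on the jump to replay:, rather than only that the `+ flags = 0;` line was ignored. A sentence to that effect in the backport note keeps a later backporter from re-adding the line blindly.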

It was introduced by the 695176b commit, carefully omitted in RH's backporting of net/sched/cls_api.c changes. Fixed the conflict manually by just ignoring the flags = 0; part. Omitted upstream-diff as this resolution didn't modify the upstream change in any way (the delta is the same) but dealt with the cherry-picking technicalities.

The change doesn't seem quite consistent with nulling-out chain in tc_new_tfilter(…) but not in tc_ctl_chain(…), despite consistency being the goal of modifying tc_ctl_chain(…) in a similar manner as tc_new_tfilter(…) even though the cited KASAN bug related to tc_new_tfilter(…) only. Apparently the chain variable doesn't need to be nulled-out at all, see discussion. Left the change as it was.

CVE-2023-1989

68b3ca9:

Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition

jira VULN-3967
jira VULN-68015
cve CVE-2023-1989
cve CVE-2023-53145
commit-author Zheng Wang <zyytlz.wz@163.com>
commit 73f7b171b7c09139eb3c6a5677c200dc1be5f318

The commit picked is different from the associated 1e9ac11. See its fix db2bf51 which completely reverts it and also points to the correct solution:

Revert "Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work"

This reverts commit 1e9ac11.

This patch introduces a possible null-ptr-def problem. Revert it. And the
fixed bug by this patch have resolved by commit 73f7b17 ("Bluetooth:
btsdio: fix use after free bug in btsdio_remove due to race condition").

The mentioned commit 73f7b17 is formally associated with another CVE-2023-53145, thus added to the meta along with associated VULN-68015 for LTS 8.6.

CVE-2023-1252

b033dc8:

ovl: fix use after free in struct ovl_aio_req

jira VULN-3964
cve CVE-2023-1252
commit-author yangerkun <yangerkun@huawei.com>
commit 9a254403760041528bc8f69fe2f5e1ef86950991

CVE-2023-1118

9208830:

media: rc: Fix use-after-free bugs caused by ene_tx_irqsim()

jira VULN-3963
cve CVE-2023-1118
commit-author Duoming Zhou <duoming@zju.edu.cn>
commit 29b0589a865b6f66d141d79b2dd1373e4e50fe17

CVE-2022-3640

7e3f445:

Bluetooth: L2CAP: fix use-after-free in l2cap_conn_del()

jira VULN-3949
cve CVE-2022-3640
cve CVE-2022-49909
commit-author Zhengchao Shao <shaozhengchao@huawei.com>
commit 0d0e2d032811280b927650ff3c15fe5020e82533

CVE-2022-49909 is also associated with the cherry-picked commit. RH classifies 8.6 EUS (and beyond) as not affected by it:

Fixed starting from Red Hat Enterprise Linux 8.6 (and later) versions.

(Probably the overlap with CVE-2022-3640 was recognized and the patch for it was already in place.) This means no VULN jira ticket is expected to be associated with it, so none was included.

kABI check: passed

$ DEBUG=1 CVE=CVE-batch-5 ./ninja.sh _kabi_checked__x86_64--test--ciqlts8_6-CVE-batch-5

[0/1] Check ABI of kernel [ciqlts8_6-CVE-batch-5]
++ uname -m
+ python3 /data/src/ctrliq-github/kernel-dist-git-el-8.6/SOURCES/check-kabi -k /data/src/ctrliq-github/kernel-dist-git-el-8.6/SOURCES/Module.kabi_x86_64 -s vms/x86_64--build--ciqlts8_6/build_files/kernel-src-tree-ciqlts8_6-CVE-batch-5/Module.symvers
kABI check passed
+ touch state/kernels/ciqlts8_6-CVE-batch-5/x86_64/kabi_checked

Boot test: passed

boot-test.log

Kselftests: passed relative

Reference

kselftests--ciqlts8_6--run1.log

Patch

kselftests--ciqlts8_6-CVE-batch-5--run1.log

Comparison

The test results for the reference kernel and the patch are the same

$ ktests.xsh diff  kselftests*.log

Column    File
--------  -------------------------------------------
Status0   kselftests--ciqlts8_6--run1.log
Status1   kselftests--ciqlts8_6-CVE-batch-5--run1.log

TestCase                                     Status0  Status1  Summary
android:run.sh                               skip     skip     same
bpf:get_cgroup_id_user                       pass     pass     same
bpf:test_bpftool.sh                          pass     pass     same
bpf:test_bpftool_build.sh                    pass     pass     same
bpf:test_bpftool_metadata.sh                 pass     pass     same
bpf:test_cgroup_storage                      pass     pass     same
bpf:test_dev_cgroup                          pass     pass     same
bpf:test_doc_build.sh                        pass     pass     same
bpf:test_flow_dissector.sh                   pass     pass     same
bpf:test_lirc_mode2.sh                       pass     pass     same
bpf:test_lpm_map                             pass     pass     same
bpf:test_lru_map                             fail     fail     same
bpf:test_lwt_ip_encap.sh                     pass     pass     same
bpf:test_lwt_seg6local.sh                    pass     pass     same
bpf:test_netcnt                              pass     pass     same
bpf:test_offload.py                          pass     pass     same
bpf:test_skb_cgroup_id.sh                    pass     pass     same
bpf:test_sock                                pass     pass     same
bpf:test_sock_addr.sh                        pass     pass     same
bpf:test_sysctl                              pass     pass     same
bpf:test_tag                                 pass     pass     same
bpf:test_tc_edt.sh                           pass     pass     same
bpf:test_tc_tunnel.sh                        pass     pass     same
bpf:test_tcp_check_syncookie.sh              pass     pass     same
bpf:test_tcpnotify_user                      pass     pass     same
bpf:test_tunnel.sh                           pass     pass     same
bpf:test_verifier                            pass     pass     same
bpf:test_verifier_log                        pass     pass     same
bpf:test_xdp_meta.sh                         pass     pass     same
bpf:test_xdp_redirect.sh                     pass     pass     same
bpf:test_xdp_veth.sh                         pass     pass     same
bpf:test_xdp_vlan_mode_generic.sh            pass     pass     same
bpf:test_xdp_vlan_mode_native.sh             pass     pass     same
bpf:test_xdping.sh                           pass     pass     same
bpf:urandom_read                             pass     pass     same
breakpoints:breakpoint_test                  pass     pass     same
capabilities:test_execve                     pass     pass     same
core:close_range_test                        pass     pass     same
cpu-hotplug:cpu-on-off-test.sh               pass     pass     same
cpufreq:main.sh                              fail     fail     same
exec:execveat                                pass     pass     same
firmware:fw_run_tests.sh                     skip     skip     same
fpu:run_test_fpu.sh                          skip     skip     same
fpu:test_fpu                                 pass     pass     same
ftrace:ftracetest                            fail     fail     same
futex:run.sh                                 pass     pass     same
gpio:gpio-mockup.sh                          fail     fail     same
intel_pstate:run.sh                          pass     pass     same
ipc:msgque                                   pass     pass     same
kcmp:kcmp_test                               pass     pass     same
kexec:test_kexec_file_load.sh                skip     skip     same
kexec:test_kexec_load.sh                     skip     skip     same
kvm:access_tracking_perf_test                fail     fail     same
kvm:amx_test                                 fail     fail     same
kvm:cr4_cpuid_sync_test                      fail     fail     same
kvm:debug_regs                               fail     fail     same
kvm:demand_paging_test                       pass     pass     same
kvm:dirty_log_perf_test                      pass     pass     same
kvm:dirty_log_test                           fail     fail     same
kvm:emulator_error_test                      fail     fail     same
kvm:evmcs_test                               fail     fail     same
kvm:get_cpuid_test                           fail     fail     same
kvm:get_msr_index_features                   fail     fail     same
kvm:hardware_disable_test                    pass     pass     same
kvm:hyperv_clock                             fail     fail     same
kvm:hyperv_cpuid                             fail     fail     same
kvm:hyperv_features                          fail     fail     same
kvm:kvm_binary_stats_test                    pass     pass     same
kvm:kvm_create_max_vcpus                     skip     skip     same
kvm:kvm_page_table_test                      pass     pass     same
kvm:kvm_pv_test                              fail     fail     same
kvm:memslot_modification_stress_test         pass     pass     same
kvm:memslot_perf_test                        fail     fail     same
kvm:mmio_warning_test                        fail     fail     same
kvm:mmu_role_test                            fail     fail     same
kvm:platform_info_test                       fail     fail     same
kvm:rseq_test                                fail     fail     same
kvm:set_boot_cpu_id                          fail     fail     same
kvm:set_memory_region_test                   pass     pass     same
kvm:set_sregs_test                           fail     fail     same
kvm:smm_test                                 fail     fail     same
kvm:state_test                               fail     fail     same
kvm:steal_time                               pass     pass     same
kvm:svm_int_ctl_test                         fail     fail     same
kvm:svm_vmcall_test                          fail     fail     same
kvm:sync_regs_test                           fail     fail     same
kvm:tsc_msrs_test                            fail     fail     same
kvm:userspace_msr_exit_test                  fail     fail     same
kvm:vmx_apic_access_test                     fail     fail     same
kvm:vmx_close_while_nested_test              fail     fail     same
kvm:vmx_dirty_log_test                       fail     fail     same
kvm:vmx_nested_tsc_scaling_test              fail     fail     same
kvm:vmx_pmu_msrs_test                        fail     fail     same
kvm:vmx_preemption_timer_test                fail     fail     same
kvm:vmx_set_nested_state_test                fail     fail     same
kvm:vmx_tsc_adjust_test                      fail     fail     same
kvm:xapic_ipi_test                           fail     fail     same
kvm:xen_shinfo_test                          fail     fail     same
kvm:xen_vmcall_test                          fail     fail     same
kvm:xss_msr_test                             fail     fail     same
lib:bitmap.sh                                skip     skip     same
lib:prime_numbers.sh                         skip     skip     same
lib:printf.sh                                skip     skip     same
lib:scanf.sh                                 fail     fail     same
livepatch:test-callbacks.sh                  pass     pass     same
livepatch:test-ftrace.sh                     pass     pass     same
livepatch:test-livepatch.sh                  pass     pass     same
livepatch:test-shadow-vars.sh                pass     pass     same
livepatch:test-state.sh                      pass     pass     same
membarrier:membarrier_test_multi_thread      pass     pass     same
membarrier:membarrier_test_single_thread     pass     pass     same
memfd:memfd_test                             pass     pass     same
memfd:run_fuse_test.sh                       fail     fail     same
memfd:run_hugetlbfs_test.sh                  pass     pass     same
memory-hotplug:mem-on-off-test.sh            pass     pass     same
mount:run_tests.sh                           pass     pass     same
net/forwarding:bridge_port_isolation.sh      pass     pass     same
net/forwarding:bridge_sticky_fdb.sh          pass     pass     same
net/forwarding:bridge_vlan_aware.sh          fail     fail     same
net/forwarding:bridge_vlan_unaware.sh        pass     pass     same
net/forwarding:ethtool.sh                    fail     fail     same
net/forwarding:gre_multipath.sh              fail     fail     same
net/forwarding:ip6_forward_instats_vrf.sh    fail     fail     same
net/forwarding:ipip_flat_gre.sh              pass     pass     same
net/forwarding:ipip_flat_gre_key.sh          pass     pass     same
net/forwarding:ipip_flat_gre_keys.sh         pass     pass     same
net/forwarding:ipip_hier_gre.sh              pass     pass     same
net/forwarding:ipip_hier_gre_key.sh          pass     pass     same
net/forwarding:loopback.sh                   skip     skip     same
net/forwarding:mirror_gre.sh                 fail     fail     same
net/forwarding:mirror_gre_bound.sh           pass     pass     same
net/forwarding:mirror_gre_bridge_1d.sh       pass     pass     same
net/forwarding:mirror_gre_bridge_1q.sh       pass     pass     same
net/forwarding:mirror_gre_bridge_1q_lag.sh   pass     pass     same
net/forwarding:mirror_gre_changes.sh         fail     fail     same
net/forwarding:mirror_gre_flower.sh          fail     fail     same
net/forwarding:mirror_gre_lag_lacp.sh        pass     pass     same
net/forwarding:mirror_gre_neigh.sh           pass     pass     same
net/forwarding:mirror_gre_nh.sh              pass     pass     same
net/forwarding:mirror_gre_vlan.sh            pass     pass     same
net/forwarding:mirror_vlan.sh                pass     pass     same
net/forwarding:router.sh                     fail     fail     same
net/forwarding:router_bridge.sh              pass     pass     same
net/forwarding:router_bridge_vlan.sh         pass     pass     same
net/forwarding:router_broadcast.sh           fail     fail     same
net/forwarding:router_multicast.sh           fail     fail     same
net/forwarding:router_multipath.sh           fail     fail     same
net/forwarding:router_vid_1.sh               pass     pass     same
net/forwarding:tc_chains.sh                  pass     pass     same
net/forwarding:tc_flower.sh                  pass     pass     same
net/forwarding:tc_flower_router.sh           pass     pass     same
net/forwarding:tc_mpls_l2vpn.sh              pass     pass     same
net/forwarding:tc_shblocks.sh                pass     pass     same
net/forwarding:tc_vlan_modify.sh             pass     pass     same
net/forwarding:vxlan_asymmetric.sh           pass     pass     same
net/forwarding:vxlan_bridge_1d.sh            fail     fail     same
net/forwarding:vxlan_bridge_1d_port_8472.sh  pass     pass     same
net/forwarding:vxlan_bridge_1q.sh            fail     fail     same
net/forwarding:vxlan_bridge_1q_port_8472.sh  pass     pass     same
net/forwarding:vxlan_symmetric.sh            pass     pass     same
net/mptcp:diag.sh                            pass     pass     same
net/mptcp:mptcp_connect.sh                   pass     pass     same
net/mptcp:mptcp_sockopt.sh                   pass     pass     same
net/mptcp:pm_netlink.sh                      pass     pass     same
net:bareudp.sh                               pass     pass     same
net:devlink_port_split.py                    pass     pass     same
net:drop_monitor_tests.sh                    skip     skip     same
net:fcnal-test.sh                            pass     pass     same
net:fib-onlink-tests.sh                      pass     pass     same
net:fib_rule_tests.sh                        fail     fail     same
net:fib_tests.sh                             pass     pass     same
net:gre_gso.sh                               pass     pass     same
net:icmp_redirect.sh                         pass     pass     same
net:ip6_gre_headroom.sh                      pass     pass     same
net:ipv6_flowlabel.sh                        pass     pass     same
net:l2tp.sh                                  pass     pass     same
net:msg_zerocopy.sh                          fail     fail     same
net:netdevice.sh                             pass     pass     same
net:pmtu.sh                                  pass     pass     same
net:psock_snd.sh                             fail     fail     same
net:reuseaddr_conflict                       pass     pass     same
net:reuseport_bpf                            pass     pass     same
net:reuseport_bpf_cpu                        pass     pass     same
net:reuseport_bpf_numa                       pass     pass     same
net:reuseport_dualstack                      pass     pass     same
net:rtnetlink.sh                             skip     skip     same
net:run_afpackettests                        pass     pass     same
net:run_netsocktests                         pass     pass     same
net:rxtimestamp.sh                           pass     pass     same
net:so_txtime.sh                             fail     fail     same
net:test_bpf.sh                              pass     pass     same
net:test_vxlan_fdb_changelink.sh             pass     pass     same
net:tls                                      pass     pass     same
net:traceroute.sh                            pass     pass     same
net:udpgro.sh                                fail     fail     same
net:udpgro_bench.sh                          fail     fail     same
net:udpgso.sh                                pass     pass     same
net:veth.sh                                  fail     fail     same
net:vrf-xfrm-tests.sh                        pass     pass     same
netfilter:conntrack_icmp_related.sh          fail     fail     same
netfilter:conntrack_tcp_unreplied.sh         fail     fail     same
netfilter:ipvs.sh                            skip     skip     same
netfilter:nft_flowtable.sh                   fail     fail     same
netfilter:nft_meta.sh                        pass     pass     same
netfilter:nft_nat.sh                         skip     skip     same
netfilter:nft_queue.sh                       skip     skip     same
nsfs:owner                                   pass     pass     same
nsfs:pidns                                   pass     pass     same
proc:fd-001-lookup                           pass     pass     same
proc:fd-002-posix-eq                         pass     pass     same
proc:fd-003-kthread                          pass     pass     same
proc:proc-loadavg-001                        pass     pass     same
proc:proc-self-map-files-001                 pass     pass     same
proc:proc-self-map-files-002                 fail     fail     same
proc:proc-self-syscall                       pass     pass     same
proc:proc-self-wchan                         pass     pass     same
proc:proc-uptime-001                         pass     pass     same
proc:proc-uptime-002                         pass     pass     same
proc:read                                    pass     pass     same
proc:setns-dcache                            fail     fail     same
pstore:pstore_post_reboot_tests              skip     skip     same
pstore:pstore_tests                          fail     fail     same
ptrace:peeksiginfo                           pass     pass     same
ptrace:vmaccess                              fail     fail     same
rseq:basic_percpu_ops_test                   pass     pass     same
rseq:basic_test                              pass     pass     same
rseq:param_test                              pass     pass     same
rseq:param_test_benchmark                    pass     pass     same
rseq:param_test_compare_twice                pass     pass     same
rseq:run_param_test.sh                       fail     fail     same
sgx:test_sgx                                 fail     fail     same
sigaltstack:sas                              pass     pass     same
size:get_size                                pass     pass     same
splice:default_file_splice_read.sh           pass     pass     same
static_keys:test_static_keys.sh              skip     skip     same
tc-testing:tdc.sh                            pass     pass     same
timens:clock_nanosleep                       pass     pass     same
timens:exec                                  pass     pass     same
timens:procfs                                pass     pass     same
timens:timens                                pass     pass     same
timens:timer                                 pass     pass     same
timens:timerfd                               pass     pass     same
timers:inconsistency-check                   fail     fail     same
timers:mqueue-lat                            pass     pass     same
timers:nanosleep                             pass     pass     same
timers:nsleep-lat                            fail     fail     same
timers:posix_timers                          pass     pass     same
timers:rtcpie                                pass     pass     same
timers:set-timer-lat                         fail     fail     same
timers:threadtest                            pass     pass     same
tpm2:test_smoke.sh                           fail     fail     same
tpm2:test_space.sh                           fail     fail     same
vm:run_vmtests                               fail     fail     same
x86:amx_64                                   fail     fail     same
x86:check_initial_reg_state_64               pass     pass     same
x86:corrupt_xstate_header_64                 pass     pass     same
x86:fsgsbase_64                              pass     pass     same
x86:fsgsbase_restore_64                      pass     pass     same
x86:ioperm_64                                pass     pass     same
x86:iopl_64                                  pass     pass     same
x86:mov_ss_trap_64                           pass     pass     same
x86:mpx-mini-test_64                         fail     fail     same
x86:protection_keys_64                       pass     pass     same
x86:sigaltstack_64                           pass     pass     same
x86:sigreturn_64                             pass     pass     same
x86:single_step_syscall_64                   pass     pass     same
x86:syscall_nt_64                            pass     pass     same
x86:sysret_rip_64                            pass     pass     same
x86:sysret_ss_attrs_64                       pass     pass     same
x86:test_mremap_vdso_64                      pass     pass     same
x86:test_vdso_64                             pass     pass     same
x86:test_vsyscall_64                         pass     pass     same
zram:zram.sh                                 pass     pass     same

jira VULN-3152
cve CVE-2022-1055
commit-author Eric Dumazet <edumazet@google.com>
commit 04c2a47

Whenever tc_new_tfilter() jumps back to replay: label,
we need to make sure @q and @chain local variables are cleared again,
or risk use-after-free as in [1]

For consistency, apply the same fix in tc_ctl_chain()

BUG: KASAN: use-after-free in mini_qdisc_pair_swap+0x1b9/0x1f0 net/sched/sch_generic.c:1581
Write of size 8 at addr ffff8880985c4b08 by task syz-executor.4/1945

CPU: 0 PID: 1945 Comm: syz-executor.4 Not tainted 5.17.0-rc1-syzkaller-00495-gff58831fa02d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x8d/0x336 mm/kasan/report.c:255
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
 mini_qdisc_pair_swap+0x1b9/0x1f0 net/sched/sch_generic.c:1581
 tcf_chain_head_change_item net/sched/cls_api.c:372 [inline]
 tcf_chain0_head_change.isra.0+0xb9/0x120 net/sched/cls_api.c:386
 tcf_chain_tp_insert net/sched/cls_api.c:1657 [inline]
 tcf_chain_tp_insert_unique net/sched/cls_api.c:1707 [inline]
 tc_new_tfilter+0x1e67/0x2350 net/sched/cls_api.c:2086
 rtnetlink_rcv_msg+0x80d/0xb80 net/core/rtnetlink.c:5583
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494
 netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
 netlink_unicast+0x539/0x7e0 net/netlink/af_netlink.c:1343
 netlink_sendmsg+0x904/0xe00 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:705 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:725
 ____sys_sendmsg+0x331/0x810 net/socket.c:2413
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2467
 __sys_sendmmsg+0x195/0x470 net/socket.c:2553
 __do_sys_sendmmsg net/socket.c:2582 [inline]
 __se_sys_sendmmsg net/socket.c:2579 [inline]
 __x64_sys_sendmmsg+0x99/0x100 net/socket.c:2579
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f2647172059
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f2645aa5168 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00007f2647285100 RCX: 00007f2647172059
RDX: 040000000000009f RSI: 00000000200002c0 RDI: 0000000000000006
RBP: 00007f26471cc08d R08: 0000000000000000 R09: 0000000000000000
R10: 9e00000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fffb3f7f02f R14: 00007f2645aa5300 R15: 0000000000022000
 </TASK>

Allocated by task 1944:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:436 [inline]
 ____kasan_kmalloc mm/kasan/common.c:515 [inline]
 ____kasan_kmalloc mm/kasan/common.c:474 [inline]
 __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:524
 kmalloc_node include/linux/slab.h:604 [inline]
 kzalloc_node include/linux/slab.h:726 [inline]
 qdisc_alloc+0xac/0xa10 net/sched/sch_generic.c:941
 qdisc_create.constprop.0+0xce/0x10f0 net/sched/sch_api.c:1211
 tc_modify_qdisc+0x4c5/0x1980 net/sched/sch_api.c:1660
 rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5592
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494
 netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
 netlink_unicast+0x539/0x7e0 net/netlink/af_netlink.c:1343
 netlink_sendmsg+0x904/0xe00 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:705 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:725
 ____sys_sendmsg+0x331/0x810 net/socket.c:2413
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2467
 __sys_sendmmsg+0x195/0x470 net/socket.c:2553
 __do_sys_sendmmsg net/socket.c:2582 [inline]
 __se_sys_sendmmsg net/socket.c:2579 [inline]
 __x64_sys_sendmmsg+0x99/0x100 net/socket.c:2579
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 3609:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track+0x21/0x30 mm/kasan/common.c:45
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free+0x130/0x160 mm/kasan/common.c:328
 kasan_slab_free include/linux/kasan.h:236 [inline]
 slab_free_hook mm/slub.c:1728 [inline]
 slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1754
 slab_free mm/slub.c:3509 [inline]
 kfree+0xcb/0x280 mm/slub.c:4562
 rcu_do_batch kernel/rcu/tree.c:2527 [inline]
 rcu_core+0x7b8/0x1540 kernel/rcu/tree.c:2778
 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558

Last potentially related work creation:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 __kasan_record_aux_stack+0xbe/0xd0 mm/kasan/generic.c:348
 __call_rcu kernel/rcu/tree.c:3026 [inline]
 call_rcu+0xb1/0x740 kernel/rcu/tree.c:3106
 qdisc_put_unlocked+0x6f/0x90 net/sched/sch_generic.c:1109
 tcf_block_release+0x86/0x90 net/sched/cls_api.c:1238
 tc_new_tfilter+0xc0d/0x2350 net/sched/cls_api.c:2148
 rtnetlink_rcv_msg+0x80d/0xb80 net/core/rtnetlink.c:5583
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494
 netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
 netlink_unicast+0x539/0x7e0 net/netlink/af_netlink.c:1343
 netlink_sendmsg+0x904/0xe00 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:705 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:725
 ____sys_sendmsg+0x331/0x810 net/socket.c:2413
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2467
 __sys_sendmmsg+0x195/0x470 net/socket.c:2553
 __do_sys_sendmmsg net/socket.c:2582 [inline]
 __se_sys_sendmmsg net/socket.c:2579 [inline]
 __x64_sys_sendmmsg+0x99/0x100 net/socket.c:2579
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff8880985c4800
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 776 bytes inside of
 1024-byte region [ffff8880985c4800, ffff8880985c4c00)
The buggy address belongs to the page:
page:ffffea0002617000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x985c0
head:ffffea0002617000 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888010c41dc0
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 1941, ts 1038999441284, free_ts 1033444432829
 prep_new_page mm/page_alloc.c:2434 [inline]
 get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4165
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389
 alloc_pages+0x1aa/0x310 mm/mempolicy.c:2271
 alloc_slab_page mm/slub.c:1799 [inline]
 allocate_slab mm/slub.c:1944 [inline]
 new_slab+0x28a/0x3b0 mm/slub.c:2004
 ___slab_alloc+0x87c/0xe90 mm/slub.c:3018
 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3105
 slab_alloc_node mm/slub.c:3196 [inline]
 slab_alloc mm/slub.c:3238 [inline]
 __kmalloc+0x2fb/0x340 mm/slub.c:4420
 kmalloc include/linux/slab.h:586 [inline]
 kzalloc include/linux/slab.h:715 [inline]
 __register_sysctl_table+0x112/0x1090 fs/proc/proc_sysctl.c:1335
 neigh_sysctl_register+0x2c8/0x5e0 net/core/neighbour.c:3787
 devinet_sysctl_register+0xb1/0x230 net/ipv4/devinet.c:2618
 inetdev_init+0x286/0x580 net/ipv4/devinet.c:278
 inetdev_event+0xa8a/0x15d0 net/ipv4/devinet.c:1532
 notifier_call_chain+0xb5/0x200 kernel/notifier.c:84
 call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1919
 call_netdevice_notifiers_extack net/core/dev.c:1931 [inline]
 call_netdevice_notifiers net/core/dev.c:1945 [inline]
 register_netdevice+0x1073/0x1500 net/core/dev.c:9698
 veth_newlink+0x59c/0xa90 drivers/net/veth.c:1722
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1352 [inline]
 free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1404
 free_unref_page_prepare mm/page_alloc.c:3325 [inline]
 free_unref_page+0x19/0x690 mm/page_alloc.c:3404
 release_pages+0x748/0x1220 mm/swap.c:956
 tlb_batch_pages_flush mm/mmu_gather.c:50 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:243 [inline]
 tlb_flush_mmu+0xe9/0x6b0 mm/mmu_gather.c:250
 zap_pte_range mm/memory.c:1441 [inline]
 zap_pmd_range mm/memory.c:1490 [inline]
 zap_pud_range mm/memory.c:1519 [inline]
 zap_p4d_range mm/memory.c:1540 [inline]
 unmap_page_range+0x1d1d/0x2a30 mm/memory.c:1561
 unmap_single_vma+0x198/0x310 mm/memory.c:1606
 unmap_vmas+0x16b/0x2f0 mm/memory.c:1638
 exit_mmap+0x201/0x670 mm/mmap.c:3178
 __mmput+0x122/0x4b0 kernel/fork.c:1114
 mmput+0x56/0x60 kernel/fork.c:1135
 exit_mm kernel/exit.c:507 [inline]
 do_exit+0xa3c/0x2a30 kernel/exit.c:793
 do_group_exit+0xd2/0x2f0 kernel/exit.c:935
 __do_sys_exit_group kernel/exit.c:946 [inline]
 __se_sys_exit_group kernel/exit.c:944 [inline]
 __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:944
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Memory state around the buggy address:
 ffff8880985c4a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880985c4a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880985c4b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff8880985c4b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880985c4c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc

Fixes: 470502d ("net: sched: unlock rules update API")
	Signed-off-by: Eric Dumazet <edumazet@google.com>
	Cc: Vlad Buslov <vladbu@mellanox.com>
	Cc: Jiri Pirko <jiri@mellanox.com>
	Cc: Cong Wang <xiyou.wangcong@gmail.com>
	Reported-by: syzbot <syzkaller@googlegroups.com>
Link: https://lore.kernel.org/r/20220131172018.3704490-1-eric.dumazet@gmail.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 04c2a47)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
…e condition

jira VULN-3967
jira VULN-68015
cve CVE-2023-1989
cve CVE-2023-53145
commit-author Zheng Wang <zyytlz.wz@163.com>
commit 73f7b17

In btsdio_probe, the data->work is bound with btsdio_work. It will be
started in btsdio_send_frame.

If the btsdio_remove runs with an unfinished work, there may be a race
condition that hdev is freed but used in btsdio_work. Fix it by
canceling the work before doing cleanup in btsdio_remove.

	Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
	Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
(cherry picked from commit 73f7b17)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-3964
cve CVE-2023-1252
commit-author yangerkun <yangerkun@huawei.com>
commit 9a25440

Example for triggering use after free in an overlay on ext4 setup:

aio_read
  ovl_read_iter
    vfs_iter_read
      ext4_file_read_iter
        ext4_dio_read_iter
          iomap_dio_rw -> -EIOCBQUEUED
          /*
	   * Here IO is completed in a separate thread,
	   * ovl_aio_cleanup_handler() frees aio_req which has iocb embedded
	   */
          file_accessed(iocb->ki_filp); /**BOOM**/

Fix by introducing a refcount in ovl_aio_req similarly to aio_kiocb.  This
guarantees that iocb is only freed after vfs_read/write_iter() returns on
underlying fs.

Fixes: 2406a30 ("ovl: implement async IO routines")
	Signed-off-by: yangerkun <yangerkun@huawei.com>
Link: https://lore.kernel.org/r/20210930032228.3199690-3-yangerkun@huawei.com/
	Cc: <stable@vger.kernel.org> # v5.6
	Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
(cherry picked from commit 9a25440)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-3963
cve CVE-2023-1118
commit-author Duoming Zhou <duoming@zju.edu.cn>
commit 29b0589

When the ene device is detaching, function ene_remove() will
be called. But there is no function to cancel tx_sim_timer
in ene_remove(), so the timer handler ene_tx_irqsim() could race
with ene_remove(). As a result, UAF bugs could happen;
the process is shown below.

    (cleanup routine)          |        (timer routine)
                               | mod_timer(&dev->tx_sim_timer, ..)
ene_remove()                   | (wait a time)
                               | ene_tx_irqsim()
                               |   dev->hw_lock //USE
                               |   ene_tx_sample(dev) //USE

Fix by adding del_timer_sync(&dev->tx_sim_timer) in ene_remove(),
so the tx_sim_timer could stop before the ene device is deallocated.

What's more, the rc_unregister_device() and del_timer_sync()
should be called first in ene_remove(), and the deallocation
functions such as free_irq(), release_region() and so on
should be called after them, because the rc_unregister_device()
is well synchronized. Otherwise, race conditions may happen. The
situations that may lead to race conditions are shown below.

Firstly, the rx receiver is disabled with ene_rx_disable()
before rc_unregister_device() in ene_remove(), which means it
can be enabled again if a process opens /dev/lirc0 between
ene_rx_disable() and rc_unregister_device().

Secondly, the irqaction descriptor is freed by free_irq()
before the rc device is unregistered, which means irqaction
descriptor may be accessed again after it is deallocated.

Thirdly, the timer can call ene_tx_sample() that can write
to the io ports, which means the io ports could be accessed
again after they are deallocated by release_region().

Therefore, the rc_unregister_device() and del_timer_sync()
should be called first in ene_remove().

Suggested-by: Sean Young <sean@mess.org>

Fixes: 9ea53b7 ("V4L/DVB: STAGING: remove lirc_ene0100 driver")
	Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
	Signed-off-by: Sean Young <sean@mess.org>
	Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
(cherry picked from commit 29b0589)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
@PlaidCat
Collaborator

PlaidCat commented Sep 23, 2025

For this one can you add this VULN 7e3f445
CVE-2022-49909 + VULN-66429

edit this should be remove CVE-2022-49909 ... it's a part of the Kernel.org backfill and it duplicates CVE-2022-3640 and it closer matches EUS.

jira VULN-3949
cve CVE-2022-3640
commit-author Zhengchao Shao <shaozhengchao@huawei.com>
commit 0d0e2d0

When l2cap_recv_frame() is invoked to receive data, and the cid is
L2CAP_CID_A2MP, if the channel does not exist, it will create a channel.
However, after a channel is created, the hold operation of the channel
is not performed. In this case, the value of channel reference counting
is 1. As a result, after hci_error_reset() is triggered, l2cap_conn_del()
invokes the close hook function of A2MP to release the channel. Then
 l2cap_chan_unlock(chan) will trigger UAF issue.

The process is as follows:
Receive data:
l2cap_data_channel()
    a2mp_channel_create()  --->channel ref is 2
    l2cap_chan_put()       --->channel ref is 1

Trigger event:
    hci_error_reset()
        hci_dev_do_close()
        ...
        l2cap_disconn_cfm()
            l2cap_conn_del()
                l2cap_chan_hold()    --->channel ref is 2
                l2cap_chan_del()     --->channel ref is 1
                a2mp_chan_close_cb() --->channel ref is 0, release channel
                l2cap_chan_unlock()  --->UAF of channel

The detailed Call Trace is as follows:
BUG: KASAN: use-after-free in __mutex_unlock_slowpath+0xa6/0x5e0
Read of size 8 at addr ffff8880160664b8 by task kworker/u11:1/7593
Workqueue: hci0 hci_error_reset
Call Trace:
 <TASK>
 dump_stack_lvl+0xcd/0x134
 print_report.cold+0x2ba/0x719
 kasan_report+0xb1/0x1e0
 kasan_check_range+0x140/0x190
 __mutex_unlock_slowpath+0xa6/0x5e0
 l2cap_conn_del+0x404/0x7b0
 l2cap_disconn_cfm+0x8c/0xc0
 hci_conn_hash_flush+0x11f/0x260
 hci_dev_close_sync+0x5f5/0x11f0
 hci_dev_do_close+0x2d/0x70
 hci_error_reset+0x9e/0x140
 process_one_work+0x98a/0x1620
 worker_thread+0x665/0x1080
 kthread+0x2e4/0x3a0
 ret_from_fork+0x1f/0x30
 </TASK>

Allocated by task 7593:
 kasan_save_stack+0x1e/0x40
 __kasan_kmalloc+0xa9/0xd0
 l2cap_chan_create+0x40/0x930
 amp_mgr_create+0x96/0x990
 a2mp_channel_create+0x7d/0x150
 l2cap_recv_frame+0x51b8/0x9a70
 l2cap_recv_acldata+0xaa3/0xc00
 hci_rx_work+0x702/0x1220
 process_one_work+0x98a/0x1620
 worker_thread+0x665/0x1080
 kthread+0x2e4/0x3a0
 ret_from_fork+0x1f/0x30

Freed by task 7593:
 kasan_save_stack+0x1e/0x40
 kasan_set_track+0x21/0x30
 kasan_set_free_info+0x20/0x30
 ____kasan_slab_free+0x167/0x1c0
 slab_free_freelist_hook+0x89/0x1c0
 kfree+0xe2/0x580
 l2cap_chan_put+0x22a/0x2d0
 l2cap_conn_del+0x3fc/0x7b0
 l2cap_disconn_cfm+0x8c/0xc0
 hci_conn_hash_flush+0x11f/0x260
 hci_dev_close_sync+0x5f5/0x11f0
 hci_dev_do_close+0x2d/0x70
 hci_error_reset+0x9e/0x140
 process_one_work+0x98a/0x1620
 worker_thread+0x665/0x1080
 kthread+0x2e4/0x3a0
 ret_from_fork+0x1f/0x30

Last potentially related work creation:
 kasan_save_stack+0x1e/0x40
 __kasan_record_aux_stack+0xbe/0xd0
 call_rcu+0x99/0x740
 netlink_release+0xe6a/0x1cf0
 __sock_release+0xcd/0x280
 sock_close+0x18/0x20
 __fput+0x27c/0xa90
 task_work_run+0xdd/0x1a0
 exit_to_user_mode_prepare+0x23c/0x250
 syscall_exit_to_user_mode+0x19/0x50
 do_syscall_64+0x42/0x80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Second to last potentially related work creation:
 kasan_save_stack+0x1e/0x40
 __kasan_record_aux_stack+0xbe/0xd0
 call_rcu+0x99/0x740
 netlink_release+0xe6a/0x1cf0
 __sock_release+0xcd/0x280
 sock_close+0x18/0x20
 __fput+0x27c/0xa90
 task_work_run+0xdd/0x1a0
 exit_to_user_mode_prepare+0x23c/0x250
 syscall_exit_to_user_mode+0x19/0x50
 do_syscall_64+0x42/0x80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Fixes: d0be834 ("Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put")
	Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
	Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
(cherry picked from commit 0d0e2d0)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
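The reference-count walk in the CVE-2022-3640 commit message above (create, put, then hold / chan_del / close / unlock in l2cap_conn_del()) can be replayed on a toy object to see exactly where the missing hold makes the final unlock touch freed memory. The model below is an added illustration, not kernel code and not part of this PR: the `chan_*` functions only mimic the hold/put accounting of the L2CAP helpers they are named after, a `freed` flag stands in for kfree() so a late touch is observable, and the `with_fix` argument adds the one extra hold that the fix takes in the A2MP receive path so the later put is balanced.

```c
/*
 * Constructed model of the A2MP channel refcount sequence from the commit
 * message (CVE-2022-3640). Not kernel code: names mirror the L2CAP helpers
 * loosely, and "freeing" is a flag so a later touch can be detected.
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy channel: a refcount plus flags that stand in for KASAN's bookkeeping. */
struct chan {
    int refcnt;
    bool freed;     /* set instead of calling free(), so later touches are observable */
    bool locked;
    bool uaf_seen;  /* any hold/put/lock/unlock after the object was "freed" */
};

static void touch(struct chan *c) { if (c->freed) c->uaf_seen = true; }

/* l2cap_chan_create(): the creator holds the initial reference (ref 1). */
static struct chan *chan_create(void)
{
    struct chan *c = calloc(1, sizeof(*c));
    if (!c) abort();
    c->refcnt = 1;
    return c;
}
static void chan_hold(struct chan *c)   { touch(c); c->refcnt++; }
static void chan_put(struct chan *c)
{
    touch(c);
    if (c->freed) return;
    if (--c->refcnt == 0) c->freed = true;   /* stands in for kfree() */
}
static void chan_lock(struct chan *c)   { touch(c); c->locked = true; }
static void chan_unlock(struct chan *c) { touch(c); c->locked = false; }

/* Receive path from the commit message: l2cap_data_channel() for the A2MP cid. */
static struct chan *receive_a2mp(bool with_fix)
{
    struct chan *c = chan_create();   /* ref 1 */
    chan_hold(c);                     /* amp_mgr keeps a reference: ref 2 (a2mp_channel_create) */
    if (with_fix)
        chan_hold(c);                 /* the fix: take the hold the common put below expects: ref 3 */
    chan_lock(c);
    chan_unlock(c);
    chan_put(c);                      /* ref 1 without the fix, ref 2 with it */
    return c;
}

/* Teardown path from the commit message: l2cap_conn_del() on hci_error_reset(). */
static void conn_del(struct chan *c)
{
    chan_hold(c);                     /* ref +1 */
    chan_lock(c);
    chan_put(c);                      /* l2cap_chan_del(): drops the conn list reference */
    chan_put(c);                      /* a2mp_chan_close_cb(): drops the amp_mgr reference */
    chan_unlock(c);                   /* UAF here if the refcount already reached 0 */
    chan_put(c);                      /* drop the hold taken at the top of the loop */
}

struct outcome { bool uaf; int refcnt; bool freed; };

/* Run receive + teardown and report what the toy object recorded. */
struct outcome simulate(bool with_fix)
{
    struct chan *c = receive_a2mp(with_fix);
    conn_del(c);
    struct outcome o = { c->uaf_seen, c->refcnt, c->freed };
    free(c);    /* real release of the toy object, after its bookkeeping was read */
    return o;
}

int main(void)
{
    struct outcome bug = simulate(false), fix = simulate(true);
    printf("unfixed: uaf=%d refcnt=%d freed=%d\n", bug.uaf, bug.refcnt, bug.freed);
    printf("fixed:   uaf=%d refcnt=%d freed=%d\n", fix.uaf, fix.refcnt, fix.freed);
    return 0;
}
```

Without the extra hold the count reaches 0 inside a2mp_chan_close_cb() and the unlock that follows is the use-after-free KASAN reported in `__mutex_unlock_slowpath`; with it, the count reaches 0 only at the final put after the unlock, which is the ordering the teardown loop relies on.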
Collaborator

@bmastbergen bmastbergen left a comment

🥌

Collaborator

@PlaidCat PlaidCat left a comment

:shipit:

@PlaidCat PlaidCat merged commit 58ac554 into ctrliq:ciqlts8_6 Sep 24, 2025
2 of 3 checks passed