
@PlaidCat PlaidCat commented Oct 9, 2025

Just a test do not merge

jira VULN-67698
jira VULN-67697
cve CVE-2025-37797
commit-author Cong Wang <[email protected]>
commit 3df275e

This patch fixes a Use-After-Free vulnerability in the HFSC qdisc class
handling. The issue occurs due to a time-of-check/time-of-use condition
in hfsc_change_class() when working with certain child qdiscs like netem
or codel.

The vulnerability works as follows:
1. hfsc_change_class() checks if a class has packets (q.qlen != 0)
2. It then calls qdisc_peek_len(), which for certain qdiscs (e.g.,
   codel, netem) might drop packets and empty the queue
3. The code continues assuming the queue is still non-empty, adding
   the class to vttree
4. This breaks HFSC scheduler assumptions that only non-empty classes
   are in vttree
5. Later, when the class is destroyed, this can lead to a Use-After-Free

The fix adds a second queue length check after qdisc_peek_len() to verify
the queue wasn't emptied.

Fixes: 21f4d5c ("net_sched/hfsc: fix curve activation in hfsc_change_class()")
Reported-by: Gerrard Tai <[email protected]>
Reviewed-by: Konstantin Khlebnikov <[email protected]>
Signed-off-by: Cong Wang <[email protected]>
Reviewed-by: Jamal Hadi Salim <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
(cherry picked from commit 3df275e)
Signed-off-by: Jonathan Maple <[email protected]>

jira VULN-136339
jira VULN-136338
cve CVE-2025-38718
commit-author Xin Long <[email protected]>
commit fd60d8a

A cloned head skb still shares these frag skbs in fraglist with the
original head skb. It's not safe to access these frag skbs.

syzbot reported two use-of-uninitialized-memory bugs caused by this:

  BUG: KMSAN: uninit-value in sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211
   sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211
   sctp_assoc_bh_rcv+0x1a7/0xc50 net/sctp/associola.c:998
   sctp_inq_push+0x2ef/0x380 net/sctp/inqueue.c:88
   sctp_backlog_rcv+0x397/0xdb0 net/sctp/input.c:331
   sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1122
   __release_sock+0x1da/0x330 net/core/sock.c:3106
   release_sock+0x6b/0x250 net/core/sock.c:3660
   sctp_wait_for_connect+0x487/0x820 net/sctp/socket.c:9360
   sctp_sendmsg_to_asoc+0x1ec1/0x1f00 net/sctp/socket.c:1885
   sctp_sendmsg+0x32b9/0x4a80 net/sctp/socket.c:2031
   inet_sendmsg+0x25a/0x280 net/ipv4/af_inet.c:851
   sock_sendmsg_nosec net/socket.c:718 [inline]

and

  BUG: KMSAN: uninit-value in sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987
   sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987
   sctp_inq_push+0x2a3/0x350 net/sctp/inqueue.c:88
   sctp_backlog_rcv+0x3c7/0xda0 net/sctp/input.c:331
   sk_backlog_rcv+0x142/0x420 include/net/sock.h:1148
   __release_sock+0x1d3/0x330 net/core/sock.c:3213
   release_sock+0x6b/0x270 net/core/sock.c:3767
   sctp_wait_for_connect+0x458/0x820 net/sctp/socket.c:9367
   sctp_sendmsg_to_asoc+0x223a/0x2260 net/sctp/socket.c:1886
   sctp_sendmsg+0x3910/0x49f0 net/sctp/socket.c:2032
   inet_sendmsg+0x269/0x2a0 net/ipv4/af_inet.c:851
   sock_sendmsg_nosec net/socket.c:712 [inline]

This patch fixes it by linearizing cloned gso packets in sctp_rcv().

Fixes: 90017ac ("sctp: Add GSO support")
Reported-by: [email protected]
Reported-by: [email protected]
Signed-off-by: Xin Long <[email protected]>
Reviewed-by: Marcelo Ricardo Leitner <[email protected]>
Link: https://patch.msgid.link/dd7dc337b99876d4132d0961f776913719f7d225.1754595611.git.lucien.xin@gmail.com
Signed-off-by: Jakub Kicinski <[email protected]>
(cherry picked from commit fd60d8a)
Signed-off-by: Jonathan Maple <[email protected]>
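The HFSC commit message above describes a time-of-check/time-of-use ordering: a queue-length test, then a peek that can itself drop packets, then an activation that trusts the earlier test. The following is an added example, not kernel code and not part of this PR; it is a toy model in which every name (toy_qdisc, toy_class, toy_peek_len, change_class_unsafe, change_class_safe) is hypothetical. It shows the stale-check ordering beside the fixed ordering that re-checks the queue length after the peek, and checks the invariant the commit message names, that only non-empty classes are in vttree.

```c
/* Added example, not kernel code: a toy model of the check-then-peek ordering
 * the HFSC commit message describes, beside the fixed ordering that re-checks
 * the queue length after the side-effecting peek. All names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#define MAX_PKTS 8

struct pkt { int len; bool droppable; };   /* droppable: the peek will discard it */
struct toy_qdisc { struct pkt pkts[MAX_PKTS]; size_t qlen; };
struct toy_class {
    struct toy_qdisc q;
    bool in_vttree;   /* models "the scheduler believes this class is backlogged" */
};

static void toy_enqueue(struct toy_qdisc *q, int len, bool droppable)
{
    if (q->qlen < MAX_PKTS) {
        q->pkts[q->qlen].len = len;
        q->pkts[q->qlen].droppable = droppable;
        q->qlen++;
    }
}

/* Models a peek that, like the codel/netem behaviour named in the commit
 * message, may drop head packets before reporting a length; 0 when empty. */
static int toy_peek_len(struct toy_qdisc *q)
{
    while (q->qlen > 0 && q->pkts[0].droppable) {
        for (size_t i = 1; i < q->qlen; i++)
            q->pkts[i - 1] = q->pkts[i];
        q->qlen--;
    }
    return q->qlen ? q->pkts[0].len : 0;
}

/* TOCTOU ordering: the activation trusts the qlen test that ran before the peek. */
static void change_class_unsafe(struct toy_class *cl)
{
    cl->in_vttree = false;
    if (cl->q.qlen != 0) {
        (void)toy_peek_len(&cl->q);   /* may empty the queue */
        cl->in_vttree = true;         /* stale assumption: still non-empty */
    }
}

/* Fixed ordering: a second qlen check after the peek. */
static void change_class_safe(struct toy_class *cl)
{
    cl->in_vttree = false;
    if (cl->q.qlen != 0) {
        (void)toy_peek_len(&cl->q);
        if (cl->q.qlen == 0)
            return;                   /* peek drained the queue: do not activate */
        cl->in_vttree = true;
    }
}

/* Scheduler invariant from the commit message: only non-empty classes sit in vttree. */
static bool invariant_holds(const struct toy_class *cl)
{
    return !cl->in_vttree || cl->q.qlen != 0;
}

/* Constructed scenario: two packets the peek will drop, optionally followed by
 * one survivor; runs either ordering and returns the resulting class state. */
static struct toy_class run_scenario(bool fixed, bool add_survivor)
{
    struct toy_class cl = {0};
    toy_enqueue(&cl.q, 100, true);
    toy_enqueue(&cl.q, 200, true);
    if (add_survivor)
        toy_enqueue(&cl.q, 300, false);
    if (fixed)
        change_class_safe(&cl);
    else
        change_class_unsafe(&cl);
    return cl;
}

/* True if the unsafe ordering leaves an empty class in vttree. */
static bool unsafe_breaks_invariant(void)
{
    struct toy_class cl = run_scenario(false, false);
    return !invariant_holds(&cl);
}

/* True if the fixed ordering keeps the invariant on the same input. */
static bool safe_keeps_invariant(void)
{
    struct toy_class cl = run_scenario(true, false);
    return invariant_holds(&cl);
}

/* True if the fix still activates a class that has a survivor behind the
 * droppable packets, i.e. the second check is not over-cautious. */
static bool safe_still_activates_nonempty(void)
{
    struct toy_class cl = run_scenario(true, true);
    return cl.in_vttree && cl.q.qlen == 1 && invariant_holds(&cl);
}
```

The general lesson the model isolates is that any call which may mutate the state a preceding check examined (here, a peek that can drop) invalidates that check; the fix re-establishes the invariant by re-checking immediately after the side-effecting call rather than before it.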
@PlaidCat PlaidCat self-assigned this Oct 9, 2025

@github-actions github-actions bot left a comment


⚠️ This PR contains VULN tickets that do not match the target LTS product. Please review the JIRA ticket assignments and ensure they match the merge target branch.

@PlaidCat PlaidCat force-pushed the {jmaple}_fips-8-compliant/4.18.0-553.16.1 branch from 22dabbc to 4edda16 Compare October 9, 2025 12:24
@ctrliq ctrliq deleted a comment from github-actions bot Oct 9, 2025
@PlaidCat PlaidCat force-pushed the {jmaple}_fips-8-compliant/4.18.0-553.16.1 branch from 4edda16 to b65c1c6 Compare October 9, 2025 12:56

github-actions bot commented Oct 9, 2025

JIRA PR Check Results

3 commit(s) with issues found:

Commit 353ee378d3ef

Summary: NFS: Fix filehandle bounds checking in nfs_fh_to_dentry()

❌ Errors:

  • VULN-136573: Status is 'To Do', expected 'In Progress'
  • VULN-136573: LTS product 'lts-8.6' expects branch 'ciqlts8_6', but merge target is 'fips-8-compliant/4.18.0-553.16.1'

⚠️ Warnings:

  • VULN-136573: No time logged - please log time manually

Commit f631fe5b7fff

Summary: sctp: linearize cloned gso packets in sctp_rcv

❌ Errors:

  • VULN-136339: Status is 'To Do', expected 'In Progress'

Commit 104675413a08

Summary: net_sched: hfsc: Fix a UAF vulnerability in class handling

⚠️ Warnings:

  • VULN-67697: No time logged - please log time manually

Summary: Checked 4 commit(s) total.

Copy link

@github-actions github-actions bot left a comment


⚠️ This PR contains VULN tickets that do not match the target LTS product. Please review the JIRA ticket assignments and ensure they match the merge target branch.

jira VULN-136575
jira VULN-136574
jira VULN-136573
cve CVE-2025-39730
cve CVE-2025-1234556789
cve-bf CVE-2025-39730
commit-author Trond Myklebust <[email protected]>
commit ef93a68

The function needs to check the minimal filehandle length before it can
access the embedded filehandle.

Reported-by: zhangjian <[email protected]>
Fixes: 20fa190 ("nfs: add export operations")
Signed-off-by: Trond Myklebust <[email protected]>
(cherry picked from commit ef93a68)
Signed-off-by: Jonathan Maple <[email protected]>
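The NFS commit message above states the rule in one sentence: check the minimal filehandle length before touching the embedded handle. The following is an added example, not the NFS code and not part of this PR. It uses a hypothetical wrapped-handle layout (one version byte, one inner-length byte, then the inner handle; the names toy_fh_to_inner, TOY_FH_HDR_LEN, TOY_INNER_MIN and the constructed handles are all assumptions) to show the order of checks a parser of any length-prefixed embedded structure needs: header present, declared inner length within the buffer, and inner length above the format's minimum, before any byte of the inner handle is read.

```c
/* Added example, not the NFS code: a hypothetical wrapped filehandle whose
 * layout is [1 byte version][1 byte inner_len][inner_len bytes of inner handle],
 * with every length check done before the embedded handle is touched. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TOY_FH_HDR_LEN   2     /* version + inner_len */
#define TOY_INNER_MIN    4     /* hypothetical minimum for a usable inner handle */
#define TOY_FH_MAX       64

struct toy_inner_fh { const uint8_t *data; size_t len; };

/* Returns 0 and fills *out on success, -1 if the handle is too short to hold
 * its header or its declared inner handle. Nothing beyond fh_len is read. */
static int toy_fh_to_inner(const uint8_t *fh, size_t fh_len, struct toy_inner_fh *out)
{
    if (fh_len < TOY_FH_HDR_LEN)              /* cannot even read inner_len yet */
        return -1;
    size_t inner_len = fh[1];
    if (inner_len < TOY_INNER_MIN)            /* too small to be a real inner handle */
        return -1;
    if (inner_len > fh_len - TOY_FH_HDR_LEN)  /* declared length overruns the buffer */
        return -1;
    out->data = fh + TOY_FH_HDR_LEN;
    out->len = inner_len;
    return 0;
}

/* Builds a constructed handle in buf; returns its total length. The declared
 * length is taken separately so a test can make it disagree with reality. */
static size_t toy_build_fh(uint8_t *buf, uint8_t declared_len,
                           const uint8_t *inner, size_t actual_len)
{
    buf[0] = 1;                               /* hypothetical version byte */
    buf[1] = declared_len;
    memcpy(buf + TOY_FH_HDR_LEN, inner, actual_len);
    return TOY_FH_HDR_LEN + actual_len;
}

/* Well-formed handle: returns the inner length the parser reports, or -1. */
static int check_wellformed(void)
{
    uint8_t buf[TOY_FH_MAX];
    const uint8_t inner[] = { 0xde, 0xad, 0xbe, 0xef, 0x01, 0x02 };  /* constructed */
    size_t len = toy_build_fh(buf, sizeof inner, inner, sizeof inner);
    struct toy_inner_fh out;
    if (toy_fh_to_inner(buf, len, &out) != 0)
        return -1;
    return (int)out.len;
}

/* One-byte handle: must be rejected before inner_len is read. */
static int check_truncated_header(void)
{
    uint8_t buf[TOY_FH_MAX] = { 1 };
    struct toy_inner_fh out;
    return toy_fh_to_inner(buf, 1, &out);
}

/* Declared inner length larger than what the buffer actually holds. */
static int check_overdeclared(void)
{
    uint8_t buf[TOY_FH_MAX];
    const uint8_t inner[] = { 0xaa, 0xbb, 0xcc, 0xdd };              /* constructed */
    size_t len = toy_build_fh(buf, 32, inner, sizeof inner);        /* claims 32, has 4 */
    struct toy_inner_fh out;
    return toy_fh_to_inner(buf, len, &out);
}

/* Inner length below the format's minimum. */
static int check_below_minimum(void)
{
    uint8_t buf[TOY_FH_MAX];
    const uint8_t inner[] = { 0x01, 0x02 };                           /* constructed */
    size_t len = toy_build_fh(buf, sizeof inner, inner, sizeof inner);
    struct toy_inner_fh out;
    return toy_fh_to_inner(buf, len, &out);
}
```

The order of the three tests matters: the header-length test has to come first because the inner length lives inside the header, and the overrun test subtracts the header length from fh_len only after the first test has guaranteed that subtraction cannot wrap.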
@PlaidCat PlaidCat force-pushed the {jmaple}_fips-8-compliant/4.18.0-553.16.1 branch from b65c1c6 to 3499125 Compare October 9, 2025 15:53

github-actions bot commented Oct 9, 2025

JIRA PR Check Results

3 commit(s) with issues found:

Commit 2621a890be52

Summary: NFS: Fix filehandle bounds checking in nfs_fh_to_dentry()

❌ Errors:

  • VULN-136575: CVE mismatch - Commit has CVE-2025-1234556789 but VULN ticket does not
  • VULN-136574: CVE mismatch - Commit has CVE-2025-1234556789 but VULN ticket does not
  • VULN-136573: CVE mismatch - Commit has CVE-2025-1234556789 but VULN ticket does not
  • VULN-136573: Status is 'To Do', expected 'In Progress'
  • VULN-136573: LTS product 'lts-8.6' expects branch 'ciqlts8_6', but merge target is 'fips-8-compliant/4.18.0-553.16.1'

⚠️ Warnings:

  • VULN-136573: No time logged - please log time manually

Commit f631fe5b7fff

Summary: sctp: linearize cloned gso packets in sctp_rcv

❌ Errors:

  • VULN-136339: Status is 'To Do', expected 'In Progress'

Commit 104675413a08

Summary: net_sched: hfsc: Fix a UAF vulnerability in class handling

⚠️ Warnings:

  • VULN-67697: No time logged - please log time manually

Summary: Checked 4 commit(s) total.


@github-actions github-actions bot left a comment


⚠️ This PR contains VULN tickets that do not match the target LTS product. Please review the JIRA ticket assignments and ensure they match the merge target branch.


github-actions bot commented Oct 9, 2025

JIRA PR Check Results

3 commit(s) with issues found:

Commit 2621a890be52

Summary: NFS: Fix filehandle bounds checking in nfs_fh_to_dentry()

❌ Errors:

  • VULN-136575: CVE mismatch - Commit has CVE-2025-1234556789 but VULN ticket does not
  • VULN-136574: CVE mismatch - Commit has CVE-2025-1234556789 but VULN ticket does not
  • VULN-136573: CVE mismatch - Commit has CVE-2025-1234556789 but VULN ticket does not
  • VULN-136573: Status is 'To Do', expected 'In Progress'
  • VULN-136573: LTS product 'lts-8.6' expects branch 'ciqlts8_6', but merge target is 'fips-8-compliant/4.18.0-553.16.1'

⚠️ Warnings:

  • VULN-136573: No time logged - please log time manually

Commit f631fe5b7fff

Summary: sctp: linearize cloned gso packets in sctp_rcv

❌ Errors:

  • VULN-136339: Status is 'To Do', expected 'In Progress'

Commit 104675413a08

Summary: net_sched: hfsc: Fix a UAF vulnerability in class handling

⚠️ Warnings:

  • VULN-67697: No time logged - please log time manually

Summary: Checked 7 commit(s) total.


@github-actions github-actions bot left a comment


⚠️ This PR contains VULN tickets that do not match the target LTS product. Please review the JIRA ticket assignments and ensure they match the merge target branch.

We are going to use this github action to do all the PR git commit
processing. Since the kernel-src-tree is so large we need to minimize
the wasted cycles on common checkout actions.
We will be reaching into our JIRA to check the state of each commit's
jira. In this we want to ensure that the target branch matches the
defined branch for that product and validate that the CVE ID is also
correct for the ticket. It will also check to confirm that the tickets
are in progress and have time logged; if either is untrue then it will
produce a warning.

In the event there are Product or CVE mismatches it will block the PR
and request changes.
@PlaidCat PlaidCat force-pushed the {jmaple}_fips-8-compliant/4.18.0-553.16.1 branch from a145ba6 to 487b0da Compare October 10, 2025 00:39

JIRA PR Check Results

3 commit(s) with issues found:

Commit 2621a890be52

Summary: NFS: Fix filehandle bounds checking in nfs_fh_to_dentry()

❌ Errors:

  • VULN-136575: CVE mismatch - Commit has CVE-2025-1234556789 but VULN ticket does not
  • VULN-136574: CVE mismatch - Commit has CVE-2025-1234556789 but VULN ticket does not
  • VULN-136573: CVE mismatch - Commit has CVE-2025-1234556789 but VULN ticket does not
  • VULN-136573: Status is 'To Do', expected 'In Progress'
  • VULN-136573: LTS product 'lts-8.6' expects branch 'ciqlts8_6', but merge target is 'fips-8-compliant/4.18.0-553.16.1'

⚠️ Warnings:

  • VULN-136573: No time logged - please log time manually

Commit f631fe5b7fff

Summary: sctp: linearize cloned gso packets in sctp_rcv

❌ Errors:

  • VULN-136339: Status is 'To Do', expected 'In Progress'

Commit 104675413a08

Summary: net_sched: hfsc: Fix a UAF vulnerability in class handling

⚠️ Warnings:

  • VULN-67697: No time logged - please log time manually

Summary: Checked 5 commit(s) total.


@github-actions github-actions bot left a comment


⚠️ This PR contains VULN tickets that do not match the target LTS product. Please review the JIRA ticket assignments and ensure they match the merge target branch.
