Skip to content

[ciqlts9_6] Multiple patches tested (6 commits)#1444

Open
ciq-kernel-automation[bot] wants to merge 6 commits into
ciqlts9_6from
{ciq_kernel_automation}_ciqlts9_6
Open

[ciqlts9_6] Multiple patches tested (6 commits)#1444
ciq-kernel-automation[bot] wants to merge 6 commits into
ciqlts9_6from
{ciq_kernel_automation}_ciqlts9_6

Conversation

@ciq-kernel-automation

Copy link
Copy Markdown

Summary

This PR has been automatically created after successful completion of all CI stages.

Commit Message(s)

ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr

jira VULN-169731
cve CVE-2025-68183
commit-author Coiby Xu <coxu@redhat.com>
commit 88b4cbcf6b041ae0f2fc8a34554a5b6a83a2b7cd
gfs2: Add metapath_dibh helper

jira VULN-186356
cve-pre CVE-2026-45984
commit-author Andreas Gruenbacher <agruenba@redhat.com>
commit 92099f0c92270c8c7a79e6bc6e0312ad248ea331
gfs2: Fix use-after-free in iomap inline data write path

jira VULN-186356
cve CVE-2026-45984
commit-author Deepanshu Kartikey <kartikey406@gmail.com>
commit faddeb848305e79db89ee0479bb0e33380656321
Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold

jira VULN-180257
cve CVE-2026-31408
commit-author Hyunwoo Kim <imv4bel@gmail.com>
commit 598dbba9919c5e36c54fe1709b557d64120cb94b
wifi: mac80211: drop stray 'static' from fast-RX rx_result

jira VULN-188475
cve CVE-2026-46152
commit-author Catherine <enderaoelyther@gmail.com>
commit 7a5b81e0c87a075afd572f659d8eb68c9c4cd2ba
RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path

jira VULN-188156
cve CVE-2026-46189
commit-author Jason Gunthorpe <jgg@ziepe.ca>
commit e38e86995df27f1f854063dab1f0c6a513db3faf

Test Results

✅ Build Stage

Architecture Build Time Total Time
x86_64 32m 57s 33m 53s
aarch64 18m 51s 19m 37s

✅ Boot Verification

✅ Kernel Selftests

Architecture Passed Failed Compared Against Status
x86_64 206 43 ciqlts9_6 ✅ No regressions
aarch64 154 45 ciqlts9_6 ✅ No regressions

✅ LTP Results

Architecture Passed Failed Compared Against Status
x86_64 1453 82 ciqlts9_6 ✅ No regressions
aarch64 1426 83 ciqlts9_6 ✅ No regressions

🤖 This PR was automatically generated by GitHub Actions
Run ID: 29400380667

CIQ Kernel Automation and others added 6 commits July 15, 2026 07:10
jira VULN-169731
cve CVE-2025-68183
commit-author Coiby Xu <coxu@redhat.com>
commit 88b4cbc

Currently when both IMA and EVM are in fix mode, the IMA signature will
be reset to IMA hash if a program first stores IMA signature in
security.ima and then writes/removes some other security xattr for the
file.

For example, on Fedora, after booting the kernel with "ima_appraise=fix
evm=fix ima_policy=appraise_tcb" and installing rpm-plugin-ima,
installing/reinstalling a package will not make good reference IMA
signature generated. Instead IMA hash is generated,

    # getfattr -m - -d -e hex /usr/bin/bash
    # file: usr/bin/bash
    security.ima=0x0404...

This happens because when setting security.selinux, the IMA_DIGSIG flag
that had been set early was cleared. As a result, IMA hash is generated
when the file is closed.

Similarly, IMA signature can be cleared on file close after removing
security xattr like security.evm or setting/removing ACL.

Prevent replacing the IMA file signature with a file hash, by preventing
the IMA_DIGSIG flag from being reset.

Here's a minimal C reproducer which sets security.selinux as the last
step which can also replaced by removing security.evm or setting ACL,

    #include <stdio.h>
    #include <sys/xattr.h>
    #include <fcntl.h>
    #include <unistd.h>
    #include <string.h>
    #include <stdlib.h>

    int main() {
        const char* file_path = "/usr/sbin/test_binary";
        const char* hex_string = "030204d33204490066306402304";
        int length = strlen(hex_string);
        char* ima_attr_value;
        int fd;

        fd = open(file_path, O_WRONLY|O_CREAT|O_EXCL, 0644);
        if (fd == -1) {
            perror("Error opening file");
            return 1;
        }

        ima_attr_value = (char*)malloc(length / 2 );
        for (int i = 0, j = 0; i < length; i += 2, j++) {
            sscanf(hex_string + i, "%2hhx", &ima_attr_value[j]);
        }

        if (fsetxattr(fd, "security.ima", ima_attr_value, length/2, 0) == -1) {
            perror("Error setting extended attribute");
            close(fd);
            return 1;
        }

        const char* selinux_value= "system_u:object_r:bin_t:s0";
        if (fsetxattr(fd, "security.selinux", selinux_value, strlen(selinux_value), 0) == -1) {
            perror("Error setting extended attribute");
            close(fd);
            return 1;
        }

        close(fd);

        return 0;
    }

	Signed-off-by: Coiby Xu <coxu@redhat.com>
	Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
(cherry picked from commit 88b4cbc)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-186356
cve-pre CVE-2026-45984
commit-author Andreas Gruenbacher <agruenba@redhat.com>
commit 92099f0

Add a metapath_dibh() helper for extracting the inode's buffer head from
a metapath.

	Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
(cherry picked from commit 92099f0)
	Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
jira VULN-186356
cve CVE-2026-45984
commit-author Deepanshu Kartikey <kartikey406@gmail.com>
commit faddeb8

The inline data buffer head (dibh) is being released prematurely in
gfs2_iomap_begin() via release_metapath() while iomap->inline_data
still points to dibh->b_data. This causes a use-after-free when
iomap_write_end_inline() later attempts to write to the inline data
area.

The bug sequence:
1. gfs2_iomap_begin() calls gfs2_meta_inode_buffer() to read inode
   metadata into dibh
2. Sets iomap->inline_data = dibh->b_data + sizeof(struct gfs2_dinode)
3. Calls release_metapath() which calls brelse(dibh), dropping refcount
   to 0
4. kswapd reclaims the page (~39ms later in the syzbot report)
5. iomap_write_end_inline() tries to memcpy() to iomap->inline_data
6. KASAN detects use-after-free write to freed memory

Fix by storing dibh in iomap->private and incrementing its refcount
with get_bh() in gfs2_iomap_begin(). The buffer is then properly
released in gfs2_iomap_end() after the inline write completes,
ensuring the page stays alive for the entire iomap operation.

Note: A C reproducer is not available for this issue. The fix is based
on analysis of the KASAN report and code review showing the buffer head
is freed before use.

[agruenba: Take buffer head reference in gfs2_iomap_begin() to avoid
leaks in gfs2_iomap_get() and gfs2_iomap_alloc().]

	Reported-by: syzbot+ea1cd4aa4d1e98458a55@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=ea1cd4aa4d1e98458a55
Fixes: d0a22a4 ("gfs2: Fix iomap write page reclaim deadlock")
	Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
	Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
(cherry picked from commit faddeb8)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
… sock_hold

jira VULN-180257
cve CVE-2026-31408
commit-author Hyunwoo Kim <imv4bel@gmail.com>
commit 598dbba

sco_recv_frame() reads conn->sk under sco_conn_lock() but immediately
releases the lock without holding a reference to the socket. A concurrent
close() can free the socket between the lock release and the subsequent
sk->sk_state access, resulting in a use-after-free.

Other functions in the same file (sco_sock_timeout(), sco_conn_del())
correctly use sco_sock_hold() to safely hold a reference under the lock.

Fix by using sco_sock_hold() to take a reference before releasing the
lock, and adding sock_put() on all exit paths.

Fixes: 1da177e ("Linux-2.6.12-rc2")
	Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
	Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
(cherry picked from commit 598dbba)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-188475
cve CVE-2026-46152
commit-author Catherine <enderaoelyther@gmail.com>
commit 7a5b81e

ieee80211_invoke_fast_rx() is documented as safe for parallel RX, but
its per-invocation rx_result is declared static. Concurrent callers then
share one instance and can overwrite each other's result between
ieee80211_rx_mesh_data() and the switch on res.

That can make a packet that was queued or consumed by
ieee80211_rx_mesh_data() fall through into ieee80211_rx_8023(), or make
a packet that should continue return as queued.

Make res an automatic variable so each invocation keeps its own result.

Fixes: 3468e1e ("wifi: mac80211: add mesh fast-rx support")
	Cc: stable@vger.kernel.org
	Signed-off-by: Catherine <enderaoelyther@gmail.com>
Link: https://patch.msgid.link/20260424131435.83212-2-enderaoelyther@gmail.com
	Signed-off-by: Johannes Berg <johannes.berg@intel.com>
(cherry picked from commit 7a5b81e)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-188156
cve CVE-2026-46189
commit-author Jason Gunthorpe <jgg@ziepe.ca>
commit e38e869

Sashiko points out that pvrdma_uar_free() is already called within
pvrdma_dealloc_ucontext(), so calling it before triggers a double free.

	Cc: stable@vger.kernel.org
Fixes: 29c8d9e ("IB: Add vmw_pvrdma driver")
Link: https://sashiko.dev/#/patchset/0-v1-e911b76a94d1%2B65d95-rdma_udata_rep_jgg%40nvidia.com?part=4
Link: https://patch.msgid.link/r/10-v1-41f3135e5565+9d2-rdma_ai_fixes1_jgg@nvidia.com
	Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
(cherry picked from commit e38e869)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
@ciq-kernel-automation ciq-kernel-automation Bot added the created-by-kernelci Tag PRs that were automatically created when a user branch was pushed to the repo (kernelCI) label Jul 15, 2026
@github-actions

Copy link
Copy Markdown

🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/29415136485

@github-actions

Copy link
Copy Markdown

🔍 Interdiff Analysis

  • ⚠️ PR commit 889e11fd59d (ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr) → upstream 88b4cbcf6b04
    Differences found:
================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -556,6 +556,6 @@
 	return 0;
 }
 
 static void ima_reset_appraise_flags(struct inode *inode, int digsig)
 {
-	struct integrity_iint_cache *iint;
+	struct ima_iint_cache *iint;
@@ -649,6 +784,6 @@
 		digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG);
 	} else if (!strcmp(xattr_name, XATTR_NAME_EVM) && xattr_value_len > 0) {
 		digsig = (xvalue->type == EVM_XATTR_PORTABLE_DIGSIG);
 	}
 	if (result == 1 || evm_revalidate_status(xattr_name)) {
-		result = validate_hash_algo(dentry, xvalue, xattr_value_len);
+		ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
@@ -662,7 +804,7 @@
-		      const char *acl_name, struct posix_acl *kacl)
+			     const char *acl_name, struct posix_acl *kacl)
 {
 	if (evm_revalidate_status(acl_name))
 		ima_reset_appraise_flags(d_backing_inode(dentry), 0);
 
 	return 0;
 }

This is an automated interdiff check for backported commits.

@github-actions

Copy link
Copy Markdown

Validation checks completed successfully View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/29415136485

@roxanan1996

Copy link
Copy Markdown
Contributor

🔍 Interdiff Analysis

* ⚠️ PR commit `889e11fd59d (ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr)` → upstream `88b4cbcf6b04`
  **Differences found:**
================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -556,6 +556,6 @@
 	return 0;
 }
 
 static void ima_reset_appraise_flags(struct inode *inode, int digsig)
 {
-	struct integrity_iint_cache *iint;
+	struct ima_iint_cache *iint;
@@ -649,6 +784,6 @@
 		digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG);
 	} else if (!strcmp(xattr_name, XATTR_NAME_EVM) && xattr_value_len > 0) {
 		digsig = (xvalue->type == EVM_XATTR_PORTABLE_DIGSIG);
 	}
 	if (result == 1 || evm_revalidate_status(xattr_name)) {
-		result = validate_hash_algo(dentry, xvalue, xattr_value_len);
+		ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
@@ -662,7 +804,7 @@
-		      const char *acl_name, struct posix_acl *kacl)
+			     const char *acl_name, struct posix_acl *kacl)
 {
 	if (evm_revalidate_status(acl_name))
 		ima_reset_appraise_flags(d_backing_inode(dentry), 0);
 
 	return 0;
 }

This is an automated interdiff check for backported commits.

  1. First chunk irrelevant: Because missing 4de2f08 ("ima: Make it independent from 'integrity' LSM").
    Not related to IMA_DIGSIG whatsover, I believe.

  2. Second chunk: Due to missing 5926586 ("ima: fix blocking of security.ima xattrs of unsupported algorithms"), also not relevant.

  3. Third chunk: because extra spaces because ima_inode_set_acl is now static. Done in commit 84594c9 ("ima: Move IMA-Appraisal to LSM infrastructure").

@roxanan1996 roxanan1996 requested review from a team July 16, 2026 13:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

created-by-kernelci Tag PRs that were automatically created when a user branch was pushed to the repo (kernelCI)

Development

Successfully merging this pull request may close these issues.

1 participant