Skip to content

[LTS 9.6] net: CVE-2025-40158, CVE-2025-40135, CVE-2025-40170, CVE-2025-21766#1446

Open
pvts-mat wants to merge 18 commits into
ctrliq:ciqlts9_6from
pvts-mat:CVE-batch-41_ciqlts9_6
Open

[LTS 9.6] net: CVE-2025-40158, CVE-2025-40135, CVE-2025-40170, CVE-2025-21766#1446
pvts-mat wants to merge 18 commits into
ctrliq:ciqlts9_6from
pvts-mat:CVE-batch-41_ciqlts9_6

Conversation

@pvts-mat

Copy link
Copy Markdown
Contributor

[LTS 9.6]

CVE-2025-40158 VULN-162723
CVE-2025-40135 VULN-162725
CVE-2025-40170 VULN-162719
CVE-2025-21766 VULN-162081

Summary

This PR follows closely the merge request for CentOS 9.8 for the same CVEs set. The differences:

  • CVE-2025-21766 was included as part of the solution, but it's only a matter of tagging the 1395121 backport, which exists in the CentOS MR as well.
  • Additional commit 4693085 had to be included as one of prerequisites; it's present in centos9 as aa0e0ee, unlike in ciqlts9_6.
  • Commit caedcc5 net: dst: introduce dst->dev_rcu raised some kABI issues which had to be resolved. More details in the Commits section.

An upstream commit was picked directly wherever possible. Otherwise a CentOS 9 backport was used. The LTS 9.6 net subsystem follows CentOS 9 close enough that none of the CentOS 9 commits required additional tailoring.

PR Structure

Overview

All fixes for the main CVEs (CVE-2025-40158, CVE-2025-40135, CVE-2025-40170) lie on the same branch merged into upstream in 864ecc4 net: add rcu safety to dst->dev. This branch builds on top of three others (starting from most recent):

  • 7945fe4 net: add data-race annotations around dst fields
  • 3da81cb net: first round to use dev_net_rcu()
  • 85496c9 net: remove some rcu_bh cruft

All but the last one deal with the same problem: data races in accessing the dev field of struct dst_entry. All CVEs solved in this PR are different cases of that issue. The net: remove some rcu_bh cruft branch is a form of synchronization optimization, which is nonetheless assumed to be in place by the bugfixing branches following it.

This PR is, roughly, the backporting of the four branches listed above, reduced in scope to those commits necessary to solve the three main CVEs with the highest CVSS. Backporting them in different scopes (either wider or narrower) was evaluated for each branch and discussed below. While some deviations from the CentOS 9 solution could be justified, it was nevertheless decided to follow it, as it seems to be capturing the best value for the backporting effort.

Branch net: remove some rcu_bh cruft (group bh) + fixes

git log -n 4 --oneline --graph 85496c9b3bf8dbe15e2433d3a0197954d323cadc
*   85496c9b3bf8dbe15e2433d3a0197954d323cadc Merge branch 'net-remove-some-rcu_bh-cruft'
|\  
| * fe602c87df1b6927562f4ee61edd851bb9578a49 net: remove rcu_dereference_bh_rtnl()
| * 09eed1192cec1755967f2af8394207acdde579a1 neighbour: switch to standard rcu, instead of rcu_bh
| * 4c5c496a942fa3d2197f5be22762695170c95863 ipv6: flowlabel: do not disable BH where not needed
|/
upstream ciqlts9_6 centos9 Groups PR pick CVE Fixes Fixed by Subject
fe602c8 - 47ddbcf bh:0 mr:12 fe602c8 - - - `net: remove rcu_dereference_bh_rtnl()`
09eed11 - 8b5b970 bh:1 mr:13 8b5b970 - - 2033ab9 ef1148d fb86c42 `neighbour: switch to standard rcu, instead of rcu_bh`
4c5c496 - b1c4527 bh:2 mr:14 4c5c496 - - - `ipv6: flowlabel: do not disable BH where not needed`

This branch was backported in whole. Its main goal is to remove, in the neighbor discovery protocols of the network stack, the disabling of soft IRQs in the RCU read critical sections. General pattern:

rcu_read_lock_bh();
/* RCU read critical section*/
/* ... */
rcu_read_unlock_bh();

=>

rcu_read_lock();
/* RCU read critical section*/
/* ... */
rcu_read_unlock();

The rcu_read_lock_bh() function disables soft interrupts (_bh = bottom half) on CPU. This makes sure the protected section is exited as quickly as possible, keeping the RCU grace period short. This is desirable, given that some writers may use blocking procedures like synchronize_rcu() before freeing the protected object (unlike the asynchronous call_rcu(), for example). However, disabling interrupts also have its cost, and _bh optimization didn't seem to be needed. From 85496c9's message:

There is no point using rcu_bh variant hoping to free objects faster,
especially hen using call_rcu() or kfree_rcu().

Disabling/enabling BH has a non-zero cost, and adds distracting
hot spots in kernel profiles eg. in ip6_xmit().

Commit neighbour: switch to standard rcu, instead of rcu_bh introduces a few bugs and their fixes were backported as well.

upstream ciqlts9_6 centos9 Groups PR pick CVE Fixes Fixed by Subject
fb86c42 - 6ba7eeb mr:9 fb86c42 - 09eed11 - `bpf: Fix mismatched RCU unlock flavour in bpf_out_neigh_v6`
2033ab9 - 885a181 mr:10 2033ab9 - 09eed11 - `vrf: Fix lockdep splat in output path`
ef1148d - 4c4ddc8 mr:11 ef1148d - 09eed11 - `ipv6: remove nexthop_fib6_nh_bh()`

Branch net: first round to use dev_net_rcu() (group ip)

git log -n 13 --oneline --graph 3da81cb9a4ac26ac6bc7ef48508b3ebea714eb1a
*   3da81cb9a4ac26ac6bc7ef48508b3ebea714eb1a Merge branch 'net-first-round-to-use-dev_net_rcu'
|\  
| * b768294d449da6d7dc0667c1ec92dc4af6ef766b ipv6: Use RCU in ip6_input()
| * 34aef2b0ce3aa4eb4ef2e1f5cad3738d527032f5 ipv6: icmp: convert to dev_net_rcu()
| * 3c8ffcd248da34fc41e52a46e51505900115fc2a ipv6: use RCU protection in ip6_default_advmss()
| * afec62cd0a4191cde6dd3a75382be4d51a38ce9b flow_dissector: use RCU protection to fetch dev_net()
| * 4b8474a0951e605d2a27a2c483da4eb4b8c63760 ipv4: icmp: convert to dev_net_rcu()
| * 139512191bd06f1b496117c76372b2ce372c9a41 ipv4: use RCU protection in __ip_rt_update_pmtu() *
| * 719817cd293e4fa389e1f69c396f3f816ed5aa41 ipv4: use RCU protection in inet_select_addr()
| * dd205fcc33d92d54eee4d7f21bb073af9bd5ce2b ipv4: use RCU protection in rt_is_expired()
| * 71b8471c93fa0bcab911fcb65da1eb6c4f5f735f ipv4: use RCU protection in ipv4_default_advmss()
| * 071d8012869b6af352acca346ade13e7be90a49f ipv4: use RCU protection in ip_dst_mtu_maybe_forward() *
| * 469308552ca4560176cfc100e7ca84add1bebd7c ipv4: add RCU protection to ip4_dst_hoplimit() *
| * 482ad2a4ace2740ca0ff1cbc8f3c7f862f3ab507 net: add dev_net_rcu() helper
|/  
upstream ciqlts9_6 centos9 Groups PR pick CVE Fixes Fixed by Subject
b768294 - - ip:0 - - - - `ipv6: Use RCU in ip6_input()`
34aef2b - - ip:1 - - 9a43b70 - `ipv6: icmp: convert to dev_net_rcu()`
3c8ffcd 9601d84 bad0070 ip:2 - CVE-2025-21765(F) 5578689 - `ipv6: use RCU protection in ip6_default_advmss()`
afec62c - ef9f434 ip:3 - - 9b52e3f - `flow_dissector: use RCU protection to fetch dev_net()`
4b8474a - - ip:4 - - dde1bc0 - `ipv4: icmp: convert to dev_net_rcu()`
1395121 - fd7e9d2 ip:5 mr:6 fd7e9d2 CVE-2025-21766(F) 1de6b15 2fbc6e8 - `ipv4: use RCU protection in __ip_rt_update_pmtu()`
719817c - 0d3e725 ip:6 - - c4544c7 - `ipv4: use RCU protection in inet_select_addr()`
dd205fc - c6c52c7 ip:7 - - e84f84f - `ipv4: use RCU protection in rt_is_expired()`
71b8471 - - ip:8 - - 2e9589f - `ipv4: use RCU protection in ipv4_default_advmss()`
071d801 - 4ea98f0 ip:9 mr:1 4ea98f0 - f87c10a - `ipv4: use RCU protection in ip_dst_mtu_maybe_forward()`
4693085 - aa0e0ee ip:10 4693085 - fa50d97 - `ipv4: add RCU protection to ip4_dst_hoplimit()`
482ad2a cb32423 db65b8b ip:11 - - - - `net: add dev_net_rcu() helper`

This branch is the first patch set aiming to guard the dst_entry::dev field. Two commits were already present in ciqlts9_6 as part of CVE-2025-21765 fix (482ad2a prereq + 3c8ffcd fix). CentOS 9 MR included two additional commits from this branch:

Additionally, for this LTS 9.6 PR, the 4693085 commit was picked as prerequisite for CVE-2025-40170 fix.

This branch ports easily in whole, without any conflicts. Despite every commit fixing some data race, however, only two of them are oficially recognized as vulnerability fixes, and were addressed already. To keep the scope of this PR CVE-centered none of the additional commits were backported.

Branch net: add data-race annotations around dst fields (group race)

git log -n 11 --oneline --graph 7945fe4858663f2d3b80b5ddcc939efbeba4f36e
*   7945fe4858663f2d3b80b5ddcc939efbeba4f36e Merge branch 'net-add-data-race-annotations-around-dst-fields'
|\  
| * 46a94e44b9ec4d8d20108a1748c410d71a8dc759 ipv6: ip6_mc_input() and ip6_mr_input() cleanups
| * 93d1cff35adc522a5d21e722eee1071f3f7dc716 ipv6: adopt skb_dst_dev() and skb_dst_dev_net[_rcu]() helpers
| * 1caf27297215a5241f9bfc9c07336349d9034ee3 ipv6: adopt dst_dev() helper
| * a74fc62eec155ca5a6da8ff3856f3dc87fe24558 ipv4: adopt dst_dev, skb_dst_dev and skb_dst_dev_net[_rcu]
| * 88fe14253e181878c2ddb51a298ae8c468a63010 net: dst: add four helpers to annotate data-races around dst->dev
| * 2dce8c52a98995c4719def6f88629ab1581c0b82 net: dst: annotate data-races around dst->output
| * f1c5fd34891a1c242885f48c2e4dc52df180f311 net: dst: annotate data-races around dst->input
| * 8f2b2282d04a5d5bcbec22f91572bb6803cfc771 net: dst: annotate data-races around dst->lastuse
| * 36229b2caca2228b834c03fb83867022485a0563 net: dst: annotate data-races around dst->expires
| * 8a402bbe54760dea67f1b2980c727761b47994d7 net: dst: annotate data-races around dst->obsolete
|/
upstream ciqlts9_6 centos9 Groups PR pick CVE Fixes Fixed by Subject
46a94e4 - - race:0   - - - `ipv6: ip6_mc_input() and ip6_mr_input() cleanups`
93d1cff - - race:1   - - - `ipv6: adopt skb_dst_dev() and skb_dst_dev_net[_rcu]() helpers`
1caf272 - - race:2   - - - `ipv6: adopt dst_dev() helper`
a74fc62 - - race:3   - - - `ipv4: adopt dst_dev, skb_dst_dev and skb_dst_dev_net[_rcu]`
88fe142 - 098485b race:4 mr:8 098485b - 4a6ce2b - `net: dst: add four helpers to annotate data-races around dst->dev`
2dce8c5 - - race:5   - 4a6ce2b - `net: dst: annotate data-races around dst->output`
f1c5fd3 - - race:6   - 4a6ce2b - `net: dst: annotate data-races around dst->input`
8f2b228 - - race:7   - - - `net: dst: annotate data-races around dst->lastuse`
36229b2 - - race:8   - - - `net: dst: annotate data-races around dst->expires`
8a402bb - - race:9   - - - `net: dst: annotate data-races around dst->obsolete`

This branch continues adding protection around various dst_entry fields. Despite many of the commits fixing data races none of them has any CVE associated. Only one commit was included in this PR, which defines functions heavily used in the next branch. In fact, all the following commits from this group (from race:4 to race:0 in total) are prerequisites for the clean backport of the next branch. However, backporting this branch is difficult. Except for 2dce8c5 all commits cause many conflicts and they are often wide in scope. For this reason the manual conflict resolution of the dst branch backport was chosen instead.

The

Branch net: add rcu safety to dst->dev (group dst)

git log -n 9 --oneline --graph 864ecc4a6dade82d3f70eab43dad0e277aa6fc78
*   864ecc4a6dade82d3f70eab43dad0e277aa6fc78 Merge branch 'net-add-rcu-safety-to-dst-dev'
|\  
| * 6ad8de3cefdb6ffa6708b21c567df0dbf82c43a8 ipv4: start using dst_dev_rcu()
| * b62a59c18b692f892dcb8109c1c2e653b2abc95c tcp: use dst_dev_rcu() in tcp_fastopen_active_disable_ofo_check()
| * 50c127a69cd6285300931853b352a1918cfa180f tcp_metrics: use dst_dev_net_rcu()
| * 99a2ace61b211b0be861b07fbaa062fca4b58879 net: use dst_dev_rcu() in sk_setup_caps()
| * 11709573cc4e48dc34c80fc7ab9ce5b159e29695 ipv6: use RCU in ip6_output()
| * 9085e56501d93af9f2d7bd16f7fcfacdde47b99c ipv6: use RCU in ip6_xmit()
| * b775ecf1655cedbc465fd6699ab18a2bc4e7a352 ipv6: start using dst_dev_rcu()
| * caedcc5b6df1b2e2b5f39079e3369c1d4d5c5f50 net: dst: introduce dst->dev_rcu
|/
upstream ciqlts9_6 centos9 Groups PR pick CVE Fixes Fixed by Subject
6ad8de3 - - dst:0   CVE-2025-40074(F) 4a6ce2b - `ipv4: start using dst_dev_rcu()`
b62a59c - - dst:1   CVE-2025-68188(F) - - `tcp: use dst_dev_rcu() in tcp_fastopen_active_disable_ofo_check()`
50c127a - - dst:2   CVE-2025-40075(F) 4a6ce2b - `tcp_metrics: use dst_dev_net_rcu()`
99a2ace - acc5b1b dst:3 mr:0 acc5b1b CVE-2025-40170(F) 4a6ce2b - `net: use dst_dev_rcu() in sk_setup_caps()`
1170957 - 9b21011 dst:4 mr:4 9b21011 CVE-2025-40158(F) 4a6ce2b - `ipv6: use RCU in ip6_output()`
9085e56 - f37f7b3 dst:5 mr:3 f37f7b3 CVE-2025-40135(F) 4a6ce2b - `ipv6: use RCU in ip6_xmit()`
b775ecf - - dst:6   - 4a6ce2b - `ipv6: start using dst_dev_rcu()`
caedcc5 - ca6810f dst:7 mr:5 ca6810f - 4a6ce2b - `net: dst: introduce dst->dev_rcu`

This branch covers the fixes of all the main CVEs addressed in this PR (CVE-2025-40158, CVE-2025-40135, CVE-2025-40170). All cherry-picks were taken from the CentOS 9 MR, which accounted for the missing race branch backports already. Additionally 3 more CVE fixes can be found:

Because of the effort required for fixing CVE-2025-40074 it was not included in this PR. Although CVE-2025-68188 and CVE-2025-40075 were much easier to address they were omitted as well, given their relatively low CVSS score and an already big volume of this PR. Can be solved in a follow-up PR, if requested.

PR commits table

The following table summarizes the commits used in this PR in a similar fashion to how it was done for the backported branches. The mr group designates the commits from the CentOS 9 MR

upstream ciqlts9_6 centos9 Groups PR pick CVE Fixes Fixed by Subject
99a2ace - acc5b1b mr:0 dst:3 acc5b1b CVE-2025-40170(F) 4a6ce2b - `net: use dst_dev_rcu() in sk_setup_caps()`
4693085 - aa0e0ee ip:10 4693085 - fa50d97 - `ipv4: add RCU protection to ip4_dst_hoplimit()`
071d801 - 4ea98f0 mr:1 ip:9 4ea98f0 - f87c10a - `ipv4: use RCU protection in ip_dst_mtu_maybe_forward()`
ac6627a - 4f5a216 mr:2 ac6627a - - - `net: ipv4: Consolidate ipv4_mtu and ip_dst_mtu_maybe_forward`
9085e56 - f37f7b3 mr:3 dst:5 f37f7b3 CVE-2025-40135(F) 4a6ce2b - `ipv6: use RCU in ip6_xmit()`
1170957 - 9b21011 mr:4 dst:4 9b21011 CVE-2025-40158(F) 4a6ce2b - `ipv6: use RCU in ip6_output()`
caedcc5 - ca6810f mr:5 dst:7 ca6810f - 4a6ce2b - `net: dst: introduce dst->dev_rcu`
1395121 - fd7e9d2 mr:6 ip:5 fd7e9d2 CVE-2025-21766(F) 1de6b15 2fbc6e8 - `ipv4: use RCU protection in __ip_rt_update_pmtu()`
1dbf1d5 - fb02c5a mr:7 fb02c5a - - - `net: Add locking to protect skb->dev access in ip_output`
88fe142 - 098485b mr:8 race:4 098485b - 4a6ce2b - `net: dst: add four helpers to annotate data-races around dst->dev`
fb86c42 - 6ba7eeb mr:9 fb86c42 - 09eed11 - `bpf: Fix mismatched RCU unlock flavour in bpf_out_neigh_v6`
2033ab9 - 885a181 mr:10 2033ab9 - 09eed11 - `vrf: Fix lockdep splat in output path`
ef1148d - 4c4ddc8 mr:11 ef1148d - 09eed11 - `ipv6: remove nexthop_fib6_nh_bh()`
fe602c8 - 47ddbcf mr:12 bh:0 fe602c8 - - - `net: remove rcu_dereference_bh_rtnl()`
09eed11 - 8b5b970 mr:13 bh:1 8b5b970 - - 2033ab9 ef1148d fb86c42 `neighbour: switch to standard rcu, instead of rcu_bh`
4c5c496 - b1c4527 mr:14 bh:2 4c5c496 - - - `ipv6: flowlabel: do not disable BH where not needed`
c486640 - d344737 mr:15 c486640 - - - `ipv6: remove one read_lock()/read_unlock() pair in rt6_check_neigh()`
1e84dc6 - a6df1e3 mr:16 1e84dc6 - - - `neigh: introduce neigh_confirm() helper function`

A few new commits occur here, not discussed so far:

  • 1e84dc6 neigh: introduce neigh_confirm() helper function: Simplifies the backport of 09eed11.
  • c486640 ipv6: remove one read_lock()/read_unlock() pair in rt6_check_neigh(): Simplifies the rt6_check_neigh function, later modified in neighbour: switch to standard rcu, instead of rcu_bh. Note that the changes introduced there don't make sense without the accompanying WRITE_ONCE(neigh->nud_state) done in the sibling commit b071af5 from the same branch. However, it is already bacported to ciqlts9_6 as b167c4e.
  • 1dbf1d5 net: Add locking to protect skb->dev access in ip_output: Defines dst_dev_rcu used by CVE-2025-40135 and CVE-2025-40170 fixes. Also it seems it should have its ow CVE, given that it's just the ip4 version of the CVE-2025-40158 fix 1170957.
  • ac6627a net: ipv4: Consolidate ipv4_mtu and ip_dst_mtu_maybe_forward: This commit prepares the ip_dst_mtu_maybe_forward function for the next one, 071d801.

Commits

net: use dst_dev_rcu() in sk_setup_caps()

jira VULN-162719
cve CVE-2025-40170
commit-author Eric Dumazet <edumazet@google.com>
commit 99a2ace61b211b0be861b07fbaa062fca4b58879
upstream-diff Used CentOS 9 backport
  acc5b1b3f6e937c219da6eff70f79f29c0c794e0 for a clean pick
ipv4: add RCU protection to ip4_dst_hoplimit()

jira VULN-162719
cve-pre CVE-2025-40170
commit-author Eric Dumazet <edumazet@google.com>
commit 469308552ca4560176cfc100e7ca84add1bebd7c
ipv4: use RCU protection in ip_dst_mtu_maybe_forward()

jira VULN-162719
cve-pre CVE-2025-40170
commit-author Eric Dumazet <edumazet@google.com>
commit 071d8012869b6af352acca346ade13e7be90a49f
upstream-diff Used CentOS 9 backport
  4ea98f09499595e3b4b380e5ef60c2c9563b06be for a clean pick
net: ipv4: Consolidate ipv4_mtu and ip_dst_mtu_maybe_forward

jira VULN-162719
cve-pre CVE-2025-40170
commit-author Vadim Fedorenko <vfedorenko@novek.ru>
commit ac6627a28dbfb5d96736544a00c3938fa7ea6dfb
ipv6: use RCU in ip6_xmit()

jira VULN-162725
cve CVE-2025-40135
commit-author Eric Dumazet <edumazet@google.com>
commit 9085e56501d93af9f2d7bd16f7fcfacdde47b99c
upstream-diff Used CentOS 9 backport
  f37f7b3231da22922882bd67b4918788919216b8 for a clean pick
ipv6: use RCU in ip6_output()

jira VULN-162723
cve CVE-2025-40158
commit-author Eric Dumazet <edumazet@google.com>
commit 11709573cc4e48dc34c80fc7ab9ce5b159e29695
upstream-diff Used CentOS 9 backport
  9b21011cae661b5f80f0ea5220b288f423d6df69 for a clean pick
net: dst: introduce dst->dev_rcu

jira VULN-162719
cve-pre CVE-2025-40170
commit-author Eric Dumazet <edumazet@google.com>
commit caedcc5b6df1b2e2b5f39079e3369c1d4d5c5f50
upstream-diff Used CentOS 9 backport
  ca6810ffc83408a1dd36676447c35d0348ef0571 as a clean cherry-pick base.
  Used RH_KABI_REPLACE in `struct dst_entry' to silence the kABI
  checker. Originally the `struct net_device *dev' field was changed
  into a union of `struct net_device *dev' and `struct net_device __rcu
  *dev_rcu'. The latter has the same size and alignment as the former
  (this is actually checked statically by the RH_KABI_REPLACE macro),
  with the `__rcu' annotation serving only at compile time and being
  invisible to the binary output. The `dev_rcu' is therefore just an
  alias for the `dev' field.
ipv4: use RCU protection in __ip_rt_update_pmtu()

jira VULN-162081
cve CVE-2025-21766
commit-author Eric Dumazet <edumazet@google.com>
commit 139512191bd06f1b496117c76372b2ce372c9a41
upstream-diff Used CentOS 9 backport
  fd7e9d21f4fa35270f40feb436ad53deebbcc0ee for a clean pick
net: Add locking to protect skb->dev access in ip_output

jira VULN-162725
cve-pre CVE-2025-40135
commit-author Sharath Chandra Vurukala <quic_sharathv@quicinc.com>
commit 1dbf1d590d10a6d1978e8184f8dfe20af22d680a
upstream-diff Used CentOS 9 backport
  fb02c5a748f81d46ac611837d63f148721f36dec for a clean pick
net: dst: add four helpers to annotate data-races around dst->dev

jira VULN-162719
cve-pre CVE-2025-40170
commit-author Eric Dumazet <edumazet@google.com>
commit 88fe14253e181878c2ddb51a298ae8c468a63010
upstream-diff Used CentOS 9 backport
  098485bd7555a047d4c54974c72fcc8e62f97294 for a clean pick
bpf: Fix mismatched RCU unlock flavour in bpf_out_neigh_v6

jira VULN-162723
cve-pre CVE-2025-40158
commit-author Jiawei Ye <jiawei.ye@foxmail.com>
commit fb86c42a2a5d44e849ddfbc98b8d2f4f40d36ee3
vrf: Fix lockdep splat in output path

jira VULN-162723
cve-pre CVE-2025-40158
commit-author Ido Schimmel <idosch@nvidia.com>
commit 2033ab90380d46e0e9f0520fd6776a73d107fd95
ipv6: remove nexthop_fib6_nh_bh()

jira VULN-162723
cve-pre CVE-2025-40158
commit-author Eric Dumazet <edumazet@google.com>
commit ef1148d4487438a3408d6face2a8360d91b4af70
net: remove rcu_dereference_bh_rtnl()

jira VULN-162723
cve-pre CVE-2025-40158
commit-author Eric Dumazet <edumazet@google.com>
commit fe602c87df1b6927562f4ee61edd851bb9578a49
neighbour: switch to standard rcu, instead of rcu_bh

jira VULN-162723
cve-pre CVE-2025-40158
commit-author Eric Dumazet <edumazet@google.com>
commit 09eed1192cec1755967f2af8394207acdde579a1
upstream-diff Used CentOS 9 backport
  8b5b9707c3f82d029fbcad0997be1905bdd6945e for a clean pick
ipv6: flowlabel: do not disable BH where not needed

jira VULN-162723
cve-pre CVE-2025-40158
commit-author Eric Dumazet <edumazet@google.com>
commit 4c5c496a942fa3d2197f5be22762695170c95863
ipv6: remove one read_lock()/read_unlock() pair in rt6_check_neigh()

jira VULN-162723
cve-pre CVE-2025-40158
commit-author Eric Dumazet <edumazet@google.com>
commit c486640aa710ddd06c13a7f7162126e1552e8842
neigh: introduce neigh_confirm() helper function

jira VULN-162723
cve-pre CVE-2025-40158
commit-author Yajun Deng <yajun.deng@linux.dev>
commit 1e84dc6b7bbfc4d1dd846decece4611b7e035772

kABI check: passed

[1/2] kabi_check_kernel	Check ABI of kernel [ciqlts9_6-CVE-batch-41]	_kabi_check_kernel__x86_64--test--ciqlts9_6-CVE-batch-41
+ dist_git_version=el-9.6
+ local_version=ciqlts9_6-CVE-batch-41
+ arch=x86_64
+ user=pvts
+ buildmachine=x86_64--build--ciqlts9_6
+ virsh_timeout=600
+ ssh_daemon_wait=20
+ src_dir=/mnt/code/kernel-dist-git-el-9.6
+ build_dir=/mnt/build_files/kernel-src-tree-ciqlts9_6-CVE-batch-41
+ sudo chmod +x /data/src/ctrliq-github-haskell/kernel-dist-git-el-9.6/SOURCES/check-kabi
+ ninja-back/virssh.xsh --max 8 --shutdown-on-success --shutdown-on-failure --timeout 600 --ssh-daemon-wait 20 pvts x86_64--build--ciqlts9_6 ''\''/mnt/code/kernel-dist-git-el-9.6/SOURCES/check-kabi'\'' -k '\''/mnt/code/kernel-dist-git-el-9.6/SOURCES/Module.kabi_x86_64'\'' -s '\''/mnt/build_files/kernel-src-tree-ciqlts9_6-CVE-batch-41/Module.symvers'\'''
kABI check passed
+ touch state/kernels/ciqlts9_6-CVE-batch-41/x86_64/kabi_checked

Boot test: passed

boot-test.log

Kselftests: passed relative

The patchset is concerned with the net subsystem specifically, so only the net* selftests were run.

Reference

kselftests–ciqlts9_6–run1.log
kselftests–ciqlts9_6–run2.log
kselftests–ciqlts9_6–run3.log
kselftests–ciqlts9_6–run4.log
kselftests–ciqlts9_6–run5.log

Patch

kselftests–ciqlts9_6-CVE-batch-41–run1.log
kselftests–ciqlts9_6-CVE-batch-41–run2.log
kselftests–ciqlts9_6-CVE-batch-41–run3.log
kselftests–ciqlts9_6-CVE-batch-41–run4.log
kselftests–ciqlts9_6-CVE-batch-41–run5.log

Comparison

Only one test net/forwarding:tc_flower_l2_miss.sh gave different results, but it proved to be inconsistent even for the reference kernel

$ ktests.xsh diff -d kselftests*.log 

Column    File
--------  --------------------------------------------
Status0   kselftests--ciqlts9_6--run1.log
Status1   kselftests--ciqlts9_6--run2.log
Status2   kselftests--ciqlts9_6--run3.log
Status3   kselftests--ciqlts9_6--run4.log
Status4   kselftests--ciqlts9_6--run5.log
Status5   kselftests--ciqlts9_6-CVE-batch-41--run1.log
Status6   kselftests--ciqlts9_6-CVE-batch-41--run2.log
Status7   kselftests--ciqlts9_6-CVE-batch-41--run3.log
Status8   kselftests--ciqlts9_6-CVE-batch-41--run4.log
Status9   kselftests--ciqlts9_6-CVE-batch-41--run5.log

TestCase                             Status0  Status1  Status2  Status3  Status4  Status5  Status6  Status7  Status8  Status9  Summary
net/forwarding:tc_flower_l2_miss.sh  pass     fail     fail     fail     pass     fail     fail     fail     pass     fail     diff

full-test-results-comparison.log

pvts-mat added 18 commits July 16, 2026 20:04
jira VULN-162723
cve-pre CVE-2025-40158
commit-author Yajun Deng <yajun.deng@linux.dev>
commit 1e84dc6

Add neigh_confirm() for the confirmed member in struct neighbour,
it can be called as an independent unit by other functions.

	Signed-off-by: Yajun Deng <yajun.deng@linux.dev>
	Reviewed-by: Eric Dumazet <edumazet@google.com>
	Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 1e84dc6)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-162723
cve-pre CVE-2025-40158
commit-author Eric Dumazet <edumazet@google.com>
commit c486640

rt6_check_neigh() uses read_lock() to protect n->nud_state reading.

This seems overkill and causes false sharing.

	Signed-off-by: Eric Dumazet <edumazet@google.com>
	Reviewed-by: David Ahern <dsahern@kernel.org>
	Reviewed-by: Martin KaFai Lau <martin.lau@kernel.org>
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit c486640)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-162723
cve-pre CVE-2025-40158
commit-author Eric Dumazet <edumazet@google.com>
commit 4c5c496

struct ip6_flowlabel are rcu managed, and call_rcu() is used
to delay fl_free_rcu() after RCU grace period.

There is no point disabling BH for pure RCU lookups.

	Signed-off-by: Eric Dumazet <edumazet@google.com>
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 4c5c496)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-162723
cve-pre CVE-2025-40158
commit-author Eric Dumazet <edumazet@google.com>
commit 09eed11
upstream-diff Used CentOS 9 backport
  8b5b970 for a clean pick

rcu_bh is no longer a win, especially for objects freed
with standard call_rcu().

Switch neighbour code to no longer disable BH when not necessary.

	Signed-off-by: Eric Dumazet <edumazet@google.com>
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 8b5b970)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-162723
cve-pre CVE-2025-40158
commit-author Eric Dumazet <edumazet@google.com>
commit fe602c8

This helper is no longer used in the tree.

	Signed-off-by: Eric Dumazet <edumazet@google.com>
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit fe602c8)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-162723
cve-pre CVE-2025-40158
commit-author Eric Dumazet <edumazet@google.com>
commit ef1148d

After blamed commit, nexthop_fib6_nh_bh() and nexthop_fib6_nh()
are the same.

Delete nexthop_fib6_nh_bh(), and convert /proc/net/ipv6_route
to standard rcu to avoid this splat:

[ 5723.180080] WARNING: suspicious RCU usage
[ 5723.180083] -----------------------------
[ 5723.180084] include/net/nexthop.h:516 suspicious rcu_dereference_check() usage!
[ 5723.180086]
other info that might help us debug this:

[ 5723.180087]
rcu_scheduler_active = 2, debug_locks = 1
[ 5723.180089] 2 locks held by cat/55856:
[ 5723.180091] #0: ffff9440a582afa8 (&p->lock){+.+.}-{3:3}, at: seq_read_iter (fs/seq_file.c:188)
[ 5723.180100] ctrliq#1: ffffffffaac07040 (rcu_read_lock_bh){....}-{1:2}, at: rcu_lock_acquire (include/linux/rcupdate.h:326)
[ 5723.180109]
stack backtrace:
[ 5723.180111] CPU: 14 PID: 55856 Comm: cat Tainted: G S        I        6.3.0-dbx-DEV ctrliq#528
[ 5723.180115] Call Trace:
[ 5723.180117]  <TASK>
[ 5723.180119] dump_stack_lvl (lib/dump_stack.c:107)
[ 5723.180124] dump_stack (lib/dump_stack.c:114)
[ 5723.180126] lockdep_rcu_suspicious (include/linux/context_tracking.h:122)
[ 5723.180132] ipv6_route_seq_show (include/net/nexthop.h:?)
[ 5723.180135] ? ipv6_route_seq_next (net/ipv6/ip6_fib.c:2605)
[ 5723.180140] seq_read_iter (fs/seq_file.c:272)
[ 5723.180145] seq_read (fs/seq_file.c:163)
[ 5723.180151] proc_reg_read (fs/proc/inode.c:316 fs/proc/inode.c:328)
[ 5723.180155] vfs_read (fs/read_write.c:468)
[ 5723.180160] ? up_read (kernel/locking/rwsem.c:1617)
[ 5723.180164] ksys_read (fs/read_write.c:613)
[ 5723.180168] __x64_sys_read (fs/read_write.c:621)
[ 5723.180170] do_syscall_64 (arch/x86/entry/common.c:?)
[ 5723.180174] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
[ 5723.180177] RIP: 0033:0x7fa455677d2a

Fixes: 09eed11 ("neighbour: switch to standard rcu, instead of rcu_bh")
	Reported-by: syzbot <syzkaller@googlegroups.com>
	Signed-off-by: Eric Dumazet <edumazet@google.com>
	Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://lore.kernel.org/r/20230510154646.370659-1-edumazet@google.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit ef1148d)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-162723
cve-pre CVE-2025-40158
commit-author Ido Schimmel <idosch@nvidia.com>
commit 2033ab9

Cited commit converted the neighbour code to use the standard RCU
variant instead of the RCU-bh variant, but the VRF code still uses
rcu_read_lock_bh() / rcu_read_unlock_bh() around the neighbour lookup
code in its IPv4 and IPv6 output paths, resulting in lockdep splats
[1][2]. Can be reproduced using [3].

Fix by switching to rcu_read_lock() / rcu_read_unlock().

[1]
=============================
WARNING: suspicious RCU usage
6.5.0-rc1-custom-g9c099e6dbf98 ctrliq#403 Not tainted
-----------------------------
include/net/neighbour.h:302 suspicious rcu_dereference_check() usage!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 1
2 locks held by ping/183:
 #0: ffff888105ea1d80 (sk_lock-AF_INET){+.+.}-{0:0}, at: raw_sendmsg+0xc6c/0x33c0
 ctrliq#1: ffffffff85b46820 (rcu_read_lock_bh){....}-{1:2}, at: vrf_output+0x2e3/0x2030

stack backtrace:
CPU: 0 PID: 183 Comm: ping Not tainted 6.5.0-rc1-custom-g9c099e6dbf98 ctrliq#403
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc37 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0xc1/0xf0
 lockdep_rcu_suspicious+0x211/0x3b0
 vrf_output+0x1380/0x2030
 ip_push_pending_frames+0x125/0x2a0
 raw_sendmsg+0x200d/0x33c0
 inet_sendmsg+0xa2/0xe0
 __sys_sendto+0x2aa/0x420
 __x64_sys_sendto+0xe5/0x1c0
 do_syscall_64+0x38/0x80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

[2]
=============================
WARNING: suspicious RCU usage
6.5.0-rc1-custom-g9c099e6dbf98 ctrliq#403 Not tainted
-----------------------------
include/net/neighbour.h:302 suspicious rcu_dereference_check() usage!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 1
2 locks held by ping6/182:
 #0: ffff888114b63000 (sk_lock-AF_INET6){+.+.}-{0:0}, at: rawv6_sendmsg+0x1602/0x3e50
 ctrliq#1: ffffffff85b46820 (rcu_read_lock_bh){....}-{1:2}, at: vrf_output6+0xe9/0x1310

stack backtrace:
CPU: 0 PID: 182 Comm: ping6 Not tainted 6.5.0-rc1-custom-g9c099e6dbf98 ctrliq#403
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc37 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0xc1/0xf0
 lockdep_rcu_suspicious+0x211/0x3b0
 vrf_output6+0xd32/0x1310
 ip6_local_out+0xb4/0x1a0
 ip6_send_skb+0xbc/0x340
 ip6_push_pending_frames+0xe5/0x110
 rawv6_sendmsg+0x2e6e/0x3e50
 inet_sendmsg+0xa2/0xe0
 __sys_sendto+0x2aa/0x420
 __x64_sys_sendto+0xe5/0x1c0
 do_syscall_64+0x38/0x80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

[3]
#!/bin/bash

ip link add name vrf-red up numtxqueues 2 type vrf table 10
ip link add name swp1 up master vrf-red type dummy
ip address add 192.0.2.1/24 dev swp1
ip address add 2001:db8:1::1/64 dev swp1
ip neigh add 192.0.2.2 lladdr 00:11:22:33:44:55 nud perm dev swp1
ip neigh add 2001:db8:1::2 lladdr 00:11:22:33:44:55 nud perm dev swp1
ip vrf exec vrf-red ping 192.0.2.2 -c 1 &> /dev/null
ip vrf exec vrf-red ping6 2001:db8:1::2 -c 1 &> /dev/null

Fixes: 09eed11 ("neighbour: switch to standard rcu, instead of rcu_bh")
	Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
Link: https://lore.kernel.org/netdev/CA+G9fYtEr-=GbcXNDYo3XOkwR+uYgehVoDjsP0pFLUpZ_AZcyg@mail.gmail.com/
	Signed-off-by: Ido Schimmel <idosch@nvidia.com>
	Reviewed-by: David Ahern <dsahern@kernel.org>
	Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20230715153605.4068066-1-idosch@nvidia.com
	Signed-off-by: Paolo Abeni <pabeni@redhat.com>
(cherry picked from commit 2033ab9)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-162723
cve-pre CVE-2025-40158
commit-author Jiawei Ye <jiawei.ye@foxmail.com>
commit fb86c42

In the bpf_out_neigh_v6 function, rcu_read_lock() is used to begin an RCU
read-side critical section. However, when unlocking, one branch
incorrectly uses a different RCU unlock flavour rcu_read_unlock_bh()
instead of rcu_read_unlock(). This mismatch in RCU locking flavours can
lead to unexpected behavior and potential concurrency issues.

This possible bug was identified using a static analysis tool developed
by myself, specifically designed to detect RCU-related issues.

This patch corrects the mismatched unlock flavour by replacing the
incorrect rcu_read_unlock_bh() with the appropriate rcu_read_unlock(),
ensuring that the RCU critical section is properly exited. This change
prevents potential synchronization issues and aligns with proper RCU
usage patterns.

Fixes: 09eed11 ("neighbour: switch to standard rcu, instead of rcu_bh")
	Signed-off-by: Jiawei Ye <jiawei.ye@foxmail.com>
	Acked-by: Yonghong Song <yonghong.song@linux.dev>
Link: https://lore.kernel.org/r/tencent_CFD3D1C3D68B45EA9F52D8EC76D2C4134306@qq.com
	Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
(cherry picked from commit fb86c42)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-162719
cve-pre CVE-2025-40170
commit-author Eric Dumazet <edumazet@google.com>
commit 88fe142
upstream-diff Used CentOS 9 backport
  098485b for a clean pick

dst->dev is read locklessly in many contexts,
and written in dst_dev_put().

Fixing all the races is going to need many changes.

We probably will have to add full RCU protection.

Add three helpers to ease this painful process.

static inline struct net_device *dst_dev(const struct dst_entry *dst)
{
       return READ_ONCE(dst->dev);
}

static inline struct net_device *skb_dst_dev(const struct sk_buff *skb)
{
       return dst_dev(skb_dst(skb));
}

static inline struct net *skb_dst_dev_net(const struct sk_buff *skb)
{
       return dev_net(skb_dst_dev(skb));
}

static inline struct net *skb_dst_dev_net_rcu(const struct sk_buff *skb)
{
       return dev_net_rcu(skb_dst_dev(skb));
}

Fixes: 4a6ce2b ("net: introduce a new function dst_dev_put()")
	Signed-off-by: Eric Dumazet <edumazet@google.com>
	Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20250630121934.3399505-7-edumazet@google.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 098485b)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-162725
cve-pre CVE-2025-40135
commit-author Sharath Chandra Vurukala <quic_sharathv@quicinc.com>
commit 1dbf1d5
upstream-diff Used CentOS 9 backport
  fb02c5a for a clean pick

In ip_output() skb->dev is updated from the skb_dst(skb)->dev
this can become invalid when the interface is unregistered and freed,

Introduced new skb_dst_dev_rcu() function to be used instead of
skb_dst_dev() within rcu_locks in ip_output.This will ensure that
all the skb's associated with the dev being deregistered will
be transnmitted out first, before freeing the dev.

Given that ip_output() is called within an rcu_read_lock()
critical section or from a bottom-half context, it is safe to introduce
an RCU read-side critical section within it.

Multiple panic call stacks were observed when UL traffic was run
in concurrency with device deregistration from different functions,
pasting one sample for reference.

[496733.627565][T13385] Call trace:
[496733.627570][T13385] bpf_prog_ce7c9180c3b128ea_cgroupskb_egres+0x24c/0x7f0
[496733.627581][T13385] __cgroup_bpf_run_filter_skb+0x128/0x498
[496733.627595][T13385] ip_finish_output+0xa4/0xf4
[496733.627605][T13385] ip_output+0x100/0x1a0
[496733.627613][T13385] ip_send_skb+0x68/0x100
[496733.627618][T13385] udp_send_skb+0x1c4/0x384
[496733.627625][T13385] udp_sendmsg+0x7b0/0x898
[496733.627631][T13385] inet_sendmsg+0x5c/0x7c
[496733.627639][T13385] __sys_sendto+0x174/0x1e4
[496733.627647][T13385] __arm64_sys_sendto+0x28/0x3c
[496733.627653][T13385] invoke_syscall+0x58/0x11c
[496733.627662][T13385] el0_svc_common+0x88/0xf4
[496733.627669][T13385] do_el0_svc+0x2c/0xb0
[496733.627676][T13385] el0_svc+0x2c/0xa4
[496733.627683][T13385] el0t_64_sync_handler+0x68/0xb4
[496733.627689][T13385] el0t_64_sync+0x1a4/0x1a8

Changes in v3:
- Replaced WARN_ON() with  WARN_ON_ONCE(), as suggested by Willem de Bruijn.
- Dropped legacy lines mistakenly pulled in from an outdated branch.

Changes in v2:
- Addressed review comments from Eric Dumazet
- Used READ_ONCE() to prevent potential load/store tearing
- Added skb_dst_dev_rcu() and used along with rcu_read_lock() in ip_output

	Signed-off-by: Sharath Chandra Vurukala <quic_sharathv@quicinc.com>
	Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20250730105118.GA26100@hu-sharathv-hyd.qualcomm.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit fb02c5a)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-162081
cve CVE-2025-21766
commit-author Eric Dumazet <edumazet@google.com>
commit 1395121
upstream-diff Used CentOS 9 backport
  fd7e9d2 for a clean pick

__ip_rt_update_pmtu() must use RCU protection to make
sure the net structure it reads does not disappear.

Fixes: 2fbc6e8 ("ipv4: Update exception handling for multipath routes via same device")
Fixes: 1de6b15 ("Namespaceify min_pmtu sysctl")
	Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20250205155120.1676781-8-edumazet@google.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit fd7e9d2)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-162719
cve-pre CVE-2025-40170
commit-author Eric Dumazet <edumazet@google.com>
commit caedcc5
upstream-diff Used CentOS 9 backport
  ca6810f as a clean cherry-pick base.
  Used RH_KABI_REPLACE in `struct dst_entry' to silence the kABI
  checker. Originally the `struct net_device *dev' field was changed
  into a union of `struct net_device *dev' and `struct net_device __rcu
  *dev_rcu'. The latter has the same size and alignment as the former
  (this is actually checked statically by the RH_KABI_REPLACE macro),
  with the `__rcu' annotation serving only at compile time and being
  invisible to the binary output. The `dev_rcu' is therefore just an
  alias for the `dev' field.

Followup of commit 88fe142 ("net: dst: add four helpers
to annotate data-races around dst->dev").

We want to gradually add explicit RCU protection to dst->dev,
including lockdep support.

Add an union to alias dst->dev_rcu and dst->dev.

Add dst_dev_net_rcu() helper.

Fixes: 4a6ce2b ("net: introduce a new function dst_dev_put()")
	Signed-off-by: Eric Dumazet <edumazet@google.com>
	Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20250828195823.3958522-2-edumazet@google.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit d566795fc6a28cf9457511b428c86bb783ac7d7c)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-162723
cve CVE-2025-40158
commit-author Eric Dumazet <edumazet@google.com>
commit 1170957
upstream-diff Used CentOS 9 backport
  9b21011 for a clean pick

Use RCU in ip6_output() in order to use dst_dev_rcu() to prevent
possible UAF.

We can remove rcu_read_lock()/rcu_read_unlock() pairs
from ip6_finish_output2().

Fixes: 4a6ce2b ("net: introduce a new function dst_dev_put()")
	Signed-off-by: Eric Dumazet <edumazet@google.com>
	Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20250828195823.3958522-5-edumazet@google.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 9b21011)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-162725
cve CVE-2025-40135
commit-author Eric Dumazet <edumazet@google.com>
commit 9085e56
upstream-diff Used CentOS 9 backport
  f37f7b3 for a clean pick

Use RCU in ip6_xmit() in order to use dst_dev_rcu() to prevent
possible UAF.

Fixes: 4a6ce2b ("net: introduce a new function dst_dev_put()")
	Signed-off-by: Eric Dumazet <edumazet@google.com>
	Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20250828195823.3958522-4-edumazet@google.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit f37f7b3)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-162719
cve-pre CVE-2025-40170
commit-author Vadim Fedorenko <vfedorenko@novek.ru>
commit ac6627a

Consolidate IPv4 MTU code the same way it is done in IPv6 to have code
aligned in both address families

	Signed-off-by: Vadim Fedorenko <vfedorenko@novek.ru>
	Reviewed-by: David Ahern <dsahern@kernel.org>
	Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit ac6627a)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-162719
cve-pre CVE-2025-40170
commit-author Eric Dumazet <edumazet@google.com>
commit 071d801
upstream-diff Used CentOS 9 backport
  4ea98f0 for a clean pick

ip_dst_mtu_maybe_forward() must use RCU protection to make
sure the net structure it reads does not disappear.

Fixes: f87c10a ("ipv4: introduce ip_dst_mtu_maybe_forward and protect forwarding path against pmtu spoofing")
	Signed-off-by: Eric Dumazet <edumazet@google.com>
	Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://patch.msgid.link/20250205155120.1676781-4-edumazet@google.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 4ea98f0)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-162719
cve-pre CVE-2025-40170
commit-author Eric Dumazet <edumazet@google.com>
commit 4693085

ip4_dst_hoplimit() must use RCU protection to make
sure the net structure it reads does not disappear.

Fixes: fa50d97 ("ipv4: Namespaceify ip_default_ttl sysctl knob")
	Signed-off-by: Eric Dumazet <edumazet@google.com>
	Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://patch.msgid.link/20250205155120.1676781-3-edumazet@google.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 4693085)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-162719
cve CVE-2025-40170
commit-author Eric Dumazet <edumazet@google.com>
commit 99a2ace
upstream-diff Used CentOS 9 backport
  acc5b1b for a clean pick

Use RCU to protect accesses to dst->dev from sk_setup_caps()
and sk_dst_gso_max_size().

Also use dst_dev_rcu() in ip6_dst_mtu_maybe_forward(),
and ip_dst_mtu_maybe_forward().

ip4_dst_hoplimit() can use dst_dev_net_rcu().

Fixes: 4a6ce2b ("net: introduce a new function dst_dev_put()")
	Signed-off-by: Eric Dumazet <edumazet@google.com>
	Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20250828195823.3958522-6-edumazet@google.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit acc5b1b)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

1 participant