[LTS 9.6] net: CVE-2025-40158, CVE-2025-40135, CVE-2025-40170, CVE-2025-21766#1446
Open
pvts-mat wants to merge 18 commits into
Open
[LTS 9.6] net: CVE-2025-40158, CVE-2025-40135, CVE-2025-40170, CVE-2025-21766#1446pvts-mat wants to merge 18 commits into
pvts-mat wants to merge 18 commits into
Conversation
jira VULN-162723 cve-pre CVE-2025-40158 commit-author Yajun Deng <yajun.deng@linux.dev> commit 1e84dc6 Add neigh_confirm() for the confirmed member in struct neighbour, it can be called as an independent unit by other functions. Signed-off-by: Yajun Deng <yajun.deng@linux.dev> Reviewed-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> (cherry picked from commit 1e84dc6) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-162723 cve-pre CVE-2025-40158 commit-author Eric Dumazet <edumazet@google.com> commit c486640 rt6_check_neigh() uses read_lock() to protect n->nud_state reading. This seems overkill and causes false sharing. Signed-off-by: Eric Dumazet <edumazet@google.com> Reviewed-by: David Ahern <dsahern@kernel.org> Reviewed-by: Martin KaFai Lau <martin.lau@kernel.org> Signed-off-by: Jakub Kicinski <kuba@kernel.org> (cherry picked from commit c486640) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-162723 cve-pre CVE-2025-40158 commit-author Eric Dumazet <edumazet@google.com> commit 4c5c496 struct ip6_flowlabel are rcu managed, and call_rcu() is used to delay fl_free_rcu() after RCU grace period. There is no point disabling BH for pure RCU lookups. Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org> (cherry picked from commit 4c5c496) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-162723 cve-pre CVE-2025-40158 commit-author Eric Dumazet <edumazet@google.com> commit 09eed11 upstream-diff Used CentOS 9 backport 8b5b970 for a clean pick rcu_bh is no longer a win, especially for objects freed with standard call_rcu(). Switch neighbour code to no longer disable BH when not necessary. Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org> (cherry picked from commit 8b5b970) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-162723 cve-pre CVE-2025-40158 commit-author Eric Dumazet <edumazet@google.com> commit fe602c8 This helper is no longer used in the tree. Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org> (cherry picked from commit fe602c8) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-162723 cve-pre CVE-2025-40158 commit-author Eric Dumazet <edumazet@google.com> commit ef1148d After blamed commit, nexthop_fib6_nh_bh() and nexthop_fib6_nh() are the same. Delete nexthop_fib6_nh_bh(), and convert /proc/net/ipv6_route to standard rcu to avoid this splat: [ 5723.180080] WARNING: suspicious RCU usage [ 5723.180083] ----------------------------- [ 5723.180084] include/net/nexthop.h:516 suspicious rcu_dereference_check() usage! [ 5723.180086] other info that might help us debug this: [ 5723.180087] rcu_scheduler_active = 2, debug_locks = 1 [ 5723.180089] 2 locks held by cat/55856: [ 5723.180091] #0: ffff9440a582afa8 (&p->lock){+.+.}-{3:3}, at: seq_read_iter (fs/seq_file.c:188) [ 5723.180100] ctrliq#1: ffffffffaac07040 (rcu_read_lock_bh){....}-{1:2}, at: rcu_lock_acquire (include/linux/rcupdate.h:326) [ 5723.180109] stack backtrace: [ 5723.180111] CPU: 14 PID: 55856 Comm: cat Tainted: G S I 6.3.0-dbx-DEV ctrliq#528 [ 5723.180115] Call Trace: [ 5723.180117] <TASK> [ 5723.180119] dump_stack_lvl (lib/dump_stack.c:107) [ 5723.180124] dump_stack (lib/dump_stack.c:114) [ 5723.180126] lockdep_rcu_suspicious (include/linux/context_tracking.h:122) [ 5723.180132] ipv6_route_seq_show (include/net/nexthop.h:?) [ 5723.180135] ? ipv6_route_seq_next (net/ipv6/ip6_fib.c:2605) [ 5723.180140] seq_read_iter (fs/seq_file.c:272) [ 5723.180145] seq_read (fs/seq_file.c:163) [ 5723.180151] proc_reg_read (fs/proc/inode.c:316 fs/proc/inode.c:328) [ 5723.180155] vfs_read (fs/read_write.c:468) [ 5723.180160] ? up_read (kernel/locking/rwsem.c:1617) [ 5723.180164] ksys_read (fs/read_write.c:613) [ 5723.180168] __x64_sys_read (fs/read_write.c:621) [ 5723.180170] do_syscall_64 (arch/x86/entry/common.c:?) [ 5723.180174] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) [ 5723.180177] RIP: 0033:0x7fa455677d2a Fixes: 09eed11 ("neighbour: switch to standard rcu, instead of rcu_bh") Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Reviewed-by: David Ahern <dsahern@kernel.org> Link: https://lore.kernel.org/r/20230510154646.370659-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> (cherry picked from commit ef1148d) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-162723 cve-pre CVE-2025-40158 commit-author Ido Schimmel <idosch@nvidia.com> commit 2033ab9 Cited commit converted the neighbour code to use the standard RCU variant instead of the RCU-bh variant, but the VRF code still uses rcu_read_lock_bh() / rcu_read_unlock_bh() around the neighbour lookup code in its IPv4 and IPv6 output paths, resulting in lockdep splats [1][2]. Can be reproduced using [3]. Fix by switching to rcu_read_lock() / rcu_read_unlock(). [1] ============================= WARNING: suspicious RCU usage 6.5.0-rc1-custom-g9c099e6dbf98 ctrliq#403 Not tainted ----------------------------- include/net/neighbour.h:302 suspicious rcu_dereference_check() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 2 locks held by ping/183: #0: ffff888105ea1d80 (sk_lock-AF_INET){+.+.}-{0:0}, at: raw_sendmsg+0xc6c/0x33c0 ctrliq#1: ffffffff85b46820 (rcu_read_lock_bh){....}-{1:2}, at: vrf_output+0x2e3/0x2030 stack backtrace: CPU: 0 PID: 183 Comm: ping Not tainted 6.5.0-rc1-custom-g9c099e6dbf98 ctrliq#403 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc37 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0xc1/0xf0 lockdep_rcu_suspicious+0x211/0x3b0 vrf_output+0x1380/0x2030 ip_push_pending_frames+0x125/0x2a0 raw_sendmsg+0x200d/0x33c0 inet_sendmsg+0xa2/0xe0 __sys_sendto+0x2aa/0x420 __x64_sys_sendto+0xe5/0x1c0 do_syscall_64+0x38/0x80 entry_SYSCALL_64_after_hwframe+0x63/0xcd [2] ============================= WARNING: suspicious RCU usage 6.5.0-rc1-custom-g9c099e6dbf98 ctrliq#403 Not tainted ----------------------------- include/net/neighbour.h:302 suspicious rcu_dereference_check() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 2 locks held by ping6/182: #0: ffff888114b63000 (sk_lock-AF_INET6){+.+.}-{0:0}, at: rawv6_sendmsg+0x1602/0x3e50 ctrliq#1: ffffffff85b46820 (rcu_read_lock_bh){....}-{1:2}, at: vrf_output6+0xe9/0x1310 stack backtrace: CPU: 0 PID: 182 Comm: ping6 Not tainted 6.5.0-rc1-custom-g9c099e6dbf98 ctrliq#403 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc37 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0xc1/0xf0 lockdep_rcu_suspicious+0x211/0x3b0 vrf_output6+0xd32/0x1310 ip6_local_out+0xb4/0x1a0 ip6_send_skb+0xbc/0x340 ip6_push_pending_frames+0xe5/0x110 rawv6_sendmsg+0x2e6e/0x3e50 inet_sendmsg+0xa2/0xe0 __sys_sendto+0x2aa/0x420 __x64_sys_sendto+0xe5/0x1c0 do_syscall_64+0x38/0x80 entry_SYSCALL_64_after_hwframe+0x63/0xcd [3] #!/bin/bash ip link add name vrf-red up numtxqueues 2 type vrf table 10 ip link add name swp1 up master vrf-red type dummy ip address add 192.0.2.1/24 dev swp1 ip address add 2001:db8:1::1/64 dev swp1 ip neigh add 192.0.2.2 lladdr 00:11:22:33:44:55 nud perm dev swp1 ip neigh add 2001:db8:1::2 lladdr 00:11:22:33:44:55 nud perm dev swp1 ip vrf exec vrf-red ping 192.0.2.2 -c 1 &> /dev/null ip vrf exec vrf-red ping6 2001:db8:1::2 -c 1 &> /dev/null Fixes: 09eed11 ("neighbour: switch to standard rcu, instead of rcu_bh") Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org> Link: https://lore.kernel.org/netdev/CA+G9fYtEr-=GbcXNDYo3XOkwR+uYgehVoDjsP0pFLUpZ_AZcyg@mail.gmail.com/ Signed-off-by: Ido Schimmel <idosch@nvidia.com> Reviewed-by: David Ahern <dsahern@kernel.org> Reviewed-by: Eric Dumazet <edumazet@google.com> Link: https://lore.kernel.org/r/20230715153605.4068066-1-idosch@nvidia.com Signed-off-by: Paolo Abeni <pabeni@redhat.com> (cherry picked from commit 2033ab9) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-162723 cve-pre CVE-2025-40158 commit-author Jiawei Ye <jiawei.ye@foxmail.com> commit fb86c42 In the bpf_out_neigh_v6 function, rcu_read_lock() is used to begin an RCU read-side critical section. However, when unlocking, one branch incorrectly uses a different RCU unlock flavour rcu_read_unlock_bh() instead of rcu_read_unlock(). This mismatch in RCU locking flavours can lead to unexpected behavior and potential concurrency issues. This possible bug was identified using a static analysis tool developed by myself, specifically designed to detect RCU-related issues. This patch corrects the mismatched unlock flavour by replacing the incorrect rcu_read_unlock_bh() with the appropriate rcu_read_unlock(), ensuring that the RCU critical section is properly exited. This change prevents potential synchronization issues and aligns with proper RCU usage patterns. Fixes: 09eed11 ("neighbour: switch to standard rcu, instead of rcu_bh") Signed-off-by: Jiawei Ye <jiawei.ye@foxmail.com> Acked-by: Yonghong Song <yonghong.song@linux.dev> Link: https://lore.kernel.org/r/tencent_CFD3D1C3D68B45EA9F52D8EC76D2C4134306@qq.com Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org> (cherry picked from commit fb86c42) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-162719 cve-pre CVE-2025-40170 commit-author Eric Dumazet <edumazet@google.com> commit 88fe142 upstream-diff Used CentOS 9 backport 098485b for a clean pick dst->dev is read locklessly in many contexts, and written in dst_dev_put(). Fixing all the races is going to need many changes. We probably will have to add full RCU protection. Add three helpers to ease this painful process. static inline struct net_device *dst_dev(const struct dst_entry *dst) { return READ_ONCE(dst->dev); } static inline struct net_device *skb_dst_dev(const struct sk_buff *skb) { return dst_dev(skb_dst(skb)); } static inline struct net *skb_dst_dev_net(const struct sk_buff *skb) { return dev_net(skb_dst_dev(skb)); } static inline struct net *skb_dst_dev_net_rcu(const struct sk_buff *skb) { return dev_net_rcu(skb_dst_dev(skb)); } Fixes: 4a6ce2b ("net: introduce a new function dst_dev_put()") Signed-off-by: Eric Dumazet <edumazet@google.com> Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com> Link: https://patch.msgid.link/20250630121934.3399505-7-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> (cherry picked from commit 098485b) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-162725 cve-pre CVE-2025-40135 commit-author Sharath Chandra Vurukala <quic_sharathv@quicinc.com> commit 1dbf1d5 upstream-diff Used CentOS 9 backport fb02c5a for a clean pick In ip_output() skb->dev is updated from the skb_dst(skb)->dev this can become invalid when the interface is unregistered and freed, Introduced new skb_dst_dev_rcu() function to be used instead of skb_dst_dev() within rcu_locks in ip_output.This will ensure that all the skb's associated with the dev being deregistered will be transnmitted out first, before freeing the dev. Given that ip_output() is called within an rcu_read_lock() critical section or from a bottom-half context, it is safe to introduce an RCU read-side critical section within it. Multiple panic call stacks were observed when UL traffic was run in concurrency with device deregistration from different functions, pasting one sample for reference. [496733.627565][T13385] Call trace: [496733.627570][T13385] bpf_prog_ce7c9180c3b128ea_cgroupskb_egres+0x24c/0x7f0 [496733.627581][T13385] __cgroup_bpf_run_filter_skb+0x128/0x498 [496733.627595][T13385] ip_finish_output+0xa4/0xf4 [496733.627605][T13385] ip_output+0x100/0x1a0 [496733.627613][T13385] ip_send_skb+0x68/0x100 [496733.627618][T13385] udp_send_skb+0x1c4/0x384 [496733.627625][T13385] udp_sendmsg+0x7b0/0x898 [496733.627631][T13385] inet_sendmsg+0x5c/0x7c [496733.627639][T13385] __sys_sendto+0x174/0x1e4 [496733.627647][T13385] __arm64_sys_sendto+0x28/0x3c [496733.627653][T13385] invoke_syscall+0x58/0x11c [496733.627662][T13385] el0_svc_common+0x88/0xf4 [496733.627669][T13385] do_el0_svc+0x2c/0xb0 [496733.627676][T13385] el0_svc+0x2c/0xa4 [496733.627683][T13385] el0t_64_sync_handler+0x68/0xb4 [496733.627689][T13385] el0t_64_sync+0x1a4/0x1a8 Changes in v3: - Replaced WARN_ON() with WARN_ON_ONCE(), as suggested by Willem de Bruijn. - Dropped legacy lines mistakenly pulled in from an outdated branch. Changes in v2: - Addressed review comments from Eric Dumazet - Used READ_ONCE() to prevent potential load/store tearing - Added skb_dst_dev_rcu() and used along with rcu_read_lock() in ip_output Signed-off-by: Sharath Chandra Vurukala <quic_sharathv@quicinc.com> Reviewed-by: Eric Dumazet <edumazet@google.com> Link: https://patch.msgid.link/20250730105118.GA26100@hu-sharathv-hyd.qualcomm.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> (cherry picked from commit fb02c5a) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-162081 cve CVE-2025-21766 commit-author Eric Dumazet <edumazet@google.com> commit 1395121 upstream-diff Used CentOS 9 backport fd7e9d2 for a clean pick __ip_rt_update_pmtu() must use RCU protection to make sure the net structure it reads does not disappear. Fixes: 2fbc6e8 ("ipv4: Update exception handling for multipath routes via same device") Fixes: 1de6b15 ("Namespaceify min_pmtu sysctl") Signed-off-by: Eric Dumazet <edumazet@google.com> Link: https://patch.msgid.link/20250205155120.1676781-8-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> (cherry picked from commit fd7e9d2) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-162719 cve-pre CVE-2025-40170 commit-author Eric Dumazet <edumazet@google.com> commit caedcc5 upstream-diff Used CentOS 9 backport ca6810f as a clean cherry-pick base. Used RH_KABI_REPLACE in `struct dst_entry' to silence the kABI checker. Originally the `struct net_device *dev' field was changed into a union of `struct net_device *dev' and `struct net_device __rcu *dev_rcu'. The latter has the same size and alignment as the former (this is actually checked statically by the RH_KABI_REPLACE macro), with the `__rcu' annotation serving only at compile time and being invisible to the binary output. The `dev_rcu' is therefore just an alias for the `dev' field. Followup of commit 88fe142 ("net: dst: add four helpers to annotate data-races around dst->dev"). We want to gradually add explicit RCU protection to dst->dev, including lockdep support. Add an union to alias dst->dev_rcu and dst->dev. Add dst_dev_net_rcu() helper. Fixes: 4a6ce2b ("net: introduce a new function dst_dev_put()") Signed-off-by: Eric Dumazet <edumazet@google.com> Reviewed-by: David Ahern <dsahern@kernel.org> Link: https://patch.msgid.link/20250828195823.3958522-2-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> (cherry picked from commit d566795fc6a28cf9457511b428c86bb783ac7d7c) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-162723 cve CVE-2025-40158 commit-author Eric Dumazet <edumazet@google.com> commit 1170957 upstream-diff Used CentOS 9 backport 9b21011 for a clean pick Use RCU in ip6_output() in order to use dst_dev_rcu() to prevent possible UAF. We can remove rcu_read_lock()/rcu_read_unlock() pairs from ip6_finish_output2(). Fixes: 4a6ce2b ("net: introduce a new function dst_dev_put()") Signed-off-by: Eric Dumazet <edumazet@google.com> Reviewed-by: David Ahern <dsahern@kernel.org> Link: https://patch.msgid.link/20250828195823.3958522-5-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> (cherry picked from commit 9b21011) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-162725 cve CVE-2025-40135 commit-author Eric Dumazet <edumazet@google.com> commit 9085e56 upstream-diff Used CentOS 9 backport f37f7b3 for a clean pick Use RCU in ip6_xmit() in order to use dst_dev_rcu() to prevent possible UAF. Fixes: 4a6ce2b ("net: introduce a new function dst_dev_put()") Signed-off-by: Eric Dumazet <edumazet@google.com> Reviewed-by: David Ahern <dsahern@kernel.org> Link: https://patch.msgid.link/20250828195823.3958522-4-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> (cherry picked from commit f37f7b3) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-162719 cve-pre CVE-2025-40170 commit-author Vadim Fedorenko <vfedorenko@novek.ru> commit ac6627a Consolidate IPv4 MTU code the same way it is done in IPv6 to have code aligned in both address families Signed-off-by: Vadim Fedorenko <vfedorenko@novek.ru> Reviewed-by: David Ahern <dsahern@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net> (cherry picked from commit ac6627a) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-162719 cve-pre CVE-2025-40170 commit-author Eric Dumazet <edumazet@google.com> commit 071d801 upstream-diff Used CentOS 9 backport 4ea98f0 for a clean pick ip_dst_mtu_maybe_forward() must use RCU protection to make sure the net structure it reads does not disappear. Fixes: f87c10a ("ipv4: introduce ip_dst_mtu_maybe_forward and protect forwarding path against pmtu spoofing") Signed-off-by: Eric Dumazet <edumazet@google.com> Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com> Link: https://patch.msgid.link/20250205155120.1676781-4-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> (cherry picked from commit 4ea98f0) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-162719 cve-pre CVE-2025-40170 commit-author Eric Dumazet <edumazet@google.com> commit 4693085 ip4_dst_hoplimit() must use RCU protection to make sure the net structure it reads does not disappear. Fixes: fa50d97 ("ipv4: Namespaceify ip_default_ttl sysctl knob") Signed-off-by: Eric Dumazet <edumazet@google.com> Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com> Link: https://patch.msgid.link/20250205155120.1676781-3-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> (cherry picked from commit 4693085) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-162719 cve CVE-2025-40170 commit-author Eric Dumazet <edumazet@google.com> commit 99a2ace upstream-diff Used CentOS 9 backport acc5b1b for a clean pick Use RCU to protect accesses to dst->dev from sk_setup_caps() and sk_dst_gso_max_size(). Also use dst_dev_rcu() in ip6_dst_mtu_maybe_forward(), and ip_dst_mtu_maybe_forward(). ip4_dst_hoplimit() can use dst_dev_net_rcu(). Fixes: 4a6ce2b ("net: introduce a new function dst_dev_put()") Signed-off-by: Eric Dumazet <edumazet@google.com> Reviewed-by: David Ahern <dsahern@kernel.org> Link: https://patch.msgid.link/20250828195823.3958522-6-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> (cherry picked from commit acc5b1b) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
[LTS 9.6]
Summary
This PR follows closely the merge request for CentOS 9.8 for the same CVEs set. The differences:
centos9as aa0e0ee, unlike inciqlts9_6.net: dst: introduce dst->dev_rcuraised some kABI issues which had to be resolved. More details in the Commits section.An upstream commit was picked directly wherever possible. Otherwise a CentOS 9 backport was used. The LTS 9.6 net subsystem follows CentOS 9 close enough that none of the CentOS 9 commits required additional tailoring.
PR Structure
Overview
All fixes for the main CVEs (CVE-2025-40158, CVE-2025-40135, CVE-2025-40170) lie on the same branch merged into upstream in 864ecc4
net: add rcu safety to dst->dev. This branch builds on top of three others (starting from most recent):net: add data-race annotations around dst fieldsnet: first round to use dev_net_rcu()net: remove some rcu_bh cruftAll but the last one deal with the same problem: data races in accessing the
devfield ofstruct dst_entry. All CVEs solved in this PR are different cases of that issue. Thenet: remove some rcu_bh cruftbranch is a form of synchronization optimization, which is nonetheless assumed to be in place by the bugfixing branches following it.This PR is, roughly, the backporting of the four branches listed above, reduced in scope to those commits necessary to solve the three main CVEs with the highest CVSS. Backporting them in different scopes (either wider or narrower) was evaluated for each branch and discussed below. While some deviations from the CentOS 9 solution could be justified, it was nevertheless decided to follow it, as it seems to be capturing the best value for the backporting effort.
Branch
net: remove some rcu_bh cruft(groupbh) + fixesThis branch was backported in whole. Its main goal is to remove, in the neighbor discovery protocols of the network stack, the disabling of soft IRQs in the RCU read critical sections. General pattern:
=>
The
rcu_read_lock_bh()function disables soft interrupts (_bh= bottom half) on CPU. This makes sure the protected section is exited as quickly as possible, keeping the RCU grace period short. This is desirable, given that some writers may use blocking procedures likesynchronize_rcu()before freeing the protected object (unlike the asynchronouscall_rcu(), for example). However, disabling interrupts also have its cost, and_bhoptimization didn't seem to be needed. From 85496c9's message:Commit
neighbour: switch to standard rcu, instead of rcu_bhintroduces a few bugs and their fixes were backported as well.Branch
net: first round to use dev_net_rcu()(groupip)This branch is the first patch set aiming to guard the
dst_entry::devfield. Two commits were already present inciqlts9_6as part of CVE-2025-21765 fix (482ad2a prereq + 3c8ffcd fix). CentOS 9 MR included two additional commits from this branch:__ip_rt_update_pmtufunction, later also modified in the backported commit caedcc5 of the next branch. It has its own associated CVE-2025-21766.Additionally, for this LTS 9.6 PR, the 4693085 commit was picked as prerequisite for CVE-2025-40170 fix.
This branch ports easily in whole, without any conflicts. Despite every commit fixing some data race, however, only two of them are oficially recognized as vulnerability fixes, and were addressed already. To keep the scope of this PR CVE-centered none of the additional commits were backported.
Branch
net: add data-race annotations around dst fields(grouprace)This branch continues adding protection around various
dst_entryfields. Despite many of the commits fixing data races none of them has any CVE associated. Only one commit was included in this PR, which defines functions heavily used in the next branch. In fact, all the following commits from this group (fromrace:4torace:0in total) are prerequisites for the clean backport of the next branch. However, backporting this branch is difficult. Except for 2dce8c5 all commits cause many conflicts and they are often wide in scope. For this reason the manual conflict resolution of thedstbranch backport was chosen instead.The
Branch
net: add rcu safety to dst->dev(groupdst)This branch covers the fixes of all the main CVEs addressed in this PR (CVE-2025-40158, CVE-2025-40135, CVE-2025-40170). All cherry-picks were taken from the CentOS 9 MR, which accounted for the missing race branch backports already. Additionally 3 more CVE fixes can be found:
Will not fix. Backporting the fixing commits 6ad8de3 causes heavy conflicts.Fix deferred. Backporting the fixing commits b62a59c causes small conflicts, can be resolved easily.Fix deferred. Backporting the fixing commits 50c127a causes small conflicts, can be resolved easily.Because of the effort required for fixing CVE-2025-40074 it was not included in this PR. Although CVE-2025-68188 and CVE-2025-40075 were much easier to address they were omitted as well, given their relatively low CVSS score and an already big volume of this PR. Can be solved in a follow-up PR, if requested.
PR commits table
The following table summarizes the commits used in this PR in a similar fashion to how it was done for the backported branches. The
mrgroup designates the commits from the CentOS 9 MRA few new commits occur here, not discussed so far:
neigh: introduce neigh_confirm() helper function: Simplifies the backport of 09eed11.ipv6: remove one read_lock()/read_unlock() pair in rt6_check_neigh(): Simplifies thert6_check_neighfunction, later modified inneighbour: switch to standard rcu, instead of rcu_bh. Note that the changes introduced there don't make sense without the accompanyingWRITE_ONCE(neigh->nud_state)done in the sibling commit b071af5 from the same branch. However, it is already bacported tociqlts9_6as b167c4e.net: Add locking to protect skb->dev access in ip_output: Definesdst_dev_rcuused by CVE-2025-40135 and CVE-2025-40170 fixes. Also it seems it should have its ow CVE, given that it's just the ip4 version of the CVE-2025-40158 fix 1170957.net: ipv4: Consolidate ipv4_mtu and ip_dst_mtu_maybe_forward: This commit prepares theip_dst_mtu_maybe_forwardfunction for the next one, 071d801.Commits
kABI check: passed
Boot test: passed
boot-test.log
Kselftests: passed relative
The patchset is concerned with the net subsystem specifically, so only the
net*selftests were run.Reference
kselftests–ciqlts9_6–run1.log
kselftests–ciqlts9_6–run2.log
kselftests–ciqlts9_6–run3.log
kselftests–ciqlts9_6–run4.log
kselftests–ciqlts9_6–run5.log
Patch
kselftests–ciqlts9_6-CVE-batch-41–run1.log
kselftests–ciqlts9_6-CVE-batch-41–run2.log
kselftests–ciqlts9_6-CVE-batch-41–run3.log
kselftests–ciqlts9_6-CVE-batch-41–run4.log
kselftests–ciqlts9_6-CVE-batch-41–run5.log
Comparison
Only one test
net/forwarding:tc_flower_l2_miss.shgave different results, but it proved to be inconsistent even for the reference kernelfull-test-results-comparison.log