[LTS 8.6] CVE-2024-58002, CVE-2025-40248, CVE-2022-48786, CVE-2025-22026 #996

Open
pvts-mat wants to merge 10 commits into ctrliq:ciqlts8_6 from pvts-mat:ciqlts8_6-CVE-batch-25

pvts-mat commented Mar 20, 2026

[LTS 8.6]

CVE-2024-58002 VULN-53459
CVE-2025-40248 VULN-160776
CVE-2022-48786 VULN-32672
CVE-2025-22026 VULN-64890

Commits

CVE-2024-58002

media: uvcvideo: Set error_idx during ctrl_commit errors

jira VULN-53459
cve-pre CVE-2024-58002
commit-author Ricardo Ribalda <ribalda@chromium.org>
commit 6350d6a4ed487d16a3a021f76a7edcb9cb60fdbf
upstream-diff |
  - Modified the `uvc_ioctl_s_ctrl()' function body to align with the new
    signature of `uvc_ctrl_commit()' it is using. A throwaway object
    `xctrls' is created on stack to encapsulate `xctrl' formerly passed to
    `uvc_ctrl_commit()' directly. This adaptation was missing from the
    backported commit, because at the moment of its introduction the
    `uvc_ioctl_s_ctrl()' function was no longer present, removed in
    0c6bcbdfefa83b8a1e9659b3c127758dce0fe7ac ("media: uvcvideo: Remove
    s_ctrl and g_ctrl"), which was not backported to LTS 8.6.
  - Solved the context conflict stemming from the missing
    ee929d5a10ca433a1c21b9aaeb70a67c5507c101

media: uvcvideo: Avoid invalid memory access

jira VULN-53459
cve-pre CVE-2024-58002
commit-author Ricardo Ribalda <ribalda@chromium.org>
commit f0577b1b6394f954903fcc67e12fe9e7001dafd6

media: uvcvideo: Avoid returning invalid controls

jira VULN-53459
cve-pre CVE-2024-58002
commit-author Ricardo Ribalda <ribalda@chromium.org>
commit 414d3b49d9fd4a0bb16a13d929027847fd094f3f

media: uvcvideo: Refactor iterators

jira VULN-53459
cve-pre CVE-2024-58002
commit-author Ricardo Ribalda <ribalda@chromium.org>
commit 64627daf0c5f7838111f52bbbd1a597cb5d6871a

media: uvcvideo: Only save async fh if success

jira VULN-53459
cve-pre CVE-2024-58002
commit-author Ricardo Ribalda <ribalda@chromium.org>
commit d9fecd096f67a4469536e040a8a10bbfb665918b

media: uvcvideo: Remove dangling pointers

jira VULN-53459
cve CVE-2024-58002
commit-author Ricardo Ribalda <ribalda@chromium.org>
commit 221cd51efe4565501a3dbf04cc011b537dcce7fb
upstream-diff Used linux-5.15.y backport
  117f7a2975baa4b7d702d3f4830d5a4ebd0c6d50 as the base because of the
  missing backport of 54da6a0924311c7cf5015533991e44fb8eb12773 which
  changed the locking scheme used in the upstream version. Resolved
  context conflicts around the `uvc_ctrl_cleanup_fh()' function

This solution is similar to the one in

The difference is the first prerequisite media: uvcvideo: Set error_idx during ctrl_commit errors which all those versions were lucky to have backported already. It required some manual stitching in the uvc_ioctl_s_ctrl() function. Backporting 0c6bcbd was considered, which would avoid the problem of modifying uvc_ioctl_s_ctrl(), but it was not clear whether the basis for this commit holds true for LTS 8.6 (from the commit's message):

If we do not implement these callbacks the framework will call the
ext_ctrl callbacks instead, which are a superset of these functions.

Adapting uvc_ioctl_s_ctrl() to the 6350d6a change was easier, faster and less risky than establishing how the framework works in LTS 8.6.

The following two commits

  • media: uvcvideo: Avoid invalid memory access,
  • media: uvcvideo: Avoid returning invalid controls

are not really prerequisites, but the bugfixes for the media: uvcvideo: Set error_idx during ctrl_commit errors prerequisite.

CVE-2025-40248 (+ CVE-2022-48786)

vsock: remove vsock from connected table when connect is interrupted by a signal

jira VULN-32672
cve CVE-2022-48786
commit-author Seth Forshee <sforshee@digitalocean.com>
commit b9208492fcaecff8f43915529ae34b3bcb03877c

vsock: avoid to close connected socket after the timeout

jira VULN-160776
cve-pre CVE-2025-40248
commit-author Zhuang Shengen <zhuangshengen@huawei.com>
commit 6d4486efe9c69626cab423456169e250a5cd3af5

vsock: Ignore signal/timeout on connect() if already established

jira VULN-160776
cve CVE-2025-40248
commit-author Michal Luczaj <mhal@rbox.co>
commit 002541ef650b742a198e4be363881439bb9d86b4

The vsock: remove vsock from connected table when connect is interrupted by a signal commit was used as a prerequisite for CVE-2025-40248, but it had its own CVE.

CVE-2025-22026

nfsd: don't ignore the return code of svc_proc_register()

jira VULN-64890
cve CVE-2025-22026
commit-author Jeff Layton <jlayton@kernel.org>
commit 930b64ca0c511521f0abdd1d57ce52b2a6e3476b
upstream-diff Ignored cherry-pick of the upstream fix - the LTS 8.6 nfsd
  codebase was too distinct from the upstream for auto merging to be
  useful in any way. Backported checking of the `svc_proc_register()' exit
  code manually:
  fs/nfsd/stats.c
        Modified function `nfsd_stat_init()' instead of
        `nfsd_proc_stat_init()' because it was renamed in the
        non-backported commit 93483ac5fec62cc1de166051b219d953bb5e4ef4.
  fs/nfsd/stats.h
        Like above
  fs/nfsd/nfsctl.c
        - Modified `init_nfsd()' where `nfsd_stat_init()' is actually used
          in LTS 8.6 instead of `nfsd_net_init()', where this function
          call (named `nfsd_proc_stat_init()' at that time) was moved in
          the non-backported commit
          93483ac5fec62cc1de166051b219d953bb5e4ef4.
        - Ignored the `percpu_counter_destroy_many()' cleanup not
          applicable to the `init_nfsd()' function. Included in the exit
          path instead the `nfsd4_exit_pnfs()' call with the use of newly
          introduced label `out_free_pnfs'.

kABI check: passed

[0/1] kabi_check_kernel	Check ABI of kernel [ciqlts8_6-CVE-batch-25]	_kabi_check_kernel__x86_64--test--ciqlts8_6-CVE-batch-25
+ dist_git_version=el-8.6
+ local_version=ciqlts8_6-CVE-batch-25
+ arch=x86_64
+ user=pvts
+ buildmachine=x86_64--build--ciqlts8_6
+ virsh_timeout=600
+ ssh_daemon_wait=20
+ src_dir=/mnt/code/kernel-dist-git-el-8.6
+ build_dir=/mnt/build_files/kernel-src-tree-ciqlts8_6-CVE-batch-25
+ sudo chmod +x /data/src/ctrliq-github-haskell/kernel-dist-git-el-8.6/SOURCES/check-kabi
+ ninja-back/virssh.xsh --max 8 --shutdown-on-success --shutdown-on-failure --timeout 600 --ssh-daemon-wait 20 pvts x86_64--build--ciqlts8_6 ''\''/mnt/code/kernel-dist-git-el-8.6/SOURCES/check-kabi'\'' -k '\''/mnt/code/kernel-dist-git-el-8.6/SOURCES/Module.kabi_x86_64'\'' -s '\''/mnt/build_files/kernel-src-tree-ciqlts8_6-CVE-batch-25/Module.symvers'\'''
kABI check passed
+ touch state/kernels/ciqlts8_6-CVE-batch-25/x86_64/kabi_checked

Boot test: passed

boot-test.log

Kselftests: passed relative

Reference

kselftests–ciqlts8_6–run1.log

Patch

kselftests–ciqlts8_6-CVE-batch-25–run1.log
kselftests–ciqlts8_6-CVE-batch-25–run2.log
kselftests–ciqlts8_6-CVE-batch-25–run3.log

Comparison

The test results for the reference and the patch are the same.

$ ktests.xsh diff  kselftests*.log

Column    File
--------  --------------------------------------------
Status0   kselftests--ciqlts8_6--run1.log
Status1   kselftests--ciqlts8_6-CVE-batch-25--run1.log
Status2   kselftests--ciqlts8_6-CVE-batch-25--run2.log
Status3   kselftests--ciqlts8_6-CVE-batch-25--run3.log

TestCase                                     Status0  Status1  Status2  Status3  Summary
android:run.sh                               skip     skip     skip     skip     same
bpf:get_cgroup_id_user                       pass     pass     pass     pass     same
bpf:test_bpftool.sh                          pass     pass     pass     pass     same
bpf:test_bpftool_build.sh                    pass     pass     pass     pass     same
bpf:test_bpftool_metadata.sh                 pass     pass     pass     pass     same
bpf:test_cgroup_storage                      pass     pass     pass     pass     same
bpf:test_dev_cgroup                          pass     pass     pass     pass     same
bpf:test_doc_build.sh                        pass     pass     pass     pass     same
bpf:test_flow_dissector.sh                   pass     pass     pass     pass     same
bpf:test_lirc_mode2.sh                       pass     pass     pass     pass     same
bpf:test_lpm_map                             pass     pass     pass     pass     same
bpf:test_lru_map                             pass     pass     pass     pass     same
bpf:test_lwt_ip_encap.sh                     pass     pass     pass     pass     same
bpf:test_lwt_seg6local.sh                    pass     pass     pass     pass     same
bpf:test_netcnt                              pass     pass     pass     pass     same
bpf:test_offload.py                          fail     fail     fail     fail     same
bpf:test_skb_cgroup_id.sh                    pass     pass     pass     pass     same
bpf:test_sock                                pass     pass     pass     pass     same
bpf:test_sock_addr.sh                        pass     pass     pass     pass     same
bpf:test_sysctl                              pass     pass     pass     pass     same
bpf:test_tag                                 pass     pass     pass     pass     same
bpf:test_tc_edt.sh                           pass     pass     pass     pass     same
bpf:test_tc_tunnel.sh                        pass     pass     pass     pass     same
bpf:test_tcp_check_syncookie.sh              pass     pass     pass     pass     same
bpf:test_tcpnotify_user                      pass     pass     pass     pass     same
bpf:test_tunnel.sh                           pass     pass     pass     pass     same
bpf:test_verifier                            pass     pass     pass     pass     same
bpf:test_verifier_log                        pass     pass     pass     pass     same
bpf:test_xdp_meta.sh                         pass     pass     pass     pass     same
bpf:test_xdp_redirect.sh                     pass     pass     pass     pass     same
bpf:test_xdp_veth.sh                         pass     pass     pass     pass     same
bpf:test_xdp_vlan_mode_generic.sh            pass     pass     pass     pass     same
bpf:test_xdp_vlan_mode_native.sh             pass     pass     pass     pass     same
bpf:test_xdping.sh                           pass     pass     pass     pass     same
bpf:urandom_read                             pass     pass     pass     pass     same
breakpoints:breakpoint_test                  pass     pass     pass     pass     same
capabilities:test_execve                     pass     pass     pass     pass     same
core:close_range_test                        pass     pass     pass     pass     same
cpu-hotplug:cpu-on-off-test.sh               pass     pass     pass     pass     same
cpufreq:main.sh                              fail     fail     fail     fail     same
exec:execveat                                pass     pass     pass     pass     same
firmware:fw_run_tests.sh                     skip     skip     skip     skip     same
fpu:run_test_fpu.sh                          skip     skip     skip     skip     same
fpu:test_fpu                                 pass     pass     pass     pass     same
ftrace:ftracetest                            fail     fail     fail     fail     same
futex:run.sh                                 pass     pass     pass     pass     same
gpio:gpio-mockup.sh                          fail     fail     fail     fail     same
intel_pstate:run.sh                          pass     pass     pass     pass     same
ipc:msgque                                   pass     pass     pass     pass     same
kcmp:kcmp_test                               pass     pass     pass     pass     same
kexec:test_kexec_file_load.sh                skip     skip     skip     skip     same
kexec:test_kexec_load.sh                     skip     skip     skip     skip     same
kvm:access_tracking_perf_test                fail     fail     fail     fail     same
kvm:amx_test                                 fail     fail     fail     fail     same
kvm:cr4_cpuid_sync_test                      fail     fail     fail     fail     same
kvm:debug_regs                               fail     fail     fail     fail     same
kvm:demand_paging_test                       pass     pass     pass     pass     same
kvm:dirty_log_perf_test                      pass     pass     pass     pass     same
kvm:dirty_log_test                           fail     fail     fail     fail     same
kvm:emulator_error_test                      fail     fail     fail     fail     same
kvm:evmcs_test                               fail     fail     fail     fail     same
kvm:get_cpuid_test                           fail     fail     fail     fail     same
kvm:get_msr_index_features                   fail     fail     fail     fail     same
kvm:hardware_disable_test                    pass     pass     pass     pass     same
kvm:hyperv_clock                             fail     fail     fail     fail     same
kvm:hyperv_cpuid                             fail     fail     fail     fail     same
kvm:hyperv_features                          fail     fail     fail     fail     same
kvm:kvm_binary_stats_test                    pass     pass     pass     pass     same
kvm:kvm_create_max_vcpus                     skip     skip     skip     skip     same
kvm:kvm_page_table_test                      pass     pass     pass     pass     same
kvm:kvm_pv_test                              fail     fail     fail     fail     same
kvm:memslot_modification_stress_test         pass     pass     pass     pass     same
kvm:memslot_perf_test                        fail     fail     fail     fail     same
kvm:mmio_warning_test                        fail     fail     fail     fail     same
kvm:mmu_role_test                            fail     fail     fail     fail     same
kvm:platform_info_test                       fail     fail     fail     fail     same
kvm:rseq_test                                fail     fail     fail     fail     same
kvm:set_boot_cpu_id                          fail     fail     fail     fail     same
kvm:set_memory_region_test                   pass     pass     pass     pass     same
kvm:set_sregs_test                           fail     fail     fail     fail     same
kvm:smm_test                                 fail     fail     fail     fail     same
kvm:state_test                               fail     fail     fail     fail     same
kvm:steal_time                               pass     pass     pass     pass     same
kvm:svm_int_ctl_test                         fail     fail     fail     fail     same
kvm:svm_vmcall_test                          fail     fail     fail     fail     same
kvm:sync_regs_test                           fail     fail     fail     fail     same
kvm:tsc_msrs_test                            fail     fail     fail     fail     same
kvm:userspace_msr_exit_test                  fail     fail     fail     fail     same
kvm:vmx_apic_access_test                     fail     fail     fail     fail     same
kvm:vmx_close_while_nested_test              fail     fail     fail     fail     same
kvm:vmx_dirty_log_test                       fail     fail     fail     fail     same
kvm:vmx_nested_tsc_scaling_test              fail     fail     fail     fail     same
kvm:vmx_pmu_msrs_test                        fail     fail     fail     fail     same
kvm:vmx_preemption_timer_test                fail     fail     fail     fail     same
kvm:vmx_set_nested_state_test                fail     fail     fail     fail     same
kvm:vmx_tsc_adjust_test                      fail     fail     fail     fail     same
kvm:xapic_ipi_test                           fail     fail     fail     fail     same
kvm:xen_shinfo_test                          fail     fail     fail     fail     same
kvm:xen_vmcall_test                          fail     fail     fail     fail     same
kvm:xss_msr_test                             fail     fail     fail     fail     same
lib:bitmap.sh                                skip     skip     skip     skip     same
lib:prime_numbers.sh                         skip     skip     skip     skip     same
lib:printf.sh                                skip     skip     skip     skip     same
lib:scanf.sh                                 fail     fail     fail     fail     same
livepatch:test-callbacks.sh                  pass     pass     pass     pass     same
livepatch:test-ftrace.sh                     pass     pass     pass     pass     same
livepatch:test-livepatch.sh                  pass     pass     pass     pass     same
livepatch:test-shadow-vars.sh                pass     pass     pass     pass     same
livepatch:test-state.sh                      pass     pass     pass     pass     same
membarrier:membarrier_test_multi_thread      pass     pass     pass     pass     same
membarrier:membarrier_test_single_thread     pass     pass     pass     pass     same
memfd:memfd_test                             pass     pass     pass     pass     same
memfd:run_fuse_test.sh                       fail     fail     fail     fail     same
memfd:run_hugetlbfs_test.sh                  pass     pass     pass     pass     same
memory-hotplug:mem-on-off-test.sh            pass     pass     pass     pass     same
mount:run_tests.sh                           pass     pass     pass     pass     same
net/forwarding:bridge_port_isolation.sh      pass     pass     pass     pass     same
net/forwarding:bridge_sticky_fdb.sh          pass     pass     pass     pass     same
net/forwarding:bridge_vlan_aware.sh          fail     fail     fail     fail     same
net/forwarding:bridge_vlan_unaware.sh        pass     pass     pass     pass     same
net/forwarding:ethtool.sh                    fail     fail     fail     fail     same
net/forwarding:gre_multipath.sh              fail     fail     fail     fail     same
net/forwarding:ip6_forward_instats_vrf.sh    fail     fail     fail     fail     same
net/forwarding:ipip_flat_gre.sh              pass     pass     pass     pass     same
net/forwarding:ipip_flat_gre_key.sh          pass     pass     pass     pass     same
net/forwarding:ipip_flat_gre_keys.sh         pass     pass     pass     pass     same
net/forwarding:ipip_hier_gre.sh              pass     pass     pass     pass     same
net/forwarding:ipip_hier_gre_key.sh          pass     pass     pass     pass     same
net/forwarding:loopback.sh                   skip     skip     skip     skip     same
net/forwarding:mirror_gre.sh                 fail     fail     fail     fail     same
net/forwarding:mirror_gre_bound.sh           pass     pass     pass     pass     same
net/forwarding:mirror_gre_bridge_1d.sh       pass     pass     pass     pass     same
net/forwarding:mirror_gre_bridge_1q.sh       pass     pass     pass     pass     same
net/forwarding:mirror_gre_bridge_1q_lag.sh   pass     pass     pass     pass     same
net/forwarding:mirror_gre_changes.sh         fail     fail     fail     fail     same
net/forwarding:mirror_gre_flower.sh          fail     fail     fail     fail     same
net/forwarding:mirror_gre_lag_lacp.sh        pass     pass     pass     pass     same
net/forwarding:mirror_gre_neigh.sh           pass     pass     pass     pass     same
net/forwarding:mirror_gre_nh.sh              pass     pass     pass     pass     same
net/forwarding:mirror_gre_vlan.sh            pass     pass     pass     pass     same
net/forwarding:mirror_vlan.sh                pass     pass     pass     pass     same
net/forwarding:router.sh                     fail     fail     fail     fail     same
net/forwarding:router_bridge.sh              pass     pass     pass     pass     same
net/forwarding:router_bridge_vlan.sh         pass     pass     pass     pass     same
net/forwarding:router_broadcast.sh           fail     fail     fail     fail     same
net/forwarding:router_multicast.sh           fail     fail     fail     fail     same
net/forwarding:router_multipath.sh           fail     fail     fail     fail     same
net/forwarding:router_vid_1.sh               pass     pass     pass     pass     same
net/forwarding:tc_chains.sh                  pass     pass     pass     pass     same
net/forwarding:tc_flower.sh                  pass     pass     pass     pass     same
net/forwarding:tc_flower_router.sh           pass     pass     pass     pass     same
net/forwarding:tc_mpls_l2vpn.sh              pass     pass     pass     pass     same
net/forwarding:tc_shblocks.sh                pass     pass     pass     pass     same
net/forwarding:tc_vlan_modify.sh             pass     pass     pass     pass     same
net/forwarding:vxlan_asymmetric.sh           pass     pass     pass     pass     same
net/forwarding:vxlan_bridge_1d.sh            fail     fail     fail     fail     same
net/forwarding:vxlan_bridge_1d_port_8472.sh  pass     pass     pass     pass     same
net/forwarding:vxlan_bridge_1q.sh            fail     fail     fail     fail     same
net/forwarding:vxlan_bridge_1q_port_8472.sh  pass     pass     pass     pass     same
net/forwarding:vxlan_symmetric.sh            pass     pass     pass     pass     same
net/mptcp:diag.sh                            pass     pass     pass     pass     same
net/mptcp:mptcp_connect.sh                   pass     pass     pass     pass     same
net/mptcp:mptcp_sockopt.sh                   pass     pass     pass     pass     same
net/mptcp:pm_netlink.sh                      pass     pass     pass     pass     same
net:bareudp.sh                               pass     pass     pass     pass     same
net:devlink_port_split.py                    pass     pass     pass     pass     same
net:drop_monitor_tests.sh                    skip     skip     skip     skip     same
net:fcnal-test.sh                            pass     pass     pass     pass     same
net:fib-onlink-tests.sh                      pass     pass     pass     pass     same
net:fib_rule_tests.sh                        fail     fail     fail     fail     same
net:fib_tests.sh                             pass     pass     pass     pass     same
net:gre_gso.sh                               pass     pass     pass     pass     same
net:icmp_redirect.sh                         pass     pass     pass     pass     same
net:ip6_gre_headroom.sh                      pass     pass     pass     pass     same
net:ipv6_flowlabel.sh                        pass     pass     pass     pass     same
net:l2tp.sh                                  pass     pass     pass     pass     same
net:msg_zerocopy.sh                          fail     fail     fail     fail     same
net:netdevice.sh                             pass     pass     pass     pass     same
net:pmtu.sh                                  pass     pass     pass     pass     same
net:psock_snd.sh                             fail     fail     fail     fail     same
net:reuseaddr_conflict                       pass     pass     pass     pass     same
net:reuseport_bpf                            pass     pass     pass     pass     same
net:reuseport_bpf_cpu                        pass     pass     pass     pass     same
net:reuseport_bpf_numa                       pass     pass     pass     pass     same
net:reuseport_dualstack                      pass     pass     pass     pass     same
net:rtnetlink.sh                             skip     skip     skip     skip     same
net:run_afpackettests                        pass     pass     pass     pass     same
net:run_netsocktests                         pass     pass     pass     pass     same
net:rxtimestamp.sh                           pass     pass     pass     pass     same
net:so_txtime.sh                             fail     fail     fail     fail     same
net:test_bpf.sh                              pass     pass     pass     pass     same
net:test_vxlan_fdb_changelink.sh             pass     pass     pass     pass     same
net:tls                                      pass     pass     pass     pass     same
net:traceroute.sh                            pass     pass     pass     pass     same
net:udpgro.sh                                fail     fail     fail     fail     same
net:udpgro_bench.sh                          fail     fail     fail     fail     same
net:udpgso.sh                                pass     pass     pass     pass     same
net:veth.sh                                  fail     fail     fail     fail     same
net:vrf-xfrm-tests.sh                        pass     pass     pass     pass     same
netfilter:conntrack_icmp_related.sh          fail     fail     fail     fail     same
netfilter:conntrack_tcp_unreplied.sh         fail     fail     fail     fail     same
netfilter:ipvs.sh                            skip     skip     skip     skip     same
netfilter:nft_flowtable.sh                   fail     fail     fail     fail     same
netfilter:nft_meta.sh                        pass     pass     pass     pass     same
netfilter:nft_nat.sh                         skip     skip     skip     skip     same
netfilter:nft_queue.sh                       skip     skip     skip     skip     same
nsfs:owner                                   pass     pass     pass     pass     same
nsfs:pidns                                   pass     pass     pass     pass     same
proc:fd-001-lookup                           pass     pass     pass     pass     same
proc:fd-002-posix-eq                         pass     pass     pass     pass     same
proc:fd-003-kthread                          pass     pass     pass     pass     same
proc:proc-loadavg-001                        pass     pass     pass     pass     same
proc:proc-self-map-files-001                 pass     pass     pass     pass     same
proc:proc-self-map-files-002                 fail     fail     fail     fail     same
proc:proc-self-syscall                       pass     pass     pass     pass     same
proc:proc-self-wchan                         pass     pass     pass     pass     same
proc:proc-uptime-001                         pass     pass     pass     pass     same
proc:proc-uptime-002                         pass     pass     pass     pass     same
proc:read                                    pass     pass     pass     pass     same
proc:setns-dcache                            fail     fail     fail     fail     same
pstore:pstore_post_reboot_tests              skip     skip     skip     skip     same
pstore:pstore_tests                          fail     fail     fail     fail     same
ptrace:peeksiginfo                           pass     pass     pass     pass     same
ptrace:vmaccess                              fail     fail     fail     fail     same
rseq:basic_percpu_ops_test                   pass     pass     pass     pass     same
rseq:basic_test                              pass     pass     pass     pass     same
rseq:param_test                              pass     pass     pass     pass     same
rseq:param_test_benchmark                    pass     pass     pass     pass     same
rseq:param_test_compare_twice                pass     pass     pass     pass     same
rseq:run_param_test.sh                       fail     fail     fail     fail     same
sgx:test_sgx                                 fail     fail     fail     fail     same
sigaltstack:sas                              pass     pass     pass     pass     same
size:get_size                                pass     pass     pass     pass     same
splice:default_file_splice_read.sh           pass     pass     pass     pass     same
static_keys:test_static_keys.sh              skip     skip     skip     skip     same
tc-testing:tdc.sh                            pass     pass     pass     pass     same
timens:clock_nanosleep                       pass     pass     pass     pass     same
timens:exec                                  pass     pass     pass     pass     same
timens:procfs                                pass     pass     pass     pass     same
timens:timens                                pass     pass     pass     pass     same
timens:timer                                 pass     pass     pass     pass     same
timens:timerfd                               pass     pass     pass     pass     same
timers:inconsistency-check                   fail     fail     fail     fail     same
timers:mqueue-lat                            pass     pass     pass     pass     same
timers:nanosleep                             pass     pass     pass     pass     same
timers:nsleep-lat                            fail     fail     fail     fail     same
timers:posix_timers                          pass     pass     pass     pass     same
timers:rtcpie                                pass     pass     pass     pass     same
timers:set-timer-lat                         fail     fail     fail     fail     same
timers:threadtest                            pass     pass     pass     pass     same
tpm2:test_smoke.sh                           fail     fail     fail     fail     same
tpm2:test_space.sh                           fail     fail     fail     fail     same
vm:run_vmtests                               fail     fail     fail     fail     same
x86:amx_64                                   fail     fail     fail     fail     same
x86:check_initial_reg_state_64               pass     pass     pass     pass     same
x86:corrupt_xstate_header_64                 pass     pass     pass     pass     same
x86:fsgsbase_64                              pass     pass     pass     pass     same
x86:fsgsbase_restore_64                      pass     pass     pass     pass     same
x86:ioperm_64                                pass     pass     pass     pass     same
x86:iopl_64                                  pass     pass     pass     pass     same
x86:mov_ss_trap_64                           pass     pass     pass     pass     same
x86:mpx-mini-test_64                         fail     fail     fail     fail     same
x86:protection_keys_64                       pass     pass     pass     pass     same
x86:sigaltstack_64                           pass     pass     pass     pass     same
x86:sigreturn_64                             pass     pass     pass     pass     same
x86:single_step_syscall_64                   pass     pass     pass     pass     same
x86:syscall_nt_64                            pass     pass     pass     pass     same
x86:sysret_rip_64                            pass     pass     pass     pass     same
x86:sysret_ss_attrs_64                       pass     pass     pass     pass     same
x86:test_mremap_vdso_64                      pass     pass     pass     pass     same
x86:test_vdso_64                             pass     pass     pass     pass     same
x86:test_vsyscall_64                         pass     pass     pass     pass     same
zram:zram.sh                                 pass     pass     pass     pass     same

jira VULN-53459
cve-pre CVE-2024-58002
commit-author Ricardo Ribalda <ribalda@chromium.org>
commit 6350d6a
upstream-diff |
  - Modified the `uvc_ioctl_s_ctrl()' function body to align with the new
    signature of `uvc_ctrl_commit()' it is using. A throwaway object
    `xctrls' is created on stack to encapsulate `xctrl' formerly passed to
    `uvc_ctrl_commit()' directly. This adaptation was missing from the
    backported commit, because at the moment of its introduction the
    `uvc_ioctl_s_ctrl()' function was no longer present, removed in
    0c6bcbd ("media: uvcvideo: Remove
    s_ctrl and g_ctrl"), which was not backported to LTS 8.6.
  - Solved the context conflict stemming from the missing
    ee929d5

If we have an error setting a control, return the affected control in
the error_idx field.

	Reviewed-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
	Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
	Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
	Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
(cherry picked from commit 6350d6a)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-53459
cve-pre CVE-2024-58002
commit-author Ricardo Ribalda <ribalda@chromium.org>
commit f0577b1

If mappings points to an invalid memory, we will be invalid accessing
it. Solve it by initializing the value of the variable mapping and by
changing the order in the conditional statement (to avoid accessing
mapping->id if not needed).

Fix:
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN NOPTI

Fixes: 6350d6a ("media: uvcvideo: Set error_idx during ctrl_commit errors")
	Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
	Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
	Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
(cherry picked from commit f0577b1)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-53459
cve-pre CVE-2024-58002
commit-author Ricardo Ribalda <ribalda@chromium.org>
commit 414d3b4

If the memory where ctrl_found is placed has the value of uvc_ctrl and
__uvc_find_control does not find the control we will return an invalid
index.

Fixes: 6350d6a ("media: uvcvideo: Set error_idx during ctrl_commit errors")
	Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
	Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
	Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
(cherry picked from commit 414d3b4)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-53459
cve-pre CVE-2024-58002
commit-author Ricardo Ribalda <ribalda@chromium.org>
commit 64627da

Avoid using the iterators after the list_for_each() constructs.
This patch should be a NOP, but makes cocci happier:

drivers/media/usb/uvc/uvc_ctrl.c:1861:44-50: ERROR: invalid reference to the index variable of the iterator on line 1850
drivers/media/usb/uvc/uvc_ctrl.c:2195:17-23: ERROR: invalid reference to the index variable of the iterator on line 2179

	Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org>
	Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
	Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
	Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
(cherry picked from commit 64627da)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-53459
cve-pre CVE-2024-58002
commit-author Ricardo Ribalda <ribalda@chromium.org>
commit d9fecd0

Now we keep a reference to the active fh for any call to uvc_ctrl_set,
regardless if it is an actual set or if it is just a try or if the
device refused the operation.

We should only keep the file handle if the device actually accepted
applying the operation.

	Cc: stable@vger.kernel.org
Fixes: e5225c8 ("media: uvcvideo: Send a control event when a Control Change interrupt arrives")
	Suggested-by: Hans de Goede <hdegoede@redhat.com>
	Reviewed-by: Hans de Goede <hdegoede@redhat.com>
	Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
	Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
Link: https://lore.kernel.org/r/20241203-uvc-fix-async-v6-1-26c867231118@chromium.org
	Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
	Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
(cherry picked from commit d9fecd0)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-53459
cve CVE-2024-58002
commit-author Ricardo Ribalda <ribalda@chromium.org>
commit 221cd51
upstream-diff Used linux-5.15.y backport
  117f7a2 as the base because of the
  missing backport of 54da6a0 which
  changed the locking scheme used in the upstream version. Resolved
  context conflicts around the `uvc_ctrl_cleanup_fh()' function

When an async control is written, we copy a pointer to the file handle
that started the operation. That pointer will be used when the device is
done. Which could be anytime in the future.

If the user closes that file descriptor, its structure will be freed,
and there will be one dangling pointer per pending async control, that
the driver will try to use.

Clean all the dangling pointers during release().

To avoid adding a performance penalty in the most common case (no async
operation), a counter has been introduced with some logic to make sure
that it is properly handled.

	Cc: stable@vger.kernel.org
Fixes: e5225c8 ("media: uvcvideo: Send a control event when a Control Change interrupt arrives")
	Reviewed-by: Hans de Goede <hdegoede@redhat.com>
	Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
	Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Link: https://lore.kernel.org/r/20241203-uvc-fix-async-v6-3-26c867231118@chromium.org
	Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
	Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
(cherry picked from commit 117f7a2)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
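
The bookkeeping described in the two commit messages above ("Only save async fh if success" and "Remove dangling pointers"), as an added user-space model that is not the driver's code: the struct and function names are hypothetical, the four-control device is constructed, and the locking the driver performs under `ctrl_mutex` is left out.

```c
#include <stddef.h>

#define NCTRLS 4	/* constructed: a device with four controls */

struct fh { unsigned int pending_async_ctrls; };	/* one open file handle */
struct ctrl { struct fh *handle; };	/* owner of a pending async write, or NULL */
struct dev { struct ctrl controls[NCTRLS]; };

/* Repoint a control at new_handle (or NULL) and keep both counters exact.
 * Hypothetical helper; the model is single-threaded, so no lock is taken. */
static void set_handle(struct ctrl *c, struct fh *new_handle)
{
	if (c->handle == new_handle)
		return;
	if (c->handle)
		c->handle->pending_async_ctrls--;
	if (new_handle)
		new_handle->pending_async_ctrls++;
	c->handle = new_handle;
}

/* Async write: remember the handle only when the device accepted the request. */
static int async_write(struct dev *d, size_t idx, struct fh *h, int device_accepts)
{
	if (idx >= NCTRLS || !device_accepts)
		return -1;
	set_handle(&d->controls[idx], h);
	return 0;
}

/* release(): clear every pointer to h; skip the walk when nothing is pending. */
static unsigned int cleanup_fh(struct dev *d, struct fh *h)
{
	unsigned int cleared = 0;

	if (!h->pending_async_ctrls)
		return 0;
	for (size_t i = 0; i < NCTRLS; i++) {
		if (d->controls[i].handle != h)
			continue;
		set_handle(&d->controls[i], NULL);
		cleared++;
	}
	return cleared;
}

/* Number of controls still pointing at h; must be 0 before h is freed. */
static unsigned int refs_to(const struct dev *d, const struct fh *h)
{
	unsigned int n = 0;

	for (size_t i = 0; i < NCTRLS; i++)
		n += (d->controls[i].handle == h);
	return n;
}

int main(void)
{
	struct dev d = {0};
	struct fh a = {0};

	async_write(&d, 0, &a, 1);
	async_write(&d, 1, &a, 1);
	async_write(&d, 2, &a, 0);	/* refused by the device: not recorded */
	cleanup_fh(&d, &a);		/* what release() has to do before freeing a */
	return refs_to(&d, &a) == 0 && a.pending_async_ctrls == 0 ? 0 : 1;
}
```
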
…by a signal

jira VULN-32672
cve CVE-2022-48786
commit-author Seth Forshee <sforshee@digitalocean.com>
commit b920849

vsock_connect() expects that the socket could already be in the
TCP_ESTABLISHED state when the connecting task wakes up with a signal
pending. If this happens the socket will be in the connected table, and
it is not removed when the socket state is reset. In this situation it's
common for the process to retry connect(), and if the connection is
successful the socket will be added to the connected table a second
time, corrupting the list.

Prevent this by calling vsock_remove_connected() if a signal is received
while waiting for a connection. This is harmless if the socket is not in
the connected table, and if it is in the table then removing it will
prevent list corruption from a double add.

Note for backporting: this patch requires d5afa82 ("vsock: correct
removal of socket from the list"), which is in all current stable trees
except 4.9.y.

Fixes: d021c34 ("VSOCK: Introduce VM Sockets")
	Signed-off-by: Seth Forshee <sforshee@digitalocean.com>
	Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Link: https://lore.kernel.org/r/20220217141312.2297547-1-sforshee@digitalocean.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit b920849)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
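
The double add described in the CVE-2022-48786 commit message above, as an added user-space model that is not the kernel's code: `list_add()` performs the same pointer updates as the kernel list helper, while `sock_model`, `insert_connected()`, `remove_connected()` and the single-socket scenario are hypothetical stand-ins constructed for the example.

```c
#include <stddef.h>

struct list_head { struct list_head *next, *prev; };

static void list_init(struct list_head *h) { h->next = h->prev = h; }
static int list_empty(const struct list_head *h) { return h->next == h; }

/* Insert n right after head, with no check that n is already linked. */
static void list_add(struct list_head *n, struct list_head *head)
{
	n->next = head->next;
	n->prev = head;
	head->next->prev = n;
	head->next = n;
}

static void list_del_init(struct list_head *n)
{
	n->prev->next = n->next;
	n->next->prev = n->prev;
	list_init(n);
}

/* Hypothetical stand-in for a vsock socket and its connected-table linkage. */
struct sock_model { struct list_head node; int established; };

static void insert_connected(struct list_head *table, struct sock_model *sk)
{
	list_add(&sk->node, table);
	sk->established = 1;
}

/* Harmless when the socket is not in the table: nothing to unlink. */
static void remove_connected(struct sock_model *sk)
{
	if (!list_empty(&sk->node))
		list_del_init(&sk->node);
}

/* Walk at most `limit` nodes; every forward link must have a matching back link. */
static int table_consistent(const struct list_head *table, int limit)
{
	const struct list_head *p = table;

	do {
		if (p->next->prev != p)
			return 0;
		p = p->next;
	} while (p != table && --limit > 0);
	return p == table;
}

/* connect() interrupted after the peer's response, then retried successfully.
 * Returns 1 when the connected table is still a well-formed list. */
static int interrupted_connect_then_retry(int remove_on_signal)
{
	struct list_head table;
	struct sock_model sk;

	list_init(&table);
	list_init(&sk.node);
	sk.established = 0;

	insert_connected(&table, &sk);	/* response processed before the wake-up */
	sk.established = 0;		/* signal pending: socket state is reset */
	if (remove_on_signal)
		remove_connected(&sk);	/* the step the fix adds */
	insert_connected(&table, &sk);	/* retry succeeds: the second add */
	return table_consistent(&table, 8);
}

int main(void)
{
	return interrupted_connect_then_retry(1) == 1 &&
	       interrupted_connect_then_retry(0) == 0 ? 0 : 1;
}
```
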
@pvts-mat pvts-mat force-pushed the ciqlts8_6-CVE-batch-25 branch from ffc4761 to 99c4b23 Compare March 20, 2026 16:14
@PlaidCat PlaidCat requested a review from a team March 20, 2026 19:46
@github-actions

🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/23360220178

@github-actions

🔍 Interdiff Analysis

  • ⚠️ PR commit 0a4798163566 (media: uvcvideo: Set error_idx during ctrl_commit errors) → upstream 6350d6a4ed48
    Differences found:
================================================================================
*    DELTA DIFFERENCES - code changes that differ between the patches          *
================================================================================

--- b/drivers/media/usb/uvc/uvc_v4l2.c
+++ b/drivers/media/usb/uvc/uvc_v4l2.c
@@ -1024,7 +1024,6 @@
 	struct uvc_fh *handle = fh;
 	struct uvc_video_chain *chain = handle->chain;
 	struct v4l2_ext_control xctrl;
-	struct v4l2_ext_controls xctrls;
 	int ret;
 
 	memset(&xctrl, 0, sizeof(xctrl));
@@ -1041,9 +1040,7 @@
 		return ret;
 	}
 
-	xctrls.controls = &xctrl;
-	xctrls.count = 1;
-	ret = uvc_ctrl_commit(handle, &xctrls);
+	ret = uvc_ctrl_commit(handle, &xctrl, 1);
 	if (ret < 0)
 		return ret;
 
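
Review bot: `xctrls` in `uvc_ioctl_s_ctrl()` is a stack object and the visible lines assign only `.controls` and `.count`, while `xctrl` next to it is cleared with `memset()`; unless something between the two hunks initialises it, the remaining fields reach `uvc_ctrl_commit()` uninitialised. Suggest `struct v4l2_ext_controls xctrls = { .controls = &xctrl, .count = 1 };` at the declaration, which zeroes the other fields and replaces the two assignment lines.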

################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/drivers/media/usb/uvc/uvc_v4l2.c
+++ b/drivers/media/usb/uvc/uvc_v4l2.c
@@ -1100,7 +1100,7 @@
 	ctrls->error_idx = 0;
 
 	if (ioctl == VIDIOC_S_EXT_CTRLS)
-		return uvc_ctrl_commit(handle, ctrls->controls, ctrls->count);
+		return uvc_ctrl_commit(handle, ctrls);
 	else
 		return uvc_ctrl_rollback(handle);
 }

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/drivers/media/usb/uvc/uvc_v4l2.c
+++ b/drivers/media/usb/uvc/uvc_v4l2.c
@@ -1119,6 +1099,6 @@
 	ctrls->error_idx = 0;
 
-	if (commit)
+	if (ioctl == VIDIOC_S_EXT_CTRLS)
 		return uvc_ctrl_commit(handle, ctrls->controls, ctrls->count);
 	else
 		return uvc_ctrl_rollback(handle);
  • ⚠️ PR commit 31c6c63ae88f (media: uvcvideo: Remove dangling pointers) → upstream 221cd51efe45
    Differences found:
================================================================================
*    DELTA DIFFERENCES - code changes that differ between the patches          *
================================================================================

--- b/drivers/media/usb/uvc/uvc_ctrl.c
+++ b/drivers/media/usb/uvc/uvc_ctrl.c
@@ -2419,16 +2419,13 @@
 {
 	struct uvc_entity *entity;
 
-	mutex_lock(&handle->chain->ctrl_mutex);
+	guard(mutex)(&handle->chain->ctrl_mutex);
 
-	if (!handle->pending_async_ctrls) {
-		mutex_unlock(&handle->chain->ctrl_mutex);
+	if (!handle->pending_async_ctrls)
 		return;
-	}
 
 	list_for_each_entry(entity, &handle->chain->dev->entities, list) {
-		unsigned int i;
-		for (i = 0; i < entity->ncontrols; ++i) {
+		for (unsigned int i = 0; i < entity->ncontrols; ++i) {
 			if (entity->controls[i].handle != handle)
 				continue;
 			uvc_ctrl_set_handle(handle, &entity->controls[i], NULL);
@@ -2436,7 +2433,6 @@
 	}
 
 	WARN_ON(handle->pending_async_ctrls);
-	mutex_unlock(&handle->chain->ctrl_mutex);
 }
 
 /*
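
Review bot: with explicit `mutex_lock()`/`mutex_unlock()` in place of upstream's `guard(mutex)`, the early return at `if (!handle->pending_async_ctrls)` has to carry its own unlock; a single `goto out` to one `mutex_unlock()` at the end of the function would keep the pairing in one place and make a return added later harder to get wrong. `WARN_ON(handle->pending_async_ctrls)` still runs before the unlock, which matches the upstream ordering.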

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/drivers/media/usb/uvc/uvcvideo.h
+++ b/drivers/media/usb/uvc/uvcvideo.h
@@ -897,6 +789,6 @@
 int uvc_xu_ctrl_query(struct uvc_video_chain *chain,
 		      struct uvc_xu_control_query *xqry);
 
 /* Utility functions */
-void uvc_simplify_fraction(u32 *numerator, u32 *denominator,
-			   unsigned int n_terms, unsigned int threshold);
+struct usb_host_endpoint *uvc_find_endpoint(struct usb_host_interface *alts,
+					    u8 epaddr);
  • ⚠️ PR commit 99c4b23e1baf (nfsd: don't ignore the return code of svc_proc_register()) → upstream 930b64ca0c51
    Differences found:
================================================================================
*    DELTA DIFFERENCES - code changes that differ between the patches          *
================================================================================

--- b/fs/nfsd/nfsctl.c
+++ b/fs/nfsd/nfsctl.c
@@ -1524,10 +1524,7 @@
 	retval = nfsd4_init_pnfs();
 	if (retval)
 		goto out_free_slabs;
-	if (!nfsd_stat_init()) {	/* Statistics */
-		retval = -ENOMEM;
-		goto out_free_pnfs;
-	}
+	nfsd_stat_init();	/* Statistics */
 	retval = nfsd_drc_slab_create();
 	if (retval)
 		goto out_free_stat;
@@ -1552,7 +1549,6 @@
 	nfsd_drc_slab_free();
 out_free_stat:
 	nfsd_stat_shutdown();
-out_free_pnfs:
 	nfsd4_exit_pnfs();
 out_free_slabs:
 	nfsd4_free_slabs();
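
Review bot: `retval = -ENOMEM` at the `nfsd_stat_init()` check in fs/nfsd/nfsctl.c is returned for every registration failure, and the commit message notes that `svc_proc_register()` can also fail when an identical dentry already exists; a one-line comment at the check saying that -ENOMEM covers both cases would save the next reader a trip to the log. The `out_free_pnfs` label sits after `nfsd_stat_shutdown()`, so a failed registration is not torn down again, and the `goto out_free_stat` path still falls through to `nfsd4_exit_pnfs()`.
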
--- b/fs/nfsd/stats.c
+++ b/fs/nfsd/stats.c
@@ -91,10 +91,10 @@
 	.release = single_release,
 };
 
-struct proc_dir_entry *
+void
 nfsd_stat_init(void)
 {
-	return svc_proc_register(&init_net, &nfsd_svcstats, &nfsd_proc_fops);
+	svc_proc_register(&init_net, &nfsd_svcstats, &nfsd_proc_fops);
 }
 
 void
--- b/fs/nfsd/stats.h
+++ b/fs/nfsd/stats.h
@@ -38,7 +38,7 @@
 extern struct nfsd_stats	nfsdstats;
 extern struct svc_stat		nfsd_svcstats;
 
-struct proc_dir_entry *	nfsd_stat_init(void);
+void	nfsd_stat_init(void);
 void	nfsd_stat_shutdown(void);
 
 #endif /* _NFSD_STATS_H */

################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/fs/nfsd/nfsctl.c
+++ b/fs/nfsd/nfsctl.c
@@ -2202,6 +2202,7 @@
 					  NFSD_STATS_COUNTERS_NUM);
 	if (retval)
 		goto out_repcache_error;
+
 	memset(&nn->nfsd_svcstats, 0, sizeof(nn->nfsd_svcstats));
 	nn->nfsd_svcstats.program = &nfsd_programs[0];
 	for (i = 0; i < sizeof(nn->nfsd_versions); i++)
@@ -2204,6 +2205,11 @@
 		goto out_repcache_error;
 	memset(&nn->nfsd_svcstats, 0, sizeof(nn->nfsd_svcstats));
 	nn->nfsd_svcstats.program = &nfsd_programs[0];
+	if (!nfsd_proc_stat_init(net)) {
+		retval = -ENOMEM;
+		goto out_proc_error;
+	}
+
 	for (i = 0; i < sizeof(nn->nfsd_versions); i++)
 		nn->nfsd_versions[i] = nfsd_support_version(i);
 	for (i = 0; i < sizeof(nn->nfsd4_minorversions); i++)
@@ -2213,7 +2219,6 @@
 	nfsd4_init_leases_net(nn);
 	get_random_bytes(&nn->siphash_key, sizeof(nn->siphash_key));
 	seqlock_init(&nn->writeverf_lock);
-	nfsd_proc_stat_init(net);
 #if IS_ENABLED(CONFIG_NFS_LOCALIO)
 	spin_lock_init(&nn->local_clients_lock);
 	INIT_LIST_HEAD(&nn->local_clients);
@@ -2217,6 +2222,8 @@
 #endif
 	return 0;
 
+out_proc_error:
+	percpu_counter_destroy_many(nn->counter, NFSD_STATS_COUNTERS_NUM);
 out_repcache_error:
 	nfsd_idmap_shutdown(net);
 out_idmap_error:
--- b/fs/nfsd/stats.c
+++ b/fs/nfsd/stats.c
@@ -73,7 +73,7 @@
 
 DEFINE_PROC_SHOW_ATTRIBUTE(nfsd);
 
-void nfsd_proc_stat_init(struct net *net)
+struct proc_dir_entry *nfsd_proc_stat_init(struct net *net)
 {
 	struct nfsd_net *nn = net_generic(net, nfsd_net_id);
 
@@ -77,7 +77,7 @@
 {
 	struct nfsd_net *nn = net_generic(net, nfsd_net_id);
 
-	svc_proc_register(net, &nn->nfsd_svcstats, &nfsd_proc_ops);
+	return svc_proc_register(net, &nn->nfsd_svcstats, &nfsd_proc_ops);
 }
 
 void nfsd_proc_stat_shutdown(struct net *net)
--- b/fs/nfsd/stats.h
+++ b/fs/nfsd/stats.h
@@ -10,7 +10,7 @@
 #include <uapi/linux/nfsd/stats.h>
 #include <linux/percpu_counter.h>
 
-void nfsd_proc_stat_init(struct net *net);
+struct proc_dir_entry *nfsd_proc_stat_init(struct net *net);
 void nfsd_proc_stat_shutdown(struct net *net);
 
 static inline void nfsd_stats_rc_hits_inc(struct nfsd_net *nn)

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/fs/nfsd/stats.c
+++ b/fs/nfsd/stats.c
@@ -72,8 +70,11 @@
 
-void
-nfsd_stat_init(void)
+DEFINE_PROC_SHOW_ATTRIBUTE(nfsd);
+
+void nfsd_proc_stat_init(struct net *net)
 {
-	svc_proc_register(&init_net, &nfsd_svcstats, &nfsd_proc_fops);
+	struct nfsd_net *nn = net_generic(net, nfsd_net_id);
+
+	svc_proc_register(net, &nn->nfsd_svcstats, &nfsd_proc_ops);
 }
 
-void
+void nfsd_proc_stat_shutdown(struct net *net)
--- b/fs/nfsd/stats.h
+++ b/fs/nfsd/stats.h
@@ -7,7 +7,7 @@
-extern struct nfsd_stats	nfsdstats;
-extern struct svc_stat		nfsd_svcstats;
+#include <uapi/linux/nfsd/stats.h>
+#include <linux/percpu_counter.h>
 
-void	nfsd_stat_init(void);
-void	nfsd_stat_shutdown(void);
+void nfsd_proc_stat_init(struct net *net);
+void nfsd_proc_stat_shutdown(struct net *net);
 
-#endif /* _NFSD_STATS_H */
+static inline void nfsd_stats_rc_hits_inc(struct nfsd_net *nn)

This is an automated interdiff check for backported commits.

@github-actions

JIRA PR Check Results

10 commit(s) with issues found:

Commit 99c4b23e1baf

Summary: nfsd: don't ignore the return code of svc_proc_register()

❌ Errors:

  • VULN-64890: Status is 'To Do', expected 'In Progress'

⚠️ Warnings:

  • VULN-64890: No time logged - please log time manually

Commit eb5a23743e7f

Summary: vsock: Ignore signal/timeout on connect() if already established

❌ Errors:

  • VULN-160775: Status is 'Publish CSAF', expected 'In Progress'
  • VULN-160775: LTS product 'cbr-7.9' expects branch 'ciqcbr7_9', but merge target is 'ciqlts8_6'

Commit 0dfaf5a7c479

Summary: vsock: avoid to close connected socket after the timeout

❌ Errors:

  • VULN-160775: Status is 'Publish CSAF', expected 'In Progress'
  • VULN-160775: LTS product 'cbr-7.9' expects branch 'ciqcbr7_9', but merge target is 'ciqlts8_6'

Commit 354366be3aaa

Summary: vsock: remove vsock from connected table when connect is interrupted by a signal

❌ Errors:

  • VULN-32672: Status is 'To Do', expected 'In Progress'

⚠️ Warnings:

  • VULN-32672: No time logged - please log time manually

Commit 31c6c63ae88f

Summary: media: uvcvideo: Remove dangling pointers

❌ Errors:

  • VULN-53459: Status is 'To Do', expected 'In Progress'

⚠️ Warnings:

  • VULN-53459: No time logged - please log time manually

Commit 0a6749a0a0dd

Summary: media: uvcvideo: Only save async fh if success

❌ Errors:

  • VULN-53459: Status is 'To Do', expected 'In Progress'

⚠️ Warnings:

  • VULN-53459: No time logged - please log time manually

Commit 0dcad1b8cc7b

Summary: media: uvcvideo: Refactor iterators

❌ Errors:

  • VULN-53459: Status is 'To Do', expected 'In Progress'

⚠️ Warnings:

  • VULN-53459: No time logged - please log time manually

Commit a6e45fdd11c4

Summary: media: uvcvideo: Avoid returning invalid controls

❌ Errors:

  • VULN-53459: Status is 'To Do', expected 'In Progress'

⚠️ Warnings:

  • VULN-53459: No time logged - please log time manually

Commit 0eb97ed76df0

Summary: media: uvcvideo: Avoid invalid memory access

❌ Errors:

  • VULN-53459: Status is 'To Do', expected 'In Progress'

⚠️ Warnings:

  • VULN-53459: No time logged - please log time manually

Commit 0a4798163566

Summary: media: uvcvideo: Set error_idx during ctrl_commit errors

❌ Errors:

  • VULN-53459: Status is 'To Do', expected 'In Progress'

⚠️ Warnings:

  • VULN-53459: No time logged - please log time manually

Summary: Checked 10 commit(s) total.

@github-actions github-actions bot left a comment

⚠️ This PR contains VULN tickets that do not match the target LTS product. Please review the JIRA ticket assignments and ensure they match the merge target branch.

@github-actions

Validation checks completed with issues View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/23360220178

jira VULN-160776
cve-pre CVE-2025-40248
commit-author Zhuang Shengen <zhuangshengen@huawei.com>
commit 6d4486e

When client and server establish a connection through vsock,
the client sends a request to the server to initiate the connection,
then starts a timer to wait for the server's response. When the server's
RESPONSE message arrives, the timer also times out and exits. The
server's RESPONSE message is processed first, and the connection is
established. However, the client's timer also times out; the original
processing logic of the client is to directly set the state of this vsock
to CLOSE and return ETIMEDOUT. It will not notify the server when the port
is released, causing the server port to remain.
When the client's vsock_connect times out, it should check whether the sk
state is ESTABLISHED or not. If the sk state is ESTABLISHED, it means the
connection is established, and the client should not set the sk state to CLOSE.

Note: I encountered this issue on kernel-4.18, which can be fixed by
this patch. Then I checked the latest code in the community
and found similar issue.

Fixes: d021c34 ("VSOCK: Introduce VM Sockets")
	Signed-off-by: Zhuang Shengen <zhuangshengen@huawei.com>
	Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
	Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 6d4486e)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-160776
cve CVE-2025-40248
commit-author Michal Luczaj <mhal@rbox.co>
commit 002541e

During connect(), acting on a signal/timeout by disconnecting an already
established socket leads to several issues:

1. connect() invoking vsock_transport_cancel_pkt() ->
   virtio_transport_purge_skbs() may race with sendmsg() invoking
   virtio_transport_get_credit(). This results in a permanently elevated
   `vvs->bytes_unsent`. Which, in turn, confuses the SOCK_LINGER handling.

2. connect() resetting a connected socket's state may race with socket
   being placed in a sockmap. A disconnected socket remaining in a sockmap
   breaks sockmap's assumptions. And gives rise to WARNs.

3. connect() transitioning SS_CONNECTED -> SS_UNCONNECTED allows for a
   transport change/drop after TCP_ESTABLISHED. Which poses a problem for
   any simultaneous sendmsg() or connect() and may result in a
   use-after-free/null-ptr-deref.

Do not disconnect socket on signal/timeout. Keep the logic for unconnected
sockets: they don't linger, can't be placed in a sockmap, are rejected by
sendmsg().

[1]: https://lore.kernel.org/netdev/e07fd95c-9a38-4eea-9638-133e38c2ec9b@rbox.co/
[2]: https://lore.kernel.org/netdev/20250317-vsock-trans-signal-race-v4-0-fc8837f3f1d4@rbox.co/
[3]: https://lore.kernel.org/netdev/60f1b7db-3099-4f6a-875e-af9f6ef194f6@rbox.co/

Fixes: d021c34 ("VSOCK: Introduce VM Sockets")
	Signed-off-by: Michal Luczaj <mhal@rbox.co>
	Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Link: https://patch.msgid.link/20251119-vsock-interrupted-connect-v2-1-70734cf1233f@rbox.co
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 002541e)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-64890
cve CVE-2025-22026
commit-author Jeff Layton <jlayton@kernel.org>
commit 930b64c
upstream-diff Ignored cherry-pick of the upstream fix - the LTS 8.6 nfsd
  codebase was too distinct from the upstream for auto merging to be
  useful in any way. Backported checking of the `svc_proc_register()' exit
  code manually:
  fs/nfsd/stats.c
        Modified function `nfsd_stat_init()' instead of
        `nfsd_proc_stat_init()' because it was renamed in the
        non-backported commit 93483ac.
  fs/nfsd/stats.h
        Like above
  fs/nfsd/nfsctl.c
        - Modified `init_nfsd()' where `nfsd_stat_init()' is actually used
          in LTS 8.6 instead of `nfsd_net_init()', where this function
          call (named `nfsd_proc_stat_init()' at that time) was moved in
          the non-backported commit
          93483ac.
        - Ignored the `percpu_counter_destroy_many()' cleanup not
          applicable to the `init_nfsd()' function. Included in the exit
          path instead the `nfsd4_exit_pnfs()' call with the use of newly
          introduced label `out_free_pnfs'.

Currently, nfsd_proc_stat_init() ignores the return value of
svc_proc_register(). If the procfile creation fails, then the kernel
will WARN when it tries to remove the entry later.

Fix nfsd_proc_stat_init() to return the same type of pointer as
svc_proc_register(), and fix up nfsd_net_init() to check that and fail
the nfsd_net construction if it occurs.

svc_proc_register() can fail if the dentry can't be allocated, or if an
identical dentry already exists. The second case is pretty unlikely in
the nfsd_net construction codepath, so if this happens, return -ENOMEM.

	Reported-by: syzbot+e34ad04f27991521104c@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-nfs/67a47501.050a0220.19061f.05f9.GAE@google.com/
	Cc: stable@vger.kernel.org # v6.9
	Signed-off-by: Jeff Layton <jlayton@kernel.org>
	Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
(cherry picked from commit 930b64c)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
@pvts-mat pvts-mat force-pushed the ciqlts8_6-CVE-batch-25 branch from 99c4b23 to cb64da0 Compare March 20, 2026 20:31