Skip to content

[LTS 9.2] CVE-2025-38250, CVE-2025-39697 #746

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
pvts-mat wants to merge 3 commits into
base: ciqlts9_2
Choose a base branch
from
Open

[LTS 9.2] CVE-2025-38250, CVE-2025-39697 #746

pvts-mat wants to merge 3 commits into from
+129 −135

Conversation

@pvts-mat
Copy link
Contributor

@pvts-mat pvts-mat commented Dec 4, 2025

[LTS 9.2]
CVE-2025-38250 VULN-72347
CVE-2025-39697 VULN-136535

Commits

CVE-2025-38250

Bluetooth: hci_core: Fix use-after-free in vhci_flush()

jira VULN-72347
cve CVE-2025-38250
commit-author Kuniyuki Iwashima <[email protected]>
commit 1d6123102e9fbedc8d25bf4731da6d513173e49e
upstream-diff Context conflicts resolved in 'hci_unregister_dev()'

In kernel-mainline the function hci_unregister_dev() underwent a change in 0d151a1 (CVE-2024-41063 (RH CVSS 5.5)) along with its bugfix 989fa51 (CVE-2024-58241 (RH CVSS 4.4)), which was expected by git's auto-resolver to be in place, so it complained about contextual conflicts. The additional work sync patches were not included because of their own prerequisites and low scores of the associated CVEs.

CVE-2025-39697

1:

nfs: fold nfs_page_group_lock_subrequests into nfs_lock_and_join_requests

jira VULN-136535
cve-pre CVE-2025-39697
commit-author Christoph Hellwig <[email protected]>
commit 25edbcac6e32eab345e470d56ca9974a577b878b
upstream-diff Used linux-5.15.y backport
  fd947b71cc1b86c4731f8d470f5ab5df94e838d8 as baseline, then accounted
  in 'nfs_lock_and_join_requests()' for the missing
  b193a78ddb5ee7dba074d3f28dc050069ba083c0 backport.

0:

NFS: Fix a race when updating an existing write

jira VULN-136535
cve CVE-2025-39697
commit-author Trond Myklebust <[email protected]>
commit 76d2e3890fb169168c73f2e4f8375c7cc24a765e
upstream-diff Used linux-5.15.y backport
  f230d40147cc37eb3aef4d50e2e2c06ea73d9a77, which applied cleanly

The patch for this CVE was backported to Linux stable 5.15 and that backport was used as a baseline for LTS 9.2 backport, since the timelines for the affected files were very similar and the conflicts were far reduced.

The nfs_lock_and_join_requests() function modified in the official CVE-2025-39697 patch (0) underwent heavy changes in commit (1), which had to be pulled in just like it was done in linux-5.15.y. Additionally the commit (2) would be needed for clean cherry pick but it was decided to resolve the simple conflicts for (1) manually. Commit (2) fixes a bug, but it's not associated with any CVE.

    Label    File
    -------  ------------------------
    A        fs/nfs/pagelist.c
    B        fs/nfs/write.c
    C        include/linux/nfs_page.h
    
    ABC    kernel-mainline                                                                                linux-6.6.y            linux-5.15.y           ciqlts9_2              ciqlts9_4
    -----  ---------------------------------------------------------------------------------------------  ---------------------  ---------------------  ---------------------  ---------------------
    -#-    9ff022f3 2025-10-13 NFS: check if suid/sgid was cleared after a write as needed
    -#-    eb71428e 2025-09-26 NFSv4/flexfiles: Use ds_commit_idx when marking a write commit
    -#-    902893e3 2025-09-23 NFS: Enable use of the RWF_DONTCACHE flag on the NFS client
    --#    301f3470 2025-09-23 nfs: remove NFS_WBACK_BUSY()
    -#-    9082aae1 2025-09-23 sunrpc: remove dfprintk_cont() and dfprintk_rcu_cont()
    -#-    83c47ef8 2025-09-23 nfs: add tracepoints to nfs_writepages()
    -#-    b6ef079f 2025-09-23 nfs: more in-depth tracing of writepage events
    -#-    4a2d8171 2025-09-23 nfs: new tracepoints around write handling
    -#-    c12b6a7b 2025-09-06 NFS: Fix the marking of the folio as up to date
    -#-    b7b85742 2025-09-06 NFS: nfs_invalidate_folio() must observe the offset and size arguments
0:  ###    76d2e389 2025-08-19 NFS: Fix a race when updating an existing write                            ~ 181feb41 2025-09-04  ~ f230d401 2025-09-04
    -#-    72508db0 2025-07-14 NFS: Allow folio migration for the case of mode == MIGRATE_SYNC
    -#-    a8fb49c6 2025-07-09 mm: remove the for_reclaim field from struct writeback_control
    -#-    f72a6759 2025-05-28 nfs: use writeback_iter directly
    -#-    66a49813 2025-05-28 nfs: refactor nfs_do_writepage
    -#-    66beed5a 2025-05-28 nfs: don't return AOP_WRITEPAGE_ACTIVATE from nfs_do_writepage
    -#-    b6354e60 2025-05-28 nfs: fold nfs_page_async_flush into nfs_do_writepage
    -#-    8e5419d6 2025-04-02 nfs: Add missing release on error in nfs_lock_and_join_requests()
    ##-    86e00412 2025-01-14 nfs: cache all open LOCALIO nfsd_file(s) in client
    -#-    66f9dac9 2024-11-18 Revert "nfs: don't reuse partially completed requests in nfs_lock_and_jo…
    -#-    8f52caf9 2024-11-09 Revert "fs: nfs: fix missing refcnt by replacing folio_set_private by fo…
    ##-    fa88a7d6 2024-09-23 nfs: enable localio for non-pNFS IO
    ##-    70ba381e 2024-09-23 nfs: add LOCALIO support
    ##-    df24c483 2024-09-23 nfs: pass struct nfsd_file to nfs_init_pgio and nfs_init_commit
    -#-    dfb07e99 2024-09-23 nfs: add 'noalignwrite' option for lock-less 'lost writes' prevention
    -#-    03e02b94 2024-09-23 fs: nfs: fix missing refcnt by replacing folio_set_private by folio_atta…
    -#-    fada32ed 2024-07-17 nfs: pass explicit offset/count to trace events
    -#-    39c910a4 2024-07-12 nfs: do not extend writes to the entire folio
    -#-    b571cfcb 2024-07-08 nfs: don't reuse partially completed requests in nfs_lock_and_join_reque…
    ###    f1b7c755 2024-07-08 nfs: move nfs_wait_on_request to write.c
1:  ###    25edbcac 2024-07-08 nfs: fold nfs_page_group_lock_subrequests into nfs_lock_and_join_requests  ~ 9a196340 2025-09-04  ~ fd947b71 2025-09-04
    -#-    c3f22357 2024-07-08 nfs: fold nfs_folio_find_and_lock_request into nfs_lock_and_join_requests
    ###    9eb7c484 2024-07-08 nfs: simplify nfs_folio_find_and_lock_request
    -#-    02e61ec1 2024-07-08 nfs: remove nfs_folio_private_request
    ###    7e8e78a0 2024-07-08 nfs: remove dead code for the old swap over NFS implementation
    -#-    2f1f3104 2024-07-08 nfs: Block on write congestion
    -#-    37d4159d 2024-07-08 nfs: Drop pointless check from nfs_commit_release_pages()
    -#-    e12912d9 2024-07-08 NFSv4: Add support for delegated atime and mtime attributes
    -#-    4201916f 2024-07-08 NFSv4: Add a flags argument to the 'have_delegation' callback
    -#-    237d2907 2024-07-03 nfs: drop usage of folio_file_pos
    -#-    8f3ab6e4 2024-05-31 nfs: Remove calls to folio_set_error
    #--    a527c3ba 2024-05-24 nfs: Avoid flushing many pages with NFS_FILE_SYNC                          ~ e3adf998 2024-07-25
    -#-    2e9d7e4b 2024-04-29 mm: Remove the PG_fscache alias for PG_private_2
    -#-    17f46b80 2024-03-09 nfs: fix UAF in direct writes                                              ~ e25447c3 2024-04-03  ~ 80d24b30 2024-04-10
    -#-    0b81371d 2024-03-09 NFS: remove sync_mode test from nfs_writepage_locked()                                                                                          ~ 2d2bb567 2024-09-12
    -#-    dd1fac6a 2024-02-05 nfs: adapt to breakup of struct file_lock
    -#-    a69ce85e 2024-02-05 filelock: split common fields into struct file_lock_core
    -#-    d7c9616b 2024-02-05 nfs: convert to using new filelock helpers
    -#-    12fc0a96 2024-01-04 nfs: Remove writepage                                                                                                                           # e26c1a09 2024-09-12
    -#-    600f111e 2023-11-21 fs: Rename mapping private members
    -#-    6e7434ab 2023-10-22 NFSv4/pnfs: Allow layoutget to return EAGAIN for softerr mounts
    -#-    6a6d4644 2023-10-11 NFS: Fix potential oops in nfs_inode_remove_request()                      = 6a6d4644 2023-10-11                                                ~ 7b0cdef4 2023-12-02
    -#-    dd1b2026 2023-09-28 nfs: decrement nrequests counter before releasing the req                  = dd1b2026 2023-09-28                                                ~ ae102dd8 2023-12-02
2:  -##    b193a78d 2023-09-13 NFS: Use the correct commit info in nfs_join_page_group()                  = b193a78d 2023-09-13  ~ a354b4a3 2023-10-06
    #-#    000dbe0b 2023-04-11 NFS: Convert buffered read paths to use netfs when fscache is enabled      = 000dbe0b 2023-04-11                                                ~ 2b171d71 2023-05-11
    -#-    256093fe 2023-02-14 NFS: Improve tracing of nfs_wb_folio()                                     = 256093fe 2023-02-14                                                ~ cf2c3591 2023-05-08
    #-#    70e9db69 2023-02-14 NFS: Clean up O_DIRECT request allocation                                  = 70e9db69 2023-02-14                                                ~ 266b973f 2023-05-08
    -#-    4cbf7694 2023-02-14 NFS: Remove unused function nfs_wb_page()                                  = 4cbf7694 2023-02-14                                                ~ b5b4ecd6 2023-05-08
    -#-    0c493b5c 2023-02-14 NFS: Convert buffered writes to use folios                                 = 0c493b5c 2023-02-14                                                ~ 0c2c4eaa 2023-05-08
    -#-    5241060e 2023-02-14 NFS: Convert the function nfs_wb_page() to use folios                      = 5241060e 2023-02-14                                                ~ 6ed0bf3b 2023-05-08
    #-#    ab75bff1 2023-02-14 NFS: Convert buffered reads to use folios                                  = ab75bff1 2023-02-14                                                ~ 5f1b0544 2023-05-08
    -#-    4b27232a 2023-02-14 NFS: Add a helper nfs_wb_folio()                                           = 4b27232a 2023-02-14                                                ~ 8aa08d5e 2023-05-08
    #--    cbefa53c 2023-02-14 NFS: Convert the remaining pagelist helper functions to support folios     = cbefa53c 2023-02-14                                                ~ 80973d1c 2023-05-08
    ###    6dd85e83 2023-02-14 NFS: Add a helper to convert a struct nfs_page into an inode               = 6dd85e83 2023-02-14                                                ~ 72aafff7 2023-05-08
    #-#    8e0bdc70 2023-02-14 NFS: Fix nfs_coalesce_size() to work with folios                           = 8e0bdc70 2023-02-14                                                ~ 0499e730 2023-05-08
    #--    eb9f2a5a 2023-02-14 NFS: Support folios in nfs_generic_pgio()                                  = eb9f2a5a 2023-02-14                                                ~ cec4a4f7 2023-05-08
    #-#    35c5db0e 2023-02-14 NFS: Add basic functionality for tracking folios in struct nfs_page        = 35c5db0e 2023-02-14                                                ~ bcdf77e6 2023-05-08
    #--    785207aa 2023-02-14 NFS: Fix for xfstests generic/208                                          = 785207aa 2023-02-14                                                ~ 8a993f0e 2023-05-08
    -#-    d585bdbe 2023-02-02 fs: convert writepage_t callback to pass a folio                           = d585bdbe 2023-02-02
    ##-    5970e15d 2023-01-11 filelock: move file locking definitions to separate header file            = 5970e15d 2023-01-11
    ##-    17b985de 2022-11-30 nfs: use locks_inode_context helper                                        = 17b985de 2022-11-30                                                ~ 37028f07 2023-03-27
    -#-    d7a51186 2022-09-08 NFSv4.2: Update mode bits after ALLOCATE and DEALLOCATE                    = d7a51186 2022-09-08                         ~ 6e5f8670 2022-09-26  ~ 6e5f8670 2022-09-26
    -#-    67f4b5dc 2022-08-13 NFS: Fix another fsync() issue after a server reboot                       = 67f4b5dc 2022-08-13  ~ 3b97deb4 2022-09-15  ~ 55fe4913 2022-09-26  ~ 55fe4913 2022-09-26
    -##    af887e43 2022-08-09 NFS: Improve write error tracing                                           = af887e43 2022-08-09                                                ~ 531e57c0 2023-05-08
    -#-    b1a28f2e 2022-08-02 NFS: nfs_async_write_reschedule_io must not recurse into the writeback co  = b1a28f2e 2022-08-02  ~ 31545f4b 2024-12-14                         ~ 14ce2287 2023-05-08
    -#-    54184650 2022-08-02 mm/migrate: Convert migrate_page() to migrate_folio()                      = 54184650 2022-08-02                                                ~ 30ef2db2 2023-03-24
    -#-    4ae84a80 2022-08-02 nfs: Convert to migrate_folio                                              = 4ae84a80 2022-08-02                                                ~ 3a51424d 2023-03-24
    -#-    69d96651 2022-07-23 nfs: only issue commit in DIO codepath if we have uncommitted data         = 69d96651 2022-07-23                         ~ 7188cfeb 2022-08-11  ~ 7188cfeb 2022-08-11
    ##-    118f09ed 2022-05-31 NFSv4.1 mark qualified async operations as MOVEABLE tasks                  = 118f09ed 2022-05-31  ~ 54c40880 2022-06-09  ~ 161caa70 2022-08-16  ~ 161caa70 2022-08-16
    -#-    c6fd3511 2022-05-17 NFS: Further fixes to the writeback error handling                         = c6fd3511 2022-05-17  ~ 08b9d374 2022-06-09  ~ 68bb2d53 2022-09-26  ~ 68bb2d53 2022-09-26
    -#-    c5e483b7 2022-05-17 NFS: Don't report errors from nfs_pageio_complete() more than once         = c5e483b7 2022-05-17  ~ 471577e9 2022-06-09  ~ 1fe4343f 2022-09-26  ~ 1fe4343f 2022-09-26
    -#-    cea9ba72 2022-05-17 NFS: Do not report EINTR/ERESTARTSYS as mapping errors                     = cea9ba72 2022-05-17  ~ 79e0b743 2022-06-09  ~ 47814bd1 2022-09-26  ~ 47814bd1 2022-09-26
    #--    d02d81ef 2022-03-25 NFS: Don't loop forever in nfs_do_recoalesce()                             = d02d81ef 2022-03-25  ~ c9557823 2022-04-08  ~ c5a0cf68 2022-03-31  ~ c5a0cf68 2022-03-31
    -#-    6df25e58 2022-03-22 nfs: remove reliance on bdi congestion                                     = 6df25e58 2022-03-22                         ~ 7c6a9cbd 2022-09-26  ~ 7c6a9cbd 2022-09-26
    ##-    0bae835b 2022-03-22 NFS: Avoid writeback threads getting stuck in mempool_alloc()              = 0bae835b 2022-03-22  ~ ea029e4c 2022-04-13  ~ a327333b 2022-09-26  ~ a327333b 2022-09-26
    -#-    515dcdcd 2022-03-22 NFS: nfsiod should not block forever in mempool_alloc()                    = 515dcdcd 2022-03-22  ~ da747de6 2022-04-13  ~ 8038eeb7 2022-09-26  ~ 8038eeb7 2022-09-26
    -#-    6d740c76 2022-03-15 nfs: Convert from invalidatepage to invalidate_folio                       = 6d740c76 2022-03-15                                                ~ d9b9cd9f 2023-03-24
    -#-    8db55a03 2022-03-13 SUNRPC: improve 'swap' handling: scheduling and PF_MEMALLOC                = 8db55a03 2022-03-13                         ~ d8a28fa2 2022-09-26  ~ d8a28fa2 2022-09-26
    -#-    6c984083 2022-02-25 NFS: Use of mapping_set_error() results in spurious errors                 = 6c984083 2022-02-25  ~ ba3a3390 2022-04-08  ~ f167e355 2022-09-26  ~ f167e355 2022-09-26
    -#-    88a6099f 2022-02-25 NFS: Replace last uses of NFS_INO_REVAL_PAGECACHE                          = 88a6099f 2022-02-25                         ~ a04ea5ad 2022-09-26  ~ a04ea5ad 2022-09-26
    -#-    16f2f4e6 2022-01-10 nfs: Implement cache I/O by accessing the cache directly                   = 16f2f4e6 2022-01-10                         ~ 9450678e 2022-08-22  ~ 9450678e 2022-08-22
    -#-    a6b5a28e 2022-01-10 nfs: Convert to new fscache volume/cookie API                              = a6b5a28e 2022-01-10                         ~ fc6c4cab 2022-08-22  ~ fc6c4cab 2022-08-22
    -#-    4cd27df8 2021-10-21 NFS: Remove redundant call to __set_page_dirty_nobuffers                   = 4cd27df8 2021-10-21                         ~ 48bc6a48 2022-02-03  ~ 48bc6a48 2022-02-03
    ##-    b40887e1 2021-10-20 SUNRPC: Trace calls to .rpc_call_done                                      = b40887e1 2021-10-20                         ~ 8a51e317 2022-02-03  ~ 8a51e317 2022-02-03
    -#-    133a48ab 2021-10-20 NFS: Fix up commit deadlocks                                               = 133a48ab 2021-10-20  ~ 9443fcc2 2021-11-18  ~ 3bd5d379 2022-02-03  ~ 3bd5d379 2022-02-03
    -#-    64a93dbf 2021-10-10 NFS: Fix deadlocks in nfs_scan_commit_list()                               = 64a93dbf 2021-10-10  ~ cab693c0 2021-11-18  ~ a03e0f30 2022-02-03  ~ a03e0f30 2022-02-03
    -#-    110cb2d2 2021-10-10 NFS: Instrument i_size_write()                                             = 110cb2d2 2021-10-10                         ~ 6a3e6152 2022-02-03  ~ 6a3e6152 2022-02-03
    #--    43d20e80 2021-10-03 NFS: Fix a few more clear_bit() instances that need release semantics      = 43d20e80 2021-10-03                         ~ 61b320de 2022-02-03  ~ 61b320de 2022-02-03
    -#-    ca05cbae 2021-10-03 NFS: Fix up nfs_ctx_key_to_expire()                                        = ca05cbae 2021-10-03                         ~ 116a5bda 2022-02-03  ~ 116a5bda 2022-02-03
    ##-    85e39fee 2021-07-08 NFSv4.1 identify and mark RPC tasks that can move between transports       = 85e39fee 2021-07-08  = 85e39fee 2021-07-08  = 85e39fee 2021-07-08  = 85e39fee 2021-07-08
    #--    70536bf4 2021-05-26 NFS: Clean up reset of the mirror accounting variables                     = 70536bf4 2021-05-26  = 70536bf4 2021-05-26  = 70536bf4 2021-05-26  = 70536bf4 2021-05-26
    #--    0d0ea309 2021-05-26 NFS: Don't corrupt the value of pg_bytes_written in nfs_do_recoalesce()    = 0d0ea309 2021-05-26  = 0d0ea309 2021-05-26  = 0d0ea309 2021-05-26  = 0d0ea309 2021-05-26
    [... further history identical for all versions ...]

kABI check: passed

$ DEBUG=1 CVE=CVE-batch-13 ./ninja.sh -d explain _kabi_check_kernel__x86_64--test--ciqlts9_2-CVE-batch-13

[0/1] kabi_check_kernel	Check ABI of kernel [ciqlts9_2-CVE-batch-13]	_kabi_check_kernel__x86_64--test--ciqlts9_2-CVE-batch-13
++ uname -m
+ python3 /data/src/ctrliq-github-haskell/kernel-dist-git-el-9.2/SOURCES/check-kabi -k /data/src/ctrliq-github-haskell/kernel-dist-git-el-9.2/SOURCES/Module.kabi_x86_64 -s vms/x86_64--build--ciqlts9_2/build_files/kernel-src-tree-ciqlts9_2-CVE-batch-13/Module.symvers
kABI check passed
+ touch state/kernels/ciqlts9_2-CVE-batch-13/x86_64/kabi_checked

Boot test: passed

boot-test.log

[pvts@ciqlts-9-2 ~]$ sudo modprobe bluetooth
[  223.031861] Bluetooth: Core ver 2.22
[  223.032453] NET: Registered PF_BLUETOOTH protocol family
[  223.033156] Bluetooth: HCI device and connection manager initialized
[  223.033989] Bluetooth: HCI socket layer initialized
[  223.034627] Bluetooth: L2CAP socket layer initialized
[  223.035293] Bluetooth: SCO socket layer initialized

[pvts@ciqlts-9-2 ~]$ sudo modprobe nfs
[  234.800546] FS-Cache: Loaded

Kselftests: passed relative

Reference

kselftests–ciqlts9_2–run1.log
kselftests–ciqlts9_2–run2.log

Patch

kselftests–ciqlts9_2-CVE-batch-13–run1.log
kselftests–ciqlts9_2-CVE-batch-13–run2.log

Comparison

The tests results for the reference and the patch are the same.

$ ktests.xsh diff  kselftests*.log

Column    File
--------  --------------------------------------------
Status0   kselftests--ciqlts9_2--run1.log
Status1   kselftests--ciqlts9_2--run2.log
Status2   kselftests--ciqlts9_2-CVE-batch-13--run1.log
Status3   kselftests--ciqlts9_2-CVE-batch-13--run2.log

TestCase                                               Status0  Status1  Status2  Status3  Summary
bpf:test_bpftool.sh                                    pass     pass     pass     pass     same
bpf:test_bpftool_build.sh                              pass     pass     pass     pass     same
bpf:test_bpftool_metadata.sh                           pass     pass     pass     pass     same
bpf:test_cgroup_storage                                pass     pass     pass     pass     same
bpf:test_doc_build.sh                                  pass     pass     pass     pass     same
bpf:test_flow_dissector.sh                             fail     fail     fail     fail     same
bpf:test_lirc_mode2.sh                                 pass     pass     pass     pass     same
bpf:test_lpm_map                                       pass     pass     pass     pass     same
bpf:test_lru_map                                       pass     pass     pass     pass     same
bpf:test_lwt_ip_encap.sh                               pass     pass     pass     pass     same
bpf:test_lwt_seg6local.sh                              pass     pass     pass     pass     same
bpf:test_offload.py                                    fail     fail     fail     fail     same
bpf:test_sock                                          pass     pass     pass     pass     same
bpf:test_sock_addr.sh                                  pass     pass     pass     pass     same
bpf:test_sysctl                                        pass     pass     pass     pass     same
bpf:test_tag                                           pass     pass     pass     pass     same
bpf:test_tc_edt.sh                                     pass     pass     pass     pass     same
bpf:test_tc_tunnel.sh                                  fail     fail     fail     fail     same
bpf:test_tcp_check_syncookie.sh                        pass     pass     pass     pass     same
bpf:test_tcpnotify_user                                pass     pass     pass     pass     same
bpf:test_tunnel.sh                                     fail     fail     fail     fail     same
bpf:test_verifier                                      fail     fail     fail     fail     same
bpf:test_xdp_meta.sh                                   pass     pass     pass     pass     same
bpf:test_xdp_redirect.sh                               pass     pass     pass     pass     same
bpf:test_xdp_redirect_multi.sh                         pass     pass     pass     pass     same
bpf:test_xdp_veth.sh                                   pass     pass     pass     pass     same
bpf:test_xdp_vlan_mode_generic.sh                      pass     pass     pass     pass     same
bpf:test_xdp_vlan_mode_native.sh                       pass     pass     pass     pass     same
bpf:test_xdping.sh                                     pass     pass     pass     pass     same
breakpoints:breakpoint_test                            pass     pass     pass     pass     same
capabilities:test_execve                               pass     pass     pass     pass     same
cgroup:test_core                                       fail     fail     fail     fail     same
cgroup:test_cpuset_prs.sh                              pass     pass     pass     pass     same
cgroup:test_kill                                       pass     pass     pass     pass     same
cgroup:test_kmem                                       pass     pass     pass     pass     same
cgroup:test_stress.sh                                  fail     fail     fail     fail     same
clone3:clone3                                          pass     pass     pass     pass     same
clone3:clone3_cap_checkpoint_restore                   pass     pass     pass     pass     same
clone3:clone3_clear_sighand                            pass     pass     pass     pass     same
clone3:clone3_set_tid                                  pass     pass     pass     pass     same
core:close_range_test                                  pass     pass     pass     pass     same
cpu-hotplug:cpu-on-off-test.sh                         pass     pass     pass     pass     same
cpufreq:main.sh                                        fail     fail     fail     fail     same
drivers/dma-buf:udmabuf                                pass     pass     pass     pass     same
drivers/net/bonding:bond-arp-interval-causes-panic.sh  pass     pass     pass     pass     same
drivers/net/bonding:bond-break-lacpdu-tx.sh            pass     pass     pass     pass     same
drivers/net/bonding:bond-lladdr-target.sh              pass     pass     pass     pass     same
drivers/net/bonding:dev_addr_lists.sh                  pass     pass     pass     pass     same
drivers/net/bonding:mode-1-recovery-updelay.sh         pass     pass     pass     pass     same
drivers/net/bonding:mode-2-recovery-updelay.sh         pass     pass     pass     pass     same
drivers/net/team:dev_addr_lists.sh                     pass     pass     pass     pass     same
filesystems/binderfs:binderfs_test                     fail     fail     fail     fail     same
firmware:fw_run_tests.sh                               skip     skip     skip     skip     same
fpu:run_test_fpu.sh                                    skip     skip     skip     skip     same
fpu:test_fpu                                           pass     pass     pass     pass     same
ftrace:ftracetest                                      fail     fail     fail     fail     same
futex:run.sh                                           pass     pass     pass     pass     same
gpio:gpio-mockup.sh                                    fail     fail     fail     fail     same
intel_pstate:run.sh                                    pass     pass     pass     pass     same
ipc:msgque                                             pass     pass     pass     pass     same
ir:ir_loopback.sh                                      skip     skip     skip     skip     same
kcmp:kcmp_test                                         pass     pass     pass     pass     same
kexec:test_kexec_file_load.sh                          skip     skip     skip     skip     same
kexec:test_kexec_load.sh                               skip     skip     skip     skip     same
kvm:access_tracking_perf_test                          pass     pass     pass     pass     same
kvm:amx_test                                           fail     fail     fail     fail     same
kvm:cpuid_test                                         fail     fail     fail     fail     same
kvm:cr4_cpuid_sync_test                                fail     fail     fail     fail     same
kvm:debug_regs                                         fail     fail     fail     fail     same
kvm:demand_paging_test                                 pass     pass     pass     pass     same
kvm:dirty_log_perf_test                                pass     pass     pass     pass     same
kvm:dirty_log_test                                     fail     fail     fail     fail     same
kvm:emulator_error_test                                fail     fail     fail     fail     same
kvm:evmcs_test                                         fail     fail     fail     fail     same
kvm:fix_hypercall_test                                 fail     fail     fail     fail     same
kvm:get_msr_index_features                             fail     fail     fail     fail     same
kvm:hardware_disable_test                              pass     pass     pass     pass     same
kvm:hyperv_clock                                       fail     fail     fail     fail     same
kvm:hyperv_cpuid                                       fail     fail     fail     fail     same
kvm:hyperv_features                                    fail     fail     fail     fail     same
kvm:hyperv_svm_test                                    fail     fail     fail     fail     same
kvm:kvm_binary_stats_test                              pass     pass     pass     pass     same
kvm:kvm_clock_test                                     fail     fail     fail     fail     same
kvm:kvm_create_max_vcpus                               pass     pass     pass     pass     same
kvm:kvm_page_table_test                                pass     pass     pass     pass     same
kvm:kvm_pv_test                                        fail     fail     fail     fail     same
kvm:max_guest_memory_test                              pass     pass     pass     pass     same
kvm:max_vcpuid_cap_test                                fail     fail     fail     fail     same
kvm:memslot_modification_stress_test                   pass     pass     pass     pass     same
kvm:memslot_perf_test                                  pass     pass     pass     pass     same
kvm:mmio_warning_test                                  fail     fail     fail     fail     same
kvm:monitor_mwait_test                                 fail     fail     fail     fail     same
kvm:nx_huge_pages_test.sh                              fail     fail     fail     fail     same
kvm:platform_info_test                                 fail     fail     fail     fail     same
kvm:pmu_event_filter_test                              fail     fail     fail     fail     same
kvm:rseq_test                                          fail     fail     fail     fail     same
kvm:set_boot_cpu_id                                    fail     fail     fail     fail     same
kvm:set_memory_region_test                             pass     pass     pass     pass     same
kvm:set_sregs_test                                     fail     fail     fail     fail     same
kvm:sev_migrate_tests                                  fail     fail     fail     fail     same
kvm:smm_test                                           fail     fail     fail     fail     same
kvm:state_test                                         fail     fail     fail     fail     same
kvm:steal_time                                         pass     pass     pass     pass     same
kvm:svm_int_ctl_test                                   fail     fail     fail     fail     same
kvm:svm_nested_soft_inject_test                        fail     fail     fail     fail     same
kvm:svm_vmcall_test                                    fail     fail     fail     fail     same
kvm:sync_regs_test                                     fail     fail     fail     fail     same
kvm:system_counter_offset_test                         pass     pass     pass     pass     same
kvm:triple_fault_event_test                            fail     fail     fail     fail     same
kvm:tsc_msrs_test                                      fail     fail     fail     fail     same
kvm:tsc_scaling_sync                                   fail     fail     fail     fail     same
kvm:ucna_injection_test                                fail     fail     fail     fail     same
kvm:userspace_io_test                                  fail     fail     fail     fail     same
kvm:userspace_msr_exit_test                            fail     fail     fail     fail     same
kvm:vmx_apic_access_test                               fail     fail     fail     fail     same
kvm:vmx_close_while_nested_test                        fail     fail     fail     fail     same
kvm:vmx_dirty_log_test                                 fail     fail     fail     fail     same
kvm:vmx_exception_with_invalid_guest_state             fail     fail     fail     fail     same
kvm:vmx_invalid_nested_guest_state                     fail     fail     fail     fail     same
kvm:vmx_msrs_test                                      fail     fail     fail     fail     same
kvm:vmx_nested_tsc_scaling_test                        fail     fail     fail     fail     same
kvm:vmx_pmu_caps_test                                  fail     fail     fail     fail     same
kvm:vmx_preemption_timer_test                          fail     fail     fail     fail     same
kvm:vmx_set_nested_state_test                          fail     fail     fail     fail     same
kvm:vmx_tsc_adjust_test                                fail     fail     fail     fail     same
kvm:xapic_ipi_test                                     fail     fail     fail     fail     same
kvm:xapic_state_test                                   fail     fail     fail     fail     same
kvm:xen_shinfo_test                                    fail     fail     fail     fail     same
kvm:xen_vmcall_test                                    fail     fail     fail     fail     same
kvm:xss_msr_test                                       fail     fail     fail     fail     same
landlock:base_test                                     fail     fail     fail     fail     same
landlock:fs_test                                       fail     fail     fail     fail     same
landlock:ptrace_test                                   fail     fail     fail     fail     same
lib:bitmap.sh                                          skip     skip     skip     skip     same
lib:prime_numbers.sh                                   skip     skip     skip     skip     same
lib:printf.sh                                          skip     skip     skip     skip     same
lib:scanf.sh                                           skip     skip     skip     skip     same
lib:strscpy.sh                                         skip     skip     skip     skip     same
livepatch:test-callbacks.sh                            skip     skip     skip     skip     same
livepatch:test-ftrace.sh                               skip     skip     skip     skip     same
livepatch:test-livepatch.sh                            skip     skip     skip     skip     same
livepatch:test-shadow-vars.sh                          skip     skip     skip     skip     same
livepatch:test-state.sh                                skip     skip     skip     skip     same
membarrier:membarrier_test_multi_thread                pass     pass     pass     pass     same
membarrier:membarrier_test_single_thread               pass     pass     pass     pass     same
memfd:memfd_test                                       pass     pass     pass     pass     same
memfd:run_fuse_test.sh                                 pass     pass     pass     pass     same
memfd:run_hugetlbfs_test.sh                            pass     pass     pass     pass     same
memory-hotplug:mem-on-off-test.sh                      pass     pass     pass     pass     same
mincore:mincore_selftest                               fail     fail     fail     fail     same
mount:run_nosymfollow.sh                               pass     pass     pass     pass     same
mount:run_unprivileged_remount.sh                      pass     pass     pass     pass     same
mqueue:mq_open_tests                                   pass     pass     pass     pass     same
mqueue:mq_perf_tests                                   pass     pass     pass     pass     same
nci:nci_dev                                            fail     fail     fail     fail     same
net/forwarding:bridge_locked_port.sh                   pass     pass     pass     pass     same
net/forwarding:bridge_mld.sh                           fail     fail     fail     fail     same
net/forwarding:bridge_port_isolation.sh                pass     pass     pass     pass     same
net/forwarding:bridge_sticky_fdb.sh                    pass     pass     pass     pass     same
net/forwarding:bridge_vlan_aware.sh                    fail     fail     fail     fail     same
net/forwarding:bridge_vlan_mcast.sh                    fail     fail     fail     fail     same
net/forwarding:bridge_vlan_unaware.sh                  pass     pass     pass     pass     same
net/forwarding:custom_multipath_hash.sh                fail     fail     fail     fail     same
net/forwarding:ethtool.sh                              fail     fail     fail     fail     same
net/forwarding:ethtool_extended_state.sh               fail     fail     fail     fail     same
net/forwarding:gre_custom_multipath_hash.sh            fail     fail     fail     fail     same
net/forwarding:gre_inner_v4_multipath.sh               fail     fail     fail     fail     same
net/forwarding:gre_multipath.sh                        fail     fail     fail     fail     same
net/forwarding:gre_multipath_nh.sh                     fail     fail     fail     fail     same
net/forwarding:gre_multipath_nh_res.sh                 fail     fail     fail     fail     same
net/forwarding:hw_stats_l3.sh                          fail     fail     fail     fail     same
net/forwarding:hw_stats_l3_gre.sh                      fail     fail     fail     fail     same
net/forwarding:ip6_forward_instats_vrf.sh              fail     fail     fail     fail     same
net/forwarding:ip6gre_custom_multipath_hash.sh         fail     fail     fail     fail     same
net/forwarding:ip6gre_flat.sh                          pass     pass     pass     pass     same
net/forwarding:ip6gre_flat_key.sh                      pass     pass     pass     pass     same
net/forwarding:ip6gre_flat_keys.sh                     pass     pass     pass     pass     same
net/forwarding:ip6gre_hier.sh                          pass     pass     pass     pass     same
net/forwarding:ip6gre_hier_key.sh                      pass     pass     pass     pass     same
net/forwarding:ip6gre_hier_keys.sh                     pass     pass     pass     pass     same
net/forwarding:ip6gre_inner_v4_multipath.sh            fail     fail     fail     fail     same
net/forwarding:ip6gre_inner_v6_multipath.sh            fail     fail     fail     fail     same
net/forwarding:ipip_flat_gre.sh                        pass     pass     pass     pass     same
net/forwarding:ipip_flat_gre_key.sh                    pass     pass     pass     pass     same
net/forwarding:ipip_flat_gre_keys.sh                   pass     pass     pass     pass     same
net/forwarding:ipip_hier_gre.sh                        pass     pass     pass     pass     same
net/forwarding:ipip_hier_gre_key.sh                    pass     pass     pass     pass     same
net/forwarding:loopback.sh                             skip     skip     skip     skip     same
net/forwarding:mirror_gre.sh                           fail     fail     fail     fail     same
net/forwarding:mirror_gre_bound.sh                     pass     pass     pass     pass     same
net/forwarding:mirror_gre_bridge_1d.sh                 pass     pass     pass     pass     same
net/forwarding:mirror_gre_bridge_1q.sh                 pass     pass     pass     pass     same
net/forwarding:mirror_gre_bridge_1q_lag.sh             pass     pass     pass     pass     same
net/forwarding:mirror_gre_changes.sh                   fail     fail     fail     fail     same
net/forwarding:mirror_gre_flower.sh                    fail     fail     fail     fail     same
net/forwarding:mirror_gre_lag_lacp.sh                  pass     pass     pass     pass     same
net/forwarding:mirror_gre_neigh.sh                     pass     pass     pass     pass     same
net/forwarding:mirror_gre_nh.sh                        pass     pass     pass     pass     same
net/forwarding:mirror_gre_vlan.sh                      pass     pass     pass     pass     same
net/forwarding:mirror_vlan.sh                          pass     pass     pass     pass     same
net/forwarding:pedit_dsfield.sh                        pass     pass     pass     pass     same
net/forwarding:pedit_ip.sh                             pass     pass     pass     pass     same
net/forwarding:pedit_l4port.sh                         pass     pass     pass     pass     same
net/forwarding:q_in_vni_ipv6.sh                        pass     pass     pass     pass     same
net/forwarding:router.sh                               skip     skip     skip     skip     same
net/forwarding:router_bridge.sh                        pass     pass     pass     pass     same
net/forwarding:router_bridge_vlan.sh                   pass     pass     pass     pass     same
net/forwarding:router_broadcast.sh                     pass     pass     pass     pass     same
net/forwarding:router_mpath_nh.sh                      fail     fail     fail     fail     same
net/forwarding:router_mpath_nh_res.sh                  fail     fail     fail     fail     same
net/forwarding:router_multicast.sh                     skip     skip     skip     skip     same
net/forwarding:router_multipath.sh                     fail     fail     fail     fail     same
net/forwarding:router_nh.sh                            pass     pass     pass     pass     same
net/forwarding:router_vid_1.sh                         pass     pass     pass     pass     same
net/forwarding:skbedit_priority.sh                     pass     pass     pass     pass     same
net/forwarding:tc_chains.sh                            pass     pass     pass     pass     same
net/forwarding:tc_flower.sh                            pass     pass     pass     pass     same
net/forwarding:tc_flower_router.sh                     pass     pass     pass     pass     same
net/forwarding:tc_mpls_l2vpn.sh                        pass     pass     pass     pass     same
net/forwarding:tc_shblocks.sh                          pass     pass     pass     pass     same
net/forwarding:tc_vlan_modify.sh                       pass     pass     pass     pass     same
net/forwarding:vxlan_asymmetric.sh                     pass     pass     pass     pass     same
net/forwarding:vxlan_asymmetric_ipv6.sh                pass     pass     pass     pass     same
net/forwarding:vxlan_bridge_1d.sh                      fail     fail     fail     fail     same
net/forwarding:vxlan_bridge_1d_port_8472.sh            pass     pass     pass     pass     same
net/forwarding:vxlan_bridge_1d_port_8472_ipv6.sh       fail     fail     fail     fail     same
net/forwarding:vxlan_bridge_1q.sh                      fail     fail     fail     fail     same
net/forwarding:vxlan_bridge_1q_ipv6.sh                 fail     fail     fail     fail     same
net/forwarding:vxlan_bridge_1q_port_8472.sh            pass     pass     pass     pass     same
net/forwarding:vxlan_bridge_1q_port_8472_ipv6.sh       fail     fail     fail     fail     same
net/forwarding:vxlan_symmetric.sh                      pass     pass     pass     pass     same
net/forwarding:vxlan_symmetric_ipv6.sh                 pass     pass     pass     pass     same
net/mptcp:diag.sh                                      pass     pass     pass     pass     same
net/mptcp:mptcp_connect.sh                             pass     pass     pass     pass     same
net/mptcp:mptcp_sockopt.sh                             pass     pass     pass     pass     same
net/mptcp:pm_netlink.sh                                pass     pass     pass     pass     same
net:altnames.sh                                        pass     pass     pass     pass     same
net:bareudp.sh                                         pass     pass     pass     pass     same
net:cmsg_so_mark.sh                                    pass     pass     pass     pass     same
net:devlink_port_split.py                              skip     skip     skip     skip     same
net:drop_monitor_tests.sh                              skip     skip     skip     skip     same
net:fcnal-test.sh                                      skip     skip     skip     skip     same
net:fib-onlink-tests.sh                                pass     pass     pass     pass     same
net:fib_nexthop_multiprefix.sh                         pass     pass     pass     pass     same
net:fib_rule_tests.sh                                  pass     pass     pass     pass     same
net:fib_tests.sh                                       fail     fail     fail     fail     same
net:fin_ack_lat.sh                                     pass     pass     pass     pass     same
net:gre_gso.sh                                         pass     pass     pass     pass     same
net:icmp.sh                                            fail     fail     fail     fail     same
net:icmp_redirect.sh                                   pass     pass     pass     pass     same
net:ip6_gre_headroom.sh                                pass     pass     pass     pass     same
net:ipv6_flowlabel.sh                                  pass     pass     pass     pass     same
net:l2tp.sh                                            pass     pass     pass     pass     same
net:msg_zerocopy.sh                                    pass     pass     pass     pass     same
net:netdevice.sh                                       pass     pass     pass     pass     same
net:pmtu.sh                                            pass     pass     pass     pass     same
net:psock_snd.sh                                       pass     pass     pass     pass     same
net:reuseaddr_conflict                                 pass     pass     pass     pass     same
net:reuseaddr_ports_exhausted.sh                       pass     pass     pass     pass     same
net:reuseport_bpf                                      pass     pass     pass     pass     same
net:reuseport_bpf_cpu                                  pass     pass     pass     pass     same
net:reuseport_bpf_numa                                 pass     pass     pass     pass     same
net:reuseport_dualstack                                pass     pass     pass     pass     same
net:route_localnet.sh                                  pass     pass     pass     pass     same
net:rps_default_mask.sh                                fail     fail     fail     fail     same
net:rtnetlink.sh                                       skip     skip     skip     skip     same
net:run_afpackettests                                  pass     pass     pass     pass     same
net:run_netsocktests                                   pass     pass     pass     pass     same
net:rxtimestamp.sh                                     pass     pass     pass     pass     same
net:so_txtime.sh                                       pass     pass     pass     pass     same
net:stress_reuseport_listen.sh                         pass     pass     pass     pass     same
net:tcp_fastopen_backup_key.sh                         pass     pass     pass     pass     same
net:test_blackhole_dev.sh                              fail     fail     fail     fail     same
net:test_bpf.sh                                        pass     pass     pass     pass     same
net:test_vxlan_fdb_changelink.sh                       pass     pass     pass     pass     same
net:test_vxlan_under_vrf.sh                            pass     pass     pass     pass     same
net:tls                                                pass     pass     pass     pass     same
net:traceroute.sh                                      pass     pass     pass     pass     same
net:udpgro.sh                                          fail     fail     fail     fail     same
net:udpgro_bench.sh                                    fail     fail     fail     fail     same
net:udpgso.sh                                          pass     pass     pass     pass     same
net:unicast_extensions.sh                              pass     pass     pass     pass     same
net:veth.sh                                            fail     fail     fail     fail     same
net:vrf-xfrm-tests.sh                                  pass     pass     pass     pass     same
net:vrf_route_leaking.sh                               fail     fail     fail     fail     same
net:vrf_strict_mode_test.sh                            pass     pass     pass     pass     same
netfilter:bridge_brouter.sh                            skip     skip     skip     skip     same
netfilter:conntrack_icmp_related.sh                    fail     fail     fail     fail     same
netfilter:conntrack_tcp_unreplied.sh                   pass     pass     pass     pass     same
netfilter:conntrack_vrf.sh                             pass     pass     pass     pass     same
netfilter:ipvs.sh                                      pass     pass     pass     pass     same
netfilter:nf_nat_edemux.sh                             fail     fail     fail     fail     same
netfilter:nft_concat_range.sh                          fail     fail     fail     fail     same
netfilter:nft_conntrack_helper.sh                      skip     skip     skip     skip     same
netfilter:nft_fib.sh                                   skip     skip     skip     skip     same
netfilter:nft_flowtable.sh                             fail     fail     fail     fail     same
netfilter:nft_meta.sh                                  pass     pass     pass     pass     same
netfilter:nft_nat.sh                                   skip     skip     skip     skip     same
netfilter:nft_queue.sh                                 skip     skip     skip     skip     same
netfilter:rpath.sh                                     pass     pass     pass     pass     same
nsfs:owner                                             pass     pass     pass     pass     same
nsfs:pidns                                             pass     pass     pass     pass     same
openat2:openat2_test                                   fail     fail     fail     fail     same
openat2:rename_attack_test                             pass     pass     pass     pass     same
openat2:resolve_test                                   fail     fail     fail     fail     same
pid_namespace:regression_enomem                        pass     pass     pass     pass     same
pidfd:pidfd_fdinfo_test                                pass     pass     pass     pass     same
pidfd:pidfd_getfd_test                                 pass     pass     pass     pass     same
pidfd:pidfd_open_test                                  pass     pass     pass     pass     same
pidfd:pidfd_poll_test                                  pass     pass     pass     pass     same
pidfd:pidfd_setns_test                                 pass     pass     pass     pass     same
pidfd:pidfd_test                                       pass     pass     pass     pass     same
pidfd:pidfd_wait                                       pass     pass     pass     pass     same
proc:fd-001-lookup                                     pass     pass     pass     pass     same
proc:fd-002-posix-eq                                   pass     pass     pass     pass     same
proc:fd-003-kthread                                    pass     pass     pass     pass     same
proc:proc-fsconfig-hidepid                             pass     pass     pass     pass     same
proc:proc-loadavg-001                                  pass     pass     pass     pass     same
proc:proc-multiple-procfs                              pass     pass     pass     pass     same
proc:proc-self-map-files-001                           pass     pass     pass     pass     same
proc:proc-self-map-files-002                           pass     pass     pass     pass     same
proc:proc-self-syscall                                 pass     pass     pass     pass     same
proc:proc-self-wchan                                   pass     pass     pass     pass     same
proc:proc-subset-pid                                   pass     pass     pass     pass     same
proc:proc-uptime-002                                   pass     pass     pass     pass     same
proc:read                                              pass     pass     pass     pass     same
proc:self                                              pass     pass     pass     pass     same
proc:setns-dcache                                      pass     pass     pass     pass     same
proc:setns-sysvipc                                     pass     pass     pass     pass     same
proc:thread-self                                       pass     pass     pass     pass     same
pstore:pstore_post_reboot_tests                        skip     skip     skip     skip     same
pstore:pstore_tests                                    fail     fail     fail     fail     same
ptrace:get_syscall_info                                pass     pass     pass     pass     same
ptrace:peeksiginfo                                     pass     pass     pass     pass     same
ptrace:vmaccess                                        fail     fail     fail     fail     same
rlimits:rlimits-per-userns                             pass     pass     pass     pass     same
rseq:basic_percpu_ops_test                             pass     pass     pass     pass     same
rseq:basic_test                                        pass     pass     pass     pass     same
rseq:param_test                                        pass     pass     pass     pass     same
rseq:param_test_benchmark                              pass     pass     pass     pass     same
rseq:param_test_compare_twice                          pass     pass     pass     pass     same
rseq:run_param_test.sh                                 pass     pass     pass     pass     same
seccomp:seccomp_benchmark                              pass     pass     pass     pass     same
seccomp:seccomp_bpf                                    pass     pass     pass     pass     same
sgx:test_sgx                                           fail     fail     fail     fail     same
sigaltstack:sas                                        pass     pass     pass     pass     same
size:get_size                                          pass     pass     pass     pass     same
splice:default_file_splice_read.sh                     pass     pass     pass     pass     same
splice:short_splice_read.sh                            fail     fail     fail     fail     same
static_keys:test_static_keys.sh                        skip     skip     skip     skip     same
syscall_user_dispatch:sud_benchmark                    pass     pass     pass     pass     same
syscall_user_dispatch:sud_test                         pass     pass     pass     pass     same
tc-testing:tdc.sh                                      fail     fail     fail     fail     same
tdx:tdx_guest_test                                     fail     fail     fail     fail     same
timens:clock_nanosleep                                 pass     pass     pass     pass     same
timens:exec                                            pass     pass     pass     pass     same
timens:futex                                           pass     pass     pass     pass     same
timens:procfs                                          pass     pass     pass     pass     same
timens:timens                                          pass     pass     pass     pass     same
timens:timer                                           pass     pass     pass     pass     same
timens:timerfd                                         pass     pass     pass     pass     same
timens:vfork_exec                                      pass     pass     pass     pass     same
timers:inconsistency-check                             pass     pass     pass     pass     same
timers:mqueue-lat                                      pass     pass     pass     pass     same
timers:nanosleep                                       pass     pass     pass     pass     same
timers:nsleep-lat                                      pass     pass     pass     pass     same
timers:posix_timers                                    pass     pass     pass     pass     same
timers:rtcpie                                          pass     pass     pass     pass     same
timers:set-timer-lat                                   pass     pass     pass     pass     same
timers:threadtest                                      pass     pass     pass     pass     same
tmpfs:bug-link-o-tmpfile                               pass     pass     pass     pass     same
tpm2:test_smoke.sh                                     skip     skip     skip     skip     same
tpm2:test_space.sh                                     skip     skip     skip     skip     same
vDSO:vdso_standalone_test_x86                          pass     pass     pass     pass     same
vDSO:vdso_test_abi                                     pass     pass     pass     pass     same
vDSO:vdso_test_clock_getres                            pass     pass     pass     pass     same
vDSO:vdso_test_correctness                             pass     pass     pass     pass     same
vDSO:vdso_test_getcpu                                  pass     pass     pass     pass     same
vDSO:vdso_test_gettimeofday                            pass     pass     pass     pass     same
vm:run_vmtests.sh                                      skip     skip     skip     skip     same
x86:amx_64                                             fail     fail     fail     fail     same
x86:check_initial_reg_state_64                         pass     pass     pass     pass     same
x86:corrupt_xstate_header_64                           pass     pass     pass     pass     same
x86:fsgsbase_64                                        pass     pass     pass     pass     same
x86:fsgsbase_restore_64                                pass     pass     pass     pass     same
x86:ioperm_64                                          pass     pass     pass     pass     same
x86:iopl_64                                            pass     pass     pass     pass     same
x86:mov_ss_trap_64                                     pass     pass     pass     pass     same
x86:sigaltstack_64                                     pass     pass     pass     pass     same
x86:sigreturn_64                                       pass     pass     pass     pass     same
x86:single_step_syscall_64                             pass     pass     pass     pass     same
x86:syscall_arg_fault_64                               pass     pass     pass     pass     same
x86:syscall_nt_64                                      pass     pass     pass     pass     same
x86:syscall_numbering_64                               pass     pass     pass     pass     same
x86:sysret_rip_64                                      pass     pass     pass     pass     same
x86:sysret_ss_attrs_64                                 pass     pass     pass     pass     same
x86:test_mremap_vdso_64                                pass     pass     pass     pass     same
x86:test_vsyscall_64                                   pass     pass     pass     pass     same
zram:zram.sh                                           pass     pass     pass     pass     same

@pvts-mat
Bluetooth: hci_core: Fix use-after-free in vhci_flush()
ce23ac8 
jira VULN-72347
cve CVE-2025-38250
commit-author Kuniyuki Iwashima <[email protected]>
commit 1d61231
upstream-diff Context conflicts resolved in 'hci_unregister_dev()'

syzbot reported use-after-free in vhci_flush() without repro. [0]

From the splat, a thread close()d a vhci file descriptor while
its device was being used by iotcl() on another thread.

Once the last fd refcnt is released, vhci_release() calls
hci_unregister_dev(), hci_free_dev(), and kfree() for struct
vhci_data, which is set to hci_dev->dev->driver_data.

The problem is that there is no synchronisation after unlinking
hdev from hci_dev_list in hci_unregister_dev().  There might be
another thread still accessing the hdev which was fetched before
the unlink operation.

We can use SRCU for such synchronisation.

Let's run hci_dev_reset() under SRCU and wait for its completion
in hci_unregister_dev().

Another option would be to restore hci_dev->destruct(), which was
removed in commit 587ae08 ("Bluetooth: Remove unused
hci-destruct cb").  However, this would not be a good solution, as
we should not run hci_unregister_dev() while there are in-flight
ioctl() requests, which could lead to another data-race KCSAN splat.

Note that other drivers seem to have the same problem, for exmaple,
virtbt_remove().

[0]:
BUG: KASAN: slab-use-after-free in skb_queue_empty_lockless include/linux/skbuff.h:1891 [inline]
BUG: KASAN: slab-use-after-free in skb_queue_purge_reason+0x99/0x360 net/core/skbuff.c:3937
Read of size 8 at addr ffff88807cb8d858 by task syz.1.219/6718

CPU: 1 UID: 0 PID: 6718 Comm: syz.1.219 Not tainted 6.16.0-rc1-syzkaller-00196-g08207f42d3ff #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0xd2/0x2b0 mm/kasan/report.c:521
 kasan_report+0x118/0x150 mm/kasan/report.c:634
 skb_queue_empty_lockless include/linux/skbuff.h:1891 [inline]
 skb_queue_purge_reason+0x99/0x360 net/core/skbuff.c:3937
 skb_queue_purge include/linux/skbuff.h:3368 [inline]
 vhci_flush+0x44/0x50 drivers/bluetooth/hci_vhci.c:69
 hci_dev_do_reset net/bluetooth/hci_core.c:552 [inline]
 hci_dev_reset+0x420/0x5c0 net/bluetooth/hci_core.c:592
 sock_do_ioctl+0xd9/0x300 net/socket.c:1190
 sock_ioctl+0x576/0x790 net/socket.c:1311
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fcf5b98e929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fcf5c7b9038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fcf5bbb6160 RCX: 00007fcf5b98e929
RDX: 0000000000000000 RSI: 00000000400448cb RDI: 0000000000000009
RBP: 00007fcf5ba10b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fcf5bbb6160 R15: 00007ffd6353d528
 </TASK>

Allocated by task 6535:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4359
 kmalloc_noprof include/linux/slab.h:905 [inline]
 kzalloc_noprof include/linux/slab.h:1039 [inline]
 vhci_open+0x57/0x360 drivers/bluetooth/hci_vhci.c:635
 misc_open+0x2bc/0x330 drivers/char/misc.c:161
 chrdev_open+0x4c9/0x5e0 fs/char_dev.c:414
 do_dentry_open+0xdf0/0x1970 fs/open.c:964
 vfs_open+0x3b/0x340 fs/open.c:1094
 do_open fs/namei.c:3887 [inline]
 path_openat+0x2ee5/0x3830 fs/namei.c:4046
 do_filp_open+0x1fa/0x410 fs/namei.c:4073
 do_sys_openat2+0x121/0x1c0 fs/open.c:1437
 do_sys_open fs/open.c:1452 [inline]
 __do_sys_openat fs/open.c:1468 [inline]
 __se_sys_openat fs/open.c:1463 [inline]
 __x64_sys_openat+0x138/0x170 fs/open.c:1463
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 6535:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2381 [inline]
 slab_free mm/slub.c:4643 [inline]
 kfree+0x18e/0x440 mm/slub.c:4842
 vhci_release+0xbc/0xd0 drivers/bluetooth/hci_vhci.c:671
 __fput+0x44c/0xa70 fs/file_table.c:465
 task_work_run+0x1d1/0x260 kernel/task_work.c:227
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0x6ad/0x22e0 kernel/exit.c:955
 do_group_exit+0x21c/0x2d0 kernel/exit.c:1104
 __do_sys_exit_group kernel/exit.c:1115 [inline]
 __se_sys_exit_group kernel/exit.c:1113 [inline]
 __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1113
 x64_sys_call+0x21ba/0x21c0 arch/x86/include/generated/asm/syscalls_64.h:232
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88807cb8d800
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 88 bytes inside of
 freed 1024-byte region [ffff88807cb8d800, ffff88807cb8dc00)

Fixes: bf18c71 ("Bluetooth: vhci: Free driver_data on file release")
	Reported-by: [email protected]
Closes: https://syzkaller.appspot.com/bug?extid=f62d64848fc4c7c30cd6
	Signed-off-by: Kuniyuki Iwashima <[email protected]>
	Acked-by: Paul Menzel <[email protected]>
	Signed-off-by: Luiz Augusto von Dentz <[email protected]>
(cherry picked from commit 1d61231)
	Signed-off-by: Marcin Wcisło <[email protected]>
@pvts-mat
nfs: fold nfs_page_group_lock_subrequests into nfs_lock_and_join_requ…
381e0b9 
…ests

jira VULN-136535
cve-pre CVE-2025-39697
commit-author Christoph Hellwig <[email protected]>
commit 25edbca
upstream-diff Used linux-5.15.y backport
  fd947b71cc1b86c4731f8d470f5ab5df94e838d8 as baseline, then accounted
  in 'nfs_lock_and_join_requests()' for the missing
  b193a78 backport.

Fold nfs_page_group_lock_subrequests into nfs_lock_and_join_requests to
prepare for future changes to this code, and move the helpers to write.c
as well.

	Signed-off-by: Christoph Hellwig <[email protected]>
	Reviewed-by: Sagi Grimberg <[email protected]>
	Signed-off-by: Anna Schumaker <[email protected]>
	Signed-off-by: Trond Myklebust <[email protected]>
	Signed-off-by: Greg Kroah-Hartman <[email protected]>
(cherry picked from commit fd947b71cc1b86c4731f8d470f5ab5df94e838d8)
	Signed-off-by: Marcin Wcisło <[email protected]>
@pvts-mat
NFS: Fix a race when updating an existing write
778c420 
jira VULN-136535
cve CVE-2025-39697
commit-author Trond Myklebust <[email protected]>
commit 76d2e38
upstream-diff Used linux-5.15.y backport
  f230d40147cc37eb3aef4d50e2e2c06ea73d9a77, which applied cleanly

After nfs_lock_and_join_requests() tests for whether the request is
still attached to the mapping, nothing prevents a call to
nfs_inode_remove_request() from succeeding until we actually lock the
page group.
The reason is that whoever called nfs_inode_remove_request() doesn't
necessarily have a lock on the page group head.

So in order to avoid races, let's take the page group lock earlier in
nfs_lock_and_join_requests(), and hold it across the removal of the
request in nfs_inode_remove_request().

	Reported-by: Jeff Layton <[email protected]>
	Tested-by: Joe Quanaim <[email protected]>
	Tested-by: Andrew Steffen <[email protected]>
	Reviewed-by: Jeff Layton <[email protected]>
Fixes: bd37d6f ("NFSv4: Convert nfs_lock_and_join_requests() to use nfs_page_find_head_request()")
	Cc: [email protected]
	Signed-off-by: Trond Myklebust <[email protected]>
	Signed-off-by: Greg Kroah-Hartman <[email protected]>
(cherry picked from commit f230d40147cc37eb3aef4d50e2e2c06ea73d9a77)
	Signed-off-by: Marcin Wcisło <[email protected]>
@pvts-mat pvts-mat changed the title Ciqlts9 2 CVE batch 13 [LTS 9.2] CVE-2025-38250, CVE-2025-39697 Dec 4, 2025
@PlaidCat PlaidCat requested a review from a team December 4, 2025 20:40
bmastbergen
bmastbergen approved these changes Dec 10, 2025
View reviewed changes
Copy link
Collaborator

@bmastbergen bmastbergen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🥌

@bmastbergen bmastbergen requested a review from a team December 10, 2025 21:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bmastbergen bmastbergen bmastbergen approved these changes

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@pvts-mat @bmastbergen