
[LTS 9.4] CVE-2025-39697, CVE-2025-38248#1210

Open
pvts-mat wants to merge 6 commits into ctrliq:ciqlts9_4 from pvts-mat:ciqlts9_4-CVE-batch-31

Conversation


pvts-mat commented May 8, 2026

[LTS 9.4]

CVE-2025-39697 VULN-136536
CVE-2025-38248 VULN-72330

Commits

CVE-2025-39697

0:

NFS: Fix a race when updating an existing write

jira VULN-136536
cve CVE-2025-39697
commit-author Trond Myklebust <trond.myklebust@hammerspace.com>
commit 76d2e3890fb169168c73f2e4f8375c7cc24a765e
upstream-diff Used linux-6.6.y backport
  181feb41f0b268e6288bf9a7b984624d7fe2031d for the clean cherry pick

1:

nfs: fold nfs_page_group_lock_subrequests into nfs_lock_and_join_requests

jira VULN-136536
cve-pre CVE-2025-39697
commit-author Christoph Hellwig <hch@lst.de>
commit 25edbcac6e32eab345e470d56ca9974a577b878b
upstream-diff Used linux-6.6.y backport
  9a1963404cc2eef69d2f8a42861bdf63d087dd5d for the clean cherry pick

2:

NFS: Use the correct commit info in nfs_join_page_group()

jira VULN-136536
cve-pre CVE-2025-39697
commit-author Trond Myklebust <trond.myklebust@hammerspace.com>
commit b193a78ddb5ee7dba074d3f28dc050069ba083c0

The fix 76d2e38 expands the locked range in the nfs_lock_and_join_requests() function, on code which in ciqlts9_4 was not inlined and remains in the nfs_page_group_lock_subrequests() function. Before it can be applied, the nfs_page_group_lock_subrequests() call must be inlined - this is what nfs: fold nfs_page_group_lock_subrequests into nfs_lock_and_join_requests accomplishes. The problem is that nfs_lock_and_join_requests() undergoes frequent changes and at the time of upstream's 25edbca it differs substantially from the LTS 9.4 version. A stable Linux version exists with CVE-2025-39697 backported, whose NFS timeline closely matches that of LTS 9.4 - linux-6.6.y:

   Label    File
   -------  ------------------------
   A        fs/nfs/pagelist.c
   B        fs/nfs/write.c
   C        include/linux/nfs_page.h
   
   ABC    kernel-mainline                                                                                                                     ciqlts9_4               linux-5.15.y            linux-6.1.y             linux-6.6.y             linux-6.12.y            linux-6.16.y
   -----  ----------------------------------------------------------------------------------------------------------------------------------  ----------------------  ----------------------  ----------------------  ----------------------  ----------------------  ----------------------
   ##-    69050f8d6d075dc01af7a5f2f550a8067510366f 2026-02-21 treewide: Replace kmalloc with kmalloc_obj for non-scalar types
   -#-    fd15b9c6ec8a3a6105a3295af52adea6d6e4cf59 2026-02-17 nfs: stop using writeback internals for WB_WRITEBACK accounting
   -#-    7537db24806fdc3d3ec4fef53babdc22c9219e75 2026-01-30 NFS: Merge CONFIG_NFS_V4_1 with CONFIG_NFS_V4
   -#-    cce0be6eb4971456b703aaeafd571650d314bcca 2026-01-04 NFS: Fix a deadlock involving nfs_release_folio()                                                                                                       ~ a4810f8be 2026-03-25  ~ 49d352bc2 2026-01-23
   -#-    9ff022f3820a31507cb93be6661bf5f3ca0609a4 2025-10-13 NFS: check if suid/sgid was cleared after a write as needed                                             ~ 652585576 2025-12-07                          ~ a74a8be26 2025-11-24  ~ 25fbc3c27 2025-11-24
   -#-    eb71428e1a7fb51b8d43762db1c2ec1d8a7a95b6 2025-09-26 NFSv4/flexfiles: Use ds_commit_idx when marking a write commit
   -#-    902893e3907620153a17fb40834ab6fba9f83fab 2025-09-23 NFS: Enable use of the RWF_DONTCACHE flag on the NFS client
   --#    301f3470273c89df3a933762b7495569f650e68b 2025-09-23 nfs: remove NFS_WBACK_BUSY()
   -#-    9082aae154be2d9e208b56e249cb886612f7c6cf 2025-09-23 sunrpc: remove dfprintk_cont() and dfprintk_rcu_cont()
   -#-    83c47ef8aca0dc5e2159e884b2bfd3440948eed1 2025-09-23 nfs: add tracepoints to nfs_writepages()
   -#-    b6ef079fd984930dcc42f4b247777f296528507e 2025-09-23 nfs: more in-depth tracing of writepage events
   -#-    4a2d81714d10e66dd7df50d32f9f30382b85fa43 2025-09-23 nfs: new tracepoints around write handling
   -#-    c12b6a7b12a13ccd3aece6be09345c1944e18d3e 2025-09-06 NFS: Fix the marking of the folio as up to date
   -#-    b7b8574225e9d2b5f1fb5483886ab797892f43b5 2025-09-06 NFS: nfs_invalidate_folio() must observe the offset and size arguments                                                                                                          ~ b7c6c76c8 2025-09-19  ~ fc3bc5d24 2025-09-19
0> ###    76d2e3890fb169168c73f2e4f8375c7cc24a765e 2025-08-19 NFS: Fix a race when updating an existing write                                                         ~ f230d4014 2025-09-04                          ~ 181feb41f 2025-09-04  ~ 92278ae36 2025-08-28  ~ 202a3432d 2025-08-28
   -#-    72508db0fe1762f2cfcff1cb4cf28a8e645bdd43 2025-07-14 NFS: Allow folio migration for the case of mode == MIGRATE_SYNC
   -#-    a8fb49c6abbbe5c71e1a8a888ef2c4b3e341d169 2025-07-09 mm: remove the for_reclaim field from struct writeback_control
   -#-    f72a67598cd797ac33d32cd3c10f321b51c6d9df 2025-05-28 nfs: use writeback_iter directly                                                                                                                                                                        = f72a67598 2025-05-28
   -#-    66a49813501c77700a7fe504e0d28aa126b115cb 2025-05-28 nfs: refactor nfs_do_writepage                                                                                                                                                                          = 66a498135 2025-05-28
   -#-    66beed5acaf27137007459e7e53bf8d6f1b799cc 2025-05-28 nfs: don't return AOP_WRITEPAGE_ACTIVATE from nfs_do_writepage                                                                                                                                          = 66beed5ac 2025-05-28
   -#-    b6354e60dd01d700a99d1f8c2f20d8ed530b0f45 2025-05-28 nfs: fold nfs_page_async_flush into nfs_do_writepage                                                                                                                                                    = b6354e60d 2025-05-28
   -#-    8e5419d6542fdf2dca9a0acdef2b8255f0e4ba69 2025-04-02 nfs: Add missing release on error in nfs_lock_and_join_requests()                                                                                                               ~ eb532ac40 2025-04-10  = 8e5419d65 2025-04-02
   ##-    86e00412254a717ffd5d38dc5ec0ee1cce6281b3 2025-01-14 nfs: cache all open LOCALIO nfsd_file(s) in client                                                                                                                                                      = 86e004122 2025-01-14
   -#-    66f9dac9077c9c063552e465212abeb8f97d28a7 2024-11-18 Revert "nfs: don't reuse partially completed requests in nfs_lock_and_join_req                                                                                                  ~ 8f95ffb8f 2024-12-05  = 66f9dac90 2024-11-18
   -#-    8f52caf9d231e77412766b48e5630a647e5ef774 2024-11-09 Revert "fs: nfs: fix missing refcnt by replacing folio_set_private by folio_at                                                                                                                          = 8f52caf9d 2024-11-09
   ##-    fa88a7d6ae089c07aba872fff30a1342d3503e80 2024-09-23 nfs: enable localio for non-pNFS IO                                                                                                                                             = fa88a7d6a 2024-09-23  = fa88a7d6a 2024-09-23
   ##-    70ba381e1a431245c137ed597ec6a05991c79bd9 2024-09-23 nfs: add LOCALIO support                                                                                                                                                        = 70ba381e1 2024-09-23  = 70ba381e1 2024-09-23
   ##-    df24c483e28f7f9a421afde15d0497e61bc2d3ea 2024-09-23 nfs: pass struct nfsd_file to nfs_init_pgio and nfs_init_commit                                                                                                                 = df24c483e 2024-09-23  = df24c483e 2024-09-23
   -#-    dfb07e990a0d019d7ae9b78dd4260620ce32e79a 2024-09-23 nfs: add 'noalignwrite' option for lock-less 'lost writes' prevention                                                                                                           = dfb07e990 2024-09-23  = dfb07e990 2024-09-23
   -#-    03e02b94171b1985dd0aa184296fe94425b855a3 2024-09-23 fs: nfs: fix missing refcnt by replacing folio_set_private by folio_attach_pri                                                                                                  = 03e02b941 2024-09-23  = 03e02b941 2024-09-23
   -#-    fada32ed6dbc748f447c8d050a961b75d946055a 2024-07-17 nfs: pass explicit offset/count to trace events                                                                                                         ~ 1562138b9 2026-03-25  = fada32ed6 2024-07-17  = fada32ed6 2024-07-17
   -#-    39c910a430370fd25d5b5e4b2f4b24581a705499 2024-07-12 nfs: do not extend writes to the entire folio                                                                                                                                   = 39c910a43 2024-07-12  = 39c910a43 2024-07-12
   -#-    b571cfcb9dcac187c6d967987792d37cb0688610 2024-07-08 nfs: don't reuse partially completed requests in nfs_lock_and_join_requests                                                                                                     = b571cfcb9 2024-07-08  = b571cfcb9 2024-07-08
   ###    f1b7c7552cbcf89e56b15ff481f3d19b53046291 2024-07-08 nfs: move nfs_wait_on_request to write.c                                                                                                                                        = f1b7c7552 2024-07-08  = f1b7c7552 2024-07-08
1> ###    25edbcac6e32eab345e470d56ca9974a577b878b 2024-07-08 nfs: fold nfs_page_group_lock_subrequests into nfs_lock_and_join_requests                               ~ fd947b71c 2025-09-04                          ~ 9a1963404 2025-09-04  = 25edbcac6 2024-07-08  = 25edbcac6 2024-07-08
   -#-    c3f2235782c395896e835650f25f985713146592 2024-07-08 nfs: fold nfs_folio_find_and_lock_request into nfs_lock_and_join_requests                                                                                                       = c3f223578 2024-07-08  = c3f223578 2024-07-08
   ###    9eb7c484db1ae993648fc9b9d48a295f4d99afb8 2024-07-08 nfs: simplify nfs_folio_find_and_lock_request                                                                                                                                   = 9eb7c484d 2024-07-08  = 9eb7c484d 2024-07-08
   -#-    02e61ec1e2c1da136bbf7f6bbabc46733c53b035 2024-07-08 nfs: remove nfs_folio_private_request                                                                                                                                           = 02e61ec1e 2024-07-08  = 02e61ec1e 2024-07-08
   ###    7e8e78a0ba00c88f0ded86de64bdddc82e06b196 2024-07-08 nfs: remove dead code for the old swap over NFS implementation                                                                                                                  = 7e8e78a0b 2024-07-08  = 7e8e78a0b 2024-07-08
   -#-    2f1f31042ef07719a0d5cb4784b8a32d20c13110 2024-07-08 nfs: Block on write congestion                                                                                                                                                  = 2f1f31042 2024-07-08  = 2f1f31042 2024-07-08
   -#-    37d4159dd25ade59ce0fecc75984240e5f7abc14 2024-07-08 nfs: Drop pointless check from nfs_commit_release_pages()                                                                                                                       = 37d4159dd 2024-07-08  = 37d4159dd 2024-07-08
   -#-    e12912d94137ab36ee704a91f465ff15c8b423da 2024-07-08 NFSv4: Add support for delegated atime and mtime attributes                                                                                                                     = e12912d94 2024-07-08  = e12912d94 2024-07-08
   -#-    4201916f2ab13577d45876f4bc784be55e4a83da 2024-07-08 NFSv4: Add a flags argument to the 'have_delegation' callback                                                                                                                   = 4201916f2 2024-07-08  = 4201916f2 2024-07-08
   -#-    237d29075ca71feeadf38e801ef657858d9e9598 2024-07-03 nfs: drop usage of folio_file_pos                                                                                                                                               = 237d29075 2024-07-03  = 237d29075 2024-07-03
   -#-    8f3ab6e4bebe789f23690cf57fb1a648c4422b9d 2024-05-31 nfs: Remove calls to folio_set_error                                                                                                                                            = 8f3ab6e4b 2024-05-31  = 8f3ab6e4b 2024-05-31
   #--    a527c3ba41c4c61e2069bfce4091e5515f06a8dd 2024-05-24 nfs: Avoid flushing many pages with NFS_FILE_SYNC                                                                                                       ~ e3adf9987 2024-07-25  = a527c3ba4 2024-05-24  = a527c3ba4 2024-05-24
   -#-    2e9d7e4b984a61823c41ba65e1b58b98ca9912bb 2024-04-29 mm: Remove the PG_fscache alias for PG_private_2                                                                                                                                = 2e9d7e4b9 2024-04-29  = 2e9d7e4b9 2024-04-29
   -#-    17f46b803d4f23c66cacce81db35fef3adb8f2af 2024-03-09 nfs: fix UAF in direct writes                                                                           ~ 80d24b308 2024-04-10  ~ 3abc2d160 2024-04-03  ~ e25447c35 2024-04-03  = 17f46b803 2024-03-09  = 17f46b803 2024-03-09
   -#-    0b81371d3c6b849bfde9f478bfe70661759cc018 2024-03-09 NFS: remove sync_mode test from nfs_writepage_locked()                          ~ 2d2bb5678 2024-09-12                                                                          = 0b81371d3 2024-03-09  = 0b81371d3 2024-03-09
   -#-    dd1fac6ae648cac4e92ccc829e94750ddfed5e52 2024-02-05 nfs: adapt to breakup of struct file_lock                                                                                                                                       = dd1fac6ae 2024-02-05  = dd1fac6ae 2024-02-05
   -#-    a69ce85ec9af6bdc0b3511959a7dc1a324e5e16a 2024-02-05 filelock: split common fields into struct file_lock_core                                                                                                                        = a69ce85ec 2024-02-05  = a69ce85ec 2024-02-05
   -#-    d7c9616be0759c1cfb44a68ba838548d22b98484 2024-02-05 nfs: convert to using new filelock helpers                                                                                                                                      = d7c9616be 2024-02-05  = d7c9616be 2024-02-05
   -#-    12fc0a963128b54b82e98b9909f463e784b90b07 2024-01-04 nfs: Remove writepage                                                           # e26c1a09b 2024-09-12                                                                          = 12fc0a963 2024-01-04  = 12fc0a963 2024-01-04
   -#-    600f111ef51dc2cbdb330b09d09f1856efa64912 2023-11-21 fs: Rename mapping private members                                                                                                                                              = 600f111ef 2023-11-21  = 600f111ef 2023-11-21
   -#-    6e7434abcd07e8beb67fdc4af6207ae0490d5274 2023-10-22 NFSv4/pnfs: Allow layoutget to return EAGAIN for softerr mounts                                                                                                                 = 6e7434abc 2023-10-22  = 6e7434abc 2023-10-22
   -#-    6a6d4644ce935ddec4f76223ac0ca68da56bd2d3 2023-10-11 NFS: Fix potential oops in nfs_inode_remove_request()                           ~ 7b0cdef47 2023-12-02                                                  = 6a6d4644c 2023-10-11  = 6a6d4644c 2023-10-11  = 6a6d4644c 2023-10-11
   -#-    dd1b2026323a2d075ac553cecfd7a0c23c456c59 2023-09-28 nfs: decrement nrequests counter before releasing the req                       ~ ae102dd82 2023-12-02                                                  = dd1b20263 2023-09-28  = dd1b20263 2023-09-28  = dd1b20263 2023-09-28
2> -##    b193a78ddb5ee7dba074d3f28dc050069ba083c0 2023-09-13 NFS: Use the correct commit info in nfs_join_page_group()                                               ~ a354b4a36 2023-10-06  ~ d4729af1c 2023-10-06  = b193a78dd 2023-09-13  = b193a78dd 2023-09-13  = b193a78dd 2023-09-13
   #-#    000dbe0bec058cbf2ca9e156e4a5584f5158b0f9 2023-04-11 NFS: Convert buffered read paths to use netfs when fscache is enabled           ~ 2b171d71a 2023-05-11                                                  = 000dbe0be 2023-04-11  = 000dbe0be 2023-04-11  = 000dbe0be 2023-04-11
   -#-    256093fec1f0ae2f10eb3aae5903ecb689c55ecc 2023-02-14 NFS: Improve tracing of nfs_wb_folio()                                          ~ cf2c3591a 2023-05-08                                                  = 256093fec 2023-02-14  = 256093fec 2023-02-14  = 256093fec 2023-02-14
   #-#    70e9db69f927bb378db9aaa807cc83ae550779a9 2023-02-14 NFS: Clean up O_DIRECT request allocation                                       ~ 266b973ff 2023-05-08                                                  = 70e9db69f 2023-02-14  = 70e9db69f 2023-02-14  = 70e9db69f 2023-02-14
   -#-    4cbf76948c457f0beb9f184ebb21341c8235846a 2023-02-14 NFS: Remove unused function nfs_wb_page()                                       ~ b5b4ecd62 2023-05-08                                                  = 4cbf76948 2023-02-14  = 4cbf76948 2023-02-14  = 4cbf76948 2023-02-14
   -#-    0c493b5cf16e28d761b6e77c7c32aa0e7af70813 2023-02-14 NFS: Convert buffered writes to use folios                                      ~ 0c2c4eaad 2023-05-08                                                  = 0c493b5cf 2023-02-14  = 0c493b5cf 2023-02-14  = 0c493b5cf 2023-02-14
   -#-    5241060e8b4f09d63a004b7a735346442fd3ab2d 2023-02-14 NFS: Convert the function nfs_wb_page() to use folios                           ~ 6ed0bf3b1 2023-05-08                                                  = 5241060e8 2023-02-14  = 5241060e8 2023-02-14  = 5241060e8 2023-02-14
   #-#    ab75bff1140733f1b43e81f055acd7d27af7ac05 2023-02-14 NFS: Convert buffered reads to use folios                                       ~ 5f1b05441 2023-05-08                                                  = ab75bff11 2023-02-14  = ab75bff11 2023-02-14  = ab75bff11 2023-02-14
   -#-    4b27232a6e064f3d779cfa76cd251d6023949d22 2023-02-14 NFS: Add a helper nfs_wb_folio()                                                ~ 8aa08d5eb 2023-05-08                                                  = 4b27232a6 2023-02-14  = 4b27232a6 2023-02-14  = 4b27232a6 2023-02-14
   #--    cbefa53cb1fe30ae4467be863afc3cf60238fd08 2023-02-14 NFS: Convert the remaining pagelist helper functions to support folios          ~ 80973d1cc 2023-05-08                                                  = cbefa53cb 2023-02-14  = cbefa53cb 2023-02-14  = cbefa53cb 2023-02-14
   ###    6dd85e83f3f182b56770f8bb6dbed1f0dafb9117 2023-02-14 NFS: Add a helper to convert a struct nfs_page into an inode                    ~ 72aafff7f 2023-05-08                                                  = 6dd85e83f 2023-02-14  = 6dd85e83f 2023-02-14  = 6dd85e83f 2023-02-14
   #-#    8e0bdc7021f713fdf3b985cda3ce715e41b06698 2023-02-14 NFS: Fix nfs_coalesce_size() to work with folios                                ~ 0499e7302 2023-05-08                                                  = 8e0bdc702 2023-02-14  = 8e0bdc702 2023-02-14  = 8e0bdc702 2023-02-14
   #--    eb9f2a5a5e85fd24949480d1d02c2a497f26e154 2023-02-14 NFS: Support folios in nfs_generic_pgio()                                       ~ cec4a4f7e 2023-05-08                                                  = eb9f2a5a5 2023-02-14  = eb9f2a5a5 2023-02-14  = eb9f2a5a5 2023-02-14
   #-#    35c5db0ec49f073e6a2d5236b5fcfb0a134a215a 2023-02-14 NFS: Add basic functionality for tracking folios in struct nfs_page             ~ bcdf77e6d 2023-05-08                                                  = 35c5db0ec 2023-02-14  = 35c5db0ec 2023-02-14  = 35c5db0ec 2023-02-14
   #--    785207aa3d61ec1cb86e4441bff0a37c412ebd10 2023-02-14 NFS: Fix for xfstests generic/208                                               ~ 8a993f0ec 2023-05-08                                                  = 785207aa3 2023-02-14  = 785207aa3 2023-02-14  = 785207aa3 2023-02-14
   -#-    d585bdbeb79aa13b8a9bbe952d90f5252f7fe909 2023-02-02 fs: convert writepage_t callback to pass a folio                                                                                                        = d585bdbeb 2023-02-02  = d585bdbeb 2023-02-02  = d585bdbeb 2023-02-02
   ##-    5970e15dbcfeb0ed3a0bf1954f35bbe60a048754 2023-01-11 filelock: move file locking definitions to separate header file                                                                                         = 5970e15db 2023-01-11  = 5970e15db 2023-01-11  = 5970e15db 2023-01-11
   ##-    17b985def2a859d66d27afee442147468a6a4ea6 2022-11-30 nfs: use locks_inode_context helper                                             ~ 37028f079 2023-03-27                                                  = 17b985def 2022-11-30  = 17b985def 2022-11-30  = 17b985def 2022-11-30
   -#-    d7a5118635e725d195843bda80cc5c964d93ef31 2022-09-08 NFSv4.2: Update mode bits after ALLOCATE and DEALLOCATE                         ~ 6e5f86704 2022-09-26                          = d7a511863 2022-09-08  = d7a511863 2022-09-08  = d7a511863 2022-09-08  = d7a511863 2022-09-08
   -#-    67f4b5dc49913abcdb5cc736e73674e2f352f81d 2022-08-13 NFS: Fix another fsync() issue after a server reboot                            ~ 55fe49130 2022-09-26  ~ 3b97deb4a 2022-09-15  = 67f4b5dc4 2022-08-13  = 67f4b5dc4 2022-08-13  = 67f4b5dc4 2022-08-13  = 67f4b5dc4 2022-08-13
   -##    af887e437bb298752b2edc5834048b8151b8aea0 2022-08-09 NFS: Improve write error tracing                                                ~ 531e57c0f 2023-05-08                          = af887e437 2022-08-09  = af887e437 2022-08-09  = af887e437 2022-08-09  = af887e437 2022-08-09
   -#-    b1a28f2eb9ea7a5a1763fe53fe699aa0feae4231 2022-08-02 NFS: nfs_async_write_reschedule_io must not recurse into the writeback code     ~ 14ce22874 2023-05-08  ~ 31545f4b7 2024-12-14  = b1a28f2eb 2022-08-02  = b1a28f2eb 2022-08-02  = b1a28f2eb 2022-08-02  = b1a28f2eb 2022-08-02
   -#-    541846502f4fe826cd7c16e4784695ac90736585 2022-08-02 mm/migrate: Convert migrate_page() to migrate_folio()                           ~ 30ef2db26 2023-03-24                          = 541846502 2022-08-02  = 541846502 2022-08-02  = 541846502 2022-08-02  = 541846502 2022-08-02
   -#-    4ae84a80475144f739f77ed8bc789bc7feaa08ce 2022-08-02 nfs: Convert to migrate_folio                                                   ~ 3a51424db 2023-03-24                          = 4ae84a804 2022-08-02  = 4ae84a804 2022-08-02  = 4ae84a804 2022-08-02  = 4ae84a804 2022-08-02
   -#-    69d966510d9f5de81588b37d23a9ee8ccc477b23 2022-07-23 nfs: only issue commit in DIO codepath if we have uncommitted data              ~ 7188cfebf 2022-08-11                          = 69d966510 2022-07-23  = 69d966510 2022-07-23  = 69d966510 2022-07-23  = 69d966510 2022-07-23
   ##-    118f09eda21d392e1eeb9f8a4bee044958cccf20 2022-05-31 NFSv4.1 mark qualified async operations as MOVEABLE tasks                       ~ 161caa70a 2022-08-16  ~ 54c408800 2022-06-09  = 118f09eda 2022-05-31  = 118f09eda 2022-05-31  = 118f09eda 2022-05-31  = 118f09eda 2022-05-31
   -#-    c6fd3511c3397dd9cbc6dc5d105bbedb69bf4061 2022-05-17 NFS: Further fixes to the writeback error handling                              ~ 68bb2d53f 2022-09-26  ~ 08b9d374c 2022-06-09  = c6fd3511c 2022-05-17  = c6fd3511c 2022-05-17  = c6fd3511c 2022-05-17  = c6fd3511c 2022-05-17
   [...]

Except for the handling of the struct nfs_commit_info object, the nfs_lock_and_join_requests() function is the same in ciqlts9_4 and linux-6.6.y. Commit (2) NFS: Use the correct commit info in nfs_join_page_group() nulls out this difference and allows for a clean cherry pick of the linux-6.6.y version of 25edbca. This linux-6.6.y backport introduces the nfs_init_cinfo_from_inode() call

nfs_init_cinfo_from_inode(&cinfo, inode);

which seems to be redundant, but it was left for the sake of simplicity and compatibility with the following commit. With the linux-6.6.y-flavored 25edbca in place, the CVE-2025-39697 fix from linux-6.6.y applied cleanly as well.

The linux-6.6.y backports may be confusing, because they mix in elements from other commits as well. This can best be explained with the table of commits listing upstream changes to the nfs_lock_and_join_requests() function, from the upstream CVE-2025-39697 fix 76d2e38 down to the version found in ciqlts9_4:

| Upstream (from most recent) | Short summary | `ciqlts9_4` equivalent | `linux-6.6.y` equivalent | Effectively in `linux-6.6.y` as part of |
|---|---|---|---|---|
| 76d2e38 | CVE-2025-39697 bugfix | - | 181feb4 | 181feb4 |
| 8e5419d | Fix missing `nfs_release_request()` | - | - | 181feb4 |
| 66f9dac | Revert of "don't reuse partially completed requests" | - | - | 181feb4 |
| b571cfc | "don't reuse partially completed requests" | - | - | 181feb4 |
| 25edbca | `nfs_page_group_lock_subrequests` inlined | - | 9a19634 | 9a19634 |
| c3f2235 | `nfs_folio_find_and_lock_request` inlined | - | - | 9a19634, 181feb4 |
| 7e8e78a | Direct `inode` access through folio | - | - | - |
| b193a78 | Added `cinfo` | - | b193a78 | b193a78 |
| 0c493b5 | Starting point (what we have in `ciqlts9_4`) | 0c2c4ea | 0c493b5 | 0c493b5 |

The end result - at the time of the NFS: Fix a race when updating an existing write fix - is the nfs_lock_and_join_requests() function being the same in linux-6.6.y and upstream:

    static struct nfs_page *nfs_lock_and_join_requests(struct folio *folio)
    {
    	struct inode *inode = folio->mapping->host;
    	struct nfs_page *head, *subreq;
    	struct nfs_commit_info cinfo;
    	int ret;

    	/*
    	 * A reference is taken only on the head request which acts as a
    	 * reference to the whole page group - the group will not be destroyed
    	 * until the head reference is released.
    	 */
    retry:
    	head = nfs_folio_find_head_request(folio);
    	if (!head)
    		return NULL;
    	while (!nfs_lock_request(head)) {
    		ret = nfs_wait_on_request(head);
    		if (ret < 0) {
    			nfs_release_request(head);
    			return ERR_PTR(ret);
    		}
    	}
    	ret = nfs_page_group_lock(head);
    	if (ret < 0)
    		goto out_unlock;

    	/* Ensure that nobody removed the request before we locked it */
    	if (head != folio->private) {
    		nfs_page_group_unlock(head);
    		nfs_unlock_and_release_request(head);
    		goto retry;
    	}

    	nfs_cancel_remove_inode(head, inode);

    	/* lock each request in the page group */
    	for (subreq = head->wb_this_page;
    	     subreq != head;
    	     subreq = subreq->wb_this_page) {
    		ret = nfs_page_group_lock_subreq(head, subreq);
    		if (ret < 0)
    			goto out_unlock;
    	}

    	nfs_page_group_unlock(head);

    	nfs_init_cinfo_from_inode(&cinfo, inode);
    	nfs_join_page_group(head, &cinfo, inode);
    	return head;

    out_unlock:
    	nfs_unlock_and_release_request(head);
    	return ERR_PTR(ret);
    }

up to two lines:

  1. Obtaining the inode object through a folio_file_mapping() call instead of direct folio field access:
    • linux-6.6.y

      struct inode *inode = folio_file_mapping(folio)->host;
      
    • kernel-mainline

      struct inode *inode = folio->mapping->host;
      
  2. An additional !folio_test_swapcache(folio) condition in the request removal test:
    • linux-6.6.y

      /* Ensure that nobody removed the request before we locked it */
      if (head != folio->private && !folio_test_swapcache(folio)) {
      	nfs_page_group_unlock(head);
      	nfs_unlock_and_release_request(head);
      	goto retry;
      }
      
    • kernel-mainline

      /* Ensure that nobody removed the request before we locked it */
      if (head != folio->private) {
      	nfs_page_group_unlock(head);
      	nfs_unlock_and_release_request(head);
      	goto retry;
      }
      

Both of these differences are the result of the lack of backported commit 7e8e78a - directly for the first one and indirectly for the second one, as the above branch was part of the inlined nfs_folio_find_and_lock_request() function with the folio_test_swapcache(folio) check removed in that commit.

CVE-2025-38248

bridge: mcast: Fix use-after-free during router port configuration

jira VULN-72330
cve CVE-2025-38248
commit-author Ido Schimmel <idosch@nvidia.com>
commit 7544f3f5b0b58c396f374d060898b5939da31709
upstream-diff Context conflicts due to missing
  8fa7292fee5c5240402371ea89ab285ec856c916 ("treewide: Switch/rename to
  timer_delete[_sync]()"). No real diffs from upstream

net: bridge: mcast: update multicast contex when vlan state is changed

jira VULN-72330
cve-pre CVE-2025-38248
commit-author Yong Wang <yongwang@nvidia.com>
commit 6c131043eaf1be2a6cc2d228f92ceb626fbcc0f3

net: bridge: mcast: re-implement br_multicast_{enable, disable}_port functions

jira VULN-72330
cve-pre CVE-2025-38248
commit-author Yong Wang <yongwang@nvidia.com>
commit 4b30ae9adb047dd0a7982975ec3933c529537026

For CVE-2025-38248 on LTS 9.4 the situation is very similar to LTS 9.6. In summary, bridge: mcast: Fix use-after-free during router port configuration fixes the bug, but it assumes net: bridge: mcast: re-implement br_multicast_{enable, disable}_port functions is in place, which is part of the problem, but not the only one, so the bug still applies, while net: bridge: mcast: update multicast contex when vlan state is changed is pulled in for completeness. See #1163 for details.

Bug replication was done with KASAN enabled:

CONFIG_KASAN=y
CONFIG_KASAN_MODULE_TEST=m
CONFIG_STACKTRACE=y

Three versions of the kernel were tested:

  • unpatched ciqlts9_4,
  • ciqlts9_4 with net: bridge: mcast: re-implement br_multicast_{enable, disable}_port functions backported,
  • patched ciqlts9_4 as in this PR.

The 7544f3f commit addresses two use-after-free bugs, denoted [1] and [2], each with its own replication script (they may not be minimal, but they are sufficient):

[1]:

ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1
ip link add name dummy1 up master br1 type dummy
ip link set dev dummy1 type bridge_slave mcast_router 2
ip link set dev br1 type bridge mcast_vlan_snooping 1
ip link set dev dummy1 type bridge_slave mcast_router 0
ip link set dev dummy1 type bridge_slave mcast_router 2
ip link del dev dummy1
ip link add name dummy2 up master br1 type dummy
ip link set dev dummy2 type bridge_slave mcast_router 2

[2]:

ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1 mcast_vlan_snooping 1
ip link add name dummy1 up master br1 type dummy
bridge vlan add vid 2 dev dummy1
bridge vlan global set vid 2 dev br1 mcast_snooping 1
bridge vlan set vid 2 dev dummy1 mcast_router 2
ip link set dev br1 type bridge mcast_vlan_snooping 0
bridge vlan global show dev br1 vid 2
bridge vlan set vid 2 dev dummy1 mcast_router 0
bridge vlan set vid 2 dev dummy1 mcast_router 2
ip link add name dummy2 up master br1 type dummy
bridge vlan add vid 2 dev dummy2
bridge vlan del vid 2 dev dummy1
bridge vlan set vid 2 dev dummy2 mcast_router 2

This gave 2 x 3 = 6 test results, which can be summarized as follows:

| | Bug [1] | Bug [2] |
|---|---|---|
| `ciqlts9_4` | no¹ | yes² |
| `ciqlts9_4` + 4b30ae9 | yes³ | yes⁴ |
| `ciqlts9_4` + 4b30ae9 + 6c13104 + 7544f3f | no⁵ | no⁶ |

This confirms that ciqlts9_4 is affected by CVE-2025-38248 and that 7544f3f fixes the problem, while 4b30ae9 may exacerbate it temporarily, but may be needed as a prerequisite for 7544f3f.

kABI check: passed

[0/1] kabi_check_kernel	Check ABI of kernel [ciqlts9_4-CVE-batch-31]	_kabi_check_kernel__x86_64--test--ciqlts9_4-CVE-batch-31
ninja explain: output state/kernels/ciqlts9_4-CVE-batch-31/x86_64/kabi_checked doesn't exist
ninja explain: state/kernels/ciqlts9_4-CVE-batch-31/x86_64/kabi_checked is dirty
+ dist_git_version=el-9.4
+ local_version=ciqlts9_4-CVE-batch-31
+ arch=x86_64
+ user=pvts
+ buildmachine=x86_64--build--ciqlts9_4
+ virsh_timeout=600
+ ssh_daemon_wait=20
+ src_dir=/mnt/code/kernel-dist-git-el-9.4
+ build_dir=/mnt/build_files/kernel-src-tree-ciqlts9_4-CVE-batch-31
+ sudo chmod +x /data/src/ctrliq-github-haskell/kernel-dist-git-el-9.4/SOURCES/check-kabi
+ ninja-back/virssh.xsh --max 8 --shutdown-on-success --shutdown-on-failure --timeout 600 --ssh-daemon-wait 20 pvts x86_64--build--ciqlts9_4 ''\''/mnt/code/kernel-dist-git-el-9.4/SOURCES/check-kabi'\'' -k '\''/mnt/code/kernel-dist-git-el-9.4/SOURCES/Module.kabi_x86_64'\'' -s '\''/mnt/build_files/kernel-src-tree-ciqlts9_4-CVE-batch-31/Module.symvers'\'''
kABI check passed
+ touch state/kernels/ciqlts9_4-CVE-batch-31/x86_64/kabi_checked

Boot test: passed

boot-test.log

Kselftests: passed relative

Reference

kselftests–ciqlts9_4–run1.log

Patch

kselftests–ciqlts9_4-CVE-batch-31–run1.log
kselftests–ciqlts9_4-CVE-batch-31–run2.log

Comparison

The test results for the reference and the patch are the same.

$ ktests.xsh diff kselftests*.log

selftests-cmp.txt

Footnotes

1 CVE-2025-38248-repl-1–ciqlts9_4.log

2 CVE-2025-38248-repl-2–ciqlts9_4.log

3 CVE-2025-38248-repl-1–ciqlts9_4-halfpatch.log

4 CVE-2025-38248-repl-2–ciqlts9_4-halfpatch.log

5 CVE-2025-38248-repl-1–ciqlts9_4-patch.log

6 CVE-2025-38248-repl-2–ciqlts9_4-patch.log
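The two replication sequences above, wrapped in a throwaway network namespace and followed by a triage of the kernel log for the KASAN signatures quoted in the 7544f3f commit message, as an added example that is not part of the PR. The namespace name, the function names and the log sample embedded in `triage_selftest` are this script's own; the `repro_*` functions need root, iproute2 and, for a reliable report, a KASAN-enabled kernel, and since they deliberately trigger a kernel use-after-free they belong in a disposable VM, not on a workstation.

```shell
#!/bin/sh
# Added example, not part of the PR or the kernel tree.  Runs the two
# CVE-2025-38248 replication sequences from the PR description inside a
# throwaway network namespace and triages the kernel log for the KASAN
# reports quoted in the fix.  Assumptions: iproute2 (`ip`, `bridge`), root
# for the repro_* functions, a KASAN-enabled kernel for a reliable report
# (without KASAN the stale list entry may go unnoticed or just crash the box).
# The namespace name and the function names are this script's own choices.

NS=${NS:-cve38248-repro}

# Run one sequence in its own namespace so the host bridge configuration is
# untouched.  Bridges, dummies and VLANs are per-namespace, but the bug is
# in the kernel, so a hit still affects the whole machine.
run_in_ns() {
    ip netns add "$NS" || return 1
    ip netns exec "$NS" sh -c "$1"
    rc=$?
    ip netns del "$NS"
    return $rc
}

# [1] stale entry in the global router port list (per-port context)
repro_1() {
    run_in_ns '
        ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1
        ip link add name dummy1 up master br1 type dummy
        ip link set dev dummy1 type bridge_slave mcast_router 2
        ip link set dev br1 type bridge mcast_vlan_snooping 1
        ip link set dev dummy1 type bridge_slave mcast_router 0
        ip link set dev dummy1 type bridge_slave mcast_router 2
        ip link del dev dummy1
        ip link add name dummy2 up master br1 type dummy
        ip link set dev dummy2 type bridge_slave mcast_router 2
    '
}

# [2] stale entry in the per-VLAN router port list (per-{port, VLAN} context)
repro_2() {
    run_in_ns '
        ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1 mcast_vlan_snooping 1
        ip link add name dummy1 up master br1 type dummy
        bridge vlan add vid 2 dev dummy1
        bridge vlan global set vid 2 dev br1 mcast_snooping 1
        bridge vlan set vid 2 dev dummy1 mcast_router 2
        ip link set dev br1 type bridge mcast_vlan_snooping 0
        bridge vlan set vid 2 dev dummy1 mcast_router 0
        bridge vlan set vid 2 dev dummy1 mcast_router 2
        ip link add name dummy2 up master br1 type dummy
        bridge vlan add vid 2 dev dummy2
        bridge vlan del vid 2 dev dummy1
        bridge vlan set vid 2 dev dummy2 mcast_router 2
    '
}

# Read a kernel log on stdin and print one line per KASAN report whose stack
# passes through br_multicast_add_router: "<kasan-kind> <list>", where list
# is "global" for the br_setport path ([1]) and "per-vlan" for the
# br_vlan_process_options path ([2]).  Timestamp prefixes are tolerated.
kasan_bridge_triage() {
    awk '
        /BUG: KASAN: / {
            match($0, /KASAN: [^ ]+/)
            kind = substr($0, RSTART + 7, RLENGTH - 7)
            list = "unknown"; mcast = 0; in_report = 1
        }
        in_report && /br_multicast_add_router/       { mcast = 1 }
        in_report && /br_setport/                    { list = "global" }
        in_report && /br_vlan_process_options/       { list = "per-vlan" }
        in_report && /entry_SYSCALL_64_after_hwframe/ {
            if (mcast) print kind, list
            in_report = 0
        }
    '
}

# Constructed sample: the two reports from the fix, cut down to the frames
# the triage keys on, with made-up timestamps.
triage_selftest() {
    printf '%s\n' \
        '[  31.2] BUG: KASAN: slab-out-of-bounds in br_multicast_add_router.part.0+0x3f1/0x560' \
        '[  31.2] Write of size 8 at addr ffff888004a67328 by task ip/384' \
        '[  31.2]  br_multicast_add_router.part.0+0x3f1/0x560' \
        '[  31.2]  br_multicast_set_port_router+0x74e/0xac0' \
        '[  31.2]  br_setport+0xa55/0x1870' \
        '[  31.2]  entry_SYSCALL_64_after_hwframe+0x4b/0x53' \
        '[  40.7] BUG: KASAN: slab-use-after-free in br_multicast_add_router.part.0+0x378/0x560' \
        '[  40.7]  br_multicast_set_port_router+0x6f9/0xac0' \
        '[  40.7]  br_vlan_process_options+0x8b6/0x1430' \
        '[  40.7]  entry_SYSCALL_64_after_hwframe+0x4b/0x53' \
    | kasan_bridge_triage
}

case "${1:-}" in
    repro1)   repro_1 ;;
    repro2)   repro_2 ;;
    triage)   kasan_bridge_triage ;;   # e.g.  dmesg | ./repro.sh triage
    selftest) triage_selftest ;;
esac
```

Saved as, say, `repro.sh`: `./repro.sh repro1` (or `repro2`) runs one sequence, `dmesg | ./repro.sh triage` afterwards prints one line per matching report, and `./repro.sh selftest` runs the triage over the embedded sample, which yields `slab-out-of-bounds global` and `slab-use-after-free per-vlan`. The triage only tells the two lists apart by the caller frame; a kernel without KASAN may produce no report at all, so an empty triage is not evidence of a fixed kernel.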

pvts-mat added 6 commits May 5, 2026 20:26
…functions

jira VULN-72330
cve-pre CVE-2025-38248
commit-author Yong Wang <yongwang@nvidia.com>
commit 4b30ae9

When a bridge port STP state is changed from BLOCKING/DISABLED to
FORWARDING, the port's igmp query timer will NOT re-arm itself if the
bridge has been configured as per-VLAN multicast snooping.

Solve this by choosing the correct multicast context(s) to enable/disable
port multicast based on whether per-VLAN multicast snooping is enabled or
not, i.e. using per-{port, VLAN} context in case of per-VLAN multicast
snooping by re-implementing br_multicast_enable_port() and
br_multicast_disable_port() functions.

Before the patch, the IGMP query does not happen in the last step of the
following test sequence, i.e. no growth for tx counter:
 # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1 mcast_vlan_snooping 1 mcast_querier 1 mcast_stats_enabled 1
 # bridge vlan global set vid 1 dev br1 mcast_snooping 1 mcast_querier 1 mcast_query_interval 100 mcast_startup_query_count 0
 # ip link add name swp1 up master br1 type dummy
 # bridge link set dev swp1 state 0
 # ip -j -p stats show dev swp1 group xstats_slave subgroup bridge suite mcast | jq '.[]["multicast"]["igmp_queries"]["tx_v2"]'
1
 # sleep 1
 # ip -j -p stats show dev swp1 group xstats_slave subgroup bridge suite mcast | jq '.[]["multicast"]["igmp_queries"]["tx_v2"]'
1
 # bridge link set dev swp1 state 3
 # sleep 2
 # ip -j -p stats show dev swp1 group xstats_slave subgroup bridge suite mcast | jq '.[]["multicast"]["igmp_queries"]["tx_v2"]'
1

After the patch, the IGMP query happens in the last step of the test:
 # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1 mcast_vlan_snooping 1 mcast_querier 1 mcast_stats_enabled 1
 # bridge vlan global set vid 1 dev br1 mcast_snooping 1 mcast_querier 1 mcast_query_interval 100 mcast_startup_query_count 0
 # ip link add name swp1 up master br1 type dummy
 # bridge link set dev swp1 state 0
 # ip -j -p stats show dev swp1 group xstats_slave subgroup bridge suite mcast | jq '.[]["multicast"]["igmp_queries"]["tx_v2"]'
1
 # sleep 1
 # ip -j -p stats show dev swp1 group xstats_slave subgroup bridge suite mcast | jq '.[]["multicast"]["igmp_queries"]["tx_v2"]'
1
 # bridge link set dev swp1 state 3
 # sleep 2
 # ip -j -p stats show dev swp1 group xstats_slave subgroup bridge suite mcast | jq '.[]["multicast"]["igmp_queries"]["tx_v2"]'
3

Signed-off-by: Yong Wang <yongwang@nvidia.com>
Reviewed-by: Andy Roulin <aroulin@nvidia.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Signed-off-by: Petr Machata <petrm@nvidia.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 4b30ae9)
Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>

jira VULN-72330
cve-pre CVE-2025-38248
commit-author Yong Wang <yongwang@nvidia.com>
commit 6c13104

When the vlan STP state is changed, which could be manipulated by
"bridge vlan" commands, similar to port STP state, this also impacts
multicast behaviors such as igmp query. In the scenario of per-VLAN
snooping, there's a need to update the corresponding multicast context
to re-arm the port query timer when vlan state becomes "forwarding" etc.

Update br_vlan_set_state() function to enable vlan multicast context
in such scenario.

Before the patch, the IGMP query does not happen in the last step of the
following test sequence, i.e. no growth for tx counter:
 # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1 mcast_vlan_snooping 1 mcast_querier 1 mcast_stats_enabled 1
 # bridge vlan global set vid 1 dev br1 mcast_snooping 1 mcast_querier 1 mcast_query_interval 100 mcast_startup_query_count 0
 # ip link add name swp1 up master br1 type dummy
 # sleep 1
 # bridge vlan set vid 1 dev swp1 state 4
 # ip -j -p stats show dev swp1 group xstats_slave subgroup bridge suite mcast | jq '.[]["multicast"]["igmp_queries"]["tx_v2"]'
1
 # sleep 1
 # ip -j -p stats show dev swp1 group xstats_slave subgroup bridge suite mcast | jq '.[]["multicast"]["igmp_queries"]["tx_v2"]'
1
 # bridge vlan set vid 1 dev swp1 state 3
 # sleep 2
 # ip -j -p stats show dev swp1 group xstats_slave subgroup bridge suite mcast | jq '.[]["multicast"]["igmp_queries"]["tx_v2"]'
1

After the patch, the IGMP query happens in the last step of the test:
 # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1 mcast_vlan_snooping 1 mcast_querier 1 mcast_stats_enabled 1
 # bridge vlan global set vid 1 dev br1 mcast_snooping 1 mcast_querier 1 mcast_query_interval 100 mcast_startup_query_count 0
 # ip link add name swp1 up master br1 type dummy
 # sleep 1
 # bridge vlan set vid 1 dev swp1 state 4
 # ip -j -p stats show dev swp1 group xstats_slave subgroup bridge suite mcast | jq '.[]["multicast"]["igmp_queries"]["tx_v2"]'
1
 # sleep 1
 # ip -j -p stats show dev swp1 group xstats_slave subgroup bridge suite mcast | jq '.[]["multicast"]["igmp_queries"]["tx_v2"]'
1
 # bridge vlan set vid 1 dev swp1 state 3
 # sleep 2
 # ip -j -p stats show dev swp1 group xstats_slave subgroup bridge suite mcast | jq '.[]["multicast"]["igmp_queries"]["tx_v2"]'
3

Signed-off-by: Yong Wang <yongwang@nvidia.com>
Reviewed-by: Andy Roulin <aroulin@nvidia.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Signed-off-by: Petr Machata <petrm@nvidia.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 6c13104)
Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>

jira VULN-72330
cve CVE-2025-38248
commit-author Ido Schimmel <idosch@nvidia.com>
commit 7544f3f
upstream-diff Context conflicts due to missing
  8fa7292 ("treewide: Switch/rename to
  timer_delete[_sync]()"). No real diffs from upstream

The bridge maintains a global list of ports behind which a multicast
router resides. The list is consulted during forwarding to ensure
multicast packets are forwarded to these ports even if the ports are not
member in the matching MDB entry.

When per-VLAN multicast snooping is enabled, the per-port multicast
context is disabled on each port and the port is removed from the global
router port list:

 # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1
 # ip link add name dummy1 up master br1 type dummy
 # ip link set dev dummy1 type bridge_slave mcast_router 2
 $ bridge -d mdb show | grep router
 router ports on br1: dummy1
 # ip link set dev br1 type bridge mcast_vlan_snooping 1
 $ bridge -d mdb show | grep router

However, the port can be re-added to the global list even when per-VLAN
multicast snooping is enabled:

 # ip link set dev dummy1 type bridge_slave mcast_router 0
 # ip link set dev dummy1 type bridge_slave mcast_router 2
 $ bridge -d mdb show | grep router
 router ports on br1: dummy1

Since commit 4b30ae9 ("net: bridge: mcast: re-implement
br_multicast_{enable, disable}_port functions"), when per-VLAN multicast
snooping is enabled, multicast disablement on a port will disable the
per-{port, VLAN} multicast contexts and not the per-port one. As a
result, a port will remain in the global router port list even after it
is deleted. This will lead to a use-after-free [1] when the list is
traversed (when adding a new port to the list, for example):

 # ip link del dev dummy1
 # ip link add name dummy2 up master br1 type dummy
 # ip link set dev dummy2 type bridge_slave mcast_router 2

Similarly, stale entries can also be found in the per-VLAN router port
list. When per-VLAN multicast snooping is disabled, the per-{port, VLAN}
contexts are disabled on each port and the port is removed from the
per-VLAN router port list:

 # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1 mcast_vlan_snooping 1
 # ip link add name dummy1 up master br1 type dummy
 # bridge vlan add vid 2 dev dummy1
 # bridge vlan global set vid 2 dev br1 mcast_snooping 1
 # bridge vlan set vid 2 dev dummy1 mcast_router 2
 $ bridge vlan global show dev br1 vid 2 | grep router
       router ports: dummy1
 # ip link set dev br1 type bridge mcast_vlan_snooping 0
 $ bridge vlan global show dev br1 vid 2 | grep router

However, the port can be re-added to the per-VLAN list even when
per-VLAN multicast snooping is disabled:

 # bridge vlan set vid 2 dev dummy1 mcast_router 0
 # bridge vlan set vid 2 dev dummy1 mcast_router 2
 $ bridge vlan global show dev br1 vid 2 | grep router
       router ports: dummy1

When the VLAN is deleted from the port, the per-{port, VLAN} multicast
context will not be disabled since multicast snooping is not enabled
on the VLAN. As a result, the port will remain in the per-VLAN router
port list even after it is no longer member in the VLAN. This will lead
to a use-after-free [2] when the list is traversed (when adding a new
port to the list, for example):

 # ip link add name dummy2 up master br1 type dummy
 # bridge vlan add vid 2 dev dummy2
 # bridge vlan del vid 2 dev dummy1
 # bridge vlan set vid 2 dev dummy2 mcast_router 2

Fix these issues by removing the port from the relevant (global or
per-VLAN) router port list in br_multicast_port_ctx_deinit(). The
function is invoked during port deletion with the per-port multicast
context and during VLAN deletion with the per-{port, VLAN} multicast
context.

Note that deleting the multicast router timer is not enough as it only
takes care of the temporary multicast router states (1 or 3) and not the
permanent one (2).

[1]
BUG: KASAN: slab-out-of-bounds in br_multicast_add_router.part.0+0x3f1/0x560
Write of size 8 at addr ffff888004a67328 by task ip/384
[...]
Call Trace:
 <TASK>
 dump_stack_lvl+0x6f/0xa0
 print_address_description.constprop.0+0x6f/0x350
 print_report+0x108/0x205
 kasan_report+0xdf/0x110
 br_multicast_add_router.part.0+0x3f1/0x560
 br_multicast_set_port_router+0x74e/0xac0
 br_setport+0xa55/0x1870
 br_port_slave_changelink+0x95/0x120
 __rtnl_newlink+0x5e8/0xa40
 rtnl_newlink+0x627/0xb00
 rtnetlink_rcv_msg+0x6fb/0xb70
 netlink_rcv_skb+0x11f/0x350
 netlink_unicast+0x426/0x710
 netlink_sendmsg+0x75a/0xc20
 __sock_sendmsg+0xc1/0x150
 ____sys_sendmsg+0x5aa/0x7b0
 ___sys_sendmsg+0xfc/0x180
 __sys_sendmsg+0x124/0x1c0
 do_syscall_64+0xbb/0x360
 entry_SYSCALL_64_after_hwframe+0x4b/0x53

[2]
BUG: KASAN: slab-use-after-free in br_multicast_add_router.part.0+0x378/0x560
Read of size 8 at addr ffff888009f00840 by task bridge/391
[...]
Call Trace:
 <TASK>
 dump_stack_lvl+0x6f/0xa0
 print_address_description.constprop.0+0x6f/0x350
 print_report+0x108/0x205
 kasan_report+0xdf/0x110
 br_multicast_add_router.part.0+0x378/0x560
 br_multicast_set_port_router+0x6f9/0xac0
 br_vlan_process_options+0x8b6/0x1430
 br_vlan_rtm_process_one+0x605/0xa30
 br_vlan_rtm_process+0x396/0x4c0
 rtnetlink_rcv_msg+0x2f7/0xb70
 netlink_rcv_skb+0x11f/0x350
 netlink_unicast+0x426/0x710
 netlink_sendmsg+0x75a/0xc20
 __sock_sendmsg+0xc1/0x150
 ____sys_sendmsg+0x5aa/0x7b0
 ___sys_sendmsg+0xfc/0x180
 __sys_sendmsg+0x124/0x1c0
 do_syscall_64+0xbb/0x360
 entry_SYSCALL_64_after_hwframe+0x4b/0x53

Fixes: 2796d84 ("net: bridge: vlan: convert mcast router global option to per-vlan entry")
Fixes: 4b30ae9 ("net: bridge: mcast: re-implement br_multicast_{enable, disable}_port functions")
Reported-by: syzbot+7bfa4b72c6a5da128d32@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/684c18bd.a00a0220.279073.000b.GAE@google.com/T/
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20250619182228.1656906-1-idosch@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 7544f3f)
Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>

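A user-space model of the stale router-port entry the commit message above describes, as an added example that is neither the PR's nor the kernel's code. The list, the mcast_router state handling and the two teardown variants are the model's own simplification of br_multicast_port_ctx_deinit() before and after the fix. In particular the model assumes that stopping a router timer drops the temporary entry it backs, which is the case the commit's closing note says timer deletion covers, so that the permanent state 2 is what gets left behind; every identifier below belongs to the model.

```c
/* Added example, not code from the PR or the kernel: a user-space model of the
 * stale router-port entry behind CVE-2025-38248.  A port's multicast context is
 * linked into a router port list while its mcast_router state is 1, 2 or 3;
 * states 1 and 3 are temporary and timer-backed, state 2 is permanent and has
 * no timer.  A teardown that only stops the timer leaves a permanent entry
 * linked after the context is freed, so the next traversal (adding another
 * router port) follows a dangling pointer.  The fixed teardown unlinks the
 * context unconditionally, as the upstream fix does in
 * br_multicast_port_ctx_deinit().  All names here belong to the model. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct list_node { struct list_node *prev, *next; };

struct port_mctx {
    int router_mode;         /* 0, 1, 2 or 3, as in "mcast_router N" */
    bool timer_armed;        /* stands in for the router expiry timer */
    struct list_node rlist;  /* link in the router port list; NULL when unlinked */
};

/* One list stands in for both the global and the per-VLAN router port list. */
static struct list_node router_list = { &router_list, &router_list };

static void list_add_tail(struct list_node *n, struct list_node *head)
{
    n->prev = head->prev;  n->next = head;
    head->prev->next = n;  head->prev = n;
}

static void list_del(struct list_node *n)
{
    n->prev->next = n->next;  n->next->prev = n->prev;
    n->next = n->prev = NULL;
}

static bool rport_linked(const struct port_mctx *p)
{
    return p->rlist.next != NULL;
}

/* mcast_router 0 leaves the list, 1/3 join it under a timer, 2 joins it for good. */
static void set_port_router(struct port_mctx *p, int mode)
{
    p->router_mode = mode;
    p->timer_armed = (mode == 1 || mode == 3);
    if (mode == 0) {
        if (rport_linked(p))
            list_del(&p->rlist);
    } else if (!rport_linked(p)) {
        list_add_tail(&p->rlist, &router_list);
    }
}

/* Model assumption: stopping the router timer also drops a temporary
 * (timer-backed) entry, the case the fix's note says timer deletion covers.
 * A permanent entry has no timer, so this does nothing for it. */
static void del_router_timer(struct port_mctx *p)
{
    if (p->timer_armed && rport_linked(p))
        list_del(&p->rlist);
    p->timer_armed = false;
}

/* Pre-fix teardown: timers only. */
static void port_ctx_deinit_unfixed(struct port_mctx *p)
{
    del_router_timer(p);
}

/* Post-fix teardown: timers, then an unconditional unlink. */
static void port_ctx_deinit_fixed(struct port_mctx *p)
{
    del_router_timer(p);
    if (rport_linked(p))
        list_del(&p->rlist);
}

/* Put a port into router state `mode`, tear it down with `deinit`, and report
 * whether the list still points at it.  The check runs before free(), so the
 * model reports the dangling entry instead of dereferencing freed memory. */
bool port_delete_leaves_stale_entry(int mode, void (*deinit)(struct port_mctx *))
{
    struct port_mctx *p = calloc(1, sizeof *p);
    bool stale;

    if (!p)
        return false;
    set_port_router(p, mode);
    deinit(p);
    stale = rport_linked(p);
    if (stale)
        list_del(&p->rlist);  /* keep the model list sane for the next run */
    free(p);
    return stale;
}

int main(void)
{
    printf("mcast_router 2, pre-fix teardown:  stale=%d\n",
           port_delete_leaves_stale_entry(2, port_ctx_deinit_unfixed));
    printf("mcast_router 2, post-fix teardown: stale=%d\n",
           port_delete_leaves_stale_entry(2, port_ctx_deinit_fixed));
    return 0;
}
```

Compiled with `cc -Wall model.c` and run, the pre-fix teardown reports a stale entry for mcast_router 2 while the post-fix one does not, and neither leaves a temporary (1 or 3) entry behind. Checking membership before free() is what keeps the model deterministic; in the kernel the same condition only surfaced when the next mcast_router change walked the list, which is why KASAN caught it inside br_multicast_add_router() rather than at port or VLAN deletion time.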
jira VULN-136536
cve-pre CVE-2025-39697
commit-author Trond Myklebust <trond.myklebust@hammerspace.com>
commit b193a78

Ensure that nfs_clear_request_commit() updates the correct counters when
it removes them from the commit list.

Fixes: ed5d588 ("NFS: Try to join page groups before an O_DIRECT retransmission")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
(cherry picked from commit b193a78)
Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>

…ests

jira VULN-136536
cve-pre CVE-2025-39697
commit-author Christoph Hellwig <hch@lst.de>
commit 25edbca
upstream-diff Used linux-6.6.y backport
  9a1963404cc2eef69d2f8a42861bdf63d087dd5d for the clean cherry pick

Fold nfs_page_group_lock_subrequests into nfs_lock_and_join_requests to
prepare for future changes to this code, and move the helpers to write.c
as well.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
(cherry picked from commit 9a1963404cc2eef69d2f8a42861bdf63d087dd5d)
Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>

jira VULN-136536
cve CVE-2025-39697
commit-author Trond Myklebust <trond.myklebust@hammerspace.com>
commit 76d2e38
upstream-diff Used linux-6.6.y backport
  181feb41f0b268e6288bf9a7b984624d7fe2031d for the clean cherry pick

After nfs_lock_and_join_requests() tests for whether the request is
still attached to the mapping, nothing prevents a call to
nfs_inode_remove_request() from succeeding until we actually lock the
page group.
The reason is that whoever called nfs_inode_remove_request() doesn't
necessarily have a lock on the page group head.

So in order to avoid races, let's take the page group lock earlier in
nfs_lock_and_join_requests(), and hold it across the removal of the
request in nfs_inode_remove_request().

Reported-by: Jeff Layton <jlayton@kernel.org>
Tested-by: Joe Quanaim <jdq@meta.com>
Tested-by: Andrew Steffen <aksteffen@meta.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Fixes: bd37d6f ("NFSv4: Convert nfs_lock_and_join_requests() to use nfs_page_find_head_request()")
Cc: stable@vger.kernel.org
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
(cherry picked from commit 181feb41f0b268e6288bf9a7b984624d7fe2031d)
Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>