Conversation

@roxanan1996
Contributor

DESCRIPTION

Clean cherry picks.

Started with CVE-2025-39955.
CVE-2025-40186 is in fact a fix for CVE-2025-39955 as well.

COMMITS

tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect().

jira VULN-158527
cve CVE-2025-39955
commit-author Kuniyuki Iwashima <kuniyu@google.com>
commit 45c8a6cc2bcd780e634a6ba8e46bffbdf1fc5c01

tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().

jira VULN-160501
cve CVE-2025-40186
commit-author Kuniyuki Iwashima <kuniyu@google.com>
commit 2e7cbbbe3d61c63606994b7ff73c72537afe2e1c

TESTING

BUILD

> grep -E -B 5 -A 5 '\[TIMER\]|^Starting Build' /home/rnicolescu/ciq/kernels/lts-8.6/kernel-build-after.log
  CLEAN   scripts/selinux/genheaders
  CLEAN   scripts/selinux/mdp
  CLEAN   scripts
  CLEAN   include/config include/generated arch/x86/include/generated
  CLEAN   .config .config.old
[TIMER]{MRPROPER}: 4s
x86_64 architecture detected, copying config
'configs/kernel-x86_64.config' -> '.config'
Setting Local Version for build
CONFIG_LOCALVERSION="-rnicolescu_ciqlts8_6-c4be97103d565"
Making olddefconfig
--
  HOSTLD  scripts/kconfig/conf
scripts/kconfig/conf  --olddefconfig Kconfig
#
# configuration written to .config
#
Starting Build
scripts/kconfig/conf  --syncconfig Kconfig
  SYSTBL  arch/x86/include/generated/asm/syscalls_32.h
  SYSHDR  arch/x86/include/generated/asm/unistd_32_ia32.h
  SYSHDR  arch/x86/include/generated/asm/unistd_64_x32.h
  HYPERCALLS arch/x86/include/generated/asm/xen-hypercalls.h
--
  LD [M]  sound/usb/usx2y/snd-usb-usx2y.ko
  LD [M]  sound/virtio/virtio_snd.ko
  LD [M]  sound/x86/snd-hdmi-lpe-audio.ko
  LD [M]  sound/xen/snd_xen_front.ko
  LD [M]  virt/lib/irqbypass.ko
[TIMER]{BUILD}: 1385s
Making Modules
  INSTALL arch/x86/crypto/blowfish-x86_64.ko
  INSTALL arch/x86/crypto/camellia-aesni-avx-x86_64.ko
  INSTALL arch/x86/crypto/camellia-aesni-avx2.ko
  INSTALL arch/x86/crypto/camellia-x86_64.ko
--
  INSTALL sound/virtio/virtio_snd.ko
  INSTALL sound/x86/snd-hdmi-lpe-audio.ko
  INSTALL sound/xen/snd_xen_front.ko
  INSTALL virt/lib/irqbypass.ko
  DEPMOD  4.18.0-rnicolescu_ciqlts8_6-c4be97103d565+
[TIMER]{MODULES}: 9s
Making Install
sh ./arch/x86/boot/install.sh 4.18.0-rnicolescu_ciqlts8_6-c4be97103d565+ arch/x86/boot/bzImage \
	System.map "/boot"
[TIMER]{INSTALL}: 31s
Checking kABI
kABI check passed
Setting Default Kernel to /boot/vmlinuz-4.18.0-rnicolescu_ciqlts8_6-c4be97103d565+ and Index to 0
The default is /boot/loader/entries/13c4c473ec1e4e8bbcfb1c5586c03772-4.18.0-rnicolescu_ciqlts8_6-c4be97103d565+.conf with index 0 and kernel /boot/vmlinuz-4.18.0-rnicolescu_ciqlts8_6-c4be97103d565+
The default is /boot/loader/entries/13c4c473ec1e4e8bbcfb1c5586c03772-4.18.0-rnicolescu_ciqlts8_6-c4be97103d565+.conf with index 0 and kernel /boot/vmlinuz-4.18.0-rnicolescu_ciqlts8_6-c4be97103d565+
Generating grub configuration file ...
done
Hopefully Grub2.0 took everything ... rebooting after time metrices
[TIMER]{MRPROPER}: 4s
[TIMER]{BUILD}: 1385s
[TIMER]{MODULES}: 9s
[TIMER]{INSTALL}: 31s
[TIMER]{TOTAL} 1433s
Rebooting in 10 seconds

Kselftests

> /home/rnicolescu/ciq/kernel-tools/kselftest-diff.sh /home/rnicolescu/ciq/kernels/lts-8.6
/home/rnicolescu/ciq/kernels/lts-8.6/kselftest-before.log
212
/home/rnicolescu/ciq/kernels/lts-8.6/kselftest-after.log
212
Before: /home/rnicolescu/ciq/kernels/lts-8.6/kselftest-before.log
After: /home/rnicolescu/ciq/kernels/lts-8.6/kselftest-after.log
Diff:
No differences found.

Check_kernel_commits

> python3 /home/rnicolescu/ciq/kernel-src-tree-tools/check_kernel_commits.py --repo /home/rnicolescu/ciq/kernels/lts-8.6/kernel-src-tree --pr_branch {rnicolescu}_ciqlts8_6 --base_branch origin/ciqlts8_6 --check-cves
All referenced commits exist upstream and have no Fixes: tags.

Run interdiff

> python3 /home/rnicolescu/ciq/kernel-src-tree-tools/run_interdiff.py --repo /home/rnicolescu/ciq/kernels/lts-8.6/kernel-src-tree --pr_branch {rnicolescu}_ciqlts8_6 --base_branch origin/ciqlts8_6
[DIFF] PR commit 15a3c8cfde80f (tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect().) → upstream 45c8a6cc2bcd
Differences found:

  diff -u b/net/ipv4/tcp.c b/net/ipv4/tcp.c
  --- b/net/ipv4/tcp.c
  +++ b/net/ipv4/tcp.c
  @@ -2591,5 +2591,5 @@
  -	struct inet_connection_sock *icsk = inet_csk(sk);
   	struct tcp_sock *tp = tcp_sk(sk);
  +	int err = 0;
   	int old_state = sk->sk_state;
   	struct request_sock *req;
   	u32 seq;
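Review bot: the only divergence in this hunk is declaration context, `-	struct inet_connection_sock *icsk = inet_csk(sk);` against `+	int err = 0;`, which corresponds to the missing a01512b ("tcp: remove unneeded variable 'err'") listed after the diff; none of the lines that carry the fastopen_rsk fix are in this hunk, so no change to the backport is needed, but the commit message of 15a3c8cfde80f should state that this tree still has `err` so the declaration difference is explained in git history and not only in the PR description.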
  @@ -2704,5 +2704,5 @@
   	if (req)
   		reqsk_fastopen_remove(sk, req, false);
   	tcp_free_fastopen_req(tp);
  -	inet_clear_bit(DEFER_CONNECT, sk);
  -	tp->fastopen_client_fail = 0;
  +	inet->defer_connect = 0;
  +
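Review bot: the fix itself, `if (req)` / `reqsk_fastopen_remove(sk, req, false);` / `tcp_free_fastopen_req(tp);`, appears here as unchanged context, so the backport matches upstream on the lines that matter; the differing tail (`-	inet_clear_bit(DEFER_CONNECT, sk);` and `-	tp->fastopen_client_fail = 0;` against `+	inet->defer_connect = 0;`) is pre-existing tree state explained by the missing 08e39c0 ("inet: move inet->defer_connect to inet->inet_flags") and 4802747 listed after the diff. Suggest naming those two hashes in the backport commit message as well, since the interdiff tooling will flag this hunk on every future rebase and the justification should travel with the commit.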

Expected but not interfering due to missing
a01512b ("tcp: remove unneeded variable 'err'")
08e39c0 ("inet: move inet->defer_connect to inet->inet_flags")
4802747 ("480274787d7e3458bc5a7cfbbbe07033984ad711")

Run jira_pr_check

> python3 /home/rnicolescu/ciq/kernel-src-tree-tools/jira_pr_check.py --kernel-src-tree /home/rnicolescu/ciq/kernels/lts-8.6/kernel-src-tree --merge-target {rnicolescu}_ciqlts8_6 --pr-branch origin/ciqlts8_6

## JIRA PR Check Results

✅ **No issues found!**


---
**Summary:** Checked 0 commit(s) total.

jira VULN-158527
cve CVE-2025-39955
commit-author Kuniyuki Iwashima <kuniyu@google.com>
commit 45c8a6c

syzbot reported the splat below where a socket had tcp_sk(sk)->fastopen_rsk
in the TCP_ESTABLISHED state. [0]

syzbot reused the server-side TCP Fast Open socket as a new client before
the TFO socket completes 3WHS:

  1. accept()
  2. connect(AF_UNSPEC)
  3. connect() to another destination

As of accept(), sk->sk_state is TCP_SYN_RECV, and tcp_disconnect() changes
it to TCP_CLOSE and makes connect() possible, which restarts timers.

Since tcp_disconnect() forgot to clear tcp_sk(sk)->fastopen_rsk, the
retransmit timer triggered the warning and the intended packet was not
retransmitted.

Let's call reqsk_fastopen_remove() in tcp_disconnect().

[0]:
WARNING: CPU: 2 PID: 0 at net/ipv4/tcp_timer.c:542 tcp_retransmit_timer (net/ipv4/tcp_timer.c:542 (discriminator 7))
Modules linked in:
CPU: 2 UID: 0 PID: 0 Comm: swapper/2 Not tainted 6.17.0-rc5-g201825fb4278 #62 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:tcp_retransmit_timer (net/ipv4/tcp_timer.c:542 (discriminator 7))
Code: 41 55 41 54 55 53 48 8b af b8 08 00 00 48 89 fb 48 85 ed 0f 84 55 01 00 00 0f b6 47 12 3c 03 74 0c 0f b6 47 12 3c 04 74 04 90 <0f> 0b 90 48 8b 85 c0 00 00 00 48 89 ef 48 8b 40 30 e8 6a 4f 06 3e
RSP: 0018:ffffc900002f8d40 EFLAGS: 00010293
RAX: 0000000000000002 RBX: ffff888106911400 RCX: 0000000000000017
RDX: 0000000002517619 RSI: ffffffff83764080 RDI: ffff888106911400
RBP: ffff888106d5c000 R08: 0000000000000001 R09: ffffc900002f8de8
R10: 00000000000000c2 R11: ffffc900002f8ff8 R12: ffff888106911540
R13: ffff888106911480 R14: ffff888106911840 R15: ffffc900002f8de0
FS:  0000000000000000(0000) GS:ffff88907b768000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8044d69d90 CR3: 0000000002c30003 CR4: 0000000000370ef0
Call Trace:
 <IRQ>
 tcp_write_timer (net/ipv4/tcp_timer.c:738)
 call_timer_fn (kernel/time/timer.c:1747)
 __run_timers (kernel/time/timer.c:1799 kernel/time/timer.c:2372)
 timer_expire_remote (kernel/time/timer.c:2385 kernel/time/timer.c:2376 kernel/time/timer.c:2135)
 tmigr_handle_remote_up (kernel/time/timer_migration.c:944 kernel/time/timer_migration.c:1035)
 __walk_groups.isra.0 (kernel/time/timer_migration.c:533 (discriminator 1))
 tmigr_handle_remote (kernel/time/timer_migration.c:1096)
 handle_softirqs (./arch/x86/include/asm/jump_label.h:36 ./include/trace/events/irq.h:142 kernel/softirq.c:580)
 irq_exit_rcu (kernel/softirq.c:614 kernel/softirq.c:453 kernel/softirq.c:680 kernel/softirq.c:696)
 sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1050 (discriminator 35) arch/x86/kernel/apic/apic.c:1050 (discriminator 35))
 </IRQ>

Fixes: 8336886 ("tcp: TCP Fast Open Server - support TFO listeners")
Reported-by: syzkaller <syzkaller@googlegroups.com>
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20250915175800.118793-2-kuniyu@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 45c8a6c)
Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>

jira VULN-160501
cve CVE-2025-40186
commit-author Kuniyuki Iwashima <kuniyu@google.com>
commit 2e7cbbb

syzbot reported the splat below in tcp_conn_request(). [0]

If a listener is close()d while a TFO socket is being processed in
tcp_conn_request(), inet_csk_reqsk_queue_add() does not set reqsk->sk
and calls inet_child_forget(), which calls tcp_disconnect() for the
TFO socket.

After the cited commit, tcp_disconnect() calls reqsk_fastopen_remove(),
where reqsk_put() is called due to !reqsk->sk.

Then, reqsk_fastopen_remove() in tcp_conn_request() decrements the
last req->rsk_refcnt and frees reqsk, and __reqsk_free() at the
drop_and_free label causes the refcount underflow for the listener
and double-free of the reqsk.

Let's remove reqsk_fastopen_remove() in tcp_conn_request().

Note that other callers make sure tp->fastopen_rsk is not NULL.

[0]:
refcount_t: underflow; use-after-free.
WARNING: CPU: 12 PID: 5563 at lib/refcount.c:28 refcount_warn_saturate (lib/refcount.c:28)
Modules linked in:
CPU: 12 UID: 0 PID: 5563 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:refcount_warn_saturate (lib/refcount.c:28)
Code: ab e8 8e b4 98 ff 0f 0b c3 cc cc cc cc cc 80 3d a4 e4 d6 01 00 75 9c c6 05 9b e4 d6 01 01 48 c7 c7 e8 df fb ab e8 6a b4 98 ff <0f> 0b e9 03 5b 76 00 cc 80 3d 7d e4 d6 01 00 0f 85 74 ff ff ff c6
RSP: 0018:ffffa79fc0304a98 EFLAGS: 00010246
RAX: d83af4db1c6b3900 RBX: ffff9f65c7a69020 RCX: d83af4db1c6b3900
RDX: 0000000000000000 RSI: 00000000ffff7fff RDI: ffffffffac78a280
RBP: 000000009d781b60 R08: 0000000000007fff R09: ffffffffac6ca280
R10: 0000000000017ffd R11: 0000000000000004 R12: ffff9f65c7b4f100
R13: ffff9f65c7d23c00 R14: ffff9f65c7d26000 R15: ffff9f65c7a64ef8
FS:  00007f9f962176c0(0000) GS:ffff9f65fcf00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000000180 CR3: 000000000dbbe006 CR4: 0000000000372ef0
Call Trace:
 <IRQ>
 tcp_conn_request (./include/linux/refcount.h:400 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/net/sock.h:1965 ./include/net/request_sock.h:131 net/ipv4/tcp_input.c:7301)
 tcp_rcv_state_process (net/ipv4/tcp_input.c:6708)
 tcp_v6_do_rcv (net/ipv6/tcp_ipv6.c:1670)
 tcp_v6_rcv (net/ipv6/tcp_ipv6.c:1906)
 ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:438)
 ip6_input (net/ipv6/ip6_input.c:500)
 ipv6_rcv (net/ipv6/ip6_input.c:311)
 __netif_receive_skb (net/core/dev.c:6104)
 process_backlog (net/core/dev.c:6456)
 __napi_poll (net/core/dev.c:7506)
 net_rx_action (net/core/dev.c:7569 net/core/dev.c:7696)
 handle_softirqs (kernel/softirq.c:579)
 do_softirq (kernel/softirq.c:480)
 </IRQ>

Fixes: 45c8a6c ("tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect().")
Reported-by: syzkaller <syzkaller@googlegroups.com>
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20251001233755.1340927-1-kuniyu@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 2e7cbbb)
Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
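The description's point that CVE-2025-40186 is itself a fix for CVE-2025-39955 is visible in the trailers above: 2e7cbbb carries `Fixes: 45c8a6c`, so it must never land without 45c8a6c ahead of it. The check below is an added example, not part of this PR or of the ctrliq kernel-src-tree-tools; it parses the `jira / cve / commit-author / commit` header blocks and `Fixes:` trailers in the format used in this PR and verifies that every `Fixes:` target is either in a caller-supplied set of base-tree hashes or earlier in the series. The sample series and the base-tree hash set are constructed here from the two commit headers on this page.

```python
import re
# Header lines of each entry in the PR's COMMITS block, and the Fixes: trailer in the body.
HEADER_RE = re.compile(r"^(jira|cve|commit-author|commit)\s+(.+)$")
FIXES_RE = re.compile(r"^Fixes:\s*([0-9a-f]{7,40})\b", re.MULTILINE)

# Constructed sample: this PR's two commit headers, bodies cut down to their Fixes: trailers.
SERIES = """\
jira VULN-158527
cve CVE-2025-39955
commit-author Kuniyuki Iwashima <kuniyu@google.com>
commit 45c8a6c

Fixes: 8336886 ("tcp: TCP Fast Open Server - support TFO listeners")
jira VULN-160501
cve CVE-2025-40186
commit-author Kuniyuki Iwashima <kuniyu@google.com>
commit 2e7cbbb

Fixes: 45c8a6c ("tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect().")
"""

def parse_series(text):
    """Split concatenated commit entries into dicts, preserving series order."""
    commits, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m and m.group(1) == "jira":          # a new entry starts at its jira line
            cur = {"jira": m.group(2), "body": []}
            commits.append(cur)
        elif m and cur is not None and not cur["body"]:
            cur[m.group(1)] = m.group(2)        # cve / commit-author / commit
        elif cur is not None:
            cur["body"].append(line)
    for c in commits:
        c["fixes"] = FIXES_RE.findall("\n".join(c["body"]))
    return commits

def check_order(commits, base_hashes=()):
    """Return problems; empty means every Fixes: target is in the base or earlier."""
    problems, seen = [], set(base_hashes)
    for c in commits:
        for target in c["fixes"]:
            # Abbreviated hashes differ in length across tools, so match by prefix.
            if not any(h.startswith(target) or target.startswith(h) for h in seen):
                problems.append(f"{c['commit']} ({c['cve']}) fixes {target}, which is "
                                "neither in the base tree nor earlier in the series")
        seen.add(c["commit"])
    return problems
```

Running `check_order(parse_series(SERIES), base_hashes={"8336886"})` returns no problems, while the same series reversed, or the second commit on its own, reports that 2e7cbbb's target 45c8a6c is missing.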
@github-actions

github-actions bot commented Jan 8, 2026

🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/20814951045

@github-actions

github-actions bot commented Jan 8, 2026

🔍 Interdiff Analysis

  • ⚠️ PR commit 15a3c8cfde80 (tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect().) → upstream 45c8a6cc2bcd
    Differences found:
diff -u b/net/ipv4/tcp.c b/net/ipv4/tcp.c
--- b/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -2591,5 +2591,5 @@
-	struct inet_connection_sock *icsk = inet_csk(sk);
 	struct tcp_sock *tp = tcp_sk(sk);
+	int err = 0;
 	int old_state = sk->sk_state;
 	struct request_sock *req;
 	u32 seq;
@@ -2704,5 +2704,5 @@
 	if (req)
 		reqsk_fastopen_remove(sk, req, false);
 	tcp_free_fastopen_req(tp);
-	inet_clear_bit(DEFER_CONNECT, sk);
-	tp->fastopen_client_fail = 0;
+	inet->defer_connect = 0;
+

This is an automated interdiff check for backported commits.

@github-actions

github-actions bot commented Jan 8, 2026

Validation checks completed successfully View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/20814951045

@PlaidCat PlaidCat requested a review from a team January 9, 2026 17:19
Collaborator

@PlaidCat PlaidCat left a comment


:shipit:

@roxanan1996 roxanan1996 merged commit 10f3981 into ciqlts8_6 Jan 12, 2026
3 checks passed
