--- /dev/null
+From aac3838bbf8b2c7391f5d00073a2f80fa92c2efa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Nov 2025 12:55:16 +0000
+Subject: bpf: Add bpf_prog_run_data_pointers()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 4ef92743625818932b9c320152b58274c05e5053 ]
+
+syzbot found that cls_bpf_classify() is able to change
+tc_skb_cb(skb)->drop_reason triggering a warning in sk_skb_reason_drop().
+
+WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 __sk_skb_reason_drop net/core/skbuff.c:1189 [inline]
+WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 sk_skb_reason_drop+0x76/0x170 net/core/skbuff.c:1214
+
+struct tc_skb_cb has been added in commit ec624fe740b4 ("net/sched:
+Extend qdisc control block with tc control block"), which added a wrong
+interaction with db58ba459202 ("bpf: wire in data and data_end for
+cls_act_bpf").
+
+drop_reason was added later.
+
+Add bpf_prog_run_data_pointers() helper to save/restore the net_sched
+storage colliding with BPF data_meta/data_end.
+
+Fixes: ec624fe740b4 ("net/sched: Extend qdisc control block with tc control block")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Closes: https://lore.kernel.org/netdev/6913437c.a70a0220.22f260.013b.GAE@google.com/
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Reviewed-by: Victor Nogueira <victor@mojatatu.com>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://patch.msgid.link/20251112125516.1563021-1-edumazet@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/filter.h | 20 ++++++++++++++++++++
+ net/sched/act_bpf.c | 6 ++----
+ net/sched/cls_bpf.c | 6 ++----
+ 3 files changed, 24 insertions(+), 8 deletions(-)
+
+diff --git a/include/linux/filter.h b/include/linux/filter.h
+index dc49c8eb00fd6..e8d52cf2883a6 100644
+--- a/include/linux/filter.h
++++ b/include/linux/filter.h
+@@ -701,6 +701,26 @@ static inline void bpf_compute_data_pointers(struct sk_buff *skb)
+ cb->data_end = skb->data + skb_headlen(skb);
+ }
+
++static inline int bpf_prog_run_data_pointers(
++ const struct bpf_prog *prog,
++ struct sk_buff *skb)
++{
++ struct bpf_skb_data_end *cb = (struct bpf_skb_data_end *)skb->cb;
++ void *save_data_meta, *save_data_end;
++ int res;
++
++ save_data_meta = cb->data_meta;
++ save_data_end = cb->data_end;
++
++ bpf_compute_data_pointers(skb);
++ res = bpf_prog_run(prog, skb);
++
++ cb->data_meta = save_data_meta;
++ cb->data_end = save_data_end;
++
++ return res;
++}
++
+ /* Similar to bpf_compute_data_pointers(), except that save orginal
+ * data in cb->data and cb->meta_data for restore.
+ */
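Review bot: bpf_prog_run_data_pointers() has no comment saying why data_meta and data_end are saved and put back around bpf_prog_run(), while the helper that follows it in this header is commented. The commit message gives the reason: these two fields of struct bpf_skb_data_end collide with net_sched storage reached through tc_skb_cb (drop_reason is the field syzbot saw change), so bpf_compute_data_pointers() would otherwise leave packet pointers in scheduler state after the program returns. I would add above the function something like `/* cb->data_meta/data_end alias tc_skb_cb storage: save and restore them around the program run */`. Callers of bpf_compute_data_pointers() outside act_bpf.c and cls_bpf.c are not visible in this patch, so it is worth confirming that none of them runs on an skb whose cb is still in use by net_sched. The same helper is added unchanged by the other backports of this commit on this page (the filter.h hunks at -676, -881, -898 and -685).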
+diff --git a/net/sched/act_bpf.c b/net/sched/act_bpf.c
+index 5576eb97d39e0..e1b6e88feaf51 100644
+--- a/net/sched/act_bpf.c
++++ b/net/sched/act_bpf.c
+@@ -45,12 +45,10 @@ static int tcf_bpf_act(struct sk_buff *skb, const struct tc_action *act,
+ filter = rcu_dereference(prog->filter);
+ if (at_ingress) {
+ __skb_push(skb, skb->mac_len);
+- bpf_compute_data_pointers(skb);
+- filter_res = bpf_prog_run(filter, skb);
++ filter_res = bpf_prog_run_data_pointers(filter, skb);
+ __skb_pull(skb, skb->mac_len);
+ } else {
+- bpf_compute_data_pointers(skb);
+- filter_res = bpf_prog_run(filter, skb);
++ filter_res = bpf_prog_run_data_pointers(filter, skb);
+ }
+ if (skb_sk_is_prefetched(skb) && filter_res != TC_ACT_OK)
+ skb_orphan(skb);
+diff --git a/net/sched/cls_bpf.c b/net/sched/cls_bpf.c
+index b7c46a93a4121..63fb61a290cd6 100644
+--- a/net/sched/cls_bpf.c
++++ b/net/sched/cls_bpf.c
+@@ -95,12 +95,10 @@ static int cls_bpf_classify(struct sk_buff *skb, const struct tcf_proto *tp,
+ } else if (at_ingress) {
+ /* It is safe to push/pull even if skb_shared() */
+ __skb_push(skb, skb->mac_len);
+- bpf_compute_data_pointers(skb);
+- filter_res = bpf_prog_run(prog->filter, skb);
++ filter_res = bpf_prog_run_data_pointers(prog->filter, skb);
+ __skb_pull(skb, skb->mac_len);
+ } else {
+- bpf_compute_data_pointers(skb);
+- filter_res = bpf_prog_run(prog->filter, skb);
++ filter_res = bpf_prog_run_data_pointers(prog->filter, skb);
+ }
+
+ if (prog->exts_integrated) {
+--
+2.51.0
+
drm-vmwgfx-validate-command-header-size-against-svga.patch
nfsv4-fix-an-incorrect-parameter-when-calling-nfs4_c.patch
alsa-usb-audio-fix-null-pointer-dereference-in-snd_u.patch
+bpf-add-bpf_prog_run_data_pointers.patch
--- /dev/null
+From 1b538b004cbb49d02c50538252fc32a548b00959 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Nov 2025 12:55:16 +0000
+Subject: bpf: Add bpf_prog_run_data_pointers()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 4ef92743625818932b9c320152b58274c05e5053 ]
+
+syzbot found that cls_bpf_classify() is able to change
+tc_skb_cb(skb)->drop_reason triggering a warning in sk_skb_reason_drop().
+
+WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 __sk_skb_reason_drop net/core/skbuff.c:1189 [inline]
+WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 sk_skb_reason_drop+0x76/0x170 net/core/skbuff.c:1214
+
+struct tc_skb_cb has been added in commit ec624fe740b4 ("net/sched:
+Extend qdisc control block with tc control block"), which added a wrong
+interaction with db58ba459202 ("bpf: wire in data and data_end for
+cls_act_bpf").
+
+drop_reason was added later.
+
+Add bpf_prog_run_data_pointers() helper to save/restore the net_sched
+storage colliding with BPF data_meta/data_end.
+
+Fixes: ec624fe740b4 ("net/sched: Extend qdisc control block with tc control block")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Closes: https://lore.kernel.org/netdev/6913437c.a70a0220.22f260.013b.GAE@google.com/
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Reviewed-by: Victor Nogueira <victor@mojatatu.com>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://patch.msgid.link/20251112125516.1563021-1-edumazet@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/filter.h | 20 ++++++++++++++++++++
+ net/sched/act_bpf.c | 6 ++----
+ net/sched/cls_bpf.c | 6 ++----
+ 3 files changed, 24 insertions(+), 8 deletions(-)
+
+diff --git a/include/linux/filter.h b/include/linux/filter.h
+index bbdae97d50c42..502cab01e9e97 100644
+--- a/include/linux/filter.h
++++ b/include/linux/filter.h
+@@ -676,6 +676,26 @@ static inline void bpf_compute_data_pointers(struct sk_buff *skb)
+ cb->data_end = skb->data + skb_headlen(skb);
+ }
+
++static inline int bpf_prog_run_data_pointers(
++ const struct bpf_prog *prog,
++ struct sk_buff *skb)
++{
++ struct bpf_skb_data_end *cb = (struct bpf_skb_data_end *)skb->cb;
++ void *save_data_meta, *save_data_end;
++ int res;
++
++ save_data_meta = cb->data_meta;
++ save_data_end = cb->data_end;
++
++ bpf_compute_data_pointers(skb);
++ res = bpf_prog_run(prog, skb);
++
++ cb->data_meta = save_data_meta;
++ cb->data_end = save_data_end;
++
++ return res;
++}
++
+ /* Similar to bpf_compute_data_pointers(), except that save orginal
+ * data in cb->data and cb->meta_data for restore.
+ */
+diff --git a/net/sched/act_bpf.c b/net/sched/act_bpf.c
+index b79eee44e24eb..e33a6be877def 100644
+--- a/net/sched/act_bpf.c
++++ b/net/sched/act_bpf.c
+@@ -45,12 +45,10 @@ static int tcf_bpf_act(struct sk_buff *skb, const struct tc_action *act,
+ filter = rcu_dereference(prog->filter);
+ if (at_ingress) {
+ __skb_push(skb, skb->mac_len);
+- bpf_compute_data_pointers(skb);
+- filter_res = bpf_prog_run(filter, skb);
++ filter_res = bpf_prog_run_data_pointers(filter, skb);
+ __skb_pull(skb, skb->mac_len);
+ } else {
+- bpf_compute_data_pointers(skb);
+- filter_res = bpf_prog_run(filter, skb);
++ filter_res = bpf_prog_run_data_pointers(filter, skb);
+ }
+ if (unlikely(!skb->tstamp && skb->mono_delivery_time))
+ skb->mono_delivery_time = 0;
+diff --git a/net/sched/cls_bpf.c b/net/sched/cls_bpf.c
+index 0320e11eb248b..5820ee95fa36e 100644
+--- a/net/sched/cls_bpf.c
++++ b/net/sched/cls_bpf.c
+@@ -95,12 +95,10 @@ static int cls_bpf_classify(struct sk_buff *skb, const struct tcf_proto *tp,
+ } else if (at_ingress) {
+ /* It is safe to push/pull even if skb_shared() */
+ __skb_push(skb, skb->mac_len);
+- bpf_compute_data_pointers(skb);
+- filter_res = bpf_prog_run(prog->filter, skb);
++ filter_res = bpf_prog_run_data_pointers(prog->filter, skb);
+ __skb_pull(skb, skb->mac_len);
+ } else {
+- bpf_compute_data_pointers(skb);
+- filter_res = bpf_prog_run(prog->filter, skb);
++ filter_res = bpf_prog_run_data_pointers(prog->filter, skb);
+ }
+ if (unlikely(!skb->tstamp && skb->mono_delivery_time))
+ skb->mono_delivery_time = 0;
+--
+2.51.0
+
drm-vmwgfx-validate-command-header-size-against-svga.patch
nfsv4-fix-an-incorrect-parameter-when-calling-nfs4_c.patch
alsa-usb-audio-fix-null-pointer-dereference-in-snd_u.patch
+bpf-add-bpf_prog_run_data_pointers.patch
--- /dev/null
+From fcb8c893fc10fc6ba5a10d3eb43d5a7f6b1eeee0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Nov 2025 18:57:29 -0800
+Subject: bpf: account for current allocated stack depth in
+ widen_imprecise_scalars()
+
+From: Eduard Zingerman <eddyz87@gmail.com>
+
+[ Upstream commit b0c8e6d3d866b6a7f73877f71968dbffd27b7785 ]
+
+The usage pattern for widen_imprecise_scalars() looks as follows:
+
+ prev_st = find_prev_entry(env, ...);
+ queued_st = push_stack(...);
+ widen_imprecise_scalars(env, prev_st, queued_st);
+
+Where prev_st is an ancestor of the queued_st in the explored states
+tree. This ancestor is not guaranteed to have same allocated stack
+depth as queued_st. E.g. in the following case:
+
+ def main():
+ for i in 1..2:
+ foo(i) // same callsite, differnt param
+
+ def foo(i):
+ if i == 1:
+ use 128 bytes of stack
+ iterator based loop
+
+Here, for a second 'foo' call prev_st->allocated_stack is 128,
+while queued_st->allocated_stack is much smaller.
+widen_imprecise_scalars() needs to take this into account and avoid
+accessing bpf_verifier_state->frame[*]->stack out of bounds.
+
+Fixes: 2793a8b015f7 ("bpf: exact states comparison for iterator convergence checks")
+Reported-by: Emil Tsalapatis <emil@etsalapatis.com>
+Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
+Link: https://lore.kernel.org/r/20251114025730.772723-1-eddyz87@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 218c238d61398..7b75a2dd8cb8f 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -8228,7 +8228,7 @@ static int widen_imprecise_scalars(struct bpf_verifier_env *env,
+ struct bpf_verifier_state *cur)
+ {
+ struct bpf_func_state *fold, *fcur;
+- int i, fr;
++ int i, fr, num_slots;
+
+ reset_idmap_scratch(env);
+ for (fr = old->curframe; fr >= 0; fr--) {
+@@ -8241,7 +8241,9 @@ static int widen_imprecise_scalars(struct bpf_verifier_env *env,
+ &fcur->regs[i],
+ &env->idmap_scratch);
+
+- for (i = 0; i < fold->allocated_stack / BPF_REG_SIZE; i++) {
++ num_slots = min(fold->allocated_stack / BPF_REG_SIZE,
++ fcur->allocated_stack / BPF_REG_SIZE);
++ for (i = 0; i < num_slots; i++) {
+ if (!is_spilled_reg(&fold->stack[i]) ||
+ !is_spilled_reg(&fcur->stack[i]))
+ continue;
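Review bot: The new bound `num_slots` has no comment, and the loop alone does not show why it is needed: per the commit message `old` is an ancestor state whose frame may have a different allocated_stack than the queued one, so walking both `stack[i]` arrays up to fold's slot count could read past fcur->stack. I would put `/* old and cur frames may differ in allocated stack; only walk slots present in both */` above the `min()`. The frame loop in the previous hunk still starts at old->curframe and presumably looks up cur's frame with the same `fr`; whether cur always has at least that many frames is not visible here and is worth confirming. widen_imprecise_scalars() starts and ends outside these hunks. The same change appears in the other two verifier.c backports on this page (hunks at -8930 and -7852).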
+--
+2.51.0
+
--- /dev/null
+From 23d86396642b9566f78f6d69655dd34ab31ea6ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Nov 2025 12:55:16 +0000
+Subject: bpf: Add bpf_prog_run_data_pointers()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 4ef92743625818932b9c320152b58274c05e5053 ]
+
+syzbot found that cls_bpf_classify() is able to change
+tc_skb_cb(skb)->drop_reason triggering a warning in sk_skb_reason_drop().
+
+WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 __sk_skb_reason_drop net/core/skbuff.c:1189 [inline]
+WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 sk_skb_reason_drop+0x76/0x170 net/core/skbuff.c:1214
+
+struct tc_skb_cb has been added in commit ec624fe740b4 ("net/sched:
+Extend qdisc control block with tc control block"), which added a wrong
+interaction with db58ba459202 ("bpf: wire in data and data_end for
+cls_act_bpf").
+
+drop_reason was added later.
+
+Add bpf_prog_run_data_pointers() helper to save/restore the net_sched
+storage colliding with BPF data_meta/data_end.
+
+Fixes: ec624fe740b4 ("net/sched: Extend qdisc control block with tc control block")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Closes: https://lore.kernel.org/netdev/6913437c.a70a0220.22f260.013b.GAE@google.com/
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Reviewed-by: Victor Nogueira <victor@mojatatu.com>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://patch.msgid.link/20251112125516.1563021-1-edumazet@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/filter.h | 20 ++++++++++++++++++++
+ net/sched/act_bpf.c | 6 ++----
+ net/sched/cls_bpf.c | 6 ++----
+ 3 files changed, 24 insertions(+), 8 deletions(-)
+
+diff --git a/include/linux/filter.h b/include/linux/filter.h
+index aef18f0e9450e..9b6908291de7c 100644
+--- a/include/linux/filter.h
++++ b/include/linux/filter.h
+@@ -881,6 +881,26 @@ static inline void bpf_compute_data_pointers(struct sk_buff *skb)
+ cb->data_end = skb->data + skb_headlen(skb);
+ }
+
++static inline int bpf_prog_run_data_pointers(
++ const struct bpf_prog *prog,
++ struct sk_buff *skb)
++{
++ struct bpf_skb_data_end *cb = (struct bpf_skb_data_end *)skb->cb;
++ void *save_data_meta, *save_data_end;
++ int res;
++
++ save_data_meta = cb->data_meta;
++ save_data_end = cb->data_end;
++
++ bpf_compute_data_pointers(skb);
++ res = bpf_prog_run(prog, skb);
++
++ cb->data_meta = save_data_meta;
++ cb->data_end = save_data_end;
++
++ return res;
++}
++
+ /* Similar to bpf_compute_data_pointers(), except that save orginal
+ * data in cb->data and cb->meta_data for restore.
+ */
+diff --git a/net/sched/act_bpf.c b/net/sched/act_bpf.c
+index 396b576390d00..c2b5bc19e0911 100644
+--- a/net/sched/act_bpf.c
++++ b/net/sched/act_bpf.c
+@@ -47,12 +47,10 @@ TC_INDIRECT_SCOPE int tcf_bpf_act(struct sk_buff *skb,
+ filter = rcu_dereference(prog->filter);
+ if (at_ingress) {
+ __skb_push(skb, skb->mac_len);
+- bpf_compute_data_pointers(skb);
+- filter_res = bpf_prog_run(filter, skb);
++ filter_res = bpf_prog_run_data_pointers(filter, skb);
+ __skb_pull(skb, skb->mac_len);
+ } else {
+- bpf_compute_data_pointers(skb);
+- filter_res = bpf_prog_run(filter, skb);
++ filter_res = bpf_prog_run_data_pointers(filter, skb);
+ }
+ if (unlikely(!skb->tstamp && skb->tstamp_type))
+ skb->tstamp_type = SKB_CLOCK_REALTIME;
+diff --git a/net/sched/cls_bpf.c b/net/sched/cls_bpf.c
+index 7fbe42f0e5c2b..a32754a2658bb 100644
+--- a/net/sched/cls_bpf.c
++++ b/net/sched/cls_bpf.c
+@@ -97,12 +97,10 @@ TC_INDIRECT_SCOPE int cls_bpf_classify(struct sk_buff *skb,
+ } else if (at_ingress) {
+ /* It is safe to push/pull even if skb_shared() */
+ __skb_push(skb, skb->mac_len);
+- bpf_compute_data_pointers(skb);
+- filter_res = bpf_prog_run(prog->filter, skb);
++ filter_res = bpf_prog_run_data_pointers(prog->filter, skb);
+ __skb_pull(skb, skb->mac_len);
+ } else {
+- bpf_compute_data_pointers(skb);
+- filter_res = bpf_prog_run(prog->filter, skb);
++ filter_res = bpf_prog_run_data_pointers(prog->filter, skb);
+ }
+ if (unlikely(!skb->tstamp && skb->tstamp_type))
+ skb->tstamp_type = SKB_CLOCK_REALTIME;
+--
+2.51.0
+
--- /dev/null
+From ee06bee42530a9e979df95628e0b315cc12c1e8b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Nov 2025 15:28:44 +0800
+Subject: irqchip/riscv-intc: Add missing free() callback in
+ riscv_intc_domain_ops
+
+From: Nick Hu <nick.hu@sifive.com>
+
+[ Upstream commit 14473a1f88596fd729e892782efc267c0097dd1d ]
+
+The irq_domain_free_irqs() helper requires that the irq_domain_ops->free
+callback is implemented. Otherwise, the kernel reports the warning message
+"NULL pointer, cannot free irq" when irq_dispose_mapping() is invoked to
+release the per-HART local interrupts.
+
+Set irq_domain_ops->free to irq_domain_free_irqs_top() to cure that.
+
+Fixes: 832f15f42646 ("RISC-V: Treat IPIs as normal Linux IRQs")
+Signed-off-by: Nick Hu <nick.hu@sifive.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://patch.msgid.link/20251114-rv-intc-fix-v1-1-a3edd1c1a868@sifive.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-riscv-intc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/irqchip/irq-riscv-intc.c b/drivers/irqchip/irq-riscv-intc.c
+index f653c13de62b5..a02ef98848d36 100644
+--- a/drivers/irqchip/irq-riscv-intc.c
++++ b/drivers/irqchip/irq-riscv-intc.c
+@@ -166,7 +166,8 @@ static int riscv_intc_domain_alloc(struct irq_domain *domain,
+ static const struct irq_domain_ops riscv_intc_domain_ops = {
+ .map = riscv_intc_domain_map,
+ .xlate = irq_domain_xlate_onecell,
+- .alloc = riscv_intc_domain_alloc
++ .alloc = riscv_intc_domain_alloc,
++ .free = irq_domain_free_irqs_top,
+ };
+
+ static struct fwnode_handle *riscv_intc_hwnode(void)
+--
+2.51.0
+
nfs-fix-ltp-test-failures-when-timestamps-are-delega.patch
alsa-usb-audio-fix-null-pointer-dereference-in-snd_u.patch
acpi-hmat-fix-lockdep-warning-for-hmem_register_reso.patch
+bpf-add-bpf_prog_run_data_pointers.patch
+bpf-account-for-current-allocated-stack-depth-in-wid.patch
+irqchip-riscv-intc-add-missing-free-callback-in-risc.patch
--- /dev/null
+From d15d7d0efbf198281eff890126d73c8c8bb4ff9c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Nov 2025 18:57:29 -0800
+Subject: bpf: account for current allocated stack depth in
+ widen_imprecise_scalars()
+
+From: Eduard Zingerman <eddyz87@gmail.com>
+
+[ Upstream commit b0c8e6d3d866b6a7f73877f71968dbffd27b7785 ]
+
+The usage pattern for widen_imprecise_scalars() looks as follows:
+
+ prev_st = find_prev_entry(env, ...);
+ queued_st = push_stack(...);
+ widen_imprecise_scalars(env, prev_st, queued_st);
+
+Where prev_st is an ancestor of the queued_st in the explored states
+tree. This ancestor is not guaranteed to have same allocated stack
+depth as queued_st. E.g. in the following case:
+
+ def main():
+ for i in 1..2:
+ foo(i) // same callsite, differnt param
+
+ def foo(i):
+ if i == 1:
+ use 128 bytes of stack
+ iterator based loop
+
+Here, for a second 'foo' call prev_st->allocated_stack is 128,
+while queued_st->allocated_stack is much smaller.
+widen_imprecise_scalars() needs to take this into account and avoid
+accessing bpf_verifier_state->frame[*]->stack out of bounds.
+
+Fixes: 2793a8b015f7 ("bpf: exact states comparison for iterator convergence checks")
+Reported-by: Emil Tsalapatis <emil@etsalapatis.com>
+Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
+Link: https://lore.kernel.org/r/20251114025730.772723-1-eddyz87@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 2844adf4da61a..c3cdf2bf09aa4 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -8917,7 +8917,7 @@ static int widen_imprecise_scalars(struct bpf_verifier_env *env,
+ struct bpf_verifier_state *cur)
+ {
+ struct bpf_func_state *fold, *fcur;
+- int i, fr;
++ int i, fr, num_slots;
+
+ reset_idmap_scratch(env);
+ for (fr = old->curframe; fr >= 0; fr--) {
+@@ -8930,7 +8930,9 @@ static int widen_imprecise_scalars(struct bpf_verifier_env *env,
+ &fcur->regs[i],
+ &env->idmap_scratch);
+
+- for (i = 0; i < fold->allocated_stack / BPF_REG_SIZE; i++) {
++ num_slots = min(fold->allocated_stack / BPF_REG_SIZE,
++ fcur->allocated_stack / BPF_REG_SIZE);
++ for (i = 0; i < num_slots; i++) {
+ if (!is_spilled_reg(&fold->stack[i]) ||
+ !is_spilled_reg(&fcur->stack[i]))
+ continue;
+--
+2.51.0
+
--- /dev/null
+From e9c87bba978322b7ea1fdc23468ec23e7a6c32d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Nov 2025 12:55:16 +0000
+Subject: bpf: Add bpf_prog_run_data_pointers()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 4ef92743625818932b9c320152b58274c05e5053 ]
+
+syzbot found that cls_bpf_classify() is able to change
+tc_skb_cb(skb)->drop_reason triggering a warning in sk_skb_reason_drop().
+
+WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 __sk_skb_reason_drop net/core/skbuff.c:1189 [inline]
+WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 sk_skb_reason_drop+0x76/0x170 net/core/skbuff.c:1214
+
+struct tc_skb_cb has been added in commit ec624fe740b4 ("net/sched:
+Extend qdisc control block with tc control block"), which added a wrong
+interaction with db58ba459202 ("bpf: wire in data and data_end for
+cls_act_bpf").
+
+drop_reason was added later.
+
+Add bpf_prog_run_data_pointers() helper to save/restore the net_sched
+storage colliding with BPF data_meta/data_end.
+
+Fixes: ec624fe740b4 ("net/sched: Extend qdisc control block with tc control block")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Closes: https://lore.kernel.org/netdev/6913437c.a70a0220.22f260.013b.GAE@google.com/
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Reviewed-by: Victor Nogueira <victor@mojatatu.com>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://patch.msgid.link/20251112125516.1563021-1-edumazet@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/filter.h | 20 ++++++++++++++++++++
+ net/sched/act_bpf.c | 6 ++----
+ net/sched/cls_bpf.c | 6 ++----
+ 3 files changed, 24 insertions(+), 8 deletions(-)
+
+diff --git a/include/linux/filter.h b/include/linux/filter.h
+index 52fecb7a1fe36..152f2fc7b65a3 100644
+--- a/include/linux/filter.h
++++ b/include/linux/filter.h
+@@ -898,6 +898,26 @@ static inline void bpf_compute_data_pointers(struct sk_buff *skb)
+ cb->data_end = skb->data + skb_headlen(skb);
+ }
+
++static inline int bpf_prog_run_data_pointers(
++ const struct bpf_prog *prog,
++ struct sk_buff *skb)
++{
++ struct bpf_skb_data_end *cb = (struct bpf_skb_data_end *)skb->cb;
++ void *save_data_meta, *save_data_end;
++ int res;
++
++ save_data_meta = cb->data_meta;
++ save_data_end = cb->data_end;
++
++ bpf_compute_data_pointers(skb);
++ res = bpf_prog_run(prog, skb);
++
++ cb->data_meta = save_data_meta;
++ cb->data_end = save_data_end;
++
++ return res;
++}
++
+ /* Similar to bpf_compute_data_pointers(), except that save orginal
+ * data in cb->data and cb->meta_data for restore.
+ */
+diff --git a/net/sched/act_bpf.c b/net/sched/act_bpf.c
+index 396b576390d00..c2b5bc19e0911 100644
+--- a/net/sched/act_bpf.c
++++ b/net/sched/act_bpf.c
+@@ -47,12 +47,10 @@ TC_INDIRECT_SCOPE int tcf_bpf_act(struct sk_buff *skb,
+ filter = rcu_dereference(prog->filter);
+ if (at_ingress) {
+ __skb_push(skb, skb->mac_len);
+- bpf_compute_data_pointers(skb);
+- filter_res = bpf_prog_run(filter, skb);
++ filter_res = bpf_prog_run_data_pointers(filter, skb);
+ __skb_pull(skb, skb->mac_len);
+ } else {
+- bpf_compute_data_pointers(skb);
+- filter_res = bpf_prog_run(filter, skb);
++ filter_res = bpf_prog_run_data_pointers(filter, skb);
+ }
+ if (unlikely(!skb->tstamp && skb->tstamp_type))
+ skb->tstamp_type = SKB_CLOCK_REALTIME;
+diff --git a/net/sched/cls_bpf.c b/net/sched/cls_bpf.c
+index 7fbe42f0e5c2b..a32754a2658bb 100644
+--- a/net/sched/cls_bpf.c
++++ b/net/sched/cls_bpf.c
+@@ -97,12 +97,10 @@ TC_INDIRECT_SCOPE int cls_bpf_classify(struct sk_buff *skb,
+ } else if (at_ingress) {
+ /* It is safe to push/pull even if skb_shared() */
+ __skb_push(skb, skb->mac_len);
+- bpf_compute_data_pointers(skb);
+- filter_res = bpf_prog_run(prog->filter, skb);
++ filter_res = bpf_prog_run_data_pointers(prog->filter, skb);
+ __skb_pull(skb, skb->mac_len);
+ } else {
+- bpf_compute_data_pointers(skb);
+- filter_res = bpf_prog_run(prog->filter, skb);
++ filter_res = bpf_prog_run_data_pointers(prog->filter, skb);
+ }
+ if (unlikely(!skb->tstamp && skb->tstamp_type))
+ skb->tstamp_type = SKB_CLOCK_REALTIME;
+--
+2.51.0
+
--- /dev/null
+From cfb961a40d30ba5fceaefc3d94eaafe8d9479957 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Nov 2025 15:28:44 +0800
+Subject: irqchip/riscv-intc: Add missing free() callback in
+ riscv_intc_domain_ops
+
+From: Nick Hu <nick.hu@sifive.com>
+
+[ Upstream commit 14473a1f88596fd729e892782efc267c0097dd1d ]
+
+The irq_domain_free_irqs() helper requires that the irq_domain_ops->free
+callback is implemented. Otherwise, the kernel reports the warning message
+"NULL pointer, cannot free irq" when irq_dispose_mapping() is invoked to
+release the per-HART local interrupts.
+
+Set irq_domain_ops->free to irq_domain_free_irqs_top() to cure that.
+
+Fixes: 832f15f42646 ("RISC-V: Treat IPIs as normal Linux IRQs")
+Signed-off-by: Nick Hu <nick.hu@sifive.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://patch.msgid.link/20251114-rv-intc-fix-v1-1-a3edd1c1a868@sifive.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-riscv-intc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/irqchip/irq-riscv-intc.c b/drivers/irqchip/irq-riscv-intc.c
+index e5805885394ee..70290b35b3173 100644
+--- a/drivers/irqchip/irq-riscv-intc.c
++++ b/drivers/irqchip/irq-riscv-intc.c
+@@ -166,7 +166,8 @@ static int riscv_intc_domain_alloc(struct irq_domain *domain,
+ static const struct irq_domain_ops riscv_intc_domain_ops = {
+ .map = riscv_intc_domain_map,
+ .xlate = irq_domain_xlate_onecell,
+- .alloc = riscv_intc_domain_alloc
++ .alloc = riscv_intc_domain_alloc,
++ .free = irq_domain_free_irqs_top,
+ };
+
+ static struct fwnode_handle *riscv_intc_hwnode(void)
+--
+2.51.0
+
--- /dev/null
+From 300c4d5762b3962439b20a249895c71a07708bf9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Nov 2025 14:27:39 +0200
+Subject: posix-timers: Plug potential memory leak in do_timer_create()
+
+From: Eslam Khafagy <eslam.medhat1993@gmail.com>
+
+[ Upstream commit e0fd4d42e27f761e9cc82801b3f183e658dc749d ]
+
+When posix timer creation is set to allocate a given timer ID and the
+access to the user space value faults, the function terminates without
+freeing the already allocated posix timer structure.
+
+Move the allocation after the user space access to cure that.
+
+[ tglx: Massaged change log ]
+
+Fixes: ec2d0c04624b3 ("posix-timers: Provide a mechanism to allocate a given timer ID")
+Reported-by: syzbot+9c47ad18f978d4394986@syzkaller.appspotmail.com
+Suggested-by: Cyrill Gorcunov <gorcunov@gmail.com>
+Signed-off-by: Eslam Khafagy <eslam.medhat1993@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Frederic Weisbecker <frederic@kernel.org>
+Link: https://patch.msgid.link/20251114122739.994326-1-eslam.medhat1993@gmail.com
+Closes: https://lore.kernel.org/all/69155df4.a70a0220.3124cb.0017.GAE@google.com/T/
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/time/posix-timers.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/kernel/time/posix-timers.c b/kernel/time/posix-timers.c
+index 8b582174b1f94..42db8396f1999 100644
+--- a/kernel/time/posix-timers.c
++++ b/kernel/time/posix-timers.c
+@@ -476,12 +476,6 @@ static int do_timer_create(clockid_t which_clock, struct sigevent *event,
+ if (!kc->timer_create)
+ return -EOPNOTSUPP;
+
+- new_timer = alloc_posix_timer();
+- if (unlikely(!new_timer))
+- return -EAGAIN;
+-
+- spin_lock_init(&new_timer->it_lock);
+-
+ /* Special case for CRIU to restore timers with a given timer ID. */
+ if (unlikely(current->signal->timer_create_restore_ids)) {
+ if (copy_from_user(&req_id, created_timer_id, sizeof(req_id)))
+@@ -491,6 +485,12 @@ static int do_timer_create(clockid_t which_clock, struct sigevent *event,
+ return -EINVAL;
+ }
+
++ new_timer = alloc_posix_timer();
++ if (unlikely(!new_timer))
++ return -EAGAIN;
++
++ spin_lock_init(&new_timer->it_lock);
++
+ /*
+ * Add the timer to the hash table. The timer is not yet valid
+ * after insertion, but has a unique ID allocated.
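Review bot: Nothing at the new allocation site says that its position is what prevents the leak, so a later edit could move `alloc_posix_timer()` back above the `copy_from_user()` block or add another early `return` after it. A one-line comment such as `/* Allocate after the user-space access above: its error returns do not free new_timer */` above the moved lines would record that. The error paths that follow the hash-table insertion are outside this hunk, so whether each of them releases new_timer cannot be checked from here. do_timer_create() starts and ends outside the hunks.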
+--
+2.51.0
+
acpi-hmat-fix-lockdep-warning-for-hmem_register_reso.patch
asoc-rsnd-fix-of-node-reference-leak-in-rsnd_ssiu_pr.patch
drm-client-fix-module_parm_desc-string-for-active.patch
+bpf-add-bpf_prog_run_data_pointers.patch
+bpf-account-for-current-allocated-stack-depth-in-wid.patch
+irqchip-riscv-intc-add-missing-free-callback-in-risc.patch
+posix-timers-plug-potential-memory-leak-in-do_timer_.patch
--- /dev/null
+From f409317c6929c18861bdb5c5f2c194c0a6e334e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Nov 2025 18:57:29 -0800
+Subject: bpf: account for current allocated stack depth in
+ widen_imprecise_scalars()
+
+From: Eduard Zingerman <eddyz87@gmail.com>
+
+[ Upstream commit b0c8e6d3d866b6a7f73877f71968dbffd27b7785 ]
+
+The usage pattern for widen_imprecise_scalars() looks as follows:
+
+ prev_st = find_prev_entry(env, ...);
+ queued_st = push_stack(...);
+ widen_imprecise_scalars(env, prev_st, queued_st);
+
+Where prev_st is an ancestor of the queued_st in the explored states
+tree. This ancestor is not guaranteed to have same allocated stack
+depth as queued_st. E.g. in the following case:
+
+ def main():
+ for i in 1..2:
+ foo(i) // same callsite, differnt param
+
+ def foo(i):
+ if i == 1:
+ use 128 bytes of stack
+ iterator based loop
+
+Here, for a second 'foo' call prev_st->allocated_stack is 128,
+while queued_st->allocated_stack is much smaller.
+widen_imprecise_scalars() needs to take this into account and avoid
+accessing bpf_verifier_state->frame[*]->stack out of bounds.
+
+Fixes: 2793a8b015f7 ("bpf: exact states comparison for iterator convergence checks")
+Reported-by: Emil Tsalapatis <emil@etsalapatis.com>
+Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
+Link: https://lore.kernel.org/r/20251114025730.772723-1-eddyz87@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 5e644b1b12aaa..45b2f06de452c 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -7839,7 +7839,7 @@ static int widen_imprecise_scalars(struct bpf_verifier_env *env,
+ struct bpf_verifier_state *cur)
+ {
+ struct bpf_func_state *fold, *fcur;
+- int i, fr;
++ int i, fr, num_slots;
+
+ reset_idmap_scratch(env);
+ for (fr = old->curframe; fr >= 0; fr--) {
+@@ -7852,7 +7852,9 @@ static int widen_imprecise_scalars(struct bpf_verifier_env *env,
+ &fcur->regs[i],
+ &env->idmap_scratch);
+
+- for (i = 0; i < fold->allocated_stack / BPF_REG_SIZE; i++) {
++ num_slots = min(fold->allocated_stack / BPF_REG_SIZE,
++ fcur->allocated_stack / BPF_REG_SIZE);
++ for (i = 0; i < num_slots; i++) {
+ if (!is_spilled_reg(&fold->stack[i]) ||
+ !is_spilled_reg(&fcur->stack[i]))
+ continue;
+--
+2.51.0
+
--- /dev/null
+From bc09dcf7f19e10592c6b4a476957f5e1beda229b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Nov 2025 12:55:16 +0000
+Subject: bpf: Add bpf_prog_run_data_pointers()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 4ef92743625818932b9c320152b58274c05e5053 ]
+
+syzbot found that cls_bpf_classify() is able to change
+tc_skb_cb(skb)->drop_reason triggering a warning in sk_skb_reason_drop().
+
+WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 __sk_skb_reason_drop net/core/skbuff.c:1189 [inline]
+WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 sk_skb_reason_drop+0x76/0x170 net/core/skbuff.c:1214
+
+struct tc_skb_cb has been added in commit ec624fe740b4 ("net/sched:
+Extend qdisc control block with tc control block"), which added a wrong
+interaction with db58ba459202 ("bpf: wire in data and data_end for
+cls_act_bpf").
+
+drop_reason was added later.
+
+Add bpf_prog_run_data_pointers() helper to save/restore the net_sched
+storage colliding with BPF data_meta/data_end.
+
+Fixes: ec624fe740b4 ("net/sched: Extend qdisc control block with tc control block")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Closes: https://lore.kernel.org/netdev/6913437c.a70a0220.22f260.013b.GAE@google.com/
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Reviewed-by: Victor Nogueira <victor@mojatatu.com>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://patch.msgid.link/20251112125516.1563021-1-edumazet@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/filter.h | 20 ++++++++++++++++++++
+ net/sched/act_bpf.c | 6 ++----
+ net/sched/cls_bpf.c | 6 ++----
+ 3 files changed, 24 insertions(+), 8 deletions(-)
+
+diff --git a/include/linux/filter.h b/include/linux/filter.h
+index 4ffea87e6fb64..ad5a3d68b5552 100644
+--- a/include/linux/filter.h
++++ b/include/linux/filter.h
+@@ -685,6 +685,26 @@ static inline void bpf_compute_data_pointers(struct sk_buff *skb)
+ cb->data_end = skb->data + skb_headlen(skb);
+ }
+
++static inline int bpf_prog_run_data_pointers(
++ const struct bpf_prog *prog,
++ struct sk_buff *skb)
++{
++ struct bpf_skb_data_end *cb = (struct bpf_skb_data_end *)skb->cb;
++ void *save_data_meta, *save_data_end;
++ int res;
++
++ save_data_meta = cb->data_meta;
++ save_data_end = cb->data_end;
++
++ bpf_compute_data_pointers(skb);
++ res = bpf_prog_run(prog, skb);
++
++ cb->data_meta = save_data_meta;
++ cb->data_end = save_data_end;
++
++ return res;
++}
++
+ /* Similar to bpf_compute_data_pointers(), except that save orginal
+ * data in cb->data and cb->meta_data for restore.
+ */
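Review bot: bpf_prog_run_data_pointers() is added without a comment saying why `cb->data_meta` and `cb->data_end` are saved and restored, although the helper right after it is documented. The reason is stated only in the commit message: in the tc path the same `skb->cb` bytes hold net_sched's `struct tc_skb_cb`, so leaving BPF pointers there corrupts fields such as `drop_reason`. I would add above the function `/* Run prog with data_meta/data_end set up, then restore the skb->cb bytes they overlay (struct tc_skb_cb in the tc path, e.g. drop_reason). */`. It may also be worth noting there that the overlaid fields presumably hold pointer values for the duration of the run, so code reached from the program should not read them. The helper documented by the trailing comment starts outside this hunk.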
+diff --git a/net/sched/act_bpf.c b/net/sched/act_bpf.c
+index ac87fcff4795e..a1c0e8a9fc8c2 100644
+--- a/net/sched/act_bpf.c
++++ b/net/sched/act_bpf.c
+@@ -47,12 +47,10 @@ TC_INDIRECT_SCOPE int tcf_bpf_act(struct sk_buff *skb,
+ filter = rcu_dereference(prog->filter);
+ if (at_ingress) {
+ __skb_push(skb, skb->mac_len);
+- bpf_compute_data_pointers(skb);
+- filter_res = bpf_prog_run(filter, skb);
++ filter_res = bpf_prog_run_data_pointers(filter, skb);
+ __skb_pull(skb, skb->mac_len);
+ } else {
+- bpf_compute_data_pointers(skb);
+- filter_res = bpf_prog_run(filter, skb);
++ filter_res = bpf_prog_run_data_pointers(filter, skb);
+ }
+ if (unlikely(!skb->tstamp && skb->tstamp_type))
+ skb->tstamp_type = SKB_CLOCK_REALTIME;
+diff --git a/net/sched/cls_bpf.c b/net/sched/cls_bpf.c
+index db7151c6b70b7..29dfe6767f108 100644
+--- a/net/sched/cls_bpf.c
++++ b/net/sched/cls_bpf.c
+@@ -97,12 +97,10 @@ TC_INDIRECT_SCOPE int cls_bpf_classify(struct sk_buff *skb,
+ } else if (at_ingress) {
+ /* It is safe to push/pull even if skb_shared() */
+ __skb_push(skb, skb->mac_len);
+- bpf_compute_data_pointers(skb);
+- filter_res = bpf_prog_run(prog->filter, skb);
++ filter_res = bpf_prog_run_data_pointers(prog->filter, skb);
+ __skb_pull(skb, skb->mac_len);
+ } else {
+- bpf_compute_data_pointers(skb);
+- filter_res = bpf_prog_run(prog->filter, skb);
++ filter_res = bpf_prog_run_data_pointers(prog->filter, skb);
+ }
+ if (unlikely(!skb->tstamp && skb->tstamp_type))
+ skb->tstamp_type = SKB_CLOCK_REALTIME;
+--
+2.51.0
+
--- /dev/null
+From 1bdf62bb3603c3e31ea66aaf9722bfb02d4bdf7b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Nov 2025 15:28:44 +0800
+Subject: irqchip/riscv-intc: Add missing free() callback in
+ riscv_intc_domain_ops
+
+From: Nick Hu <nick.hu@sifive.com>
+
+[ Upstream commit 14473a1f88596fd729e892782efc267c0097dd1d ]
+
+The irq_domain_free_irqs() helper requires that the irq_domain_ops->free
+callback is implemented. Otherwise, the kernel reports the warning message
+"NULL pointer, cannot free irq" when irq_dispose_mapping() is invoked to
+release the per-HART local interrupts.
+
+Set irq_domain_ops->free to irq_domain_free_irqs_top() to cure that.
+
+Fixes: 832f15f42646 ("RISC-V: Treat IPIs as normal Linux IRQs")
+Signed-off-by: Nick Hu <nick.hu@sifive.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://patch.msgid.link/20251114-rv-intc-fix-v1-1-a3edd1c1a868@sifive.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-riscv-intc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/irqchip/irq-riscv-intc.c b/drivers/irqchip/irq-riscv-intc.c
+index 627beae9649a2..84cb9cda365ad 100644
+--- a/drivers/irqchip/irq-riscv-intc.c
++++ b/drivers/irqchip/irq-riscv-intc.c
+@@ -149,7 +149,8 @@ static int riscv_intc_domain_alloc(struct irq_domain *domain,
+ static const struct irq_domain_ops riscv_intc_domain_ops = {
+ .map = riscv_intc_domain_map,
+ .xlate = irq_domain_xlate_onecell,
+- .alloc = riscv_intc_domain_alloc
++ .alloc = riscv_intc_domain_alloc,
++ .free = irq_domain_free_irqs_top,
+ };
+
+ static struct fwnode_handle *riscv_intc_hwnode(void)
+--
+2.51.0
+
acpi-numa-add-setting-of-generic-port-system-localit.patch
base-node-acpi-enumerate-node-access-class-for-struc.patch
acpi-hmat-fix-lockdep-warning-for-hmem_register_reso.patch
+bpf-add-bpf_prog_run_data_pointers.patch
+bpf-account-for-current-allocated-stack-depth-in-wid.patch
+irqchip-riscv-intc-add-missing-free-callback-in-risc.patch