From: Greg Kroah-Hartman Date: Wed, 17 Sep 2025 15:13:12 +0000 (+0200) Subject: 6.12-stable patches X-Git-Tag: v6.1.153~5 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=35b8437ff50eb4e1e0074872f6d2222594326ee0;p=thirdparty%2Fkernel%2Fstable-queue.git 6.12-stable patches added patches: netfilter-nft_set_pipapo-fix-null-deref-for-empty-set.patch x86-disable-image-size-check-for-test-builds.patch
---
diff --git a/queue-6.12/netfilter-nft_set_pipapo-fix-null-deref-for-empty-set.patch b/queue-6.12/netfilter-nft_set_pipapo-fix-null-deref-for-empty-set.patch
new file mode 100644
index 0000000000..546b96d85b
--- /dev/null
+++ b/queue-6.12/netfilter-nft_set_pipapo-fix-null-deref-for-empty-set.patch
@@ -0,0 +1,40 @@
+From 30c1d25b9870d551be42535067d5481668b5e6f3 Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Mon, 11 Aug 2025 12:26:10 +0200
+Subject: netfilter: nft_set_pipapo: fix null deref for empty set
+
+From: Florian Westphal
+
+commit 30c1d25b9870d551be42535067d5481668b5e6f3 upstream.
+
+Blamed commit broke the check for a null scratch map:
+ - if (unlikely(!m || !*raw_cpu_ptr(m->scratch)))
+ + if (unlikely(!raw_cpu_ptr(m->scratch)))
+
+This should have been "if (!*raw_ ...)".
+Use the pattern of the avx2 version which is more readable.
+
+This can only be reproduced if avx2 support isn't available.
+
+Fixes: d8d871a35ca9 ("netfilter: nft_set_pipapo: merge pipapo_get/lookup")
+Signed-off-by: Florian Westphal
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nft_set_pipapo.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/net/netfilter/nft_set_pipapo.c
++++ b/net/netfilter/nft_set_pipapo.c
+@@ -426,10 +426,9 @@ static struct nft_pipapo_elem *pipapo_ge
+
+ local_bh_disable();
+
+- if (unlikely(!raw_cpu_ptr(m->scratch)))
+- goto out;
+-
+ scratch = *raw_cpu_ptr(m->scratch);
++ if (unlikely(!scratch))
++ goto out;
+
+ map_index = scratch->map_index;
+
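Review bot: The restored guard tests only the loaded per-CPU pointer, whereas the pre-regression check quoted in the commit message also tested `!m`; `m->scratch` is now read unconditionally right after `local_bh_disable()`. Whether `m` can be NULL at this point depends on the callers, which are outside this hunk, so it is worth confirming for the 6.12 tree that every caller passes a valid match before the patch is queued. A one-line comment above the new test, e.g. `/* scratch map may be NULL for an empty set: check the loaded pointer, not its per-CPU address */`, would record why the check has to follow the load and make the earlier mistake harder to repeat. The function named in the hunk header (truncated to `pipapo_ge`) starts and ends outside the hunk.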
diff --git a/queue-6.12/series b/queue-6.12/series
index 7582ebf96a..aeb27052d6 100644
--- a/queue-6.12/series
+++ b/queue-6.12/series
@@ -138,3 +138,5 @@ x86-cpu-topology-always-try-cpu_parse_topology_ext-on-amd-hygon.patch
 net-mdiobus-release-reset_gpio-in-mdiobus_unregister_device.patch
 drm-i915-power-fix-size-for-for_each_set_bit-in-abox-iteration.patch
 drm-amdgpu-fix-a-memory-leak-in-fence-cleanup-when-unloading.patch
+netfilter-nft_set_pipapo-fix-null-deref-for-empty-set.patch
+x86-disable-image-size-check-for-test-builds.patch
diff --git a/queue-6.12/x86-disable-image-size-check-for-test-builds.patch b/queue-6.12/x86-disable-image-size-check-for-test-builds.patch
new file mode 100644
index 0000000000..bf313f7a6b
--- /dev/null
+++ b/queue-6.12/x86-disable-image-size-check-for-test-builds.patch
@@ -0,0 +1,66 @@
+From 00a241f528427b63c415a410293b86e66098888e Mon Sep 17 00:00:00 2001
+From: Guenter Roeck
+Date: Wed, 16 Apr 2025 18:09:50 -0700
+Subject: x86: disable image size check for test builds
+
+From: Guenter Roeck
+
+commit 00a241f528427b63c415a410293b86e66098888e upstream.
+
+64-bit allyesconfig builds fail with
+
+x86_64-linux-ld: kernel image bigger than KERNEL_IMAGE_SIZE
+
+Bisect points to commit 6f110a5e4f99 ("Disable SLUB_TINY for build
+testing") as the responsible commit. Reverting that patch does indeed fix
+the problem. Further analysis shows that disabling SLUB_TINY enables
+KASAN, and that KASAN is responsible for the image size increase.
+
+Solve the build problem by disabling the image size check for test
+builds.
+
+[akpm@linux-foundation.org: add comment, fix nearby typo (sink->sync)]
+[akpm@linux-foundation.org: fix comment snafu
+ Link: https://lore.kernel.org/oe-kbuild-all/202504191813.4r9H6Glt-lkp@intel.com/
+Link: https://lkml.kernel.org/r/20250417010950.2203847-1-linux@roeck-us.net
+Fixes: 6f110a5e4f99 ("Disable SLUB_TINY for build testing")
+Signed-off-by: Guenter Roeck
+Cc: Linus Torvalds
+Cc: Alexander Potapenko
+Cc: Andrey Konovalov
+Cc: Andrey Ryabinin
+Cc: Borislav Betkov
+Cc: Dmitriy Vyukov
+Cc: "H. Peter Anvin"
+Cc: Ingo Molnar
+Cc: Thomas Gleinxer
+Cc: Vincenzo Frascino
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kernel/vmlinux.lds.S | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/vmlinux.lds.S
++++ b/arch/x86/kernel/vmlinux.lds.S
+@@ -486,10 +486,18 @@ SECTIONS
+ }
+
+ /*
+- * The ASSERT() sink to . is intentional, for binutils 2.14 compatibility:
++ * COMPILE_TEST kernels can be large - CONFIG_KASAN, for example, can cause
++ * this. Let's assume that nobody will be running a COMPILE_TEST kernel and
++ * let's assert that fuller build coverage is more valuable than being able to
++ * run a COMPILE_TEST kernel.
++ */
++#ifndef CONFIG_COMPILE_TEST
++/*
++ * The ASSERT() sync to . is intentional, for binutils 2.14 compatibility:
+ */
+ . = ASSERT((_end - LOAD_OFFSET <= KERNEL_IMAGE_SIZE),
+ "kernel image bigger than KERNEL_IMAGE_SIZE");
++#endif
+
+ /* needed for Clang - see arch/x86/entry/entry.S */
+ PROVIDE(__ref_stack_chk_guard = __stack_chk_guard);
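Review bot: With `#ifndef CONFIG_COMPILE_TEST` wrapped around the `ASSERT`, an image larger than `KERNEL_IMAGE_SIZE` now links without any diagnostic, and the only record that such a kernel is not meant to be run is the prose comment above the guard. Anything in this tree that boots COMPILE_TEST images (presumably rare, but nothing in the hunk rules it out) would then fail at boot rather than at link time, which is much harder to trace back to this check. Consider stating the consequence directly in the new comment, e.g. `* With COMPILE_TEST the size check is skipped, so the resulting image may exceed KERNEL_IMAGE_SIZE and may not boot.` The `SECTIONS` block starts and ends outside the hunk.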