From: Sasha Levin
Date: Sat, 6 Sep 2025 04:36:07 +0000 (-0400)
Subject: Fixes for all trees
X-Git-Tag: v5.4.299~59
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4c0eb32a8bbc06f7b0cbab11fba13d0098d8e8ed;p=thirdparty%2Fkernel%2Fstable-queue.git

Fixes for all trees

Signed-off-by: Sasha Levin
---
diff --git a/queue-5.10/ax25-properly-unshare-skbs-in-ax25_kiss_rcv.patch b/queue-5.10/ax25-properly-unshare-skbs-in-ax25_kiss_rcv.patch
new file mode 100644
index 0000000000..12d1fc7490
--- /dev/null
+++ b/queue-5.10/ax25-properly-unshare-skbs-in-ax25_kiss_rcv.patch
@@ -0,0 +1,59 @@ +From 92cac9cff4f9e43f481d03ace673524ab9ae0670 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Sep 2025 12:46:42 +0000 +Subject: ax25: properly unshare skbs in ax25_kiss_rcv() + +From: Eric Dumazet + +[ Upstream commit 8156210d36a43e76372312c87eb5ea3dbb405a85 ] + +Bernard Pidoux reported a regression apparently caused by commit +c353e8983e0d ("net: introduce per netns packet chains"). + +skb->dev becomes NULL and we crash in __netif_receive_skb_core(). + +Before above commit, different kind of bugs or corruptions could happen +without a major crash. + +But the root cause is that ax25_kiss_rcv() can queue/mangle input skb +without checking if this skb is shared or not. + +Many thanks to Bernard Pidoux for his help, diagnosis and tests. + +We had a similar issue years ago fixed with commit 7aaed57c5c28 +("phonet: properly unshare skbs in phonet_rcv()"). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Bernard Pidoux +Closes: https://lore.kernel.org/netdev/1713f383-c538-4918-bc64-13b3288cd542@free.fr/ +Tested-by: Bernard Pidoux +Signed-off-by: Eric Dumazet +Cc: Joerg Reuter +Cc: David Ranch +Cc: Folkert van Heusden +Reviewed-by: Dan Cross +Link: https://patch.msgid.link/20250902124642.212705-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ax25/ax25_in.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/ax25/ax25_in.c b/net/ax25/ax25_in.c +index cd6afe895db99..e43f92372cba5 100644 +--- a/net/ax25/ax25_in.c ++++ b/net/ax25/ax25_in.c +@@ -433,6 +433,10 @@ static int ax25_rcv(struct sk_buff *skb, struct net_device *dev, + int ax25_kiss_rcv(struct sk_buff *skb, struct net_device *dev, + struct packet_type *ptype, struct net_device *orig_dev) + { ++ skb = skb_share_check(skb, GFP_ATOMIC); ++ if (!skb) ++ return NET_RX_DROP; ++ + skb_orphan(skb); + + if (!net_eq(dev_net(dev), &init_net)) { +-- +2.50.1 + 
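Review bot: the new early return in ax25_kiss_rcv() hands back NET_RX_DROP without freeing anything, which is correct only because skb_share_check() itself drops the original skb when the clone attempt fails; a one-line comment above `if (!skb)` would stop the next reader from flagging it as a leak. The assignment back into the `skb` parameter (rather than a fresh local) is the right shape, since skb_share_check() may return a different buffer and everything from skb_orphan() onward must operate on that one; GFP_ATOMIC is appropriate for this receive-path context.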
diff --git a/queue-5.10/bluetooth-fix-use-after-free-in-l2cap_sock_cleanup_l.patch b/queue-5.10/bluetooth-fix-use-after-free-in-l2cap_sock_cleanup_l.patch
new file mode 100644
index 0000000000..4212a20183
--- /dev/null
+++ b/queue-5.10/bluetooth-fix-use-after-free-in-l2cap_sock_cleanup_l.patch
@@ -0,0 +1,171 @@ +From a82a2f4afd7cbed56263430dc47a80ffce805d39 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Aug 2025 20:40:14 +0000 +Subject: Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen() + +From: Kuniyuki Iwashima + +[ Upstream commit 862c628108562d8c7a516a900034823b381d3cba ] + +syzbot reported the splat below without a repro. + +In the splat, a single thread calling bt_accept_dequeue() freed sk +and touched it after that. + +The root cause would be the racy l2cap_sock_cleanup_listen() call +added by the cited commit. + +bt_accept_dequeue() is called under lock_sock() except for +l2cap_sock_release(). + +Two threads could see the same socket during the list iteration +in bt_accept_dequeue(): + + CPU1 CPU2 (close()) + ---- ---- + sock_hold(sk) sock_hold(sk); + lock_sock(sk) <-- block close() + sock_put(sk) + bt_accept_unlink(sk) + sock_put(sk) <-- refcnt by bt_accept_enqueue() + release_sock(sk) + lock_sock(sk) + sock_put(sk) + bt_accept_unlink(sk) + sock_put(sk) <-- last refcnt + bt_accept_unlink(sk) <-- UAF + +Depending on the timing, the other thread could show up in the +"Freed by task" part. + +Let's call l2cap_sock_cleanup_listen() under lock_sock() in +l2cap_sock_release(). 
+ +[0]: +BUG: KASAN: slab-use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline] +BUG: KASAN: slab-use-after-free in do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115 +Read of size 4 at addr ffff88803b7eb1c4 by task syz.5.3276/16995 +CPU: 3 UID: 0 PID: 16995 Comm: syz.5.3276 Not tainted syzkaller #0 PREEMPT(full) +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0xcd/0x630 mm/kasan/report.c:482 + kasan_report+0xe0/0x110 mm/kasan/report.c:595 + debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline] + do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115 + spin_lock_bh include/linux/spinlock.h:356 [inline] + release_sock+0x21/0x220 net/core/sock.c:3746 + bt_accept_dequeue+0x505/0x600 net/bluetooth/af_bluetooth.c:312 + l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451 + l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425 + __sock_release+0xb3/0x270 net/socket.c:649 + sock_close+0x1c/0x30 net/socket.c:1439 + __fput+0x3ff/0xb70 fs/file_table.c:468 + task_work_run+0x14d/0x240 kernel/task_work.c:227 + resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] + exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43 + exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline] + syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline] + syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline] + do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f2accf8ebe9 +Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff 
f7 d8 64 89 01 48 +RSP: 002b:00007ffdb6cb1378 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 +RAX: 0000000000000000 RBX: 00000000000426fb RCX: 00007f2accf8ebe9 +RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 +RBP: 00007f2acd1b7da0 R08: 0000000000000001 R09: 00000012b6cb166f +R10: 0000001b30e20000 R11: 0000000000000246 R12: 00007f2acd1b609c +R13: 00007f2acd1b6090 R14: ffffffffffffffff R15: 00007ffdb6cb1490 + + +Allocated by task 5326: + kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 + kasan_save_track+0x14/0x30 mm/kasan/common.c:68 + poison_kmalloc_redzone mm/kasan/common.c:388 [inline] + __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:405 + kasan_kmalloc include/linux/kasan.h:260 [inline] + __do_kmalloc_node mm/slub.c:4365 [inline] + __kmalloc_noprof+0x223/0x510 mm/slub.c:4377 + kmalloc_noprof include/linux/slab.h:909 [inline] + sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2239 + sk_alloc+0x36/0xc20 net/core/sock.c:2295 + bt_sock_alloc+0x3b/0x3a0 net/bluetooth/af_bluetooth.c:151 + l2cap_sock_alloc.constprop.0+0x33/0x1d0 net/bluetooth/l2cap_sock.c:1894 + l2cap_sock_new_connection_cb+0x101/0x240 net/bluetooth/l2cap_sock.c:1482 + l2cap_connect_cfm+0x4c4/0xf80 net/bluetooth/l2cap_core.c:7287 + hci_connect_cfm include/net/bluetooth/hci_core.h:2050 [inline] + hci_remote_features_evt+0x4dd/0x970 net/bluetooth/hci_event.c:3712 + hci_event_func net/bluetooth/hci_event.c:7519 [inline] + hci_event_packet+0xa0d/0x11c0 net/bluetooth/hci_event.c:7573 + hci_rx_work+0x2c5/0x16b0 net/bluetooth/hci_core.c:4071 + process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236 + process_scheduled_works kernel/workqueue.c:3319 [inline] + worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400 + kthread+0x3c2/0x780 kernel/kthread.c:463 + ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 + +Freed by task 16995: + kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 + kasan_save_track+0x14/0x30 mm/kasan/common.c:68 + 
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576 + poison_slab_object mm/kasan/common.c:243 [inline] + __kasan_slab_free+0x60/0x70 mm/kasan/common.c:275 + kasan_slab_free include/linux/kasan.h:233 [inline] + slab_free_hook mm/slub.c:2417 [inline] + slab_free mm/slub.c:4680 [inline] + kfree+0x2b4/0x4d0 mm/slub.c:4879 + sk_prot_free net/core/sock.c:2278 [inline] + __sk_destruct+0x75f/0x9a0 net/core/sock.c:2373 + sk_destruct+0xc2/0xf0 net/core/sock.c:2401 + __sk_free+0xf4/0x3e0 net/core/sock.c:2412 + sk_free+0x6a/0x90 net/core/sock.c:2423 + sock_put include/net/sock.h:1960 [inline] + bt_accept_unlink+0x245/0x2e0 net/bluetooth/af_bluetooth.c:262 + bt_accept_dequeue+0x517/0x600 net/bluetooth/af_bluetooth.c:308 + l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451 + l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425 + __sock_release+0xb3/0x270 net/socket.c:649 + sock_close+0x1c/0x30 net/socket.c:1439 + __fput+0x3ff/0xb70 fs/file_table.c:468 + task_work_run+0x14d/0x240 kernel/task_work.c:227 + resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] + exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43 + exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline] + syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline] + syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline] + do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: 1728137b33c0 ("Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb") +Reported-by: syzbot+e5e64cdf8e92046dd3e1@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/linux-bluetooth/68af6b9d.a70a0220.3cafd4.0032.GAE@google.com/ +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_sock.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c +index 
7d7f4ba60a208..5465b537f0e72 100644 +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -1404,7 +1404,10 @@ static int l2cap_sock_release(struct socket *sock) + if (!sk) + return 0; + ++ lock_sock_nested(sk, L2CAP_NESTING_PARENT); + l2cap_sock_cleanup_listen(sk); ++ release_sock(sk); ++ + bt_sock_unlink(&l2cap_sk_list, sk); + + err = l2cap_sock_shutdown(sock, SHUT_RDWR); +-- +2.50.1 + diff --git a/queue-5.10/i40e-fix-potential-invalid-access-when-mac-list-is-e.patch b/queue-5.10/i40e-fix-potential-invalid-access-when-mac-list-is-e.patch new file mode 100644 index 0000000000..9a9614e80d --- /dev/null +++ b/queue-5.10/i40e-fix-potential-invalid-access-when-mac-list-is-e.patch 
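Review bot: in the l2cap_sock_release() hunk the lock is taken with lock_sock_nested(sk, L2CAP_NESTING_PARENT) rather than plain lock_sock(), and that choice is unexplained in the code; it is required because l2cap_sock_cleanup_listen() walks the accept queue through bt_accept_dequeue(), which (per the changelog and the release_sock() frame in the splat) locks each child while the parent is now held, so a non-nested lock would trip lockdep. A short comment on that line would make the nesting class self-documenting. Releasing the parent lock before bt_sock_unlink() and l2cap_sock_shutdown() keeps the critical section to the one racy call the changelog identifies, which looks right; the stable reviewer should just confirm that L2CAP_NESTING_PARENT and the l2cap_sock_cleanup_listen() call site (from the cited 1728137b33c0 backport) are both present in the 5.10 tree, which the unchanged context lines suggest they are.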
@@ -0,0 +1,42 @@ +From a768a6b0c98f698524ab04d3f9a394e035dba9d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Aug 2025 19:56:31 +0800 +Subject: i40e: Fix potential invalid access when MAC list is empty + +From: Zhen Ni + +[ Upstream commit a556f06338e1d5a85af0e32ecb46e365547f92b9 ] + +list_first_entry() never returns NULL - if the list is empty, it still +returns a pointer to an invalid object, leading to potential invalid +memory access when dereferenced. + +Fix this by using list_first_entry_or_null instead of list_first_entry. + +Fixes: e3219ce6a775 ("i40e: Add support for client interface for IWARP driver") +Signed-off-by: Zhen Ni +Reviewed-by: Paul Menzel +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_client.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_client.c b/drivers/net/ethernet/intel/i40e/i40e_client.c +index b3cb5d1033260..af65321a68886 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_client.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_client.c +@@ -318,8 +318,8 @@ static void i40e_client_add_instance(struct i40e_pf *pf) + return; + } + +- mac = list_first_entry(&cdev->lan_info.netdev->dev_addrs.list, +- struct netdev_hw_addr, list); ++ mac = list_first_entry_or_null(&cdev->lan_info.netdev->dev_addrs.list, ++ struct netdev_hw_addr, list); + if (mac) + ether_addr_copy(cdev->lan_info.lanmac, mac->addr); + else +-- +2.50.1 + diff --git a/queue-5.10/icmp-fix-icmp_ndo_send-address-translation-for-reply.patch b/queue-5.10/icmp-fix-icmp_ndo_send-address-translation-for-reply.patch new file mode 100644 index 0000000000..ef4cc9e5f0 --- /dev/null +++ b/queue-5.10/icmp-fix-icmp_ndo_send-address-translation-for-reply.patch 
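Review bot: for the i40e_client_add_instance() hunk, switching to list_first_entry_or_null() makes the `else` branch after `if (mac)` reachable for the first time (list_first_entry() could never yield NULL, so that check was dead code), but the hunk is cut off before the else body, so the reviewer should confirm that path leaves cdev->lan_info.lanmac in a state the IWARP client tolerates rather than silently continuing with an unset address. The change itself is the standard idiom and the continuation-line indentation is correct.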
@@ -0,0 +1,110 @@ +From 23d966897a24bce4466654a9b6ecd07b02fa7ae8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Aug 2025 11:14:35 +0200 +Subject: icmp: fix icmp_ndo_send address translation for reply direction +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Fabian Bläse + +[ Upstream commit c6dd1aa2cbb72b33e0569f3e71d95792beab5042 ] + +The icmp_ndo_send function was originally introduced to ensure proper +rate limiting when icmp_send is called by a network device driver, +where the packet's source address may have already been transformed +by SNAT. + +However, the original implementation only considers the +IP_CT_DIR_ORIGINAL direction for SNAT and always replaced the packet's +source address with that of the original-direction tuple. This causes +two problems: + +1. For SNAT: + Reply-direction packets were incorrectly translated using the source + address of the CT original direction, even though no translation is + required. + +2. For DNAT: + Reply-direction packets were not handled at all. In DNAT, the original + direction's destination is translated. Therefore, in the reply + direction the source address must be set to the reply-direction + source, so rate limiting works as intended. + +Fix this by using the connection direction to select the correct tuple +for source address translation, and adjust the pre-checks to handle +reply-direction packets in case of DNAT. + +Additionally, wrap the `ct->status` access in READ_ONCE(). This avoids +possible KCSAN reports about concurrent updates to `ct->status`. + +Fixes: 0b41713b6066 ("icmp: introduce helper for nat'd source address in network device context") +Signed-off-by: Fabian Bläse +Cc: Jason A. 
Donenfeld +Reviewed-by: Florian Westphal +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/icmp.c | 6 ++++-- + net/ipv6/ip6_icmp.c | 6 ++++-- + 2 files changed, 8 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c +index 0bbc047e8f6e1..efeeed4f0517e 100644 +--- a/net/ipv4/icmp.c ++++ b/net/ipv4/icmp.c +@@ -791,11 +791,12 @@ void icmp_ndo_send(struct sk_buff *skb_in, int type, int code, __be32 info) + struct sk_buff *cloned_skb = NULL; + struct ip_options opts = { 0 }; + enum ip_conntrack_info ctinfo; ++ enum ip_conntrack_dir dir; + struct nf_conn *ct; + __be32 orig_ip; + + ct = nf_ct_get(skb_in, &ctinfo); +- if (!ct || !(ct->status & IPS_SRC_NAT)) { ++ if (!ct || !(READ_ONCE(ct->status) & IPS_NAT_MASK)) { + __icmp_send(skb_in, type, code, info, &opts); + return; + } +@@ -810,7 +811,8 @@ void icmp_ndo_send(struct sk_buff *skb_in, int type, int code, __be32 info) + goto out; + + orig_ip = ip_hdr(skb_in)->saddr; +- ip_hdr(skb_in)->saddr = ct->tuplehash[0].tuple.src.u3.ip; ++ dir = CTINFO2DIR(ctinfo); ++ ip_hdr(skb_in)->saddr = ct->tuplehash[dir].tuple.src.u3.ip; + __icmp_send(skb_in, type, code, info, &opts); + ip_hdr(skb_in)->saddr = orig_ip; + out: +diff --git a/net/ipv6/ip6_icmp.c b/net/ipv6/ip6_icmp.c +index 9e3574880cb03..233914b63bdb8 100644 +--- a/net/ipv6/ip6_icmp.c ++++ b/net/ipv6/ip6_icmp.c +@@ -54,11 +54,12 @@ void icmpv6_ndo_send(struct sk_buff *skb_in, u8 type, u8 code, __u32 info) + struct inet6_skb_parm parm = { 0 }; + struct sk_buff *cloned_skb = NULL; + enum ip_conntrack_info ctinfo; ++ enum ip_conntrack_dir dir; + struct in6_addr orig_ip; + struct nf_conn *ct; + + ct = nf_ct_get(skb_in, &ctinfo); +- if (!ct || !(ct->status & IPS_SRC_NAT)) { ++ if (!ct || !(READ_ONCE(ct->status) & IPS_NAT_MASK)) { + __icmpv6_send(skb_in, type, code, info, &parm); + return; + } +@@ -73,7 +74,8 @@ void icmpv6_ndo_send(struct sk_buff *skb_in, u8 type, u8 code, __u32 info) + goto out; + + orig_ip = 
ipv6_hdr(skb_in)->saddr; +- ipv6_hdr(skb_in)->saddr = ct->tuplehash[0].tuple.src.u3.in6; ++ dir = CTINFO2DIR(ctinfo); ++ ipv6_hdr(skb_in)->saddr = ct->tuplehash[dir].tuple.src.u3.in6; + __icmpv6_send(skb_in, type, code, info, &parm); + ipv6_hdr(skb_in)->saddr = orig_ip; + out: +-- +2.50.1 + diff --git a/queue-5.10/ipv4-fix-null-vs-error-pointer-check-in-inet_blackho.patch b/queue-5.10/ipv4-fix-null-vs-error-pointer-check-in-inet_blackho.patch new file mode 100644 index 0000000000..3f6d06f184 --- /dev/null +++ b/queue-5.10/ipv4-fix-null-vs-error-pointer-check-in-inet_blackho.patch @@ -0,0 +1,48 @@ +From c3f56c54369b995cd5eff946a5261e5d22c10506 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Sep 2025 09:36:08 +0300 +Subject: ipv4: Fix NULL vs error pointer check in inet_blackhole_dev_init() + +From: Dan Carpenter + +[ Upstream commit a51160f8da850a65afbf165f5bbac7ffb388bf74 ] + +The inetdev_init() function never returns NULL. Check for error +pointers instead. + +Fixes: 22600596b675 ("ipv4: give an IPv4 dev to blackhole_netdev") +Signed-off-by: Dan Carpenter +Reviewed-by: Simon Horman +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/aLaQWL9NguWmeM1i@stanley.mountain +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/devinet.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c +index 2dc94109fc0ea..bf85978145197 100644 +--- a/net/ipv4/devinet.c ++++ b/net/ipv4/devinet.c +@@ -332,14 +332,13 @@ static void inetdev_destroy(struct in_device *in_dev) + + static int __init inet_blackhole_dev_init(void) + { +- int err = 0; ++ struct in_device *in_dev; + + rtnl_lock(); +- if (!inetdev_init(blackhole_netdev)) +- err = -ENOMEM; ++ in_dev = inetdev_init(blackhole_netdev); + rtnl_unlock(); + +- return err; ++ return PTR_ERR_OR_ZERO(in_dev); + } + late_initcall(inet_blackhole_dev_init); + +-- +2.50.1 + 
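Review bot: for the icmp_ndo_send()/icmpv6_ndo_send() hunks, widening the pre-check from IPS_SRC_NAT to IPS_NAT_MASK is what lets DNAT reply-direction packets reach the rewrite, but it also admits the two cases where the source is not translated at all (SNAT seen in the reply direction, DNAT seen in the original direction): there ct->tuplehash[dir].tuple.src already equals the address in the header, so the rewrite is a no-op and the packet merely takes the slower cloned_skb path instead of going straight to __icmp_send()/__icmpv6_send(). Harmless, but a direction-aware check (IPS_SRC_NAT with IP_CT_DIR_ORIGINAL, IPS_DST_NAT with IP_CT_DIR_REPLY) would keep the fast path for those, and a comment stating that tuplehash[dir].tuple.src is the pre-NAT source for a packet travelling in direction `dir` would help, since the old tuplehash[0] at least read as "the original tuple". The IPv4 and IPv6 hunks are symmetrical, which is good.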
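Review bot: in the inet_blackhole_dev_init() hunk, PTR_ERR_OR_ZERO(in_dev) maps a NULL return to success, so the fix rests entirely on the changelog's statement that inetdev_init() never returns NULL; if that contract ever changes the initcall would report success with no in_device attached to blackhole_netdev, which is exactly the (misdiagnosed) condition the old code was trying to guard. A comment on the call such as `/* inetdev_init() returns ERR_PTR(), never NULL */` would document the contract in place. Keeping the typed `in_dev` local rather than wrapping the call inline inside the rtnl section is the clearer choice.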
diff --git a/queue-5.10/misdn-fix-memory-leak-in-dsp_hwec_enable.patch b/queue-5.10/misdn-fix-memory-leak-in-dsp_hwec_enable.patch new file mode 100644 index 0000000000..f9560f4cb1 --- /dev/null +++ b/queue-5.10/misdn-fix-memory-leak-in-dsp_hwec_enable.patch @@ -0,0 +1,53 @@ +From 41c92c8cd2db71fd24f2b4fea3022ec3cf3cc839 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Aug 2025 16:14:57 +0800 +Subject: mISDN: Fix memory leak in dsp_hwec_enable() + +From: Miaoqian Lin + +[ Upstream commit 0704a3da7ce50f972e898bbda88d2692a22922d9 ] + +dsp_hwec_enable() allocates dup pointer by kstrdup(arg), +but then it updates dup variable by strsep(&dup, ","). +As a result when it calls kfree(dup), the dup variable may be +a modified pointer that no longer points to the original allocated +memory, causing a memory leak. + +The issue is the same pattern as fixed in commit c6a502c22999 +("mISDN: Fix memory leak in dsp_pipeline_build()"). + +Fixes: 9a4381618262 ("mISDN: Remove VLAs") +Signed-off-by: Miaoqian Lin +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250828081457.36061-1-linmq006@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/isdn/mISDN/dsp_hwec.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/isdn/mISDN/dsp_hwec.c b/drivers/isdn/mISDN/dsp_hwec.c +index 0b3f29195330a..0cd216e28f009 100644 +--- a/drivers/isdn/mISDN/dsp_hwec.c ++++ b/drivers/isdn/mISDN/dsp_hwec.c +@@ -51,14 +51,14 @@ void dsp_hwec_enable(struct dsp *dsp, const char *arg) + goto _do; + + { +- char *dup, *tok, *name, *val; ++ char *dup, *next, *tok, *name, *val; + int tmp; + +- dup = kstrdup(arg, GFP_ATOMIC); ++ dup = next = kstrdup(arg, GFP_ATOMIC); + if (!dup) + return; + +- while ((tok = strsep(&dup, ","))) { ++ while ((tok = strsep(&next, ","))) { + if (!strlen(tok)) + continue; + name = strsep(&tok, "="); +-- +2.50.1 + 
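Review bot: the dsp_hwec_enable() hunk ends before the kfree() that the changelog says was leaking, so the diff as shown does not by itself prove the fix is complete: it only works if the eventual free is still `kfree(dup)` on the untouched head pointer and nothing later in the loop uses `dup` as a cursor. Worth confirming against the surrounding 5.10 context before applying. The `dup = next = kstrdup(arg, GFP_ATOMIC);` form mirrors the pattern from the referenced dsp_pipeline_build() fix, and the single `if (!dup) return;` check covers `next` as well since both hold the same value.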
diff --git a/queue-5.10/net-atm-fix-memory-leak-in-atm_register_sysfs-when-d.patch b/queue-5.10/net-atm-fix-memory-leak-in-atm_register_sysfs-when-d.patch
new file mode 100644
index 0000000000..83acdf5318
--- /dev/null
+++ b/queue-5.10/net-atm-fix-memory-leak-in-atm_register_sysfs-when-d.patch
@@ -0,0 +1,78 @@ +From bfe1dac2cbed3104c6471c61aaf2d88d8dd0d051 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Sep 2025 14:35:37 +0800 +Subject: net: atm: fix memory leak in atm_register_sysfs when device_register + fail + +From: Wang Liang + +[ Upstream commit 0a228624bcc00af41f281a2a84c928595a74c17d ] + +When device_register() return error in atm_register_sysfs(), which can be +triggered by kzalloc fail in device_private_init() or other reasons, +kmemleak reports the following memory leaks: + +unreferenced object 0xffff88810182fb80 (size 8): + comm "insmod", pid 504, jiffies 4294852464 + hex dump (first 8 bytes): + 61 64 75 6d 6d 79 30 00 adummy0. + backtrace (crc 14dfadaf): + __kmalloc_node_track_caller_noprof+0x335/0x450 + kvasprintf+0xb3/0x130 + kobject_set_name_vargs+0x45/0x120 + dev_set_name+0xa9/0xe0 + atm_register_sysfs+0xf3/0x220 + atm_dev_register+0x40b/0x780 + 0xffffffffa000b089 + do_one_initcall+0x89/0x300 + do_init_module+0x27b/0x7d0 + load_module+0x54cd/0x5ff0 + init_module_from_file+0xe4/0x150 + idempotent_init_module+0x32c/0x610 + __x64_sys_finit_module+0xbd/0x120 + do_syscall_64+0xa8/0x270 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +When device_create_file() return error in atm_register_sysfs(), the same +issue also can be triggered. + +Function put_device() should be called to release kobj->name memory and +other device resource, instead of kfree(). 
+ +Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array") +Signed-off-by: Wang Liang +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250901063537.1472221-1-wangliang74@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/atm/resources.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/atm/resources.c b/net/atm/resources.c +index fb8cf4cd6c1d7..932f7b383dba7 100644 +--- a/net/atm/resources.c ++++ b/net/atm/resources.c +@@ -114,7 +114,9 @@ struct atm_dev *atm_dev_register(const char *type, struct device *parent, + + if (atm_proc_dev_register(dev) < 0) { + pr_err("atm_proc_dev_register failed for dev %s\n", type); +- goto out_fail; ++ mutex_unlock(&atm_dev_mutex); ++ kfree(dev); ++ return NULL; + } + + if (atm_register_sysfs(dev, parent) < 0) { +@@ -130,7 +132,7 @@ struct atm_dev *atm_dev_register(const char *type, struct device *parent, + return dev; + + out_fail: +- kfree(dev); ++ put_device(&dev->class_dev); + dev = NULL; + goto out; + } +-- +2.50.1 + diff --git a/queue-5.10/net-ethernet-mtk_eth_soc-fix-tx-vlan-tag-for-llc-pac.patch b/queue-5.10/net-ethernet-mtk_eth_soc-fix-tx-vlan-tag-for-llc-pac.patch new file mode 100644 index 0000000000..1f208d7ffc --- /dev/null +++ b/queue-5.10/net-ethernet-mtk_eth_soc-fix-tx-vlan-tag-for-llc-pac.patch 
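Review bot: for the atm_dev_register() patch, the first hunk open-codes `mutex_unlock(&atm_dev_mutex); kfree(dev); return NULL;` at the atm_proc_dev_register() failure instead of jumping to out_fail; that is necessary because put_device() must not run before atm_register_sysfs() has initialised and named dev->class_dev (the kvasprintf/dev_set_name frames in the kmemleak trace show where that name is allocated), but nothing in the code says so, and a later cleanup is likely to re-merge the two paths. A one-line comment at the early return ("class_dev not registered yet, plain kfree is correct here") would prevent that. In the second hunk, `put_device(&dev->class_dev)` only frees the struct atm_dev if the class release callback performs the kfree; the changelog asserts this but the hunk cannot show it, so confirm the release callback in the 5.10 tree before relying on it. The trailing `dev = NULL; goto out;` is unchanged, so the function still returns NULL to its caller on this path.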
@@ -0,0 +1,55 @@ +From 2aa676bc11a39a1374890d99cda7e0d296e8ce30 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Aug 2025 20:20:07 +0200 +Subject: net: ethernet: mtk_eth_soc: fix tx vlan tag for llc packets + +From: Felix Fietkau + +[ Upstream commit d4736737110ffa83d29f1c5d17b26113864205f6 ] + +When sending llc packets with vlan tx offload, the hardware fails to +actually add the tag. Deal with this by fixing it up in software. + +Fixes: 656e705243fd ("net-next: mediatek: add support for MT7623 ethernet") +Reported-by: Thibaut VARENE +Signed-off-by: Felix Fietkau +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250831182007.51619-1-nbd@nbd.name +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mediatek/mtk_eth_soc.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +index 011210e6842de..dc29403e4b733 100644 +--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c ++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +@@ -1178,6 +1178,13 @@ static netdev_tx_t mtk_start_xmit(struct sk_buff *skb, struct net_device *dev) + bool gso = false; + int tx_num; + ++ if (skb_vlan_tag_present(skb) && ++ !eth_proto_is_802_3(eth_hdr(skb)->h_proto)) { ++ skb = __vlan_hwaccel_push_inside(skb); ++ if (!skb) ++ goto dropped; ++ } ++ + /* normally we can rely on the stack not calling this more than once, + * however we have 2 queues running on the same ring so we need to lock + * the ring access +@@ -1223,8 +1230,9 @@ static netdev_tx_t mtk_start_xmit(struct sk_buff *skb, struct net_device *dev) + + drop: + spin_unlock(ð->page_lock); +- stats->tx_dropped++; + dev_kfree_skb_any(skb); ++dropped: ++ stats->tx_dropped++; + return NETDEV_TX_OK; + } + +-- +2.50.1 + 
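Review bot: in mtk_start_xmit(), the new `dropped:` label is reached from the first hunk before `spin_lock(&eth->page_lock)` is taken and without a dev_kfree_skb_any(), both of which are correct only because __vlan_hwaccel_push_inside() frees the skb itself on failure and the check runs before the lock; the fall-through from `drop:` into `dropped:` preserves tx_dropped accounting for the existing path. Two things to confirm that the hunk does not show: `stats` must already be assigned at its declaration (if it were set later in the body, the early jump would dereference an uninitialised pointer), and eth_hdr(skb)->h_proto assumes the MAC header is set on entry, which holds for frames from the stack but deserves a comment. Style nit: the `!eth_proto_is_802_3()` condition is selecting frames whose EtherType field is actually an 802.3 length (LLC), and only the subject line explains that the hardware fails to insert the tag for them; a short comment at the condition would make the intent obvious in the code.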
diff --git a/queue-5.10/net-thunder_bgx-add-a-missing-of_node_put.patch b/queue-5.10/net-thunder_bgx-add-a-missing-of_node_put.patch new file mode 100644 index 0000000000..4fb09b3ce0 --- /dev/null +++ b/queue-5.10/net-thunder_bgx-add-a-missing-of_node_put.patch @@ -0,0 +1,53 @@ +From 946adeac1656a740fdf27f291be08fb152f76dd1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Sep 2025 14:30:18 -0700 +Subject: net: thunder_bgx: add a missing of_node_put + +From: Rosen Penev + +[ Upstream commit 9d28f94912589f04ab51fbccaef287d4f40e0d1f ] + +phy_np needs to get freed, just like the other child nodes. + +Fixes: 5fc7cf179449 ("net: thunderx: Cleanup PHY probing code.") +Signed-off-by: Rosen Penev +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250901213018.47392-1-rosenp@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/cavium/thunder/thunder_bgx.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c +index 0a71909bb2ee5..f5dbe2f5af659 100644 +--- a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c ++++ b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c +@@ -1497,13 +1497,17 @@ static int bgx_init_of_phy(struct bgx *bgx) + * this cortina phy, for which there is no driver + * support, ignore it. + */ +- if (phy_np && +- !of_device_is_compatible(phy_np, "cortina,cs4223-slice")) { +- /* Wait until the phy drivers are available */ +- pd = of_phy_find_device(phy_np); +- if (!pd) +- goto defer; +- bgx->lmac[lmac].phydev = pd; ++ if (phy_np) { ++ if (!of_device_is_compatible(phy_np, "cortina,cs4223-slice")) { ++ /* Wait until the phy drivers are available */ ++ pd = of_phy_find_device(phy_np); ++ if (!pd) { ++ of_node_put(phy_np); ++ goto defer; ++ } ++ bgx->lmac[lmac].phydev = pd; ++ } ++ of_node_put(phy_np); + } + + lmac++; +-- +2.50.1 + 
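Review bot: in the bgx_init_of_phy() hunk, of_node_put() tolerates a NULL argument, so the extra nesting level and the duplicated of_node_put(phy_np) on the defer path could be avoided by keeping the original single `if (phy_np && !of_device_is_compatible(...))` condition, putting phy_np on the defer exit, and dropping the reference once unconditionally after the block; the nested form chosen here is correct, just deeper than it needs to be. One behavioural change worth stating in the changelog: the "cortina,cs4223-slice" branch previously skipped straight to lmac++ and leaked phy_np too, and now releases it, which is a fix in its own right rather than cleanup.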
diff --git a/queue-5.10/net-thunder_bgx-decrement-cleanup-index-before-use.patch b/queue-5.10/net-thunder_bgx-decrement-cleanup-index-before-use.patch new file mode 100644 index 0000000000..82f9ff1a3e --- /dev/null +++ b/queue-5.10/net-thunder_bgx-decrement-cleanup-index-before-use.patch @@ -0,0 +1,44 @@ +From b36fd26a00a58b0d81cb7d74bf2076dc4284d18f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Sep 2025 14:33:14 -0700 +Subject: net: thunder_bgx: decrement cleanup index before use + +From: Rosen Penev + +[ Upstream commit 9e3d71a92e561ccc77025689dab25d201fee7a3e ] + +All paths in probe that call goto defer do so before assigning phydev +and thus it makes sense to cleanup the prior index. It also fixes a bug +where index 0 does not get cleaned up. + +Fixes: b7d3e3d3d21a ("net: thunderx: Don't leak phy device references on -EPROBE_DEFER condition.") +Signed-off-by: Rosen Penev +Reviewed-by: Vadim Fedorenko +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250901213314.48599-1-rosenp@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c +index f5dbe2f5af659..daabd851dae87 100644 +--- a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c ++++ b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c +@@ -1523,11 +1523,11 @@ static int bgx_init_of_phy(struct bgx *bgx) + * for phy devices we may have already found. + */ + while (lmac) { ++ lmac--; + if (bgx->lmac[lmac].phydev) { + put_device(&bgx->lmac[lmac].phydev->mdio.dev); + bgx->lmac[lmac].phydev = NULL; + } +- lmac--; + } + of_node_put(node); + return -EPROBE_DEFER; +-- +2.50.1 + 
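Review bot: with `lmac--` moved ahead of the check, the loop now releases indexes lmac-1 down to 0 and never touches index `lmac` itself, which matches the changelog's claim that every `goto defer` happens before bgx->lmac[lmac].phydev is assigned; if a future defer path is added after that assignment it will leak silently, so a comment at the `defer:` label stating that invariant would be cheap insurance. Also note the `index f5dbe2f5af659..daabd851dae87` line: the pre-image is the post-image of net-thunder_bgx-add-a-missing-of_node_put.patch, so the two must be applied in the order listed in queue-5.10/series (they are).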
diff --git a/queue-5.10/netfilter-conntrack-helper-replace-eexist-by-ebusy.patch b/queue-5.10/netfilter-conntrack-helper-replace-eexist-by-ebusy.patch new file mode 100644 index 0000000000..d7831b53df --- /dev/null +++ b/queue-5.10/netfilter-conntrack-helper-replace-eexist-by-ebusy.patch @@ -0,0 +1,50 @@ +From f682507ec8d4ac9b36fd73b2e521899adda5ed54 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Aug 2025 13:22:20 +0200 +Subject: netfilter: conntrack: helper: Replace -EEXIST by -EBUSY + +From: Phil Sutter + +[ Upstream commit 54416fd76770bd04fc3c501810e8d673550bab26 ] + +The helper registration return value is passed-through by module_init +callbacks which modprobe confuses with the harmless -EEXIST returned +when trying to load an already loaded module. + +Make sure modprobe fails so users notice their helper has not been +registered and won't work. + +Suggested-by: Christophe Leroy +Fixes: 12f7a505331e ("netfilter: add user-space connection tracking helper infrastructure") +Signed-off-by: Phil Sutter +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_helper.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c +index 32cc91f5ba99f..89174c91053ed 100644 +--- a/net/netfilter/nf_conntrack_helper.c ++++ b/net/netfilter/nf_conntrack_helper.c +@@ -417,7 +417,7 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me) + (cur->tuple.src.l3num == NFPROTO_UNSPEC || + cur->tuple.src.l3num == me->tuple.src.l3num) && + cur->tuple.dst.protonum == me->tuple.dst.protonum) { +- ret = -EEXIST; ++ ret = -EBUSY; + goto out; + } + } +@@ -428,7 +428,7 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me) + hlist_for_each_entry(cur, &nf_ct_helper_hash[h], hnode) { + if (nf_ct_tuple_src_mask_cmp(&cur->tuple, &me->tuple, + &mask)) { +- ret = -EEXIST; ++ ret = -EBUSY; + goto out; + } + } +-- +2.50.1 + 
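Review bot: switching both collision cases in nf_conntrack_helper_register() from -EEXIST to -EBUSY addresses the modprobe confusion described, but the same return value is also surfaced to userspace when a helper is registered through nfnetlink_cthelper (the infrastructure named in the Fixes tag), so any tooling that keyed on EEXIST for "helper already registered" will now see EBUSY; the changelog should say so, and the nfnetlink path should be checked to confirm it does not map the code itself. No concern with the hunks: both `ret = -EEXIST;` sites are changed consistently and no other error paths are touched.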
diff --git a/queue-5.10/ppp-fix-memory-leak-in-pad_compress_skb.patch b/queue-5.10/ppp-fix-memory-leak-in-pad_compress_skb.patch
new file mode 100644
index 0000000000..a05af62e0f
--- /dev/null
+++ b/queue-5.10/ppp-fix-memory-leak-in-pad_compress_skb.patch
@@ -0,0 +1,66 @@ +From 4a144f1e0c5e06eae086f5559dccfa402292ef4f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Sep 2025 18:07:26 +0800 +Subject: ppp: fix memory leak in pad_compress_skb + +From: Qingfang Deng + +[ Upstream commit 4844123fe0b853a4982c02666cb3fd863d701d50 ] + +If alloc_skb() fails in pad_compress_skb(), it returns NULL without +releasing the old skb. The caller does: + + skb = pad_compress_skb(ppp, skb); + if (!skb) + goto drop; + +drop: + kfree_skb(skb); + +When pad_compress_skb() returns NULL, the reference to the old skb is +lost and kfree_skb(skb) ends up doing nothing, leading to a memory leak. + +Align pad_compress_skb() semantics with realloc(): only free the old +skb if allocation and compression succeed. At the call site, use the +new_skb variable so the original skb is not lost when pad_compress_skb() +fails. + +Fixes: b3f9b92a6ec1 ("[PPP]: add PPP MPPE encryption module") +Signed-off-by: Qingfang Deng +Reviewed-by: Eric Dumazet +Reviewed-by: Yue Haibing +Link: https://patch.msgid.link/20250903100726.269839-1-dqfext@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ppp/ppp_generic.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c +index d9d1f3519f0a7..b2b5a994dd0ee 100644 +--- a/drivers/net/ppp/ppp_generic.c ++++ b/drivers/net/ppp/ppp_generic.c +@@ -1616,7 +1616,6 @@ pad_compress_skb(struct ppp *ppp, struct sk_buff *skb) + */ + if (net_ratelimit()) + netdev_err(ppp->dev, "ppp: compressor dropped pkt\n"); +- kfree_skb(skb); + consume_skb(new_skb); + new_skb = NULL; + } +@@ -1718,9 +1717,10 @@ ppp_send_frame(struct ppp *ppp, struct sk_buff *skb) + "down - pkt dropped.\n"); + goto drop; + } +- skb = pad_compress_skb(ppp, skb); +- if (!skb) ++ new_skb = pad_compress_skb(ppp, skb); ++ if (!new_skb) + goto drop; ++ skb = new_skb; + } + + /* +-- +2.50.1 + 
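Review bot: the first pad_compress_skb() hunk removes kfree_skb(skb) only from the "compressor dropped pkt" branch; the alloc_skb() failure the changelog describes (returning NULL without touching the old skb) was already leak-free on the callee side and is repaired purely by the caller change, which is fine but worth saying explicitly. What the hunk does not show is the success path: the new contract ("free the old skb only if allocation and compression succeed") requires that pad_compress_skb() still consume the original skb after a successful compress, and the reviewer should confirm that free is present, otherwise the success path now leaks instead. At the call site in ppp_send_frame(), `new_skb` is used without a declaration in this hunk, so the backport relies on the function already having a `struct sk_buff *new_skb` in scope (presumably the one used by the other compression path earlier in the function); if the 5.10 version lacks it the patch will not build.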
diff --git a/queue-5.10/series b/queue-5.10/series index 3457b2512c..7b055e151c 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -1,3 +1,19 @@ drm-amd-display-don-t-warn-when-missing-dce-encoder-.patch tee-fix-null-pointer-dereference-in-tee_shm_put.patch arm64-dts-rockchip-add-vcc-supply-to-spi-flash-on-rk.patch +wifi-cfg80211-fix-use-after-free-in-cmp_bss.patch +netfilter-conntrack-helper-replace-eexist-by-ebusy.patch +bluetooth-fix-use-after-free-in-l2cap_sock_cleanup_l.patch +xirc2ps_cs-fix-register-access-when-enabling-fulldup.patch +misdn-fix-memory-leak-in-dsp_hwec_enable.patch +icmp-fix-icmp_ndo_send-address-translation-for-reply.patch +i40e-fix-potential-invalid-access-when-mac-list-is-e.patch +net-ethernet-mtk_eth_soc-fix-tx-vlan-tag-for-llc-pac.patch +wifi-cw1200-cap-ssid-length-in-cw1200_do_join.patch +wifi-libertas-cap-ssid-len-in-lbs_associate.patch +net-thunder_bgx-add-a-missing-of_node_put.patch +net-thunder_bgx-decrement-cleanup-index-before-use.patch +ipv4-fix-null-vs-error-pointer-check-in-inet_blackho.patch +ax25-properly-unshare-skbs-in-ax25_kiss_rcv.patch +net-atm-fix-memory-leak-in-atm_register_sysfs-when-d.patch +ppp-fix-memory-leak-in-pad_compress_skb.patch diff --git a/queue-5.10/wifi-cfg80211-fix-use-after-free-in-cmp_bss.patch b/queue-5.10/wifi-cfg80211-fix-use-after-free-in-cmp_bss.patch new file mode 100644 index 0000000000..81aebb73f2 --- /dev/null +++ b/queue-5.10/wifi-cfg80211-fix-use-after-free-in-cmp_bss.patch 
@@ -0,0 +1,43 @@ +From 93fdf736a1a378bd57a202348b1a9f2019287f4c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Aug 2025 16:52:36 +0300 +Subject: wifi: cfg80211: fix use-after-free in cmp_bss() + +From: Dmitry Antipov + +[ Upstream commit 26e84445f02ce6b2fe5f3e0e28ff7add77f35e08 ] + +Following bss_free() quirk introduced in commit 776b3580178f +("cfg80211: track hidden SSID networks properly"), adjust +cfg80211_update_known_bss() to free the last beacon frame +elements only if they're not shared via the corresponding +'hidden_beacon_bss' pointer. + +Reported-by: syzbot+30754ca335e6fb7e3092@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=30754ca335e6fb7e3092 +Fixes: 3ab8227d3e7d ("cfg80211: refactor cfg80211_bss_update") +Signed-off-by: Dmitry Antipov +Link: https://patch.msgid.link/20250813135236.799384-1-dmantipov@yandex.ru +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/scan.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/wireless/scan.c b/net/wireless/scan.c +index 670fcdbef95be..a09fb52910082 100644 +--- a/net/wireless/scan.c ++++ b/net/wireless/scan.c +@@ -1761,7 +1761,8 @@ cfg80211_update_known_bss(struct cfg80211_registered_device *rdev, + */ + + f = rcu_access_pointer(new->pub.beacon_ies); +- kfree_rcu((struct cfg80211_bss_ies *)f, rcu_head); ++ if (!new->pub.hidden_beacon_bss) ++ kfree_rcu((struct cfg80211_bss_ies *)f, rcu_head); + return false; + } + +-- +2.50.1 + diff --git a/queue-5.10/wifi-cw1200-cap-ssid-length-in-cw1200_do_join.patch b/queue-5.10/wifi-cw1200-cap-ssid-length-in-cw1200_do_join.patch new file mode 100644 index 0000000000..b183b2e202 --- /dev/null +++ b/queue-5.10/wifi-cw1200-cap-ssid-length-in-cw1200_do_join.patch 
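Review bot: in the net/wireless/scan.c hunk of the cfg80211 patch above, the guard `if (!new->pub.hidden_beacon_bss)` skips the kfree_rcu() of beacon_ies that are shared with the hidden BSS through hidden_beacon_bss, which is the stated root cause; but `f` is still fetched unconditionally and is unused on the skipped path, so either move the rcu_access_pointer() read inside the new branch or add a short comment saying the elements belong to the hidden BSS and are released by bss_free() instead. Note also that the subject names cmp_bss() (where the freed memory was read) while the change is in cfg80211_update_known_bss(); that matches the commit body but is worth remembering when matching this fix against later reports.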
@@ -0,0 +1,36 @@ +From 966f00f823b2b507bb05f2a8a9da9d83129aa32e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Aug 2025 15:48:28 +0300 +Subject: wifi: cw1200: cap SSID length in cw1200_do_join() + +From: Dan Carpenter + +[ Upstream commit f8f15f6742b8874e59c9c715d0af3474608310ad ] + +If the ssidie[1] length is more that 32 it leads to memory corruption. + +Fixes: a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets") +Signed-off-by: Dan Carpenter +Link: https://patch.msgid.link/e91fb43fcedc4893b604dfb973131661510901a7.1756456951.git.dan.carpenter@linaro.org +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/st/cw1200/sta.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/st/cw1200/sta.c b/drivers/net/wireless/st/cw1200/sta.c +index 236022d4ae2a3..0f2d1ec34cd82 100644 +--- a/drivers/net/wireless/st/cw1200/sta.c ++++ b/drivers/net/wireless/st/cw1200/sta.c +@@ -1289,7 +1289,7 @@ static void cw1200_do_join(struct cw1200_common *priv) + rcu_read_lock(); + ssidie = ieee80211_bss_get_ie(bss, WLAN_EID_SSID); + if (ssidie) { +- join.ssid_len = ssidie[1]; ++ join.ssid_len = min(ssidie[1], IEEE80211_MAX_SSID_LEN); + memcpy(join.ssid, &ssidie[2], join.ssid_len); + } + rcu_read_unlock(); +-- +2.50.1 + diff --git a/queue-5.10/wifi-libertas-cap-ssid-len-in-lbs_associate.patch b/queue-5.10/wifi-libertas-cap-ssid-len-in-lbs_associate.patch new file mode 100644 index 0000000000..c1e6ce63c8 --- /dev/null +++ b/queue-5.10/wifi-libertas-cap-ssid-len-in-lbs_associate.patch 
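Review bot: in the sta.c hunk of the cw1200 patch above, min(ssidie[1], IEEE80211_MAX_SSID_LEN) compares a u8 element against an int constant; the kernel's min() is type-strict and on older minmax.h falls back to the typeof-temporary form, so it builds, but min_t(u8, ssidie[1], IEEE80211_MAX_SSID_LEN) or an explicit `if (ssidie[1] > IEEE80211_MAX_SSID_LEN)` is clearer and behaves identically across the stable trees this is queued for. The cap silently truncates an oversized SSID IE into the fixed-size join.ssid buffer rather than refusing the join; that is the memory-safe choice, but a rate-limited warning would help operators notice a malformed or hostile beacon.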
@@ -0,0 +1,44 @@ +From 2bfc9633a793a79d036c4a76f3c35a08c13ade52 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Aug 2025 15:48:35 +0300 +Subject: wifi: libertas: cap SSID len in lbs_associate() + +From: Dan Carpenter + +[ Upstream commit c786794bd27b0d7a5fd9063695df83206009be59 ] + +If the ssid_eid[1] length is more that 32 it leads to memory corruption. + +Fixes: a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets") +Signed-off-by: Dan Carpenter +Link: https://patch.msgid.link/2a40f5ec7617144aef412034c12919a4927d90ad.1756456951.git.dan.carpenter@linaro.org +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/libertas/cfg.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/marvell/libertas/cfg.c b/drivers/net/wireless/marvell/libertas/cfg.c +index 4e3de684928bf..a659054c1bcd9 100644 +--- a/drivers/net/wireless/marvell/libertas/cfg.c ++++ b/drivers/net/wireless/marvell/libertas/cfg.c +@@ -1102,10 +1102,13 @@ static int lbs_associate(struct lbs_private *priv, + /* add SSID TLV */ + rcu_read_lock(); + ssid_eid = ieee80211_bss_get_ie(bss, WLAN_EID_SSID); +- if (ssid_eid) +- pos += lbs_add_ssid_tlv(pos, ssid_eid + 2, ssid_eid[1]); +- else ++ if (ssid_eid) { ++ u32 ssid_len = min(ssid_eid[1], IEEE80211_MAX_SSID_LEN); ++ ++ pos += lbs_add_ssid_tlv(pos, ssid_eid + 2, ssid_len); ++ } else { + lbs_deb_assoc("no SSID\n"); ++ } + rcu_read_unlock(); + + /* add DS param TLV */ +-- +2.50.1 + diff --git a/queue-5.10/xirc2ps_cs-fix-register-access-when-enabling-fulldup.patch b/queue-5.10/xirc2ps_cs-fix-register-access-when-enabling-fulldup.patch new file mode 100644 index 0000000000..2a084ed093 --- /dev/null +++ b/queue-5.10/xirc2ps_cs-fix-register-access-when-enabling-fulldup.patch 
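Review bot: the Fixes: tag in the libertas patch above points at a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets"), which is the cw1200 driver, not libertas; stable selection for this fix should be keyed on the libertas commit that introduced the unbounded ssid_eid[1] copy in lbs_associate(), otherwise the automatic backport range is wrong. In the cfg.c hunk, ssid_len is declared u32 although it is the result of min() over a u8 and an int constant; that is harmless, but a u8 local or min_t(u8, ...) would match the IE length type, and the same typing remark as for the cw1200 change applies.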
@@ -0,0 +1,44 @@ +From e4c76166434395824eb4aba0dc7718dfb0e73855 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Aug 2025 12:26:43 -0700 +Subject: xirc2ps_cs: fix register access when enabling FullDuplex + +From: Alok Tiwari + +[ Upstream commit b79e498080b170fd94fc83bca2471f450811549b ] + +The current code incorrectly passes (XIRCREG1_ECR | FullDuplex) as +the register address to GetByte(), instead of fetching the register +value and OR-ing it with FullDuplex. This results in an invalid +register access. + +Fix it by reading XIRCREG1_ECR first, then or-ing with FullDuplex +before writing it back. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Alok Tiwari +Reviewed-by: Simon Horman +Reviewed-by: Jacob Keller +Link: https://patch.msgid.link/20250827192645.658496-1-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/xircom/xirc2ps_cs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/xircom/xirc2ps_cs.c b/drivers/net/ethernet/xircom/xirc2ps_cs.c +index 56cef59c1c872..1dd297143ee08 100644 +--- a/drivers/net/ethernet/xircom/xirc2ps_cs.c ++++ b/drivers/net/ethernet/xircom/xirc2ps_cs.c +@@ -1584,7 +1584,7 @@ do_reset(struct net_device *dev, int full) + msleep(40); /* wait 40 msec to let it complete */ + } + if (full_duplex) +- PutByte(XIRCREG1_ECR, GetByte(XIRCREG1_ECR | FullDuplex)); ++ PutByte(XIRCREG1_ECR, GetByte(XIRCREG1_ECR) | FullDuplex); + } else { /* No MII */ + SelectPage(0); + value = GetByte(XIRCREG_ESR); /* read the ESR */ +-- +2.50.1 + diff --git a/queue-5.15/ax25-properly-unshare-skbs-in-ax25_kiss_rcv.patch b/queue-5.15/ax25-properly-unshare-skbs-in-ax25_kiss_rcv.patch new file mode 100644 index 0000000000..d4db1cc8ed --- /dev/null +++ b/queue-5.15/ax25-properly-unshare-skbs-in-ax25_kiss_rcv.patch 
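Review bot: the operator-precedence fix in the xirc2ps_cs.c hunk above is right (read XIRCREG1_ECR, then OR FullDuplex into the value before writing it back); what the hunk does not show is which register page is selected at this point. The else branch visibly starts with SelectPage(0), so confirm the MII branch has selected page 1 before this GetByte/PutByte pair, otherwise the corrected read-modify-write still targets the wrong register.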
@@ -0,0 +1,59 @@ +From 9f6ccc2b8d4e50d472c7a4bb4b50651b77935185 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Sep 2025 12:46:42 +0000 +Subject: ax25: properly unshare skbs in ax25_kiss_rcv() + +From: Eric Dumazet + +[ Upstream commit 8156210d36a43e76372312c87eb5ea3dbb405a85 ] + +Bernard Pidoux reported a regression apparently caused by commit +c353e8983e0d ("net: introduce per netns packet chains"). + +skb->dev becomes NULL and we crash in __netif_receive_skb_core(). + +Before above commit, different kind of bugs or corruptions could happen +without a major crash. + +But the root cause is that ax25_kiss_rcv() can queue/mangle input skb +without checking if this skb is shared or not. + +Many thanks to Bernard Pidoux for his help, diagnosis and tests. + +We had a similar issue years ago fixed with commit 7aaed57c5c28 +("phonet: properly unshare skbs in phonet_rcv()"). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Bernard Pidoux +Closes: https://lore.kernel.org/netdev/1713f383-c538-4918-bc64-13b3288cd542@free.fr/ +Tested-by: Bernard Pidoux +Signed-off-by: Eric Dumazet +Cc: Joerg Reuter +Cc: David Ranch +Cc: Folkert van Heusden +Reviewed-by: Dan Cross +Link: https://patch.msgid.link/20250902124642.212705-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ax25/ax25_in.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/ax25/ax25_in.c b/net/ax25/ax25_in.c +index cd6afe895db99..e43f92372cba5 100644 +--- a/net/ax25/ax25_in.c ++++ b/net/ax25/ax25_in.c +@@ -433,6 +433,10 @@ static int ax25_rcv(struct sk_buff *skb, struct net_device *dev, + int ax25_kiss_rcv(struct sk_buff *skb, struct net_device *dev, + struct packet_type *ptype, struct net_device *orig_dev) + { ++ skb = skb_share_check(skb, GFP_ATOMIC); ++ if (!skb) ++ return NET_RX_DROP; ++ + skb_orphan(skb); + + if (!net_eq(dev_net(dev), &init_net)) { +-- +2.50.1 + 
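Review bot: the ax25_in.c hunk above puts skb_share_check() before skb_orphan() and before the netns check, which is the right order since both the orphan and the later queueing modify the skb. Returning NET_RX_DROP without a kfree_skb() is correct only because skb_share_check() drops the original skb itself when the clone fails; a one-line comment saying so would stop a future reader from adding a double free here. GFP_ATOMIC is appropriate for a packet_type receive handler.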
diff --git a/queue-5.15/bluetooth-fix-use-after-free-in-l2cap_sock_cleanup_l.patch b/queue-5.15/bluetooth-fix-use-after-free-in-l2cap_sock_cleanup_l.patch new file mode 100644 index 0000000000..9d92db642a --- /dev/null +++ b/queue-5.15/bluetooth-fix-use-after-free-in-l2cap_sock_cleanup_l.patch 
@@ -0,0 +1,171 @@ +From 5948471309cc466590ca2bb074276d86491bf8d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Aug 2025 20:40:14 +0000 +Subject: Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen() + +From: Kuniyuki Iwashima + +[ Upstream commit 862c628108562d8c7a516a900034823b381d3cba ] + +syzbot reported the splat below without a repro. + +In the splat, a single thread calling bt_accept_dequeue() freed sk +and touched it after that. + +The root cause would be the racy l2cap_sock_cleanup_listen() call +added by the cited commit. + +bt_accept_dequeue() is called under lock_sock() except for +l2cap_sock_release(). + +Two threads could see the same socket during the list iteration +in bt_accept_dequeue(): + + CPU1 CPU2 (close()) + ---- ---- + sock_hold(sk) sock_hold(sk); + lock_sock(sk) <-- block close() + sock_put(sk) + bt_accept_unlink(sk) + sock_put(sk) <-- refcnt by bt_accept_enqueue() + release_sock(sk) + lock_sock(sk) + sock_put(sk) + bt_accept_unlink(sk) + sock_put(sk) <-- last refcnt + bt_accept_unlink(sk) <-- UAF + +Depending on the timing, the other thread could show up in the +"Freed by task" part. + +Let's call l2cap_sock_cleanup_listen() under lock_sock() in +l2cap_sock_release(). 
+ +[0]: +BUG: KASAN: slab-use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline] +BUG: KASAN: slab-use-after-free in do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115 +Read of size 4 at addr ffff88803b7eb1c4 by task syz.5.3276/16995 +CPU: 3 UID: 0 PID: 16995 Comm: syz.5.3276 Not tainted syzkaller #0 PREEMPT(full) +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0xcd/0x630 mm/kasan/report.c:482 + kasan_report+0xe0/0x110 mm/kasan/report.c:595 + debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline] + do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115 + spin_lock_bh include/linux/spinlock.h:356 [inline] + release_sock+0x21/0x220 net/core/sock.c:3746 + bt_accept_dequeue+0x505/0x600 net/bluetooth/af_bluetooth.c:312 + l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451 + l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425 + __sock_release+0xb3/0x270 net/socket.c:649 + sock_close+0x1c/0x30 net/socket.c:1439 + __fput+0x3ff/0xb70 fs/file_table.c:468 + task_work_run+0x14d/0x240 kernel/task_work.c:227 + resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] + exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43 + exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline] + syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline] + syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline] + do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f2accf8ebe9 +Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff 
f7 d8 64 89 01 48 +RSP: 002b:00007ffdb6cb1378 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 +RAX: 0000000000000000 RBX: 00000000000426fb RCX: 00007f2accf8ebe9 +RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 +RBP: 00007f2acd1b7da0 R08: 0000000000000001 R09: 00000012b6cb166f +R10: 0000001b30e20000 R11: 0000000000000246 R12: 00007f2acd1b609c +R13: 00007f2acd1b6090 R14: ffffffffffffffff R15: 00007ffdb6cb1490 + + +Allocated by task 5326: + kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 + kasan_save_track+0x14/0x30 mm/kasan/common.c:68 + poison_kmalloc_redzone mm/kasan/common.c:388 [inline] + __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:405 + kasan_kmalloc include/linux/kasan.h:260 [inline] + __do_kmalloc_node mm/slub.c:4365 [inline] + __kmalloc_noprof+0x223/0x510 mm/slub.c:4377 + kmalloc_noprof include/linux/slab.h:909 [inline] + sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2239 + sk_alloc+0x36/0xc20 net/core/sock.c:2295 + bt_sock_alloc+0x3b/0x3a0 net/bluetooth/af_bluetooth.c:151 + l2cap_sock_alloc.constprop.0+0x33/0x1d0 net/bluetooth/l2cap_sock.c:1894 + l2cap_sock_new_connection_cb+0x101/0x240 net/bluetooth/l2cap_sock.c:1482 + l2cap_connect_cfm+0x4c4/0xf80 net/bluetooth/l2cap_core.c:7287 + hci_connect_cfm include/net/bluetooth/hci_core.h:2050 [inline] + hci_remote_features_evt+0x4dd/0x970 net/bluetooth/hci_event.c:3712 + hci_event_func net/bluetooth/hci_event.c:7519 [inline] + hci_event_packet+0xa0d/0x11c0 net/bluetooth/hci_event.c:7573 + hci_rx_work+0x2c5/0x16b0 net/bluetooth/hci_core.c:4071 + process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236 + process_scheduled_works kernel/workqueue.c:3319 [inline] + worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400 + kthread+0x3c2/0x780 kernel/kthread.c:463 + ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 + +Freed by task 16995: + kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 + kasan_save_track+0x14/0x30 mm/kasan/common.c:68 + 
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576 + poison_slab_object mm/kasan/common.c:243 [inline] + __kasan_slab_free+0x60/0x70 mm/kasan/common.c:275 + kasan_slab_free include/linux/kasan.h:233 [inline] + slab_free_hook mm/slub.c:2417 [inline] + slab_free mm/slub.c:4680 [inline] + kfree+0x2b4/0x4d0 mm/slub.c:4879 + sk_prot_free net/core/sock.c:2278 [inline] + __sk_destruct+0x75f/0x9a0 net/core/sock.c:2373 + sk_destruct+0xc2/0xf0 net/core/sock.c:2401 + __sk_free+0xf4/0x3e0 net/core/sock.c:2412 + sk_free+0x6a/0x90 net/core/sock.c:2423 + sock_put include/net/sock.h:1960 [inline] + bt_accept_unlink+0x245/0x2e0 net/bluetooth/af_bluetooth.c:262 + bt_accept_dequeue+0x517/0x600 net/bluetooth/af_bluetooth.c:308 + l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451 + l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425 + __sock_release+0xb3/0x270 net/socket.c:649 + sock_close+0x1c/0x30 net/socket.c:1439 + __fput+0x3ff/0xb70 fs/file_table.c:468 + task_work_run+0x14d/0x240 kernel/task_work.c:227 + resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] + exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43 + exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline] + syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline] + syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline] + do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: 1728137b33c0 ("Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb") +Reported-by: syzbot+e5e64cdf8e92046dd3e1@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/linux-bluetooth/68af6b9d.a70a0220.3cafd4.0032.GAE@google.com/ +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_sock.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c +index 
b2719f1b8adff..8e2e6d1a6dd15 100644 +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -1416,7 +1416,10 @@ static int l2cap_sock_release(struct socket *sock) + if (!sk) + return 0; + ++ lock_sock_nested(sk, L2CAP_NESTING_PARENT); + l2cap_sock_cleanup_listen(sk); ++ release_sock(sk); ++ + bt_sock_unlink(&l2cap_sk_list, sk); + + err = l2cap_sock_shutdown(sock, SHUT_RDWR); +-- +2.50.1 + diff --git a/queue-5.15/i40e-fix-potential-invalid-access-when-mac-list-is-e.patch b/queue-5.15/i40e-fix-potential-invalid-access-when-mac-list-is-e.patch new file mode 100644 index 0000000000..21e80f98cd --- /dev/null +++ b/queue-5.15/i40e-fix-potential-invalid-access-when-mac-list-is-e.patch 
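Review bot: in the l2cap_sock.c hunk above, l2cap_sock_cleanup_listen() now runs under lock_sock_nested(sk, L2CAP_NESTING_PARENT), which gives bt_accept_dequeue() the same serialisation against a concurrent accept() that its other callers have; the nested class is needed because the children dequeued inside are locked as well. The lock is released again before bt_sock_unlink() and l2cap_sock_shutdown(); presumably because l2cap_sock_shutdown() takes lock_sock() itself (not visible in the diff), so a short comment at the release_sock() would make the reason explicit and stop someone from widening the critical section and deadlocking.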
@@ -0,0 +1,42 @@ +From 5294b575f52b363cf0a8c25f08ec8e65e27ce9ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Aug 2025 19:56:31 +0800 +Subject: i40e: Fix potential invalid access when MAC list is empty + +From: Zhen Ni + +[ Upstream commit a556f06338e1d5a85af0e32ecb46e365547f92b9 ] + +list_first_entry() never returns NULL - if the list is empty, it still +returns a pointer to an invalid object, leading to potential invalid +memory access when dereferenced. + +Fix this by using list_first_entry_or_null instead of list_first_entry. + +Fixes: e3219ce6a775 ("i40e: Add support for client interface for IWARP driver") +Signed-off-by: Zhen Ni +Reviewed-by: Paul Menzel +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_client.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_client.c b/drivers/net/ethernet/intel/i40e/i40e_client.c +index 8bcb98b85e3d9..4af2a4c591067 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_client.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_client.c +@@ -362,8 +362,8 @@ static void i40e_client_add_instance(struct i40e_pf *pf) + if (i40e_client_get_params(vsi, &cdev->lan_info.params)) + goto free_cdev; + +- mac = list_first_entry(&cdev->lan_info.netdev->dev_addrs.list, +- struct netdev_hw_addr, list); ++ mac = list_first_entry_or_null(&cdev->lan_info.netdev->dev_addrs.list, ++ struct netdev_hw_addr, list); + if (mac) + ether_addr_copy(cdev->lan_info.lanmac, mac->addr); + else +-- +2.50.1 + diff --git a/queue-5.15/icmp-fix-icmp_ndo_send-address-translation-for-reply.patch b/queue-5.15/icmp-fix-icmp_ndo_send-address-translation-for-reply.patch new file mode 100644 index 0000000000..44d5701ecb --- /dev/null +++ b/queue-5.15/icmp-fix-icmp_ndo_send-address-translation-for-reply.patch 
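Review bot: in the i40e_client.c hunk above, list_first_entry_or_null() only fixes the empty-list case; the read of netdev->dev_addrs.list is otherwise unchanged, and the hunk does not show which lock the caller holds (rtnl or netif_addr_lock_bh()) while the address list can be modified by dev_addr_add()/dev_addr_del(). Confirm that context, and check that the visible `else` branch after `if (mac)` handles the now reachable NULL case sensibly (log and continue, or fail the instance), since before this change that branch was effectively dead.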
@@ -0,0 +1,110 @@ +From feb596fa252010e015d631e6fdf19de4857dc529 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Aug 2025 11:14:35 +0200 +Subject: icmp: fix icmp_ndo_send address translation for reply direction +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Fabian Bläse + +[ Upstream commit c6dd1aa2cbb72b33e0569f3e71d95792beab5042 ] + +The icmp_ndo_send function was originally introduced to ensure proper +rate limiting when icmp_send is called by a network device driver, +where the packet's source address may have already been transformed +by SNAT. + +However, the original implementation only considers the +IP_CT_DIR_ORIGINAL direction for SNAT and always replaced the packet's +source address with that of the original-direction tuple. This causes +two problems: + +1. For SNAT: + Reply-direction packets were incorrectly translated using the source + address of the CT original direction, even though no translation is + required. + +2. For DNAT: + Reply-direction packets were not handled at all. In DNAT, the original + direction's destination is translated. Therefore, in the reply + direction the source address must be set to the reply-direction + source, so rate limiting works as intended. + +Fix this by using the connection direction to select the correct tuple +for source address translation, and adjust the pre-checks to handle +reply-direction packets in case of DNAT. + +Additionally, wrap the `ct->status` access in READ_ONCE(). This avoids +possible KCSAN reports about concurrent updates to `ct->status`. + +Fixes: 0b41713b6066 ("icmp: introduce helper for nat'd source address in network device context") +Signed-off-by: Fabian Bläse +Cc: Jason A. 
Donenfeld +Reviewed-by: Florian Westphal +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/icmp.c | 6 ++++-- + net/ipv6/ip6_icmp.c | 6 ++++-- + 2 files changed, 8 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c +index 38b30f6790294..8a70e51654264 100644 +--- a/net/ipv4/icmp.c ++++ b/net/ipv4/icmp.c +@@ -792,11 +792,12 @@ void icmp_ndo_send(struct sk_buff *skb_in, int type, int code, __be32 info) + struct sk_buff *cloned_skb = NULL; + struct ip_options opts = { 0 }; + enum ip_conntrack_info ctinfo; ++ enum ip_conntrack_dir dir; + struct nf_conn *ct; + __be32 orig_ip; + + ct = nf_ct_get(skb_in, &ctinfo); +- if (!ct || !(ct->status & IPS_SRC_NAT)) { ++ if (!ct || !(READ_ONCE(ct->status) & IPS_NAT_MASK)) { + __icmp_send(skb_in, type, code, info, &opts); + return; + } +@@ -811,7 +812,8 @@ void icmp_ndo_send(struct sk_buff *skb_in, int type, int code, __be32 info) + goto out; + + orig_ip = ip_hdr(skb_in)->saddr; +- ip_hdr(skb_in)->saddr = ct->tuplehash[0].tuple.src.u3.ip; ++ dir = CTINFO2DIR(ctinfo); ++ ip_hdr(skb_in)->saddr = ct->tuplehash[dir].tuple.src.u3.ip; + __icmp_send(skb_in, type, code, info, &opts); + ip_hdr(skb_in)->saddr = orig_ip; + out: +diff --git a/net/ipv6/ip6_icmp.c b/net/ipv6/ip6_icmp.c +index 9e3574880cb03..233914b63bdb8 100644 +--- a/net/ipv6/ip6_icmp.c ++++ b/net/ipv6/ip6_icmp.c +@@ -54,11 +54,12 @@ void icmpv6_ndo_send(struct sk_buff *skb_in, u8 type, u8 code, __u32 info) + struct inet6_skb_parm parm = { 0 }; + struct sk_buff *cloned_skb = NULL; + enum ip_conntrack_info ctinfo; ++ enum ip_conntrack_dir dir; + struct in6_addr orig_ip; + struct nf_conn *ct; + + ct = nf_ct_get(skb_in, &ctinfo); +- if (!ct || !(ct->status & IPS_SRC_NAT)) { ++ if (!ct || !(READ_ONCE(ct->status) & IPS_NAT_MASK)) { + __icmpv6_send(skb_in, type, code, info, &parm); + return; + } +@@ -73,7 +74,8 @@ void icmpv6_ndo_send(struct sk_buff *skb_in, u8 type, u8 code, __u32 info) + goto out; + + orig_ip = 
ipv6_hdr(skb_in)->saddr; +- ipv6_hdr(skb_in)->saddr = ct->tuplehash[0].tuple.src.u3.in6; ++ dir = CTINFO2DIR(ctinfo); ++ ipv6_hdr(skb_in)->saddr = ct->tuplehash[dir].tuple.src.u3.in6; + __icmpv6_send(skb_in, type, code, info, &parm); + ipv6_hdr(skb_in)->saddr = orig_ip; + out: +-- +2.50.1 + diff --git a/queue-5.15/ipv4-fix-null-vs-error-pointer-check-in-inet_blackho.patch b/queue-5.15/ipv4-fix-null-vs-error-pointer-check-in-inet_blackho.patch new file mode 100644 index 0000000000..aba537a031 --- /dev/null +++ b/queue-5.15/ipv4-fix-null-vs-error-pointer-check-in-inet_blackho.patch @@ -0,0 +1,48 @@ +From 56872d1abdbc201186e4e87baa63d83682044f29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Sep 2025 09:36:08 +0300 +Subject: ipv4: Fix NULL vs error pointer check in inet_blackhole_dev_init() + +From: Dan Carpenter + +[ Upstream commit a51160f8da850a65afbf165f5bbac7ffb388bf74 ] + +The inetdev_init() function never returns NULL. Check for error +pointers instead. + +Fixes: 22600596b675 ("ipv4: give an IPv4 dev to blackhole_netdev") +Signed-off-by: Dan Carpenter +Reviewed-by: Simon Horman +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/aLaQWL9NguWmeM1i@stanley.mountain +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/devinet.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c +index 33e87b442b475..6b0dc07f273a2 100644 +--- a/net/ipv4/devinet.c ++++ b/net/ipv4/devinet.c +@@ -332,14 +332,13 @@ static void inetdev_destroy(struct in_device *in_dev) + + static int __init inet_blackhole_dev_init(void) + { +- int err = 0; ++ struct in_device *in_dev; + + rtnl_lock(); +- if (!inetdev_init(blackhole_netdev)) +- err = -ENOMEM; ++ in_dev = inetdev_init(blackhole_netdev); + rtnl_unlock(); + +- return err; ++ return PTR_ERR_OR_ZERO(in_dev); + } + late_initcall(inet_blackhole_dev_init); + +-- +2.50.1 + 
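Review bot: in the icmp.c hunks of the icmp_ndo_send patch above, widening the precheck from IPS_SRC_NAT to IPS_NAT_MASK means DNAT-only connections now take the rewrite path, and `dir = CTINFO2DIR(ctinfo)` selects tuplehash[IP_CT_DIR_REPLY] for reply-direction packets, which is what the commit body asks for. READ_ONCE() is applied only to ct->status; the tuple read that follows is unannotated, which is fine because tuples do not change after the conntrack is confirmed, but a comment would help. Both hunks write ip_hdr(skb_in)->saddr in place and restore it afterwards, so the `goto out` between the check and the rewrite must stay before the saddr change, as it does in the visible lines.

Review bot: the ip6_icmp.c hunks mirror the IPv4 change one for one (IPS_NAT_MASK, CTINFO2DIR, the in6 tuple field); if the IPv4 pre-checks are adjusted further for DNAT reply handling as the commit says, keep the two files in step, since icmpv6_ndo_send() otherwise drifts silently.

Review bot: in the devinet.c hunk of the inet_blackhole_dev_init() patch, PTR_ERR_OR_ZERO(in_dev) now propagates the real error from inetdev_init() instead of a blanket -ENOMEM, and a NULL return (which the commit says cannot happen) would be reported as success; that is consistent with the stated contract of inetdev_init() but worth a comment so nobody reinstates the NULL check.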
diff --git a/queue-5.15/misdn-fix-memory-leak-in-dsp_hwec_enable.patch b/queue-5.15/misdn-fix-memory-leak-in-dsp_hwec_enable.patch new file mode 100644 index 0000000000..a8ed851b67 --- /dev/null +++ b/queue-5.15/misdn-fix-memory-leak-in-dsp_hwec_enable.patch @@ -0,0 +1,53 @@ +From 0242749f48795d5adbe29eb18f65b36d10aa1512 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Aug 2025 16:14:57 +0800 +Subject: mISDN: Fix memory leak in dsp_hwec_enable() + +From: Miaoqian Lin + +[ Upstream commit 0704a3da7ce50f972e898bbda88d2692a22922d9 ] + +dsp_hwec_enable() allocates dup pointer by kstrdup(arg), +but then it updates dup variable by strsep(&dup, ","). +As a result when it calls kfree(dup), the dup variable may be +a modified pointer that no longer points to the original allocated +memory, causing a memory leak. + +The issue is the same pattern as fixed in commit c6a502c22999 +("mISDN: Fix memory leak in dsp_pipeline_build()"). + +Fixes: 9a4381618262 ("mISDN: Remove VLAs") +Signed-off-by: Miaoqian Lin +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250828081457.36061-1-linmq006@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/isdn/mISDN/dsp_hwec.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/isdn/mISDN/dsp_hwec.c b/drivers/isdn/mISDN/dsp_hwec.c +index 0b3f29195330a..0cd216e28f009 100644 +--- a/drivers/isdn/mISDN/dsp_hwec.c ++++ b/drivers/isdn/mISDN/dsp_hwec.c +@@ -51,14 +51,14 @@ void dsp_hwec_enable(struct dsp *dsp, const char *arg) + goto _do; + + { +- char *dup, *tok, *name, *val; ++ char *dup, *next, *tok, *name, *val; + int tmp; + +- dup = kstrdup(arg, GFP_ATOMIC); ++ dup = next = kstrdup(arg, GFP_ATOMIC); + if (!dup) + return; + +- while ((tok = strsep(&dup, ","))) { ++ while ((tok = strsep(&next, ","))) { + if (!strlen(tok)) + continue; + name = strsep(&tok, "="); +-- +2.50.1 + 
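Review bot: in the dsp_hwec.c hunk above, `dup = next = kstrdup(arg, GFP_ATOMIC)` keeps the original allocation in dup while strsep() advances next, so the kfree(dup) after the loop, which the hunk does not show, now releases the right pointer; confirm that call is still kfree(dup) in the 5.15 tree and was not renamed alongside. GFP_ATOMIC for a string duplicate in a configuration path is pre-existing, but worth a look if this only ever runs in process context.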
diff --git a/queue-5.15/net-atm-fix-memory-leak-in-atm_register_sysfs-when-d.patch b/queue-5.15/net-atm-fix-memory-leak-in-atm_register_sysfs-when-d.patch new file mode 100644 index 0000000000..c363d95d93 --- /dev/null +++ b/queue-5.15/net-atm-fix-memory-leak-in-atm_register_sysfs-when-d.patch 
@@ -0,0 +1,78 @@ +From 702d3740e1f452419bdee97db25a245b8fc926ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Sep 2025 14:35:37 +0800 +Subject: net: atm: fix memory leak in atm_register_sysfs when device_register + fail + +From: Wang Liang + +[ Upstream commit 0a228624bcc00af41f281a2a84c928595a74c17d ] + +When device_register() return error in atm_register_sysfs(), which can be +triggered by kzalloc fail in device_private_init() or other reasons, +kmemleak reports the following memory leaks: + +unreferenced object 0xffff88810182fb80 (size 8): + comm "insmod", pid 504, jiffies 4294852464 + hex dump (first 8 bytes): + 61 64 75 6d 6d 79 30 00 adummy0. + backtrace (crc 14dfadaf): + __kmalloc_node_track_caller_noprof+0x335/0x450 + kvasprintf+0xb3/0x130 + kobject_set_name_vargs+0x45/0x120 + dev_set_name+0xa9/0xe0 + atm_register_sysfs+0xf3/0x220 + atm_dev_register+0x40b/0x780 + 0xffffffffa000b089 + do_one_initcall+0x89/0x300 + do_init_module+0x27b/0x7d0 + load_module+0x54cd/0x5ff0 + init_module_from_file+0xe4/0x150 + idempotent_init_module+0x32c/0x610 + __x64_sys_finit_module+0xbd/0x120 + do_syscall_64+0xa8/0x270 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +When device_create_file() return error in atm_register_sysfs(), the same +issue also can be triggered. + +Function put_device() should be called to release kobj->name memory and +other device resource, instead of kfree(). 
+ +Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array") +Signed-off-by: Wang Liang +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250901063537.1472221-1-wangliang74@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/atm/resources.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/atm/resources.c b/net/atm/resources.c +index b19d851e1f443..7c6fdedbcf4e5 100644 +--- a/net/atm/resources.c ++++ b/net/atm/resources.c +@@ -112,7 +112,9 @@ struct atm_dev *atm_dev_register(const char *type, struct device *parent, + + if (atm_proc_dev_register(dev) < 0) { + pr_err("atm_proc_dev_register failed for dev %s\n", type); +- goto out_fail; ++ mutex_unlock(&atm_dev_mutex); ++ kfree(dev); ++ return NULL; + } + + if (atm_register_sysfs(dev, parent) < 0) { +@@ -128,7 +130,7 @@ struct atm_dev *atm_dev_register(const char *type, struct device *parent, + return dev; + + out_fail: +- kfree(dev); ++ put_device(&dev->class_dev); + dev = NULL; + goto out; + } +-- +2.50.1 + diff --git a/queue-5.15/net-ethernet-mtk_eth_soc-fix-tx-vlan-tag-for-llc-pac.patch b/queue-5.15/net-ethernet-mtk_eth_soc-fix-tx-vlan-tag-for-llc-pac.patch new file mode 100644 index 0000000000..3e6cb9b7ed --- /dev/null +++ b/queue-5.15/net-ethernet-mtk_eth_soc-fix-tx-vlan-tag-for-llc-pac.patch 
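Review bot: in the first resources.c hunk above, the atm_proc_dev_register() failure path open-codes mutex_unlock(&atm_dev_mutex) plus kfree(dev) and returns, because at that point dev->class_dev has not been registered and put_device() would be wrong; that is correct but duplicates the unlock, so a second label (for example out_free: ahead of the put_device() path) would keep both exits in one place and avoid a future missed unlock. In the second hunk, put_device(&dev->class_dev) replacing kfree(dev) relies on the class_dev release callback freeing the atm_dev; the hunk does not show that callback, so confirm it is installed before every failure point in atm_register_sysfs(), otherwise a device_register() failure before the release hook is set will warn and still leak the struct.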
@@ -0,0 +1,55 @@ +From 16a9d4618f4af2d3845ce6eb90505cc28e44a632 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Aug 2025 20:20:07 +0200 +Subject: net: ethernet: mtk_eth_soc: fix tx vlan tag for llc packets + +From: Felix Fietkau + +[ Upstream commit d4736737110ffa83d29f1c5d17b26113864205f6 ] + +When sending llc packets with vlan tx offload, the hardware fails to +actually add the tag. Deal with this by fixing it up in software. + +Fixes: 656e705243fd ("net-next: mediatek: add support for MT7623 ethernet") +Reported-by: Thibaut VARENE +Signed-off-by: Felix Fietkau +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250831182007.51619-1-nbd@nbd.name +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mediatek/mtk_eth_soc.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +index 711acc6059a4f..4d7a72bcee614 100644 +--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c ++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +@@ -1196,6 +1196,13 @@ static netdev_tx_t mtk_start_xmit(struct sk_buff *skb, struct net_device *dev) + bool gso = false; + int tx_num; + ++ if (skb_vlan_tag_present(skb) && ++ !eth_proto_is_802_3(eth_hdr(skb)->h_proto)) { ++ skb = __vlan_hwaccel_push_inside(skb); ++ if (!skb) ++ goto dropped; ++ } ++ + /* normally we can rely on the stack not calling this more than once, + * however we have 2 queues running on the same ring so we need to lock + * the ring access +@@ -1241,8 +1248,9 @@ static netdev_tx_t mtk_start_xmit(struct sk_buff *skb, struct net_device *dev) + + drop: + spin_unlock(ð->page_lock); +- stats->tx_dropped++; + dev_kfree_skb_any(skb); ++dropped: ++ stats->tx_dropped++; + return NETDEV_TX_OK; + } + +-- +2.50.1 + 
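Review bot: in the first mtk_eth_soc.c hunk above, `goto dropped` after a NULL from __vlan_hwaccel_push_inside() is correct only because that helper frees the skb itself on failure; please say so in a comment, since the neighbouring `drop:` label does call dev_kfree_skb_any() and the asymmetry invites a double free on the next edit. The check keys on !eth_proto_is_802_3(h_proto), i.e. an 802.3 length field rather than an EtherType, which is the LLC case the commit describes. In the second hunk stats->tx_dropped++ moves outside the page_lock critical section; that is fine if stats is plain net_device_stats, but the hunk does not show its type, so confirm no synchronisation was being relied on.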
diff --git a/queue-5.15/net-phy-mscc-fix-memory-leak-when-using-one-step-tim.patch b/queue-5.15/net-phy-mscc-fix-memory-leak-when-using-one-step-tim.patch new file mode 100644 index 0000000000..f83d08d972 --- /dev/null +++ b/queue-5.15/net-phy-mscc-fix-memory-leak-when-using-one-step-tim.patch 
@@ -0,0 +1,63 @@ +From d5900d832747d3449328855be8d11b44248a1b97 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 May 2025 13:57:22 +0200 +Subject: net: phy: mscc: Fix memory leak when using one step timestamping + +From: Horatiu Vultur + +[ Upstream commit 846992645b25ec4253167e3f931e4597eb84af56 ] + +Fix memory leak when running one-step timestamping. When running +one-step sync timestamping, the HW is configured to insert the TX time +into the frame, so there is no reason to keep the skb anymore. As in +this case the HW will never generate an interrupt to say that the frame +was timestamped, then the frame will never be released. +Fix this by freeing the frame in case of one-step timestamping. + +Fixes: 7d272e63e0979d ("net: phy: mscc: timestamping and PHC support") +Signed-off-by: Horatiu Vultur +Link: https://patch.msgid.link/20250522115722.2827199-1-horatiu.vultur@microchip.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: 9b2bfdbf43ad ("phy: mscc: Stop taking ts_lock for tx_queue and use its own lock") +Signed-off-by: Sasha Levin +--- + drivers/net/phy/mscc/mscc_ptp.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/phy/mscc/mscc_ptp.c b/drivers/net/phy/mscc/mscc_ptp.c +index e30e6ba9da2f4..717435562f1c5 100644 +--- a/drivers/net/phy/mscc/mscc_ptp.c ++++ b/drivers/net/phy/mscc/mscc_ptp.c +@@ -1171,18 +1171,24 @@ static void vsc85xx_txtstamp(struct mii_timestamper *mii_ts, + container_of(mii_ts, struct vsc8531_private, mii_ts); + + if (!vsc8531->ptp->configured) +- return; ++ goto out; + +- if (vsc8531->ptp->tx_type == HWTSTAMP_TX_OFF) { +- kfree_skb(skb); +- return; +- } ++ if (vsc8531->ptp->tx_type == HWTSTAMP_TX_OFF) ++ goto out; ++ ++ if (vsc8531->ptp->tx_type == HWTSTAMP_TX_ONESTEP_SYNC) ++ if (ptp_msg_is_sync(skb, type)) ++ goto out; + + skb_shinfo(skb)->tx_flags |= SKBTX_IN_PROGRESS; + + mutex_lock(&vsc8531->ts_lock); + __skb_queue_tail(&vsc8531->ptp->tx_queue, skb); + 
mutex_unlock(&vsc8531->ts_lock); ++ return; ++ ++out: ++ kfree_skb(skb); + } + + static bool vsc85xx_rxtstamp(struct mii_timestamper *mii_ts, +-- +2.50.1 + diff --git a/queue-5.15/net-thunder_bgx-add-a-missing-of_node_put.patch b/queue-5.15/net-thunder_bgx-add-a-missing-of_node_put.patch new file mode 100644 index 0000000000..da1641515f --- /dev/null +++ b/queue-5.15/net-thunder_bgx-add-a-missing-of_node_put.patch 
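Review bot: the nested `if (tx_type == HWTSTAMP_TX_ONESTEP_SYNC) if (ptp_msg_is_sync(skb, type)) goto out;` reads as a dangling-if waiting to happen; folding it into one condition, `if (vsc8531->ptp->tx_type == HWTSTAMP_TX_ONESTEP_SYNC && ptp_msg_is_sync(skb, type)) goto out;`, says the same thing and cannot be mis-bound by a later `else`. Note also that the `!configured` case changes from a silent `return` (which leaked the skb handed to the timestamper) to `kfree_skb(skb)` via `out:`; that is the right fix, but the commit message only describes the one-step case, so it deserves a sentence. Non-Sync frames in one-step mode are still queued and still wait for the FIFO interrupt, which matches one-step semantics where only Sync carries an in-band timestamp.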
@@ -0,0 +1,53 @@ +From 10566a50b23b12f9828b68d816220ab2ba86ad0e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Sep 2025 14:30:18 -0700 +Subject: net: thunder_bgx: add a missing of_node_put + +From: Rosen Penev + +[ Upstream commit 9d28f94912589f04ab51fbccaef287d4f40e0d1f ] + +phy_np needs to get freed, just like the other child nodes. + +Fixes: 5fc7cf179449 ("net: thunderx: Cleanup PHY probing code.") +Signed-off-by: Rosen Penev +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250901213018.47392-1-rosenp@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/cavium/thunder/thunder_bgx.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c +index 1831066c76475..d749431803e2e 100644 +--- a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c ++++ b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c +@@ -1491,13 +1491,17 @@ static int bgx_init_of_phy(struct bgx *bgx) + * this cortina phy, for which there is no driver + * support, ignore it. + */ +- if (phy_np && +- !of_device_is_compatible(phy_np, "cortina,cs4223-slice")) { +- /* Wait until the phy drivers are available */ +- pd = of_phy_find_device(phy_np); +- if (!pd) +- goto defer; +- bgx->lmac[lmac].phydev = pd; ++ if (phy_np) { ++ if (!of_device_is_compatible(phy_np, "cortina,cs4223-slice")) { ++ /* Wait until the phy drivers are available */ ++ pd = of_phy_find_device(phy_np); ++ if (!pd) { ++ of_node_put(phy_np); ++ goto defer; ++ } ++ bgx->lmac[lmac].phydev = pd; ++ } ++ of_node_put(phy_np); + } + + lmac++; +-- +2.50.1 + diff --git a/queue-5.15/net-thunder_bgx-decrement-cleanup-index-before-use.patch b/queue-5.15/net-thunder_bgx-decrement-cleanup-index-before-use.patch new file mode 100644 index 0000000000..3833327c77 --- /dev/null +++ b/queue-5.15/net-thunder_bgx-decrement-cleanup-index-before-use.patch 
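Review bot: the added `of_node_put(phy_np)` in the `if (!pd)` path is correct (the node reference would otherwise leak on every -EPROBE_DEFER round), and the second put after the inner `if` covers both the cortina skip and the success path, since of_phy_find_device() holds its own reference on `pd->mdio.dev` and the node is not needed afterwards. Style: the duplicated put could be avoided by dropping the node right after `pd = of_phy_find_device(phy_np);`, before the `if (!pd)` test, so each path releases the node where it stops using it rather than sharing one release after the block. Behaviourally, this defer exit happens before `bgx->lmac[lmac].phydev = pd` is stored, so the cleanup loop at `defer:` must not touch index `lmac` itself; that loop is outside this hunk and should be reviewed together with this change.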
@@ -0,0 +1,44 @@ +From e98a08ece9a0b30838b8d6c8dc6b91f5c0c4d650 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Sep 2025 14:33:14 -0700 +Subject: net: thunder_bgx: decrement cleanup index before use + +From: Rosen Penev + +[ Upstream commit 9e3d71a92e561ccc77025689dab25d201fee7a3e ] + +All paths in probe that call goto defer do so before assigning phydev +and thus it makes sense to cleanup the prior index. It also fixes a bug +where index 0 does not get cleaned up. + +Fixes: b7d3e3d3d21a ("net: thunderx: Don't leak phy device references on -EPROBE_DEFER condition.") +Signed-off-by: Rosen Penev +Reviewed-by: Vadim Fedorenko +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250901213314.48599-1-rosenp@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c +index d749431803e2e..460f8c0989947 100644 +--- a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c ++++ b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c +@@ -1517,11 +1517,11 @@ static int bgx_init_of_phy(struct bgx *bgx) + * for phy devices we may have already found. + */ + while (lmac) { ++ lmac--; + if (bgx->lmac[lmac].phydev) { + put_device(&bgx->lmac[lmac].phydev->mdio.dev); + bgx->lmac[lmac].phydev = NULL; + } +- lmac--; + } + of_node_put(node); + return -EPROBE_DEFER; +-- +2.50.1 + diff --git a/queue-5.15/netfilter-br_netfilter-do-not-check-confirmed-bit-in.patch b/queue-5.15/netfilter-br_netfilter-do-not-check-confirmed-bit-in.patch new file mode 100644 index 0000000000..2a236bb2bd --- /dev/null +++ b/queue-5.15/netfilter-br_netfilter-do-not-check-confirmed-bit-in.patch 
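Review bot: moving `lmac--` ahead of the test makes the loop cover indices lmac-1 down to 0 instead of lmac down to 1, which both fixes the never-cleaned index 0 and stops it reading `bgx->lmac[lmac]` for the entry whose phydev was never assigned (the one that caused the defer). The commit message's claim that every `goto defer` happens before `phydev` is assigned is what makes this safe; it holds for the path visible in the preceding of_node_put change, but the other defer jumps earlier in the loop are worth one look, since any future `goto defer` placed after the assignment would now leak a device reference. `while (lmac--)` would express the same loop in one line.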
@@ -0,0 +1,77 @@ +From 0bcf72fabb303a8b73601eabfc558f526b0387da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Aug 2025 11:52:19 +0800 +Subject: netfilter: br_netfilter: do not check confirmed bit in + br_nf_local_in() after confirm + +From: Wang Liang + +[ Upstream commit 479a54ab92087318514c82428a87af2d7af1a576 ] + +When send a broadcast packet to a tap device, which was added to a bridge, +br_nf_local_in() is called to confirm the conntrack. If another conntrack +with the same hash value is added to the hash table, which can be +triggered by a normal packet to a non-bridge device, the below warning +may happen. + + ------------[ cut here ]------------ + WARNING: CPU: 1 PID: 96 at net/bridge/br_netfilter_hooks.c:632 br_nf_local_in+0x168/0x200 + CPU: 1 UID: 0 PID: 96 Comm: tap_send Not tainted 6.17.0-rc2-dirty #44 PREEMPT(voluntary) + RIP: 0010:br_nf_local_in+0x168/0x200 + Call Trace: + + nf_hook_slow+0x3e/0xf0 + br_pass_frame_up+0x103/0x180 + br_handle_frame_finish+0x2de/0x5b0 + br_nf_hook_thresh+0xc0/0x120 + br_nf_pre_routing_finish+0x168/0x3a0 + br_nf_pre_routing+0x237/0x5e0 + br_handle_frame+0x1ec/0x3c0 + __netif_receive_skb_core+0x225/0x1210 + __netif_receive_skb_one_core+0x37/0xa0 + netif_receive_skb+0x36/0x160 + tun_get_user+0xa54/0x10c0 + tun_chr_write_iter+0x65/0xb0 + vfs_write+0x305/0x410 + ksys_write+0x60/0xd0 + do_syscall_64+0xa4/0x260 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + + ---[ end trace 0000000000000000 ]--- + +To solve the hash conflict, nf_ct_resolve_clash() try to merge the +conntracks, and update skb->_nfct. However, br_nf_local_in() still use the +old ct from local variable 'nfct' after confirm(), which leads to this +warning. + +If confirm() does not insert the conntrack entry and return NF_DROP, the +warning may also occur. There is no need to reserve the WARN_ON_ONCE, just +remove it. 
+ +Link: https://lore.kernel.org/netdev/20250820043329.2902014-1-wangliang74@huawei.com/ +Fixes: 62e7151ae3eb ("netfilter: bridge: confirm multicast packets before passing them up the stack") +Suggested-by: Florian Westphal +Signed-off-by: Wang Liang +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/bridge/br_netfilter_hooks.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c +index 7cd2bef583312..9ad0feb248b5d 100644 +--- a/net/bridge/br_netfilter_hooks.c ++++ b/net/bridge/br_netfilter_hooks.c +@@ -630,9 +630,6 @@ static unsigned int br_nf_local_in(void *priv, + break; + } + +- ct = container_of(nfct, struct nf_conn, ct_general); +- WARN_ON_ONCE(!nf_ct_is_confirmed(ct)); +- + return ret; + } + #endif +-- +2.50.1 + diff --git a/queue-5.15/netfilter-conntrack-helper-replace-eexist-by-ebusy.patch b/queue-5.15/netfilter-conntrack-helper-replace-eexist-by-ebusy.patch new file mode 100644 index 0000000000..5c13b9f12e --- /dev/null +++ b/queue-5.15/netfilter-conntrack-helper-replace-eexist-by-ebusy.patch 
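Review bot: the hunk removes the only visible use of `ct`, so check whether `struct nf_conn *ct` is still used earlier in br_nf_local_in(); if this WARN_ON_ONCE was its last consumer the declaration should go too, or the build gains an unused-variable warning. Dropping the assertion instead of re-reading `skb->_nfct` after confirm is fine because nothing after this point uses the conntrack, but that reasoning lives only in the commit message; a short comment where the check used to be, saying the nf_conn behind `nfct` may have been replaced by nf_ct_resolve_clash() or dropped by confirm, would stop someone re-adding a check on the stale pointer.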
@@ -0,0 +1,50 @@ +From d739e1061c0a230a693737607136f4a559d33378 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Aug 2025 13:22:20 +0200 +Subject: netfilter: conntrack: helper: Replace -EEXIST by -EBUSY + +From: Phil Sutter + +[ Upstream commit 54416fd76770bd04fc3c501810e8d673550bab26 ] + +The helper registration return value is passed-through by module_init +callbacks which modprobe confuses with the harmless -EEXIST returned +when trying to load an already loaded module. + +Make sure modprobe fails so users notice their helper has not been +registered and won't work. + +Suggested-by: Christophe Leroy +Fixes: 12f7a505331e ("netfilter: add user-space connection tracking helper infrastructure") +Signed-off-by: Phil Sutter +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_helper.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c +index 41c9708b50575..de5ac9f431031 100644 +--- a/net/netfilter/nf_conntrack_helper.c ++++ b/net/netfilter/nf_conntrack_helper.c +@@ -418,7 +418,7 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me) + (cur->tuple.src.l3num == NFPROTO_UNSPEC || + cur->tuple.src.l3num == me->tuple.src.l3num) && + cur->tuple.dst.protonum == me->tuple.dst.protonum) { +- ret = -EEXIST; ++ ret = -EBUSY; + goto out; + } + } +@@ -429,7 +429,7 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me) + hlist_for_each_entry(cur, &nf_ct_helper_hash[h], hnode) { + if (nf_ct_tuple_src_mask_cmp(&cur->tuple, &me->tuple, + &mask)) { +- ret = -EEXIST; ++ ret = -EBUSY; + goto out; + } + } +-- +2.50.1 + diff --git a/queue-5.15/phy-mscc-stop-taking-ts_lock-for-tx_queue-and-use-it.patch b/queue-5.15/phy-mscc-stop-taking-ts_lock-for-tx_queue-and-use-it.patch new file mode 100644 index 0000000000..795047b0ed --- /dev/null +++ b/queue-5.15/phy-mscc-stop-taking-ts_lock-for-tx_queue-and-use-it.patch 
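Review bot: both collision branches now return -EBUSY, which fixes the modprobe confusion described in the commit message, but the return value of nf_conntrack_helper_register() is not consumed only by module_init callbacks; any in-kernel path that registers a helper on behalf of a netlink request and propagates this error will now hand userspace EBUSY where it used to see EEXIST. Worth a sentence in the commit message and a check that no in-tree caller special-cases -EEXIST from this function before the backport lands on 5.15.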
@@ -0,0 +1,147 @@ +From 9eaeacc3514420ebff10690707cdd8dcbc15e381 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Sep 2025 14:12:59 +0200 +Subject: phy: mscc: Stop taking ts_lock for tx_queue and use its own lock + +From: Horatiu Vultur + +[ Upstream commit 9b2bfdbf43adb9929c5ddcdd96efedbf1c88cf53 ] + +When transmitting a PTP frame which is timestamp using 2 step, the +following warning appears if CONFIG_PROVE_LOCKING is enabled: +============================= +[ BUG: Invalid wait context ] +6.17.0-rc1-00326-ge6160462704e #427 Not tainted +----------------------------- +ptp4l/119 is trying to lock: +c2a44ed4 (&vsc8531->ts_lock){+.+.}-{3:3}, at: vsc85xx_txtstamp+0x50/0xac +other info that might help us debug this: +context-{4:4} +4 locks held by ptp4l/119: + #0: c145f068 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x58/0x1440 + #1: c29df974 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: __dev_queue_xmit+0x5c4/0x1440 + #2: c2aaaad0 (_xmit_ETHER#2){+.-.}-{2:2}, at: sch_direct_xmit+0x108/0x350 + #3: c2aac170 (&lan966x->tx_lock){+.-.}-{2:2}, at: lan966x_port_xmit+0xd0/0x350 +stack backtrace: +CPU: 0 UID: 0 PID: 119 Comm: ptp4l Not tainted 6.17.0-rc1-00326-ge6160462704e #427 NONE +Hardware name: Generic DT based system +Call trace: + unwind_backtrace from show_stack+0x10/0x14 + show_stack from dump_stack_lvl+0x7c/0xac + dump_stack_lvl from __lock_acquire+0x8e8/0x29dc + __lock_acquire from lock_acquire+0x108/0x38c + lock_acquire from __mutex_lock+0xb0/0xe78 + __mutex_lock from mutex_lock_nested+0x1c/0x24 + mutex_lock_nested from vsc85xx_txtstamp+0x50/0xac + vsc85xx_txtstamp from lan966x_fdma_xmit+0xd8/0x3a8 + lan966x_fdma_xmit from lan966x_port_xmit+0x1bc/0x350 + lan966x_port_xmit from dev_hard_start_xmit+0xc8/0x2c0 + dev_hard_start_xmit from sch_direct_xmit+0x8c/0x350 + sch_direct_xmit from __dev_queue_xmit+0x680/0x1440 + __dev_queue_xmit from packet_sendmsg+0xfa4/0x1568 + packet_sendmsg from __sys_sendto+0x110/0x19c + __sys_sendto from 
sys_send+0x18/0x20 + sys_send from ret_fast_syscall+0x0/0x1c +Exception stack(0xf0b05fa8 to 0xf0b05ff0) +5fa0: 00000001 0000000e 0000000e 0004b47a 0000003a 00000000 +5fc0: 00000001 0000000e 00000000 00000121 0004af58 00044874 00000000 00000000 +5fe0: 00000001 bee9d420 00025a10 b6e75c7c + +So, instead of using the ts_lock for tx_queue, use the spinlock that +skb_buff_head has. + +Reviewed-by: Vadim Fedorenko +Fixes: 7d272e63e0979d ("net: phy: mscc: timestamping and PHC support") +Signed-off-by: Horatiu Vultur +Link: https://patch.msgid.link/20250902121259.3257536-1-horatiu.vultur@microchip.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/mscc/mscc_ptp.c | 18 ++++++++---------- + 1 file changed, 8 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/phy/mscc/mscc_ptp.c b/drivers/net/phy/mscc/mscc_ptp.c +index 717435562f1c5..7b73b78ac9b35 100644 +--- a/drivers/net/phy/mscc/mscc_ptp.c ++++ b/drivers/net/phy/mscc/mscc_ptp.c +@@ -455,12 +455,12 @@ static void vsc85xx_dequeue_skb(struct vsc85xx_ptp *ptp) + *p++ = (reg >> 24) & 0xff; + } + +- len = skb_queue_len(&ptp->tx_queue); ++ len = skb_queue_len_lockless(&ptp->tx_queue); + if (len < 1) + return; + + while (len--) { +- skb = __skb_dequeue(&ptp->tx_queue); ++ skb = skb_dequeue(&ptp->tx_queue); + if (!skb) + return; + +@@ -485,7 +485,7 @@ static void vsc85xx_dequeue_skb(struct vsc85xx_ptp *ptp) + * packet in the FIFO right now, reschedule it for later + * packets. 
+ */ +- __skb_queue_tail(&ptp->tx_queue, skb); ++ skb_queue_tail(&ptp->tx_queue, skb); + } + } + +@@ -1070,6 +1070,7 @@ static int vsc85xx_hwtstamp(struct mii_timestamper *mii_ts, struct ifreq *ifr) + case HWTSTAMP_TX_ON: + break; + case HWTSTAMP_TX_OFF: ++ skb_queue_purge(&vsc8531->ptp->tx_queue); + break; + default: + return -ERANGE; +@@ -1094,9 +1095,6 @@ static int vsc85xx_hwtstamp(struct mii_timestamper *mii_ts, struct ifreq *ifr) + + mutex_lock(&vsc8531->ts_lock); + +- __skb_queue_purge(&vsc8531->ptp->tx_queue); +- __skb_queue_head_init(&vsc8531->ptp->tx_queue); +- + /* Disable predictor while configuring the 1588 block */ + val = vsc85xx_ts_read_csr(phydev, PROCESSOR, + MSCC_PHY_PTP_INGR_PREDICTOR); +@@ -1182,9 +1180,7 @@ static void vsc85xx_txtstamp(struct mii_timestamper *mii_ts, + + skb_shinfo(skb)->tx_flags |= SKBTX_IN_PROGRESS; + +- mutex_lock(&vsc8531->ts_lock); +- __skb_queue_tail(&vsc8531->ptp->tx_queue, skb); +- mutex_unlock(&vsc8531->ts_lock); ++ skb_queue_tail(&vsc8531->ptp->tx_queue, skb); + return; + + out: +@@ -1550,6 +1546,7 @@ void vsc8584_ptp_deinit(struct phy_device *phydev) + if (vsc8531->ptp->ptp_clock) { + ptp_clock_unregister(vsc8531->ptp->ptp_clock); + skb_queue_purge(&vsc8531->rx_skbs_list); ++ skb_queue_purge(&vsc8531->ptp->tx_queue); + } + } + +@@ -1573,7 +1570,7 @@ irqreturn_t vsc8584_handle_ts_interrupt(struct phy_device *phydev) + if (rc & VSC85XX_1588_INT_FIFO_ADD) { + vsc85xx_get_tx_ts(priv->ptp); + } else if (rc & VSC85XX_1588_INT_FIFO_OVERFLOW) { +- __skb_queue_purge(&priv->ptp->tx_queue); ++ skb_queue_purge(&priv->ptp->tx_queue); + vsc85xx_ts_reset_fifo(phydev); + } + +@@ -1593,6 +1590,7 @@ int vsc8584_ptp_probe(struct phy_device *phydev) + mutex_init(&vsc8531->phc_lock); + mutex_init(&vsc8531->ts_lock); + skb_queue_head_init(&vsc8531->rx_skbs_list); ++ skb_queue_head_init(&vsc8531->ptp->tx_queue); + + /* Retrieve the shared load/save GPIO. 
Request it as non exclusive as + * the same GPIO can be requested by all the PHYs of the same package. +-- +2.50.1 + diff --git a/queue-5.15/ppp-fix-memory-leak-in-pad_compress_skb.patch b/queue-5.15/ppp-fix-memory-leak-in-pad_compress_skb.patch new file mode 100644 index 0000000000..3a68f838c6 --- /dev/null +++ b/queue-5.15/ppp-fix-memory-leak-in-pad_compress_skb.patch 
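Review bot: in vsc85xx_hwtstamp() the old code purged `tx_queue` under `ts_lock` on every call regardless of tx_type, while the new code purges only in the `HWTSTAMP_TX_OFF` case; switching between TX_ON and TX_ONESTEP_SYNC therefore no longer flushes frames queued under the previous mode, a behaviour change the commit message does not mention and which may or may not be intended. Separately, removing `__skb_queue_head_init()` from that path is required, not merely tidy: re-initialising a queue whose spinlock is now used by producers would corrupt the lock, so the single `skb_queue_head_init(&vsc8531->ptp->tx_queue)` in probe is the only correct place. In vsc85xx_dequeue_skb(), `skb_queue_len_lockless()` followed by `while (len--) skb_dequeue()` is racy against concurrent producers but bounded by the snapshot, so an skb re-queued with skb_queue_tail() in the same pass cannot be dequeued again in that pass; a comment stating that invariant would help the next reader.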
@@ -0,0 +1,66 @@ +From e5ba38bf81cfc5c0005b4cccfa308e1f448e531f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Sep 2025 18:07:26 +0800 +Subject: ppp: fix memory leak in pad_compress_skb + +From: Qingfang Deng + +[ Upstream commit 4844123fe0b853a4982c02666cb3fd863d701d50 ] + +If alloc_skb() fails in pad_compress_skb(), it returns NULL without +releasing the old skb. The caller does: + + skb = pad_compress_skb(ppp, skb); + if (!skb) + goto drop; + +drop: + kfree_skb(skb); + +When pad_compress_skb() returns NULL, the reference to the old skb is +lost and kfree_skb(skb) ends up doing nothing, leading to a memory leak. + +Align pad_compress_skb() semantics with realloc(): only free the old +skb if allocation and compression succeed. At the call site, use the +new_skb variable so the original skb is not lost when pad_compress_skb() +fails. + +Fixes: b3f9b92a6ec1 ("[PPP]: add PPP MPPE encryption module") +Signed-off-by: Qingfang Deng +Reviewed-by: Eric Dumazet +Reviewed-by: Yue Haibing +Link: https://patch.msgid.link/20250903100726.269839-1-dqfext@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ppp/ppp_generic.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c +index 5cb06e04293e3..91a19ed03bc7d 100644 +--- a/drivers/net/ppp/ppp_generic.c ++++ b/drivers/net/ppp/ppp_generic.c +@@ -1752,7 +1752,6 @@ pad_compress_skb(struct ppp *ppp, struct sk_buff *skb) + */ + if (net_ratelimit()) + netdev_err(ppp->dev, "ppp: compressor dropped pkt\n"); +- kfree_skb(skb); + consume_skb(new_skb); + new_skb = NULL; + } +@@ -1854,9 +1853,10 @@ ppp_send_frame(struct ppp *ppp, struct sk_buff *skb) + "down - pkt dropped.\n"); + goto drop; + } +- skb = pad_compress_skb(ppp, skb); +- if (!skb) ++ new_skb = pad_compress_skb(ppp, skb); ++ if (!new_skb) + goto drop; ++ skb = new_skb; + } + + /* +-- +2.50.1 + 
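Review bot: pad_compress_skb() now has realloc-like semantics (the input skb is consumed only on success, and the "compressor dropped pkt" branch no longer frees it), but the only record of that contract is the commit message; put it in the function's comment so the next caller neither frees `skb` twice nor leaks it. The call site relies on `new_skb` already being declared in ppp_send_frame(); it is not visible in the hunk, so confirm it is in scope there and not reused later with a stale value. Also audit the remaining NULL-returning paths inside pad_compress_skb() (the alloc_skb() failure the commit message describes) for any leftover kfree_skb(skb) that would now double-free under the new contract.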
diff --git a/queue-5.15/ptp-add-generic-ptp-is_sync-function.patch b/queue-5.15/ptp-add-generic-ptp-is_sync-function.patch new file mode 100644 index 0000000000..1058867989 --- /dev/null +++ b/queue-5.15/ptp-add-generic-ptp-is_sync-function.patch 
@@ -0,0 +1,82 @@ +From c5f7a20bfc50392ff2b17e87d27341b4e11ecb06 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Mar 2022 12:21:25 +0100 +Subject: ptp: Add generic PTP is_sync() function + +From: Kurt Kanzenbach + +[ Upstream commit f72de02ebece2e962462bc0c1e9efd29eaa029b2 ] + +PHY drivers such as micrel or dp83640 need to analyze whether a given +skb is a PTP sync message for one step functionality. + +In order to avoid code duplication introduce a generic function and +move it to ptp classify. + +Signed-off-by: Kurt Kanzenbach +Signed-off-by: David S. Miller +Stable-dep-of: 9b2bfdbf43ad ("phy: mscc: Stop taking ts_lock for tx_queue and use its own lock") +Signed-off-by: Sasha Levin +--- + include/linux/ptp_classify.h | 15 +++++++++++++++ + net/core/ptp_classifier.c | 12 ++++++++++++ + 2 files changed, 27 insertions(+) + +diff --git a/include/linux/ptp_classify.h b/include/linux/ptp_classify.h +index 7a526b52bd748..c91ede9654f92 100644 +--- a/include/linux/ptp_classify.h ++++ b/include/linux/ptp_classify.h +@@ -128,6 +128,17 @@ static inline u8 ptp_get_msgtype(const struct ptp_header *hdr, + return msgtype; + } + ++/** ++ * ptp_msg_is_sync - Evaluates whether the given skb is a PTP Sync message ++ * @skb: packet buffer ++ * @type: type of the packet (see ptp_classify_raw()) ++ * ++ * This function evaluates whether the given skb is a PTP Sync message. 
++ * ++ * Return: true if sync message, false otherwise ++ */ ++bool ptp_msg_is_sync(struct sk_buff *skb, unsigned int type); ++ + void __init ptp_classifier_init(void); + #else + static inline void ptp_classifier_init(void) +@@ -150,5 +161,9 @@ static inline u8 ptp_get_msgtype(const struct ptp_header *hdr, + */ + return PTP_MSGTYPE_SYNC; + } ++static inline bool ptp_msg_is_sync(struct sk_buff *skb, unsigned int type) ++{ ++ return false; ++} + #endif + #endif /* _PTP_CLASSIFY_H_ */ +diff --git a/net/core/ptp_classifier.c b/net/core/ptp_classifier.c +index dd4cf01d1e0a2..598041b0499e3 100644 +--- a/net/core/ptp_classifier.c ++++ b/net/core/ptp_classifier.c +@@ -137,6 +137,18 @@ struct ptp_header *ptp_parse_header(struct sk_buff *skb, unsigned int type) + } + EXPORT_SYMBOL_GPL(ptp_parse_header); + ++bool ptp_msg_is_sync(struct sk_buff *skb, unsigned int type) ++{ ++ struct ptp_header *hdr; ++ ++ hdr = ptp_parse_header(skb, type); ++ if (!hdr) ++ return false; ++ ++ return ptp_get_msgtype(hdr, type) == PTP_MSGTYPE_SYNC; ++} ++EXPORT_SYMBOL_GPL(ptp_msg_is_sync); ++ + void __init ptp_classifier_init(void) + { + static struct sock_filter ptp_filter[] __initdata = { +-- +2.50.1 + diff --git a/queue-5.15/series b/queue-5.15/series index f79a3d5e9e..73fe92238c 100644 --- a/queue-5.15/series +++ b/queue-5.15/series 
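Review bot: the `#else` stub returns false unconditionally, so with CONFIG_NET_PTP_CLASSIFY disabled every one-step Sync frame is reported as non-Sync and a caller such as the mscc one-step path will queue it waiting for a timestamp that never arrives, silently reintroducing the leak the dependent patch fixes. Either say so in the kernel-doc (`Return:` should state that it is always false when PTP classification is not built in) or make the one-step callers depend on the classifier. Minor: the kernel-doc body repeats the summary line ("This function evaluates whether the given skb is a PTP Sync message."); one of the two can go.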
@@ -6,3 +6,23 @@ drm-amd-display-don-t-warn-when-missing-dce-encoder-.patch fs-writeback-fix-use-after-free-in-__mark_inode_dirt.patch tee-fix-null-pointer-dereference-in-tee_shm_put.patch arm64-dts-rockchip-add-vcc-supply-to-spi-flash-on-rk.patch +wifi-cfg80211-fix-use-after-free-in-cmp_bss.patch +netfilter-br_netfilter-do-not-check-confirmed-bit-in.patch +netfilter-conntrack-helper-replace-eexist-by-ebusy.patch +bluetooth-fix-use-after-free-in-l2cap_sock_cleanup_l.patch +xirc2ps_cs-fix-register-access-when-enabling-fulldup.patch +misdn-fix-memory-leak-in-dsp_hwec_enable.patch +icmp-fix-icmp_ndo_send-address-translation-for-reply.patch +i40e-fix-potential-invalid-access-when-mac-list-is-e.patch +net-ethernet-mtk_eth_soc-fix-tx-vlan-tag-for-llc-pac.patch +wifi-cw1200-cap-ssid-length-in-cw1200_do_join.patch +wifi-libertas-cap-ssid-len-in-lbs_associate.patch +net-thunder_bgx-add-a-missing-of_node_put.patch +net-thunder_bgx-decrement-cleanup-index-before-use.patch +ipv4-fix-null-vs-error-pointer-check-in-inet_blackho.patch +ax25-properly-unshare-skbs-in-ax25_kiss_rcv.patch +net-atm-fix-memory-leak-in-atm_register_sysfs-when-d.patch +ppp-fix-memory-leak-in-pad_compress_skb.patch +ptp-add-generic-ptp-is_sync-function.patch +net-phy-mscc-fix-memory-leak-when-using-one-step-tim.patch +phy-mscc-stop-taking-ts_lock-for-tx_queue-and-use-it.patch diff --git a/queue-5.15/wifi-cfg80211-fix-use-after-free-in-cmp_bss.patch b/queue-5.15/wifi-cfg80211-fix-use-after-free-in-cmp_bss.patch new file mode 100644 index 0000000000..ba72d3926e --- /dev/null +++ b/queue-5.15/wifi-cfg80211-fix-use-after-free-in-cmp_bss.patch 
@@ -0,0 +1,43 @@ +From 1cd04db178fd4d910213e5c43211878603e67329 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Aug 2025 16:52:36 +0300 +Subject: wifi: cfg80211: fix use-after-free in cmp_bss() + +From: Dmitry Antipov + +[ Upstream commit 26e84445f02ce6b2fe5f3e0e28ff7add77f35e08 ] + +Following bss_free() quirk introduced in commit 776b3580178f +("cfg80211: track hidden SSID networks properly"), adjust +cfg80211_update_known_bss() to free the last beacon frame +elements only if they're not shared via the corresponding +'hidden_beacon_bss' pointer. + +Reported-by: syzbot+30754ca335e6fb7e3092@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=30754ca335e6fb7e3092 +Fixes: 3ab8227d3e7d ("cfg80211: refactor cfg80211_bss_update") +Signed-off-by: Dmitry Antipov +Link: https://patch.msgid.link/20250813135236.799384-1-dmantipov@yandex.ru +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/scan.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/wireless/scan.c b/net/wireless/scan.c +index d977d7a7675e1..e2b4149e5ff43 100644 +--- a/net/wireless/scan.c ++++ b/net/wireless/scan.c +@@ -1768,7 +1768,8 @@ cfg80211_update_known_bss(struct cfg80211_registered_device *rdev, + */ + + f = rcu_access_pointer(new->pub.beacon_ies); +- kfree_rcu((struct cfg80211_bss_ies *)f, rcu_head); ++ if (!new->pub.hidden_beacon_bss) ++ kfree_rcu((struct cfg80211_bss_ies *)f, rcu_head); + return false; + } + +-- +2.50.1 + diff --git a/queue-5.15/wifi-cw1200-cap-ssid-length-in-cw1200_do_join.patch b/queue-5.15/wifi-cw1200-cap-ssid-length-in-cw1200_do_join.patch new file mode 100644 index 0000000000..2d016c682e --- /dev/null +++ b/queue-5.15/wifi-cw1200-cap-ssid-length-in-cw1200_do_join.patch 
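Review bot: the guard `if (!new->pub.hidden_beacon_bss)` mirrors the bss_free() quirk the commit message cites, but the comment block that closes just above (`*/`) is the place to say that `beacon_ies` may be shared with the hidden BSS; without that note the unconditional kfree_rcu() looks like the obvious code and will be restored by the next cleanup. Also consider what happens to `new->pub.beacon_ies` after this `return false`: if `new` is always torn down through bss_free() the same check protects it, but any other path that frees `new`'s elements would hit the same use-after-free on the shared pointer.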
@@ -0,0 +1,36 @@ +From 43885afaea51527337489f550f7bf46b356c8cbd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Aug 2025 15:48:28 +0300 +Subject: wifi: cw1200: cap SSID length in cw1200_do_join() + +From: Dan Carpenter + +[ Upstream commit f8f15f6742b8874e59c9c715d0af3474608310ad ] + +If the ssidie[1] length is more than 32 it leads to memory corruption. + +Fixes: a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets") +Signed-off-by: Dan Carpenter +Link: https://patch.msgid.link/e91fb43fcedc4893b604dfb973131661510901a7.1756456951.git.dan.carpenter@linaro.org +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/st/cw1200/sta.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/st/cw1200/sta.c b/drivers/net/wireless/st/cw1200/sta.c +index 236022d4ae2a3..0f2d1ec34cd82 100644 +--- a/drivers/net/wireless/st/cw1200/sta.c ++++ b/drivers/net/wireless/st/cw1200/sta.c +@@ -1289,7 +1289,7 @@ static void cw1200_do_join(struct cw1200_common *priv) + rcu_read_lock(); + ssidie = ieee80211_bss_get_ie(bss, WLAN_EID_SSID); + if (ssidie) { +- join.ssid_len = ssidie[1]; ++ join.ssid_len = min(ssidie[1], IEEE80211_MAX_SSID_LEN); + memcpy(join.ssid, &ssidie[2], join.ssid_len); + } + rcu_read_unlock(); +-- +2.50.1 + diff --git a/queue-5.15/wifi-libertas-cap-ssid-len-in-lbs_associate.patch b/queue-5.15/wifi-libertas-cap-ssid-len-in-lbs_associate.patch new file mode 100644 index 0000000000..48df7df599 --- /dev/null +++ b/queue-5.15/wifi-libertas-cap-ssid-len-in-lbs_associate.patch 
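Review bot: `min(ssidie[1], IEEE80211_MAX_SSID_LEN)` compares a `u8` with an `int` constant; current upstream minmax.h accepts that, but the 5.15 branch this is queued for carries the stricter type check and may emit the "comparison of distinct pointer types lacks a cast" warning, so `min_t(u8, ssidie[1], IEEE80211_MAX_SSID_LEN)` is the safer form for the backport. Functionally the cap is right: the IE length byte comes straight from a received beacon or probe response, and assuming `join.ssid` is sized for IEEE80211_MAX_SSID_LEN (the commit message's "more than 32" corruption implies it is), the unchecked memcpy() was an attacker-controlled overrun from over the air.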
@@ -0,0 +1,44 @@ +From 121cf6f53c428b9a974e19e5e86bb5567bb91b12 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Aug 2025 15:48:35 +0300 +Subject: wifi: libertas: cap SSID len in lbs_associate() + +From: Dan Carpenter + +[ Upstream commit c786794bd27b0d7a5fd9063695df83206009be59 ] + +If the ssid_eid[1] length is more than 32 it leads to memory corruption. + +Fixes: a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets") +Signed-off-by: Dan Carpenter +Link: https://patch.msgid.link/2a40f5ec7617144aef412034c12919a4927d90ad.1756456951.git.dan.carpenter@linaro.org +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/libertas/cfg.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/marvell/libertas/cfg.c b/drivers/net/wireless/marvell/libertas/cfg.c +index 4e3de684928bf..a659054c1bcd9 100644 +--- a/drivers/net/wireless/marvell/libertas/cfg.c ++++ b/drivers/net/wireless/marvell/libertas/cfg.c +@@ -1102,10 +1102,13 @@ static int lbs_associate(struct lbs_private *priv, + /* add SSID TLV */ + rcu_read_lock(); + ssid_eid = ieee80211_bss_get_ie(bss, WLAN_EID_SSID); +- if (ssid_eid) +- pos += lbs_add_ssid_tlv(pos, ssid_eid + 2, ssid_eid[1]); +- else ++ if (ssid_eid) { ++ u32 ssid_len = min(ssid_eid[1], IEEE80211_MAX_SSID_LEN); ++ ++ pos += lbs_add_ssid_tlv(pos, ssid_eid + 2, ssid_len); ++ } else { + lbs_deb_assoc("no SSID\n"); ++ } + rcu_read_unlock(); + + /* add DS param TLV */ +-- +2.50.1 + diff --git a/queue-5.15/xirc2ps_cs-fix-register-access-when-enabling-fulldup.patch b/queue-5.15/xirc2ps_cs-fix-register-access-when-enabling-fulldup.patch new file mode 100644 index 0000000000..ed1088d685 --- /dev/null +++ b/queue-5.15/xirc2ps_cs-fix-register-access-when-enabling-fulldup.patch 
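Review bot: the Fixes: tag points at a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets"), which is the cw1200 driver, not libertas; it looks copied from the sibling patch in the same series and should name the libertas commit that introduced the unchecked `ssid_eid[1]` in lbs_associate(), otherwise stable selection keys on the wrong history. Same type caveat as the cw1200 change: `min()` of a `u8` and the `int` constant, here assigned to a `u32`, may trip the older minmax type check on 5.15; `min_t(u32, ssid_eid[1], IEEE80211_MAX_SSID_LEN)` avoids it and matches the variable's type.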
@@ -0,0 +1,44 @@ +From 96015fdc2b6e98c45c12be0b3c2b990ece9f385c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Aug 2025 12:26:43 -0700 +Subject: xirc2ps_cs: fix register access when enabling FullDuplex + +From: Alok Tiwari + +[ Upstream commit b79e498080b170fd94fc83bca2471f450811549b ] + +The current code incorrectly passes (XIRCREG1_ECR | FullDuplex) as +the register address to GetByte(), instead of fetching the register +value and OR-ing it with FullDuplex. This results in an invalid +register access. + +Fix it by reading XIRCREG1_ECR first, then or-ing with FullDuplex +before writing it back. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Alok Tiwari +Reviewed-by: Simon Horman +Reviewed-by: Jacob Keller +Link: https://patch.msgid.link/20250827192645.658496-1-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/xircom/xirc2ps_cs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/xircom/xirc2ps_cs.c b/drivers/net/ethernet/xircom/xirc2ps_cs.c +index 10f42b7df8b35..efbd337b8bb8e 100644 +--- a/drivers/net/ethernet/xircom/xirc2ps_cs.c ++++ b/drivers/net/ethernet/xircom/xirc2ps_cs.c +@@ -1582,7 +1582,7 @@ do_reset(struct net_device *dev, int full) + msleep(40); /* wait 40 msec to let it complete */ + } + if (full_duplex) +- PutByte(XIRCREG1_ECR, GetByte(XIRCREG1_ECR | FullDuplex)); ++ PutByte(XIRCREG1_ECR, GetByte(XIRCREG1_ECR) | FullDuplex); + } else { /* No MII */ + SelectPage(0); + value = GetByte(XIRCREG_ESR); /* read the ESR */ +-- +2.50.1 + diff --git a/queue-5.4/ax25-properly-unshare-skbs-in-ax25_kiss_rcv.patch b/queue-5.4/ax25-properly-unshare-skbs-in-ax25_kiss_rcv.patch new file mode 100644 index 0000000000..355845e8bc --- /dev/null +++ b/queue-5.4/ax25-properly-unshare-skbs-in-ax25_kiss_rcv.patch 
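Review bot: the fix turns the accidental read of register (XIRCREG1_ECR | FullDuplex) into a proper read-modify-write of XIRCREG1_ECR, which is what the surrounding code clearly meant. One thing to verify outside the hunk: the `else` branch calls SelectPage(0) before GetByte(XIRCREG_ESR), so the MII branch must likewise have page 1 selected by the time GetByte()/PutByte() touch XIRCREG1_ECR; if the preceding msleep()/MII sequence leaves another page selected, the now-correct address still hits the wrong register.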
@@ -0,0 +1,59 @@ +From 9f23391db0127f2e649b4b05da5d0e32f544ee73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Sep 2025 12:46:42 +0000 +Subject: ax25: properly unshare skbs in ax25_kiss_rcv() + +From: Eric Dumazet + +[ Upstream commit 8156210d36a43e76372312c87eb5ea3dbb405a85 ] + +Bernard Pidoux reported a regression apparently caused by commit +c353e8983e0d ("net: introduce per netns packet chains"). + +skb->dev becomes NULL and we crash in __netif_receive_skb_core(). + +Before above commit, different kind of bugs or corruptions could happen +without a major crash. + +But the root cause is that ax25_kiss_rcv() can queue/mangle input skb +without checking if this skb is shared or not. + +Many thanks to Bernard Pidoux for his help, diagnosis and tests. + +We had a similar issue years ago fixed with commit 7aaed57c5c28 +("phonet: properly unshare skbs in phonet_rcv()"). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Bernard Pidoux +Closes: https://lore.kernel.org/netdev/1713f383-c538-4918-bc64-13b3288cd542@free.fr/ +Tested-by: Bernard Pidoux +Signed-off-by: Eric Dumazet +Cc: Joerg Reuter +Cc: David Ranch +Cc: Folkert van Heusden +Reviewed-by: Dan Cross +Link: https://patch.msgid.link/20250902124642.212705-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ax25/ax25_in.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/ax25/ax25_in.c b/net/ax25/ax25_in.c +index dcdbaeeb2358a..506a88b2357bf 100644 +--- a/net/ax25/ax25_in.c ++++ b/net/ax25/ax25_in.c +@@ -433,6 +433,10 @@ static int ax25_rcv(struct sk_buff *skb, struct net_device *dev, + int ax25_kiss_rcv(struct sk_buff *skb, struct net_device *dev, + struct packet_type *ptype, struct net_device *orig_dev) + { ++ skb = skb_share_check(skb, GFP_ATOMIC); ++ if (!skb) ++ return NET_RX_DROP; ++ + skb_orphan(skb); + + if (!net_eq(dev_net(dev), &init_net)) { +-- +2.50.1 + 
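Review bot: skb_share_check() is placed before skb_orphan(), which is the right order, since skb_orphan() itself mutates the skb (it drops the socket owner) and would already be a write to a buffer another packet_type handler may still hold. Because the function may now be working on a clone, every later exit in ax25_kiss_rcv() that frees `skb` (including the non-init_net drop that starts a few lines down) still releases the right object, but any path that returns without freeing would now leak the clone rather than the original; worth one pass over the remaining returns. Returning NET_RX_DROP on allocation failure matches the phonet fix the commit message cites.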
diff --git a/queue-5.4/bluetooth-fix-use-after-free-in-l2cap_sock_cleanup_l.patch b/queue-5.4/bluetooth-fix-use-after-free-in-l2cap_sock_cleanup_l.patch new file mode 100644 index 0000000000..561d5698f5 --- /dev/null +++ b/queue-5.4/bluetooth-fix-use-after-free-in-l2cap_sock_cleanup_l.patch 
@@ -0,0 +1,171 @@ +From 8b77bc5378d526a64cb4287c795944588b545f7d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Aug 2025 20:40:14 +0000 +Subject: Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen() + +From: Kuniyuki Iwashima + +[ Upstream commit 862c628108562d8c7a516a900034823b381d3cba ] + +syzbot reported the splat below without a repro. + +In the splat, a single thread calling bt_accept_dequeue() freed sk +and touched it after that. + +The root cause would be the racy l2cap_sock_cleanup_listen() call +added by the cited commit. + +bt_accept_dequeue() is called under lock_sock() except for +l2cap_sock_release(). + +Two threads could see the same socket during the list iteration +in bt_accept_dequeue(): + + CPU1 CPU2 (close()) + ---- ---- + sock_hold(sk) sock_hold(sk); + lock_sock(sk) <-- block close() + sock_put(sk) + bt_accept_unlink(sk) + sock_put(sk) <-- refcnt by bt_accept_enqueue() + release_sock(sk) + lock_sock(sk) + sock_put(sk) + bt_accept_unlink(sk) + sock_put(sk) <-- last refcnt + bt_accept_unlink(sk) <-- UAF + +Depending on the timing, the other thread could show up in the +"Freed by task" part. + +Let's call l2cap_sock_cleanup_listen() under lock_sock() in +l2cap_sock_release(). 
+ +[0]: +BUG: KASAN: slab-use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline] +BUG: KASAN: slab-use-after-free in do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115 +Read of size 4 at addr ffff88803b7eb1c4 by task syz.5.3276/16995 +CPU: 3 UID: 0 PID: 16995 Comm: syz.5.3276 Not tainted syzkaller #0 PREEMPT(full) +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0xcd/0x630 mm/kasan/report.c:482 + kasan_report+0xe0/0x110 mm/kasan/report.c:595 + debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline] + do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115 + spin_lock_bh include/linux/spinlock.h:356 [inline] + release_sock+0x21/0x220 net/core/sock.c:3746 + bt_accept_dequeue+0x505/0x600 net/bluetooth/af_bluetooth.c:312 + l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451 + l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425 + __sock_release+0xb3/0x270 net/socket.c:649 + sock_close+0x1c/0x30 net/socket.c:1439 + __fput+0x3ff/0xb70 fs/file_table.c:468 + task_work_run+0x14d/0x240 kernel/task_work.c:227 + resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] + exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43 + exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline] + syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline] + syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline] + do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f2accf8ebe9 +Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff 
f7 d8 64 89 01 48 +RSP: 002b:00007ffdb6cb1378 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 +RAX: 0000000000000000 RBX: 00000000000426fb RCX: 00007f2accf8ebe9 +RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 +RBP: 00007f2acd1b7da0 R08: 0000000000000001 R09: 00000012b6cb166f +R10: 0000001b30e20000 R11: 0000000000000246 R12: 00007f2acd1b609c +R13: 00007f2acd1b6090 R14: ffffffffffffffff R15: 00007ffdb6cb1490 + + +Allocated by task 5326: + kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 + kasan_save_track+0x14/0x30 mm/kasan/common.c:68 + poison_kmalloc_redzone mm/kasan/common.c:388 [inline] + __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:405 + kasan_kmalloc include/linux/kasan.h:260 [inline] + __do_kmalloc_node mm/slub.c:4365 [inline] + __kmalloc_noprof+0x223/0x510 mm/slub.c:4377 + kmalloc_noprof include/linux/slab.h:909 [inline] + sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2239 + sk_alloc+0x36/0xc20 net/core/sock.c:2295 + bt_sock_alloc+0x3b/0x3a0 net/bluetooth/af_bluetooth.c:151 + l2cap_sock_alloc.constprop.0+0x33/0x1d0 net/bluetooth/l2cap_sock.c:1894 + l2cap_sock_new_connection_cb+0x101/0x240 net/bluetooth/l2cap_sock.c:1482 + l2cap_connect_cfm+0x4c4/0xf80 net/bluetooth/l2cap_core.c:7287 + hci_connect_cfm include/net/bluetooth/hci_core.h:2050 [inline] + hci_remote_features_evt+0x4dd/0x970 net/bluetooth/hci_event.c:3712 + hci_event_func net/bluetooth/hci_event.c:7519 [inline] + hci_event_packet+0xa0d/0x11c0 net/bluetooth/hci_event.c:7573 + hci_rx_work+0x2c5/0x16b0 net/bluetooth/hci_core.c:4071 + process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236 + process_scheduled_works kernel/workqueue.c:3319 [inline] + worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400 + kthread+0x3c2/0x780 kernel/kthread.c:463 + ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 + +Freed by task 16995: + kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 + kasan_save_track+0x14/0x30 mm/kasan/common.c:68 + 
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576 + poison_slab_object mm/kasan/common.c:243 [inline] + __kasan_slab_free+0x60/0x70 mm/kasan/common.c:275 + kasan_slab_free include/linux/kasan.h:233 [inline] + slab_free_hook mm/slub.c:2417 [inline] + slab_free mm/slub.c:4680 [inline] + kfree+0x2b4/0x4d0 mm/slub.c:4879 + sk_prot_free net/core/sock.c:2278 [inline] + __sk_destruct+0x75f/0x9a0 net/core/sock.c:2373 + sk_destruct+0xc2/0xf0 net/core/sock.c:2401 + __sk_free+0xf4/0x3e0 net/core/sock.c:2412 + sk_free+0x6a/0x90 net/core/sock.c:2423 + sock_put include/net/sock.h:1960 [inline] + bt_accept_unlink+0x245/0x2e0 net/bluetooth/af_bluetooth.c:262 + bt_accept_dequeue+0x517/0x600 net/bluetooth/af_bluetooth.c:308 + l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451 + l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425 + __sock_release+0xb3/0x270 net/socket.c:649 + sock_close+0x1c/0x30 net/socket.c:1439 + __fput+0x3ff/0xb70 fs/file_table.c:468 + task_work_run+0x14d/0x240 kernel/task_work.c:227 + resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] + exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43 + exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline] + syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline] + syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline] + do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: 1728137b33c0 ("Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb") +Reported-by: syzbot+e5e64cdf8e92046dd3e1@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/linux-bluetooth/68af6b9d.a70a0220.3cafd4.0032.GAE@google.com/ +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_sock.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c +index 
93df53f2b76e3..dfffc5bb292dd 100644 +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -1226,7 +1226,10 @@ static int l2cap_sock_release(struct socket *sock) + if (!sk) + return 0; + ++ lock_sock_nested(sk, L2CAP_NESTING_PARENT); + l2cap_sock_cleanup_listen(sk); ++ release_sock(sk); ++ + bt_sock_unlink(&l2cap_sk_list, sk); + + err = l2cap_sock_shutdown(sock, 2); +-- +2.50.1 + diff --git a/queue-5.4/i40e-fix-potential-invalid-access-when-mac-list-is-e.patch b/queue-5.4/i40e-fix-potential-invalid-access-when-mac-list-is-e.patch new file mode 100644 index 0000000000..0fc0dcc709 --- /dev/null +++ b/queue-5.4/i40e-fix-potential-invalid-access-when-mac-list-is-e.patch 
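Review bot: the l2cap_sock_release() hunk takes the listener lock with lock_sock_nested(sk, L2CAP_NESTING_PARENT) around l2cap_sock_cleanup_listen(sk), which closes the window in the CPU1/CPU2 diagram where two threads walk the accept queue and the second bt_accept_unlink() runs on an already freed child. The nested annotation is needed because, per the diagram and the commit message, bt_accept_dequeue() takes lock_sock() on each child while the parent is locked, and a plain lock_sock() would trip lockdep. Two things to confirm for the 5.4 backport: that L2CAP_NESTING_PARENT exists in this tree, and that l2cap_sock_shutdown(sock, 2) a few lines below does not expect the parent lock to still be held, since release_sock(sk) now runs before bt_sock_unlink().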
@@ -0,0 +1,42 @@ +From 562fa2e31fafb2513a3006238ea9dd05bb2d94d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Aug 2025 19:56:31 +0800 +Subject: i40e: Fix potential invalid access when MAC list is empty + +From: Zhen Ni + +[ Upstream commit a556f06338e1d5a85af0e32ecb46e365547f92b9 ] + +list_first_entry() never returns NULL - if the list is empty, it still +returns a pointer to an invalid object, leading to potential invalid +memory access when dereferenced. + +Fix this by using list_first_entry_or_null instead of list_first_entry. + +Fixes: e3219ce6a775 ("i40e: Add support for client interface for IWARP driver") +Signed-off-by: Zhen Ni +Reviewed-by: Paul Menzel +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_client.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_client.c b/drivers/net/ethernet/intel/i40e/i40e_client.c +index 10125b02d1543..b7c3625aec154 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_client.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_client.c +@@ -320,8 +320,8 @@ static void i40e_client_add_instance(struct i40e_pf *pf) + return; + } + +- mac = list_first_entry(&cdev->lan_info.netdev->dev_addrs.list, +- struct netdev_hw_addr, list); ++ mac = list_first_entry_or_null(&cdev->lan_info.netdev->dev_addrs.list, ++ struct netdev_hw_addr, list); + if (mac) + ether_addr_copy(cdev->lan_info.lanmac, mac->addr); + else +-- +2.50.1 + diff --git a/queue-5.4/icmp-fix-icmp_ndo_send-address-translation-for-reply.patch b/queue-5.4/icmp-fix-icmp_ndo_send-address-translation-for-reply.patch new file mode 100644 index 0000000000..6a2b1a83fc --- /dev/null +++ b/queue-5.4/icmp-fix-icmp_ndo_send-address-translation-for-reply.patch 
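Review bot: with list_first_entry_or_null() the existing `if (mac) ... else` in i40e_client_add_instance() actually branches: before this change list_first_entry() returned a pointer computed from the list head itself when dev_addrs.list was empty, so `mac` was never NULL, the else path was unreachable and mac->addr read past the head. No functional concern with the hunk; the continuation line is re-aligned to the new opening parenthesis, so the alignment checkpatch expects is preserved.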
@@ -0,0 +1,110 @@ +From 1d26751a90a549fa0059e1d8502de71abf012f64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Aug 2025 11:14:35 +0200 +Subject: icmp: fix icmp_ndo_send address translation for reply direction +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Fabian Bläse + +[ Upstream commit c6dd1aa2cbb72b33e0569f3e71d95792beab5042 ] + +The icmp_ndo_send function was originally introduced to ensure proper +rate limiting when icmp_send is called by a network device driver, +where the packet's source address may have already been transformed +by SNAT. + +However, the original implementation only considers the +IP_CT_DIR_ORIGINAL direction for SNAT and always replaced the packet's +source address with that of the original-direction tuple. This causes +two problems: + +1. For SNAT: + Reply-direction packets were incorrectly translated using the source + address of the CT original direction, even though no translation is + required. + +2. For DNAT: + Reply-direction packets were not handled at all. In DNAT, the original + direction's destination is translated. Therefore, in the reply + direction the source address must be set to the reply-direction + source, so rate limiting works as intended. + +Fix this by using the connection direction to select the correct tuple +for source address translation, and adjust the pre-checks to handle +reply-direction packets in case of DNAT. + +Additionally, wrap the `ct->status` access in READ_ONCE(). This avoids +possible KCSAN reports about concurrent updates to `ct->status`. + +Fixes: 0b41713b6066 ("icmp: introduce helper for nat'd source address in network device context") +Signed-off-by: Fabian Bläse +Cc: Jason A. 
Donenfeld +Reviewed-by: Florian Westphal +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/icmp.c | 6 ++++-- + net/ipv6/ip6_icmp.c | 6 ++++-- + 2 files changed, 8 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c +index ac82a4158b86b..875424c428e66 100644 +--- a/net/ipv4/icmp.c ++++ b/net/ipv4/icmp.c +@@ -790,11 +790,12 @@ void icmp_ndo_send(struct sk_buff *skb_in, int type, int code, __be32 info) + struct sk_buff *cloned_skb = NULL; + struct ip_options opts = { 0 }; + enum ip_conntrack_info ctinfo; ++ enum ip_conntrack_dir dir; + struct nf_conn *ct; + __be32 orig_ip; + + ct = nf_ct_get(skb_in, &ctinfo); +- if (!ct || !(ct->status & IPS_SRC_NAT)) { ++ if (!ct || !(READ_ONCE(ct->status) & IPS_NAT_MASK)) { + __icmp_send(skb_in, type, code, info, &opts); + return; + } +@@ -809,7 +810,8 @@ void icmp_ndo_send(struct sk_buff *skb_in, int type, int code, __be32 info) + goto out; + + orig_ip = ip_hdr(skb_in)->saddr; +- ip_hdr(skb_in)->saddr = ct->tuplehash[0].tuple.src.u3.ip; ++ dir = CTINFO2DIR(ctinfo); ++ ip_hdr(skb_in)->saddr = ct->tuplehash[dir].tuple.src.u3.ip; + __icmp_send(skb_in, type, code, info, &opts); + ip_hdr(skb_in)->saddr = orig_ip; + out: +diff --git a/net/ipv6/ip6_icmp.c b/net/ipv6/ip6_icmp.c +index 9e3574880cb03..233914b63bdb8 100644 +--- a/net/ipv6/ip6_icmp.c ++++ b/net/ipv6/ip6_icmp.c +@@ -54,11 +54,12 @@ void icmpv6_ndo_send(struct sk_buff *skb_in, u8 type, u8 code, __u32 info) + struct inet6_skb_parm parm = { 0 }; + struct sk_buff *cloned_skb = NULL; + enum ip_conntrack_info ctinfo; ++ enum ip_conntrack_dir dir; + struct in6_addr orig_ip; + struct nf_conn *ct; + + ct = nf_ct_get(skb_in, &ctinfo); +- if (!ct || !(ct->status & IPS_SRC_NAT)) { ++ if (!ct || !(READ_ONCE(ct->status) & IPS_NAT_MASK)) { + __icmpv6_send(skb_in, type, code, info, &parm); + return; + } +@@ -73,7 +74,8 @@ void icmpv6_ndo_send(struct sk_buff *skb_in, u8 type, u8 code, __u32 info) + goto out; + + orig_ip = 
ipv6_hdr(skb_in)->saddr; +- ipv6_hdr(skb_in)->saddr = ct->tuplehash[0].tuple.src.u3.in6; ++ dir = CTINFO2DIR(ctinfo); ++ ipv6_hdr(skb_in)->saddr = ct->tuplehash[dir].tuple.src.u3.in6; + __icmpv6_send(skb_in, type, code, info, &parm); + ipv6_hdr(skb_in)->saddr = orig_ip; + out: +-- +2.50.1 + diff --git a/queue-5.4/ipv4-fix-null-vs-error-pointer-check-in-inet_blackho.patch b/queue-5.4/ipv4-fix-null-vs-error-pointer-check-in-inet_blackho.patch new file mode 100644 index 0000000000..37a2b1fd61 --- /dev/null +++ b/queue-5.4/ipv4-fix-null-vs-error-pointer-check-in-inet_blackho.patch @@ -0,0 +1,48 @@ +From 9752d736d95b54eef609e8b0169b2e7758aa373f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Sep 2025 09:36:08 +0300 +Subject: ipv4: Fix NULL vs error pointer check in inet_blackhole_dev_init() + +From: Dan Carpenter + +[ Upstream commit a51160f8da850a65afbf165f5bbac7ffb388bf74 ] + +The inetdev_init() function never returns NULL. Check for error +pointers instead. + +Fixes: 22600596b675 ("ipv4: give an IPv4 dev to blackhole_netdev") +Signed-off-by: Dan Carpenter +Reviewed-by: Simon Horman +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/aLaQWL9NguWmeM1i@stanley.mountain +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/devinet.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c +index 6855372d57a34..b4fb75be24d9c 100644 +--- a/net/ipv4/devinet.c ++++ b/net/ipv4/devinet.c +@@ -332,14 +332,13 @@ static void inetdev_destroy(struct in_device *in_dev) + + static int __init inet_blackhole_dev_init(void) + { +- int err = 0; ++ struct in_device *in_dev; + + rtnl_lock(); +- if (!inetdev_init(blackhole_netdev)) +- err = -ENOMEM; ++ in_dev = inetdev_init(blackhole_netdev); + rtnl_unlock(); + +- return err; ++ return PTR_ERR_OR_ZERO(in_dev); + } + late_initcall(inet_blackhole_dev_init); + +-- +2.50.1 + 
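Review bot: in both the icmp.c and ip6_icmp.c hunks the direction-aware lookup `ct->tuplehash[dir].tuple.src` with `dir = CTINFO2DIR(ctinfo)` replaces the hard-coded `tuplehash[0]` (the original direction), and the gate widens from IPS_SRC_NAT to IPS_NAT_MASK so DNAT connections are no longer skipped; the two files stay symmetric, which is what you want. One consequence worth noting for the backport: the wider gate now admits SNAT connections seen in the reply direction, for which the commit message says no translation is needed; that case relies on the reply tuple's source equalling the packet's current source address, so the swap is a no-op rather than a wrong address. READ_ONCE() on ct->status is a harmless KCSAN annotation with no semantic change.

Review bot: PTR_ERR_OR_ZERO(in_dev) in the inet_blackhole_dev_init() hunk fixes the check (inetdev_init() returns an ERR_PTR on failure, so the old `!inetdev_init(...)` test could never detect an error) and also propagates the real errno instead of a blanket -ENOMEM. The in_dev pointer is used only for the return value, which is fine because the in_device is attached to blackhole_netdev rather than owned here; the rtnl_lock()/rtnl_unlock() pairing is unchanged.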
diff --git a/queue-5.4/misdn-fix-memory-leak-in-dsp_hwec_enable.patch b/queue-5.4/misdn-fix-memory-leak-in-dsp_hwec_enable.patch new file mode 100644 index 0000000000..ce92a45618 --- /dev/null +++ b/queue-5.4/misdn-fix-memory-leak-in-dsp_hwec_enable.patch @@ -0,0 +1,53 @@ +From f08221a3baf69001e42a9f32037a689c73f03e3d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Aug 2025 16:14:57 +0800 +Subject: mISDN: Fix memory leak in dsp_hwec_enable() + +From: Miaoqian Lin + +[ Upstream commit 0704a3da7ce50f972e898bbda88d2692a22922d9 ] + +dsp_hwec_enable() allocates dup pointer by kstrdup(arg), +but then it updates dup variable by strsep(&dup, ","). +As a result when it calls kfree(dup), the dup variable may be +a modified pointer that no longer points to the original allocated +memory, causing a memory leak. + +The issue is the same pattern as fixed in commit c6a502c22999 +("mISDN: Fix memory leak in dsp_pipeline_build()"). + +Fixes: 9a4381618262 ("mISDN: Remove VLAs") +Signed-off-by: Miaoqian Lin +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250828081457.36061-1-linmq006@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/isdn/mISDN/dsp_hwec.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/isdn/mISDN/dsp_hwec.c b/drivers/isdn/mISDN/dsp_hwec.c +index 0b3f29195330a..0cd216e28f009 100644 +--- a/drivers/isdn/mISDN/dsp_hwec.c ++++ b/drivers/isdn/mISDN/dsp_hwec.c +@@ -51,14 +51,14 @@ void dsp_hwec_enable(struct dsp *dsp, const char *arg) + goto _do; + + { +- char *dup, *tok, *name, *val; ++ char *dup, *next, *tok, *name, *val; + int tmp; + +- dup = kstrdup(arg, GFP_ATOMIC); ++ dup = next = kstrdup(arg, GFP_ATOMIC); + if (!dup) + return; + +- while ((tok = strsep(&dup, ","))) { ++ while ((tok = strsep(&next, ","))) { + if (!strlen(tok)) + continue; + name = strsep(&tok, "="); +-- +2.50.1 + 
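Review bot: introducing `next` in the dsp_hwec_enable() hunk keeps `dup` pointing at the kstrdup() allocation while strsep(&next, ",") walks the string, so the kfree(dup) the commit message describes (outside this hunk) now frees the original pointer. The inner strsep(&tok, "=") is unaffected: it advances `tok`, which points into the same buffer, never the base pointer. Since the hunk context does not show the tail of the loop, it is worth confirming in the backport that every exit from the block still reaches the kfree(dup).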
diff --git a/queue-5.4/net-atm-fix-memory-leak-in-atm_register_sysfs-when-d.patch b/queue-5.4/net-atm-fix-memory-leak-in-atm_register_sysfs-when-d.patch new file mode 100644 index 0000000000..0194f73bb2 --- /dev/null +++ b/queue-5.4/net-atm-fix-memory-leak-in-atm_register_sysfs-when-d.patch 
@@ -0,0 +1,78 @@ +From 513e9bb448bbe38960f092674eea214c6100db47 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Sep 2025 14:35:37 +0800 +Subject: net: atm: fix memory leak in atm_register_sysfs when device_register + fail + +From: Wang Liang + +[ Upstream commit 0a228624bcc00af41f281a2a84c928595a74c17d ] + +When device_register() return error in atm_register_sysfs(), which can be +triggered by kzalloc fail in device_private_init() or other reasons, +kmemleak reports the following memory leaks: + +unreferenced object 0xffff88810182fb80 (size 8): + comm "insmod", pid 504, jiffies 4294852464 + hex dump (first 8 bytes): + 61 64 75 6d 6d 79 30 00 adummy0. + backtrace (crc 14dfadaf): + __kmalloc_node_track_caller_noprof+0x335/0x450 + kvasprintf+0xb3/0x130 + kobject_set_name_vargs+0x45/0x120 + dev_set_name+0xa9/0xe0 + atm_register_sysfs+0xf3/0x220 + atm_dev_register+0x40b/0x780 + 0xffffffffa000b089 + do_one_initcall+0x89/0x300 + do_init_module+0x27b/0x7d0 + load_module+0x54cd/0x5ff0 + init_module_from_file+0xe4/0x150 + idempotent_init_module+0x32c/0x610 + __x64_sys_finit_module+0xbd/0x120 + do_syscall_64+0xa8/0x270 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +When device_create_file() return error in atm_register_sysfs(), the same +issue also can be triggered. + +Function put_device() should be called to release kobj->name memory and +other device resource, instead of kfree(). 
+ +Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array") +Signed-off-by: Wang Liang +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250901063537.1472221-1-wangliang74@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/atm/resources.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/atm/resources.c b/net/atm/resources.c +index e244c2576d1e0..a00799254e2d6 100644 +--- a/net/atm/resources.c ++++ b/net/atm/resources.c +@@ -114,7 +114,9 @@ struct atm_dev *atm_dev_register(const char *type, struct device *parent, + + if (atm_proc_dev_register(dev) < 0) { + pr_err("atm_proc_dev_register failed for dev %s\n", type); +- goto out_fail; ++ mutex_unlock(&atm_dev_mutex); ++ kfree(dev); ++ return NULL; + } + + if (atm_register_sysfs(dev, parent) < 0) { +@@ -130,7 +132,7 @@ struct atm_dev *atm_dev_register(const char *type, struct device *parent, + return dev; + + out_fail: +- kfree(dev); ++ put_device(&dev->class_dev); + dev = NULL; + goto out; + } +-- +2.50.1 + diff --git a/queue-5.4/net-ethernet-mtk_eth_soc-fix-tx-vlan-tag-for-llc-pac.patch b/queue-5.4/net-ethernet-mtk_eth_soc-fix-tx-vlan-tag-for-llc-pac.patch new file mode 100644 index 0000000000..923926f6e8 --- /dev/null +++ b/queue-5.4/net-ethernet-mtk_eth_soc-fix-tx-vlan-tag-for-llc-pac.patch 
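Review bot: the out_fail hunk is right to switch from kfree(dev) to put_device(&dev->class_dev): once atm_register_sysfs() has called dev_set_name() (the kvasprintf() frame in the kmemleak backtrace), the kobject owns the name allocation and only the release callback reached through put_device() can free it. That is also why the atm_proc_dev_register() failure is split into its own mutex_unlock()/kfree()/return NULL sequence: no device has been initialised at that point, so put_device() would be wrong there. One thing to verify, not visible in the hunk, is that the class_dev release callback frees the containing atm_dev, since kfree(dev) is no longer called on the sysfs failure path.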
@@ -0,0 +1,55 @@ +From ae669bb27c600400bee9ff5f6c98549ad70d7366 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Aug 2025 20:20:07 +0200 +Subject: net: ethernet: mtk_eth_soc: fix tx vlan tag for llc packets + +From: Felix Fietkau + +[ Upstream commit d4736737110ffa83d29f1c5d17b26113864205f6 ] + +When sending llc packets with vlan tx offload, the hardware fails to +actually add the tag. Deal with this by fixing it up in software. + +Fixes: 656e705243fd ("net-next: mediatek: add support for MT7623 ethernet") +Reported-by: Thibaut VARENE +Signed-off-by: Felix Fietkau +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250831182007.51619-1-nbd@nbd.name +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mediatek/mtk_eth_soc.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +index 7b9f5eba78dcc..6ab4c84bc22ef 100644 +--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c ++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +@@ -1173,6 +1173,13 @@ static int mtk_start_xmit(struct sk_buff *skb, struct net_device *dev) + bool gso = false; + int tx_num; + ++ if (skb_vlan_tag_present(skb) && ++ !eth_proto_is_802_3(eth_hdr(skb)->h_proto)) { ++ skb = __vlan_hwaccel_push_inside(skb); ++ if (!skb) ++ goto dropped; ++ } ++ + /* normally we can rely on the stack not calling this more than once, + * however we have 2 queues running on the same ring so we need to lock + * the ring access +@@ -1218,8 +1225,9 @@ static int mtk_start_xmit(struct sk_buff *skb, struct net_device *dev) + + drop: + spin_unlock(ð->page_lock); +- stats->tx_dropped++; + dev_kfree_skb_any(skb); ++dropped: ++ stats->tx_dropped++; + return NETDEV_TX_OK; + } + +-- +2.50.1 + 
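Review bot: the new block at the top of mtk_start_xmit() pushes the VLAN tag into the frame in software when the type field is not a real EtherType (eth_proto_is_802_3() is false for the length values LLC frames carry), so the offload path the commit message says mishandles these frames is bypassed. The `dropped:` label is placed after dev_kfree_skb_any() rather than at `drop:` because __vlan_hwaccel_push_inside() frees the skb itself and returns NULL on failure, and `drop:` also releases the page_lock spinlock, which is not yet held at that point. Moving stats->tx_dropped++ below the label keeps the counter on the existing drop path as well.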
diff --git a/queue-5.4/net-thunder_bgx-add-a-missing-of_node_put.patch b/queue-5.4/net-thunder_bgx-add-a-missing-of_node_put.patch new file mode 100644 index 0000000000..a6d478b69f --- /dev/null +++ b/queue-5.4/net-thunder_bgx-add-a-missing-of_node_put.patch @@ -0,0 +1,53 @@ +From 56b1cdac0364e30c03f927bbec0ebe96e0197d88 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Sep 2025 14:30:18 -0700 +Subject: net: thunder_bgx: add a missing of_node_put + +From: Rosen Penev + +[ Upstream commit 9d28f94912589f04ab51fbccaef287d4f40e0d1f ] + +phy_np needs to get freed, just like the other child nodes. + +Fixes: 5fc7cf179449 ("net: thunderx: Cleanup PHY probing code.") +Signed-off-by: Rosen Penev +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250901213018.47392-1-rosenp@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/cavium/thunder/thunder_bgx.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c +index 8854025610e64..e3acbdbc80993 100644 +--- a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c ++++ b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c +@@ -1497,13 +1497,17 @@ static int bgx_init_of_phy(struct bgx *bgx) + * this cortina phy, for which there is no driver + * support, ignore it. + */ +- if (phy_np && +- !of_device_is_compatible(phy_np, "cortina,cs4223-slice")) { +- /* Wait until the phy drivers are available */ +- pd = of_phy_find_device(phy_np); +- if (!pd) +- goto defer; +- bgx->lmac[lmac].phydev = pd; ++ if (phy_np) { ++ if (!of_device_is_compatible(phy_np, "cortina,cs4223-slice")) { ++ /* Wait until the phy drivers are available */ ++ pd = of_phy_find_device(phy_np); ++ if (!pd) { ++ of_node_put(phy_np); ++ goto defer; ++ } ++ bgx->lmac[lmac].phydev = pd; ++ } ++ of_node_put(phy_np); + } + + lmac++; +-- +2.50.1 + 
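Review bot: the restructured bgx_init_of_phy() hunk now drops the phy_np reference on all three exits: the cortina-slice skip, the -EPROBE_DEFER path (of_node_put(phy_np) before goto defer) and the normal path after phydev is stored; previously no path released it. The extra nesting level is the price of keeping a single put at the end of the if (phy_np) block; an alternative with the same effect would be a put right after of_phy_find_device(), since pd carries its own device reference from that point, but the shape here is readable enough.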
diff --git a/queue-5.4/net-thunder_bgx-decrement-cleanup-index-before-use.patch b/queue-5.4/net-thunder_bgx-decrement-cleanup-index-before-use.patch new file mode 100644 index 0000000000..2b2c2e2623 --- /dev/null +++ b/queue-5.4/net-thunder_bgx-decrement-cleanup-index-before-use.patch @@ -0,0 +1,44 @@ +From 9f58a02d8c8943a28107da393f9d5b31a31fd018 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Sep 2025 14:33:14 -0700 +Subject: net: thunder_bgx: decrement cleanup index before use + +From: Rosen Penev + +[ Upstream commit 9e3d71a92e561ccc77025689dab25d201fee7a3e ] + +All paths in probe that call goto defer do so before assigning phydev +and thus it makes sense to cleanup the prior index. It also fixes a bug +where index 0 does not get cleaned up. + +Fixes: b7d3e3d3d21a ("net: thunderx: Don't leak phy device references on -EPROBE_DEFER condition.") +Signed-off-by: Rosen Penev +Reviewed-by: Vadim Fedorenko +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250901213314.48599-1-rosenp@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c +index e3acbdbc80993..8f4f831237cd2 100644 +--- a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c ++++ b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c +@@ -1523,11 +1523,11 @@ static int bgx_init_of_phy(struct bgx *bgx) + * for phy devices we may have already found. + */ + while (lmac) { ++ lmac--; + if (bgx->lmac[lmac].phydev) { + put_device(&bgx->lmac[lmac].phydev->mdio.dev); + bgx->lmac[lmac].phydev = NULL; + } +- lmac--; + } + of_node_put(node); + return -EPROBE_DEFER; +-- +2.50.1 + 
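Review bot: moving `lmac--` ahead of the `if (bgx->lmac[lmac].phydev)` test fixes two things in the defer cleanup loop: index 0 is now visited (the old loop stopped when lmac reached 0 before testing it), and the first iteration no longer reads bgx->lmac[lmac] for the one-past-the-end value, because the preceding patch shows `lmac++` running after each phydev assignment, so on entry lmac is a count, not an index. The index line (e3acbdbc80993 is the post-image of the of_node_put patch) confirms this applies on top of that change, and the series file orders them accordingly.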
diff --git a/queue-5.4/netfilter-conntrack-helper-replace-eexist-by-ebusy.patch b/queue-5.4/netfilter-conntrack-helper-replace-eexist-by-ebusy.patch new file mode 100644 index 0000000000..786508f42e --- /dev/null +++ b/queue-5.4/netfilter-conntrack-helper-replace-eexist-by-ebusy.patch @@ -0,0 +1,50 @@ +From ffb66390c04d7f2cf1ab36f7c22b1202099af629 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Aug 2025 13:22:20 +0200 +Subject: netfilter: conntrack: helper: Replace -EEXIST by -EBUSY + +From: Phil Sutter + +[ Upstream commit 54416fd76770bd04fc3c501810e8d673550bab26 ] + +The helper registration return value is passed-through by module_init +callbacks which modprobe confuses with the harmless -EEXIST returned +when trying to load an already loaded module. + +Make sure modprobe fails so users notice their helper has not been +registered and won't work. + +Suggested-by: Christophe Leroy +Fixes: 12f7a505331e ("netfilter: add user-space connection tracking helper infrastructure") +Signed-off-by: Phil Sutter +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_helper.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c +index 32cc91f5ba99f..89174c91053ed 100644 +--- a/net/netfilter/nf_conntrack_helper.c ++++ b/net/netfilter/nf_conntrack_helper.c +@@ -417,7 +417,7 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me) + (cur->tuple.src.l3num == NFPROTO_UNSPEC || + cur->tuple.src.l3num == me->tuple.src.l3num) && + cur->tuple.dst.protonum == me->tuple.dst.protonum) { +- ret = -EEXIST; ++ ret = -EBUSY; + goto out; + } + } +@@ -428,7 +428,7 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me) + hlist_for_each_entry(cur, &nf_ct_helper_hash[h], hnode) { + if (nf_ct_tuple_src_mask_cmp(&cur->tuple, &me->tuple, + &mask)) { +- ret = -EEXIST; ++ ret = -EBUSY; + goto out; + } + } +-- +2.50.1 + 
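Review bot: both duplicate-registration branches in nf_conntrack_helper_register() switch from -EEXIST to -EBUSY so the value a helper module passes through from its init function is no longer mistaken by modprobe for the already-loaded case, as the commit message describes. Worth grepping callers of nf_conntrack_helper_register() in the 5.4 tree for an explicit `== -EEXIST` comparison, since any such caller would now miss the duplicate case; none is visible in the hunks.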
diff --git a/queue-5.4/ppp-fix-memory-leak-in-pad_compress_skb.patch b/queue-5.4/ppp-fix-memory-leak-in-pad_compress_skb.patch new file mode 100644 index 0000000000..6d425083c2 --- /dev/null +++ b/queue-5.4/ppp-fix-memory-leak-in-pad_compress_skb.patch 
@@ -0,0 +1,66 @@ +From cd803beaa7d3c89f55214acd4105ec09383aafbb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Sep 2025 18:07:26 +0800 +Subject: ppp: fix memory leak in pad_compress_skb + +From: Qingfang Deng + +[ Upstream commit 4844123fe0b853a4982c02666cb3fd863d701d50 ] + +If alloc_skb() fails in pad_compress_skb(), it returns NULL without +releasing the old skb. The caller does: + + skb = pad_compress_skb(ppp, skb); + if (!skb) + goto drop; + +drop: + kfree_skb(skb); + +When pad_compress_skb() returns NULL, the reference to the old skb is +lost and kfree_skb(skb) ends up doing nothing, leading to a memory leak. + +Align pad_compress_skb() semantics with realloc(): only free the old +skb if allocation and compression succeed. At the call site, use the +new_skb variable so the original skb is not lost when pad_compress_skb() +fails. + +Fixes: b3f9b92a6ec1 ("[PPP]: add PPP MPPE encryption module") +Signed-off-by: Qingfang Deng +Reviewed-by: Eric Dumazet +Reviewed-by: Yue Haibing +Link: https://patch.msgid.link/20250903100726.269839-1-dqfext@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ppp/ppp_generic.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c +index 7b9337e16d6e1..dd7c84e4b4986 100644 +--- a/drivers/net/ppp/ppp_generic.c ++++ b/drivers/net/ppp/ppp_generic.c +@@ -1528,7 +1528,6 @@ pad_compress_skb(struct ppp *ppp, struct sk_buff *skb) + */ + if (net_ratelimit()) + netdev_err(ppp->dev, "ppp: compressor dropped pkt\n"); +- kfree_skb(skb); + consume_skb(new_skb); + new_skb = NULL; + } +@@ -1630,9 +1629,10 @@ ppp_send_frame(struct ppp *ppp, struct sk_buff *skb) + "down - pkt dropped.\n"); + goto drop; + } +- skb = pad_compress_skb(ppp, skb); +- if (!skb) ++ new_skb = pad_compress_skb(ppp, skb); ++ if (!new_skb) + goto drop; ++ skb = new_skb; + } + + /* +-- +2.50.1 + 
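Review bot: the two hunks together change the ownership contract of pad_compress_skb(): removing kfree_skb(skb) from the compressor-dropped branch means the caller's skb is no longer freed on failure, and ppp_send_frame() now keeps the original in `skb` until `new_skb` is known to be non-NULL, so the `goto drop` path's kfree_skb(skb) frees the right buffer. Two things to confirm for the 5.4 backport, neither visible in the hunks: that `new_skb` is already declared in ppp_send_frame() (the hunk uses it without adding a declaration), and that the success path inside pad_compress_skb() still frees the old skb, otherwise the fix trades a leak on failure for a leak on success.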
diff --git a/queue-5.4/series b/queue-5.4/series index 36cd370593..a36333d3e4 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -1 +1,17 @@ powerpc-boot-remove-leading-zero-in-label-in-udelay.patch +wifi-cfg80211-fix-use-after-free-in-cmp_bss.patch +netfilter-conntrack-helper-replace-eexist-by-ebusy.patch +bluetooth-fix-use-after-free-in-l2cap_sock_cleanup_l.patch +xirc2ps_cs-fix-register-access-when-enabling-fulldup.patch +misdn-fix-memory-leak-in-dsp_hwec_enable.patch +icmp-fix-icmp_ndo_send-address-translation-for-reply.patch +i40e-fix-potential-invalid-access-when-mac-list-is-e.patch +net-ethernet-mtk_eth_soc-fix-tx-vlan-tag-for-llc-pac.patch +wifi-cw1200-cap-ssid-length-in-cw1200_do_join.patch +wifi-libertas-cap-ssid-len-in-lbs_associate.patch +net-thunder_bgx-add-a-missing-of_node_put.patch +net-thunder_bgx-decrement-cleanup-index-before-use.patch +ipv4-fix-null-vs-error-pointer-check-in-inet_blackho.patch +ax25-properly-unshare-skbs-in-ax25_kiss_rcv.patch +net-atm-fix-memory-leak-in-atm_register_sysfs-when-d.patch +ppp-fix-memory-leak-in-pad_compress_skb.patch diff --git a/queue-5.4/wifi-cfg80211-fix-use-after-free-in-cmp_bss.patch b/queue-5.4/wifi-cfg80211-fix-use-after-free-in-cmp_bss.patch new file mode 100644 index 0000000000..c651bb8871 --- /dev/null +++ b/queue-5.4/wifi-cfg80211-fix-use-after-free-in-cmp_bss.patch 
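Review bot: the 16 entries added to queue-5.4/series correspond one-to-one with the 16 new queue-5.4/*.patch files in this commit, and the order places net-thunder_bgx-add-a-missing-of_node_put.patch before net-thunder_bgx-decrement-cleanup-index-before-use.patch, which the second patch's index line requires.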
@@ -0,0 +1,43 @@ +From 878c4ec6a0ef6d1913198595c6d495160758a974 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Aug 2025 16:52:36 +0300 +Subject: wifi: cfg80211: fix use-after-free in cmp_bss() + +From: Dmitry Antipov + +[ Upstream commit 26e84445f02ce6b2fe5f3e0e28ff7add77f35e08 ] + +Following bss_free() quirk introduced in commit 776b3580178f +("cfg80211: track hidden SSID networks properly"), adjust +cfg80211_update_known_bss() to free the last beacon frame +elements only if they're not shared via the corresponding +'hidden_beacon_bss' pointer. + +Reported-by: syzbot+30754ca335e6fb7e3092@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=30754ca335e6fb7e3092 +Fixes: 3ab8227d3e7d ("cfg80211: refactor cfg80211_bss_update") +Signed-off-by: Dmitry Antipov +Link: https://patch.msgid.link/20250813135236.799384-1-dmantipov@yandex.ru +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/scan.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/wireless/scan.c b/net/wireless/scan.c +index 18398968b3ed7..33e6f41035506 100644 +--- a/net/wireless/scan.c ++++ b/net/wireless/scan.c +@@ -1219,7 +1219,8 @@ cfg80211_update_known_bss(struct cfg80211_registered_device *rdev, + */ + + f = rcu_access_pointer(new->pub.beacon_ies); +- kfree_rcu((struct cfg80211_bss_ies *)f, rcu_head); ++ if (!new->pub.hidden_beacon_bss) ++ kfree_rcu((struct cfg80211_bss_ies *)f, rcu_head); + return false; + } + +-- +2.50.1 + diff --git a/queue-5.4/wifi-cw1200-cap-ssid-length-in-cw1200_do_join.patch b/queue-5.4/wifi-cw1200-cap-ssid-length-in-cw1200_do_join.patch new file mode 100644 index 0000000000..294c7e2997 --- /dev/null +++ b/queue-5.4/wifi-cw1200-cap-ssid-length-in-cw1200_do_join.patch 
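Review bot: the cfg80211_update_known_bss() hunk guards kfree_rcu() of the beacon_ies element with `!new->pub.hidden_beacon_bss`, matching the bss_free() rule the commit message cites: when the hidden-SSID pointer is set the elements are shared with that beacon BSS and are freed with it, so freeing them here left a dangling pointer that cmp_bss() later dereferenced. The `f = rcu_access_pointer(...)` read stays unconditional, which is fine since it is only a pointer fetch.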
@@ -0,0 +1,36 @@ +From 4fa62ab288955803897881d318fb911fd91f218b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Aug 2025 15:48:28 +0300 +Subject: wifi: cw1200: cap SSID length in cw1200_do_join() + +From: Dan Carpenter + +[ Upstream commit f8f15f6742b8874e59c9c715d0af3474608310ad ] + +If the ssidie[1] length is more that 32 it leads to memory corruption. + +Fixes: a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets") +Signed-off-by: Dan Carpenter +Link: https://patch.msgid.link/e91fb43fcedc4893b604dfb973131661510901a7.1756456951.git.dan.carpenter@linaro.org +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/st/cw1200/sta.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/st/cw1200/sta.c b/drivers/net/wireless/st/cw1200/sta.c +index 236022d4ae2a3..0f2d1ec34cd82 100644 +--- a/drivers/net/wireless/st/cw1200/sta.c ++++ b/drivers/net/wireless/st/cw1200/sta.c +@@ -1289,7 +1289,7 @@ static void cw1200_do_join(struct cw1200_common *priv) + rcu_read_lock(); + ssidie = ieee80211_bss_get_ie(bss, WLAN_EID_SSID); + if (ssidie) { +- join.ssid_len = ssidie[1]; ++ join.ssid_len = min(ssidie[1], IEEE80211_MAX_SSID_LEN); + memcpy(join.ssid, &ssidie[2], join.ssid_len); + } + rcu_read_unlock(); +-- +2.50.1 + diff --git a/queue-5.4/wifi-libertas-cap-ssid-len-in-lbs_associate.patch b/queue-5.4/wifi-libertas-cap-ssid-len-in-lbs_associate.patch new file mode 100644 index 0000000000..e3db4bdcb2 --- /dev/null +++ b/queue-5.4/wifi-libertas-cap-ssid-len-in-lbs_associate.patch 
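Review bot: `min(ssidie[1], IEEE80211_MAX_SSID_LEN)` at sta.c:1292 compares a const u8 element against an int constant; older minmax.h implementations flag mixed types with a "comparison of distinct pointer types" warning, so check the 5.4 build output and switch to `min_t(u8, ...)` if it warns. The cap itself is correct: join.ssid_len is the length passed to the memcpy() into join.ssid on the following line, which is the overflow the message describes.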
@@ -0,0 +1,44 @@ +From 51d401e5acdaabfb658d8099ec164b4b73a74d58 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Aug 2025 15:48:35 +0300 +Subject: wifi: libertas: cap SSID len in lbs_associate() + +From: Dan Carpenter + +[ Upstream commit c786794bd27b0d7a5fd9063695df83206009be59 ] + +If the ssid_eid[1] length is more that 32 it leads to memory corruption. + +Fixes: a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets") +Signed-off-by: Dan Carpenter +Link: https://patch.msgid.link/2a40f5ec7617144aef412034c12919a4927d90ad.1756456951.git.dan.carpenter@linaro.org +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/libertas/cfg.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/marvell/libertas/cfg.c b/drivers/net/wireless/marvell/libertas/cfg.c +index 4e3de684928bf..a659054c1bcd9 100644 +--- a/drivers/net/wireless/marvell/libertas/cfg.c ++++ b/drivers/net/wireless/marvell/libertas/cfg.c +@@ -1102,10 +1102,13 @@ static int lbs_associate(struct lbs_private *priv, + /* add SSID TLV */ + rcu_read_lock(); + ssid_eid = ieee80211_bss_get_ie(bss, WLAN_EID_SSID); +- if (ssid_eid) +- pos += lbs_add_ssid_tlv(pos, ssid_eid + 2, ssid_eid[1]); +- else ++ if (ssid_eid) { ++ u32 ssid_len = min(ssid_eid[1], IEEE80211_MAX_SSID_LEN); ++ ++ pos += lbs_add_ssid_tlv(pos, ssid_eid + 2, ssid_len); ++ } else { + lbs_deb_assoc("no SSID\n"); ++ } + rcu_read_unlock(); + + /* add DS param TLV */ +-- +2.50.1 + diff --git a/queue-5.4/xirc2ps_cs-fix-register-access-when-enabling-fulldup.patch b/queue-5.4/xirc2ps_cs-fix-register-access-when-enabling-fulldup.patch new file mode 100644 index 0000000000..0ea94605a8 --- /dev/null +++ b/queue-5.4/xirc2ps_cs-fix-register-access-when-enabling-fulldup.patch 
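Review bot: the Fixes: tag names a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets"), which is the cw1200 commit copied over from the sibling patch, not a libertas commit; it should point at the libertas change that introduced the unbounded lbs_add_ssid_tlv() call in lbs_associate() so that stable selection and blame tooling land on the right history. The same mixed-type min() question as in the cw1200 patch applies to `u32 ssid_len = min(ssid_eid[1], IEEE80211_MAX_SSID_LEN)` at cfg.c:1106 (const u8 versus int constant); check the 5.4 build for a warning there too.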
@@ -0,0 +1,44 @@ +From 65bb29d5c12b441c7025aec427892d61dea36eea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Aug 2025 12:26:43 -0700 +Subject: xirc2ps_cs: fix register access when enabling FullDuplex + +From: Alok Tiwari + +[ Upstream commit b79e498080b170fd94fc83bca2471f450811549b ] + +The current code incorrectly passes (XIRCREG1_ECR | FullDuplex) as +the register address to GetByte(), instead of fetching the register +value and OR-ing it with FullDuplex. This results in an invalid +register access. + +Fix it by reading XIRCREG1_ECR first, then or-ing with FullDuplex +before writing it back. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Alok Tiwari +Reviewed-by: Simon Horman +Reviewed-by: Jacob Keller +Link: https://patch.msgid.link/20250827192645.658496-1-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/xircom/xirc2ps_cs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/xircom/xirc2ps_cs.c b/drivers/net/ethernet/xircom/xirc2ps_cs.c +index e3438cef5f9c6..4d8a1728e8ed6 100644 +--- a/drivers/net/ethernet/xircom/xirc2ps_cs.c ++++ b/drivers/net/ethernet/xircom/xirc2ps_cs.c +@@ -1584,7 +1584,7 @@ do_reset(struct net_device *dev, int full) + msleep(40); /* wait 40 msec to let it complete */ + } + if (full_duplex) +- PutByte(XIRCREG1_ECR, GetByte(XIRCREG1_ECR | FullDuplex)); ++ PutByte(XIRCREG1_ECR, GetByte(XIRCREG1_ECR) | FullDuplex); + } else { /* No MII */ + SelectPage(0); + value = GetByte(XIRCREG_ESR); /* read the ESR */ +-- +2.50.1 + diff --git a/queue-6.1/ax25-properly-unshare-skbs-in-ax25_kiss_rcv.patch b/queue-6.1/ax25-properly-unshare-skbs-in-ax25_kiss_rcv.patch new file mode 100644 index 0000000000..ba3e9a48ef --- /dev/null +++ b/queue-6.1/ax25-properly-unshare-skbs-in-ax25_kiss_rcv.patch 
@@ -0,0 +1,59 @@ +From 801f6e3aaab8dc49168a1035ca67426fb07e9283 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Sep 2025 12:46:42 +0000 +Subject: ax25: properly unshare skbs in ax25_kiss_rcv() + +From: Eric Dumazet + +[ Upstream commit 8156210d36a43e76372312c87eb5ea3dbb405a85 ] + +Bernard Pidoux reported a regression apparently caused by commit +c353e8983e0d ("net: introduce per netns packet chains"). + +skb->dev becomes NULL and we crash in __netif_receive_skb_core(). + +Before above commit, different kind of bugs or corruptions could happen +without a major crash. + +But the root cause is that ax25_kiss_rcv() can queue/mangle input skb +without checking if this skb is shared or not. + +Many thanks to Bernard Pidoux for his help, diagnosis and tests. + +We had a similar issue years ago fixed with commit 7aaed57c5c28 +("phonet: properly unshare skbs in phonet_rcv()"). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Bernard Pidoux +Closes: https://lore.kernel.org/netdev/1713f383-c538-4918-bc64-13b3288cd542@free.fr/ +Tested-by: Bernard Pidoux +Signed-off-by: Eric Dumazet +Cc: Joerg Reuter +Cc: David Ranch +Cc: Folkert van Heusden +Reviewed-by: Dan Cross +Link: https://patch.msgid.link/20250902124642.212705-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ax25/ax25_in.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/ax25/ax25_in.c b/net/ax25/ax25_in.c +index 1cac25aca6378..f2d66af863595 100644 +--- a/net/ax25/ax25_in.c ++++ b/net/ax25/ax25_in.c +@@ -433,6 +433,10 @@ static int ax25_rcv(struct sk_buff *skb, struct net_device *dev, + int ax25_kiss_rcv(struct sk_buff *skb, struct net_device *dev, + struct packet_type *ptype, struct net_device *orig_dev) + { ++ skb = skb_share_check(skb, GFP_ATOMIC); ++ if (!skb) ++ return NET_RX_DROP; ++ + skb_orphan(skb); + + if (!net_eq(dev_net(dev), &init_net)) { +-- +2.50.1 + 
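Review bot: the bare `return NET_RX_DROP;` after skb_share_check() at ax25_in.c:436-438 is correct as written, because skb_share_check() frees the original skb itself when the clone fails, but readers who expect a kfree_skb() before a drop will stop on it; a short comment saying the skb has already been consumed would save that second look. Placing the check ahead of skb_orphan() is the essential part: orphaning a shared skb clears the destructor and socket pointer for every holder of the buffer, which is exactly the mangling the message describes.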
diff --git a/queue-6.1/bluetooth-fix-use-after-free-in-l2cap_sock_cleanup_l.patch b/queue-6.1/bluetooth-fix-use-after-free-in-l2cap_sock_cleanup_l.patch new file mode 100644 index 0000000000..c2ed83e615 --- /dev/null +++ b/queue-6.1/bluetooth-fix-use-after-free-in-l2cap_sock_cleanup_l.patch 
@@ -0,0 +1,171 @@ +From ec60ae32db29173fc2a53a6121124b4cd4816dfe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Aug 2025 20:40:14 +0000 +Subject: Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen() + +From: Kuniyuki Iwashima + +[ Upstream commit 862c628108562d8c7a516a900034823b381d3cba ] + +syzbot reported the splat below without a repro. + +In the splat, a single thread calling bt_accept_dequeue() freed sk +and touched it after that. + +The root cause would be the racy l2cap_sock_cleanup_listen() call +added by the cited commit. + +bt_accept_dequeue() is called under lock_sock() except for +l2cap_sock_release(). + +Two threads could see the same socket during the list iteration +in bt_accept_dequeue(): + + CPU1 CPU2 (close()) + ---- ---- + sock_hold(sk) sock_hold(sk); + lock_sock(sk) <-- block close() + sock_put(sk) + bt_accept_unlink(sk) + sock_put(sk) <-- refcnt by bt_accept_enqueue() + release_sock(sk) + lock_sock(sk) + sock_put(sk) + bt_accept_unlink(sk) + sock_put(sk) <-- last refcnt + bt_accept_unlink(sk) <-- UAF + +Depending on the timing, the other thread could show up in the +"Freed by task" part. + +Let's call l2cap_sock_cleanup_listen() under lock_sock() in +l2cap_sock_release(). 
+ +[0]: +BUG: KASAN: slab-use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline] +BUG: KASAN: slab-use-after-free in do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115 +Read of size 4 at addr ffff88803b7eb1c4 by task syz.5.3276/16995 +CPU: 3 UID: 0 PID: 16995 Comm: syz.5.3276 Not tainted syzkaller #0 PREEMPT(full) +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0xcd/0x630 mm/kasan/report.c:482 + kasan_report+0xe0/0x110 mm/kasan/report.c:595 + debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline] + do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115 + spin_lock_bh include/linux/spinlock.h:356 [inline] + release_sock+0x21/0x220 net/core/sock.c:3746 + bt_accept_dequeue+0x505/0x600 net/bluetooth/af_bluetooth.c:312 + l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451 + l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425 + __sock_release+0xb3/0x270 net/socket.c:649 + sock_close+0x1c/0x30 net/socket.c:1439 + __fput+0x3ff/0xb70 fs/file_table.c:468 + task_work_run+0x14d/0x240 kernel/task_work.c:227 + resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] + exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43 + exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline] + syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline] + syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline] + do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f2accf8ebe9 +Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff 
f7 d8 64 89 01 48 +RSP: 002b:00007ffdb6cb1378 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 +RAX: 0000000000000000 RBX: 00000000000426fb RCX: 00007f2accf8ebe9 +RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 +RBP: 00007f2acd1b7da0 R08: 0000000000000001 R09: 00000012b6cb166f +R10: 0000001b30e20000 R11: 0000000000000246 R12: 00007f2acd1b609c +R13: 00007f2acd1b6090 R14: ffffffffffffffff R15: 00007ffdb6cb1490 + + +Allocated by task 5326: + kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 + kasan_save_track+0x14/0x30 mm/kasan/common.c:68 + poison_kmalloc_redzone mm/kasan/common.c:388 [inline] + __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:405 + kasan_kmalloc include/linux/kasan.h:260 [inline] + __do_kmalloc_node mm/slub.c:4365 [inline] + __kmalloc_noprof+0x223/0x510 mm/slub.c:4377 + kmalloc_noprof include/linux/slab.h:909 [inline] + sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2239 + sk_alloc+0x36/0xc20 net/core/sock.c:2295 + bt_sock_alloc+0x3b/0x3a0 net/bluetooth/af_bluetooth.c:151 + l2cap_sock_alloc.constprop.0+0x33/0x1d0 net/bluetooth/l2cap_sock.c:1894 + l2cap_sock_new_connection_cb+0x101/0x240 net/bluetooth/l2cap_sock.c:1482 + l2cap_connect_cfm+0x4c4/0xf80 net/bluetooth/l2cap_core.c:7287 + hci_connect_cfm include/net/bluetooth/hci_core.h:2050 [inline] + hci_remote_features_evt+0x4dd/0x970 net/bluetooth/hci_event.c:3712 + hci_event_func net/bluetooth/hci_event.c:7519 [inline] + hci_event_packet+0xa0d/0x11c0 net/bluetooth/hci_event.c:7573 + hci_rx_work+0x2c5/0x16b0 net/bluetooth/hci_core.c:4071 + process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236 + process_scheduled_works kernel/workqueue.c:3319 [inline] + worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400 + kthread+0x3c2/0x780 kernel/kthread.c:463 + ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 + +Freed by task 16995: + kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 + kasan_save_track+0x14/0x30 mm/kasan/common.c:68 + 
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576 + poison_slab_object mm/kasan/common.c:243 [inline] + __kasan_slab_free+0x60/0x70 mm/kasan/common.c:275 + kasan_slab_free include/linux/kasan.h:233 [inline] + slab_free_hook mm/slub.c:2417 [inline] + slab_free mm/slub.c:4680 [inline] + kfree+0x2b4/0x4d0 mm/slub.c:4879 + sk_prot_free net/core/sock.c:2278 [inline] + __sk_destruct+0x75f/0x9a0 net/core/sock.c:2373 + sk_destruct+0xc2/0xf0 net/core/sock.c:2401 + __sk_free+0xf4/0x3e0 net/core/sock.c:2412 + sk_free+0x6a/0x90 net/core/sock.c:2423 + sock_put include/net/sock.h:1960 [inline] + bt_accept_unlink+0x245/0x2e0 net/bluetooth/af_bluetooth.c:262 + bt_accept_dequeue+0x517/0x600 net/bluetooth/af_bluetooth.c:308 + l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451 + l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425 + __sock_release+0xb3/0x270 net/socket.c:649 + sock_close+0x1c/0x30 net/socket.c:1439 + __fput+0x3ff/0xb70 fs/file_table.c:468 + task_work_run+0x14d/0x240 kernel/task_work.c:227 + resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] + exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43 + exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline] + syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline] + syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline] + do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: 1728137b33c0 ("Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb") +Reported-by: syzbot+e5e64cdf8e92046dd3e1@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/linux-bluetooth/68af6b9d.a70a0220.3cafd4.0032.GAE@google.com/ +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_sock.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c +index 
c89277848ca83..7b822445f8ce4 100644 +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -1442,7 +1442,10 @@ static int l2cap_sock_release(struct socket *sock) + if (!sk) + return 0; + ++ lock_sock_nested(sk, L2CAP_NESTING_PARENT); + l2cap_sock_cleanup_listen(sk); ++ release_sock(sk); ++ + bt_sock_unlink(&l2cap_sk_list, sk); + + err = l2cap_sock_shutdown(sock, SHUT_RDWR); +-- +2.50.1 + diff --git a/queue-6.1/i40e-fix-potential-invalid-access-when-mac-list-is-e.patch b/queue-6.1/i40e-fix-potential-invalid-access-when-mac-list-is-e.patch new file mode 100644 index 0000000000..9c4ceecca3 --- /dev/null +++ b/queue-6.1/i40e-fix-potential-invalid-access-when-mac-list-is-e.patch 
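Review bot: wrapping l2cap_sock_cleanup_listen() in lock_sock_nested(sk, L2CAP_NESTING_PARENT)/release_sock() at l2cap_sock.c:1445-1447 closes the race from the message, but the hunk leaves bt_sock_unlink() and l2cap_sock_shutdown() outside the lock; either note in the message that those paths are unaffected or say why they need not run under it. Also confirm that l2cap_sock_cleanup_listen() in 6.1 only takes lock_sock() on the child sockets it dequeues (the splat shows bt_accept_dequeue() doing so) and never on the parent sk itself, otherwise this turns into a self-deadlock rather than a fix.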
@@ -0,0 +1,42 @@ +From a51c6e6ee075b0221fcb8e50e787dfc304373d95 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Aug 2025 19:56:31 +0800 +Subject: i40e: Fix potential invalid access when MAC list is empty + +From: Zhen Ni + +[ Upstream commit a556f06338e1d5a85af0e32ecb46e365547f92b9 ] + +list_first_entry() never returns NULL - if the list is empty, it still +returns a pointer to an invalid object, leading to potential invalid +memory access when dereferenced. + +Fix this by using list_first_entry_or_null instead of list_first_entry. + +Fixes: e3219ce6a775 ("i40e: Add support for client interface for IWARP driver") +Signed-off-by: Zhen Ni +Reviewed-by: Paul Menzel +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_client.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_client.c b/drivers/net/ethernet/intel/i40e/i40e_client.c +index a289f1bb3dbfc..86fd82412e9e4 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_client.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_client.c +@@ -362,8 +362,8 @@ static void i40e_client_add_instance(struct i40e_pf *pf) + if (i40e_client_get_params(vsi, &cdev->lan_info.params)) + goto free_cdev; + +- mac = list_first_entry(&cdev->lan_info.netdev->dev_addrs.list, +- struct netdev_hw_addr, list); ++ mac = list_first_entry_or_null(&cdev->lan_info.netdev->dev_addrs.list, ++ struct netdev_hw_addr, list); + if (mac) + ether_addr_copy(cdev->lan_info.lanmac, mac->addr); + else +-- +2.50.1 + diff --git a/queue-6.1/icmp-fix-icmp_ndo_send-address-translation-for-reply.patch b/queue-6.1/icmp-fix-icmp_ndo_send-address-translation-for-reply.patch new file mode 100644 index 0000000000..2e230f2a19 --- /dev/null +++ b/queue-6.1/icmp-fix-icmp_ndo_send-address-translation-for-reply.patch 
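Review bot: with list_first_entry_or_null() at i40e_client.c:365, the `else` branch after `if (mac)` becomes reachable for the first time; the fallback it contains is outside the hunk, so verify it leaves cdev->lan_info.lanmac in a defined state (zeroed or copied from another source) rather than handing the client an uninitialised MAC. The continuation line should also be re-aligned to the opening parenthesis of the new, longer function name.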
@@ -0,0 +1,110 @@ +From e00cfef79a666e4624e9e0cf9fb1a888be84729b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Aug 2025 11:14:35 +0200 +Subject: icmp: fix icmp_ndo_send address translation for reply direction +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Fabian Bläse + +[ Upstream commit c6dd1aa2cbb72b33e0569f3e71d95792beab5042 ] + +The icmp_ndo_send function was originally introduced to ensure proper +rate limiting when icmp_send is called by a network device driver, +where the packet's source address may have already been transformed +by SNAT. + +However, the original implementation only considers the +IP_CT_DIR_ORIGINAL direction for SNAT and always replaced the packet's +source address with that of the original-direction tuple. This causes +two problems: + +1. For SNAT: + Reply-direction packets were incorrectly translated using the source + address of the CT original direction, even though no translation is + required. + +2. For DNAT: + Reply-direction packets were not handled at all. In DNAT, the original + direction's destination is translated. Therefore, in the reply + direction the source address must be set to the reply-direction + source, so rate limiting works as intended. + +Fix this by using the connection direction to select the correct tuple +for source address translation, and adjust the pre-checks to handle +reply-direction packets in case of DNAT. + +Additionally, wrap the `ct->status` access in READ_ONCE(). This avoids +possible KCSAN reports about concurrent updates to `ct->status`. + +Fixes: 0b41713b6066 ("icmp: introduce helper for nat'd source address in network device context") +Signed-off-by: Fabian Bläse +Cc: Jason A. 
Donenfeld +Reviewed-by: Florian Westphal +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/icmp.c | 6 ++++-- + net/ipv6/ip6_icmp.c | 6 ++++-- + 2 files changed, 8 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c +index 94501bb30c431..b17549c4e5de8 100644 +--- a/net/ipv4/icmp.c ++++ b/net/ipv4/icmp.c +@@ -801,11 +801,12 @@ void icmp_ndo_send(struct sk_buff *skb_in, int type, int code, __be32 info) + struct sk_buff *cloned_skb = NULL; + struct ip_options opts = { 0 }; + enum ip_conntrack_info ctinfo; ++ enum ip_conntrack_dir dir; + struct nf_conn *ct; + __be32 orig_ip; + + ct = nf_ct_get(skb_in, &ctinfo); +- if (!ct || !(ct->status & IPS_SRC_NAT)) { ++ if (!ct || !(READ_ONCE(ct->status) & IPS_NAT_MASK)) { + __icmp_send(skb_in, type, code, info, &opts); + return; + } +@@ -820,7 +821,8 @@ void icmp_ndo_send(struct sk_buff *skb_in, int type, int code, __be32 info) + goto out; + + orig_ip = ip_hdr(skb_in)->saddr; +- ip_hdr(skb_in)->saddr = ct->tuplehash[0].tuple.src.u3.ip; ++ dir = CTINFO2DIR(ctinfo); ++ ip_hdr(skb_in)->saddr = ct->tuplehash[dir].tuple.src.u3.ip; + __icmp_send(skb_in, type, code, info, &opts); + ip_hdr(skb_in)->saddr = orig_ip; + out: +diff --git a/net/ipv6/ip6_icmp.c b/net/ipv6/ip6_icmp.c +index 9e3574880cb03..233914b63bdb8 100644 +--- a/net/ipv6/ip6_icmp.c ++++ b/net/ipv6/ip6_icmp.c +@@ -54,11 +54,12 @@ void icmpv6_ndo_send(struct sk_buff *skb_in, u8 type, u8 code, __u32 info) + struct inet6_skb_parm parm = { 0 }; + struct sk_buff *cloned_skb = NULL; + enum ip_conntrack_info ctinfo; ++ enum ip_conntrack_dir dir; + struct in6_addr orig_ip; + struct nf_conn *ct; + + ct = nf_ct_get(skb_in, &ctinfo); +- if (!ct || !(ct->status & IPS_SRC_NAT)) { ++ if (!ct || !(READ_ONCE(ct->status) & IPS_NAT_MASK)) { + __icmpv6_send(skb_in, type, code, info, &parm); + return; + } +@@ -73,7 +74,8 @@ void icmpv6_ndo_send(struct sk_buff *skb_in, u8 type, u8 code, __u32 info) + goto out; + + orig_ip = 
ipv6_hdr(skb_in)->saddr; +- ipv6_hdr(skb_in)->saddr = ct->tuplehash[0].tuple.src.u3.in6; ++ dir = CTINFO2DIR(ctinfo); ++ ipv6_hdr(skb_in)->saddr = ct->tuplehash[dir].tuple.src.u3.in6; + __icmpv6_send(skb_in, type, code, info, &parm); + ipv6_hdr(skb_in)->saddr = orig_ip; + out: +-- +2.50.1 + diff --git a/queue-6.1/ipv4-fix-null-vs-error-pointer-check-in-inet_blackho.patch b/queue-6.1/ipv4-fix-null-vs-error-pointer-check-in-inet_blackho.patch new file mode 100644 index 0000000000..fef6e3a7c4 --- /dev/null +++ b/queue-6.1/ipv4-fix-null-vs-error-pointer-check-in-inet_blackho.patch @@ -0,0 +1,48 @@ +From f7f7a0cec8e5d4f533721fb6377b7a4c1bb3daa2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Sep 2025 09:36:08 +0300 +Subject: ipv4: Fix NULL vs error pointer check in inet_blackhole_dev_init() + +From: Dan Carpenter + +[ Upstream commit a51160f8da850a65afbf165f5bbac7ffb388bf74 ] + +The inetdev_init() function never returns NULL. Check for error +pointers instead. + +Fixes: 22600596b675 ("ipv4: give an IPv4 dev to blackhole_netdev") +Signed-off-by: Dan Carpenter +Reviewed-by: Simon Horman +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/aLaQWL9NguWmeM1i@stanley.mountain +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/devinet.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c +index 1738cc2bfc7f0..fee0a0b83d27b 100644 +--- a/net/ipv4/devinet.c ++++ b/net/ipv4/devinet.c +@@ -335,14 +335,13 @@ static void inetdev_destroy(struct in_device *in_dev) + + static int __init inet_blackhole_dev_init(void) + { +- int err = 0; ++ struct in_device *in_dev; + + rtnl_lock(); +- if (!inetdev_init(blackhole_netdev)) +- err = -ENOMEM; ++ in_dev = inetdev_init(blackhole_netdev); + rtnl_unlock(); + +- return err; ++ return PTR_ERR_OR_ZERO(in_dev); + } + late_initcall(inet_blackhole_dev_init); + +-- +2.50.1 + 
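Review bot: the two icmp.c hunks widen the gate from IPS_SRC_NAT to IPS_NAT_MASK and then copy tuplehash[dir].tuple.src.u3.ip, so packets that are not source-translated in their own direction (DNAT original, SNAT reply) now enter the rewrite path and have their saddr replaced with the value it already holds; that is harmless but not obvious, and a comment at the `dir = CTINFO2DIR(ctinfo);` line stating that the copy is a no-op for those cases would help. The message also says the pre-checks were adjusted, yet the only pre-check change visible in either file is the mask; the `goto out` checks between the two hunks are untouched, so either the wording or the diff should be brought in line. Check as well that net/ipv6/ip6_icmp.c already includes the header that provides CTINFO2DIR and enum ip_conntrack_dir.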
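Review bot: the inet_blackhole_dev_init() hunk at devinet.c:336-345 changes the function's return value from a fixed -ENOMEM to whatever error inetdev_init() reports via PTR_ERR_OR_ZERO(); that is the right thing to do, but it is a behaviour change the message ("Check for error pointers instead") does not spell out, and it deserves a sentence because initcall failures are logged with that errno. Worth stating too that the old `!inetdev_init()` test could never be true, so before this patch an allocation failure in inetdev_init() was silently reported as success.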
diff --git a/queue-6.1/mctp-return-enoprotoopt-for-unknown-getsockopt-optio.patch b/queue-6.1/mctp-return-enoprotoopt-for-unknown-getsockopt-optio.patch new file mode 100644 index 0000000000..2541dc4d80 --- /dev/null +++ b/queue-6.1/mctp-return-enoprotoopt-for-unknown-getsockopt-optio.patch @@ -0,0 +1,43 @@ +From 5b9911483acac7fd87f23b41add36cfcf9355560 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Sep 2025 03:20:55 -0700 +Subject: mctp: return -ENOPROTOOPT for unknown getsockopt options + +From: Alok Tiwari + +[ Upstream commit a125c8fb9ddbcb0602103a50727a476fd30dec01 ] + +In mctp_getsockopt(), unrecognized options currently return -EINVAL. +In contrast, mctp_setsockopt() returns -ENOPROTOOPT for unknown +options. + +Update mctp_getsockopt() to also return -ENOPROTOOPT for unknown +options. This aligns the behavior of getsockopt() and setsockopt(), +and matches the standard kernel socket API convention for handling +unsupported options. + +Fixes: 99ce45d5e7db ("mctp: Implement extended addressing") +Signed-off-by: Alok Tiwari +Link: https://patch.msgid.link/20250902102059.1370008-1-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/mctp/af_mctp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mctp/af_mctp.c b/net/mctp/af_mctp.c +index 0f49b41570f56..8f241c92e03d8 100644 +--- a/net/mctp/af_mctp.c ++++ b/net/mctp/af_mctp.c +@@ -346,7 +346,7 @@ static int mctp_getsockopt(struct socket *sock, int level, int optname, + return 0; + } + +- return -EINVAL; ++ return -ENOPROTOOPT; + } + + static int mctp_ioctl_alloctag(struct mctp_sock *msk, unsigned long arg) +-- +2.50.1 + diff --git a/queue-6.1/misdn-fix-memory-leak-in-dsp_hwec_enable.patch b/queue-6.1/misdn-fix-memory-leak-in-dsp_hwec_enable.patch new file mode 100644 index 0000000000..be6d8bf567 --- /dev/null +++ b/queue-6.1/misdn-fix-memory-leak-in-dsp_hwec_enable.patch 
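Review bot: the af_mctp.c hunk at 346-349 turns a user-visible errno from -EINVAL into -ENOPROTOOPT for unknown getsockopt() options; the message justifies it by symmetry with mctp_setsockopt(), but since this is a stable backport the commit text should also say that no known userspace depends on EINVAL here, as that is the first question a stable reviewer will ask about an ABI-visible change.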
@@ -0,0 +1,53 @@ +From ef1a6e4909338a25f3b28f536350d98e60ebe9b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Aug 2025 16:14:57 +0800 +Subject: mISDN: Fix memory leak in dsp_hwec_enable() + +From: Miaoqian Lin + +[ Upstream commit 0704a3da7ce50f972e898bbda88d2692a22922d9 ] + +dsp_hwec_enable() allocates dup pointer by kstrdup(arg), +but then it updates dup variable by strsep(&dup, ","). +As a result when it calls kfree(dup), the dup variable may be +a modified pointer that no longer points to the original allocated +memory, causing a memory leak. + +The issue is the same pattern as fixed in commit c6a502c22999 +("mISDN: Fix memory leak in dsp_pipeline_build()"). + +Fixes: 9a4381618262 ("mISDN: Remove VLAs") +Signed-off-by: Miaoqian Lin +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250828081457.36061-1-linmq006@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/isdn/mISDN/dsp_hwec.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/isdn/mISDN/dsp_hwec.c b/drivers/isdn/mISDN/dsp_hwec.c +index 0b3f29195330a..0cd216e28f009 100644 +--- a/drivers/isdn/mISDN/dsp_hwec.c ++++ b/drivers/isdn/mISDN/dsp_hwec.c +@@ -51,14 +51,14 @@ void dsp_hwec_enable(struct dsp *dsp, const char *arg) + goto _do; + + { +- char *dup, *tok, *name, *val; ++ char *dup, *next, *tok, *name, *val; + int tmp; + +- dup = kstrdup(arg, GFP_ATOMIC); ++ dup = next = kstrdup(arg, GFP_ATOMIC); + if (!dup) + return; + +- while ((tok = strsep(&dup, ","))) { ++ while ((tok = strsep(&next, ","))) { + if (!strlen(tok)) + continue; + name = strsep(&tok, "="); +-- +2.50.1 + diff --git a/queue-6.1/net-atm-fix-memory-leak-in-atm_register_sysfs-when-d.patch b/queue-6.1/net-atm-fix-memory-leak-in-atm_register_sysfs-when-d.patch new file mode 100644 index 0000000000..c61a4c3d98 --- /dev/null +++ b/queue-6.1/net-atm-fix-memory-leak-in-atm_register_sysfs-when-d.patch 
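Review bot: after the dsp_hwec.c hunk at 51-65, `dup` keeps the kstrdup() result and `next` is the pointer strsep() advances, the same pattern as c6a502c22999; the kfree(dup) the fix exists for is below the visible context, so confirm the tail of the block still frees `dup` (not `next`) and that nothing else inside the loop relied on `dup` being the advancing pointer.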
@@ -0,0 +1,78 @@ +From 3e2dec88667e6e099db5c9fdd3c9c3b7a0a7f09e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Sep 2025 14:35:37 +0800 +Subject: net: atm: fix memory leak in atm_register_sysfs when device_register + fail + +From: Wang Liang + +[ Upstream commit 0a228624bcc00af41f281a2a84c928595a74c17d ] + +When device_register() return error in atm_register_sysfs(), which can be +triggered by kzalloc fail in device_private_init() or other reasons, +kmemleak reports the following memory leaks: + +unreferenced object 0xffff88810182fb80 (size 8): + comm "insmod", pid 504, jiffies 4294852464 + hex dump (first 8 bytes): + 61 64 75 6d 6d 79 30 00 adummy0. + backtrace (crc 14dfadaf): + __kmalloc_node_track_caller_noprof+0x335/0x450 + kvasprintf+0xb3/0x130 + kobject_set_name_vargs+0x45/0x120 + dev_set_name+0xa9/0xe0 + atm_register_sysfs+0xf3/0x220 + atm_dev_register+0x40b/0x780 + 0xffffffffa000b089 + do_one_initcall+0x89/0x300 + do_init_module+0x27b/0x7d0 + load_module+0x54cd/0x5ff0 + init_module_from_file+0xe4/0x150 + idempotent_init_module+0x32c/0x610 + __x64_sys_finit_module+0xbd/0x120 + do_syscall_64+0xa8/0x270 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +When device_create_file() return error in atm_register_sysfs(), the same +issue also can be triggered. + +Function put_device() should be called to release kobj->name memory and +other device resource, instead of kfree(). 
+ +Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array") +Signed-off-by: Wang Liang +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250901063537.1472221-1-wangliang74@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/atm/resources.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/atm/resources.c b/net/atm/resources.c +index b19d851e1f443..7c6fdedbcf4e5 100644 +--- a/net/atm/resources.c ++++ b/net/atm/resources.c +@@ -112,7 +112,9 @@ struct atm_dev *atm_dev_register(const char *type, struct device *parent, + + if (atm_proc_dev_register(dev) < 0) { + pr_err("atm_proc_dev_register failed for dev %s\n", type); +- goto out_fail; ++ mutex_unlock(&atm_dev_mutex); ++ kfree(dev); ++ return NULL; + } + + if (atm_register_sysfs(dev, parent) < 0) { +@@ -128,7 +130,7 @@ struct atm_dev *atm_dev_register(const char *type, struct device *parent, + return dev; + + out_fail: +- kfree(dev); ++ put_device(&dev->class_dev); + dev = NULL; + goto out; + } +-- +2.50.1 + diff --git a/queue-6.1/net-ethernet-mtk_eth_soc-fix-tx-vlan-tag-for-llc-pac.patch b/queue-6.1/net-ethernet-mtk_eth_soc-fix-tx-vlan-tag-for-llc-pac.patch new file mode 100644 index 0000000000..c87e7e39a1 --- /dev/null +++ b/queue-6.1/net-ethernet-mtk_eth_soc-fix-tx-vlan-tag-for-llc-pac.patch 
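Review bot: the first resources.c hunk at 113-118 replaces `goto out_fail` with an inline mutex_unlock()/kfree()/return NULL for the atm_proc_dev_register() failure, but the message only explains the put_device() change in the second hunk; add a sentence saying that at this point atm_register_sysfs() has not yet run, so class_dev has no initialised kobject and put_device() would be wrong, which is why that path must keep using kfree(). Also double-check that the `out:` label the second hunk still jumps to performs the same mutex_unlock(), so both error paths release atm_dev_mutex exactly once.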
@@ -0,0 +1,55 @@ +From a65235bd95101e7427c7024a8c8b263bfae58bbf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Aug 2025 20:20:07 +0200 +Subject: net: ethernet: mtk_eth_soc: fix tx vlan tag for llc packets + +From: Felix Fietkau + +[ Upstream commit d4736737110ffa83d29f1c5d17b26113864205f6 ] + +When sending llc packets with vlan tx offload, the hardware fails to +actually add the tag. Deal with this by fixing it up in software. + +Fixes: 656e705243fd ("net-next: mediatek: add support for MT7623 ethernet") +Reported-by: Thibaut VARENE +Signed-off-by: Felix Fietkau +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250831182007.51619-1-nbd@nbd.name +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mediatek/mtk_eth_soc.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +index fecf3dd22dfaa..3f2f725ccceb3 100644 +--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c ++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +@@ -1375,6 +1375,13 @@ static netdev_tx_t mtk_start_xmit(struct sk_buff *skb, struct net_device *dev) + bool gso = false; + int tx_num; + ++ if (skb_vlan_tag_present(skb) && ++ !eth_proto_is_802_3(eth_hdr(skb)->h_proto)) { ++ skb = __vlan_hwaccel_push_inside(skb); ++ if (!skb) ++ goto dropped; ++ } ++ + /* normally we can rely on the stack not calling this more than once, + * however we have 2 queues running on the same ring so we need to lock + * the ring access +@@ -1420,8 +1427,9 @@ static netdev_tx_t mtk_start_xmit(struct sk_buff *skb, struct net_device *dev) + + drop: + spin_unlock(ð->page_lock); +- stats->tx_dropped++; + dev_kfree_skb_any(skb); ++dropped: ++ stats->tx_dropped++; + return NETDEV_TX_OK; + } + +-- +2.50.1 + 
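Review bot: the new early exit at mtk_eth_soc.c:1378-1383 jumps to `dropped:` without freeing the skb, which is correct only because __vlan_hwaccel_push_inside() frees it itself on failure; a comment there would spare reviewers a trip through if_vlan.h. Since `dropped:` increments stats->tx_dropped, also confirm that `stats` is assigned before the new block (its declaration is not in the hunk), and note in the message that the software tag insertion is deliberately done before page_lock is taken so the allocation never runs under the spinlock.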
diff --git a/queue-6.1/net-macb-fix-tx_ptr_lock-locking.patch b/queue-6.1/net-macb-fix-tx_ptr_lock-locking.patch new file mode 100644 index 0000000000..3f514183cd --- /dev/null +++ b/queue-6.1/net-macb-fix-tx_ptr_lock-locking.patch 
@@ -0,0 +1,135 @@ +From 38b3aa7ae24866fa7b98a99563e3882eb14f7696 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Aug 2025 10:35:21 -0400 +Subject: net: macb: Fix tx_ptr_lock locking + +From: Sean Anderson + +[ Upstream commit 6bc8a5098bf4a365c4086a4a4130bfab10a58260 ] + +macb_start_xmit and macb_tx_poll can be called with bottom-halves +disabled (e.g. from softirq) as well as with interrupts disabled (with +netpoll). Because of this, all other functions taking tx_ptr_lock must +use spin_lock_irqsave. + +Fixes: 138badbc21a0 ("net: macb: use NAPI for TX completion path") +Reported-by: Mike Galbraith +Signed-off-by: Sean Anderson +Link: https://patch.msgid.link/20250829143521.1686062-1-sean.anderson@linux.dev +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cadence/macb_main.c | 28 ++++++++++++++---------- + 1 file changed, 16 insertions(+), 12 deletions(-) + +diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c +index 495a1cb0bc183..1ea7c86f75013 100644 +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -1174,11 +1174,12 @@ static int macb_tx_complete(struct macb_queue *queue, int budget) + { + struct macb *bp = queue->bp; + u16 queue_index = queue - bp->queues; ++ unsigned long flags; + unsigned int tail; + unsigned int head; + int packets = 0; + +- spin_lock(&queue->tx_ptr_lock); ++ spin_lock_irqsave(&queue->tx_ptr_lock, flags); + head = queue->tx_head; + for (tail = queue->tx_tail; tail != head && packets < budget; tail++) { + struct macb_tx_skb *tx_skb; +@@ -1241,7 +1242,7 @@ static int macb_tx_complete(struct macb_queue *queue, int budget) + CIRC_CNT(queue->tx_head, queue->tx_tail, + bp->tx_ring_size) <= MACB_TX_WAKEUP_THRESH(bp)) + netif_wake_subqueue(bp->dev, queue_index); +- spin_unlock(&queue->tx_ptr_lock); ++ spin_unlock_irqrestore(&queue->tx_ptr_lock, flags); + + return packets; + } +@@ -1657,8 +1658,9 @@ static void 
macb_tx_restart(struct macb_queue *queue) + { + struct macb *bp = queue->bp; + unsigned int head_idx, tbqp; ++ unsigned long flags; + +- spin_lock(&queue->tx_ptr_lock); ++ spin_lock_irqsave(&queue->tx_ptr_lock, flags); + + if (queue->tx_head == queue->tx_tail) + goto out_tx_ptr_unlock; +@@ -1670,19 +1672,20 @@ static void macb_tx_restart(struct macb_queue *queue) + if (tbqp == head_idx) + goto out_tx_ptr_unlock; + +- spin_lock_irq(&bp->lock); ++ spin_lock(&bp->lock); + macb_writel(bp, NCR, macb_readl(bp, NCR) | MACB_BIT(TSTART)); +- spin_unlock_irq(&bp->lock); ++ spin_unlock(&bp->lock); + + out_tx_ptr_unlock: +- spin_unlock(&queue->tx_ptr_lock); ++ spin_unlock_irqrestore(&queue->tx_ptr_lock, flags); + } + + static bool macb_tx_complete_pending(struct macb_queue *queue) + { + bool retval = false; ++ unsigned long flags; + +- spin_lock(&queue->tx_ptr_lock); ++ spin_lock_irqsave(&queue->tx_ptr_lock, flags); + if (queue->tx_head != queue->tx_tail) { + /* Make hw descriptor updates visible to CPU */ + rmb(); +@@ -1690,7 +1693,7 @@ static bool macb_tx_complete_pending(struct macb_queue *queue) + if (macb_tx_desc(queue, queue->tx_tail)->ctrl & MACB_BIT(TX_USED)) + retval = true; + } +- spin_unlock(&queue->tx_ptr_lock); ++ spin_unlock_irqrestore(&queue->tx_ptr_lock, flags); + return retval; + } + +@@ -2258,6 +2261,7 @@ static netdev_tx_t macb_start_xmit(struct sk_buff *skb, struct net_device *dev) + struct macb_queue *queue = &bp->queues[queue_index]; + unsigned int desc_cnt, nr_frags, frag_size, f; + unsigned int hdrlen; ++ unsigned long flags; + bool is_lso; + netdev_tx_t ret = NETDEV_TX_OK; + +@@ -2312,7 +2316,7 @@ static netdev_tx_t macb_start_xmit(struct sk_buff *skb, struct net_device *dev) + desc_cnt += DIV_ROUND_UP(frag_size, bp->max_tx_length); + } + +- spin_lock_bh(&queue->tx_ptr_lock); ++ spin_lock_irqsave(&queue->tx_ptr_lock, flags); + + /* This is a hard error, log it. 
*/ + if (CIRC_SPACE(queue->tx_head, queue->tx_tail, +@@ -2334,15 +2338,15 @@ static netdev_tx_t macb_start_xmit(struct sk_buff *skb, struct net_device *dev) + wmb(); + skb_tx_timestamp(skb); + +- spin_lock_irq(&bp->lock); ++ spin_lock(&bp->lock); + macb_writel(bp, NCR, macb_readl(bp, NCR) | MACB_BIT(TSTART)); +- spin_unlock_irq(&bp->lock); ++ spin_unlock(&bp->lock); + + if (CIRC_SPACE(queue->tx_head, queue->tx_tail, bp->tx_ring_size) < 1) + netif_stop_subqueue(dev, queue_index); + + unlock: +- spin_unlock_bh(&queue->tx_ptr_lock); ++ spin_unlock_irqrestore(&queue->tx_ptr_lock, flags); + + return ret; + } +-- +2.50.1 + diff --git a/queue-6.1/net-smc-fix-one-null-pointer-dereference-in-smc_ib_i.patch b/queue-6.1/net-smc-fix-one-null-pointer-dereference-in-smc_ib_i.patch new file mode 100644 index 0000000000..aefa768beb --- /dev/null +++ b/queue-6.1/net-smc-fix-one-null-pointer-dereference-in-smc_ib_i.patch 
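Review bot: in the macb tx_ptr_lock patch above, the switch from spin_lock_irq(&bp->lock)/spin_unlock_irq() to plain spin_lock()/spin_unlock() in macb_tx_restart() and macb_start_xmit() is only correct because both sites now sit inside the tx_ptr_lock irqsave region, and that dependency deserves a one-line comment at each site. The two changes are not independent: the old spin_unlock_irq(&bp->lock) re-enabled interrupts unconditionally, which is exactly what breaks the interrupts-disabled netpoll caller the commit message describes. The hunks convert four tx_ptr_lock takers (macb_tx_complete, macb_tx_restart, macb_tx_complete_pending, macb_start_xmit); since the message says every other taker must use irqsave, a grep for any remaining spin_lock_bh()/spin_lock() on tx_ptr_lock outside these hunks is worth doing before this goes into 6.1.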
@@ -0,0 +1,67 @@ +From 9ad4e9578198feb81fd2ffd7f700af7180af8ade Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Aug 2025 20:41:17 +0800 +Subject: net/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync() + +From: Liu Jian + +[ Upstream commit ba1e9421cf1a8369d25c3832439702a015d6b5f9 ] + +BUG: kernel NULL pointer dereference, address: 00000000000002ec +PGD 0 P4D 0 +Oops: Oops: 0000 [#1] SMP PTI +CPU: 28 UID: 0 PID: 343 Comm: kworker/28:1 Kdump: loaded Tainted: G OE 6.17.0-rc2+ #9 NONE +Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 +Workqueue: smc_hs_wq smc_listen_work [smc] +RIP: 0010:smc_ib_is_sg_need_sync+0x9e/0xd0 [smc] +... +Call Trace: + + smcr_buf_map_link+0x211/0x2a0 [smc] + __smc_buf_create+0x522/0x970 [smc] + smc_buf_create+0x3a/0x110 [smc] + smc_find_rdma_v2_device_serv+0x18f/0x240 [smc] + ? smc_vlan_by_tcpsk+0x7e/0xe0 [smc] + smc_listen_find_device+0x1dd/0x2b0 [smc] + smc_listen_work+0x30f/0x580 [smc] + process_one_work+0x18c/0x340 + worker_thread+0x242/0x360 + kthread+0xe7/0x220 + ret_from_fork+0x13a/0x160 + ret_from_fork_asm+0x1a/0x30 + + +If the software RoCE device is used, ibdev->dma_device is a null pointer. +As a result, the problem occurs. Null pointer detection is added to +prevent problems. + +Fixes: 0ef69e788411c ("net/smc: optimize for smc_sndbuf_sync_sg_for_device and smc_rmb_sync_sg_for_cpu") +Signed-off-by: Liu Jian +Reviewed-by: Guangguan Wang +Reviewed-by: Zhu Yanjun +Reviewed-by: D. 
Wythe +Link: https://patch.msgid.link/20250828124117.2622624-1-liujian56@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/smc/smc_ib.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/smc/smc_ib.c b/net/smc/smc_ib.c +index 6de53431629ca..8e41034d8d96f 100644 +--- a/net/smc/smc_ib.c ++++ b/net/smc/smc_ib.c +@@ -743,6 +743,9 @@ bool smc_ib_is_sg_need_sync(struct smc_link *lnk, + unsigned int i; + bool ret = false; + ++ if (!lnk->smcibdev->ibdev->dma_device) ++ return ret; ++ + /* for now there is just one DMA address */ + for_each_sg(buf_slot->sgt[lnk->link_idx].sgl, sg, + buf_slot->sgt[lnk->link_idx].nents, i) { +-- +2.50.1 + diff --git a/queue-6.1/net-smc-remove-validation-of-reserved-bits-in-clc-de.patch b/queue-6.1/net-smc-remove-validation-of-reserved-bits-in-clc-de.patch new file mode 100644 index 0000000000..158f364e0e --- /dev/null +++ b/queue-6.1/net-smc-remove-validation-of-reserved-bits-in-clc-de.patch 
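Review bot: the new early return in smc_ib_is_sg_need_sync() answers "no sync needed" (ret is false at that point) whenever ibdev->dma_device is NULL, and the hunk gives no reason; a comment stating that a software RoCE device has no DMA device and therefore nothing to sync, plus an explicit `return false;` instead of `return ret;`, would make the intent clear. The check only protects this one dereference on the smcr_buf_map_link() path shown in the trace, so it is worth confirming no other code on that path reads ibdev->dma_device before this point.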
@@ -0,0 +1,48 @@ +From e1ac89889d2a4c4d586809a61746825c5d570b68 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Sep 2025 10:20:41 +0200 +Subject: net/smc: Remove validation of reserved bits in CLC Decline message + +From: Mahanta Jambigi + +[ Upstream commit cc282f73bc0cbdf3ee7af2f2d3a2ef4e6b19242d ] + +Currently SMC code is validating the reserved bits while parsing the incoming +CLC decline message & when this validation fails, its treated as a protocol +error. As a result, the SMC connection is terminated instead of falling back to +TCP. As per RFC7609[1] specs we shouldn't be validating the reserved bits that +is part of CLC message. This patch fixes this issue. + +CLC Decline message format can viewed here[2]. + +[1] https://datatracker.ietf.org/doc/html/rfc7609#page-92 +[2] https://datatracker.ietf.org/doc/html/rfc7609#page-105 + +Fixes: 8ade200c269f ("net/smc: add v2 format of CLC decline message") +Signed-off-by: Mahanta Jambigi +Reviewed-by: Sidraya Jayagond +Reviewed-by: Alexandra Winter +Reviewed-by: Dust Li +Link: https://patch.msgid.link/20250902082041.98996-1-mjambigi@linux.ibm.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/smc/smc_clc.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c +index a48fdc83fe6b2..6ed77f02ceac0 100644 +--- a/net/smc/smc_clc.c ++++ b/net/smc/smc_clc.c +@@ -422,8 +422,6 @@ smc_clc_msg_decl_valid(struct smc_clc_msg_decline *dclc) + { + struct smc_clc_msg_hdr *hdr = &dclc->hdr; + +- if (hdr->typev1 != SMC_TYPE_R && hdr->typev1 != SMC_TYPE_D) +- return false; + if (hdr->version == SMC_V1) { + if (ntohs(hdr->length) != sizeof(struct smc_clc_msg_decline)) + return false; +-- +2.50.1 + diff --git a/queue-6.1/net-thunder_bgx-add-a-missing-of_node_put.patch b/queue-6.1/net-thunder_bgx-add-a-missing-of_node_put.patch new file mode 100644 index 0000000000..8081ca05d0 --- /dev/null +++ b/queue-6.1/net-thunder_bgx-add-a-missing-of_node_put.patch 
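Review bot: dropping the typev1 check in smc_clc_msg_decl_valid() leaves the per-version length test as the only validation of an incoming decline, so whatever consumes dclc->hdr.typev1 further down the decline path must now tolerate any value; a short comment above the function saying the type field is deliberately not validated (reserved bits per RFC 7609, as the commit message explains) would stop someone re-adding the check later. The Fixes: tag names the v2 decline-format commit while the removed lines are not version-specific, so confirm that is the commit which introduced the typev1 check.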
@@ -0,0 +1,53 @@ +From 9eb36004c62705d00a2fdd4887e317a127e6cade Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Sep 2025 14:30:18 -0700 +Subject: net: thunder_bgx: add a missing of_node_put + +From: Rosen Penev + +[ Upstream commit 9d28f94912589f04ab51fbccaef287d4f40e0d1f ] + +phy_np needs to get freed, just like the other child nodes. + +Fixes: 5fc7cf179449 ("net: thunderx: Cleanup PHY probing code.") +Signed-off-by: Rosen Penev +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250901213018.47392-1-rosenp@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/cavium/thunder/thunder_bgx.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c +index 8c955eefc7e4f..d054c519cd617 100644 +--- a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c ++++ b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c +@@ -1492,13 +1492,17 @@ static int bgx_init_of_phy(struct bgx *bgx) + * this cortina phy, for which there is no driver + * support, ignore it. + */ +- if (phy_np && +- !of_device_is_compatible(phy_np, "cortina,cs4223-slice")) { +- /* Wait until the phy drivers are available */ +- pd = of_phy_find_device(phy_np); +- if (!pd) +- goto defer; +- bgx->lmac[lmac].phydev = pd; ++ if (phy_np) { ++ if (!of_device_is_compatible(phy_np, "cortina,cs4223-slice")) { ++ /* Wait until the phy drivers are available */ ++ pd = of_phy_find_device(phy_np); ++ if (!pd) { ++ of_node_put(phy_np); ++ goto defer; ++ } ++ bgx->lmac[lmac].phydev = pd; ++ } ++ of_node_put(phy_np); + } + + lmac++; +-- +2.50.1 + diff --git a/queue-6.1/net-thunder_bgx-decrement-cleanup-index-before-use.patch b/queue-6.1/net-thunder_bgx-decrement-cleanup-index-before-use.patch new file mode 100644 index 0000000000..a944895531 --- /dev/null +++ b/queue-6.1/net-thunder_bgx-decrement-cleanup-index-before-use.patch 
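Review bot: the restructured block in bgx_init_of_phy() now drops the phy_np reference on the cortina skip path, on the of_phy_find_device() failure path and on the success path, which is the right set, but the commit message only says "phy_np needs to get freed" and should mention that the cortina case leaked as well. Putting phy_np after of_phy_find_device() succeeded is fine because phydev carries its own device reference, not a node reference, and the of_node_put(phy_np) before goto defer is safe as long as the defer cleanup loop touches only phydev, which is what the next patch's hunk shows.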
@@ -0,0 +1,44 @@ +From 561e16016f20486b840c15fbd3d263e4a9b6e359 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Sep 2025 14:33:14 -0700 +Subject: net: thunder_bgx: decrement cleanup index before use + +From: Rosen Penev + +[ Upstream commit 9e3d71a92e561ccc77025689dab25d201fee7a3e ] + +All paths in probe that call goto defer do so before assigning phydev +and thus it makes sense to cleanup the prior index. It also fixes a bug +where index 0 does not get cleaned up. + +Fixes: b7d3e3d3d21a ("net: thunderx: Don't leak phy device references on -EPROBE_DEFER condition.") +Signed-off-by: Rosen Penev +Reviewed-by: Vadim Fedorenko +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250901213314.48599-1-rosenp@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c +index d054c519cd617..bb70afae10c4c 100644 +--- a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c ++++ b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c +@@ -1518,11 +1518,11 @@ static int bgx_init_of_phy(struct bgx *bgx) + * for phy devices we may have already found. + */ + while (lmac) { ++ lmac--; + if (bgx->lmac[lmac].phydev) { + put_device(&bgx->lmac[lmac].phydev->mdio.dev); + bgx->lmac[lmac].phydev = NULL; + } +- lmac--; + } + of_node_put(node); + return -EPROBE_DEFER; +-- +2.50.1 + diff --git a/queue-6.1/netfilter-br_netfilter-do-not-check-confirmed-bit-in.patch b/queue-6.1/netfilter-br_netfilter-do-not-check-confirmed-bit-in.patch new file mode 100644 index 0000000000..c028af3254 --- /dev/null +++ b/queue-6.1/netfilter-br_netfilter-do-not-check-confirmed-bit-in.patch 
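Review bot: moving lmac-- ahead of the phydev check is the right fix, but the comment above the loop ("for phy devices we may have already found") should state that the current index is intentionally skipped because goto defer is always taken before bgx->lmac[lmac].phydev is assigned, which the previous patch's hunk confirms; without that note the old ordering looks like the intended one and someone may flip it back.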
@@ -0,0 +1,77 @@ +From 70d134e48ba6756854dfcc4148fc82b8cae90d0d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Aug 2025 11:52:19 +0800 +Subject: netfilter: br_netfilter: do not check confirmed bit in + br_nf_local_in() after confirm + +From: Wang Liang + +[ Upstream commit 479a54ab92087318514c82428a87af2d7af1a576 ] + +When send a broadcast packet to a tap device, which was added to a bridge, +br_nf_local_in() is called to confirm the conntrack. If another conntrack +with the same hash value is added to the hash table, which can be +triggered by a normal packet to a non-bridge device, the below warning +may happen. + + ------------[ cut here ]------------ + WARNING: CPU: 1 PID: 96 at net/bridge/br_netfilter_hooks.c:632 br_nf_local_in+0x168/0x200 + CPU: 1 UID: 0 PID: 96 Comm: tap_send Not tainted 6.17.0-rc2-dirty #44 PREEMPT(voluntary) + RIP: 0010:br_nf_local_in+0x168/0x200 + Call Trace: + + nf_hook_slow+0x3e/0xf0 + br_pass_frame_up+0x103/0x180 + br_handle_frame_finish+0x2de/0x5b0 + br_nf_hook_thresh+0xc0/0x120 + br_nf_pre_routing_finish+0x168/0x3a0 + br_nf_pre_routing+0x237/0x5e0 + br_handle_frame+0x1ec/0x3c0 + __netif_receive_skb_core+0x225/0x1210 + __netif_receive_skb_one_core+0x37/0xa0 + netif_receive_skb+0x36/0x160 + tun_get_user+0xa54/0x10c0 + tun_chr_write_iter+0x65/0xb0 + vfs_write+0x305/0x410 + ksys_write+0x60/0xd0 + do_syscall_64+0xa4/0x260 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + + ---[ end trace 0000000000000000 ]--- + +To solve the hash conflict, nf_ct_resolve_clash() try to merge the +conntracks, and update skb->_nfct. However, br_nf_local_in() still use the +old ct from local variable 'nfct' after confirm(), which leads to this +warning. + +If confirm() does not insert the conntrack entry and return NF_DROP, the +warning may also occur. There is no need to reserve the WARN_ON_ONCE, just +remove it. 
+ +Link: https://lore.kernel.org/netdev/20250820043329.2902014-1-wangliang74@huawei.com/ +Fixes: 62e7151ae3eb ("netfilter: bridge: confirm multicast packets before passing them up the stack") +Suggested-by: Florian Westphal +Signed-off-by: Wang Liang +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/bridge/br_netfilter_hooks.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c +index b4d661fe7886d..c4765691e7815 100644 +--- a/net/bridge/br_netfilter_hooks.c ++++ b/net/bridge/br_netfilter_hooks.c +@@ -648,9 +648,6 @@ static unsigned int br_nf_local_in(void *priv, + break; + } + +- ct = container_of(nfct, struct nf_conn, ct_general); +- WARN_ON_ONCE(!nf_ct_is_confirmed(ct)); +- + return ret; + } + #endif +-- +2.50.1 + diff --git a/queue-6.1/netfilter-conntrack-helper-replace-eexist-by-ebusy.patch b/queue-6.1/netfilter-conntrack-helper-replace-eexist-by-ebusy.patch new file mode 100644 index 0000000000..89b17f321a --- /dev/null +++ b/queue-6.1/netfilter-conntrack-helper-replace-eexist-by-ebusy.patch 
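Review bot: with the `ct = container_of(nfct, struct nf_conn, ct_general);` line gone, check whether ct (and nfct) still have another use in br_nf_local_in(); if not, their declarations should go in the same patch or the build will warn about a set-but-unused variable. The removal itself is justified by the commit message: after confirm() the old nfct may have been replaced by nf_ct_resolve_clash() or dropped, so asserting on the stale pointer was never valid.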
@@ -0,0 +1,50 @@ +From da4ba42b65fe61e37f7dd2599ac3029b5ca958ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Aug 2025 13:22:20 +0200 +Subject: netfilter: conntrack: helper: Replace -EEXIST by -EBUSY + +From: Phil Sutter + +[ Upstream commit 54416fd76770bd04fc3c501810e8d673550bab26 ] + +The helper registration return value is passed-through by module_init +callbacks which modprobe confuses with the harmless -EEXIST returned +when trying to load an already loaded module. + +Make sure modprobe fails so users notice their helper has not been +registered and won't work. + +Suggested-by: Christophe Leroy +Fixes: 12f7a505331e ("netfilter: add user-space connection tracking helper infrastructure") +Signed-off-by: Phil Sutter +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_helper.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c +index bf09a1e062481..5545016c107db 100644 +--- a/net/netfilter/nf_conntrack_helper.c ++++ b/net/netfilter/nf_conntrack_helper.c +@@ -371,7 +371,7 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me) + (cur->tuple.src.l3num == NFPROTO_UNSPEC || + cur->tuple.src.l3num == me->tuple.src.l3num) && + cur->tuple.dst.protonum == me->tuple.dst.protonum) { +- ret = -EEXIST; ++ ret = -EBUSY; + goto out; + } + } +@@ -382,7 +382,7 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me) + hlist_for_each_entry(cur, &nf_ct_helper_hash[h], hnode) { + if (nf_ct_tuple_src_mask_cmp(&cur->tuple, &me->tuple, + &mask)) { +- ret = -EEXIST; ++ ret = -EBUSY; + goto out; + } + } +-- +2.50.1 + diff --git a/queue-6.1/phy-mscc-stop-taking-ts_lock-for-tx_queue-and-use-it.patch b/queue-6.1/phy-mscc-stop-taking-ts_lock-for-tx_queue-and-use-it.patch new file mode 100644 index 0000000000..4f8676428b --- /dev/null +++ b/queue-6.1/phy-mscc-stop-taking-ts_lock-for-tx_queue-and-use-it.patch 
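Review bot: returning -EBUSY instead of -EEXIST from nf_conntrack_helper_register() is a return-code change seen by every caller, not only module_init; the function's comment or kernel-doc should document -EBUSY for the duplicate case, and any caller that special-cased -EEXIST as a harmless duplicate needs a look. Both hunks change the duplicate-name and duplicate-tuple paths consistently, so there is no remaining -EEXIST source in this function.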
@@ -0,0 +1,147 @@ +From 81caf4679237a0cb2e70dde9177a92b3126458d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Sep 2025 14:12:59 +0200 +Subject: phy: mscc: Stop taking ts_lock for tx_queue and use its own lock + +From: Horatiu Vultur + +[ Upstream commit 9b2bfdbf43adb9929c5ddcdd96efedbf1c88cf53 ] + +When transmitting a PTP frame which is timestamp using 2 step, the +following warning appears if CONFIG_PROVE_LOCKING is enabled: +============================= +[ BUG: Invalid wait context ] +6.17.0-rc1-00326-ge6160462704e #427 Not tainted +----------------------------- +ptp4l/119 is trying to lock: +c2a44ed4 (&vsc8531->ts_lock){+.+.}-{3:3}, at: vsc85xx_txtstamp+0x50/0xac +other info that might help us debug this: +context-{4:4} +4 locks held by ptp4l/119: + #0: c145f068 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x58/0x1440 + #1: c29df974 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: __dev_queue_xmit+0x5c4/0x1440 + #2: c2aaaad0 (_xmit_ETHER#2){+.-.}-{2:2}, at: sch_direct_xmit+0x108/0x350 + #3: c2aac170 (&lan966x->tx_lock){+.-.}-{2:2}, at: lan966x_port_xmit+0xd0/0x350 +stack backtrace: +CPU: 0 UID: 0 PID: 119 Comm: ptp4l Not tainted 6.17.0-rc1-00326-ge6160462704e #427 NONE +Hardware name: Generic DT based system +Call trace: + unwind_backtrace from show_stack+0x10/0x14 + show_stack from dump_stack_lvl+0x7c/0xac + dump_stack_lvl from __lock_acquire+0x8e8/0x29dc + __lock_acquire from lock_acquire+0x108/0x38c + lock_acquire from __mutex_lock+0xb0/0xe78 + __mutex_lock from mutex_lock_nested+0x1c/0x24 + mutex_lock_nested from vsc85xx_txtstamp+0x50/0xac + vsc85xx_txtstamp from lan966x_fdma_xmit+0xd8/0x3a8 + lan966x_fdma_xmit from lan966x_port_xmit+0x1bc/0x350 + lan966x_port_xmit from dev_hard_start_xmit+0xc8/0x2c0 + dev_hard_start_xmit from sch_direct_xmit+0x8c/0x350 + sch_direct_xmit from __dev_queue_xmit+0x680/0x1440 + __dev_queue_xmit from packet_sendmsg+0xfa4/0x1568 + packet_sendmsg from __sys_sendto+0x110/0x19c + __sys_sendto from 
sys_send+0x18/0x20 + sys_send from ret_fast_syscall+0x0/0x1c +Exception stack(0xf0b05fa8 to 0xf0b05ff0) +5fa0: 00000001 0000000e 0000000e 0004b47a 0000003a 00000000 +5fc0: 00000001 0000000e 00000000 00000121 0004af58 00044874 00000000 00000000 +5fe0: 00000001 bee9d420 00025a10 b6e75c7c + +So, instead of using the ts_lock for tx_queue, use the spinlock that +skb_buff_head has. + +Reviewed-by: Vadim Fedorenko +Fixes: 7d272e63e0979d ("net: phy: mscc: timestamping and PHC support") +Signed-off-by: Horatiu Vultur +Link: https://patch.msgid.link/20250902121259.3257536-1-horatiu.vultur@microchip.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/mscc/mscc_ptp.c | 18 ++++++++---------- + 1 file changed, 8 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/phy/mscc/mscc_ptp.c b/drivers/net/phy/mscc/mscc_ptp.c +index 1f6237705b44b..939a8a17595ef 100644 +--- a/drivers/net/phy/mscc/mscc_ptp.c ++++ b/drivers/net/phy/mscc/mscc_ptp.c +@@ -455,12 +455,12 @@ static void vsc85xx_dequeue_skb(struct vsc85xx_ptp *ptp) + *p++ = (reg >> 24) & 0xff; + } + +- len = skb_queue_len(&ptp->tx_queue); ++ len = skb_queue_len_lockless(&ptp->tx_queue); + if (len < 1) + return; + + while (len--) { +- skb = __skb_dequeue(&ptp->tx_queue); ++ skb = skb_dequeue(&ptp->tx_queue); + if (!skb) + return; + +@@ -485,7 +485,7 @@ static void vsc85xx_dequeue_skb(struct vsc85xx_ptp *ptp) + * packet in the FIFO right now, reschedule it for later + * packets. 
+ */ +- __skb_queue_tail(&ptp->tx_queue, skb); ++ skb_queue_tail(&ptp->tx_queue, skb); + } + } + +@@ -1067,6 +1067,7 @@ static int vsc85xx_hwtstamp(struct mii_timestamper *mii_ts, struct ifreq *ifr) + case HWTSTAMP_TX_ON: + break; + case HWTSTAMP_TX_OFF: ++ skb_queue_purge(&vsc8531->ptp->tx_queue); + break; + default: + return -ERANGE; +@@ -1091,9 +1092,6 @@ static int vsc85xx_hwtstamp(struct mii_timestamper *mii_ts, struct ifreq *ifr) + + mutex_lock(&vsc8531->ts_lock); + +- __skb_queue_purge(&vsc8531->ptp->tx_queue); +- __skb_queue_head_init(&vsc8531->ptp->tx_queue); +- + /* Disable predictor while configuring the 1588 block */ + val = vsc85xx_ts_read_csr(phydev, PROCESSOR, + MSCC_PHY_PTP_INGR_PREDICTOR); +@@ -1179,9 +1177,7 @@ static void vsc85xx_txtstamp(struct mii_timestamper *mii_ts, + + skb_shinfo(skb)->tx_flags |= SKBTX_IN_PROGRESS; + +- mutex_lock(&vsc8531->ts_lock); +- __skb_queue_tail(&vsc8531->ptp->tx_queue, skb); +- mutex_unlock(&vsc8531->ts_lock); ++ skb_queue_tail(&vsc8531->ptp->tx_queue, skb); + return; + + out: +@@ -1547,6 +1543,7 @@ void vsc8584_ptp_deinit(struct phy_device *phydev) + if (vsc8531->ptp->ptp_clock) { + ptp_clock_unregister(vsc8531->ptp->ptp_clock); + skb_queue_purge(&vsc8531->rx_skbs_list); ++ skb_queue_purge(&vsc8531->ptp->tx_queue); + } + } + +@@ -1570,7 +1567,7 @@ irqreturn_t vsc8584_handle_ts_interrupt(struct phy_device *phydev) + if (rc & VSC85XX_1588_INT_FIFO_ADD) { + vsc85xx_get_tx_ts(priv->ptp); + } else if (rc & VSC85XX_1588_INT_FIFO_OVERFLOW) { +- __skb_queue_purge(&priv->ptp->tx_queue); ++ skb_queue_purge(&priv->ptp->tx_queue); + vsc85xx_ts_reset_fifo(phydev); + } + +@@ -1590,6 +1587,7 @@ int vsc8584_ptp_probe(struct phy_device *phydev) + mutex_init(&vsc8531->phc_lock); + mutex_init(&vsc8531->ts_lock); + skb_queue_head_init(&vsc8531->rx_skbs_list); ++ skb_queue_head_init(&vsc8531->ptp->tx_queue); + + /* Retrieve the shared load/save GPIO. 
Request it as non exclusive as + * the same GPIO can be requested by all the PHYs of the same package. +-- +2.50.1 + diff --git a/queue-6.1/ppp-fix-memory-leak-in-pad_compress_skb.patch b/queue-6.1/ppp-fix-memory-leak-in-pad_compress_skb.patch new file mode 100644 index 0000000000..eb61418e76 --- /dev/null +++ b/queue-6.1/ppp-fix-memory-leak-in-pad_compress_skb.patch 
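Review bot: the vsc85xx_hwtstamp() hunks replace the unconditional __skb_queue_purge() under ts_lock with a skb_queue_purge() only in the HWTSTAMP_TX_OFF case, so enabling timestamping while stale skbs already sit in tx_queue no longer discards them; that is a behaviour change the commit message does not mention and should either be called out or the purge kept for both cases. The rest is consistent: moving skb_queue_head_init() into vsc8584_ptp_probe() is what allows the __skb_queue_head_init() in hwtstamp to go away, and the dequeue loop snapshots the length with skb_queue_len_lockless() and re-queues with skb_queue_tail(), so each re-queued skb is examined at most once per pass.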
@@ -0,0 +1,66 @@ +From aebf57274a90adf0d0569158cb6722daeeafbce2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Sep 2025 18:07:26 +0800 +Subject: ppp: fix memory leak in pad_compress_skb + +From: Qingfang Deng + +[ Upstream commit 4844123fe0b853a4982c02666cb3fd863d701d50 ] + +If alloc_skb() fails in pad_compress_skb(), it returns NULL without +releasing the old skb. The caller does: + + skb = pad_compress_skb(ppp, skb); + if (!skb) + goto drop; + +drop: + kfree_skb(skb); + +When pad_compress_skb() returns NULL, the reference to the old skb is +lost and kfree_skb(skb) ends up doing nothing, leading to a memory leak. + +Align pad_compress_skb() semantics with realloc(): only free the old +skb if allocation and compression succeed. At the call site, use the +new_skb variable so the original skb is not lost when pad_compress_skb() +fails. + +Fixes: b3f9b92a6ec1 ("[PPP]: add PPP MPPE encryption module") +Signed-off-by: Qingfang Deng +Reviewed-by: Eric Dumazet +Reviewed-by: Yue Haibing +Link: https://patch.msgid.link/20250903100726.269839-1-dqfext@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ppp/ppp_generic.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c +index cbf1c1f23281d..f184368d5c5e7 100644 +--- a/drivers/net/ppp/ppp_generic.c ++++ b/drivers/net/ppp/ppp_generic.c +@@ -1753,7 +1753,6 @@ pad_compress_skb(struct ppp *ppp, struct sk_buff *skb) + */ + if (net_ratelimit()) + netdev_err(ppp->dev, "ppp: compressor dropped pkt\n"); +- kfree_skb(skb); + consume_skb(new_skb); + new_skb = NULL; + } +@@ -1855,9 +1854,10 @@ ppp_send_frame(struct ppp *ppp, struct sk_buff *skb) + "down - pkt dropped.\n"); + goto drop; + } +- skb = pad_compress_skb(ppp, skb); +- if (!skb) ++ new_skb = pad_compress_skb(ppp, skb); ++ if (!new_skb) + goto drop; ++ skb = new_skb; + } + + /* +-- +2.50.1 + 
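Review bot: the caller hunk in ppp_send_frame() uses new_skb but the patch adds no declaration, so new_skb must already exist in that function on the 6.1 branch; worth confirming rather than trusting the upstream context. The pad_compress_skb() hunk only drops the kfree_skb(skb) in the "compressor dropped pkt" branch, and the alloc_skb() failure the commit message describes is not in the diff, so the patch relies on that path already returning NULL without freeing skb; a comment on pad_compress_skb() stating the realloc-like contract (caller keeps ownership of skb whenever NULL is returned) would stop the next regression.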
diff --git a/queue-6.1/selftest-net-fix-weird-setsockopt-in-bind_bhash.c.patch b/queue-6.1/selftest-net-fix-weird-setsockopt-in-bind_bhash.c.patch new file mode 100644 index 0000000000..033f67c609 --- /dev/null +++ b/queue-6.1/selftest-net-fix-weird-setsockopt-in-bind_bhash.c.patch 
@@ -0,0 +1,62 @@ +From 93d3ad2189f3eb3dfbb29631a86c00f27606656d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Sep 2025 22:28:51 +0000 +Subject: selftest: net: Fix weird setsockopt() in bind_bhash.c. + +From: Kuniyuki Iwashima + +[ Upstream commit fd2004d82d8d8faa94879e3de3096c8511728637 ] + +bind_bhash.c passes (SO_REUSEADDR | SO_REUSEPORT) to setsockopt(). + +In the asm-generic definition, the value happens to match with the +bare SO_REUSEPORT, (2 | 15) == 15, but not on some arch. + +arch/alpha/include/uapi/asm/socket.h:18:#define SO_REUSEADDR 0x0004 +arch/alpha/include/uapi/asm/socket.h:24:#define SO_REUSEPORT 0x0200 +arch/mips/include/uapi/asm/socket.h:24:#define SO_REUSEADDR 0x0004 /* Allow reuse of local addresses. */ +arch/mips/include/uapi/asm/socket.h:33:#define SO_REUSEPORT 0x0200 /* Allow local address and port reuse. */ +arch/parisc/include/uapi/asm/socket.h:12:#define SO_REUSEADDR 0x0004 +arch/parisc/include/uapi/asm/socket.h:18:#define SO_REUSEPORT 0x0200 +arch/sparc/include/uapi/asm/socket.h:13:#define SO_REUSEADDR 0x0004 +arch/sparc/include/uapi/asm/socket.h:20:#define SO_REUSEPORT 0x0200 +include/uapi/asm-generic/socket.h:12:#define SO_REUSEADDR 2 +include/uapi/asm-generic/socket.h:27:#define SO_REUSEPORT 15 + +Let's pass SO_REUSEPORT only. 
+ +Fixes: c35ecb95c448 ("selftests/net: Add test for timing a bind request to a port with a populated bhash entry") +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250903222938.2601522-1-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/bind_bhash.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/net/bind_bhash.c b/tools/testing/selftests/net/bind_bhash.c +index 57ff67a3751eb..da04b0b19b73c 100644 +--- a/tools/testing/selftests/net/bind_bhash.c ++++ b/tools/testing/selftests/net/bind_bhash.c +@@ -75,7 +75,7 @@ static void *setup(void *arg) + int *array = (int *)arg; + + for (i = 0; i < MAX_CONNECTIONS; i++) { +- sock_fd = bind_socket(SO_REUSEADDR | SO_REUSEPORT, setup_addr); ++ sock_fd = bind_socket(SO_REUSEPORT, setup_addr); + if (sock_fd < 0) { + ret = sock_fd; + pthread_exit(&ret); +@@ -103,7 +103,7 @@ int main(int argc, const char *argv[]) + + setup_addr = use_v6 ? setup_addr_v6 : setup_addr_v4; + +- listener_fd = bind_socket(SO_REUSEADDR | SO_REUSEPORT, setup_addr); ++ listener_fd = bind_socket(SO_REUSEPORT, setup_addr); + if (listen(listener_fd, 100) < 0) { + perror("listen failed"); + return -1; +-- +2.50.1 + diff --git a/queue-6.1/series b/queue-6.1/series index 64457ee685..9b99bcae54 100644 --- a/queue-6.1/series +++ b/queue-6.1/series 
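Review bot: bind_socket() evidently takes a single option name, so an OR of two constants was never going to set both options; if the test really needs SO_REUSEADDR as well, bind_socket() should call setsockopt() twice rather than this one-option fix. As the commit message shows, on asm-generic the old value (2 | 15 == 15) happened to equal SO_REUSEPORT, so the change is behaviour-preserving there and a real fix on alpha, mips, parisc and sparc.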
@@ -13,3 +13,27 @@ tee-fix-null-pointer-dereference-in-tee_shm_put.patch arm64-dts-rockchip-add-vcc-supply-to-spi-flash-on-rk.patch tee-optee-ffa-fix-a-typo-of-optee_ffa_api_is_compati.patch arm64-dts-imx8mp-fix-missing-microsd-slot-vqmmc-on-d.patch +wifi-cfg80211-fix-use-after-free-in-cmp_bss.patch +netfilter-br_netfilter-do-not-check-confirmed-bit-in.patch +netfilter-conntrack-helper-replace-eexist-by-ebusy.patch +bluetooth-fix-use-after-free-in-l2cap_sock_cleanup_l.patch +xirc2ps_cs-fix-register-access-when-enabling-fulldup.patch +misdn-fix-memory-leak-in-dsp_hwec_enable.patch +icmp-fix-icmp_ndo_send-address-translation-for-reply.patch +net-macb-fix-tx_ptr_lock-locking.patch +net-smc-fix-one-null-pointer-dereference-in-smc_ib_i.patch +i40e-fix-potential-invalid-access-when-mac-list-is-e.patch +net-ethernet-mtk_eth_soc-fix-tx-vlan-tag-for-llc-pac.patch +wifi-cw1200-cap-ssid-length-in-cw1200_do_join.patch +wifi-libertas-cap-ssid-len-in-lbs_associate.patch +wifi-cfg80211-sme-cap-ssid-length-in-__cfg80211_conn.patch +net-thunder_bgx-add-a-missing-of_node_put.patch +net-thunder_bgx-decrement-cleanup-index-before-use.patch +ipv4-fix-null-vs-error-pointer-check-in-inet_blackho.patch +net-smc-remove-validation-of-reserved-bits-in-clc-de.patch +mctp-return-enoprotoopt-for-unknown-getsockopt-optio.patch +ax25-properly-unshare-skbs-in-ax25_kiss_rcv.patch +net-atm-fix-memory-leak-in-atm_register_sysfs-when-d.patch +ppp-fix-memory-leak-in-pad_compress_skb.patch +selftest-net-fix-weird-setsockopt-in-bind_bhash.c.patch +phy-mscc-stop-taking-ts_lock-for-tx_queue-and-use-it.patch diff --git a/queue-6.1/wifi-cfg80211-fix-use-after-free-in-cmp_bss.patch b/queue-6.1/wifi-cfg80211-fix-use-after-free-in-cmp_bss.patch new file mode 100644 index 0000000000..e5af162fdf --- /dev/null +++ b/queue-6.1/wifi-cfg80211-fix-use-after-free-in-cmp_bss.patch 
@@ -0,0 +1,43 @@ +From cd2e358a8d181cd48d4ccc86aa2d4c00c830eac5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Aug 2025 16:52:36 +0300 +Subject: wifi: cfg80211: fix use-after-free in cmp_bss() + +From: Dmitry Antipov + +[ Upstream commit 26e84445f02ce6b2fe5f3e0e28ff7add77f35e08 ] + +Following bss_free() quirk introduced in commit 776b3580178f +("cfg80211: track hidden SSID networks properly"), adjust +cfg80211_update_known_bss() to free the last beacon frame +elements only if they're not shared via the corresponding +'hidden_beacon_bss' pointer. + +Reported-by: syzbot+30754ca335e6fb7e3092@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=30754ca335e6fb7e3092 +Fixes: 3ab8227d3e7d ("cfg80211: refactor cfg80211_bss_update") +Signed-off-by: Dmitry Antipov +Link: https://patch.msgid.link/20250813135236.799384-1-dmantipov@yandex.ru +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/scan.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/wireless/scan.c b/net/wireless/scan.c +index 810293f160a8c..7369172819fdf 100644 +--- a/net/wireless/scan.c ++++ b/net/wireless/scan.c +@@ -1785,7 +1785,8 @@ cfg80211_update_known_bss(struct cfg80211_registered_device *rdev, + */ + + f = rcu_access_pointer(new->pub.beacon_ies); +- kfree_rcu((struct cfg80211_bss_ies *)f, rcu_head); ++ if (!new->pub.hidden_beacon_bss) ++ kfree_rcu((struct cfg80211_bss_ies *)f, rcu_head); + return false; + } + +-- +2.50.1 + diff --git a/queue-6.1/wifi-cfg80211-sme-cap-ssid-length-in-__cfg80211_conn.patch b/queue-6.1/wifi-cfg80211-sme-cap-ssid-length-in-__cfg80211_conn.patch new file mode 100644 index 0000000000..d523018ee6 --- /dev/null +++ b/queue-6.1/wifi-cfg80211-sme-cap-ssid-length-in-__cfg80211_conn.patch 
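Review bot: after this change f = rcu_access_pointer(new->pub.beacon_ies) is read even when hidden_beacon_bss is set and then never used; moving the read inside the if keeps the intent clear. More importantly the hunk adds no comment explaining why the ies are not freed (they are shared with the hidden_beacon_bss entry, per the commit message) and the comment block visible just above the change is cut off in this context, so a one-line note at the if would help the next reader.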
@@ -0,0 +1,46 @@ +From afcdb7e9b34bc2ef956d83aa38e3a7549b7066f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Aug 2025 15:48:45 +0300 +Subject: wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result() + +From: Dan Carpenter + +[ Upstream commit 62b635dcd69c4fde7ce1de4992d71420a37e51e3 ] + +If the ssid->datalen is more than IEEE80211_MAX_SSID_LEN (32) it would +lead to memory corruption so add some bounds checking. + +Fixes: c38c70185101 ("wifi: cfg80211: Set SSID if it is not already set") +Signed-off-by: Dan Carpenter +Link: https://patch.msgid.link/0aaaae4a3ed37c6252363c34ae4904b1604e8e32.1756456951.git.dan.carpenter@linaro.org +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/sme.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/wireless/sme.c b/net/wireless/sme.c +index e35c3c29cec7d..ed16e852133e7 100644 +--- a/net/wireless/sme.c ++++ b/net/wireless/sme.c +@@ -886,13 +886,16 @@ void __cfg80211_connect_result(struct net_device *dev, + if (!wdev->u.client.ssid_len) { + rcu_read_lock(); + for_each_valid_link(cr, link) { ++ u32 ssid_len; ++ + ssid = ieee80211_bss_get_elem(cr->links[link].bss, + WLAN_EID_SSID); + + if (!ssid || !ssid->datalen) + continue; + +- memcpy(wdev->u.client.ssid, ssid->data, ssid->datalen); ++ ssid_len = min(ssid->datalen, IEEE80211_MAX_SSID_LEN); ++ memcpy(wdev->u.client.ssid, ssid->data, ssid_len); + wdev->u.client.ssid_len = ssid->datalen; + break; + } +-- +2.50.1 + diff --git a/queue-6.1/wifi-cw1200-cap-ssid-length-in-cw1200_do_join.patch b/queue-6.1/wifi-cw1200-cap-ssid-length-in-cw1200_do_join.patch new file mode 100644 index 0000000000..632fd39fe2 --- /dev/null +++ b/queue-6.1/wifi-cw1200-cap-ssid-length-in-cw1200_do_join.patch 
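Review bot: the hunk truncates the memcpy() to ssid_len but still stores wdev->u.client.ssid_len = ssid->datalen, so for an oversized SSID element the recorded length exceeds the bytes actually copied into the fixed-size ssid buffer and any reader that walks ssid_len bytes will over-read; the assignment should use ssid_len too. Separately, on the 6.1 branch min() of a u8 datalen and the int constant IEEE80211_MAX_SSID_LEN trips the distinct-pointer-types typecheck warning in minmax.h; min_t(u8, ...) avoids that and is worth a build check.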
@@ -0,0 +1,36 @@ +From 093fcee9dcb9666f1925a9f2312d914ea06829e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Aug 2025 15:48:28 +0300 +Subject: wifi: cw1200: cap SSID length in cw1200_do_join() + +From: Dan Carpenter + +[ Upstream commit f8f15f6742b8874e59c9c715d0af3474608310ad ] + +If the ssidie[1] length is more than 32 it leads to memory corruption. + +Fixes: a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets") +Signed-off-by: Dan Carpenter +Link: https://patch.msgid.link/e91fb43fcedc4893b604dfb973131661510901a7.1756456951.git.dan.carpenter@linaro.org +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/st/cw1200/sta.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/st/cw1200/sta.c b/drivers/net/wireless/st/cw1200/sta.c +index 8ef1d06b9bbdd..121d810c8839e 100644 +--- a/drivers/net/wireless/st/cw1200/sta.c ++++ b/drivers/net/wireless/st/cw1200/sta.c +@@ -1290,7 +1290,7 @@ static void cw1200_do_join(struct cw1200_common *priv) + rcu_read_lock(); + ssidie = ieee80211_bss_get_ie(bss, WLAN_EID_SSID); + if (ssidie) { +- join.ssid_len = ssidie[1]; ++ join.ssid_len = min(ssidie[1], IEEE80211_MAX_SSID_LEN); + memcpy(join.ssid, &ssidie[2], join.ssid_len); + } + rcu_read_unlock(); +-- +2.50.1 + diff --git a/queue-6.1/wifi-libertas-cap-ssid-len-in-lbs_associate.patch b/queue-6.1/wifi-libertas-cap-ssid-len-in-lbs_associate.patch new file mode 100644 index 0000000000..f1374592b5 --- /dev/null +++ b/queue-6.1/wifi-libertas-cap-ssid-len-in-lbs_associate.patch 
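Review bot: `join.ssid_len = min(ssidie[1], IEEE80211_MAX_SSID_LEN);` stops the overflow of join.ssid but then joins with a silently truncated SSID when the element is malformed; consider treating a length above IEEE80211_MAX_SSID_LEN as "no SSID" (leave join.ssid_len at 0 and log it) rather than associating to a network whose name the driver has rewritten, since a truncated 32-byte prefix can legitimately match a different BSS. The pointer is read under the rcu_read_lock() kept in the visible context, so nothing further is needed on that side.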
@@ -0,0 +1,44 @@ +From 7b103fd6923b404cebe3b3cc7a88a3f6312ee82d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Aug 2025 15:48:35 +0300 +Subject: wifi: libertas: cap SSID len in lbs_associate() + +From: Dan Carpenter + +[ Upstream commit c786794bd27b0d7a5fd9063695df83206009be59 ] + +If the ssid_eid[1] length is more than 32 it leads to memory corruption. + +Fixes: a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets") +Signed-off-by: Dan Carpenter +Link: https://patch.msgid.link/2a40f5ec7617144aef412034c12919a4927d90ad.1756456951.git.dan.carpenter@linaro.org +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/libertas/cfg.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/marvell/libertas/cfg.c b/drivers/net/wireless/marvell/libertas/cfg.c +index 3e065cbb0af91..5f0fef67fa841 100644 +--- a/drivers/net/wireless/marvell/libertas/cfg.c ++++ b/drivers/net/wireless/marvell/libertas/cfg.c +@@ -1101,10 +1101,13 @@ static int lbs_associate(struct lbs_private *priv, + /* add SSID TLV */ + rcu_read_lock(); + ssid_eid = ieee80211_bss_get_ie(bss, WLAN_EID_SSID); +- if (ssid_eid) +- pos += lbs_add_ssid_tlv(pos, ssid_eid + 2, ssid_eid[1]); +- else ++ if (ssid_eid) { ++ u32 ssid_len = min(ssid_eid[1], IEEE80211_MAX_SSID_LEN); ++ ++ pos += lbs_add_ssid_tlv(pos, ssid_eid + 2, ssid_len); ++ } else { + lbs_deb_assoc("no SSID\n"); ++ } + rcu_read_unlock(); + + /* add DS param TLV */ +-- +2.50.1 + diff --git a/queue-6.1/xirc2ps_cs-fix-register-access-when-enabling-fulldup.patch b/queue-6.1/xirc2ps_cs-fix-register-access-when-enabling-fulldup.patch new file mode 100644 index 0000000000..9d78eba7b5 --- /dev/null +++ b/queue-6.1/xirc2ps_cs-fix-register-access-when-enabling-fulldup.patch 
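Review bot: the Fixes: tag names a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets"), the cw1200 driver's initial commit, while the hunk is in drivers/net/wireless/marvell/libertas/cfg.c; it looks copied from the companion cw1200 patch and should point at the libertas commit that introduced `lbs_add_ssid_tlv(pos, ssid_eid + 2, ssid_eid[1])`, otherwise stable trees key the backport on the wrong history. Separately, as in cw1200, `min(ssid_eid[1], IEEE80211_MAX_SSID_LEN)` truncates a malformed element instead of rejecting it; the existing `lbs_deb_assoc("no SSID\n")` branch is the natural place to route an oversized element.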
@@ -0,0 +1,44 @@ +From da5bc216d65d573c689ced0980d49041a6ef2ae5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Aug 2025 12:26:43 -0700 +Subject: xirc2ps_cs: fix register access when enabling FullDuplex + +From: Alok Tiwari + +[ Upstream commit b79e498080b170fd94fc83bca2471f450811549b ] + +The current code incorrectly passes (XIRCREG1_ECR | FullDuplex) as +the register address to GetByte(), instead of fetching the register +value and OR-ing it with FullDuplex. This results in an invalid +register access. + +Fix it by reading XIRCREG1_ECR first, then or-ing with FullDuplex +before writing it back. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Alok Tiwari +Reviewed-by: Simon Horman +Reviewed-by: Jacob Keller +Link: https://patch.msgid.link/20250827192645.658496-1-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/xircom/xirc2ps_cs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/xircom/xirc2ps_cs.c b/drivers/net/ethernet/xircom/xirc2ps_cs.c +index 9f505cf02d965..2dc1cfcd7ce99 100644 +--- a/drivers/net/ethernet/xircom/xirc2ps_cs.c ++++ b/drivers/net/ethernet/xircom/xirc2ps_cs.c +@@ -1578,7 +1578,7 @@ do_reset(struct net_device *dev, int full) + msleep(40); /* wait 40 msec to let it complete */ + } + if (full_duplex) +- PutByte(XIRCREG1_ECR, GetByte(XIRCREG1_ECR | FullDuplex)); ++ PutByte(XIRCREG1_ECR, GetByte(XIRCREG1_ECR) | FullDuplex); + } else { /* No MII */ + SelectPage(0); + value = GetByte(XIRCREG_ESR); /* read the ESR */ +-- +2.50.1 + diff --git a/queue-6.12/ax25-properly-unshare-skbs-in-ax25_kiss_rcv.patch b/queue-6.12/ax25-properly-unshare-skbs-in-ax25_kiss_rcv.patch new file mode 100644 index 0000000000..0562dc8b04 --- /dev/null +++ b/queue-6.12/ax25-properly-unshare-skbs-in-ax25_kiss_rcv.patch 
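Review bot: `PutByte(XIRCREG1_ECR, GetByte(XIRCREG1_ECR) | FullDuplex);` is the intended read-modify-write, but GetByte()/PutByte() address registers on whichever page is currently selected and the only SelectPage() visible in the hunk is the `SelectPage(0)` of the else branch; confirm that page 1 is selected at this point of do_reset() (XIRCREG1_ECR is a page-1 register by name) and, if that is not guaranteed by the code above the hunk, add a SelectPage(1) before the read so the fix does not swap one wrong register access for another.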
@@ -0,0 +1,59 @@ +From 0d8e55d405cf1b187b73951e817ac40b82d28a1c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Sep 2025 12:46:42 +0000 +Subject: ax25: properly unshare skbs in ax25_kiss_rcv() + +From: Eric Dumazet + +[ Upstream commit 8156210d36a43e76372312c87eb5ea3dbb405a85 ] + +Bernard Pidoux reported a regression apparently caused by commit +c353e8983e0d ("net: introduce per netns packet chains"). + +skb->dev becomes NULL and we crash in __netif_receive_skb_core(). + +Before above commit, different kind of bugs or corruptions could happen +without a major crash. + +But the root cause is that ax25_kiss_rcv() can queue/mangle input skb +without checking if this skb is shared or not. + +Many thanks to Bernard Pidoux for his help, diagnosis and tests. + +We had a similar issue years ago fixed with commit 7aaed57c5c28 +("phonet: properly unshare skbs in phonet_rcv()"). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Bernard Pidoux +Closes: https://lore.kernel.org/netdev/1713f383-c538-4918-bc64-13b3288cd542@free.fr/ +Tested-by: Bernard Pidoux +Signed-off-by: Eric Dumazet +Cc: Joerg Reuter +Cc: David Ranch +Cc: Folkert van Heusden +Reviewed-by: Dan Cross +Link: https://patch.msgid.link/20250902124642.212705-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ax25/ax25_in.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/ax25/ax25_in.c b/net/ax25/ax25_in.c +index 1cac25aca6378..f2d66af863595 100644 +--- a/net/ax25/ax25_in.c ++++ b/net/ax25/ax25_in.c +@@ -433,6 +433,10 @@ static int ax25_rcv(struct sk_buff *skb, struct net_device *dev, + int ax25_kiss_rcv(struct sk_buff *skb, struct net_device *dev, + struct packet_type *ptype, struct net_device *orig_dev) + { ++ skb = skb_share_check(skb, GFP_ATOMIC); ++ if (!skb) ++ return NET_RX_DROP; ++ + skb_orphan(skb); + + if (!net_eq(dev_net(dev), &init_net)) { +-- +2.50.1 + 
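Review bot: the share check is placed ahead of the `!net_eq(dev_net(dev), &init_net)` reject, so a shared skb that is about to be dropped for a non-init netns is cloned first; moving that cheap, skb-independent check in front of `skb = skb_share_check(skb, GFP_ATOMIC);` avoids the allocation on the drop path (skb_orphan() must stay after the share check, since it writes skb->sk and skb->destructor on the struct other holders still see). The `return NET_RX_DROP` on NULL is correct as written because skb_share_check() releases the original skb when the clone fails, but a short comment saying so would stop a later reader from adding a kfree_skb() there.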
diff --git a/queue-6.12/bluetooth-fix-use-after-free-in-l2cap_sock_cleanup_l.patch b/queue-6.12/bluetooth-fix-use-after-free-in-l2cap_sock_cleanup_l.patch new file mode 100644 index 0000000000..dfd46455d6 --- /dev/null +++ b/queue-6.12/bluetooth-fix-use-after-free-in-l2cap_sock_cleanup_l.patch 
@@ -0,0 +1,171 @@ +From d0f1d7d2a438ff4b740644c2dd0e9fb923b90bbd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Aug 2025 20:40:14 +0000 +Subject: Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen() + +From: Kuniyuki Iwashima + +[ Upstream commit 862c628108562d8c7a516a900034823b381d3cba ] + +syzbot reported the splat below without a repro. + +In the splat, a single thread calling bt_accept_dequeue() freed sk +and touched it after that. + +The root cause would be the racy l2cap_sock_cleanup_listen() call +added by the cited commit. + +bt_accept_dequeue() is called under lock_sock() except for +l2cap_sock_release(). + +Two threads could see the same socket during the list iteration +in bt_accept_dequeue(): + + CPU1 CPU2 (close()) + ---- ---- + sock_hold(sk) sock_hold(sk); + lock_sock(sk) <-- block close() + sock_put(sk) + bt_accept_unlink(sk) + sock_put(sk) <-- refcnt by bt_accept_enqueue() + release_sock(sk) + lock_sock(sk) + sock_put(sk) + bt_accept_unlink(sk) + sock_put(sk) <-- last refcnt + bt_accept_unlink(sk) <-- UAF + +Depending on the timing, the other thread could show up in the +"Freed by task" part. + +Let's call l2cap_sock_cleanup_listen() under lock_sock() in +l2cap_sock_release(). 
+ +[0]: +BUG: KASAN: slab-use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline] +BUG: KASAN: slab-use-after-free in do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115 +Read of size 4 at addr ffff88803b7eb1c4 by task syz.5.3276/16995 +CPU: 3 UID: 0 PID: 16995 Comm: syz.5.3276 Not tainted syzkaller #0 PREEMPT(full) +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0xcd/0x630 mm/kasan/report.c:482 + kasan_report+0xe0/0x110 mm/kasan/report.c:595 + debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline] + do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115 + spin_lock_bh include/linux/spinlock.h:356 [inline] + release_sock+0x21/0x220 net/core/sock.c:3746 + bt_accept_dequeue+0x505/0x600 net/bluetooth/af_bluetooth.c:312 + l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451 + l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425 + __sock_release+0xb3/0x270 net/socket.c:649 + sock_close+0x1c/0x30 net/socket.c:1439 + __fput+0x3ff/0xb70 fs/file_table.c:468 + task_work_run+0x14d/0x240 kernel/task_work.c:227 + resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] + exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43 + exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline] + syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline] + syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline] + do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f2accf8ebe9 +Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff 
f7 d8 64 89 01 48 +RSP: 002b:00007ffdb6cb1378 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 +RAX: 0000000000000000 RBX: 00000000000426fb RCX: 00007f2accf8ebe9 +RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 +RBP: 00007f2acd1b7da0 R08: 0000000000000001 R09: 00000012b6cb166f +R10: 0000001b30e20000 R11: 0000000000000246 R12: 00007f2acd1b609c +R13: 00007f2acd1b6090 R14: ffffffffffffffff R15: 00007ffdb6cb1490 + + +Allocated by task 5326: + kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 + kasan_save_track+0x14/0x30 mm/kasan/common.c:68 + poison_kmalloc_redzone mm/kasan/common.c:388 [inline] + __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:405 + kasan_kmalloc include/linux/kasan.h:260 [inline] + __do_kmalloc_node mm/slub.c:4365 [inline] + __kmalloc_noprof+0x223/0x510 mm/slub.c:4377 + kmalloc_noprof include/linux/slab.h:909 [inline] + sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2239 + sk_alloc+0x36/0xc20 net/core/sock.c:2295 + bt_sock_alloc+0x3b/0x3a0 net/bluetooth/af_bluetooth.c:151 + l2cap_sock_alloc.constprop.0+0x33/0x1d0 net/bluetooth/l2cap_sock.c:1894 + l2cap_sock_new_connection_cb+0x101/0x240 net/bluetooth/l2cap_sock.c:1482 + l2cap_connect_cfm+0x4c4/0xf80 net/bluetooth/l2cap_core.c:7287 + hci_connect_cfm include/net/bluetooth/hci_core.h:2050 [inline] + hci_remote_features_evt+0x4dd/0x970 net/bluetooth/hci_event.c:3712 + hci_event_func net/bluetooth/hci_event.c:7519 [inline] + hci_event_packet+0xa0d/0x11c0 net/bluetooth/hci_event.c:7573 + hci_rx_work+0x2c5/0x16b0 net/bluetooth/hci_core.c:4071 + process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236 + process_scheduled_works kernel/workqueue.c:3319 [inline] + worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400 + kthread+0x3c2/0x780 kernel/kthread.c:463 + ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 + +Freed by task 16995: + kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 + kasan_save_track+0x14/0x30 mm/kasan/common.c:68 + 
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576 + poison_slab_object mm/kasan/common.c:243 [inline] + __kasan_slab_free+0x60/0x70 mm/kasan/common.c:275 + kasan_slab_free include/linux/kasan.h:233 [inline] + slab_free_hook mm/slub.c:2417 [inline] + slab_free mm/slub.c:4680 [inline] + kfree+0x2b4/0x4d0 mm/slub.c:4879 + sk_prot_free net/core/sock.c:2278 [inline] + __sk_destruct+0x75f/0x9a0 net/core/sock.c:2373 + sk_destruct+0xc2/0xf0 net/core/sock.c:2401 + __sk_free+0xf4/0x3e0 net/core/sock.c:2412 + sk_free+0x6a/0x90 net/core/sock.c:2423 + sock_put include/net/sock.h:1960 [inline] + bt_accept_unlink+0x245/0x2e0 net/bluetooth/af_bluetooth.c:262 + bt_accept_dequeue+0x517/0x600 net/bluetooth/af_bluetooth.c:308 + l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451 + l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425 + __sock_release+0xb3/0x270 net/socket.c:649 + sock_close+0x1c/0x30 net/socket.c:1439 + __fput+0x3ff/0xb70 fs/file_table.c:468 + task_work_run+0x14d/0x240 kernel/task_work.c:227 + resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] + exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43 + exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline] + syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline] + syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline] + do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: 1728137b33c0 ("Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb") +Reported-by: syzbot+e5e64cdf8e92046dd3e1@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/linux-bluetooth/68af6b9d.a70a0220.3cafd4.0032.GAE@google.com/ +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_sock.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c +index 
615c18e290ab9..b35f1551b9be7 100644 +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -1409,7 +1409,10 @@ static int l2cap_sock_release(struct socket *sock) + if (!sk) + return 0; + ++ lock_sock_nested(sk, L2CAP_NESTING_PARENT); + l2cap_sock_cleanup_listen(sk); ++ release_sock(sk); ++ + bt_sock_unlink(&l2cap_sk_list, sk); + + err = l2cap_sock_shutdown(sock, SHUT_RDWR); +-- +2.50.1 + diff --git a/queue-6.12/bluetooth-vhci-prevent-use-after-free-by-removing-de.patch b/queue-6.12/bluetooth-vhci-prevent-use-after-free-by-removing-de.patch new file mode 100644 index 0000000000..97d6d11e53 --- /dev/null +++ b/queue-6.12/bluetooth-vhci-prevent-use-after-free-by-removing-de.patch 
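Review bot: the fix relies on every caller of l2cap_sock_cleanup_listen() holding the socket lock, but nothing enforces it; add a lockdep_sock_is_held(sk) assertion (or at least a comment) inside l2cap_sock_cleanup_listen() so the unlocked call this patch removes from l2cap_sock_release() cannot be reintroduced. The message would also benefit from one sentence on why `lock_sock_nested(sk, L2CAP_NESTING_PARENT)` is the right class here: bt_accept_dequeue() locks each child socket while the parent is held, so the nesting annotation is what keeps lockdep quiet, not a change in locking order.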
@@ -0,0 +1,125 @@ +From f58686cf85219dafd8736569932eeae1b7541f0a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Aug 2025 10:53:25 -0400 +Subject: Bluetooth: vhci: Prevent use-after-free by removing debugfs files + early + +From: Ivan Pravdin + +[ Upstream commit 28010791193a4503f054e8d69a950ef815deb539 ] + +Move the creation of debugfs files into a dedicated function, and ensure +they are explicitly removed during vhci_release(), before associated +data structures are freed. + +Previously, debugfs files such as "force_suspend", "force_wakeup", and +others were created under hdev->debugfs but not removed in +vhci_release(). Since vhci_release() frees the backing vhci_data +structure, any access to these files after release would result in +use-after-free errors. + +Although hdev->debugfs is later freed in hci_release_dev(), user can +access files after vhci_data is freed but before hdev->debugfs is +released. + +Fixes: ab4e4380d4e1 ("Bluetooth: Add vhci devcoredump support") +Signed-off-by: Ivan Pravdin +Reviewed-by: Paul Menzel +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/hci_vhci.c | 57 ++++++++++++++++++++++++++---------- + 1 file changed, 41 insertions(+), 16 deletions(-) + +diff --git a/drivers/bluetooth/hci_vhci.c b/drivers/bluetooth/hci_vhci.c +index 9ac22e4a070be..59872e73c1878 100644 +--- a/drivers/bluetooth/hci_vhci.c ++++ b/drivers/bluetooth/hci_vhci.c +@@ -380,6 +380,28 @@ static const struct file_operations force_devcoredump_fops = { + .write = force_devcd_write, + }; + ++static void vhci_debugfs_init(struct vhci_data *data) ++{ ++ struct hci_dev *hdev = data->hdev; ++ ++ debugfs_create_file("force_suspend", 0644, hdev->debugfs, data, ++ &force_suspend_fops); ++ ++ debugfs_create_file("force_wakeup", 0644, hdev->debugfs, data, ++ &force_wakeup_fops); ++ ++ if (IS_ENABLED(CONFIG_BT_MSFTEXT)) ++ debugfs_create_file("msft_opcode", 0644, hdev->debugfs, data, ++ &msft_opcode_fops); ++ ++ if 
(IS_ENABLED(CONFIG_BT_AOSPEXT)) ++ debugfs_create_file("aosp_capable", 0644, hdev->debugfs, data, ++ &aosp_capable_fops); ++ ++ debugfs_create_file("force_devcoredump", 0644, hdev->debugfs, data, ++ &force_devcoredump_fops); ++} ++ + static int __vhci_create_device(struct vhci_data *data, __u8 opcode) + { + struct hci_dev *hdev; +@@ -433,22 +455,8 @@ static int __vhci_create_device(struct vhci_data *data, __u8 opcode) + return -EBUSY; + } + +- debugfs_create_file("force_suspend", 0644, hdev->debugfs, data, +- &force_suspend_fops); +- +- debugfs_create_file("force_wakeup", 0644, hdev->debugfs, data, +- &force_wakeup_fops); +- +- if (IS_ENABLED(CONFIG_BT_MSFTEXT)) +- debugfs_create_file("msft_opcode", 0644, hdev->debugfs, data, +- &msft_opcode_fops); +- +- if (IS_ENABLED(CONFIG_BT_AOSPEXT)) +- debugfs_create_file("aosp_capable", 0644, hdev->debugfs, data, +- &aosp_capable_fops); +- +- debugfs_create_file("force_devcoredump", 0644, hdev->debugfs, data, +- &force_devcoredump_fops); ++ if (!IS_ERR_OR_NULL(hdev->debugfs)) ++ vhci_debugfs_init(data); + + hci_skb_pkt_type(skb) = HCI_VENDOR_PKT; + +@@ -650,6 +658,21 @@ static int vhci_open(struct inode *inode, struct file *file) + return 0; + } + ++static void vhci_debugfs_remove(struct hci_dev *hdev) ++{ ++ debugfs_lookup_and_remove("force_suspend", hdev->debugfs); ++ ++ debugfs_lookup_and_remove("force_wakeup", hdev->debugfs); ++ ++ if (IS_ENABLED(CONFIG_BT_MSFTEXT)) ++ debugfs_lookup_and_remove("msft_opcode", hdev->debugfs); ++ ++ if (IS_ENABLED(CONFIG_BT_AOSPEXT)) ++ debugfs_lookup_and_remove("aosp_capable", hdev->debugfs); ++ ++ debugfs_lookup_and_remove("force_devcoredump", hdev->debugfs); ++} ++ + static int vhci_release(struct inode *inode, struct file *file) + { + struct vhci_data *data = file->private_data; +@@ -661,6 +684,8 @@ static int vhci_release(struct inode *inode, struct file *file) + hdev = data->hdev; + + if (hdev) { ++ if (!IS_ERR_OR_NULL(hdev->debugfs)) ++ vhci_debugfs_remove(hdev); + 
hci_unregister_dev(hdev); + hci_free_dev(hdev); + } +-- +2.50.1 + diff --git a/queue-6.12/bnxt_en-fix-incorrect-page-count-in-rx-aggr-ring-log.patch b/queue-6.12/bnxt_en-fix-incorrect-page-count-in-rx-aggr-ring-log.patch new file mode 100644 index 0000000000..551c8710fe --- /dev/null +++ b/queue-6.12/bnxt_en-fix-incorrect-page-count-in-rx-aggr-ring-log.patch 
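Review bot: vhci_debugfs_init() and vhci_debugfs_remove() are now two hand-maintained copies of the same file list (five names plus the CONFIG_BT_MSFTEXT and CONFIG_BT_AOSPEXT conditions); a static table of {name, fops, enabled} iterated by both functions would keep them from drifting, which is the class of bug this patch is fixing. Note also that the `if (!IS_ERR_OR_NULL(hdev->debugfs))` guard on the create side changes behaviour when hdev->debugfs is NULL (the old code would have created the files in the debugfs root); if that is intended, say so in the message, and if not, keep the guard only in front of debugfs_lookup_and_remove(), where it is actually required.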
@@ -0,0 +1,44 @@ +From 2de783008907375ef749a95e70d5671b1807ac6e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Aug 2025 23:23:27 -0700 +Subject: bnxt_en: fix incorrect page count in RX aggr ring log + +From: Alok Tiwari + +[ Upstream commit 7000f4fa9b24ae2511b07babd0d49e888db5d265 ] + +The warning in bnxt_alloc_one_rx_ring_netmem() reports the number +of pages allocated for the RX aggregation ring. However, it +mistakenly used bp->rx_ring_size instead of bp->rx_agg_ring_size, +leading to confusing or misleading log output. + +Use the correct bp->rx_agg_ring_size value to fix this. + +Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.") +Signed-off-by: Alok Tiwari +Reviewed-by: Jacob Keller +Reviewed-by: Michael Chan +Reviewed-by: Somnath Kotur +Link: https://patch.msgid.link/20250830062331.783783-1-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index 08886c3a28c61..8a6f3e230fce6 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -4207,7 +4207,7 @@ static void bnxt_alloc_one_rx_ring_page(struct bnxt *bp, + for (i = 0; i < bp->rx_agg_ring_size; i++) { + if (bnxt_alloc_rx_page(bp, rxr, prod, GFP_KERNEL)) { + netdev_warn(bp->dev, "init'ed rx ring %d with %d/%d pages only\n", +- ring_nr, i, bp->rx_ring_size); ++ ring_nr, i, bp->rx_agg_ring_size); + break; + } + prod = NEXT_RX_AGG(prod); +-- +2.50.1 + diff --git a/queue-6.12/i40e-fix-potential-invalid-access-when-mac-list-is-e.patch b/queue-6.12/i40e-fix-potential-invalid-access-when-mac-list-is-e.patch new file mode 100644 index 0000000000..eb32ef789b --- /dev/null +++ b/queue-6.12/i40e-fix-potential-invalid-access-when-mac-list-is-e.patch 
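Review bot: the message refers to bnxt_alloc_one_rx_ring_netmem(), but in this tree the hunk context shows the function as bnxt_alloc_one_rx_ring_page(); add a backport note mentioning the rename so the stable commit message matches the code it touches. The change itself is right: the loop bound is `bp->rx_agg_ring_size`, and the netdev_warn() now reports the same quantity it is counting against.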
@@ -0,0 +1,42 @@ +From 1fe868e3d7def114b934dd09a4ecbc7fd524316b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Aug 2025 19:56:31 +0800 +Subject: i40e: Fix potential invalid access when MAC list is empty + +From: Zhen Ni + +[ Upstream commit a556f06338e1d5a85af0e32ecb46e365547f92b9 ] + +list_first_entry() never returns NULL - if the list is empty, it still +returns a pointer to an invalid object, leading to potential invalid +memory access when dereferenced. + +Fix this by using list_first_entry_or_null instead of list_first_entry. + +Fixes: e3219ce6a775 ("i40e: Add support for client interface for IWARP driver") +Signed-off-by: Zhen Ni +Reviewed-by: Paul Menzel +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_client.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_client.c b/drivers/net/ethernet/intel/i40e/i40e_client.c +index 59263551c3838..0b099e5f48163 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_client.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_client.c +@@ -359,8 +359,8 @@ static void i40e_client_add_instance(struct i40e_pf *pf) + if (i40e_client_get_params(vsi, &cdev->lan_info.params)) + goto free_cdev; + +- mac = list_first_entry(&cdev->lan_info.netdev->dev_addrs.list, +- struct netdev_hw_addr, list); ++ mac = list_first_entry_or_null(&cdev->lan_info.netdev->dev_addrs.list, ++ struct netdev_hw_addr, list); + if (mac) + ether_addr_copy(cdev->lan_info.lanmac, mac->addr); + else +-- +2.50.1 + diff --git a/queue-6.12/i40e-remove-read-access-to-debugfs-files.patch b/queue-6.12/i40e-remove-read-access-to-debugfs-files.patch new file mode 100644 index 0000000000..2006fd5fc1 --- /dev/null +++ b/queue-6.12/i40e-remove-read-access-to-debugfs-files.patch 
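Review bot: list_first_entry_or_null() makes the existing `if (mac) ... else` branch meaningful, but dev_addrs.list is normally only safe to read under netif_addr_lock_bh() or RTNL, and the hunk does not show either being held in i40e_client_add_instance(); confirm the caller's locking or wrap the lookup and the ether_addr_copy() in netif_addr_lock_bh()/netif_addr_unlock_bh() on cdev->lan_info.netdev, otherwise the first entry can be unlinked between the two calls.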
@@ -0,0 +1,286 @@ +From 92c58f45763331b549d118c4e371cdb817a77460 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Jul 2025 17:14:37 -0700 +Subject: i40e: remove read access to debugfs files + +From: Jacob Keller + +[ Upstream commit 9fcdb1c3c4ba134434694c001dbff343f1ffa319 ] + +The 'command' and 'netdev_ops' debugfs files are a legacy debugging +interface supported by the i40e driver since its early days by commit +02e9c290814c ("i40e: debugfs interface"). + +Both of these debugfs files provide a read handler which is mostly useless, +and which is implemented with questionable logic. They both use a static +256 byte buffer which is initialized to the empty string. In the case of +the 'command' file this buffer is literally never used and simply wastes +space. In the case of the 'netdev_ops' file, the last command written is +saved here. + +On read, the files contents are presented as the name of the device +followed by a colon and then the contents of their respective static +buffer. For 'command' this will always be ": ". For 'netdev_ops', +this will be ": ". But note the buffer is +shared between all devices operated by this module. At best, it is mostly +meaningless information, and at worse it could be accessed simultaneously +as there doesn't appear to be any locking mechanism. + +We have also recently received multiple reports for both read functions +about their use of snprintf and potential overflow that could result in +reading arbitrary kernel memory. For the 'command' file, this is definitely +impossible, since the static buffer is always zero and never written to. +For the 'netdev_ops' file, it does appear to be possible, if the user +carefully crafts the command input, it will be copied into the buffer, +which could be large enough to cause snprintf to truncate, which then +causes the copy_to_user to read beyond the length of the buffer allocated +by kzalloc. 
+ +A minimal fix would be to replace snprintf() with scnprintf() which would +cap the return to the number of bytes written, preventing an overflow. A +more involved fix would be to drop the mostly useless static buffers, +saving 512 bytes and modifying the read functions to stop needing those as +input. + +Instead, lets just completely drop the read access to these files. These +are debug interfaces exposed as part of debugfs, and I don't believe that +dropping read access will break any script, as the provided output is +pretty useless. You can find the netdev name through other more standard +interfaces, and the 'netdev_ops' interface can easily result in garbage if +you issue simultaneous writes to multiple devices at once. + +In order to properly remove the i40e_dbg_netdev_ops_buf, we need to +refactor its write function to avoid using the static buffer. Instead, use +the same logic as the i40e_dbg_command_write, with an allocated buffer. +Update the code to use this instead of the static buffer, and ensure we +free the buffer on exit. This fixes simultaneous writes to 'netdev_ops' on +multiple devices, and allows us to remove the now unused static buffer +along with removing the read access. 
+ +Fixes: 02e9c290814c ("i40e: debugfs interface") +Reported-by: Kunwu Chan +Closes: https://lore.kernel.org/intel-wired-lan/20231208031950.47410-1-chentao@kylinos.cn/ +Reported-by: Wang Haoran +Closes: https://lore.kernel.org/all/CANZ3JQRRiOdtfQJoP9QM=6LS1Jto8PGBGw6y7-TL=BcnzHQn1Q@mail.gmail.com/ +Reported-by: Amir Mohammad Jahangirzad +Closes: https://lore.kernel.org/all/20250722115017.206969-1-a.jahangirzad@gmail.com/ +Signed-off-by: Jacob Keller +Reviewed-by: Dawid Osuchowski +Reviewed-by: Aleksandr Loktionov +Reviewed-by: Simon Horman +Reviewed-by: Kunwu Chan +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + .../net/ethernet/intel/i40e/i40e_debugfs.c | 123 +++--------------- + 1 file changed, 19 insertions(+), 104 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_debugfs.c b/drivers/net/ethernet/intel/i40e/i40e_debugfs.c +index 208c2f0857b61..ded8f43fdf068 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_debugfs.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_debugfs.c +@@ -40,48 +40,6 @@ static struct i40e_vsi *i40e_dbg_find_vsi(struct i40e_pf *pf, int seid) + * setup, adding or removing filters, or other things. Many of + * these will be useful for some forms of unit testing. 
+ **************************************************************/ +-static char i40e_dbg_command_buf[256] = ""; +- +-/** +- * i40e_dbg_command_read - read for command datum +- * @filp: the opened file +- * @buffer: where to write the data for the user to read +- * @count: the size of the user's buffer +- * @ppos: file position offset +- **/ +-static ssize_t i40e_dbg_command_read(struct file *filp, char __user *buffer, +- size_t count, loff_t *ppos) +-{ +- struct i40e_pf *pf = filp->private_data; +- struct i40e_vsi *main_vsi; +- int bytes_not_copied; +- int buf_size = 256; +- char *buf; +- int len; +- +- /* don't allow partial reads */ +- if (*ppos != 0) +- return 0; +- if (count < buf_size) +- return -ENOSPC; +- +- buf = kzalloc(buf_size, GFP_KERNEL); +- if (!buf) +- return -ENOSPC; +- +- main_vsi = i40e_pf_get_main_vsi(pf); +- len = snprintf(buf, buf_size, "%s: %s\n", main_vsi->netdev->name, +- i40e_dbg_command_buf); +- +- bytes_not_copied = copy_to_user(buffer, buf, len); +- kfree(buf); +- +- if (bytes_not_copied) +- return -EFAULT; +- +- *ppos = len; +- return len; +-} + + static char *i40e_filter_state_string[] = { + "INVALID", +@@ -1621,7 +1579,6 @@ static ssize_t i40e_dbg_command_write(struct file *filp, + static const struct file_operations i40e_dbg_command_fops = { + .owner = THIS_MODULE, + .open = simple_open, +- .read = i40e_dbg_command_read, + .write = i40e_dbg_command_write, + }; + +@@ -1630,48 +1587,6 @@ static const struct file_operations i40e_dbg_command_fops = { + * The netdev_ops entry in debugfs is for giving the driver commands + * to be executed from the netdev operations. 
+ **************************************************************/ +-static char i40e_dbg_netdev_ops_buf[256] = ""; +- +-/** +- * i40e_dbg_netdev_ops_read - read for netdev_ops datum +- * @filp: the opened file +- * @buffer: where to write the data for the user to read +- * @count: the size of the user's buffer +- * @ppos: file position offset +- **/ +-static ssize_t i40e_dbg_netdev_ops_read(struct file *filp, char __user *buffer, +- size_t count, loff_t *ppos) +-{ +- struct i40e_pf *pf = filp->private_data; +- struct i40e_vsi *main_vsi; +- int bytes_not_copied; +- int buf_size = 256; +- char *buf; +- int len; +- +- /* don't allow partal reads */ +- if (*ppos != 0) +- return 0; +- if (count < buf_size) +- return -ENOSPC; +- +- buf = kzalloc(buf_size, GFP_KERNEL); +- if (!buf) +- return -ENOSPC; +- +- main_vsi = i40e_pf_get_main_vsi(pf); +- len = snprintf(buf, buf_size, "%s: %s\n", main_vsi->netdev->name, +- i40e_dbg_netdev_ops_buf); +- +- bytes_not_copied = copy_to_user(buffer, buf, len); +- kfree(buf); +- +- if (bytes_not_copied) +- return -EFAULT; +- +- *ppos = len; +- return len; +-} + + /** + * i40e_dbg_netdev_ops_write - write into netdev_ops datum +@@ -1685,35 +1600,36 @@ static ssize_t i40e_dbg_netdev_ops_write(struct file *filp, + size_t count, loff_t *ppos) + { + struct i40e_pf *pf = filp->private_data; ++ char *cmd_buf, *buf_tmp; + int bytes_not_copied; + struct i40e_vsi *vsi; +- char *buf_tmp; + int vsi_seid; + int i, cnt; + + /* don't allow partial writes */ + if (*ppos != 0) + return 0; +- if (count >= sizeof(i40e_dbg_netdev_ops_buf)) +- return -ENOSPC; + +- memset(i40e_dbg_netdev_ops_buf, 0, sizeof(i40e_dbg_netdev_ops_buf)); +- bytes_not_copied = copy_from_user(i40e_dbg_netdev_ops_buf, +- buffer, count); +- if (bytes_not_copied) ++ cmd_buf = kzalloc(count + 1, GFP_KERNEL); ++ if (!cmd_buf) ++ return count; ++ bytes_not_copied = copy_from_user(cmd_buf, buffer, count); ++ if (bytes_not_copied) { ++ kfree(cmd_buf); + return -EFAULT; +- 
i40e_dbg_netdev_ops_buf[count] = '\0'; ++ } ++ cmd_buf[count] = '\0'; + +- buf_tmp = strchr(i40e_dbg_netdev_ops_buf, '\n'); ++ buf_tmp = strchr(cmd_buf, '\n'); + if (buf_tmp) { + *buf_tmp = '\0'; +- count = buf_tmp - i40e_dbg_netdev_ops_buf + 1; ++ count = buf_tmp - cmd_buf + 1; + } + +- if (strncmp(i40e_dbg_netdev_ops_buf, "change_mtu", 10) == 0) { ++ if (strncmp(cmd_buf, "change_mtu", 10) == 0) { + int mtu; + +- cnt = sscanf(&i40e_dbg_netdev_ops_buf[11], "%i %i", ++ cnt = sscanf(&cmd_buf[11], "%i %i", + &vsi_seid, &mtu); + if (cnt != 2) { + dev_info(&pf->pdev->dev, "change_mtu \n"); +@@ -1735,8 +1651,8 @@ static ssize_t i40e_dbg_netdev_ops_write(struct file *filp, + dev_info(&pf->pdev->dev, "Could not acquire RTNL - please try again\n"); + } + +- } else if (strncmp(i40e_dbg_netdev_ops_buf, "set_rx_mode", 11) == 0) { +- cnt = sscanf(&i40e_dbg_netdev_ops_buf[11], "%i", &vsi_seid); ++ } else if (strncmp(cmd_buf, "set_rx_mode", 11) == 0) { ++ cnt = sscanf(&cmd_buf[11], "%i", &vsi_seid); + if (cnt != 1) { + dev_info(&pf->pdev->dev, "set_rx_mode \n"); + goto netdev_ops_write_done; +@@ -1756,8 +1672,8 @@ static ssize_t i40e_dbg_netdev_ops_write(struct file *filp, + dev_info(&pf->pdev->dev, "Could not acquire RTNL - please try again\n"); + } + +- } else if (strncmp(i40e_dbg_netdev_ops_buf, "napi", 4) == 0) { +- cnt = sscanf(&i40e_dbg_netdev_ops_buf[4], "%i", &vsi_seid); ++ } else if (strncmp(cmd_buf, "napi", 4) == 0) { ++ cnt = sscanf(&cmd_buf[4], "%i", &vsi_seid); + if (cnt != 1) { + dev_info(&pf->pdev->dev, "napi \n"); + goto netdev_ops_write_done; +@@ -1775,21 +1691,20 @@ static ssize_t i40e_dbg_netdev_ops_write(struct file *filp, + dev_info(&pf->pdev->dev, "napi called\n"); + } + } else { +- dev_info(&pf->pdev->dev, "unknown command '%s'\n", +- i40e_dbg_netdev_ops_buf); ++ dev_info(&pf->pdev->dev, "unknown command '%s'\n", cmd_buf); + dev_info(&pf->pdev->dev, "available commands\n"); + dev_info(&pf->pdev->dev, " change_mtu \n"); + dev_info(&pf->pdev->dev, " 
set_rx_mode \n"); + dev_info(&pf->pdev->dev, " napi \n"); + } + netdev_ops_write_done: ++ kfree(cmd_buf); + return count; + } + + static const struct file_operations i40e_dbg_netdev_ops_fops = { + .owner = THIS_MODULE, + .open = simple_open, +- .read = i40e_dbg_netdev_ops_read, + .write = i40e_dbg_netdev_ops_write, + }; + +-- +2.50.1 + diff --git a/queue-6.12/ice-fix-null-access-of-tx-in_use-in-ice_ll_ts_intr.patch b/queue-6.12/ice-fix-null-access-of-tx-in_use-in-ice_ll_ts_intr.patch new file mode 100644 index 0000000000..03b9a08986 --- /dev/null +++ b/queue-6.12/ice-fix-null-access-of-tx-in_use-in-ice_ll_ts_intr.patch 
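Review bot: In the @@ -1685,35 +1600,36 @@ hunk of i40e_dbg_netdev_ops_write, sizing the buffer as kzalloc(count + 1) makes the later `cnt = sscanf(&cmd_buf[11], "%i %i", ...)` in the change_mtu branch read one byte past the allocation when the write is exactly the ten characters "change_mtu" with no trailing newline: strncmp(cmd_buf, "change_mtu", 10) matches, cmd_buf[10] is the terminator, and cmd_buf[11] lies outside the 11-byte object (the removed 256-byte static buffer hid this; "set_rx_mode" and "napi" are not affected because their strncmp length equals the index they parse from). Parsing from &cmd_buf[10] and letting "%i" skip the whitespace, or checking count before parsing, closes it. Two smaller points in the same hunk: `if (!cmd_buf) return count;` reports success to the caller on allocation failure, where -ENOMEM is the conventional return; and count is now an unbounded user value since the old `count >= sizeof(i40e_dbg_netdev_ops_buf)` check was dropped, so consider a sane maximum, or memdup_user_nul(buffer, count), which allocates count + 1, copies and NUL-terminates in one step and would replace the kzalloc/copy_from_user/terminate sequence.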
@@ -0,0 +1,64 @@ +From 364d96e1e619067e0dceedafb24b89bfb670cc10 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Aug 2025 10:35:27 -0700 +Subject: ice: fix NULL access of tx->in_use in ice_ll_ts_intr + +From: Jacob Keller + +[ Upstream commit f6486338fde3f04ed0ec59fe67a69a208c32734f ] + +Recent versions of the E810 firmware have support for an extra interrupt to +handle report of the "low latency" Tx timestamps coming from the +specialized low latency firmware interface. Instead of polling the +registers, software can wait until the low latency interrupt is fired. + +This logic makes use of the Tx timestamp tracking structure, ice_ptp_tx, as +it uses the same "ready" bitmap to track which Tx timestamps complete. + +Unfortunately, the ice_ll_ts_intr() function does not check if the +tracker is initialized before its first access. This results in NULL +dereference or use-after-free bugs similar to the issues fixed in the +ice_ptp_ts_irq() function. + +Fix this by only checking the in_use bitmap (and other fields) if the +tracker is marked as initialized. The reset flow will clear the init field +under lock before it tears the tracker down, thus preventing any +use-after-free or NULL access. 
+ +Fixes: 82e71b226e0e ("ice: Enable SW interrupt from FW for LL TS") +Signed-off-by: Jacob Keller +Reviewed-by: Paul Menzel +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_main.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c +index 74d4f2fde3e0f..bd5db525f1939 100644 +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -3193,12 +3193,14 @@ static irqreturn_t ice_ll_ts_intr(int __always_unused irq, void *data) + hw = &pf->hw; + tx = &pf->ptp.port.tx; + spin_lock_irqsave(&tx->lock, flags); +- ice_ptp_complete_tx_single_tstamp(tx); ++ if (tx->init) { ++ ice_ptp_complete_tx_single_tstamp(tx); + +- idx = find_next_bit_wrap(tx->in_use, tx->len, +- tx->last_ll_ts_idx_read + 1); +- if (idx != tx->len) +- ice_ptp_req_tx_single_tstamp(tx, idx); ++ idx = find_next_bit_wrap(tx->in_use, tx->len, ++ tx->last_ll_ts_idx_read + 1); ++ if (idx != tx->len) ++ ice_ptp_req_tx_single_tstamp(tx, idx); ++ } + spin_unlock_irqrestore(&tx->lock, flags); + + val = GLINT_DYN_CTL_INTENA_M | GLINT_DYN_CTL_CLEARPBA_M | +-- +2.50.1 + diff --git a/queue-6.12/icmp-fix-icmp_ndo_send-address-translation-for-reply.patch b/queue-6.12/icmp-fix-icmp_ndo_send-address-translation-for-reply.patch new file mode 100644 index 0000000000..ebba852853 --- /dev/null +++ b/queue-6.12/icmp-fix-icmp_ndo_send-address-translation-for-reply.patch 
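Review bot: In the @@ -3193 hunk of ice_ll_ts_intr, the `if (tx->init)` guard is race-free only if tx->init is never cleared without tx->lock held; the commit message states the reset path clears it under lock, so the review should confirm every writer of tx->init takes the same lock, otherwise the handler can still observe a half-torn-down tracker between the check and find_next_bit_wrap(). A one-line comment above the guard stating that invariant would help the next reader. The interrupt is still re-armed via the GLINT_DYN_CTL_INTENA_M write after the unlock even when the tracker is uninitialised, which is the right choice since a later init can then rely on it.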
@@ -0,0 +1,110 @@ +From 9da88934276fb787f13b64f4048ec4ece37b1f4a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Aug 2025 11:14:35 +0200 +Subject: icmp: fix icmp_ndo_send address translation for reply direction +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Fabian Bläse + +[ Upstream commit c6dd1aa2cbb72b33e0569f3e71d95792beab5042 ] + +The icmp_ndo_send function was originally introduced to ensure proper +rate limiting when icmp_send is called by a network device driver, +where the packet's source address may have already been transformed +by SNAT. + +However, the original implementation only considers the +IP_CT_DIR_ORIGINAL direction for SNAT and always replaced the packet's +source address with that of the original-direction tuple. This causes +two problems: + +1. For SNAT: + Reply-direction packets were incorrectly translated using the source + address of the CT original direction, even though no translation is + required. + +2. For DNAT: + Reply-direction packets were not handled at all. In DNAT, the original + direction's destination is translated. Therefore, in the reply + direction the source address must be set to the reply-direction + source, so rate limiting works as intended. + +Fix this by using the connection direction to select the correct tuple +for source address translation, and adjust the pre-checks to handle +reply-direction packets in case of DNAT. + +Additionally, wrap the `ct->status` access in READ_ONCE(). This avoids +possible KCSAN reports about concurrent updates to `ct->status`. + +Fixes: 0b41713b6066 ("icmp: introduce helper for nat'd source address in network device context") +Signed-off-by: Fabian Bläse +Cc: Jason A. 
Donenfeld +Reviewed-by: Florian Westphal +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/icmp.c | 6 ++++-- + net/ipv6/ip6_icmp.c | 6 ++++-- + 2 files changed, 8 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c +index b8111ec651b54..8f11870b77377 100644 +--- a/net/ipv4/icmp.c ++++ b/net/ipv4/icmp.c +@@ -799,11 +799,12 @@ void icmp_ndo_send(struct sk_buff *skb_in, int type, int code, __be32 info) + struct sk_buff *cloned_skb = NULL; + struct ip_options opts = { 0 }; + enum ip_conntrack_info ctinfo; ++ enum ip_conntrack_dir dir; + struct nf_conn *ct; + __be32 orig_ip; + + ct = nf_ct_get(skb_in, &ctinfo); +- if (!ct || !(ct->status & IPS_SRC_NAT)) { ++ if (!ct || !(READ_ONCE(ct->status) & IPS_NAT_MASK)) { + __icmp_send(skb_in, type, code, info, &opts); + return; + } +@@ -818,7 +819,8 @@ void icmp_ndo_send(struct sk_buff *skb_in, int type, int code, __be32 info) + goto out; + + orig_ip = ip_hdr(skb_in)->saddr; +- ip_hdr(skb_in)->saddr = ct->tuplehash[0].tuple.src.u3.ip; ++ dir = CTINFO2DIR(ctinfo); ++ ip_hdr(skb_in)->saddr = ct->tuplehash[dir].tuple.src.u3.ip; + __icmp_send(skb_in, type, code, info, &opts); + ip_hdr(skb_in)->saddr = orig_ip; + out: +diff --git a/net/ipv6/ip6_icmp.c b/net/ipv6/ip6_icmp.c +index 9e3574880cb03..233914b63bdb8 100644 +--- a/net/ipv6/ip6_icmp.c ++++ b/net/ipv6/ip6_icmp.c +@@ -54,11 +54,12 @@ void icmpv6_ndo_send(struct sk_buff *skb_in, u8 type, u8 code, __u32 info) + struct inet6_skb_parm parm = { 0 }; + struct sk_buff *cloned_skb = NULL; + enum ip_conntrack_info ctinfo; ++ enum ip_conntrack_dir dir; + struct in6_addr orig_ip; + struct nf_conn *ct; + + ct = nf_ct_get(skb_in, &ctinfo); +- if (!ct || !(ct->status & IPS_SRC_NAT)) { ++ if (!ct || !(READ_ONCE(ct->status) & IPS_NAT_MASK)) { + __icmpv6_send(skb_in, type, code, info, &parm); + return; + } +@@ -73,7 +74,8 @@ void icmpv6_ndo_send(struct sk_buff *skb_in, u8 type, u8 code, __u32 info) + goto out; + + orig_ip = 
ipv6_hdr(skb_in)->saddr; +- ipv6_hdr(skb_in)->saddr = ct->tuplehash[0].tuple.src.u3.in6; ++ dir = CTINFO2DIR(ctinfo); ++ ipv6_hdr(skb_in)->saddr = ct->tuplehash[dir].tuple.src.u3.in6; + __icmpv6_send(skb_in, type, code, info, &parm); + ipv6_hdr(skb_in)->saddr = orig_ip; + out: +-- +2.50.1 + diff --git a/queue-6.12/idpf-set-mac-type-when-adding-and-removing-mac-filte.patch b/queue-6.12/idpf-set-mac-type-when-adding-and-removing-mac-filte.patch new file mode 100644 index 0000000000..b9e559cb81 --- /dev/null +++ b/queue-6.12/idpf-set-mac-type-when-adding-and-removing-mac-filte.patch 
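Review bot: In the net/ipv4/icmp.c hunks (@@ -799 and @@ -818), widening the early-return test from IPS_SRC_NAT to IPS_NAT_MASK means an original-direction packet on a DNAT-only connection now also takes the clone-and-rewrite path, where ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip equals the packet's current source address; the rewrite is an identity there, so it is harmless, but it costs an skb clone that was previously skipped and the commit message could say so. Selecting the tuple with CTINFO2DIR(ctinfo) is the right fix for both the SNAT reply and DNAT reply cases the message describes, and READ_ONCE() on ct->status addresses the KCSAN concern it raises. The net/ipv6/ip6_icmp.c hunks (@@ -54 and @@ -73) are a line-for-line mirror and the same comment applies.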
@@ -0,0 +1,116 @@ +From f725322b67428a86a2bf96f52b954dd6e5628463 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Aug 2025 16:43:00 -0700 +Subject: idpf: set mac type when adding and removing MAC filters + +From: Emil Tantilov + +[ Upstream commit acf3a5c8be80fe238c1a7629db1c21c74a1f9dd4 ] + +On control planes that allow changing the MAC address of the interface, +the driver must provide a MAC type to avoid errors such as: + +idpf 0000:0a:00.0: Transaction failed (op 535) +idpf 0000:0a:00.0: Received invalid MAC filter payload (op 535) (len 0) +idpf 0000:0a:00.0: Transaction failed (op 536) + +These errors occur during driver load or when changing the MAC via: +ip link set address + +Add logic to set the MAC type when sending ADD/DEL (opcodes 535/536) to +the control plane. Since only one primary MAC is supported per vport, the +driver only needs to send an ADD opcode when setting it. Remove the old +address by calling __idpf_del_mac_filter(), which skips the message and +just clears the entry from the internal list. This avoids an error on DEL +as it attempts to remove an address already cleared by the preceding ADD +opcode. 
+ +Fixes: ce1b75d0635c ("idpf: add ptypes and MAC filter support") +Reported-by: Jian Liu +Signed-off-by: Emil Tantilov +Reviewed-by: Aleksandr Loktionov +Reviewed-by: Paul Menzel +Reviewed-by: Simon Horman +Tested-by: Samuel Salin +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/idpf/idpf_lib.c | 9 ++++++--- + drivers/net/ethernet/intel/idpf/idpf_virtchnl.c | 12 ++++++++++++ + 2 files changed, 18 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/idpf/idpf_lib.c b/drivers/net/ethernet/intel/idpf/idpf_lib.c +index 1468a0f0df2ba..52d9caab2fcb2 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_lib.c ++++ b/drivers/net/ethernet/intel/idpf/idpf_lib.c +@@ -2278,6 +2278,7 @@ static int idpf_set_mac(struct net_device *netdev, void *p) + struct idpf_netdev_priv *np = netdev_priv(netdev); + struct idpf_vport_config *vport_config; + struct sockaddr *addr = p; ++ u8 old_mac_addr[ETH_ALEN]; + struct idpf_vport *vport; + int err = 0; + +@@ -2301,17 +2302,19 @@ static int idpf_set_mac(struct net_device *netdev, void *p) + if (ether_addr_equal(netdev->dev_addr, addr->sa_data)) + goto unlock_mutex; + ++ ether_addr_copy(old_mac_addr, vport->default_mac_addr); ++ ether_addr_copy(vport->default_mac_addr, addr->sa_data); + vport_config = vport->adapter->vport_config[vport->idx]; + err = idpf_add_mac_filter(vport, np, addr->sa_data, false); + if (err) { + __idpf_del_mac_filter(vport_config, addr->sa_data); ++ ether_addr_copy(vport->default_mac_addr, netdev->dev_addr); + goto unlock_mutex; + } + +- if (is_valid_ether_addr(vport->default_mac_addr)) +- idpf_del_mac_filter(vport, np, vport->default_mac_addr, false); ++ if (is_valid_ether_addr(old_mac_addr)) ++ __idpf_del_mac_filter(vport_config, old_mac_addr); + +- ether_addr_copy(vport->default_mac_addr, addr->sa_data); + eth_hw_addr_set(netdev, addr->sa_data); + + unlock_mutex: +diff --git a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c 
b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c +index 151beea20d343..f27a8cf3816db 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c ++++ b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c +@@ -3513,6 +3513,16 @@ u32 idpf_get_vport_id(struct idpf_vport *vport) + return le32_to_cpu(vport_msg->vport_id); + } + ++static void idpf_set_mac_type(struct idpf_vport *vport, ++ struct virtchnl2_mac_addr *mac_addr) ++{ ++ bool is_primary; ++ ++ is_primary = ether_addr_equal(vport->default_mac_addr, mac_addr->addr); ++ mac_addr->type = is_primary ? VIRTCHNL2_MAC_ADDR_PRIMARY : ++ VIRTCHNL2_MAC_ADDR_EXTRA; ++} ++ + /** + * idpf_mac_filter_async_handler - Async callback for mac filters + * @adapter: private data struct +@@ -3642,6 +3652,7 @@ int idpf_add_del_mac_filters(struct idpf_vport *vport, + list) { + if (add && f->add) { + ether_addr_copy(mac_addr[i].addr, f->macaddr); ++ idpf_set_mac_type(vport, &mac_addr[i]); + i++; + f->add = false; + if (i == total_filters) +@@ -3649,6 +3660,7 @@ int idpf_add_del_mac_filters(struct idpf_vport *vport, + } + if (!add && f->remove) { + ether_addr_copy(mac_addr[i].addr, f->macaddr); ++ idpf_set_mac_type(vport, &mac_addr[i]); + i++; + f->remove = false; + if (i == total_filters) +-- +2.50.1 + diff --git a/queue-6.12/ipv4-fix-null-vs-error-pointer-check-in-inet_blackho.patch b/queue-6.12/ipv4-fix-null-vs-error-pointer-check-in-inet_blackho.patch new file mode 100644 index 0000000000..0cacd56b26 --- /dev/null +++ b/queue-6.12/ipv4-fix-null-vs-error-pointer-check-in-inet_blackho.patch 
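Review bot: In the idpf_lib.c @@ -2301 hunk, the error path restores vport->default_mac_addr from netdev->dev_addr, while the value it just overwrote was saved in old_mac_addr two lines earlier; restoring with `ether_addr_copy(vport->default_mac_addr, old_mac_addr);` is symmetric and does not rely on netdev->dev_addr and default_mac_addr having been equal before the call. Note also that default_mac_addr is now updated before idpf_add_mac_filter() runs, which is exactly what lets idpf_set_mac_type() tag the new address as VIRTCHNL2_MAC_ADDR_PRIMARY in the ADD message; a short comment at the copy would make that ordering dependency explicit.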
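Review bot: In the idpf_virtchnl.c @@ -3513 hunk, idpf_set_mac_type() is added without the kernel-doc block that neighbouring functions in this file carry (idpf_mac_filter_async_handler directly below it has one); add a `/** ... */` header describing @vport and @mac_addr. Functionally, classifying an address as PRIMARY by comparing against vport->default_mac_addr also means the DEL path in @@ -3649 will tag a removal of the current default address as PRIMARY; that looks intended now that idpf_set_mac() drops the old address through __idpf_del_mac_filter() without a message, but it is worth stating in the commit message.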
@@ -0,0 +1,48 @@ +From a59f73d91a412d9be965d5370f37d5d1975843da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Sep 2025 09:36:08 +0300 +Subject: ipv4: Fix NULL vs error pointer check in inet_blackhole_dev_init() + +From: Dan Carpenter + +[ Upstream commit a51160f8da850a65afbf165f5bbac7ffb388bf74 ] + +The inetdev_init() function never returns NULL. Check for error +pointers instead. + +Fixes: 22600596b675 ("ipv4: give an IPv4 dev to blackhole_netdev") +Signed-off-by: Dan Carpenter +Reviewed-by: Simon Horman +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/aLaQWL9NguWmeM1i@stanley.mountain +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/devinet.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c +index a55e95046984d..46fa50576f581 100644 +--- a/net/ipv4/devinet.c ++++ b/net/ipv4/devinet.c +@@ -351,14 +351,13 @@ static void inetdev_destroy(struct in_device *in_dev) + + static int __init inet_blackhole_dev_init(void) + { +- int err = 0; ++ struct in_device *in_dev; + + rtnl_lock(); +- if (!inetdev_init(blackhole_netdev)) +- err = -ENOMEM; ++ in_dev = inetdev_init(blackhole_netdev); + rtnl_unlock(); + +- return err; ++ return PTR_ERR_OR_ZERO(in_dev); + } + late_initcall(inet_blackhole_dev_init); + +-- +2.50.1 + diff --git a/queue-6.12/ixgbe-fix-incorrect-map-used-in-eee-linkmode.patch b/queue-6.12/ixgbe-fix-incorrect-map-used-in-eee-linkmode.patch new file mode 100644 index 0000000000..dcfbf17d52 --- /dev/null +++ b/queue-6.12/ixgbe-fix-incorrect-map-used-in-eee-linkmode.patch 
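Review bot: In the @@ -351 hunk of net/ipv4/devinet.c, the replaced test `if (!inetdev_init(blackhole_netdev))` could never fire, so before this patch an error from inetdev_init() was silently reported as success; that user-visible consequence is worth spelling out next to the Fixes: tag. The new PTR_ERR_OR_ZERO(in_dev) also changes what inet_blackhole_dev_init() returns on failure, from a fixed -ENOMEM to whatever error inetdev_init() encoded, which is an improvement but deserves one sentence in the message.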
@@ -0,0 +1,54 @@ +From e5b4cedbe1ca3b31c3afdd29dfacaa09b4e95990 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 10 Aug 2025 10:01:14 -0700 +Subject: ixgbe: fix incorrect map used in eee linkmode + +From: Alok Tiwari + +[ Upstream commit b7e5c3e3bfa9dc8af75ff6d8633ad7070e1985e4 ] + +incorrectly used ixgbe_lp_map in loops intended to populate the +supported and advertised EEE linkmode bitmaps based on ixgbe_ls_map. +This results in incorrect bit setting and potential out-of-bounds +access, since ixgbe_lp_map and ixgbe_ls_map have different sizes +and purposes. + +ixgbe_lp_map[i] -> ixgbe_ls_map[i] + +Use ixgbe_ls_map for supported and advertised linkmodes, and keep +ixgbe_lp_map usage only for link partner (lp_advertised) mapping. + +Fixes: 9356b6db9d05 ("net: ethernet: ixgbe: Convert EEE to use linkmodes") +Signed-off-by: Alok Tiwari +Reviewed-by: Aleksandr Loktionov +Reviewed-by: Paul Menzel +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c +index 9482e0cca8b7d..0b9ecb10aa7cf 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c +@@ -3443,13 +3443,13 @@ ixgbe_get_eee_fw(struct ixgbe_adapter *adapter, struct ethtool_keee *edata) + + for (i = 0; i < ARRAY_SIZE(ixgbe_ls_map); ++i) { + if (hw->phy.eee_speeds_supported & ixgbe_ls_map[i].mac_speed) +- linkmode_set_bit(ixgbe_lp_map[i].link_mode, ++ linkmode_set_bit(ixgbe_ls_map[i].link_mode, + edata->supported); + } + + for (i = 0; i < ARRAY_SIZE(ixgbe_ls_map); ++i) { + if (hw->phy.eee_speeds_advertised & ixgbe_ls_map[i].mac_speed) +- linkmode_set_bit(ixgbe_lp_map[i].link_mode, ++ linkmode_set_bit(ixgbe_ls_map[i].link_mode, + edata->advertised); + } + +-- +2.50.1 + 
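Review bot: In the @@ -3443 hunk of ixgbe_ethtool.c, both loops are bounded by ARRAY_SIZE(ixgbe_ls_map) but indexed ixgbe_lp_map, which is the out-of-bounds read the commit message describes; the replacement is correct. Since the message says ixgbe_lp_map is still used for the link-partner (lp_advertised) loop, which this hunk does not show, the reviewer should confirm that loop is bounded by ARRAY_SIZE(ixgbe_lp_map) rather than ARRAY_SIZE(ixgbe_ls_map) so the same mismatch is not mirrored there. The commit message body also opens mid-sentence ("incorrectly used ixgbe_lp_map in loops..."); the sentence is missing its subject.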
diff --git a/queue-6.12/macsec-read-macsec_sa_attr_pn-with-nla_get_uint.patch b/queue-6.12/macsec-read-macsec_sa_attr_pn-with-nla_get_uint.patch new file mode 100644 index 0000000000..7349da4a0c --- /dev/null +++ b/queue-6.12/macsec-read-macsec_sa_attr_pn-with-nla_get_uint.patch 
@@ -0,0 +1,72 @@ +From 334ef68fc8fc512be79e4e021554a80ede63d819 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Aug 2025 20:55:40 +0200 +Subject: macsec: read MACSEC_SA_ATTR_PN with nla_get_uint + +From: Sabrina Dubroca + +[ Upstream commit 030e1c45666629f72d0fc1d040f9d2915680de8e ] + +The code currently reads both U32 attributes and U64 attributes as +U64, so when a U32 attribute is provided by userspace (ie, when not +using XPN), on big endian systems, we'll load that value into the +upper 32bits of the next_pn field instead of the lower 32bits. This +means that the value that userspace provided is ignored (we only care +about the lower 32bits for non-XPN), and we'll start using PNs from 0. + +Switch to nla_get_uint, which will read the value correctly on all +arches, whether it's 32b or 64b. + +Fixes: 48ef50fa866a ("macsec: Netlink support of XPN cipher suites (IEEE 802.1AEbw)") +Signed-off-by: Sabrina Dubroca +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/1c1df1661b89238caf5beefb84a10ebfd56c66ea.1756459839.git.sd@queasysnail.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/macsec.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c +index 090a56a5e456a..8b10112c30dc1 100644 +--- a/drivers/net/macsec.c ++++ b/drivers/net/macsec.c +@@ -1843,7 +1843,7 @@ static int macsec_add_rxsa(struct sk_buff *skb, struct genl_info *info) + + if (tb_sa[MACSEC_SA_ATTR_PN]) { + spin_lock_bh(&rx_sa->lock); +- rx_sa->next_pn = nla_get_u64(tb_sa[MACSEC_SA_ATTR_PN]); ++ rx_sa->next_pn = nla_get_uint(tb_sa[MACSEC_SA_ATTR_PN]); + spin_unlock_bh(&rx_sa->lock); + } + +@@ -2085,7 +2085,7 @@ static int macsec_add_txsa(struct sk_buff *skb, struct genl_info *info) + } + + spin_lock_bh(&tx_sa->lock); +- tx_sa->next_pn = nla_get_u64(tb_sa[MACSEC_SA_ATTR_PN]); ++ tx_sa->next_pn = nla_get_uint(tb_sa[MACSEC_SA_ATTR_PN]); + spin_unlock_bh(&tx_sa->lock); + + if 
(tb_sa[MACSEC_SA_ATTR_ACTIVE]) +@@ -2397,7 +2397,7 @@ static int macsec_upd_txsa(struct sk_buff *skb, struct genl_info *info) + + spin_lock_bh(&tx_sa->lock); + prev_pn = tx_sa->next_pn_halves; +- tx_sa->next_pn = nla_get_u64(tb_sa[MACSEC_SA_ATTR_PN]); ++ tx_sa->next_pn = nla_get_uint(tb_sa[MACSEC_SA_ATTR_PN]); + spin_unlock_bh(&tx_sa->lock); + } + +@@ -2495,7 +2495,7 @@ static int macsec_upd_rxsa(struct sk_buff *skb, struct genl_info *info) + + spin_lock_bh(&rx_sa->lock); + prev_pn = rx_sa->next_pn_halves; +- rx_sa->next_pn = nla_get_u64(tb_sa[MACSEC_SA_ATTR_PN]); ++ rx_sa->next_pn = nla_get_uint(tb_sa[MACSEC_SA_ATTR_PN]); + spin_unlock_bh(&rx_sa->lock); + } + +-- +2.50.1 + diff --git a/queue-6.12/mctp-return-enoprotoopt-for-unknown-getsockopt-optio.patch b/queue-6.12/mctp-return-enoprotoopt-for-unknown-getsockopt-optio.patch new file mode 100644 index 0000000000..b2fea9a645 --- /dev/null +++ b/queue-6.12/mctp-return-enoprotoopt-for-unknown-getsockopt-optio.patch 
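Review bot: Across the four hunks (@@ -1843, @@ -2085, @@ -2397, @@ -2495) the replacement is identical, and nla_get_uint() is the right accessor because it dispatches on nla_len(), reading a 4-byte payload as u32 and an 8-byte one as u64, whereas nla_get_u64() read 8 bytes regardless, which is why a u32 attribute landed in the upper half on big-endian. The fix only helps if the nla_policy entry for MACSEC_SA_ATTR_PN accepts both lengths (an NLA_UINT policy or a minimum-length one); the hunks do not show it, so the reviewer should confirm it does not pin the attribute to NLA_U64.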
@@ -0,0 +1,43 @@ +From 01ebc574aade76dfe73daf82177ba9c003e5e646 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Sep 2025 03:20:55 -0700 +Subject: mctp: return -ENOPROTOOPT for unknown getsockopt options + +From: Alok Tiwari + +[ Upstream commit a125c8fb9ddbcb0602103a50727a476fd30dec01 ] + +In mctp_getsockopt(), unrecognized options currently return -EINVAL. +In contrast, mctp_setsockopt() returns -ENOPROTOOPT for unknown +options. + +Update mctp_getsockopt() to also return -ENOPROTOOPT for unknown +options. This aligns the behavior of getsockopt() and setsockopt(), +and matches the standard kernel socket API convention for handling +unsupported options. + +Fixes: 99ce45d5e7db ("mctp: Implement extended addressing") +Signed-off-by: Alok Tiwari +Link: https://patch.msgid.link/20250902102059.1370008-1-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/mctp/af_mctp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mctp/af_mctp.c b/net/mctp/af_mctp.c +index 70aeebfc4182e..9a552569143bb 100644 +--- a/net/mctp/af_mctp.c ++++ b/net/mctp/af_mctp.c +@@ -346,7 +346,7 @@ static int mctp_getsockopt(struct socket *sock, int level, int optname, + return 0; + } + +- return -EINVAL; ++ return -ENOPROTOOPT; + } + + /* helpers for reading/writing the tag ioc, handling compatibility across the +-- +2.50.1 + diff --git a/queue-6.12/misdn-fix-memory-leak-in-dsp_hwec_enable.patch b/queue-6.12/misdn-fix-memory-leak-in-dsp_hwec_enable.patch new file mode 100644 index 0000000000..a4968e2261 --- /dev/null +++ b/queue-6.12/misdn-fix-memory-leak-in-dsp_hwec_enable.patch 
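Review bot: In the @@ -346 hunk of net/mctp/af_mctp.c, the one-line errno swap is user-visible: a caller that probed for option support by testing for EINVAL on an MCTP socket will now see ENOPROTOOPT. The commit message justifies it by parity with mctp_setsockopt() and the generic socket convention, which is sufficient, but the message should say plainly that this is an ABI change so the stable backport carries that note with it.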
@@ -0,0 +1,53 @@ +From 234fe42f5d1e99cd99ab945d0e0b407be263ea73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Aug 2025 16:14:57 +0800 +Subject: mISDN: Fix memory leak in dsp_hwec_enable() + +From: Miaoqian Lin + +[ Upstream commit 0704a3da7ce50f972e898bbda88d2692a22922d9 ] + +dsp_hwec_enable() allocates dup pointer by kstrdup(arg), +but then it updates dup variable by strsep(&dup, ","). +As a result when it calls kfree(dup), the dup variable may be +a modified pointer that no longer points to the original allocated +memory, causing a memory leak. + +The issue is the same pattern as fixed in commit c6a502c22999 +("mISDN: Fix memory leak in dsp_pipeline_build()"). + +Fixes: 9a4381618262 ("mISDN: Remove VLAs") +Signed-off-by: Miaoqian Lin +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250828081457.36061-1-linmq006@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/isdn/mISDN/dsp_hwec.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/isdn/mISDN/dsp_hwec.c b/drivers/isdn/mISDN/dsp_hwec.c +index 0b3f29195330a..0cd216e28f009 100644 +--- a/drivers/isdn/mISDN/dsp_hwec.c ++++ b/drivers/isdn/mISDN/dsp_hwec.c +@@ -51,14 +51,14 @@ void dsp_hwec_enable(struct dsp *dsp, const char *arg) + goto _do; + + { +- char *dup, *tok, *name, *val; ++ char *dup, *next, *tok, *name, *val; + int tmp; + +- dup = kstrdup(arg, GFP_ATOMIC); ++ dup = next = kstrdup(arg, GFP_ATOMIC); + if (!dup) + return; + +- while ((tok = strsep(&dup, ","))) { ++ while ((tok = strsep(&next, ","))) { + if (!strlen(tok)) + continue; + name = strsep(&tok, "="); +-- +2.50.1 + diff --git a/queue-6.12/net-atm-fix-memory-leak-in-atm_register_sysfs-when-d.patch b/queue-6.12/net-atm-fix-memory-leak-in-atm_register_sysfs-when-d.patch new file mode 100644 index 0000000000..0135820b07 --- /dev/null +++ b/queue-6.12/net-atm-fix-memory-leak-in-atm_register_sysfs-when-d.patch 
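Review bot: In the @@ -51 hunk of dsp_hwec.c, keeping `dup` as the allocation pointer and walking with `next` is the standard fix for the strsep() pattern and matches the dsp_pipeline_build() fix the message cites. The hunk does not show the kfree(dup) that the message says was leaking; the reviewer should check that every exit from the loop body (the `continue` on an empty token and any early return after `name = strsep(&tok, "=")`) still reaches it, since an early return inside the loop would leak the buffer in a different way this change does not address.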
@@ -0,0 +1,78 @@ +From 99c1e9900b5c015c1b5110a4ace9cb2c1b1cd37f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Sep 2025 14:35:37 +0800 +Subject: net: atm: fix memory leak in atm_register_sysfs when device_register + fail + +From: Wang Liang + +[ Upstream commit 0a228624bcc00af41f281a2a84c928595a74c17d ] + +When device_register() return error in atm_register_sysfs(), which can be +triggered by kzalloc fail in device_private_init() or other reasons, +kmemleak reports the following memory leaks: + +unreferenced object 0xffff88810182fb80 (size 8): + comm "insmod", pid 504, jiffies 4294852464 + hex dump (first 8 bytes): + 61 64 75 6d 6d 79 30 00 adummy0. + backtrace (crc 14dfadaf): + __kmalloc_node_track_caller_noprof+0x335/0x450 + kvasprintf+0xb3/0x130 + kobject_set_name_vargs+0x45/0x120 + dev_set_name+0xa9/0xe0 + atm_register_sysfs+0xf3/0x220 + atm_dev_register+0x40b/0x780 + 0xffffffffa000b089 + do_one_initcall+0x89/0x300 + do_init_module+0x27b/0x7d0 + load_module+0x54cd/0x5ff0 + init_module_from_file+0xe4/0x150 + idempotent_init_module+0x32c/0x610 + __x64_sys_finit_module+0xbd/0x120 + do_syscall_64+0xa8/0x270 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +When device_create_file() return error in atm_register_sysfs(), the same +issue also can be triggered. + +Function put_device() should be called to release kobj->name memory and +other device resource, instead of kfree(). 
+ +Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array") +Signed-off-by: Wang Liang +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250901063537.1472221-1-wangliang74@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/atm/resources.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/atm/resources.c b/net/atm/resources.c +index b19d851e1f443..7c6fdedbcf4e5 100644 +--- a/net/atm/resources.c ++++ b/net/atm/resources.c +@@ -112,7 +112,9 @@ struct atm_dev *atm_dev_register(const char *type, struct device *parent, + + if (atm_proc_dev_register(dev) < 0) { + pr_err("atm_proc_dev_register failed for dev %s\n", type); +- goto out_fail; ++ mutex_unlock(&atm_dev_mutex); ++ kfree(dev); ++ return NULL; + } + + if (atm_register_sysfs(dev, parent) < 0) { +@@ -128,7 +130,7 @@ struct atm_dev *atm_dev_register(const char *type, struct device *parent, + return dev; + + out_fail: +- kfree(dev); ++ put_device(&dev->class_dev); + dev = NULL; + goto out; + } +-- +2.50.1 + diff --git a/queue-6.12/net-ethernet-mtk_eth_soc-fix-tx-vlan-tag-for-llc-pac.patch b/queue-6.12/net-ethernet-mtk_eth_soc-fix-tx-vlan-tag-for-llc-pac.patch new file mode 100644 index 0000000000..0383e91ef8 --- /dev/null +++ b/queue-6.12/net-ethernet-mtk_eth_soc-fix-tx-vlan-tag-for-llc-pac.patch 
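Review bot: In the @@ -112 hunk of net/atm/resources.c, the atm_proc_dev_register() failure now unlocks atm_dev_mutex and frees dev inline instead of jumping to out_fail, which is necessary because device_register() has not run at that point and put_device() would be wrong there. It does duplicate the unlock that the out: path must already perform; a dedicated label (for example an out_free: that does kfree(dev) and falls into the existing unlock) would keep a single exit and make it harder for a future edit to forget the mutex.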
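Review bot: In the @@ -128 hunk, replacing kfree(dev) with put_device(&dev->class_dev) on the sysfs-registration failure path is correct per the device_register() contract (a failed device_register() still requires put_device()), but it is only leak-free if the class_dev release callback frees the enclosing atm_dev; that release function is not in the hunk and should be confirmed. With the first hunk diverting the proc failure away from out_fail, the label is now reached only after atm_register_sysfs() has been called, so a comment at out_fail stating that precondition would stop someone reusing it for an earlier failure.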
@@ -0,0 +1,55 @@ +From f5d8129c443fed2c6939309ec914b75cae288c6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Aug 2025 20:20:07 +0200 +Subject: net: ethernet: mtk_eth_soc: fix tx vlan tag for llc packets + +From: Felix Fietkau + +[ Upstream commit d4736737110ffa83d29f1c5d17b26113864205f6 ] + +When sending llc packets with vlan tx offload, the hardware fails to +actually add the tag. Deal with this by fixing it up in software. + +Fixes: 656e705243fd ("net-next: mediatek: add support for MT7623 ethernet") +Reported-by: Thibaut VARENE +Signed-off-by: Felix Fietkau +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250831182007.51619-1-nbd@nbd.name +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mediatek/mtk_eth_soc.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +index 272f178906d61..64d86068b51eb 100644 +--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c ++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +@@ -1606,6 +1606,13 @@ static netdev_tx_t mtk_start_xmit(struct sk_buff *skb, struct net_device *dev) + bool gso = false; + int tx_num; + ++ if (skb_vlan_tag_present(skb) && ++ !eth_proto_is_802_3(eth_hdr(skb)->h_proto)) { ++ skb = __vlan_hwaccel_push_inside(skb); ++ if (!skb) ++ goto dropped; ++ } ++ + /* normally we can rely on the stack not calling this more than once, + * however we have 2 queues running on the same ring so we need to lock + * the ring access +@@ -1651,8 +1658,9 @@ static netdev_tx_t mtk_start_xmit(struct sk_buff *skb, struct net_device *dev) + + drop: + spin_unlock(ð->page_lock); +- stats->tx_dropped++; + dev_kfree_skb_any(skb); ++dropped: ++ stats->tx_dropped++; + return NETDEV_TX_OK; + } + +-- +2.50.1 + 
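Review bot: In the @@ -1606 hunk of mtk_eth_soc.c, __vlan_hwaccel_push_inside() frees the skb on failure and returns NULL, so `goto dropped` correctly bypasses dev_kfree_skb_any(); the relabelling in @@ -1651 that moves stats->tx_dropped++ after the free exists only to share that accounting. Two things to confirm: stats must already be assigned when the early jump happens, because dropped: sits past the locked section where the original drop: path was reached; and eth_proto_is_802_3(eth_hdr(skb)->h_proto) runs before anything else in the function, which is fine at ndo_start_xmit entry but deserves a comment saying why LLC frames (length field in h_proto) need the tag inserted in software here.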
diff --git a/queue-6.12/net-macb-fix-tx_ptr_lock-locking.patch b/queue-6.12/net-macb-fix-tx_ptr_lock-locking.patch new file mode 100644 index 0000000000..ffbc5882af --- /dev/null +++ b/queue-6.12/net-macb-fix-tx_ptr_lock-locking.patch 
@@ -0,0 +1,135 @@ +From de87e94bd40fcc792e7deed5c568062d46ec3ab5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Aug 2025 10:35:21 -0400 +Subject: net: macb: Fix tx_ptr_lock locking + +From: Sean Anderson + +[ Upstream commit 6bc8a5098bf4a365c4086a4a4130bfab10a58260 ] + +macb_start_xmit and macb_tx_poll can be called with bottom-halves +disabled (e.g. from softirq) as well as with interrupts disabled (with +netpoll). Because of this, all other functions taking tx_ptr_lock must +use spin_lock_irqsave. + +Fixes: 138badbc21a0 ("net: macb: use NAPI for TX completion path") +Reported-by: Mike Galbraith +Signed-off-by: Sean Anderson +Link: https://patch.msgid.link/20250829143521.1686062-1-sean.anderson@linux.dev +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cadence/macb_main.c | 28 ++++++++++++++---------- + 1 file changed, 16 insertions(+), 12 deletions(-) + +diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c +index 6c2d69ef1a8db..f7e8c08d84415 100644 +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -1234,11 +1234,12 @@ static int macb_tx_complete(struct macb_queue *queue, int budget) + { + struct macb *bp = queue->bp; + u16 queue_index = queue - bp->queues; ++ unsigned long flags; + unsigned int tail; + unsigned int head; + int packets = 0; + +- spin_lock(&queue->tx_ptr_lock); ++ spin_lock_irqsave(&queue->tx_ptr_lock, flags); + head = queue->tx_head; + for (tail = queue->tx_tail; tail != head && packets < budget; tail++) { + struct macb_tx_skb *tx_skb; +@@ -1297,7 +1298,7 @@ static int macb_tx_complete(struct macb_queue *queue, int budget) + CIRC_CNT(queue->tx_head, queue->tx_tail, + bp->tx_ring_size) <= MACB_TX_WAKEUP_THRESH(bp)) + netif_wake_subqueue(bp->dev, queue_index); +- spin_unlock(&queue->tx_ptr_lock); ++ spin_unlock_irqrestore(&queue->tx_ptr_lock, flags); + + return packets; + } +@@ -1713,8 +1714,9 @@ static void 
macb_tx_restart(struct macb_queue *queue) + { + struct macb *bp = queue->bp; + unsigned int head_idx, tbqp; ++ unsigned long flags; + +- spin_lock(&queue->tx_ptr_lock); ++ spin_lock_irqsave(&queue->tx_ptr_lock, flags); + + if (queue->tx_head == queue->tx_tail) + goto out_tx_ptr_unlock; +@@ -1726,19 +1728,20 @@ static void macb_tx_restart(struct macb_queue *queue) + if (tbqp == head_idx) + goto out_tx_ptr_unlock; + +- spin_lock_irq(&bp->lock); ++ spin_lock(&bp->lock); + macb_writel(bp, NCR, macb_readl(bp, NCR) | MACB_BIT(TSTART)); +- spin_unlock_irq(&bp->lock); ++ spin_unlock(&bp->lock); + + out_tx_ptr_unlock: +- spin_unlock(&queue->tx_ptr_lock); ++ spin_unlock_irqrestore(&queue->tx_ptr_lock, flags); + } + + static bool macb_tx_complete_pending(struct macb_queue *queue) + { + bool retval = false; ++ unsigned long flags; + +- spin_lock(&queue->tx_ptr_lock); ++ spin_lock_irqsave(&queue->tx_ptr_lock, flags); + if (queue->tx_head != queue->tx_tail) { + /* Make hw descriptor updates visible to CPU */ + rmb(); +@@ -1746,7 +1749,7 @@ static bool macb_tx_complete_pending(struct macb_queue *queue) + if (macb_tx_desc(queue, queue->tx_tail)->ctrl & MACB_BIT(TX_USED)) + retval = true; + } +- spin_unlock(&queue->tx_ptr_lock); ++ spin_unlock_irqrestore(&queue->tx_ptr_lock, flags); + return retval; + } + +@@ -2314,6 +2317,7 @@ static netdev_tx_t macb_start_xmit(struct sk_buff *skb, struct net_device *dev) + struct macb_queue *queue = &bp->queues[queue_index]; + unsigned int desc_cnt, nr_frags, frag_size, f; + unsigned int hdrlen; ++ unsigned long flags; + bool is_lso; + netdev_tx_t ret = NETDEV_TX_OK; + +@@ -2374,7 +2378,7 @@ static netdev_tx_t macb_start_xmit(struct sk_buff *skb, struct net_device *dev) + desc_cnt += DIV_ROUND_UP(frag_size, bp->max_tx_length); + } + +- spin_lock_bh(&queue->tx_ptr_lock); ++ spin_lock_irqsave(&queue->tx_ptr_lock, flags); + + /* This is a hard error, log it. 
*/ + if (CIRC_SPACE(queue->tx_head, queue->tx_tail, +@@ -2396,15 +2400,15 @@ static netdev_tx_t macb_start_xmit(struct sk_buff *skb, struct net_device *dev) + wmb(); + skb_tx_timestamp(skb); + +- spin_lock_irq(&bp->lock); ++ spin_lock(&bp->lock); + macb_writel(bp, NCR, macb_readl(bp, NCR) | MACB_BIT(TSTART)); +- spin_unlock_irq(&bp->lock); ++ spin_unlock(&bp->lock); + + if (CIRC_SPACE(queue->tx_head, queue->tx_tail, bp->tx_ring_size) < 1) + netif_stop_subqueue(dev, queue_index); + + unlock: +- spin_unlock_bh(&queue->tx_ptr_lock); ++ spin_unlock_irqrestore(&queue->tx_ptr_lock, flags); + + return ret; + } +-- +2.50.1 + diff --git a/queue-6.12/net-mctp-mctp_fraq_queue-should-take-ownership-of-pa.patch b/queue-6.12/net-mctp-mctp_fraq_queue-should-take-ownership-of-pa.patch new file mode 100644 index 0000000000..6b00e36129 --- /dev/null +++ b/queue-6.12/net-mctp-mctp_fraq_queue-should-take-ownership-of-pa.patch 
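Review bot: In the @@ -1726 hunk (macb_tx_restart), the inner bp->lock acquisition drops from spin_lock_irq() to spin_lock(), which is correct only because the enclosing tx_ptr_lock is now taken with spin_lock_irqsave() and interrupts are already off. That dependency is invisible at the inner call site, so a one-line comment such as `/* IRQs already disabled by tx_ptr_lock */` would stop a later refactor from reintroducing the mismatch. The macb_tx_complete (@@ -1234) and macb_tx_complete_pending hunks only switch to irqsave/irqrestore and are consistent with the rationale in the message.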
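Review bot: In the @@ -2374 and @@ -2396 hunks (macb_start_xmit), the outer lock moves from spin_lock_bh() to spin_lock_irqsave() and the nested bp->lock from spin_lock_irq() to spin_lock(), the same pairing as in macb_tx_restart and needing the same comment at the inner site. Since ndo_start_xmit already runs with BHs disabled, the behavioural change is that hard IRQs are now off for the whole stretch between the CIRC_SPACE check and the TSTART write, which the netpoll case in the message requires; it would help to say in the message that this extends the IRQ-off window over descriptor setup, so the latency trade is a deliberate one.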
@@ -0,0 +1,129 @@ +From 84e22279d0604e355a61d6839a683237f7797c8a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Aug 2025 15:28:26 +0800 +Subject: net: mctp: mctp_fraq_queue should take ownership of passed skb + +From: Jeremy Kerr + +[ Upstream commit 773b27a8a2f00ce3134e92e50ea4794a98ba2b76 ] + +As of commit f5d83cf0eeb9 ("net: mctp: unshare packets when +reassembling"), we skb_unshare() in mctp_frag_queue(). The unshare may +invalidate the original skb pointer, so we need to treat the skb as +entirely owned by the fraq queue, even on failure. + +Fixes: f5d83cf0eeb9 ("net: mctp: unshare packets when reassembling") +Signed-off-by: Jeremy Kerr +Link: https://patch.msgid.link/20250829-mctp-skb-unshare-v1-1-1c28fe10235a@codeconstruct.com.au +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/mctp/route.c | 35 +++++++++++++++++++---------------- + 1 file changed, 19 insertions(+), 16 deletions(-) + +diff --git a/net/mctp/route.c b/net/mctp/route.c +index d9c8e5a5f9ce9..19ff259d7bc43 100644 +--- a/net/mctp/route.c ++++ b/net/mctp/route.c +@@ -325,6 +325,7 @@ static void mctp_skb_set_flow(struct sk_buff *skb, struct mctp_sk_key *key) {} + static void mctp_flow_prepare_output(struct sk_buff *skb, struct mctp_dev *dev) {} + #endif + ++/* takes ownership of skb, both in success and failure cases */ + static int mctp_frag_queue(struct mctp_sk_key *key, struct sk_buff *skb) + { + struct mctp_hdr *hdr = mctp_hdr(skb); +@@ -334,8 +335,10 @@ static int mctp_frag_queue(struct mctp_sk_key *key, struct sk_buff *skb) + & MCTP_HDR_SEQ_MASK; + + if (!key->reasm_head) { +- /* Since we're manipulating the shared frag_list, ensure it isn't +- * shared with any other SKBs. ++ /* Since we're manipulating the shared frag_list, ensure it ++ * isn't shared with any other SKBs. In the cloned case, ++ * this will free the skb; callers can no longer access it ++ * safely. 
+ */ + key->reasm_head = skb_unshare(skb, GFP_ATOMIC); + if (!key->reasm_head) +@@ -349,10 +352,10 @@ static int mctp_frag_queue(struct mctp_sk_key *key, struct sk_buff *skb) + exp_seq = (key->last_seq + 1) & MCTP_HDR_SEQ_MASK; + + if (this_seq != exp_seq) +- return -EINVAL; ++ goto err_free; + + if (key->reasm_head->len + skb->len > mctp_message_maxlen) +- return -EINVAL; ++ goto err_free; + + skb->next = NULL; + skb->sk = NULL; +@@ -366,6 +369,10 @@ static int mctp_frag_queue(struct mctp_sk_key *key, struct sk_buff *skb) + key->reasm_head->truesize += skb->truesize; + + return 0; ++ ++err_free: ++ kfree_skb(skb); ++ return -EINVAL; + } + + static int mctp_route_input(struct mctp_route *route, struct sk_buff *skb) +@@ -476,18 +483,16 @@ static int mctp_route_input(struct mctp_route *route, struct sk_buff *skb) + * key isn't observable yet + */ + mctp_frag_queue(key, skb); ++ skb = NULL; + + /* if the key_add fails, we've raced with another + * SOM packet with the same src, dest and tag. There's + * no way to distinguish future packets, so all we +- * can do is drop; we'll free the skb on exit from +- * this function. ++ * can do is drop. + */ + rc = mctp_key_add(key, msk); +- if (!rc) { ++ if (!rc) + trace_mctp_key_acquire(key); +- skb = NULL; +- } + + /* we don't need to release key->lock on exit, so + * clean up here and suppress the unlock via +@@ -505,8 +510,7 @@ static int mctp_route_input(struct mctp_route *route, struct sk_buff *skb) + key = NULL; + } else { + rc = mctp_frag_queue(key, skb); +- if (!rc) +- skb = NULL; ++ skb = NULL; + } + } + +@@ -516,17 +520,16 @@ static int mctp_route_input(struct mctp_route *route, struct sk_buff *skb) + */ + + /* we need to be continuing an existing reassembly... 
*/ +- if (!key->reasm_head) ++ if (!key->reasm_head) { + rc = -EINVAL; +- else ++ } else { + rc = mctp_frag_queue(key, skb); ++ skb = NULL; ++ } + + if (rc) + goto out_unlock; + +- /* we've queued; the queue owns the skb now */ +- skb = NULL; +- + /* end of message? deliver to socket, and we're done with + * the reassembly/response key + */ +-- +2.50.1 + diff --git a/queue-6.12/net-skb-add-pskb_network_may_pull_reason-helper.patch b/queue-6.12/net-skb-add-pskb_network_may_pull_reason-helper.patch new file mode 100644 index 0000000000..939a34ddad --- /dev/null +++ b/queue-6.12/net-skb-add-pskb_network_may_pull_reason-helper.patch 
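Review bot: in the mctp_frag_queue() hunk that introduces `err_free`, the failure branch immediately after `key->reasm_head = skb_unshare(skb, GFP_ATOMIC);` must not be routed to the new label: skb_unshare() already frees the original buffer when its copy fails, so a `kfree_skb(skb)` there would be a double free. The hunk context stops at `if (!key->reasm_head)`, so that branch body is not visible in this diff; please confirm it returns directly, ideally with a comment saying the skb is already gone. The two `-EINVAL` returns that become `goto err_free` (sequence mismatch and `mctp_message_maxlen` overflow) are fine, since the skb has not been consumed on those paths.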
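Review bot: in the mctp_route_input() hunk at line 476, the return value of `mctp_frag_queue(key, skb);` on the SOM path is still discarded before `skb = NULL;`, so a failed first-fragment queue leaves `key->reasm_head` NULL while `rc = mctp_key_add(key, msk);` goes ahead and publishes the key. That was true before the patch too, but now that the function's contract is "takes ownership of skb, both in success and failure cases" this is the natural place either to capture the result and skip the key add on failure, or to add a comment explaining why publishing an empty reassembly key is acceptable. The other two call-site hunks (`rc = mctp_frag_queue(key, skb); skb = NULL;` unconditionally) match the new ownership contract correctly.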
@@ -0,0 +1,46 @@ +From a28fdbc6b7c73c346079857586ee879001e1842a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Oct 2024 10:28:19 +0800 +Subject: net: skb: add pskb_network_may_pull_reason() helper + +From: Menglong Dong + +[ Upstream commit 454bbde8f0d465e93e5a3a4003ac6c7e62fa4473 ] + +Introduce the function pskb_network_may_pull_reason() and make +pskb_network_may_pull() a simple inline call to it. The drop reasons of +it just come from pskb_may_pull_reason. + +Signed-off-by: Menglong Dong +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Stable-dep-of: 6ead38147ebb ("vxlan: Fix NPD when refreshing an FDB entry with a nexthop object") +Signed-off-by: Sasha Levin +--- + include/linux/skbuff.h | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h +index b2827fce5a2de..314328ab0b843 100644 +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -3153,9 +3153,15 @@ static inline int skb_inner_network_offset(const struct sk_buff *skb) + return skb_inner_network_header(skb) - skb->data; + } + ++static inline enum skb_drop_reason ++pskb_network_may_pull_reason(struct sk_buff *skb, unsigned int len) ++{ ++ return pskb_may_pull_reason(skb, skb_network_offset(skb) + len); ++} ++ + static inline int pskb_network_may_pull(struct sk_buff *skb, unsigned int len) + { +- return pskb_may_pull(skb, skb_network_offset(skb) + len); ++ return pskb_network_may_pull_reason(skb, len) == SKB_NOT_DROPPED_YET; + } + + /* +-- +2.50.1 + diff --git a/queue-6.12/net-smc-fix-one-null-pointer-dereference-in-smc_ib_i.patch b/queue-6.12/net-smc-fix-one-null-pointer-dereference-in-smc_ib_i.patch new file mode 100644 index 0000000000..35b27098aa --- /dev/null +++ b/queue-6.12/net-smc-fix-one-null-pointer-dereference-in-smc_ib_i.patch 
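Review bot: the new `pskb_network_may_pull_reason()` in the skbuff.h hunk has no kernel-doc, unlike the surrounding helpers in that header; a short block stating that it returns `SKB_NOT_DROPPED_YET` when `len` bytes past the network header are (or can be made) linear, and otherwise the reason from `pskb_may_pull_reason()`, would save callers reading through the wrapper. The rewritten `pskb_network_may_pull()` compares against `SKB_NOT_DROPPED_YET` explicitly rather than relying on the enum's zero value, which is the right style. Note this is queued as `Stable-dep-of: 6ead38147ebb` (the vxlan FDB/nexthop NPD fix), not as a fix in its own right, so the series file must keep it ahead of the vxlan patches that call it.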
@@ -0,0 +1,67 @@ +From ec38630dce22ce0547461c80db4dac6f2ec8c862 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Aug 2025 20:41:17 +0800 +Subject: net/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync() + +From: Liu Jian + +[ Upstream commit ba1e9421cf1a8369d25c3832439702a015d6b5f9 ] + +BUG: kernel NULL pointer dereference, address: 00000000000002ec +PGD 0 P4D 0 +Oops: Oops: 0000 [#1] SMP PTI +CPU: 28 UID: 0 PID: 343 Comm: kworker/28:1 Kdump: loaded Tainted: G OE 6.17.0-rc2+ #9 NONE +Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 +Workqueue: smc_hs_wq smc_listen_work [smc] +RIP: 0010:smc_ib_is_sg_need_sync+0x9e/0xd0 [smc] +... +Call Trace: + + smcr_buf_map_link+0x211/0x2a0 [smc] + __smc_buf_create+0x522/0x970 [smc] + smc_buf_create+0x3a/0x110 [smc] + smc_find_rdma_v2_device_serv+0x18f/0x240 [smc] + ? smc_vlan_by_tcpsk+0x7e/0xe0 [smc] + smc_listen_find_device+0x1dd/0x2b0 [smc] + smc_listen_work+0x30f/0x580 [smc] + process_one_work+0x18c/0x340 + worker_thread+0x242/0x360 + kthread+0xe7/0x220 + ret_from_fork+0x13a/0x160 + ret_from_fork_asm+0x1a/0x30 + + +If the software RoCE device is used, ibdev->dma_device is a null pointer. +As a result, the problem occurs. Null pointer detection is added to +prevent problems. + +Fixes: 0ef69e788411c ("net/smc: optimize for smc_sndbuf_sync_sg_for_device and smc_rmb_sync_sg_for_cpu") +Signed-off-by: Liu Jian +Reviewed-by: Guangguan Wang +Reviewed-by: Zhu Yanjun +Reviewed-by: D. 
Wythe +Link: https://patch.msgid.link/20250828124117.2622624-1-liujian56@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/smc/smc_ib.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/smc/smc_ib.c b/net/smc/smc_ib.c +index 9c563cdbea908..fc07fc4ed9986 100644 +--- a/net/smc/smc_ib.c ++++ b/net/smc/smc_ib.c +@@ -743,6 +743,9 @@ bool smc_ib_is_sg_need_sync(struct smc_link *lnk, + unsigned int i; + bool ret = false; + ++ if (!lnk->smcibdev->ibdev->dma_device) ++ return ret; ++ + /* for now there is just one DMA address */ + for_each_sg(buf_slot->sgt[lnk->link_idx].sgl, sg, + buf_slot->sgt[lnk->link_idx].nents, i) { +-- +2.50.1 + diff --git a/queue-6.12/net-smc-remove-validation-of-reserved-bits-in-clc-de.patch b/queue-6.12/net-smc-remove-validation-of-reserved-bits-in-clc-de.patch new file mode 100644 index 0000000000..b28a4a3332 --- /dev/null +++ b/queue-6.12/net-smc-remove-validation-of-reserved-bits-in-clc-de.patch 
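Review bot: the added guard in smc_ib_is_sg_need_sync() returns `ret`, which is `false` at that point, so the meaning is "no sync needed" rather than "error"; writing `return false;` with a comment (for example that a software RoCE device has no `dma_device` and therefore nothing to sync) would make the intent readable without checking the initialiser two lines up. The commit message's "Null pointer detection is added to prevent problems" could likewise say that the missing `dma_device` is expected for soft RoCE and that skipping the sync is the correct outcome, since the oops trace only shows the faulting function, not why returning false is safe.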
@@ -0,0 +1,48 @@ +From 1922f6f4be3e3ccb1763b1cb710d0e24713cacdb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Sep 2025 10:20:41 +0200 +Subject: net/smc: Remove validation of reserved bits in CLC Decline message + +From: Mahanta Jambigi + +[ Upstream commit cc282f73bc0cbdf3ee7af2f2d3a2ef4e6b19242d ] + +Currently SMC code is validating the reserved bits while parsing the incoming +CLC decline message & when this validation fails, its treated as a protocol +error. As a result, the SMC connection is terminated instead of falling back to +TCP. As per RFC7609[1] specs we shouldn't be validating the reserved bits that +is part of CLC message. This patch fixes this issue. + +CLC Decline message format can viewed here[2]. + +[1] https://datatracker.ietf.org/doc/html/rfc7609#page-92 +[2] https://datatracker.ietf.org/doc/html/rfc7609#page-105 + +Fixes: 8ade200c269f ("net/smc: add v2 format of CLC decline message") +Signed-off-by: Mahanta Jambigi +Reviewed-by: Sidraya Jayagond +Reviewed-by: Alexandra Winter +Reviewed-by: Dust Li +Link: https://patch.msgid.link/20250902082041.98996-1-mjambigi@linux.ibm.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/smc/smc_clc.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c +index 521f5df80e10c..8a794333e9927 100644 +--- a/net/smc/smc_clc.c ++++ b/net/smc/smc_clc.c +@@ -426,8 +426,6 @@ smc_clc_msg_decl_valid(struct smc_clc_msg_decline *dclc) + { + struct smc_clc_msg_hdr *hdr = &dclc->hdr; + +- if (hdr->typev1 != SMC_TYPE_R && hdr->typev1 != SMC_TYPE_D) +- return false; + if (hdr->version == SMC_V1) { + if (ntohs(hdr->length) != sizeof(struct smc_clc_msg_decline)) + return false; +-- +2.50.1 + diff --git a/queue-6.12/net-tcp-fix-socket-memory-leak-in-tcp-ao-failure-han.patch b/queue-6.12/net-tcp-fix-socket-memory-leak-in-tcp-ao-failure-han.patch new file mode 100644 index 0000000000..dc375cc532 --- /dev/null 
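Review bot: removing the `typev1` check in smc_clc_msg_decl_valid() follows the commit message's reading of RFC 7609 (the field is reserved in a Decline message and must not be validated), and the `version` and `length` checks that follow remain in place. One thing to confirm in review: nothing downstream of this validator dispatches on `hdr->typev1` for a decline, since the function no longer guarantees it is `SMC_TYPE_R` or `SMC_TYPE_D`. A one-line comment at the removal site citing the RFC section would also help the next reader who wonders why a decline is not type-checked while other CLC messages are.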
+++ b/queue-6.12/net-tcp-fix-socket-memory-leak-in-tcp-ao-failure-han.patch 
@@ -0,0 +1,135 @@ +From bda5c6d94a78497b1d33fb812b268063eb57a53f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 Aug 2025 15:55:38 -0700 +Subject: net/tcp: Fix socket memory leak in TCP-AO failure handling for IPv6 + +From: Christoph Paasch + +[ Upstream commit fa390321aba0a54d0f7ae95ee4ecde1358bb9234 ] + +When tcp_ao_copy_all_matching() fails in tcp_v6_syn_recv_sock() it just +exits the function. This ends up causing a memory-leak: + +unreferenced object 0xffff0000281a8200 (size 2496): + comm "softirq", pid 0, jiffies 4295174684 + hex dump (first 32 bytes): + 7f 00 00 06 7f 00 00 06 00 00 00 00 cb a8 88 13 ................ + 0a 00 03 61 00 00 00 00 00 00 00 00 00 00 00 00 ...a............ + backtrace (crc 5ebdbe15): + kmemleak_alloc+0x44/0xe0 + kmem_cache_alloc_noprof+0x248/0x470 + sk_prot_alloc+0x48/0x120 + sk_clone_lock+0x38/0x3b0 + inet_csk_clone_lock+0x34/0x150 + tcp_create_openreq_child+0x3c/0x4a8 + tcp_v6_syn_recv_sock+0x1c0/0x620 + tcp_check_req+0x588/0x790 + tcp_v6_rcv+0x5d0/0xc18 + ip6_protocol_deliver_rcu+0x2d8/0x4c0 + ip6_input_finish+0x74/0x148 + ip6_input+0x50/0x118 + ip6_sublist_rcv+0x2fc/0x3b0 + ipv6_list_rcv+0x114/0x170 + __netif_receive_skb_list_core+0x16c/0x200 + netif_receive_skb_list_internal+0x1f0/0x2d0 + +This is because in tcp_v6_syn_recv_sock (and the IPv4 counterpart), when +exiting upon error, inet_csk_prepare_forced_close() and tcp_done() need +to be called. They make sure the newsk will end up being correctly +free'd. + +tcp_v4_syn_recv_sock() makes this very clear by having the put_and_exit +label that takes care of things. So, this patch here makes sure +tcp_v4_syn_recv_sock and tcp_v6_syn_recv_sock have similar +error-handling and thus fixes the leak for TCP-AO. 
+ +Fixes: 06b22ef29591 ("net/tcp: Wire TCP-AO to request sockets") +Signed-off-by: Christoph Paasch +Reviewed-by: Dmitry Safonov <0x7f454c46@gmail.com> +Link: https://patch.msgid.link/20250830-tcpao_leak-v1-1-e5878c2c3173@openai.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/tcp_ipv6.c | 32 +++++++++++++++----------------- + 1 file changed, 15 insertions(+), 17 deletions(-) + +diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c +index 59173f58ce992..882ce5444572e 100644 +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -1417,17 +1417,17 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff * + ireq = inet_rsk(req); + + if (sk_acceptq_is_full(sk)) +- goto out_overflow; ++ goto exit_overflow; + + if (!dst) { + dst = inet6_csk_route_req(sk, &fl6, req, IPPROTO_TCP); + if (!dst) +- goto out; ++ goto exit; + } + + newsk = tcp_create_openreq_child(sk, req, skb); + if (!newsk) +- goto out_nonewsk; ++ goto exit_nonewsk; + + /* + * No need to charge this sock to the relevant IPv6 refcnt debug socks +@@ -1517,25 +1517,19 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff * + const union tcp_md5_addr *addr; + + addr = (union tcp_md5_addr *)&newsk->sk_v6_daddr; +- if (tcp_md5_key_copy(newsk, addr, AF_INET6, 128, l3index, key)) { +- inet_csk_prepare_forced_close(newsk); +- tcp_done(newsk); +- goto out; +- } ++ if (tcp_md5_key_copy(newsk, addr, AF_INET6, 128, l3index, key)) ++ goto put_and_exit; + } + } + #endif + #ifdef CONFIG_TCP_AO + /* Copy over tcp_ao_info if any */ + if (tcp_ao_copy_all_matching(sk, newsk, req, skb, AF_INET6)) +- goto out; /* OOM */ ++ goto put_and_exit; /* OOM */ + #endif + +- if (__inet_inherit_port(sk, newsk) < 0) { +- inet_csk_prepare_forced_close(newsk); +- tcp_done(newsk); +- goto out; +- } ++ if (__inet_inherit_port(sk, newsk) < 0) ++ goto put_and_exit; + *own_req = inet_ehash_nolisten(newsk, req_to_sk(req_unhash), + &found_dup_sk); + if (*own_req) { 
+@@ -1562,13 +1556,17 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff * + + return newsk; + +-out_overflow: ++exit_overflow: + __NET_INC_STATS(sock_net(sk), LINUX_MIB_LISTENOVERFLOWS); +-out_nonewsk: ++exit_nonewsk: + dst_release(dst); +-out: ++exit: + tcp_listendrop(sk); + return NULL; ++put_and_exit: ++ inet_csk_prepare_forced_close(newsk); ++ tcp_done(newsk); ++ goto exit; + } + + INDIRECT_CALLABLE_DECLARE(struct dst_entry *ipv4_dst_check(struct dst_entry *, +-- +2.50.1 + diff --git a/queue-6.12/net-thunder_bgx-add-a-missing-of_node_put.patch b/queue-6.12/net-thunder_bgx-add-a-missing-of_node_put.patch new file mode 100644 index 0000000000..d7982ba6b3 --- /dev/null +++ b/queue-6.12/net-thunder_bgx-add-a-missing-of_node_put.patch 
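Review bot: the `#ifdef CONFIG_TCP_AO` hunk at 1517 is the actual fix: a `tcp_ao_copy_all_matching()` failure previously jumped to `out`, which only calls `tcp_listendrop(sk)` and returns, so `newsk` from `tcp_create_openreq_child()` was never torn down, matching the `sk_clone_lock` → `tcp_create_openreq_child` → `tcp_v6_syn_recv_sock` chain in the kmemleak backtrace. Routing it together with the MD5 key copy and `__inet_inherit_port()` failures through the new `put_and_exit` label also removes the two inline copies of `inet_csk_prepare_forced_close(newsk); tcp_done(newsk);`, which is the right consolidation.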
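Review bot: `put_and_exit` in the hunk at 1562 sits after the unconditional `return NULL;`, so it is reachable only by `goto`; that is fine, but it deliberately skips `dst_release(dst)` (unlike `exit_nonewsk`), and the removed inline blocks also went to `out` rather than `out_nonewsk`, confirming that the dst belongs to `newsk` once it exists and is dropped by `tcp_done()`. A short comment on the label stating that would stop someone "fixing" the apparent asymmetry later. The `out_*` → `exit_*` renames are justified by matching tcp_v4_syn_recv_sock() as the message says, but they are pure churn in a stable backport and enlarge the diff for no functional gain.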
@@ -0,0 +1,53 @@ +From 7e8e32a55bcaadfd75645f6396040e85adab3716 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Sep 2025 14:30:18 -0700 +Subject: net: thunder_bgx: add a missing of_node_put + +From: Rosen Penev + +[ Upstream commit 9d28f94912589f04ab51fbccaef287d4f40e0d1f ] + +phy_np needs to get freed, just like the other child nodes. + +Fixes: 5fc7cf179449 ("net: thunderx: Cleanup PHY probing code.") +Signed-off-by: Rosen Penev +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250901213018.47392-1-rosenp@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/cavium/thunder/thunder_bgx.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c +index aa80c37022323..5afc0735b5827 100644 +--- a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c ++++ b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c +@@ -1493,13 +1493,17 @@ static int bgx_init_of_phy(struct bgx *bgx) + * this cortina phy, for which there is no driver + * support, ignore it. + */ +- if (phy_np && +- !of_device_is_compatible(phy_np, "cortina,cs4223-slice")) { +- /* Wait until the phy drivers are available */ +- pd = of_phy_find_device(phy_np); +- if (!pd) +- goto defer; +- bgx->lmac[lmac].phydev = pd; ++ if (phy_np) { ++ if (!of_device_is_compatible(phy_np, "cortina,cs4223-slice")) { ++ /* Wait until the phy drivers are available */ ++ pd = of_phy_find_device(phy_np); ++ if (!pd) { ++ of_node_put(phy_np); ++ goto defer; ++ } ++ bgx->lmac[lmac].phydev = pd; ++ } ++ of_node_put(phy_np); + } + + lmac++; +-- +2.50.1 + diff --git a/queue-6.12/net-thunder_bgx-decrement-cleanup-index-before-use.patch b/queue-6.12/net-thunder_bgx-decrement-cleanup-index-before-use.patch new file mode 100644 index 0000000000..10756c2711 --- /dev/null +++ b/queue-6.12/net-thunder_bgx-decrement-cleanup-index-before-use.patch 
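Review bot: the restructured `if (phy_np)` block in bgx_init_of_phy() now drops the node reference on all three exits (cortina skip, `of_phy_find_device()` failure, success), which is what the Fixes tag calls for. The `of_node_put(phy_np)` is duplicated in the failure branch, though; since `of_phy_find_device()` takes its own reference on the PHY device rather than on the node, the put can be issued once directly after the lookup and before `if (!pd) goto defer;`, which also keeps the nesting one level shallower. Note also that `goto defer` still runs before `bgx->lmac[lmac].phydev = pd;`, an ordering the following "decrement cleanup index before use" patch in this queue relies on.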
@@ -0,0 +1,44 @@ +From b084a1bb23095d389a0cc6f37f8a36f44aa28aa9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Sep 2025 14:33:14 -0700 +Subject: net: thunder_bgx: decrement cleanup index before use + +From: Rosen Penev + +[ Upstream commit 9e3d71a92e561ccc77025689dab25d201fee7a3e ] + +All paths in probe that call goto defer do so before assigning phydev +and thus it makes sense to cleanup the prior index. It also fixes a bug +where index 0 does not get cleaned up. + +Fixes: b7d3e3d3d21a ("net: thunderx: Don't leak phy device references on -EPROBE_DEFER condition.") +Signed-off-by: Rosen Penev +Reviewed-by: Vadim Fedorenko +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250901213314.48599-1-rosenp@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c +index 5afc0735b5827..a360d3dffccd4 100644 +--- a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c ++++ b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c +@@ -1519,11 +1519,11 @@ static int bgx_init_of_phy(struct bgx *bgx) + * for phy devices we may have already found. + */ + while (lmac) { ++ lmac--; + if (bgx->lmac[lmac].phydev) { + put_device(&bgx->lmac[lmac].phydev->mdio.dev); + bgx->lmac[lmac].phydev = NULL; + } +- lmac--; + } + of_node_put(node); + return -EPROBE_DEFER; +-- +2.50.1 + diff --git a/queue-6.12/net-tunnel-add-pskb_inet_may_pull_reason-helper.patch b/queue-6.12/net-tunnel-add-pskb_inet_may_pull_reason-helper.patch new file mode 100644 index 0000000000..0c7244ecb2 --- /dev/null +++ b/queue-6.12/net-tunnel-add-pskb_inet_may_pull_reason-helper.patch 
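Review bot: moving `lmac--;` to the top of the `while (lmac)` loop fixes two things at once: the loop previously inspected `bgx->lmac[lmac]` for the index that had not yet been populated and never reached index 0. The new form is correct only if every `goto defer` happens before `bgx->lmac[lmac].phydev = pd;` for the current index, which holds after the preceding of_node_put patch (this hunk's base `index 5afc0735b5827` is that patch's result, so the order in the queue is right). A comment at the `defer:` label stating that invariant would keep it from being broken by a later early exit inserted after the assignment.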
@@ -0,0 +1,54 @@ +From 16335c441c6cafa04b5eb1e1a5105b36317ac3c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Oct 2024 10:28:20 +0800 +Subject: net: tunnel: add pskb_inet_may_pull_reason() helper + +From: Menglong Dong + +[ Upstream commit 7f20dbd7de7b9b2804e6bf54b0c22f2bc447cd64 ] + +Introduce the function pskb_inet_may_pull_reason() and make +pskb_inet_may_pull a simple inline call to it. The drop reasons of it just +come from pskb_may_pull_reason(). + +Signed-off-by: Menglong Dong +Reviewed-by: Simon Horman +Reviewed-by: Kalesh AP +Signed-off-by: David S. Miller +Stable-dep-of: 6ead38147ebb ("vxlan: Fix NPD when refreshing an FDB entry with a nexthop object") +Signed-off-by: Sasha Levin +--- + include/net/ip_tunnels.h | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/include/net/ip_tunnels.h b/include/net/ip_tunnels.h +index 6a070478254d8..ae83a969ae64b 100644 +--- a/include/net/ip_tunnels.h ++++ b/include/net/ip_tunnels.h +@@ -439,7 +439,8 @@ int ip_tunnel_encap_del_ops(const struct ip_tunnel_encap_ops *op, + int ip_tunnel_encap_setup(struct ip_tunnel *t, + struct ip_tunnel_encap *ipencap); + +-static inline bool pskb_inet_may_pull(struct sk_buff *skb) ++static inline enum skb_drop_reason ++pskb_inet_may_pull_reason(struct sk_buff *skb) + { + int nhlen; + +@@ -456,7 +457,12 @@ static inline bool pskb_inet_may_pull(struct sk_buff *skb) + nhlen = 0; + } + +- return pskb_network_may_pull(skb, nhlen); ++ return pskb_network_may_pull_reason(skb, nhlen); ++} ++ ++static inline bool pskb_inet_may_pull(struct sk_buff *skb) ++{ ++ return pskb_inet_may_pull_reason(skb) == SKB_NOT_DROPPED_YET; + } + + /* Variant of pskb_inet_may_pull(). +-- +2.50.1 + diff --git a/queue-6.12/net-vxlan-add-skb-drop-reasons-to-vxlan_rcv.patch b/queue-6.12/net-vxlan-add-skb-drop-reasons-to-vxlan_rcv.patch new file mode 100644 index 0000000000..92af0938e2 --- /dev/null +++ b/queue-6.12/net-vxlan-add-skb-drop-reasons-to-vxlan_rcv.patch 
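Review bot: same documentation gap as the companion skbuff.h helper: `pskb_inet_may_pull_reason()` is introduced without kernel-doc, and the branch that sets `nhlen = 0` in the hunk context turns into `pskb_network_may_pull_reason(skb, 0)`, i.e. a `SKB_NOT_DROPPED_YET` result with no header check at all; a comment saying that payloads which are neither IPv4 nor IPv6 are not checked here would make the drop-reason semantics explicit. The `pskb_inet_may_pull()` wrapper correctly compares against `SKB_NOT_DROPPED_YET`. It also needs the `pskb_network_may_pull_reason()` patch from this same queue applied first, since it calls that helper.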
@@ -0,0 +1,173 @@ +From 05bad791ab132a59c880ca671de0412acb9cb5d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Oct 2024 10:28:22 +0800 +Subject: net: vxlan: add skb drop reasons to vxlan_rcv() + +From: Menglong Dong + +[ Upstream commit 4c06d9daf8e6215447ca8a2ddd59fa09862c9bae ] + +Introduce skb drop reasons to the function vxlan_rcv(). Following new +drop reasons are added: + + SKB_DROP_REASON_VXLAN_INVALID_HDR + SKB_DROP_REASON_VXLAN_VNI_NOT_FOUND + SKB_DROP_REASON_IP_TUNNEL_ECN + +Signed-off-by: Menglong Dong +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Stable-dep-of: 6ead38147ebb ("vxlan: Fix NPD when refreshing an FDB entry with a nexthop object") +Signed-off-by: Sasha Levin +--- + drivers/net/vxlan/vxlan_core.c | 26 ++++++++++++++++++++------ + include/net/dropreason-core.h | 16 ++++++++++++++++ + 2 files changed, 36 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c +index 1a70770938001..efd5e99808935 100644 +--- a/drivers/net/vxlan/vxlan_core.c ++++ b/drivers/net/vxlan/vxlan_core.c +@@ -1671,13 +1671,15 @@ static int vxlan_rcv(struct sock *sk, struct sk_buff *skb) + struct vxlan_metadata _md; + struct vxlan_metadata *md = &_md; + __be16 protocol = htons(ETH_P_TEB); ++ enum skb_drop_reason reason; + bool raw_proto = false; + void *oiph; + __be32 vni = 0; + int nh; + + /* Need UDP and VXLAN header to be present */ +- if (!pskb_may_pull(skb, VXLAN_HLEN)) ++ reason = pskb_may_pull_reason(skb, VXLAN_HLEN); ++ if (reason) + goto drop; + + unparsed = *vxlan_hdr(skb); +@@ -1686,6 +1688,7 @@ static int vxlan_rcv(struct sock *sk, struct sk_buff *skb) + netdev_dbg(skb->dev, "invalid vxlan flags=%#x vni=%#x\n", + ntohl(vxlan_hdr(skb)->vx_flags), + ntohl(vxlan_hdr(skb)->vx_vni)); ++ reason = SKB_DROP_REASON_VXLAN_INVALID_HDR; + /* Return non vxlan pkt */ + goto drop; + } +@@ -1699,8 +1702,10 @@ static int vxlan_rcv(struct sock *sk, struct sk_buff *skb) + vni = 
vxlan_vni(vxlan_hdr(skb)->vx_vni); + + vxlan = vxlan_vs_find_vni(vs, skb->dev->ifindex, vni, &vninode); +- if (!vxlan) ++ if (!vxlan) { ++ reason = SKB_DROP_REASON_VXLAN_VNI_NOT_FOUND; + goto drop; ++ } + + /* For backwards compatibility, only allow reserved fields to be + * used by VXLAN extensions if explicitly requested. +@@ -1713,8 +1718,10 @@ static int vxlan_rcv(struct sock *sk, struct sk_buff *skb) + } + + if (__iptunnel_pull_header(skb, VXLAN_HLEN, protocol, raw_proto, +- !net_eq(vxlan->net, dev_net(vxlan->dev)))) ++ !net_eq(vxlan->net, dev_net(vxlan->dev)))) { ++ reason = SKB_DROP_REASON_NOMEM; + goto drop; ++ } + + if (vs->flags & VXLAN_F_REMCSUM_RX) + if (unlikely(!vxlan_remcsum(&unparsed, skb, vs->flags))) +@@ -1728,8 +1735,10 @@ static int vxlan_rcv(struct sock *sk, struct sk_buff *skb) + tun_dst = udp_tun_rx_dst(skb, vxlan_get_sk_family(vs), flags, + key32_to_tunnel_id(vni), sizeof(*md)); + +- if (!tun_dst) ++ if (!tun_dst) { ++ reason = SKB_DROP_REASON_NOMEM; + goto drop; ++ } + + md = ip_tunnel_info_opts(&tun_dst->u.tun_info); + +@@ -1753,6 +1762,7 @@ static int vxlan_rcv(struct sock *sk, struct sk_buff *skb) + * is more robust and provides a little more security in + * adding extensions to VXLAN. 
+ */ ++ reason = SKB_DROP_REASON_VXLAN_INVALID_HDR; + goto drop; + } + +@@ -1773,7 +1783,8 @@ static int vxlan_rcv(struct sock *sk, struct sk_buff *skb) + + skb_reset_network_header(skb); + +- if (!pskb_inet_may_pull(skb)) { ++ reason = pskb_inet_may_pull_reason(skb); ++ if (reason) { + DEV_STATS_INC(vxlan->dev, rx_length_errors); + DEV_STATS_INC(vxlan->dev, rx_errors); + vxlan_vnifilter_count(vxlan, vni, vninode, +@@ -1785,6 +1796,7 @@ static int vxlan_rcv(struct sock *sk, struct sk_buff *skb) + oiph = skb->head + nh; + + if (!vxlan_ecn_decapsulate(vs, oiph, skb)) { ++ reason = SKB_DROP_REASON_IP_TUNNEL_ECN; + DEV_STATS_INC(vxlan->dev, rx_frame_errors); + DEV_STATS_INC(vxlan->dev, rx_errors); + vxlan_vnifilter_count(vxlan, vni, vninode, +@@ -1799,6 +1811,7 @@ static int vxlan_rcv(struct sock *sk, struct sk_buff *skb) + dev_core_stats_rx_dropped_inc(vxlan->dev); + vxlan_vnifilter_count(vxlan, vni, vninode, + VXLAN_VNI_STATS_RX_DROPS, 0); ++ reason = SKB_DROP_REASON_DEV_READY; + goto drop; + } + +@@ -1811,8 +1824,9 @@ static int vxlan_rcv(struct sock *sk, struct sk_buff *skb) + return 0; + + drop: ++ reason = reason ?: SKB_DROP_REASON_NOT_SPECIFIED; + /* Consume bad packet */ +- kfree_skb(skb); ++ kfree_skb_reason(skb, reason); + return 0; + } + +diff --git a/include/net/dropreason-core.h b/include/net/dropreason-core.h +index 4748680e8c88e..98259d2b3e926 100644 +--- a/include/net/dropreason-core.h ++++ b/include/net/dropreason-core.h +@@ -92,6 +92,9 @@ + FN(PACKET_SOCK_ERROR) \ + FN(TC_CHAIN_NOTFOUND) \ + FN(TC_RECLASSIFY_LOOP) \ ++ FN(VXLAN_INVALID_HDR) \ ++ FN(VXLAN_VNI_NOT_FOUND) \ ++ FN(IP_TUNNEL_ECN) \ + FNe(MAX) + + /** +@@ -418,6 +421,19 @@ enum skb_drop_reason { + * iterations. + */ + SKB_DROP_REASON_TC_RECLASSIFY_LOOP, ++ /** ++ * @SKB_DROP_REASON_VXLAN_INVALID_HDR: VXLAN header is invalid. 
E.g.: ++ * 1) reserved fields are not zero ++ * 2) "I" flag is not set ++ */ ++ SKB_DROP_REASON_VXLAN_INVALID_HDR, ++ /** @SKB_DROP_REASON_VXLAN_VNI_NOT_FOUND: no VXLAN device found for VNI */ ++ SKB_DROP_REASON_VXLAN_VNI_NOT_FOUND, ++ /** ++ * @SKB_DROP_REASON_IP_TUNNEL_ECN: skb is dropped according to ++ * RFC 6040 4.2, see __INET_ECN_decapsulate() for detail. ++ */ ++ SKB_DROP_REASON_IP_TUNNEL_ECN, + /** + * @SKB_DROP_REASON_MAX: the maximum of core drop reasons, which + * shouldn't be used as a real 'reason' - only for tracing code gen +-- +2.50.1 + diff --git a/queue-6.12/net-vxlan-make-vxlan_set_mac-return-drop-reasons.patch b/queue-6.12/net-vxlan-make-vxlan_set_mac-return-drop-reasons.patch new file mode 100644 index 0000000000..c3d2998813 --- /dev/null +++ b/queue-6.12/net-vxlan-make-vxlan_set_mac-return-drop-reasons.patch 
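Review bot: `reason` in vxlan_rcv() is declared without an initialiser, and the `drop:` label's `reason = reason ?: SKB_DROP_REASON_NOT_SPECIFIED;` relies on the first assignment, `reason = pskb_may_pull_reason(skb, VXLAN_HLEN);`, having cleared it to `SKB_NOT_DROPPED_YET` before any later `goto drop` that does not set its own value (the `vxlan_remcsum()` failure in the hunk at 1713 appears to be one such path, and the `vxlan_set_mac()` failure is another until the later patch in this queue gives it a reason). Initialising `reason = SKB_NOT_DROPPED_YET;` at the declaration would make that explicit and guard against a maybe-uninitialised warning if a `goto drop` is ever added ahead of the first pull check.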
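Review bot: in the dropreason-core.h hunk the three new `FN()` entries are appended just before `FNe(MAX)` and their enum members are placed in the same order, which keeps existing reason numbers stable; good. The later vxlan patches in this queue append to the same list and enum, and their `index` lines show the required order: this patch produces `98259d2b3e926`, the vxlan_snoop patch starts from it and produces `1cb8d7c953beb`, and the vxlan_set_mac patch starts from that, so the series file must keep exactly that sequence or the enum hunks will not apply.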
@@ -0,0 +1,103 @@ +From 4129353540f0134104269399ee01a6324a8577ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Oct 2024 10:28:25 +0800 +Subject: net: vxlan: make vxlan_set_mac() return drop reasons + +From: Menglong Dong + +[ Upstream commit d209706f562ee4fa81bdf24cf6b679c3222aa06c ] + +Change the return type of vxlan_set_mac() from bool to enum +skb_drop_reason. In this commit, the drop reason +"SKB_DROP_REASON_LOCAL_MAC" is introduced for the case that the source +mac of the packet is a local mac. + +Signed-off-by: Menglong Dong +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Stable-dep-of: 1f5d2fd1ca04 ("vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects") +Signed-off-by: Sasha Levin +--- + drivers/net/vxlan/vxlan_core.c | 19 ++++++++++--------- + include/net/dropreason-core.h | 6 ++++++ + 2 files changed, 16 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c +index 58590ddbc6a15..d9077698c5a89 100644 +--- a/drivers/net/vxlan/vxlan_core.c ++++ b/drivers/net/vxlan/vxlan_core.c +@@ -1605,9 +1605,9 @@ static void vxlan_parse_gbp_hdr(struct vxlanhdr *unparsed, + unparsed->vx_flags &= ~VXLAN_GBP_USED_BITS; + } + +-static bool vxlan_set_mac(struct vxlan_dev *vxlan, +- struct vxlan_sock *vs, +- struct sk_buff *skb, __be32 vni) ++static enum skb_drop_reason vxlan_set_mac(struct vxlan_dev *vxlan, ++ struct vxlan_sock *vs, ++ struct sk_buff *skb, __be32 vni) + { + union vxlan_addr saddr; + u32 ifindex = skb->dev->ifindex; +@@ -1618,7 +1618,7 @@ static bool vxlan_set_mac(struct vxlan_dev *vxlan, + + /* Ignore packet loops (and multicast echo) */ + if (ether_addr_equal(eth_hdr(skb)->h_source, vxlan->dev->dev_addr)) +- return false; ++ return SKB_DROP_REASON_LOCAL_MAC; + + /* Get address from the outer IP header */ + if (vxlan_get_sk_family(vs) == AF_INET) { +@@ -1631,11 +1631,11 @@ static bool vxlan_set_mac(struct vxlan_dev *vxlan, + #endif + } + +- if ((vxlan->cfg.flags & 
VXLAN_F_LEARN) && +- vxlan_snoop(skb->dev, &saddr, eth_hdr(skb)->h_source, ifindex, vni)) +- return false; ++ if (!(vxlan->cfg.flags & VXLAN_F_LEARN)) ++ return SKB_NOT_DROPPED_YET; + +- return true; ++ return vxlan_snoop(skb->dev, &saddr, eth_hdr(skb)->h_source, ++ ifindex, vni); + } + + static bool vxlan_ecn_decapsulate(struct vxlan_sock *vs, void *oiph, +@@ -1768,7 +1768,8 @@ static int vxlan_rcv(struct sock *sk, struct sk_buff *skb) + } + + if (!raw_proto) { +- if (!vxlan_set_mac(vxlan, vs, skb, vni)) ++ reason = vxlan_set_mac(vxlan, vs, skb, vni); ++ if (reason) + goto drop; + } else { + skb_reset_mac_header(skb); +diff --git a/include/net/dropreason-core.h b/include/net/dropreason-core.h +index 1cb8d7c953beb..fbf92d442c1b2 100644 +--- a/include/net/dropreason-core.h ++++ b/include/net/dropreason-core.h +@@ -97,6 +97,7 @@ + FN(MAC_INVALID_SOURCE) \ + FN(VXLAN_ENTRY_EXISTS) \ + FN(IP_TUNNEL_ECN) \ ++ FN(LOCAL_MAC) \ + FNe(MAX) + + /** +@@ -443,6 +444,11 @@ enum skb_drop_reason { + * RFC 6040 4.2, see __INET_ECN_decapsulate() for detail. + */ + SKB_DROP_REASON_IP_TUNNEL_ECN, ++ /** ++ * @SKB_DROP_REASON_LOCAL_MAC: the source MAC address is equal to ++ * the MAC address of the local netdev. ++ */ ++ SKB_DROP_REASON_LOCAL_MAC, + /** + * @SKB_DROP_REASON_MAX: the maximum of core drop reasons, which + * shouldn't be used as a real 'reason' - only for tracing code gen +-- +2.50.1 + diff --git a/queue-6.12/net-vxlan-make-vxlan_snoop-return-drop-reasons.patch b/queue-6.12/net-vxlan-make-vxlan_snoop-return-drop-reasons.patch new file mode 100644 index 0000000000..e67ae522f7 --- /dev/null +++ b/queue-6.12/net-vxlan-make-vxlan_snoop-return-drop-reasons.patch 
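Review bot: the vxlan_set_mac() hunk inverts the function's truth sense (it used to return `true` to keep the packet, now `SKB_NOT_DROPPED_YET`, i.e. 0), and the single caller in vxlan_rcv() is updated in the same patch (`reason = vxlan_set_mac(vxlan, vs, skb, vni); if (reason) goto drop;`), so no stale boolean caller survives. The `return vxlan_snoop(...)` at the end passes the snoop result through unchanged and therefore requires vxlan_snoop() to already return `enum skb_drop_reason`, which is the "make vxlan_snoop() return drop reasons" patch in this queue; this hunk's base `58590ddbc6a15` differs from that patch's result `c4ce577eb0908`, so at least one more queued change sits between them and the series order must keep both ahead of this one.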
@@ -0,0 +1,110 @@ +From 7ecbf2b72bfee5c1d0969f1b4c100c987605e18c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Oct 2024 10:28:24 +0800 +Subject: net: vxlan: make vxlan_snoop() return drop reasons + +From: Menglong Dong + +[ Upstream commit 289fd4e75219a96f77c5d679166035cd5118d139 ] + +Change the return type of vxlan_snoop() from bool to enum +skb_drop_reason. In this commit, two drop reasons are introduced: + + SKB_DROP_REASON_MAC_INVALID_SOURCE + SKB_DROP_REASON_VXLAN_ENTRY_EXISTS + +Signed-off-by: Menglong Dong +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Stable-dep-of: 6ead38147ebb ("vxlan: Fix NPD when refreshing an FDB entry with a nexthop object") +Signed-off-by: Sasha Levin +--- + drivers/net/vxlan/vxlan_core.c | 17 +++++++++-------- + include/net/dropreason-core.h | 9 +++++++++ + 2 files changed, 18 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c +index efd5e99808935..c4ce577eb0908 100644 +--- a/drivers/net/vxlan/vxlan_core.c ++++ b/drivers/net/vxlan/vxlan_core.c +@@ -1437,9 +1437,10 @@ static int vxlan_fdb_get(struct sk_buff *skb, + * and Tunnel endpoint. + * Return true if packet is bogus and should be dropped. 
+ */ +-static bool vxlan_snoop(struct net_device *dev, +- union vxlan_addr *src_ip, const u8 *src_mac, +- u32 src_ifindex, __be32 vni) ++static enum skb_drop_reason vxlan_snoop(struct net_device *dev, ++ union vxlan_addr *src_ip, ++ const u8 *src_mac, u32 src_ifindex, ++ __be32 vni) + { + struct vxlan_dev *vxlan = netdev_priv(dev); + struct vxlan_fdb *f; +@@ -1447,7 +1448,7 @@ static bool vxlan_snoop(struct net_device *dev, + + /* Ignore packets from invalid src-address */ + if (!is_valid_ether_addr(src_mac)) +- return true; ++ return SKB_DROP_REASON_MAC_INVALID_SOURCE; + + #if IS_ENABLED(CONFIG_IPV6) + if (src_ip->sa.sa_family == AF_INET6 && +@@ -1461,15 +1462,15 @@ static bool vxlan_snoop(struct net_device *dev, + + if (likely(vxlan_addr_equal(&rdst->remote_ip, src_ip) && + rdst->remote_ifindex == ifindex)) +- return false; ++ return SKB_NOT_DROPPED_YET; + + /* Don't migrate static entries, drop packets */ + if (f->state & (NUD_PERMANENT | NUD_NOARP)) +- return true; ++ return SKB_DROP_REASON_VXLAN_ENTRY_EXISTS; + + /* Don't override an fdb with nexthop with a learnt entry */ + if (rcu_access_pointer(f->nh)) +- return true; ++ return SKB_DROP_REASON_VXLAN_ENTRY_EXISTS; + + if (net_ratelimit()) + netdev_info(dev, +@@ -1497,7 +1498,7 @@ static bool vxlan_snoop(struct net_device *dev, + spin_unlock(&vxlan->hash_lock[hash_index]); + } + +- return false; ++ return SKB_NOT_DROPPED_YET; + } + + static bool __vxlan_sock_release_prep(struct vxlan_sock *vs) +diff --git a/include/net/dropreason-core.h b/include/net/dropreason-core.h +index 98259d2b3e926..1cb8d7c953beb 100644 +--- a/include/net/dropreason-core.h ++++ b/include/net/dropreason-core.h +@@ -94,6 +94,8 @@ + FN(TC_RECLASSIFY_LOOP) \ + FN(VXLAN_INVALID_HDR) \ + FN(VXLAN_VNI_NOT_FOUND) \ ++ FN(MAC_INVALID_SOURCE) \ ++ FN(VXLAN_ENTRY_EXISTS) \ + FN(IP_TUNNEL_ECN) \ + FNe(MAX) + +@@ -429,6 +431,13 @@ enum skb_drop_reason { + SKB_DROP_REASON_VXLAN_INVALID_HDR, + /** @SKB_DROP_REASON_VXLAN_VNI_NOT_FOUND: no VXLAN device 
found for VNI */ + SKB_DROP_REASON_VXLAN_VNI_NOT_FOUND, ++ /** @SKB_DROP_REASON_MAC_INVALID_SOURCE: source mac is invalid */ ++ SKB_DROP_REASON_MAC_INVALID_SOURCE, ++ /** ++ * @SKB_DROP_REASON_VXLAN_ENTRY_EXISTS: trying to migrate a static ++ * entry or an entry pointing to a nexthop. ++ */ ++ SKB_DROP_REASON_VXLAN_ENTRY_EXISTS, + /** + * @SKB_DROP_REASON_IP_TUNNEL_ECN: skb is dropped according to + * RFC 6040 4.2, see __INET_ECN_decapsulate() for detail. +-- +2.50.1 + diff --git a/queue-6.12/net-vxlan-rename-skb_drop_reason_vxlan_no_remote.patch b/queue-6.12/net-vxlan-rename-skb_drop_reason_vxlan_no_remote.patch new file mode 100644 index 0000000000..20ce1e5bfd --- /dev/null +++ b/queue-6.12/net-vxlan-rename-skb_drop_reason_vxlan_no_remote.patch 
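Review bot: on the vxlan_snoop() drop-reason patch just above (the one ending with the include/net/dropreason-core.h hunk), the new FN(MAC_INVALID_SOURCE) and FN(VXLAN_ENTRY_EXISTS) entries are inserted ahead of FN(IP_TUNNEL_ECN), so the numeric value of SKB_DROP_REASON_IP_TUNNEL_ECN and of every reason after it changes on this stable branch. The skb:kfree_skb tracepoint reports the reason by name, so name-based tooling is unaffected, but since the rename patch in this same batch explicitly preserves numeric values, the backport note should say that this one does not. Minor doc point: the one-line kernel-doc `/** @SKB_DROP_REASON_MAC_INVALID_SOURCE: source mac is invalid */` would be more useful if it named the criterion the vxlan_snoop() hunk applies, e.g. "source MAC fails is_valid_ether_addr() (multicast or all-zero)".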
@@ -0,0 +1,94 @@ +From 8762606b2ec57bf147d754e45e8642ef2c153e83 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Dec 2024 11:36:05 -0500 +Subject: net: vxlan: rename SKB_DROP_REASON_VXLAN_NO_REMOTE + +From: Radu Rendec + +[ Upstream commit 46e0ccfb88f02ab2eb20a41d519d6e4c028652f2 ] + +The SKB_DROP_REASON_VXLAN_NO_REMOTE skb drop reason was introduced in +the specific context of vxlan. As it turns out, there are similar cases +when a packet needs to be dropped in other parts of the network stack, +such as the bridge module. + +Rename SKB_DROP_REASON_VXLAN_NO_REMOTE and give it a more generic name, +so that it can be used in other parts of the network stack. This is not +a functional change, and the numeric value of the drop reason even +remains unchanged. + +Signed-off-by: Radu Rendec +Reviewed-by: Ido Schimmel +Acked-by: Nikolay Aleksandrov +Link: https://patch.msgid.link/20241219163606.717758-2-rrendec@redhat.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: 1f5d2fd1ca04 ("vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects") +Signed-off-by: Sasha Levin +--- + drivers/net/vxlan/vxlan_core.c | 4 ++-- + drivers/net/vxlan/vxlan_mdb.c | 2 +- + include/net/dropreason-core.h | 6 +++--- + 3 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c +index 40f01a6aaed38..ce9dcd8e74a93 100644 +--- a/drivers/net/vxlan/vxlan_core.c ++++ b/drivers/net/vxlan/vxlan_core.c +@@ -2787,7 +2787,7 @@ static netdev_tx_t vxlan_xmit(struct sk_buff *skb, struct net_device *dev) + dev_core_stats_tx_dropped_inc(dev); + vxlan_vnifilter_count(vxlan, vni, NULL, + VXLAN_VNI_STATS_TX_DROPS, 0); +- kfree_skb_reason(skb, SKB_DROP_REASON_VXLAN_NO_REMOTE); ++ kfree_skb_reason(skb, SKB_DROP_REASON_NO_TX_TARGET); + return NETDEV_TX_OK; + } + } +@@ -2810,7 +2810,7 @@ static netdev_tx_t vxlan_xmit(struct sk_buff *skb, struct net_device *dev) + if (fdst) + vxlan_xmit_one(skb, dev, vni, fdst, did_rsc); + else +- 
kfree_skb_reason(skb, SKB_DROP_REASON_VXLAN_NO_REMOTE); ++ kfree_skb_reason(skb, SKB_DROP_REASON_NO_TX_TARGET); + } + + return NETDEV_TX_OK; +diff --git a/drivers/net/vxlan/vxlan_mdb.c b/drivers/net/vxlan/vxlan_mdb.c +index e1173ae134284..ec86d1c024834 100644 +--- a/drivers/net/vxlan/vxlan_mdb.c ++++ b/drivers/net/vxlan/vxlan_mdb.c +@@ -1712,7 +1712,7 @@ netdev_tx_t vxlan_mdb_xmit(struct vxlan_dev *vxlan, + vxlan_xmit_one(skb, vxlan->dev, src_vni, + rcu_dereference(fremote->rd), false); + else +- kfree_skb_reason(skb, SKB_DROP_REASON_VXLAN_NO_REMOTE); ++ kfree_skb_reason(skb, SKB_DROP_REASON_NO_TX_TARGET); + + return NETDEV_TX_OK; + } +diff --git a/include/net/dropreason-core.h b/include/net/dropreason-core.h +index d59bb96c5a02c..02e7be19b0428 100644 +--- a/include/net/dropreason-core.h ++++ b/include/net/dropreason-core.h +@@ -96,7 +96,7 @@ + FN(VXLAN_VNI_NOT_FOUND) \ + FN(MAC_INVALID_SOURCE) \ + FN(VXLAN_ENTRY_EXISTS) \ +- FN(VXLAN_NO_REMOTE) \ ++ FN(NO_TX_TARGET) \ + FN(IP_TUNNEL_ECN) \ + FN(TUNNEL_TXINFO) \ + FN(LOCAL_MAC) \ +@@ -441,8 +441,8 @@ enum skb_drop_reason { + * entry or an entry pointing to a nexthop. + */ + SKB_DROP_REASON_VXLAN_ENTRY_EXISTS, +- /** @SKB_DROP_REASON_VXLAN_NO_REMOTE: no remote found for xmit */ +- SKB_DROP_REASON_VXLAN_NO_REMOTE, ++ /** @SKB_DROP_REASON_NO_TX_TARGET: no target found for xmit */ ++ SKB_DROP_REASON_NO_TX_TARGET, + /** + * @SKB_DROP_REASON_IP_TUNNEL_ECN: skb is dropped according to + * RFC 6040 4.2, see __INET_ECN_decapsulate() for detail. +-- +2.50.1 + diff --git a/queue-6.12/net-vxlan-use-kfree_skb_reason-in-vxlan_mdb_xmit.patch b/queue-6.12/net-vxlan-use-kfree_skb_reason-in-vxlan_mdb_xmit.patch new file mode 100644 index 0000000000..05373fe001 --- /dev/null +++ b/queue-6.12/net-vxlan-use-kfree_skb_reason-in-vxlan_mdb_xmit.patch 
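Review bot: the dropreason-core.h hunk of the rename patch above changes the reason's name string from VXLAN_NO_REMOTE to NO_TX_TARGET, which is user-visible: the skb:kfree_skb tracepoint and drop monitors print the reason by name, so tooling that matches on "VXLAN_NO_REMOTE" breaks even though, as the commit message says, the numeric value is unchanged. The commit message should state that the name change is visible to userspace. The new kernel-doc `no target found for xmit` would also read better as, e.g., "no destination found for xmit (VXLAN remote, or the bridge cases this reason is now shared with)", matching the motivation given in the commit message.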
@@ -0,0 +1,37 @@ +From 3f61f28d39e1e37304b5c5607c02455be8a3db83 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Oct 2024 10:28:28 +0800 +Subject: net: vxlan: use kfree_skb_reason() in vxlan_mdb_xmit() + +From: Menglong Dong + +[ Upstream commit 03483dbde80d102146a61ec09b9e90cfc4bb8be0 ] + +Replace kfree_skb() with kfree_skb_reason() in vxlan_mdb_xmit. No drop +reasons are introduced in this commit. + +Signed-off-by: Menglong Dong +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Stable-dep-of: 1f5d2fd1ca04 ("vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects") +Signed-off-by: Sasha Levin +--- + drivers/net/vxlan/vxlan_mdb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/vxlan/vxlan_mdb.c b/drivers/net/vxlan/vxlan_mdb.c +index 60eb95a06d551..e1173ae134284 100644 +--- a/drivers/net/vxlan/vxlan_mdb.c ++++ b/drivers/net/vxlan/vxlan_mdb.c +@@ -1712,7 +1712,7 @@ netdev_tx_t vxlan_mdb_xmit(struct vxlan_dev *vxlan, + vxlan_xmit_one(skb, vxlan->dev, src_vni, + rcu_dereference(fremote->rd), false); + else +- kfree_skb(skb); ++ kfree_skb_reason(skb, SKB_DROP_REASON_VXLAN_NO_REMOTE); + + return NETDEV_TX_OK; + } +-- +2.50.1 + diff --git a/queue-6.12/net-vxlan-use-kfree_skb_reason-in-vxlan_xmit.patch b/queue-6.12/net-vxlan-use-kfree_skb_reason-in-vxlan_xmit.patch new file mode 100644 index 0000000000..65fe2ddf2a --- /dev/null +++ b/queue-6.12/net-vxlan-use-kfree_skb_reason-in-vxlan_xmit.patch 
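Review bot: the vxlan_mdb.c hunk of the vxlan_mdb_xmit() patch above uses SKB_DROP_REASON_VXLAN_NO_REMOTE, which is only defined by the companion "net: vxlan: use kfree_skb_reason() in vxlan_xmit()" patch in this batch; the queue's series order must apply that patch first or this one fails to build at the `kfree_skb_reason(skb, SKB_DROP_REASON_VXLAN_NO_REMOTE);` line. The commit message's "No drop reasons are introduced in this commit" is correct but should be extended with that dependency.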
@@ -0,0 +1,96 @@ +From caa2ea2179057df8ad5656fe836d7917232464fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Oct 2024 10:28:26 +0800 +Subject: net: vxlan: use kfree_skb_reason() in vxlan_xmit() + +From: Menglong Dong + +[ Upstream commit b71a576e452b800efeac49ecca116d954601d911 ] + +Replace kfree_skb() with kfree_skb_reason() in vxlan_xmit(). Following +new skb drop reasons are introduced for vxlan: + +/* no remote found for xmit */ +SKB_DROP_REASON_VXLAN_NO_REMOTE +/* packet without necessary metadata reached a device which is + * in "external" mode + */ +SKB_DROP_REASON_TUNNEL_TXINFO + +Signed-off-by: Menglong Dong +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Stable-dep-of: 1f5d2fd1ca04 ("vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects") +Signed-off-by: Sasha Levin +--- + drivers/net/vxlan/vxlan_core.c | 6 +++--- + include/net/dropreason-core.h | 9 +++++++++ + 2 files changed, 12 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c +index d9077698c5a89..40f01a6aaed38 100644 +--- a/drivers/net/vxlan/vxlan_core.c ++++ b/drivers/net/vxlan/vxlan_core.c +@@ -2724,7 +2724,7 @@ static netdev_tx_t vxlan_xmit(struct sk_buff *skb, struct net_device *dev) + if (info && info->mode & IP_TUNNEL_INFO_TX) + vxlan_xmit_one(skb, dev, vni, NULL, false); + else +- kfree_skb(skb); ++ kfree_skb_reason(skb, SKB_DROP_REASON_TUNNEL_TXINFO); + return NETDEV_TX_OK; + } + } +@@ -2787,7 +2787,7 @@ static netdev_tx_t vxlan_xmit(struct sk_buff *skb, struct net_device *dev) + dev_core_stats_tx_dropped_inc(dev); + vxlan_vnifilter_count(vxlan, vni, NULL, + VXLAN_VNI_STATS_TX_DROPS, 0); +- kfree_skb(skb); ++ kfree_skb_reason(skb, SKB_DROP_REASON_VXLAN_NO_REMOTE); + return NETDEV_TX_OK; + } + } +@@ -2810,7 +2810,7 @@ static netdev_tx_t vxlan_xmit(struct sk_buff *skb, struct net_device *dev) + if (fdst) + vxlan_xmit_one(skb, dev, vni, fdst, did_rsc); + else +- kfree_skb(skb); ++ 
kfree_skb_reason(skb, SKB_DROP_REASON_VXLAN_NO_REMOTE); + } + + return NETDEV_TX_OK; +diff --git a/include/net/dropreason-core.h b/include/net/dropreason-core.h +index fbf92d442c1b2..d59bb96c5a02c 100644 +--- a/include/net/dropreason-core.h ++++ b/include/net/dropreason-core.h +@@ -96,7 +96,9 @@ + FN(VXLAN_VNI_NOT_FOUND) \ + FN(MAC_INVALID_SOURCE) \ + FN(VXLAN_ENTRY_EXISTS) \ ++ FN(VXLAN_NO_REMOTE) \ + FN(IP_TUNNEL_ECN) \ ++ FN(TUNNEL_TXINFO) \ + FN(LOCAL_MAC) \ + FNe(MAX) + +@@ -439,11 +441,18 @@ enum skb_drop_reason { + * entry or an entry pointing to a nexthop. + */ + SKB_DROP_REASON_VXLAN_ENTRY_EXISTS, ++ /** @SKB_DROP_REASON_VXLAN_NO_REMOTE: no remote found for xmit */ ++ SKB_DROP_REASON_VXLAN_NO_REMOTE, + /** + * @SKB_DROP_REASON_IP_TUNNEL_ECN: skb is dropped according to + * RFC 6040 4.2, see __INET_ECN_decapsulate() for detail. + */ + SKB_DROP_REASON_IP_TUNNEL_ECN, ++ /** ++ * @SKB_DROP_REASON_TUNNEL_TXINFO: packet without necessary metadata ++ * reached a device which is in "external" mode. ++ */ ++ SKB_DROP_REASON_TUNNEL_TXINFO, + /** + * @SKB_DROP_REASON_LOCAL_MAC: the source MAC address is equal to + * the MAC address of the local netdev. +-- +2.50.1 + diff --git a/queue-6.12/net-xilinx-axienet-add-error-handling-for-rx-metadat.patch b/queue-6.12/net-xilinx-axienet-add-error-handling-for-rx-metadat.patch new file mode 100644 index 0000000000..d60fc7b12f --- /dev/null +++ b/queue-6.12/net-xilinx-axienet-add-error-handling-for-rx-metadat.patch 
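Review bot: in the first vxlan_core.c hunk of the vxlan_xmit() patch above, the SKB_DROP_REASON_TUNNEL_TXINFO drop returns NETDEV_TX_OK without touching tx statistics in the visible context, whereas the second hunk's SKB_DROP_REASON_VXLAN_NO_REMOTE drop is preceded by dev_core_stats_tx_dropped_inc() and vxlan_vnifilter_count(..., VXLAN_VNI_STATS_TX_DROPS, ...). That gap is pre-existing, but now that the drop carries a named reason it deserves a follow-up so the "external" mode drop is also counted in tx_dropped; otherwise the tracepoint is the only place it shows up. Note for anyone bisecting this branch: the VXLAN_NO_REMOTE name introduced here is renamed to NO_TX_TARGET by the next patch in the batch, so it exists only transiently.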
@@ -0,0 +1,58 @@ +From 6a24744b60d37549544a78b92ec23561e85ca16a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Sep 2025 08:22:13 +0530 +Subject: net: xilinx: axienet: Add error handling for RX metadata pointer + retrieval + +From: Abin Joseph + +[ Upstream commit 8bbceba7dc5090c00105e006ce28d1292cfda8dd ] + +Add proper error checking for dmaengine_desc_get_metadata_ptr() which +can return an error pointer and lead to potential crashes or undefined +behaviour if the pointer retrieval fails. + +Properly handle the error by unmapping DMA buffer, freeing the skb and +returning early to prevent further processing with invalid data. + +Fixes: 6a91b846af85 ("net: axienet: Introduce dmaengine support") +Signed-off-by: Abin Joseph +Reviewed-by: Radhey Shyam Pandey +Link: https://patch.msgid.link/20250903025213.3120181-1-abin.joseph@amd.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +index 1775e060d39d3..3339c5e1a57a9 100644 +--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c ++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +@@ -1127,6 +1127,15 @@ static void axienet_dma_rx_cb(void *data, const struct dmaengine_result *result) + &meta_max_len); + dma_unmap_single(lp->dev, skbuf_dma->dma_address, lp->max_frm_size, + DMA_FROM_DEVICE); ++ ++ if (IS_ERR(app_metadata)) { ++ if (net_ratelimit()) ++ netdev_err(lp->ndev, "Failed to get RX metadata pointer\n"); ++ dev_kfree_skb_any(skb); ++ lp->ndev->stats.rx_dropped++; ++ goto rx_submit; ++ } ++ + /* TODO: Derive app word index programmatically */ + rx_len = (app_metadata[LEN_APP] & 0xFFFF); + skb_put(skb, rx_len); +@@ -1139,6 +1148,7 @@ static void axienet_dma_rx_cb(void *data, const struct dmaengine_result *result) + u64_stats_add(&lp->rx_bytes, rx_len); + 
u64_stats_update_end(&lp->rx_stat_sync); + ++rx_submit: + for (i = 0; i < CIRC_SPACE(lp->rx_ring_head, lp->rx_ring_tail, + RX_BUF_NUM_DEFAULT); i++) + axienet_rx_submit_desc(lp->ndev); +-- +2.50.1 + diff --git a/queue-6.12/net_sched-gen_estimator-fix-est_timer-vs-config_pree.patch b/queue-6.12/net_sched-gen_estimator-fix-est_timer-vs-config_pree.patch new file mode 100644 index 0000000000..f1b8f2f752 --- /dev/null +++ b/queue-6.12/net_sched-gen_estimator-fix-est_timer-vs-config_pree.patch 
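Review bot: in the xilinx_axienet_main.c hunk above, the new error path bumps `lp->ndev->stats.rx_dropped++` directly, while the success path in the same function accounts through the u64_stats API (`u64_stats_add(&lp->rx_bytes, rx_len)` closed by `u64_stats_update_end(&lp->rx_stat_sync)`); mixing the two is inconsistent, and if the driver exposes a u64_stats drop or error counter this increment will not be reported through it, so prefer the driver's existing stats mechanism. Also include the error code in the message so the ratelimited log is actionable, e.g. `netdev_err(lp->ndev, "Failed to get RX metadata pointer: %ld\n", PTR_ERR(app_metadata));`.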
@@ -0,0 +1,73 @@ +From 75c7377b305279bbe7772e0777fd4b6733e3f2e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Aug 2025 16:23:52 +0000 +Subject: net_sched: gen_estimator: fix est_timer() vs CONFIG_PREEMPT_RT=y + +From: Eric Dumazet + +[ Upstream commit 9f74c0ea9b26d1505d55b61e36b1623dd347e1d1 ] + +syzbot reported a WARNING in est_timer() [1] + +Problem here is that with CONFIG_PREEMPT_RT=y, timer callbacks +can be preempted. + +Adopt preempt_disable_nested()/preempt_enable_nested() to fix this. + +[1] + WARNING: CPU: 0 PID: 16 at ./include/linux/seqlock.h:221 __seqprop_assert include/linux/seqlock.h:221 [inline] + WARNING: CPU: 0 PID: 16 at ./include/linux/seqlock.h:221 est_timer+0x6dc/0x9f0 net/core/gen_estimator.c:93 +Modules linked in: +CPU: 0 UID: 0 PID: 16 Comm: ktimers/0 Not tainted syzkaller #0 PREEMPT_{RT,(full)} +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 + RIP: 0010:__seqprop_assert include/linux/seqlock.h:221 [inline] + RIP: 0010:est_timer+0x6dc/0x9f0 net/core/gen_estimator.c:93 +Call Trace: + + call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747 + expire_timers kernel/time/timer.c:1798 [inline] + __run_timers kernel/time/timer.c:2372 [inline] + __run_timer_base+0x648/0x970 kernel/time/timer.c:2384 + run_timer_base kernel/time/timer.c:2393 [inline] + run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403 + handle_softirqs+0x22c/0x710 kernel/softirq.c:579 + __do_softirq kernel/softirq.c:613 [inline] + run_ktimerd+0xcf/0x190 kernel/softirq.c:1043 + smpboot_thread_fn+0x53f/0xa60 kernel/smpboot.c:160 + kthread+0x70e/0x8a0 kernel/kthread.c:463 + ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 + + +Fixes: d2d6422f8bd1 ("x86: Allow to enable PREEMPT_RT.") +Reported-by: syzbot+72db9ee39db57c3fecc5@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/68adf6fa.a70a0220.3cafd4.0000.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet 
+Reviewed-by: Sebastian Andrzej Siewior +Link: https://patch.msgid.link/20250827162352.3960779-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/gen_estimator.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/core/gen_estimator.c b/net/core/gen_estimator.c +index 412816076b8bc..392f1cb5cc479 100644 +--- a/net/core/gen_estimator.c ++++ b/net/core/gen_estimator.c +@@ -90,10 +90,12 @@ static void est_timer(struct timer_list *t) + rate = (b_packets - est->last_packets) << (10 - est->intvl_log); + rate = (rate >> est->ewma_log) - (est->avpps >> est->ewma_log); + ++ preempt_disable_nested(); + write_seqcount_begin(&est->seq); + est->avbps += brate; + est->avpps += rate; + write_seqcount_end(&est->seq); ++ preempt_enable_nested(); + + est->last_bytes = b_bytes; + est->last_packets = b_packets; +-- +2.50.1 + diff --git a/queue-6.12/netfilter-br_netfilter-do-not-check-confirmed-bit-in.patch b/queue-6.12/netfilter-br_netfilter-do-not-check-confirmed-bit-in.patch new file mode 100644 index 0000000000..4b8d215b77 --- /dev/null +++ b/queue-6.12/netfilter-br_netfilter-do-not-check-confirmed-bit-in.patch 
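Review bot: the gen_estimator.c hunk above adds preempt_disable_nested()/preempt_enable_nested() around the write_seqcount_begin()/write_seqcount_end() pair with no comment; on !CONFIG_PREEMPT_RT these helpers only assert that preemption is already disabled, so a future reader will see an apparently redundant pair inside a timer callback and may remove it. Suggest a one-line comment above the call, e.g. `/* PREEMPT_RT: timer callbacks are preemptible, seqcount writer needs preemption off */`, tied to the syzbot report quoted in the commit message.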
@@ -0,0 +1,77 @@ +From 6c8012325874886890f70a29c135545fa3d56cf9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Aug 2025 11:52:19 +0800 +Subject: netfilter: br_netfilter: do not check confirmed bit in + br_nf_local_in() after confirm + +From: Wang Liang + +[ Upstream commit 479a54ab92087318514c82428a87af2d7af1a576 ] + +When send a broadcast packet to a tap device, which was added to a bridge, +br_nf_local_in() is called to confirm the conntrack. If another conntrack +with the same hash value is added to the hash table, which can be +triggered by a normal packet to a non-bridge device, the below warning +may happen. + + ------------[ cut here ]------------ + WARNING: CPU: 1 PID: 96 at net/bridge/br_netfilter_hooks.c:632 br_nf_local_in+0x168/0x200 + CPU: 1 UID: 0 PID: 96 Comm: tap_send Not tainted 6.17.0-rc2-dirty #44 PREEMPT(voluntary) + RIP: 0010:br_nf_local_in+0x168/0x200 + Call Trace: + + nf_hook_slow+0x3e/0xf0 + br_pass_frame_up+0x103/0x180 + br_handle_frame_finish+0x2de/0x5b0 + br_nf_hook_thresh+0xc0/0x120 + br_nf_pre_routing_finish+0x168/0x3a0 + br_nf_pre_routing+0x237/0x5e0 + br_handle_frame+0x1ec/0x3c0 + __netif_receive_skb_core+0x225/0x1210 + __netif_receive_skb_one_core+0x37/0xa0 + netif_receive_skb+0x36/0x160 + tun_get_user+0xa54/0x10c0 + tun_chr_write_iter+0x65/0xb0 + vfs_write+0x305/0x410 + ksys_write+0x60/0xd0 + do_syscall_64+0xa4/0x260 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + + ---[ end trace 0000000000000000 ]--- + +To solve the hash conflict, nf_ct_resolve_clash() try to merge the +conntracks, and update skb->_nfct. However, br_nf_local_in() still use the +old ct from local variable 'nfct' after confirm(), which leads to this +warning. + +If confirm() does not insert the conntrack entry and return NF_DROP, the +warning may also occur. There is no need to reserve the WARN_ON_ONCE, just +remove it. 
+ +Link: https://lore.kernel.org/netdev/20250820043329.2902014-1-wangliang74@huawei.com/ +Fixes: 62e7151ae3eb ("netfilter: bridge: confirm multicast packets before passing them up the stack") +Suggested-by: Florian Westphal +Signed-off-by: Wang Liang +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/bridge/br_netfilter_hooks.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c +index 17a5f5923d615..5ad3f3ef4ca75 100644 +--- a/net/bridge/br_netfilter_hooks.c ++++ b/net/bridge/br_netfilter_hooks.c +@@ -653,9 +653,6 @@ static unsigned int br_nf_local_in(void *priv, + break; + } + +- ct = container_of(nfct, struct nf_conn, ct_general); +- WARN_ON_ONCE(!nf_ct_is_confirmed(ct)); +- + return ret; + } + #endif +-- +2.50.1 + diff --git a/queue-6.12/netfilter-conntrack-helper-replace-eexist-by-ebusy.patch b/queue-6.12/netfilter-conntrack-helper-replace-eexist-by-ebusy.patch new file mode 100644 index 0000000000..67f214aea4 --- /dev/null +++ b/queue-6.12/netfilter-conntrack-helper-replace-eexist-by-ebusy.patch 
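Review bot: the br_netfilter_hooks.c hunk above deletes the `ct = container_of(nfct, struct nf_conn, ct_general);` reassignment and the WARN_ON_ONCE() but, per the diffstat (3 deletions only), leaves `ct` declared; that is fine only if `ct` is still assigned and used earlier in br_nf_local_in(), otherwise the build gains an unused-variable warning, so please confirm. Since the commit message's root cause is that `nfct` is stale after confirm() (nf_ct_resolve_clash() may replace skb->_nfct), a short comment at the deleted site saying that neither `nfct` nor `ct` may be used after confirm() would keep the WARN from being reintroduced.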
@@ -0,0 +1,50 @@ +From 5bbc3be0077e9017e74037e9e734bcb3d0290ca2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Aug 2025 13:22:20 +0200 +Subject: netfilter: conntrack: helper: Replace -EEXIST by -EBUSY + +From: Phil Sutter + +[ Upstream commit 54416fd76770bd04fc3c501810e8d673550bab26 ] + +The helper registration return value is passed-through by module_init +callbacks which modprobe confuses with the harmless -EEXIST returned +when trying to load an already loaded module. + +Make sure modprobe fails so users notice their helper has not been +registered and won't work. + +Suggested-by: Christophe Leroy +Fixes: 12f7a505331e ("netfilter: add user-space connection tracking helper infrastructure") +Signed-off-by: Phil Sutter +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_helper.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c +index 4ed5878cb25b1..ceb48c3ca0a43 100644 +--- a/net/netfilter/nf_conntrack_helper.c ++++ b/net/netfilter/nf_conntrack_helper.c +@@ -368,7 +368,7 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me) + (cur->tuple.src.l3num == NFPROTO_UNSPEC || + cur->tuple.src.l3num == me->tuple.src.l3num) && + cur->tuple.dst.protonum == me->tuple.dst.protonum) { +- ret = -EEXIST; ++ ret = -EBUSY; + goto out; + } + } +@@ -379,7 +379,7 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me) + hlist_for_each_entry(cur, &nf_ct_helper_hash[h], hnode) { + if (nf_ct_tuple_src_mask_cmp(&cur->tuple, &me->tuple, + &mask)) { +- ret = -EEXIST; ++ ret = -EBUSY; + goto out; + } + } +-- +2.50.1 + diff --git a/queue-6.12/netfilter-nft_flowtable.sh-re-run-with-random-mtu-si.patch b/queue-6.12/netfilter-nft_flowtable.sh-re-run-with-random-mtu-si.patch new file mode 100644 index 0000000000..dd376cac44 --- /dev/null +++ b/queue-6.12/netfilter-nft_flowtable.sh-re-run-with-random-mtu-si.patch 
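Review bot: both nf_conntrack_helper.c hunks of the helper patch above change the duplicate-registration return from -EEXIST to -EBUSY, which is an errno change visible to every caller of nf_conntrack_helper_register(), not only to the module_init paths the commit message targets. Any in-tree or out-of-tree caller that tests `ret == -EEXIST` to tolerate re-registration will now treat the condition as a hard failure; the commit message should say so, and a grep for such callers is worth doing before this lands in stable.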
@@ -0,0 +1,385 @@ +From 5571c22a30a73ed8bea61c31d60b66cbd2b29ea0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Aug 2025 23:49:18 +0200 +Subject: netfilter: nft_flowtable.sh: re-run with random mtu sizes + +From: Florian Westphal + +[ Upstream commit d6a367ec6c96fc8e61b4d67e69df03565ec69fb7 ] + +Jakub says: + nft_flowtable.sh is one of the most flake-atious test for netdev CI currently :( + +The root cause is two-fold: +1. the failing part of the test is supposed to make sure that ip + fragments are forwarded for offloaded flows. + (flowtable has to pass them to classic forward path). + path mtu discovery for these subtests is disabled. + +2. nft_flowtable.sh has two passes. One with fixed mtus/file size and + one where link mtus and file sizes are random. + +The CI failures all have same pattern: + re-run with random mtus and file size: -o 27663 -l 4117 -r 10089 -s 54384840 + [..] + PASS: dscp_egress: dscp packet counters match + FAIL: file mismatch for ns1 -> ns2 + +In some cases this error triggers a bit ealier, sometimes in a later +subtest: + re-run with random mtus and file size: -o 20201 -l 4555 -r 12657 -s 9405856 + [..] + PASS: dscp_egress: dscp packet counters match + PASS: dscp_fwd: dscp packet counters match + 2025/08/17 20:37:52 socat[18954] E write(7, 0x560716b96000, 8192): Broken pipe + FAIL: file mismatch for ns1 -> ns2 + -rw------- 1 root root 9405856 Aug 17 20:36 /tmp/tmp.2n63vlTrQe + +But all logs I saw show same scenario: +1. Failing tests have pmtu discovery off (i.e., ip fragmentation) +2. The test file is much larger than first-pass default (2M Byte) +3. peers have much larger MTUs compared to the 'network'. + +These errors are very reproducible when re-running the test with +the same commandline arguments. + +The timeout became much more prominent with +1d2fbaad7cd8 ("tcp: stronger sk_rcvbuf checks"): reassembled packets +typically have a skb->truesize more than double the skb length. 
+ +As that commit is intentional and pmtud-off with +large-tcp-packets-as-fragments is not normal adjust the test to use a +smaller file for the pmtu-off subtests. + +While at it, add more information to pass/fail messages and +also run the dscp alteration subtest with pmtu discovery enabled. + +Link: https://netdev.bots.linux.dev/contest.html?test=nft-flowtable-sh +Fixes: f84ab634904c ("selftests: netfilter: nft_flowtable.sh: re-run with random mtu sizes") +Reported-by: Jakub Kicinski +Closes: https://lore.kernel.org/netdev/20250822071330.4168f0db@kernel.org/ +Signed-off-by: Florian Westphal +Link: https://patch.msgid.link/20250828214918.3385-1-fw@strlen.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../selftests/net/netfilter/nft_flowtable.sh | 113 ++++++++++++------ + 1 file changed, 76 insertions(+), 37 deletions(-) + +diff --git a/tools/testing/selftests/net/netfilter/nft_flowtable.sh b/tools/testing/selftests/net/netfilter/nft_flowtable.sh +index a4ee5496f2a17..45832df982950 100755 +--- a/tools/testing/selftests/net/netfilter/nft_flowtable.sh ++++ b/tools/testing/selftests/net/netfilter/nft_flowtable.sh +@@ -20,6 +20,7 @@ ret=0 + SOCAT_TIMEOUT=60 + + nsin="" ++nsin_small="" + ns1out="" + ns2out="" + +@@ -36,7 +37,7 @@ cleanup() { + + cleanup_all_ns + +- rm -f "$nsin" "$ns1out" "$ns2out" ++ rm -f "$nsin" "$nsin_small" "$ns1out" "$ns2out" + + [ "$log_netns" -eq 0 ] && sysctl -q net.netfilter.nf_log_all_netns="$log_netns" + } +@@ -72,6 +73,7 @@ lmtu=1500 + rmtu=2000 + + filesize=$((2 * 1024 * 1024)) ++filesize_small=$((filesize / 16)) + + usage(){ + echo "nft_flowtable.sh [OPTIONS]" +@@ -89,7 +91,10 @@ do + o) omtu=$OPTARG;; + l) lmtu=$OPTARG;; + r) rmtu=$OPTARG;; +- s) filesize=$OPTARG;; ++ s) ++ filesize=$OPTARG ++ filesize_small=$((OPTARG / 16)) ++ ;; + *) usage;; + esac + done +@@ -215,6 +220,7 @@ if ! 
ip netns exec "$ns2" ping -c 1 -q 10.0.1.99 > /dev/null; then + fi + + nsin=$(mktemp) ++nsin_small=$(mktemp) + ns1out=$(mktemp) + ns2out=$(mktemp) + +@@ -265,6 +271,7 @@ check_counters() + check_dscp() + { + local what=$1 ++ local pmtud="$2" + local ok=1 + + local counter +@@ -277,37 +284,39 @@ check_dscp() + local pc4z=${counter%*bytes*} + local pc4z=${pc4z#*packets} + ++ local failmsg="FAIL: pmtu $pmtu: $what counters do not match, expected" ++ + case "$what" in + "dscp_none") + if [ "$pc4" -gt 0 ] || [ "$pc4z" -eq 0 ]; then +- echo "FAIL: dscp counters do not match, expected dscp3 == 0, dscp0 > 0, but got $pc4,$pc4z" 1>&2 ++ echo "$failmsg dscp3 == 0, dscp0 > 0, but got $pc4,$pc4z" 1>&2 + ret=1 + ok=0 + fi + ;; + "dscp_fwd") + if [ "$pc4" -eq 0 ] || [ "$pc4z" -eq 0 ]; then +- echo "FAIL: dscp counters do not match, expected dscp3 and dscp0 > 0 but got $pc4,$pc4z" 1>&2 ++ echo "$failmsg dscp3 and dscp0 > 0 but got $pc4,$pc4z" 1>&2 + ret=1 + ok=0 + fi + ;; + "dscp_ingress") + if [ "$pc4" -eq 0 ] || [ "$pc4z" -gt 0 ]; then +- echo "FAIL: dscp counters do not match, expected dscp3 > 0, dscp0 == 0 but got $pc4,$pc4z" 1>&2 ++ echo "$failmsg dscp3 > 0, dscp0 == 0 but got $pc4,$pc4z" 1>&2 + ret=1 + ok=0 + fi + ;; + "dscp_egress") + if [ "$pc4" -eq 0 ] || [ "$pc4z" -gt 0 ]; then +- echo "FAIL: dscp counters do not match, expected dscp3 > 0, dscp0 == 0 but got $pc4,$pc4z" 1>&2 ++ echo "$failmsg dscp3 > 0, dscp0 == 0 but got $pc4,$pc4z" 1>&2 + ret=1 + ok=0 + fi + ;; + *) +- echo "FAIL: Unknown DSCP check" 1>&2 ++ echo "$failmsg: Unknown DSCP check" 1>&2 + ret=1 + ok=0 + esac +@@ -319,9 +328,9 @@ check_dscp() + + check_transfer() + { +- in=$1 +- out=$2 +- what=$3 ++ local in=$1 ++ local out=$2 ++ local what=$3 + + if ! 
cmp "$in" "$out" > /dev/null 2>&1; then + echo "FAIL: file mismatch for $what" 1>&2 +@@ -342,25 +351,39 @@ test_tcp_forwarding_ip() + { + local nsa=$1 + local nsb=$2 +- local dstip=$3 +- local dstport=$4 ++ local pmtu=$3 ++ local dstip=$4 ++ local dstport=$5 + local lret=0 ++ local socatc ++ local socatl ++ local infile="$nsin" ++ ++ if [ $pmtu -eq 0 ]; then ++ infile="$nsin_small" ++ fi + +- timeout "$SOCAT_TIMEOUT" ip netns exec "$nsb" socat -4 TCP-LISTEN:12345,reuseaddr STDIO < "$nsin" > "$ns2out" & ++ timeout "$SOCAT_TIMEOUT" ip netns exec "$nsb" socat -4 TCP-LISTEN:12345,reuseaddr STDIO < "$infile" > "$ns2out" & + lpid=$! + + busywait 1000 listener_ready + +- timeout "$SOCAT_TIMEOUT" ip netns exec "$nsa" socat -4 TCP:"$dstip":"$dstport" STDIO < "$nsin" > "$ns1out" ++ timeout "$SOCAT_TIMEOUT" ip netns exec "$nsa" socat -4 TCP:"$dstip":"$dstport" STDIO < "$infile" > "$ns1out" ++ socatc=$? + + wait $lpid ++ socatl=$? + +- if ! check_transfer "$nsin" "$ns2out" "ns1 -> ns2"; then ++ if [ $socatl -ne 0 ] || [ $socatc -ne 0 ];then ++ rc=1 ++ fi ++ ++ if ! check_transfer "$infile" "$ns2out" "ns1 -> ns2"; then + lret=1 + ret=1 + fi + +- if ! check_transfer "$nsin" "$ns1out" "ns1 <- ns2"; then ++ if ! check_transfer "$infile" "$ns1out" "ns1 <- ns2"; then + lret=1 + ret=1 + fi +@@ -370,14 +393,16 @@ test_tcp_forwarding_ip() + + test_tcp_forwarding() + { +- test_tcp_forwarding_ip "$1" "$2" 10.0.2.99 12345 ++ local pmtu="$3" ++ ++ test_tcp_forwarding_ip "$1" "$2" "$pmtu" 10.0.2.99 12345 + + return $? + } + + test_tcp_forwarding_set_dscp() + { +- check_dscp "dscp_none" ++ local pmtu="$3" + + ip netns exec "$nsr1" nft -f - <&2 +@@ -489,8 +519,9 @@ table ip nat { + } + EOF + ++check_dscp "dscp_none" "0" + if ! 
test_tcp_forwarding_set_dscp "$ns1" "$ns2" 0 ""; then +- echo "FAIL: flow offload for ns1/ns2 with dscp update" 1>&2 ++ echo "FAIL: flow offload for ns1/ns2 with dscp update and no pmtu discovery" 1>&2 + exit 0 + fi + +@@ -512,6 +543,14 @@ ip netns exec "$ns2" sysctl net.ipv4.ip_no_pmtu_disc=0 > /dev/null + # are lower than file size and packets were forwarded via flowtable layer. + # For earlier tests (large mtus), packets cannot be handled via flowtable + # (except pure acks and other small packets). ++ip netns exec "$nsr1" nft reset counters table inet filter >/dev/null ++ip netns exec "$ns2" nft reset counters table inet filter >/dev/null ++ ++if ! test_tcp_forwarding_set_dscp "$ns1" "$ns2" 1 ""; then ++ echo "FAIL: flow offload for ns1/ns2 with dscp update and pmtu discovery" 1>&2 ++ exit 0 ++fi ++ + ip netns exec "$nsr1" nft reset counters table inet filter >/dev/null + + if ! test_tcp_forwarding_nat "$ns1" "$ns2" 1 ""; then +@@ -644,7 +683,7 @@ ip -net "$ns2" route del 192.168.10.1 via 10.0.2.1 + ip -net "$ns2" route add default via 10.0.2.1 + ip -net "$ns2" route add default via dead:2::1 + +-if test_tcp_forwarding "$ns1" "$ns2"; then ++if test_tcp_forwarding "$ns1" "$ns2" 1; then + check_counters "ipsec tunnel mode for ns1/ns2" + else + echo "FAIL: ipsec tunnel mode for ns1/ns2" +@@ -668,7 +707,7 @@ if [ "$1" = "" ]; then + fi + + echo "re-run with random mtus and file size: -o $o -l $l -r $r -s $filesize" +- $0 -o "$o" -l "$l" -r "$r" -s "$filesize" ++ $0 -o "$o" -l "$l" -r "$r" -s "$filesize" || ret=1 + fi + + exit $ret +-- +2.50.1 + diff --git a/queue-6.12/phy-mscc-stop-taking-ts_lock-for-tx_queue-and-use-it.patch b/queue-6.12/phy-mscc-stop-taking-ts_lock-for-tx_queue-and-use-it.patch new file mode 100644 index 0000000000..8b73e05fc8 --- /dev/null +++ b/queue-6.12/phy-mscc-stop-taking-ts_lock-for-tx_queue-and-use-it.patch 
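Review bot: in the test_tcp_forwarding_ip() hunk of the nft_flowtable.sh patch above, the new socat exit-status check sets `rc=1`, but `rc` is not used anywhere in the visible function: the other failure paths set `lret=1` and `ret=1`, and test_tcp_forwarding() passes the function's return value through with `return $?`. As written, a socat failure whose files still happen to match is reported as a pass; it should set `lret=1` and `ret=1` like the check_transfer failures (and add a space in `];then`). In the check_dscp() hunk, the second argument is stored in `local pmtud="$2"` but the message uses `$pmtu`, so `FAIL: pmtu $pmtu:` prints whatever `pmtu` the caller has in scope (empty for the top-level `check_dscp "dscp_none" "0"` call); rename one of the two. Minor: the `*)` case yields "expected: Unknown DSCP check" because $failmsg already ends in "expected".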
@@ -0,0 +1,147 @@ +From 0b9b7da5fd56279399c787320232eb93fd3d9f11 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Sep 2025 14:12:59 +0200 +Subject: phy: mscc: Stop taking ts_lock for tx_queue and use its own lock + +From: Horatiu Vultur + +[ Upstream commit 9b2bfdbf43adb9929c5ddcdd96efedbf1c88cf53 ] + +When transmitting a PTP frame which is timestamp using 2 step, the +following warning appears if CONFIG_PROVE_LOCKING is enabled: +============================= +[ BUG: Invalid wait context ] +6.17.0-rc1-00326-ge6160462704e #427 Not tainted +----------------------------- +ptp4l/119 is trying to lock: +c2a44ed4 (&vsc8531->ts_lock){+.+.}-{3:3}, at: vsc85xx_txtstamp+0x50/0xac +other info that might help us debug this: +context-{4:4} +4 locks held by ptp4l/119: + #0: c145f068 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x58/0x1440 + #1: c29df974 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: __dev_queue_xmit+0x5c4/0x1440 + #2: c2aaaad0 (_xmit_ETHER#2){+.-.}-{2:2}, at: sch_direct_xmit+0x108/0x350 + #3: c2aac170 (&lan966x->tx_lock){+.-.}-{2:2}, at: lan966x_port_xmit+0xd0/0x350 +stack backtrace: +CPU: 0 UID: 0 PID: 119 Comm: ptp4l Not tainted 6.17.0-rc1-00326-ge6160462704e #427 NONE +Hardware name: Generic DT based system +Call trace: + unwind_backtrace from show_stack+0x10/0x14 + show_stack from dump_stack_lvl+0x7c/0xac + dump_stack_lvl from __lock_acquire+0x8e8/0x29dc + __lock_acquire from lock_acquire+0x108/0x38c + lock_acquire from __mutex_lock+0xb0/0xe78 + __mutex_lock from mutex_lock_nested+0x1c/0x24 + mutex_lock_nested from vsc85xx_txtstamp+0x50/0xac + vsc85xx_txtstamp from lan966x_fdma_xmit+0xd8/0x3a8 + lan966x_fdma_xmit from lan966x_port_xmit+0x1bc/0x350 + lan966x_port_xmit from dev_hard_start_xmit+0xc8/0x2c0 + dev_hard_start_xmit from sch_direct_xmit+0x8c/0x350 + sch_direct_xmit from __dev_queue_xmit+0x680/0x1440 + __dev_queue_xmit from packet_sendmsg+0xfa4/0x1568 + packet_sendmsg from __sys_sendto+0x110/0x19c + __sys_sendto from 
sys_send+0x18/0x20 + sys_send from ret_fast_syscall+0x0/0x1c +Exception stack(0xf0b05fa8 to 0xf0b05ff0) +5fa0: 00000001 0000000e 0000000e 0004b47a 0000003a 00000000 +5fc0: 00000001 0000000e 00000000 00000121 0004af58 00044874 00000000 00000000 +5fe0: 00000001 bee9d420 00025a10 b6e75c7c + +So, instead of using the ts_lock for tx_queue, use the spinlock that +skb_buff_head has. + +Reviewed-by: Vadim Fedorenko +Fixes: 7d272e63e0979d ("net: phy: mscc: timestamping and PHC support") +Signed-off-by: Horatiu Vultur +Link: https://patch.msgid.link/20250902121259.3257536-1-horatiu.vultur@microchip.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/mscc/mscc_ptp.c | 18 ++++++++---------- + 1 file changed, 8 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/phy/mscc/mscc_ptp.c b/drivers/net/phy/mscc/mscc_ptp.c +index 920f35f8f84e7..fa24ba8f6bff0 100644 +--- a/drivers/net/phy/mscc/mscc_ptp.c ++++ b/drivers/net/phy/mscc/mscc_ptp.c +@@ -455,12 +455,12 @@ static void vsc85xx_dequeue_skb(struct vsc85xx_ptp *ptp) + *p++ = (reg >> 24) & 0xff; + } + +- len = skb_queue_len(&ptp->tx_queue); ++ len = skb_queue_len_lockless(&ptp->tx_queue); + if (len < 1) + return; + + while (len--) { +- skb = __skb_dequeue(&ptp->tx_queue); ++ skb = skb_dequeue(&ptp->tx_queue); + if (!skb) + return; + +@@ -485,7 +485,7 @@ static void vsc85xx_dequeue_skb(struct vsc85xx_ptp *ptp) + * packet in the FIFO right now, reschedule it for later + * packets. 
+ */ +- __skb_queue_tail(&ptp->tx_queue, skb); ++ skb_queue_tail(&ptp->tx_queue, skb); + } + } + +@@ -1065,6 +1065,7 @@ static int vsc85xx_hwtstamp(struct mii_timestamper *mii_ts, + case HWTSTAMP_TX_ON: + break; + case HWTSTAMP_TX_OFF: ++ skb_queue_purge(&vsc8531->ptp->tx_queue); + break; + default: + return -ERANGE; +@@ -1089,9 +1090,6 @@ static int vsc85xx_hwtstamp(struct mii_timestamper *mii_ts, + + mutex_lock(&vsc8531->ts_lock); + +- __skb_queue_purge(&vsc8531->ptp->tx_queue); +- __skb_queue_head_init(&vsc8531->ptp->tx_queue); +- + /* Disable predictor while configuring the 1588 block */ + val = vsc85xx_ts_read_csr(phydev, PROCESSOR, + MSCC_PHY_PTP_INGR_PREDICTOR); +@@ -1177,9 +1175,7 @@ static void vsc85xx_txtstamp(struct mii_timestamper *mii_ts, + + skb_shinfo(skb)->tx_flags |= SKBTX_IN_PROGRESS; + +- mutex_lock(&vsc8531->ts_lock); +- __skb_queue_tail(&vsc8531->ptp->tx_queue, skb); +- mutex_unlock(&vsc8531->ts_lock); ++ skb_queue_tail(&vsc8531->ptp->tx_queue, skb); + return; + + out: +@@ -1545,6 +1541,7 @@ void vsc8584_ptp_deinit(struct phy_device *phydev) + if (vsc8531->ptp->ptp_clock) { + ptp_clock_unregister(vsc8531->ptp->ptp_clock); + skb_queue_purge(&vsc8531->rx_skbs_list); ++ skb_queue_purge(&vsc8531->ptp->tx_queue); + } + } + +@@ -1568,7 +1565,7 @@ irqreturn_t vsc8584_handle_ts_interrupt(struct phy_device *phydev) + if (rc & VSC85XX_1588_INT_FIFO_ADD) { + vsc85xx_get_tx_ts(priv->ptp); + } else if (rc & VSC85XX_1588_INT_FIFO_OVERFLOW) { +- __skb_queue_purge(&priv->ptp->tx_queue); ++ skb_queue_purge(&priv->ptp->tx_queue); + vsc85xx_ts_reset_fifo(phydev); + } + +@@ -1588,6 +1585,7 @@ int vsc8584_ptp_probe(struct phy_device *phydev) + mutex_init(&vsc8531->phc_lock); + mutex_init(&vsc8531->ts_lock); + skb_queue_head_init(&vsc8531->rx_skbs_list); ++ skb_queue_head_init(&vsc8531->ptp->tx_queue); + + /* Retrieve the shared load/save GPIO. Request it as non exclusive as + * the same GPIO can be requested by all the PHYs of the same package. +-- +2.50.1 + 
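Review bot: in the vsc85xx_dequeue_skb() hunks (@@ -455 and @@ -485) of phy-mscc-stop-taking-ts_lock-for-tx_queue-and-use-it.patch, "len = skb_queue_len_lockless(&ptp->tx_queue)" is a snapshot taken without the queue lock, so an skb that vsc85xx_txtstamp() enqueues concurrently is simply not examined in this pass and waits for the next FIFO interrupt; that is acceptable, but the "while (len--)" bound is now the only thing that stops an skb requeued by "skb_queue_tail(&ptp->tx_queue, skb)" from being dequeued again in the same pass. A one-line comment saying the loop must stay bounded by the snapshot would keep a later cleanup from turning it into a "while ((skb = skb_dequeue(...)))" loop that never terminates while unmatched skbs are being requeued.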
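Review bot: the two vsc85xx_hwtstamp() hunks (@@ -1065 and @@ -1089) change when tx_queue is purged, not only how: the removed "__skb_queue_purge(&vsc8531->ptp->tx_queue)" under ts_lock ran on every call that reached the configuration path, including HWTSTAMP_TX_ON reprogramming, while the added "skb_queue_purge(&vsc8531->ptp->tx_queue)" runs only in the "case HWTSTAMP_TX_OFF:" branch and before "mutex_lock(&vsc8531->ts_lock)". If narrowing the purge to TX_OFF is intended, say so in the commit message; if not, skbs queued before a TX_ON reconfiguration now survive the 1588 block reprogramming that follows the "Disable predictor" comment. Also, because the purge now happens before the mutex, an skb that vsc85xx_txtstamp() enqueues between the purge and the point where the new tx type becomes visible stays on tx_queue with SKBTX_IN_PROGRESS set until an overflow purge, a later TX_OFF or deinit; harmless, but either note it or purge after the configuration is written.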
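Review bot: the vsc85xx_txtstamp() hunk (@@ -1177) is the actual fix for the invalid-wait-context splat, which was a mutex taken under the lan966x->tx_lock spinlock; skb_queue_tail() takes the queue's own spinlock with interrupts disabled, so it is safe from the xmit path. The cost is that vsc85xx_txtstamp() no longer serializes against vsc85xx_hwtstamp() at all: whatever it still reads from vsc8531->ptp before the "goto out" path (the configured tx type, for example) is now read without ts_lock, so those fields should be accessed with READ_ONCE()/WRITE_ONCE() or the code should tolerate a stale value for one packet.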
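Review bot: in the vsc8584_ptp_deinit() hunk (@@ -1545) the new "skb_queue_purge(&vsc8531->ptp->tx_queue)" sits inside "if (vsc8531->ptp->ptp_clock)", while the matching "skb_queue_head_init(&vsc8531->ptp->tx_queue)" added to vsc8584_ptp_probe() (@@ -1588) is unconditional; if an skb can reach vsc85xx_txtstamp() without a registered clock, it leaks on teardown, so consider purging unconditionally. Moving the init from vsc85xx_hwtstamp() to probe is also required for correctness now, since the removed "__skb_queue_head_init()" would have reinitialized the spinlock of a queue that other contexts use lockfully. The interrupt hunk (@@ -1568) switching to skb_queue_purge() on VSC85XX_1588_INT_FIFO_OVERFLOW frees skbs that still carry SKBTX_IN_PROGRESS without completing their timestamp, which matches the previous __skb_queue_purge() behaviour, so no regression there.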
diff --git a/queue-6.12/ppp-fix-memory-leak-in-pad_compress_skb.patch b/queue-6.12/ppp-fix-memory-leak-in-pad_compress_skb.patch new file mode 100644 index 0000000000..3f6f7bcb5a --- /dev/null +++ b/queue-6.12/ppp-fix-memory-leak-in-pad_compress_skb.patch 
@@ -0,0 +1,66 @@ +From df94b39b2101a2b7ae180d64fba4333e721a3da0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Sep 2025 18:07:26 +0800 +Subject: ppp: fix memory leak in pad_compress_skb + +From: Qingfang Deng + +[ Upstream commit 4844123fe0b853a4982c02666cb3fd863d701d50 ] + +If alloc_skb() fails in pad_compress_skb(), it returns NULL without +releasing the old skb. The caller does: + + skb = pad_compress_skb(ppp, skb); + if (!skb) + goto drop; + +drop: + kfree_skb(skb); + +When pad_compress_skb() returns NULL, the reference to the old skb is +lost and kfree_skb(skb) ends up doing nothing, leading to a memory leak. + +Align pad_compress_skb() semantics with realloc(): only free the old +skb if allocation and compression succeed. At the call site, use the +new_skb variable so the original skb is not lost when pad_compress_skb() +fails. + +Fixes: b3f9b92a6ec1 ("[PPP]: add PPP MPPE encryption module") +Signed-off-by: Qingfang Deng +Reviewed-by: Eric Dumazet +Reviewed-by: Yue Haibing +Link: https://patch.msgid.link/20250903100726.269839-1-dqfext@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ppp/ppp_generic.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c +index 0553b0b356b30..afc1566488b32 100644 +--- a/drivers/net/ppp/ppp_generic.c ++++ b/drivers/net/ppp/ppp_generic.c +@@ -1753,7 +1753,6 @@ pad_compress_skb(struct ppp *ppp, struct sk_buff *skb) + */ + if (net_ratelimit()) + netdev_err(ppp->dev, "ppp: compressor dropped pkt\n"); +- kfree_skb(skb); + consume_skb(new_skb); + new_skb = NULL; + } +@@ -1855,9 +1854,10 @@ ppp_send_frame(struct ppp *ppp, struct sk_buff *skb) + "down - pkt dropped.\n"); + goto drop; + } +- skb = pad_compress_skb(ppp, skb); +- if (!skb) ++ new_skb = pad_compress_skb(ppp, skb); ++ if (!new_skb) + goto drop; ++ skb = new_skb; + } + + /* +-- +2.50.1 + 
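Review bot: in the pad_compress_skb() hunk (@@ -1753) of ppp-fix-memory-leak-in-pad_compress_skb.patch, dropping "kfree_skb(skb)" in the "compressor dropped pkt" branch makes that path return NULL with the original skb still owned by the caller, which is the same contract the alloc_skb() failure path already had; the function now has realloc()-style ownership (the input is freed only on success), so if the comment block above the function documents the return value it should state that a NULL return leaves the caller responsible for skb, otherwise the next reader will reintroduce either the leak or a double free.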
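Review bot: the ppp_send_frame() hunk (@@ -1855) assigns "skb = new_skb" only on success, so on "goto drop" the label's kfree_skb(skb) now frees the original, which is what closes the leak; the hunk adds no declaration for new_skb, so it relies on one already in scope in that function, and it is worth checking that the earlier user of that variable does not expect its value to survive to this point. If the drop label does not already bump the device's tx_dropped counter, this path is a good reason to do so, since a compressor failure is otherwise invisible to operators.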
diff --git a/queue-6.12/selftest-net-fix-weird-setsockopt-in-bind_bhash.c.patch b/queue-6.12/selftest-net-fix-weird-setsockopt-in-bind_bhash.c.patch new file mode 100644 index 0000000000..aa09f1a89e --- /dev/null +++ b/queue-6.12/selftest-net-fix-weird-setsockopt-in-bind_bhash.c.patch 
@@ -0,0 +1,62 @@ +From 02521d5b99d973a63fa5a63424943839847ad50e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Sep 2025 22:28:51 +0000 +Subject: selftest: net: Fix weird setsockopt() in bind_bhash.c. + +From: Kuniyuki Iwashima + +[ Upstream commit fd2004d82d8d8faa94879e3de3096c8511728637 ] + +bind_bhash.c passes (SO_REUSEADDR | SO_REUSEPORT) to setsockopt(). + +In the asm-generic definition, the value happens to match with the +bare SO_REUSEPORT, (2 | 15) == 15, but not on some arch. + +arch/alpha/include/uapi/asm/socket.h:18:#define SO_REUSEADDR 0x0004 +arch/alpha/include/uapi/asm/socket.h:24:#define SO_REUSEPORT 0x0200 +arch/mips/include/uapi/asm/socket.h:24:#define SO_REUSEADDR 0x0004 /* Allow reuse of local addresses. */ +arch/mips/include/uapi/asm/socket.h:33:#define SO_REUSEPORT 0x0200 /* Allow local address and port reuse. */ +arch/parisc/include/uapi/asm/socket.h:12:#define SO_REUSEADDR 0x0004 +arch/parisc/include/uapi/asm/socket.h:18:#define SO_REUSEPORT 0x0200 +arch/sparc/include/uapi/asm/socket.h:13:#define SO_REUSEADDR 0x0004 +arch/sparc/include/uapi/asm/socket.h:20:#define SO_REUSEPORT 0x0200 +include/uapi/asm-generic/socket.h:12:#define SO_REUSEADDR 2 +include/uapi/asm-generic/socket.h:27:#define SO_REUSEPORT 15 + +Let's pass SO_REUSEPORT only. 
+ +Fixes: c35ecb95c448 ("selftests/net: Add test for timing a bind request to a port with a populated bhash entry") +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250903222938.2601522-1-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/bind_bhash.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/net/bind_bhash.c b/tools/testing/selftests/net/bind_bhash.c +index 57ff67a3751eb..da04b0b19b73c 100644 +--- a/tools/testing/selftests/net/bind_bhash.c ++++ b/tools/testing/selftests/net/bind_bhash.c +@@ -75,7 +75,7 @@ static void *setup(void *arg) + int *array = (int *)arg; + + for (i = 0; i < MAX_CONNECTIONS; i++) { +- sock_fd = bind_socket(SO_REUSEADDR | SO_REUSEPORT, setup_addr); ++ sock_fd = bind_socket(SO_REUSEPORT, setup_addr); + if (sock_fd < 0) { + ret = sock_fd; + pthread_exit(&ret); +@@ -103,7 +103,7 @@ int main(int argc, const char *argv[]) + + setup_addr = use_v6 ? setup_addr_v6 : setup_addr_v4; + +- listener_fd = bind_socket(SO_REUSEADDR | SO_REUSEPORT, setup_addr); ++ listener_fd = bind_socket(SO_REUSEPORT, setup_addr); + if (listen(listener_fd, 100) < 0) { + perror("listen failed"); + return -1; +-- +2.50.1 + diff --git a/queue-6.12/selftests-drv-net-csum-fix-interface-name-for-remote.patch b/queue-6.12/selftests-drv-net-csum-fix-interface-name-for-remote.patch new file mode 100644 index 0000000000..f479b702f5 --- /dev/null +++ b/queue-6.12/selftests-drv-net-csum-fix-interface-name-for-remote.patch 
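Review bot: in both hunks of selftest-net-fix-weird-setsockopt-in-bind_bhash.c.patch the first argument to bind_socket() is a single optname, so "SO_REUSEADDR | SO_REUSEPORT" never meant "both options": on asm-generic it collapsed to SO_REUSEPORT (2 | 15 == 15), and on the alpha/mips/parisc/sparc values quoted in the commit message it produced 0x0204, which is not a defined SOL_SOCKET option. Passing SO_REUSEPORT alone preserves the behaviour the test actually had on x86; if SO_REUSEADDR is ever wanted as well, bind_socket() needs two setsockopt() calls, and a one-line comment to that effect would stop the OR from being reintroduced.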
@@ -0,0 +1,48 @@ +From 3de887d42798a89f1101f09387e4b4d8ca3aaec1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 Aug 2025 11:38:42 -0700 +Subject: selftests: drv-net: csum: fix interface name for remote host + +From: Jakub Kicinski + +[ Upstream commit 49c2502b5946ebf454d7e16fd0189769a82b6117 ] + +Use cfg.remote_ifname for arguments of remote command. +Without this UDP tests fail in NIPA where local interface +is called enp1s0 and remote enp0s4. + +Fixes: 1d0dc857b5d8 ("selftests: drv-net: add checksum tests") +Reviewed-by: Willem de Bruijn +Reviewed-by: Vadim Fedorenko +Link: https://patch.msgid.link/20250830183842.688935-1-kuba@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/drivers/net/hw/csum.py | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/drivers/net/hw/csum.py b/tools/testing/selftests/drivers/net/hw/csum.py +index cb40497faee44..b7e55be9bd9fd 100755 +--- a/tools/testing/selftests/drivers/net/hw/csum.py ++++ b/tools/testing/selftests/drivers/net/hw/csum.py +@@ -20,7 +20,7 @@ def test_receive(cfg, ipv4=False, extra_args=None): + ip_args = f"-6 -S {cfg.remote_v6} -D {cfg.v6}" + + rx_cmd = f"{cfg.bin_local} -i {cfg.ifname} -n 100 {ip_args} -r 1 -R {extra_args}" +- tx_cmd = f"{cfg.bin_remote} -i {cfg.ifname} -n 100 {ip_args} -r 1 -T {extra_args}" ++ tx_cmd = f"{cfg.bin_remote} -i {cfg.remote_ifname} -n 100 {ip_args} -r 1 -T {extra_args}" + + with bkg(rx_cmd, exit_wait=True): + wait_port_listen(34000, proto="udp") +@@ -43,7 +43,7 @@ def test_transmit(cfg, ipv4=False, extra_args=None): + if extra_args != "-U -Z": + extra_args += " -r 1" + +- rx_cmd = f"{cfg.bin_remote} -i {cfg.ifname} -L 1 -n 100 {ip_args} -R {extra_args}" ++ rx_cmd = f"{cfg.bin_remote} -i {cfg.remote_ifname} -L 1 -n 100 {ip_args} -R {extra_args}" + tx_cmd = f"{cfg.bin_local} -i {cfg.ifname} -L 1 -n 100 {ip_args} -T {extra_args}" + + with bkg(rx_cmd, host=cfg.remote, exit_wait=True): 
+-- +2.50.1 + diff --git a/queue-6.12/series b/queue-6.12/series index 763a1f9285..e2d8e7e092 100644 --- a/queue-6.12/series +++ b/queue-6.12/series 
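Review bot: in the two csum.py hunks of selftests-drv-net-csum-fix-interface-name-for-remote.patch, only the commands built from cfg.bin_remote switch to cfg.remote_ifname, and the second hunk shows that rx_cmd being launched with "host=cfg.remote", so each interface name is now paired with the host the command runs on. The first hunk's tx_cmd is not shown being executed; confirm it is run with host=cfg.remote too, and that the environment class used by this test populates remote_ifname, because an attribute missing on setups where both hosts share an interface name would turn a previously passing test into an AttributeError rather than a checksum result.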
@@ -30,3 +30,61 @@ loongarch-vdso-remove-hash-style-sysv.patch loongarch-vdso-remove-nostdlib-complier-flag.patch mmc-sdhci-of-arasan-support-for-emmc-hardware-reset.patch mmc-sdhci-of-arasan-ensure-cd-logic-stabilization-be.patch +wifi-cfg80211-fix-use-after-free-in-cmp_bss.patch +wifi-brcmfmac-fix-use-after-free-when-rescheduling-b.patch +wifi-mt76-mt7925-fix-locking-in-mt7925_change_vif_li.patch +wifi-mt76-prevent-non-offchannel-mgmt-tx-during-scan.patch +wifi-mt76-free-pending-offchannel-tx-frames-on-wcid-.patch +wifi-mt76-fix-linked-list-corruption.patch +netfilter-br_netfilter-do-not-check-confirmed-bit-in.patch +netfilter-conntrack-helper-replace-eexist-by-ebusy.patch +wifi-iwlwifi-uefi-check-dsm-item-validity.patch +bluetooth-vhci-prevent-use-after-free-by-removing-de.patch +bluetooth-fix-use-after-free-in-l2cap_sock_cleanup_l.patch +netfilter-nft_flowtable.sh-re-run-with-random-mtu-si.patch +net_sched-gen_estimator-fix-est_timer-vs-config_pree.patch +xirc2ps_cs-fix-register-access-when-enabling-fulldup.patch +misdn-fix-memory-leak-in-dsp_hwec_enable.patch +selftests-drv-net-csum-fix-interface-name-for-remote.patch +bnxt_en-fix-incorrect-page-count-in-rx-aggr-ring-log.patch +icmp-fix-icmp_ndo_send-address-translation-for-reply.patch +net-macb-fix-tx_ptr_lock-locking.patch +macsec-read-macsec_sa_attr_pn-with-nla_get_uint.patch +net-smc-fix-one-null-pointer-dereference-in-smc_ib_i.patch +net-mctp-mctp_fraq_queue-should-take-ownership-of-pa.patch +ice-fix-null-access-of-tx-in_use-in-ice_ll_ts_intr.patch +idpf-set-mac-type-when-adding-and-removing-mac-filte.patch +i40e-remove-read-access-to-debugfs-files.patch +i40e-fix-potential-invalid-access-when-mac-list-is-e.patch +ixgbe-fix-incorrect-map-used-in-eee-linkmode.patch +wifi-ath11k-fix-group-data-packet-drops-during-rekey.patch +net-tcp-fix-socket-memory-leak-in-tcp-ao-failure-han.patch +net-ethernet-mtk_eth_soc-fix-tx-vlan-tag-for-llc-pac.patch +net-skb-add-pskb_network_may_pull_reason-helper.patch 
+net-tunnel-add-pskb_inet_may_pull_reason-helper.patch +net-vxlan-add-skb-drop-reasons-to-vxlan_rcv.patch +net-vxlan-make-vxlan_snoop-return-drop-reasons.patch +vxlan-fix-npd-when-refreshing-an-fdb-entry-with-a-ne.patch +net-vxlan-make-vxlan_set_mac-return-drop-reasons.patch +net-vxlan-use-kfree_skb_reason-in-vxlan_xmit.patch +net-vxlan-use-kfree_skb_reason-in-vxlan_mdb_xmit.patch +net-vxlan-rename-skb_drop_reason_vxlan_no_remote.patch +vxlan-refresh-fdb-updated-time-upon-ntf_use.patch +vxlan-avoid-unnecessary-updates-to-fdb-used-time.patch +vxlan-add-rcu-read-side-critical-sections-in-the-tx-.patch +vxlan-rename-fdb-tx-lookup-function.patch +vxlan-fix-npd-in-arp-neigh-_reduce-when-using-nextho.patch +wifi-cw1200-cap-ssid-length-in-cw1200_do_join.patch +wifi-libertas-cap-ssid-len-in-lbs_associate.patch +wifi-cfg80211-sme-cap-ssid-length-in-__cfg80211_conn.patch +net-thunder_bgx-add-a-missing-of_node_put.patch +net-thunder_bgx-decrement-cleanup-index-before-use.patch +ipv4-fix-null-vs-error-pointer-check-in-inet_blackho.patch +net-smc-remove-validation-of-reserved-bits-in-clc-de.patch +mctp-return-enoprotoopt-for-unknown-getsockopt-optio.patch +ax25-properly-unshare-skbs-in-ax25_kiss_rcv.patch +net-atm-fix-memory-leak-in-atm_register_sysfs-when-d.patch +net-xilinx-axienet-add-error-handling-for-rx-metadat.patch +ppp-fix-memory-leak-in-pad_compress_skb.patch +selftest-net-fix-weird-setsockopt-in-bind_bhash.c.patch +phy-mscc-stop-taking-ts_lock-for-tx_queue-and-use-it.patch diff --git a/queue-6.12/vxlan-add-rcu-read-side-critical-sections-in-the-tx-.patch b/queue-6.12/vxlan-add-rcu-read-side-critical-sections-in-the-tx-.patch new file mode 100644 index 0000000000..7df18da233 --- /dev/null +++ b/queue-6.12/vxlan-add-rcu-read-side-critical-sections-in-the-tx-.patch 
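Review bot: the queue-6.12/series hunk orders the vxlan dependencies as vxlan-refresh-fdb-updated-time-upon-ntf_use, vxlan-avoid-unnecessary-updates-to-fdb-used-time, vxlan-add-rcu-read-side-critical-sections-in-the-tx-, vxlan-rename-fdb-tx-lookup-function and then the fix vxlan-fix-npd-in-arp-neigh-_reduce-when-using-nextho, which matches the index lines of those patches in this commit (ce9dcd8e74a93 to ce9c979080bb4 to 8853fcb7eb7f2 to 1d431e3fc71ea to 6b4b4b0484d6e to bbfa4eed17559), so they should apply in sequence without fuzz. The phy-mscc patch is placed last, after the selftest fix; since it touches only drivers/net/phy/mscc/mscc_ptp.c, ordering is not a concern there.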
@@ -0,0 +1,95 @@ +From 3590e4e5253d1968a51abc26dcb9363245697669 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Apr 2025 15:11:29 +0300 +Subject: vxlan: Add RCU read-side critical sections in the Tx path + +From: Ido Schimmel + +[ Upstream commit 804b09be09f8af4eda5346a72361459ba21fcf1b ] + +The Tx path does not run from an RCU read-side critical section which +makes the current lockless accesses to FDB entries invalid. As far as I +am aware, this has not been a problem in practice, but traces will be +generated once we transition the FDB lookup to rhashtable_lookup(). + +Add rcu_read_{lock,unlock}() around the handling of FDB entries in the +Tx path. Remove the RCU read-side critical section from vxlan_xmit_nh() +as now the function is always called from an RCU read-side critical +section. + +Reviewed-by: Petr Machata +Signed-off-by: Ido Schimmel +Link: https://patch.msgid.link/20250415121143.345227-2-idosch@nvidia.com +Reviewed-by: Nikolay Aleksandrov +Signed-off-by: Paolo Abeni +Stable-dep-of: 1f5d2fd1ca04 ("vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects") +Signed-off-by: Sasha Levin +--- + drivers/net/vxlan/vxlan_core.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c +index 8853fcb7eb7f2..1d431e3fc71ea 100644 +--- a/drivers/net/vxlan/vxlan_core.c ++++ b/drivers/net/vxlan/vxlan_core.c +@@ -1909,12 +1909,15 @@ static int arp_reduce(struct net_device *dev, struct sk_buff *skb, __be32 vni) + goto out; + } + ++ rcu_read_lock(); + f = vxlan_find_mac(vxlan, n->ha, vni); + if (f && vxlan_addr_any(&(first_remote_rcu(f)->remote_ip))) { + /* bridge-local neighbor */ + neigh_release(n); ++ rcu_read_unlock(); + goto out; + } ++ rcu_read_unlock(); + + reply = arp_create(ARPOP_REPLY, ETH_P_ARP, sip, dev, tip, sha, + n->ha, sha); +@@ -2632,14 +2635,10 @@ static void vxlan_xmit_nh(struct sk_buff *skb, struct net_device *dev, + memset(&nh_rdst, 0, 
sizeof(struct vxlan_rdst)); + hash = skb_get_hash(skb); + +- rcu_read_lock(); + nh = rcu_dereference(f->nh); +- if (!nh) { +- rcu_read_unlock(); ++ if (!nh) + goto drop; +- } + do_xmit = vxlan_fdb_nh_path_select(nh, hash, &nh_rdst); +- rcu_read_unlock(); + + if (likely(do_xmit)) + vxlan_xmit_one(skb, dev, vni, &nh_rdst, did_rsc); +@@ -2766,6 +2765,7 @@ static netdev_tx_t vxlan_xmit(struct sk_buff *skb, struct net_device *dev) + } + + eth = eth_hdr(skb); ++ rcu_read_lock(); + f = vxlan_find_mac(vxlan, eth->h_dest, vni); + did_rsc = false; + +@@ -2788,7 +2788,7 @@ static netdev_tx_t vxlan_xmit(struct sk_buff *skb, struct net_device *dev) + vxlan_vnifilter_count(vxlan, vni, NULL, + VXLAN_VNI_STATS_TX_DROPS, 0); + kfree_skb_reason(skb, SKB_DROP_REASON_NO_TX_TARGET); +- return NETDEV_TX_OK; ++ goto out; + } + } + +@@ -2813,6 +2813,8 @@ static netdev_tx_t vxlan_xmit(struct sk_buff *skb, struct net_device *dev) + kfree_skb_reason(skb, SKB_DROP_REASON_NO_TX_TARGET); + } + ++out: ++ rcu_read_unlock(); + return NETDEV_TX_OK; + } + +-- +2.50.1 + diff --git a/queue-6.12/vxlan-avoid-unnecessary-updates-to-fdb-used-time.patch b/queue-6.12/vxlan-avoid-unnecessary-updates-to-fdb-used-time.patch new file mode 100644 index 0000000000..9c9d057fb2 --- /dev/null +++ b/queue-6.12/vxlan-avoid-unnecessary-updates-to-fdb-used-time.patch 
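Review bot: the arp_reduce() hunk (@@ -1909) of vxlan-add-rcu-read-side-critical-sections-in-the-tx-.patch pairs one rcu_read_lock() with two rcu_read_unlock() calls, one inside the bridge-local branch before "goto out" and one after it; since f is not used after the condition, this reads more simply as evaluating vxlan_addr_any(...) into a bool under the lock and unlocking once before the if, which also keeps future edits to that condition from having to touch the lock pairing.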
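Review bot: the vxlan_xmit_nh() hunk (@@ -2632) drops the function's own rcu_read_lock()/rcu_read_unlock() and thereby makes holding the RCU read lock a requirement on every caller; "nh = rcu_dereference(f->nh)" will warn under lockdep if that is ever violated, which is good, but a one-line comment on the function (or an explicit "RCU_LOCKDEP_WARN(!rcu_read_lock_held(), ...)") would document the contract for anyone adding a caller outside vxlan_xmit().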
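Review bot: in the vxlan_xmit() hunks (@@ -2766, @@ -2788, @@ -2813), rcu_read_lock() is taken right after "eth = eth_hdr(skb)" and released only at the new "out:" label, so every return between those two points must become a "goto out"; the hunk converts one "return NETDEV_TX_OK" (the NO_TX_TARGET drop) but the region between +2766 and +2813 is not fully visible here, so verify that no other early return remains, including inside the loop that calls vxlan_xmit_one() for each remote. The read-side section now spans the whole encapsulation path; that is fine in ndo_start_xmit context, which already runs under the rcu_read_lock_bh taken in __dev_queue_xmit(), but it would be worth stating in the commit message that widening the section is deliberate.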
@@ -0,0 +1,80 @@ +From b0fddb6e5f22f2150bc07eee8fd3247ea3a4e41d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Feb 2025 16:55:48 +0200 +Subject: vxlan: Avoid unnecessary updates to FDB 'used' time + +From: Ido Schimmel + +[ Upstream commit 9722f834fe9a7c583591defa2cab3f652f50a5f0 ] + +Now that the VXLAN driver ages out FDB entries based on their 'updated' +time we can remove unnecessary updates of the 'used' time from the Rx +path and the control path, so that the 'used' time is only updated by +the Tx path. + +Reviewed-by: Petr Machata +Signed-off-by: Ido Schimmel +Reviewed-by: Nikolay Aleksandrov +Link: https://patch.msgid.link/20250204145549.1216254-8-idosch@nvidia.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: 1f5d2fd1ca04 ("vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects") +Signed-off-by: Sasha Levin +--- + drivers/net/vxlan/vxlan_core.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c +index ce9c979080bb4..8853fcb7eb7f2 100644 +--- a/drivers/net/vxlan/vxlan_core.c ++++ b/drivers/net/vxlan/vxlan_core.c +@@ -1047,10 +1047,8 @@ static int vxlan_fdb_update_existing(struct vxlan_dev *vxlan, + notify |= rc; + } + +- if (ndm_flags & NTF_USE) { +- WRITE_ONCE(f->used, jiffies); ++ if (ndm_flags & NTF_USE) + WRITE_ONCE(f->updated, jiffies); +- } + + if (notify) { + if (rd == NULL) +@@ -1294,7 +1292,7 @@ int __vxlan_fdb_delete(struct vxlan_dev *vxlan, + struct vxlan_fdb *f; + int err = -ENOENT; + +- f = vxlan_find_mac(vxlan, addr, src_vni); ++ f = __vxlan_find_mac(vxlan, addr, src_vni); + if (!f) + return err; + +@@ -1458,7 +1456,7 @@ static enum skb_drop_reason vxlan_snoop(struct net_device *dev, + ifindex = src_ifindex; + #endif + +- f = vxlan_find_mac(vxlan, src_mac, vni); ++ f = __vxlan_find_mac(vxlan, src_mac, vni); + if (likely(f)) { + struct vxlan_rdst *rdst = first_remote_rcu(f); + +@@ -4718,7 +4716,7 @@ 
vxlan_fdb_offloaded_set(struct net_device *dev, + + spin_lock_bh(&vxlan->hash_lock[hash_index]); + +- f = vxlan_find_mac(vxlan, fdb_info->eth_addr, fdb_info->vni); ++ f = __vxlan_find_mac(vxlan, fdb_info->eth_addr, fdb_info->vni); + if (!f) + goto out; + +@@ -4774,7 +4772,7 @@ vxlan_fdb_external_learn_del(struct net_device *dev, + hash_index = fdb_head_index(vxlan, fdb_info->eth_addr, fdb_info->vni); + spin_lock_bh(&vxlan->hash_lock[hash_index]); + +- f = vxlan_find_mac(vxlan, fdb_info->eth_addr, fdb_info->vni); ++ f = __vxlan_find_mac(vxlan, fdb_info->eth_addr, fdb_info->vni); + if (!f) + err = -ENOENT; + else if (f->flags & NTF_EXT_LEARNED) +-- +2.50.1 + diff --git a/queue-6.12/vxlan-fix-npd-in-arp-neigh-_reduce-when-using-nextho.patch b/queue-6.12/vxlan-fix-npd-in-arp-neigh-_reduce-when-using-nextho.patch new file mode 100644 index 0000000000..823f32f4df --- /dev/null +++ b/queue-6.12/vxlan-fix-npd-in-arp-neigh-_reduce-when-using-nextho.patch 
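Review bot: the commit message of vxlan-avoid-unnecessary-updates-to-fdb-used-time.patch rests on the premise that FDB aging already uses 'updated' ("Now that the VXLAN driver ages out FDB entries based on their 'updated' time"), but no patch making that switch appears among the vxlan entries added to queue-6.12/series in this commit. If the 6.12 vxlan_cleanup() still ages on f->used, then switching vxlan_snoop() from vxlan_find_mac() to __vxlan_find_mac() in the @@ -1458 hunk stops the Rx path from refreshing the age of learned entries, and an entry that only receives traffic will be garbage collected after age_interval even though it is active. Either queue the aging change as a dependency as well, or carry the NULL-check fix against vxlan_find_mac() and drop this patch and the rename that builds on it.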
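Review bot: the three control-path hunks (__vxlan_fdb_delete at @@ -1294, vxlan_fdb_offloaded_set at @@ -4718, vxlan_fdb_external_learn_del at @@ -4774) call __vxlan_find_mac() under "spin_lock_bh(&vxlan->hash_lock[hash_index])", while the vxlan_snoop() hunk calls it from the Rx path under RCU only; both are valid only if __vxlan_find_mac() walks the bucket with an RCU-safe iterator, which the callers it replaces already required, so no new constraint. The NTF_USE hunk (@@ -1047) now leaves f->used untouched on a refresh, which changes what "bridge -s fdb show" reports for 'used' in a stable kernel; that user-visible effect deserves a sentence in the backport note.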
@@ -0,0 +1,152 @@ +From 5542642cb084acbc9b7ef97fc115cd6ba36c271f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Sep 2025 09:50:34 +0300 +Subject: vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects + +From: Ido Schimmel + +[ Upstream commit 1f5d2fd1ca04a23c18b1bde9a43ce2fa2ffa1bce ] + +When the "proxy" option is enabled on a VXLAN device, the device will +suppress ARP requests and IPv6 Neighbor Solicitation messages if it is +able to reply on behalf of the remote host. That is, if a matching and +valid neighbor entry is configured on the VXLAN device whose MAC address +is not behind the "any" remote (0.0.0.0 / ::). + +The code currently assumes that the FDB entry for the neighbor's MAC +address points to a valid remote destination, but this is incorrect if +the entry is associated with an FDB nexthop group. This can result in a +NPD [1][3] which can be reproduced using [2][4]. + +Fix by checking that the remote destination exists before dereferencing +it. + +[1] +BUG: kernel NULL pointer dereference, address: 0000000000000000 +[...] +CPU: 4 UID: 0 PID: 365 Comm: arping Not tainted 6.17.0-rc2-virtme-g2a89cb21162c #2 PREEMPT(voluntary) +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014 +RIP: 0010:vxlan_xmit+0xb58/0x15f0 +[...] 
+Call Trace: + + dev_hard_start_xmit+0x5d/0x1c0 + __dev_queue_xmit+0x246/0xfd0 + packet_sendmsg+0x113a/0x1850 + __sock_sendmsg+0x38/0x70 + __sys_sendto+0x126/0x180 + __x64_sys_sendto+0x24/0x30 + do_syscall_64+0xa4/0x260 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + +[2] + #!/bin/bash + + ip address add 192.0.2.1/32 dev lo + + ip nexthop add id 1 via 192.0.2.2 fdb + ip nexthop add id 10 group 1 fdb + + ip link add name vx0 up type vxlan id 10010 local 192.0.2.1 dstport 4789 proxy + + ip neigh add 192.0.2.3 lladdr 00:11:22:33:44:55 nud perm dev vx0 + + bridge fdb add 00:11:22:33:44:55 dev vx0 self static nhid 10 + + arping -b -c 1 -s 192.0.2.1 -I vx0 192.0.2.3 + +[3] +BUG: kernel NULL pointer dereference, address: 0000000000000000 +[...] +CPU: 13 UID: 0 PID: 372 Comm: ndisc6 Not tainted 6.17.0-rc2-virtmne-g6ee90cb26014 #3 PREEMPT(voluntary) +Hardware name: QEMU Standard PC (i440FX + PIIX, 1v996), BIOS 1.17.0-4.fc41 04/01/2x014 +RIP: 0010:vxlan_xmit+0x803/0x1600 +[...] +Call Trace: + + dev_hard_start_xmit+0x5d/0x1c0 + __dev_queue_xmit+0x246/0xfd0 + ip6_finish_output2+0x210/0x6c0 + ip6_finish_output+0x1af/0x2b0 + ip6_mr_output+0x92/0x3e0 + ip6_send_skb+0x30/0x90 + rawv6_sendmsg+0xe6e/0x12e0 + __sock_sendmsg+0x38/0x70 + __sys_sendto+0x126/0x180 + __x64_sys_sendto+0x24/0x30 + do_syscall_64+0xa4/0x260 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 +RIP: 0033:0x7f383422ec77 + +[4] + #!/bin/bash + + ip address add 2001:db8:1::1/128 dev lo + + ip nexthop add id 1 via 2001:db8:1::1 fdb + ip nexthop add id 10 group 1 fdb + + ip link add name vx0 up type vxlan id 10010 local 2001:db8:1::1 dstport 4789 proxy + + ip neigh add 2001:db8:1::3 lladdr 00:11:22:33:44:55 nud perm dev vx0 + + bridge fdb add 00:11:22:33:44:55 dev vx0 self static nhid 10 + + ndisc6 -r 1 -s 2001:db8:1::1 -w 1 2001:db8:1::3 vx0 + +Fixes: 1274e1cc4226 ("vxlan: ecmp support for mac fdb entries") +Reviewed-by: Petr Machata +Signed-off-by: Ido Schimmel +Reviewed-by: Nikolay Aleksandrov +Link: 
https://patch.msgid.link/20250901065035.159644-3-idosch@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/vxlan/vxlan_core.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c +index 6b4b4b0484d6e..bbfa4eed17559 100644 +--- a/drivers/net/vxlan/vxlan_core.c ++++ b/drivers/net/vxlan/vxlan_core.c +@@ -1901,6 +1901,7 @@ static int arp_reduce(struct net_device *dev, struct sk_buff *skb, __be32 vni) + n = neigh_lookup(&arp_tbl, &tip, dev); + + if (n) { ++ struct vxlan_rdst *rdst = NULL; + struct vxlan_fdb *f; + struct sk_buff *reply; + +@@ -1911,7 +1912,9 @@ static int arp_reduce(struct net_device *dev, struct sk_buff *skb, __be32 vni) + + rcu_read_lock(); + f = vxlan_find_mac_tx(vxlan, n->ha, vni); +- if (f && vxlan_addr_any(&(first_remote_rcu(f)->remote_ip))) { ++ if (f) ++ rdst = first_remote_rcu(f); ++ if (rdst && vxlan_addr_any(&rdst->remote_ip)) { + /* bridge-local neighbor */ + neigh_release(n); + rcu_read_unlock(); +@@ -2068,6 +2071,7 @@ static int neigh_reduce(struct net_device *dev, struct sk_buff *skb, __be32 vni) + n = neigh_lookup(ipv6_stub->nd_tbl, &msg->target, dev); + + if (n) { ++ struct vxlan_rdst *rdst = NULL; + struct vxlan_fdb *f; + struct sk_buff *reply; + +@@ -2077,7 +2081,9 @@ static int neigh_reduce(struct net_device *dev, struct sk_buff *skb, __be32 vni) + } + + f = vxlan_find_mac_tx(vxlan, n->ha, vni); +- if (f && vxlan_addr_any(&(first_remote_rcu(f)->remote_ip))) { ++ if (f) ++ rdst = first_remote_rcu(f); ++ if (rdst && vxlan_addr_any(&rdst->remote_ip)) { + /* bridge-local neighbor */ + neigh_release(n); + goto out; +-- +2.50.1 + diff --git a/queue-6.12/vxlan-fix-npd-when-refreshing-an-fdb-entry-with-a-ne.patch b/queue-6.12/vxlan-fix-npd-when-refreshing-an-fdb-entry-with-a-ne.patch new file mode 100644 index 0000000000..c027c47633 --- /dev/null 
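Review bot: in the arp_reduce() hunk (@@ -1901/@@ -1911) of vxlan-fix-npd-in-arp-neigh-_reduce-when-using-nextho.patch the check is right: first_remote_rcu() returns NULL for an entry backed by an FDB nexthop group, and the old "first_remote_rcu(f)->remote_ip" dereferenced that NULL. Declaring "struct vxlan_rdst *rdst = NULL" at the top of the "if (n)" block and filling it under "if (f)" is a little indirect; "rdst = f ? first_remote_rcu(f) : NULL;" says the same in one line. Either way, a nexthop-backed MAC now falls through to the arp_create() reply, i.e. it is proxied like any non-bridge-local neighbor, which is the behaviour the commit message describes.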
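Review bot: the neigh_reduce() hunk (@@ -2068/@@ -2077) mirrors the arp_reduce() change, but unlike arp_reduce() there is no rcu_read_lock() visible around vxlan_find_mac_tx() and first_remote_rcu(f); the "goto out" after neigh_release(n) suggests the function takes the read lock earlier and releases it at out:, so confirm that is the case, since first_remote_rcu() reads f->nh under RCU and the lookup itself is lockless.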
+++ b/queue-6.12/vxlan-fix-npd-when-refreshing-an-fdb-entry-with-a-ne.patch 
@@ -0,0 +1,118 @@ +From d1e9fa792bf0fad4e6ab391fd6f6a31640489dd2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Sep 2025 09:50:33 +0300 +Subject: vxlan: Fix NPD when refreshing an FDB entry with a nexthop object + +From: Ido Schimmel + +[ Upstream commit 6ead38147ebb813f08be6ea8ef547a0e4c09559a ] + +VXLAN FDB entries can point to either a remote destination or an FDB +nexthop group. The latter is usually used in EVPN deployments where +learning is disabled. + +However, when learning is enabled, an incoming packet might try to +refresh an FDB entry that points to an FDB nexthop group and therefore +does not have a remote. Such packets should be dropped, but they are +only dropped after dereferencing the non-existent remote, resulting in a +NPD [1] which can be reproduced using [2]. + +Fix by dropping such packets earlier. Remove the misleading comment from +first_remote_rcu(). + +[1] +BUG: kernel NULL pointer dereference, address: 0000000000000000 +[...] +CPU: 13 UID: 0 PID: 361 Comm: mausezahn Not tainted 6.17.0-rc1-virtme-g9f6b606b6b37 #1 PREEMPT(voluntary) +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014 +RIP: 0010:vxlan_snoop+0x98/0x1e0 +[...] 
+Call Trace: + + vxlan_encap_bypass+0x209/0x240 + encap_bypass_if_local+0xb1/0x100 + vxlan_xmit_one+0x1375/0x17e0 + vxlan_xmit+0x6b4/0x15f0 + dev_hard_start_xmit+0x5d/0x1c0 + __dev_queue_xmit+0x246/0xfd0 + packet_sendmsg+0x113a/0x1850 + __sock_sendmsg+0x38/0x70 + __sys_sendto+0x126/0x180 + __x64_sys_sendto+0x24/0x30 + do_syscall_64+0xa4/0x260 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + +[2] + #!/bin/bash + + ip address add 192.0.2.1/32 dev lo + ip address add 192.0.2.2/32 dev lo + + ip nexthop add id 1 via 192.0.2.3 fdb + ip nexthop add id 10 group 1 fdb + + ip link add name vx0 up type vxlan id 10010 local 192.0.2.1 dstport 12345 localbypass + ip link add name vx1 up type vxlan id 10020 local 192.0.2.2 dstport 54321 learning + + bridge fdb add 00:11:22:33:44:55 dev vx0 self static dst 192.0.2.2 port 54321 vni 10020 + bridge fdb add 00:aa:bb:cc:dd:ee dev vx1 self static nhid 10 + + mausezahn vx0 -a 00:aa:bb:cc:dd:ee -b 00:11:22:33:44:55 -c 1 -q + +Fixes: 1274e1cc4226 ("vxlan: ecmp support for mac fdb entries") +Reported-by: Marlin Cremers +Reviewed-by: Petr Machata +Signed-off-by: Ido Schimmel +Reviewed-by: Nikolay Aleksandrov +Link: https://patch.msgid.link/20250901065035.159644-2-idosch@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/vxlan/vxlan_core.c | 8 ++++---- + drivers/net/vxlan/vxlan_private.h | 4 +--- + 2 files changed, 5 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c +index c4ce577eb0908..58590ddbc6a15 100644 +--- a/drivers/net/vxlan/vxlan_core.c ++++ b/drivers/net/vxlan/vxlan_core.c +@@ -1460,6 +1460,10 @@ static enum skb_drop_reason vxlan_snoop(struct net_device *dev, + if (likely(f)) { + struct vxlan_rdst *rdst = first_remote_rcu(f); + ++ /* Don't override an fdb with nexthop with a learnt entry */ ++ if (rcu_access_pointer(f->nh)) ++ return SKB_DROP_REASON_VXLAN_ENTRY_EXISTS; ++ + if (likely(vxlan_addr_equal(&rdst->remote_ip, src_ip) && + 
rdst->remote_ifindex == ifindex)) + return SKB_NOT_DROPPED_YET; +@@ -1468,10 +1472,6 @@ static enum skb_drop_reason vxlan_snoop(struct net_device *dev, + if (f->state & (NUD_PERMANENT | NUD_NOARP)) + return SKB_DROP_REASON_VXLAN_ENTRY_EXISTS; + +- /* Don't override an fdb with nexthop with a learnt entry */ +- if (rcu_access_pointer(f->nh)) +- return SKB_DROP_REASON_VXLAN_ENTRY_EXISTS; +- + if (net_ratelimit()) + netdev_info(dev, + "%pM migrated from %pIS to %pIS\n", +diff --git a/drivers/net/vxlan/vxlan_private.h b/drivers/net/vxlan/vxlan_private.h +index 76a351a997d51..c6279ef98a5c2 100644 +--- a/drivers/net/vxlan/vxlan_private.h ++++ b/drivers/net/vxlan/vxlan_private.h +@@ -56,9 +56,7 @@ static inline struct hlist_head *vs_head(struct net *net, __be16 port) + return &vn->sock_list[hash_32(ntohs(port), PORT_HASH_BITS)]; + } + +-/* First remote destination for a forwarding entry. +- * Guaranteed to be non-NULL because remotes are never deleted. +- */ ++/* First remote destination for a forwarding entry. */ + static inline struct vxlan_rdst *first_remote_rcu(struct vxlan_fdb *fdb) + { + if (rcu_access_pointer(fdb->nh)) +-- +2.50.1 + diff --git a/queue-6.12/vxlan-refresh-fdb-updated-time-upon-ntf_use.patch b/queue-6.12/vxlan-refresh-fdb-updated-time-upon-ntf_use.patch new file mode 100644 index 0000000000..21104d467c --- /dev/null +++ b/queue-6.12/vxlan-refresh-fdb-updated-time-upon-ntf_use.patch 
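Review bot: in the vxlan_snoop() hunk (@@ -1460/@@ -1468) of vxlan-fix-npd-when-refreshing-an-fdb-entry-with-a-ne.patch the "rcu_access_pointer(f->nh)" check is moved above the "rdst->remote_ip" dereference, which closes the NPD, but "struct vxlan_rdst *rdst = first_remote_rcu(f)" is still evaluated first and is NULL exactly when the check fires; testing "if (!rdst)" instead would make the invariant local to this function and avoid reading f->nh twice. Returning SKB_DROP_REASON_VXLAN_ENTRY_EXISTS for the nexthop case is the pre-existing choice, but it makes this drop indistinguishable in the counters from the NUD_PERMANENT/NUD_NOARP case below, so a distinct reason would help anyone debugging why learning silently stops for such MACs.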
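Review bot: the vxlan_private.h hunk (@@ -56) deletes the "Guaranteed to be non-NULL because remotes are never deleted" sentence from first_remote_rcu() but leaves no statement of the actual contract; the visible "if (rcu_access_pointer(fdb->nh))" branch is the case in which it returns NULL, so replace the removed sentence with one saying that the function returns NULL when the entry points to an FDB nexthop group, otherwise the next caller will make the same assumption this fix is correcting.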
@@ -0,0 +1,87 @@ +From 863c144ae6ce9cc15a745b3b3be603a073f929b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Feb 2025 16:55:45 +0200 +Subject: vxlan: Refresh FDB 'updated' time upon 'NTF_USE' + +From: Ido Schimmel + +[ Upstream commit 40a9994f2fbddf299655073be947e9cfc57dfdf1 ] + +The 'NTF_USE' flag can be used by user space to refresh FDB entries so +that they will not age out. Currently, the VXLAN driver implements it by +refreshing the 'used' field in the FDB entry as this is the field +according to which FDB entries are aged out. + +Subsequent patches will switch the VXLAN driver to age out entries based +on the 'updated' field. Prepare for this change by refreshing the +'updated' field upon 'NTF_USE'. This is consistent with the bridge +driver's FDB: + + # ip link add name br1 up type bridge + # ip link add name swp1 master br1 up type dummy + # bridge fdb add 00:11:22:33:44:55 dev swp1 master dynamic vlan 1 + # sleep 10 + # bridge fdb replace 00:11:22:33:44:55 dev swp1 master dynamic vlan 1 + # bridge -s -j fdb get 00:11:22:33:44:55 br br1 vlan 1 | jq '.[]["updated"]' + 10 + # sleep 10 + # bridge fdb replace 00:11:22:33:44:55 dev swp1 master use dynamic vlan 1 + # bridge -s -j fdb get 00:11:22:33:44:55 br br1 vlan 1 | jq '.[]["updated"]' + 0 + +Before: + + # ip link add name vx1 up type vxlan id 10010 dstport 4789 + # bridge fdb add 00:11:22:33:44:55 dev vx1 self dynamic dst 198.51.100.1 + # sleep 10 + # bridge fdb replace 00:11:22:33:44:55 dev vx1 self dynamic dst 198.51.100.1 + # bridge -s -j -p fdb get 00:11:22:33:44:55 br vx1 self | jq '.[]["updated"]' + 10 + # sleep 10 + # bridge fdb replace 00:11:22:33:44:55 dev vx1 self use dynamic dst 198.51.100.1 + # bridge -s -j -p fdb get 00:11:22:33:44:55 br vx1 self | jq '.[]["updated"]' + 20 + +After: + + # ip link add name vx1 up type vxlan id 10010 dstport 4789 + # bridge fdb add 00:11:22:33:44:55 dev vx1 self dynamic dst 198.51.100.1 + # sleep 10 + # bridge fdb replace 00:11:22:33:44:55 dev vx1 
self dynamic dst 198.51.100.1 + # bridge -s -j -p fdb get 00:11:22:33:44:55 br vx1 self | jq '.[]["updated"]' + 10 + # sleep 10 + # bridge fdb replace 00:11:22:33:44:55 dev vx1 self use dynamic dst 198.51.100.1 + # bridge -s -j -p fdb get 00:11:22:33:44:55 br vx1 self | jq '.[]["updated"]' + 0 + +Reviewed-by: Petr Machata +Signed-off-by: Ido Schimmel +Reviewed-by: Nikolay Aleksandrov +Link: https://patch.msgid.link/20250204145549.1216254-5-idosch@nvidia.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: 1f5d2fd1ca04 ("vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects") +Signed-off-by: Sasha Levin +--- + drivers/net/vxlan/vxlan_core.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c +index ce9dcd8e74a93..ce9c979080bb4 100644 +--- a/drivers/net/vxlan/vxlan_core.c ++++ b/drivers/net/vxlan/vxlan_core.c +@@ -1047,8 +1047,10 @@ static int vxlan_fdb_update_existing(struct vxlan_dev *vxlan, + notify |= rc; + } + +- if (ndm_flags & NTF_USE) ++ if (ndm_flags & NTF_USE) { + WRITE_ONCE(f->used, jiffies); ++ WRITE_ONCE(f->updated, jiffies); ++ } + + if (notify) { + if (rd == NULL) +-- +2.50.1 + diff --git a/queue-6.12/vxlan-rename-fdb-tx-lookup-function.patch b/queue-6.12/vxlan-rename-fdb-tx-lookup-function.patch new file mode 100644 index 0000000000..9fa8d40dad --- /dev/null +++ b/queue-6.12/vxlan-rename-fdb-tx-lookup-function.patch 
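Review bot: in the vxlan_fdb_update_existing() hunk (@@ -1047) of vxlan-refresh-fdb-updated-time-upon-ntf_use.patch, "WRITE_ONCE(f->updated, jiffies)" is added beside the existing "WRITE_ONCE(f->used, jiffies)" without setting notify, so a pure NTF_USE refresh still produces no RTM_NEWNEIGH event; that matches the bridge behaviour shown in the commit message and should stay that way. Since f->updated is now written from the netlink path while other contexts read it, make sure those readers (the aging timer and the dump code) use READ_ONCE() to pair with the WRITE_ONCE() here.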
@@ -0,0 +1,87 @@ +From 9e02f79945cf32dfaf8b07e2b7b81ada04b4303a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Apr 2025 15:11:39 +0300 +Subject: vxlan: Rename FDB Tx lookup function + +From: Ido Schimmel + +[ Upstream commit 5cde39ea38813ebb5bf07922a3ba60871edebf99 ] + +vxlan_find_mac() is only expected to be called from the Tx path as it +updates the 'used' timestamp. Rename it to vxlan_find_mac_tx() to +reflect that and to avoid incorrect updates of this timestamp like those +addressed by commit 9722f834fe9a ("vxlan: Avoid unnecessary updates to +FDB 'used' time"). + +No functional changes intended. + +Reviewed-by: Petr Machata +Signed-off-by: Ido Schimmel +Link: https://patch.msgid.link/20250415121143.345227-12-idosch@nvidia.com +Reviewed-by: Nikolay Aleksandrov +Signed-off-by: Paolo Abeni +Stable-dep-of: 1f5d2fd1ca04 ("vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects") +Signed-off-by: Sasha Levin +--- + drivers/net/vxlan/vxlan_core.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c +index 1d431e3fc71ea..6b4b4b0484d6e 100644 +--- a/drivers/net/vxlan/vxlan_core.c ++++ b/drivers/net/vxlan/vxlan_core.c +@@ -428,8 +428,8 @@ static struct vxlan_fdb *__vxlan_find_mac(struct vxlan_dev *vxlan, + return NULL; + } + +-static struct vxlan_fdb *vxlan_find_mac(struct vxlan_dev *vxlan, +- const u8 *mac, __be32 vni) ++static struct vxlan_fdb *vxlan_find_mac_tx(struct vxlan_dev *vxlan, ++ const u8 *mac, __be32 vni) + { + struct vxlan_fdb *f; + +@@ -1910,7 +1910,7 @@ static int arp_reduce(struct net_device *dev, struct sk_buff *skb, __be32 vni) + } + + rcu_read_lock(); +- f = vxlan_find_mac(vxlan, n->ha, vni); ++ f = vxlan_find_mac_tx(vxlan, n->ha, vni); + if (f && vxlan_addr_any(&(first_remote_rcu(f)->remote_ip))) { + /* bridge-local neighbor */ + neigh_release(n); +@@ -2076,7 +2076,7 @@ static int neigh_reduce(struct net_device *dev, struct sk_buff 
*skb, __be32 vni) + goto out; + } + +- f = vxlan_find_mac(vxlan, n->ha, vni); ++ f = vxlan_find_mac_tx(vxlan, n->ha, vni); + if (f && vxlan_addr_any(&(first_remote_rcu(f)->remote_ip))) { + /* bridge-local neighbor */ + neigh_release(n); +@@ -2766,7 +2766,7 @@ static netdev_tx_t vxlan_xmit(struct sk_buff *skb, struct net_device *dev) + + eth = eth_hdr(skb); + rcu_read_lock(); +- f = vxlan_find_mac(vxlan, eth->h_dest, vni); ++ f = vxlan_find_mac_tx(vxlan, eth->h_dest, vni); + did_rsc = false; + + if (f && (f->flags & NTF_ROUTER) && (vxlan->cfg.flags & VXLAN_F_RSC) && +@@ -2774,11 +2774,11 @@ static netdev_tx_t vxlan_xmit(struct sk_buff *skb, struct net_device *dev) + ntohs(eth->h_proto) == ETH_P_IPV6)) { + did_rsc = route_shortcircuit(dev, skb); + if (did_rsc) +- f = vxlan_find_mac(vxlan, eth->h_dest, vni); ++ f = vxlan_find_mac_tx(vxlan, eth->h_dest, vni); + } + + if (f == NULL) { +- f = vxlan_find_mac(vxlan, all_zeros_mac, vni); ++ f = vxlan_find_mac_tx(vxlan, all_zeros_mac, vni); + if (f == NULL) { + if ((vxlan->cfg.flags & VXLAN_F_L2MISS) && + !is_multicast_ether_addr(eth->h_dest)) +-- +2.50.1 + diff --git a/queue-6.12/wifi-ath11k-fix-group-data-packet-drops-during-rekey.patch b/queue-6.12/wifi-ath11k-fix-group-data-packet-drops-during-rekey.patch new file mode 100644 index 0000000000..a60b515481 --- /dev/null +++ b/queue-6.12/wifi-ath11k-fix-group-data-packet-drops-during-rekey.patch 
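Review bot: in the 'vxlan: Rename FDB Tx lookup function' patch, the rename covers the definition plus five call sites (arp_reduce, neigh_reduce, and three in vxlan_xmit), which matches the 7/7 diffstat, but a rename backported as a Stable-dep-of must be checked against the 6.12 tree rather than upstream: if 6.12 has any additional vxlan_find_mac() caller not present in these hunks, the build breaks. The continuation line of the prototype was re-aligned to the longer name, which is correct.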
@@ -0,0 +1,244 @@ +From facb50079149384b5ceee02c370286472c785fbe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 10 Aug 2025 22:30:18 +0530 +Subject: wifi: ath11k: fix group data packet drops during rekey +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rameshkumar Sundaram + +[ Upstream commit 97acb0259cc9cbfbd7ab689e25684f3d8ce10e26 ] + +During GTK rekey, mac80211 issues a clear key (if the old key exists) +followed by an install key operation in the same context. This causes +ath11k to send two WMI commands in quick succession: one to clear the +old key and another to install the new key in the same slot. + +Under certain conditions—especially under high load or time sensitive +scenarios, firmware may process these commands asynchronously in a way +that firmware assumes the key is cleared whereas hardware has a valid key. +This inconsistency between hardware and firmware leads to group addressed +packet drops. Only setting the same key again can restore a valid key in +firmware and allow packets to be transmitted. + +This issue remained latent because the host's clear key commands were +not effective in firmware until commit 436a4e886598 ("ath11k: clear the +keys properly via DISABLE_KEY"). That commit enabled the host to +explicitly clear group keys, which inadvertently exposed the race. + +To mitigate this, restrict group key clearing across all modes (AP, STA, +MESH). During rekey, the new key can simply be set on top of the previous +one, avoiding the need for a clear followed by a set. + +However, in AP mode specifically, permit group key clearing when no +stations are associated. This exception supports transitions from secure +modes (e.g., WPA2/WPA3) to open mode, during which all associated peers +are removed and the group key is cleared as part of the transition. + +Add a per-BSS station counter to track the presence of stations during +set key operations. 
Also add a reset_group_keys flag to track the key +re-installation state and avoid repeated installation of the same key +when the number of connected stations transitions to non-zero within a +rekey period. + +Additionally, for AP and Mesh modes, when the first station associates, +reinstall the same group key that was last set. This ensures that the +firmware recovers from any race that may have occurred during a previous +key clear when no stations were associated. + +This change ensures that key clearing is permitted only when no clients +are connected, avoiding packet loss while enabling dynamic security mode +transitions. + +Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.9.0.1-02146-QCAHKSWPL_SILICONZ-1 +Tested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41 + +Reported-by: Steffen Moser +Closes: https://lore.kernel.org/linux-wireless/c6366409-9928-4dd7-bf7b-ba7fcf20eabf@steffen-moser.de +Fixes: 436a4e886598 ("ath11k: clear the keys properly via DISABLE_KEY") +Signed-off-by: Rameshkumar Sundaram +Tested-by: Nicolas Escande +Reviewed-by: Vasanthakumar Thiagarajan +Link: https://patch.msgid.link/20250810170018.1124014-1-rameshkumar.sundaram@oss.qualcomm.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/core.h | 2 + + drivers/net/wireless/ath/ath11k/mac.c | 111 +++++++++++++++++++++++-- + 2 files changed, 104 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath11k/core.h b/drivers/net/wireless/ath/ath11k/core.h +index 09fdb7be0e197..2fed2f58a0bd9 100644 +--- a/drivers/net/wireless/ath/ath11k/core.h ++++ b/drivers/net/wireless/ath/ath11k/core.h +@@ -409,6 +409,8 @@ struct ath11k_vif { + bool do_not_send_tmpl; + struct ath11k_arp_ns_offload arp_ns_offload; + struct ath11k_rekey_data rekey_data; ++ u32 num_stations; ++ bool reinstall_group_keys; + + struct ath11k_reg_tpc_power_info reg_tpc_info; + +diff --git a/drivers/net/wireless/ath/ath11k/mac.c 
b/drivers/net/wireless/ath/ath11k/mac.c +index ddf4ec6b244b4..bd91d1deb26e1 100644 +--- a/drivers/net/wireless/ath/ath11k/mac.c ++++ b/drivers/net/wireless/ath/ath11k/mac.c +@@ -4307,6 +4307,40 @@ static int ath11k_clear_peer_keys(struct ath11k_vif *arvif, + return first_errno; + } + ++static int ath11k_set_group_keys(struct ath11k_vif *arvif) ++{ ++ struct ath11k *ar = arvif->ar; ++ struct ath11k_base *ab = ar->ab; ++ const u8 *addr = arvif->bssid; ++ int i, ret, first_errno = 0; ++ struct ath11k_peer *peer; ++ ++ spin_lock_bh(&ab->base_lock); ++ peer = ath11k_peer_find(ab, arvif->vdev_id, addr); ++ spin_unlock_bh(&ab->base_lock); ++ ++ if (!peer) ++ return -ENOENT; ++ ++ for (i = 0; i < ARRAY_SIZE(peer->keys); i++) { ++ struct ieee80211_key_conf *key = peer->keys[i]; ++ ++ if (!key || (key->flags & IEEE80211_KEY_FLAG_PAIRWISE)) ++ continue; ++ ++ ret = ath11k_install_key(arvif, key, SET_KEY, addr, ++ WMI_KEY_GROUP); ++ if (ret < 0 && first_errno == 0) ++ first_errno = ret; ++ ++ if (ret < 0) ++ ath11k_warn(ab, "failed to set group key of idx %d for vdev %d: %d\n", ++ i, arvif->vdev_id, ret); ++ } ++ ++ return first_errno; ++} ++ + static int ath11k_mac_op_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd, + struct ieee80211_vif *vif, struct ieee80211_sta *sta, + struct ieee80211_key_conf *key) +@@ -4316,6 +4350,7 @@ static int ath11k_mac_op_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd, + struct ath11k_vif *arvif = ath11k_vif_to_arvif(vif); + struct ath11k_peer *peer; + struct ath11k_sta *arsta; ++ bool is_ap_with_no_sta; + const u8 *peer_addr; + int ret = 0; + u32 flags = 0; +@@ -4376,16 +4411,57 @@ static int ath11k_mac_op_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd, + else + flags |= WMI_KEY_GROUP; + +- ret = ath11k_install_key(arvif, key, cmd, peer_addr, flags); +- if (ret) { +- ath11k_warn(ab, "ath11k_install_key failed (%d)\n", ret); +- goto exit; +- } ++ ath11k_dbg(ar->ab, ATH11K_DBG_MAC, ++ "%s for peer %pM on vdev %d flags 0x%X, 
type = %d, num_sta %d\n", ++ cmd == SET_KEY ? "SET_KEY" : "DEL_KEY", peer_addr, arvif->vdev_id, ++ flags, arvif->vdev_type, arvif->num_stations); ++ ++ /* Allow group key clearing only in AP mode when no stations are ++ * associated. There is a known race condition in firmware where ++ * group addressed packets may be dropped if the key is cleared ++ * and immediately set again during rekey. ++ * ++ * During GTK rekey, mac80211 issues a clear key (if the old key ++ * exists) followed by an install key operation for same key ++ * index. This causes ath11k to send two WMI commands in quick ++ * succession: one to clear the old key and another to install the ++ * new key in the same slot. ++ * ++ * Under certain conditions—especially under high load or time ++ * sensitive scenarios, firmware may process these commands ++ * asynchronously in a way that firmware assumes the key is ++ * cleared whereas hardware has a valid key. This inconsistency ++ * between hardware and firmware leads to group addressed packet ++ * drops after rekey. ++ * Only setting the same key again can restore a valid key in ++ * firmware and allow packets to be transmitted. ++ * ++ * There is a use case where an AP can transition from Secure mode ++ * to open mode without a vdev restart by just deleting all ++ * associated peers and clearing key, Hence allow clear key for ++ * that case alone. Mark arvif->reinstall_group_keys in such cases ++ * and reinstall the same key when the first peer is added, ++ * allowing firmware to recover from the race if it had occurred. 
++ */ + +- ret = ath11k_dp_peer_rx_pn_replay_config(arvif, peer_addr, cmd, key); +- if (ret) { +- ath11k_warn(ab, "failed to offload PN replay detection %d\n", ret); +- goto exit; ++ is_ap_with_no_sta = (vif->type == NL80211_IFTYPE_AP && ++ !arvif->num_stations); ++ if ((flags & WMI_KEY_PAIRWISE) || cmd == SET_KEY || is_ap_with_no_sta) { ++ ret = ath11k_install_key(arvif, key, cmd, peer_addr, flags); ++ if (ret) { ++ ath11k_warn(ab, "ath11k_install_key failed (%d)\n", ret); ++ goto exit; ++ } ++ ++ ret = ath11k_dp_peer_rx_pn_replay_config(arvif, peer_addr, cmd, key); ++ if (ret) { ++ ath11k_warn(ab, "failed to offload PN replay detection %d\n", ++ ret); ++ goto exit; ++ } ++ ++ if ((flags & WMI_KEY_GROUP) && cmd == SET_KEY && is_ap_with_no_sta) ++ arvif->reinstall_group_keys = true; + } + + spin_lock_bh(&ab->base_lock); +@@ -4984,6 +5060,7 @@ static int ath11k_mac_inc_num_stations(struct ath11k_vif *arvif, + return -ENOBUFS; + + ar->num_stations++; ++ arvif->num_stations++; + + return 0; + } +@@ -4999,6 +5076,7 @@ static void ath11k_mac_dec_num_stations(struct ath11k_vif *arvif, + return; + + ar->num_stations--; ++ arvif->num_stations--; + } + + static u32 ath11k_mac_ieee80211_sta_bw_to_wmi(struct ath11k *ar, +@@ -9519,6 +9597,21 @@ static int ath11k_mac_station_add(struct ath11k *ar, + goto exit; + } + ++ /* Driver allows the DEL KEY followed by SET KEY sequence for ++ * group keys for only when there is no clients associated, if at ++ * all firmware has entered the race during that window, ++ * reinstalling the same key when the first sta connects will allow ++ * firmware to recover from the race. 
++ */ ++ if (arvif->num_stations == 1 && arvif->reinstall_group_keys) { ++ ath11k_dbg(ab, ATH11K_DBG_MAC, "set group keys on 1st station add for vdev %d\n", ++ arvif->vdev_id); ++ ret = ath11k_set_group_keys(arvif); ++ if (ret) ++ goto dec_num_station; ++ arvif->reinstall_group_keys = false; ++ } ++ + arsta->rx_stats = kzalloc(sizeof(*arsta->rx_stats), GFP_KERNEL); + if (!arsta->rx_stats) { + ret = -ENOMEM; +-- +2.50.1 + diff --git a/queue-6.12/wifi-brcmfmac-fix-use-after-free-when-rescheduling-b.patch b/queue-6.12/wifi-brcmfmac-fix-use-after-free-when-rescheduling-b.patch new file mode 100644 index 0000000000..3038afbf76 --- /dev/null +++ b/queue-6.12/wifi-brcmfmac-fix-use-after-free-when-rescheduling-b.patch 
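Review bot: in the core.h hunk of the ath11k rekey patch, the new field is named `reinstall_group_keys` while the commit message describes a `reset_group_keys` flag; the message should use the field's actual name so the two can be found together. A short comment on `num_stations` saying it is the per-vif count kept in lockstep with `ar->num_stations` (as the later inc/dec hunks do) would also help.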
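Review bot: in the ath11k_set_group_keys() hunk, `peer` is looked up under `ab->base_lock` but the lock is dropped before `peer->keys[]` is iterated and `ath11k_install_key()` is called; this is only safe because the sole caller, ath11k_mac_station_add(), runs with ar->conf_mutex held and peer removal is serialised by that mutex, which deserves a `lockdep_assert_held(&ar->conf_mutex)` or at least a comment. This path also reinstalls via ath11k_install_key() without the ath11k_dp_peer_rx_pn_replay_config() call that ath11k_mac_op_set_key() makes for SET_KEY; that is fine for re-setting an identical key whose PN replay state is already configured, but the comment should say so.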
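Review bot: in the ath11k_mac_op_set_key() hunk, a group-key DISABLE_KEY is now skipped with `ret` left at 0 in STA and mesh mode, and in AP mode whenever stations are associated, so the previous GTK stays installed in firmware until it is overwritten by the next SET_KEY or the vdev is torn down; confirm that vdev stop and peer delete flush firmware keys so a stale GTK cannot survive a disconnect followed by a reconnect to a different BSS. Two style points: the new comment block contains a non-ASCII em dash before 'especially', which kernel comments avoid, and the new ath11k_dbg() passes `ar->ab` where the surrounding code already uses `ab`.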
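Review bot: in the ath11k_mac_station_add() hunk, the reinstall runs only when `arvif->reinstall_group_keys` is set, and the set_key hunk sets that flag only when `vif->type == NL80211_IFTYPE_AP`; the commit message and the in-code comment say the reinstall applies to AP and Mesh modes, but mesh can never reach this path, so either extend `is_ap_with_no_sta` to cover NL80211_IFTYPE_MESH_POINT or correct the text. The comment grammar ('for only when there is no clients associated') should be tidied, and the `== 1` check relies on ath11k_mac_inc_num_stations() having already run for this station, which the `dec_num_station` error label confirms.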
@@ -0,0 +1,106 @@ +From d2acd81dd549712e96699d5c7a3635a3866011cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Aug 2025 13:08:39 +0800 +Subject: wifi: brcmfmac: fix use-after-free when rescheduling + brcmf_btcoex_info work +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Duoming Zhou + +[ Upstream commit 9cb83d4be0b9b697eae93d321e0da999f9cdfcfc ] + +The brcmf_btcoex_detach() only shuts down the btcoex timer, if the +flag timer_on is false. However, the brcmf_btcoex_timerfunc(), which +runs as timer handler, sets timer_on to false. This creates critical +race conditions: + +1.If brcmf_btcoex_detach() is called while brcmf_btcoex_timerfunc() +is executing, it may observe timer_on as false and skip the call to +timer_shutdown_sync(). + +2.The brcmf_btcoex_timerfunc() may then reschedule the brcmf_btcoex_info +worker after the cancel_work_sync() has been executed, resulting in +use-after-free bugs. + +The use-after-free bugs occur in two distinct scenarios, depending on +the timing of when the brcmf_btcoex_info struct is freed relative to +the execution of its worker thread. + +Scenario 1: Freed before the worker is scheduled + +The brcmf_btcoex_info is deallocated before the worker is scheduled. +A race condition can occur when schedule_work(&bt_local->work) is +called after the target memory has been freed. The sequence of events +is detailed below: + +CPU0 | CPU1 +brcmf_btcoex_detach | brcmf_btcoex_timerfunc + | bt_local->timer_on = false; + if (cfg->btcoex->timer_on) | + ... | + cancel_work_sync(); | + ... | + kfree(cfg->btcoex); // FREE | + | schedule_work(&bt_local->work); // USE + +Scenario 2: Freed after the worker is scheduled + +The brcmf_btcoex_info is freed after the worker has been scheduled +but before or during its execution. 
In this case, statements within +the brcmf_btcoex_handler() — such as the container_of macro and +subsequent dereferences of the brcmf_btcoex_info object will cause +a use-after-free access. The following timeline illustrates this +scenario: + +CPU0 | CPU1 +brcmf_btcoex_detach | brcmf_btcoex_timerfunc + | bt_local->timer_on = false; + if (cfg->btcoex->timer_on) | + ... | + cancel_work_sync(); | + ... | schedule_work(); // Reschedule + | + kfree(cfg->btcoex); // FREE | brcmf_btcoex_handler() // Worker + /* | btci = container_of(....); // USE + The kfree() above could | ... + also occur at any point | btci-> // USE + during the worker's execution| + */ | + +To resolve the race conditions, drop the conditional check and call +timer_shutdown_sync() directly. It can deactivate the timer reliably, +regardless of its current state. Once stopped, the timer_on state is +then set to false. + +Fixes: 61730d4dfffc ("brcmfmac: support critical protocol API for DHCP") +Acked-by: Arend van Spriel +Signed-off-by: Duoming Zhou +Link: https://patch.msgid.link/20250822050839.4413-1-duoming@zju.edu.cn +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c +index 1e8495f50c16a..6531cff58ae9f 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c +@@ -392,10 +392,8 @@ void brcmf_btcoex_detach(struct brcmf_cfg80211_info *cfg) + if (!cfg->btcoex) + return; + +- if (cfg->btcoex->timer_on) { +- cfg->btcoex->timer_on = false; +- timer_shutdown_sync(&cfg->btcoex->timer); +- } ++ timer_shutdown_sync(&cfg->btcoex->timer); ++ cfg->btcoex->timer_on = false; + + cancel_work_sync(&cfg->btcoex->work); + +-- +2.50.1 + 
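Review bot: the brcmf_btcoex_detach() hunk makes timer_shutdown_sync() unconditional, which is the right primitive: it waits for a running brcmf_btcoex_timerfunc() to finish and guarantees the timer cannot be re-armed, so by the time cancel_work_sync() below runs the handler can no longer call schedule_work(), closing both scenarios in the message. Two things to confirm: that brcmf_btcoex_attach() always runs timer_setup() before `cfg->btcoex` becomes non-NULL (otherwise the unconditional shutdown acts on an uninitialised timer), and that a re-arm attempted from brcmf_btcoex_handler() after this point is harmless (mod_timer on a shut-down timer is ignored, so it is, but the message could say so). Setting `timer_on = false` after the shutdown rather than before is the correct order.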
diff --git a/queue-6.12/wifi-cfg80211-fix-use-after-free-in-cmp_bss.patch b/queue-6.12/wifi-cfg80211-fix-use-after-free-in-cmp_bss.patch new file mode 100644 index 0000000000..8d5ba9f058 --- /dev/null +++ b/queue-6.12/wifi-cfg80211-fix-use-after-free-in-cmp_bss.patch @@ -0,0 +1,43 @@ +From 5d62cf12ef755fdd35eb8dd923db6e28e3f9e6f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Aug 2025 16:52:36 +0300 +Subject: wifi: cfg80211: fix use-after-free in cmp_bss() + +From: Dmitry Antipov + +[ Upstream commit 26e84445f02ce6b2fe5f3e0e28ff7add77f35e08 ] + +Following bss_free() quirk introduced in commit 776b3580178f +("cfg80211: track hidden SSID networks properly"), adjust +cfg80211_update_known_bss() to free the last beacon frame +elements only if they're not shared via the corresponding +'hidden_beacon_bss' pointer. + +Reported-by: syzbot+30754ca335e6fb7e3092@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=30754ca335e6fb7e3092 +Fixes: 3ab8227d3e7d ("cfg80211: refactor cfg80211_bss_update") +Signed-off-by: Dmitry Antipov +Link: https://patch.msgid.link/20250813135236.799384-1-dmantipov@yandex.ru +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/scan.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/wireless/scan.c b/net/wireless/scan.c +index d80ab1725f28d..f00ccc6d803be 100644 +--- a/net/wireless/scan.c ++++ b/net/wireless/scan.c +@@ -1868,7 +1868,8 @@ cfg80211_update_known_bss(struct cfg80211_registered_device *rdev, + */ + + f = rcu_access_pointer(new->pub.beacon_ies); +- kfree_rcu((struct cfg80211_bss_ies *)f, rcu_head); ++ if (!new->pub.hidden_beacon_bss) ++ kfree_rcu((struct cfg80211_bss_ies *)f, rcu_head); + return false; + } + +-- +2.50.1 + diff --git a/queue-6.12/wifi-cfg80211-sme-cap-ssid-length-in-__cfg80211_conn.patch b/queue-6.12/wifi-cfg80211-sme-cap-ssid-length-in-__cfg80211_conn.patch new file mode 100644 index 0000000000..e29fb27fd1 --- /dev/null 
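Review bot: in the cfg80211_update_known_bss() hunk, the guard `if (!new->pub.hidden_beacon_bss)` follows the ownership rule in the message (a hidden-SSID child borrows beacon_ies from its parent), but after this branch `new->pub.beacon_ies` still points at the shared elements; no double free results only because the caller discards `new` through bss_free(), which the message says applies the same check. A comment at the `if` along the lines of 'owned by hidden_beacon_bss, freed with it' would make that dependency explicit for the next reader. The cast `(struct cfg80211_bss_ies *)f` that drops const is pre-existing.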
+++ b/queue-6.12/wifi-cfg80211-sme-cap-ssid-length-in-__cfg80211_conn.patch @@ -0,0 +1,46 @@ +From 9af13662c05bb62e24bafd430c7ed47f074a1bcc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Aug 2025 15:48:45 +0300 +Subject: wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result() + +From: Dan Carpenter + +[ Upstream commit 62b635dcd69c4fde7ce1de4992d71420a37e51e3 ] + +If the ssid->datalen is more than IEEE80211_MAX_SSID_LEN (32) it would +lead to memory corruption so add some bounds checking. + +Fixes: c38c70185101 ("wifi: cfg80211: Set SSID if it is not already set") +Signed-off-by: Dan Carpenter +Link: https://patch.msgid.link/0aaaae4a3ed37c6252363c34ae4904b1604e8e32.1756456951.git.dan.carpenter@linaro.org +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/sme.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/wireless/sme.c b/net/wireless/sme.c +index 2681716000876..e0d3c713538b5 100644 +--- a/net/wireless/sme.c ++++ b/net/wireless/sme.c +@@ -903,13 +903,16 @@ void __cfg80211_connect_result(struct net_device *dev, + if (!wdev->u.client.ssid_len) { + rcu_read_lock(); + for_each_valid_link(cr, link) { ++ u32 ssid_len; ++ + ssid = ieee80211_bss_get_elem(cr->links[link].bss, + WLAN_EID_SSID); + + if (!ssid || !ssid->datalen) + continue; + +- memcpy(wdev->u.client.ssid, ssid->data, ssid->datalen); ++ ssid_len = min(ssid->datalen, IEEE80211_MAX_SSID_LEN); ++ memcpy(wdev->u.client.ssid, ssid->data, ssid_len); + wdev->u.client.ssid_len = ssid->datalen; + break; + } +-- +2.50.1 + diff --git a/queue-6.12/wifi-cw1200-cap-ssid-length-in-cw1200_do_join.patch b/queue-6.12/wifi-cw1200-cap-ssid-length-in-cw1200_do_join.patch new file mode 100644 index 0000000000..edc32834ac --- /dev/null +++ b/queue-6.12/wifi-cw1200-cap-ssid-length-in-cw1200_do_join.patch 
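Review bot: in the __cfg80211_connect_result() hunk, the memcpy is now bounded by `ssid_len`, but the next line still stores the uncapped value: `wdev->u.client.ssid_len = ssid->datalen;`. If a beacon carries an SSID element longer than IEEE80211_MAX_SSID_LEN, the recorded length claims more bytes than the 32-byte `ssid` buffer holds, so later readers of `u.client.ssid` together with `ssid_len` can read past the buffer. It should be `wdev->u.client.ssid_len = ssid_len;`, or the loop should `continue` on an oversized element instead of truncating it.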
@@ -0,0 +1,36 @@ +From fdc05faeb2da7b384620748c2f74bc0c63a01fa4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Aug 2025 15:48:28 +0300 +Subject: wifi: cw1200: cap SSID length in cw1200_do_join() + +From: Dan Carpenter + +[ Upstream commit f8f15f6742b8874e59c9c715d0af3474608310ad ] + +If the ssidie[1] length is more that 32 it leads to memory corruption. + +Fixes: a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets") +Signed-off-by: Dan Carpenter +Link: https://patch.msgid.link/e91fb43fcedc4893b604dfb973131661510901a7.1756456951.git.dan.carpenter@linaro.org +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/st/cw1200/sta.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/st/cw1200/sta.c b/drivers/net/wireless/st/cw1200/sta.c +index c259da8161e4d..2bce867dd4acf 100644 +--- a/drivers/net/wireless/st/cw1200/sta.c ++++ b/drivers/net/wireless/st/cw1200/sta.c +@@ -1290,7 +1290,7 @@ static void cw1200_do_join(struct cw1200_common *priv) + rcu_read_lock(); + ssidie = ieee80211_bss_get_ie(bss, WLAN_EID_SSID); + if (ssidie) { +- join.ssid_len = ssidie[1]; ++ join.ssid_len = min(ssidie[1], IEEE80211_MAX_SSID_LEN); + memcpy(join.ssid, &ssidie[2], join.ssid_len); + } + rcu_read_unlock(); +-- +2.50.1 + diff --git a/queue-6.12/wifi-iwlwifi-uefi-check-dsm-item-validity.patch b/queue-6.12/wifi-iwlwifi-uefi-check-dsm-item-validity.patch new file mode 100644 index 0000000000..e6df12b2a7 --- /dev/null +++ b/queue-6.12/wifi-iwlwifi-uefi-check-dsm-item-validity.patch 
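Review bot: in the cw1200_do_join() hunk, capping `join.ssid_len` before the memcpy removes the overflow of `join.ssid`, and since ieee80211_bss_get_ie() only returns an element that fits inside the IE buffer, the remaining read is in bounds. An SSID element longer than 32 bytes can only come from a malformed beacon; joining with a silently truncated SSID is acceptable, but a debug print when truncation occurs would help diagnose such frames in the field.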
@@ -0,0 +1,43 @@ +From f2062e91037bddbde645f893e4cacad07b73dd8e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Aug 2025 09:55:28 +0300 +Subject: wifi: iwlwifi: uefi: check DSM item validity + +From: Johannes Berg + +[ Upstream commit 1d33694462fa7da451846c39d653585b61375992 ] + +The first array index is a bitmap indicating which of the +other values are valid. Check that bitmap before returning +a value. + +Fixes: fc7214c3c986 ("wifi: iwlwifi: read DSM functions from UEFI") +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220085 +Signed-off-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://patch.msgid.link/20250828095500.59ec52ff865e.I9e11f497a029eb38f481b2c90c43c0935285216d@changeid +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/fw/uefi.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/wireless/intel/iwlwifi/fw/uefi.c b/drivers/net/wireless/intel/iwlwifi/fw/uefi.c +index 86d6286a15378..e5fbb5fcc4abc 100644 +--- a/drivers/net/wireless/intel/iwlwifi/fw/uefi.c ++++ b/drivers/net/wireless/intel/iwlwifi/fw/uefi.c +@@ -741,6 +741,12 @@ int iwl_uefi_get_dsm(struct iwl_fw_runtime *fwrt, enum iwl_dsm_funcs func, + goto out; + } + ++ if (!(data->functions[DSM_FUNC_QUERY] & BIT(func))) { ++ IWL_DEBUG_RADIO(fwrt, "DSM func %d not in 0x%x\n", ++ func, data->functions[DSM_FUNC_QUERY]); ++ goto out; ++ } ++ + *value = data->functions[func]; + ret = 0; + out: +-- +2.50.1 + diff --git a/queue-6.12/wifi-libertas-cap-ssid-len-in-lbs_associate.patch b/queue-6.12/wifi-libertas-cap-ssid-len-in-lbs_associate.patch new file mode 100644 index 0000000000..93935d9f2a --- /dev/null +++ b/queue-6.12/wifi-libertas-cap-ssid-len-in-lbs_associate.patch 
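Review bot: in the iwl_uefi_get_dsm() hunk, the validity check `data->functions[DSM_FUNC_QUERY] & BIT(func)` depends on `func` already being bounded above: BIT(func) with func >= 32 is undefined on a 32-bit element, and `data->functions[func]` below needs func < ARRAY_SIZE(data->functions). The `goto out;` in the leading context suggests such a check exists; if it only compares against the array size, consider also rejecting `func >= BITS_PER_TYPE(data->functions[0])` so the bitmap test itself cannot be reached with an out-of-range shift.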
@@ -0,0 +1,44 @@ +From d691b9b883c9f2b45af64cef528b23b5e12dc72d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Aug 2025 15:48:35 +0300 +Subject: wifi: libertas: cap SSID len in lbs_associate() + +From: Dan Carpenter + +[ Upstream commit c786794bd27b0d7a5fd9063695df83206009be59 ] + +If the ssid_eid[1] length is more that 32 it leads to memory corruption. + +Fixes: a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets") +Signed-off-by: Dan Carpenter +Link: https://patch.msgid.link/2a40f5ec7617144aef412034c12919a4927d90ad.1756456951.git.dan.carpenter@linaro.org +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/libertas/cfg.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/marvell/libertas/cfg.c b/drivers/net/wireless/marvell/libertas/cfg.c +index afe9bcd3ad46d..37bb788f83e36 100644 +--- a/drivers/net/wireless/marvell/libertas/cfg.c ++++ b/drivers/net/wireless/marvell/libertas/cfg.c +@@ -1150,10 +1150,13 @@ static int lbs_associate(struct lbs_private *priv, + /* add SSID TLV */ + rcu_read_lock(); + ssid_eid = ieee80211_bss_get_ie(bss, WLAN_EID_SSID); +- if (ssid_eid) +- pos += lbs_add_ssid_tlv(pos, ssid_eid + 2, ssid_eid[1]); +- else ++ if (ssid_eid) { ++ u32 ssid_len = min(ssid_eid[1], IEEE80211_MAX_SSID_LEN); ++ ++ pos += lbs_add_ssid_tlv(pos, ssid_eid + 2, ssid_len); ++ } else { + lbs_deb_assoc("no SSID\n"); ++ } + rcu_read_unlock(); + + /* add DS param TLV */ +-- +2.50.1 + diff --git a/queue-6.12/wifi-mt76-fix-linked-list-corruption.patch b/queue-6.12/wifi-mt76-fix-linked-list-corruption.patch new file mode 100644 index 0000000000..42c7d0073a --- /dev/null +++ b/queue-6.12/wifi-mt76-fix-linked-list-corruption.patch 
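Review bot: the lbs_associate() hunk caps the SSID length correctly and the braces added to both arms of the if/else are proper kernel style, but the Fixes tag is wrong: `Fixes: a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets")` is the cw1200 driver commit (the same tag used by the cw1200 patch in this series), not the libertas change that introduced the unchecked `ssid_eid[1]` length. A wrong Fixes tag misdirects stable backport selection and should be corrected before this is queued.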
@@ -0,0 +1,60 @@ +From d57ce062989234f925316bd7434cc431894ad525 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Aug 2025 10:53:52 +0200 +Subject: wifi: mt76: fix linked list corruption + +From: Felix Fietkau + +[ Upstream commit 49fba87205bec14a0f6bd997635bf3968408161e ] + +Never leave scheduled wcid entries on the temporary on-stack list + +Fixes: 0b3be9d1d34e ("wifi: mt76: add separate tx scheduling queue for off-channel tx") +Link: https://patch.msgid.link/20250827085352.51636-6-nbd@nbd.name +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/tx.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/tx.c b/drivers/net/wireless/mediatek/mt76/tx.c +index 5e081972bf445..634b6dacd1e0d 100644 +--- a/drivers/net/wireless/mediatek/mt76/tx.c ++++ b/drivers/net/wireless/mediatek/mt76/tx.c +@@ -645,6 +645,7 @@ mt76_txq_schedule_pending_wcid(struct mt76_phy *phy, struct mt76_wcid *wcid, + static void mt76_txq_schedule_pending(struct mt76_phy *phy) + { + LIST_HEAD(tx_list); ++ int ret = 0; + + if (list_empty(&phy->tx_list)) + return; +@@ -656,13 +657,13 @@ static void mt76_txq_schedule_pending(struct mt76_phy *phy) + list_splice_init(&phy->tx_list, &tx_list); + while (!list_empty(&tx_list)) { + struct mt76_wcid *wcid; +- int ret; + + wcid = list_first_entry(&tx_list, struct mt76_wcid, tx_list); + list_del_init(&wcid->tx_list); + + spin_unlock(&phy->tx_lock); +- ret = mt76_txq_schedule_pending_wcid(phy, wcid, &wcid->tx_offchannel); ++ if (ret >= 0) ++ ret = mt76_txq_schedule_pending_wcid(phy, wcid, &wcid->tx_offchannel); + if (ret >= 0 && !phy->offchannel) + ret = mt76_txq_schedule_pending_wcid(phy, wcid, &wcid->tx_pending); + spin_lock(&phy->tx_lock); +@@ -671,9 +672,6 @@ static void mt76_txq_schedule_pending(struct mt76_phy *phy) + !skb_queue_empty(&wcid->tx_offchannel) && + list_empty(&wcid->tx_list)) + list_add_tail(&wcid->tx_list, &phy->tx_list); +- +- 
if (ret < 0) +- break; + } + spin_unlock(&phy->tx_lock); + +-- +2.50.1 + diff --git a/queue-6.12/wifi-mt76-free-pending-offchannel-tx-frames-on-wcid-.patch b/queue-6.12/wifi-mt76-free-pending-offchannel-tx-frames-on-wcid-.patch new file mode 100644 index 0000000000..3ef29cb9fc --- /dev/null +++ b/queue-6.12/wifi-mt76-free-pending-offchannel-tx-frames-on-wcid-.patch @@ -0,0 +1,37 @@ +From 23c8d9bab63fdaf6bae8809696b93f4122428ce9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Aug 2025 10:53:51 +0200 +Subject: wifi: mt76: free pending offchannel tx frames on wcid cleanup + +From: Felix Fietkau + +[ Upstream commit bdeac7815629c1a32b8784922368742e183747ea ] + +Avoid leaking them or keeping the wcid on the tx list + +Fixes: 0b3be9d1d34e ("wifi: mt76: add separate tx scheduling queue for off-channel tx") +Link: https://patch.msgid.link/20250827085352.51636-5-nbd@nbd.name +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mac80211.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/wireless/mediatek/mt76/mac80211.c b/drivers/net/wireless/mediatek/mt76/mac80211.c +index 0ca83f1a3e3ea..5373f8c419b04 100644 +--- a/drivers/net/wireless/mediatek/mt76/mac80211.c ++++ b/drivers/net/wireless/mediatek/mt76/mac80211.c +@@ -1586,6 +1586,10 @@ void mt76_wcid_cleanup(struct mt76_dev *dev, struct mt76_wcid *wcid) + skb_queue_splice_tail_init(&wcid->tx_pending, &list); + spin_unlock(&wcid->tx_pending.lock); + ++ spin_lock(&wcid->tx_offchannel.lock); ++ skb_queue_splice_tail_init(&wcid->tx_offchannel, &list); ++ spin_unlock(&wcid->tx_offchannel.lock); ++ + spin_unlock_bh(&phy->tx_lock); + + while ((skb = __skb_dequeue(&list)) != NULL) { +-- +2.50.1 + diff --git a/queue-6.12/wifi-mt76-mt7925-fix-locking-in-mt7925_change_vif_li.patch b/queue-6.12/wifi-mt76-mt7925-fix-locking-in-mt7925_change_vif_li.patch new file mode 100644 index 0000000000..897fbfc4fc --- /dev/null 
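Review bot: in the mt76_txq_schedule_pending() hunk of 'wifi: mt76: fix linked list corruption', hoisting `ret` out of the loop and replacing `if (ret < 0) break;` with `if (ret >= 0)` guards makes `ret` sticky: after the first failure the loop still drains every wcid from the on-stack `tx_list` and re-adds those with pending frames to `phy->tx_list` via the `list_add_tail` in the trailing context, which is what stops a wcid from being left on a list that goes out of scope. That sticky-error design is not obvious from the code and merits a one-line comment above the first `if (ret >= 0)`; the first half of the re-add condition lies outside the hunk, so confirm it still covers `tx_pending` as well as `tx_offchannel`.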
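Review bot: in the mt76_wcid_cleanup() hunk of 'wifi: mt76: free pending offchannel tx frames on wcid cleanup', the tx_offchannel splice follows the same lock pattern as tx_pending (queue lock taken inside phy->tx_lock), so the ordering is consistent. The message also says the wcid must not be kept on the tx list, but the hunk only moves frames; the `list_del_init(&wcid->tx_list)` that achieves that is outside the visible context and should sit inside the same `phy->tx_lock` section, otherwise mt76_txq_schedule_pending() can still pick up a wcid whose queues were just emptied.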
+++ b/queue-6.12/wifi-mt76-mt7925-fix-locking-in-mt7925_change_vif_li.patch @@ -0,0 +1,43 @@ +From 92ab92579037cf7498349a36b3944ed28a45f7ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 27 Jul 2025 07:04:13 -0700 +Subject: wifi: mt76: mt7925: fix locking in mt7925_change_vif_links() + +From: Harshit Mogalapalli + +[ Upstream commit 9f15701370ec15fbf1f6a1cbbf584b0018d036b5 ] + +&dev->mt76.mutex lock is taken using mt792x_mutex_acquire(dev) but not +released in one of the error paths, add the unlock to fix it. + +Fixes: 5cd0bd815c8a ("wifi: mt76: mt7925: fix NULL deref check in mt7925_change_vif_links") +Reported-by: kernel test robot +Reported-by: Dan Carpenter +Closes: https://lore.kernel.org/r/202503031055.3ZRqxhAl-lkp@intel.com/ +Signed-off-by: Harshit Mogalapalli +Link: https://patch.msgid.link/20250727140416.1153406-1-harshit.m.mogalapalli@oracle.com +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7925/main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net/wireless/mediatek/mt76/mt7925/main.c +index a635b223dab18..53831e1e00424 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c +@@ -2005,8 +2005,10 @@ mt7925_change_vif_links(struct ieee80211_hw *hw, struct ieee80211_vif *vif, + GFP_KERNEL); + mlink = devm_kzalloc(dev->mt76.dev, sizeof(*mlink), + GFP_KERNEL); +- if (!mconf || !mlink) ++ if (!mconf || !mlink) { ++ mt792x_mutex_release(dev); + return -ENOMEM; ++ } + } + + mconfs[link_id] = mconf; +-- +2.50.1 + diff --git a/queue-6.12/wifi-mt76-prevent-non-offchannel-mgmt-tx-during-scan.patch b/queue-6.12/wifi-mt76-prevent-non-offchannel-mgmt-tx-during-scan.patch new file mode 100644 index 0000000000..654558a273 --- /dev/null +++ b/queue-6.12/wifi-mt76-prevent-non-offchannel-mgmt-tx-during-scan.patch 
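Review bot: in the mt7925_change_vif_links() hunk, releasing the mutex on the `!mconf || !mlink` path fixes the lock leak; since both buffers are devm_kzalloc'd, a failed `mlink` allocation leaves `mconf` attached to the device until driver detach, a small leak on an already-failing path that devm_kfree() could tidy. Worth a pass over the other early returns in the same function to check that each one after mt792x_mutex_acquire() also releases, given that the Fixes commit missed this one.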
@@ -0,0 +1,47 @@ +From a292faa1cd56a2193bc8b5e813bb534a5cfb0b8b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Aug 2025 14:11:06 +0200 +Subject: wifi: mt76: prevent non-offchannel mgmt tx during scan/roc + +From: Felix Fietkau + +[ Upstream commit 4c2334587b0a13b8f4eda1336ae657297fcd743b ] + +Only put probe request packets in the offchannel queue if +IEEE80211_TX_CTRL_DONT_USE_RATE_MASK is set and IEEE80211_TX_CTL_TX_OFFCHAN +is unset. + +Fixes: 0b3be9d1d34e ("wifi: mt76: add separate tx scheduling queue for off-channel tx") +Reported-by: Chad Monroe +Link: https://patch.msgid.link/20250813121106.81559-2-nbd@nbd.name +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/tx.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/tx.c b/drivers/net/wireless/mediatek/mt76/tx.c +index 065a1e4537457..5e081972bf445 100644 +--- a/drivers/net/wireless/mediatek/mt76/tx.c ++++ b/drivers/net/wireless/mediatek/mt76/tx.c +@@ -334,6 +334,7 @@ mt76_tx(struct mt76_phy *phy, struct ieee80211_sta *sta, + struct mt76_wcid *wcid, struct sk_buff *skb) + { + struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); ++ struct ieee80211_hdr *hdr = (void *)skb->data; + struct sk_buff_head *head; + + if (mt76_testmode_enabled(phy)) { +@@ -351,7 +352,8 @@ mt76_tx(struct mt76_phy *phy, struct ieee80211_sta *sta, + info->hw_queue |= FIELD_PREP(MT_TX_HW_QUEUE_PHY, phy->band_idx); + + if ((info->flags & IEEE80211_TX_CTL_TX_OFFCHAN) || +- (info->control.flags & IEEE80211_TX_CTRL_DONT_USE_RATE_MASK)) ++ ((info->control.flags & IEEE80211_TX_CTRL_DONT_USE_RATE_MASK) && ++ ieee80211_is_probe_req(hdr->frame_control))) + head = &wcid->tx_offchannel; + else + head = &wcid->tx_pending; +-- +2.50.1 + 
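Review bot: in the mt76_tx() hunk, the `hdr` cast assumes `skb->data` starts with an 802.11 header; that holds because `ieee80211_is_probe_req(hdr->frame_control)` is only evaluated when IEEE80211_TX_CTRL_DONT_USE_RATE_MASK is set, which is not applied to data frames, so the 802.3 encap-offload path never reaches the read. The `&&` short-circuit is therefore load-bearing and deserves a comment, since reordering the condition would read an Ethernet header as frame_control.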
diff --git a/queue-6.12/xirc2ps_cs-fix-register-access-when-enabling-fulldup.patch b/queue-6.12/xirc2ps_cs-fix-register-access-when-enabling-fulldup.patch new file mode 100644 index 0000000000..a4362f0289 --- /dev/null +++ b/queue-6.12/xirc2ps_cs-fix-register-access-when-enabling-fulldup.patch @@ -0,0 +1,44 @@ +From 98f1a7a60b979493e9b4feeb4a840ef324d90232 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Aug 2025 12:26:43 -0700 +Subject: xirc2ps_cs: fix register access when enabling FullDuplex + +From: Alok Tiwari + +[ Upstream commit b79e498080b170fd94fc83bca2471f450811549b ] + +The current code incorrectly passes (XIRCREG1_ECR | FullDuplex) as +the register address to GetByte(), instead of fetching the register +value and OR-ing it with FullDuplex. This results in an invalid +register access. + +Fix it by reading XIRCREG1_ECR first, then or-ing with FullDuplex +before writing it back. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Alok Tiwari +Reviewed-by: Simon Horman +Reviewed-by: Jacob Keller +Link: https://patch.msgid.link/20250827192645.658496-1-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/xircom/xirc2ps_cs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/xircom/xirc2ps_cs.c b/drivers/net/ethernet/xircom/xirc2ps_cs.c +index a31d5d5e65936..97e88886253f5 100644 +--- a/drivers/net/ethernet/xircom/xirc2ps_cs.c ++++ b/drivers/net/ethernet/xircom/xirc2ps_cs.c +@@ -1576,7 +1576,7 @@ do_reset(struct net_device *dev, int full) + msleep(40); /* wait 40 msec to let it complete */ + } + if (full_duplex) +- PutByte(XIRCREG1_ECR, GetByte(XIRCREG1_ECR | FullDuplex)); ++ PutByte(XIRCREG1_ECR, GetByte(XIRCREG1_ECR) | FullDuplex); + } else { /* No MII */ + SelectPage(0); + value = GetByte(XIRCREG_ESR); /* read the ESR */ +-- +2.50.1 + 
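Review bot: moving the closing parenthesis in the `do_reset()` hunk turns `GetByte(XIRCREG1_ECR | FullDuplex)`, a read from whatever register address the OR happens to produce, into the intended read-modify-write `GetByte(XIRCREG1_ECR) | FullDuplex`. One thing to confirm in review: the hunk only sets the bit under `if (full_duplex)` and never clears it, so a later `do_reset()` after the link renegotiates to half duplex depends on the register being reinitialised elsewhere; if it is not, an explicit clear in an `else` branch would make the duplex state deterministic.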
diff --git a/queue-6.16/ax25-properly-unshare-skbs-in-ax25_kiss_rcv.patch b/queue-6.16/ax25-properly-unshare-skbs-in-ax25_kiss_rcv.patch new file mode 100644 index 0000000000..65f0577f4a --- /dev/null +++ b/queue-6.16/ax25-properly-unshare-skbs-in-ax25_kiss_rcv.patch 
@@ -0,0 +1,59 @@ +From aaa0899200bf3ec0abf75f1948da2463de72b5c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Sep 2025 12:46:42 +0000 +Subject: ax25: properly unshare skbs in ax25_kiss_rcv() + +From: Eric Dumazet + +[ Upstream commit 8156210d36a43e76372312c87eb5ea3dbb405a85 ] + +Bernard Pidoux reported a regression apparently caused by commit +c353e8983e0d ("net: introduce per netns packet chains"). + +skb->dev becomes NULL and we crash in __netif_receive_skb_core(). + +Before above commit, different kind of bugs or corruptions could happen +without a major crash. + +But the root cause is that ax25_kiss_rcv() can queue/mangle input skb +without checking if this skb is shared or not. + +Many thanks to Bernard Pidoux for his help, diagnosis and tests. + +We had a similar issue years ago fixed with commit 7aaed57c5c28 +("phonet: properly unshare skbs in phonet_rcv()"). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Bernard Pidoux +Closes: https://lore.kernel.org/netdev/1713f383-c538-4918-bc64-13b3288cd542@free.fr/ +Tested-by: Bernard Pidoux +Signed-off-by: Eric Dumazet +Cc: Joerg Reuter +Cc: David Ranch +Cc: Folkert van Heusden +Reviewed-by: Dan Cross +Link: https://patch.msgid.link/20250902124642.212705-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ax25/ax25_in.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/ax25/ax25_in.c b/net/ax25/ax25_in.c +index 1cac25aca6378..f2d66af863595 100644 +--- a/net/ax25/ax25_in.c ++++ b/net/ax25/ax25_in.c +@@ -433,6 +433,10 @@ static int ax25_rcv(struct sk_buff *skb, struct net_device *dev, + int ax25_kiss_rcv(struct sk_buff *skb, struct net_device *dev, + struct packet_type *ptype, struct net_device *orig_dev) + { ++ skb = skb_share_check(skb, GFP_ATOMIC); ++ if (!skb) ++ return NET_RX_DROP; ++ + skb_orphan(skb); + + if (!net_eq(dev_net(dev), &init_net)) { +-- +2.50.1 + 
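Review bot: the placement of `skb_share_check()` at the very top of `ax25_kiss_rcv()`, ahead of `skb_orphan()`, is the essential part of the hunk: `skb_orphan()` rewrites the skb's owner and destructor, which on a shared skb is exactly the mangling the commit message describes, so unsharing must come first. The bare `return NET_RX_DROP` on NULL is correct and does not leak, because `skb_share_check()` frees the original when the clone fails, and `GFP_ATOMIC` is the right flag for a `packet_type` receive handler running in softirq context. Since the Fixes tag points at the initial git import, every stable tree taking this should receive the identical four lines.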
diff --git a/queue-6.16/bluetooth-fix-use-after-free-in-l2cap_sock_cleanup_l.patch b/queue-6.16/bluetooth-fix-use-after-free-in-l2cap_sock_cleanup_l.patch new file mode 100644 index 0000000000..616b3c1ee5 --- /dev/null +++ b/queue-6.16/bluetooth-fix-use-after-free-in-l2cap_sock_cleanup_l.patch 
@@ -0,0 +1,171 @@ +From c5e552646706ef4eb4476554c6fc8b639b32ae31 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Aug 2025 20:40:14 +0000 +Subject: Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen() + +From: Kuniyuki Iwashima + +[ Upstream commit 862c628108562d8c7a516a900034823b381d3cba ] + +syzbot reported the splat below without a repro. + +In the splat, a single thread calling bt_accept_dequeue() freed sk +and touched it after that. + +The root cause would be the racy l2cap_sock_cleanup_listen() call +added by the cited commit. + +bt_accept_dequeue() is called under lock_sock() except for +l2cap_sock_release(). + +Two threads could see the same socket during the list iteration +in bt_accept_dequeue(): + + CPU1 CPU2 (close()) + ---- ---- + sock_hold(sk) sock_hold(sk); + lock_sock(sk) <-- block close() + sock_put(sk) + bt_accept_unlink(sk) + sock_put(sk) <-- refcnt by bt_accept_enqueue() + release_sock(sk) + lock_sock(sk) + sock_put(sk) + bt_accept_unlink(sk) + sock_put(sk) <-- last refcnt + bt_accept_unlink(sk) <-- UAF + +Depending on the timing, the other thread could show up in the +"Freed by task" part. + +Let's call l2cap_sock_cleanup_listen() under lock_sock() in +l2cap_sock_release(). 
+ +[0]: +BUG: KASAN: slab-use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline] +BUG: KASAN: slab-use-after-free in do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115 +Read of size 4 at addr ffff88803b7eb1c4 by task syz.5.3276/16995 +CPU: 3 UID: 0 PID: 16995 Comm: syz.5.3276 Not tainted syzkaller #0 PREEMPT(full) +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0xcd/0x630 mm/kasan/report.c:482 + kasan_report+0xe0/0x110 mm/kasan/report.c:595 + debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline] + do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115 + spin_lock_bh include/linux/spinlock.h:356 [inline] + release_sock+0x21/0x220 net/core/sock.c:3746 + bt_accept_dequeue+0x505/0x600 net/bluetooth/af_bluetooth.c:312 + l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451 + l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425 + __sock_release+0xb3/0x270 net/socket.c:649 + sock_close+0x1c/0x30 net/socket.c:1439 + __fput+0x3ff/0xb70 fs/file_table.c:468 + task_work_run+0x14d/0x240 kernel/task_work.c:227 + resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] + exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43 + exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline] + syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline] + syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline] + do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f2accf8ebe9 +Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff 
f7 d8 64 89 01 48 +RSP: 002b:00007ffdb6cb1378 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 +RAX: 0000000000000000 RBX: 00000000000426fb RCX: 00007f2accf8ebe9 +RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 +RBP: 00007f2acd1b7da0 R08: 0000000000000001 R09: 00000012b6cb166f +R10: 0000001b30e20000 R11: 0000000000000246 R12: 00007f2acd1b609c +R13: 00007f2acd1b6090 R14: ffffffffffffffff R15: 00007ffdb6cb1490 + + +Allocated by task 5326: + kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 + kasan_save_track+0x14/0x30 mm/kasan/common.c:68 + poison_kmalloc_redzone mm/kasan/common.c:388 [inline] + __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:405 + kasan_kmalloc include/linux/kasan.h:260 [inline] + __do_kmalloc_node mm/slub.c:4365 [inline] + __kmalloc_noprof+0x223/0x510 mm/slub.c:4377 + kmalloc_noprof include/linux/slab.h:909 [inline] + sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2239 + sk_alloc+0x36/0xc20 net/core/sock.c:2295 + bt_sock_alloc+0x3b/0x3a0 net/bluetooth/af_bluetooth.c:151 + l2cap_sock_alloc.constprop.0+0x33/0x1d0 net/bluetooth/l2cap_sock.c:1894 + l2cap_sock_new_connection_cb+0x101/0x240 net/bluetooth/l2cap_sock.c:1482 + l2cap_connect_cfm+0x4c4/0xf80 net/bluetooth/l2cap_core.c:7287 + hci_connect_cfm include/net/bluetooth/hci_core.h:2050 [inline] + hci_remote_features_evt+0x4dd/0x970 net/bluetooth/hci_event.c:3712 + hci_event_func net/bluetooth/hci_event.c:7519 [inline] + hci_event_packet+0xa0d/0x11c0 net/bluetooth/hci_event.c:7573 + hci_rx_work+0x2c5/0x16b0 net/bluetooth/hci_core.c:4071 + process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236 + process_scheduled_works kernel/workqueue.c:3319 [inline] + worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400 + kthread+0x3c2/0x780 kernel/kthread.c:463 + ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 + +Freed by task 16995: + kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 + kasan_save_track+0x14/0x30 mm/kasan/common.c:68 + 
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576 + poison_slab_object mm/kasan/common.c:243 [inline] + __kasan_slab_free+0x60/0x70 mm/kasan/common.c:275 + kasan_slab_free include/linux/kasan.h:233 [inline] + slab_free_hook mm/slub.c:2417 [inline] + slab_free mm/slub.c:4680 [inline] + kfree+0x2b4/0x4d0 mm/slub.c:4879 + sk_prot_free net/core/sock.c:2278 [inline] + __sk_destruct+0x75f/0x9a0 net/core/sock.c:2373 + sk_destruct+0xc2/0xf0 net/core/sock.c:2401 + __sk_free+0xf4/0x3e0 net/core/sock.c:2412 + sk_free+0x6a/0x90 net/core/sock.c:2423 + sock_put include/net/sock.h:1960 [inline] + bt_accept_unlink+0x245/0x2e0 net/bluetooth/af_bluetooth.c:262 + bt_accept_dequeue+0x517/0x600 net/bluetooth/af_bluetooth.c:308 + l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451 + l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425 + __sock_release+0xb3/0x270 net/socket.c:649 + sock_close+0x1c/0x30 net/socket.c:1439 + __fput+0x3ff/0xb70 fs/file_table.c:468 + task_work_run+0x14d/0x240 kernel/task_work.c:227 + resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] + exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43 + exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline] + syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline] + syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline] + do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: 1728137b33c0 ("Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb") +Reported-by: syzbot+e5e64cdf8e92046dd3e1@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/linux-bluetooth/68af6b9d.a70a0220.3cafd4.0032.GAE@google.com/ +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_sock.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c +index 
82d943c4cb505..05b7480970f72 100644 +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -1422,7 +1422,10 @@ static int l2cap_sock_release(struct socket *sock) + if (!sk) + return 0; + ++ lock_sock_nested(sk, L2CAP_NESTING_PARENT); + l2cap_sock_cleanup_listen(sk); ++ release_sock(sk); ++ + bt_sock_unlink(&l2cap_sk_list, sk); + + err = l2cap_sock_shutdown(sock, SHUT_RDWR); +-- +2.50.1 + diff --git a/queue-6.16/bluetooth-vhci-prevent-use-after-free-by-removing-de.patch b/queue-6.16/bluetooth-vhci-prevent-use-after-free-by-removing-de.patch new file mode 100644 index 0000000000..07915603e1 --- /dev/null +++ b/queue-6.16/bluetooth-vhci-prevent-use-after-free-by-removing-de.patch 
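Review bot: a brief comment above `lock_sock_nested(sk, L2CAP_NESTING_PARENT)` in the `l2cap_sock_release()` hunk would help: the nested variant is needed because `l2cap_sock_cleanup_listen()` reaches `bt_accept_dequeue()`, which takes `lock_sock()` on each child socket while the parent is held (the CPU1/CPU2 diagram in the message shows that), and a plain `lock_sock()` on the parent would trip lockdep. The lock is dropped again before `bt_sock_unlink()` and `l2cap_sock_shutdown()`; that matches the stated goal of serialising the accept-queue iteration only, but the message could say those two calls provide their own locking so reviewers do not go looking for a second window.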
@@ -0,0 +1,125 @@ +From b9c4d984bc2df5ed128d0915438375554b0fa201 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Aug 2025 10:53:25 -0400 +Subject: Bluetooth: vhci: Prevent use-after-free by removing debugfs files + early + +From: Ivan Pravdin + +[ Upstream commit 28010791193a4503f054e8d69a950ef815deb539 ] + +Move the creation of debugfs files into a dedicated function, and ensure +they are explicitly removed during vhci_release(), before associated +data structures are freed. + +Previously, debugfs files such as "force_suspend", "force_wakeup", and +others were created under hdev->debugfs but not removed in +vhci_release(). Since vhci_release() frees the backing vhci_data +structure, any access to these files after release would result in +use-after-free errors. + +Although hdev->debugfs is later freed in hci_release_dev(), user can +access files after vhci_data is freed but before hdev->debugfs is +released. + +Fixes: ab4e4380d4e1 ("Bluetooth: Add vhci devcoredump support") +Signed-off-by: Ivan Pravdin +Reviewed-by: Paul Menzel +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/hci_vhci.c | 57 ++++++++++++++++++++++++++---------- + 1 file changed, 41 insertions(+), 16 deletions(-) + +diff --git a/drivers/bluetooth/hci_vhci.c b/drivers/bluetooth/hci_vhci.c +index f7d8c3c00655a..2fef08254d78d 100644 +--- a/drivers/bluetooth/hci_vhci.c ++++ b/drivers/bluetooth/hci_vhci.c +@@ -380,6 +380,28 @@ static const struct file_operations force_devcoredump_fops = { + .write = force_devcd_write, + }; + ++static void vhci_debugfs_init(struct vhci_data *data) ++{ ++ struct hci_dev *hdev = data->hdev; ++ ++ debugfs_create_file("force_suspend", 0644, hdev->debugfs, data, ++ &force_suspend_fops); ++ ++ debugfs_create_file("force_wakeup", 0644, hdev->debugfs, data, ++ &force_wakeup_fops); ++ ++ if (IS_ENABLED(CONFIG_BT_MSFTEXT)) ++ debugfs_create_file("msft_opcode", 0644, hdev->debugfs, data, ++ &msft_opcode_fops); ++ ++ if 
(IS_ENABLED(CONFIG_BT_AOSPEXT)) ++ debugfs_create_file("aosp_capable", 0644, hdev->debugfs, data, ++ &aosp_capable_fops); ++ ++ debugfs_create_file("force_devcoredump", 0644, hdev->debugfs, data, ++ &force_devcoredump_fops); ++} ++ + static int __vhci_create_device(struct vhci_data *data, __u8 opcode) + { + struct hci_dev *hdev; +@@ -434,22 +456,8 @@ static int __vhci_create_device(struct vhci_data *data, __u8 opcode) + return -EBUSY; + } + +- debugfs_create_file("force_suspend", 0644, hdev->debugfs, data, +- &force_suspend_fops); +- +- debugfs_create_file("force_wakeup", 0644, hdev->debugfs, data, +- &force_wakeup_fops); +- +- if (IS_ENABLED(CONFIG_BT_MSFTEXT)) +- debugfs_create_file("msft_opcode", 0644, hdev->debugfs, data, +- &msft_opcode_fops); +- +- if (IS_ENABLED(CONFIG_BT_AOSPEXT)) +- debugfs_create_file("aosp_capable", 0644, hdev->debugfs, data, +- &aosp_capable_fops); +- +- debugfs_create_file("force_devcoredump", 0644, hdev->debugfs, data, +- &force_devcoredump_fops); ++ if (!IS_ERR_OR_NULL(hdev->debugfs)) ++ vhci_debugfs_init(data); + + hci_skb_pkt_type(skb) = HCI_VENDOR_PKT; + +@@ -651,6 +659,21 @@ static int vhci_open(struct inode *inode, struct file *file) + return 0; + } + ++static void vhci_debugfs_remove(struct hci_dev *hdev) ++{ ++ debugfs_lookup_and_remove("force_suspend", hdev->debugfs); ++ ++ debugfs_lookup_and_remove("force_wakeup", hdev->debugfs); ++ ++ if (IS_ENABLED(CONFIG_BT_MSFTEXT)) ++ debugfs_lookup_and_remove("msft_opcode", hdev->debugfs); ++ ++ if (IS_ENABLED(CONFIG_BT_AOSPEXT)) ++ debugfs_lookup_and_remove("aosp_capable", hdev->debugfs); ++ ++ debugfs_lookup_and_remove("force_devcoredump", hdev->debugfs); ++} ++ + static int vhci_release(struct inode *inode, struct file *file) + { + struct vhci_data *data = file->private_data; +@@ -662,6 +685,8 @@ static int vhci_release(struct inode *inode, struct file *file) + hdev = data->hdev; + + if (hdev) { ++ if (!IS_ERR_OR_NULL(hdev->debugfs)) ++ vhci_debugfs_remove(hdev); + 
hci_unregister_dev(hdev); + hci_free_dev(hdev); + } +-- +2.50.1 + diff --git a/queue-6.16/bnxt_en-fix-incorrect-page-count-in-rx-aggr-ring-log.patch b/queue-6.16/bnxt_en-fix-incorrect-page-count-in-rx-aggr-ring-log.patch new file mode 100644 index 0000000000..876614fa4e --- /dev/null +++ b/queue-6.16/bnxt_en-fix-incorrect-page-count-in-rx-aggr-ring-log.patch 
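Review bot: the `if (!IS_ERR_OR_NULL(hdev->debugfs)) vhci_debugfs_init(data);` guard in the `__vhci_create_device()` hunk is a small behaviour change worth a sentence in the message: the removed inline `debugfs_create_file()` calls passed `hdev->debugfs` unconditionally, and a NULL parent means the debugfs root, so the NULL half of the guard stops these files from landing in `/sys/kernel/debug` itself when the device has no directory; the `IS_ERR` half is belt-and-braces since the debugfs helpers already pass error-pointer parents through. The fragile part is the two hand-maintained name lists (`force_suspend`, `force_wakeup`, `msft_opcode`, `aosp_capable`, `force_devcoredump`); a shared table driving both `vhci_debugfs_init()` and `vhci_debugfs_remove()` would keep create and remove in sync.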
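Review bot: the ordering in the `vhci_release()` hunk is the fix itself and deserves a comment: `vhci_debugfs_remove(hdev)` runs before `hci_unregister_dev(hdev)` and before the `vhci_data` that the fops dereference is freed, and `debugfs_lookup_and_remove()` both drops its own lookup reference and waits for in-flight accesses to the file to finish, which is what turns this from "narrowing the window" into closing it. The message already notes that `hdev->debugfs` itself is freed later in `hci_release_dev()`; removing the children early does not interfere with that recursive removal.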
@@ -0,0 +1,44 @@ +From 515da162e6c0a22d5898c33f1ad5a4f8b575b56d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Aug 2025 23:23:27 -0700 +Subject: bnxt_en: fix incorrect page count in RX aggr ring log + +From: Alok Tiwari + +[ Upstream commit 7000f4fa9b24ae2511b07babd0d49e888db5d265 ] + +The warning in bnxt_alloc_one_rx_ring_netmem() reports the number +of pages allocated for the RX aggregation ring. However, it +mistakenly used bp->rx_ring_size instead of bp->rx_agg_ring_size, +leading to confusing or misleading log output. + +Use the correct bp->rx_agg_ring_size value to fix this. + +Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.") +Signed-off-by: Alok Tiwari +Reviewed-by: Jacob Keller +Reviewed-by: Michael Chan +Reviewed-by: Somnath Kotur +Link: https://patch.msgid.link/20250830062331.783783-1-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index cb76ab78904fc..d47c1d81c49b8 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -4390,7 +4390,7 @@ static void bnxt_alloc_one_rx_ring_netmem(struct bnxt *bp, + for (i = 0; i < bp->rx_agg_ring_size; i++) { + if (bnxt_alloc_rx_netmem(bp, rxr, prod, GFP_KERNEL)) { + netdev_warn(bp->dev, "init'ed rx ring %d with %d/%d pages only\n", +- ring_nr, i, bp->rx_ring_size); ++ ring_nr, i, bp->rx_agg_ring_size); + break; + } + prod = NEXT_RX_AGG(prod); +-- +2.50.1 + diff --git a/queue-6.16/eth-mlx4-fix-is_err-vs-null-check-bug-in-mlx4_en_cre.patch b/queue-6.16/eth-mlx4-fix-is_err-vs-null-check-bug-in-mlx4_en_cre.patch new file mode 100644 index 0000000000..59dd5ed7d8 --- /dev/null +++ b/queue-6.16/eth-mlx4-fix-is_err-vs-null-check-bug-in-mlx4_en_cre.patch 
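Review bot: the change in the `bnxt_alloc_one_rx_ring_netmem()` hunk is confined to the `netdev_warn()` argument; the loop bound on the line above already iterates to `bp->rx_agg_ring_size`, so only the reported denominator changes and allocation behaviour is untouched, which makes this a safe stable candidate. It is still worth taking: when the aggregation ring comes up short this warning is the operator's only hint, and a denominator from the wrong ring sends triage in the wrong direction. Worth confirming that the sibling warning for the normal RX ring (not in this hunk) prints `bp->rx_ring_size` so the two messages stay distinguishable.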
@@ -0,0 +1,42 @@ +From 963c1288aed98d312e262c534f4dc44b26c46cbe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Aug 2025 20:18:58 +0800 +Subject: eth: mlx4: Fix IS_ERR() vs NULL check bug in mlx4_en_create_rx_ring + +From: Miaoqian Lin + +[ Upstream commit e580beaf43d563aaf457f1c7f934002355ebfe7b ] + +Replace NULL check with IS_ERR() check after calling page_pool_create() +since this function returns error pointers (ERR_PTR). +Using NULL check could lead to invalid pointer dereference. + +Fixes: 8533b14b3d65 ("eth: mlx4: create a page pool for Rx") +Signed-off-by: Miaoqian Lin +Reviewed-by: Vadim Fedorenko +Link: https://patch.msgid.link/20250828121858.67639-1-linmq006@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx4/en_rx.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx4/en_rx.c b/drivers/net/ethernet/mellanox/mlx4/en_rx.c +index b33285d755b90..a626fd0d20735 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/en_rx.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_rx.c +@@ -267,8 +267,10 @@ int mlx4_en_create_rx_ring(struct mlx4_en_priv *priv, + pp.dma_dir = priv->dma_dir; + + ring->pp = page_pool_create(&pp); +- if (!ring->pp) ++ if (IS_ERR(ring->pp)) { ++ err = PTR_ERR(ring->pp); + goto err_ring; ++ } + + if (xdp_rxq_info_reg(&ring->xdp_rxq, priv->dev, queue_index, 0) < 0) + goto err_pp; +-- +2.50.1 + diff --git a/queue-6.16/i40e-fix-potential-invalid-access-when-mac-list-is-e.patch b/queue-6.16/i40e-fix-potential-invalid-access-when-mac-list-is-e.patch new file mode 100644 index 0000000000..40230a1485 --- /dev/null +++ b/queue-6.16/i40e-fix-potential-invalid-access-when-mac-list-is-e.patch 
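Review bot: two things to confirm around the `IS_ERR(ring->pp)` hunk in `mlx4_en_create_rx_ring()`: first, that the `err_ring:` label returns `err`, otherwise the new `err = PTR_ERR(ring->pp)` is never propagated; second, that the `err_ring` path does not hand `ring->pp` to `page_pool_destroy()`, because after this hunk it holds an error pointer rather than NULL (the separate `err_pp` label used by the `xdp_rxq_info_reg()` failure just below suggests the pool teardown lives there, which is the right split). The message's "could lead to invalid pointer dereference" is accurate: a NULL test on an `ERR_PTR` passes and the pool would be used as if valid.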
@@ -0,0 +1,42 @@ +From 16b99db6dcb7778ff60c04777ea93f83b4fc5291 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Aug 2025 19:56:31 +0800 +Subject: i40e: Fix potential invalid access when MAC list is empty + +From: Zhen Ni + +[ Upstream commit a556f06338e1d5a85af0e32ecb46e365547f92b9 ] + +list_first_entry() never returns NULL - if the list is empty, it still +returns a pointer to an invalid object, leading to potential invalid +memory access when dereferenced. + +Fix this by using list_first_entry_or_null instead of list_first_entry. + +Fixes: e3219ce6a775 ("i40e: Add support for client interface for IWARP driver") +Signed-off-by: Zhen Ni +Reviewed-by: Paul Menzel +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_client.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_client.c b/drivers/net/ethernet/intel/i40e/i40e_client.c +index 59263551c3838..0b099e5f48163 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_client.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_client.c +@@ -359,8 +359,8 @@ static void i40e_client_add_instance(struct i40e_pf *pf) + if (i40e_client_get_params(vsi, &cdev->lan_info.params)) + goto free_cdev; + +- mac = list_first_entry(&cdev->lan_info.netdev->dev_addrs.list, +- struct netdev_hw_addr, list); ++ mac = list_first_entry_or_null(&cdev->lan_info.netdev->dev_addrs.list, ++ struct netdev_hw_addr, list); + if (mac) + ether_addr_copy(cdev->lan_info.lanmac, mac->addr); + else +-- +2.50.1 + diff --git a/queue-6.16/i40e-remove-read-access-to-debugfs-files.patch b/queue-6.16/i40e-remove-read-access-to-debugfs-files.patch new file mode 100644 index 0000000000..36a6631fa8 --- /dev/null +++ b/queue-6.16/i40e-remove-read-access-to-debugfs-files.patch 
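Review bot: the switch to `list_first_entry_or_null()` in the `i40e_client_add_instance()` hunk makes the pre-existing `if (mac) ... else` meaningful for the first time; with `list_first_entry()` the `else` arm was unreachable and an empty `dev_addrs.list` yielded a pointer computed from the list head instead, exactly as the message says. Because the `else` arm already exists no further change is needed, but a comment that the NULL case is expected rather than a bug would stop a later cleanup from "simplifying" it back to `list_first_entry()`.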
@@ -0,0 +1,286 @@ +From 7353c3b4b184c4310909e123bf6a7e9a057f4b51 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Jul 2025 17:14:37 -0700 +Subject: i40e: remove read access to debugfs files + +From: Jacob Keller + +[ Upstream commit 9fcdb1c3c4ba134434694c001dbff343f1ffa319 ] + +The 'command' and 'netdev_ops' debugfs files are a legacy debugging +interface supported by the i40e driver since its early days by commit +02e9c290814c ("i40e: debugfs interface"). + +Both of these debugfs files provide a read handler which is mostly useless, +and which is implemented with questionable logic. They both use a static +256 byte buffer which is initialized to the empty string. In the case of +the 'command' file this buffer is literally never used and simply wastes +space. In the case of the 'netdev_ops' file, the last command written is +saved here. + +On read, the files contents are presented as the name of the device +followed by a colon and then the contents of their respective static +buffer. For 'command' this will always be ": ". For 'netdev_ops', +this will be ": ". But note the buffer is +shared between all devices operated by this module. At best, it is mostly +meaningless information, and at worse it could be accessed simultaneously +as there doesn't appear to be any locking mechanism. + +We have also recently received multiple reports for both read functions +about their use of snprintf and potential overflow that could result in +reading arbitrary kernel memory. For the 'command' file, this is definitely +impossible, since the static buffer is always zero and never written to. +For the 'netdev_ops' file, it does appear to be possible, if the user +carefully crafts the command input, it will be copied into the buffer, +which could be large enough to cause snprintf to truncate, which then +causes the copy_to_user to read beyond the length of the buffer allocated +by kzalloc. 
+ +A minimal fix would be to replace snprintf() with scnprintf() which would +cap the return to the number of bytes written, preventing an overflow. A +more involved fix would be to drop the mostly useless static buffers, +saving 512 bytes and modifying the read functions to stop needing those as +input. + +Instead, lets just completely drop the read access to these files. These +are debug interfaces exposed as part of debugfs, and I don't believe that +dropping read access will break any script, as the provided output is +pretty useless. You can find the netdev name through other more standard +interfaces, and the 'netdev_ops' interface can easily result in garbage if +you issue simultaneous writes to multiple devices at once. + +In order to properly remove the i40e_dbg_netdev_ops_buf, we need to +refactor its write function to avoid using the static buffer. Instead, use +the same logic as the i40e_dbg_command_write, with an allocated buffer. +Update the code to use this instead of the static buffer, and ensure we +free the buffer on exit. This fixes simultaneous writes to 'netdev_ops' on +multiple devices, and allows us to remove the now unused static buffer +along with removing the read access. 
+ +Fixes: 02e9c290814c ("i40e: debugfs interface") +Reported-by: Kunwu Chan +Closes: https://lore.kernel.org/intel-wired-lan/20231208031950.47410-1-chentao@kylinos.cn/ +Reported-by: Wang Haoran +Closes: https://lore.kernel.org/all/CANZ3JQRRiOdtfQJoP9QM=6LS1Jto8PGBGw6y7-TL=BcnzHQn1Q@mail.gmail.com/ +Reported-by: Amir Mohammad Jahangirzad +Closes: https://lore.kernel.org/all/20250722115017.206969-1-a.jahangirzad@gmail.com/ +Signed-off-by: Jacob Keller +Reviewed-by: Dawid Osuchowski +Reviewed-by: Aleksandr Loktionov +Reviewed-by: Simon Horman +Reviewed-by: Kunwu Chan +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + .../net/ethernet/intel/i40e/i40e_debugfs.c | 123 +++--------------- + 1 file changed, 19 insertions(+), 104 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_debugfs.c b/drivers/net/ethernet/intel/i40e/i40e_debugfs.c +index 6cd9da662ae11..a5c794371dfe6 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_debugfs.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_debugfs.c +@@ -40,48 +40,6 @@ static struct i40e_vsi *i40e_dbg_find_vsi(struct i40e_pf *pf, int seid) + * setup, adding or removing filters, or other things. Many of + * these will be useful for some forms of unit testing. 
+ **************************************************************/ +-static char i40e_dbg_command_buf[256] = ""; +- +-/** +- * i40e_dbg_command_read - read for command datum +- * @filp: the opened file +- * @buffer: where to write the data for the user to read +- * @count: the size of the user's buffer +- * @ppos: file position offset +- **/ +-static ssize_t i40e_dbg_command_read(struct file *filp, char __user *buffer, +- size_t count, loff_t *ppos) +-{ +- struct i40e_pf *pf = filp->private_data; +- struct i40e_vsi *main_vsi; +- int bytes_not_copied; +- int buf_size = 256; +- char *buf; +- int len; +- +- /* don't allow partial reads */ +- if (*ppos != 0) +- return 0; +- if (count < buf_size) +- return -ENOSPC; +- +- buf = kzalloc(buf_size, GFP_KERNEL); +- if (!buf) +- return -ENOSPC; +- +- main_vsi = i40e_pf_get_main_vsi(pf); +- len = snprintf(buf, buf_size, "%s: %s\n", main_vsi->netdev->name, +- i40e_dbg_command_buf); +- +- bytes_not_copied = copy_to_user(buffer, buf, len); +- kfree(buf); +- +- if (bytes_not_copied) +- return -EFAULT; +- +- *ppos = len; +- return len; +-} + + static char *i40e_filter_state_string[] = { + "INVALID", +@@ -1621,7 +1579,6 @@ static ssize_t i40e_dbg_command_write(struct file *filp, + static const struct file_operations i40e_dbg_command_fops = { + .owner = THIS_MODULE, + .open = simple_open, +- .read = i40e_dbg_command_read, + .write = i40e_dbg_command_write, + }; + +@@ -1630,48 +1587,6 @@ static const struct file_operations i40e_dbg_command_fops = { + * The netdev_ops entry in debugfs is for giving the driver commands + * to be executed from the netdev operations. 
+ **************************************************************/ +-static char i40e_dbg_netdev_ops_buf[256] = ""; +- +-/** +- * i40e_dbg_netdev_ops_read - read for netdev_ops datum +- * @filp: the opened file +- * @buffer: where to write the data for the user to read +- * @count: the size of the user's buffer +- * @ppos: file position offset +- **/ +-static ssize_t i40e_dbg_netdev_ops_read(struct file *filp, char __user *buffer, +- size_t count, loff_t *ppos) +-{ +- struct i40e_pf *pf = filp->private_data; +- struct i40e_vsi *main_vsi; +- int bytes_not_copied; +- int buf_size = 256; +- char *buf; +- int len; +- +- /* don't allow partal reads */ +- if (*ppos != 0) +- return 0; +- if (count < buf_size) +- return -ENOSPC; +- +- buf = kzalloc(buf_size, GFP_KERNEL); +- if (!buf) +- return -ENOSPC; +- +- main_vsi = i40e_pf_get_main_vsi(pf); +- len = snprintf(buf, buf_size, "%s: %s\n", main_vsi->netdev->name, +- i40e_dbg_netdev_ops_buf); +- +- bytes_not_copied = copy_to_user(buffer, buf, len); +- kfree(buf); +- +- if (bytes_not_copied) +- return -EFAULT; +- +- *ppos = len; +- return len; +-} + + /** + * i40e_dbg_netdev_ops_write - write into netdev_ops datum +@@ -1685,35 +1600,36 @@ static ssize_t i40e_dbg_netdev_ops_write(struct file *filp, + size_t count, loff_t *ppos) + { + struct i40e_pf *pf = filp->private_data; ++ char *cmd_buf, *buf_tmp; + int bytes_not_copied; + struct i40e_vsi *vsi; +- char *buf_tmp; + int vsi_seid; + int i, cnt; + + /* don't allow partial writes */ + if (*ppos != 0) + return 0; +- if (count >= sizeof(i40e_dbg_netdev_ops_buf)) +- return -ENOSPC; + +- memset(i40e_dbg_netdev_ops_buf, 0, sizeof(i40e_dbg_netdev_ops_buf)); +- bytes_not_copied = copy_from_user(i40e_dbg_netdev_ops_buf, +- buffer, count); +- if (bytes_not_copied) ++ cmd_buf = kzalloc(count + 1, GFP_KERNEL); ++ if (!cmd_buf) ++ return count; ++ bytes_not_copied = copy_from_user(cmd_buf, buffer, count); ++ if (bytes_not_copied) { ++ kfree(cmd_buf); + return -EFAULT; +- 
i40e_dbg_netdev_ops_buf[count] = '\0'; ++ } ++ cmd_buf[count] = '\0'; + +- buf_tmp = strchr(i40e_dbg_netdev_ops_buf, '\n'); ++ buf_tmp = strchr(cmd_buf, '\n'); + if (buf_tmp) { + *buf_tmp = '\0'; +- count = buf_tmp - i40e_dbg_netdev_ops_buf + 1; ++ count = buf_tmp - cmd_buf + 1; + } + +- if (strncmp(i40e_dbg_netdev_ops_buf, "change_mtu", 10) == 0) { ++ if (strncmp(cmd_buf, "change_mtu", 10) == 0) { + int mtu; + +- cnt = sscanf(&i40e_dbg_netdev_ops_buf[11], "%i %i", ++ cnt = sscanf(&cmd_buf[11], "%i %i", + &vsi_seid, &mtu); + if (cnt != 2) { + dev_info(&pf->pdev->dev, "change_mtu \n"); +@@ -1735,8 +1651,8 @@ static ssize_t i40e_dbg_netdev_ops_write(struct file *filp, + dev_info(&pf->pdev->dev, "Could not acquire RTNL - please try again\n"); + } + +- } else if (strncmp(i40e_dbg_netdev_ops_buf, "set_rx_mode", 11) == 0) { +- cnt = sscanf(&i40e_dbg_netdev_ops_buf[11], "%i", &vsi_seid); ++ } else if (strncmp(cmd_buf, "set_rx_mode", 11) == 0) { ++ cnt = sscanf(&cmd_buf[11], "%i", &vsi_seid); + if (cnt != 1) { + dev_info(&pf->pdev->dev, "set_rx_mode \n"); + goto netdev_ops_write_done; +@@ -1756,8 +1672,8 @@ static ssize_t i40e_dbg_netdev_ops_write(struct file *filp, + dev_info(&pf->pdev->dev, "Could not acquire RTNL - please try again\n"); + } + +- } else if (strncmp(i40e_dbg_netdev_ops_buf, "napi", 4) == 0) { +- cnt = sscanf(&i40e_dbg_netdev_ops_buf[4], "%i", &vsi_seid); ++ } else if (strncmp(cmd_buf, "napi", 4) == 0) { ++ cnt = sscanf(&cmd_buf[4], "%i", &vsi_seid); + if (cnt != 1) { + dev_info(&pf->pdev->dev, "napi \n"); + goto netdev_ops_write_done; +@@ -1775,21 +1691,20 @@ static ssize_t i40e_dbg_netdev_ops_write(struct file *filp, + dev_info(&pf->pdev->dev, "napi called\n"); + } + } else { +- dev_info(&pf->pdev->dev, "unknown command '%s'\n", +- i40e_dbg_netdev_ops_buf); ++ dev_info(&pf->pdev->dev, "unknown command '%s'\n", cmd_buf); + dev_info(&pf->pdev->dev, "available commands\n"); + dev_info(&pf->pdev->dev, " change_mtu \n"); + dev_info(&pf->pdev->dev, " 
set_rx_mode \n"); + dev_info(&pf->pdev->dev, " napi \n"); + } + netdev_ops_write_done: ++ kfree(cmd_buf); + return count; + } + + static const struct file_operations i40e_dbg_netdev_ops_fops = { + .owner = THIS_MODULE, + .open = simple_open, +- .read = i40e_dbg_netdev_ops_read, + .write = i40e_dbg_netdev_ops_write, + }; + +-- +2.50.1 + diff --git a/queue-6.16/ice-fix-null-access-of-tx-in_use-in-ice_ll_ts_intr.patch b/queue-6.16/ice-fix-null-access-of-tx-in_use-in-ice_ll_ts_intr.patch new file mode 100644 index 0000000000..d8fafb44ff --- /dev/null +++ b/queue-6.16/ice-fix-null-access-of-tx-in_use-in-ice_ll_ts_intr.patch 
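Review bot: in the `i40e_dbg_netdev_ops_write` hunk, `kzalloc(count + 1, GFP_KERNEL)` sizes the command buffer from the user-supplied write length with no upper bound, whereas the removed code refused anything at or above `sizeof(i40e_dbg_netdev_ops_buf)` (256) with `-ENOSPC`. debugfs is root-only, so this is not a privilege problem, but every command this handler understands is a few dozen bytes long; keep a sanity cap on `count` rather than letting a large write become an equally large allocation. Separately, the allocation-failure path `if (!cmd_buf) return count;` tells the caller the whole write was consumed when nothing was parsed; `-ENOMEM` is the honest answer. Dropping `i40e_dbg_netdev_ops_read` and the static `i40e_dbg_netdev_ops_buf` is the right move: the removed write path did `memset` plus `copy_from_user` into one shared array with no lock visible, so two concurrent writers could observe each other's partially copied commands, and the read side exposed whatever the last writer left behind.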
@@ -0,0 +1,64 @@ +From 80f332fe3787a9f210136b73a691d1f1b4acb4b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Aug 2025 10:35:27 -0700 +Subject: ice: fix NULL access of tx->in_use in ice_ll_ts_intr + +From: Jacob Keller + +[ Upstream commit f6486338fde3f04ed0ec59fe67a69a208c32734f ] + +Recent versions of the E810 firmware have support for an extra interrupt to +handle report of the "low latency" Tx timestamps coming from the +specialized low latency firmware interface. Instead of polling the +registers, software can wait until the low latency interrupt is fired. + +This logic makes use of the Tx timestamp tracking structure, ice_ptp_tx, as +it uses the same "ready" bitmap to track which Tx timestamps complete. + +Unfortunately, the ice_ll_ts_intr() function does not check if the +tracker is initialized before its first access. This results in NULL +dereference or use-after-free bugs similar to the issues fixed in the +ice_ptp_ts_irq() function. + +Fix this by only checking the in_use bitmap (and other fields) if the +tracker is marked as initialized. The reset flow will clear the init field +under lock before it tears the tracker down, thus preventing any +use-after-free or NULL access. 
+ +Fixes: 82e71b226e0e ("ice: Enable SW interrupt from FW for LL TS") +Signed-off-by: Jacob Keller +Reviewed-by: Paul Menzel +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_main.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c +index d42892c8c5a12..a34faa4894739 100644 +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -3172,12 +3172,14 @@ static irqreturn_t ice_ll_ts_intr(int __always_unused irq, void *data) + hw = &pf->hw; + tx = &pf->ptp.port.tx; + spin_lock_irqsave(&tx->lock, flags); +- ice_ptp_complete_tx_single_tstamp(tx); ++ if (tx->init) { ++ ice_ptp_complete_tx_single_tstamp(tx); + +- idx = find_next_bit_wrap(tx->in_use, tx->len, +- tx->last_ll_ts_idx_read + 1); +- if (idx != tx->len) +- ice_ptp_req_tx_single_tstamp(tx, idx); ++ idx = find_next_bit_wrap(tx->in_use, tx->len, ++ tx->last_ll_ts_idx_read + 1); ++ if (idx != tx->len) ++ ice_ptp_req_tx_single_tstamp(tx, idx); ++ } + spin_unlock_irqrestore(&tx->lock, flags); + + val = GLINT_DYN_CTL_INTENA_M | GLINT_DYN_CTL_CLEARPBA_M | +-- +2.50.1 + diff --git a/queue-6.16/ice-fix-null-access-of-tx-in_use-in-ice_ptp_ts_irq.patch b/queue-6.16/ice-fix-null-access-of-tx-in_use-in-ice_ptp_ts_irq.patch new file mode 100644 index 0000000000..8f9fdd755c --- /dev/null +++ b/queue-6.16/ice-fix-null-access-of-tx-in_use-in-ice_ptp_ts_irq.patch 
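Review bot: the `tx->init` test in the `ice_ll_ts_intr` hunk is only a complete fix if the reset path clears `init` while holding `tx->lock` and frees `tx->in_use` only after dropping it, which the commit message asserts but the hunk cannot show; a one-line comment above `if (tx->init)` stating that this lock-ordering is what the check relies on would stop a later refactor from moving the clear outside the lock. Note also that the interrupt is still acknowledged and re-armed via `GLINT_DYN_CTL_INTENA_M | GLINT_DYN_CTL_CLEARPBA_M` after the unlock even when the tracker is uninitialised; that is the intended behaviour (a pending interrupt must not be left across a reset) and is worth saying in the same comment so nobody "optimises" it into an early return.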
@@ -0,0 +1,78 @@ +From 0a3843c7568757dc80c3911da4af127a1a89125a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Aug 2025 10:35:26 -0700 +Subject: ice: fix NULL access of tx->in_use in ice_ptp_ts_irq + +From: Jacob Keller + +[ Upstream commit 403bf043d9340196e06769065169df7444b91f7a ] + +The E810 device has support for a "low latency" firmware interface to +access and read the Tx timestamps. This interface does not use the standard +Tx timestamp logic, due to the latency overhead of proxying sideband +command requests over the firmware AdminQ. + +The logic still makes use of the Tx timestamp tracking structure, +ice_ptp_tx, as it uses the same "ready" bitmap to track which Tx +timestamps complete. + +Unfortunately, the ice_ptp_ts_irq() function does not check if the tracker +is initialized before its first access. This results in NULL dereference or +use-after-free bugs similar to the following: + +[245977.278756] BUG: kernel NULL pointer dereference, address: 0000000000000000 +[245977.278774] RIP: 0010:_find_first_bit+0x19/0x40 +[245977.278796] Call Trace: +[245977.278809] ? ice_misc_intr+0x364/0x380 [ice] + +This can occur if a Tx timestamp interrupt races with the driver reset +logic. + +Fix this by only checking the in_use bitmap (and other fields) if the +tracker is marked as initialized. The reset flow will clear the init field +under lock before it tears the tracker down, thus preventing any +use-after-free or NULL access. 
+ +Fixes: f9472aaabd1f ("ice: Process TSYN IRQ in a separate function") +Signed-off-by: Jacob Keller +Reviewed-by: Paul Menzel +Reviewed-by: Aleksandr Loktionov +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_ptp.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_ptp.c b/drivers/net/ethernet/intel/ice/ice_ptp.c +index 55cad824c5b9f..69e05bafb1e37 100644 +--- a/drivers/net/ethernet/intel/ice/ice_ptp.c ++++ b/drivers/net/ethernet/intel/ice/ice_ptp.c +@@ -2877,16 +2877,19 @@ irqreturn_t ice_ptp_ts_irq(struct ice_pf *pf) + */ + if (hw->dev_caps.ts_dev_info.ts_ll_int_read) { + struct ice_ptp_tx *tx = &pf->ptp.port.tx; +- u8 idx; ++ u8 idx, last; + + if (!ice_pf_state_is_nominal(pf)) + return IRQ_HANDLED; + + spin_lock(&tx->lock); +- idx = find_next_bit_wrap(tx->in_use, tx->len, +- tx->last_ll_ts_idx_read + 1); +- if (idx != tx->len) +- ice_ptp_req_tx_single_tstamp(tx, idx); ++ if (tx->init) { ++ last = tx->last_ll_ts_idx_read + 1; ++ idx = find_next_bit_wrap(tx->in_use, tx->len, ++ last); ++ if (idx != tx->len) ++ ice_ptp_req_tx_single_tstamp(tx, idx); ++ } + spin_unlock(&tx->lock); + + return IRQ_HANDLED; +-- +2.50.1 + diff --git a/queue-6.16/icmp-fix-icmp_ndo_send-address-translation-for-reply.patch b/queue-6.16/icmp-fix-icmp_ndo_send-address-translation-for-reply.patch new file mode 100644 index 0000000000..da95730abd --- /dev/null +++ b/queue-6.16/icmp-fix-icmp_ndo_send-address-translation-for-reply.patch 
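Review bot: the `ice_pf_state_is_nominal(pf)` early return that precedes the hunk is evaluated outside `tx->lock`, so by itself it cannot close the race with reset that the commit message describes; the `tx->init` check under the lock added here is the actual guard, and a comment saying so would keep someone from treating the nominal-state check as sufficient and removing the init test later. The new `last` temporary exists only to fit `find_next_bit_wrap()` on one line, but since it is a `u8` holding `tx->last_ll_ts_idx_read + 1`, it is worth confirming that this value can never exceed `tx->len` (and that `tx->len` fits in 8 bits), because `find_next_bit_wrap()` falls back to scanning the first `offset` bits and an offset past the end of the bitmap would read beyond it.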
@@ -0,0 +1,110 @@ +From c09c239e737c29a04537f72b8a4535a405a8cf1c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Aug 2025 11:14:35 +0200 +Subject: icmp: fix icmp_ndo_send address translation for reply direction +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Fabian Bläse + +[ Upstream commit c6dd1aa2cbb72b33e0569f3e71d95792beab5042 ] + +The icmp_ndo_send function was originally introduced to ensure proper +rate limiting when icmp_send is called by a network device driver, +where the packet's source address may have already been transformed +by SNAT. + +However, the original implementation only considers the +IP_CT_DIR_ORIGINAL direction for SNAT and always replaced the packet's +source address with that of the original-direction tuple. This causes +two problems: + +1. For SNAT: + Reply-direction packets were incorrectly translated using the source + address of the CT original direction, even though no translation is + required. + +2. For DNAT: + Reply-direction packets were not handled at all. In DNAT, the original + direction's destination is translated. Therefore, in the reply + direction the source address must be set to the reply-direction + source, so rate limiting works as intended. + +Fix this by using the connection direction to select the correct tuple +for source address translation, and adjust the pre-checks to handle +reply-direction packets in case of DNAT. + +Additionally, wrap the `ct->status` access in READ_ONCE(). This avoids +possible KCSAN reports about concurrent updates to `ct->status`. + +Fixes: 0b41713b6066 ("icmp: introduce helper for nat'd source address in network device context") +Signed-off-by: Fabian Bläse +Cc: Jason A. 
Donenfeld +Reviewed-by: Florian Westphal +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/icmp.c | 6 ++++-- + net/ipv6/ip6_icmp.c | 6 ++++-- + 2 files changed, 8 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c +index 717cb7d3607a1..14beae97f81b3 100644 +--- a/net/ipv4/icmp.c ++++ b/net/ipv4/icmp.c +@@ -797,11 +797,12 @@ void icmp_ndo_send(struct sk_buff *skb_in, int type, int code, __be32 info) + struct sk_buff *cloned_skb = NULL; + struct ip_options opts = { 0 }; + enum ip_conntrack_info ctinfo; ++ enum ip_conntrack_dir dir; + struct nf_conn *ct; + __be32 orig_ip; + + ct = nf_ct_get(skb_in, &ctinfo); +- if (!ct || !(ct->status & IPS_SRC_NAT)) { ++ if (!ct || !(READ_ONCE(ct->status) & IPS_NAT_MASK)) { + __icmp_send(skb_in, type, code, info, &opts); + return; + } +@@ -816,7 +817,8 @@ void icmp_ndo_send(struct sk_buff *skb_in, int type, int code, __be32 info) + goto out; + + orig_ip = ip_hdr(skb_in)->saddr; +- ip_hdr(skb_in)->saddr = ct->tuplehash[0].tuple.src.u3.ip; ++ dir = CTINFO2DIR(ctinfo); ++ ip_hdr(skb_in)->saddr = ct->tuplehash[dir].tuple.src.u3.ip; + __icmp_send(skb_in, type, code, info, &opts); + ip_hdr(skb_in)->saddr = orig_ip; + out: +diff --git a/net/ipv6/ip6_icmp.c b/net/ipv6/ip6_icmp.c +index 9e3574880cb03..233914b63bdb8 100644 +--- a/net/ipv6/ip6_icmp.c ++++ b/net/ipv6/ip6_icmp.c +@@ -54,11 +54,12 @@ void icmpv6_ndo_send(struct sk_buff *skb_in, u8 type, u8 code, __u32 info) + struct inet6_skb_parm parm = { 0 }; + struct sk_buff *cloned_skb = NULL; + enum ip_conntrack_info ctinfo; ++ enum ip_conntrack_dir dir; + struct in6_addr orig_ip; + struct nf_conn *ct; + + ct = nf_ct_get(skb_in, &ctinfo); +- if (!ct || !(ct->status & IPS_SRC_NAT)) { ++ if (!ct || !(READ_ONCE(ct->status) & IPS_NAT_MASK)) { + __icmpv6_send(skb_in, type, code, info, &parm); + return; + } +@@ -73,7 +74,8 @@ void icmpv6_ndo_send(struct sk_buff *skb_in, u8 type, u8 code, __u32 info) + goto out; + + orig_ip = 
ipv6_hdr(skb_in)->saddr; +- ipv6_hdr(skb_in)->saddr = ct->tuplehash[0].tuple.src.u3.in6; ++ dir = CTINFO2DIR(ctinfo); ++ ipv6_hdr(skb_in)->saddr = ct->tuplehash[dir].tuple.src.u3.in6; + __icmpv6_send(skb_in, type, code, info, &parm); + ipv6_hdr(skb_in)->saddr = orig_ip; + out: +-- +2.50.1 + diff --git a/queue-6.16/idpf-set-mac-type-when-adding-and-removing-mac-filte.patch b/queue-6.16/idpf-set-mac-type-when-adding-and-removing-mac-filte.patch new file mode 100644 index 0000000000..f2770be6fd --- /dev/null +++ b/queue-6.16/idpf-set-mac-type-when-adding-and-removing-mac-filte.patch 
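Review bot: widening the pre-check from `IPS_SRC_NAT` to `IPS_NAT_MASK` makes original-direction packets on DNAT-only connections (and reply-direction packets on SNAT-only ones) take the rewrite path even though the selected `tuplehash[dir].tuple.src` already equals the packet's source, so the `cloned_skb` unshare work that precedes the rewrite is spent on a no-op. Harmless, but both the IPv4 and IPv6 hunks could either skip the rewrite when the tuple source equals the header `saddr`, or tighten the pre-check to `dir == IP_CT_DIR_ORIGINAL ? IPS_SRC_NAT : IPS_DST_NAT`, which also documents which direction needs the swap and why. The two functions now carry identical direction logic; a small shared helper returning the tuple to use would keep them from drifting apart again.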
@@ -0,0 +1,116 @@ +From 2756bbcc1f0ccc8be0d33f8e7778fffd711b3d2b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Aug 2025 16:43:00 -0700 +Subject: idpf: set mac type when adding and removing MAC filters + +From: Emil Tantilov + +[ Upstream commit acf3a5c8be80fe238c1a7629db1c21c74a1f9dd4 ] + +On control planes that allow changing the MAC address of the interface, +the driver must provide a MAC type to avoid errors such as: + +idpf 0000:0a:00.0: Transaction failed (op 535) +idpf 0000:0a:00.0: Received invalid MAC filter payload (op 535) (len 0) +idpf 0000:0a:00.0: Transaction failed (op 536) + +These errors occur during driver load or when changing the MAC via: +ip link set address + +Add logic to set the MAC type when sending ADD/DEL (opcodes 535/536) to +the control plane. Since only one primary MAC is supported per vport, the +driver only needs to send an ADD opcode when setting it. Remove the old +address by calling __idpf_del_mac_filter(), which skips the message and +just clears the entry from the internal list. This avoids an error on DEL +as it attempts to remove an address already cleared by the preceding ADD +opcode. 
+ +Fixes: ce1b75d0635c ("idpf: add ptypes and MAC filter support") +Reported-by: Jian Liu +Signed-off-by: Emil Tantilov +Reviewed-by: Aleksandr Loktionov +Reviewed-by: Paul Menzel +Reviewed-by: Simon Horman +Tested-by: Samuel Salin +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/idpf/idpf_lib.c | 9 ++++++--- + drivers/net/ethernet/intel/idpf/idpf_virtchnl.c | 12 ++++++++++++ + 2 files changed, 18 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/idpf/idpf_lib.c b/drivers/net/ethernet/intel/idpf/idpf_lib.c +index e9f8da9f7979b..5fc6147ecd93c 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_lib.c ++++ b/drivers/net/ethernet/intel/idpf/idpf_lib.c +@@ -2277,6 +2277,7 @@ static int idpf_set_mac(struct net_device *netdev, void *p) + struct idpf_netdev_priv *np = netdev_priv(netdev); + struct idpf_vport_config *vport_config; + struct sockaddr *addr = p; ++ u8 old_mac_addr[ETH_ALEN]; + struct idpf_vport *vport; + int err = 0; + +@@ -2300,17 +2301,19 @@ static int idpf_set_mac(struct net_device *netdev, void *p) + if (ether_addr_equal(netdev->dev_addr, addr->sa_data)) + goto unlock_mutex; + ++ ether_addr_copy(old_mac_addr, vport->default_mac_addr); ++ ether_addr_copy(vport->default_mac_addr, addr->sa_data); + vport_config = vport->adapter->vport_config[vport->idx]; + err = idpf_add_mac_filter(vport, np, addr->sa_data, false); + if (err) { + __idpf_del_mac_filter(vport_config, addr->sa_data); ++ ether_addr_copy(vport->default_mac_addr, netdev->dev_addr); + goto unlock_mutex; + } + +- if (is_valid_ether_addr(vport->default_mac_addr)) +- idpf_del_mac_filter(vport, np, vport->default_mac_addr, false); ++ if (is_valid_ether_addr(old_mac_addr)) ++ __idpf_del_mac_filter(vport_config, old_mac_addr); + +- ether_addr_copy(vport->default_mac_addr, addr->sa_data); + eth_hw_addr_set(netdev, addr->sa_data); + + unlock_mutex: +diff --git a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c 
b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c +index 24febaaa8fbb8..cb9a27307670e 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c ++++ b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c +@@ -3507,6 +3507,16 @@ u32 idpf_get_vport_id(struct idpf_vport *vport) + return le32_to_cpu(vport_msg->vport_id); + } + ++static void idpf_set_mac_type(struct idpf_vport *vport, ++ struct virtchnl2_mac_addr *mac_addr) ++{ ++ bool is_primary; ++ ++ is_primary = ether_addr_equal(vport->default_mac_addr, mac_addr->addr); ++ mac_addr->type = is_primary ? VIRTCHNL2_MAC_ADDR_PRIMARY : ++ VIRTCHNL2_MAC_ADDR_EXTRA; ++} ++ + /** + * idpf_mac_filter_async_handler - Async callback for mac filters + * @adapter: private data struct +@@ -3636,6 +3646,7 @@ int idpf_add_del_mac_filters(struct idpf_vport *vport, + list) { + if (add && f->add) { + ether_addr_copy(mac_addr[i].addr, f->macaddr); ++ idpf_set_mac_type(vport, &mac_addr[i]); + i++; + f->add = false; + if (i == total_filters) +@@ -3643,6 +3654,7 @@ int idpf_add_del_mac_filters(struct idpf_vport *vport, + } + if (!add && f->remove) { + ether_addr_copy(mac_addr[i].addr, f->macaddr); ++ idpf_set_mac_type(vport, &mac_addr[i]); + i++; + f->remove = false; + if (i == total_filters) +-- +2.50.1 + diff --git a/queue-6.16/ipv4-fix-null-vs-error-pointer-check-in-inet_blackho.patch b/queue-6.16/ipv4-fix-null-vs-error-pointer-check-in-inet_blackho.patch new file mode 100644 index 0000000000..11c218fd43 --- /dev/null +++ b/queue-6.16/ipv4-fix-null-vs-error-pointer-check-in-inet_blackho.patch 
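Review bot: in the `idpf_set_mac` hunk the failure path restores `vport->default_mac_addr` from `netdev->dev_addr`, while the success path uses the `old_mac_addr` copy taken two lines earlier; the two should be equal, but restoring from `old_mac_addr` is the direct inverse of the copy and does not depend on `netdev->dev_addr` and `default_mac_addr` having stayed in sync. The reason `default_mac_addr` is overwritten before `idpf_add_mac_filter()` is called is that `idpf_set_mac_type()` in the second file decides PRIMARY versus EXTRA by comparing against it, so the new address goes out typed PRIMARY; that ordering is not obvious from the hunk and deserves a comment, because moving the copy back below the add (where it used to be) would silently send the new primary as an EXTRA filter. A `WARN_ON_ONCE` in `idpf_set_mac_type()` when the caller's address is all-zero or invalid would also catch a filter being typed against a stale default.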
@@ -0,0 +1,48 @@ +From fee0706be4bbb979013e394f8115faa8291d5697 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Sep 2025 09:36:08 +0300 +Subject: ipv4: Fix NULL vs error pointer check in inet_blackhole_dev_init() + +From: Dan Carpenter + +[ Upstream commit a51160f8da850a65afbf165f5bbac7ffb388bf74 ] + +The inetdev_init() function never returns NULL. Check for error +pointers instead. + +Fixes: 22600596b675 ("ipv4: give an IPv4 dev to blackhole_netdev") +Signed-off-by: Dan Carpenter +Reviewed-by: Simon Horman +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/aLaQWL9NguWmeM1i@stanley.mountain +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/devinet.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c +index c47d3828d4f65..942a887bf0893 100644 +--- a/net/ipv4/devinet.c ++++ b/net/ipv4/devinet.c +@@ -340,14 +340,13 @@ static void inetdev_destroy(struct in_device *in_dev) + + static int __init inet_blackhole_dev_init(void) + { +- int err = 0; ++ struct in_device *in_dev; + + rtnl_lock(); +- if (!inetdev_init(blackhole_netdev)) +- err = -ENOMEM; ++ in_dev = inetdev_init(blackhole_netdev); + rtnl_unlock(); + +- return err; ++ return PTR_ERR_OR_ZERO(in_dev); + } + late_initcall(inet_blackhole_dev_init); + +-- +2.50.1 + diff --git a/queue-6.16/ixgbe-fix-incorrect-map-used-in-eee-linkmode.patch b/queue-6.16/ixgbe-fix-incorrect-map-used-in-eee-linkmode.patch new file mode 100644 index 0000000000..060ed7675a --- /dev/null +++ b/queue-6.16/ixgbe-fix-incorrect-map-used-in-eee-linkmode.patch 
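Review bot: `PTR_ERR_OR_ZERO(in_dev)` is correct only under the contract the commit message states, that `inetdev_init()` returns an error pointer and never NULL; if that ever changes, this initcall would report success with no in_device attached to `blackhole_netdev`. Since the fix rests on that contract, a short comment at the call site (or a `WARN_ON(!in_dev)`) makes the assumption visible to whoever next touches `inetdev_init()`. Note that a non-zero return from a `late_initcall` is only logged, so a failure here leaves the blackhole device without IPv4 state rather than halting boot; that is acceptable, but the existing `-ENOMEM` path was dead code and this change is the first time a real error from `inetdev_init()` will surface.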
@@ -0,0 +1,54 @@ +From eea5372ed6b5500487b55d42889d53d72c3bfe9e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 10 Aug 2025 10:01:14 -0700 +Subject: ixgbe: fix incorrect map used in eee linkmode + +From: Alok Tiwari + +[ Upstream commit b7e5c3e3bfa9dc8af75ff6d8633ad7070e1985e4 ] + +incorrectly used ixgbe_lp_map in loops intended to populate the +supported and advertised EEE linkmode bitmaps based on ixgbe_ls_map. +This results in incorrect bit setting and potential out-of-bounds +access, since ixgbe_lp_map and ixgbe_ls_map have different sizes +and purposes. + +ixgbe_lp_map[i] -> ixgbe_ls_map[i] + +Use ixgbe_ls_map for supported and advertised linkmodes, and keep +ixgbe_lp_map usage only for link partner (lp_advertised) mapping. + +Fixes: 9356b6db9d05 ("net: ethernet: ixgbe: Convert EEE to use linkmodes") +Signed-off-by: Alok Tiwari +Reviewed-by: Aleksandr Loktionov +Reviewed-by: Paul Menzel +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c +index d8a919ab7027a..05a1f9f5914fd 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c +@@ -3565,13 +3565,13 @@ ixgbe_get_eee_fw(struct ixgbe_adapter *adapter, struct ethtool_keee *edata) + + for (i = 0; i < ARRAY_SIZE(ixgbe_ls_map); ++i) { + if (hw->phy.eee_speeds_supported & ixgbe_ls_map[i].mac_speed) +- linkmode_set_bit(ixgbe_lp_map[i].link_mode, ++ linkmode_set_bit(ixgbe_ls_map[i].link_mode, + edata->supported); + } + + for (i = 0; i < ARRAY_SIZE(ixgbe_ls_map); ++i) { + if (hw->phy.eee_speeds_advertised & ixgbe_ls_map[i].mac_speed) +- linkmode_set_bit(ixgbe_lp_map[i].link_mode, ++ linkmode_set_bit(ixgbe_ls_map[i].link_mode, + edata->advertised); + } + +-- +2.50.1 + 
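Review bot: both loops now index the same array they bound with `ARRAY_SIZE(ixgbe_ls_map)`, which removes the out-of-bounds read; the loop that fills `edata->lp_advertised` from `ixgbe_lp_map` is outside the hunk and should be checked to bound itself with `ARRAY_SIZE(ixgbe_lp_map)`. Because the two maps deliberately differ in size and purpose, a comment above `ixgbe_get_eee_fw()` stating which map serves which bitmap (`ls_map` for supported/advertised, `lp_map` for the link partner) would make a future copy-paste of the wrong identifier stand out in review.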
diff --git a/queue-6.16/macsec-read-macsec_sa_attr_pn-with-nla_get_uint.patch b/queue-6.16/macsec-read-macsec_sa_attr_pn-with-nla_get_uint.patch new file mode 100644 index 0000000000..a6b72aed0a --- /dev/null +++ b/queue-6.16/macsec-read-macsec_sa_attr_pn-with-nla_get_uint.patch 
@@ -0,0 +1,72 @@ +From e1badcd606cd5d3c9ec721e98bf449740311a775 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Aug 2025 20:55:40 +0200 +Subject: macsec: read MACSEC_SA_ATTR_PN with nla_get_uint + +From: Sabrina Dubroca + +[ Upstream commit 030e1c45666629f72d0fc1d040f9d2915680de8e ] + +The code currently reads both U32 attributes and U64 attributes as +U64, so when a U32 attribute is provided by userspace (ie, when not +using XPN), on big endian systems, we'll load that value into the +upper 32bits of the next_pn field instead of the lower 32bits. This +means that the value that userspace provided is ignored (we only care +about the lower 32bits for non-XPN), and we'll start using PNs from 0. + +Switch to nla_get_uint, which will read the value correctly on all +arches, whether it's 32b or 64b. + +Fixes: 48ef50fa866a ("macsec: Netlink support of XPN cipher suites (IEEE 802.1AEbw)") +Signed-off-by: Sabrina Dubroca +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/1c1df1661b89238caf5beefb84a10ebfd56c66ea.1756459839.git.sd@queasysnail.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/macsec.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c +index 4c75d1fea5527..01329fe7451a1 100644 +--- a/drivers/net/macsec.c ++++ b/drivers/net/macsec.c +@@ -1844,7 +1844,7 @@ static int macsec_add_rxsa(struct sk_buff *skb, struct genl_info *info) + + if (tb_sa[MACSEC_SA_ATTR_PN]) { + spin_lock_bh(&rx_sa->lock); +- rx_sa->next_pn = nla_get_u64(tb_sa[MACSEC_SA_ATTR_PN]); ++ rx_sa->next_pn = nla_get_uint(tb_sa[MACSEC_SA_ATTR_PN]); + spin_unlock_bh(&rx_sa->lock); + } + +@@ -2086,7 +2086,7 @@ static int macsec_add_txsa(struct sk_buff *skb, struct genl_info *info) + } + + spin_lock_bh(&tx_sa->lock); +- tx_sa->next_pn = nla_get_u64(tb_sa[MACSEC_SA_ATTR_PN]); ++ tx_sa->next_pn = nla_get_uint(tb_sa[MACSEC_SA_ATTR_PN]); + spin_unlock_bh(&tx_sa->lock); + + if 
(tb_sa[MACSEC_SA_ATTR_ACTIVE]) +@@ -2398,7 +2398,7 @@ static int macsec_upd_txsa(struct sk_buff *skb, struct genl_info *info) + + spin_lock_bh(&tx_sa->lock); + prev_pn = tx_sa->next_pn_halves; +- tx_sa->next_pn = nla_get_u64(tb_sa[MACSEC_SA_ATTR_PN]); ++ tx_sa->next_pn = nla_get_uint(tb_sa[MACSEC_SA_ATTR_PN]); + spin_unlock_bh(&tx_sa->lock); + } + +@@ -2496,7 +2496,7 @@ static int macsec_upd_rxsa(struct sk_buff *skb, struct genl_info *info) + + spin_lock_bh(&rx_sa->lock); + prev_pn = rx_sa->next_pn_halves; +- rx_sa->next_pn = nla_get_u64(tb_sa[MACSEC_SA_ATTR_PN]); ++ rx_sa->next_pn = nla_get_uint(tb_sa[MACSEC_SA_ATTR_PN]); + spin_unlock_bh(&rx_sa->lock); + } + +-- +2.50.1 + diff --git a/queue-6.16/mctp-return-enoprotoopt-for-unknown-getsockopt-optio.patch b/queue-6.16/mctp-return-enoprotoopt-for-unknown-getsockopt-optio.patch new file mode 100644 index 0000000000..99e2b6b1e1 --- /dev/null +++ b/queue-6.16/mctp-return-enoprotoopt-for-unknown-getsockopt-optio.patch 
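Review bot: `nla_get_uint()` returns a 4-byte attribute zero-extended into a u64 and an 8-byte attribute as-is, so the four hunks fix the big-endian truncation, but they also accept an 8-byte value unchanged on a non-XPN SA; the length check that compares the attribute to the SA's PN size is outside these hunks and should be confirmed to still run before each of these reads, otherwise a 64-bit PN could land in `next_pn` on a 32-bit cipher suite. Likewise the netlink policy for `MACSEC_SA_ATTR_PN` must continue to allow both 4- and 8-byte lengths, or the non-XPN case would now fail validation before reaching this code. The four call sites are identical; a helper such as `macsec_nla_get_pn(tb_sa)` would keep them consistent and be the natural place for the size check.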
@@ -0,0 +1,43 @@ +From 4ab93f8ef85d52b62d9aaf8120154238acd2b9ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Sep 2025 03:20:55 -0700 +Subject: mctp: return -ENOPROTOOPT for unknown getsockopt options + +From: Alok Tiwari + +[ Upstream commit a125c8fb9ddbcb0602103a50727a476fd30dec01 ] + +In mctp_getsockopt(), unrecognized options currently return -EINVAL. +In contrast, mctp_setsockopt() returns -ENOPROTOOPT for unknown +options. + +Update mctp_getsockopt() to also return -ENOPROTOOPT for unknown +options. This aligns the behavior of getsockopt() and setsockopt(), +and matches the standard kernel socket API convention for handling +unsupported options. + +Fixes: 99ce45d5e7db ("mctp: Implement extended addressing") +Signed-off-by: Alok Tiwari +Link: https://patch.msgid.link/20250902102059.1370008-1-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/mctp/af_mctp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mctp/af_mctp.c b/net/mctp/af_mctp.c +index 9d5db3feedec5..4dee06171361e 100644 +--- a/net/mctp/af_mctp.c ++++ b/net/mctp/af_mctp.c +@@ -346,7 +346,7 @@ static int mctp_getsockopt(struct socket *sock, int level, int optname, + return 0; + } + +- return -EINVAL; ++ return -ENOPROTOOPT; + } + + /* helpers for reading/writing the tag ioc, handling compatibility across the +-- +2.50.1 + diff --git a/queue-6.16/misdn-fix-memory-leak-in-dsp_hwec_enable.patch b/queue-6.16/misdn-fix-memory-leak-in-dsp_hwec_enable.patch new file mode 100644 index 0000000000..b2196fec3a --- /dev/null +++ b/queue-6.16/misdn-fix-memory-leak-in-dsp_hwec_enable.patch 
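Review bot: the one-line change alters an errno returned to userspace, so it is UAPI-visible: a program that probed MCTP option support by testing for `EINVAL` on `getsockopt()` will now see `ENOPROTOOPT`. That is the documented errno for an unknown option and matches `mctp_setsockopt()`, so the change is right, but the commit message should mention the visible difference, and the `-EINVAL` returns for known options with a bad `optlen` (outside the hunk) should stay as they are so callers can still tell the two cases apart.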
@@ -0,0 +1,53 @@ +From eee74822a54e5285963d825d574bd9bec5ff1a73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Aug 2025 16:14:57 +0800 +Subject: mISDN: Fix memory leak in dsp_hwec_enable() + +From: Miaoqian Lin + +[ Upstream commit 0704a3da7ce50f972e898bbda88d2692a22922d9 ] + +dsp_hwec_enable() allocates dup pointer by kstrdup(arg), +but then it updates dup variable by strsep(&dup, ","). +As a result when it calls kfree(dup), the dup variable may be +a modified pointer that no longer points to the original allocated +memory, causing a memory leak. + +The issue is the same pattern as fixed in commit c6a502c22999 +("mISDN: Fix memory leak in dsp_pipeline_build()"). + +Fixes: 9a4381618262 ("mISDN: Remove VLAs") +Signed-off-by: Miaoqian Lin +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250828081457.36061-1-linmq006@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/isdn/mISDN/dsp_hwec.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/isdn/mISDN/dsp_hwec.c b/drivers/isdn/mISDN/dsp_hwec.c +index 0b3f29195330a..0cd216e28f009 100644 +--- a/drivers/isdn/mISDN/dsp_hwec.c ++++ b/drivers/isdn/mISDN/dsp_hwec.c +@@ -51,14 +51,14 @@ void dsp_hwec_enable(struct dsp *dsp, const char *arg) + goto _do; + + { +- char *dup, *tok, *name, *val; ++ char *dup, *next, *tok, *name, *val; + int tmp; + +- dup = kstrdup(arg, GFP_ATOMIC); ++ dup = next = kstrdup(arg, GFP_ATOMIC); + if (!dup) + return; + +- while ((tok = strsep(&dup, ","))) { ++ while ((tok = strsep(&next, ","))) { + if (!strlen(tok)) + continue; + name = strsep(&tok, "="); +-- +2.50.1 + diff --git a/queue-6.16/net-atm-fix-memory-leak-in-atm_register_sysfs-when-d.patch b/queue-6.16/net-atm-fix-memory-leak-in-atm_register_sysfs-when-d.patch new file mode 100644 index 0000000000..0020745a0c --- /dev/null +++ b/queue-6.16/net-atm-fix-memory-leak-in-atm_register_sysfs-when-d.patch 
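Review bot: keeping `dup` pointed at the `kstrdup()` result so the `kfree(dup)` after the loop (outside the hunk) frees the original allocation is the correct fix, and the inner `strsep(&tok, "=")` is unaffected because it advances `tok`, not `next`. Since the commit says this is the same pattern already fixed in `dsp_pipeline_build()`, a quick grep of the mISDN tree for other `strsep(&dup` uses would confirm no third copy remains. One follow-up: the `kstrdup(arg, GFP_ATOMIC)` failure path silently `return`s, leaving the echo canceller unconfigured with no diagnostic; a `printk` there would make a failed allocation visible.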
@@ -0,0 +1,78 @@ +From 61c9a2d998c6da886a0f43e63f08ddd4e3dadfb3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Sep 2025 14:35:37 +0800 +Subject: net: atm: fix memory leak in atm_register_sysfs when device_register + fail + +From: Wang Liang + +[ Upstream commit 0a228624bcc00af41f281a2a84c928595a74c17d ] + +When device_register() return error in atm_register_sysfs(), which can be +triggered by kzalloc fail in device_private_init() or other reasons, +kmemleak reports the following memory leaks: + +unreferenced object 0xffff88810182fb80 (size 8): + comm "insmod", pid 504, jiffies 4294852464 + hex dump (first 8 bytes): + 61 64 75 6d 6d 79 30 00 adummy0. + backtrace (crc 14dfadaf): + __kmalloc_node_track_caller_noprof+0x335/0x450 + kvasprintf+0xb3/0x130 + kobject_set_name_vargs+0x45/0x120 + dev_set_name+0xa9/0xe0 + atm_register_sysfs+0xf3/0x220 + atm_dev_register+0x40b/0x780 + 0xffffffffa000b089 + do_one_initcall+0x89/0x300 + do_init_module+0x27b/0x7d0 + load_module+0x54cd/0x5ff0 + init_module_from_file+0xe4/0x150 + idempotent_init_module+0x32c/0x610 + __x64_sys_finit_module+0xbd/0x120 + do_syscall_64+0xa8/0x270 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +When device_create_file() return error in atm_register_sysfs(), the same +issue also can be triggered. + +Function put_device() should be called to release kobj->name memory and +other device resource, instead of kfree(). 
+ +Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array") +Signed-off-by: Wang Liang +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250901063537.1472221-1-wangliang74@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/atm/resources.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/atm/resources.c b/net/atm/resources.c +index b19d851e1f443..7c6fdedbcf4e5 100644 +--- a/net/atm/resources.c ++++ b/net/atm/resources.c +@@ -112,7 +112,9 @@ struct atm_dev *atm_dev_register(const char *type, struct device *parent, + + if (atm_proc_dev_register(dev) < 0) { + pr_err("atm_proc_dev_register failed for dev %s\n", type); +- goto out_fail; ++ mutex_unlock(&atm_dev_mutex); ++ kfree(dev); ++ return NULL; + } + + if (atm_register_sysfs(dev, parent) < 0) { +@@ -128,7 +130,7 @@ struct atm_dev *atm_dev_register(const char *type, struct device *parent, + return dev; + + out_fail: +- kfree(dev); ++ put_device(&dev->class_dev); + dev = NULL; + goto out; + } +-- +2.50.1 + diff --git a/queue-6.16/net-ethernet-mtk_eth_soc-fix-tx-vlan-tag-for-llc-pac.patch b/queue-6.16/net-ethernet-mtk_eth_soc-fix-tx-vlan-tag-for-llc-pac.patch new file mode 100644 index 0000000000..4c237dc3f5 --- /dev/null +++ b/queue-6.16/net-ethernet-mtk_eth_soc-fix-tx-vlan-tag-for-llc-pac.patch 
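Review bot: after this change `out_fail` calls `put_device(&dev->class_dev)`, which is only valid once `atm_register_sysfs()` has initialised the embedded device; the first hunk handles the `atm_proc_dev_register()` failure by open-coding `mutex_unlock(); kfree(dev); return NULL;` for exactly that reason, so any other `goto out_fail` that runs before `atm_register_sysfs()` (not visible in the hunk) would now call `put_device()` on an uninitialised `class_dev`, which warns from the kobject code and does not free `dev`. Either route every pre-sysfs failure through a separate label, say `out_free:`, that unlocks and `kfree()`s, or call `device_initialize()` on `class_dev` up front so `put_device()` is valid on all paths. The inlined unlock in the first hunk also duplicates what the `out:` label does; a second label is cleaner and harder to get wrong the next time a failure path is added.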
@@ -0,0 +1,55 @@ +From ae84c62165609e55a10d5dfff72a78117b7c425c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Aug 2025 20:20:07 +0200 +Subject: net: ethernet: mtk_eth_soc: fix tx vlan tag for llc packets + +From: Felix Fietkau + +[ Upstream commit d4736737110ffa83d29f1c5d17b26113864205f6 ] + +When sending llc packets with vlan tx offload, the hardware fails to +actually add the tag. Deal with this by fixing it up in software. + +Fixes: 656e705243fd ("net-next: mediatek: add support for MT7623 ethernet") +Reported-by: Thibaut VARENE +Signed-off-by: Felix Fietkau +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250831182007.51619-1-nbd@nbd.name +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mediatek/mtk_eth_soc.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +index b38e4f2de6748..880f27ca84d42 100644 +--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c ++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +@@ -1737,6 +1737,13 @@ static netdev_tx_t mtk_start_xmit(struct sk_buff *skb, struct net_device *dev) + bool gso = false; + int tx_num; + ++ if (skb_vlan_tag_present(skb) && ++ !eth_proto_is_802_3(eth_hdr(skb)->h_proto)) { ++ skb = __vlan_hwaccel_push_inside(skb); ++ if (!skb) ++ goto dropped; ++ } ++ + /* normally we can rely on the stack not calling this more than once, + * however we have 2 queues running on the same ring so we need to lock + * the ring access +@@ -1782,8 +1789,9 @@ static netdev_tx_t mtk_start_xmit(struct sk_buff *skb, struct net_device *dev) + + drop: + spin_unlock(ð->page_lock); +- stats->tx_dropped++; + dev_kfree_skb_any(skb); ++dropped: ++ stats->tx_dropped++; + return NETDEV_TX_OK; + } + +-- +2.50.1 + 
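Review bot: `__vlan_hwaccel_push_inside()` frees the skb and returns NULL on failure, so jumping to the new `dropped` label without `dev_kfree_skb_any()` is correct and the `drop`/`dropped` split avoids a double free; a short comment on `dropped:` noting the skb is already gone would keep someone from "fixing" it later. After the push the tag lives in the payload and `skb_vlan_tag_present()` is false, so the descriptor-level VLAN insertion further down sees an untagged frame and cannot double-tag; that, and why `eth_proto_is_802_3()` is the right predicate (LLC frames carry a length rather than an EtherType in `h_proto`), belong in a comment at the check. The check reads `eth_hdr(skb)` before `spin_lock(&eth->page_lock)`, which is fine in `ndo_start_xmit` where the MAC header is set, but the `dropped` path now increments `stats->tx_dropped` outside the lock; confirm those counters are per-CPU or otherwise safe to bump unlocked.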
diff --git a/queue-6.16/net-ethernet-ti-am65-cpsw-nuss-fix-null-pointer-dere.patch b/queue-6.16/net-ethernet-ti-am65-cpsw-nuss-fix-null-pointer-dere.patch new file mode 100644 index 0000000000..919e73413f --- /dev/null +++ b/queue-6.16/net-ethernet-ti-am65-cpsw-nuss-fix-null-pointer-dere.patch @@ -0,0 +1,43 @@ +From 0cbe0bb3f924599f449c2d799aa71aa7ebc9ac8b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Aug 2025 17:40:51 +0530 +Subject: net: ethernet: ti: am65-cpsw-nuss: Fix null pointer dereference for + ndev + +From: Nishanth Menon + +[ Upstream commit a6099f263e1f408bcc7913c9df24b0677164fc5d ] + +In the TX completion packet stage of TI SoCs with CPSW2G instance, which +has single external ethernet port, ndev is accessed without being +initialized if no TX packets have been processed. It results into null +pointer dereference, causing kernel to crash. Fix this by having a check +on the number of TX packets which have been processed. + +Fixes: 9a369ae3d143 ("net: ethernet: ti: am65-cpsw: remove am65_cpsw_nuss_tx_compl_packets_2g()") +Signed-off-by: Nishanth Menon +Signed-off-by: Chintan Vankar +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250829121051.2031832-1-c-vankar@ti.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ti/am65-cpsw-nuss.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/ti/am65-cpsw-nuss.c b/drivers/net/ethernet/ti/am65-cpsw-nuss.c +index 231ca141331f5..dbdbc40109c51 100644 +--- a/drivers/net/ethernet/ti/am65-cpsw-nuss.c ++++ b/drivers/net/ethernet/ti/am65-cpsw-nuss.c +@@ -1522,7 +1522,7 @@ static int am65_cpsw_nuss_tx_compl_packets(struct am65_cpsw_common *common, + } + } + +- if (single_port) { ++ if (single_port && num_tx) { + netif_txq = netdev_get_tx_queue(ndev, chn); + netdev_tx_completed_queue(netif_txq, num_tx, total_bytes); + am65_cpsw_nuss_tx_wake(tx_chn, ndev, netif_txq); +-- +2.50.1 + 
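Review bot: `single_port && num_tx` closes the NULL dereference, but `ndev` is still only assigned inside the completion loop, so the compiler cannot see that it is initialised on the path now guarded; initialising `ndev = NULL` at its declaration (outside the hunk) alongside the `num_tx` check makes the invariant explicit and silences any maybe-uninitialized warning. Skipping the block when `num_tx == 0` changes no accounting, since `netdev_tx_completed_queue()` returns early on zero bytes, and `am65_cpsw_nuss_tx_wake()` had nothing to wake; the commit message could say so.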
diff --git a/queue-6.16/net-lockless-sock_i_ino.patch b/queue-6.16/net-lockless-sock_i_ino.patch new file mode 100644 index 0000000000..256c458040 --- /dev/null +++ b/queue-6.16/net-lockless-sock_i_ino.patch 
@@ -0,0 +1,174 @@ +From 7e7e7f7bd5eb1701c44ea1febac0721d8f186f68 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Sep 2025 18:36:03 +0000 +Subject: net: lockless sock_i_ino() + +From: Eric Dumazet + +[ Upstream commit 5d6b58c932ec451a5c41482790eb5b1ecf165a94 ] + +Followup of commit c51da3f7a161 ("net: remove sock_i_uid()") + +A recent syzbot report was the trigger for this change. + +Over the years, we had many problems caused by the +read_lock[_bh](&sk->sk_callback_lock) in sock_i_uid(). + +We could fix smc_diag_dump_proto() or make a more radical move: + +Instead of waiting for new syzbot reports, cache the socket +inode number in sk->sk_ino, so that we no longer +need to acquire sk->sk_callback_lock in sock_i_ino(). + +This makes socket dumps faster (one less cache line miss, +and two atomic ops avoided). + +Prior art: + +commit 25a9c8a4431c ("netlink: Add __sock_i_ino() for __netlink_diag_dump().") +commit 4f9bf2a2f5aa ("tcp: Don't acquire inet_listen_hashbucket::lock with disabled BH.") +commit efc3dbc37412 ("rds: Make rds_sock_lock BH rather than IRQ safe.") + +Fixes: d2d6422f8bd1 ("x86: Allow to enable PREEMPT_RT.") +Reported-by: syzbot+50603c05bbdf4dfdaffa@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/68b73804.050a0220.3db4df.01d8.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Reviewed-by: Kuniyuki Iwashima +Reviewed-by: Sebastian Andrzej Siewior +Link: https://patch.msgid.link/20250902183603.740428-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/sock.h | 17 +++++++++++++---- + net/core/sock.c | 22 ---------------------- + net/mptcp/protocol.c | 1 - + net/netlink/diag.c | 2 +- + 4 files changed, 14 insertions(+), 28 deletions(-) + +diff --git a/include/net/sock.h b/include/net/sock.h +index da644ab5ae7f4..a348ae145eda4 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -285,6 +285,7 @@ struct sk_filter; + * @sk_ack_backlog: current listen backlog + * 
@sk_max_ack_backlog: listen backlog set in listen() + * @sk_uid: user id of owner ++ * @sk_ino: inode number (zero if orphaned) + * @sk_prefer_busy_poll: prefer busypolling over softirq processing + * @sk_busy_poll_budget: napi processing budget when busypolling + * @sk_priority: %SO_PRIORITY setting +@@ -518,6 +519,7 @@ struct sock { + u32 sk_ack_backlog; + u32 sk_max_ack_backlog; + kuid_t sk_uid; ++ unsigned long sk_ino; + spinlock_t sk_peer_lock; + int sk_bind_phc; + struct pid *sk_peer_pid; +@@ -2056,6 +2058,10 @@ static inline int sk_rx_queue_get(const struct sock *sk) + static inline void sk_set_socket(struct sock *sk, struct socket *sock) + { + sk->sk_socket = sock; ++ if (sock) { ++ WRITE_ONCE(sk->sk_uid, SOCK_INODE(sock)->i_uid); ++ WRITE_ONCE(sk->sk_ino, SOCK_INODE(sock)->i_ino); ++ } + } + + static inline wait_queue_head_t *sk_sleep(struct sock *sk) +@@ -2077,6 +2083,7 @@ static inline void sock_orphan(struct sock *sk) + sk_set_socket(sk, NULL); + sk->sk_wq = NULL; + /* Note: sk_uid is unchanged. */ ++ WRITE_ONCE(sk->sk_ino, 0); + write_unlock_bh(&sk->sk_callback_lock); + } + +@@ -2087,20 +2094,22 @@ static inline void sock_graft(struct sock *sk, struct socket *parent) + rcu_assign_pointer(sk->sk_wq, &parent->wq); + parent->sk = sk; + sk_set_socket(sk, parent); +- WRITE_ONCE(sk->sk_uid, SOCK_INODE(parent)->i_uid); + security_sock_graft(sk, parent); + write_unlock_bh(&sk->sk_callback_lock); + } + ++static inline unsigned long sock_i_ino(const struct sock *sk) ++{ ++ /* Paired with WRITE_ONCE() in sock_graft() and sock_orphan() */ ++ return READ_ONCE(sk->sk_ino); ++} ++ + static inline kuid_t sk_uid(const struct sock *sk) + { + /* Paired with WRITE_ONCE() in sockfs_setattr() */ + return READ_ONCE(sk->sk_uid); + } + +-unsigned long __sock_i_ino(struct sock *sk); +-unsigned long sock_i_ino(struct sock *sk); +- + static inline kuid_t sock_net_uid(const struct net *net, const struct sock *sk) + { + return sk ? 
sk_uid(sk) : make_kuid(net->user_ns, 0); +diff --git a/net/core/sock.c b/net/core/sock.c +index 1689eaf42f25b..10c1df62338be 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -2788,28 +2788,6 @@ void sock_pfree(struct sk_buff *skb) + EXPORT_SYMBOL(sock_pfree); + #endif /* CONFIG_INET */ + +-unsigned long __sock_i_ino(struct sock *sk) +-{ +- unsigned long ino; +- +- read_lock(&sk->sk_callback_lock); +- ino = sk->sk_socket ? SOCK_INODE(sk->sk_socket)->i_ino : 0; +- read_unlock(&sk->sk_callback_lock); +- return ino; +-} +-EXPORT_SYMBOL(__sock_i_ino); +- +-unsigned long sock_i_ino(struct sock *sk) +-{ +- unsigned long ino; +- +- local_bh_disable(); +- ino = __sock_i_ino(sk); +- local_bh_enable(); +- return ino; +-} +-EXPORT_SYMBOL(sock_i_ino); +- + /* + * Allocate a skb from the socket's send buffer. + */ +diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c +index 76cb699885b38..1063c53850c05 100644 +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -3537,7 +3537,6 @@ void mptcp_sock_graft(struct sock *sk, struct socket *parent) + write_lock_bh(&sk->sk_callback_lock); + rcu_assign_pointer(sk->sk_wq, &parent->wq); + sk_set_socket(sk, parent); +- WRITE_ONCE(sk->sk_uid, SOCK_INODE(parent)->i_uid); + write_unlock_bh(&sk->sk_callback_lock); + } + +diff --git a/net/netlink/diag.c b/net/netlink/diag.c +index 61981e01fd6ff..b8e58132e8af1 100644 +--- a/net/netlink/diag.c ++++ b/net/netlink/diag.c +@@ -168,7 +168,7 @@ static int __netlink_diag_dump(struct sk_buff *skb, struct netlink_callback *cb, + NETLINK_CB(cb->skb).portid, + cb->nlh->nlmsg_seq, + NLM_F_MULTI, +- __sock_i_ino(sk)) < 0) { ++ sock_i_ino(sk)) < 0) { + ret = 1; + break; + } +-- +2.50.1 + diff --git a/queue-6.16/net-macb-fix-tx_ptr_lock-locking.patch b/queue-6.16/net-macb-fix-tx_ptr_lock-locking.patch new file mode 100644 index 0000000000..a3e03740e2 --- /dev/null +++ b/queue-6.16/net-macb-fix-tx_ptr_lock-locking.patch 
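Review bot: in the include/net/sock.h hunks of the sock_i_ino patch, the comment on the new inline (`Paired with WRITE_ONCE() in sock_graft() and sock_orphan()`) does not match where the stores are: the non-zero `sk_ino` store now lives in `sk_set_socket()`, reached from both `sock_graft()` and `mptcp_sock_graft()`, while `sock_orphan()` holds only the zeroing store. Naming `sk_set_socket()` keeps the pairing accurate for anyone auditing the lockless read; the `sk_uid()` comment (`Paired with WRITE_ONCE() in sockfs_setattr()`) is now incomplete for the same reason, since `sk_set_socket()` stores `sk_uid` as well. The value set a reader can observe is unchanged from the locked version (the previous inode, or 0 once orphaned, per the new `@sk_ino` doc line), so diag and /proc dumps keep their old meaning without taking `sk_callback_lock` in BH context.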
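Review bot: the net/core/sock.c hunk (@@ -2788) deletes `EXPORT_SYMBOL(__sock_i_ino)` and `EXPORT_SYMBOL(sock_i_ino)`; in a stable branch that is a kABI-visible removal of two exported symbols and should be called out in the backport note even though every in-tree caller is covered by the new inline. The netlink/diag.c hunk shows the intended migration for callers that used `__sock_i_ino()` because they already ran with BH disabled: they simply switch to `sock_i_ino()`, which no longer touches `local_bh_disable()` at all.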
@@ -0,0 +1,136 @@ +From 27022b2874b8f85ca2cdb3c437abf7d92089569f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Aug 2025 10:35:21 -0400 +Subject: net: macb: Fix tx_ptr_lock locking + +From: Sean Anderson + +[ Upstream commit 6bc8a5098bf4a365c4086a4a4130bfab10a58260 ] + +macb_start_xmit and macb_tx_poll can be called with bottom-halves +disabled (e.g. from softirq) as well as with interrupts disabled (with +netpoll). Because of this, all other functions taking tx_ptr_lock must +use spin_lock_irqsave. + +Fixes: 138badbc21a0 ("net: macb: use NAPI for TX completion path") +Reported-by: Mike Galbraith +Signed-off-by: Sean Anderson +Link: https://patch.msgid.link/20250829143521.1686062-1-sean.anderson@linux.dev +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cadence/macb_main.c | 28 ++++++++++++++---------- + 1 file changed, 16 insertions(+), 12 deletions(-) + +diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c +index d949d2ba6cb9f..f5d7556afb97e 100644 +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -1223,12 +1223,13 @@ static int macb_tx_complete(struct macb_queue *queue, int budget) + { + struct macb *bp = queue->bp; + u16 queue_index = queue - bp->queues; ++ unsigned long flags; + unsigned int tail; + unsigned int head; + int packets = 0; + u32 bytes = 0; + +- spin_lock(&queue->tx_ptr_lock); ++ spin_lock_irqsave(&queue->tx_ptr_lock, flags); + head = queue->tx_head; + for (tail = queue->tx_tail; tail != head && packets < budget; tail++) { + struct macb_tx_skb *tx_skb; +@@ -1291,7 +1292,7 @@ static int macb_tx_complete(struct macb_queue *queue, int budget) + CIRC_CNT(queue->tx_head, queue->tx_tail, + bp->tx_ring_size) <= MACB_TX_WAKEUP_THRESH(bp)) + netif_wake_subqueue(bp->dev, queue_index); +- spin_unlock(&queue->tx_ptr_lock); ++ spin_unlock_irqrestore(&queue->tx_ptr_lock, flags); + + return packets; + } +@@ -1707,8 
+1708,9 @@ static void macb_tx_restart(struct macb_queue *queue) + { + struct macb *bp = queue->bp; + unsigned int head_idx, tbqp; ++ unsigned long flags; + +- spin_lock(&queue->tx_ptr_lock); ++ spin_lock_irqsave(&queue->tx_ptr_lock, flags); + + if (queue->tx_head == queue->tx_tail) + goto out_tx_ptr_unlock; +@@ -1720,19 +1722,20 @@ static void macb_tx_restart(struct macb_queue *queue) + if (tbqp == head_idx) + goto out_tx_ptr_unlock; + +- spin_lock_irq(&bp->lock); ++ spin_lock(&bp->lock); + macb_writel(bp, NCR, macb_readl(bp, NCR) | MACB_BIT(TSTART)); +- spin_unlock_irq(&bp->lock); ++ spin_unlock(&bp->lock); + + out_tx_ptr_unlock: +- spin_unlock(&queue->tx_ptr_lock); ++ spin_unlock_irqrestore(&queue->tx_ptr_lock, flags); + } + + static bool macb_tx_complete_pending(struct macb_queue *queue) + { + bool retval = false; ++ unsigned long flags; + +- spin_lock(&queue->tx_ptr_lock); ++ spin_lock_irqsave(&queue->tx_ptr_lock, flags); + if (queue->tx_head != queue->tx_tail) { + /* Make hw descriptor updates visible to CPU */ + rmb(); +@@ -1740,7 +1743,7 @@ static bool macb_tx_complete_pending(struct macb_queue *queue) + if (macb_tx_desc(queue, queue->tx_tail)->ctrl & MACB_BIT(TX_USED)) + retval = true; + } +- spin_unlock(&queue->tx_ptr_lock); ++ spin_unlock_irqrestore(&queue->tx_ptr_lock, flags); + return retval; + } + +@@ -2308,6 +2311,7 @@ static netdev_tx_t macb_start_xmit(struct sk_buff *skb, struct net_device *dev) + struct macb_queue *queue = &bp->queues[queue_index]; + unsigned int desc_cnt, nr_frags, frag_size, f; + unsigned int hdrlen; ++ unsigned long flags; + bool is_lso; + netdev_tx_t ret = NETDEV_TX_OK; + +@@ -2368,7 +2372,7 @@ static netdev_tx_t macb_start_xmit(struct sk_buff *skb, struct net_device *dev) + desc_cnt += DIV_ROUND_UP(frag_size, bp->max_tx_length); + } + +- spin_lock_bh(&queue->tx_ptr_lock); ++ spin_lock_irqsave(&queue->tx_ptr_lock, flags); + + /* This is a hard error, log it. 
*/ + if (CIRC_SPACE(queue->tx_head, queue->tx_tail, +@@ -2392,15 +2396,15 @@ static netdev_tx_t macb_start_xmit(struct sk_buff *skb, struct net_device *dev) + netdev_tx_sent_queue(netdev_get_tx_queue(bp->dev, queue_index), + skb->len); + +- spin_lock_irq(&bp->lock); ++ spin_lock(&bp->lock); + macb_writel(bp, NCR, macb_readl(bp, NCR) | MACB_BIT(TSTART)); +- spin_unlock_irq(&bp->lock); ++ spin_unlock(&bp->lock); + + if (CIRC_SPACE(queue->tx_head, queue->tx_tail, bp->tx_ring_size) < 1) + netif_stop_subqueue(dev, queue_index); + + unlock: +- spin_unlock_bh(&queue->tx_ptr_lock); ++ spin_unlock_irqrestore(&queue->tx_ptr_lock, flags); + + return ret; + } +-- +2.50.1 + diff --git a/queue-6.16/net-mctp-mctp_fraq_queue-should-take-ownership-of-pa.patch b/queue-6.16/net-mctp-mctp_fraq_queue-should-take-ownership-of-pa.patch new file mode 100644 index 0000000000..c61caef394 --- /dev/null +++ b/queue-6.16/net-mctp-mctp_fraq_queue-should-take-ownership-of-pa.patch 
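Review bot: the `spin_lock_irq(&bp->lock)` to `spin_lock(&bp->lock)` conversions in `macb_tx_restart()` (@@ -1720) and `macb_start_xmit()` (@@ -2392) are correct only because both sites now sit inside a `spin_lock_irqsave(&queue->tx_ptr_lock, flags)` region; the old `spin_unlock_irq()` would otherwise have re-enabled interrupts unconditionally while `tx_ptr_lock` was still held, so the two halves of this change must not be separated in any further backport. Nothing in the file now records that `bp->lock` is taken with IRQs already off at these two sites; a comment on `tx_ptr_lock` or a `lockdep_assert_irqs_disabled()` before the `bp->lock` acquisitions would make the dependency visible.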
@@ -0,0 +1,129 @@ +From 4ed0c8900bed7a0f67f3b1b2019796ee281aa1c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Aug 2025 15:28:26 +0800 +Subject: net: mctp: mctp_fraq_queue should take ownership of passed skb + +From: Jeremy Kerr + +[ Upstream commit 773b27a8a2f00ce3134e92e50ea4794a98ba2b76 ] + +As of commit f5d83cf0eeb9 ("net: mctp: unshare packets when +reassembling"), we skb_unshare() in mctp_frag_queue(). The unshare may +invalidate the original skb pointer, so we need to treat the skb as +entirely owned by the fraq queue, even on failure. + +Fixes: f5d83cf0eeb9 ("net: mctp: unshare packets when reassembling") +Signed-off-by: Jeremy Kerr +Link: https://patch.msgid.link/20250829-mctp-skb-unshare-v1-1-1c28fe10235a@codeconstruct.com.au +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/mctp/route.c | 35 +++++++++++++++++++---------------- + 1 file changed, 19 insertions(+), 16 deletions(-) + +diff --git a/net/mctp/route.c b/net/mctp/route.c +index d9c8e5a5f9ce9..19ff259d7bc43 100644 +--- a/net/mctp/route.c ++++ b/net/mctp/route.c +@@ -325,6 +325,7 @@ static void mctp_skb_set_flow(struct sk_buff *skb, struct mctp_sk_key *key) {} + static void mctp_flow_prepare_output(struct sk_buff *skb, struct mctp_dev *dev) {} + #endif + ++/* takes ownership of skb, both in success and failure cases */ + static int mctp_frag_queue(struct mctp_sk_key *key, struct sk_buff *skb) + { + struct mctp_hdr *hdr = mctp_hdr(skb); +@@ -334,8 +335,10 @@ static int mctp_frag_queue(struct mctp_sk_key *key, struct sk_buff *skb) + & MCTP_HDR_SEQ_MASK; + + if (!key->reasm_head) { +- /* Since we're manipulating the shared frag_list, ensure it isn't +- * shared with any other SKBs. ++ /* Since we're manipulating the shared frag_list, ensure it ++ * isn't shared with any other SKBs. In the cloned case, ++ * this will free the skb; callers can no longer access it ++ * safely. 
+ */ + key->reasm_head = skb_unshare(skb, GFP_ATOMIC); + if (!key->reasm_head) +@@ -349,10 +352,10 @@ static int mctp_frag_queue(struct mctp_sk_key *key, struct sk_buff *skb) + exp_seq = (key->last_seq + 1) & MCTP_HDR_SEQ_MASK; + + if (this_seq != exp_seq) +- return -EINVAL; ++ goto err_free; + + if (key->reasm_head->len + skb->len > mctp_message_maxlen) +- return -EINVAL; ++ goto err_free; + + skb->next = NULL; + skb->sk = NULL; +@@ -366,6 +369,10 @@ static int mctp_frag_queue(struct mctp_sk_key *key, struct sk_buff *skb) + key->reasm_head->truesize += skb->truesize; + + return 0; ++ ++err_free: ++ kfree_skb(skb); ++ return -EINVAL; + } + + static int mctp_route_input(struct mctp_route *route, struct sk_buff *skb) +@@ -476,18 +483,16 @@ static int mctp_route_input(struct mctp_route *route, struct sk_buff *skb) + * key isn't observable yet + */ + mctp_frag_queue(key, skb); ++ skb = NULL; + + /* if the key_add fails, we've raced with another + * SOM packet with the same src, dest and tag. There's + * no way to distinguish future packets, so all we +- * can do is drop; we'll free the skb on exit from +- * this function. ++ * can do is drop. + */ + rc = mctp_key_add(key, msk); +- if (!rc) { ++ if (!rc) + trace_mctp_key_acquire(key); +- skb = NULL; +- } + + /* we don't need to release key->lock on exit, so + * clean up here and suppress the unlock via +@@ -505,8 +510,7 @@ static int mctp_route_input(struct mctp_route *route, struct sk_buff *skb) + key = NULL; + } else { + rc = mctp_frag_queue(key, skb); +- if (!rc) +- skb = NULL; ++ skb = NULL; + } + } + +@@ -516,17 +520,16 @@ static int mctp_route_input(struct mctp_route *route, struct sk_buff *skb) + */ + + /* we need to be continuing an existing reassembly... 
*/ +- if (!key->reasm_head) ++ if (!key->reasm_head) { + rc = -EINVAL; +- else ++ } else { + rc = mctp_frag_queue(key, skb); ++ skb = NULL; ++ } + + if (rc) + goto out_unlock; + +- /* we've queued; the queue owns the skb now */ +- skb = NULL; +- + /* end of message? deliver to socket, and we're done with + * the reassembly/response key + */ +-- +2.50.1 + diff --git a/queue-6.16/net-mctp-usb-initialise-mac-header-in-rx-path.patch b/queue-6.16/net-mctp-usb-initialise-mac-header-in-rx-path.patch new file mode 100644 index 0000000000..e560b5af54 --- /dev/null +++ b/queue-6.16/net-mctp-usb-initialise-mac-header-in-rx-path.patch 
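Review bot: in the first-fragment (SOM) path of `mctp_route_input()` (@@ -476) the return value of `mctp_frag_queue(key, skb)` is still discarded before `rc = mctp_key_add(key, msk)`. With the new ownership rule that is no longer a leak, because the callee frees on every error path, but a failed `skb_unshare()` leaves `key->reasm_head` NULL and the key is installed anyway, so it is only the later `if (!key->reasm_head) { rc = -EINVAL; }` branch that eventually rejects the continuation fragments. Checking the return value here and skipping `mctp_key_add()` on failure would avoid installing a key that can never complete. The new header comment (`takes ownership of skb, both in success and failure cases`) should also state that the skb pointer may be invalid after a successful call, since the `skb = NULL` lines added at every caller depend on exactly that.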
@@ -0,0 +1,40 @@ +From faeaa544a3e29d7a3248a1cb7b71a6bd229b287d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Aug 2025 15:40:23 +0800 +Subject: net: mctp: usb: initialise mac header in RX path + +From: Jeremy Kerr + +[ Upstream commit e27e34bc99413a29cafae02ad572ea3c9beba2ce ] + +We're not currently setting skb->mac_header on ingress, and the netdev +core rx path expects it. Without it, we'll hit a warning on DEBUG_NETDEV +from commit 1e4033b53db4 ("net: skb_reset_mac_len() must check if +mac_header was set") + +Initialise the mac_header to refer to the USB transport header. + +Fixes: 0791c0327a6e ("net: mctp: Add MCTP USB transport driver") +Signed-off-by: Jeremy Kerr +Link: https://patch.msgid.link/20250829-mctp-usb-mac-header-v1-1-338ad725e183@codeconstruct.com.au +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/mctp/mctp-usb.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/mctp/mctp-usb.c b/drivers/net/mctp/mctp-usb.c +index 775a386d0aca1..36ccc53b17975 100644 +--- a/drivers/net/mctp/mctp-usb.c ++++ b/drivers/net/mctp/mctp-usb.c +@@ -183,6 +183,7 @@ static void mctp_usb_in_complete(struct urb *urb) + struct mctp_usb_hdr *hdr; + u8 pkt_len; /* length of MCTP packet, no USB header */ + ++ skb_reset_mac_header(skb); + hdr = skb_pull_data(skb, sizeof(*hdr)); + if (!hdr) + break; +-- +2.50.1 + diff --git a/queue-6.16/net-remove-sock_i_uid.patch b/queue-6.16/net-remove-sock_i_uid.patch new file mode 100644 index 0000000000..64f1c4ecbe --- /dev/null +++ b/queue-6.16/net-remove-sock_i_uid.patch 
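Review bot: the single-line hunk in mctp-usb.c (@@ -183) places `skb_reset_mac_header(skb)` before `skb_pull_data(skb, sizeof(*hdr))`, so `mac_header` covers the USB transport header as the commit message intends, and because it sits inside the per-packet loop (the `break` on a short pull) each packet carved from the URB gets its own `mac_header` rather than inheriting the first one's. A short comment would help, since a reader could otherwise hoist the reset above the loop and reintroduce the warning the message describes.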
@@ -0,0 +1,655 @@ +From 7ecdb06fd0515d2ddc04f3e2c1d3191b755849b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jun 2025 13:30:01 +0000 +Subject: net: remove sock_i_uid() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Eric Dumazet + +[ Upstream commit c51da3f7a161c6822232be832abdffe47eb55b4c ] + +Difference between sock_i_uid() and sk_uid() is that +after sock_orphan(), sock_i_uid() returns GLOBAL_ROOT_UID +while sk_uid() returns the last cached sk->sk_uid value. + +None of sock_i_uid() callers care about this. + +Use sk_uid() which is much faster and inlined. + +Note that diag/dump users are calling sock_i_ino() and +can not see the full benefit yet. + +Signed-off-by: Eric Dumazet +Cc: Lorenzo Colitti +Reviewed-by: Maciej Å»enczykowski +Link: https://patch.msgid.link/20250620133001.4090592-3-edumazet@google.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: 5d6b58c932ec ("net: lockless sock_i_ino()") +Signed-off-by: Sasha Levin +--- + include/net/sock.h | 2 -- + net/appletalk/atalk_proc.c | 2 +- + net/bluetooth/af_bluetooth.c | 2 +- + net/core/sock.c | 11 ----------- + net/ipv4/inet_connection_sock.c | 27 ++++++++++++--------------- + net/ipv4/inet_diag.c | 2 +- + net/ipv4/inet_hashtables.c | 4 ++-- + net/ipv4/ping.c | 2 +- + net/ipv4/raw.c | 2 +- + net/ipv4/tcp_ipv4.c | 8 ++++---- + net/ipv4/udp.c | 16 ++++++++-------- + net/ipv6/datagram.c | 2 +- + net/ipv6/tcp_ipv6.c | 4 ++-- + net/key/af_key.c | 2 +- + net/llc/llc_proc.c | 2 +- + net/packet/af_packet.c | 2 +- + net/packet/diag.c | 2 +- + net/phonet/socket.c | 4 ++-- + net/sctp/input.c | 2 +- + net/sctp/proc.c | 4 ++-- + net/sctp/socket.c | 4 ++-- + net/smc/smc_diag.c | 2 +- + net/tipc/socket.c | 2 +- + net/unix/af_unix.c | 2 +- + net/unix/diag.c | 2 +- + net/xdp/xsk_diag.c | 2 +- + 26 files changed, 50 insertions(+), 66 deletions(-) + +diff --git a/include/net/sock.h b/include/net/sock.h +index e3ab203456858..da644ab5ae7f4 100644 +--- 
a/include/net/sock.h ++++ b/include/net/sock.h +@@ -2092,8 +2092,6 @@ static inline void sock_graft(struct sock *sk, struct socket *parent) + write_unlock_bh(&sk->sk_callback_lock); + } + +-kuid_t sock_i_uid(struct sock *sk); +- + static inline kuid_t sk_uid(const struct sock *sk) + { + /* Paired with WRITE_ONCE() in sockfs_setattr() */ +diff --git a/net/appletalk/atalk_proc.c b/net/appletalk/atalk_proc.c +index 9c1241292d1d2..01787fb6a7bce 100644 +--- a/net/appletalk/atalk_proc.c ++++ b/net/appletalk/atalk_proc.c +@@ -181,7 +181,7 @@ static int atalk_seq_socket_show(struct seq_file *seq, void *v) + sk_wmem_alloc_get(s), + sk_rmem_alloc_get(s), + s->sk_state, +- from_kuid_munged(seq_user_ns(seq), sock_i_uid(s))); ++ from_kuid_munged(seq_user_ns(seq), sk_uid(s))); + out: + return 0; + } +diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c +index 6ad2f72f53f4e..ee9bf84c88a70 100644 +--- a/net/bluetooth/af_bluetooth.c ++++ b/net/bluetooth/af_bluetooth.c +@@ -815,7 +815,7 @@ static int bt_seq_show(struct seq_file *seq, void *v) + refcount_read(&sk->sk_refcnt), + sk_rmem_alloc_get(sk), + sk_wmem_alloc_get(sk), +- from_kuid(seq_user_ns(seq), sock_i_uid(sk)), ++ from_kuid(seq_user_ns(seq), sk_uid(sk)), + sock_i_ino(sk), + bt->parent ? sock_i_ino(bt->parent) : 0LU); + +diff --git a/net/core/sock.c b/net/core/sock.c +index 9fae9239f9393..1689eaf42f25b 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -2788,17 +2788,6 @@ void sock_pfree(struct sk_buff *skb) + EXPORT_SYMBOL(sock_pfree); + #endif /* CONFIG_INET */ + +-kuid_t sock_i_uid(struct sock *sk) +-{ +- kuid_t uid; +- +- read_lock_bh(&sk->sk_callback_lock); +- uid = sk->sk_socket ? 
SOCK_INODE(sk->sk_socket)->i_uid : GLOBAL_ROOT_UID; +- read_unlock_bh(&sk->sk_callback_lock); +- return uid; +-} +-EXPORT_SYMBOL(sock_i_uid); +- + unsigned long __sock_i_ino(struct sock *sk) + { + unsigned long ino; +diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c +index 46750c96d08ea..f4157d26ec9e4 100644 +--- a/net/ipv4/inet_connection_sock.c ++++ b/net/ipv4/inet_connection_sock.c +@@ -168,7 +168,7 @@ static bool inet_use_bhash2_on_bind(const struct sock *sk) + } + + static bool inet_bind_conflict(const struct sock *sk, struct sock *sk2, +- kuid_t sk_uid, bool relax, ++ kuid_t uid, bool relax, + bool reuseport_cb_ok, bool reuseport_ok) + { + int bound_dev_if2; +@@ -185,12 +185,12 @@ static bool inet_bind_conflict(const struct sock *sk, struct sock *sk2, + if (!relax || (!reuseport_ok && sk->sk_reuseport && + sk2->sk_reuseport && reuseport_cb_ok && + (sk2->sk_state == TCP_TIME_WAIT || +- uid_eq(sk_uid, sock_i_uid(sk2))))) ++ uid_eq(uid, sk_uid(sk2))))) + return true; + } else if (!reuseport_ok || !sk->sk_reuseport || + !sk2->sk_reuseport || !reuseport_cb_ok || + (sk2->sk_state != TCP_TIME_WAIT && +- !uid_eq(sk_uid, sock_i_uid(sk2)))) { ++ !uid_eq(uid, sk_uid(sk2)))) { + return true; + } + } +@@ -198,7 +198,7 @@ static bool inet_bind_conflict(const struct sock *sk, struct sock *sk2, + } + + static bool __inet_bhash2_conflict(const struct sock *sk, struct sock *sk2, +- kuid_t sk_uid, bool relax, ++ kuid_t uid, bool relax, + bool reuseport_cb_ok, bool reuseport_ok) + { + if (ipv6_only_sock(sk2)) { +@@ -211,20 +211,20 @@ static bool __inet_bhash2_conflict(const struct sock *sk, struct sock *sk2, + #endif + } + +- return inet_bind_conflict(sk, sk2, sk_uid, relax, ++ return inet_bind_conflict(sk, sk2, uid, relax, + reuseport_cb_ok, reuseport_ok); + } + + static bool inet_bhash2_conflict(const struct sock *sk, + const struct inet_bind2_bucket *tb2, +- kuid_t sk_uid, ++ kuid_t uid, + bool relax, bool reuseport_cb_ok, + bool reuseport_ok) + { 
+ struct sock *sk2; + + sk_for_each_bound(sk2, &tb2->owners) { +- if (__inet_bhash2_conflict(sk, sk2, sk_uid, relax, ++ if (__inet_bhash2_conflict(sk, sk2, uid, relax, + reuseport_cb_ok, reuseport_ok)) + return true; + } +@@ -242,8 +242,8 @@ static int inet_csk_bind_conflict(const struct sock *sk, + const struct inet_bind2_bucket *tb2, /* may be null */ + bool relax, bool reuseport_ok) + { +- kuid_t uid = sock_i_uid((struct sock *)sk); + struct sock_reuseport *reuseport_cb; ++ kuid_t uid = sk_uid(sk); + bool reuseport_cb_ok; + struct sock *sk2; + +@@ -287,11 +287,11 @@ static int inet_csk_bind_conflict(const struct sock *sk, + static bool inet_bhash2_addr_any_conflict(const struct sock *sk, int port, int l3mdev, + bool relax, bool reuseport_ok) + { +- kuid_t uid = sock_i_uid((struct sock *)sk); + const struct net *net = sock_net(sk); + struct sock_reuseport *reuseport_cb; + struct inet_bind_hashbucket *head2; + struct inet_bind2_bucket *tb2; ++ kuid_t uid = sk_uid(sk); + bool conflict = false; + bool reuseport_cb_ok; + +@@ -425,15 +425,13 @@ inet_csk_find_open_port(const struct sock *sk, struct inet_bind_bucket **tb_ret, + static inline int sk_reuseport_match(struct inet_bind_bucket *tb, + struct sock *sk) + { +- kuid_t uid = sock_i_uid(sk); +- + if (tb->fastreuseport <= 0) + return 0; + if (!sk->sk_reuseport) + return 0; + if (rcu_access_pointer(sk->sk_reuseport_cb)) + return 0; +- if (!uid_eq(tb->fastuid, uid)) ++ if (!uid_eq(tb->fastuid, sk_uid(sk))) + return 0; + /* We only need to check the rcv_saddr if this tb was once marked + * without fastreuseport and then was reset, as we can only know that +@@ -458,14 +456,13 @@ static inline int sk_reuseport_match(struct inet_bind_bucket *tb, + void inet_csk_update_fastreuse(struct inet_bind_bucket *tb, + struct sock *sk) + { +- kuid_t uid = sock_i_uid(sk); + bool reuse = sk->sk_reuse && sk->sk_state != TCP_LISTEN; + + if (hlist_empty(&tb->bhash2)) { + tb->fastreuse = reuse; + if (sk->sk_reuseport) { + 
tb->fastreuseport = FASTREUSEPORT_ANY; +- tb->fastuid = uid; ++ tb->fastuid = sk_uid(sk); + tb->fast_rcv_saddr = sk->sk_rcv_saddr; + tb->fast_ipv6_only = ipv6_only_sock(sk); + tb->fast_sk_family = sk->sk_family; +@@ -492,7 +489,7 @@ void inet_csk_update_fastreuse(struct inet_bind_bucket *tb, + */ + if (!sk_reuseport_match(tb, sk)) { + tb->fastreuseport = FASTREUSEPORT_STRICT; +- tb->fastuid = uid; ++ tb->fastuid = sk_uid(sk); + tb->fast_rcv_saddr = sk->sk_rcv_saddr; + tb->fast_ipv6_only = ipv6_only_sock(sk); + tb->fast_sk_family = sk->sk_family; +diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c +index 1d1d6ad53f4c9..2fa53b16fe778 100644 +--- a/net/ipv4/inet_diag.c ++++ b/net/ipv4/inet_diag.c +@@ -181,7 +181,7 @@ int inet_diag_msg_attrs_fill(struct sock *sk, struct sk_buff *skb, + goto errout; + #endif + +- r->idiag_uid = from_kuid_munged(user_ns, sock_i_uid(sk)); ++ r->idiag_uid = from_kuid_munged(user_ns, sk_uid(sk)); + r->idiag_inode = sock_i_ino(sk); + + memset(&inet_sockopt, 0, sizeof(inet_sockopt)); +diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c +index 77a0b52b2eabf..ceeeec9b7290a 100644 +--- a/net/ipv4/inet_hashtables.c ++++ b/net/ipv4/inet_hashtables.c +@@ -721,8 +721,8 @@ static int inet_reuseport_add_sock(struct sock *sk, + { + struct inet_bind_bucket *tb = inet_csk(sk)->icsk_bind_hash; + const struct hlist_nulls_node *node; ++ kuid_t uid = sk_uid(sk); + struct sock *sk2; +- kuid_t uid = sock_i_uid(sk); + + sk_nulls_for_each_rcu(sk2, node, &ilb->nulls_head) { + if (sk2 != sk && +@@ -730,7 +730,7 @@ static int inet_reuseport_add_sock(struct sock *sk, + ipv6_only_sock(sk2) == ipv6_only_sock(sk) && + sk2->sk_bound_dev_if == sk->sk_bound_dev_if && + inet_csk(sk2)->icsk_bind_hash == tb && +- sk2->sk_reuseport && uid_eq(uid, sock_i_uid(sk2)) && ++ sk2->sk_reuseport && uid_eq(uid, sk_uid(sk2)) && + inet_rcv_saddr_equal(sk, sk2, false)) + return reuseport_add_sock(sk, sk2, + inet_rcv_saddr_any(sk)); +diff --git a/net/ipv4/ping.c 
b/net/ipv4/ping.c +index 4eacaf00e2e9b..031df4c19fcc5 100644 +--- a/net/ipv4/ping.c ++++ b/net/ipv4/ping.c +@@ -1116,7 +1116,7 @@ static void ping_v4_format_sock(struct sock *sp, struct seq_file *f, + sk_wmem_alloc_get(sp), + sk_rmem_alloc_get(sp), + 0, 0L, 0, +- from_kuid_munged(seq_user_ns(f), sock_i_uid(sp)), ++ from_kuid_munged(seq_user_ns(f), sk_uid(sp)), + 0, sock_i_ino(sp), + refcount_read(&sp->sk_refcnt), sp, + atomic_read(&sp->sk_drops)); +diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c +index 32f942d0f944c..1d2c89d63cc71 100644 +--- a/net/ipv4/raw.c ++++ b/net/ipv4/raw.c +@@ -1043,7 +1043,7 @@ static void raw_sock_seq_show(struct seq_file *seq, struct sock *sp, int i) + sk_wmem_alloc_get(sp), + sk_rmem_alloc_get(sp), + 0, 0L, 0, +- from_kuid_munged(seq_user_ns(seq), sock_i_uid(sp)), ++ from_kuid_munged(seq_user_ns(seq), sk_uid(sp)), + 0, sock_i_ino(sp), + refcount_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops)); + } +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index 6a14f9e6fef64..429fb34b075e0 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -2896,7 +2896,7 @@ static void get_openreq4(const struct request_sock *req, + jiffies_delta_to_clock_t(delta), + req->num_timeout, + from_kuid_munged(seq_user_ns(f), +- sock_i_uid(req->rsk_listener)), ++ sk_uid(req->rsk_listener)), + 0, /* non standard timer */ + 0, /* open_requests have no inode */ + 0, +@@ -2954,7 +2954,7 @@ static void get_tcp4_sock(struct sock *sk, struct seq_file *f, int i) + timer_active, + jiffies_delta_to_clock_t(timer_expires - jiffies), + icsk->icsk_retransmits, +- from_kuid_munged(seq_user_ns(f), sock_i_uid(sk)), ++ from_kuid_munged(seq_user_ns(f), sk_uid(sk)), + icsk->icsk_probes_out, + sock_i_ino(sk), + refcount_read(&sk->sk_refcnt), sk, +@@ -3246,9 +3246,9 @@ static int bpf_iter_tcp_seq_show(struct seq_file *seq, void *v) + const struct request_sock *req = v; + + uid = from_kuid_munged(seq_user_ns(seq), +- sock_i_uid(req->rsk_listener)); ++ 
sk_uid(req->rsk_listener)); + } else { +- uid = from_kuid_munged(seq_user_ns(seq), sock_i_uid(sk)); ++ uid = from_kuid_munged(seq_user_ns(seq), sk_uid(sk)); + } + + meta.seq = seq; +diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c +index f94bb222aa2d4..19573ee64a0f1 100644 +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -145,8 +145,8 @@ static int udp_lib_lport_inuse(struct net *net, __u16 num, + unsigned long *bitmap, + struct sock *sk, unsigned int log) + { ++ kuid_t uid = sk_uid(sk); + struct sock *sk2; +- kuid_t uid = sock_i_uid(sk); + + sk_for_each(sk2, &hslot->head) { + if (net_eq(sock_net(sk2), net) && +@@ -158,7 +158,7 @@ static int udp_lib_lport_inuse(struct net *net, __u16 num, + inet_rcv_saddr_equal(sk, sk2, true)) { + if (sk2->sk_reuseport && sk->sk_reuseport && + !rcu_access_pointer(sk->sk_reuseport_cb) && +- uid_eq(uid, sock_i_uid(sk2))) { ++ uid_eq(uid, sk_uid(sk2))) { + if (!bitmap) + return 0; + } else { +@@ -180,8 +180,8 @@ static int udp_lib_lport_inuse2(struct net *net, __u16 num, + struct udp_hslot *hslot2, + struct sock *sk) + { ++ kuid_t uid = sk_uid(sk); + struct sock *sk2; +- kuid_t uid = sock_i_uid(sk); + int res = 0; + + spin_lock(&hslot2->lock); +@@ -195,7 +195,7 @@ static int udp_lib_lport_inuse2(struct net *net, __u16 num, + inet_rcv_saddr_equal(sk, sk2, true)) { + if (sk2->sk_reuseport && sk->sk_reuseport && + !rcu_access_pointer(sk->sk_reuseport_cb) && +- uid_eq(uid, sock_i_uid(sk2))) { ++ uid_eq(uid, sk_uid(sk2))) { + res = 0; + } else { + res = 1; +@@ -210,7 +210,7 @@ static int udp_lib_lport_inuse2(struct net *net, __u16 num, + static int udp_reuseport_add_sock(struct sock *sk, struct udp_hslot *hslot) + { + struct net *net = sock_net(sk); +- kuid_t uid = sock_i_uid(sk); ++ kuid_t uid = sk_uid(sk); + struct sock *sk2; + + sk_for_each(sk2, &hslot->head) { +@@ -220,7 +220,7 @@ static int udp_reuseport_add_sock(struct sock *sk, struct udp_hslot *hslot) + ipv6_only_sock(sk2) == ipv6_only_sock(sk) && + (udp_sk(sk2)->udp_port_hash == 
udp_sk(sk)->udp_port_hash) && + (sk2->sk_bound_dev_if == sk->sk_bound_dev_if) && +- sk2->sk_reuseport && uid_eq(uid, sock_i_uid(sk2)) && ++ sk2->sk_reuseport && uid_eq(uid, sk_uid(sk2)) && + inet_rcv_saddr_equal(sk, sk2, false)) { + return reuseport_add_sock(sk, sk2, + inet_rcv_saddr_any(sk)); +@@ -3387,7 +3387,7 @@ static void udp4_format_sock(struct sock *sp, struct seq_file *f, + sk_wmem_alloc_get(sp), + udp_rqueue_get(sp), + 0, 0L, 0, +- from_kuid_munged(seq_user_ns(f), sock_i_uid(sp)), ++ from_kuid_munged(seq_user_ns(f), sk_uid(sp)), + 0, sock_i_ino(sp), + refcount_read(&sp->sk_refcnt), sp, + atomic_read(&sp->sk_drops)); +@@ -3630,7 +3630,7 @@ static int bpf_iter_udp_seq_show(struct seq_file *seq, void *v) + goto unlock; + } + +- uid = from_kuid_munged(seq_user_ns(seq), sock_i_uid(sk)); ++ uid = from_kuid_munged(seq_user_ns(seq), sk_uid(sk)); + meta.seq = seq; + prog = bpf_iter_get_info(&meta, false); + ret = udp_prog_seq_show(prog, &meta, v, uid, state->bucket); +diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c +index 83f5aa5e133ab..281722817a65c 100644 +--- a/net/ipv6/datagram.c ++++ b/net/ipv6/datagram.c +@@ -1064,7 +1064,7 @@ void __ip6_dgram_sock_seq_show(struct seq_file *seq, struct sock *sp, + sk_wmem_alloc_get(sp), + rqueue, + 0, 0L, 0, +- from_kuid_munged(seq_user_ns(seq), sock_i_uid(sp)), ++ from_kuid_munged(seq_user_ns(seq), sk_uid(sp)), + 0, + sock_i_ino(sp), + refcount_read(&sp->sk_refcnt), sp, +diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c +index 3e83c7b5c14a7..5604ae6163f45 100644 +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -2166,7 +2166,7 @@ static void get_openreq6(struct seq_file *seq, + jiffies_to_clock_t(ttd), + req->num_timeout, + from_kuid_munged(seq_user_ns(seq), +- sock_i_uid(req->rsk_listener)), ++ sk_uid(req->rsk_listener)), + 0, /* non standard timer */ + 0, /* open_requests have no inode */ + 0, req); +@@ -2232,7 +2232,7 @@ static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i) + 
timer_active, + jiffies_delta_to_clock_t(timer_expires - jiffies), + icsk->icsk_retransmits, +- from_kuid_munged(seq_user_ns(seq), sock_i_uid(sp)), ++ from_kuid_munged(seq_user_ns(seq), sk_uid(sp)), + icsk->icsk_probes_out, + sock_i_ino(sp), + refcount_read(&sp->sk_refcnt), sp, +diff --git a/net/key/af_key.c b/net/key/af_key.c +index b5d761700776a..2ebde03522459 100644 +--- a/net/key/af_key.c ++++ b/net/key/af_key.c +@@ -3788,7 +3788,7 @@ static int pfkey_seq_show(struct seq_file *f, void *v) + refcount_read(&s->sk_refcnt), + sk_rmem_alloc_get(s), + sk_wmem_alloc_get(s), +- from_kuid_munged(seq_user_ns(f), sock_i_uid(s)), ++ from_kuid_munged(seq_user_ns(f), sk_uid(s)), + sock_i_ino(s) + ); + return 0; +diff --git a/net/llc/llc_proc.c b/net/llc/llc_proc.c +index 07e9abb5978a7..aa81c67b24a15 100644 +--- a/net/llc/llc_proc.c ++++ b/net/llc/llc_proc.c +@@ -151,7 +151,7 @@ static int llc_seq_socket_show(struct seq_file *seq, void *v) + sk_wmem_alloc_get(sk), + sk_rmem_alloc_get(sk) - llc->copied_seq, + sk->sk_state, +- from_kuid_munged(seq_user_ns(seq), sock_i_uid(sk)), ++ from_kuid_munged(seq_user_ns(seq), sk_uid(sk)), + llc->link); + out: + return 0; +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index c7c7de3403f76..a7017d7f09272 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -4782,7 +4782,7 @@ static int packet_seq_show(struct seq_file *seq, void *v) + READ_ONCE(po->ifindex), + packet_sock_flag(po, PACKET_SOCK_RUNNING), + atomic_read(&s->sk_rmem_alloc), +- from_kuid_munged(seq_user_ns(seq), sock_i_uid(s)), ++ from_kuid_munged(seq_user_ns(seq), sk_uid(s)), + sock_i_ino(s)); + } + +diff --git a/net/packet/diag.c b/net/packet/diag.c +index 47f69f3dbf73e..6ce1dcc284d92 100644 +--- a/net/packet/diag.c ++++ b/net/packet/diag.c +@@ -153,7 +153,7 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb, + + if ((req->pdiag_show & PACKET_SHOW_INFO) && + nla_put_u32(skb, PACKET_DIAG_UID, +- from_kuid_munged(user_ns, 
sock_i_uid(sk)))) ++ from_kuid_munged(user_ns, sk_uid(sk)))) + goto out_nlmsg_trim; + + if ((req->pdiag_show & PACKET_SHOW_MCLIST) && +diff --git a/net/phonet/socket.c b/net/phonet/socket.c +index 5ce0b3ee5def8..ea4d5e6533dba 100644 +--- a/net/phonet/socket.c ++++ b/net/phonet/socket.c +@@ -584,7 +584,7 @@ static int pn_sock_seq_show(struct seq_file *seq, void *v) + sk->sk_protocol, pn->sobject, pn->dobject, + pn->resource, sk->sk_state, + sk_wmem_alloc_get(sk), sk_rmem_alloc_get(sk), +- from_kuid_munged(seq_user_ns(seq), sock_i_uid(sk)), ++ from_kuid_munged(seq_user_ns(seq), sk_uid(sk)), + sock_i_ino(sk), + refcount_read(&sk->sk_refcnt), sk, + atomic_read(&sk->sk_drops)); +@@ -755,7 +755,7 @@ static int pn_res_seq_show(struct seq_file *seq, void *v) + + seq_printf(seq, "%02X %5u %lu", + (int) (psk - pnres.sk), +- from_kuid_munged(seq_user_ns(seq), sock_i_uid(sk)), ++ from_kuid_munged(seq_user_ns(seq), sk_uid(sk)), + sock_i_ino(sk)); + } + seq_pad(seq, '\n'); +diff --git a/net/sctp/input.c b/net/sctp/input.c +index 6fcdcaeed40e9..7e99894778d4f 100644 +--- a/net/sctp/input.c ++++ b/net/sctp/input.c +@@ -756,7 +756,7 @@ static int __sctp_hash_endpoint(struct sctp_endpoint *ep) + struct sock *sk2 = ep2->base.sk; + + if (!net_eq(sock_net(sk2), net) || sk2 == sk || +- !uid_eq(sock_i_uid(sk2), sock_i_uid(sk)) || ++ !uid_eq(sk_uid(sk2), sk_uid(sk)) || + !sk2->sk_reuseport) + continue; + +diff --git a/net/sctp/proc.c b/net/sctp/proc.c +index ec00ee75d59a6..74bff317e205c 100644 +--- a/net/sctp/proc.c ++++ b/net/sctp/proc.c +@@ -177,7 +177,7 @@ static int sctp_eps_seq_show(struct seq_file *seq, void *v) + seq_printf(seq, "%8pK %8pK %-3d %-3d %-4d %-5d %5u %5lu ", ep, sk, + sctp_sk(sk)->type, sk->sk_state, hash, + ep->base.bind_addr.port, +- from_kuid_munged(seq_user_ns(seq), sock_i_uid(sk)), ++ from_kuid_munged(seq_user_ns(seq), sk_uid(sk)), + sock_i_ino(sk)); + + sctp_seq_dump_local_addrs(seq, &ep->base); +@@ -267,7 +267,7 @@ static int sctp_assocs_seq_show(struct seq_file 
*seq, void *v) + assoc->assoc_id, + assoc->sndbuf_used, + atomic_read(&assoc->rmem_alloc), +- from_kuid_munged(seq_user_ns(seq), sock_i_uid(sk)), ++ from_kuid_munged(seq_user_ns(seq), sk_uid(sk)), + sock_i_ino(sk), + epb->bind_addr.port, + assoc->peer.port); +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index 1e5739858c206..aa6400811018e 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -8345,8 +8345,8 @@ static int sctp_get_port_local(struct sock *sk, union sctp_addr *addr) + bool reuse = (sk->sk_reuse || sp->reuse); + struct sctp_bind_hashbucket *head; /* hash list */ + struct net *net = sock_net(sk); +- kuid_t uid = sock_i_uid(sk); + struct sctp_bind_bucket *pp; ++ kuid_t uid = sk_uid(sk); + unsigned short snum; + int ret; + +@@ -8444,7 +8444,7 @@ static int sctp_get_port_local(struct sock *sk, union sctp_addr *addr) + (reuse && (sk2->sk_reuse || sp2->reuse) && + sk2->sk_state != SCTP_SS_LISTENING) || + (sk->sk_reuseport && sk2->sk_reuseport && +- uid_eq(uid, sock_i_uid(sk2)))) ++ uid_eq(uid, sk_uid(sk2)))) + continue; + + if ((!sk->sk_bound_dev_if || !bound_dev_if2 || +diff --git a/net/smc/smc_diag.c b/net/smc/smc_diag.c +index 6fdb2d96777ad..8ed2f6689b017 100644 +--- a/net/smc/smc_diag.c ++++ b/net/smc/smc_diag.c +@@ -64,7 +64,7 @@ static int smc_diag_msg_attrs_fill(struct sock *sk, struct sk_buff *skb, + if (nla_put_u8(skb, SMC_DIAG_SHUTDOWN, sk->sk_shutdown)) + return 1; + +- r->diag_uid = from_kuid_munged(user_ns, sock_i_uid(sk)); ++ r->diag_uid = from_kuid_munged(user_ns, sk_uid(sk)); + r->diag_inode = sock_i_ino(sk); + return 0; + } +diff --git a/net/tipc/socket.c b/net/tipc/socket.c +index 7c61d47ea2086..e028bf6584992 100644 +--- a/net/tipc/socket.c ++++ b/net/tipc/socket.c +@@ -3642,7 +3642,7 @@ int tipc_sk_fill_sock_diag(struct sk_buff *skb, struct netlink_callback *cb, + nla_put_u32(skb, TIPC_NLA_SOCK_INO, sock_i_ino(sk)) || + nla_put_u32(skb, TIPC_NLA_SOCK_UID, + from_kuid_munged(sk_user_ns(NETLINK_CB(cb->skb).sk), +- 
sock_i_uid(sk))) || ++ sk_uid(sk))) || + nla_put_u64_64bit(skb, TIPC_NLA_SOCK_COOKIE, + tipc_diag_gen_cookie(sk), + TIPC_NLA_SOCK_PAD)) +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 52b155123985a..564c970d97fff 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -3697,7 +3697,7 @@ static int bpf_iter_unix_seq_show(struct seq_file *seq, void *v) + goto unlock; + } + +- uid = from_kuid_munged(seq_user_ns(seq), sock_i_uid(sk)); ++ uid = from_kuid_munged(seq_user_ns(seq), sk_uid(sk)); + meta.seq = seq; + prog = bpf_iter_get_info(&meta, false); + ret = unix_prog_seq_show(prog, &meta, v, uid); +diff --git a/net/unix/diag.c b/net/unix/diag.c +index 79b182d0e62ae..ca34730261510 100644 +--- a/net/unix/diag.c ++++ b/net/unix/diag.c +@@ -106,7 +106,7 @@ static int sk_diag_show_rqlen(struct sock *sk, struct sk_buff *nlskb) + static int sk_diag_dump_uid(struct sock *sk, struct sk_buff *nlskb, + struct user_namespace *user_ns) + { +- uid_t uid = from_kuid_munged(user_ns, sock_i_uid(sk)); ++ uid_t uid = from_kuid_munged(user_ns, sk_uid(sk)); + return nla_put(nlskb, UNIX_DIAG_UID, sizeof(uid_t), &uid); + } + +diff --git a/net/xdp/xsk_diag.c b/net/xdp/xsk_diag.c +index 09dcea0cbbed9..0e0bca031c039 100644 +--- a/net/xdp/xsk_diag.c ++++ b/net/xdp/xsk_diag.c +@@ -119,7 +119,7 @@ static int xsk_diag_fill(struct sock *sk, struct sk_buff *nlskb, + + if ((req->xdiag_show & XDP_SHOW_INFO) && + nla_put_u32(nlskb, XDP_DIAG_UID, +- from_kuid_munged(user_ns, sock_i_uid(sk)))) ++ from_kuid_munged(user_ns, sk_uid(sk)))) + goto out_nlmsg_trim; + + if ((req->xdiag_show & XDP_SHOW_RING_CFG) && +-- +2.50.1 + diff --git a/queue-6.16/net-smc-fix-one-null-pointer-dereference-in-smc_ib_i.patch b/queue-6.16/net-smc-fix-one-null-pointer-dereference-in-smc_ib_i.patch new file mode 100644 index 0000000000..f2666cafe9 --- /dev/null +++ b/queue-6.16/net-smc-fix-one-null-pointer-dereference-in-smc_ib_i.patch 
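Review bot: the declaration moves in the udp_lib_lport_inuse(), udp_lib_lport_inuse2() and sctp_get_port_local() hunks (`kuid_t uid = sk_uid(sk);` moved above `struct sock *sk2;` in net/ipv4/udp.c and below `struct sctp_bind_bucket *pp;` in net/sctp/socket.c) are pure reorderings that the substitution does not need; in a stable backport they add churn with no functional effect, so keep them only if they are required to apply the upstream commit cleanly, otherwise limit the diff to the sock_i_uid() to sk_uid() replacements. Every other hunk on this stretch is a one-for-one substitution with unchanged arguments, including the split call sites in net/packet/diag.c and net/tipc/socket.c, so nothing else needs attention here.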
@@ -0,0 +1,67 @@ +From b4ec076f5d12b6bddca66516150211cf51e39ec3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Aug 2025 20:41:17 +0800 +Subject: net/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync() + +From: Liu Jian + +[ Upstream commit ba1e9421cf1a8369d25c3832439702a015d6b5f9 ] + +BUG: kernel NULL pointer dereference, address: 00000000000002ec +PGD 0 P4D 0 +Oops: Oops: 0000 [#1] SMP PTI +CPU: 28 UID: 0 PID: 343 Comm: kworker/28:1 Kdump: loaded Tainted: G OE 6.17.0-rc2+ #9 NONE +Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 +Workqueue: smc_hs_wq smc_listen_work [smc] +RIP: 0010:smc_ib_is_sg_need_sync+0x9e/0xd0 [smc] +... +Call Trace: + + smcr_buf_map_link+0x211/0x2a0 [smc] + __smc_buf_create+0x522/0x970 [smc] + smc_buf_create+0x3a/0x110 [smc] + smc_find_rdma_v2_device_serv+0x18f/0x240 [smc] + ? smc_vlan_by_tcpsk+0x7e/0xe0 [smc] + smc_listen_find_device+0x1dd/0x2b0 [smc] + smc_listen_work+0x30f/0x580 [smc] + process_one_work+0x18c/0x340 + worker_thread+0x242/0x360 + kthread+0xe7/0x220 + ret_from_fork+0x13a/0x160 + ret_from_fork_asm+0x1a/0x30 + + +If the software RoCE device is used, ibdev->dma_device is a null pointer. +As a result, the problem occurs. Null pointer detection is added to +prevent problems. + +Fixes: 0ef69e788411c ("net/smc: optimize for smc_sndbuf_sync_sg_for_device and smc_rmb_sync_sg_for_cpu") +Signed-off-by: Liu Jian +Reviewed-by: Guangguan Wang +Reviewed-by: Zhu Yanjun +Reviewed-by: D. 
Wythe +Link: https://patch.msgid.link/20250828124117.2622624-1-liujian56@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/smc/smc_ib.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/smc/smc_ib.c b/net/smc/smc_ib.c +index 53828833a3f7f..a42ef3f77b961 100644 +--- a/net/smc/smc_ib.c ++++ b/net/smc/smc_ib.c +@@ -742,6 +742,9 @@ bool smc_ib_is_sg_need_sync(struct smc_link *lnk, + unsigned int i; + bool ret = false; + ++ if (!lnk->smcibdev->ibdev->dma_device) ++ return ret; ++ + /* for now there is just one DMA address */ + for_each_sg(buf_slot->sgt[lnk->link_idx].sgl, sg, + buf_slot->sgt[lnk->link_idx].nents, i) { +-- +2.50.1 + diff --git a/queue-6.16/net-smc-remove-validation-of-reserved-bits-in-clc-de.patch b/queue-6.16/net-smc-remove-validation-of-reserved-bits-in-clc-de.patch new file mode 100644 index 0000000000..db11bd23cb --- /dev/null +++ b/queue-6.16/net-smc-remove-validation-of-reserved-bits-in-clc-de.patch 
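Review bot: the early return added at the top of smc_ib_is_sg_need_sync() (`if (!lnk->smcibdev->ibdev->dma_device)` / `return ret;`) silently reports "no sync needed" for a device without a dma_device, which the commit message identifies as the software RoCE case; a one-line comment there saying that a NULL dma_device means there is no DMA mapping to synchronize would stop a later reader from taking it for a swallowed error, and `return false;` would read more directly than `return ret;` when `ret` was initialized to false two lines above. The check also dereferences lnk->smcibdev and ->ibdev unguarded; that is fine only if both are guaranteed non-NULL for any link reaching this function, which this hunk does not show, so worth confirming.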
@@ -0,0 +1,48 @@ +From 391391fa17c210edb8fb020b93ca6de1b971a86c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Sep 2025 10:20:41 +0200 +Subject: net/smc: Remove validation of reserved bits in CLC Decline message + +From: Mahanta Jambigi + +[ Upstream commit cc282f73bc0cbdf3ee7af2f2d3a2ef4e6b19242d ] + +Currently SMC code is validating the reserved bits while parsing the incoming +CLC decline message & when this validation fails, its treated as a protocol +error. As a result, the SMC connection is terminated instead of falling back to +TCP. As per RFC7609[1] specs we shouldn't be validating the reserved bits that +is part of CLC message. This patch fixes this issue. + +CLC Decline message format can viewed here[2]. + +[1] https://datatracker.ietf.org/doc/html/rfc7609#page-92 +[2] https://datatracker.ietf.org/doc/html/rfc7609#page-105 + +Fixes: 8ade200c269f ("net/smc: add v2 format of CLC decline message") +Signed-off-by: Mahanta Jambigi +Reviewed-by: Sidraya Jayagond +Reviewed-by: Alexandra Winter +Reviewed-by: Dust Li +Link: https://patch.msgid.link/20250902082041.98996-1-mjambigi@linux.ibm.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/smc/smc_clc.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c +index 521f5df80e10c..8a794333e9927 100644 +--- a/net/smc/smc_clc.c ++++ b/net/smc/smc_clc.c +@@ -426,8 +426,6 @@ smc_clc_msg_decl_valid(struct smc_clc_msg_decline *dclc) + { + struct smc_clc_msg_hdr *hdr = &dclc->hdr; + +- if (hdr->typev1 != SMC_TYPE_R && hdr->typev1 != SMC_TYPE_D) +- return false; + if (hdr->version == SMC_V1) { + if (ntohs(hdr->length) != sizeof(struct smc_clc_msg_decline)) + return false; +-- +2.50.1 + diff --git a/queue-6.16/net-tcp-fix-socket-memory-leak-in-tcp-ao-failure-han.patch b/queue-6.16/net-tcp-fix-socket-memory-leak-in-tcp-ao-failure-han.patch new file mode 100644 index 0000000000..3e2171e12d --- /dev/null 
+++ b/queue-6.16/net-tcp-fix-socket-memory-leak-in-tcp-ao-failure-han.patch 
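Review bot: dropping the `hdr->typev1 != SMC_TYPE_R && hdr->typev1 != SMC_TYPE_D` test from smc_clc_msg_decl_valid() leaves only the version and length checks, which the commit message grounds in RFC 7609 treating those bits as reserved; a short comment at the removal site (for example "typev1 is reserved in the CLC Decline message per RFC 7609; do not validate it") would keep the check from being reintroduced in a future cleanup, since the function name still suggests full header validation. Also worth confirming that no other code path treated a decline's typev1 as meaningful before this change; that is not visible in the hunk.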
@@ -0,0 +1,135 @@ +From 0746a3835a3f0fc7d17a109173b50fbc0d28dfe6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 Aug 2025 15:55:38 -0700 +Subject: net/tcp: Fix socket memory leak in TCP-AO failure handling for IPv6 + +From: Christoph Paasch + +[ Upstream commit fa390321aba0a54d0f7ae95ee4ecde1358bb9234 ] + +When tcp_ao_copy_all_matching() fails in tcp_v6_syn_recv_sock() it just +exits the function. This ends up causing a memory-leak: + +unreferenced object 0xffff0000281a8200 (size 2496): + comm "softirq", pid 0, jiffies 4295174684 + hex dump (first 32 bytes): + 7f 00 00 06 7f 00 00 06 00 00 00 00 cb a8 88 13 ................ + 0a 00 03 61 00 00 00 00 00 00 00 00 00 00 00 00 ...a............ + backtrace (crc 5ebdbe15): + kmemleak_alloc+0x44/0xe0 + kmem_cache_alloc_noprof+0x248/0x470 + sk_prot_alloc+0x48/0x120 + sk_clone_lock+0x38/0x3b0 + inet_csk_clone_lock+0x34/0x150 + tcp_create_openreq_child+0x3c/0x4a8 + tcp_v6_syn_recv_sock+0x1c0/0x620 + tcp_check_req+0x588/0x790 + tcp_v6_rcv+0x5d0/0xc18 + ip6_protocol_deliver_rcu+0x2d8/0x4c0 + ip6_input_finish+0x74/0x148 + ip6_input+0x50/0x118 + ip6_sublist_rcv+0x2fc/0x3b0 + ipv6_list_rcv+0x114/0x170 + __netif_receive_skb_list_core+0x16c/0x200 + netif_receive_skb_list_internal+0x1f0/0x2d0 + +This is because in tcp_v6_syn_recv_sock (and the IPv4 counterpart), when +exiting upon error, inet_csk_prepare_forced_close() and tcp_done() need +to be called. They make sure the newsk will end up being correctly +free'd. + +tcp_v4_syn_recv_sock() makes this very clear by having the put_and_exit +label that takes care of things. So, this patch here makes sure +tcp_v4_syn_recv_sock and tcp_v6_syn_recv_sock have similar +error-handling and thus fixes the leak for TCP-AO. 
+ +Fixes: 06b22ef29591 ("net/tcp: Wire TCP-AO to request sockets") +Signed-off-by: Christoph Paasch +Reviewed-by: Dmitry Safonov <0x7f454c46@gmail.com> +Link: https://patch.msgid.link/20250830-tcpao_leak-v1-1-e5878c2c3173@openai.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/tcp_ipv6.c | 32 +++++++++++++++----------------- + 1 file changed, 15 insertions(+), 17 deletions(-) + +diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c +index f61b0396ef6b1..3e83c7b5c14a7 100644 +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -1431,17 +1431,17 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff * + ireq = inet_rsk(req); + + if (sk_acceptq_is_full(sk)) +- goto out_overflow; ++ goto exit_overflow; + + if (!dst) { + dst = inet6_csk_route_req(sk, &fl6, req, IPPROTO_TCP); + if (!dst) +- goto out; ++ goto exit; + } + + newsk = tcp_create_openreq_child(sk, req, skb); + if (!newsk) +- goto out_nonewsk; ++ goto exit_nonewsk; + + /* + * No need to charge this sock to the relevant IPv6 refcnt debug socks +@@ -1525,25 +1525,19 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff * + const union tcp_md5_addr *addr; + + addr = (union tcp_md5_addr *)&newsk->sk_v6_daddr; +- if (tcp_md5_key_copy(newsk, addr, AF_INET6, 128, l3index, key)) { +- inet_csk_prepare_forced_close(newsk); +- tcp_done(newsk); +- goto out; +- } ++ if (tcp_md5_key_copy(newsk, addr, AF_INET6, 128, l3index, key)) ++ goto put_and_exit; + } + } + #endif + #ifdef CONFIG_TCP_AO + /* Copy over tcp_ao_info if any */ + if (tcp_ao_copy_all_matching(sk, newsk, req, skb, AF_INET6)) +- goto out; /* OOM */ ++ goto put_and_exit; /* OOM */ + #endif + +- if (__inet_inherit_port(sk, newsk) < 0) { +- inet_csk_prepare_forced_close(newsk); +- tcp_done(newsk); +- goto out; +- } ++ if (__inet_inherit_port(sk, newsk) < 0) ++ goto put_and_exit; + *own_req = inet_ehash_nolisten(newsk, req_to_sk(req_unhash), + &found_dup_sk); + if (*own_req) { 
+@@ -1570,13 +1564,17 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff * + + return newsk; + +-out_overflow: ++exit_overflow: + __NET_INC_STATS(sock_net(sk), LINUX_MIB_LISTENOVERFLOWS); +-out_nonewsk: ++exit_nonewsk: + dst_release(dst); +-out: ++exit: + tcp_listendrop(sk); + return NULL; ++put_and_exit: ++ inet_csk_prepare_forced_close(newsk); ++ tcp_done(newsk); ++ goto exit; + } + + INDIRECT_CALLABLE_DECLARE(struct dst_entry *ipv4_dst_check(struct dst_entry *, +-- +2.50.1 + diff --git a/queue-6.16/net-thunder_bgx-add-a-missing-of_node_put.patch b/queue-6.16/net-thunder_bgx-add-a-missing-of_node_put.patch new file mode 100644 index 0000000000..8b9e00c489 --- /dev/null +++ b/queue-6.16/net-thunder_bgx-add-a-missing-of_node_put.patch 
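Review bot: the new `put_and_exit:` label in tcp_v6_syn_recv_sock() runs inet_csk_prepare_forced_close(newsk) and tcp_done(newsk) and then jumps to `exit:`, which calls tcp_listendrop(sk) but, unlike `exit_nonewsk:`, never calls dst_release(dst); that is only correct if ownership of dst has already passed to newsk by the time the tcp_md5_key_copy(), tcp_ao_copy_all_matching() and __inet_inherit_port() failure paths run, which this hunk does not show, so a comment at the label stating that newsk owns dst at that point would help the next reader. The CONFIG_TCP_AO path is the actual fix: it previously jumped straight to the old `out` label with newsk allocated, leaking it as the kmemleak report shows. The out_* to exit_* renames are cosmetic and add churn to a stable backport; keep them only if the upstream commit does not apply without them.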
@@ -0,0 +1,53 @@ +From a8784fc1348050c072739b3589d766806fd5ece1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Sep 2025 14:30:18 -0700 +Subject: net: thunder_bgx: add a missing of_node_put + +From: Rosen Penev + +[ Upstream commit 9d28f94912589f04ab51fbccaef287d4f40e0d1f ] + +phy_np needs to get freed, just like the other child nodes. + +Fixes: 5fc7cf179449 ("net: thunderx: Cleanup PHY probing code.") +Signed-off-by: Rosen Penev +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250901213018.47392-1-rosenp@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/cavium/thunder/thunder_bgx.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c +index 21495b5dce254..0f913db4814ea 100644 +--- a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c ++++ b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c +@@ -1493,13 +1493,17 @@ static int bgx_init_of_phy(struct bgx *bgx) + * this cortina phy, for which there is no driver + * support, ignore it. + */ +- if (phy_np && +- !of_device_is_compatible(phy_np, "cortina,cs4223-slice")) { +- /* Wait until the phy drivers are available */ +- pd = of_phy_find_device(phy_np); +- if (!pd) +- goto defer; +- bgx->lmac[lmac].phydev = pd; ++ if (phy_np) { ++ if (!of_device_is_compatible(phy_np, "cortina,cs4223-slice")) { ++ /* Wait until the phy drivers are available */ ++ pd = of_phy_find_device(phy_np); ++ if (!pd) { ++ of_node_put(phy_np); ++ goto defer; ++ } ++ bgx->lmac[lmac].phydev = pd; ++ } ++ of_node_put(phy_np); + } + + lmac++; +-- +2.50.1 + diff --git a/queue-6.16/net-thunder_bgx-decrement-cleanup-index-before-use.patch b/queue-6.16/net-thunder_bgx-decrement-cleanup-index-before-use.patch new file mode 100644 index 0000000000..59ad89ae1b --- /dev/null +++ b/queue-6.16/net-thunder_bgx-decrement-cleanup-index-before-use.patch 
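Review bot: the restructured block in bgx_init_of_phy() now carries two of_node_put(phy_np) calls, one inside the `if (!pd)` error branch before `goto defer` and one after the inner if, and the extra nesting pushes the of_device_is_compatible() line well past 80 columns; since phy_np is not used after of_phy_find_device() returns (pd holds its own device reference), dropping the node reference directly after that call, before the `if (!pd)` test, would take the put out of the error branch and make the node's lifetime obvious, leaving the second put only for the cortina skip case. Either shape is correct; the suggested one just keeps the release next to the last use of the node.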
@@ -0,0 +1,44 @@ +From f0a2e5542c8180353ac6cd23d8bc3ee1244419a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Sep 2025 14:33:14 -0700 +Subject: net: thunder_bgx: decrement cleanup index before use + +From: Rosen Penev + +[ Upstream commit 9e3d71a92e561ccc77025689dab25d201fee7a3e ] + +All paths in probe that call goto defer do so before assigning phydev +and thus it makes sense to cleanup the prior index. It also fixes a bug +where index 0 does not get cleaned up. + +Fixes: b7d3e3d3d21a ("net: thunderx: Don't leak phy device references on -EPROBE_DEFER condition.") +Signed-off-by: Rosen Penev +Reviewed-by: Vadim Fedorenko +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250901213314.48599-1-rosenp@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c +index 0f913db4814ea..9efb60842ad1f 100644 +--- a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c ++++ b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c +@@ -1519,11 +1519,11 @@ static int bgx_init_of_phy(struct bgx *bgx) + * for phy devices we may have already found. + */ + while (lmac) { ++ lmac--; + if (bgx->lmac[lmac].phydev) { + put_device(&bgx->lmac[lmac].phydev->mdio.dev); + bgx->lmac[lmac].phydev = NULL; + } +- lmac--; + } + of_node_put(node); + return -EPROBE_DEFER; +-- +2.50.1 + diff --git a/queue-6.16/net-xilinx-axienet-add-error-handling-for-rx-metadat.patch b/queue-6.16/net-xilinx-axienet-add-error-handling-for-rx-metadat.patch new file mode 100644 index 0000000000..dc9d26e386 --- /dev/null +++ b/queue-6.16/net-xilinx-axienet-add-error-handling-for-rx-metadat.patch 
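Review bot: moving `lmac--;` ahead of the `if (bgx->lmac[lmac].phydev)` test makes the cleanup loop visit indexes lmac-1 down to 0 instead of lmac down to 1, which fixes both problems the commit message names (index 0 was never cleaned, and the not-yet-assigned current index was inspected); the of_node_put patch just above on this page shows every `goto defer` fires before `bgx->lmac[lmac].phydev = pd;` for the current index, so skipping the current slot is safe. One thing to confirm outside the hunk: `lmac` must never be negative on entry, because `while (lmac)` with the decrement first would otherwise keep looping below index 0.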
@@ -0,0 +1,58 @@ +From c4404f0b03906d917ec22f125b30dce40b80e70d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Sep 2025 08:22:13 +0530 +Subject: net: xilinx: axienet: Add error handling for RX metadata pointer + retrieval + +From: Abin Joseph + +[ Upstream commit 8bbceba7dc5090c00105e006ce28d1292cfda8dd ] + +Add proper error checking for dmaengine_desc_get_metadata_ptr() which +can return an error pointer and lead to potential crashes or undefined +behaviour if the pointer retrieval fails. + +Properly handle the error by unmapping DMA buffer, freeing the skb and +returning early to prevent further processing with invalid data. + +Fixes: 6a91b846af85 ("net: axienet: Introduce dmaengine support") +Signed-off-by: Abin Joseph +Reviewed-by: Radhey Shyam Pandey +Link: https://patch.msgid.link/20250903025213.3120181-1-abin.joseph@amd.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +index 0d8a05fe541af..ec6d47dc984aa 100644 +--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c ++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +@@ -1168,6 +1168,15 @@ static void axienet_dma_rx_cb(void *data, const struct dmaengine_result *result) + &meta_max_len); + dma_unmap_single(lp->dev, skbuf_dma->dma_address, lp->max_frm_size, + DMA_FROM_DEVICE); ++ ++ if (IS_ERR(app_metadata)) { ++ if (net_ratelimit()) ++ netdev_err(lp->ndev, "Failed to get RX metadata pointer\n"); ++ dev_kfree_skb_any(skb); ++ lp->ndev->stats.rx_dropped++; ++ goto rx_submit; ++ } ++ + /* TODO: Derive app word index programmatically */ + rx_len = (app_metadata[LEN_APP] & 0xFFFF); + skb_put(skb, rx_len); +@@ -1180,6 +1189,7 @@ static void axienet_dma_rx_cb(void *data, const struct dmaengine_result *result) + u64_stats_add(&lp->rx_bytes, rx_len); + 
u64_stats_update_end(&lp->rx_stat_sync); + ++rx_submit: + for (i = 0; i < CIRC_SPACE(lp->rx_ring_head, lp->rx_ring_tail, + RX_BUF_NUM_DEFAULT); i++) + axienet_rx_submit_desc(lp->ndev); +-- +2.50.1 + diff --git a/queue-6.16/net_sched-gen_estimator-fix-est_timer-vs-config_pree.patch b/queue-6.16/net_sched-gen_estimator-fix-est_timer-vs-config_pree.patch new file mode 100644 index 0000000000..3b66d46839 --- /dev/null +++ b/queue-6.16/net_sched-gen_estimator-fix-est_timer-vs-config_pree.patch 
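Review bot: the new IS_ERR(app_metadata) branch in axienet_dma_rx_cb() bumps `lp->ndev->stats.rx_dropped++` as a plain read-modify-write, while the byte/packet accounting a few lines below goes through u64_stats_update_begin()/u64_stats_add()/u64_stats_update_end() on lp->rx_stat_sync; if this completion callback can run on more than one CPU at a time the unsynchronized increment can lose drops, so either confirm the callback is serialized per device or route the drop counter through the same u64_stats path for consistency. The rest of the branch is in the right order: the buffer is unmapped before the check, the skb is released with dev_kfree_skb_any(), and `goto rx_submit` still refills the ring so a bad descriptor does not starve RX. The rate-limited netdev_err() could also report PTR_ERR(app_metadata) to make the failure diagnosable.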
@@ -0,0 +1,73 @@ +From 01078420ce6e0e9aaf11d55686a33bd93eea23f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Aug 2025 16:23:52 +0000 +Subject: net_sched: gen_estimator: fix est_timer() vs CONFIG_PREEMPT_RT=y + +From: Eric Dumazet + +[ Upstream commit 9f74c0ea9b26d1505d55b61e36b1623dd347e1d1 ] + +syzbot reported a WARNING in est_timer() [1] + +Problem here is that with CONFIG_PREEMPT_RT=y, timer callbacks +can be preempted. + +Adopt preempt_disable_nested()/preempt_enable_nested() to fix this. + +[1] + WARNING: CPU: 0 PID: 16 at ./include/linux/seqlock.h:221 __seqprop_assert include/linux/seqlock.h:221 [inline] + WARNING: CPU: 0 PID: 16 at ./include/linux/seqlock.h:221 est_timer+0x6dc/0x9f0 net/core/gen_estimator.c:93 +Modules linked in: +CPU: 0 UID: 0 PID: 16 Comm: ktimers/0 Not tainted syzkaller #0 PREEMPT_{RT,(full)} +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 + RIP: 0010:__seqprop_assert include/linux/seqlock.h:221 [inline] + RIP: 0010:est_timer+0x6dc/0x9f0 net/core/gen_estimator.c:93 +Call Trace: + + call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747 + expire_timers kernel/time/timer.c:1798 [inline] + __run_timers kernel/time/timer.c:2372 [inline] + __run_timer_base+0x648/0x970 kernel/time/timer.c:2384 + run_timer_base kernel/time/timer.c:2393 [inline] + run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403 + handle_softirqs+0x22c/0x710 kernel/softirq.c:579 + __do_softirq kernel/softirq.c:613 [inline] + run_ktimerd+0xcf/0x190 kernel/softirq.c:1043 + smpboot_thread_fn+0x53f/0xa60 kernel/smpboot.c:160 + kthread+0x70e/0x8a0 kernel/kthread.c:463 + ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 + + +Fixes: d2d6422f8bd1 ("x86: Allow to enable PREEMPT_RT.") +Reported-by: syzbot+72db9ee39db57c3fecc5@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/68adf6fa.a70a0220.3cafd4.0000.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet 
+Reviewed-by: Sebastian Andrzej Siewior +Link: https://patch.msgid.link/20250827162352.3960779-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/gen_estimator.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/core/gen_estimator.c b/net/core/gen_estimator.c +index 7d426a8e29f30..f112156db587b 100644 +--- a/net/core/gen_estimator.c ++++ b/net/core/gen_estimator.c +@@ -90,10 +90,12 @@ static void est_timer(struct timer_list *t) + rate = (b_packets - est->last_packets) << (10 - est->intvl_log); + rate = (rate >> est->ewma_log) - (est->avpps >> est->ewma_log); + ++ preempt_disable_nested(); + write_seqcount_begin(&est->seq); + est->avbps += brate; + est->avpps += rate; + write_seqcount_end(&est->seq); ++ preempt_enable_nested(); + + est->last_bytes = b_bytes; + est->last_packets = b_packets; +-- +2.50.1 + diff --git a/queue-6.16/netfilter-br_netfilter-do-not-check-confirmed-bit-in.patch b/queue-6.16/netfilter-br_netfilter-do-not-check-confirmed-bit-in.patch new file mode 100644 index 0000000000..33f37497d8 --- /dev/null +++ b/queue-6.16/netfilter-br_netfilter-do-not-check-confirmed-bit-in.patch 
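Review bot: the preempt_disable_nested()/preempt_enable_nested() pair wrapped around write_seqcount_begin(&est->seq) .. write_seqcount_end(&est->seq) in est_timer() deserves a comment, because on non-RT kernels these calls are no-ops and a reader will wonder why a timer callback disables preemption; the reason, as the commit message states, is that with CONFIG_PREEMPT_RT=y timer callbacks are preemptible, and a seqcount writer must not be preempted while the sequence is odd, which is what the __seqprop_assert warning at seqlock.h:221 in the syzbot trace points at. The window covers only the two avbps/avpps updates, so the critical section is as small as it can be.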
@@ -0,0 +1,77 @@ +From e5c1216662d1adb09a81d49eca1a90b125da138e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Aug 2025 11:52:19 +0800 +Subject: netfilter: br_netfilter: do not check confirmed bit in + br_nf_local_in() after confirm + +From: Wang Liang + +[ Upstream commit 479a54ab92087318514c82428a87af2d7af1a576 ] + +When send a broadcast packet to a tap device, which was added to a bridge, +br_nf_local_in() is called to confirm the conntrack. If another conntrack +with the same hash value is added to the hash table, which can be +triggered by a normal packet to a non-bridge device, the below warning +may happen. + + ------------[ cut here ]------------ + WARNING: CPU: 1 PID: 96 at net/bridge/br_netfilter_hooks.c:632 br_nf_local_in+0x168/0x200 + CPU: 1 UID: 0 PID: 96 Comm: tap_send Not tainted 6.17.0-rc2-dirty #44 PREEMPT(voluntary) + RIP: 0010:br_nf_local_in+0x168/0x200 + Call Trace: + + nf_hook_slow+0x3e/0xf0 + br_pass_frame_up+0x103/0x180 + br_handle_frame_finish+0x2de/0x5b0 + br_nf_hook_thresh+0xc0/0x120 + br_nf_pre_routing_finish+0x168/0x3a0 + br_nf_pre_routing+0x237/0x5e0 + br_handle_frame+0x1ec/0x3c0 + __netif_receive_skb_core+0x225/0x1210 + __netif_receive_skb_one_core+0x37/0xa0 + netif_receive_skb+0x36/0x160 + tun_get_user+0xa54/0x10c0 + tun_chr_write_iter+0x65/0xb0 + vfs_write+0x305/0x410 + ksys_write+0x60/0xd0 + do_syscall_64+0xa4/0x260 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + + ---[ end trace 0000000000000000 ]--- + +To solve the hash conflict, nf_ct_resolve_clash() try to merge the +conntracks, and update skb->_nfct. However, br_nf_local_in() still use the +old ct from local variable 'nfct' after confirm(), which leads to this +warning. + +If confirm() does not insert the conntrack entry and return NF_DROP, the +warning may also occur. There is no need to reserve the WARN_ON_ONCE, just +remove it. 
+ +Link: https://lore.kernel.org/netdev/20250820043329.2902014-1-wangliang74@huawei.com/ +Fixes: 62e7151ae3eb ("netfilter: bridge: confirm multicast packets before passing them up the stack") +Suggested-by: Florian Westphal +Signed-off-by: Wang Liang +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/bridge/br_netfilter_hooks.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c +index 94cbe967d1c16..083e2fe96441d 100644 +--- a/net/bridge/br_netfilter_hooks.c ++++ b/net/bridge/br_netfilter_hooks.c +@@ -626,9 +626,6 @@ static unsigned int br_nf_local_in(void *priv, + break; + } + +- ct = container_of(nfct, struct nf_conn, ct_general); +- WARN_ON_ONCE(!nf_ct_is_confirmed(ct)); +- + return ret; + } + #endif +-- +2.50.1 + diff --git a/queue-6.16/netfilter-conntrack-helper-replace-eexist-by-ebusy.patch b/queue-6.16/netfilter-conntrack-helper-replace-eexist-by-ebusy.patch new file mode 100644 index 0000000000..507627ca61 --- /dev/null +++ b/queue-6.16/netfilter-conntrack-helper-replace-eexist-by-ebusy.patch 
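Review bot: with `ct = container_of(nfct, struct nf_conn, ct_general);` and the WARN_ON_ONCE removed from the tail of br_nf_local_in(), check that `ct` still has a use earlier in the function; if this was its only assignment the local declaration should go as well, or the build will warn about an unused variable (the diffstat shows three deletions only, so the declaration was kept). The removal itself is right per the commit message: after confirm() the entry referenced by the stale `nfct` local may have been replaced by nf_ct_resolve_clash() or dropped, so asserting on it asserts on the wrong object. If a sanity check is still wanted, re-reading skb_nfct(skb) after confirm() would be the object to test.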
@@ -0,0 +1,50 @@ +From d5d35dc9ac72f55cd420ae829a3f9bc5760ac1b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Aug 2025 13:22:20 +0200 +Subject: netfilter: conntrack: helper: Replace -EEXIST by -EBUSY + +From: Phil Sutter + +[ Upstream commit 54416fd76770bd04fc3c501810e8d673550bab26 ] + +The helper registration return value is passed-through by module_init +callbacks which modprobe confuses with the harmless -EEXIST returned +when trying to load an already loaded module. + +Make sure modprobe fails so users notice their helper has not been +registered and won't work. + +Suggested-by: Christophe Leroy +Fixes: 12f7a505331e ("netfilter: add user-space connection tracking helper infrastructure") +Signed-off-by: Phil Sutter +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_helper.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c +index 4ed5878cb25b1..ceb48c3ca0a43 100644 +--- a/net/netfilter/nf_conntrack_helper.c ++++ b/net/netfilter/nf_conntrack_helper.c +@@ -368,7 +368,7 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me) + (cur->tuple.src.l3num == NFPROTO_UNSPEC || + cur->tuple.src.l3num == me->tuple.src.l3num) && + cur->tuple.dst.protonum == me->tuple.dst.protonum) { +- ret = -EEXIST; ++ ret = -EBUSY; + goto out; + } + } +@@ -379,7 +379,7 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me) + hlist_for_each_entry(cur, &nf_ct_helper_hash[h], hnode) { + if (nf_ct_tuple_src_mask_cmp(&cur->tuple, &me->tuple, + &mask)) { +- ret = -EEXIST; ++ ret = -EBUSY; + goto out; + } + } +-- +2.50.1 + diff --git a/queue-6.16/netfilter-nf_tables-introduce-nfta_device_prefix.patch b/queue-6.16/netfilter-nf_tables-introduce-nfta_device_prefix.patch new file mode 100644 index 0000000000..3f410ee81d --- /dev/null +++ b/queue-6.16/netfilter-nf_tables-introduce-nfta_device_prefix.patch 
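Review bot: both `ret = -EEXIST;` sites in nf_conntrack_helper_register() now return -EBUSY; a short comment at the first one (the name-collision loop) explaining that -EEXIST passed through module_init is indistinguishable to modprobe from "module already loaded" would keep someone from switching it back to the more conventional -EEXIST later. It also merits a line in the function's documentation, since out-of-tree helpers that checked for -EEXIST on a duplicate registration will now see a different error code.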
@@ -0,0 +1,163 @@ +From f320b159b348e9eff634d70557b4caad36155010 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Aug 2025 15:49:59 +0200 +Subject: netfilter: nf_tables: Introduce NFTA_DEVICE_PREFIX + +From: Phil Sutter + +[ Upstream commit 4039ce7ef40474d5ba46f414c50cc7020b9cf8ae ] + +This new attribute is supposed to be used instead of NFTA_DEVICE_NAME +for simple wildcard interface specs. It holds a NUL-terminated string +representing an interface name prefix to match on. + +While kernel code to distinguish full names from prefixes in +NFTA_DEVICE_NAME is simpler than this solution, reusing the existing +attribute with different semantics leads to confusion between different +versions of kernel and user space though: + +* With old kernels, wildcards submitted by user space are accepted yet + silently treated as regular names. +* With old user space, wildcards submitted by kernel may cause crashes + since libnftnl expects NUL-termination when there is none. + +Using a distinct attribute type sanitizes these situations as the +receiving part detects and rejects the unexpected attribute nested in +*_HOOK_DEVS attributes. 
+ +Fixes: 6d07a289504a ("netfilter: nf_tables: Support wildcard netdev hook specs") +Signed-off-by: Phil Sutter +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + include/uapi/linux/netfilter/nf_tables.h | 2 ++ + net/netfilter/nf_tables_api.c | 42 +++++++++++++++++------- + 2 files changed, 33 insertions(+), 11 deletions(-) + +diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h +index 2beb30be2c5f8..8e0eb832bc01e 100644 +--- a/include/uapi/linux/netfilter/nf_tables.h ++++ b/include/uapi/linux/netfilter/nf_tables.h +@@ -1784,10 +1784,12 @@ enum nft_synproxy_attributes { + * enum nft_device_attributes - nf_tables device netlink attributes + * + * @NFTA_DEVICE_NAME: name of this device (NLA_STRING) ++ * @NFTA_DEVICE_PREFIX: device name prefix, a simple wildcard (NLA_STRING) + */ + enum nft_devices_attributes { + NFTA_DEVICE_UNSPEC, + NFTA_DEVICE_NAME, ++ NFTA_DEVICE_PREFIX, + __NFTA_DEVICE_MAX + }; + #define NFTA_DEVICE_MAX (__NFTA_DEVICE_MAX - 1) +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 46ca725d65381..0e86434ca13b0 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -1953,6 +1953,18 @@ static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats) + return -ENOSPC; + } + ++static bool hook_is_prefix(struct nft_hook *hook) ++{ ++ return strlen(hook->ifname) >= hook->ifnamelen; ++} ++ ++static int nft_nla_put_hook_dev(struct sk_buff *skb, struct nft_hook *hook) ++{ ++ int attr = hook_is_prefix(hook) ? 
NFTA_DEVICE_PREFIX : NFTA_DEVICE_NAME; ++ ++ return nla_put_string(skb, attr, hook->ifname); ++} ++ + static int nft_dump_basechain_hook(struct sk_buff *skb, + const struct net *net, int family, + const struct nft_base_chain *basechain, +@@ -1984,16 +1996,15 @@ static int nft_dump_basechain_hook(struct sk_buff *skb, + if (!first) + first = hook; + +- if (nla_put(skb, NFTA_DEVICE_NAME, +- hook->ifnamelen, hook->ifname)) ++ if (nft_nla_put_hook_dev(skb, hook)) + goto nla_put_failure; + n++; + } + nla_nest_end(skb, nest_devs); + + if (n == 1 && +- nla_put(skb, NFTA_HOOK_DEV, +- first->ifnamelen, first->ifname)) ++ !hook_is_prefix(first) && ++ nla_put_string(skb, NFTA_HOOK_DEV, first->ifname)) + goto nla_put_failure; + } + nla_nest_end(skb, nest); +@@ -2297,7 +2308,8 @@ void nf_tables_chain_destroy(struct nft_chain *chain) + } + + static struct nft_hook *nft_netdev_hook_alloc(struct net *net, +- const struct nlattr *attr) ++ const struct nlattr *attr, ++ bool prefix) + { + struct nf_hook_ops *ops; + struct net_device *dev; +@@ -2314,7 +2326,8 @@ static struct nft_hook *nft_netdev_hook_alloc(struct net *net, + if (err < 0) + goto err_hook_free; + +- hook->ifnamelen = nla_len(attr); ++ /* include the terminating NUL-char when comparing non-prefixes */ ++ hook->ifnamelen = strlen(hook->ifname) + !prefix; + + /* nf_tables_netdev_event() is called under rtnl_mutex, this is + * indirectly serializing all the other holders of the commit_mutex with +@@ -2361,14 +2374,22 @@ static int nf_tables_parse_netdev_hooks(struct net *net, + struct nft_hook *hook, *next; + const struct nlattr *tmp; + int rem, n = 0, err; ++ bool prefix; + + nla_for_each_nested(tmp, attr, rem) { +- if (nla_type(tmp) != NFTA_DEVICE_NAME) { ++ switch (nla_type(tmp)) { ++ case NFTA_DEVICE_NAME: ++ prefix = false; ++ break; ++ case NFTA_DEVICE_PREFIX: ++ prefix = true; ++ break; ++ default: + err = -EINVAL; + goto err_hook; + } + +- hook = nft_netdev_hook_alloc(net, tmp); ++ hook = nft_netdev_hook_alloc(net, 
tmp, prefix); + if (IS_ERR(hook)) { + NL_SET_BAD_ATTR(extack, tmp); + err = PTR_ERR(hook); +@@ -2414,7 +2435,7 @@ static int nft_chain_parse_netdev(struct net *net, struct nlattr *tb[], + int err; + + if (tb[NFTA_HOOK_DEV]) { +- hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV]); ++ hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV], false); + if (IS_ERR(hook)) { + NL_SET_BAD_ATTR(extack, tb[NFTA_HOOK_DEV]); + return PTR_ERR(hook); +@@ -9424,8 +9445,7 @@ static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net, + + list_for_each_entry_rcu(hook, hook_list, list, + lockdep_commit_lock_is_held(net)) { +- if (nla_put(skb, NFTA_DEVICE_NAME, +- hook->ifnamelen, hook->ifname)) ++ if (nft_nla_put_hook_dev(skb, hook)) + goto nla_put_failure; + } + nla_nest_end(skb, nest_devs); +-- +2.50.1 + diff --git a/queue-6.16/netfilter-nft_flowtable.sh-re-run-with-random-mtu-si.patch b/queue-6.16/netfilter-nft_flowtable.sh-re-run-with-random-mtu-si.patch new file mode 100644 index 0000000000..dced4285e1 --- /dev/null +++ b/queue-6.16/netfilter-nft_flowtable.sh-re-run-with-random-mtu-si.patch 
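Review bot: hook_is_prefix() in the nf_tables_api.c hunk at @@ -1953 depends on an invariant established only in nft_netdev_hook_alloc() (`hook->ifnamelen = strlen(hook->ifname) + !prefix;`), so prefix-ness is encoded as "ifnamelen equals strlen" and a name-vs-prefix distinction rides on a length field. A short comment on hook_is_prefix() stating that invariant would help, and ideally the helper and the assignment would sit next to each other. Also note that nla_put_string() is only safe if every hook->ifname is guaranteed NUL-terminated within IFNAMSIZ; the visible `if (err < 0) goto err_hook_free;` suggests a bounded string copy precedes the assignment, but that line is outside the hunk, so confirm it.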
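Review bot: the nft_dump_basechain_hook() hunk at @@ -1984 changes user-visible dump output: a chain with a single prefix hook no longer gets a top-level NFTA_HOOK_DEV attribute (`n == 1 && !hook_is_prefix(first)`), only the nested NFTA_DEVICE_PREFIX entry. That is the intended way to keep old libnftnl from reading an unterminated string, but the commit message only describes the new attribute, not the dropped NFTA_HOOK_DEV for that case; suggest documenting it so user space authors know to consult the nested *_HOOK_DEVS list whenever NFTA_HOOK_DEV is absent.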
@@ -0,0 +1,385 @@ +From c5fd80d1dcbc1551b34c7190164b17aa09bb79d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Aug 2025 23:49:18 +0200 +Subject: netfilter: nft_flowtable.sh: re-run with random mtu sizes + +From: Florian Westphal + +[ Upstream commit d6a367ec6c96fc8e61b4d67e69df03565ec69fb7 ] + +Jakub says: + nft_flowtable.sh is one of the most flake-atious test for netdev CI currently :( + +The root cause is two-fold: +1. the failing part of the test is supposed to make sure that ip + fragments are forwarded for offloaded flows. + (flowtable has to pass them to classic forward path). + path mtu discovery for these subtests is disabled. + +2. nft_flowtable.sh has two passes. One with fixed mtus/file size and + one where link mtus and file sizes are random. + +The CI failures all have same pattern: + re-run with random mtus and file size: -o 27663 -l 4117 -r 10089 -s 54384840 + [..] + PASS: dscp_egress: dscp packet counters match + FAIL: file mismatch for ns1 -> ns2 + +In some cases this error triggers a bit ealier, sometimes in a later +subtest: + re-run with random mtus and file size: -o 20201 -l 4555 -r 12657 -s 9405856 + [..] + PASS: dscp_egress: dscp packet counters match + PASS: dscp_fwd: dscp packet counters match + 2025/08/17 20:37:52 socat[18954] E write(7, 0x560716b96000, 8192): Broken pipe + FAIL: file mismatch for ns1 -> ns2 + -rw------- 1 root root 9405856 Aug 17 20:36 /tmp/tmp.2n63vlTrQe + +But all logs I saw show same scenario: +1. Failing tests have pmtu discovery off (i.e., ip fragmentation) +2. The test file is much larger than first-pass default (2M Byte) +3. peers have much larger MTUs compared to the 'network'. + +These errors are very reproducible when re-running the test with +the same commandline arguments. + +The timeout became much more prominent with +1d2fbaad7cd8 ("tcp: stronger sk_rcvbuf checks"): reassembled packets +typically have a skb->truesize more than double the skb length. 
+ +As that commit is intentional and pmtud-off with +large-tcp-packets-as-fragments is not normal adjust the test to use a +smaller file for the pmtu-off subtests. + +While at it, add more information to pass/fail messages and +also run the dscp alteration subtest with pmtu discovery enabled. + +Link: https://netdev.bots.linux.dev/contest.html?test=nft-flowtable-sh +Fixes: f84ab634904c ("selftests: netfilter: nft_flowtable.sh: re-run with random mtu sizes") +Reported-by: Jakub Kicinski +Closes: https://lore.kernel.org/netdev/20250822071330.4168f0db@kernel.org/ +Signed-off-by: Florian Westphal +Link: https://patch.msgid.link/20250828214918.3385-1-fw@strlen.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../selftests/net/netfilter/nft_flowtable.sh | 113 ++++++++++++------ + 1 file changed, 76 insertions(+), 37 deletions(-) + +diff --git a/tools/testing/selftests/net/netfilter/nft_flowtable.sh b/tools/testing/selftests/net/netfilter/nft_flowtable.sh +index a4ee5496f2a17..45832df982950 100755 +--- a/tools/testing/selftests/net/netfilter/nft_flowtable.sh ++++ b/tools/testing/selftests/net/netfilter/nft_flowtable.sh +@@ -20,6 +20,7 @@ ret=0 + SOCAT_TIMEOUT=60 + + nsin="" ++nsin_small="" + ns1out="" + ns2out="" + +@@ -36,7 +37,7 @@ cleanup() { + + cleanup_all_ns + +- rm -f "$nsin" "$ns1out" "$ns2out" ++ rm -f "$nsin" "$nsin_small" "$ns1out" "$ns2out" + + [ "$log_netns" -eq 0 ] && sysctl -q net.netfilter.nf_log_all_netns="$log_netns" + } +@@ -72,6 +73,7 @@ lmtu=1500 + rmtu=2000 + + filesize=$((2 * 1024 * 1024)) ++filesize_small=$((filesize / 16)) + + usage(){ + echo "nft_flowtable.sh [OPTIONS]" +@@ -89,7 +91,10 @@ do + o) omtu=$OPTARG;; + l) lmtu=$OPTARG;; + r) rmtu=$OPTARG;; +- s) filesize=$OPTARG;; ++ s) ++ filesize=$OPTARG ++ filesize_small=$((OPTARG / 16)) ++ ;; + *) usage;; + esac + done +@@ -215,6 +220,7 @@ if ! 
ip netns exec "$ns2" ping -c 1 -q 10.0.1.99 > /dev/null; then + fi + + nsin=$(mktemp) ++nsin_small=$(mktemp) + ns1out=$(mktemp) + ns2out=$(mktemp) + +@@ -265,6 +271,7 @@ check_counters() + check_dscp() + { + local what=$1 ++ local pmtud="$2" + local ok=1 + + local counter +@@ -277,37 +284,39 @@ check_dscp() + local pc4z=${counter%*bytes*} + local pc4z=${pc4z#*packets} + ++ local failmsg="FAIL: pmtu $pmtu: $what counters do not match, expected" ++ + case "$what" in + "dscp_none") + if [ "$pc4" -gt 0 ] || [ "$pc4z" -eq 0 ]; then +- echo "FAIL: dscp counters do not match, expected dscp3 == 0, dscp0 > 0, but got $pc4,$pc4z" 1>&2 ++ echo "$failmsg dscp3 == 0, dscp0 > 0, but got $pc4,$pc4z" 1>&2 + ret=1 + ok=0 + fi + ;; + "dscp_fwd") + if [ "$pc4" -eq 0 ] || [ "$pc4z" -eq 0 ]; then +- echo "FAIL: dscp counters do not match, expected dscp3 and dscp0 > 0 but got $pc4,$pc4z" 1>&2 ++ echo "$failmsg dscp3 and dscp0 > 0 but got $pc4,$pc4z" 1>&2 + ret=1 + ok=0 + fi + ;; + "dscp_ingress") + if [ "$pc4" -eq 0 ] || [ "$pc4z" -gt 0 ]; then +- echo "FAIL: dscp counters do not match, expected dscp3 > 0, dscp0 == 0 but got $pc4,$pc4z" 1>&2 ++ echo "$failmsg dscp3 > 0, dscp0 == 0 but got $pc4,$pc4z" 1>&2 + ret=1 + ok=0 + fi + ;; + "dscp_egress") + if [ "$pc4" -eq 0 ] || [ "$pc4z" -gt 0 ]; then +- echo "FAIL: dscp counters do not match, expected dscp3 > 0, dscp0 == 0 but got $pc4,$pc4z" 1>&2 ++ echo "$failmsg dscp3 > 0, dscp0 == 0 but got $pc4,$pc4z" 1>&2 + ret=1 + ok=0 + fi + ;; + *) +- echo "FAIL: Unknown DSCP check" 1>&2 ++ echo "$failmsg: Unknown DSCP check" 1>&2 + ret=1 + ok=0 + esac +@@ -319,9 +328,9 @@ check_dscp() + + check_transfer() + { +- in=$1 +- out=$2 +- what=$3 ++ local in=$1 ++ local out=$2 ++ local what=$3 + + if ! 
cmp "$in" "$out" > /dev/null 2>&1; then + echo "FAIL: file mismatch for $what" 1>&2 +@@ -342,25 +351,39 @@ test_tcp_forwarding_ip() + { + local nsa=$1 + local nsb=$2 +- local dstip=$3 +- local dstport=$4 ++ local pmtu=$3 ++ local dstip=$4 ++ local dstport=$5 + local lret=0 ++ local socatc ++ local socatl ++ local infile="$nsin" ++ ++ if [ $pmtu -eq 0 ]; then ++ infile="$nsin_small" ++ fi + +- timeout "$SOCAT_TIMEOUT" ip netns exec "$nsb" socat -4 TCP-LISTEN:12345,reuseaddr STDIO < "$nsin" > "$ns2out" & ++ timeout "$SOCAT_TIMEOUT" ip netns exec "$nsb" socat -4 TCP-LISTEN:12345,reuseaddr STDIO < "$infile" > "$ns2out" & + lpid=$! + + busywait 1000 listener_ready + +- timeout "$SOCAT_TIMEOUT" ip netns exec "$nsa" socat -4 TCP:"$dstip":"$dstport" STDIO < "$nsin" > "$ns1out" ++ timeout "$SOCAT_TIMEOUT" ip netns exec "$nsa" socat -4 TCP:"$dstip":"$dstport" STDIO < "$infile" > "$ns1out" ++ socatc=$? + + wait $lpid ++ socatl=$? + +- if ! check_transfer "$nsin" "$ns2out" "ns1 -> ns2"; then ++ if [ $socatl -ne 0 ] || [ $socatc -ne 0 ];then ++ rc=1 ++ fi ++ ++ if ! check_transfer "$infile" "$ns2out" "ns1 -> ns2"; then + lret=1 + ret=1 + fi + +- if ! check_transfer "$nsin" "$ns1out" "ns1 <- ns2"; then ++ if ! check_transfer "$infile" "$ns1out" "ns1 <- ns2"; then + lret=1 + ret=1 + fi +@@ -370,14 +393,16 @@ test_tcp_forwarding_ip() + + test_tcp_forwarding() + { +- test_tcp_forwarding_ip "$1" "$2" 10.0.2.99 12345 ++ local pmtu="$3" ++ ++ test_tcp_forwarding_ip "$1" "$2" "$pmtu" 10.0.2.99 12345 + + return $? + } + + test_tcp_forwarding_set_dscp() + { +- check_dscp "dscp_none" ++ local pmtu="$3" + + ip netns exec "$nsr1" nft -f - <&2 +@@ -489,8 +519,9 @@ table ip nat { + } + EOF + ++check_dscp "dscp_none" "0" + if ! 
test_tcp_forwarding_set_dscp "$ns1" "$ns2" 0 ""; then +- echo "FAIL: flow offload for ns1/ns2 with dscp update" 1>&2 ++ echo "FAIL: flow offload for ns1/ns2 with dscp update and no pmtu discovery" 1>&2 + exit 0 + fi + +@@ -512,6 +543,14 @@ ip netns exec "$ns2" sysctl net.ipv4.ip_no_pmtu_disc=0 > /dev/null + # are lower than file size and packets were forwarded via flowtable layer. + # For earlier tests (large mtus), packets cannot be handled via flowtable + # (except pure acks and other small packets). ++ip netns exec "$nsr1" nft reset counters table inet filter >/dev/null ++ip netns exec "$ns2" nft reset counters table inet filter >/dev/null ++ ++if ! test_tcp_forwarding_set_dscp "$ns1" "$ns2" 1 ""; then ++ echo "FAIL: flow offload for ns1/ns2 with dscp update and pmtu discovery" 1>&2 ++ exit 0 ++fi ++ + ip netns exec "$nsr1" nft reset counters table inet filter >/dev/null + + if ! test_tcp_forwarding_nat "$ns1" "$ns2" 1 ""; then +@@ -644,7 +683,7 @@ ip -net "$ns2" route del 192.168.10.1 via 10.0.2.1 + ip -net "$ns2" route add default via 10.0.2.1 + ip -net "$ns2" route add default via dead:2::1 + +-if test_tcp_forwarding "$ns1" "$ns2"; then ++if test_tcp_forwarding "$ns1" "$ns2" 1; then + check_counters "ipsec tunnel mode for ns1/ns2" + else + echo "FAIL: ipsec tunnel mode for ns1/ns2" +@@ -668,7 +707,7 @@ if [ "$1" = "" ]; then + fi + + echo "re-run with random mtus and file size: -o $o -l $l -r $r -s $filesize" +- $0 -o "$o" -l "$l" -r "$r" -s "$filesize" ++ $0 -o "$o" -l "$l" -r "$r" -s "$filesize" || ret=1 + fi + + exit $ret +-- +2.50.1 + diff --git a/queue-6.16/phy-mscc-stop-taking-ts_lock-for-tx_queue-and-use-it.patch b/queue-6.16/phy-mscc-stop-taking-ts_lock-for-tx_queue-and-use-it.patch new file mode 100644 index 0000000000..a192b1ef88 --- /dev/null +++ b/queue-6.16/phy-mscc-stop-taking-ts_lock-for-tx_queue-and-use-it.patch 
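Review bot: in the test_tcp_forwarding_ip() hunk at @@ -342, the new socat exit-status check sets `rc=1`, but the function reports failure through `lret`/`ret` (`local lret=0` above, `lret=1; ret=1` in the check_transfer branches) and `rc` is not read anywhere in the diff, so a non-zero socat exit that still produced matching files is silently dropped. Suggest `lret=1` and `ret=1` there, consistent with the surrounding branches.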
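Review bot: in the check_dscp() hunk at @@ -277, the second argument is stored as `local pmtud="$2"` but the message uses `$pmtu` (`local failmsg="FAIL: pmtu $pmtu: $what counters do not match, expected"`). With bash's dynamic scoping that picks up the caller's `local pmtu` when called from test_tcp_forwarding_set_dscp(), but the new top-level `check_dscp "dscp_none" "0"` call has no such caller and would print an empty value. Suggest using `$pmtud` in failmsg. Minor: the default branch now prints `"$failmsg: Unknown DSCP check"`, which reads "... counters do not match, expected: Unknown DSCP check".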
@@ -0,0 +1,147 @@ +From 2daf76d2fbd7e6ad171a69c87dd51f576f199139 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Sep 2025 14:12:59 +0200 +Subject: phy: mscc: Stop taking ts_lock for tx_queue and use its own lock + +From: Horatiu Vultur + +[ Upstream commit 9b2bfdbf43adb9929c5ddcdd96efedbf1c88cf53 ] + +When transmitting a PTP frame which is timestamp using 2 step, the +following warning appears if CONFIG_PROVE_LOCKING is enabled: +============================= +[ BUG: Invalid wait context ] +6.17.0-rc1-00326-ge6160462704e #427 Not tainted +----------------------------- +ptp4l/119 is trying to lock: +c2a44ed4 (&vsc8531->ts_lock){+.+.}-{3:3}, at: vsc85xx_txtstamp+0x50/0xac +other info that might help us debug this: +context-{4:4} +4 locks held by ptp4l/119: + #0: c145f068 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x58/0x1440 + #1: c29df974 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: __dev_queue_xmit+0x5c4/0x1440 + #2: c2aaaad0 (_xmit_ETHER#2){+.-.}-{2:2}, at: sch_direct_xmit+0x108/0x350 + #3: c2aac170 (&lan966x->tx_lock){+.-.}-{2:2}, at: lan966x_port_xmit+0xd0/0x350 +stack backtrace: +CPU: 0 UID: 0 PID: 119 Comm: ptp4l Not tainted 6.17.0-rc1-00326-ge6160462704e #427 NONE +Hardware name: Generic DT based system +Call trace: + unwind_backtrace from show_stack+0x10/0x14 + show_stack from dump_stack_lvl+0x7c/0xac + dump_stack_lvl from __lock_acquire+0x8e8/0x29dc + __lock_acquire from lock_acquire+0x108/0x38c + lock_acquire from __mutex_lock+0xb0/0xe78 + __mutex_lock from mutex_lock_nested+0x1c/0x24 + mutex_lock_nested from vsc85xx_txtstamp+0x50/0xac + vsc85xx_txtstamp from lan966x_fdma_xmit+0xd8/0x3a8 + lan966x_fdma_xmit from lan966x_port_xmit+0x1bc/0x350 + lan966x_port_xmit from dev_hard_start_xmit+0xc8/0x2c0 + dev_hard_start_xmit from sch_direct_xmit+0x8c/0x350 + sch_direct_xmit from __dev_queue_xmit+0x680/0x1440 + __dev_queue_xmit from packet_sendmsg+0xfa4/0x1568 + packet_sendmsg from __sys_sendto+0x110/0x19c + __sys_sendto from 
sys_send+0x18/0x20 + sys_send from ret_fast_syscall+0x0/0x1c +Exception stack(0xf0b05fa8 to 0xf0b05ff0) +5fa0: 00000001 0000000e 0000000e 0004b47a 0000003a 00000000 +5fc0: 00000001 0000000e 00000000 00000121 0004af58 00044874 00000000 00000000 +5fe0: 00000001 bee9d420 00025a10 b6e75c7c + +So, instead of using the ts_lock for tx_queue, use the spinlock that +skb_buff_head has. + +Reviewed-by: Vadim Fedorenko +Fixes: 7d272e63e0979d ("net: phy: mscc: timestamping and PHC support") +Signed-off-by: Horatiu Vultur +Link: https://patch.msgid.link/20250902121259.3257536-1-horatiu.vultur@microchip.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/mscc/mscc_ptp.c | 18 ++++++++---------- + 1 file changed, 8 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/phy/mscc/mscc_ptp.c b/drivers/net/phy/mscc/mscc_ptp.c +index 72847320cb652..d692df7d975c7 100644 +--- a/drivers/net/phy/mscc/mscc_ptp.c ++++ b/drivers/net/phy/mscc/mscc_ptp.c +@@ -456,12 +456,12 @@ static void vsc85xx_dequeue_skb(struct vsc85xx_ptp *ptp) + *p++ = (reg >> 24) & 0xff; + } + +- len = skb_queue_len(&ptp->tx_queue); ++ len = skb_queue_len_lockless(&ptp->tx_queue); + if (len < 1) + return; + + while (len--) { +- skb = __skb_dequeue(&ptp->tx_queue); ++ skb = skb_dequeue(&ptp->tx_queue); + if (!skb) + return; + +@@ -486,7 +486,7 @@ static void vsc85xx_dequeue_skb(struct vsc85xx_ptp *ptp) + * packet in the FIFO right now, reschedule it for later + * packets. 
+ */ +- __skb_queue_tail(&ptp->tx_queue, skb); ++ skb_queue_tail(&ptp->tx_queue, skb); + } + } + +@@ -1068,6 +1068,7 @@ static int vsc85xx_hwtstamp(struct mii_timestamper *mii_ts, + case HWTSTAMP_TX_ON: + break; + case HWTSTAMP_TX_OFF: ++ skb_queue_purge(&vsc8531->ptp->tx_queue); + break; + default: + return -ERANGE; +@@ -1092,9 +1093,6 @@ static int vsc85xx_hwtstamp(struct mii_timestamper *mii_ts, + + mutex_lock(&vsc8531->ts_lock); + +- __skb_queue_purge(&vsc8531->ptp->tx_queue); +- __skb_queue_head_init(&vsc8531->ptp->tx_queue); +- + /* Disable predictor while configuring the 1588 block */ + val = vsc85xx_ts_read_csr(phydev, PROCESSOR, + MSCC_PHY_PTP_INGR_PREDICTOR); +@@ -1180,9 +1178,7 @@ static void vsc85xx_txtstamp(struct mii_timestamper *mii_ts, + + skb_shinfo(skb)->tx_flags |= SKBTX_IN_PROGRESS; + +- mutex_lock(&vsc8531->ts_lock); +- __skb_queue_tail(&vsc8531->ptp->tx_queue, skb); +- mutex_unlock(&vsc8531->ts_lock); ++ skb_queue_tail(&vsc8531->ptp->tx_queue, skb); + return; + + out: +@@ -1548,6 +1544,7 @@ void vsc8584_ptp_deinit(struct phy_device *phydev) + if (vsc8531->ptp->ptp_clock) { + ptp_clock_unregister(vsc8531->ptp->ptp_clock); + skb_queue_purge(&vsc8531->rx_skbs_list); ++ skb_queue_purge(&vsc8531->ptp->tx_queue); + } + } + +@@ -1571,7 +1568,7 @@ irqreturn_t vsc8584_handle_ts_interrupt(struct phy_device *phydev) + if (rc & VSC85XX_1588_INT_FIFO_ADD) { + vsc85xx_get_tx_ts(priv->ptp); + } else if (rc & VSC85XX_1588_INT_FIFO_OVERFLOW) { +- __skb_queue_purge(&priv->ptp->tx_queue); ++ skb_queue_purge(&priv->ptp->tx_queue); + vsc85xx_ts_reset_fifo(phydev); + } + +@@ -1591,6 +1588,7 @@ int vsc8584_ptp_probe(struct phy_device *phydev) + mutex_init(&vsc8531->phc_lock); + mutex_init(&vsc8531->ts_lock); + skb_queue_head_init(&vsc8531->rx_skbs_list); ++ skb_queue_head_init(&vsc8531->ptp->tx_queue); + + /* Retrieve the shared load/save GPIO. Request it as non exclusive as + * the same GPIO can be requested by all the PHYs of the same package. +-- +2.50.1 + 
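Review bot: the vsc85xx_hwtstamp() hunks at @@ -1068 and @@ -1092 change when tx_queue is flushed: previously every configuration call purged and re-initialised the queue under ts_lock, now only the HWTSTAMP_TX_OFF case purges it. Skbs queued under a previous TX_ON configuration therefore survive a reconfiguration that keeps TX_ON and may later be matched against timestamps produced under the new settings; if that is intended, the commit message should say so, otherwise purge in the TX_ON path as well. Also confirm in the vsc8584_ptp_probe() hunk that vsc8531->ptp is allocated before the new `skb_queue_head_init(&vsc8531->ptp->tx_queue);` line, since the surrounding lines only initialise fields of vsc8531 itself.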
diff --git a/queue-6.16/ppp-fix-memory-leak-in-pad_compress_skb.patch b/queue-6.16/ppp-fix-memory-leak-in-pad_compress_skb.patch new file mode 100644 index 0000000000..738f55d291 --- /dev/null +++ b/queue-6.16/ppp-fix-memory-leak-in-pad_compress_skb.patch 
@@ -0,0 +1,66 @@ +From 66015393b88e42fae54b15cdc5c673212569556b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Sep 2025 18:07:26 +0800 +Subject: ppp: fix memory leak in pad_compress_skb + +From: Qingfang Deng + +[ Upstream commit 4844123fe0b853a4982c02666cb3fd863d701d50 ] + +If alloc_skb() fails in pad_compress_skb(), it returns NULL without +releasing the old skb. The caller does: + + skb = pad_compress_skb(ppp, skb); + if (!skb) + goto drop; + +drop: + kfree_skb(skb); + +When pad_compress_skb() returns NULL, the reference to the old skb is +lost and kfree_skb(skb) ends up doing nothing, leading to a memory leak. + +Align pad_compress_skb() semantics with realloc(): only free the old +skb if allocation and compression succeed. At the call site, use the +new_skb variable so the original skb is not lost when pad_compress_skb() +fails. + +Fixes: b3f9b92a6ec1 ("[PPP]: add PPP MPPE encryption module") +Signed-off-by: Qingfang Deng +Reviewed-by: Eric Dumazet +Reviewed-by: Yue Haibing +Link: https://patch.msgid.link/20250903100726.269839-1-dqfext@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ppp/ppp_generic.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c +index 5e7672d2022c9..bb5343c039259 100644 +--- a/drivers/net/ppp/ppp_generic.c ++++ b/drivers/net/ppp/ppp_generic.c +@@ -1752,7 +1752,6 @@ pad_compress_skb(struct ppp *ppp, struct sk_buff *skb) + */ + if (net_ratelimit()) + netdev_err(ppp->dev, "ppp: compressor dropped pkt\n"); +- kfree_skb(skb); + consume_skb(new_skb); + new_skb = NULL; + } +@@ -1854,9 +1853,10 @@ ppp_send_frame(struct ppp *ppp, struct sk_buff *skb) + "down - pkt dropped.\n"); + goto drop; + } +- skb = pad_compress_skb(ppp, skb); +- if (!skb) ++ new_skb = pad_compress_skb(ppp, skb); ++ if (!new_skb) + goto drop; ++ skb = new_skb; + } + + /* +-- +2.50.1 + 
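Review bot: the @@ -1752 hunk drops `kfree_skb(skb);` on the compressor-dropped path, which is correct only if every caller now frees the original skb itself on a NULL return; the @@ -1854 hunk does that via `goto drop`, but the diffstat shows no other call site was touched, so confirm pad_compress_skb() has no other caller. The ownership contract has also changed (the old skb is consumed only on success; a NULL return leaves it with the caller), so a comment above pad_compress_skb() spelling that out would keep the leak from being reintroduced. Lastly, check that `new_skb` in ppp_send_frame() is not still needed with its previous value after `skb = new_skb;`, since the hunk reuses an existing variable.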
diff --git a/queue-6.16/ptp-ocp-fix-use-after-free-bugs-causing-by-ptp_ocp_w.patch b/queue-6.16/ptp-ocp-fix-use-after-free-bugs-causing-by-ptp_ocp_w.patch new file mode 100644 index 0000000000..c462515dff --- /dev/null +++ b/queue-6.16/ptp-ocp-fix-use-after-free-bugs-causing-by-ptp_ocp_w.patch 
@@ -0,0 +1,55 @@ +From 676b8b73b070554100542f40dde56f2215e7a300 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Aug 2025 16:29:49 +0800 +Subject: ptp: ocp: fix use-after-free bugs causing by ptp_ocp_watchdog + +From: Duoming Zhou + +[ Upstream commit 8bf935cf789872350b04c1a6468b0a509f67afb2 ] + +The ptp_ocp_detach() only shuts down the watchdog timer if it is +pending. However, if the timer handler is already running, the +timer_delete_sync() is not called. This leads to race conditions +where the devlink that contains the ptp_ocp is deallocated while +the timer handler is still accessing it, resulting in use-after-free +bugs. The following details one of the race scenarios. + +(thread 1) | (thread 2) +ptp_ocp_remove() | + ptp_ocp_detach() | ptp_ocp_watchdog() + if (timer_pending(&bp->watchdog))| bp = timer_container_of() + timer_delete_sync() | + | + devlink_free(devlink) //free | + | bp-> //use + +Resolve this by unconditionally calling timer_delete_sync() to ensure +the timer is reliably deactivated, preventing any access after free. + +Fixes: 773bda964921 ("ptp: ocp: Expose various resources on the timecard.") +Signed-off-by: Duoming Zhou +Reviewed-by: Vadim Fedorenko +Link: https://patch.msgid.link/20250828082949.28189-1-duoming@zju.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/ptp/ptp_ocp.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/ptp/ptp_ocp.c b/drivers/ptp/ptp_ocp.c +index 1e7f72e575576..5388285475952 100644 +--- a/drivers/ptp/ptp_ocp.c ++++ b/drivers/ptp/ptp_ocp.c +@@ -4557,8 +4557,7 @@ ptp_ocp_detach(struct ptp_ocp *bp) + ptp_ocp_debugfs_remove_device(bp); + ptp_ocp_detach_sysfs(bp); + ptp_ocp_attr_group_del(bp); +- if (timer_pending(&bp->watchdog)) +- timer_delete_sync(&bp->watchdog); ++ timer_delete_sync(&bp->watchdog); + if (bp->ts0) + ptp_ocp_unregister_ext(bp->ts0); + if (bp->ts1) +-- +2.50.1 + 
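Review bot: removing the `timer_pending()` guard in ptp_ocp_detach() is the right fix for the race in the commit message, since timer_pending() cannot see a handler that is already running, but timer_delete_sync() on a timer that was never set up is not safe, so confirm bp->watchdog is initialised (timer_setup()) before any path that can reach ptp_ocp_detach(), including probe error paths. A comment noting that the unconditional call is deliberate would also stop someone from reinstating the guard as an "optimisation".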
diff --git a/queue-6.16/selftest-net-fix-weird-setsockopt-in-bind_bhash.c.patch b/queue-6.16/selftest-net-fix-weird-setsockopt-in-bind_bhash.c.patch new file mode 100644 index 0000000000..f4a9acfb0d --- /dev/null +++ b/queue-6.16/selftest-net-fix-weird-setsockopt-in-bind_bhash.c.patch 
@@ -0,0 +1,62 @@ +From 163b4e4dc7e5a0e5b8f583846426c7263143a682 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Sep 2025 22:28:51 +0000 +Subject: selftest: net: Fix weird setsockopt() in bind_bhash.c. + +From: Kuniyuki Iwashima + +[ Upstream commit fd2004d82d8d8faa94879e3de3096c8511728637 ] + +bind_bhash.c passes (SO_REUSEADDR | SO_REUSEPORT) to setsockopt(). + +In the asm-generic definition, the value happens to match with the +bare SO_REUSEPORT, (2 | 15) == 15, but not on some arch. + +arch/alpha/include/uapi/asm/socket.h:18:#define SO_REUSEADDR 0x0004 +arch/alpha/include/uapi/asm/socket.h:24:#define SO_REUSEPORT 0x0200 +arch/mips/include/uapi/asm/socket.h:24:#define SO_REUSEADDR 0x0004 /* Allow reuse of local addresses. */ +arch/mips/include/uapi/asm/socket.h:33:#define SO_REUSEPORT 0x0200 /* Allow local address and port reuse. */ +arch/parisc/include/uapi/asm/socket.h:12:#define SO_REUSEADDR 0x0004 +arch/parisc/include/uapi/asm/socket.h:18:#define SO_REUSEPORT 0x0200 +arch/sparc/include/uapi/asm/socket.h:13:#define SO_REUSEADDR 0x0004 +arch/sparc/include/uapi/asm/socket.h:20:#define SO_REUSEPORT 0x0200 +include/uapi/asm-generic/socket.h:12:#define SO_REUSEADDR 2 +include/uapi/asm-generic/socket.h:27:#define SO_REUSEPORT 15 + +Let's pass SO_REUSEPORT only. 
+ +Fixes: c35ecb95c448 ("selftests/net: Add test for timing a bind request to a port with a populated bhash entry") +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250903222938.2601522-1-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/bind_bhash.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/net/bind_bhash.c b/tools/testing/selftests/net/bind_bhash.c +index 57ff67a3751eb..da04b0b19b73c 100644 +--- a/tools/testing/selftests/net/bind_bhash.c ++++ b/tools/testing/selftests/net/bind_bhash.c +@@ -75,7 +75,7 @@ static void *setup(void *arg) + int *array = (int *)arg; + + for (i = 0; i < MAX_CONNECTIONS; i++) { +- sock_fd = bind_socket(SO_REUSEADDR | SO_REUSEPORT, setup_addr); ++ sock_fd = bind_socket(SO_REUSEPORT, setup_addr); + if (sock_fd < 0) { + ret = sock_fd; + pthread_exit(&ret); +@@ -103,7 +103,7 @@ int main(int argc, const char *argv[]) + + setup_addr = use_v6 ? setup_addr_v6 : setup_addr_v4; + +- listener_fd = bind_socket(SO_REUSEADDR | SO_REUSEPORT, setup_addr); ++ listener_fd = bind_socket(SO_REUSEPORT, setup_addr); + if (listen(listener_fd, 100) < 0) { + perror("listen failed"); + return -1; +-- +2.50.1 + diff --git a/queue-6.16/selftests-drv-net-csum-fix-interface-name-for-remote.patch b/queue-6.16/selftests-drv-net-csum-fix-interface-name-for-remote.patch new file mode 100644 index 0000000000..ea2c4b0bdc --- /dev/null +++ b/queue-6.16/selftests-drv-net-csum-fix-interface-name-for-remote.patch 
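Review bot: both hunks now pass a single option constant to bind_socket(), matching a helper whose first parameter is evidently one optname; if the test also relied on SO_REUSEADDR semantics, that needs a second setsockopt() call rather than an OR of two option names. On asm-generic the old expression evaluated to SO_REUSEPORT anyway (2 | 15 == 15, as the commit message shows), so behaviour there is unchanged; on alpha, mips, parisc and sparc the OR produced 0x0204, which is not a valid option, so this is a real fix on those architectures.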
@@ -0,0 +1,48 @@ +From b82529f412d33bd4a5e15dc1ea87e52ede9edae2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 Aug 2025 11:38:42 -0700 +Subject: selftests: drv-net: csum: fix interface name for remote host + +From: Jakub Kicinski + +[ Upstream commit 49c2502b5946ebf454d7e16fd0189769a82b6117 ] + +Use cfg.remote_ifname for arguments of remote command. +Without this UDP tests fail in NIPA where local interface +is called enp1s0 and remote enp0s4. + +Fixes: 1d0dc857b5d8 ("selftests: drv-net: add checksum tests") +Reviewed-by: Willem de Bruijn +Reviewed-by: Vadim Fedorenko +Link: https://patch.msgid.link/20250830183842.688935-1-kuba@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/drivers/net/hw/csum.py | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/drivers/net/hw/csum.py b/tools/testing/selftests/drivers/net/hw/csum.py +index cd23af8753170..3e3a89a34afe7 100755 +--- a/tools/testing/selftests/drivers/net/hw/csum.py ++++ b/tools/testing/selftests/drivers/net/hw/csum.py +@@ -17,7 +17,7 @@ def test_receive(cfg, ipver="6", extra_args=None): + ip_args = f"-{ipver} -S {cfg.remote_addr_v[ipver]} -D {cfg.addr_v[ipver]}" + + rx_cmd = f"{cfg.bin_local} -i {cfg.ifname} -n 100 {ip_args} -r 1 -R {extra_args}" +- tx_cmd = f"{cfg.bin_remote} -i {cfg.ifname} -n 100 {ip_args} -r 1 -T {extra_args}" ++ tx_cmd = f"{cfg.bin_remote} -i {cfg.remote_ifname} -n 100 {ip_args} -r 1 -T {extra_args}" + + with bkg(rx_cmd, exit_wait=True): + wait_port_listen(34000, proto="udp") +@@ -37,7 +37,7 @@ def test_transmit(cfg, ipver="6", extra_args=None): + if extra_args != "-U -Z": + extra_args += " -r 1" + +- rx_cmd = f"{cfg.bin_remote} -i {cfg.ifname} -L 1 -n 100 {ip_args} -R {extra_args}" ++ rx_cmd = f"{cfg.bin_remote} -i {cfg.remote_ifname} -L 1 -n 100 {ip_args} -R {extra_args}" + tx_cmd = f"{cfg.bin_local} -i {cfg.ifname} -L 1 -n 100 {ip_args} -T {extra_args}" + + with bkg(rx_cmd, 
host=cfg.remote, exit_wait=True): +-- +2.50.1 + diff --git a/queue-6.16/selftests-netfilter-fix-udpclash-tool-hang.patch b/queue-6.16/selftests-netfilter-fix-udpclash-tool-hang.patch new file mode 100644 index 0000000000..65c2ebe980 --- /dev/null +++ b/queue-6.16/selftests-netfilter-fix-udpclash-tool-hang.patch 
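Review bot: both hunks switch the commands that execute on the remote host (cfg.bin_remote) to cfg.remote_ifname while the local-side commands keep cfg.ifname, which is the correct pairing. The diffstat (2 insertions, 2 deletions) shows these are the only changes, so confirm no other cfg.bin_remote invocation in csum.py still uses cfg.ifname; a small helper that pairs the binary with its interface name would make such mismatches harder to reintroduce.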
@@ -0,0 +1,86 @@ +From 6c8fe9e52f73c32f4b022984c9f21fbd6e138d8c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Aug 2025 19:17:32 +0200 +Subject: selftests: netfilter: fix udpclash tool hang + +From: Florian Westphal + +[ Upstream commit 661a4f307fe0f80c1d544e09476ccba9037e8e65 ] + +Yi Chen reports that 'udpclash' loops forever depending on compiler +(and optimization level used); while (x == 1) gets optimized into +for (;;). Add volatile qualifier to avoid that. + +While at it, also run it under timeout(1) and fix the resize script +to not ignore the timeout passed as second parameter to insert_flood. + +Reported-by: Yi Chen +Suggested-by: Yi Chen +Fixes: 78a588363587 ("selftests: netfilter: add conntrack clash resolution test case") +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/netfilter/conntrack_clash.sh | 2 +- + tools/testing/selftests/net/netfilter/conntrack_resize.sh | 5 +++-- + tools/testing/selftests/net/netfilter/udpclash.c | 2 +- + 3 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/tools/testing/selftests/net/netfilter/conntrack_clash.sh b/tools/testing/selftests/net/netfilter/conntrack_clash.sh +index 606a43a60f736..7fc6c5dbd5516 100755 +--- a/tools/testing/selftests/net/netfilter/conntrack_clash.sh ++++ b/tools/testing/selftests/net/netfilter/conntrack_clash.sh +@@ -99,7 +99,7 @@ run_one_clash_test() + local entries + local cre + +- if ! ip netns exec "$ns" ./udpclash $daddr $dport;then ++ if ! ip netns exec "$ns" timeout 30 ./udpclash $daddr $dport;then + echo "INFO: did not receive expected number of replies for $daddr:$dport" + ip netns exec "$ctns" conntrack -S + # don't fail: check if clash resolution triggered after all. 
+diff --git a/tools/testing/selftests/net/netfilter/conntrack_resize.sh b/tools/testing/selftests/net/netfilter/conntrack_resize.sh +index 788cd56ea4a0d..615fe3c6f405d 100755 +--- a/tools/testing/selftests/net/netfilter/conntrack_resize.sh ++++ b/tools/testing/selftests/net/netfilter/conntrack_resize.sh +@@ -187,7 +187,7 @@ ct_udpclash() + [ -x udpclash ] || return + + while [ $now -lt $end ]; do +- ip netns exec "$ns" ./udpclash 127.0.0.1 $((RANDOM%65536)) > /dev/null 2>&1 ++ ip netns exec "$ns" timeout 30 ./udpclash 127.0.0.1 $((RANDOM%65536)) > /dev/null 2>&1 + + now=$(date +%s) + done +@@ -277,6 +277,7 @@ check_taint() + insert_flood() + { + local n="$1" ++ local timeout="$2" + local r=0 + + r=$((RANDOM%$insert_count)) +@@ -302,7 +303,7 @@ test_floodresize_all() + read tainted_then < /proc/sys/kernel/tainted + + for n in "$nsclient1" "$nsclient2";do +- insert_flood "$n" & ++ insert_flood "$n" "$timeout" & + done + + # resize table constantly while flood/insert/dump/flushs +diff --git a/tools/testing/selftests/net/netfilter/udpclash.c b/tools/testing/selftests/net/netfilter/udpclash.c +index 85c7b906ad08f..79de163d61ab7 100644 +--- a/tools/testing/selftests/net/netfilter/udpclash.c ++++ b/tools/testing/selftests/net/netfilter/udpclash.c +@@ -29,7 +29,7 @@ struct thread_args { + int sockfd; + }; + +-static int wait = 1; ++static volatile int wait = 1; + + static void *thread_main(void *varg) + { +-- +2.50.1 + diff --git a/queue-6.16/series b/queue-6.16/series index 30022aa6d4..9ccbcb32f6 100644 --- a/queue-6.16/series +++ b/queue-6.16/series 
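Review bot: in the udpclash.c hunk, `static volatile int wait = 1;` stops the compiler from hoisting the load out of the `while (wait == 1)` loop, but volatile is not a synchronisation primitive and gives no ordering with respect to the data the threads exchange. Since this is pthreads code, prefer a C11 atomic (`_Atomic int` with atomic_load/atomic_store from <stdatomic.h>) or a pthread barrier to release the threads; that expresses the intent and is portable across compilers and architectures.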
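Review bot: in the conntrack_resize.sh hunks, `local timeout="$2"` is the only change inside insert_flood() (the file's diffstat, 3 insertions and 2 deletions, is fully accounted for by the visible lines), so the fix relies on the function body already referring to `$timeout`, which until now resolved to a global. That works, but a variable named `timeout` next to the new `timeout 30 ./udpclash` invocations is easy to misread; consider renaming the parameter (for example `flood_timeout`). Also confirm `$timeout` is set in test_floodresize_all() before the `insert_flood "$n" "$timeout" &` call.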
@@ -27,3 +27,69 @@ arm64-dts-imx8mp-fix-missing-microsd-slot-vqmmc-on-d.patch-482 arm64-dts-rockchip-fix-the-headphone-detection-on-th.patch arm64-dts-rockchip-add-supplies-for-emmc-on-rk3588-o.patch arm-dts-microchip-sama7d65-force-sdmmc-legacy-mode.patch +wifi-cfg80211-fix-use-after-free-in-cmp_bss.patch +wifi-brcmfmac-fix-use-after-free-when-rescheduling-b.patch +wifi-mt76-mt7921-don-t-disconnect-when-csa-to-dfs-ch.patch +wifi-mt76-mt7925-fix-locking-in-mt7925_change_vif_li.patch +wifi-mt76-prevent-non-offchannel-mgmt-tx-during-scan.patch +wifi-mt76-mt7996-disable-beacons-when-going-offchann.patch +wifi-mt76-mt7996-use-the-correct-vif-link-for-scanni.patch +wifi-mt76-mt7996-add-missing-check-for-rx-wcid-entri.patch +wifi-mt76-mt7915-fix-list-corruption-after-hardware-.patch +wifi-mt76-free-pending-offchannel-tx-frames-on-wcid-.patch +wifi-mt76-fix-linked-list-corruption.patch +netfilter-br_netfilter-do-not-check-confirmed-bit-in.patch +netfilter-conntrack-helper-replace-eexist-by-ebusy.patch +wifi-iwlwifi-if-scratch-is-0u-consider-it-a-failure.patch +wifi-iwlwifi-acpi-check-dsm-func-validity.patch +wifi-iwlwifi-uefi-check-dsm-item-validity.patch +wifi-iwlwifi-cfg-restore-some-1000-series-configs.patch +wifi-iwlwifi-cfg-add-back-more-lost-pci-ids.patch +bluetooth-vhci-prevent-use-after-free-by-removing-de.patch +bluetooth-fix-use-after-free-in-l2cap_sock_cleanup_l.patch +netfilter-nft_flowtable.sh-re-run-with-random-mtu-si.patch +net_sched-gen_estimator-fix-est_timer-vs-config_pree.patch +xirc2ps_cs-fix-register-access-when-enabling-fulldup.patch +ptp-ocp-fix-use-after-free-bugs-causing-by-ptp_ocp_w.patch +misdn-fix-memory-leak-in-dsp_hwec_enable.patch +selftests-drv-net-csum-fix-interface-name-for-remote.patch +bnxt_en-fix-incorrect-page-count-in-rx-aggr-ring-log.patch +icmp-fix-icmp_ndo_send-address-translation-for-reply.patch +eth-mlx4-fix-is_err-vs-null-check-bug-in-mlx4_en_cre.patch +net-macb-fix-tx_ptr_lock-locking.patch 
+macsec-read-macsec_sa_attr_pn-with-nla_get_uint.patch +net-smc-fix-one-null-pointer-dereference-in-smc_ib_i.patch +net-mctp-mctp_fraq_queue-should-take-ownership-of-pa.patch +net-mctp-usb-initialise-mac-header-in-rx-path.patch +net-ethernet-ti-am65-cpsw-nuss-fix-null-pointer-dere.patch +ice-fix-null-access-of-tx-in_use-in-ice_ptp_ts_irq.patch +ice-fix-null-access-of-tx-in_use-in-ice_ll_ts_intr.patch +idpf-set-mac-type-when-adding-and-removing-mac-filte.patch +i40e-remove-read-access-to-debugfs-files.patch +i40e-fix-potential-invalid-access-when-mac-list-is-e.patch +ixgbe-fix-incorrect-map-used-in-eee-linkmode.patch +wifi-ath12k-set-emlsr-support-flag-in-mlo-flags-for-.patch +wifi-ath11k-fix-group-data-packet-drops-during-rekey.patch +net-tcp-fix-socket-memory-leak-in-tcp-ao-failure-han.patch +net-ethernet-mtk_eth_soc-fix-tx-vlan-tag-for-llc-pac.patch +vxlan-fix-npd-when-refreshing-an-fdb-entry-with-a-ne.patch +vxlan-fix-npd-in-arp-neigh-_reduce-when-using-nextho.patch +wifi-cw1200-cap-ssid-length-in-cw1200_do_join.patch +wifi-libertas-cap-ssid-len-in-lbs_associate.patch +wifi-cfg80211-sme-cap-ssid-length-in-__cfg80211_conn.patch +tools-ynl-gen-fix-nested-array-counting.patch +net-remove-sock_i_uid.patch +net-lockless-sock_i_ino.patch +net-thunder_bgx-add-a-missing-of_node_put.patch +net-thunder_bgx-decrement-cleanup-index-before-use.patch +ipv4-fix-null-vs-error-pointer-check-in-inet_blackho.patch +net-smc-remove-validation-of-reserved-bits-in-clc-de.patch +mctp-return-enoprotoopt-for-unknown-getsockopt-optio.patch +ax25-properly-unshare-skbs-in-ax25_kiss_rcv.patch +selftests-netfilter-fix-udpclash-tool-hang.patch +netfilter-nf_tables-introduce-nfta_device_prefix.patch +net-atm-fix-memory-leak-in-atm_register_sysfs-when-d.patch +net-xilinx-axienet-add-error-handling-for-rx-metadat.patch +ppp-fix-memory-leak-in-pad_compress_skb.patch +selftest-net-fix-weird-setsockopt-in-bind_bhash.c.patch +phy-mscc-stop-taking-ts_lock-for-tx_queue-and-use-it.patch 
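Review bot: In the udpclash.c hunk of the udpclash patch above, `static volatile int wait = 1;` stops the compiler from hoisting the `while (wait == 1)` load out of the loop, but volatile is not a memory-ordering primitive; for a flag shared between threads the C11 form is `static atomic_int wait = 1;` from <stdatomic.h> read and written with atomic_load/atomic_store (or a pthread condition variable), which also documents the intent. For a selftest the volatile is adequate, so this is a style point rather than a blocker.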
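Review bot: In the test_floodresize_all() hunk of conntrack_resize.sh in the udpclash patch above, `insert_flood "$n" "$timeout" &` relies on `$timeout` being set in that function's scope, which the hunk does not show; if it is unset, the new `local timeout="$2"` in insert_flood will be empty and the second parameter is still effectively ignored. Worth confirming the variable is defined before the loop. Also, `timeout 30` is now hard-coded in both conntrack_clash.sh and conntrack_resize.sh; a single named value would keep the two scripts in step.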
diff --git a/queue-6.16/tools-ynl-gen-fix-nested-array-counting.patch b/queue-6.16/tools-ynl-gen-fix-nested-array-counting.patch new file mode 100644 index 0000000000..d0571e8f76 --- /dev/null +++ b/queue-6.16/tools-ynl-gen-fix-nested-array-counting.patch 
@@ -0,0 +1,60 @@ +From 1f44729cd35b178a0c8c55592f5ae63b8cdc1c1a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Sep 2025 15:59:59 +0000 +Subject: tools: ynl-gen: fix nested array counting +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Asbjørn Sloth Tønnesen + +[ Upstream commit b4ada0618eed0fbd1b1630f73deb048c592b06a1 ] + +The blamed commit introduced the concept of split attribute +counting, and later allocating an array to hold them, however +TypeArrayNest wasn't updated to use the new counting variable. + +Abbreviated example from tools/net/ynl/generated/nl80211-user.c: +nl80211_if_combination_attributes_parse(...): + unsigned int n_limits = 0; + [...] + ynl_attr_for_each(attr, nlh, yarg->ys->family->hdr_len) + if (type == NL80211_IFACE_COMB_LIMITS) + ynl_attr_for_each_nested(attr2, attr) + dst->_count.limits++; + if (n_limits) { + dst->_count.limits = n_limits; + /* allocate and parse attributes */ + } + +In the above example n_limits is guaranteed to always be 0, +hence the conditional is unsatisfiable and is optimized out. + +This patch changes the attribute counting to use n_limits++ in the +attribute counting loop in the above example. 
+ +Fixes: 58da455b31ba ("tools: ynl-gen: improve unwind on parsing errors") +Signed-off-by: Asbjørn Sloth Tønnesen +Link: https://patch.msgid.link/20250902160001.760953-1-ast@fiberby.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/net/ynl/pyynl/ynl_gen_c.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/net/ynl/pyynl/ynl_gen_c.py b/tools/net/ynl/pyynl/ynl_gen_c.py +index 76032e01c2e75..0725a52b6ad7b 100755 +--- a/tools/net/ynl/pyynl/ynl_gen_c.py ++++ b/tools/net/ynl/pyynl/ynl_gen_c.py +@@ -830,7 +830,7 @@ class TypeArrayNest(Type): + 'ynl_attr_for_each_nested(attr2, attr) {', + '\tif (ynl_attr_validate(yarg, attr2))', + '\t\treturn YNL_PARSE_CB_ERROR;', +- f'\t{var}->_count.{self.c_name}++;', ++ f'\tn_{self.c_name}++;', + '}'] + return get_lines, None, local_vars + +-- +2.50.1 + diff --git a/queue-6.16/vxlan-fix-npd-in-arp-neigh-_reduce-when-using-nextho.patch b/queue-6.16/vxlan-fix-npd-in-arp-neigh-_reduce-when-using-nextho.patch new file mode 100644 index 0000000000..e84b3022f6 --- /dev/null +++ b/queue-6.16/vxlan-fix-npd-in-arp-neigh-_reduce-when-using-nextho.patch 
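Review bot: In the ynl_gen_c.py hunk of the ynl-gen patch above, `f'\tn_{self.c_name}++;'` only produces compilable C if `n_{c_name}` is declared in the `local_vars` returned on the following context line; the commit message shows `unsigned int n_limits = 0;` being emitted, so that appears to hold, but the declaration is outside the hunk and worth a glance. A second check: this was the only increment of `{var}->_count.{c_name}`, so any generated code that reads the count before the `if (n_limits)` assignment now sees zero.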
@@ -0,0 +1,152 @@ +From 1209b6f2c5d046fd870b950373045fbdee34bc00 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Sep 2025 09:50:34 +0300 +Subject: vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects + +From: Ido Schimmel + +[ Upstream commit 1f5d2fd1ca04a23c18b1bde9a43ce2fa2ffa1bce ] + +When the "proxy" option is enabled on a VXLAN device, the device will +suppress ARP requests and IPv6 Neighbor Solicitation messages if it is +able to reply on behalf of the remote host. That is, if a matching and +valid neighbor entry is configured on the VXLAN device whose MAC address +is not behind the "any" remote (0.0.0.0 / ::). + +The code currently assumes that the FDB entry for the neighbor's MAC +address points to a valid remote destination, but this is incorrect if +the entry is associated with an FDB nexthop group. This can result in a +NPD [1][3] which can be reproduced using [2][4]. + +Fix by checking that the remote destination exists before dereferencing +it. + +[1] +BUG: kernel NULL pointer dereference, address: 0000000000000000 +[...] +CPU: 4 UID: 0 PID: 365 Comm: arping Not tainted 6.17.0-rc2-virtme-g2a89cb21162c #2 PREEMPT(voluntary) +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014 +RIP: 0010:vxlan_xmit+0xb58/0x15f0 +[...] 
+Call Trace: + + dev_hard_start_xmit+0x5d/0x1c0 + __dev_queue_xmit+0x246/0xfd0 + packet_sendmsg+0x113a/0x1850 + __sock_sendmsg+0x38/0x70 + __sys_sendto+0x126/0x180 + __x64_sys_sendto+0x24/0x30 + do_syscall_64+0xa4/0x260 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + +[2] + #!/bin/bash + + ip address add 192.0.2.1/32 dev lo + + ip nexthop add id 1 via 192.0.2.2 fdb + ip nexthop add id 10 group 1 fdb + + ip link add name vx0 up type vxlan id 10010 local 192.0.2.1 dstport 4789 proxy + + ip neigh add 192.0.2.3 lladdr 00:11:22:33:44:55 nud perm dev vx0 + + bridge fdb add 00:11:22:33:44:55 dev vx0 self static nhid 10 + + arping -b -c 1 -s 192.0.2.1 -I vx0 192.0.2.3 + +[3] +BUG: kernel NULL pointer dereference, address: 0000000000000000 +[...] +CPU: 13 UID: 0 PID: 372 Comm: ndisc6 Not tainted 6.17.0-rc2-virtmne-g6ee90cb26014 #3 PREEMPT(voluntary) +Hardware name: QEMU Standard PC (i440FX + PIIX, 1v996), BIOS 1.17.0-4.fc41 04/01/2x014 +RIP: 0010:vxlan_xmit+0x803/0x1600 +[...] +Call Trace: + + dev_hard_start_xmit+0x5d/0x1c0 + __dev_queue_xmit+0x246/0xfd0 + ip6_finish_output2+0x210/0x6c0 + ip6_finish_output+0x1af/0x2b0 + ip6_mr_output+0x92/0x3e0 + ip6_send_skb+0x30/0x90 + rawv6_sendmsg+0xe6e/0x12e0 + __sock_sendmsg+0x38/0x70 + __sys_sendto+0x126/0x180 + __x64_sys_sendto+0x24/0x30 + do_syscall_64+0xa4/0x260 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 +RIP: 0033:0x7f383422ec77 + +[4] + #!/bin/bash + + ip address add 2001:db8:1::1/128 dev lo + + ip nexthop add id 1 via 2001:db8:1::1 fdb + ip nexthop add id 10 group 1 fdb + + ip link add name vx0 up type vxlan id 10010 local 2001:db8:1::1 dstport 4789 proxy + + ip neigh add 2001:db8:1::3 lladdr 00:11:22:33:44:55 nud perm dev vx0 + + bridge fdb add 00:11:22:33:44:55 dev vx0 self static nhid 10 + + ndisc6 -r 1 -s 2001:db8:1::1 -w 1 2001:db8:1::3 vx0 + +Fixes: 1274e1cc4226 ("vxlan: ecmp support for mac fdb entries") +Reviewed-by: Petr Machata +Signed-off-by: Ido Schimmel +Reviewed-by: Nikolay Aleksandrov +Link: 
https://patch.msgid.link/20250901065035.159644-3-idosch@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/vxlan/vxlan_core.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c +index cea9dd067b68a..45cec14d76f62 100644 +--- a/drivers/net/vxlan/vxlan_core.c ++++ b/drivers/net/vxlan/vxlan_core.c +@@ -1880,6 +1880,7 @@ static int arp_reduce(struct net_device *dev, struct sk_buff *skb, __be32 vni) + n = neigh_lookup(&arp_tbl, &tip, dev); + + if (n) { ++ struct vxlan_rdst *rdst = NULL; + struct vxlan_fdb *f; + struct sk_buff *reply; + +@@ -1890,7 +1891,9 @@ static int arp_reduce(struct net_device *dev, struct sk_buff *skb, __be32 vni) + + rcu_read_lock(); + f = vxlan_find_mac_tx(vxlan, n->ha, vni); +- if (f && vxlan_addr_any(&(first_remote_rcu(f)->remote_ip))) { ++ if (f) ++ rdst = first_remote_rcu(f); ++ if (rdst && vxlan_addr_any(&rdst->remote_ip)) { + /* bridge-local neighbor */ + neigh_release(n); + rcu_read_unlock(); +@@ -2047,6 +2050,7 @@ static int neigh_reduce(struct net_device *dev, struct sk_buff *skb, __be32 vni) + n = neigh_lookup(ipv6_stub->nd_tbl, &msg->target, dev); + + if (n) { ++ struct vxlan_rdst *rdst = NULL; + struct vxlan_fdb *f; + struct sk_buff *reply; + +@@ -2056,7 +2060,9 @@ static int neigh_reduce(struct net_device *dev, struct sk_buff *skb, __be32 vni) + } + + f = vxlan_find_mac_tx(vxlan, n->ha, vni); +- if (f && vxlan_addr_any(&(first_remote_rcu(f)->remote_ip))) { ++ if (f) ++ rdst = first_remote_rcu(f); ++ if (rdst && vxlan_addr_any(&rdst->remote_ip)) { + /* bridge-local neighbor */ + neigh_release(n); + goto out; +-- +2.50.1 + diff --git a/queue-6.16/vxlan-fix-npd-when-refreshing-an-fdb-entry-with-a-ne.patch b/queue-6.16/vxlan-fix-npd-when-refreshing-an-fdb-entry-with-a-ne.patch new file mode 100644 index 0000000000..eca10d28e2 --- /dev/null 
+++ b/queue-6.16/vxlan-fix-npd-when-refreshing-an-fdb-entry-with-a-ne.patch 
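Review bot: In both the arp_reduce() and neigh_reduce() hunks of the {arp,neigh}_reduce patch above, when `f` exists but `first_remote_rcu(f)` returns NULL (the entry points to an FDB nexthop group), the `rdst && vxlan_addr_any(&rdst->remote_ip)` test fails and the function falls through to the proxy-reply path instead of the bridge-local path. That removes the NULL dereference, but a short comment stating that nexthop-backed entries are deliberately treated as remote would make the behaviour explicit. Also, the neigh_reduce() hunk does not show an `rcu_read_lock()` around `first_remote_rcu()` the way the arp_reduce() hunk does, so confirm the caller already holds RCU there.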
@@ -0,0 +1,118 @@ +From 717b7b7ee3df1c0e9331d607a416e9a275699328 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Sep 2025 09:50:33 +0300 +Subject: vxlan: Fix NPD when refreshing an FDB entry with a nexthop object + +From: Ido Schimmel + +[ Upstream commit 6ead38147ebb813f08be6ea8ef547a0e4c09559a ] + +VXLAN FDB entries can point to either a remote destination or an FDB +nexthop group. The latter is usually used in EVPN deployments where +learning is disabled. + +However, when learning is enabled, an incoming packet might try to +refresh an FDB entry that points to an FDB nexthop group and therefore +does not have a remote. Such packets should be dropped, but they are +only dropped after dereferencing the non-existent remote, resulting in a +NPD [1] which can be reproduced using [2]. + +Fix by dropping such packets earlier. Remove the misleading comment from +first_remote_rcu(). + +[1] +BUG: kernel NULL pointer dereference, address: 0000000000000000 +[...] +CPU: 13 UID: 0 PID: 361 Comm: mausezahn Not tainted 6.17.0-rc1-virtme-g9f6b606b6b37 #1 PREEMPT(voluntary) +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014 +RIP: 0010:vxlan_snoop+0x98/0x1e0 +[...] 
+Call Trace: + + vxlan_encap_bypass+0x209/0x240 + encap_bypass_if_local+0xb1/0x100 + vxlan_xmit_one+0x1375/0x17e0 + vxlan_xmit+0x6b4/0x15f0 + dev_hard_start_xmit+0x5d/0x1c0 + __dev_queue_xmit+0x246/0xfd0 + packet_sendmsg+0x113a/0x1850 + __sock_sendmsg+0x38/0x70 + __sys_sendto+0x126/0x180 + __x64_sys_sendto+0x24/0x30 + do_syscall_64+0xa4/0x260 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + +[2] + #!/bin/bash + + ip address add 192.0.2.1/32 dev lo + ip address add 192.0.2.2/32 dev lo + + ip nexthop add id 1 via 192.0.2.3 fdb + ip nexthop add id 10 group 1 fdb + + ip link add name vx0 up type vxlan id 10010 local 192.0.2.1 dstport 12345 localbypass + ip link add name vx1 up type vxlan id 10020 local 192.0.2.2 dstport 54321 learning + + bridge fdb add 00:11:22:33:44:55 dev vx0 self static dst 192.0.2.2 port 54321 vni 10020 + bridge fdb add 00:aa:bb:cc:dd:ee dev vx1 self static nhid 10 + + mausezahn vx0 -a 00:aa:bb:cc:dd:ee -b 00:11:22:33:44:55 -c 1 -q + +Fixes: 1274e1cc4226 ("vxlan: ecmp support for mac fdb entries") +Reported-by: Marlin Cremers +Reviewed-by: Petr Machata +Signed-off-by: Ido Schimmel +Reviewed-by: Nikolay Aleksandrov +Link: https://patch.msgid.link/20250901065035.159644-2-idosch@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/vxlan/vxlan_core.c | 8 ++++---- + drivers/net/vxlan/vxlan_private.h | 4 +--- + 2 files changed, 5 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c +index 97792de896b72..cea9dd067b68a 100644 +--- a/drivers/net/vxlan/vxlan_core.c ++++ b/drivers/net/vxlan/vxlan_core.c +@@ -1445,6 +1445,10 @@ static enum skb_drop_reason vxlan_snoop(struct net_device *dev, + if (READ_ONCE(f->updated) != now) + WRITE_ONCE(f->updated, now); + ++ /* Don't override an fdb with nexthop with a learnt entry */ ++ if (rcu_access_pointer(f->nh)) ++ return SKB_DROP_REASON_VXLAN_ENTRY_EXISTS; ++ + if (likely(vxlan_addr_equal(&rdst->remote_ip, src_ip) && + 
rdst->remote_ifindex == ifindex)) + return SKB_NOT_DROPPED_YET; +@@ -1453,10 +1457,6 @@ static enum skb_drop_reason vxlan_snoop(struct net_device *dev, + if (f->state & (NUD_PERMANENT | NUD_NOARP)) + return SKB_DROP_REASON_VXLAN_ENTRY_EXISTS; + +- /* Don't override an fdb with nexthop with a learnt entry */ +- if (rcu_access_pointer(f->nh)) +- return SKB_DROP_REASON_VXLAN_ENTRY_EXISTS; +- + if (net_ratelimit()) + netdev_info(dev, + "%pM migrated from %pIS to %pIS\n", +diff --git a/drivers/net/vxlan/vxlan_private.h b/drivers/net/vxlan/vxlan_private.h +index d328aed9feefd..55b84c0cbd65e 100644 +--- a/drivers/net/vxlan/vxlan_private.h ++++ b/drivers/net/vxlan/vxlan_private.h +@@ -61,9 +61,7 @@ static inline struct hlist_head *vs_head(struct net *net, __be16 port) + return &vn->sock_list[hash_32(ntohs(port), PORT_HASH_BITS)]; + } + +-/* First remote destination for a forwarding entry. +- * Guaranteed to be non-NULL because remotes are never deleted. +- */ ++/* First remote destination for a forwarding entry. */ + static inline struct vxlan_rdst *first_remote_rcu(struct vxlan_fdb *fdb) + { + if (rcu_access_pointer(fdb->nh)) +-- +2.50.1 + diff --git a/queue-6.16/wifi-ath11k-fix-group-data-packet-drops-during-rekey.patch b/queue-6.16/wifi-ath11k-fix-group-data-packet-drops-during-rekey.patch new file mode 100644 index 0000000000..825a23e683 --- /dev/null +++ b/queue-6.16/wifi-ath11k-fix-group-data-packet-drops-during-rekey.patch 
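Review bot: In the vxlan_snoop() hunk, moving the `rcu_access_pointer(f->nh)` check above the first `rdst->remote_ip` use removes the NULL dereference, but the check still sits after `WRITE_ONCE(f->updated, now)`, so a learnt packet continues to refresh the timestamp of an entry it is not allowed to modify; if that is not intended, hoist the check above the `updated` write.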
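Review bot: In the vxlan_private.h hunk, the shortened comment on first_remote_rcu() should say that it returns NULL for entries with a nexthop group (the `if (rcu_access_pointer(fdb->nh))` on the next context line), since callers in vxlan_core.c now depend on exactly that contract; something like `/* First remote destination for a forwarding entry, or NULL if the entry points to a nexthop group. */`.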
@@ -0,0 +1,244 @@ +From 7fde069f02b1b7a575f21e427a4d27ae137e8979 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 10 Aug 2025 22:30:18 +0530 +Subject: wifi: ath11k: fix group data packet drops during rekey +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rameshkumar Sundaram + +[ Upstream commit 97acb0259cc9cbfbd7ab689e25684f3d8ce10e26 ] + +During GTK rekey, mac80211 issues a clear key (if the old key exists) +followed by an install key operation in the same context. This causes +ath11k to send two WMI commands in quick succession: one to clear the +old key and another to install the new key in the same slot. + +Under certain conditions—especially under high load or time sensitive +scenarios, firmware may process these commands asynchronously in a way +that firmware assumes the key is cleared whereas hardware has a valid key. +This inconsistency between hardware and firmware leads to group addressed +packet drops. Only setting the same key again can restore a valid key in +firmware and allow packets to be transmitted. + +This issue remained latent because the host's clear key commands were +not effective in firmware until commit 436a4e886598 ("ath11k: clear the +keys properly via DISABLE_KEY"). That commit enabled the host to +explicitly clear group keys, which inadvertently exposed the race. + +To mitigate this, restrict group key clearing across all modes (AP, STA, +MESH). During rekey, the new key can simply be set on top of the previous +one, avoiding the need for a clear followed by a set. + +However, in AP mode specifically, permit group key clearing when no +stations are associated. This exception supports transitions from secure +modes (e.g., WPA2/WPA3) to open mode, during which all associated peers +are removed and the group key is cleared as part of the transition. + +Add a per-BSS station counter to track the presence of stations during +set key operations. 
Also add a reset_group_keys flag to track the key +re-installation state and avoid repeated installation of the same key +when the number of connected stations transitions to non-zero within a +rekey period. + +Additionally, for AP and Mesh modes, when the first station associates, +reinstall the same group key that was last set. This ensures that the +firmware recovers from any race that may have occurred during a previous +key clear when no stations were associated. + +This change ensures that key clearing is permitted only when no clients +are connected, avoiding packet loss while enabling dynamic security mode +transitions. + +Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.9.0.1-02146-QCAHKSWPL_SILICONZ-1 +Tested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41 + +Reported-by: Steffen Moser +Closes: https://lore.kernel.org/linux-wireless/c6366409-9928-4dd7-bf7b-ba7fcf20eabf@steffen-moser.de +Fixes: 436a4e886598 ("ath11k: clear the keys properly via DISABLE_KEY") +Signed-off-by: Rameshkumar Sundaram +Tested-by: Nicolas Escande +Reviewed-by: Vasanthakumar Thiagarajan +Link: https://patch.msgid.link/20250810170018.1124014-1-rameshkumar.sundaram@oss.qualcomm.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/core.h | 2 + + drivers/net/wireless/ath/ath11k/mac.c | 111 +++++++++++++++++++++++-- + 2 files changed, 104 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath11k/core.h b/drivers/net/wireless/ath/ath11k/core.h +index 6b2f207975e33..5d0210953fa30 100644 +--- a/drivers/net/wireless/ath/ath11k/core.h ++++ b/drivers/net/wireless/ath/ath11k/core.h +@@ -410,6 +410,8 @@ struct ath11k_vif { + bool do_not_send_tmpl; + struct ath11k_arp_ns_offload arp_ns_offload; + struct ath11k_rekey_data rekey_data; ++ u32 num_stations; ++ bool reinstall_group_keys; + + struct ath11k_reg_tpc_power_info reg_tpc_info; + +diff --git a/drivers/net/wireless/ath/ath11k/mac.c 
b/drivers/net/wireless/ath/ath11k/mac.c +index 977f370fd6de4..5f6cc763c86ac 100644 +--- a/drivers/net/wireless/ath/ath11k/mac.c ++++ b/drivers/net/wireless/ath/ath11k/mac.c +@@ -4317,6 +4317,40 @@ static int ath11k_clear_peer_keys(struct ath11k_vif *arvif, + return first_errno; + } + ++static int ath11k_set_group_keys(struct ath11k_vif *arvif) ++{ ++ struct ath11k *ar = arvif->ar; ++ struct ath11k_base *ab = ar->ab; ++ const u8 *addr = arvif->bssid; ++ int i, ret, first_errno = 0; ++ struct ath11k_peer *peer; ++ ++ spin_lock_bh(&ab->base_lock); ++ peer = ath11k_peer_find(ab, arvif->vdev_id, addr); ++ spin_unlock_bh(&ab->base_lock); ++ ++ if (!peer) ++ return -ENOENT; ++ ++ for (i = 0; i < ARRAY_SIZE(peer->keys); i++) { ++ struct ieee80211_key_conf *key = peer->keys[i]; ++ ++ if (!key || (key->flags & IEEE80211_KEY_FLAG_PAIRWISE)) ++ continue; ++ ++ ret = ath11k_install_key(arvif, key, SET_KEY, addr, ++ WMI_KEY_GROUP); ++ if (ret < 0 && first_errno == 0) ++ first_errno = ret; ++ ++ if (ret < 0) ++ ath11k_warn(ab, "failed to set group key of idx %d for vdev %d: %d\n", ++ i, arvif->vdev_id, ret); ++ } ++ ++ return first_errno; ++} ++ + static int ath11k_mac_op_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd, + struct ieee80211_vif *vif, struct ieee80211_sta *sta, + struct ieee80211_key_conf *key) +@@ -4326,6 +4360,7 @@ static int ath11k_mac_op_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd, + struct ath11k_vif *arvif = ath11k_vif_to_arvif(vif); + struct ath11k_peer *peer; + struct ath11k_sta *arsta; ++ bool is_ap_with_no_sta; + const u8 *peer_addr; + int ret = 0; + u32 flags = 0; +@@ -4386,16 +4421,57 @@ static int ath11k_mac_op_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd, + else + flags |= WMI_KEY_GROUP; + +- ret = ath11k_install_key(arvif, key, cmd, peer_addr, flags); +- if (ret) { +- ath11k_warn(ab, "ath11k_install_key failed (%d)\n", ret); +- goto exit; +- } ++ ath11k_dbg(ar->ab, ATH11K_DBG_MAC, ++ "%s for peer %pM on vdev %d flags 0x%X, 
type = %d, num_sta %d\n", ++ cmd == SET_KEY ? "SET_KEY" : "DEL_KEY", peer_addr, arvif->vdev_id, ++ flags, arvif->vdev_type, arvif->num_stations); ++ ++ /* Allow group key clearing only in AP mode when no stations are ++ * associated. There is a known race condition in firmware where ++ * group addressed packets may be dropped if the key is cleared ++ * and immediately set again during rekey. ++ * ++ * During GTK rekey, mac80211 issues a clear key (if the old key ++ * exists) followed by an install key operation for same key ++ * index. This causes ath11k to send two WMI commands in quick ++ * succession: one to clear the old key and another to install the ++ * new key in the same slot. ++ * ++ * Under certain conditions—especially under high load or time ++ * sensitive scenarios, firmware may process these commands ++ * asynchronously in a way that firmware assumes the key is ++ * cleared whereas hardware has a valid key. This inconsistency ++ * between hardware and firmware leads to group addressed packet ++ * drops after rekey. ++ * Only setting the same key again can restore a valid key in ++ * firmware and allow packets to be transmitted. ++ * ++ * There is a use case where an AP can transition from Secure mode ++ * to open mode without a vdev restart by just deleting all ++ * associated peers and clearing key, Hence allow clear key for ++ * that case alone. Mark arvif->reinstall_group_keys in such cases ++ * and reinstall the same key when the first peer is added, ++ * allowing firmware to recover from the race if it had occurred. 
++ */ + +- ret = ath11k_dp_peer_rx_pn_replay_config(arvif, peer_addr, cmd, key); +- if (ret) { +- ath11k_warn(ab, "failed to offload PN replay detection %d\n", ret); +- goto exit; ++ is_ap_with_no_sta = (vif->type == NL80211_IFTYPE_AP && ++ !arvif->num_stations); ++ if ((flags & WMI_KEY_PAIRWISE) || cmd == SET_KEY || is_ap_with_no_sta) { ++ ret = ath11k_install_key(arvif, key, cmd, peer_addr, flags); ++ if (ret) { ++ ath11k_warn(ab, "ath11k_install_key failed (%d)\n", ret); ++ goto exit; ++ } ++ ++ ret = ath11k_dp_peer_rx_pn_replay_config(arvif, peer_addr, cmd, key); ++ if (ret) { ++ ath11k_warn(ab, "failed to offload PN replay detection %d\n", ++ ret); ++ goto exit; ++ } ++ ++ if ((flags & WMI_KEY_GROUP) && cmd == SET_KEY && is_ap_with_no_sta) ++ arvif->reinstall_group_keys = true; + } + + spin_lock_bh(&ab->base_lock); +@@ -4994,6 +5070,7 @@ static int ath11k_mac_inc_num_stations(struct ath11k_vif *arvif, + return -ENOBUFS; + + ar->num_stations++; ++ arvif->num_stations++; + + return 0; + } +@@ -5009,6 +5086,7 @@ static void ath11k_mac_dec_num_stations(struct ath11k_vif *arvif, + return; + + ar->num_stations--; ++ arvif->num_stations--; + } + + static u32 ath11k_mac_ieee80211_sta_bw_to_wmi(struct ath11k *ar, +@@ -9536,6 +9614,21 @@ static int ath11k_mac_station_add(struct ath11k *ar, + goto exit; + } + ++ /* Driver allows the DEL KEY followed by SET KEY sequence for ++ * group keys for only when there is no clients associated, if at ++ * all firmware has entered the race during that window, ++ * reinstalling the same key when the first sta connects will allow ++ * firmware to recover from the race. 
++ */ ++ if (arvif->num_stations == 1 && arvif->reinstall_group_keys) { ++ ath11k_dbg(ab, ATH11K_DBG_MAC, "set group keys on 1st station add for vdev %d\n", ++ arvif->vdev_id); ++ ret = ath11k_set_group_keys(arvif); ++ if (ret) ++ goto dec_num_station; ++ arvif->reinstall_group_keys = false; ++ } ++ + arsta->rx_stats = kzalloc(sizeof(*arsta->rx_stats), GFP_KERNEL); + if (!arsta->rx_stats) { + ret = -ENOMEM; +-- +2.50.1 + diff --git a/queue-6.16/wifi-ath12k-set-emlsr-support-flag-in-mlo-flags-for-.patch b/queue-6.16/wifi-ath12k-set-emlsr-support-flag-in-mlo-flags-for-.patch new file mode 100644 index 0000000000..a4761d4b47 --- /dev/null +++ b/queue-6.16/wifi-ath12k-set-emlsr-support-flag-in-mlo-flags-for-.patch 
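Review bot: In the ath11k_mac_op_set_key() hunk of the ath11k patch above, `is_ap_with_no_sta` only covers `NL80211_IFTYPE_AP`, so `arvif->reinstall_group_keys` is never set for mesh interfaces, while the commit message says the reinstall on first station add applies to "AP and Mesh modes"; either extend the condition to `NL80211_IFTYPE_MESH_POINT` or adjust the message so the two agree. Two smaller points in the same hunk: the new ath11k_dbg() call uses `ar->ab` where the local `ab` is already in scope, and its label `"DEL_KEY"` does not match the enum name (`DISABLE_KEY`) that the `cmd != SET_KEY` branch actually represents.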
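Review bot: In the new ath11k_set_group_keys() hunk, `peer` is looked up under `ab->base_lock` but `peer->keys[i]` is read after the lock is dropped, so the loop relies on the peer not being freed concurrently; that matches the existing ath11k_clear_peer_keys() pattern, which depends on `ar->conf_mutex` being held by the caller, and a `lockdep_assert_held(&ar->conf_mutex)` at the top of the function would document that requirement for the new caller in ath11k_mac_station_add().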
@@ -0,0 +1,48 @@ +From fb52db37efeba431a0742e58d063a7833a0db390 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Aug 2025 16:19:20 +0530 +Subject: wifi: ath12k: Set EMLSR support flag in MLO flags for EML-capable + stations + +From: Ramya Gnanasekar + +[ Upstream commit 22c55fb9eb92395d999b8404d73e58540d11bdd8 ] + +Currently, when updating EMLSR capabilities of a multi-link (ML) station, +only the EMLSR parameters (e.g., padding delay, transition delay, and +timeout) are sent to firmware. However, firmware also requires the +EMLSR support flag to be set in the MLO flags of the peer assoc WMI +command to properly handle EML operating mode notification frames. + +Set the ATH12K_WMI_FLAG_MLO_EMLSR_SUPPORT flag in the peer assoc WMI +command when the ML station is EMLSR-capable, so that the firmware can +respond to EHT EML action frames from associated stations. + +Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1 + +Fixes: 4bcf9525bc49 ("wifi: ath12k: update EMLSR capabilities of ML Station") +Signed-off-by: Ramya Gnanasekar +Signed-off-by: Rameshkumar Sundaram +Reviewed-by: Vasanthakumar Thiagarajan +Link: https://patch.msgid.link/20250801104920.3326352-1-rameshkumar.sundaram@oss.qualcomm.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/wmi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/ath/ath12k/wmi.c b/drivers/net/wireless/ath/ath12k/wmi.c +index 1d0d4a6689464..eac5d48cade66 100644 +--- a/drivers/net/wireless/ath/ath12k/wmi.c ++++ b/drivers/net/wireless/ath/ath12k/wmi.c +@@ -2370,6 +2370,7 @@ int ath12k_wmi_send_peer_assoc_cmd(struct ath12k *ar, + + eml_cap = arg->ml.eml_cap; + if (u16_get_bits(eml_cap, IEEE80211_EML_CAP_EMLSR_SUPP)) { ++ ml_params->flags |= cpu_to_le32(ATH12K_WMI_FLAG_MLO_EMLSR_SUPPORT); + /* Padding delay */ + eml_pad_delay = ieee80211_emlsr_pad_delay_in_us(eml_cap); + ml_params->emlsr_padding_delay_us = cpu_to_le32(eml_pad_delay); +-- 
+2.50.1 + diff --git a/queue-6.16/wifi-brcmfmac-fix-use-after-free-when-rescheduling-b.patch b/queue-6.16/wifi-brcmfmac-fix-use-after-free-when-rescheduling-b.patch new file mode 100644 index 0000000000..ed8faf8364 --- /dev/null +++ b/queue-6.16/wifi-brcmfmac-fix-use-after-free-when-rescheduling-b.patch 
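Review bot: In the ath12k_wmi_send_peer_assoc_cmd() hunk of the ath12k patch above, `ml_params->flags |= cpu_to_le32(ATH12K_WMI_FLAG_MLO_EMLSR_SUPPORT)` is only effective if `ml_params->flags` has already been initialised with a plain assignment earlier in the function and is not reassigned afterwards; neither is visible in the hunk, so confirm the base flags assignment precedes this block.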
@@ -0,0 +1,106 @@ +From 4c0d72920e4bd0f74981669dfa2309d757b7aacf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Aug 2025 13:08:39 +0800 +Subject: wifi: brcmfmac: fix use-after-free when rescheduling + brcmf_btcoex_info work +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Duoming Zhou + +[ Upstream commit 9cb83d4be0b9b697eae93d321e0da999f9cdfcfc ] + +The brcmf_btcoex_detach() only shuts down the btcoex timer, if the +flag timer_on is false. However, the brcmf_btcoex_timerfunc(), which +runs as timer handler, sets timer_on to false. This creates critical +race conditions: + +1.If brcmf_btcoex_detach() is called while brcmf_btcoex_timerfunc() +is executing, it may observe timer_on as false and skip the call to +timer_shutdown_sync(). + +2.The brcmf_btcoex_timerfunc() may then reschedule the brcmf_btcoex_info +worker after the cancel_work_sync() has been executed, resulting in +use-after-free bugs. + +The use-after-free bugs occur in two distinct scenarios, depending on +the timing of when the brcmf_btcoex_info struct is freed relative to +the execution of its worker thread. + +Scenario 1: Freed before the worker is scheduled + +The brcmf_btcoex_info is deallocated before the worker is scheduled. +A race condition can occur when schedule_work(&bt_local->work) is +called after the target memory has been freed. The sequence of events +is detailed below: + +CPU0 | CPU1 +brcmf_btcoex_detach | brcmf_btcoex_timerfunc + | bt_local->timer_on = false; + if (cfg->btcoex->timer_on) | + ... | + cancel_work_sync(); | + ... | + kfree(cfg->btcoex); // FREE | + | schedule_work(&bt_local->work); // USE + +Scenario 2: Freed after the worker is scheduled + +The brcmf_btcoex_info is freed after the worker has been scheduled +but before or during its execution. 
In this case, statements within +the brcmf_btcoex_handler() — such as the container_of macro and +subsequent dereferences of the brcmf_btcoex_info object will cause +a use-after-free access. The following timeline illustrates this +scenario: + +CPU0 | CPU1 +brcmf_btcoex_detach | brcmf_btcoex_timerfunc + | bt_local->timer_on = false; + if (cfg->btcoex->timer_on) | + ... | + cancel_work_sync(); | + ... | schedule_work(); // Reschedule + | + kfree(cfg->btcoex); // FREE | brcmf_btcoex_handler() // Worker + /* | btci = container_of(....); // USE + The kfree() above could | ... + also occur at any point | btci-> // USE + during the worker's execution| + */ | + +To resolve the race conditions, drop the conditional check and call +timer_shutdown_sync() directly. It can deactivate the timer reliably, +regardless of its current state. Once stopped, the timer_on state is +then set to false. + +Fixes: 61730d4dfffc ("brcmfmac: support critical protocol API for DHCP") +Acked-by: Arend van Spriel +Signed-off-by: Duoming Zhou +Link: https://patch.msgid.link/20250822050839.4413-1-duoming@zju.edu.cn +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c +index 69ef8cf203d24..67c0c5a92f998 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c +@@ -393,10 +393,8 @@ void brcmf_btcoex_detach(struct brcmf_cfg80211_info *cfg) + if (!cfg->btcoex) + return; + +- if (cfg->btcoex->timer_on) { +- cfg->btcoex->timer_on = false; +- timer_shutdown_sync(&cfg->btcoex->timer); +- } ++ timer_shutdown_sync(&cfg->btcoex->timer); ++ cfg->btcoex->timer_on = false; + + cancel_work_sync(&cfg->btcoex->work); + +-- +2.50.1 + 
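Review bot: In the brcmf_btcoex_detach() hunk, the unconditional `timer_shutdown_sync()` is the right fix because the timer handler is the thing that clears `timer_on`, so the flag could never be trusted as a guard. Correctness also depends on the ordering that remains in the unchanged context, `timer_shutdown_sync()` before `cancel_work_sync()`: a handler that ran just before shutdown may still have queued the work, and the shutdown guarantees the work cannot re-arm the timer once cancelled. A one-line comment stating that ordering would stop a future reorder from reintroducing the race; the `timer_on = false` that follows is now bookkeeping only.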
diff --git a/queue-6.16/wifi-cfg80211-fix-use-after-free-in-cmp_bss.patch b/queue-6.16/wifi-cfg80211-fix-use-after-free-in-cmp_bss.patch new file mode 100644 index 0000000000..853a84176f --- /dev/null +++ b/queue-6.16/wifi-cfg80211-fix-use-after-free-in-cmp_bss.patch @@ -0,0 +1,43 @@ +From 61291c9ee150abfd26df874e12e7ed9eb894dabf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Aug 2025 16:52:36 +0300 +Subject: wifi: cfg80211: fix use-after-free in cmp_bss() + +From: Dmitry Antipov + +[ Upstream commit 26e84445f02ce6b2fe5f3e0e28ff7add77f35e08 ] + +Following bss_free() quirk introduced in commit 776b3580178f +("cfg80211: track hidden SSID networks properly"), adjust +cfg80211_update_known_bss() to free the last beacon frame +elements only if they're not shared via the corresponding +'hidden_beacon_bss' pointer. + +Reported-by: syzbot+30754ca335e6fb7e3092@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=30754ca335e6fb7e3092 +Fixes: 3ab8227d3e7d ("cfg80211: refactor cfg80211_bss_update") +Signed-off-by: Dmitry Antipov +Link: https://patch.msgid.link/20250813135236.799384-1-dmantipov@yandex.ru +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/scan.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/wireless/scan.c b/net/wireless/scan.c +index e8a4fe44ec2d8..f2a66af385dcb 100644 +--- a/net/wireless/scan.c ++++ b/net/wireless/scan.c +@@ -1905,7 +1905,8 @@ cfg80211_update_known_bss(struct cfg80211_registered_device *rdev, + */ + + f = rcu_access_pointer(new->pub.beacon_ies); +- kfree_rcu((struct cfg80211_bss_ies *)f, rcu_head); ++ if (!new->pub.hidden_beacon_bss) ++ kfree_rcu((struct cfg80211_bss_ies *)f, rcu_head); + return false; + } + +-- +2.50.1 + diff --git a/queue-6.16/wifi-cfg80211-sme-cap-ssid-length-in-__cfg80211_conn.patch b/queue-6.16/wifi-cfg80211-sme-cap-ssid-length-in-__cfg80211_conn.patch new file mode 100644 index 0000000000..8980e69ceb --- /dev/null 
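Review bot: the guard `if (!new->pub.hidden_beacon_bss)` encodes an ownership rule (beacon_ies shared with the hidden BSS are freed by bss_free(), not here) that is invisible at this call site; since the Fixes: commit was a refactor of exactly this function, a one-line comment next to the kfree_rcu() saying the IEs belong to hidden_beacon_bss when that pointer is set would keep the next refactor from reintroducing the double free. It would also help to state in the commit message that cfg80211_update_known_bss() and bss_free() are the only two places that free beacon_ies, so there is no third owner to audit.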
+++ b/queue-6.16/wifi-cfg80211-sme-cap-ssid-length-in-__cfg80211_conn.patch @@ -0,0 +1,46 @@ +From 5966205ad61462636ac53733848ebc525c5324e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Aug 2025 15:48:45 +0300 +Subject: wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result() + +From: Dan Carpenter + +[ Upstream commit 62b635dcd69c4fde7ce1de4992d71420a37e51e3 ] + +If the ssid->datalen is more than IEEE80211_MAX_SSID_LEN (32) it would +lead to memory corruption so add some bounds checking. + +Fixes: c38c70185101 ("wifi: cfg80211: Set SSID if it is not already set") +Signed-off-by: Dan Carpenter +Link: https://patch.msgid.link/0aaaae4a3ed37c6252363c34ae4904b1604e8e32.1756456951.git.dan.carpenter@linaro.org +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/sme.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/wireless/sme.c b/net/wireless/sme.c +index cf998500a9654..05d06512983c2 100644 +--- a/net/wireless/sme.c ++++ b/net/wireless/sme.c +@@ -901,13 +901,16 @@ void __cfg80211_connect_result(struct net_device *dev, + if (!wdev->u.client.ssid_len) { + rcu_read_lock(); + for_each_valid_link(cr, link) { ++ u32 ssid_len; ++ + ssid = ieee80211_bss_get_elem(cr->links[link].bss, + WLAN_EID_SSID); + + if (!ssid || !ssid->datalen) + continue; + +- memcpy(wdev->u.client.ssid, ssid->data, ssid->datalen); ++ ssid_len = min(ssid->datalen, IEEE80211_MAX_SSID_LEN); ++ memcpy(wdev->u.client.ssid, ssid->data, ssid_len); + wdev->u.client.ssid_len = ssid->datalen; + break; + } +-- +2.50.1 + diff --git a/queue-6.16/wifi-cw1200-cap-ssid-length-in-cw1200_do_join.patch b/queue-6.16/wifi-cw1200-cap-ssid-length-in-cw1200_do_join.patch new file mode 100644 index 0000000000..60a6d20856 --- /dev/null +++ b/queue-6.16/wifi-cw1200-cap-ssid-length-in-cw1200_do_join.patch 
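Review bot: the length is capped only for the memcpy(); the very next context line still does `wdev->u.client.ssid_len = ssid->datalen;`, so for a malformed element with datalen > 32, ssid_len records a length larger than the 32-byte ssid buffer that was filled, and any consumer that later reads ssid_len bytes overreads the buffer. Assign the capped value (`wdev->u.client.ssid_len = ssid_len;`) or, better, treat datalen > IEEE80211_MAX_SSID_LEN as malformed and `continue`, which also avoids recording a truncated SSID as the connected one.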
@@ -0,0 +1,36 @@ +From 215fa59de8498a8230348c340591714a278e1d54 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Aug 2025 15:48:28 +0300 +Subject: wifi: cw1200: cap SSID length in cw1200_do_join() + +From: Dan Carpenter + +[ Upstream commit f8f15f6742b8874e59c9c715d0af3474608310ad ] + +If the ssidie[1] length is more that 32 it leads to memory corruption. + +Fixes: a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets") +Signed-off-by: Dan Carpenter +Link: https://patch.msgid.link/e91fb43fcedc4893b604dfb973131661510901a7.1756456951.git.dan.carpenter@linaro.org +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/st/cw1200/sta.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/st/cw1200/sta.c b/drivers/net/wireless/st/cw1200/sta.c +index 5dd7f6a389006..cc56018b2e327 100644 +--- a/drivers/net/wireless/st/cw1200/sta.c ++++ b/drivers/net/wireless/st/cw1200/sta.c +@@ -1290,7 +1290,7 @@ static void cw1200_do_join(struct cw1200_common *priv) + rcu_read_lock(); + ssidie = ieee80211_bss_get_ie(bss, WLAN_EID_SSID); + if (ssidie) { +- join.ssid_len = ssidie[1]; ++ join.ssid_len = min(ssidie[1], IEEE80211_MAX_SSID_LEN); + memcpy(join.ssid, &ssidie[2], join.ssid_len); + } + rcu_read_unlock(); +-- +2.50.1 + diff --git a/queue-6.16/wifi-iwlwifi-acpi-check-dsm-func-validity.patch b/queue-6.16/wifi-iwlwifi-acpi-check-dsm-func-validity.patch new file mode 100644 index 0000000000..b68a48cbf4 --- /dev/null +++ b/queue-6.16/wifi-iwlwifi-acpi-check-dsm-func-validity.patch 
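Review bot: `min(ssidie[1], IEEE80211_MAX_SSID_LEN)` silently truncates an over-long SSID and then joins with the truncated value; an SSID element longer than 32 bytes is malformed per 802.11, so rejecting the join (or at least logging once) would be safer than continuing with an SSID that does not match what the BSS advertised. The bounds fix itself is correct: the element comes from the stored bss IEs, which were length-checked when the BSS entry was created, so reading ssidie[1] bytes from &ssidie[2] is in bounds and only the 32-byte join.ssid destination was at risk.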
@@ -0,0 +1,96 @@ +From 5ce37ccb625c560ec6b79cec480d7d16f620c805 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Aug 2025 09:55:27 +0300 +Subject: wifi: iwlwifi: acpi: check DSM func validity + +From: Johannes Berg + +[ Upstream commit 7bf2dfccc2dd70821104d15cbab7b6fca21872be ] + +The DSM func 0 (DSM_FUNC_QUERY) returns a bitmap of which +other functions contain valid data, query and check it +before returning other functions data. + +Fixes: 9db93491f29e ("iwlwifi: acpi: support device specific method (DSM)") +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220085 +Signed-off-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://patch.msgid.link/20250828095500.881e17ff8f6a.Ic6d92997d9d5fad127919d6e1b830cd3fe944468@changeid +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/fw/acpi.c | 25 ++++++++++++++++++- + .../net/wireless/intel/iwlwifi/fw/runtime.h | 8 ++++++ + 2 files changed, 32 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/fw/acpi.c b/drivers/net/wireless/intel/iwlwifi/fw/acpi.c +index bee7d92293b8d..7ec22738b5d65 100644 +--- a/drivers/net/wireless/intel/iwlwifi/fw/acpi.c ++++ b/drivers/net/wireless/intel/iwlwifi/fw/acpi.c +@@ -169,7 +169,7 @@ int iwl_acpi_get_dsm(struct iwl_fw_runtime *fwrt, + + BUILD_BUG_ON(ARRAY_SIZE(acpi_dsm_size) != DSM_FUNC_NUM_FUNCS); + +- if (WARN_ON(func >= ARRAY_SIZE(acpi_dsm_size))) ++ if (WARN_ON(func >= ARRAY_SIZE(acpi_dsm_size) || !func)) + return -EINVAL; + + expected_size = acpi_dsm_size[func]; +@@ -178,6 +178,29 @@ int iwl_acpi_get_dsm(struct iwl_fw_runtime *fwrt, + if (expected_size != sizeof(u8) && expected_size != sizeof(u32)) + return -EOPNOTSUPP; + ++ if (!fwrt->acpi_dsm_funcs_valid) { ++ ret = iwl_acpi_get_dsm_integer(fwrt->dev, ACPI_DSM_REV, ++ DSM_FUNC_QUERY, ++ &iwl_guid, &tmp, ++ acpi_dsm_size[DSM_FUNC_QUERY]); ++ if (ret) { ++ /* always indicate BIT(0) to avoid re-reading */ ++ fwrt->acpi_dsm_funcs_valid = BIT(0); ++ return ret; ++ } ++ 
++ IWL_DEBUG_RADIO(fwrt, "ACPI DSM validity bitmap 0x%x\n", ++ (u32)tmp); ++ /* always indicate BIT(0) to avoid re-reading */ ++ fwrt->acpi_dsm_funcs_valid = tmp | BIT(0); ++ } ++ ++ if (!(fwrt->acpi_dsm_funcs_valid & BIT(func))) { ++ IWL_DEBUG_RADIO(fwrt, "ACPI DSM %d not indicated as valid\n", ++ func); ++ return -ENODATA; ++ } ++ + ret = iwl_acpi_get_dsm_integer(fwrt->dev, ACPI_DSM_REV, func, + &iwl_guid, &tmp, expected_size); + if (ret) +diff --git a/drivers/net/wireless/intel/iwlwifi/fw/runtime.h b/drivers/net/wireless/intel/iwlwifi/fw/runtime.h +index 0444a736c2b20..bd3bc2846cfa4 100644 +--- a/drivers/net/wireless/intel/iwlwifi/fw/runtime.h ++++ b/drivers/net/wireless/intel/iwlwifi/fw/runtime.h +@@ -113,6 +113,10 @@ struct iwl_txf_iter_data { + * @phy_filters: specific phy filters as read from WPFC BIOS table + * @ppag_bios_rev: PPAG BIOS revision + * @ppag_bios_source: see &enum bios_source ++ * @acpi_dsm_funcs_valid: bitmap indicating which DSM values are valid, ++ * zero (default initialization) means it hasn't been read yet, ++ * and BIT(0) is set when it has since function 0 also has this ++ * bitmap and is always supported + */ + struct iwl_fw_runtime { + struct iwl_trans *trans; +@@ -189,6 +193,10 @@ struct iwl_fw_runtime { + bool uats_valid; + u8 uefi_tables_lock_status; + struct iwl_phy_specific_cfg phy_filters; ++ ++#ifdef CONFIG_ACPI ++ u32 acpi_dsm_funcs_valid; ++#endif + }; + + void iwl_fw_runtime_init(struct iwl_fw_runtime *fwrt, struct iwl_trans *trans, +-- +2.50.1 + diff --git a/queue-6.16/wifi-iwlwifi-cfg-add-back-more-lost-pci-ids.patch b/queue-6.16/wifi-iwlwifi-cfg-add-back-more-lost-pci-ids.patch new file mode 100644 index 0000000000..4ffde3237e --- /dev/null +++ b/queue-6.16/wifi-iwlwifi-cfg-add-back-more-lost-pci-ids.patch 
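Review bot: two points on the caching logic in the acpi.c hunk. First, when the DSM_FUNC_QUERY read fails, acpi_dsm_funcs_valid is set to BIT(0) and the real error is returned once, but every later call for any function then returns -ENODATA instead, which makes the failure harder to diagnose from logs; consider not caching the query failure, or logging it at the point it is cached. Second, `fwrt->acpi_dsm_funcs_valid = tmp | BIT(0)` stores a value that the debug print has to cast with `(u32)tmp` into a u32 field, so any validity bit above 31 is dropped; that is fine while DSM_FUNC_NUM_FUNCS is small, but a `BUILD_BUG_ON(DSM_FUNC_NUM_FUNCS > 32)` next to the existing BUILD_BUG_ON would document the assumption. The `|| !func` addition to the WARN_ON is right, since function 0 is now handled internally.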
@@ -0,0 +1,50 @@ +From b5c8a1693a96153332c6fa6c6f010f7ea96e6ffc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Aug 2025 09:55:31 +0300 +Subject: wifi: iwlwifi: cfg: add back more lost PCI IDs + +From: Johannes Berg + +[ Upstream commit 019f71a6760a6f89d388c3cd45622d1aae7d3641 ] + +Add back a few more PCI IDs to the config match table that +evidently I lost during the cleanups. + +Fixes: 1fb053d9876f ("wifi: iwlwifi: cfg: remove unnecessary configs") +Signed-off-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://patch.msgid.link/20250828095500.46fee422651e.I8f6c3e9eea9523bb1658f5690b715eb443740e07@changeid +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +index b66a581c2e564..4e47ccb43bd86 100644 +--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +@@ -670,6 +670,8 @@ VISIBLE_IF_IWLWIFI_KUNIT const struct iwl_dev_info iwl_dev_info_table[] = { + + IWL_DEV_INFO(iwl6005_n_cfg, iwl6005_2agn_sff_name, + DEVICE(0x0082), SUBDEV_MASKED(0xC000, 0xF000)), ++ IWL_DEV_INFO(iwl6005_n_cfg, iwl6005_2agn_sff_name, ++ DEVICE(0x0085), SUBDEV_MASKED(0xC000, 0xF000)), + IWL_DEV_INFO(iwl6005_n_cfg, iwl6005_2agn_d_name, + DEVICE(0x0082), SUBDEV(0x4820)), + IWL_DEV_INFO(iwl6005_n_cfg, iwl6005_2agn_mow1_name, +@@ -961,6 +963,12 @@ VISIBLE_IF_IWLWIFI_KUNIT const struct iwl_dev_info iwl_dev_info_table[] = { + DEVICE(0x24F3), SUBDEV(0x0004)), + IWL_DEV_INFO(iwl8260_cfg, iwl8260_2n_name, + DEVICE(0x24F3), SUBDEV(0x0044)), ++ IWL_DEV_INFO(iwl8260_cfg, iwl8260_2ac_name, ++ DEVICE(0x24F4)), ++ IWL_DEV_INFO(iwl8260_cfg, iwl4165_2ac_name, ++ DEVICE(0x24F5)), ++ IWL_DEV_INFO(iwl8260_cfg, iwl4165_2ac_name, ++ DEVICE(0x24F6)), + IWL_DEV_INFO(iwl8265_cfg, iwl8265_2ac_name, + DEVICE(0x24FD)), + IWL_DEV_INFO(iwl8265_cfg, iwl8275_2ac_name, 
+-- +2.50.1 + diff --git a/queue-6.16/wifi-iwlwifi-cfg-restore-some-1000-series-configs.patch b/queue-6.16/wifi-iwlwifi-cfg-restore-some-1000-series-configs.patch new file mode 100644 index 0000000000..38986ecaff --- /dev/null +++ b/queue-6.16/wifi-iwlwifi-cfg-restore-some-1000-series-configs.patch 
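Review bot: the three 8260/4165 entries are added with DEVICE() only and no SUBDEV, so they match every subsystem ID of 0x24F4/0x24F5/0x24F6; that is presumably the pre-cleanup behaviour, but since the table is consulted in order and 0x24F3 right above carries several SUBDEV-specific rows, a short commit-message note (or a case in the kunit coverage that VISIBLE_IF_IWLWIFI_KUNIT exists for) stating that these devices never had subdevice-specific configs would make the restore verifiable rather than "evidently lost". The 0x0085 row reuses the SUBDEV_MASKED(0xC000, 0xF000) pattern of the 0x0082 row above it and looks right.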
@@ -0,0 +1,45 @@ +From c95561b7c4bc36bdaab9226c21b126d6259d0cf4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Aug 2025 09:55:29 +0300 +Subject: wifi: iwlwifi: cfg: restore some 1000 series configs + +From: Johannes Berg + +[ Upstream commit 22e6bdb129ec64e640f5cccef9686f7c1a7d559b ] + +In the fixed commit, I inadvertently removed two configurations +while combining the 0x0083/0x0084 device IDs. Replace the fixed +matches for the BG versions by a masked match and add the BGN +version back with a similar masked match. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=220477 +Fixes: 1fb053d9876f ("wifi: iwlwifi: cfg: remove unnecessary configs") +Signed-off-by: Johannes Berg +Link: https://patch.msgid.link/20250828095500.fabb99c2df9e.If0ad87bf9ab360da5f613e879fd416c17c544733@changeid +Signed-off-by: Miri Korenblit +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +index e4e06bf9161c3..b66a581c2e564 100644 +--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +@@ -726,10 +726,10 @@ VISIBLE_IF_IWLWIFI_KUNIT const struct iwl_dev_info iwl_dev_info_table[] = { + DEVICE(0x0083), SUBDEV_MASKED(0x5, 0xF)), + IWL_DEV_INFO(iwl1000_bg_cfg, iwl1000_bg_name, + DEVICE(0x0083), SUBDEV_MASKED(0x6, 0xF)), ++ IWL_DEV_INFO(iwl1000_bgn_cfg, iwl1000_bgn_name, ++ DEVICE(0x0084), SUBDEV_MASKED(0x5, 0xF)), + IWL_DEV_INFO(iwl1000_bg_cfg, iwl1000_bg_name, +- DEVICE(0x0084), SUBDEV(0x1216)), +- IWL_DEV_INFO(iwl1000_bg_cfg, iwl1000_bg_name, +- DEVICE(0x0084), SUBDEV(0x1316)), ++ DEVICE(0x0084), SUBDEV_MASKED(0x6, 0xF)), + + /* 100 Series WiFi */ + IWL_DEV_INFO(iwl100_bgn_cfg, iwl100_bgn_name, +-- +2.50.1 + 
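Review bot: replacing SUBDEV(0x1216)/SUBDEV(0x1316) with SUBDEV_MASKED(0x6, 0xF) widens the BG match for 0x0084 from two exact subsystem IDs to every ID whose low nibble is 6, and the new BGN row does the same with nibble 5; that mirrors the 0x0083 rows just above, but the commit message should say the widening is intentional and that no 0x0084 subdevice with low nibble 5 or 6 needs a different config, otherwise this "restore" is also a behaviour change for those IDs.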
diff --git a/queue-6.16/wifi-iwlwifi-if-scratch-is-0u-consider-it-a-failure.patch b/queue-6.16/wifi-iwlwifi-if-scratch-is-0u-consider-it-a-failure.patch new file mode 100644 index 0000000000..0dc6af0418 --- /dev/null +++ b/queue-6.16/wifi-iwlwifi-if-scratch-is-0u-consider-it-a-failure.patch 
@@ -0,0 +1,48 @@ +From c46330e01f8c0661ecddcaa5987cda7b9d0aa453 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Aug 2025 09:55:26 +0300 +Subject: wifi: iwlwifi: if scratch is ~0U, consider it a failure + +From: Emmanuel Grumbach + +[ Upstream commit 224476613c8499f00ce4de975dd65749c5ca498c ] + +We want to see bits being set in the scratch register upon resume, but +if all the bits are set, it means that we were kicked out of the PCI bus +and that clearly doesn't mean we can assume the firmware is still alive +after the suspend / resume cycle. + +Fixes: cb347bd29d0d ("wifi: iwlwifi: mvm: fix hibernation") +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Miri Korenblit +Link: https://patch.msgid.link/20250828095500.0f203e559242.I59eff718cb5fda575db41081a1a389f7af488717@changeid +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +index 0a9e0dbb58fbf..e4e06bf9161c3 100644 +--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +@@ -1503,11 +1503,15 @@ static int _iwl_pci_resume(struct device *device, bool restore) + * Note: MAC (bits 0:7) will be cleared upon suspend even with wowlan, + * but not bits [15:8]. So if we have bits set in lower word, assume + * the device is alive. ++ * Alternatively, if the scratch value is 0xFFFFFFFF, then we no longer ++ * have access to the device and consider it powered off. + * For older devices, just try silently to grab the NIC. + */ + if (trans->mac_cfg->device_family >= IWL_DEVICE_FAMILY_BZ) { +- if (!(iwl_read32(trans, CSR_FUNC_SCRATCH) & +- CSR_FUNC_SCRATCH_POWER_OFF_MASK)) ++ u32 scratch = iwl_read32(trans, CSR_FUNC_SCRATCH); ++ ++ if (!(scratch & CSR_FUNC_SCRATCH_POWER_OFF_MASK) || ++ scratch == ~0U) + device_was_powered_off = true; + } else { + /* +-- +2.50.1 + 
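Review bot: `scratch == ~0U` correctly treats an all-ones read as the device having dropped off the bus, and the comment is updated to match; two follow-ups are worth considering. The same all-ones read can occur in the `else` branch for pre-BZ devices, which still "just tries silently to grab the NIC", so that path would benefit from the same check. And a one-line debug print when scratch is ~0U would let a surprise-removed device be told apart from a genuinely powered-off one in resume logs, since both now set device_was_powered_off.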
diff --git a/queue-6.16/wifi-iwlwifi-uefi-check-dsm-item-validity.patch b/queue-6.16/wifi-iwlwifi-uefi-check-dsm-item-validity.patch new file mode 100644 index 0000000000..2c477d3620 --- /dev/null +++ b/queue-6.16/wifi-iwlwifi-uefi-check-dsm-item-validity.patch @@ -0,0 +1,43 @@ +From 3223353a1582eb202909a04ac7cd6aa9300d017b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Aug 2025 09:55:28 +0300 +Subject: wifi: iwlwifi: uefi: check DSM item validity + +From: Johannes Berg + +[ Upstream commit 1d33694462fa7da451846c39d653585b61375992 ] + +The first array index is a bitmap indicating which of the +other values are valid. Check that bitmap before returning +a value. + +Fixes: fc7214c3c986 ("wifi: iwlwifi: read DSM functions from UEFI") +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220085 +Signed-off-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://patch.msgid.link/20250828095500.59ec52ff865e.I9e11f497a029eb38f481b2c90c43c0935285216d@changeid +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/fw/uefi.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/wireless/intel/iwlwifi/fw/uefi.c b/drivers/net/wireless/intel/iwlwifi/fw/uefi.c +index 48126ec6b94bf..99a17b9323e9b 100644 +--- a/drivers/net/wireless/intel/iwlwifi/fw/uefi.c ++++ b/drivers/net/wireless/intel/iwlwifi/fw/uefi.c +@@ -747,6 +747,12 @@ int iwl_uefi_get_dsm(struct iwl_fw_runtime *fwrt, enum iwl_dsm_funcs func, + goto out; + } + ++ if (!(data->functions[DSM_FUNC_QUERY] & BIT(func))) { ++ IWL_DEBUG_RADIO(fwrt, "DSM func %d not in 0x%x\n", ++ func, data->functions[DSM_FUNC_QUERY]); ++ goto out; ++ } ++ + *value = data->functions[func]; + + IWL_DEBUG_RADIO(fwrt, +-- +2.50.1 + diff --git a/queue-6.16/wifi-libertas-cap-ssid-len-in-lbs_associate.patch b/queue-6.16/wifi-libertas-cap-ssid-len-in-lbs_associate.patch new file mode 100644 index 0000000000..a3248a26e6 --- /dev/null +++ b/queue-6.16/wifi-libertas-cap-ssid-len-in-lbs_associate.patch 
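Review bot: the new `goto out` for a func not set in the DSM_FUNC_QUERY bitmap does not assign an error code, so it depends on `ret` already holding one at that point (as the earlier `goto out` in the visible context presumably does); if ret is 0 there, the caller gets success with *value untouched. Setting `ret = -ENODATA` explicitly before the jump removes that dependency and matches the ACPI counterpart in this series, which returns -ENODATA for the same condition. Also, `BIT(func)` against `data->functions[DSM_FUNC_QUERY]` assumes func < 32, so a bounds check on func against the functions array earlier in iwl_uefi_get_dsm() should be confirmed.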
@@ -0,0 +1,44 @@ +From 4a2f25ee481c9c5e897194f7fbcbf3ae44f59733 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Aug 2025 15:48:35 +0300 +Subject: wifi: libertas: cap SSID len in lbs_associate() + +From: Dan Carpenter + +[ Upstream commit c786794bd27b0d7a5fd9063695df83206009be59 ] + +If the ssid_eid[1] length is more that 32 it leads to memory corruption. + +Fixes: a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets") +Signed-off-by: Dan Carpenter +Link: https://patch.msgid.link/2a40f5ec7617144aef412034c12919a4927d90ad.1756456951.git.dan.carpenter@linaro.org +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/libertas/cfg.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/marvell/libertas/cfg.c b/drivers/net/wireless/marvell/libertas/cfg.c +index 2e2c193716d96..309556541a83e 100644 +--- a/drivers/net/wireless/marvell/libertas/cfg.c ++++ b/drivers/net/wireless/marvell/libertas/cfg.c +@@ -1151,10 +1151,13 @@ static int lbs_associate(struct lbs_private *priv, + /* add SSID TLV */ + rcu_read_lock(); + ssid_eid = ieee80211_bss_get_ie(bss, WLAN_EID_SSID); +- if (ssid_eid) +- pos += lbs_add_ssid_tlv(pos, ssid_eid + 2, ssid_eid[1]); +- else ++ if (ssid_eid) { ++ u32 ssid_len = min(ssid_eid[1], IEEE80211_MAX_SSID_LEN); ++ ++ pos += lbs_add_ssid_tlv(pos, ssid_eid + 2, ssid_len); ++ } else { + lbs_deb_assoc("no SSID\n"); ++ } + rcu_read_unlock(); + + /* add DS param TLV */ +-- +2.50.1 + diff --git a/queue-6.16/wifi-mt76-fix-linked-list-corruption.patch b/queue-6.16/wifi-mt76-fix-linked-list-corruption.patch new file mode 100644 index 0000000000..12e9cfeef5 --- /dev/null +++ b/queue-6.16/wifi-mt76-fix-linked-list-corruption.patch 
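Review bot: the Fixes: tag is wrong: it cites a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets"), copied from the sibling cw1200 patch in this series, but the change is in drivers/net/wireless/marvell/libertas/cfg.c; it should reference the libertas commit that introduced the `lbs_add_ssid_tlv(pos, ssid_eid + 2, ssid_eid[1])` call, otherwise stable trees will select this backport by the wrong ancestor. The code change itself is fine; as with the cw1200 fix, an SSID element longer than 32 bytes is malformed and failing the association would be preferable to silently sending a truncated SSID TLV.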
@@ -0,0 +1,60 @@ +From d37521e02cfefe4e152d9a070fad6725d90ae8b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Aug 2025 10:53:52 +0200 +Subject: wifi: mt76: fix linked list corruption + +From: Felix Fietkau + +[ Upstream commit 49fba87205bec14a0f6bd997635bf3968408161e ] + +Never leave scheduled wcid entries on the temporary on-stack list + +Fixes: 0b3be9d1d34e ("wifi: mt76: add separate tx scheduling queue for off-channel tx") +Link: https://patch.msgid.link/20250827085352.51636-6-nbd@nbd.name +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/tx.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/tx.c b/drivers/net/wireless/mediatek/mt76/tx.c +index 03b042fdf997f..8ab5840fee57f 100644 +--- a/drivers/net/wireless/mediatek/mt76/tx.c ++++ b/drivers/net/wireless/mediatek/mt76/tx.c +@@ -646,6 +646,7 @@ mt76_txq_schedule_pending_wcid(struct mt76_phy *phy, struct mt76_wcid *wcid, + static void mt76_txq_schedule_pending(struct mt76_phy *phy) + { + LIST_HEAD(tx_list); ++ int ret = 0; + + if (list_empty(&phy->tx_list)) + return; +@@ -657,13 +658,13 @@ static void mt76_txq_schedule_pending(struct mt76_phy *phy) + list_splice_init(&phy->tx_list, &tx_list); + while (!list_empty(&tx_list)) { + struct mt76_wcid *wcid; +- int ret; + + wcid = list_first_entry(&tx_list, struct mt76_wcid, tx_list); + list_del_init(&wcid->tx_list); + + spin_unlock(&phy->tx_lock); +- ret = mt76_txq_schedule_pending_wcid(phy, wcid, &wcid->tx_offchannel); ++ if (ret >= 0) ++ ret = mt76_txq_schedule_pending_wcid(phy, wcid, &wcid->tx_offchannel); + if (ret >= 0 && !phy->offchannel) + ret = mt76_txq_schedule_pending_wcid(phy, wcid, &wcid->tx_pending); + spin_lock(&phy->tx_lock); +@@ -672,9 +673,6 @@ static void mt76_txq_schedule_pending(struct mt76_phy *phy) + !skb_queue_empty(&wcid->tx_offchannel) && + list_empty(&wcid->tx_list)) + list_add_tail(&wcid->tx_list, &phy->tx_list); +- +- 
if (ret < 0) +- break; + } + spin_unlock(&phy->tx_lock); + +-- +2.50.1 + diff --git a/queue-6.16/wifi-mt76-free-pending-offchannel-tx-frames-on-wcid-.patch b/queue-6.16/wifi-mt76-free-pending-offchannel-tx-frames-on-wcid-.patch new file mode 100644 index 0000000000..87414de8b4 --- /dev/null +++ b/queue-6.16/wifi-mt76-free-pending-offchannel-tx-frames-on-wcid-.patch @@ -0,0 +1,37 @@ +From 9dd88c583347750e2841e36afd1cb3909800f402 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Aug 2025 10:53:51 +0200 +Subject: wifi: mt76: free pending offchannel tx frames on wcid cleanup + +From: Felix Fietkau + +[ Upstream commit bdeac7815629c1a32b8784922368742e183747ea ] + +Avoid leaking them or keeping the wcid on the tx list + +Fixes: 0b3be9d1d34e ("wifi: mt76: add separate tx scheduling queue for off-channel tx") +Link: https://patch.msgid.link/20250827085352.51636-5-nbd@nbd.name +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mac80211.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/wireless/mediatek/mt76/mac80211.c b/drivers/net/wireless/mediatek/mt76/mac80211.c +index 4e435bec828b5..8e6ce16ab5b88 100644 +--- a/drivers/net/wireless/mediatek/mt76/mac80211.c ++++ b/drivers/net/wireless/mediatek/mt76/mac80211.c +@@ -1716,6 +1716,10 @@ void mt76_wcid_cleanup(struct mt76_dev *dev, struct mt76_wcid *wcid) + skb_queue_splice_tail_init(&wcid->tx_pending, &list); + spin_unlock(&wcid->tx_pending.lock); + ++ spin_lock(&wcid->tx_offchannel.lock); ++ skb_queue_splice_tail_init(&wcid->tx_offchannel, &list); ++ spin_unlock(&wcid->tx_offchannel.lock); ++ + spin_unlock_bh(&phy->tx_lock); + + while ((skb = __skb_dequeue(&list)) != NULL) { +-- +2.50.1 + diff --git a/queue-6.16/wifi-mt76-mt7915-fix-list-corruption-after-hardware-.patch b/queue-6.16/wifi-mt76-mt7915-fix-list-corruption-after-hardware-.patch new file mode 100644 index 0000000000..bf581a1baf --- /dev/null 
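Review bot: moving `ret` out of the loop and dropping the `break` means that after the first scheduling error the loop keeps iterating purely to move every remaining wcid from the on-stack tx_list back onto phy->tx_list via the `list_add_tail()` at the bottom, which is the actual fix; please add a comment stating that the loop must never exit with entries left on tx_list, because without it the `if (ret >= 0)` guard reads like an optimisation and someone will reinstate the early break. The second call is still gated by `ret >= 0 && !phy->offchannel`, so the behaviour on the success path is unchanged.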
+++ b/queue-6.16/wifi-mt76-mt7915-fix-list-corruption-after-hardware-.patch 
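Review bot: the mac80211.c hunk in the preceding "free pending offchannel tx frames" patch drains wcid->tx_offchannel, but the commit message also promises that the wcid is not kept on the tx list; the `list_del_init(&wcid->tx_list)` that ensures that is not in the hunk, so please confirm it already happens inside the same phy->tx_lock section of mt76_wcid_cleanup() (before the spin_unlock_bh shown), otherwise a wcid whose only queued frames were off-channel could still be reached from phy->tx_list after being freed. The locking of the new block (wcid->tx_offchannel.lock nested under phy->tx_lock) mirrors the tx_pending block above it and is consistent.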
@@ -0,0 +1,114 @@ +From f689238875caeda807da31492679c0d8009f7ad6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Aug 2025 10:53:50 +0200 +Subject: wifi: mt76: mt7915: fix list corruption after hardware restart + +From: Felix Fietkau + +[ Upstream commit 065c79df595af21d6d1b27d642860faa1d938774 ] + +Since stations are recreated from scratch, all lists that wcids are added +to must be cleared before calling ieee80211_restart_hw. +Set wcid->sta = 0 for each wcid entry in order to ensure that they are +not added again before they are ready. + +Fixes: 8a55712d124f ("wifi: mt76: mt7915: enable full system reset support") +Link: https://patch.msgid.link/20250827085352.51636-4-nbd@nbd.name +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mac80211.c | 37 +++++++++++++++++++ + drivers/net/wireless/mediatek/mt76/mt76.h | 1 + + .../net/wireless/mediatek/mt76/mt7915/mac.c | 12 +++--- + 3 files changed, 43 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mac80211.c b/drivers/net/wireless/mediatek/mt76/mac80211.c +index 45c8db939d554..4e435bec828b5 100644 +--- a/drivers/net/wireless/mediatek/mt76/mac80211.c ++++ b/drivers/net/wireless/mediatek/mt76/mac80211.c +@@ -818,6 +818,43 @@ void mt76_free_device(struct mt76_dev *dev) + } + EXPORT_SYMBOL_GPL(mt76_free_device); + ++static void mt76_reset_phy(struct mt76_phy *phy) ++{ ++ if (!phy) ++ return; ++ ++ INIT_LIST_HEAD(&phy->tx_list); ++} ++ ++void mt76_reset_device(struct mt76_dev *dev) ++{ ++ int i; ++ ++ rcu_read_lock(); ++ for (i = 0; i < ARRAY_SIZE(dev->wcid); i++) { ++ struct mt76_wcid *wcid; ++ ++ wcid = rcu_dereference(dev->wcid[i]); ++ if (!wcid) ++ continue; ++ ++ wcid->sta = 0; ++ mt76_wcid_cleanup(dev, wcid); ++ rcu_assign_pointer(dev->wcid[i], NULL); ++ } ++ rcu_read_unlock(); ++ ++ INIT_LIST_HEAD(&dev->wcid_list); ++ INIT_LIST_HEAD(&dev->sta_poll_list); ++ dev->vif_mask = 0; ++ memset(dev->wcid_mask, 0, 
sizeof(dev->wcid_mask)); ++ ++ mt76_reset_phy(&dev->phy); ++ for (i = 0; i < ARRAY_SIZE(dev->phys); i++) ++ mt76_reset_phy(dev->phys[i]); ++} ++EXPORT_SYMBOL_GPL(mt76_reset_device); ++ + struct mt76_phy *mt76_vif_phy(struct ieee80211_hw *hw, + struct ieee80211_vif *vif) + { +diff --git a/drivers/net/wireless/mediatek/mt76/mt76.h b/drivers/net/wireless/mediatek/mt76/mt76.h +index 0ecf77fcbe3d0..0290ddbb2424e 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt76.h ++++ b/drivers/net/wireless/mediatek/mt76/mt76.h +@@ -1241,6 +1241,7 @@ int mt76_register_device(struct mt76_dev *dev, bool vht, + struct ieee80211_rate *rates, int n_rates); + void mt76_unregister_device(struct mt76_dev *dev); + void mt76_free_device(struct mt76_dev *dev); ++void mt76_reset_device(struct mt76_dev *dev); + void mt76_unregister_phy(struct mt76_phy *phy); + + struct mt76_phy *mt76_alloc_radio_phy(struct mt76_dev *dev, unsigned int size, +diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c +index 6639976afcee6..1c0d310146d63 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c +@@ -1460,17 +1460,15 @@ mt7915_mac_full_reset(struct mt7915_dev *dev) + if (i == 10) + dev_err(dev->mt76.dev, "chip full reset failed\n"); + +- spin_lock_bh(&dev->mt76.sta_poll_lock); +- while (!list_empty(&dev->mt76.sta_poll_list)) +- list_del_init(dev->mt76.sta_poll_list.next); +- spin_unlock_bh(&dev->mt76.sta_poll_lock); +- +- memset(dev->mt76.wcid_mask, 0, sizeof(dev->mt76.wcid_mask)); +- dev->mt76.vif_mask = 0; + dev->phy.omac_mask = 0; + if (phy2) + phy2->omac_mask = 0; + ++ mt76_reset_device(&dev->mt76); ++ ++ INIT_LIST_HEAD(&dev->sta_rc_list); ++ INIT_LIST_HEAD(&dev->twt_list); ++ + i = mt76_wcid_alloc(dev->mt76.wcid_mask, MT7915_WTBL_STA); + dev->mt76.global_wcid.idx = i; + dev->recovery.hw_full_reset = false; +-- +2.50.1 + 
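Review bot: mt76_reset_device() clears dev->wcid[i] under rcu_read_lock() only, with no synchronize_rcu() after the loop, and it reinitialises phy->tx_list, wcid_list and sta_poll_list without taking tx_lock or sta_poll_lock; that is only safe if rx, tx scheduling and the sta poll work are all already quiesced when mt7915_mac_full_reset() calls it, and the code it replaces at least took sta_poll_lock while emptying sta_poll_list. Since this is now an exported helper other drivers will reach for, either take the locks or add a comment at the top of mt76_reset_device() stating that callers must have stopped all datapath activity first. Setting `wcid->sta = 0` before mt76_wcid_cleanup() is the right order given the `!wcid->sta` rx check added elsewhere in this series.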
diff --git a/queue-6.16/wifi-mt76-mt7921-don-t-disconnect-when-csa-to-dfs-ch.patch b/queue-6.16/wifi-mt76-mt7921-don-t-disconnect-when-csa-to-dfs-ch.patch new file mode 100644 index 0000000000..a8dea7ba94 --- /dev/null +++ b/queue-6.16/wifi-mt76-mt7921-don-t-disconnect-when-csa-to-dfs-ch.patch @@ -0,0 +1,46 @@ +From d5caa65b4281dc16189d07992809a55a2a5e196b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jul 2025 18:54:01 +0200 +Subject: wifi: mt76: mt7921: don't disconnect when CSA to DFS chan + +From: Janusz Dziedzic + +[ Upstream commit 87f38519d27a514c9909f84b8f1334125df9778e ] + +When station mode, don't disconnect when we get +channel switch from AP to DFS channel. Most APs +send CSA request after pass background CAC. In other +case we should disconnect after detect beacon miss. + +Without patch when we get CSA to DFS channel get: +"kernel: wlo1: preparing for channel switch failed, disconnecting" + +Fixes: 8aa2f59260eb ("wifi: mt76: mt7921: introduce CSA support") +Signed-off-by: Janusz Dziedzic +Link: https://patch.msgid.link/20250716165443.28354-1-janusz.dziedzic@gmail.com +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7921/main.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/main.c b/drivers/net/wireless/mediatek/mt76/mt7921/main.c +index 77f73ae1d7ecc..f6b431c422ebc 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7921/main.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7921/main.c +@@ -1457,11 +1457,8 @@ static int mt7921_pre_channel_switch(struct ieee80211_hw *hw, + if (vif->type != NL80211_IFTYPE_STATION || !vif->cfg.assoc) + return -EOPNOTSUPP; + +- /* Avoid beacon loss due to the CAC(Channel Availability Check) time +- * of the AP. +- */ + if (!cfg80211_chandef_usable(hw->wiphy, &chsw->chandef, +- IEEE80211_CHAN_RADAR)) ++ IEEE80211_CHAN_DISABLED)) + return -EOPNOTSUPP; + + return 0; +-- +2.50.1 + 
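Review bot: the removed comment carried the rationale for the old IEEE80211_CHAN_RADAR check; the new IEEE80211_CHAN_DISABLED check should get a replacement comment saying that a switch to a radar channel is accepted because the AP is expected to have completed background CAC, and that if it has not, beacon loss will disconnect the station. That is the reasoning in the commit message and it is otherwise lost from the code.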
diff --git a/queue-6.16/wifi-mt76-mt7925-fix-locking-in-mt7925_change_vif_li.patch b/queue-6.16/wifi-mt76-mt7925-fix-locking-in-mt7925_change_vif_li.patch new file mode 100644 index 0000000000..d7dd383857 --- /dev/null +++ b/queue-6.16/wifi-mt76-mt7925-fix-locking-in-mt7925_change_vif_li.patch @@ -0,0 +1,43 @@ +From 4c76c8215dab279991085b614663d9a213fd7e7d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 27 Jul 2025 07:04:13 -0700 +Subject: wifi: mt76: mt7925: fix locking in mt7925_change_vif_links() + +From: Harshit Mogalapalli + +[ Upstream commit 9f15701370ec15fbf1f6a1cbbf584b0018d036b5 ] + +&dev->mt76.mutex lock is taken using mt792x_mutex_acquire(dev) but not +released in one of the error paths, add the unlock to fix it. + +Fixes: 5cd0bd815c8a ("wifi: mt76: mt7925: fix NULL deref check in mt7925_change_vif_links") +Reported-by: kernel test robot +Reported-by: Dan Carpenter +Closes: https://lore.kernel.org/r/202503031055.3ZRqxhAl-lkp@intel.com/ +Signed-off-by: Harshit Mogalapalli +Link: https://patch.msgid.link/20250727140416.1153406-1-harshit.m.mogalapalli@oracle.com +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7925/main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net/wireless/mediatek/mt76/mt7925/main.c +index 5b001548dffce..328a06998c7b7 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c +@@ -2067,8 +2067,10 @@ mt7925_change_vif_links(struct ieee80211_hw *hw, struct ieee80211_vif *vif, + GFP_KERNEL); + mlink = devm_kzalloc(dev->mt76.dev, sizeof(*mlink), + GFP_KERNEL); +- if (!mconf || !mlink) ++ if (!mconf || !mlink) { ++ mt792x_mutex_release(dev); + return -ENOMEM; ++ } + } + + mconfs[link_id] = mconf; +-- +2.50.1 + 
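Review bot: the unlock fixes the leak of dev->mt76.mutex, but the same error path leaves whichever of the devm_kzalloc()'d mconf or mlink succeeded attached to the device until it is removed; as these are per-link objects created on every link change, a devm_kfree() of the one that succeeded, or plain kzalloc()/kfree(), would avoid accumulating dead allocations across repeated failures. Also worth checking whether other `return` statements in mt7925_change_vif_links() between mt792x_mutex_acquire() and mt792x_mutex_release() have the same unlock problem, since the robot report only flagged this one.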
diff --git a/queue-6.16/wifi-mt76-mt7996-add-missing-check-for-rx-wcid-entri.patch b/queue-6.16/wifi-mt76-mt7996-add-missing-check-for-rx-wcid-entri.patch new file mode 100644 index 0000000000..1423a5ee95 --- /dev/null +++ b/queue-6.16/wifi-mt76-mt7996-add-missing-check-for-rx-wcid-entri.patch @@ -0,0 +1,37 @@ +From b5779a2f5c5f323d80f8c4e288035d5561e7753f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Aug 2025 10:53:49 +0200 +Subject: wifi: mt76: mt7996: add missing check for rx wcid entries + +From: Felix Fietkau + +[ Upstream commit 4a522b01e368eec58d182ecc47d24f49a39e440d ] + +Non-station wcid entries must not be passed to the rx functions. +In case of the global wcid entry, it could even lead to corruption in the wcid +array due to pointer being casted to struct mt7996_sta_link using container_of. + +Fixes: 7464b12b7d92 ("wifi: mt76: mt7996: rework mt7996_rx_get_wcid to support MLO") +Link: https://patch.msgid.link/20250827085352.51636-3-nbd@nbd.name +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c +index b0fa051fc3094..a7a5ac8b7d265 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c +@@ -62,7 +62,7 @@ static struct mt76_wcid *mt7996_rx_get_wcid(struct mt7996_dev *dev, + int i; + + wcid = mt76_wcid_ptr(dev, idx); +- if (!wcid) ++ if (!wcid || !wcid->sta) + return NULL; + + if (!mt7996_band_valid(dev, band_idx)) +-- +2.50.1 + diff --git a/queue-6.16/wifi-mt76-mt7996-disable-beacons-when-going-offchann.patch b/queue-6.16/wifi-mt76-mt7996-disable-beacons-when-going-offchann.patch new file mode 100644 index 0000000000..79d8c7a0b6 --- /dev/null +++ b/queue-6.16/wifi-mt76-mt7996-disable-beacons-when-going-offchann.patch 
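Review bot: the `!wcid->sta` check stops the global (non-station) wcid from being cast to struct mt7996_sta_link via container_of in the rx path; since the commit message says that cast can corrupt the wcid array, the same guard should be applied at every other caller of mt76_wcid_ptr() that does a container_of() to a station structure, or the cast should be centralised in one helper that performs the check. A comment at this return explaining why a valid-looking index can still be a non-station entry would help the next reader too.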
@@ -0,0 +1,185 @@ +From 3bc1a65a6a8b5dbeede04705ae0530e945a98a5b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Aug 2025 14:11:05 +0200 +Subject: wifi: mt76: mt7996: disable beacons when going offchannel + +From: Felix Fietkau + +[ Upstream commit f30906c55a400a9b7fc677e3f4c614b9069bd4a8 ] + +Avoid leaking beacons on unrelated channels during scanning/roc + +Fixes: c56d6edebc1f ("wifi: mt76: mt7996: use emulated hardware scan support") +Reported-by: Chad Monroe +Link: https://patch.msgid.link/20250813121106.81559-1-nbd@nbd.name +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + .../net/wireless/mediatek/mt76/mt7996/mac.c | 46 +++++++++++-------- + .../net/wireless/mediatek/mt76/mt7996/main.c | 5 ++ + .../net/wireless/mediatek/mt76/mt7996/mcu.c | 11 +++-- + .../wireless/mediatek/mt76/mt7996/mt7996.h | 1 + + 4 files changed, 42 insertions(+), 21 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c +index 37b21ad828b96..f675cf537898a 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c +@@ -1696,43 +1696,53 @@ mt7996_wait_reset_state(struct mt7996_dev *dev, u32 state) + static void + mt7996_update_vif_beacon(void *priv, u8 *mac, struct ieee80211_vif *vif) + { +- struct ieee80211_hw *hw = priv; ++ struct ieee80211_bss_conf *link_conf; ++ struct mt7996_phy *phy = priv; ++ struct mt7996_dev *dev = phy->dev; ++ unsigned int link_id; ++ + + switch (vif->type) { + case NL80211_IFTYPE_MESH_POINT: + case NL80211_IFTYPE_ADHOC: + case NL80211_IFTYPE_AP: +- mt7996_mcu_add_beacon(hw, vif, &vif->bss_conf); + break; + default: +- break; ++ return; ++ } ++ ++ for_each_vif_active_link(vif, link_conf, link_id) { ++ struct mt7996_vif_link *link; ++ ++ link = mt7996_vif_link(dev, vif, link_id); ++ if (!link || link->phy != phy) ++ continue; ++ ++ mt7996_mcu_add_beacon(dev->mt76.hw, vif, link_conf); + } + } + ++void 
mt7996_mac_update_beacons(struct mt7996_phy *phy) ++{ ++ ieee80211_iterate_active_interfaces(phy->mt76->hw, ++ IEEE80211_IFACE_ITER_RESUME_ALL, ++ mt7996_update_vif_beacon, phy); ++} ++ + static void + mt7996_update_beacons(struct mt7996_dev *dev) + { + struct mt76_phy *phy2, *phy3; + +- ieee80211_iterate_active_interfaces(dev->mt76.hw, +- IEEE80211_IFACE_ITER_RESUME_ALL, +- mt7996_update_vif_beacon, dev->mt76.hw); ++ mt7996_mac_update_beacons(&dev->phy); + + phy2 = dev->mt76.phys[MT_BAND1]; +- if (!phy2) +- return; +- +- ieee80211_iterate_active_interfaces(phy2->hw, +- IEEE80211_IFACE_ITER_RESUME_ALL, +- mt7996_update_vif_beacon, phy2->hw); ++ if (phy2) ++ mt7996_mac_update_beacons(phy2->priv); + + phy3 = dev->mt76.phys[MT_BAND2]; +- if (!phy3) +- return; +- +- ieee80211_iterate_active_interfaces(phy3->hw, +- IEEE80211_IFACE_ITER_RESUME_ALL, +- mt7996_update_vif_beacon, phy3->hw); ++ if (phy3) ++ mt7996_mac_update_beacons(phy3->priv); + } + + void mt7996_tx_token_put(struct mt7996_dev *dev) +diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/main.c b/drivers/net/wireless/mediatek/mt76/mt7996/main.c +index f41b2c98bc451..f6590ef85c0d0 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7996/main.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7996/main.c +@@ -516,6 +516,9 @@ int mt7996_set_channel(struct mt76_phy *mphy) + struct mt7996_phy *phy = mphy->priv; + int ret; + ++ if (mphy->offchannel) ++ mt7996_mac_update_beacons(phy); ++ + ret = mt7996_mcu_set_chan_info(phy, UNI_CHANNEL_SWITCH); + if (ret) + goto out; +@@ -533,6 +536,8 @@ int mt7996_set_channel(struct mt76_phy *mphy) + + mt7996_mac_reset_counters(phy); + phy->noise = 0; ++ if (!mphy->offchannel) ++ mt7996_mac_update_beacons(phy); + + out: + ieee80211_queue_delayed_work(mphy->hw, &mphy->mac_work, +diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c +index dd4b7b8c34ea1..655950276840d 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c 
++++ b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c +@@ -2755,13 +2755,15 @@ int mt7996_mcu_add_beacon(struct ieee80211_hw *hw, struct ieee80211_vif *vif, + struct ieee80211_bss_conf *link_conf) + { + struct mt7996_dev *dev = mt7996_hw_dev(hw); +- struct mt76_vif_link *mlink = mt76_vif_conf_link(&dev->mt76, vif, link_conf); ++ struct mt7996_vif_link *link = mt7996_vif_conf_link(dev, vif, link_conf); ++ struct mt76_vif_link *mlink = link ? &link->mt76 : NULL; + struct ieee80211_mutable_offsets offs; + struct ieee80211_tx_info *info; + struct sk_buff *skb, *rskb; + struct tlv *tlv; + struct bss_bcn_content_tlv *bcn; + int len, extra_len = 0; ++ bool enabled = link_conf->enable_beacon; + + if (link_conf->nontransmitted) + return 0; +@@ -2769,13 +2771,16 @@ int mt7996_mcu_add_beacon(struct ieee80211_hw *hw, struct ieee80211_vif *vif, + if (!mlink) + return -EINVAL; + ++ if (link->phy && link->phy->mt76->offchannel) ++ enabled = false; ++ + rskb = __mt7996_mcu_alloc_bss_req(&dev->mt76, mlink, + MT7996_MAX_BSS_OFFLOAD_SIZE); + if (IS_ERR(rskb)) + return PTR_ERR(rskb); + + skb = ieee80211_beacon_get_template(hw, vif, &offs, link_conf->link_id); +- if (link_conf->enable_beacon && !skb) { ++ if (enabled && !skb) { + dev_kfree_skb(rskb); + return -EINVAL; + } +@@ -2794,7 +2799,7 @@ int mt7996_mcu_add_beacon(struct ieee80211_hw *hw, struct ieee80211_vif *vif, + len = ALIGN(sizeof(*bcn) + MT_TXD_SIZE + extra_len, 4); + tlv = mt7996_mcu_add_uni_tlv(rskb, UNI_BSS_INFO_BCN_CONTENT, len); + bcn = (struct bss_bcn_content_tlv *)tlv; +- bcn->enable = link_conf->enable_beacon; ++ bcn->enable = enabled; + if (!bcn->enable) + goto out; + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h b/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h +index 33ac16b64ef11..8509d508e1e19 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h ++++ b/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h +@@ -732,6 +732,7 @@ void mt7996_mac_write_txwi(struct mt7996_dev *dev, 
__le32 *txwi, + struct sk_buff *skb, struct mt76_wcid *wcid, + struct ieee80211_key_conf *key, int pid, + enum mt76_txq_id qid, u32 changed); ++void mt7996_mac_update_beacons(struct mt7996_phy *phy); + void mt7996_mac_set_coverage_class(struct mt7996_phy *phy); + void mt7996_mac_work(struct work_struct *work); + void mt7996_mac_reset_work(struct work_struct *work); +-- +2.50.1 + diff --git a/queue-6.16/wifi-mt76-mt7996-use-the-correct-vif-link-for-scanni.patch b/queue-6.16/wifi-mt76-mt7996-use-the-correct-vif-link-for-scanni.patch new file mode 100644 index 0000000000..479ebc423f --- /dev/null +++ b/queue-6.16/wifi-mt76-mt7996-use-the-correct-vif-link-for-scanni.patch 
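Review bot: in the `mt7996_set_channel()` hunk in main.c, the re-enable `if (!mphy->offchannel) mt7996_mac_update_beacons(phy);` sits before the `out:` label, while the `ret = mt7996_mcu_set_chan_info(phy, UNI_CHANNEL_SWITCH); if (ret) goto out;` path jumps past it. Since beacons are switched off unconditionally on the way offchannel (the first added hunk in that function), a failed channel switch back to the operating channel leaves all AP links beaconless until the next update; consider placing the re-enable under `out:` or documenting why a failed switch may leave beacons disabled.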
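Review bot: in the `mt7996_update_vif_beacon()` hunk in mac.c, the added declarations end with two consecutive blank lines (`+ unsigned int link_id; + +`) before the `switch`; drop one. In the same hunk the `default:` arm changes from `break` to `return`, and the loop then calls `mt7996_mcu_add_beacon(dev->mt76.hw, vif, link_conf)` only for links with `link->phy == phy`, so each phy updates just its own links; a one-line comment above `for_each_vif_active_link` saying the filter is per-phy would help, because the callback is now run once per phy from `mt7996_update_beacons()`.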
@@ -0,0 +1,43 @@ +From 89166a65dae1cea4db8a984842ae57e8ccd6f543 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Aug 2025 13:29:48 +0000 +Subject: wifi: mt76: mt7996: use the correct vif link for scanning/roc + +From: Chad Monroe + +[ Upstream commit 4be3b46ec5190dc79cd38e3750480b2c66a791ad ] + +restore fix which was dropped during MLO rework + +Fixes: f0b0b239b8f3 ("wifi: mt76: mt7996: rework mt7996_mac_write_txwi() for MLO support") +Signed-off-by: Chad Monroe +Acked-by: Lorenzo Bianconi +Link: https://patch.msgid.link/180fffd409aa57f535a3d2c1951e41ae398ce09e.1754659732.git.chad@monroe.io +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c +index f675cf537898a..b0fa051fc3094 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c +@@ -903,8 +903,12 @@ void mt7996_mac_write_txwi(struct mt7996_dev *dev, __le32 *txwi, + IEEE80211_TX_CTRL_MLO_LINK); + + mvif = vif ? (struct mt7996_vif *)vif->drv_priv : NULL; +- if (mvif) +- mlink = rcu_dereference(mvif->mt76.link[link_id]); ++ if (mvif) { ++ if (wcid->offchannel) ++ mlink = rcu_dereference(mvif->mt76.offchannel_link); ++ if (!mlink) ++ mlink = rcu_dereference(mvif->mt76.link[link_id]); ++ } + + if (mlink) { + omac_idx = mlink->omac_idx; +-- +2.50.1 + diff --git a/queue-6.16/wifi-mt76-prevent-non-offchannel-mgmt-tx-during-scan.patch b/queue-6.16/wifi-mt76-prevent-non-offchannel-mgmt-tx-during-scan.patch new file mode 100644 index 0000000000..2bf8aff837 --- /dev/null +++ b/queue-6.16/wifi-mt76-prevent-non-offchannel-mgmt-tx-during-scan.patch 
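Review bot: the commit message ("restore fix which was dropped during MLO rework") does not say what goes wrong without it; the hunk shows offchannel frames (`wcid->offchannel`) previously picked `mvif->mt76.link[link_id]`, so the observable symptom (scan/roc frames written with the wrong `omac_idx`) belongs in the message for stable maintainers and bisecters. In the hunk itself the fallback `if (!mlink) mlink = rcu_dereference(mvif->mt76.link[link_id]);` also triggers when `wcid->offchannel` is set but `offchannel_link` is NULL, so an offchannel frame can still be tagged with the on-channel link's omac_idx; if that fallback is intended, a short comment would save the next reviewer from asking.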
@@ -0,0 +1,47 @@ +From 48c061febb044464bda5ea8a0fb055ffa56584b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Aug 2025 14:11:06 +0200 +Subject: wifi: mt76: prevent non-offchannel mgmt tx during scan/roc + +From: Felix Fietkau + +[ Upstream commit 4c2334587b0a13b8f4eda1336ae657297fcd743b ] + +Only put probe request packets in the offchannel queue if +IEEE80211_TX_CTRL_DONT_USE_RATE_MASK is set and IEEE80211_TX_CTL_TX_OFFCHAN +is unset. + +Fixes: 0b3be9d1d34e ("wifi: mt76: add separate tx scheduling queue for off-channel tx") +Reported-by: Chad Monroe +Link: https://patch.msgid.link/20250813121106.81559-2-nbd@nbd.name +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/tx.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/tx.c b/drivers/net/wireless/mediatek/mt76/tx.c +index e6cf16706667e..03b042fdf997f 100644 +--- a/drivers/net/wireless/mediatek/mt76/tx.c ++++ b/drivers/net/wireless/mediatek/mt76/tx.c +@@ -332,6 +332,7 @@ mt76_tx(struct mt76_phy *phy, struct ieee80211_sta *sta, + struct mt76_wcid *wcid, struct sk_buff *skb) + { + struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); ++ struct ieee80211_hdr *hdr = (void *)skb->data; + struct sk_buff_head *head; + + if (mt76_testmode_enabled(phy)) { +@@ -349,7 +350,8 @@ mt76_tx(struct mt76_phy *phy, struct ieee80211_sta *sta, + info->hw_queue |= FIELD_PREP(MT_TX_HW_QUEUE_PHY, phy->band_idx); + + if ((info->flags & IEEE80211_TX_CTL_TX_OFFCHAN) || +- (info->control.flags & IEEE80211_TX_CTRL_DONT_USE_RATE_MASK)) ++ ((info->control.flags & IEEE80211_TX_CTRL_DONT_USE_RATE_MASK) && ++ ieee80211_is_probe_req(hdr->frame_control))) + head = &wcid->tx_offchannel; + else + head = &wcid->tx_pending; +-- +2.50.1 + 
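Review bot: the condition in `mt76_tx()` now reads `TX_OFFCHAN || (DONT_USE_RATE_MASK && ieee80211_is_probe_req(hdr->frame_control))`, which matches the commit message, but the reason probe requests are singled out (they are the scan frames that must leave on the off channel, while other management frames carrying `IEEE80211_TX_CTRL_DONT_USE_RATE_MASK` must stay on the operating channel during scan/roc) lives only in the commit message; add it as a comment above the `if`. Minor: `struct ieee80211_hdr *hdr = (void *)skb->data;` is computed before the `mt76_testmode_enabled(phy)` early-out although it is used only in that condition; harmless, but it could sit next to its use.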
diff --git a/queue-6.16/xirc2ps_cs-fix-register-access-when-enabling-fulldup.patch b/queue-6.16/xirc2ps_cs-fix-register-access-when-enabling-fulldup.patch new file mode 100644 index 0000000000..2c40277cf6 --- /dev/null +++ b/queue-6.16/xirc2ps_cs-fix-register-access-when-enabling-fulldup.patch @@ -0,0 +1,44 @@ +From 1a55229ba6b41922671c9e55ee10700e11bcce34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Aug 2025 12:26:43 -0700 +Subject: xirc2ps_cs: fix register access when enabling FullDuplex + +From: Alok Tiwari + +[ Upstream commit b79e498080b170fd94fc83bca2471f450811549b ] + +The current code incorrectly passes (XIRCREG1_ECR | FullDuplex) as +the register address to GetByte(), instead of fetching the register +value and OR-ing it with FullDuplex. This results in an invalid +register access. + +Fix it by reading XIRCREG1_ECR first, then or-ing with FullDuplex +before writing it back. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Alok Tiwari +Reviewed-by: Simon Horman +Reviewed-by: Jacob Keller +Link: https://patch.msgid.link/20250827192645.658496-1-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/xircom/xirc2ps_cs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/xircom/xirc2ps_cs.c b/drivers/net/ethernet/xircom/xirc2ps_cs.c +index a31d5d5e65936..97e88886253f5 100644 +--- a/drivers/net/ethernet/xircom/xirc2ps_cs.c ++++ b/drivers/net/ethernet/xircom/xirc2ps_cs.c +@@ -1576,7 +1576,7 @@ do_reset(struct net_device *dev, int full) + msleep(40); /* wait 40 msec to let it complete */ + } + if (full_duplex) +- PutByte(XIRCREG1_ECR, GetByte(XIRCREG1_ECR | FullDuplex)); ++ PutByte(XIRCREG1_ECR, GetByte(XIRCREG1_ECR) | FullDuplex); + } else { /* No MII */ + SelectPage(0); + value = GetByte(XIRCREG_ESR); /* read the ESR */ +-- +2.50.1 + 
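Review bot: `GetByte(XIRCREG1_ECR) | FullDuplex` fixes the operand placement; since the old code used `XIRCREG1_ECR | FullDuplex` as the register offset, the previous write pushed the contents of whatever register that value selected into ECR, so the commit message could state that only MII-capable cards with `full_duplex` set were affected. One thing to confirm outside the hunk: the `XIRCREG1_` prefix suggests ECR lives on register page 1, and the visible `} else { /* No MII */ SelectPage(0);` shows the page is switched right after, so the page selection that must precede this `PutByte` should be checked to still be in place.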
diff --git a/queue-6.6/ax25-properly-unshare-skbs-in-ax25_kiss_rcv.patch b/queue-6.6/ax25-properly-unshare-skbs-in-ax25_kiss_rcv.patch new file mode 100644 index 0000000000..9f24d7489a --- /dev/null +++ b/queue-6.6/ax25-properly-unshare-skbs-in-ax25_kiss_rcv.patch 
@@ -0,0 +1,59 @@ +From 360ccf629d7c254209590a5713a47c3dc0cf6b16 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Sep 2025 12:46:42 +0000 +Subject: ax25: properly unshare skbs in ax25_kiss_rcv() + +From: Eric Dumazet + +[ Upstream commit 8156210d36a43e76372312c87eb5ea3dbb405a85 ] + +Bernard Pidoux reported a regression apparently caused by commit +c353e8983e0d ("net: introduce per netns packet chains"). + +skb->dev becomes NULL and we crash in __netif_receive_skb_core(). + +Before above commit, different kind of bugs or corruptions could happen +without a major crash. + +But the root cause is that ax25_kiss_rcv() can queue/mangle input skb +without checking if this skb is shared or not. + +Many thanks to Bernard Pidoux for his help, diagnosis and tests. + +We had a similar issue years ago fixed with commit 7aaed57c5c28 +("phonet: properly unshare skbs in phonet_rcv()"). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Bernard Pidoux +Closes: https://lore.kernel.org/netdev/1713f383-c538-4918-bc64-13b3288cd542@free.fr/ +Tested-by: Bernard Pidoux +Signed-off-by: Eric Dumazet +Cc: Joerg Reuter +Cc: David Ranch +Cc: Folkert van Heusden +Reviewed-by: Dan Cross +Link: https://patch.msgid.link/20250902124642.212705-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ax25/ax25_in.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/ax25/ax25_in.c b/net/ax25/ax25_in.c +index 1cac25aca6378..f2d66af863595 100644 +--- a/net/ax25/ax25_in.c ++++ b/net/ax25/ax25_in.c +@@ -433,6 +433,10 @@ static int ax25_rcv(struct sk_buff *skb, struct net_device *dev, + int ax25_kiss_rcv(struct sk_buff *skb, struct net_device *dev, + struct packet_type *ptype, struct net_device *orig_dev) + { ++ skb = skb_share_check(skb, GFP_ATOMIC); ++ if (!skb) ++ return NET_RX_DROP; ++ + skb_orphan(skb); + + if (!net_eq(dev_net(dev), &init_net)) { +-- +2.50.1 + 
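Review bot: `skb_share_check()` frees the passed skb when the clone fails, so the added `if (!skb) return NET_RX_DROP;` must not be followed by a `kfree_skb()` (there is none, which is correct); a comment noting that the skb is already consumed on that path would keep a later cleanup from adding one. The check is placed before `skb_orphan(skb)`, the right order since orphaning a shared skb is exactly the mangling the commit message describes; the `Fixes: 1da177e4c3f4` tag means the change applies to every stable tree, consistent with this patch being queued for several branches.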
diff --git a/queue-6.6/bluetooth-fix-use-after-free-in-l2cap_sock_cleanup_l.patch b/queue-6.6/bluetooth-fix-use-after-free-in-l2cap_sock_cleanup_l.patch new file mode 100644 index 0000000000..6472b573c9 --- /dev/null +++ b/queue-6.6/bluetooth-fix-use-after-free-in-l2cap_sock_cleanup_l.patch 
@@ -0,0 +1,171 @@ +From dd171d6d9578573e55b655a38adf443bba854b9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Aug 2025 20:40:14 +0000 +Subject: Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen() + +From: Kuniyuki Iwashima + +[ Upstream commit 862c628108562d8c7a516a900034823b381d3cba ] + +syzbot reported the splat below without a repro. + +In the splat, a single thread calling bt_accept_dequeue() freed sk +and touched it after that. + +The root cause would be the racy l2cap_sock_cleanup_listen() call +added by the cited commit. + +bt_accept_dequeue() is called under lock_sock() except for +l2cap_sock_release(). + +Two threads could see the same socket during the list iteration +in bt_accept_dequeue(): + + CPU1 CPU2 (close()) + ---- ---- + sock_hold(sk) sock_hold(sk); + lock_sock(sk) <-- block close() + sock_put(sk) + bt_accept_unlink(sk) + sock_put(sk) <-- refcnt by bt_accept_enqueue() + release_sock(sk) + lock_sock(sk) + sock_put(sk) + bt_accept_unlink(sk) + sock_put(sk) <-- last refcnt + bt_accept_unlink(sk) <-- UAF + +Depending on the timing, the other thread could show up in the +"Freed by task" part. + +Let's call l2cap_sock_cleanup_listen() under lock_sock() in +l2cap_sock_release(). 
+ +[0]: +BUG: KASAN: slab-use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline] +BUG: KASAN: slab-use-after-free in do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115 +Read of size 4 at addr ffff88803b7eb1c4 by task syz.5.3276/16995 +CPU: 3 UID: 0 PID: 16995 Comm: syz.5.3276 Not tainted syzkaller #0 PREEMPT(full) +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0xcd/0x630 mm/kasan/report.c:482 + kasan_report+0xe0/0x110 mm/kasan/report.c:595 + debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline] + do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115 + spin_lock_bh include/linux/spinlock.h:356 [inline] + release_sock+0x21/0x220 net/core/sock.c:3746 + bt_accept_dequeue+0x505/0x600 net/bluetooth/af_bluetooth.c:312 + l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451 + l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425 + __sock_release+0xb3/0x270 net/socket.c:649 + sock_close+0x1c/0x30 net/socket.c:1439 + __fput+0x3ff/0xb70 fs/file_table.c:468 + task_work_run+0x14d/0x240 kernel/task_work.c:227 + resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] + exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43 + exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline] + syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline] + syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline] + do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f2accf8ebe9 +Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff 
f7 d8 64 89 01 48 +RSP: 002b:00007ffdb6cb1378 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 +RAX: 0000000000000000 RBX: 00000000000426fb RCX: 00007f2accf8ebe9 +RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 +RBP: 00007f2acd1b7da0 R08: 0000000000000001 R09: 00000012b6cb166f +R10: 0000001b30e20000 R11: 0000000000000246 R12: 00007f2acd1b609c +R13: 00007f2acd1b6090 R14: ffffffffffffffff R15: 00007ffdb6cb1490 + + +Allocated by task 5326: + kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 + kasan_save_track+0x14/0x30 mm/kasan/common.c:68 + poison_kmalloc_redzone mm/kasan/common.c:388 [inline] + __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:405 + kasan_kmalloc include/linux/kasan.h:260 [inline] + __do_kmalloc_node mm/slub.c:4365 [inline] + __kmalloc_noprof+0x223/0x510 mm/slub.c:4377 + kmalloc_noprof include/linux/slab.h:909 [inline] + sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2239 + sk_alloc+0x36/0xc20 net/core/sock.c:2295 + bt_sock_alloc+0x3b/0x3a0 net/bluetooth/af_bluetooth.c:151 + l2cap_sock_alloc.constprop.0+0x33/0x1d0 net/bluetooth/l2cap_sock.c:1894 + l2cap_sock_new_connection_cb+0x101/0x240 net/bluetooth/l2cap_sock.c:1482 + l2cap_connect_cfm+0x4c4/0xf80 net/bluetooth/l2cap_core.c:7287 + hci_connect_cfm include/net/bluetooth/hci_core.h:2050 [inline] + hci_remote_features_evt+0x4dd/0x970 net/bluetooth/hci_event.c:3712 + hci_event_func net/bluetooth/hci_event.c:7519 [inline] + hci_event_packet+0xa0d/0x11c0 net/bluetooth/hci_event.c:7573 + hci_rx_work+0x2c5/0x16b0 net/bluetooth/hci_core.c:4071 + process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236 + process_scheduled_works kernel/workqueue.c:3319 [inline] + worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400 + kthread+0x3c2/0x780 kernel/kthread.c:463 + ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 + +Freed by task 16995: + kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 + kasan_save_track+0x14/0x30 mm/kasan/common.c:68 + 
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576 + poison_slab_object mm/kasan/common.c:243 [inline] + __kasan_slab_free+0x60/0x70 mm/kasan/common.c:275 + kasan_slab_free include/linux/kasan.h:233 [inline] + slab_free_hook mm/slub.c:2417 [inline] + slab_free mm/slub.c:4680 [inline] + kfree+0x2b4/0x4d0 mm/slub.c:4879 + sk_prot_free net/core/sock.c:2278 [inline] + __sk_destruct+0x75f/0x9a0 net/core/sock.c:2373 + sk_destruct+0xc2/0xf0 net/core/sock.c:2401 + __sk_free+0xf4/0x3e0 net/core/sock.c:2412 + sk_free+0x6a/0x90 net/core/sock.c:2423 + sock_put include/net/sock.h:1960 [inline] + bt_accept_unlink+0x245/0x2e0 net/bluetooth/af_bluetooth.c:262 + bt_accept_dequeue+0x517/0x600 net/bluetooth/af_bluetooth.c:308 + l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451 + l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425 + __sock_release+0xb3/0x270 net/socket.c:649 + sock_close+0x1c/0x30 net/socket.c:1439 + __fput+0x3ff/0xb70 fs/file_table.c:468 + task_work_run+0x14d/0x240 kernel/task_work.c:227 + resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] + exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43 + exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline] + syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline] + syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline] + do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: 1728137b33c0 ("Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb") +Reported-by: syzbot+e5e64cdf8e92046dd3e1@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/linux-bluetooth/68af6b9d.a70a0220.3cafd4.0032.GAE@google.com/ +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_sock.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c +index 
9a906977c8723..59630dbeda20d 100644 +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -1406,7 +1406,10 @@ static int l2cap_sock_release(struct socket *sock) + if (!sk) + return 0; + ++ lock_sock_nested(sk, L2CAP_NESTING_PARENT); + l2cap_sock_cleanup_listen(sk); ++ release_sock(sk); ++ + bt_sock_unlink(&l2cap_sk_list, sk); + + err = l2cap_sock_shutdown(sock, SHUT_RDWR); +-- +2.50.1 + diff --git a/queue-6.6/bluetooth-vhci-prevent-use-after-free-by-removing-de.patch b/queue-6.6/bluetooth-vhci-prevent-use-after-free-by-removing-de.patch new file mode 100644 index 0000000000..9dde91cf7d --- /dev/null +++ b/queue-6.6/bluetooth-vhci-prevent-use-after-free-by-removing-de.patch 
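Review bot: wrapping `l2cap_sock_cleanup_listen(sk)` in `lock_sock_nested(sk, L2CAP_NESTING_PARENT)` / `release_sock(sk)` matches the commit message's point that every other `bt_accept_dequeue()` caller holds the listener lock; the nesting level is required because the splat shows `bt_accept_dequeue()` taking and releasing the child sockets' locks while the parent is held. Two things to confirm: that `l2cap_sock_shutdown(sock, SHUT_RDWR)` a few lines below does not itself take `lock_sock(sk)` around another `l2cap_sock_cleanup_listen()` (harmless on an already-emptied list, but worth a line in the commit message), and that `bt_sock_unlink(&l2cap_sk_list, sk)` is deliberately left outside the lock as before.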
@@ -0,0 +1,125 @@ +From 848a4154c345d39c2a5073fb78b4acf8cc9f566e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Aug 2025 10:53:25 -0400 +Subject: Bluetooth: vhci: Prevent use-after-free by removing debugfs files + early + +From: Ivan Pravdin + +[ Upstream commit 28010791193a4503f054e8d69a950ef815deb539 ] + +Move the creation of debugfs files into a dedicated function, and ensure +they are explicitly removed during vhci_release(), before associated +data structures are freed. + +Previously, debugfs files such as "force_suspend", "force_wakeup", and +others were created under hdev->debugfs but not removed in +vhci_release(). Since vhci_release() frees the backing vhci_data +structure, any access to these files after release would result in +use-after-free errors. + +Although hdev->debugfs is later freed in hci_release_dev(), user can +access files after vhci_data is freed but before hdev->debugfs is +released. + +Fixes: ab4e4380d4e1 ("Bluetooth: Add vhci devcoredump support") +Signed-off-by: Ivan Pravdin +Reviewed-by: Paul Menzel +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/hci_vhci.c | 57 ++++++++++++++++++++++++++---------- + 1 file changed, 41 insertions(+), 16 deletions(-) + +diff --git a/drivers/bluetooth/hci_vhci.c b/drivers/bluetooth/hci_vhci.c +index 4bfc78f9781ed..0935045051699 100644 +--- a/drivers/bluetooth/hci_vhci.c ++++ b/drivers/bluetooth/hci_vhci.c +@@ -380,6 +380,28 @@ static const struct file_operations force_devcoredump_fops = { + .write = force_devcd_write, + }; + ++static void vhci_debugfs_init(struct vhci_data *data) ++{ ++ struct hci_dev *hdev = data->hdev; ++ ++ debugfs_create_file("force_suspend", 0644, hdev->debugfs, data, ++ &force_suspend_fops); ++ ++ debugfs_create_file("force_wakeup", 0644, hdev->debugfs, data, ++ &force_wakeup_fops); ++ ++ if (IS_ENABLED(CONFIG_BT_MSFTEXT)) ++ debugfs_create_file("msft_opcode", 0644, hdev->debugfs, data, ++ &msft_opcode_fops); ++ ++ if 
(IS_ENABLED(CONFIG_BT_AOSPEXT)) ++ debugfs_create_file("aosp_capable", 0644, hdev->debugfs, data, ++ &aosp_capable_fops); ++ ++ debugfs_create_file("force_devcoredump", 0644, hdev->debugfs, data, ++ &force_devcoredump_fops); ++} ++ + static int __vhci_create_device(struct vhci_data *data, __u8 opcode) + { + struct hci_dev *hdev; +@@ -435,22 +457,8 @@ static int __vhci_create_device(struct vhci_data *data, __u8 opcode) + return -EBUSY; + } + +- debugfs_create_file("force_suspend", 0644, hdev->debugfs, data, +- &force_suspend_fops); +- +- debugfs_create_file("force_wakeup", 0644, hdev->debugfs, data, +- &force_wakeup_fops); +- +- if (IS_ENABLED(CONFIG_BT_MSFTEXT)) +- debugfs_create_file("msft_opcode", 0644, hdev->debugfs, data, +- &msft_opcode_fops); +- +- if (IS_ENABLED(CONFIG_BT_AOSPEXT)) +- debugfs_create_file("aosp_capable", 0644, hdev->debugfs, data, +- &aosp_capable_fops); +- +- debugfs_create_file("force_devcoredump", 0644, hdev->debugfs, data, +- &force_devcoredump_fops); ++ if (!IS_ERR_OR_NULL(hdev->debugfs)) ++ vhci_debugfs_init(data); + + hci_skb_pkt_type(skb) = HCI_VENDOR_PKT; + +@@ -652,6 +660,21 @@ static int vhci_open(struct inode *inode, struct file *file) + return 0; + } + ++static void vhci_debugfs_remove(struct hci_dev *hdev) ++{ ++ debugfs_lookup_and_remove("force_suspend", hdev->debugfs); ++ ++ debugfs_lookup_and_remove("force_wakeup", hdev->debugfs); ++ ++ if (IS_ENABLED(CONFIG_BT_MSFTEXT)) ++ debugfs_lookup_and_remove("msft_opcode", hdev->debugfs); ++ ++ if (IS_ENABLED(CONFIG_BT_AOSPEXT)) ++ debugfs_lookup_and_remove("aosp_capable", hdev->debugfs); ++ ++ debugfs_lookup_and_remove("force_devcoredump", hdev->debugfs); ++} ++ + static int vhci_release(struct inode *inode, struct file *file) + { + struct vhci_data *data = file->private_data; +@@ -663,6 +686,8 @@ static int vhci_release(struct inode *inode, struct file *file) + hdev = data->hdev; + + if (hdev) { ++ if (!IS_ERR_OR_NULL(hdev->debugfs)) ++ vhci_debugfs_remove(hdev); + 
hci_unregister_dev(hdev); + hci_free_dev(hdev); + } +-- +2.50.1 + diff --git a/queue-6.6/i40e-fix-potential-invalid-access-when-mac-list-is-e.patch b/queue-6.6/i40e-fix-potential-invalid-access-when-mac-list-is-e.patch new file mode 100644 index 0000000000..942a579d6d --- /dev/null +++ b/queue-6.6/i40e-fix-potential-invalid-access-when-mac-list-is-e.patch @@ -0,0 +1,42 @@ +From 9652c4c0c6d8a6e9fdbb0377d1545aeca7728a7f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Aug 2025 19:56:31 +0800 +Subject: i40e: Fix potential invalid access when MAC list is empty + +From: Zhen Ni + +[ Upstream commit a556f06338e1d5a85af0e32ecb46e365547f92b9 ] + +list_first_entry() never returns NULL - if the list is empty, it still +returns a pointer to an invalid object, leading to potential invalid +memory access when dereferenced. + +Fix this by using list_first_entry_or_null instead of list_first_entry. + +Fixes: e3219ce6a775 ("i40e: Add support for client interface for IWARP driver") +Signed-off-by: Zhen Ni +Reviewed-by: Paul Menzel +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_client.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_client.c b/drivers/net/ethernet/intel/i40e/i40e_client.c +index 306758428aefd..a569d2fcc90af 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_client.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_client.c +@@ -361,8 +361,8 @@ static void i40e_client_add_instance(struct i40e_pf *pf) + if (i40e_client_get_params(vsi, &cdev->lan_info.params)) + goto free_cdev; + +- mac = list_first_entry(&cdev->lan_info.netdev->dev_addrs.list, +- struct netdev_hw_addr, list); ++ mac = list_first_entry_or_null(&cdev->lan_info.netdev->dev_addrs.list, ++ struct netdev_hw_addr, list); + if (mac) + ether_addr_copy(cdev->lan_info.lanmac, mac->addr); + else +-- +2.50.1 + 
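Review bot: for the vhci patch, the ordering in `vhci_release()`, `vhci_debugfs_remove(hdev)` before `hci_unregister_dev(hdev)` and `hci_free_dev(hdev)`, is the whole fix (each file was created with `data` as its private pointer), but nothing in the code says so; a comment above the new call stating that the files must go before `data` is freed would keep a future reorder from reintroducing the use-after-free. `vhci_debugfs_remove()` mirrors `vhci_debugfs_init()` entry by entry, including the `CONFIG_BT_MSFTEXT`/`CONFIG_BT_AOSPEXT` conditionals, so the two lists must be kept in sync; the `IS_ERR_OR_NULL(hdev->debugfs)` guard on both sides is consistent.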
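Review bot: for the i40e patch, switching to `list_first_entry_or_null()` makes the existing `if (mac) ... else` in the hunk's context reachable on an empty `dev_addrs.list`; before, `mac` was never NULL, so the `else` branch was dead code. The commit message should say what that `else` branch does with `cdev->lan_info.lanmac` when no address is present, so the effect of an empty address list on the client is clear.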
diff --git a/queue-6.6/icmp-fix-icmp_ndo_send-address-translation-for-reply.patch b/queue-6.6/icmp-fix-icmp_ndo_send-address-translation-for-reply.patch new file mode 100644 index 0000000000..c7fa7eeb37 --- /dev/null +++ b/queue-6.6/icmp-fix-icmp_ndo_send-address-translation-for-reply.patch 
@@ -0,0 +1,110 @@ +From 904f68af634a9d837339a218c74dab784a99f858 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Aug 2025 11:14:35 +0200 +Subject: icmp: fix icmp_ndo_send address translation for reply direction +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Fabian Bläse + +[ Upstream commit c6dd1aa2cbb72b33e0569f3e71d95792beab5042 ] + +The icmp_ndo_send function was originally introduced to ensure proper +rate limiting when icmp_send is called by a network device driver, +where the packet's source address may have already been transformed +by SNAT. + +However, the original implementation only considers the +IP_CT_DIR_ORIGINAL direction for SNAT and always replaced the packet's +source address with that of the original-direction tuple. This causes +two problems: + +1. For SNAT: + Reply-direction packets were incorrectly translated using the source + address of the CT original direction, even though no translation is + required. + +2. For DNAT: + Reply-direction packets were not handled at all. In DNAT, the original + direction's destination is translated. Therefore, in the reply + direction the source address must be set to the reply-direction + source, so rate limiting works as intended. + +Fix this by using the connection direction to select the correct tuple +for source address translation, and adjust the pre-checks to handle +reply-direction packets in case of DNAT. + +Additionally, wrap the `ct->status` access in READ_ONCE(). This avoids +possible KCSAN reports about concurrent updates to `ct->status`. + +Fixes: 0b41713b6066 ("icmp: introduce helper for nat'd source address in network device context") +Signed-off-by: Fabian Bläse +Cc: Jason A. 
Donenfeld +Reviewed-by: Florian Westphal +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/icmp.c | 6 ++++-- + net/ipv6/ip6_icmp.c | 6 ++++-- + 2 files changed, 8 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c +index 94501bb30c431..b17549c4e5de8 100644 +--- a/net/ipv4/icmp.c ++++ b/net/ipv4/icmp.c +@@ -801,11 +801,12 @@ void icmp_ndo_send(struct sk_buff *skb_in, int type, int code, __be32 info) + struct sk_buff *cloned_skb = NULL; + struct ip_options opts = { 0 }; + enum ip_conntrack_info ctinfo; ++ enum ip_conntrack_dir dir; + struct nf_conn *ct; + __be32 orig_ip; + + ct = nf_ct_get(skb_in, &ctinfo); +- if (!ct || !(ct->status & IPS_SRC_NAT)) { ++ if (!ct || !(READ_ONCE(ct->status) & IPS_NAT_MASK)) { + __icmp_send(skb_in, type, code, info, &opts); + return; + } +@@ -820,7 +821,8 @@ void icmp_ndo_send(struct sk_buff *skb_in, int type, int code, __be32 info) + goto out; + + orig_ip = ip_hdr(skb_in)->saddr; +- ip_hdr(skb_in)->saddr = ct->tuplehash[0].tuple.src.u3.ip; ++ dir = CTINFO2DIR(ctinfo); ++ ip_hdr(skb_in)->saddr = ct->tuplehash[dir].tuple.src.u3.ip; + __icmp_send(skb_in, type, code, info, &opts); + ip_hdr(skb_in)->saddr = orig_ip; + out: +diff --git a/net/ipv6/ip6_icmp.c b/net/ipv6/ip6_icmp.c +index 9e3574880cb03..233914b63bdb8 100644 +--- a/net/ipv6/ip6_icmp.c ++++ b/net/ipv6/ip6_icmp.c +@@ -54,11 +54,12 @@ void icmpv6_ndo_send(struct sk_buff *skb_in, u8 type, u8 code, __u32 info) + struct inet6_skb_parm parm = { 0 }; + struct sk_buff *cloned_skb = NULL; + enum ip_conntrack_info ctinfo; ++ enum ip_conntrack_dir dir; + struct in6_addr orig_ip; + struct nf_conn *ct; + + ct = nf_ct_get(skb_in, &ctinfo); +- if (!ct || !(ct->status & IPS_SRC_NAT)) { ++ if (!ct || !(READ_ONCE(ct->status) & IPS_NAT_MASK)) { + __icmpv6_send(skb_in, type, code, info, &parm); + return; + } +@@ -73,7 +74,8 @@ void icmpv6_ndo_send(struct sk_buff *skb_in, u8 type, u8 code, __u32 info) + goto out; + + orig_ip = 
ipv6_hdr(skb_in)->saddr; +- ipv6_hdr(skb_in)->saddr = ct->tuplehash[0].tuple.src.u3.in6; ++ dir = CTINFO2DIR(ctinfo); ++ ipv6_hdr(skb_in)->saddr = ct->tuplehash[dir].tuple.src.u3.in6; + __icmpv6_send(skb_in, type, code, info, &parm); + ipv6_hdr(skb_in)->saddr = orig_ip; + out: +-- +2.50.1 + diff --git a/queue-6.6/ipv4-fix-null-vs-error-pointer-check-in-inet_blackho.patch b/queue-6.6/ipv4-fix-null-vs-error-pointer-check-in-inet_blackho.patch new file mode 100644 index 0000000000..81f519b433 --- /dev/null +++ b/queue-6.6/ipv4-fix-null-vs-error-pointer-check-in-inet_blackho.patch @@ -0,0 +1,48 @@ +From 634e182306260bd0c3d379c1a7ec6189cb4a5aea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Sep 2025 09:36:08 +0300 +Subject: ipv4: Fix NULL vs error pointer check in inet_blackhole_dev_init() + +From: Dan Carpenter + +[ Upstream commit a51160f8da850a65afbf165f5bbac7ffb388bf74 ] + +The inetdev_init() function never returns NULL. Check for error +pointers instead. + +Fixes: 22600596b675 ("ipv4: give an IPv4 dev to blackhole_netdev") +Signed-off-by: Dan Carpenter +Reviewed-by: Simon Horman +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/aLaQWL9NguWmeM1i@stanley.mountain +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/devinet.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c +index c33b1ecc591e4..798497c8b1923 100644 +--- a/net/ipv4/devinet.c ++++ b/net/ipv4/devinet.c +@@ -336,14 +336,13 @@ static void inetdev_destroy(struct in_device *in_dev) + + static int __init inet_blackhole_dev_init(void) + { +- int err = 0; ++ struct in_device *in_dev; + + rtnl_lock(); +- if (!inetdev_init(blackhole_netdev)) +- err = -ENOMEM; ++ in_dev = inetdev_init(blackhole_netdev); + rtnl_unlock(); + +- return err; ++ return PTR_ERR_OR_ZERO(in_dev); + } + late_initcall(inet_blackhole_dev_init); + +-- +2.50.1 + 
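Review bot: In the two pre-check hunks (`icmp_ndo_send()` and `icmpv6_ndo_send()`), widening the test from `IPS_SRC_NAT` to `IPS_NAT_MASK` is what lets reply-direction DNAT packets reach the source-address rewrite, but it also admits reply-direction packets of SNAT-only connections; for those, `ct->tuplehash[IP_CT_DIR_REPLY].tuple.src` is already the packet's current source, so the rewrite in the following hunks becomes a no-op rather than the wrong translation the old `tuplehash[0]` produced. A one-line comment above `dir = CTINFO2DIR(ctinfo);` stating that the direction-indexed tuple's source is the pre-NAT address for both SNAT and DNAT would save the next reader re-deriving this. The v4 and v6 hunks are otherwise identical (both use `READ_ONCE(ct->status)`, both index by `dir`), which is what a reviewer should check for in a paired change like this.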
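Review bot: The `inet_blackhole_dev_init()` hunk is correct, but the bug it fixes (a NULL test on a function that only ever returns a valid pointer or `ERR_PTR()`, so the `err = -ENOMEM` branch was dead and failure was reported as success) is easy to reintroduce. A comment such as `/* inetdev_init() returns ERR_PTR(), never NULL */` beside `in_dev = inetdev_init(blackhole_netdev);`, or a kernel-doc note on `inetdev_init()` itself, would document the contract that `PTR_ERR_OR_ZERO()` relies on.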
diff --git a/queue-6.6/macsec-read-macsec_sa_attr_pn-with-nla_get_uint.patch b/queue-6.6/macsec-read-macsec_sa_attr_pn-with-nla_get_uint.patch new file mode 100644 index 0000000000..79418895b5 --- /dev/null +++ b/queue-6.6/macsec-read-macsec_sa_attr_pn-with-nla_get_uint.patch 
@@ -0,0 +1,72 @@ +From 22f0a3a98764de9c25a3da16081f2504d60f0709 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Aug 2025 20:55:40 +0200 +Subject: macsec: read MACSEC_SA_ATTR_PN with nla_get_uint + +From: Sabrina Dubroca + +[ Upstream commit 030e1c45666629f72d0fc1d040f9d2915680de8e ] + +The code currently reads both U32 attributes and U64 attributes as +U64, so when a U32 attribute is provided by userspace (ie, when not +using XPN), on big endian systems, we'll load that value into the +upper 32bits of the next_pn field instead of the lower 32bits. This +means that the value that userspace provided is ignored (we only care +about the lower 32bits for non-XPN), and we'll start using PNs from 0. + +Switch to nla_get_uint, which will read the value correctly on all +arches, whether it's 32b or 64b. + +Fixes: 48ef50fa866a ("macsec: Netlink support of XPN cipher suites (IEEE 802.1AEbw)") +Signed-off-by: Sabrina Dubroca +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/1c1df1661b89238caf5beefb84a10ebfd56c66ea.1756459839.git.sd@queasysnail.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/macsec.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c +index 767053d6c6b6f..af6cc3e90ef7c 100644 +--- a/drivers/net/macsec.c ++++ b/drivers/net/macsec.c +@@ -1840,7 +1840,7 @@ static int macsec_add_rxsa(struct sk_buff *skb, struct genl_info *info) + + if (tb_sa[MACSEC_SA_ATTR_PN]) { + spin_lock_bh(&rx_sa->lock); +- rx_sa->next_pn = nla_get_u64(tb_sa[MACSEC_SA_ATTR_PN]); ++ rx_sa->next_pn = nla_get_uint(tb_sa[MACSEC_SA_ATTR_PN]); + spin_unlock_bh(&rx_sa->lock); + } + +@@ -2082,7 +2082,7 @@ static int macsec_add_txsa(struct sk_buff *skb, struct genl_info *info) + } + + spin_lock_bh(&tx_sa->lock); +- tx_sa->next_pn = nla_get_u64(tb_sa[MACSEC_SA_ATTR_PN]); ++ tx_sa->next_pn = nla_get_uint(tb_sa[MACSEC_SA_ATTR_PN]); + spin_unlock_bh(&tx_sa->lock); + + if 
(tb_sa[MACSEC_SA_ATTR_ACTIVE]) +@@ -2394,7 +2394,7 @@ static int macsec_upd_txsa(struct sk_buff *skb, struct genl_info *info) + + spin_lock_bh(&tx_sa->lock); + prev_pn = tx_sa->next_pn_halves; +- tx_sa->next_pn = nla_get_u64(tb_sa[MACSEC_SA_ATTR_PN]); ++ tx_sa->next_pn = nla_get_uint(tb_sa[MACSEC_SA_ATTR_PN]); + spin_unlock_bh(&tx_sa->lock); + } + +@@ -2492,7 +2492,7 @@ static int macsec_upd_rxsa(struct sk_buff *skb, struct genl_info *info) + + spin_lock_bh(&rx_sa->lock); + prev_pn = rx_sa->next_pn_halves; +- rx_sa->next_pn = nla_get_u64(tb_sa[MACSEC_SA_ATTR_PN]); ++ rx_sa->next_pn = nla_get_uint(tb_sa[MACSEC_SA_ATTR_PN]); + spin_unlock_bh(&rx_sa->lock); + } + +-- +2.50.1 + diff --git a/queue-6.6/mctp-return-enoprotoopt-for-unknown-getsockopt-optio.patch b/queue-6.6/mctp-return-enoprotoopt-for-unknown-getsockopt-optio.patch new file mode 100644 index 0000000000..40befd0bf9 --- /dev/null +++ b/queue-6.6/mctp-return-enoprotoopt-for-unknown-getsockopt-optio.patch 
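Review bot: All four hunks replace `nla_get_u64()` with `nla_get_uint()`, which reads a 4-byte or 8-byte payload according to the attribute length, so the fix only holds if the `MACSEC_SA_ATTR_PN` policy entry admits both lengths; that policy is not part of this patch and should be checked in the 6.6 tree together with the `netlink: add variable-length / auto integers` dependency queued alongside it (which introduces `nla_get_uint()`). The security-relevant effect, per the commit message, is that on big-endian hosts a non-XPN SA no longer silently starts at PN 0 instead of the value userspace supplied; the `macsec_upd_*sa` hunks read `prev_pn = *_sa->next_pn_halves` under the same spinlock immediately before the new call, so that ordering is preserved.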
@@ -0,0 +1,43 @@ +From 36d729f7a48b504a73cdc08d1232c40e783743b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Sep 2025 03:20:55 -0700 +Subject: mctp: return -ENOPROTOOPT for unknown getsockopt options + +From: Alok Tiwari + +[ Upstream commit a125c8fb9ddbcb0602103a50727a476fd30dec01 ] + +In mctp_getsockopt(), unrecognized options currently return -EINVAL. +In contrast, mctp_setsockopt() returns -ENOPROTOOPT for unknown +options. + +Update mctp_getsockopt() to also return -ENOPROTOOPT for unknown +options. This aligns the behavior of getsockopt() and setsockopt(), +and matches the standard kernel socket API convention for handling +unsupported options. + +Fixes: 99ce45d5e7db ("mctp: Implement extended addressing") +Signed-off-by: Alok Tiwari +Link: https://patch.msgid.link/20250902102059.1370008-1-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/mctp/af_mctp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mctp/af_mctp.c b/net/mctp/af_mctp.c +index 5f9592fb57add..805f7376cebe3 100644 +--- a/net/mctp/af_mctp.c ++++ b/net/mctp/af_mctp.c +@@ -346,7 +346,7 @@ static int mctp_getsockopt(struct socket *sock, int level, int optname, + return 0; + } + +- return -EINVAL; ++ return -ENOPROTOOPT; + } + + static int mctp_ioctl_alloctag(struct mctp_sock *msk, unsigned long arg) +-- +2.50.1 + diff --git a/queue-6.6/misdn-fix-memory-leak-in-dsp_hwec_enable.patch b/queue-6.6/misdn-fix-memory-leak-in-dsp_hwec_enable.patch new file mode 100644 index 0000000000..bcde73530b --- /dev/null +++ b/queue-6.6/misdn-fix-memory-leak-in-dsp_hwec_enable.patch 
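Review bot: The one-line change alters an errno visible to userspace: `getsockopt()` on an unknown `optname` now returns ENOPROTOOPT instead of EINVAL. It is the conventional value and matches `mctp_setsockopt()` as the message says, but any MCTP documentation or selftest that enumerates socket options should be updated in the same series so that feature probes checking for EINVAL are not surprised.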
@@ -0,0 +1,53 @@ +From b8a05fd7e5affe543feeebda20def620ece1b078 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Aug 2025 16:14:57 +0800 +Subject: mISDN: Fix memory leak in dsp_hwec_enable() + +From: Miaoqian Lin + +[ Upstream commit 0704a3da7ce50f972e898bbda88d2692a22922d9 ] + +dsp_hwec_enable() allocates dup pointer by kstrdup(arg), +but then it updates dup variable by strsep(&dup, ","). +As a result when it calls kfree(dup), the dup variable may be +a modified pointer that no longer points to the original allocated +memory, causing a memory leak. + +The issue is the same pattern as fixed in commit c6a502c22999 +("mISDN: Fix memory leak in dsp_pipeline_build()"). + +Fixes: 9a4381618262 ("mISDN: Remove VLAs") +Signed-off-by: Miaoqian Lin +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250828081457.36061-1-linmq006@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/isdn/mISDN/dsp_hwec.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/isdn/mISDN/dsp_hwec.c b/drivers/isdn/mISDN/dsp_hwec.c +index 0b3f29195330a..0cd216e28f009 100644 +--- a/drivers/isdn/mISDN/dsp_hwec.c ++++ b/drivers/isdn/mISDN/dsp_hwec.c +@@ -51,14 +51,14 @@ void dsp_hwec_enable(struct dsp *dsp, const char *arg) + goto _do; + + { +- char *dup, *tok, *name, *val; ++ char *dup, *next, *tok, *name, *val; + int tmp; + +- dup = kstrdup(arg, GFP_ATOMIC); ++ dup = next = kstrdup(arg, GFP_ATOMIC); + if (!dup) + return; + +- while ((tok = strsep(&dup, ","))) { ++ while ((tok = strsep(&next, ","))) { + if (!strlen(tok)) + continue; + name = strsep(&tok, "="); +-- +2.50.1 + diff --git a/queue-6.6/net-atm-fix-memory-leak-in-atm_register_sysfs-when-d.patch b/queue-6.6/net-atm-fix-memory-leak-in-atm_register_sysfs-when-d.patch new file mode 100644 index 0000000000..c06b50177b --- /dev/null +++ b/queue-6.6/net-atm-fix-memory-leak-in-atm_register_sysfs-when-d.patch 
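Review bot: Introducing `next` as the cursor for `strsep()` while `dup` keeps the original allocation is the standard fix; the thing to verify outside the hunk is that the eventual release (the `kfree(dup)` the commit message refers to) still names `dup` and not `next`, and that no path between `kstrdup()` and that `kfree()` returns early with `dup` allocated, since the hunk only shows the `if (!dup) return;` case. The chained assignment `dup = next = kstrdup(arg, GFP_ATOMIC);` is fine, but a comment such as `/* next is advanced by strsep(); dup keeps the pointer for kfree() */` would prevent the same regression the message cites from `dsp_pipeline_build()`.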
@@ -0,0 +1,78 @@ +From 88295c606db5424591125afeee4c6bdf2646343d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Sep 2025 14:35:37 +0800 +Subject: net: atm: fix memory leak in atm_register_sysfs when device_register + fail + +From: Wang Liang + +[ Upstream commit 0a228624bcc00af41f281a2a84c928595a74c17d ] + +When device_register() return error in atm_register_sysfs(), which can be +triggered by kzalloc fail in device_private_init() or other reasons, +kmemleak reports the following memory leaks: + +unreferenced object 0xffff88810182fb80 (size 8): + comm "insmod", pid 504, jiffies 4294852464 + hex dump (first 8 bytes): + 61 64 75 6d 6d 79 30 00 adummy0. + backtrace (crc 14dfadaf): + __kmalloc_node_track_caller_noprof+0x335/0x450 + kvasprintf+0xb3/0x130 + kobject_set_name_vargs+0x45/0x120 + dev_set_name+0xa9/0xe0 + atm_register_sysfs+0xf3/0x220 + atm_dev_register+0x40b/0x780 + 0xffffffffa000b089 + do_one_initcall+0x89/0x300 + do_init_module+0x27b/0x7d0 + load_module+0x54cd/0x5ff0 + init_module_from_file+0xe4/0x150 + idempotent_init_module+0x32c/0x610 + __x64_sys_finit_module+0xbd/0x120 + do_syscall_64+0xa8/0x270 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +When device_create_file() return error in atm_register_sysfs(), the same +issue also can be triggered. + +Function put_device() should be called to release kobj->name memory and +other device resource, instead of kfree(). 
+ +Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array") +Signed-off-by: Wang Liang +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250901063537.1472221-1-wangliang74@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/atm/resources.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/atm/resources.c b/net/atm/resources.c +index b19d851e1f443..7c6fdedbcf4e5 100644 +--- a/net/atm/resources.c ++++ b/net/atm/resources.c +@@ -112,7 +112,9 @@ struct atm_dev *atm_dev_register(const char *type, struct device *parent, + + if (atm_proc_dev_register(dev) < 0) { + pr_err("atm_proc_dev_register failed for dev %s\n", type); +- goto out_fail; ++ mutex_unlock(&atm_dev_mutex); ++ kfree(dev); ++ return NULL; + } + + if (atm_register_sysfs(dev, parent) < 0) { +@@ -128,7 +130,7 @@ struct atm_dev *atm_dev_register(const char *type, struct device *parent, + return dev; + + out_fail: +- kfree(dev); ++ put_device(&dev->class_dev); + dev = NULL; + goto out; + } +-- +2.50.1 + diff --git a/queue-6.6/net-ethernet-mtk_eth_soc-fix-tx-vlan-tag-for-llc-pac.patch b/queue-6.6/net-ethernet-mtk_eth_soc-fix-tx-vlan-tag-for-llc-pac.patch new file mode 100644 index 0000000000..1937c7bd3d --- /dev/null +++ b/queue-6.6/net-ethernet-mtk_eth_soc-fix-tx-vlan-tag-for-llc-pac.patch 
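Review bot: The `atm_proc_dev_register()` failure path now unlocks and `kfree()`s inline instead of jumping to `out_fail`, and that is necessary rather than cosmetic: the kmemleak backtrace in the message shows the device name is allocated inside `atm_register_sysfs()`, which runs after this point, so the `put_device(&dev->class_dev)` that `out_fail` now performs would act on a device that has not been set up yet. Add a comment on the early-return branch saying so, otherwise a later cleanup is likely to "deduplicate" it back into `goto out_fail` and reintroduce a bug in the opposite direction.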
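Review bot: For the `out_fail` hunk, `put_device(&dev->class_dev)` is the correct release after a failed `device_register()` (the driver core's contract is that callers must never `kfree()` a device after `device_register()` has returned an error), and it also covers the `device_create_file()` failure the message mentions. What the hunk leaves implicit is that `struct atm_dev` is now freed through the class device's release callback rather than directly; confirm that callback exists and frees `dev`, otherwise this trades a leaked name string for a leak of the whole structure.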
@@ -0,0 +1,55 @@ +From 614be817df275cc03dfc344cb2ee9e9b021b9451 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Aug 2025 20:20:07 +0200 +Subject: net: ethernet: mtk_eth_soc: fix tx vlan tag for llc packets + +From: Felix Fietkau + +[ Upstream commit d4736737110ffa83d29f1c5d17b26113864205f6 ] + +When sending llc packets with vlan tx offload, the hardware fails to +actually add the tag. Deal with this by fixing it up in software. + +Fixes: 656e705243fd ("net-next: mediatek: add support for MT7623 ethernet") +Reported-by: Thibaut VARENE +Signed-off-by: Felix Fietkau +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250831182007.51619-1-nbd@nbd.name +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mediatek/mtk_eth_soc.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +index cb8efc952dfda..aefe2af6f01d4 100644 +--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c ++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +@@ -1586,6 +1586,13 @@ static netdev_tx_t mtk_start_xmit(struct sk_buff *skb, struct net_device *dev) + bool gso = false; + int tx_num; + ++ if (skb_vlan_tag_present(skb) && ++ !eth_proto_is_802_3(eth_hdr(skb)->h_proto)) { ++ skb = __vlan_hwaccel_push_inside(skb); ++ if (!skb) ++ goto dropped; ++ } ++ + /* normally we can rely on the stack not calling this more than once, + * however we have 2 queues running on the same ring so we need to lock + * the ring access +@@ -1631,8 +1638,9 @@ static netdev_tx_t mtk_start_xmit(struct sk_buff *skb, struct net_device *dev) + + drop: + spin_unlock(ð->page_lock); +- stats->tx_dropped++; + dev_kfree_skb_any(skb); ++dropped: ++ stats->tx_dropped++; + return NETDEV_TX_OK; + } + +-- +2.50.1 + 
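Review bot: The new early block jumps to `dropped` when `__vlan_hwaccel_push_inside()` fails, which is correct because that helper frees the skb on failure, so the `drop:` path's `dev_kfree_skb_any(skb)` must be bypassed; the second hunk arranges this by placing `dropped:` after the free and only counting `stats->tx_dropped++`. Two things to confirm outside the visible lines: that `stats` is already initialised before the new `goto dropped`, since the jump now skips the rest of the function body, and that nothing later re-reads the hwaccel tag (the helper clears it after inserting the tag into the payload, so the offload path should not add a second one). A comment on the `!eth_proto_is_802_3(eth_hdr(skb)->h_proto)` test, explaining that a length-valued `h_proto` identifies an LLC frame, would help readers unfamiliar with the 802.3 versus Ethernet II distinction.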
diff --git a/queue-6.6/net-macb-fix-tx_ptr_lock-locking.patch b/queue-6.6/net-macb-fix-tx_ptr_lock-locking.patch new file mode 100644 index 0000000000..e16f531840 --- /dev/null +++ b/queue-6.6/net-macb-fix-tx_ptr_lock-locking.patch 
@@ -0,0 +1,135 @@ +From 71380180bcd166a2746056783278b13fcce604d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Aug 2025 10:35:21 -0400 +Subject: net: macb: Fix tx_ptr_lock locking + +From: Sean Anderson + +[ Upstream commit 6bc8a5098bf4a365c4086a4a4130bfab10a58260 ] + +macb_start_xmit and macb_tx_poll can be called with bottom-halves +disabled (e.g. from softirq) as well as with interrupts disabled (with +netpoll). Because of this, all other functions taking tx_ptr_lock must +use spin_lock_irqsave. + +Fixes: 138badbc21a0 ("net: macb: use NAPI for TX completion path") +Reported-by: Mike Galbraith +Signed-off-by: Sean Anderson +Link: https://patch.msgid.link/20250829143521.1686062-1-sean.anderson@linux.dev +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cadence/macb_main.c | 28 ++++++++++++++---------- + 1 file changed, 16 insertions(+), 12 deletions(-) + +diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c +index 534e7f7bca4c2..b836ab2a649a2 100644 +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -1234,11 +1234,12 @@ static int macb_tx_complete(struct macb_queue *queue, int budget) + { + struct macb *bp = queue->bp; + u16 queue_index = queue - bp->queues; ++ unsigned long flags; + unsigned int tail; + unsigned int head; + int packets = 0; + +- spin_lock(&queue->tx_ptr_lock); ++ spin_lock_irqsave(&queue->tx_ptr_lock, flags); + head = queue->tx_head; + for (tail = queue->tx_tail; tail != head && packets < budget; tail++) { + struct macb_tx_skb *tx_skb; +@@ -1297,7 +1298,7 @@ static int macb_tx_complete(struct macb_queue *queue, int budget) + CIRC_CNT(queue->tx_head, queue->tx_tail, + bp->tx_ring_size) <= MACB_TX_WAKEUP_THRESH(bp)) + netif_wake_subqueue(bp->dev, queue_index); +- spin_unlock(&queue->tx_ptr_lock); ++ spin_unlock_irqrestore(&queue->tx_ptr_lock, flags); + + return packets; + } +@@ -1713,8 +1714,9 @@ static void 
macb_tx_restart(struct macb_queue *queue) + { + struct macb *bp = queue->bp; + unsigned int head_idx, tbqp; ++ unsigned long flags; + +- spin_lock(&queue->tx_ptr_lock); ++ spin_lock_irqsave(&queue->tx_ptr_lock, flags); + + if (queue->tx_head == queue->tx_tail) + goto out_tx_ptr_unlock; +@@ -1726,19 +1728,20 @@ static void macb_tx_restart(struct macb_queue *queue) + if (tbqp == head_idx) + goto out_tx_ptr_unlock; + +- spin_lock_irq(&bp->lock); ++ spin_lock(&bp->lock); + macb_writel(bp, NCR, macb_readl(bp, NCR) | MACB_BIT(TSTART)); +- spin_unlock_irq(&bp->lock); ++ spin_unlock(&bp->lock); + + out_tx_ptr_unlock: +- spin_unlock(&queue->tx_ptr_lock); ++ spin_unlock_irqrestore(&queue->tx_ptr_lock, flags); + } + + static bool macb_tx_complete_pending(struct macb_queue *queue) + { + bool retval = false; ++ unsigned long flags; + +- spin_lock(&queue->tx_ptr_lock); ++ spin_lock_irqsave(&queue->tx_ptr_lock, flags); + if (queue->tx_head != queue->tx_tail) { + /* Make hw descriptor updates visible to CPU */ + rmb(); +@@ -1746,7 +1749,7 @@ static bool macb_tx_complete_pending(struct macb_queue *queue) + if (macb_tx_desc(queue, queue->tx_tail)->ctrl & MACB_BIT(TX_USED)) + retval = true; + } +- spin_unlock(&queue->tx_ptr_lock); ++ spin_unlock_irqrestore(&queue->tx_ptr_lock, flags); + return retval; + } + +@@ -2314,6 +2317,7 @@ static netdev_tx_t macb_start_xmit(struct sk_buff *skb, struct net_device *dev) + struct macb_queue *queue = &bp->queues[queue_index]; + unsigned int desc_cnt, nr_frags, frag_size, f; + unsigned int hdrlen; ++ unsigned long flags; + bool is_lso; + netdev_tx_t ret = NETDEV_TX_OK; + +@@ -2374,7 +2378,7 @@ static netdev_tx_t macb_start_xmit(struct sk_buff *skb, struct net_device *dev) + desc_cnt += DIV_ROUND_UP(frag_size, bp->max_tx_length); + } + +- spin_lock_bh(&queue->tx_ptr_lock); ++ spin_lock_irqsave(&queue->tx_ptr_lock, flags); + + /* This is a hard error, log it. 
*/ + if (CIRC_SPACE(queue->tx_head, queue->tx_tail, +@@ -2396,15 +2400,15 @@ static netdev_tx_t macb_start_xmit(struct sk_buff *skb, struct net_device *dev) + wmb(); + skb_tx_timestamp(skb); + +- spin_lock_irq(&bp->lock); ++ spin_lock(&bp->lock); + macb_writel(bp, NCR, macb_readl(bp, NCR) | MACB_BIT(TSTART)); +- spin_unlock_irq(&bp->lock); ++ spin_unlock(&bp->lock); + + if (CIRC_SPACE(queue->tx_head, queue->tx_tail, bp->tx_ring_size) < 1) + netif_stop_subqueue(dev, queue_index); + + unlock: +- spin_unlock_bh(&queue->tx_ptr_lock); ++ spin_unlock_irqrestore(&queue->tx_ptr_lock, flags); + + return ret; + } +-- +2.50.1 + diff --git a/queue-6.6/net-smc-fix-one-null-pointer-dereference-in-smc_ib_i.patch b/queue-6.6/net-smc-fix-one-null-pointer-dereference-in-smc_ib_i.patch new file mode 100644 index 0000000000..2fb3383b40 --- /dev/null +++ b/queue-6.6/net-smc-fix-one-null-pointer-dereference-in-smc_ib_i.patch 
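Review bot: In the `macb_tx_restart()` and `macb_start_xmit()` hunks the nested `bp->lock` acquisition is downgraded from `spin_lock_irq()` to plain `spin_lock()`; that is correct only because the enclosing `tx_ptr_lock` is now always taken with `spin_lock_irqsave()`, and it is in fact required, since `spin_unlock_irq()` would re-enable interrupts inside a section that must keep them off. Add a one-line comment at those two sites (`/* irqs already disabled by tx_ptr_lock */`) so the pairing is not broken by a future edit to either lock.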
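Review bot: In the `macb_tx_complete()` hunk the completion loop now runs with interrupts disabled for up to `budget` packets; that is what the commit message requires for consistency with the netpoll path, but it extends interrupt-off time on the NAPI TX completion path, so the `budget` bound on the loop is now also the bound on IRQ latency. Worth stating in the commit message or in a comment above the loop, so the bound is not relaxed later without reconsidering this.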
@@ -0,0 +1,67 @@ +From 9568db6540253a5990c8e2e2e374b6c30d3cb730 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Aug 2025 20:41:17 +0800 +Subject: net/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync() + +From: Liu Jian + +[ Upstream commit ba1e9421cf1a8369d25c3832439702a015d6b5f9 ] + +BUG: kernel NULL pointer dereference, address: 00000000000002ec +PGD 0 P4D 0 +Oops: Oops: 0000 [#1] SMP PTI +CPU: 28 UID: 0 PID: 343 Comm: kworker/28:1 Kdump: loaded Tainted: G OE 6.17.0-rc2+ #9 NONE +Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 +Workqueue: smc_hs_wq smc_listen_work [smc] +RIP: 0010:smc_ib_is_sg_need_sync+0x9e/0xd0 [smc] +... +Call Trace: + + smcr_buf_map_link+0x211/0x2a0 [smc] + __smc_buf_create+0x522/0x970 [smc] + smc_buf_create+0x3a/0x110 [smc] + smc_find_rdma_v2_device_serv+0x18f/0x240 [smc] + ? smc_vlan_by_tcpsk+0x7e/0xe0 [smc] + smc_listen_find_device+0x1dd/0x2b0 [smc] + smc_listen_work+0x30f/0x580 [smc] + process_one_work+0x18c/0x340 + worker_thread+0x242/0x360 + kthread+0xe7/0x220 + ret_from_fork+0x13a/0x160 + ret_from_fork_asm+0x1a/0x30 + + +If the software RoCE device is used, ibdev->dma_device is a null pointer. +As a result, the problem occurs. Null pointer detection is added to +prevent problems. + +Fixes: 0ef69e788411c ("net/smc: optimize for smc_sndbuf_sync_sg_for_device and smc_rmb_sync_sg_for_cpu") +Signed-off-by: Liu Jian +Reviewed-by: Guangguan Wang +Reviewed-by: Zhu Yanjun +Reviewed-by: D. 
Wythe +Link: https://patch.msgid.link/20250828124117.2622624-1-liujian56@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/smc/smc_ib.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/smc/smc_ib.c b/net/smc/smc_ib.c +index 598ac9ead64b7..6df543e083fb3 100644 +--- a/net/smc/smc_ib.c ++++ b/net/smc/smc_ib.c +@@ -743,6 +743,9 @@ bool smc_ib_is_sg_need_sync(struct smc_link *lnk, + unsigned int i; + bool ret = false; + ++ if (!lnk->smcibdev->ibdev->dma_device) ++ return ret; ++ + /* for now there is just one DMA address */ + for_each_sg(buf_slot->sgt[lnk->link_idx].sgl, sg, + buf_slot->sgt[lnk->link_idx].nents, i) { +-- +2.50.1 + diff --git a/queue-6.6/net-smc-remove-validation-of-reserved-bits-in-clc-de.patch b/queue-6.6/net-smc-remove-validation-of-reserved-bits-in-clc-de.patch new file mode 100644 index 0000000000..5d8b3b5bdb --- /dev/null +++ b/queue-6.6/net-smc-remove-validation-of-reserved-bits-in-clc-de.patch 
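Review bot: Returning `ret` (that is `false`, "no sync needed") when `ibdev->dma_device` is NULL is the right answer for software RoCE providers that do no DMA, but the reason is not in the code; `return false;` with a comment (`/* no dma_device: software RoCE, nothing to sync */`) would be clearer than `return ret;`. The check also assumes `lnk->smcibdev->ibdev` itself is non-NULL, which the existing `buf_slot->sgt[lnk->link_idx]` code already relies on, so that is fine.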
@@ -0,0 +1,48 @@ +From dbd78e1c1af3f3837fc2ffda1b0257f4fd1e9e5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Sep 2025 10:20:41 +0200 +Subject: net/smc: Remove validation of reserved bits in CLC Decline message + +From: Mahanta Jambigi + +[ Upstream commit cc282f73bc0cbdf3ee7af2f2d3a2ef4e6b19242d ] + +Currently SMC code is validating the reserved bits while parsing the incoming +CLC decline message & when this validation fails, its treated as a protocol +error. As a result, the SMC connection is terminated instead of falling back to +TCP. As per RFC7609[1] specs we shouldn't be validating the reserved bits that +is part of CLC message. This patch fixes this issue. + +CLC Decline message format can viewed here[2]. + +[1] https://datatracker.ietf.org/doc/html/rfc7609#page-92 +[2] https://datatracker.ietf.org/doc/html/rfc7609#page-105 + +Fixes: 8ade200c269f ("net/smc: add v2 format of CLC decline message") +Signed-off-by: Mahanta Jambigi +Reviewed-by: Sidraya Jayagond +Reviewed-by: Alexandra Winter +Reviewed-by: Dust Li +Link: https://patch.msgid.link/20250902082041.98996-1-mjambigi@linux.ibm.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/smc/smc_clc.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c +index dbce904c03cf7..4f485b9b31b28 100644 +--- a/net/smc/smc_clc.c ++++ b/net/smc/smc_clc.c +@@ -426,8 +426,6 @@ smc_clc_msg_decl_valid(struct smc_clc_msg_decline *dclc) + { + struct smc_clc_msg_hdr *hdr = &dclc->hdr; + +- if (hdr->typev1 != SMC_TYPE_R && hdr->typev1 != SMC_TYPE_D) +- return false; + if (hdr->version == SMC_V1) { + if (ntohs(hdr->length) != sizeof(struct smc_clc_msg_decline)) + return false; +-- +2.50.1 + diff --git a/queue-6.6/net-thunder_bgx-add-a-missing-of_node_put.patch b/queue-6.6/net-thunder_bgx-add-a-missing-of_node_put.patch new file mode 100644 index 0000000000..c813698f2e --- /dev/null +++ b/queue-6.6/net-thunder_bgx-add-a-missing-of_node_put.patch 
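Review bot: Dropping the `typev1` test means a decline message with any value in those bits is accepted as a decline and the connection falls back to TCP, which is the behaviour RFC 7609 requires for reserved fields; the remaining `hdr->version` and `ntohs(hdr->length)` checks still bound the message before it is parsed, so no memory-safety property depended on the removed lines. Because strict validation of reserved bits is a common reflex, add a comment at this spot referencing the RFC section cited in the message so the check is not reintroduced.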
@@ -0,0 +1,53 @@ +From 9b035f22694a34025698303085334c4b2d6b9706 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Sep 2025 14:30:18 -0700 +Subject: net: thunder_bgx: add a missing of_node_put + +From: Rosen Penev + +[ Upstream commit 9d28f94912589f04ab51fbccaef287d4f40e0d1f ] + +phy_np needs to get freed, just like the other child nodes. + +Fixes: 5fc7cf179449 ("net: thunderx: Cleanup PHY probing code.") +Signed-off-by: Rosen Penev +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250901213018.47392-1-rosenp@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/cavium/thunder/thunder_bgx.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c +index 087d4c2b3efd1..7ef1b88c8c535 100644 +--- a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c ++++ b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c +@@ -1491,13 +1491,17 @@ static int bgx_init_of_phy(struct bgx *bgx) + * this cortina phy, for which there is no driver + * support, ignore it. + */ +- if (phy_np && +- !of_device_is_compatible(phy_np, "cortina,cs4223-slice")) { +- /* Wait until the phy drivers are available */ +- pd = of_phy_find_device(phy_np); +- if (!pd) +- goto defer; +- bgx->lmac[lmac].phydev = pd; ++ if (phy_np) { ++ if (!of_device_is_compatible(phy_np, "cortina,cs4223-slice")) { ++ /* Wait until the phy drivers are available */ ++ pd = of_phy_find_device(phy_np); ++ if (!pd) { ++ of_node_put(phy_np); ++ goto defer; ++ } ++ bgx->lmac[lmac].phydev = pd; ++ } ++ of_node_put(phy_np); + } + + lmac++; +-- +2.50.1 + diff --git a/queue-6.6/net-thunder_bgx-decrement-cleanup-index-before-use.patch b/queue-6.6/net-thunder_bgx-decrement-cleanup-index-before-use.patch new file mode 100644 index 0000000000..f5a428c670 --- /dev/null +++ b/queue-6.6/net-thunder_bgx-decrement-cleanup-index-before-use.patch 
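Review bot: The `of_node_put(phy_np)` inserted before `goto defer` in the `!pd` branch is the actual leak fix; the second `of_node_put(phy_np)` after the compatible check is safe even though `bgx->lmac[lmac].phydev = pd` has just been stored, because `of_phy_find_device()` returns a reference on the PHY's mdio device, not on the OF node. The extra nesting under `if (phy_np)` is acceptable, but a comment stating that `phy_np` must be released on every exit from the block would make the invariant explicit for the next change here.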
@@ -0,0 +1,44 @@ +From 0ea7ffc3f07747db6bbad828adff2059b6432508 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Sep 2025 14:33:14 -0700 +Subject: net: thunder_bgx: decrement cleanup index before use + +From: Rosen Penev + +[ Upstream commit 9e3d71a92e561ccc77025689dab25d201fee7a3e ] + +All paths in probe that call goto defer do so before assigning phydev +and thus it makes sense to cleanup the prior index. It also fixes a bug +where index 0 does not get cleaned up. + +Fixes: b7d3e3d3d21a ("net: thunderx: Don't leak phy device references on -EPROBE_DEFER condition.") +Signed-off-by: Rosen Penev +Reviewed-by: Vadim Fedorenko +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250901213314.48599-1-rosenp@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c +index 7ef1b88c8c535..a423a93882115 100644 +--- a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c ++++ b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c +@@ -1517,11 +1517,11 @@ static int bgx_init_of_phy(struct bgx *bgx) + * for phy devices we may have already found. + */ + while (lmac) { ++ lmac--; + if (bgx->lmac[lmac].phydev) { + put_device(&bgx->lmac[lmac].phydev->mdio.dev); + bgx->lmac[lmac].phydev = NULL; + } +- lmac--; + } + of_node_put(node); + return -EPROBE_DEFER; +-- +2.50.1 + diff --git a/queue-6.6/netfilter-br_netfilter-do-not-check-confirmed-bit-in.patch b/queue-6.6/netfilter-br_netfilter-do-not-check-confirmed-bit-in.patch new file mode 100644 index 0000000000..1f8bc98cd4 --- /dev/null +++ b/queue-6.6/netfilter-br_netfilter-do-not-check-confirmed-bit-in.patch 
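Review bot: Moving `lmac--` to the top of the loop makes the cleanup walk indices `lmac-1` down to `0`, which fixes the off-by-one the message describes (index 0 was never visited and `bgx->lmac[lmac]` was first read one past the last filled slot). This relies on the invariant that every `goto defer` happens before `bgx->lmac[lmac].phydev = pd` for the current index, which the companion of_node_put patch preserves (its `goto defer` sits inside the `!pd` branch). State that invariant in the comment above the loop so the two patches stay consistent.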
@@ -0,0 +1,77 @@ +From ed965805fe91869b5be5cf3caf2d1a057f1d2812 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Aug 2025 11:52:19 +0800 +Subject: netfilter: br_netfilter: do not check confirmed bit in + br_nf_local_in() after confirm + +From: Wang Liang + +[ Upstream commit 479a54ab92087318514c82428a87af2d7af1a576 ] + +When send a broadcast packet to a tap device, which was added to a bridge, +br_nf_local_in() is called to confirm the conntrack. If another conntrack +with the same hash value is added to the hash table, which can be +triggered by a normal packet to a non-bridge device, the below warning +may happen. + + ------------[ cut here ]------------ + WARNING: CPU: 1 PID: 96 at net/bridge/br_netfilter_hooks.c:632 br_nf_local_in+0x168/0x200 + CPU: 1 UID: 0 PID: 96 Comm: tap_send Not tainted 6.17.0-rc2-dirty #44 PREEMPT(voluntary) + RIP: 0010:br_nf_local_in+0x168/0x200 + Call Trace: + + nf_hook_slow+0x3e/0xf0 + br_pass_frame_up+0x103/0x180 + br_handle_frame_finish+0x2de/0x5b0 + br_nf_hook_thresh+0xc0/0x120 + br_nf_pre_routing_finish+0x168/0x3a0 + br_nf_pre_routing+0x237/0x5e0 + br_handle_frame+0x1ec/0x3c0 + __netif_receive_skb_core+0x225/0x1210 + __netif_receive_skb_one_core+0x37/0xa0 + netif_receive_skb+0x36/0x160 + tun_get_user+0xa54/0x10c0 + tun_chr_write_iter+0x65/0xb0 + vfs_write+0x305/0x410 + ksys_write+0x60/0xd0 + do_syscall_64+0xa4/0x260 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + + ---[ end trace 0000000000000000 ]--- + +To solve the hash conflict, nf_ct_resolve_clash() try to merge the +conntracks, and update skb->_nfct. However, br_nf_local_in() still use the +old ct from local variable 'nfct' after confirm(), which leads to this +warning. + +If confirm() does not insert the conntrack entry and return NF_DROP, the +warning may also occur. There is no need to reserve the WARN_ON_ONCE, just +remove it. 
+ +Link: https://lore.kernel.org/netdev/20250820043329.2902014-1-wangliang74@huawei.com/ +Fixes: 62e7151ae3eb ("netfilter: bridge: confirm multicast packets before passing them up the stack") +Suggested-by: Florian Westphal +Signed-off-by: Wang Liang +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/bridge/br_netfilter_hooks.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c +index 2a4958e995f2d..e6962d693359b 100644 +--- a/net/bridge/br_netfilter_hooks.c ++++ b/net/bridge/br_netfilter_hooks.c +@@ -648,9 +648,6 @@ static unsigned int br_nf_local_in(void *priv, + break; + } + +- ct = container_of(nfct, struct nf_conn, ct_general); +- WARN_ON_ONCE(!nf_ct_is_confirmed(ct)); +- + return ret; + } + #endif +-- +2.50.1 + diff --git a/queue-6.6/netfilter-conntrack-helper-replace-eexist-by-ebusy.patch b/queue-6.6/netfilter-conntrack-helper-replace-eexist-by-ebusy.patch new file mode 100644 index 0000000000..83ac63ada8 --- /dev/null +++ b/queue-6.6/netfilter-conntrack-helper-replace-eexist-by-ebusy.patch 
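Review bot: Removing the `WARN_ON_ONCE()` is right because the local `nfct` is stale once `confirm()` has run (the message explains that `nf_ct_resolve_clash()` may replace `skb->_nfct`, and that `confirm()` may return NF_DROP), but after deleting `ct = container_of(nfct, struct nf_conn, ct_general);` check whether `ct` still has any use in `br_nf_local_in()`; the diffstat shows only three deletions, so if the declaration is now unused the build will warn. A short comment that nothing after the `confirm()` call may dereference `nfct` would document the constraint the warning was (incorrectly) trying to enforce.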
@@ -0,0 +1,50 @@ +From eebaeffbdbb047ecb35b1930510263a993b59cfc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Aug 2025 13:22:20 +0200 +Subject: netfilter: conntrack: helper: Replace -EEXIST by -EBUSY + +From: Phil Sutter + +[ Upstream commit 54416fd76770bd04fc3c501810e8d673550bab26 ] + +The helper registration return value is passed-through by module_init +callbacks which modprobe confuses with the harmless -EEXIST returned +when trying to load an already loaded module. + +Make sure modprobe fails so users notice their helper has not been +registered and won't work. + +Suggested-by: Christophe Leroy +Fixes: 12f7a505331e ("netfilter: add user-space connection tracking helper infrastructure") +Signed-off-by: Phil Sutter +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_helper.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c +index f22691f838536..10f72b5b4e1ad 100644 +--- a/net/netfilter/nf_conntrack_helper.c ++++ b/net/netfilter/nf_conntrack_helper.c +@@ -373,7 +373,7 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me) + (cur->tuple.src.l3num == NFPROTO_UNSPEC || + cur->tuple.src.l3num == me->tuple.src.l3num) && + cur->tuple.dst.protonum == me->tuple.dst.protonum) { +- ret = -EEXIST; ++ ret = -EBUSY; + goto out; + } + } +@@ -384,7 +384,7 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me) + hlist_for_each_entry(cur, &nf_ct_helper_hash[h], hnode) { + if (nf_ct_tuple_src_mask_cmp(&cur->tuple, &me->tuple, + &mask)) { +- ret = -EEXIST; ++ ret = -EBUSY; + goto out; + } + } +-- +2.50.1 + diff --git a/queue-6.6/netlink-add-variable-length-auto-integers.patch b/queue-6.6/netlink-add-variable-length-auto-integers.patch new file mode 100644 index 0000000000..0905358d7f --- /dev/null +++ b/queue-6.6/netlink-add-variable-length-auto-integers.patch 
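Review bot: Changing both collision paths from -EEXIST to -EBUSY fixes the modprobe confusion the message describes, but -EEXIST from `nf_conntrack_helper_register()` may also be interpreted by in-tree callers other than `module_init` (helper registration driven from nfnetlink is one candidate); check those for `== -EEXIST` comparisons before merging. A comment next to the first `ret = -EBUSY;` explaining that -EEXIST is avoided so modprobe reports the failure would prevent a later "correction" back to -EEXIST.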
@@ -0,0 +1,426 @@ +From e3430bf9d21a25ae13c20332fe46aab5ec9e4bfe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Oct 2023 14:39:20 -0700 +Subject: netlink: add variable-length / auto integers + +From: Jakub Kicinski + +[ Upstream commit 374d345d9b5e13380c66d7042f9533a6ac6d1195 ] + +We currently push everyone to use padding to align 64b values +in netlink. Un-padded nla_put_u64() doesn't even exist any more. + +The story behind this possibly start with this thread: +https://lore.kernel.org/netdev/20121204.130914.1457976839967676240.davem@davemloft.net/ +where DaveM was concerned about the alignment of a structure +containing 64b stats. If user space tries to access such struct +directly: + + struct some_stats *stats = nla_data(attr); + printf("A: %llu", stats->a); + +lack of alignment may become problematic for some architectures. +These days we most often put every single member in a separate +attribute, meaning that the code above would use a helper like +nla_get_u64(), which can deal with alignment internally. +Even for arches which don't have good unaligned access - access +aligned to 4B should be pretty efficient. +Kernel and well known libraries deal with unaligned input already. + +Padded 64b is quite space-inefficient (64b + pad means at worst 16B +per attr vs 32b which takes 8B). It is also more typing: + + if (nla_put_u64_pad(rsp, NETDEV_A_SOMETHING_SOMETHING, + value, NETDEV_A_SOMETHING_PAD)) + +Create a new attribute type which will use 32 bits at netlink +level if value is small enough (probably most of the time?), +and (4B-aligned) 64 bits otherwise. Kernel API is just: + + if (nla_put_uint(rsp, NETDEV_A_SOMETHING_SOMETHING, value)) + +Calling this new type "just" sint / uint with no specific size +will hopefully also make people more comfortable with using it. +Currently telling people "don't use u8, you may need the bits, +and netlink will round up to 4B, anyway" is the #1 comment +we give to newcomers. 
+ +In terms of netlink layout it looks like this: + + 0 4 8 12 16 +32b: [nlattr][ u32 ] +64b: [ pad ][nlattr][ u64 ] +uint(32) [nlattr][ u32 ] +uint(64) [nlattr][ u64 ] + +Signed-off-by: Jakub Kicinski +Acked-by: Nicolas Dichtel +Signed-off-by: David S. Miller +Stable-dep-of: 030e1c456666 ("macsec: read MACSEC_SA_ATTR_PN with nla_get_uint") +Signed-off-by: Sasha Levin +--- + Documentation/userspace-api/netlink/specs.rst | 18 ++++- + include/net/netlink.h | 69 ++++++++++++++++++- + include/uapi/linux/netlink.h | 5 ++ + lib/nlattr.c | 22 ++++++ + net/netlink/policy.c | 14 +++- + 5 files changed, 121 insertions(+), 7 deletions(-) + +diff --git a/Documentation/userspace-api/netlink/specs.rst b/Documentation/userspace-api/netlink/specs.rst +index cc4e2430997ef..a8218284e67a4 100644 +--- a/Documentation/userspace-api/netlink/specs.rst ++++ b/Documentation/userspace-api/netlink/specs.rst +@@ -408,10 +408,21 @@ This section describes the attribute types supported by the ``genetlink`` + compatibility level. Refer to documentation of different levels for additional + attribute types. + +-Scalar integer types ++Common integer types + -------------------- + +-Fixed-width integer types: ++``sint`` and ``uint`` represent signed and unsigned 64 bit integers. ++If the value can fit on 32 bits only 32 bits are carried in netlink ++messages, otherwise full 64 bits are carried. Note that the payload ++is only aligned to 4B, so the full 64 bit value may be unaligned! ++ ++Common integer types should be preferred over fix-width types in majority ++of cases. ++ ++Fix-width integer types ++----------------------- ++ ++Fixed-width integer types include: + ``u8``, ``u16``, ``u32``, ``u64``, ``s8``, ``s16``, ``s32``, ``s64``. + + Note that types smaller than 32 bit should be avoided as using them +@@ -421,6 +432,9 @@ See :ref:`pad_type` for padding of 64 bit attributes. + The payload of the attribute is the integer in host order unless ``byte-order`` + specifies otherwise. 
+ ++64 bit values are usually aligned by the kernel but it is recommended ++that the user space is able to deal with unaligned values. ++ + .. _pad_type: + + pad +diff --git a/include/net/netlink.h b/include/net/netlink.h +index 8a7cd1170e1f7..aba2b162a2260 100644 +--- a/include/net/netlink.h ++++ b/include/net/netlink.h +@@ -128,6 +128,8 @@ + * nla_len(nla) length of attribute payload + * + * Attribute Payload Access for Basic Types: ++ * nla_get_uint(nla) get payload for a uint attribute ++ * nla_get_sint(nla) get payload for a sint attribute + * nla_get_u8(nla) get payload for a u8 attribute + * nla_get_u16(nla) get payload for a u16 attribute + * nla_get_u32(nla) get payload for a u32 attribute +@@ -183,6 +185,8 @@ enum { + NLA_REJECT, + NLA_BE16, + NLA_BE32, ++ NLA_SINT, ++ NLA_UINT, + __NLA_TYPE_MAX, + }; + +@@ -229,6 +233,7 @@ enum nla_policy_validation { + * nested header (or empty); len field is used if + * nested_policy is also used, for the max attr + * number in the nested policy. ++ * NLA_SINT, NLA_UINT, + * NLA_U8, NLA_U16, + * NLA_U32, NLA_U64, + * NLA_S8, NLA_S16, +@@ -260,12 +265,14 @@ enum nla_policy_validation { + * while an array has the nested attributes at another + * level down and the attribute types directly in the + * nesting don't matter. ++ * NLA_UINT, + * NLA_U8, + * NLA_U16, + * NLA_U32, + * NLA_U64, + * NLA_BE16, + * NLA_BE32, ++ * NLA_SINT, + * NLA_S8, + * NLA_S16, + * NLA_S32, +@@ -280,6 +287,7 @@ enum nla_policy_validation { + * or NLA_POLICY_FULL_RANGE_SIGNED() macros instead. + * Use the NLA_POLICY_MIN(), NLA_POLICY_MAX() and + * NLA_POLICY_RANGE() macros. ++ * NLA_UINT, + * NLA_U8, + * NLA_U16, + * NLA_U32, +@@ -288,6 +296,7 @@ enum nla_policy_validation { + * to a struct netlink_range_validation that indicates + * the min/max values. + * Use NLA_POLICY_FULL_RANGE(). 
++ * NLA_SINT, + * NLA_S8, + * NLA_S16, + * NLA_S32, +@@ -377,9 +386,11 @@ struct nla_policy { + + #define __NLA_IS_UINT_TYPE(tp) \ + (tp == NLA_U8 || tp == NLA_U16 || tp == NLA_U32 || \ +- tp == NLA_U64 || tp == NLA_BE16 || tp == NLA_BE32) ++ tp == NLA_U64 || tp == NLA_UINT || \ ++ tp == NLA_BE16 || tp == NLA_BE32) + #define __NLA_IS_SINT_TYPE(tp) \ +- (tp == NLA_S8 || tp == NLA_S16 || tp == NLA_S32 || tp == NLA_S64) ++ (tp == NLA_S8 || tp == NLA_S16 || tp == NLA_S32 || tp == NLA_S64 || \ ++ tp == NLA_SINT) + + #define __NLA_ENSURE(condition) BUILD_BUG_ON_ZERO(!(condition)) + #define NLA_ENSURE_UINT_TYPE(tp) \ +@@ -1357,6 +1368,22 @@ static inline int nla_put_u32(struct sk_buff *skb, int attrtype, u32 value) + return nla_put(skb, attrtype, sizeof(u32), &tmp); + } + ++/** ++ * nla_put_uint - Add a variable-size unsigned int to a socket buffer ++ * @skb: socket buffer to add attribute to ++ * @attrtype: attribute type ++ * @value: numeric value ++ */ ++static inline int nla_put_uint(struct sk_buff *skb, int attrtype, u64 value) ++{ ++ u64 tmp64 = value; ++ u32 tmp32 = value; ++ ++ if (tmp64 == tmp32) ++ return nla_put_u32(skb, attrtype, tmp32); ++ return nla_put(skb, attrtype, sizeof(u64), &tmp64); ++} ++ + /** + * nla_put_be32 - Add a __be32 netlink attribute to a socket buffer + * @skb: socket buffer to add attribute to +@@ -1511,6 +1538,22 @@ static inline int nla_put_s64(struct sk_buff *skb, int attrtype, s64 value, + return nla_put_64bit(skb, attrtype, sizeof(s64), &tmp, padattr); + } + ++/** ++ * nla_put_sint - Add a variable-size signed int to a socket buffer ++ * @skb: socket buffer to add attribute to ++ * @attrtype: attribute type ++ * @value: numeric value ++ */ ++static inline int nla_put_sint(struct sk_buff *skb, int attrtype, s64 value) ++{ ++ s64 tmp64 = value; ++ s32 tmp32 = value; ++ ++ if (tmp64 == tmp32) ++ return nla_put_s32(skb, attrtype, tmp32); ++ return nla_put(skb, attrtype, sizeof(s64), &tmp64); ++} ++ + /** + * nla_put_string - Add a 
string netlink attribute to a socket buffer + * @skb: socket buffer to add attribute to +@@ -1667,6 +1710,17 @@ static inline u64 nla_get_u64(const struct nlattr *nla) + return tmp; + } + ++/** ++ * nla_get_uint - return payload of uint attribute ++ * @nla: uint netlink attribute ++ */ ++static inline u64 nla_get_uint(const struct nlattr *nla) ++{ ++ if (nla_len(nla) == sizeof(u32)) ++ return nla_get_u32(nla); ++ return nla_get_u64(nla); ++} ++ + /** + * nla_get_be64 - return payload of __be64 attribute + * @nla: __be64 netlink attribute +@@ -1729,6 +1783,17 @@ static inline s64 nla_get_s64(const struct nlattr *nla) + return tmp; + } + ++/** ++ * nla_get_sint - return payload of uint attribute ++ * @nla: uint netlink attribute ++ */ ++static inline s64 nla_get_sint(const struct nlattr *nla) ++{ ++ if (nla_len(nla) == sizeof(s32)) ++ return nla_get_s32(nla); ++ return nla_get_s64(nla); ++} ++ + /** + * nla_get_flag - return payload of flag attribute + * @nla: flag netlink attribute +diff --git a/include/uapi/linux/netlink.h b/include/uapi/linux/netlink.h +index e2ae82e3f9f71..f87aaf28a6491 100644 +--- a/include/uapi/linux/netlink.h ++++ b/include/uapi/linux/netlink.h +@@ -298,6 +298,8 @@ struct nla_bitfield32 { + * entry has attributes again, the policy for those inner ones + * and the corresponding maxtype may be specified. 
+ * @NL_ATTR_TYPE_BITFIELD32: &struct nla_bitfield32 attribute ++ * @NL_ATTR_TYPE_SINT: 32-bit or 64-bit signed attribute, aligned to 4B ++ * @NL_ATTR_TYPE_UINT: 32-bit or 64-bit unsigned attribute, aligned to 4B + */ + enum netlink_attribute_type { + NL_ATTR_TYPE_INVALID, +@@ -322,6 +324,9 @@ enum netlink_attribute_type { + NL_ATTR_TYPE_NESTED_ARRAY, + + NL_ATTR_TYPE_BITFIELD32, ++ ++ NL_ATTR_TYPE_SINT, ++ NL_ATTR_TYPE_UINT, + }; + + /** +diff --git a/lib/nlattr.c b/lib/nlattr.c +index ba698a097fc81..0319e811bb10a 100644 +--- a/lib/nlattr.c ++++ b/lib/nlattr.c +@@ -138,6 +138,7 @@ void nla_get_range_unsigned(const struct nla_policy *pt, + range->max = U32_MAX; + break; + case NLA_U64: ++ case NLA_UINT: + case NLA_MSECS: + range->max = U64_MAX; + break; +@@ -187,6 +188,9 @@ static int nla_validate_range_unsigned(const struct nla_policy *pt, + case NLA_U64: + value = nla_get_u64(nla); + break; ++ case NLA_UINT: ++ value = nla_get_uint(nla); ++ break; + case NLA_MSECS: + value = nla_get_u64(nla); + break; +@@ -252,6 +256,7 @@ void nla_get_range_signed(const struct nla_policy *pt, + range->max = S32_MAX; + break; + case NLA_S64: ++ case NLA_SINT: + range->min = S64_MIN; + range->max = S64_MAX; + break; +@@ -299,6 +304,9 @@ static int nla_validate_int_range_signed(const struct nla_policy *pt, + case NLA_S64: + value = nla_get_s64(nla); + break; ++ case NLA_SINT: ++ value = nla_get_sint(nla); ++ break; + default: + return -EINVAL; + } +@@ -324,6 +332,7 @@ static int nla_validate_int_range(const struct nla_policy *pt, + case NLA_U16: + case NLA_U32: + case NLA_U64: ++ case NLA_UINT: + case NLA_MSECS: + case NLA_BINARY: + case NLA_BE16: +@@ -333,6 +342,7 @@ static int nla_validate_int_range(const struct nla_policy *pt, + case NLA_S16: + case NLA_S32: + case NLA_S64: ++ case NLA_SINT: + return nla_validate_int_range_signed(pt, nla, extack); + default: + WARN_ON(1); +@@ -359,6 +369,9 @@ static int nla_validate_mask(const struct nla_policy *pt, + case NLA_U64: + value = 
nla_get_u64(nla); + break; ++ case NLA_UINT: ++ value = nla_get_uint(nla); ++ break; + case NLA_BE16: + value = ntohs(nla_get_be16(nla)); + break; +@@ -437,6 +450,15 @@ static int validate_nla(const struct nlattr *nla, int maxtype, + goto out_err; + break; + ++ case NLA_SINT: ++ case NLA_UINT: ++ if (attrlen != sizeof(u32) && attrlen != sizeof(u64)) { ++ NL_SET_ERR_MSG_ATTR_POL(extack, nla, pt, ++ "invalid attribute length"); ++ return -EINVAL; ++ } ++ break; ++ + case NLA_BITFIELD32: + if (attrlen != sizeof(struct nla_bitfield32)) + goto out_err; +diff --git a/net/netlink/policy.c b/net/netlink/policy.c +index 87e3de0fde896..ef542a142b980 100644 +--- a/net/netlink/policy.c ++++ b/net/netlink/policy.c +@@ -229,6 +229,8 @@ int netlink_policy_dump_attr_size_estimate(const struct nla_policy *pt) + case NLA_S16: + case NLA_S32: + case NLA_S64: ++ case NLA_SINT: ++ case NLA_UINT: + /* maximum is common, u64 min/max with padding */ + return common + + 2 * (nla_attr_size(0) + nla_attr_size(sizeof(u64))); +@@ -287,6 +289,7 @@ __netlink_policy_dump_write_attr(struct netlink_policy_dump_state *state, + case NLA_U16: + case NLA_U32: + case NLA_U64: ++ case NLA_UINT: + case NLA_MSECS: { + struct netlink_range_validation range; + +@@ -296,8 +299,10 @@ __netlink_policy_dump_write_attr(struct netlink_policy_dump_state *state, + type = NL_ATTR_TYPE_U16; + else if (pt->type == NLA_U32) + type = NL_ATTR_TYPE_U32; +- else ++ else if (pt->type == NLA_U64) + type = NL_ATTR_TYPE_U64; ++ else ++ type = NL_ATTR_TYPE_UINT; + + if (pt->validation_type == NLA_VALIDATE_MASK) { + if (nla_put_u64_64bit(skb, NL_POLICY_TYPE_ATTR_MASK, +@@ -319,7 +324,8 @@ __netlink_policy_dump_write_attr(struct netlink_policy_dump_state *state, + case NLA_S8: + case NLA_S16: + case NLA_S32: +- case NLA_S64: { ++ case NLA_S64: ++ case NLA_SINT: { + struct netlink_range_validation_signed range; + + if (pt->type == NLA_S8) +@@ -328,8 +334,10 @@ __netlink_policy_dump_write_attr(struct netlink_policy_dump_state 
*state, + type = NL_ATTR_TYPE_S16; + else if (pt->type == NLA_S32) + type = NL_ATTR_TYPE_S32; +- else ++ else if (pt->type == NLA_S64) + type = NL_ATTR_TYPE_S64; ++ else ++ type = NL_ATTR_TYPE_SINT; + + nla_get_range_signed(pt, &range); + +-- +2.50.1 + diff --git a/queue-6.6/phy-mscc-stop-taking-ts_lock-for-tx_queue-and-use-it.patch b/queue-6.6/phy-mscc-stop-taking-ts_lock-for-tx_queue-and-use-it.patch new file mode 100644 index 0000000000..070c5cd63b --- /dev/null +++ b/queue-6.6/phy-mscc-stop-taking-ts_lock-for-tx_queue-and-use-it.patch 
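Review bot: the new heading in the Documentation/userspace-api/netlink/specs.rst hunk reads `Fix-width integer types` while the sentence under it says `Fixed-width integer types include:` and the paragraph above says `fix-width types`; use "Fixed-width" throughout, and "in majority of cases" should be "in the majority of cases". The alignment warning ("the payload is only aligned to 4B, so the full 64 bit value may be unaligned!") is the part user-space parsers need and matches the layout in the commit message, where uint(64) is `[nlattr][ u64 ]` with no pad attribute in front of it.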
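Review bot: the kernel-doc for nla_get_sint() in the include/net/netlink.h hunk at @@ -1729 is copied from nla_get_uint() and still says `return payload of uint attribute` and `@nla: uint netlink attribute`; it should say sint. In the same file, nla_get_uint() (@@ -1667) and nla_get_sint() (@@ -1729) treat every length other than sizeof(u32)/sizeof(s32) as a 64-bit payload and fall through to nla_get_u64()/nla_get_s64(), which read a full 8 bytes, so they are only safe on attributes that have been through a policy enforcing the 4-or-8-byte length (the NLA_SINT/NLA_UINT case added to validate_nla() in lib/nlattr.c); a caller that parses without a policy must check nla_len() first, which deserves a sentence in the kernel-doc.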
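Review bot: the NLA_SINT/NLA_UINT case added to validate_nla() in lib/nlattr.c at @@ -437 returns -EINVAL with its own `"invalid attribute length"` extack message, whereas the neighbouring NLA_BITFIELD32 case uses `goto out_err;` for the same kind of length mismatch; unless out_err reports something different on purpose, the new case should take the same path so user space gets a consistent error for bad lengths.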
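Review bot: in the net/netlink/policy.c hunk at @@ -296 the trailing `else` previously mapped both NLA_U64 and NLA_MSECS to NL_ATTR_TYPE_U64; with the new `else if (pt->type == NLA_U64)` inserted before it, NLA_MSECS, which is still part of this case group (`case NLA_MSECS: {`), now falls into `type = NL_ATTR_TYPE_UINT;`, so policy dumps would advertise a millisecond attribute as a variable-length uint even though it is still carried as a fixed u64. Add NLA_MSECS to the NLA_U64 condition. The signed branch at @@ -328 has no extra type in its group, so it is fine as written.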
@@ -0,0 +1,147 @@ +From 2a2e1498d143975bfec6707d013cd478d4ecd781 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Sep 2025 14:12:59 +0200 +Subject: phy: mscc: Stop taking ts_lock for tx_queue and use its own lock + +From: Horatiu Vultur + +[ Upstream commit 9b2bfdbf43adb9929c5ddcdd96efedbf1c88cf53 ] + +When transmitting a PTP frame which is timestamp using 2 step, the +following warning appears if CONFIG_PROVE_LOCKING is enabled: +============================= +[ BUG: Invalid wait context ] +6.17.0-rc1-00326-ge6160462704e #427 Not tainted +----------------------------- +ptp4l/119 is trying to lock: +c2a44ed4 (&vsc8531->ts_lock){+.+.}-{3:3}, at: vsc85xx_txtstamp+0x50/0xac +other info that might help us debug this: +context-{4:4} +4 locks held by ptp4l/119: + #0: c145f068 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x58/0x1440 + #1: c29df974 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: __dev_queue_xmit+0x5c4/0x1440 + #2: c2aaaad0 (_xmit_ETHER#2){+.-.}-{2:2}, at: sch_direct_xmit+0x108/0x350 + #3: c2aac170 (&lan966x->tx_lock){+.-.}-{2:2}, at: lan966x_port_xmit+0xd0/0x350 +stack backtrace: +CPU: 0 UID: 0 PID: 119 Comm: ptp4l Not tainted 6.17.0-rc1-00326-ge6160462704e #427 NONE +Hardware name: Generic DT based system +Call trace: + unwind_backtrace from show_stack+0x10/0x14 + show_stack from dump_stack_lvl+0x7c/0xac + dump_stack_lvl from __lock_acquire+0x8e8/0x29dc + __lock_acquire from lock_acquire+0x108/0x38c + lock_acquire from __mutex_lock+0xb0/0xe78 + __mutex_lock from mutex_lock_nested+0x1c/0x24 + mutex_lock_nested from vsc85xx_txtstamp+0x50/0xac + vsc85xx_txtstamp from lan966x_fdma_xmit+0xd8/0x3a8 + lan966x_fdma_xmit from lan966x_port_xmit+0x1bc/0x350 + lan966x_port_xmit from dev_hard_start_xmit+0xc8/0x2c0 + dev_hard_start_xmit from sch_direct_xmit+0x8c/0x350 + sch_direct_xmit from __dev_queue_xmit+0x680/0x1440 + __dev_queue_xmit from packet_sendmsg+0xfa4/0x1568 + packet_sendmsg from __sys_sendto+0x110/0x19c + __sys_sendto from 
sys_send+0x18/0x20 + sys_send from ret_fast_syscall+0x0/0x1c +Exception stack(0xf0b05fa8 to 0xf0b05ff0) +5fa0: 00000001 0000000e 0000000e 0004b47a 0000003a 00000000 +5fc0: 00000001 0000000e 00000000 00000121 0004af58 00044874 00000000 00000000 +5fe0: 00000001 bee9d420 00025a10 b6e75c7c + +So, instead of using the ts_lock for tx_queue, use the spinlock that +skb_buff_head has. + +Reviewed-by: Vadim Fedorenko +Fixes: 7d272e63e0979d ("net: phy: mscc: timestamping and PHC support") +Signed-off-by: Horatiu Vultur +Link: https://patch.msgid.link/20250902121259.3257536-1-horatiu.vultur@microchip.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/mscc/mscc_ptp.c | 18 ++++++++---------- + 1 file changed, 8 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/phy/mscc/mscc_ptp.c b/drivers/net/phy/mscc/mscc_ptp.c +index 1f6237705b44b..939a8a17595ef 100644 +--- a/drivers/net/phy/mscc/mscc_ptp.c ++++ b/drivers/net/phy/mscc/mscc_ptp.c +@@ -455,12 +455,12 @@ static void vsc85xx_dequeue_skb(struct vsc85xx_ptp *ptp) + *p++ = (reg >> 24) & 0xff; + } + +- len = skb_queue_len(&ptp->tx_queue); ++ len = skb_queue_len_lockless(&ptp->tx_queue); + if (len < 1) + return; + + while (len--) { +- skb = __skb_dequeue(&ptp->tx_queue); ++ skb = skb_dequeue(&ptp->tx_queue); + if (!skb) + return; + +@@ -485,7 +485,7 @@ static void vsc85xx_dequeue_skb(struct vsc85xx_ptp *ptp) + * packet in the FIFO right now, reschedule it for later + * packets. 
+ */ +- __skb_queue_tail(&ptp->tx_queue, skb); ++ skb_queue_tail(&ptp->tx_queue, skb); + } + } + +@@ -1067,6 +1067,7 @@ static int vsc85xx_hwtstamp(struct mii_timestamper *mii_ts, struct ifreq *ifr) + case HWTSTAMP_TX_ON: + break; + case HWTSTAMP_TX_OFF: ++ skb_queue_purge(&vsc8531->ptp->tx_queue); + break; + default: + return -ERANGE; +@@ -1091,9 +1092,6 @@ static int vsc85xx_hwtstamp(struct mii_timestamper *mii_ts, struct ifreq *ifr) + + mutex_lock(&vsc8531->ts_lock); + +- __skb_queue_purge(&vsc8531->ptp->tx_queue); +- __skb_queue_head_init(&vsc8531->ptp->tx_queue); +- + /* Disable predictor while configuring the 1588 block */ + val = vsc85xx_ts_read_csr(phydev, PROCESSOR, + MSCC_PHY_PTP_INGR_PREDICTOR); +@@ -1179,9 +1177,7 @@ static void vsc85xx_txtstamp(struct mii_timestamper *mii_ts, + + skb_shinfo(skb)->tx_flags |= SKBTX_IN_PROGRESS; + +- mutex_lock(&vsc8531->ts_lock); +- __skb_queue_tail(&vsc8531->ptp->tx_queue, skb); +- mutex_unlock(&vsc8531->ts_lock); ++ skb_queue_tail(&vsc8531->ptp->tx_queue, skb); + return; + + out: +@@ -1547,6 +1543,7 @@ void vsc8584_ptp_deinit(struct phy_device *phydev) + if (vsc8531->ptp->ptp_clock) { + ptp_clock_unregister(vsc8531->ptp->ptp_clock); + skb_queue_purge(&vsc8531->rx_skbs_list); ++ skb_queue_purge(&vsc8531->ptp->tx_queue); + } + } + +@@ -1570,7 +1567,7 @@ irqreturn_t vsc8584_handle_ts_interrupt(struct phy_device *phydev) + if (rc & VSC85XX_1588_INT_FIFO_ADD) { + vsc85xx_get_tx_ts(priv->ptp); + } else if (rc & VSC85XX_1588_INT_FIFO_OVERFLOW) { +- __skb_queue_purge(&priv->ptp->tx_queue); ++ skb_queue_purge(&priv->ptp->tx_queue); + vsc85xx_ts_reset_fifo(phydev); + } + +@@ -1590,6 +1587,7 @@ int vsc8584_ptp_probe(struct phy_device *phydev) + mutex_init(&vsc8531->phc_lock); + mutex_init(&vsc8531->ts_lock); + skb_queue_head_init(&vsc8531->rx_skbs_list); ++ skb_queue_head_init(&vsc8531->ptp->tx_queue); + + /* Retrieve the shared load/save GPIO. 
Request it as non exclusive as + * the same GPIO can be requested by all the PHYs of the same package. +-- +2.50.1 + diff --git a/queue-6.6/ppp-fix-memory-leak-in-pad_compress_skb.patch b/queue-6.6/ppp-fix-memory-leak-in-pad_compress_skb.patch new file mode 100644 index 0000000000..76659524af --- /dev/null +++ b/queue-6.6/ppp-fix-memory-leak-in-pad_compress_skb.patch 
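Review bot: the unconditional `__skb_queue_purge(&vsc8531->ptp->tx_queue);` that ran under ts_lock for every hwtstamp configuration change (hunk at @@ -1091) is replaced by a purge only in the `case HWTSTAMP_TX_OFF:` branch (hunk at @@ -1067), so skbs queued before a TX_ON reconfiguration now survive it; if that is intended, the commit message should say so, since it is a behaviour change beyond the lock swap. Dropping the `__skb_queue_head_init()` re-init is correct now that the head is initialised once in vsc8584_ptp_probe() and skb_queue_purge() leaves it valid.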
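Review bot: in the vsc85xx_dequeue_skb() hunk at @@ -455, `len = skb_queue_len_lockless()` is a snapshot taken without the queue lock and the loop requeues unmatched skbs with skb_queue_tail(); because each pass dequeues at most the snapshot count, a concurrent skb_queue_tail() from vsc85xx_txtstamp() cannot make the loop spin, and the `if (!skb) return;` after skb_dequeue() covers the queue being drained underneath by skb_queue_purge(). A one-line comment at the `len =` assignment saying the lockless read is deliberate would stop the next reader from "fixing" it back.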
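Review bot: the new `skb_queue_purge(&vsc8531->ptp->tx_queue);` in vsc8584_ptp_deinit() (hunk at @@ -1547) sits inside `if (vsc8531->ptp->ptp_clock)`, while the matching skb_queue_head_init() in vsc8584_ptp_probe() (hunk at @@ -1590) is unconditional; if vsc85xx_txtstamp() can queue an skb while ptp_clock is NULL, those skbs are never freed on teardown. Either move the purge outside the ptp_clock check or confirm that txtstamp is gated on ptp_clock.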
@@ -0,0 +1,66 @@ +From 64f781419b1cc0dd1fa3c044098b65c9cc95a62e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Sep 2025 18:07:26 +0800 +Subject: ppp: fix memory leak in pad_compress_skb + +From: Qingfang Deng + +[ Upstream commit 4844123fe0b853a4982c02666cb3fd863d701d50 ] + +If alloc_skb() fails in pad_compress_skb(), it returns NULL without +releasing the old skb. The caller does: + + skb = pad_compress_skb(ppp, skb); + if (!skb) + goto drop; + +drop: + kfree_skb(skb); + +When pad_compress_skb() returns NULL, the reference to the old skb is +lost and kfree_skb(skb) ends up doing nothing, leading to a memory leak. + +Align pad_compress_skb() semantics with realloc(): only free the old +skb if allocation and compression succeed. At the call site, use the +new_skb variable so the original skb is not lost when pad_compress_skb() +fails. + +Fixes: b3f9b92a6ec1 ("[PPP]: add PPP MPPE encryption module") +Signed-off-by: Qingfang Deng +Reviewed-by: Eric Dumazet +Reviewed-by: Yue Haibing +Link: https://patch.msgid.link/20250903100726.269839-1-dqfext@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ppp/ppp_generic.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c +index 28b894bcd7a93..46ac51217114b 100644 +--- a/drivers/net/ppp/ppp_generic.c ++++ b/drivers/net/ppp/ppp_generic.c +@@ -1753,7 +1753,6 @@ pad_compress_skb(struct ppp *ppp, struct sk_buff *skb) + */ + if (net_ratelimit()) + netdev_err(ppp->dev, "ppp: compressor dropped pkt\n"); +- kfree_skb(skb); + consume_skb(new_skb); + new_skb = NULL; + } +@@ -1855,9 +1854,10 @@ ppp_send_frame(struct ppp *ppp, struct sk_buff *skb) + "down - pkt dropped.\n"); + goto drop; + } +- skb = pad_compress_skb(ppp, skb); +- if (!skb) ++ new_skb = pad_compress_skb(ppp, skb); ++ if (!new_skb) + goto drop; ++ skb = new_skb; + } + + /* +-- +2.50.1 + 
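Review bot: with `kfree_skb(skb);` removed from the compressor-dropped path at @@ -1753, pad_compress_skb() returns NULL while the caller still owns the original skb, and the call site at @@ -1855 keeps that reference in `skb` so `goto drop` frees exactly once; that matches the realloc()-style semantics described in the commit message. Two things to confirm outside the visible hunks: that the success path of pad_compress_skb() still consumes the old skb (otherwise `skb = new_skb;` leaks it), and that `new_skb` is already declared in ppp_send_frame(), since the hunk adds no declaration.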
diff --git a/queue-6.6/selftest-net-fix-weird-setsockopt-in-bind_bhash.c.patch b/queue-6.6/selftest-net-fix-weird-setsockopt-in-bind_bhash.c.patch new file mode 100644 index 0000000000..20c9c58b52 --- /dev/null +++ b/queue-6.6/selftest-net-fix-weird-setsockopt-in-bind_bhash.c.patch 
@@ -0,0 +1,62 @@ +From d432a96f2c5d2f954d98ec6ba93614d1ccc3d0c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Sep 2025 22:28:51 +0000 +Subject: selftest: net: Fix weird setsockopt() in bind_bhash.c. + +From: Kuniyuki Iwashima + +[ Upstream commit fd2004d82d8d8faa94879e3de3096c8511728637 ] + +bind_bhash.c passes (SO_REUSEADDR | SO_REUSEPORT) to setsockopt(). + +In the asm-generic definition, the value happens to match with the +bare SO_REUSEPORT, (2 | 15) == 15, but not on some arch. + +arch/alpha/include/uapi/asm/socket.h:18:#define SO_REUSEADDR 0x0004 +arch/alpha/include/uapi/asm/socket.h:24:#define SO_REUSEPORT 0x0200 +arch/mips/include/uapi/asm/socket.h:24:#define SO_REUSEADDR 0x0004 /* Allow reuse of local addresses. */ +arch/mips/include/uapi/asm/socket.h:33:#define SO_REUSEPORT 0x0200 /* Allow local address and port reuse. */ +arch/parisc/include/uapi/asm/socket.h:12:#define SO_REUSEADDR 0x0004 +arch/parisc/include/uapi/asm/socket.h:18:#define SO_REUSEPORT 0x0200 +arch/sparc/include/uapi/asm/socket.h:13:#define SO_REUSEADDR 0x0004 +arch/sparc/include/uapi/asm/socket.h:20:#define SO_REUSEPORT 0x0200 +include/uapi/asm-generic/socket.h:12:#define SO_REUSEADDR 2 +include/uapi/asm-generic/socket.h:27:#define SO_REUSEPORT 15 + +Let's pass SO_REUSEPORT only. 
+ +Fixes: c35ecb95c448 ("selftests/net: Add test for timing a bind request to a port with a populated bhash entry") +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250903222938.2601522-1-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/bind_bhash.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/net/bind_bhash.c b/tools/testing/selftests/net/bind_bhash.c +index 57ff67a3751eb..da04b0b19b73c 100644 +--- a/tools/testing/selftests/net/bind_bhash.c ++++ b/tools/testing/selftests/net/bind_bhash.c +@@ -75,7 +75,7 @@ static void *setup(void *arg) + int *array = (int *)arg; + + for (i = 0; i < MAX_CONNECTIONS; i++) { +- sock_fd = bind_socket(SO_REUSEADDR | SO_REUSEPORT, setup_addr); ++ sock_fd = bind_socket(SO_REUSEPORT, setup_addr); + if (sock_fd < 0) { + ret = sock_fd; + pthread_exit(&ret); +@@ -103,7 +103,7 @@ int main(int argc, const char *argv[]) + + setup_addr = use_v6 ? setup_addr_v6 : setup_addr_v4; + +- listener_fd = bind_socket(SO_REUSEADDR | SO_REUSEPORT, setup_addr); ++ listener_fd = bind_socket(SO_REUSEPORT, setup_addr); + if (listen(listener_fd, 100) < 0) { + perror("listen failed"); + return -1; +-- +2.50.1 + diff --git a/queue-6.6/series b/queue-6.6/series index b9aa0d1073..96aed3a1a6 100644 --- a/queue-6.6/series +++ b/queue-6.6/series 
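Review bot: bind_socket() takes a single optname, so `SO_REUSEADDR | SO_REUSEPORT` was never two options but one arbitrary constant; the hunks at @@ -75 and @@ -103 now pass SO_REUSEPORT alone, which is what the test actually exercised on asm-generic architectures where the OR evaluated to 15, and which is what it will now exercise on alpha, mips, parisc and sparc too. If the test also needs SO_REUSEADDR, bind_socket() would have to issue a second setsockopt() rather than OR the constants.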
@@ -16,3 +16,35 @@ arm64-dts-rockchip-add-vcc-supply-to-spi-flash-on-rk.patch tee-optee-ffa-fix-a-typo-of-optee_ffa_api_is_compati.patch arm64-dts-imx8mp-fix-missing-microsd-slot-vqmmc-on-d.patch arm64-dts-imx8mp-fix-missing-microsd-slot-vqmmc-on-d.patch-12817 +wifi-cfg80211-fix-use-after-free-in-cmp_bss.patch +wifi-brcmfmac-fix-use-after-free-when-rescheduling-b.patch +netfilter-br_netfilter-do-not-check-confirmed-bit-in.patch +netfilter-conntrack-helper-replace-eexist-by-ebusy.patch +bluetooth-vhci-prevent-use-after-free-by-removing-de.patch +bluetooth-fix-use-after-free-in-l2cap_sock_cleanup_l.patch +xirc2ps_cs-fix-register-access-when-enabling-fulldup.patch +misdn-fix-memory-leak-in-dsp_hwec_enable.patch +icmp-fix-icmp_ndo_send-address-translation-for-reply.patch +net-macb-fix-tx_ptr_lock-locking.patch +netlink-add-variable-length-auto-integers.patch +macsec-read-macsec_sa_attr_pn-with-nla_get_uint.patch +net-smc-fix-one-null-pointer-dereference-in-smc_ib_i.patch +i40e-fix-potential-invalid-access-when-mac-list-is-e.patch +wifi-ath11k-introduce-and-use-ath11k_sta_to_arsta.patch +wifi-ath11k-rename-ath11k_start_vdev_delay.patch +wifi-ath11k-avoid-forward-declaration-of-ath11k_mac_.patch +wifi-ath11k-fix-group-data-packet-drops-during-rekey.patch +net-ethernet-mtk_eth_soc-fix-tx-vlan-tag-for-llc-pac.patch +wifi-cw1200-cap-ssid-length-in-cw1200_do_join.patch +wifi-libertas-cap-ssid-len-in-lbs_associate.patch +wifi-cfg80211-sme-cap-ssid-length-in-__cfg80211_conn.patch +net-thunder_bgx-add-a-missing-of_node_put.patch +net-thunder_bgx-decrement-cleanup-index-before-use.patch +ipv4-fix-null-vs-error-pointer-check-in-inet_blackho.patch +net-smc-remove-validation-of-reserved-bits-in-clc-de.patch +mctp-return-enoprotoopt-for-unknown-getsockopt-optio.patch +ax25-properly-unshare-skbs-in-ax25_kiss_rcv.patch +net-atm-fix-memory-leak-in-atm_register_sysfs-when-d.patch +ppp-fix-memory-leak-in-pad_compress_skb.patch +selftest-net-fix-weird-setsockopt-in-bind_bhash.c.patch 
+phy-mscc-stop-taking-ts_lock-for-tx_queue-and-use-it.patch diff --git a/queue-6.6/wifi-ath11k-avoid-forward-declaration-of-ath11k_mac_.patch b/queue-6.6/wifi-ath11k-avoid-forward-declaration-of-ath11k_mac_.patch new file mode 100644 index 0000000000..1233b5c7d9 --- /dev/null +++ b/queue-6.6/wifi-ath11k-avoid-forward-declaration-of-ath11k_mac_.patch 
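Review bot: the ordering in queue-6.6/series respects the stated dependencies: netlink-add-variable-length-auto-integers.patch precedes macsec-read-macsec_sa_attr_pn-with-nla_get_uint.patch (its Stable-dep-of), and the three ath11k preparation patches (introduce-and-use-ath11k_sta_to_arsta, rename-ath11k_start_vdev_delay, avoid-forward-declaration-of-ath11k_mac_) precede wifi-ath11k-fix-group-data-packet-drops-during-rekey.patch. The series file is the only place this order is enforced, so keep it when the queue is rebased.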
@@ -0,0 +1,520 @@ +From d1cd23403c460d407d2fb4147ed282120da7e9e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Jan 2024 10:56:59 +0800 +Subject: wifi: ath11k: avoid forward declaration of + ath11k_mac_start_vdev_delay() + +From: Baochen Qiang + +[ Upstream commit ce59902e56ea0477ad9bef0067d0e47b6c4d707d ] + +Currently ath11k_mac_start_vdev_delay() needs a forward declaration because +it is defined after where it is called. Avoid this by re-arranging +ath11k_mac_station_add() and ath11k_mac_op_sta_state(). + +No functional changes. Compile tested only. + +Signed-off-by: Baochen Qiang +Acked-by: Jeff Johnson +Signed-off-by: Kalle Valo +Link: https://msgid.link/20240123025700.2929-4-quic_bqiang@quicinc.com +Stable-dep-of: 97acb0259cc9 ("wifi: ath11k: fix group data packet drops during rekey") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/mac.c | 459 +++++++++++++------------- + 1 file changed, 228 insertions(+), 231 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c +index 58cc079f0df4a..eb295d092a33c 100644 +--- a/drivers/net/wireless/ath/ath11k/mac.c ++++ b/drivers/net/wireless/ath/ath11k/mac.c +@@ -254,9 +254,6 @@ static const u32 ath11k_smps_map[] = { + [WLAN_HT_CAP_SM_PS_DISABLED] = WMI_PEER_SMPS_PS_NONE, + }; + +-static int ath11k_mac_start_vdev_delay(struct ieee80211_hw *hw, +- struct ieee80211_vif *vif); +- + enum nl80211_he_ru_alloc ath11k_mac_phy_he_ru_to_nl80211_he_ru_alloc(u16 ru_phy) + { + enum nl80211_he_ru_alloc ret; +@@ -4896,100 +4893,6 @@ static void ath11k_mac_dec_num_stations(struct ath11k_vif *arvif, + ar->num_stations--; + } + +-static int ath11k_mac_station_add(struct ath11k *ar, +- struct ieee80211_vif *vif, +- struct ieee80211_sta *sta) +-{ +- struct ath11k_base *ab = ar->ab; +- struct ath11k_vif *arvif = ath11k_vif_to_arvif(vif); +- struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta); +- struct peer_create_params peer_param; +- int ret; +- +- 
lockdep_assert_held(&ar->conf_mutex); +- +- ret = ath11k_mac_inc_num_stations(arvif, sta); +- if (ret) { +- ath11k_warn(ab, "refusing to associate station: too many connected already (%d)\n", +- ar->max_num_stations); +- goto exit; +- } +- +- arsta->rx_stats = kzalloc(sizeof(*arsta->rx_stats), GFP_KERNEL); +- if (!arsta->rx_stats) { +- ret = -ENOMEM; +- goto dec_num_station; +- } +- +- peer_param.vdev_id = arvif->vdev_id; +- peer_param.peer_addr = sta->addr; +- peer_param.peer_type = WMI_PEER_TYPE_DEFAULT; +- +- ret = ath11k_peer_create(ar, arvif, sta, &peer_param); +- if (ret) { +- ath11k_warn(ab, "Failed to add peer: %pM for VDEV: %d\n", +- sta->addr, arvif->vdev_id); +- goto free_rx_stats; +- } +- +- ath11k_dbg(ab, ATH11K_DBG_MAC, "Added peer: %pM for VDEV: %d\n", +- sta->addr, arvif->vdev_id); +- +- if (ath11k_debugfs_is_extd_tx_stats_enabled(ar)) { +- arsta->tx_stats = kzalloc(sizeof(*arsta->tx_stats), GFP_KERNEL); +- if (!arsta->tx_stats) { +- ret = -ENOMEM; +- goto free_peer; +- } +- } +- +- if (ieee80211_vif_is_mesh(vif)) { +- ath11k_dbg(ab, ATH11K_DBG_MAC, +- "setting USE_4ADDR for mesh STA %pM\n", sta->addr); +- ret = ath11k_wmi_set_peer_param(ar, sta->addr, +- arvif->vdev_id, +- WMI_PEER_USE_4ADDR, 1); +- if (ret) { +- ath11k_warn(ab, "failed to set mesh STA %pM 4addr capability: %d\n", +- sta->addr, ret); +- goto free_tx_stats; +- } +- } +- +- ret = ath11k_dp_peer_setup(ar, arvif->vdev_id, sta->addr); +- if (ret) { +- ath11k_warn(ab, "failed to setup dp for peer %pM on vdev %i (%d)\n", +- sta->addr, arvif->vdev_id, ret); +- goto free_tx_stats; +- } +- +- if (ab->hw_params.vdev_start_delay && +- !arvif->is_started && +- arvif->vdev_type != WMI_VDEV_TYPE_AP) { +- ret = ath11k_mac_start_vdev_delay(ar->hw, vif); +- if (ret) { +- ath11k_warn(ab, "failed to delay vdev start: %d\n", ret); +- goto free_tx_stats; +- } +- } +- +- ewma_avg_rssi_init(&arsta->avg_rssi); +- return 0; +- +-free_tx_stats: +- kfree(arsta->tx_stats); +- arsta->tx_stats = NULL; 
+-free_peer: +- ath11k_peer_delete(ar, arvif->vdev_id, sta->addr); +-free_rx_stats: +- kfree(arsta->rx_stats); +- arsta->rx_stats = NULL; +-dec_num_station: +- ath11k_mac_dec_num_stations(arvif, sta); +-exit: +- return ret; +-} +- + static u32 ath11k_mac_ieee80211_sta_bw_to_wmi(struct ath11k *ar, + struct ieee80211_sta *sta) + { +@@ -5018,140 +4921,6 @@ static u32 ath11k_mac_ieee80211_sta_bw_to_wmi(struct ath11k *ar, + return bw; + } + +-static int ath11k_mac_op_sta_state(struct ieee80211_hw *hw, +- struct ieee80211_vif *vif, +- struct ieee80211_sta *sta, +- enum ieee80211_sta_state old_state, +- enum ieee80211_sta_state new_state) +-{ +- struct ath11k *ar = hw->priv; +- struct ath11k_vif *arvif = ath11k_vif_to_arvif(vif); +- struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta); +- struct ath11k_peer *peer; +- int ret = 0; +- +- /* cancel must be done outside the mutex to avoid deadlock */ +- if ((old_state == IEEE80211_STA_NONE && +- new_state == IEEE80211_STA_NOTEXIST)) { +- cancel_work_sync(&arsta->update_wk); +- cancel_work_sync(&arsta->set_4addr_wk); +- } +- +- mutex_lock(&ar->conf_mutex); +- +- if (old_state == IEEE80211_STA_NOTEXIST && +- new_state == IEEE80211_STA_NONE) { +- memset(arsta, 0, sizeof(*arsta)); +- arsta->arvif = arvif; +- arsta->peer_ps_state = WMI_PEER_PS_STATE_DISABLED; +- INIT_WORK(&arsta->update_wk, ath11k_sta_rc_update_wk); +- INIT_WORK(&arsta->set_4addr_wk, ath11k_sta_set_4addr_wk); +- +- ret = ath11k_mac_station_add(ar, vif, sta); +- if (ret) +- ath11k_warn(ar->ab, "Failed to add station: %pM for VDEV: %d\n", +- sta->addr, arvif->vdev_id); +- } else if ((old_state == IEEE80211_STA_NONE && +- new_state == IEEE80211_STA_NOTEXIST)) { +- bool skip_peer_delete = ar->ab->hw_params.vdev_start_delay && +- vif->type == NL80211_IFTYPE_STATION; +- +- ath11k_dp_peer_cleanup(ar, arvif->vdev_id, sta->addr); +- +- if (!skip_peer_delete) { +- ret = ath11k_peer_delete(ar, arvif->vdev_id, sta->addr); +- if (ret) +- ath11k_warn(ar->ab, +- "Failed to delete 
peer: %pM for VDEV: %d\n", +- sta->addr, arvif->vdev_id); +- else +- ath11k_dbg(ar->ab, +- ATH11K_DBG_MAC, +- "Removed peer: %pM for VDEV: %d\n", +- sta->addr, arvif->vdev_id); +- } +- +- ath11k_mac_dec_num_stations(arvif, sta); +- mutex_lock(&ar->ab->tbl_mtx_lock); +- spin_lock_bh(&ar->ab->base_lock); +- peer = ath11k_peer_find(ar->ab, arvif->vdev_id, sta->addr); +- if (skip_peer_delete && peer) { +- peer->sta = NULL; +- } else if (peer && peer->sta == sta) { +- ath11k_warn(ar->ab, "Found peer entry %pM n vdev %i after it was supposedly removed\n", +- vif->addr, arvif->vdev_id); +- ath11k_peer_rhash_delete(ar->ab, peer); +- peer->sta = NULL; +- list_del(&peer->list); +- kfree(peer); +- ar->num_peers--; +- } +- spin_unlock_bh(&ar->ab->base_lock); +- mutex_unlock(&ar->ab->tbl_mtx_lock); +- +- kfree(arsta->tx_stats); +- arsta->tx_stats = NULL; +- +- kfree(arsta->rx_stats); +- arsta->rx_stats = NULL; +- } else if (old_state == IEEE80211_STA_AUTH && +- new_state == IEEE80211_STA_ASSOC && +- (vif->type == NL80211_IFTYPE_AP || +- vif->type == NL80211_IFTYPE_MESH_POINT || +- vif->type == NL80211_IFTYPE_ADHOC)) { +- ret = ath11k_station_assoc(ar, vif, sta, false); +- if (ret) +- ath11k_warn(ar->ab, "Failed to associate station: %pM\n", +- sta->addr); +- +- spin_lock_bh(&ar->data_lock); +- /* Set arsta bw and prev bw */ +- arsta->bw = ath11k_mac_ieee80211_sta_bw_to_wmi(ar, sta); +- arsta->bw_prev = arsta->bw; +- spin_unlock_bh(&ar->data_lock); +- } else if (old_state == IEEE80211_STA_ASSOC && +- new_state == IEEE80211_STA_AUTHORIZED) { +- spin_lock_bh(&ar->ab->base_lock); +- +- peer = ath11k_peer_find(ar->ab, arvif->vdev_id, sta->addr); +- if (peer) +- peer->is_authorized = true; +- +- spin_unlock_bh(&ar->ab->base_lock); +- +- if (vif->type == NL80211_IFTYPE_STATION && arvif->is_up) { +- ret = ath11k_wmi_set_peer_param(ar, sta->addr, +- arvif->vdev_id, +- WMI_PEER_AUTHORIZE, +- 1); +- if (ret) +- ath11k_warn(ar->ab, "Unable to authorize peer %pM vdev %d: %d\n", +- 
sta->addr, arvif->vdev_id, ret); +- } +- } else if (old_state == IEEE80211_STA_AUTHORIZED && +- new_state == IEEE80211_STA_ASSOC) { +- spin_lock_bh(&ar->ab->base_lock); +- +- peer = ath11k_peer_find(ar->ab, arvif->vdev_id, sta->addr); +- if (peer) +- peer->is_authorized = false; +- +- spin_unlock_bh(&ar->ab->base_lock); +- } else if (old_state == IEEE80211_STA_ASSOC && +- new_state == IEEE80211_STA_AUTH && +- (vif->type == NL80211_IFTYPE_AP || +- vif->type == NL80211_IFTYPE_MESH_POINT || +- vif->type == NL80211_IFTYPE_ADHOC)) { +- ret = ath11k_station_disassoc(ar, vif, sta); +- if (ret) +- ath11k_warn(ar->ab, "Failed to disassociate station: %pM\n", +- sta->addr); +- } +- +- mutex_unlock(&ar->conf_mutex); +- return ret; +-} +- + static int ath11k_mac_op_sta_set_txpwr(struct ieee80211_hw *hw, + struct ieee80211_vif *vif, + struct ieee80211_sta *sta) +@@ -9099,6 +8868,234 @@ static int ath11k_mac_op_get_txpower(struct ieee80211_hw *hw, + return 0; + } + ++static int ath11k_mac_station_add(struct ath11k *ar, ++ struct ieee80211_vif *vif, ++ struct ieee80211_sta *sta) ++{ ++ struct ath11k_base *ab = ar->ab; ++ struct ath11k_vif *arvif = ath11k_vif_to_arvif(vif); ++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta); ++ struct peer_create_params peer_param; ++ int ret; ++ ++ lockdep_assert_held(&ar->conf_mutex); ++ ++ ret = ath11k_mac_inc_num_stations(arvif, sta); ++ if (ret) { ++ ath11k_warn(ab, "refusing to associate station: too many connected already (%d)\n", ++ ar->max_num_stations); ++ goto exit; ++ } ++ ++ arsta->rx_stats = kzalloc(sizeof(*arsta->rx_stats), GFP_KERNEL); ++ if (!arsta->rx_stats) { ++ ret = -ENOMEM; ++ goto dec_num_station; ++ } ++ ++ peer_param.vdev_id = arvif->vdev_id; ++ peer_param.peer_addr = sta->addr; ++ peer_param.peer_type = WMI_PEER_TYPE_DEFAULT; ++ ++ ret = ath11k_peer_create(ar, arvif, sta, &peer_param); ++ if (ret) { ++ ath11k_warn(ab, "Failed to add peer: %pM for VDEV: %d\n", ++ sta->addr, arvif->vdev_id); ++ goto free_rx_stats; ++ } 
++ ++ ath11k_dbg(ab, ATH11K_DBG_MAC, "Added peer: %pM for VDEV: %d\n", ++ sta->addr, arvif->vdev_id); ++ ++ if (ath11k_debugfs_is_extd_tx_stats_enabled(ar)) { ++ arsta->tx_stats = kzalloc(sizeof(*arsta->tx_stats), GFP_KERNEL); ++ if (!arsta->tx_stats) { ++ ret = -ENOMEM; ++ goto free_peer; ++ } ++ } ++ ++ if (ieee80211_vif_is_mesh(vif)) { ++ ath11k_dbg(ab, ATH11K_DBG_MAC, ++ "setting USE_4ADDR for mesh STA %pM\n", sta->addr); ++ ret = ath11k_wmi_set_peer_param(ar, sta->addr, ++ arvif->vdev_id, ++ WMI_PEER_USE_4ADDR, 1); ++ if (ret) { ++ ath11k_warn(ab, "failed to set mesh STA %pM 4addr capability: %d\n", ++ sta->addr, ret); ++ goto free_tx_stats; ++ } ++ } ++ ++ ret = ath11k_dp_peer_setup(ar, arvif->vdev_id, sta->addr); ++ if (ret) { ++ ath11k_warn(ab, "failed to setup dp for peer %pM on vdev %i (%d)\n", ++ sta->addr, arvif->vdev_id, ret); ++ goto free_tx_stats; ++ } ++ ++ if (ab->hw_params.vdev_start_delay && ++ !arvif->is_started && ++ arvif->vdev_type != WMI_VDEV_TYPE_AP) { ++ ret = ath11k_mac_start_vdev_delay(ar->hw, vif); ++ if (ret) { ++ ath11k_warn(ab, "failed to delay vdev start: %d\n", ret); ++ goto free_tx_stats; ++ } ++ } ++ ++ ewma_avg_rssi_init(&arsta->avg_rssi); ++ return 0; ++ ++free_tx_stats: ++ kfree(arsta->tx_stats); ++ arsta->tx_stats = NULL; ++free_peer: ++ ath11k_peer_delete(ar, arvif->vdev_id, sta->addr); ++free_rx_stats: ++ kfree(arsta->rx_stats); ++ arsta->rx_stats = NULL; ++dec_num_station: ++ ath11k_mac_dec_num_stations(arvif, sta); ++exit: ++ return ret; ++} ++ ++static int ath11k_mac_op_sta_state(struct ieee80211_hw *hw, ++ struct ieee80211_vif *vif, ++ struct ieee80211_sta *sta, ++ enum ieee80211_sta_state old_state, ++ enum ieee80211_sta_state new_state) ++{ ++ struct ath11k *ar = hw->priv; ++ struct ath11k_vif *arvif = ath11k_vif_to_arvif(vif); ++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta); ++ struct ath11k_peer *peer; ++ int ret = 0; ++ ++ /* cancel must be done outside the mutex to avoid deadlock */ ++ if ((old_state == 
IEEE80211_STA_NONE && ++ new_state == IEEE80211_STA_NOTEXIST)) { ++ cancel_work_sync(&arsta->update_wk); ++ cancel_work_sync(&arsta->set_4addr_wk); ++ } ++ ++ mutex_lock(&ar->conf_mutex); ++ ++ if (old_state == IEEE80211_STA_NOTEXIST && ++ new_state == IEEE80211_STA_NONE) { ++ memset(arsta, 0, sizeof(*arsta)); ++ arsta->arvif = arvif; ++ arsta->peer_ps_state = WMI_PEER_PS_STATE_DISABLED; ++ INIT_WORK(&arsta->update_wk, ath11k_sta_rc_update_wk); ++ INIT_WORK(&arsta->set_4addr_wk, ath11k_sta_set_4addr_wk); ++ ++ ret = ath11k_mac_station_add(ar, vif, sta); ++ if (ret) ++ ath11k_warn(ar->ab, "Failed to add station: %pM for VDEV: %d\n", ++ sta->addr, arvif->vdev_id); ++ } else if ((old_state == IEEE80211_STA_NONE && ++ new_state == IEEE80211_STA_NOTEXIST)) { ++ bool skip_peer_delete = ar->ab->hw_params.vdev_start_delay && ++ vif->type == NL80211_IFTYPE_STATION; ++ ++ ath11k_dp_peer_cleanup(ar, arvif->vdev_id, sta->addr); ++ ++ if (!skip_peer_delete) { ++ ret = ath11k_peer_delete(ar, arvif->vdev_id, sta->addr); ++ if (ret) ++ ath11k_warn(ar->ab, ++ "Failed to delete peer: %pM for VDEV: %d\n", ++ sta->addr, arvif->vdev_id); ++ else ++ ath11k_dbg(ar->ab, ++ ATH11K_DBG_MAC, ++ "Removed peer: %pM for VDEV: %d\n", ++ sta->addr, arvif->vdev_id); ++ } ++ ++ ath11k_mac_dec_num_stations(arvif, sta); ++ mutex_lock(&ar->ab->tbl_mtx_lock); ++ spin_lock_bh(&ar->ab->base_lock); ++ peer = ath11k_peer_find(ar->ab, arvif->vdev_id, sta->addr); ++ if (skip_peer_delete && peer) { ++ peer->sta = NULL; ++ } else if (peer && peer->sta == sta) { ++ ath11k_warn(ar->ab, "Found peer entry %pM n vdev %i after it was supposedly removed\n", ++ vif->addr, arvif->vdev_id); ++ ath11k_peer_rhash_delete(ar->ab, peer); ++ peer->sta = NULL; ++ list_del(&peer->list); ++ kfree(peer); ++ ar->num_peers--; ++ } ++ spin_unlock_bh(&ar->ab->base_lock); ++ mutex_unlock(&ar->ab->tbl_mtx_lock); ++ ++ kfree(arsta->tx_stats); ++ arsta->tx_stats = NULL; ++ ++ kfree(arsta->rx_stats); ++ arsta->rx_stats = NULL; ++ } else 
if (old_state == IEEE80211_STA_AUTH && ++ new_state == IEEE80211_STA_ASSOC && ++ (vif->type == NL80211_IFTYPE_AP || ++ vif->type == NL80211_IFTYPE_MESH_POINT || ++ vif->type == NL80211_IFTYPE_ADHOC)) { ++ ret = ath11k_station_assoc(ar, vif, sta, false); ++ if (ret) ++ ath11k_warn(ar->ab, "Failed to associate station: %pM\n", ++ sta->addr); ++ ++ spin_lock_bh(&ar->data_lock); ++ /* Set arsta bw and prev bw */ ++ arsta->bw = ath11k_mac_ieee80211_sta_bw_to_wmi(ar, sta); ++ arsta->bw_prev = arsta->bw; ++ spin_unlock_bh(&ar->data_lock); ++ } else if (old_state == IEEE80211_STA_ASSOC && ++ new_state == IEEE80211_STA_AUTHORIZED) { ++ spin_lock_bh(&ar->ab->base_lock); ++ ++ peer = ath11k_peer_find(ar->ab, arvif->vdev_id, sta->addr); ++ if (peer) ++ peer->is_authorized = true; ++ ++ spin_unlock_bh(&ar->ab->base_lock); ++ ++ if (vif->type == NL80211_IFTYPE_STATION && arvif->is_up) { ++ ret = ath11k_wmi_set_peer_param(ar, sta->addr, ++ arvif->vdev_id, ++ WMI_PEER_AUTHORIZE, ++ 1); ++ if (ret) ++ ath11k_warn(ar->ab, "Unable to authorize peer %pM vdev %d: %d\n", ++ sta->addr, arvif->vdev_id, ret); ++ } ++ } else if (old_state == IEEE80211_STA_AUTHORIZED && ++ new_state == IEEE80211_STA_ASSOC) { ++ spin_lock_bh(&ar->ab->base_lock); ++ ++ peer = ath11k_peer_find(ar->ab, arvif->vdev_id, sta->addr); ++ if (peer) ++ peer->is_authorized = false; ++ ++ spin_unlock_bh(&ar->ab->base_lock); ++ } else if (old_state == IEEE80211_STA_ASSOC && ++ new_state == IEEE80211_STA_AUTH && ++ (vif->type == NL80211_IFTYPE_AP || ++ vif->type == NL80211_IFTYPE_MESH_POINT || ++ vif->type == NL80211_IFTYPE_ADHOC)) { ++ ret = ath11k_station_disassoc(ar, vif, sta); ++ if (ret) ++ ath11k_warn(ar->ab, "Failed to disassociate station: %pM\n", ++ sta->addr); ++ } ++ ++ mutex_unlock(&ar->conf_mutex); ++ return ret; ++} ++ + static const struct ieee80211_ops ath11k_ops = { + .tx = ath11k_mac_op_tx, + .wake_tx_queue = ieee80211_handle_wake_tx_queue, +-- +2.50.1 + 
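Review bot: in the relocated ath11k_mac_station_add(), the unwind after ath11k_dp_peer_setup() has succeeded is not symmetric with teardown: a failure in ath11k_mac_start_vdev_delay() jumps to free_tx_stats and falls through to free_peer, which calls ath11k_peer_delete() without a preceding ath11k_dp_peer_cleanup(), while the NONE->NOTEXIST branch of ath11k_mac_op_sta_state() in the same patch always runs ath11k_dp_peer_cleanup() before ath11k_peer_delete(). This is pre-existing and the patch is a pure move, which is the right thing for a stable dependency, but it is worth confirming that the DP peer state is not leaked on that path and, if it is, adding a `free_dp_peer:` label in a follow-up rather than inside this move.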
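Review bot: the warning in the NONE->NOTEXIST branch of ath11k_mac_op_sta_state(), "Found peer entry %pM n vdev %i after it was supposedly removed", prints vif->addr although the lookup directly above it is ath11k_peer_find(ar->ab, arvif->vdev_id, sta->addr), so the address logged is the interface's rather than the stale peer's, and "n" reads as a typo for "in". Both are carried over unchanged, which is correct for a relocation-only patch, but a one-line follow-up switching the argument to sta->addr would make the message useful when chasing the leaked-peer case it guards.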
diff --git a/queue-6.6/wifi-ath11k-fix-group-data-packet-drops-during-rekey.patch b/queue-6.6/wifi-ath11k-fix-group-data-packet-drops-during-rekey.patch new file mode 100644 index 0000000000..76ff42e826 --- /dev/null +++ b/queue-6.6/wifi-ath11k-fix-group-data-packet-drops-during-rekey.patch 
@@ -0,0 +1,244 @@ +From 0f879aec07f622945cc260814614d07345b536e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 10 Aug 2025 22:30:18 +0530 +Subject: wifi: ath11k: fix group data packet drops during rekey +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rameshkumar Sundaram + +[ Upstream commit 97acb0259cc9cbfbd7ab689e25684f3d8ce10e26 ] + +During GTK rekey, mac80211 issues a clear key (if the old key exists) +followed by an install key operation in the same context. This causes +ath11k to send two WMI commands in quick succession: one to clear the +old key and another to install the new key in the same slot. + +Under certain conditions—especially under high load or time sensitive +scenarios, firmware may process these commands asynchronously in a way +that firmware assumes the key is cleared whereas hardware has a valid key. +This inconsistency between hardware and firmware leads to group addressed +packet drops. Only setting the same key again can restore a valid key in +firmware and allow packets to be transmitted. + +This issue remained latent because the host's clear key commands were +not effective in firmware until commit 436a4e886598 ("ath11k: clear the +keys properly via DISABLE_KEY"). That commit enabled the host to +explicitly clear group keys, which inadvertently exposed the race. + +To mitigate this, restrict group key clearing across all modes (AP, STA, +MESH). During rekey, the new key can simply be set on top of the previous +one, avoiding the need for a clear followed by a set. + +However, in AP mode specifically, permit group key clearing when no +stations are associated. This exception supports transitions from secure +modes (e.g., WPA2/WPA3) to open mode, during which all associated peers +are removed and the group key is cleared as part of the transition. + +Add a per-BSS station counter to track the presence of stations during +set key operations. 
Also add a reset_group_keys flag to track the key +re-installation state and avoid repeated installation of the same key +when the number of connected stations transitions to non-zero within a +rekey period. + +Additionally, for AP and Mesh modes, when the first station associates, +reinstall the same group key that was last set. This ensures that the +firmware recovers from any race that may have occurred during a previous +key clear when no stations were associated. + +This change ensures that key clearing is permitted only when no clients +are connected, avoiding packet loss while enabling dynamic security mode +transitions. + +Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.9.0.1-02146-QCAHKSWPL_SILICONZ-1 +Tested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41 + +Reported-by: Steffen Moser +Closes: https://lore.kernel.org/linux-wireless/c6366409-9928-4dd7-bf7b-ba7fcf20eabf@steffen-moser.de +Fixes: 436a4e886598 ("ath11k: clear the keys properly via DISABLE_KEY") +Signed-off-by: Rameshkumar Sundaram +Tested-by: Nicolas Escande +Reviewed-by: Vasanthakumar Thiagarajan +Link: https://patch.msgid.link/20250810170018.1124014-1-rameshkumar.sundaram@oss.qualcomm.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/core.h | 2 + + drivers/net/wireless/ath/ath11k/mac.c | 111 +++++++++++++++++++++++-- + 2 files changed, 104 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath11k/core.h b/drivers/net/wireless/ath/ath11k/core.h +index fea96620e0672..4bb36dc6ae08b 100644 +--- a/drivers/net/wireless/ath/ath11k/core.h ++++ b/drivers/net/wireless/ath/ath11k/core.h +@@ -365,6 +365,8 @@ struct ath11k_vif { + struct ieee80211_chanctx_conf chanctx; + struct ath11k_arp_ns_offload arp_ns_offload; + struct ath11k_rekey_data rekey_data; ++ u32 num_stations; ++ bool reinstall_group_keys; + + #ifdef CONFIG_ATH11K_DEBUGFS + struct dentry *debugfs_twt; +diff --git 
a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c +index eb295d092a33c..2921be9bd530c 100644 +--- a/drivers/net/wireless/ath/ath11k/mac.c ++++ b/drivers/net/wireless/ath/ath11k/mac.c +@@ -4205,6 +4205,40 @@ static int ath11k_clear_peer_keys(struct ath11k_vif *arvif, + return first_errno; + } + ++static int ath11k_set_group_keys(struct ath11k_vif *arvif) ++{ ++ struct ath11k *ar = arvif->ar; ++ struct ath11k_base *ab = ar->ab; ++ const u8 *addr = arvif->bssid; ++ int i, ret, first_errno = 0; ++ struct ath11k_peer *peer; ++ ++ spin_lock_bh(&ab->base_lock); ++ peer = ath11k_peer_find(ab, arvif->vdev_id, addr); ++ spin_unlock_bh(&ab->base_lock); ++ ++ if (!peer) ++ return -ENOENT; ++ ++ for (i = 0; i < ARRAY_SIZE(peer->keys); i++) { ++ struct ieee80211_key_conf *key = peer->keys[i]; ++ ++ if (!key || (key->flags & IEEE80211_KEY_FLAG_PAIRWISE)) ++ continue; ++ ++ ret = ath11k_install_key(arvif, key, SET_KEY, addr, ++ WMI_KEY_GROUP); ++ if (ret < 0 && first_errno == 0) ++ first_errno = ret; ++ ++ if (ret < 0) ++ ath11k_warn(ab, "failed to set group key of idx %d for vdev %d: %d\n", ++ i, arvif->vdev_id, ret); ++ } ++ ++ return first_errno; ++} ++ + static int ath11k_mac_op_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd, + struct ieee80211_vif *vif, struct ieee80211_sta *sta, + struct ieee80211_key_conf *key) +@@ -4214,6 +4248,7 @@ static int ath11k_mac_op_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd, + struct ath11k_vif *arvif = ath11k_vif_to_arvif(vif); + struct ath11k_peer *peer; + struct ath11k_sta *arsta; ++ bool is_ap_with_no_sta; + const u8 *peer_addr; + int ret = 0; + u32 flags = 0; +@@ -4274,16 +4309,57 @@ static int ath11k_mac_op_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd, + else + flags |= WMI_KEY_GROUP; + +- ret = ath11k_install_key(arvif, key, cmd, peer_addr, flags); +- if (ret) { +- ath11k_warn(ab, "ath11k_install_key failed (%d)\n", ret); +- goto exit; +- } ++ ath11k_dbg(ar->ab, ATH11K_DBG_MAC, ++ "%s 
for peer %pM on vdev %d flags 0x%X, type = %d, num_sta %d\n", ++ cmd == SET_KEY ? "SET_KEY" : "DEL_KEY", peer_addr, arvif->vdev_id, ++ flags, arvif->vdev_type, arvif->num_stations); ++ ++ /* Allow group key clearing only in AP mode when no stations are ++ * associated. There is a known race condition in firmware where ++ * group addressed packets may be dropped if the key is cleared ++ * and immediately set again during rekey. ++ * ++ * During GTK rekey, mac80211 issues a clear key (if the old key ++ * exists) followed by an install key operation for same key ++ * index. This causes ath11k to send two WMI commands in quick ++ * succession: one to clear the old key and another to install the ++ * new key in the same slot. ++ * ++ * Under certain conditions—especially under high load or time ++ * sensitive scenarios, firmware may process these commands ++ * asynchronously in a way that firmware assumes the key is ++ * cleared whereas hardware has a valid key. This inconsistency ++ * between hardware and firmware leads to group addressed packet ++ * drops after rekey. ++ * Only setting the same key again can restore a valid key in ++ * firmware and allow packets to be transmitted. ++ * ++ * There is a use case where an AP can transition from Secure mode ++ * to open mode without a vdev restart by just deleting all ++ * associated peers and clearing key, Hence allow clear key for ++ * that case alone. Mark arvif->reinstall_group_keys in such cases ++ * and reinstall the same key when the first peer is added, ++ * allowing firmware to recover from the race if it had occurred. 
++ */ + +- ret = ath11k_dp_peer_rx_pn_replay_config(arvif, peer_addr, cmd, key); +- if (ret) { +- ath11k_warn(ab, "failed to offload PN replay detection %d\n", ret); +- goto exit; ++ is_ap_with_no_sta = (vif->type == NL80211_IFTYPE_AP && ++ !arvif->num_stations); ++ if ((flags & WMI_KEY_PAIRWISE) || cmd == SET_KEY || is_ap_with_no_sta) { ++ ret = ath11k_install_key(arvif, key, cmd, peer_addr, flags); ++ if (ret) { ++ ath11k_warn(ab, "ath11k_install_key failed (%d)\n", ret); ++ goto exit; ++ } ++ ++ ret = ath11k_dp_peer_rx_pn_replay_config(arvif, peer_addr, cmd, key); ++ if (ret) { ++ ath11k_warn(ab, "failed to offload PN replay detection %d\n", ++ ret); ++ goto exit; ++ } ++ ++ if ((flags & WMI_KEY_GROUP) && cmd == SET_KEY && is_ap_with_no_sta) ++ arvif->reinstall_group_keys = true; + } + + spin_lock_bh(&ab->base_lock); +@@ -4876,6 +4952,7 @@ static int ath11k_mac_inc_num_stations(struct ath11k_vif *arvif, + return -ENOBUFS; + + ar->num_stations++; ++ arvif->num_stations++; + + return 0; + } +@@ -4891,6 +4968,7 @@ static void ath11k_mac_dec_num_stations(struct ath11k_vif *arvif, + return; + + ar->num_stations--; ++ arvif->num_stations--; + } + + static u32 ath11k_mac_ieee80211_sta_bw_to_wmi(struct ath11k *ar, +@@ -8887,6 +8965,21 @@ static int ath11k_mac_station_add(struct ath11k *ar, + goto exit; + } + ++ /* Driver allows the DEL KEY followed by SET KEY sequence for ++ * group keys for only when there is no clients associated, if at ++ * all firmware has entered the race during that window, ++ * reinstalling the same key when the first sta connects will allow ++ * firmware to recover from the race. 
++ */ ++ if (arvif->num_stations == 1 && arvif->reinstall_group_keys) { ++ ath11k_dbg(ab, ATH11K_DBG_MAC, "set group keys on 1st station add for vdev %d\n", ++ arvif->vdev_id); ++ ret = ath11k_set_group_keys(arvif); ++ if (ret) ++ goto dec_num_station; ++ arvif->reinstall_group_keys = false; ++ } ++ + arsta->rx_stats = kzalloc(sizeof(*arsta->rx_stats), GFP_KERNEL); + if (!arsta->rx_stats) { + ret = -ENOMEM; +-- +2.50.1 + diff --git a/queue-6.6/wifi-ath11k-introduce-and-use-ath11k_sta_to_arsta.patch b/queue-6.6/wifi-ath11k-introduce-and-use-ath11k_sta_to_arsta.patch new file mode 100644 index 0000000000..c48f8deda7 --- /dev/null +++ b/queue-6.6/wifi-ath11k-introduce-and-use-ath11k_sta_to_arsta.patch 
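Review bot: ath11k_set_group_keys() dereferences `peer` after ab->base_lock has been released (the loop over peer->keys[] runs unlocked), so it relies on the caller holding ar->conf_mutex to keep the peer alive; the only caller, ath11k_mac_station_add(), does (it has lockdep_assert_held(&ar->conf_mutex) at the top), but a matching lockdep_assert_held() in the helper would document that contract for the next caller. Separately, a missing bssid peer returns -ENOENT and station_add turns that into `goto dec_num_station`, so a station is refused because a best-effort recovery step could not run; consider logging and continuing with the add instead of failing it, since nothing about the new station depends on the reinstall having happened.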
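Review bot: the commit message says the last group key is reinstalled on first station add "for AP and Mesh modes", but `is_ap_with_no_sta` is computed only for NL80211_IFTYPE_AP and `arvif->reinstall_group_keys` is set only when it is true, so on a mesh vdev the group DISABLE_KEY is skipped and nothing is ever reinstalled; either the condition or the commit text should be aligned. The long comment in ath11k_mac_op_set_key() should also state the consequence of the skip explicitly: when a group DISABLE_KEY is dropped the function still returns 0 to mac80211 while firmware and hardware keep the previous GTK until the next SET_KEY on that index or a peer delete, which is the intended behaviour here but is exactly the "reported cleared, actually still installed" state a later reader will otherwise flag as a bug.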
@@ -0,0 +1,409 @@ +From 8f3bfdac964bafa920b94ec0fb7206814dbdff34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Oct 2023 09:39:42 -0700 +Subject: wifi: ath11k: Introduce and use ath11k_sta_to_arsta() + +From: Jeff Johnson + +[ Upstream commit 10c65f97b424fcee439463f933140df2a0022f98 ] + +Currently, the logic to return an ath11k_sta pointer, given a +ieee80211_sta pointer, uses typecasting throughout the driver. In +general, conversion functions are preferable to typecasting since +using a conversion function allows the compiler to validate the types +of both the input and output parameters. + +ath11k already defines a conversion function ath11k_vif_to_arvif() for +a similar conversion. So introduce ath11k_sta_to_arsta() for this use +case, and convert all of the existing typecasting to use this +function. + +No functional changes, compile tested only. + +Signed-off-by: Jeff Johnson +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20231009-ath11k_sta_to_arsta-v1-1-1563e3a307e8@quicinc.com +Stable-dep-of: 97acb0259cc9 ("wifi: ath11k: fix group data packet drops during rekey") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/core.h | 5 ++++ + drivers/net/wireless/ath/ath11k/debugfs.c | 4 +-- + drivers/net/wireless/ath/ath11k/debugfs_sta.c | 30 +++++++++---------- + drivers/net/wireless/ath/ath11k/dp_rx.c | 8 ++--- + drivers/net/wireless/ath/ath11k/dp_tx.c | 4 +-- + drivers/net/wireless/ath/ath11k/mac.c | 18 +++++------ + drivers/net/wireless/ath/ath11k/peer.c | 2 +- + drivers/net/wireless/ath/ath11k/wmi.c | 6 ++-- + 8 files changed, 41 insertions(+), 36 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath11k/core.h b/drivers/net/wireless/ath/ath11k/core.h +index 812a174f74c0b..fea96620e0672 100644 +--- a/drivers/net/wireless/ath/ath11k/core.h ++++ b/drivers/net/wireless/ath/ath11k/core.h +@@ -1234,6 +1234,11 @@ static inline struct ath11k_vif *ath11k_vif_to_arvif(struct ieee80211_vif *vif) + return (struct ath11k_vif 
*)vif->drv_priv; + } + ++static inline struct ath11k_sta *ath11k_sta_to_arsta(struct ieee80211_sta *sta) ++{ ++ return (struct ath11k_sta *)sta->drv_priv; ++} ++ + static inline struct ath11k *ath11k_ab_to_ar(struct ath11k_base *ab, + int mac_id) + { +diff --git a/drivers/net/wireless/ath/ath11k/debugfs.c b/drivers/net/wireless/ath/ath11k/debugfs.c +index 50bc17127e68a..4304fed44d583 100644 +--- a/drivers/net/wireless/ath/ath11k/debugfs.c ++++ b/drivers/net/wireless/ath/ath11k/debugfs.c +@@ -1452,7 +1452,7 @@ static void ath11k_reset_peer_ps_duration(void *data, + struct ieee80211_sta *sta) + { + struct ath11k *ar = data; +- struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv; ++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta); + + spin_lock_bh(&ar->data_lock); + arsta->ps_total_duration = 0; +@@ -1503,7 +1503,7 @@ static void ath11k_peer_ps_state_disable(void *data, + struct ieee80211_sta *sta) + { + struct ath11k *ar = data; +- struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv; ++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta); + + spin_lock_bh(&ar->data_lock); + arsta->peer_ps_state = WMI_PEER_PS_STATE_DISABLED; +diff --git a/drivers/net/wireless/ath/ath11k/debugfs_sta.c b/drivers/net/wireless/ath/ath11k/debugfs_sta.c +index 168879a380cb2..f56a24b6c8da2 100644 +--- a/drivers/net/wireless/ath/ath11k/debugfs_sta.c ++++ b/drivers/net/wireless/ath/ath11k/debugfs_sta.c +@@ -137,7 +137,7 @@ static ssize_t ath11k_dbg_sta_dump_tx_stats(struct file *file, + size_t count, loff_t *ppos) + { + struct ieee80211_sta *sta = file->private_data; +- struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv; ++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta); + struct ath11k *ar = arsta->arvif->ar; + struct ath11k_htt_data_stats *stats; + static const char *str_name[ATH11K_STATS_TYPE_MAX] = {"succ", "fail", +@@ -244,7 +244,7 @@ static ssize_t ath11k_dbg_sta_dump_rx_stats(struct file *file, + size_t count, loff_t *ppos) + { + struct 
ieee80211_sta *sta = file->private_data; +- struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv; ++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta); + struct ath11k *ar = arsta->arvif->ar; + struct ath11k_rx_peer_stats *rx_stats = arsta->rx_stats; + int len = 0, i, retval = 0; +@@ -341,7 +341,7 @@ static int + ath11k_dbg_sta_open_htt_peer_stats(struct inode *inode, struct file *file) + { + struct ieee80211_sta *sta = inode->i_private; +- struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv; ++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta); + struct ath11k *ar = arsta->arvif->ar; + struct debug_htt_stats_req *stats_req; + int type = ar->debug.htt_stats.type; +@@ -377,7 +377,7 @@ static int + ath11k_dbg_sta_release_htt_peer_stats(struct inode *inode, struct file *file) + { + struct ieee80211_sta *sta = inode->i_private; +- struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv; ++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta); + struct ath11k *ar = arsta->arvif->ar; + + mutex_lock(&ar->conf_mutex); +@@ -414,7 +414,7 @@ static ssize_t ath11k_dbg_sta_write_peer_pktlog(struct file *file, + size_t count, loff_t *ppos) + { + struct ieee80211_sta *sta = file->private_data; +- struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv; ++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta); + struct ath11k *ar = arsta->arvif->ar; + int ret, enable; + +@@ -454,7 +454,7 @@ static ssize_t ath11k_dbg_sta_read_peer_pktlog(struct file *file, + size_t count, loff_t *ppos) + { + struct ieee80211_sta *sta = file->private_data; +- struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv; ++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta); + struct ath11k *ar = arsta->arvif->ar; + char buf[32] = {0}; + int len; +@@ -481,7 +481,7 @@ static ssize_t ath11k_dbg_sta_write_delba(struct file *file, + size_t count, loff_t *ppos) + { + struct ieee80211_sta *sta = file->private_data; +- struct ath11k_sta *arsta = (struct ath11k_sta 
*)sta->drv_priv; ++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta); + struct ath11k *ar = arsta->arvif->ar; + u32 tid, initiator, reason; + int ret; +@@ -532,7 +532,7 @@ static ssize_t ath11k_dbg_sta_write_addba_resp(struct file *file, + size_t count, loff_t *ppos) + { + struct ieee80211_sta *sta = file->private_data; +- struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv; ++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta); + struct ath11k *ar = arsta->arvif->ar; + u32 tid, status; + int ret; +@@ -582,7 +582,7 @@ static ssize_t ath11k_dbg_sta_write_addba(struct file *file, + size_t count, loff_t *ppos) + { + struct ieee80211_sta *sta = file->private_data; +- struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv; ++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta); + struct ath11k *ar = arsta->arvif->ar; + u32 tid, buf_size; + int ret; +@@ -633,7 +633,7 @@ static ssize_t ath11k_dbg_sta_read_aggr_mode(struct file *file, + size_t count, loff_t *ppos) + { + struct ieee80211_sta *sta = file->private_data; +- struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv; ++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta); + struct ath11k *ar = arsta->arvif->ar; + char buf[64]; + int len = 0; +@@ -653,7 +653,7 @@ static ssize_t ath11k_dbg_sta_write_aggr_mode(struct file *file, + size_t count, loff_t *ppos) + { + struct ieee80211_sta *sta = file->private_data; +- struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv; ++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta); + struct ath11k *ar = arsta->arvif->ar; + u32 aggr_mode; + int ret; +@@ -698,7 +698,7 @@ ath11k_write_htt_peer_stats_reset(struct file *file, + size_t count, loff_t *ppos) + { + struct ieee80211_sta *sta = file->private_data; +- struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv; ++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta); + struct ath11k *ar = arsta->arvif->ar; + struct htt_ext_stats_cfg_params cfg_params = { 0 }; + int ret; +@@ -757,7 
+757,7 @@ static ssize_t ath11k_dbg_sta_read_peer_ps_state(struct file *file, + size_t count, loff_t *ppos) + { + struct ieee80211_sta *sta = file->private_data; +- struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv; ++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta); + struct ath11k *ar = arsta->arvif->ar; + char buf[20]; + int len; +@@ -784,7 +784,7 @@ static ssize_t ath11k_dbg_sta_read_current_ps_duration(struct file *file, + loff_t *ppos) + { + struct ieee80211_sta *sta = file->private_data; +- struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv; ++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta); + struct ath11k *ar = arsta->arvif->ar; + u64 time_since_station_in_power_save; + char buf[20]; +@@ -818,7 +818,7 @@ static ssize_t ath11k_dbg_sta_read_total_ps_duration(struct file *file, + size_t count, loff_t *ppos) + { + struct ieee80211_sta *sta = file->private_data; +- struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv; ++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta); + struct ath11k *ar = arsta->arvif->ar; + char buf[20]; + u64 power_save_duration; +diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c +index 33b9764eaa916..8cc51ab699de7 100644 +--- a/drivers/net/wireless/ath/ath11k/dp_rx.c ++++ b/drivers/net/wireless/ath/ath11k/dp_rx.c +@@ -1100,7 +1100,7 @@ int ath11k_dp_rx_ampdu_start(struct ath11k *ar, + struct ieee80211_ampdu_params *params) + { + struct ath11k_base *ab = ar->ab; +- struct ath11k_sta *arsta = (void *)params->sta->drv_priv; ++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(params->sta); + int vdev_id = arsta->arvif->vdev_id; + int ret; + +@@ -1118,7 +1118,7 @@ int ath11k_dp_rx_ampdu_stop(struct ath11k *ar, + { + struct ath11k_base *ab = ar->ab; + struct ath11k_peer *peer; +- struct ath11k_sta *arsta = (void *)params->sta->drv_priv; ++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(params->sta); + int vdev_id = arsta->arvif->vdev_id; + dma_addr_t paddr; + 
bool active; +@@ -1460,7 +1460,7 @@ ath11k_update_per_peer_tx_stats(struct ath11k *ar, + } + + sta = peer->sta; +- arsta = (struct ath11k_sta *)sta->drv_priv; ++ arsta = ath11k_sta_to_arsta(sta); + + memset(&arsta->txrate, 0, sizeof(arsta->txrate)); + +@@ -5269,7 +5269,7 @@ int ath11k_dp_rx_process_mon_status(struct ath11k_base *ab, int mac_id, + goto next_skb; + } + +- arsta = (struct ath11k_sta *)peer->sta->drv_priv; ++ arsta = ath11k_sta_to_arsta(peer->sta); + ath11k_dp_rx_update_peer_stats(arsta, ppdu_info); + + if (ath11k_debugfs_is_pktlog_peer_valid(ar, peer->addr)) +diff --git a/drivers/net/wireless/ath/ath11k/dp_tx.c b/drivers/net/wireless/ath/ath11k/dp_tx.c +index 7dd1ee5898017..c1072e66e3e8f 100644 +--- a/drivers/net/wireless/ath/ath11k/dp_tx.c ++++ b/drivers/net/wireless/ath/ath11k/dp_tx.c +@@ -467,7 +467,7 @@ void ath11k_dp_tx_update_txcompl(struct ath11k *ar, struct hal_tx_status *ts) + } + + sta = peer->sta; +- arsta = (struct ath11k_sta *)sta->drv_priv; ++ arsta = ath11k_sta_to_arsta(sta); + + memset(&arsta->txrate, 0, sizeof(arsta->txrate)); + pkt_type = FIELD_GET(HAL_TX_RATE_STATS_INFO0_PKT_TYPE, +@@ -627,7 +627,7 @@ static void ath11k_dp_tx_complete_msdu(struct ath11k *ar, + ieee80211_free_txskb(ar->hw, msdu); + return; + } +- arsta = (struct ath11k_sta *)peer->sta->drv_priv; ++ arsta = ath11k_sta_to_arsta(peer->sta); + status.sta = peer->sta; + status.skb = msdu; + status.info = info; +diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c +index 9df3f6449f768..cc9c09d05f63f 100644 +--- a/drivers/net/wireless/ath/ath11k/mac.c ++++ b/drivers/net/wireless/ath/ath11k/mac.c +@@ -2828,7 +2828,7 @@ static void ath11k_peer_assoc_prepare(struct ath11k *ar, + + lockdep_assert_held(&ar->conf_mutex); + +- arsta = (struct ath11k_sta *)sta->drv_priv; ++ arsta = ath11k_sta_to_arsta(sta); + + memset(arg, 0, sizeof(*arg)); + +@@ -4311,7 +4311,7 @@ static int ath11k_mac_op_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd, 
+ ath11k_warn(ab, "peer %pM disappeared!\n", peer_addr); + + if (sta) { +- arsta = (struct ath11k_sta *)sta->drv_priv; ++ arsta = ath11k_sta_to_arsta(sta); + + switch (key->cipher) { + case WLAN_CIPHER_SUITE_TKIP: +@@ -4902,7 +4902,7 @@ static int ath11k_mac_station_add(struct ath11k *ar, + { + struct ath11k_base *ab = ar->ab; + struct ath11k_vif *arvif = ath11k_vif_to_arvif(vif); +- struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv; ++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta); + struct peer_create_params peer_param; + int ret; + +@@ -5026,7 +5026,7 @@ static int ath11k_mac_op_sta_state(struct ieee80211_hw *hw, + { + struct ath11k *ar = hw->priv; + struct ath11k_vif *arvif = ath11k_vif_to_arvif(vif); +- struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv; ++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta); + struct ath11k_peer *peer; + int ret = 0; + +@@ -5192,7 +5192,7 @@ static void ath11k_mac_op_sta_set_4addr(struct ieee80211_hw *hw, + struct ieee80211_sta *sta, bool enabled) + { + struct ath11k *ar = hw->priv; +- struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv; ++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta); + + if (enabled && !arsta->use_4addr_set) { + ieee80211_queue_work(ar->hw, &arsta->set_4addr_wk); +@@ -5206,7 +5206,7 @@ static void ath11k_mac_op_sta_rc_update(struct ieee80211_hw *hw, + u32 changed) + { + struct ath11k *ar = hw->priv; +- struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv; ++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta); + struct ath11k_vif *arvif = ath11k_vif_to_arvif(vif); + struct ath11k_peer *peer; + u32 bw, smps; +@@ -6204,7 +6204,7 @@ static void ath11k_mac_op_tx(struct ieee80211_hw *hw, + } + + if (control->sta) +- arsta = (struct ath11k_sta *)control->sta->drv_priv; ++ arsta = ath11k_sta_to_arsta(control->sta); + + ret = ath11k_dp_tx(ar, arvif, arsta, skb); + if (unlikely(ret)) { +@@ -8228,7 +8228,7 @@ static void ath11k_mac_set_bitrate_mask_iter(void 
*data, + struct ieee80211_sta *sta) + { + struct ath11k_vif *arvif = data; +- struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv; ++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta); + struct ath11k *ar = arvif->ar; + + spin_lock_bh(&ar->data_lock); +@@ -8632,7 +8632,7 @@ static void ath11k_mac_op_sta_statistics(struct ieee80211_hw *hw, + struct ieee80211_sta *sta, + struct station_info *sinfo) + { +- struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv; ++ struct ath11k_sta *arsta = ath11k_sta_to_arsta(sta); + struct ath11k *ar = arsta->arvif->ar; + s8 signal; + bool db2dbm = test_bit(WMI_TLV_SERVICE_HW_DB2DBM_CONVERSION_SUPPORT, +diff --git a/drivers/net/wireless/ath/ath11k/peer.c b/drivers/net/wireless/ath/ath11k/peer.c +index ca719eb3f7f82..6d0126c393018 100644 +--- a/drivers/net/wireless/ath/ath11k/peer.c ++++ b/drivers/net/wireless/ath/ath11k/peer.c +@@ -446,7 +446,7 @@ int ath11k_peer_create(struct ath11k *ar, struct ath11k_vif *arvif, + peer->sec_type_grp = HAL_ENCRYPT_TYPE_OPEN; + + if (sta) { +- arsta = (struct ath11k_sta *)sta->drv_priv; ++ arsta = ath11k_sta_to_arsta(sta); + arsta->tcl_metadata |= FIELD_PREP(HTT_TCL_META_DATA_TYPE, 0) | + FIELD_PREP(HTT_TCL_META_DATA_PEER_ID, + peer->peer_id); +diff --git a/drivers/net/wireless/ath/ath11k/wmi.c b/drivers/net/wireless/ath/ath11k/wmi.c +index 9a829b8282420..31dbabc9eaf33 100644 +--- a/drivers/net/wireless/ath/ath11k/wmi.c ++++ b/drivers/net/wireless/ath/ath11k/wmi.c +@@ -6452,7 +6452,7 @@ static int ath11k_wmi_tlv_rssi_chain_parse(struct ath11k_base *ab, + goto exit; + } + +- arsta = (struct ath11k_sta *)sta->drv_priv; ++ arsta = ath11k_sta_to_arsta(sta); + + BUILD_BUG_ON(ARRAY_SIZE(arsta->chain_signal) > + ARRAY_SIZE(stats_rssi->rssi_avg_beacon)); +@@ -6540,7 +6540,7 @@ static int ath11k_wmi_tlv_fw_stats_data_parse(struct ath11k_base *ab, + arvif->bssid, + NULL); + if (sta) { +- arsta = (struct ath11k_sta *)sta->drv_priv; ++ arsta = ath11k_sta_to_arsta(sta); + arsta->rssi_beacon = 
src->beacon_snr; + ath11k_dbg(ab, ATH11K_DBG_WMI, + "stats vdev id %d snr %d\n", +@@ -7469,7 +7469,7 @@ static void ath11k_wmi_event_peer_sta_ps_state_chg(struct ath11k_base *ab, + goto exit; + } + +- arsta = (struct ath11k_sta *)sta->drv_priv; ++ arsta = ath11k_sta_to_arsta(sta); + + spin_lock_bh(&ar->data_lock); + +-- +2.50.1 + diff --git a/queue-6.6/wifi-ath11k-rename-ath11k_start_vdev_delay.patch b/queue-6.6/wifi-ath11k-rename-ath11k_start_vdev_delay.patch new file mode 100644 index 0000000000..85016a5213 --- /dev/null +++ b/queue-6.6/wifi-ath11k-rename-ath11k_start_vdev_delay.patch 
@@ -0,0 +1,65 @@ +From 9b9727e20927444f04d29238fcd2a7a1aea83c32 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Jan 2024 10:56:58 +0800 +Subject: wifi: ath11k: rename ath11k_start_vdev_delay() + +From: Baochen Qiang + +[ Upstream commit 629642fa8b25b8dfecefc9e2177a44c009858da7 ] + +Rename ath11k_start_vdev_delay() as ath11k_mac_start_vdev_delay() +to follow naming convention. + +Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1 +Tested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.23 +Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1 +Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1 + +Signed-off-by: Baochen Qiang +Acked-by: Jeff Johnson +Signed-off-by: Kalle Valo +Link: https://msgid.link/20240123025700.2929-3-quic_bqiang@quicinc.com +Stable-dep-of: 97acb0259cc9 ("wifi: ath11k: fix group data packet drops during rekey") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/mac.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c +index cc9c09d05f63f..58cc079f0df4a 100644 +--- a/drivers/net/wireless/ath/ath11k/mac.c ++++ b/drivers/net/wireless/ath/ath11k/mac.c +@@ -254,8 +254,8 @@ static const u32 ath11k_smps_map[] = { + [WLAN_HT_CAP_SM_PS_DISABLED] = WMI_PEER_SMPS_PS_NONE, + }; + +-static int ath11k_start_vdev_delay(struct ieee80211_hw *hw, +- struct ieee80211_vif *vif); ++static int ath11k_mac_start_vdev_delay(struct ieee80211_hw *hw, ++ struct ieee80211_vif *vif); + + enum nl80211_he_ru_alloc ath11k_mac_phy_he_ru_to_nl80211_he_ru_alloc(u16 ru_phy) + { +@@ -4966,7 +4966,7 @@ static int ath11k_mac_station_add(struct ath11k *ar, + if (ab->hw_params.vdev_start_delay && + !arvif->is_started && + arvif->vdev_type != WMI_VDEV_TYPE_AP) { +- ret = ath11k_start_vdev_delay(ar->hw, vif); ++ ret = ath11k_mac_start_vdev_delay(ar->hw, vif); + if 
(ret) { + ath11k_warn(ab, "failed to delay vdev start: %d\n", ret); + goto free_tx_stats; +@@ -7546,8 +7546,8 @@ static void ath11k_mac_op_change_chanctx(struct ieee80211_hw *hw, + mutex_unlock(&ar->conf_mutex); + } + +-static int ath11k_start_vdev_delay(struct ieee80211_hw *hw, +- struct ieee80211_vif *vif) ++static int ath11k_mac_start_vdev_delay(struct ieee80211_hw *hw, ++ struct ieee80211_vif *vif) + { + struct ath11k *ar = hw->priv; + struct ath11k_base *ab = ar->ab; +-- +2.50.1 + diff --git a/queue-6.6/wifi-brcmfmac-fix-use-after-free-when-rescheduling-b.patch b/queue-6.6/wifi-brcmfmac-fix-use-after-free-when-rescheduling-b.patch new file mode 100644 index 0000000000..aa90728501 --- /dev/null +++ b/queue-6.6/wifi-brcmfmac-fix-use-after-free-when-rescheduling-b.patch 
@@ -0,0 +1,106 @@ +From fe3316f1303f1aa1a45f13e462cc9f6498b731a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Aug 2025 13:08:39 +0800 +Subject: wifi: brcmfmac: fix use-after-free when rescheduling + brcmf_btcoex_info work +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Duoming Zhou + +[ Upstream commit 9cb83d4be0b9b697eae93d321e0da999f9cdfcfc ] + +The brcmf_btcoex_detach() only shuts down the btcoex timer, if the +flag timer_on is false. However, the brcmf_btcoex_timerfunc(), which +runs as timer handler, sets timer_on to false. This creates critical +race conditions: + +1.If brcmf_btcoex_detach() is called while brcmf_btcoex_timerfunc() +is executing, it may observe timer_on as false and skip the call to +timer_shutdown_sync(). + +2.The brcmf_btcoex_timerfunc() may then reschedule the brcmf_btcoex_info +worker after the cancel_work_sync() has been executed, resulting in +use-after-free bugs. + +The use-after-free bugs occur in two distinct scenarios, depending on +the timing of when the brcmf_btcoex_info struct is freed relative to +the execution of its worker thread. + +Scenario 1: Freed before the worker is scheduled + +The brcmf_btcoex_info is deallocated before the worker is scheduled. +A race condition can occur when schedule_work(&bt_local->work) is +called after the target memory has been freed. The sequence of events +is detailed below: + +CPU0 | CPU1 +brcmf_btcoex_detach | brcmf_btcoex_timerfunc + | bt_local->timer_on = false; + if (cfg->btcoex->timer_on) | + ... | + cancel_work_sync(); | + ... | + kfree(cfg->btcoex); // FREE | + | schedule_work(&bt_local->work); // USE + +Scenario 2: Freed after the worker is scheduled + +The brcmf_btcoex_info is freed after the worker has been scheduled +but before or during its execution. 
In this case, statements within +the brcmf_btcoex_handler() — such as the container_of macro and +subsequent dereferences of the brcmf_btcoex_info object will cause +a use-after-free access. The following timeline illustrates this +scenario: + +CPU0 | CPU1 +brcmf_btcoex_detach | brcmf_btcoex_timerfunc + | bt_local->timer_on = false; + if (cfg->btcoex->timer_on) | + ... | + cancel_work_sync(); | + ... | schedule_work(); // Reschedule + | + kfree(cfg->btcoex); // FREE | brcmf_btcoex_handler() // Worker + /* | btci = container_of(....); // USE + The kfree() above could | ... + also occur at any point | btci-> // USE + during the worker's execution| + */ | + +To resolve the race conditions, drop the conditional check and call +timer_shutdown_sync() directly. It can deactivate the timer reliably, +regardless of its current state. Once stopped, the timer_on state is +then set to false. + +Fixes: 61730d4dfffc ("brcmfmac: support critical protocol API for DHCP") +Acked-by: Arend van Spriel +Signed-off-by: Duoming Zhou +Link: https://patch.msgid.link/20250822050839.4413-1-duoming@zju.edu.cn +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c +index 00794086cc7c9..bf80675667ba3 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c +@@ -392,10 +392,8 @@ void brcmf_btcoex_detach(struct brcmf_cfg80211_info *cfg) + if (!cfg->btcoex) + return; + +- if (cfg->btcoex->timer_on) { +- cfg->btcoex->timer_on = false; +- timer_shutdown_sync(&cfg->btcoex->timer); +- } ++ timer_shutdown_sync(&cfg->btcoex->timer); ++ cfg->btcoex->timer_on = false; + + cancel_work_sync(&cfg->btcoex->work); + +-- +2.50.1 + 
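Review bot: the ordering in this hunk is load-bearing and deserves a one-line comment: `timer_shutdown_sync(&cfg->btcoex->timer);` must stay ahead of `cancel_work_sync(&cfg->btcoex->work);`, because brcmf_btcoex_timerfunc() is what re-queues the work, and only a shut-down timer (after which any re-arm is a no-op) guarantees nothing schedules the work again once it has been cancelled; swapping the two calls would reopen Scenario 1 from the commit message. Minor documentation point: the message says the old code shut the timer down "if the flag timer_on is false", but the removed check is `if (cfg->btcoex->timer_on)`, i.e. the shutdown was skipped when the flag was false.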
diff --git a/queue-6.6/wifi-cfg80211-fix-use-after-free-in-cmp_bss.patch b/queue-6.6/wifi-cfg80211-fix-use-after-free-in-cmp_bss.patch new file mode 100644 index 0000000000..b8b82747dd --- /dev/null +++ b/queue-6.6/wifi-cfg80211-fix-use-after-free-in-cmp_bss.patch @@ -0,0 +1,43 @@ +From b24cc3c45050fc3ecf18c3c8d15ae269878e505b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Aug 2025 16:52:36 +0300 +Subject: wifi: cfg80211: fix use-after-free in cmp_bss() + +From: Dmitry Antipov + +[ Upstream commit 26e84445f02ce6b2fe5f3e0e28ff7add77f35e08 ] + +Following bss_free() quirk introduced in commit 776b3580178f +("cfg80211: track hidden SSID networks properly"), adjust +cfg80211_update_known_bss() to free the last beacon frame +elements only if they're not shared via the corresponding +'hidden_beacon_bss' pointer. + +Reported-by: syzbot+30754ca335e6fb7e3092@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=30754ca335e6fb7e3092 +Fixes: 3ab8227d3e7d ("cfg80211: refactor cfg80211_bss_update") +Signed-off-by: Dmitry Antipov +Link: https://patch.msgid.link/20250813135236.799384-1-dmantipov@yandex.ru +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/scan.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/wireless/scan.c b/net/wireless/scan.c +index 6db8c9a2a7a2b..c1d64e2504548 100644 +--- a/net/wireless/scan.c ++++ b/net/wireless/scan.c +@@ -1807,7 +1807,8 @@ cfg80211_update_known_bss(struct cfg80211_registered_device *rdev, + */ + + f = rcu_access_pointer(new->pub.beacon_ies); +- kfree_rcu((struct cfg80211_bss_ies *)f, rcu_head); ++ if (!new->pub.hidden_beacon_bss) ++ kfree_rcu((struct cfg80211_bss_ies *)f, rcu_head); + return false; + } + +-- +2.50.1 + diff --git a/queue-6.6/wifi-cfg80211-sme-cap-ssid-length-in-__cfg80211_conn.patch b/queue-6.6/wifi-cfg80211-sme-cap-ssid-length-in-__cfg80211_conn.patch new file mode 100644 index 0000000000..adcb0b9c28 --- /dev/null 
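Review bot: with the free now conditional, `f = rcu_access_pointer(new->pub.beacon_ies);` is computed and left unused on the hidden-SSID path; move the read under the new `if (!new->pub.hidden_beacon_bss)` and add a short comment that beacon_ies is borrowed from the hidden BSS in that case (the same ownership rule bss_free() follows, per the commit message's reference to 776b3580178f), otherwise the next reader may "simplify" the condition away and reintroduce the double free that syzbot hit in cmp_bss().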
+++ b/queue-6.6/wifi-cfg80211-sme-cap-ssid-length-in-__cfg80211_conn.patch @@ -0,0 +1,46 @@ +From ac21dbbd4574988cf087ebb7466e2e1dcba18cf3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Aug 2025 15:48:45 +0300 +Subject: wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result() + +From: Dan Carpenter + +[ Upstream commit 62b635dcd69c4fde7ce1de4992d71420a37e51e3 ] + +If the ssid->datalen is more than IEEE80211_MAX_SSID_LEN (32) it would +lead to memory corruption so add some bounds checking. + +Fixes: c38c70185101 ("wifi: cfg80211: Set SSID if it is not already set") +Signed-off-by: Dan Carpenter +Link: https://patch.msgid.link/0aaaae4a3ed37c6252363c34ae4904b1604e8e32.1756456951.git.dan.carpenter@linaro.org +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/sme.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/wireless/sme.c b/net/wireless/sme.c +index 70881782c25c6..5904c869085c8 100644 +--- a/net/wireless/sme.c ++++ b/net/wireless/sme.c +@@ -915,13 +915,16 @@ void __cfg80211_connect_result(struct net_device *dev, + if (!wdev->u.client.ssid_len) { + rcu_read_lock(); + for_each_valid_link(cr, link) { ++ u32 ssid_len; ++ + ssid = ieee80211_bss_get_elem(cr->links[link].bss, + WLAN_EID_SSID); + + if (!ssid || !ssid->datalen) + continue; + +- memcpy(wdev->u.client.ssid, ssid->data, ssid->datalen); ++ ssid_len = min(ssid->datalen, IEEE80211_MAX_SSID_LEN); ++ memcpy(wdev->u.client.ssid, ssid->data, ssid_len); + wdev->u.client.ssid_len = ssid->datalen; + break; + } +-- +2.50.1 + diff --git a/queue-6.6/wifi-cw1200-cap-ssid-length-in-cw1200_do_join.patch b/queue-6.6/wifi-cw1200-cap-ssid-length-in-cw1200_do_join.patch new file mode 100644 index 0000000000..dad970b5a0 --- /dev/null +++ b/queue-6.6/wifi-cw1200-cap-ssid-length-in-cw1200_do_join.patch 
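Review bot: the cap is applied to the copy but not to the recorded length: two lines below the new memcpy, `wdev->u.client.ssid_len = ssid->datalen;` still stores the uncapped value, so an SSID element longer than IEEE80211_MAX_SSID_LEN leaves ssid_len larger than the 32-byte ssid buffer and any consumer that copies ssid_len bytes out of wdev->u.client.ssid over-reads; suggest `wdev->u.client.ssid_len = ssid_len;` so the length and the buffer contents agree.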
@@ -0,0 +1,36 @@ +From abf4b9f99f11f1e43bb5a4b2987274dcefe00e95 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Aug 2025 15:48:28 +0300 +Subject: wifi: cw1200: cap SSID length in cw1200_do_join() + +From: Dan Carpenter + +[ Upstream commit f8f15f6742b8874e59c9c715d0af3474608310ad ] + +If the ssidie[1] length is more that 32 it leads to memory corruption. + +Fixes: a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets") +Signed-off-by: Dan Carpenter +Link: https://patch.msgid.link/e91fb43fcedc4893b604dfb973131661510901a7.1756456951.git.dan.carpenter@linaro.org +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/st/cw1200/sta.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/st/cw1200/sta.c b/drivers/net/wireless/st/cw1200/sta.c +index 8ef1d06b9bbdd..121d810c8839e 100644 +--- a/drivers/net/wireless/st/cw1200/sta.c ++++ b/drivers/net/wireless/st/cw1200/sta.c +@@ -1290,7 +1290,7 @@ static void cw1200_do_join(struct cw1200_common *priv) + rcu_read_lock(); + ssidie = ieee80211_bss_get_ie(bss, WLAN_EID_SSID); + if (ssidie) { +- join.ssid_len = ssidie[1]; ++ join.ssid_len = min(ssidie[1], IEEE80211_MAX_SSID_LEN); + memcpy(join.ssid, &ssidie[2], join.ssid_len); + } + rcu_read_unlock(); +-- +2.50.1 + diff --git a/queue-6.6/wifi-libertas-cap-ssid-len-in-lbs_associate.patch b/queue-6.6/wifi-libertas-cap-ssid-len-in-lbs_associate.patch new file mode 100644 index 0000000000..220bd2a3f8 --- /dev/null +++ b/queue-6.6/wifi-libertas-cap-ssid-len-in-lbs_associate.patch 
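Review bot: `join.ssid_len = min(ssidie[1], IEEE80211_MAX_SSID_LEN);` bounds the memcpy into join.ssid, which is the important part, but it silently truncates an over-long SSID and still sends the join to firmware; an SSID element with ssidie[1] > IEEE80211_MAX_SSID_LEN is malformed and a truncated SSID cannot match the target BSS, so consider handling it like the missing-SSID case (skip the copy, optionally log) rather than joining with a truncated name. At minimum a comment on why the length is clamped would help the next reader.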
@@ -0,0 +1,44 @@ +From 9354ed5c2c56a71759e90343f23bc27164d29e0a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Aug 2025 15:48:35 +0300 +Subject: wifi: libertas: cap SSID len in lbs_associate() + +From: Dan Carpenter + +[ Upstream commit c786794bd27b0d7a5fd9063695df83206009be59 ] + +If the ssid_eid[1] length is more that 32 it leads to memory corruption. + +Fixes: a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets") +Signed-off-by: Dan Carpenter +Link: https://patch.msgid.link/2a40f5ec7617144aef412034c12919a4927d90ad.1756456951.git.dan.carpenter@linaro.org +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/libertas/cfg.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/marvell/libertas/cfg.c b/drivers/net/wireless/marvell/libertas/cfg.c +index b700c213d10c4..38ad49033d0ba 100644 +--- a/drivers/net/wireless/marvell/libertas/cfg.c ++++ b/drivers/net/wireless/marvell/libertas/cfg.c +@@ -1150,10 +1150,13 @@ static int lbs_associate(struct lbs_private *priv, + /* add SSID TLV */ + rcu_read_lock(); + ssid_eid = ieee80211_bss_get_ie(bss, WLAN_EID_SSID); +- if (ssid_eid) +- pos += lbs_add_ssid_tlv(pos, ssid_eid + 2, ssid_eid[1]); +- else ++ if (ssid_eid) { ++ u32 ssid_len = min(ssid_eid[1], IEEE80211_MAX_SSID_LEN); ++ ++ pos += lbs_add_ssid_tlv(pos, ssid_eid + 2, ssid_len); ++ } else { + lbs_deb_assoc("no SSID\n"); ++ } + rcu_read_unlock(); + + /* add DS param TLV */ +-- +2.50.1 + diff --git a/queue-6.6/xirc2ps_cs-fix-register-access-when-enabling-fulldup.patch b/queue-6.6/xirc2ps_cs-fix-register-access-when-enabling-fulldup.patch new file mode 100644 index 0000000000..43be90b252 --- /dev/null +++ b/queue-6.6/xirc2ps_cs-fix-register-access-when-enabling-fulldup.patch 
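Review bot: the Fixes: tag does not match this file: `Fixes: a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets")` names the cw1200 driver commit (apparently carried over from the sibling cw1200 patch), while the hunk touches drivers/net/wireless/marvell/libertas/cfg.c; it should reference the libertas commit that introduced the SSID TLV copy in lbs_associate() so stable tooling selects the right trees. Code-wise, `u32 ssid_len = min(ssid_eid[1], IEEE80211_MAX_SSID_LEN);` bounds the copy correctly and the braces added around the else branch keep the style consistent.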
@@ -0,0 +1,44 @@ +From 0ca3d89b4d1d848854391aa129475f036b71a1c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Aug 2025 12:26:43 -0700 +Subject: xirc2ps_cs: fix register access when enabling FullDuplex + +From: Alok Tiwari + +[ Upstream commit b79e498080b170fd94fc83bca2471f450811549b ] + +The current code incorrectly passes (XIRCREG1_ECR | FullDuplex) as +the register address to GetByte(), instead of fetching the register +value and OR-ing it with FullDuplex. This results in an invalid +register access. + +Fix it by reading XIRCREG1_ECR first, then or-ing with FullDuplex +before writing it back. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Alok Tiwari +Reviewed-by: Simon Horman +Reviewed-by: Jacob Keller +Link: https://patch.msgid.link/20250827192645.658496-1-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/xircom/xirc2ps_cs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/xircom/xirc2ps_cs.c b/drivers/net/ethernet/xircom/xirc2ps_cs.c +index 9f505cf02d965..2dc1cfcd7ce99 100644 +--- a/drivers/net/ethernet/xircom/xirc2ps_cs.c ++++ b/drivers/net/ethernet/xircom/xirc2ps_cs.c +@@ -1578,7 +1578,7 @@ do_reset(struct net_device *dev, int full) + msleep(40); /* wait 40 msec to let it complete */ + } + if (full_duplex) +- PutByte(XIRCREG1_ECR, GetByte(XIRCREG1_ECR | FullDuplex)); ++ PutByte(XIRCREG1_ECR, GetByte(XIRCREG1_ECR) | FullDuplex); + } else { /* No MII */ + SelectPage(0); + value = GetByte(XIRCREG_ESR); /* read the ESR */ +-- +2.50.1 +
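Review bot: the corrected `PutByte(XIRCREG1_ECR, GetByte(XIRCREG1_ECR) | FullDuplex);` is a read-modify-write of a paged register, so it is only valid if page 1 is selected at this point; the visible context shows `SelectPage(0);` in the else branch but not the page selection for this branch, so confirm the MII path selects page 1 before the `msleep(40)` above (not visible in the hunk). The old expression read whatever register sits at offset `XIRCREG1_ECR | FullDuplex` and wrote that value into ECR, which is the invalid access the commit message describes.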