From: Sasha Levin Date: Sat, 12 Jul 2025 02:28:13 +0000 (-0400) Subject: Fixes for 6.6 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=565562c56028b445cfa17cc2dee922574ff62e7c;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.6 Signed-off-by: Sasha Levin --- diff --git a/queue-6.6/asoc-cs35l56-probe-should-fail-if-the-device-id-is-n.patch b/queue-6.6/asoc-cs35l56-probe-should-fail-if-the-device-id-is-n.patch new file mode 100644 index 0000000000..27fe2cda61 --- /dev/null +++ b/queue-6.6/asoc-cs35l56-probe-should-fail-if-the-device-id-is-n.patch 
@@ -0,0 +1,41 @@ +From d4ce57b90b41ff87106a070d5b8d7b75f18e4541 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jul 2025 11:25:21 +0100 +Subject: ASoC: cs35l56: probe() should fail if the device ID is not recognized + +From: Richard Fitzgerald + +[ Upstream commit 3b3312f28ee2d9c386602f8521e419cfc69f4823 ] + +Return an error from driver probe if the DEVID read from the chip is not +one supported by this driver. + +In cs35l56_hw_init() there is a check for valid DEVID, but the invalid +case was returning the value of ret. At this point in the code ret == 0 +so the caller would think that cs35l56_hw_init() was successful. + +Signed-off-by: Richard Fitzgerald +Fixes: 84851aa055c8 ("ASoC: cs35l56: Move part of cs35l56_init() to shared library") +Link: https://patch.msgid.link/20250703102521.54204-1-rf@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/cs35l56-shared.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/cs35l56-shared.c b/sound/soc/codecs/cs35l56-shared.c +index d3db89c93b331..25ee7477709e7 100644 +--- a/sound/soc/codecs/cs35l56-shared.c ++++ b/sound/soc/codecs/cs35l56-shared.c +@@ -661,7 +661,7 @@ int cs35l56_hw_init(struct cs35l56_base *cs35l56_base) + break; + default: + dev_err(cs35l56_base->dev, "Unknown device %x\n", devid); +- return ret; ++ return -ENODEV; + } + + ret = regmap_read(cs35l56_base->regmap, CS35L56_DSP_RESTRICT_STS1, &secured); +-- +2.39.5 + diff --git a/queue-6.6/asoc-fsl_asrc-use-internal-measured-ratio-for-non-id.patch b/queue-6.6/asoc-fsl_asrc-use-internal-measured-ratio-for-non-id.patch new file mode 100644 index 0000000000..d473c82ac5 --- /dev/null +++ b/queue-6.6/asoc-fsl_asrc-use-internal-measured-ratio-for-non-id.patch 
@@ -0,0 +1,40 @@ +From da60103921c717d1ea3b2042d92a87ab00cc42eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Jun 2025 10:05:04 +0800 +Subject: ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode + +From: Shengjiu Wang + +[ Upstream commit cbe876121633dadb2b0ce52711985328638e9aab ] + +When USRC=0, there is underrun issue for the non-ideal ratio mode; +according to the reference mannual, the internal measured ratio can be +used with USRC=1 and IDRC=0. + +Fixes: d0250cf4f2ab ("ASoC: fsl_asrc: Add an option to select internal ratio mode") +Signed-off-by: Shengjiu Wang +Reviewed-by: Daniel Baluta +Link: https://patch.msgid.link/20250625020504.2728161-1-shengjiu.wang@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/fsl_asrc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/fsl/fsl_asrc.c b/sound/soc/fsl/fsl_asrc.c +index b793263291dc8..72dc23c994bcd 100644 +--- a/sound/soc/fsl/fsl_asrc.c ++++ b/sound/soc/fsl/fsl_asrc.c +@@ -517,7 +517,8 @@ static int fsl_asrc_config_pair(struct fsl_asrc_pair *pair, bool use_ideal_rate) + regmap_update_bits(asrc->regmap, REG_ASRCTR, + ASRCTR_ATSi_MASK(index), ASRCTR_ATS(index)); + regmap_update_bits(asrc->regmap, REG_ASRCTR, +- ASRCTR_USRi_MASK(index), 0); ++ ASRCTR_IDRi_MASK(index) | ASRCTR_USRi_MASK(index), ++ ASRCTR_USR(index)); + + /* Set the input and output clock sources */ + regmap_update_bits(asrc->regmap, REG_ASRCSR, +-- +2.39.5 + diff --git a/queue-6.6/atm-clip-fix-infinite-recursive-call-of-clip_push.patch b/queue-6.6/atm-clip-fix-infinite-recursive-call-of-clip_push.patch new file mode 100644 index 0000000000..dd0f434f6d --- /dev/null +++ b/queue-6.6/atm-clip-fix-infinite-recursive-call-of-clip_push.patch 
@@ -0,0 +1,102 @@ +From 0b949fd53c32b3f4fc6c3bff3e041420796e027c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Jul 2025 06:23:53 +0000 +Subject: atm: clip: Fix infinite recursive call of clip_push(). + +From: Kuniyuki Iwashima + +[ Upstream commit c489f3283dbfc0f3c00c312149cae90d27552c45 ] + +syzbot reported the splat below. [0] + +This happens if we call ioctl(ATMARP_MKIP) more than once. + +During the first call, clip_mkip() sets clip_push() to vcc->push(), +and the second call copies it to clip_vcc->old_push(). + +Later, when the socket is close()d, vcc_destroy_socket() passes +NULL skb to clip_push(), which calls clip_vcc->old_push(), +triggering the infinite recursion. + +Let's prevent the second ioctl(ATMARP_MKIP) by checking +vcc->user_back, which is allocated by the first call as clip_vcc. + +Note also that we use lock_sock() to prevent racy calls. + +[0]: +BUG: TASK stack guard page was hit at ffffc9000d66fff8 (stack is ffffc9000d670000..ffffc9000d678000) +Oops: stack guard page: 0000 [#1] SMP KASAN NOPTI +CPU: 0 UID: 0 PID: 5322 Comm: syz.0.0 Not tainted 6.16.0-rc4-syzkaller #0 PREEMPT(full) +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 +RIP: 0010:clip_push+0x5/0x720 net/atm/clip.c:191 +Code: e0 8f aa 8c e8 1c ad 5b fa eb ae 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 <41> 57 41 56 41 55 41 54 53 48 83 ec 20 48 89 f3 49 89 fd 48 bd 00 +RSP: 0018:ffffc9000d670000 EFLAGS: 00010246 +RAX: 1ffff1100235a4a5 RBX: ffff888011ad2508 RCX: ffff8880003c0000 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888037f01000 +RBP: dffffc0000000000 R08: ffffffff8fa104f7 R09: 1ffffffff1f4209e +R10: dffffc0000000000 R11: ffffffff8a99b300 R12: ffffffff8a99b300 +R13: ffff888037f01000 R14: ffff888011ad2500 R15: ffff888037f01578 +FS: 000055557ab6d500(0000) GS:ffff88808d250000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 
ffffc9000d66fff8 CR3: 0000000043172000 CR4: 0000000000352ef0 +Call Trace: + + clip_push+0x6dc/0x720 net/atm/clip.c:200 + clip_push+0x6dc/0x720 net/atm/clip.c:200 + clip_push+0x6dc/0x720 net/atm/clip.c:200 +... + clip_push+0x6dc/0x720 net/atm/clip.c:200 + clip_push+0x6dc/0x720 net/atm/clip.c:200 + clip_push+0x6dc/0x720 net/atm/clip.c:200 + vcc_destroy_socket net/atm/common.c:183 [inline] + vcc_release+0x157/0x460 net/atm/common.c:205 + __sock_release net/socket.c:647 [inline] + sock_close+0xc0/0x240 net/socket.c:1391 + __fput+0x449/0xa70 fs/file_table.c:465 + task_work_run+0x1d1/0x260 kernel/task_work.c:227 + resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] + exit_to_user_mode_loop+0xec/0x110 kernel/entry/common.c:114 + exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline] + syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline] + syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline] + do_syscall_64+0x2bd/0x3b0 arch/x86/entry/syscall_64.c:100 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7ff31c98e929 +Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007fffb5aa1f78 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 +RAX: 0000000000000000 RBX: 0000000000012747 RCX: 00007ff31c98e929 +RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 +RBP: 00007ff31cbb7ba0 R08: 0000000000000001 R09: 0000000db5aa226f +R10: 00007ff31c7ff030 R11: 0000000000000246 R12: 00007ff31cbb608c +R13: 00007ff31cbb6080 R14: ffffffffffffffff R15: 00007fffb5aa2090 + +Modules linked in: + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot+0c77cccd6b7cd917b35a@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=2371d94d248d126c1eb1 +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Simon Horman +Link: 
https://patch.msgid.link/20250704062416.1613927-4-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/atm/clip.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/atm/clip.c b/net/atm/clip.c +index 14b485f725d0c..936b9558be4b9 100644 +--- a/net/atm/clip.c ++++ b/net/atm/clip.c +@@ -429,6 +429,8 @@ static int clip_mkip(struct atm_vcc *vcc, int timeout) + + if (!vcc->push) + return -EBADFD; ++ if (vcc->user_back) ++ return -EINVAL; + clip_vcc = kmalloc(sizeof(struct clip_vcc), GFP_KERNEL); + if (!clip_vcc) + return -ENOMEM; +-- +2.39.5 + diff --git a/queue-6.6/atm-clip-fix-memory-leak-of-struct-clip_vcc.patch b/queue-6.6/atm-clip-fix-memory-leak-of-struct-clip_vcc.patch new file mode 100644 index 0000000000..fe55959d97 --- /dev/null +++ b/queue-6.6/atm-clip-fix-memory-leak-of-struct-clip_vcc.patch 
@@ -0,0 +1,76 @@ +From a085e19a98a209994d1fcca84ce2b3f4e2e6ffba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Jul 2025 06:23:52 +0000 +Subject: atm: clip: Fix memory leak of struct clip_vcc. + +From: Kuniyuki Iwashima + +[ Upstream commit 62dba28275a9a3104d4e33595c7b3328d4032d8d ] + +ioctl(ATMARP_MKIP) allocates struct clip_vcc and set it to +vcc->user_back. + +The code assumes that vcc_destroy_socket() passes NULL skb +to vcc->push() when the socket is close()d, and then clip_push() +frees clip_vcc. + +However, ioctl(ATMARPD_CTRL) sets NULL to vcc->push() in +atm_init_atmarp(), resulting in memory leak. + +Let's serialise two ioctl() by lock_sock() and check vcc->push() +in atm_init_atmarp() to prevent memleak. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250704062416.1613927-3-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/atm/clip.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/net/atm/clip.c b/net/atm/clip.c +index 8059b7d1fb931..14b485f725d0c 100644 +--- a/net/atm/clip.c ++++ b/net/atm/clip.c +@@ -645,6 +645,9 @@ static struct atm_dev atmarpd_dev = { + + static int atm_init_atmarp(struct atm_vcc *vcc) + { ++ if (vcc->push == clip_push) ++ return -EINVAL; ++ + mutex_lock(&atmarpd_lock); + if (atmarpd) { + mutex_unlock(&atmarpd_lock); +@@ -669,6 +672,7 @@ static int atm_init_atmarp(struct atm_vcc *vcc) + static int clip_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg) + { + struct atm_vcc *vcc = ATM_SD(sock); ++ struct sock *sk = sock->sk; + int err = 0; + + switch (cmd) { +@@ -689,14 +693,18 @@ static int clip_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg) + err = clip_create(arg); + break; + case ATMARPD_CTRL: ++ lock_sock(sk); + err = atm_init_atmarp(vcc); + if (!err) { + sock->state = SS_CONNECTED; + __module_get(THIS_MODULE); + } ++ release_sock(sk); + break; + 
case ATMARP_MKIP: ++ lock_sock(sk); + err = clip_mkip(vcc, arg); ++ release_sock(sk); + break; + case ATMARP_SETENTRY: + err = clip_setentry(vcc, (__force __be32)arg); +-- +2.39.5 + diff --git a/queue-6.6/atm-clip-fix-null-pointer-dereference-in-vcc_sendmsg.patch b/queue-6.6/atm-clip-fix-null-pointer-dereference-in-vcc_sendmsg.patch new file mode 100644 index 0000000000..7de04dcd9f --- /dev/null +++ b/queue-6.6/atm-clip-fix-null-pointer-dereference-in-vcc_sendmsg.patch 
@@ -0,0 +1,82 @@ +From 8e80e13b538dce8a7b4ec264f710951c330f0925 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Jul 2025 16:52:28 +0800 +Subject: atm: clip: Fix NULL pointer dereference in vcc_sendmsg() + +From: Yue Haibing + +[ Upstream commit 22fc46cea91df3dce140a7dc6847c6fcf0354505 ] + +atmarpd_dev_ops does not implement the send method, which may cause crash +as bellow. + +BUG: kernel NULL pointer dereference, address: 0000000000000000 +PGD 0 P4D 0 +Oops: Oops: 0010 [#1] SMP KASAN NOPTI +CPU: 0 UID: 0 PID: 5324 Comm: syz.0.0 Not tainted 6.15.0-rc6-syzkaller-00346-g5723cc3450bc #0 PREEMPT(full) +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 +RIP: 0010:0x0 +Code: Unable to access opcode bytes at 0xffffffffffffffd6. +RSP: 0018:ffffc9000d3cf778 EFLAGS: 00010246 +RAX: 1ffffffff1910dd1 RBX: 00000000000000c0 RCX: dffffc0000000000 +RDX: ffffc9000dc82000 RSI: ffff88803e4c4640 RDI: ffff888052cd0000 +RBP: ffffc9000d3cf8d0 R08: ffff888052c9143f R09: 1ffff1100a592287 +R10: dffffc0000000000 R11: 0000000000000000 R12: 1ffff92001a79f00 +R13: ffff888052cd0000 R14: ffff88803e4c4640 R15: ffffffff8c886e88 +FS: 00007fbc762566c0(0000) GS:ffff88808d6c2000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: ffffffffffffffd6 CR3: 0000000041f1b000 CR4: 0000000000352ef0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + vcc_sendmsg+0xa10/0xc50 net/atm/common.c:644 + sock_sendmsg_nosec net/socket.c:712 [inline] + __sock_sendmsg+0x219/0x270 net/socket.c:727 + ____sys_sendmsg+0x52d/0x830 net/socket.c:2566 + ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2620 + __sys_sendmmsg+0x227/0x430 net/socket.c:2709 + __do_sys_sendmmsg net/socket.c:2736 [inline] + __se_sys_sendmmsg net/socket.c:2733 [inline] + __x64_sys_sendmmsg+0xa0/0xc0 net/socket.c:2733 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + 
do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot+e34e5e6b5eddb0014def@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/682f82d5.a70a0220.1765ec.0143.GAE@google.com/T +Signed-off-by: Yue Haibing +Reviewed-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20250705085228.329202-1-yuehaibing@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/atm/clip.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/net/atm/clip.c b/net/atm/clip.c +index 936b9558be4b9..53d62361ae460 100644 +--- a/net/atm/clip.c ++++ b/net/atm/clip.c +@@ -632,8 +632,16 @@ static void atmarpd_close(struct atm_vcc *vcc) + module_put(THIS_MODULE); + } + ++static int atmarpd_send(struct atm_vcc *vcc, struct sk_buff *skb) ++{ ++ atm_return_tx(vcc, skb); ++ dev_kfree_skb_any(skb); ++ return 0; ++} ++ + static const struct atmdev_ops atmarpd_dev_ops = { +- .close = atmarpd_close ++ .close = atmarpd_close, ++ .send = atmarpd_send + }; + + +-- +2.39.5 + diff --git a/queue-6.6/atm-clip-fix-potential-null-ptr-deref-in-to_atmarpd.patch b/queue-6.6/atm-clip-fix-potential-null-ptr-deref-in-to_atmarpd.patch new file mode 100644 index 0000000000..7af26af69a --- /dev/null +++ b/queue-6.6/atm-clip-fix-potential-null-ptr-deref-in-to_atmarpd.patch 
@@ -0,0 +1,134 @@ +From f34df41455c91a341f0c2652e264c1472d482622 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Jul 2025 06:23:51 +0000 +Subject: atm: clip: Fix potential null-ptr-deref in to_atmarpd(). + +From: Kuniyuki Iwashima + +[ Upstream commit 706cc36477139c1616a9b2b96610a8bb520b7119 ] + +atmarpd is protected by RTNL since commit f3a0592b37b8 ("[ATM]: clip +causes unregister hang"). + +However, it is not enough because to_atmarpd() is called without RTNL, +especially clip_neigh_solicit() / neigh_ops->solicit() is unsleepable. + +Also, there is no RTNL dependency around atmarpd. + +Let's use a private mutex and RCU to protect access to atmarpd in +to_atmarpd(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250704062416.1613927-2-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/atm/clip.c | 44 +++++++++++++++++++++++++++++--------------- + 1 file changed, 29 insertions(+), 15 deletions(-) + +diff --git a/net/atm/clip.c b/net/atm/clip.c +index 511467bb7fe40..8059b7d1fb931 100644 +--- a/net/atm/clip.c ++++ b/net/atm/clip.c +@@ -45,7 +45,8 @@ + #include + + static struct net_device *clip_devs; +-static struct atm_vcc *atmarpd; ++static struct atm_vcc __rcu *atmarpd; ++static DEFINE_MUTEX(atmarpd_lock); + static struct timer_list idle_timer; + static const struct neigh_ops clip_neigh_ops; + +@@ -53,24 +54,35 @@ static int to_atmarpd(enum atmarp_ctrl_type type, int itf, __be32 ip) + { + struct sock *sk; + struct atmarp_ctrl *ctrl; ++ struct atm_vcc *vcc; + struct sk_buff *skb; ++ int err = 0; + + pr_debug("(%d)\n", type); +- if (!atmarpd) +- return -EUNATCH; ++ ++ rcu_read_lock(); ++ vcc = rcu_dereference(atmarpd); ++ if (!vcc) { ++ err = -EUNATCH; ++ goto unlock; ++ } + skb = alloc_skb(sizeof(struct atmarp_ctrl), GFP_ATOMIC); +- if (!skb) +- return -ENOMEM; ++ if (!skb) { ++ err = -ENOMEM; ++ goto unlock; ++ } + ctrl = 
skb_put(skb, sizeof(struct atmarp_ctrl)); + ctrl->type = type; + ctrl->itf_num = itf; + ctrl->ip = ip; +- atm_force_charge(atmarpd, skb->truesize); ++ atm_force_charge(vcc, skb->truesize); + +- sk = sk_atm(atmarpd); ++ sk = sk_atm(vcc); + skb_queue_tail(&sk->sk_receive_queue, skb); + sk->sk_data_ready(sk); +- return 0; ++unlock: ++ rcu_read_unlock(); ++ return err; + } + + static void link_vcc(struct clip_vcc *clip_vcc, struct atmarp_entry *entry) +@@ -607,10 +619,12 @@ static void atmarpd_close(struct atm_vcc *vcc) + { + pr_debug("\n"); + +- rtnl_lock(); +- atmarpd = NULL; ++ mutex_lock(&atmarpd_lock); ++ RCU_INIT_POINTER(atmarpd, NULL); ++ mutex_unlock(&atmarpd_lock); ++ ++ synchronize_rcu(); + skb_queue_purge(&sk_atm(vcc)->sk_receive_queue); +- rtnl_unlock(); + + pr_debug("(done)\n"); + module_put(THIS_MODULE); +@@ -631,15 +645,15 @@ static struct atm_dev atmarpd_dev = { + + static int atm_init_atmarp(struct atm_vcc *vcc) + { +- rtnl_lock(); ++ mutex_lock(&atmarpd_lock); + if (atmarpd) { +- rtnl_unlock(); ++ mutex_unlock(&atmarpd_lock); + return -EADDRINUSE; + } + + mod_timer(&idle_timer, jiffies + CLIP_CHECK_INTERVAL * HZ); + +- atmarpd = vcc; ++ rcu_assign_pointer(atmarpd, vcc); + set_bit(ATM_VF_META, &vcc->flags); + set_bit(ATM_VF_READY, &vcc->flags); + /* allow replies and avoid getting closed if signaling dies */ +@@ -648,7 +662,7 @@ static int atm_init_atmarp(struct atm_vcc *vcc) + vcc->push = NULL; + vcc->pop = NULL; /* crash */ + vcc->push_oam = NULL; /* crash */ +- rtnl_unlock(); ++ mutex_unlock(&atmarpd_lock); + return 0; + } + +-- +2.39.5 + diff --git a/queue-6.6/bluetooth-hci_event-fix-not-marking-broadcast-sink-b.patch b/queue-6.6/bluetooth-hci_event-fix-not-marking-broadcast-sink-b.patch new file mode 100644 index 0000000000..28256973cb --- /dev/null +++ b/queue-6.6/bluetooth-hci_event-fix-not-marking-broadcast-sink-b.patch 
@@ -0,0 +1,40 @@ +From 61f57c4f9b2b08629812e5a39946122d514839c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Jun 2025 11:19:02 -0400 +Subject: Bluetooth: hci_event: Fix not marking Broadcast Sink BIS as connected + +From: Luiz Augusto von Dentz + +[ Upstream commit c7349772c268ec3c91d83cbfbbcf63f1bd7c256c ] + +Upon receiving HCI_EVT_LE_BIG_SYNC_ESTABLISHED with status 0x00 +(success) the corresponding BIS hci_conn state shall be set to +BT_CONNECTED otherwise they will be left with BT_OPEN which is invalid +at that point, also create the debugfs and sysfs entries following the +same logic as the likes of Broadcast Source BIS and CIS connections. + +Fixes: f777d8827817 ("Bluetooth: ISO: Notify user space about failed bis connections") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_event.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index 4029330e29a99..8d4ab29e37946 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -6916,7 +6916,10 @@ static void hci_le_big_sync_established_evt(struct hci_dev *hdev, void *data, + bis->iso_qos.bcast.in.sdu = le16_to_cpu(ev->max_pdu); + + if (!ev->status) { ++ bis->state = BT_CONNECTED; + set_bit(HCI_CONN_BIG_SYNC, &bis->flags); ++ hci_debugfs_create_conn(bis); ++ hci_conn_add_sysfs(bis); + hci_iso_setup_path(bis); + } + } +-- +2.39.5 + diff --git a/queue-6.6/bluetooth-hci_sync-fix-not-disabling-advertising-ins.patch b/queue-6.6/bluetooth-hci_sync-fix-not-disabling-advertising-ins.patch new file mode 100644 index 0000000000..f135cfd837 --- /dev/null +++ b/queue-6.6/bluetooth-hci_sync-fix-not-disabling-advertising-ins.patch 
@@ -0,0 +1,36 @@ +From 8bc6eb41ec818c5a57263134dbcd5d9adfe25119 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Jun 2025 12:31:33 -0400 +Subject: Bluetooth: hci_sync: Fix not disabling advertising instance + +From: Luiz Augusto von Dentz + +[ Upstream commit ef9675b0ef030d135413e8638989f3a7d1f3217a ] + +As the code comments on hci_setup_ext_adv_instance_sync suggests the +advertising instance needs to be disabled in order to update its +parameters, but it was wrongly checking that !adv->pending. + +Fixes: cba6b758711c ("Bluetooth: hci_sync: Make use of hci_cmd_sync_queue set 2") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_sync.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c +index d602e9d8eff45..71736537cc6e3 100644 +--- a/net/bluetooth/hci_sync.c ++++ b/net/bluetooth/hci_sync.c +@@ -1247,7 +1247,7 @@ int hci_setup_ext_adv_instance_sync(struct hci_dev *hdev, u8 instance) + * Command Disallowed error, so we must first disable the + * instance if it is active. + */ +- if (adv && !adv->pending) { ++ if (adv) { + err = hci_disable_ext_adv_instance_sync(hdev, instance); + if (err) + return err; +-- +2.39.5 + diff --git a/queue-6.6/fix-proc_sys_compare-handling-of-in-lookup-dentries.patch b/queue-6.6/fix-proc_sys_compare-handling-of-in-lookup-dentries.patch new file mode 100644 index 0000000000..36b7de50ea --- /dev/null +++ b/queue-6.6/fix-proc_sys_compare-handling-of-in-lookup-dentries.patch 
@@ -0,0 +1,96 @@ +From 967927c67803862f31bca8d72991541d2bbb496e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 02:52:13 -0400 +Subject: fix proc_sys_compare() handling of in-lookup dentries + +From: Al Viro + +[ Upstream commit b969f9614885c20f903e1d1f9445611daf161d6d ] + +There's one case where ->d_compare() can be called for an in-lookup +dentry; usually that's nothing special from ->d_compare() point of +view, but... proc_sys_compare() is weird. + +The thing is, /proc/sys subdirectories can look differently for +different processes. Up to and including having the same name +resolve to different dentries - all of them hashed. + +The way it's done is ->d_compare() refusing to admit a match unless +this dentry is supposed to be visible to this caller. The information +needed to discriminate between them is stored in inode; it is set +during proc_sys_lookup() and until it's done d_splice_alias() we really +can't tell who should that dentry be visible for. + +Normally there's no negative dentries in /proc/sys; we can run into +a dying dentry in RCU dcache lookup, but those can be safely rejected. + +However, ->d_compare() is also called for in-lookup dentries, before +they get positive - or hashed, for that matter. In case of match +we will wait until dentry leaves in-lookup state and repeat ->d_compare() +afterwards. In other words, the right behaviour is to treat the +name match as sufficient for in-lookup dentries; if dentry is not +for us, we'll see that when we recheck once proc_sys_lookup() is +done with it. + +While we are at it, fix the misspelled READ_ONCE and WRITE_ONCE there. 
+ +Fixes: d9171b934526 ("parallel lookups machinery, part 4 (and last)") +Reported-by: NeilBrown +Reviewed-by: Christian Brauner +Reviewed-by: NeilBrown +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + fs/proc/inode.c | 2 +- + fs/proc/proc_sysctl.c | 18 +++++++++++------- + 2 files changed, 12 insertions(+), 8 deletions(-) + +diff --git a/fs/proc/inode.c b/fs/proc/inode.c +index 897c71077a0f7..4b3ae7e0def32 100644 +--- a/fs/proc/inode.c ++++ b/fs/proc/inode.c +@@ -52,7 +52,7 @@ static void proc_evict_inode(struct inode *inode) + + head = ei->sysctl; + if (head) { +- RCU_INIT_POINTER(ei->sysctl, NULL); ++ WRITE_ONCE(ei->sysctl, NULL); + proc_sys_evict_inode(inode, head); + } + } +diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c +index 071a71eb1a2d4..b7d6bc5c1ce9a 100644 +--- a/fs/proc/proc_sysctl.c ++++ b/fs/proc/proc_sysctl.c +@@ -920,17 +920,21 @@ static int proc_sys_compare(const struct dentry *dentry, + struct ctl_table_header *head; + struct inode *inode; + +- /* Although proc doesn't have negative dentries, rcu-walk means +- * that inode here can be NULL */ +- /* AV: can it, indeed? */ +- inode = d_inode_rcu(dentry); +- if (!inode) +- return 1; + if (name->len != len) + return 1; + if (memcmp(name->name, str, len)) + return 1; +- head = rcu_dereference(PROC_I(inode)->sysctl); ++ ++ // false positive is fine here - we'll recheck anyway ++ if (d_in_lookup(dentry)) ++ return 0; ++ ++ inode = d_inode_rcu(dentry); ++ // we just might have run into dentry in the middle of __dentry_kill() ++ if (!inode) ++ return 1; ++ ++ head = READ_ONCE(PROC_I(inode)->sysctl); + return !head || !sysctl_is_seen(head); + } + +-- +2.39.5 + diff --git a/queue-6.6/net-phy-smsc-fix-auto-mdix-configuration-when-disabl.patch b/queue-6.6/net-phy-smsc-fix-auto-mdix-configuration-when-disabl.patch new file mode 100644 index 0000000000..e7a78c01ec --- /dev/null +++ b/queue-6.6/net-phy-smsc-fix-auto-mdix-configuration-when-disabl.patch 
@@ -0,0 +1,54 @@ +From 6e51bf4eed347fcb7309eb66afb3f492dcb2b5e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jul 2025 13:49:39 +0200 +Subject: net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap + +From: Oleksij Rempel + +[ Upstream commit a141af8eb2272ab0f677a7f2653874840bc9b214 ] + +Correct the Auto-MDIX configuration to ensure userspace settings are +respected when the feature is disabled by the AUTOMDIX_EN hardware strap. + +The LAN9500 PHY allows its default MDI-X mode to be configured via a +hardware strap. If this strap sets the default to "MDI-X off", the +driver was previously unable to enable Auto-MDIX from userspace. + +When handling the ETH_TP_MDI_AUTO case, the driver would set the +SPECIAL_CTRL_STS_AMDIX_ENABLE_ bit but neglected to set the required +SPECIAL_CTRL_STS_OVRRD_AMDIX_ bit. Without the override flag, the PHY +falls back to its hardware strap default, ignoring the software request. + +This patch corrects the behavior by also setting the override bit when +enabling Auto-MDIX. This ensures that the userspace configuration takes +precedence over the hardware strap, allowing Auto-MDIX to be enabled +correctly in all scenarios. 
+ +Fixes: 05b35e7eb9a1 ("smsc95xx: add phylib support") +Signed-off-by: Oleksij Rempel +Cc: Andre Edich +Reviewed-by: Maxime Chevallier +Link: https://patch.msgid.link/20250703114941.3243890-2-o.rempel@pengutronix.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/smsc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/phy/smsc.c b/drivers/net/phy/smsc.c +index c88edb19d2e71..b7f9c4649652b 100644 +--- a/drivers/net/phy/smsc.c ++++ b/drivers/net/phy/smsc.c +@@ -167,7 +167,8 @@ static int lan87xx_config_aneg(struct phy_device *phydev) + SPECIAL_CTRL_STS_AMDIX_STATE_; + break; + case ETH_TP_MDI_AUTO: +- val = SPECIAL_CTRL_STS_AMDIX_ENABLE_; ++ val = SPECIAL_CTRL_STS_OVRRD_AMDIX_ | ++ SPECIAL_CTRL_STS_AMDIX_ENABLE_; + break; + default: + return genphy_config_aneg(phydev); +-- +2.39.5 + diff --git a/queue-6.6/net-phy-smsc-fix-link-failure-in-forced-mode-with-au.patch b/queue-6.6/net-phy-smsc-fix-link-failure-in-forced-mode-with-au.patch new file mode 100644 index 0000000000..8fedee162d --- /dev/null +++ b/queue-6.6/net-phy-smsc-fix-link-failure-in-forced-mode-with-au.patch 
@@ -0,0 +1,86 @@ +From 037747fa767f9319025a668a829dc06e09426b70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jul 2025 13:49:41 +0200 +Subject: net: phy: smsc: Fix link failure in forced mode with Auto-MDIX + +From: Oleksij Rempel + +[ Upstream commit 9dfe110cc0f6ef42af8e81ce52aef34a647d0b8a ] + +Force a fixed MDI-X mode when auto-negotiation is disabled to prevent +link instability. + +When forcing the link speed and duplex on a LAN9500 PHY (e.g., with +`ethtool -s eth0 autoneg off ...`) while leaving MDI-X control in auto +mode, the PHY fails to establish a stable link. This occurs because the +PHY's Auto-MDIX algorithm is not designed to operate when +auto-negotiation is disabled. In this state, the PHY continuously +toggles the TX/RX signal pairs, which prevents the link partner from +synchronizing. + +This patch resolves the issue by detecting when auto-negotiation is +disabled. If the MDI-X control mode is set to 'auto', the driver now +forces a specific, stable mode (ETH_TP_MDI) to prevent the pair +toggling. This choice of a fixed MDI mode mirrors the behavior the +hardware would exhibit if the AUTOMDIX_EN strap were configured for a +fixed MDI connection. 
+ +Fixes: 05b35e7eb9a1 ("smsc95xx: add phylib support") +Signed-off-by: Oleksij Rempel +Cc: Andre Edich +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20250703114941.3243890-4-o.rempel@pengutronix.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/smsc.c | 25 ++++++++++++++++++++++--- + 1 file changed, 22 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/phy/smsc.c b/drivers/net/phy/smsc.c +index 1ce0ca8048ac6..4ca813c009476 100644 +--- a/drivers/net/phy/smsc.c ++++ b/drivers/net/phy/smsc.c +@@ -155,10 +155,29 @@ static int smsc_phy_reset(struct phy_device *phydev) + + static int lan87xx_config_aneg(struct phy_device *phydev) + { +- int rc; ++ u8 mdix_ctrl; + int val; ++ int rc; ++ ++ /* When auto-negotiation is disabled (forced mode), the PHY's ++ * Auto-MDIX will continue toggling the TX/RX pairs. ++ * ++ * To establish a stable link, we must select a fixed MDI mode. ++ * If the user has not specified a fixed MDI mode (i.e., mdix_ctrl is ++ * 'auto'), we default to ETH_TP_MDI. This choice of a ETH_TP_MDI mode ++ * mirrors the behavior the hardware would exhibit if the AUTOMDIX_EN ++ * strap were configured for a fixed MDI connection. ++ */ ++ if (phydev->autoneg == AUTONEG_DISABLE) { ++ if (phydev->mdix_ctrl == ETH_TP_MDI_AUTO) ++ mdix_ctrl = ETH_TP_MDI; ++ else ++ mdix_ctrl = phydev->mdix_ctrl; ++ } else { ++ mdix_ctrl = phydev->mdix_ctrl; ++ } + +- switch (phydev->mdix_ctrl) { ++ switch (mdix_ctrl) { + case ETH_TP_MDI: + val = SPECIAL_CTRL_STS_OVRRD_AMDIX_; + break; +@@ -184,7 +203,7 @@ static int lan87xx_config_aneg(struct phy_device *phydev) + rc |= val; + phy_write(phydev, SPECIAL_CTRL_STS, rc); + +- phydev->mdix = phydev->mdix_ctrl; ++ phydev->mdix = mdix_ctrl; + return genphy_config_aneg(phydev); + } + +-- +2.39.5 + 
diff --git a/queue-6.6/net-phy-smsc-force-predictable-mdi-x-state-on-lan87x.patch b/queue-6.6/net-phy-smsc-force-predictable-mdi-x-state-on-lan87x.patch new file mode 100644 index 0000000000..4856e9d409 --- /dev/null +++ b/queue-6.6/net-phy-smsc-force-predictable-mdi-x-state-on-lan87x.patch 
@@ -0,0 +1,82 @@ +From ccf252c812267af250dd5a1577432c07022e6721 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jul 2025 13:49:40 +0200 +Subject: net: phy: smsc: Force predictable MDI-X state on LAN87xx + +From: Oleksij Rempel + +[ Upstream commit 0713e55533c88a20edb53eea6517dc56786a0078 ] + +Override the hardware strap configuration for MDI-X mode to ensure a +predictable initial state for the driver. The initial mode of the LAN87xx +PHY is determined by the AUTOMDIX_EN strap pin, but the driver has no +documented way to read its latched status. + +This unpredictability means the driver cannot know if the PHY has +initialized with Auto-MDIX enabled or disabled, preventing it from +providing a reliable interface to the user. + +This patch introduces a `config_init` hook that forces the PHY into a +known state by explicitly enabling Auto-MDIX. + +Fixes: 05b35e7eb9a1 ("smsc95xx: add phylib support") +Signed-off-by: Oleksij Rempel +Cc: Andre Edich +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20250703114941.3243890-3-o.rempel@pengutronix.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/smsc.c | 29 ++++++++++++++++++++++++++++- + 1 file changed, 28 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/phy/smsc.c b/drivers/net/phy/smsc.c +index b7f9c4649652b..1ce0ca8048ac6 100644 +--- a/drivers/net/phy/smsc.c ++++ b/drivers/net/phy/smsc.c +@@ -262,6 +262,33 @@ int lan87xx_read_status(struct phy_device *phydev) + } + EXPORT_SYMBOL_GPL(lan87xx_read_status); + ++static int lan87xx_phy_config_init(struct phy_device *phydev) ++{ ++ int rc; ++ ++ /* The LAN87xx PHY's initial MDI-X mode is determined by the AUTOMDIX_EN ++ * hardware strap, but the driver cannot read the strap's status. This ++ * creates an unpredictable initial state. 
++ * ++ * To ensure consistent and reliable behavior across all boards, ++ * override the strap configuration on initialization and force the PHY ++ * into a known state with Auto-MDIX enabled, which is the expected ++ * default for modern hardware. ++ */ ++ rc = phy_modify(phydev, SPECIAL_CTRL_STS, ++ SPECIAL_CTRL_STS_OVRRD_AMDIX_ | ++ SPECIAL_CTRL_STS_AMDIX_ENABLE_ | ++ SPECIAL_CTRL_STS_AMDIX_STATE_, ++ SPECIAL_CTRL_STS_OVRRD_AMDIX_ | ++ SPECIAL_CTRL_STS_AMDIX_ENABLE_); ++ if (rc < 0) ++ return rc; ++ ++ phydev->mdix_ctrl = ETH_TP_MDI_AUTO; ++ ++ return smsc_phy_config_init(phydev); ++} ++ + static int lan874x_phy_config_init(struct phy_device *phydev) + { + u16 val; +@@ -697,7 +724,7 @@ static struct phy_driver smsc_phy_driver[] = { + + /* basic functions */ + .read_status = lan87xx_read_status, +- .config_init = smsc_phy_config_init, ++ .config_init = lan87xx_phy_config_init, + .soft_reset = smsc_phy_reset, + .config_aneg = lan87xx_config_aneg, + +-- +2.39.5 + diff --git a/queue-6.6/net-sched-abort-__tc_modify_qdisc-if-parent-class-do.patch b/queue-6.6/net-sched-abort-__tc_modify_qdisc-if-parent-class-do.patch new file mode 100644 index 0000000000..e7f66eb61c --- /dev/null +++ b/queue-6.6/net-sched-abort-__tc_modify_qdisc-if-parent-class-do.patch 
@@ -0,0 +1,121 @@ +From d561627c5de8ba24075c83647a10347430842d64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Jul 2025 18:08:01 -0300 +Subject: net/sched: Abort __tc_modify_qdisc if parent class does not exist + +From: Victor Nogueira + +[ Upstream commit ffdde7bf5a439aaa1955ebd581f5c64ab1533963 ] + +Lion's patch [1] revealed an ancient bug in the qdisc API. +Whenever a user creates/modifies a qdisc specifying as a parent another +qdisc, the qdisc API will, during grafting, detect that the user is +not trying to attach to a class and reject. However grafting is +performed after qdisc_create (and thus the qdiscs' init callback) is +executed. In qdiscs that eventually call qdisc_tree_reduce_backlog +during init or change (such as fq, hhf, choke, etc), an issue +arises. For example, executing the following commands: + +sudo tc qdisc add dev lo root handle a: htb default 2 +sudo tc qdisc add dev lo parent a: handle beef fq + +Qdiscs such as fq, hhf, choke, etc unconditionally invoke +qdisc_tree_reduce_backlog() in their control path init() or change() which +then causes a failure to find the child class; however, that does not stop +the unconditional invocation of the assumed child qdisc's qlen_notify with +a null class. All these qdiscs make the assumption that class is non-null. + +The solution is ensure that qdisc_leaf() which looks up the parent +class, and is invoked prior to qdisc_create(), should return failure on +not finding the class. +In this patch, we leverage qdisc_leaf to return ERR_PTRs whenever the +parentid doesn't correspond to a class, so that we can detect it +earlier on and abort before qdisc_create is called. 
+ +[1] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/ + +Fixes: 5e50da01d0ce ("[NET_SCHED]: Fix endless loops (part 2): "simple" qdiscs") +Reported-by: syzbot+d8b58d7b0ad89a678a16@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/68663c93.a70a0220.5d25f.0857.GAE@google.com/ +Reported-by: syzbot+5eccb463fa89309d8bdc@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/68663c94.a70a0220.5d25f.0858.GAE@google.com/ +Reported-by: syzbot+1261670bbdefc5485a06@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/686764a5.a00a0220.c7b3.0013.GAE@google.com/ +Reported-by: syzbot+15b96fc3aac35468fe77@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/686764a5.a00a0220.c7b3.0014.GAE@google.com/ +Reported-by: syzbot+4dadc5aecf80324d5a51@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/68679e81.a70a0220.29cf51.0016.GAE@google.com/ +Acked-by: Jamal Hadi Salim +Reviewed-by: Cong Wang +Signed-off-by: Victor Nogueira +Link: https://patch.msgid.link/20250707210801.372995-1-victor@mojatatu.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_api.c | 23 ++++++++++++++++------- + 1 file changed, 16 insertions(+), 7 deletions(-) + +diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c +index 282423106f15d..a300e8c1b53aa 100644 +--- a/net/sched/sch_api.c ++++ b/net/sched/sch_api.c +@@ -334,17 +334,22 @@ struct Qdisc *qdisc_lookup_rcu(struct net_device *dev, u32 handle) + return q; + } + +-static struct Qdisc *qdisc_leaf(struct Qdisc *p, u32 classid) ++static struct Qdisc *qdisc_leaf(struct Qdisc *p, u32 classid, ++ struct netlink_ext_ack *extack) + { + unsigned long cl; + const struct Qdisc_class_ops *cops = p->ops->cl_ops; + +- if (cops == NULL) +- return NULL; ++ if (cops == NULL) { ++ NL_SET_ERR_MSG(extack, "Parent qdisc is not classful"); ++ return ERR_PTR(-EOPNOTSUPP); ++ } + cl = cops->find(p, classid); + +- if (cl == 0) +- return NULL; ++ if (cl 
== 0) { ++ NL_SET_ERR_MSG(extack, "Specified class not found"); ++ return ERR_PTR(-ENOENT); ++ } + return cops->leaf(p, cl); + } + +@@ -1497,7 +1502,7 @@ static int tc_get_qdisc(struct sk_buff *skb, struct nlmsghdr *n, + NL_SET_ERR_MSG(extack, "Failed to find qdisc with specified classid"); + return -ENOENT; + } +- q = qdisc_leaf(p, clid); ++ q = qdisc_leaf(p, clid, extack); + } else if (dev_ingress_queue(dev)) { + q = rtnl_dereference(dev_ingress_queue(dev)->qdisc_sleeping); + } +@@ -1508,6 +1513,8 @@ static int tc_get_qdisc(struct sk_buff *skb, struct nlmsghdr *n, + NL_SET_ERR_MSG(extack, "Cannot find specified qdisc on specified device"); + return -ENOENT; + } ++ if (IS_ERR(q)) ++ return PTR_ERR(q); + + if (tcm->tcm_handle && q->handle != tcm->tcm_handle) { + NL_SET_ERR_MSG(extack, "Invalid handle"); +@@ -1601,7 +1608,9 @@ static int tc_modify_qdisc(struct sk_buff *skb, struct nlmsghdr *n, + NL_SET_ERR_MSG(extack, "Failed to find specified qdisc"); + return -ENOENT; + } +- q = qdisc_leaf(p, clid); ++ q = qdisc_leaf(p, clid, extack); ++ if (IS_ERR(q)) ++ return PTR_ERR(q); + } else if (dev_ingress_queue_create(dev)) { + q = rtnl_dereference(dev_ingress_queue(dev)->qdisc_sleeping); + } +-- +2.39.5 + diff --git a/queue-6.6/net-stmmac-fix-interrupt-handling-for-level-triggere.patch b/queue-6.6/net-stmmac-fix-interrupt-handling-for-level-triggere.patch new file mode 100644 index 0000000000..ef2469d676 --- /dev/null +++ b/queue-6.6/net-stmmac-fix-interrupt-handling-for-level-triggere.patch 
@@ -0,0 +1,78 @@ +From a27f9ff3c38357f2a82d6e799d8d822910911938 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jul 2025 10:04:49 +0800 +Subject: net: stmmac: Fix interrupt handling for level-triggered mode in + DWC_XGMAC2 + +From: EricChan + +[ Upstream commit 78b7920a03351a8402de2f81914c1d2e2bdf24b7 ] + +According to the Synopsys Controller IP XGMAC-10G Ethernet MAC Databook +v3.30a (section 2.7.2), when the INTM bit in the DMA_Mode register is set +to 2, the sbd_perch_tx_intr_o[] and sbd_perch_rx_intr_o[] signals operate +in level-triggered mode. However, in this configuration, the DMA does not +assert the XGMAC_NIS status bit for Rx or Tx interrupt events. + +This creates a functional regression where the condition +if (likely(intr_status & XGMAC_NIS)) in dwxgmac2_dma_interrupt() will +never evaluate to true, preventing proper interrupt handling for +level-triggered mode. The hardware specification explicitly states that +"The DMA does not assert the NIS status bit for the Rx or Tx interrupt +events" (Synopsys DWC_XGMAC2 Databook v3.30a, sec. 2.7.2). + +The fix ensures correct handling of both edge and level-triggered +interrupts while maintaining backward compatibility with existing +configurations. It has been tested on the hardware device (not publicly +available), and it can properly trigger the RX and TX interrupt handling +in both the INTM=0 and INTM=2 configurations. 
+ +Fixes: d6ddfacd95c7 ("net: stmmac: Add DMA related callbacks for XGMAC2") +Tested-by: EricChan +Signed-off-by: EricChan +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250703020449.105730-1-chenchuangyu@xiaomi.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../ethernet/stmicro/stmmac/dwxgmac2_dma.c | 24 +++++++++---------- + 1 file changed, 11 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c +index dd2ab6185c40e..05ea74e937939 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c +@@ -364,19 +364,17 @@ static int dwxgmac2_dma_interrupt(struct stmmac_priv *priv, + } + + /* TX/RX NORMAL interrupts */ +- if (likely(intr_status & XGMAC_NIS)) { +- if (likely(intr_status & XGMAC_RI)) { +- u64_stats_update_begin(&stats->syncp); +- u64_stats_inc(&stats->rx_normal_irq_n[chan]); +- u64_stats_update_end(&stats->syncp); +- ret |= handle_rx; +- } +- if (likely(intr_status & (XGMAC_TI | XGMAC_TBU))) { +- u64_stats_update_begin(&stats->syncp); +- u64_stats_inc(&stats->tx_normal_irq_n[chan]); +- u64_stats_update_end(&stats->syncp); +- ret |= handle_tx; +- } ++ if (likely(intr_status & XGMAC_RI)) { ++ u64_stats_update_begin(&stats->syncp); ++ u64_stats_inc(&stats->rx_normal_irq_n[chan]); ++ u64_stats_update_end(&stats->syncp); ++ ret |= handle_rx; ++ } ++ if (likely(intr_status & (XGMAC_TI | XGMAC_TBU))) { ++ u64_stats_update_begin(&stats->syncp); ++ u64_stats_inc(&stats->tx_normal_irq_n[chan]); ++ u64_stats_update_end(&stats->syncp); ++ ret |= handle_tx; + } + + /* Clear interrupts */ +-- +2.39.5 + diff --git a/queue-6.6/netlink-fix-wraparounds-of-sk-sk_rmem_alloc.patch b/queue-6.6/netlink-fix-wraparounds-of-sk-sk_rmem_alloc.patch new file mode 100644 index 0000000000..c24a7ad6b6 --- /dev/null +++ b/queue-6.6/netlink-fix-wraparounds-of-sk-sk_rmem_alloc.patch 
@@ -0,0 +1,200 @@ +From 6e647bbcb3c7a958d146d3b0d66c7547b58f50b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Jul 2025 05:48:18 +0000 +Subject: netlink: Fix wraparounds of sk->sk_rmem_alloc. + +From: Kuniyuki Iwashima + +[ Upstream commit ae8f160e7eb24240a2a79fc4c815c6a0d4ee16cc ] + +Netlink has this pattern in some places + + if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf) + atomic_add(skb->truesize, &sk->sk_rmem_alloc); + +, which has the same problem fixed by commit 5a465a0da13e ("udp: +Fix multiple wraparounds of sk->sk_rmem_alloc."). + +For example, if we set INT_MAX to SO_RCVBUFFORCE, the condition +is always false as the two operands are of int. + +Then, a single socket can eat as many skb as possible until OOM +happens, and we can see multiple wraparounds of sk->sk_rmem_alloc. + +Let's fix it by using atomic_add_return() and comparing the two +variables as unsigned int. + +Before: + [root@fedora ~]# ss -f netlink + Recv-Q Send-Q Local Address:Port Peer Address:Port + -1668710080 0 rtnl:nl_wraparound/293 * + +After: + [root@fedora ~]# ss -f netlink + Recv-Q Send-Q Local Address:Port Peer Address:Port + 2147483072 0 rtnl:nl_wraparound/290 * + ^ + `--- INT_MAX - 576 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Jason Baron +Closes: https://lore.kernel.org/netdev/cover.1750285100.git.jbaron@akamai.com/ +Signed-off-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20250704054824.1580222-1-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/netlink/af_netlink.c | 81 ++++++++++++++++++++++++---------------- + 1 file changed, 49 insertions(+), 32 deletions(-) + +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index 4aa2cbe9d6fa6..6476640b6b1ec 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -387,7 +387,6 @@ static void netlink_skb_set_owner_r(struct sk_buff *skb, struct sock *sk) + WARN_ON(skb->sk != NULL); + skb->sk = sk; + skb->destructor = 
netlink_skb_destructor; +- atomic_add(skb->truesize, &sk->sk_rmem_alloc); + sk_mem_charge(sk, skb->truesize); + } + +@@ -1223,41 +1222,48 @@ static struct sk_buff *netlink_alloc_large_skb(unsigned int size, + int netlink_attachskb(struct sock *sk, struct sk_buff *skb, + long *timeo, struct sock *ssk) + { ++ DECLARE_WAITQUEUE(wait, current); + struct netlink_sock *nlk; ++ unsigned int rmem; + + nlk = nlk_sk(sk); ++ rmem = atomic_add_return(skb->truesize, &sk->sk_rmem_alloc); + +- if ((atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf || +- test_bit(NETLINK_S_CONGESTED, &nlk->state))) { +- DECLARE_WAITQUEUE(wait, current); +- if (!*timeo) { +- if (!ssk || netlink_is_kernel(ssk)) +- netlink_overrun(sk); +- sock_put(sk); +- kfree_skb(skb); +- return -EAGAIN; +- } +- +- __set_current_state(TASK_INTERRUPTIBLE); +- add_wait_queue(&nlk->wait, &wait); ++ if ((rmem == skb->truesize || rmem < READ_ONCE(sk->sk_rcvbuf)) && ++ !test_bit(NETLINK_S_CONGESTED, &nlk->state)) { ++ netlink_skb_set_owner_r(skb, sk); ++ return 0; ++ } + +- if ((atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf || +- test_bit(NETLINK_S_CONGESTED, &nlk->state)) && +- !sock_flag(sk, SOCK_DEAD)) +- *timeo = schedule_timeout(*timeo); ++ atomic_sub(skb->truesize, &sk->sk_rmem_alloc); + +- __set_current_state(TASK_RUNNING); +- remove_wait_queue(&nlk->wait, &wait); ++ if (!*timeo) { ++ if (!ssk || netlink_is_kernel(ssk)) ++ netlink_overrun(sk); + sock_put(sk); ++ kfree_skb(skb); ++ return -EAGAIN; ++ } + +- if (signal_pending(current)) { +- kfree_skb(skb); +- return sock_intr_errno(*timeo); +- } +- return 1; ++ __set_current_state(TASK_INTERRUPTIBLE); ++ add_wait_queue(&nlk->wait, &wait); ++ rmem = atomic_read(&sk->sk_rmem_alloc); ++ ++ if (((rmem && rmem + skb->truesize > READ_ONCE(sk->sk_rcvbuf)) || ++ test_bit(NETLINK_S_CONGESTED, &nlk->state)) && ++ !sock_flag(sk, SOCK_DEAD)) ++ *timeo = schedule_timeout(*timeo); ++ ++ __set_current_state(TASK_RUNNING); ++ remove_wait_queue(&nlk->wait, &wait); ++ sock_put(sk); 
++ ++ if (signal_pending(current)) { ++ kfree_skb(skb); ++ return sock_intr_errno(*timeo); + } +- netlink_skb_set_owner_r(skb, sk); +- return 0; ++ ++ return 1; + } + + static int __netlink_sendskb(struct sock *sk, struct sk_buff *skb) +@@ -1317,6 +1323,7 @@ static int netlink_unicast_kernel(struct sock *sk, struct sk_buff *skb, + ret = -ECONNREFUSED; + if (nlk->netlink_rcv != NULL) { + ret = skb->len; ++ atomic_add(skb->truesize, &sk->sk_rmem_alloc); + netlink_skb_set_owner_r(skb, sk); + NETLINK_CB(skb).sk = ssk; + netlink_deliver_tap_kernel(sk, ssk, skb); +@@ -1393,13 +1400,19 @@ EXPORT_SYMBOL_GPL(netlink_strict_get_check); + static int netlink_broadcast_deliver(struct sock *sk, struct sk_buff *skb) + { + struct netlink_sock *nlk = nlk_sk(sk); ++ unsigned int rmem, rcvbuf; + +- if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf && ++ rmem = atomic_add_return(skb->truesize, &sk->sk_rmem_alloc); ++ rcvbuf = READ_ONCE(sk->sk_rcvbuf); ++ ++ if ((rmem != skb->truesize || rmem <= rcvbuf) && + !test_bit(NETLINK_S_CONGESTED, &nlk->state)) { + netlink_skb_set_owner_r(skb, sk); + __netlink_sendskb(sk, skb); +- return atomic_read(&sk->sk_rmem_alloc) > (sk->sk_rcvbuf >> 1); ++ return rmem > (rcvbuf >> 1); + } ++ ++ atomic_sub(skb->truesize, &sk->sk_rmem_alloc); + return -1; + } + +@@ -2190,6 +2203,7 @@ static int netlink_dump(struct sock *sk, bool lock_taken) + struct module *module; + int err = -ENOBUFS; + int alloc_min_size; ++ unsigned int rmem; + int alloc_size; + + if (!lock_taken) +@@ -2199,9 +2213,6 @@ static int netlink_dump(struct sock *sk, bool lock_taken) + goto errout_skb; + } + +- if (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf) +- goto errout_skb; +- + /* NLMSG_GOODSIZE is small to avoid high order allocations being + * required, but it makes sense to _attempt_ a 16K bytes allocation + * to reduce number of system calls on dump operations, if user +@@ -2224,6 +2235,12 @@ static int netlink_dump(struct sock *sk, bool lock_taken) + if (!skb) + goto 
errout_skb; + ++ rmem = atomic_add_return(skb->truesize, &sk->sk_rmem_alloc); ++ if (rmem >= READ_ONCE(sk->sk_rcvbuf)) { ++ atomic_sub(skb->truesize, &sk->sk_rmem_alloc); ++ goto errout_skb; ++ } ++ + /* Trim skb to allocated size. User is expected to provide buffer as + * large as max(min_dump_alloc, 16KiB (mac_recvmsg_len capped at + * netlink_recvmsg())). dump will pack as many smaller messages as +-- +2.39.5 + diff --git a/queue-6.6/perf-core-fix-the-warn_on_once-is-out-of-lock-protec.patch b/queue-6.6/perf-core-fix-the-warn_on_once-is-out-of-lock-protec.patch new file mode 100644 index 0000000000..0851ebcbb9 --- /dev/null +++ b/queue-6.6/perf-core-fix-the-warn_on_once-is-out-of-lock-protec.patch 
@@ -0,0 +1,48 @@ +From ed2e19d708ba6a8f0e5ac23ff86b1a34810c8f3e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jun 2025 13:54:03 +0000 +Subject: perf/core: Fix the WARN_ON_ONCE is out of lock protected region + +From: Luo Gengkun + +[ Upstream commit 7b4c5a37544ba22c6ebe72c0d4ea56c953459fa5 ] + +commit 3172fb986666 ("perf/core: Fix WARN in perf_cgroup_switch()") try to +fix a concurrency problem between perf_cgroup_switch and +perf_cgroup_event_disable. But it does not to move the WARN_ON_ONCE into +lock-protected region, so the warning is still be triggered. + +Fixes: 3172fb986666 ("perf/core: Fix WARN in perf_cgroup_switch()") +Signed-off-by: Luo Gengkun +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20250626135403.2454105-1-luogengkun@huaweicloud.com +Signed-off-by: Sasha Levin +--- + kernel/events/core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 873b17545717c..5c6da8bd03b10 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -873,8 +873,6 @@ static void perf_cgroup_switch(struct task_struct *task) + if (READ_ONCE(cpuctx->cgrp) == NULL) + return; + +- WARN_ON_ONCE(cpuctx->ctx.nr_cgroups == 0); +- + cgrp = perf_cgroup_from_task(task, NULL); + if (READ_ONCE(cpuctx->cgrp) == cgrp) + return; +@@ -886,6 +884,8 @@ static void perf_cgroup_switch(struct task_struct *task) + if (READ_ONCE(cpuctx->cgrp) == NULL) + return; + ++ WARN_ON_ONCE(cpuctx->ctx.nr_cgroups == 0); ++ + perf_ctx_disable(&cpuctx->ctx, true); + + ctx_sched_out(&cpuctx->ctx, EVENT_ALL|EVENT_CGROUP); +-- +2.39.5 + diff --git a/queue-6.6/perf-revert-to-requiring-cap_sys_admin-for-uprobes.patch b/queue-6.6/perf-revert-to-requiring-cap_sys_admin-for-uprobes.patch new file mode 100644 index 0000000000..e5da060c31 --- /dev/null +++ b/queue-6.6/perf-revert-to-requiring-cap_sys_admin-for-uprobes.patch 
@@ -0,0 +1,46 @@ +From 180b4f37eaec234f280bb288e3156da95ee77744 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jul 2025 18:21:44 +0200 +Subject: perf: Revert to requiring CAP_SYS_ADMIN for uprobes + +From: Peter Zijlstra + +[ Upstream commit ba677dbe77af5ffe6204e0f3f547f3ba059c6302 ] + +Jann reports that uprobes can be used destructively when used in the +middle of an instruction. The kernel only verifies there is a valid +instruction at the requested offset, but due to variable instruction +length cannot determine if this is an instruction as seen by the +intended execution stream. + +Additionally, Mark Rutland notes that on architectures that mix data +in the text segment (like arm64), a similar things can be done if the +data word is 'mistaken' for an instruction. + +As such, require CAP_SYS_ADMIN for uprobes. + +Fixes: c9e0924e5c2b ("perf/core: open access to probes for CAP_PERFMON privileged process") +Reported-by: Jann Horn +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/CAG48ez1n4520sq0XrWYDHKiKxE_+WCfAK+qt9qkY4ZiBGmL-5g@mail.gmail.com +Signed-off-by: Sasha Levin +--- + kernel/events/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 5c6da8bd03b10..3a33d9c1b1b2b 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -10473,7 +10473,7 @@ static int perf_uprobe_event_init(struct perf_event *event) + if (event->attr.type != perf_uprobe.type) + return -ENOENT; + +- if (!perfmon_capable()) ++ if (!capable(CAP_SYS_ADMIN)) + return -EACCES; + + /* +-- +2.39.5 + diff --git a/queue-6.6/pinctrl-amd-clear-gpio-debounce-for-suspend.patch b/queue-6.6/pinctrl-amd-clear-gpio-debounce-for-suspend.patch new file mode 100644 index 0000000000..976ebb1bd3 --- /dev/null +++ b/queue-6.6/pinctrl-amd-clear-gpio-debounce-for-suspend.patch 
@@ -0,0 +1,57 @@ +From df592f40dffa25b34a8875fc5c80c26f00448e79 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Jun 2025 10:01:46 -0500 +Subject: pinctrl: amd: Clear GPIO debounce for suspend + +From: Mario Limonciello + +[ Upstream commit 8ff4fb276e2384a87ae7f65f3c28e1e139dbb3fe ] + +soc-button-array hardcodes a debounce value by means of gpio_keys +which uses pinctrl-amd as a backend to program debounce for a GPIO. + +This hardcoded value doesn't match what the firmware intended to be +programmed in _AEI. The hardcoded debounce leads to problems waking +from suspend. There isn't appetite to conditionalize the behavior in +soc-button-array or gpio-keys so clear it when the system suspends to +avoid problems with being able to resume. + +Cc: Dmitry Torokhov +Cc: Hans de Goede +Fixes: 5c4fa2a6da7fb ("Input: soc_button_array - debounce the buttons") +Link: https://lore.kernel.org/linux-input/mkgtrb5gt7miyg6kvqdlbu4nj3elym6ijudobpdi26gp4xxay5@rsa6ytrjvj2q/ +Link: https://lore.kernel.org/linux-input/20250625215813.3477840-1-superm1@kernel.org/ +Signed-off-by: Mario Limonciello +Reviewed-by: Hans de Goede +Link: https://lore.kernel.org/20250627150155.3311574-1-superm1@kernel.org +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-amd.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/drivers/pinctrl/pinctrl-amd.c b/drivers/pinctrl/pinctrl-amd.c +index 75bff325a4251..ba38173d3ed3c 100644 +--- a/drivers/pinctrl/pinctrl-amd.c ++++ b/drivers/pinctrl/pinctrl-amd.c +@@ -933,6 +933,17 @@ static int amd_gpio_suspend_hibernate_common(struct device *dev, bool is_suspend + pin, is_suspend ? "suspend" : "hibernate"); + } + ++ /* ++ * debounce enabled over suspend has shown issues with a GPIO ++ * being unable to wake the system, as we're only interested in ++ * the actual wakeup event, clear it. 
++ */ ++ if (gpio_dev->saved_regs[i] & (DB_CNTRl_MASK << DB_CNTRL_OFF)) { ++ amd_gpio_set_debounce(gpio_dev, pin, 0); ++ pm_pr_dbg("Clearing debounce for GPIO #%d during %s.\n", ++ pin, is_suspend ? "suspend" : "hibernate"); ++ } ++ + raw_spin_unlock_irqrestore(&gpio_dev->lock, flags); + } + +-- +2.39.5 + diff --git a/queue-6.6/rxrpc-fix-bug-due-to-prealloc-collision.patch b/queue-6.6/rxrpc-fix-bug-due-to-prealloc-collision.patch new file mode 100644 index 0000000000..559546cf8f --- /dev/null +++ b/queue-6.6/rxrpc-fix-bug-due-to-prealloc-collision.patch 
@@ -0,0 +1,57 @@ +From 14f14d329c3785f49d7bdb69ff3690dbfd4f59a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Jul 2025 22:15:03 +0100 +Subject: rxrpc: Fix bug due to prealloc collision + +From: David Howells + +[ Upstream commit 69e4186773c6445b258fb45b6e1df18df831ec45 ] + +When userspace is using AF_RXRPC to provide a server, it has to preallocate +incoming calls and assign to them call IDs that will be used to thread +related recvmsg() and sendmsg() together. The preallocated call IDs will +automatically be attached to calls as they come in until the pool is empty. + +To the kernel, the call IDs are just arbitrary numbers, but userspace can +use the call ID to hold a pointer to prepared structs. In any case, the +user isn't permitted to create two calls with the same call ID (call IDs +become available again when the call ends) and EBADSLT should result from +sendmsg() if an attempt is made to preallocate a call with an in-use call +ID. + +However, the cleanup in the error handling will trigger both assertions in +rxrpc_cleanup_call() because the call isn't marked complete and isn't +marked as having been released. + +Fix this by setting the call state in rxrpc_service_prealloc_one() and then +marking it as being released before calling the cleanup function. 
+ +Fixes: 00e907127e6f ("rxrpc: Preallocate peers, conns and calls for incoming service requests") +Reported-by: Junvyyang, Tencent Zhuque Lab +Signed-off-by: David Howells +cc: LePremierHomme +cc: Marc Dionne +cc: Simon Horman +cc: linux-afs@lists.infradead.org +Link: https://patch.msgid.link/20250708211506.2699012-2-dhowells@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/rxrpc/call_accept.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/rxrpc/call_accept.c b/net/rxrpc/call_accept.c +index 0f5a1d77b890f..65ef58ab7aa0c 100644 +--- a/net/rxrpc/call_accept.c ++++ b/net/rxrpc/call_accept.c +@@ -149,6 +149,7 @@ static int rxrpc_service_prealloc_one(struct rxrpc_sock *rx, + + id_in_use: + write_unlock(&rx->call_lock); ++ rxrpc_prefail_call(call, RXRPC_CALL_LOCAL_ERROR, -EBADSLT); + rxrpc_cleanup_call(call); + _leave(" = -EBADSLT"); + return -EBADSLT; +-- +2.39.5 + diff --git a/queue-6.6/series b/queue-6.6/series index 616c514170..48d199db90 100644 --- a/queue-6.6/series +++ b/queue-6.6/series 
@@ -1,2 +1,27 @@ eventpoll-don-t-decrement-ep-refcount-while-still-holding-the-ep-mutex.patch drm-exynos-exynos7_drm_decon-add-vblank-check-in-irq-handling.patch +asoc-fsl_asrc-use-internal-measured-ratio-for-non-id.patch +perf-core-fix-the-warn_on_once-is-out-of-lock-protec.patch +perf-revert-to-requiring-cap_sys_admin-for-uprobes.patch +asoc-cs35l56-probe-should-fail-if-the-device-id-is-n.patch +bluetooth-hci_sync-fix-not-disabling-advertising-ins.patch +bluetooth-hci_event-fix-not-marking-broadcast-sink-b.patch +pinctrl-amd-clear-gpio-debounce-for-suspend.patch +fix-proc_sys_compare-handling-of-in-lookup-dentries.patch +netlink-fix-wraparounds-of-sk-sk_rmem_alloc.patch +vsock-fix-vsock_proto-declaration.patch +tipc-fix-use-after-free-in-tipc_conn_close.patch +tcp-correct-signedness-in-skb-remaining-space-calcul.patch +vsock-fix-transport_-g2h-h2g-toctou.patch +vsock-fix-transport_-toctou.patch +vsock-fix-ioctl_vm_sockets_get_local_cid-to-check-al.patch +net-stmmac-fix-interrupt-handling-for-level-triggere.patch +net-phy-smsc-fix-auto-mdix-configuration-when-disabl.patch +net-phy-smsc-force-predictable-mdi-x-state-on-lan87x.patch +net-phy-smsc-fix-link-failure-in-forced-mode-with-au.patch +atm-clip-fix-potential-null-ptr-deref-in-to_atmarpd.patch +atm-clip-fix-memory-leak-of-struct-clip_vcc.patch +atm-clip-fix-infinite-recursive-call-of-clip_push.patch +atm-clip-fix-null-pointer-dereference-in-vcc_sendmsg.patch +net-sched-abort-__tc_modify_qdisc-if-parent-class-do.patch +rxrpc-fix-bug-due-to-prealloc-collision.patch diff --git a/queue-6.6/tcp-correct-signedness-in-skb-remaining-space-calcul.patch b/queue-6.6/tcp-correct-signedness-in-skb-remaining-space-calcul.patch new file mode 100644 index 0000000000..9a2a1a9877 --- /dev/null +++ b/queue-6.6/tcp-correct-signedness-in-skb-remaining-space-calcul.patch 
@@ -0,0 +1,76 @@ +From bf6296a9e082726cdf8ca278eb0f66d91ea15bc5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Jul 2025 13:41:11 +0800 +Subject: tcp: Correct signedness in skb remaining space calculation + +From: Jiayuan Chen + +[ Upstream commit d3a5f2871adc0c61c61869f37f3e697d97f03d8c ] + +Syzkaller reported a bug [1] where sk->sk_forward_alloc can overflow. + +When we send data, if an skb exists at the tail of the write queue, the +kernel will attempt to append the new data to that skb. However, the code +that checks for available space in the skb is flawed: +''' +copy = size_goal - skb->len +''' + +The types of the variables involved are: +''' +copy: ssize_t (s64 on 64-bit systems) +size_goal: int +skb->len: unsigned int +''' + +Due to C's type promotion rules, the signed size_goal is converted to an +unsigned int to match skb->len before the subtraction. The result is an +unsigned int. + +When this unsigned int result is then assigned to the s64 copy variable, +it is zero-extended, preserving its non-negative value. Consequently, copy +is always >= 0. + +Assume we are sending 2GB of data and size_goal has been adjusted to a +value smaller than skb->len. The subtraction will result in copy holding a +very large positive integer. In the subsequent logic, this large value is +used to update sk->sk_forward_alloc, which can easily cause it to overflow. + +The syzkaller reproducer uses TCP_REPAIR to reliably create this +condition. However, this can also occur in real-world scenarios. The +tcp_bound_to_half_wnd() function can also reduce size_goal to a small +value. This would cause the subsequent tcp_wmem_schedule() to set +sk->sk_forward_alloc to a value close to INT_MAX. Further memory +allocation requests would then cause sk_forward_alloc to wrap around and +become negative. 
+ +[1]: https://syzkaller.appspot.com/bug?extid=de6565462ab540f50e47 + +Reported-by: syzbot+de6565462ab540f50e47@syzkaller.appspotmail.com +Fixes: 270a1c3de47e ("tcp: Support MSG_SPLICE_PAGES") +Signed-off-by: Jiayuan Chen +Reviewed-by: Eric Dumazet +Reviewed-by: David Howells +Link: https://patch.msgid.link/20250707054112.101081-1-jiayuan.chen@linux.dev +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index ff22060f9145f..a4bbe959d1e25 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -1132,7 +1132,7 @@ int tcp_sendmsg_locked(struct sock *sk, struct msghdr *msg, size_t size) + goto do_error; + + while (msg_data_left(msg)) { +- ssize_t copy = 0; ++ int copy = 0; + + skb = tcp_write_queue_tail(sk); + if (skb) +-- +2.39.5 + diff --git a/queue-6.6/tipc-fix-use-after-free-in-tipc_conn_close.patch b/queue-6.6/tipc-fix-use-after-free-in-tipc_conn_close.patch new file mode 100644 index 0000000000..e4ae9e26bc --- /dev/null +++ b/queue-6.6/tipc-fix-use-after-free-in-tipc_conn_close.patch 
@@ -0,0 +1,123 @@ +From 21de16f02872eaff3028d62a41997cb0e7d1e7b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jul 2025 01:43:40 +0000 +Subject: tipc: Fix use-after-free in tipc_conn_close(). + +From: Kuniyuki Iwashima + +[ Upstream commit 667eeab4999e981c96b447a4df5f20bdf5c26f13 ] + +syzbot reported a null-ptr-deref in tipc_conn_close() during netns +dismantle. [0] + +tipc_topsrv_stop() iterates tipc_net(net)->topsrv->conn_idr and calls +tipc_conn_close() for each tipc_conn. + +The problem is that tipc_conn_close() is called after releasing the +IDR lock. + +At the same time, there might be tipc_conn_recv_work() running and it +could call tipc_conn_close() for the same tipc_conn and release its +last ->kref. + +Once we release the IDR lock in tipc_topsrv_stop(), there is no +guarantee that the tipc_conn is alive. + +Let's hold the ref before releasing the lock and put the ref after +tipc_conn_close() in tipc_topsrv_stop(). + +[0]: +BUG: KASAN: use-after-free in tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165 +Read of size 8 at addr ffff888099305a08 by task kworker/u4:3/435 + +CPU: 0 PID: 435 Comm: kworker/u4:3 Not tainted 4.19.204-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Workqueue: netns cleanup_net +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x1fc/0x2ef lib/dump_stack.c:118 + print_address_description.cold+0x54/0x219 mm/kasan/report.c:256 + kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354 + kasan_report mm/kasan/report.c:412 [inline] + __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433 + tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165 + tipc_topsrv_stop net/tipc/topsrv.c:701 [inline] + tipc_topsrv_exit_net+0x27b/0x5c0 net/tipc/topsrv.c:722 + ops_exit_list+0xa5/0x150 net/core/net_namespace.c:153 + cleanup_net+0x3b4/0x8b0 net/core/net_namespace.c:553 + process_one_work+0x864/0x1570 kernel/workqueue.c:2153 + worker_thread+0x64c/0x1130 
kernel/workqueue.c:2296 + kthread+0x33f/0x460 kernel/kthread.c:259 + ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 + +Allocated by task 23: + kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625 + kmalloc include/linux/slab.h:515 [inline] + kzalloc include/linux/slab.h:709 [inline] + tipc_conn_alloc+0x43/0x4f0 net/tipc/topsrv.c:192 + tipc_topsrv_accept+0x1b5/0x280 net/tipc/topsrv.c:470 + process_one_work+0x864/0x1570 kernel/workqueue.c:2153 + worker_thread+0x64c/0x1130 kernel/workqueue.c:2296 + kthread+0x33f/0x460 kernel/kthread.c:259 + ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 + +Freed by task 23: + __cache_free mm/slab.c:3503 [inline] + kfree+0xcc/0x210 mm/slab.c:3822 + tipc_conn_kref_release net/tipc/topsrv.c:150 [inline] + kref_put include/linux/kref.h:70 [inline] + conn_put+0x2cd/0x3a0 net/tipc/topsrv.c:155 + process_one_work+0x864/0x1570 kernel/workqueue.c:2153 + worker_thread+0x64c/0x1130 kernel/workqueue.c:2296 + kthread+0x33f/0x460 kernel/kthread.c:259 + ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 + +The buggy address belongs to the object at ffff888099305a00 + which belongs to the cache kmalloc-512 of size 512 +The buggy address is located 8 bytes inside of + 512-byte region [ffff888099305a00, ffff888099305c00) +The buggy address belongs to the page: +page:ffffea000264c140 count:1 mapcount:0 mapping:ffff88813bff0940 index:0x0 +flags: 0xfff00000000100(slab) +raw: 00fff00000000100 ffffea00028b6b88 ffffea0002cd2b08 ffff88813bff0940 +raw: 0000000000000000 ffff888099305000 0000000100000006 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff888099305900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff888099305980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +>ffff888099305a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff888099305a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff888099305b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb 
+ +Fixes: c5fa7b3cf3cb ("tipc: introduce new TIPC server infrastructure") +Reported-by: syzbot+d333febcf8f4bc5f6110@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=27169a847a70550d17be +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Tung Nguyen +Link: https://patch.msgid.link/20250702014350.692213-1-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/tipc/topsrv.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/tipc/topsrv.c b/net/tipc/topsrv.c +index 8ee0c07d00e9b..ffe577bf6b515 100644 +--- a/net/tipc/topsrv.c ++++ b/net/tipc/topsrv.c +@@ -704,8 +704,10 @@ static void tipc_topsrv_stop(struct net *net) + for (id = 0; srv->idr_in_use; id++) { + con = idr_find(&srv->conn_idr, id); + if (con) { ++ conn_get(con); + spin_unlock_bh(&srv->idr_lock); + tipc_conn_close(con); ++ conn_put(con); + spin_lock_bh(&srv->idr_lock); + } + } +-- +2.39.5 + diff --git a/queue-6.6/vsock-fix-ioctl_vm_sockets_get_local_cid-to-check-al.patch b/queue-6.6/vsock-fix-ioctl_vm_sockets_get_local_cid-to-check-al.patch new file mode 100644 index 0000000000..003ba561e9 --- /dev/null +++ b/queue-6.6/vsock-fix-ioctl_vm_sockets_get_local_cid-to-check-al.patch 
@@ -0,0 +1,40 @@ +From b498ef82bc95a9504c32d83497996e8240f3c8d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jul 2025 17:18:20 +0200 +Subject: vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also + `transport_local` + +From: Michal Luczaj + +[ Upstream commit 1e7d9df379a04ccd0c2f82f39fbb69d482e864cc ] + +Support returning VMADDR_CID_LOCAL in case no other vsock transport is +available. + +Fixes: 0e12190578d0 ("vsock: add local transport support in the vsock core") +Suggested-by: Stefano Garzarella +Reviewed-by: Stefano Garzarella +Signed-off-by: Michal Luczaj +Link: https://patch.msgid.link/20250703-vsock-transports-toctou-v4-3-98f0eb530747@rbox.co +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/af_vsock.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c +index 58b7404a0da05..f20b117e5255e 100644 +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -2436,6 +2436,8 @@ static long vsock_dev_do_ioctl(struct file *filp, + cid = vsock_registered_transport_cid(&transport_g2h); + if (cid == VMADDR_CID_ANY) + cid = vsock_registered_transport_cid(&transport_h2g); ++ if (cid == VMADDR_CID_ANY) ++ cid = vsock_registered_transport_cid(&transport_local); + + if (put_user(cid, p) != 0) + retval = -EFAULT; +-- +2.39.5 + diff --git a/queue-6.6/vsock-fix-transport_-g2h-h2g-toctou.patch b/queue-6.6/vsock-fix-transport_-g2h-h2g-toctou.patch new file mode 100644 index 0000000000..01d1d89773 --- /dev/null +++ b/queue-6.6/vsock-fix-transport_-g2h-h2g-toctou.patch 
@@ -0,0 +1,100 @@ +From 98fd05c9bcbbc701fcb357f058bee9b5a2e09d13 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jul 2025 17:18:18 +0200 +Subject: vsock: Fix transport_{g2h,h2g} TOCTOU + +From: Michal Luczaj + +[ Upstream commit 209fd720838aaf1420416494c5505096478156b4 ] + +vsock_find_cid() and vsock_dev_do_ioctl() may race with module unload. +transport_{g2h,h2g} may become NULL after the NULL check. + +Introduce vsock_transport_local_cid() to protect from a potential +null-ptr-deref. + +KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f] +RIP: 0010:vsock_find_cid+0x47/0x90 +Call Trace: + __vsock_bind+0x4b2/0x720 + vsock_bind+0x90/0xe0 + __sys_bind+0x14d/0x1e0 + __x64_sys_bind+0x6e/0xc0 + do_syscall_64+0x92/0x1c0 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + +KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f] +RIP: 0010:vsock_dev_do_ioctl.isra.0+0x58/0xf0 +Call Trace: + __x64_sys_ioctl+0x12d/0x190 + do_syscall_64+0x92/0x1c0 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + +Fixes: c0cfa2d8a788 ("vsock: add multi-transports support") +Suggested-by: Stefano Garzarella +Reviewed-by: Stefano Garzarella +Signed-off-by: Michal Luczaj +Link: https://patch.msgid.link/20250703-vsock-transports-toctou-v4-1-98f0eb530747@rbox.co +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/af_vsock.c | 27 +++++++++++++++++++++------ + 1 file changed, 21 insertions(+), 6 deletions(-) + +diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c +index f8f1a49689da6..dc62b30c0be5d 100644 +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -530,9 +530,25 @@ int vsock_assign_transport(struct vsock_sock *vsk, struct vsock_sock *psk) + } + EXPORT_SYMBOL_GPL(vsock_assign_transport); + ++/* ++ * Provide safe access to static transport_{h2g,g2h,dgram,local} callbacks. ++ * Otherwise we may race with module removal. Do not use on `vsk->transport`. 
++ */ ++static u32 vsock_registered_transport_cid(const struct vsock_transport **transport) ++{ ++ u32 cid = VMADDR_CID_ANY; ++ ++ mutex_lock(&vsock_register_mutex); ++ if (*transport) ++ cid = (*transport)->get_local_cid(); ++ mutex_unlock(&vsock_register_mutex); ++ ++ return cid; ++} ++ + bool vsock_find_cid(unsigned int cid) + { +- if (transport_g2h && cid == transport_g2h->get_local_cid()) ++ if (cid == vsock_registered_transport_cid(&transport_g2h)) + return true; + + if (transport_h2g && cid == VMADDR_CID_HOST) +@@ -2391,18 +2407,17 @@ static long vsock_dev_do_ioctl(struct file *filp, + unsigned int cmd, void __user *ptr) + { + u32 __user *p = ptr; +- u32 cid = VMADDR_CID_ANY; + int retval = 0; ++ u32 cid; + + switch (cmd) { + case IOCTL_VM_SOCKETS_GET_LOCAL_CID: + /* To be compatible with the VMCI behavior, we prioritize the + * guest CID instead of well-know host CID (VMADDR_CID_HOST). + */ +- if (transport_g2h) +- cid = transport_g2h->get_local_cid(); +- else if (transport_h2g) +- cid = transport_h2g->get_local_cid(); ++ cid = vsock_registered_transport_cid(&transport_g2h); ++ if (cid == VMADDR_CID_ANY) ++ cid = vsock_registered_transport_cid(&transport_h2g); + + if (put_user(cid, p) != 0) + retval = -EFAULT; +-- +2.39.5 + diff --git a/queue-6.6/vsock-fix-transport_-toctou.patch b/queue-6.6/vsock-fix-transport_-toctou.patch new file mode 100644 index 0000000000..767c019468 --- /dev/null +++ b/queue-6.6/vsock-fix-transport_-toctou.patch 
@@ -0,0 +1,108 @@ +From 7381eae63e8cfd7971060273591b53b34d8be074 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jul 2025 17:18:19 +0200 +Subject: vsock: Fix transport_* TOCTOU + +From: Michal Luczaj + +[ Upstream commit 687aa0c5581b8d4aa87fd92973e4ee576b550cdf ] + +Transport assignment may race with module unload. Protect new_transport +from becoming a stale pointer. + +This also takes care of an insecure call in vsock_use_local_transport(); +add a lockdep assert. + +BUG: unable to handle page fault for address: fffffbfff8056000 +Oops: Oops: 0000 [#1] SMP KASAN +RIP: 0010:vsock_assign_transport+0x366/0x600 +Call Trace: + vsock_connect+0x59c/0xc40 + __sys_connect+0xe8/0x100 + __x64_sys_connect+0x6e/0xc0 + do_syscall_64+0x92/0x1c0 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + +Fixes: c0cfa2d8a788 ("vsock: add multi-transports support") +Reviewed-by: Stefano Garzarella +Signed-off-by: Michal Luczaj +Link: https://patch.msgid.link/20250703-vsock-transports-toctou-v4-2-98f0eb530747@rbox.co +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/af_vsock.c | 28 +++++++++++++++++++++++----- + 1 file changed, 23 insertions(+), 5 deletions(-) + +diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c +index dc62b30c0be5d..58b7404a0da05 100644 +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -406,6 +406,8 @@ EXPORT_SYMBOL_GPL(vsock_enqueue_accept); + + static bool vsock_use_local_transport(unsigned int remote_cid) + { ++ lockdep_assert_held(&vsock_register_mutex); ++ + if (!transport_local) + return false; + +@@ -463,6 +465,8 @@ int vsock_assign_transport(struct vsock_sock *vsk, struct vsock_sock *psk) + + remote_flags = vsk->remote_addr.svm_flags; + ++ mutex_lock(&vsock_register_mutex); ++ + switch (sk->sk_type) { + case SOCK_DGRAM: + new_transport = transport_dgram; +@@ -478,12 +482,15 @@ int vsock_assign_transport(struct vsock_sock *vsk, struct vsock_sock *psk) + new_transport = transport_h2g; + break; + 
default: +- return -ESOCKTNOSUPPORT; ++ ret = -ESOCKTNOSUPPORT; ++ goto err; + } + + if (vsk->transport) { +- if (vsk->transport == new_transport) +- return 0; ++ if (vsk->transport == new_transport) { ++ ret = 0; ++ goto err; ++ } + + /* transport->release() must be called with sock lock acquired. + * This path can only be taken during vsock_connect(), where we +@@ -507,8 +514,16 @@ int vsock_assign_transport(struct vsock_sock *vsk, struct vsock_sock *psk) + /* We increase the module refcnt to prevent the transport unloading + * while there are open sockets assigned to it. + */ +- if (!new_transport || !try_module_get(new_transport->module)) +- return -ENODEV; ++ if (!new_transport || !try_module_get(new_transport->module)) { ++ ret = -ENODEV; ++ goto err; ++ } ++ ++ /* It's safe to release the mutex after a successful try_module_get(). ++ * Whichever transport `new_transport` points at, it won't go away until ++ * the last module_put() below or in vsock_deassign_transport(). ++ */ ++ mutex_unlock(&vsock_register_mutex); + + if (sk->sk_type == SOCK_SEQPACKET) { + if (!new_transport->seqpacket_allow || +@@ -527,6 +542,9 @@ int vsock_assign_transport(struct vsock_sock *vsk, struct vsock_sock *psk) + vsk->transport = new_transport; + + return 0; ++err: ++ mutex_unlock(&vsock_register_mutex); ++ return ret; + } + EXPORT_SYMBOL_GPL(vsock_assign_transport); + +-- +2.39.5 + diff --git a/queue-6.6/vsock-fix-vsock_proto-declaration.patch b/queue-6.6/vsock-fix-vsock_proto-declaration.patch new file mode 100644 index 0000000000..2d9d82c17e --- /dev/null +++ b/queue-6.6/vsock-fix-vsock_proto-declaration.patch 
@@ -0,0 +1,50 @@ +From f1f13db6de9ca3ff184d51a490805c484747dccd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jul 2025 13:23:29 +0200 +Subject: vsock: fix `vsock_proto` declaration + +From: Stefano Garzarella + +[ Upstream commit 1e3b66e326015f77bc4b36976bebeedc2ac0f588 ] + +From commit 634f1a7110b4 ("vsock: support sockmap"), `struct proto +vsock_proto`, defined in af_vsock.c, is not static anymore, since it's +used by vsock_bpf.c. + +If CONFIG_BPF_SYSCALL is not defined, `make C=2` will print a warning: + $ make O=build C=2 W=1 net/vmw_vsock/ + ... + CC [M] net/vmw_vsock/af_vsock.o + CHECK ../net/vmw_vsock/af_vsock.c + ../net/vmw_vsock/af_vsock.c:123:14: warning: symbol 'vsock_proto' was not declared. Should it be static? + +Declare `vsock_proto` regardless of CONFIG_BPF_SYSCALL, since it's defined +in af_vsock.c, which is built regardless of CONFIG_BPF_SYSCALL. + +Fixes: 634f1a7110b4 ("vsock: support sockmap") +Signed-off-by: Stefano Garzarella +Acked-by: Michael S. Tsirkin +Link: https://patch.msgid.link/20250703112329.28365-1-sgarzare@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/af_vsock.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/net/af_vsock.h b/include/net/af_vsock.h +index f8b09a82f62e1..1820b87b8b7ff 100644 +--- a/include/net/af_vsock.h ++++ b/include/net/af_vsock.h +@@ -236,8 +236,8 @@ int __vsock_dgram_recvmsg(struct socket *sock, struct msghdr *msg, + int vsock_dgram_recvmsg(struct socket *sock, struct msghdr *msg, + size_t len, int flags); + +-#ifdef CONFIG_BPF_SYSCALL + extern struct proto vsock_proto; ++#ifdef CONFIG_BPF_SYSCALL + int vsock_bpf_update_proto(struct sock *sk, struct sk_psock *psock, bool restore); + void __init vsock_bpf_build_proto(void); + #else +-- +2.39.5 +
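Review bot: In the net/tipc/topsrv.c hunk (tipc_topsrv_stop(), @@ -704,8 +704,10), the new conn_get(con) / conn_put(con) pair around tipc_conn_close(con) carries no comment saying what it protects, and the conn_put() runs in the window where idr_lock is dropped. The "Freed by task 23" trace in the commit message shows conn_put() reaching tipc_conn_kref_release() and kfree() from a workqueue worker, so this reference appears to be the only thing keeping con valid once spin_unlock_bh() has run. A one-line comment above conn_get() saying so would keep a later cleanup from removing the pair. Please also confirm that this conn_put() may be the final put, so that the release path is safe to run from here without idr_lock held.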
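Review bot: In the IOCTL_VM_SOCKETS_GET_LOCAL_CID patch (net/vmw_vsock/af_vsock.c, vsock_dev_do_ioctl(), @@ -2436,6 +2436,8), the transport_local fallback is added without touching the comment above the chain, which in the transport_{g2h,h2g} patch on this page only documents guest-over-host priority. Suggest extending that comment to state the full order: g2h, then h2g, then local. Each of the three vsock_registered_transport_cid() calls takes and drops vsock_register_mutex on its own, so the chain is not evaluated atomically. That looks acceptable for an informational ioctl, but it is worth saying so in the comment. If no transport is registered at all, cid is still VMADDR_CID_ANY when it reaches put_user(cid, p) and retval stays 0; please state whether that is intended.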
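Review bot: In the transport_{g2h,h2g} TOCTOU patch, first hunk (@@ -530,9 +530,25, vsock_find_cid()), the rewritten test changes the result for cid == VMADDR_CID_ANY. The old code skipped the comparison when transport_g2h was NULL; the new helper returns VMADDR_CID_ANY in that case, so "if (cid == vsock_registered_transport_cid(&transport_g2h)) return true;" now returns true for VMADDR_CID_ANY whenever no g2h transport is registered. Please confirm that no caller passes VMADDR_CID_ANY, or check for it explicitly before the comparison. The following unchanged line, "if (transport_h2g && cid == VMADDR_CID_HOST)", still reads transport_h2g without vsock_register_mutex. It does not dereference the pointer, so it cannot hit the null-ptr-deref from the commit message, but a short comment explaining why the unlocked read is acceptable would help the next reader.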
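Review bot: In the transport_{g2h,h2g} TOCTOU patch, second hunk (@@ -2391,18 +2407,17, vsock_dev_do_ioctl()), the fallback condition changes from "g2h is not registered" to "g2h returned VMADDR_CID_ANY". Previously a registered transport_g2h always supplied the result; now a registered g2h whose get_local_cid() returns VMADDR_CID_ANY falls through to transport_h2g. If that is intended, the comment about prioritizing the guest CID should say so; if not, the helper needs a way to distinguish "no transport" from "transport returned VMADDR_CID_ANY". Separately, "u32 cid;" loses its initializer, which is fine for the case shown but leaves it unset for any other branch of the switch that might read it.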
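Review bot: In the transport_* TOCTOU patch, hunk @@ -478,12 +482,15 (vsock_assign_transport()), the success path "vsk->transport == new_transport" now does "ret = 0; goto err;", so a label named err is reached on a non-error return. Since the label only drops vsock_register_mutex and returns ret, a neutral name such as unlock or out would read better and avoid someone later adding error-only cleanup under it.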
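Review bot: In the transport_* TOCTOU patch, hunk @@ -507,8 +514,16 (vsock_assign_transport()), the mutex is released right after a successful try_module_get(), while the err label added at the end of the function unconditionally calls mutex_unlock(&vsock_register_mutex). Any failure path after this point, such as the SOCK_SEQPACKET check visible in the trailing context, must therefore return directly and never jump to err, or the mutex is unlocked twice. The new comment explains why dropping the lock is safe; please add one sentence, here or at the label, saying that err is only valid while the mutex is held.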
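Review bot: In the vsock_proto declaration patch (include/net/af_vsock.h, @@ -236,8 +236,8), "extern struct proto vsock_proto;" now sits directly above "#ifdef CONFIG_BPF_SYSCALL" with nothing to show that the placement is deliberate. A short comment noting that the symbol is defined in af_vsock.c, which is built regardless of CONFIG_BPF_SYSCALL, plus a blank line before the #ifdef, would keep a later tidy-up from moving the declaration back inside the conditional and reintroducing the sparse warning quoted in the commit message.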