From: Sasha Levin Date: Mon, 21 Jul 2025 12:47:48 +0000 (-0400) Subject: Fixes for 6.1 X-Git-Tag: v6.1.147~55 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5e2d39ae89f00d513c38ea7c7961a0aa314c55dc;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.1 Signed-off-by: Sasha Levin --- diff --git a/queue-6.1/bluetooth-btusb-qca-fix-downloading-wrong-nvm-for-wc.patch b/queue-6.1/bluetooth-btusb-qca-fix-downloading-wrong-nvm-for-wc.patch new file mode 100644 index 0000000000..6f7005a5c4 --- /dev/null +++ b/queue-6.1/bluetooth-btusb-qca-fix-downloading-wrong-nvm-for-wc.patch @@ -0,0 +1,128 @@ +From 9547bf83906b5f435589a841b73468dfdb11b7d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jul 2025 20:40:13 +0800 +Subject: Bluetooth: btusb: QCA: Fix downloading wrong NVM for WCN6855 GF + variant without board ID + +From: Zijun Hu + +[ Upstream commit 43015955795a619f7ca4ae69b9c0ffc994c82818 ] + +For GF variant of WCN6855 without board ID programmed +btusb_generate_qca_nvm_name() will chose wrong NVM +'qca/nvm_usb_00130201.bin' to download. + +Fix by choosing right NVM 'qca/nvm_usb_00130201_gf.bin'. +Also simplify NVM choice logic of btusb_generate_qca_nvm_name(). + +Fixes: d6cba4e6d0e2 ("Bluetooth: btusb: Add support using different nvm for variant WCN6855 controller") +Signed-off-by: Zijun Hu +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btusb.c | 78 ++++++++++++++++++++++----------------- + 1 file changed, 44 insertions(+), 34 deletions(-) + +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c +index 25adb3ac40eb8..8bb1162031a6a 100644 +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -3251,6 +3251,32 @@ static const struct qca_device_info qca_devices_table[] = { + { 0x00190200, 40, 4, 16 }, /* WCN785x 2.0 */ + }; + ++static u16 qca_extract_board_id(const struct qca_version *ver) ++{ ++ u16 flag = le16_to_cpu(ver->flag); ++ u16 board_id = 0; ++ ++ if (((flag >> 8) & 0xff) == QCA_FLAG_MULTI_NVM) { ++ /* The board_id should be split into two bytes ++ * The 1st byte is chip ID, and the 2nd byte is platform ID ++ * For example, board ID 0x010A, 0x01 is platform ID. 0x0A is chip ID ++ * we have several platforms, and platform IDs are continuously added ++ * Platform ID: ++ * 0x00 is for Mobile ++ * 0x01 is for X86 ++ * 0x02 is for Automotive ++ * 0x03 is for Consumer electronic ++ */ ++ board_id = (ver->chip_id << 8) + ver->platform_id; ++ } ++ ++ /* Take 0xffff as invalid board ID */ ++ if (board_id == 0xffff) ++ board_id = 0; ++ ++ return board_id; ++} ++ + static int btusb_qca_send_vendor_req(struct usb_device *udev, u8 request, + void *data, u16 size) + { +@@ -3407,44 +3433,28 @@ static void btusb_generate_qca_nvm_name(char *fwname, size_t max_size, + const struct qca_version *ver) + { + u32 rom_version = le32_to_cpu(ver->rom_version); +- u16 flag = le16_to_cpu(ver->flag); ++ const char *variant; ++ int len; ++ u16 board_id; + +- if (((flag >> 8) & 0xff) == QCA_FLAG_MULTI_NVM) { +- /* The board_id should be split into two bytes +- * The 1st byte is chip ID, and the 2nd byte is platform ID +- * For example, board ID 0x010A, 0x01 is platform ID. 0x0A is chip ID +- * we have several platforms, and platform IDs are continuously added +- * Platform ID: +- * 0x00 is for Mobile +- * 0x01 is for X86 +- * 0x02 is for Automotive +- * 0x03 is for Consumer electronic +- */ +- u16 board_id = (ver->chip_id << 8) + ver->platform_id; +- const char *variant; ++ board_id = qca_extract_board_id(ver); + +- switch (le32_to_cpu(ver->ram_version)) { +- case WCN6855_2_0_RAM_VERSION_GF: +- case WCN6855_2_1_RAM_VERSION_GF: +- variant = "_gf"; +- break; +- default: +- variant = ""; +- break; +- } +- +- if (board_id == 0) { +- snprintf(fwname, max_size, "qca/nvm_usb_%08x%s.bin", +- rom_version, variant); +- } else { +- snprintf(fwname, max_size, "qca/nvm_usb_%08x%s_%04x.bin", +- rom_version, variant, board_id); +- } +- } else { +- snprintf(fwname, max_size, "qca/nvm_usb_%08x.bin", +- rom_version); ++ switch (le32_to_cpu(ver->ram_version)) { ++ case WCN6855_2_0_RAM_VERSION_GF: ++ case WCN6855_2_1_RAM_VERSION_GF: ++ variant = "_gf"; ++ break; ++ default: ++ variant = NULL; ++ break; + } + ++ len = snprintf(fwname, max_size, "qca/nvm_usb_%08x", rom_version); ++ if (variant) ++ len += snprintf(fwname + len, max_size - len, "%s", variant); ++ if (board_id) ++ len += snprintf(fwname + len, max_size - len, "_%04x", board_id); ++ len += snprintf(fwname + len, max_size - len, ".bin"); + } + + static int btusb_setup_qca_load_nvm(struct hci_dev *hdev, +-- +2.39.5 + diff --git a/queue-6.1/bluetooth-fix-null-ptr-deref-in-l2cap_sock_resume_cb.patch b/queue-6.1/bluetooth-fix-null-ptr-deref-in-l2cap_sock_resume_cb.patch new file mode 100644 index 0000000000..b886fde280 --- /dev/null +++ b/queue-6.1/bluetooth-fix-null-ptr-deref-in-l2cap_sock_resume_cb.patch @@ -0,0 +1,80 @@ +From 2cd56306e08e6cec4b003097a226ccf8239041d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Jul 2025 19:28:29 +0000 +Subject: Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb() + +From: Kuniyuki Iwashima + +[ Upstream commit a0075accbf0d76c2dad1ad3993d2e944505d99a0 ] + +syzbot reported null-ptr-deref in l2cap_sock_resume_cb(). [0] + +l2cap_sock_resume_cb() has a similar problem that was fixed by commit +1bff51ea59a9 ("Bluetooth: fix use-after-free error in lock_sock_nested()"). + +Since both l2cap_sock_kill() and l2cap_sock_resume_cb() are executed +under l2cap_sock_resume_cb(), we can avoid the issue simply by checking +if chan->data is NULL. + +Let's not access to the killed socket in l2cap_sock_resume_cb(). + +[0]: +BUG: KASAN: null-ptr-deref in instrument_atomic_write include/linux/instrumented.h:82 [inline] +BUG: KASAN: null-ptr-deref in clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline] +BUG: KASAN: null-ptr-deref in l2cap_sock_resume_cb+0xb4/0x17c net/bluetooth/l2cap_sock.c:1711 +Write of size 8 at addr 0000000000000570 by task kworker/u9:0/52 + +CPU: 1 UID: 0 PID: 52 Comm: kworker/u9:0 Not tainted 6.16.0-rc4-syzkaller-g7482bb149b9f #0 PREEMPT +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 +Workqueue: hci0 hci_rx_work +Call trace: + show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:501 (C) + __dump_stack+0x30/0x40 lib/dump_stack.c:94 + dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120 + print_report+0x58/0x84 mm/kasan/report.c:524 + kasan_report+0xb0/0x110 mm/kasan/report.c:634 + check_region_inline mm/kasan/generic.c:-1 [inline] + kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189 + __kasan_check_write+0x20/0x30 mm/kasan/shadow.c:37 + instrument_atomic_write include/linux/instrumented.h:82 [inline] + clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline] + l2cap_sock_resume_cb+0xb4/0x17c net/bluetooth/l2cap_sock.c:1711 + l2cap_security_cfm+0x524/0xea0 net/bluetooth/l2cap_core.c:7357 + hci_auth_cfm include/net/bluetooth/hci_core.h:2092 [inline] + hci_auth_complete_evt+0x2e8/0xa4c net/bluetooth/hci_event.c:3514 + hci_event_func net/bluetooth/hci_event.c:7511 [inline] + hci_event_packet+0x650/0xe9c net/bluetooth/hci_event.c:7565 + hci_rx_work+0x320/0xb18 net/bluetooth/hci_core.c:4070 + process_one_work+0x7e8/0x155c kernel/workqueue.c:3238 + process_scheduled_works kernel/workqueue.c:3321 [inline] + worker_thread+0x958/0xed8 kernel/workqueue.c:3402 + kthread+0x5fc/0x75c kernel/kthread.c:464 + ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:847 + +Fixes: d97c899bde33 ("Bluetooth: Introduce L2CAP channel callback for resuming") +Reported-by: syzbot+e4d73b165c3892852d22@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/686c12bd.a70a0220.29fe6c.0b13.GAE@google.com/ +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_sock.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c +index bdfc83eb7aefc..c89277848ca83 100644 +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -1723,6 +1723,9 @@ static void l2cap_sock_resume_cb(struct l2cap_chan *chan) + { + struct sock *sk = chan->data; + ++ if (!sk) ++ return; ++ + if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) { + sk->sk_state = BT_CONNECTED; + chan->state = BT_CONNECTED; +-- +2.39.5 + diff --git a/queue-6.1/bluetooth-hci_sync-fix-connectable-extended-advertis.patch b/queue-6.1/bluetooth-hci_sync-fix-connectable-extended-advertis.patch new file mode 100644 index 0000000000..12ad8c7471 --- /dev/null +++ b/queue-6.1/bluetooth-hci_sync-fix-connectable-extended-advertis.patch @@ -0,0 +1,85 @@ +From d382287e58629ca0aacf496200b07d8b00238e4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jul 2025 09:53:11 +0200 +Subject: Bluetooth: hci_sync: fix connectable extended advertising when using + static random address + +From: Alessandro Gasbarroni + +[ Upstream commit d85edab911a4c1fcbe3f08336eff5c7feec567d0 ] + +Currently, the connectable flag used by the setup of an extended +advertising instance drives whether we require privacy when trying to pass +a random address to the advertising parameters (Own Address). +If privacy is not required, then it automatically falls back to using the +controller's public address. This can cause problems when using controllers +that do not have a public address set, but instead use a static random +address. + +e.g. Assume a BLE controller that does not have a public address set. +The controller upon powering is set with a random static address by default +by the kernel. + + < HCI Command: LE Set Random Address (0x08|0x0005) plen 6 + Address: E4:AF:26:D8:3E:3A (Static) + > HCI Event: Command Complete (0x0e) plen 4 + LE Set Random Address (0x08|0x0005) ncmd 1 + Status: Success (0x00) + +Setting non-connectable extended advertisement parameters in bluetoothctl +mgmt + + add-ext-adv-params -r 0x801 -x 0x802 -P 2M -g 1 + +correctly sets Own address type as Random + + < HCI Command: LE Set Extended Advertising Parameters (0x08|0x0036) + plen 25 + ... + Own address type: Random (0x01) + +Setting connectable extended advertisement parameters in bluetoothctl mgmt + + add-ext-adv-params -r 0x801 -x 0x802 -P 2M -g -c 1 + +mistakenly sets Own address type to Public (which causes to use Public +Address 00:00:00:00:00:00) + + < HCI Command: LE Set Extended Advertising Parameters (0x08|0x0036) + plen 25 + ... + Own address type: Public (0x00) + +This causes either the controller to emit an Invalid Parameters error or to +mishandle the advertising. + +This patch makes sure that we use the already set static random address +when requesting a connectable extended advertising when we don't require +privacy and our public address is not set (00:00:00:00:00:00). + +Fixes: 3fe318ee72c5 ("Bluetooth: move hci_get_random_address() to hci_sync") +Signed-off-by: Alessandro Gasbarroni +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_sync.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c +index 7d22b2b02745a..27d1209da0df9 100644 +--- a/net/bluetooth/hci_sync.c ++++ b/net/bluetooth/hci_sync.c +@@ -6508,8 +6508,8 @@ int hci_get_random_address(struct hci_dev *hdev, bool require_privacy, + return 0; + } + +- /* No privacy so use a public address. */ +- *own_addr_type = ADDR_LE_DEV_PUBLIC; ++ /* No privacy, use the current address */ ++ hci_copy_identity_address(hdev, rand_addr, own_addr_type); + + return 0; + } +-- +2.39.5 + diff --git a/queue-6.1/bluetooth-l2cap-fix-attempting-to-adjust-outgoing-mt.patch b/queue-6.1/bluetooth-l2cap-fix-attempting-to-adjust-outgoing-mt.patch new file mode 100644 index 0000000000..3b1bc77a24 --- /dev/null +++ b/queue-6.1/bluetooth-l2cap-fix-attempting-to-adjust-outgoing-mt.patch @@ -0,0 +1,79 @@ +From ebd12ad16c994bd8e051081d2cf28a2b4116abb4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jul 2025 09:40:49 -0400 +Subject: Bluetooth: L2CAP: Fix attempting to adjust outgoing MTU +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Luiz Augusto von Dentz + +[ Upstream commit d24e4a7fedae121d33fb32ad785b87046527eedb ] + +Configuration request only configure the incoming direction of the peer +initiating the request, so using the MTU is the other direction shall +not be used, that said the spec allows the peer responding to adjust: + +Bluetooth Core 6.1, Vol 3, Part A, Section 4.5 + + 'Each configuration parameter value (if any is present) in an + L2CAP_CONFIGURATION_RSP packet reflects an ‘adjustment’ to a + configuration parameter value that has been sent (or, in case of + default values, implied) in the corresponding + L2CAP_CONFIGURATION_REQ packet.' + +That said adjusting the MTU in the response shall be limited to ERTM +channels only as for older modes the remote stack may not be able to +detect the adjustment causing it to silently drop packets. + +Link: https://github.com/bluez/bluez/issues/1422 +Link: https://gitlab.archlinux.org/archlinux/packaging/packages/linux/-/issues/149 +Link: https://gitlab.freedesktop.org/pipewire/pipewire/-/issues/4793 +Fixes: 042bb9603c44 ("Bluetooth: L2CAP: Fix L2CAP MTU negotiation") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_core.c | 26 +++++++++++++++++++++----- + 1 file changed, 21 insertions(+), 5 deletions(-) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 514adb013f3f4..8bb6d2690e2b9 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -3711,12 +3711,28 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data + /* Configure output options and let the other side know + * which ones we don't like. */ + +- /* If MTU is not provided in configure request, use the most recently +- * explicitly or implicitly accepted value for the other direction, +- * or the default value. ++ /* If MTU is not provided in configure request, try adjusting it ++ * to the current output MTU if it has been set ++ * ++ * Bluetooth Core 6.1, Vol 3, Part A, Section 4.5 ++ * ++ * Each configuration parameter value (if any is present) in an ++ * L2CAP_CONFIGURATION_RSP packet reflects an ‘adjustment’ to a ++ * configuration parameter value that has been sent (or, in case ++ * of default values, implied) in the corresponding ++ * L2CAP_CONFIGURATION_REQ packet. + */ +- if (mtu == 0) +- mtu = chan->imtu ? chan->imtu : L2CAP_DEFAULT_MTU; ++ if (!mtu) { ++ /* Only adjust for ERTM channels as for older modes the ++ * remote stack may not be able to detect that the ++ * adjustment causing it to silently drop packets. ++ */ ++ if (chan->mode == L2CAP_MODE_ERTM && ++ chan->omtu && chan->omtu != L2CAP_DEFAULT_MTU) ++ mtu = chan->omtu; ++ else ++ mtu = L2CAP_DEFAULT_MTU; ++ } + + if (mtu < L2CAP_DEFAULT_MIN_MTU) + result = L2CAP_CONF_UNACCEPT; +-- +2.39.5 + diff --git a/queue-6.1/bluetooth-smp-fix-using-hci_error_remote_user_term-o.patch b/queue-6.1/bluetooth-smp-fix-using-hci_error_remote_user_term-o.patch new file mode 100644 index 0000000000..b4cad780a9 --- /dev/null +++ b/queue-6.1/bluetooth-smp-fix-using-hci_error_remote_user_term-o.patch @@ -0,0 +1,37 @@ +From 0d1846b8a9fc81b56324ed0a5c4187a3e4e305fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jul 2025 11:53:40 -0400 +Subject: Bluetooth: SMP: Fix using HCI_ERROR_REMOTE_USER_TERM on timeout + +From: Luiz Augusto von Dentz + +[ Upstream commit 6ef99c917688a8510259e565bd1b168b7146295a ] + +This replaces the usage of HCI_ERROR_REMOTE_USER_TERM, which as the name +suggest is to indicate a regular disconnection initiated by an user, +with HCI_ERROR_AUTH_FAILURE to indicate the session has timeout thus any +pairing shall be considered as failed. + +Fixes: 1e91c29eb60c ("Bluetooth: Use hci_disconnect for immediate disconnection from SMP") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/smp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c +index 2ed57a71f1b2f..a03920fe44d94 100644 +--- a/net/bluetooth/smp.c ++++ b/net/bluetooth/smp.c +@@ -1373,7 +1373,7 @@ static void smp_timeout(struct work_struct *work) + + bt_dev_dbg(conn->hcon->hdev, "conn %p", conn); + +- hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM); ++ hci_disconnect(conn->hcon, HCI_ERROR_AUTH_FAILURE); + } + + static struct smp_chan *smp_chan_create(struct l2cap_conn *conn) +-- +2.39.5 + diff --git a/queue-6.1/bluetooth-smp-if-an-unallowed-command-is-received-co.patch b/queue-6.1/bluetooth-smp-if-an-unallowed-command-is-received-co.patch new file mode 100644 index 0000000000..8baa45367d --- /dev/null +++ b/queue-6.1/bluetooth-smp-if-an-unallowed-command-is-received-co.patch @@ -0,0 +1,130 @@ +From 3dc4be44881b8d1481563aa12fd1a00f895fd768 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 14:42:23 -0400 +Subject: Bluetooth: SMP: If an unallowed command is received consider it a + failure + +From: Luiz Augusto von Dentz + +[ Upstream commit fe4840df0bdf341f376885271b7680764fe6b34e ] + +If a command is received while a bonding is ongoing consider it a +pairing failure so the session is cleanup properly and the device is +disconnected immediately instead of continuing with other commands that +may result in the session to get stuck without ever completing such as +the case bellow: + +> ACL Data RX: Handle 2048 flags 0x02 dlen 21 + SMP: Identity Information (0x08) len 16 + Identity resolving key[16]: d7e08edef97d3e62cd2331f82d8073b0 +> ACL Data RX: Handle 2048 flags 0x02 dlen 21 + SMP: Signing Information (0x0a) len 16 + Signature key[16]: 1716c536f94e843a9aea8b13ffde477d +Bluetooth: hci0: unexpected SMP command 0x0a from XX:XX:XX:XX:XX:XX +> ACL Data RX: Handle 2048 flags 0x02 dlen 12 + SMP: Identity Address Information (0x09) len 7 + Address: XX:XX:XX:XX:XX:XX (Intel Corporate) + +While accourding to core spec 6.1 the expected order is always BD_ADDR +first first then CSRK: + +When using LE legacy pairing, the keys shall be distributed in the +following order: + + LTK by the Peripheral + + EDIV and Rand by the Peripheral + + IRK by the Peripheral + + BD_ADDR by the Peripheral + + CSRK by the Peripheral + + LTK by the Central + + EDIV and Rand by the Central + + IRK by the Central + + BD_ADDR by the Central + + CSRK by the Central + +When using LE Secure Connections, the keys shall be distributed in the +following order: + + IRK by the Peripheral + + BD_ADDR by the Peripheral + + CSRK by the Peripheral + + IRK by the Central + + BD_ADDR by the Central + + CSRK by the Central + +According to the Core 6.1 for commands used for key distribution "Key +Rejected" can be used: + + '3.6.1. Key distribution and generation + + A device may reject a distributed key by sending the Pairing Failed command + with the reason set to "Key Rejected". + +Fixes: b28b4943660f ("Bluetooth: Add strict checks for allowed SMP PDUs") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/smp.c | 19 ++++++++++++++++++- + net/bluetooth/smp.h | 1 + + 2 files changed, 19 insertions(+), 1 deletion(-) + +diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c +index b93494790877f..2ed57a71f1b2f 100644 +--- a/net/bluetooth/smp.c ++++ b/net/bluetooth/smp.c +@@ -2971,8 +2971,25 @@ static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb) + if (code > SMP_CMD_MAX) + goto drop; + +- if (smp && !test_and_clear_bit(code, &smp->allow_cmd)) ++ if (smp && !test_and_clear_bit(code, &smp->allow_cmd)) { ++ /* If there is a context and the command is not allowed consider ++ * it a failure so the session is cleanup properly. ++ */ ++ switch (code) { ++ case SMP_CMD_IDENT_INFO: ++ case SMP_CMD_IDENT_ADDR_INFO: ++ case SMP_CMD_SIGN_INFO: ++ /* 3.6.1. Key distribution and generation ++ * ++ * A device may reject a distributed key by sending the ++ * Pairing Failed command with the reason set to ++ * "Key Rejected". ++ */ ++ smp_failure(conn, SMP_KEY_REJECTED); ++ break; ++ } + goto drop; ++ } + + /* If we don't have a context the only allowed commands are + * pairing request and security request. +diff --git a/net/bluetooth/smp.h b/net/bluetooth/smp.h +index 87a59ec2c9f02..c5da53dfab04f 100644 +--- a/net/bluetooth/smp.h ++++ b/net/bluetooth/smp.h +@@ -138,6 +138,7 @@ struct smp_cmd_keypress_notify { + #define SMP_NUMERIC_COMP_FAILED 0x0c + #define SMP_BREDR_PAIRING_IN_PROGRESS 0x0d + #define SMP_CROSS_TRANSP_NOT_ALLOWED 0x0e ++#define SMP_KEY_REJECTED 0x0f + + #define SMP_MIN_ENC_KEY_SIZE 7 + #define SMP_MAX_ENC_KEY_SIZE 16 +-- +2.39.5 + diff --git a/queue-6.1/bpf-reject-p-format-string-in-bprintf-like-helpers.patch b/queue-6.1/bpf-reject-p-format-string-in-bprintf-like-helpers.patch new file mode 100644 index 0000000000..6ea138777e --- /dev/null +++ b/queue-6.1/bpf-reject-p-format-string-in-bprintf-like-helpers.patch @@ -0,0 +1,68 @@ +From eb8c5b6989266b7e2d0fb7b4eabedeb4e0aa42de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Jul 2025 21:47:30 +0200 +Subject: bpf: Reject %p% format string in bprintf-like helpers + +From: Paul Chaignon + +[ Upstream commit f8242745871f81a3ac37f9f51853d12854fd0b58 ] + +static const char fmt[] = "%p%"; + bpf_trace_printk(fmt, sizeof(fmt)); + +The above BPF program isn't rejected and causes a kernel warning at +runtime: + + Please remove unsupported %\x00 in format string + WARNING: CPU: 1 PID: 7244 at lib/vsprintf.c:2680 format_decode+0x49c/0x5d0 + +This happens because bpf_bprintf_prepare skips over the second %, +detected as punctuation, while processing %p. This patch fixes it by +not skipping over punctuation. %\x00 is then processed in the next +iteration and rejected. + +Reported-by: syzbot+e2c932aec5c8a6e1d31c@syzkaller.appspotmail.com +Fixes: 48cac3f4a96d ("bpf: Implement formatted output helpers with bstr_printf") +Acked-by: Yonghong Song +Signed-off-by: Paul Chaignon +Link: https://lore.kernel.org/r/a0e06cc479faec9e802ae51ba5d66420523251ee.1751395489.git.paul.chaignon@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/helpers.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c +index 94e85d311641b..be9dc396537f1 100644 +--- a/kernel/bpf/helpers.c ++++ b/kernel/bpf/helpers.c +@@ -876,6 +876,13 @@ int bpf_bprintf_prepare(char *fmt, u32 fmt_size, const u64 *raw_args, + if (fmt[i] == 'p') { + sizeof_cur_arg = sizeof(long); + ++ if (fmt[i + 1] == 0 || isspace(fmt[i + 1]) || ++ ispunct(fmt[i + 1])) { ++ if (tmp_buf) ++ cur_arg = raw_args[num_spec]; ++ goto nocopy_fmt; ++ } ++ + if ((fmt[i + 1] == 'k' || fmt[i + 1] == 'u') && + fmt[i + 2] == 's') { + fmt_ptype = fmt[i + 1]; +@@ -883,11 +890,9 @@ int bpf_bprintf_prepare(char *fmt, u32 fmt_size, const u64 *raw_args, + goto fmt_str; + } + +- if (fmt[i + 1] == 0 || isspace(fmt[i + 1]) || +- ispunct(fmt[i + 1]) || fmt[i + 1] == 'K' || ++ if (fmt[i + 1] == 'K' || + fmt[i + 1] == 'x' || fmt[i + 1] == 's' || + fmt[i + 1] == 'S') { +- /* just kernel pointers */ + if (tmp_buf) + cur_arg = raw_args[num_spec]; + i++; +-- +2.39.5 + diff --git a/queue-6.1/cachefiles-fix-the-incorrect-return-value-in-__cache.patch b/queue-6.1/cachefiles-fix-the-incorrect-return-value-in-__cache.patch new file mode 100644 index 0000000000..7d0f30d08c --- /dev/null +++ b/queue-6.1/cachefiles-fix-the-incorrect-return-value-in-__cache.patch @@ -0,0 +1,69 @@ +From 317269d00297995dd3414c658c97aab521a88cc1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jul 2025 10:44:18 +0800 +Subject: cachefiles: Fix the incorrect return value in __cachefiles_write() + +From: Zizhi Wo + +[ Upstream commit 6b89819b06d8d339da414f06ef3242f79508be5e ] + +In __cachefiles_write(), if the return value of the write operation > 0, it +is set to 0. This makes it impossible to distinguish scenarios where a +partial write has occurred, and will affect the outer calling functions: + + 1) cachefiles_write_complete() will call "term_func" such as +netfs_write_subrequest_terminated(). When "ret" in __cachefiles_write() +is used as the "transferred_or_error" of this function, it can not +distinguish the amount of data written, makes the WARN meaningless. + + 2) cachefiles_ondemand_fd_write_iter() can only assume all writes were +successful by default when "ret" is 0, and unconditionally return the full +length specified by user space. + +Fix it by modifying "ret" to reflect the actual number of bytes written. +Furthermore, returning a value greater than 0 from __cachefiles_write() +does not affect other call paths, such as cachefiles_issue_write() and +fscache_write(). + +Fixes: 047487c947e8 ("cachefiles: Implement the I/O routines") +Signed-off-by: Zizhi Wo +Link: https://lore.kernel.org/20250703024418.2809353-1-wozizhi@huaweicloud.com +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/cachefiles/io.c | 2 -- + fs/cachefiles/ondemand.c | 4 +--- + 2 files changed, 1 insertion(+), 5 deletions(-) + +diff --git a/fs/cachefiles/io.c b/fs/cachefiles/io.c +index 000a28f46e59e..5d2a41bab9c19 100644 +--- a/fs/cachefiles/io.c ++++ b/fs/cachefiles/io.c +@@ -356,8 +356,6 @@ int __cachefiles_write(struct cachefiles_object *object, + default: + ki->was_async = false; + cachefiles_write_complete(&ki->iocb, ret); +- if (ret > 0) +- ret = 0; + break; + } + +diff --git a/fs/cachefiles/ondemand.c b/fs/cachefiles/ondemand.c +index 3389a373faf68..cfa8f23fdfb65 100644 +--- a/fs/cachefiles/ondemand.c ++++ b/fs/cachefiles/ondemand.c +@@ -84,10 +84,8 @@ static ssize_t cachefiles_ondemand_fd_write_iter(struct kiocb *kiocb, + + trace_cachefiles_ondemand_fd_write(object, file_inode(file), pos, len); + ret = __cachefiles_write(object, file, pos, iter, NULL, NULL); +- if (!ret) { +- ret = len; ++ if (ret > 0) + kiocb->ki_pos += ret; +- } + + out: + fput(file); +-- +2.39.5 + diff --git a/queue-6.1/hwmon-corsair-cpro-validate-the-size-of-the-received.patch b/queue-6.1/hwmon-corsair-cpro-validate-the-size-of-the-received.patch new file mode 100644 index 0000000000..1ef5c216cf --- /dev/null +++ b/queue-6.1/hwmon-corsair-cpro-validate-the-size-of-the-received.patch @@ -0,0 +1,56 @@ +From e5c9e3bb439aa23865283f1414cbc6da2cc0628e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Jun 2025 15:27:47 +0200 +Subject: hwmon: (corsair-cpro) Validate the size of the received input buffer + +From: Marius Zachmann + +[ Upstream commit 495a4f0dce9c8c4478c242209748f1ee9e4d5820 ] + +Add buffer_recv_size to store the size of the received bytes. +Validate buffer_recv_size in send_usb_cmd(). + +Reported-by: syzbot+3bbbade4e1a7ab45ca3b@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/linux-hwmon/61233ba1-e5ad-4d7a-ba31-3b5d0adcffcc@roeck-us.net +Fixes: 40c3a4454225 ("hwmon: add Corsair Commander Pro driver") +Signed-off-by: Marius Zachmann +Link: https://lore.kernel.org/r/20250619132817.39764-5-mail@mariuszachmann.de +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/corsair-cpro.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/hwmon/corsair-cpro.c b/drivers/hwmon/corsair-cpro.c +index 486fb6a8c3566..18da3e013c20b 100644 +--- a/drivers/hwmon/corsair-cpro.c ++++ b/drivers/hwmon/corsair-cpro.c +@@ -84,6 +84,7 @@ struct ccp_device { + struct mutex mutex; /* whenever buffer is used, lock before send_usb_cmd */ + u8 *cmd_buffer; + u8 *buffer; ++ int buffer_recv_size; /* number of received bytes in buffer */ + int target[6]; + DECLARE_BITMAP(temp_cnct, NUM_TEMP_SENSORS); + DECLARE_BITMAP(fan_cnct, NUM_FANS); +@@ -139,6 +140,9 @@ static int send_usb_cmd(struct ccp_device *ccp, u8 command, u8 byte1, u8 byte2, + if (!t) + return -ETIMEDOUT; + ++ if (ccp->buffer_recv_size != IN_BUFFER_SIZE) ++ return -EPROTO; ++ + return ccp_get_errno(ccp); + } + +@@ -150,6 +154,7 @@ static int ccp_raw_event(struct hid_device *hdev, struct hid_report *report, u8 + spin_lock(&ccp->wait_input_report_lock); + if (!completion_done(&ccp->wait_input_report)) { + memcpy(ccp->buffer, data, min(IN_BUFFER_SIZE, size)); ++ ccp->buffer_recv_size = size; + complete_all(&ccp->wait_input_report); + } + spin_unlock(&ccp->wait_input_report_lock); +-- +2.39.5 + diff --git a/queue-6.1/ipv6-mcast-delay-put-pmc-idev-in-mld_del_delrec.patch b/queue-6.1/ipv6-mcast-delay-put-pmc-idev-in-mld_del_delrec.patch new file mode 100644 index 0000000000..ddb3f4557d --- /dev/null +++ b/queue-6.1/ipv6-mcast-delay-put-pmc-idev-in-mld_del_delrec.patch @@ -0,0 +1,38 @@ +From 53da6966c46ca10424f83c343b6d080cf02d78ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Jul 2025 22:19:57 +0800 +Subject: ipv6: mcast: Delay put pmc->idev in mld_del_delrec() + +From: Yue Haibing + +[ Upstream commit ae3264a25a4635531264728859dbe9c659fad554 ] + +pmc->idev is still used in ip6_mc_clear_src(), so as mld_clear_delrec() +does, the reference should be put after ip6_mc_clear_src() return. + +Fixes: 63ed8de4be81 ("mld: add mc_lock for protecting per-interface mld data") +Signed-off-by: Yue Haibing +Link: https://patch.msgid.link/20250714141957.3301871-1-yuehaibing@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/mcast.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c +index a1b3f3e7921fa..e9e59a83ba9b4 100644 +--- a/net/ipv6/mcast.c ++++ b/net/ipv6/mcast.c +@@ -803,8 +803,8 @@ static void mld_del_delrec(struct inet6_dev *idev, struct ifmcaddr6 *im) + } else { + im->mca_crcount = idev->mc_qrv; + } +- in6_dev_put(pmc->idev); + ip6_mc_clear_src(pmc); ++ in6_dev_put(pmc->idev); + kfree_rcu(pmc, rcu); + } + } +-- +2.39.5 + diff --git a/queue-6.1/net-bridge-do-not-offload-igmp-mld-messages.patch b/queue-6.1/net-bridge-do-not-offload-igmp-mld-messages.patch new file mode 100644 index 0000000000..9221f918c1 --- /dev/null +++ b/queue-6.1/net-bridge-do-not-offload-igmp-mld-messages.patch @@ -0,0 +1,58 @@ +From 399f0f25f3b7072327bf770b46cd1dc1ee52346b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jul 2025 11:35:50 -0400 +Subject: net: bridge: Do not offload IGMP/MLD messages + +From: Joseph Huang + +[ Upstream commit 683dc24da8bf199bb7446e445ad7f801c79a550e ] + +Do not offload IGMP/MLD messages as it could lead to IGMP/MLD Reports +being unintentionally flooded to Hosts. Instead, let the bridge decide +where to send these IGMP/MLD messages. + +Consider the case where the local host is sending out reports in response +to a remote querier like the following: + + mcast-listener-process (IP_ADD_MEMBERSHIP) + \ + br0 + / \ + swp1 swp2 + | | + QUERIER SOME-OTHER-HOST + +In the above setup, br0 will want to br_forward() reports for +mcast-listener-process's group(s) via swp1 to QUERIER; but since the +source hwdom is 0, the report is eligible for tx offloading, and is +flooded by hardware to both swp1 and swp2, reaching SOME-OTHER-HOST as +well. (Example and illustration provided by Tobias.) + +Fixes: 472111920f1c ("net: bridge: switchdev: allow the TX data plane forwarding to be offloaded") +Signed-off-by: Joseph Huang +Acked-by: Nikolay Aleksandrov +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20250716153551.1830255-1-Joseph.Huang@garmin.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/bridge/br_switchdev.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/bridge/br_switchdev.c b/net/bridge/br_switchdev.c +index b61ef2dff7a4b..a0974374bf717 100644 +--- a/net/bridge/br_switchdev.c ++++ b/net/bridge/br_switchdev.c +@@ -17,6 +17,9 @@ static bool nbp_switchdev_can_offload_tx_fwd(const struct net_bridge_port *p, + if (!static_branch_unlikely(&br_switchdev_tx_fwd_offload)) + return false; + ++ if (br_multicast_igmp_type(skb)) ++ return false; ++ + return (p->flags & BR_TX_FWD_OFFLOAD) && + (p->hwdom != BR_INPUT_SKB_CB(skb)->src_hwdom); + } +-- +2.39.5 + diff --git a/queue-6.1/net-emaclite-fix-missing-pointer-increment-in-aligne.patch b/queue-6.1/net-emaclite-fix-missing-pointer-increment-in-aligne.patch new file mode 100644 index 0000000000..c65db01074 --- /dev/null +++ b/queue-6.1/net-emaclite-fix-missing-pointer-increment-in-aligne.patch @@ -0,0 +1,40 @@ +From 64fea5f6fb785a471c10d9c91c9269803cf26c7b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 10:38:46 -0700 +Subject: net: emaclite: Fix missing pointer increment in aligned_read() + +From: Alok Tiwari + +[ Upstream commit 7727ec1523d7973defa1dff8f9c0aad288d04008 ] + +Add missing post-increment operators for byte pointers in the +loop that copies remaining bytes in xemaclite_aligned_read(). +Without the increment, the same byte was written repeatedly +to the destination. +This update aligns with xemaclite_aligned_write() + +Fixes: bb81b2ddfa19 ("net: add Xilinx emac lite device driver") +Signed-off-by: Alok Tiwari +Link: https://patch.msgid.link/20250710173849.2381003-1-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/xilinx/xilinx_emaclite.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/xilinx/xilinx_emaclite.c b/drivers/net/ethernet/xilinx/xilinx_emaclite.c +index ad2c30d9a4824..fb0e42ddb3adb 100644 +--- a/drivers/net/ethernet/xilinx/xilinx_emaclite.c ++++ b/drivers/net/ethernet/xilinx/xilinx_emaclite.c +@@ -285,7 +285,7 @@ static void xemaclite_aligned_read(u32 *src_ptr, u8 *dest_ptr, + + /* Read the remaining data */ + for (; length > 0; length--) +- *to_u8_ptr = *from_u8_ptr; ++ *to_u8_ptr++ = *from_u8_ptr++; + } + } + +-- +2.39.5 + diff --git a/queue-6.1/net-mlx5-correctly-set-gso_size-when-lro-is-used.patch b/queue-6.1/net-mlx5-correctly-set-gso_size-when-lro-is-used.patch new file mode 100644 index 0000000000..6ad54e0938 --- /dev/null +++ b/queue-6.1/net-mlx5-correctly-set-gso_size-when-lro-is-used.patch @@ -0,0 +1,84 @@ +From 8fb147b6e76186addee6ecf33bb8c43434155440 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jul 2025 13:20:53 -0700 +Subject: net/mlx5: Correctly set gso_size when LRO is used + +From: Christoph Paasch + +[ Upstream commit 531d0d32de3e1b6b77a87bd37de0c2c6e17b496a ] + +gso_size is expected by the networking stack to be the size of the +payload (thus, not including ethernet/IP/TCP-headers). However, cqe_bcnt +is the full sized frame (including the headers). Dividing cqe_bcnt by +lro_num_seg will then give incorrect results. + +For example, running a bpftrace higher up in the TCP-stack +(tcp_event_data_recv), we commonly have gso_size set to 1450 or 1451 even +though in reality the payload was only 1448 bytes. + +This can have unintended consequences: +- In tcp_measure_rcv_mss() len will be for example 1450, but. rcv_mss +will be 1448 (because tp->advmss is 1448). Thus, we will always +recompute scaling_ratio each time an LRO-packet is received. +- In tcp_gro_receive(), it will interfere with the decision whether or +not to flush and thus potentially result in less gro'ed packets. + +So, we need to discount the protocol headers from cqe_bcnt so we can +actually divide the payload by lro_num_seg to get the real gso_size. + +v2: + - Use "(unsigned char *)tcp + tcp->doff * 4 - skb->data)" to compute header-len + (Tariq Toukan ) + - Improve commit-message (Gal Pressman ) + +Fixes: e586b3b0baee ("net/mlx5: Ethernet Datapath files") +Signed-off-by: Christoph Paasch +Reviewed-by: Tariq Toukan +Reviewed-by: Gal Pressman +Link: https://patch.msgid.link/20250715-cpaasch-pf-925-investigate-incorrect-gso_size-on-cx-7-nic-v2-1-e06c3475f3ac@openai.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c +index ccddfa49e96c0..74dc45d9c242e 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c +@@ -1015,8 +1015,9 @@ static void mlx5e_lro_update_tcp_hdr(struct mlx5_cqe64 *cqe, struct tcphdr *tcp) + } + } + +-static void mlx5e_lro_update_hdr(struct sk_buff *skb, struct mlx5_cqe64 *cqe, +- u32 cqe_bcnt) ++static unsigned int mlx5e_lro_update_hdr(struct sk_buff *skb, ++ struct mlx5_cqe64 *cqe, ++ u32 cqe_bcnt) + { + struct ethhdr *eth = (struct ethhdr *)(skb->data); + struct tcphdr *tcp; +@@ -1067,6 +1068,8 @@ static void mlx5e_lro_update_hdr(struct sk_buff *skb, struct mlx5_cqe64 *cqe, + tcp->check = csum_ipv6_magic(&ipv6->saddr, &ipv6->daddr, payload_len, + IPPROTO_TCP, check); + } ++ ++ return (unsigned int)((unsigned char *)tcp + tcp->doff * 4 - skb->data); + } + + static void *mlx5e_shampo_get_packet_hd(struct mlx5e_rq *rq, u16 header_index) +@@ -1422,8 +1425,9 @@ static inline void mlx5e_build_rx_skb(struct mlx5_cqe64 *cqe, + mlx5e_macsec_offload_handle_rx_skb(netdev, skb, cqe); + + if (lro_num_seg > 1) { +- mlx5e_lro_update_hdr(skb, cqe, cqe_bcnt); +- skb_shinfo(skb)->gso_size = DIV_ROUND_UP(cqe_bcnt, lro_num_seg); ++ unsigned int hdrlen = mlx5e_lro_update_hdr(skb, cqe, cqe_bcnt); ++ ++ skb_shinfo(skb)->gso_size = DIV_ROUND_UP(cqe_bcnt - hdrlen, lro_num_seg); + /* Subtract one since we already counted this as one + * "regular" packet in mlx5e_complete_rx_cqe() + */ +-- +2.39.5 + diff --git a/queue-6.1/net-sched-return-null-when-htb_lookup_leaf-encounter.patch b/queue-6.1/net-sched-return-null-when-htb_lookup_leaf-encounter.patch new file mode 100644 index 0000000000..29322f71e9 --- /dev/null +++ b/queue-6.1/net-sched-return-null-when-htb_lookup_leaf-encounter.patch @@ -0,0 +1,97 @@ +From e3456d5353f048cbfc4cdaf0eb1379a4042749ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jul 2025 02:28:38 +0000 +Subject: net/sched: Return NULL when htb_lookup_leaf encounters an empty + rbtree + +From: William Liu + +[ Upstream commit 0e1d5d9b5c5966e2e42e298670808590db5ed628 ] + +htb_lookup_leaf has a BUG_ON that can trigger with the following: + +tc qdisc del dev lo root +tc qdisc add dev lo root handle 1: htb default 1 +tc class add dev lo parent 1: classid 1:1 htb rate 64bit +tc qdisc add dev lo parent 1:1 handle 2: netem +tc qdisc add dev lo parent 2:1 handle 3: blackhole +ping -I lo -c1 -W0.001 127.0.0.1 + +The root cause is the following: + +1. htb_dequeue calls htb_dequeue_tree which calls the dequeue handler on + the selected leaf qdisc +2. netem_dequeue calls enqueue on the child qdisc +3. blackhole_enqueue drops the packet and returns a value that is not + just NET_XMIT_SUCCESS +4. Because of this, netem_dequeue calls qdisc_tree_reduce_backlog, and + since qlen is now 0, it calls htb_qlen_notify -> htb_deactivate -> + htb_deactiviate_prios -> htb_remove_class_from_row -> htb_safe_rb_erase +5. As this is the only class in the selected hprio rbtree, + __rb_change_child in __rb_erase_augmented sets the rb_root pointer to + NULL +6. Because blackhole_dequeue returns NULL, netem_dequeue returns NULL, + which causes htb_dequeue_tree to call htb_lookup_leaf with the same + hprio rbtree, and fail the BUG_ON + +The function graph for this scenario is shown here: + 0) | htb_enqueue() { + 0) + 13.635 us | netem_enqueue(); + 0) 4.719 us | htb_activate_prios(); + 0) # 2249.199 us | } + 0) | htb_dequeue() { + 0) 2.355 us | htb_lookup_leaf(); + 0) | netem_dequeue() { + 0) + 11.061 us | blackhole_enqueue(); + 0) | qdisc_tree_reduce_backlog() { + 0) | qdisc_lookup_rcu() { + 0) 1.873 us | qdisc_match_from_root(); + 0) 6.292 us | } + 0) 1.894 us | htb_search(); + 0) | htb_qlen_notify() { + 0) 2.655 us | htb_deactivate_prios(); + 0) 6.933 us | } + 0) + 25.227 us | } + 0) 1.983 us | blackhole_dequeue(); + 0) + 86.553 us | } + 0) # 2932.761 us | qdisc_warn_nonwc(); + 0) | htb_lookup_leaf() { + 0) | BUG_ON(); + ------------------------------------------ + +The full original bug report can be seen here [1]. + +We can fix this just by returning NULL instead of the BUG_ON, +as htb_dequeue_tree returns NULL when htb_lookup_leaf returns +NULL. + +[1] https://lore.kernel.org/netdev/pF5XOOIim0IuEfhI-SOxTgRvNoDwuux7UHKnE_Y5-zVd4wmGvNk2ceHjKb8ORnzw0cGwfmVu42g9dL7XyJLf1NEzaztboTWcm0Ogxuojoeo=@willsroot.io/ + +Fixes: 512bb43eb542 ("pkt_sched: sch_htb: Optimize WARN_ONs in htb_dequeue_tree() etc.") +Signed-off-by: William Liu +Signed-off-by: Savino Dicanosa +Link: https://patch.msgid.link/20250717022816.221364-1-will@willsroot.io +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_htb.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/sched/sch_htb.c b/net/sched/sch_htb.c +index 29f394fe39987..1e19d3ffbf219 100644 +--- a/net/sched/sch_htb.c ++++ b/net/sched/sch_htb.c +@@ -818,7 +818,9 @@ static struct htb_class *htb_lookup_leaf(struct htb_prio *hprio, const int prio) + u32 *pid; + } stk[TC_HTB_MAXDEPTH], *sp = stk; + +- BUG_ON(!hprio->row.rb_node); ++ if (unlikely(!hprio->row.rb_node)) ++ return NULL; ++ + sp->root = hprio->row.rb_node; + sp->pptr = &hprio->ptr; + sp->pid = &hprio->last_ptr_id; +-- +2.39.5 + diff --git a/queue-6.1/net-sched-sch_qfq-fix-race-condition-on-qfq_aggregat.patch b/queue-6.1/net-sched-sch_qfq-fix-race-condition-on-qfq_aggregat.patch new file mode 100644 index 0000000000..ba9a855db7 --- /dev/null +++ b/queue-6.1/net-sched-sch_qfq-fix-race-condition-on-qfq_aggregat.patch @@ -0,0 +1,115 @@ +From b5fec504a526ba4c82b5c05d53c8da817fd15070 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 03:09:42 -0700 +Subject: net/sched: sch_qfq: Fix race condition on qfq_aggregate + +From: Xiang Mei + +[ Upstream commit 5e28d5a3f774f118896aec17a3a20a9c5c9dfc64 ] + +A race condition can occur when 'agg' is modified in qfq_change_agg +(called during qfq_enqueue) while other threads access it +concurrently. For example, qfq_dump_class may trigger a NULL +dereference, and qfq_delete_class may cause a use-after-free. + +This patch addresses the issue by: + +1. Moved qfq_destroy_class into the critical section. + +2. Added sch_tree_lock protection to qfq_dump_class and +qfq_dump_class_stats. + +Fixes: 462dbc9101ac ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost") +Signed-off-by: Xiang Mei +Reviewed-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/sch_qfq.c | 30 +++++++++++++++++++++--------- + 1 file changed, 21 insertions(+), 9 deletions(-) + +diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c +index 6462468bf77c7..f2692c9173f79 100644 +--- a/net/sched/sch_qfq.c ++++ b/net/sched/sch_qfq.c +@@ -414,7 +414,7 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid, + bool existing = false; + struct nlattr *tb[TCA_QFQ_MAX + 1]; + struct qfq_aggregate *new_agg = NULL; +- u32 weight, lmax, inv_w; ++ u32 weight, lmax, inv_w, old_weight, old_lmax; + int err; + int delta_w; + +@@ -448,12 +448,16 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid, + inv_w = ONE_FP / weight; + weight = ONE_FP / inv_w; + +- if (cl != NULL && +- lmax == cl->agg->lmax && +- weight == cl->agg->class_weight) +- return 0; /* nothing to change */ ++ if (cl != NULL) { ++ sch_tree_lock(sch); ++ old_weight = cl->agg->class_weight; ++ old_lmax = cl->agg->lmax; ++ sch_tree_unlock(sch); ++ if (lmax == old_lmax && weight == old_weight) ++ return 0; /* nothing to change */ ++ } + +- delta_w = weight - (cl ? cl->agg->class_weight : 0); ++ delta_w = weight - (cl ? old_weight : 0); + + if (q->wsum + delta_w > QFQ_MAX_WSUM) { + pr_notice("qfq: total weight out of range (%d + %u)\n", +@@ -557,10 +561,10 @@ static int qfq_delete_class(struct Qdisc *sch, unsigned long arg, + + qdisc_purge_queue(cl->qdisc); + qdisc_class_hash_remove(&q->clhash, &cl->common); ++ qfq_destroy_class(sch, cl); + + sch_tree_unlock(sch); + +- qfq_destroy_class(sch, cl); + return 0; + } + +@@ -627,6 +631,7 @@ static int qfq_dump_class(struct Qdisc *sch, unsigned long arg, + { + struct qfq_class *cl = (struct qfq_class *)arg; + struct nlattr *nest; ++ u32 class_weight, lmax; + + tcm->tcm_parent = TC_H_ROOT; + tcm->tcm_handle = cl->common.classid; +@@ -635,8 +640,13 @@ static int qfq_dump_class(struct Qdisc *sch, unsigned long arg, + nest = nla_nest_start_noflag(skb, TCA_OPTIONS); + if (nest == NULL) + goto nla_put_failure; +- if (nla_put_u32(skb, TCA_QFQ_WEIGHT, cl->agg->class_weight) || +- nla_put_u32(skb, TCA_QFQ_LMAX, cl->agg->lmax)) ++ ++ sch_tree_lock(sch); ++ class_weight = cl->agg->class_weight; ++ lmax = cl->agg->lmax; ++ sch_tree_unlock(sch); ++ if (nla_put_u32(skb, TCA_QFQ_WEIGHT, class_weight) || ++ nla_put_u32(skb, TCA_QFQ_LMAX, lmax)) + goto nla_put_failure; + return nla_nest_end(skb, nest); + +@@ -653,8 +663,10 @@ static int qfq_dump_class_stats(struct Qdisc *sch, unsigned long arg, + + memset(&xstats, 0, sizeof(xstats)); + ++ sch_tree_lock(sch); + xstats.weight = cl->agg->class_weight; + xstats.lmax = cl->agg->lmax; ++ sch_tree_unlock(sch); + + if (gnet_stats_copy_basic(d, NULL, &cl->bstats, true) < 0 || + gnet_stats_copy_rate_est(d, &cl->rate_est) < 0 || +-- +2.39.5 + diff --git a/queue-6.1/net-vlan-fix-vlan-0-refcount-imbalance-of-toggling-f.patch b/queue-6.1/net-vlan-fix-vlan-0-refcount-imbalance-of-toggling-f.patch new file mode 100644 index 0000000000..ab7b34429a --- /dev/null +++ b/queue-6.1/net-vlan-fix-vlan-0-refcount-imbalance-of-toggling-f.patch @@ -0,0 +1,204 @@ +From 39e3380b7e6137f521e3b983386f4a87d281a5d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jul 2025 11:45:03 +0800 +Subject: net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during + runtime + +From: Dong Chenchen + +[ Upstream commit 579d4f9ca9a9a605184a9b162355f6ba131f678d ] + +Assuming the "rx-vlan-filter" feature is enabled on a net device, the +8021q module will automatically add or remove VLAN 0 when the net device +is put administratively up or down, respectively. There are a couple of +problems with the above scheme. + +The first problem is a memory leak that can happen if the "rx-vlan-filter" +feature is disabled while the device is running: + + # ip link add bond1 up type bond mode 0 + # ethtool -K bond1 rx-vlan-filter off + # ip link del dev bond1 + +When the device is put administratively down the "rx-vlan-filter" +feature is disabled, so the 8021q module will not remove VLAN 0 and the +memory will be leaked [1]. + +Another problem that can happen is that the kernel can automatically +delete VLAN 0 when the device is put administratively down despite not +adding it when the device was put administratively up since during that +time the "rx-vlan-filter" feature was disabled. null-ptr-unref or +bug_on[2] will be triggered by unregister_vlan_dev() for refcount +imbalance if toggling filtering during runtime: + +$ ip link add bond0 type bond mode 0 +$ ip link add link bond0 name vlan0 type vlan id 0 protocol 802.1q +$ ethtool -K bond0 rx-vlan-filter off +$ ifconfig bond0 up +$ ethtool -K bond0 rx-vlan-filter on +$ ifconfig bond0 down +$ ip link del vlan0 + +Root cause is as below: +step1: add vlan0 for real_dev, such as bond, team. +register_vlan_dev + vlan_vid_add(real_dev,htons(ETH_P_8021Q),0) //refcnt=1 +step2: disable vlan filter feature and enable real_dev +step3: change filter from 0 to 1 +vlan_device_event + vlan_filter_push_vids + ndo_vlan_rx_add_vid //No refcnt added to real_dev vlan0 +step4: real_dev down +vlan_device_event + vlan_vid_del(dev, htons(ETH_P_8021Q), 0); //refcnt=0 + vlan_info_rcu_free //free vlan0 +step5: delete vlan0 +unregister_vlan_dev + BUG_ON(!vlan_info); //vlan_info is null + +Fix both problems by noting in the VLAN info whether VLAN 0 was +automatically added upon NETDEV_UP and based on that decide whether it +should be deleted upon NETDEV_DOWN, regardless of the state of the +"rx-vlan-filter" feature. + +[1] +unreferenced object 0xffff8880068e3100 (size 256): + comm "ip", pid 384, jiffies 4296130254 + hex dump (first 32 bytes): + 00 20 30 0d 80 88 ff ff 00 00 00 00 00 00 00 00 . 0............. + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace (crc 81ce31fa): + __kmalloc_cache_noprof+0x2b5/0x340 + vlan_vid_add+0x434/0x940 + vlan_device_event.cold+0x75/0xa8 + notifier_call_chain+0xca/0x150 + __dev_notify_flags+0xe3/0x250 + rtnl_configure_link+0x193/0x260 + rtnl_newlink_create+0x383/0x8e0 + __rtnl_newlink+0x22c/0xa40 + rtnl_newlink+0x627/0xb00 + rtnetlink_rcv_msg+0x6fb/0xb70 + netlink_rcv_skb+0x11f/0x350 + netlink_unicast+0x426/0x710 + netlink_sendmsg+0x75a/0xc20 + __sock_sendmsg+0xc1/0x150 + ____sys_sendmsg+0x5aa/0x7b0 + ___sys_sendmsg+0xfc/0x180 + +[2] +kernel BUG at net/8021q/vlan.c:99! +Oops: invalid opcode: 0000 [#1] SMP KASAN PTI +CPU: 0 UID: 0 PID: 382 Comm: ip Not tainted 6.16.0-rc3 #61 PREEMPT(voluntary) +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), +BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 +RIP: 0010:unregister_vlan_dev (net/8021q/vlan.c:99 (discriminator 1)) +RSP: 0018:ffff88810badf310 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: ffff88810da84000 RCX: ffffffffb47ceb9a +RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88810e8b43c8 +RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff6cefe80 +R10: ffffffffb677f407 R11: ffff88810badf3c0 R12: ffff88810e8b4000 +R13: 0000000000000000 R14: ffff88810642a5c0 R15: 000000000000017e +FS: 00007f1ff68c20c0(0000) GS:ffff888163a24000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f1ff5dad240 CR3: 0000000107e56000 CR4: 00000000000006f0 +Call Trace: + +rtnl_dellink (net/core/rtnetlink.c:3511 net/core/rtnetlink.c:3553) +rtnetlink_rcv_msg (net/core/rtnetlink.c:6945) +netlink_rcv_skb (net/netlink/af_netlink.c:2535) +netlink_unicast (net/netlink/af_netlink.c:1314 net/netlink/af_netlink.c:1339) +netlink_sendmsg (net/netlink/af_netlink.c:1883) +____sys_sendmsg (net/socket.c:712 net/socket.c:727 net/socket.c:2566) +___sys_sendmsg (net/socket.c:2622) +__sys_sendmsg (net/socket.c:2652) +do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) + +Fixes: ad1afb003939 ("vlan_dev: VLAN 0 should be treated as "no vlan tag" (802.1p packet)") +Reported-by: syzbot+a8b046e462915c65b10b@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=a8b046e462915c65b10b +Suggested-by: Ido Schimmel +Signed-off-by: Dong Chenchen +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20250716034504.2285203-2-dongchenchen2@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/8021q/vlan.c | 42 +++++++++++++++++++++++++++++++++--------- + net/8021q/vlan.h | 1 + + 2 files changed, 34 insertions(+), 9 deletions(-) + +diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c +index b477ba37a6991..422f726346ea5 100644 +--- a/net/8021q/vlan.c ++++ b/net/8021q/vlan.c +@@ -358,6 +358,35 @@ static int __vlan_device_event(struct net_device *dev, unsigned long event) + return err; + } + ++static void vlan_vid0_add(struct net_device *dev) ++{ ++ struct vlan_info *vlan_info; ++ int err; ++ ++ if (!(dev->features & NETIF_F_HW_VLAN_CTAG_FILTER)) ++ return; ++ ++ pr_info("adding VLAN 0 to HW filter on device %s\n", dev->name); ++ ++ err = vlan_vid_add(dev, htons(ETH_P_8021Q), 0); ++ if (err) ++ return; ++ ++ vlan_info = rtnl_dereference(dev->vlan_info); ++ vlan_info->auto_vid0 = true; ++} ++ ++static void vlan_vid0_del(struct net_device *dev) ++{ ++ struct vlan_info *vlan_info = rtnl_dereference(dev->vlan_info); ++ ++ if (!vlan_info || !vlan_info->auto_vid0) ++ return; ++ ++ vlan_info->auto_vid0 = false; ++ vlan_vid_del(dev, htons(ETH_P_8021Q), 0); ++} ++ + static int vlan_device_event(struct notifier_block *unused, unsigned long event, + void *ptr) + { +@@ -379,15 +408,10 @@ static int vlan_device_event(struct notifier_block *unused, unsigned long event, + return notifier_from_errno(err); + } + +- if ((event == NETDEV_UP) && +- (dev->features & NETIF_F_HW_VLAN_CTAG_FILTER)) { +- pr_info("adding VLAN 0 to HW filter on device %s\n", +- dev->name); +- vlan_vid_add(dev, htons(ETH_P_8021Q), 0); +- } +- if (event == NETDEV_DOWN && +- (dev->features & NETIF_F_HW_VLAN_CTAG_FILTER)) +- vlan_vid_del(dev, htons(ETH_P_8021Q), 0); ++ if (event == NETDEV_UP) ++ vlan_vid0_add(dev); ++ else if (event == NETDEV_DOWN) ++ vlan_vid0_del(dev); + + vlan_info = rtnl_dereference(dev->vlan_info); + if (!vlan_info) +diff --git a/net/8021q/vlan.h b/net/8021q/vlan.h +index 5eaf38875554b..c7ffe591d5936 100644 +--- a/net/8021q/vlan.h ++++ b/net/8021q/vlan.h +@@ -33,6 +33,7 @@ struct vlan_info { + struct vlan_group grp; + struct list_head vid_list; + unsigned int nr_vids; ++ bool auto_vid0; + struct rcu_head rcu; + }; + +-- +2.39.5 + diff --git a/queue-6.1/netfilter-nf_conntrack-fix-crash-due-to-removal-of-u.patch b/queue-6.1/netfilter-nf_conntrack-fix-crash-due-to-removal-of-u.patch new file mode 100644 index 0000000000..03b3420ec0 --- /dev/null +++ b/queue-6.1/netfilter-nf_conntrack-fix-crash-due-to-removal-of-u.patch @@ -0,0 +1,245 @@ +From 20c40ac647692246fd7a4fbcff397ea61614f128 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jul 2025 20:39:14 +0200 +Subject: netfilter: nf_conntrack: fix crash due to removal of uninitialised + entry + +From: Florian Westphal + +[ Upstream commit 2d72afb340657f03f7261e9243b44457a9228ac7 ] + +A crash in conntrack was reported while trying to unlink the conntrack +entry from the hash bucket list: + [exception RIP: __nf_ct_delete_from_lists+172] + [..] + #7 [ff539b5a2b043aa0] nf_ct_delete at ffffffffc124d421 [nf_conntrack] + #8 [ff539b5a2b043ad0] nf_ct_gc_expired at ffffffffc124d999 [nf_conntrack] + #9 [ff539b5a2b043ae0] __nf_conntrack_find_get at ffffffffc124efbc [nf_conntrack] + [..] + +The nf_conn struct is marked as allocated from slab but appears to be in +a partially initialised state: + + ct hlist pointer is garbage; looks like the ct hash value + (hence crash). + ct->status is equal to IPS_CONFIRMED|IPS_DYING, which is expected + ct->timeout is 30000 (=30s), which is unexpected. + +Everything else looks like normal udp conntrack entry. If we ignore +ct->status and pretend its 0, the entry matches those that are newly +allocated but not yet inserted into the hash: + - ct hlist pointers are overloaded and store/cache the raw tuple hash + - ct->timeout matches the relative time expected for a new udp flow + rather than the absolute 'jiffies' value. + +If it were not for the presence of IPS_CONFIRMED, +__nf_conntrack_find_get() would have skipped the entry. + +Theory is that we did hit following race: + +cpu x cpu y cpu z + found entry E found entry E + E is expired + nf_ct_delete() + return E to rcu slab + init_conntrack + E is re-inited, + ct->status set to 0 + reply tuplehash hnnode.pprev + stores hash value. + +cpu y found E right before it was deleted on cpu x. +E is now re-inited on cpu z. cpu y was preempted before +checking for expiry and/or confirm bit. + + ->refcnt set to 1 + E now owned by skb + ->timeout set to 30000 + +If cpu y were to resume now, it would observe E as +expired but would skip E due to missing CONFIRMED bit. + + nf_conntrack_confirm gets called + sets: ct->status |= CONFIRMED + This is wrong: E is not yet added + to hashtable. + +cpu y resumes, it observes E as expired but CONFIRMED: + + nf_ct_expired() + -> yes (ct->timeout is 30s) + confirmed bit set. + +cpu y will try to delete E from the hashtable: + nf_ct_delete() -> set DYING bit + __nf_ct_delete_from_lists + +Even this scenario doesn't guarantee a crash: +cpu z still holds the table bucket lock(s) so y blocks: + + wait for spinlock held by z + + CONFIRMED is set but there is no + guarantee ct will be added to hash: + "chaintoolong" or "clash resolution" + logic both skip the insert step. + reply hnnode.pprev still stores the + hash value. + + unlocks spinlock + return NF_DROP + + +In case CPU z does insert the entry into the hashtable, cpu y will unlink +E again right away but no crash occurs. + +Without 'cpu y' race, 'garbage' hlist is of no consequence: +ct refcnt remains at 1, eventually skb will be free'd and E gets +destroyed via: nf_conntrack_put -> nf_conntrack_destroy -> nf_ct_destroy. + +To resolve this, move the IPS_CONFIRMED assignment after the table +insertion but before the unlock. + +Pablo points out that the confirm-bit-store could be reordered to happen +before hlist add resp. the timeout fixup, so switch to set_bit and +before_atomic memory barrier to prevent this. + +It doesn't matter if other CPUs can observe a newly inserted entry right +before the CONFIRMED bit was set: + +Such event cannot be distinguished from above "E is the old incarnation" +case: the entry will be skipped. + +Also change nf_ct_should_gc() to first check the confirmed bit. + +The gc sequence is: + 1. Check if entry has expired, if not skip to next entry + 2. Obtain a reference to the expired entry. + 3. Call nf_ct_should_gc() to double-check step 1. + +nf_ct_should_gc() is thus called only for entries that already failed an +expiry check. After this patch, once the confirmed bit check passes +ct->timeout has been altered to reflect the absolute 'best before' date +instead of a relative time. Step 3 will therefore not remove the entry. + +Without this change to nf_ct_should_gc() we could still get this sequence: + + 1. Check if entry has expired. + 2. Obtain a reference. + 3. Call nf_ct_should_gc() to double-check step 1: + 4 - entry is still observed as expired + 5 - meanwhile, ct->timeout is corrected to absolute value on other CPU + and confirm bit gets set + 6 - confirm bit is seen + 7 - valid entry is removed again + +First do check 6), then 4) so the gc expiry check always picks up either +confirmed bit unset (entry gets skipped) or expiry re-check failure for +re-inited conntrack objects. + +This change cannot be backported to releases before 5.19. Without +commit 8a75a2c17410 ("netfilter: conntrack: remove unconfirmed list") +|= IPS_CONFIRMED line cannot be moved without further changes. + +Cc: Razvan Cojocaru +Link: https://lore.kernel.org/netfilter-devel/20250627142758.25664-1-fw@strlen.de/ +Link: https://lore.kernel.org/netfilter-devel/4239da15-83ff-4ca4-939d-faef283471bb@gmail.com/ +Fixes: 1397af5bfd7d ("netfilter: conntrack: remove the percpu dying list") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/net/netfilter/nf_conntrack.h | 15 +++++++++++++-- + net/netfilter/nf_conntrack_core.c | 26 ++++++++++++++++++++------ + 2 files changed, 33 insertions(+), 8 deletions(-) + +diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h +index 3dbf947285be2..be396d566b57b 100644 +--- a/include/net/netfilter/nf_conntrack.h ++++ b/include/net/netfilter/nf_conntrack.h +@@ -306,8 +306,19 @@ static inline bool nf_ct_is_expired(const struct nf_conn *ct) + /* use after obtaining a reference count */ + static inline bool nf_ct_should_gc(const struct nf_conn *ct) + { +- return nf_ct_is_expired(ct) && nf_ct_is_confirmed(ct) && +- !nf_ct_is_dying(ct); ++ if (!nf_ct_is_confirmed(ct)) ++ return false; ++ ++ /* load ct->timeout after is_confirmed() test. ++ * Pairs with __nf_conntrack_confirm() which: ++ * 1. Increases ct->timeout value ++ * 2. Inserts ct into rcu hlist ++ * 3. Sets the confirmed bit ++ * 4. Unlocks the hlist lock ++ */ ++ smp_acquire__after_ctrl_dep(); ++ ++ return nf_ct_is_expired(ct) && !nf_ct_is_dying(ct); + } + + #define NF_CT_DAY (86400 * HZ) +diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c +index ec4c39641089b..002d53ded404e 100644 +--- a/net/netfilter/nf_conntrack_core.c ++++ b/net/netfilter/nf_conntrack_core.c +@@ -1087,6 +1087,12 @@ static int nf_ct_resolve_clash_harder(struct sk_buff *skb, u32 repl_idx) + + hlist_nulls_add_head_rcu(&loser_ct->tuplehash[IP_CT_DIR_REPLY].hnnode, + &nf_conntrack_hash[repl_idx]); ++ /* confirmed bit must be set after hlist add, not before: ++ * loser_ct can still be visible to other cpu due to ++ * SLAB_TYPESAFE_BY_RCU. ++ */ ++ smp_mb__before_atomic(); ++ set_bit(IPS_CONFIRMED_BIT, &loser_ct->status); + + NF_CT_STAT_INC(net, clash_resolve); + return NF_ACCEPT; +@@ -1224,8 +1230,6 @@ __nf_conntrack_confirm(struct sk_buff *skb) + * user context, else we insert an already 'dead' hash, blocking + * further use of that particular connection -JM. + */ +- ct->status |= IPS_CONFIRMED; +- + if (unlikely(nf_ct_is_dying(ct))) { + NF_CT_STAT_INC(net, insert_failed); + goto dying; +@@ -1257,7 +1261,7 @@ __nf_conntrack_confirm(struct sk_buff *skb) + } + } + +- /* Timer relative to confirmation time, not original ++ /* Timeout is relative to confirmation time, not original + setting time, otherwise we'd get timer wrap in + weird delay cases. */ + ct->timeout += nfct_time_stamp; +@@ -1265,11 +1269,21 @@ __nf_conntrack_confirm(struct sk_buff *skb) + __nf_conntrack_insert_prepare(ct); + + /* Since the lookup is lockless, hash insertion must be done after +- * starting the timer and setting the CONFIRMED bit. The RCU barriers +- * guarantee that no other CPU can find the conntrack before the above +- * stores are visible. ++ * setting ct->timeout. The RCU barriers guarantee that no other CPU ++ * can find the conntrack before the above stores are visible. + */ + __nf_conntrack_hash_insert(ct, hash, reply_hash); ++ ++ /* IPS_CONFIRMED unset means 'ct not (yet) in hash', conntrack lookups ++ * skip entries that lack this bit. This happens when a CPU is looking ++ * at a stale entry that is being recycled due to SLAB_TYPESAFE_BY_RCU ++ * or when another CPU encounters this entry right after the insertion ++ * but before the set-confirm-bit below. This bit must not be set until ++ * after __nf_conntrack_hash_insert(). ++ */ ++ smp_mb__before_atomic(); ++ set_bit(IPS_CONFIRMED_BIT, &ct->status); ++ + nf_conntrack_double_unlock(hash, reply_hash); + local_bh_enable(); + +-- +2.39.5 + diff --git a/queue-6.1/nvme-fix-misaccounting-of-nvme-mpath-inflight-i-o.patch b/queue-6.1/nvme-fix-misaccounting-of-nvme-mpath-inflight-i-o.patch new file mode 100644 index 0000000000..8c11c0a3c9 --- /dev/null +++ b/queue-6.1/nvme-fix-misaccounting-of-nvme-mpath-inflight-i-o.patch @@ -0,0 +1,52 @@ +From c542b9219a19d431dd3a86b61185c3996fad5503 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jul 2025 09:28:12 +0800 +Subject: nvme: fix misaccounting of nvme-mpath inflight I/O + +From: Yu Kuai + +[ Upstream commit 71257925e83eae1cb6913d65ca71927d2220e6d1 ] + +Procedures for nvme-mpath IO accounting: + + 1) initialize nvme_request and clear flags; + 2) set NVME_MPATH_IO_STATS and increase inflight counter when IO + started; + 3) check NVME_MPATH_IO_STATS and decrease inflight counter when IO is + done; + +However, for the case nvme_fail_nonready_command(), both step 1) and 2) +are skipped, and if old nvme_request set NVME_MPATH_IO_STATS and then +request is reused, step 3) will still be executed, causing inflight I/O +counter to be negative. + +Fix the problem by clearing nvme_request in nvme_fail_nonready_command(). + +Fixes: ea5e5f42cd2c ("nvme-fabrics: avoid double completions in nvmf_fail_nonready_command") +Reported-by: Yi Zhang +Closes: https://lore.kernel.org/all/CAHj4cs_+dauobyYyP805t33WMJVzOWj=7+51p4_j9rA63D9sog@mail.gmail.com/ +Signed-off-by: Yu Kuai +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index fbe3fb4fbe95f..7d3759f875b23 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -706,6 +706,10 @@ blk_status_t nvme_fail_nonready_command(struct nvme_ctrl *ctrl, + !test_bit(NVME_CTRL_FAILFAST_EXPIRED, &ctrl->flags) && + !blk_noretry_request(rq) && !(rq->cmd_flags & REQ_NVME_MPATH)) + return BLK_STS_RESOURCE; ++ ++ if (!(rq->rq_flags & RQF_DONTPREP)) ++ nvme_clear_nvme_request(rq); ++ + return nvme_host_path_error(rq); + } + EXPORT_SYMBOL_GPL(nvme_fail_nonready_command); +-- +2.39.5 + diff --git a/queue-6.1/revert-cgroup_freezer-cgroup_freezing-check-if-not-f.patch b/queue-6.1/revert-cgroup_freezer-cgroup_freezing-check-if-not-f.patch new file mode 100644 index 0000000000..2a46a91f5b --- /dev/null +++ b/queue-6.1/revert-cgroup_freezer-cgroup_freezing-check-if-not-f.patch @@ -0,0 +1,77 @@ +From 7f8879d0e505be4c57ff9a2eecaa6d5618d40912 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jul 2025 08:55:50 +0000 +Subject: Revert "cgroup_freezer: cgroup_freezing: Check if not frozen" + +From: Chen Ridong + +[ Upstream commit 14a67b42cb6f3ab66f41603c062c5056d32ea7dd ] + +This reverts commit cff5f49d433fcd0063c8be7dd08fa5bf190c6c37. + +Commit cff5f49d433f ("cgroup_freezer: cgroup_freezing: Check if not +frozen") modified the cgroup_freezing() logic to verify that the FROZEN +flag is not set, affecting the return value of the freezing() function, +in order to address a warning in __thaw_task. + +A race condition exists that may allow tasks to escape being frozen. The +following scenario demonstrates this issue: + +CPU 0 (get_signal path) CPU 1 (freezer.state reader) +try_to_freeze read freezer.state +__refrigerator freezer_read + update_if_frozen +WRITE_ONCE(current->__state, TASK_FROZEN); + ... + /* Task is now marked frozen */ + /* frozen(task) == true */ + /* Assuming other tasks are frozen */ + freezer->state |= CGROUP_FROZEN; +/* freezing(current) returns false */ +/* because cgroup is frozen (not freezing) */ +break out +__set_current_state(TASK_RUNNING); +/* Bug: Task resumes running when it should remain frozen */ + +The existing !frozen(p) check in __thaw_task makes the +WARN_ON_ONCE(freezing(p)) warning redundant. Removing this warning enables +reverting the commit cff5f49d433f ("cgroup_freezer: cgroup_freezing: Check +if not frozen") to resolve the issue. + +The warning has been removed in the previous patch. This patch revert the +commit cff5f49d433f ("cgroup_freezer: cgroup_freezing: Check if not +frozen") to complete the fix. + +Fixes: cff5f49d433f ("cgroup_freezer: cgroup_freezing: Check if not frozen") +Reported-by: Zhong Jiawei +Signed-off-by: Chen Ridong +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + kernel/cgroup/legacy_freezer.c | 8 +------- + 1 file changed, 1 insertion(+), 7 deletions(-) + +diff --git a/kernel/cgroup/legacy_freezer.c b/kernel/cgroup/legacy_freezer.c +index a3e13e6d5ee40..bee2f9ea5e4ae 100644 +--- a/kernel/cgroup/legacy_freezer.c ++++ b/kernel/cgroup/legacy_freezer.c +@@ -66,15 +66,9 @@ static struct freezer *parent_freezer(struct freezer *freezer) + bool cgroup_freezing(struct task_struct *task) + { + bool ret; +- unsigned int state; + + rcu_read_lock(); +- /* Check if the cgroup is still FREEZING, but not FROZEN. The extra +- * !FROZEN check is required, because the FREEZING bit is not cleared +- * when the state FROZEN is reached. +- */ +- state = task_freezer(task)->state; +- ret = (state & CGROUP_FREEZING) && !(state & CGROUP_FROZEN); ++ ret = task_freezer(task)->state & CGROUP_FREEZING; + rcu_read_unlock(); + + return ret; +-- +2.39.5 + diff --git a/queue-6.1/rpl-fix-use-after-free-in-rpl_do_srh_inline.patch b/queue-6.1/rpl-fix-use-after-free-in-rpl_do_srh_inline.patch new file mode 100644 index 0000000000..a4cc3c2077 --- /dev/null +++ b/queue-6.1/rpl-fix-use-after-free-in-rpl_do_srh_inline.patch @@ -0,0 +1,187 @@ +From 4be691f6d42d3feca5c587269e92925f213b88e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jul 2025 18:21:19 +0000 +Subject: rpl: Fix use-after-free in rpl_do_srh_inline(). + +From: Kuniyuki Iwashima + +[ Upstream commit b640daa2822a39ff76e70200cb2b7b892b896dce ] + +Running lwt_dst_cache_ref_loop.sh in selftest with KASAN triggers +the splat below [0]. + +rpl_do_srh_inline() fetches ipv6_hdr(skb) and accesses it after +skb_cow_head(), which is illegal as the header could be freed then. + +Let's fix it by making oldhdr to a local struct instead of a pointer. + +[0]: +[root@fedora net]# ./lwt_dst_cache_ref_loop.sh +... +TEST: rpl (input) +[ 57.631529] ================================================================== +BUG: KASAN: slab-use-after-free in rpl_do_srh_inline.isra.0 (net/ipv6/rpl_iptunnel.c:174) +Read of size 40 at addr ffff888122bf96d8 by task ping6/1543 + +CPU: 50 UID: 0 PID: 1543 Comm: ping6 Not tainted 6.16.0-rc5-01302-gfadd1e6231b1 #23 PREEMPT(voluntary) +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +Call Trace: + + dump_stack_lvl (lib/dump_stack.c:122) + print_report (mm/kasan/report.c:409 mm/kasan/report.c:521) + kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:636) + kasan_check_range (mm/kasan/generic.c:175 (discriminator 1) mm/kasan/generic.c:189 (discriminator 1)) + __asan_memmove (mm/kasan/shadow.c:94 (discriminator 2)) + rpl_do_srh_inline.isra.0 (net/ipv6/rpl_iptunnel.c:174) + rpl_input (net/ipv6/rpl_iptunnel.c:201 net/ipv6/rpl_iptunnel.c:282) + lwtunnel_input (net/core/lwtunnel.c:459) + ipv6_rcv (./include/net/dst.h:471 (discriminator 1) ./include/net/dst.h:469 (discriminator 1) net/ipv6/ip6_input.c:79 (discriminator 1) ./include/linux/netfilter.h:317 (discriminator 1) ./include/linux/netfilter.h:311 (discriminator 1) net/ipv6/ip6_input.c:311 (discriminator 1)) + __netif_receive_skb_one_core (net/core/dev.c:5967) + process_backlog (./include/linux/rcupdate.h:869 net/core/dev.c:6440) + __napi_poll.constprop.0 (net/core/dev.c:7452) + net_rx_action (net/core/dev.c:7518 net/core/dev.c:7643) + handle_softirqs (kernel/softirq.c:579) + do_softirq (kernel/softirq.c:480 (discriminator 20)) + + + __local_bh_enable_ip (kernel/softirq.c:407) + __dev_queue_xmit (net/core/dev.c:4740) + ip6_finish_output2 (./include/linux/netdevice.h:3358 ./include/net/neighbour.h:526 ./include/net/neighbour.h:540 net/ipv6/ip6_output.c:141) + ip6_finish_output (net/ipv6/ip6_output.c:215 net/ipv6/ip6_output.c:226) + ip6_output (./include/linux/netfilter.h:306 net/ipv6/ip6_output.c:248) + ip6_send_skb (net/ipv6/ip6_output.c:1983) + rawv6_sendmsg (net/ipv6/raw.c:588 net/ipv6/raw.c:918) + __sys_sendto (net/socket.c:714 (discriminator 1) net/socket.c:729 (discriminator 1) net/socket.c:2228 (discriminator 1)) + __x64_sys_sendto (net/socket.c:2231) + do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) + entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) +RIP: 0033:0x7f68cffb2a06 +Code: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 <48> 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08 +RSP: 002b:00007ffefb7c53d0 EFLAGS: 00000202 ORIG_RAX: 000000000000002c +RAX: ffffffffffffffda RBX: 0000564cd69f10a0 RCX: 00007f68cffb2a06 +RDX: 0000000000000040 RSI: 0000564cd69f10a4 RDI: 0000000000000003 +RBP: 00007ffefb7c53f0 R08: 0000564cd6a032ac R09: 000000000000001c +R10: 0000000000000000 R11: 0000000000000202 R12: 0000564cd69f10a4 +R13: 0000000000000040 R14: 00007ffefb7c66e0 R15: 0000564cd69f10a0 + + +Allocated by task 1543: + kasan_save_stack (mm/kasan/common.c:48) + kasan_save_track (mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1)) + __kasan_slab_alloc (mm/kasan/common.c:319 mm/kasan/common.c:345) + kmem_cache_alloc_node_noprof (./include/linux/kasan.h:250 mm/slub.c:4148 mm/slub.c:4197 mm/slub.c:4249) + kmalloc_reserve (net/core/skbuff.c:581 (discriminator 88)) + __alloc_skb (net/core/skbuff.c:669) + __ip6_append_data (net/ipv6/ip6_output.c:1672 (discriminator 1)) + ip6_append_data (net/ipv6/ip6_output.c:1859) + rawv6_sendmsg (net/ipv6/raw.c:911) + __sys_sendto (net/socket.c:714 (discriminator 1) net/socket.c:729 (discriminator 1) net/socket.c:2228 (discriminator 1)) + __x64_sys_sendto (net/socket.c:2231) + do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) + entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) + +Freed by task 1543: + kasan_save_stack (mm/kasan/common.c:48) + kasan_save_track (mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1)) + kasan_save_free_info (mm/kasan/generic.c:579 (discriminator 1)) + __kasan_slab_free (mm/kasan/common.c:271) + kmem_cache_free (mm/slub.c:4643 (discriminator 3) mm/slub.c:4745 (discriminator 3)) + pskb_expand_head (net/core/skbuff.c:2274) + rpl_do_srh_inline.isra.0 (net/ipv6/rpl_iptunnel.c:158 (discriminator 1)) + rpl_input (net/ipv6/rpl_iptunnel.c:201 net/ipv6/rpl_iptunnel.c:282) + lwtunnel_input (net/core/lwtunnel.c:459) + ipv6_rcv (./include/net/dst.h:471 (discriminator 1) ./include/net/dst.h:469 (discriminator 1) net/ipv6/ip6_input.c:79 (discriminator 1) ./include/linux/netfilter.h:317 (discriminator 1) ./include/linux/netfilter.h:311 (discriminator 1) net/ipv6/ip6_input.c:311 (discriminator 1)) + __netif_receive_skb_one_core (net/core/dev.c:5967) + process_backlog (./include/linux/rcupdate.h:869 net/core/dev.c:6440) + __napi_poll.constprop.0 (net/core/dev.c:7452) + net_rx_action (net/core/dev.c:7518 net/core/dev.c:7643) + handle_softirqs (kernel/softirq.c:579) + do_softirq (kernel/softirq.c:480 (discriminator 20)) + __local_bh_enable_ip (kernel/softirq.c:407) + __dev_queue_xmit (net/core/dev.c:4740) + ip6_finish_output2 (./include/linux/netdevice.h:3358 ./include/net/neighbour.h:526 ./include/net/neighbour.h:540 net/ipv6/ip6_output.c:141) + ip6_finish_output (net/ipv6/ip6_output.c:215 net/ipv6/ip6_output.c:226) + ip6_output (./include/linux/netfilter.h:306 net/ipv6/ip6_output.c:248) + ip6_send_skb (net/ipv6/ip6_output.c:1983) + rawv6_sendmsg (net/ipv6/raw.c:588 net/ipv6/raw.c:918) + __sys_sendto (net/socket.c:714 (discriminator 1) net/socket.c:729 (discriminator 1) net/socket.c:2228 (discriminator 1)) + __x64_sys_sendto (net/socket.c:2231) + do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) + entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) + +The buggy address belongs to the object at ffff888122bf96c0 + which belongs to the cache skbuff_small_head of size 704 +The buggy address is located 24 bytes inside of + freed 704-byte region [ffff888122bf96c0, ffff888122bf9980) + +The buggy address belongs to the physical page: +page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x122bf8 +head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 +flags: 0x200000000000040(head|node=0|zone=2) +page_type: f5(slab) +raw: 0200000000000040 ffff888101fc0a00 ffffea000464dc00 0000000000000002 +raw: 0000000000000000 0000000080270027 00000000f5000000 0000000000000000 +head: 0200000000000040 ffff888101fc0a00 ffffea000464dc00 0000000000000002 +head: 0000000000000000 0000000080270027 00000000f5000000 0000000000000000 +head: 0200000000000003 ffffea00048afe01 00000000ffffffff 00000000ffffffff +head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff888122bf9580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff888122bf9600: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc +>ffff888122bf9680: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb + ^ + ffff888122bf9700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff888122bf9780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + +Fixes: a7a29f9c361f8 ("net: ipv6: add rpl sr tunnel") +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/rpl_iptunnel.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/ipv6/rpl_iptunnel.c b/net/ipv6/rpl_iptunnel.c +index 862ac1e2e191c..952ec785853ab 100644 +--- a/net/ipv6/rpl_iptunnel.c ++++ b/net/ipv6/rpl_iptunnel.c +@@ -129,13 +129,13 @@ static int rpl_do_srh_inline(struct sk_buff *skb, const struct rpl_lwt *rlwt, + struct dst_entry *cache_dst) + { + struct ipv6_rpl_sr_hdr *isrh, *csrh; +- const struct ipv6hdr *oldhdr; ++ struct ipv6hdr oldhdr; + struct ipv6hdr *hdr; + unsigned char *buf; + size_t hdrlen; + int err; + +- oldhdr = ipv6_hdr(skb); ++ memcpy(&oldhdr, ipv6_hdr(skb), sizeof(oldhdr)); + + buf = kcalloc(struct_size(srh, segments.addr, srh->segments_left), 2, GFP_ATOMIC); + if (!buf) +@@ -147,7 +147,7 @@ static int rpl_do_srh_inline(struct sk_buff *skb, const struct rpl_lwt *rlwt, + memcpy(isrh, srh, sizeof(*isrh)); + memcpy(isrh->rpl_segaddr, &srh->rpl_segaddr[1], + (srh->segments_left - 1) * 16); +- isrh->rpl_segaddr[srh->segments_left - 1] = oldhdr->daddr; ++ isrh->rpl_segaddr[srh->segments_left - 1] = oldhdr.daddr; + + ipv6_rpl_srh_compress(csrh, isrh, &srh->rpl_segaddr[0], + isrh->segments_left - 1); +@@ -169,7 +169,7 @@ static int rpl_do_srh_inline(struct sk_buff *skb, const struct rpl_lwt *rlwt, + skb_mac_header_rebuild(skb); + + hdr = ipv6_hdr(skb); +- memmove(hdr, oldhdr, sizeof(*hdr)); ++ memmove(hdr, &oldhdr, sizeof(*hdr)); + isrh = (void *)hdr + sizeof(*hdr); + memcpy(isrh, csrh, hdrlen); + +-- +2.39.5 + diff --git a/queue-6.1/selftests-net-increase-inter-packet-timeout-in-udpgr.patch b/queue-6.1/selftests-net-increase-inter-packet-timeout-in-udpgr.patch new file mode 100644 index 0000000000..174fe42f81 --- /dev/null +++ b/queue-6.1/selftests-net-increase-inter-packet-timeout-in-udpgr.patch @@ -0,0 +1,59 @@ +From 038489894954de796cec8d7c733a41d65e437900 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 18:04:50 +0200 +Subject: selftests: net: increase inter-packet timeout in udpgro.sh + +From: Paolo Abeni + +[ Upstream commit 0e9418961f897be59b1fab6e31ae1b09a0bae902 ] + +The mentioned test is not very stable when running on top of +debug kernel build. Increase the inter-packet timeout to allow +more slack in such environments. + +Fixes: 3327a9c46352 ("selftests: add functionals test for UDP GRO") +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/b0370c06ddb3235debf642c17de0284b2cd3c652.1752163107.git.pabeni@redhat.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/udpgro.sh | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/tools/testing/selftests/net/udpgro.sh b/tools/testing/selftests/net/udpgro.sh +index 241c6c37994d8..f6e50824c5eb9 100755 +--- a/tools/testing/selftests/net/udpgro.sh ++++ b/tools/testing/selftests/net/udpgro.sh +@@ -50,7 +50,7 @@ run_one() { + + cfg_veth + +- ip netns exec "${PEER_NS}" ./udpgso_bench_rx -C 1000 -R 10 ${rx_args} & ++ ip netns exec "${PEER_NS}" ./udpgso_bench_rx -C 1000 -R 100 ${rx_args} & + local PID1=$! + + wait_local_port_listen ${PEER_NS} 8000 udp +@@ -97,7 +97,7 @@ run_one_nat() { + # will land on the 'plain' one + ip netns exec "${PEER_NS}" ./udpgso_bench_rx -G ${family} -b ${addr1} -n 0 & + local PID1=$! +- ip netns exec "${PEER_NS}" ./udpgso_bench_rx -C 1000 -R 10 ${family} -b ${addr2%/*} ${rx_args} & ++ ip netns exec "${PEER_NS}" ./udpgso_bench_rx -C 1000 -R 100 ${family} -b ${addr2%/*} ${rx_args} & + local PID2=$! + + wait_local_port_listen "${PEER_NS}" 8000 udp +@@ -119,9 +119,9 @@ run_one_2sock() { + + cfg_veth + +- ip netns exec "${PEER_NS}" ./udpgso_bench_rx -C 1000 -R 10 ${rx_args} -p 12345 & ++ ip netns exec "${PEER_NS}" ./udpgso_bench_rx -C 1000 -R 100 ${rx_args} -p 12345 & + local PID1=$! +- ip netns exec "${PEER_NS}" ./udpgso_bench_rx -C 2000 -R 10 ${rx_args} & ++ ip netns exec "${PEER_NS}" ./udpgso_bench_rx -C 2000 -R 100 ${rx_args} & + local PID2=$! + + wait_local_port_listen "${PEER_NS}" 12345 udp +-- +2.39.5 + diff --git a/queue-6.1/series b/queue-6.1/series index 91ad2c234a..b6acf1ce3e 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -39,3 +39,27 @@ comedi-fail-comedi_insnlist-ioctl-if-n_insns-is-too-large.patch comedi-fix-some-signed-shift-left-operations.patch comedi-fix-use-of-uninitialized-data-in-insn_rw_emulate_bits.patch comedi-fix-initialization-of-data-for-instructions-that-write-to-subdevice.patch +bpf-reject-p-format-string-in-bprintf-like-helpers.patch +cachefiles-fix-the-incorrect-return-value-in-__cache.patch +net-emaclite-fix-missing-pointer-increment-in-aligne.patch +net-sched-sch_qfq-fix-race-condition-on-qfq_aggregat.patch +rpl-fix-use-after-free-in-rpl_do_srh_inline.patch +smb-client-fix-use-after-free-in-cifs_oplock_break.patch +nvme-fix-misaccounting-of-nvme-mpath-inflight-i-o.patch +selftests-net-increase-inter-packet-timeout-in-udpgr.patch +hwmon-corsair-cpro-validate-the-size-of-the-received.patch +usb-net-sierra-check-for-no-status-endpoint.patch +bluetooth-fix-null-ptr-deref-in-l2cap_sock_resume_cb.patch +bluetooth-hci_sync-fix-connectable-extended-advertis.patch +bluetooth-smp-if-an-unallowed-command-is-received-co.patch +bluetooth-smp-fix-using-hci_error_remote_user_term-o.patch +bluetooth-btusb-qca-fix-downloading-wrong-nvm-for-wc.patch +net-mlx5-correctly-set-gso_size-when-lro-is-used.patch +ipv6-mcast-delay-put-pmc-idev-in-mld_del_delrec.patch +netfilter-nf_conntrack-fix-crash-due-to-removal-of-u.patch +bluetooth-l2cap-fix-attempting-to-adjust-outgoing-mt.patch +tls-always-refresh-the-queue-when-reading-sock.patch +net-vlan-fix-vlan-0-refcount-imbalance-of-toggling-f.patch +net-bridge-do-not-offload-igmp-mld-messages.patch +net-sched-return-null-when-htb_lookup_leaf-encounter.patch +revert-cgroup_freezer-cgroup_freezing-check-if-not-f.patch diff --git a/queue-6.1/smb-client-fix-use-after-free-in-cifs_oplock_break.patch b/queue-6.1/smb-client-fix-use-after-free-in-cifs_oplock_break.patch new file mode 100644 index 0000000000..2b55736e70 --- /dev/null +++ b/queue-6.1/smb-client-fix-use-after-free-in-cifs_oplock_break.patch @@ -0,0 +1,90 @@ +From ea500b627eebbb81434b4ca943493ad71a2abfce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Jul 2025 09:09:26 +0800 +Subject: smb: client: fix use-after-free in cifs_oplock_break + +From: Wang Zhaolong + +[ Upstream commit 705c79101ccf9edea5a00d761491a03ced314210 ] + +A race condition can occur in cifs_oplock_break() leading to a +use-after-free of the cinode structure when unmounting: + + cifs_oplock_break() + _cifsFileInfo_put(cfile) + cifsFileInfo_put_final() + cifs_sb_deactive() + [last ref, start releasing sb] + kill_sb() + kill_anon_super() + generic_shutdown_super() + evict_inodes() + dispose_list() + evict() + destroy_inode() + call_rcu(&inode->i_rcu, i_callback) + spin_lock(&cinode->open_file_lock) <- OK + [later] i_callback() + cifs_free_inode() + kmem_cache_free(cinode) + spin_unlock(&cinode->open_file_lock) <- UAF + cifs_done_oplock_break(cinode) <- UAF + +The issue occurs when umount has already released its reference to the +superblock. When _cifsFileInfo_put() calls cifs_sb_deactive(), this +releases the last reference, triggering the immediate cleanup of all +inodes under RCU. However, cifs_oplock_break() continues to access the +cinode after this point, resulting in use-after-free. + +Fix this by holding an extra reference to the superblock during the +entire oplock break operation. This ensures that the superblock and +its inodes remain valid until the oplock break completes. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=220309 +Fixes: b98749cac4a6 ("CIFS: keep FileInfo handle live during oplock break") +Reviewed-by: Paulo Alcantara (Red Hat) +Signed-off-by: Wang Zhaolong +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/file.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/fs/smb/client/file.c b/fs/smb/client/file.c +index 9b0919d9e3370..3551054ef0973 100644 +--- a/fs/smb/client/file.c ++++ b/fs/smb/client/file.c +@@ -5189,7 +5189,8 @@ void cifs_oplock_break(struct work_struct *work) + struct cifsFileInfo *cfile = container_of(work, struct cifsFileInfo, + oplock_break); + struct inode *inode = d_inode(cfile->dentry); +- struct cifs_sb_info *cifs_sb = CIFS_SB(inode->i_sb); ++ struct super_block *sb = inode->i_sb; ++ struct cifs_sb_info *cifs_sb = CIFS_SB(sb); + struct cifsInodeInfo *cinode = CIFS_I(inode); + struct cifs_tcon *tcon; + struct TCP_Server_Info *server; +@@ -5199,6 +5200,12 @@ void cifs_oplock_break(struct work_struct *work) + __u64 persistent_fid, volatile_fid; + __u16 net_fid; + ++ /* ++ * Hold a reference to the superblock to prevent it and its inodes from ++ * being freed while we are accessing cinode. Otherwise, _cifsFileInfo_put() ++ * may release the last reference to the sb and trigger inode eviction. ++ */ ++ cifs_sb_active(sb); + wait_on_bit(&cinode->flags, CIFS_INODE_PENDING_WRITERS, + TASK_UNINTERRUPTIBLE); + +@@ -5271,6 +5278,7 @@ void cifs_oplock_break(struct work_struct *work) + cifs_put_tlink(tlink); + out: + cifs_done_oplock_break(cinode); ++ cifs_sb_deactive(sb); + } + + /* +-- +2.39.5 + diff --git a/queue-6.1/tls-always-refresh-the-queue-when-reading-sock.patch b/queue-6.1/tls-always-refresh-the-queue-when-reading-sock.patch new file mode 100644 index 0000000000..f10cb55f30 --- /dev/null +++ b/queue-6.1/tls-always-refresh-the-queue-when-reading-sock.patch @@ -0,0 +1,55 @@ +From 17feeba5262d505b1e336e8a06d1f9903531e302 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jul 2025 07:38:50 -0700 +Subject: tls: always refresh the queue when reading sock + +From: Jakub Kicinski + +[ Upstream commit 4ab26bce3969f8fd925fe6f6f551e4d1a508c68b ] + +After recent changes in net-next TCP compacts skbs much more +aggressively. This unearthed a bug in TLS where we may try +to operate on an old skb when checking if all skbs in the +queue have matching decrypt state and geometry. + + BUG: KASAN: slab-use-after-free in tls_strp_check_rcv+0x898/0x9a0 [tls] + (net/tls/tls_strp.c:436 net/tls/tls_strp.c:530 net/tls/tls_strp.c:544) + Read of size 4 at addr ffff888013085750 by task tls/13529 + + CPU: 2 UID: 0 PID: 13529 Comm: tls Not tainted 6.16.0-rc5-virtme + Call Trace: + kasan_report+0xca/0x100 + tls_strp_check_rcv+0x898/0x9a0 [tls] + tls_rx_rec_wait+0x2c9/0x8d0 [tls] + tls_sw_recvmsg+0x40f/0x1aa0 [tls] + inet_recvmsg+0x1c3/0x1f0 + +Always reload the queue, fast path is to have the record in the queue +when we wake, anyway (IOW the path going down "if !strp->stm.full_len"). + +Fixes: 0d87bbd39d7f ("tls: strp: make sure the TCP skbs do not have overlapping data") +Link: https://patch.msgid.link/20250716143850.1520292-1-kuba@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/tls/tls_strp.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/tls/tls_strp.c b/net/tls/tls_strp.c +index 44d7f1aef9f12..b7ed76c0e576e 100644 +--- a/net/tls/tls_strp.c ++++ b/net/tls/tls_strp.c +@@ -512,9 +512,8 @@ static int tls_strp_read_sock(struct tls_strparser *strp) + if (inq < strp->stm.full_len) + return tls_strp_read_copy(strp, true); + ++ tls_strp_load_anchor_with_queue(strp, inq); + if (!strp->stm.full_len) { +- tls_strp_load_anchor_with_queue(strp, inq); +- + sz = tls_rx_msg_size(strp, strp->anchor); + if (sz < 0) { + tls_strp_abort_strp(strp, sz); +-- +2.39.5 + diff --git a/queue-6.1/usb-net-sierra-check-for-no-status-endpoint.patch b/queue-6.1/usb-net-sierra-check-for-no-status-endpoint.patch new file mode 100644 index 0000000000..9e64175695 --- /dev/null +++ b/queue-6.1/usb-net-sierra-check-for-no-status-endpoint.patch @@ -0,0 +1,44 @@ +From 6496d749510a2ef0b8b1dee293c0ea2da3632b6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Jul 2025 13:12:56 +0200 +Subject: usb: net: sierra: check for no status endpoint + +From: Oliver Neukum + +[ Upstream commit 4c4ca3c46167518f8534ed70f6e3b4bf86c4d158 ] + +The driver checks for having three endpoints and +having bulk in and out endpoints, but not that +the third endpoint is interrupt input. +Rectify the omission. + +Reported-by: syzbot+3f89ec3d1d0842e95d50@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/linux-usb/686d5a9f.050a0220.1ffab7.0017.GAE@google.com/ +Tested-by: syzbot+3f89ec3d1d0842e95d50@syzkaller.appspotmail.com +Fixes: eb4fd8cd355c8 ("net/usb: add sierra_net.c driver") +Signed-off-by: Oliver Neukum +Link: https://patch.msgid.link/20250714111326.258378-1-oneukum@suse.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/sierra_net.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/usb/sierra_net.c b/drivers/net/usb/sierra_net.c +index b3ae949e6f1c5..d067f09fc072b 100644 +--- a/drivers/net/usb/sierra_net.c ++++ b/drivers/net/usb/sierra_net.c +@@ -689,6 +689,10 @@ static int sierra_net_bind(struct usbnet *dev, struct usb_interface *intf) + status); + return -ENODEV; + } ++ if (!dev->status) { ++ dev_err(&dev->udev->dev, "No status endpoint found"); ++ return -ENODEV; ++ } + /* Initialize sierra private data */ + priv = kzalloc(sizeof *priv, GFP_KERNEL); + if (!priv) +-- +2.39.5 +