From: Greg Kroah-Hartman Date: Fri, 21 Nov 2025 10:45:00 +0000 (+0100) Subject: 6.6-stable patches X-Git-Tag: v6.6.117~8 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=aaa65132399087f7cffe36401a0b213280327718;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: net-netpoll-ensure-skb_pool-list-is-always-initialized.patch
---
diff --git a/queue-6.6/net-netpoll-ensure-skb_pool-list-is-always-initialized.patch b/queue-6.6/net-netpoll-ensure-skb_pool-list-is-always-initialized.patch
new file mode 100644
index 0000000000..dfe587f035
--- /dev/null
+++ b/queue-6.6/net-netpoll-ensure-skb_pool-list-is-always-initialized.patch
@@ -0,0 +1,91 @@
+From f0d0277796db613c124206544b6dbe95b520ab6c Mon Sep 17 00:00:00 2001
+From: John Sperbeck
+Date: Mon, 13 Jan 2025 17:13:54 -0800
+Subject: net: netpoll: ensure skb_pool list is always initialized
+
+From: John Sperbeck
+
+commit f0d0277796db613c124206544b6dbe95b520ab6c upstream.
+
+When __netpoll_setup() is called directly, instead of through
+netpoll_setup(), the np->skb_pool list head isn't initialized.
+If skb_pool_flush() is later called, then we hit a NULL pointer
+in skb_queue_purge_reason(). This can be seen with this repro,
+when CONFIG_NETCONSOLE is enabled as a module:
+
+ ip tuntap add mode tap tap0
+ ip link add name br0 type bridge
+ ip link set dev tap0 master br0
+ modprobe netconsole netconsole=4444@10.0.0.1/br0,9353@10.0.0.2/
+ rmmod netconsole
+
+The backtrace is:
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000008
+ #PF: supervisor write access in kernel mode
+ #PF: error_code(0x0002) - not-present page
+ ... ... ...
+ Call Trace:
+
+ __netpoll_free+0xa5/0xf0
+ br_netpoll_cleanup+0x43/0x50 [bridge]
+ do_netpoll_cleanup+0x43/0xc0
+ netconsole_netdev_event+0x1e3/0x300 [netconsole]
+ unregister_netdevice_notifier+0xd9/0x150
+ cleanup_module+0x45/0x920 [netconsole]
+ __se_sys_delete_module+0x205/0x290
+ do_syscall_64+0x70/0x150
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+Move the skb_pool list setup and initial skb fill into __netpoll_setup().
+
+Fixes: 221a9c1df790 ("net: netpoll: Individualize the skb pool")
+Signed-off-by: John Sperbeck
+Reviewed-by: Breno Leitao
+Link: https://patch.msgid.link/20250114011354.2096812-1-jsperbeck@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/netpoll.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/net/core/netpoll.c
++++ b/net/core/netpoll.c
+@@ -634,6 +634,8 @@ int __netpoll_setup(struct netpoll *np,
+ const struct net_device_ops *ops;
+ int err;
+
++ skb_queue_head_init(&np->skb_pool);
++
+ if (ndev->priv_flags & IFF_DISABLE_NETPOLL) {
+ np_err(np, "%s doesn't support polling, aborting\n",
+ ndev->name);
+@@ -669,6 +671,9 @@ int __netpoll_setup(struct netpoll *np,
+ strscpy(np->dev_name, ndev->name, IFNAMSIZ);
+ npinfo->netpoll = np;
+
++ /* fill up the skb queue */
++ refill_skbs(np);
++
+ /* last thing to do is link it to the net device structure */
+ rcu_assign_pointer(ndev->npinfo, npinfo);
+
+@@ -688,8 +693,6 @@ int netpoll_setup(struct netpoll *np)
+ struct in_device *in_dev;
+ int err;
+
+- skb_queue_head_init(&np->skb_pool);
+-
+ rtnl_lock();
+ if (np->dev_name[0]) {
+ struct net *net = current->nsproxy->net_ns;
+@@ -789,9 +792,6 @@ put_noaddr:
+ }
+ }
+
+- /* fill up the skb queue */
+- refill_skbs(np);
+-
+ err = __netpoll_setup(np, ndev);
+ if (err)
+ goto flush;
diff --git a/queue-6.6/series b/queue-6.6/series
index 62952d9e77..9f8c272346 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -520,3 +520,4 @@ mm-memory-do-not-populate-page-table-entries-beyond-i_size.patch
 mm-truncate-unmap-large-folio-on-split-failure.patch
 mm-secretmem-fix-use-after-free-race-in-fault-handler.patch
 isdn-misdn-hfcsusb-fix-memory-leak-in-hfcsusb_probe.patch
+net-netpoll-ensure-skb_pool-list-is-always-initialized.patch
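Review bot: The `skb_queue_head_init(&np->skb_pool);` added at the top of `__netpoll_setup()` in the first netpoll.c hunk has no comment recording that it must stay ahead of every early return; the `IFF_DISABLE_NETPOLL` abort sits directly below it, and the last hunk shows `netpoll_setup()` taking `goto flush` when `__netpoll_setup()` fails. I would add `/* must precede all error returns: np->skb_pool may be flushed on failure, and direct callers never run netpoll_setup() */` so a later reordering does not bring back the NULL dereference described in the commit message. What the `flush` label does lies outside the hunk, so that half of the comment is inferred from its name and from the `skb_pool_flush()` mention in the description. `__netpoll_setup()` and `netpoll_setup()` both start and end outside the hunks shown.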