From: Greg Kroah-Hartman Date: Sun, 24 Aug 2025 09:12:29 +0000 (+0200) Subject: 6.6-stable patches X-Git-Tag: v5.4.297~24 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f20cede5519bbcf025762f8000e6c0da82db5f57;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: powerpc-boot-fix-build-with-gcc-15.patch tls-fix-handling-of-zero-length-records-on-the-rx_list.patch
---
diff --git a/queue-6.6/powerpc-boot-fix-build-with-gcc-15.patch b/queue-6.6/powerpc-boot-fix-build-with-gcc-15.patch
new file mode 100644
index 0000000000..eb6bed3c83
--- /dev/null
+++ b/queue-6.6/powerpc-boot-fix-build-with-gcc-15.patch
@@ -0,0 +1,35 @@
+From 5a821e2d69e26b51b7f3740b6b0c3462b8cacaff Mon Sep 17 00:00:00 2001
+From: Michal Suchanek
+Date: Mon, 31 Mar 2025 12:57:19 +0200
+Subject: powerpc/boot: Fix build with gcc 15
+
+From: Michal Suchanek
+
+commit 5a821e2d69e26b51b7f3740b6b0c3462b8cacaff upstream.
+
+Similar to x86 the ppc boot code does not build with GCC 15.
+
+Copy the fix from
+commit ee2ab467bddf ("x86/boot: Use '-std=gnu11' to fix build with GCC 15")
+
+Signed-off-by: Michal Suchanek
+Tested-by: Amit Machhiwal
+Tested-by: Venkat Rao Bagalkote
+Signed-off-by: Madhavan Srinivasan
+Link: https://patch.msgid.link/20250331105722.19709-1-msuchanek@suse.de
+Cc: Christophe Leroy
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/boot/Makefile | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/powerpc/boot/Makefile
++++ b/arch/powerpc/boot/Makefile
+@@ -72,6 +72,7 @@ BOOTCPPFLAGS := -nostdinc $(LINUXINCLUDE
+ BOOTCPPFLAGS += -isystem $(shell $(BOOTCC) -print-file-name=include)
+
+ BOOTCFLAGS := $(BOOTTARGETFLAGS) \
++ -std=gnu11 \
+ -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \
+ -fno-strict-aliasing -O2 \
+ -msoft-float -mno-altivec -mno-vsx \
diff --git a/queue-6.6/series b/queue-6.6/series
index 44a39ebec4..3fb55b66a1 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -531,3 +531,5 @@ usb-dwc3-pci-add-support-for-the-intel-wildcat-lake.patch
 drm-amd-display-don-t-overclock-dce-6-by-15.patch
 compiler-remove-__addressable_asm-_str-again.patch
 mmc-sdhci-pci-gli-gl9763e-mask-the-replay-timer-timeout-of-aer.patch
+powerpc-boot-fix-build-with-gcc-15.patch
+tls-fix-handling-of-zero-length-records-on-the-rx_list.patch
diff --git a/queue-6.6/tls-fix-handling-of-zero-length-records-on-the-rx_list.patch b/queue-6.6/tls-fix-handling-of-zero-length-records-on-the-rx_list.patch
new file mode 100644
index 0000000000..c183f6ef31
--- /dev/null
+++ b/queue-6.6/tls-fix-handling-of-zero-length-records-on-the-rx_list.patch
@@ -0,0 +1,65 @@
+From 62708b9452f8eb77513115b17c4f8d1a22ebf843 Mon Sep 17 00:00:00 2001
+From: Jakub Kicinski
+Date: Tue, 19 Aug 2025 19:19:51 -0700
+Subject: tls: fix handling of zero-length records on the rx_list
+
+From: Jakub Kicinski
+
+commit 62708b9452f8eb77513115b17c4f8d1a22ebf843 upstream.
+
+Each recvmsg() call must process either
+ - only contiguous DATA records (any number of them)
+ - one non-DATA record
+
+If the next record has different type than what has already been
+processed we break out of the main processing loop. If the record
+has already been decrypted (which may be the case for TLS 1.3 where
+we don't know type until decryption) we queue the pending record
+to the rx_list. Next recvmsg() will pick it up from there.
+
+Queuing the skb to rx_list after zero-copy decrypt is not possible,
+since in that case we decrypted directly to the user space buffer,
+and we don't have an skb to queue (darg.skb points to the ciphertext
+skb for access to metadata like length).
+
+Only data records are allowed zero-copy, and we break the processing
+loop after each non-data record. So we should never zero-copy and
+then find out that the record type has changed. The corner case
+we missed is when the initial record comes from rx_list, and it's
+zero length.
+
+Reported-by: Muhammad Alifa Ramdhan
+Reported-by: Billy Jheng Bing-Jhong
+Fixes: 84c61fe1a75b ("tls: rx: do not use the standard strparser")
+Reviewed-by: Sabrina Dubroca
+Link: https://patch.msgid.link/20250820021952.143068-1-kuba@kernel.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/tls/tls_sw.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -1774,6 +1774,9 @@ int decrypt_skb(struct sock *sk, struct
+ return tls_decrypt_sg(sk, NULL, sgout, &darg);
+ }
+
++/* All records returned from a recvmsg() call must have the same type.
++ * 0 is not a valid content type. Use it as "no type reported, yet".
++ */
+ static int tls_record_content_type(struct msghdr *msg, struct tls_msg *tlm,
+ u8 *control)
+ {
+@@ -2017,8 +2020,10 @@ int tls_sw_recvmsg(struct sock *sk,
+ if (err < 0)
+ goto end;
+
++ /* process_rx_list() will set @control if it processed any records */
+ copied = err;
+- if (len <= copied || (copied && control != TLS_RECORD_TYPE_DATA) || rx_more)
++ if (len <= copied || rx_more ||
++ (control && control != TLS_RECORD_TYPE_DATA))
+ goto end;
+
+ target = sock_rcvlowat(sk, flags & MSG_WAITALL, len);
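Review bot: The rewritten guard in tls_sw_recvmsg(), `(control && control != TLS_RECORD_TYPE_DATA)`, is only correct if `control` is still 0 when process_rx_list() returns without having handled a record, and that initialisation lies outside both inner hunks (the function body starts and ends outside them). When applying this to the 6.6 tree, confirm the declaration zero-initialises `control`, and consider stating the invariant at that declaration, e.g. `/* 0 = no record type reported yet, see tls_record_content_type() */`. Record length and type come from the peer, so this branch is reached on untrusted input. The queue adds only the fix; a regression test covering the zero-length-record-from-rx_list case described in the commit message would be worth carrying alongside it if one exists upstream.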