From: Sasha Levin Date: Sat, 24 May 2025 10:22:30 +0000 (-0400) Subject: Fixes for 5.15 X-Git-Tag: v6.12.31~73 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f9d30f51a88ed556ec1b196c2f668e62992de865;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.15 Signed-off-by: Sasha Levin --- diff --git a/queue-5.15/bluetooth-l2cap-fix-not-checking-l2cap_chan-security.patch b/queue-5.15/bluetooth-l2cap-fix-not-checking-l2cap_chan-security.patch new file mode 100644 index 0000000000..fe12f719d5 --- /dev/null +++ b/queue-5.15/bluetooth-l2cap-fix-not-checking-l2cap_chan-security.patch @@ -0,0 +1,92 @@ +From c85a917ca084e2d1bc10c16ab112090ec5403dad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 May 2025 15:00:30 -0400 +Subject: Bluetooth: L2CAP: Fix not checking l2cap_chan security level + +From: Luiz Augusto von Dentz + +[ Upstream commit 7af8479d9eb4319b4ba7b47a8c4d2c55af1c31e1 ] + +l2cap_check_enc_key_size shall check the security level of the +l2cap_chan rather than the hci_conn since for incoming connection +request that may be different as hci_conn may already been +encrypted using a different security level. + +Fixes: 522e9ed157e3 ("Bluetooth: l2cap: Check encryption key size on incoming connection") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_core.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index d34e161a30b37..872a0249f53c8 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -1537,7 +1537,8 @@ static void l2cap_request_info(struct l2cap_conn *conn) + sizeof(req), &req); + } + +-static bool l2cap_check_enc_key_size(struct hci_conn *hcon) ++static bool l2cap_check_enc_key_size(struct hci_conn *hcon, ++ struct l2cap_chan *chan) + { + /* The minimum encryption key size needs to be enforced by the + * host stack before establishing any L2CAP connections. The +@@ -1551,7 +1552,7 @@ static bool l2cap_check_enc_key_size(struct hci_conn *hcon) + int min_key_size = hcon->hdev->min_enc_key_size; + + /* On FIPS security level, key size must be 16 bytes */ +- if (hcon->sec_level == BT_SECURITY_FIPS) ++ if (chan->sec_level == BT_SECURITY_FIPS) + min_key_size = 16; + + return (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags) || +@@ -1579,7 +1580,7 @@ static void l2cap_do_start(struct l2cap_chan *chan) + !__l2cap_no_conn_pending(chan)) + return; + +- if (l2cap_check_enc_key_size(conn->hcon)) ++ if (l2cap_check_enc_key_size(conn->hcon, chan)) + l2cap_start_connection(chan); + else + __set_chan_timer(chan, L2CAP_DISC_TIMEOUT); +@@ -1661,7 +1662,7 @@ static void l2cap_conn_start(struct l2cap_conn *conn) + continue; + } + +- if (l2cap_check_enc_key_size(conn->hcon)) ++ if (l2cap_check_enc_key_size(conn->hcon, chan)) + l2cap_start_connection(chan); + else + l2cap_chan_close(chan, ECONNREFUSED); +@@ -4163,7 +4164,7 @@ static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn, + /* Check if the ACL is secure enough (if not SDP) */ + if (psm != cpu_to_le16(L2CAP_PSM_SDP) && + (!hci_conn_check_link_mode(conn->hcon) || +- !l2cap_check_enc_key_size(conn->hcon))) { ++ !l2cap_check_enc_key_size(conn->hcon, pchan))) { + conn->disc_reason = HCI_ERROR_AUTH_FAILURE; + result = L2CAP_CR_SEC_BLOCK; + goto response; +@@ -8373,7 +8374,7 @@ static void l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt) + } + + if (chan->state == BT_CONNECT) { +- if (!status && l2cap_check_enc_key_size(hcon)) ++ if (!status && l2cap_check_enc_key_size(hcon, chan)) + l2cap_start_connection(chan); + else + __set_chan_timer(chan, L2CAP_DISC_TIMEOUT); +@@ -8383,7 +8384,7 @@ static void l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt) + struct l2cap_conn_rsp rsp; + __u16 res, stat; + +- if (!status && l2cap_check_enc_key_size(hcon)) { ++ if (!status && l2cap_check_enc_key_size(hcon, chan)) { + if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) { + res = L2CAP_CR_PEND; + stat = L2CAP_CS_AUTHOR_PEND; +-- +2.39.5 + diff --git a/queue-5.15/bridge-netfilter-fix-forwarding-of-fragmented-packet.patch b/queue-5.15/bridge-netfilter-fix-forwarding-of-fragmented-packet.patch new file mode 100644 index 0000000000..ea556d3d06 --- /dev/null +++ b/queue-5.15/bridge-netfilter-fix-forwarding-of-fragmented-packet.patch @@ -0,0 +1,95 @@ +From 3fae3d38a9b23efbfdbbd8876afed78518f5aac9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 May 2025 11:48:48 +0300 +Subject: bridge: netfilter: Fix forwarding of fragmented packets + +From: Ido Schimmel + +[ Upstream commit 91b6dbced0ef1d680afdd69b14fc83d50ebafaf3 ] + +When netfilter defrag hooks are loaded (due to the presence of conntrack +rules, for example), fragmented packets entering the bridge will be +defragged by the bridge's pre-routing hook (br_nf_pre_routing() -> +ipv4_conntrack_defrag()). + +Later on, in the bridge's post-routing hook, the defragged packet will +be fragmented again. If the size of the largest fragment is larger than +what the kernel has determined as the destination MTU (using +ip_skb_dst_mtu()), the defragged packet will be dropped. + +Before commit ac6627a28dbf ("net: ipv4: Consolidate ipv4_mtu and +ip_dst_mtu_maybe_forward"), ip_skb_dst_mtu() would return dst_mtu() as +the destination MTU. Assuming the dst entry attached to the packet is +the bridge's fake rtable one, this would simply be the bridge's MTU (see +fake_mtu()). + +However, after above mentioned commit, ip_skb_dst_mtu() ends up +returning the route's MTU stored in the dst entry's metrics. Ideally, in +case the dst entry is the bridge's fake rtable one, this should be the +bridge's MTU as the bridge takes care of updating this metric when its +MTU changes (see br_change_mtu()). + +Unfortunately, the last operation is a no-op given the metrics attached +to the fake rtable entry are marked as read-only. Therefore, +ip_skb_dst_mtu() ends up returning 1500 (the initial MTU value) and +defragged packets are dropped during fragmentation when dealing with +large fragments and high MTU (e.g., 9k). + +Fix by moving the fake rtable entry's metrics to be per-bridge (in a +similar fashion to the fake rtable entry itself) and marking them as +writable, thereby allowing MTU changes to be reflected. + +Fixes: 62fa8a846d7d ("net: Implement read-only protection and COW'ing of metrics.") +Fixes: 33eb9873a283 ("bridge: initialize fake_rtable metrics") +Reported-by: Venkat Venkatsubra +Closes: https://lore.kernel.org/netdev/PH0PR10MB4504888284FF4CBA648197D0ACB82@PH0PR10MB4504.namprd10.prod.outlook.com/ +Tested-by: Venkat Venkatsubra +Signed-off-by: Ido Schimmel +Acked-by: Nikolay Aleksandrov +Link: https://patch.msgid.link/20250515084848.727706-1-idosch@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/bridge/br_nf_core.c | 7 ++----- + net/bridge/br_private.h | 1 + + 2 files changed, 3 insertions(+), 5 deletions(-) + +diff --git a/net/bridge/br_nf_core.c b/net/bridge/br_nf_core.c +index 8c69f0c95a8ed..b8c8deb87407d 100644 +--- a/net/bridge/br_nf_core.c ++++ b/net/bridge/br_nf_core.c +@@ -65,17 +65,14 @@ static struct dst_ops fake_dst_ops = { + * ipt_REJECT needs it. Future netfilter modules might + * require us to fill additional fields. + */ +-static const u32 br_dst_default_metrics[RTAX_MAX] = { +- [RTAX_MTU - 1] = 1500, +-}; +- + void br_netfilter_rtable_init(struct net_bridge *br) + { + struct rtable *rt = &br->fake_rtable; + + atomic_set(&rt->dst.__refcnt, 1); + rt->dst.dev = br->dev; +- dst_init_metrics(&rt->dst, br_dst_default_metrics, true); ++ dst_init_metrics(&rt->dst, br->metrics, false); ++ dst_metric_set(&rt->dst, RTAX_MTU, br->dev->mtu); + rt->dst.flags = DST_NOXFRM | DST_FAKE_RTABLE; + rt->dst.ops = &fake_dst_ops; + } +diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h +index fe61d3b8d0cc2..1718168bd927e 100644 +--- a/net/bridge/br_private.h ++++ b/net/bridge/br_private.h +@@ -466,6 +466,7 @@ struct net_bridge { + struct rtable fake_rtable; + struct rt6_info fake_rt6_info; + }; ++ u32 metrics[RTAX_MAX]; + #endif + u16 group_fwd_mask; + u16 group_fwd_mask_required; +-- +2.39.5 + diff --git a/queue-5.15/net-dwmac-sun8i-use-parsed-internal-phy-address-inst.patch b/queue-5.15/net-dwmac-sun8i-use-parsed-internal-phy-address-inst.patch new file mode 100644 index 0000000000..fdf8553cf5 --- /dev/null +++ b/queue-5.15/net-dwmac-sun8i-use-parsed-internal-phy-address-inst.patch @@ -0,0 +1,48 @@ +From b6608a2f0b97f39d72eaa4473bce6d776b356f53 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 May 2025 18:49:36 +0200 +Subject: net: dwmac-sun8i: Use parsed internal PHY address instead of 1 + +From: Paul Kocialkowski + +[ Upstream commit 47653e4243f2b0a26372e481ca098936b51ec3a8 ] + +While the MDIO address of the internal PHY on Allwinner sun8i chips is +generally 1, of_mdio_parse_addr is used to cleanly parse the address +from the device-tree instead of hardcoding it. + +A commit reworking the code ditched the parsed value and hardcoded the +value 1 instead, which didn't really break anything but is more fragile +and not future-proof. + +Restore the initial behavior using the parsed address returned from the +helper. + +Fixes: 634db83b8265 ("net: stmmac: dwmac-sun8i: Handle integrated/external MDIOs") +Signed-off-by: Paul Kocialkowski +Reviewed-by: Andrew Lunn +Acked-by: Corentin LABBE +Tested-by: Corentin LABBE +Link: https://patch.msgid.link/20250519164936.4172658-1-paulk@sys-base.io +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c +index fda53b4b9406f..b2ec44f84ff5b 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c +@@ -957,7 +957,7 @@ static int sun8i_dwmac_set_syscon(struct device *dev, + /* of_mdio_parse_addr returns a valid (0 ~ 31) PHY + * address. No need to mask it again. + */ +- reg |= 1 << H3_EPHY_ADDR_SHIFT; ++ reg |= ret << H3_EPHY_ADDR_SHIFT; + } else { + /* For SoCs without internal PHY the PHY selection bit should be + * set to 0 (external PHY). +-- +2.39.5 + diff --git a/queue-5.15/net-tipc-fix-slab-use-after-free-read-in-tipc_aead_e.patch b/queue-5.15/net-tipc-fix-slab-use-after-free-read-in-tipc_aead_e.patch new file mode 100644 index 0000000000..8ce7479157 --- /dev/null +++ b/queue-5.15/net-tipc-fix-slab-use-after-free-read-in-tipc_aead_e.patch @@ -0,0 +1,125 @@ +From c04218bc739162022457b5dbcfd821eb6f565f18 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 May 2025 18:14:04 +0800 +Subject: net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done + +From: Wang Liang + +[ Upstream commit e279024617134c94fd3e37470156534d5f2b3472 ] + +Syzbot reported a slab-use-after-free with the following call trace: + + ================================================================== + BUG: KASAN: slab-use-after-free in tipc_aead_encrypt_done+0x4bd/0x510 net/tipc/crypto.c:840 + Read of size 8 at addr ffff88807a733000 by task kworker/1:0/25 + + Call Trace: + kasan_report+0xd9/0x110 mm/kasan/report.c:601 + tipc_aead_encrypt_done+0x4bd/0x510 net/tipc/crypto.c:840 + crypto_request_complete include/crypto/algapi.h:266 + aead_request_complete include/crypto/internal/aead.h:85 + cryptd_aead_crypt+0x3b8/0x750 crypto/cryptd.c:772 + crypto_request_complete include/crypto/algapi.h:266 + cryptd_queue_worker+0x131/0x200 crypto/cryptd.c:181 + process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231 + + Allocated by task 8355: + kzalloc_noprof include/linux/slab.h:778 + tipc_crypto_start+0xcc/0x9e0 net/tipc/crypto.c:1466 + tipc_init_net+0x2dd/0x430 net/tipc/core.c:72 + ops_init+0xb9/0x650 net/core/net_namespace.c:139 + setup_net+0x435/0xb40 net/core/net_namespace.c:343 + copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 + create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110 + unshare_nsproxy_namespaces+0xc0/0x1f0 kernel/nsproxy.c:228 + ksys_unshare+0x419/0x970 kernel/fork.c:3323 + __do_sys_unshare kernel/fork.c:3394 + + Freed by task 63: + kfree+0x12a/0x3b0 mm/slub.c:4557 + tipc_crypto_stop+0x23c/0x500 net/tipc/crypto.c:1539 + tipc_exit_net+0x8c/0x110 net/tipc/core.c:119 + ops_exit_list+0xb0/0x180 net/core/net_namespace.c:173 + cleanup_net+0x5b7/0xbf0 net/core/net_namespace.c:640 + process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231 + +After freed the tipc_crypto tx by delete namespace, tipc_aead_encrypt_done +may still visit it in cryptd_queue_worker workqueue. + +I reproduce this issue by: + ip netns add ns1 + ip link add veth1 type veth peer name veth2 + ip link set veth1 netns ns1 + ip netns exec ns1 tipc bearer enable media eth dev veth1 + ip netns exec ns1 tipc node set key this_is_a_master_key master + ip netns exec ns1 tipc bearer disable media eth dev veth1 + ip netns del ns1 + +The key of reproduction is that, simd_aead_encrypt is interrupted, leading +to crypto_simd_usable() return false. Thus, the cryptd_queue_worker is +triggered, and the tipc_crypto tx will be visited. + + tipc_disc_timeout + tipc_bearer_xmit_skb + tipc_crypto_xmit + tipc_aead_encrypt + crypto_aead_encrypt + // encrypt() + simd_aead_encrypt + // crypto_simd_usable() is false + child = &ctx->cryptd_tfm->base; + + simd_aead_encrypt + crypto_aead_encrypt + // encrypt() + cryptd_aead_encrypt_enqueue + cryptd_aead_enqueue + cryptd_enqueue_request + // trigger cryptd_queue_worker + queue_work_on(smp_processor_id(), cryptd_wq, &cpu_queue->work) + +Fix this by holding net reference count before encrypt. + +Reported-by: syzbot+55c12726619ff85ce1f6@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=55c12726619ff85ce1f6 +Fixes: fc1b6d6de220 ("tipc: introduce TIPC encryption & authentication") +Signed-off-by: Wang Liang +Link: https://patch.msgid.link/20250520101404.1341730-1-wangliang74@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/tipc/crypto.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c +index b09c4a17b283e..35e0ffa1bd84b 100644 +--- a/net/tipc/crypto.c ++++ b/net/tipc/crypto.c +@@ -828,12 +828,16 @@ static int tipc_aead_encrypt(struct tipc_aead *aead, struct sk_buff *skb, + goto exit; + } + ++ /* Get net to avoid freed tipc_crypto when delete namespace */ ++ get_net(aead->crypto->net); ++ + /* Now, do encrypt */ + rc = crypto_aead_encrypt(req); + if (rc == -EINPROGRESS || rc == -EBUSY) + return rc; + + tipc_bearer_put(b); ++ put_net(aead->crypto->net); + + exit: + kfree(ctx); +@@ -871,6 +875,7 @@ static void tipc_aead_encrypt_done(struct crypto_async_request *base, int err) + kfree(tx_ctx); + tipc_bearer_put(b); + tipc_aead_put(aead); ++ put_net(net); + } + + /** +-- +2.39.5 + diff --git a/queue-5.15/octeontx2-af-set-lmt_ena-bit-for-apr-table-entries.patch b/queue-5.15/octeontx2-af-set-lmt_ena-bit-for-apr-table-entries.patch new file mode 100644 index 0000000000..7e4f438b51 --- /dev/null +++ b/queue-5.15/octeontx2-af-set-lmt_ena-bit-for-apr-table-entries.patch @@ -0,0 +1,76 @@ +From 5564ac9fc7889c85741ffd783306b2b5ed648455 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 May 2025 11:38:33 +0530 +Subject: octeontx2-af: Set LMT_ENA bit for APR table entries + +From: Subbaraya Sundeep + +[ Upstream commit 0eefa27b493306928d88af6368193b134c98fd64 ] + +This patch enables the LMT line for a PF/VF by setting the +LMT_ENA bit in the APR_LMT_MAP_ENTRY_S structure. + +Additionally, it simplifies the logic for calculating the +LMTST table index by consistently using the maximum +number of hw supported VFs (i.e., 256). + +Fixes: 873a1e3d207a ("octeontx2-af: cn10k: Setting up lmtst map table"). +Signed-off-by: Subbaraya Sundeep +Signed-off-by: Geetha sowjanya +Reviewed-by: Michal Swiatkowski +Link: https://patch.msgid.link/20250521060834.19780-2-gakula@marvell.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + .../net/ethernet/marvell/octeontx2/af/rvu_cn10k.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_cn10k.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_cn10k.c +index 25713287a288f..39870e419ccb0 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_cn10k.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_cn10k.c +@@ -15,13 +15,17 @@ + #define LMT_TBL_OP_WRITE 1 + #define LMT_MAP_TABLE_SIZE (128 * 1024) + #define LMT_MAPTBL_ENTRY_SIZE 16 ++#define LMT_MAX_VFS 256 ++ ++#define LMT_MAP_ENTRY_ENA BIT_ULL(20) ++#define LMT_MAP_ENTRY_LINES GENMASK_ULL(18, 16) + + /* Function to perform operations (read/write) on lmtst map table */ + static int lmtst_map_table_ops(struct rvu *rvu, u32 index, u64 *val, + int lmt_tbl_op) + { + void __iomem *lmt_map_base; +- u64 tbl_base; ++ u64 tbl_base, cfg; + + tbl_base = rvu_read64(rvu, BLKADDR_APR, APR_AF_LMT_MAP_BASE); + +@@ -35,6 +39,13 @@ static int lmtst_map_table_ops(struct rvu *rvu, u32 index, u64 *val, + *val = readq(lmt_map_base + index); + } else { + writeq((*val), (lmt_map_base + index)); ++ ++ cfg = FIELD_PREP(LMT_MAP_ENTRY_ENA, 0x1); ++ /* 2048 LMTLINES */ ++ cfg |= FIELD_PREP(LMT_MAP_ENTRY_LINES, 0x6); ++ ++ writeq(cfg, (lmt_map_base + (index + 8))); ++ + /* Flushing the AP interceptor cache to make APR_LMT_MAP_ENTRY_S + * changes effective. Write 1 for flush and read is being used as a + * barrier and sets up a data dependency. Write to 0 after a write +@@ -52,7 +63,7 @@ static int lmtst_map_table_ops(struct rvu *rvu, u32 index, u64 *val, + #define LMT_MAP_TBL_W1_OFF 8 + static u32 rvu_get_lmtst_tbl_index(struct rvu *rvu, u16 pcifunc) + { +- return ((rvu_get_pf(pcifunc) * rvu->hw->total_vfs) + ++ return ((rvu_get_pf(pcifunc) * LMT_MAX_VFS) + + (pcifunc & RVU_PFVF_FUNC_MASK)) * LMT_MAPTBL_ENTRY_SIZE; + } + +-- +2.39.5 + diff --git a/queue-5.15/remoteproc-qcom_wcnss-fix-on-platforms-without-fallb.patch b/queue-5.15/remoteproc-qcom_wcnss-fix-on-platforms-without-fallb.patch new file mode 100644 index 0000000000..ee219e6364 --- /dev/null +++ b/queue-5.15/remoteproc-qcom_wcnss-fix-on-platforms-without-fallb.patch @@ -0,0 +1,45 @@ +From cee244b75ad13dd56b3ba4c2822ea3be0c2a4969 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 May 2025 02:40:15 +0300 +Subject: remoteproc: qcom_wcnss: Fix on platforms without fallback regulators +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Matti Lehtimäki + +[ Upstream commit 4ca45af0a56d00b86285d6fdd720dca3215059a7 ] + +Recent change to handle platforms with only single power domain broke +pronto-v3 which requires power domains and doesn't have fallback voltage +regulators in case power domains are missing. Add a check to verify +the number of fallback voltage regulators before using the code which +handles single power domain situation. + +Fixes: 65991ea8a6d1 ("remoteproc: qcom_wcnss: Handle platforms with only single power domain") +Signed-off-by: Matti Lehtimäki +Tested-by: Luca Weiss # sdm632-fairphone-fp3 +Link: https://lore.kernel.org/r/20250511234026.94735-1-matti.lehtimaki@gmail.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/remoteproc/qcom_wcnss.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/remoteproc/qcom_wcnss.c b/drivers/remoteproc/qcom_wcnss.c +index 3e07f5621d0f2..90c09cde6e0fb 100644 +--- a/drivers/remoteproc/qcom_wcnss.c ++++ b/drivers/remoteproc/qcom_wcnss.c +@@ -446,7 +446,8 @@ static int wcnss_init_regulators(struct qcom_wcnss *wcnss, + if (wcnss->num_pds) { + info += wcnss->num_pds; + /* Handle single power domain case */ +- num_vregs += num_pd_vregs - wcnss->num_pds; ++ if (wcnss->num_pds < num_pd_vregs) ++ num_vregs += num_pd_vregs - wcnss->num_pds; + } else { + num_vregs += num_pd_vregs; + } +-- +2.39.5 + diff --git a/queue-5.15/sch_hfsc-fix-qlen-accounting-bug-when-using-peek-in-.patch b/queue-5.15/sch_hfsc-fix-qlen-accounting-bug-when-using-peek-in-.patch new file mode 100644 index 0000000000..0b6789ed30 --- /dev/null +++ b/queue-5.15/sch_hfsc-fix-qlen-accounting-bug-when-using-peek-in-.patch @@ -0,0 +1,62 @@ +From a84555b94a367661dda584cd7a5de95feb41315d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 May 2025 15:20:37 -0700 +Subject: sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() + +From: Cong Wang + +[ Upstream commit 3f981138109f63232a5fb7165938d4c945cc1b9d ] + +When enqueuing the first packet to an HFSC class, hfsc_enqueue() calls the +child qdisc's peek() operation before incrementing sch->q.qlen and +sch->qstats.backlog. If the child qdisc uses qdisc_peek_dequeued(), this may +trigger an immediate dequeue and potential packet drop. In such cases, +qdisc_tree_reduce_backlog() is called, but the HFSC qdisc's qlen and backlog +have not yet been updated, leading to inconsistent queue accounting. This +can leave an empty HFSC class in the active list, causing further +consequences like use-after-free. + +This patch fixes the bug by moving the increment of sch->q.qlen and +sch->qstats.backlog before the call to the child qdisc's peek() operation. +This ensures that queue length and backlog are always accurate when packet +drops or dequeues are triggered during the peek. + +Fixes: 12d0ad3be9c3 ("net/sched/sch_hfsc.c: handle corner cases where head may change invalidating calculated deadline") +Reported-by: Mingi Cho +Signed-off-by: Cong Wang +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250518222038.58538-2-xiyou.wangcong@gmail.com +Reviewed-by: Jamal Hadi Salim +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/sched/sch_hfsc.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/sched/sch_hfsc.c b/net/sched/sch_hfsc.c +index d6c5fc543f652..05ac7d55482b8 100644 +--- a/net/sched/sch_hfsc.c ++++ b/net/sched/sch_hfsc.c +@@ -1572,6 +1572,9 @@ hfsc_enqueue(struct sk_buff *skb, struct Qdisc *sch, struct sk_buff **to_free) + return err; + } + ++ sch->qstats.backlog += len; ++ sch->q.qlen++; ++ + if (first && !cl->cl_nactive) { + if (cl->cl_flags & HFSC_RSC) + init_ed(cl, len); +@@ -1587,9 +1590,6 @@ hfsc_enqueue(struct sk_buff *skb, struct Qdisc *sch, struct sk_buff **to_free) + + } + +- sch->qstats.backlog += len; +- sch->q.qlen++; +- + return NET_XMIT_SUCCESS; + } + +-- +2.39.5 + diff --git a/queue-5.15/series b/queue-5.15/series index afdec3a672..ef4d292c95 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -161,3 +161,11 @@ nvmet-tcp-don-t-restore-null-sk_state_change.patch btrfs-correct-the-order-of-prelim_ref-arguments-in-b.patch xenbus-allow-pvh-dom0-a-non-local-xenstore.patch __legitimize_mnt-check-for-mnt_sync_umount-should-be.patch +remoteproc-qcom_wcnss-fix-on-platforms-without-fallb.patch +xfrm-sanitize-marks-before-insert.patch +bluetooth-l2cap-fix-not-checking-l2cap_chan-security.patch +bridge-netfilter-fix-forwarding-of-fragmented-packet.patch +net-dwmac-sun8i-use-parsed-internal-phy-address-inst.patch +sch_hfsc-fix-qlen-accounting-bug-when-using-peek-in-.patch +net-tipc-fix-slab-use-after-free-read-in-tipc_aead_e.patch +octeontx2-af-set-lmt_ena-bit-for-apr-table-entries.patch diff --git a/queue-5.15/xfrm-sanitize-marks-before-insert.patch b/queue-5.15/xfrm-sanitize-marks-before-insert.patch new file mode 100644 index 0000000000..722cbef07c --- /dev/null +++ b/queue-5.15/xfrm-sanitize-marks-before-insert.patch @@ -0,0 +1,71 @@ +From 9a6af3f221ce2ac3373188a9159af45163a462c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 May 2025 13:31:58 +0200 +Subject: xfrm: Sanitize marks before insert + +From: Paul Chaignon + +[ Upstream commit 0b91fda3a1f044141e1e615456ff62508c32b202 ] + +Prior to this patch, the mark is sanitized (applying the state's mask to +the state's value) only on inserts when checking if a conflicting XFRM +state or policy exists. + +We discovered in Cilium that this same sanitization does not occur +in the hot-path __xfrm_state_lookup. In the hot-path, the sk_buff's mark +is simply compared to the state's value: + + if ((mark & x->mark.m) != x->mark.v) + continue; + +Therefore, users can define unsanitized marks (ex. 0xf42/0xf00) which will +never match any packet. + +This commit updates __xfrm_state_insert and xfrm_policy_insert to store +the sanitized marks, thus removing this footgun. + +This has the side effect of changing the ip output, as the +returned mark will have the mask applied to it when printed. + +Fixes: 3d6acfa7641f ("xfrm: SA lookups with mark") +Signed-off-by: Paul Chaignon +Signed-off-by: Louis DeLosSantos +Co-developed-by: Louis DeLosSantos +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_policy.c | 3 +++ + net/xfrm/xfrm_state.c | 3 +++ + 2 files changed, 6 insertions(+) + +diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c +index 55ef8e8329243..16958656b6d43 100644 +--- a/net/xfrm/xfrm_policy.c ++++ b/net/xfrm/xfrm_policy.c +@@ -1594,6 +1594,9 @@ int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl) + struct xfrm_policy *delpol; + struct hlist_head *chain; + ++ /* Sanitize mark before store */ ++ policy->mark.v &= policy->mark.m; ++ + spin_lock_bh(&net->xfrm.xfrm_policy_lock); + chain = policy_hash_bysel(net, &policy->selector, policy->family, dir); + if (chain) +diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c +index ff8159bae7bbf..c1bc5d780f640 100644 +--- a/net/xfrm/xfrm_state.c ++++ b/net/xfrm/xfrm_state.c +@@ -1277,6 +1277,9 @@ static void __xfrm_state_insert(struct xfrm_state *x) + + list_add(&x->km.all, &net->xfrm.state_all); + ++ /* Sanitize mark before store */ ++ x->mark.v &= x->mark.m; ++ + h = xfrm_dst_hash(net, &x->id.daddr, &x->props.saddr, + x->props.reqid, x->props.family); + hlist_add_head_rcu(&x->bydst, net->xfrm.state_bydst + h); +-- +2.39.5 +