Fixes for 5.4
authorSasha Levin <sashal@kernel.org>
Fri, 25 Jul 2025 15:06:10 +0000 (11:06 -0400)
committerSasha Levin <sashal@kernel.org>
Fri, 25 Jul 2025 15:06:10 +0000 (11:06 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-5.4/net-appletalk-fix-kerneldoc-warnings.patch [new file with mode: 0644]
queue-5.4/net-appletalk-fix-use-after-free-in-aarp-proxy-probe.patch [new file with mode: 0644]
queue-5.4/net-sched-sch_qfq-avoid-triggering-might_sleep-in-at.patch [new file with mode: 0644]
queue-5.4/series

diff --git a/queue-5.4/net-appletalk-fix-kerneldoc-warnings.patch b/queue-5.4/net-appletalk-fix-kerneldoc-warnings.patch
new file mode 100644 (file)
index 0000000..4cd2cfe
--- /dev/null
@@ -0,0 +1,83 @@
+From c44da8fa2793405baf00c88284b664d7e9701b66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Oct 2020 01:55:27 +0100
+Subject: net: appletalk: fix kerneldoc warnings
+
+From: Andrew Lunn <andrew@lunn.ch>
+
+[ Upstream commit 709565ae14aa2670d6b480be46720856e804af41 ]
+
+net/appletalk/aarp.c:68: warning: Function parameter or member 'dev' not described in 'aarp_entry'
+net/appletalk/aarp.c:68: warning: Function parameter or member 'expires_at' not described in 'aarp_entry'
+net/appletalk/aarp.c:68: warning: Function parameter or member 'hwaddr' not described in 'aarp_entry'
+net/appletalk/aarp.c:68: warning: Function parameter or member 'last_sent' not described in 'aarp_entry'
+net/appletalk/aarp.c:68: warning: Function parameter or member 'next' not described in 'aarp_entry'
+net/appletalk/aarp.c:68: warning: Function parameter or member 'packet_queue' not described in 'aarp_entry'
+net/appletalk/aarp.c:68: warning: Function parameter or member 'status' not described in 'aarp_entry'
+net/appletalk/aarp.c:68: warning: Function parameter or member 'target_addr' not described in 'aarp_entry'
+net/appletalk/aarp.c:68: warning: Function parameter or member 'xmit_count' not described in 'aarp_entry'
+net/appletalk/ddp.c:1422: warning: Function parameter or member 'dev' not described in 'atalk_rcv'
+net/appletalk/ddp.c:1422: warning: Function parameter or member 'orig_dev' not described in 'atalk_rcv'
+net/appletalk/ddp.c:1422: warning: Function parameter or member 'pt' not described in 'atalk_rcv'
+net/appletalk/ddp.c:1422: warning: Function parameter or member 'skb' not described in 'atalk_rcv'
+
+Signed-off-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://lore.kernel.org/r/20201028005527.930388-1-andrew@lunn.ch
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 6c4a92d07b08 ("net: appletalk: Fix use-after-free in AARP proxy probe")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/appletalk/aarp.c | 18 +++++++++---------
+ net/appletalk/ddp.c  |  7 ++++---
+ 2 files changed, 13 insertions(+), 12 deletions(-)
+
+diff --git a/net/appletalk/aarp.c b/net/appletalk/aarp.c
+index 45f584171de79..be18af481d7d5 100644
+--- a/net/appletalk/aarp.c
++++ b/net/appletalk/aarp.c
+@@ -44,15 +44,15 @@ int sysctl_aarp_resolve_time = AARP_RESOLVE_TIME;
+ /* Lists of aarp entries */
+ /**
+  *    struct aarp_entry - AARP entry
+- *    @last_sent - Last time we xmitted the aarp request
+- *    @packet_queue - Queue of frames wait for resolution
+- *    @status - Used for proxy AARP
+- *    expires_at - Entry expiry time
+- *    target_addr - DDP Address
+- *    dev - Device to use
+- *    hwaddr - Physical i/f address of target/router
+- *    xmit_count - When this hits 10 we give up
+- *    next - Next entry in chain
++ *    @last_sent: Last time we xmitted the aarp request
++ *    @packet_queue: Queue of frames wait for resolution
++ *    @status: Used for proxy AARP
++ *    @expires_at: Entry expiry time
++ *    @target_addr: DDP Address
++ *    @dev:  Device to use
++ *    @hwaddr:  Physical i/f address of target/router
++ *    @xmit_count:  When this hits 10 we give up
++ *    @next: Next entry in chain
+  */
+ struct aarp_entry {
+       /* These first two are only used for unresolved entries */
+diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c
+index 46ca0f1354fde..01170c4e9c6dd 100644
+--- a/net/appletalk/ddp.c
++++ b/net/appletalk/ddp.c
+@@ -1400,9 +1400,10 @@ static int atalk_route_packet(struct sk_buff *skb, struct net_device *dev,
+ /**
+  *    atalk_rcv - Receive a packet (in skb) from device dev
+- *    @skb - packet received
+- *    @dev - network device where the packet comes from
+- *    @pt - packet type
++ *    @skb: packet received
++ *    @dev: network device where the packet comes from
++ *    @pt: packet type
++ *    @orig_dev: the original receive net device
+  *
+  *    Receive a packet (in skb) from device dev. This has come from the SNAP
+  *    decoder, and on entry skb->transport_header is the DDP header, skb->len
+-- 
+2.39.5
+
diff --git a/queue-5.4/net-appletalk-fix-use-after-free-in-aarp-proxy-probe.patch b/queue-5.4/net-appletalk-fix-use-after-free-in-aarp-proxy-probe.patch
new file mode 100644 (file)
index 0000000..b6af87f
--- /dev/null
@@ -0,0 +1,185 @@
+From d6872ea84713d3c5eea52e01e3ace4ea42615fc2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jul 2025 01:28:43 +0000
+Subject: net: appletalk: Fix use-after-free in AARP proxy probe
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kito Xu (veritas501) <hxzene@gmail.com>
+
+[ Upstream commit 6c4a92d07b0850342d3becf2e608f805e972467c ]
+
+The AARP proxy‐probe routine (aarp_proxy_probe_network) sends a probe,
+releases the aarp_lock, sleeps, then re-acquires the lock.  During that
+window an expire timer thread (__aarp_expire_timer) can remove and
+kfree() the same entry, leading to a use-after-free.
+
+race condition:
+
+         cpu 0                          |            cpu 1
+    atalk_sendmsg()                     |   atif_proxy_probe_device()
+    aarp_send_ddp()                     |   aarp_proxy_probe_network()
+    mod_timer()                         |   lock(aarp_lock) // LOCK!!
+    timeout around 200ms                |   alloc(aarp_entry)
+    and then call                       |   proxies[hash] = aarp_entry
+    aarp_expire_timeout()               |   aarp_send_probe()
+                                        |   unlock(aarp_lock) // UNLOCK!!
+    lock(aarp_lock) // LOCK!!           |   msleep(100);
+    __aarp_expire_timer(&proxies[ct])   |
+    free(aarp_entry)                    |
+    unlock(aarp_lock) // UNLOCK!!       |
+                                        |   lock(aarp_lock) // LOCK!!
+                                        |   UAF aarp_entry !!
+
+==================================================================
+BUG: KASAN: slab-use-after-free in aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493
+Read of size 4 at addr ffff8880123aa360 by task repro/13278
+
+CPU: 3 UID: 0 PID: 13278 Comm: repro Not tainted 6.15.2 #3 PREEMPT(full)
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:408 [inline]
+ print_report+0xc1/0x630 mm/kasan/report.c:521
+ kasan_report+0xca/0x100 mm/kasan/report.c:634
+ aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493
+ atif_proxy_probe_device net/appletalk/ddp.c:332 [inline]
+ atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857
+ atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818
+ sock_do_ioctl+0xdc/0x260 net/socket.c:1190
+ sock_ioctl+0x239/0x6a0 net/socket.c:1311
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:906 [inline]
+ __se_sys_ioctl fs/ioctl.c:892 [inline]
+ __x64_sys_ioctl+0x194/0x200 fs/ioctl.c:892
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xcb/0x250 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+ </TASK>
+
+Allocated:
+ aarp_alloc net/appletalk/aarp.c:382 [inline]
+ aarp_proxy_probe_network+0xd8/0x630 net/appletalk/aarp.c:468
+ atif_proxy_probe_device net/appletalk/ddp.c:332 [inline]
+ atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857
+ atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818
+
+Freed:
+ kfree+0x148/0x4d0 mm/slub.c:4841
+ __aarp_expire net/appletalk/aarp.c:90 [inline]
+ __aarp_expire_timer net/appletalk/aarp.c:261 [inline]
+ aarp_expire_timeout+0x480/0x6e0 net/appletalk/aarp.c:317
+
+The buggy address belongs to the object at ffff8880123aa300
+ which belongs to the cache kmalloc-192 of size 192
+The buggy address is located 96 bytes inside of
+ freed 192-byte region [ffff8880123aa300, ffff8880123aa3c0)
+
+Memory state around the buggy address:
+ ffff8880123aa200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff8880123aa280: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
+>ffff8880123aa300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+                                                       ^
+ ffff8880123aa380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+ ffff8880123aa400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+==================================================================
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kito Xu (veritas501) <hxzene@gmail.com>
+Link: https://patch.msgid.link/20250717012843.880423-1-hxzene@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/appletalk/aarp.c | 24 +++++++++++++++++++++---
+ 1 file changed, 21 insertions(+), 3 deletions(-)
+
+diff --git a/net/appletalk/aarp.c b/net/appletalk/aarp.c
+index be18af481d7d5..17d9cb380e7bd 100644
+--- a/net/appletalk/aarp.c
++++ b/net/appletalk/aarp.c
+@@ -35,6 +35,7 @@
+ #include <linux/seq_file.h>
+ #include <linux/export.h>
+ #include <linux/etherdevice.h>
++#include <linux/refcount.h>
+ int sysctl_aarp_expiry_time = AARP_EXPIRY_TIME;
+ int sysctl_aarp_tick_time = AARP_TICK_TIME;
+@@ -44,6 +45,7 @@ int sysctl_aarp_resolve_time = AARP_RESOLVE_TIME;
+ /* Lists of aarp entries */
+ /**
+  *    struct aarp_entry - AARP entry
++ *    @refcnt: Reference count
+  *    @last_sent: Last time we xmitted the aarp request
+  *    @packet_queue: Queue of frames wait for resolution
+  *    @status: Used for proxy AARP
+@@ -55,6 +57,7 @@ int sysctl_aarp_resolve_time = AARP_RESOLVE_TIME;
+  *    @next: Next entry in chain
+  */
+ struct aarp_entry {
++      refcount_t                      refcnt;
+       /* These first two are only used for unresolved entries */
+       unsigned long           last_sent;
+       struct sk_buff_head     packet_queue;
+@@ -79,6 +82,17 @@ static DEFINE_RWLOCK(aarp_lock);
+ /* Used to walk the list and purge/kick entries.  */
+ static struct timer_list aarp_timer;
++static inline void aarp_entry_get(struct aarp_entry *a)
++{
++      refcount_inc(&a->refcnt);
++}
++
++static inline void aarp_entry_put(struct aarp_entry *a)
++{
++      if (refcount_dec_and_test(&a->refcnt))
++              kfree(a);
++}
++
+ /*
+  *    Delete an aarp queue
+  *
+@@ -87,7 +101,7 @@ static struct timer_list aarp_timer;
+ static void __aarp_expire(struct aarp_entry *a)
+ {
+       skb_queue_purge(&a->packet_queue);
+-      kfree(a);
++      aarp_entry_put(a);
+ }
+ /*
+@@ -380,9 +394,11 @@ static void aarp_purge(void)
+ static struct aarp_entry *aarp_alloc(void)
+ {
+       struct aarp_entry *a = kmalloc(sizeof(*a), GFP_ATOMIC);
++      if (!a)
++              return NULL;
+-      if (a)
+-              skb_queue_head_init(&a->packet_queue);
++      refcount_set(&a->refcnt, 1);
++      skb_queue_head_init(&a->packet_queue);
+       return a;
+ }
+@@ -508,6 +524,7 @@ int aarp_proxy_probe_network(struct atalk_iface *atif, struct atalk_addr *sa)
+       entry->dev = atif->dev;
+       write_lock_bh(&aarp_lock);
++      aarp_entry_get(entry);
+       hash = sa->s_node % (AARP_HASH_SIZE - 1);
+       entry->next = proxies[hash];
+@@ -533,6 +550,7 @@ int aarp_proxy_probe_network(struct atalk_iface *atif, struct atalk_addr *sa)
+               retval = 1;
+       }
++      aarp_entry_put(entry);
+       write_unlock_bh(&aarp_lock);
+ out:
+       return retval;
+-- 
+2.39.5
+
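Review bot: The new reference keeps `entry` alive across the sleep window, but nothing tells aarp_proxy_probe_network() that __aarp_expire_timer() already unlinked and released the entry (the scenario in the race diagram above), so the else branch ending in `retval = 1` at the bottom of the hunk still reports success for an entry that is no longer in proxies[], and the caller believes the proxy address is registered when it is not. If the timer can fire inside the probe window as described (presumably because of how expires_at is initialised for this entry — confirm against the lines above the hunk), the function should detect the removal, for example by having __aarp_expire() flag the entry (`a->status |= ATIF_PROBE_FAIL;` before `aarp_entry_put(a)`) or by re-looking up `entry` in proxies[hash] under the lock before taking the success path. I would also put a one-line comment on `aarp_entry_get(entry);` saying that the reference set in aarp_alloc() belongs to the hash table and this extra one is dropped by the `aarp_entry_put(entry);` at the end, so the pairing is not mistaken for a leak. The loop that drops and re-takes aarp_lock around msleep() lies between the last two hunks and is not visible here.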
diff --git a/queue-5.4/net-sched-sch_qfq-avoid-triggering-might_sleep-in-at.patch b/queue-5.4/net-sched-sch_qfq-avoid-triggering-might_sleep-in-at.patch
new file mode 100644 (file)
index 0000000..9630bf6
--- /dev/null
@@ -0,0 +1,74 @@
+From f496387129e8e6016ad8ed35d4a9a4d157812392 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jul 2025 16:01:28 -0700
+Subject: net/sched: sch_qfq: Avoid triggering might_sleep in atomic context in
+ qfq_delete_class
+
+From: Xiang Mei <xmei5@asu.edu>
+
+[ Upstream commit cf074eca0065bc5142e6004ae236bb35a2687fdf ]
+
+might_sleep could be trigger in the atomic context in qfq_delete_class.
+
+qfq_destroy_class was moved into atomic context locked
+by sch_tree_lock to avoid a race condition bug on
+qfq_aggregate. However, might_sleep could be triggered by
+qfq_destroy_class, which introduced sleeping in atomic context (path:
+qfq_destroy_class->qdisc_put->__qdisc_destroy->lockdep_unregister_key
+->might_sleep).
+
+Considering the race is on the qfq_aggregate objects, keeping
+qfq_rm_from_agg in the lock but moving the left part out can solve
+this issue.
+
+Fixes: 5e28d5a3f774 ("net/sched: sch_qfq: Fix race condition on qfq_aggregate")
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Xiang Mei <xmei5@asu.edu>
+Link: https://patch.msgid.link/4a04e0cc-a64b-44e7-9213-2880ed641d77@sabinyo.mountain
+Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
+Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://patch.msgid.link/20250717230128.159766-1-xmei5@asu.edu
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_qfq.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
+index 2a4331a084949..be04fcfcc5852 100644
+--- a/net/sched/sch_qfq.c
++++ b/net/sched/sch_qfq.c
+@@ -534,9 +534,6 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
+ static void qfq_destroy_class(struct Qdisc *sch, struct qfq_class *cl)
+ {
+-      struct qfq_sched *q = qdisc_priv(sch);
+-
+-      qfq_rm_from_agg(q, cl);
+       gen_kill_estimator(&cl->rate_est);
+       qdisc_put(cl->qdisc);
+       kfree(cl);
+@@ -554,10 +551,11 @@ static int qfq_delete_class(struct Qdisc *sch, unsigned long arg)
+       qdisc_purge_queue(cl->qdisc);
+       qdisc_class_hash_remove(&q->clhash, &cl->common);
+-      qfq_destroy_class(sch, cl);
++      qfq_rm_from_agg(q, cl);
+       sch_tree_unlock(sch);
++      qfq_destroy_class(sch, cl);
+       return 0;
+ }
+@@ -1507,6 +1505,7 @@ static void qfq_destroy_qdisc(struct Qdisc *sch)
+       for (i = 0; i < q->clhash.hashsize; i++) {
+               hlist_for_each_entry_safe(cl, next, &q->clhash.hash[i],
+                                         common.hnode) {
++                      qfq_rm_from_agg(q, cl);
+                       qfq_destroy_class(sch, cl);
+               }
+       }
+-- 
+2.39.5
+
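Review bot: After this change qfq_destroy_class() silently relies on two preconditions the function itself no longer states: the class must already have been removed from its aggregate with qfq_rm_from_agg() under sch_tree_lock, and the call must happen with the tree lock dropped because qdisc_put() may sleep (the reason given in the commit message). I would add a comment above `static void qfq_destroy_class(struct Qdisc *sch, struct qfq_class *cl)` spelling out both requirements, since the removal of the `q` local leaves no hint of the old behaviour. Because the contract changed, every other caller of qfq_destroy_class() in the 5.4 sch_qfq.c that is not visible here (the hunks update only qfq_delete_class and qfq_destroy_qdisc) needs checking, as a caller still expecting the aggregate removal to happen inside would now kfree() a class that is still linked into its aggregate. The loop body in qfq_destroy_qdisc starts and ends outside the last hunk.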
index 9b5cb59fd494fdff9181af1252343941aade435a..9575cea9def9836b078c060918799eda48dfd443 100644 (file)
@@ -54,3 +54,6 @@ net_sched-sch_sfq-reject-invalid-perturb-period.patch
 usb-hub-fix-detection-of-high-tier-usb3-devices-behind-suspended-hubs.patch
 regulator-core-fix-null-dereference-on-unbind-due-to.patch
 rdma-core-rate-limit-gid-cache-warning-messages.patch
+net-appletalk-fix-kerneldoc-warnings.patch
+net-appletalk-fix-use-after-free-in-aarp-proxy-probe.patch
+net-sched-sch_qfq-avoid-triggering-might_sleep-in-at.patch