--- /dev/null
+From stable+bounces-203406-greg=kroah.com@vger.kernel.org Thu Dec 25 16:53:56 2025
+From: skulkarni@mvista.com
+Date: Thu, 25 Dec 2025 21:22:37 +0530
+Subject: ipv4: Fix uninit-value access in __ip_make_skb()
+To: stable@vger.kernel.org
+Cc: Shigeru Yoshida <syoshida@redhat.com>, syzkaller <syzkaller@googlegroups.com>, Paolo Abeni <pabeni@redhat.com>, Shubham Kulkarni <skulkarni@mvista.com>
+Message-ID: <20251225155236.1881304-1-skulkarni@mvista.com>
+
+From: Shigeru Yoshida <syoshida@redhat.com>
+
+commit fc1092f51567277509563800a3c56732070b6aa4 upstream.
+
+KMSAN reported uninit-value access in __ip_make_skb() [1]. __ip_make_skb()
+tests HDRINCL to know if the skb has icmphdr. However, HDRINCL can cause a
+race condition. If calling setsockopt(2) with IP_HDRINCL changes HDRINCL
+while __ip_make_skb() is running, the function will access icmphdr in the
+skb even if it is not included. This causes the issue reported by KMSAN.
+
+Check FLOWI_FLAG_KNOWN_NH on fl4->flowi4_flags instead of testing HDRINCL
+on the socket.
+
+Also, fl4->fl4_icmp_type and fl4->fl4_icmp_code are not initialized. These
+are union in struct flowi4 and are implicitly initialized by
+flowi4_init_output(), but we should not rely on specific union layout.
+
+Initialize these explicitly in raw_sendmsg().
+
+[1]
+BUG: KMSAN: uninit-value in __ip_make_skb+0x2b74/0x2d20 net/ipv4/ip_output.c:1481
+ __ip_make_skb+0x2b74/0x2d20 net/ipv4/ip_output.c:1481
+ ip_finish_skb include/net/ip.h:243 [inline]
+ ip_push_pending_frames+0x4c/0x5c0 net/ipv4/ip_output.c:1508
+ raw_sendmsg+0x2381/0x2690 net/ipv4/raw.c:654
+ inet_sendmsg+0x27b/0x2a0 net/ipv4/af_inet.c:851
+ sock_sendmsg_nosec net/socket.c:730 [inline]
+ __sock_sendmsg+0x274/0x3c0 net/socket.c:745
+ __sys_sendto+0x62c/0x7b0 net/socket.c:2191
+ __do_sys_sendto net/socket.c:2203 [inline]
+ __se_sys_sendto net/socket.c:2199 [inline]
+ __x64_sys_sendto+0x130/0x200 net/socket.c:2199
+ do_syscall_64+0xd8/0x1f0 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x6d/0x75
+
+Uninit was created at:
+ slab_post_alloc_hook mm/slub.c:3804 [inline]
+ slab_alloc_node mm/slub.c:3845 [inline]
+ kmem_cache_alloc_node+0x5f6/0xc50 mm/slub.c:3888
+ kmalloc_reserve+0x13c/0x4a0 net/core/skbuff.c:577
+ __alloc_skb+0x35a/0x7c0 net/core/skbuff.c:668
+ alloc_skb include/linux/skbuff.h:1318 [inline]
+ __ip_append_data+0x49ab/0x68c0 net/ipv4/ip_output.c:1128
+ ip_append_data+0x1e7/0x260 net/ipv4/ip_output.c:1365
+ raw_sendmsg+0x22b1/0x2690 net/ipv4/raw.c:648
+ inet_sendmsg+0x27b/0x2a0 net/ipv4/af_inet.c:851
+ sock_sendmsg_nosec net/socket.c:730 [inline]
+ __sock_sendmsg+0x274/0x3c0 net/socket.c:745
+ __sys_sendto+0x62c/0x7b0 net/socket.c:2191
+ __do_sys_sendto net/socket.c:2203 [inline]
+ __se_sys_sendto net/socket.c:2199 [inline]
+ __x64_sys_sendto+0x130/0x200 net/socket.c:2199
+ do_syscall_64+0xd8/0x1f0 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x6d/0x75
+
+CPU: 1 PID: 15709 Comm: syz-executor.7 Not tainted 6.8.0-11567-gb3603fcb79b1 #25
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014
+
+Fixes: 99e5acae193e ("ipv4: Fix potential uninit variable access bug in __ip_make_skb()")
+Reported-by: syzkaller <syzkaller@googlegroups.com>
+Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
+Link: https://lore.kernel.org/r/20240430123945.2057348-1-syoshida@redhat.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+Referred stable v6.1.y version of the patch to generate this one
+ [ v6.1 link: https://github.com/gregkh/linux/commit/55bf541e018b76b3750cb6c6ea18c46e1ac5562e ]
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_output.c | 3 ++-
+ net/ipv4/raw.c | 3 +++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -1562,7 +1562,8 @@ struct sk_buff *__ip_make_skb(struct soc
+ * so icmphdr does not in skb linear region and can not get icmp_type
+ * by icmp_hdr(skb)->type.
+ */
+- if (sk->sk_type == SOCK_RAW && !inet_sk(sk)->hdrincl)
++ if (sk->sk_type == SOCK_RAW &&
++ !(fl4->flowi4_flags & FLOWI_FLAG_KNOWN_NH))
+ icmp_type = fl4->fl4_icmp_type;
+ else
+ icmp_type = icmp_hdr(skb)->type;
+--- a/net/ipv4/raw.c
++++ b/net/ipv4/raw.c
+@@ -634,6 +634,9 @@ static int raw_sendmsg(struct sock *sk,
+ (hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
+ daddr, saddr, 0, 0, sk->sk_uid);
+
++ fl4.fl4_icmp_type = 0;
++ fl4.fl4_icmp_code = 0;
++
+ if (!hdrincl) {
+ rfv.msg = msg;
+ rfv.hlen = 0;
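Review bot: In the ip_output.c hunk, the new test `!(fl4->flowi4_flags & FLOWI_FLAG_KNOWN_NH)` uses the flow flag as a stand-in for the local hdrincl value in raw_sendmsg() (the `(hdrincl ? FLOWI_FLAG_KNOWN_NH : 0)` context line in the raw.c hunk), but the comment kept above the test still only explains that icmphdr may not be in the skb linear region. Add a sentence there stating that the flag carries the per-call hdrincl decision, so that a concurrent setsockopt(2) with IP_HDRINCL cannot change which branch is taken. The two zeroing lines added in raw.c would also benefit from a one-line comment, since the message itself says flowi4_init_output() already covers these fields through the union layout and a later cleanup could remove them as redundant. Separately, the backport note under the first `---` does not name the stable branch this version targets, and the Signed-off-by line for Greg Kroah-Hartman appears twice.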
--- /dev/null
+From stable+bounces-203330-greg=kroah.com@vger.kernel.org Tue Dec 23 19:54:34 2025
+From: skulkarni@mvista.com
+Date: Wed, 24 Dec 2025 00:23:41 +0530
+Subject: ipv6: Fix potential uninit-value access in __ip6_make_skb()
+To: stable@vger.kernel.org
+Cc: Shigeru Yoshida <syoshida@redhat.com>, "David S . Miller" <davem@davemloft.net>, Shubham Kulkarni <skulkarni@mvista.com>
+Message-ID: <20251223185341.1850880-1-skulkarni@mvista.com>
+
+From: Shigeru Yoshida <syoshida@redhat.com>
+
+commit 4e13d3a9c25b7080f8a619f961e943fe08c2672c upstream.
+
+As it was done in commit fc1092f51567 ("ipv4: Fix uninit-value access in
+__ip_make_skb()") for IPv4, check FLOWI_FLAG_KNOWN_NH on fl6->flowi6_flags
+instead of testing HDRINCL on the socket to avoid a race condition which
+causes uninit-value access.
+
+Fixes: ea30388baebc ("ipv6: Fix an uninit variable access bug in __ip6_make_skb()")
+Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+Referred stable v6.1.y version of the patch to generate this one
+ [ v6.1 link: https://github.com/gregkh/linux/commit/a05c1ede50e9656f0752e523c7b54f3a3489e9a8 ]
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_output.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1928,7 +1928,8 @@ struct sk_buff *__ip6_make_skb(struct so
+ struct inet6_dev *idev = ip6_dst_idev(skb_dst(skb));
+ u8 icmp6_type;
+
+- if (sk->sk_socket->type == SOCK_RAW && !inet_sk(sk)->hdrincl)
++ if (sk->sk_socket->type == SOCK_RAW &&
++ !(fl6->flowi6_flags & FLOWI_FLAG_KNOWN_NH))
+ icmp6_type = fl6->fl6_icmp_type;
+ else
+ icmp6_type = icmp6_hdr(skb)->icmp6_type;
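Review bot: The changed condition in __ip6_make_skb() reads `fl6->flowi6_flags & FLOWI_FLAG_KNOWN_NH`, but this patch touches only ip6_output.c and shows nothing that sets the flag on fl6 for the header-included case. Before queuing, confirm that the raw IPv6 send path in the target tree sets FLOWI_FLAG_KNOWN_NH when hdrincl is in effect; if it does not, the test is always true for raw sockets and `fl6->fl6_icmp_type` is used even when the header is supplied by the caller. The IPv4 counterpart also initialized the icmp type and code fields explicitly, and the message should say why no equivalent is needed here. Minor: this test uses `sk->sk_socket->type` where the IPv4 hunk uses `sk->sk_type`; worth stating whether the difference is intentional.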
--- /dev/null
+From justinstitt@google.com Thu Jan 8 16:52:32 2026
+From: Justin Stitt <justinstitt@google.com>
+Date: Thu, 04 Dec 2025 12:44:48 -0800
+Subject: KVM: arm64: sys_regs: disable -Wuninitialized-const-pointer warning
+To: Marc Zyngier <maz@kernel.org>, Oliver Upton <oliver.upton@linux.dev>, Alexandru Elisei <alexandru.elisei@arm.com>, Joey Gouly <joey.gouly@arm.com>, Suzuki K Poulose <suzuki.poulose@arm.com>, Catalin Marinas <catalin.marinas@arm.com>, Zenghui Yu <yuzenghui@huawei.com>, Will Deacon <will@kernel.org>, Nathan Chancellor <nathan@kernel.org>, Christopher Covington <cov@codeaurora.org>
+Cc: linux-arm-kernel@lists.infradead.org, kvmarm@lists.cs.columbia.edu, linux-kernel@vger.kernel.org, llvm@lists.linux.dev, stable@vger.kernel.org, Justin Stitt <justinstitt@google.com>
+Message-ID: <20251204-b4-stable-disable-uninit-ptr-warn-5-15-v1-1-41212e2c6409@google.com>
+
+From: Justin Stitt <justinstitt@google.com>
+
+A new warning in Clang 22 [1] complains that @clidr passed to
+get_clidr_el1() is an uninitialized const pointer. get_clidr_el1()
+doesn't really care since it casts away the const-ness anyways -- it is
+a false positive.
+
+| ../arch/arm64/kvm/sys_regs.c:2838:23: warning: variable 'clidr' is uninitialized when passed as a const pointer argument here [-Wuninitialized-const-pointer]
+| 2838 | get_clidr_el1(NULL, &clidr); /* Ugly... */
+| | ^~~~~
+
+This patch isn't needed for anything past 6.1 as this code section was
+reworked in Commit 7af0c2534f4c ("KVM: arm64: Normalize cache
+configuration"). Since there is no upstream equivalent, this patch just
+needs to be applied to 5.15.
+
+Disable this warning for sys_regs.o with an iron fist as it doesn't make
+sense to waste maintainer's time or potentially break builds by
+backporting large changelists from 6.2+.
+
+Cc: stable@vger.kernel.org
+Fixes: 7c8c5e6a9101e ("arm64: KVM: system register handling")
+Link: https://github.com/llvm/llvm-project/commit/00dacf8c22f065cb52efb14cd091d441f19b319e [1]
+Reviewed-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Justin Stitt <justinstitt@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kvm/Makefile | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/arm64/kvm/Makefile
++++ b/arch/arm64/kvm/Makefile
+@@ -25,3 +25,6 @@ kvm-y := $(KVM)/kvm_main.o $(KVM)/coales
+ vgic/vgic-its.o vgic/vgic-debug.o
+
+ kvm-$(CONFIG_HW_PERF_EVENTS) += pmu-emul.o
++
++# Work around a false positive Clang 22 -Wuninitialized-const-pointer warning
++CFLAGS_sys_regs.o := $(call cc-disable-warning, uninitialized-const-pointer)
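Review bot: The added `CFLAGS_sys_regs.o := $(call cc-disable-warning, uninitialized-const-pointer)` line silences the warning for every function in sys_regs.c, not only the `get_clidr_el1(NULL, &clidr)` call quoted in the message, so a genuine uninitialized const-pointer use elsewhere in that file would go unreported under Clang 22. Consider whether initializing clidr at the call site is acceptable for 5.15 instead. If the Makefile approach stays, `+=` is safer than `:=` in case another CFLAGS_sys_regs.o assignment exists in this Makefile. The message also says the patch is not needed past 6.1 but asks only for 5.15, which leaves it unclear whether 6.1 itself is affected.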
--- /dev/null
+From caojiaqiang@huawei.com Mon Jan 5 11:39:21 2026
+From: Cao Jiaqiang <caojiaqiang@huawei.com>
+Date: Mon, 5 Jan 2026 18:52:51 +0800
+Subject: selftests: net: test_vxlan_under_vrf: fix HV connectivity test
+To: <gregkh@linuxfoundation.org>, <davem@davemloft.net>, <kuba@kernel.org>, <shuah@kernel.org>
+Cc: <stable@vger.kernel.org>, <netdev@vger.kernel.org>, <linux-kselftest@vger.kernel.org>, <linux-kernel@vger.kernel.org>, <dsahern@kernel.org>, <vincent.wang@huawei.com>, <liujian56@huawei.com>, <yi.zhang@huawei.com>, <caojiaqiang@huawei.com>
+Message-ID: <20260105105251.33854-1-caojiaqiang@huawei.com>
+
+From: Andrea Righi <andrea.righi@canonical.com>
+
+[ Upstream commit e7e4785fa30f9b5d1b60ed2d8e221891325dfc5f ]
+
+It looks like test_vxlan_under_vrf.sh is always failing to verify the
+connectivity test during the ping between the two simulated VMs.
+
+This is due to the fact that veth-hv in each VM should have a distinct
+MAC address.
+
+Fix by setting a unique MAC address on each simulated VM interface.
+
+Without this fix:
+
+ $ sudo ./tools/testing/selftests/net/test_vxlan_under_vrf.sh
+ Checking HV connectivity [ OK ]
+ Check VM connectivity through VXLAN (underlay in the default VRF) [FAIL]
+
+With this fix applied:
+
+ $ sudo ./tools/testing/selftests/net/test_vxlan_under_vrf.sh
+ Checking HV connectivity [ OK ]
+ Check VM connectivity through VXLAN (underlay in the default VRF) [ OK ]
+ Check VM connectivity through VXLAN (underlay in a VRF) [FAIL]
+
+NOTE: the connectivity test with the underlay VRF is still failing; it
+seems that ARP requests are blocked at the simulated hypervisor level,
+probably due to some missing ARP forwarding rules. This requires more
+investigation (in the meantime we may consider to set that test as
+expected failure - XFAIL).
+
+Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Cao Jiaqiang <caojiaqiang@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/test_vxlan_under_vrf.sh | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/tools/testing/selftests/net/test_vxlan_under_vrf.sh
++++ b/tools/testing/selftests/net/test_vxlan_under_vrf.sh
+@@ -101,6 +101,8 @@ setup-vm() {
+ ip -netns hv-$id link set veth-tap master br0
+ ip -netns hv-$id link set veth-tap up
+
++ ip link set veth-hv address 02:1d:8d:dd:0c:6$id
++
+ ip link set veth-hv netns vm-$id
+ ip -netns vm-$id addr add 10.0.0.$id/24 dev veth-hv
+ ip -netns vm-$id link set veth-hv up
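Review bot: On the added `ip link set veth-hv address 02:1d:8d:dd:0c:6$id` line, the last octet is built by appending $id to the digit 6, which yields a valid MAC only while $id is a single hex digit; a two-digit id would produce a three-character octet and the command would fail. Formatting the octet explicitly, for example `$(printf '02:1d:8d:dd:0c:%02x' "$id")`, keeps the address valid and unique for any id the script may use, and a short comment explaining why veth-hv needs a distinct MAC per VM would help. Also, the subject says "fix HV connectivity test" while the quoted output shows the HV check passing both before and after; the result that changes is the VM connectivity check through VXLAN, so the subject is misleading for anyone searching the stable log.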
hid-core-harden-s32ton-against-conversion-to-0-bits.patch
mm-mprotect-use-long-for-page-accountings-and-retval.patch
mm-mprotect-delete-pmd_none_or_clear_bad_unless_trans_huge.patch
+kvm-arm64-sys_regs-disable-wuninitialized-const-pointer-warning.patch
+ipv6-fix-potential-uninit-value-access-in-__ip6_make_skb.patch
+ipv4-fix-uninit-value-access-in-__ip_make_skb.patch
+selftests-net-test_vxlan_under_vrf-fix-hv-connectivity-test.patch
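Review bot: The series file queues ipv6-fix-potential-uninit-value-access-in-__ip6_make_skb.patch before ipv4-fix-uninit-value-access-in-__ip_make_skb.patch, although the IPv6 commit message describes itself as following the IPv4 commit ("As it was done in commit fc1092f51567"). The two patches touch different files, so they apply in either order, but placing the IPv4 patch first keeps the queue consistent with the dependency stated in the changelog and makes the history easier to follow when bisecting.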