From: Sasha Levin Date: Mon, 21 Jul 2025 12:47:50 +0000 (-0400) Subject: Fixes for 5.10 X-Git-Tag: v6.1.147~53 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4811ab1d59c62233767397615d7d9954052f6e85;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/bluetooth-fix-null-ptr-deref-in-l2cap_sock_resume_cb.patch b/queue-5.10/bluetooth-fix-null-ptr-deref-in-l2cap_sock_resume_cb.patch new file mode 100644 index 0000000000..010399e447 --- /dev/null +++ b/queue-5.10/bluetooth-fix-null-ptr-deref-in-l2cap_sock_resume_cb.patch @@ -0,0 +1,80 @@ +From ae6dcda54da3bcf75312edfd4fe010f13287eb93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Jul 2025 19:28:29 +0000 +Subject: Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb() + +From: Kuniyuki Iwashima + +[ Upstream commit a0075accbf0d76c2dad1ad3993d2e944505d99a0 ] + +syzbot reported null-ptr-deref in l2cap_sock_resume_cb(). [0] + +l2cap_sock_resume_cb() has a similar problem that was fixed by commit +1bff51ea59a9 ("Bluetooth: fix use-after-free error in lock_sock_nested()"). + +Since both l2cap_sock_kill() and l2cap_sock_resume_cb() are executed +under l2cap_sock_resume_cb(), we can avoid the issue simply by checking +if chan->data is NULL. + +Let's not access to the killed socket in l2cap_sock_resume_cb(). + +[0]: +BUG: KASAN: null-ptr-deref in instrument_atomic_write include/linux/instrumented.h:82 [inline] +BUG: KASAN: null-ptr-deref in clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline] +BUG: KASAN: null-ptr-deref in l2cap_sock_resume_cb+0xb4/0x17c net/bluetooth/l2cap_sock.c:1711 +Write of size 8 at addr 0000000000000570 by task kworker/u9:0/52 + +CPU: 1 UID: 0 PID: 52 Comm: kworker/u9:0 Not tainted 6.16.0-rc4-syzkaller-g7482bb149b9f #0 PREEMPT +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 +Workqueue: hci0 hci_rx_work +Call trace: + show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:501 (C) + __dump_stack+0x30/0x40 lib/dump_stack.c:94 + dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120 + print_report+0x58/0x84 mm/kasan/report.c:524 + kasan_report+0xb0/0x110 mm/kasan/report.c:634 + check_region_inline mm/kasan/generic.c:-1 [inline] + kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189 + __kasan_check_write+0x20/0x30 mm/kasan/shadow.c:37 + instrument_atomic_write include/linux/instrumented.h:82 [inline] + clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline] + l2cap_sock_resume_cb+0xb4/0x17c net/bluetooth/l2cap_sock.c:1711 + l2cap_security_cfm+0x524/0xea0 net/bluetooth/l2cap_core.c:7357 + hci_auth_cfm include/net/bluetooth/hci_core.h:2092 [inline] + hci_auth_complete_evt+0x2e8/0xa4c net/bluetooth/hci_event.c:3514 + hci_event_func net/bluetooth/hci_event.c:7511 [inline] + hci_event_packet+0x650/0xe9c net/bluetooth/hci_event.c:7565 + hci_rx_work+0x320/0xb18 net/bluetooth/hci_core.c:4070 + process_one_work+0x7e8/0x155c kernel/workqueue.c:3238 + process_scheduled_works kernel/workqueue.c:3321 [inline] + worker_thread+0x958/0xed8 kernel/workqueue.c:3402 + kthread+0x5fc/0x75c kernel/kthread.c:464 + ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:847 + +Fixes: d97c899bde33 ("Bluetooth: Introduce L2CAP channel callback for resuming") +Reported-by: syzbot+e4d73b165c3892852d22@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/686c12bd.a70a0220.29fe6c.0b13.GAE@google.com/ +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_sock.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c +index 49564c61ad4a1..7d7f4ba60a208 100644 +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -1666,6 +1666,9 @@ static void l2cap_sock_resume_cb(struct l2cap_chan *chan) + { + struct sock *sk = chan->data; + ++ if (!sk) ++ return; ++ + if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) { + sk->sk_state = BT_CONNECTED; + chan->state = BT_CONNECTED; +-- +2.39.5 + diff --git a/queue-5.10/bluetooth-l2cap-fix-attempting-to-adjust-outgoing-mt.patch b/queue-5.10/bluetooth-l2cap-fix-attempting-to-adjust-outgoing-mt.patch new file mode 100644 index 0000000000..b15af65a9a --- /dev/null +++ b/queue-5.10/bluetooth-l2cap-fix-attempting-to-adjust-outgoing-mt.patch @@ -0,0 +1,79 @@ +From e7e4aab9545c4e4d1086c7469eeead505284a519 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jul 2025 09:40:49 -0400 +Subject: Bluetooth: L2CAP: Fix attempting to adjust outgoing MTU +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Luiz Augusto von Dentz + +[ Upstream commit d24e4a7fedae121d33fb32ad785b87046527eedb ] + +Configuration request only configure the incoming direction of the peer +initiating the request, so using the MTU is the other direction shall +not be used, that said the spec allows the peer responding to adjust: + +Bluetooth Core 6.1, Vol 3, Part A, Section 4.5 + + 'Each configuration parameter value (if any is present) in an + L2CAP_CONFIGURATION_RSP packet reflects an ‘adjustment’ to a + configuration parameter value that has been sent (or, in case of + default values, implied) in the corresponding + L2CAP_CONFIGURATION_REQ packet.' + +That said adjusting the MTU in the response shall be limited to ERTM +channels only as for older modes the remote stack may not be able to +detect the adjustment causing it to silently drop packets. + +Link: https://github.com/bluez/bluez/issues/1422 +Link: https://gitlab.archlinux.org/archlinux/packaging/packages/linux/-/issues/149 +Link: https://gitlab.freedesktop.org/pipewire/pipewire/-/issues/4793 +Fixes: 042bb9603c44 ("Bluetooth: L2CAP: Fix L2CAP MTU negotiation") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_core.c | 26 +++++++++++++++++++++----- + 1 file changed, 21 insertions(+), 5 deletions(-) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 8c8631e609f6b..b6345996fc022 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -3682,12 +3682,28 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data + /* Configure output options and let the other side know + * which ones we don't like. */ + +- /* If MTU is not provided in configure request, use the most recently +- * explicitly or implicitly accepted value for the other direction, +- * or the default value. ++ /* If MTU is not provided in configure request, try adjusting it ++ * to the current output MTU if it has been set ++ * ++ * Bluetooth Core 6.1, Vol 3, Part A, Section 4.5 ++ * ++ * Each configuration parameter value (if any is present) in an ++ * L2CAP_CONFIGURATION_RSP packet reflects an ‘adjustment’ to a ++ * configuration parameter value that has been sent (or, in case ++ * of default values, implied) in the corresponding ++ * L2CAP_CONFIGURATION_REQ packet. + */ +- if (mtu == 0) +- mtu = chan->imtu ? chan->imtu : L2CAP_DEFAULT_MTU; ++ if (!mtu) { ++ /* Only adjust for ERTM channels as for older modes the ++ * remote stack may not be able to detect that the ++ * adjustment causing it to silently drop packets. ++ */ ++ if (chan->mode == L2CAP_MODE_ERTM && ++ chan->omtu && chan->omtu != L2CAP_DEFAULT_MTU) ++ mtu = chan->omtu; ++ else ++ mtu = L2CAP_DEFAULT_MTU; ++ } + + if (mtu < L2CAP_DEFAULT_MIN_MTU) + result = L2CAP_CONF_UNACCEPT; +-- +2.39.5 + diff --git a/queue-5.10/bluetooth-smp-fix-using-hci_error_remote_user_term-o.patch b/queue-5.10/bluetooth-smp-fix-using-hci_error_remote_user_term-o.patch new file mode 100644 index 0000000000..1ffc30d64b --- /dev/null +++ b/queue-5.10/bluetooth-smp-fix-using-hci_error_remote_user_term-o.patch @@ -0,0 +1,37 @@ +From c46cac28c128d4dd7bfd2bcb137ebf2e8f11ec78 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jul 2025 11:53:40 -0400 +Subject: Bluetooth: SMP: Fix using HCI_ERROR_REMOTE_USER_TERM on timeout + +From: Luiz Augusto von Dentz + +[ Upstream commit 6ef99c917688a8510259e565bd1b168b7146295a ] + +This replaces the usage of HCI_ERROR_REMOTE_USER_TERM, which as the name +suggest is to indicate a regular disconnection initiated by an user, +with HCI_ERROR_AUTH_FAILURE to indicate the session has timeout thus any +pairing shall be considered as failed. + +Fixes: 1e91c29eb60c ("Bluetooth: Use hci_disconnect for immediate disconnection from SMP") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/smp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c +index 5a56e862ba13c..fc896d39a6d95 100644 +--- a/net/bluetooth/smp.c ++++ b/net/bluetooth/smp.c +@@ -1374,7 +1374,7 @@ static void smp_timeout(struct work_struct *work) + + bt_dev_dbg(conn->hcon->hdev, "conn %p", conn); + +- hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM); ++ hci_disconnect(conn->hcon, HCI_ERROR_AUTH_FAILURE); + } + + static struct smp_chan *smp_chan_create(struct l2cap_conn *conn) +-- +2.39.5 + diff --git a/queue-5.10/bluetooth-smp-if-an-unallowed-command-is-received-co.patch b/queue-5.10/bluetooth-smp-if-an-unallowed-command-is-received-co.patch new file mode 100644 index 0000000000..fb500badff --- /dev/null +++ b/queue-5.10/bluetooth-smp-if-an-unallowed-command-is-received-co.patch @@ -0,0 +1,130 @@ +From e21c5bfa1baf966ba79ea3b4dca463adf1a83c8a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 14:42:23 -0400 +Subject: Bluetooth: SMP: If an unallowed command is received consider it a + failure + +From: Luiz Augusto von Dentz + +[ Upstream commit fe4840df0bdf341f376885271b7680764fe6b34e ] + +If a command is received while a bonding is ongoing consider it a +pairing failure so the session is cleanup properly and the device is +disconnected immediately instead of continuing with other commands that +may result in the session to get stuck without ever completing such as +the case bellow: + +> ACL Data RX: Handle 2048 flags 0x02 dlen 21 + SMP: Identity Information (0x08) len 16 + Identity resolving key[16]: d7e08edef97d3e62cd2331f82d8073b0 +> ACL Data RX: Handle 2048 flags 0x02 dlen 21 + SMP: Signing Information (0x0a) len 16 + Signature key[16]: 1716c536f94e843a9aea8b13ffde477d +Bluetooth: hci0: unexpected SMP command 0x0a from XX:XX:XX:XX:XX:XX +> ACL Data RX: Handle 2048 flags 0x02 dlen 12 + SMP: Identity Address Information (0x09) len 7 + Address: XX:XX:XX:XX:XX:XX (Intel Corporate) + +While accourding to core spec 6.1 the expected order is always BD_ADDR +first first then CSRK: + +When using LE legacy pairing, the keys shall be distributed in the +following order: + + LTK by the Peripheral + + EDIV and Rand by the Peripheral + + IRK by the Peripheral + + BD_ADDR by the Peripheral + + CSRK by the Peripheral + + LTK by the Central + + EDIV and Rand by the Central + + IRK by the Central + + BD_ADDR by the Central + + CSRK by the Central + +When using LE Secure Connections, the keys shall be distributed in the +following order: + + IRK by the Peripheral + + BD_ADDR by the Peripheral + + CSRK by the Peripheral + + IRK by the Central + + BD_ADDR by the Central + + CSRK by the Central + +According to the Core 6.1 for commands used for key distribution "Key +Rejected" can be used: + + '3.6.1. Key distribution and generation + + A device may reject a distributed key by sending the Pairing Failed command + with the reason set to "Key Rejected". + +Fixes: b28b4943660f ("Bluetooth: Add strict checks for allowed SMP PDUs") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/smp.c | 19 ++++++++++++++++++- + net/bluetooth/smp.h | 1 + + 2 files changed, 19 insertions(+), 1 deletion(-) + +diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c +index 8f9566f37498e..5a56e862ba13c 100644 +--- a/net/bluetooth/smp.c ++++ b/net/bluetooth/smp.c +@@ -2972,8 +2972,25 @@ static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb) + if (code > SMP_CMD_MAX) + goto drop; + +- if (smp && !test_and_clear_bit(code, &smp->allow_cmd)) ++ if (smp && !test_and_clear_bit(code, &smp->allow_cmd)) { ++ /* If there is a context and the command is not allowed consider ++ * it a failure so the session is cleanup properly. ++ */ ++ switch (code) { ++ case SMP_CMD_IDENT_INFO: ++ case SMP_CMD_IDENT_ADDR_INFO: ++ case SMP_CMD_SIGN_INFO: ++ /* 3.6.1. Key distribution and generation ++ * ++ * A device may reject a distributed key by sending the ++ * Pairing Failed command with the reason set to ++ * "Key Rejected". ++ */ ++ smp_failure(conn, SMP_KEY_REJECTED); ++ break; ++ } + goto drop; ++ } + + /* If we don't have a context the only allowed commands are + * pairing request and security request. +diff --git a/net/bluetooth/smp.h b/net/bluetooth/smp.h +index 5fe68e255cb29..bad594642a53d 100644 +--- a/net/bluetooth/smp.h ++++ b/net/bluetooth/smp.h +@@ -138,6 +138,7 @@ struct smp_cmd_keypress_notify { + #define SMP_NUMERIC_COMP_FAILED 0x0c + #define SMP_BREDR_PAIRING_IN_PROGRESS 0x0d + #define SMP_CROSS_TRANSP_NOT_ALLOWED 0x0e ++#define SMP_KEY_REJECTED 0x0f + + #define SMP_MIN_ENC_KEY_SIZE 7 + #define SMP_MAX_ENC_KEY_SIZE 16 +-- +2.39.5 + diff --git a/queue-5.10/hwmon-corsair-cpro-validate-the-size-of-the-received.patch b/queue-5.10/hwmon-corsair-cpro-validate-the-size-of-the-received.patch new file mode 100644 index 0000000000..a71dd26a63 --- /dev/null +++ b/queue-5.10/hwmon-corsair-cpro-validate-the-size-of-the-received.patch @@ -0,0 +1,56 @@ +From debe550067f2d5d3d53f9cdc75fa1c61c05787ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Jun 2025 15:27:47 +0200 +Subject: hwmon: (corsair-cpro) Validate the size of the received input buffer + +From: Marius Zachmann + +[ Upstream commit 495a4f0dce9c8c4478c242209748f1ee9e4d5820 ] + +Add buffer_recv_size to store the size of the received bytes. +Validate buffer_recv_size in send_usb_cmd(). + +Reported-by: syzbot+3bbbade4e1a7ab45ca3b@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/linux-hwmon/61233ba1-e5ad-4d7a-ba31-3b5d0adcffcc@roeck-us.net +Fixes: 40c3a4454225 ("hwmon: add Corsair Commander Pro driver") +Signed-off-by: Marius Zachmann +Link: https://lore.kernel.org/r/20250619132817.39764-5-mail@mariuszachmann.de +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/corsair-cpro.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/hwmon/corsair-cpro.c b/drivers/hwmon/corsair-cpro.c +index 05df31cab2e52..074f812332e89 100644 +--- a/drivers/hwmon/corsair-cpro.c ++++ b/drivers/hwmon/corsair-cpro.c +@@ -84,6 +84,7 @@ struct ccp_device { + struct mutex mutex; /* whenever buffer is used, lock before send_usb_cmd */ + u8 *cmd_buffer; + u8 *buffer; ++ int buffer_recv_size; /* number of received bytes in buffer */ + int target[6]; + DECLARE_BITMAP(temp_cnct, NUM_TEMP_SENSORS); + DECLARE_BITMAP(fan_cnct, NUM_FANS); +@@ -139,6 +140,9 @@ static int send_usb_cmd(struct ccp_device *ccp, u8 command, u8 byte1, u8 byte2, + if (!t) + return -ETIMEDOUT; + ++ if (ccp->buffer_recv_size != IN_BUFFER_SIZE) ++ return -EPROTO; ++ + return ccp_get_errno(ccp); + } + +@@ -150,6 +154,7 @@ static int ccp_raw_event(struct hid_device *hdev, struct hid_report *report, u8 + spin_lock(&ccp->wait_input_report_lock); + if (!completion_done(&ccp->wait_input_report)) { + memcpy(ccp->buffer, data, min(IN_BUFFER_SIZE, size)); ++ ccp->buffer_recv_size = size; + complete_all(&ccp->wait_input_report); + } + spin_unlock(&ccp->wait_input_report_lock); +-- +2.39.5 + diff --git a/queue-5.10/net-emaclite-fix-missing-pointer-increment-in-aligne.patch b/queue-5.10/net-emaclite-fix-missing-pointer-increment-in-aligne.patch new file mode 100644 index 0000000000..c41d32e924 --- /dev/null +++ b/queue-5.10/net-emaclite-fix-missing-pointer-increment-in-aligne.patch @@ -0,0 +1,40 @@ +From 0a23ba8fa7554433201386b1693692c9d36ac2c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 10:38:46 -0700 +Subject: net: emaclite: Fix missing pointer increment in aligned_read() + +From: Alok Tiwari + +[ Upstream commit 7727ec1523d7973defa1dff8f9c0aad288d04008 ] + +Add missing post-increment operators for byte pointers in the +loop that copies remaining bytes in xemaclite_aligned_read(). +Without the increment, the same byte was written repeatedly +to the destination. +This update aligns with xemaclite_aligned_write() + +Fixes: bb81b2ddfa19 ("net: add Xilinx emac lite device driver") +Signed-off-by: Alok Tiwari +Link: https://patch.msgid.link/20250710173849.2381003-1-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/xilinx/xilinx_emaclite.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/xilinx/xilinx_emaclite.c b/drivers/net/ethernet/xilinx/xilinx_emaclite.c +index 02b95afe25066..c8bd4880b609d 100644 +--- a/drivers/net/ethernet/xilinx/xilinx_emaclite.c ++++ b/drivers/net/ethernet/xilinx/xilinx_emaclite.c +@@ -293,7 +293,7 @@ static void xemaclite_aligned_read(u32 *src_ptr, u8 *dest_ptr, + + /* Read the remaining data */ + for (; length > 0; length--) +- *to_u8_ptr = *from_u8_ptr; ++ *to_u8_ptr++ = *from_u8_ptr++; + } + } + +-- +2.39.5 + diff --git a/queue-5.10/net-sched-return-null-when-htb_lookup_leaf-encounter.patch b/queue-5.10/net-sched-return-null-when-htb_lookup_leaf-encounter.patch new file mode 100644 index 0000000000..0ac8e3424b --- /dev/null +++ b/queue-5.10/net-sched-return-null-when-htb_lookup_leaf-encounter.patch @@ -0,0 +1,97 @@ +From d5282bdc49babc1fd11da4225c0586370d48c8f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jul 2025 02:28:38 +0000 +Subject: net/sched: Return NULL when htb_lookup_leaf encounters an empty + rbtree + +From: William Liu + +[ Upstream commit 0e1d5d9b5c5966e2e42e298670808590db5ed628 ] + +htb_lookup_leaf has a BUG_ON that can trigger with the following: + +tc qdisc del dev lo root +tc qdisc add dev lo root handle 1: htb default 1 +tc class add dev lo parent 1: classid 1:1 htb rate 64bit +tc qdisc add dev lo parent 1:1 handle 2: netem +tc qdisc add dev lo parent 2:1 handle 3: blackhole +ping -I lo -c1 -W0.001 127.0.0.1 + +The root cause is the following: + +1. htb_dequeue calls htb_dequeue_tree which calls the dequeue handler on + the selected leaf qdisc +2. netem_dequeue calls enqueue on the child qdisc +3. blackhole_enqueue drops the packet and returns a value that is not + just NET_XMIT_SUCCESS +4. Because of this, netem_dequeue calls qdisc_tree_reduce_backlog, and + since qlen is now 0, it calls htb_qlen_notify -> htb_deactivate -> + htb_deactiviate_prios -> htb_remove_class_from_row -> htb_safe_rb_erase +5. As this is the only class in the selected hprio rbtree, + __rb_change_child in __rb_erase_augmented sets the rb_root pointer to + NULL +6. Because blackhole_dequeue returns NULL, netem_dequeue returns NULL, + which causes htb_dequeue_tree to call htb_lookup_leaf with the same + hprio rbtree, and fail the BUG_ON + +The function graph for this scenario is shown here: + 0) | htb_enqueue() { + 0) + 13.635 us | netem_enqueue(); + 0) 4.719 us | htb_activate_prios(); + 0) # 2249.199 us | } + 0) | htb_dequeue() { + 0) 2.355 us | htb_lookup_leaf(); + 0) | netem_dequeue() { + 0) + 11.061 us | blackhole_enqueue(); + 0) | qdisc_tree_reduce_backlog() { + 0) | qdisc_lookup_rcu() { + 0) 1.873 us | qdisc_match_from_root(); + 0) 6.292 us | } + 0) 1.894 us | htb_search(); + 0) | htb_qlen_notify() { + 0) 2.655 us | htb_deactivate_prios(); + 0) 6.933 us | } + 0) + 25.227 us | } + 0) 1.983 us | blackhole_dequeue(); + 0) + 86.553 us | } + 0) # 2932.761 us | qdisc_warn_nonwc(); + 0) | htb_lookup_leaf() { + 0) | BUG_ON(); + ------------------------------------------ + +The full original bug report can be seen here [1]. + +We can fix this just by returning NULL instead of the BUG_ON, +as htb_dequeue_tree returns NULL when htb_lookup_leaf returns +NULL. + +[1] https://lore.kernel.org/netdev/pF5XOOIim0IuEfhI-SOxTgRvNoDwuux7UHKnE_Y5-zVd4wmGvNk2ceHjKb8ORnzw0cGwfmVu42g9dL7XyJLf1NEzaztboTWcm0Ogxuojoeo=@willsroot.io/ + +Fixes: 512bb43eb542 ("pkt_sched: sch_htb: Optimize WARN_ONs in htb_dequeue_tree() etc.") +Signed-off-by: William Liu +Signed-off-by: Savino Dicanosa +Link: https://patch.msgid.link/20250717022816.221364-1-will@willsroot.io +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_htb.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/sched/sch_htb.c b/net/sched/sch_htb.c +index ff84ed531199a..568754731d426 100644 +--- a/net/sched/sch_htb.c ++++ b/net/sched/sch_htb.c +@@ -775,7 +775,9 @@ static struct htb_class *htb_lookup_leaf(struct htb_prio *hprio, const int prio) + u32 *pid; + } stk[TC_HTB_MAXDEPTH], *sp = stk; + +- BUG_ON(!hprio->row.rb_node); ++ if (unlikely(!hprio->row.rb_node)) ++ return NULL; ++ + sp->root = hprio->row.rb_node; + sp->pptr = &hprio->ptr; + sp->pid = &hprio->last_ptr_id; +-- +2.39.5 + diff --git a/queue-5.10/net-sched-sch_qfq-fix-race-condition-on-qfq_aggregat.patch b/queue-5.10/net-sched-sch_qfq-fix-race-condition-on-qfq_aggregat.patch new file mode 100644 index 0000000000..24fbe3b711 --- /dev/null +++ b/queue-5.10/net-sched-sch_qfq-fix-race-condition-on-qfq_aggregat.patch @@ -0,0 +1,115 @@ +From 69da3ecf35ef5ab0965477ca9f951f26e3eee14a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 03:09:42 -0700 +Subject: net/sched: sch_qfq: Fix race condition on qfq_aggregate + +From: Xiang Mei + +[ Upstream commit 5e28d5a3f774f118896aec17a3a20a9c5c9dfc64 ] + +A race condition can occur when 'agg' is modified in qfq_change_agg +(called during qfq_enqueue) while other threads access it +concurrently. For example, qfq_dump_class may trigger a NULL +dereference, and qfq_delete_class may cause a use-after-free. + +This patch addresses the issue by: + +1. Moved qfq_destroy_class into the critical section. + +2. Added sch_tree_lock protection to qfq_dump_class and +qfq_dump_class_stats. + +Fixes: 462dbc9101ac ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost") +Signed-off-by: Xiang Mei +Reviewed-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/sch_qfq.c | 30 +++++++++++++++++++++--------- + 1 file changed, 21 insertions(+), 9 deletions(-) + +diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c +index 1ee15db5fcc8c..e412340f639d2 100644 +--- a/net/sched/sch_qfq.c ++++ b/net/sched/sch_qfq.c +@@ -414,7 +414,7 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid, + bool existing = false; + struct nlattr *tb[TCA_QFQ_MAX + 1]; + struct qfq_aggregate *new_agg = NULL; +- u32 weight, lmax, inv_w; ++ u32 weight, lmax, inv_w, old_weight, old_lmax; + int err; + int delta_w; + +@@ -448,12 +448,16 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid, + inv_w = ONE_FP / weight; + weight = ONE_FP / inv_w; + +- if (cl != NULL && +- lmax == cl->agg->lmax && +- weight == cl->agg->class_weight) +- return 0; /* nothing to change */ ++ if (cl != NULL) { ++ sch_tree_lock(sch); ++ old_weight = cl->agg->class_weight; ++ old_lmax = cl->agg->lmax; ++ sch_tree_unlock(sch); ++ if (lmax == old_lmax && weight == old_weight) ++ return 0; /* nothing to change */ ++ } + +- delta_w = weight - (cl ? cl->agg->class_weight : 0); ++ delta_w = weight - (cl ? old_weight : 0); + + if (q->wsum + delta_w > QFQ_MAX_WSUM) { + pr_notice("qfq: total weight out of range (%d + %u)\n", +@@ -554,10 +558,10 @@ static int qfq_delete_class(struct Qdisc *sch, unsigned long arg) + + qdisc_purge_queue(cl->qdisc); + qdisc_class_hash_remove(&q->clhash, &cl->common); ++ qfq_destroy_class(sch, cl); + + sch_tree_unlock(sch); + +- qfq_destroy_class(sch, cl); + return 0; + } + +@@ -624,6 +628,7 @@ static int qfq_dump_class(struct Qdisc *sch, unsigned long arg, + { + struct qfq_class *cl = (struct qfq_class *)arg; + struct nlattr *nest; ++ u32 class_weight, lmax; + + tcm->tcm_parent = TC_H_ROOT; + tcm->tcm_handle = cl->common.classid; +@@ -632,8 +637,13 @@ static int qfq_dump_class(struct Qdisc *sch, unsigned long arg, + nest = nla_nest_start_noflag(skb, TCA_OPTIONS); + if (nest == NULL) + goto nla_put_failure; +- if (nla_put_u32(skb, TCA_QFQ_WEIGHT, cl->agg->class_weight) || +- nla_put_u32(skb, TCA_QFQ_LMAX, cl->agg->lmax)) ++ ++ sch_tree_lock(sch); ++ class_weight = cl->agg->class_weight; ++ lmax = cl->agg->lmax; ++ sch_tree_unlock(sch); ++ if (nla_put_u32(skb, TCA_QFQ_WEIGHT, class_weight) || ++ nla_put_u32(skb, TCA_QFQ_LMAX, lmax)) + goto nla_put_failure; + return nla_nest_end(skb, nest); + +@@ -650,8 +660,10 @@ static int qfq_dump_class_stats(struct Qdisc *sch, unsigned long arg, + + memset(&xstats, 0, sizeof(xstats)); + ++ sch_tree_lock(sch); + xstats.weight = cl->agg->class_weight; + xstats.lmax = cl->agg->lmax; ++ sch_tree_unlock(sch); + + if (gnet_stats_copy_basic(qdisc_root_sleeping_running(sch), + d, NULL, &cl->bstats) < 0 || +-- +2.39.5 + diff --git a/queue-5.10/net-vlan-fix-vlan-0-refcount-imbalance-of-toggling-f.patch b/queue-5.10/net-vlan-fix-vlan-0-refcount-imbalance-of-toggling-f.patch new file mode 100644 index 0000000000..176883f9db --- /dev/null +++ b/queue-5.10/net-vlan-fix-vlan-0-refcount-imbalance-of-toggling-f.patch @@ -0,0 +1,204 @@ +From 781c33d9e6030e9a48b7cadc10c016adef44d12c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jul 2025 11:45:03 +0800 +Subject: net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during + runtime + +From: Dong Chenchen + +[ Upstream commit 579d4f9ca9a9a605184a9b162355f6ba131f678d ] + +Assuming the "rx-vlan-filter" feature is enabled on a net device, the +8021q module will automatically add or remove VLAN 0 when the net device +is put administratively up or down, respectively. There are a couple of +problems with the above scheme. + +The first problem is a memory leak that can happen if the "rx-vlan-filter" +feature is disabled while the device is running: + + # ip link add bond1 up type bond mode 0 + # ethtool -K bond1 rx-vlan-filter off + # ip link del dev bond1 + +When the device is put administratively down the "rx-vlan-filter" +feature is disabled, so the 8021q module will not remove VLAN 0 and the +memory will be leaked [1]. + +Another problem that can happen is that the kernel can automatically +delete VLAN 0 when the device is put administratively down despite not +adding it when the device was put administratively up since during that +time the "rx-vlan-filter" feature was disabled. null-ptr-unref or +bug_on[2] will be triggered by unregister_vlan_dev() for refcount +imbalance if toggling filtering during runtime: + +$ ip link add bond0 type bond mode 0 +$ ip link add link bond0 name vlan0 type vlan id 0 protocol 802.1q +$ ethtool -K bond0 rx-vlan-filter off +$ ifconfig bond0 up +$ ethtool -K bond0 rx-vlan-filter on +$ ifconfig bond0 down +$ ip link del vlan0 + +Root cause is as below: +step1: add vlan0 for real_dev, such as bond, team. +register_vlan_dev + vlan_vid_add(real_dev,htons(ETH_P_8021Q),0) //refcnt=1 +step2: disable vlan filter feature and enable real_dev +step3: change filter from 0 to 1 +vlan_device_event + vlan_filter_push_vids + ndo_vlan_rx_add_vid //No refcnt added to real_dev vlan0 +step4: real_dev down +vlan_device_event + vlan_vid_del(dev, htons(ETH_P_8021Q), 0); //refcnt=0 + vlan_info_rcu_free //free vlan0 +step5: delete vlan0 +unregister_vlan_dev + BUG_ON(!vlan_info); //vlan_info is null + +Fix both problems by noting in the VLAN info whether VLAN 0 was +automatically added upon NETDEV_UP and based on that decide whether it +should be deleted upon NETDEV_DOWN, regardless of the state of the +"rx-vlan-filter" feature. + +[1] +unreferenced object 0xffff8880068e3100 (size 256): + comm "ip", pid 384, jiffies 4296130254 + hex dump (first 32 bytes): + 00 20 30 0d 80 88 ff ff 00 00 00 00 00 00 00 00 . 0............. + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace (crc 81ce31fa): + __kmalloc_cache_noprof+0x2b5/0x340 + vlan_vid_add+0x434/0x940 + vlan_device_event.cold+0x75/0xa8 + notifier_call_chain+0xca/0x150 + __dev_notify_flags+0xe3/0x250 + rtnl_configure_link+0x193/0x260 + rtnl_newlink_create+0x383/0x8e0 + __rtnl_newlink+0x22c/0xa40 + rtnl_newlink+0x627/0xb00 + rtnetlink_rcv_msg+0x6fb/0xb70 + netlink_rcv_skb+0x11f/0x350 + netlink_unicast+0x426/0x710 + netlink_sendmsg+0x75a/0xc20 + __sock_sendmsg+0xc1/0x150 + ____sys_sendmsg+0x5aa/0x7b0 + ___sys_sendmsg+0xfc/0x180 + +[2] +kernel BUG at net/8021q/vlan.c:99! +Oops: invalid opcode: 0000 [#1] SMP KASAN PTI +CPU: 0 UID: 0 PID: 382 Comm: ip Not tainted 6.16.0-rc3 #61 PREEMPT(voluntary) +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), +BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 +RIP: 0010:unregister_vlan_dev (net/8021q/vlan.c:99 (discriminator 1)) +RSP: 0018:ffff88810badf310 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: ffff88810da84000 RCX: ffffffffb47ceb9a +RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88810e8b43c8 +RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff6cefe80 +R10: ffffffffb677f407 R11: ffff88810badf3c0 R12: ffff88810e8b4000 +R13: 0000000000000000 R14: ffff88810642a5c0 R15: 000000000000017e +FS: 00007f1ff68c20c0(0000) GS:ffff888163a24000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f1ff5dad240 CR3: 0000000107e56000 CR4: 00000000000006f0 +Call Trace: + +rtnl_dellink (net/core/rtnetlink.c:3511 net/core/rtnetlink.c:3553) +rtnetlink_rcv_msg (net/core/rtnetlink.c:6945) +netlink_rcv_skb (net/netlink/af_netlink.c:2535) +netlink_unicast (net/netlink/af_netlink.c:1314 net/netlink/af_netlink.c:1339) +netlink_sendmsg (net/netlink/af_netlink.c:1883) +____sys_sendmsg (net/socket.c:712 net/socket.c:727 net/socket.c:2566) +___sys_sendmsg (net/socket.c:2622) +__sys_sendmsg (net/socket.c:2652) +do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) + +Fixes: ad1afb003939 ("vlan_dev: VLAN 0 should be treated as "no vlan tag" (802.1p packet)") +Reported-by: syzbot+a8b046e462915c65b10b@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=a8b046e462915c65b10b +Suggested-by: Ido Schimmel +Signed-off-by: Dong Chenchen +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20250716034504.2285203-2-dongchenchen2@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/8021q/vlan.c | 42 +++++++++++++++++++++++++++++++++--------- + net/8021q/vlan.h | 1 + + 2 files changed, 34 insertions(+), 9 deletions(-) + +diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c +index b45b9c9b12684..07b829d19e01e 100644 +--- a/net/8021q/vlan.c ++++ b/net/8021q/vlan.c +@@ -356,6 +356,35 @@ static int __vlan_device_event(struct net_device *dev, unsigned long event) + return err; + } + ++static void vlan_vid0_add(struct net_device *dev) ++{ ++ struct vlan_info *vlan_info; ++ int err; ++ ++ if (!(dev->features & NETIF_F_HW_VLAN_CTAG_FILTER)) ++ return; ++ ++ pr_info("adding VLAN 0 to HW filter on device %s\n", dev->name); ++ ++ err = vlan_vid_add(dev, htons(ETH_P_8021Q), 0); ++ if (err) ++ return; ++ ++ vlan_info = rtnl_dereference(dev->vlan_info); ++ vlan_info->auto_vid0 = true; ++} ++ ++static void vlan_vid0_del(struct net_device *dev) ++{ ++ struct vlan_info *vlan_info = rtnl_dereference(dev->vlan_info); ++ ++ if (!vlan_info || !vlan_info->auto_vid0) ++ return; ++ ++ vlan_info->auto_vid0 = false; ++ vlan_vid_del(dev, htons(ETH_P_8021Q), 0); ++} ++ + static int vlan_device_event(struct notifier_block *unused, unsigned long event, + void *ptr) + { +@@ -377,15 +406,10 @@ static int vlan_device_event(struct notifier_block *unused, unsigned long event, + return notifier_from_errno(err); + } + +- if ((event == NETDEV_UP) && +- (dev->features & NETIF_F_HW_VLAN_CTAG_FILTER)) { +- pr_info("adding VLAN 0 to HW filter on device %s\n", +- dev->name); +- vlan_vid_add(dev, htons(ETH_P_8021Q), 0); +- } +- if (event == NETDEV_DOWN && +- (dev->features & NETIF_F_HW_VLAN_CTAG_FILTER)) +- vlan_vid_del(dev, htons(ETH_P_8021Q), 0); ++ if (event == NETDEV_UP) ++ vlan_vid0_add(dev); ++ else if (event == NETDEV_DOWN) ++ vlan_vid0_del(dev); + + vlan_info = rtnl_dereference(dev->vlan_info); + if (!vlan_info) +diff --git a/net/8021q/vlan.h b/net/8021q/vlan.h +index c373492771146..2633b7616526f 100644 +--- a/net/8021q/vlan.h ++++ b/net/8021q/vlan.h +@@ -33,6 +33,7 @@ struct vlan_info { + struct vlan_group grp; + struct list_head vid_list; + unsigned int nr_vids; ++ bool auto_vid0; + struct rcu_head rcu; + }; + +-- +2.39.5 + diff --git a/queue-5.10/rpl-fix-use-after-free-in-rpl_do_srh_inline.patch b/queue-5.10/rpl-fix-use-after-free-in-rpl_do_srh_inline.patch new file mode 100644 index 0000000000..79428ed3d9 --- /dev/null +++ b/queue-5.10/rpl-fix-use-after-free-in-rpl_do_srh_inline.patch @@ -0,0 +1,187 @@ +From 717374e5d6bf48993ee4d6904320fb9d9ee02a0b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jul 2025 18:21:19 +0000 +Subject: rpl: Fix use-after-free in rpl_do_srh_inline(). + +From: Kuniyuki Iwashima + +[ Upstream commit b640daa2822a39ff76e70200cb2b7b892b896dce ] + +Running lwt_dst_cache_ref_loop.sh in selftest with KASAN triggers +the splat below [0]. + +rpl_do_srh_inline() fetches ipv6_hdr(skb) and accesses it after +skb_cow_head(), which is illegal as the header could be freed then. + +Let's fix it by making oldhdr to a local struct instead of a pointer. + +[0]: +[root@fedora net]# ./lwt_dst_cache_ref_loop.sh +... +TEST: rpl (input) +[ 57.631529] ================================================================== +BUG: KASAN: slab-use-after-free in rpl_do_srh_inline.isra.0 (net/ipv6/rpl_iptunnel.c:174) +Read of size 40 at addr ffff888122bf96d8 by task ping6/1543 + +CPU: 50 UID: 0 PID: 1543 Comm: ping6 Not tainted 6.16.0-rc5-01302-gfadd1e6231b1 #23 PREEMPT(voluntary) +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +Call Trace: + + dump_stack_lvl (lib/dump_stack.c:122) + print_report (mm/kasan/report.c:409 mm/kasan/report.c:521) + kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:636) + kasan_check_range (mm/kasan/generic.c:175 (discriminator 1) mm/kasan/generic.c:189 (discriminator 1)) + __asan_memmove (mm/kasan/shadow.c:94 (discriminator 2)) + rpl_do_srh_inline.isra.0 (net/ipv6/rpl_iptunnel.c:174) + rpl_input (net/ipv6/rpl_iptunnel.c:201 net/ipv6/rpl_iptunnel.c:282) + lwtunnel_input (net/core/lwtunnel.c:459) + ipv6_rcv (./include/net/dst.h:471 (discriminator 1) ./include/net/dst.h:469 (discriminator 1) net/ipv6/ip6_input.c:79 (discriminator 1) ./include/linux/netfilter.h:317 (discriminator 1) ./include/linux/netfilter.h:311 (discriminator 1) net/ipv6/ip6_input.c:311 (discriminator 1)) + __netif_receive_skb_one_core (net/core/dev.c:5967) + process_backlog (./include/linux/rcupdate.h:869 net/core/dev.c:6440) + __napi_poll.constprop.0 (net/core/dev.c:7452) + net_rx_action (net/core/dev.c:7518 net/core/dev.c:7643) + handle_softirqs (kernel/softirq.c:579) + do_softirq (kernel/softirq.c:480 (discriminator 20)) + + + __local_bh_enable_ip (kernel/softirq.c:407) + __dev_queue_xmit (net/core/dev.c:4740) + ip6_finish_output2 (./include/linux/netdevice.h:3358 ./include/net/neighbour.h:526 ./include/net/neighbour.h:540 net/ipv6/ip6_output.c:141) + ip6_finish_output (net/ipv6/ip6_output.c:215 net/ipv6/ip6_output.c:226) + ip6_output (./include/linux/netfilter.h:306 net/ipv6/ip6_output.c:248) + ip6_send_skb (net/ipv6/ip6_output.c:1983) + rawv6_sendmsg (net/ipv6/raw.c:588 net/ipv6/raw.c:918) + __sys_sendto (net/socket.c:714 (discriminator 1) net/socket.c:729 (discriminator 1) net/socket.c:2228 (discriminator 1)) + __x64_sys_sendto (net/socket.c:2231) + do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) + entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) +RIP: 0033:0x7f68cffb2a06 +Code: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 <48> 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08 +RSP: 002b:00007ffefb7c53d0 EFLAGS: 00000202 ORIG_RAX: 000000000000002c +RAX: ffffffffffffffda RBX: 0000564cd69f10a0 RCX: 00007f68cffb2a06 +RDX: 0000000000000040 RSI: 0000564cd69f10a4 RDI: 0000000000000003 +RBP: 00007ffefb7c53f0 R08: 0000564cd6a032ac R09: 000000000000001c +R10: 0000000000000000 R11: 0000000000000202 R12: 0000564cd69f10a4 +R13: 0000000000000040 R14: 00007ffefb7c66e0 R15: 0000564cd69f10a0 + + +Allocated by task 1543: + kasan_save_stack (mm/kasan/common.c:48) + kasan_save_track (mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1)) + __kasan_slab_alloc (mm/kasan/common.c:319 mm/kasan/common.c:345) + kmem_cache_alloc_node_noprof (./include/linux/kasan.h:250 mm/slub.c:4148 mm/slub.c:4197 mm/slub.c:4249) + kmalloc_reserve (net/core/skbuff.c:581 (discriminator 88)) + __alloc_skb (net/core/skbuff.c:669) + __ip6_append_data (net/ipv6/ip6_output.c:1672 (discriminator 1)) + ip6_append_data (net/ipv6/ip6_output.c:1859) + rawv6_sendmsg (net/ipv6/raw.c:911) + __sys_sendto (net/socket.c:714 (discriminator 1) net/socket.c:729 (discriminator 1) net/socket.c:2228 (discriminator 1)) + __x64_sys_sendto (net/socket.c:2231) + do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) + entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) + +Freed by task 1543: + kasan_save_stack (mm/kasan/common.c:48) + kasan_save_track (mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1)) + kasan_save_free_info (mm/kasan/generic.c:579 (discriminator 1)) + __kasan_slab_free (mm/kasan/common.c:271) + kmem_cache_free (mm/slub.c:4643 (discriminator 3) mm/slub.c:4745 (discriminator 3)) + pskb_expand_head (net/core/skbuff.c:2274) + rpl_do_srh_inline.isra.0 (net/ipv6/rpl_iptunnel.c:158 (discriminator 1)) + rpl_input (net/ipv6/rpl_iptunnel.c:201 net/ipv6/rpl_iptunnel.c:282) + lwtunnel_input (net/core/lwtunnel.c:459) + ipv6_rcv (./include/net/dst.h:471 (discriminator 1) ./include/net/dst.h:469 (discriminator 1) net/ipv6/ip6_input.c:79 (discriminator 1) ./include/linux/netfilter.h:317 (discriminator 1) ./include/linux/netfilter.h:311 (discriminator 1) net/ipv6/ip6_input.c:311 (discriminator 1)) + __netif_receive_skb_one_core (net/core/dev.c:5967) + process_backlog (./include/linux/rcupdate.h:869 net/core/dev.c:6440) + __napi_poll.constprop.0 (net/core/dev.c:7452) + net_rx_action (net/core/dev.c:7518 net/core/dev.c:7643) + handle_softirqs (kernel/softirq.c:579) + do_softirq (kernel/softirq.c:480 (discriminator 20)) + __local_bh_enable_ip (kernel/softirq.c:407) + __dev_queue_xmit (net/core/dev.c:4740) + ip6_finish_output2 (./include/linux/netdevice.h:3358 ./include/net/neighbour.h:526 ./include/net/neighbour.h:540 net/ipv6/ip6_output.c:141) + ip6_finish_output (net/ipv6/ip6_output.c:215 net/ipv6/ip6_output.c:226) + ip6_output (./include/linux/netfilter.h:306 net/ipv6/ip6_output.c:248) + ip6_send_skb (net/ipv6/ip6_output.c:1983) + rawv6_sendmsg (net/ipv6/raw.c:588 net/ipv6/raw.c:918) + __sys_sendto (net/socket.c:714 (discriminator 1) net/socket.c:729 (discriminator 1) net/socket.c:2228 (discriminator 1)) + __x64_sys_sendto (net/socket.c:2231) + do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) + entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) + +The buggy address belongs to the object at ffff888122bf96c0 + which belongs to the cache skbuff_small_head of size 704 +The buggy address is located 24 bytes inside of + freed 704-byte region [ffff888122bf96c0, ffff888122bf9980) + +The buggy address belongs to the physical page: +page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x122bf8 +head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 +flags: 0x200000000000040(head|node=0|zone=2) +page_type: f5(slab) +raw: 0200000000000040 ffff888101fc0a00 ffffea000464dc00 0000000000000002 +raw: 0000000000000000 0000000080270027 00000000f5000000 0000000000000000 +head: 0200000000000040 ffff888101fc0a00 ffffea000464dc00 0000000000000002 +head: 0000000000000000 0000000080270027 00000000f5000000 0000000000000000 +head: 0200000000000003 ffffea00048afe01 00000000ffffffff 00000000ffffffff +head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff888122bf9580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff888122bf9600: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc +>ffff888122bf9680: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb + ^ + ffff888122bf9700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff888122bf9780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + +Fixes: a7a29f9c361f8 ("net: ipv6: add rpl sr tunnel") +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/rpl_iptunnel.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/ipv6/rpl_iptunnel.c b/net/ipv6/rpl_iptunnel.c +index 5d47948c03642..b849d2a13f87c 100644 +--- a/net/ipv6/rpl_iptunnel.c ++++ b/net/ipv6/rpl_iptunnel.c +@@ -129,13 +129,13 @@ static int rpl_do_srh_inline(struct sk_buff *skb, const struct rpl_lwt *rlwt, + struct dst_entry *cache_dst) + { + struct ipv6_rpl_sr_hdr *isrh, *csrh; +- const struct ipv6hdr *oldhdr; ++ struct ipv6hdr oldhdr; + struct ipv6hdr *hdr; + unsigned char *buf; + size_t hdrlen; + int err; + +- oldhdr = ipv6_hdr(skb); ++ memcpy(&oldhdr, ipv6_hdr(skb), sizeof(oldhdr)); + + buf = kcalloc(struct_size(srh, segments.addr, srh->segments_left), 2, GFP_ATOMIC); + if (!buf) +@@ -147,7 +147,7 @@ static int rpl_do_srh_inline(struct sk_buff *skb, const struct rpl_lwt *rlwt, + memcpy(isrh, srh, sizeof(*isrh)); + memcpy(isrh->rpl_segaddr, &srh->rpl_segaddr[1], + (srh->segments_left - 1) * 16); +- isrh->rpl_segaddr[srh->segments_left - 1] = oldhdr->daddr; ++ isrh->rpl_segaddr[srh->segments_left - 1] = oldhdr.daddr; + + ipv6_rpl_srh_compress(csrh, isrh, &srh->rpl_segaddr[0], + isrh->segments_left - 1); +@@ -169,7 +169,7 @@ static int rpl_do_srh_inline(struct sk_buff *skb, const struct rpl_lwt *rlwt, + skb_mac_header_rebuild(skb); + + hdr = ipv6_hdr(skb); +- memmove(hdr, oldhdr, sizeof(*hdr)); ++ memmove(hdr, &oldhdr, sizeof(*hdr)); + isrh = (void *)hdr + sizeof(*hdr); + memcpy(isrh, csrh, hdrlen); + +-- +2.39.5 + diff --git a/queue-5.10/series b/queue-5.10/series index c0defcc9b4..6275db4bfc 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -31,3 +31,14 @@ comedi-das6402-fix-bit-shift-out-of-bounds.patch comedi-fix-some-signed-shift-left-operations.patch comedi-fix-use-of-uninitialized-data-in-insn_rw_emulate_bits.patch comedi-fix-initialization-of-data-for-instructions-that-write-to-subdevice.patch +net-emaclite-fix-missing-pointer-increment-in-aligne.patch +net-sched-sch_qfq-fix-race-condition-on-qfq_aggregat.patch +rpl-fix-use-after-free-in-rpl_do_srh_inline.patch +hwmon-corsair-cpro-validate-the-size-of-the-received.patch +usb-net-sierra-check-for-no-status-endpoint.patch +bluetooth-fix-null-ptr-deref-in-l2cap_sock_resume_cb.patch +bluetooth-smp-if-an-unallowed-command-is-received-co.patch +bluetooth-smp-fix-using-hci_error_remote_user_term-o.patch +bluetooth-l2cap-fix-attempting-to-adjust-outgoing-mt.patch +net-vlan-fix-vlan-0-refcount-imbalance-of-toggling-f.patch +net-sched-return-null-when-htb_lookup_leaf-encounter.patch diff --git a/queue-5.10/usb-net-sierra-check-for-no-status-endpoint.patch b/queue-5.10/usb-net-sierra-check-for-no-status-endpoint.patch new file mode 100644 index 0000000000..c94551052d --- /dev/null +++ b/queue-5.10/usb-net-sierra-check-for-no-status-endpoint.patch @@ -0,0 +1,44 @@ +From a5841c1bac6cd6e1157bf56f58361a30e23bd9ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Jul 2025 13:12:56 +0200 +Subject: usb: net: sierra: check for no status endpoint + +From: Oliver Neukum + +[ Upstream commit 4c4ca3c46167518f8534ed70f6e3b4bf86c4d158 ] + +The driver checks for having three endpoints and +having bulk in and out endpoints, but not that +the third endpoint is interrupt input. +Rectify the omission. + +Reported-by: syzbot+3f89ec3d1d0842e95d50@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/linux-usb/686d5a9f.050a0220.1ffab7.0017.GAE@google.com/ +Tested-by: syzbot+3f89ec3d1d0842e95d50@syzkaller.appspotmail.com +Fixes: eb4fd8cd355c8 ("net/usb: add sierra_net.c driver") +Signed-off-by: Oliver Neukum +Link: https://patch.msgid.link/20250714111326.258378-1-oneukum@suse.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/sierra_net.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/usb/sierra_net.c b/drivers/net/usb/sierra_net.c +index 777f672f288cb..cfc519bc45451 100644 +--- a/drivers/net/usb/sierra_net.c ++++ b/drivers/net/usb/sierra_net.c +@@ -689,6 +689,10 @@ static int sierra_net_bind(struct usbnet *dev, struct usb_interface *intf) + status); + return -ENODEV; + } ++ if (!dev->status) { ++ dev_err(&dev->udev->dev, "No status endpoint found"); ++ return -ENODEV; ++ } + /* Initialize sierra private data */ + priv = kzalloc(sizeof *priv, GFP_KERNEL); + if (!priv) +-- +2.39.5 +