From: Sasha Levin Date: Sat, 9 May 2026 14:32:19 +0000 (-0400) Subject: Fixes for all trees X-Git-Tag: v6.18.29~5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4fb1c51ae3c978810f3b462488beb8a5eb29614c;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for all trees Signed-off-by: Sasha Levin --- diff --git a/queue-5.15/octeontx2-pf-handle-otx2_mbox_get_rsp-errors-in-otx2.patch b/queue-5.15/octeontx2-pf-handle-otx2_mbox_get_rsp-errors-in-otx2.patch new file mode 100644 index 0000000000..3b4da3ae1e --- /dev/null +++ b/queue-5.15/octeontx2-pf-handle-otx2_mbox_get_rsp-errors-in-otx2.patch @@ -0,0 +1,50 @@ +From 1fcc2aa192191f6b6eb115debd9d8b24dca874e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 May 2026 13:58:46 +0800 +Subject: octeontx2-pf: handle otx2_mbox_get_rsp errors in otx2_flows.c + +From: Dipendra Khadka + +[ Upstream commit bd3110bc102ab6292656b8118be819faa0de8dd0 ] + +Adding error pointer check after calling otx2_mbox_get_rsp(). + +Fixes: 9917060fc30a ("octeontx2-pf: Cleanup flow rule management") +Fixes: f0a1913f8a6f ("octeontx2-pf: Add support for ethtool ntuple filters") +Fixes: 674b3e164238 ("octeontx2-pf: Add additional checks while configuring ucast/bcast/mcast rules") +Signed-off-by: Dipendra Khadka +Reviewed-by: Simon Horman +Signed-off-by: Andrew Lunn +Signed-off-by: Robert Garcia +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/nic/otx2_flows.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_flows.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_flows.c +index c3e5ebc416676..3c46cb0bd0de0 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_flows.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_flows.c +@@ -119,6 +119,8 @@ int otx2_alloc_mcam_entries(struct otx2_nic *pfvf, u16 count) + + rsp = (struct npc_mcam_alloc_entry_rsp *)otx2_mbox_get_rsp + (&pfvf->mbox.mbox, 0, &req->hdr); ++ if (IS_ERR(rsp)) ++ goto exit; + + for (ent = 0; ent < rsp->count; ent++) + flow_cfg->flow_ent[ent + allocated] = rsp->entry_list[ent]; +@@ -195,6 +197,10 @@ static int otx2_mcam_entry_init(struct otx2_nic *pfvf) + + rsp = (struct npc_mcam_alloc_entry_rsp *)otx2_mbox_get_rsp + (&pfvf->mbox.mbox, 0, &req->hdr); ++ if (IS_ERR(rsp)) { ++ mutex_unlock(&pfvf->mbox.lock); ++ return PTR_ERR(rsp); ++ } + + if (rsp->count != req->count) { + netdev_info(pfvf->netdev, +-- +2.53.0 + diff --git a/queue-5.15/series b/queue-5.15/series index 4d63a2ae90..3478d131d4 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -288,3 +288,4 @@ x86-cpu-amd-add-x86_feature_zen1.patch ksmbd-do-not-expire-session-on-binding-failure.patch spi-meson-spicc-fix-double-put-in-remove-path.patch um-virt-pci-fix-build-failure.patch +octeontx2-pf-handle-otx2_mbox_get_rsp-errors-in-otx2.patch diff --git a/queue-6.12/net-af_key-zero-aligned-sockaddr-tail-in-pf_key-expo.patch b/queue-6.12/net-af_key-zero-aligned-sockaddr-tail-in-pf_key-expo.patch new file mode 100644 index 0000000000..18ceb952b0 --- /dev/null +++ b/queue-6.12/net-af_key-zero-aligned-sockaddr-tail-in-pf_key-expo.patch @@ -0,0 +1,145 @@ +From a0d710558a1e9b0fb8e2aebea39f48026fd5b3ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 22 Mar 2026 11:46:08 -0700 +Subject: net: af_key: zero aligned sockaddr tail in PF_KEY exports + +From: Zhengchuan Liang + +[ Upstream commit 426c355742f02cf743b347d9d7dbdc1bfbfa31ef ] + +PF_KEY export paths use `pfkey_sockaddr_size()` when reserving sockaddr +payload space, so IPv6 addresses occupy 32 bytes on the wire. However, +`pfkey_sockaddr_fill()` initializes only the first 28 bytes of +`struct sockaddr_in6`, leaving the final 4 aligned bytes uninitialized. + +Not every PF_KEY message is affected. The state and policy dump builders +already zero the whole message buffer before filling the sockaddr +payloads. Keep the fix to the export paths that still append aligned +sockaddr payloads with plain `skb_put()`: + + - `SADB_ACQUIRE` + - `SADB_X_NAT_T_NEW_MAPPING` + - `SADB_X_MIGRATE` + +Fix those paths by clearing only the aligned sockaddr tail after +`pfkey_sockaddr_fill()`. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Fixes: 08de61beab8a ("[PFKEYV2]: Extension for dynamic update of endpoint address(es)") +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Tested-by: Xiao Liu +Signed-off-by: Zhengchuan Liang +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/key/af_key.c | 52 +++++++++++++++++++++++++++++++----------------- + 1 file changed, 34 insertions(+), 18 deletions(-) + +diff --git a/net/key/af_key.c b/net/key/af_key.c +index 6d7848b824d9b..f4ad0239b7209 100644 +--- a/net/key/af_key.c ++++ b/net/key/af_key.c +@@ -757,6 +757,22 @@ static unsigned int pfkey_sockaddr_fill(const xfrm_address_t *xaddr, __be16 port + return 0; + } + ++static unsigned int pfkey_sockaddr_fill_zero_tail(const xfrm_address_t *xaddr, ++ __be16 port, ++ struct sockaddr *sa, ++ unsigned short family) ++{ ++ unsigned int prefixlen; ++ int sockaddr_len = pfkey_sockaddr_len(family); ++ int sockaddr_size = pfkey_sockaddr_size(family); ++ ++ prefixlen = pfkey_sockaddr_fill(xaddr, port, sa, family); ++ if (sockaddr_size > sockaddr_len) ++ memset((u8 *)sa + sockaddr_len, 0, sockaddr_size - sockaddr_len); ++ ++ return prefixlen; ++} ++ + static struct sk_buff *__pfkey_xfrm_state2msg(const struct xfrm_state *x, + int add_keys, int hsc) + { +@@ -3206,9 +3222,9 @@ static int pfkey_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *t, struct + addr->sadb_address_proto = 0; + addr->sadb_address_reserved = 0; + addr->sadb_address_prefixlen = +- pfkey_sockaddr_fill(&x->props.saddr, 0, +- (struct sockaddr *) (addr + 1), +- x->props.family); ++ pfkey_sockaddr_fill_zero_tail(&x->props.saddr, 0, ++ (struct sockaddr *)(addr + 1), ++ x->props.family); + if (!addr->sadb_address_prefixlen) + BUG(); + +@@ -3221,9 +3237,9 @@ static int pfkey_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *t, struct + addr->sadb_address_proto = 0; + addr->sadb_address_reserved = 0; + addr->sadb_address_prefixlen = +- pfkey_sockaddr_fill(&x->id.daddr, 0, +- (struct sockaddr *) (addr + 1), +- x->props.family); ++ pfkey_sockaddr_fill_zero_tail(&x->id.daddr, 0, ++ (struct sockaddr *)(addr + 1), ++ x->props.family); + if (!addr->sadb_address_prefixlen) + BUG(); + +@@ -3421,9 +3437,9 @@ static int pfkey_send_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, + addr->sadb_address_proto = 0; + addr->sadb_address_reserved = 0; + addr->sadb_address_prefixlen = +- pfkey_sockaddr_fill(&x->props.saddr, 0, +- (struct sockaddr *) (addr + 1), +- x->props.family); ++ pfkey_sockaddr_fill_zero_tail(&x->props.saddr, 0, ++ (struct sockaddr *)(addr + 1), ++ x->props.family); + if (!addr->sadb_address_prefixlen) + BUG(); + +@@ -3443,9 +3459,9 @@ static int pfkey_send_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, + addr->sadb_address_proto = 0; + addr->sadb_address_reserved = 0; + addr->sadb_address_prefixlen = +- pfkey_sockaddr_fill(ipaddr, 0, +- (struct sockaddr *) (addr + 1), +- x->props.family); ++ pfkey_sockaddr_fill_zero_tail(ipaddr, 0, ++ (struct sockaddr *)(addr + 1), ++ x->props.family); + if (!addr->sadb_address_prefixlen) + BUG(); + +@@ -3474,15 +3490,15 @@ static int set_sadb_address(struct sk_buff *skb, int sasize, int type, + switch (type) { + case SADB_EXT_ADDRESS_SRC: + addr->sadb_address_prefixlen = sel->prefixlen_s; +- pfkey_sockaddr_fill(&sel->saddr, 0, +- (struct sockaddr *)(addr + 1), +- sel->family); ++ pfkey_sockaddr_fill_zero_tail(&sel->saddr, 0, ++ (struct sockaddr *)(addr + 1), ++ sel->family); + break; + case SADB_EXT_ADDRESS_DST: + addr->sadb_address_prefixlen = sel->prefixlen_d; +- pfkey_sockaddr_fill(&sel->daddr, 0, +- (struct sockaddr *)(addr + 1), +- sel->family); ++ pfkey_sockaddr_fill_zero_tail(&sel->daddr, 0, ++ (struct sockaddr *)(addr + 1), ++ sel->family); + break; + default: + return -EINVAL; +-- +2.53.0 + diff --git a/queue-6.12/series b/queue-6.12/series index ad80bcb142..b892e62d23 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -19,3 +19,4 @@ iommu-amd-use-atomic64_inc_return-in-iommu.c.patch iommu-amd-serialize-sequence-allocation-under-concur.patch flow_dissector-do-not-dissect-pppoe-pfc-frames.patch net-txgbe-fix-rtnl-assertion-warning-when-remove-mod.patch +net-af_key-zero-aligned-sockaddr-tail-in-pf_key-expo.patch diff --git a/queue-6.18/net-af_key-zero-aligned-sockaddr-tail-in-pf_key-expo.patch b/queue-6.18/net-af_key-zero-aligned-sockaddr-tail-in-pf_key-expo.patch new file mode 100644 index 0000000000..5f1b08f7f5 --- /dev/null +++ b/queue-6.18/net-af_key-zero-aligned-sockaddr-tail-in-pf_key-expo.patch @@ -0,0 +1,145 @@ +From ddef6f80f07aeb0f339ab9d7a75bba48469ce047 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 22 Mar 2026 11:46:08 -0700 +Subject: net: af_key: zero aligned sockaddr tail in PF_KEY exports + +From: Zhengchuan Liang + +[ Upstream commit 426c355742f02cf743b347d9d7dbdc1bfbfa31ef ] + +PF_KEY export paths use `pfkey_sockaddr_size()` when reserving sockaddr +payload space, so IPv6 addresses occupy 32 bytes on the wire. However, +`pfkey_sockaddr_fill()` initializes only the first 28 bytes of +`struct sockaddr_in6`, leaving the final 4 aligned bytes uninitialized. + +Not every PF_KEY message is affected. The state and policy dump builders +already zero the whole message buffer before filling the sockaddr +payloads. Keep the fix to the export paths that still append aligned +sockaddr payloads with plain `skb_put()`: + + - `SADB_ACQUIRE` + - `SADB_X_NAT_T_NEW_MAPPING` + - `SADB_X_MIGRATE` + +Fix those paths by clearing only the aligned sockaddr tail after +`pfkey_sockaddr_fill()`. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Fixes: 08de61beab8a ("[PFKEYV2]: Extension for dynamic update of endpoint address(es)") +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Tested-by: Xiao Liu +Signed-off-by: Zhengchuan Liang +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/key/af_key.c | 52 +++++++++++++++++++++++++++++++----------------- + 1 file changed, 34 insertions(+), 18 deletions(-) + +diff --git a/net/key/af_key.c b/net/key/af_key.c +index ceaa82bc78acc..e01939ab81039 100644 +--- a/net/key/af_key.c ++++ b/net/key/af_key.c +@@ -757,6 +757,22 @@ static unsigned int pfkey_sockaddr_fill(const xfrm_address_t *xaddr, __be16 port + return 0; + } + ++static unsigned int pfkey_sockaddr_fill_zero_tail(const xfrm_address_t *xaddr, ++ __be16 port, ++ struct sockaddr *sa, ++ unsigned short family) ++{ ++ unsigned int prefixlen; ++ int sockaddr_len = pfkey_sockaddr_len(family); ++ int sockaddr_size = pfkey_sockaddr_size(family); ++ ++ prefixlen = pfkey_sockaddr_fill(xaddr, port, sa, family); ++ if (sockaddr_size > sockaddr_len) ++ memset((u8 *)sa + sockaddr_len, 0, sockaddr_size - sockaddr_len); ++ ++ return prefixlen; ++} ++ + static struct sk_buff *__pfkey_xfrm_state2msg(const struct xfrm_state *x, + int add_keys, int hsc) + { +@@ -3206,9 +3222,9 @@ static int pfkey_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *t, struct + addr->sadb_address_proto = 0; + addr->sadb_address_reserved = 0; + addr->sadb_address_prefixlen = +- pfkey_sockaddr_fill(&x->props.saddr, 0, +- (struct sockaddr *) (addr + 1), +- x->props.family); ++ pfkey_sockaddr_fill_zero_tail(&x->props.saddr, 0, ++ (struct sockaddr *)(addr + 1), ++ x->props.family); + if (!addr->sadb_address_prefixlen) + BUG(); + +@@ -3221,9 +3237,9 @@ static int pfkey_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *t, struct + addr->sadb_address_proto = 0; + addr->sadb_address_reserved = 0; + addr->sadb_address_prefixlen = +- pfkey_sockaddr_fill(&x->id.daddr, 0, +- (struct sockaddr *) (addr + 1), +- x->props.family); ++ pfkey_sockaddr_fill_zero_tail(&x->id.daddr, 0, ++ (struct sockaddr *)(addr + 1), ++ x->props.family); + if (!addr->sadb_address_prefixlen) + BUG(); + +@@ -3421,9 +3437,9 @@ static int pfkey_send_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, + addr->sadb_address_proto = 0; + addr->sadb_address_reserved = 0; + addr->sadb_address_prefixlen = +- pfkey_sockaddr_fill(&x->props.saddr, 0, +- (struct sockaddr *) (addr + 1), +- x->props.family); ++ pfkey_sockaddr_fill_zero_tail(&x->props.saddr, 0, ++ (struct sockaddr *)(addr + 1), ++ x->props.family); + if (!addr->sadb_address_prefixlen) + BUG(); + +@@ -3443,9 +3459,9 @@ static int pfkey_send_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, + addr->sadb_address_proto = 0; + addr->sadb_address_reserved = 0; + addr->sadb_address_prefixlen = +- pfkey_sockaddr_fill(ipaddr, 0, +- (struct sockaddr *) (addr + 1), +- x->props.family); ++ pfkey_sockaddr_fill_zero_tail(ipaddr, 0, ++ (struct sockaddr *)(addr + 1), ++ x->props.family); + if (!addr->sadb_address_prefixlen) + BUG(); + +@@ -3474,15 +3490,15 @@ static int set_sadb_address(struct sk_buff *skb, int sasize, int type, + switch (type) { + case SADB_EXT_ADDRESS_SRC: + addr->sadb_address_prefixlen = sel->prefixlen_s; +- pfkey_sockaddr_fill(&sel->saddr, 0, +- (struct sockaddr *)(addr + 1), +- sel->family); ++ pfkey_sockaddr_fill_zero_tail(&sel->saddr, 0, ++ (struct sockaddr *)(addr + 1), ++ sel->family); + break; + case SADB_EXT_ADDRESS_DST: + addr->sadb_address_prefixlen = sel->prefixlen_d; +- pfkey_sockaddr_fill(&sel->daddr, 0, +- (struct sockaddr *)(addr + 1), +- sel->family); ++ pfkey_sockaddr_fill_zero_tail(&sel->daddr, 0, ++ (struct sockaddr *)(addr + 1), ++ sel->family); + break; + default: + return -EINVAL; +-- +2.53.0 + diff --git a/queue-6.18/series b/queue-6.18/series index 45f5c841ea..f0229e7394 100644 --- a/queue-6.18/series +++ b/queue-6.18/series @@ -18,3 +18,4 @@ ceph-fix-num_ops-off-by-one-when-crypto-allocation-f.patch flow_dissector-do-not-dissect-pppoe-pfc-frames.patch mptcp-sync-the-msk-sndbuf-at-accept-time.patch smb-client-smbdirect-fix-mr-registration-for-coalesc.patch +net-af_key-zero-aligned-sockaddr-tail-in-pf_key-expo.patch diff --git a/queue-6.6/dmaengine-idxd-fix-crash-when-the-event-log-is-disab.patch b/queue-6.6/dmaengine-idxd-fix-crash-when-the-event-log-is-disab.patch new file mode 100644 index 0000000000..39db0438ed --- /dev/null +++ b/queue-6.6/dmaengine-idxd-fix-crash-when-the-event-log-is-disab.patch @@ -0,0 +1,46 @@ +From 0e9d0478e41a4b16cbc05232b72bf6a677aaef3f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 May 2026 15:48:21 +0800 +Subject: dmaengine: idxd: Fix crash when the event log is disabled + +From: Vinicius Costa Gomes + +[ Upstream commit 52d2edea0d63c935e82631e4b9e4a94eccf97b5b ] + +If reporting errors to the event log is not supported by the hardware, +and an error that causes Function Level Reset (FLR) is received, the +driver will try to restore the event log even if it was not allocated. + +Also, only try to free the event log if it was properly allocated. + +Fixes: 6078a315aec1 ("dmaengine: idxd: Add idxd_device_config_save() and idxd_device_config_restore() helpers") +Reviewed-by: Dave Jiang +Signed-off-by: Vinicius Costa Gomes +Link: https://patch.msgid.link/20260121-idxd-fix-flr-on-kernel-queues-v3-v3-2-7ed70658a9d1@intel.com +Signed-off-by: Vinod Koul +[ Only the idxd_device_evl_free() NULL check portion was backported in v6.6. +idxd_device_config_restore() does not exist in v6.6. It was introduced +in 6.14. ] +Signed-off-by: Wenshan Lan +Signed-off-by: Sasha Levin +--- + drivers/dma/idxd/device.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/dma/idxd/device.c b/drivers/dma/idxd/device.c +index 44bbeb3acd14e..e769e1f0d28b2 100644 +--- a/drivers/dma/idxd/device.c ++++ b/drivers/dma/idxd/device.c +@@ -810,6 +810,9 @@ static void idxd_device_evl_free(struct idxd_device *idxd) + struct device *dev = &idxd->pdev->dev; + struct idxd_evl *evl = idxd->evl; + ++ if (!evl) ++ return; ++ + gencfg.bits = ioread32(idxd->reg_base + IDXD_GENCFG_OFFSET); + if (!gencfg.evl_en) + return; +-- +2.53.0 + diff --git a/queue-6.6/dmaengine-idxd-fix-leaking-event-log-memory.patch b/queue-6.6/dmaengine-idxd-fix-leaking-event-log-memory.patch new file mode 100644 index 0000000000..eb9f01c001 --- /dev/null +++ b/queue-6.6/dmaengine-idxd-fix-leaking-event-log-memory.patch @@ -0,0 +1,47 @@ +From 8aad73437c30a27158edd5bdb5145bf88d13727f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 May 2026 15:48:22 +0800 +Subject: dmaengine: idxd: Fix leaking event log memory + +From: Vinicius Costa Gomes + +[ Upstream commit ee66bc29578391c9b48523dc9119af67bd5c7c0f ] + +During the device remove process, the device is reset, causing the +configuration registers to go back to their default state, which is +zero. As the driver is checking if the event log support was enabled +before deallocating, it will fail if a reset happened before. + +Do not check if the support was enabled, the check for 'idxd->evl' +being valid (only allocated if the HW capability is available) is +enough. + +Fixes: 244da66cda35 ("dmaengine: idxd: setup event log configuration") +Reviewed-by: Dave Jiang +Signed-off-by: Vinicius Costa Gomes +Link: https://patch.msgid.link/20260121-idxd-fix-flr-on-kernel-queues-v3-v3-10-7ed70658a9d1@intel.com +Signed-off-by: Vinod Koul +Signed-off-by: Wenshan Lan +Signed-off-by: Sasha Levin +--- + drivers/dma/idxd/device.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/dma/idxd/device.c b/drivers/dma/idxd/device.c +index e769e1f0d28b2..13af4ef2f43f0 100644 +--- a/drivers/dma/idxd/device.c ++++ b/drivers/dma/idxd/device.c +@@ -813,10 +813,6 @@ static void idxd_device_evl_free(struct idxd_device *idxd) + if (!evl) + return; + +- gencfg.bits = ioread32(idxd->reg_base + IDXD_GENCFG_OFFSET); +- if (!gencfg.evl_en) +- return; +- + mutex_lock(&evl->lock); + gencfg.evl_en = 0; + iowrite32(gencfg.bits, idxd->reg_base + IDXD_GENCFG_OFFSET); +-- +2.53.0 + diff --git a/queue-6.6/series b/queue-6.6/series index a602835c1f..15fb56de43 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -165,3 +165,5 @@ iommu-amd-serialize-sequence-allocation-under-concur.patch net-fix-icmp-host-relookup-triggering-ip_rt_bug.patch flow_dissector-do-not-dissect-pppoe-pfc-frames.patch net-txgbe-fix-rtnl-assertion-warning-when-remove-mod.patch +dmaengine-idxd-fix-crash-when-the-event-log-is-disab.patch +dmaengine-idxd-fix-leaking-event-log-memory.patch