From: Greg Kroah-Hartman
Date: Thu, 24 Apr 2025 15:29:32 +0000 (+0200)
Subject: drop net-sched-act_mirred-don-t-override-retval-if-we-already-lost-the-skb.patch...
X-Git-Tag: v6.1.135~6
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8667a2cc8397a4f1aaa9a2a2e550c4b192517c36;p=thirdparty%2Fkernel%2Fstable-queue.git
drop net-sched-act_mirred-don-t-override-retval-if-we-already-lost-the-skb.patch from everywhere
---
diff --git a/queue-5.10/net-sched-act_mirred-don-t-override-retval-if-we-already-lost-the-skb.patch b/queue-5.10/net-sched-act_mirred-don-t-override-retval-if-we-already-lost-the-skb.patch
deleted file mode 100644
index a126f18ec8..0000000000
--- a/queue-5.10/net-sched-act_mirred-don-t-override-retval-if-we-already-lost-the-skb.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From 166c2c8a6a4dc2e4ceba9e10cfe81c3e469e3210 Mon Sep 17 00:00:00 2001
-From: Jakub Kicinski
-Date: Thu, 15 Feb 2024 06:33:46 -0800
-Subject: net/sched: act_mirred: don't override retval if we already lost the skb
-
-From: Jakub Kicinski
-
-commit 166c2c8a6a4dc2e4ceba9e10cfe81c3e469e3210 upstream.
-
-If we're redirecting the skb, and haven't called tcf_mirred_forward(),
-yet, we need to tell the core to drop the skb by setting the retcode
-to SHOT. If we have called tcf_mirred_forward(), however, the skb
-is out of our hands and returning SHOT will lead to UaF.
-
-Move the retval override to the error path which actually need it.
-
-Reviewed-by: Michal Swiatkowski
-Fixes: e5cf1baf92cb ("act_mirred: use TC_ACT_REINSERT when possible")
-Signed-off-by: Jakub Kicinski
-Acked-by: Jamal Hadi Salim
-Signed-off-by: David S. Miller
-[Minor conflict resolved due to code context change.]
-Signed-off-by: Jianqi Ren
-Signed-off-by: He Zhe
-Signed-off-by: Greg Kroah-Hartman
----
- net/sched/act_mirred.c | 20 ++++++++++++--------
- 1 file changed, 12 insertions(+), 8 deletions(-)
-
---- a/net/sched/act_mirred.c
-+++ b/net/sched/act_mirred.c
-@@ -260,13 +260,13 @@ static int tcf_mirred_act(struct sk_buff
- dev = rcu_dereference_bh(m->tcfm_dev);
- if (unlikely(!dev)) {
- pr_notice_once("tc mirred: target device is gone\n");
-- goto out;
-+ goto err_cant_do;
- }
-
- if (unlikely(!(dev->flags & IFF_UP)) || !netif_carrier_ok(dev)) {
- net_notice_ratelimited("tc mirred to Houston: device %s is down\n",
- dev->name);
-- goto out;
-+ goto err_cant_do;
- }
-
- /* we could easily avoid the clone only if called by ingress and clsact;
-@@ -280,7 +280,7 @@ static int tcf_mirred_act(struct sk_buff
- if (!use_reinsert) {
- skb2 = skb_clone(skb, GFP_ATOMIC);
- if (!skb2)
-- goto out;
-+ goto err_cant_do;
- }
-
- want_ingress = tcf_mirred_act_wants_ingress(m_eaction);
-@@ -323,12 +323,16 @@ static int tcf_mirred_act(struct sk_buff
- }
-
- err = tcf_mirred_forward(want_ingress, 
skb2);
-- if (err) {
--out:
-+ if (err)
- tcf_action_inc_overlimit_qstats(&m->common);
-- if (tcf_mirred_is_act_redirect(m_eaction))
-- retval = TC_ACT_SHOT;
-- }
-+ __this_cpu_dec(mirred_nest_level);
-+
-+ return retval;
-+
-+err_cant_do:
-+ if (is_redirect)
-+ retval = TC_ACT_SHOT;
-+ tcf_action_inc_overlimit_qstats(&m->common);
- __this_cpu_dec(mirred_nest_level);
-
- return retval;
diff --git a/queue-5.10/series b/queue-5.10/series
index ccc4b0a0e4..6aec8ff766 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -188,5 +188,4 @@ mm-fix-apply_to_existing_page_range.patch
 drivers-staging-rtl8723bs-fix-deadlock-in-rtw_surveydone_event_callback.patch
 s390-dasd-fix-double-module-refcount-decrement.patch
 pmdomain-ti-add-a-null-pointer-check-to-the-omap_prm_domain_init.patch
-net-sched-act_mirred-don-t-override-retval-if-we-already-lost-the-skb.patch
 drivers-staging-rtl8723bs-fix-locking-in-rtw_scan_timeout_handler.patch
diff --git a/queue-5.15/net-sched-act_mirred-don-t-override-retval-if-we-already-lost-the-skb.patch b/queue-5.15/net-sched-act_mirred-don-t-override-retval-if-we-already-lost-the-skb.patch
deleted file mode 100644
index 8b19d005ff..0000000000
--- a/queue-5.15/net-sched-act_mirred-don-t-override-retval-if-we-already-lost-the-skb.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From 166c2c8a6a4dc2e4ceba9e10cfe81c3e469e3210 Mon Sep 17 00:00:00 2001
-From: Jakub Kicinski
-Date: Thu, 15 Feb 2024 06:33:46 -0800
-Subject: net/sched: act_mirred: don't override retval if we already lost the skb
-
-From: Jakub Kicinski
-
-commit 166c2c8a6a4dc2e4ceba9e10cfe81c3e469e3210 upstream.
-
-If we're redirecting the skb, and haven't called tcf_mirred_forward(),
-yet, we need to tell the core to drop the skb by setting the retcode
-to SHOT. If we have called tcf_mirred_forward(), however, the skb
-is out of our hands and returning SHOT will lead to UaF.
-
-Move the retval override to the error path which actually need it.
-
-Reviewed-by: Michal Swiatkowski
-Fixes: e5cf1baf92cb ("act_mirred: use TC_ACT_REINSERT when possible")
-Signed-off-by: Jakub Kicinski
-Acked-by: Jamal Hadi Salim
-Signed-off-by: David S. Miller
-[Minor conflict resolved due to code context change.]
-Signed-off-by: Jianqi Ren
-Signed-off-by: He Zhe
-Signed-off-by: Greg Kroah-Hartman
----
- net/sched/act_mirred.c | 20 ++++++++++++--------
- 1 file changed, 12 insertions(+), 8 deletions(-)
-
---- a/net/sched/act_mirred.c
-+++ b/net/sched/act_mirred.c
-@@ -258,13 +258,13 @@ static int tcf_mirred_act(struct sk_buff
- dev = rcu_dereference_bh(m->tcfm_dev);
- if (unlikely(!dev)) {
- pr_notice_once("tc mirred: target device is gone\n");
-- goto out;
-+ goto err_cant_do;
- }
-
- if (unlikely(!(dev->flags & IFF_UP)) || !netif_carrier_ok(dev)) {
- net_notice_ratelimited("tc mirred to Houston: device %s is down\n",
- dev->name);
-- goto out;
-+ goto err_cant_do;
- }
-
- /* we could easily avoid the clone only if called by ingress and clsact;
-@@ -278,7 +278,7 @@ static int tcf_mirred_act(struct sk_buff
- if (!use_reinsert) {
- skb2 = skb_clone(skb, GFP_ATOMIC);
- if (!skb2)
-- goto out;
-+ goto err_cant_do;
- }
-
- want_ingress = tcf_mirred_act_wants_ingress(m_eaction);
-@@ -321,12 +321,16 @@ static int tcf_mirred_act(struct sk_buff
- }
-
- err = tcf_mirred_forward(want_ingress, 
skb2);
-- if (err) {
--out:
-+ if (err)
- tcf_action_inc_overlimit_qstats(&m->common);
-- if (tcf_mirred_is_act_redirect(m_eaction))
-- retval = TC_ACT_SHOT;
-- }
-+ __this_cpu_dec(mirred_nest_level);
-+
-+ return retval;
-+
-+err_cant_do:
-+ if (is_redirect)
-+ retval = TC_ACT_SHOT;
-+ tcf_action_inc_overlimit_qstats(&m->common);
- __this_cpu_dec(mirred_nest_level);
-
- return retval;
diff --git a/queue-5.15/series b/queue-5.15/series
index 662fc8a017..f74f123c4e 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -249,6 +249,5 @@ fs-proc-do_task_stat-use-sig-stats_lock-to-gather-the-threads-children-stats.pat
 mm-fix-apply_to_existing_page_range.patch
 f2fs-check-validation-of-fault-attrs-in-f2fs_build_fault_attr.patch
 pmdomain-ti-add-a-null-pointer-check-to-the-omap_prm_domain_init.patch
-net-sched-act_mirred-don-t-override-retval-if-we-already-lost-the-skb.patch
 scsi-lpfc-fix-null-pointer-dereference-after-failing-to-issue-flogi-and-plogi.patch
 f2fs-add-inline-to-f2fs_build_fault_attr-stub.patch
diff --git a/queue-6.1/net-sched-act_mirred-don-t-override-retval-if-we-already-lost-the-skb.patch b/queue-6.1/net-sched-act_mirred-don-t-override-retval-if-we-already-lost-the-skb.patch
deleted file mode 100644
index 51f8739068..0000000000
--- a/queue-6.1/net-sched-act_mirred-don-t-override-retval-if-we-already-lost-the-skb.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From 166c2c8a6a4dc2e4ceba9e10cfe81c3e469e3210 Mon Sep 17 00:00:00 2001
-From: Jakub Kicinski
-Date: Thu, 15 Feb 2024 06:33:46 -0800
-Subject: net/sched: act_mirred: don't override retval if we already lost the skb
-
-From: Jakub Kicinski
-
-commit 166c2c8a6a4dc2e4ceba9e10cfe81c3e469e3210 upstream.
-
-If we're redirecting the skb, and haven't called tcf_mirred_forward(),
-yet, we need to tell the core to drop the skb by setting the retcode
-to SHOT. If we have called tcf_mirred_forward(), however, the skb
-is out of our hands and returning SHOT will lead to UaF.
-
-Move the retval override to the error path which actually need it.
-
-Reviewed-by: Michal Swiatkowski
-Fixes: e5cf1baf92cb ("act_mirred: use TC_ACT_REINSERT when possible")
-Signed-off-by: Jakub Kicinski
-Acked-by: Jamal Hadi Salim
-Signed-off-by: David S. Miller
-[Minor conflict resolved due to code context change.]
-Signed-off-by: Jianqi Ren
-Signed-off-by: He Zhe
-Signed-off-by: Greg Kroah-Hartman
----
- net/sched/act_mirred.c | 20 ++++++++++++--------
- 1 file changed, 12 insertions(+), 8 deletions(-)
-
---- a/net/sched/act_mirred.c
-+++ b/net/sched/act_mirred.c
-@@ -259,13 +259,13 @@ static int tcf_mirred_act(struct sk_buff
- dev = rcu_dereference_bh(m->tcfm_dev);
- if (unlikely(!dev)) {
- pr_notice_once("tc mirred: target device is gone\n");
-- goto out;
-+ goto err_cant_do;
- }
-
- if (unlikely(!(dev->flags & IFF_UP)) || !netif_carrier_ok(dev)) {
- net_notice_ratelimited("tc mirred to Houston: device %s is down\n",
- dev->name);
-- goto out;
-+ goto err_cant_do;
- }
-
- /* we could easily avoid the clone only if called by ingress and clsact;
-@@ -279,7 +279,7 @@ static int tcf_mirred_act(struct sk_buff
- if (!use_reinsert) {
- skb2 = skb_clone(skb, GFP_ATOMIC);
- if (!skb2)
-- goto out;
-+ goto err_cant_do;
- }
-
- want_ingress = tcf_mirred_act_wants_ingress(m_eaction);
-@@ -321,12 +321,16 @@ static int tcf_mirred_act(struct sk_buff
- }
-
- err = tcf_mirred_forward(want_ingress, 
skb2);
-- if (err) {
--out:
-+ if (err)
- tcf_action_inc_overlimit_qstats(&m->common);
-- if (tcf_mirred_is_act_redirect(m_eaction))
-- retval = TC_ACT_SHOT;
-- }
-+ __this_cpu_dec(mirred_nest_level);
-+
-+ return retval;
-+
-+err_cant_do:
-+ if (is_redirect)
-+ retval = TC_ACT_SHOT;
-+ tcf_action_inc_overlimit_qstats(&m->common);
- __this_cpu_dec(mirred_nest_level);
-
- return retval;
diff --git a/queue-6.1/series b/queue-6.1/series
index b5b9f2d6f4..330fab9480 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -276,7 +276,6 @@ revert-loongarch-bpf-fix-off-by-one-error-in-build_prologue.patch
 nvmet-fc-remove-unused-functions.patch
 smb-server-fix-potential-null-ptr-deref-of-lease_ctx_info-in-smb2_open.patch
 cifs-use-origin-fullpath-for-automounts.patch
-net-sched-act_mirred-don-t-override-retval-if-we-already-lost-the-skb.patch
 btrfs-fix-the-length-of-reserved-qgroup-to-free.patch
 bpf-avoid-holding-freeze_mutex-during-mmap-operation.patch
 bpf-prevent-tail-call-between-progs-attached-to-different-hooks.patch