From: Greg Kroah-Hartman Date: Thu, 25 Jun 2026 11:43:54 +0000 (+0100) Subject: 6.1-stable patches X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a2812e209d63754be9b8ab622d993871d35700a4;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: dlm-prevent-npd-when-writing-a-positive-value-to-event_done.patch netfilter-nf_tables-always-walk-all-pending-catchall-elements.patch
---
diff --git a/queue-6.1/dlm-prevent-npd-when-writing-a-positive-value-to-event_done.patch b/queue-6.1/dlm-prevent-npd-when-writing-a-positive-value-to-event_done.patch
new file mode 100644
index 0000000000..9e0996a131
--- /dev/null
+++ b/queue-6.1/dlm-prevent-npd-when-writing-a-positive-value-to-event_done.patch
@@ -0,0 +1,42 @@
+From 8e2bad543eca5c25cd02cbc63d72557934d45f13 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo
+Date: Mon, 10 Feb 2025 13:16:22 -0600
+Subject: dlm: prevent NPD when writing a positive value to event_done
+
+From: Thadeu Lima de Souza Cascardo
+
+commit 8e2bad543eca5c25cd02cbc63d72557934d45f13 upstream.
+
+do_uevent returns the value written to event_done. In case it is a
+positive value, new_lockspace would undo all the work, and lockspace
+would not be set. __dlm_new_lockspace, however, would treat that
+positive value as a success due to commit 8511a2728ab8 ("dlm: fix use
+count with multiple joins").
+
+Down the line, device_create_lockspace would pass that NULL lockspace to
+dlm_find_lockspace_local, leading to a NULL pointer dereference.
+
+Treating such positive values as successes prevents the problem. Given
+this has been broken for so long, this is unlikely to break userspace
+expectations.
+
+Fixes: 8511a2728ab8 ("dlm: fix use count with multiple joins")
+Signed-off-by: Thadeu Lima de Souza Cascardo
+Signed-off-by: David Teigland
+Signed-off-by: Nazar Kalashnikov
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/dlm/lockspace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/dlm/lockspace.c
++++ b/fs/dlm/lockspace.c
+@@ -657,7 +657,7 @@ static int new_lockspace(const char *nam
+ lockspace to start running (via sysfs) in dlm_ls_start(). */
+
+ error = do_uevent(ls, 1);
+- if (error)
++ if (error < 0)
+ goto out_recoverd;
+
+ /* wait until recovery is successful or failed */
diff --git a/queue-6.1/netfilter-nf_tables-always-walk-all-pending-catchall-elements.patch b/queue-6.1/netfilter-nf_tables-always-walk-all-pending-catchall-elements.patch
new file mode 100644
index 0000000000..d06b057930
--- /dev/null
+++ b/queue-6.1/netfilter-nf_tables-always-walk-all-pending-catchall-elements.patch
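Review bot: The new `if (error < 0)` test in new_lockspace() lets a positive do_uevent() result through, and nothing at the check says that this value comes from a userspace write to event_done. I would add a comment above it, for example `/* do_uevent() returns what userspace wrote to event_done; only negative values are errors */`, so the sign test is not later simplified back to `if (error)`. The positive value is still held in `error` after this line and the function continues outside the hunk, so it is worth confirming in the 6.1 tree that `error` is reassigned before any later `goto` or return; otherwise the positive-return path that the commit message describes for __dlm_new_lockspace would remain reachable. The backporter's Signed-off-by carries no bracketed note, which presumably means a clean cherry-pick, and stating that would help.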
@@ -0,0 +1,54 @@
+From 7cb9a23d7ae40a702577d3d8bacb7026f04ac2a9 Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Thu, 5 Mar 2026 21:32:00 +0100
+Subject: netfilter: nf_tables: always walk all pending catchall elements
+
+From: Florian Westphal
+
+commit 7cb9a23d7ae40a702577d3d8bacb7026f04ac2a9 upstream.
+
+During transaction processing we might have more than one catchall element:
+1 live catchall element and 1 pending element that is coming as part of the
+new batch.
+
+If the map holding the catchall elements is also going away, its
+required to toggle all catchall elements and not just the first viable
+candidate.
+
+Otherwise, we get:
+ WARNING: ./include/net/netfilter/nf_tables.h:1281 at nft_data_release+0xb7/0xe0 [nf_tables], CPU#2: nft/1404
+ RIP: 0010:nft_data_release+0xb7/0xe0 [nf_tables]
+ [..]
+ __nft_set_elem_destroy+0x106/0x380 [nf_tables]
+ nf_tables_abort_release+0x348/0x8d0 [nf_tables]
+ nf_tables_abort+0xcf2/0x3ac0 [nf_tables]
+ nfnetlink_rcv_batch+0x9c9/0x20e0 [..]
+
+Fixes: 628bd3e49cba ("netfilter: nf_tables: drop map element references from preparation phase")
+Reported-by: Yiming Qian
+Signed-off-by: Florian Westphal
+[ Shivani: Modified to apply on v6.6.y-v6.1.y ]
+Signed-off-by: Shivani Agarwal
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nf_tables_api.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -627,7 +627,6 @@ static void nft_map_catchall_deactivate(
+ elem.priv = catchall->elem;
+ nft_set_elem_change_active(ctx->net, set, ext);
+ nft_setelem_data_deactivate(ctx->net, set, &elem);
+- break;
+ }
+ }
+
+@@ -5267,7 +5266,6 @@ static void nft_map_catchall_activate(co
+ nft_clear(ctx->net, ext);
+ elem.priv = catchall->elem;
+ nft_setelem_data_activate(ctx->net, set, &elem);
+- break;
+ }
+ }
+
diff --git a/queue-6.1/series b/queue-6.1/series
index d84e75f0e8..35b91df49b 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
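Review bot: With both `break` statements removed, the loops in nft_map_catchall_deactivate() and nft_map_catchall_activate() rely entirely on the per-element filter that precedes the toggled lines, and that filter lies outside both hunks. The backport tag `[ Shivani: Modified to apply on v6.6.y-v6.1.y ]` does not say what was adapted, so it is worth checking that the 6.1 loops skip elements the same way upstream does. If they do not, walking every catchall element could toggle one that should be left alone, which would presumably produce the same kind of reference imbalance that the nft_data_release WARNING in the commit message reports. A short comment in each loop, for example `/* a live and a pending catchall element can coexist in a transaction: toggle all of them, do not stop at the first */`, would keep the early exit from being reintroduced.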
@@ -35,3 +35,5 @@ agp-amd64-fix-broken-error-propagation-in-agp_amd64_probe.patch
 af_unix-reject-siocatmark-on-non-stream-sockets.patch
 ring-buffer-remove-ring_buffer_read_prepare_sync.patch
 regulator-core-fix-locking-in-regulator_resolve_supply-error-path.patch
+dlm-prevent-npd-when-writing-a-positive-value-to-event_done.patch
+netfilter-nf_tables-always-walk-all-pending-catchall-elements.patch