From: Greg Kroah-Hartman Date: Thu, 18 Dec 2025 12:17:17 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v6.12.63~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a81932b3b89df255923119f1f4d178d8a88d5856;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: i3c-fix-uninitialized-variable-use-in-i2c-setup.patch netfilter-nf_conncount-garbage-collection-is-not-skipped-when-jiffies-wrap-around.patch netfilter-nft_connlimit-memleak-if-nf_ct_netns_get-fails.patch nfs-fix-missing-unlock-in-nfs_unlink.patch
---
diff --git a/queue-5.10/i3c-fix-uninitialized-variable-use-in-i2c-setup.patch b/queue-5.10/i3c-fix-uninitialized-variable-use-in-i2c-setup.patch
new file mode 100644
index 0000000000..dc2666f4c2
--- /dev/null
+++ b/queue-5.10/i3c-fix-uninitialized-variable-use-in-i2c-setup.patch
@@ -0,0 +1,45 @@
+From 6cbf8b38dfe3aabe330f2c356949bc4d6a1f034f Mon Sep 17 00:00:00 2001
+From: Jamie Iles
+Date: Tue, 8 Mar 2022 13:42:26 +0000
+Subject: i3c: fix uninitialized variable use in i2c setup
+
+From: Jamie Iles
+
+commit 6cbf8b38dfe3aabe330f2c356949bc4d6a1f034f upstream.
+
+Commit 31b9887c7258 ("i3c: remove i2c board info from i2c_dev_desc")
+removed the boardinfo from i2c_dev_desc to decouple device enumeration from
+setup but did not correctly lookup the i2c_dev_desc to store the new
+device, instead dereferencing an uninitialized variable.
+
+Lookup the device that has already been registered by address to store
+the i2c client device.
+
+Fixes: 31b9887c7258 ("i3c: remove i2c board info from i2c_dev_desc")
+Reported-by: kernel test robot
+Cc: Alexandre Belloni
+Signed-off-by: Jamie Iles
+Signed-off-by: Alexandre Belloni
+Link: https://lore.kernel.org/r/20220308134226.1042367-1-quic_jiles@quicinc.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/i3c/master.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/i3c/master.c
++++ b/drivers/i3c/master.c
+@@ -2364,8 +2364,13 @@ static int i3c_master_i2c_adapter_init(s
+ * We silently ignore failures here. The bus should keep working
+ * correctly even if one or more i2c devices are not registered.
+ */
+- list_for_each_entry(i2cboardinfo, &master->boardinfo.i2c, node)
++ list_for_each_entry(i2cboardinfo, &master->boardinfo.i2c, node) {
++ i2cdev = i3c_master_find_i2c_dev_by_addr(master,
++ i2cboardinfo->base.addr);
++ if (WARN_ON(!i2cdev))
++ continue;
+ i2cdev->dev = i2c_new_client_device(adap, &i2cboardinfo->base);
++ }
+
+ return 0;
+ }
diff --git a/queue-5.10/netfilter-nf_conncount-garbage-collection-is-not-skipped-when-jiffies-wrap-around.patch b/queue-5.10/netfilter-nf_conncount-garbage-collection-is-not-skipped-when-jiffies-wrap-around.patch
new file mode 100644
index 0000000000..68e12ad2f7
--- /dev/null
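Review bot: The return value of `i2c_new_client_device()` is stored in `i2cdev->dev` unchecked in the rewritten loop, and that function reports failure with an ERR_PTR rather than NULL. The comment above the loop says failures are ignored on purpose, but any consumer of `i2cdev->dev` outside this hunk that tests only for NULL would then dereference an error pointer. Normalising at the store keeps the best-effort behaviour: `if (IS_ERR(i2cdev->dev)) i2cdev->dev = NULL;` after the assignment. i3c_master_i2c_adapter_init() starts outside the hunk, so whether such a consumer exists is not visible here.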
+++ b/queue-5.10/netfilter-nf_conncount-garbage-collection-is-not-skipped-when-jiffies-wrap-around.patch
@@ -0,0 +1,49 @@
+From df08c94baafb001de6cf44bb7098bb557f36c335 Mon Sep 17 00:00:00 2001
+From: Nicklas Bo Jensen
+Date: Thu, 27 Feb 2025 13:32:34 +0000
+Subject: netfilter: nf_conncount: garbage collection is not skipped when jiffies wrap around
+
+From: Nicklas Bo Jensen
+
+commit df08c94baafb001de6cf44bb7098bb557f36c335 upstream.
+
+nf_conncount is supposed to skip garbage collection if it has already
+run garbage collection in the same jiffy. Unfortunately, this is broken
+when jiffies wrap around which this patch fixes.
+
+The problem is that last_gc in the nf_conncount_list struct is an u32,
+but jiffies is an unsigned long which is 8 bytes on my systems. When
+those two are compared it only works until last_gc wraps around.
+
+See bug report: https://bugzilla.netfilter.org/show_bug.cgi?id=1778
+for more details.
+
+Fixes: d265929930e2 ("netfilter: nf_conncount: reduce unnecessary GC")
+Signed-off-by: Nicklas Bo Jensen
+Reviewed-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nf_conncount.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/netfilter/nf_conncount.c
++++ b/net/netfilter/nf_conncount.c
+@@ -182,7 +182,7 @@ static int __nf_conncount_add(struct net
+ return -EEXIST;
+ }
+
+- if (time_is_after_eq_jiffies((unsigned long)list->last_gc))
++ if ((u32)jiffies == list->last_gc)
+ goto add_new_node;
+
+ /* check the saved connections */
+@@ -288,7 +288,7 @@ bool nf_conncount_gc_list(struct net *ne
+ bool ret = false;
+
+ /* don't bother if we just did GC */
+- if (time_is_after_eq_jiffies((unsigned long)READ_ONCE(list->last_gc)))
++ if ((u32)jiffies == READ_ONCE(list->last_gc))
+ return false;
+
+ /* don't bother if other cpu is already doing GC */
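Review bot: The two call sites read `list->last_gc` differently: the check in `__nf_conncount_add()` uses a plain load while the one in `nf_conncount_gc_list()` uses `READ_ONCE()`. If the first site always runs with the list lock held (not visible in the hunk) the plain load is fine, but that deserves a comment; otherwise it should read `if ((u32)jiffies == READ_ONCE(list->last_gc))`. A one-line comment such as `/* last_gc is u32: compare against truncated jiffies so the same-jiffy check survives wraparound */` would also keep a later cleanup from reintroducing the `time_is_after_eq_jiffies()` form. Both functions start and end outside the hunks.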
diff --git a/queue-5.10/netfilter-nft_connlimit-memleak-if-nf_ct_netns_get-fails.patch b/queue-5.10/netfilter-nft_connlimit-memleak-if-nf_ct_netns_get-fails.patch
new file mode 100644
index 0000000000..33d2d9c827
--- /dev/null
+++ b/queue-5.10/netfilter-nft_connlimit-memleak-if-nf_ct_netns_get-fails.patch
@@ -0,0 +1,46 @@
+From 7d70984a1ad4c445dff08edb9aacce8906b6a222 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Thu, 13 Jan 2022 12:22:38 +0100
+Subject: netfilter: nft_connlimit: memleak if nf_ct_netns_get() fails
+
+From: Pablo Neira Ayuso
+
+commit 7d70984a1ad4c445dff08edb9aacce8906b6a222 upstream.
+
+Check if nf_ct_netns_get() fails then release the limit object
+previously allocated via kmalloc().
+
+Fixes: 37f319f37d90 ("netfilter: nft_connlimit: move stateful fields out of expression data")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nft_connlimit.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nft_connlimit.c
++++ b/net/netfilter/nft_connlimit.c
+@@ -56,6 +56,7 @@ static int nft_connlimit_do_init(const s
+ {
+ bool invert = false;
+ u32 flags, limit;
++ int err;
+
+ if (!tb[NFTA_CONNLIMIT_COUNT])
+ return -EINVAL;
+@@ -78,7 +79,15 @@ static int nft_connlimit_do_init(const s
+ priv->limit = limit;
+ priv->invert = invert;
+
+- return nf_ct_netns_get(ctx->net, ctx->family);
++ err = nf_ct_netns_get(ctx->net, ctx->family);
++ if (err < 0)
++ goto err_netns;
++
++ return 0;
++err_netns:
++ kfree(priv->list);
++
++ return err;
+ }
+
+ static void nft_connlimit_do_destroy(const struct nft_ctx *ctx,
diff --git a/queue-5.10/nfs-fix-missing-unlock-in-nfs_unlink.patch b/queue-5.10/nfs-fix-missing-unlock-in-nfs_unlink.patch
new file mode 100644
index 0000000000..a47f71f6df
--- /dev/null
+++ b/queue-5.10/nfs-fix-missing-unlock-in-nfs_unlink.patch
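Review bot: The `err_netns` path frees `priv->list` but leaves the stale pointer in `priv`. Whether anything reads `priv->list` after a failed init (for example the destroy callback that follows in this file) is not visible in the hunk, so this is a hardening point rather than a confirmed use-after-free: add `priv->list = NULL;` after the `kfree()`. The allocation the commit message refers to sits between the two hunks and is not shown, so the pairing of `kmalloc()` and this `kfree()` should be confirmed against the 5.10 tree the patch is queued for.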
@@ -0,0 +1,33 @@
+From 2067231a9e2cbbcae0a4aca6ac36ff2dd6a7b701 Mon Sep 17 00:00:00 2001
+From: Sun Ke
+Date: Fri, 12 Aug 2022 09:14:40 +0800
+Subject: NFS: Fix missing unlock in nfs_unlink()
+
+From: Sun Ke
+
+commit 2067231a9e2cbbcae0a4aca6ac36ff2dd6a7b701 upstream.
+
+Add the missing unlock before goto.
+
+Fixes: 3c59366c207e ("NFS: don't unhash dentry during unlink/rename")
+Signed-off-by: Sun Ke
+Signed-off-by: Trond Myklebust
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfs/dir.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/nfs/dir.c
++++ b/fs/nfs/dir.c
+@@ -2109,8 +2109,10 @@ int nfs_unlink(struct inode *dir, struct
+ */
+ error = -ETXTBSY;
+ if (WARN_ON(dentry->d_flags & DCACHE_NFSFS_RENAMED) ||
+- WARN_ON(dentry->d_fsdata == NFS_FSDATA_BLOCKED))
++ WARN_ON(dentry->d_fsdata == NFS_FSDATA_BLOCKED)) {
++ spin_unlock(&dentry->d_lock);
+ goto out;
++ }
+ if (dentry->d_fsdata)
+ /* old devname */
+ kfree(dentry->d_fsdata);
diff --git a/queue-5.10/series b/queue-5.10/series
index e837be7976..e3ef9fddc6 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -148,3 +148,7 @@ ocfs2-fix-memory-leak-in-ocfs2_merge_rec_left.patch
 usb-gadget-tegra-xudc-always-reinitialize-data-toggle-when-clear-halt.patch
 usb-phy-initialize-struct-usb_phy-list_head.patch
 alsa-dice-fix-buffer-overflow-in-detect_stream_formats.patch
+nfs-fix-missing-unlock-in-nfs_unlink.patch
+netfilter-nf_conncount-garbage-collection-is-not-skipped-when-jiffies-wrap-around.patch
+i3c-fix-uninitialized-variable-use-in-i2c-setup.patch
+netfilter-nft_connlimit-memleak-if-nf_ct_netns_get-fails.patch