From: Greg Kroah-Hartman Date: Thu, 8 Jan 2026 15:58:15 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v6.1.160~30 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d00fb3c9224bfa1117fb345f9c68675978a08efa;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: ipv4-fix-uninit-value-access-in-__ip_make_skb.patch ipv6-fix-potential-uninit-value-access-in-__ip6_make_skb.patch kvm-arm64-sys_regs-disable-wuninitialized-const-pointer-warning.patch selftests-net-test_vxlan_under_vrf-fix-hv-connectivity-test.patch --- diff --git a/queue-5.15/ipv4-fix-uninit-value-access-in-__ip_make_skb.patch b/queue-5.15/ipv4-fix-uninit-value-access-in-__ip_make_skb.patch new file mode 100644 index 0000000000..e4dd2a3da4 --- /dev/null +++ b/queue-5.15/ipv4-fix-uninit-value-access-in-__ip_make_skb.patch 
@@ -0,0 +1,106 @@ +From stable+bounces-203406-greg=kroah.com@vger.kernel.org Thu Dec 25 16:53:56 2025 +From: skulkarni@mvista.com +Date: Thu, 25 Dec 2025 21:22:37 +0530 +Subject: ipv4: Fix uninit-value access in __ip_make_skb() +To: stable@vger.kernel.org +Cc: Shigeru Yoshida , syzkaller , Paolo Abeni , Shubham Kulkarni +Message-ID: <20251225155236.1881304-1-skulkarni@mvista.com> + +From: Shigeru Yoshida + +commit fc1092f51567277509563800a3c56732070b6aa4 upstream. + +KMSAN reported uninit-value access in __ip_make_skb() [1]. __ip_make_skb() +tests HDRINCL to know if the skb has icmphdr. However, HDRINCL can cause a +race condition. If calling setsockopt(2) with IP_HDRINCL changes HDRINCL +while __ip_make_skb() is running, the function will access icmphdr in the +skb even if it is not included. This causes the issue reported by KMSAN. + +Check FLOWI_FLAG_KNOWN_NH on fl4->flowi4_flags instead of testing HDRINCL +on the socket. + +Also, fl4->fl4_icmp_type and fl4->fl4_icmp_code are not initialized. These +are union in struct flowi4 and are implicitly initialized by +flowi4_init_output(), but we should not rely on specific union layout. + +Initialize these explicitly in raw_sendmsg(). 
+ +[1] +BUG: KMSAN: uninit-value in __ip_make_skb+0x2b74/0x2d20 net/ipv4/ip_output.c:1481 + __ip_make_skb+0x2b74/0x2d20 net/ipv4/ip_output.c:1481 + ip_finish_skb include/net/ip.h:243 [inline] + ip_push_pending_frames+0x4c/0x5c0 net/ipv4/ip_output.c:1508 + raw_sendmsg+0x2381/0x2690 net/ipv4/raw.c:654 + inet_sendmsg+0x27b/0x2a0 net/ipv4/af_inet.c:851 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg+0x274/0x3c0 net/socket.c:745 + __sys_sendto+0x62c/0x7b0 net/socket.c:2191 + __do_sys_sendto net/socket.c:2203 [inline] + __se_sys_sendto net/socket.c:2199 [inline] + __x64_sys_sendto+0x130/0x200 net/socket.c:2199 + do_syscall_64+0xd8/0x1f0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x6d/0x75 + +Uninit was created at: + slab_post_alloc_hook mm/slub.c:3804 [inline] + slab_alloc_node mm/slub.c:3845 [inline] + kmem_cache_alloc_node+0x5f6/0xc50 mm/slub.c:3888 + kmalloc_reserve+0x13c/0x4a0 net/core/skbuff.c:577 + __alloc_skb+0x35a/0x7c0 net/core/skbuff.c:668 + alloc_skb include/linux/skbuff.h:1318 [inline] + __ip_append_data+0x49ab/0x68c0 net/ipv4/ip_output.c:1128 + ip_append_data+0x1e7/0x260 net/ipv4/ip_output.c:1365 + raw_sendmsg+0x22b1/0x2690 net/ipv4/raw.c:648 + inet_sendmsg+0x27b/0x2a0 net/ipv4/af_inet.c:851 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg+0x274/0x3c0 net/socket.c:745 + __sys_sendto+0x62c/0x7b0 net/socket.c:2191 + __do_sys_sendto net/socket.c:2203 [inline] + __se_sys_sendto net/socket.c:2199 [inline] + __x64_sys_sendto+0x130/0x200 net/socket.c:2199 + do_syscall_64+0xd8/0x1f0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x6d/0x75 + +CPU: 1 PID: 15709 Comm: syz-executor.7 Not tainted 6.8.0-11567-gb3603fcb79b1 #25 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014 + +Fixes: 99e5acae193e ("ipv4: Fix potential uninit variable access bug in __ip_make_skb()") +Reported-by: syzkaller +Signed-off-by: Shigeru Yoshida +Link: 
https://lore.kernel.org/r/20240430123945.2057348-1-syoshida@redhat.com +Signed-off-by: Paolo Abeni +Signed-off-by: Shubham Kulkarni +Signed-off-by: Greg Kroah-Hartman +--- +Referred stable v6.1.y version of the patch to generate this one + [ v6.1 link: https://github.com/gregkh/linux/commit/55bf541e018b76b3750cb6c6ea18c46e1ac5562e ] +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ip_output.c | 3 ++- + net/ipv4/raw.c | 3 +++ + 2 files changed, 5 insertions(+), 1 deletion(-) + +--- a/net/ipv4/ip_output.c ++++ b/net/ipv4/ip_output.c +@@ -1562,7 +1562,8 @@ struct sk_buff *__ip_make_skb(struct soc + * so icmphdr does not in skb linear region and can not get icmp_type + * by icmp_hdr(skb)->type. + */ +- if (sk->sk_type == SOCK_RAW && !inet_sk(sk)->hdrincl) ++ if (sk->sk_type == SOCK_RAW && ++ !(fl4->flowi4_flags & FLOWI_FLAG_KNOWN_NH)) + icmp_type = fl4->fl4_icmp_type; + else + icmp_type = icmp_hdr(skb)->type; +--- a/net/ipv4/raw.c ++++ b/net/ipv4/raw.c +@@ -634,6 +634,9 @@ static int raw_sendmsg(struct sock *sk, + (hdrincl ? FLOWI_FLAG_KNOWN_NH : 0), + daddr, saddr, 0, 0, sk->sk_uid); + ++ fl4.fl4_icmp_type = 0; ++ fl4.fl4_icmp_code = 0; ++ + if (!hdrincl) { + rfv.msg = msg; + rfv.hlen = 0; diff --git a/queue-5.15/ipv6-fix-potential-uninit-value-access-in-__ip6_make_skb.patch b/queue-5.15/ipv6-fix-potential-uninit-value-access-in-__ip6_make_skb.patch new file mode 100644 index 0000000000..52e143c144 --- /dev/null +++ b/queue-5.15/ipv6-fix-potential-uninit-value-access-in-__ip6_make_skb.patch 
@@ -0,0 +1,42 @@ +From stable+bounces-203330-greg=kroah.com@vger.kernel.org Tue Dec 23 19:54:34 2025 +From: skulkarni@mvista.com +Date: Wed, 24 Dec 2025 00:23:41 +0530 +Subject: ipv6: Fix potential uninit-value access in __ip6_make_skb() +To: stable@vger.kernel.org +Cc: Shigeru Yoshida , "David S . Miller" , Shubham Kulkarni +Message-ID: <20251223185341.1850880-1-skulkarni@mvista.com> + +From: Shigeru Yoshida + +commit 4e13d3a9c25b7080f8a619f961e943fe08c2672c upstream. + +As it was done in commit fc1092f51567 ("ipv4: Fix uninit-value access in +__ip_make_skb()") for IPv4, check FLOWI_FLAG_KNOWN_NH on fl6->flowi6_flags +instead of testing HDRINCL on the socket to avoid a race condition which +causes uninit-value access. + +Fixes: ea30388baebc ("ipv6: Fix an uninit variable access bug in __ip6_make_skb()") +Signed-off-by: Shigeru Yoshida +Signed-off-by: David S. Miller +Signed-off-by: Shubham Kulkarni +Signed-off-by: Greg Kroah-Hartman +--- +Referred stable v6.1.y version of the patch to generate this one + [ v6.1 link: https://github.com/gregkh/linux/commit/a05c1ede50e9656f0752e523c7b54f3a3489e9a8 ] +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_output.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -1928,7 +1928,8 @@ struct sk_buff *__ip6_make_skb(struct so + struct inet6_dev *idev = ip6_dst_idev(skb_dst(skb)); + u8 icmp6_type; + +- if (sk->sk_socket->type == SOCK_RAW && !inet_sk(sk)->hdrincl) ++ if (sk->sk_socket->type == SOCK_RAW && ++ !(fl6->flowi6_flags & FLOWI_FLAG_KNOWN_NH)) + icmp6_type = fl6->fl6_icmp_type; + else + icmp6_type = icmp6_hdr(skb)->icmp6_type; diff --git a/queue-5.15/kvm-arm64-sys_regs-disable-wuninitialized-const-pointer-warning.patch b/queue-5.15/kvm-arm64-sys_regs-disable-wuninitialized-const-pointer-warning.patch new file mode 100644 index 0000000000..b3ffbeb48c --- /dev/null 
+++ b/queue-5.15/kvm-arm64-sys_regs-disable-wuninitialized-const-pointer-warning.patch 
@@ -0,0 +1,47 @@ +From justinstitt@google.com Thu Jan 8 16:52:32 2026 +From: Justin Stitt +Date: Thu, 04 Dec 2025 12:44:48 -0800 +Subject: KVM: arm64: sys_regs: disable -Wuninitialized-const-pointer warning +To: Marc Zyngier , Oliver Upton , Alexandru Elisei , Joey Gouly , Suzuki K Poulose , Catalin Marinas , Zenghui Yu , Will Deacon , Nathan Chancellor , Christopher Covington +Cc: linux-arm-kernel@lists.infradead.org, kvmarm@lists.cs.columbia.edu, linux-kernel@vger.kernel.org, llvm@lists.linux.dev, stable@vger.kernel.org, Justin Stitt +Message-ID: <20251204-b4-stable-disable-uninit-ptr-warn-5-15-v1-1-41212e2c6409@google.com> + +From: Justin Stitt + +A new warning in Clang 22 [1] complains that @clidr passed to +get_clidr_el1() is an uninitialized const pointer. get_clidr_el1() +doesn't really care since it casts away the const-ness anyways -- it is +a false positive. + +| ../arch/arm64/kvm/sys_regs.c:2838:23: warning: variable 'clidr' is uninitialized when passed as a const pointer argument here [-Wuninitialized-const-pointer] +| 2838 | get_clidr_el1(NULL, &clidr); /* Ugly... */ +| | ^~~~~ + +This patch isn't needed for anything past 6.1 as this code section was +reworked in Commit 7af0c2534f4c ("KVM: arm64: Normalize cache +configuration"). Since there is no upstream equivalent, this patch just +needs to be applied to 5.15. + +Disable this warning for sys_regs.o with an iron fist as it doesn't make +sense to waste maintainer's time or potentially break builds by +backporting large changelists from 6.2+. 
+ +Cc: stable@vger.kernel.org +Fixes: 7c8c5e6a9101e ("arm64: KVM: system register handling") +Link: https://github.com/llvm/llvm-project/commit/00dacf8c22f065cb52efb14cd091d441f19b319e [1] +Reviewed-by: Nathan Chancellor +Signed-off-by: Justin Stitt +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kvm/Makefile | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/arm64/kvm/Makefile ++++ b/arch/arm64/kvm/Makefile +@@ -25,3 +25,6 @@ kvm-y := $(KVM)/kvm_main.o $(KVM)/coales + vgic/vgic-its.o vgic/vgic-debug.o + + kvm-$(CONFIG_HW_PERF_EVENTS) += pmu-emul.o ++ ++# Work around a false positive Clang 22 -Wuninitialized-const-pointer warning ++CFLAGS_sys_regs.o := $(call cc-disable-warning, uninitialized-const-pointer) diff --git a/queue-5.15/selftests-net-test_vxlan_under_vrf-fix-hv-connectivity-test.patch b/queue-5.15/selftests-net-test_vxlan_under_vrf-fix-hv-connectivity-test.patch new file mode 100644 index 0000000000..5c546b4de0 --- /dev/null +++ b/queue-5.15/selftests-net-test_vxlan_under_vrf-fix-hv-connectivity-test.patch 
@@ -0,0 +1,58 @@ +From caojiaqiang@huawei.com Mon Jan 5 11:39:21 2026 +From: Cao Jiaqiang +Date: Mon, 5 Jan 2026 18:52:51 +0800 +Subject: selftests: net: test_vxlan_under_vrf: fix HV connectivity test +To: , , , +Cc: , , , , , , , , +Message-ID: <20260105105251.33854-1-caojiaqiang@huawei.com> + +From: Andrea Righi + +[ Upstream commit e7e4785fa30f9b5d1b60ed2d8e221891325dfc5f ] + +It looks like test_vxlan_under_vrf.sh is always failing to verify the +connectivity test during the ping between the two simulated VMs. + +This is due to the fact that veth-hv in each VM should have a distinct +MAC address. + +Fix by setting a unique MAC address on each simulated VM interface. + +Without this fix: + + $ sudo ./tools/testing/selftests/net/test_vxlan_under_vrf.sh + Checking HV connectivity [ OK ] + Check VM connectivity through VXLAN (underlay in the default VRF) [FAIL] + +With this fix applied: + + $ sudo ./tools/testing/selftests/net/test_vxlan_under_vrf.sh + Checking HV connectivity [ OK ] + Check VM connectivity through VXLAN (underlay in the default VRF) [ OK ] + Check VM connectivity through VXLAN (underlay in a VRF) [FAIL] + +NOTE: the connectivity test with the underlay VRF is still failing; it +seems that ARP requests are blocked at the simulated hypervisor level, +probably due to some missing ARP forwarding rules. This requires more +investigation (in the meantime we may consider to set that test as +expected failure - XFAIL). + +Signed-off-by: Andrea Righi +Signed-off-by: David S. 
Miller +Signed-off-by: Cao Jiaqiang +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/test_vxlan_under_vrf.sh | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/tools/testing/selftests/net/test_vxlan_under_vrf.sh ++++ b/tools/testing/selftests/net/test_vxlan_under_vrf.sh +@@ -101,6 +101,8 @@ setup-vm() { + ip -netns hv-$id link set veth-tap master br0 + ip -netns hv-$id link set veth-tap up + ++ ip link set veth-hv address 02:1d:8d:dd:0c:6$id ++ + ip link set veth-hv netns vm-$id + ip -netns vm-$id addr add 10.0.0.$id/24 dev veth-hv + ip -netns vm-$id link set veth-hv up diff --git a/queue-5.15/series b/queue-5.15/series index a965d192bc..868df866dc 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -488,3 +488,7 @@ kvm-x86-acquire-kvm-srcu-when-handling-kvm_set_vcpu_events.patch hid-core-harden-s32ton-against-conversion-to-0-bits.patch mm-mprotect-use-long-for-page-accountings-and-retval.patch mm-mprotect-delete-pmd_none_or_clear_bad_unless_trans_huge.patch +kvm-arm64-sys_regs-disable-wuninitialized-const-pointer-warning.patch +ipv6-fix-potential-uninit-value-access-in-__ip6_make_skb.patch +ipv4-fix-uninit-value-access-in-__ip_make_skb.patch +selftests-net-test_vxlan_under_vrf-fix-hv-connectivity-test.patch
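Review bot: in the __ip_make_skb() hunk of net/ipv4/ip_output.c, the retained comment above the condition still explains the branch only in terms of the skb linear region, while the new test `!(fl4->flowi4_flags & FLOWI_FLAG_KNOWN_NH)` is correct only because raw_sendmsg() derives that flag from its local hdrincl value (`(hdrincl ? FLOWI_FLAG_KNOWN_NH : 0)` in the raw.c context lines). The flag name says nothing about header inclusion, so the comment should state that KNOWN_NH stands in for the hdrincl value sampled for this send, and that inet_sk(sk)->hdrincl must not be re-read here because setsockopt(2) can change it while the function runs.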
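Review bot: in the raw_sendmsg() hunk of net/ipv4/raw.c, the two added assignments `fl4.fl4_icmp_type = 0;` and `fl4.fl4_icmp_code = 0;` have no comment, and their position is load-bearing: the commit message says these fields are union members that flowi4_init_output() fills implicitly, so they have to stay after the init call shown in the context lines. A one-line comment saying these are the values __ip_make_skb() reads on the non-hdrincl path would keep a later cleanup from dropping them as redundant or moving them above the init call.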
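Review bot: the __ip6_make_skb() hunk in net/ipv6/ip6_output.c switches the test to `!(fl6->flowi6_flags & FLOWI_FLAG_KNOWN_NH)`, but this backport changes one file only, so nothing in it shows where the raw IPv6 send path sets that flag or initialises fl6->fl6_icmp_type, unlike the IPv4 patch, which also touches raw.c. Before queuing, confirm in the 5.15 tree that the raw IPv6 sender sets FLOWI_FLAG_KNOWN_NH whenever hdrincl is in effect; if it does not, every SOCK_RAW socket takes the fl6->fl6_icmp_type branch, including those that supplied their own header.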
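Review bot: the added `CFLAGS_sys_regs.o := $(call cc-disable-warning, uninitialized-const-pointer)` line in arch/arm64/kvm/Makefile silences the warning for all of sys_regs.o, not only for the get_clidr_el1(NULL, &clidr) call the commit message identifies as the false positive, so a genuine uninitialized const pointer elsewhere in that file would no longer be reported by Clang. Name the call site in the Makefile comment so the suppression can be removed if that code changes, and consider `+=` instead of `:=` so the line cannot discard per-file flags set elsewhere for the same object.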
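Review bot: in the setup-vm() hunk of test_vxlan_under_vrf.sh, `02:1d:8d:dd:0c:6$id` builds the last octet by appending $id to the digit 6, which gives a valid MAC address only while $id is a single hexadecimal digit. The same variable is used as `10.0.0.$id/24` in the context lines, so nothing in the function limits it to one digit; with an id of 10 or more the octet has three characters and the `ip link set veth-hv address` call fails. Either note the single-digit assumption next to the line or format the octet explicitly, for example with printf and a `%02x` conversion.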