From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sat, 12 Jul 2025 13:49:30 +0000 (+0200)
Subject: 5.4-stable patches
X-Git-Tag: v5.15.188~72
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ecab6c8a0f3a395be06362e76a29e09b1fe315c5;p=thirdparty%2Fkernel%2Fstable-queue.git

5.4-stable patches

added patches:
	rxrpc-fix-oops-due-to-non-existence-of-prealloc-backlog-struct.patch
---

diff --git a/queue-5.4/rxrpc-fix-oops-due-to-non-existence-of-prealloc-backlog-struct.patch b/queue-5.4/rxrpc-fix-oops-due-to-non-existence-of-prealloc-backlog-struct.patch
new file mode 100644
index 0000000000..ce801dc831
--- /dev/null
+++ b/queue-5.4/rxrpc-fix-oops-due-to-non-existence-of-prealloc-backlog-struct.patch
@@ -0,0 +1,44 @@
+From 880a88f318cf1d2a0f4c0a7ff7b07e2062b434a4 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Tue, 8 Jul 2025 22:15:04 +0100
+Subject: rxrpc: Fix oops due to non-existence of prealloc backlog struct
+
+From: David Howells <dhowells@redhat.com>
+
+commit 880a88f318cf1d2a0f4c0a7ff7b07e2062b434a4 upstream.
+
+If an AF_RXRPC service socket is opened and bound, but calls are
+preallocated, then rxrpc_alloc_incoming_call() will oops because the
+rxrpc_backlog struct doesn't get allocated until the first preallocation is
+made.
+
+Fix this by returning NULL from rxrpc_alloc_incoming_call() if there is no
+backlog struct.  This will cause the incoming call to be aborted.
+
+Reported-by: Junvyyang, Tencent Zhuque Lab <zhuque@tencent.com>
+Suggested-by: Junvyyang, Tencent Zhuque Lab <zhuque@tencent.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: LePremierHomme <kwqcheii@proton.me>
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: Willy Tarreau <w@1wt.eu>
+cc: Simon Horman <horms@kernel.org>
+cc: linux-afs@lists.infradead.org
+Link: https://patch.msgid.link/20250708211506.2699012-3-dhowells@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rxrpc/call_accept.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/rxrpc/call_accept.c
++++ b/net/rxrpc/call_accept.c
+@@ -281,6 +281,9 @@ static struct rxrpc_call *rxrpc_alloc_in
+ 	unsigned short call_tail, conn_tail, peer_tail;
+ 	unsigned short call_count, conn_count;
+ 
++	if (!b)
++		return NULL;
++
+ 	/* #calls >= #conns >= #peers must hold true. */
+ 	call_head = smp_load_acquire(&b->call_backlog_head);
+ 	call_tail = b->call_backlog_tail;
diff --git a/queue-5.4/series b/queue-5.4/series
index a1aa504363..474faac924 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -119,4 +119,4 @@ atm-clip-fix-memory-leak-of-struct-clip_vcc.patch
 atm-clip-fix-infinite-recursive-call-of-clip_push.patch
 atm-clip-fix-null-pointer-dereference-in-vcc_sendmsg.patch
 net-sched-abort-__tc_modify_qdisc-if-parent-class-do.patch
-x86-cpu-amd-properly-check-the-tsa-microcode.patch
+rxrpc-fix-oops-due-to-non-existence-of-prealloc-backlog-struct.patch
diff --git a/queue-5.4/x86-cpu-amd-properly-check-the-tsa-microcode.patch b/queue-5.4/x86-cpu-amd-properly-check-the-tsa-microcode.patch
deleted file mode 100644
index 1cfc01a99c..0000000000
--- a/queue-5.4/x86-cpu-amd-properly-check-the-tsa-microcode.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From bp@alien8.de  Sat Jul 12 14:01:48 2025
-From: Borislav Petkov <bp@alien8.de>
-Date: Fri, 11 Jul 2025 21:18:44 +0200
-Subject: x86/CPU/AMD: Properly check the TSA microcode
-To: stable@vger.kernel.org
-Cc: Thomas Voegtle <tv@lio96.de>, kim.phillips@amd.com
-Message-ID: <20250711191844.GIaHFjlJiQi_HxyyWG@fat_crate.local>
-Content-Disposition: inline
-
-From: "Borislav Petkov (AMD)" <bp@alien8.de>
-
-In order to simplify backports, I resorted to an older version of the
-microcode revision checking which didn't pull in the whole struct
-x86_cpu_id matching machinery.
-
-My simpler method, however, forgot to add the extended CPU model to the
-patch revision, which lead to mismatches when determining whether TSA
-mitigation support is present.
-
-So add that forgotten extended model.
-
-This is a stable-only fix and the preference is to do it this way
-because it is a lot simpler. Also, the Fixes: tag below points to the
-respective stable patch.
-
-Fixes: 7a0395f6607a ("x86/bugs: Add a Transient Scheduler Attacks mitigation")
-Reported-by: Thomas Voegtle <tv@lio96.de>
-Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
-Tested-by: Thomas Voegtle <tv@lio96.de>
-Message-ID: <04ea0a8e-edb0-c59e-ce21-5f3d5d167af3@lio96.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kernel/cpu/amd.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
-index 8a740e92e483..b42307200e98 100644
---- a/arch/x86/kernel/cpu/amd.c
-+++ b/arch/x86/kernel/cpu/amd.c
-@@ -376,6 +376,7 @@ static bool amd_check_tsa_microcode(void)
- 
- 	p.ext_fam	= c->x86 - 0xf;
- 	p.model		= c->x86_model;
-+	p.ext_model	= c->x86_model >> 4;
- 	p.stepping	= c->x86_stepping;
- 
- 	if (cpu_has(c, X86_FEATURE_ZEN3) ||
--- 
-2.43.0
-
--- 
-Regards/Gruss,
-    Boris.
-
-https://people.kernel.org/tglx/notes-about-netiquette
-