From 478833d79a0698a175c651044aeaf09035010d27 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sat, 15 Nov 2025 22:20:59 -0500 Subject: [PATCH] Fixes for all trees Signed-off-by: Sasha Levin --- .../bpf-add-bpf_prog_run_data_pointers.patch | 112 ++++++++++++++++++ queue-5.15/series | 1 + .../bpf-add-bpf_prog_run_data_pointers.patch | 112 ++++++++++++++++++ queue-6.1/series | 1 + ...current-allocated-stack-depth-in-wid.patch | 71 +++++++++++ .../bpf-add-bpf_prog_run_data_pointers.patch | 112 ++++++++++++++++++ ...tc-add-missing-free-callback-in-risc.patch | 43 +++++++ queue-6.12/series | 3 + ...current-allocated-stack-depth-in-wid.patch | 71 +++++++++++ .../bpf-add-bpf_prog_run_data_pointers.patch | 112 ++++++++++++++++++ ...tc-add-missing-free-callback-in-risc.patch | 43 +++++++ ...g-potential-memory-leak-in-do_timer_.patch | 63 ++++++++++ queue-6.17/series | 4 + ...current-allocated-stack-depth-in-wid.patch | 71 +++++++++++ .../bpf-add-bpf_prog_run_data_pointers.patch | 112 ++++++++++++++++++ ...tc-add-missing-free-callback-in-risc.patch | 43 +++++++ queue-6.6/series | 3 + 17 files changed, 977 insertions(+) create mode 100644 queue-5.15/bpf-add-bpf_prog_run_data_pointers.patch create mode 100644 queue-6.1/bpf-add-bpf_prog_run_data_pointers.patch create mode 100644 queue-6.12/bpf-account-for-current-allocated-stack-depth-in-wid.patch create mode 100644 queue-6.12/bpf-add-bpf_prog_run_data_pointers.patch create mode 100644 queue-6.12/irqchip-riscv-intc-add-missing-free-callback-in-risc.patch create mode 100644 queue-6.17/bpf-account-for-current-allocated-stack-depth-in-wid.patch create mode 100644 queue-6.17/bpf-add-bpf_prog_run_data_pointers.patch create mode 100644 queue-6.17/irqchip-riscv-intc-add-missing-free-callback-in-risc.patch create mode 100644 queue-6.17/posix-timers-plug-potential-memory-leak-in-do_timer_.patch create mode 100644 queue-6.6/bpf-account-for-current-allocated-stack-depth-in-wid.patch create mode 100644 queue-6.6/bpf-add-bpf_prog_run_data_pointers.patch create mode 100644 queue-6.6/irqchip-riscv-intc-add-missing-free-callback-in-risc.patch diff --git a/queue-5.15/bpf-add-bpf_prog_run_data_pointers.patch b/queue-5.15/bpf-add-bpf_prog_run_data_pointers.patch new file mode 100644 index 0000000000..fd336f4d09 --- /dev/null +++ b/queue-5.15/bpf-add-bpf_prog_run_data_pointers.patch @@ -0,0 +1,112 @@ +From aac3838bbf8b2c7391f5d00073a2f80fa92c2efa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Nov 2025 12:55:16 +0000 +Subject: bpf: Add bpf_prog_run_data_pointers() + +From: Eric Dumazet + +[ Upstream commit 4ef92743625818932b9c320152b58274c05e5053 ] + +syzbot found that cls_bpf_classify() is able to change +tc_skb_cb(skb)->drop_reason triggering a warning in sk_skb_reason_drop(). + +WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 __sk_skb_reason_drop net/core/skbuff.c:1189 [inline] +WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 sk_skb_reason_drop+0x76/0x170 net/core/skbuff.c:1214 + +struct tc_skb_cb has been added in commit ec624fe740b4 ("net/sched: +Extend qdisc control block with tc control block"), which added a wrong +interaction with db58ba459202 ("bpf: wire in data and data_end for +cls_act_bpf"). + +drop_reason was added later. + +Add bpf_prog_run_data_pointers() helper to save/restore the net_sched +storage colliding with BPF data_meta/data_end. + +Fixes: ec624fe740b4 ("net/sched: Extend qdisc control block with tc control block") +Reported-by: syzbot +Closes: https://lore.kernel.org/netdev/6913437c.a70a0220.22f260.013b.GAE@google.com/ +Signed-off-by: Eric Dumazet +Signed-off-by: Martin KaFai Lau +Reviewed-by: Victor Nogueira +Acked-by: Jamal Hadi Salim +Link: https://patch.msgid.link/20251112125516.1563021-1-edumazet@google.com +Signed-off-by: Sasha Levin +--- + include/linux/filter.h | 20 ++++++++++++++++++++ + net/sched/act_bpf.c | 6 ++---- + net/sched/cls_bpf.c | 6 ++---- + 3 files changed, 24 insertions(+), 8 deletions(-) + +diff --git a/include/linux/filter.h b/include/linux/filter.h +index dc49c8eb00fd6..e8d52cf2883a6 100644 +--- a/include/linux/filter.h ++++ b/include/linux/filter.h +@@ -701,6 +701,26 @@ static inline void bpf_compute_data_pointers(struct sk_buff *skb) + cb->data_end = skb->data + skb_headlen(skb); + } + ++static inline int bpf_prog_run_data_pointers( ++ const struct bpf_prog *prog, ++ struct sk_buff *skb) ++{ ++ struct bpf_skb_data_end *cb = (struct bpf_skb_data_end *)skb->cb; ++ void *save_data_meta, *save_data_end; ++ int res; ++ ++ save_data_meta = cb->data_meta; ++ save_data_end = cb->data_end; ++ ++ bpf_compute_data_pointers(skb); ++ res = bpf_prog_run(prog, skb); ++ ++ cb->data_meta = save_data_meta; ++ cb->data_end = save_data_end; ++ ++ return res; ++} ++ + /* Similar to bpf_compute_data_pointers(), except that save orginal + * data in cb->data and cb->meta_data for restore. + */ +diff --git a/net/sched/act_bpf.c b/net/sched/act_bpf.c +index 5576eb97d39e0..e1b6e88feaf51 100644 +--- a/net/sched/act_bpf.c ++++ b/net/sched/act_bpf.c +@@ -45,12 +45,10 @@ static int tcf_bpf_act(struct sk_buff *skb, const struct tc_action *act, + filter = rcu_dereference(prog->filter); + if (at_ingress) { + __skb_push(skb, skb->mac_len); +- bpf_compute_data_pointers(skb); +- filter_res = bpf_prog_run(filter, skb); ++ filter_res = bpf_prog_run_data_pointers(filter, skb); + __skb_pull(skb, skb->mac_len); + } else { +- bpf_compute_data_pointers(skb); +- filter_res = bpf_prog_run(filter, skb); ++ filter_res = bpf_prog_run_data_pointers(filter, skb); + } + if (skb_sk_is_prefetched(skb) && filter_res != TC_ACT_OK) + skb_orphan(skb); +diff --git a/net/sched/cls_bpf.c b/net/sched/cls_bpf.c +index b7c46a93a4121..63fb61a290cd6 100644 +--- a/net/sched/cls_bpf.c ++++ b/net/sched/cls_bpf.c +@@ -95,12 +95,10 @@ static int cls_bpf_classify(struct sk_buff *skb, const struct tcf_proto *tp, + } else if (at_ingress) { + /* It is safe to push/pull even if skb_shared() */ + __skb_push(skb, skb->mac_len); +- bpf_compute_data_pointers(skb); +- filter_res = bpf_prog_run(prog->filter, skb); ++ filter_res = bpf_prog_run_data_pointers(prog->filter, skb); + __skb_pull(skb, skb->mac_len); + } else { +- bpf_compute_data_pointers(skb); +- filter_res = bpf_prog_run(prog->filter, skb); ++ filter_res = bpf_prog_run_data_pointers(prog->filter, skb); + } + + if (prog->exts_integrated) { +-- +2.51.0 + diff --git a/queue-5.15/series b/queue-5.15/series index 0cd7f47c68..624b697841 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -262,3 +262,4 @@ asoc-cs4271-fix-regulator-leak-on-probe-failure.patch drm-vmwgfx-validate-command-header-size-against-svga.patch nfsv4-fix-an-incorrect-parameter-when-calling-nfs4_c.patch alsa-usb-audio-fix-null-pointer-dereference-in-snd_u.patch +bpf-add-bpf_prog_run_data_pointers.patch diff --git a/queue-6.1/bpf-add-bpf_prog_run_data_pointers.patch b/queue-6.1/bpf-add-bpf_prog_run_data_pointers.patch new file mode 100644 index 0000000000..80380788cd --- /dev/null +++ b/queue-6.1/bpf-add-bpf_prog_run_data_pointers.patch @@ -0,0 +1,112 @@ +From 1b538b004cbb49d02c50538252fc32a548b00959 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Nov 2025 12:55:16 +0000 +Subject: bpf: Add bpf_prog_run_data_pointers() + +From: Eric Dumazet + +[ Upstream commit 4ef92743625818932b9c320152b58274c05e5053 ] + +syzbot found that cls_bpf_classify() is able to change +tc_skb_cb(skb)->drop_reason triggering a warning in sk_skb_reason_drop(). + +WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 __sk_skb_reason_drop net/core/skbuff.c:1189 [inline] +WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 sk_skb_reason_drop+0x76/0x170 net/core/skbuff.c:1214 + +struct tc_skb_cb has been added in commit ec624fe740b4 ("net/sched: +Extend qdisc control block with tc control block"), which added a wrong +interaction with db58ba459202 ("bpf: wire in data and data_end for +cls_act_bpf"). + +drop_reason was added later. + +Add bpf_prog_run_data_pointers() helper to save/restore the net_sched +storage colliding with BPF data_meta/data_end. + +Fixes: ec624fe740b4 ("net/sched: Extend qdisc control block with tc control block") +Reported-by: syzbot +Closes: https://lore.kernel.org/netdev/6913437c.a70a0220.22f260.013b.GAE@google.com/ +Signed-off-by: Eric Dumazet +Signed-off-by: Martin KaFai Lau +Reviewed-by: Victor Nogueira +Acked-by: Jamal Hadi Salim +Link: https://patch.msgid.link/20251112125516.1563021-1-edumazet@google.com +Signed-off-by: Sasha Levin +--- + include/linux/filter.h | 20 ++++++++++++++++++++ + net/sched/act_bpf.c | 6 ++---- + net/sched/cls_bpf.c | 6 ++---- + 3 files changed, 24 insertions(+), 8 deletions(-) + +diff --git a/include/linux/filter.h b/include/linux/filter.h +index bbdae97d50c42..502cab01e9e97 100644 +--- a/include/linux/filter.h ++++ b/include/linux/filter.h +@@ -676,6 +676,26 @@ static inline void bpf_compute_data_pointers(struct sk_buff *skb) + cb->data_end = skb->data + skb_headlen(skb); + } + ++static inline int bpf_prog_run_data_pointers( ++ const struct bpf_prog *prog, ++ struct sk_buff *skb) ++{ ++ struct bpf_skb_data_end *cb = (struct bpf_skb_data_end *)skb->cb; ++ void *save_data_meta, *save_data_end; ++ int res; ++ ++ save_data_meta = cb->data_meta; ++ save_data_end = cb->data_end; ++ ++ bpf_compute_data_pointers(skb); ++ res = bpf_prog_run(prog, skb); ++ ++ cb->data_meta = save_data_meta; ++ cb->data_end = save_data_end; ++ ++ return res; ++} ++ + /* Similar to bpf_compute_data_pointers(), except that save orginal + * data in cb->data and cb->meta_data for restore. + */ +diff --git a/net/sched/act_bpf.c b/net/sched/act_bpf.c +index b79eee44e24eb..e33a6be877def 100644 +--- a/net/sched/act_bpf.c ++++ b/net/sched/act_bpf.c +@@ -45,12 +45,10 @@ static int tcf_bpf_act(struct sk_buff *skb, const struct tc_action *act, + filter = rcu_dereference(prog->filter); + if (at_ingress) { + __skb_push(skb, skb->mac_len); +- bpf_compute_data_pointers(skb); +- filter_res = bpf_prog_run(filter, skb); ++ filter_res = bpf_prog_run_data_pointers(filter, skb); + __skb_pull(skb, skb->mac_len); + } else { +- bpf_compute_data_pointers(skb); +- filter_res = bpf_prog_run(filter, skb); ++ filter_res = bpf_prog_run_data_pointers(filter, skb); + } + if (unlikely(!skb->tstamp && skb->mono_delivery_time)) + skb->mono_delivery_time = 0; +diff --git a/net/sched/cls_bpf.c b/net/sched/cls_bpf.c +index 0320e11eb248b..5820ee95fa36e 100644 +--- a/net/sched/cls_bpf.c ++++ b/net/sched/cls_bpf.c +@@ -95,12 +95,10 @@ static int cls_bpf_classify(struct sk_buff *skb, const struct tcf_proto *tp, + } else if (at_ingress) { + /* It is safe to push/pull even if skb_shared() */ + __skb_push(skb, skb->mac_len); +- bpf_compute_data_pointers(skb); +- filter_res = bpf_prog_run(prog->filter, skb); ++ filter_res = bpf_prog_run_data_pointers(prog->filter, skb); + __skb_pull(skb, skb->mac_len); + } else { +- bpf_compute_data_pointers(skb); +- filter_res = bpf_prog_run(prog->filter, skb); ++ filter_res = bpf_prog_run_data_pointers(prog->filter, skb); + } + if (unlikely(!skb->tstamp && skb->mono_delivery_time)) + skb->mono_delivery_time = 0; +-- +2.51.0 + diff --git a/queue-6.1/series b/queue-6.1/series index 7123464e7c..ccf85f0d25 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -385,3 +385,4 @@ asoc-codecs-va-macro-fix-resource-leak-in-probe-erro.patch drm-vmwgfx-validate-command-header-size-against-svga.patch nfsv4-fix-an-incorrect-parameter-when-calling-nfs4_c.patch alsa-usb-audio-fix-null-pointer-dereference-in-snd_u.patch +bpf-add-bpf_prog_run_data_pointers.patch diff --git a/queue-6.12/bpf-account-for-current-allocated-stack-depth-in-wid.patch b/queue-6.12/bpf-account-for-current-allocated-stack-depth-in-wid.patch new file mode 100644 index 0000000000..93ed779940 --- /dev/null +++ b/queue-6.12/bpf-account-for-current-allocated-stack-depth-in-wid.patch @@ -0,0 +1,71 @@ +From fcb8c893fc10fc6ba5a10d3eb43d5a7f6b1eeee0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Nov 2025 18:57:29 -0800 +Subject: bpf: account for current allocated stack depth in + widen_imprecise_scalars() + +From: Eduard Zingerman + +[ Upstream commit b0c8e6d3d866b6a7f73877f71968dbffd27b7785 ] + +The usage pattern for widen_imprecise_scalars() looks as follows: + + prev_st = find_prev_entry(env, ...); + queued_st = push_stack(...); + widen_imprecise_scalars(env, prev_st, queued_st); + +Where prev_st is an ancestor of the queued_st in the explored states +tree. This ancestor is not guaranteed to have same allocated stack +depth as queued_st. E.g. in the following case: + + def main(): + for i in 1..2: + foo(i) // same callsite, differnt param + + def foo(i): + if i == 1: + use 128 bytes of stack + iterator based loop + +Here, for a second 'foo' call prev_st->allocated_stack is 128, +while queued_st->allocated_stack is much smaller. +widen_imprecise_scalars() needs to take this into account and avoid +accessing bpf_verifier_state->frame[*]->stack out of bounds. + +Fixes: 2793a8b015f7 ("bpf: exact states comparison for iterator convergence checks") +Reported-by: Emil Tsalapatis +Signed-off-by: Eduard Zingerman +Link: https://lore.kernel.org/r/20251114025730.772723-1-eddyz87@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 218c238d61398..7b75a2dd8cb8f 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -8228,7 +8228,7 @@ static int widen_imprecise_scalars(struct bpf_verifier_env *env, + struct bpf_verifier_state *cur) + { + struct bpf_func_state *fold, *fcur; +- int i, fr; ++ int i, fr, num_slots; + + reset_idmap_scratch(env); + for (fr = old->curframe; fr >= 0; fr--) { +@@ -8241,7 +8241,9 @@ static int widen_imprecise_scalars(struct bpf_verifier_env *env, + &fcur->regs[i], + &env->idmap_scratch); + +- for (i = 0; i < fold->allocated_stack / BPF_REG_SIZE; i++) { ++ num_slots = min(fold->allocated_stack / BPF_REG_SIZE, ++ fcur->allocated_stack / BPF_REG_SIZE); ++ for (i = 0; i < num_slots; i++) { + if (!is_spilled_reg(&fold->stack[i]) || + !is_spilled_reg(&fcur->stack[i])) + continue; +-- +2.51.0 + diff --git a/queue-6.12/bpf-add-bpf_prog_run_data_pointers.patch b/queue-6.12/bpf-add-bpf_prog_run_data_pointers.patch new file mode 100644 index 0000000000..2dfe9dab78 --- /dev/null +++ b/queue-6.12/bpf-add-bpf_prog_run_data_pointers.patch @@ -0,0 +1,112 @@ +From 23d86396642b9566f78f6d69655dd34ab31ea6ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Nov 2025 12:55:16 +0000 +Subject: bpf: Add bpf_prog_run_data_pointers() + +From: Eric Dumazet + +[ Upstream commit 4ef92743625818932b9c320152b58274c05e5053 ] + +syzbot found that cls_bpf_classify() is able to change +tc_skb_cb(skb)->drop_reason triggering a warning in sk_skb_reason_drop(). + +WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 __sk_skb_reason_drop net/core/skbuff.c:1189 [inline] +WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 sk_skb_reason_drop+0x76/0x170 net/core/skbuff.c:1214 + +struct tc_skb_cb has been added in commit ec624fe740b4 ("net/sched: +Extend qdisc control block with tc control block"), which added a wrong +interaction with db58ba459202 ("bpf: wire in data and data_end for +cls_act_bpf"). + +drop_reason was added later. + +Add bpf_prog_run_data_pointers() helper to save/restore the net_sched +storage colliding with BPF data_meta/data_end. + +Fixes: ec624fe740b4 ("net/sched: Extend qdisc control block with tc control block") +Reported-by: syzbot +Closes: https://lore.kernel.org/netdev/6913437c.a70a0220.22f260.013b.GAE@google.com/ +Signed-off-by: Eric Dumazet +Signed-off-by: Martin KaFai Lau +Reviewed-by: Victor Nogueira +Acked-by: Jamal Hadi Salim +Link: https://patch.msgid.link/20251112125516.1563021-1-edumazet@google.com +Signed-off-by: Sasha Levin +--- + include/linux/filter.h | 20 ++++++++++++++++++++ + net/sched/act_bpf.c | 6 ++---- + net/sched/cls_bpf.c | 6 ++---- + 3 files changed, 24 insertions(+), 8 deletions(-) + +diff --git a/include/linux/filter.h b/include/linux/filter.h +index aef18f0e9450e..9b6908291de7c 100644 +--- a/include/linux/filter.h ++++ b/include/linux/filter.h +@@ -881,6 +881,26 @@ static inline void bpf_compute_data_pointers(struct sk_buff *skb) + cb->data_end = skb->data + skb_headlen(skb); + } + ++static inline int bpf_prog_run_data_pointers( ++ const struct bpf_prog *prog, ++ struct sk_buff *skb) ++{ ++ struct bpf_skb_data_end *cb = (struct bpf_skb_data_end *)skb->cb; ++ void *save_data_meta, *save_data_end; ++ int res; ++ ++ save_data_meta = cb->data_meta; ++ save_data_end = cb->data_end; ++ ++ bpf_compute_data_pointers(skb); ++ res = bpf_prog_run(prog, skb); ++ ++ cb->data_meta = save_data_meta; ++ cb->data_end = save_data_end; ++ ++ return res; ++} ++ + /* Similar to bpf_compute_data_pointers(), except that save orginal + * data in cb->data and cb->meta_data for restore. + */ +diff --git a/net/sched/act_bpf.c b/net/sched/act_bpf.c +index 396b576390d00..c2b5bc19e0911 100644 +--- a/net/sched/act_bpf.c ++++ b/net/sched/act_bpf.c +@@ -47,12 +47,10 @@ TC_INDIRECT_SCOPE int tcf_bpf_act(struct sk_buff *skb, + filter = rcu_dereference(prog->filter); + if (at_ingress) { + __skb_push(skb, skb->mac_len); +- bpf_compute_data_pointers(skb); +- filter_res = bpf_prog_run(filter, skb); ++ filter_res = bpf_prog_run_data_pointers(filter, skb); + __skb_pull(skb, skb->mac_len); + } else { +- bpf_compute_data_pointers(skb); +- filter_res = bpf_prog_run(filter, skb); ++ filter_res = bpf_prog_run_data_pointers(filter, skb); + } + if (unlikely(!skb->tstamp && skb->tstamp_type)) + skb->tstamp_type = SKB_CLOCK_REALTIME; +diff --git a/net/sched/cls_bpf.c b/net/sched/cls_bpf.c +index 7fbe42f0e5c2b..a32754a2658bb 100644 +--- a/net/sched/cls_bpf.c ++++ b/net/sched/cls_bpf.c +@@ -97,12 +97,10 @@ TC_INDIRECT_SCOPE int cls_bpf_classify(struct sk_buff *skb, + } else if (at_ingress) { + /* It is safe to push/pull even if skb_shared() */ + __skb_push(skb, skb->mac_len); +- bpf_compute_data_pointers(skb); +- filter_res = bpf_prog_run(prog->filter, skb); ++ filter_res = bpf_prog_run_data_pointers(prog->filter, skb); + __skb_pull(skb, skb->mac_len); + } else { +- bpf_compute_data_pointers(skb); +- filter_res = bpf_prog_run(prog->filter, skb); ++ filter_res = bpf_prog_run_data_pointers(prog->filter, skb); + } + if (unlikely(!skb->tstamp && skb->tstamp_type)) + skb->tstamp_type = SKB_CLOCK_REALTIME; +-- +2.51.0 + diff --git a/queue-6.12/irqchip-riscv-intc-add-missing-free-callback-in-risc.patch b/queue-6.12/irqchip-riscv-intc-add-missing-free-callback-in-risc.patch new file mode 100644 index 0000000000..c6e69380af --- /dev/null +++ b/queue-6.12/irqchip-riscv-intc-add-missing-free-callback-in-risc.patch @@ -0,0 +1,43 @@ +From ee06bee42530a9e979df95628e0b315cc12c1e8b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Nov 2025 15:28:44 +0800 +Subject: irqchip/riscv-intc: Add missing free() callback in + riscv_intc_domain_ops + +From: Nick Hu + +[ Upstream commit 14473a1f88596fd729e892782efc267c0097dd1d ] + +The irq_domain_free_irqs() helper requires that the irq_domain_ops->free +callback is implemented. Otherwise, the kernel reports the warning message +"NULL pointer, cannot free irq" when irq_dispose_mapping() is invoked to +release the per-HART local interrupts. + +Set irq_domain_ops->free to irq_domain_free_irqs_top() to cure that. + +Fixes: 832f15f42646 ("RISC-V: Treat IPIs as normal Linux IRQs") +Signed-off-by: Nick Hu +Signed-off-by: Thomas Gleixner +Link: https://patch.msgid.link/20251114-rv-intc-fix-v1-1-a3edd1c1a868@sifive.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-riscv-intc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/irqchip/irq-riscv-intc.c b/drivers/irqchip/irq-riscv-intc.c +index f653c13de62b5..a02ef98848d36 100644 +--- a/drivers/irqchip/irq-riscv-intc.c ++++ b/drivers/irqchip/irq-riscv-intc.c +@@ -166,7 +166,8 @@ static int riscv_intc_domain_alloc(struct irq_domain *domain, + static const struct irq_domain_ops riscv_intc_domain_ops = { + .map = riscv_intc_domain_map, + .xlate = irq_domain_xlate_onecell, +- .alloc = riscv_intc_domain_alloc ++ .alloc = riscv_intc_domain_alloc, ++ .free = irq_domain_free_irqs_top, + }; + + static struct fwnode_handle *riscv_intc_hwnode(void) +-- +2.51.0 + diff --git a/queue-6.12/series b/queue-6.12/series index 84c1f1af6e..2ce7c677e3 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -79,3 +79,6 @@ nfsv4-fix-an-incorrect-parameter-when-calling-nfs4_c.patch nfs-fix-ltp-test-failures-when-timestamps-are-delega.patch alsa-usb-audio-fix-null-pointer-dereference-in-snd_u.patch acpi-hmat-fix-lockdep-warning-for-hmem_register_reso.patch +bpf-add-bpf_prog_run_data_pointers.patch +bpf-account-for-current-allocated-stack-depth-in-wid.patch +irqchip-riscv-intc-add-missing-free-callback-in-risc.patch diff --git a/queue-6.17/bpf-account-for-current-allocated-stack-depth-in-wid.patch b/queue-6.17/bpf-account-for-current-allocated-stack-depth-in-wid.patch new file mode 100644 index 0000000000..087b563b39 --- /dev/null +++ b/queue-6.17/bpf-account-for-current-allocated-stack-depth-in-wid.patch @@ -0,0 +1,71 @@ +From d15d7d0efbf198281eff890126d73c8c8bb4ff9c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Nov 2025 18:57:29 -0800 +Subject: bpf: account for current allocated stack depth in + widen_imprecise_scalars() + +From: Eduard Zingerman + +[ Upstream commit b0c8e6d3d866b6a7f73877f71968dbffd27b7785 ] + +The usage pattern for widen_imprecise_scalars() looks as follows: + + prev_st = find_prev_entry(env, ...); + queued_st = push_stack(...); + widen_imprecise_scalars(env, prev_st, queued_st); + +Where prev_st is an ancestor of the queued_st in the explored states +tree. This ancestor is not guaranteed to have same allocated stack +depth as queued_st. E.g. in the following case: + + def main(): + for i in 1..2: + foo(i) // same callsite, differnt param + + def foo(i): + if i == 1: + use 128 bytes of stack + iterator based loop + +Here, for a second 'foo' call prev_st->allocated_stack is 128, +while queued_st->allocated_stack is much smaller. +widen_imprecise_scalars() needs to take this into account and avoid +accessing bpf_verifier_state->frame[*]->stack out of bounds. + +Fixes: 2793a8b015f7 ("bpf: exact states comparison for iterator convergence checks") +Reported-by: Emil Tsalapatis +Signed-off-by: Eduard Zingerman +Link: https://lore.kernel.org/r/20251114025730.772723-1-eddyz87@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 2844adf4da61a..c3cdf2bf09aa4 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -8917,7 +8917,7 @@ static int widen_imprecise_scalars(struct bpf_verifier_env *env, + struct bpf_verifier_state *cur) + { + struct bpf_func_state *fold, *fcur; +- int i, fr; ++ int i, fr, num_slots; + + reset_idmap_scratch(env); + for (fr = old->curframe; fr >= 0; fr--) { +@@ -8930,7 +8930,9 @@ static int widen_imprecise_scalars(struct bpf_verifier_env *env, + &fcur->regs[i], + &env->idmap_scratch); + +- for (i = 0; i < fold->allocated_stack / BPF_REG_SIZE; i++) { ++ num_slots = min(fold->allocated_stack / BPF_REG_SIZE, ++ fcur->allocated_stack / BPF_REG_SIZE); ++ for (i = 0; i < num_slots; i++) { + if (!is_spilled_reg(&fold->stack[i]) || + !is_spilled_reg(&fcur->stack[i])) + continue; +-- +2.51.0 + diff --git a/queue-6.17/bpf-add-bpf_prog_run_data_pointers.patch b/queue-6.17/bpf-add-bpf_prog_run_data_pointers.patch new file mode 100644 index 0000000000..471a0cefb7 --- /dev/null +++ b/queue-6.17/bpf-add-bpf_prog_run_data_pointers.patch @@ -0,0 +1,112 @@ +From e9c87bba978322b7ea1fdc23468ec23e7a6c32d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Nov 2025 12:55:16 +0000 +Subject: bpf: Add bpf_prog_run_data_pointers() + +From: Eric Dumazet + +[ Upstream commit 4ef92743625818932b9c320152b58274c05e5053 ] + +syzbot found that cls_bpf_classify() is able to change +tc_skb_cb(skb)->drop_reason triggering a warning in sk_skb_reason_drop(). + +WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 __sk_skb_reason_drop net/core/skbuff.c:1189 [inline] +WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 sk_skb_reason_drop+0x76/0x170 net/core/skbuff.c:1214 + +struct tc_skb_cb has been added in commit ec624fe740b4 ("net/sched: +Extend qdisc control block with tc control block"), which added a wrong +interaction with db58ba459202 ("bpf: wire in data and data_end for +cls_act_bpf"). + +drop_reason was added later. + +Add bpf_prog_run_data_pointers() helper to save/restore the net_sched +storage colliding with BPF data_meta/data_end. + +Fixes: ec624fe740b4 ("net/sched: Extend qdisc control block with tc control block") +Reported-by: syzbot +Closes: https://lore.kernel.org/netdev/6913437c.a70a0220.22f260.013b.GAE@google.com/ +Signed-off-by: Eric Dumazet +Signed-off-by: Martin KaFai Lau +Reviewed-by: Victor Nogueira +Acked-by: Jamal Hadi Salim +Link: https://patch.msgid.link/20251112125516.1563021-1-edumazet@google.com +Signed-off-by: Sasha Levin +--- + include/linux/filter.h | 20 ++++++++++++++++++++ + net/sched/act_bpf.c | 6 ++---- + net/sched/cls_bpf.c | 6 ++---- + 3 files changed, 24 insertions(+), 8 deletions(-) + +diff --git a/include/linux/filter.h b/include/linux/filter.h +index 52fecb7a1fe36..152f2fc7b65a3 100644 +--- a/include/linux/filter.h ++++ b/include/linux/filter.h +@@ -898,6 +898,26 @@ static inline void bpf_compute_data_pointers(struct sk_buff *skb) + cb->data_end = skb->data + skb_headlen(skb); + } + ++static inline int bpf_prog_run_data_pointers( ++ const struct bpf_prog *prog, ++ struct sk_buff *skb) ++{ ++ struct bpf_skb_data_end *cb = (struct bpf_skb_data_end *)skb->cb; ++ void *save_data_meta, *save_data_end; ++ int res; ++ ++ save_data_meta = cb->data_meta; ++ save_data_end = cb->data_end; ++ ++ bpf_compute_data_pointers(skb); ++ res = bpf_prog_run(prog, skb); ++ ++ cb->data_meta = save_data_meta; ++ cb->data_end = save_data_end; ++ ++ return res; ++} ++ + /* Similar to bpf_compute_data_pointers(), except that save orginal + * data in cb->data and cb->meta_data for restore. + */ +diff --git a/net/sched/act_bpf.c b/net/sched/act_bpf.c +index 396b576390d00..c2b5bc19e0911 100644 +--- a/net/sched/act_bpf.c ++++ b/net/sched/act_bpf.c +@@ -47,12 +47,10 @@ TC_INDIRECT_SCOPE int tcf_bpf_act(struct sk_buff *skb, + filter = rcu_dereference(prog->filter); + if (at_ingress) { + __skb_push(skb, skb->mac_len); +- bpf_compute_data_pointers(skb); +- filter_res = bpf_prog_run(filter, skb); ++ filter_res = bpf_prog_run_data_pointers(filter, skb); + __skb_pull(skb, skb->mac_len); + } else { +- bpf_compute_data_pointers(skb); +- filter_res = bpf_prog_run(filter, skb); ++ filter_res = bpf_prog_run_data_pointers(filter, skb); + } + if (unlikely(!skb->tstamp && skb->tstamp_type)) + skb->tstamp_type = SKB_CLOCK_REALTIME; +diff --git a/net/sched/cls_bpf.c b/net/sched/cls_bpf.c +index 7fbe42f0e5c2b..a32754a2658bb 100644 +--- a/net/sched/cls_bpf.c ++++ b/net/sched/cls_bpf.c +@@ -97,12 +97,10 @@ TC_INDIRECT_SCOPE int cls_bpf_classify(struct sk_buff *skb, + } else if (at_ingress) { + /* It is safe to push/pull even if skb_shared() */ + __skb_push(skb, skb->mac_len); +- bpf_compute_data_pointers(skb); +- filter_res = bpf_prog_run(prog->filter, skb); ++ filter_res = bpf_prog_run_data_pointers(prog->filter, skb); + __skb_pull(skb, skb->mac_len); + } else { +- bpf_compute_data_pointers(skb); +- filter_res = bpf_prog_run(prog->filter, skb); ++ filter_res = bpf_prog_run_data_pointers(prog->filter, skb); + } + if (unlikely(!skb->tstamp && skb->tstamp_type)) + skb->tstamp_type = SKB_CLOCK_REALTIME; +-- +2.51.0 + diff --git a/queue-6.17/irqchip-riscv-intc-add-missing-free-callback-in-risc.patch b/queue-6.17/irqchip-riscv-intc-add-missing-free-callback-in-risc.patch new file mode 100644 index 0000000000..347dd7b664 --- /dev/null +++ b/queue-6.17/irqchip-riscv-intc-add-missing-free-callback-in-risc.patch @@ -0,0 +1,43 @@ +From cfb961a40d30ba5fceaefc3d94eaafe8d9479957 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Nov 2025 15:28:44 +0800 +Subject: irqchip/riscv-intc: Add missing free() callback in + riscv_intc_domain_ops + +From: Nick Hu + +[ Upstream commit 14473a1f88596fd729e892782efc267c0097dd1d ] + +The irq_domain_free_irqs() helper requires that the irq_domain_ops->free +callback is implemented. Otherwise, the kernel reports the warning message +"NULL pointer, cannot free irq" when irq_dispose_mapping() is invoked to +release the per-HART local interrupts. + +Set irq_domain_ops->free to irq_domain_free_irqs_top() to cure that. + +Fixes: 832f15f42646 ("RISC-V: Treat IPIs as normal Linux IRQs") +Signed-off-by: Nick Hu +Signed-off-by: Thomas Gleixner +Link: https://patch.msgid.link/20251114-rv-intc-fix-v1-1-a3edd1c1a868@sifive.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-riscv-intc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/irqchip/irq-riscv-intc.c b/drivers/irqchip/irq-riscv-intc.c +index e5805885394ee..70290b35b3173 100644 +--- a/drivers/irqchip/irq-riscv-intc.c ++++ b/drivers/irqchip/irq-riscv-intc.c +@@ -166,7 +166,8 @@ static int riscv_intc_domain_alloc(struct irq_domain *domain, + static const struct irq_domain_ops riscv_intc_domain_ops = { + .map = riscv_intc_domain_map, + .xlate = irq_domain_xlate_onecell, +- .alloc = riscv_intc_domain_alloc ++ .alloc = riscv_intc_domain_alloc, ++ .free = irq_domain_free_irqs_top, + }; + + static struct fwnode_handle *riscv_intc_hwnode(void) +-- +2.51.0 + diff --git a/queue-6.17/posix-timers-plug-potential-memory-leak-in-do_timer_.patch b/queue-6.17/posix-timers-plug-potential-memory-leak-in-do_timer_.patch new file mode 100644 index 0000000000..53aa35d8fb --- /dev/null +++ b/queue-6.17/posix-timers-plug-potential-memory-leak-in-do_timer_.patch @@ -0,0 +1,63 @@ +From 300c4d5762b3962439b20a249895c71a07708bf9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Nov 2025 14:27:39 +0200 +Subject: posix-timers: Plug potential memory leak in do_timer_create() + +From: Eslam Khafagy + +[ Upstream commit e0fd4d42e27f761e9cc82801b3f183e658dc749d ] + +When posix timer creation is set to allocate a given timer ID and the +access to the user space value faults, the function terminates without +freeing the already allocated posix timer structure. + +Move the allocation after the user space access to cure that. + +[ tglx: Massaged change log ] + +Fixes: ec2d0c04624b3 ("posix-timers: Provide a mechanism to allocate a given timer ID") +Reported-by: syzbot+9c47ad18f978d4394986@syzkaller.appspotmail.com +Suggested-by: Cyrill Gorcunov +Signed-off-by: Eslam Khafagy +Signed-off-by: Thomas Gleixner +Reviewed-by: Frederic Weisbecker +Link: https://patch.msgid.link/20251114122739.994326-1-eslam.medhat1993@gmail.com +Closes: https://lore.kernel.org/all/69155df4.a70a0220.3124cb.0017.GAE@google.com/T/ +Signed-off-by: Sasha Levin +--- + kernel/time/posix-timers.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/kernel/time/posix-timers.c b/kernel/time/posix-timers.c +index 8b582174b1f94..42db8396f1999 100644 +--- a/kernel/time/posix-timers.c ++++ b/kernel/time/posix-timers.c +@@ -476,12 +476,6 @@ static int do_timer_create(clockid_t which_clock, struct sigevent *event, + if (!kc->timer_create) + return -EOPNOTSUPP; + +- new_timer = alloc_posix_timer(); +- if (unlikely(!new_timer)) +- return -EAGAIN; +- +- spin_lock_init(&new_timer->it_lock); +- + /* Special case for CRIU to restore timers with a given timer ID. */ + if (unlikely(current->signal->timer_create_restore_ids)) { + if (copy_from_user(&req_id, created_timer_id, sizeof(req_id))) +@@ -491,6 +485,12 @@ static int do_timer_create(clockid_t which_clock, struct sigevent *event, + return -EINVAL; + } + ++ new_timer = alloc_posix_timer(); ++ if (unlikely(!new_timer)) ++ return -EAGAIN; ++ ++ spin_lock_init(&new_timer->it_lock); ++ + /* + * Add the timer to the hash table. The timer is not yet valid + * after insertion, but has a unique ID allocated. +-- +2.51.0 + diff --git a/queue-6.17/series b/queue-6.17/series index bce04e6e55..007e1a7b33 100644 --- a/queue-6.17/series +++ b/queue-6.17/series @@ -115,3 +115,7 @@ drm-amd-amdgpu-ensure-isp_kernel_buffer_alloc-create.patch acpi-hmat-fix-lockdep-warning-for-hmem_register_reso.patch asoc-rsnd-fix-of-node-reference-leak-in-rsnd_ssiu_pr.patch drm-client-fix-module_parm_desc-string-for-active.patch +bpf-add-bpf_prog_run_data_pointers.patch +bpf-account-for-current-allocated-stack-depth-in-wid.patch +irqchip-riscv-intc-add-missing-free-callback-in-risc.patch +posix-timers-plug-potential-memory-leak-in-do_timer_.patch diff --git a/queue-6.6/bpf-account-for-current-allocated-stack-depth-in-wid.patch b/queue-6.6/bpf-account-for-current-allocated-stack-depth-in-wid.patch new file mode 100644 index 0000000000..4dc210f609 --- /dev/null +++ b/queue-6.6/bpf-account-for-current-allocated-stack-depth-in-wid.patch @@ -0,0 +1,71 @@ +From f409317c6929c18861bdb5c5f2c194c0a6e334e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Nov 2025 18:57:29 -0800 +Subject: bpf: account for current allocated stack depth in + widen_imprecise_scalars() + +From: Eduard Zingerman + +[ Upstream commit b0c8e6d3d866b6a7f73877f71968dbffd27b7785 ] + +The usage pattern for widen_imprecise_scalars() looks as follows: + + prev_st = find_prev_entry(env, ...); + queued_st = push_stack(...); + widen_imprecise_scalars(env, prev_st, queued_st); + +Where prev_st is an ancestor of the queued_st in the explored states +tree. This ancestor is not guaranteed to have same allocated stack +depth as queued_st. E.g. in the following case: + + def main(): + for i in 1..2: + foo(i) // same callsite, differnt param + + def foo(i): + if i == 1: + use 128 bytes of stack + iterator based loop + +Here, for a second 'foo' call prev_st->allocated_stack is 128, +while queued_st->allocated_stack is much smaller. +widen_imprecise_scalars() needs to take this into account and avoid +accessing bpf_verifier_state->frame[*]->stack out of bounds. + +Fixes: 2793a8b015f7 ("bpf: exact states comparison for iterator convergence checks") +Reported-by: Emil Tsalapatis +Signed-off-by: Eduard Zingerman +Link: https://lore.kernel.org/r/20251114025730.772723-1-eddyz87@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 5e644b1b12aaa..45b2f06de452c 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -7839,7 +7839,7 @@ static int widen_imprecise_scalars(struct bpf_verifier_env *env, + struct bpf_verifier_state *cur) + { + struct bpf_func_state *fold, *fcur; +- int i, fr; ++ int i, fr, num_slots; + + reset_idmap_scratch(env); + for (fr = old->curframe; fr >= 0; fr--) { +@@ -7852,7 +7852,9 @@ static int widen_imprecise_scalars(struct bpf_verifier_env *env, + &fcur->regs[i], + &env->idmap_scratch); + +- for (i = 0; i < fold->allocated_stack / BPF_REG_SIZE; i++) { ++ num_slots = min(fold->allocated_stack / BPF_REG_SIZE, ++ fcur->allocated_stack / BPF_REG_SIZE); ++ for (i = 0; i < num_slots; i++) { + if (!is_spilled_reg(&fold->stack[i]) || + !is_spilled_reg(&fcur->stack[i])) + continue; +-- +2.51.0 + diff --git a/queue-6.6/bpf-add-bpf_prog_run_data_pointers.patch b/queue-6.6/bpf-add-bpf_prog_run_data_pointers.patch new file mode 100644 index 0000000000..7efdc6f564 --- /dev/null +++ b/queue-6.6/bpf-add-bpf_prog_run_data_pointers.patch @@ -0,0 +1,112 @@ +From bc09dcf7f19e10592c6b4a476957f5e1beda229b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Nov 2025 12:55:16 +0000 +Subject: bpf: Add bpf_prog_run_data_pointers() + +From: Eric Dumazet + +[ Upstream commit 4ef92743625818932b9c320152b58274c05e5053 ] + +syzbot found that cls_bpf_classify() is able to change +tc_skb_cb(skb)->drop_reason triggering a warning in sk_skb_reason_drop(). + +WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 __sk_skb_reason_drop net/core/skbuff.c:1189 [inline] +WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 sk_skb_reason_drop+0x76/0x170 net/core/skbuff.c:1214 + +struct tc_skb_cb has been added in commit ec624fe740b4 ("net/sched: +Extend qdisc control block with tc control block"), which added a wrong +interaction with db58ba459202 ("bpf: wire in data and data_end for +cls_act_bpf"). + +drop_reason was added later. + +Add bpf_prog_run_data_pointers() helper to save/restore the net_sched +storage colliding with BPF data_meta/data_end. + +Fixes: ec624fe740b4 ("net/sched: Extend qdisc control block with tc control block") +Reported-by: syzbot +Closes: https://lore.kernel.org/netdev/6913437c.a70a0220.22f260.013b.GAE@google.com/ +Signed-off-by: Eric Dumazet +Signed-off-by: Martin KaFai Lau +Reviewed-by: Victor Nogueira +Acked-by: Jamal Hadi Salim +Link: https://patch.msgid.link/20251112125516.1563021-1-edumazet@google.com +Signed-off-by: Sasha Levin +--- + include/linux/filter.h | 20 ++++++++++++++++++++ + net/sched/act_bpf.c | 6 ++---- + net/sched/cls_bpf.c | 6 ++---- + 3 files changed, 24 insertions(+), 8 deletions(-) + +diff --git a/include/linux/filter.h b/include/linux/filter.h +index 4ffea87e6fb64..ad5a3d68b5552 100644 +--- a/include/linux/filter.h ++++ b/include/linux/filter.h +@@ -685,6 +685,26 @@ static inline void bpf_compute_data_pointers(struct sk_buff *skb) + cb->data_end = skb->data + skb_headlen(skb); + } + ++static inline int bpf_prog_run_data_pointers( ++ const struct bpf_prog *prog, ++ struct sk_buff *skb) ++{ ++ struct bpf_skb_data_end *cb = (struct bpf_skb_data_end *)skb->cb; ++ void *save_data_meta, *save_data_end; ++ int res; ++ ++ save_data_meta = cb->data_meta; ++ save_data_end = cb->data_end; ++ ++ bpf_compute_data_pointers(skb); ++ res = bpf_prog_run(prog, skb); ++ ++ cb->data_meta = save_data_meta; ++ cb->data_end = save_data_end; ++ ++ return res; ++} ++ + /* Similar to bpf_compute_data_pointers(), except that save orginal + * data in cb->data and cb->meta_data for restore. + */ +diff --git a/net/sched/act_bpf.c b/net/sched/act_bpf.c +index ac87fcff4795e..a1c0e8a9fc8c2 100644 +--- a/net/sched/act_bpf.c ++++ b/net/sched/act_bpf.c +@@ -47,12 +47,10 @@ TC_INDIRECT_SCOPE int tcf_bpf_act(struct sk_buff *skb, + filter = rcu_dereference(prog->filter); + if (at_ingress) { + __skb_push(skb, skb->mac_len); +- bpf_compute_data_pointers(skb); +- filter_res = bpf_prog_run(filter, skb); ++ filter_res = bpf_prog_run_data_pointers(filter, skb); + __skb_pull(skb, skb->mac_len); + } else { +- bpf_compute_data_pointers(skb); +- filter_res = bpf_prog_run(filter, skb); ++ filter_res = bpf_prog_run_data_pointers(filter, skb); + } + if (unlikely(!skb->tstamp && skb->tstamp_type)) + skb->tstamp_type = SKB_CLOCK_REALTIME; +diff --git a/net/sched/cls_bpf.c b/net/sched/cls_bpf.c +index db7151c6b70b7..29dfe6767f108 100644 +--- a/net/sched/cls_bpf.c ++++ b/net/sched/cls_bpf.c +@@ -97,12 +97,10 @@ TC_INDIRECT_SCOPE int cls_bpf_classify(struct sk_buff *skb, + } else if (at_ingress) { + /* It is safe to push/pull even if skb_shared() */ + __skb_push(skb, skb->mac_len); +- bpf_compute_data_pointers(skb); +- filter_res = bpf_prog_run(prog->filter, skb); ++ filter_res = bpf_prog_run_data_pointers(prog->filter, skb); + __skb_pull(skb, skb->mac_len); + } else { +- bpf_compute_data_pointers(skb); +- filter_res = bpf_prog_run(prog->filter, skb); ++ filter_res = bpf_prog_run_data_pointers(prog->filter, skb); + } + if (unlikely(!skb->tstamp && skb->tstamp_type)) + skb->tstamp_type = SKB_CLOCK_REALTIME; +-- +2.51.0 + diff --git a/queue-6.6/irqchip-riscv-intc-add-missing-free-callback-in-risc.patch b/queue-6.6/irqchip-riscv-intc-add-missing-free-callback-in-risc.patch new file mode 100644 index 0000000000..3238c3d04f --- /dev/null +++ b/queue-6.6/irqchip-riscv-intc-add-missing-free-callback-in-risc.patch @@ -0,0 +1,43 @@ +From 1bdf62bb3603c3e31ea66aaf9722bfb02d4bdf7b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Nov 2025 15:28:44 +0800 +Subject: irqchip/riscv-intc: Add missing free() callback in + riscv_intc_domain_ops + +From: Nick Hu + +[ Upstream commit 14473a1f88596fd729e892782efc267c0097dd1d ] + +The irq_domain_free_irqs() helper requires that the irq_domain_ops->free +callback is implemented. Otherwise, the kernel reports the warning message +"NULL pointer, cannot free irq" when irq_dispose_mapping() is invoked to +release the per-HART local interrupts. + +Set irq_domain_ops->free to irq_domain_free_irqs_top() to cure that. + +Fixes: 832f15f42646 ("RISC-V: Treat IPIs as normal Linux IRQs") +Signed-off-by: Nick Hu +Signed-off-by: Thomas Gleixner +Link: https://patch.msgid.link/20251114-rv-intc-fix-v1-1-a3edd1c1a868@sifive.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-riscv-intc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/irqchip/irq-riscv-intc.c b/drivers/irqchip/irq-riscv-intc.c +index 627beae9649a2..84cb9cda365ad 100644 +--- a/drivers/irqchip/irq-riscv-intc.c ++++ b/drivers/irqchip/irq-riscv-intc.c +@@ -149,7 +149,8 @@ static int riscv_intc_domain_alloc(struct irq_domain *domain, + static const struct irq_domain_ops riscv_intc_domain_ops = { + .map = riscv_intc_domain_map, + .xlate = irq_domain_xlate_onecell, +- .alloc = riscv_intc_domain_alloc ++ .alloc = riscv_intc_domain_alloc, ++ .free = irq_domain_free_irqs_top, + }; + + static struct fwnode_handle *riscv_intc_hwnode(void) +-- +2.51.0 + diff --git a/queue-6.6/series b/queue-6.6/series index 79211ed8ae..debc8114d7 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -443,3 +443,6 @@ acpi-break-out-nesting-for-hmat_parse_locality.patch acpi-numa-add-setting-of-generic-port-system-localit.patch base-node-acpi-enumerate-node-access-class-for-struc.patch acpi-hmat-fix-lockdep-warning-for-hmem_register_reso.patch +bpf-add-bpf_prog_run_data_pointers.patch +bpf-account-for-current-allocated-stack-depth-in-wid.patch +irqchip-riscv-intc-add-missing-free-callback-in-risc.patch -- 2.47.3