From aae69cdfc0395e67fe2d33a544635b77f904e5c9 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 19 Jan 2026 11:19:02 +0100 Subject: [PATCH] drop a bunch of patches based on Ben's review --- ...a5d2-fix-spi-flexcom-fifo-size-to-32.patch | 73 ------ ...long-for-page-accountings-and-retval.patch | 227 ------------------ ...-protect-skb-dev-access-in-ip_output.patch | 119 --------- ...e-add-operation-ndo_sk_get_lower_dev.patch | 90 ------- ...netif_f_all_for_all-across-tso-updat.patch | 9 +- queue-5.10/series | 6 - ...d-dst_dev_rcu-in-get_netdev_for_sock.patch | 66 ----- ...a5d2-fix-spi-flexcom-fifo-size-to-32.patch | 73 ------ ...long-for-page-accountings-and-retval.patch | 223 ----------------- ...-protect-skb-dev-access-in-ip_output.patch | 119 --------- queue-5.15/series | 4 - ...d-dst_dev_rcu-in-get_netdev_for_sock.patch | 66 ----- 12 files changed, 2 insertions(+), 1073 deletions(-) delete mode 100644 queue-5.10/arm-dts-microchip-sama5d2-fix-spi-flexcom-fifo-size-to-32.patch delete mode 100644 queue-5.10/mm-mprotect-use-long-for-page-accountings-and-retval.patch delete mode 100644 queue-5.10/net-add-locking-to-protect-skb-dev-access-in-ip_output.patch delete mode 100644 queue-5.10/net-netdevice-add-operation-ndo_sk_get_lower_dev.patch delete mode 100644 queue-5.10/tls-use-__sk_dst_get-and-dst_dev_rcu-in-get_netdev_for_sock.patch delete mode 100644 queue-5.15/arm-dts-microchip-sama5d2-fix-spi-flexcom-fifo-size-to-32.patch delete mode 100644 queue-5.15/mm-mprotect-use-long-for-page-accountings-and-retval.patch delete mode 100644 queue-5.15/net-add-locking-to-protect-skb-dev-access-in-ip_output.patch delete mode 100644 queue-5.15/tls-use-__sk_dst_get-and-dst_dev_rcu-in-get_netdev_for_sock.patch diff --git a/queue-5.10/arm-dts-microchip-sama5d2-fix-spi-flexcom-fifo-size-to-32.patch b/queue-5.10/arm-dts-microchip-sama5d2-fix-spi-flexcom-fifo-size-to-32.patch deleted file mode 100644 index f718ebaece..0000000000 --- a/queue-5.10/arm-dts-microchip-sama5d2-fix-spi-flexcom-fifo-size-to-32.patch +++ /dev/null @@ -1,73 +0,0 @@ -From stable+bounces-204395-greg=kroah.com@vger.kernel.org Wed Dec 31 23:32:07 2025 -From: Sasha Levin -Date: Wed, 31 Dec 2025 17:32:02 -0500 -Subject: ARM: dts: microchip: sama5d2: fix spi flexcom fifo size to 32 -To: stable@vger.kernel.org -Cc: Nicolas Ferre , Claudiu Beznea , Sasha Levin -Message-ID: <20251231223202.3548026-1-sashal@kernel.org> - -From: Nicolas Ferre - -[ Upstream commit 7d5864dc5d5ea6a35983dd05295fb17f2f2f44ce ] - -Unlike standalone spi peripherals, on sama5d2, the flexcom spi have fifo -size of 32 data. Fix flexcom/spi nodes where this property is wrong. - -Fixes: 6b9a3584c7ed ("ARM: dts: at91: sama5d2: Add missing flexcom definitions") -Cc: stable@vger.kernel.org # 5.8+ -Signed-off-by: Nicolas Ferre -Link: https://lore.kernel.org/r/20251114140225.30372-1-nicolas.ferre@microchip.com -Signed-off-by: Claudiu Beznea -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - arch/arm/boot/dts/sama5d2.dtsi | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - ---- a/arch/arm/boot/dts/sama5d2.dtsi -+++ b/arch/arm/boot/dts/sama5d2.dtsi -@@ -555,7 +555,7 @@ - AT91_XDMAC_DT_PER_IF(1) | - AT91_XDMAC_DT_PERID(12))>; - dma-names = "tx", "rx"; -- atmel,fifo-size = <16>; -+ atmel,fifo-size = <32>; - status = "disabled"; - }; - -@@ -625,7 +625,7 @@ - AT91_XDMAC_DT_PER_IF(1) | - AT91_XDMAC_DT_PERID(14))>; - dma-names = "tx", "rx"; -- atmel,fifo-size = <16>; -+ atmel,fifo-size = <32>; - status = "disabled"; - }; - -@@ -835,7 +835,7 @@ - AT91_XDMAC_DT_PER_IF(1) | - AT91_XDMAC_DT_PERID(16))>; - dma-names = "tx", "rx"; -- atmel,fifo-size = <16>; -+ atmel,fifo-size = <32>; - status = "disabled"; - }; - -@@ -925,7 +925,7 @@ - AT91_XDMAC_DT_PER_IF(1) | - AT91_XDMAC_DT_PERID(18))>; - dma-names = "tx", "rx"; -- atmel,fifo-size = <16>; -+ atmel,fifo-size = <32>; - status = "disabled"; - }; - -@@ -976,7 +976,7 @@ - AT91_XDMAC_DT_PER_IF(1) | - AT91_XDMAC_DT_PERID(20))>; - dma-names = "tx", "rx"; -- atmel,fifo-size = <16>; -+ atmel,fifo-size = <32>; - status = "disabled"; - }; - diff --git a/queue-5.10/mm-mprotect-use-long-for-page-accountings-and-retval.patch b/queue-5.10/mm-mprotect-use-long-for-page-accountings-and-retval.patch deleted file mode 100644 index b8b5e38b4f..0000000000 --- a/queue-5.10/mm-mprotect-use-long-for-page-accountings-and-retval.patch +++ /dev/null @@ -1,227 +0,0 @@ -From stable+bounces-206084-greg=kroah.com@vger.kernel.org Wed Jan 7 04:22:20 2026 -From: Harry Yoo -Date: Wed, 7 Jan 2026 12:21:20 +0900 -Subject: mm/mprotect: use long for page accountings and retval -To: stable@vger.kernel.org -Cc: Liam.Howlett@oracle.com, akpm@linux-foundation.org, baohua@kernel.org, baolin.wang@linux.alibaba.com, david@kernel.org, dev.jain@arm.com, hughd@google.com, jane.chu@oracle.com, jannh@google.com, kas@kernel.org, lance.yang@linux.dev, linux-mm@kvack.org, lorenzo.stoakes@oracle.com, npache@redhat.com, pfalcato@suse.de, ryan.roberts@arm.com, vbabka@suse.cz, ziy@nvidia.com, Peter Xu , Mike Kravetz , James Houghton , Andrea Arcangeli , Axel Rasmussen , David Hildenbrand , Muchun Song , Nadav Amit , Harry Yoo -Message-ID: <20260107032121.587629-2-harry.yoo@oracle.com> - -From: Peter Xu - -commit a79390f5d6a78647fd70856bd42b22d994de0ba2 upstream. - -Switch to use type "long" for page accountings and retval across the whole -procedure of change_protection(). - -The change should have shrinked the possible maximum page number to be -half comparing to previous (ULONG_MAX / 2), but it shouldn't overflow on -any system either because the maximum possible pages touched by change -protection should be ULONG_MAX / PAGE_SIZE. - -Two reasons to switch from "unsigned long" to "long": - - 1. It suites better on count_vm_numa_events(), whose 2nd parameter takes - a long type. - - 2. It paves way for returning negative (error) values in the future. - -Currently the only caller that consumes this retval is change_prot_numa(), -where the unsigned long was converted to an int. Since at it, touching up -the numa code to also take a long, so it'll avoid any possible overflow -too during the int-size convertion. - -Link: https://lkml.kernel.org/r/20230104225207.1066932-3-peterx@redhat.com -Signed-off-by: Peter Xu -Acked-by: Mike Kravetz -Acked-by: James Houghton -Cc: Andrea Arcangeli -Cc: Axel Rasmussen -Cc: David Hildenbrand -Cc: Muchun Song -Cc: Nadav Amit -Signed-off-by: Andrew Morton -[ Adjust context ] -Signed-off-by: Harry Yoo -Acked-by: David Hildenbrand (Red Hat) -Signed-off-by: Greg Kroah-Hartman ---- - include/linux/hugetlb.h | 4 ++-- - include/linux/mm.h | 2 +- - mm/hugetlb.c | 4 ++-- - mm/mempolicy.c | 2 +- - mm/mprotect.c | 34 +++++++++++++++++----------------- - 5 files changed, 23 insertions(+), 23 deletions(-) - ---- a/include/linux/hugetlb.h -+++ b/include/linux/hugetlb.h -@@ -184,7 +184,7 @@ struct page *follow_huge_pgd(struct mm_s - - int pmd_huge(pmd_t pmd); - int pud_huge(pud_t pud); --unsigned long hugetlb_change_protection(struct vm_area_struct *vma, -+long hugetlb_change_protection(struct vm_area_struct *vma, - unsigned long address, unsigned long end, pgprot_t newprot); - - bool is_hugetlb_entry_migration(pte_t pte); -@@ -342,7 +342,7 @@ static inline void move_hugetlb_state(st - { - } - --static inline unsigned long hugetlb_change_protection( -+static inline long hugetlb_change_protection( - struct vm_area_struct *vma, unsigned long address, - unsigned long end, pgprot_t newprot) - { ---- a/include/linux/mm.h -+++ b/include/linux/mm.h -@@ -1876,7 +1876,7 @@ extern unsigned long move_page_tables(st - #define MM_CP_UFFD_WP_ALL (MM_CP_UFFD_WP | \ - MM_CP_UFFD_WP_RESOLVE) - --extern unsigned long change_protection(struct vm_area_struct *vma, unsigned long start, -+extern long change_protection(struct vm_area_struct *vma, unsigned long start, - unsigned long end, pgprot_t newprot, - unsigned long cp_flags); - extern int mprotect_fixup(struct vm_area_struct *vma, ---- a/mm/hugetlb.c -+++ b/mm/hugetlb.c -@@ -5051,7 +5051,7 @@ same_page: - #define flush_hugetlb_tlb_range(vma, addr, end) flush_tlb_range(vma, addr, end) - #endif - --unsigned long hugetlb_change_protection(struct vm_area_struct *vma, -+long hugetlb_change_protection(struct vm_area_struct *vma, - unsigned long address, unsigned long end, pgprot_t newprot) - { - struct mm_struct *mm = vma->vm_mm; -@@ -5059,7 +5059,7 @@ unsigned long hugetlb_change_protection( - pte_t *ptep; - pte_t pte; - struct hstate *h = hstate_vma(vma); -- unsigned long pages = 0; -+ long pages = 0; - bool shared_pmd = false; - struct mmu_notifier_range range; - ---- a/mm/mempolicy.c -+++ b/mm/mempolicy.c -@@ -653,7 +653,7 @@ unlock: - unsigned long change_prot_numa(struct vm_area_struct *vma, - unsigned long addr, unsigned long end) - { -- int nr_updated; -+ long nr_updated; - - nr_updated = change_protection(vma, addr, end, PAGE_NONE, MM_CP_PROT_NUMA); - if (nr_updated) ---- a/mm/mprotect.c -+++ b/mm/mprotect.c -@@ -35,13 +35,13 @@ - - #include "internal.h" - --static unsigned long change_pte_range(struct vm_area_struct *vma, pmd_t *pmd, -+static long change_pte_range(struct vm_area_struct *vma, pmd_t *pmd, - unsigned long addr, unsigned long end, pgprot_t newprot, - unsigned long cp_flags) - { - pte_t *pte, oldpte; - spinlock_t *ptl; -- unsigned long pages = 0; -+ long pages = 0; - int target_node = NUMA_NO_NODE; - bool dirty_accountable = cp_flags & MM_CP_DIRTY_ACCT; - bool prot_numa = cp_flags & MM_CP_PROT_NUMA; -@@ -209,13 +209,13 @@ static inline int pmd_none_or_clear_bad_ - return 0; - } - --static inline unsigned long change_pmd_range(struct vm_area_struct *vma, -+static inline long change_pmd_range(struct vm_area_struct *vma, - pud_t *pud, unsigned long addr, unsigned long end, - pgprot_t newprot, unsigned long cp_flags) - { - pmd_t *pmd; - unsigned long next; -- unsigned long pages = 0; -+ long pages = 0; - unsigned long nr_huge_updates = 0; - struct mmu_notifier_range range; - -@@ -223,7 +223,7 @@ static inline unsigned long change_pmd_r - - pmd = pmd_offset(pud, addr); - do { -- unsigned long this_pages; -+ long this_pages; - - next = pmd_addr_end(addr, end); - -@@ -281,13 +281,13 @@ next: - return pages; - } - --static inline unsigned long change_pud_range(struct vm_area_struct *vma, -- p4d_t *p4d, unsigned long addr, unsigned long end, -- pgprot_t newprot, unsigned long cp_flags) -+static inline long change_pud_range(struct vm_area_struct *vma, p4d_t *p4d, -+ unsigned long addr, unsigned long end, pgprot_t newprot, -+ unsigned long cp_flags) - { - pud_t *pud; - unsigned long next; -- unsigned long pages = 0; -+ long pages = 0; - - pud = pud_offset(p4d, addr); - do { -@@ -301,13 +301,13 @@ static inline unsigned long change_pud_r - return pages; - } - --static inline unsigned long change_p4d_range(struct vm_area_struct *vma, -- pgd_t *pgd, unsigned long addr, unsigned long end, -- pgprot_t newprot, unsigned long cp_flags) -+static inline long change_p4d_range(struct vm_area_struct *vma, pgd_t *pgd, -+ unsigned long addr, unsigned long end, pgprot_t newprot, -+ unsigned long cp_flags) - { - p4d_t *p4d; - unsigned long next; -- unsigned long pages = 0; -+ long pages = 0; - - p4d = p4d_offset(pgd, addr); - do { -@@ -321,7 +321,7 @@ static inline unsigned long change_p4d_r - return pages; - } - --static unsigned long change_protection_range(struct vm_area_struct *vma, -+static long change_protection_range(struct vm_area_struct *vma, - unsigned long addr, unsigned long end, pgprot_t newprot, - unsigned long cp_flags) - { -@@ -329,7 +329,7 @@ static unsigned long change_protection_r - pgd_t *pgd; - unsigned long next; - unsigned long start = addr; -- unsigned long pages = 0; -+ long pages = 0; - - BUG_ON(addr >= end); - pgd = pgd_offset(mm, addr); -@@ -351,11 +351,11 @@ static unsigned long change_protection_r - return pages; - } - --unsigned long change_protection(struct vm_area_struct *vma, unsigned long start, -+long change_protection(struct vm_area_struct *vma, unsigned long start, - unsigned long end, pgprot_t newprot, - unsigned long cp_flags) - { -- unsigned long pages; -+ long pages; - - BUG_ON((cp_flags & MM_CP_UFFD_WP_ALL) == MM_CP_UFFD_WP_ALL); - diff --git a/queue-5.10/net-add-locking-to-protect-skb-dev-access-in-ip_output.patch b/queue-5.10/net-add-locking-to-protect-skb-dev-access-in-ip_output.patch deleted file mode 100644 index 05c0925c9d..0000000000 --- a/queue-5.10/net-add-locking-to-protect-skb-dev-access-in-ip_output.patch +++ /dev/null @@ -1,119 +0,0 @@ -From stable+bounces-208038-greg=kroah.com@vger.kernel.org Mon Jan 12 07:34:47 2026 -From: Keerthana K -Date: Mon, 12 Jan 2026 06:30:37 +0000 -Subject: net: Add locking to protect skb->dev access in ip_output -To: stable@vger.kernel.org, gregkh@linuxfoundation.org -Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, yoshfuji@linux-ipv6.org, dsahern@kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, bpf@vger.kernel.org, borisp@nvidia.com, john.fastabend@gmail.com, sashal@kernel.org, leitao@debian.org, kuniyu@amazon.com, willemb@google.com, jramaseu@redhat.com, aviadye@mellanox.com, ilyal@mellanox.com, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, vamsi-krishna.brahmajosyula@broadcom.com, yin.ding@broadcom.com, tapas.kundu@broadcom.com, Sharath Chandra Vurukala , Keerthana K -Message-ID: <20260112063039.2968980-2-keerthana.kalyanasundaram@broadcom.com> - -From: Sharath Chandra Vurukala - -[ Upstream commit 1dbf1d590d10a6d1978e8184f8dfe20af22d680a] - -In ip_output() skb->dev is updated from the skb_dst(skb)->dev -this can become invalid when the interface is unregistered and freed, - -Introduced new skb_dst_dev_rcu() function to be used instead of -skb_dst_dev() within rcu_locks in ip_output.This will ensure that -all the skb's associated with the dev being deregistered will -be transnmitted out first, before freeing the dev. - -Given that ip_output() is called within an rcu_read_lock() -critical section or from a bottom-half context, it is safe to introduce -an RCU read-side critical section within it. - -Multiple panic call stacks were observed when UL traffic was run -in concurrency with device deregistration from different functions, -pasting one sample for reference. - -[496733.627565][T13385] Call trace: -[496733.627570][T13385] bpf_prog_ce7c9180c3b128ea_cgroupskb_egres+0x24c/0x7f0 -[496733.627581][T13385] __cgroup_bpf_run_filter_skb+0x128/0x498 -[496733.627595][T13385] ip_finish_output+0xa4/0xf4 -[496733.627605][T13385] ip_output+0x100/0x1a0 -[496733.627613][T13385] ip_send_skb+0x68/0x100 -[496733.627618][T13385] udp_send_skb+0x1c4/0x384 -[496733.627625][T13385] udp_sendmsg+0x7b0/0x898 -[496733.627631][T13385] inet_sendmsg+0x5c/0x7c -[496733.627639][T13385] __sys_sendto+0x174/0x1e4 -[496733.627647][T13385] __arm64_sys_sendto+0x28/0x3c -[496733.627653][T13385] invoke_syscall+0x58/0x11c -[496733.627662][T13385] el0_svc_common+0x88/0xf4 -[496733.627669][T13385] do_el0_svc+0x2c/0xb0 -[496733.627676][T13385] el0_svc+0x2c/0xa4 -[496733.627683][T13385] el0t_64_sync_handler+0x68/0xb4 -[496733.627689][T13385] el0t_64_sync+0x1a4/0x1a8 - -Changes in v3: -- Replaced WARN_ON() with WARN_ON_ONCE(), as suggested by Willem de Bruijn. -- Dropped legacy lines mistakenly pulled in from an outdated branch. - -Changes in v2: -- Addressed review comments from Eric Dumazet -- Used READ_ONCE() to prevent potential load/store tearing -- Added skb_dst_dev_rcu() and used along with rcu_read_lock() in ip_output - -Signed-off-by: Sharath Chandra Vurukala -Reviewed-by: Eric Dumazet -Link: https://patch.msgid.link/20250730105118.GA26100@hu-sharathv-hyd.qualcomm.com -Signed-off-by: Jakub Kicinski -[ Keerthana: Backported the patch to v5.10.y ] -Signed-off-by: Keerthana K -Signed-off-by: Greg Kroah-Hartman ---- - include/net/dst.h | 12 ++++++++++++ - net/ipv4/ip_output.c | 16 +++++++++++----- - 2 files changed, 23 insertions(+), 5 deletions(-) - ---- a/include/net/dst.h -+++ b/include/net/dst.h -@@ -547,6 +547,18 @@ static inline void skb_dst_update_pmtu_n - dst->ops->update_pmtu(dst, NULL, skb, mtu, false); - } - -+static inline struct net_device *dst_dev_rcu(const struct dst_entry *dst) -+{ -+ /* In the future, use rcu_dereference(dst->dev) */ -+ WARN_ON_ONCE(!rcu_read_lock_held()); -+ return READ_ONCE(dst->dev); -+} -+ -+static inline struct net_device *skb_dst_dev_rcu(const struct sk_buff *skb) -+{ -+ return dst_dev_rcu(skb_dst(skb)); -+} -+ - struct dst_entry *dst_blackhole_check(struct dst_entry *dst, u32 cookie); - void dst_blackhole_update_pmtu(struct dst_entry *dst, struct sock *sk, - struct sk_buff *skb, u32 mtu, bool confirm_neigh); ---- a/net/ipv4/ip_output.c -+++ b/net/ipv4/ip_output.c -@@ -429,17 +429,23 @@ int ip_mc_output(struct net *net, struct - - int ip_output(struct net *net, struct sock *sk, struct sk_buff *skb) - { -- struct net_device *dev = skb_dst(skb)->dev, *indev = skb->dev; -+ struct net_device *dev, *indev = skb->dev; -+ int ret_val; -+ -+ rcu_read_lock(); -+ dev = skb_dst_dev_rcu(skb); - - IP_UPD_PO_STATS(net, IPSTATS_MIB_OUT, skb->len); - - skb->dev = dev; - skb->protocol = htons(ETH_P_IP); - -- return NF_HOOK_COND(NFPROTO_IPV4, NF_INET_POST_ROUTING, -- net, sk, skb, indev, dev, -- ip_finish_output, -- !(IPCB(skb)->flags & IPSKB_REROUTED)); -+ ret_val = NF_HOOK_COND(NFPROTO_IPV4, NF_INET_POST_ROUTING, -+ net, sk, skb, indev, dev, -+ ip_finish_output, -+ !(IPCB(skb)->flags & IPSKB_REROUTED)); -+ rcu_read_unlock(); -+ return ret_val; - } - EXPORT_SYMBOL(ip_output); - diff --git a/queue-5.10/net-netdevice-add-operation-ndo_sk_get_lower_dev.patch b/queue-5.10/net-netdevice-add-operation-ndo_sk_get_lower_dev.patch deleted file mode 100644 index 37cad1079b..0000000000 --- a/queue-5.10/net-netdevice-add-operation-ndo_sk_get_lower_dev.patch +++ /dev/null @@ -1,90 +0,0 @@ -From stable+bounces-208039-greg=kroah.com@vger.kernel.org Mon Jan 12 07:35:17 2026 -From: Keerthana K -Date: Mon, 12 Jan 2026 06:30:38 +0000 -Subject: net: netdevice: Add operation ndo_sk_get_lower_dev -To: stable@vger.kernel.org, gregkh@linuxfoundation.org -Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, yoshfuji@linux-ipv6.org, dsahern@kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, bpf@vger.kernel.org, borisp@nvidia.com, john.fastabend@gmail.com, sashal@kernel.org, leitao@debian.org, kuniyu@amazon.com, willemb@google.com, jramaseu@redhat.com, aviadye@mellanox.com, ilyal@mellanox.com, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, vamsi-krishna.brahmajosyula@broadcom.com, yin.ding@broadcom.com, tapas.kundu@broadcom.com, Tariq Toukan , Keerthana K -Message-ID: <20260112063039.2968980-3-keerthana.kalyanasundaram@broadcom.com> - -From: Tariq Toukan - -[ Upstream commit 719a402cf60311b1cdff3f6320abaecdcc5e46b7] - -ndo_sk_get_lower_dev returns the lower netdev that corresponds to -a given socket. -Additionally, we implement a helper netdev_sk_get_lowest_dev() to get -the lowest one in chain. - -Signed-off-by: Tariq Toukan -Reviewed-by: Boris Pismenny -Signed-off-by: Jakub Kicinski -[ Keerthana: Backported the patch to v5.10.y ] -Signed-off-by: Keerthana K -Signed-off-by: Greg Kroah-Hartman ---- - include/linux/netdevice.h | 4 ++++ - net/core/dev.c | 33 +++++++++++++++++++++++++++++++++ - 2 files changed, 37 insertions(+) - ---- a/include/linux/netdevice.h -+++ b/include/linux/netdevice.h -@@ -1435,6 +1435,8 @@ struct net_device_ops { - struct net_device* (*ndo_get_xmit_slave)(struct net_device *dev, - struct sk_buff *skb, - bool all_slaves); -+ struct net_device* (*ndo_sk_get_lower_dev)(struct net_device *dev, -+ struct sock *sk); - netdev_features_t (*ndo_fix_features)(struct net_device *dev, - netdev_features_t features); - int (*ndo_set_features)(struct net_device *dev, -@@ -2914,6 +2916,8 @@ int init_dummy_netdev(struct net_device - struct net_device *netdev_get_xmit_slave(struct net_device *dev, - struct sk_buff *skb, - bool all_slaves); -+struct net_device *netdev_sk_get_lowest_dev(struct net_device *dev, -+ struct sock *sk); - struct net_device *dev_get_by_index(struct net *net, int ifindex); - struct net_device *__dev_get_by_index(struct net *net, int ifindex); - struct net_device *dev_get_by_index_rcu(struct net *net, int ifindex); ---- a/net/core/dev.c -+++ b/net/core/dev.c -@@ -8169,6 +8169,39 @@ struct net_device *netdev_get_xmit_slave - } - EXPORT_SYMBOL(netdev_get_xmit_slave); - -+static struct net_device *netdev_sk_get_lower_dev(struct net_device *dev, -+ struct sock *sk) -+{ -+ const struct net_device_ops *ops = dev->netdev_ops; -+ -+ if (!ops->ndo_sk_get_lower_dev) -+ return NULL; -+ return ops->ndo_sk_get_lower_dev(dev, sk); -+} -+ -+/** -+ * netdev_sk_get_lowest_dev - Get the lowest device in chain given device and socket -+ * @dev: device -+ * @sk: the socket -+ * -+ * %NULL is returned if no lower device is found. -+ */ -+ -+struct net_device *netdev_sk_get_lowest_dev(struct net_device *dev, -+ struct sock *sk) -+{ -+ struct net_device *lower; -+ -+ lower = netdev_sk_get_lower_dev(dev, sk); -+ while (lower) { -+ dev = lower; -+ lower = netdev_sk_get_lower_dev(dev, sk); -+ } -+ -+ return dev; -+} -+EXPORT_SYMBOL(netdev_sk_get_lowest_dev); -+ - static void netdev_adjacent_add_links(struct net_device *dev) - { - struct netdev_adjacent *iter; diff --git a/queue-5.10/netdev-preserve-netif_f_all_for_all-across-tso-updat.patch b/queue-5.10/netdev-preserve-netif_f_all_for_all-across-tso-updat.patch index f4e356bbfd..fc789d1589 100644 --- a/queue-5.10/netdev-preserve-netif_f_all_for_all-across-tso-updat.patch +++ b/queue-5.10/netdev-preserve-netif_f_all_for_all-across-tso-updat.patch @@ -21,14 +21,12 @@ Link: https://patch.msgid.link/20251224012224.56185-1-zhud@hygon.cn Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin --- - include/linux/netdevice.h | 3 ++- + include/linux/netdevice.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) -diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h -index c9f2a88a6c83e..934ecac171ccb 100644 --- a/include/linux/netdevice.h +++ b/include/linux/netdevice.h -@@ -4894,7 +4894,8 @@ netdev_features_t netdev_increment_features(netdev_features_t all, +@@ -4890,7 +4890,8 @@ netdev_features_t netdev_increment_featu static inline netdev_features_t netdev_add_tso_features(netdev_features_t features, netdev_features_t mask) { @@ -38,6 +36,3 @@ index c9f2a88a6c83e..934ecac171ccb 100644 } int __netdev_update_features(struct net_device *dev); --- -2.51.0 - diff --git a/queue-5.10/series b/queue-5.10/series index e7fa11a74f..36e662526a 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -362,7 +362,6 @@ sunrpc-svcauth_gss-avoid-null-deref-on-zero-length-gss_token-in-gss_read_proxy_v hwmon-replace-snprintf-in-show-functions-with-sysfs_emit.patch hwmon-max16065-use-local-variable-to-avoid-toctou.patch crypto-af_alg-zero-initialize-memory-allocated-via-sock_kmalloc.patch -arm-dts-microchip-sama5d2-fix-spi-flexcom-fifo-size-to-32.patch iommu-qcom-fix-device-leak-on-of_xlate.patch powerpc-64s-slb-fix-slb-multihit-issue-during-slb-preload.patch pci-brcmstb-fix-disabling-l0s-capability.patch @@ -382,7 +381,6 @@ lockd-fix-vfs_test_lock-calls.patch drm-gma500-remove-unused-helper-psb_fbdev_fb_setcolreg.patch wifi-mac80211-discard-beacon-frames-to-non-broadcast-address.patch nfsd-nfsv4-file-creation-neglects-setting-acl.patch -mm-mprotect-use-long-for-page-accountings-and-retval.patch scsi-iscsi-move-pool-freeing.patch scsi-iscsi_tcp-fix-uaf-during-logout-when-accessing-the-shost-ipaddress.patch cpufreq-scmi-fix-null-ptr-deref-in-scmi_cpufreq_get_rate.patch @@ -409,9 +407,6 @@ libceph-make-free_choose_arg_map-resilient-to-partial-allocation.patch libceph-make-calc_target-set-t-paused-not-just-clear-it.patch ext4-introduce-itail-helper.patch ext4-fix-out-of-bound-read-in-ext4_xattr_inode_dec_ref_all.patch -net-add-locking-to-protect-skb-dev-access-in-ip_output.patch -net-netdevice-add-operation-ndo_sk_get_lower_dev.patch -tls-use-__sk_dst_get-and-dst_dev_rcu-in-get_netdev_for_sock.patch bpf-sockmap-don-t-let-sock_map_-close-destroy-unhash-call-itself.patch arm-9461-1-disable-highpte-on-preempt_rt-kernels.patch alpha-don-t-reference-obsolete-termio-struct-for-tc-.patch @@ -440,4 +435,3 @@ powercap-fix-sscanf-error-return-value-handling.patch can-j1939-make-j1939_session_activate-fail-if-device.patch asoc-fsl_sai-add-missing-registers-to-cache-default.patch scsi-sg-fix-occasional-bogus-elapsed-time-that-excee.patch -6.1.161-rc1-review.patch diff --git a/queue-5.10/tls-use-__sk_dst_get-and-dst_dev_rcu-in-get_netdev_for_sock.patch b/queue-5.10/tls-use-__sk_dst_get-and-dst_dev_rcu-in-get_netdev_for_sock.patch deleted file mode 100644 index f9e489d400..0000000000 --- a/queue-5.10/tls-use-__sk_dst_get-and-dst_dev_rcu-in-get_netdev_for_sock.patch +++ /dev/null @@ -1,66 +0,0 @@ -From stable+bounces-208040-greg=kroah.com@vger.kernel.org Mon Jan 12 07:34:25 2026 -From: Keerthana K -Date: Mon, 12 Jan 2026 06:30:39 +0000 -Subject: tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock(). -To: stable@vger.kernel.org, gregkh@linuxfoundation.org -Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, yoshfuji@linux-ipv6.org, dsahern@kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, bpf@vger.kernel.org, borisp@nvidia.com, john.fastabend@gmail.com, sashal@kernel.org, leitao@debian.org, kuniyu@amazon.com, willemb@google.com, jramaseu@redhat.com, aviadye@mellanox.com, ilyal@mellanox.com, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, vamsi-krishna.brahmajosyula@broadcom.com, yin.ding@broadcom.com, tapas.kundu@broadcom.com, Kuniyuki Iwashima , Sabrina Dubroca , Keerthana K -Message-ID: <20260112063039.2968980-4-keerthana.kalyanasundaram@broadcom.com> - -From: Kuniyuki Iwashima - -[ Upstream commit c65f27b9c3be2269918e1cbad6d8884741f835c5 ] - -get_netdev_for_sock() is called during setsockopt(), -so not under RCU. - -Using sk_dst_get(sk)->dev could trigger UAF. - -Let's use __sk_dst_get() and dst_dev_rcu(). - -Note that the only ->ndo_sk_get_lower_dev() user is -bond_sk_get_lower_dev(), which uses RCU. - -Fixes: e8f69799810c ("net/tls: Add generic NIC offload infrastructure") -Signed-off-by: Kuniyuki Iwashima -Reviewed-by: Eric Dumazet -Reviewed-by: Sabrina Dubroca -Link: https://patch.msgid.link/20250916214758.650211-6-kuniyu@google.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin -[ Keerthana: Backported the patch to v5.10.y ] -Signed-off-by: Keerthana K -Signed-off-by: Greg Kroah-Hartman ---- - net/tls/tls_device.c | 18 ++++++++++-------- - 1 file changed, 10 insertions(+), 8 deletions(-) - ---- a/net/tls/tls_device.c -+++ b/net/tls/tls_device.c -@@ -113,17 +113,19 @@ unlock: - /* We assume that the socket is already connected */ - static struct net_device *get_netdev_for_sock(struct sock *sk) - { -- struct dst_entry *dst = sk_dst_get(sk); -- struct net_device *netdev = NULL; -+ struct net_device *dev, *lowest_dev = NULL; -+ struct dst_entry *dst; - -- if (likely(dst)) { -- netdev = dst->dev; -- dev_hold(netdev); -+ rcu_read_lock(); -+ dst = __sk_dst_get(sk); -+ dev = dst ? dst_dev_rcu(dst) : NULL; -+ if (likely(dev)) { -+ lowest_dev = netdev_sk_get_lowest_dev(dev, sk); -+ dev_hold(lowest_dev); - } -+ rcu_read_unlock(); - -- dst_release(dst); -- -- return netdev; -+ return lowest_dev; - } - - static void destroy_record(struct tls_record_info *record) diff --git a/queue-5.15/arm-dts-microchip-sama5d2-fix-spi-flexcom-fifo-size-to-32.patch b/queue-5.15/arm-dts-microchip-sama5d2-fix-spi-flexcom-fifo-size-to-32.patch deleted file mode 100644 index 13d4bcc08c..0000000000 --- a/queue-5.15/arm-dts-microchip-sama5d2-fix-spi-flexcom-fifo-size-to-32.patch +++ /dev/null @@ -1,73 +0,0 @@ -From stable+bounces-204391-greg=kroah.com@vger.kernel.org Wed Dec 31 22:21:02 2025 -From: Sasha Levin -Date: Wed, 31 Dec 2025 16:20:57 -0500 -Subject: ARM: dts: microchip: sama5d2: fix spi flexcom fifo size to 32 -To: stable@vger.kernel.org -Cc: Nicolas Ferre , Claudiu Beznea , Sasha Levin -Message-ID: <20251231212057.3505425-1-sashal@kernel.org> - -From: Nicolas Ferre - -[ Upstream commit 7d5864dc5d5ea6a35983dd05295fb17f2f2f44ce ] - -Unlike standalone spi peripherals, on sama5d2, the flexcom spi have fifo -size of 32 data. Fix flexcom/spi nodes where this property is wrong. - -Fixes: 6b9a3584c7ed ("ARM: dts: at91: sama5d2: Add missing flexcom definitions") -Cc: stable@vger.kernel.org # 5.8+ -Signed-off-by: Nicolas Ferre -Link: https://lore.kernel.org/r/20251114140225.30372-1-nicolas.ferre@microchip.com -Signed-off-by: Claudiu Beznea -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - arch/arm/boot/dts/sama5d2.dtsi | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - ---- a/arch/arm/boot/dts/sama5d2.dtsi -+++ b/arch/arm/boot/dts/sama5d2.dtsi -@@ -555,7 +555,7 @@ - AT91_XDMAC_DT_PER_IF(1) | - AT91_XDMAC_DT_PERID(12))>; - dma-names = "tx", "rx"; -- atmel,fifo-size = <16>; -+ atmel,fifo-size = <32>; - status = "disabled"; - }; - -@@ -625,7 +625,7 @@ - AT91_XDMAC_DT_PER_IF(1) | - AT91_XDMAC_DT_PERID(14))>; - dma-names = "tx", "rx"; -- atmel,fifo-size = <16>; -+ atmel,fifo-size = <32>; - status = "disabled"; - }; - -@@ -835,7 +835,7 @@ - AT91_XDMAC_DT_PER_IF(1) | - AT91_XDMAC_DT_PERID(16))>; - dma-names = "tx", "rx"; -- atmel,fifo-size = <16>; -+ atmel,fifo-size = <32>; - status = "disabled"; - }; - -@@ -925,7 +925,7 @@ - AT91_XDMAC_DT_PER_IF(1) | - AT91_XDMAC_DT_PERID(18))>; - dma-names = "tx", "rx"; -- atmel,fifo-size = <16>; -+ atmel,fifo-size = <32>; - status = "disabled"; - }; - -@@ -976,7 +976,7 @@ - AT91_XDMAC_DT_PER_IF(1) | - AT91_XDMAC_DT_PERID(20))>; - dma-names = "tx", "rx"; -- atmel,fifo-size = <16>; -+ atmel,fifo-size = <32>; - status = "disabled"; - }; - diff --git a/queue-5.15/mm-mprotect-use-long-for-page-accountings-and-retval.patch b/queue-5.15/mm-mprotect-use-long-for-page-accountings-and-retval.patch deleted file mode 100644 index e843156860..0000000000 --- a/queue-5.15/mm-mprotect-use-long-for-page-accountings-and-retval.patch +++ /dev/null @@ -1,223 +0,0 @@ -From stable+bounces-205079-greg=kroah.com@vger.kernel.org Tue Jan 6 12:59:45 2026 -From: Harry Yoo -Date: Tue, 6 Jan 2026 20:50:35 +0900 -Subject: mm/mprotect: use long for page accountings and retval -To: stable@vger.kernel.org -Cc: Liam.Howlett@oracle.com, akpm@linux-foundation.org, baohua@kernel.org, baolin.wang@linux.alibaba.com, david@kernel.org, dev.jain@arm.com, hughd@google.com, jane.chu@oracle.com, jannh@google.com, kas@kernel.org, lance.yang@linux.dev, linux-mm@kvack.org, lorenzo.stoakes@oracle.com, npache@redhat.com, pfalcato@suse.de, ryan.roberts@arm.com, vbabka@suse.cz, ziy@nvidia.com, Peter Xu , Mike Kravetz , James Houghton , Andrea Arcangeli , Axel Rasmussen , David Hildenbrand , Muchun Song , Nadav Amit , Harry Yoo -Message-ID: <20260106115036.86042-2-harry.yoo@oracle.com> - -From: Peter Xu - -commit a79390f5d6a78647fd70856bd42b22d994de0ba2 upstream. - -Switch to use type "long" for page accountings and retval across the whole -procedure of change_protection(). - -The change should have shrinked the possible maximum page number to be -half comparing to previous (ULONG_MAX / 2), but it shouldn't overflow on -any system either because the maximum possible pages touched by change -protection should be ULONG_MAX / PAGE_SIZE. - -Two reasons to switch from "unsigned long" to "long": - - 1. It suites better on count_vm_numa_events(), whose 2nd parameter takes - a long type. - - 2. It paves way for returning negative (error) values in the future. - -Currently the only caller that consumes this retval is change_prot_numa(), -where the unsigned long was converted to an int. Since at it, touching up -the numa code to also take a long, so it'll avoid any possible overflow -too during the int-size convertion. - -Link: https://lkml.kernel.org/r/20230104225207.1066932-3-peterx@redhat.com -Signed-off-by: Peter Xu -Acked-by: Mike Kravetz -Acked-by: James Houghton -Cc: Andrea Arcangeli -Cc: Axel Rasmussen -Cc: David Hildenbrand -Cc: Muchun Song -Cc: Nadav Amit -Signed-off-by: Andrew Morton -[ Adjust context ] -Signed-off-by: Harry Yoo -Acked-by: David Hildenbrand (Red Hat) -Signed-off-by: Greg Kroah-Hartman ---- - include/linux/hugetlb.h | 4 ++-- - include/linux/mm.h | 2 +- - mm/hugetlb.c | 4 ++-- - mm/mempolicy.c | 2 +- - mm/mprotect.c | 26 +++++++++++++------------- - 5 files changed, 19 insertions(+), 19 deletions(-) - ---- a/include/linux/hugetlb.h -+++ b/include/linux/hugetlb.h -@@ -208,7 +208,7 @@ struct page *follow_huge_pgd(struct mm_s - - int pmd_huge(pmd_t pmd); - int pud_huge(pud_t pud); --unsigned long hugetlb_change_protection(struct vm_area_struct *vma, -+long hugetlb_change_protection(struct vm_area_struct *vma, - unsigned long address, unsigned long end, pgprot_t newprot); - - bool is_hugetlb_entry_migration(pte_t pte); -@@ -379,7 +379,7 @@ static inline void move_hugetlb_state(st - { - } - --static inline unsigned long hugetlb_change_protection( -+static inline long hugetlb_change_protection( - struct vm_area_struct *vma, unsigned long address, - unsigned long end, pgprot_t newprot) - { ---- a/include/linux/mm.h -+++ b/include/linux/mm.h -@@ -1910,7 +1910,7 @@ extern unsigned long move_page_tables(st - #define MM_CP_UFFD_WP_ALL (MM_CP_UFFD_WP | \ - MM_CP_UFFD_WP_RESOLVE) - --extern unsigned long change_protection(struct vm_area_struct *vma, unsigned long start, -+extern long change_protection(struct vm_area_struct *vma, unsigned long start, - unsigned long end, pgprot_t newprot, - unsigned long cp_flags); - extern int mprotect_fixup(struct vm_area_struct *vma, ---- a/mm/hugetlb.c -+++ b/mm/hugetlb.c -@@ -5644,7 +5644,7 @@ long follow_hugetlb_page(struct mm_struc - return i ? i : err; - } - --unsigned long hugetlb_change_protection(struct vm_area_struct *vma, -+long hugetlb_change_protection(struct vm_area_struct *vma, - unsigned long address, unsigned long end, pgprot_t newprot) - { - struct mm_struct *mm = vma->vm_mm; -@@ -5652,7 +5652,7 @@ unsigned long hugetlb_change_protection( - pte_t *ptep; - pte_t pte; - struct hstate *h = hstate_vma(vma); -- unsigned long pages = 0; -+ long pages = 0; - bool shared_pmd = false; - struct mmu_notifier_range range; - ---- a/mm/mempolicy.c -+++ b/mm/mempolicy.c -@@ -634,7 +634,7 @@ unlock: - unsigned long change_prot_numa(struct vm_area_struct *vma, - unsigned long addr, unsigned long end) - { -- int nr_updated; -+ long nr_updated; - - nr_updated = change_protection(vma, addr, end, PAGE_NONE, MM_CP_PROT_NUMA); - if (nr_updated) ---- a/mm/mprotect.c -+++ b/mm/mprotect.c -@@ -35,13 +35,13 @@ - - #include "internal.h" - --static unsigned long change_pte_range(struct vm_area_struct *vma, pmd_t *pmd, -+static long change_pte_range(struct vm_area_struct *vma, pmd_t *pmd, - unsigned long addr, unsigned long end, pgprot_t newprot, - unsigned long cp_flags) - { - pte_t *pte, oldpte; - spinlock_t *ptl; -- unsigned long pages = 0; -+ long pages = 0; - int target_node = NUMA_NO_NODE; - bool dirty_accountable = cp_flags & MM_CP_DIRTY_ACCT; - bool prot_numa = cp_flags & MM_CP_PROT_NUMA; -@@ -219,13 +219,13 @@ static inline int pmd_none_or_clear_bad_ - return 0; - } - --static inline unsigned long change_pmd_range(struct vm_area_struct *vma, -+static inline long change_pmd_range(struct vm_area_struct *vma, - pud_t *pud, unsigned long addr, unsigned long end, - pgprot_t newprot, unsigned long cp_flags) - { - pmd_t *pmd; - unsigned long next; -- unsigned long pages = 0; -+ long pages = 0; - unsigned long nr_huge_updates = 0; - struct mmu_notifier_range range; - -@@ -233,7 +233,7 @@ static inline unsigned long change_pmd_r - - pmd = pmd_offset(pud, addr); - do { -- unsigned long this_pages; -+ long this_pages; - - next = pmd_addr_end(addr, end); - -@@ -291,13 +291,13 @@ next: - return pages; - } - --static inline unsigned long change_pud_range(struct vm_area_struct *vma, -+static inline long change_pud_range(struct vm_area_struct *vma, - p4d_t *p4d, unsigned long addr, unsigned long end, - pgprot_t newprot, unsigned long cp_flags) - { - pud_t *pud; - unsigned long next; -- unsigned long pages = 0; -+ long pages = 0; - - pud = pud_offset(p4d, addr); - do { -@@ -311,13 +311,13 @@ static inline unsigned long change_pud_r - return pages; - } - --static inline unsigned long change_p4d_range(struct vm_area_struct *vma, -+static inline long change_p4d_range(struct vm_area_struct *vma, - pgd_t *pgd, unsigned long addr, unsigned long end, - pgprot_t newprot, unsigned long cp_flags) - { - p4d_t *p4d; - unsigned long next; -- unsigned long pages = 0; -+ long pages = 0; - - p4d = p4d_offset(pgd, addr); - do { -@@ -331,7 +331,7 @@ static inline unsigned long change_p4d_r - return pages; - } - --static unsigned long change_protection_range(struct vm_area_struct *vma, -+static long change_protection_range(struct vm_area_struct *vma, - unsigned long addr, unsigned long end, pgprot_t newprot, - unsigned long cp_flags) - { -@@ -339,7 +339,7 @@ static unsigned long change_protection_r - pgd_t *pgd; - unsigned long next; - unsigned long start = addr; -- unsigned long pages = 0; -+ long pages = 0; - - BUG_ON(addr >= end); - pgd = pgd_offset(mm, addr); -@@ -361,11 +361,11 @@ static unsigned long change_protection_r - return pages; - } - --unsigned long change_protection(struct vm_area_struct *vma, unsigned long start, -+long change_protection(struct vm_area_struct *vma, unsigned long start, - unsigned long end, pgprot_t newprot, - unsigned long cp_flags) - { -- unsigned long pages; -+ long pages; - - BUG_ON((cp_flags & MM_CP_UFFD_WP_ALL) == MM_CP_UFFD_WP_ALL); - diff --git a/queue-5.15/net-add-locking-to-protect-skb-dev-access-in-ip_output.patch b/queue-5.15/net-add-locking-to-protect-skb-dev-access-in-ip_output.patch deleted file mode 100644 index 576e9418c0..0000000000 --- a/queue-5.15/net-add-locking-to-protect-skb-dev-access-in-ip_output.patch +++ /dev/null @@ -1,119 +0,0 @@ -From stable+bounces-208042-greg=kroah.com@vger.kernel.org Mon Jan 12 07:39:03 2026 -From: Keerthana K -Date: Mon, 12 Jan 2026 06:35:45 +0000 -Subject: net: Add locking to protect skb->dev access in ip_output -To: stable@vger.kernel.org, gregkh@linuxfoundation.org -Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, yoshfuji@linux-ipv6.org, dsahern@kernel.org, borisp@nvidia.com, john.fastabend@gmail.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, bpf@vger.kernel.org, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, vamsi-krishna.brahmajosyula@broadcom.com, yin.ding@broadcom.com, tapas.kundu@broadcom.com, Sharath Chandra Vurukala , Keerthana K -Message-ID: <20260112063546.2969089-2-keerthana.kalyanasundaram@broadcom.com> - -From: Sharath Chandra Vurukala - -[ Upstream commit 1dbf1d590d10a6d1978e8184f8dfe20af22d680a] - -In ip_output() skb->dev is updated from the skb_dst(skb)->dev -this can become invalid when the interface is unregistered and freed, - -Introduced new skb_dst_dev_rcu() function to be used instead of -skb_dst_dev() within rcu_locks in ip_output.This will ensure that -all the skb's associated with the dev being deregistered will -be transnmitted out first, before freeing the dev. - -Given that ip_output() is called within an rcu_read_lock() -critical section or from a bottom-half context, it is safe to introduce -an RCU read-side critical section within it. - -Multiple panic call stacks were observed when UL traffic was run -in concurrency with device deregistration from different functions, -pasting one sample for reference. - -[496733.627565][T13385] Call trace: -[496733.627570][T13385] bpf_prog_ce7c9180c3b128ea_cgroupskb_egres+0x24c/0x7f0 -[496733.627581][T13385] __cgroup_bpf_run_filter_skb+0x128/0x498 -[496733.627595][T13385] ip_finish_output+0xa4/0xf4 -[496733.627605][T13385] ip_output+0x100/0x1a0 -[496733.627613][T13385] ip_send_skb+0x68/0x100 -[496733.627618][T13385] udp_send_skb+0x1c4/0x384 -[496733.627625][T13385] udp_sendmsg+0x7b0/0x898 -[496733.627631][T13385] inet_sendmsg+0x5c/0x7c -[496733.627639][T13385] __sys_sendto+0x174/0x1e4 -[496733.627647][T13385] __arm64_sys_sendto+0x28/0x3c -[496733.627653][T13385] invoke_syscall+0x58/0x11c -[496733.627662][T13385] el0_svc_common+0x88/0xf4 -[496733.627669][T13385] do_el0_svc+0x2c/0xb0 -[496733.627676][T13385] el0_svc+0x2c/0xa4 -[496733.627683][T13385] el0t_64_sync_handler+0x68/0xb4 -[496733.627689][T13385] el0t_64_sync+0x1a4/0x1a8 - -Changes in v3: -- Replaced WARN_ON() with WARN_ON_ONCE(), as suggested by Willem de Bruijn. -- Dropped legacy lines mistakenly pulled in from an outdated branch. - -Changes in v2: -- Addressed review comments from Eric Dumazet -- Used READ_ONCE() to prevent potential load/store tearing -- Added skb_dst_dev_rcu() and used along with rcu_read_lock() in ip_output - -Signed-off-by: Sharath Chandra Vurukala -Reviewed-by: Eric Dumazet -Link: https://patch.msgid.link/20250730105118.GA26100@hu-sharathv-hyd.qualcomm.com -Signed-off-by: Jakub Kicinski -[ Keerthana: Backported the patch to v5.15-v6.1 ] -Signed-off-by: Keerthana K -Signed-off-by: Greg Kroah-Hartman ---- - include/net/dst.h | 12 ++++++++++++ - net/ipv4/ip_output.c | 16 +++++++++++----- - 2 files changed, 23 insertions(+), 5 deletions(-) - ---- a/include/net/dst.h -+++ b/include/net/dst.h -@@ -554,6 +554,18 @@ static inline void skb_dst_update_pmtu_n - dst->ops->update_pmtu(dst, NULL, skb, mtu, false); - } - -+static inline struct net_device *dst_dev_rcu(const struct dst_entry *dst) -+{ -+ /* In the future, use rcu_dereference(dst->dev) */ -+ WARN_ON_ONCE(!rcu_read_lock_held()); -+ return READ_ONCE(dst->dev); -+} -+ -+static inline struct net_device *skb_dst_dev_rcu(const struct sk_buff *skb) -+{ -+ return dst_dev_rcu(skb_dst(skb)); -+} -+ - struct dst_entry *dst_blackhole_check(struct dst_entry *dst, u32 cookie); - void dst_blackhole_update_pmtu(struct dst_entry *dst, struct sock *sk, - struct sk_buff *skb, u32 mtu, bool confirm_neigh); ---- a/net/ipv4/ip_output.c -+++ b/net/ipv4/ip_output.c -@@ -420,17 +420,23 @@ int ip_mc_output(struct net *net, struct - - int ip_output(struct net *net, struct sock *sk, struct sk_buff *skb) - { -- struct net_device *dev = skb_dst(skb)->dev, *indev = skb->dev; -+ struct net_device *dev, *indev = skb->dev; -+ int ret_val; -+ -+ rcu_read_lock(); -+ dev = skb_dst_dev_rcu(skb); - - IP_UPD_PO_STATS(net, IPSTATS_MIB_OUT, skb->len); - - skb->dev = dev; - skb->protocol = htons(ETH_P_IP); - -- return NF_HOOK_COND(NFPROTO_IPV4, NF_INET_POST_ROUTING, -- net, sk, skb, indev, dev, -- ip_finish_output, -- !(IPCB(skb)->flags & IPSKB_REROUTED)); -+ ret_val = NF_HOOK_COND(NFPROTO_IPV4, NF_INET_POST_ROUTING, -+ net, sk, skb, indev, dev, -+ ip_finish_output, -+ !(IPCB(skb)->flags & IPSKB_REROUTED)); -+ rcu_read_unlock(); -+ return ret_val; - } - EXPORT_SYMBOL(ip_output); - diff --git a/queue-5.15/series b/queue-5.15/series index 5a16579bba..c0a0b9bed2 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -440,7 +440,6 @@ usb-ohci-nxp-fix-device-leak-on-probe-failure.patch fuse-fix-readahead-reclaim-deadlock.patch arm-dts-microchip-sama7g5-fix-uart-fifo-size-to-32.patch svcrdma-bound-check-rq_pages-index-in-inline-path.patch -arm-dts-microchip-sama5d2-fix-spi-flexcom-fifo-size-to-32.patch crypto-af_alg-zero-initialize-memory-allocated-via-sock_kmalloc.patch kvm-svm-mark-vmcb_npt-as-dirty-on-nested-vmrun.patch sunrpc-svcauth_gss-avoid-null-deref-on-zero-length-gss_token-in-gss_read_proxy_verf.patch @@ -472,7 +471,6 @@ drm-i915-selftests-fix-subtraction-overflow-bug.patch page_pool-fix-use-after-free-in-page_pool_recycle_in_ring.patch kvm-x86-acquire-kvm-srcu-when-handling-kvm_set_vcpu_events.patch hid-core-harden-s32ton-against-conversion-to-0-bits.patch -mm-mprotect-use-long-for-page-accountings-and-retval.patch kvm-arm64-sys_regs-disable-wuninitialized-const-pointer-warning.patch ipv6-fix-potential-uninit-value-access-in-__ip6_make_skb.patch ipv4-fix-uninit-value-access-in-__ip_make_skb.patch @@ -499,8 +497,6 @@ libceph-return-the-handler-error-from-mon_handle_auth_done.patch libceph-make-calc_target-set-t-paused-not-just-clear-it.patch ext4-introduce-itail-helper.patch ext4-fix-out-of-bound-read-in-ext4_xattr_inode_dec_ref_all.patch -net-add-locking-to-protect-skb-dev-access-in-ip_output.patch -tls-use-__sk_dst_get-and-dst_dev_rcu-in-get_netdev_for_sock.patch csky-fix-csky_cmpxchg_fixup-not-working.patch arm-9461-1-disable-highpte-on-preempt_rt-kernels.patch alpha-don-t-reference-obsolete-termio-struct-for-tc-.patch diff --git a/queue-5.15/tls-use-__sk_dst_get-and-dst_dev_rcu-in-get_netdev_for_sock.patch b/queue-5.15/tls-use-__sk_dst_get-and-dst_dev_rcu-in-get_netdev_for_sock.patch deleted file mode 100644 index aad612214a..0000000000 --- a/queue-5.15/tls-use-__sk_dst_get-and-dst_dev_rcu-in-get_netdev_for_sock.patch +++ /dev/null @@ -1,66 +0,0 @@ -From stable+bounces-208043-greg=kroah.com@vger.kernel.org Mon Jan 12 07:39:25 2026 -From: Keerthana K -Date: Mon, 12 Jan 2026 06:35:46 +0000 -Subject: tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock(). -To: stable@vger.kernel.org, gregkh@linuxfoundation.org -Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, yoshfuji@linux-ipv6.org, dsahern@kernel.org, borisp@nvidia.com, john.fastabend@gmail.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, bpf@vger.kernel.org, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, vamsi-krishna.brahmajosyula@broadcom.com, yin.ding@broadcom.com, tapas.kundu@broadcom.com, Kuniyuki Iwashima , Sabrina Dubroca , Sasha Levin , Keerthana K -Message-ID: <20260112063546.2969089-3-keerthana.kalyanasundaram@broadcom.com> - -From: Kuniyuki Iwashima - -[ Upstream commit c65f27b9c3be2269918e1cbad6d8884741f835c5 ] - -get_netdev_for_sock() is called during setsockopt(), -so not under RCU. - -Using sk_dst_get(sk)->dev could trigger UAF. - -Let's use __sk_dst_get() and dst_dev_rcu(). - -Note that the only ->ndo_sk_get_lower_dev() user is -bond_sk_get_lower_dev(), which uses RCU. - -Fixes: e8f69799810c ("net/tls: Add generic NIC offload infrastructure") -Signed-off-by: Kuniyuki Iwashima -Reviewed-by: Eric Dumazet -Reviewed-by: Sabrina Dubroca -Link: https://patch.msgid.link/20250916214758.650211-6-kuniyu@google.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin -[ Keerthana: Backport to v5.15-v6.1 ] -Signed-off-by: Keerthana K -Signed-off-by: Greg Kroah-Hartman ---- - net/tls/tls_device.c | 18 ++++++++++-------- - 1 file changed, 10 insertions(+), 8 deletions(-) - ---- a/net/tls/tls_device.c -+++ b/net/tls/tls_device.c -@@ -110,17 +110,19 @@ static void tls_device_queue_ctx_destruc - /* We assume that the socket is already connected */ - static struct net_device *get_netdev_for_sock(struct sock *sk) - { -- struct dst_entry *dst = sk_dst_get(sk); -- struct net_device *netdev = NULL; -+ struct net_device *dev, *lowest_dev = NULL; -+ struct dst_entry *dst; - -- if (likely(dst)) { -- netdev = netdev_sk_get_lowest_dev(dst->dev, sk); -- dev_hold(netdev); -+ rcu_read_lock(); -+ dst = __sk_dst_get(sk); -+ dev = dst ? dst_dev_rcu(dst) : NULL; -+ if (likely(dev)) { -+ lowest_dev = netdev_sk_get_lowest_dev(dev, sk); -+ dev_hold(lowest_dev); - } -+ rcu_read_unlock(); - -- dst_release(dst); -- -- return netdev; -+ return lowest_dev; - } - - static void destroy_record(struct tls_record_info *record) -- 2.47.3