From: Greg Kroah-Hartman Date: Mon, 6 Apr 2026 09:28:08 +0000 (+0200) Subject: atm patch fixup X-Git-Tag: v6.1.168~74 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=93813a9df91916e53fbbe3ae9276f77c03b67c71;p=thirdparty%2Fkernel%2Fstable-queue.git atm patch fixup --- diff --git a/queue-5.10/atm-lec-fix-use-after-free-in-sock_def_readable.patch b/queue-5.10/atm-lec-fix-use-after-free-in-sock_def_readable.patch index f1f2660748..de6c0f48e3 100644 --- a/queue-5.10/atm-lec-fix-use-after-free-in-sock_def_readable.patch +++ b/queue-5.10/atm-lec-fix-use-after-free-in-sock_def_readable.patch @@ -57,15 +57,21 @@ Link: https://patch.msgid.link/20260309155908.508768-1-kartikey406@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin --- - net/atm/lec.c | 72 +++++++++++++++++++++++++++++++++------------------ - net/atm/lec.h | 2 +- + net/atm/lec.c | 72 +++++++++++++++++++++++++++++++++++++--------------------- + net/atm/lec.h | 2 - 2 files changed, 48 insertions(+), 26 deletions(-) -diff --git a/net/atm/lec.c b/net/atm/lec.c -index 768df9d7cd676..a9d8ee2c68b6a 100644 --- a/net/atm/lec.c +++ b/net/atm/lec.c -@@ -154,10 +154,19 @@ static void lec_handle_bridge(struct sk_buff *skb, struct net_device *dev) +@@ -142,6 +142,7 @@ static void lec_handle_bridge(struct sk_ + struct sock *sk; + struct sk_buff *skb2; + struct atmlec_msg *mesg; ++ struct atm_vcc *vcc; + + skb2 = alloc_skb(sizeof(struct atmlec_msg), GFP_ATOMIC); + if (skb2 == NULL) +@@ -154,10 +155,18 @@ static void lec_handle_bridge(struct sk_ /* 0x01 is topology change */ priv = netdev_priv(dev); @@ -73,7 +79,6 @@ index 768df9d7cd676..a9d8ee2c68b6a 100644 - sk = sk_atm(priv->lecd); - skb_queue_tail(&sk->sk_receive_queue, skb2); - sk->sk_data_ready(sk); -+ struct atm_vcc *vcc; + + rcu_read_lock(); + vcc = rcu_dereference(priv->lecd); @@ -89,7 +94,7 @@ index 768df9d7cd676..a9d8ee2c68b6a 100644 } } #endif /* IS_ENABLED(CONFIG_BRIDGE) */ -@@ -216,7 +225,7 @@ static netdev_tx_t lec_start_xmit(struct sk_buff *skb, +@@ -216,7 +225,7 @@ static netdev_tx_t lec_start_xmit(struct int is_rdesc; pr_debug("called\n"); @@ -98,7 +103,15 @@ index 768df9d7cd676..a9d8ee2c68b6a 100644 pr_info("%s:No lecd attached\n", dev->name); dev->stats.tx_errors++; netif_stop_queue(dev); -@@ -451,10 +460,19 @@ static int lec_atm_send(struct atm_vcc *vcc, struct sk_buff *skb) +@@ -443,6 +452,7 @@ static int lec_atm_send(struct atm_vcc * + /* hit from bridge table, send LE_ARP_RESPONSE */ + struct sk_buff *skb2; + struct sock *sk; ++ struct atm_vcc *vcc; + + pr_debug("%s: entry found, responding to zeppelin\n", + dev->name); +@@ -451,10 +461,18 @@ static int lec_atm_send(struct atm_vcc * break; skb2->len = sizeof(struct atmlec_msg); skb_copy_to_linear_data(skb2, mesg, sizeof(*mesg)); @@ -106,7 +119,6 @@ index 768df9d7cd676..a9d8ee2c68b6a 100644 - sk = sk_atm(priv->lecd); - skb_queue_tail(&sk->sk_receive_queue, skb2); - sk->sk_data_ready(sk); -+ struct atm_vcc *vcc; + + rcu_read_lock(); + vcc = rcu_dereference(priv->lecd); @@ -122,7 +134,7 @@ index 768df9d7cd676..a9d8ee2c68b6a 100644 } } #endif /* IS_ENABLED(CONFIG_BRIDGE) */ -@@ -470,23 +488,16 @@ static int lec_atm_send(struct atm_vcc *vcc, struct sk_buff *skb) +@@ -470,23 +488,16 @@ static int lec_atm_send(struct atm_vcc * static void lec_atm_close(struct atm_vcc *vcc) { @@ -148,7 +160,7 @@ index 768df9d7cd676..a9d8ee2c68b6a 100644 pr_info("%s: Shut down!\n", dev->name); module_put(THIS_MODULE); } -@@ -512,12 +523,14 @@ send_to_lecd(struct lec_priv *priv, atmlec_msg_type type, +@@ -512,12 +523,14 @@ send_to_lecd(struct lec_priv *priv, atml const unsigned char *mac_addr, const unsigned char *atm_addr, struct sk_buff *data) { @@ -164,7 +176,7 @@ index 768df9d7cd676..a9d8ee2c68b6a 100644 skb = alloc_skb(sizeof(struct atmlec_msg), GFP_ATOMIC); if (!skb) return -1; -@@ -534,18 +547,27 @@ send_to_lecd(struct lec_priv *priv, atmlec_msg_type type, +@@ -534,18 +547,27 @@ send_to_lecd(struct lec_priv *priv, atml if (atm_addr) memcpy(&mesg->content.normal.atm_addr, atm_addr, ATM_ESA_LEN); @@ -195,7 +207,7 @@ index 768df9d7cd676..a9d8ee2c68b6a 100644 return 0; } -@@ -620,7 +642,7 @@ static void lec_push(struct atm_vcc *vcc, struct sk_buff *skb) +@@ -620,7 +642,7 @@ static void lec_push(struct atm_vcc *vcc atm_return(vcc, skb->truesize); if (*(__be16 *) skb->data == htons(priv->lecid) || @@ -204,7 +216,7 @@ index 768df9d7cd676..a9d8ee2c68b6a 100644 /* * Probably looping back, or if lecd is missing, * lecd has gone down -@@ -755,12 +777,12 @@ static int lecd_attach(struct atm_vcc *vcc, int arg) +@@ -755,12 +777,12 @@ static int lecd_attach(struct atm_vcc *v priv = netdev_priv(dev_lec[i]); } else { priv = netdev_priv(dev_lec[i]); @@ -219,8 +231,6 @@ index 768df9d7cd676..a9d8ee2c68b6a 100644 vcc->dev = &lecatm_dev; vcc_insert_socket(sk_atm(vcc)); -diff --git a/net/atm/lec.h b/net/atm/lec.h -index be0e2667bd8c3..ec85709bf8185 100644 --- a/net/atm/lec.h +++ b/net/atm/lec.h @@ -91,7 +91,7 @@ struct lec_priv { @@ -232,6 +242,3 @@ index be0e2667bd8c3..ec85709bf8185 100644 struct delayed_work lec_arp_work; /* C10 */ unsigned int maximum_unknown_frame_count; /* --- -2.53.0 - diff --git a/queue-5.15/atm-lec-fix-use-after-free-in-sock_def_readable.patch b/queue-5.15/atm-lec-fix-use-after-free-in-sock_def_readable.patch index 0defcba9f2..0fd4e8d92a 100644 --- a/queue-5.15/atm-lec-fix-use-after-free-in-sock_def_readable.patch +++ b/queue-5.15/atm-lec-fix-use-after-free-in-sock_def_readable.patch @@ -57,15 +57,21 @@ Link: https://patch.msgid.link/20260309155908.508768-1-kartikey406@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin --- - net/atm/lec.c | 72 +++++++++++++++++++++++++++++++++------------------ - net/atm/lec.h | 2 +- + net/atm/lec.c | 72 +++++++++++++++++++++++++++++++++++++--------------------- + net/atm/lec.h | 2 - 2 files changed, 48 insertions(+), 26 deletions(-) -diff --git a/net/atm/lec.c b/net/atm/lec.c -index 768df9d7cd676..a9d8ee2c68b6a 100644 --- a/net/atm/lec.c +++ b/net/atm/lec.c -@@ -154,10 +154,19 @@ static void lec_handle_bridge(struct sk_buff *skb, struct net_device *dev) +@@ -142,6 +142,7 @@ static void lec_handle_bridge(struct sk_ + struct sock *sk; + struct sk_buff *skb2; + struct atmlec_msg *mesg; ++ struct atm_vcc *vcc; + + skb2 = alloc_skb(sizeof(struct atmlec_msg), GFP_ATOMIC); + if (skb2 == NULL) +@@ -154,10 +155,18 @@ static void lec_handle_bridge(struct sk_ /* 0x01 is topology change */ priv = netdev_priv(dev); @@ -73,7 +79,6 @@ index 768df9d7cd676..a9d8ee2c68b6a 100644 - sk = sk_atm(priv->lecd); - skb_queue_tail(&sk->sk_receive_queue, skb2); - sk->sk_data_ready(sk); -+ struct atm_vcc *vcc; + + rcu_read_lock(); + vcc = rcu_dereference(priv->lecd); @@ -89,7 +94,7 @@ index 768df9d7cd676..a9d8ee2c68b6a 100644 } } #endif /* IS_ENABLED(CONFIG_BRIDGE) */ -@@ -216,7 +225,7 @@ static netdev_tx_t lec_start_xmit(struct sk_buff *skb, +@@ -216,7 +225,7 @@ static netdev_tx_t lec_start_xmit(struct int is_rdesc; pr_debug("called\n"); @@ -98,7 +103,15 @@ index 768df9d7cd676..a9d8ee2c68b6a 100644 pr_info("%s:No lecd attached\n", dev->name); dev->stats.tx_errors++; netif_stop_queue(dev); -@@ -451,10 +460,19 @@ static int lec_atm_send(struct atm_vcc *vcc, struct sk_buff *skb) +@@ -443,6 +452,7 @@ static int lec_atm_send(struct atm_vcc * + /* hit from bridge table, send LE_ARP_RESPONSE */ + struct sk_buff *skb2; + struct sock *sk; ++ struct atm_vcc *vcc; + + pr_debug("%s: entry found, responding to zeppelin\n", + dev->name); +@@ -451,10 +461,18 @@ static int lec_atm_send(struct atm_vcc * break; skb2->len = sizeof(struct atmlec_msg); skb_copy_to_linear_data(skb2, mesg, sizeof(*mesg)); @@ -106,7 +119,6 @@ index 768df9d7cd676..a9d8ee2c68b6a 100644 - sk = sk_atm(priv->lecd); - skb_queue_tail(&sk->sk_receive_queue, skb2); - sk->sk_data_ready(sk); -+ struct atm_vcc *vcc; + + rcu_read_lock(); + vcc = rcu_dereference(priv->lecd); @@ -122,7 +134,7 @@ index 768df9d7cd676..a9d8ee2c68b6a 100644 } } #endif /* IS_ENABLED(CONFIG_BRIDGE) */ -@@ -470,23 +488,16 @@ static int lec_atm_send(struct atm_vcc *vcc, struct sk_buff *skb) +@@ -470,23 +488,16 @@ static int lec_atm_send(struct atm_vcc * static void lec_atm_close(struct atm_vcc *vcc) { @@ -148,7 +160,7 @@ index 768df9d7cd676..a9d8ee2c68b6a 100644 pr_info("%s: Shut down!\n", dev->name); module_put(THIS_MODULE); } -@@ -512,12 +523,14 @@ send_to_lecd(struct lec_priv *priv, atmlec_msg_type type, +@@ -512,12 +523,14 @@ send_to_lecd(struct lec_priv *priv, atml const unsigned char *mac_addr, const unsigned char *atm_addr, struct sk_buff *data) { @@ -164,7 +176,7 @@ index 768df9d7cd676..a9d8ee2c68b6a 100644 skb = alloc_skb(sizeof(struct atmlec_msg), GFP_ATOMIC); if (!skb) return -1; -@@ -534,18 +547,27 @@ send_to_lecd(struct lec_priv *priv, atmlec_msg_type type, +@@ -534,18 +547,27 @@ send_to_lecd(struct lec_priv *priv, atml if (atm_addr) memcpy(&mesg->content.normal.atm_addr, atm_addr, ATM_ESA_LEN); @@ -195,7 +207,7 @@ index 768df9d7cd676..a9d8ee2c68b6a 100644 return 0; } -@@ -620,7 +642,7 @@ static void lec_push(struct atm_vcc *vcc, struct sk_buff *skb) +@@ -620,7 +642,7 @@ static void lec_push(struct atm_vcc *vcc atm_return(vcc, skb->truesize); if (*(__be16 *) skb->data == htons(priv->lecid) || @@ -204,7 +216,7 @@ index 768df9d7cd676..a9d8ee2c68b6a 100644 /* * Probably looping back, or if lecd is missing, * lecd has gone down -@@ -755,12 +777,12 @@ static int lecd_attach(struct atm_vcc *vcc, int arg) +@@ -755,12 +777,12 @@ static int lecd_attach(struct atm_vcc *v priv = netdev_priv(dev_lec[i]); } else { priv = netdev_priv(dev_lec[i]); @@ -219,8 +231,6 @@ index 768df9d7cd676..a9d8ee2c68b6a 100644 vcc->dev = &lecatm_dev; vcc_insert_socket(sk_atm(vcc)); -diff --git a/net/atm/lec.h b/net/atm/lec.h -index be0e2667bd8c3..ec85709bf8185 100644 --- a/net/atm/lec.h +++ b/net/atm/lec.h @@ -91,7 +91,7 @@ struct lec_priv { @@ -232,6 +242,3 @@ index be0e2667bd8c3..ec85709bf8185 100644 struct delayed_work lec_arp_work; /* C10 */ unsigned int maximum_unknown_frame_count; /* --- -2.53.0 -