From: Greg Kroah-Hartman Date: Wed, 17 Jun 2026 03:18:55 +0000 (+0530) Subject: 6.1-stable patches X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f3614470d3d082272b360a08afaeb8fde3f8de89;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: batman-adv-tp_meter-fix-tp_vars-reference-leak-in-receiver-shutdown.patch bootconfig-fix-negative-seeks-on-32-bit-with-lfs-enabled.patch crypto-nx-fix-context-leak-in-nx842_crypto_free_ctx.patch media-rc-igorplugusb-fix-control-request-setup-packet.patch media-rc-ttusbir-fix-inverted-error-logic.patch r8152-hold-the-rtnl_lock-for-all-of-reset.patch selftests-bpf-fix-bpf_nf-selftest-failure.patch
---
diff --git a/queue-6.1/batman-adv-tp_meter-fix-tp_vars-reference-leak-in-receiver-shutdown.patch b/queue-6.1/batman-adv-tp_meter-fix-tp_vars-reference-leak-in-receiver-shutdown.patch
new file mode 100644
index 0000000000..aff70cdc99
--- /dev/null
+++ b/queue-6.1/batman-adv-tp_meter-fix-tp_vars-reference-leak-in-receiver-shutdown.patch
@@ -0,0 +1,91 @@
+From 77098e4bea37af51d3962efa88a5af2ea5e1ac57 Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann
+Date: Sun, 10 May 2026 11:31:03 +0200
+Subject: batman-adv: tp_meter: fix tp_vars reference leak in receiver shutdown
+
+From: Sven Eckelmann
+
+commit 77098e4bea37af51d3962efa88a5af2ea5e1ac57 upstream.
+
+The receiver shutdown timer handler, batadv_tp_receiver_shutdown(), is
+responsible for releasing the tp_vars reference it holds. However, the
+existing logic for coordinating this release with batadv_tp_stop_all() was
+flawed.
+
+timer_shutdown_sync() guarantees the timer will not fire again after it
+returns, but it returns non-zero only when the timer was pending at the
+time of the call. If the timer had already expired (and
+batadv_tp_stop_all() would unsucessfully try to rearm itself),
+batadv_tp_stop_all() skips its batadv_tp_vars_put(), and
+batadv_tp_receiver_shutdown() fails to put its own reference as well.
+
+Fix this by introducing a new atomic variable receiving that is set to 1
+when the receiver is initialized and cleared atomically with atomic_xchg()
+by whichever side claims it first. Only the side that observes the
+transition from 1 to 0 is responsible for releasing the tp_vars timer
+reference, eliminating the uncertainty.
+
+Cc: stable@kernel.org
+Fixes: 3d3cf6a7314a ("batman-adv: stop tp_meter sessions during mesh teardown")
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/batman-adv/tp_meter.c | 13 +++++++++++--
+ net/batman-adv/types.h | 3 +++
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+--- a/net/batman-adv/tp_meter.c
++++ b/net/batman-adv/tp_meter.c
+@@ -8,6 +8,7 @@
+ #include "main.h"
+
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -1157,6 +1158,9 @@ static void batadv_tp_receiver_shutdown(
+ spin_unlock_bh(&tp_vars->unacked_lock);
+
+ /* drop reference of timer */
++ if (WARN_ON(atomic_xchg(&tp_vars->receiving, 0) != 1))
++ return;
++
+ batadv_tp_vars_put(tp_vars);
+ }
+
+@@ -1375,6 +1379,7 @@ batadv_tp_init_recv(struct batadv_priv *
+
+ ether_addr_copy(tp_vars->other_end, icmp->orig);
+ tp_vars->role = BATADV_TP_RECEIVER;
++ atomic_set(&tp_vars->receiving, 1);
+ memcpy(tp_vars->session, icmp->session, sizeof(tp_vars->session));
+ tp_vars->last_recv = BATADV_TP_FIRST_SEQ;
+ tp_vars->bat_priv = bat_priv;
+@@ -1547,8 +1552,12 @@ void batadv_tp_stop_all(struct batadv_pr
+ break;
+ case BATADV_TP_RECEIVER:
+ batadv_tp_list_detach(tp_var);
+- if (timer_shutdown_sync(&tp_var->timer))
+- batadv_tp_vars_put(tp_var);
++ timer_shutdown_sync(&tp_var->timer);
++
++ if (atomic_xchg(&tp_var->receiving, 0) != 1)
++ break;
++
++ batadv_tp_vars_put(tp_var);
+ break;
+ }
+
+--- a/net/batman-adv/types.h
++++ b/net/batman-adv/types.h
+@@ -1400,6 +1400,9 @@ struct batadv_tp_vars {
+ /** @sending: sending binary semaphore: 1 if sending, 0 is not */
+ atomic_t sending;
+
++ /** @receiving: receiving binary semaphore: 1 if receiving, 0 is not */
++ atomic_t receiving;
++
+ /** @reason: reason for a stopped session */
+ enum batadv_tp_meter_reason reason;
+
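Review bot: In the batadv_tp_receiver_shutdown() hunk the existing comment `/* drop reference of timer */` now sits above the `WARN_ON(atomic_xchg(...))` claim check rather than above the put, and the new kernel-doc in types.h describes `receiving` as a semaphore although the code uses it to decide which side drops the timer's tp_vars reference. Getting that rule wrong means either a leaked or a doubly-dropped reference, so I would state it where the field is declared, e.g. `/** @receiving: 1 while the receiver timer still owns a tp_vars reference; the side whose atomic_xchg() sees 1 -> 0 must put it */`. The shutdown comment could become `/* claim the timer's reference; batadv_tp_stop_all() drops it if it claimed first */`. Both functions continue outside the hunks shown.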
diff --git a/queue-6.1/bootconfig-fix-negative-seeks-on-32-bit-with-lfs-enabled.patch b/queue-6.1/bootconfig-fix-negative-seeks-on-32-bit-with-lfs-enabled.patch
new file mode 100644
index 0000000000..2a637c8e9b
--- /dev/null
+++ b/queue-6.1/bootconfig-fix-negative-seeks-on-32-bit-with-lfs-enabled.patch
@@ -0,0 +1,53 @@
+From 729dc340a4ed1267774fc8518284e976e2210bdc Mon Sep 17 00:00:00 2001
+From: Ben Hutchings
+Date: Sun, 17 Aug 2025 16:21:46 +0200
+Subject: bootconfig: Fix negative seeks on 32-bit with LFS enabled
+
+From: Ben Hutchings
+
+commit 729dc340a4ed1267774fc8518284e976e2210bdc upstream.
+
+Commit 26dda5769509 "tools/bootconfig: Cleanup bootconfig footer size
+calculations" replaced some expressions of type int with the
+BOOTCONFIG_FOOTER_SIZE macro, which expands to an expression of type
+size_t, which is unsigned.
+
+On 32-bit architectures with LFS enabled (i.e. off_t is 64-bit), the
+seek offset of -BOOTCONFIG_FOOTER_SIZE now turns into a positive
+value.
+
+Fix this by casting the size to off_t before negating it.
+
+Just in case someone changes BOOTCONFIG_MAGIC_LEN to have type size_t
+later, do the same thing to the seek offset of -BOOTCONFIG_MAGIC_LEN.
+
+Link: https://lore.kernel.org/all/aKHlevxeg6Y7UQrz@decadent.org.uk/
+
+Fixes: 26dda5769509 ("tools/bootconfig: Cleanup bootconfig footer size calculations")
+Signed-off-by: Ben Hutchings
+Signed-off-by: Masami Hiramatsu (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/bootconfig/main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/tools/bootconfig/main.c
++++ b/tools/bootconfig/main.c
+@@ -195,7 +195,7 @@ static int load_xbc_from_initrd(int fd,
+ if (stat.st_size < BOOTCONFIG_FOOTER_SIZE)
+ return 0;
+
+- if (lseek(fd, -BOOTCONFIG_MAGIC_LEN, SEEK_END) < 0)
++ if (lseek(fd, -(off_t)BOOTCONFIG_MAGIC_LEN, SEEK_END) < 0)
+ return pr_errno("Failed to lseek for magic", -errno);
+
+ if (read(fd, magic, BOOTCONFIG_MAGIC_LEN) < 0)
+@@ -205,7 +205,7 @@ static int load_xbc_from_initrd(int fd,
+ if (memcmp(magic, BOOTCONFIG_MAGIC, BOOTCONFIG_MAGIC_LEN) != 0)
+ return 0;
+
+- if (lseek(fd, -BOOTCONFIG_FOOTER_SIZE, SEEK_END) < 0)
++ if (lseek(fd, -(off_t)BOOTCONFIG_FOOTER_SIZE, SEEK_END) < 0)
+ return pr_errno("Failed to lseek for size", -errno);
+
+ if (read(fd, &size, sizeof(uint32_t)) < 0)
diff --git a/queue-6.1/crypto-nx-fix-context-leak-in-nx842_crypto_free_ctx.patch b/queue-6.1/crypto-nx-fix-context-leak-in-nx842_crypto_free_ctx.patch
new file mode 100644
index 0000000000..8068a81239
--- /dev/null
+++ b/queue-6.1/crypto-nx-fix-context-leak-in-nx842_crypto_free_ctx.patch
@@ -0,0 +1,46 @@
+From 344e6a4f7ff4756b9b3f75e0eb7eaec297e35540 Mon Sep 17 00:00:00 2001
+From: Thorsten Blum
+Date: Wed, 11 Mar 2026 16:56:49 +0100
+Subject: crypto: nx - fix context leak in nx842_crypto_free_ctx
+
+From: Thorsten Blum
+
+commit 344e6a4f7ff4756b9b3f75e0eb7eaec297e35540 upstream.
+
+Since the scomp conversion, nx842_crypto_alloc_ctx() allocates the
+context separately, but nx842_crypto_free_ctx() never releases it. Add
+the missing kfree(ctx) to nx842_crypto_free_ctx(), and reuse
+nx842_crypto_free_ctx() in the allocation error path.
+
+Fixes: 980b5705f4e7 ("crypto: nx - Migrate to scomp API")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thorsten Blum
+Reviewed-by: Ard Biesheuvel
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/crypto/nx/nx-842.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/crypto/nx/nx-842.c
++++ b/drivers/crypto/nx/nx-842.c
+@@ -115,10 +115,7 @@ void *nx842_crypto_alloc_ctx(struct nx84
+ ctx->sbounce = (u8 *)__get_free_pages(GFP_KERNEL, BOUNCE_BUFFER_ORDER);
+ ctx->dbounce = (u8 *)__get_free_pages(GFP_KERNEL, BOUNCE_BUFFER_ORDER);
+ if (!ctx->wmem || !ctx->sbounce || !ctx->dbounce) {
+- kfree(ctx->wmem);
+- free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER);
+- free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER);
+- kfree(ctx);
++ nx842_crypto_free_ctx(ctx);
+ return ERR_PTR(-ENOMEM);
+ }
+
+@@ -133,6 +130,7 @@ void nx842_crypto_free_ctx(void *p)
+ kfree(ctx->wmem);
+ free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER);
+ free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER);
++ kfree(ctx);
+ }
+ EXPORT_SYMBOL_GPL(nx842_crypto_free_ctx);
+
diff --git a/queue-6.1/media-rc-igorplugusb-fix-control-request-setup-packet.patch b/queue-6.1/media-rc-igorplugusb-fix-control-request-setup-packet.patch
new file mode 100644
index 0000000000..91e08726fe
--- /dev/null
+++ b/queue-6.1/media-rc-igorplugusb-fix-control-request-setup-packet.patch
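Review bot: In the nx-842 patch, the `kfree(ctx)` added to nx842_crypto_free_ctx() changes the ownership contract of an exported function: after this, any caller that still frees the context itself once the helper returns would double-free it. The callers are not in the hunk, so this should be confirmed against the 6.1 tree this backport applies to rather than taken from upstream. I would also record the contract on the function with a short kernel-doc comment saying that it releases wmem, both bounce buffers and the context itself, and that `p` must not be used afterwards. The start of both functions lies outside the hunks.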
@@ -0,0 +1,50 @@
+From 171022c7d594c133a45f92357a2a91475edabe20 Mon Sep 17 00:00:00 2001
+From: Henri A
+Date: Wed, 20 May 2026 10:25:44 -0400
+Subject: media: rc: igorplugusb: fix control request setup packet
+
+From: Henri A
+
+commit 171022c7d594c133a45f92357a2a91475edabe20 upstream.
+
+Commit eac69475b01f ("media: rc: igorplugusb: heed coherency
+rules") changed the control request storage from an embedded struct to
+an allocated pointer so it can obey DMA coherency rules.
+
+However, the driver still passes &ir->request to usb_fill_control_urb().
+That points the URB setup packet at the pointer field itself rather than
+at the allocated struct usb_ctrlrequest.
+
+USB core then interprets pointer bytes as the setup packet. This can
+produce an invalid bRequestType and trigger the control direction warning
+reported by syzbot:
+
+ usb 2-1: BOGUS control dir, pipe 80003580 doesn't match bRequestType 0
+
+Pass ir->request itself as the setup packet.
+
+Fixes: eac69475b01f ("media: rc: igorplugusb: heed coherency rules")
+Reported-by: syzbot+11f0e4f957c7c3bf3d51@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=11f0e4f957c7c3bf3d51
+Tested-by: syzbot+11f0e4f957c7c3bf3d51@syzkaller.appspotmail.com
+Cc: stable@vger.kernel.org
+Assisted-by: Codex:GPT-5.5
+Signed-off-by: Henri A
+Signed-off-by: Sean Young
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/rc/igorplugusb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/rc/igorplugusb.c
++++ b/drivers/media/rc/igorplugusb.c
+@@ -184,7 +184,7 @@ static int igorplugusb_probe(struct usb_
+ if (!ir->buf_in)
+ goto fail;
+ usb_fill_control_urb(ir->urb, udev,
+- usb_rcvctrlpipe(udev, 0), (uint8_t *)&ir->request,
++ usb_rcvctrlpipe(udev, 0), (uint8_t *)ir->request,
+ ir->buf_in, MAX_PACKET, igorplugusb_callback, ir);
+
+ usb_make_path(udev, ir->phys, sizeof(ir->phys));
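Review bot: The `(uint8_t *)` cast on the setup-packet argument in igorplugusb_probe() is what let `&ir->request` keep compiling after the field became a pointer, and the fixed line still carries the same cast, so the compiler will not catch a repeat of this mistake. A one-line comment above the call would make the intent explicit, e.g. `/* ir->request points to the allocated struct usb_ctrlrequest; pass the pointer, not its address */`. The rest of the probe function, including where `ir->request` is allocated and checked, is outside the hunk.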
diff --git a/queue-6.1/media-rc-ttusbir-fix-inverted-error-logic.patch b/queue-6.1/media-rc-ttusbir-fix-inverted-error-logic.patch
new file mode 100644
index 0000000000..f44959c56c
--- /dev/null
+++ b/queue-6.1/media-rc-ttusbir-fix-inverted-error-logic.patch
@@ -0,0 +1,33 @@
+From 646ebdd3105809d84ed04aa9e92e47e89cc44502 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Fri, 10 Apr 2026 23:03:09 +0200
+Subject: media: rc: ttusbir: fix inverted error logic
+
+From: Oliver Neukum
+
+commit 646ebdd3105809d84ed04aa9e92e47e89cc44502 upstream.
+
+We have to report ENOMEM if no buffer is allocated.
+Typo dropped a "!". Restore it.
+
+Fixes: 50acaad3d202 ("media: rc: ttusbir: respect DMA coherency rules")
+Cc: stable@vger.kernel.org
+Signed-off-by: Oliver Neukum
+Signed-off-by: Sean Young
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/rc/ttusbir.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/rc/ttusbir.c
++++ b/drivers/media/rc/ttusbir.c
+@@ -191,7 +191,7 @@ static int ttusbir_probe(struct usb_inte
+ tt = kzalloc(sizeof(*tt), GFP_KERNEL);
+ buffer = kzalloc(5, GFP_KERNEL);
+ rc = rc_allocate_device(RC_DRIVER_IR_RAW);
+- if (!tt || !rc || buffer) {
++ if (!tt || !rc || !buffer) {
+ ret = -ENOMEM;
+ goto out;
+ }
diff --git a/queue-6.1/r8152-hold-the-rtnl_lock-for-all-of-reset.patch b/queue-6.1/r8152-hold-the-rtnl_lock-for-all-of-reset.patch
new file mode 100644
index 0000000000..8e34461ae1
--- /dev/null
+++ b/queue-6.1/r8152-hold-the-rtnl_lock-for-all-of-reset.patch
@@ -0,0 +1,93 @@
+From e62adaeecdc6a1e8ae86e7f3f9f8223a3ede94f5 Mon Sep 17 00:00:00 2001
+From: Douglas Anderson
+Date: Wed, 29 Nov 2023 13:25:20 -0800
+Subject: r8152: Hold the rtnl_lock for all of reset
+
+From: Douglas Anderson
+
+commit e62adaeecdc6a1e8ae86e7f3f9f8223a3ede94f5 upstream.
+
+As of commit d9962b0d4202 ("r8152: Block future register access if
+register access fails") there is a race condition that can happen
+between the USB device reset thread and napi_enable() (not) getting
+called during rtl8152_open(). Specifically:
+* While rtl8152_open() is running we get a register access error
+ that's _not_ -ENODEV and queue up a USB reset.
+* rtl8152_open() exits before calling napi_enable() due to any reason
+ (including usb_submit_urb() returning an error).
+
+In that case:
+* Since the USB reset is perform in a separate thread asynchronously,
+ it can run at anytime USB device lock is not held - even before
+ rtl8152_open() has exited with an error and caused __dev_open() to
+ clear the __LINK_STATE_START bit.
+* The rtl8152_pre_reset() will notice that the netif_running() returns
+ true (since __LINK_STATE_START wasn't cleared) so it won't exit
+ early.
+* rtl8152_pre_reset() will then hang in napi_disable() because
+ napi_enable() was never called.
+
+We can fix the race by making sure that the r8152 reset routines don't
+run at the same time as we're opening the device. Specifically we need
+the reset routines in their entirety rely on the return value of
+netif_running(). The only way to reliably depend on that is for them
+to hold the rntl_lock() mutex for the duration of reset.
+
+Grabbing the rntl_lock() mutex for the duration of reset seems like a
+long time, but reset is not expected to be common and the rtnl_lock()
+mutex is already held for long durations since the core grabs it
+around the open/close calls.
+
+Fixes: d9962b0d4202 ("r8152: Block future register access if register access fails")
+Reviewed-by: Grant Grundler
+Signed-off-by: Douglas Anderson
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/r8152.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -8389,6 +8389,8 @@ static int rtl8152_pre_reset(struct usb_
+ struct r8152 *tp = usb_get_intfdata(intf);
+ struct net_device *netdev;
+
++ rtnl_lock();
++
+ if (!tp || !test_bit(PROBED_WITH_NO_ERRORS, &tp->flags))
+ return 0;
+
+@@ -8420,20 +8422,17 @@ static int rtl8152_post_reset(struct usb
+ struct sockaddr sa;
+
+ if (!tp || !test_bit(PROBED_WITH_NO_ERRORS, &tp->flags))
+- return 0;
++ goto exit;
+
+ rtl_set_accessible(tp);
+
+ /* reset the MAC address in case of policy change */
+- if (determine_ethernet_addr(tp, &sa) >= 0) {
+- rtnl_lock();
++ if (determine_ethernet_addr(tp, &sa) >= 0)
+ dev_set_mac_address (tp->netdev, &sa, NULL);
+- rtnl_unlock();
+- }
+
+ netdev = tp->netdev;
+ if (!netif_running(netdev))
+- return 0;
++ goto exit;
+
+ set_bit(WORK_ENABLE, &tp->flags);
+ if (netif_carrier_ok(netdev)) {
+@@ -8452,6 +8451,8 @@ static int rtl8152_post_reset(struct usb
+ if (!list_empty(&tp->rx_done))
+ napi_schedule(&tp->napi);
+
++exit:
++ rtnl_unlock();
+ return 0;
+ }
+
diff --git a/queue-6.1/selftests-bpf-fix-bpf_nf-selftest-failure.patch b/queue-6.1/selftests-bpf-fix-bpf_nf-selftest-failure.patch
new file mode 100644
index 0000000000..cdac7a5c74
--- /dev/null
+++ b/queue-6.1/selftests-bpf-fix-bpf_nf-selftest-failure.patch
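Review bot: In the r8152 patch, rtl8152_pre_reset() now takes `rtnl_lock()` and the `return 0` visible right after it leaves the lock held; the only matching `rtnl_unlock()` is at the new `exit:` label in rtl8152_post_reset(). That matches the stated intent of holding the lock across the whole reset, but in the code it reads like a leaked lock, and it depends on post_reset always running after pre_reset and on no bare `return` surviving in the parts of either function that the hunks do not show. I would add `/* rtnl_lock is taken here and released in rtl8152_post_reset() */` above the `rtnl_lock()` call. The unseen middle of post_reset in the 6.1 tree should also be checked for a path that skips `exit:`, since a missed unlock would stall every later rtnl user.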
@@ -0,0 +1,38 @@
+From 967e8def1100cb4b08c28a54d27ce69563fdf281 Mon Sep 17 00:00:00 2001
+From: Saket Kumar Bhaskar
+Date: Wed, 9 Apr 2025 15:26:33 +0530
+Subject: selftests/bpf: Fix bpf_nf selftest failure
+
+From: Saket Kumar Bhaskar
+
+commit 967e8def1100cb4b08c28a54d27ce69563fdf281 upstream.
+
+For systems with missing iptables-legacy tool this selftest fails.
+
+Add check to find if iptables-legacy tool is available and skip the
+test if the tool is missing.
+
+Fixes: de9c8d848d90 ("selftests/bpf: S/iptables/iptables-legacy/ in the bpf_nf and xdp_synproxy test")
+Signed-off-by: Saket Kumar Bhaskar
+Signed-off-by: Andrii Nakryiko
+Link: https://lore.kernel.org/bpf/20250409095633.33653-1-skb99@linux.ibm.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/bpf/prog_tests/bpf_nf.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/tools/testing/selftests/bpf/prog_tests/bpf_nf.c
++++ b/tools/testing/selftests/bpf/prog_tests/bpf_nf.c
+@@ -63,6 +63,12 @@ static void test_bpf_nf_ct(int mode)
+ .repeat = 1,
+ );
+
++ if (SYS_NOFAIL("iptables-legacy --version")) {
++ fprintf(stdout, "Missing required iptables-legacy tool\n");
++ test__skip();
++ return;
++ }
++
+ skel = test_bpf_nf__open_and_load();
+ if (!ASSERT_OK_PTR(skel, "test_bpf_nf__open_and_load"))
+ return;
diff --git a/queue-6.1/series b/queue-6.1/series
index bcdc820a96..0c6077a947 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
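Review bot: The guard added to test_bpf_nf_ct() relies on `SYS_NOFAIL(...)`, which the hunk uses but neither defines nor includes, and the page does not show whether the 6.1 selftests headers provide that macro. Because this is a backport of an upstream change, the patch should be build-tested against the 6.1 selftests tree before it is queued. If the macro is missing there, its definition has to come along as a prerequisite. The rest of the test function is outside the hunk.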
@@ -520,3 +520,10 @@ revert-selftest-ptp-update-ptp-selftest-to-exercise-the-gettimex-options.patch
 fbdev-vt8500lcdfb-fix-dma_free_coherent-cpu_addr-parameter.patch
 apparmor-validate-default-dfa-states-are-in-bounds.patch
 x86-cpu-amd-move-the-zen3-btc_no-detection-to-the-zen3-init-function.patch
+r8152-hold-the-rtnl_lock-for-all-of-reset.patch
+selftests-bpf-fix-bpf_nf-selftest-failure.patch
+bootconfig-fix-negative-seeks-on-32-bit-with-lfs-enabled.patch
+crypto-nx-fix-context-leak-in-nx842_crypto_free_ctx.patch
+media-rc-ttusbir-fix-inverted-error-logic.patch
+batman-adv-tp_meter-fix-tp_vars-reference-leak-in-receiver-shutdown.patch
+media-rc-igorplugusb-fix-control-request-setup-packet.patch